@archlast/server 0.0.1

package/dist/auth/otp/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/auth/otp/service.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA8EH,4CA2LC;AAvQD,gDAAgD;AAChD,mCAAiD;AAEjD,2CAAuE;AAEvE,MAAM,eAAe,GAAG,CAAC,CAAC;AAC1B,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC;;GAEG;AACH,SAAS,QAAQ,CAAC,IAAY;IAC1B,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,SAAS,eAAe;IACpB,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,CAAC,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAClE,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB;IACvB,OAAO,IAAA,oBAAW,EAAC,iBAAiB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAChE,CAAC;AA0CD;;GAEG;AACH,SAAgB,gBAAgB,CAAC,EAAmB;IAChD,KAAK,UAAU,SAAS,CAAC,OAKxB;QACG,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;QAC/B,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,sBAAsB,CAAC;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC;QAElD,oDAAoD;QACpD,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC7D,KAAK,EAAE;gBACH,GAAG,EAAE;oBACD,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE;oBAChC,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE;oBAC9B,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;iBAC3B;aACJ;SACJ,CAAC,CAAC;QAEH,KAAK,MAAM,MAAM,IAAI,QAAiB,EAAE,CAAC;YACrC,MAAM,EAAE,CAAC,KAAK,CAAC,2BAAe,CAAC,KAAY,EAAE,MAAM,CAAC,GAAG,EAAE;gBACrD,MAAM,EAAE,GAAG,EAAE,2BAA2B;aAC3C,CAAC,CAAC;QACP,CAAC;QAED,iBAAiB;QACjB,MAAM,EAAE,CAAC,MAAM,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC1C,GAAG,EAAE,IAAA,gBAAQ,GAAE;YACf,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS;YACT,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,eAAe,CAAC,OAI9B;QACG,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;QACnC,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC;QAElD,kCAAkC;QAClC,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC7D,KAAK,EAAE;gBACH,GAAG,EAAE;oBACD,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE;oBAChC,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,qBAAS,CAAC,UAAU,EAAE,EAAE;oBACtC,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;iBAC3B;aACJ;SACJ,CAAC,CAAC;QAEH,KAAK,MAAM,MAAM,IAAI,QAAiB,EAAE,CAAC;YACrC,MAAM,EAAE,CAAC,KAAK,CAAC,2BAAe,CAAC,KAAY,EAAE,MAAM,CAAC,GAAG,EAAE;gBACrD,MAAM,EAAE,GAAG;aACd,CAAC,CAAC;QACP,CAAC;QAED,wBAAwB;QACxB,MAAM,EAAE,CAAC,MAAM,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC1C,GAAG,EAAE,IAAA,gBAAQ,GAAE;YACf,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,IAAI;YAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC;YACrB,IAAI,EAAE,qBAAS,CAAC,UAAU;YAC1B,SAAS;YACT,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAChC,CAAC;IAED,KAAK,UAAU,SAAS,CAAC,OAIxB;QACG,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC5D,KAAK,EAAE;gBACH,GAAG,EAAE;oBACD,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE;oBAChC,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE;oBAC9B,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE;oBAC5B,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;iBAC3B;aACJ;YACD,IAAI,EAAE,CAAC;SACV,CAAC,CAAC;QAEH,MAAM,MAAM,GAAI,OAAiB,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,eAAe;QACf,MAAM,EAAE,CAAC,KAAK,CAAC,2BAAe,CAAC,KAAY,EAAE,MAAM,CAAC,GAAG,EAAE;YACrD,MAAM,EAAE,GAAG;SACd,CAAC,CAAC;QAEH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;IAC/D,CAAC;IAED,KAAK,UAAU,eAAe,CAAC,KAAa;QAKxC,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC5D,KAAK,EAAE;gBACH,GAAG,EAAE;oBACD,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,qBAAS,CAAC,UAAU,EAAE,EAAE;oBACtC,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE;oBAC7B,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;iBAC3B;aACJ;YACD,IAAI,EAAE,CAAC;SACV,CAAC,CAAC;QAEH,MAAM,MAAM,GAAI,OAAiB,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QAC5B,CAAC;QAED,eAAe;QACf,MAAM,EAAE,CAAC,KAAK,CAAC,2BAAe,CAAC,KAAY,EAAE,MAAM,CAAC,GAAG,EAAE;YACrD,MAAM,EAAE,GAAG;SACd,CAAC,CAAC;QAEH,OAAO;YACH,KAAK,EAAE,IAAI;YACX,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS;SACrC,CAAC;IACN,CAAC;IAED,KAAK,UAAU,cAAc;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,8BAA8B;QAExE,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAAe,CAAC,KAAY,EAAE;YAC5D,KAAK,EAAE;gBACH,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC;aAClE;SACJ,CAAC,CAAC;QAEH,KAAK,MAAM,MAAM,IAAI,OAAgB,EAAE,CAAC;YACpC,MAAM,EAAE,CAAC,MAAM,CAAC,2BAAe,CAAC,KAAY,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO,OAAO,CAAC,MAAM,CAAC;IAC1B,CAAC;IAED,OAAO;QACH,SAAS;QACT,eAAe;QACf,SAAS;QACT,eAAe;QACf,cAAc;KACjB,CAAC;AACN,CAAC"}

package/dist/auth/password-recovery.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Password Recovery Service
+ *
+ * Provides password reset/forgot password functionality.
+ *
+ * Design:
+ * - `requestPasswordReset(email)`: Creates a short-lived reset token, stores it, and
+ *   returns the token (in production, this would be emailed to the user).
+ * - `resetPassword(token, newPassword)`: Verifies the token and updates the password.
+ */
+import type { IDatabaseClient } from "../db/interfaces.js";
+export interface PasswordResetToken {
+    _id: string;
+    userId: string;
+    tokenHash: string;
+    expiresAt: number;
+    usedAt: number | null;
+    createdAt: number;
+}
+export interface PasswordRecoveryConfig {
+    /**
+     * Token TTL in ms. Default: 1 hour.
+     */
+    tokenTtlMs?: number;
+    /**
+     * Callback to send the reset email/notification.
+     * In production, integrate with your email service.
+     */
+    sendResetNotification?: (email: string, token: string, userId: string) => Promise<void>;
+}
+export declare class PasswordRecoveryService {
+    private readonly db;
+    private readonly tokenTtlMs;
+    private readonly sendResetNotification?;
+    constructor(db: IDatabaseClient, config?: PasswordRecoveryConfig);
+    /**
+     * Request a password reset for the given email.
+     * Returns the raw token (for testing/dev). In production, the token is sent via email.
+     */
+    requestPasswordReset(email: string): Promise<{
+        success: boolean;
+        message: string;
+        token?: string;
+    }>;
+    /**
+     * Reset the password using a reset token.
+     */
+    resetPassword(rawToken: string, newPassword: string): Promise<{
+        success: boolean;
+        message: string;
+    }>;
+    /**
+     * Invalidate all existing reset tokens for a user.
+     */
+    private invalidateExistingTokens;
+    /**
+     * Cleanup expired tokens. Call this periodically.
+     */
+    cleanupExpiredTokens(): Promise<number>;
+}
+//# sourceMappingURL=password-recovery.d.ts.map

package/dist/auth/password-recovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-recovery.d.ts","sourceRoot":"","sources":["../../src/auth/password-recovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAW3D,MAAM,WAAW,kBAAkB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,sBAAsB;IACnC;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3F;AAED,qBAAa,uBAAuB;IAChC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAkB;IACrC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAIpB;gBAEP,EAAE,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,sBAAsB;IAMhE;;;OAGG;IACG,oBAAoB,CACtB,KAAK,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAwEjE;;OAEG;IACG,aAAa,CACf,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,GACpB,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAqDjD;;OAEG;YACW,wBAAwB;IAatC;;OAEG;IACG,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;CAahD"}

package/dist/auth/password-recovery.js

@@ -0,0 +1,173 @@
+"use strict";
+/**
+ * Password Recovery Service
+ *
+ * Provides password reset/forgot password functionality.
+ *
+ * Design:
+ * - `requestPasswordReset(email)`: Creates a short-lived reset token, stores it, and
+ *   returns the token (in production, this would be emailed to the user).
+ * - `resetPassword(token, newPassword)`: Verifies the token and updates the password.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasswordRecoveryService = void 0;
+const cuid2_1 = require("@paralleldrive/cuid2");
+const constants_js_1 = require("./system/constants.js");
+const crypto_js_1 = require("./system/crypto.js");
+const logger_js_1 = require("../logging/logger.js");
+// We'll use a dedicated collection for password reset tokens
+const PASSWORD_RESET_COLLECTION = "auth_password_resets";
+// Token expires after 1 hour
+const PASSWORD_RESET_TTL_MS = 60 * 60 * 1000;
+class PasswordRecoveryService {
+    db;
+    tokenTtlMs;
+    sendResetNotification;
+    constructor(db, config) {
+        this.db = db;
+        this.tokenTtlMs = config?.tokenTtlMs ?? PASSWORD_RESET_TTL_MS;
+        this.sendResetNotification = config?.sendResetNotification;
+    }
+    /**
+     * Request a password reset for the given email.
+     * Returns the raw token (for testing/dev). In production, the token is sent via email.
+     */
+    async requestPasswordReset(email) {
+        if (!email || !email.includes("@")) {
+            return { success: false, message: "Invalid email address" };
+        }
+        // Find user by email
+        const user = await this.db.findFirst(constants_js_1.AUTH_COLLECTIONS.users, {
+            where: { email: { eq: email.toLowerCase().trim() } },
+        });
+        if (!user) {
+            // Don't reveal if email exists
+            logger_js_1.logger.log({
+                timestamp: Date.now(),
+                level: "info",
+                kind: "system",
+                message: `[PasswordRecovery] Reset requested for unknown email: ${email}`,
+            });
+            return { success: true, message: "If this email exists, a reset link has been sent." };
+        }
+        const userId = user._id;
+        // Invalidate any existing tokens for this user
+        await this.invalidateExistingTokens(userId);
+        // Generate new token
+        const rawToken = (0, crypto_js_1.generateSessionToken)(32); // 256 bits
+        const tokenHash = (0, crypto_js_1.hashSessionToken)(rawToken);
+        const now = Date.now();
+        const expiresAt = now + this.tokenTtlMs;
+        await this.db.insert(PASSWORD_RESET_COLLECTION, {
+            _id: (0, cuid2_1.createId)(),
+            userId,
+            tokenHash,
+            expiresAt,
+            usedAt: null,
+            createdAt: now,
+        });
+        // Send notification
+        if (this.sendResetNotification) {
+            try {
+                await this.sendResetNotification(email, rawToken, userId);
+            }
+            catch (err) {
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "error",
+                    kind: "system",
+                    message: `[PasswordRecovery] Failed to send reset notification`,
+                    context: { err },
+                });
+            }
+        }
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "info",
+            kind: "system",
+            message: `[PasswordRecovery] Reset token generated for user: ${userId}`,
+        });
+        // In dev/test, return the token. In production, only send via email.
+        const isDev = process.env.NODE_ENV !== "production";
+        return {
+            success: true,
+            message: "If this email exists, a reset link has been sent.",
+            token: isDev ? rawToken : undefined,
+        };
+    }
+    /**
+     * Reset the password using a reset token.
+     */
+    async resetPassword(rawToken, newPassword) {
+        if (!rawToken) {
+            return { success: false, message: "Invalid token" };
+        }
+        if (!newPassword || newPassword.length < 8) {
+            return { success: false, message: "Password must be at least 8 characters" };
+        }
+        const tokenHash = (0, crypto_js_1.hashSessionToken)(rawToken);
+        const now = Date.now();
+        // Find valid token
+        const resetRecord = await this.db.findFirst(PASSWORD_RESET_COLLECTION, {
+            where: {
+                and: [
+                    { tokenHash: { eq: tokenHash } },
+                    { usedAt: { eq: null } },
+                    { expiresAt: { gt: now } },
+                ],
+            },
+        });
+        if (!resetRecord) {
+            return { success: false, message: "Invalid or expired token" };
+        }
+        const userId = resetRecord.userId;
+        // Hash new password
+        const passwordHash = await (0, crypto_js_1.hashPassword)(newPassword);
+        // Update user's password
+        await this.db.patch(constants_js_1.AUTH_COLLECTIONS.users, userId, {
+            passwordHash,
+            updatedAt: now,
+        });
+        // Mark token as used
+        await this.db.patch(PASSWORD_RESET_COLLECTION, resetRecord._id, {
+            usedAt: now,
+        });
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "info",
+            kind: "system",
+            message: `[PasswordRecovery] Password reset successful for user: ${userId}`,
+        });
+        return { success: true, message: "Password has been reset successfully" };
+    }
+    /**
+     * Invalidate all existing reset tokens for a user.
+     */
+    async invalidateExistingTokens(userId) {
+        const tokens = await this.db.findMany(PASSWORD_RESET_COLLECTION, {
+            where: { userId: { eq: userId }, usedAt: { eq: null } },
+        });
+        const now = Date.now();
+        for (const token of tokens) {
+            await this.db.patch(PASSWORD_RESET_COLLECTION, token._id, {
+                usedAt: now,
+            });
+        }
+    }
+    /**
+     * Cleanup expired tokens. Call this periodically.
+     */
+    async cleanupExpiredTokens() {
+        const expired = await this.db.findMany(PASSWORD_RESET_COLLECTION, {
+            where: { expiresAt: { lte: Date.now() } },
+        });
+        let count = 0;
+        for (const token of expired) {
+            await this.db.delete(PASSWORD_RESET_COLLECTION, token._id);
+            count++;
+        }
+        return count;
+    }
+}
+exports.PasswordRecoveryService = PasswordRecoveryService;
+//# sourceMappingURL=password-recovery.js.map

package/dist/auth/password-recovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-recovery.js","sourceRoot":"","sources":["../../src/auth/password-recovery.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,gDAAgD;AAEhD,wDAAyD;AACzD,kDAA0F;AAC1F,oDAA8C;AAE9C,6DAA6D;AAC7D,MAAM,yBAAyB,GAAG,sBAAsB,CAAC;AAEzD,6BAA6B;AAC7B,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAwB7C,MAAa,uBAAuB;IACf,EAAE,CAAkB;IACpB,UAAU,CAAS;IACnB,qBAAqB,CAInB;IAEnB,YAAY,EAAmB,EAAE,MAA+B;QAC5D,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,qBAAqB,CAAC;QAC9D,IAAI,CAAC,qBAAqB,GAAG,MAAM,EAAE,qBAAqB,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CACtB,KAAa;QAEb,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;QAChE,CAAC;QAED,qBAAqB;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,+BAAgB,CAAC,KAAK,EAAE;YACzD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,EAAE,EAAE;SACvD,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,+BAA+B;YAC/B,kBAAM,CAAC,GAAG,CAAC;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,yDAAyD,KAAK,EAAE;aAC5E,CAAC,CAAC;YACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,mDAAmD,EAAE,CAAC;QAC3F,CAAC;QAED,MAAM,MAAM,GAAI,IAAY,CAAC,GAAG,CAAC;QAEjC,+CAA+C;QAC/C,MAAM,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAE5C,qBAAqB;QACrB,MAAM,QAAQ,GAAG,IAAA,gCAAoB,EAAC,EAAE,CAAC,CAAC,CAAC,WAAW;QACtD,MAAM,SAAS,GAAG,IAAA,4BAAgB,EAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC;QAExC,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,yBAAyB,EAAE;YAC5C,GAAG,EAAE,IAAA,gBAAQ,GAAE;YACf,MAAM;YACN,SAAS;YACT,SAAS;YACT,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,oBAAoB;QACpB,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC9D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,OAAO;oBACd,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,sDAAsD;oBAC/D,OAAO,EAAE,EAAE,GAAG,EAAE;iBACnB,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,MAAM;YACb,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,sDAAsD,MAAM,EAAE;SAC1E,CAAC,CAAC;QAEH,qEAAqE;QACrE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QACpD,OAAO;YACH,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,mDAAmD;YAC5D,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;SACtC,CAAC;IACN,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACf,QAAgB,EAChB,WAAmB;QAEnB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;QACjF,CAAC;QAED,MAAM,SAAS,GAAG,IAAA,4BAAgB,EAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,mBAAmB;QACnB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,yBAAyB,EAAE;YACnE,KAAK,EAAE;gBACH,GAAG,EAAE;oBACD,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE;oBAChC,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;oBACxB,EAAE,SAAS,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE;iBAC7B;aACJ;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;QACnE,CAAC;QAED,MAAM,MAAM,GAAI,WAAmB,CAAC,MAAM,CAAC;QAE3C,oBAAoB;QACpB,MAAM,YAAY,GAAG,MAAM,IAAA,wBAAY,EAAC,WAAW,CAAC,CAAC;QAErD,yBAAyB;QACzB,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,+BAAgB,CAAC,KAAK,EAAE,MAAM,EAAE;YAChD,YAAY;YACZ,SAAS,EAAE,GAAG;SACjB,CAAC,CAAC;QAEH,qBAAqB;QACrB,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,yBAAyB,EAAG,WAAmB,CAAC,GAAG,EAAE;YACrE,MAAM,EAAE,GAAG;SACd,CAAC,CAAC;QAEH,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,MAAM;YACb,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,0DAA0D,MAAM,EAAE;SAC9E,CAAC,CAAC;QAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;IAC9E,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,wBAAwB,CAAC,MAAc;QACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,yBAAyB,EAAE;YAC7D,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE;SAC1D,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,KAAK,IAAI,MAAe,EAAE,CAAC;YAClC,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,GAAG,EAAE;gBACtD,MAAM,EAAE,GAAG;aACd,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB;QACtB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,yBAAyB,EAAE;YAC9D,KAAK,EAAE,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE;SAC5C,CAAC,CAAC;QAEH,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,KAAK,MAAM,KAAK,IAAI,OAAgB,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,yBAAyB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3D,KAAK,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,KAAK,CAAC;IACjB,CAAC;CACJ;AAxLD,0DAwLC"}

package/dist/auth/resolver.d.ts

@@ -0,0 +1,29 @@
+import { AuthAdapter, AuthContext, AuthInput } from "./interfaces.js";
+import type { IDatabaseClient } from "../db/interfaces.js";
+export interface AuthResolverOptions {
+    /**
+     * Primary auth adapter (for session-based authentication)
+     */
+    adapter: AuthAdapter;
+    /**
+     * Optional database client for API key resolution
+     */
+    db?: IDatabaseClient;
+    /**
+     * Optional Better-Auth instance for Better-Auth session verification
+     */
+    betterAuth?: any;
+}
+export declare class AuthResolver {
+    private adapter;
+    private betterAuthApiKeyResolver;
+    private betterAuthAdapter;
+    constructor(options: AuthResolverOptions);
+    resolve(input: AuthInput): Promise<AuthContext>;
+}
+/**
+ * Legacy constructor for backward compatibility
+ * @deprecated Use AuthResolver constructor with options object
+ */
+export declare function createAuthResolver(adapter: AuthAdapter, db?: IDatabaseClient): AuthResolver;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/auth/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/auth/resolver.ts"],"names":[],"mappings":"AACA,OAAO,EACH,WAAW,EACX,WAAW,EACX,SAAS,EAEZ,MAAM,iBAAiB,CAAC;AAGzB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,MAAM,WAAW,mBAAmB;IAChC;;OAEG;IACH,OAAO,EAAE,WAAW,CAAC;IAErB;;OAEG;IACH,EAAE,CAAC,EAAE,eAAe,CAAC;IAErB;;OAEG;IACH,UAAU,CAAC,EAAE,GAAG,CAAC;CACpB;AAED,qBAAa,YAAY;IACrB,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,wBAAwB,CAAyC;IACzE,OAAO,CAAC,iBAAiB,CAA4B;gBAEzC,OAAO,EAAE,mBAAmB;IAkBlC,OAAO,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC;CA4CxD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAC9B,OAAO,EAAE,WAAW,EACpB,EAAE,CAAC,EAAE,eAAe,GACrB,YAAY,CAEd"}

package/dist/auth/resolver.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthResolver = void 0;
+exports.createAuthResolver = createAuthResolver;
+// no-op: touch file to refresh incremental TypeScript diagnostics
+const interfaces_js_1 = require("./interfaces.js");
+const logger_js_1 = require("../logging/logger.js");
+const better_auth_api_key_resolver_js_1 = require("./better-auth-api-key-resolver.js");
+class AuthResolver {
+    adapter;
+    betterAuthApiKeyResolver = null;
+    betterAuthAdapter = null;
+    constructor(options) {
+        this.adapter = options.adapter;
+        // Initialize Better-Auth adapter if provided
+        if (options.betterAuth) {
+            const { createBetterAuthSessionAdapter } = require("./better-auth-session-adapter.js");
+            this.betterAuthAdapter = createBetterAuthSessionAdapter({
+                auth: options.betterAuth,
+                db: options.db,
+            });
+            // Initialize Better-Auth API key resolver (no longer needs db)
+            this.betterAuthApiKeyResolver = new better_auth_api_key_resolver_js_1.BetterAuthApiKeyResolver({
+                auth: options.betterAuth,
+            });
+        }
+    }
+    async resolve(input) {
+        // Precedence: Better-Auth session > Better-Auth API key > unauthenticated
+        // 1. Try Better-Auth session (if enabled)
+        if (this.betterAuthAdapter) {
+            try {
+                const ctx = await this.betterAuthAdapter.verify(input);
+                if (ctx && ctx.isAuthenticated) {
+                    return ctx;
+                }
+            }
+            catch (error) {
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "error",
+                    kind: "system",
+                    message: "Better-Auth session resolution failed",
+                    context: { error: error instanceof Error ? error.message : String(error) },
+                });
+            }
+        }
+        // 2. Try Better-Auth API key auth (if resolver is available)
+        if (this.betterAuthApiKeyResolver) {
+            try {
+                const apiKeyCtx = await this.betterAuthApiKeyResolver.resolve(input);
+                if (apiKeyCtx && apiKeyCtx.isAuthenticated) {
+                    return apiKeyCtx;
+                }
+            }
+            catch (error) {
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "error",
+                    kind: "system",
+                    message: "Better-Auth API key resolution failed",
+                    context: { error: error instanceof Error ? error.message : String(error) },
+                });
+            }
+        }
+        // 3. Return unauthenticated context
+        return (0, interfaces_js_1.createUnauthenticatedAuthContext)("better-auth");
+    }
+}
+exports.AuthResolver = AuthResolver;
+/**
+ * Legacy constructor for backward compatibility
+ * @deprecated Use AuthResolver constructor with options object
+ */
+function createAuthResolver(adapter, db) {
+    return new AuthResolver({ adapter, db });
+}
+//# sourceMappingURL=resolver.js.map

package/dist/auth/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/auth/resolver.ts"],"names":[],"mappings":";;;AAqGA,gDAKC;AA1GD,kEAAkE;AAClE,mDAKyB;AACzB,oDAA8C;AAC9C,uFAA6E;AAoB7E,MAAa,YAAY;IACb,OAAO,CAAc;IACrB,wBAAwB,GAAoC,IAAI,CAAC;IACjE,iBAAiB,GAAuB,IAAI,CAAC;IAErD,YAAY,OAA4B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAE/B,6CAA6C;QAC7C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,EAAE,8BAA8B,EAAE,GAAG,OAAO,CAAC,kCAAkC,CAAC,CAAC;YACvF,IAAI,CAAC,iBAAiB,GAAG,8BAA8B,CAAC;gBACpD,IAAI,EAAE,OAAO,CAAC,UAAU;gBACxB,EAAE,EAAE,OAAO,CAAC,EAAE;aACjB,CAAC,CAAC;YAEH,+DAA+D;YAC/D,IAAI,CAAC,wBAAwB,GAAG,IAAI,0DAAwB,CAAC;gBACzD,IAAI,EAAE,OAAO,CAAC,UAAU;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAgB;QAC1B,0EAA0E;QAE1E,0CAA0C;QAC1C,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzB,IAAI,CAAC;gBACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAEvD,IAAI,GAAG,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;oBAC7B,OAAO,GAAG,CAAC;gBACf,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,OAAO;oBACd,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,uCAAuC;oBAChD,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;iBAC7E,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,6DAA6D;QAC7D,IAAI,IAAI,CAAC,wBAAwB,EAAE,CAAC;YAChC,IAAI,CAAC;gBACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;gBAErE,IAAI,SAAS,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;oBACzC,OAAO,SAAS,CAAC;gBACrB,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,OAAO;oBACd,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,uCAAuC;oBAChD,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;iBAC7E,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,oCAAoC;QACpC,OAAO,IAAA,gDAAgC,EAAC,aAAa,CAAC,CAAC;IAC3D,CAAC;CACJ;AAnED,oCAmEC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAC9B,OAAoB,EACpB,EAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;AAC7C,CAAC"}

package/dist/auth/role-helpers.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Role-Based Access Control Helpers
+ *
+ * Provides consistent role checking across the application.
+ * Uses Better-Auth's admin plugin for role management.
+ */
+import type { BetterAuthInstance } from "./better-auth-instance.js";
+export declare const ROLES: {
+    readonly SUPER_ADMIN: "super-admin";
+    readonly ADMIN: "admin";
+    readonly USER: "user";
+};
+export type Role = typeof ROLES[keyof typeof ROLES];
+export declare const ADMIN_ROLES: Role[];
+export declare const ALL_ROLES: Role[];
+/**
+ * Check if a role has admin privileges
+ */
+export declare function isAdminRole(role: string | undefined | null): boolean;
+/**
+ * Check if a role is super-admin
+ */
+export declare function isSuperAdminRole(role: string | undefined | null): boolean;
+/**
+ * Get user session and validate role
+ */
+export declare function getSessionWithRole(auth: BetterAuthInstance, request: Request, requiredRoles?: Role[]): Promise<{
+    user: any;
+    session: any;
+    role: Role;
+} | null>;
+/**
+ * Require admin authentication (admin or super-admin)
+ */
+export declare function requireAdmin(auth: BetterAuthInstance, request: Request): Promise<{
+    user: any;
+    session: any;
+    role: Role;
+} | null>;
+/**
+ * Require super-admin authentication
+ */
+export declare function requireSuperAdmin(auth: BetterAuthInstance, request: Request): Promise<{
+    user: any;
+    session: any;
+    role: Role;
+} | null>;
+/**
+ * Require any authenticated user
+ */
+export declare function requireAuthenticated(auth: BetterAuthInstance, request: Request): Promise<{
+    user: any;
+    session: any;
+    role: Role;
+} | null>;
+//# sourceMappingURL=role-helpers.d.ts.map

package/dist/auth/role-helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-helpers.d.ts","sourceRoot":"","sources":["../../src/auth/role-helpers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAIpE,eAAO,MAAM,KAAK;;;;CAIR,CAAC;AAEX,MAAM,MAAM,IAAI,GAAG,OAAO,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,CAAC;AAGpD,eAAO,MAAM,WAAW,EAAE,IAAI,EAAqC,CAAC;AAGpE,eAAO,MAAM,SAAS,EAAE,IAAI,EAAiD,CAAC;AAE9E;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEpE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAAG,OAAO,CAEzE;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACpC,IAAI,EAAE,kBAAkB,EACxB,OAAO,EAAE,OAAO,EAChB,aAAa,CAAC,EAAE,IAAI,EAAE,GACvB,OAAO,CAAC;IACP,IAAI,EAAE,GAAG,CAAC;IACV,OAAO,EAAE,GAAG,CAAC;IACb,IAAI,EAAE,IAAI,CAAC;CACd,GAAG,IAAI,CAAC,CA6CR;AAED;;GAEG;AACH,wBAAsB,YAAY,CAC9B,IAAI,EAAE,kBAAkB,EACxB,OAAO,EAAE,OAAO;UAvDV,GAAG;aACA,GAAG;UACN,IAAI;UAwDb;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACnC,IAAI,EAAE,kBAAkB,EACxB,OAAO,EAAE,OAAO;UAjEV,GAAG;aACA,GAAG;UACN,IAAI;UAkEb;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACtC,IAAI,EAAE,kBAAkB,EACxB,OAAO,EAAE,OAAO;UA3EV,GAAG;aACA,GAAG;UACN,IAAI;UA4Eb"}

package/dist/auth/role-helpers.js

@@ -0,0 +1,103 @@
+"use strict";
+/**
+ * Role-Based Access Control Helpers
+ *
+ * Provides consistent role checking across the application.
+ * Uses Better-Auth's admin plugin for role management.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ALL_ROLES = exports.ADMIN_ROLES = exports.ROLES = void 0;
+exports.isAdminRole = isAdminRole;
+exports.isSuperAdminRole = isSuperAdminRole;
+exports.getSessionWithRole = getSessionWithRole;
+exports.requireAdmin = requireAdmin;
+exports.requireSuperAdmin = requireSuperAdmin;
+exports.requireAuthenticated = requireAuthenticated;
+const logger_js_1 = require("../logging/logger.js");
+// Role constants
+exports.ROLES = {
+    SUPER_ADMIN: "super-admin",
+    ADMIN: "admin",
+    USER: "user",
+};
+// Admin roles that grant dashboard access
+exports.ADMIN_ROLES = [exports.ROLES.SUPER_ADMIN, exports.ROLES.ADMIN];
+// All roles
+exports.ALL_ROLES = [exports.ROLES.SUPER_ADMIN, exports.ROLES.ADMIN, exports.ROLES.USER];
+/**
+ * Check if a role has admin privileges
+ */
+function isAdminRole(role) {
+    return exports.ADMIN_ROLES.includes(role);
+}
+/**
+ * Check if a role is super-admin
+ */
+function isSuperAdminRole(role) {
+    return role === exports.ROLES.SUPER_ADMIN;
+}
+/**
+ * Get user session and validate role
+ */
+async function getSessionWithRole(auth, request, requiredRoles) {
+    try {
+        const result = await auth.api.getSession({
+            headers: request.headers,
+        });
+        if (!result?.user || !result?.session) {
+            return null;
+        }
+        const role = (result.user.role || exports.ROLES.USER);
+        // If specific roles required, validate
+        if (requiredRoles && requiredRoles.length > 0) {
+            if (!requiredRoles.includes(role)) {
+                logger_js_1.logger.log({
+                    timestamp: Date.now(),
+                    level: "warn",
+                    kind: "system",
+                    message: "[Auth] Role check failed",
+                    context: {
+                        userId: result.user.id,
+                        userRole: role,
+                        requiredRoles,
+                    },
+                });
+                return null;
+            }
+        }
+        return {
+            user: result.user,
+            session: result.session,
+            role,
+        };
+    }
+    catch (error) {
+        logger_js_1.logger.log({
+            timestamp: Date.now(),
+            level: "error",
+            kind: "system",
+            message: "[Auth] Session fetch failed",
+            context: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Require admin authentication (admin or super-admin)
+ */
+async function requireAdmin(auth, request) {
+    return getSessionWithRole(auth, request, exports.ADMIN_ROLES);
+}
+/**
+ * Require super-admin authentication
+ */
+async function requireSuperAdmin(auth, request) {
+    return getSessionWithRole(auth, request, [exports.ROLES.SUPER_ADMIN]);
+}
+/**
+ * Require any authenticated user
+ */
+async function requireAuthenticated(auth, request) {
+    return getSessionWithRole(auth, request);
+}
+//# sourceMappingURL=role-helpers.js.map

package/dist/auth/role-helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-helpers.js","sourceRoot":"","sources":["../../src/auth/role-helpers.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAuBH,kCAEC;AAKD,4CAEC;AAKD,gDAqDC;AAKD,oCAKC;AAKD,8CAKC;AAKD,oDAKC;AArHD,oDAA8C;AAE9C,iBAAiB;AACJ,QAAA,KAAK,GAAG;IACjB,WAAW,EAAE,aAAa;IAC1B,KAAK,EAAE,OAAO;IACd,IAAI,EAAE,MAAM;CACN,CAAC;AAIX,0CAA0C;AAC7B,QAAA,WAAW,GAAW,CAAC,aAAK,CAAC,WAAW,EAAE,aAAK,CAAC,KAAK,CAAC,CAAC;AAEpE,YAAY;AACC,QAAA,SAAS,GAAW,CAAC,aAAK,CAAC,WAAW,EAAE,aAAK,CAAC,KAAK,EAAE,aAAK,CAAC,IAAI,CAAC,CAAC;AAE9E;;GAEG;AACH,SAAgB,WAAW,CAAC,IAA+B;IACvD,OAAO,mBAAW,CAAC,QAAQ,CAAC,IAAY,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,IAA+B;IAC5D,OAAO,IAAI,KAAK,aAAK,CAAC,WAAW,CAAC;AACtC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACpC,IAAwB,EACxB,OAAgB,EAChB,aAAsB;IAMtB,IAAI,CAAC;QACD,MAAM,MAAM,GAAG,MAAO,IAAY,CAAC,GAAG,CAAC,UAAU,CAAC;YAC9C,OAAO,EAAE,OAAO,CAAC,OAAO;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,aAAK,CAAC,IAAI,CAAS,CAAC;QAEtD,uCAAuC;QACvC,IAAI,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,kBAAM,CAAC,GAAG,CAAC;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;oBACrB,KAAK,EAAE,MAAM;oBACb,IAAI,EAAE,QAAQ;oBACd,OAAO,EAAE,0BAA0B;oBACnC,OAAO,EAAE;wBACL,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE;wBACtB,QAAQ,EAAE,IAAI;wBACd,aAAa;qBAChB;iBACJ,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC;YAChB,CAAC;QACL,CAAC;QAED,OAAO;YACH,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI;SACP,CAAC;IACN,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,kBAAM,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,KAAK,EAAE,OAAO;YACd,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,6BAA6B;YACtC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;SAC7E,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;AACL,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,YAAY,CAC9B,IAAwB,EACxB,OAAgB;IAEhB,OAAO,kBAAkB,CAAC,IAAI,EAAE,OAAO,EAAE,mBAAW,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,iBAAiB,CACnC,IAAwB,EACxB,OAAgB;IAEhB,OAAO,kBAAkB,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,aAAK,CAAC,WAAW,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,oBAAoB,CACtC,IAAwB,EACxB,OAAgB;IAEhB,OAAO,kBAAkB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7C,CAAC"}

package/dist/auth/session-manager.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Legacy Session Manager Stub
+ *
+ * This is a placeholder stub for the deleted SessionManager.
+ * We've consolidated to Better-Auth for session management.
+ *
+ * TODO: Remove all references to legacy session system
+ */
+export declare class SessionManager {
+    constructor(_options: any);
+    createSession(): Promise<any>;
+    verifySession(): Promise<any>;
+    revokeSession(): Promise<void>;
+    issueSession(_options: {
+        userId: string;
+        tenantId?: string;
+    }): Promise<{
+        token: string;
+    }>;
+}
+//# sourceMappingURL=session-manager.d.ts.map

package/dist/auth/session-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.d.ts","sourceRoot":"","sources":["../../src/auth/session-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qBAAa,cAAc;gBACX,QAAQ,EAAE,GAAG;IAInB,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC;IAI7B,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC;IAI7B,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAI9B,YAAY,CAAC,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CAGlG"}

package/dist/auth/session-manager.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Legacy Session Manager Stub
+ *
+ * This is a placeholder stub for the deleted SessionManager.
+ * We've consolidated to Better-Auth for session management.
+ *
+ * TODO: Remove all references to legacy session system
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionManager = void 0;
+class SessionManager {
+    constructor(_options) {
+        throw new Error("Legacy session system deprecated. Use Better-Auth sessions via /api/auth/*");
+    }
+    async createSession() {
+        throw new Error("Legacy session system deprecated. Use Better-Auth sessions via /api/auth/*");
+    }
+    async verifySession() {
+        throw new Error("Legacy session system deprecated. Use Better-Auth sessions via /api/auth/*");
+    }
+    async revokeSession() {
+        throw new Error("Legacy session system deprecated. Use Better-Auth sessions via /api/auth/*");
+    }
+    async issueSession(_options) {
+        throw new Error("Legacy session system deprecated. Use Better-Auth sessions via /api/auth/*");
+    }
+}
+exports.SessionManager = SessionManager;
+//# sourceMappingURL=session-manager.js.map

package/dist/auth/session-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.js","sourceRoot":"","sources":["../../src/auth/session-manager.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,MAAa,cAAc;IACvB,YAAY,QAAa;QACrB,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,aAAa;QACf,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,aAAa;QACf,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,aAAa;QACf,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAClG,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,QAA+C;QAC9D,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;IAClG,CAAC;CACJ;AApBD,wCAoBC"}

package/dist/auth/session-security.d.ts

@@ -0,0 +1,14 @@
+export interface SessionSecurityOptions {
+    bindToIP?: boolean;
+    bindToUserAgent?: boolean;
+    alertOnMismatch?: boolean;
+}
+export interface ValidationResult {
+    valid: boolean;
+    reason?: string;
+}
+export declare function validateSessionBinding(request: Request, session: {
+    ipAddress?: string;
+    userAgent?: string;
+} | null, options: SessionSecurityOptions): ValidationResult;
+//# sourceMappingURL=session-security.d.ts.map

package/dist/auth/session-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-security.d.ts","sourceRoot":"","sources":["../../src/auth/session-security.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,sBAAsB;IACnC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,eAAe,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,sBAAsB,CAClC,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,EAC1D,OAAO,EAAE,sBAAsB,GAChC,gBAAgB,CAgBlB"}

package/dist/auth/session-security.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateSessionBinding = validateSessionBinding;
+function validateSessionBinding(request, session, options) {
+    if (options.bindToIP && session?.ipAddress) {
+        const requestIP = getClientIP(request);
+        if (requestIP !== session.ipAddress) {
+            return { valid: false, reason: "IP address mismatch" };
+        }
+    }
+    if (options.bindToUserAgent && session?.userAgent) {
+        const requestUA = request.headers.get("user-agent");
+        if (requestUA !== session.userAgent) {
+            return { valid: false, reason: "User agent mismatch" };
+        }
+    }
+    return { valid: true };
+}
+function getClientIP(request) {
+    const forwarded = request.headers.get("x-forwarded-for");
+    if (forwarded) {
+        return forwarded.split(",")[0].trim();
+    }
+    return request.headers.get("cf-connecting-ip") || "";
+}
+//# sourceMappingURL=session-security.js.map