@axium/server 0.13.0 → 0.13.2

package/build/server/chunks/{user2-D249re2A.js → user-BM1CPpSk.js}

@@ -1,3 +1,594 @@
+import { P as push, a7 as copy_payload, a8 as assign_payload, ag as bind_props, T as pop, ah as spread_props, ai as spread_attributes, aj as attr_class, a5 as escape_html, ak as clsx } from './exports-Bdi6Ec6W.js';
+import './client-BwGZz7hC.js';
+
+/**
+ * Convert the given array buffer into a Base64URL-encoded string. Ideal for converting various
+ * credential response ArrayBuffers to string for sending back to the server as JSON.
+ *
+ * Helper method to compliment `base64URLStringToBuffer`
+ */
+function bufferToBase64URLString(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let str = '';
+    for (const charCode of bytes) {
+        str += String.fromCharCode(charCode);
+    }
+    const base64String = btoa(str);
+    return base64String.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+/**
+ * Convert from a Base64URL-encoded string to an Array Buffer. Best used when converting a
+ * credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
+ * excludeCredentials
+ *
+ * Helper method to compliment `bufferToBase64URLString`
+ */
+function base64URLStringToBuffer(base64URLString) {
+    // Convert from Base64URL to Base64
+    const base64 = base64URLString.replace(/-/g, '+').replace(/_/g, '/');
+    /**
+     * Pad with '=' until it's a multiple of four
+     * (4 - (85 % 4 = 1) = 3) % 4 = 3 padding
+     * (4 - (86 % 4 = 2) = 2) % 4 = 2 padding
+     * (4 - (87 % 4 = 3) = 1) % 4 = 1 padding
+     * (4 - (88 % 4 = 0) = 4) % 4 = 0 padding
+     */
+    const padLength = (4 - (base64.length % 4)) % 4;
+    const padded = base64.padEnd(base64.length + padLength, '=');
+    // Convert to a binary string
+    const binary = atob(padded);
+    // Convert binary string to buffer
+    const buffer = new ArrayBuffer(binary.length);
+    const bytes = new Uint8Array(buffer);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return buffer;
+}
+
+/**
+ * Determine if the browser is capable of Webauthn
+ */
+function browserSupportsWebAuthn() {
+    return _browserSupportsWebAuthnInternals.stubThis(globalThis?.PublicKeyCredential !== undefined &&
+        typeof globalThis.PublicKeyCredential === 'function');
+}
+/**
+ * Make it possible to stub the return value during testing
+ * @ignore Don't include this in docs output
+ */
+const _browserSupportsWebAuthnInternals = {
+    stubThis: (value) => value,
+};
+
+function toPublicKeyCredentialDescriptor(descriptor) {
+    const { id } = descriptor;
+    return {
+        ...descriptor,
+        id: base64URLStringToBuffer(id),
+        /**
+         * `descriptor.transports` is an array of our `AuthenticatorTransportFuture` that includes newer
+         * transports that TypeScript's DOM lib is ignorant of. Convince TS that our list of transports
+         * are fine to pass to WebAuthn since browsers will recognize the new value.
+         */
+        transports: descriptor.transports,
+    };
+}
+
+/**
+ * A simple test to determine if a hostname is a properly-formatted domain name
+ *
+ * A "valid domain" is defined here: https://url.spec.whatwg.org/#valid-domain
+ *
+ * Regex sourced from here:
+ * https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
+ */
+function isValidDomain(hostname) {
+    return (
+    // Consider localhost valid as well since it's okay wrt Secure Contexts
+    hostname === 'localhost' ||
+        /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname));
+}
+
+/**
+ * A custom Error used to return a more nuanced error detailing _why_ one of the eight documented
+ * errors in the spec was raised after calling `navigator.credentials.create()` or
+ * `navigator.credentials.get()`:
+ *
+ * - `AbortError`
+ * - `ConstraintError`
+ * - `InvalidStateError`
+ * - `NotAllowedError`
+ * - `NotSupportedError`
+ * - `SecurityError`
+ * - `TypeError`
+ * - `UnknownError`
+ *
+ * Error messages were determined through investigation of the spec to determine under which
+ * scenarios a given error would be raised.
+ */
+class WebAuthnError extends Error {
+    constructor({ message, code, cause, name, }) {
+        // @ts-ignore: help Rollup understand that `cause` is okay to set
+        super(message, { cause });
+        Object.defineProperty(this, "code", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.name = name ?? cause.name;
+        this.code = code;
+    }
+}
+
+/**
+ * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.create()`
+ */
+function identifyRegistrationError({ error, options, }) {
+    const { publicKey } = options;
+    if (!publicKey) {
+        throw Error('options was missing required publicKey property');
+    }
+    if (error.name === 'AbortError') {
+        if (options.signal instanceof AbortSignal) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
+            return new WebAuthnError({
+                message: 'Registration ceremony was sent an abort signal',
+                code: 'ERROR_CEREMONY_ABORTED',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'ConstraintError') {
+        if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
+            return new WebAuthnError({
+                message: 'Discoverable credentials were required but no available authenticator supported it',
+                code: 'ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT',
+                cause: error,
+            });
+        }
+        else if (
+        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
+        options.mediation === 'conditional' &&
+            publicKey.authenticatorSelection?.userVerification === 'required') {
+            // https://w3c.github.io/webauthn/#sctn-createCredential (Step 22.4)
+            return new WebAuthnError({
+                message: 'User verification was required during automatic registration but it could not be performed',
+                code: 'ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE',
+                cause: error,
+            });
+        }
+        else if (publicKey.authenticatorSelection?.userVerification === 'required') {
+            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
+            return new WebAuthnError({
+                message: 'User verification was required but no available authenticator supported it',
+                code: 'ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'InvalidStateError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
+        return new WebAuthnError({
+            message: 'The authenticator was previously registered',
+            code: 'ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED',
+            cause: error,
+        });
+    }
+    else if (error.name === 'NotAllowedError') {
+        /**
+         * Pass the error directly through. Platforms are overloading this error beyond what the spec
+         * defines and we don't want to overwrite potentially useful error messages.
+         */
+        return new WebAuthnError({
+            message: error.message,
+            code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
+            cause: error,
+        });
+    }
+    else if (error.name === 'NotSupportedError') {
+        const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === 'public-key');
+        if (validPubKeyCredParams.length === 0) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
+            return new WebAuthnError({
+                message: 'No entry in pubKeyCredParams was of type "public-key"',
+                code: 'ERROR_MALFORMED_PUBKEYCREDPARAMS',
+                cause: error,
+            });
+        }
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
+        return new WebAuthnError({
+            message: 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
+            code: 'ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG',
+            cause: error,
+        });
+    }
+    else if (error.name === 'SecurityError') {
+        const effectiveDomain = globalThis.location.hostname;
+        if (!isValidDomain(effectiveDomain)) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
+            return new WebAuthnError({
+                message: `${globalThis.location.hostname} is an invalid domain`,
+                code: 'ERROR_INVALID_DOMAIN',
+                cause: error,
+            });
+        }
+        else if (publicKey.rp.id !== effectiveDomain) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
+            return new WebAuthnError({
+                message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+                code: 'ERROR_INVALID_RP_ID',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'TypeError') {
+        if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
+            return new WebAuthnError({
+                message: 'User ID was not between 1 and 64 characters',
+                code: 'ERROR_INVALID_USER_ID_LENGTH',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'UnknownError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
+        return new WebAuthnError({
+            message: 'The authenticator was unable to process the specified options, or could not create a new credential',
+            code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
+            cause: error,
+        });
+    }
+    return error;
+}
+
+class BaseWebAuthnAbortService {
+    constructor() {
+        Object.defineProperty(this, "controller", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+    }
+    createNewAbortSignal() {
+        // Abort any existing calls to navigator.credentials.create() or navigator.credentials.get()
+        if (this.controller) {
+            const abortError = new Error('Cancelling existing WebAuthn API call for new one');
+            abortError.name = 'AbortError';
+            this.controller.abort(abortError);
+        }
+        const newController = new AbortController();
+        this.controller = newController;
+        return newController.signal;
+    }
+    cancelCeremony() {
+        if (this.controller) {
+            const abortError = new Error('Manually cancelling existing WebAuthn API call');
+            abortError.name = 'AbortError';
+            this.controller.abort(abortError);
+            this.controller = undefined;
+        }
+    }
+}
+/**
+ * A service singleton to help ensure that only a single WebAuthn ceremony is active at a time.
+ *
+ * Users of **@simplewebauthn/browser** shouldn't typically need to use this, but it can help e.g.
+ * developers building projects that use client-side routing to better control the behavior of
+ * their UX in response to router navigation events.
+ */
+const WebAuthnAbortService = new BaseWebAuthnAbortService();
+
+const attachments = ['cross-platform', 'platform'];
+/**
+ * If possible coerce a `string` value into a known `AuthenticatorAttachment`
+ */
+function toAuthenticatorAttachment(attachment) {
+    if (!attachment) {
+        return;
+    }
+    if (attachments.indexOf(attachment) < 0) {
+        return;
+    }
+    return attachment;
+}
+
+/**
+ * Begin authenticator "registration" via WebAuthn attestation
+ *
+ * @param optionsJSON Output from **@simplewebauthn/server**'s `generateRegistrationOptions()`
+ * @param useAutoRegister (Optional) Try to silently create a passkey with the password manager that the user just signed in with. Defaults to `false`.
+ */
+async function startRegistration(options) {
+    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
+    if (!options.optionsJSON && options.challenge) {
+        console.warn('startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
+        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
+        options = { optionsJSON: options };
+    }
+    const { optionsJSON, useAutoRegister = false } = options;
+    if (!browserSupportsWebAuthn()) {
+        throw new Error('WebAuthn is not supported in this browser');
+    }
+    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
+    const publicKey = {
+        ...optionsJSON,
+        challenge: base64URLStringToBuffer(optionsJSON.challenge),
+        user: {
+            ...optionsJSON.user,
+            id: base64URLStringToBuffer(optionsJSON.user.id),
+        },
+        excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor),
+    };
+    // Prepare options for `.create()`
+    const createOptions = {};
+    /**
+     * Try to use conditional create to register a passkey for the user with the password manager
+     * the user just used to authenticate with. The user won't be shown any prominent UI by the
+     * browser.
+     */
+    if (useAutoRegister) {
+        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
+        createOptions.mediation = 'conditional';
+    }
+    // Finalize options
+    createOptions.publicKey = publicKey;
+    // Set up the ability to cancel this request if the user attempts another
+    createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+    // Wait for the user to complete attestation
+    let credential;
+    try {
+        credential = (await navigator.credentials.create(createOptions));
+    }
+    catch (err) {
+        throw identifyRegistrationError({ error: err, options: createOptions });
+    }
+    if (!credential) {
+        throw new Error('Registration was not completed');
+    }
+    const { id, rawId, response, type } = credential;
+    // Continue to play it safe with `getTransports()` for now, even when L3 types say it's required
+    let transports = undefined;
+    if (typeof response.getTransports === 'function') {
+        transports = response.getTransports();
+    }
+    // L3 says this is required, but browser and webview support are still not guaranteed.
+    let responsePublicKeyAlgorithm = undefined;
+    if (typeof response.getPublicKeyAlgorithm === 'function') {
+        try {
+            responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
+        }
+        catch (error) {
+            warnOnBrokenImplementation('getPublicKeyAlgorithm()', error);
+        }
+    }
+    let responsePublicKey = undefined;
+    if (typeof response.getPublicKey === 'function') {
+        try {
+            const _publicKey = response.getPublicKey();
+            if (_publicKey !== null) {
+                responsePublicKey = bufferToBase64URLString(_publicKey);
+            }
+        }
+        catch (error) {
+            warnOnBrokenImplementation('getPublicKey()', error);
+        }
+    }
+    // L3 says this is required, but browser and webview support are still not guaranteed.
+    let responseAuthenticatorData;
+    if (typeof response.getAuthenticatorData === 'function') {
+        try {
+            responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
+        }
+        catch (error) {
+            warnOnBrokenImplementation('getAuthenticatorData()', error);
+        }
+    }
+    return {
+        id,
+        rawId: bufferToBase64URLString(rawId),
+        response: {
+            attestationObject: bufferToBase64URLString(response.attestationObject),
+            clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+            transports,
+            publicKeyAlgorithm: responsePublicKeyAlgorithm,
+            publicKey: responsePublicKey,
+            authenticatorData: responseAuthenticatorData,
+        },
+        type,
+        clientExtensionResults: credential.getClientExtensionResults(),
+        authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
+    };
+}
+/**
+ * Visibly warn when we detect an issue related to a passkey provider intercepting WebAuthn API
+ * calls
+ */
+function warnOnBrokenImplementation(methodName, cause) {
+    console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.\n`, cause);
+}
+
+/**
+ * Determine if the browser supports conditional UI, so that WebAuthn credentials can
+ * be shown to the user in the browser's typical password autofill popup.
+ */
+function browserSupportsWebAuthnAutofill() {
+    if (!browserSupportsWebAuthn()) {
+        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
+    }
+    /**
+     * I don't like the `as unknown` here but there's a `declare var PublicKeyCredential` in
+     * TS' DOM lib that's making it difficult for me to just go `as PublicKeyCredentialFuture` as I
+     * want. I think I'm fine with this for now since it's _supposed_ to be temporary, until TS types
+     * have a chance to catch up.
+     */
+    const globalPublicKeyCredential = globalThis
+        .PublicKeyCredential;
+    if (globalPublicKeyCredential?.isConditionalMediationAvailable === undefined) {
+        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
+    }
+    return _browserSupportsWebAuthnAutofillInternals.stubThis(globalPublicKeyCredential.isConditionalMediationAvailable());
+}
+// Make it possible to stub the return value during testing
+const _browserSupportsWebAuthnAutofillInternals = {
+    stubThis: (value) => value,
+};
+
+/**
+ * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.get()`
+ */
+function identifyAuthenticationError({ error, options, }) {
+    const { publicKey } = options;
+    if (!publicKey) {
+        throw Error('options was missing required publicKey property');
+    }
+    if (error.name === 'AbortError') {
+        if (options.signal instanceof AbortSignal) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
+            return new WebAuthnError({
+                message: 'Authentication ceremony was sent an abort signal',
+                code: 'ERROR_CEREMONY_ABORTED',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'NotAllowedError') {
+        /**
+         * Pass the error directly through. Platforms are overloading this error beyond what the spec
+         * defines and we don't want to overwrite potentially useful error messages.
+         */
+        return new WebAuthnError({
+            message: error.message,
+            code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
+            cause: error,
+        });
+    }
+    else if (error.name === 'SecurityError') {
+        const effectiveDomain = globalThis.location.hostname;
+        if (!isValidDomain(effectiveDomain)) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
+            return new WebAuthnError({
+                message: `${globalThis.location.hostname} is an invalid domain`,
+                code: 'ERROR_INVALID_DOMAIN',
+                cause: error,
+            });
+        }
+        else if (publicKey.rpId !== effectiveDomain) {
+            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
+            return new WebAuthnError({
+                message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+                code: 'ERROR_INVALID_RP_ID',
+                cause: error,
+            });
+        }
+    }
+    else if (error.name === 'UnknownError') {
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 1)
+        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
+        return new WebAuthnError({
+            message: 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
+            code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
+            cause: error,
+        });
+    }
+    return error;
+}
+
+/**
+ * Begin authenticator "login" via WebAuthn assertion
+ *
+ * @param optionsJSON Output from **@simplewebauthn/server**'s `generateAuthenticationOptions()`
+ * @param useBrowserAutofill (Optional) Initialize conditional UI to enable logging in via browser autofill prompts. Defaults to `false`.
+ * @param verifyBrowserAutofillInput (Optional) Ensure a suitable `<input>` element is present when `useBrowserAutofill` is `true`. Defaults to `true`.
+ */
+async function startAuthentication(options) {
+    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
+    if (!options.optionsJSON && options.challenge) {
+        console.warn('startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
+        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
+        options = { optionsJSON: options };
+    }
+    const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true, } = options;
+    if (!browserSupportsWebAuthn()) {
+        throw new Error('WebAuthn is not supported in this browser');
+    }
+    // We need to avoid passing empty array to avoid blocking retrieval
+    // of public key
+    let allowCredentials;
+    if (optionsJSON.allowCredentials?.length !== 0) {
+        allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
+    }
+    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
+    const publicKey = {
+        ...optionsJSON,
+        challenge: base64URLStringToBuffer(optionsJSON.challenge),
+        allowCredentials,
+    };
+    // Prepare options for `.get()`
+    const getOptions = {};
+    /**
+     * Set up the page to prompt the user to select a credential for authentication via the browser's
+     * input autofill mechanism.
+     */
+    if (useBrowserAutofill) {
+        if (!(await browserSupportsWebAuthnAutofill())) {
+            throw Error('Browser does not support WebAuthn autofill');
+        }
+        // Check for an <input> with "webauthn" in its `autocomplete` attribute
+        const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+        // WebAuthn autofill requires at least one valid input
+        if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
+            throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+        }
+        // `CredentialMediationRequirement` doesn't know about "conditional" yet as of
+        // typescript@4.6.3
+        getOptions.mediation = 'conditional';
+        // Conditional UI requires an empty allow list
+        publicKey.allowCredentials = [];
+    }
+    // Finalize options
+    getOptions.publicKey = publicKey;
+    // Set up the ability to cancel this request if the user attempts another
+    getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+    // Wait for the user to complete assertion
+    let credential;
+    try {
+        credential = (await navigator.credentials.get(getOptions));
+    }
+    catch (err) {
+        throw identifyAuthenticationError({ error: err, options: getOptions });
+    }
+    if (!credential) {
+        throw new Error('Authentication was not completed');
+    }
+    const { id, rawId, response, type } = credential;
+    let userHandle = undefined;
+    if (response.userHandle) {
+        userHandle = bufferToBase64URLString(response.userHandle);
+    }
+    // Convert values to base64 to make it easier to send back to the server
+    return {
+        id,
+        rawId: bufferToBase64URLString(rawId),
+        response: {
+            authenticatorData: bufferToBase64URLString(response.authenticatorData),
+            clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+            signature: bufferToBase64URLString(response.signature),
+            userHandle,
+        },
+        type,
+        clientExtensionResults: credential.getClientExtensionResults(),
+        authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
+    };
+}
+
 /** A special constant with type `never` */
 const NEVER = Object.freeze({
     status: "aborted",
@@ -11481,6 +12072,119 @@ var z = /*#__PURE__*/Object.freeze({
     xid: xid
 });
 
+function Dialog($$payload, $$props) {
+  push();
+  let { children, dialog = void 0, $$slots, $$events, ...rest } = $$props;
+  $$payload.out += `<dialog${spread_attributes({ ...rest }, "svelte-1yuzruq")}>`;
+  children($$payload);
+  $$payload.out += `<!----></dialog>`;
+  bind_props($$props, { dialog });
+  pop();
+}
+function FormDialog($$payload, $$props) {
+  push();
+  let {
+    children,
+    dialog = void 0,
+    submitText = "Submit",
+    cancel = () => {
+    },
+    submit = (data) => Promise.resolve(),
+    pageMode = false,
+    submitDanger = false,
+    header,
+    footer,
+    $$slots,
+    $$events,
+    ...rest
+  } = $$props;
+  function onclose(e) {
+    e.preventDefault();
+    cancel();
+  }
+  function submitButton($$payload2) {
+    $$payload2.out += `<button type="submit"${attr_class(clsx(["submit", submitDanger && "danger"]))}>${escape_html(submitText)}</button>`;
+  }
+  let $$settled = true;
+  let $$inner_payload;
+  function $$render_inner($$payload2) {
+    Dialog($$payload2, spread_props([
+      { onclose },
+      rest,
+      {
+        get dialog() {
+          return dialog;
+        },
+        set dialog($$value) {
+          dialog = $$value;
+          $$settled = false;
+        },
+        children: ($$payload3) => {
+          header?.($$payload3);
+          $$payload3.out += `<!----> <form class="main" method="dialog">`;
+          {
+            $$payload3.out += "<!--[!-->";
+          }
+          $$payload3.out += `<!--]--> `;
+          children($$payload3);
+          $$payload3.out += `<!----> `;
+          if (pageMode) {
+            $$payload3.out += "<!--[-->";
+            submitButton($$payload3);
+          } else {
+            $$payload3.out += "<!--[!-->";
+            $$payload3.out += `<div class="actions svelte-p6pltw"><button type="button">Cancel</button> `;
+            submitButton($$payload3);
+            $$payload3.out += `<!----></div>`;
+          }
+          $$payload3.out += `<!--]--></form> `;
+          footer?.($$payload3);
+          $$payload3.out += `<!---->`;
+        },
+        $$slots: { default: true }
+      }
+    ]));
+  }
+  do {
+    $$settled = true;
+    $$inner_payload = copy_payload($$payload);
+    $$render_inner($$inner_payload);
+  } while (!$$settled);
+  assign_payload($$payload, $$inner_payload);
+  bind_props($$props, { dialog });
+  pop();
+}
+let prefix = "/api/";
+async function fetchAPI(method, endpoint, data, ...params) {
+  const options = {
+    method,
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    }
+  };
+  if (method !== "GET" && method !== "HEAD")
+    options.body = JSON.stringify(data);
+  const parts = [];
+  for (const part of endpoint.split("/")) {
+    if (!part.startsWith(":")) {
+      parts.push(part);
+      continue;
+    }
+    const value = params.shift();
+    if (!value)
+      throw new Error(`Missing parameter "${part.slice(1)}"`);
+    parts.push(value);
+  }
+  const response = await fetch(prefix + parts.join("/"), options);
+  if (!response.headers.get("Content-Type")?.includes("application/json")) {
+    throw new Error(`Unexpected response type: ${response.headers.get("Content-Type")}`);
+  }
+  const json = await response.json().catch(() => ({ message: "Unknown server error (invalid JSON response)" }));
+  if (!response.ok)
+    throw new Error(json.message);
+  return json;
+}
 const transports = ["ble", "cable", "hybrid", "internal", "nfc", "smart-card", "usb"];
 const authenticatorAttachment = z.literal(["platform", "cross-platform"]).optional();
 const PasskeyRegistration = z.object({
@@ -11555,6 +12259,118 @@ function getUserImage(user) {
 		<text x="23" y="28" style="font-family:sans-serif;font-weight:bold;" fill="white">${user.name.replaceAll(/\W/g, "")[0]}</text>
 	</svg>`.replaceAll(/[\t\n]/g, "");
 }
+async function login(userId) {
+  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "login" }, userId);
+  const response = await startAuthentication({ optionsJSON: options });
+  return await fetchAPI("POST", "users/:id/auth", response, userId);
+}
+async function elevate(userId) {
+  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "action" }, userId);
+  const response = await startAuthentication({ optionsJSON: options });
+  await fetchAPI("POST", "users/:id/auth", response, userId);
+}
+async function loginByEmail(email) {
+  const { id: userId } = await fetchAPI("POST", "user_id", {
+    using: "email",
+    value: email
+  });
+  return await login(userId);
+}
+async function getCurrentSession() {
+  const result = await fetchAPI("GET", "session");
+  result.created = new Date(result.created);
+  result.expires = new Date(result.expires);
+  return result;
+}
+async function getSessions(userId) {
+  _checkId(userId);
+  const result = await fetchAPI("GET", "users/:id/sessions", {}, userId);
+  for (const session of result) {
+    session.created = new Date(session.created);
+    session.expires = new Date(session.expires);
+  }
+  return result;
+}
+async function logout(userId, ...sessionId) {
+  _checkId(userId);
+  const result = await fetchAPI("DELETE", "users/:id/sessions", { id: sessionId }, userId);
+  for (const session of result) {
+    session.created = new Date(session.created);
+    session.expires = new Date(session.expires);
+  }
+  return result;
+}
+async function logoutAll(userId) {
+  _checkId(userId);
+  await elevate(userId);
+  const result = await fetchAPI("DELETE", "users/:id/sessions", { confirm_all: true }, userId);
+  for (const session of result) {
+    session.created = new Date(session.created);
+    session.expires = new Date(session.expires);
+  }
+  return result;
+}
+async function logoutCurrentSession() {
+  return await fetchAPI("DELETE", "session");
+}
+async function register(_data) {
+  const data = z.object({ name: z.string(), email: z.email() }).parse(_data);
+  const { options, userId } = await fetchAPI("OPTIONS", "register", data);
+  const response = await startRegistration({ optionsJSON: options });
+  await fetchAPI("POST", "register", {
+    userId,
+    name: data.name,
+    email: data.email,
+    response
+  });
+}
+function _checkId(userId) {
+  try {
+    z.uuid().parse(userId);
+  } catch (e) {
+    throw z.prettifyError(e);
+  }
+}
+async function updateUser(userId, data) {
+  _checkId(userId);
+  const body = await UserChangeable.parseAsync(data).catch((e) => {
+    throw z.prettifyError(e);
+  });
+  const result = await fetchAPI("PATCH", "users/:id", body, userId);
+  result.registeredAt = new Date(result.registeredAt);
+  if (result.emailVerified)
+    result.emailVerified = new Date(result.emailVerified);
+  return result;
+}
+async function deleteUser(userId) {
+  _checkId(userId);
+  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "action" }, userId);
+  const response = await startAuthentication({ optionsJSON: options });
+  await fetchAPI("POST", "users/:id/auth", response, userId);
+  const result = await fetchAPI("DELETE", "users/:id", response, userId);
+  result.registeredAt = new Date(result.registeredAt);
+  result.emailVerified = new Date(result.emailVerified);
+  return result;
+}
+async function emailVerificationEnabled(userId) {
+  _checkId(userId);
+  const { enabled } = await fetchAPI("OPTIONS", "users/:id/verify_email", {}, userId);
+  return enabled;
+}
+async function getPasskeys(userId) {
+  _checkId(userId);
+  const result = await fetchAPI("GET", "users/:id/passkeys", {}, userId);
+  for (const passkey of result) {
+    passkey.createdAt = new Date(passkey.createdAt);
+  }
+  return result;
+}
+async function updatePasskey(passkeyId, data) {
+  return await fetchAPI("PATCH", "passkeys/:id", data, passkeyId);
+}
+async function deletePasskey(passkeyId) {
+  return await fetchAPI("DELETE", "passkeys/:id", {}, passkeyId);
+}
 
-export { UserChangeable as U, getUserImage as g, z };
-//# sourceMappingURL=user2-D249re2A.js.map
+export { FormDialog as F, getPasskeys as a, getSessions as b, getUserImage as c, deleteUser as d, emailVerificationEnabled as e, deletePasskey as f, getCurrentSession as g, logoutAll as h, updateUser as i, loginByEmail as j, logoutCurrentSession as k, logout as l, register as r, updatePasskey as u };
+//# sourceMappingURL=user-BM1CPpSk.js.map