@axium/server 0.26.0 → 0.26.2

package/build/server/chunks/user2-CRfK67II.js

@@ -1,716 +0,0 @@
-import { o as object, e as email, d as string, u as uuid, f as prettifyError, $ as $ZodError, U as UserChangeable } from './index-Tt4zVDIZ.js';
-
-/**
- * Convert the given array buffer into a Base64URL-encoded string. Ideal for converting various
- * credential response ArrayBuffers to string for sending back to the server as JSON.
- *
- * Helper method to compliment `base64URLStringToBuffer`
- */
-function bufferToBase64URLString(buffer) {
-    const bytes = new Uint8Array(buffer);
-    let str = '';
-    for (const charCode of bytes) {
-        str += String.fromCharCode(charCode);
-    }
-    const base64String = btoa(str);
-    return base64String.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-
-/**
- * Convert from a Base64URL-encoded string to an Array Buffer. Best used when converting a
- * credential ID from a JSON string to an ArrayBuffer, like in allowCredentials or
- * excludeCredentials
- *
- * Helper method to compliment `bufferToBase64URLString`
- */
-function base64URLStringToBuffer(base64URLString) {
-    // Convert from Base64URL to Base64
-    const base64 = base64URLString.replace(/-/g, '+').replace(/_/g, '/');
-    /**
-     * Pad with '=' until it's a multiple of four
-     * (4 - (85 % 4 = 1) = 3) % 4 = 3 padding
-     * (4 - (86 % 4 = 2) = 2) % 4 = 2 padding
-     * (4 - (87 % 4 = 3) = 1) % 4 = 1 padding
-     * (4 - (88 % 4 = 0) = 4) % 4 = 0 padding
-     */
-    const padLength = (4 - (base64.length % 4)) % 4;
-    const padded = base64.padEnd(base64.length + padLength, '=');
-    // Convert to a binary string
-    const binary = atob(padded);
-    // Convert binary string to buffer
-    const buffer = new ArrayBuffer(binary.length);
-    const bytes = new Uint8Array(buffer);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-    }
-    return buffer;
-}
-
-/**
- * Determine if the browser is capable of Webauthn
- */
-function browserSupportsWebAuthn() {
-    return _browserSupportsWebAuthnInternals.stubThis(globalThis?.PublicKeyCredential !== undefined &&
-        typeof globalThis.PublicKeyCredential === 'function');
-}
-/**
- * Make it possible to stub the return value during testing
- * @ignore Don't include this in docs output
- */
-const _browserSupportsWebAuthnInternals = {
-    stubThis: (value) => value,
-};
-
-function toPublicKeyCredentialDescriptor(descriptor) {
-    const { id } = descriptor;
-    return {
-        ...descriptor,
-        id: base64URLStringToBuffer(id),
-        /**
-         * `descriptor.transports` is an array of our `AuthenticatorTransportFuture` that includes newer
-         * transports that TypeScript's DOM lib is ignorant of. Convince TS that our list of transports
-         * are fine to pass to WebAuthn since browsers will recognize the new value.
-         */
-        transports: descriptor.transports,
-    };
-}
-
-/**
- * A simple test to determine if a hostname is a properly-formatted domain name
- *
- * A "valid domain" is defined here: https://url.spec.whatwg.org/#valid-domain
- *
- * Regex sourced from here:
- * https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
- */
-function isValidDomain(hostname) {
-    return (
-    // Consider localhost valid as well since it's okay wrt Secure Contexts
-    hostname === 'localhost' ||
-        /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname));
-}
-
-/**
- * A custom Error used to return a more nuanced error detailing _why_ one of the eight documented
- * errors in the spec was raised after calling `navigator.credentials.create()` or
- * `navigator.credentials.get()`:
- *
- * - `AbortError`
- * - `ConstraintError`
- * - `InvalidStateError`
- * - `NotAllowedError`
- * - `NotSupportedError`
- * - `SecurityError`
- * - `TypeError`
- * - `UnknownError`
- *
- * Error messages were determined through investigation of the spec to determine under which
- * scenarios a given error would be raised.
- */
-class WebAuthnError extends Error {
-    constructor({ message, code, cause, name, }) {
-        // @ts-ignore: help Rollup understand that `cause` is okay to set
-        super(message, { cause });
-        Object.defineProperty(this, "code", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        this.name = name ?? cause.name;
-        this.code = code;
-    }
-}
-
-/**
- * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.create()`
- */
-function identifyRegistrationError({ error, options, }) {
-    const { publicKey } = options;
-    if (!publicKey) {
-        throw Error('options was missing required publicKey property');
-    }
-    if (error.name === 'AbortError') {
-        if (options.signal instanceof AbortSignal) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
-            return new WebAuthnError({
-                message: 'Registration ceremony was sent an abort signal',
-                code: 'ERROR_CEREMONY_ABORTED',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'ConstraintError') {
-        if (publicKey.authenticatorSelection?.requireResidentKey === true) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 4)
-            return new WebAuthnError({
-                message: 'Discoverable credentials were required but no available authenticator supported it',
-                code: 'ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT',
-                cause: error,
-            });
-        }
-        else if (
-        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
-        options.mediation === 'conditional' &&
-            publicKey.authenticatorSelection?.userVerification === 'required') {
-            // https://w3c.github.io/webauthn/#sctn-createCredential (Step 22.4)
-            return new WebAuthnError({
-                message: 'User verification was required during automatic registration but it could not be performed',
-                code: 'ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE',
-                cause: error,
-            });
-        }
-        else if (publicKey.authenticatorSelection?.userVerification === 'required') {
-            // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 5)
-            return new WebAuthnError({
-                message: 'User verification was required but no available authenticator supported it',
-                code: 'ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'InvalidStateError') {
-        // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 20)
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 3)
-        return new WebAuthnError({
-            message: 'The authenticator was previously registered',
-            code: 'ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED',
-            cause: error,
-        });
-    }
-    else if (error.name === 'NotAllowedError') {
-        /**
-         * Pass the error directly through. Platforms are overloading this error beyond what the spec
-         * defines and we don't want to overwrite potentially useful error messages.
-         */
-        return new WebAuthnError({
-            message: error.message,
-            code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
-            cause: error,
-        });
-    }
-    else if (error.name === 'NotSupportedError') {
-        const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === 'public-key');
-        if (validPubKeyCredParams.length === 0) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 10)
-            return new WebAuthnError({
-                message: 'No entry in pubKeyCredParams was of type "public-key"',
-                code: 'ERROR_MALFORMED_PUBKEYCREDPARAMS',
-                cause: error,
-            });
-        }
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 2)
-        return new WebAuthnError({
-            message: 'No available authenticator supported any of the specified pubKeyCredParams algorithms',
-            code: 'ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG',
-            cause: error,
-        });
-    }
-    else if (error.name === 'SecurityError') {
-        const effectiveDomain = globalThis.location.hostname;
-        if (!isValidDomain(effectiveDomain)) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 7)
-            return new WebAuthnError({
-                message: `${globalThis.location.hostname} is an invalid domain`,
-                code: 'ERROR_INVALID_DOMAIN',
-                cause: error,
-            });
-        }
-        else if (publicKey.rp.id !== effectiveDomain) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 8)
-            return new WebAuthnError({
-                message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
-                code: 'ERROR_INVALID_RP_ID',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'TypeError') {
-        if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 5)
-            return new WebAuthnError({
-                message: 'User ID was not between 1 and 64 characters',
-                code: 'ERROR_INVALID_USER_ID_LENGTH',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'UnknownError') {
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 1)
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-make-cred (Step 8)
-        return new WebAuthnError({
-            message: 'The authenticator was unable to process the specified options, or could not create a new credential',
-            code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
-            cause: error,
-        });
-    }
-    return error;
-}
-
-class BaseWebAuthnAbortService {
-    constructor() {
-        Object.defineProperty(this, "controller", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-    }
-    createNewAbortSignal() {
-        // Abort any existing calls to navigator.credentials.create() or navigator.credentials.get()
-        if (this.controller) {
-            const abortError = new Error('Cancelling existing WebAuthn API call for new one');
-            abortError.name = 'AbortError';
-            this.controller.abort(abortError);
-        }
-        const newController = new AbortController();
-        this.controller = newController;
-        return newController.signal;
-    }
-    cancelCeremony() {
-        if (this.controller) {
-            const abortError = new Error('Manually cancelling existing WebAuthn API call');
-            abortError.name = 'AbortError';
-            this.controller.abort(abortError);
-            this.controller = undefined;
-        }
-    }
-}
-/**
- * A service singleton to help ensure that only a single WebAuthn ceremony is active at a time.
- *
- * Users of **@simplewebauthn/browser** shouldn't typically need to use this, but it can help e.g.
- * developers building projects that use client-side routing to better control the behavior of
- * their UX in response to router navigation events.
- */
-const WebAuthnAbortService = new BaseWebAuthnAbortService();
-
-const attachments = ['cross-platform', 'platform'];
-/**
- * If possible coerce a `string` value into a known `AuthenticatorAttachment`
- */
-function toAuthenticatorAttachment(attachment) {
-    if (!attachment) {
-        return;
-    }
-    if (attachments.indexOf(attachment) < 0) {
-        return;
-    }
-    return attachment;
-}
-
-/**
- * Begin authenticator "registration" via WebAuthn attestation
- *
- * @param optionsJSON Output from **@simplewebauthn/server**'s `generateRegistrationOptions()`
- * @param useAutoRegister (Optional) Try to silently create a passkey with the password manager that the user just signed in with. Defaults to `false`.
- */
-async function startRegistration(options) {
-    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
-    if (!options.optionsJSON && options.challenge) {
-        console.warn('startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
-        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
-        options = { optionsJSON: options };
-    }
-    const { optionsJSON, useAutoRegister = false } = options;
-    if (!browserSupportsWebAuthn()) {
-        throw new Error('WebAuthn is not supported in this browser');
-    }
-    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
-    const publicKey = {
-        ...optionsJSON,
-        challenge: base64URLStringToBuffer(optionsJSON.challenge),
-        user: {
-            ...optionsJSON.user,
-            id: base64URLStringToBuffer(optionsJSON.user.id),
-        },
-        excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor),
-    };
-    // Prepare options for `.create()`
-    const createOptions = {};
-    /**
-     * Try to use conditional create to register a passkey for the user with the password manager
-     * the user just used to authenticate with. The user won't be shown any prominent UI by the
-     * browser.
-     */
-    if (useAutoRegister) {
-        // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
-        createOptions.mediation = 'conditional';
-    }
-    // Finalize options
-    createOptions.publicKey = publicKey;
-    // Set up the ability to cancel this request if the user attempts another
-    createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
-    // Wait for the user to complete attestation
-    let credential;
-    try {
-        credential = (await navigator.credentials.create(createOptions));
-    }
-    catch (err) {
-        throw identifyRegistrationError({ error: err, options: createOptions });
-    }
-    if (!credential) {
-        throw new Error('Registration was not completed');
-    }
-    const { id, rawId, response, type } = credential;
-    // Continue to play it safe with `getTransports()` for now, even when L3 types say it's required
-    let transports = undefined;
-    if (typeof response.getTransports === 'function') {
-        transports = response.getTransports();
-    }
-    // L3 says this is required, but browser and webview support are still not guaranteed.
-    let responsePublicKeyAlgorithm = undefined;
-    if (typeof response.getPublicKeyAlgorithm === 'function') {
-        try {
-            responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
-        }
-        catch (error) {
-            warnOnBrokenImplementation('getPublicKeyAlgorithm()', error);
-        }
-    }
-    let responsePublicKey = undefined;
-    if (typeof response.getPublicKey === 'function') {
-        try {
-            const _publicKey = response.getPublicKey();
-            if (_publicKey !== null) {
-                responsePublicKey = bufferToBase64URLString(_publicKey);
-            }
-        }
-        catch (error) {
-            warnOnBrokenImplementation('getPublicKey()', error);
-        }
-    }
-    // L3 says this is required, but browser and webview support are still not guaranteed.
-    let responseAuthenticatorData;
-    if (typeof response.getAuthenticatorData === 'function') {
-        try {
-            responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
-        }
-        catch (error) {
-            warnOnBrokenImplementation('getAuthenticatorData()', error);
-        }
-    }
-    return {
-        id,
-        rawId: bufferToBase64URLString(rawId),
-        response: {
-            attestationObject: bufferToBase64URLString(response.attestationObject),
-            clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
-            transports,
-            publicKeyAlgorithm: responsePublicKeyAlgorithm,
-            publicKey: responsePublicKey,
-            authenticatorData: responseAuthenticatorData,
-        },
-        type,
-        clientExtensionResults: credential.getClientExtensionResults(),
-        authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
-    };
-}
-/**
- * Visibly warn when we detect an issue related to a passkey provider intercepting WebAuthn API
- * calls
- */
-function warnOnBrokenImplementation(methodName, cause) {
-    console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.\n`, cause);
-}
-
-/**
- * Determine if the browser supports conditional UI, so that WebAuthn credentials can
- * be shown to the user in the browser's typical password autofill popup.
- */
-function browserSupportsWebAuthnAutofill() {
-    if (!browserSupportsWebAuthn()) {
-        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
-    }
-    /**
-     * I don't like the `as unknown` here but there's a `declare var PublicKeyCredential` in
-     * TS' DOM lib that's making it difficult for me to just go `as PublicKeyCredentialFuture` as I
-     * want. I think I'm fine with this for now since it's _supposed_ to be temporary, until TS types
-     * have a chance to catch up.
-     */
-    const globalPublicKeyCredential = globalThis
-        .PublicKeyCredential;
-    if (globalPublicKeyCredential?.isConditionalMediationAvailable === undefined) {
-        return _browserSupportsWebAuthnAutofillInternals.stubThis(new Promise((resolve) => resolve(false)));
-    }
-    return _browserSupportsWebAuthnAutofillInternals.stubThis(globalPublicKeyCredential.isConditionalMediationAvailable());
-}
-// Make it possible to stub the return value during testing
-const _browserSupportsWebAuthnAutofillInternals = {
-    stubThis: (value) => value,
-};
-
-/**
- * Attempt to intuit _why_ an error was raised after calling `navigator.credentials.get()`
- */
-function identifyAuthenticationError({ error, options, }) {
-    const { publicKey } = options;
-    if (!publicKey) {
-        throw Error('options was missing required publicKey property');
-    }
-    if (error.name === 'AbortError') {
-        if (options.signal instanceof AbortSignal) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-createCredential (Step 16)
-            return new WebAuthnError({
-                message: 'Authentication ceremony was sent an abort signal',
-                code: 'ERROR_CEREMONY_ABORTED',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'NotAllowedError') {
-        /**
-         * Pass the error directly through. Platforms are overloading this error beyond what the spec
-         * defines and we don't want to overwrite potentially useful error messages.
-         */
-        return new WebAuthnError({
-            message: error.message,
-            code: 'ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY',
-            cause: error,
-        });
-    }
-    else if (error.name === 'SecurityError') {
-        const effectiveDomain = globalThis.location.hostname;
-        if (!isValidDomain(effectiveDomain)) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 5)
-            return new WebAuthnError({
-                message: `${globalThis.location.hostname} is an invalid domain`,
-                code: 'ERROR_INVALID_DOMAIN',
-                cause: error,
-            });
-        }
-        else if (publicKey.rpId !== effectiveDomain) {
-            // https://www.w3.org/TR/webauthn-2/#sctn-discover-from-external-source (Step 6)
-            return new WebAuthnError({
-                message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
-                code: 'ERROR_INVALID_RP_ID',
-                cause: error,
-            });
-        }
-    }
-    else if (error.name === 'UnknownError') {
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 1)
-        // https://www.w3.org/TR/webauthn-2/#sctn-op-get-assertion (Step 12)
-        return new WebAuthnError({
-            message: 'The authenticator was unable to process the specified options, or could not create a new assertion signature',
-            code: 'ERROR_AUTHENTICATOR_GENERAL_ERROR',
-            cause: error,
-        });
-    }
-    return error;
-}
-
-/**
- * Begin authenticator "login" via WebAuthn assertion
- *
- * @param optionsJSON Output from **@simplewebauthn/server**'s `generateAuthenticationOptions()`
- * @param useBrowserAutofill (Optional) Initialize conditional UI to enable logging in via browser autofill prompts. Defaults to `false`.
- * @param verifyBrowserAutofillInput (Optional) Ensure a suitable `<input>` element is present when `useBrowserAutofill` is `true`. Defaults to `true`.
- */
-async function startAuthentication(options) {
-    // @ts-ignore: Intentionally check for old call structure to warn about improper API call
-    if (!options.optionsJSON && options.challenge) {
-        console.warn('startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information.');
-        // @ts-ignore: Reassign the options, passed in as a positional argument, to the expected variable
-        options = { optionsJSON: options };
-    }
-    const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true, } = options;
-    if (!browserSupportsWebAuthn()) {
-        throw new Error('WebAuthn is not supported in this browser');
-    }
-    // We need to avoid passing empty array to avoid blocking retrieval
-    // of public key
-    let allowCredentials;
-    if (optionsJSON.allowCredentials?.length !== 0) {
-        allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
-    }
-    // We need to convert some values to Uint8Arrays before passing the credentials to the navigator
-    const publicKey = {
-        ...optionsJSON,
-        challenge: base64URLStringToBuffer(optionsJSON.challenge),
-        allowCredentials,
-    };
-    // Prepare options for `.get()`
-    const getOptions = {};
-    /**
-     * Set up the page to prompt the user to select a credential for authentication via the browser's
-     * input autofill mechanism.
-     */
-    if (useBrowserAutofill) {
-        if (!(await browserSupportsWebAuthnAutofill())) {
-            throw Error('Browser does not support WebAuthn autofill');
-        }
-        // Check for an <input> with "webauthn" in its `autocomplete` attribute
-        const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
-        // WebAuthn autofill requires at least one valid input
-        if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
-            throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
-        }
-        // `CredentialMediationRequirement` doesn't know about "conditional" yet as of
-        // typescript@4.6.3
-        getOptions.mediation = 'conditional';
-        // Conditional UI requires an empty allow list
-        publicKey.allowCredentials = [];
-    }
-    // Finalize options
-    getOptions.publicKey = publicKey;
-    // Set up the ability to cancel this request if the user attempts another
-    getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
-    // Wait for the user to complete assertion
-    let credential;
-    try {
-        credential = (await navigator.credentials.get(getOptions));
-    }
-    catch (err) {
-        throw identifyAuthenticationError({ error: err, options: getOptions });
-    }
-    if (!credential) {
-        throw new Error('Authentication was not completed');
-    }
-    const { id, rawId, response, type } = credential;
-    let userHandle = undefined;
-    if (response.userHandle) {
-        userHandle = bufferToBase64URLString(response.userHandle);
-    }
-    // Convert values to base64 to make it easier to send back to the server
-    return {
-        id,
-        rawId: bufferToBase64URLString(rawId),
-        response: {
-            authenticatorData: bufferToBase64URLString(response.authenticatorData),
-            clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
-            signature: bufferToBase64URLString(response.signature),
-            userHandle,
-        },
-        type,
-        clientExtensionResults: credential.getClientExtensionResults(),
-        authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment),
-    };
-}
-
-let prefix = "/api/";
-async function fetchAPI(method, endpoint, data, ...params) {
-  const options = {
-    method,
-    headers: {
-      "Content-Type": "application/json",
-      Accept: "application/json"
-    }
-  };
-  if (method !== "GET" && method !== "HEAD")
-    options.body = JSON.stringify(data);
-  const search = method != "GET" || typeof data != "object" || data == null || !Object.keys(data).length ? "" : "?" + new URLSearchParams(data).toString();
-  const parts = [];
-  for (const part of endpoint.split("/")) {
-    if (!part.startsWith(":")) {
-      parts.push(part);
-      continue;
-    }
-    const value = params.shift();
-    if (!value)
-      throw new Error(`Missing parameter "${part.slice(1)}"`);
-    parts.push(value);
-  }
-  const response = await fetch(prefix + parts.join("/") + search, options);
-  if (!response.headers.get("Content-Type")?.includes("application/json")) {
-    throw new Error(`Unexpected response type: ${response.headers.get("Content-Type")}`);
-  }
-  const json = await response.json().catch(() => ({ message: "Unknown server error (invalid JSON response)" }));
-  if (!response.ok)
-    throw new Error(json.message);
-  return json;
-}
-
-async function login(userId) {
-  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "login" }, userId);
-  const response = await startAuthentication({ optionsJSON: options });
-  return await fetchAPI("POST", "users/:id/auth", response, userId);
-}
-async function elevate(userId) {
-  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "action" }, userId);
-  const response = await startAuthentication({ optionsJSON: options });
-  await fetchAPI("POST", "users/:id/auth", response, userId);
-}
-async function loginByEmail(email) {
-  const { id: userId } = await fetchAPI("POST", "user_id", {
-    using: "email",
-    value: email
-  });
-  return await login(userId);
-}
-async function getCurrentSession() {
-  const result = await fetchAPI("GET", "session");
-  result.created = new Date(result.created);
-  result.expires = new Date(result.expires);
-  return result;
-}
-async function logout(userId, ...sessionId) {
-  _checkId(userId);
-  const result = await fetchAPI("DELETE", "users/:id/sessions", { id: sessionId }, userId);
-  for (const session of result) {
-    session.created = new Date(session.created);
-    session.expires = new Date(session.expires);
-  }
-  return result;
-}
-async function logoutAll(userId) {
-  _checkId(userId);
-  await elevate(userId);
-  const result = await fetchAPI("DELETE", "users/:id/sessions", { confirm_all: true }, userId);
-  for (const session of result) {
-    session.created = new Date(session.created);
-    session.expires = new Date(session.expires);
-  }
-  return result;
-}
-async function logoutCurrentSession() {
-  return await fetchAPI("DELETE", "session");
-}
-async function register(_data) {
-  const data = object({ name: string(), email: email() }).parse(_data);
-  const { options, userId } = await fetchAPI("OPTIONS", "register", data);
-  const response = await startRegistration({ optionsJSON: options });
-  await fetchAPI("POST", "register", {
-    userId,
-    name: data.name,
-    email: data.email,
-    response
-  });
-}
-function _checkId(userId) {
-  try {
-    uuid().parse(userId);
-  } catch (e) {
-    throw e instanceof $ZodError ? prettifyError(e) : e;
-  }
-}
-async function updateUser(userId, data) {
-  _checkId(userId);
-  const body = await UserChangeable.parseAsync(data).catch((e) => {
-    throw e instanceof $ZodError ? prettifyError(e) : e;
-  });
-  const result = await fetchAPI("PATCH", "users/:id", body, userId);
-  result.registeredAt = new Date(result.registeredAt);
-  if (result.emailVerified)
-    result.emailVerified = new Date(result.emailVerified);
-  return result;
-}
-async function deleteUser(userId) {
-  _checkId(userId);
-  const options = await fetchAPI("OPTIONS", "users/:id/auth", { type: "action" }, userId);
-  const response = await startAuthentication({ optionsJSON: options });
-  await fetchAPI("POST", "users/:id/auth", response, userId);
-  const result = await fetchAPI("DELETE", "users/:id", response, userId);
-  result.registeredAt = new Date(result.registeredAt);
-  result.emailVerified = new Date(result.emailVerified);
-  return result;
-}
-async function updatePasskey(passkeyId, data) {
-  return await fetchAPI("PATCH", "passkeys/:id", data, passkeyId);
-}
-async function deletePasskey(passkeyId) {
-  return await fetchAPI("DELETE", "passkeys/:id", {}, passkeyId);
-}
-
-export { deletePasskey as a, updateUser as b, logoutAll as c, deleteUser as d, loginByEmail as e, logoutCurrentSession as f, getCurrentSession as g, logout as l, register as r, updatePasskey as u };
-//# sourceMappingURL=user2-CRfK67II.js.map