@betterportal/auth-default 0.0.1 → 10.0.1

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.d.ts

@@ -0,0 +1,89 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+import { type ApiAuthRequirement, type CacheHints, type BetterPortalRouteChrome } from "@betterportal/framework";
+export declare const QuerySchema: av.ObjectSchema<{
+    action: av.OptionalSchema<av.StringSchema>;
+    next: av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const HeadersSchema: av.ObjectSchema<{}>;
+export declare const RequestSchema: av.ObjectSchema<{
+    username: av.StringSchema;
+    password: av.StringSchema;
+    next: av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const ResponseSchema: av.ObjectSchema<{
+    status: av.EnumSchema<readonly ["ok", "error"]>;
+    message: av.OptionalSchema<av.StringSchema>;
+    accessToken: av.OptionalSchema<av.StringSchema>;
+    refreshToken: av.OptionalSchema<av.StringSchema>;
+    expiresInSeconds: av.OptionalSchema<av.IntSchema>;
+    user: av.OptionalSchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        username: av.StringSchema;
+        email: av.OptionalSchema<av.StringSchema>;
+        name: av.OptionalSchema<av.StringSchema>;
+    }>>;
+    requiresFirstAdmin: av.OptionalSchema<av.BoolSchema>;
+    firstAdminUrl: av.OptionalSchema<av.StringSchema>;
+    alreadyLoggedIn: av.OptionalSchema<av.BoolSchema>;
+    loggedOut: av.OptionalSchema<av.BoolSchema>;
+    logoutUrl: av.OptionalSchema<av.StringSchema>;
+    nextUrl: av.OptionalSchema<av.StringSchema>;
+}>;
+export type ResponseData = Infer<typeof ResponseSchema>;
+export declare const title = "Login";
+export declare const description = "Authenticate with username and password to receive a JWT.";
+export declare const role = "auth.login";
+export declare const dependencies: string[];
+export declare const chrome: BetterPortalRouteChrome;
+export declare const auth: ApiAuthRequirement;
+export declare const cacheHints: CacheHints;
+export declare const handleGet: import("@betterportal/framework").RouteHandler<Record<string, string>, {
+    action?: string | undefined;
+    next?: string | undefined;
+}, Record<string, string>, Record<string, unknown>, {
+    status: "ok" | "error";
+    message?: string | undefined;
+    accessToken?: string | undefined;
+    refreshToken?: string | undefined;
+    expiresInSeconds?: number | undefined;
+    user?: {
+        id: string;
+        username: string;
+        email?: string | undefined;
+        name?: string | undefined;
+    } | undefined;
+    requiresFirstAdmin?: boolean | undefined;
+    firstAdminUrl?: string | undefined;
+    alreadyLoggedIn?: boolean | undefined;
+    loggedOut?: boolean | undefined;
+    logoutUrl?: string | undefined;
+    nextUrl?: string | undefined;
+}, unknown, Record<string, unknown>>;
+export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, {
+    action?: string | undefined;
+    next?: string | undefined;
+}, Record<string, string>, {
+    username: string;
+    password: string;
+    next?: string | undefined;
+}, {
+    status: "ok" | "error";
+    message?: string | undefined;
+    accessToken?: string | undefined;
+    refreshToken?: string | undefined;
+    expiresInSeconds?: number | undefined;
+    user?: {
+        id: string;
+        username: string;
+        email?: string | undefined;
+        name?: string | undefined;
+    } | undefined;
+    requiresFirstAdmin?: boolean | undefined;
+    firstAdminUrl?: string | undefined;
+    alreadyLoggedIn?: boolean | undefined;
+    loggedOut?: boolean | undefined;
+    logoutUrl?: string | undefined;
+    nextUrl?: string | undefined;
+}, unknown, Record<string, unknown>>;
+//# sourceMappingURL=route.impl.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.impl.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,uBAAuB,EAC7B,MAAM,yBAAyB,CAAC;AAIjC,eAAO,MAAM,WAAW;;;EAGI,CAAC;AAE7B,eAAO,MAAM,aAAa,qBAA0C,CAAC;AAErE,eAAO,MAAM,aAAa;;;;EAIE,CAAC;AAE7B,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;EA2BC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,UAAU,CAAC;AAC7B,eAAO,MAAM,WAAW,8DAA8D,CAAC;AACvF,eAAO,MAAM,IAAI,eAAe,CAAC;AACjC,eAAO,MAAM,YAAY,UAAsD,CAAC;AAChF,eAAO,MAAM,MAAM,EAAE,uBAA8C,CAAC;AAEpE,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAeF,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;oCAuDrB,CAAC;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;oCA6EtB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.js

@@ -0,0 +1,186 @@
+import * as av from "anyvali";
+import { createHandler } from "@betterportal/framework";
+import { resolveDefaultAuthAppConfig } from "../../index.js";
+export const QuerySchema = av.object({
+    action: av.optional(av.string()).describe("Optional login route action, currently supports logout."),
+    next: av.optional(av.string()).describe("The view path that redirected to the login page and should be redirected back to after a successful login.")
+}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({
+    username: av.string().minLength(1).describe("Username for the account signing in."),
+    password: av.string().minLength(1).describe("Password for the account signing in."),
+    next: av.optional(av.string()).describe("The view path to soft-navigate to after a successful login.")
+}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok", "error"]).describe("Login request outcome."),
+    message: av.optional(av.string()).describe("Human-readable status or error message for the renderer."),
+    accessToken: av.optional(av.string()).describe("Signed JWT access token returned on successful login."),
+    refreshToken: av.optional(av.string()).describe("Signed JWT refresh token returned on successful login."),
+    expiresInSeconds: av.optional(av.int().min(1)).describe("Access token lifetime in seconds."),
+    user: av.optional(av.object({
+        id: av.string().describe("Stable UUIDv7 user id."),
+        username: av.string().describe("Account username."),
+        email: av.optional(av.string()).describe("User email address, when set."),
+        name: av.optional(av.string()).describe("Display name, when set.")
+    }, { unknownKeys: "strip" }).describe("Authenticated user summary.")),
+    // True while the auth service has zero users - the theme renderer redirects
+    // to the register view (first-admin setup) instead of showing the login form.
+    requiresFirstAdmin: av.optional(av.bool()).describe("True while the auth service has zero users; the theme renderer should redirect to first-admin registration instead of showing the login form."),
+    // Absolute URL of this auth service's register view (self-origin). Provided so
+    // the theme renderer can load it in-shell without knowing the auth origin.
+    firstAdminUrl: av.optional(av.string()).describe("Absolute self-origin URL of this auth service's register view so the theme can load it in-shell without knowing the auth origin."),
+    // True when the GET request already carried a valid access token - the theme
+    // renderer shows a "signed in" state instead of the login form.
+    alreadyLoggedIn: av.optional(av.bool()).describe("True when the GET request already carried a valid access token; the theme renderer should show a signed-in state instead of the login form."),
+    loggedOut: av.optional(av.bool()).describe("True after the login route handled ?action=logout."),
+    // Tenant-app path of the logout view (app config auth.logoutViewId).
+    logoutUrl: av.optional(av.string()).describe("Tenant-app path of the logout view from app auth config."),
+    // Echo of ?next= when already signed in - the theme renderer redirects there
+    // immediately instead of showing the signed-in card.
+    nextUrl: av.optional(av.string()).describe("Echo of the next path when already signed in; the theme renderer should redirect there immediately.")
+}, { unknownKeys: "strip" });
+export const title = "Login";
+export const description = "Authenticate with username and password to receive a JWT.";
+export const role = "auth.login";
+export const dependencies = ["logout.index", "refresh.index", "register.index"];
+export const chrome = { fullScreen: true };
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+function runtimeFrom(ctx) {
+    const runtime = ctx.plugin?.runtime;
+    if (!runtime)
+        throw new Error("Auth runtime not available on handler context");
+    return runtime;
+}
+function normalizeRedirect(raw) {
+    const redirect = raw?.trim();
+    if (!redirect)
+        return "/";
+    if (redirect.startsWith("http://") || redirect.startsWith("https://"))
+        return redirect;
+    return redirect.startsWith("/") ? redirect : `/${redirect}`;
+}
+export const handleGet = createHandler({ response: ResponseSchema, query: QuerySchema }, (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const requiresFirstAdmin = runtime.userStore.hasNoUsers();
+    if (ctx.query.action === "logout") {
+        const config = resolveDefaultAuthAppConfig(ctx.config);
+        const nextUrl = normalizeRedirect(config.logoutRedirectPath);
+        ctx.bpHeaders?.remove("Authorization");
+        ctx.bpHeaders?.remove("X-BP-Refresh");
+        if (ctx.serviceId)
+            ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+        return {
+            status: "ok",
+            message: "Signed out.",
+            loggedOut: true,
+            nextUrl
+        };
+    }
+    // Valid token already on the request - no point rendering a login form.
+    // First-admin setup still wins: a token can outlive a wiped user store.
+    if (ctx.user && !requiresFirstAdmin) {
+        const config = resolveDefaultAuthAppConfig(ctx.config);
+        const next = ctx.query.next || config.loginRedirectPath;
+        return {
+            status: "ok",
+            message: "Already signed in.",
+            alreadyLoggedIn: true,
+            user: {
+                id: ctx.user.sub,
+                username: ctx.user.name ?? ctx.user.email ?? ctx.user.sub,
+                email: ctx.user.email,
+                name: ctx.user.name
+            },
+            logoutUrl: "/login?action=logout",
+            ...(next ? { nextUrl: next } : {})
+        };
+    }
+    let firstAdminUrl;
+    if (requiresFirstAdmin) {
+        const host = ctx.headers.host;
+        if (host) {
+            const proto = ctx.headers["x-forwarded-proto"] ?? "http";
+            const next = ctx.query.next;
+            firstAdminUrl = `${proto}://${host}/register${next ? `?next=${encodeURIComponent(next)}` : ""}`;
+        }
+    }
+    return {
+        status: "ok",
+        message: "Submit username + password via POST to authenticate.",
+        requiresFirstAdmin,
+        ...(firstAdminUrl ? { firstAdminUrl } : {})
+    };
+});
+export const handlePost = createHandler({ response: ResponseSchema, request: RequestSchema, query: QuerySchema }, async (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const tenantId = ctx.tenant.id;
+    const appId = ctx.app.id;
+    const body = ctx.request;
+    const user = await runtime.userStore.authenticate(tenantId, appId, body.username, body.password);
+    if (!user) {
+        // Auth failures are 401, not 200-with-error-body.
+        ctx.setStatus?.(401);
+        return {
+            status: "error",
+            message: "Invalid username or password."
+        };
+    }
+    const issued = runtime.tokenIssuer.issueTokenPair({
+        sub: user.id,
+        tenantId: user.tenantId,
+        appId,
+        roles: user.roles,
+        name: user.name ?? user.username,
+        email: user.email,
+        picture: user.picture
+    });
+    if (!issued.refreshToken) {
+        throw new Error("Auth token issuer did not return a refresh token");
+    }
+    // Login is rendered in the theme's auth-only page state. After credentials
+    // are stored, navigate the browser back to the tenant route so the normal
+    // shell is rendered from a clean page request.
+    const config = resolveDefaultAuthAppConfig(ctx.config);
+    const next = body.next || ctx.query.next || config.loginRedirectPath || "/";
+    ctx.responseHeaders?.set("HX-Redirect", next);
+    // Auth state changed - reload this service's fragments (nav profile etc.).
+    // Fragments listening on this key re-fetch; absent fragments ignore it.
+    if (ctx.serviceId) {
+        ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+    }
+    // Expire the stored header with the ACCESS token, not the refresh token -
+    // otherwise the client replays a dead JWT for days. The refresh token is
+    // stored separately so the profile fragment can renew before expiry.
+    ctx.bpHeaders?.set('Authorization', `Bearer ${issued.accessToken}`, {
+        expiresInSeconds: issued.accessTokenExpiresInSeconds,
+        locked: true,
+        refreshPath: "/refresh",
+        refreshBeforeSeconds: 60
+    });
+    ctx.bpHeaders?.set('X-BP-Refresh', issued.refreshToken, {
+        expiresInSeconds: issued.refreshTokenExpiresInSeconds ?? runtime.refreshTokenSeconds,
+        locked: true,
+        scopeToOwner: true
+    });
+    return {
+        status: "ok",
+        message: "logged in",
+        accessToken: issued.accessToken,
+        refreshToken: issued.refreshToken,
+        expiresInSeconds: issued.accessTokenExpiresInSeconds,
+        user: {
+            id: user.id,
+            username: user.username,
+            email: user.email,
+            name: user.name ?? user.username
+        }
+    };
+});
+//# sourceMappingURL=route.impl.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.impl.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/login/route.impl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAId,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAE7D,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC;IACnC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,yDAAyD,CAAC;IACpG,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,4GAA4G,CAAC;CACtJ,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IACnF,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IACnF,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,6DAA6D,CAAC;CACvG,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,OAAO,CAAU,CAAC,CAAC,QAAQ,CAAC,wBAAwB,CAAC;IAC7E,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACtG,WAAW,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,uDAAuD,CAAC;IACvG,YAAY,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,wDAAwD,CAAC;IACzG,gBAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IAC5F,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAC1B,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAClD,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QACnD,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,+BAA+B,CAAC;QACzE,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC;KACnE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC;IACrE,4EAA4E;IAC5E,8EAA8E;IAC9E,kBAAkB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,+IAA+I,CAAC;IACpM,+EAA+E;IAC/E,2EAA2E;IAC3E,aAAa,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,kIAAkI,CAAC;IACpL,6EAA6E;IAC7E,gEAAgE;IAChE,eAAe,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,6IAA6I,CAAC;IAC/L,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,oDAAoD,CAAC;IAChG,qEAAqE;IACrE,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACxG,6EAA6E;IAC7E,qDAAqD;IACrD,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,qGAAqG,CAAC;CAClJ,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,OAAO,CAAC;AAC7B,MAAM,CAAC,MAAM,WAAW,GAAG,2DAA2D,CAAC;AACvF,MAAM,CAAC,MAAM,IAAI,GAAG,YAAY,CAAC;AACjC,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC;AAChF,MAAM,CAAC,MAAM,MAAM,GAA4B,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AAEpE,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,SAAS,WAAW,CAAC,GAAyB;IAC5C,MAAM,OAAO,GAAI,GAAG,CAAC,MAAgD,EAAE,OAAO,CAAC;IAC/E,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAC/E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAuB;IAChD,MAAM,QAAQ,GAAG,GAAG,EAAE,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,CAAC;IAC1B,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvF,OAAO,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,CACpC,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE,EAChD,CAAC,GAAG,EAAE,EAAE;IACN,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;IAC1D,IAAK,GAAG,CAAC,KAAmC,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACjE,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC7D,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;QACvC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;QACtC,IAAI,GAAG,CAAC,SAAS;YAAE,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;QAC3F,OAAO;YACL,MAAM,EAAE,IAAa;YACrB,OAAO,EAAE,aAAa;YACtB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,IAAI,GAAI,GAAG,CAAC,KAA2B,CAAC,IAAI,IAAI,MAAM,CAAC,iBAAiB,CAAC;QAC/E,OAAO;YACL,MAAM,EAAE,IAAa;YACrB,OAAO,EAAE,oBAAoB;YAC7B,eAAe,EAAE,IAAI;YACrB,IAAI,EAAE;gBACJ,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG;gBAChB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG;gBACzD,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;aACpB;YACD,SAAS,EAAE,sBAAsB;YACjC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnC,CAAC;IACJ,CAAC;IAED,IAAI,aAAiC,CAAC;IACtC,IAAI,kBAAkB,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;QAC9B,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;YACzD,MAAM,IAAI,GAAI,GAAG,CAAC,KAA2B,CAAC,IAAI,CAAC;YACnD,aAAa,GAAG,GAAG,KAAK,MAAM,IAAI,YAAY,IAAI,CAAC,CAAC,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,sDAAsD;QAC/D,kBAAkB;QAClB,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,EACxE,KAAK,EAAE,GAAG,EAAE,EAAE;IACZ,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;IAEzB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAsC,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,YAAY,CAC/C,QAAQ,EACR,KAAK,EACL,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,CACd,CAAC;IAEF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,kDAAkD;QAClD,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,+BAA+B;SACzC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC;QAChD,GAAG,EAAE,IAAI,CAAC,EAAE;QACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;QAChC,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,2EAA2E;IAC3E,0EAA0E;IAC1E,+CAA+C;IAC/C,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAK,GAAG,CAAC,KAA2B,CAAC,IAAI,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC;IACnG,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAC9C,2EAA2E;IAC3E,wEAAwE;IACxE,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,0EAA0E;IAC1E,yEAAyE;IACzE,qEAAqE;IACrE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,eAAe,EAAE,UAAU,MAAM,CAAC,WAAW,EAAE,EAAE;QAClE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;QACpD,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,UAAU;QACvB,oBAAoB,EAAE,EAAE;KACzB,CAAC,CAAC;IACH,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,YAAY,EAAE;QACtD,gBAAgB,EAAE,MAAM,CAAC,4BAA4B,IAAI,OAAO,CAAC,mBAAmB;QACpF,MAAM,EAAE,IAAI;QACZ,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;QACpD,IAAI,EAAE;YACJ,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;SACjC;KACF,CAAC;AACJ,CAAC,CACF,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/GET.d.ts

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handleGet as default } from "./route.impl.js";
+//# sourceMappingURL=GET.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/GET.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GET.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/GET.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,SAAS,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/GET.js

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handleGet as default } from "./route.impl.js";
+//# sourceMappingURL=GET.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/GET.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GET.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/GET.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,SAAS,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/POST.d.ts

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handlePost as default } from "./route.impl.js";
+//# sourceMappingURL=POST.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/POST.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"POST.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/POST.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/POST.js

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handlePost as default } from "./route.impl.js";
+//# sourceMappingURL=POST.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/POST.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"POST.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/POST.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/{index.d.ts → GET.d.ts}

@@ -1,5 +1,5 @@
 /** @jsxImportSource jsx-htmx */
 import type { HtmlRenderable } from "@betterportal/framework";
-import type { ResponseData } from "../index.js";
+import type { ResponseData } from "../route.impl.js";
 export declare function render(_data: ResponseData): HtmlRenderable;
-//# sourceMappingURL=index.d.ts.map
+//# sourceMappingURL=GET.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/GET.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GET.d.ts","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/GET.tsx"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAErD,wBAAgB,MAAM,CAAC,KAAK,EAAE,YAAY,GAAG,cAAc,CAU1D"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/{index.js → GET.js}

@@ -4,4 +4,4 @@ export function render(_data) {
     // tokens and HX-Location immediately soft-navigates to the login view.
     return (_jsx("div", { class: "d-flex justify-content-center py-5", children: _jsx("div", { class: "spinner-border", role: "status", children: _jsx("span", { class: "visually-hidden", children: "Signing out..." }) }) }));
 }
-//# sourceMappingURL=index.js.map
+//# sourceMappingURL=GET.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/GET.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GET.js","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/GET.tsx"],"names":[],"mappings":";AAIA,MAAM,UAAU,MAAM,CAAC,KAAmB;IACxC,6EAA6E;IAC7E,uEAAuE;IACvE,OAAO,CACL,cAAK,KAAK,EAAC,oCAAoC,YAC7C,cAAK,KAAK,EAAC,gBAAgB,EAAC,IAAI,EAAC,QAAQ,YACvC,eAAM,KAAK,EAAC,iBAAiB,+BAAsB,GAC/C,GACF,CACP,CAAC;AACJ,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.d.ts

@@ -1,25 +1,2 @@
-import * as av from "anyvali";
-import type { Infer } from "anyvali";
-import { type ApiAuthRequirement, type CacheHints } from "@betterportal/framework";
-export declare const QuerySchema: av.ObjectSchema<{}>;
-export declare const HeadersSchema: av.ObjectSchema<{}>;
-export declare const RequestSchema: av.ObjectSchema<{}>;
-export declare const ResponseSchema: av.ObjectSchema<{
-    status: av.EnumSchema<readonly ["ok"]>;
-    message: av.StringSchema;
-}>;
-export type ResponseData = Infer<typeof ResponseSchema>;
-export declare const title = "Logout";
-export declare const description = "Clear the authentication token from the client.";
-export declare const role = "auth.logout";
-export declare const auth: ApiAuthRequirement;
-export declare const cacheHints: CacheHints;
-export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
-    status: "ok";
-    message: string;
-}, unknown, Record<string, unknown>>;
-export declare const handleGet: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
-    status: "ok";
-    message: string;
-}, unknown, Record<string, unknown>>;
+export { title, description, auth, role, cacheHints } from "./route.impl.js";
 //# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EAChB,MAAM,yBAAyB,CAAC;AAEjC,eAAO,MAAM,WAAW,qBAA0C,CAAC;AACnE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AACrE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AAErE,eAAO,MAAM,cAAc;;;EAGC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,WAAW,CAAC;AAC9B,eAAO,MAAM,WAAW,oDAAoD,CAAC;AAC7E,eAAO,MAAM,IAAI,gBAAgB,CAAC;AAElC,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAEF,eAAO,MAAM,UAAU;;;oCAkBtB,CAAC;AAEF,eAAO,MAAM,SAAS;;;oCAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.js

@@ -1,38 +1,2 @@
-import * as av from "anyvali";
-import { createHandler } from "@betterportal/framework";
-export const QuerySchema = av.object({}, { unknownKeys: "strip" });
-export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
-export const RequestSchema = av.object({}, { unknownKeys: "strip" });
-export const ResponseSchema = av.object({
-    status: av.enum_(["ok"]).describe("Logout request outcome."),
-    message: av.string().describe("Human-readable logout status for the renderer.")
-}, { unknownKeys: "strip" });
-export const title = "Logout";
-export const description = "Clear the authentication token from the client.";
-export const role = "auth.logout";
-export const auth = {
-    required: false,
-    permissions: []
-};
-export const cacheHints = {
-    ttlSeconds: 0,
-    varyBy: []
-};
-export const handlePost = createHandler({ response: ResponseSchema }, (ctx) => {
-    // Always emit BP-RemoveHeader so the client shim drops the stored token -
-    // logout must clear state even when called with a dead or missing token.
-    ctx.bpHeaders?.remove("Authorization");
-    ctx.bpHeaders?.remove("X-BP-Refresh");
-    // Compatibility shim: current UI uses /login?action=logout.
-    ctx.responseHeaders?.set("HX-Location", "/login?action=logout");
-    // Auth state changed - reload this service's fragments (nav profile etc.).
-    if (ctx.serviceId) {
-        ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
-    }
-    return {
-        status: "ok",
-        message: "Client should clear stored Authorization header."
-    };
-});
-export const handleGet = handlePost;
+export { title, description, auth, role, cacheHints } from "./route.impl.js";
 //# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAGd,MAAM,yBAAyB,CAAC;AAEjC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACrE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAU,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IACrE,OAAO,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gDAAgD,CAAC;CAChF,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,QAAQ,CAAC;AAC9B,MAAM,CAAC,MAAM,WAAW,GAAG,iDAAiD,CAAC;AAC7E,MAAM,CAAC,MAAM,IAAI,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAC5B,CAAC,GAAG,EAAE,EAAE;IACN,0EAA0E;IAC1E,yEAAyE;IACzE,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IACvC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;IACtC,4DAA4D;IAC5D,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;IAChE,2EAA2E;IAC3E,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,kDAAkD;KAC5D,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAG,UAAU,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.d.ts

@@ -0,0 +1,25 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+import { type ApiAuthRequirement, type CacheHints } from "@betterportal/framework";
+export declare const QuerySchema: av.ObjectSchema<{}>;
+export declare const HeadersSchema: av.ObjectSchema<{}>;
+export declare const RequestSchema: av.ObjectSchema<{}>;
+export declare const ResponseSchema: av.ObjectSchema<{
+    status: av.EnumSchema<readonly ["ok"]>;
+    message: av.StringSchema;
+}>;
+export type ResponseData = Infer<typeof ResponseSchema>;
+export declare const title = "Logout";
+export declare const description = "Clear the authentication token from the client.";
+export declare const role = "auth.logout";
+export declare const auth: ApiAuthRequirement;
+export declare const cacheHints: CacheHints;
+export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
+    status: "ok";
+    message: string;
+}, unknown, Record<string, unknown>>;
+export declare const handleGet: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
+    status: "ok";
+    message: string;
+}, unknown, Record<string, unknown>>;
+//# sourceMappingURL=route.impl.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.impl.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EAChB,MAAM,yBAAyB,CAAC;AAEjC,eAAO,MAAM,WAAW,qBAA0C,CAAC;AACnE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AACrE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AAErE,eAAO,MAAM,cAAc;;;EAGC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,WAAW,CAAC;AAC9B,eAAO,MAAM,WAAW,oDAAoD,CAAC;AAC7E,eAAO,MAAM,IAAI,gBAAgB,CAAC;AAElC,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAEF,eAAO,MAAM,UAAU;;;oCAkBtB,CAAC;AAEF,eAAO,MAAM,SAAS;;;oCAAa,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.js

@@ -0,0 +1,38 @@
+import * as av from "anyvali";
+import { createHandler } from "@betterportal/framework";
+export const QuerySchema = av.object({}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok"]).describe("Logout request outcome."),
+    message: av.string().describe("Human-readable logout status for the renderer.")
+}, { unknownKeys: "strip" });
+export const title = "Logout";
+export const description = "Clear the authentication token from the client.";
+export const role = "auth.logout";
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+export const handlePost = createHandler({ response: ResponseSchema }, (ctx) => {
+    // Always emit BP-RemoveHeader so the client shim drops the stored token -
+    // logout must clear state even when called with a dead or missing token.
+    ctx.bpHeaders?.remove("Authorization");
+    ctx.bpHeaders?.remove("X-BP-Refresh");
+    // Compatibility shim: current UI uses /login?action=logout.
+    ctx.responseHeaders?.set("HX-Location", "/login?action=logout");
+    // Auth state changed - reload this service's fragments (nav profile etc.).
+    if (ctx.serviceId) {
+        ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+    }
+    return {
+        status: "ok",
+        message: "Client should clear stored Authorization header."
+    };
+});
+export const handleGet = handlePost;
+//# sourceMappingURL=route.impl.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"route.impl.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/route.impl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAGd,MAAM,yBAAyB,CAAC;AAEjC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACrE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAU,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IACrE,OAAO,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gDAAgD,CAAC;CAChF,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,QAAQ,CAAC;AAC9B,MAAM,CAAC,MAAM,WAAW,GAAG,iDAAiD,CAAC;AAC7E,MAAM,CAAC,MAAM,IAAI,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAC5B,CAAC,GAAG,EAAE,EAAE;IACN,0EAA0E;IAC1E,yEAAyE;IACzE,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IACvC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;IACtC,4DAA4D;IAC5D,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;IAChE,2EAA2E;IAC3E,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,kDAAkD;KAC5D,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAG,UAAU,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.d.ts

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handlePost as default } from "./route.impl.js";
+//# sourceMappingURL=POST.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"POST.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.js

@@ -0,0 +1,3 @@
+export { ResponseSchema, QuerySchema, HeadersSchema, RequestSchema } from "./route.impl.js";
+export { handlePost as default } from "./route.impl.js";
+//# sourceMappingURL=POST.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"POST.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/POST.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,UAAU,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.d.ts

@@ -1,31 +1,2 @@
-import * as av from "anyvali";
-import type { Infer } from "anyvali";
-import { type ApiAuthRequirement, type CacheHints } from "@betterportal/framework";
-export declare const QuerySchema: av.ObjectSchema<{}>;
-export declare const HeadersSchema: av.ObjectSchema<{
-    "x-bp-refresh": av.OptionalSchema<av.StringSchema>;
-}>;
-export declare const RequestSchema: av.ObjectSchema<{
-    refreshToken: av.OptionalSchema<av.StringSchema>;
-}>;
-export declare const ResponseSchema: av.ObjectSchema<{
-    status: av.EnumSchema<readonly ["ok", "error"]>;
-    message: av.OptionalSchema<av.StringSchema>;
-    accessToken: av.OptionalSchema<av.StringSchema>;
-    expiresInSeconds: av.OptionalSchema<av.IntSchema>;
-}>;
-export type ResponseData = Infer<typeof ResponseSchema>;
-export declare const title = "Refresh Token";
-export declare const description = "Exchange a refresh token for a new access token.";
-export declare const role = "auth.refresh";
-export declare const auth: ApiAuthRequirement;
-export declare const cacheHints: CacheHints;
-export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, {
-    refreshToken?: string | undefined;
-}, {
-    status: "ok" | "error";
-    message?: string | undefined;
-    accessToken?: string | undefined;
-    expiresInSeconds?: number | undefined;
-}, unknown, Record<string, unknown>>;
+export { title, description, auth, role, cacheHints } from "./route.impl.js";
 //# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EAChB,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,WAAW,qBAA0C,CAAC;AACnE,eAAO,MAAM,aAAa;;EAEE,CAAC;AAE7B,eAAO,MAAM,aAAa;;EAEE,CAAC;AAE7B,eAAO,MAAM,cAAc;;;;;EAKC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,kBAAkB,CAAC;AACrC,eAAO,MAAM,WAAW,qDAAqD,CAAC;AAC9E,eAAO,MAAM,IAAI,iBAAiB,CAAC;AAEnC,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAQF,eAAO,MAAM,UAAU;;;;;;;oCAiEtB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC"}