@betterportal/auth-default 0.0.1

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/index.js

@@ -0,0 +1,186 @@
+import * as av from "anyvali";
+import { createHandler } from "@betterportal/framework";
+import { resolveDefaultAuthAppConfig } from "../../index.js";
+export const QuerySchema = av.object({
+    action: av.optional(av.string()).describe("Optional login route action, currently supports logout."),
+    next: av.optional(av.string()).describe("The view path that redirected to the login page and should be redirected back to after a successful login.")
+}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({
+    username: av.string().minLength(1).describe("Username for the account signing in."),
+    password: av.string().minLength(1).describe("Password for the account signing in."),
+    next: av.optional(av.string()).describe("The view path to soft-navigate to after a successful login.")
+}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok", "error"]).describe("Login request outcome."),
+    message: av.optional(av.string()).describe("Human-readable status or error message for the renderer."),
+    accessToken: av.optional(av.string()).describe("Signed JWT access token returned on successful login."),
+    refreshToken: av.optional(av.string()).describe("Signed JWT refresh token returned on successful login."),
+    expiresInSeconds: av.optional(av.int().min(1)).describe("Access token lifetime in seconds."),
+    user: av.optional(av.object({
+        id: av.string().describe("Stable UUIDv7 user id."),
+        username: av.string().describe("Account username."),
+        email: av.optional(av.string()).describe("User email address, when set."),
+        name: av.optional(av.string()).describe("Display name, when set.")
+    }, { unknownKeys: "strip" }).describe("Authenticated user summary.")),
+    // True while the auth service has zero users - the theme renderer redirects
+    // to the register view (first-admin setup) instead of showing the login form.
+    requiresFirstAdmin: av.optional(av.bool()).describe("True while the auth service has zero users; the theme renderer should redirect to first-admin registration instead of showing the login form."),
+    // Absolute URL of this auth service's register view (self-origin). Provided so
+    // the theme renderer can load it in-shell without knowing the auth origin.
+    firstAdminUrl: av.optional(av.string()).describe("Absolute self-origin URL of this auth service's register view so the theme can load it in-shell without knowing the auth origin."),
+    // True when the GET request already carried a valid access token - the theme
+    // renderer shows a "signed in" state instead of the login form.
+    alreadyLoggedIn: av.optional(av.bool()).describe("True when the GET request already carried a valid access token; the theme renderer should show a signed-in state instead of the login form."),
+    loggedOut: av.optional(av.bool()).describe("True after the login route handled ?action=logout."),
+    // Tenant-app path of the logout view (app config auth.logoutViewId).
+    logoutUrl: av.optional(av.string()).describe("Tenant-app path of the logout view from app auth config."),
+    // Echo of ?next= when already signed in - the theme renderer redirects there
+    // immediately instead of showing the signed-in card.
+    nextUrl: av.optional(av.string()).describe("Echo of the next path when already signed in; the theme renderer should redirect there immediately.")
+}, { unknownKeys: "strip" });
+export const title = "Login";
+export const description = "Authenticate with username and password to receive a JWT.";
+export const role = "auth.login";
+export const dependencies = ["logout.index", "refresh.index", "register.index"];
+export const chrome = { fullScreen: true };
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+function runtimeFrom(ctx) {
+    const runtime = ctx.plugin?.runtime;
+    if (!runtime)
+        throw new Error("Auth runtime not available on handler context");
+    return runtime;
+}
+function normalizeRedirect(raw) {
+    const redirect = raw?.trim();
+    if (!redirect)
+        return "/";
+    if (redirect.startsWith("http://") || redirect.startsWith("https://"))
+        return redirect;
+    return redirect.startsWith("/") ? redirect : `/${redirect}`;
+}
+export const handleGet = createHandler({ response: ResponseSchema, query: QuerySchema }, (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const requiresFirstAdmin = runtime.userStore.hasNoUsers();
+    if (ctx.query.action === "logout") {
+        const config = resolveDefaultAuthAppConfig(ctx.config);
+        const nextUrl = normalizeRedirect(config.logoutRedirectPath);
+        ctx.bpHeaders?.remove("Authorization");
+        ctx.bpHeaders?.remove("X-BP-Refresh");
+        if (ctx.serviceId)
+            ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+        return {
+            status: "ok",
+            message: "Signed out.",
+            loggedOut: true,
+            nextUrl
+        };
+    }
+    // Valid token already on the request - no point rendering a login form.
+    // First-admin setup still wins: a token can outlive a wiped user store.
+    if (ctx.user && !requiresFirstAdmin) {
+        const config = resolveDefaultAuthAppConfig(ctx.config);
+        const next = ctx.query.next || config.loginRedirectPath;
+        return {
+            status: "ok",
+            message: "Already signed in.",
+            alreadyLoggedIn: true,
+            user: {
+                id: ctx.user.sub,
+                username: ctx.user.name ?? ctx.user.email ?? ctx.user.sub,
+                email: ctx.user.email,
+                name: ctx.user.name
+            },
+            logoutUrl: "/login?action=logout",
+            ...(next ? { nextUrl: next } : {})
+        };
+    }
+    let firstAdminUrl;
+    if (requiresFirstAdmin) {
+        const host = ctx.headers.host;
+        if (host) {
+            const proto = ctx.headers["x-forwarded-proto"] ?? "http";
+            const next = ctx.query.next;
+            firstAdminUrl = `${proto}://${host}/register${next ? `?next=${encodeURIComponent(next)}` : ""}`;
+        }
+    }
+    return {
+        status: "ok",
+        message: "Submit username + password via POST to authenticate.",
+        requiresFirstAdmin,
+        ...(firstAdminUrl ? { firstAdminUrl } : {})
+    };
+});
+export const handlePost = createHandler({ response: ResponseSchema, request: RequestSchema, query: QuerySchema }, async (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const tenantId = ctx.tenant.id;
+    const appId = ctx.app.id;
+    const body = ctx.request;
+    const user = await runtime.userStore.authenticate(tenantId, appId, body.username, body.password);
+    if (!user) {
+        // Auth failures are 401, not 200-with-error-body.
+        ctx.setStatus?.(401);
+        return {
+            status: "error",
+            message: "Invalid username or password."
+        };
+    }
+    const issued = runtime.tokenIssuer.issueTokenPair({
+        sub: user.id,
+        tenantId: user.tenantId,
+        appId,
+        roles: user.roles,
+        name: user.name ?? user.username,
+        email: user.email,
+        picture: user.picture
+    });
+    if (!issued.refreshToken) {
+        throw new Error("Auth token issuer did not return a refresh token");
+    }
+    // Login is rendered in the theme's auth-only page state. After credentials
+    // are stored, navigate the browser back to the tenant route so the normal
+    // shell is rendered from a clean page request.
+    const config = resolveDefaultAuthAppConfig(ctx.config);
+    const next = body.next || ctx.query.next || config.loginRedirectPath || "/";
+    ctx.responseHeaders?.set("HX-Redirect", next);
+    // Auth state changed - reload this service's fragments (nav profile etc.).
+    // Fragments listening on this key re-fetch; absent fragments ignore it.
+    if (ctx.serviceId) {
+        ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+    }
+    // Expire the stored header with the ACCESS token, not the refresh token -
+    // otherwise the client replays a dead JWT for days. The refresh token is
+    // stored separately so the profile fragment can renew before expiry.
+    ctx.bpHeaders?.set('Authorization', `Bearer ${issued.accessToken}`, {
+        expiresInSeconds: issued.accessTokenExpiresInSeconds,
+        locked: true,
+        refreshPath: "/refresh",
+        refreshBeforeSeconds: 60
+    });
+    ctx.bpHeaders?.set('X-BP-Refresh', issued.refreshToken, {
+        expiresInSeconds: issued.refreshTokenExpiresInSeconds ?? runtime.refreshTokenSeconds,
+        locked: true,
+        scopeToOwner: true
+    });
+    return {
+        status: "ok",
+        message: "logged in",
+        accessToken: issued.accessToken,
+        refreshToken: issued.refreshToken,
+        expiresInSeconds: issued.accessTokenExpiresInSeconds,
+        user: {
+            id: user.id,
+            username: user.username,
+            email: user.email,
+            name: user.name ?? user.username
+        }
+    };
+});
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/login/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/login/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAId,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAE7D,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC;IACnC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,yDAAyD,CAAC;IACpG,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,4GAA4G,CAAC;CACtJ,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IACnF,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;IACnF,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,6DAA6D,CAAC;CACvG,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,OAAO,CAAU,CAAC,CAAC,QAAQ,CAAC,wBAAwB,CAAC;IAC7E,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACtG,WAAW,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,uDAAuD,CAAC;IACvG,YAAY,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,wDAAwD,CAAC;IACzG,gBAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IAC5F,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAC1B,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAClD,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QACnD,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,+BAA+B,CAAC;QACzE,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC;KACnE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC;IACrE,4EAA4E;IAC5E,8EAA8E;IAC9E,kBAAkB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,+IAA+I,CAAC;IACpM,+EAA+E;IAC/E,2EAA2E;IAC3E,aAAa,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,kIAAkI,CAAC;IACpL,6EAA6E;IAC7E,gEAAgE;IAChE,eAAe,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,6IAA6I,CAAC;IAC/L,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,oDAAoD,CAAC;IAChG,qEAAqE;IACrE,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACxG,6EAA6E;IAC7E,qDAAqD;IACrD,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,qGAAqG,CAAC;CAClJ,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,OAAO,CAAC;AAC7B,MAAM,CAAC,MAAM,WAAW,GAAG,2DAA2D,CAAC;AACvF,MAAM,CAAC,MAAM,IAAI,GAAG,YAAY,CAAC;AACjC,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,cAAc,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC;AAChF,MAAM,CAAC,MAAM,MAAM,GAA4B,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AAEpE,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,SAAS,WAAW,CAAC,GAAyB;IAC5C,MAAM,OAAO,GAAI,GAAG,CAAC,MAAgD,EAAE,OAAO,CAAC;IAC/E,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAC/E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAuB;IAChD,MAAM,QAAQ,GAAG,GAAG,EAAE,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,CAAC;IAC1B,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvF,OAAO,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,CACpC,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE,EAChD,CAAC,GAAG,EAAE,EAAE;IACN,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;IAC1D,IAAK,GAAG,CAAC,KAAmC,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACjE,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,iBAAiB,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;QAC7D,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;QACvC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;QACtC,IAAI,GAAG,CAAC,SAAS;YAAE,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;QAC3F,OAAO;YACL,MAAM,EAAE,IAAa;YACrB,OAAO,EAAE,aAAa;YACtB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,wEAAwE;IACxE,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,IAAI,GAAI,GAAG,CAAC,KAA2B,CAAC,IAAI,IAAI,MAAM,CAAC,iBAAiB,CAAC;QAC/E,OAAO;YACL,MAAM,EAAE,IAAa;YACrB,OAAO,EAAE,oBAAoB;YAC7B,eAAe,EAAE,IAAI;YACrB,IAAI,EAAE;gBACJ,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,GAAG;gBAChB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG;gBACzD,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK;gBACrB,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI;aACpB;YACD,SAAS,EAAE,sBAAsB;YACjC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnC,CAAC;IACJ,CAAC;IAED,IAAI,aAAiC,CAAC;IACtC,IAAI,kBAAkB,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;QAC9B,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;YACzD,MAAM,IAAI,GAAI,GAAG,CAAC,KAA2B,CAAC,IAAI,CAAC;YACnD,aAAa,GAAG,GAAG,KAAK,MAAM,IAAI,YAAY,IAAI,CAAC,CAAC,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,sDAAsD;QAC/D,kBAAkB;QAClB,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,EACxE,KAAK,EAAE,GAAG,EAAE,EAAE;IACZ,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;IAEzB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAsC,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,YAAY,CAC/C,QAAQ,EACR,KAAK,EACL,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,CACd,CAAC;IAEF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,kDAAkD;QAClD,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,+BAA+B;SACzC,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC;QAChD,GAAG,EAAE,IAAI,CAAC,EAAE;QACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;QAChC,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,2EAA2E;IAC3E,0EAA0E;IAC1E,+CAA+C;IAC/C,MAAM,MAAM,GAAG,2BAA2B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAK,GAAG,CAAC,KAA2B,CAAC,IAAI,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC;IACnG,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAC9C,2EAA2E;IAC3E,wEAAwE;IACxE,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,0EAA0E;IAC1E,yEAAyE;IACzE,qEAAqE;IACrE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,eAAe,EAAE,UAAU,MAAM,CAAC,WAAW,EAAE,EAAE;QAClE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;QACpD,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,UAAU;QACvB,oBAAoB,EAAE,EAAE;KACzB,CAAC,CAAC;IACH,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,YAAY,EAAE;QACtD,gBAAgB,EAAE,MAAM,CAAC,4BAA4B,IAAI,OAAO,CAAC,mBAAmB;QACpF,MAAM,EAAE,IAAI;QACZ,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,WAAW;QACpB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;QACpD,IAAI,EAAE;YACJ,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;SACjC;KACF,CAAC;AACJ,CAAC,CACF,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.d.ts

@@ -0,0 +1,5 @@
+/** @jsxImportSource jsx-htmx */
+import type { HtmlRenderable } from "@betterportal/framework";
+import type { ResponseData } from "../index.js";
+export declare function render(_data: ResponseData): HtmlRenderable;
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.tsx"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAgB,MAAM,CAAC,KAAK,EAAE,YAAY,GAAG,cAAc,CAU1D"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.js

@@ -0,0 +1,7 @@
+import { jsx as _jsx } from "jsx-htmx/jsx-runtime";
+export function render(_data) {
+    // Transient view: the response's BP-RemoveHeader directives clear the stored
+    // tokens and HX-Location immediately soft-navigates to the login view.
+    return (_jsx("div", { class: "d-flex justify-content-center py-5", children: _jsx("div", { class: "spinner-border", role: "status", children: _jsx("span", { class: "visually-hidden", children: "Signing out..." }) }) }));
+}
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/_theme.bootstrap1/index.tsx"],"names":[],"mappings":";AAIA,MAAM,UAAU,MAAM,CAAC,KAAmB;IACxC,6EAA6E;IAC7E,uEAAuE;IACvE,OAAO,CACL,cAAK,KAAK,EAAC,oCAAoC,YAC7C,cAAK,KAAK,EAAC,gBAAgB,EAAC,IAAI,EAAC,QAAQ,YACvC,eAAM,KAAK,EAAC,iBAAiB,+BAAsB,GAC/C,GACF,CACP,CAAC;AACJ,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.d.ts

@@ -0,0 +1,25 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+import { type ApiAuthRequirement, type CacheHints } from "@betterportal/framework";
+export declare const QuerySchema: av.ObjectSchema<{}>;
+export declare const HeadersSchema: av.ObjectSchema<{}>;
+export declare const RequestSchema: av.ObjectSchema<{}>;
+export declare const ResponseSchema: av.ObjectSchema<{
+    status: av.EnumSchema<readonly ["ok"]>;
+    message: av.StringSchema;
+}>;
+export type ResponseData = Infer<typeof ResponseSchema>;
+export declare const title = "Logout";
+export declare const description = "Clear the authentication token from the client.";
+export declare const role = "auth.logout";
+export declare const auth: ApiAuthRequirement;
+export declare const cacheHints: CacheHints;
+export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
+    status: "ok";
+    message: string;
+}, unknown, Record<string, unknown>>;
+export declare const handleGet: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, Record<string, unknown>, {
+    status: "ok";
+    message: string;
+}, unknown, Record<string, unknown>>;
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EAChB,MAAM,yBAAyB,CAAC;AAEjC,eAAO,MAAM,WAAW,qBAA0C,CAAC;AACnE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AACrE,eAAO,MAAM,aAAa,qBAA0C,CAAC;AAErE,eAAO,MAAM,cAAc;;;EAGC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,WAAW,CAAC;AAC9B,eAAO,MAAM,WAAW,oDAAoD,CAAC;AAC7E,eAAO,MAAM,IAAI,gBAAgB,CAAC;AAElC,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAEF,eAAO,MAAM,UAAU;;;oCAkBtB,CAAC;AAEF,eAAO,MAAM,SAAS;;;oCAAa,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.js

@@ -0,0 +1,38 @@
+import * as av from "anyvali";
+import { createHandler } from "@betterportal/framework";
+export const QuerySchema = av.object({}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok"]).describe("Logout request outcome."),
+    message: av.string().describe("Human-readable logout status for the renderer.")
+}, { unknownKeys: "strip" });
+export const title = "Logout";
+export const description = "Clear the authentication token from the client.";
+export const role = "auth.logout";
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+export const handlePost = createHandler({ response: ResponseSchema }, (ctx) => {
+    // Always emit BP-RemoveHeader so the client shim drops the stored token -
+    // logout must clear state even when called with a dead or missing token.
+    ctx.bpHeaders?.remove("Authorization");
+    ctx.bpHeaders?.remove("X-BP-Refresh");
+    // Compatibility shim: current UI uses /login?action=logout.
+    ctx.responseHeaders?.set("HX-Location", "/login?action=logout");
+    // Auth state changed - reload this service's fragments (nav profile etc.).
+    if (ctx.serviceId) {
+        ctx.responseHeaders?.set("HX-Trigger", `bp:fragments:${ctx.serviceId}`);
+    }
+    return {
+        status: "ok",
+        message: "Client should clear stored Authorization header."
+    };
+});
+export const handleGet = handlePost;
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/logout/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/logout/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAGd,MAAM,yBAAyB,CAAC;AAEjC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACrE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,CAAU,CAAC,CAAC,QAAQ,CAAC,yBAAyB,CAAC;IACrE,OAAO,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gDAAgD,CAAC;CAChF,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,QAAQ,CAAC;AAC9B,MAAM,CAAC,MAAM,WAAW,GAAG,iDAAiD,CAAC;AAC7E,MAAM,CAAC,MAAM,IAAI,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,EAC5B,CAAC,GAAG,EAAE,EAAE;IACN,0EAA0E;IAC1E,yEAAyE;IACzE,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;IACvC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;IACtC,4DAA4D;IAC5D,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;IAChE,2EAA2E;IAC3E,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QAClB,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,YAAY,EAAE,gBAAgB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,OAAO,EAAE,kDAAkD;KAC5D,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAG,UAAU,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.d.ts

@@ -0,0 +1,31 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+import { type ApiAuthRequirement, type CacheHints } from "@betterportal/framework";
+export declare const QuerySchema: av.ObjectSchema<{}>;
+export declare const HeadersSchema: av.ObjectSchema<{
+    "x-bp-refresh": av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const RequestSchema: av.ObjectSchema<{
+    refreshToken: av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const ResponseSchema: av.ObjectSchema<{
+    status: av.EnumSchema<readonly ["ok", "error"]>;
+    message: av.OptionalSchema<av.StringSchema>;
+    accessToken: av.OptionalSchema<av.StringSchema>;
+    expiresInSeconds: av.OptionalSchema<av.IntSchema>;
+}>;
+export type ResponseData = Infer<typeof ResponseSchema>;
+export declare const title = "Refresh Token";
+export declare const description = "Exchange a refresh token for a new access token.";
+export declare const role = "auth.refresh";
+export declare const auth: ApiAuthRequirement;
+export declare const cacheHints: CacheHints;
+export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, Record<string, unknown>, Record<string, string>, {
+    refreshToken?: string | undefined;
+}, {
+    status: "ok" | "error";
+    message?: string | undefined;
+    accessToken?: string | undefined;
+    expiresInSeconds?: number | undefined;
+}, unknown, Record<string, unknown>>;
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EAChB,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,WAAW,qBAA0C,CAAC;AACnE,eAAO,MAAM,aAAa;;EAEE,CAAC;AAE7B,eAAO,MAAM,aAAa;;EAEE,CAAC;AAE7B,eAAO,MAAM,cAAc;;;;;EAKC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,kBAAkB,CAAC;AACrC,eAAO,MAAM,WAAW,qDAAqD,CAAC;AAC9E,eAAO,MAAM,IAAI,iBAAiB,CAAC;AAEnC,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAQF,eAAO,MAAM,UAAU;;;;;;;oCAiEtB,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.js

@@ -0,0 +1,92 @@
+import * as av from "anyvali";
+// Infer used at runtime cast for typed body access.
+import { createHandler } from "@betterportal/framework";
+export const QuerySchema = av.object({}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({
+    "x-bp-refresh": av.optional(av.string().minLength(1))
+}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({
+    refreshToken: av.optional(av.string().minLength(1).describe("Signed refresh token issued by the auth service."))
+}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok", "error"]).describe("Refresh request outcome."),
+    message: av.optional(av.string()).describe("Human-readable status or error message for the renderer."),
+    accessToken: av.optional(av.string()).describe("New signed JWT access token returned when refresh succeeds."),
+    expiresInSeconds: av.optional(av.int().min(1)).describe("New access token lifetime in seconds.")
+}, { unknownKeys: "strip" });
+export const title = "Refresh Token";
+export const description = "Exchange a refresh token for a new access token.";
+export const role = "auth.refresh";
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+function runtimeFrom(ctx) {
+    const runtime = ctx.plugin?.runtime;
+    if (!runtime)
+        throw new Error("Auth runtime not available on handler context");
+    return runtime;
+}
+export const handlePost = createHandler({ response: ResponseSchema, request: RequestSchema }, async (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const tenantId = ctx.tenant.id;
+    const appId = ctx.app.id;
+    const body = ctx.request;
+    const headers = ctx.headers;
+    const refreshToken = body.refreshToken ?? headers["x-bp-refresh"];
+    if (!refreshToken) {
+        return {
+            status: "error",
+            message: "Refresh token missing."
+        };
+    }
+    let claims;
+    try {
+        claims = await runtime.tokenIssuer.verifyRefreshToken({
+            refreshToken,
+            tenantId,
+            appId
+        });
+    }
+    catch {
+        return {
+            status: "error",
+            message: "Refresh token invalid or expired."
+        };
+    }
+    const user = runtime.userStore.findById(claims.sub);
+    if (!user || !user.enabled) {
+        return {
+            status: "error",
+            message: "User no longer exists or is disabled."
+        };
+    }
+    const roles = user.appRoles[appId] ?? [];
+    const issued = runtime.tokenIssuer.issueTokenPair({
+        sub: user.id,
+        tenantId: user.tenantId,
+        appId,
+        roles,
+        name: user.name ?? user.username,
+        email: user.email,
+        picture: user.picture
+    }, {
+        includeRefreshToken: false
+    });
+    ctx.bpHeaders?.set("Authorization", `Bearer ${issued.accessToken}`, {
+        expiresInSeconds: issued.accessTokenExpiresInSeconds,
+        locked: true,
+        refreshPath: "/refresh",
+        refreshBeforeSeconds: 60
+    });
+    return {
+        status: "ok",
+        accessToken: issued.accessToken,
+        expiresInSeconds: issued.accessTokenExpiresInSeconds
+    };
+});
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/refresh/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/refresh/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,oDAAoD;AACpD,OAAO,EACL,aAAa,EAGd,MAAM,yBAAyB,CAAC;AAGjC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC;IACrC,cAAc,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;CACtD,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC;IACrC,YAAY,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,kDAAkD,CAAC,CAAC;CACjH,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,OAAO,CAAU,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IAC/E,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACtG,WAAW,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,6DAA6D,CAAC;IAC7G,gBAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,uCAAuC,CAAC;CACjG,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,eAAe,CAAC;AACrC,MAAM,CAAC,MAAM,WAAW,GAAG,kDAAkD,CAAC;AAC9E,MAAM,CAAC,MAAM,IAAI,GAAG,cAAc,CAAC;AAEnC,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,SAAS,WAAW,CAAC,GAAyB;IAC5C,MAAM,OAAO,GAAI,GAAG,CAAC,MAAgD,EAAE,OAAO,CAAC;IAC/E,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAC/E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE,EACpD,KAAK,EAAE,GAAG,EAAE,EAAE;IACZ,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;IAEzB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAsC,CAAC;IACxD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAsC,CAAC;IAC3D,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,OAAO,CAAC,cAAc,CAAC,CAAC;IAClE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,wBAAwB;SAClC,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,kBAAkB,CAAC;YACpD,YAAY;YACZ,QAAQ;YACR,KAAK;SACN,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,mCAAmC;SAC7C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACpD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,uCAAuC;SACjD,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC;QAChD,GAAG,EAAE,IAAI,CAAC,EAAE;QACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK;QACL,KAAK;QACL,IAAI,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ;QAChC,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,EAAE;QACD,mBAAmB,EAAE,KAAK;KAC3B,CAAC,CAAC;IAEH,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,eAAe,EAAE,UAAU,MAAM,CAAC,WAAW,EAAE,EAAE;QAClE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;QACpD,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,UAAU;QACvB,oBAAoB,EAAE,EAAE;KACzB,CAAC,CAAC;IAEH,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;KACrD,CAAC;AACJ,CAAC,CACF,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.d.ts

@@ -0,0 +1,7 @@
+/**
+ * 400 status view for register POST failures (duplicate user, weak input, no
+ * context). Same renderer as the main view - it re-renders the form with the
+ * error message so the response swaps into #bp-main like any other view.
+ */
+export { render } from "./index.js";
+//# sourceMappingURL=index.400.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.400.d.ts","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.tsx"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.js

@@ -0,0 +1,7 @@
+/**
+ * 400 status view for register POST failures (duplicate user, weak input, no
+ * context). Same renderer as the main view - it re-renders the form with the
+ * error message so the response swaps into #bp-main like any other view.
+ */
+export { render } from "./index.js";
+//# sourceMappingURL=index.400.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.400.js","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.400.tsx"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.d.ts

@@ -0,0 +1,4 @@
+import type { HtmlRenderable } from "@betterportal/framework";
+import type { ResponseData } from "../index.js";
+export declare function render(data: ResponseData): HtmlRenderable;
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA6FhD,wBAAgB,MAAM,CAAC,IAAI,EAAE,YAAY,GAAG,cAAc,CAwCzD"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.js

@@ -0,0 +1,63 @@
+import { jsx as _jsx, jsxs as _jsxs } from "jsx-htmx/jsx-runtime";
+/** @jsxImportSource jsx-htmx */
+import { js } from "jsx-htmx";
+/** Tenant-relative path (+query) of an absolute self-origin URL, for hx-push-url. */
+function pushPathOf(url, fallback) {
+    if (!url)
+        return fallback;
+    try {
+        const parsed = new URL(url);
+        return parsed.pathname + parsed.search;
+    }
+    catch {
+        return fallback;
+    }
+}
+/** Client-side confirm-password gate; everything else is server-rendered. */
+function registerScript() {
+    // IIFE - htmx executes swapped <script> content as a plain script, where a
+    // top-level `return` inside a bare block is a SyntaxError.
+    return js(`(() => {
+    const form = document.getElementById("bp-register-form");
+    if (!form) return;
+    form.addEventListener("htmx:beforeRequest", (ev) => {
+      const errEl = document.getElementById("bp-register-error");
+      const pw = form.querySelector('input[name="password"]');
+      const confirm = document.getElementById("bp-register-confirm");
+      if (pw && confirm && pw.value !== confirm.value) {
+        if (errEl) { errEl.textContent = "Passwords do not match."; errEl.classList.remove("d-none"); }
+        ev.preventDefault();
+        return;
+      }
+      if (errEl) errEl.classList.add("d-none");
+    });
+  })()`);
+}
+function redirectStub(url, pushUrl, label) {
+    return (_jsx("div", { "hx-get": url, "hx-trigger": "load delay:1200ms", "hx-target": "#bp-main", "hx-swap": "innerHTML", "hx-push-url": pushUrl, children: _jsx("div", { class: "d-flex justify-content-center py-3", children: _jsx("div", { class: "spinner-border spinner-border-sm", role: "status", children: _jsx("span", { class: "visually-hidden", children: label }) }) }) }));
+}
+function renderForm(data) {
+    return (_jsxs("div", { class: "container py-5", style: "max-width: 420px;", children: [_jsx("div", { class: "card border-0 shadow-sm", children: _jsxs("div", { class: "card-body", children: [_jsx("h3", { class: "card-title mb-1 text-center", children: "Create first admin" }), _jsx("p", { class: "text-secondary text-center small mb-4", children: "This deployment has no users yet. The account you create here becomes the platform administrator." }), _jsxs("form", { id: "bp-register-form", "hx-post": "this", "hx-target": "#bp-main", "hx-swap": "innerHTML", children: [_jsxs("div", { class: "mb-3", children: [_jsx("label", { class: "form-label", children: "Username *" }), _jsx("input", { type: "text", class: "form-control", name: "username", autocomplete: "username", required: true, autofocus: true })] }), _jsxs("div", { class: "mb-3", children: [_jsx("label", { class: "form-label", children: "Email" }), _jsx("input", { type: "email", class: "form-control", name: "email", autocomplete: "email" })] }), _jsxs("div", { class: "mb-3", children: [_jsxs("label", { class: "form-label", children: ["Password * ", _jsx("span", { class: "text-secondary small", children: "(min 8 chars)" })] }), _jsx("input", { type: "password", class: "form-control", name: "password", autocomplete: "new-password", minlength: "8", required: true })] }), _jsxs("div", { class: "mb-3", children: [_jsx("label", { class: "form-label", children: "Confirm password *" }), _jsx("input", { type: "password", class: "form-control", id: "bp-register-confirm", autocomplete: "new-password", minlength: "8", required: true })] }), _jsx("div", { class: `alert alert-danger ${data.status === "error" && data.message ? "" : "d-none"}`, id: "bp-register-error", children: data.status === "error" ? (data.message ?? "") : "" }), _jsx("button", { type: "submit", class: "btn btn-primary w-100", children: "Create admin account" })] })] }) }), _jsx("script", { children: registerScript() })] }));
+}
+export function render(data) {
+    // POST success - server-rendered confirmation, then on to sign-in.
+    if (data.status === "ok" && data.user) {
+        return (_jsx("div", { class: "container py-5", style: "max-width: 420px;", children: _jsx("div", { class: "card border-0 shadow-sm", children: _jsxs("div", { class: "card-body text-center", children: [_jsx("h3", { class: "card-title mb-2", children: "Admin created" }), _jsxs("div", { class: "alert alert-success mb-3", children: [_jsx("strong", { children: data.user.username }), " is now the platform administrator."] }), _jsx("p", { class: "text-secondary small mb-0", children: "Taking you to sign in..." }), data.loginUrl
+                            ? redirectStub(data.loginUrl, pushPathOf(data.loginUrl, "/login"), "Redirecting to sign in...")
+                            : _jsx("a", { class: "btn btn-primary mt-3", href: "/login", children: "Sign in" })] }) }) }));
+    }
+    // POST validation error (rendered via the 400 status view) - form + message.
+    if (data.status === "error") {
+        return renderForm(data);
+    }
+    // GET with users already present - registrations are closed; bounce to login.
+    if (!data.registrationOpen) {
+        if (data.loginUrl) {
+            return redirectStub(data.loginUrl, pushPathOf(data.loginUrl, "/login"), "Redirecting to sign in...");
+        }
+        return (_jsx("div", { class: "container py-5", style: "max-width: 420px;", children: _jsxs("div", { class: "alert alert-secondary", children: ["Registration is closed. ", _jsx("a", { href: "/login", children: "Sign in" }), " instead."] }) }));
+    }
+    // GET, zero users - the first-admin form.
+    return renderForm(data);
+}
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/_theme.bootstrap1/index.tsx"],"names":[],"mappings":";AAAA,gCAAgC;AAChC,OAAO,EAAE,EAAE,EAAE,MAAM,UAAU,CAAC;AAI9B,qFAAqF;AACrF,SAAS,UAAU,CAAC,GAAuB,EAAE,QAAgB;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,QAAQ,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED,6EAA6E;AAC7E,SAAS,cAAc;IACrB,2EAA2E;IAC3E,2DAA2D;IAC3D,OAAO,EAAE,CAAC;;;;;;;;;;;;;;OAcL,CAAC,CAAC;AACT,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,OAAe,EAAE,KAAa;IAC/D,OAAO,CACL,wBACU,GAAG,gBACA,mBAAmB,eACpB,UAAU,aACZ,WAAW,iBACN,OAAO,YAEpB,cAAK,KAAK,EAAC,oCAAoC,YAC7C,cAAK,KAAK,EAAC,kCAAkC,EAAC,IAAI,EAAC,QAAQ,YAAC,eAAM,KAAK,EAAC,iBAAiB,YAAE,KAAK,GAAQ,GAAM,GAC1G,GACF,CACP,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,IAAkB;IACpC,OAAO,CACL,eAAK,KAAK,EAAC,gBAAgB,EAAC,KAAK,EAAC,mBAAmB,aACnD,cAAK,KAAK,EAAC,yBAAyB,YAClC,eAAK,KAAK,EAAC,WAAW,aACpB,aAAI,KAAK,EAAC,6BAA6B,mCAAwB,EAC/D,YAAG,KAAK,EAAC,uCAAuC,kHAE5C,EACJ,gBACE,EAAE,EAAC,kBAAkB,aACb,MAAM,eACJ,UAAU,aACZ,WAAW,aAEnB,eAAK,KAAK,EAAC,MAAM,aACf,gBAAO,KAAK,EAAC,YAAY,2BAAmB,EAC5C,gBAAO,IAAI,EAAC,MAAM,EAAC,KAAK,EAAC,cAAc,EAAC,IAAI,EAAC,UAAU,EAAC,YAAY,EAAC,UAAU,EAAC,QAAQ,QAAC,SAAS,SAAG,IACjG,EACN,eAAK,KAAK,EAAC,MAAM,aACf,gBAAO,KAAK,EAAC,YAAY,sBAAc,EACvC,gBAAO,IAAI,EAAC,OAAO,EAAC,KAAK,EAAC,cAAc,EAAC,IAAI,EAAC,OAAO,EAAC,YAAY,EAAC,OAAO,GAAG,IACzE,EACN,eAAK,KAAK,EAAC,MAAM,aACf,iBAAO,KAAK,EAAC,YAAY,4BAAY,eAAM,KAAK,EAAC,sBAAsB,8BAAqB,IAAQ,EACpG,gBAAO,IAAI,EAAC,UAAU,EAAC,KAAK,EAAC,cAAc,EAAC,IAAI,EAAC,UAAU,EAAC,YAAY,EAAC,cAAc,EAAC,SAAS,EAAC,GAAG,EAAC,QAAQ,SAAG,IAC7G,EACN,eAAK,KAAK,EAAC,MAAM,aACf,gBAAO,KAAK,EAAC,YAAY,mCAA2B,EACpD,gBAAO,IAAI,EAAC,UAAU,EAAC,KAAK,EAAC,cAAc,EAAC,EAAE,EAAC,qBAAqB,EAAC,YAAY,EAAC,cAAc,EAAC,SAAS,EAAC,GAAG,EAAC,QAAQ,SAAG,IACtH,EACN,cAAK,KAAK,EAAE,sBAAsB,IAAI,CAAC,MAAM,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,EAAC,mBAAmB,YAChH,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAChD,EACN,iBAAQ,IAAI,EAAC,QAAQ,EAAC,KAAK,EAAC,uBAAuB,qCAA8B,IAC5E,IACH,GACF,EACN,2BAAS,cAAc,EAAE,GAAU,IAC/B,CACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,IAAkB;IACvC,mEAAmE;IACnE,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO,CACL,cAAK,KAAK,EAAC,gBAAgB,EAAC,KAAK,EAAC,mBAAmB,YACnD,cAAK,KAAK,EAAC,yBAAyB,YAClC,eAAK,KAAK,EAAC,uBAAuB,aAChC,aAAI,KAAK,EAAC,iBAAiB,8BAAmB,EAC9C,eAAK,KAAK,EAAC,0BAA0B,aACnC,2BAAS,IAAI,CAAC,IAAI,CAAC,QAAQ,GAAU,2CACjC,EACN,YAAG,KAAK,EAAC,2BAA2B,yCAA6B,EAChE,IAAI,CAAC,QAAQ;4BACZ,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,2BAA2B,CAAC;4BAC/F,CAAC,CAAC,YAAG,KAAK,EAAC,sBAAsB,EAAC,IAAI,EAAC,QAAQ,wBAAY,IACzD,GACF,GACF,CACP,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,8EAA8E;IAC9E,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,2BAA2B,CAAC,CAAC;QACvG,CAAC;QACD,OAAO,CACL,cAAK,KAAK,EAAC,gBAAgB,EAAC,KAAK,EAAC,mBAAmB,YACnD,eAAK,KAAK,EAAC,uBAAuB,yCAAyB,YAAG,IAAI,EAAC,QAAQ,wBAAY,iBAAe,GAClG,CACP,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/index.d.ts

@@ -0,0 +1,64 @@
+import * as av from "anyvali";
+import type { Infer } from "anyvali";
+import { type ApiAuthRequirement, type CacheHints, type BetterPortalRouteChrome } from "@betterportal/framework";
+export declare const QuerySchema: av.ObjectSchema<{
+    next: av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const HeadersSchema: av.ObjectSchema<{}>;
+export declare const RequestSchema: av.ObjectSchema<{
+    username: av.StringSchema;
+    password: av.StringSchema;
+    email: av.OptionalSchema<av.StringSchema>;
+    name: av.OptionalSchema<av.StringSchema>;
+}>;
+export declare const ResponseSchema: av.ObjectSchema<{
+    status: av.EnumSchema<readonly ["ok", "error"]>;
+    message: av.OptionalSchema<av.StringSchema>;
+    user: av.OptionalSchema<av.ObjectSchema<{
+        id: av.StringSchema;
+        username: av.StringSchema;
+        isFirstAdmin: av.BoolSchema;
+    }>>;
+    registrationOpen: av.OptionalSchema<av.BoolSchema>;
+    loginUrl: av.OptionalSchema<av.StringSchema>;
+}>;
+export type ResponseData = Infer<typeof ResponseSchema>;
+export declare const title = "Register First Admin";
+export declare const description = "Open registration for the very first user. Once any user exists, this endpoint requires admin auth.";
+export declare const role = "auth.register";
+export declare const dependencies: string[];
+export declare const chrome: BetterPortalRouteChrome;
+export declare const auth: ApiAuthRequirement;
+export declare const cacheHints: CacheHints;
+export declare const handleGet: import("@betterportal/framework").RouteHandler<Record<string, string>, {
+    next?: string | undefined;
+}, Record<string, string>, Record<string, unknown>, {
+    status: "ok" | "error";
+    message?: string | undefined;
+    user?: {
+        id: string;
+        username: string;
+        isFirstAdmin: boolean;
+    } | undefined;
+    registrationOpen?: boolean | undefined;
+    loginUrl?: string | undefined;
+}, unknown, Record<string, unknown>>;
+export declare const handlePost: import("@betterportal/framework").RouteHandler<Record<string, string>, {
+    next?: string | undefined;
+}, Record<string, string>, {
+    username: string;
+    password: string;
+    email?: string | undefined;
+    name?: string | undefined;
+}, {
+    status: "ok" | "error";
+    message?: string | undefined;
+    user?: {
+        id: string;
+        username: string;
+        isFirstAdmin: boolean;
+    } | undefined;
+    registrationOpen?: boolean | undefined;
+    loginUrl?: string | undefined;
+}, unknown, Record<string, unknown>>;
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,uBAAuB,EAC7B,MAAM,yBAAyB,CAAC;AAGjC,eAAO,MAAM,WAAW;;EAEI,CAAC;AAC7B,eAAO,MAAM,aAAa,qBAA0C,CAAC;AAErE,eAAO,MAAM,aAAa;;;;;EAKE,CAAC;AAE7B,eAAO,MAAM,cAAc;;;;;;;;;;EAaC,CAAC;AAC7B,MAAM,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAExD,eAAO,MAAM,KAAK,yBAAyB,CAAC;AAC5C,eAAO,MAAM,WAAW,wGAAwG,CAAC;AAEjI,eAAO,MAAM,IAAI,kBAAkB,CAAC;AACpC,eAAO,MAAM,YAAY,UAAkB,CAAC;AAC5C,eAAO,MAAM,MAAM,EAAE,uBAA8C,CAAC;AAEpE,eAAO,MAAM,IAAI,EAAE,kBAGlB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,UAGxB,CAAC;AAgBF,eAAO,MAAM,SAAS;;;;;;;;;;;;oCAWrB,CAAC;AAEF,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;oCA8CtB,CAAC"}