@crossauth/backend 1.0.0 → 1.0.1

package/dist/index.js

@@ -1,10 +1,10 @@
 var Ae = Object.defineProperty;
 var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
 var h = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
-import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as U, KeyPrefix as b, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
+import { CrossauthError as o, ErrorCode as l, CrossauthLogger as u, j as f, UserState as E, OAuthFlows as U, KeyPrefix as b, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
 import { PrismaClient as ce, Prisma as X } from "@prisma/client";
 import ye from "@mbakereth/ldapjs";
-import { timingSafeEqual as he, randomBytes as ue, randomUUID as Oe, createHash as Fe, pbkdf2 as Ne, createHmac as se, createCipheriv as De, createDecipheriv as Re, randomInt as te } from "node:crypto";
+import { timingSafeEqual as he, randomBytes as ue, randomUUID as Oe, createHash as Fe, pbkdf2 as Ne, createHmac as se, createCipheriv as Re, createDecipheriv as De, randomInt as te } from "node:crypto";
 import { promisify as xe } from "node:util";
 import W from "nunjucks";
 import Ee from "nodemailer";
@@ -187,6 +187,7 @@ class G extends L {
   }
   async getUser(e, t, r) {
     let i, a;
+    if (this.prismaClient || (i = new o(l.Connection)), i) throw i;
     try {
       a = await this.prismaClient[this.userTable].findUniqueOrThrow({
         where: {
@@ -194,10 +195,10 @@ class G extends L {
         },
         include: this.includesObject
       });
-    } catch {
-      i = new o(l.UserNotExist);
+    } catch (c) {
+      typeof c == "object" && (c == null ? void 0 : c.constructor.name) == "PrismaClientInitializationError" ? (u.logger.debug(f({ err: c })), u.logger.error(f({ cerr: c })), i = new o(l.Connection, "Couldn't connect to database server")) : typeof c == "object" && (c == null ? void 0 : c.constructor.name) == "PrismaClientInitializationError" ? (u.logger.debug(f({ err: c })), u.logger.error(f({ cerr: c })), i = new o(l.Connection, "Received error from database")) : i = new o(l.UserNotExist);
     }
-    if (this.prismaClient || (i = new o(l.Connection)), i) throw i;
+    if (i) throw i;
     if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
       throw u.logger.debug(f({ msg: "2FA setup is not complete" })), new o(l.TwoFactorIncomplete);
     if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.disabled)
@@ -220,8 +221,13 @@ class G extends L {
    * @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist` or `Connection`.
    */
   async getUserByUsername(e, t) {
-    const r = G.normalize(e);
-    return this.getUser("username_normalized", r, t);
+    if (this.normalizeUsername) {
+      const r = G.normalize(e);
+      return this.getUser("username_normalized", r, t);
+    } else {
+      const r = e;
+      return this.getUser("username", r, t);
+    }
   }
   /**
    * Returns user matching the given field, or throws an exception.  
@@ -244,8 +250,13 @@ class G extends L {
    * @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist` or `Connection`.
    */
   async getUserByEmail(e, t) {
-    const r = G.normalize(e);
-    return this.getUser("email_normalized", r, t);
+    if (this.normalizeEmail) {
+      const r = G.normalize(e);
+      return this.getUser("email_normalized", r, t);
+    } else {
+      const r = e;
+      return this.getUser("email", r, t);
+    }
   }
   /**
    * Same as {@link getUserByUsername } but matching user ID,
@@ -278,7 +289,7 @@ class G extends L {
     t && !t.userid && (t = { ...t, userid: e[this.idColumn] });
     try {
       let { id: r, ...i } = e, { userid: a, ...n } = t ?? {};
-      "email" in i && i.email && (i = { email_normalized: G.normalize(i.email), ...i }), "username" in i && i.username && (i = { username_normalized: G.normalize(i.username), ...i }), t ? await this.prismaClient.$transaction(async (c) => {
+      "email" in i && i.email && this.normalizeEmail && (i = { email_normalized: G.normalize(i.email), ...i }), "username" in i && i.username && this.normalizeUsername && (i = { username_normalized: G.normalize(i.username), ...i }), t ? await this.prismaClient.$transaction(async (c) => {
         let d = {};
         try {
           d = await c[this.userSecretsTable].findUniqueOrThrow({
@@ -313,7 +324,7 @@ class G extends L {
         data: i
       });
     } catch (r) {
-      throw u.logger.debug(f({ err: r })), new o(l.Connection, "Error updating user");
+      throw console.log(r), u.logger.debug(f({ err: r })), new o(l.Connection, "Error updating user");
     }
   }
   /**
@@ -330,22 +341,26 @@ class G extends L {
     if (t && !t.password) throw new o(l.PasswordFormat, "Password required when creating user");
     let i, a = "", n = "";
     try {
-      "email" in e && e.email && (n = G.normalize(e.email)), "username" in e && e.username && (a = G.normalize(e.username)), t ? i = await this.prismaClient[this.userTable].create({
-        data: {
-          ...e,
-          email_normalized: n,
-          username_normalized: a,
-          secrets: {
-            create: t
-          }
-        },
-        include: { secrets: !0 }
-      }) : i = await this.prismaClient[this.userTable].create({
-        data: {
-          ...e,
-          email_normalized: n,
-          username_normalized: a
+      "email" in e && e.email && this.normalizeEmail && (n = G.normalize(e.email)), "username" in e && e.username && this.normalizeUsername && (a = G.normalize(e.username));
+      let c = {
+        ...e
+      };
+      this.normalizeUsername && (c = {
+        ...c,
+        username_normalized: a
+      }), this.normalizeEmail && (c = {
+        ...c,
+        email_normalized: n
+      }), t ? (c = {
+        ...c,
+        secrets: {
+          create: t
         }
+      }, i = await this.prismaClient[this.userTable].create({
+        data: c,
+        include: { secrets: !0 }
+      })) : i = await this.prismaClient[this.userTable].create({
+        data: c
       });
     } catch (c) {
       u.logger.debug(f({ err: c })), r = new o(l.Connection, "Error creating user"), (c instanceof X.PrismaClientKnownRequestError || c instanceof Object && "code" in c) && c.code === "P2002" && (r = new o(l.UserExists));
@@ -398,18 +413,19 @@ class G extends L {
   async getUsers(e, t) {
     let r = {};
     e && (r.skip = e), t && (r.take = t);
+    let i = this.normalizeUsername ? "username_normalized" : "username";
     try {
       return await this.prismaClient[this.userTable].findMany({
         ...r,
         orderBy: [
           {
-            username_normalized: "asc"
+            [i]: "asc"
           }
         ],
         include: this.includesObject
       });
-    } catch (i) {
-      throw u.logger.error(f({ err: i })), new o(l.Connection, "Couldn't select from user table");
+    } catch (a) {
+      throw u.logger.error(f({ err: a })), new o(l.Connection, "Couldn't select from user table");
     }
   }
 }
@@ -959,7 +975,7 @@ class Ut extends we {
     // PrismaClient;
     h(this, "transactionTimeout", 5e3);
     h(this, "useridForeignKeyColumn", "userid");
-    m("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
+    m("authorizationTable", g.String, this, e, "OAUTH_AUTHORIZATION_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
   }
   async getAuthorizations(e, t) {
     try {
@@ -1029,12 +1045,13 @@ class At extends L {
    * @param secrets optionally, secrets to save
    */
   async createUser(e, t) {
-    if (e.username_normalized = L.normalize(e.username), e.username_normalized in this.usersByUsername)
+    let r = "username", i = "email";
+    if (this.normalizeUsername && (r = "username_normalized", e.username_normalized = L.normalize(e.username), e.username_normalized in this.usersByUsername))
       throw new o(l.UserExists);
-    if ("email" in e && e.email && (e.email_normalized = L.normalize(e.email), e.email_normalized in this.getUserByEmail))
+    if ("email" in e && e.email && this.normalizeEmail && (i = "email_normalized", e.email_normalized = L.normalize(e.email), e.email_normalized in this.getUserByEmail))
       throw new o(l.UserExists);
-    const r = { id: e.username, ...e };
-    return this.usersByUsername[e.username_normalized] = r, this.secretsByUsername[e.username_normalized] = t ?? {}, "email" in e && e.email && (this.usersByEmail[e.email_normalized] = r), "email" in e && e.email && (this.secretsByEmail[e.email_normalized] = t ?? {}), { id: e.username, ...e };
+    const a = { id: e.username, ...e };
+    return this.usersByUsername[e[r]] = a, this.secretsByUsername[e[r]] = t ?? {}, "email" in e && e.email && (this.usersByEmail[e[i]] = a), "email" in e && e.email && (this.secretsByEmail[e[i]] = t ?? {}), { id: e.username, ...e };
   }
   /**
    * Returns a {@link User }and {@link UserSecrets } instance matching the given username, or throws an Exception.
@@ -1044,7 +1061,7 @@ class At extends L {
    * @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist`.
    */
   async getUserByUsername(e, t) {
-    const r = L.normalize(e);
+    const r = this.normalizeUsername ? L.normalize(e) : e;
     if (r in this.usersByUsername) {
       const i = this.usersByUsername[r];
       if (!i) throw new o(l.UserNotExist);
@@ -1073,7 +1090,7 @@ class At extends L {
    * @throws {@link @crossauth/common!CrossauthError } with {@link @crossauth/common!ErrorCode } set to either `UserNotExist`.
    */
   async getUserByEmail(e, t) {
-    const r = L.normalize(e);
+    const r = this.normalizeEmail ? L.normalize(e) : e;
     if (r in this.usersByEmail) {
       const i = this.usersByEmail[r];
       if (!i) throw new o(l.UserNotExist);
@@ -1116,12 +1133,12 @@ class At extends L {
    * @param user the user to update.  The id to update is taken from this obkect, which must be present.  All other attributes are optional. 
    */
   async updateUser(e, t) {
-    let r = { ...e };
-    if ("username" in r && r.username ? r.username_normalized = L.normalize(r.username) : "id" in r && r.id && (r.username_normalized = L.normalize(String(r.id))), "email" in r && r.email && (r.email_normalized = L.normalize(r.email)), r.username_normalized && r.username_normalized in this.usersByUsername) {
-      for (let i in r)
-        this.usersByUsername[r.username_normalized][i] = r[i];
-      t && (this.secretsByUsername[r.username_normalized] = {
-        ...this.secretsByUsername[r.username_normalized],
+    let r = { ...e }, i = "username";
+    if ("username" in r && r.username && this.normalizeUsername ? (r.username_normalized = L.normalize(r.username), i = "username_normalized") : "id" in r && r.id && this.normalizeUsername && (r.username_normalized = L.normalize(String(r.id)), i = "username_normalized"), "email" in r && r.email && this.normalizeEmail && (r.email_normalized = L.normalize(r.email)), r[i] && r[i] in this.usersByUsername) {
+      for (let a in r)
+        this.usersByUsername[r[i]][a] = r[a];
+      t && (this.secretsByUsername[r[i]] = {
+        ...this.secretsByUsername[r[i]],
         ...t
       });
     }
@@ -1131,12 +1148,12 @@ class At extends L {
    * @param username username of user to delete
    */
   async deleteUserByUsername(e) {
-    const t = L.normalize(String(e));
+    const t = this.normalizeUsername ? L.normalize(String(e)) : e;
     if (t in this.usersByUsername) {
       const r = this.usersByUsername[t];
       delete this.usersByUsername[t], delete this.secretsByUsername[t];
-      const i = L.normalize(String(r.email));
-      i in this.usersByEmail && (delete this.usersByEmail[i], delete this.secretsByEmail[i]);
+      const i = this.normalizeEmail ? L.normalize(String(r.email)) : r.email;
+      i && i in this.usersByEmail && (delete this.usersByEmail[i], delete this.secretsByEmail[i]);
     }
   }
   /**
@@ -1546,7 +1563,7 @@ class oe extends L {
   async getLdapUser(e, t) {
     let r;
     try {
-      const i = oe.sanitizeLdapDnForSerach(e), a = [this.ldapUsernameAttribute + "=" + i, this.ldapUserSearchBase].join(",");
+      const i = oe.sanitizeLdapDnForSearch(e), a = [this.ldapUsernameAttribute + "=" + i, this.ldapUserSearchBase].join(",");
       if (!t) throw new o(l.PasswordInvalid);
       return u.logger.debug(f({ msg: "LDAP search " + a })), r = await this.ldapBind(a, t), await this.searchUser(r, a);
     } catch (i) {
@@ -1626,7 +1643,7 @@ class oe extends L {
    * @param dn the dn to sanitise
    * @returns a sanitized dn
    */
-  static sanitizeLdapDnForSerach(e) {
+  static sanitizeLdapDnForSearch(e) {
     return oe.sanitizeLdapDn(e).replace("*", "*").replace("(", "(").replace(")", ")");
   }
 }
@@ -2216,10 +2233,10 @@ class We extends me {
     t && r && (p = `where c.${t} = ` + d.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + d.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += C, v += p;
     let T = y + " union " + v + " order by client_id";
     const k = await e.execute(T, w);
-    let P;
+    let A;
     for (let H of k)
-      (!P || H.client_id != P.client_id) && (P && c.push(P), P = this.makeClient(H), P.valid_flow = [], P.redirect_uri = []), H.uri && P.redirect_uri.push(H.uri), H.flow && P.valid_flow.push(H.flow);
-    return P && c.push(P), c;
+      (!A || H.client_id != A.client_id) && (A && c.push(A), A = this.makeClient(H), A.valid_flow = [], A.redirect_uri = []), H.uri && A.redirect_uri.push(H.uri), H.flow && A.valid_flow.push(H.flow);
+    return A && c.push(A), c;
   }
   /**
    * Saves a key in the session table.
@@ -2518,7 +2535,7 @@ class Nt extends We {
     super(new de(s), e);
   }
 }
-class Dt extends Je {
+class Rt extends Je {
   /**
    * Creates a PostgresOAuthClientStorage object, optionally overriding defaults.
    * @param pgPool the instance of the Posrgres client. 
@@ -2838,7 +2855,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
   static symmetricEncrypt(s, e, t = void 0) {
     t || (t = ue(16));
     let r = Buffer.from(e, "base64url");
-    var i = De("aes-256-cbc", r, t);
+    var i = Re("aes-256-cbc", r, t);
     let a = i.update(s);
     return a = Buffer.concat([a, i.final()]), t.toString("base64url") + "." + a.toString("base64url");
   }
@@ -2854,7 +2871,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
     const r = s.split(".");
     if (r.length != 2) throw new o(l.InvalidHash, "Not AES-256-CBC ciphertext");
     let i = Buffer.from(r[0], "base64url"), a = Buffer.from(r[1], "base64url");
-    var n = Re("aes-256-cbc", t, i);
+    var n = De("aes-256-cbc", t, i);
     let c = n.update(a);
     return c = Buffer.concat([c, n.final()]), c.toString();
   }
@@ -2916,9 +2933,9 @@ const le = class le extends be {
     if (!t.password) throw new o(l.PasswordInvalid);
     if (!await _.passwordsEqual(r.password, t.password, this.secret))
       throw u.logger.debug(f({ msg: "Invalid password hash", user: e.username })), new o(l.PasswordInvalid);
-    if (e.state == "awaitingtwofactorsetup") throw new o(l.TwoFactorIncomplete);
-    if (e.state == "awaitingemailverification") throw new o(l.EmailNotVerified);
-    if (e.state == "deactivated") throw new o(l.UserNotActive);
+    if (e.state == E.awaitingTwoFactorSetup) throw new o(l.TwoFactorIncomplete);
+    if (e.state == E.awaitingEmailVerification) throw new o(l.EmailNotVerified);
+    if (e.state == E.disabled) throw new o(l.UserNotActive);
   }
   /**
    * Calls the implementor-provided `validatePasswordFn` 
@@ -2943,10 +2960,10 @@ const le = class le extends be {
    * @param salt the salt to use.  If undefined, a random one will be generated.
    * @returns the encoded hash string.
    */
-  async createPasswordHash(e, t) {
+  async createPasswordHash(e, t, r = !0) {
     return await _.passwordHash(e, {
       salt: t,
-      encode: !0,
+      encode: r,
       secret: this.enableSecretForPasswords ? this.secret : void 0,
       iterations: this.pbkdf2Iterations,
       keyLen: this.pbkdf2KeyLength,
@@ -3035,7 +3052,7 @@ class Z extends ie {
    * @param options see {@link EmailAuthenticatorOptions}
    */
   constructor(e = {}) {
-    super({ friendlyName: "Email otp", ...e });
+    super({ friendlyName: "Email OTP", ...e });
     h(this, "views", "views");
     h(this, "emailAuthenticatorTextBody", "emailauthenticationtextbody.njk");
     h(this, "emailAuthenticatorHtmlBody");
@@ -3104,6 +3121,7 @@ class Z extends ie {
       username: e.username,
       factor2: this.factorName,
       expiry: a,
+      email: r,
       otp: t
     }, d = this.sendToken(r, t);
     return u.logger.info(f({
@@ -3293,6 +3311,7 @@ class Q extends ie {
       username: e.username,
       factor2: this.factorName,
       expiry: a,
+      phone: r,
       otp: t
     };
     let d = { otp: t };
@@ -3474,7 +3493,7 @@ class Ue extends Q {
     return (await Be(this.accountSid, this.authToken).messages.create(r)).sid;
   }
 }
-class Rt extends ie {
+class Dt extends ie {
   /**
    * Constructor
    * 
@@ -3667,15 +3686,15 @@ class xt extends be {
         try {
           i = (await this.ldapStorage.getUserByUsername(e.username)).user, i.factor1 = this.ldapAutoCreateFactor1;
         } catch {
-          i = await this.ldapStorage.createUser({ factor1: this.ldapAutoCreateFactor1, ...e }, r);
+          u.logger.debug(f({ msg: "Creating user", user: e.username })), i = await this.ldapStorage.createUser({ factor1: this.ldapAutoCreateFactor1, ...e }, r);
         }
       else
         i = (await this.ldapStorage.getUserByUsername(e.username)).user;
-      if (i.state == "awaitingtwofactorsetup") throw new o(l.TwoFactorIncomplete);
-      if (i.state == "awaitingemailverification") throw new o(l.EmailNotVerified);
-      if (i.state == "deactivated") throw new o(l.UserNotActive);
+      if (i.state == E.awaitingTwoFactorSetup) throw new o(l.TwoFactorIncomplete);
+      if (i.state == E.awaitingEmailVerification) throw new o(l.EmailNotVerified);
+      if (i.state == E.disabled) throw new o(l.UserNotActive);
     } catch (a) {
-      throw console.log(a), u.logger.debug(f({ err: a })), a;
+      throw u.logger.debug(f({ err: a })), a;
     }
   }
   /**
@@ -3917,7 +3936,7 @@ class Bt extends ie {
   }
 }
 const ne = 16;
-class D {
+class R {
   /**
    * Construct a new EmailVerifier.
    * 
@@ -3977,11 +3996,11 @@ class D {
     let r = 0;
     const i = /* @__PURE__ */ new Date(), a = new Date(i.getTime() + 1e3 * this.verifyEmailExpires);
     for (; r < 10; ) {
-      let n = _.randomValue(ne), c = D.hashEmailVerificationToken(n);
+      let n = _.randomValue(ne), c = R.hashEmailVerificationToken(n);
       try {
         return await this.keyStorage.saveKey(s, c, i, a, e), n;
       } catch {
-        n = _.randomValue(ne), c = D.hashEmailVerificationToken(n), r++;
+        n = _.randomValue(ne), c = R.hashEmailVerificationToken(n), r++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4022,7 +4041,7 @@ class D {
         "Either emailVerificationTextBody or emailVerificationHtmlBody must be set to send email verification emails"
       );
     let { user: r } = await this.userStorage.getUserById(s, { skipEmailVerifiedCheck: !0 }), i = e;
-    i != "" ? D.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), D.validateEmail(i)), D.validateEmail(i);
+    i != "" ? R.validateEmail(i) : (i = r.email ?? r.username, i || (i = r.username), R.validateEmail(i)), R.validateEmail(i);
     const a = await this.createAndSaveEmailVerificationToken(s, e), n = await this._sendEmailVerificationToken(a, i, t);
     u.logger.info(f({ msg: "Sent email verification email", emailMessageId: n, email: i }));
   }
@@ -4042,20 +4061,20 @@ class D {
    *          address the user is validating
    */
   async verifyEmailVerificationToken(s) {
-    const e = D.hashEmailVerificationToken(s);
+    const e = R.hashEmailVerificationToken(s);
     let t = await this.keyStorage.getKey(e);
     try {
       if (!t.userid || !t.expires) throw new o(l.InvalidKey);
       const { user: r } = await this.userStorage.getUserById(t.userid, { skipEmailVerifiedCheck: !0 });
       let i = (r.email ?? r.username).toLowerCase();
-      if (i || (i = r.username.toLowerCase()), D.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
+      if (i || (i = r.username.toLowerCase()), R.validateEmail(i), (/* @__PURE__ */ new Date()).getTime() > t.expires.getTime()) throw new o(l.Expired);
       return { userid: t.userid, newEmail: t.data ?? "" };
     } finally {
     }
   }
   async deleteEmailVerificationToken(s) {
     try {
-      const e = D.hashEmailVerificationToken(s);
+      const e = R.hashEmailVerificationToken(s);
       await this.keyStorage.deleteKey(e);
     } catch (e) {
       const t = o.asCrossauthError(e);
@@ -4066,11 +4085,11 @@ class D {
     let t = 0;
     const r = /* @__PURE__ */ new Date(), i = new Date(r.getTime() + 1e3 * this.passwordResetExpires);
     for (; t < 10; ) {
-      let a = _.randomValue(ne), n = D.hashPasswordResetToken(a);
+      let a = _.randomValue(ne), n = R.hashPasswordResetToken(a);
       try {
         return await this.keyStorage.saveKey(s, n, r, i), a;
       } catch {
-        a = _.randomValue(ne), n = D.hashPasswordResetToken(a), t++;
+        a = _.randomValue(ne), n = R.hashPasswordResetToken(a), t++;
       }
     }
     throw new o(l.Connection, "failed creating a unique key");
@@ -4090,7 +4109,7 @@ class D {
    * @returns the user that the token is for
    */
   async verifyPasswordResetToken(s) {
-    const e = D.hashPasswordResetToken(s);
+    const e = R.hashPasswordResetToken(s);
     u.logger.debug("verifyPasswordResetToken " + s + " " + e);
     let t = await this.keyStorage.getKey(e);
     if (!t.userid) throw new o(l.InvalidKey);
@@ -4139,7 +4158,7 @@ class D {
     if (!t && r.state != E.active && r.state != E.passwordResetNeeded && r.state != E.passwordAndFactor2ResetNeeded)
       throw new o(l.UserNotActive);
     let i = (r.email ?? r.username).toLowerCase();
-    i || (i = r.username.toLowerCase()), D.validateEmail(i);
+    i || (i = r.username.toLowerCase()), R.validateEmail(i);
     const a = await this.createAndSavePasswordResetToken(s), n = await this._sendPasswordResetToken(a, i, e);
     u.logger.info(f({ msg: "Sent password reset email", emailMessageId: n, email: i }));
   }
@@ -4161,7 +4180,7 @@ class D {
    * @param email the email to validate
    */
   static validateEmail(s) {
-    if (s == null || !D.isEmailValid(s)) throw new o(l.InvalidEmail);
+    if (s == null || !R.isEmailValid(s)) throw new o(l.InvalidEmail);
   }
 }
 const _e = 16, ke = 16;
@@ -4285,7 +4304,7 @@ class rt {
     }
   }
 }
-class R {
+class D {
   /**
    * Constructor.
    * 
@@ -4351,7 +4370,7 @@ class R {
     const a = /* @__PURE__ */ new Date();
     let n = this.expiry(a), c = !1;
     for (; r < 10 && !c; ) {
-      const d = R.hashSessionId(i);
+      const d = D.hashSessionId(i);
       try {
         this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, d, a, n, void 0, e), c = !0;
       } catch (w) {
@@ -4407,7 +4426,7 @@ class R {
    */
   async updateSessionKey(s) {
     if (!s.value) throw new o(l.InvalidKey, "No session when updating activity");
-    s.value = R.hashSessionId(s.value), await this.keyStorage.updateKey(s);
+    s.value = D.hashSessionId(s.value), await this.keyStorage.updateKey(s);
   }
   /**
    * Unsigns a cookie and returns the original value.
@@ -4455,7 +4474,7 @@ class R {
    *         `Expired` or `UserNotExist`.
    */
   async getSessionKey(s) {
-    const e = Date.now(), t = R.hashSessionId(s), r = await this.keyStorage.getKey(t);
+    const e = Date.now(), t = D.hashSessionId(s), r = await this.keyStorage.getKey(t);
     if (r.value = s, r.expires && e > r.expires.getTime())
       throw u.logger.warn(f({ msg: "Session id in cookie expired in key storage", hashedSessionCookie: _.hash(s) })), new o(l.Expired);
     if (r.userid && this.idleTimeout > 0 && r.lastactive && e > r.lastactive.getTime() + this.idleTimeout * 1e3)
@@ -4470,7 +4489,7 @@ class R {
    * @param except if defined, don't delete this key
    */
   async deleteAllForUser(s, e) {
-    e && (e = R.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, b.session, e);
+    e && (e = D.hashSessionId(e)), await this.keyStorage.deleteAllForUser(s, b.session, e);
   }
 }
 class Lt {
@@ -4495,9 +4514,9 @@ class Lt {
     t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
     for (let r in this.authenticators)
       this.authenticators[r].factorName = r;
-    if (this.session = new R(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
+    if (this.session = new D(this.keyStorage, { ...t == null ? void 0 : t.sessionCookieOptions, ...t ?? {} }), this.csrfTokens = new rt({ ...t == null ? void 0 : t.doubleSubmitCookieOptions, ...t ?? {} }), m("allowedFactor2", g.JsonArray, this, t, "ALLOWED_FACTOR2"), m("enableEmailVerification", g.Boolean, this, t, "ENABLE_EMAIL_VERIFICATION"), m("enablePasswordReset", g.Boolean, this, t, "ENABLE_PASSWORD_RESET"), this.emailTokenStorage = this.keyStorage, this.userStorage && (this.enableEmailVerification || this.enablePasswordReset)) {
       let r = this.keyStorage;
-      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new D(this.userStorage, r, t);
+      t.emailTokenStorage && (this.emailTokenStorage = t.emailTokenStorage), this.tokenEmailer = new R(this.userStorage, r, t);
     }
   }
   /**
@@ -4561,9 +4580,10 @@ class Lt {
       try {
         let T = await this.userStorage.getUserByUsername(s, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
         n = T.secrets, i = T.user, v = T.user;
-      } catch {
-        for (let k in this.authenticators)
-          this.authenticators[k].requireUserEntry() || (v = { username: e.username, state: "active" }, c = k);
+      } catch (T) {
+        if (o.asCrossauthError(T).code == l.Connection) throw T;
+        for (let A in this.authenticators)
+          this.authenticators[A].requireUserEntry() || (v = { username: e.username, state: "active" }, c = A);
       }
       if (v.username == "") throw new o(l.UserNotExist);
       await this.authenticators[(i == null ? void 0 : i.factor1) ?? c].authenticateUser(v, n, e);
@@ -4626,7 +4646,7 @@ class Lt {
    */
   async logout(s) {
     const e = await this.session.getSessionKey(s);
-    return await this.keyStorage.deleteKey(R.hashSessionId(e.value));
+    return await this.keyStorage.deleteKey(D.hashSessionId(e.value));
   }
   /**
    * Logs a user out from all sessions.
@@ -4774,7 +4794,7 @@ class Lt {
    * @param value new value to store
    */
   async updateSessionData(s, e, t) {
-    const r = R.hashSessionId(s);
+    const r = D.hashSessionId(s);
     u.logger.debug(f({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.updateData(r, e, t);
   }
   /**
@@ -4786,7 +4806,7 @@ class Lt {
    * @param dataArray names and values.
    */
   async updateManySessionData(s, e) {
-    const t = R.hashSessionId(s);
+    const t = D.hashSessionId(s);
     u.logger.debug(f({ msg: "Updating session data", hashedSessionCookie: _.hash(s) })), await this.keyStorage.updateManyData(t, e);
   }
   /**
@@ -4798,7 +4818,7 @@ class Lt {
   * @param name of the field.
   */
   async deleteSessionData(s, e) {
-    const t = R.hashSessionId(s);
+    const t = D.hashSessionId(s);
     u.logger.debug(f({ msg: `Updating session data value ${e}`, hashedSessionCookie: _.hash(s) })), await this.keyStorage.deleteData(t, e);
   }
   /**
@@ -4807,7 +4827,7 @@ class Lt {
    * @param sessionId the session Id to delete
    */
   async deleteSession(s) {
-    return await this.keyStorage.deleteKey(R.hashSessionId(s));
+    return await this.keyStorage.deleteKey(D.hashSessionId(s));
   }
   /**
    * Creates a new user, sending an email verification message if necessary.
@@ -4838,7 +4858,7 @@ class Lt {
    */
   async deleteUserByUsername(s) {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call deleteUser if no user storage provided");
-    this.userStorage.deleteUserByUsername(s);
+    await this.userStorage.deleteUserByUsername(s);
   }
   /** Creates a user with 2FA enabled.
    * 
@@ -4862,7 +4882,7 @@ class Lt {
     if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
     const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, d = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
     return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
-      R.hashSessionId(t),
+      D.hashSessionId(t),
       "2fa",
       c
     ), { userid: (await this.userStorage.createUser(s, d)).id, userData: n };
@@ -4882,13 +4902,13 @@ class Lt {
       if (!this.authenticators[e]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
       const i = await this.authenticators[e].prepareConfiguration(s), a = i == null ? {} : i.userData, n = i == null ? {} : i.sessionData;
       return n && (n.userData = a), await this.keyStorage.updateData(
-        R.hashSessionId(t),
+        D.hashSessionId(t),
         "2fa",
         n
       ), a;
     }
     return await this.userStorage.updateUser({ id: s.id, factor2: e ?? "" }), await this.keyStorage.updateData(
-      R.hashSessionId(t),
+      D.hashSessionId(t),
       "2fa",
       void 0
     ), {};
@@ -4908,7 +4928,7 @@ class Lt {
    */
   async repeatTwoFactorSignup(s) {
     if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
-    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = R.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
+    const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), d = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
     y && await this.keyStorage.updateData(i, "2fa", y);
     const { user: C } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
     return { userid: C.id, userData: d, secrets: w };
@@ -4948,7 +4968,7 @@ class Lt {
       state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
       factor2: a.factor2
     };
-    return c.secretNames().length > 0 ? await this.userStorage.updateUser(C, d) : await this.userStorage.updateUser(C), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((v = this.tokenEmailer) == null ? void 0 : v.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(R.hashSessionId(i.value), "2fa", void 0), { ...r, ...C };
+    return c.secretNames().length > 0 ? await this.userStorage.updateUser(C, d) : await this.userStorage.updateUser(C), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((v = this.tokenEmailer) == null ? void 0 : v.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...C };
   }
   /**
    * Initiates the two factor login process.
@@ -4979,7 +4999,7 @@ class Lt {
   async initiateTwoFactorPageVisit(s, e, t, r, i) {
     const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
     let c, d, w;
-    const y = R.hashSessionId(e);
+    const y = D.hashSessionId(e);
     u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
     let C = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
     return i && (C["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", C), {
@@ -5008,7 +5028,7 @@ class Lt {
     const n = {}, c = a.secretNames();
     for (let d in i)
       c.includes(d) && d in i && (n[d] = i[d]);
-    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(R.hashSessionId(t.value), "pre2fa", void 0);
+    await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
   }
   /**
    * Cancels the 2FA that was previously initiated but not completed..  
@@ -5021,10 +5041,10 @@ class Lt {
    */
   async cancelTwoFactorPageVisit(s) {
     let { key: e } = await this.session.getUserForSessionId(s);
-    if (!e) throw new o(l.InvalidKey, "Session key not found");
+    if (!e) throw new o(l.InvalidSession, "Session key not found");
     let t = z.decodeData(e.data);
     if (!("pre2fa" in t)) throw new o(l.Unauthorized, "Two factor authentication not initiated");
-    return await this.keyStorage.updateData(R.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
+    return await this.keyStorage.updateData(D.hashSessionId(e.value), "pre2fa", void 0), t.pre2fa;
   }
   /**
    * Performs the second factor authentication as the second step of the login
@@ -5052,15 +5072,15 @@ class Lt {
     if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
     await y.authenticateUser(d, { ...w, ...a }, s);
     const C = await this.session.createSessionKey(d.id, t);
-    await this.keyStorage.deleteKey(R.hashSessionId(i.value));
+    await this.keyStorage.deleteKey(D.hashSessionId(i.value));
     const v = this.session.makeCookie(C, r), p = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(p), k = this.csrfTokens.makeCsrfFormOrHeaderToken(p);
     try {
       this.emailTokenStorage.deleteAllForUser(
         d.id,
         b.passwordResetToken
       );
-    } catch (P) {
-      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: n })), u.logger.debug(f({ err: P }));
+    } catch (A) {
+      u.logger.warn(f({ msg: "Couldn't delete password reset tokens while logging in", user: n })), u.logger.debug(f({ err: A }));
     }
     return {
       sessionCookie: v,
@@ -5126,7 +5146,7 @@ class Lt {
       d
     );
     try {
-      this.emailTokenStorage.deleteAllForUser(
+      await this.emailTokenStorage.deleteAllForUser(
         a.id,
         b.passwordResetToken
       );
@@ -5150,17 +5170,17 @@ class Lt {
     if (!("username" in s) || s.username == null)
       throw new o(l.UserNotExist, "Please specify a userername");
     let { email: a, username: n, password: c, ...d } = e;
-    d.userid = s.userid;
+    d.userid = s.userid, d.id = s.id;
     let w = !1;
     if (a)
-      i = a, D.validateEmail(i), w = !0;
+      i = a, R.validateEmail(i), w = !0;
     else if (n) {
       i = n;
       try {
-        D.validateEmail(s.username), w = !0;
+        R.validateEmail(s.username), w = !0;
       } catch {
       }
-      w && D.validateEmail(i);
+      w && R.validateEmail(i);
     }
     return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (d.email = a), n && (d.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((C = this.tokenEmailer) == null ? void 0 : C.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(d), {
       emailVerificationTokenSent: !t && this.enableEmailVerification && w,
@@ -5975,7 +5995,7 @@ class Ht {
     };
     const k = await this.getClientById(e);
     if (!k.client) return k;
-    const P = k.client, H = await this.authenticateClient(T, P, i);
+    const A = k.client, H = await this.authenticateClient(T, A, i);
     if (H.error) return H;
     if (T == U.Password && !this.validFlows.includes(T) && !this.validFlows.includes(U.PasswordMfa))
       return {
@@ -5987,7 +6007,7 @@ class Ht {
         error: "access_denied",
         error_description: "Unsupported flow type " + T
       };
-    if (P && !P.valid_flow.includes(T))
+    if (A && !A.valid_flow.includes(T))
       return {
         error: "unauthorized_client",
         error_description: "Client does not support " + T
@@ -5996,14 +6016,14 @@ class Ht {
     this.issueRefreshToken && T != U.RefreshToken && (j = !0), this.issueRefreshToken && T == U.RefreshToken && this.rollingRefreshToken && (j = !0);
     let O;
     if (s == "authorization_code")
-      return this.requireClientSecretOrChallenge && P && P.client_secret && !i && !a ? {
+      return this.requireClientSecretOrChallenge && A && A.client_secret && !i && !a ? {
         error: "access_denied",
         error_description: "Must provide either a client secret or use PKCE"
-      } : P && P.client_secret && !i ? {
+      } : A && A.client_secret && !i ? {
         error: "access_denied",
         error_description: "No client secret or code verifier provided for authorization coode flow"
       } : r ? await this.makeAccessToken({
-        client: P,
+        client: A,
         code: r,
         client_secret: i,
         codeVerifier: a,
@@ -6019,26 +6039,26 @@ class Ht {
             error: "invalid_request",
             error_description: "If executing the refresh token flow, must  provide a refresh token"
           };
-        let A = await this.upstreamClient.refreshTokenFlow(n);
-        if (!A.access_token)
+        let I = await this.upstreamClient.refreshTokenFlow(n);
+        if (!I.access_token)
           return {
             error: "access_denied",
             error_description: "Didn't receive an access token"
           };
-        let I = A.access_token;
-        if (this.upstreamClientOptions.accessTokenIsJwt && (I = await this.upstreamClient.validateAccessToken(A.access_token, !1), !I))
+        let P = I.access_token;
+        if (this.upstreamClientOptions.accessTokenIsJwt && (P = await this.upstreamClient.validateAccessToken(I.access_token, !1), !P))
           return {
             error: "access_denied",
             error_description: "Couldn't decode access token"
           };
-        const x = await this.upstreamClientOptions.tokenMergeFn(I, A.id_payload, this.userStorage);
+        const x = await this.upstreamClientOptions.tokenMergeFn(P, I.id_payload, this.userStorage);
         if (x.authorized) {
           const B = await this.createTokensFromPayload(
             e,
             x.access_payload,
             x.id_payload
           );
-          return A.access_token = B.access_token, A.id_token = B.id_token, A.id_payload = B.id_payload, A;
+          return I.access_token = B.access_token, I.id_token = B.id_token, I.id_payload = B.id_payload, I;
         } else
           return u.logger.warn(f({ msg: x.error_description })), {
             error: x.error,
@@ -6054,11 +6074,11 @@ class Ht {
       let K;
       if (N.username)
         try {
-          const { user: A } = await ((F = this.userStorage) == null ? void 0 : F.getUserByUsername(N.username));
-          K = A;
-        } catch (A) {
+          const { user: I } = await ((F = this.userStorage) == null ? void 0 : F.getUserByUsername(N.username));
+          K = I;
+        } catch (I) {
           return u.logger.error(f({
-            err: A,
+            err: I,
             msg: "Couldn't get user for refresh token.  Doesn't exist?",
             username: N.username
           })), {
@@ -6067,14 +6087,14 @@ class Ht {
           };
         }
       try {
-        const A = b.refreshToken + _.hash(n);
-        await this.keyStorage.deleteKey(A);
-      } catch (A) {
-        const I = o.asCrossauthError(A);
-        u.logger.debug(f({ err: A })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: I }));
+        const I = b.refreshToken + _.hash(n);
+        await this.keyStorage.deleteKey(I);
+      } catch (I) {
+        const P = o.asCrossauthError(I);
+        u.logger.debug(f({ err: I })), u.logger.warn(f({ msg: "Cannot delete refresh token", cerr: P }));
       }
       return await this.makeAccessToken({
-        client: P,
+        client: A,
         client_secret: i,
         codeVerifier: a,
         issueRefreshToken: j,
@@ -6085,13 +6105,13 @@ class Ht {
       const {
         scopes: N,
         error: K,
-        error_description: A
+        error_description: I
       } = await this.validateAndPersistScope(e, t, void 0);
       return K ? {
         error: K,
-        error_description: A
+        error_description: I
       } : await this.makeAccessToken({
-        client: P,
+        client: A,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
@@ -6109,19 +6129,19 @@ class Ht {
             error: "server_error",
             error_description: "Password authentication not configured"
           };
-        const { user: I, secrets: x } = await this.userStorage.getUserByUsername(c), B = this.authenticators[I.factor1];
+        const { user: P, secrets: x } = await this.userStorage.getUserByUsername(c), B = this.authenticators[P.factor1];
         if (!B || !B.secretNames().includes("password"))
           return {
             error: "access_denied",
             error_description: "Password flow used but factor 1 authenticator does not accept passwords"
           };
         await B.authenticateUser(
-          I,
+          P,
           x,
           { password: d }
-        ), O = I;
-      } catch (I) {
-        return u.logger.debug(f({ err: I })), {
+        ), O = P;
+      } catch (P) {
+        return u.logger.debug(f({ err: P })), {
           error: "access_denied",
           error_description: "Username and/or password do not match"
         };
@@ -6129,16 +6149,16 @@ class Ht {
       const {
         scopes: N,
         error: K,
-        error_description: A
+        error_description: I
       } = await this.validateAndPersistScope(e, t, O);
       return K ? {
         error: K,
-        error_description: A
+        error_description: I
       } : O.factor2 ? this.allowedFactor2.length > 0 && (O.state == E.factor2ResetNeeded || !this.allowedFactor2.includes(O.factor2 ? O.factor2 : "none")) ? {
         error: "access_denied",
         error_description: "2FA method not allowed or needs to be reconfigured"
       } : await this.createMfaRequest(O) : await this.makeAccessToken({
-        client: P,
+        client: A,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
@@ -6149,12 +6169,12 @@ class Ht {
       const {
         scopes: N,
         error: K,
-        error_description: A
+        error_description: I
       } = await this.validateAndPersistScope(e, t, void 0);
       if (K)
         return {
           error: K,
-          error_description: A
+          error_description: I
         };
       if (!v)
         return {
@@ -6166,22 +6186,22 @@ class Ht {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const I = await this.validateMfaToken(w), x = b.mfaToken + _.hash(w);
-      if (!I.user || !I.key)
+      const P = await this.validateMfaToken(w), x = b.mfaToken + _.hash(w);
+      if (!P.user || !P.key)
         return {
           error: "access_denied",
           error_description: "Invalid MFA token"
         };
-      const B = this.authenticators[I.user.factor2];
+      const B = this.authenticators[P.user.factor2];
       if (!B || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "MFA type is not supported for OAuth"
         };
       try {
-        const { secrets: V } = await this.userStorage.getUserById(I.user.id);
+        const { secrets: V } = await this.userStorage.getUserById(P.user.id);
         await B.authenticateUser(
-          I.user,
+          P.user,
           V,
           { otp: v }
         );
@@ -6197,27 +6217,27 @@ class Ht {
         u.logger.debug(f({ err: V })), u.logger.warn(f({
           cerr: V,
           msg: "Couldn't delete mfa token",
-          hashedMfaToken: I.key.value
+          hashedMfaToken: P.key.value
         }));
       }
       return await this.makeAccessToken({
-        client: P,
+        client: A,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
         issueRefreshToken: j,
-        user: I.user
+        user: P.user
       });
     } else if (s == "http://auth0.com/oauth/grant-type/mfa-oob") {
       const {
         scopes: N,
         error: K,
-        error_description: A
+        error_description: I
       } = await this.validateAndPersistScope(e, t, void 0);
       if (K)
         return {
           error: K,
-          error_description: A
+          error_description: I
         };
       if (!y || !C)
         return {
@@ -6229,20 +6249,20 @@ class Ht {
           error: "access_denied",
           error_description: "MFA token not provided"
         };
-      const I = await this.validateMfaToken(w);
-      if (!I.user || !I.key)
+      const P = await this.validateMfaToken(w);
+      if (!P.user || !P.key)
         return {
           error: "access_denied",
           error_description: "Invalid MFA token"
         };
-      const x = this.authenticators[I.user.factor2];
+      const x = this.authenticators[P.user.factor2];
       if (!x || !this.userStorage)
         return {
           error: "access_denied",
           error_description: "MFA type is not supported for OAuth"
         };
       try {
-        const { secrets: B } = await this.userStorage.getUserById(I.user.id), V = z.decodeData(I.key.data).omfa;
+        const { secrets: B } = await this.userStorage.getUserById(P.user.id), V = z.decodeData(P.key.data).omfa;
         if (!V || !V.otp || !V.oobCode)
           return {
             error: "server_error",
@@ -6254,8 +6274,8 @@ class Ht {
             error_description: "Invalid OOB code"
           };
         await x.authenticateUser(
-          I.user,
-          { ...B, otp: V.otp, expiry: ($ = I.key.expires) == null ? void 0 : $.getTime() },
+          P.user,
+          { ...B, otp: V.otp, expiry: ($ = P.key.expires) == null ? void 0 : $.getTime() },
           { otp: C }
         );
       } catch (B) {
@@ -6265,21 +6285,21 @@ class Ht {
         };
       }
       try {
-        await this.keyStorage.deleteKey(I.key.value);
+        await this.keyStorage.deleteKey(P.key.value);
       } catch (B) {
         u.logger.debug(f({ err: B })), u.logger.warn(f({
           cerr: B,
           msg: "Couldn't delete mfa token",
-          hashedMfaToken: I.key.value
+          hashedMfaToken: P.key.value
         }));
       }
       return await this.makeAccessToken({
-        client: P,
+        client: A,
         client_secret: i,
         codeVerifier: a,
         scopes: N,
         issueRefreshToken: j,
-        user: I.user
+        user: P.user
       });
     } else if (s == "urn:ietf:params:oauth:grant-type:device_code") {
       if (!p)
@@ -6291,15 +6311,15 @@ class Ht {
       try {
         N = await this.keyStorage.getKey(b.deviceCode + p);
       } catch (K) {
-        const A = o.asCrossauthError(K);
-        return u.logger.debug(f({ err: A })), u.logger.error(f({ msg: "Couldn't get device code", cerr: A })), {
+        const I = o.asCrossauthError(K);
+        return u.logger.debug(f({ err: I })), u.logger.error(f({ msg: "Couldn't get device code", cerr: I })), {
           error: "accerss_denied",
           error_description: "Invalid device code"
         };
       }
       try {
-        const K = JSON.parse(N.data ?? "{}"), A = (/* @__PURE__ */ new Date()).getTime();
-        if (N.expires && A > N.expires.getTime())
+        const K = JSON.parse(N.data ?? "{}"), I = (/* @__PURE__ */ new Date()).getTime();
+        if (N.expires && I > N.expires.getTime())
           return await this.deleteDeviceCode(p), {
             error: "expired_token",
             error_description: "Code has expired"
@@ -6310,19 +6330,19 @@ class Ht {
             error_description: "Waiting for user code to be entered"
           };
         {
-          let I = K.scope ? K.scope.split(" ") : void 0, x = K.userid ? await ((M = this.userStorage) == null ? void 0 : M.getUserById(K.userid)) : void 0;
+          let P = K.scope ? K.scope.split(" ") : void 0, x = K.userid ? await ((M = this.userStorage) == null ? void 0 : M.getUserById(K.userid)) : void 0;
           return await this.deleteDeviceCode(p), await this.makeAccessToken({
-            client: P,
+            client: A,
             client_secret: i,
             codeVerifier: a,
-            scopes: I,
+            scopes: P,
             issueRefreshToken: j,
             user: x == null ? void 0 : x.user
           });
         }
       } catch (K) {
-        const A = o.asCrossauthError(K);
-        return u.logger.debug(f({ err: A })), u.logger.error(f({ msg: "Couldn't get device code", cerr: A })), await this.deleteDeviceCode(p), {
+        const I = o.asCrossauthError(K);
+        return u.logger.debug(f({ err: I })), u.logger.error(f({ msg: "Couldn't get device code", cerr: I })), await this.deleteDeviceCode(p), {
           error: "accerss_denied",
           error_description: "Invalid device code"
         };
@@ -7038,7 +7058,7 @@ class Ht {
         );
       });
     }
-    let P;
+    let A;
     if (a) {
       const O = {
         username: d.username,
@@ -7053,22 +7073,22 @@ class Ht {
         sub: d.username,
         type: "refresh"
       };
-      this.refreshTokenExpiry != null && (M.exp = y + this.refreshTokenExpiry, F = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (M.aud = this.oauthIssuer), P = await new Promise((N, K) => {
+      this.refreshTokenExpiry != null && (M.exp = y + this.refreshTokenExpiry, F = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (M.aud = this.oauthIssuer), A = await new Promise((N, K) => {
         ee.sign(
           M,
           this.secretOrPrivateKey,
           { algorithm: this.jwtAlgorithmChecked, keyid: "1" },
-          (A, I) => {
-            I ? N(I) : K(A || new o(
+          (I, P) => {
+            P ? N(P) : K(I || new o(
               l.Unauthorized,
               "Couldn't create jwt"
             ));
           }
         );
-      }), P && await ((j = this.keyStorage) == null ? void 0 : j.saveKey(
+      }), A && await ((j = this.keyStorage) == null ? void 0 : j.saveKey(
         void 0,
         // to avoid user storage dependency
-        b.refreshToken + _.hash(P),
+        b.refreshToken + _.hash(A),
         w,
         F,
         JSON.stringify(O)
@@ -7077,7 +7097,7 @@ class Ht {
     return {
       access_token: T,
       id_token: k,
-      refresh_token: P,
+      refresh_token: A,
       expires_in: this.accessTokenExpiry == null ? void 0 : this.accessTokenExpiry,
       token_type: "Bearer",
       scope: i ? i.join(" ") : void 0
@@ -7499,7 +7519,7 @@ export {
   ie as Authenticator,
   _ as Crypto,
   rt as DoubleSubmitCsrfToken,
-  Rt as DummyFactor2Authenticator,
+  Dt as DummyFactor2Authenticator,
   Z as EmailAuthenticator,
   It as InMemoryKeyStorage,
   Kt as InMemoryOAuthAuthorizationStorage,
@@ -7519,17 +7539,17 @@ export {
   g as ParamType,
   be as PasswordAuthenticator,
   Ft as PostgresKeyStorage,
-  Dt as PostgresOAuthAuthorizationStorage,
+  Rt as PostgresOAuthAuthorizationStorage,
   Nt as PostgresOAuthClientStorage,
   Ot as PostgresUserStorage,
   Et as PrismaKeyStorage,
   Ut as PrismaOAuthAuthorizationStorage,
   bt as PrismaOAuthClientStorage,
   G as PrismaUserStorage,
-  R as SessionCookie,
+  D as SessionCookie,
   Lt as SessionManager,
   Q as SmsAuthenticator,
-  D as TokenEmailer,
+  R as TokenEmailer,
   Bt as TotpAuthenticator,
   Ue as TwilioAuthenticator,
   L as UserStorage,