npm - @digilogiclabs/platform-core - Versions diffs - 1.5.0 → 1.5.1 - Mend

@digilogiclabs/platform-core 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/auth.mjs ADDED Viewed

@@ -0,0 +1,900 @@
+// src/auth/keycloak.ts
+var KEYCLOAK_DEFAULT_ROLES = [
+  "offline_access",
+  "uma_authorization"
+];
+function parseKeycloakRoles(accessToken, additionalDefaultRoles = []) {
+  if (!accessToken) return [];
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return [];
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    const realmRoles = decoded.realm_roles ?? decoded.realm_access?.roles;
+    if (!Array.isArray(realmRoles)) return [];
+    const filterSet = /* @__PURE__ */ new Set([
+      ...KEYCLOAK_DEFAULT_ROLES,
+      ...additionalDefaultRoles
+    ]);
+    return realmRoles.filter(
+      (role) => typeof role === "string" && !filterSet.has(role)
+    );
+  } catch {
+    return [];
+  }
+}
+function hasRole(roles, role) {
+  return roles?.includes(role) ?? false;
+}
+function hasAnyRole(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.some((role) => roles.includes(role));
+}
+function hasAllRoles(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.every((role) => roles.includes(role));
+}
+function isTokenExpired(expiresAt, bufferMs = 6e4) {
+  if (!expiresAt) return true;
+  return Date.now() >= expiresAt - bufferMs;
+}
+function buildTokenRefreshParams(config, refreshToken) {
+  return new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    client_secret: config.clientSecret,
+    refresh_token: refreshToken
+  });
+}
+function getTokenEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/token`;
+}
+function getEndSessionEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/logout`;
+}
+async function refreshKeycloakToken(config, refreshToken, additionalDefaultRoles) {
+  try {
+    const endpoint = getTokenEndpoint(config.issuer);
+    const params = buildTokenRefreshParams(config, refreshToken);
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      return {
+        ok: false,
+        error: `Token refresh failed: HTTP ${response.status} - ${body}`
+      };
+    }
+    const data = await response.json();
+    return {
+      ok: true,
+      tokens: {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? refreshToken,
+        idToken: data.id_token,
+        expiresAt: Date.now() + data.expires_in * 1e3,
+        roles: parseKeycloakRoles(data.access_token, additionalDefaultRoles)
+      }
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+// src/auth/nextjs-keycloak.ts
+function buildAuthCookies(config = {}) {
+  const { domain, sessionToken = true, callbackUrl = true } = config;
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieDomain = isProduction ? domain : void 0;
+  const baseOptions = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    secure: isProduction,
+    domain: cookieDomain
+  };
+  const cookies = {
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: { ...baseOptions }
+    },
+    state: {
+      name: "authjs.state",
+      options: { ...baseOptions }
+    }
+  };
+  if (sessionToken) {
+    cookies.sessionToken = {
+      name: isProduction ? "__Secure-authjs.session-token" : "authjs.session-token",
+      options: { ...baseOptions }
+    };
+  }
+  if (callbackUrl) {
+    cookies.callbackUrl = {
+      name: isProduction ? "__Secure-authjs.callback-url" : "authjs.callback-url",
+      options: { ...baseOptions }
+    };
+  }
+  return cookies;
+}
+function buildRedirectCallback(config = {}) {
+  const { allowWwwVariant = false } = config;
+  return async ({ url, baseUrl }) => {
+    if (url.startsWith("/")) return `${baseUrl}${url}`;
+    try {
+      if (new URL(url).origin === baseUrl) return url;
+    } catch {
+      return baseUrl;
+    }
+    if (allowWwwVariant) {
+      try {
+        const urlHost = new URL(url).hostname;
+        const baseHost = new URL(baseUrl).hostname;
+        if (urlHost === `www.${baseHost}` || baseHost === `www.${urlHost}`) {
+          return url;
+        }
+      } catch {
+      }
+    }
+    return baseUrl;
+  };
+}
+function buildKeycloakCallbacks(config) {
+  const {
+    issuer,
+    clientId,
+    clientSecret,
+    defaultRoles = [],
+    debug = process.env.NODE_ENV === "development"
+  } = config;
+  const kcConfig = { issuer, clientId, clientSecret };
+  function log(message, meta) {
+    if (debug) {
+      console.log(`[Auth] ${message}`, meta ? JSON.stringify(meta) : "");
+    }
+  }
+  return {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    async jwt({
+      token,
+      user,
+      account
+    }) {
+      if (user) {
+        token.id = token.sub ?? user.id;
+      }
+      if (account?.provider === "keycloak") {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.idToken = account.id_token;
+        token.roles = parseKeycloakRoles(
+          account.access_token,
+          defaultRoles
+        );
+        token.accessTokenExpires = account.expires_at ? account.expires_at * 1e3 : Date.now() + 3e5;
+        return token;
+      }
+      if (!isTokenExpired(token.accessTokenExpires)) {
+        return token;
+      }
+      if (token.refreshToken) {
+        log("Token expired, attempting refresh...");
+        const result = await refreshKeycloakToken(
+          kcConfig,
+          token.refreshToken,
+          defaultRoles
+        );
+        if (result.ok) {
+          token.accessToken = result.tokens.accessToken;
+          token.idToken = result.tokens.idToken ?? token.idToken;
+          token.refreshToken = result.tokens.refreshToken ?? token.refreshToken;
+          token.accessTokenExpires = result.tokens.expiresAt;
+          token.roles = result.tokens.roles;
+          delete token.error;
+          log("Token refreshed OK");
+          return token;
+        }
+        log("Token refresh failed", { error: result.error });
+        return { ...token, error: "RefreshTokenError" };
+      }
+      log("Token expired but no refresh token available");
+      return { ...token, error: "RefreshTokenError" };
+    },
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    async session({
+      session,
+      token
+    }) {
+      const user = session.user;
+      if (user) {
+        user.id = token.id || token.sub;
+        user.roles = token.roles || [];
+      }
+      session.idToken = token.idToken;
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+// src/auth/api-security.ts
+var StandardRateLimitPresets = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin operations: 100/min (admins are trusted) */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** AI/expensive operations: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Auth attempts: 5/15min with 15min block */
+  authAttempt: {
+    limit: 5,
+    windowSeconds: 900,
+    blockDurationSeconds: 900
+  },
+  /** Contact/public forms: 10/hour */
+  publicForm: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 1800
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function resolveRateLimitIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp}`, isAuthenticated: false };
+}
+function extractClientIp(getHeader) {
+  return getHeader("cf-connecting-ip") || getHeader("x-real-ip") || getHeader("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function buildRateLimitHeaders(limit, remaining, resetAtMs) {
+  return {
+    "X-RateLimit-Limit": String(limit),
+    "X-RateLimit-Remaining": String(Math.max(0, remaining)),
+    "X-RateLimit-Reset": String(Math.ceil(resetAtMs / 1e3))
+  };
+}
+function buildErrorBody(error, extra) {
+  return { error, ...extra };
+}
+var WrapperPresets = {
+  /** Public route: no auth, rate limited */
+  public: {
+    requireAuth: false,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Authenticated route: requires session */
+  authenticated: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Admin route: requires session with admin role */
+  admin: {
+    requireAuth: true,
+    requireAdmin: true,
+    rateLimit: "adminAction"
+  },
+  /** Legacy admin: accepts session OR bearer token */
+  legacyAdmin: {
+    requireAuth: true,
+    requireAdmin: true,
+    allowBearerToken: true,
+    rateLimit: "adminAction"
+  },
+  /** AI/expensive: requires auth, strict rate limit */
+  ai: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "aiRequest"
+  },
+  /** Cron: no rate limit, admin-level access */
+  cron: {
+    requireAuth: true,
+    requireAdmin: false,
+    skipRateLimit: true,
+    skipAudit: false
+  }
+};
+// src/auth/schemas.ts
+import { z } from "zod";
+// src/security.ts
+var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
+var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
+var HTML_TAG_PATTERN = /<[^>]*>/;
+// src/auth/schemas.ts
+var EmailSchema = z.string().trim().toLowerCase().email("Invalid email address");
+var PasswordSchema = z.string().min(8, "Password must be at least 8 characters").max(100, "Password must be less than 100 characters");
+var SlugSchema = z.string().min(1, "Slug is required").max(100, "Slug must be less than 100 characters").regex(
+  /^[a-z0-9-]+$/,
+  "Slug can only contain lowercase letters, numbers, and hyphens"
+);
+var PhoneSchema = z.string().regex(/^[\d\s()+.\-]{7,20}$/, "Invalid phone number format");
+var PersonNameSchema = z.string().min(2, "Name must be at least 2 characters").max(100, "Name must be less than 100 characters").regex(
+  /^[a-zA-Z\s\-']+$/,
+  "Name can only contain letters, spaces, hyphens and apostrophes"
+);
+function createSafeTextSchema(options) {
+  const {
+    min,
+    max,
+    allowHtml = false,
+    allowUrls = false,
+    fieldName = "Text"
+  } = options ?? {};
+  let schema = z.string();
+  if (min !== void 0)
+    schema = schema.min(min, `${fieldName} must be at least ${min} characters`);
+  if (max !== void 0)
+    schema = schema.max(
+      max,
+      `${fieldName} must be less than ${max} characters`
+    );
+  if (!allowHtml && !allowUrls) {
+    return schema.refine((val) => !HTML_TAG_PATTERN.test(val), "HTML tags are not allowed").refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  if (!allowHtml) {
+    return schema.refine(
+      (val) => !HTML_TAG_PATTERN.test(val),
+      "HTML tags are not allowed"
+    );
+  }
+  if (!allowUrls) {
+    return schema.refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  return schema;
+}
+var PaginationSchema = z.object({
+  page: z.coerce.number().int().positive().default(1),
+  limit: z.coerce.number().int().positive().max(100).default(20),
+  sortBy: z.string().optional(),
+  sortOrder: z.enum(["asc", "desc"]).default("desc")
+});
+var DateRangeSchema = z.object({
+  startDate: z.string().datetime(),
+  endDate: z.string().datetime()
+}).refine((data) => new Date(data.startDate) <= new Date(data.endDate), {
+  message: "Start date must be before end date"
+});
+var SearchQuerySchema = z.object({
+  query: z.string().min(1).max(200).trim(),
+  page: z.coerce.number().int().positive().default(1),
+  limit: z.coerce.number().int().positive().max(50).default(10)
+});
+var LoginSchema = z.object({
+  email: EmailSchema,
+  password: PasswordSchema
+});
+var SignupSchema = z.object({
+  email: EmailSchema,
+  password: PasswordSchema,
+  name: z.string().min(2).max(100).optional()
+});
+// src/auth/feature-flags.ts
+function detectStage() {
+  const stage = process.env.DEPLOYMENT_STAGE;
+  if (stage === "staging" || stage === "preview") return stage;
+  if (process.env.NODE_ENV === "production") return "production";
+  return "development";
+}
+function resolveFlagValue(value) {
+  if (typeof value === "boolean") return value;
+  const envValue = process.env[value.envVar];
+  if (envValue === void 0 || envValue === "") {
+    return value.default ?? false;
+  }
+  return envValue === "true" || envValue === "1";
+}
+function createFeatureFlags(definitions) {
+  return {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage) {
+      const currentStage = stage ?? detectStage();
+      const resolved = {};
+      for (const [key, def] of Object.entries(definitions)) {
+        const stageKey = currentStage === "preview" ? "staging" : currentStage;
+        resolved[key] = resolveFlagValue(def[stageKey]);
+      }
+      return resolved;
+    },
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag, stage) {
+      const currentStage = stage ?? detectStage();
+      const def = definitions[flag];
+      const stageKey = currentStage === "preview" ? "staging" : currentStage;
+      return resolveFlagValue(def[stageKey]);
+    },
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions
+  };
+}
+function buildAllowlist(config) {
+  const fromEnv = config.envVar ? process.env[config.envVar]?.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean) ?? [] : [];
+  const fallback = config.fallback?.map((e) => e.toLowerCase()) ?? [];
+  return [.../* @__PURE__ */ new Set([...fromEnv, ...fallback])];
+}
+function isAllowlisted(email, allowlist) {
+  return allowlist.includes(email.toLowerCase());
+}
+// src/auth/rate-limiter.ts
+var CommonRateLimits = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin actions: 100/min */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** Auth attempts: 10/15min with 30min block */
+  authAttempt: {
+    limit: 10,
+    windowSeconds: 900,
+    blockDurationSeconds: 1800
+  },
+  /** AI/expensive requests: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Public form submissions: 5/hour with 1hr block */
+  publicForm: {
+    limit: 5,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function createMemoryRateLimitStore() {
+  const windows = /* @__PURE__ */ new Map();
+  const blocks = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of windows) {
+      if (entry.expiresAt < now) windows.delete(key);
+    }
+    for (const [key, expiry] of blocks) {
+      if (expiry < now) blocks.delete(key);
+    }
+  }, 60 * 1e3);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    async increment(key, windowMs, now) {
+      const windowStart = now - windowMs;
+      let entry = windows.get(key);
+      if (!entry) {
+        entry = { timestamps: [], expiresAt: now + windowMs + 6e4 };
+        windows.set(key, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+      entry.timestamps.push(now);
+      entry.expiresAt = now + windowMs + 6e4;
+      return { count: entry.timestamps.length };
+    },
+    async isBlocked(key) {
+      const expiry = blocks.get(key);
+      if (!expiry || expiry < Date.now()) {
+        blocks.delete(key);
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: expiry - Date.now() };
+    },
+    async setBlock(key, durationSeconds) {
+      blocks.set(key, Date.now() + durationSeconds * 1e3);
+    },
+    async reset(key) {
+      windows.delete(key);
+      blocks.delete(`block:${key}`);
+      blocks.delete(key);
+    }
+  };
+}
+var defaultStore;
+function getDefaultStore() {
+  if (!defaultStore) {
+    defaultStore = createMemoryRateLimitStore();
+  }
+  return defaultStore;
+}
+async function checkRateLimit(operation, identifier, rule, options = {}) {
+  const store = options.store ?? getDefaultStore();
+  const limit = options.isAuthenticated && rule.authenticatedLimit ? rule.authenticatedLimit : rule.limit;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  const resetAt = now + windowMs;
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  try {
+    if (rule.blockDurationSeconds) {
+      const blockStatus = await store.isBlocked(blockKey);
+      if (blockStatus.blocked) {
+        return {
+          allowed: false,
+          remaining: 0,
+          resetAt: now + blockStatus.ttlMs,
+          current: limit + 1,
+          limit,
+          retryAfterSeconds: Math.ceil(blockStatus.ttlMs / 1e3)
+        };
+      }
+    }
+    const { count } = await store.increment(key, windowMs, now);
+    if (count > limit) {
+      options.logger?.warn("Rate limit exceeded", {
+        operation,
+        identifier,
+        current: count,
+        limit
+      });
+      if (rule.blockDurationSeconds) {
+        await store.setBlock(blockKey, rule.blockDurationSeconds);
+      }
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        current: count,
+        limit,
+        retryAfterSeconds: Math.ceil(windowMs / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: limit - count,
+      resetAt,
+      current: count,
+      limit,
+      retryAfterSeconds: 0
+    };
+  } catch (error) {
+    options.logger?.error("Rate limit check failed, allowing request", {
+      error: error instanceof Error ? error.message : String(error),
+      operation,
+      identifier
+    });
+    return {
+      allowed: true,
+      remaining: limit,
+      resetAt,
+      current: 0,
+      limit,
+      retryAfterSeconds: 0
+    };
+  }
+}
+async function getRateLimitStatus(operation, identifier, rule, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  try {
+    const { count } = await s.increment(key, windowMs, now);
+    return {
+      allowed: count <= rule.limit,
+      remaining: Math.max(0, rule.limit - count),
+      resetAt: now + windowMs,
+      current: count,
+      limit: rule.limit,
+      retryAfterSeconds: count > rule.limit ? Math.ceil(windowMs / 1e3) : 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function resetRateLimitForKey(operation, identifier, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  await s.reset(key);
+  await s.reset(blockKey);
+}
+function buildRateLimitResponseHeaders(result) {
+  const headers = {
+    "X-RateLimit-Limit": String(result.limit),
+    "X-RateLimit-Remaining": String(result.remaining),
+    "X-RateLimit-Reset": String(Math.ceil(result.resetAt / 1e3))
+  };
+  if (!result.allowed) {
+    headers["Retry-After"] = String(result.retryAfterSeconds);
+  }
+  return headers;
+}
+function resolveIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
+}
+// src/auth/audit.ts
+var StandardAuditActions = {
+  // Authentication
+  LOGIN_SUCCESS: "auth.login.success",
+  LOGIN_FAILURE: "auth.login.failure",
+  LOGOUT: "auth.logout",
+  SESSION_REFRESH: "auth.session.refresh",
+  PASSWORD_CHANGE: "auth.password.change",
+  PASSWORD_RESET: "auth.password.reset",
+  // Billing
+  CHECKOUT_START: "billing.checkout.start",
+  CHECKOUT_COMPLETE: "billing.checkout.complete",
+  SUBSCRIPTION_CREATE: "billing.subscription.create",
+  SUBSCRIPTION_CANCEL: "billing.subscription.cancel",
+  SUBSCRIPTION_UPDATE: "billing.subscription.update",
+  PAYMENT_FAILED: "billing.payment.failed",
+  // Admin
+  ADMIN_LOGIN: "admin.login",
+  ADMIN_USER_VIEW: "admin.user.view",
+  ADMIN_USER_UPDATE: "admin.user.update",
+  ADMIN_CONFIG_CHANGE: "admin.config.change",
+  // Security Events
+  RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded",
+  INVALID_INPUT: "security.input.invalid",
+  UNAUTHORIZED_ACCESS: "security.access.unauthorized",
+  OWNERSHIP_VIOLATION: "security.ownership.violation",
+  WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid",
+  // Data
+  DATA_EXPORT: "data.export",
+  DATA_DELETE: "data.delete",
+  DATA_UPDATE: "data.update"
+};
+function extractAuditIp(request) {
+  if (!request) return void 0;
+  const headers = [
+    "cf-connecting-ip",
+    // Cloudflare
+    "x-real-ip",
+    // Nginx
+    "x-forwarded-for",
+    // Standard proxy
+    "x-client-ip"
+    // Apache
+  ];
+  for (const header of headers) {
+    const value = request.headers.get(header);
+    if (value) {
+      return value.split(",")[0]?.trim();
+    }
+  }
+  return void 0;
+}
+function extractAuditUserAgent(request) {
+  return request?.headers.get("user-agent") ?? void 0;
+}
+function extractAuditRequestId(request) {
+  return request?.headers.get("x-request-id") ?? crypto.randomUUID();
+}
+function createAuditActor(session) {
+  if (!session?.user) {
+    return { id: "anonymous", type: "anonymous" };
+  }
+  return {
+    id: session.user.id ?? session.user.email ?? "unknown",
+    email: session.user.email ?? void 0,
+    type: "user"
+  };
+}
+var defaultLogger = {
+  info: (msg, meta) => console.log(msg, meta ? JSON.stringify(meta) : ""),
+  warn: (msg, meta) => console.warn(msg, meta ? JSON.stringify(meta) : ""),
+  error: (msg, meta) => console.error(msg, meta ? JSON.stringify(meta) : "")
+};
+function createAuditLogger(options = {}) {
+  const { persist, logger = defaultLogger } = options;
+  async function log(event, request) {
+    const record = {
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ip: extractAuditIp(request),
+      userAgent: extractAuditUserAgent(request),
+      requestId: extractAuditRequestId(request),
+      ...event
+    };
+    const logFn = event.outcome === "failure" || event.outcome === "blocked" ? logger.warn : logger.info;
+    logFn(`[AUDIT] ${event.action}`, {
+      auditId: record.id,
+      actor: record.actor,
+      action: record.action,
+      resource: record.resource,
+      outcome: record.outcome,
+      ip: record.ip,
+      metadata: record.metadata,
+      reason: record.reason
+    });
+    if (persist) {
+      try {
+        await persist(record);
+      } catch (error) {
+        logger.error("Failed to persist audit log", {
+          error: error instanceof Error ? error.message : String(error),
+          auditId: record.id
+        });
+      }
+    }
+    return record;
+  }
+  function createTimedAudit(event, request) {
+    const startTime = Date.now();
+    return {
+      success: async (metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "success",
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      failure: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "failure",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      blocked: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "blocked",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      }
+    };
+  }
+  return { log, createTimedAudit };
+}
+export {
+  CommonRateLimits,
+  DateRangeSchema,
+  EmailSchema,
+  KEYCLOAK_DEFAULT_ROLES,
+  LoginSchema,
+  PaginationSchema,
+  PasswordSchema,
+  PersonNameSchema,
+  PhoneSchema,
+  SearchQuerySchema,
+  SignupSchema,
+  SlugSchema,
+  StandardAuditActions,
+  StandardRateLimitPresets,
+  WrapperPresets,
+  buildAllowlist,
+  buildAuthCookies,
+  buildErrorBody,
+  buildKeycloakCallbacks,
+  buildRateLimitHeaders,
+  buildRateLimitResponseHeaders,
+  buildRedirectCallback,
+  buildTokenRefreshParams,
+  checkRateLimit,
+  createAuditActor,
+  createAuditLogger,
+  createFeatureFlags,
+  createMemoryRateLimitStore,
+  createSafeTextSchema,
+  detectStage,
+  extractAuditIp,
+  extractAuditRequestId,
+  extractAuditUserAgent,
+  extractClientIp,
+  getEndSessionEndpoint,
+  getRateLimitStatus,
+  getTokenEndpoint,
+  hasAllRoles,
+  hasAnyRole,
+  hasRole,
+  isAllowlisted,
+  isTokenExpired,
+  parseKeycloakRoles,
+  refreshKeycloakToken,
+  resetRateLimitForKey,
+  resolveIdentifier,
+  resolveRateLimitIdentifier
+};
+//# sourceMappingURL=auth.mjs.map