@electr0zed/auth-gateway-cf 0.1.0

package/dist/stores/postgres.js

@@ -0,0 +1,231 @@
+import { Pool } from 'pg';
+import { Kysely, PostgresDialect } from 'kysely';
+export class PostgresUserStore {
+    pool;
+    db;
+    constructor(hyperdrive) {
+        this.pool = new Pool({
+            connectionString: hyperdrive.connectionString,
+            max: 5, // keep small in Workers
+        });
+        this.db = new Kysely({
+            dialect: new PostgresDialect({ pool: this.pool }),
+        });
+    }
+    async findUserIdByIdentity(issuer, subject) {
+        const row = await this.db
+            .selectFrom('user_identities as ui')
+            .innerJoin('users as u', 'u.id', 'ui.user_id')
+            .select(['u.id'])
+            .where('ui.issuer', '=', issuer)
+            .where('ui.subject', '=', subject)
+            .executeTakeFirst();
+        return row?.id ?? null;
+        // (Optional) .execute() returns array; .executeTakeFirst() returns a single row or undefined.
+    }
+    async findUserIdByEmail(email) {
+        const row = await this.db.selectFrom('users').select('id').where('email', '=', email).executeTakeFirst();
+        return row?.id ?? null;
+    }
+    async createUserWithIdentity(email, identity, generateUsernameFunc) {
+        return this.db.transaction().execute(async (trx) => {
+            if (await this.checkEmailExists(email)) {
+                throw new Error('email_in_use');
+            }
+            let username = null;
+            if (generateUsernameFunc) {
+                let attempts = 0;
+                while (attempts < 5) {
+                    const generated = generateUsernameFunc(email);
+                    if (!(await this.checkUsernameExists(generated))) {
+                        username = generated;
+                        break;
+                    }
+                    attempts++;
+                }
+                if (!username) {
+                    throw new Error('username_generation_failed');
+                }
+            }
+            // 1) Create-or-detect user by email
+            const insertedUser = await this.createUser(trx, email, username);
+            const userId = insertedUser?.id;
+            if (!userId) {
+                throw new Error('account_exists');
+            }
+            // 2) Bind identity. If (issuer, subject) owned by another user, fail.
+            const insertedIdentity = await trx
+                .insertInto('user_identities')
+                .values({
+                user_id: userId,
+                provider: identity.provider,
+                issuer: identity.issuer,
+                subject: identity.subject,
+            })
+                .onConflict((oc) => oc.columns(['issuer', 'subject']).doNothing())
+                .returning(['user_id'])
+                .executeTakeFirst();
+            if (!insertedIdentity) {
+                // Conflict → check owner
+                const owner = await trx
+                    .selectFrom('user_identities')
+                    .select(['user_id'])
+                    .where('issuer', '=', identity.issuer)
+                    .where('subject', '=', identity.subject)
+                    .executeTakeFirst();
+                if (owner?.user_id && owner.user_id !== userId) {
+                    throw new Error('account_exists');
+                }
+                // else already linked to this user → idempotent
+            }
+            // 3) Create user_states row
+            await this.createUserStates(trx, userId);
+            return userId;
+        });
+    }
+    async addIdentityToUser(userId, identity) {
+        const res = await this.db
+            .insertInto('user_identities')
+            .values({
+            user_id: userId,
+            provider: identity.provider,
+            issuer: identity.issuer,
+            subject: identity.subject,
+        })
+            .onConflict((oc) => oc.columns(['issuer', 'subject']).doNothing())
+            .returning(['user_id'])
+            .executeTakeFirst();
+        if (!res) {
+            // Conflict → figure out owner
+            const owner = await this.db
+                .selectFrom('user_identities')
+                .select(['user_id'])
+                .where('issuer', '=', identity.issuer)
+                .where('subject', '=', identity.subject)
+                .executeTakeFirst();
+            if (owner?.user_id && owner.user_id !== userId) {
+                throw new Error('identity_taken');
+            }
+            // already linked to same user → no-op
+        }
+    }
+    async getUserRoles(userId) {
+        const row = await this.db.selectFrom('users').select('system_roles').where('id', '=', userId).executeTakeFirst();
+        return row?.system_roles ?? [];
+    }
+    async getUserStates(userId) {
+        const row = await this.db.selectFrom('user_states').selectAll().where('user_id', '=', userId).executeTakeFirst();
+        return row || null;
+    }
+    async createUser(trx, email, username = null) {
+        try {
+            return await trx
+                .insertInto('users')
+                .values({ email, username })
+                .onConflict((oc) => oc.column('email').doNothing())
+                .returning(['id'])
+                .executeTakeFirst();
+        }
+        catch (err) {
+            // Normalize unique-constraint violations so callers can distinguish causes.
+            // Postgres uses SQLSTATE '23505' for unique_violation errors.
+            if (err && typeof err === 'object' && 'code' in err && err.code === '23505') {
+                const constraint = 'constraint' in err ? err.constraint : undefined;
+                if (typeof constraint === 'string') {
+                    if (constraint.includes('email')) {
+                        throw new Error('email_in_use');
+                    }
+                    if (constraint.includes('username')) {
+                        throw new Error('username_in_use');
+                    }
+                }
+            }
+            throw err;
+        }
+    }
+    async createUserStates(trx, userId) {
+        await trx
+            .insertInto('user_states')
+            .values({
+            user_id: userId,
+            is_disabled: false,
+            disabled_at: null,
+            disabled_by: null,
+            is_approved: false,
+            approved_at: null,
+            approved_by: null,
+            is_email_verified: false,
+            email_verified_at: null,
+            email_verification_token_hash: null,
+            created_at: new Date(),
+            updated_at: new Date(),
+        })
+            .execute();
+    }
+    async createUserWithPassword(email, passwordHash, username = null) {
+        return this.db.transaction().execute(async (trx) => {
+            if (await this.checkEmailExists(email)) {
+                throw new Error('email_in_use');
+            }
+            if (username && (await this.checkUsernameExists(username))) {
+                throw new Error('username_in_use');
+            }
+            // Create user (email unique). If it already exists -> account_exists
+            const insertedUser = await this.createUser(trx, email, username);
+            const userId = insertedUser?.id;
+            if (!userId) {
+                throw new Error('account_exists');
+            }
+            // Set password
+            await trx
+                .insertInto('user_passwords')
+                .values({
+                user_id: userId,
+                password_hash: passwordHash,
+            })
+                .execute();
+            // Create user_states row
+            await this.createUserStates(trx, userId);
+            return userId;
+        });
+    }
+    async getUserIdByEmailForPassword(email) {
+        const row = await this.db
+            .selectFrom('users as u')
+            .innerJoin('user_passwords as up', 'up.user_id', 'u.id')
+            .select(['u.id as userId', 'up.password_hash as passwordHash'])
+            .where('u.email', '=', email)
+            .executeTakeFirst();
+        return row ?? null;
+    }
+    async getPasswordHashByUserId(userId) {
+        const row = await this.db.selectFrom('user_passwords').select(['password_hash']).where('user_id', '=', userId).executeTakeFirst();
+        return row?.password_hash ?? null;
+    }
+    async setPasswordHash(userId, passwordHash) {
+        await this.db
+            .insertInto('user_passwords')
+            .values({
+            user_id: userId,
+            password_hash: passwordHash,
+        })
+            .onConflict((oc) => oc.column('user_id').doUpdateSet({
+            password_hash: passwordHash,
+            updated_at: new Date(),
+        }))
+            .execute();
+    }
+    async checkUsernameExists(username) {
+        const row = await this.db.selectFrom('users').select('id').where('username', '=', username).executeTakeFirst();
+        return !!row;
+    }
+    async checkEmailExists(email) {
+        const row = await this.db.selectFrom('users').select('id').where('email', '=', email).executeTakeFirst();
+        return !!row;
+    }
+    async destroy() {
+        await this.db.destroy();
+        await this.pool.end();
+    }
+}
+//# sourceMappingURL=postgres.js.map

package/dist/stores/postgres.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres.js","sourceRoot":"","sources":["../../src/stores/postgres.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC1B,OAAO,EAAE,MAAM,EAAE,eAAe,EAAoC,MAAM,QAAQ,CAAC;AA+CnF,MAAM,OAAO,iBAAiB;IACrB,IAAI,CAAO;IACX,EAAE,CAAa;IAEvB,YAAY,UAAsB;QACjC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC;YACpB,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;YAC7C,GAAG,EAAE,CAAC,EAAE,wBAAwB;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,GAAG,IAAI,MAAM,CAAK;YACxB,OAAO,EAAE,IAAI,eAAe,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;SACjD,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,MAAc,EAAE,OAAe;QACzD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE;aACvB,UAAU,CAAC,uBAAuB,CAAC;aACnC,SAAS,CAAC,YAAY,EAAE,MAAM,EAAE,YAAY,CAAC;aAC7C,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC;aAChB,KAAK,CAAC,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC;aAC/B,KAAK,CAAC,YAAY,EAAE,GAAG,EAAE,OAAO,CAAC;aACjC,gBAAgB,EAAE,CAAC;QAErB,OAAO,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC;QACvB,8FAA8F;IAC/F,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACpC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAEzG,OAAO,GAAG,EAAE,EAAE,IAAI,IAAI,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,sBAAsB,CAC3B,KAAa,EACb,QAA+D,EAC/D,oBAAgD;QAEhD,OAAO,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClD,IAAI,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;YACjC,CAAC;YACD,IAAI,QAAQ,GAAkB,IAAI,CAAC;YACnC,IAAI,oBAAoB,EAAE,CAAC;gBAC1B,IAAI,QAAQ,GAAG,CAAC,CAAC;gBACjB,OAAO,QAAQ,GAAG,CAAC,EAAE,CAAC;oBACrB,MAAM,SAAS,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;oBAC9C,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;wBAClD,QAAQ,GAAG,SAAS,CAAC;wBACrB,MAAM;oBACP,CAAC;oBACD,QAAQ,EAAE,CAAC;gBACZ,CAAC;gBACD,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACf,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;gBAC/C,CAAC;YACF,CAAC;YACD,oCAAoC;YACpC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;YAEjE,MAAM,MAAM,GAAG,YAAY,EAAE,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACnC,CAAC;YAED,sEAAsE;YACtE,MAAM,gBAAgB,GAAG,MAAM,GAAG;iBAChC,UAAU,CAAC,iBAAiB,CAAC;iBAC7B,MAAM,CAAC;gBACP,OAAO,EAAE,MAAM;gBACf,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;aACzB,CAAC;iBACD,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;iBACjE,SAAS,CAAC,CAAC,SAAS,CAAC,CAAC;iBACtB,gBAAgB,EAAE,CAAC;YAErB,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACvB,yBAAyB;gBACzB,MAAM,KAAK,GAAG,MAAM,GAAG;qBACrB,UAAU,CAAC,iBAAiB,CAAC;qBAC7B,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC;qBACnB,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC;qBACrC,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC;qBACvC,gBAAgB,EAAE,CAAC;gBAErB,IAAI,KAAK,EAAE,OAAO,IAAI,KAAK,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;oBAChD,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;gBACnC,CAAC;gBACD,gDAAgD;YACjD,CAAC;YAED,4BAA4B;YAC5B,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAEzC,OAAO,MAAM,CAAC;QACf,CAAC,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,MAAc,EAAE,QAA+D;QACtG,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE;aACvB,UAAU,CAAC,iBAAiB,CAAC;aAC7B,MAAM,CAAC;YACP,OAAO,EAAE,MAAM;YACf,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,QAAQ,CAAC,OAAO;SACzB,CAAC;aACD,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;aACjE,SAAS,CAAC,CAAC,SAAS,CAAC,CAAC;aACtB,gBAAgB,EAAE,CAAC;QAErB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,8BAA8B;YAC9B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,EAAE;iBACzB,UAAU,CAAC,iBAAiB,CAAC;iBAC7B,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC;iBACnB,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE,QAAQ,CAAC,MAAM,CAAC;iBACrC,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC;iBACvC,gBAAgB,EAAE,CAAC;YAErB,IAAI,KAAK,EAAE,OAAO,IAAI,KAAK,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;gBAChD,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACnC,CAAC;YACD,sCAAsC;QACvC,CAAC;IACF,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,MAAc;QAChC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAEjH,OAAO,GAAG,EAAE,YAAY,IAAI,EAAE,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,MAAc;QACjC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAEjH,OAAO,GAAG,IAAI,IAAI,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAoB,EAAE,KAAa,EAAE,WAA0B,IAAI;QACnF,IAAI,CAAC;YACJ,OAAO,MAAM,GAAG;iBACd,UAAU,CAAC,OAAO,CAAC;iBACnB,MAAM,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;iBAC3B,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,EAAE,CAAC;iBAClD,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC;iBACjB,gBAAgB,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACvB,4EAA4E;YAC5E,8DAA8D;YAC9D,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAK,GAAwB,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACnG,MAAM,UAAU,GAAY,YAAY,IAAI,GAAG,CAAC,CAAC,CAAE,GAA8B,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;gBACzG,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;oBACpC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBAClC,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;oBACjC,CAAC;oBACD,IAAI,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;wBACrC,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;oBACpC,CAAC;gBACF,CAAC;YACF,CAAC;YACD,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,GAAoB,EAAE,MAAc;QAC1D,MAAM,GAAG;aACP,UAAU,CAAC,aAAa,CAAC;aACzB,MAAM,CAAC;YACP,OAAO,EAAE,MAAM;YAEf,WAAW,EAAE,KAAK;YAClB,WAAW,EAAE,IAAI;YACjB,WAAW,EAAE,IAAI;YAEjB,WAAW,EAAE,KAAK;YAClB,WAAW,EAAE,IAAI;YACjB,WAAW,EAAE,IAAI;YAEjB,iBAAiB,EAAE,KAAK;YACxB,iBAAiB,EAAE,IAAI;YACvB,6BAA6B,EAAE,IAAI;YAEnC,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,UAAU,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;aACD,OAAO,EAAE,CAAC;IACb,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,KAAa,EAAE,YAAoB,EAAE,WAA0B,IAAI;QAC/F,OAAO,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YAClD,IAAI,MAAM,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;YACjC,CAAC;YACD,IAAI,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;YACpC,CAAC;YAED,qEAAqE;YACrE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG,YAAY,EAAE,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACnC,CAAC;YAED,eAAe;YACf,MAAM,GAAG;iBACP,UAAU,CAAC,gBAAgB,CAAC;iBAC5B,MAAM,CAAC;gBACP,OAAO,EAAE,MAAM;gBACf,aAAa,EAAE,YAAY;aAC3B,CAAC;iBACD,OAAO,EAAE,CAAC;YAEZ,yBAAyB;YACzB,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAEzC,OAAO,MAAM,CAAC;QACf,CAAC,CAAC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,2BAA2B,CAAC,KAAa;QAC9C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE;aACvB,UAAU,CAAC,YAAY,CAAC;aACxB,SAAS,CAAC,sBAAsB,EAAE,YAAY,EAAE,MAAM,CAAC;aACvD,MAAM,CAAC,CAAC,gBAAgB,EAAE,kCAAkC,CAAC,CAAC;aAC9D,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,CAAC;aAC5B,gBAAgB,EAAE,CAAC;QAErB,OAAO,GAAG,IAAI,IAAI,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,MAAc;QAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAElI,OAAO,GAAG,EAAE,aAAa,IAAI,IAAI,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,MAAc,EAAE,YAAoB;QACzD,MAAM,IAAI,CAAC,EAAE;aACX,UAAU,CAAC,gBAAgB,CAAC;aAC5B,MAAM,CAAC;YACP,OAAO,EAAE,MAAM;YACf,aAAa,EAAE,YAAY;SAC3B,CAAC;aACD,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,CAClB,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC;YAChC,aAAa,EAAE,YAAY;YAC3B,UAAU,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC,CACF;aACA,OAAO,EAAE,CAAC;IACb,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,QAAgB;QACzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,UAAU,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAC/G,OAAO,CAAC,CAAC,GAAG,CAAC;IACd,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,KAAa;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACzG,OAAO,CAAC,CAAC,GAAG,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO;QACZ,MAAM,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,CAAC;CACD"}

package/dist/types.d.ts

@@ -0,0 +1,247 @@
+import type { DB } from './stores/postgres';
+export type RouteMatch = {
+    path: string | RegExp;
+    host?: string | RegExp;
+    methods?: string[];
+};
+export type RouteRule = {
+    name?: string;
+    match: RouteMatch | RouteMatch[];
+    auth: 'required' | 'none';
+    requireRolesAny?: string[];
+    requireRolesAll?: string[];
+    bypassAuthForStaticAssets?: boolean;
+    unauthenticatedRedirectUrl?: string;
+    service: Fetcher;
+};
+export type LoginProviderId = 'google';
+export type ProviderConfig = {
+    id: LoginProviderId;
+    enabled: boolean;
+    label?: string;
+    clientId: string;
+    clientSecretEnv?: string;
+    issuer?: string;
+    authUrl?: string;
+    tokenUrl?: string;
+    userInfoUrl?: string;
+    scope?: string;
+    tenant?: string;
+    b2cPolicy?: string;
+};
+/** What each provider must extract from its claims. */
+export type NormalizedClaims = {
+    email: string;
+    subject: string;
+};
+export type ClaimsMode = 'id_token' | 'userinfo';
+/** Static wiring for a provider (URLs & defaults). */
+export type ProviderStatic = {
+    id: LoginProviderId;
+    authorizeEndpoint: string;
+    tokenEndpoint: string;
+    defaultIssuer: string;
+    defaultScope?: string;
+    userInfoEndpoint?: string;
+    claimsMode: ClaimsMode;
+};
+/** Provider-normalized identity output (minimal) */
+export type ProviderIdentity = {
+    email: string;
+    provider: LoginProviderId;
+    issuer: string;
+    subject: string;
+};
+export type SystemRole = string;
+export type SessionStrategyCfg = {
+    kind: 'jwt';
+    cookieName?: string;
+    expMinutes?: number;
+    jwtSecretEnv: string;
+} | {
+    kind: 'durableObject';
+    cookieName?: string;
+    doName: DurableObjectNamespace<import('./index').SessionDO>;
+    jwtSecretEnv: string;
+    idleTtlSec?: number;
+    absoluteTtlSec?: number;
+    issuer?: string;
+    audience?: string;
+};
+/** Minimal persistent session payload */
+export interface StoredSession {
+    userId: string;
+    email: string;
+    systemRoles: SystemRole[];
+    createdAt: number;
+    updatedAt: number;
+}
+export type Session = {
+    userId: string;
+    email: string;
+    systemRoles: SystemRole[];
+};
+export interface SessionStrategy {
+    resolve(request: Request, env: Env): Promise<{
+        session: Session | null;
+        accessJwt?: string;
+    }>;
+    issue?(session: Session, env: Env): Promise<{
+        cookie?: string;
+        accessJwt?: string;
+    }>;
+    clear?(request: Request, env: Env): Promise<{
+        cookie: string;
+    }>;
+}
+export type OAuthCfg = {
+    enabled: true;
+    providers: ProviderConfig[];
+    defaultProvider: LoginProviderId;
+    successRedirectUrl: string;
+    failureRedirectUrl: string;
+} | {
+    enabled: false;
+};
+export type PasswordPolicy = {
+    minLength: number;
+    requireUppercase?: boolean;
+    requireLowercase?: boolean;
+    requireNumber?: boolean;
+    requireSymbol?: boolean;
+};
+export type TurnstileCfg = {
+    enabled: true;
+    /**
+     * Env var that contains the Turnstile secret key.
+     * (Configurable like your other secrets)
+     */
+    secretEnv: string;
+    /**
+     * JSON field name that carries the token.
+     * Default: "turnstileToken"
+     */
+    tokenField?: string;
+} | {
+    enabled: false;
+};
+export type PasswordAuthCfg = {
+    enabled: true;
+    /**
+     * Env var that contains comma-separated peppers (newest first).
+     * Example value: "pepper_v2,pepper_v1"
+     */
+    pepperEnv: string;
+    policy?: PasswordPolicy;
+    allowSignup: boolean;
+    turnstile?: TurnstileCfg;
+} | {
+    enabled: false;
+};
+export type ConfigOverrides = {
+    staticAssetRegex?: RegExp;
+    globalUnauthenticatedRedirectUrl?: string;
+    accountApproval?: {
+        enabled: boolean;
+    };
+    emailVerification?: {
+        enabled: true;
+        requiredForLogin: boolean;
+    } | {
+        enabled: false;
+    };
+    autoLoginAfterSignup?: boolean;
+    captureUsername?: {
+        enabled: true;
+        required: true;
+        generateFunction?: (email: string) => string;
+        minLength?: number;
+    } | {
+        enabled: true;
+        required: false;
+        minLength?: number;
+    } | {
+        enabled: false;
+    };
+};
+export type PropagationCfg = {
+    headerName?: string;
+    sigHeaderName?: string;
+    hmacSecretEnv: string;
+};
+type StoreBackend = {
+    kind: 'postgres';
+    hyperdrive: Hyperdrive;
+};
+export type UserStoreCfg = StoreBackend & {
+    shortStateKV: KVNamespace;
+};
+export type ProjectConfig = {
+    projectName: string;
+    publicBaseUrl: string;
+    routes: RouteRule[];
+    session: SessionStrategyCfg;
+    propagation: PropagationCfg;
+    userStore: UserStoreCfg;
+    oAuth: OAuthCfg;
+    passwordAuth: PasswordAuthCfg;
+    overrides?: ConfigOverrides;
+};
+export interface UserCore {
+    id: string;
+    email: string;
+    systemRoles: SystemRole[];
+}
+export interface UserStore {
+    findUserIdByIdentity(issuer: string, subject: string): Promise<string | null>;
+    findUserIdByEmail(emailLower: string): Promise<string | null>;
+    createUserWithIdentity(emailLower: string, identity: {
+        provider: string;
+        issuer: string;
+        subject: string;
+    }, generateUsernameFunc?: (email: string) => string): Promise<string>;
+    addIdentityToUser(userId: string, identity: {
+        provider: string;
+        issuer: string;
+        subject: string;
+    }): Promise<void>;
+    getUserRoles(userId: string): Promise<SystemRole[]>;
+    getUserStates(userId: string): Promise<DB['user_states'] | null>;
+    createUserWithPassword(emailLower: string, passwordHash: string, username?: string | null): Promise<string>;
+    getPasswordHashByUserId(userId: string): Promise<string | null>;
+    getUserIdByEmailForPassword(emailLower: string): Promise<{
+        userId: string;
+        passwordHash: string;
+    } | null>;
+    setPasswordHash(userId: string, passwordHash: string): Promise<void>;
+}
+export type StateMode = 'login' | 'link';
+export type StateInfo = {
+    mode: StateMode;
+    returnTo?: string;
+    provider?: string;
+};
+export type StoredPkce = {
+    v: string;
+    i: StateInfo;
+};
+export type TokenResponse = {
+    access_token?: string;
+    id_token?: string;
+    refresh_token?: string;
+    token_type?: string;
+    expires_in?: number;
+    [key: string]: unknown;
+};
+declare global {
+    interface Env {
+        [key: string]: string | undefined;
+    }
+}
+export type JwtPrimitive = string | number | boolean | null;
+export type JwtValue = JwtPrimitive | JwtValue[] | {
+    [key: string]: JwtValue;
+};
+export type JwtPayload = Record<string, JwtValue>;
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,mBAAmB,CAAC;AAE5C,MAAM,MAAM,UAAU,GAAG;IACxB,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,UAAU,GAAG,UAAU,EAAE,CAAC;IACjC,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,OAAO,EAAE,OAAO,CAAC;CACjB,CAAC;AAMF,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC;AAEvC,MAAM,MAAM,cAAc,GAAG;IAC5B,EAAE,EAAE,eAAe,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAMF,uDAAuD;AACvD,MAAM,MAAM,gBAAgB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG,UAAU,GAAG,UAAU,CAAC;AAEjD,sDAAsD;AACtD,MAAM,MAAM,cAAc,GAAG;IAC5B,EAAE,EAAE,eAAe,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,UAAU,CAAC;CACvB,CAAC;AAEF,oDAAoD;AACpD,MAAM,MAAM,gBAAgB,GAAG;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CAChB,CAAC;AAMF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAMhC,MAAM,MAAM,kBAAkB,GAC3B;IACA,IAAI,EAAE,KAAK,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACpB,GACD;IACA,IAAI,EAAE,eAAe,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,sBAAsB,CAAC,OAAO,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5D,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEL,yCAAyC;AACzC,MAAM,WAAW,aAAa;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,MAAM,OAAO,GAAG;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,UAAU,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,WAAW,eAAe;IAC/B,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9F,KAAK,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACrF,KAAK,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChE;AAMD,MAAM,MAAM,QAAQ,GACjB;IACA,OAAO,EAAE,IAAI,CAAC;IACd,SAAS,EAAE,cAAc,EAAE,CAAC;IAC5B,eAAe,EAAE,eAAe,CAAC;IACjC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;CAC1B,GACD;IAAE,OAAO,EAAE,KAAK,CAAA;CAAE,CAAC;AAEtB,MAAM,MAAM,cAAc,GAAG;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,YAAY,GACrB;IACA,OAAO,EAAE,IAAI,CAAC;IAEd;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACnB,GACD;IAAE,OAAO,EAAE,KAAK,CAAA;CAAE,CAAC;AAEtB,MAAM,MAAM,eAAe,GACxB;IACA,OAAO,EAAE,IAAI,CAAC;IAEd;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,WAAW,EAAE,OAAO,CAAC;IAErB,SAAS,CAAC,EAAE,YAAY,CAAC;CACxB,GACD;IAAE,OAAO,EAAE,KAAK,CAAA;CAAE,CAAC;AAMtB,MAAM,MAAM,eAAe,GAAG;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gCAAgC,CAAC,EAAE,MAAM,CAAC;IAE1C,eAAe,CAAC,EAAE;QACjB,OAAO,EAAE,OAAO,CAAC;KACjB,CAAC;IACF,iBAAiB,CAAC,EACf;QACA,OAAO,EAAE,IAAI,CAAC;QACd,gBAAgB,EAAE,OAAO,CAAC;KACzB,GACD;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAC;IAEtB,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,eAAe,CAAC,EACb;QACA,OAAO,EAAE,IAAI,CAAC;QACd,QAAQ,EAAE,IAAI,CAAC;QACf,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;QAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;KAClB,GACD;QACA,OAAO,EAAE,IAAI,CAAC;QACd,QAAQ,EAAE,KAAK,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;KAClB,GACD;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAC;CACtB,CAAC;AAMF,MAAM,MAAM,cAAc,GAAG;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,KAAK,YAAY,GAAG;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CAAC;AAEjE,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG;IACzC,YAAY,EAAE,WAAW,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,SAAS,EAAE,CAAC;IACpB,OAAO,EAAE,kBAAkB,CAAC;IAC5B,WAAW,EAAE,cAAc,CAAC;IAC5B,SAAS,EAAE,YAAY,CAAC;IACxB,KAAK,EAAE,QAAQ,CAAC;IAChB,YAAY,EAAE,eAAe,CAAC;IAC9B,SAAS,CAAC,EAAE,eAAe,CAAC;CAC5B,CAAC;AAMF,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,UAAU,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,SAAS;IACzB,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9E,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9D,sBAAsB,CACrB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,EAC/D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAC9C,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpD,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;IAEjE,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5G,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChE,2BAA2B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC1G,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAMD,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,MAAM,CAAC;AAEzC,MAAM,MAAM,SAAS,GAAG;IACvB,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACxB,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,SAAS,CAAC;CACb,CAAC;AAMF,MAAM,MAAM,aAAa,GAAG;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACvB,CAAC;AAMF,OAAO,CAAC,MAAM,CAAC;IACd,UAAU,GAAG;QACZ,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KAClC;CACD;AAMD,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC;AAE5D,MAAM,MAAM,QAAQ,GAAG,YAAY,GAAG,QAAQ,EAAE,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAAA;CAAE,CAAC;AAE/E,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC"}

package/dist/types.js

@@ -0,0 +1,5 @@
+/* =========================================
+ * Routing / Gateway
+ * =======================================*/
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;4CAE4C"}

package/dist/utils/csrf.d.ts

@@ -0,0 +1,13 @@
+export declare function makeCsrfToken(): string;
+export declare function csrfCookie(token: string): string;
+export declare function sameOrigin(request: Request, publicBaseUrl: string): boolean;
+type Obj = Record<string, unknown>;
+export declare function requireCsrfJson<T extends Obj>(request: Request): Promise<{
+    ok: true;
+    body: T;
+} | {
+    ok: false;
+    code: string;
+}>;
+export {};
+//# sourceMappingURL=csrf.d.ts.map

package/dist/utils/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/utils/csrf.ts"],"names":[],"mappings":"AAKA,wBAAgB,aAAa,IAAI,MAAM,CAKtC;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAS3E;AAED,KAAK,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAOnC,wBAAsB,eAAe,CAAC,CAAC,SAAS,GAAG,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAYnI"}

package/dist/utils/csrf.js

@@ -0,0 +1,42 @@
+// src/utils/csrf.ts
+import { getCookie } from '../sessions';
+import { readJson } from './http';
+export function makeCsrfToken() {
+    const b = crypto.getRandomValues(new Uint8Array(16));
+    return Array.from(b)
+        .map((x) => x.toString(16).padStart(2, '0'))
+        .join('');
+}
+export function csrfCookie(token) {
+    return `__Host-csrf=${token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600; Priority=Medium`;
+}
+export function sameOrigin(request, publicBaseUrl) {
+    const origin = request.headers.get('origin');
+    if (!origin)
+        return false;
+    try {
+        return new URL(origin).origin === new URL(publicBaseUrl).origin;
+    }
+    catch {
+        return false;
+    }
+}
+function getStringField(obj, key) {
+    const v = obj[key];
+    return typeof v === 'string' ? v : null;
+}
+export async function requireCsrfJson(request) {
+    const parsed = await readJson(request);
+    if (!parsed.ok)
+        return parsed;
+    const cookieToken = getCookie(request, '__Host-csrf');
+    if (!cookieToken)
+        return { ok: false, code: 'csrf_missing' };
+    const provided = getStringField(parsed.body, 'csrf');
+    if (!provided || provided.length !== 32)
+        return { ok: false, code: 'csrf_missing' };
+    if (provided !== cookieToken)
+        return { ok: false, code: 'csrf_invalid' };
+    return parsed;
+}
+//# sourceMappingURL=csrf.js.map

package/dist/utils/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/utils/csrf.ts"],"names":[],"mappings":"AAAA,oBAAoB;AAEpB,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAElC,MAAM,UAAU,aAAa;IAC5B,MAAM,CAAC,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACrD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;SAClB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACvC,OAAO,eAAe,KAAK,yEAAyE,CAAC;AACtG,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,OAAgB,EAAE,aAAqB;IACjE,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,IAAI,CAAC;QACJ,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAC;IACd,CAAC;AACF,CAAC;AAID,SAAS,cAAc,CAAC,GAAQ,EAAE,GAAW;IAC5C,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAgB,OAAgB;IACpE,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAI,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,EAAE;QAAE,OAAO,MAAM,CAAC;IAE9B,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACtD,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAE7D,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IACpF,IAAI,QAAQ,KAAK,WAAW;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAEzE,OAAO,MAAM,CAAC;AACf,CAAC"}

package/dist/utils/helpers.d.ts

@@ -0,0 +1,8 @@
+export declare const normEmail: (e: string) => string;
+export declare const validateEmail: (email: string) => boolean;
+export declare const usernameRegex: RegExp;
+export declare const normUsername: (u: string) => string;
+export declare const validateUsername: (username: string) => boolean;
+export declare const STATIC_ASSET_RE: RegExp;
+export declare const generateUsername: (_: string) => string;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/utils/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,SAAS,GAAI,GAAG,MAAM,WAA2B,CAAC;AAE/D,eAAO,MAAM,aAAa,GAAI,OAAO,MAAM,KAAG,OAE7C,CAAC;AAEF,eAAO,MAAM,aAAa,QAAqB,CAAC;AAEhD,eAAO,MAAM,YAAY,GAAI,GAAG,MAAM,WAAa,CAAC;AAEpD,eAAO,MAAM,gBAAgB,GAAI,UAAU,MAAM,KAAG,OAEnD,CAAC;AAEF,eAAO,MAAM,eAAe,QAAoE,CAAC;AAEjG,eAAO,MAAM,gBAAgB,GAAI,GAAG,MAAM,KAAG,MAQ5C,CAAC"}

package/dist/utils/helpers.js

@@ -0,0 +1,22 @@
+import { uniqueNamesGenerator, adjectives, animals } from 'unique-names-generator';
+const emailRegex = /^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$/;
+export const normEmail = (e) => e.trim().toLowerCase();
+export const validateEmail = (email) => {
+    return emailRegex.test(email);
+};
+export const usernameRegex = /^[A-Za-z0-9_-]+$/;
+export const normUsername = (u) => u.trim();
+export const validateUsername = (username) => {
+    return usernameRegex.test(username);
+};
+export const STATIC_ASSET_RE = /\.(?:css|js|mjs|png|jpg|jpeg|gif|webp|svg|ico|woff2?|ttf|otf)$/i;
+export const generateUsername = (_) => {
+    const config = {
+        dictionaries: [adjectives, animals],
+        separator: '-',
+        length: 2,
+        style: 'capital',
+    };
+    return uniqueNamesGenerator(config) + '-' + Math.random().toString(36).substring(2, 6);
+};
+//# sourceMappingURL=helpers.js.map

package/dist/utils/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/utils/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAU,UAAU,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AAE3F,MAAM,UAAU,GACf,sIAAsI,CAAC;AAExI,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AAE/D,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,KAAa,EAAW,EAAE;IACvD,OAAO,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AAEhD,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAEpD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,QAAgB,EAAW,EAAE;IAC7D,OAAO,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,iEAAiE,CAAC;AAEjG,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAS,EAAU,EAAE;IACrD,MAAM,MAAM,GAAW;QACtB,YAAY,EAAE,CAAC,UAAU,EAAE,OAAO,CAAC;QACnC,SAAS,EAAE,GAAG;QACd,MAAM,EAAE,CAAC;QACT,KAAK,EAAE,SAAS;KAChB,CAAC;IACF,OAAO,oBAAoB,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACxF,CAAC,CAAC"}

package/dist/utils/http.d.ts

@@ -0,0 +1,9 @@
+export declare function json(obj: unknown, init?: ResponseInit): Response;
+export declare function readJson<T = unknown>(request: Request): Promise<{
+    ok: true;
+    body: T;
+} | {
+    ok: false;
+    code: string;
+}>;
+//# sourceMappingURL=http.d.ts.map

package/dist/utils/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/utils/http.ts"],"names":[],"mappings":"AAEA,wBAAgB,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,GAAE,YAAiB,GAAG,QAAQ,CAQpE;AAED,wBAAsB,QAAQ,CAAC,CAAC,GAAG,OAAO,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAU1H"}

package/dist/utils/http.js

@@ -0,0 +1,23 @@
+// src/utils/http.ts
+export function json(obj, init = {}) {
+    return new Response(JSON.stringify(obj), {
+        ...init,
+        headers: {
+            ...(init.headers ? Object.fromEntries(new Headers(init.headers)) : {}),
+            'content-type': 'application/json',
+        },
+    });
+}
+export async function readJson(request) {
+    const ct = request.headers.get('content-type') || '';
+    if (!ct.includes('application/json'))
+        return { ok: false, code: 'bad_content_type' };
+    try {
+        const body = (await request.json());
+        return { ok: true, body };
+    }
+    catch {
+        return { ok: false, code: 'bad_json' };
+    }
+}
+//# sourceMappingURL=http.js.map

package/dist/utils/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/utils/http.ts"],"names":[],"mappings":"AAAA,oBAAoB;AAEpB,MAAM,UAAU,IAAI,CAAC,GAAY,EAAE,OAAqB,EAAE;IACzD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE;QACxC,GAAG,IAAI;QACP,OAAO,EAAE;YACR,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,cAAc,EAAE,kBAAkB;SAClC;KACD,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAc,OAAgB;IAC3D,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACrD,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC;IAErF,IAAI,CAAC;QACJ,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAM,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACxC,CAAC;AACF,CAAC"}