@electr0zed/auth-gateway-cf 0.1.0

package/dist/utils/jwt.d.ts

@@ -0,0 +1,22 @@
+import { JwtPayload } from '../types';
+/**
+ * Signs a payload using HMAC with the given secret.
+ *
+ * @export
+ * @async
+ * @param {JwtPayload} payload
+ * @param {string} secret
+ * @returns {Promise<string>}
+ */
+export declare function signJwtHS256(payload: JwtPayload, secret: string): Promise<string>;
+/**
+ * Verifies a JWT signed using HS256.
+ *
+ * @export
+ * @async
+ * @param {string} token
+ * @param {string} secret
+ * @returns {Promise<JwtPayload>}
+ */
+export declare function verifyJwtHS256(token: string, secret: string): Promise<JwtPayload>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/utils/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/utils/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AA+CtC;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAcvF;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CA2BvF"}

package/dist/utils/jwt.js

@@ -0,0 +1,96 @@
+/**
+ * Converts a byte array to a base64url-encoded string.
+ *
+ * @param {Uint8Array} b
+ * @returns {string}
+ */
+function b64urlBytes(b) {
+    return btoa(String.fromCharCode(...b))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+/**
+ * Converts a string to a base64url-encoded string.
+ *
+ * @param {string} s
+ * @returns {string}
+ */
+function b64urlEncodeUtf8(s) {
+    return b64urlBytes(new TextEncoder().encode(s));
+}
+/**
+ * Converts a base64url-encoded string to a byte array.
+ *
+ * @param {string} u
+ * @returns {Uint8Array}
+ */
+function b64urlToBytes(u) {
+    const b64 = u.replace(/-/g, '+').replace(/_/g, '/');
+    const bin = atob(b64);
+    return Uint8Array.from(bin, (c) => c.charCodeAt(0));
+}
+/**
+ * Converts a base64url-encoded string to a byte array.
+ *
+ * @param {string} u
+ * @returns {string}
+ */
+function b64urlDecodeUtf8(u) {
+    return new TextDecoder().decode(b64urlToBytes(u));
+}
+/**
+ * Signs a payload using HMAC with the given secret.
+ *
+ * @export
+ * @async
+ * @param {JwtPayload} payload
+ * @param {string} secret
+ * @returns {Promise<string>}
+ */
+export async function signJwtHS256(payload, secret) {
+    if (!secret) {
+        throw new Error('Missing JWT Secret');
+    }
+    const header = b64urlEncodeUtf8(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+    const body = b64urlEncodeUtf8(JSON.stringify(payload));
+    const enc = new TextEncoder();
+    const key = await crypto.subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const sigBuf = await crypto.subtle.sign('HMAC', key, enc.encode(`${header}.${body}`));
+    const sig = b64urlBytes(new Uint8Array(sigBuf));
+    return `${header}.${body}.${sig}`;
+}
+/**
+ * Verifies a JWT signed using HS256.
+ *
+ * @export
+ * @async
+ * @param {string} token
+ * @param {string} secret
+ * @returns {Promise<JwtPayload>}
+ */
+export async function verifyJwtHS256(token, secret) {
+    if (!secret) {
+        throw new Error('Missing JWT Secret');
+    }
+    const [h, p, s] = token.split('.');
+    if (!h || !p || !s) {
+        throw new Error('bad jwt');
+    }
+    const enc = new TextEncoder();
+    const key = await crypto.subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+    const ok = await crypto.subtle.verify('HMAC', key, b64urlToBytes(s), enc.encode(`${h}.${p}`));
+    if (!ok) {
+        throw new Error('bad sig');
+    }
+    const payload = JSON.parse(b64urlDecodeUtf8(p));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && now >= payload.exp) {
+        throw new Error('expired');
+    }
+    if (payload.nbf && now < payload.nbf) {
+        throw new Error('nbf');
+    }
+    return payload;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/utils/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/utils/jwt.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,SAAS,WAAW,CAAC,CAAa;IACjC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;SACpC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,CAAS;IAClC,OAAO,WAAW,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CAAC,CAAS;IAC/B,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,CAAS;IAClC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAmB,EAAE,MAAc;IACrE,IAAI,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAEzH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;IACtF,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAChD,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAa,EAAE,MAAc;IACjE,IAAI,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE3H,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9F,IAAI,CAAC,EAAE,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,IAAI,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,IAAI,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,OAAO,CAAC;AAChB,CAAC"}

package/dist/utils/passwordPolicy.d.ts

@@ -0,0 +1,9 @@
+import type { PasswordPolicy } from '../types';
+export declare function getPasswordPolicy(cfg?: PasswordPolicy): PasswordPolicy;
+export declare function validatePassword(password: string, policy: PasswordPolicy): {
+    ok: true;
+} | {
+    ok: false;
+    reason: string;
+};
+//# sourceMappingURL=passwordPolicy.d.ts.map

package/dist/utils/passwordPolicy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwordPolicy.d.ts","sourceRoot":"","sources":["../../src/utils/passwordPolicy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAU/C,wBAAgB,iBAAiB,CAAC,GAAG,CAAC,EAAE,cAAc,GAAG,cAAc,CAEtE;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAsBvH"}

package/dist/utils/passwordPolicy.js

@@ -0,0 +1,29 @@
+const DEFAULT_POLICY = {
+    minLength: 12,
+    requireUppercase: true,
+    requireLowercase: true,
+    requireNumber: true,
+    requireSymbol: true,
+};
+export function getPasswordPolicy(cfg) {
+    return { ...DEFAULT_POLICY, ...cfg };
+}
+export function validatePassword(password, policy) {
+    if (password.length < policy.minLength) {
+        return { ok: false, reason: 'too_short' };
+    }
+    if (policy.requireUppercase && !/[A-Z]/.test(password)) {
+        return { ok: false, reason: 'missing_uppercase' };
+    }
+    if (policy.requireLowercase && !/[a-z]/.test(password)) {
+        return { ok: false, reason: 'missing_lowercase' };
+    }
+    if (policy.requireNumber && !/[0-9]/.test(password)) {
+        return { ok: false, reason: 'missing_number' };
+    }
+    if (policy.requireSymbol && !/[!@#$%^&*()_+\-=[\]{};':"\\|,.<>/?]/.test(password)) {
+        return { ok: false, reason: 'missing_symbol' };
+    }
+    return { ok: true };
+}
+//# sourceMappingURL=passwordPolicy.js.map

package/dist/utils/passwordPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwordPolicy.js","sourceRoot":"","sources":["../../src/utils/passwordPolicy.ts"],"names":[],"mappings":"AAEA,MAAM,cAAc,GAAmB;IACtC,SAAS,EAAE,EAAE;IACb,gBAAgB,EAAE,IAAI;IACtB,gBAAgB,EAAE,IAAI;IACtB,aAAa,EAAE,IAAI;IACnB,aAAa,EAAE,IAAI;CACnB,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,GAAoB;IACrD,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,GAAG,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,MAAsB;IACxE,IAAI,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC3C,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,MAAM,CAAC,aAAa,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,MAAM,CAAC,aAAa,IAAI,CAAC,qCAAqC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACrB,CAAC"}

package/dist/utils/passwords.d.ts

@@ -0,0 +1,33 @@
+declare const DEFAULT_PARAMS: {
+    hash: "SHA-256";
+    iter: number;
+    dkLen: number;
+};
+export declare function getFakeStoredHash(): string;
+/**
+ * PASSWORD_PEPPERS format:
+ *	"pepper_v2,pepper_v1" (newest first)
+ */
+export declare function getPeppers(env: Env, pepperEnv?: string): string[];
+/**
+ * Stored format:
+ *	pbkdf2$SHA-256$600000$32$<saltB64u>$<dkB64u>
+ */
+export declare function hashPassword(password: string, options?: {
+    pepper?: string;
+    params?: Partial<typeof DEFAULT_PARAMS>;
+}): Promise<string>;
+export declare function verifyPassword(password: string, stored: string, pepper?: string): Promise<boolean>;
+/**
+ * Verifies using multiple peppers (newest->oldest). Returns which matched.
+ * If no peppers configured, treats as "no pepper".
+ */
+export declare function verifyPasswordWithPepperRotation(password: string, stored: string, peppers: string[]): Promise<{
+    ok: true;
+    usedPepperIndex: number;
+} | {
+    ok: false;
+}>;
+export declare function needsRehash(stored: string, desired?: Partial<typeof DEFAULT_PARAMS>): boolean;
+export {};
+//# sourceMappingURL=passwords.d.ts.map

package/dist/utils/passwords.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwords.d.ts","sourceRoot":"","sources":["../../src/utils/passwords.ts"],"names":[],"mappings":"AAWA,QAAA,MAAM,cAAc;;;;CAInB,CAAC;AAIF,wBAAgB,iBAAiB,IAAI,MAAM,CAY1C;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,GAAE,MAA2B,GAAG,MAAM,EAAE,CAOrF;AAED;;;GAGG;AACH,wBAAsB,YAAY,CACjC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IACT,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC,OAAO,cAAc,CAAC,CAAC;CACxC,GACC,OAAO,CAAC,MAAM,CAAC,CAqBjB;AAED,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOxG;AAED;;;GAGG;AACH,wBAAsB,gCAAgC,CACrD,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EAAE,GACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAA;CAAE,CAAC,CAYhE;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,OAAO,cAAc,CAAC,GAAG,OAAO,CAM7F"}

package/dist/utils/passwords.js

@@ -0,0 +1,139 @@
+// src/utils/passwords.ts
+const DEFAULT_PARAMS = {
+    hash: 'SHA-256',
+    iter: 800_000,
+    dkLen: 32,
+};
+let cachedFake = null;
+export function getFakeStoredHash() {
+    // Best-effort cache per isolate; fine if it resets on cold start.
+    if (cachedFake)
+        return cachedFake;
+    const salt = crypto.getRandomValues(new Uint8Array(32));
+    const dk = crypto.getRandomValues(new Uint8Array(32)); // dkLen must match your DEFAULT_PARAMS.dkLen
+    const saltB64u = b64urlEncodeBytes(salt);
+    const dkB64u = b64urlEncodeBytes(dk);
+    cachedFake = `pbkdf2$SHA-256$800000$32$${saltB64u}$${dkB64u}`;
+    return cachedFake;
+}
+/**
+ * PASSWORD_PEPPERS format:
+ *	"pepper_v2,pepper_v1" (newest first)
+ */
+export function getPeppers(env, pepperEnv = 'PASSWORD_PEPPERS') {
+    const raw = (env[pepperEnv] ?? '').trim();
+    if (!raw)
+        return [];
+    return raw
+        .split(',')
+        .map((s) => s.trim())
+        .filter((s) => s.length > 0);
+}
+/**
+ * Stored format:
+ *	pbkdf2$SHA-256$600000$32$<saltB64u>$<dkB64u>
+ */
+export async function hashPassword(password, options) {
+    const salt = crypto.getRandomValues(new Uint8Array(32));
+    const saltB64u = b64urlEncodeBytes(salt);
+    const params = { ...DEFAULT_PARAMS, ...options?.params };
+    const dk = await deriveKeyBytes(password, {
+        alg: 'pbkdf2',
+        hash: params.hash,
+        iter: params.iter,
+        dkLen: params.dkLen,
+        saltB64u,
+        dkB64u: '',
+    }, options?.pepper);
+    const dkB64u = b64urlEncodeBytes(dk);
+    return `pbkdf2$${params.hash}$${params.iter}$${params.dkLen}$${saltB64u}$${dkB64u}`;
+}
+export async function verifyPassword(password, stored, pepper) {
+    const parsed = parseStored(stored);
+    if (!parsed)
+        return false;
+    const dk = await deriveKeyBytes(password, parsed, pepper);
+    const expected = b64urlDecodeBytes(parsed.dkB64u);
+    return timingSafeEqualBytes(dk, expected);
+}
+/**
+ * Verifies using multiple peppers (newest->oldest). Returns which matched.
+ * If no peppers configured, treats as "no pepper".
+ */
+export async function verifyPasswordWithPepperRotation(password, stored, peppers) {
+    if (!peppers.length) {
+        const ok = await verifyPassword(password, stored, undefined);
+        return ok ? { ok: true, usedPepperIndex: -1 } : { ok: false };
+    }
+    for (let i = 0; i < peppers.length; i++) {
+        if (await verifyPassword(password, stored, peppers[i])) {
+            return { ok: true, usedPepperIndex: i };
+        }
+    }
+    return { ok: false };
+}
+export function needsRehash(stored, desired) {
+    const parsed = parseStored(stored);
+    if (!parsed)
+        return true;
+    const target = { ...DEFAULT_PARAMS, ...desired };
+    return parsed.hash !== target.hash || parsed.iter !== target.iter || parsed.dkLen !== target.dkLen;
+}
+/* ----------------------------- internals ----------------------------- */
+async function deriveKeyBytes(password, parsed, pepper) {
+    const pw = normalizePassword(password, pepper);
+    const pwKey = await crypto.subtle.importKey('raw', new TextEncoder().encode(pw), { name: 'PBKDF2' }, false, ['deriveBits']);
+    const salt = b64urlDecodeBytes(parsed.saltB64u);
+    const bits = await crypto.subtle.deriveBits({
+        name: 'PBKDF2',
+        hash: parsed.hash,
+        salt,
+        iterations: parsed.iter,
+    }, pwKey, parsed.dkLen * 8);
+    return new Uint8Array(bits);
+}
+function normalizePassword(password, pepper) {
+    const p = password.normalize('NFC');
+    return pepper ? `${pepper}\u0000${p}` : p;
+}
+function parseStored(stored) {
+    const parts = stored.split('$');
+    if (parts.length !== 6)
+        return null;
+    const [alg, hash, iterStr, dkLenStr, saltB64u, dkB64u] = parts;
+    if (alg !== 'pbkdf2')
+        return null;
+    if (hash !== 'SHA-256' && hash !== 'SHA-512')
+        return null;
+    const iter = Number(iterStr);
+    const dkLen = Number(dkLenStr);
+    if (!Number.isFinite(iter) || iter <= 0)
+        return null;
+    if (!Number.isFinite(dkLen) || dkLen <= 0)
+        return null;
+    return { alg: 'pbkdf2', hash, iter, dkLen, saltB64u, dkB64u };
+}
+function b64urlEncodeBytes(bytes) {
+    return btoa(String.fromCharCode(...bytes))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+function b64urlDecodeBytes(b64u) {
+    let b64 = b64u.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = b64.length % 4;
+    if (pad)
+        b64 += '='.repeat(4 - pad);
+    const bin = atob(b64);
+    return Uint8Array.from(bin, (c) => c.charCodeAt(0));
+}
+function timingSafeEqualBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let out = 0;
+    for (let i = 0; i < a.length; i++) {
+        out |= a[i] ^ b[i];
+    }
+    return out === 0;
+}
+//# sourceMappingURL=passwords.js.map

package/dist/utils/passwords.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passwords.js","sourceRoot":"","sources":["../../src/utils/passwords.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAWzB,MAAM,cAAc,GAAG;IACtB,IAAI,EAAE,SAAkB;IACxB,IAAI,EAAE,OAAO;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC,MAAM,UAAU,iBAAiB;IAChC,kEAAkE;IAClE,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAElC,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACxD,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,6CAA6C;IAEpG,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;IAErC,UAAU,GAAG,4BAA4B,QAAQ,IAAI,MAAM,EAAE,CAAC;IAC9D,OAAO,UAAU,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,GAAQ,EAAE,YAAoB,kBAAkB;IAC1E,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO,GAAG;SACR,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CACjC,QAAgB,EAChB,OAGC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAEzC,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,CAAC;IAEzD,MAAM,EAAE,GAAG,MAAM,cAAc,CAC9B,QAAQ,EACR;QACC,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,QAAQ;QACR,MAAM,EAAE,EAAE;KACV,EACD,OAAO,EAAE,MAAM,CACf,CAAC;IAEF,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;IACrC,OAAO,UAAU,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,QAAQ,IAAI,MAAM,EAAE,CAAC;AACrF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,MAAc,EAAE,MAAe;IACrF,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,oBAAoB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACrD,QAAgB,EAChB,MAAc,EACd,OAAiB;IAEjB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACrB,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QAC7D,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IAC/D,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,MAAM,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;QACzC,CAAC;IACF,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,OAAwC;IACnF,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,EAAE,CAAC;IACjD,OAAO,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,KAAK,CAAC;AACpG,CAAC;AAED,2EAA2E;AAE3E,KAAK,UAAU,cAAc,CAAC,QAAgB,EAAE,MAAkB,EAAE,MAAe;IAClF,MAAM,EAAE,GAAG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE/C,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAE5H,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEhD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC1C;QACC,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI;QACJ,UAAU,EAAE,MAAM,CAAC,IAAI;KACvB,EACD,KAAK,EACL,MAAM,CAAC,KAAK,GAAG,CAAC,CAChB,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB,EAAE,MAAe;IAC3D,MAAM,CAAC,GAAG,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IAE/D,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAE1D,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC/B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAiB;IAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;SACxC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IACtC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC3B,IAAI,GAAG;QAAE,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;IAEpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACtB,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAa,EAAE,CAAa;IACzD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC;AAClB,CAAC"}

package/dist/utils/propagation.d.ts

@@ -0,0 +1,30 @@
+import type { ProjectConfig, Session } from '../types';
+export type PropagatedUserPayload = {
+    userId: string;
+    email: string;
+    systemRoles: string[];
+    ts: number;
+};
+/**
+ * Attaches a signed user payload to the request headers.
+ */
+export declare function attachSignedUser(headers: Headers, session: Session, cfg: ProjectConfig, env: Env): Promise<void>;
+/**
+ * Removes the user payload from the request headers.
+ */
+export declare function stripUser(headers: Headers, cfg: ProjectConfig): void;
+/**
+ * Encode an object as base64(JSON).
+ * (Used by gateway to create X-User; reused by verifiers to decode.)
+ */
+export declare function encodeJsonToBase64(value: unknown): string;
+/**
+ * Decode base64(JSON) into a JS value.
+ */
+export declare function decodeJsonFromBase64<T = unknown>(payloadB64: string): T;
+/**
+ * Signs a payload using HMAC with the given secret.
+ * Returns base64url.
+ */
+export declare function signHmac(payload: string, secret: string): Promise<string>;
+//# sourceMappingURL=propagation.d.ts.map

package/dist/utils/propagation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"propagation.d.ts","sourceRoot":"","sources":["../../src/utils/propagation.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAEvD,MAAM,MAAM,qBAAqB,GAAG;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,EAAE,EAAE,MAAM,CAAC;CACX,CAAC;AAEF;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBtH;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,aAAa,GAAG,IAAI,CAGpE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAIzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,GAAG,OAAO,EAAE,UAAU,EAAE,MAAM,GAAG,CAAC,CAKvE;AAED;;;GAGG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAS/E"}

package/dist/utils/propagation.js

@@ -0,0 +1,60 @@
+/**
+ * Attaches a signed user payload to the request headers.
+ */
+export async function attachSignedUser(headers, session, cfg, env) {
+    const name = cfg.propagation.headerName ?? 'X-User';
+    const sigName = cfg.propagation.sigHeaderName ?? 'X-User-Sig';
+    const secret = env[cfg.propagation.hmacSecretEnv];
+    if (!secret)
+        throw new Error('Missing HMAC secret');
+    const payloadObj = {
+        userId: session.userId,
+        email: session.email,
+        systemRoles: session.systemRoles,
+        ts: Math.floor(Date.now() / 1000),
+    };
+    const payload = encodeJsonToBase64(payloadObj);
+    const sig = await signHmac(payload, secret);
+    headers.set(name, payload);
+    headers.set(sigName, sig);
+}
+/**
+ * Removes the user payload from the request headers.
+ */
+export function stripUser(headers, cfg) {
+    headers.delete(cfg.propagation.headerName ?? 'X-User');
+    headers.delete(cfg.propagation.sigHeaderName ?? 'X-User-Sig');
+}
+/**
+ * Encode an object as base64(JSON).
+ * (Used by gateway to create X-User; reused by verifiers to decode.)
+ */
+export function encodeJsonToBase64(value) {
+    const json = JSON.stringify(value);
+    const bytes = new Uint8Array(new TextEncoder().encode(json));
+    return btoa(String.fromCharCode(...bytes));
+}
+/**
+ * Decode base64(JSON) into a JS value.
+ */
+export function decodeJsonFromBase64(payloadB64) {
+    const bin = atob(payloadB64);
+    const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
+    const json = new TextDecoder().decode(bytes);
+    return JSON.parse(json);
+}
+/**
+ * Signs a payload using HMAC with the given secret.
+ * Returns base64url.
+ */
+export async function signHmac(payload, secret) {
+    const enc = new TextEncoder();
+    const key = await crypto.subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const sigBuf = await crypto.subtle.sign('HMAC', key, enc.encode(payload));
+    const bytes = new Uint8Array(sigBuf);
+    return btoa(String.fromCharCode(...bytes))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+//# sourceMappingURL=propagation.js.map

package/dist/utils/propagation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"propagation.js","sourceRoot":"","sources":["../../src/utils/propagation.ts"],"names":[],"mappings":"AAUA;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgB,EAAE,OAAgB,EAAE,GAAkB,EAAE,GAAQ;IACtG,MAAM,IAAI,GAAG,GAAG,CAAC,WAAW,CAAC,UAAU,IAAI,QAAQ,CAAC;IACpD,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,aAAa,IAAI,YAAY,CAAC;IAC9D,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAEpD,MAAM,UAAU,GAA0B;QACzC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;KACjC,CAAC;IAEF,MAAM,OAAO,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5C,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3B,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,OAAgB,EAAE,GAAkB;IAC7D,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,IAAI,QAAQ,CAAC,CAAC;IACvD,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,IAAI,YAAY,CAAC,CAAC;AAC/D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAc,UAAkB;IACnE,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,OAAe,EAAE,MAAc;IAC7D,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IACzH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC1E,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;SACxC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACtB,CAAC"}

package/dist/utils/returnTo.d.ts

@@ -0,0 +1,2 @@
+export declare function safeReturnTo(returnTo: string | undefined, publicBaseUrl: string): string | undefined;
+//# sourceMappingURL=returnTo.d.ts.map

package/dist/utils/returnTo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"returnTo.d.ts","sourceRoot":"","sources":["../../src/utils/returnTo.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAoBpG"}

package/dist/utils/returnTo.js

@@ -0,0 +1,21 @@
+export function safeReturnTo(returnTo, publicBaseUrl) {
+    if (!returnTo)
+        return undefined;
+    // Allow only same-origin relative paths by default
+    if (returnTo.startsWith('/') && !returnTo.startsWith('//')) {
+        return returnTo;
+    }
+    // Optional: allow absolute URLs only if same origin
+    try {
+        const rt = new URL(returnTo);
+        const pub = new URL(publicBaseUrl);
+        if (rt.origin === pub.origin) {
+            return rt.pathname + rt.search + rt.hash;
+        }
+    }
+    catch {
+        // ignore
+    }
+    return undefined;
+}
+//# sourceMappingURL=returnTo.js.map

package/dist/utils/returnTo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"returnTo.js","sourceRoot":"","sources":["../../src/utils/returnTo.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,YAAY,CAAC,QAA4B,EAAE,aAAqB;IAC/E,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC;IAEhC,mDAAmD;IACnD,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,QAAQ,CAAC;IACjB,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC;QACJ,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;QACnC,IAAI,EAAE,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC,QAAQ,GAAG,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,IAAI,CAAC;QAC1C,CAAC;IACF,CAAC;IAAC,MAAM,CAAC;QACR,SAAS;IACV,CAAC;IAED,OAAO,SAAS,CAAC;AAClB,CAAC"}

package/dist/utils/roles.d.ts

@@ -0,0 +1,3 @@
+export declare function hasAnyRole(userRoles: string[], required: string[]): boolean;
+export declare function hasAllRoles(userRoles: string[], required: string[]): boolean;
+//# sourceMappingURL=roles.d.ts.map

package/dist/utils/roles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.d.ts","sourceRoot":"","sources":["../../src/utils/roles.ts"],"names":[],"mappings":"AAAA,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAW3E;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAW5E"}

package/dist/utils/roles.js

@@ -0,0 +1,25 @@
+export function hasAnyRole(userRoles, required) {
+    if (!Array.isArray(userRoles) || userRoles.length === 0)
+        return false;
+    if (!Array.isArray(required) || required.length === 0)
+        return false;
+    const roles = new Set(userRoles);
+    for (const role of required) {
+        if (roles.has(role))
+            return true;
+    }
+    return false;
+}
+export function hasAllRoles(userRoles, required) {
+    if (!Array.isArray(userRoles))
+        return false;
+    if (!Array.isArray(required) || required.length === 0)
+        return true;
+    const roles = new Set(userRoles);
+    for (const role of required) {
+        if (!roles.has(role))
+            return false;
+    }
+    return true;
+}
+//# sourceMappingURL=roles.js.map

package/dist/utils/roles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.js","sourceRoot":"","sources":["../../src/utils/roles.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,UAAU,CAAC,SAAmB,EAAE,QAAkB;IACjE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEpE,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjC,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC;AACd,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAmB,EAAE,QAAkB;IAClE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnE,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAEjC,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACpC,CAAC;IAED,OAAO,IAAI,CAAC;AACb,CAAC"}

package/dist/utils/turnstile.d.ts

@@ -0,0 +1,12 @@
+export type TurnstileVerifyResult = {
+    ok: true;
+} | {
+    ok: false;
+    code: string;
+    errors?: string[];
+};
+export declare function verifyTurnstile(token: string, secret: string, remoteip?: string): Promise<TurnstileVerifyResult>;
+export declare function getTurnstileTokenField(cfg?: {
+    tokenField?: string;
+}): string;
+//# sourceMappingURL=turnstile.d.ts.map

package/dist/utils/turnstile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"turnstile.d.ts","sourceRoot":"","sources":["../../src/utils/turnstile.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,qBAAqB,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAQlG,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAsCtH;AAED,wBAAgB,sBAAsB,CAAC,GAAG,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAE5E"}

package/dist/utils/turnstile.js

@@ -0,0 +1,40 @@
+// src/utils/turnstile.ts
+export async function verifyTurnstile(token, secret, remoteip) {
+    if (!token || typeof token !== 'string') {
+        return { ok: false, code: 'turnstile_missing' };
+    }
+    if (!secret || typeof secret !== 'string') {
+        return { ok: false, code: 'turnstile_misconfigured' };
+    }
+    const form = new FormData();
+    form.append('secret', secret);
+    form.append('response', token);
+    if (remoteip)
+        form.append('remoteip', remoteip);
+    let res;
+    try {
+        res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
+            method: 'POST',
+            body: form,
+        });
+    }
+    catch {
+        return { ok: false, code: 'turnstile_unavailable' };
+    }
+    if (!res.ok) {
+        return { ok: false, code: 'turnstile_unavailable' };
+    }
+    const data = (await res.json().catch(() => null));
+    if (!data?.success) {
+        return {
+            ok: false,
+            code: 'turnstile_invalid',
+            errors: data?.['error-codes'] ?? [],
+        };
+    }
+    return { ok: true };
+}
+export function getTurnstileTokenField(cfg) {
+    return cfg?.tokenField ?? 'turnstileToken';
+}
+//# sourceMappingURL=turnstile.js.map

package/dist/utils/turnstile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"turnstile.js","sourceRoot":"","sources":["../../src/utils/turnstile.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAUzB,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa,EAAE,MAAc,EAAE,QAAiB;IACrF,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC;IACjD,CAAC;IAED,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC3C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,QAAQ,EAAE,CAAC;IAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9B,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC/B,IAAI,QAAQ;QAAE,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAEhD,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACJ,GAAG,GAAG,MAAM,KAAK,CAAC,2DAA2D,EAAE;YAC9E,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI;SACV,CAAC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,uBAAuB,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,uBAAuB,EAAE,CAAC;IACrD,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAA8B,CAAC;IAC/E,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACpB,OAAO;YACN,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,mBAAmB;YACzB,MAAM,EAAE,IAAI,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE;SACnC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAA6B;IACnE,OAAO,GAAG,EAAE,UAAU,IAAI,gBAAgB,CAAC;AAC5C,CAAC"}

package/dist/utils/verifyInternal.d.ts

@@ -0,0 +1,8 @@
+import type { ProjectConfig } from '../types';
+import { type PropagatedUserPayload } from './propagation';
+export type VerifyGatewayUserOptions = {
+    maxSkewSec?: number;
+    require?: boolean;
+};
+export declare function verifyGatewayUser(request: Request, cfg: Pick<ProjectConfig, 'propagation'>, env: Env, options?: VerifyGatewayUserOptions): Promise<PropagatedUserPayload | null>;
+//# sourceMappingURL=verifyInternal.d.ts.map

package/dist/utils/verifyInternal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyInternal.d.ts","sourceRoot":"","sources":["../../src/utils/verifyInternal.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAkC,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE3F,MAAM,MAAM,wBAAwB,GAAG;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,wBAAsB,iBAAiB,CACtC,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,IAAI,CAAC,aAAa,EAAE,aAAa,CAAC,EACvC,GAAG,EAAE,GAAG,EACR,OAAO,GAAE,wBAA6B,GACpC,OAAO,CAAC,qBAAqB,GAAG,IAAI,CAAC,CA0CvC"}