@factiii/auth 0.1.0 → 0.2.0

package/dist/index.mjs

@@ -21,7 +21,7 @@ import {
   twoFaSetupSchema,
   twoFaVerifySchema,
   verifyEmailSchema
-} from "./chunk-CLHDX2R2.mjs";
+} from "./chunk-PYVDWODF.mjs";
 
 // src/middleware/authGuard.ts
 import { TRPCError } from "@trpc/server";
@@ -30,22 +30,20 @@ import { TRPCError } from "@trpc/server";
 function createNoopEmailAdapter() {
   return {
     async sendVerificationEmail(email, code) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send verification email to ${email} with code ${code}`
       );
     },
     async sendPasswordResetEmail(email, token) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send password reset email to ${email} with token ${token}`
       );
     },
     async sendOTPEmail(email, otp) {
-      console.log(
-        `[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`
-      );
+      console.debug(`[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`);
     },
     async sendLoginNotification(email, browserName, ip) {
-      console.log(
+      console.debug(
         `[NoopEmailAdapter] Would send login notification to ${email} from ${browserName} (${ip})`
       );
     }
@@ -104,6 +102,7 @@ var defaultStorageKeys = {
 };
 var defaultFeatures = {
   twoFa: true,
+  twoFaRequiresDevice: true,
   oauth: { google: true, apple: true },
   biometric: false,
   emailVerification: true,
@@ -251,9 +250,7 @@ function decodeToken(token) {
   }
 }
 function isJwtError(error) {
-  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(
-    error.name
-  );
+  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(error.name);
 }
 function isTokenExpiredError(error) {
   return isJwtError(error) && error.name === "TokenExpiredError";
@@ -307,11 +304,7 @@ ${errorStack}` : null,
             select: { id: true, userId: true, socketId: true }
           });
           if (session) {
-            await config.hooks.onSessionRevoked(
-              session.userId,
-              session.socketId,
-              description
-            );
+            await config.hooks.onSessionRevoked(session.userId, session.socketId, description);
           }
         }
       } catch {
@@ -380,13 +373,7 @@ ${errorStack}` : null,
           });
         }
         if (session.user.status === "BANNED") {
-          await revokeSession(
-            ctx,
-            session.id,
-            "Session revoked: User banned",
-            void 0,
-            path
-          );
+          await revokeSession(ctx, session.id, "Session revoked: User banned", void 0, path);
           throw new TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -394,9 +381,7 @@ ${errorStack}` : null,
         }
         if (config.features?.biometric && config.hooks?.getBiometricTimeout) {
           const timeoutMs = await config.hooks.getBiometricTimeout();
-          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(
-            path
-          )) {
+          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(path)) {
             if (!session.user.verifiedHumanAt) {
               throw new TRPCError({
                 message: "Biometric verification not completed. Please verify again.",
@@ -404,9 +389,7 @@ ${errorStack}` : null,
               });
             }
             const now = /* @__PURE__ */ new Date();
-            const verificationExpiry = new Date(
-              session.user.verifiedHumanAt.getTime() + timeoutMs
-            );
+            const verificationExpiry = new Date(session.user.verifiedHumanAt.getTime() + timeoutMs);
             if (now > verificationExpiry) {
               throw new TRPCError({
                 message: "Biometric verification expired. Please verify again.",
@@ -478,13 +461,7 @@ ${errorStack}` : null,
           });
         }
         if (err instanceof TRPCError && err.code === "UNAUTHORIZED") {
-          await revokeSession(
-            ctx,
-            null,
-            "Session revoked: Unauthorized",
-            errorStack,
-            path
-          );
+          await revokeSession(ctx, null, "Session revoked: Unauthorized", errorStack, path);
           throw new TRPCError({
             message: "Unauthorized",
             code: "UNAUTHORIZED"
@@ -496,13 +473,7 @@ ${errorStack}` : null,
       if (!meta?.authRequired) {
         return next({ ctx: { ...ctx, userId: 0 } });
       }
-      await revokeSession(
-        ctx,
-        null,
-        "Session revoked: No token sent",
-        void 0,
-        path
-      );
+      await revokeSession(ctx, null, "Session revoked: No token sent", void 0, path);
       throw new TRPCError({ message: "Unauthorized", code: "UNAUTHORIZED" });
     }
   });
@@ -523,25 +494,19 @@ function detectBrowser(userAgent) {
     return "iOS Browser (Chrome)";
   if (/iphone|ipad|ipod/i.test(userAgent) && /fxios/i.test(userAgent))
     return "iOS Browser (Firefox)";
-  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "iOS Browser (Edge)";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent)) return "iOS Browser (Edge)";
   if (/android/i.test(userAgent) && !/chrome|firefox|samsungbrowser|opr\/|edg\//i.test(userAgent)) {
     return "Android App";
   }
-  if (/android/i.test(userAgent) && /chrome/i.test(userAgent))
-    return "Android Browser (Chrome)";
-  if (/android/i.test(userAgent) && /firefox/i.test(userAgent))
-    return "Android Browser (Firefox)";
+  if (/android/i.test(userAgent) && /chrome/i.test(userAgent)) return "Android Browser (Chrome)";
+  if (/android/i.test(userAgent) && /firefox/i.test(userAgent)) return "Android Browser (Firefox)";
   if (/android/i.test(userAgent) && /samsungbrowser/i.test(userAgent))
     return "Android Browser (Samsung)";
-  if (/android/i.test(userAgent) && /opr\//i.test(userAgent))
-    return "Android Browser (Opera)";
-  if (/android/i.test(userAgent) && /edg\//i.test(userAgent))
-    return "Android Browser (Edge)";
+  if (/android/i.test(userAgent) && /opr\//i.test(userAgent)) return "Android Browser (Opera)";
+  if (/android/i.test(userAgent) && /edg\//i.test(userAgent)) return "Android Browser (Edge)";
   if (/chrome|chromium/i.test(userAgent)) return "Chrome";
   if (/firefox/i.test(userAgent)) return "Firefox";
-  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent))
-    return "Safari";
+  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent)) return "Safari";
   if (/opr\//i.test(userAgent)) return "Opera";
   if (/edg\//i.test(userAgent)) return "Edge";
   return "Unknown";
@@ -575,16 +540,10 @@ function createOAuthVerifier(keys) {
   return async function verifyOAuthToken(provider, token, extra) {
     if (provider === "GOOGLE") {
       if (!keys.google?.clientId) {
-        throw new OAuthVerificationError(
-          "Google OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth configuration missing", 500);
       }
       if (!googleClient) {
-        throw new OAuthVerificationError(
-          "Google OAuth client not initialized",
-          500
-        );
+        throw new OAuthVerificationError("Google OAuth client not initialized", 500);
       }
       const audience = [keys.google.clientId];
       if (keys.google.iosClientId) {
@@ -605,10 +564,7 @@ function createOAuthVerifier(keys) {
     }
     if (provider === "APPLE") {
       if (!keys.apple?.clientId) {
-        throw new OAuthVerificationError(
-          "Apple OAuth configuration missing",
-          500
-        );
+        throw new OAuthVerificationError("Apple OAuth configuration missing", 500);
       }
       const audience = [keys.apple.clientId];
       if (keys.apple.iosClientId) {
@@ -1014,7 +970,11 @@ var BaseProcedureFactory = class {
       });
       for (const session of sessionsToRevoke) {
         if (this.config.hooks?.onSessionRevoked) {
-          await this.config.hooks.onSessionRevoked(session.id, session.socketId, "End all sessions");
+          await this.config.hooks.onSessionRevoked(
+            session.id,
+            session.socketId,
+            "End all sessions"
+          );
         }
       }
       if (!skipCurrentSession) {
@@ -1343,14 +1303,14 @@ var OAuthLoginProcedureFactory = class {
       }
       const { email, oauthId } = await this.verifyOAuthToken(provider, idToken, appleUser);
       if (!email) {
-        throw new TRPCError5({ code: "BAD_REQUEST", message: "Email not provided by OAuth provider" });
+        throw new TRPCError5({
+          code: "BAD_REQUEST",
+          message: "Email not provided by OAuth provider"
+        });
       }
       let user = await this.config.prisma.user.findFirst({
         where: {
-          OR: [
-            { email: { equals: email, mode: "insensitive" } },
-            { oauthId: { equals: oauthId } }
-          ]
+          OR: [{ email: { equals: email, mode: "insensitive" } }, { oauthId: { equals: oauthId } }]
         },
         select: {
           id: true,
@@ -1500,15 +1460,17 @@ var TwoFaProcedureFactory = class {
       if (user.twoFaEnabled) {
         throw new TRPCError6({ code: "BAD_REQUEST", message: "2FA already enabled." });
       }
-      const checkSession = await this.config.prisma.session.findFirst({
-        where: { userId, id: sessionId },
-        select: { deviceId: true }
-      });
-      if (!checkSession?.deviceId) {
-        throw new TRPCError6({
-          code: "BAD_REQUEST",
-          message: "You must be logged in on mobile to enable 2FA."
+      if (this.config.features.twoFaRequiresDevice !== false) {
+        const checkSession = await this.config.prisma.session.findFirst({
+          where: { userId, id: sessionId },
+          select: { deviceId: true }
         });
+        if (!checkSession?.deviceId) {
+          throw new TRPCError6({
+            code: "BAD_REQUEST",
+            message: "You must be logged in on mobile to enable 2FA."
+          });
+        }
       }
       await this.config.prisma.session.updateMany({
         where: { userId, revokedAt: null, NOT: { id: sessionId } },
@@ -1827,10 +1789,7 @@ function getClientIp(req) {
 }
 
 // src/router.ts
-var createContext = ({
-  req,
-  res
-}) => ({
+var createContext = ({ req, res }) => ({
   headers: req.headers,
   userId: null,
   sessionId: null,
@@ -1843,9 +1802,7 @@ var AuthRouterFactory = class {
   constructor(userConfig) {
     this.userConfig = userConfig;
     this.config = createAuthConfig(this.userConfig);
-    this.schemas = createSchemas(
-      this.config.schemaExtensions
-    );
+    this.schemas = createSchemas(this.config.schemaExtensions);
     this.t = createTrpcBuilder(this.config);
     this.authGuard = createAuthGuard(this.config, this.t);
     this.procedure = createBaseProcedure(this.t, this.authGuard);
@@ -1857,10 +1814,7 @@ var AuthRouterFactory = class {
       this.procedure,
       this.authProcedure
     );
-    const biometricRoutes = new BiometricProcedureFactory(
-      this.config,
-      this.authProcedure
-    );
+    const biometricRoutes = new BiometricProcedureFactory(this.config, this.authProcedure);
     const emailVerificationRoutes = new EmailVerificationProcedureFactory(
       this.config,
       this.authProcedure
@@ -1869,11 +1823,7 @@ var AuthRouterFactory = class {
       this.config,
       this.procedure
     );
-    const twoFaRoutes = new TwoFaProcedureFactory(
-      this.config,
-      this.procedure,
-      this.authProcedure
-    );
+    const twoFaRoutes = new TwoFaProcedureFactory(this.config, this.procedure, this.authProcedure);
     return this.t.router({
       ...baseRoutes.createBaseProcedures(this.schemas),
       ...oAuthLoginRoutes.createOAuthLoginProcedures(this.schemas),
@@ -1944,4 +1894,3 @@ export {
   verifyEmailSchema,
   verifyTotp
 };
-//# sourceMappingURL=index.mjs.map

package/dist/validators.d.mts

@@ -1,2 +1,2 @@
 import 'zod';
-export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B4Kl294A.mjs';
+export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.mjs';

package/dist/validators.d.ts

@@ -1,2 +1,2 @@
 import 'zod';
-export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B4Kl294A.js';
+export { m as AuthSchemas, C as ChangePasswordInput, n as CreatedSchemas, L as LoginInput, p as LoginSchemaInput, a as LogoutInput, O as OAuthLoginInput, q as OAuthSchemaInput, R as ResetPasswordInput, b as SignupInput, u as SignupSchemaInput, T as TwoFaVerifyInput, V as VerifyEmailInput, c as biometricVerifySchema, d as changePasswordSchema, w as checkPasswordResetSchema, x as createSchemas, y as deregisterPushTokenSchema, z as disableTwofaSchema, e as endAllSessionsSchema, B as getTwofaSecretSchema, l as loginSchema, f as logoutSchema, o as oAuthLoginSchema, g as otpLoginRequestSchema, h as otpLoginVerifySchema, D as registerPushTokenSchema, r as requestPasswordResetSchema, E as resendVerificationSchema, i as resetPasswordSchema, s as signupSchema, t as twoFaResetSchema, F as twoFaResetVerifySchema, j as twoFaSetupSchema, k as twoFaVerifySchema, v as verifyEmailSchema } from './hooks-B41uikq7.js';

package/dist/validators.js

@@ -51,8 +51,10 @@ var signupSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username is required" }).max(30, { message: "Username must be 30 characters or less" }).regex(usernameValidationRegex, {
     message: "Username can only contain letters, numbers, and underscores"
   }),
-  email: import_zod.z.string().email({ message: "Invalid email address" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  email: import_zod.z.string().max(254, { message: "Email must be 254 characters or less" }).email({ message: "Invalid email address" }),
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" }).refine((val) => val.trim().length >= 6, {
+    message: "Password cannot be only whitespace"
+  })
 });
 var loginSchema = import_zod.z.object({
   username: import_zod.z.string().min(1, { message: "Username or email is required" }),
@@ -72,14 +74,14 @@ var requestPasswordResetSchema = import_zod.z.object({
 });
 var resetPasswordSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" }),
-  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var checkPasswordResetSchema = import_zod.z.object({
   token: import_zod.z.string().min(1, { message: "Reset token is required" })
 });
 var changePasswordSchema = import_zod.z.object({
   currentPassword: import_zod.z.string().min(1, { message: "Current password is required" }),
-  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" })
+  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" }).max(72, { message: "Password must be 72 characters or less" })
 });
 var twoFaVerifySchema = import_zod.z.object({
   code: import_zod.z.string().min(6, { message: "Verification code is required" }),
@@ -161,4 +163,3 @@ function createSchemas(extensions) {
   twoFaVerifySchema,
   verifyEmailSchema
 });
-//# sourceMappingURL=validators.js.map

package/dist/validators.mjs

@@ -22,7 +22,7 @@ import {
   twoFaSetupSchema,
   twoFaVerifySchema,
   verifyEmailSchema
-} from "./chunk-CLHDX2R2.mjs";
+} from "./chunk-PYVDWODF.mjs";
 export {
   biometricVerifySchema,
   changePasswordSchema,
@@ -48,4 +48,3 @@ export {
   twoFaVerifySchema,
   verifyEmailSchema
 };
-//# sourceMappingURL=validators.mjs.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@factiii/auth",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "publishConfig": {
     "access": "public"
   },
@@ -53,10 +53,16 @@
     "build": "tsup",
     "dev": "tsup --watch",
     "check-types": "tsc --noEmit",
-    "lint": "eslint src --ext .ts,.tsx",
-    "lint:fix": "eslint src --ext .ts,.tsx --fix",
+    "lint": "eslint src",
+    "lint:fix": "eslint src --fix",
+    "format": "prettier --check src",
+    "format:fix": "prettier --write src",
     "clean": "rm -rf dist node_modules/.cache .turbo",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build",
+    "e2e": "pnpm e2e:db:up && playwright test --reporter=list; pnpm e2e:db:down",
+    "e2e:ui": "pnpm e2e:db:up && playwright test --ui",
+    "e2e:db:up": "docker compose -f e2e/docker-compose.yml up -d --wait && prisma generate --schema=e2e/server/schema.prisma --config=e2e/server/prisma.config.ts && prisma migrate reset --schema=e2e/server/schema.prisma --config=e2e/server/prisma.config.ts --force",
+    "e2e:db:down": "docker compose -f e2e/docker-compose.yml down"
   },
   "dependencies": {
     "@trpc/server": "11.8.0",
@@ -83,22 +89,39 @@
     }
   },
   "devDependencies": {
+    "@playwright/test": "^1.58.1",
+    "@prisma/adapter-better-sqlite3": "^7.3.0",
+    "@prisma/adapter-pg": "^7.3.0",
     "@prisma/client": "^7.1.0",
+    "@trpc/client": "^11.8.0",
     "@trpc/server": "11.8.0",
     "@types/bcryptjs": "^2.4.6",
+    "@types/better-sqlite3": "^7.6.13",
     "@types/jsonwebtoken": "^9.0.9",
     "@types/node": "^20.19.0",
+    "@types/pg": "^8.16.0",
+    "@types/react": "^19.2.11",
+    "@types/react-dom": "^19.2.3",
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
+    "@vitejs/plugin-react": "^5.1.3",
+    "better-sqlite3": "^12.6.2",
     "eslint": "^8.57.0",
+    "pg": "^8.18.0",
+    "prettier": "^3.8.1",
     "prisma": "^7.1.0",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-router-dom": "^7.2.0",
     "superjson": "^1.13.3",
     "tsup": "^8.3.5",
+    "tsx": "^4.21.0",
     "typescript": "5.9.3",
+    "vite": "^7.3.1",
     "zod": "3.24.2"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "packageManager": "pnpm@10.26.0+sha512.3b3f6c725ebe712506c0ab1ad4133cf86b1f4b687effce62a9b38b4d72e3954242e643190fc51fa1642949c735f403debd44f5cb0edd657abe63a8b6a7e1e402"
+  "packageManager": "pnpm@10.26.0"
 }

package/dist/chunk-CLHDX2R2.mjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/validators.ts"],"sourcesContent":["import { z, type AnyZodObject } from 'zod';\n\nimport type { SchemaExtensions } from './types/hooks';\n\n/**\n * Username validation regex - allows letters, numbers, and underscores\n */\nconst usernameValidationRegex = /^[a-zA-Z0-9_]+$/;\n\n/**\n * Schema for user registration\n */\nexport const signupSchema = z.object({\n  username: z\n    .string()\n    .min(1, { message: 'Username is required' })\n    .max(30, { message: 'Username must be 30 characters or less' })\n    .regex(usernameValidationRegex, {\n      message: 'Username can only contain letters, numbers, and underscores'\n    }),\n  email: z.string().email({ message: 'Invalid email address' }),\n  password: z\n    .string()\n    .min(6, { message: 'Password must contain at least 6 characters' })\n});\n\n/**\n * Schema for user login\n */\nexport const loginSchema = z.object({\n  username: z.string().min(1, { message: 'Username or email is required' }),\n  password: z.string().min(1, { message: 'Password is required' }),\n  code: z.string().optional() // 2FA code\n});\n\n/**\n * Schema for OAuth login\n */\nexport const oAuthLoginSchema = z.object({\n  idToken: z.string(),\n  user: z\n    .object({\n      email: z.string().email().optional()\n    })\n    .optional(),\n  provider: z.enum(['GOOGLE', 'APPLE'])\n});\n\n/**\n * Schema for password reset request\n */\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email({ message: 'Invalid email address' })\n});\n\n/**\n * Schema for password reset confirmation\n */\nexport const resetPasswordSchema = z.object({\n  token: z.string().min(1, { message: 'Reset token is required' }),\n  password: z\n    .string()\n    .min(6, { message: 'Password must contain at least 6 characters' })\n});\n\n/**\n * Schema for checking password reset token\n */\nexport const checkPasswordResetSchema = z.object({\n  token: z.string().min(1, { message: 'Reset token is required' })\n});\n\n/**\n * Schema for changing password (authenticated)\n */\nexport const changePasswordSchema = z.object({\n  currentPassword: z\n    .string()\n    .min(1, { message: 'Current password is required' }),\n  newPassword: z\n    .string()\n    .min(6, { message: 'New password must contain at least 6 characters' })\n});\n\n/**\n * Schema for 2FA verification\n */\nexport const twoFaVerifySchema = z.object({\n  code: z.string().min(6, { message: 'Verification code is required' }),\n  sessionId: z.number().optional()\n});\n\n/**\n * Schema for 2FA setup\n */\nexport const twoFaSetupSchema = z.object({\n  code: z.string().min(6, { message: 'Verification code is required' })\n});\n\n/**\n * Schema for 2FA reset request\n */\nexport const twoFaResetSchema = z.object({\n  username: z.string().min(1),\n  password: z.string().min(1)\n});\n\n/**\n * Schema for 2FA reset verification\n */\nexport const twoFaResetVerifySchema = z.object({\n  code: z.number().min(100000).max(999999),\n  username: z.string().min(1)\n});\n\n/**\n * Schema for email verification\n */\nexport const verifyEmailSchema = z.object({\n  code: z.string().min(1, { message: 'Verification code is required' })\n});\n\n/**\n * Schema for resending verification email\n */\nexport const resendVerificationSchema = z.object({\n  email: z.string().email().optional()\n});\n\n/**\n * Schema for biometric verification\n */\nexport const biometricVerifySchema = z.object({});\n\n/**\n * Schema for push token registration\n */\nexport const registerPushTokenSchema = z.object({\n  pushToken: z.string().min(1, { message: 'Push token is required' })\n});\n\n/**\n * Schema for push token deregistration\n */\nexport const deregisterPushTokenSchema = z.object({\n  pushToken: z.string().min(1, { message: 'Push token is required' })\n});\n\n/**\n * Schema for getting 2FA secret\n */\nexport const getTwofaSecretSchema = z.object({\n  pushCode: z.string().min(6, { message: 'Push code is required' })\n});\n\n/**\n * Schema for disabling 2FA\n */\nexport const disableTwofaSchema = z.object({\n  password: z.string().min(1, { message: 'Password is required' })\n});\n\n/**\n * Schema for logout\n */\nexport const logoutSchema = z.object({\n  allDevices: z.boolean().optional().default(false)\n});\n\n/**\n * Schema for ending all sessions\n */\nexport const endAllSessionsSchema = z.object({\n  skipCurrentSession: z.boolean().optional().default(true)\n});\n\n/**\n * Schema for OTP-based login request\n */\nexport const otpLoginRequestSchema = z.object({\n  email: z.string().email({ message: 'Invalid email address' })\n});\n\n/**\n * Schema for OTP-based login verification\n */\nexport const otpLoginVerifySchema = z.object({\n  email: z.string().email(),\n  code: z.number().min(100000).max(999999)\n});\n\nexport type SignupInput = z.infer<typeof signupSchema>;\nexport type LoginInput = z.infer<typeof loginSchema>;\nexport type OAuthLoginInput = z.infer<typeof oAuthLoginSchema>;\nexport type ResetPasswordInput = z.infer<typeof resetPasswordSchema>;\nexport type ChangePasswordInput = z.infer<typeof changePasswordSchema>;\nexport type TwoFaVerifyInput = z.infer<typeof twoFaVerifySchema>;\nexport type VerifyEmailInput = z.infer<typeof verifyEmailSchema>;\nexport type LogoutInput = z.infer<typeof logoutSchema>;\n\n/** Schemas used by auth procedures */\nexport interface AuthSchemas {\n  signup: AnyZodObject;\n  login: AnyZodObject;\n  oauth: AnyZodObject;\n}\n\n\n/**\n * Compute merged ZodObject type.\n * When TExt is defined, produces a schema with both base and extension shapes.\n * When TExt is undefined, produces the base schema.\n */\ntype MergedSchema<TBase extends AnyZodObject, TExt extends AnyZodObject | undefined> =\n  [TExt] extends [AnyZodObject]\n    ? z.ZodObject<TBase['shape'] & TExt['shape'], 'strip', z.ZodTypeAny>\n    : TBase;\n\n/** Result type from createSchemas - preserves concrete schema types */\nexport type CreatedSchemas<TExtensions extends SchemaExtensions = {}> = {\n  signup: MergedSchema<typeof signupSchema, TExtensions['signup']>;\n  login: MergedSchema<typeof loginSchema, TExtensions['login']>;\n  oauth: MergedSchema<typeof oAuthLoginSchema, TExtensions['oauth']>;\n};\n\nexport type SignupSchemaInput<TExtensions extends SchemaExtensions = {}> =\n  SignupInput & (TExtensions['signup'] extends AnyZodObject ? z.infer<TExtensions['signup']> : {});\n\nexport type LoginSchemaInput<TExtensions extends SchemaExtensions = {}> =\n  LoginInput & (TExtensions['login'] extends AnyZodObject ? z.infer<TExtensions['login']> : {});\n\nexport type OAuthSchemaInput<TExtensions extends SchemaExtensions = {}> =\n  OAuthLoginInput & (TExtensions['oauth'] extends AnyZodObject ? z.infer<TExtensions['oauth']> : {});\n\n/** Create schemas with optional extensions merged in */\nexport function createSchemas<TExtensions extends SchemaExtensions = {}>(\n  extensions?: TExtensions\n): CreatedSchemas<TExtensions> {\n  return {\n    signup: extensions?.signup\n      ? signupSchema.merge(extensions.signup)\n      : signupSchema,\n    login: extensions?.login\n      ? loginSchema.merge(extensions.login)\n      : loginSchema,\n    oauth: extensions?.oauth\n      ? oAuthLoginSchema.merge(extensions.oauth)\n      : oAuthLoginSchema\n  } as CreatedSchemas<TExtensions>;\n}\n"],"mappings":";AAAA,SAAS,SAA4B;AAOrC,IAAM,0BAA0B;AAKzB,IAAM,eAAe,EAAE,OAAO;AAAA,EACnC,UAAU,EACP,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,uBAAuB,CAAC,EAC1C,IAAI,IAAI,EAAE,SAAS,yCAAyC,CAAC,EAC7D,MAAM,yBAAyB;AAAA,IAC9B,SAAS;AAAA,EACX,CAAC;AAAA,EACH,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,wBAAwB,CAAC;AAAA,EAC5D,UAAU,EACP,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,8CAA8C,CAAC;AACtE,CAAC;AAKM,IAAM,cAAc,EAAE,OAAO;AAAA,EAClC,UAAU,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,gCAAgC,CAAC;AAAA,EACxE,UAAU,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,uBAAuB,CAAC;AAAA,EAC/D,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA;AAC5B,CAAC;AAKM,IAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,SAAS,EAAE,OAAO;AAAA,EAClB,MAAM,EACH,OAAO;AAAA,IACN,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACrC,CAAC,EACA,SAAS;AAAA,EACZ,UAAU,EAAE,KAAK,CAAC,UAAU,OAAO,CAAC;AACtC,CAAC;AAKM,IAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,wBAAwB,CAAC;AAC9D,CAAC;AAKM,IAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,0BAA0B,CAAC;AAAA,EAC/D,UAAU,EACP,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,8CAA8C,CAAC;AACtE,CAAC;AAKM,IAAM,2BAA2B,EAAE,OAAO;AAAA,EAC/C,OAAO,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,0BAA0B,CAAC;AACjE,CAAC;AAKM,IAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,iBAAiB,EACd,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,+BAA+B,CAAC;AAAA,EACrD,aAAa,EACV,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,kDAAkD,CAAC;AAC1E,CAAC;AAKM,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,gCAAgC,CAAC;AAAA,EACpE,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAKM,IAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,gCAAgC,CAAC;AACtE,CAAC;AAKM,IAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAC5B,CAAC;AAKM,IAAM,yBAAyB,EAAE,OAAO;AAAA,EAC7C,MAAM,EAAE,OAAO,EAAE,IAAI,GAAM,EAAE,IAAI,MAAM;AAAA,EACvC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAC5B,CAAC;AAKM,IAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,gCAAgC,CAAC;AACtE,CAAC;AAKM,IAAM,2BAA2B,EAAE,OAAO;AAAA,EAC/C,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AACrC,CAAC;AAKM,IAAM,wBAAwB,EAAE,OAAO,CAAC,CAAC;AAKzC,IAAM,0BAA0B,EAAE,OAAO;AAAA,EAC9C,WAAW,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,yBAAyB,CAAC;AACpE,CAAC;AAKM,IAAM,4BAA4B,EAAE,OAAO;AAAA,EAChD,WAAW,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,yBAAyB,CAAC;AACpE,CAAC;AAKM,IAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,UAAU,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,wBAAwB,CAAC;AAClE,CAAC;AAKM,IAAM,qBAAqB,EAAE,OAAO;AAAA,EACzC,UAAU,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS,uBAAuB,CAAC;AACjE,CAAC;AAKM,IAAM,eAAe,EAAE,OAAO;AAAA,EACnC,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,KAAK;AAClD,CAAC;AAKM,IAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,oBAAoB,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI;AACzD,CAAC;AAKM,IAAM,wBAAwB,EAAE,OAAO;AAAA,EAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,wBAAwB,CAAC;AAC9D,CAAC;AAKM,IAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,MAAM,EAAE,OAAO,EAAE,IAAI,GAAM,EAAE,IAAI,MAAM;AACzC,CAAC;AA8CM,SAAS,cACd,YAC6B;AAC7B,SAAO;AAAA,IACL,QAAQ,YAAY,SAChB,aAAa,MAAM,WAAW,MAAM,IACpC;AAAA,IACJ,OAAO,YAAY,QACf,YAAY,MAAM,WAAW,KAAK,IAClC;AAAA,IACJ,OAAO,YAAY,QACf,iBAAiB,MAAM,WAAW,KAAK,IACvC;AAAA,EACN;AACF;","names":[]}