@factiii/auth 0.1.0

package/dist/index.js

@@ -0,0 +1,2096 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DEFAULT_STORAGE_KEYS: () => DEFAULT_STORAGE_KEYS,
+  OAuthVerificationError: () => OAuthVerificationError,
+  biometricVerifySchema: () => biometricVerifySchema,
+  changePasswordSchema: () => changePasswordSchema,
+  cleanBase32String: () => cleanBase32String,
+  clearAuthCookies: () => clearAuthCookies,
+  comparePassword: () => comparePassword,
+  createAccessToken: () => createAccessToken,
+  createAuthConfig: () => createAuthConfig,
+  createAuthGuard: () => createAuthGuard,
+  createAuthRouter: () => createAuthRouter,
+  createConsoleEmailAdapter: () => createConsoleEmailAdapter,
+  createNoopEmailAdapter: () => createNoopEmailAdapter,
+  createOAuthVerifier: () => createOAuthVerifier,
+  decodeToken: () => decodeToken,
+  defaultAuthConfig: () => defaultAuthConfig,
+  defaultCookieSettings: () => defaultCookieSettings,
+  defaultStorageKeys: () => defaultStorageKeys,
+  defaultTokenSettings: () => defaultTokenSettings,
+  detectBrowser: () => detectBrowser,
+  endAllSessionsSchema: () => endAllSessionsSchema,
+  generateOtp: () => generateOtp,
+  generateTotpCode: () => generateTotpCode,
+  generateTotpSecret: () => generateTotpSecret,
+  hashPassword: () => hashPassword,
+  isMobileDevice: () => isMobileDevice,
+  isNativeApp: () => isNativeApp,
+  isTokenExpiredError: () => isTokenExpiredError,
+  isTokenInvalidError: () => isTokenInvalidError,
+  loginSchema: () => loginSchema,
+  logoutSchema: () => logoutSchema,
+  oAuthLoginSchema: () => oAuthLoginSchema,
+  otpLoginRequestSchema: () => otpLoginRequestSchema,
+  otpLoginVerifySchema: () => otpLoginVerifySchema,
+  parseAuthCookies: () => parseAuthCookies,
+  requestPasswordResetSchema: () => requestPasswordResetSchema,
+  resetPasswordSchema: () => resetPasswordSchema,
+  setAuthCookies: () => setAuthCookies,
+  signupSchema: () => signupSchema,
+  twoFaResetSchema: () => twoFaResetSchema,
+  twoFaSetupSchema: () => twoFaSetupSchema,
+  twoFaVerifySchema: () => twoFaVerifySchema,
+  validatePasswordStrength: () => validatePasswordStrength,
+  verifyAccessToken: () => verifyAccessToken,
+  verifyEmailSchema: () => verifyEmailSchema,
+  verifyTotp: () => verifyTotp
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/middleware/authGuard.ts
+var import_server = require("@trpc/server");
+
+// src/adapters/email.ts
+function createNoopEmailAdapter() {
+  return {
+    async sendVerificationEmail(email, code) {
+      console.log(
+        `[NoopEmailAdapter] Would send verification email to ${email} with code ${code}`
+      );
+    },
+    async sendPasswordResetEmail(email, token) {
+      console.log(
+        `[NoopEmailAdapter] Would send password reset email to ${email} with token ${token}`
+      );
+    },
+    async sendOTPEmail(email, otp) {
+      console.log(
+        `[NoopEmailAdapter] Would send OTP email to ${email} with code ${otp}`
+      );
+    },
+    async sendLoginNotification(email, browserName, ip) {
+      console.log(
+        `[NoopEmailAdapter] Would send login notification to ${email} from ${browserName} (${ip})`
+      );
+    }
+  };
+}
+function createConsoleEmailAdapter() {
+  return {
+    async sendVerificationEmail(email, code) {
+      console.log("\n=== EMAIL: Verification ===");
+      console.log(`To: ${email}`);
+      console.log(`Code: ${code}`);
+      console.log("===========================\n");
+    },
+    async sendPasswordResetEmail(email, token) {
+      console.log("\n=== EMAIL: Password Reset ===");
+      console.log(`To: ${email}`);
+      console.log(`Token: ${token}`);
+      console.log("=============================\n");
+    },
+    async sendOTPEmail(email, otp) {
+      console.log("\n=== EMAIL: OTP Login ===");
+      console.log(`To: ${email}`);
+      console.log(`OTP: ${otp}`);
+      console.log("========================\n");
+    },
+    async sendLoginNotification(email, browserName, ip) {
+      console.log("\n=== EMAIL: Login Notification ===");
+      console.log(`To: ${email}`);
+      console.log(`Browser: ${browserName}`);
+      console.log(`IP: ${ip || "Unknown"}`);
+      console.log("=================================\n");
+    }
+  };
+}
+
+// src/utilities/config.ts
+var defaultTokenSettings = {
+  accessTokenExpiry: "5m",
+  passwordResetExpiryMs: 60 * 60 * 1e3,
+  // 1 hour
+  otpValidityMs: 15 * 60 * 1e3
+  // 15 minutes
+};
+var defaultCookieSettings = {
+  secure: true,
+  sameSite: "Strict",
+  httpOnly: true,
+  accessTokenPath: "/",
+  refreshTokenPath: "/api/trpc/auth.refresh",
+  maxAge: 365 * 24 * 60 * 60
+  // 1 year in seconds
+};
+var defaultStorageKeys = {
+  accessToken: "auth-at",
+  refreshToken: "auth-rt"
+};
+var defaultFeatures = {
+  twoFa: true,
+  oauth: { google: true, apple: true },
+  biometric: false,
+  emailVerification: true,
+  passwordReset: true,
+  otpLogin: true
+};
+function createAuthConfig(config) {
+  const emailService = config.emailService ?? createNoopEmailAdapter();
+  return {
+    ...config,
+    features: { ...defaultFeatures, ...config.features },
+    tokenSettings: { ...defaultTokenSettings, ...config.tokenSettings },
+    cookieSettings: { ...defaultCookieSettings, ...config.cookieSettings },
+    storageKeys: { ...defaultStorageKeys, ...config.storageKeys },
+    generateUsername: config.generateUsername ?? (() => `user_${Date.now()}`),
+    emailService
+  };
+}
+var defaultAuthConfig = {
+  features: defaultFeatures,
+  tokenSettings: defaultTokenSettings,
+  cookieSettings: defaultCookieSettings,
+  storageKeys: defaultStorageKeys
+};
+
+// src/utilities/cookies.ts
+var DEFAULT_STORAGE_KEYS = {
+  ACCESS_TOKEN: "auth-at",
+  REFRESH_TOKEN: "auth-rt"
+};
+function parseAuthCookies(cookieHeader, storageKeys = {
+  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
+  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+}) {
+  if (!cookieHeader) {
+    return {};
+  }
+  const accessToken = cookieHeader.split(`${storageKeys.accessToken}=`)[1]?.split(";")[0];
+  const refreshToken = cookieHeader.split(`${storageKeys.refreshToken}=`)[1]?.split(";")[0];
+  return {
+    accessToken: accessToken || void 0,
+    refreshToken: refreshToken || void 0
+  };
+}
+function extractDomain(req) {
+  const origin = req.headers.origin;
+  if (origin) {
+    try {
+      return new URL(origin).hostname;
+    } catch {
+    }
+  }
+  const referer = req.headers.referer;
+  if (referer) {
+    try {
+      return new URL(referer).hostname;
+    } catch {
+    }
+  }
+  const host = req.headers.host;
+  if (host) {
+    return host.split(":")[0];
+  }
+  return void 0;
+}
+function setAuthCookies(res, credentials, settings, storageKeys = {
+  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
+  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+}) {
+  const cookies = [];
+  const domain = settings.domain ?? extractDomain(res.req);
+  const expiresDate = settings.maxAge ? new Date(Date.now() + settings.maxAge * 1e3).toUTCString() : void 0;
+  if (credentials.refreshToken) {
+    const refreshCookie = [
+      `${storageKeys.refreshToken}=${credentials.refreshToken}`,
+      "HttpOnly",
+      settings.secure ? "Secure=true" : "",
+      `SameSite=${settings.sameSite}`,
+      `Path=${settings.refreshTokenPath}`,
+      domain ? `Domain=${domain}` : "",
+      `Expires=${expiresDate}`
+    ].filter(Boolean).join("; ");
+    cookies.push(refreshCookie);
+  }
+  if (credentials.accessToken) {
+    const accessCookie = [
+      `${storageKeys.accessToken}=${credentials.accessToken}`,
+      settings.secure ? "Secure=true" : "",
+      `SameSite=${settings.sameSite}`,
+      `Path=${settings.accessTokenPath}`,
+      domain ? `Domain=${domain}` : "",
+      `Expires=${expiresDate}`
+    ].filter(Boolean).join("; ");
+    cookies.push(accessCookie);
+  }
+  if (cookies.length > 0) {
+    res.setHeader("Set-Cookie", cookies);
+  }
+}
+function clearAuthCookies(res, settings, storageKeys = {
+  accessToken: DEFAULT_STORAGE_KEYS.ACCESS_TOKEN,
+  refreshToken: DEFAULT_STORAGE_KEYS.REFRESH_TOKEN
+}) {
+  const domain = extractDomain(res.req);
+  const expiredDate = (/* @__PURE__ */ new Date(0)).toUTCString();
+  const cookies = [
+    [
+      `${storageKeys.refreshToken}=destroy`,
+      "HttpOnly",
+      settings.secure ? "Secure=true" : "",
+      `SameSite=${settings.sameSite}`,
+      `Path=${settings.refreshTokenPath}`,
+      domain ? `Domain=${domain}` : "",
+      `Expires=${expiredDate}`
+    ].filter(Boolean).join("; "),
+    [
+      `${storageKeys.accessToken}=destroy`,
+      settings.secure ? "Secure=true" : "",
+      `SameSite=${settings.sameSite}`,
+      `Path=${settings.accessTokenPath}`,
+      domain ? `Domain=${domain}` : "",
+      `Expires=${expiredDate}`
+    ].filter(Boolean).join("; ")
+  ];
+  res.setHeader("Set-Cookie", cookies);
+}
+
+// src/utilities/jwt.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+function createAccessToken(payload, options) {
+  return import_jsonwebtoken.default.sign(payload, options.secret, {
+    expiresIn: options.expiresIn
+  });
+}
+function verifyAccessToken(token, options) {
+  return import_jsonwebtoken.default.verify(token, options.secret, {
+    ignoreExpiration: options.ignoreExpiration ?? false
+  });
+}
+function decodeToken(token) {
+  try {
+    return import_jsonwebtoken.default.decode(token);
+  } catch {
+    return null;
+  }
+}
+function isJwtError(error) {
+  return error instanceof Error && ["TokenExpiredError", "JsonWebTokenError", "NotBeforeError"].includes(
+    error.name
+  );
+}
+function isTokenExpiredError(error) {
+  return isJwtError(error) && error.name === "TokenExpiredError";
+}
+function isTokenInvalidError(error) {
+  return isJwtError(error) && error.name === "JsonWebTokenError";
+}
+
+// src/middleware/authGuard.ts
+function createAuthGuard(config, t) {
+  const storageKeys = config.storageKeys ?? defaultStorageKeys;
+  const cookieSettings = { ...defaultCookieSettings, ...config.cookieSettings };
+  const revokeSession = async (ctx, sessionId, description, errorStack, path) => {
+    clearAuthCookies(ctx.res, cookieSettings, storageKeys);
+    if (config.hooks?.logError) {
+      try {
+        const contextInfo = {
+          reason: description,
+          sessionId,
+          userId: ctx.userId,
+          ip: ctx.ip,
+          userAgent: ctx.headers["user-agent"],
+          ...path ? { path } : {},
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        const combinedStack = [
+          errorStack ? `Error Stack:
+${errorStack}` : null,
+          "Context:",
+          JSON.stringify(contextInfo, null, 2)
+        ].filter(Boolean).join("\n\n");
+        await config.hooks.logError({
+          type: "SECURITY",
+          description: `Session revoked: ${description}`,
+          stack: combinedStack,
+          ip: ctx.ip,
+          userId: ctx.userId ?? null
+        });
+      } catch {
+      }
+    }
+    if (sessionId) {
+      try {
+        await config.prisma.session.update({
+          where: { id: sessionId },
+          data: { revokedAt: /* @__PURE__ */ new Date() }
+        });
+        if (config.hooks?.onSessionRevoked) {
+          const session = await config.prisma.session.findUnique({
+            where: { id: sessionId },
+            select: { id: true, userId: true, socketId: true }
+          });
+          if (session) {
+            await config.hooks.onSessionRevoked(
+              session.userId,
+              session.socketId,
+              description
+            );
+          }
+        }
+      } catch {
+      }
+    }
+  };
+  const authGuard = t.middleware(async ({ ctx, meta, next, path }) => {
+    const cookies = parseAuthCookies(ctx.headers.cookie, storageKeys);
+    const authToken = cookies.accessToken;
+    const refreshToken = cookies.refreshToken;
+    const userAgent = ctx.headers["user-agent"];
+    if (!userAgent) {
+      throw new import_server.TRPCError({
+        code: "BAD_REQUEST",
+        message: "User agent is required"
+      });
+    }
+    if (authToken) {
+      try {
+        const decodedToken = verifyAccessToken(authToken, {
+          secret: config.secrets.jwt,
+          ignoreExpiration: meta?.ignoreExpiration ?? false
+        });
+        if (path === "auth.refresh" && !refreshToken) {
+          await revokeSession(
+            ctx,
+            decodedToken.id,
+            "Session revoked: No refresh token",
+            void 0,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: "Unauthorized",
+            code: "UNAUTHORIZED"
+          });
+        }
+        const session = await config.prisma.session.findUnique({
+          where: {
+            id: decodedToken.id,
+            ...path === "auth.refresh" ? { refreshToken } : {}
+          },
+          select: {
+            userId: true,
+            user: {
+              select: {
+                status: true,
+                verifiedHumanAt: true
+              }
+            },
+            revokedAt: true,
+            socketId: true,
+            id: true
+          }
+        });
+        if (!session) {
+          await revokeSession(
+            ctx,
+            decodedToken.id,
+            "Session revoked: Session not found",
+            void 0,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: "Unauthorized",
+            code: "UNAUTHORIZED"
+          });
+        }
+        if (session.user.status === "BANNED") {
+          await revokeSession(
+            ctx,
+            session.id,
+            "Session revoked: User banned",
+            void 0,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: "Unauthorized",
+            code: "UNAUTHORIZED"
+          });
+        }
+        if (config.features?.biometric && config.hooks?.getBiometricTimeout) {
+          const timeoutMs = await config.hooks.getBiometricTimeout();
+          if (timeoutMs !== null && !["auth.refresh", "auth.verifyBiometric", "auth.logout"].includes(
+            path
+          )) {
+            if (!session.user.verifiedHumanAt) {
+              throw new import_server.TRPCError({
+                message: "Biometric verification not completed. Please verify again.",
+                code: "FORBIDDEN"
+              });
+            }
+            const now = /* @__PURE__ */ new Date();
+            const verificationExpiry = new Date(
+              session.user.verifiedHumanAt.getTime() + timeoutMs
+            );
+            if (now > verificationExpiry) {
+              throw new import_server.TRPCError({
+                message: "Biometric verification expired. Please verify again.",
+                code: "FORBIDDEN"
+              });
+            }
+          }
+        }
+        if (session.revokedAt) {
+          await revokeSession(
+            ctx,
+            session.id,
+            "Session revoked: Session already revoked",
+            void 0,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: "Unauthorized",
+            code: "UNAUTHORIZED"
+          });
+        }
+        if (meta?.adminRequired) {
+          const admin = await config.prisma.admin.findFirst({
+            where: { userId: session.userId },
+            select: { ip: true }
+          });
+          if (!admin || admin.ip !== ctx.ip) {
+            await revokeSession(
+              ctx,
+              session.id,
+              "Session revoked: Admin not found or IP mismatch",
+              void 0,
+              path
+            );
+            throw new import_server.TRPCError({
+              message: "Unauthorized",
+              code: "UNAUTHORIZED"
+            });
+          }
+        }
+        return next({
+          ctx: {
+            ...ctx,
+            userId: session.userId,
+            socketId: session.socketId,
+            sessionId: session.id,
+            refreshToken
+          }
+        });
+      } catch (err) {
+        if (err instanceof import_server.TRPCError && err.code === "FORBIDDEN") {
+          throw err;
+        }
+        if (!meta?.authRequired) {
+          return next({ ctx: { ...ctx, userId: 0 } });
+        }
+        const errorStack = err instanceof Error ? err.stack : void 0;
+        if (isTokenExpiredError(err) || isTokenInvalidError(err)) {
+          await revokeSession(
+            ctx,
+            null,
+            isTokenInvalidError(err) ? "Session revoked: Token invalid" : "Session revoked: Token expired",
+            errorStack,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: isTokenInvalidError(err) ? "Token invalid" : "Token expired",
+            code: "UNAUTHORIZED"
+          });
+        }
+        if (err instanceof import_server.TRPCError && err.code === "UNAUTHORIZED") {
+          await revokeSession(
+            ctx,
+            null,
+            "Session revoked: Unauthorized",
+            errorStack,
+            path
+          );
+          throw new import_server.TRPCError({
+            message: "Unauthorized",
+            code: "UNAUTHORIZED"
+          });
+        }
+        throw err;
+      }
+    } else {
+      if (!meta?.authRequired) {
+        return next({ ctx: { ...ctx, userId: 0 } });
+      }
+      await revokeSession(
+        ctx,
+        null,
+        "Session revoked: No token sent",
+        void 0,
+        path
+      );
+      throw new import_server.TRPCError({ message: "Unauthorized", code: "UNAUTHORIZED" });
+    }
+  });
+  return authGuard;
+}
+
+// src/procedures/base.ts
+var import_node_crypto = require("crypto");
+var import_server2 = require("@trpc/server");
+
+// src/utilities/browser.ts
+function detectBrowser(userAgent) {
+  if (/cfnetwork|darwin/i.test(userAgent)) return "iOS App";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /safari/i.test(userAgent) && !/crios|fxios|edg\//i.test(userAgent)) {
+    return "iOS Browser (Safari)";
+  }
+  if (/iphone|ipad|ipod/i.test(userAgent) && /crios/i.test(userAgent))
+    return "iOS Browser (Chrome)";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /fxios/i.test(userAgent))
+    return "iOS Browser (Firefox)";
+  if (/iphone|ipad|ipod/i.test(userAgent) && /edg\//i.test(userAgent))
+    return "iOS Browser (Edge)";
+  if (/android/i.test(userAgent) && !/chrome|firefox|samsungbrowser|opr\/|edg\//i.test(userAgent)) {
+    return "Android App";
+  }
+  if (/android/i.test(userAgent) && /chrome/i.test(userAgent))
+    return "Android Browser (Chrome)";
+  if (/android/i.test(userAgent) && /firefox/i.test(userAgent))
+    return "Android Browser (Firefox)";
+  if (/android/i.test(userAgent) && /samsungbrowser/i.test(userAgent))
+    return "Android Browser (Samsung)";
+  if (/android/i.test(userAgent) && /opr\//i.test(userAgent))
+    return "Android Browser (Opera)";
+  if (/android/i.test(userAgent) && /edg\//i.test(userAgent))
+    return "Android Browser (Edge)";
+  if (/chrome|chromium/i.test(userAgent)) return "Chrome";
+  if (/firefox/i.test(userAgent)) return "Firefox";
+  if (/safari/i.test(userAgent) && !/chrome|chromium|crios/i.test(userAgent))
+    return "Safari";
+  if (/opr\//i.test(userAgent)) return "Opera";
+  if (/edg\//i.test(userAgent)) return "Edge";
+  return "Unknown";
+}
+function isMobileDevice(userAgent) {
+  return /android|iphone|ipad|ipod|mobile/i.test(userAgent);
+}
+function isNativeApp(userAgent) {
+  const browser = detectBrowser(userAgent);
+  return browser === "iOS App" || browser === "Android App";
+}
+
+// src/utilities/oauth.ts
+var import_apple_signin_auth = __toESM(require("apple-signin-auth"));
+var import_google_auth_library = require("google-auth-library");
+var OAuthVerificationError = class extends Error {
+  constructor(message, statusCode = 401) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "OAuthVerificationError";
+  }
+};
+function createOAuthVerifier(keys) {
+  let googleClient = null;
+  if (keys.google?.clientId) {
+    googleClient = new import_google_auth_library.OAuth2Client({
+      clientId: keys.google.clientId,
+      clientSecret: keys.google.clientSecret
+    });
+  }
+  return async function verifyOAuthToken(provider, token, extra) {
+    if (provider === "GOOGLE") {
+      if (!keys.google?.clientId) {
+        throw new OAuthVerificationError(
+          "Google OAuth configuration missing",
+          500
+        );
+      }
+      if (!googleClient) {
+        throw new OAuthVerificationError(
+          "Google OAuth client not initialized",
+          500
+        );
+      }
+      const audience = [keys.google.clientId];
+      if (keys.google.iosClientId) {
+        audience.push(keys.google.iosClientId);
+      }
+      const ticket = await googleClient.verifyIdToken({
+        idToken: token,
+        audience
+      });
+      const payload = ticket.getPayload();
+      if (!payload?.sub || !payload.email) {
+        throw new OAuthVerificationError("Invalid Google token", 401);
+      }
+      return {
+        oauthId: payload.sub,
+        email: payload.email
+      };
+    }
+    if (provider === "APPLE") {
+      if (!keys.apple?.clientId) {
+        throw new OAuthVerificationError(
+          "Apple OAuth configuration missing",
+          500
+        );
+      }
+      const audience = [keys.apple.clientId];
+      if (keys.apple.iosClientId) {
+        audience.push(keys.apple.iosClientId);
+      }
+      const { sub, email } = await import_apple_signin_auth.default.verifyIdToken(token, {
+        audience,
+        ignoreExpiration: false
+      });
+      const finalEmail = email || extra?.email;
+      if (!finalEmail || !sub) {
+        throw new OAuthVerificationError("Invalid Apple token", 401);
+      }
+      return {
+        oauthId: sub,
+        email: finalEmail
+      };
+    }
+    throw new OAuthVerificationError("Unsupported OAuth provider", 400);
+  };
+}
+
+// src/utilities/password.ts
+var import_bcryptjs = __toESM(require("bcryptjs"));
+var DEFAULT_SALT_ROUNDS = 10;
+async function hashPassword(password, saltRounds = DEFAULT_SALT_ROUNDS) {
+  const salt = await import_bcryptjs.default.genSalt(saltRounds);
+  return import_bcryptjs.default.hash(password, salt);
+}
+async function comparePassword(password, hashedPassword) {
+  return import_bcryptjs.default.compare(password, hashedPassword);
+}
+function validatePasswordStrength(password, minLength = 6) {
+  if (password.length < minLength) {
+    return {
+      valid: false,
+      error: `Password must be at least ${minLength} characters`
+    };
+  }
+  return { valid: true };
+}
+
+// src/utilities/totp.ts
+var import_crypto = __toESM(require("crypto"));
+var import_totp_generator = require("totp-generator");
+var BASE32_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function generateTotpSecret(length = 16) {
+  let secret = "";
+  for (let i = 0; i < length; i++) {
+    const randIndex = Math.floor(Math.random() * BASE32_CHARS.length);
+    secret += BASE32_CHARS[randIndex];
+  }
+  return secret;
+}
+function cleanBase32String(input) {
+  return input.replace(/[^A-Z2-7]/gi, "").toUpperCase();
+}
+async function generateTotpCode(secret) {
+  const cleanSecret = cleanBase32String(secret);
+  const { otp } = await import_totp_generator.TOTP.generate(cleanSecret);
+  return otp;
+}
+async function verifyTotp(code, secret) {
+  const cleanSecret = cleanBase32String(secret);
+  const normalizedCode = code.replace(/\s/g, "");
+  const { otp } = await import_totp_generator.TOTP.generate(cleanSecret);
+  return otp === normalizedCode;
+}
+function generateOtp(min = 1e5, max = 999999) {
+  return Math.floor(import_crypto.default.randomInt(min, max + 1));
+}
+
+// src/validators.ts
+var import_zod = require("zod");
+var usernameValidationRegex = /^[a-zA-Z0-9_]+$/;
+var signupSchema = import_zod.z.object({
+  username: import_zod.z.string().min(1, { message: "Username is required" }).max(30, { message: "Username must be 30 characters or less" }).regex(usernameValidationRegex, {
+    message: "Username can only contain letters, numbers, and underscores"
+  }),
+  email: import_zod.z.string().email({ message: "Invalid email address" }),
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+});
+var loginSchema = import_zod.z.object({
+  username: import_zod.z.string().min(1, { message: "Username or email is required" }),
+  password: import_zod.z.string().min(1, { message: "Password is required" }),
+  code: import_zod.z.string().optional()
+  // 2FA code
+});
+var oAuthLoginSchema = import_zod.z.object({
+  idToken: import_zod.z.string(),
+  user: import_zod.z.object({
+    email: import_zod.z.string().email().optional()
+  }).optional(),
+  provider: import_zod.z.enum(["GOOGLE", "APPLE"])
+});
+var requestPasswordResetSchema = import_zod.z.object({
+  email: import_zod.z.string().email({ message: "Invalid email address" })
+});
+var resetPasswordSchema = import_zod.z.object({
+  token: import_zod.z.string().min(1, { message: "Reset token is required" }),
+  password: import_zod.z.string().min(6, { message: "Password must contain at least 6 characters" })
+});
+var checkPasswordResetSchema = import_zod.z.object({
+  token: import_zod.z.string().min(1, { message: "Reset token is required" })
+});
+var changePasswordSchema = import_zod.z.object({
+  currentPassword: import_zod.z.string().min(1, { message: "Current password is required" }),
+  newPassword: import_zod.z.string().min(6, { message: "New password must contain at least 6 characters" })
+});
+var twoFaVerifySchema = import_zod.z.object({
+  code: import_zod.z.string().min(6, { message: "Verification code is required" }),
+  sessionId: import_zod.z.number().optional()
+});
+var twoFaSetupSchema = import_zod.z.object({
+  code: import_zod.z.string().min(6, { message: "Verification code is required" })
+});
+var twoFaResetSchema = import_zod.z.object({
+  username: import_zod.z.string().min(1),
+  password: import_zod.z.string().min(1)
+});
+var twoFaResetVerifySchema = import_zod.z.object({
+  code: import_zod.z.number().min(1e5).max(999999),
+  username: import_zod.z.string().min(1)
+});
+var verifyEmailSchema = import_zod.z.object({
+  code: import_zod.z.string().min(1, { message: "Verification code is required" })
+});
+var resendVerificationSchema = import_zod.z.object({
+  email: import_zod.z.string().email().optional()
+});
+var biometricVerifySchema = import_zod.z.object({});
+var registerPushTokenSchema = import_zod.z.object({
+  pushToken: import_zod.z.string().min(1, { message: "Push token is required" })
+});
+var deregisterPushTokenSchema = import_zod.z.object({
+  pushToken: import_zod.z.string().min(1, { message: "Push token is required" })
+});
+var getTwofaSecretSchema = import_zod.z.object({
+  pushCode: import_zod.z.string().min(6, { message: "Push code is required" })
+});
+var disableTwofaSchema = import_zod.z.object({
+  password: import_zod.z.string().min(1, { message: "Password is required" })
+});
+var logoutSchema = import_zod.z.object({
+  allDevices: import_zod.z.boolean().optional().default(false)
+});
+var endAllSessionsSchema = import_zod.z.object({
+  skipCurrentSession: import_zod.z.boolean().optional().default(true)
+});
+var otpLoginRequestSchema = import_zod.z.object({
+  email: import_zod.z.string().email({ message: "Invalid email address" })
+});
+var otpLoginVerifySchema = import_zod.z.object({
+  email: import_zod.z.string().email(),
+  code: import_zod.z.number().min(1e5).max(999999)
+});
+function createSchemas(extensions) {
+  return {
+    signup: extensions?.signup ? signupSchema.merge(extensions.signup) : signupSchema,
+    login: extensions?.login ? loginSchema.merge(extensions.login) : loginSchema,
+    oauth: extensions?.oauth ? oAuthLoginSchema.merge(extensions.oauth) : oAuthLoginSchema
+  };
+}
+
+// src/procedures/base.ts
+var BaseProcedureFactory = class {
+  constructor(config, procedure, authProcedure) {
+    this.config = config;
+    this.procedure = procedure;
+    this.authProcedure = authProcedure;
+  }
+  /** Returns all base auth procedures to be merged into the router. */
+  createBaseProcedures(schemas) {
+    return {
+      register: this.register(schemas.signup),
+      login: this.login(schemas.login),
+      logout: this.logout(),
+      refresh: this.refresh(),
+      endAllSessions: this.endAllSessions(),
+      changePassword: this.changePassword(),
+      sendPasswordResetEmail: this.sendPasswordResetEmail(),
+      checkPasswordReset: this.checkPasswordReset(),
+      resetPassword: this.resetPassword()
+    };
+  }
+  register(schema) {
+    return this.procedure.input(schema).mutation(async ({ ctx, input }) => {
+      const typedInput = input;
+      const { username, email, password } = typedInput;
+      const userAgent = ctx.headers["user-agent"];
+      if (!userAgent) {
+        throw new import_server2.TRPCError({
+          code: "BAD_REQUEST",
+          message: "User agent not found"
+        });
+      }
+      if (this.config.hooks?.beforeRegister) {
+        await this.config.hooks.beforeRegister(typedInput);
+      }
+      const usernameCheck = await this.config.prisma.user.findFirst({
+        where: { username: { equals: username, mode: "insensitive" } }
+      });
+      if (usernameCheck) {
+        throw new import_server2.TRPCError({
+          code: "CONFLICT",
+          message: "An account already exists with that username."
+        });
+      }
+      const emailCheck = await this.config.prisma.user.findFirst({
+        where: { email: { equals: email, mode: "insensitive" } },
+        select: { id: true }
+      });
+      if (emailCheck) {
+        throw new import_server2.TRPCError({
+          code: "CONFLICT",
+          message: "An account already exists with that email."
+        });
+      }
+      const hashedPassword = await hashPassword(password);
+      const user = await this.config.prisma.user.create({
+        data: {
+          username,
+          email,
+          password: hashedPassword,
+          status: "ACTIVE",
+          tag: this.config.features.biometric ? "BOT" : "HUMAN",
+          twoFaEnabled: false,
+          emailVerificationStatus: "UNVERIFIED",
+          verifiedHumanAt: null
+        }
+      });
+      if (this.config.hooks?.onUserCreated) {
+        await this.config.hooks.onUserCreated(user.id, typedInput);
+      }
+      const refreshToken = (0, import_node_crypto.randomUUID)();
+      const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
+      const session = await this.config.prisma.session.create({
+        data: {
+          userId: user.id,
+          browserName: detectBrowser(userAgent),
+          socketId: null,
+          refreshToken,
+          ...extraSessionData
+        },
+        select: { id: true, refreshToken: true, userId: true }
+      });
+      if (this.config.hooks?.onSessionCreated) {
+        await this.config.hooks.onSessionCreated(session.id, typedInput);
+      }
+      const accessToken = createAccessToken(
+        { id: session.id, userId: session.userId, verifiedHumanAt: null },
+        {
+          secret: this.config.secrets.jwt,
+          expiresIn: this.config.tokenSettings.accessTokenExpiry
+        }
+      );
+      setAuthCookies(
+        ctx.res,
+        { accessToken, refreshToken: session.refreshToken },
+        this.config.cookieSettings,
+        this.config.storageKeys
+      );
+      return {
+        success: true,
+        user: { id: user.id, email: user.email, username: user.username }
+      };
+    });
+  }
+  login(schema) {
+    return this.procedure.input(schema).mutation(async ({ ctx, input }) => {
+      const typedInput = input;
+      const { username, password, code } = typedInput;
+      const userAgent = ctx.headers["user-agent"];
+      if (!userAgent) {
+        throw new import_server2.TRPCError({
+          code: "BAD_REQUEST",
+          message: "User agent not found"
+        });
+      }
+      if (this.config.hooks?.beforeLogin) {
+        await this.config.hooks.beforeLogin(typedInput);
+      }
+      const user = await this.config.prisma.user.findFirst({
+        where: {
+          OR: [
+            { email: { equals: username, mode: "insensitive" } },
+            { username: { equals: username, mode: "insensitive" } }
+          ]
+        },
+        select: {
+          id: true,
+          status: true,
+          password: true,
+          twoFaEnabled: true,
+          email: true,
+          username: true,
+          oauthProvider: true,
+          verifiedHumanAt: true
+        }
+      });
+      if (!user) {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: "Invalid credentials."
+        });
+      }
+      if (user.status === "DEACTIVATED") {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: "Your account has been deactivated."
+        });
+      }
+      if (user.status === "BANNED") {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: "Your account has been banned."
+        });
+      }
+      if (!user.password) {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: `This account uses ${user.oauthProvider?.toLowerCase() || "social login"}. Please use that method.`
+        });
+      }
+      const isMatch = await comparePassword(password, user.password);
+      if (!isMatch) {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: "Invalid credentials."
+        });
+      }
+      if (user.twoFaEnabled && this.config.features?.twoFa) {
+        if (!code) {
+          throw new import_server2.TRPCError({
+            code: "FORBIDDEN",
+            message: "2FA code required."
+          });
+        }
+        let validCode = false;
+        const secrets = await this.config.prisma.session.findMany({
+          where: { userId: user.id, twoFaSecret: { not: null } },
+          select: { twoFaSecret: true }
+        });
+        for (const s of secrets) {
+          if (s.twoFaSecret && await verifyTotp(code, cleanBase32String(s.twoFaSecret))) {
+            validCode = true;
+            break;
+          }
+        }
+        if (!validCode) {
+          const checkOTP = await this.config.prisma.oTPBasedLogin.findFirst({
+            where: {
+              code: Number(code),
+              userId: user.id,
+              disabled: false,
+              createdAt: { gte: new Date(Date.now() - this.config.tokenSettings.otpValidityMs) }
+            }
+          });
+          if (checkOTP) {
+            validCode = true;
+            await this.config.prisma.oTPBasedLogin.updateMany({
+              where: { code: Number(code) },
+              data: { disabled: true }
+            });
+          }
+        }
+        if (!validCode) {
+          throw new import_server2.TRPCError({
+            code: "FORBIDDEN",
+            message: "Invalid 2FA code."
+          });
+        }
+      }
+      const refreshToken = (0, import_node_crypto.randomUUID)();
+      const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
+      const session = await this.config.prisma.session.create({
+        data: {
+          userId: user.id,
+          browserName: detectBrowser(userAgent),
+          socketId: null,
+          refreshToken,
+          ...extraSessionData
+        },
+        select: {
+          id: true,
+          refreshToken: true,
+          userId: true,
+          socketId: true,
+          browserName: true,
+          issuedAt: true,
+          lastUsed: true,
+          revokedAt: true,
+          deviceId: true,
+          twoFaSecret: true
+        }
+      });
+      if (this.config.hooks?.onUserLogin) {
+        await this.config.hooks.onUserLogin(user.id, session.id);
+      }
+      if (this.config.hooks?.onSessionCreated) {
+        await this.config.hooks.onSessionCreated(session.id, typedInput);
+      }
+      const accessToken = createAccessToken(
+        { id: session.id, userId: session.userId, verifiedHumanAt: user.verifiedHumanAt },
+        {
+          secret: this.config.secrets.jwt,
+          expiresIn: this.config.tokenSettings.accessTokenExpiry
+        }
+      );
+      setAuthCookies(
+        ctx.res,
+        { accessToken, refreshToken: session.refreshToken },
+        this.config.cookieSettings,
+        this.config.storageKeys
+      );
+      return {
+        success: true,
+        user: { id: user.id, email: user.email, username: user.username }
+      };
+    });
+  }
+  logout() {
+    return this.procedure.mutation(async ({ ctx }) => {
+      const { userId, sessionId } = ctx;
+      if (sessionId) {
+        await this.config.prisma.session.update({
+          where: { id: sessionId },
+          data: { revokedAt: /* @__PURE__ */ new Date() }
+        });
+        if (userId) {
+          await this.config.prisma.user.update({
+            where: { id: userId },
+            data: { isActive: false }
+          });
+        }
+        if (this.config.hooks?.afterLogout) {
+          await this.config.hooks.afterLogout(userId, sessionId, ctx.socketId);
+        }
+      }
+      clearAuthCookies(ctx.res, this.config.cookieSettings, this.config.storageKeys);
+      return { success: true };
+    });
+  }
+  refresh() {
+    return this.authProcedure.meta({ ignoreExpiration: true }).query(async ({ ctx }) => {
+      const session = await this.config.prisma.session.update({
+        where: { id: ctx.sessionId },
+        data: { refreshToken: (0, import_node_crypto.randomUUID)(), lastUsed: /* @__PURE__ */ new Date() },
+        select: {
+          id: true,
+          refreshToken: true,
+          userId: true,
+          user: { select: { verifiedHumanAt: true } }
+        }
+      });
+      if (this.config.hooks?.onRefresh) {
+        this.config.hooks.onRefresh(session.userId).catch(() => {
+        });
+      }
+      const accessToken = createAccessToken(
+        { id: session.id, userId: session.userId, verifiedHumanAt: session.user.verifiedHumanAt },
+        {
+          secret: this.config.secrets.jwt,
+          expiresIn: this.config.tokenSettings.accessTokenExpiry
+        }
+      );
+      setAuthCookies(
+        ctx.res,
+        { accessToken, refreshToken: session.refreshToken },
+        this.config.cookieSettings,
+        this.config.storageKeys
+      );
+      return { success: true };
+    });
+  }
+  endAllSessions() {
+    return this.authProcedure.input(endAllSessionsSchema).mutation(async ({ ctx, input }) => {
+      const { skipCurrentSession } = input;
+      const { userId, sessionId } = ctx;
+      const sessionsToRevoke = await this.config.prisma.session.findMany({
+        where: {
+          userId,
+          revokedAt: null,
+          ...skipCurrentSession ? { NOT: { id: sessionId } } : {}
+        },
+        select: { socketId: true, id: true, userId: true }
+      });
+      await this.config.prisma.session.updateMany({
+        where: {
+          userId,
+          revokedAt: null,
+          ...skipCurrentSession ? { NOT: { id: sessionId } } : {}
+        },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      for (const session of sessionsToRevoke) {
+        if (this.config.hooks?.onSessionRevoked) {
+          await this.config.hooks.onSessionRevoked(session.id, session.socketId, "End all sessions");
+        }
+      }
+      if (!skipCurrentSession) {
+        await this.config.prisma.user.update({
+          where: { id: userId },
+          data: { isActive: false }
+        });
+      }
+      return { success: true, revokedCount: sessionsToRevoke.length };
+    });
+  }
+  changePassword() {
+    return this.authProcedure.input(changePasswordSchema).mutation(async ({ ctx, input }) => {
+      const { userId, sessionId } = ctx;
+      const { currentPassword, newPassword } = input;
+      if (currentPassword === newPassword) {
+        throw new import_server2.TRPCError({
+          code: "BAD_REQUEST",
+          message: "New password cannot be the same as current password"
+        });
+      }
+      const user = await this.config.prisma.user.findUnique({
+        where: { id: userId },
+        select: { password: true }
+      });
+      if (!user) {
+        throw new import_server2.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      if (!user.password) {
+        throw new import_server2.TRPCError({
+          code: "BAD_REQUEST",
+          message: "This account uses social login and cannot change password."
+        });
+      }
+      const isMatch = await comparePassword(currentPassword, user.password);
+      if (!isMatch) {
+        throw new import_server2.TRPCError({
+          code: "FORBIDDEN",
+          message: "Current password is incorrect"
+        });
+      }
+      const hashedPassword = await hashPassword(newPassword);
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { password: hashedPassword }
+      });
+      await this.config.prisma.session.updateMany({
+        where: { userId, revokedAt: null, NOT: { id: sessionId } },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      if (this.config.hooks?.onPasswordChanged) {
+        await this.config.hooks.onPasswordChanged(userId);
+      }
+      return {
+        success: true,
+        message: "Password changed. You will need to re-login on other devices."
+      };
+    });
+  }
+  sendPasswordResetEmail() {
+    return this.procedure.input(requestPasswordResetSchema).mutation(async ({ input }) => {
+      const { email } = input;
+      const user = await this.config.prisma.user.findFirst({
+        where: { email: { equals: email, mode: "insensitive" }, status: "ACTIVE" },
+        select: { id: true, password: true, email: true }
+      });
+      if (!user) {
+        return { message: "If an account exists with that email, a reset link has been sent." };
+      }
+      if (!user.password) {
+        throw new import_server2.TRPCError({
+          code: "BAD_REQUEST",
+          message: "This account uses social login. Please use that method."
+        });
+      }
+      await this.config.prisma.passwordReset.deleteMany({ where: { userId: user.id } });
+      const passwordReset = await this.config.prisma.passwordReset.create({
+        data: { userId: user.id }
+      });
+      if (this.config.emailService) {
+        await this.config.emailService.sendPasswordResetEmail(user.email, String(passwordReset.id));
+      }
+      return { message: "Password reset email sent." };
+    });
+  }
+  checkPasswordReset() {
+    return this.procedure.input(checkPasswordResetSchema).query(async ({ input }) => {
+      const { token } = input;
+      const passwordReset = await this.config.prisma.passwordReset.findUnique({
+        where: { id: token },
+        select: { id: true, createdAt: true, userId: true }
+      });
+      if (!passwordReset) {
+        throw new import_server2.TRPCError({ code: "NOT_FOUND", message: "Invalid reset token." });
+      }
+      if (passwordReset.createdAt.getTime() + this.config.tokenSettings.passwordResetExpiryMs < Date.now()) {
+        await this.config.prisma.passwordReset.delete({ where: { id: token } });
+        throw new import_server2.TRPCError({ code: "FORBIDDEN", message: "Reset token expired." });
+      }
+      return { valid: true };
+    });
+  }
+  resetPassword() {
+    return this.procedure.input(resetPasswordSchema).mutation(async ({ input }) => {
+      const { token, password } = input;
+      const passwordReset = await this.config.prisma.passwordReset.findFirst({
+        where: { id: token },
+        select: { id: true, createdAt: true, userId: true }
+      });
+      if (!passwordReset) {
+        throw new import_server2.TRPCError({ code: "NOT_FOUND", message: "Invalid reset token." });
+      }
+      if (passwordReset.createdAt.getTime() + this.config.tokenSettings.passwordResetExpiryMs < Date.now()) {
+        await this.config.prisma.passwordReset.delete({ where: { id: token } });
+        throw new import_server2.TRPCError({ code: "FORBIDDEN", message: "Reset token expired." });
+      }
+      const hashedPassword = await hashPassword(password);
+      await this.config.prisma.user.update({
+        where: { id: passwordReset.userId },
+        data: { password: hashedPassword }
+      });
+      await this.config.prisma.passwordReset.delete({ where: { id: token } });
+      await this.config.prisma.session.updateMany({
+        where: { userId: passwordReset.userId },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      return { message: "Password updated. Please log in with your new password." };
+    });
+  }
+};
+
+// src/procedures/biometric.ts
+var import_server3 = require("@trpc/server");
+var BiometricProcedureFactory = class {
+  constructor(config, authProcedure) {
+    this.config = config;
+    this.authProcedure = authProcedure;
+  }
+  createBiometricProcedures() {
+    return {
+      verifyBiometric: this.verifyBiometric(),
+      getBiometricStatus: this.getBiometricStatus()
+    };
+  }
+  checkConfig() {
+    if (!this.config.features.biometric) {
+      throw new import_server3.TRPCError({ code: "NOT_FOUND" });
+    }
+  }
+  verifyBiometric() {
+    return this.authProcedure.input(biometricVerifySchema).mutation(async ({ ctx }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { verifiedHumanAt: /* @__PURE__ */ new Date(), tag: "HUMAN" }
+      });
+      if (this.config.hooks?.onBiometricVerified) {
+        await this.config.hooks.onBiometricVerified(userId);
+      }
+      return { success: true, verifiedAt: /* @__PURE__ */ new Date() };
+    });
+  }
+  getBiometricStatus() {
+    return this.authProcedure.query(async ({ ctx }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      const user = await this.config.prisma.user.findUnique({
+        where: { id: userId },
+        select: { verifiedHumanAt: true }
+      });
+      if (!user) {
+        throw new import_server3.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      let timeoutMs = null;
+      if (this.config.hooks?.getBiometricTimeout) {
+        timeoutMs = await this.config.hooks.getBiometricTimeout();
+      }
+      let isExpired = false;
+      if (user.verifiedHumanAt && timeoutMs !== null) {
+        const expiresAt = new Date(user.verifiedHumanAt.getTime() + timeoutMs);
+        isExpired = /* @__PURE__ */ new Date() > expiresAt;
+      }
+      return {
+        verifiedHumanAt: user.verifiedHumanAt,
+        isVerified: !!user.verifiedHumanAt && !isExpired,
+        isExpired,
+        requiresVerification: timeoutMs !== null
+      };
+    });
+  }
+};
+
+// src/procedures/emailVerification.ts
+var import_node_crypto2 = require("crypto");
+var import_server4 = require("@trpc/server");
+var EmailVerificationProcedureFactory = class {
+  constructor(config, authProcedure) {
+    this.config = config;
+    this.authProcedure = authProcedure;
+  }
+  createEmailVerificationProcedures() {
+    return {
+      sendVerificationEmail: this.sendVerificationEmail(),
+      verifyEmail: this.verifyEmail(),
+      getVerificationStatus: this.getVerificationStatus()
+    };
+  }
+  checkConfig() {
+    if (!this.config.features.emailVerification) {
+      throw new import_server4.TRPCError({ code: "NOT_FOUND" });
+    }
+  }
+  sendVerificationEmail() {
+    return this.authProcedure.mutation(async ({ ctx }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      const user = await this.config.prisma.user.findUnique({
+        where: { id: userId, status: "ACTIVE" },
+        select: { id: true, email: true, emailVerificationStatus: true }
+      });
+      if (!user) {
+        throw new import_server4.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      if (user.emailVerificationStatus === "VERIFIED") {
+        return { message: "Email is already verified", emailSent: false };
+      }
+      const otp = (0, import_node_crypto2.randomUUID)();
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { emailVerificationStatus: "PENDING", otpForEmailVerification: otp }
+      });
+      if (this.config.emailService) {
+        try {
+          await this.config.emailService.sendVerificationEmail(user.email, otp);
+          return { message: "Verification email sent", emailSent: true };
+        } catch {
+          return { message: "Failed to send email", emailSent: false };
+        }
+      }
+      return { message: "Email service not configured", emailSent: false };
+    });
+  }
+  verifyEmail() {
+    return this.authProcedure.input(verifyEmailSchema).mutation(async ({ ctx, input }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      const { code } = input;
+      const user = await this.config.prisma.user.findUnique({
+        where: { id: userId, status: "ACTIVE" },
+        select: { id: true, emailVerificationStatus: true, otpForEmailVerification: true }
+      });
+      if (!user) {
+        throw new import_server4.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      if (user.emailVerificationStatus === "VERIFIED") {
+        return { success: true, message: "Email is already verified" };
+      }
+      if (code !== user.otpForEmailVerification) {
+        throw new import_server4.TRPCError({ code: "BAD_REQUEST", message: "Invalid verification code" });
+      }
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { emailVerificationStatus: "VERIFIED", otpForEmailVerification: null }
+      });
+      if (this.config.hooks?.onEmailVerified) {
+        await this.config.hooks.onEmailVerified(userId);
+      }
+      return { success: true, message: "Email verified" };
+    });
+  }
+  getVerificationStatus() {
+    return this.authProcedure.query(async ({ ctx }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      const user = await this.config.prisma.user.findUnique({
+        where: { id: userId },
+        select: { emailVerificationStatus: true, email: true }
+      });
+      if (!user) {
+        throw new import_server4.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      return {
+        email: user.email,
+        status: user.emailVerificationStatus,
+        isVerified: user.emailVerificationStatus === "VERIFIED"
+      };
+    });
+  }
+};
+
+// src/procedures/oauth.ts
+var import_node_crypto3 = require("crypto");
+var import_server5 = require("@trpc/server");
+var OAuthLoginProcedureFactory = class {
+  constructor(config, procedure) {
+    this.config = config;
+    this.procedure = procedure;
+    this.verifyOAuthToken = null;
+    if (config.oauthKeys) {
+      this.verifyOAuthToken = createOAuthVerifier(config.oauthKeys);
+    }
+  }
+  createOAuthLoginProcedures(schemas) {
+    return { oAuthLogin: this.oAuthLogin(schemas.oauth) };
+  }
+  checkConfig() {
+    if (!this.config.features.oauth?.google && !this.config.features.oauth?.apple) {
+      throw new import_server5.TRPCError({ code: "NOT_FOUND" });
+    }
+  }
+  oAuthLogin(schema) {
+    return this.procedure.input(schema).mutation(async ({ ctx, input }) => {
+      this.checkConfig();
+      const typedInput = input;
+      const { idToken, user: appleUser, provider } = typedInput;
+      const userAgent = ctx.headers["user-agent"];
+      if (!userAgent) {
+        throw new import_server5.TRPCError({ code: "BAD_REQUEST", message: "User agent not found" });
+      }
+      if (!this.verifyOAuthToken) {
+        throw new import_server5.TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: "OAuth not configured. Provide oauthKeys in config."
+        });
+      }
+      const { email, oauthId } = await this.verifyOAuthToken(provider, idToken, appleUser);
+      if (!email) {
+        throw new import_server5.TRPCError({ code: "BAD_REQUEST", message: "Email not provided by OAuth provider" });
+      }
+      let user = await this.config.prisma.user.findFirst({
+        where: {
+          OR: [
+            { email: { equals: email, mode: "insensitive" } },
+            { oauthId: { equals: oauthId } }
+          ]
+        },
+        select: {
+          id: true,
+          status: true,
+          email: true,
+          username: true,
+          password: true,
+          oauthProvider: true,
+          oauthId: true,
+          twoFaEnabled: true,
+          verifiedHumanAt: true,
+          emailVerificationStatus: true
+        }
+      });
+      if (user?.oauthProvider && user.oauthProvider !== provider) {
+        throw new import_server5.TRPCError({
+          code: "BAD_REQUEST",
+          message: `This email uses ${user.oauthProvider.toLowerCase()} sign-in.`
+        });
+      }
+      if (user && !user.oauthProvider && user.password) {
+        throw new import_server5.TRPCError({
+          code: "BAD_REQUEST",
+          message: "This email uses password login. Please use email/password."
+        });
+      }
+      if (!user) {
+        const generateUsername = this.config.generateUsername ?? (() => `user_${Date.now()}`);
+        user = await this.config.prisma.user.create({
+          data: {
+            username: generateUsername(),
+            email,
+            password: null,
+            emailVerificationStatus: "VERIFIED",
+            oauthProvider: provider,
+            oauthId,
+            status: "ACTIVE",
+            tag: this.config.features.biometric ? "BOT" : "HUMAN",
+            twoFaEnabled: false,
+            verifiedHumanAt: null
+          }
+        });
+        if (this.config.hooks?.onUserCreated) {
+          await this.config.hooks.onUserCreated(user.id, typedInput);
+        }
+        if (this.config.hooks?.onOAuthLinked) {
+          await this.config.hooks.onOAuthLinked(user.id, provider);
+        }
+      }
+      if (user.status === "DEACTIVATED") {
+        throw new import_server5.TRPCError({ code: "FORBIDDEN", message: "Your account has been deactivated." });
+      }
+      if (user.status === "BANNED") {
+        throw new import_server5.TRPCError({ code: "FORBIDDEN", message: "Your account has been banned." });
+      }
+      const refreshToken = (0, import_node_crypto3.randomUUID)();
+      const extraSessionData = this.config.hooks?.getSessionData ? await this.config.hooks.getSessionData(typedInput) : {};
+      const session = await this.config.prisma.session.create({
+        data: {
+          userId: user.id,
+          browserName: detectBrowser(userAgent),
+          socketId: null,
+          refreshToken,
+          ...extraSessionData
+        },
+        select: {
+          id: true,
+          refreshToken: true,
+          userId: true,
+          socketId: true,
+          browserName: true,
+          issuedAt: true,
+          lastUsed: true,
+          revokedAt: true,
+          deviceId: true,
+          twoFaSecret: true
+        }
+      });
+      if (this.config.hooks?.onUserLogin) {
+        await this.config.hooks.onUserLogin(user.id, session.id);
+      }
+      if (this.config.hooks?.onSessionCreated) {
+        await this.config.hooks.onSessionCreated(session.id, typedInput);
+      }
+      const accessToken = createAccessToken(
+        { id: session.id, userId: session.userId, verifiedHumanAt: user.verifiedHumanAt ?? null },
+        {
+          secret: this.config.secrets.jwt,
+          expiresIn: this.config.tokenSettings.accessTokenExpiry
+        }
+      );
+      setAuthCookies(
+        ctx.res,
+        { accessToken, refreshToken: session.refreshToken },
+        this.config.cookieSettings,
+        this.config.storageKeys
+      );
+      return {
+        success: true,
+        user: { id: user.id, email: user.email, username: user.username }
+      };
+    });
+  }
+};
+
+// src/procedures/twoFa.ts
+var import_server6 = require("@trpc/server");
+var TwoFaProcedureFactory = class {
+  constructor(config, procedure, authProcedure) {
+    this.config = config;
+    this.procedure = procedure;
+    this.authProcedure = authProcedure;
+  }
+  createTwoFaProcedures() {
+    return {
+      enableTwofa: this.enableTwofa(),
+      disableTwofa: this.disableTwofa(),
+      getTwofaSecret: this.getTwofaSecret(),
+      twoFaReset: this.twoFaReset(),
+      twoFaResetVerify: this.twoFaResetVerify(),
+      registerPushToken: this.registerPushToken(),
+      deregisterPushToken: this.deregisterPushToken()
+    };
+  }
+  checkConfig() {
+    if (!this.config.features.twoFa) {
+      throw new import_server6.TRPCError({ code: "NOT_FOUND" });
+    }
+  }
+  enableTwofa() {
+    return this.authProcedure.mutation(async ({ ctx }) => {
+      this.checkConfig();
+      const { userId, sessionId } = ctx;
+      const user = await this.config.prisma.user.findFirst({
+        where: { id: userId },
+        select: { twoFaEnabled: true, oauthProvider: true, password: true }
+      });
+      if (!user) {
+        throw new import_server6.TRPCError({ code: "NOT_FOUND", message: "User not found." });
+      }
+      if (user.oauthProvider) {
+        throw new import_server6.TRPCError({
+          code: "FORBIDDEN",
+          message: "2FA is not available for social login accounts."
+        });
+      }
+      if (user.twoFaEnabled) {
+        throw new import_server6.TRPCError({ code: "BAD_REQUEST", message: "2FA already enabled." });
+      }
+      const checkSession = await this.config.prisma.session.findFirst({
+        where: { userId, id: sessionId },
+        select: { deviceId: true }
+      });
+      if (!checkSession?.deviceId) {
+        throw new import_server6.TRPCError({
+          code: "BAD_REQUEST",
+          message: "You must be logged in on mobile to enable 2FA."
+        });
+      }
+      await this.config.prisma.session.updateMany({
+        where: { userId, revokedAt: null, NOT: { id: sessionId } },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      await this.config.prisma.session.updateMany({
+        where: { userId, NOT: { id: sessionId } },
+        data: { twoFaSecret: null }
+      });
+      const secret = generateTotpSecret();
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { twoFaEnabled: true }
+      });
+      await this.config.prisma.session.update({
+        where: { id: sessionId },
+        data: { twoFaSecret: secret }
+      });
+      if (this.config.hooks?.onTwoFaStatusChanged) {
+        await this.config.hooks.onTwoFaStatusChanged(userId, true);
+      }
+      return { secret };
+    });
+  }
+  disableTwofa() {
+    return this.authProcedure.input(disableTwofaSchema).mutation(async ({ ctx, input }) => {
+      this.checkConfig();
+      const { userId, sessionId } = ctx;
+      const { password } = input;
+      const user = await this.config.prisma.user.findFirst({
+        where: { id: userId },
+        select: { password: true, status: true, oauthProvider: true }
+      });
+      if (!user) {
+        throw new import_server6.TRPCError({ code: "NOT_FOUND", message: "User not found." });
+      }
+      if (user.status !== "ACTIVE") {
+        throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Account deactivated." });
+      }
+      if (user.oauthProvider) {
+        throw new import_server6.TRPCError({
+          code: "FORBIDDEN",
+          message: "2FA is not available for social login accounts."
+        });
+      }
+      if (!user.password) {
+        throw new import_server6.TRPCError({
+          code: "BAD_REQUEST",
+          message: "Cannot verify password for social login account."
+        });
+      }
+      const isMatch = await comparePassword(password, user.password);
+      if (!isMatch) {
+        throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Incorrect password." });
+      }
+      await this.config.prisma.user.update({
+        where: { id: userId },
+        data: { twoFaEnabled: false }
+      });
+      await this.config.prisma.session.update({
+        where: { id: sessionId },
+        data: { twoFaSecret: null }
+      });
+      if (this.config.hooks?.onTwoFaStatusChanged) {
+        await this.config.hooks.onTwoFaStatusChanged(userId, false);
+      }
+      return { disabled: true };
+    });
+  }
+  getTwofaSecret() {
+    return this.authProcedure.input(getTwofaSecretSchema).query(async ({ ctx, input }) => {
+      this.checkConfig();
+      const { userId, sessionId } = ctx;
+      const { pushCode } = input;
+      const user = await this.config.prisma.user.findFirst({
+        where: { id: userId },
+        select: { twoFaEnabled: true, oauthProvider: true }
+      });
+      if (user?.oauthProvider) {
+        throw new import_server6.TRPCError({
+          code: "FORBIDDEN",
+          message: "2FA is not available for social login accounts."
+        });
+      }
+      if (!user?.twoFaEnabled) {
+        throw new import_server6.TRPCError({ code: "BAD_REQUEST", message: "2FA not enabled." });
+      }
+      const session = await this.config.prisma.session.findUnique({
+        where: { id: sessionId, userId },
+        select: { twoFaSecret: true, device: { select: { pushToken: true } } }
+      });
+      if (!session?.device) {
+        throw new import_server6.TRPCError({ code: "BAD_REQUEST", message: "Invalid request" });
+      }
+      const expectedCode = await verifyTotp(pushCode, cleanBase32String(session.device.pushToken));
+      if (!expectedCode) {
+        throw new import_server6.TRPCError({ code: "BAD_REQUEST", message: "Invalid request" });
+      }
+      if (session.twoFaSecret) {
+        return { secret: session.twoFaSecret };
+      }
+      const secret = generateTotpSecret();
+      await this.config.prisma.session.update({
+        where: { id: sessionId },
+        data: { twoFaSecret: secret }
+      });
+      return { secret };
+    });
+  }
+  twoFaReset() {
+    return this.procedure.input(twoFaResetSchema).mutation(async ({ input }) => {
+      this.checkConfig();
+      const { username, password } = input;
+      const user = await this.config.prisma.user.findFirst({
+        where: { username: { equals: username, mode: "insensitive" }, twoFaEnabled: true },
+        select: { id: true, password: true, email: true }
+      });
+      if (!user) {
+        throw new import_server6.TRPCError({ code: "UNAUTHORIZED", message: "Invalid credentials." });
+      }
+      if (!user.password) {
+        throw new import_server6.TRPCError({
+          code: "BAD_REQUEST",
+          message: "Social login accounts cannot use 2FA reset."
+        });
+      }
+      const isMatch = await comparePassword(password, user.password);
+      if (!isMatch) {
+        throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Invalid credentials." });
+      }
+      const otp = generateOtp();
+      await this.config.prisma.oTPBasedLogin.create({
+        data: { userId: user.id, code: otp }
+      });
+      if (this.config.emailService) {
+        await this.config.emailService.sendOTPEmail(user.email, otp);
+      }
+      return { success: true };
+    });
+  }
+  twoFaResetVerify() {
+    return this.procedure.input(twoFaResetVerifySchema).mutation(async ({ input }) => {
+      this.checkConfig();
+      const { code, username } = input;
+      const user = await this.config.prisma.user.findFirst({
+        where: { username: { equals: username, mode: "insensitive" } },
+        select: { id: true }
+      });
+      if (!user) {
+        throw new import_server6.TRPCError({ code: "NOT_FOUND", message: "User not found" });
+      }
+      const otp = await this.config.prisma.oTPBasedLogin.findFirst({
+        where: {
+          userId: user.id,
+          code,
+          disabled: false,
+          createdAt: { gte: new Date(Date.now() - this.config.tokenSettings.otpValidityMs) }
+        }
+      });
+      if (!otp) {
+        throw new import_server6.TRPCError({ code: "FORBIDDEN", message: "Invalid or expired OTP" });
+      }
+      await this.config.prisma.oTPBasedLogin.update({
+        where: { id: otp.id },
+        data: { disabled: true }
+      });
+      await this.config.prisma.user.update({
+        where: { id: user.id },
+        data: { twoFaEnabled: false }
+      });
+      await this.config.prisma.session.updateMany({
+        where: { userId: user.id },
+        data: { twoFaSecret: null }
+      });
+      return { success: true, message: "2FA has been reset." };
+    });
+  }
+  registerPushToken() {
+    return this.authProcedure.input(registerPushTokenSchema).mutation(async ({ ctx, input }) => {
+      this.checkConfig();
+      const { userId, sessionId } = ctx;
+      const { pushToken } = input;
+      await this.config.prisma.session.updateMany({
+        where: {
+          userId,
+          id: { not: sessionId },
+          revokedAt: null,
+          device: { pushToken }
+        },
+        data: { revokedAt: /* @__PURE__ */ new Date() }
+      });
+      const checkDevice = await this.config.prisma.device.findFirst({
+        where: {
+          pushToken,
+          sessions: { some: { id: sessionId } },
+          users: { some: { id: userId } }
+        },
+        select: { id: true }
+      });
+      if (!checkDevice) {
+        await this.config.prisma.device.upsert({
+          where: { pushToken },
+          create: {
+            pushToken,
+            sessions: { connect: { id: sessionId } },
+            users: { connect: { id: userId } }
+          },
+          update: {
+            sessions: { connect: { id: sessionId } },
+            users: { connect: { id: userId } }
+          }
+        });
+      }
+      return { registered: true };
+    });
+  }
+  deregisterPushToken() {
+    return this.authProcedure.meta({ ignoreExpiration: true }).input(deregisterPushTokenSchema).mutation(async ({ ctx, input }) => {
+      this.checkConfig();
+      const { userId } = ctx;
+      const { pushToken } = input;
+      const device = await this.config.prisma.device.findFirst({
+        where: {
+          ...userId !== 0 && { users: { some: { id: userId } } },
+          pushToken
+        },
+        select: { id: true }
+      });
+      if (device) {
+        await this.config.prisma.device.delete({
+          where: { id: device.id }
+        });
+      }
+      return { deregistered: true };
+    });
+  }
+};
+
+// src/utilities/trpc.ts
+var import_server7 = require("@trpc/server");
+var import_superjson = __toESM(require("superjson"));
+var import_zod2 = require("zod");
+function isPrismaConnectionError(error) {
+  if (!error || typeof error !== "object") {
+    return false;
+  }
+  const errorCode = error.code;
+  if (errorCode && typeof errorCode === "string") {
+    const codeMatch = errorCode.match(/^P(\d+)$/);
+    if (codeMatch) {
+      const codeNum = parseInt(codeMatch[1], 10);
+      if (codeNum >= 1e3 && codeNum <= 1003) {
+        return true;
+      }
+    }
+  }
+  const constructorName = error.constructor?.name || "";
+  if (constructorName.includes("Prisma")) {
+    const errorMessage = error.message?.toLowerCase() || "";
+    if (errorMessage.includes("can't reach database") || errorMessage.includes("authentication failed") || errorMessage.includes("database server") || errorMessage.includes("timeout") || errorMessage.includes("connection")) {
+      return true;
+    }
+  }
+  const cause = error.cause;
+  if (cause) {
+    return isPrismaConnectionError(cause);
+  }
+  return false;
+}
+function createTrpcBuilder(config) {
+  return import_server7.initTRPC.context().meta().create({
+    transformer: import_superjson.default,
+    errorFormatter: (opts) => {
+      const { shape, error } = opts;
+      const { stack: _stack, ...safeData } = shape.data;
+      if (error.code === "INTERNAL_SERVER_ERROR") {
+        if (config.hooks?.logError) {
+          const errorType = isPrismaConnectionError(error) || isPrismaConnectionError(error.cause) ? "DATABASE_ERROR" : "SERVER_ERROR";
+          config.hooks.logError({
+            type: errorType,
+            description: error.message,
+            stack: error.stack || "No stack trace",
+            ip: opts.ctx?.ip,
+            userId: opts.ctx?.userId ?? null
+          }).catch(() => {
+          });
+        }
+        return {
+          ...shape,
+          message: "An unexpected error occurred. Please try again later.",
+          data: {
+            ...safeData,
+            zodError: error.cause instanceof import_zod2.ZodError ? error.cause.flatten() : null
+          }
+        };
+      }
+      return {
+        ...shape,
+        data: {
+          ...safeData,
+          zodError: error.cause instanceof import_zod2.ZodError ? error.cause.flatten() : null
+        }
+      };
+    }
+  });
+}
+function createBaseProcedure(t, authGuard) {
+  return t.procedure.use(authGuard);
+}
+function getClientIp(req) {
+  const forwarded = req.headers["x-forwarded-for"];
+  if (forwarded) {
+    return forwarded.split(",")[0]?.trim();
+  }
+  return req.socket.remoteAddress || void 0;
+}
+
+// src/router.ts
+var createContext = ({
+  req,
+  res
+}) => ({
+  headers: req.headers,
+  userId: null,
+  sessionId: null,
+  refreshToken: null,
+  socketId: null,
+  ip: getClientIp(req),
+  res
+});
+var AuthRouterFactory = class {
+  constructor(userConfig) {
+    this.userConfig = userConfig;
+    this.config = createAuthConfig(this.userConfig);
+    this.schemas = createSchemas(
+      this.config.schemaExtensions
+    );
+    this.t = createTrpcBuilder(this.config);
+    this.authGuard = createAuthGuard(this.config, this.t);
+    this.procedure = createBaseProcedure(this.t, this.authGuard);
+    this.authProcedure = this.procedure.meta({ authRequired: true });
+  }
+  createRouter() {
+    const baseRoutes = new BaseProcedureFactory(
+      this.config,
+      this.procedure,
+      this.authProcedure
+    );
+    const biometricRoutes = new BiometricProcedureFactory(
+      this.config,
+      this.authProcedure
+    );
+    const emailVerificationRoutes = new EmailVerificationProcedureFactory(
+      this.config,
+      this.authProcedure
+    );
+    const oAuthLoginRoutes = new OAuthLoginProcedureFactory(
+      this.config,
+      this.procedure
+    );
+    const twoFaRoutes = new TwoFaProcedureFactory(
+      this.config,
+      this.procedure,
+      this.authProcedure
+    );
+    return this.t.router({
+      ...baseRoutes.createBaseProcedures(this.schemas),
+      ...oAuthLoginRoutes.createOAuthLoginProcedures(this.schemas),
+      ...twoFaRoutes.createTwoFaProcedures(),
+      ...biometricRoutes.createBiometricProcedures(),
+      ...emailVerificationRoutes.createEmailVerificationProcedures()
+    });
+  }
+};
+function createAuthRouter(config) {
+  const factory = new AuthRouterFactory(config);
+  const router = factory.t.router({
+    auth: factory.createRouter()
+  });
+  return {
+    router,
+    t: factory.t,
+    procedure: factory.procedure,
+    authProcedure: factory.authProcedure,
+    createContext
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_STORAGE_KEYS,
+  OAuthVerificationError,
+  biometricVerifySchema,
+  changePasswordSchema,
+  cleanBase32String,
+  clearAuthCookies,
+  comparePassword,
+  createAccessToken,
+  createAuthConfig,
+  createAuthGuard,
+  createAuthRouter,
+  createConsoleEmailAdapter,
+  createNoopEmailAdapter,
+  createOAuthVerifier,
+  decodeToken,
+  defaultAuthConfig,
+  defaultCookieSettings,
+  defaultStorageKeys,
+  defaultTokenSettings,
+  detectBrowser,
+  endAllSessionsSchema,
+  generateOtp,
+  generateTotpCode,
+  generateTotpSecret,
+  hashPassword,
+  isMobileDevice,
+  isNativeApp,
+  isTokenExpiredError,
+  isTokenInvalidError,
+  loginSchema,
+  logoutSchema,
+  oAuthLoginSchema,
+  otpLoginRequestSchema,
+  otpLoginVerifySchema,
+  parseAuthCookies,
+  requestPasswordResetSchema,
+  resetPasswordSchema,
+  setAuthCookies,
+  signupSchema,
+  twoFaResetSchema,
+  twoFaSetupSchema,
+  twoFaVerifySchema,
+  validatePasswordStrength,
+  verifyAccessToken,
+  verifyEmailSchema,
+  verifyTotp
+});
+//# sourceMappingURL=index.js.map