@furystack/rest-service 11.0.7 → 12.1.0

package/CHANGELOG.md

@@ -1,5 +1,125 @@
 # Changelog
 
+## [12.1.0] - 2026-02-26
+
+### 🔧 Chores
+
+- Normalized line endings in `http-user-context.ts`, `http-authentication-settings.ts`, and related spec files
+
+### ✨ Features
+
+### `LoginResponseStrategy<TResult>` type
+
+New pluggable type that decouples login actions from session/token creation. A strategy turns an authenticated `User` into an `ActionResult<TResult>` — the generic parameter flows through to the action's return type for full type inference.
+
+```typescript
+import type { LoginResponseStrategy } from '@furystack/rest-service'
+
+type LoginResponseStrategy<TResult> = {
+  createLoginResponse: (user: User, injector: Injector) => Promise<ActionResult<TResult>>
+}
+```
+
+### `createCookieLoginStrategy(injector)`
+
+Factory that creates a cookie-based `LoginResponseStrategy<User>`. On login it generates a random session ID, persists it in the session DataSet, and returns the user with a `Set-Cookie` header.
+
+```typescript
+import { createCookieLoginStrategy } from '@furystack/rest-service'
+
+const cookieStrategy = createCookieLoginStrategy(injector)
+// cookieStrategy.createLoginResponse(user, injector) → ActionResult<User> with Set-Cookie header
+```
+
+### `createPasswordLoginAction(strategy)`
+
+Factory that creates a password-based login `RequestAction`. Authenticates via `HttpUserContext.authenticateUser()` then delegates session/token creation to the provided strategy. Includes timing-attack mitigation on failure.
+
+```typescript
+import { createPasswordLoginAction, createCookieLoginStrategy } from '@furystack/rest-service'
+
+const cookieStrategy = createCookieLoginStrategy(injector)
+const loginAction = createPasswordLoginAction(cookieStrategy)
+// loginAction: RequestAction<{ result: User; body: { username: string; password: string } }>
+```
+
+### 🧪 Tests
+
+- Added `login-response-strategy.spec.ts` — tests cookie strategy session creation, Set-Cookie headers, session persistence, and session ID uniqueness
+- Added `password-login-action.spec.ts` — tests strategy delegation, user forwarding, auth failure handling, and custom strategy result types
+
+### ⬆️ Dependencies
+
+- Bumped `@types/node` from ^25.3.0 to ^25.3.1
+
+## [12.0.0] - 2026-02-26
+
+### ✨ Features
+
+### Pluggable Authentication Provider System
+
+Introduced the `AuthenticationProvider` type and refactored `HttpUserContext.authenticateRequest()` to iterate an ordered provider chain instead of hardcoded Basic Auth and Cookie Auth logic.
+
+- `AuthenticationProvider` - Type for pluggable authentication providers. Each provider returns `User` on success, `null` if it doesn't apply, or throws on auth failure.
+- `createBasicAuthProvider()` - Factory that extracts the existing Basic Auth logic into a standalone provider
+- `createCookieAuthProvider()` - Factory that extracts the existing Cookie Auth logic into a standalone provider
+- `HttpAuthenticationSettings.authenticationProviders` - Ordered list of providers, populated by `useHttpAuthentication()` and extensible by auth plugins like `useJwtAuthentication()`
+
+**Usage:**
+
+```typescript
+useHttpAuthentication(injector, {
+  enableBasicAuth: true,
+  authenticationProviders: [myCustomProvider],
+})
+```
+
+Custom providers are appended after the built-in Basic Auth and Cookie Auth providers.
+
+### ♻️ Refactoring
+
+- `useHttpAuthentication()` now eagerly resolves `PasswordAuthenticator` and store dependencies at setup time, constructing providers with resolved instances rather than passing the `Injector`
+- `Authenticate()` middleware checks for a registered `'basic-auth'` provider by name instead of reading the `enableBasicAuth` flag when deciding whether to include the `WWW-Authenticate: Basic` response header
+- Extracted shared store lookup helpers (`authenticateUserWithDataSet`, `findSessionById`, `findUserByName`, `extractSessionIdFromCookies`) into `authentication-providers/helpers.ts`
+
+### 💥 Breaking Changes
+
+- `HttpAuthenticationSettings.getUserStore(StoreManager)` → `getUserDataSet(Injector)` — now returns a `DataSet` instead of a `PhysicalStore`
+- `HttpAuthenticationSettings.getSessionStore(StoreManager)` → `getSessionDataSet(Injector)`
+- `HttpUserContext.getUserStore()` → `getUserDataSet()`
+- `HttpUserContext.getSessionStore()` → `getSessionDataSet()`
+- `authenticateUserWithStore()` → `authenticateUserWithDataSet()` — renamed helper with updated signature
+- `useHttpAuthentication()` now requires DataSets for `User` and `DefaultSession` to be registered via `getRepository(injector).createDataSet()` before calling
+
+### 🔄 Migration
+
+**Setup:**
+
+```typescript
+// Before
+useHttpAuthentication(injector, {
+  getUserStore: (sm) => sm.getStoreFor(User, 'username'),
+  getSessionStore: (sm) => sm.getStoreFor(DefaultSession, 'sessionId'),
+})
+
+// After — register DataSets first, defaults resolve them automatically
+getRepository(injector).createDataSet(User, 'username')
+getRepository(injector).createDataSet(DefaultSession, 'sessionId')
+useHttpAuthentication(injector)
+```
+
+**Custom store accessors:**
+
+```typescript
+// Before
+settings.getUserStore(storeManager)
+settings.getSessionStore(storeManager)
+
+// After
+settings.getUserDataSet(injector)
+settings.getSessionDataSet(injector)
+```
+
 ## [11.0.7] - 2026-02-22
 
 ### ⬆️ Dependencies

package/README.md

@@ -210,14 +210,15 @@ You can use the built-in authentication that comes with this package. It contain
 ```ts
 import { useHttpAuthentication, useRestService } from '@furystack/rest-service'
 import { Injector } from '@furystack/inject'
+import { getDataSetFor } from '@furystack/repository'
 
 const myInjector = new Injector()
 useHttpAuthentication(myInjector, {
   cookieName: 'sessionId', // The session ID will be stored in this cookie
   enableBasicAuth: true, // Enables / disables standard Basic Authentication
   model: ApplicationUserModel, // The custom User model. Should implement `User`
-  getUserStore: (storeManager) => storeManager.getStoreFor(ApplicationUserModel, 'username'), // Callback to retrieve the User Store
-  getSessionStore: (storeManager) => storeManager.getStoreFor(MySessionModel, 'sessionId'), // Callback to retrieve the Session Store
+  getUserDataSet: (injector) => getDataSetFor(injector, ApplicationUserModel, 'username'),
+  getSessionDataSet: (injector) => getDataSetFor(injector, MySessionModel, 'sessionId'),
 })
 await useRestService<MyApi>({ injector: myInjector, ...apiOptions })
 ```

package/esm/actions/index.d.ts

@@ -4,4 +4,5 @@ export * from './is-authenticated.js';
 export * from './login.js';
 export * from './logout.js';
 export * from './not-found-action.js';
+export * from './password-login-action.js';
 //# sourceMappingURL=index.d.ts.map

package/esm/actions/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA;AACrC,cAAc,4BAA4B,CAAA"}

package/esm/actions/index.js

@@ -4,4 +4,5 @@ export * from './is-authenticated.js';
 export * from './login.js';
 export * from './logout.js';
 export * from './not-found-action.js';
+export * from './password-login-action.js';
 //# sourceMappingURL=index.js.map

package/esm/actions/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA;AACrC,cAAc,4BAA4B,CAAA"}

package/esm/actions/login.d.ts

@@ -1,9 +1,13 @@
 import type { User } from '@furystack/core';
 import type { RequestAction } from '../request-action-implementation.js';
 /**
- * Action that logs in the current user
- * Should be called with a JSON Post body with ``username`` and ``password`` fields.
- * Returns the current user instance
+ * Action that logs in the current user.
+ * Should be called with a JSON POST body with `username` and `password` fields.
+ * Returns the current user instance.
+ *
+ * @deprecated Use `createPasswordLoginAction(createCookieLoginStrategy(injector))` instead.
+ * This static action resolves services from the request-scoped injector on
+ * every call; the factory approach captures them once at setup time.
  */
 export declare const LoginAction: RequestAction<{
     result: User;

package/esm/actions/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAE3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAGxE;;;;GAIG;AAEH,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC;IACtC,MAAM,EAAE,IAAI,CAAA;IACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAC7C,CAUA,CAAA"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAK3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAGxE;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC;IACtC,MAAM,EAAE,IAAI,CAAA;IACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAC7C,CAWA,CAAA"}

package/esm/actions/login.js

@@ -1,10 +1,15 @@
-import { HttpUserContext } from '../http-user-context.js';
 import { RequestError } from '@furystack/rest';
+import { sleepAsync } from '@furystack/utils';
+import { HttpUserContext } from '../http-user-context.js';
 import { JsonResult } from '../request-action-implementation.js';
 /**
- * Action that logs in the current user
- * Should be called with a JSON Post body with ``username`` and ``password`` fields.
- * Returns the current user instance
+ * Action that logs in the current user.
+ * Should be called with a JSON POST body with `username` and `password` fields.
+ * Returns the current user instance.
+ *
+ * @deprecated Use `createPasswordLoginAction(createCookieLoginStrategy(injector))` instead.
+ * This static action resolves services from the request-scoped injector on
+ * every call; the factory approach captures them once at setup time.
  */
 export const LoginAction = async ({ injector, getBody, response }) => {
     const userContext = injector.getInstance(HttpUserContext);
@@ -14,7 +19,8 @@ export const LoginAction = async ({ injector, getBody, response }) => {
         await userContext.cookieLogin(user, response);
         return JsonResult(user, 200);
     }
-    catch (error) {
+    catch {
+        await sleepAsync(Math.random() * 1000);
         throw new RequestError('Login Failed', 400);
     }
 };

package/esm/actions/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEzD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAE9C,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAEhE;;;;GAIG;AAEH,MAAM,CAAC,MAAM,WAAW,GAGnB,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAA;IACzD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC7E,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAC7C,OAAO,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;AACH,CAAC,CAAA"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEzD,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAEhE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAGnB,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAA;IACzD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC7E,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAC7C,OAAO,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;QACtC,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;AACH,CAAC,CAAA"}

package/esm/actions/password-login-action.d.ts

@@ -0,0 +1,24 @@
+import type { LoginResponseStrategy } from '../login-response-strategy.js';
+import type { RequestAction } from '../request-action-implementation.js';
+/**
+ * Creates a login {@link RequestAction} that authenticates a user by
+ * username + password, then delegates session/token creation to the
+ * provided {@link LoginResponseStrategy}.
+ *
+ * The return type is inferred from the strategy:
+ * - Cookie strategy -> `ActionResult<User>`
+ * - JWT strategy   -> `ActionResult<{ accessToken: string; refreshToken: string }>`
+ *
+ * A random delay (0-1 s) is added on failure to mitigate timing attacks.
+ *
+ * @param strategy The login response strategy that produces the session/token result
+ * @returns A `RequestAction` that can be wired into a REST API route
+ */
+export declare const createPasswordLoginAction: <TResult>(strategy: LoginResponseStrategy<TResult>) => RequestAction<{
+    result: TResult;
+    body: {
+        username: string;
+        password: string;
+    };
+}>;
+//# sourceMappingURL=password-login-action.d.ts.map

package/esm/actions/password-login-action.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.d.ts","sourceRoot":"","sources":["../../src/actions/password-login-action.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAA;AAC1E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAExE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GAAI,OAAO,EAC/C,UAAU,qBAAqB,CAAC,OAAO,CAAC,KACvC,aAAa,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAWjF,CAAA"}

package/esm/actions/password-login-action.js

@@ -0,0 +1,31 @@
+import { RequestError } from '@furystack/rest';
+import { sleepAsync } from '@furystack/utils';
+import { HttpUserContext } from '../http-user-context.js';
+/**
+ * Creates a login {@link RequestAction} that authenticates a user by
+ * username + password, then delegates session/token creation to the
+ * provided {@link LoginResponseStrategy}.
+ *
+ * The return type is inferred from the strategy:
+ * - Cookie strategy -> `ActionResult<User>`
+ * - JWT strategy   -> `ActionResult<{ accessToken: string; refreshToken: string }>`
+ *
+ * A random delay (0-1 s) is added on failure to mitigate timing attacks.
+ *
+ * @param strategy The login response strategy that produces the session/token result
+ * @returns A `RequestAction` that can be wired into a REST API route
+ */
+export const createPasswordLoginAction = (strategy) => {
+    return async ({ injector, getBody }) => {
+        const body = await getBody();
+        try {
+            const user = await injector.getInstance(HttpUserContext).authenticateUser(body.username, body.password);
+            return strategy.createLoginResponse(user, injector);
+        }
+        catch {
+            await sleepAsync(Math.random() * 1000);
+            throw new RequestError('Login Failed', 400);
+        }
+    };
+};
+//# sourceMappingURL=password-login-action.js.map

package/esm/actions/password-login-action.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.js","sourceRoot":"","sources":["../../src/actions/password-login-action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAIzD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,QAAwC,EAC0C,EAAE;IACpF,OAAO,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;YACvG,OAAO,QAAQ,CAAC,mBAAmB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;YACtC,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC,CAAA;AACH,CAAC,CAAA"}

package/esm/actions/password-login-action.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=password-login-action.spec.d.ts.map

package/esm/actions/password-login-action.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.spec.d.ts","sourceRoot":"","sources":["../../src/actions/password-login-action.spec.ts"],"names":[],"mappings":""}

package/esm/actions/password-login-action.spec.js

@@ -0,0 +1,105 @@
+import { InMemoryStore, StoreManager, User, addStore } from '@furystack/core';
+import { Injector } from '@furystack/inject';
+import { getRepository } from '@furystack/repository';
+import { PasswordAuthenticator, PasswordCredential, PasswordResetToken, usePasswordPolicy } from '@furystack/security';
+import { usingAsync } from '@furystack/utils';
+import { describe, expect, it, vi } from 'vitest';
+import { useHttpAuthentication } from '../helpers.js';
+import { DefaultSession } from '../models/default-session.js';
+import { JsonResult } from '../request-action-implementation.js';
+import { createPasswordLoginAction } from './password-login-action.js';
+const setupInjector = async (i, username, password) => {
+    addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
+        .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+        .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+        .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }));
+    const repo = getRepository(i);
+    repo.createDataSet(User, 'username');
+    repo.createDataSet(DefaultSession, 'sessionId');
+    repo.createDataSet(PasswordCredential, 'userName');
+    repo.createDataSet(PasswordResetToken, 'token');
+    usePasswordPolicy(i);
+    useHttpAuthentication(i);
+    const sm = i.getInstance(StoreManager);
+    const pw = i.getInstance(PasswordAuthenticator);
+    const cred = await pw.hasher.createCredential(username, password);
+    await sm.getStoreFor(PasswordCredential, 'userName').add(cred);
+    await sm.getStoreFor(User, 'username').add({ username, roles: ['admin'] });
+};
+const mockStrategy = {
+    createLoginResponse: vi.fn(async (user) => JsonResult(user, 200)),
+};
+describe('createPasswordLoginAction', () => {
+    const request = {};
+    const response = {};
+    it('Should delegate to the strategy on successful authentication', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            const result = await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(mockStrategy.createLoginResponse).toHaveBeenCalled();
+            expect(result.chunk.username).toBe('testuser');
+        });
+    });
+    it('Should pass the correct user to the strategy', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const strategyFn = vi.fn(async (user) => JsonResult(user, 200));
+            const strategy = { createLoginResponse: strategyFn };
+            const action = createPasswordLoginAction(strategy);
+            await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(strategyFn).toHaveBeenCalledWith(expect.objectContaining({ username: 'testuser', roles: ['admin'] }), i);
+        });
+    });
+    it('Should throw RequestError on invalid credentials', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            await expect(action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'wrongpass' }),
+            })).rejects.toThrow('Login Failed');
+        });
+    });
+    it('Should throw RequestError for nonexistent user', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            await expect(action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'nobody', password: 'nopass' }),
+            })).rejects.toThrow('Login Failed');
+        });
+    });
+    it('Should work with a custom result type from strategy', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const tokenStrategy = {
+                createLoginResponse: async () => JsonResult({ accessToken: 'tok123' }, 200),
+            };
+            const action = createPasswordLoginAction(tokenStrategy);
+            const result = await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(result.chunk.accessToken).toBe('tok123');
+        });
+    });
+});
+//# sourceMappingURL=password-login-action.spec.js.map

package/esm/actions/password-login-action.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.spec.js","sourceRoot":"","sources":["../../src/actions/password-login-action.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC7E,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AACrD,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACtH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAEjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAChE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAA;AAEtE,MAAM,aAAa,GAAG,KAAK,EAAE,CAAW,EAAE,QAAgB,EAAE,QAAgB,EAAE,EAAE;IAC9E,QAAQ,CAAC,CAAC,EAAE,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SACpE,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;SAC/E,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SAClF,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC,CAAA;IAElF,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACpC,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;IAC/C,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAA;IAClD,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAA;IAE/C,iBAAiB,CAAC,CAAC,CAAC,CAAA;IACpB,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAExB,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAA;IACtC,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAA;IAC/C,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IACjE,MAAM,EAAE,CAAC,WAAW,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9D,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;AAC5E,CAAC,CAAA;AAED,MAAM,YAAY,GAAgC;IAChD,mBAAmB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;CACxE,CAAA;AAED,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,OAAO,GAAG,EAAqB,CAAA;IACrC,MAAM,QAAQ,GAAG,EAAoB,CAAA;IAErC,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;gBAC1B,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC,gBAAgB,EAAE,CAAA;YAC3D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAChD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAA;YACrE,MAAM,QAAQ,GAAgC,EAAE,mBAAmB,EAAE,UAAU,EAAE,CAAA;YACjF,MAAM,MAAM,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAA;YAClD,MAAM,MAAM,CAAC;gBACX,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;QACjH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,CACV,MAAM,CAAC;gBACL,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;aAChF,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,CACV,MAAM,CAAC;gBACL,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;aAC3E,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,aAAa,GAAmD;gBACpE,mBAAmB,EAAE,KAAK,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,GAAG,CAAC;aAC5E,CAAA;YACD,MAAM,MAAM,GAAG,yBAAyB,CAAC,aAAa,CAAC,CAAA;YACvD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;gBAC1B,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/esm/authenticate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticate.d.ts","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAgB,aAAa,EAAwB,MAAM,oCAAoC,CAAA;AAG3G;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,YAAY,SAEtB,CAAC,SAAS;IAAE,MAAM,EAAE,OAAO,CAAA;CAAE,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,KAAG,aAAa,CAAC,CAAC,CAkBzE,CAAA"}
+{"version":3,"file":"authenticate.d.ts","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAgB,aAAa,EAAwB,MAAM,oCAAoC,CAAA;AAG3G;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,YAAY,SAEtB,CAAC,SAAS;IAAE,MAAM,EAAE,OAAO,CAAA;CAAE,EAAE,QAAQ,aAAa,CAAC,CAAC,CAAC,KAAG,aAAa,CAAC,CAAC,CAqBzE,CAAA"}

package/esm/authenticate.js

@@ -27,7 +27,10 @@ export const Authenticate = () => (action) => {
         const authenticated = await isAuthenticated(injector);
         if (!authenticated) {
             await sleepAsync(Math.random() * 1000);
-            return JsonResult({ error: 'unauthorized' }, 401, injector.getInstance(HttpUserContext).authentication.enableBasicAuth ? { 'WWW-Authenticate': 'Basic' } : {});
+            const hasBasicAuth = injector
+                .getInstance(HttpUserContext)
+                .authentication.authenticationProviders.some((p) => p.name === 'basic-auth');
+            return JsonResult({ error: 'unauthorized' }, 401, hasBasicAuth ? { 'WWW-Authenticate': 'Basic' } : {});
         }
         return (await action(args));
     };

package/esm/authenticate.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAA;AAE/D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,YAAY,GACvB,GAAG,EAAE,CACL,CAAgC,MAAwB,EAAoB,EAAE;IAC5E,MAAM,OAAO,GAAG,KAAK,EAAE,IAA6B,EAA4B,EAAE;QAChF,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAA;QACzB,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAA;QACrD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;YACtC,OAAO,UAAU,CACf,EAAE,KAAK,EAAE,cAAc,EAAE,EACzB,GAAG,EACH,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAC9E,CAAA;QACjC,CAAC;QACD,OAAO,CAAC,MAAM,MAAM,CAAC,IAAI,CAAC,CAAoB,CAAA;IAChD,CAAC,CAAA;IAED,OAAO,CAAC,eAAe,GAAG,IAAI,CAAA;IAE9B,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA"}
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../src/authenticate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAA;AAE/D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,YAAY,GACvB,GAAG,EAAE,CACL,CAAgC,MAAwB,EAAoB,EAAE;IAC5E,MAAM,OAAO,GAAG,KAAK,EAAE,IAA6B,EAA4B,EAAE;QAChF,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAA;QACzB,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAA;QACrD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;YACtC,MAAM,YAAY,GAAG,QAAQ;iBAC1B,WAAW,CAAC,eAAe,CAAC;iBAC5B,cAAc,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAA;YAC9E,OAAO,UAAU,CACf,EAAE,KAAK,EAAE,cAAc,EAAE,EACzB,GAAG,EACH,YAAY,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CACtB,CAAA;QACjC,CAAC;QACD,OAAO,CAAC,MAAM,MAAM,CAAC,IAAI,CAAC,CAAoB,CAAA;IAChD,CAAC,CAAA;IAED,OAAO,CAAC,eAAe,GAAG,IAAI,CAAA;IAE9B,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA"}

package/esm/authenticate.spec.js

@@ -8,12 +8,12 @@ import { EmptyResult } from './request-action-implementation.js';
 describe('Authenticate', () => {
     const response = {};
     const request = { url: 'http://google.com' };
-    it('Should return 403 w/o basic auth header, when unauthorized and basic auth is disabled', async () => {
+    it('Should return 401 without WWW-Authenticate header when no basic-auth provider is registered', async () => {
         await usingAsync(new Injector(), async (i) => {
             const isAuthenticatedAction = vi.fn(async () => false);
             i.setExplicitInstance({ isAuthenticated: isAuthenticatedAction, getCurrentUser: async () => Promise.reject(new Error(':(')) }, IdentityContext);
             i.setExplicitInstance({
-                authentication: { enableBasicAuth: false },
+                authentication: { authenticationProviders: [] },
             }, HttpUserContext);
             const exampleAuthenticatedAction = vi.fn(async () => EmptyResult());
             const authorized = Authenticate()(exampleAuthenticatedAction);
@@ -24,13 +24,15 @@ describe('Authenticate', () => {
             expect(exampleAuthenticatedAction).not.toBeCalled();
         });
     });
-    it('Should return 403 with basic auth headers when unauthorized and basic auth is enabled', async () => {
+    it('Should return 401 with WWW-Authenticate: Basic header when basic-auth provider is registered', async () => {
         await usingAsync(new Injector(), async (i) => {
             const isAuthenticatedAction = vi.fn(async () => false);
             i.setExplicitInstance({
                 isAuthenticated: isAuthenticatedAction,
                 getCurrentUser: async () => Promise.reject(new Error(':(')),
-                authentication: { enableBasicAuth: true },
+                authentication: {
+                    authenticationProviders: [{ name: 'basic-auth', authenticate: async () => null }],
+                },
             }, HttpUserContext);
             const exampleAuthenticatedAction = vi.fn(async () => EmptyResult());
             const authorized = Authenticate()(exampleAuthenticatedAction);

package/esm/authenticate.spec.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticate.spec.js","sourceRoot":"","sources":["../src/authenticate.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAA;AAEhE,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,MAAM,QAAQ,GAAG,EAA2B,CAAA;IAC5C,MAAM,OAAO,GAAG,EAAE,GAAG,EAAE,mBAAmB,EAAqB,CAAA;IAE/D,EAAE,CAAC,uFAAuF,EAAE,KAAK,IAAI,EAAE;QACrG,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,CAAA;YAEtD,CAAC,CAAC,mBAAmB,CACnB,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EACvG,eAAe,CAChB,CAAA;YAED,CAAC,CAAC,mBAAmB,CACnB;gBACE,cAAc,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE;aAC3C,EACD,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAE7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;YACnE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;YACvD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YACtE,MAAM,CAAC,0BAA0B,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAA;QACrD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,uFAAuF,EAAE,KAAK,IAAI,EAAE;QACrG,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,CAAA;YACtD,CAAC,CAAC,mBAAmB,CACnB;gBACE,eAAe,EAAE,qBAAqB;gBACtC,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3D,cAAc,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;aAC1C,EACD,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAE7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;YACnE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;YACvD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAA;YACnG,MAAM,CAAC,0BAA0B,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAA;QACrD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,CAAA;YACrD,CAAC,CAAC,mBAAmB,CACnB,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EACvG,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAC7D,MAAM,MAAM,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;YACpF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,CAAA;YACvC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACpC,MAAM,CAAC,0BAA0B,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAA;QAC3D,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
+{"version":3,"file":"authenticate.spec.js","sourceRoot":"","sources":["../src/authenticate.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAA;AAEhE,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,MAAM,QAAQ,GAAG,EAA2B,CAAA;IAC5C,MAAM,OAAO,GAAG,EAAE,GAAG,EAAE,mBAAmB,EAAqB,CAAA;IAE/D,EAAE,CAAC,6FAA6F,EAAE,KAAK,IAAI,EAAE;QAC3G,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,CAAA;YAEtD,CAAC,CAAC,mBAAmB,CACnB,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EACvG,eAAe,CAChB,CAAA;YAED,CAAC,CAAC,mBAAmB,CACnB;gBACE,cAAc,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE;aAChD,EACD,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAE7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;YACnE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;YACvD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAA;YACtE,MAAM,CAAC,0BAA0B,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAA;QACrD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8FAA8F,EAAE,KAAK,IAAI,EAAE;QAC5G,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,CAAA;YACtD,CAAC,CAAC,mBAAmB,CACnB;gBACE,eAAe,EAAE,qBAAqB;gBACtC,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC3D,cAAc,EAAE;oBACd,uBAAuB,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;iBAClF;aACF,EACD,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAE7D,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;YACnE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAA;YACvD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAA;YACnG,MAAM,CAAC,0BAA0B,CAAC,CAAC,GAAG,CAAC,UAAU,EAAE,CAAA;QACrD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,qBAAqB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,CAAA;YACrD,CAAC,CAAC,mBAAmB,CACnB,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EACvG,eAAe,CAChB,CAAA;YACD,MAAM,0BAA0B,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAA;YACnE,MAAM,UAAU,GAAG,YAAY,EAAE,CAAC,0BAA0B,CAAC,CAAA;YAC7D,MAAM,MAAM,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;YACpF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,CAAA;YACvC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACnC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACpC,MAAM,CAAC,0BAA0B,CAAC,CAAC,cAAc,CAAC,MAAM,CAAC,CAAA;QAC3D,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/esm/authentication-providers/authentication-provider.d.ts

@@ -0,0 +1,25 @@
+import type { User } from '@furystack/core';
+import type { IncomingMessage } from 'http';
+/**
+ * Interface for pluggable authentication providers.
+ *
+ * Each provider attempts to authenticate an HTTP request using
+ * a specific mechanism (e.g. Basic Auth, Cookie, JWT Bearer).
+ *
+ * **Error handling contract:**
+ * - Returns `User` if authentication succeeded.
+ * - Returns `null` if this provider does not apply to the request
+ *   (e.g. no relevant header present). The next provider in the chain will be tried.
+ * - Throws if the provider applies but authentication fails due to
+ *   bad credentials or an infrastructure error (DB down, etc.).
+ *   Throwing skips remaining providers and results in a 401/500.
+ */
+export type AuthenticationProvider = {
+    /**
+     * Identifies the provider for debugging and logging purposes only.
+     * Not used for deduplication or lookup.
+     */
+    readonly name: string;
+    authenticate: (request: Pick<IncomingMessage, 'headers'>) => Promise<User | null>;
+};
+//# sourceMappingURL=authentication-provider.d.ts.map

package/esm/authentication-providers/authentication-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authentication-provider.d.ts","sourceRoot":"","sources":["../../src/authentication-providers/authentication-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,MAAM,CAAA;AAE3C;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,sBAAsB,GAAG;IACnC;;;OAGG;IACH,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,YAAY,EAAE,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,SAAS,CAAC,KAAK,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAA;CAClF,CAAA"}

package/esm/authentication-providers/authentication-provider.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=authentication-provider.js.map

package/esm/authentication-providers/authentication-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authentication-provider.js","sourceRoot":"","sources":["../../src/authentication-providers/authentication-provider.ts"],"names":[],"mappings":""}

package/esm/authentication-providers/basic-auth-provider.d.ts

@@ -0,0 +1,8 @@
+import type { User } from '@furystack/core';
+import type { AuthenticationProvider } from './authentication-provider.js';
+/**
+ * Creates an authentication provider for HTTP Basic Authentication.
+ * @param authenticateUser Callback that verifies credentials and returns a User or throws
+ */
+export declare const createBasicAuthProvider: (authenticateUser: (username: string, password: string) => Promise<User>) => AuthenticationProvider;
+//# sourceMappingURL=basic-auth-provider.d.ts.map

package/esm/authentication-providers/basic-auth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"basic-auth-provider.d.ts","sourceRoot":"","sources":["../../src/authentication-providers/basic-auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAA;AAE1E;;;GAGG;AACH,eAAO,MAAM,uBAAuB,GAClC,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,KACtE,sBAWD,CAAA"}

package/esm/authentication-providers/basic-auth-provider.js

@@ -0,0 +1,18 @@
+/**
+ * Creates an authentication provider for HTTP Basic Authentication.
+ * @param authenticateUser Callback that verifies credentials and returns a User or throws
+ */
+export const createBasicAuthProvider = (authenticateUser) => ({
+    name: 'basic-auth',
+    authenticate: async (request) => {
+        const authHeader = request.headers.authorization;
+        if (!authHeader?.startsWith('Basic '))
+            return null;
+        const decoded = Buffer.from(authHeader.split(' ')[1], 'base64').toString();
+        const colonIndex = decoded.indexOf(':');
+        const userName = decoded.slice(0, colonIndex);
+        const password = decoded.slice(colonIndex + 1);
+        return await authenticateUser(userName, password);
+    },
+});
+//# sourceMappingURL=basic-auth-provider.js.map

package/esm/authentication-providers/basic-auth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"basic-auth-provider.js","sourceRoot":"","sources":["../../src/authentication-providers/basic-auth-provider.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACrC,gBAAuE,EAC/C,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,YAAY;IAClB,YAAY,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAA;QAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAA;QAClD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAA;QAC1E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QACvC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAA;QAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAA;QAC9C,OAAO,MAAM,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IACnD,CAAC;CACF,CAAC,CAAA"}

package/esm/authentication-providers/cookie-auth-provider.d.ts

@@ -0,0 +1,11 @@
+import type { User } from '@furystack/core';
+import type { DefaultSession } from '../models/default-session.js';
+import type { AuthenticationProvider } from './authentication-provider.js';
+/**
+ * Creates an authentication provider for cookie-based session authentication.
+ * @param cookieName The name of the session cookie
+ * @param getSessionById Callback to find a session by ID
+ * @param getUserByName Callback to find a user by username
+ */
+export declare const createCookieAuthProvider: (cookieName: string, getSessionById: (sessionId: string) => Promise<DefaultSession | null>, getUserByName: (username: string) => Promise<User>) => AuthenticationProvider;
+//# sourceMappingURL=cookie-auth-provider.d.ts.map

package/esm/authentication-providers/cookie-auth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-auth-provider.d.ts","sourceRoot":"","sources":["../../src/authentication-providers/cookie-auth-provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAE3C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAClE,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAA;AAG1E;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,GACnC,YAAY,MAAM,EAClB,gBAAgB,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,EACrE,eAAe,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,KACjD,sBASD,CAAA"}

package/esm/authentication-providers/cookie-auth-provider.js

@@ -0,0 +1,21 @@
+import { UnauthenticatedError } from '@furystack/security';
+import { extractSessionIdFromCookies } from './helpers.js';
+/**
+ * Creates an authentication provider for cookie-based session authentication.
+ * @param cookieName The name of the session cookie
+ * @param getSessionById Callback to find a session by ID
+ * @param getUserByName Callback to find a user by username
+ */
+export const createCookieAuthProvider = (cookieName, getSessionById, getUserByName) => ({
+    name: 'cookie-auth',
+    authenticate: async (request) => {
+        const sessionId = extractSessionIdFromCookies(request, cookieName);
+        if (!sessionId)
+            return null;
+        const session = await getSessionById(sessionId);
+        if (!session)
+            throw new UnauthenticatedError();
+        return await getUserByName(session.username);
+    },
+});
+//# sourceMappingURL=cookie-auth-provider.js.map

package/esm/authentication-providers/cookie-auth-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-auth-provider.js","sourceRoot":"","sources":["../../src/authentication-providers/cookie-auth-provider.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAG1D,OAAO,EAAE,2BAA2B,EAAE,MAAM,cAAc,CAAA;AAE1D;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CACtC,UAAkB,EAClB,cAAqE,EACrE,aAAkD,EAC1B,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,aAAa;IACnB,YAAY,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,SAAS,GAAG,2BAA2B,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;QAClE,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC3B,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,SAAS,CAAC,CAAA;QAC/C,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,oBAAoB,EAAE,CAAA;QAC9C,OAAO,MAAM,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC9C,CAAC;CACF,CAAC,CAAA"}