npm - @gzl10/nexus-plugin-auth-providers - Versions diffs - 0.14.0 - Mend

@gzl10/nexus-plugin-auth-providers 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/chunk-TPBCCFGG.js +489 -0
package/dist/chunk-TPBCCFGG.js.map +1 -0
package/dist/index.d.ts +5 -0
package/dist/index.js +749 -0
package/dist/index.js.map +1 -0
package/dist/shared/index.d.ts +402 -0
package/dist/shared/index.js +17 -0
package/dist/shared/index.js.map +1 -0
package/image.png +0 -0
package/package.json +42 -0

package/dist/chunk-TPBCCFGG.js ADDED Viewed

@@ -0,0 +1,489 @@
+// src/shared/create-auth-service.ts
+import { randomUUID } from "crypto";
+import { createStateManager, checkAllowedDomain } from "@gzl10/nexus-sdk";
+function buildCallbackUrl(moduleName, req) {
+  const backendUrl = process.env["BACKEND_URL"];
+  if (backendUrl) {
+    return `${backendUrl.replace(/\/$/, "")}/api/v1/${moduleName}/callback`;
+  }
+  let proto = req?.headers?.["x-forwarded-proto"] || req?.protocol || "http";
+  const host = req?.headers?.["x-forwarded-host"] || req?.headers?.["host"] || "localhost";
+  if (proto === "http" && host !== "localhost" && !host.startsWith("localhost:") && !host.startsWith("127.0.0.1")) {
+    proto = "https";
+  }
+  return `${proto}://${host}/api/v1/${moduleName}/callback`;
+}
+function createAuthPluginService(options) {
+  const { adapter, ctx } = options;
+  const { logger, errors } = ctx.core;
+  const PROVIDER = adapter.provider;
+  let stateManager = null;
+  function getStateManager() {
+    if (!stateManager) {
+      stateManager = createStateManager();
+    }
+    return stateManager;
+  }
+  async function getAuthorizationUrl(redirectUri, linkUserId, returnUrl) {
+    const config = await adapter.getValidConfig();
+    const state = randomUUID();
+    const nonce = randomUUID();
+    const stateData = {
+      state,
+      nonce,
+      redirectUri,
+      createdAt: Date.now(),
+      linkUserId,
+      returnUrl
+    };
+    getStateManager().store(state, stateData);
+    const scopes = config.scopes?.split(" ").filter(Boolean) || [];
+    const url = await adapter.buildAuthorizationUrl(config, {
+      redirectUri,
+      state,
+      nonce,
+      scopes
+    });
+    logger.debug({ state, redirectUri, linkUserId }, `Generated ${PROVIDER} authorization URL`);
+    return { url, state };
+  }
+  async function verifyState(state) {
+    return getStateManager().verify(state);
+  }
+  async function clearState(state) {
+    getStateManager().clear(state);
+  }
+  async function handleCallback(code, state) {
+    const stateData = await verifyState(state);
+    if (!stateData) {
+      throw new errors.ValidationError("Invalid or expired state");
+    }
+    const config = await adapter.getValidConfig();
+    const userInfo = await adapter.exchangeCodeAndGetUserInfo(
+      config,
+      code,
+      stateData.redirectUri,
+      stateData.nonce || ""
+    );
+    logger.debug(
+      { providerUserId: userInfo.providerUserId, email: userInfo.email },
+      `Got user info from ${PROVIDER}`
+    );
+    if (userInfo.email) {
+      const domainResult = checkAllowedDomain(userInfo.email, config.allowed_domains || null);
+      if (!domainResult.allowed) {
+        throw new errors.ForbiddenError(`Email domain '${domainResult.domain}' is not allowed`);
+      }
+    }
+    const authService = ctx.services.get("auth");
+    const identity = await authService.findIdentity(PROVIDER, userInfo.providerUserId);
+    let nexusUser;
+    if (stateData.linkUserId) {
+      if (identity) {
+        throw new errors.ValidationError(`This ${PROVIDER} account is already linked to another user`);
+      }
+      nexusUser = await authService.findUserById(stateData.linkUserId);
+      if (!nexusUser) {
+        throw new errors.NotFoundError("User not found");
+      }
+      await authService.linkIdentity({
+        userId: stateData.linkUserId,
+        provider: PROVIDER,
+        providerUserId: userInfo.providerUserId,
+        providerEmail: userInfo.email || null
+      });
+      logger.info({ userId: stateData.linkUserId, providerUserId: userInfo.providerUserId }, `Linked ${PROVIDER} account`);
+    } else if (identity) {
+      await authService.updateIdentityLogin(PROVIDER, userInfo.providerUserId);
+      nexusUser = await authService.findUserById(identity.user_id);
+      if (!nexusUser) {
+        throw new errors.NotFoundError("Linked user not found");
+      }
+      logger.debug({ userId: identity.user_id }, `Existing ${PROVIDER} user logged in`);
+    } else {
+      if (userInfo.email) {
+        nexusUser = await authService.findUserByEmail(userInfo.email);
+      }
+      if (nexusUser) {
+        await authService.linkIdentity({
+          userId: nexusUser.id,
+          provider: PROVIDER,
+          providerUserId: userInfo.providerUserId,
+          providerEmail: userInfo.email || null
+        });
+        logger.info({ userId: nexusUser.id, providerUserId: userInfo.providerUserId }, `Linked ${PROVIDER} to existing user by email`);
+      } else {
+        if (!userInfo.email) {
+          throw new errors.ValidationError("Email is required for registration");
+        }
+        nexusUser = await authService.createUser({
+          email: userInfo.email,
+          name: userInfo.name || void 0,
+          role: config.default_role || void 0
+        });
+        await authService.linkIdentity({
+          userId: nexusUser.id,
+          provider: PROVIDER,
+          providerUserId: userInfo.providerUserId,
+          providerEmail: userInfo.email
+        });
+        logger.info({ userId: nexusUser.id, email: userInfo.email }, `Created new user via ${PROVIDER}`);
+      }
+    }
+    await clearState(state);
+    const sessionTokens = await authService.createTokens(nexusUser);
+    return {
+      ...sessionTokens,
+      user: {
+        id: nexusUser.id,
+        email: nexusUser.email,
+        name: nexusUser.name
+      },
+      returnUrl: stateData.returnUrl
+    };
+  }
+  return {
+    getAuthorizationUrl,
+    handleCallback,
+    verifyState,
+    clearState
+  };
+}
+// src/shared/create-auth-controller.ts
+var DEFAULT_FRIENDLY_ERRORS = {
+  "Auto-creation of users is disabled": "Your account does not exist. Contact an administrator to get access.",
+  "Auto-registration is disabled. Please contact administrator.": "Auto-registration is disabled. Contact an administrator to get access."
+};
+function createAuthPluginActions(options, getAuthService) {
+  const { provider, moduleName, caslSubject, friendlyErrors } = options;
+  const allFriendlyErrors = { ...DEFAULT_FRIENDLY_ERRORS, ...friendlyErrors };
+  const authorizeAction = {
+    label: { en: "Authorize", es: "Autorizar" },
+    icon: "mdi:login",
+    key: "authorize",
+    scope: "module",
+    hidden: true,
+    method: "GET",
+    skipAuth: true,
+    input: {},
+    handler: async (_ctx, _input, req, res) => {
+      const callbackUrl = buildCallbackUrl(moduleName, req);
+      const returnUrl = req?.query?.["redirect_uri"] || req?.headers?.["referer"] || req?.headers?.["origin"];
+      const authService = getAuthService();
+      const { url } = await authService.getAuthorizationUrl(callbackUrl, void 0, returnUrl);
+      res?.redirect(302, url);
+    }
+  };
+  const callbackAction = {
+    label: { en: "Callback", es: "Callback" },
+    icon: "mdi:arrow-left",
+    key: "callback",
+    scope: "module",
+    hidden: true,
+    method: "GET",
+    skipAuth: true,
+    input: {},
+    handler: async (ctx, _input, req, res) => {
+      const code = req?.query?.["code"];
+      const state = req?.query?.["state"];
+      const error = req?.query?.["error"];
+      const authService = getAuthService();
+      let returnUrl;
+      if (state) {
+        const stateData = await authService.verifyState(state);
+        returnUrl = stateData?.returnUrl;
+      }
+      function redirectError(message) {
+        if (returnUrl && res) {
+          const params = new URLSearchParams({ error: message });
+          res.redirect(302, `${returnUrl}#${params.toString()}`);
+          return;
+        }
+        throw new ctx.core.errors.ForbiddenError(message);
+      }
+      if (error) {
+        const errorDescription = req?.query?.["error_description"];
+        redirectError(errorDescription || error);
+        return;
+      }
+      if (!code || !state) {
+        throw new ctx.core.errors.ValidationError("code and state are required");
+      }
+      try {
+        const result = await authService.handleCallback(code, state);
+        if (result.returnUrl && res) {
+          const params = new URLSearchParams({
+            accessToken: result.accessToken,
+            refreshToken: result.refreshToken
+          });
+          res.redirect(302, `${result.returnUrl}#${params.toString()}`);
+          return;
+        }
+        return result;
+      } catch (err) {
+        const raw = err instanceof Error ? err.message : "Authentication failed";
+        redirectError(allFriendlyErrors[raw] || raw);
+      }
+    }
+  };
+  const linkAction = {
+    label: { en: "Link Account", es: "Vincular Cuenta" },
+    icon: "mdi:link-plus",
+    key: "link",
+    scope: "module",
+    method: "GET",
+    input: {},
+    handler: async (_ctx, _input, req, res) => {
+      const authReq = req;
+      if (!authReq?.user?.id) {
+        throw new _ctx.core.errors.UnauthorizedError("Authentication required");
+      }
+      const callbackUrl = buildCallbackUrl(moduleName, req);
+      const returnUrl = req?.query?.["redirect_uri"] || req?.headers?.["referer"];
+      const authService = getAuthService();
+      const { url } = await authService.getAuthorizationUrl(callbackUrl, authReq.user.id, returnUrl);
+      res?.redirect(302, url);
+    },
+    casl: {
+      subject: caslSubject,
+      permissions: {
+        "*": { actions: ["update"] }
+      }
+    }
+  };
+  const statusAction = {
+    label: { en: "Status", es: "Estado" },
+    icon: "mdi:information",
+    key: "status",
+    scope: "module",
+    hidden: true,
+    method: "GET",
+    input: {},
+    handler: async (ctx, _input, req) => {
+      const authReq = req;
+      if (!authReq?.user?.id) {
+        throw new ctx.core.errors.UnauthorizedError("Authentication required");
+      }
+      const coreAuth = ctx.services.get("auth");
+      const identities = await coreAuth.findIdentitiesByUser(authReq.user.id, provider);
+      return {
+        linked: identities.length > 0,
+        linkedAt: identities[0]?.linked_at ?? null
+      };
+    },
+    casl: {
+      subject: caslSubject,
+      permissions: {
+        "*": { actions: ["read"] }
+      }
+    }
+  };
+  return [authorizeAction, callbackAction, linkAction, statusAction];
+}
+// src/shared/create-config-entity.ts
+import {
+  useIdField,
+  useTextField,
+  useTextUniqueField,
+  useSwitchField,
+  usePasswordField
+} from "@gzl10/nexus-sdk/fields";
+var authProvidersConfigEntity = {
+  type: "config",
+  key: "auth_providers_config",
+  label: { en: "Auth Providers", es: "Proveedores de Auth" },
+  routePrefix: "/auth-providers-config",
+  scopeField: "provider",
+  timestamps: true,
+  audit: true,
+  get defaults() {
+    return {
+      enabled: false,
+      client_id: "",
+      client_secret: "",
+      scopes: "",
+      allowed_domains: null,
+      default_role: "USER",
+      extra_config: null
+    };
+  },
+  fields: {
+    id: useIdField(),
+    provider: {
+      ...useTextUniqueField({
+        label: { en: "Provider", es: "Proveedor" },
+        size: 50
+      }),
+      disabled: true,
+      hint: { en: "Provider identifier (e.g., google, github, pocketid)", es: "Identificador del proveedor" }
+    },
+    enabled: useSwitchField({
+      label: { en: "Enabled", es: "Habilitado" }
+    }),
+    client_id: useTextField({
+      label: { en: "Client ID", es: "ID de Cliente" }
+    }),
+    client_secret: usePasswordField({
+      label: { en: "Client Secret", es: "Secret de Cliente" }
+    }),
+    scopes: useTextField({
+      label: { en: "Scopes", es: "Scopes" },
+      hint: { en: "Space-separated scopes", es: "Scopes separados por espacios" },
+      nullable: false
+    }),
+    allowed_domains: useTextField({
+      label: { en: "Allowed Domains", es: "Dominios Permitidos" },
+      hint: { en: "JSON array of allowed email domains (empty = all)", es: "Array JSON de dominios permitidos (vac\xEDo = todos)" }
+    }),
+    default_role: useTextField({
+      label: { en: "Default Role", es: "Rol por Defecto" },
+      hint: { en: "Role assigned to new users", es: "Rol asignado a nuevos usuarios" },
+      size: 50
+    }),
+    extra_config: {
+      label: { en: "Extra Config", es: "Config Extra" },
+      input: "json",
+      db: { type: "json", nullable: true },
+      hint: { en: "Provider-specific settings (issuer_url, hosted_domain, etc.)", es: "Configuracion especifica del proveedor" }
+    }
+  },
+  casl: {
+    subject: "AuthProvidersConfig",
+    permissions: {
+      ADMIN: { actions: ["read", "update"] }
+    }
+  }
+};
+// src/shared/create-config-module.ts
+var CONFIG_TABLE = "auth_providers_config";
+function createProviderConfigService(ctx, provider) {
+  const { knex } = ctx.db;
+  async function getConfig() {
+    const result = await knex(CONFIG_TABLE).where("provider", provider).select("*").first();
+    return result || null;
+  }
+  async function isEnabled() {
+    const config = await getConfig();
+    return config?.enabled ?? false;
+  }
+  return { getConfig, isEnabled };
+}
+function createAuthConfigModule(options) {
+  const {
+    name,
+    label,
+    provider,
+    envPrefix,
+    defaultScopes,
+    defaultRole = "USER",
+    extraConfig
+  } = options;
+  return {
+    name,
+    type: "plugin",
+    category: "integrations",
+    label,
+    icon: "mdi:cog",
+    // Entity registered by core auth module — plugins only seed + register service
+    seed: async (ctx) => {
+      const { knex } = ctx.db;
+      const clientId = process.env[`${envPrefix}_CLIENT_ID`];
+      const clientSecret = process.env[`${envPrefix}_CLIENT_SECRET`];
+      if (!clientId || !clientSecret) return;
+      const now = ctx.db.nowTimestamp(knex);
+      const existing = await knex(CONFIG_TABLE).where("provider", provider).first();
+      if (existing) {
+        await knex(CONFIG_TABLE).where("id", existing.id).update({
+          client_id: clientId,
+          client_secret: clientSecret,
+          updated_at: now
+        });
+        ctx.core.logger.info(`${provider} auth config updated from environment variables`);
+      } else {
+        await knex(CONFIG_TABLE).insert({
+          id: ctx.core.generateId(),
+          provider,
+          enabled: true,
+          client_id: clientId,
+          client_secret: clientSecret,
+          scopes: defaultScopes,
+          allowed_domains: null,
+          default_role: defaultRole,
+          extra_config: extraConfig ? JSON.stringify(extraConfig) : null,
+          created_at: now,
+          updated_at: now
+        });
+        ctx.core.logger.info(`${provider} auth config seeded from environment variables`);
+      }
+    },
+    init: (ctx) => {
+      const service = createProviderConfigService(ctx, provider);
+      ctx.services.register(`${provider}.config`, service);
+      ctx.core.logger.info(`${provider} auth config module initialized`);
+    }
+  };
+}
+// src/shared/create-auth-module.ts
+function createAuthModule(options) {
+  const {
+    name,
+    label,
+    provider,
+    caslSubject,
+    providerInfo,
+    createAdapter,
+    friendlyErrors
+  } = options;
+  let _authService = null;
+  function getAuthService() {
+    if (!_authService) {
+      throw new Error(`${provider} AuthService not initialized`);
+    }
+    return _authService;
+  }
+  const actions = createAuthPluginActions(
+    { provider, moduleName: name, caslSubject, friendlyErrors },
+    getAuthService
+  );
+  return {
+    name,
+    type: "auth-plugin",
+    category: "security",
+    label,
+    icon: "mdi:shield-key",
+    actions,
+    init: (ctx) => {
+      const adapter = createAdapter(ctx);
+      const service = createAuthPluginService({ adapter, ctx });
+      _authService = service;
+      ctx.services.register(`${provider}.auth`, service);
+      const authProviderService = {
+        async getInfo() {
+          const configService = ctx.services.get(`${provider}.config`);
+          const enabled = await configService.isEnabled();
+          if (!enabled) return null;
+          return {
+            ...providerInfo,
+            authorizeEndpoint: `/api/v1/${name}/authorize`
+          };
+        }
+      };
+      ctx.services.register(`${provider}.provider`, authProviderService);
+      ctx.core.logger.info(`${provider} auth module initialized`);
+    }
+  };
+}
+export {
+  buildCallbackUrl,
+  createAuthPluginService,
+  createAuthPluginActions,
+  authProvidersConfigEntity,
+  createAuthConfigModule,
+  createAuthModule
+};
+//# sourceMappingURL=chunk-TPBCCFGG.js.map

package/dist/chunk-TPBCCFGG.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/shared/create-auth-service.ts","../src/shared/create-auth-controller.ts","../src/shared/create-config-entity.ts","../src/shared/create-config-module.ts","../src/shared/create-auth-module.ts"],"sourcesContent":["/**\n * Auth Plugin Service Factory\n *\n * Creates a complete auth service from a provider adapter.\n * Handles all shared logic: state management, identity resolution,\n * user creation, session tokens, and callback URL construction.\n *\n * This eliminates ~150 lines of duplicated code per auth plugin.\n */\nimport { randomUUID } from 'node:crypto'\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport type { Request } from 'express'\nimport { createStateManager, checkAllowedDomain, type StateManager } from '@gzl10/nexus-sdk'\nimport type { AuthPluginAdapter, AuthPluginBaseConfig } from './adapter.js'\nimport type {\n AuthPluginState,\n AuthPluginSessionResult,\n CoreAuthService\n} from './types.js'\n\n// ============================================================================\n// SERVICE INTERFACE\n// ============================================================================\n\n/**\n * Auth plugin service returned by `createAuthPluginService()`.\n * All auth plugins expose this same interface.\n */\nexport interface AuthPluginService {\n /** Generate authorization URL and redirect state */\n getAuthorizationUrl(redirectUri: string, linkUserId?: string, returnUrl?: string): Promise<{ url: string; state: string }>\n /** Handle OAuth/OIDC callback after provider redirect */\n handleCallback(code: string, state: string): Promise<AuthPluginSessionResult>\n /** Verify state is valid (non-destructive peek) */\n verifyState(state: string): Promise<AuthPluginState | null>\n /** Clear state after use */\n clearState(state: string): Promise<void>\n}\n\n// ============================================================================\n// CALLBACK URL BUILDER\n// ============================================================================\n\n/**\n * Build the backend's callback URL from the request.\n * Supports BACKEND_URL env var override (consistent across all plugins).\n */\nexport function buildCallbackUrl(moduleName: string, req?: Request): string {\n const backendUrl = process.env['BACKEND_URL']\n if (backendUrl) {\n return `${backendUrl.replace(/\\/$/, '')}/api/v1/${moduleName}/callback`\n }\n\n let proto = (req?.headers?.['x-forwarded-proto'] as string) || req?.protocol || 'http'\n const host = (req?.headers?.['x-forwarded-host'] as string) || (req?.headers?.['host'] as string) || 'localhost'\n\n // Infer HTTPS for non-localhost hosts behind reverse proxy\n if (proto === 'http' && host !== 'localhost' && !host.startsWith('localhost:') && !host.startsWith('127.0.0.1')) {\n proto = 'https'\n }\n\n return `${proto}://${host}/api/v1/${moduleName}/callback`\n}\n\n// ============================================================================\n// SERVICE FACTORY\n// ============================================================================\n\n/**\n * Create an auth plugin service from an adapter.\n *\n * @example\n * ```typescript\n * const service = createAuthPluginService({\n * adapter: createGoogleAdapter(ctx),\n * ctx\n * })\n * ```\n */\nexport function createAuthPluginService<TConfig extends AuthPluginBaseConfig>(options: {\n adapter: AuthPluginAdapter<TConfig>\n ctx: ModuleContext\n}): AuthPluginService {\n const { adapter, ctx } = options\n const { logger, errors } = ctx.core\n const PROVIDER = adapter.provider\n\n // State manager (10 minutes TTL)\n let stateManager: StateManager<AuthPluginState> | null = null\n function getStateManager(): StateManager<AuthPluginState> {\n if (!stateManager) {\n stateManager = createStateManager<AuthPluginState>()\n }\n return stateManager\n }\n\n /**\n * Generate authorization URL\n */\n async function getAuthorizationUrl(\n redirectUri: string,\n linkUserId?: string,\n returnUrl?: string\n ): Promise<{ url: string; state: string }> {\n const config = await adapter.getValidConfig()\n\n const state = randomUUID()\n const nonce = randomUUID()\n\n const stateData: AuthPluginState = {\n state,\n nonce,\n redirectUri,\n createdAt: Date.now(),\n linkUserId,\n returnUrl\n }\n getStateManager().store(state, stateData)\n\n const scopes = config.scopes?.split(' ').filter(Boolean) || []\n const url = await adapter.buildAuthorizationUrl(config, {\n redirectUri,\n state,\n nonce,\n scopes\n })\n\n logger.debug({ state, redirectUri, linkUserId }, `Generated ${PROVIDER} authorization URL`)\n return { url, state }\n }\n\n /**\n * Verify state is valid (non-destructive)\n */\n async function verifyState(state: string): Promise<AuthPluginState | null> {\n return getStateManager().verify(state)\n }\n\n /**\n * Clear state after use\n */\n async function clearState(state: string): Promise<void> {\n getStateManager().clear(state)\n }\n\n /**\n * Handle callback from provider.\n * This is the core shared logic (~70 lines) that was duplicated across all plugins.\n */\n async function handleCallback(code: string, state: string): Promise<AuthPluginSessionResult> {\n // 1. Verify state\n const stateData = await verifyState(state)\n if (!stateData) {\n throw new errors.ValidationError('Invalid or expired state')\n }\n\n // 2. Get validated config\n const config = await adapter.getValidConfig()\n\n // 3. Exchange code and get normalized user info (provider-specific)\n const userInfo = await adapter.exchangeCodeAndGetUserInfo(\n config,\n code,\n stateData.redirectUri,\n stateData.nonce || ''\n )\n\n logger.debug(\n { providerUserId: userInfo.providerUserId, email: userInfo.email },\n `Got user info from ${PROVIDER}`\n )\n\n // 4. Check allowed domains\n if (userInfo.email) {\n const domainResult = checkAllowedDomain(userInfo.email, config.allowed_domains || null)\n if (!domainResult.allowed) {\n throw new errors.ForbiddenError(`Email domain '${domainResult.domain}' is not allowed`)\n }\n }\n\n // 5. Identity resolution (shared across all plugins)\n const authService = ctx.services.get<CoreAuthService>('auth')\n const identity = await authService.findIdentity(PROVIDER, userInfo.providerUserId)\n let nexusUser\n\n if (stateData.linkUserId) {\n // Case A: Linking existing account\n if (identity) {\n throw new errors.ValidationError(`This ${PROVIDER} account is already linked to another user`)\n }\n\n nexusUser = await authService.findUserById(stateData.linkUserId)\n if (!nexusUser) {\n throw new errors.NotFoundError('User not found')\n }\n\n await authService.linkIdentity({\n userId: stateData.linkUserId,\n provider: PROVIDER,\n providerUserId: userInfo.providerUserId,\n providerEmail: userInfo.email || null\n })\n\n logger.info({ userId: stateData.linkUserId, providerUserId: userInfo.providerUserId }, `Linked ${PROVIDER} account`)\n } else if (identity) {\n // Case B: Existing identity - update last login\n await authService.updateIdentityLogin(PROVIDER, userInfo.providerUserId)\n\n nexusUser = await authService.findUserById(identity.user_id)\n if (!nexusUser) {\n throw new errors.NotFoundError('Linked user not found')\n }\n\n logger.debug({ userId: identity.user_id }, `Existing ${PROVIDER} user logged in`)\n } else {\n // Case C: New user - auto-creation controlled by nexus-backend (AUTH_DISABLE_AUTO_CREATE)\n\n // Check if user with this email already exists\n if (userInfo.email) {\n nexusUser = await authService.findUserByEmail(userInfo.email)\n }\n\n if (nexusUser) {\n // Link existing user by email match\n await authService.linkIdentity({\n userId: nexusUser.id,\n provider: PROVIDER,\n providerUserId: userInfo.providerUserId,\n providerEmail: userInfo.email || null\n })\n logger.info({ userId: nexusUser.id, providerUserId: userInfo.providerUserId }, `Linked ${PROVIDER} to existing user by email`)\n } else {\n // Create new user\n if (!userInfo.email) {\n throw new errors.ValidationError('Email is required for registration')\n }\n\n nexusUser = await authService.createUser({\n email: userInfo.email,\n name: userInfo.name || undefined,\n role: config.default_role || undefined\n })\n\n await authService.linkIdentity({\n userId: nexusUser.id,\n provider: PROVIDER,\n providerUserId: userInfo.providerUserId,\n providerEmail: userInfo.email\n })\n\n logger.info({ userId: nexusUser.id, email: userInfo.email }, `Created new user via ${PROVIDER}`)\n }\n }\n\n // 6. Clear state and create session\n await clearState(state)\n const sessionTokens = await authService.createTokens(nexusUser)\n\n return {\n ...sessionTokens,\n user: {\n id: nexusUser.id,\n email: nexusUser.email,\n name: nexusUser.name\n },\n returnUrl: stateData.returnUrl\n }\n }\n\n return {\n getAuthorizationUrl,\n handleCallback,\n verifyState,\n clearState\n }\n}\n","/**\n * Auth Plugin Controller Factory\n *\n * Generates the 4 standard action definitions that every auth plugin needs:\n * - authorize: Start OAuth/OIDC flow (GET, skipAuth)\n * - callback: Handle provider callback (GET, skipAuth)\n * - link: Link existing account (GET, requires auth)\n * - status: Check if provider is linked (GET, requires auth)\n */\nimport type { ActionDefinition, ModuleContext, AuthRequest, LocalizedString } from '@gzl10/nexus-sdk'\nimport type { Request, Response } from 'express'\nimport type { AuthPluginService } from './create-auth-service.js'\nimport { buildCallbackUrl } from './create-auth-service.js'\n\n// ============================================================================\n// OPTIONS\n// ============================================================================\n\nexport interface AuthControllerOptions {\n /** Provider identifier (e.g., 'google', 'github') */\n provider: string\n /** Module name for URL paths (e.g., 'google_auth') */\n moduleName: string\n /** CASL subject for permissions (e.g., 'GoogleAuth') */\n caslSubject: string\n /** Additional friendly error messages for the callback handler */\n friendlyErrors?: Record<string, string>\n}\n\n// ============================================================================\n// DEFAULT FRIENDLY ERRORS\n// ============================================================================\n\nconst DEFAULT_FRIENDLY_ERRORS: Record<string, string> = {\n 'Auto-creation of users is disabled': 'Your account does not exist. Contact an administrator to get access.',\n 'Auto-registration is disabled. Please contact administrator.': 'Auto-registration is disabled. Contact an administrator to get access.',\n}\n\n// ============================================================================\n// FACTORY\n// ============================================================================\n\n/**\n * Create the 4 standard auth plugin actions.\n *\n * @param options - Controller configuration\n * @param getAuthService - Getter for the auth plugin service (deferred to avoid init order issues)\n */\nexport function createAuthPluginActions(\n options: AuthControllerOptions,\n getAuthService: () => AuthPluginService\n): ActionDefinition[] {\n const { provider, moduleName, caslSubject, friendlyErrors } = options\n\n const allFriendlyErrors = { ...DEFAULT_FRIENDLY_ERRORS, ...friendlyErrors }\n\n // ---- authorize ----\n const authorizeAction: ActionDefinition = {\n\n label: { en: 'Authorize', es: 'Autorizar' } as LocalizedString,\n icon: 'mdi:login',\n key: 'authorize',\n scope: 'module',\n hidden: true,\n method: 'GET',\n skipAuth: true,\n input: {},\n\n handler: async (_ctx: ModuleContext, _input: unknown, req?: Request, res?: Response) => {\n const callbackUrl = buildCallbackUrl(moduleName, req)\n const returnUrl = (req?.query?.['redirect_uri'] as string)\n || (req?.headers?.['referer'] as string)\n || (req?.headers?.['origin'] as string)\n\n const authService = getAuthService()\n const { url } = await authService.getAuthorizationUrl(callbackUrl, undefined, returnUrl)\n\n res?.redirect(302, url)\n }\n }\n\n // ---- callback ----\n const callbackAction: ActionDefinition = {\n\n label: { en: 'Callback', es: 'Callback' } as LocalizedString,\n icon: 'mdi:arrow-left',\n key: 'callback',\n scope: 'module',\n hidden: true,\n method: 'GET',\n skipAuth: true,\n input: {},\n\n handler: async (ctx: ModuleContext, _input: unknown, req?: Request, res?: Response) => {\n const code = req?.query?.['code'] as string\n const state = req?.query?.['state'] as string\n const error = req?.query?.['error'] as string\n\n const authService = getAuthService()\n\n // Peek at state for error redirects (non-destructive)\n let returnUrl: string | undefined\n if (state) {\n const stateData = await authService.verifyState(state)\n returnUrl = stateData?.returnUrl\n }\n\n /** Redirect to frontend with error, or throw for API consumers */\n function redirectError(message: string): void {\n if (returnUrl && res) {\n const params = new URLSearchParams({ error: message })\n res.redirect(302, `${returnUrl}#${params.toString()}`)\n return\n }\n throw new ctx.core.errors.ForbiddenError(message)\n }\n\n if (error) {\n const errorDescription = req?.query?.['error_description'] as string\n redirectError(errorDescription || error)\n return\n }\n\n if (!code || !state) {\n throw new ctx.core.errors.ValidationError('code and state are required')\n }\n\n try {\n const result = await authService.handleCallback(code, state)\n\n // Server-side flow: redirect with tokens in URL fragment\n if (result.returnUrl && res) {\n const params = new URLSearchParams({\n accessToken: result.accessToken,\n refreshToken: result.refreshToken\n })\n res.redirect(302, `${result.returnUrl}#${params.toString()}`)\n return\n }\n\n // API flow: return JSON\n return result\n } catch (err) {\n const raw = err instanceof Error ? err.message : 'Authentication failed'\n redirectError(allFriendlyErrors[raw] || raw)\n }\n }\n }\n\n // ---- link ----\n const linkAction: ActionDefinition = {\n\n label: { en: 'Link Account', es: 'Vincular Cuenta' } as LocalizedString,\n icon: 'mdi:link-plus',\n key: 'link',\n scope: 'module',\n method: 'GET',\n input: {},\n\n handler: async (_ctx: ModuleContext, _input: unknown, req?: Request, res?: Response) => {\n const authReq = req as AuthRequest\n\n if (!authReq?.user?.id) {\n throw new _ctx.core.errors.UnauthorizedError('Authentication required')\n }\n\n const callbackUrl = buildCallbackUrl(moduleName, req)\n const returnUrl = (req?.query?.['redirect_uri'] as string)\n || (req?.headers?.['referer'] as string)\n\n const authService = getAuthService()\n const { url } = await authService.getAuthorizationUrl(callbackUrl, authReq.user.id, returnUrl)\n\n res?.redirect(302, url)\n },\n\n casl: {\n subject: caslSubject,\n permissions: {\n '*': { actions: ['update'] }\n }\n }\n }\n\n // ---- status ----\n const statusAction: ActionDefinition = {\n\n label: { en: 'Status', es: 'Estado' } as LocalizedString,\n icon: 'mdi:information',\n key: 'status',\n scope: 'module',\n hidden: true,\n method: 'GET',\n input: {},\n\n handler: async (ctx: ModuleContext, _input: unknown, req?: Request) => {\n const authReq = req as AuthRequest\n\n if (!authReq?.user?.id) {\n throw new ctx.core.errors.UnauthorizedError('Authentication required')\n }\n\n const coreAuth = ctx.services.get<{\n findIdentitiesByUser(userId: string, provider?: string): Promise<Array<{ linked_at: string }>>\n }>('auth')\n\n const identities = await coreAuth.findIdentitiesByUser(authReq.user.id, provider)\n\n return {\n linked: identities.length > 0,\n linkedAt: identities[0]?.linked_at ?? null\n }\n },\n\n casl: {\n subject: caslSubject,\n permissions: {\n '*': { actions: ['read'] }\n }\n }\n }\n\n return [authorizeAction, callbackAction, linkAction, statusAction]\n}\n","/**\n * Unified Auth Providers Config Entity\n *\n * Single table `auth_providers_config` with one row per provider.\n * Replaces separate tables (google_auth_config, pocketid_config, github_auth_config).\n *\n * Provider-specific fields (hosted_domain, issuer_url) go in `extra_config` JSON.\n */\nimport type { SingleEntityDefinition } from '@gzl10/nexus-sdk'\nimport {\n useIdField,\n useTextField,\n useTextUniqueField,\n useSwitchField,\n usePasswordField\n} from '@gzl10/nexus-sdk/fields'\n\n/**\n * Unified config entity for all auth providers.\n *\n * Each provider gets one row, identified by the `provider` column.\n * The `scopeField: 'provider'` makes each provider a separate \"scope\",\n * so the config UI shows each provider's settings independently.\n *\n * Usage: Include this entity in the core auth module's definitions.\n *\n * @example Backend auth module\n * ```typescript\n * import { authProvidersConfigEntity } from '@gzl10/nexus-sdk'\n *\n * export const authModule: ModuleManifest = {\n * definitions: [..., authProvidersConfigEntity],\n * }\n * ```\n */\nexport const authProvidersConfigEntity: SingleEntityDefinition = {\n type: 'config',\n key: 'auth_providers_config',\n label: { en: 'Auth Providers', es: 'Proveedores de Auth' },\n routePrefix: '/auth-providers-config',\n scopeField: 'provider',\n timestamps: true,\n audit: true,\n\n get defaults() {\n return {\n enabled: false,\n client_id: '',\n client_secret: '',\n scopes: '',\n allowed_domains: null,\n default_role: 'USER',\n extra_config: null\n }\n },\n\n fields: {\n id: useIdField(),\n provider: {\n ...useTextUniqueField({\n label: { en: 'Provider', es: 'Proveedor' },\n size: 50\n }),\n disabled: true,\n hint: { en: 'Provider identifier (e.g., google, github, pocketid)', es: 'Identificador del proveedor' }\n },\n enabled: useSwitchField({\n label: { en: 'Enabled', es: 'Habilitado' }\n }),\n client_id: useTextField({\n label: { en: 'Client ID', es: 'ID de Cliente' }\n }),\n client_secret: usePasswordField({\n label: { en: 'Client Secret', es: 'Secret de Cliente' }\n }),\n scopes: useTextField({\n label: { en: 'Scopes', es: 'Scopes' },\n hint: { en: 'Space-separated scopes', es: 'Scopes separados por espacios' },\n nullable: false\n }),\n allowed_domains: useTextField({\n label: { en: 'Allowed Domains', es: 'Dominios Permitidos' },\n hint: { en: 'JSON array of allowed email domains (empty = all)', es: 'Array JSON de dominios permitidos (vacío = todos)' }\n }),\n default_role: useTextField({\n label: { en: 'Default Role', es: 'Rol por Defecto' },\n hint: { en: 'Role assigned to new users', es: 'Rol asignado a nuevos usuarios' },\n size: 50\n }),\n extra_config: {\n label: { en: 'Extra Config', es: 'Config Extra' },\n input: 'json' as const,\n db: { type: 'json' as const, nullable: true },\n hint: { en: 'Provider-specific settings (issuer_url, hosted_domain, etc.)', es: 'Configuracion especifica del proveedor' }\n }\n },\n\n casl: {\n subject: 'AuthProvidersConfig',\n permissions: {\n ADMIN: { actions: ['read', 'update'] }\n }\n }\n}\n","/**\n * Auth Config Module Factory\n *\n * Creates a module that seeds the provider's row in the unified\n * `auth_providers_config` table and registers a config service.\n *\n * The entity itself is registered by the core auth module.\n * This module only handles seeding + config service registration.\n */\nimport type { ModuleManifest, ModuleContext, LocalizedString } from '@gzl10/nexus-sdk'\nimport type { AuthPluginBaseConfig } from './adapter.js'\nimport type { AuthPluginConfigService } from './types.js'\n\n// ============================================================================\n// OPTIONS\n// ============================================================================\n\nexport interface AuthConfigModuleOptions {\n /** Module name (e.g., 'google_auth_config') */\n name: string\n /** Module label */\n label: LocalizedString\n /** Provider identifier (e.g., 'google', 'github', 'pocketid') */\n provider: string\n /** Environment variable prefix (e.g., 'GOOGLE' reads GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET) */\n envPrefix: string\n /** Default scopes for this provider */\n defaultScopes: string\n /** Default role for new users (default: 'USER') */\n defaultRole?: string\n /** Extra config values for the seed (e.g., { issuer_url: '...' }) */\n extraConfig?: Record<string, unknown>\n}\n\n// ============================================================================\n// CONFIG SERVICE FACTORY\n// ============================================================================\n\nconst CONFIG_TABLE = 'auth_providers_config'\n\n/**\n * Create a config service scoped to a specific provider.\n */\nfunction createProviderConfigService<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig>(\n ctx: ModuleContext,\n provider: string\n): AuthPluginConfigService<TConfig> {\n const { knex } = ctx.db\n\n async function getConfig(): Promise<TConfig | null> {\n const result = await knex(CONFIG_TABLE)\n .where('provider', provider)\n .select('*')\n .first()\n return result || null\n }\n\n async function isEnabled(): Promise<boolean> {\n const config = await getConfig()\n return config?.enabled ?? false\n }\n\n return { getConfig, isEnabled }\n}\n\n// ============================================================================\n// MODULE FACTORY\n// ============================================================================\n\n/**\n * Create the config module for an auth plugin.\n *\n * This module:\n * 1. Seeds the provider's row from environment variables\n * 2. Registers a config service scoped to this provider\n *\n * Note: The `auth_providers_config` entity is registered by the core auth module.\n *\n * @example\n * ```typescript\n * const configModule = createAuthConfigModule({\n * name: 'google_auth_config',\n * label: { en: 'Google Auth Config' },\n * provider: 'google',\n * envPrefix: 'GOOGLE',\n * defaultScopes: 'openid profile email',\n * extraConfig: { hosted_domain: null }\n * })\n * ```\n */\nexport function createAuthConfigModule(options: AuthConfigModuleOptions): ModuleManifest {\n const {\n name,\n label,\n provider,\n envPrefix,\n defaultScopes,\n defaultRole = 'USER',\n extraConfig\n } = options\n\n return {\n name,\n type: 'plugin',\n category: 'integrations',\n label,\n icon: 'mdi:cog',\n\n // Entity registered by core auth module — plugins only seed + register service\n\n seed: async (ctx) => {\n const { knex } = ctx.db\n\n const clientId = process.env[`${envPrefix}_CLIENT_ID`]\n const clientSecret = process.env[`${envPrefix}_CLIENT_SECRET`]\n\n if (!clientId || !clientSecret) return\n\n const now = ctx.db.nowTimestamp(knex)\n const existing = await knex(CONFIG_TABLE)\n .where('provider', provider)\n .first()\n\n if (existing) {\n // Upsert: update credentials from env vars (consistent across all plugins)\n await knex(CONFIG_TABLE)\n .where('id', existing.id)\n .update({\n client_id: clientId,\n client_secret: clientSecret,\n updated_at: now\n })\n ctx.core.logger.info(`${provider} auth config updated from environment variables`)\n } else {\n await knex(CONFIG_TABLE).insert({\n id: ctx.core.generateId(),\n provider,\n enabled: true,\n client_id: clientId,\n client_secret: clientSecret,\n scopes: defaultScopes,\n allowed_domains: null,\n default_role: defaultRole,\n extra_config: extraConfig ? JSON.stringify(extraConfig) : null,\n created_at: now,\n updated_at: now\n })\n ctx.core.logger.info(`${provider} auth config seeded from environment variables`)\n }\n },\n\n init: (ctx) => {\n const service = createProviderConfigService(ctx, provider)\n ctx.services.register(`${provider}.config`, service)\n ctx.core.logger.info(`${provider} auth config module initialized`)\n }\n }\n}\n","/**\n * Auth Module Factory\n *\n * Creates the complete auth module for a plugin, including:\n * - Auth plugin service (state management, identity resolution, session creation)\n * - Auth controller (4 actions: authorize, callback, link, status)\n * - AuthProviderService registration (for dynamic login buttons in UI)\n */\nimport type { ModuleManifest, ModuleContext, AuthProviderInfo, AuthProviderService, LocalizedString } from '@gzl10/nexus-sdk'\nimport type { AuthPluginAdapter, AuthPluginBaseConfig } from './adapter.js'\nimport type { AuthPluginConfigService } from './types.js'\nimport { createAuthPluginService, type AuthPluginService } from './create-auth-service.js'\nimport { createAuthPluginActions } from './create-auth-controller.js'\n\n// ============================================================================\n// OPTIONS\n// ============================================================================\n\nexport interface AuthModuleOptions<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig> {\n /** Module name (e.g., 'google_auth') */\n name: string\n /** Module label */\n label: LocalizedString\n /** Config module dependency name (e.g., 'google_auth_config') */\n configDependency: string\n /** Provider identifier (e.g., 'google') */\n provider: string\n /** CASL subject for permissions (e.g., 'GoogleAuth') */\n caslSubject: string\n /** Provider info for the dynamic login button (icon, color, label) */\n providerInfo: Omit<AuthProviderInfo, 'authorizeEndpoint'>\n /** Factory function to create the provider-specific adapter */\n createAdapter: (ctx: ModuleContext) => AuthPluginAdapter<TConfig>\n /** Additional friendly error messages for the callback */\n friendlyErrors?: Record<string, string>\n}\n\n// ============================================================================\n// MODULE FACTORY\n// ============================================================================\n\n/**\n * Create the auth module for a plugin.\n *\n * @example Google Auth\n * ```typescript\n * const authModule = createAuthModule({\n * name: 'google_auth',\n * label: { en: 'Google Auth' },\n * configDependency: 'google_auth_config',\n * provider: 'google',\n * caslSubject: 'GoogleAuth',\n * providerInfo: {\n * code: 'GOOGLE_AUTH',\n * provider: 'google',\n * icon: 'mdi:google',\n * label: { en: 'Sign in with Google' },\n * color: '#4285F4'\n * },\n * createAdapter: createGoogleAdapter\n * })\n * ```\n */\nexport function createAuthModule<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig>(\n options: AuthModuleOptions<TConfig>\n): ModuleManifest {\n const {\n name,\n label,\n provider,\n caslSubject,\n providerInfo,\n createAdapter,\n friendlyErrors\n } = options\n\n // Deferred service reference (set during init)\n let _authService: AuthPluginService | null = null\n function getAuthService(): AuthPluginService {\n if (!_authService) {\n throw new Error(`${provider} AuthService not initialized`)\n }\n return _authService\n }\n\n // Create actions with deferred service getter\n const actions = createAuthPluginActions(\n { provider, moduleName: name, caslSubject, friendlyErrors },\n getAuthService\n )\n\n return {\n name,\n type: 'auth-plugin',\n category: 'security',\n label,\n icon: 'mdi:shield-key',\n\n actions,\n\n init: (ctx) => {\n // Create adapter and auth service\n const adapter = createAdapter(ctx)\n const service = createAuthPluginService({ adapter, ctx })\n _authService = service\n\n // Register auth service for other modules to use\n ctx.services.register(`${provider}.auth`, service)\n\n // Register auth provider for dynamic login buttons\n const authProviderService: AuthProviderService = {\n async getInfo(): Promise<AuthProviderInfo | null> {\n const configService = ctx.services.get<AuthPluginConfigService>(`${provider}.config`)\n const enabled = await configService.isEnabled()\n if (!enabled) return null\n\n return {\n ...providerInfo,\n authorizeEndpoint: `/api/v1/${name}/authorize`\n }\n }\n }\n ctx.services.register(`${provider}.provider`, authProviderService)\n\n ctx.core.logger.info(`${provider} auth module initialized`)\n }\n }\n}\n"],"mappings":";AASA,SAAS,kBAAkB;AAG3B,SAAS,oBAAoB,0BAA6C;AAmCnE,SAAS,iBAAiB,YAAoB,KAAuB;AAC1E,QAAM,aAAa,QAAQ,IAAI,aAAa;AAC5C,MAAI,YAAY;AACd,WAAO,GAAG,WAAW,QAAQ,OAAO,EAAE,CAAC,WAAW,UAAU;AAAA,EAC9D;AAEA,MAAI,QAAS,KAAK,UAAU,mBAAmB,KAAgB,KAAK,YAAY;AAChF,QAAM,OAAQ,KAAK,UAAU,kBAAkB,KAAiB,KAAK,UAAU,MAAM,KAAgB;AAGrG,MAAI,UAAU,UAAU,SAAS,eAAe,CAAC,KAAK,WAAW,YAAY,KAAK,CAAC,KAAK,WAAW,WAAW,GAAG;AAC/G,YAAQ;AAAA,EACV;AAEA,SAAO,GAAG,KAAK,MAAM,IAAI,WAAW,UAAU;AAChD;AAiBO,SAAS,wBAA8D,SAGxD;AACpB,QAAM,EAAE,SAAS,IAAI,IAAI;AACzB,QAAM,EAAE,QAAQ,OAAO,IAAI,IAAI;AAC/B,QAAM,WAAW,QAAQ;AAGzB,MAAI,eAAqD;AACzD,WAAS,kBAAiD;AACxD,QAAI,CAAC,cAAc;AACjB,qBAAe,mBAAoC;AAAA,IACrD;AACA,WAAO;AAAA,EACT;AAKA,iBAAe,oBACb,aACA,YACA,WACyC;AACzC,UAAM,SAAS,MAAM,QAAQ,eAAe;AAE5C,UAAM,QAAQ,WAAW;AACzB,UAAM,QAAQ,WAAW;AAEzB,UAAM,YAA6B;AAAA,MACjC;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,MACpB;AAAA,MACA;AAAA,IACF;AACA,oBAAgB,EAAE,MAAM,OAAO,SAAS;AAExC,UAAM,SAAS,OAAO,QAAQ,MAAM,GAAG,EAAE,OAAO,OAAO,KAAK,CAAC;AAC7D,UAAM,MAAM,MAAM,QAAQ,sBAAsB,QAAQ;AAAA,MACtD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO,MAAM,EAAE,OAAO,aAAa,WAAW,GAAG,aAAa,QAAQ,oBAAoB;AAC1F,WAAO,EAAE,KAAK,MAAM;AAAA,EACtB;AAKA,iBAAe,YAAY,OAAgD;AACzE,WAAO,gBAAgB,EAAE,OAAO,KAAK;AAAA,EACvC;AAKA,iBAAe,WAAW,OAA8B;AACtD,oBAAgB,EAAE,MAAM,KAAK;AAAA,EAC/B;AAMA,iBAAe,eAAe,MAAc,OAAiD;AAE3F,UAAM,YAAY,MAAM,YAAY,KAAK;AACzC,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,OAAO,gBAAgB,0BAA0B;AAAA,IAC7D;AAGA,UAAM,SAAS,MAAM,QAAQ,eAAe;AAG5C,UAAM,WAAW,MAAM,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,UAAU;AAAA,MACV,UAAU,SAAS;AAAA,IACrB;AAEA,WAAO;AAAA,MACL,EAAE,gBAAgB,SAAS,gBAAgB,OAAO,SAAS,MAAM;AAAA,MACjE,sBAAsB,QAAQ;AAAA,IAChC;AAGA,QAAI,SAAS,OAAO;AAClB,YAAM,eAAe,mBAAmB,SAAS,OAAO,OAAO,mBAAmB,IAAI;AACtF,UAAI,CAAC,aAAa,SAAS;AACzB,cAAM,IAAI,OAAO,eAAe,iBAAiB,aAAa,MAAM,kBAAkB;AAAA,MACxF;AAAA,IACF;AAGA,UAAM,cAAc,IAAI,SAAS,IAAqB,MAAM;AAC5D,UAAM,WAAW,MAAM,YAAY,aAAa,UAAU,SAAS,cAAc;AACjF,QAAI;AAEJ,QAAI,UAAU,YAAY;AAExB,UAAI,UAAU;AACZ,cAAM,IAAI,OAAO,gBAAgB,QAAQ,QAAQ,4CAA4C;AAAA,MAC/F;AAEA,kBAAY,MAAM,YAAY,aAAa,UAAU,UAAU;AAC/D,UAAI,CAAC,WAAW;AACd,cAAM,IAAI,OAAO,cAAc,gBAAgB;AAAA,MACjD;AAEA,YAAM,YAAY,aAAa;AAAA,QAC7B,QAAQ,UAAU;AAAA,QAClB,UAAU;AAAA,QACV,gBAAgB,SAAS;AAAA,QACzB,eAAe,SAAS,SAAS;AAAA,MACnC,CAAC;AAED,aAAO,KAAK,EAAE,QAAQ,UAAU,YAAY,gBAAgB,SAAS,eAAe,GAAG,UAAU,QAAQ,UAAU;AAAA,IACrH,WAAW,UAAU;AAEnB,YAAM,YAAY,oBAAoB,UAAU,SAAS,cAAc;AAEvE,kBAAY,MAAM,YAAY,aAAa,SAAS,OAAO;AAC3D,UAAI,CAAC,WAAW;AACd,cAAM,IAAI,OAAO,cAAc,uBAAuB;AAAA,MACxD;AAEA,aAAO,MAAM,EAAE,QAAQ,SAAS,QAAQ,GAAG,YAAY,QAAQ,iBAAiB;AAAA,IAClF,OAAO;AAIL,UAAI,SAAS,OAAO;AAClB,oBAAY,MAAM,YAAY,gBAAgB,SAAS,KAAK;AAAA,MAC9D;AAEA,UAAI,WAAW;AAEb,cAAM,YAAY,aAAa;AAAA,UAC7B,QAAQ,UAAU;AAAA,UAClB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,eAAe,SAAS,SAAS;AAAA,QACnC,CAAC;AACD,eAAO,KAAK,EAAE,QAAQ,UAAU,IAAI,gBAAgB,SAAS,eAAe,GAAG,UAAU,QAAQ,4BAA4B;AAAA,MAC/H,OAAO;AAEL,YAAI,CAAC,SAAS,OAAO;AACnB,gBAAM,IAAI,OAAO,gBAAgB,oCAAoC;AAAA,QACvE;AAEA,oBAAY,MAAM,YAAY,WAAW;AAAA,UACvC,OAAO,SAAS;AAAA,UAChB,MAAM,SAAS,QAAQ;AAAA,UACvB,MAAM,OAAO,gBAAgB;AAAA,QAC/B,CAAC;AAED,cAAM,YAAY,aAAa;AAAA,UAC7B,QAAQ,UAAU;AAAA,UAClB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,eAAe,SAAS;AAAA,QAC1B,CAAC;AAED,eAAO,KAAK,EAAE,QAAQ,UAAU,IAAI,OAAO,SAAS,MAAM,GAAG,wBAAwB,QAAQ,EAAE;AAAA,MACjG;AAAA,IACF;AAGA,UAAM,WAAW,KAAK;AACtB,UAAM,gBAAgB,MAAM,YAAY,aAAa,SAAS;AAE9D,WAAO;AAAA,MACL,GAAG;AAAA,MACH,MAAM;AAAA,QACJ,IAAI,UAAU;AAAA,QACd,OAAO,UAAU;AAAA,QACjB,MAAM,UAAU;AAAA,MAClB;AAAA,MACA,WAAW,UAAU;AAAA,IACvB;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AClPA,IAAM,0BAAkD;AAAA,EACtD,sCAAsC;AAAA,EACtC,gEAAgE;AAClE;AAYO,SAAS,wBACd,SACA,gBACoB;AACpB,QAAM,EAAE,UAAU,YAAY,aAAa,eAAe,IAAI;AAE9D,QAAM,oBAAoB,EAAE,GAAG,yBAAyB,GAAG,eAAe;AAG1E,QAAM,kBAAoC;AAAA,IAExC,OAAO,EAAE,IAAI,aAAa,IAAI,YAAY;AAAA,IAC1C,MAAM;AAAA,IACN,KAAK;AAAA,IACL,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,OAAO,CAAC;AAAA,IAER,SAAS,OAAO,MAAqB,QAAiB,KAAe,QAAmB;AACtF,YAAM,cAAc,iBAAiB,YAAY,GAAG;AACpD,YAAM,YAAa,KAAK,QAAQ,cAAc,KACxC,KAAK,UAAU,SAAS,KACxB,KAAK,UAAU,QAAQ;AAE7B,YAAM,cAAc,eAAe;AACnC,YAAM,EAAE,IAAI,IAAI,MAAM,YAAY,oBAAoB,aAAa,QAAW,SAAS;AAEvF,WAAK,SAAS,KAAK,GAAG;AAAA,IACxB;AAAA,EACF;AAGA,QAAM,iBAAmC;AAAA,IAEvC,OAAO,EAAE,IAAI,YAAY,IAAI,WAAW;AAAA,IACxC,MAAM;AAAA,IACN,KAAK;AAAA,IACL,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,OAAO,CAAC;AAAA,IAER,SAAS,OAAO,KAAoB,QAAiB,KAAe,QAAmB;AACrF,YAAM,OAAO,KAAK,QAAQ,MAAM;AAChC,YAAM,QAAQ,KAAK,QAAQ,OAAO;AAClC,YAAM,QAAQ,KAAK,QAAQ,OAAO;AAElC,YAAM,cAAc,eAAe;AAGnC,UAAI;AACJ,UAAI,OAAO;AACT,cAAM,YAAY,MAAM,YAAY,YAAY,KAAK;AACrD,oBAAY,WAAW;AAAA,MACzB;AAGA,eAAS,cAAc,SAAuB;AAC5C,YAAI,aAAa,KAAK;AACpB,gBAAM,SAAS,IAAI,gBAAgB,EAAE,OAAO,QAAQ,CAAC;AACrD,cAAI,SAAS,KAAK,GAAG,SAAS,IAAI,OAAO,SAAS,CAAC,EAAE;AACrD;AAAA,QACF;AACA,cAAM,IAAI,IAAI,KAAK,OAAO,eAAe,OAAO;AAAA,MAClD;AAEA,UAAI,OAAO;AACT,cAAM,mBAAmB,KAAK,QAAQ,mBAAmB;AACzD,sBAAc,oBAAoB,KAAK;AACvC;AAAA,MACF;AAEA,UAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,cAAM,IAAI,IAAI,KAAK,OAAO,gBAAgB,6BAA6B;AAAA,MACzE;AAEA,UAAI;AACF,cAAM,SAAS,MAAM,YAAY,eAAe,MAAM,KAAK;AAG3D,YAAI,OAAO,aAAa,KAAK;AAC3B,gBAAM,SAAS,IAAI,gBAAgB;AAAA,YACjC,aAAa,OAAO;AAAA,YACpB,cAAc,OAAO;AAAA,UACvB,CAAC;AACD,cAAI,SAAS,KAAK,GAAG,OAAO,SAAS,IAAI,OAAO,SAAS,CAAC,EAAE;AAC5D;AAAA,QACF;AAGA,eAAO;AAAA,MACT,SAAS,KAAK;AACZ,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU;AACjD,sBAAc,kBAAkB,GAAG,KAAK,GAAG;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AAGA,QAAM,aAA+B;AAAA,IAEnC,OAAO,EAAE,IAAI,gBAAgB,IAAI,kBAAkB;AAAA,IACnD,MAAM;AAAA,IACN,KAAK;AAAA,IACL,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,OAAO,CAAC;AAAA,IAER,SAAS,OAAO,MAAqB,QAAiB,KAAe,QAAmB;AACtF,YAAM,UAAU;AAEhB,UAAI,CAAC,SAAS,MAAM,IAAI;AACtB,cAAM,IAAI,KAAK,KAAK,OAAO,kBAAkB,yBAAyB;AAAA,MACxE;AAEA,YAAM,cAAc,iBAAiB,YAAY,GAAG;AACpD,YAAM,YAAa,KAAK,QAAQ,cAAc,KACxC,KAAK,UAAU,SAAS;AAE9B,YAAM,cAAc,eAAe;AACnC,YAAM,EAAE,IAAI,IAAI,MAAM,YAAY,oBAAoB,aAAa,QAAQ,KAAK,IAAI,SAAS;AAE7F,WAAK,SAAS,KAAK,GAAG;AAAA,IACxB;AAAA,IAEA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,QACX,KAAK,EAAE,SAAS,CAAC,QAAQ,EAAE;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAGA,QAAM,eAAiC;AAAA,IAErC,OAAO,EAAE,IAAI,UAAU,IAAI,SAAS;AAAA,IACpC,MAAM;AAAA,IACN,KAAK;AAAA,IACL,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,OAAO,CAAC;AAAA,IAER,SAAS,OAAO,KAAoB,QAAiB,QAAkB;AACrE,YAAM,UAAU;AAEhB,UAAI,CAAC,SAAS,MAAM,IAAI;AACtB,cAAM,IAAI,IAAI,KAAK,OAAO,kBAAkB,yBAAyB;AAAA,MACvE;AAEA,YAAM,WAAW,IAAI,SAAS,IAE3B,MAAM;AAET,YAAM,aAAa,MAAM,SAAS,qBAAqB,QAAQ,KAAK,IAAI,QAAQ;AAEhF,aAAO;AAAA,QACL,QAAQ,WAAW,SAAS;AAAA,QAC5B,UAAU,WAAW,CAAC,GAAG,aAAa;AAAA,MACxC;AAAA,IACF;AAAA,IAEA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,QACX,KAAK,EAAE,SAAS,CAAC,MAAM,EAAE;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AAEA,SAAO,CAAC,iBAAiB,gBAAgB,YAAY,YAAY;AACnE;;;ACtNA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAoBA,IAAM,4BAAoD;AAAA,EAC/D,MAAM;AAAA,EACN,KAAK;AAAA,EACL,OAAO,EAAE,IAAI,kBAAkB,IAAI,sBAAsB;AAAA,EACzD,aAAa;AAAA,EACb,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,OAAO;AAAA,EAEP,IAAI,WAAW;AACb,WAAO;AAAA,MACL,SAAS;AAAA,MACT,WAAW;AAAA,MACX,eAAe;AAAA,MACf,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,cAAc;AAAA,MACd,cAAc;AAAA,IAChB;AAAA,EACF;AAAA,EAEA,QAAQ;AAAA,IACN,IAAI,WAAW;AAAA,IACf,UAAU;AAAA,MACR,GAAG,mBAAmB;AAAA,QACpB,OAAO,EAAE,IAAI,YAAY,IAAI,YAAY;AAAA,QACzC,MAAM;AAAA,MACR,CAAC;AAAA,MACD,UAAU;AAAA,MACV,MAAM,EAAE,IAAI,wDAAwD,IAAI,8BAA8B;AAAA,IACxG;AAAA,IACA,SAAS,eAAe;AAAA,MACtB,OAAO,EAAE,IAAI,WAAW,IAAI,aAAa;AAAA,IAC3C,CAAC;AAAA,IACD,WAAW,aAAa;AAAA,MACtB,OAAO,EAAE,IAAI,aAAa,IAAI,gBAAgB;AAAA,IAChD,CAAC;AAAA,IACD,eAAe,iBAAiB;AAAA,MAC9B,OAAO,EAAE,IAAI,iBAAiB,IAAI,oBAAoB;AAAA,IACxD,CAAC;AAAA,IACD,QAAQ,aAAa;AAAA,MACnB,OAAO,EAAE,IAAI,UAAU,IAAI,SAAS;AAAA,MACpC,MAAM,EAAE,IAAI,0BAA0B,IAAI,gCAAgC;AAAA,MAC1E,UAAU;AAAA,IACZ,CAAC;AAAA,IACD,iBAAiB,aAAa;AAAA,MAC5B,OAAO,EAAE,IAAI,mBAAmB,IAAI,sBAAsB;AAAA,MAC1D,MAAM,EAAE,IAAI,qDAAqD,IAAI,uDAAoD;AAAA,IAC3H,CAAC;AAAA,IACD,cAAc,aAAa;AAAA,MACzB,OAAO,EAAE,IAAI,gBAAgB,IAAI,kBAAkB;AAAA,MACnD,MAAM,EAAE,IAAI,8BAA8B,IAAI,iCAAiC;AAAA,MAC/E,MAAM;AAAA,IACR,CAAC;AAAA,IACD,cAAc;AAAA,MACZ,OAAO,EAAE,IAAI,gBAAgB,IAAI,eAAe;AAAA,MAChD,OAAO;AAAA,MACP,IAAI,EAAE,MAAM,QAAiB,UAAU,KAAK;AAAA,MAC5C,MAAM,EAAE,IAAI,gEAAgE,IAAI,yCAAyC;AAAA,IAC3H;AAAA,EACF;AAAA,EAEA,MAAM;AAAA,IACJ,SAAS;AAAA,IACT,aAAa;AAAA,MACX,OAAO,EAAE,SAAS,CAAC,QAAQ,QAAQ,EAAE;AAAA,IACvC;AAAA,EACF;AACF;;;ACjEA,IAAM,eAAe;AAKrB,SAAS,4BACP,KACA,UACkC;AAClC,QAAM,EAAE,KAAK,IAAI,IAAI;AAErB,iBAAe,YAAqC;AAClD,UAAM,SAAS,MAAM,KAAK,YAAY,EACnC,MAAM,YAAY,QAAQ,EAC1B,OAAO,GAAG,EACV,MAAM;AACT,WAAO,UAAU;AAAA,EACnB;AAEA,iBAAe,YAA8B;AAC3C,UAAM,SAAS,MAAM,UAAU;AAC/B,WAAO,QAAQ,WAAW;AAAA,EAC5B;AAEA,SAAO,EAAE,WAAW,UAAU;AAChC;AA2BO,SAAS,uBAAuB,SAAkD;AACvF,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,cAAc;AAAA,IACd;AAAA,EACF,IAAI;AAEJ,SAAO;AAAA,IACL;AAAA,IACA,MAAM;AAAA,IACN,UAAU;AAAA,IACV;AAAA,IACA,MAAM;AAAA;AAAA,IAIN,MAAM,OAAO,QAAQ;AACnB,YAAM,EAAE,KAAK,IAAI,IAAI;AAErB,YAAM,WAAW,QAAQ,IAAI,GAAG,SAAS,YAAY;AACrD,YAAM,eAAe,QAAQ,IAAI,GAAG,SAAS,gBAAgB;AAE7D,UAAI,CAAC,YAAY,CAAC,aAAc;AAEhC,YAAM,MAAM,IAAI,GAAG,aAAa,IAAI;AACpC,YAAM,WAAW,MAAM,KAAK,YAAY,EACrC,MAAM,YAAY,QAAQ,EAC1B,MAAM;AAET,UAAI,UAAU;AAEZ,cAAM,KAAK,YAAY,EACpB,MAAM,MAAM,SAAS,EAAE,EACvB,OAAO;AAAA,UACN,WAAW;AAAA,UACX,eAAe;AAAA,UACf,YAAY;AAAA,QACd,CAAC;AACH,YAAI,KAAK,OAAO,KAAK,GAAG,QAAQ,iDAAiD;AAAA,MACnF,OAAO;AACL,cAAM,KAAK,YAAY,EAAE,OAAO;AAAA,UAC9B,IAAI,IAAI,KAAK,WAAW;AAAA,UACxB;AAAA,UACA,SAAS;AAAA,UACT,WAAW;AAAA,UACX,eAAe;AAAA,UACf,QAAQ;AAAA,UACR,iBAAiB;AAAA,UACjB,cAAc;AAAA,UACd,cAAc,cAAc,KAAK,UAAU,WAAW,IAAI;AAAA,UAC1D,YAAY;AAAA,UACZ,YAAY;AAAA,QACd,CAAC;AACD,YAAI,KAAK,OAAO,KAAK,GAAG,QAAQ,gDAAgD;AAAA,MAClF;AAAA,IACF;AAAA,IAEA,MAAM,CAAC,QAAQ;AACb,YAAM,UAAU,4BAA4B,KAAK,QAAQ;AACzD,UAAI,SAAS,SAAS,GAAG,QAAQ,WAAW,OAAO;AACnD,UAAI,KAAK,OAAO,KAAK,GAAG,QAAQ,iCAAiC;AAAA,IACnE;AAAA,EACF;AACF;;;AC9FO,SAAS,iBACd,SACgB;AAChB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AAGJ,MAAI,eAAyC;AAC7C,WAAS,iBAAoC;AAC3C,QAAI,CAAC,cAAc;AACjB,YAAM,IAAI,MAAM,GAAG,QAAQ,8BAA8B;AAAA,IAC3D;AACA,WAAO;AAAA,EACT;AAGA,QAAM,UAAU;AAAA,IACd,EAAE,UAAU,YAAY,MAAM,aAAa,eAAe;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,MAAM;AAAA,IACN,UAAU;AAAA,IACV;AAAA,IACA,MAAM;AAAA,IAEN;AAAA,IAEA,MAAM,CAAC,QAAQ;AAEb,YAAM,UAAU,cAAc,GAAG;AACjC,YAAM,UAAU,wBAAwB,EAAE,SAAS,IAAI,CAAC;AACxD,qBAAe;AAGf,UAAI,SAAS,SAAS,GAAG,QAAQ,SAAS,OAAO;AAGjD,YAAM,sBAA2C;AAAA,QAC/C,MAAM,UAA4C;AAChD,gBAAM,gBAAgB,IAAI,SAAS,IAA6B,GAAG,QAAQ,SAAS;AACpF,gBAAM,UAAU,MAAM,cAAc,UAAU;AAC9C,cAAI,CAAC,QAAS,QAAO;AAErB,iBAAO;AAAA,YACL,GAAG;AAAA,YACH,mBAAmB,WAAW,IAAI;AAAA,UACpC;AAAA,QACF;AAAA,MACF;AACA,UAAI,SAAS,SAAS,GAAG,QAAQ,aAAa,mBAAmB;AAEjE,UAAI,KAAK,OAAO,KAAK,GAAG,QAAQ,0BAA0B;AAAA,IAC5D;AAAA,EACF;AACF;","names":[]}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { PluginManifest } from '@gzl10/nexus-sdk';
+declare const authProvidersPlugin: PluginManifest;
+export { authProvidersPlugin, authProvidersPlugin as default };