npm - @gzl10/nexus-plugin-auth-providers - Versions diffs - 0.14.0 - Mend

@gzl10/nexus-plugin-auth-providers 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/chunk-TPBCCFGG.js +489 -0
package/dist/chunk-TPBCCFGG.js.map +1 -0
package/dist/index.d.ts +5 -0
package/dist/index.js +749 -0
package/dist/index.js.map +1 -0
package/dist/shared/index.d.ts +402 -0
package/dist/shared/index.js +17 -0
package/dist/shared/index.js.map +1 -0
package/image.png +0 -0
package/package.json +42 -0

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/providers/google/adapter.ts","../src/providers/google/index.ts","../src/providers/github/adapter.ts","../src/providers/github/index.ts","../src/providers/gitlab/adapter.ts","../src/providers/gitlab/index.ts","../src/providers/microsoft/adapter.ts","../src/providers/microsoft/index.ts","../src/providers/pocketid/adapter.ts","../src/providers/pocketid/index.ts","../src/providers/oidc/adapter.ts","../src/providers/oidc/index.ts"],"sourcesContent":["/**\n * @gzl10/nexus-plugin-auth-providers\n *\n * Consolidated auth providers plugin for Nexus BaaS.\n * Auto-discovers active providers based on environment variables.\n *\n * Supported providers:\n * - Google (OIDC) — GOOGLE_CLIENT_ID\n * - GitHub (OAuth 2.0) — GITHUB_CLIENT_ID\n * - GitLab (OAuth 2.0) — GITLAB_CLIENT_ID\n * - Microsoft (OIDC) — MICROSOFT_CLIENT_ID\n * - PocketID (OIDC) — POCKETID_URL\n * - Generic OIDC — OIDC_ISSUER_URL\n */\nimport { readFileSync } from 'node:fs'\nimport { join } from 'node:path'\nimport type { PluginManifest, ModuleManifest, PluginEnvVar } from '@gzl10/nexus-sdk'\nimport { authProvidersConfigEntity } from './shared/index.js'\n\nconst pkg = JSON.parse(readFileSync(join(import.meta.dirname, '..', 'package.json'), 'utf-8')) as { version: string }\n\n// ============================================================================\n// PROVIDER REGISTRY\n// ============================================================================\n\ninterface ProviderDef {\n name: string\n envKey: string\n modules: () => ModuleManifest[]\n envVars: PluginEnvVar[]\n}\n\n// Google\nimport { configModule as googleConfig, authModule as googleAuth } from './providers/google/index.js'\n// GitHub\nimport { configModule as githubConfig, authModule as githubAuth } from './providers/github/index.js'\n// GitLab\nimport { configModule as gitlabConfig, authModule as gitlabAuth } from './providers/gitlab/index.js'\n// Microsoft\nimport { configModule as microsoftConfig, authModule as microsoftAuth } from './providers/microsoft/index.js'\n// PocketID\nimport { configModule as pocketidConfig, authModule as pocketidAuth } from './providers/pocketid/index.js'\n// Generic OIDC\nimport { configModule as oidcConfig, authModule as oidcAuth } from './providers/oidc/index.js'\n\nconst providers: ProviderDef[] = [\n {\n name: 'google',\n envKey: 'GOOGLE_CLIENT_ID',\n modules: () => [googleConfig, googleAuth],\n envVars: [\n { name: 'GOOGLE_CLIENT_ID', description: { en: 'Google OAuth client ID' }, required: true },\n { name: 'GOOGLE_CLIENT_SECRET', description: { en: 'Google OAuth client secret' }, required: true, sensitive: true }\n ]\n },\n {\n name: 'github',\n envKey: 'GITHUB_CLIENT_ID',\n modules: () => [githubConfig, githubAuth],\n envVars: [\n { name: 'GITHUB_CLIENT_ID', description: { en: 'GitHub OAuth client ID' }, required: true },\n { name: 'GITHUB_CLIENT_SECRET', description: { en: 'GitHub OAuth client secret' }, required: true, sensitive: true }\n ]\n },\n {\n name: 'gitlab',\n envKey: 'GITLAB_CLIENT_ID',\n modules: () => [gitlabConfig, gitlabAuth],\n envVars: [\n { name: 'GITLAB_CLIENT_ID', description: { en: 'GitLab OAuth client ID' }, required: true },\n { name: 'GITLAB_CLIENT_SECRET', description: { en: 'GitLab OAuth client secret' }, required: true, sensitive: true },\n { name: 'GITLAB_URL', description: { en: 'GitLab instance URL (default: https://gitlab.com)' }, required: false }\n ]\n },\n {\n name: 'microsoft',\n envKey: 'MICROSOFT_CLIENT_ID',\n modules: () => [microsoftConfig, microsoftAuth],\n envVars: [\n { name: 'MICROSOFT_CLIENT_ID', description: { en: 'Microsoft OAuth client ID' }, required: true },\n { name: 'MICROSOFT_CLIENT_SECRET', description: { en: 'Microsoft OAuth client secret' }, required: true, sensitive: true },\n { name: 'MICROSOFT_TENANT_ID', description: { en: 'Azure AD tenant ID (default: common)' }, required: false }\n ]\n },\n {\n name: 'pocketid',\n envKey: 'POCKETID_URL',\n modules: () => [pocketidConfig, pocketidAuth],\n envVars: [\n { name: 'POCKETID_URL', description: { en: 'PocketID instance URL' }, required: true },\n { name: 'POCKETID_CLIENT_ID', description: { en: 'PocketID OAuth client ID' }, required: true },\n { name: 'POCKETID_CLIENT_SECRET', description: { en: 'PocketID OAuth client secret' }, required: true, sensitive: true }\n ]\n },\n {\n name: 'oidc',\n envKey: 'OIDC_ISSUER_URL',\n modules: () => [oidcConfig, oidcAuth],\n envVars: [\n { name: 'OIDC_ISSUER_URL', description: { en: 'OIDC issuer URL (discovery endpoint)' }, required: true },\n { name: 'OIDC_CLIENT_ID', description: { en: 'OIDC client ID' }, required: true },\n { name: 'OIDC_CLIENT_SECRET', description: { en: 'OIDC client secret' }, required: true, sensitive: true }\n ]\n }\n]\n\n// ============================================================================\n// AUTO-DISCOVERY\n// ============================================================================\n\nconst activeProviders = providers.filter(p => !!process.env[p.envKey])\nconst providerModules = activeProviders.flatMap(p => p.modules())\nconst activeEnvVars = activeProviders.flatMap(p => p.envVars)\n\n// Base module: registers the unified auth_providers_config entity (only if providers are active)\nconst baseModule: ModuleManifest = {\n name: 'auth_providers_config',\n type: 'plugin',\n category: 'security',\n label: { en: 'Auth Providers Config', es: 'Config Proveedores Auth' },\n icon: 'mdi:shield-key',\n definitions: [authProvidersConfigEntity]\n}\n\nconst activeModules = activeProviders.length > 0\n ? [baseModule, ...providerModules]\n : []\n\n// ============================================================================\n// PLUGIN MANIFEST\n// ============================================================================\n\nexport const authProvidersPlugin: PluginManifest = {\n name: '@gzl10/nexus-plugin-auth-providers',\n code: 'atp',\n version: pkg.version,\n label: { en: 'Auth Providers', es: 'Proveedores de Auth' },\n icon: 'mdi:shield-check',\n category: 'integrations',\n description: {\n en: 'Consolidated OAuth/OIDC authentication providers (Google, GitHub, GitLab, Microsoft, PocketID, Generic OIDC)',\n es: 'Proveedores de autenticación OAuth/OIDC consolidados'\n },\n modules: activeModules,\n envVars: activeEnvVars\n}\n\nexport default authProvidersPlugin\n","/**\n * Google OIDC Adapter\n *\n * Provider-specific logic for Google authentication.\n * Everything else (state management, identity resolution, controller)\n * is handled by the shared Auth Plugin Base in @gzl10/nexus-sdk.\n */\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport {\n getOidcClient,\n type OidcDiscoveryDocument\n} from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// CONFIG TYPE\n// ============================================================================\n\nexport interface GoogleAuthConfig extends AuthPluginBaseConfig {\n /** Provider-specific: extra_config JSON with hosted_domain */\n extra_config: string | null\n}\n\ninterface GoogleExtraConfig {\n hosted_domain?: string | null\n}\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nconst GOOGLE_ISSUER = 'https://accounts.google.com'\n\nexport function createGoogleAdapter(ctx: ModuleContext): AuthPluginAdapter<GoogleAuthConfig> {\n const { errors } = ctx.core\n const oidcClient = getOidcClient()\n\n // Discovery cache (1 hour)\n let discoveryDoc: OidcDiscoveryDocument | null = null\n let discoveryExpires = 0\n\n async function getDiscovery(): Promise<OidcDiscoveryDocument> {\n const now = Date.now()\n if (discoveryDoc && discoveryExpires > now) {\n return discoveryDoc\n }\n discoveryDoc = await oidcClient.discover(GOOGLE_ISSUER)\n discoveryExpires = now + 3600000\n return discoveryDoc\n }\n\n function parseExtraConfig(config: GoogleAuthConfig): GoogleExtraConfig {\n if (!config.extra_config) return {}\n try {\n return typeof config.extra_config === 'string'\n ? JSON.parse(config.extra_config) as GoogleExtraConfig\n : config.extra_config as unknown as GoogleExtraConfig\n } catch {\n return {}\n }\n }\n\n return {\n provider: 'google',\n\n async getValidConfig(): Promise<GoogleAuthConfig> {\n const configService = ctx.services.get<{ getConfig(): Promise<GoogleAuthConfig | null> }>('google.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('Google authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('Google Auth is not fully configured')\n }\n return config\n },\n\n async buildAuthorizationUrl(config: GoogleAuthConfig, params: BuildAuthUrlParams): Promise<string> {\n const discovery = await getDiscovery()\n const extra = parseExtraConfig(config)\n\n return oidcClient.buildAuthorizationUrl(discovery.authorization_endpoint, {\n clientId: config.client_id,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n state: params.state,\n nonce: params.nonce,\n hostedDomain: extra.hosted_domain || undefined\n })\n },\n\n async exchangeCodeAndGetUserInfo(\n config: GoogleAuthConfig,\n code: string,\n redirectUri: string,\n nonce: string\n ): Promise<AuthPluginUserInfo> {\n const discovery = await getDiscovery()\n\n // Exchange code for tokens\n const tokens = await oidcClient.exchangeCode({\n tokenEndpoint: discovery.token_endpoint,\n clientId: config.client_id,\n clientSecret: config.client_secret,\n code,\n redirectUri\n })\n\n // Validate ID token\n if (tokens.id_token) {\n await oidcClient.validateIdToken(tokens.id_token, {\n jwksUri: discovery.jwks_uri,\n issuer: discovery.issuer,\n clientId: config.client_id,\n nonce\n })\n }\n\n // Get user info\n const userInfo = await oidcClient.getUserInfo(\n tokens.access_token,\n discovery.userinfo_endpoint\n )\n\n return {\n providerUserId: userInfo.sub,\n email: userInfo.email || null,\n name: userInfo.name || userInfo.preferred_username || null,\n raw: userInfo as unknown as Record<string, unknown>\n }\n }\n }\n}\n","import {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createGoogleAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'google_auth_config',\n label: { en: 'Google Auth Config', es: 'Configuración Google Auth' },\n provider: 'google',\n envPrefix: 'GOOGLE',\n defaultScopes: 'openid profile email',\n defaultRole: 'VIEWER'\n})\n\nexport const authModule = createAuthModule({\n name: 'google_auth',\n label: { en: 'Google Auth', es: 'Auth Google' },\n configDependency: 'google_auth_config',\n provider: 'google',\n caslSubject: 'GoogleAuth',\n providerInfo: {\n code: 'GOOGLE_AUTH',\n provider: 'google',\n icon: 'mdi:google',\n label: { en: 'Sign in with Google', es: 'Iniciar sesión con Google' },\n color: '#4285F4'\n },\n createAdapter: createGoogleAdapter\n})\n","/**\n * GitHub OAuth 2.0 Adapter\n *\n * Provider-specific logic for GitHub authentication.\n * Note: GitHub does NOT support OIDC, only OAuth 2.0.\n * Token exchange and user info use direct API calls via ofetch.\n */\nimport { ofetch } from 'ofetch'\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// GITHUB API TYPES\n// ============================================================================\n\ninterface GitHubUserInfo {\n id: number\n login: string\n name: string | null\n email: string | null\n avatar_url: string\n}\n\ninterface GitHubEmail {\n email: string\n primary: boolean\n verified: boolean\n}\n\n// ============================================================================\n// CONSTANTS\n// ============================================================================\n\nconst GITHUB_AUTHORIZE_URL = 'https://github.com/login/oauth/authorize'\nconst GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token'\nconst GITHUB_USER_URL = 'https://api.github.com/user'\nconst GITHUB_EMAILS_URL = 'https://api.github.com/user/emails'\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nexport function createGitHubAdapter(ctx: ModuleContext): AuthPluginAdapter<AuthPluginBaseConfig> {\n const { logger, errors } = ctx.core\n\n return {\n provider: 'github',\n\n async getValidConfig(): Promise<AuthPluginBaseConfig> {\n const configService = ctx.services.get<{ getConfig(): Promise<AuthPluginBaseConfig | null> }>('github.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('GitHub authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('GitHub Auth is not fully configured')\n }\n return config\n },\n\n async buildAuthorizationUrl(config: AuthPluginBaseConfig, params: BuildAuthUrlParams): Promise<string> {\n const queryParams = new URLSearchParams({\n client_id: config.client_id,\n redirect_uri: params.redirectUri,\n scope: config.scopes || 'user:email',\n state: params.state\n })\n return `${GITHUB_AUTHORIZE_URL}?${queryParams}`\n },\n\n async exchangeCodeAndGetUserInfo(\n config: AuthPluginBaseConfig,\n code: string,\n redirectUri: string,\n _nonce: string\n ): Promise<AuthPluginUserInfo> {\n // Exchange code for access token\n const tokenResponse = await ofetch<{\n access_token?: string\n error?: string\n error_description?: string\n }>(GITHUB_TOKEN_URL, {\n method: 'POST',\n headers: { Accept: 'application/json' },\n body: {\n client_id: config.client_id,\n client_secret: config.client_secret,\n code,\n redirect_uri: redirectUri\n }\n })\n\n if (tokenResponse.error || !tokenResponse.access_token) {\n throw new errors.ValidationError(\n tokenResponse.error_description || tokenResponse.error || 'Failed to exchange code'\n )\n }\n\n const accessToken = tokenResponse.access_token\n\n // Get user info\n const user = await ofetch<GitHubUserInfo>(GITHUB_USER_URL, {\n headers: { Authorization: `Bearer ${accessToken}` }\n })\n\n // If email is not public, fetch from emails API\n let email = user.email\n if (!email) {\n try {\n const emails = await ofetch<GitHubEmail[]>(GITHUB_EMAILS_URL, {\n headers: { Authorization: `Bearer ${accessToken}` }\n })\n const primaryEmail = emails.find(e => e.primary && e.verified)\n if (primaryEmail) {\n email = primaryEmail.email\n }\n } catch {\n logger.debug('Could not fetch emails - scope might not be granted')\n }\n }\n\n return {\n providerUserId: user.id.toString(),\n email: email || null,\n name: user.name || user.login || null,\n raw: user as unknown as Record<string, unknown>\n }\n }\n }\n}\n","import {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createGitHubAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'github_auth_config',\n label: { en: 'GitHub Auth Config', es: 'Configuración GitHub Auth' },\n provider: 'github',\n envPrefix: 'GITHUB',\n defaultScopes: 'user:email',\n defaultRole: 'VIEWER'\n})\n\nexport const authModule = createAuthModule({\n name: 'github_auth',\n label: { en: 'GitHub Auth', es: 'Auth GitHub' },\n configDependency: 'github_auth_config',\n provider: 'github',\n caslSubject: 'GitHubAuth',\n providerInfo: {\n code: 'GITHUB_AUTH',\n provider: 'github',\n icon: 'mdi:github',\n label: { en: 'Sign in with GitHub', es: 'Iniciar sesión con GitHub' },\n color: '#24292e'\n },\n createAdapter: createGitHubAdapter\n})\n","/**\n * GitLab OAuth 2.0 Adapter\n *\n * Provider-specific logic for GitLab authentication (cloud and self-hosted).\n * Supports configurable GitLab instance URL via extra_config.gitlab_url or GITLAB_URL env var.\n */\nimport { ofetch } from 'ofetch'\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// GITLAB API TYPES\n// ============================================================================\n\ninterface GitLabUserInfo {\n id: number\n username: string\n email: string | null\n name: string\n avatar_url: string | null\n}\n\ninterface GitLabAuthConfig extends AuthPluginBaseConfig {\n extra_config?: {\n gitlab_url?: string\n } | null\n}\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nexport function createGitLabAdapter(ctx: ModuleContext): AuthPluginAdapter<GitLabAuthConfig> {\n const { errors } = ctx.core\n\n function getGitLabUrl(config: GitLabAuthConfig): string {\n const url =\n config?.extra_config?.gitlab_url || process.env['GITLAB_URL'] || 'https://gitlab.com'\n return url.replace(/\\/$/, '')\n }\n\n return {\n provider: 'gitlab',\n\n async getValidConfig(): Promise<GitLabAuthConfig> {\n const configService = ctx.services.get<{\n getConfig(): Promise<GitLabAuthConfig | null>\n }>('gitlab.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('GitLab authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('GitLab Auth is not fully configured')\n }\n return config\n },\n\n async buildAuthorizationUrl(\n config: GitLabAuthConfig,\n params: BuildAuthUrlParams\n ): Promise<string> {\n const gitlabUrl = getGitLabUrl(config)\n const queryParams = new URLSearchParams({\n client_id: config.client_id,\n redirect_uri: params.redirectUri,\n response_type: 'code',\n scope: config.scopes || 'read_user',\n state: params.state\n })\n return `${gitlabUrl}/oauth/authorize?${queryParams}`\n },\n\n async exchangeCodeAndGetUserInfo(\n config: GitLabAuthConfig,\n code: string,\n redirectUri: string,\n _nonce: string\n ): Promise<AuthPluginUserInfo> {\n const gitlabUrl = getGitLabUrl(config)\n\n // Exchange code for access token\n const tokenResponse = await ofetch<{\n access_token?: string\n error?: string\n error_description?: string\n }>(`${gitlabUrl}/oauth/token`, {\n method: 'POST',\n headers: { Accept: 'application/json' },\n body: {\n client_id: config.client_id,\n client_secret: config.client_secret,\n code,\n redirect_uri: redirectUri,\n grant_type: 'authorization_code'\n }\n })\n\n if (tokenResponse.error || !tokenResponse.access_token) {\n throw new errors.ValidationError(\n tokenResponse.error_description || tokenResponse.error || 'Failed to exchange code'\n )\n }\n\n const accessToken = tokenResponse.access_token\n\n // Get user info\n const user = await ofetch<GitLabUserInfo>(`${gitlabUrl}/api/v4/user`, {\n headers: { Authorization: `Bearer ${accessToken}` }\n })\n\n return {\n providerUserId: user.id.toString(),\n email: user.email || null,\n name: user.name || user.username || null,\n raw: user as unknown as Record<string, unknown>\n }\n }\n }\n}\n","import {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createGitLabAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'gitlab_auth_config',\n label: { en: 'GitLab Auth Config', es: 'Configuración GitLab Auth' },\n provider: 'gitlab',\n envPrefix: 'GITLAB',\n defaultScopes: 'read_user',\n defaultRole: 'VIEWER',\n extraConfig: {\n gitlab_url: process.env['GITLAB_URL'] || 'https://gitlab.com'\n }\n})\n\nexport const authModule = createAuthModule({\n name: 'gitlab_auth',\n label: { en: 'GitLab Auth', es: 'Auth GitLab' },\n configDependency: 'gitlab_auth_config',\n provider: 'gitlab',\n caslSubject: 'GitLabAuth',\n providerInfo: {\n code: 'GITLAB_AUTH',\n provider: 'gitlab',\n icon: 'mdi:gitlab',\n label: { en: 'Sign in with GitLab', es: 'Iniciar sesión con GitLab' },\n color: '#FC6D26'\n },\n createAdapter: createGitLabAdapter\n})\n","/**\n * Microsoft OIDC Adapter\n *\n * Provider-specific logic for Microsoft/Azure AD authentication.\n * Supports single/multi-tenant scenarios with tenant-aware discovery.\n * Everything else (state management, identity resolution, controller)\n * is handled by the shared Auth Plugin Base in @gzl10/nexus-sdk.\n */\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport {\n getOidcClient,\n type OidcDiscoveryDocument\n} from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// CONFIG TYPE\n// ============================================================================\n\nexport interface MicrosoftAuthConfig extends AuthPluginBaseConfig {\n /** Provider-specific: extra_config JSON with tenant_id */\n extra_config: string | null\n}\n\ninterface MicrosoftExtraConfig {\n tenant_id?: string | null\n}\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nexport function createMicrosoftAdapter(ctx: ModuleContext): AuthPluginAdapter<MicrosoftAuthConfig> {\n const { errors } = ctx.core\n const oidcClient = getOidcClient()\n\n // Discovery cache per tenant (1 hour TTL)\n const discoveryCache = new Map<string, { doc: OidcDiscoveryDocument; expiresAt: number }>()\n const CACHE_TTL = 3600000 // 1 hour\n\n function getTenant(config: MicrosoftAuthConfig): string {\n const extra = parseExtraConfig(config)\n return extra.tenant_id || process.env['MICROSOFT_TENANT_ID'] || 'common'\n }\n\n function parseExtraConfig(config: MicrosoftAuthConfig): MicrosoftExtraConfig {\n if (!config.extra_config) return {}\n try {\n return typeof config.extra_config === 'string'\n ? JSON.parse(config.extra_config) as MicrosoftExtraConfig\n : config.extra_config as unknown as MicrosoftExtraConfig\n } catch {\n return {}\n }\n }\n\n async function getDiscovery(tenant: string): Promise<OidcDiscoveryDocument> {\n const now = Date.now()\n const cached = discoveryCache.get(tenant)\n if (cached && cached.expiresAt > now) {\n return cached.doc\n }\n\n const issuer = `https://login.microsoftonline.com/${tenant}/v2.0`\n const doc = await oidcClient.discover(issuer)\n discoveryCache.set(tenant, { doc, expiresAt: now + CACHE_TTL })\n return doc\n }\n\n return {\n provider: 'microsoft',\n\n async getValidConfig(): Promise<MicrosoftAuthConfig> {\n const configService = ctx.services.get<{ getConfig(): Promise<MicrosoftAuthConfig | null> }>('microsoft.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('Microsoft authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('Microsoft Auth is not fully configured')\n }\n return config\n },\n\n async buildAuthorizationUrl(config: MicrosoftAuthConfig, params: BuildAuthUrlParams): Promise<string> {\n const tenant = getTenant(config)\n const discovery = await getDiscovery(tenant)\n\n return oidcClient.buildAuthorizationUrl(discovery.authorization_endpoint, {\n clientId: config.client_id,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n state: params.state,\n nonce: params.nonce\n })\n },\n\n async exchangeCodeAndGetUserInfo(\n config: MicrosoftAuthConfig,\n code: string,\n redirectUri: string,\n nonce: string\n ): Promise<AuthPluginUserInfo> {\n const tenant = getTenant(config)\n const discovery = await getDiscovery(tenant)\n\n // Exchange code for tokens\n const tokens = await oidcClient.exchangeCode({\n tokenEndpoint: discovery.token_endpoint,\n clientId: config.client_id,\n clientSecret: config.client_secret,\n code,\n redirectUri\n })\n\n // Validate ID token\n if (tokens.id_token) {\n await oidcClient.validateIdToken(tokens.id_token, {\n jwksUri: discovery.jwks_uri,\n issuer: discovery.issuer,\n clientId: config.client_id,\n nonce\n })\n }\n\n // Get user info\n const userInfo = await oidcClient.getUserInfo(\n tokens.access_token,\n discovery.userinfo_endpoint\n )\n\n return {\n providerUserId: userInfo.sub,\n email: userInfo.email || null,\n name: userInfo.name || userInfo.preferred_username || null,\n raw: userInfo as unknown as Record<string, unknown>\n }\n }\n }\n}\n","/**\n * Microsoft Auth Provider\n *\n * Azure AD / Microsoft Entra ID via OIDC with tenant-aware discovery.\n * Supports single-tenant, multi-tenant, and B2C scenarios.\n */\nimport {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createMicrosoftAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'microsoft_auth_config',\n label: { en: 'Microsoft Auth Config', es: 'Configuración Microsoft Auth' },\n provider: 'microsoft',\n envPrefix: 'MICROSOFT',\n defaultScopes: 'openid profile email',\n defaultRole: 'VIEWER'\n})\n\nexport const authModule = createAuthModule({\n name: 'microsoft_auth',\n label: { en: 'Microsoft Auth', es: 'Auth Microsoft' },\n configDependency: 'microsoft_auth_config',\n provider: 'microsoft',\n caslSubject: 'MicrosoftAuth',\n providerInfo: {\n code: 'MICROSOFT_AUTH',\n provider: 'microsoft',\n icon: 'mdi:microsoft',\n label: { en: 'Sign in with Microsoft', es: 'Iniciar sesión con Microsoft' },\n color: '#00A4EF'\n },\n createAdapter: createMicrosoftAdapter\n})\n","/**\n * PocketID OIDC Adapter\n *\n * Provider-specific logic for PocketID authentication.\n * Differs from Google in that the issuer URL is dynamic (from config).\n */\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport {\n getOidcClient,\n type OidcDiscoveryDocument\n} from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// CONFIG TYPE\n// ============================================================================\n\nexport interface PocketIdAuthConfig extends AuthPluginBaseConfig {\n /** Provider-specific: extra_config JSON with issuer_url */\n extra_config: string | null\n}\n\ninterface PocketIdExtraConfig {\n issuer_url?: string | null\n}\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nexport function createPocketIdAdapter(ctx: ModuleContext): AuthPluginAdapter<PocketIdAuthConfig> {\n const { errors } = ctx.core\n const oidcClient = getOidcClient()\n\n // Discovery cache (1 hour)\n let discoveryDoc: OidcDiscoveryDocument | null = null\n let discoveryExpires = 0\n\n function parseExtraConfig(config: PocketIdAuthConfig): PocketIdExtraConfig {\n if (!config.extra_config) return {}\n try {\n return typeof config.extra_config === 'string'\n ? JSON.parse(config.extra_config) as PocketIdExtraConfig\n : config.extra_config as unknown as PocketIdExtraConfig\n } catch {\n return {}\n }\n }\n\n function getIssuerUrl(config: PocketIdAuthConfig): string {\n // Check extra_config first, then fall back to POCKETID_URL env var\n const extra = parseExtraConfig(config)\n const issuerUrl = extra.issuer_url || process.env['POCKETID_URL']\n if (!issuerUrl) {\n throw new errors.ForbiddenError('PocketID issuer URL is not configured')\n }\n return issuerUrl\n }\n\n async function getDiscovery(config: PocketIdAuthConfig): Promise<OidcDiscoveryDocument> {\n const issuerUrl = getIssuerUrl(config)\n const now = Date.now()\n if (discoveryDoc && discoveryExpires > now) {\n return discoveryDoc\n }\n discoveryDoc = await oidcClient.discover(issuerUrl)\n discoveryExpires = now + 3600000\n return discoveryDoc\n }\n\n return {\n provider: 'pocketid',\n\n async getValidConfig(): Promise<PocketIdAuthConfig> {\n const configService = ctx.services.get<{ getConfig(): Promise<PocketIdAuthConfig | null> }>('pocketid.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('PocketID authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('PocketID is not fully configured')\n }\n // Validate issuer URL is available\n getIssuerUrl(config)\n return config\n },\n\n async buildAuthorizationUrl(config: PocketIdAuthConfig, params: BuildAuthUrlParams): Promise<string> {\n const discovery = await getDiscovery(config)\n\n return oidcClient.buildAuthorizationUrl(discovery.authorization_endpoint, {\n clientId: config.client_id,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n state: params.state,\n nonce: params.nonce\n })\n },\n\n async exchangeCodeAndGetUserInfo(\n config: PocketIdAuthConfig,\n code: string,\n redirectUri: string,\n nonce: string\n ): Promise<AuthPluginUserInfo> {\n const discovery = await getDiscovery(config)\n\n // Exchange code for tokens\n const tokens = await oidcClient.exchangeCode({\n tokenEndpoint: discovery.token_endpoint,\n clientId: config.client_id,\n clientSecret: config.client_secret,\n code,\n redirectUri\n })\n\n // Validate ID token\n if (tokens.id_token) {\n await oidcClient.validateIdToken(tokens.id_token, {\n jwksUri: discovery.jwks_uri,\n issuer: discovery.issuer,\n clientId: config.client_id,\n nonce\n })\n }\n\n // Get user info\n const userInfo = await oidcClient.getUserInfo(\n tokens.access_token,\n discovery.userinfo_endpoint\n )\n\n return {\n providerUserId: userInfo.sub,\n email: userInfo.email || null,\n name: userInfo.name || userInfo.preferred_username || null,\n raw: userInfo as unknown as Record<string, unknown>\n }\n }\n }\n}\n","import {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createPocketIdAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'pocketid_config',\n label: { en: 'PocketID Config', es: 'Configuración PocketID' },\n provider: 'pocketid',\n envPrefix: 'POCKETID',\n defaultScopes: 'openid profile email',\n defaultRole: 'VIEWER',\n extraConfig: { issuer_url: process.env['POCKETID_URL'] || null }\n})\n\nexport const authModule = createAuthModule({\n name: 'pocketid_auth',\n label: { en: 'PocketID Auth', es: 'Auth PocketID' },\n configDependency: 'pocketid_config',\n provider: 'pocketid',\n caslSubject: 'PocketIdAuth',\n providerInfo: {\n code: 'POCKETID_AUTH',\n provider: 'pocketid',\n icon: 'mdi:key-chain',\n label: { en: 'Sign in with PocketID', es: 'Iniciar sesión con PocketID' },\n color: '#7c3aed'\n },\n createAdapter: createPocketIdAdapter\n})\n\n// ============================================================================\n// EXPORTS\n// ============================================================================\n\nexport { createPocketIdAdapter } from './adapter.js'\nexport type { PocketIdAuthConfig } from './adapter.js'\n","/**\n * Generic OIDC Adapter\n *\n * Works with any OpenID Connect compliant identity provider.\n * Issuer URL is configured via OIDC_ISSUER_URL env var or admin panel.\n */\nimport type { ModuleContext } from '@gzl10/nexus-sdk'\nimport {\n getOidcClient,\n type OidcDiscoveryDocument\n} from '@gzl10/nexus-sdk'\nimport type {\n AuthPluginAdapter,\n AuthPluginBaseConfig,\n BuildAuthUrlParams,\n AuthPluginUserInfo\n} from '../../shared/index.js'\n\n// ============================================================================\n// CONFIG TYPE\n// ============================================================================\n\nexport interface GenericOidcConfig extends AuthPluginBaseConfig {\n /** Provider-specific: extra_config JSON with issuer_url */\n extra_config: string | null\n}\n\ninterface OidcExtraConfig {\n issuer_url?: string | null\n}\n\n// ============================================================================\n// ADAPTER\n// ============================================================================\n\nexport function createOidcAdapter(ctx: ModuleContext): AuthPluginAdapter<GenericOidcConfig> {\n const { errors } = ctx.core\n const oidcClient = getOidcClient()\n\n // Discovery cache (1 hour per issuer)\n const discoveryCache = new Map<string, { doc: OidcDiscoveryDocument; expiresAt: number }>()\n const CACHE_TTL = 3600000 // 1 hour in ms\n\n function getIssuerUrl(config: GenericOidcConfig): string {\n const extra = parseExtraConfig(config)\n const url = extra.issuer_url || process.env['OIDC_ISSUER_URL']\n\n if (!url) {\n throw new errors.ForbiddenError('OIDC issuer URL is required (set OIDC_ISSUER_URL env var or configure issuer_url in admin)')\n }\n\n return url.replace(/\\/$/, '') // Remove trailing slash\n }\n\n function parseExtraConfig(config: GenericOidcConfig): OidcExtraConfig {\n if (!config.extra_config) return {}\n try {\n return typeof config.extra_config === 'string'\n ? JSON.parse(config.extra_config) as OidcExtraConfig\n : config.extra_config as unknown as OidcExtraConfig\n } catch {\n return {}\n }\n }\n\n async function getDiscovery(issuerUrl: string): Promise<OidcDiscoveryDocument> {\n const now = Date.now()\n const cached = discoveryCache.get(issuerUrl)\n\n if (cached && cached.expiresAt > now) {\n return cached.doc\n }\n\n const doc = await oidcClient.discover(issuerUrl)\n discoveryCache.set(issuerUrl, { doc, expiresAt: now + CACHE_TTL })\n\n return doc\n }\n\n return {\n provider: 'oidc',\n\n async getValidConfig(): Promise<GenericOidcConfig> {\n const configService = ctx.services.get<{ getConfig(): Promise<GenericOidcConfig | null> }>('oidc.config')\n const config = await configService.getConfig()\n\n if (!config?.enabled) {\n throw new errors.ForbiddenError('OIDC authentication is disabled')\n }\n if (!config.client_id || !config.client_secret) {\n throw new errors.ForbiddenError('OIDC Auth is not fully configured')\n }\n // Validate issuer URL can be resolved\n getIssuerUrl(config)\n return config\n },\n\n async buildAuthorizationUrl(config: GenericOidcConfig, params: BuildAuthUrlParams): Promise<string> {\n const issuerUrl = getIssuerUrl(config)\n const discovery = await getDiscovery(issuerUrl)\n\n return oidcClient.buildAuthorizationUrl(discovery.authorization_endpoint, {\n clientId: config.client_id,\n redirectUri: params.redirectUri,\n scopes: params.scopes,\n state: params.state,\n nonce: params.nonce\n })\n },\n\n async exchangeCodeAndGetUserInfo(\n config: GenericOidcConfig,\n code: string,\n redirectUri: string,\n nonce: string\n ): Promise<AuthPluginUserInfo> {\n const issuerUrl = getIssuerUrl(config)\n const discovery = await getDiscovery(issuerUrl)\n\n // Exchange code for tokens\n const tokens = await oidcClient.exchangeCode({\n tokenEndpoint: discovery.token_endpoint,\n clientId: config.client_id,\n clientSecret: config.client_secret,\n code,\n redirectUri\n })\n\n // Validate ID token\n if (tokens.id_token) {\n await oidcClient.validateIdToken(tokens.id_token, {\n jwksUri: discovery.jwks_uri,\n issuer: discovery.issuer,\n clientId: config.client_id,\n nonce\n })\n }\n\n // Get user info\n const userInfo = await oidcClient.getUserInfo(\n tokens.access_token,\n discovery.userinfo_endpoint\n )\n\n return {\n providerUserId: userInfo.sub,\n email: userInfo.email || null,\n name: userInfo.name || userInfo.preferred_username || null,\n raw: userInfo as unknown as Record<string, unknown>\n }\n }\n }\n}\n","/**\n * Generic OIDC Provider\n *\n * Works with any OpenID Connect compliant identity provider\n * (Keycloak, Authentik, Authelia, Zitadel, etc.).\n *\n * Configure via OIDC_ISSUER_URL environment variable or admin panel.\n */\nimport {\n createAuthConfigModule,\n createAuthModule\n} from '../../shared/index.js'\nimport { createOidcAdapter } from './adapter.js'\n\n// ============================================================================\n// MODULES (generated by factories)\n// ============================================================================\n\nexport const configModule = createAuthConfigModule({\n name: 'oidc_auth_config',\n label: { en: 'Generic OIDC Auth Config', es: 'Configuración Auth OIDC Genérico' },\n provider: 'oidc',\n envPrefix: 'OIDC',\n defaultScopes: 'openid profile email',\n defaultRole: 'VIEWER'\n})\n\nexport const authModule = createAuthModule({\n name: 'oidc_auth',\n label: { en: 'Generic OIDC Auth', es: 'Auth OIDC Genérico' },\n configDependency: 'oidc_auth_config',\n provider: 'oidc',\n caslSubject: 'OidcAuth',\n providerInfo: {\n code: 'OIDC_AUTH',\n provider: 'oidc',\n icon: 'mdi:shield-key',\n label: { en: 'Sign in with SSO', es: 'Iniciar sesión con SSO' },\n color: '#6366F1'\n },\n createAdapter: createOidcAdapter\n})\n"],"mappings":";;;;;;;AAcA,SAAS,oBAAoB;AAC7B,SAAS,YAAY;;;ACPrB;AAAA,EACE;AAAA,OAEK;AAyBP,IAAM,gBAAgB;AAEf,SAAS,oBAAoB,KAAyD;AAC3F,QAAM,EAAE,OAAO,IAAI,IAAI;AACvB,QAAM,aAAa,cAAc;AAGjC,MAAI,eAA6C;AACjD,MAAI,mBAAmB;AAEvB,iBAAe,eAA+C;AAC5D,UAAM,MAAM,KAAK,IAAI;AACrB,QAAI,gBAAgB,mBAAmB,KAAK;AAC1C,aAAO;AAAA,IACT;AACA,mBAAe,MAAM,WAAW,SAAS,aAAa;AACtD,uBAAmB,MAAM;AACzB,WAAO;AAAA,EACT;AAEA,WAAS,iBAAiB,QAA6C;AACrE,QAAI,CAAC,OAAO,aAAc,QAAO,CAAC;AAClC,QAAI;AACF,aAAO,OAAO,OAAO,iBAAiB,WAClC,KAAK,MAAM,OAAO,YAAY,IAC9B,OAAO;AAAA,IACb,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAA4C;AAChD,YAAM,gBAAgB,IAAI,SAAS,IAAuD,eAAe;AACzG,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,mCAAmC;AAAA,MACrE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,qCAAqC;AAAA,MACvE;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBAAsB,QAA0B,QAA6C;AACjG,YAAM,YAAY,MAAM,aAAa;AACrC,YAAM,QAAQ,iBAAiB,MAAM;AAErC,aAAO,WAAW,sBAAsB,UAAU,wBAAwB;AAAA,QACxE,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,QACd,cAAc,MAAM,iBAAiB;AAAA,MACvC,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,OAC6B;AAC7B,YAAM,YAAY,MAAM,aAAa;AAGrC,YAAM,SAAS,MAAM,WAAW,aAAa;AAAA,QAC3C,eAAe,UAAU;AAAA,QACzB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB;AAAA,QACA;AAAA,MACF,CAAC;AAGD,UAAI,OAAO,UAAU;AACnB,cAAM,WAAW,gBAAgB,OAAO,UAAU;AAAA,UAChD,SAAS,UAAU;AAAA,UACnB,QAAQ,UAAU;AAAA,UAClB,UAAU,OAAO;AAAA,UACjB;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,WAAW,MAAM,WAAW;AAAA,QAChC,OAAO;AAAA,QACP,UAAU;AAAA,MACZ;AAEA,aAAO;AAAA,QACL,gBAAgB,SAAS;AAAA,QACzB,OAAO,SAAS,SAAS;AAAA,QACzB,MAAM,SAAS,QAAQ,SAAS,sBAAsB;AAAA,QACtD,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;AChIO,IAAM,eAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,sBAAsB,IAAI,+BAA4B;AAAA,EACnE,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AACf,CAAC;AAEM,IAAM,aAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,eAAe,IAAI,cAAc;AAAA,EAC9C,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,uBAAuB,IAAI,+BAA4B;AAAA,IACpE,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AC1BD,SAAS,cAAc;AA+BvB,IAAM,uBAAuB;AAC7B,IAAM,mBAAmB;AACzB,IAAM,kBAAkB;AACxB,IAAM,oBAAoB;AAMnB,SAAS,oBAAoB,KAA6D;AAC/F,QAAM,EAAE,QAAQ,OAAO,IAAI,IAAI;AAE/B,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAAgD;AACpD,YAAM,gBAAgB,IAAI,SAAS,IAA2D,eAAe;AAC7G,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,mCAAmC;AAAA,MACrE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,qCAAqC;AAAA,MACvE;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBAAsB,QAA8B,QAA6C;AACrG,YAAM,cAAc,IAAI,gBAAgB;AAAA,QACtC,WAAW,OAAO;AAAA,QAClB,cAAc,OAAO;AAAA,QACrB,OAAO,OAAO,UAAU;AAAA,QACxB,OAAO,OAAO;AAAA,MAChB,CAAC;AACD,aAAO,GAAG,oBAAoB,IAAI,WAAW;AAAA,IAC/C;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,QAC6B;AAE7B,YAAM,gBAAgB,MAAM,OAIzB,kBAAkB;AAAA,QACnB,QAAQ;AAAA,QACR,SAAS,EAAE,QAAQ,mBAAmB;AAAA,QACtC,MAAM;AAAA,UACJ,WAAW,OAAO;AAAA,UAClB,eAAe,OAAO;AAAA,UACtB;AAAA,UACA,cAAc;AAAA,QAChB;AAAA,MACF,CAAC;AAED,UAAI,cAAc,SAAS,CAAC,cAAc,cAAc;AACtD,cAAM,IAAI,OAAO;AAAA,UACf,cAAc,qBAAqB,cAAc,SAAS;AAAA,QAC5D;AAAA,MACF;AAEA,YAAM,cAAc,cAAc;AAGlC,YAAM,OAAO,MAAM,OAAuB,iBAAiB;AAAA,QACzD,SAAS,EAAE,eAAe,UAAU,WAAW,GAAG;AAAA,MACpD,CAAC;AAGD,UAAI,QAAQ,KAAK;AACjB,UAAI,CAAC,OAAO;AACV,YAAI;AACF,gBAAM,SAAS,MAAM,OAAsB,mBAAmB;AAAA,YAC5D,SAAS,EAAE,eAAe,UAAU,WAAW,GAAG;AAAA,UACpD,CAAC;AACD,gBAAM,eAAe,OAAO,KAAK,OAAK,EAAE,WAAW,EAAE,QAAQ;AAC7D,cAAI,cAAc;AAChB,oBAAQ,aAAa;AAAA,UACvB;AAAA,QACF,QAAQ;AACN,iBAAO,MAAM,qDAAqD;AAAA,QACpE;AAAA,MACF;AAEA,aAAO;AAAA,QACL,gBAAgB,KAAK,GAAG,SAAS;AAAA,QACjC,OAAO,SAAS;AAAA,QAChB,MAAM,KAAK,QAAQ,KAAK,SAAS;AAAA,QACjC,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;AC7HO,IAAMA,gBAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,sBAAsB,IAAI,+BAA4B;AAAA,EACnE,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AACf,CAAC;AAEM,IAAMC,cAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,eAAe,IAAI,cAAc;AAAA,EAC9C,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,uBAAuB,IAAI,+BAA4B;AAAA,IACpE,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AC3BD,SAAS,UAAAC,eAAc;AA+BhB,SAAS,oBAAoB,KAAyD;AAC3F,QAAM,EAAE,OAAO,IAAI,IAAI;AAEvB,WAAS,aAAa,QAAkC;AACtD,UAAM,MACJ,QAAQ,cAAc,cAAc,QAAQ,IAAI,YAAY,KAAK;AACnE,WAAO,IAAI,QAAQ,OAAO,EAAE;AAAA,EAC9B;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAA4C;AAChD,YAAM,gBAAgB,IAAI,SAAS,IAEhC,eAAe;AAClB,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,mCAAmC;AAAA,MACrE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,qCAAqC;AAAA,MACvE;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBACJ,QACA,QACiB;AACjB,YAAM,YAAY,aAAa,MAAM;AACrC,YAAM,cAAc,IAAI,gBAAgB;AAAA,QACtC,WAAW,OAAO;AAAA,QAClB,cAAc,OAAO;AAAA,QACrB,eAAe;AAAA,QACf,OAAO,OAAO,UAAU;AAAA,QACxB,OAAO,OAAO;AAAA,MAChB,CAAC;AACD,aAAO,GAAG,SAAS,oBAAoB,WAAW;AAAA,IACpD;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,QAC6B;AAC7B,YAAM,YAAY,aAAa,MAAM;AAGrC,YAAM,gBAAgB,MAAMA,QAIzB,GAAG,SAAS,gBAAgB;AAAA,QAC7B,QAAQ;AAAA,QACR,SAAS,EAAE,QAAQ,mBAAmB;AAAA,QACtC,MAAM;AAAA,UACJ,WAAW,OAAO;AAAA,UAClB,eAAe,OAAO;AAAA,UACtB;AAAA,UACA,cAAc;AAAA,UACd,YAAY;AAAA,QACd;AAAA,MACF,CAAC;AAED,UAAI,cAAc,SAAS,CAAC,cAAc,cAAc;AACtD,cAAM,IAAI,OAAO;AAAA,UACf,cAAc,qBAAqB,cAAc,SAAS;AAAA,QAC5D;AAAA,MACF;AAEA,YAAM,cAAc,cAAc;AAGlC,YAAM,OAAO,MAAMA,QAAuB,GAAG,SAAS,gBAAgB;AAAA,QACpE,SAAS,EAAE,eAAe,UAAU,WAAW,GAAG;AAAA,MACpD,CAAC;AAED,aAAO;AAAA,QACL,gBAAgB,KAAK,GAAG,SAAS;AAAA,QACjC,OAAO,KAAK,SAAS;AAAA,QACrB,MAAM,KAAK,QAAQ,KAAK,YAAY;AAAA,QACpC,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;ACnHO,IAAMC,gBAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,sBAAsB,IAAI,+BAA4B;AAAA,EACnE,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AAAA,EACb,aAAa;AAAA,IACX,YAAY,QAAQ,IAAI,YAAY,KAAK;AAAA,EAC3C;AACF,CAAC;AAEM,IAAMC,cAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,eAAe,IAAI,cAAc;AAAA,EAC9C,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,uBAAuB,IAAI,+BAA4B;AAAA,IACpE,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AC3BD;AAAA,EACE,iBAAAC;AAAA,OAEK;AAyBA,SAAS,uBAAuB,KAA4D;AACjG,QAAM,EAAE,OAAO,IAAI,IAAI;AACvB,QAAM,aAAaA,eAAc;AAGjC,QAAM,iBAAiB,oBAAI,IAA+D;AAC1F,QAAM,YAAY;AAElB,WAAS,UAAU,QAAqC;AACtD,UAAM,QAAQ,iBAAiB,MAAM;AACrC,WAAO,MAAM,aAAa,QAAQ,IAAI,qBAAqB,KAAK;AAAA,EAClE;AAEA,WAAS,iBAAiB,QAAmD;AAC3E,QAAI,CAAC,OAAO,aAAc,QAAO,CAAC;AAClC,QAAI;AACF,aAAO,OAAO,OAAO,iBAAiB,WAClC,KAAK,MAAM,OAAO,YAAY,IAC9B,OAAO;AAAA,IACb,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,iBAAe,aAAa,QAAgD;AAC1E,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,eAAe,IAAI,MAAM;AACxC,QAAI,UAAU,OAAO,YAAY,KAAK;AACpC,aAAO,OAAO;AAAA,IAChB;AAEA,UAAM,SAAS,qCAAqC,MAAM;AAC1D,UAAM,MAAM,MAAM,WAAW,SAAS,MAAM;AAC5C,mBAAe,IAAI,QAAQ,EAAE,KAAK,WAAW,MAAM,UAAU,CAAC;AAC9D,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAA+C;AACnD,YAAM,gBAAgB,IAAI,SAAS,IAA0D,kBAAkB;AAC/G,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,sCAAsC;AAAA,MACxE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,wCAAwC;AAAA,MAC1E;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBAAsB,QAA6B,QAA6C;AACpG,YAAM,SAAS,UAAU,MAAM;AAC/B,YAAM,YAAY,MAAM,aAAa,MAAM;AAE3C,aAAO,WAAW,sBAAsB,UAAU,wBAAwB;AAAA,QACxE,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,OAC6B;AAC7B,YAAM,SAAS,UAAU,MAAM;AAC/B,YAAM,YAAY,MAAM,aAAa,MAAM;AAG3C,YAAM,SAAS,MAAM,WAAW,aAAa;AAAA,QAC3C,eAAe,UAAU;AAAA,QACzB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB;AAAA,QACA;AAAA,MACF,CAAC;AAGD,UAAI,OAAO,UAAU;AACnB,cAAM,WAAW,gBAAgB,OAAO,UAAU;AAAA,UAChD,SAAS,UAAU;AAAA,UACnB,QAAQ,UAAU;AAAA,UAClB,UAAU,OAAO;AAAA,UACjB;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,WAAW,MAAM,WAAW;AAAA,QAChC,OAAO;AAAA,QACP,UAAU;AAAA,MACZ;AAEA,aAAO;AAAA,QACL,gBAAgB,SAAS;AAAA,QACzB,OAAO,SAAS,SAAS;AAAA,QACzB,MAAM,SAAS,QAAQ,SAAS,sBAAsB;AAAA,QACtD,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;ACjIO,IAAMC,gBAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,yBAAyB,IAAI,kCAA+B;AAAA,EACzE,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AACf,CAAC;AAEM,IAAMC,cAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,kBAAkB,IAAI,iBAAiB;AAAA,EACpD,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,0BAA0B,IAAI,kCAA+B;AAAA,IAC1E,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AChCD;AAAA,EACE,iBAAAC;AAAA,OAEK;AAyBA,SAAS,sBAAsB,KAA2D;AAC/F,QAAM,EAAE,OAAO,IAAI,IAAI;AACvB,QAAM,aAAaA,eAAc;AAGjC,MAAI,eAA6C;AACjD,MAAI,mBAAmB;AAEvB,WAAS,iBAAiB,QAAiD;AACzE,QAAI,CAAC,OAAO,aAAc,QAAO,CAAC;AAClC,QAAI;AACF,aAAO,OAAO,OAAO,iBAAiB,WAClC,KAAK,MAAM,OAAO,YAAY,IAC9B,OAAO;AAAA,IACb,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,WAAS,aAAa,QAAoC;AAExD,UAAM,QAAQ,iBAAiB,MAAM;AACrC,UAAM,YAAY,MAAM,cAAc,QAAQ,IAAI,cAAc;AAChE,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,OAAO,eAAe,uCAAuC;AAAA,IACzE;AACA,WAAO;AAAA,EACT;AAEA,iBAAe,aAAa,QAA4D;AACtF,UAAM,YAAY,aAAa,MAAM;AACrC,UAAM,MAAM,KAAK,IAAI;AACrB,QAAI,gBAAgB,mBAAmB,KAAK;AAC1C,aAAO;AAAA,IACT;AACA,mBAAe,MAAM,WAAW,SAAS,SAAS;AAClD,uBAAmB,MAAM;AACzB,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAA8C;AAClD,YAAM,gBAAgB,IAAI,SAAS,IAAyD,iBAAiB;AAC7G,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,qCAAqC;AAAA,MACvE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,kCAAkC;AAAA,MACpE;AAEA,mBAAa,MAAM;AACnB,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBAAsB,QAA4B,QAA6C;AACnG,YAAM,YAAY,MAAM,aAAa,MAAM;AAE3C,aAAO,WAAW,sBAAsB,UAAU,wBAAwB;AAAA,QACxE,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,OAC6B;AAC7B,YAAM,YAAY,MAAM,aAAa,MAAM;AAG3C,YAAM,SAAS,MAAM,WAAW,aAAa;AAAA,QAC3C,eAAe,UAAU;AAAA,QACzB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB;AAAA,QACA;AAAA,MACF,CAAC;AAGD,UAAI,OAAO,UAAU;AACnB,cAAM,WAAW,gBAAgB,OAAO,UAAU;AAAA,UAChD,SAAS,UAAU;AAAA,UACnB,QAAQ,UAAU;AAAA,UAClB,UAAU,OAAO;AAAA,UACjB;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,WAAW,MAAM,WAAW;AAAA,QAChC,OAAO;AAAA,QACP,UAAU;AAAA,MACZ;AAEA,aAAO;AAAA,QACL,gBAAgB,SAAS;AAAA,QACzB,OAAO,SAAS,SAAS;AAAA,QACzB,MAAM,SAAS,QAAQ,SAAS,sBAAsB;AAAA,QACtD,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;ACxIO,IAAMC,gBAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,mBAAmB,IAAI,4BAAyB;AAAA,EAC7D,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AAAA,EACb,aAAa,EAAE,YAAY,QAAQ,IAAI,cAAc,KAAK,KAAK;AACjE,CAAC;AAEM,IAAMC,cAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,iBAAiB,IAAI,gBAAgB;AAAA,EAClD,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,yBAAyB,IAAI,iCAA8B;AAAA,IACxE,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AC3BD;AAAA,EACE,iBAAAC;AAAA,OAEK;AAyBA,SAAS,kBAAkB,KAA0D;AAC1F,QAAM,EAAE,OAAO,IAAI,IAAI;AACvB,QAAM,aAAaA,eAAc;AAGjC,QAAM,iBAAiB,oBAAI,IAA+D;AAC1F,QAAM,YAAY;AAElB,WAAS,aAAa,QAAmC;AACvD,UAAM,QAAQ,iBAAiB,MAAM;AACrC,UAAM,MAAM,MAAM,cAAc,QAAQ,IAAI,iBAAiB;AAE7D,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,OAAO,eAAe,4FAA4F;AAAA,IAC9H;AAEA,WAAO,IAAI,QAAQ,OAAO,EAAE;AAAA,EAC9B;AAEA,WAAS,iBAAiB,QAA4C;AACpE,QAAI,CAAC,OAAO,aAAc,QAAO,CAAC;AAClC,QAAI;AACF,aAAO,OAAO,OAAO,iBAAiB,WAClC,KAAK,MAAM,OAAO,YAAY,IAC9B,OAAO;AAAA,IACb,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,iBAAe,aAAa,WAAmD;AAC7E,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,eAAe,IAAI,SAAS;AAE3C,QAAI,UAAU,OAAO,YAAY,KAAK;AACpC,aAAO,OAAO;AAAA,IAChB;AAEA,UAAM,MAAM,MAAM,WAAW,SAAS,SAAS;AAC/C,mBAAe,IAAI,WAAW,EAAE,KAAK,WAAW,MAAM,UAAU,CAAC;AAEjE,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL,UAAU;AAAA,IAEV,MAAM,iBAA6C;AACjD,YAAM,gBAAgB,IAAI,SAAS,IAAwD,aAAa;AACxG,YAAM,SAAS,MAAM,cAAc,UAAU;AAE7C,UAAI,CAAC,QAAQ,SAAS;AACpB,cAAM,IAAI,OAAO,eAAe,iCAAiC;AAAA,MACnE;AACA,UAAI,CAAC,OAAO,aAAa,CAAC,OAAO,eAAe;AAC9C,cAAM,IAAI,OAAO,eAAe,mCAAmC;AAAA,MACrE;AAEA,mBAAa,MAAM;AACnB,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,sBAAsB,QAA2B,QAA6C;AAClG,YAAM,YAAY,aAAa,MAAM;AACrC,YAAM,YAAY,MAAM,aAAa,SAAS;AAE9C,aAAO,WAAW,sBAAsB,UAAU,wBAAwB;AAAA,QACxE,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,QAAQ,OAAO;AAAA,QACf,OAAO,OAAO;AAAA,QACd,OAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,2BACJ,QACA,MACA,aACA,OAC6B;AAC7B,YAAM,YAAY,aAAa,MAAM;AACrC,YAAM,YAAY,MAAM,aAAa,SAAS;AAG9C,YAAM,SAAS,MAAM,WAAW,aAAa;AAAA,QAC3C,eAAe,UAAU;AAAA,QACzB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB;AAAA,QACA;AAAA,MACF,CAAC;AAGD,UAAI,OAAO,UAAU;AACnB,cAAM,WAAW,gBAAgB,OAAO,UAAU;AAAA,UAChD,SAAS,UAAU;AAAA,UACnB,QAAQ,UAAU;AAAA,UAClB,UAAU,OAAO;AAAA,UACjB;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,WAAW,MAAM,WAAW;AAAA,QAChC,OAAO;AAAA,QACP,UAAU;AAAA,MACZ;AAEA,aAAO;AAAA,QACL,gBAAgB,SAAS;AAAA,QACzB,OAAO,SAAS,SAAS;AAAA,QACzB,MAAM,SAAS,QAAQ,SAAS,sBAAsB;AAAA,QACtD,KAAK;AAAA,MACP;AAAA,IACF;AAAA,EACF;AACF;;;ACtIO,IAAMC,gBAAe,uBAAuB;AAAA,EACjD,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,4BAA4B,IAAI,yCAAmC;AAAA,EAChF,UAAU;AAAA,EACV,WAAW;AAAA,EACX,eAAe;AAAA,EACf,aAAa;AACf,CAAC;AAEM,IAAMC,cAAa,iBAAiB;AAAA,EACzC,MAAM;AAAA,EACN,OAAO,EAAE,IAAI,qBAAqB,IAAI,wBAAqB;AAAA,EAC3D,kBAAkB;AAAA,EAClB,UAAU;AAAA,EACV,aAAa;AAAA,EACb,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,UAAU;AAAA,IACV,MAAM;AAAA,IACN,OAAO,EAAE,IAAI,oBAAoB,IAAI,4BAAyB;AAAA,IAC9D,OAAO;AAAA,EACT;AAAA,EACA,eAAe;AACjB,CAAC;;;AZtBD,IAAM,MAAM,KAAK,MAAM,aAAa,KAAK,YAAY,SAAS,MAAM,cAAc,GAAG,OAAO,CAAC;AA0B7F,IAAM,YAA2B;AAAA,EAC/B;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAAC,cAAc,UAAU;AAAA,IACxC,SAAS;AAAA,MACP,EAAE,MAAM,oBAAoB,aAAa,EAAE,IAAI,yBAAyB,GAAG,UAAU,KAAK;AAAA,MAC1F,EAAE,MAAM,wBAAwB,aAAa,EAAE,IAAI,6BAA6B,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,IACrH;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAACC,eAAcC,WAAU;AAAA,IACxC,SAAS;AAAA,MACP,EAAE,MAAM,oBAAoB,aAAa,EAAE,IAAI,yBAAyB,GAAG,UAAU,KAAK;AAAA,MAC1F,EAAE,MAAM,wBAAwB,aAAa,EAAE,IAAI,6BAA6B,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,IACrH;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAACD,eAAcC,WAAU;AAAA,IACxC,SAAS;AAAA,MACP,EAAE,MAAM,oBAAoB,aAAa,EAAE,IAAI,yBAAyB,GAAG,UAAU,KAAK;AAAA,MAC1F,EAAE,MAAM,wBAAwB,aAAa,EAAE,IAAI,6BAA6B,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,MACnH,EAAE,MAAM,cAAc,aAAa,EAAE,IAAI,oDAAoD,GAAG,UAAU,MAAM;AAAA,IAClH;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAACD,eAAiBC,WAAa;AAAA,IAC9C,SAAS;AAAA,MACP,EAAE,MAAM,uBAAuB,aAAa,EAAE,IAAI,4BAA4B,GAAG,UAAU,KAAK;AAAA,MAChG,EAAE,MAAM,2BAA2B,aAAa,EAAE,IAAI,gCAAgC,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,MACzH,EAAE,MAAM,uBAAuB,aAAa,EAAE,IAAI,uCAAuC,GAAG,UAAU,MAAM;AAAA,IAC9G;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAACD,eAAgBC,WAAY;AAAA,IAC5C,SAAS;AAAA,MACP,EAAE,MAAM,gBAAgB,aAAa,EAAE,IAAI,wBAAwB,GAAG,UAAU,KAAK;AAAA,MACrF,EAAE,MAAM,sBAAsB,aAAa,EAAE,IAAI,2BAA2B,GAAG,UAAU,KAAK;AAAA,MAC9F,EAAE,MAAM,0BAA0B,aAAa,EAAE,IAAI,+BAA+B,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,IACzH;AAAA,EACF;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,SAAS,MAAM,CAACD,eAAYC,WAAQ;AAAA,IACpC,SAAS;AAAA,MACP,EAAE,MAAM,mBAAmB,aAAa,EAAE,IAAI,uCAAuC,GAAG,UAAU,KAAK;AAAA,MACvG,EAAE,MAAM,kBAAkB,aAAa,EAAE,IAAI,iBAAiB,GAAG,UAAU,KAAK;AAAA,MAChF,EAAE,MAAM,sBAAsB,aAAa,EAAE,IAAI,qBAAqB,GAAG,UAAU,MAAM,WAAW,KAAK;AAAA,IAC3G;AAAA,EACF;AACF;AAMA,IAAM,kBAAkB,UAAU,OAAO,OAAK,CAAC,CAAC,QAAQ,IAAI,EAAE,MAAM,CAAC;AACrE,IAAM,kBAAkB,gBAAgB,QAAQ,OAAK,EAAE,QAAQ,CAAC;AAChE,IAAM,gBAAgB,gBAAgB,QAAQ,OAAK,EAAE,OAAO;AAG5D,IAAM,aAA6B;AAAA,EACjC,MAAM;AAAA,EACN,MAAM;AAAA,EACN,UAAU;AAAA,EACV,OAAO,EAAE,IAAI,yBAAyB,IAAI,0BAA0B;AAAA,EACpE,MAAM;AAAA,EACN,aAAa,CAAC,yBAAyB;AACzC;AAEA,IAAM,gBAAgB,gBAAgB,SAAS,IAC3C,CAAC,YAAY,GAAG,eAAe,IAC/B,CAAC;AAME,IAAM,sBAAsC;AAAA,EACjD,MAAM;AAAA,EACN,MAAM;AAAA,EACN,SAAS,IAAI;AAAA,EACb,OAAO,EAAE,IAAI,kBAAkB,IAAI,sBAAsB;AAAA,EACzD,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,IACX,IAAI;AAAA,IACJ,IAAI;AAAA,EACN;AAAA,EACA,SAAS;AAAA,EACT,SAAS;AACX;AAEA,IAAO,gBAAQ;","names":["configModule","authModule","ofetch","configModule","authModule","getOidcClient","configModule","authModule","getOidcClient","configModule","authModule","getOidcClient","configModule","authModule","configModule","authModule"]}

package/dist/shared/index.d.ts ADDED Viewed

@@ -0,0 +1,402 @@
+import { OidcState, SessionResult, ModuleContext, ActionDefinition, SingleEntityDefinition, LocalizedString, ModuleManifest, AuthProviderInfo } from '@gzl10/nexus-sdk';
+import { Request } from 'express';
+/**
+ * Auth Plugin Base Types
+ *
+ * Shared types for OAuth/OIDC authentication plugins.
+ * Eliminates duplication across google-auth, pocketid, github-auth plugins.
+ */
+/**
+ * Extended OAuth state with returnUrl for post-auth frontend redirects.
+ * Used by all auth plugins regardless of protocol (OIDC or OAuth 2.0).
+ */
+interface AuthPluginState extends OidcState {
+    /** Frontend URL to redirect user after auth completes */
+    returnUrl?: string;
+}
+/**
+ * Session result with optional redirect URL.
+ * Returned by handleCallback after successful authentication.
+ */
+interface AuthPluginSessionResult extends SessionResult {
+    /** Frontend URL to redirect user after auth (server-side flow) */
+    returnUrl?: string;
+}
+/**
+ * Subset of core AuthService used by auth plugins.
+ * Registered as `ctx.services.get('auth')` by nexus-backend.
+ *
+ * Auth plugins use this interface to:
+ * - Find/create users
+ * - Link/unlink external identities
+ * - Create session tokens
+ */
+interface CoreAuthService {
+    findUserById(id: string): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+    } | null>;
+    findUserByEmail(email: string): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+    } | null>;
+    createUser(data: {
+        email: string;
+        name?: string;
+        role?: string;
+    }): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+    }>;
+    createTokens(user: {
+        id: string;
+    }): Promise<{
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    }>;
+    findIdentity(provider: string, providerUserId: string): Promise<AuthIdentity | undefined>;
+    findIdentitiesByUser(userId: string, provider?: string): Promise<AuthIdentity[]>;
+    linkIdentity(input: LinkIdentityInput): Promise<AuthIdentity>;
+    unlinkIdentity(provider: string, providerUserId: string): Promise<boolean>;
+    updateIdentityLogin(provider: string, providerUserId: string): Promise<void>;
+}
+/**
+ * External auth identity (mirrors core auth_identities table)
+ */
+interface AuthIdentity {
+    id: string;
+    user_id: string;
+    provider: string;
+    provider_user_id: string;
+    provider_email: string | null;
+    metadata: Record<string, unknown> | null;
+    linked_at: string;
+    last_login_at: string | null;
+}
+/**
+ * Input for linking an external identity to a Nexus user
+ */
+interface LinkIdentityInput {
+    userId: string;
+    provider: string;
+    providerUserId: string;
+    providerEmail?: string | null;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Normalized user info from any OAuth/OIDC provider.
+ * Adapters map provider-specific responses to this common shape.
+ *
+ * @example Google/PocketID (OIDC)
+ * { providerUserId: userInfo.sub, email: userInfo.email, name: userInfo.name }
+ *
+ * @example GitHub (OAuth 2.0)
+ * { providerUserId: String(user.id), email: user.email, name: user.name || user.login }
+ */
+interface AuthPluginUserInfo {
+    /** Provider's user ID (OIDC `sub` or GitHub `id.toString()`) */
+    providerUserId: string;
+    /** User's email (may be null if not public/granted) */
+    email: string | null;
+    /** User's display name */
+    name: string | null;
+    /** Raw provider response for metadata storage */
+    raw: Record<string, unknown>;
+}
+/**
+ * Config service interface for auth plugins.
+ * Created by `createAuthConfigModule()`.
+ */
+interface AuthPluginConfigService<TConfig = unknown> {
+    getConfig(): Promise<TConfig | null>;
+    isEnabled(): Promise<boolean>;
+}
+/**
+ * Auth Plugin Adapter Interface
+ *
+ * Strategy pattern: each auth plugin implements this interface
+ * to handle provider-specific OAuth/OIDC details.
+ *
+ * The base service (`createAuthPluginService`) handles all shared logic
+ * (state management, identity resolution, session creation) and delegates
+ * provider-specific operations to the adapter.
+ */
+/**
+ * Base configuration shared by all auth plugins.
+ * Plugins can extend this with provider-specific fields
+ * (e.g., `hosted_domain` for Google, `issuer_url` for PocketID).
+ */
+interface AuthPluginBaseConfig {
+    enabled: boolean;
+    client_id: string;
+    client_secret: string;
+    scopes: string;
+    allowed_domains: string | null;
+    default_role: string;
+}
+/** Parameters for building the authorization URL */
+interface BuildAuthUrlParams {
+    redirectUri: string;
+    state: string;
+    nonce: string;
+    scopes: string[];
+}
+/**
+ * Adapter that each auth plugin must implement.
+ *
+ * @example OIDC adapter (Google, PocketID)
+ * ```typescript
+ * const adapter: AuthPluginAdapter<GoogleConfig> = {
+ *   provider: 'google',
+ *   getValidConfig: () => configService.getConfig(),
+ *   buildAuthorizationUrl: (config, params) => oidcClient.buildAuthorizationUrl(...),
+ *   exchangeCodeAndGetUserInfo: async (config, code, redirectUri, nonce) => {
+ *     const tokens = await oidcClient.exchangeCode(...)
+ *     const userInfo = await oidcClient.getUserInfo(...)
+ *     return { providerUserId: userInfo.sub, email: userInfo.email, ... }
+ *   }
+ * }
+ * ```
+ *
+ * @example OAuth 2.0 adapter (GitHub)
+ * ```typescript
+ * const adapter: AuthPluginAdapter<GitHubConfig> = {
+ *   provider: 'github',
+ *   getValidConfig: () => configService.getConfig(),
+ *   buildAuthorizationUrl: (config, params) => {
+ *     return `https://github.com/login/oauth/authorize?${new URLSearchParams(...)}`
+ *   },
+ *   exchangeCodeAndGetUserInfo: async (config, code, redirectUri) => {
+ *     const token = await ofetch(GITHUB_TOKEN_URL, ...)
+ *     const user = await ofetch(GITHUB_USER_URL, ...)
+ *     return { providerUserId: String(user.id), email: user.email, ... }
+ *   }
+ * }
+ * ```
+ */
+interface AuthPluginAdapter<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig> {
+    /** Provider identifier (e.g., 'google', 'github', 'pocketid') */
+    provider: string;
+    /** Get validated config or throw ForbiddenError if disabled/misconfigured */
+    getValidConfig(): Promise<TConfig>;
+    /** Build the provider's authorization URL */
+    buildAuthorizationUrl(config: TConfig, params: BuildAuthUrlParams): Promise<string>;
+    /**
+     * Exchange authorization code for user info.
+     * Handles the full token exchange + user info retrieval.
+     *
+     * For OIDC: exchange code, validate ID token, get userinfo
+     * For OAuth 2.0: exchange code, call user API
+     *
+     * @param config - Validated provider config
+     * @param code - Authorization code from callback
+     * @param redirectUri - Redirect URI used in authorization request
+     * @param nonce - Nonce for OIDC ID token validation (empty string for OAuth 2.0)
+     */
+    exchangeCodeAndGetUserInfo(config: TConfig, code: string, redirectUri: string, nonce: string): Promise<AuthPluginUserInfo>;
+}
+/**
+ * Auth plugin service returned by `createAuthPluginService()`.
+ * All auth plugins expose this same interface.
+ */
+interface AuthPluginService {
+    /** Generate authorization URL and redirect state */
+    getAuthorizationUrl(redirectUri: string, linkUserId?: string, returnUrl?: string): Promise<{
+        url: string;
+        state: string;
+    }>;
+    /** Handle OAuth/OIDC callback after provider redirect */
+    handleCallback(code: string, state: string): Promise<AuthPluginSessionResult>;
+    /** Verify state is valid (non-destructive peek) */
+    verifyState(state: string): Promise<AuthPluginState | null>;
+    /** Clear state after use */
+    clearState(state: string): Promise<void>;
+}
+/**
+ * Build the backend's callback URL from the request.
+ * Supports BACKEND_URL env var override (consistent across all plugins).
+ */
+declare function buildCallbackUrl(moduleName: string, req?: Request): string;
+/**
+ * Create an auth plugin service from an adapter.
+ *
+ * @example
+ * ```typescript
+ * const service = createAuthPluginService({
+ *   adapter: createGoogleAdapter(ctx),
+ *   ctx
+ * })
+ * ```
+ */
+declare function createAuthPluginService<TConfig extends AuthPluginBaseConfig>(options: {
+    adapter: AuthPluginAdapter<TConfig>;
+    ctx: ModuleContext;
+}): AuthPluginService;
+/**
+ * Auth Plugin Controller Factory
+ *
+ * Generates the 4 standard action definitions that every auth plugin needs:
+ * - authorize: Start OAuth/OIDC flow (GET, skipAuth)
+ * - callback: Handle provider callback (GET, skipAuth)
+ * - link: Link existing account (GET, requires auth)
+ * - status: Check if provider is linked (GET, requires auth)
+ */
+interface AuthControllerOptions {
+    /** Provider identifier (e.g., 'google', 'github') */
+    provider: string;
+    /** Module name for URL paths (e.g., 'google_auth') */
+    moduleName: string;
+    /** CASL subject for permissions (e.g., 'GoogleAuth') */
+    caslSubject: string;
+    /** Additional friendly error messages for the callback handler */
+    friendlyErrors?: Record<string, string>;
+}
+/**
+ * Create the 4 standard auth plugin actions.
+ *
+ * @param options - Controller configuration
+ * @param getAuthService - Getter for the auth plugin service (deferred to avoid init order issues)
+ */
+declare function createAuthPluginActions(options: AuthControllerOptions, getAuthService: () => AuthPluginService): ActionDefinition[];
+/**
+ * Unified Auth Providers Config Entity
+ *
+ * Single table `auth_providers_config` with one row per provider.
+ * Replaces separate tables (google_auth_config, pocketid_config, github_auth_config).
+ *
+ * Provider-specific fields (hosted_domain, issuer_url) go in `extra_config` JSON.
+ */
+/**
+ * Unified config entity for all auth providers.
+ *
+ * Each provider gets one row, identified by the `provider` column.
+ * The `scopeField: 'provider'` makes each provider a separate "scope",
+ * so the config UI shows each provider's settings independently.
+ *
+ * Usage: Include this entity in the core auth module's definitions.
+ *
+ * @example Backend auth module
+ * ```typescript
+ * import { authProvidersConfigEntity } from '@gzl10/nexus-sdk'
+ *
+ * export const authModule: ModuleManifest = {
+ *   definitions: [..., authProvidersConfigEntity],
+ * }
+ * ```
+ */
+declare const authProvidersConfigEntity: SingleEntityDefinition;
+/**
+ * Auth Config Module Factory
+ *
+ * Creates a module that seeds the provider's row in the unified
+ * `auth_providers_config` table and registers a config service.
+ *
+ * The entity itself is registered by the core auth module.
+ * This module only handles seeding + config service registration.
+ */
+interface AuthConfigModuleOptions {
+    /** Module name (e.g., 'google_auth_config') */
+    name: string;
+    /** Module label */
+    label: LocalizedString;
+    /** Provider identifier (e.g., 'google', 'github', 'pocketid') */
+    provider: string;
+    /** Environment variable prefix (e.g., 'GOOGLE' reads GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET) */
+    envPrefix: string;
+    /** Default scopes for this provider */
+    defaultScopes: string;
+    /** Default role for new users (default: 'USER') */
+    defaultRole?: string;
+    /** Extra config values for the seed (e.g., { issuer_url: '...' }) */
+    extraConfig?: Record<string, unknown>;
+}
+/**
+ * Create the config module for an auth plugin.
+ *
+ * This module:
+ * 1. Seeds the provider's row from environment variables
+ * 2. Registers a config service scoped to this provider
+ *
+ * Note: The `auth_providers_config` entity is registered by the core auth module.
+ *
+ * @example
+ * ```typescript
+ * const configModule = createAuthConfigModule({
+ *   name: 'google_auth_config',
+ *   label: { en: 'Google Auth Config' },
+ *   provider: 'google',
+ *   envPrefix: 'GOOGLE',
+ *   defaultScopes: 'openid profile email',
+ *   extraConfig: { hosted_domain: null }
+ * })
+ * ```
+ */
+declare function createAuthConfigModule(options: AuthConfigModuleOptions): ModuleManifest;
+/**
+ * Auth Module Factory
+ *
+ * Creates the complete auth module for a plugin, including:
+ * - Auth plugin service (state management, identity resolution, session creation)
+ * - Auth controller (4 actions: authorize, callback, link, status)
+ * - AuthProviderService registration (for dynamic login buttons in UI)
+ */
+interface AuthModuleOptions<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig> {
+    /** Module name (e.g., 'google_auth') */
+    name: string;
+    /** Module label */
+    label: LocalizedString;
+    /** Config module dependency name (e.g., 'google_auth_config') */
+    configDependency: string;
+    /** Provider identifier (e.g., 'google') */
+    provider: string;
+    /** CASL subject for permissions (e.g., 'GoogleAuth') */
+    caslSubject: string;
+    /** Provider info for the dynamic login button (icon, color, label) */
+    providerInfo: Omit<AuthProviderInfo, 'authorizeEndpoint'>;
+    /** Factory function to create the provider-specific adapter */
+    createAdapter: (ctx: ModuleContext) => AuthPluginAdapter<TConfig>;
+    /** Additional friendly error messages for the callback */
+    friendlyErrors?: Record<string, string>;
+}
+/**
+ * Create the auth module for a plugin.
+ *
+ * @example Google Auth
+ * ```typescript
+ * const authModule = createAuthModule({
+ *   name: 'google_auth',
+ *   label: { en: 'Google Auth' },
+ *   configDependency: 'google_auth_config',
+ *   provider: 'google',
+ *   caslSubject: 'GoogleAuth',
+ *   providerInfo: {
+ *     code: 'GOOGLE_AUTH',
+ *     provider: 'google',
+ *     icon: 'mdi:google',
+ *     label: { en: 'Sign in with Google' },
+ *     color: '#4285F4'
+ *   },
+ *   createAdapter: createGoogleAdapter
+ * })
+ * ```
+ */
+declare function createAuthModule<TConfig extends AuthPluginBaseConfig = AuthPluginBaseConfig>(options: AuthModuleOptions<TConfig>): ModuleManifest;
+export { type AuthConfigModuleOptions, type AuthControllerOptions, type AuthIdentity, type AuthModuleOptions, type AuthPluginAdapter, type AuthPluginBaseConfig, type AuthPluginConfigService, type AuthPluginService, type AuthPluginSessionResult, type AuthPluginState, type AuthPluginUserInfo, type BuildAuthUrlParams, type CoreAuthService, type LinkIdentityInput, authProvidersConfigEntity, buildCallbackUrl, createAuthConfigModule, createAuthModule, createAuthPluginActions, createAuthPluginService };

package/dist/shared/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+import {
+  authProvidersConfigEntity,
+  buildCallbackUrl,
+  createAuthConfigModule,
+  createAuthModule,
+  createAuthPluginActions,
+  createAuthPluginService
+} from "../chunk-TPBCCFGG.js";
+export {
+  authProvidersConfigEntity,
+  buildCallbackUrl,
+  createAuthConfigModule,
+  createAuthModule,
+  createAuthPluginActions,
+  createAuthPluginService
+};
+//# sourceMappingURL=index.js.map

package/dist/shared/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/image.png ADDED Viewed

Binary file

package/package.json ADDED Viewed

@@ -0,0 +1,42 @@
+{
+  "name": "@gzl10/nexus-plugin-auth-providers",
+  "version": "0.14.0",
+  "type": "module",
+  "description": "Consolidated auth providers plugin for Nexus BaaS (Google, GitHub, GitLab, Microsoft, PocketID, Generic OIDC)",
+  "license": "MIT",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./shared": {
+      "import": "./dist/shared/index.js",
+      "types": "./dist/shared/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "image.png"
+  ],
+  "peerDependencies": {
+    "@gzl10/nexus-sdk": ">=0.14.0",
+    "express": "^5.0.0"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "ofetch": "^1.4.0"
+  },
+  "devDependencies": {
+    "@gzl10/nexus-sdk": "0.15.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "lint": "eslint .",
+    "test": "vitest run --passWithNoTests",
+    "typecheck": "tsc --noEmit"
+  }
+}