@hammadj/better-auth-core 1.5.0-beta.9

package/dist/types/plugin-client.d.mts

@@ -0,0 +1,112 @@
+import { LiteralString } from "./helper.mjs";
+import { BetterAuthPlugin } from "./plugin.mjs";
+import { BetterAuthOptions } from "./init-options.mjs";
+import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
+import { Atom, WritableAtom } from "nanostores";
+
+//#region src/types/plugin-client.d.ts
+interface ClientStore {
+  notify: (signal: string) => void;
+  listen: (signal: string, listener: () => void) => void;
+  atoms: Record<string, WritableAtom<any>>;
+}
+type ClientAtomListener = {
+  matcher: (path: string) => boolean;
+  signal: "$sessionSignal" | Omit<string, "$sessionSignal">;
+};
+/**
+ * Better-Fetch options but with additional options for the auth-client.
+ */
+type ClientFetchOption<Body = any, Query extends Record<string, any> = any, Params extends Record<string, any> | Array<string> | undefined = any, Res = any> = BetterFetchOption<Body, Query, Params, Res> & {
+  /**
+   * Certain endpoints, upon successful response, will trigger atom signals and thus rerendering all hooks related to that atom.
+   *
+   * This option is useful when you want to skip hook rerenders.
+   */
+  disableSignal?: boolean | undefined;
+};
+interface RevalidateOptions {
+  /**
+   * A time interval (in seconds) after which the session will be re-fetched.
+   * If set to `0` (default), the session is not polled.
+   *
+   * This helps prevent session expiry during idle periods by periodically
+   * refreshing the session.
+   *
+   * @default 0
+   */
+  refetchInterval?: number | undefined;
+  /**
+   * Automatically refetch the session when the user switches back to the window/tab.
+   * This option activates this behavior if set to `true` (default).
+   *
+   * Prevents expired sessions when users switch tabs and come back later.
+   *
+   * @default true
+   */
+  refetchOnWindowFocus?: boolean | undefined;
+  /**
+   * Set to `false` to stop polling when the device has no internet access
+   * (determined by `navigator.onLine`).
+   *
+   * @default false
+   * @see https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine
+   */
+  refetchWhenOffline?: boolean | undefined;
+}
+interface BetterAuthClientOptions {
+  fetchOptions?: ClientFetchOption | undefined;
+  plugins?: BetterAuthClientPlugin[] | undefined;
+  baseURL?: string | undefined;
+  basePath?: string | undefined;
+  disableDefaultFetchPlugins?: boolean | undefined;
+  $InferAuth?: BetterAuthOptions | undefined;
+  sessionOptions?: RevalidateOptions | undefined;
+}
+interface BetterAuthClientPlugin {
+  id: LiteralString;
+  /**
+   * only used for type inference. don't pass the
+   * actual plugin
+   */
+  $InferServerPlugin?: BetterAuthPlugin | undefined;
+  /**
+   * Custom actions
+   */
+  getActions?: ($fetch: BetterFetch, $store: ClientStore,
+  /**
+   * better-auth client options
+   */
+
+  options: BetterAuthClientOptions | undefined) => Record<string, any>;
+  /**
+   * State atoms that'll be resolved by each framework
+   * auth store.
+   */
+  getAtoms?: (($fetch: BetterFetch) => Record<string, Atom<any>>) | undefined;
+  /**
+   * specify path methods for server plugin inferred
+   * endpoints to force a specific method.
+   */
+  pathMethods?: Record<string, "POST" | "GET"> | undefined;
+  /**
+   * Better fetch plugins
+   */
+  fetchPlugins?: BetterFetchPlugin[] | undefined;
+  /**
+   * a list of recaller based on a matcher function.
+   * The signal name needs to match a signal in this
+   * plugin or any plugin the user might have added.
+   */
+  atomListeners?: ClientAtomListener[] | undefined;
+  /**
+   * The error codes returned by the plugin
+   */
+  $ERROR_CODES?: Record<string, {
+    code: string;
+    message: string;
+  }>;
+}
+//#endregion
+export { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientFetchOption, ClientStore };
+//# sourceMappingURL=plugin-client.d.mts.map

package/dist/types/plugin.d.mts

@@ -0,0 +1,125 @@
+import { BetterAuthPluginDBSchema } from "../db/plugin.mjs";
+import "../db/index.mjs";
+import { Awaitable, LiteralString } from "./helper.mjs";
+import { BetterAuthOptions } from "./init-options.mjs";
+import { AuthContext } from "./context.mjs";
+import { AuthMiddleware } from "../api/index.mjs";
+import { Endpoint, EndpointContext, InputContext, Middleware } from "better-call";
+import { Migration } from "kysely";
+
+//#region src/types/plugin.d.ts
+type DeepPartial<T> = T extends Function ? T : T extends object ? { [K in keyof T]?: DeepPartial<T[K]> } : T;
+type HookEndpointContext = Partial<EndpointContext<string, any> & Omit<InputContext<string, any>, "method">> & {
+  path?: string;
+  context: AuthContext & {
+    returned?: unknown | undefined;
+    responseHeaders?: Headers | undefined;
+  };
+  headers?: Headers | undefined;
+};
+type BetterAuthPlugin = {
+  id: LiteralString;
+  /**
+   * The init function is called when the plugin is initialized.
+   * You can return a new context or modify the existing context.
+   */
+  init?: ((ctx: AuthContext) => Awaitable<{
+    context?: DeepPartial<Omit<AuthContext, "options">>;
+    options?: Partial<BetterAuthOptions>;
+  }> | void | Promise<void>) | undefined;
+  endpoints?: {
+    [key: string]: Endpoint;
+  } | undefined;
+  middlewares?: {
+    path: string;
+    middleware: Middleware;
+  }[] | undefined;
+  onRequest?: ((request: Request, ctx: AuthContext) => Promise<{
+    response: Response;
+  } | {
+    request: Request;
+  } | void>) | undefined;
+  onResponse?: ((response: Response, ctx: AuthContext) => Promise<{
+    response: Response;
+  } | void>) | undefined;
+  hooks?: {
+    before?: {
+      matcher: (context: HookEndpointContext) => boolean;
+      handler: AuthMiddleware;
+    }[];
+    after?: {
+      matcher: (context: HookEndpointContext) => boolean;
+      handler: AuthMiddleware;
+    }[];
+  } | undefined;
+  /**
+   * Schema the plugin needs
+   *
+   * This will also be used to migrate the database. If the fields are dynamic from the plugins
+   * configuration each time the configuration is changed a new migration will be created.
+   *
+   * NOTE: If you want to create migrations manually using
+   * migrations option or any other way you
+   * can disable migration per table basis.
+   *
+   * @example
+   * ```ts
+   * schema: {
+   * 	user: {
+   * 		fields: {
+   * 			email: {
+   * 				 type: "string",
+   * 			},
+   * 			emailVerified: {
+   * 				type: "boolean",
+   * 				defaultValue: false,
+   * 			},
+   * 		},
+   * 	}
+   * } as AuthPluginSchema
+   * ```
+   */
+  schema?: BetterAuthPluginDBSchema | undefined;
+  /**
+   * The migrations of the plugin. If you define schema that will automatically create
+   * migrations for you.
+   *
+   * ⚠️ Only uses this if you dont't want to use the schema option and you disabled migrations for
+   * the tables.
+   */
+  migrations?: Record<string, Migration> | undefined;
+  /**
+   * The options of the plugin
+   */
+  options?: Record<string, any> | undefined;
+  /**
+   * types to be inferred
+   */
+  $Infer?: Record<string, any> | undefined;
+  /**
+   * The rate limit rules to apply to specific paths.
+   */
+  rateLimit?: {
+    window: number;
+    max: number;
+    pathMatcher: (path: string) => boolean;
+  }[] | undefined;
+  /**
+   * The error codes returned by the plugin
+   */
+  $ERROR_CODES?: Record<string, {
+    code: string;
+    message: string;
+  }> | undefined;
+  /**
+   * All database operations that are performed by the plugin
+   *
+   * This will override the default database operations
+   */
+  adapter?: {
+    [key: string]: (...args: any[]) => Awaitable<any>;
+  };
+};
+//#endregion
+export { BetterAuthPlugin, HookEndpointContext };
+//# sourceMappingURL=plugin.d.mts.map

package/dist/utils/db.d.mts

@@ -0,0 +1,12 @@
+import { DBFieldAttribute } from "../db/type.mjs";
+import "../db/index.mjs";
+
+//#region src/utils/db.d.ts
+/**
+ * Filters output data by removing fields with the `returned: false` attribute.
+ * This ensures sensitive fields are not exposed in API responses.
+ */
+declare function filterOutputFields<T extends Record<string, unknown> | null>(data: T, additionalFields: Record<string, DBFieldAttribute> | undefined): T;
+//#endregion
+export { filterOutputFields };
+//# sourceMappingURL=db.d.mts.map

package/dist/utils/db.mjs

@@ -0,0 +1,17 @@
+//#region src/utils/db.ts
+/**
+* Filters output data by removing fields with the `returned: false` attribute.
+* This ensures sensitive fields are not exposed in API responses.
+*/
+function filterOutputFields(data, additionalFields) {
+	if (!data || !additionalFields) return data;
+	const returnFiltered = Object.entries(additionalFields).filter(([, { returned }]) => returned === false).map(([key]) => key);
+	return Object.entries(structuredClone(data)).filter(([key]) => !returnFiltered.includes(key)).reduce((acc, [key, value]) => ({
+		...acc,
+		[key]: value
+	}), {});
+}
+
+//#endregion
+export { filterOutputFields };
+//# sourceMappingURL=db.mjs.map

package/dist/utils/db.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.mjs","names":[],"sources":["../../src/utils/db.ts"],"sourcesContent":["import type { DBFieldAttribute } from \"../db\";\n\n/**\n * Filters output data by removing fields with the `returned: false` attribute.\n * This ensures sensitive fields are not exposed in API responses.\n */\nexport function filterOutputFields<T extends Record<string, unknown> | null>(\n\tdata: T,\n\tadditionalFields: Record<string, DBFieldAttribute> | undefined,\n): T {\n\tif (!data || !additionalFields) {\n\t\treturn data;\n\t}\n\tconst returnFiltered = Object.entries(additionalFields)\n\t\t.filter(([, { returned }]) => returned === false)\n\t\t.map(([key]) => key);\n\treturn Object.entries(structuredClone(data))\n\t\t.filter(([key]) => !returnFiltered.includes(key))\n\t\t.reduce((acc, [key, value]) => ({ ...acc, [key]: value }), {} as T);\n}\n"],"mappings":";;;;;AAMA,SAAgB,mBACf,MACA,kBACI;AACJ,KAAI,CAAC,QAAQ,CAAC,iBACb,QAAO;CAER,MAAM,iBAAiB,OAAO,QAAQ,iBAAiB,CACrD,QAAQ,GAAG,EAAE,gBAAgB,aAAa,MAAM,CAChD,KAAK,CAAC,SAAS,IAAI;AACrB,QAAO,OAAO,QAAQ,gBAAgB,KAAK,CAAC,CAC1C,QAAQ,CAAC,SAAS,CAAC,eAAe,SAAS,IAAI,CAAC,CAChD,QAAQ,KAAK,CAAC,KAAK,YAAY;EAAE,GAAG;GAAM,MAAM;EAAO,GAAG,EAAE,CAAM"}

package/dist/utils/deprecate.d.mts

@@ -0,0 +1,10 @@
+import { InternalLogger } from "../env/logger.mjs";
+
+//#region src/utils/deprecate.d.ts
+/**
+ * Wraps a function to log a deprecation warning at once.
+ */
+declare function deprecate<T extends (...args: any[]) => any>(fn: T, message: string, logger?: InternalLogger): T;
+//#endregion
+export { deprecate };
+//# sourceMappingURL=deprecate.d.mts.map

package/dist/utils/deprecate.mjs

@@ -0,0 +1,18 @@
+//#region src/utils/deprecate.ts
+/**
+* Wraps a function to log a deprecation warning at once.
+*/
+function deprecate(fn, message, logger) {
+	let warned = false;
+	return function(...args) {
+		if (!warned) {
+			(logger?.warn ?? console.warn)(`[Deprecation] ${message}`);
+			warned = true;
+		}
+		return fn.apply(this, args);
+	};
+}
+
+//#endregion
+export { deprecate };
+//# sourceMappingURL=deprecate.mjs.map

package/dist/utils/deprecate.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"deprecate.mjs","names":[],"sources":["../../src/utils/deprecate.ts"],"sourcesContent":["import type { InternalLogger } from \"../env\";\n\n/**\n * Wraps a function to log a deprecation warning at once.\n */\nexport function deprecate<T extends (...args: any[]) => any>(\n\tfn: T,\n\tmessage: string,\n\tlogger?: InternalLogger,\n): T {\n\tlet warned = false;\n\n\treturn function (this: any, ...args: Parameters<T>): ReturnType<T> {\n\t\tif (!warned) {\n\t\t\tconst warn = logger?.warn ?? console.warn;\n\t\t\twarn(`[Deprecation] ${message}`);\n\t\t\twarned = true;\n\t\t}\n\t\treturn fn.apply(this, args);\n\t} as T;\n}\n"],"mappings":";;;;AAKA,SAAgB,UACf,IACA,SACA,QACI;CACJ,IAAI,SAAS;AAEb,QAAO,SAAqB,GAAG,MAAoC;AAClE,MAAI,CAAC,QAAQ;AAEZ,IADa,QAAQ,QAAQ,QAAQ,MAChC,iBAAiB,UAAU;AAChC,YAAS;;AAEV,SAAO,GAAG,MAAM,MAAM,KAAK"}

package/dist/utils/error-codes.d.mts

@@ -0,0 +1,13 @@
+//#region src/utils/error-codes.d.ts
+type UpperLetter = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z";
+type SpecialCharacter = "_";
+type IsValidUpperSnakeCase<S extends string> = S extends `${infer F}${infer R}` ? F extends UpperLetter | SpecialCharacter ? IsValidUpperSnakeCase<R> : false : true;
+type InvalidKeyError<K extends string> = `Invalid error code key: "${K}" - must only contain uppercase letters (A-Z) and underscores (_)`;
+type ValidateErrorCodes<T> = { [K in keyof T]: K extends string ? IsValidUpperSnakeCase<K> extends false ? InvalidKeyError<K> : T[K] : T[K] };
+declare function defineErrorCodes<const T extends Record<string, string>>(codes: ValidateErrorCodes<T>): { [K in keyof T]: {
+  code: K;
+  message: T[K];
+} };
+//#endregion
+export { defineErrorCodes };
+//# sourceMappingURL=error-codes.d.mts.map

package/dist/utils/error-codes.mjs

@@ -0,0 +1,12 @@
+//#region src/utils/error-codes.ts
+function defineErrorCodes(codes) {
+	return Object.fromEntries(Object.entries(codes).map(([key, value]) => [key, {
+		code: key,
+		message: value,
+		toString: () => value
+	}]));
+}
+
+//#endregion
+export { defineErrorCodes };
+//# sourceMappingURL=error-codes.mjs.map

package/dist/utils/error-codes.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../src/utils/error-codes.ts"],"sourcesContent":["type UpperLetter =\n\t| \"A\"\n\t| \"B\"\n\t| \"C\"\n\t| \"D\"\n\t| \"E\"\n\t| \"F\"\n\t| \"G\"\n\t| \"H\"\n\t| \"I\"\n\t| \"J\"\n\t| \"K\"\n\t| \"L\"\n\t| \"M\"\n\t| \"N\"\n\t| \"O\"\n\t| \"P\"\n\t| \"Q\"\n\t| \"R\"\n\t| \"S\"\n\t| \"T\"\n\t| \"U\"\n\t| \"V\"\n\t| \"W\"\n\t| \"X\"\n\t| \"Y\"\n\t| \"Z\";\ntype SpecialCharacter = \"_\";\n\ntype IsValidUpperSnakeCase<S extends string> = S extends `${infer F}${infer R}`\n\t? F extends UpperLetter | SpecialCharacter\n\t\t? IsValidUpperSnakeCase<R>\n\t\t: false\n\t: true;\n\ntype InvalidKeyError<K extends string> =\n\t`Invalid error code key: \"${K}\" - must only contain uppercase letters (A-Z) and underscores (_)`;\n\ntype ValidateErrorCodes<T> = {\n\t[K in keyof T]: K extends string\n\t\t? IsValidUpperSnakeCase<K> extends false\n\t\t\t? InvalidKeyError<K>\n\t\t\t: T[K]\n\t\t: T[K];\n};\n\nexport function defineErrorCodes<const T extends Record<string, string>>(\n\tcodes: ValidateErrorCodes<T>,\n): {\n\t[K in keyof T]: {\n\t\tcode: K;\n\t\tmessage: T[K];\n\t};\n} {\n\treturn Object.fromEntries(\n\t\tObject.entries(codes).map(([key, value]) => [\n\t\t\tkey,\n\t\t\t{\n\t\t\t\tcode: key,\n\t\t\t\tmessage: value,\n\t\t\t\ttoString: () => value,\n\t\t\t},\n\t\t]),\n\t) as any;\n}\n"],"mappings":";AA8CA,SAAgB,iBACf,OAMC;AACD,QAAO,OAAO,YACb,OAAO,QAAQ,MAAM,CAAC,KAAK,CAAC,KAAK,WAAW,CAC3C,KACA;EACC,MAAM;EACN,SAAS;EACT,gBAAgB;EAChB,CACD,CAAC,CACF"}

package/dist/utils/id.d.mts

@@ -0,0 +1,5 @@
+//#region src/utils/id.d.ts
+declare const generateId: (size?: number) => string;
+//#endregion
+export { generateId };
+//# sourceMappingURL=id.d.mts.map

package/dist/utils/id.mjs

@@ -0,0 +1,10 @@
+import { createRandomStringGenerator } from "@better-auth/utils/random";
+
+//#region src/utils/id.ts
+const generateId = (size) => {
+	return createRandomStringGenerator("a-z", "A-Z", "0-9")(size || 32);
+};
+
+//#endregion
+export { generateId };
+//# sourceMappingURL=id.mjs.map

package/dist/utils/id.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"id.mjs","names":[],"sources":["../../src/utils/id.ts"],"sourcesContent":["import { createRandomStringGenerator } from \"@better-auth/utils/random\";\n\nexport const generateId = (size?: number) => {\n\treturn createRandomStringGenerator(\"a-z\", \"A-Z\", \"0-9\")(size || 32);\n};\n"],"mappings":";;;AAEA,MAAa,cAAc,SAAkB;AAC5C,QAAO,4BAA4B,OAAO,OAAO,MAAM,CAAC,QAAQ,GAAG"}

package/dist/utils/ip.d.mts

@@ -0,0 +1,55 @@
+//#region src/utils/ip.d.ts
+/**
+ * Normalizes an IP address for consistent rate limiting.
+ *
+ * Features:
+ * - Normalizes IPv6 to canonical lowercase form
+ * - Converts IPv4-mapped IPv6 to IPv4
+ * - Supports IPv6 subnet extraction
+ * - Handles all edge cases (::1, ::, etc.)
+ */
+interface NormalizeIPOptions {
+  /**
+   * For IPv6 addresses, extract the subnet prefix instead of full address.
+   * Common values: 32, 48, 64, 128 (default: 128 = full address)
+   *
+   * @default 128
+   */
+  ipv6Subnet?: 128 | 64 | 48 | 32;
+}
+/**
+ * Checks if an IP is valid IPv4 or IPv6
+ */
+declare function isValidIP(ip: string): boolean;
+/**
+ * Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.
+ *
+ * @param ip - The IP address to normalize
+ * @param options - Normalization options
+ * @returns Normalized IP address
+ *
+ * @example
+ * normalizeIP("2001:DB8::1")
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000"
+ *
+ * @example
+ * normalizeIP("::ffff:192.0.2.1")
+ * // -> "192.0.2.1" (converted to IPv4)
+ *
+ * @example
+ * normalizeIP("2001:db8::1", { ipv6Subnet: 64 })
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000" (subnet /64)
+ */
+declare function normalizeIP(ip: string, options?: NormalizeIPOptions): string;
+/**
+ * Creates a rate limit key from IP and path
+ * Uses a separator to prevent collision attacks
+ *
+ * @param ip - The IP address (should be normalized)
+ * @param path - The request path
+ * @returns Rate limit key
+ */
+declare function createRateLimitKey(ip: string, path: string): string;
+//#endregion
+export { createRateLimitKey, isValidIP, normalizeIP };
+//# sourceMappingURL=ip.d.mts.map

package/dist/utils/ip.mjs

@@ -0,0 +1,119 @@
+import * as z from "zod";
+
+//#region src/utils/ip.ts
+/**
+* Checks if an IP is valid IPv4 or IPv6
+*/
+function isValidIP(ip) {
+	return z.ipv4().safeParse(ip).success || z.ipv6().safeParse(ip).success;
+}
+/**
+* Checks if an IP is IPv6
+*/
+function isIPv6(ip) {
+	return z.ipv6().safeParse(ip).success;
+}
+/**
+* Converts IPv4-mapped IPv6 address to IPv4
+* e.g., "::ffff:192.0.2.1" -> "192.0.2.1"
+*/
+function extractIPv4FromMapped(ipv6) {
+	const lower = ipv6.toLowerCase();
+	if (lower.startsWith("::ffff:")) {
+		const ipv4Part = lower.substring(7);
+		if (z.ipv4().safeParse(ipv4Part).success) return ipv4Part;
+	}
+	const parts = ipv6.split(":");
+	if (parts.length === 7 && parts[5]?.toLowerCase() === "ffff") {
+		const ipv4Part = parts[6];
+		if (ipv4Part && z.ipv4().safeParse(ipv4Part).success) return ipv4Part;
+	}
+	if (lower.includes("::ffff:") || lower.includes(":ffff:")) {
+		const groups = expandIPv6(ipv6);
+		if (groups.length === 8 && groups[0] === "0000" && groups[1] === "0000" && groups[2] === "0000" && groups[3] === "0000" && groups[4] === "0000" && groups[5] === "ffff" && groups[6] && groups[7]) return `${Number.parseInt(groups[6].substring(0, 2), 16)}.${Number.parseInt(groups[6].substring(2, 4), 16)}.${Number.parseInt(groups[7].substring(0, 2), 16)}.${Number.parseInt(groups[7].substring(2, 4), 16)}`;
+	}
+	return null;
+}
+/**
+* Expands a compressed IPv6 address to full form
+* e.g., "2001:db8::1" -> ["2001", "0db8", "0000", "0000", "0000", "0000", "0000", "0001"]
+*/
+function expandIPv6(ipv6) {
+	if (ipv6.includes("::")) {
+		const sides = ipv6.split("::");
+		const left = sides[0] ? sides[0].split(":") : [];
+		const right = sides[1] ? sides[1].split(":") : [];
+		const missingGroups = 8 - left.length - right.length;
+		const zeros = Array(missingGroups).fill("0000");
+		const paddedLeft = left.map((g) => g.padStart(4, "0"));
+		const paddedRight = right.map((g) => g.padStart(4, "0"));
+		return [
+			...paddedLeft,
+			...zeros,
+			...paddedRight
+		];
+	}
+	return ipv6.split(":").map((g) => g.padStart(4, "0"));
+}
+/**
+* Normalizes an IPv6 address to canonical form
+* e.g., "2001:DB8::1" -> "2001:0db8:0000:0000:0000:0000:0000:0001"
+*/
+function normalizeIPv6(ipv6, subnetPrefix) {
+	const groups = expandIPv6(ipv6);
+	if (subnetPrefix && subnetPrefix < 128) {
+		let bitsRemaining = subnetPrefix;
+		return groups.map((group) => {
+			if (bitsRemaining <= 0) return "0000";
+			if (bitsRemaining >= 16) {
+				bitsRemaining -= 16;
+				return group;
+			}
+			const masked = Number.parseInt(group, 16) & (65535 << 16 - bitsRemaining & 65535);
+			bitsRemaining = 0;
+			return masked.toString(16).padStart(4, "0");
+		}).join(":").toLowerCase();
+	}
+	return groups.join(":").toLowerCase();
+}
+/**
+* Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.
+*
+* @param ip - The IP address to normalize
+* @param options - Normalization options
+* @returns Normalized IP address
+*
+* @example
+* normalizeIP("2001:DB8::1")
+* // -> "2001:0db8:0000:0000:0000:0000:0000:0000"
+*
+* @example
+* normalizeIP("::ffff:192.0.2.1")
+* // -> "192.0.2.1" (converted to IPv4)
+*
+* @example
+* normalizeIP("2001:db8::1", { ipv6Subnet: 64 })
+* // -> "2001:0db8:0000:0000:0000:0000:0000:0000" (subnet /64)
+*/
+function normalizeIP(ip, options = {}) {
+	if (z.ipv4().safeParse(ip).success) return ip.toLowerCase();
+	if (!isIPv6(ip)) return ip.toLowerCase();
+	const ipv4 = extractIPv4FromMapped(ip);
+	if (ipv4) return ipv4.toLowerCase();
+	return normalizeIPv6(ip, options.ipv6Subnet || 64);
+}
+/**
+* Creates a rate limit key from IP and path
+* Uses a separator to prevent collision attacks
+*
+* @param ip - The IP address (should be normalized)
+* @param path - The request path
+* @returns Rate limit key
+*/
+function createRateLimitKey(ip, path) {
+	return `${ip}|${path}`;
+}
+
+//#endregion
+export { createRateLimitKey, isValidIP, normalizeIP };
+//# sourceMappingURL=ip.mjs.map

package/dist/utils/ip.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip.mjs","names":[],"sources":["../../src/utils/ip.ts"],"sourcesContent":["import * as z from \"zod\";\n\n/**\n * Normalizes an IP address for consistent rate limiting.\n *\n * Features:\n * - Normalizes IPv6 to canonical lowercase form\n * - Converts IPv4-mapped IPv6 to IPv4\n * - Supports IPv6 subnet extraction\n * - Handles all edge cases (::1, ::, etc.)\n */\n\ninterface NormalizeIPOptions {\n\t/**\n\t * For IPv6 addresses, extract the subnet prefix instead of full address.\n\t * Common values: 32, 48, 64, 128 (default: 128 = full address)\n\t *\n\t * @default 128\n\t */\n\tipv6Subnet?: 128 | 64 | 48 | 32;\n}\n\n/**\n * Checks if an IP is valid IPv4 or IPv6\n */\nexport function isValidIP(ip: string): boolean {\n\treturn z.ipv4().safeParse(ip).success || z.ipv6().safeParse(ip).success;\n}\n\n/**\n * Checks if an IP is IPv6\n */\nfunction isIPv6(ip: string): boolean {\n\treturn z.ipv6().safeParse(ip).success;\n}\n\n/**\n * Converts IPv4-mapped IPv6 address to IPv4\n * e.g., \"::ffff:192.0.2.1\" -> \"192.0.2.1\"\n */\nfunction extractIPv4FromMapped(ipv6: string): string | null {\n\tconst lower = ipv6.toLowerCase();\n\n\t// Handle ::ffff:192.0.2.1 format\n\tif (lower.startsWith(\"::ffff:\")) {\n\t\tconst ipv4Part = lower.substring(7);\n\t\t// Check if it's a valid IPv4\n\t\tif (z.ipv4().safeParse(ipv4Part).success) {\n\t\t\treturn ipv4Part;\n\t\t}\n\t}\n\n\t// Handle full form: 0:0:0:0:0:ffff:192.0.2.1\n\tconst parts = ipv6.split(\":\");\n\tif (parts.length === 7 && parts[5]?.toLowerCase() === \"ffff\") {\n\t\tconst ipv4Part = parts[6];\n\t\tif (ipv4Part && z.ipv4().safeParse(ipv4Part).success) {\n\t\t\treturn ipv4Part;\n\t\t}\n\t}\n\n\t// Handle hex-encoded IPv4 in mapped address\n\t// e.g., ::ffff:c000:0201 -> 192.0.2.1\n\tif (lower.includes(\"::ffff:\") || lower.includes(\":ffff:\")) {\n\t\tconst groups = expandIPv6(ipv6);\n\t\tif (\n\t\t\tgroups.length === 8 &&\n\t\t\tgroups[0] === \"0000\" &&\n\t\t\tgroups[1] === \"0000\" &&\n\t\t\tgroups[2] === \"0000\" &&\n\t\t\tgroups[3] === \"0000\" &&\n\t\t\tgroups[4] === \"0000\" &&\n\t\t\tgroups[5] === \"ffff\" &&\n\t\t\tgroups[6] &&\n\t\t\tgroups[7]\n\t\t) {\n\t\t\t// Convert last two groups to IPv4\n\t\t\tconst byte1 = Number.parseInt(groups[6].substring(0, 2), 16);\n\t\t\tconst byte2 = Number.parseInt(groups[6].substring(2, 4), 16);\n\t\t\tconst byte3 = Number.parseInt(groups[7].substring(0, 2), 16);\n\t\t\tconst byte4 = Number.parseInt(groups[7].substring(2, 4), 16);\n\t\t\treturn `${byte1}.${byte2}.${byte3}.${byte4}`;\n\t\t}\n\t}\n\n\treturn null;\n}\n\n/**\n * Expands a compressed IPv6 address to full form\n * e.g., \"2001:db8::1\" -> [\"2001\", \"0db8\", \"0000\", \"0000\", \"0000\", \"0000\", \"0000\", \"0001\"]\n */\nfunction expandIPv6(ipv6: string): string[] {\n\t// Handle :: notation (zero compression)\n\tif (ipv6.includes(\"::\")) {\n\t\tconst sides = ipv6.split(\"::\");\n\t\tconst left = sides[0] ? sides[0].split(\":\") : [];\n\t\tconst right = sides[1] ? sides[1].split(\":\") : [];\n\n\t\t// Calculate missing groups\n\t\tconst totalGroups = 8;\n\t\tconst missingGroups = totalGroups - left.length - right.length;\n\t\tconst zeros = Array(missingGroups).fill(\"0000\");\n\n\t\t// Pad existing groups to 4 digits\n\t\tconst paddedLeft = left.map((g) => g.padStart(4, \"0\"));\n\t\tconst paddedRight = right.map((g) => g.padStart(4, \"0\"));\n\n\t\treturn [...paddedLeft, ...zeros, ...paddedRight];\n\t}\n\n\t// No compression, just pad each group\n\treturn ipv6.split(\":\").map((g) => g.padStart(4, \"0\"));\n}\n\n/**\n * Normalizes an IPv6 address to canonical form\n * e.g., \"2001:DB8::1\" -> \"2001:0db8:0000:0000:0000:0000:0000:0001\"\n */\nfunction normalizeIPv6(\n\tipv6: string,\n\tsubnetPrefix?: 128 | 32 | 48 | 64,\n): string {\n\tconst groups = expandIPv6(ipv6);\n\n\tif (subnetPrefix && subnetPrefix < 128) {\n\t\t// Apply subnet mask\n\t\tconst prefix = subnetPrefix;\n\t\tlet bitsRemaining: number = prefix;\n\n\t\tconst maskedGroups = groups.map((group) => {\n\t\t\tif (bitsRemaining <= 0) {\n\t\t\t\treturn \"0000\";\n\t\t\t}\n\t\t\tif (bitsRemaining >= 16) {\n\t\t\t\tbitsRemaining -= 16;\n\t\t\t\treturn group;\n\t\t\t}\n\n\t\t\t// Partial mask for this group\n\t\t\tconst value = Number.parseInt(group, 16);\n\t\t\tconst mask = (0xffff << (16 - bitsRemaining)) & 0xffff;\n\t\t\tconst masked = value & mask;\n\t\t\tbitsRemaining = 0;\n\t\t\treturn masked.toString(16).padStart(4, \"0\");\n\t\t});\n\n\t\treturn maskedGroups.join(\":\").toLowerCase();\n\t}\n\n\treturn groups.join(\":\").toLowerCase();\n}\n\n/**\n * Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.\n *\n * @param ip - The IP address to normalize\n * @param options - Normalization options\n * @returns Normalized IP address\n *\n * @example\n * normalizeIP(\"2001:DB8::1\")\n * // -> \"2001:0db8:0000:0000:0000:0000:0000:0000\"\n *\n * @example\n * normalizeIP(\"::ffff:192.0.2.1\")\n * // -> \"192.0.2.1\" (converted to IPv4)\n *\n * @example\n * normalizeIP(\"2001:db8::1\", { ipv6Subnet: 64 })\n * // -> \"2001:0db8:0000:0000:0000:0000:0000:0000\" (subnet /64)\n */\nexport function normalizeIP(\n\tip: string,\n\toptions: NormalizeIPOptions = {},\n): string {\n\t// IPv4 addresses are already normalized\n\tif (z.ipv4().safeParse(ip).success) {\n\t\treturn ip.toLowerCase();\n\t}\n\n\t// Check if it's IPv6\n\tif (!isIPv6(ip)) {\n\t\t// Return as-is if not valid (shouldn't happen due to prior validation)\n\t\treturn ip.toLowerCase();\n\t}\n\n\t// Check for IPv4-mapped IPv6\n\tconst ipv4 = extractIPv4FromMapped(ip);\n\tif (ipv4) {\n\t\treturn ipv4.toLowerCase();\n\t}\n\n\t// Normalize IPv6\n\tconst subnetPrefix = options.ipv6Subnet || 64;\n\treturn normalizeIPv6(ip, subnetPrefix);\n}\n\n/**\n * Creates a rate limit key from IP and path\n * Uses a separator to prevent collision attacks\n *\n * @param ip - The IP address (should be normalized)\n * @param path - The request path\n * @returns Rate limit key\n */\nexport function createRateLimitKey(ip: string, path: string): string {\n\t// Use | as separator to prevent collision attacks\n\t// e.g., \"192.0.2.1\" + \"/sign-in\" vs \"192.0.2\" + \".1/sign-in\"\n\treturn `${ip}|${path}`;\n}\n"],"mappings":";;;;;;AAyBA,SAAgB,UAAU,IAAqB;AAC9C,QAAO,EAAE,MAAM,CAAC,UAAU,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,GAAG,CAAC;;;;;AAMjE,SAAS,OAAO,IAAqB;AACpC,QAAO,EAAE,MAAM,CAAC,UAAU,GAAG,CAAC;;;;;;AAO/B,SAAS,sBAAsB,MAA6B;CAC3D,MAAM,QAAQ,KAAK,aAAa;AAGhC,KAAI,MAAM,WAAW,UAAU,EAAE;EAChC,MAAM,WAAW,MAAM,UAAU,EAAE;AAEnC,MAAI,EAAE,MAAM,CAAC,UAAU,SAAS,CAAC,QAChC,QAAO;;CAKT,MAAM,QAAQ,KAAK,MAAM,IAAI;AAC7B,KAAI,MAAM,WAAW,KAAK,MAAM,IAAI,aAAa,KAAK,QAAQ;EAC7D,MAAM,WAAW,MAAM;AACvB,MAAI,YAAY,EAAE,MAAM,CAAC,UAAU,SAAS,CAAC,QAC5C,QAAO;;AAMT,KAAI,MAAM,SAAS,UAAU,IAAI,MAAM,SAAS,SAAS,EAAE;EAC1D,MAAM,SAAS,WAAW,KAAK;AAC/B,MACC,OAAO,WAAW,KAClB,OAAO,OAAO,UACd,OAAO,OAAO,UACd,OAAO,OAAO,UACd,OAAO,OAAO,UACd,OAAO,OAAO,UACd,OAAO,OAAO,UACd,OAAO,MACP,OAAO,GAOP,QAAO,GAJO,OAAO,SAAS,OAAO,GAAG,UAAU,GAAG,EAAE,EAAE,GAAG,CAI5C,GAHF,OAAO,SAAS,OAAO,GAAG,UAAU,GAAG,EAAE,EAAE,GAAG,CAGnC,GAFX,OAAO,SAAS,OAAO,GAAG,UAAU,GAAG,EAAE,EAAE,GAAG,CAE1B,GADpB,OAAO,SAAS,OAAO,GAAG,UAAU,GAAG,EAAE,EAAE,GAAG;;AAK9D,QAAO;;;;;;AAOR,SAAS,WAAW,MAAwB;AAE3C,KAAI,KAAK,SAAS,KAAK,EAAE;EACxB,MAAM,QAAQ,KAAK,MAAM,KAAK;EAC9B,MAAM,OAAO,MAAM,KAAK,MAAM,GAAG,MAAM,IAAI,GAAG,EAAE;EAChD,MAAM,QAAQ,MAAM,KAAK,MAAM,GAAG,MAAM,IAAI,GAAG,EAAE;EAIjD,MAAM,gBADc,IACgB,KAAK,SAAS,MAAM;EACxD,MAAM,QAAQ,MAAM,cAAc,CAAC,KAAK,OAAO;EAG/C,MAAM,aAAa,KAAK,KAAK,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;EACtD,MAAM,cAAc,MAAM,KAAK,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;AAExD,SAAO;GAAC,GAAG;GAAY,GAAG;GAAO,GAAG;GAAY;;AAIjD,QAAO,KAAK,MAAM,IAAI,CAAC,KAAK,MAAM,EAAE,SAAS,GAAG,IAAI,CAAC;;;;;;AAOtD,SAAS,cACR,MACA,cACS;CACT,MAAM,SAAS,WAAW,KAAK;AAE/B,KAAI,gBAAgB,eAAe,KAAK;EAGvC,IAAI,gBADW;AAoBf,SAjBqB,OAAO,KAAK,UAAU;AAC1C,OAAI,iBAAiB,EACpB,QAAO;AAER,OAAI,iBAAiB,IAAI;AACxB,qBAAiB;AACjB,WAAO;;GAMR,MAAM,SAFQ,OAAO,SAAS,OAAO,GAAG,IAC1B,SAAW,KAAK,gBAAkB;AAEhD,mBAAgB;AAChB,UAAO,OAAO,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI;IAC1C,CAEkB,KAAK,IAAI,CAAC,aAAa;;AAG5C,QAAO,OAAO,KAAK,IAAI,CAAC,aAAa;;;;;;;;;;;;;;;;;;;;;AAsBtC,SAAgB,YACf,IACA,UAA8B,EAAE,EACvB;AAET,KAAI,EAAE,MAAM,CAAC,UAAU,GAAG,CAAC,QAC1B,QAAO,GAAG,aAAa;AAIxB,KAAI,CAAC,OAAO,GAAG,CAEd,QAAO,GAAG,aAAa;CAIxB,MAAM,OAAO,sBAAsB,GAAG;AACtC,KAAI,KACH,QAAO,KAAK,aAAa;AAK1B,QAAO,cAAc,IADA,QAAQ,cAAc,GACL;;;;;;;;;;AAWvC,SAAgB,mBAAmB,IAAY,MAAsB;AAGpE,QAAO,GAAG,GAAG,GAAG"}

package/dist/utils/json.d.mts

@@ -0,0 +1,5 @@
+//#region src/utils/json.d.ts
+declare function safeJSONParse<T>(data: unknown): T | null;
+//#endregion
+export { safeJSONParse };
+//# sourceMappingURL=json.d.mts.map

package/dist/utils/json.mjs

@@ -0,0 +1,26 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+
+//#region src/utils/json.ts
+function safeJSONParse(data) {
+	function reviver(_, value) {
+		if (typeof value === "string") {
+			if (/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$/.test(value)) {
+				const date = new Date(value);
+				if (!isNaN(date.getTime())) return date;
+			}
+		}
+		return value;
+	}
+	try {
+		if (typeof data !== "string") return data;
+		return JSON.parse(data, reviver);
+	} catch (e) {
+		logger.error("Error parsing JSON", { error: e });
+		return null;
+	}
+}
+
+//#endregion
+export { safeJSONParse };
+//# sourceMappingURL=json.mjs.map

package/dist/utils/json.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.mjs","names":[],"sources":["../../src/utils/json.ts"],"sourcesContent":["import { logger } from \"../env\";\n\nexport function safeJSONParse<T>(data: unknown): T | null {\n\tfunction reviver(_: string, value: any): any {\n\t\tif (typeof value === \"string\") {\n\t\t\tconst iso8601Regex = /^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?Z$/;\n\t\t\tif (iso8601Regex.test(value)) {\n\t\t\t\tconst date = new Date(value);\n\t\t\t\tif (!isNaN(date.getTime())) {\n\t\t\t\t\treturn date;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn value;\n\t}\n\ttry {\n\t\tif (typeof data !== \"string\") {\n\t\t\treturn data as T;\n\t\t}\n\t\treturn JSON.parse(data, reviver);\n\t} catch (e) {\n\t\tlogger.error(\"Error parsing JSON\", { error: e });\n\t\treturn null;\n\t}\n}\n"],"mappings":";;;;AAEA,SAAgB,cAAiB,MAAyB;CACzD,SAAS,QAAQ,GAAW,OAAiB;AAC5C,MAAI,OAAO,UAAU,UAEpB;OADqB,mDACJ,KAAK,MAAM,EAAE;IAC7B,MAAM,OAAO,IAAI,KAAK,MAAM;AAC5B,QAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CACzB,QAAO;;;AAIV,SAAO;;AAER,KAAI;AACH,MAAI,OAAO,SAAS,SACnB,QAAO;AAER,SAAO,KAAK,MAAM,MAAM,QAAQ;UACxB,GAAG;AACX,SAAO,MAAM,sBAAsB,EAAE,OAAO,GAAG,CAAC;AAChD,SAAO"}

package/dist/utils/string.d.mts

@@ -0,0 +1,5 @@
+//#region src/utils/string.d.ts
+declare function capitalizeFirstLetter(str: string): string;
+//#endregion
+export { capitalizeFirstLetter };
+//# sourceMappingURL=string.d.mts.map

package/dist/utils/string.mjs

@@ -0,0 +1,8 @@
+//#region src/utils/string.ts
+function capitalizeFirstLetter(str) {
+	return str.charAt(0).toUpperCase() + str.slice(1);
+}
+
+//#endregion
+export { capitalizeFirstLetter };
+//# sourceMappingURL=string.mjs.map

package/dist/utils/string.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"string.mjs","names":[],"sources":["../../src/utils/string.ts"],"sourcesContent":["export function capitalizeFirstLetter(str: string) {\n\treturn str.charAt(0).toUpperCase() + str.slice(1);\n}\n"],"mappings":";AAAA,SAAgB,sBAAsB,KAAa;AAClD,QAAO,IAAI,OAAO,EAAE,CAAC,aAAa,GAAG,IAAI,MAAM,EAAE"}

package/dist/utils/url.d.mts

@@ -0,0 +1,21 @@
+//#region src/utils/url.d.ts
+/**
+ * Normalizes a request pathname by removing the basePath prefix and trailing slashes.
+ * This is useful for matching paths against configured path lists.
+ *
+ * @param requestUrl - The full request URL
+ * @param basePath - The base path of the auth API (e.g., "/api/auth")
+ * @returns The normalized path without basePath prefix or trailing slashes,
+ *          or "/" if URL parsing fails
+ *
+ * @example
+ * normalizePathname("http://localhost:3000/api/auth/sso/saml2/callback/provider1", "/api/auth")
+ * // Returns: "/sso/saml2/callback/provider1"
+ *
+ * normalizePathname("http://localhost:3000/sso/saml2/callback/provider1/", "/")
+ * // Returns: "/sso/saml2/callback/provider1"
+ */
+declare function normalizePathname(requestUrl: string, basePath: string): string;
+//#endregion
+export { normalizePathname };
+//# sourceMappingURL=url.d.mts.map