@hammadj/better-auth 1.5.0-beta.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +20 -0
- package/README.md +33 -0
- package/dist/_virtual/rolldown_runtime.mjs +36 -0
- package/dist/adapters/drizzle-adapter/index.d.mts +1 -0
- package/dist/adapters/drizzle-adapter/index.mjs +3 -0
- package/dist/adapters/index.d.mts +23 -0
- package/dist/adapters/index.mjs +13 -0
- package/dist/adapters/index.mjs.map +1 -0
- package/dist/adapters/kysely-adapter/index.d.mts +1 -0
- package/dist/adapters/kysely-adapter/index.mjs +3 -0
- package/dist/adapters/memory-adapter/index.d.mts +1 -0
- package/dist/adapters/memory-adapter/index.mjs +3 -0
- package/dist/adapters/mongodb-adapter/index.d.mts +1 -0
- package/dist/adapters/mongodb-adapter/index.mjs +3 -0
- package/dist/adapters/prisma-adapter/index.d.mts +1 -0
- package/dist/adapters/prisma-adapter/index.mjs +3 -0
- package/dist/api/index.d.mts +40 -0
- package/dist/api/index.mjs +205 -0
- package/dist/api/index.mjs.map +1 -0
- package/dist/api/middlewares/index.d.mts +1 -0
- package/dist/api/middlewares/index.mjs +3 -0
- package/dist/api/middlewares/origin-check.d.mts +17 -0
- package/dist/api/middlewares/origin-check.mjs +140 -0
- package/dist/api/middlewares/origin-check.mjs.map +1 -0
- package/dist/api/rate-limiter/index.mjs +177 -0
- package/dist/api/rate-limiter/index.mjs.map +1 -0
- package/dist/api/routes/account.d.mts +10 -0
- package/dist/api/routes/account.mjs +493 -0
- package/dist/api/routes/account.mjs.map +1 -0
- package/dist/api/routes/callback.d.mts +5 -0
- package/dist/api/routes/callback.mjs +178 -0
- package/dist/api/routes/callback.mjs.map +1 -0
- package/dist/api/routes/email-verification.d.mts +29 -0
- package/dist/api/routes/email-verification.mjs +301 -0
- package/dist/api/routes/email-verification.mjs.map +1 -0
- package/dist/api/routes/error.d.mts +5 -0
- package/dist/api/routes/error.mjs +386 -0
- package/dist/api/routes/error.mjs.map +1 -0
- package/dist/api/routes/index.d.mts +11 -0
- package/dist/api/routes/index.mjs +13 -0
- package/dist/api/routes/ok.d.mts +5 -0
- package/dist/api/routes/ok.mjs +30 -0
- package/dist/api/routes/ok.mjs.map +1 -0
- package/dist/api/routes/password.d.mts +8 -0
- package/dist/api/routes/password.mjs +198 -0
- package/dist/api/routes/password.mjs.map +1 -0
- package/dist/api/routes/session.d.mts +52 -0
- package/dist/api/routes/session.mjs +478 -0
- package/dist/api/routes/session.mjs.map +1 -0
- package/dist/api/routes/sign-in.d.mts +8 -0
- package/dist/api/routes/sign-in.mjs +262 -0
- package/dist/api/routes/sign-in.mjs.map +1 -0
- package/dist/api/routes/sign-out.d.mts +5 -0
- package/dist/api/routes/sign-out.mjs +33 -0
- package/dist/api/routes/sign-out.mjs.map +1 -0
- package/dist/api/routes/sign-up.d.mts +7 -0
- package/dist/api/routes/sign-up.mjs +227 -0
- package/dist/api/routes/sign-up.mjs.map +1 -0
- package/dist/api/routes/update-user.d.mts +12 -0
- package/dist/api/routes/update-user.mjs +493 -0
- package/dist/api/routes/update-user.mjs.map +1 -0
- package/dist/api/state/oauth.d.mts +5 -0
- package/dist/api/state/oauth.mjs +8 -0
- package/dist/api/state/oauth.mjs.map +1 -0
- package/dist/api/state/should-session-refresh.d.mts +13 -0
- package/dist/api/state/should-session-refresh.mjs +16 -0
- package/dist/api/state/should-session-refresh.mjs.map +1 -0
- package/dist/api/to-auth-endpoints.mjs +197 -0
- package/dist/api/to-auth-endpoints.mjs.map +1 -0
- package/dist/auth/base.mjs +44 -0
- package/dist/auth/base.mjs.map +1 -0
- package/dist/auth/full.d.mts +30 -0
- package/dist/auth/full.mjs +32 -0
- package/dist/auth/full.mjs.map +1 -0
- package/dist/auth/minimal.d.mts +12 -0
- package/dist/auth/minimal.mjs +14 -0
- package/dist/auth/minimal.mjs.map +1 -0
- package/dist/auth/trusted-origins.mjs +31 -0
- package/dist/auth/trusted-origins.mjs.map +1 -0
- package/dist/client/broadcast-channel.d.mts +20 -0
- package/dist/client/broadcast-channel.mjs +46 -0
- package/dist/client/broadcast-channel.mjs.map +1 -0
- package/dist/client/config.mjs +90 -0
- package/dist/client/config.mjs.map +1 -0
- package/dist/client/fetch-plugins.mjs +18 -0
- package/dist/client/fetch-plugins.mjs.map +1 -0
- package/dist/client/focus-manager.d.mts +11 -0
- package/dist/client/focus-manager.mjs +32 -0
- package/dist/client/focus-manager.mjs.map +1 -0
- package/dist/client/index.d.mts +30 -0
- package/dist/client/index.mjs +21 -0
- package/dist/client/index.mjs.map +1 -0
- package/dist/client/lynx/index.d.mts +62 -0
- package/dist/client/lynx/index.mjs +24 -0
- package/dist/client/lynx/index.mjs.map +1 -0
- package/dist/client/lynx/lynx-store.d.mts +47 -0
- package/dist/client/lynx/lynx-store.mjs +47 -0
- package/dist/client/lynx/lynx-store.mjs.map +1 -0
- package/dist/client/online-manager.d.mts +12 -0
- package/dist/client/online-manager.mjs +35 -0
- package/dist/client/online-manager.mjs.map +1 -0
- package/dist/client/parser.mjs +73 -0
- package/dist/client/parser.mjs.map +1 -0
- package/dist/client/path-to-object.d.mts +57 -0
- package/dist/client/plugins/index.d.mts +58 -0
- package/dist/client/plugins/index.mjs +33 -0
- package/dist/client/plugins/infer-plugin.d.mts +9 -0
- package/dist/client/plugins/infer-plugin.mjs +11 -0
- package/dist/client/plugins/infer-plugin.mjs.map +1 -0
- package/dist/client/proxy.mjs +79 -0
- package/dist/client/proxy.mjs.map +1 -0
- package/dist/client/query.d.mts +23 -0
- package/dist/client/query.mjs +98 -0
- package/dist/client/query.mjs.map +1 -0
- package/dist/client/react/index.d.mts +63 -0
- package/dist/client/react/index.mjs +24 -0
- package/dist/client/react/index.mjs.map +1 -0
- package/dist/client/react/react-store.d.mts +47 -0
- package/dist/client/react/react-store.mjs +47 -0
- package/dist/client/react/react-store.mjs.map +1 -0
- package/dist/client/session-atom.mjs +29 -0
- package/dist/client/session-atom.mjs.map +1 -0
- package/dist/client/session-refresh.d.mts +28 -0
- package/dist/client/session-refresh.mjs +140 -0
- package/dist/client/session-refresh.mjs.map +1 -0
- package/dist/client/solid/index.d.mts +57 -0
- package/dist/client/solid/index.mjs +22 -0
- package/dist/client/solid/index.mjs.map +1 -0
- package/dist/client/solid/solid-store.mjs +24 -0
- package/dist/client/solid/solid-store.mjs.map +1 -0
- package/dist/client/svelte/index.d.mts +63 -0
- package/dist/client/svelte/index.mjs +20 -0
- package/dist/client/svelte/index.mjs.map +1 -0
- package/dist/client/types.d.mts +58 -0
- package/dist/client/vanilla.d.mts +62 -0
- package/dist/client/vanilla.mjs +20 -0
- package/dist/client/vanilla.mjs.map +1 -0
- package/dist/client/vue/index.d.mts +86 -0
- package/dist/client/vue/index.mjs +38 -0
- package/dist/client/vue/index.mjs.map +1 -0
- package/dist/client/vue/vue-store.mjs +26 -0
- package/dist/client/vue/vue-store.mjs.map +1 -0
- package/dist/context/create-context.mjs +211 -0
- package/dist/context/create-context.mjs.map +1 -0
- package/dist/context/helpers.mjs +62 -0
- package/dist/context/helpers.mjs.map +1 -0
- package/dist/context/init-minimal.mjs +20 -0
- package/dist/context/init-minimal.mjs.map +1 -0
- package/dist/context/init.mjs +22 -0
- package/dist/context/init.mjs.map +1 -0
- package/dist/cookies/cookie-utils.d.mts +29 -0
- package/dist/cookies/cookie-utils.mjs +105 -0
- package/dist/cookies/cookie-utils.mjs.map +1 -0
- package/dist/cookies/index.d.mts +67 -0
- package/dist/cookies/index.mjs +264 -0
- package/dist/cookies/index.mjs.map +1 -0
- package/dist/cookies/session-store.d.mts +36 -0
- package/dist/cookies/session-store.mjs +200 -0
- package/dist/cookies/session-store.mjs.map +1 -0
- package/dist/crypto/buffer.d.mts +8 -0
- package/dist/crypto/buffer.mjs +18 -0
- package/dist/crypto/buffer.mjs.map +1 -0
- package/dist/crypto/index.d.mts +27 -0
- package/dist/crypto/index.mjs +38 -0
- package/dist/crypto/index.mjs.map +1 -0
- package/dist/crypto/jwt.d.mts +8 -0
- package/dist/crypto/jwt.mjs +95 -0
- package/dist/crypto/jwt.mjs.map +1 -0
- package/dist/crypto/password.d.mts +12 -0
- package/dist/crypto/password.mjs +36 -0
- package/dist/crypto/password.mjs.map +1 -0
- package/dist/crypto/random.d.mts +5 -0
- package/dist/crypto/random.mjs +8 -0
- package/dist/crypto/random.mjs.map +1 -0
- package/dist/db/adapter-base.d.mts +8 -0
- package/dist/db/adapter-base.mjs +28 -0
- package/dist/db/adapter-base.mjs.map +1 -0
- package/dist/db/adapter-kysely.d.mts +8 -0
- package/dist/db/adapter-kysely.mjs +21 -0
- package/dist/db/adapter-kysely.mjs.map +1 -0
- package/dist/db/field-converter.d.mts +8 -0
- package/dist/db/field-converter.mjs +21 -0
- package/dist/db/field-converter.mjs.map +1 -0
- package/dist/db/field.d.mts +55 -0
- package/dist/db/field.mjs +11 -0
- package/dist/db/field.mjs.map +1 -0
- package/dist/db/get-migration.d.mts +23 -0
- package/dist/db/get-migration.mjs +339 -0
- package/dist/db/get-migration.mjs.map +1 -0
- package/dist/db/get-schema.d.mts +11 -0
- package/dist/db/get-schema.mjs +39 -0
- package/dist/db/get-schema.mjs.map +1 -0
- package/dist/db/index.d.mts +9 -0
- package/dist/db/index.mjs +36 -0
- package/dist/db/index.mjs.map +1 -0
- package/dist/db/internal-adapter.d.mts +14 -0
- package/dist/db/internal-adapter.mjs +616 -0
- package/dist/db/internal-adapter.mjs.map +1 -0
- package/dist/db/schema.d.mts +26 -0
- package/dist/db/schema.mjs +118 -0
- package/dist/db/schema.mjs.map +1 -0
- package/dist/db/to-zod.d.mts +36 -0
- package/dist/db/to-zod.mjs +26 -0
- package/dist/db/to-zod.mjs.map +1 -0
- package/dist/db/verification-token-storage.mjs +28 -0
- package/dist/db/verification-token-storage.mjs.map +1 -0
- package/dist/db/with-hooks.d.mts +33 -0
- package/dist/db/with-hooks.mjs +159 -0
- package/dist/db/with-hooks.mjs.map +1 -0
- package/dist/index.d.mts +52 -0
- package/dist/index.mjs +26 -0
- package/dist/integrations/next-js.d.mts +14 -0
- package/dist/integrations/next-js.mjs +78 -0
- package/dist/integrations/next-js.mjs.map +1 -0
- package/dist/integrations/node.d.mts +13 -0
- package/dist/integrations/node.mjs +16 -0
- package/dist/integrations/node.mjs.map +1 -0
- package/dist/integrations/solid-start.d.mts +23 -0
- package/dist/integrations/solid-start.mjs +17 -0
- package/dist/integrations/solid-start.mjs.map +1 -0
- package/dist/integrations/svelte-kit.d.mts +29 -0
- package/dist/integrations/svelte-kit.mjs +57 -0
- package/dist/integrations/svelte-kit.mjs.map +1 -0
- package/dist/integrations/tanstack-start-solid.d.mts +22 -0
- package/dist/integrations/tanstack-start-solid.mjs +61 -0
- package/dist/integrations/tanstack-start-solid.mjs.map +1 -0
- package/dist/integrations/tanstack-start.d.mts +22 -0
- package/dist/integrations/tanstack-start.mjs +61 -0
- package/dist/integrations/tanstack-start.mjs.map +1 -0
- package/dist/oauth2/index.d.mts +5 -0
- package/dist/oauth2/index.mjs +7 -0
- package/dist/oauth2/link-account.d.mts +31 -0
- package/dist/oauth2/link-account.mjs +144 -0
- package/dist/oauth2/link-account.mjs.map +1 -0
- package/dist/oauth2/state.d.mts +26 -0
- package/dist/oauth2/state.mjs +51 -0
- package/dist/oauth2/state.mjs.map +1 -0
- package/dist/oauth2/utils.d.mts +8 -0
- package/dist/oauth2/utils.mjs +31 -0
- package/dist/oauth2/utils.mjs.map +1 -0
- package/dist/plugins/access/access.d.mts +30 -0
- package/dist/plugins/access/access.mjs +46 -0
- package/dist/plugins/access/access.mjs.map +1 -0
- package/dist/plugins/access/index.d.mts +3 -0
- package/dist/plugins/access/index.mjs +3 -0
- package/dist/plugins/access/types.d.mts +17 -0
- package/dist/plugins/additional-fields/client.d.mts +14 -0
- package/dist/plugins/additional-fields/client.mjs +11 -0
- package/dist/plugins/additional-fields/client.mjs.map +1 -0
- package/dist/plugins/admin/access/index.d.mts +2 -0
- package/dist/plugins/admin/access/index.mjs +3 -0
- package/dist/plugins/admin/access/statement.d.mts +118 -0
- package/dist/plugins/admin/access/statement.mjs +53 -0
- package/dist/plugins/admin/access/statement.mjs.map +1 -0
- package/dist/plugins/admin/admin.d.mts +14 -0
- package/dist/plugins/admin/admin.mjs +95 -0
- package/dist/plugins/admin/admin.mjs.map +1 -0
- package/dist/plugins/admin/client.d.mts +14 -0
- package/dist/plugins/admin/client.mjs +36 -0
- package/dist/plugins/admin/client.mjs.map +1 -0
- package/dist/plugins/admin/error-codes.d.mts +5 -0
- package/dist/plugins/admin/error-codes.mjs +30 -0
- package/dist/plugins/admin/error-codes.mjs.map +1 -0
- package/dist/plugins/admin/has-permission.mjs +16 -0
- package/dist/plugins/admin/has-permission.mjs.map +1 -0
- package/dist/plugins/admin/index.d.mts +3 -0
- package/dist/plugins/admin/index.mjs +3 -0
- package/dist/plugins/admin/routes.mjs +855 -0
- package/dist/plugins/admin/routes.mjs.map +1 -0
- package/dist/plugins/admin/schema.d.mts +6 -0
- package/dist/plugins/admin/schema.mjs +34 -0
- package/dist/plugins/admin/schema.mjs.map +1 -0
- package/dist/plugins/admin/types.d.mts +89 -0
- package/dist/plugins/anonymous/client.d.mts +9 -0
- package/dist/plugins/anonymous/client.mjs +22 -0
- package/dist/plugins/anonymous/client.mjs.map +1 -0
- package/dist/plugins/anonymous/error-codes.d.mts +5 -0
- package/dist/plugins/anonymous/error-codes.mjs +16 -0
- package/dist/plugins/anonymous/error-codes.mjs.map +1 -0
- package/dist/plugins/anonymous/index.d.mts +14 -0
- package/dist/plugins/anonymous/index.mjs +163 -0
- package/dist/plugins/anonymous/index.mjs.map +1 -0
- package/dist/plugins/anonymous/schema.d.mts +5 -0
- package/dist/plugins/anonymous/schema.mjs +11 -0
- package/dist/plugins/anonymous/schema.mjs.map +1 -0
- package/dist/plugins/anonymous/types.d.mts +68 -0
- package/dist/plugins/api-key/adapter.mjs +468 -0
- package/dist/plugins/api-key/adapter.mjs.map +1 -0
- package/dist/plugins/api-key/client.d.mts +9 -0
- package/dist/plugins/api-key/client.mjs +19 -0
- package/dist/plugins/api-key/client.mjs.map +1 -0
- package/dist/plugins/api-key/error-codes.d.mts +5 -0
- package/dist/plugins/api-key/error-codes.mjs +34 -0
- package/dist/plugins/api-key/error-codes.mjs.map +1 -0
- package/dist/plugins/api-key/index.d.mts +17 -0
- package/dist/plugins/api-key/index.mjs +134 -0
- package/dist/plugins/api-key/index.mjs.map +1 -0
- package/dist/plugins/api-key/rate-limit.mjs +74 -0
- package/dist/plugins/api-key/rate-limit.mjs.map +1 -0
- package/dist/plugins/api-key/routes/create-api-key.mjs +252 -0
- package/dist/plugins/api-key/routes/create-api-key.mjs.map +1 -0
- package/dist/plugins/api-key/routes/delete-all-expired-api-keys.mjs +24 -0
- package/dist/plugins/api-key/routes/delete-all-expired-api-keys.mjs.map +1 -0
- package/dist/plugins/api-key/routes/delete-api-key.mjs +74 -0
- package/dist/plugins/api-key/routes/delete-api-key.mjs.map +1 -0
- package/dist/plugins/api-key/routes/get-api-key.mjs +158 -0
- package/dist/plugins/api-key/routes/get-api-key.mjs.map +1 -0
- package/dist/plugins/api-key/routes/index.mjs +71 -0
- package/dist/plugins/api-key/routes/index.mjs.map +1 -0
- package/dist/plugins/api-key/routes/list-api-keys.mjs +194 -0
- package/dist/plugins/api-key/routes/list-api-keys.mjs.map +1 -0
- package/dist/plugins/api-key/routes/update-api-key.mjs +248 -0
- package/dist/plugins/api-key/routes/update-api-key.mjs.map +1 -0
- package/dist/plugins/api-key/routes/verify-api-key.mjs +223 -0
- package/dist/plugins/api-key/routes/verify-api-key.mjs.map +1 -0
- package/dist/plugins/api-key/schema.d.mts +11 -0
- package/dist/plugins/api-key/schema.mjs +130 -0
- package/dist/plugins/api-key/schema.mjs.map +1 -0
- package/dist/plugins/api-key/types.d.mts +346 -0
- package/dist/plugins/bearer/index.d.mts +25 -0
- package/dist/plugins/bearer/index.mjs +66 -0
- package/dist/plugins/bearer/index.mjs.map +1 -0
- package/dist/plugins/captcha/constants.d.mts +10 -0
- package/dist/plugins/captcha/constants.mjs +22 -0
- package/dist/plugins/captcha/constants.mjs.map +1 -0
- package/dist/plugins/captcha/error-codes.mjs +16 -0
- package/dist/plugins/captcha/error-codes.mjs.map +1 -0
- package/dist/plugins/captcha/index.d.mts +14 -0
- package/dist/plugins/captcha/index.mjs +60 -0
- package/dist/plugins/captcha/index.mjs.map +1 -0
- package/dist/plugins/captcha/types.d.mts +28 -0
- package/dist/plugins/captcha/utils.mjs +11 -0
- package/dist/plugins/captcha/utils.mjs.map +1 -0
- package/dist/plugins/captcha/verify-handlers/captchafox.mjs +27 -0
- package/dist/plugins/captcha/verify-handlers/captchafox.mjs.map +1 -0
- package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs +25 -0
- package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs.map +1 -0
- package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs +29 -0
- package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs.map +1 -0
- package/dist/plugins/captcha/verify-handlers/h-captcha.mjs +27 -0
- package/dist/plugins/captcha/verify-handlers/h-captcha.mjs.map +1 -0
- package/dist/plugins/captcha/verify-handlers/index.mjs +6 -0
- package/dist/plugins/custom-session/client.d.mts +10 -0
- package/dist/plugins/custom-session/client.mjs +11 -0
- package/dist/plugins/custom-session/client.mjs.map +1 -0
- package/dist/plugins/custom-session/index.d.mts +26 -0
- package/dist/plugins/custom-session/index.mjs +70 -0
- package/dist/plugins/custom-session/index.mjs.map +1 -0
- package/dist/plugins/device-authorization/client.d.mts +5 -0
- package/dist/plugins/device-authorization/client.mjs +18 -0
- package/dist/plugins/device-authorization/client.mjs.map +1 -0
- package/dist/plugins/device-authorization/error-codes.mjs +21 -0
- package/dist/plugins/device-authorization/error-codes.mjs.map +1 -0
- package/dist/plugins/device-authorization/index.d.mts +28 -0
- package/dist/plugins/device-authorization/index.mjs +50 -0
- package/dist/plugins/device-authorization/index.mjs.map +1 -0
- package/dist/plugins/device-authorization/routes.mjs +510 -0
- package/dist/plugins/device-authorization/routes.mjs.map +1 -0
- package/dist/plugins/device-authorization/schema.mjs +57 -0
- package/dist/plugins/device-authorization/schema.mjs.map +1 -0
- package/dist/plugins/email-otp/client.d.mts +7 -0
- package/dist/plugins/email-otp/client.mjs +18 -0
- package/dist/plugins/email-otp/client.mjs.map +1 -0
- package/dist/plugins/email-otp/error-codes.d.mts +5 -0
- package/dist/plugins/email-otp/error-codes.mjs +12 -0
- package/dist/plugins/email-otp/error-codes.mjs.map +1 -0
- package/dist/plugins/email-otp/index.d.mts +14 -0
- package/dist/plugins/email-otp/index.mjs +108 -0
- package/dist/plugins/email-otp/index.mjs.map +1 -0
- package/dist/plugins/email-otp/otp-token.mjs +29 -0
- package/dist/plugins/email-otp/otp-token.mjs.map +1 -0
- package/dist/plugins/email-otp/routes.mjs +564 -0
- package/dist/plugins/email-otp/routes.mjs.map +1 -0
- package/dist/plugins/email-otp/types.d.mts +74 -0
- package/dist/plugins/email-otp/utils.mjs +17 -0
- package/dist/plugins/email-otp/utils.mjs.map +1 -0
- package/dist/plugins/generic-oauth/client.d.mts +19 -0
- package/dist/plugins/generic-oauth/client.mjs +14 -0
- package/dist/plugins/generic-oauth/client.mjs.map +1 -0
- package/dist/plugins/generic-oauth/error-codes.d.mts +5 -0
- package/dist/plugins/generic-oauth/error-codes.mjs +15 -0
- package/dist/plugins/generic-oauth/error-codes.mjs.map +1 -0
- package/dist/plugins/generic-oauth/index.d.mts +34 -0
- package/dist/plugins/generic-oauth/index.mjs +137 -0
- package/dist/plugins/generic-oauth/index.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/auth0.d.mts +37 -0
- package/dist/plugins/generic-oauth/providers/auth0.mjs +62 -0
- package/dist/plugins/generic-oauth/providers/auth0.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/gumroad.d.mts +32 -0
- package/dist/plugins/generic-oauth/providers/gumroad.mjs +60 -0
- package/dist/plugins/generic-oauth/providers/gumroad.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/hubspot.d.mts +37 -0
- package/dist/plugins/generic-oauth/providers/hubspot.mjs +60 -0
- package/dist/plugins/generic-oauth/providers/hubspot.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/index.d.mts +9 -0
- package/dist/plugins/generic-oauth/providers/index.mjs +11 -0
- package/dist/plugins/generic-oauth/providers/keycloak.d.mts +37 -0
- package/dist/plugins/generic-oauth/providers/keycloak.mjs +62 -0
- package/dist/plugins/generic-oauth/providers/keycloak.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/line.d.mts +55 -0
- package/dist/plugins/generic-oauth/providers/line.mjs +91 -0
- package/dist/plugins/generic-oauth/providers/line.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/microsoft-entra-id.d.mts +37 -0
- package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs +66 -0
- package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/okta.d.mts +37 -0
- package/dist/plugins/generic-oauth/providers/okta.mjs +62 -0
- package/dist/plugins/generic-oauth/providers/okta.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/patreon.d.mts +30 -0
- package/dist/plugins/generic-oauth/providers/patreon.mjs +59 -0
- package/dist/plugins/generic-oauth/providers/patreon.mjs.map +1 -0
- package/dist/plugins/generic-oauth/providers/slack.d.mts +30 -0
- package/dist/plugins/generic-oauth/providers/slack.mjs +61 -0
- package/dist/plugins/generic-oauth/providers/slack.mjs.map +1 -0
- package/dist/plugins/generic-oauth/routes.mjs +394 -0
- package/dist/plugins/generic-oauth/routes.mjs.map +1 -0
- package/dist/plugins/generic-oauth/types.d.mts +145 -0
- package/dist/plugins/haveibeenpwned/index.d.mts +21 -0
- package/dist/plugins/haveibeenpwned/index.mjs +56 -0
- package/dist/plugins/haveibeenpwned/index.mjs.map +1 -0
- package/dist/plugins/index.d.mts +68 -0
- package/dist/plugins/index.mjs +51 -0
- package/dist/plugins/jwt/adapter.mjs +27 -0
- package/dist/plugins/jwt/adapter.mjs.map +1 -0
- package/dist/plugins/jwt/client.d.mts +18 -0
- package/dist/plugins/jwt/client.mjs +19 -0
- package/dist/plugins/jwt/client.mjs.map +1 -0
- package/dist/plugins/jwt/index.d.mts +17 -0
- package/dist/plugins/jwt/index.mjs +202 -0
- package/dist/plugins/jwt/index.mjs.map +1 -0
- package/dist/plugins/jwt/schema.d.mts +5 -0
- package/dist/plugins/jwt/schema.mjs +23 -0
- package/dist/plugins/jwt/schema.mjs.map +1 -0
- package/dist/plugins/jwt/sign.d.mts +57 -0
- package/dist/plugins/jwt/sign.mjs +66 -0
- package/dist/plugins/jwt/sign.mjs.map +1 -0
- package/dist/plugins/jwt/types.d.mts +194 -0
- package/dist/plugins/jwt/utils.d.mts +42 -0
- package/dist/plugins/jwt/utils.mjs +64 -0
- package/dist/plugins/jwt/utils.mjs.map +1 -0
- package/dist/plugins/jwt/verify.d.mts +12 -0
- package/dist/plugins/jwt/verify.mjs +46 -0
- package/dist/plugins/jwt/verify.mjs.map +1 -0
- package/dist/plugins/last-login-method/client.d.mts +18 -0
- package/dist/plugins/last-login-method/client.mjs +32 -0
- package/dist/plugins/last-login-method/client.mjs.map +1 -0
- package/dist/plugins/last-login-method/index.d.mts +52 -0
- package/dist/plugins/last-login-method/index.mjs +77 -0
- package/dist/plugins/last-login-method/index.mjs.map +1 -0
- package/dist/plugins/magic-link/client.d.mts +5 -0
- package/dist/plugins/magic-link/client.mjs +11 -0
- package/dist/plugins/magic-link/client.mjs.map +1 -0
- package/dist/plugins/magic-link/index.d.mts +61 -0
- package/dist/plugins/magic-link/index.mjs +167 -0
- package/dist/plugins/magic-link/index.mjs.map +1 -0
- package/dist/plugins/magic-link/utils.mjs +12 -0
- package/dist/plugins/magic-link/utils.mjs.map +1 -0
- package/dist/plugins/mcp/authorize.mjs +133 -0
- package/dist/plugins/mcp/authorize.mjs.map +1 -0
- package/dist/plugins/mcp/index.d.mts +46 -0
- package/dist/plugins/mcp/index.mjs +717 -0
- package/dist/plugins/mcp/index.mjs.map +1 -0
- package/dist/plugins/multi-session/client.d.mts +8 -0
- package/dist/plugins/multi-session/client.mjs +20 -0
- package/dist/plugins/multi-session/client.mjs.map +1 -0
- package/dist/plugins/multi-session/error-codes.d.mts +5 -0
- package/dist/plugins/multi-session/error-codes.mjs +8 -0
- package/dist/plugins/multi-session/error-codes.mjs.map +1 -0
- package/dist/plugins/multi-session/index.d.mts +22 -0
- package/dist/plugins/multi-session/index.mjs +172 -0
- package/dist/plugins/multi-session/index.mjs.map +1 -0
- package/dist/plugins/oauth-proxy/index.d.mts +39 -0
- package/dist/plugins/oauth-proxy/index.mjs +305 -0
- package/dist/plugins/oauth-proxy/index.mjs.map +1 -0
- package/dist/plugins/oauth-proxy/utils.mjs +44 -0
- package/dist/plugins/oauth-proxy/utils.mjs.map +1 -0
- package/dist/plugins/oidc-provider/authorize.mjs +194 -0
- package/dist/plugins/oidc-provider/authorize.mjs.map +1 -0
- package/dist/plugins/oidc-provider/client.d.mts +8 -0
- package/dist/plugins/oidc-provider/client.mjs +11 -0
- package/dist/plugins/oidc-provider/client.mjs.map +1 -0
- package/dist/plugins/oidc-provider/error.mjs +17 -0
- package/dist/plugins/oidc-provider/error.mjs.map +1 -0
- package/dist/plugins/oidc-provider/index.d.mts +32 -0
- package/dist/plugins/oidc-provider/index.mjs +1093 -0
- package/dist/plugins/oidc-provider/index.mjs.map +1 -0
- package/dist/plugins/oidc-provider/schema.d.mts +26 -0
- package/dist/plugins/oidc-provider/schema.mjs +132 -0
- package/dist/plugins/oidc-provider/schema.mjs.map +1 -0
- package/dist/plugins/oidc-provider/types.d.mts +517 -0
- package/dist/plugins/oidc-provider/utils/prompt.mjs +19 -0
- package/dist/plugins/oidc-provider/utils/prompt.mjs.map +1 -0
- package/dist/plugins/oidc-provider/utils.mjs +15 -0
- package/dist/plugins/oidc-provider/utils.mjs.map +1 -0
- package/dist/plugins/one-tap/client.d.mts +159 -0
- package/dist/plugins/one-tap/client.mjs +214 -0
- package/dist/plugins/one-tap/client.mjs.map +1 -0
- package/dist/plugins/one-tap/index.d.mts +27 -0
- package/dist/plugins/one-tap/index.mjs +96 -0
- package/dist/plugins/one-tap/index.mjs.map +1 -0
- package/dist/plugins/one-time-token/client.d.mts +7 -0
- package/dist/plugins/one-time-token/client.mjs +11 -0
- package/dist/plugins/one-time-token/client.mjs.map +1 -0
- package/dist/plugins/one-time-token/index.d.mts +53 -0
- package/dist/plugins/one-time-token/index.mjs +82 -0
- package/dist/plugins/one-time-token/index.mjs.map +1 -0
- package/dist/plugins/one-time-token/utils.mjs +12 -0
- package/dist/plugins/one-time-token/utils.mjs.map +1 -0
- package/dist/plugins/open-api/generator.d.mts +115 -0
- package/dist/plugins/open-api/generator.mjs +315 -0
- package/dist/plugins/open-api/generator.mjs.map +1 -0
- package/dist/plugins/open-api/index.d.mts +45 -0
- package/dist/plugins/open-api/index.mjs +67 -0
- package/dist/plugins/open-api/index.mjs.map +1 -0
- package/dist/plugins/open-api/logo.mjs +15 -0
- package/dist/plugins/open-api/logo.mjs.map +1 -0
- package/dist/plugins/organization/access/index.d.mts +2 -0
- package/dist/plugins/organization/access/index.mjs +3 -0
- package/dist/plugins/organization/access/statement.d.mts +249 -0
- package/dist/plugins/organization/access/statement.mjs +81 -0
- package/dist/plugins/organization/access/statement.mjs.map +1 -0
- package/dist/plugins/organization/adapter.d.mts +205 -0
- package/dist/plugins/organization/adapter.mjs +624 -0
- package/dist/plugins/organization/adapter.mjs.map +1 -0
- package/dist/plugins/organization/call.mjs +19 -0
- package/dist/plugins/organization/call.mjs.map +1 -0
- package/dist/plugins/organization/client.d.mts +151 -0
- package/dist/plugins/organization/client.mjs +107 -0
- package/dist/plugins/organization/client.mjs.map +1 -0
- package/dist/plugins/organization/error-codes.d.mts +5 -0
- package/dist/plugins/organization/error-codes.mjs +65 -0
- package/dist/plugins/organization/error-codes.mjs.map +1 -0
- package/dist/plugins/organization/has-permission.mjs +35 -0
- package/dist/plugins/organization/has-permission.mjs.map +1 -0
- package/dist/plugins/organization/index.d.mts +5 -0
- package/dist/plugins/organization/index.mjs +4 -0
- package/dist/plugins/organization/organization.d.mts +252 -0
- package/dist/plugins/organization/organization.mjs +428 -0
- package/dist/plugins/organization/organization.mjs.map +1 -0
- package/dist/plugins/organization/permission.d.mts +26 -0
- package/dist/plugins/organization/permission.mjs +16 -0
- package/dist/plugins/organization/permission.mjs.map +1 -0
- package/dist/plugins/organization/routes/crud-access-control.d.mts +11 -0
- package/dist/plugins/organization/routes/crud-access-control.mjs +656 -0
- package/dist/plugins/organization/routes/crud-access-control.mjs.map +1 -0
- package/dist/plugins/organization/routes/crud-invites.d.mts +16 -0
- package/dist/plugins/organization/routes/crud-invites.mjs +555 -0
- package/dist/plugins/organization/routes/crud-invites.mjs.map +1 -0
- package/dist/plugins/organization/routes/crud-members.d.mts +13 -0
- package/dist/plugins/organization/routes/crud-members.mjs +473 -0
- package/dist/plugins/organization/routes/crud-members.mjs.map +1 -0
- package/dist/plugins/organization/routes/crud-org.d.mts +13 -0
- package/dist/plugins/organization/routes/crud-org.mjs +447 -0
- package/dist/plugins/organization/routes/crud-org.mjs.map +1 -0
- package/dist/plugins/organization/routes/crud-team.d.mts +15 -0
- package/dist/plugins/organization/routes/crud-team.mjs +676 -0
- package/dist/plugins/organization/routes/crud-team.mjs.map +1 -0
- package/dist/plugins/organization/schema.d.mts +376 -0
- package/dist/plugins/organization/schema.mjs +68 -0
- package/dist/plugins/organization/schema.mjs.map +1 -0
- package/dist/plugins/organization/types.d.mts +733 -0
- package/dist/plugins/phone-number/client.d.mts +8 -0
- package/dist/plugins/phone-number/client.mjs +20 -0
- package/dist/plugins/phone-number/client.mjs.map +1 -0
- package/dist/plugins/phone-number/error-codes.d.mts +5 -0
- package/dist/plugins/phone-number/error-codes.mjs +21 -0
- package/dist/plugins/phone-number/error-codes.mjs.map +1 -0
- package/dist/plugins/phone-number/index.d.mts +14 -0
- package/dist/plugins/phone-number/index.mjs +49 -0
- package/dist/plugins/phone-number/index.mjs.map +1 -0
- package/dist/plugins/phone-number/routes.mjs +459 -0
- package/dist/plugins/phone-number/routes.mjs.map +1 -0
- package/dist/plugins/phone-number/schema.d.mts +5 -0
- package/dist/plugins/phone-number/schema.mjs +20 -0
- package/dist/plugins/phone-number/schema.mjs.map +1 -0
- package/dist/plugins/phone-number/types.d.mts +118 -0
- package/dist/plugins/siwe/client.d.mts +5 -0
- package/dist/plugins/siwe/client.mjs +11 -0
- package/dist/plugins/siwe/client.mjs.map +1 -0
- package/dist/plugins/siwe/error-codes.mjs +13 -0
- package/dist/plugins/siwe/error-codes.mjs.map +1 -0
- package/dist/plugins/siwe/index.d.mts +26 -0
- package/dist/plugins/siwe/index.mjs +261 -0
- package/dist/plugins/siwe/index.mjs.map +1 -0
- package/dist/plugins/siwe/schema.d.mts +5 -0
- package/dist/plugins/siwe/schema.mjs +32 -0
- package/dist/plugins/siwe/schema.mjs.map +1 -0
- package/dist/plugins/siwe/types.d.mts +44 -0
- package/dist/plugins/two-factor/backup-codes/index.d.mts +91 -0
- package/dist/plugins/two-factor/backup-codes/index.mjs +277 -0
- package/dist/plugins/two-factor/backup-codes/index.mjs.map +1 -0
- package/dist/plugins/two-factor/client.d.mts +17 -0
- package/dist/plugins/two-factor/client.mjs +37 -0
- package/dist/plugins/two-factor/client.mjs.map +1 -0
- package/dist/plugins/two-factor/constant.mjs +8 -0
- package/dist/plugins/two-factor/constant.mjs.map +1 -0
- package/dist/plugins/two-factor/error-code.d.mts +5 -0
- package/dist/plugins/two-factor/error-code.mjs +18 -0
- package/dist/plugins/two-factor/error-code.mjs.map +1 -0
- package/dist/plugins/two-factor/index.d.mts +19 -0
- package/dist/plugins/two-factor/index.mjs +207 -0
- package/dist/plugins/two-factor/index.mjs.map +1 -0
- package/dist/plugins/two-factor/otp/index.d.mts +96 -0
- package/dist/plugins/two-factor/otp/index.mjs +199 -0
- package/dist/plugins/two-factor/otp/index.mjs.map +1 -0
- package/dist/plugins/two-factor/schema.d.mts +5 -0
- package/dist/plugins/two-factor/schema.mjs +36 -0
- package/dist/plugins/two-factor/schema.mjs.map +1 -0
- package/dist/plugins/two-factor/totp/index.d.mts +81 -0
- package/dist/plugins/two-factor/totp/index.mjs +157 -0
- package/dist/plugins/two-factor/totp/index.mjs.map +1 -0
- package/dist/plugins/two-factor/types.d.mts +65 -0
- package/dist/plugins/two-factor/utils.mjs +12 -0
- package/dist/plugins/two-factor/utils.mjs.map +1 -0
- package/dist/plugins/two-factor/verify-two-factor.mjs +76 -0
- package/dist/plugins/two-factor/verify-two-factor.mjs.map +1 -0
- package/dist/plugins/username/client.d.mts +7 -0
- package/dist/plugins/username/client.mjs +18 -0
- package/dist/plugins/username/client.mjs.map +1 -0
- package/dist/plugins/username/error-codes.d.mts +5 -0
- package/dist/plugins/username/error-codes.mjs +17 -0
- package/dist/plugins/username/error-codes.mjs.map +1 -0
- package/dist/plugins/username/index.d.mts +74 -0
- package/dist/plugins/username/index.mjs +237 -0
- package/dist/plugins/username/index.mjs.map +1 -0
- package/dist/plugins/username/schema.d.mts +9 -0
- package/dist/plugins/username/schema.mjs +26 -0
- package/dist/plugins/username/schema.mjs.map +1 -0
- package/dist/social-providers/index.d.mts +1 -0
- package/dist/social-providers/index.mjs +3 -0
- package/dist/state.d.mts +42 -0
- package/dist/state.mjs +107 -0
- package/dist/state.mjs.map +1 -0
- package/dist/test-utils/headers.d.mts +9 -0
- package/dist/test-utils/headers.mjs +24 -0
- package/dist/test-utils/headers.mjs.map +1 -0
- package/dist/test-utils/index.d.mts +3 -0
- package/dist/test-utils/index.mjs +4 -0
- package/dist/test-utils/test-instance.d.mts +181 -0
- package/dist/test-utils/test-instance.mjs +210 -0
- package/dist/test-utils/test-instance.mjs.map +1 -0
- package/dist/types/adapter.d.mts +24 -0
- package/dist/types/api.d.mts +29 -0
- package/dist/types/auth.d.mts +30 -0
- package/dist/types/helper.d.mts +21 -0
- package/dist/types/index.d.mts +11 -0
- package/dist/types/index.mjs +1 -0
- package/dist/types/models.d.mts +17 -0
- package/dist/types/plugins.d.mts +16 -0
- package/dist/utils/boolean.mjs +8 -0
- package/dist/utils/boolean.mjs.map +1 -0
- package/dist/utils/constants.mjs +6 -0
- package/dist/utils/constants.mjs.map +1 -0
- package/dist/utils/date.mjs +8 -0
- package/dist/utils/date.mjs.map +1 -0
- package/dist/utils/get-request-ip.d.mts +7 -0
- package/dist/utils/get-request-ip.mjs +23 -0
- package/dist/utils/get-request-ip.mjs.map +1 -0
- package/dist/utils/hashing.mjs +21 -0
- package/dist/utils/hashing.mjs.map +1 -0
- package/dist/utils/hide-metadata.d.mts +7 -0
- package/dist/utils/hide-metadata.mjs +6 -0
- package/dist/utils/hide-metadata.mjs.map +1 -0
- package/dist/utils/index.d.mts +3 -0
- package/dist/utils/index.mjs +5 -0
- package/dist/utils/is-api-error.d.mts +7 -0
- package/dist/utils/is-api-error.mjs +11 -0
- package/dist/utils/is-api-error.mjs.map +1 -0
- package/dist/utils/is-atom.mjs +8 -0
- package/dist/utils/is-atom.mjs.map +1 -0
- package/dist/utils/is-promise.mjs +8 -0
- package/dist/utils/is-promise.mjs.map +1 -0
- package/dist/utils/middleware-response.mjs +6 -0
- package/dist/utils/middleware-response.mjs.map +1 -0
- package/dist/utils/password.mjs +26 -0
- package/dist/utils/password.mjs.map +1 -0
- package/dist/utils/plugin-helper.mjs +17 -0
- package/dist/utils/plugin-helper.mjs.map +1 -0
- package/dist/utils/shim.mjs +24 -0
- package/dist/utils/shim.mjs.map +1 -0
- package/dist/utils/time.d.mts +49 -0
- package/dist/utils/time.mjs +100 -0
- package/dist/utils/time.mjs.map +1 -0
- package/dist/utils/url.mjs +92 -0
- package/dist/utils/url.mjs.map +1 -0
- package/dist/utils/wildcard.mjs +108 -0
- package/dist/utils/wildcard.mjs.map +1 -0
- package/package.json +601 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/index.ts"],"sourcesContent":["import type {\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport { getCurrentAuthContext } from \"@better-auth/core/context\";\nimport { base64 } from \"@better-auth/utils/base64\";\nimport { createHash } from \"@better-auth/utils/hash\";\nimport type { OpenAPIParameter } from \"better-call\";\nimport { jwtVerify, SignJWT } from \"jose\";\nimport * as z from \"zod\";\nimport { APIError, getSessionFromCtx, sessionMiddleware } from \"../../api\";\nimport { expireCookie, parseSetCookieHeader } from \"../../cookies\";\nimport {\n\tgenerateRandomString,\n\tsymmetricDecrypt,\n\tsymmetricEncrypt,\n} from \"../../crypto\";\nimport { mergeSchema } from \"../../db\";\nimport { HIDE_METADATA } from \"../../utils\";\nimport { getJwtToken, verifyJWT } from \"../jwt\";\nimport { authorize } from \"./authorize\";\nimport type { OAuthApplication } from \"./schema\";\nimport { schema } from \"./schema\";\nimport type {\n\tClient,\n\tCodeVerificationValue,\n\tOAuthAccessToken,\n\tOIDCMetadata,\n\tOIDCOptions,\n} from \"./types\";\nimport { defaultClientSecretHasher } from \"./utils\";\nimport { parsePrompt } from \"./utils/prompt\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"oidc-provider\": {\n\t\t\tcreator: typeof oidcProvider;\n\t\t};\n\t}\n}\n\n/**\n * Get a client by ID, checking trusted clients first, then database\n */\nexport async function getClient(\n\tclientId: string,\n\ttrustedClients: (Client & { skipConsent?: boolean | undefined })[] = [],\n): Promise<(Client & { skipConsent?: boolean | undefined }) | null> {\n\tconst {\n\t\tcontext: { adapter },\n\t} = await getCurrentAuthContext();\n\tconst trustedClient = trustedClients.find(\n\t\t(client) => client.clientId === clientId,\n\t);\n\tif (trustedClient) {\n\t\treturn trustedClient;\n\t}\n\treturn adapter\n\t\t.findOne<OAuthApplication>({\n\t\t\tmodel: \"oauthApplication\",\n\t\t\twhere: [{ field: \"clientId\", value: clientId }],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\t// omit sensitive fields\n\t\t\treturn {\n\t\t\t\tclientId: res.clientId,\n\t\t\t\tclientSecret: res.clientSecret,\n\t\t\t\ttype: res.type,\n\t\t\t\tname: res.name,\n\t\t\t\ticon: res.icon,\n\t\t\t\tdisabled: res.disabled,\n\t\t\t\tredirectUrls: (res.redirectUrls ?? \"\").split(\",\"),\n\t\t\t\tmetadata: res.metadata ? JSON.parse(res.metadata) : {},\n\t\t\t} satisfies Client;\n\t\t});\n}\n\nexport const getMetadata = (\n\tctx: GenericEndpointContext,\n\toptions?: OIDCOptions | undefined,\n): OIDCMetadata => {\n\tconst jwtPlugin = ctx.context.getPlugin(\"jwt\");\n\tconst issuer =\n\t\tjwtPlugin && jwtPlugin.options?.jwt && jwtPlugin.options.jwt.issuer\n\t\t\t? jwtPlugin.options.jwt.issuer\n\t\t\t: (ctx.context.options.baseURL as string);\n\tconst baseURL = ctx.context.baseURL;\n\tconst supportedAlgs = options?.useJWTPlugin\n\t\t? [\"RS256\", \"EdDSA\", \"none\"]\n\t\t: [\"HS256\", \"none\"];\n\treturn {\n\t\tissuer,\n\t\tauthorization_endpoint: `${baseURL}/oauth2/authorize`,\n\t\ttoken_endpoint: `${baseURL}/oauth2/token`,\n\t\tuserinfo_endpoint: `${baseURL}/oauth2/userinfo`,\n\t\tjwks_uri: `${baseURL}/jwks`,\n\t\tregistration_endpoint: `${baseURL}/oauth2/register`,\n\t\tend_session_endpoint: `${baseURL}/oauth2/endsession`,\n\t\tscopes_supported: [\"openid\", \"profile\", \"email\", \"offline_access\"],\n\t\tresponse_types_supported: [\"code\"],\n\t\tresponse_modes_supported: [\"query\"],\n\t\tgrant_types_supported: [\"authorization_code\", \"refresh_token\"],\n\t\tacr_values_supported: [\n\t\t\t\"urn:mace:incommon:iap:silver\",\n\t\t\t\"urn:mace:incommon:iap:bronze\",\n\t\t],\n\t\tsubject_types_supported: [\"public\"],\n\t\tid_token_signing_alg_values_supported: supportedAlgs,\n\t\ttoken_endpoint_auth_methods_supported: [\n\t\t\t\"client_secret_basic\",\n\t\t\t\"client_secret_post\",\n\t\t\t\"none\",\n\t\t],\n\t\tcode_challenge_methods_supported: [\"S256\"],\n\t\tclaims_supported: [\n\t\t\t\"sub\",\n\t\t\t\"iss\",\n\t\t\t\"aud\",\n\t\t\t\"exp\",\n\t\t\t\"nbf\",\n\t\t\t\"iat\",\n\t\t\t\"jti\",\n\t\t\t\"email\",\n\t\t\t\"email_verified\",\n\t\t\t\"name\",\n\t\t],\n\t\t...options?.metadata,\n\t};\n};\n\nconst oAuthConsentBodySchema = z.object({\n\taccept: z.boolean(),\n\tconsent_code: z.string().optional().nullish(),\n});\n\nconst oAuth2TokenBodySchema = z.record(z.any(), z.any());\n\nconst registerOAuthApplicationBodySchema = z.object({\n\tredirect_uris: z.array(z.string()).meta({\n\t\tdescription:\n\t\t\t'A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]',\n\t}),\n\ttoken_endpoint_auth_method: z\n\t\t.enum([\"none\", \"client_secret_basic\", \"client_secret_post\"])\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The authentication method for the token endpoint. Eg: \"client_secret_basic\"',\n\t\t})\n\t\t.default(\"client_secret_basic\")\n\t\t.optional(),\n\tgrant_types: z\n\t\t.array(\n\t\t\tz.enum([\n\t\t\t\t\"authorization_code\",\n\t\t\t\t\"implicit\",\n\t\t\t\t\"password\",\n\t\t\t\t\"client_credentials\",\n\t\t\t\t\"refresh_token\",\n\t\t\t\t\"urn:ietf:params:oauth:grant-type:jwt-bearer\",\n\t\t\t\t\"urn:ietf:params:oauth:grant-type:saml2-bearer\",\n\t\t\t]),\n\t\t)\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The grant types supported by the application. Eg: [\"authorization_code\"]',\n\t\t})\n\t\t.default([\"authorization_code\"])\n\t\t.optional(),\n\tresponse_types: z\n\t\t.array(z.enum([\"code\", \"token\"]))\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The response types supported by the application. Eg: [\"code\"]',\n\t\t})\n\t\t.default([\"code\"])\n\t\t.optional(),\n\tclient_name: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: 'The name of the application. Eg: \"My App\"',\n\t\t})\n\t\t.optional(),\n\tclient_uri: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The URI of the application. Eg: \"https://client.example.com\"',\n\t\t})\n\t\t.optional(),\n\tlogo_uri: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The URI of the application logo. Eg: \"https://client.example.com/logo.png\"',\n\t\t})\n\t\t.optional(),\n\tscope: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The scopes supported by the application. Separated by spaces. Eg: \"profile email\"',\n\t\t})\n\t\t.optional(),\n\tcontacts: z\n\t\t.array(z.string())\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The contact information for the application. Eg: [\"admin@example.com\"]',\n\t\t})\n\t\t.optional(),\n\ttos_uri: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The URI of the application terms of service. Eg: \"https://client.example.com/tos\"',\n\t\t})\n\t\t.optional(),\n\tpolicy_uri: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The URI of the application privacy policy. Eg: \"https://client.example.com/policy\"',\n\t\t})\n\t\t.optional(),\n\tjwks_uri: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The URI of the application JWKS. Eg: \"https://client.example.com/jwks\"',\n\t\t})\n\t\t.optional(),\n\tjwks: z\n\t\t.record(z.any(), z.any())\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The JWKS of the application. Eg: {\"keys\": [{\"kty\": \"RSA\", \"alg\": \"RS256\", \"use\": \"sig\", \"n\": \"...\", \"e\": \"...\"}]}',\n\t\t})\n\t\t.optional(),\n\tmetadata: z\n\t\t.record(z.any(), z.any())\n\t\t.meta({\n\t\t\tdescription: 'The metadata of the application. Eg: {\"key\": \"value\"}',\n\t\t})\n\t\t.optional(),\n\tsoftware_id: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: 'The software ID of the application. Eg: \"my-software\"',\n\t\t})\n\t\t.optional(),\n\tsoftware_version: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: 'The software version of the application. Eg: \"1.0.0\"',\n\t\t})\n\t\t.optional(),\n\tsoftware_statement: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The software statement of the application.\",\n\t\t})\n\t\t.optional(),\n});\n\nconst DEFAULT_CODE_EXPIRES_IN = 600;\nconst DEFAULT_ACCESS_TOKEN_EXPIRES_IN = 3600;\nconst DEFAULT_REFRESH_TOKEN_EXPIRES_IN = 604800;\n\n/**\n * OpenID Connect (OIDC) plugin for Better Auth. This plugin implements the\n * authorization code flow and the token exchange flow. It also implements the\n * userinfo endpoint.\n *\n * @param options - The options for the OIDC plugin.\n * @returns A Better Auth plugin.\n */\nexport const oidcProvider = (options: OIDCOptions) => {\n\tconst modelName = {\n\t\toauthClient: \"oauthApplication\",\n\t\toauthAccessToken: \"oauthAccessToken\",\n\t\toauthConsent: \"oauthConsent\",\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: DEFAULT_CODE_EXPIRES_IN,\n\t\tdefaultScope: \"openid\",\n\t\taccessTokenExpiresIn: DEFAULT_ACCESS_TOKEN_EXPIRES_IN,\n\t\trefreshTokenExpiresIn: DEFAULT_REFRESH_TOKEN_EXPIRES_IN,\n\t\tallowPlainCodeChallengeMethod: true,\n\t\tstoreClientSecret: \"plain\" as const,\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\n\tconst trustedClients = options.trustedClients || [];\n\n\t/**\n\t * Store client secret according to the configured storage method\n\t */\n\tasync function storeClientSecret(\n\t\tctx: GenericEndpointContext,\n\t\tclientSecret: string,\n\t) {\n\t\tif (opts.storeClientSecret === \"encrypted\") {\n\t\t\treturn await symmetricEncrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: clientSecret,\n\t\t\t});\n\t\t}\n\t\tif (opts.storeClientSecret === \"hashed\") {\n\t\t\treturn await defaultClientSecretHasher(clientSecret);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeClientSecret === \"object\" &&\n\t\t\t\"hash\" in opts.storeClientSecret\n\t\t) {\n\t\t\treturn await opts.storeClientSecret.hash(clientSecret);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeClientSecret === \"object\" &&\n\t\t\t\"encrypt\" in opts.storeClientSecret\n\t\t) {\n\t\t\treturn await opts.storeClientSecret.encrypt(clientSecret);\n\t\t}\n\n\t\treturn clientSecret;\n\t}\n\n\t/**\n\t * Verify stored client secret against provided client secret\n\t */\n\tasync function verifyStoredClientSecret(\n\t\tctx: GenericEndpointContext,\n\t\tstoredClientSecret: string,\n\t\tclientSecret: string,\n\t): Promise<boolean> {\n\t\tif (opts.storeClientSecret === \"encrypted\") {\n\t\t\treturn (\n\t\t\t\t(await symmetricDecrypt({\n\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\tdata: storedClientSecret,\n\t\t\t\t})) === clientSecret\n\t\t\t);\n\t\t}\n\t\tif (opts.storeClientSecret === \"hashed\") {\n\t\t\tconst hashedClientSecret = await defaultClientSecretHasher(clientSecret);\n\t\t\treturn hashedClientSecret === storedClientSecret;\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeClientSecret === \"object\" &&\n\t\t\t\"hash\" in opts.storeClientSecret\n\t\t) {\n\t\t\tconst hashedClientSecret =\n\t\t\t\tawait opts.storeClientSecret.hash(clientSecret);\n\t\t\treturn hashedClientSecret === storedClientSecret;\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeClientSecret === \"object\" &&\n\t\t\t\"decrypt\" in opts.storeClientSecret\n\t\t) {\n\t\t\tconst decryptedClientSecret =\n\t\t\t\tawait opts.storeClientSecret.decrypt(storedClientSecret);\n\t\t\treturn decryptedClientSecret === clientSecret;\n\t\t}\n\n\t\treturn clientSecret === storedClientSecret;\n\t}\n\n\treturn {\n\t\tid: \"oidc-provider\",\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher() {\n\t\t\t\t\t\treturn true;\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst loginPromptCookie = await ctx.getSignedCookie(\n\t\t\t\t\t\t\t\"oidc_login_prompt\",\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst cookieName = ctx.context.authCookies.sessionToken.name;\n\t\t\t\t\t\tconst parsedSetCookieHeader = parseSetCookieHeader(\n\t\t\t\t\t\t\tctx.context.responseHeaders?.get(\"set-cookie\") || \"\",\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst hasSessionToken = parsedSetCookieHeader.has(cookieName);\n\t\t\t\t\t\tif (!loginPromptCookie || !hasSessionToken) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\texpireCookie(ctx, {\n\t\t\t\t\t\t\tname: \"oidc_login_prompt\",\n\t\t\t\t\t\t\tattributes: { path: \"/\" },\n\t\t\t\t\t\t});\n\t\t\t\t\t\tconst sessionCookie = parsedSetCookieHeader.get(cookieName)?.value;\n\t\t\t\t\t\tconst sessionToken = sessionCookie?.split(\".\")[0]!;\n\t\t\t\t\t\tif (!sessionToken) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst session =\n\t\t\t\t\t\t\t(await ctx.context.internalAdapter.findSession(sessionToken)) ||\n\t\t\t\t\t\t\tctx.context.newSession;\n\t\t\t\t\t\tif (!session) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tctx.query = JSON.parse(loginPromptCookie);\n\n\t\t\t\t\t\t// Remove \"login\" from prompt since user just logged in\n\t\t\t\t\t\tconst promptSet = parsePrompt(String(ctx.query?.prompt));\n\t\t\t\t\t\tif (promptSet.has(\"login\")) {\n\t\t\t\t\t\t\tconst newPromptSet = new Set(promptSet);\n\t\t\t\t\t\t\tnewPromptSet.delete(\"login\");\n\t\t\t\t\t\t\tctx.query = {\n\t\t\t\t\t\t\t\t...ctx.query,\n\t\t\t\t\t\t\t\tprompt: Array.from(newPromptSet).join(\" \"),\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tctx.context.session = session;\n\t\t\t\t\t\tconst response = await authorize(ctx, opts);\n\t\t\t\t\t\treturn response;\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tendpoints: {\n\t\t\tgetOpenIdConfig: createAuthEndpoint(\n\t\t\t\t\"/.well-known/openid-configuration\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\toperationId: \"getOpenIdConfig\",\n\t\t\t\t\tmetadata: HIDE_METADATA,\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst metadata = getMetadata(ctx, options);\n\t\t\t\t\treturn ctx.json(metadata);\n\t\t\t\t},\n\t\t\t),\n\t\t\toAuth2authorize: createAuthEndpoint(\n\t\t\t\t\"/oauth2/authorize\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\toperationId: \"oauth2Authorize\",\n\t\t\t\t\tquery: z.record(z.string(), z.any()),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Authorize an OAuth2 request\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Authorization response generated successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tadditionalProperties: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Authorization response, contents depend on the authorize function implementation\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn authorize(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toAuthConsent: createAuthEndpoint(\n\t\t\t\t\"/oauth2/consent\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\toperationId: \"oauth2Consent\",\n\t\t\t\t\tbody: oAuthConsentBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Handle OAuth2 consent. Supports both URL parameter-based flows (consent_code in body) and cookie-based flows (signed cookie).\",\n\t\t\t\t\t\t\trequestBody: {\n\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\taccept: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the user accepts or denies the consent request\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tconsent_code: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The consent code from the authorization request. Optional if using cookie-based flow.\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\trequired: [\"accept\"],\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Consent processed successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirectURI: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The URI to redirect to, either with an authorization code or an error\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"redirectURI\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\t// Support both consent flow methods:\n\t\t\t\t\t// 1. URL parameter-based: consent_code in request body (standard OAuth2 pattern)\n\t\t\t\t\t// 2. Cookie-based: using signed cookie for stateful consent flows\n\t\t\t\t\tlet consentCode: string | null = ctx.body.consent_code || null;\n\n\t\t\t\t\tif (!consentCode) {\n\t\t\t\t\t\t// Check for cookie-based consent flow\n\t\t\t\t\t\tconst cookieValue = await ctx.getSignedCookie(\n\t\t\t\t\t\t\t\"oidc_consent_prompt\",\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (cookieValue) {\n\t\t\t\t\t\t\tconsentCode = cookieValue;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!consentCode) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\"consent_code is required (either in body or cookie)\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst verification =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tconsentCode,\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!verification) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"Invalid code\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (verification.expiresAt < new Date()) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"Code expired\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\t// Clear the cookie\n\t\t\t\t\texpireCookie(ctx, {\n\t\t\t\t\t\tname: \"oidc_consent_prompt\",\n\t\t\t\t\t\tattributes: { path: \"/\" },\n\t\t\t\t\t});\n\n\t\t\t\t\tconst value = JSON.parse(verification.value) as CodeVerificationValue;\n\t\t\t\t\tif (!value.requireConsent) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"Consent not required\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!ctx.body.accept) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\t\tverification.id,\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\tredirectURI: `${value.redirectURI}?error=access_denied&error_description=User denied access`,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\t\t\t\t\tconst codeExpiresInMs =\n\t\t\t\t\t\t(opts?.codeExpiresIn ?? DEFAULT_CODE_EXPIRES_IN) * 1000;\n\t\t\t\t\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\t\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\t\tverification.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tvalue: JSON.stringify({\n\t\t\t\t\t\t\t\t...value,\n\t\t\t\t\t\t\t\trequireConsent: false,\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\tidentifier: code,\n\t\t\t\t\t\t\texpiresAt,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: modelName.oauthConsent,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tclientId: value.clientId,\n\t\t\t\t\t\t\tuserId: value.userId,\n\t\t\t\t\t\t\tscopes: value.scope.join(\" \"),\n\t\t\t\t\t\t\tconsentGiven: true,\n\t\t\t\t\t\t\tcreatedAt: new Date(),\n\t\t\t\t\t\t\tupdatedAt: new Date(),\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst redirectURI = new URL(value.redirectURI);\n\t\t\t\t\tredirectURI.searchParams.set(\"code\", code);\n\t\t\t\t\tif (value.state) redirectURI.searchParams.set(\"state\", value.state);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tredirectURI: redirectURI.toString(),\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\toAuth2token: createAuthEndpoint(\n\t\t\t\t\"/oauth2/token\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\toperationId: \"oauth2Token\",\n\t\t\t\t\tbody: oAuth2TokenBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t...HIDE_METADATA,\n\t\t\t\t\t\tallowedMediaTypes: [\n\t\t\t\t\t\t\t\"application/x-www-form-urlencoded\",\n\t\t\t\t\t\t\t\"application/json\",\n\t\t\t\t\t\t],\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tlet { body } = ctx;\n\t\t\t\t\tif (!body) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"request body not found\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (body instanceof FormData) {\n\t\t\t\t\t\tbody = Object.fromEntries(body.entries());\n\t\t\t\t\t}\n\t\t\t\t\tif (!(body instanceof Object)) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"request body is not an object\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tlet { client_id, client_secret } = body;\n\t\t\t\t\tconst authorization =\n\t\t\t\t\t\tctx.request?.headers.get(\"authorization\") || null;\n\t\t\t\t\tif (\n\t\t\t\t\t\tauthorization &&\n\t\t\t\t\t\t!client_id &&\n\t\t\t\t\t\t!client_secret &&\n\t\t\t\t\t\tauthorization.startsWith(\"Basic \")\n\t\t\t\t\t) {\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tconst encoded = authorization.replace(\"Basic \", \"\");\n\t\t\t\t\t\t\tconst decoded = new TextDecoder().decode(base64.decode(encoded));\n\t\t\t\t\t\t\tif (!decoded.includes(\":\")) {\n\t\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\t\terror_description: \"invalid authorization header format\",\n\t\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tconst [id, secret] = decoded.split(\":\");\n\t\t\t\t\t\t\tif (!id || !secret) {\n\t\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\t\terror_description: \"invalid authorization header format\",\n\t\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tclient_id = id;\n\t\t\t\t\t\t\tclient_secret = secret;\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description: \"invalid authorization header format\",\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tconst now = Date.now();\n\t\t\t\t\tconst iat = Math.floor(now / 1000);\n\t\t\t\t\tconst exp = iat + (opts.accessTokenExpiresIn ?? 3600);\n\n\t\t\t\t\tconst accessTokenExpiresAt = new Date(exp * 1000);\n\t\t\t\t\tconst refreshTokenExpiresAt = new Date(\n\t\t\t\t\t\t(iat + (opts.refreshTokenExpiresIn ?? 604800)) * 1000,\n\t\t\t\t\t);\n\n\t\t\t\t\tconst {\n\t\t\t\t\t\tgrant_type,\n\t\t\t\t\t\tcode,\n\t\t\t\t\t\tredirect_uri,\n\t\t\t\t\t\trefresh_token,\n\t\t\t\t\t\tcode_verifier,\n\t\t\t\t\t} = body;\n\t\t\t\t\tif (grant_type === \"refresh_token\") {\n\t\t\t\t\t\tif (!refresh_token) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror_description: \"refresh_token is required\",\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst token = await ctx.context.adapter.findOne<OAuthAccessToken>({\n\t\t\t\t\t\t\tmodel: modelName.oauthAccessToken,\n\t\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tfield: \"refreshToken\",\n\t\t\t\t\t\t\t\t\tvalue: refresh_token.toString(),\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t});\n\t\t\t\t\t\tif (!token) {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description: \"invalid refresh token\",\n\t\t\t\t\t\t\t\terror: \"invalid_grant\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (token.clientId !== client_id?.toString()) {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description: \"invalid client_id\",\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (token.refreshTokenExpiresAt < new Date()) {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description: \"refresh token expired\",\n\t\t\t\t\t\t\t\terror: \"invalid_grant\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst accessToken = generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\t\tconst newRefreshToken = generateRandomString(32, \"a-z\", \"A-Z\");\n\n\t\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\t\tmodel: modelName.oauthAccessToken,\n\t\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\t\taccessToken,\n\t\t\t\t\t\t\t\trefreshToken: newRefreshToken,\n\t\t\t\t\t\t\t\taccessTokenExpiresAt,\n\t\t\t\t\t\t\t\trefreshTokenExpiresAt,\n\t\t\t\t\t\t\t\tclientId: client_id.toString(),\n\t\t\t\t\t\t\t\tuserId: token.userId,\n\t\t\t\t\t\t\t\tscopes: token.scopes,\n\t\t\t\t\t\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t\t\tupdatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\taccess_token: accessToken,\n\t\t\t\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\t\t\t\texpires_in: opts.accessTokenExpiresIn,\n\t\t\t\t\t\t\trefresh_token: newRefreshToken,\n\t\t\t\t\t\t\tscope: token.scopes,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!code) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"code is required\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tif (options.requirePKCE && !code_verifier) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"code verifier is missing\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\t/**\n\t\t\t\t\t * We need to check if the code is valid before we can proceed\n\t\t\t\t\t * with the rest of the request.\n\t\t\t\t\t */\n\t\t\t\t\tconst verificationValue =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tcode.toString(),\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!verificationValue) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"invalid code\",\n\t\t\t\t\t\t\terror: \"invalid_grant\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"code expired\",\n\t\t\t\t\t\t\terror: \"invalid_grant\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t);\n\t\t\t\t\tif (!client_id) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"client_id is required\",\n\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (!grant_type) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"grant_type is required\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (grant_type !== \"authorization_code\") {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"grant_type must be 'authorization_code'\",\n\t\t\t\t\t\t\terror: \"unsupported_grant_type\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!redirect_uri) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"redirect_uri is required\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst client = await getClient(client_id.toString(), trustedClients);\n\t\t\t\t\tif (!client) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"invalid client_id\",\n\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (client.disabled) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"client is disabled\",\n\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst value = JSON.parse(\n\t\t\t\t\t\tverificationValue.value,\n\t\t\t\t\t) as CodeVerificationValue;\n\t\t\t\t\tif (value.clientId !== client_id.toString()) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"invalid client_id\",\n\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (value.redirectURI !== redirect_uri.toString()) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"invalid redirect_uri\",\n\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (value.codeChallenge && !code_verifier) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror_description: \"code verifier is missing\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (client.type === \"public\") {\n\t\t\t\t\t\t// For public clients (type: 'public'), validate PKCE instead of client_secret\n\t\t\t\t\t\tif (!code_verifier) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"code verifier is required for public clients\",\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\t// PKCE validation happens later in the flow, so we skip client_secret validation\n\t\t\t\t\t} else {\n\t\t\t\t\t\tif (!client.clientSecret || !client_secret) {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"client_secret is required for confidential clients\",\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst isValidSecret = await verifyStoredClientSecret(\n\t\t\t\t\t\t\tctx,\n\t\t\t\t\t\t\tclient.clientSecret,\n\t\t\t\t\t\t\tclient_secret.toString(),\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (!isValidSecret) {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\terror_description: \"invalid client_secret\",\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tconst challenge =\n\t\t\t\t\t\tvalue.codeChallengeMethod === \"plain\"\n\t\t\t\t\t\t\t? code_verifier\n\t\t\t\t\t\t\t: await createHash(\"SHA-256\", \"base64urlnopad\").digest(\n\t\t\t\t\t\t\t\t\tcode_verifier,\n\t\t\t\t\t\t\t\t);\n\n\t\t\t\t\tif (challenge !== value.codeChallenge) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"code verification failed\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst requestedScopes = value.scope;\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t);\n\t\t\t\t\tconst accessToken = generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst refreshToken = generateRandomString(32, \"A-Z\", \"a-z\");\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: modelName.oauthAccessToken,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\taccessToken,\n\t\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\t\taccessTokenExpiresAt,\n\t\t\t\t\t\t\trefreshTokenExpiresAt,\n\t\t\t\t\t\t\tclientId: client_id.toString(),\n\t\t\t\t\t\t\tuserId: value.userId,\n\t\t\t\t\t\t\tscopes: requestedScopes.join(\" \"),\n\t\t\t\t\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t\tupdatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\t\t\t\t\tvalue.userId,\n\t\t\t\t\t);\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"user not found\",\n\t\t\t\t\t\t\terror: \"invalid_grant\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst profile = {\n\t\t\t\t\t\tgiven_name: user.name.split(\" \")[0]!,\n\t\t\t\t\t\tfamily_name: user.name.split(\" \")[1]!,\n\t\t\t\t\t\tname: user.name,\n\t\t\t\t\t\tprofile: user.image,\n\t\t\t\t\t\tupdated_at: new Date(user.updatedAt).toISOString(),\n\t\t\t\t\t};\n\t\t\t\t\tconst email = {\n\t\t\t\t\t\temail: user.email,\n\t\t\t\t\t\temail_verified: user.emailVerified,\n\t\t\t\t\t};\n\t\t\t\t\tconst userClaims = {\n\t\t\t\t\t\t...(requestedScopes.includes(\"profile\") ? profile : {}),\n\t\t\t\t\t\t...(requestedScopes.includes(\"email\") ? email : {}),\n\t\t\t\t\t};\n\n\t\t\t\t\tconst additionalUserClaims = options.getAdditionalUserInfoClaim\n\t\t\t\t\t\t? await options.getAdditionalUserInfoClaim(\n\t\t\t\t\t\t\t\tuser,\n\t\t\t\t\t\t\t\trequestedScopes,\n\t\t\t\t\t\t\t\tclient,\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t: {};\n\n\t\t\t\t\tconst payload = {\n\t\t\t\t\t\tsub: user.id,\n\t\t\t\t\t\taud: client_id.toString(),\n\t\t\t\t\t\tiat: iat,\n\t\t\t\t\t\tauth_time: ctx.context.session\n\t\t\t\t\t\t\t? new Date(ctx.context.session.session.createdAt).getTime()\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\tnonce: value.nonce,\n\t\t\t\t\t\tacr: \"urn:mace:incommon:iap:silver\", // default to silver - ⚠︎ this should be configurable and should be validated against the client's metadata\n\t\t\t\t\t\t...userClaims,\n\t\t\t\t\t\t...additionalUserClaims,\n\t\t\t\t\t};\n\t\t\t\t\tconst expirationTime =\n\t\t\t\t\t\tMath.floor(Date.now() / 1000) +\n\t\t\t\t\t\t(opts?.accessTokenExpiresIn ?? DEFAULT_ACCESS_TOKEN_EXPIRES_IN);\n\n\t\t\t\t\tlet idToken: string;\n\n\t\t\t\t\t// The JWT plugin is enabled, so we use the JWKS keys to sign\n\t\t\t\t\tif (options.useJWTPlugin) {\n\t\t\t\t\t\tconst jwtPlugin = ctx.context.getPlugin(\"jwt\");\n\t\t\t\t\t\tif (!jwtPlugin) {\n\t\t\t\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\t\t\t\"OIDC: `useJWTPlugin` is enabled but the JWT plugin is not available. Make sure you have the JWT Plugin in your plugins array or set `useJWTPlugin` to false.\",\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\t\t\t\terror_description: \"JWT plugin is not enabled\",\n\t\t\t\t\t\t\t\terror: \"internal_server_error\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tidToken = await getJwtToken(\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t...ctx,\n\t\t\t\t\t\t\t\tcontext: {\n\t\t\t\t\t\t\t\t\t...ctx.context,\n\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\tid: generateRandomString(32, \"a-z\", \"A-Z\"),\n\t\t\t\t\t\t\t\t\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t\t\t\t\t\tupdatedAt: new Date(iat * 1000),\n\t\t\t\t\t\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\t\t\t\t\t\texpiresAt: accessTokenExpiresAt,\n\t\t\t\t\t\t\t\t\t\t\ttoken: accessToken,\n\t\t\t\t\t\t\t\t\t\t\tipAddress: ctx.request?.headers.get(\"x-forwarded-for\"),\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\tuser,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t...jwtPlugin.options,\n\t\t\t\t\t\t\t\tjwt: {\n\t\t\t\t\t\t\t\t\t...jwtPlugin.options?.jwt,\n\t\t\t\t\t\t\t\t\tgetSubject: () => user.id,\n\t\t\t\t\t\t\t\t\taudience: client_id.toString(),\n\t\t\t\t\t\t\t\t\tissuer:\n\t\t\t\t\t\t\t\t\t\tjwtPlugin.options?.jwt?.issuer ??\n\t\t\t\t\t\t\t\t\t\tctx.context.options.baseURL,\n\t\t\t\t\t\t\t\t\texpirationTime,\n\t\t\t\t\t\t\t\t\tdefinePayload: () => payload,\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\t// If the JWT token is not enabled, create a key and use it to sign\n\t\t\t\t\t} else {\n\t\t\t\t\t\tidToken = await new SignJWT(payload)\n\t\t\t\t\t\t\t.setProtectedHeader({ alg: \"HS256\" })\n\t\t\t\t\t\t\t.setIssuedAt(iat)\n\t\t\t\t\t\t\t.setExpirationTime(accessTokenExpiresAt)\n\t\t\t\t\t\t\t.sign(new TextEncoder().encode(client.clientSecret));\n\t\t\t\t\t}\n\n\t\t\t\t\treturn ctx.json(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\taccess_token: accessToken,\n\t\t\t\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\t\t\t\texpires_in: opts.accessTokenExpiresIn,\n\t\t\t\t\t\t\trefresh_token: requestedScopes.includes(\"offline_access\")\n\t\t\t\t\t\t\t\t? refreshToken\n\t\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\t\tscope: requestedScopes.join(\" \"),\n\t\t\t\t\t\t\tid_token: requestedScopes.includes(\"openid\")\n\t\t\t\t\t\t\t\t? idToken\n\t\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\t\t\t\t\tPragma: \"no-cache\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t),\n\t\t\toAuth2userInfo: createAuthEndpoint(\n\t\t\t\t\"/oauth2/userinfo\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\toperationId: \"oauth2Userinfo\",\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t...HIDE_METADATA,\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Get OAuth2 user information\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"User information retrieved successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsub: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Subject identifier (user ID)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"email\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's email address, included if 'email' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's full name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tpicture: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's profile picture URL, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tgiven_name: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's given name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tfamily_name: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's family name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail_verified: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the email is verified, included if 'email' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"sub\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tif (!ctx.request) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"request not found\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst authorization = ctx.request.headers.get(\"authorization\");\n\t\t\t\t\tif (!authorization) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"authorization header not found\",\n\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst token = authorization.replace(\"Bearer \", \"\");\n\t\t\t\t\tconst accessToken =\n\t\t\t\t\t\tawait ctx.context.adapter.findOne<OAuthAccessToken>({\n\t\t\t\t\t\t\tmodel: modelName.oauthAccessToken,\n\t\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tfield: \"accessToken\",\n\t\t\t\t\t\t\t\t\tvalue: token,\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t});\n\t\t\t\t\tif (!accessToken) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"invalid access token\",\n\t\t\t\t\t\t\terror: \"invalid_token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (accessToken.accessTokenExpiresAt < new Date()) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"The Access Token expired\",\n\t\t\t\t\t\t\terror: \"invalid_token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst client = await getClient(accessToken.clientId, trustedClients);\n\t\t\t\t\tif (!client) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"client not found\",\n\t\t\t\t\t\t\terror: \"invalid_token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\t\t\t\t\taccessToken.userId,\n\t\t\t\t\t);\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror_description: \"user not found\",\n\t\t\t\t\t\t\terror: \"invalid_token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst requestedScopes = accessToken.scopes.split(\" \");\n\t\t\t\t\tconst baseUserClaims = {\n\t\t\t\t\t\tsub: user.id,\n\t\t\t\t\t\temail: requestedScopes.includes(\"email\") ? user.email : undefined,\n\t\t\t\t\t\tname: requestedScopes.includes(\"profile\") ? user.name : undefined,\n\t\t\t\t\t\tpicture: requestedScopes.includes(\"profile\")\n\t\t\t\t\t\t\t? user.image\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\tgiven_name: requestedScopes.includes(\"profile\")\n\t\t\t\t\t\t\t? user.name.split(\" \")[0]!\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\tfamily_name: requestedScopes.includes(\"profile\")\n\t\t\t\t\t\t\t? user.name.split(\" \")[1]!\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t\temail_verified: requestedScopes.includes(\"email\")\n\t\t\t\t\t\t\t? user.emailVerified\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\t};\n\t\t\t\t\tconst userClaims = options.getAdditionalUserInfoClaim\n\t\t\t\t\t\t? await options.getAdditionalUserInfoClaim(\n\t\t\t\t\t\t\t\tuser,\n\t\t\t\t\t\t\t\trequestedScopes,\n\t\t\t\t\t\t\t\tclient,\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t: baseUserClaims;\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t...baseUserClaims,\n\t\t\t\t\t\t...userClaims,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/oauth2/register`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.registerOAuthApplication`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.oauth2.register`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/oidc-provider#api-method-oauth2-register)\n\t\t\t */\n\t\t\tregisterOAuthApplication: createAuthEndpoint(\n\t\t\t\t\"/oauth2/register\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: registerOAuthApplicationBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Register an OAuth2 application\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 application registered successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ticon: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Icon URL for the application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tadditionalProperties: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Additional metadata for the application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclientId: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier for the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclientSecret: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Secret key for the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirectURLs: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: { type: \"string\", format: \"uri\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"List of allowed redirect URLs\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Type of the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"web\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tauthenticationScheme: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Authentication scheme used by the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"client_secret\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tdisabled: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the client is disabled\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [false],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuserId: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"ID of the user who registered the client, null if registered anonymously\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tcreatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Creation timestamp\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tupdatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Last update timestamp\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"name\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"clientId\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"clientSecret\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"redirectURLs\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"type\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"authenticationScheme\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"disabled\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"createdAt\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"updatedAt\",\n\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst body = ctx.body;\n\t\t\t\t\tconst session = await getSessionFromCtx(ctx);\n\n\t\t\t\t\t// Check authorization\n\t\t\t\t\tif (!session && !options.allowDynamicClientRegistration) {\n\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\terror: \"invalid_token\",\n\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\"Authentication required for client registration\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\t// Validate redirect URIs for redirect-based flows\n\t\t\t\t\tif (\n\t\t\t\t\t\t(!body.grant_types ||\n\t\t\t\t\t\t\tbody.grant_types.includes(\"authorization_code\") ||\n\t\t\t\t\t\t\tbody.grant_types.includes(\"implicit\")) &&\n\t\t\t\t\t\t(!body.redirect_uris || body.redirect_uris.length === 0)\n\t\t\t\t\t) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\terror: \"invalid_redirect_uri\",\n\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\"Redirect URIs are required for authorization_code and implicit grant types\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\t// Validate correlation between grant_types and response_types\n\t\t\t\t\tif (body.grant_types && body.response_types) {\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\tbody.grant_types.includes(\"authorization_code\") &&\n\t\t\t\t\t\t\t!body.response_types.includes(\"code\")\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_client_metadata\",\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"When 'authorization_code' grant type is used, 'code' response type must be included\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\tbody.grant_types.includes(\"implicit\") &&\n\t\t\t\t\t\t\t!body.response_types.includes(\"token\")\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_client_metadata\",\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"When 'implicit' grant type is used, 'token' response type must be included\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tconst clientId =\n\t\t\t\t\t\toptions.generateClientId?.() ||\n\t\t\t\t\t\tgenerateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst clientSecret =\n\t\t\t\t\t\toptions.generateClientSecret?.() ||\n\t\t\t\t\t\tgenerateRandomString(32, \"a-z\", \"A-Z\");\n\n\t\t\t\t\tconst storedClientSecret = await storeClientSecret(ctx, clientSecret);\n\n\t\t\t\t\t// Create the client with the existing schema\n\t\t\t\t\tconst client: Client = await ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: modelName.oauthClient,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tname: body.client_name,\n\t\t\t\t\t\t\ticon: body.logo_uri,\n\t\t\t\t\t\t\tmetadata: body.metadata ? JSON.stringify(body.metadata) : null,\n\t\t\t\t\t\t\tclientId: clientId,\n\t\t\t\t\t\t\tclientSecret: storedClientSecret,\n\t\t\t\t\t\t\tredirectUrls: body.redirect_uris.join(\",\"),\n\t\t\t\t\t\t\ttype: \"web\",\n\t\t\t\t\t\t\tauthenticationScheme:\n\t\t\t\t\t\t\t\tbody.token_endpoint_auth_method || \"client_secret_basic\",\n\t\t\t\t\t\t\tdisabled: false,\n\t\t\t\t\t\t\tuserId: session?.session.userId,\n\t\t\t\t\t\t\tcreatedAt: new Date(),\n\t\t\t\t\t\t\tupdatedAt: new Date(),\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\n\t\t\t\t\t// Format the response according to RFC7591\n\t\t\t\t\treturn ctx.json(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tclient_id: clientId,\n\t\t\t\t\t\t\t...(client.type !== \"public\"\n\t\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\t\tclient_secret: clientSecret,\n\t\t\t\t\t\t\t\t\t\tclient_secret_expires_at: 0, // 0 means it doesn't expire\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t: {}),\n\t\t\t\t\t\t\tclient_id_issued_at: Math.floor(Date.now() / 1000),\n\t\t\t\t\t\t\tclient_secret_expires_at: 0, // 0 means it doesn't expire\n\t\t\t\t\t\t\tredirect_uris: body.redirect_uris,\n\t\t\t\t\t\t\ttoken_endpoint_auth_method:\n\t\t\t\t\t\t\t\tbody.token_endpoint_auth_method || \"client_secret_basic\",\n\t\t\t\t\t\t\tgrant_types: body.grant_types || [\"authorization_code\"],\n\t\t\t\t\t\t\tresponse_types: body.response_types || [\"code\"],\n\t\t\t\t\t\t\tclient_name: body.client_name,\n\t\t\t\t\t\t\tclient_uri: body.client_uri,\n\t\t\t\t\t\t\tlogo_uri: body.logo_uri,\n\t\t\t\t\t\t\tscope: body.scope,\n\t\t\t\t\t\t\tcontacts: body.contacts,\n\t\t\t\t\t\t\ttos_uri: body.tos_uri,\n\t\t\t\t\t\t\tpolicy_uri: body.policy_uri,\n\t\t\t\t\t\t\tjwks_uri: body.jwks_uri,\n\t\t\t\t\t\t\tjwks: body.jwks,\n\t\t\t\t\t\t\tsoftware_id: body.software_id,\n\t\t\t\t\t\t\tsoftware_version: body.software_version,\n\t\t\t\t\t\t\tsoftware_statement: body.software_statement,\n\t\t\t\t\t\t\tmetadata: body.metadata,\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tstatus: 201,\n\t\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\t\t\t\t\tPragma: \"no-cache\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t),\n\t\t\tgetOAuthClient: createAuthEndpoint(\n\t\t\t\t\"/oauth2/client/:id\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Get OAuth2 client details\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client retrieved successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tclientId: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier for the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ticon: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Icon URL for the application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"clientId\", \"name\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (\n\t\t\t\t\tctx,\n\t\t\t\t): Promise<{\n\t\t\t\t\tclientId: string;\n\t\t\t\t\tname: string;\n\t\t\t\t\ticon: string | null;\n\t\t\t\t}> => {\n\t\t\t\t\tconst client = await getClient(ctx.params.id, trustedClients);\n\t\t\t\t\tif (!client) {\n\t\t\t\t\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\t\t\t\t\terror_description: \"client not found\",\n\t\t\t\t\t\t\terror: \"not_found\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tclientId: client.clientId,\n\t\t\t\t\t\tname: client.name,\n\t\t\t\t\t\ticon: client.icon || null,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * GET/POST `/oauth2/endsession`\n\t\t\t *\n\t\t\t * Implements RP-Initiated Logout as per OpenID Connect RP-Initiated Logout 1.0.\n\t\t\t * Allows relying parties to request that an OpenID Provider log out the end-user.\n\t\t\t *\n\t\t\t * @see [OpenID Connect RP-Initiated Logout Spec](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)\n\t\t\t */\n\t\t\tendSession: createAuthEndpoint(\n\t\t\t\t\"/oauth2/endsession\",\n\t\t\t\t{\n\t\t\t\t\tmethod: [\"GET\", \"POST\"],\n\t\t\t\t\tquery: z\n\t\t\t\t\t\t.object({\n\t\t\t\t\t\t\tid_token_hint: z.string().optional(),\n\t\t\t\t\t\t\tlogout_hint: z.string().optional(),\n\t\t\t\t\t\t\tclient_id: z.string().optional(),\n\t\t\t\t\t\t\tpost_logout_redirect_uri: z.string().optional(),\n\t\t\t\t\t\t\tstate: z.string().optional(),\n\t\t\t\t\t\t\tui_locales: z.string().optional(),\n\t\t\t\t\t\t})\n\t\t\t\t\t\t.optional(),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t...HIDE_METADATA,\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"RP-Initiated Logout endpoint. Logs out the end-user and optionally redirects to a post-logout URI.\",\n\t\t\t\t\t\t\tparameters: [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"id_token_hint\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Previously issued ID Token passed as a hint about the End-User's current authenticated session\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"logout_hint\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Hint to the Authorization Server about the End-User that is logging out\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"client_id\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"OAuth 2.0 Client Identifier. Required if post_logout_redirect_uri is used without id_token_hint\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"post_logout_redirect_uri\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\", format: \"uri\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"state\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Opaque value used by the RP to maintain state between the logout request and the callback\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"ui_locales\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"End-User's preferred languages and scripts for the user interface\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t] as OpenAPIParameter[],\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"302\": {\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Redirect to post_logout_redirect_uri or logout confirmation page\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Logout completed successfully\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { id_token_hint, client_id, post_logout_redirect_uri, state } =\n\t\t\t\t\t\tctx.query || {};\n\n\t\t\t\t\tlet validatedClientId: string | null = null;\n\t\t\t\t\tlet validatedUserId: string | null = null;\n\n\t\t\t\t\t// Validate id_token_hint if provided\n\t\t\t\t\tif (id_token_hint) {\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tconst jwtPlugin = ctx.context.getPlugin(\"jwt\");\n\t\t\t\t\t\t\tif (jwtPlugin && jwtPlugin.options && options?.useJWTPlugin) {\n\t\t\t\t\t\t\t\t// For JWT plugin tokens, verify using JWKS\n\t\t\t\t\t\t\t\tconst verified = await verifyJWT(\n\t\t\t\t\t\t\t\t\tid_token_hint,\n\t\t\t\t\t\t\t\t\tjwtPlugin.options,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tif (verified) {\n\t\t\t\t\t\t\t\t\tvalidatedUserId = verified.sub;\n\t\t\t\t\t\t\t\t\tvalidatedClientId = verified.aud\n\t\t\t\t\t\t\t\t\t\t? typeof verified.aud === \"string\"\n\t\t\t\t\t\t\t\t\t\t\t? verified.aud\n\t\t\t\t\t\t\t\t\t\t\t: verified.aud[0]!\n\t\t\t\t\t\t\t\t\t\t: null;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t// For HS256 tokens, we need the client_id to verify\n\t\t\t\t\t\t\t\tif (client_id) {\n\t\t\t\t\t\t\t\t\tconst client = await getClient(client_id, trustedClients);\n\t\t\t\t\t\t\t\t\tif (client && client.clientSecret) {\n\t\t\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\t\t\tconst { payload } = await jwtVerify(\n\t\t\t\t\t\t\t\t\t\t\t\tid_token_hint,\n\t\t\t\t\t\t\t\t\t\t\t\tnew TextEncoder().encode(client.clientSecret),\n\t\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\t\t\tvalidatedUserId = payload.sub as string;\n\t\t\t\t\t\t\t\t\t\t\tvalidatedClientId = payload.aud as string;\n\t\t\t\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\t\t\t\t// Invalid token, continue with logout but no validation\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t// Invalid id_token_hint, but we continue with logout anyway\n\t\t\t\t\t\t\tctx.context.logger.debug(\n\t\t\t\t\t\t\t\t\"Invalid id_token_hint provided to end_session endpoint\",\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\t// Validate client_id if provided\n\t\t\t\t\tif (client_id) {\n\t\t\t\t\t\tconst client = await getClient(client_id, trustedClients);\n\t\t\t\t\t\tif (!client) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t\terror_description: \"Invalid client_id\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\t// If we have a validated client from the token, ensure they match\n\t\t\t\t\t\tif (validatedClientId && validatedClientId !== client_id) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"client_id does not match the ID Token's audience\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tvalidatedClientId = client_id;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Validate post_logout_redirect_uri if provided\n\t\t\t\t\tif (post_logout_redirect_uri) {\n\t\t\t\t\t\tif (!validatedClientId) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"client_id is required when using post_logout_redirect_uri without a valid id_token_hint\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst client = await getClient(validatedClientId, trustedClients);\n\t\t\t\t\t\tif (!client) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_client\",\n\t\t\t\t\t\t\t\terror_description: \"Invalid client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst isValidRedirectUri = client.redirectUrls.some(\n\t\t\t\t\t\t\t(registeredUri) => post_logout_redirect_uri === registeredUri,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isValidRedirectUri) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t\terror_description:\n\t\t\t\t\t\t\t\t\t\"post_logout_redirect_uri is not registered for this client\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tconst session = await getSessionFromCtx(ctx);\n\n\t\t\t\t\tif (validatedUserId || session) {\n\t\t\t\t\t\tconst userId = validatedUserId || session?.user.id;\n\t\t\t\t\t\tif (userId) {\n\t\t\t\t\t\t\tawait ctx.context.adapter.deleteMany({\n\t\t\t\t\t\t\t\tmodel: modelName.oauthAccessToken,\n\t\t\t\t\t\t\t\twhere: [{ field: \"userId\", value: userId }],\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (session) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\t\tsession.session.token,\n\t\t\t\t\t\t);\n\t\t\t\t\t\texpireCookie(ctx, ctx.context.authCookies.sessionToken);\n\t\t\t\t\t}\n\n\t\t\t\t\tif (post_logout_redirect_uri) {\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tconst redirectUrl = new URL(post_logout_redirect_uri);\n\t\t\t\t\t\t\tif (state) {\n\t\t\t\t\t\t\t\tredirectUrl.searchParams.set(\"state\", state);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\treturn ctx.redirect(redirectUrl.toString());\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t\t\t\t\terror_description: \"Invalid post_logout_redirect_uri format\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tsuccess: true,\n\t\t\t\t\t\tmessage: \"Logout successful\",\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\tschema: mergeSchema(schema, options?.schema),\n\t\tget options() {\n\t\t\treturn opts;\n\t\t},\n\t} satisfies BetterAuthPlugin;\n};\nexport type * from \"./types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDA,eAAsB,UACrB,UACA,iBAAqE,EAAE,EACJ;CACnE,MAAM,EACL,SAAS,EAAE,cACR,MAAM,uBAAuB;CACjC,MAAM,gBAAgB,eAAe,MACnC,WAAW,OAAO,aAAa,SAChC;AACD,KAAI,cACH,QAAO;AAER,QAAO,QACL,QAA0B;EAC1B,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAY,OAAO;GAAU,CAAC;EAC/C,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,IACJ,QAAO;AAGR,SAAO;GACN,UAAU,IAAI;GACd,cAAc,IAAI;GAClB,MAAM,IAAI;GACV,MAAM,IAAI;GACV,MAAM,IAAI;GACV,UAAU,IAAI;GACd,eAAe,IAAI,gBAAgB,IAAI,MAAM,IAAI;GACjD,UAAU,IAAI,WAAW,KAAK,MAAM,IAAI,SAAS,GAAG,EAAE;GACtD;GACA;;AAGJ,MAAa,eACZ,KACA,YACkB;CAClB,MAAM,YAAY,IAAI,QAAQ,UAAU,MAAM;CAC9C,MAAM,SACL,aAAa,UAAU,SAAS,OAAO,UAAU,QAAQ,IAAI,SAC1D,UAAU,QAAQ,IAAI,SACrB,IAAI,QAAQ,QAAQ;CACzB,MAAM,UAAU,IAAI,QAAQ;CAC5B,MAAM,gBAAgB,SAAS,eAC5B;EAAC;EAAS;EAAS;EAAO,GAC1B,CAAC,SAAS,OAAO;AACpB,QAAO;EACN;EACA,wBAAwB,GAAG,QAAQ;EACnC,gBAAgB,GAAG,QAAQ;EAC3B,mBAAmB,GAAG,QAAQ;EAC9B,UAAU,GAAG,QAAQ;EACrB,uBAAuB,GAAG,QAAQ;EAClC,sBAAsB,GAAG,QAAQ;EACjC,kBAAkB;GAAC;GAAU;GAAW;GAAS;GAAiB;EAClE,0BAA0B,CAAC,OAAO;EAClC,0BAA0B,CAAC,QAAQ;EACnC,uBAAuB,CAAC,sBAAsB,gBAAgB;EAC9D,sBAAsB,CACrB,gCACA,+BACA;EACD,yBAAyB,CAAC,SAAS;EACnC,uCAAuC;EACvC,uCAAuC;GACtC;GACA;GACA;GACA;EACD,kCAAkC,CAAC,OAAO;EAC1C,kBAAkB;GACjB;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;EACD,GAAG,SAAS;EACZ;;AAGF,MAAM,yBAAyB,EAAE,OAAO;CACvC,QAAQ,EAAE,SAAS;CACnB,cAAc,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS;CAC7C,CAAC;AAEF,MAAM,wBAAwB,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,CAAC;AAExD,MAAM,qCAAqC,EAAE,OAAO;CACnD,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,KAAK,EACvC,aACC,0EACD,CAAC;CACF,4BAA4B,EAC1B,KAAK;EAAC;EAAQ;EAAuB;EAAqB,CAAC,CAC3D,KAAK,EACL,aACC,iFACD,CAAC,CACD,QAAQ,sBAAsB,CAC9B,UAAU;CACZ,aAAa,EACX,MACA,EAAE,KAAK;EACN;EACA;EACA;EACA;EACA;EACA;EACA;EACA,CAAC,CACF,CACA,KAAK,EACL,aACC,8EACD,CAAC,CACD,QAAQ,CAAC,qBAAqB,CAAC,CAC/B,UAAU;CACZ,gBAAgB,EACd,MAAM,EAAE,KAAK,CAAC,QAAQ,QAAQ,CAAC,CAAC,CAChC,KAAK,EACL,aACC,mEACD,CAAC,CACD,QAAQ,CAAC,OAAO,CAAC,CACjB,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,+CACb,CAAC,CACD,UAAU;CACZ,YAAY,EACV,QAAQ,CACR,KAAK,EACL,aACC,kEACD,CAAC,CACD,UAAU;CACZ,UAAU,EACR,QAAQ,CACR,KAAK,EACL,aACC,gFACD,CAAC,CACD,UAAU;CACZ,OAAO,EACL,QAAQ,CACR,KAAK,EACL,aACC,uFACD,CAAC,CACD,UAAU;CACZ,UAAU,EACR,MAAM,EAAE,QAAQ,CAAC,CACjB,KAAK,EACL,aACC,4EACD,CAAC,CACD,UAAU;CACZ,SAAS,EACP,QAAQ,CACR,KAAK,EACL,aACC,uFACD,CAAC,CACD,UAAU;CACZ,YAAY,EACV,QAAQ,CACR,KAAK,EACL,aACC,wFACD,CAAC,CACD,UAAU;CACZ,UAAU,EACR,QAAQ,CACR,KAAK,EACL,aACC,4EACD,CAAC,CACD,UAAU;CACZ,MAAM,EACJ,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,CAAC,CACxB,KAAK,EACL,aACC,2IACD,CAAC,CACD,UAAU;CACZ,UAAU,EACR,OAAO,EAAE,KAAK,EAAE,EAAE,KAAK,CAAC,CACxB,KAAK,EACL,aAAa,6DACb,CAAC,CACD,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,2DACb,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,0DACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aAAa,8CACb,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAM,0BAA0B;AAChC,MAAM,kCAAkC;AACxC,MAAM,mCAAmC;;;;;;;;;AAUzC,MAAa,gBAAgB,YAAyB;CACrD,MAAM,YAAY;EACjB,aAAa;EACb,kBAAkB;EAClB,cAAc;EACd;CAED,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,sBAAsB;EACtB,uBAAuB;EACvB,+BAA+B;EAC/B,mBAAmB;EACnB,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;CAED,MAAM,iBAAiB,QAAQ,kBAAkB,EAAE;;;;CAKnD,eAAe,kBACd,KACA,cACC;AACD,MAAI,KAAK,sBAAsB,YAC9B,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,MAAI,KAAK,sBAAsB,SAC9B,QAAO,MAAM,0BAA0B,aAAa;AAErD,MACC,OAAO,KAAK,sBAAsB,YAClC,UAAU,KAAK,kBAEf,QAAO,MAAM,KAAK,kBAAkB,KAAK,aAAa;AAEvD,MACC,OAAO,KAAK,sBAAsB,YAClC,aAAa,KAAK,kBAElB,QAAO,MAAM,KAAK,kBAAkB,QAAQ,aAAa;AAG1D,SAAO;;;;;CAMR,eAAe,yBACd,KACA,oBACA,cACmB;AACnB,MAAI,KAAK,sBAAsB,YAC9B,QACE,MAAM,iBAAiB;GACvB,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC,KAAM;AAGV,MAAI,KAAK,sBAAsB,SAE9B,QAD2B,MAAM,0BAA0B,aAAa,KAC1C;AAE/B,MACC,OAAO,KAAK,sBAAsB,YAClC,UAAU,KAAK,kBAIf,QADC,MAAM,KAAK,kBAAkB,KAAK,aAAa,KAClB;AAE/B,MACC,OAAO,KAAK,sBAAsB,YAClC,aAAa,KAAK,kBAIlB,QADC,MAAM,KAAK,kBAAkB,QAAQ,mBAAmB,KACxB;AAGlC,SAAO,iBAAiB;;AAGzB,QAAO;EACN,IAAI;EACJ,OAAO,EACN,OAAO,CACN;GACC,UAAU;AACT,WAAO;;GAER,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,oBAAoB,MAAM,IAAI,gBACnC,qBACA,IAAI,QAAQ,OACZ;IACD,MAAM,aAAa,IAAI,QAAQ,YAAY,aAAa;IACxD,MAAM,wBAAwB,qBAC7B,IAAI,QAAQ,iBAAiB,IAAI,aAAa,IAAI,GAClD;IACD,MAAM,kBAAkB,sBAAsB,IAAI,WAAW;AAC7D,QAAI,CAAC,qBAAqB,CAAC,gBAC1B;AAED,iBAAa,KAAK;KACjB,MAAM;KACN,YAAY,EAAE,MAAM,KAAK;KACzB,CAAC;IAEF,MAAM,gBADgB,sBAAsB,IAAI,WAAW,EAAE,QACzB,MAAM,IAAI,CAAC;AAC/C,QAAI,CAAC,aACJ;IAED,MAAM,UACJ,MAAM,IAAI,QAAQ,gBAAgB,YAAY,aAAa,IAC5D,IAAI,QAAQ;AACb,QAAI,CAAC,QACJ;AAED,QAAI,QAAQ,KAAK,MAAM,kBAAkB;IAGzC,MAAM,YAAY,YAAY,OAAO,IAAI,OAAO,OAAO,CAAC;AACxD,QAAI,UAAU,IAAI,QAAQ,EAAE;KAC3B,MAAM,eAAe,IAAI,IAAI,UAAU;AACvC,kBAAa,OAAO,QAAQ;AAC5B,SAAI,QAAQ;MACX,GAAG,IAAI;MACP,QAAQ,MAAM,KAAK,aAAa,CAAC,KAAK,IAAI;MAC1C;;AAGF,QAAI,QAAQ,UAAU;AAEtB,WADiB,MAAM,UAAU,KAAK,KAAK;KAE1C;GACF,CACD,EACD;EACD,WAAW;GACV,iBAAiB,mBAChB,qCACA;IACC,QAAQ;IACR,aAAa;IACb,UAAU;IACV,EACD,OAAO,QAAQ;IACd,MAAM,WAAW,YAAY,KAAK,QAAQ;AAC1C,WAAO,IAAI,KAAK,SAAS;KAE1B;GACD,iBAAiB,mBAChB,qBACA;IACC,QAAQ;IACR,aAAa;IACb,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC;IACpC,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,sBAAsB;OACtB,aACC;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,UAAU,KAAK,KAAK;KAE5B;GACD,cAAc,mBACb,mBACA;IACC,QAAQ;IACR,aAAa;IACb,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,aACC;KACD,aAAa;MACZ,UAAU;MACV,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,QAAQ;SACP,MAAM;SACN,aACC;SACD;QACD,cAAc;SACb,MAAM;SACN,aACC;SACD;QACD;OACD,UAAU,CAAC,SAAS;OACpB,EACD,EACD;MACD;KACD,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,aAAa;QACZ,MAAM;QACN,QAAQ;QACR,aACC;QACD,EACD;OACD,UAAU,CAAC,cAAc;OACzB,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IAId,IAAI,cAA6B,IAAI,KAAK,gBAAgB;AAE1D,QAAI,CAAC,aAAa;KAEjB,MAAM,cAAc,MAAM,IAAI,gBAC7B,uBACA,IAAI,QAAQ,OACZ;AACD,SAAI,YACH,eAAc;;AAIhB,QAAI,CAAC,YACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBACC;KACD,OAAO;KACP,CAAC;IAGH,MAAM,eACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,YACA;AACF,QAAI,CAAC,aACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,aAAa,4BAAY,IAAI,MAAM,CACtC,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAIH,iBAAa,KAAK;KACjB,MAAM;KACN,YAAY,EAAE,MAAM,KAAK;KACzB,CAAC;IAEF,MAAM,QAAQ,KAAK,MAAM,aAAa,MAAM;AAC5C,QAAI,CAAC,MAAM,eACV,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAGH,QAAI,CAAC,IAAI,KAAK,QAAQ;AACrB,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,aAAa,GACb;AACD,YAAO,IAAI,KAAK,EACf,aAAa,GAAG,MAAM,YAAY,4DAClC,CAAC;;IAEH,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;IAC1D,MAAM,mBACJ,MAAM,iBAAiB,2BAA2B;IACpD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;AACxD,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,aAAa,IACb;KACC,OAAO,KAAK,UAAU;MACrB,GAAG;MACH,gBAAgB;MAChB,CAAC;KACF,YAAY;KACZ;KACA,CACD;AACD,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,UAAU;KACjB,MAAM;MACL,UAAU,MAAM;MAChB,QAAQ,MAAM;MACd,QAAQ,MAAM,MAAM,KAAK,IAAI;MAC7B,cAAc;MACd,2BAAW,IAAI,MAAM;MACrB,2BAAW,IAAI,MAAM;MACrB;KACD,CAAC;IACF,MAAM,cAAc,IAAI,IAAI,MAAM,YAAY;AAC9C,gBAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,QAAI,MAAM,MAAO,aAAY,aAAa,IAAI,SAAS,MAAM,MAAM;AACnE,WAAO,IAAI,KAAK,EACf,aAAa,YAAY,UAAU,EACnC,CAAC;KAEH;GACD,aAAa,mBACZ,iBACA;IACC,QAAQ;IACR,aAAa;IACb,MAAM;IACN,UAAU;KACT,GAAG;KACH,mBAAmB,CAClB,qCACA,mBACA;KACD;IACD,EACD,OAAO,QAAQ;IACd,IAAI,EAAE,SAAS;AACf,QAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,gBAAgB,SACnB,QAAO,OAAO,YAAY,KAAK,SAAS,CAAC;AAE1C,QAAI,EAAE,gBAAgB,QACrB,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAEH,IAAI,EAAE,WAAW,kBAAkB;IACnC,MAAM,gBACL,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AAC9C,QACC,iBACA,CAAC,aACD,CAAC,iBACD,cAAc,WAAW,SAAS,CAElC,KAAI;KACH,MAAM,UAAU,cAAc,QAAQ,UAAU,GAAG;KACnD,MAAM,UAAU,IAAI,aAAa,CAAC,OAAO,OAAO,OAAO,QAAQ,CAAC;AAChE,SAAI,CAAC,QAAQ,SAAS,IAAI,CACzB,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;KAEH,MAAM,CAAC,IAAI,UAAU,QAAQ,MAAM,IAAI;AACvC,SAAI,CAAC,MAAM,CAAC,OACX,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;AAEH,iBAAY;AACZ,qBAAgB;YACT;AACP,WAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;;IAIJ,MAAM,MAAM,KAAK,KAAK;IACtB,MAAM,MAAM,KAAK,MAAM,MAAM,IAAK;IAClC,MAAM,MAAM,OAAO,KAAK,wBAAwB;IAEhD,MAAM,uCAAuB,IAAI,KAAK,MAAM,IAAK;IACjD,MAAM,wCAAwB,IAAI,MAChC,OAAO,KAAK,yBAAyB,WAAW,IACjD;IAED,MAAM,EACL,YACA,MACA,cACA,eACA,kBACG;AACJ,QAAI,eAAe,iBAAiB;AACnC,SAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe;MACjC,mBAAmB;MACnB,OAAO;MACP,CAAC;KAEH,MAAM,QAAQ,MAAM,IAAI,QAAQ,QAAQ,QAA0B;MACjE,OAAO,UAAU;MACjB,OAAO,CACN;OACC,OAAO;OACP,OAAO,cAAc,UAAU;OAC/B,CACD;MACD,CAAC;AACF,SAAI,CAAC,MACJ,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;AAEH,SAAI,MAAM,aAAa,WAAW,UAAU,CAC3C,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;AAEH,SAAI,MAAM,wCAAwB,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;KAEH,MAAM,cAAc,qBAAqB,IAAI,OAAO,MAAM;KAC1D,MAAM,kBAAkB,qBAAqB,IAAI,OAAO,MAAM;AAE9D,WAAM,IAAI,QAAQ,QAAQ,OAAO;MAChC,OAAO,UAAU;MACjB,MAAM;OACL;OACA,cAAc;OACd;OACA;OACA,UAAU,UAAU,UAAU;OAC9B,QAAQ,MAAM;OACd,QAAQ,MAAM;OACd,2BAAW,IAAI,KAAK,MAAM,IAAK;OAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;OAC/B;MACD,CAAC;AACF,YAAO,IAAI,KAAK;MACf,cAAc;MACd,YAAY;MACZ,YAAY,KAAK;MACjB,eAAe;MACf,OAAO,MAAM;MACb,CAAC;;AAGH,QAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAGH,QAAI,QAAQ,eAAe,CAAC,cAC3B,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;;;;;IAOH,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,KAAK,UAAU,CACf;AACF,QAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,kBAAkB,4BAAY,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAGH,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAI,CAAC,UACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,CAAC,WACJ,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,eAAe,qBAClB,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAGH,QAAI,CAAC,aACJ,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,SAAS,MAAM,UAAU,UAAU,UAAU,EAAE,eAAe;AACpE,QAAI,CAAC,OACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,OAAO,SACV,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,QAAQ,KAAK,MAClB,kBAAkB,MAClB;AACD,QAAI,MAAM,aAAa,UAAU,UAAU,CAC1C,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,MAAM,gBAAgB,aAAa,UAAU,CAChD,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,MAAM,iBAAiB,CAAC,cAC3B,OAAM,IAAI,SAAS,eAAe;KACjC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,OAAO,SAAS,UAEnB;SAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe;MACjC,mBACC;MACD,OAAO;MACP,CAAC;WAGG;AACN,SAAI,CAAC,OAAO,gBAAgB,CAAC,cAC5B,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBACC;MACD,OAAO;MACP,CAAC;AAOH,SAAI,CALkB,MAAM,yBAC3B,KACA,OAAO,cACP,cAAc,UAAU,CACxB,CAEA,OAAM,IAAI,SAAS,gBAAgB;MAClC,mBAAmB;MACnB,OAAO;MACP,CAAC;;AAUJ,SANC,MAAM,wBAAwB,UAC3B,gBACA,MAAM,WAAW,WAAW,iBAAiB,CAAC,OAC9C,cACA,MAEc,MAAM,cACvB,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,kBAAkB,MAAM;AAC9B,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;IACD,MAAM,cAAc,qBAAqB,IAAI,OAAO,MAAM;IAC1D,MAAM,eAAe,qBAAqB,IAAI,OAAO,MAAM;AAC3D,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,UAAU;KACjB,MAAM;MACL;MACA;MACA;MACA;MACA,UAAU,UAAU,UAAU;MAC9B,QAAQ,MAAM;MACd,QAAQ,gBAAgB,KAAK,IAAI;MACjC,2BAAW,IAAI,KAAK,MAAM,IAAK;MAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;MAC/B;KACD,CAAC;IACF,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAC9C,MAAM,OACN;AACD,QAAI,CAAC,KACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,UAAU;KACf,YAAY,KAAK,KAAK,MAAM,IAAI,CAAC;KACjC,aAAa,KAAK,KAAK,MAAM,IAAI,CAAC;KAClC,MAAM,KAAK;KACX,SAAS,KAAK;KACd,YAAY,IAAI,KAAK,KAAK,UAAU,CAAC,aAAa;KAClD;IACD,MAAM,QAAQ;KACb,OAAO,KAAK;KACZ,gBAAgB,KAAK;KACrB;IACD,MAAM,aAAa;KAClB,GAAI,gBAAgB,SAAS,UAAU,GAAG,UAAU,EAAE;KACtD,GAAI,gBAAgB,SAAS,QAAQ,GAAG,QAAQ,EAAE;KAClD;IAED,MAAM,uBAAuB,QAAQ,6BAClC,MAAM,QAAQ,2BACd,MACA,iBACA,OACA,GACA,EAAE;IAEL,MAAM,UAAU;KACf,KAAK,KAAK;KACV,KAAK,UAAU,UAAU;KACpB;KACL,WAAW,IAAI,QAAQ,UACpB,IAAI,KAAK,IAAI,QAAQ,QAAQ,QAAQ,UAAU,CAAC,SAAS,GACzD;KACH,OAAO,MAAM;KACb,KAAK;KACL,GAAG;KACH,GAAG;KACH;IACD,MAAM,iBACL,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,IAC5B,MAAM,wBAAwB;IAEhC,IAAI;AAGJ,QAAI,QAAQ,cAAc;KACzB,MAAM,YAAY,IAAI,QAAQ,UAAU,MAAM;AAC9C,SAAI,CAAC,WAAW;AACf,UAAI,QAAQ,OAAO,MAClB,+JACA;AACD,YAAM,IAAI,SAAS,yBAAyB;OAC3C,mBAAmB;OACnB,OAAO;OACP,CAAC;;AAEH,eAAU,MAAM,YACf;MACC,GAAG;MACH,SAAS;OACR,GAAG,IAAI;OACP,SAAS;QACR,SAAS;SACR,IAAI,qBAAqB,IAAI,OAAO,MAAM;SAC1C,2BAAW,IAAI,KAAK,MAAM,IAAK;SAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;SAC/B,QAAQ,KAAK;SACb,WAAW;SACX,OAAO;SACP,WAAW,IAAI,SAAS,QAAQ,IAAI,kBAAkB;SACtD;QACD;QACA;OACD;MACD,EACD;MACC,GAAG,UAAU;MACb,KAAK;OACJ,GAAG,UAAU,SAAS;OACtB,kBAAkB,KAAK;OACvB,UAAU,UAAU,UAAU;OAC9B,QACC,UAAU,SAAS,KAAK,UACxB,IAAI,QAAQ,QAAQ;OACrB;OACA,qBAAqB;OACrB;MACD,CACD;UAID,WAAU,MAAM,IAAI,QAAQ,QAAQ,CAClC,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,YAAY,IAAI,CAChB,kBAAkB,qBAAqB,CACvC,KAAK,IAAI,aAAa,CAAC,OAAO,OAAO,aAAa,CAAC;AAGtD,WAAO,IAAI,KACV;KACC,cAAc;KACd,YAAY;KACZ,YAAY,KAAK;KACjB,eAAe,gBAAgB,SAAS,iBAAiB,GACtD,eACA;KACH,OAAO,gBAAgB,KAAK,IAAI;KAChC,UAAU,gBAAgB,SAAS,SAAS,GACzC,UACA;KACH,EACD,EACC,SAAS;KACR,iBAAiB;KACjB,QAAQ;KACR,EACD,CACD;KAEF;GACD,gBAAgB,mBACf,oBACA;IACC,QAAQ;IACR,aAAa;IACb,UAAU;KACT,GAAG;KACH,SAAS;MACR,aAAa;MACb,WAAW,EACV,OAAO;OACN,aAAa;OACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,KAAK;UACJ,MAAM;UACN,aAAa;UACb;SACD,OAAO;UACN,MAAM;UACN,QAAQ;UACR,UAAU;UACV,aACC;UACD;SACD,MAAM;UACL,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,SAAS;UACR,MAAM;UACN,QAAQ;UACR,UAAU;UACV,aACC;UACD;SACD,YAAY;UACX,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,aAAa;UACZ,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,gBAAgB;UACf,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD;QACD,UAAU,CAAC,MAAM;QACjB,EACD,EACD;OACD,EACD;MACD;KACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAEH,MAAM,gBAAgB,IAAI,QAAQ,QAAQ,IAAI,gBAAgB;AAC9D,QAAI,CAAC,cACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAEH,MAAM,QAAQ,cAAc,QAAQ,WAAW,GAAG;IAClD,MAAM,cACL,MAAM,IAAI,QAAQ,QAAQ,QAA0B;KACnD,OAAO,UAAU;KACjB,OAAO,CACN;MACC,OAAO;MACP,OAAO;MACP,CACD;KACD,CAAC;AACH,QAAI,CAAC,YACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,QAAI,YAAY,uCAAuB,IAAI,MAAM,CAChD,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,SAAS,MAAM,UAAU,YAAY,UAAU,eAAe;AACpE,QAAI,CAAC,OACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAGH,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAC9C,YAAY,OACZ;AACD,QAAI,CAAC,KACJ,OAAM,IAAI,SAAS,gBAAgB;KAClC,mBAAmB;KACnB,OAAO;KACP,CAAC;IAEH,MAAM,kBAAkB,YAAY,OAAO,MAAM,IAAI;IACrD,MAAM,iBAAiB;KACtB,KAAK,KAAK;KACV,OAAO,gBAAgB,SAAS,QAAQ,GAAG,KAAK,QAAQ;KACxD,MAAM,gBAAgB,SAAS,UAAU,GAAG,KAAK,OAAO;KACxD,SAAS,gBAAgB,SAAS,UAAU,GACzC,KAAK,QACL;KACH,YAAY,gBAAgB,SAAS,UAAU,GAC5C,KAAK,KAAK,MAAM,IAAI,CAAC,KACrB;KACH,aAAa,gBAAgB,SAAS,UAAU,GAC7C,KAAK,KAAK,MAAM,IAAI,CAAC,KACrB;KACH,gBAAgB,gBAAgB,SAAS,QAAQ,GAC9C,KAAK,gBACL;KACH;IACD,MAAM,aAAa,QAAQ,6BACxB,MAAM,QAAQ,2BACd,MACA,iBACA,OACA,GACA;AACH,WAAO,IAAI,KAAK;KACf,GAAG;KACH,GAAG;KACH,CAAC;KAEH;GAgBD,0BAA0B,mBACzB,oBACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,MAAM;SACL,MAAM;SACN,aAAa;SACb;QACD,MAAM;SACL,MAAM;SACN,UAAU;SACV,aAAa;SACb;QACD,UAAU;SACT,MAAM;SACN,sBAAsB;SACtB,UAAU;SACV,aACC;SACD;QACD,UAAU;SACT,MAAM;SACN,aAAa;SACb;QACD,cAAc;SACb,MAAM;SACN,aAAa;SACb;QACD,cAAc;SACb,MAAM;SACN,OAAO;UAAE,MAAM;UAAU,QAAQ;UAAO;SACxC,aAAa;SACb;QACD,MAAM;SACL,MAAM;SACN,aAAa;SACb,MAAM,CAAC,MAAM;SACb;QACD,sBAAsB;SACrB,MAAM;SACN,aACC;SACD,MAAM,CAAC,gBAAgB;SACvB;QACD,UAAU;SACT,MAAM;SACN,aAAa;SACb,MAAM,CAAC,MAAM;SACb;QACD,QAAQ;SACP,MAAM;SACN,UAAU;SACV,aACC;SACD;QACD,WAAW;SACV,MAAM;SACN,QAAQ;SACR,aAAa;SACb;QACD,WAAW;SACV,MAAM;SACN,QAAQ;SACR,aAAa;SACb;QACD;OACD,UAAU;QACT;QACA;QACA;QACA;QACA;QACA;QACA;QACA;QACA;QACA;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI;IACjB,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAG5C,QAAI,CAAC,WAAW,CAAC,QAAQ,+BACxB,OAAM,IAAI,SAAS,gBAAgB;KAClC,OAAO;KACP,mBACC;KACD,CAAC;AAIH,SACE,CAAC,KAAK,eACN,KAAK,YAAY,SAAS,qBAAqB,IAC/C,KAAK,YAAY,SAAS,WAAW,MACrC,CAAC,KAAK,iBAAiB,KAAK,cAAc,WAAW,GAEtD,OAAM,IAAI,SAAS,eAAe;KACjC,OAAO;KACP,mBACC;KACD,CAAC;AAIH,QAAI,KAAK,eAAe,KAAK,gBAAgB;AAC5C,SACC,KAAK,YAAY,SAAS,qBAAqB,IAC/C,CAAC,KAAK,eAAe,SAAS,OAAO,CAErC,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBACC;MACD,CAAC;AAEH,SACC,KAAK,YAAY,SAAS,WAAW,IACrC,CAAC,KAAK,eAAe,SAAS,QAAQ,CAEtC,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBACC;MACD,CAAC;;IAIJ,MAAM,WACL,QAAQ,oBAAoB,IAC5B,qBAAqB,IAAI,OAAO,MAAM;IACvC,MAAM,eACL,QAAQ,wBAAwB,IAChC,qBAAqB,IAAI,OAAO,MAAM;IAEvC,MAAM,qBAAqB,MAAM,kBAAkB,KAAK,aAAa;IAGrE,MAAM,SAAiB,MAAM,IAAI,QAAQ,QAAQ,OAAO;KACvD,OAAO,UAAU;KACjB,MAAM;MACL,MAAM,KAAK;MACX,MAAM,KAAK;MACX,UAAU,KAAK,WAAW,KAAK,UAAU,KAAK,SAAS,GAAG;MAChD;MACV,cAAc;MACd,cAAc,KAAK,cAAc,KAAK,IAAI;MAC1C,MAAM;MACN,sBACC,KAAK,8BAA8B;MACpC,UAAU;MACV,QAAQ,SAAS,QAAQ;MACzB,2BAAW,IAAI,MAAM;MACrB,2BAAW,IAAI,MAAM;MACrB;KACD,CAAC;AAGF,WAAO,IAAI,KACV;KACC,WAAW;KACX,GAAI,OAAO,SAAS,WACjB;MACA,eAAe;MACf,0BAA0B;MAC1B,GACA,EAAE;KACL,qBAAqB,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;KAClD,0BAA0B;KAC1B,eAAe,KAAK;KACpB,4BACC,KAAK,8BAA8B;KACpC,aAAa,KAAK,eAAe,CAAC,qBAAqB;KACvD,gBAAgB,KAAK,kBAAkB,CAAC,OAAO;KAC/C,aAAa,KAAK;KAClB,YAAY,KAAK;KACjB,UAAU,KAAK;KACf,OAAO,KAAK;KACZ,UAAU,KAAK;KACf,SAAS,KAAK;KACd,YAAY,KAAK;KACjB,UAAU,KAAK;KACf,MAAM,KAAK;KACX,aAAa,KAAK;KAClB,kBAAkB,KAAK;KACvB,oBAAoB,KAAK;KACzB,UAAU,KAAK;KACf,EACD;KACC,QAAQ;KACR,SAAS;MACR,iBAAiB;MACjB,QAAQ;MACR;KACD,CACD;KAEF;GACD,gBAAgB,mBACf,sBACA;IACC,QAAQ;IACR,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,UAAU;SACT,MAAM;SACN,aAAa;SACb;QACD,MAAM;SACL,MAAM;SACN,aAAa;SACb;QACD,MAAM;SACL,MAAM;SACN,UAAU;SACV,aAAa;SACb;QACD;OACD,UAAU,CAAC,YAAY,OAAO;OAC9B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OACC,QAKK;IACL,MAAM,SAAS,MAAM,UAAU,IAAI,OAAO,IAAI,eAAe;AAC7D,QAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;KAC/B,mBAAmB;KACnB,OAAO;KACP,CAAC;AAEH,WAAO,IAAI,KAAK;KACf,UAAU,OAAO;KACjB,MAAM,OAAO;KACb,MAAM,OAAO,QAAQ;KACrB,CAAC;KAEH;GAWD,YAAY,mBACX,sBACA;IACC,QAAQ,CAAC,OAAO,OAAO;IACvB,OAAO,EACL,OAAO;KACP,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,aAAa,EAAE,QAAQ,CAAC,UAAU;KAClC,WAAW,EAAE,QAAQ,CAAC,UAAU;KAChC,0BAA0B,EAAE,QAAQ,CAAC,UAAU;KAC/C,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,YAAY,EAAE,QAAQ,CAAC,UAAU;KACjC,CAAC,CACD,UAAU;IACZ,UAAU;KACT,GAAG;KACH,SAAS;MACR,aACC;MACD,YAAY;OACX;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ,EAAE,MAAM,UAAU;QAC1B;OACD;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ,EAAE,MAAM,UAAU;QAC1B;OACD;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ,EAAE,MAAM,UAAU;QAC1B;OACD;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ;SAAE,MAAM;SAAU,QAAQ;SAAO;QACzC;OACD;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ,EAAE,MAAM,UAAU;QAC1B;OACD;QACC,MAAM;QACN,IAAI;QACJ,aACC;QACD,UAAU;QACV,QAAQ,EAAE,MAAM,UAAU;QAC1B;OACD;MACD,WAAW;OACV,OAAO,EACN,aACC,oEACD;OACD,OAAO,EACN,aAAa,iCACb;OACD;MACD;KACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,eAAe,WAAW,0BAA0B,UAC3D,IAAI,SAAS,EAAE;IAEhB,IAAI,oBAAmC;IACvC,IAAI,kBAAiC;AAGrC,QAAI,cACH,KAAI;KACH,MAAM,YAAY,IAAI,QAAQ,UAAU,MAAM;AAC9C,SAAI,aAAa,UAAU,WAAW,SAAS,cAAc;MAE5D,MAAM,WAAW,MAAM,UACtB,eACA,UAAU,QACV;AACD,UAAI,UAAU;AACb,yBAAkB,SAAS;AAC3B,2BAAoB,SAAS,MAC1B,OAAO,SAAS,QAAQ,WACvB,SAAS,MACT,SAAS,IAAI,KACd;;gBAIA,WAAW;MACd,MAAM,SAAS,MAAM,UAAU,WAAW,eAAe;AACzD,UAAI,UAAU,OAAO,aACpB,KAAI;OACH,MAAM,EAAE,YAAY,MAAM,UACzB,eACA,IAAI,aAAa,CAAC,OAAO,OAAO,aAAa,CAC7C;AACD,yBAAkB,QAAQ;AAC1B,2BAAoB,QAAQ;cACrB;;YAMJ;AAEP,SAAI,QAAQ,OAAO,MAClB,yDACA;;AAKH,QAAI,WAAW;AAEd,SAAI,CADW,MAAM,UAAU,WAAW,eAAe,CAExD,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBAAmB;MACnB,CAAC;AAGH,SAAI,qBAAqB,sBAAsB,UAC9C,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBACC;MACD,CAAC;AAEH,yBAAoB;;AAIrB,QAAI,0BAA0B;AAC7B,SAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBACC;MACD,CAAC;KAGH,MAAM,SAAS,MAAM,UAAU,mBAAmB,eAAe;AACjE,SAAI,CAAC,OACJ,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBAAmB;MACnB,CAAC;AAOH,SAAI,CAJuB,OAAO,aAAa,MAC7C,kBAAkB,6BAA6B,cAChD,CAGA,OAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBACC;MACD,CAAC;;IAIJ,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAE5C,QAAI,mBAAmB,SAAS;KAC/B,MAAM,SAAS,mBAAmB,SAAS,KAAK;AAChD,SAAI,OACH,OAAM,IAAI,QAAQ,QAAQ,WAAW;MACpC,OAAO,UAAU;MACjB,OAAO,CAAC;OAAE,OAAO;OAAU,OAAO;OAAQ,CAAC;MAC3C,CAAC;;AAIJ,QAAI,SAAS;AACZ,WAAM,IAAI,QAAQ,gBAAgB,cACjC,QAAQ,QAAQ,MAChB;AACD,kBAAa,KAAK,IAAI,QAAQ,YAAY,aAAa;;AAGxD,QAAI,yBACH,KAAI;KACH,MAAM,cAAc,IAAI,IAAI,yBAAyB;AACrD,SAAI,MACH,aAAY,aAAa,IAAI,SAAS,MAAM;AAE7C,YAAO,IAAI,SAAS,YAAY,UAAU,CAAC;YACpC;AACP,WAAM,IAAI,SAAS,eAAe;MACjC,OAAO;MACP,mBAAmB;MACnB,CAAC;;AAIJ,WAAO,IAAI,KAAK;KACf,SAAS;KACT,SAAS;KACT,CAAC;KAEH;GACD;EACD,QAAQ,YAAY,QAAQ,SAAS,OAAO;EAC5C,IAAI,UAAU;AACb,UAAO;;EAER"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
import * as z from "zod";
|
|
2
|
+
|
|
3
|
+
//#region src/plugins/oidc-provider/schema.d.ts
|
|
4
|
+
declare const oAuthApplicationSchema: z.ZodObject<{
|
|
5
|
+
clientId: z.ZodString;
|
|
6
|
+
clientSecret: z.ZodOptional<z.ZodString>;
|
|
7
|
+
type: z.ZodEnum<{
|
|
8
|
+
public: "public";
|
|
9
|
+
web: "web";
|
|
10
|
+
native: "native";
|
|
11
|
+
"user-agent-based": "user-agent-based";
|
|
12
|
+
}>;
|
|
13
|
+
name: z.ZodString;
|
|
14
|
+
icon: z.ZodOptional<z.ZodString>;
|
|
15
|
+
metadata: z.ZodOptional<z.ZodString>;
|
|
16
|
+
disabled: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
|
|
17
|
+
redirectUrls: z.ZodString;
|
|
18
|
+
userId: z.ZodOptional<z.ZodString>;
|
|
19
|
+
createdAt: z.ZodDate;
|
|
20
|
+
updatedAt: z.ZodDate;
|
|
21
|
+
}, z.core.$strip>;
|
|
22
|
+
type OAuthApplication = z.infer<typeof oAuthApplicationSchema>;
|
|
23
|
+
declare const schema: BetterAuthPluginDBSchema;
|
|
24
|
+
//#endregion
|
|
25
|
+
export { OAuthApplication, schema };
|
|
26
|
+
//# sourceMappingURL=schema.d.mts.map
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
import * as z from "zod";
|
|
2
|
+
|
|
3
|
+
//#region src/plugins/oidc-provider/schema.ts
|
|
4
|
+
z.object({
|
|
5
|
+
clientId: z.string(),
|
|
6
|
+
clientSecret: z.string().optional(),
|
|
7
|
+
type: z.enum([
|
|
8
|
+
"web",
|
|
9
|
+
"native",
|
|
10
|
+
"user-agent-based",
|
|
11
|
+
"public"
|
|
12
|
+
]),
|
|
13
|
+
name: z.string(),
|
|
14
|
+
icon: z.string().optional(),
|
|
15
|
+
metadata: z.string().optional(),
|
|
16
|
+
disabled: z.boolean().optional().default(false),
|
|
17
|
+
redirectUrls: z.string(),
|
|
18
|
+
userId: z.string().optional(),
|
|
19
|
+
createdAt: z.date(),
|
|
20
|
+
updatedAt: z.date()
|
|
21
|
+
});
|
|
22
|
+
const schema = {
|
|
23
|
+
oauthApplication: {
|
|
24
|
+
modelName: "oauthApplication",
|
|
25
|
+
fields: {
|
|
26
|
+
name: { type: "string" },
|
|
27
|
+
icon: {
|
|
28
|
+
type: "string",
|
|
29
|
+
required: false
|
|
30
|
+
},
|
|
31
|
+
metadata: {
|
|
32
|
+
type: "string",
|
|
33
|
+
required: false
|
|
34
|
+
},
|
|
35
|
+
clientId: {
|
|
36
|
+
type: "string",
|
|
37
|
+
unique: true
|
|
38
|
+
},
|
|
39
|
+
clientSecret: {
|
|
40
|
+
type: "string",
|
|
41
|
+
required: false
|
|
42
|
+
},
|
|
43
|
+
redirectUrls: { type: "string" },
|
|
44
|
+
type: { type: "string" },
|
|
45
|
+
disabled: {
|
|
46
|
+
type: "boolean",
|
|
47
|
+
required: false,
|
|
48
|
+
defaultValue: false
|
|
49
|
+
},
|
|
50
|
+
userId: {
|
|
51
|
+
type: "string",
|
|
52
|
+
required: false,
|
|
53
|
+
references: {
|
|
54
|
+
model: "user",
|
|
55
|
+
field: "id",
|
|
56
|
+
onDelete: "cascade"
|
|
57
|
+
},
|
|
58
|
+
index: true
|
|
59
|
+
},
|
|
60
|
+
createdAt: { type: "date" },
|
|
61
|
+
updatedAt: { type: "date" }
|
|
62
|
+
}
|
|
63
|
+
},
|
|
64
|
+
oauthAccessToken: {
|
|
65
|
+
modelName: "oauthAccessToken",
|
|
66
|
+
fields: {
|
|
67
|
+
accessToken: {
|
|
68
|
+
type: "string",
|
|
69
|
+
unique: true
|
|
70
|
+
},
|
|
71
|
+
refreshToken: {
|
|
72
|
+
type: "string",
|
|
73
|
+
unique: true
|
|
74
|
+
},
|
|
75
|
+
accessTokenExpiresAt: { type: "date" },
|
|
76
|
+
refreshTokenExpiresAt: { type: "date" },
|
|
77
|
+
clientId: {
|
|
78
|
+
type: "string",
|
|
79
|
+
references: {
|
|
80
|
+
model: "oauthApplication",
|
|
81
|
+
field: "clientId",
|
|
82
|
+
onDelete: "cascade"
|
|
83
|
+
},
|
|
84
|
+
index: true
|
|
85
|
+
},
|
|
86
|
+
userId: {
|
|
87
|
+
type: "string",
|
|
88
|
+
required: false,
|
|
89
|
+
references: {
|
|
90
|
+
model: "user",
|
|
91
|
+
field: "id",
|
|
92
|
+
onDelete: "cascade"
|
|
93
|
+
},
|
|
94
|
+
index: true
|
|
95
|
+
},
|
|
96
|
+
scopes: { type: "string" },
|
|
97
|
+
createdAt: { type: "date" },
|
|
98
|
+
updatedAt: { type: "date" }
|
|
99
|
+
}
|
|
100
|
+
},
|
|
101
|
+
oauthConsent: {
|
|
102
|
+
modelName: "oauthConsent",
|
|
103
|
+
fields: {
|
|
104
|
+
clientId: {
|
|
105
|
+
type: "string",
|
|
106
|
+
references: {
|
|
107
|
+
model: "oauthApplication",
|
|
108
|
+
field: "clientId",
|
|
109
|
+
onDelete: "cascade"
|
|
110
|
+
},
|
|
111
|
+
index: true
|
|
112
|
+
},
|
|
113
|
+
userId: {
|
|
114
|
+
type: "string",
|
|
115
|
+
references: {
|
|
116
|
+
model: "user",
|
|
117
|
+
field: "id",
|
|
118
|
+
onDelete: "cascade"
|
|
119
|
+
},
|
|
120
|
+
index: true
|
|
121
|
+
},
|
|
122
|
+
scopes: { type: "string" },
|
|
123
|
+
createdAt: { type: "date" },
|
|
124
|
+
updatedAt: { type: "date" },
|
|
125
|
+
consentGiven: { type: "boolean" }
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
};
|
|
129
|
+
|
|
130
|
+
//#endregion
|
|
131
|
+
export { schema };
|
|
132
|
+
//# sourceMappingURL=schema.mjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/schema.ts"],"sourcesContent":["import type { BetterAuthPluginDBSchema } from \"@better-auth/core/db\";\nimport * as z from \"zod\";\n\nconst oAuthApplicationSchema = z.object({\n\t/**\n\t * Client ID\n\t *\n\t * size 32\n\t *\n\t * as described on https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2\n\t */\n\tclientId: z.string(),\n\t/**\n\t * Client Secret\n\t *\n\t * A secret for the client, if required by the authorization server.\n\t * Optional for public clients using PKCE.\n\t *\n\t * size 32\n\t */\n\tclientSecret: z.string().optional(),\n\t/**\n\t * The client type\n\t *\n\t * as described on https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1\n\t *\n\t * - web - A web application\n\t * - native - A mobile application\n\t * - user-agent-based - A user-agent-based application\n\t * - public - A public client (PKCE-enabled, no client_secret)\n\t */\n\ttype: z.enum([\"web\", \"native\", \"user-agent-based\", \"public\"]),\n\t/**\n\t * The name of the client.\n\t */\n\tname: z.string(),\n\t/**\n\t * The icon of the client.\n\t */\n\ticon: z.string().optional(),\n\t/**\n\t * Additional metadata about the client.\n\t */\n\tmetadata: z.string().optional(),\n\t/**\n\t * Whether the client is disabled or not.\n\t */\n\tdisabled: z.boolean().optional().default(false),\n\n\t// Database fields\n\tredirectUrls: z.string(),\n\tuserId: z.string().optional(),\n\tcreatedAt: z.date(),\n\tupdatedAt: z.date(),\n});\n\nexport type OAuthApplication = z.infer<typeof oAuthApplicationSchema>;\n\nexport const schema = {\n\toauthApplication: {\n\t\tmodelName: \"oauthApplication\",\n\t\tfields: {\n\t\t\tname: {\n\t\t\t\ttype: \"string\",\n\t\t\t},\n\t\t\ticon: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tmetadata: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\tunique: true,\n\t\t\t},\n\t\t\tclientSecret: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tredirectUrls: {\n\t\t\t\ttype: \"string\",\n\t\t\t},\n\t\t\ttype: {\n\t\t\t\ttype: \"string\",\n\t\t\t},\n\t\t\tdisabled: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\trequired: false,\n\t\t\t\tdefaultValue: false,\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tonDelete: \"cascade\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tupdatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t},\n\t},\n\toauthAccessToken: {\n\t\tmodelName: \"oauthAccessToken\",\n\t\tfields: {\n\t\t\taccessToken: {\n\t\t\t\ttype: \"string\",\n\t\t\t\tunique: true,\n\t\t\t},\n\t\t\trefreshToken: {\n\t\t\t\ttype: \"string\",\n\t\t\t\tunique: true,\n\t\t\t},\n\t\t\taccessTokenExpiresAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\trefreshTokenExpiresAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthApplication\",\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tonDelete: \"cascade\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tonDelete: \"cascade\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tscopes: {\n\t\t\t\ttype: \"string\",\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tupdatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t},\n\t},\n\toauthConsent: {\n\t\tmodelName: \"oauthConsent\",\n\t\tfields: {\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthApplication\",\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tonDelete: \"cascade\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tonDelete: \"cascade\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tscopes: {\n\t\t\t\ttype: \"string\",\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tupdatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tconsentGiven: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t},\n\t\t},\n\t},\n} satisfies BetterAuthPluginDBSchema;\n"],"mappings":";;;AAG+B,EAAE,OAAO;CAQvC,UAAU,EAAE,QAAQ;CASpB,cAAc,EAAE,QAAQ,CAAC,UAAU;CAWnC,MAAM,EAAE,KAAK;EAAC;EAAO;EAAU;EAAoB;EAAS,CAAC;CAI7D,MAAM,EAAE,QAAQ;CAIhB,MAAM,EAAE,QAAQ,CAAC,UAAU;CAI3B,UAAU,EAAE,QAAQ,CAAC,UAAU;CAI/B,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,QAAQ,MAAM;CAG/C,cAAc,EAAE,QAAQ;CACxB,QAAQ,EAAE,QAAQ,CAAC,UAAU;CAC7B,WAAW,EAAE,MAAM;CACnB,WAAW,EAAE,MAAM;CACnB,CAAC;AAIF,MAAa,SAAS;CACrB,kBAAkB;EACjB,WAAW;EACX,QAAQ;GACP,MAAM,EACL,MAAM,UACN;GACD,MAAM;IACL,MAAM;IACN,UAAU;IACV;GACD,UAAU;IACT,MAAM;IACN,UAAU;IACV;GACD,UAAU;IACT,MAAM;IACN,QAAQ;IACR;GACD,cAAc;IACb,MAAM;IACN,UAAU;IACV;GACD,cAAc,EACb,MAAM,UACN;GACD,MAAM,EACL,MAAM,UACN;GACD,UAAU;IACT,MAAM;IACN,UAAU;IACV,cAAc;IACd;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP,UAAU;KACV;IACD,OAAO;IACP;GACD,WAAW,EACV,MAAM,QACN;GACD,WAAW,EACV,MAAM,QACN;GACD;EACD;CACD,kBAAkB;EACjB,WAAW;EACX,QAAQ;GACP,aAAa;IACZ,MAAM;IACN,QAAQ;IACR;GACD,cAAc;IACb,MAAM;IACN,QAAQ;IACR;GACD,sBAAsB,EACrB,MAAM,QACN;GACD,uBAAuB,EACtB,MAAM,QACN;GACD,UAAU;IACT,MAAM;IACN,YAAY;KACX,OAAO;KACP,OAAO;KACP,UAAU;KACV;IACD,OAAO;IACP;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP,UAAU;KACV;IACD,OAAO;IACP;GACD,QAAQ,EACP,MAAM,UACN;GACD,WAAW,EACV,MAAM,QACN;GACD,WAAW,EACV,MAAM,QACN;GACD;EACD;CACD,cAAc;EACb,WAAW;EACX,QAAQ;GACP,UAAU;IACT,MAAM;IACN,YAAY;KACX,OAAO;KACP,OAAO;KACP,UAAU;KACV;IACD,OAAO;IACP;GACD,QAAQ;IACP,MAAM;IACN,YAAY;KACX,OAAO;KACP,OAAO;KACP,UAAU;KACV;IACD,OAAO;IACP;GACD,QAAQ,EACP,MAAM,UACN;GACD,WAAW,EACV,MAAM,QACN;GACD,WAAW,EACV,MAAM,QACN;GACD,cAAc,EACb,MAAM,WACN;GACD;EACD;CACD"}
|