@happyvertical/smrt-users 0.30.0

package/dist/sveltekit.js

@@ -0,0 +1,978 @@
+import { O as OidcLoginError, h as DEFAULT_SESSION_TTL, X as withSessionPermissionContext, E as TerminalAuthRateLimitError, C as TerminalAuthError, W as resolveOidcProviderConfig, s as OidcLoginService, K as encodeOidcTransaction, V as getUsersOidcConfig, J as decodeOidcTransaction, F as TerminalAuthService, x as SessionService } from "./chunks/TerminalAuthService-DoAMQ_yn.js";
+import { createLogger } from "@happyvertical/logger";
+import { ObjectRegistry } from "@happyvertical/smrt-core";
+import { classnameToTablename } from "@happyvertical/smrt-core/utils";
+import { resolveApiActionSet, methodNameToKebab } from "@happyvertical/smrt-core/vite-plugin";
+const STANDARD_API_ACTIONS = [
+  "list",
+  "get",
+  "create",
+  "update",
+  "delete"
+];
+function createResourceListHandler(options) {
+  const {
+    ensureRegistry,
+    resolveSession = (event) => defaultResolveSession(event, options),
+    commandPolicy = defaultCommandPolicy,
+    resourceSlug = defaultResourceSlug,
+    kebabRoutes = false
+  } = options;
+  return async (event) => {
+    await ensureRegistry();
+    let session;
+    try {
+      session = await resolveSession(event);
+    } catch (error) {
+      if (error instanceof InvalidBearerError) {
+        return jsonResponse$1({ error: error.message }, 401);
+      }
+      throw error;
+    }
+    const resources = [];
+    const skipWarnings = [];
+    const slugSeen = /* @__PURE__ */ new Map();
+    for (const [registeredName, registered] of ObjectRegistry.getAllClasses()) {
+      const def = synthesizeDefinition(
+        registeredName,
+        registered
+      );
+      const cliConfig = def.decoratorConfig.cli;
+      if (!cliConfig) continue;
+      if (!isHttpCliConfig(cliConfig)) continue;
+      if (isCollectionClass(def)) continue;
+      const apiActionSet = resolveApiActionSet(
+        def
+      );
+      const includedMethods = resolveCliIncludedMethods(
+        cliConfig,
+        apiActionSet
+      );
+      if (includedMethods.length === 0) continue;
+      const slug = resourceSlug({
+        className: def.className,
+        collection: def.collection,
+        qualifiedName: def.qualifiedName,
+        packageName: def.packageName
+      });
+      const previous = slugSeen.get(slug);
+      if (previous && previous !== def.qualifiedName) {
+        return jsonResponse$1(
+          {
+            error: "resource-slug-collision",
+            slug,
+            classes: [previous, def.qualifiedName ?? def.className].filter(
+              Boolean
+            )
+          },
+          500
+        );
+      }
+      slugSeen.set(slug, def.qualifiedName ?? def.className);
+      const resourceShell = {
+        slug,
+        className: def.className,
+        qualifiedName: def.qualifiedName,
+        packageName: def.packageName,
+        label: humanLabel(def.className),
+        apiPath: resolveApiPath(def)
+      };
+      const classMeta = {
+        name: def.className,
+        qualifiedName: def.qualifiedName,
+        packageName: def.packageName,
+        decoratorConfig: def.decoratorConfig
+      };
+      const commandNameSeen = /* @__PURE__ */ new Set();
+      const candidates = [];
+      for (const methodName of includedMethods) {
+        const result = buildCommand(def, methodName, kebabRoutes);
+        if (!result.ok) {
+          skipWarnings.push({
+            ref: `${def.className}.${methodName}`,
+            reason: result.reason,
+            candidate: result.candidate,
+            resourceMeta: resourceShell,
+            classMeta
+          });
+          continue;
+        }
+        if (result.command.kind === "custom" && STANDARD_API_ACTIONS.includes(
+          result.command.commandName
+        )) {
+          return jsonResponse$1(
+            {
+              error: "command-name-shadows-crud",
+              className: def.className,
+              methodName,
+              commandName: result.command.commandName
+            },
+            500
+          );
+        }
+        if (commandNameSeen.has(result.command.commandName)) {
+          return jsonResponse$1(
+            {
+              error: "command-name-collision",
+              className: def.className,
+              commandName: result.command.commandName
+            },
+            500
+          );
+        }
+        commandNameSeen.add(result.command.commandName);
+        candidates.push(result.command);
+      }
+      const policyResults = await Promise.all(
+        candidates.map(
+          (candidate) => commandPolicy({
+            resource: resourceShell,
+            command: candidate,
+            session,
+            classMeta
+          })
+        )
+      );
+      const allowed = candidates.filter((_, i) => policyResults[i]);
+      if (allowed.length === 0) continue;
+      resources.push({ ...resourceShell, commands: allowed });
+    }
+    const warnResults = await Promise.all(
+      skipWarnings.map(
+        (w) => commandPolicy({
+          resource: w.resourceMeta,
+          command: w.candidate,
+          session,
+          classMeta: w.classMeta
+        })
+      )
+    );
+    const visibleWarnings = skipWarnings.filter((_, i) => warnResults[i]).map((w) => `${w.ref}: ${w.reason}`);
+    const body = {
+      user: session.user ? { authenticated: true, id: String(session.user.id ?? "") } : { authenticated: false },
+      warnings: visibleWarnings,
+      resources
+    };
+    return jsonResponse$1(body, 200, {
+      "cache-control": "private, no-store"
+    });
+  };
+}
+function synthesizeDefinition(_registeredName, registered) {
+  const methods = {};
+  for (const [name, value] of registered.methods.entries()) {
+    methods[name] = value;
+  }
+  const decoratorConfig = registered.config ?? {};
+  const collection = registered.collection ?? deriveCollectionFromConfig(decoratorConfig) ?? classnameToTablename(registered.name);
+  return {
+    className: registered.name,
+    qualifiedName: registered.qualifiedName,
+    packageName: registered.packageName,
+    collection,
+    decoratorConfig,
+    methods,
+    tools: registered.tools,
+    extends: registered.extends,
+    extendsTypeArg: registered.extendsTypeArg,
+    constructor: registered.constructor
+  };
+}
+function isCollectionClass(def) {
+  if (def.extends === "SmrtCollection") return true;
+  if (def.extendsTypeArg) return true;
+  return ctorChainContains(def.constructor, "SmrtCollection");
+}
+function ctorChainContains(ctor, name, depthCap = 16) {
+  let current = ctor;
+  for (let i = 0; i < depthCap && current; i += 1) {
+    if (current.name === name) return true;
+    const next = Object.getPrototypeOf(current);
+    if (!next || next === current) break;
+    current = next;
+  }
+  return false;
+}
+function deriveCollectionFromConfig(config) {
+  return config?.tableName ?? void 0;
+}
+function resolveCliIncludedMethods(cliConfig, apiActionSet) {
+  if (cliConfig === true) {
+    return STANDARD_API_ACTIONS.filter((a) => apiActionSet.has(a));
+  }
+  if (cliConfig === false) return [];
+  if (typeof cliConfig !== "object" || cliConfig === null) return [];
+  if (Array.isArray(cliConfig)) return [];
+  const obj = cliConfig;
+  if (obj.include !== void 0 && !Array.isArray(obj.include)) return [];
+  if (obj.exclude !== void 0 && !Array.isArray(obj.exclude)) return [];
+  if (obj.mirror !== void 0 && obj.mirror !== "api") return [];
+  const include = obj.include;
+  const exclude = obj.exclude;
+  let candidates;
+  if (obj.mirror === "api") {
+    candidates = [...apiActionSet];
+  } else if (include?.includes("*")) {
+    candidates = [...apiActionSet];
+  } else if (include && include.length > 0) {
+    candidates = include.filter((m) => apiActionSet.has(m));
+  } else {
+    candidates = STANDARD_API_ACTIONS.filter((a) => apiActionSet.has(a));
+  }
+  if (exclude && exclude.length > 0) {
+    const excludeSet = new Set(exclude);
+    candidates = candidates.filter((m) => !excludeSet.has(m));
+  }
+  return candidates;
+}
+function isHttpCliConfig(cliConfig) {
+  if (typeof cliConfig !== "object" || cliConfig === null) return true;
+  if (Array.isArray(cliConfig)) return true;
+  return cliConfig.http !== false;
+}
+function buildCommand(def, methodName, kebabRoutes) {
+  const isCrud = STANDARD_API_ACTIONS.includes(methodName);
+  if (isCrud) {
+    return {
+      ok: true,
+      command: buildCrudCommand(methodName)
+    };
+  }
+  const methodDef = def.methods[methodName];
+  if (!methodDef) {
+    return {
+      ok: true,
+      command: buildCustomCommand(def, methodName, void 0, kebabRoutes)
+    };
+  }
+  const paramCount = methodDef.parameters?.length ?? 0;
+  if (paramCount > 1) {
+    return {
+      ok: false,
+      reason: "multi-arg unsupported (use single-options-object convention)",
+      candidate: buildCustomCommand(def, methodName, methodDef, kebabRoutes)
+    };
+  }
+  const candidate = buildCustomCommand(def, methodName, methodDef, kebabRoutes);
+  if (hasDynamicSegments(candidate.pathSegments)) {
+    return {
+      ok: false,
+      reason: "dynamic-path-params unsupported",
+      candidate
+    };
+  }
+  if (candidate.httpMethod === "DELETE" && candidate.kind === "custom") {
+    const methodHasParams = (methodDef.parameters?.length ?? 0) > 0;
+    if (methodHasParams || hasNonIdParameters(candidate.parameters)) {
+      return {
+        ok: false,
+        reason: "DELETE-with-body unsupported",
+        candidate
+      };
+    }
+  }
+  return { ok: true, command: candidate };
+}
+function buildCrudCommand(name) {
+  const item = name === "get" || name === "update" || name === "delete";
+  const httpMethod = name === "list" || name === "get" ? "GET" : name === "create" ? "POST" : name === "update" ? "PUT" : "DELETE";
+  return {
+    methodName: name,
+    commandName: name,
+    kind: "crud",
+    scope: item ? "item" : "collection",
+    httpMethod,
+    pathSegments: [],
+    description: defaultCrudDescription(name)
+  };
+}
+function buildCustomCommand(def, methodName, methodDef, kebabRoutes) {
+  const apiConfigObj = getApiConfigObject(def.decoratorConfig.api);
+  const routeConfig = apiConfigObj?.routes?.[methodName];
+  const defaultScope = methodDef?.isStatic ? "collection" : "item";
+  const scope = routeConfig?.scope ?? defaultScope;
+  const httpMethod = normalizeApiHttpMethod(routeConfig?.method);
+  let pathSegments;
+  if (routeConfig?.path) {
+    pathSegments = routeConfig.path.split("/").map((s) => s.trim()).filter(Boolean);
+    if (pathSegments.length === 0) pathSegments = [methodName];
+  } else {
+    pathSegments = [kebabRoutes ? methodNameToKebab(methodName) : methodName];
+  }
+  const parameters = resolveParametersSchema(def, methodName);
+  return {
+    methodName,
+    commandName: methodNameToKebab(methodName),
+    kind: "custom",
+    scope,
+    httpMethod,
+    pathSegments,
+    description: methodDef?.description,
+    parameters
+  };
+}
+function resolveParametersSchema(def, methodName, _methodDef) {
+  const tool = def.tools?.find((t) => t.function.name === methodName);
+  if (tool?.function.parameters) {
+    const params = tool.function.parameters;
+    if (hasUsableProperties(params)) return params;
+  }
+  return void 0;
+}
+function hasUsableProperties(schema) {
+  if (!schema || typeof schema !== "object") return false;
+  const props = schema.properties;
+  if (!props || typeof props !== "object") return false;
+  return Object.keys(props).length > 0;
+}
+function normalizeApiHttpMethod(method) {
+  switch (method?.toUpperCase()) {
+    case "GET":
+    case "POST":
+    case "PUT":
+    case "PATCH":
+    case "DELETE":
+      return method.toUpperCase();
+    default:
+      return "POST";
+  }
+}
+function getApiConfigObject(api) {
+  if (typeof api !== "object" || api === null) return void 0;
+  return api;
+}
+function hasDynamicSegments(segments) {
+  return segments.some((s) => /^\[.+\]$/.test(s) || s.startsWith(":"));
+}
+function hasNonIdParameters(parameters) {
+  if (!parameters || typeof parameters !== "object") return false;
+  const props = parameters.properties;
+  if (!props) return false;
+  const keys = Object.keys(props).filter((k) => k !== "id");
+  return keys.length > 0;
+}
+function defaultCrudDescription(name) {
+  switch (name) {
+    case "list":
+      return "List records";
+    case "get":
+      return "Get a record by id";
+    case "create":
+      return "Create a new record";
+    case "update":
+      return "Update an existing record";
+    case "delete":
+      return "Delete a record";
+  }
+}
+function resolveApiPath(def) {
+  return def.collection;
+}
+function defaultResourceSlug(meta) {
+  return meta.collection;
+}
+function humanLabel(className) {
+  return className.replace(/([A-Z]+)([A-Z][a-z])/g, "$1 $2").replace(/([a-z0-9])([A-Z])/g, "$1 $2");
+}
+class InvalidBearerError extends Error {
+  constructor(message = "Invalid or expired bearer token.") {
+    super(message);
+    this.name = "InvalidBearerError";
+  }
+}
+async function defaultResolveSession(event, options) {
+  const locals = event.locals ?? {};
+  if (locals.user) {
+    return {
+      user: locals.user,
+      membership: locals.membership ?? null,
+      permissions: locals.permissions ?? [],
+      tenantId: locals.tenantId ?? null,
+      sessionId: locals.sessionId ?? null
+    };
+  }
+  const bearer = parseBearerToken(event.request.headers.get("authorization"));
+  if (bearer) {
+    const ctx = await loadBearerSessionContext(bearer, options);
+    if (!ctx) {
+      throw new InvalidBearerError();
+    }
+    return {
+      user: ctx.user,
+      membership: ctx.membership ?? null,
+      permissions: ctx.permissions,
+      tenantId: ctx.tenantId,
+      sessionId: ctx.sessionId
+    };
+  }
+  return {
+    user: null,
+    membership: null,
+    permissions: [],
+    tenantId: null,
+    sessionId: null
+  };
+}
+function defaultCommandPolicy(ctx) {
+  return ctx.session.user != null;
+}
+function jsonResponse$1(body, status = 200, extraHeaders = {}) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      ...extraHeaders
+    }
+  });
+}
+const defaultSessionLocals = {
+  user: null,
+  membership: null,
+  permissions: [],
+  tenantId: null,
+  sessionId: null
+};
+const logger = createLogger({ level: "info" });
+function createSessionHandler(options) {
+  const cookieName = options.cookieName ?? "sid";
+  const ttl = options.ttl ?? DEFAULT_SESSION_TTL;
+  const skipPaths = options.skipPaths ?? [];
+  options.cookiePath ?? "/";
+  options.cookieSameSite ?? "lax";
+  let sessionService = null;
+  const getSessionService = async () => {
+    if (!sessionService) {
+      sessionService = await SessionService.create({
+        ...options,
+        defaultTTL: ttl,
+        autoExtend: options.autoExtend ?? false
+      });
+    }
+    return sessionService;
+  };
+  return async ({ event, resolve }) => {
+    event.locals.user = null;
+    event.locals.membership = null;
+    event.locals.permissions = [];
+    event.locals.tenantId = null;
+    event.locals.sessionId = null;
+    if (skipPaths.some((path) => event.url.pathname.startsWith(path))) {
+      return resolve(event);
+    }
+    const sessionId = event.cookies.get(cookieName);
+    if (!sessionId && !options.postgresRls) {
+      return resolve(event);
+    }
+    try {
+      const service = await getSessionService();
+      return await withSessionPermissionContext(
+        {
+          ...options,
+          enterTenantContext: options.enterTenantContext,
+          postgresRls: options.postgresRls,
+          sessionId,
+          sessionService: service
+        },
+        async (context) => {
+          if (context.session) {
+            event.locals.user = context.user;
+            event.locals.membership = context.membership ?? null;
+            event.locals.permissions = context.permissions;
+            event.locals.tenantId = context.tenantId;
+            event.locals.sessionId = context.sessionId;
+          }
+          return resolve(event);
+        }
+      );
+    } catch (error) {
+      logger.error("Session or request context initialization error", {
+        error
+      });
+      if (options.postgresRls) {
+        return new Response("Internal Server Error", { status: 500 });
+      }
+      return resolve(event);
+    }
+  };
+}
+const sessionServiceCache = /* @__PURE__ */ new Map();
+async function getOrCreateSessionService(options, ttl) {
+  const cacheKey = JSON.stringify(options.db);
+  let service = sessionServiceCache.get(cacheKey);
+  if (!service) {
+    service = await SessionService.create({
+      ...options,
+      defaultTTL: ttl
+    });
+    sessionServiceCache.set(cacheKey, service);
+  }
+  return service;
+}
+async function createSessionCookie(event, userId, tenantId, options) {
+  const cookieName = options.cookieName ?? "sid";
+  const ttl = options.ttl ?? DEFAULT_SESSION_TTL;
+  const cookiePath = options.cookiePath ?? "/";
+  const cookieSameSite = options.cookieSameSite ?? "lax";
+  const cookieSecure = options.cookieSecure ?? event.url.protocol === "https:";
+  const service = await getOrCreateSessionService(options, ttl);
+  const sessionId = await service.createSession(userId, tenantId, {
+    ttl,
+    userAgent: options.userAgent,
+    ipAddress: options.ipAddress,
+    data: options.data
+  });
+  event.cookies.set(cookieName, sessionId, {
+    path: cookiePath,
+    httpOnly: true,
+    secure: cookieSecure,
+    sameSite: cookieSameSite,
+    maxAge: ttl
+  });
+  return sessionId;
+}
+async function destroySessionCookie(event, options) {
+  const cookieName = options.cookieName ?? "sid";
+  const cookiePath = options.cookiePath ?? "/";
+  const ttl = options.ttl ?? DEFAULT_SESSION_TTL;
+  const sessionId = event.cookies.get(cookieName);
+  if (sessionId) {
+    try {
+      const service = await getOrCreateSessionService(options, ttl);
+      await service.destroySession(sessionId);
+    } catch (error) {
+      logger.error("Session destruction error", { error });
+    }
+  }
+  event.cookies.delete(cookieName, { path: cookiePath });
+}
+async function switchSessionTenant(event, tenantId, options) {
+  const cookieName = options.cookieName ?? "sid";
+  const ttl = options.ttl ?? DEFAULT_SESSION_TTL;
+  const sessionId = event.cookies.get(cookieName);
+  if (!sessionId) return false;
+  const service = await getOrCreateSessionService(options, ttl);
+  return service.switchTenant(sessionId, tenantId);
+}
+function getOidcProviderName(event, options) {
+  if (typeof options.provider === "function") {
+    return options.provider(event);
+  }
+  return options.provider ?? event.params?.provider ?? options.defaultProvider;
+}
+function getOidcTransactionCookieName(providerName, options) {
+  const prefix = options.transactionCookiePrefix ?? "smrt_oidc";
+  const safeProvider = providerName.replace(/[^a-z0-9_-]/giu, "_");
+  return `${prefix}_${safeProvider}`;
+}
+function useSecureCookie(event, explicit) {
+  return explicit ?? event.url.protocol === "https:";
+}
+function resolveCallbackPath(providerName, options) {
+  if (typeof options.callbackPath === "function") {
+    return options.callbackPath(providerName);
+  }
+  return options.callbackPath ?? `/auth/${providerName}/callback`;
+}
+function resolveProviderWithRedirectUri(event, providerName, provider, options) {
+  return {
+    ...provider,
+    redirectUri: provider.redirectUri ?? new URL(
+      resolveCallbackPath(providerName, options),
+      event.url.origin
+    ).toString()
+  };
+}
+function createOidcService(event, options) {
+  const providerName = getOidcProviderName(event, options);
+  const resolved = resolveOidcProviderConfig(providerName, options);
+  const provider = resolveProviderWithRedirectUri(
+    event,
+    resolved.providerName,
+    resolved.provider,
+    options
+  );
+  return new OidcLoginService({
+    ...options,
+    provider,
+    providerName: resolved.providerName
+  });
+}
+function getReturnTo(event, options) {
+  const param = options.returnToParam ?? "returnTo";
+  return getLocalReturnTo(event.url.searchParams.get(param));
+}
+function getLocalReturnTo(returnTo) {
+  if (!returnTo) return void 0;
+  if (returnTo.startsWith("/") && !returnTo.startsWith("//")) {
+    return returnTo;
+  }
+  return void 0;
+}
+function getTransactionCookieSameSite(event, options) {
+  if (options.transactionCookieSameSite) {
+    return options.transactionCookieSameSite;
+  }
+  return useSecureCookie(event, options.transactionCookieSecure) ? "none" : "lax";
+}
+function getTransactionCookieSecret(provider, options) {
+  const secret = options.transactionCookieSecret ?? provider.clientSecret;
+  return secret && secret.length > 0 ? secret : void 0;
+}
+function bytesToBase64Url(bytes) {
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/u, "");
+}
+async function signTransactionPayload(payload, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { hash: "SHA-256", name: "HMAC" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(payload)
+  );
+  return bytesToBase64Url(new Uint8Array(signature));
+}
+function timingSafeEqual(left, right) {
+  const leftBytes = new TextEncoder().encode(left);
+  const rightBytes = new TextEncoder().encode(right);
+  let diff = leftBytes.length ^ rightBytes.length;
+  const length = Math.max(leftBytes.length, rightBytes.length);
+  for (let index = 0; index < length; index += 1) {
+    diff |= (leftBytes[index] ?? 0) ^ (rightBytes[index] ?? 0);
+  }
+  return diff === 0;
+}
+async function encodeOidcTransactionCookie(transaction, secret) {
+  const payload = encodeOidcTransaction(transaction);
+  if (!secret) return payload;
+  const signature = await signTransactionPayload(payload, secret);
+  return `${payload}.${signature}`;
+}
+async function decodeOidcTransactionCookie(value, secret) {
+  if (!secret) return decodeOidcTransaction(value);
+  const separatorIndex = value.lastIndexOf(".");
+  if (separatorIndex < 0) {
+    throw new OidcLoginError("Invalid OIDC login transaction signature.");
+  }
+  const payload = value.slice(0, separatorIndex);
+  const signature = value.slice(separatorIndex + 1);
+  const expectedSignature = await signTransactionPayload(payload, secret);
+  if (!timingSafeEqual(signature, expectedSignature)) {
+    throw new OidcLoginError("Invalid OIDC login transaction signature.");
+  }
+  return decodeOidcTransaction(payload);
+}
+function getTransactionTtl(options) {
+  return options.transactionTtl ?? getUsersOidcConfig().transactionTtl ?? 10 * 60;
+}
+async function resolveTenantId(result, event, options) {
+  if (typeof options.tenantId === "function") {
+    return options.tenantId(result, event);
+  }
+  return options.tenantId;
+}
+function redirectResponse(location) {
+  return new Response(null, {
+    headers: { location: location.toString() },
+    status: 303
+  });
+}
+function failureResponse(error) {
+  const message = error instanceof Error ? error.message : "OIDC login failed.";
+  return new Response(message, {
+    status: 401,
+    headers: {
+      "content-type": "text/plain; charset=utf-8"
+    }
+  });
+}
+function resolveSuccessRedirect(result, event, options) {
+  if (typeof options.successRedirect === "function") {
+    return options.successRedirect(result, event);
+  }
+  return options.successRedirect ?? result.returnTo ?? "/";
+}
+function resolveFailureRedirect(error, event, options) {
+  if (!options.failureRedirect) return void 0;
+  if (typeof options.failureRedirect === "function") {
+    return options.failureRedirect(error, event);
+  }
+  return options.failureRedirect;
+}
+async function beginOidcLogin(event, options) {
+  const service = createOidcService(event, options);
+  const transaction = service.createTransaction(getReturnTo(event, options));
+  const result = await service.createAuthorizationUrl({ transaction });
+  event.cookies.set(
+    getOidcTransactionCookieName(service.providerName, options),
+    await encodeOidcTransactionCookie(
+      transaction,
+      getTransactionCookieSecret(service.provider, options)
+    ),
+    {
+      httpOnly: true,
+      maxAge: getTransactionTtl(options),
+      path: options.transactionCookiePath ?? "/",
+      sameSite: getTransactionCookieSameSite(event, options),
+      secure: useSecureCookie(event, options.transactionCookieSecure)
+    }
+  );
+  return {
+    providerName: service.providerName,
+    transaction,
+    url: result.url
+  };
+}
+async function completeOidcLogin(event, options) {
+  const service = createOidcService(event, options);
+  const cookieName = getOidcTransactionCookieName(
+    service.providerName,
+    options
+  );
+  const cookiePath = options.transactionCookiePath ?? "/";
+  try {
+    const rawTransaction = event.cookies.get(cookieName);
+    if (!rawTransaction) {
+      throw new OidcLoginError("Missing OIDC login transaction cookie.");
+    }
+    const decodedTransaction = await decodeOidcTransactionCookie(
+      rawTransaction,
+      getTransactionCookieSecret(service.provider, options)
+    );
+    const transaction = {
+      ...decodedTransaction,
+      returnTo: getLocalReturnTo(decodedTransaction.returnTo)
+    };
+    const ttl = getTransactionTtl(options);
+    if (Date.now() - transaction.createdAt > ttl * 1e3) {
+      throw new OidcLoginError("OIDC login transaction has expired.");
+    }
+    const result = await service.completeLogin(event.url, transaction);
+    const tenantId = await resolveTenantId(result, event, options);
+    const sessionId = await createSessionCookie(
+      event,
+      result.user.id,
+      tenantId ?? void 0,
+      {
+        ...options,
+        cookieName: options.sessionCookieName,
+        cookiePath: options.sessionCookiePath,
+        cookieSameSite: options.sessionCookieSameSite,
+        cookieSecure: useSecureCookie(event, options.sessionCookieSecure),
+        data: {
+          oidcIssuer: result.claims.iss,
+          oidcProvider: service.providerName
+        },
+        ipAddress: event.getClientAddress?.(),
+        ttl: options.sessionTtl,
+        userAgent: event.request.headers.get("user-agent") ?? void 0
+      }
+    );
+    return {
+      ...result,
+      providerName: service.providerName,
+      returnTo: transaction.returnTo,
+      sessionId
+    };
+  } finally {
+    event.cookies.delete(cookieName, { path: cookiePath });
+  }
+}
+function createOidcLoginHandler(options) {
+  return async (event) => {
+    const { url } = await beginOidcLogin(event, options);
+    return redirectResponse(url);
+  };
+}
+function createOidcCallbackHandler(options) {
+  return async (event) => {
+    try {
+      const result = await completeOidcLogin(event, options);
+      const redirectTo = await resolveSuccessRedirect(result, event, options);
+      return redirectResponse(redirectTo);
+    } catch (error) {
+      const failureRedirect = resolveFailureRedirect(error, event, options);
+      if (failureRedirect) return redirectResponse(failureRedirect);
+      return failureResponse(error);
+    }
+  };
+}
+const terminalAuthServiceCache = /* @__PURE__ */ new Map();
+function terminalAuthCacheKey(options) {
+  return JSON.stringify({
+    db: options.db,
+    cookie: options.sessionCookieName,
+    prefix: options.userCodePrefix,
+    reqTtl: options.requestTtlSeconds,
+    sessTtl: options.sessionTtlSeconds,
+    poll: options.pollIntervalSeconds,
+    path: options.verificationPath,
+    autoExtend: options.sessionAutoExtend,
+    maxAttempts: options.maxApproveAttempts,
+    attemptWindow: options.approveAttemptWindowSeconds
+  });
+}
+async function getOrCreateTerminalAuthService(options) {
+  const key = terminalAuthCacheKey(options);
+  let service = terminalAuthServiceCache.get(key);
+  if (!service) {
+    service = await TerminalAuthService.create(options);
+    terminalAuthServiceCache.set(key, service);
+  }
+  return service;
+}
+function parseBearerToken(authorization) {
+  const match = authorization?.match(/^Bearer\s+(.+)$/iu);
+  return match?.[1]?.trim() || null;
+}
+function createTerminalAuthStartHandler(options) {
+  return async (event) => {
+    const service = await getOrCreateTerminalAuthService(options);
+    const origin = typeof options.verificationOrigin === "function" ? options.verificationOrigin(event) : options.verificationOrigin ?? event.url.origin;
+    const result = await service.createRequest(origin);
+    return jsonResponse(result, 201);
+  };
+}
+function createTerminalAuthTokenHandler(options) {
+  return async (event) => {
+    const body = await event.request.json().catch(() => null);
+    const deviceCode = typeof body?.deviceCode === "string" ? body.deviceCode.trim() : "";
+    if (!deviceCode) {
+      return jsonResponse({ error: "deviceCode is required." }, 400);
+    }
+    const service = await getOrCreateTerminalAuthService(options);
+    const result = await service.exchangeDeviceCode(deviceCode);
+    return jsonResponse(result);
+  };
+}
+function createBearerSessionDeleteHandler(options) {
+  return async (event) => {
+    const token = parseBearerToken(event.request.headers.get("authorization"));
+    if (token) {
+      try {
+        const service = await getOrCreateTerminalAuthService(options);
+        await service.destroyBearerSession(token);
+      } catch (error) {
+        logger.error("Terminal bearer session revocation error", { error });
+      }
+    }
+    return jsonResponse({ authenticated: false });
+  };
+}
+async function loadBearerSessionContext(token, options) {
+  const service = await getOrCreateTerminalAuthService(options);
+  return service.loadBearerSession(token);
+}
+function mountTerminalLoginPage(options) {
+  const codeParam = options.codeQueryParam ?? "code";
+  return {
+    load: async (event) => {
+      const userCode = event.url.searchParams.get(codeParam)?.trim().toUpperCase() ?? "";
+      let requestStatus = null;
+      if (userCode) {
+        const service = await getOrCreateTerminalAuthService(options);
+        const request = await service.getRequestForUserCode(userCode);
+        requestStatus = request?.status ?? null;
+      }
+      return { requestStatus, userCode };
+    },
+    approve: async (event) => {
+      const formData = await event.request.formData();
+      const userCode = formData.get("userCode")?.toString().trim().toUpperCase() ?? "";
+      if (!userCode) {
+        return {
+          type: "failure",
+          status: 400,
+          data: {
+            status: 400,
+            error: "Enter a terminal login code.",
+            userCode
+          }
+        };
+      }
+      const user = options.resolveUser(event);
+      const tenantId = options.resolveTenantId(event);
+      if (!user?.id) {
+        return {
+          type: "failure",
+          status: 401,
+          data: {
+            status: 401,
+            error: "Sign in before approving terminal access.",
+            userCode
+          }
+        };
+      }
+      try {
+        const service = await getOrCreateTerminalAuthService(options);
+        const approveInput = {
+          ipAddress: event.getClientAddress?.(),
+          tenantId: tenantId ?? null,
+          user: {
+            email: user.email ?? "",
+            id: user.id
+          },
+          userAgent: event.request.headers.get("user-agent") ?? void 0,
+          userCode
+        };
+        const request = await service.approveRequest(approveInput);
+        return {
+          approved: true,
+          requestStatus: request.status,
+          userCode
+        };
+      } catch (error) {
+        if (error instanceof TerminalAuthRateLimitError) {
+          return {
+            type: "failure",
+            status: 429,
+            data: { status: 429, error: error.message, userCode }
+          };
+        }
+        const message = error instanceof TerminalAuthError ? error.message : error instanceof Error ? error.message : "Unable to approve terminal login.";
+        return {
+          type: "failure",
+          status: 400,
+          data: { status: 400, error: message, userCode }
+        };
+      }
+    }
+  };
+}
+function jsonResponse(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "content-type": "application/json" }
+  });
+}
+export {
+  InvalidBearerError,
+  TerminalAuthError,
+  TerminalAuthRateLimitError,
+  TerminalAuthService,
+  beginOidcLogin,
+  completeOidcLogin,
+  createBearerSessionDeleteHandler,
+  createOidcCallbackHandler,
+  createOidcLoginHandler,
+  createResourceListHandler,
+  createSessionCookie,
+  createSessionHandler,
+  createTerminalAuthStartHandler,
+  createTerminalAuthTokenHandler,
+  defaultSessionLocals,
+  destroySessionCookie,
+  loadBearerSessionContext,
+  mountTerminalLoginPage,
+  parseBearerToken,
+  switchSessionTenant
+};
+//# sourceMappingURL=sveltekit.js.map