@holeauth/core 0.0.1-alpha.0

package/dist/flows/index.js

@@ -0,0 +1,835 @@
+import { SignJWT, jwtVerify } from 'jose';
+
+// src/password/index.ts
+var ITER = 1e5;
+var KEYLEN = 32;
+var SALT_LEN = 16;
+function b64(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+function fromB64(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function pbkdf2Hash(password, salt) {
+  const keyMaterial = new TextEncoder().encode(password);
+  const key = await crypto.subtle.importKey("raw", keyMaterial, "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: ITER, hash: "SHA-256" },
+    key,
+    KEYLEN * 8
+  );
+  return new Uint8Array(bits);
+}
+async function tryArgon2() {
+  try {
+    const mod = await import(
+      /* webpackIgnore: true */
+      /* turbopackIgnore: true */
+      /* @vite-ignore */
+      '@node-rs/argon2'
+    ).catch(() => null);
+    return mod ?? null;
+  } catch {
+    return null;
+  }
+}
+async function hash(password) {
+  const argon = await tryArgon2();
+  if (argon) {
+    return argon.hash(password);
+  }
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LEN));
+  const h = await pbkdf2Hash(password, salt);
+  return `pbkdf2-sha256$${ITER}$${b64(salt)}$${b64(h)}`;
+}
+async function verify(password, stored) {
+  if (stored.startsWith("$argon2")) {
+    const argon = await tryArgon2();
+    if (!argon) return false;
+    return argon.verify(stored, password);
+  }
+  const [scheme, iterStr, saltB64, hashB64] = stored.split("$");
+  if (scheme !== "pbkdf2-sha256" || !iterStr || !saltB64 || !hashB64) return false;
+  const salt = fromB64(saltB64);
+  const expected = fromB64(hashB64);
+  const keyMaterial = new TextEncoder().encode(password);
+  const key = await crypto.subtle.importKey("raw", keyMaterial, "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: Number(iterStr), hash: "SHA-256" },
+    key,
+    expected.length * 8
+  );
+  const out = new Uint8Array(bits);
+  if (out.length !== expected.length) return false;
+  let diff = 0;
+  for (let i = 0; i < out.length; i++) diff |= out[i] ^ expected[i];
+  return diff === 0;
+}
+
+// src/errors/index.ts
+var HoleauthError = class extends Error {
+  code;
+  status;
+  constructor(code, message, status = 400) {
+    super(message);
+    this.name = "HoleauthError";
+    this.code = code;
+    this.status = status;
+  }
+};
+var InvalidTokenError = class extends HoleauthError {
+  constructor(message = "Invalid token") {
+    super("INVALID_TOKEN", message, 401);
+  }
+};
+var SessionExpiredError = class extends HoleauthError {
+  constructor(message = "Session expired") {
+    super("SESSION_EXPIRED", message, 401);
+  }
+};
+var CredentialsError = class extends HoleauthError {
+  constructor(message = "Invalid credentials") {
+    super("INVALID_CREDENTIALS", message, 401);
+  }
+};
+var AccountConflictError = class extends HoleauthError {
+  constructor(message = "Account conflict") {
+    super("ACCOUNT_CONFLICT", message, 409);
+  }
+};
+var RefreshReuseError = class extends HoleauthError {
+  constructor(message = "Refresh token reuse detected") {
+    super("REFRESH_REUSE", message, 401);
+  }
+};
+var RegistrationDisabledError = class extends HoleauthError {
+  constructor(message = "Self-registration is disabled") {
+    super("REGISTRATION_DISABLED", message, 403);
+  }
+};
+var NotSupportedError = class extends HoleauthError {
+  constructor(message = "Operation not supported by adapter") {
+    super("NOT_SUPPORTED", message, 501);
+  }
+};
+
+// src/events/emitter.ts
+var busByConfig = /* @__PURE__ */ new WeakMap();
+function getBus(cfg) {
+  let bus = busByConfig.get(cfg);
+  if (!bus) {
+    bus = { byType: /* @__PURE__ */ new Map(), wildcard: /* @__PURE__ */ new Set() };
+    busByConfig.set(cfg, bus);
+  }
+  return bus;
+}
+async function emit(cfg, event) {
+  const withTimestamp = { at: /* @__PURE__ */ new Date(), ...event };
+  await cfg.adapters.auditLog.record(withTimestamp);
+  const bus = getBus(cfg);
+  const typed = bus.byType.get(withTimestamp.type);
+  const fire = (h) => {
+    Promise.resolve().then(() => h(withTimestamp)).catch(() => {
+    });
+  };
+  if (typed) for (const h of typed) fire(h);
+  for (const h of bus.wildcard) fire(h);
+  if (cfg.onEvent) {
+    Promise.resolve().then(() => cfg.onEvent?.(withTimestamp)).catch(() => {
+    });
+  }
+}
+
+// src/flows/register.ts
+async function register(cfg, hooks, input) {
+  if (cfg.registration?.selfServe === false) {
+    throw new RegistrationDisabledError();
+  }
+  const email = input.email.trim().toLowerCase();
+  await hooks.runRegisterBefore({ email, password: input.password, name: input.name ?? null });
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) throw new AccountConflictError("email already registered");
+  const passwordHash = await hash(input.password);
+  const user = await cfg.adapters.user.createUser({
+    email,
+    name: input.name ?? null,
+    passwordHash,
+    emailVerified: null
+  });
+  await emit(cfg, { type: "user.registered", userId: user.id, data: { email } });
+  await hooks.runRegisterAfter(user);
+  return user;
+}
+function toKey(secret) {
+  return typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+}
+async function sign(payload, secret, opts = {}) {
+  const jwt = new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt();
+  if (opts.issuer) jwt.setIssuer(opts.issuer);
+  if (opts.audience) jwt.setAudience(opts.audience);
+  if (opts.subject) jwt.setSubject(opts.subject);
+  if (opts.jti) jwt.setJti(opts.jti);
+  if (opts.expiresIn !== void 0) jwt.setExpirationTime(opts.expiresIn);
+  return jwt.sign(toKey(secret));
+}
+async function verify2(token, secret) {
+  try {
+    const { payload } = await jwtVerify(token, toKey(secret));
+    return payload;
+  } catch (e) {
+    throw new InvalidTokenError(e.message);
+  }
+}
+
+// src/cookies/csrf.ts
+var b64urlChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function generateCsrfToken() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  let out = "";
+  for (const b of bytes) out += b64urlChars[b % 64];
+  return out;
+}
+
+// src/plugins/runner-ref.ts
+var runners = /* @__PURE__ */ new WeakMap();
+var NOOP = {
+  async runRegisterBefore() {
+  },
+  async runRegisterAfter() {
+  },
+  async runSignInBefore() {
+  },
+  async runSignInChallenge() {
+    return null;
+  },
+  async runSignInAfter() {
+  },
+  async runSignOutAfter() {
+  },
+  async runRefreshBefore() {
+  },
+  async runRefreshAfter() {
+  },
+  async runPasswordChangeBefore() {
+  },
+  async runPasswordChangeAfter() {
+  },
+  async runPasswordResetBefore() {
+  },
+  async runPasswordResetAfter() {
+  },
+  async runUserUpdateAfter() {
+  },
+  async runUserDeleteAfter() {
+  },
+  async runSessionIssue() {
+  },
+  async runSessionRotate() {
+  },
+  async runSessionRevoke() {
+  }
+};
+function getHookRunner(cfg) {
+  return runners.get(cfg) ?? NOOP;
+}
+
+// src/session/hash.ts
+async function sha256b64url(input) {
+  const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+  const bytes = new Uint8Array(buf);
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+// src/session/issue.ts
+var ACCESS_DEFAULT = 900;
+var REFRESH_DEFAULT = 2592e3;
+async function issueSession(cfg, input) {
+  const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT;
+  const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT;
+  const now = Math.floor(Date.now() / 1e3);
+  const familyId = input.familyId ?? crypto.randomUUID();
+  const sessionId = crypto.randomUUID();
+  const nonce = crypto.randomUUID();
+  const [accessToken, refreshToken] = await Promise.all([
+    sign(
+      { sid: sessionId, sub: input.userId, fam: familyId, nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${accessTtl}s` }
+    ),
+    sign(
+      { sid: sessionId, sub: input.userId, fam: familyId, typ: "refresh", nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${refreshTtl}s`, jti: nonce }
+    )
+  ]);
+  const refreshTokenHash = await sha256b64url(refreshToken);
+  await cfg.adapters.session.createSession({
+    id: sessionId,
+    userId: input.userId,
+    familyId,
+    refreshTokenHash,
+    expiresAt: new Date((now + refreshTtl) * 1e3),
+    createdAt: /* @__PURE__ */ new Date(),
+    revokedAt: null,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  const csrfToken = generateCsrfToken();
+  await emit(cfg, {
+    type: "session.created",
+    userId: input.userId,
+    sessionId,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null,
+    data: { familyId }
+  });
+  await getHookRunner(cfg).runSessionIssue({ userId: input.userId, sessionId, familyId });
+  return {
+    accessToken,
+    refreshToken,
+    csrfToken,
+    sessionId,
+    familyId,
+    accessExpiresAt: (now + accessTtl) * 1e3,
+    refreshExpiresAt: (now + refreshTtl) * 1e3
+  };
+}
+
+// src/flows/signin.ts
+async function signIn(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runSignInBefore({ email, ip: input.ip, userAgent: input.userAgent });
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user || !user.passwordHash) throw new CredentialsError();
+  const ok = await verify(input.password, user.passwordHash);
+  if (!ok) throw new CredentialsError();
+  const challenge = await hooks.runSignInChallenge(user, {
+    ip: input.ip,
+    userAgent: input.userAgent
+  });
+  if (challenge) {
+    await emit(cfg, {
+      type: "user.signed_in",
+      userId: user.id,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null,
+      data: { stage: "pending", pluginId: challenge.pluginId }
+    });
+    return {
+      kind: "pending",
+      pluginId: challenge.pluginId,
+      userId: user.id,
+      pendingToken: challenge.pendingToken,
+      pendingExpiresAt: challenge.expiresAt,
+      data: challenge.data ?? null
+    };
+  }
+  const tokens = await issueSession(cfg, {
+    userId: user.id,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  await emit(cfg, {
+    type: "user.signed_in",
+    userId: user.id,
+    sessionId: tokens.sessionId,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null,
+    data: { method: "password" }
+  });
+  await hooks.runSignInAfter({ user, tokens, method: "password" });
+  return { kind: "ok", user, tokens };
+}
+async function issuePendingToken(cfg, input) {
+  const ttl = input.ttlSeconds ?? cfg.tokens?.pendingTtl ?? 300;
+  const now = Math.floor(Date.now() / 1e3);
+  const token = await sign(
+    { sub: input.userId, typ: "pending", pid: input.pluginId, ...input.extra ?? {} },
+    cfg.secrets.jwtSecret,
+    { expiresIn: `${ttl}s` }
+  );
+  return { token, expiresAt: (now + ttl) * 1e3 };
+}
+async function verifyPendingToken(cfg, token, expectedPluginId) {
+  const claims = await verify2(
+    token,
+    cfg.secrets.jwtSecret
+  );
+  if (claims.typ !== "pending" || claims.pid !== expectedPluginId || !claims.sub) {
+    throw new CredentialsError("pending token invalid");
+  }
+  const { sub, typ, pid, exp, iat, nbf, jti, ...extra } = claims;
+  return { userId: sub, extra };
+}
+
+// src/session/revoke.ts
+async function revokeSession(cfg, sessionId, userId) {
+  await cfg.adapters.session.deleteSession(sessionId);
+  await emit(cfg, {
+    type: "session.revoked",
+    userId: userId ?? null,
+    sessionId
+  });
+  await getHookRunner(cfg).runSessionRevoke({ userId: userId ?? null, sessionId });
+}
+async function revokeByRefresh(cfg, refreshToken) {
+  try {
+    const p = await verify2(refreshToken, cfg.secrets.jwtSecret);
+    if (p.sid) {
+      await cfg.adapters.session.deleteSession(p.sid);
+      await emit(cfg, { type: "session.revoked", userId: p.sub ?? null, sessionId: p.sid });
+      await getHookRunner(cfg).runSessionRevoke({ userId: p.sub ?? null, sessionId: p.sid });
+    }
+  } catch {
+  }
+}
+async function revokeAllForUser(cfg, userId) {
+  if (cfg.adapters.session.revokeUser) {
+    await cfg.adapters.session.revokeUser(userId);
+    await emit(cfg, { type: "session.revoked", userId, data: { scope: "all" } });
+    await getHookRunner(cfg).runSessionRevoke({ userId, sessionId: null, scope: "all" });
+  }
+}
+
+// src/flows/signout.ts
+async function signOut(cfg, hooks, input) {
+  let userId = null;
+  let sessionId = null;
+  if (input.refreshToken) {
+    await revokeByRefresh(cfg, input.refreshToken);
+  } else if (input.accessToken) {
+    try {
+      const p = await verify2(input.accessToken, cfg.secrets.jwtSecret);
+      if (p.sid) {
+        sessionId = p.sid;
+        userId = p.sub ?? null;
+        await revokeSession(cfg, p.sid, p.sub);
+      }
+    } catch {
+    }
+  }
+  await emit(cfg, {
+    type: "user.signed_out",
+    userId,
+    sessionId
+  });
+  await hooks.runSignOutAfter({ userId, sessionId });
+}
+
+// src/session/rotate.ts
+var ACCESS_DEFAULT2 = 900;
+var REFRESH_DEFAULT2 = 2592e3;
+async function rotateRefresh(cfg, presentedRefresh, meta = {}) {
+  let claims;
+  try {
+    claims = await verify2(presentedRefresh, cfg.secrets.jwtSecret);
+  } catch {
+    throw new InvalidTokenError("refresh token invalid");
+  }
+  if (claims.typ !== "refresh" || !claims.sid || !claims.sub || !claims.fam) {
+    throw new InvalidTokenError("refresh claims malformed");
+  }
+  const presentedHash = await sha256b64url(presentedRefresh);
+  const found = await cfg.adapters.session.getByRefreshHash(presentedHash);
+  if (!found || found.revokedAt) {
+    await cfg.adapters.session.revokeFamily(claims.fam);
+    await emit(cfg, {
+      type: "session.reuse_detected",
+      userId: claims.sub,
+      sessionId: claims.sid,
+      ip: meta.ip ?? null,
+      userAgent: meta.userAgent ?? null,
+      data: { familyId: claims.fam }
+    });
+    throw new RefreshReuseError();
+  }
+  if (found.expiresAt.getTime() < Date.now()) {
+    await cfg.adapters.session.revokeFamily(claims.fam);
+    throw new SessionExpiredError();
+  }
+  const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT2;
+  const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT2;
+  const now = Math.floor(Date.now() / 1e3);
+  const nonce = crypto.randomUUID();
+  const [accessToken, refreshToken] = await Promise.all([
+    sign(
+      { sid: found.id, sub: found.userId, fam: found.familyId, nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${accessTtl}s` }
+    ),
+    sign(
+      { sid: found.id, sub: found.userId, fam: found.familyId, typ: "refresh", nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${refreshTtl}s`, jti: nonce }
+    )
+  ]);
+  const newHash = await sha256b64url(refreshToken);
+  await cfg.adapters.session.rotateRefresh(
+    found.id,
+    newHash,
+    new Date((now + refreshTtl) * 1e3)
+  );
+  await emit(cfg, {
+    type: "session.rotated",
+    userId: found.userId,
+    sessionId: found.id,
+    ip: meta.ip ?? null,
+    userAgent: meta.userAgent ?? null,
+    data: { familyId: found.familyId }
+  });
+  await getHookRunner(cfg).runSessionRotate({
+    userId: found.userId,
+    sessionId: found.id,
+    familyId: found.familyId
+  });
+  return {
+    accessToken,
+    refreshToken,
+    csrfToken: generateCsrfToken(),
+    sessionId: found.id,
+    familyId: found.familyId,
+    accessExpiresAt: (now + accessTtl) * 1e3,
+    refreshExpiresAt: (now + refreshTtl) * 1e3
+  };
+}
+
+// src/flows/refresh.ts
+async function refresh(cfg, hooks, input) {
+  await hooks.runRefreshBefore({ ip: input.ip, userAgent: input.userAgent });
+  const tokens = await rotateRefresh(cfg, input.refreshToken, {
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  let userId = "";
+  try {
+    const p = await verify2(tokens.accessToken, cfg.secrets.jwtSecret);
+    userId = p.sub ?? "";
+  } catch {
+  }
+  await hooks.runRefreshAfter({
+    userId,
+    sessionId: tokens.sessionId,
+    tokens
+  });
+  return tokens;
+}
+
+// src/flows/tx.ts
+async function runInTransaction(cfg, fn) {
+  const tx = cfg.adapters.transaction;
+  if (!tx) return fn();
+  return tx.run(fn);
+}
+
+// src/flows/password-change.ts
+async function changePassword(cfg, hooks, input) {
+  await hooks.runPasswordChangeBefore(input);
+  const user = await cfg.adapters.user.getUserById(input.userId);
+  if (!user || !user.passwordHash) throw new CredentialsError("user has no password");
+  const ok = await verify(input.currentPassword, user.passwordHash);
+  if (!ok) throw new CredentialsError();
+  const passwordHash = await hash(input.newPassword);
+  await runInTransaction(cfg, async () => {
+    await cfg.adapters.user.updateUser(user.id, { passwordHash });
+    if (input.revokeOtherSessions !== false) {
+      await revokeAllForUser(cfg, user.id);
+    }
+  });
+  await emit(cfg, { type: "user.password_changed", userId: user.id });
+  await hooks.runPasswordChangeAfter({ userId: user.id });
+}
+
+// src/utils/base64url.ts
+var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function enc(n) {
+  return ALPHABET.charAt(n & 63);
+}
+function bytesToBase64Url(bytes) {
+  let out = "";
+  let i = 0;
+  for (; i + 3 <= bytes.length; i += 3) {
+    const b0 = bytes[i] ?? 0;
+    const b1 = bytes[i + 1] ?? 0;
+    const b2 = bytes[i + 2] ?? 0;
+    const n = b0 << 16 | b1 << 8 | b2;
+    out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6) + enc(n);
+  }
+  const rem = bytes.length - i;
+  if (rem === 1) {
+    const n = (bytes[i] ?? 0) << 16;
+    out += enc(n >> 18) + enc(n >> 12);
+  } else if (rem === 2) {
+    const n = (bytes[i] ?? 0) << 16 | (bytes[i + 1] ?? 0) << 8;
+    out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6);
+  }
+  return out;
+}
+function randomBase64Url(bytes = 32) {
+  const a = new Uint8Array(bytes);
+  crypto.getRandomValues(a);
+  return bytesToBase64Url(a);
+}
+
+// src/flows/password-reset.ts
+var RESET_TTL_SECONDS = 60 * 30;
+function randomToken(bytes = 32) {
+  return randomBase64Url(bytes);
+}
+function requireVerificationAdapter(cfg) {
+  const v = cfg.adapters.verificationToken;
+  if (!v) {
+    throw new HoleauthError(
+      "VERIFICATION_NOT_CONFIGURED",
+      "passwordReset requires adapters.verificationToken",
+      500
+    );
+  }
+  return v;
+}
+async function requestPasswordReset(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runPasswordResetBefore({ email });
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user) {
+    return {};
+  }
+  const verification = requireVerificationAdapter(cfg);
+  const token = randomToken(32);
+  await verification.create({
+    identifier: email,
+    token,
+    expiresAt: new Date(Date.now() + RESET_TTL_SECONDS * 1e3)
+  });
+  await emit(cfg, {
+    type: "user.password_reset_requested",
+    userId: user.id,
+    data: { email }
+  });
+  await hooks.runPasswordResetAfter({ userId: user.id, stage: "request" });
+  return { token, userId: user.id };
+}
+async function consumePasswordReset(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runPasswordResetBefore({ email, token: input.token, newPassword: input.newPassword });
+  const verification = requireVerificationAdapter(cfg);
+  const row = await verification.consume(email, input.token);
+  if (!row) throw new CredentialsError("reset token invalid");
+  if (row.expiresAt.getTime() < Date.now()) throw new CredentialsError("reset token expired");
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user) throw new CredentialsError();
+  const passwordHash = await hash(input.newPassword);
+  await runInTransaction(cfg, async () => {
+    await cfg.adapters.user.updateUser(user.id, { passwordHash });
+    await revokeAllForUser(cfg, user.id);
+  });
+  await emit(cfg, { type: "user.password_reset", userId: user.id });
+  await hooks.runPasswordResetAfter({ userId: user.id, stage: "consume" });
+}
+
+// src/flows/user-mutation.ts
+async function updateUser(cfg, hooks, userId, patch) {
+  if ("passwordHash" in patch) {
+    throw new CredentialsError("use changePassword to update passwords");
+  }
+  const next = await cfg.adapters.user.updateUser(userId, patch);
+  await emit(cfg, { type: "user.updated", userId, data: { patch: Object.keys(patch) } });
+  await hooks.runUserUpdateAfter({ user: next, patch });
+  return next;
+}
+async function deleteUser(cfg, hooks, userId) {
+  await emit(cfg, { type: "user.delete_requested", userId });
+  await hooks.runUserDeleteAfter({ userId });
+  await runInTransaction(cfg, async () => {
+    await revokeAllForUser(cfg, userId);
+    await cfg.adapters.user.deleteUser(userId);
+  });
+  await emit(cfg, { type: "user.deleted", userId });
+}
+
+// src/flows/invite.ts
+var INVITE_PREFIX = "invite:";
+var TOKEN_TYPE = "invite";
+function requireVerification(cfg) {
+  const v = cfg.adapters.verificationToken;
+  if (!v) {
+    throw new HoleauthError(
+      "VERIFICATION_NOT_CONFIGURED",
+      "invites require adapters.verificationToken",
+      500
+    );
+  }
+  return v;
+}
+function buildIdentifier(email) {
+  const rand = randomBase64Url(9);
+  return `${INVITE_PREFIX}${email}:${rand}`;
+}
+function parseIdentifier(identifier) {
+  if (!identifier.startsWith(INVITE_PREFIX)) return null;
+  const rest = identifier.slice(INVITE_PREFIX.length);
+  const lastColon = rest.lastIndexOf(":");
+  if (lastColon < 0) return null;
+  return { email: rest.slice(0, lastColon) };
+}
+async function createInvite(cfg, _hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  if (!email.includes("@")) {
+    throw new HoleauthError("INVALID_EMAIL", "invalid email", 400);
+  }
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) {
+    throw new AccountConflictError("user with this email already exists");
+  }
+  const ttl = input.ttlSeconds ?? cfg.registration?.inviteTtlSeconds;
+  if (!ttl || ttl <= 0) {
+    throw new HoleauthError(
+      "TTL_REQUIRED",
+      "invite TTL is required (set input.ttlSeconds or config.registration.inviteTtlSeconds)",
+      400
+    );
+  }
+  const verification = requireVerification(cfg);
+  const identifier = buildIdentifier(email);
+  const expSeconds = Math.floor(Date.now() / 1e3) + ttl;
+  const expiresAt = new Date(expSeconds * 1e3);
+  const token = await sign(
+    {
+      sub: email,
+      name: input.name ?? null,
+      gid: input.groupIds ?? [],
+      by: input.invitedBy ?? null,
+      meta: input.metadata ?? null,
+      typ: TOKEN_TYPE
+    },
+    cfg.secrets.jwtSecret,
+    { expiresIn: `${ttl}s`, jti: identifier, subject: email }
+  );
+  const tokenHash = await sha256b64url(token);
+  await verification.create({ identifier, token: tokenHash, expiresAt });
+  const url = cfg.registration?.inviteUrl?.({ token, email }) ?? void 0;
+  await emit(cfg, {
+    type: "user.invited",
+    userId: input.invitedBy ?? null,
+    data: { email, identifier, groupIds: input.groupIds ?? [] }
+  });
+  return { token, url, identifier, expiresAt: expSeconds * 1e3 };
+}
+async function decodeInvite(cfg, token) {
+  const claims = await verify2(token, cfg.secrets.jwtSecret);
+  if (claims.typ !== TOKEN_TYPE) {
+    throw new CredentialsError("not an invite token");
+  }
+  if (!claims.sub || !claims.jti) {
+    throw new CredentialsError("invite token missing claims");
+  }
+  return {
+    email: claims.sub,
+    name: claims.name ?? null,
+    groupIds: claims.gid ?? [],
+    invitedBy: claims.by ?? null,
+    metadata: claims.meta ?? null,
+    expiresAt: (claims.exp ?? 0) * 1e3,
+    identifier: claims.jti
+  };
+}
+async function getInviteInfo(cfg, input) {
+  return decodeInvite(cfg, input.token);
+}
+async function consumeInvite(cfg, hooks, input) {
+  const claims = await decodeInvite(cfg, input.token);
+  const email = claims.email.trim().toLowerCase();
+  const verification = requireVerification(cfg);
+  const tokenHash = await sha256b64url(input.token);
+  const row = await verification.consume(claims.identifier, tokenHash);
+  if (!row) throw new CredentialsError("invite invalid or already used");
+  if (row.expiresAt.getTime() < Date.now()) {
+    throw new CredentialsError("invite expired");
+  }
+  await hooks.runRegisterBefore({
+    email,
+    password: input.password,
+    name: input.name ?? claims.name ?? null
+  });
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) throw new AccountConflictError("email already registered");
+  const passwordHash = await hash(input.password);
+  const user = await cfg.adapters.user.createUser({
+    email,
+    name: input.name ?? claims.name ?? null,
+    passwordHash,
+    emailVerified: /* @__PURE__ */ new Date()
+  });
+  await emit(cfg, { type: "user.registered", userId: user.id, data: { email, via: "invite" } });
+  await emit(cfg, {
+    type: "user.invite_consumed",
+    userId: user.id,
+    data: {
+      email,
+      identifier: claims.identifier,
+      groupIds: claims.groupIds ?? [],
+      invitedBy: claims.invitedBy ?? null,
+      metadata: claims.metadata ?? null
+    }
+  });
+  await hooks.runRegisterAfter(user);
+  let tokens;
+  if (input.autoSignIn) {
+    tokens = await issueSession(cfg, {
+      userId: user.id,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null
+    });
+    await emit(cfg, {
+      type: "user.signed_in",
+      userId: user.id,
+      sessionId: tokens.sessionId,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null,
+      data: { method: "invite" }
+    });
+  }
+  return { user, tokens, groupIds: claims.groupIds ?? [] };
+}
+async function revokeInvite(cfg, input) {
+  const verification = requireVerification(cfg);
+  if (!verification.deleteByIdentifier) {
+    throw new NotSupportedError("verificationToken adapter does not support deleteByIdentifier");
+  }
+  await verification.deleteByIdentifier(input.identifier);
+  await emit(cfg, {
+    type: "user.invite_revoked",
+    data: { identifier: input.identifier }
+  });
+}
+async function listInvites(cfg) {
+  const verification = requireVerification(cfg);
+  if (!verification.listByIdentifierPrefix) {
+    throw new NotSupportedError(
+      "verificationToken adapter does not support listByIdentifierPrefix"
+    );
+  }
+  const rows = await verification.listByIdentifierPrefix(INVITE_PREFIX);
+  const out = [];
+  for (const r of rows) {
+    const parsed = parseIdentifier(r.identifier);
+    if (!parsed) continue;
+    out.push({
+      identifier: r.identifier,
+      email: parsed.email,
+      expiresAt: r.expiresAt.getTime()
+    });
+  }
+  return out;
+}
+
+export { changePassword, consumeInvite, consumePasswordReset, createInvite, deleteUser, getInviteInfo, issuePendingToken, listInvites, refresh, register, requestPasswordReset, revokeInvite, signIn, signOut, updateUser, verifyPendingToken };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map