npm - @holeauth/core - Versions diffs - 0.0.1-alpha.0 - Mend

@holeauth/core 0.0.1-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/LICENSE +21 -0
package/README.md +5 -0
package/cjs-error.cjs +8 -0
package/dist/adapters/index.d.ts +1 -0
package/dist/adapters/index.js +3 -0
package/dist/adapters/index.js.map +1 -0
package/dist/cookies/index.d.ts +3 -0
package/dist/cookies/index.js +74 -0
package/dist/cookies/index.js.map +1 -0
package/dist/errors/index.d.ts +40 -0
package/dist/errors/index.js +70 -0
package/dist/errors/index.js.map +1 -0
package/dist/events/index.d.ts +3 -0
package/dist/events/index.js +52 -0
package/dist/events/index.js.map +1 -0
package/dist/flows/index.d.ts +4 -0
package/dist/flows/index.js +835 -0
package/dist/flows/index.js.map +1 -0
package/dist/index-BIXESLma.d.ts +58 -0
package/dist/index-BYtkmk9_.d.ts +18 -0
package/dist/index-BbEXbI_k.d.ts +116 -0
package/dist/index-BmYQquGs.d.ts +563 -0
package/dist/index-BwEvEa8-.d.ts +20 -0
package/dist/index-CHS-socJ.d.ts +97 -0
package/dist/index-CNtnPdzk.d.ts +136 -0
package/dist/index-CjEXpqaW.d.ts +22 -0
package/dist/index-CotvcK_b.d.ts +42 -0
package/dist/index-D57PvFMN.d.ts +105 -0
package/dist/index-DRN-5E_H.d.ts +26 -0
package/dist/index.d.ts +39 -0
package/dist/index.js +1757 -0
package/dist/index.js.map +1 -0
package/dist/jwt/index.d.ts +2 -0
package/dist/jwt/index.js +53 -0
package/dist/jwt/index.js.map +1 -0
package/dist/otp/index.d.ts +1 -0
package/dist/otp/index.js +16 -0
package/dist/otp/index.js.map +1 -0
package/dist/password/index.d.ts +1 -0
package/dist/password/index.js +75 -0
package/dist/password/index.js.map +1 -0
package/dist/plugins/index.d.ts +4 -0
package/dist/plugins/index.js +480 -0
package/dist/plugins/index.js.map +1 -0
package/dist/registry-CZhM1tEB.d.ts +101 -0
package/dist/session/index.d.ts +3 -0
package/dist/session/index.js +346 -0
package/dist/session/index.js.map +1 -0
package/dist/sso/index.d.ts +3 -0
package/dist/sso/index.js +475 -0
package/dist/sso/index.js.map +1 -0
package/package.json +121 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1757 @@
+import { SignJWT, jwtVerify, decodeJwt } from 'jose';
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/errors/index.ts
+var HoleauthError = class extends Error {
+  code;
+  status;
+  constructor(code, message, status = 400) {
+    super(message);
+    this.name = "HoleauthError";
+    this.code = code;
+    this.status = status;
+  }
+};
+var InvalidTokenError = class extends HoleauthError {
+  constructor(message = "Invalid token") {
+    super("INVALID_TOKEN", message, 401);
+  }
+};
+var SessionExpiredError = class extends HoleauthError {
+  constructor(message = "Session expired") {
+    super("SESSION_EXPIRED", message, 401);
+  }
+};
+var AdapterError = class extends HoleauthError {
+  constructor(message = "Adapter error") {
+    super("ADAPTER_ERROR", message, 500);
+  }
+};
+var ProviderError = class extends HoleauthError {
+  constructor(message = "Provider error") {
+    super("PROVIDER_ERROR", message, 502);
+  }
+};
+var CsrfError = class extends HoleauthError {
+  constructor(message = "CSRF validation failed") {
+    super("CSRF_FAILED", message, 403);
+  }
+};
+var CredentialsError = class extends HoleauthError {
+  constructor(message = "Invalid credentials") {
+    super("INVALID_CREDENTIALS", message, 401);
+  }
+};
+var AccountConflictError = class extends HoleauthError {
+  constructor(message = "Account conflict") {
+    super("ACCOUNT_CONFLICT", message, 409);
+  }
+};
+var RefreshReuseError = class extends HoleauthError {
+  constructor(message = "Refresh token reuse detected") {
+    super("REFRESH_REUSE", message, 401);
+  }
+};
+var PendingChallengeError = class extends HoleauthError {
+  constructor(message = "Pending challenge required") {
+    super("PENDING_CHALLENGE", message, 401);
+  }
+};
+var RegistrationDisabledError = class extends HoleauthError {
+  constructor(message = "Self-registration is disabled") {
+    super("REGISTRATION_DISABLED", message, 403);
+  }
+};
+var NotSupportedError = class extends HoleauthError {
+  constructor(message = "Operation not supported by adapter") {
+    super("NOT_SUPPORTED", message, 501);
+  }
+};
+// src/jwt/index.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decode: () => decode,
+  sign: () => sign,
+  verify: () => verify
+});
+function toKey(secret) {
+  return typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+}
+async function sign(payload, secret, opts = {}) {
+  const jwt = new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt();
+  if (opts.issuer) jwt.setIssuer(opts.issuer);
+  if (opts.audience) jwt.setAudience(opts.audience);
+  if (opts.subject) jwt.setSubject(opts.subject);
+  if (opts.jti) jwt.setJti(opts.jti);
+  if (opts.expiresIn !== void 0) jwt.setExpirationTime(opts.expiresIn);
+  return jwt.sign(toKey(secret));
+}
+async function verify(token, secret) {
+  try {
+    const { payload } = await jwtVerify(token, toKey(secret));
+    return payload;
+  } catch (e) {
+    throw new InvalidTokenError(e.message);
+  }
+}
+function decode(token) {
+  try {
+    return decodeJwt(token);
+  } catch (e) {
+    throw new InvalidTokenError(e.message);
+  }
+}
+// src/session/index.ts
+var session_exports = {};
+__export(session_exports, {
+  getSessionOrRefresh: () => getSessionOrRefresh,
+  issueSession: () => issueSession,
+  revokeAllForUser: () => revokeAllForUser,
+  revokeByRefresh: () => revokeByRefresh,
+  revokeSession: () => revokeSession,
+  rotateRefresh: () => rotateRefresh,
+  sha256b64url: () => sha256b64url,
+  validateSession: () => validateSession
+});
+// src/cookies/csrf.ts
+var b64urlChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function generateCsrfToken() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  let out = "";
+  for (const b of bytes) out += b64urlChars[b % 64];
+  return out;
+}
+function verifyCsrf(cookieValue, headerValue) {
+  if (!cookieValue || !headerValue) return false;
+  if (cookieValue.length !== headerValue.length) return false;
+  let diff = 0;
+  for (let i = 0; i < cookieValue.length; i++) {
+    diff |= cookieValue.charCodeAt(i) ^ headerValue.charCodeAt(i);
+  }
+  return diff === 0;
+}
+var CSRF_HEADER = "x-csrf-token";
+// src/events/emitter.ts
+var busByConfig = /* @__PURE__ */ new WeakMap();
+function getBus(cfg) {
+  let bus = busByConfig.get(cfg);
+  if (!bus) {
+    bus = { byType: /* @__PURE__ */ new Map(), wildcard: /* @__PURE__ */ new Set() };
+    busByConfig.set(cfg, bus);
+  }
+  return bus;
+}
+function subscribe(cfg, type, handler) {
+  const bus = getBus(cfg);
+  if (type === "*") {
+    bus.wildcard.add(handler);
+    return () => bus.wildcard.delete(handler);
+  }
+  let set = bus.byType.get(type);
+  if (!set) {
+    set = /* @__PURE__ */ new Set();
+    bus.byType.set(type, set);
+  }
+  set.add(handler);
+  return () => set.delete(handler);
+}
+function unsubscribe(cfg, type, handler) {
+  const bus = getBus(cfg);
+  if (type === "*") {
+    bus.wildcard.delete(handler);
+    return;
+  }
+  bus.byType.get(type)?.delete(handler);
+}
+async function emit(cfg, event) {
+  const withTimestamp = { at: /* @__PURE__ */ new Date(), ...event };
+  await cfg.adapters.auditLog.record(withTimestamp);
+  const bus = getBus(cfg);
+  const typed = bus.byType.get(withTimestamp.type);
+  const fire = (h) => {
+    Promise.resolve().then(() => h(withTimestamp)).catch(() => {
+    });
+  };
+  if (typed) for (const h of typed) fire(h);
+  for (const h of bus.wildcard) fire(h);
+  if (cfg.onEvent) {
+    Promise.resolve().then(() => cfg.onEvent?.(withTimestamp)).catch(() => {
+    });
+  }
+}
+// src/plugins/runner-ref.ts
+var runners = /* @__PURE__ */ new WeakMap();
+function attachHookRunner(cfg, runner) {
+  runners.set(cfg, runner);
+}
+var NOOP = {
+  async runRegisterBefore() {
+  },
+  async runRegisterAfter() {
+  },
+  async runSignInBefore() {
+  },
+  async runSignInChallenge() {
+    return null;
+  },
+  async runSignInAfter() {
+  },
+  async runSignOutAfter() {
+  },
+  async runRefreshBefore() {
+  },
+  async runRefreshAfter() {
+  },
+  async runPasswordChangeBefore() {
+  },
+  async runPasswordChangeAfter() {
+  },
+  async runPasswordResetBefore() {
+  },
+  async runPasswordResetAfter() {
+  },
+  async runUserUpdateAfter() {
+  },
+  async runUserDeleteAfter() {
+  },
+  async runSessionIssue() {
+  },
+  async runSessionRotate() {
+  },
+  async runSessionRevoke() {
+  }
+};
+function getHookRunner(cfg) {
+  return runners.get(cfg) ?? NOOP;
+}
+// src/session/hash.ts
+async function sha256b64url(input) {
+  const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+  const bytes = new Uint8Array(buf);
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// src/session/issue.ts
+var ACCESS_DEFAULT = 900;
+var REFRESH_DEFAULT = 2592e3;
+async function issueSession(cfg, input) {
+  const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT;
+  const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT;
+  const now = Math.floor(Date.now() / 1e3);
+  const familyId = input.familyId ?? crypto.randomUUID();
+  const sessionId = crypto.randomUUID();
+  const nonce = crypto.randomUUID();
+  const [accessToken, refreshToken] = await Promise.all([
+    sign(
+      { sid: sessionId, sub: input.userId, fam: familyId, nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${accessTtl}s` }
+    ),
+    sign(
+      { sid: sessionId, sub: input.userId, fam: familyId, typ: "refresh", nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${refreshTtl}s`, jti: nonce }
+    )
+  ]);
+  const refreshTokenHash = await sha256b64url(refreshToken);
+  await cfg.adapters.session.createSession({
+    id: sessionId,
+    userId: input.userId,
+    familyId,
+    refreshTokenHash,
+    expiresAt: new Date((now + refreshTtl) * 1e3),
+    createdAt: /* @__PURE__ */ new Date(),
+    revokedAt: null,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  const csrfToken = generateCsrfToken();
+  await emit(cfg, {
+    type: "session.created",
+    userId: input.userId,
+    sessionId,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null,
+    data: { familyId }
+  });
+  await getHookRunner(cfg).runSessionIssue({ userId: input.userId, sessionId, familyId });
+  return {
+    accessToken,
+    refreshToken,
+    csrfToken,
+    sessionId,
+    familyId,
+    accessExpiresAt: (now + accessTtl) * 1e3,
+    refreshExpiresAt: (now + refreshTtl) * 1e3
+  };
+}
+// src/session/rotate.ts
+var ACCESS_DEFAULT2 = 900;
+var REFRESH_DEFAULT2 = 2592e3;
+async function rotateRefresh(cfg, presentedRefresh, meta = {}) {
+  let claims;
+  try {
+    claims = await verify(presentedRefresh, cfg.secrets.jwtSecret);
+  } catch {
+    throw new InvalidTokenError("refresh token invalid");
+  }
+  if (claims.typ !== "refresh" || !claims.sid || !claims.sub || !claims.fam) {
+    throw new InvalidTokenError("refresh claims malformed");
+  }
+  const presentedHash = await sha256b64url(presentedRefresh);
+  const found = await cfg.adapters.session.getByRefreshHash(presentedHash);
+  if (!found || found.revokedAt) {
+    await cfg.adapters.session.revokeFamily(claims.fam);
+    await emit(cfg, {
+      type: "session.reuse_detected",
+      userId: claims.sub,
+      sessionId: claims.sid,
+      ip: meta.ip ?? null,
+      userAgent: meta.userAgent ?? null,
+      data: { familyId: claims.fam }
+    });
+    throw new RefreshReuseError();
+  }
+  if (found.expiresAt.getTime() < Date.now()) {
+    await cfg.adapters.session.revokeFamily(claims.fam);
+    throw new SessionExpiredError();
+  }
+  const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT2;
+  const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT2;
+  const now = Math.floor(Date.now() / 1e3);
+  const nonce = crypto.randomUUID();
+  const [accessToken, refreshToken] = await Promise.all([
+    sign(
+      { sid: found.id, sub: found.userId, fam: found.familyId, nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${accessTtl}s` }
+    ),
+    sign(
+      { sid: found.id, sub: found.userId, fam: found.familyId, typ: "refresh", nce: nonce },
+      cfg.secrets.jwtSecret,
+      { expiresIn: `${refreshTtl}s`, jti: nonce }
+    )
+  ]);
+  const newHash = await sha256b64url(refreshToken);
+  await cfg.adapters.session.rotateRefresh(
+    found.id,
+    newHash,
+    new Date((now + refreshTtl) * 1e3)
+  );
+  await emit(cfg, {
+    type: "session.rotated",
+    userId: found.userId,
+    sessionId: found.id,
+    ip: meta.ip ?? null,
+    userAgent: meta.userAgent ?? null,
+    data: { familyId: found.familyId }
+  });
+  await getHookRunner(cfg).runSessionRotate({
+    userId: found.userId,
+    sessionId: found.id,
+    familyId: found.familyId
+  });
+  return {
+    accessToken,
+    refreshToken,
+    csrfToken: generateCsrfToken(),
+    sessionId: found.id,
+    familyId: found.familyId,
+    accessExpiresAt: (now + accessTtl) * 1e3,
+    refreshExpiresAt: (now + refreshTtl) * 1e3
+  };
+}
+// src/session/validate.ts
+async function validateSession(cfg, token) {
+  try {
+    const p = await verify(
+      token,
+      cfg.secrets.jwtSecret
+    );
+    if (!p.sid || !p.sub) return null;
+    return {
+      sessionId: p.sid,
+      userId: p.sub,
+      expiresAt: (p.exp ?? 0) * 1e3,
+      familyId: p.fam
+    };
+  } catch {
+    return null;
+  }
+}
+// src/session/revoke.ts
+async function revokeSession(cfg, sessionId, userId) {
+  await cfg.adapters.session.deleteSession(sessionId);
+  await emit(cfg, {
+    type: "session.revoked",
+    userId: userId ?? null,
+    sessionId
+  });
+  await getHookRunner(cfg).runSessionRevoke({ userId: userId ?? null, sessionId });
+}
+async function revokeByRefresh(cfg, refreshToken) {
+  try {
+    const p = await verify(refreshToken, cfg.secrets.jwtSecret);
+    if (p.sid) {
+      await cfg.adapters.session.deleteSession(p.sid);
+      await emit(cfg, { type: "session.revoked", userId: p.sub ?? null, sessionId: p.sid });
+      await getHookRunner(cfg).runSessionRevoke({ userId: p.sub ?? null, sessionId: p.sid });
+    }
+  } catch {
+  }
+}
+async function revokeAllForUser(cfg, userId) {
+  if (cfg.adapters.session.revokeUser) {
+    await cfg.adapters.session.revokeUser(userId);
+    await emit(cfg, { type: "session.revoked", userId, data: { scope: "all" } });
+    await getHookRunner(cfg).runSessionRevoke({ userId, sessionId: null, scope: "all" });
+  }
+}
+// src/session/get-or-refresh.ts
+async function getSessionOrRefresh(instance, input) {
+  const { accessToken, refreshToken, ip, userAgent } = input;
+  if (accessToken) {
+    const session2 = await validateSession(instance.config, accessToken);
+    if (session2 && session2.expiresAt > Date.now()) {
+      return { session: session2, tokens: null, refreshed: false };
+    }
+  }
+  if (!refreshToken) {
+    return { session: null, tokens: null, refreshed: false };
+  }
+  let tokens;
+  try {
+    tokens = await instance.refresh({ refreshToken, ip, userAgent });
+  } catch {
+    return { session: null, tokens: null, refreshed: false };
+  }
+  const session = await validateSession(instance.config, tokens.accessToken);
+  return { session, tokens, refreshed: true };
+}
+// src/password/index.ts
+var password_exports = {};
+__export(password_exports, {
+  hash: () => hash,
+  verify: () => verify2
+});
+var ITER = 1e5;
+var KEYLEN = 32;
+var SALT_LEN = 16;
+function b64(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+function fromB64(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function pbkdf2Hash(password, salt) {
+  const keyMaterial = new TextEncoder().encode(password);
+  const key = await crypto.subtle.importKey("raw", keyMaterial, "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: ITER, hash: "SHA-256" },
+    key,
+    KEYLEN * 8
+  );
+  return new Uint8Array(bits);
+}
+async function tryArgon2() {
+  try {
+    const mod = await import(
+      /* webpackIgnore: true */
+      /* turbopackIgnore: true */
+      /* @vite-ignore */
+      '@node-rs/argon2'
+    ).catch(() => null);
+    return mod ?? null;
+  } catch {
+    return null;
+  }
+}
+async function hash(password) {
+  const argon = await tryArgon2();
+  if (argon) {
+    return argon.hash(password);
+  }
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LEN));
+  const h = await pbkdf2Hash(password, salt);
+  return `pbkdf2-sha256$${ITER}$${b64(salt)}$${b64(h)}`;
+}
+async function verify2(password, stored) {
+  if (stored.startsWith("$argon2")) {
+    const argon = await tryArgon2();
+    if (!argon) return false;
+    return argon.verify(stored, password);
+  }
+  const [scheme, iterStr, saltB64, hashB64] = stored.split("$");
+  if (scheme !== "pbkdf2-sha256" || !iterStr || !saltB64 || !hashB64) return false;
+  const salt = fromB64(saltB64);
+  const expected = fromB64(hashB64);
+  const keyMaterial = new TextEncoder().encode(password);
+  const key = await crypto.subtle.importKey("raw", keyMaterial, "PBKDF2", false, ["deriveBits"]);
+  const bits = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, iterations: Number(iterStr), hash: "SHA-256" },
+    key,
+    expected.length * 8
+  );
+  const out = new Uint8Array(bits);
+  if (out.length !== expected.length) return false;
+  let diff = 0;
+  for (let i = 0; i < out.length; i++) diff |= out[i] ^ expected[i];
+  return diff === 0;
+}
+// src/otp/index.ts
+var otp_exports = {};
+__export(otp_exports, {
+  createChallenge: () => createChallenge,
+  generateNumericOtp: () => generateNumericOtp,
+  isExpired: () => isExpired
+});
+function generateNumericOtp(length = 6) {
+  const max = 10 ** length;
+  const n = crypto.getRandomValues(new Uint32Array(1))[0] % max;
+  return n.toString().padStart(length, "0");
+}
+function createChallenge(ttlSeconds = 600, length = 6) {
+  return { code: generateNumericOtp(length), expiresAt: Date.now() + ttlSeconds * 1e3 };
+}
+function isExpired(challenge) {
+  return Date.now() > challenge.expiresAt;
+}
+// src/sso/index.ts
+var sso_exports = {};
+__export(sso_exports, {
+  GithubProvider: () => GithubProvider,
+  GoogleProvider: () => GoogleProvider,
+  authorize: () => authorize,
+  base64url: () => base64url,
+  buildAuthorizeUrl: () => buildAuthorizeUrl,
+  callback: () => callback,
+  exchangeCode: () => exchangeCode,
+  fetchUserInfo: () => fetchUserInfo,
+  findProvider: () => findProvider,
+  generateNonce: () => generateNonce,
+  generatePkcePair: () => generatePkcePair,
+  generateState: () => generateState
+});
+// src/sso/client.ts
+function buildAuthorizeUrl(p) {
+  const url = new URL(p.issuerAuthUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", p.clientId);
+  url.searchParams.set("redirect_uri", p.redirectUri);
+  url.searchParams.set("scope", (p.scopes ?? ["openid", "email", "profile"]).join(" "));
+  url.searchParams.set("state", p.state);
+  url.searchParams.set("code_challenge", p.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  if (p.nonce) url.searchParams.set("nonce", p.nonce);
+  for (const [k, v] of Object.entries(p.extra ?? {})) url.searchParams.set(k, v);
+  return url.toString();
+}
+async function generatePkcePair() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  const verifier = base64url(bytes);
+  const hash2 = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+  return { verifier, challenge: base64url(new Uint8Array(hash2)) };
+}
+function generateState() {
+  return base64url(crypto.getRandomValues(new Uint8Array(16)));
+}
+function generateNonce() {
+  return base64url(crypto.getRandomValues(new Uint8Array(16)));
+}
+async function exchangeCode(i) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: i.code,
+    redirect_uri: i.redirectUri,
+    client_id: i.clientId,
+    client_secret: i.clientSecret,
+    code_verifier: i.codeVerifier
+  });
+  const res = await fetch(i.tokenUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
+    body
+  });
+  if (!res.ok) throw new ProviderError(`Token exchange failed: ${res.status}`);
+  return await res.json();
+}
+async function fetchUserInfo(userinfoUrl, accessToken) {
+  const res = await fetch(userinfoUrl, {
+    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" }
+  });
+  if (!res.ok) throw new ProviderError(`Userinfo failed: ${res.status}`);
+  return await res.json();
+}
+function base64url(bytes) {
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// src/sso/authorize.ts
+function findProvider(cfg, id) {
+  const p = cfg.providers?.find((x) => x.id === id);
+  if (!p) throw new ProviderError(`unknown provider: ${id}`);
+  return p;
+}
+async function authorize(cfg, providerId) {
+  const p = findProvider(cfg, providerId);
+  const state = generateState();
+  const { verifier, challenge } = await generatePkcePair();
+  const nonce = p.kind === "oidc" ? generateNonce() : void 0;
+  const url = buildAuthorizeUrl({
+    issuerAuthUrl: p.authorizationUrl,
+    clientId: p.clientId,
+    redirectUri: p.redirectUri,
+    scopes: p.scopes,
+    state,
+    codeChallenge: challenge,
+    nonce
+  });
+  await emit(cfg, { type: "sso.authorize", data: { provider: providerId } });
+  return { url, state, codeVerifier: verifier, nonce };
+}
+// src/sso/callback.ts
+async function exchangeAndProfile(p, input) {
+  const tokens = await exchangeCode({
+    tokenUrl: p.tokenUrl,
+    clientId: p.clientId,
+    clientSecret: p.clientSecret,
+    redirectUri: p.redirectUri,
+    code: input.code,
+    codeVerifier: input.codeVerifier
+  });
+  const accessToken = typeof tokens.access_token === "string" ? tokens.access_token : null;
+  if (!accessToken) throw new ProviderError("no access_token in response");
+  if (p.kind === "oidc") {
+    const idToken = typeof tokens.id_token === "string" ? tokens.id_token : null;
+    if (idToken) {
+      const claims = decode(idToken);
+      if (claims.sub && claims.email) {
+        return {
+          tokens,
+          profile: {
+            providerAccountId: claims.sub,
+            email: claims.email.toLowerCase(),
+            name: claims.name ?? null,
+            image: claims.picture ?? null,
+            emailVerified: claims.email_verified ?? false
+          }
+        };
+      }
+    }
+    const ui = await fetchUserInfo(p.userinfoUrl, accessToken);
+    const sub = ui.sub ?? "";
+    const email2 = typeof ui.email === "string" ? ui.email.toLowerCase() : "";
+    if (!sub || !email2) throw new ProviderError("userinfo missing sub/email");
+    return {
+      tokens,
+      profile: {
+        providerAccountId: sub,
+        email: email2,
+        name: ui.name ?? null,
+        image: ui.picture ?? null,
+        emailVerified: Boolean(ui.email_verified)
+      }
+    };
+  }
+  const raw = await fetchUserInfo(p.userinfoUrl, accessToken);
+  const mapped = p.profile(raw);
+  if (!mapped.providerAccountId) throw new ProviderError("provider profile missing id");
+  let email = mapped.email.toLowerCase();
+  let verified = false;
+  if (!email && p.id === "github") {
+    const emails = await fetchUserInfo("https://api.github.com/user/emails", accessToken);
+    const primary = Array.isArray(emails) ? emails.find((e) => e.primary) : void 0;
+    if (primary) {
+      email = primary.email.toLowerCase();
+      verified = primary.verified;
+    }
+  }
+  if (!email) throw new ProviderError("provider did not return an email");
+  return {
+    tokens,
+    profile: {
+      providerAccountId: mapped.providerAccountId,
+      email,
+      name: mapped.name ?? null,
+      image: mapped.image ?? null,
+      emailVerified: verified
+    }
+  };
+}
+async function resolveUser(cfg, provider, profile, rawTokens) {
+  const account = cfg.adapters.account;
+  if (account) {
+    const existing = await account.getAccountByProvider(provider.id, profile.providerAccountId);
+    if (existing) {
+      const u = await cfg.adapters.user.getUserById(existing.userId);
+      if (u) return u;
+    }
+  }
+  const byEmail = await cfg.adapters.user.getUserByEmail(profile.email);
+  if (byEmail) {
+    if (!cfg.allowDangerousEmailAccountLinking || !profile.emailVerified) {
+      throw new AccountConflictError(
+        `an account with email ${profile.email} already exists; enable allowDangerousEmailAccountLinking or sign in with password first`
+      );
+    }
+    if (account) {
+      const linked = await account.linkAccount({
+        userId: byEmail.id,
+        provider: provider.id,
+        providerAccountId: profile.providerAccountId,
+        email: profile.email,
+        accessToken: rawTokens.access_token ?? null,
+        refreshToken: rawTokens.refresh_token ?? null,
+        idToken: rawTokens.id_token ?? null,
+        tokenType: rawTokens.token_type ?? null,
+        scope: rawTokens.scope ?? null,
+        expiresAt: typeof rawTokens.expires_in === "number" ? new Date(Date.now() + rawTokens.expires_in * 1e3) : null
+      });
+      await emit(cfg, {
+        type: "account.linked",
+        userId: byEmail.id,
+        data: { provider: provider.id, accountId: linked.id, auto: true }
+      });
+    }
+    return byEmail;
+  }
+  const user = await cfg.adapters.user.createUser({
+    email: profile.email,
+    name: profile.name ?? null,
+    image: profile.image ?? null,
+    emailVerified: profile.emailVerified ? /* @__PURE__ */ new Date() : null
+  });
+  if (account) {
+    const linked = await account.linkAccount({
+      userId: user.id,
+      provider: provider.id,
+      providerAccountId: profile.providerAccountId,
+      email: profile.email,
+      accessToken: rawTokens.access_token ?? null,
+      refreshToken: rawTokens.refresh_token ?? null,
+      idToken: rawTokens.id_token ?? null,
+      tokenType: rawTokens.token_type ?? null,
+      scope: rawTokens.scope ?? null,
+      expiresAt: typeof rawTokens.expires_in === "number" ? new Date(Date.now() + rawTokens.expires_in * 1e3) : null
+    });
+    await emit(cfg, {
+      type: "account.linked",
+      userId: user.id,
+      data: { provider: provider.id, accountId: linked.id, onCreate: true }
+    });
+  }
+  return user;
+}
+async function callback(cfg, providerId, input) {
+  const p = findProvider(cfg, providerId);
+  try {
+    const { tokens: rawTokens, profile } = await exchangeAndProfile(p, input);
+    const user = await resolveUser(cfg, p, profile, rawTokens);
+    const tokens = await issueSession(cfg, {
+      userId: user.id,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null
+    });
+    await emit(cfg, {
+      type: "sso.callback_ok",
+      userId: user.id,
+      sessionId: tokens.sessionId,
+      data: { provider: providerId }
+    });
+    return { user, tokens };
+  } catch (e) {
+    await emit(cfg, {
+      type: "sso.callback_failed",
+      data: { provider: providerId, error: e.message }
+    });
+    throw e;
+  }
+}
+// src/sso/providers/google.ts
+function GoogleProvider(opts) {
+  return {
+    kind: "oidc",
+    id: opts.id ?? "google",
+    name: "Google",
+    clientId: opts.clientId,
+    clientSecret: opts.clientSecret,
+    redirectUri: opts.redirectUri,
+    scopes: opts.scopes ?? ["openid", "email", "profile"],
+    issuer: "https://accounts.google.com",
+    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userinfoUrl: "https://openidconnect.googleapis.com/v1/userinfo"
+  };
+}
+// src/sso/providers/github.ts
+function GithubProvider(opts) {
+  return {
+    kind: "oauth2",
+    id: opts.id ?? "github",
+    name: "GitHub",
+    clientId: opts.clientId,
+    clientSecret: opts.clientSecret,
+    redirectUri: opts.redirectUri,
+    scopes: opts.scopes ?? ["read:user", "user:email"],
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    userinfoUrl: "https://api.github.com/user",
+    profile: (raw) => {
+      const p = raw ?? {};
+      return {
+        providerAccountId: String(p.id ?? p.login ?? ""),
+        email: p.email ?? "",
+        name: p.name ?? p.login ?? null,
+        image: p.avatar_url ?? null
+      };
+    }
+  };
+}
+// src/adapters/index.ts
+var adapters_exports = {};
+// src/cookies/index.ts
+var cookies_exports = {};
+__export(cookies_exports, {
+  CSRF_HEADER: () => CSRF_HEADER,
+  buildCookie: () => buildCookie,
+  cookieName: () => cookieName,
+  deleteCookie: () => deleteCookie,
+  generateCsrfToken: () => generateCsrfToken,
+  isProduction: () => isProduction,
+  serializeCookie: () => serializeCookie,
+  verifyCsrf: () => verifyCsrf
+});
+// src/cookies/spec.ts
+function cookieName(cfg, kind) {
+  const prefix = cfg.tokens?.cookiePrefix ?? "holeauth";
+  switch (kind) {
+    case "access":
+      return `${prefix}.at`;
+    case "refresh":
+      return `${prefix}.rt`;
+    case "csrf":
+      return `${prefix}.csrf`;
+    case "pending":
+      return `${prefix}.pending`;
+    case "oauthState":
+      return `${prefix}.oauth.state`;
+    case "oauthPkce":
+      return `${prefix}.oauth.pkce`;
+  }
+}
+function isProduction() {
+  return globalThis.process?.env?.NODE_ENV === "production";
+}
+function buildCookie(cfg, input) {
+  const httpOnly = input.httpOnly ?? input.kind !== "csrf";
+  const secure = cfg.tokens?.cookieSecure ?? isProduction();
+  return {
+    name: cookieName(cfg, input.kind),
+    value: input.value,
+    maxAge: input.maxAge,
+    httpOnly,
+    secure,
+    sameSite: input.sameSite ?? cfg.tokens?.sameSite ?? "lax",
+    path: input.path ?? "/",
+    domain: cfg.tokens?.cookieDomain
+  };
+}
+function serializeCookie(c) {
+  const parts = [`${c.name}=${encodeURIComponent(c.value)}`];
+  parts.push(`Path=${c.path}`);
+  if (c.domain) parts.push(`Domain=${c.domain}`);
+  if (c.maxAge !== void 0) {
+    parts.push(`Max-Age=${c.maxAge}`);
+    if (c.maxAge === 0) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+  }
+  if (c.httpOnly) parts.push("HttpOnly");
+  if (c.secure) parts.push("Secure");
+  parts.push(`SameSite=${c.sameSite.charAt(0).toUpperCase()}${c.sameSite.slice(1)}`);
+  return parts.join("; ");
+}
+function deleteCookie(cfg, kind) {
+  return buildCookie(cfg, { kind, value: "", maxAge: 0 });
+}
+// src/events/index.ts
+var events_exports = {};
+__export(events_exports, {
+  emit: () => emit,
+  subscribe: () => subscribe,
+  unsubscribe: () => unsubscribe
+});
+// src/flows/index.ts
+var flows_exports = {};
+__export(flows_exports, {
+  changePassword: () => changePassword,
+  consumeInvite: () => consumeInvite,
+  consumePasswordReset: () => consumePasswordReset,
+  createInvite: () => createInvite,
+  deleteUser: () => deleteUser,
+  getInviteInfo: () => getInviteInfo,
+  issuePendingToken: () => issuePendingToken,
+  listInvites: () => listInvites,
+  refresh: () => refresh,
+  register: () => register,
+  requestPasswordReset: () => requestPasswordReset,
+  revokeInvite: () => revokeInvite,
+  signIn: () => signIn,
+  signOut: () => signOut,
+  updateUser: () => updateUser,
+  verifyPendingToken: () => verifyPendingToken
+});
+// src/flows/register.ts
+async function register(cfg, hooks, input) {
+  if (cfg.registration?.selfServe === false) {
+    throw new RegistrationDisabledError();
+  }
+  const email = input.email.trim().toLowerCase();
+  await hooks.runRegisterBefore({ email, password: input.password, name: input.name ?? null });
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) throw new AccountConflictError("email already registered");
+  const passwordHash = await hash(input.password);
+  const user = await cfg.adapters.user.createUser({
+    email,
+    name: input.name ?? null,
+    passwordHash,
+    emailVerified: null
+  });
+  await emit(cfg, { type: "user.registered", userId: user.id, data: { email } });
+  await hooks.runRegisterAfter(user);
+  return user;
+}
+// src/flows/signin.ts
+async function signIn(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runSignInBefore({ email, ip: input.ip, userAgent: input.userAgent });
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user || !user.passwordHash) throw new CredentialsError();
+  const ok = await verify2(input.password, user.passwordHash);
+  if (!ok) throw new CredentialsError();
+  const challenge = await hooks.runSignInChallenge(user, {
+    ip: input.ip,
+    userAgent: input.userAgent
+  });
+  if (challenge) {
+    await emit(cfg, {
+      type: "user.signed_in",
+      userId: user.id,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null,
+      data: { stage: "pending", pluginId: challenge.pluginId }
+    });
+    return {
+      kind: "pending",
+      pluginId: challenge.pluginId,
+      userId: user.id,
+      pendingToken: challenge.pendingToken,
+      pendingExpiresAt: challenge.expiresAt,
+      data: challenge.data ?? null
+    };
+  }
+  const tokens = await issueSession(cfg, {
+    userId: user.id,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  await emit(cfg, {
+    type: "user.signed_in",
+    userId: user.id,
+    sessionId: tokens.sessionId,
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null,
+    data: { method: "password" }
+  });
+  await hooks.runSignInAfter({ user, tokens, method: "password" });
+  return { kind: "ok", user, tokens };
+}
+async function issuePendingToken(cfg, input) {
+  const ttl = input.ttlSeconds ?? cfg.tokens?.pendingTtl ?? 300;
+  const now = Math.floor(Date.now() / 1e3);
+  const token = await sign(
+    { sub: input.userId, typ: "pending", pid: input.pluginId, ...input.extra ?? {} },
+    cfg.secrets.jwtSecret,
+    { expiresIn: `${ttl}s` }
+  );
+  return { token, expiresAt: (now + ttl) * 1e3 };
+}
+async function verifyPendingToken(cfg, token, expectedPluginId) {
+  const claims = await verify(
+    token,
+    cfg.secrets.jwtSecret
+  );
+  if (claims.typ !== "pending" || claims.pid !== expectedPluginId || !claims.sub) {
+    throw new CredentialsError("pending token invalid");
+  }
+  const { sub, typ, pid, exp, iat, nbf, jti, ...extra } = claims;
+  return { userId: sub, extra };
+}
+// src/flows/signout.ts
+async function signOut(cfg, hooks, input) {
+  let userId = null;
+  let sessionId = null;
+  if (input.refreshToken) {
+    await revokeByRefresh(cfg, input.refreshToken);
+  } else if (input.accessToken) {
+    try {
+      const p = await verify(input.accessToken, cfg.secrets.jwtSecret);
+      if (p.sid) {
+        sessionId = p.sid;
+        userId = p.sub ?? null;
+        await revokeSession(cfg, p.sid, p.sub);
+      }
+    } catch {
+    }
+  }
+  await emit(cfg, {
+    type: "user.signed_out",
+    userId,
+    sessionId
+  });
+  await hooks.runSignOutAfter({ userId, sessionId });
+}
+// src/flows/refresh.ts
+async function refresh(cfg, hooks, input) {
+  await hooks.runRefreshBefore({ ip: input.ip, userAgent: input.userAgent });
+  const tokens = await rotateRefresh(cfg, input.refreshToken, {
+    ip: input.ip ?? null,
+    userAgent: input.userAgent ?? null
+  });
+  let userId = "";
+  try {
+    const p = await verify(tokens.accessToken, cfg.secrets.jwtSecret);
+    userId = p.sub ?? "";
+  } catch {
+  }
+  await hooks.runRefreshAfter({
+    userId,
+    sessionId: tokens.sessionId,
+    tokens
+  });
+  return tokens;
+}
+// src/flows/tx.ts
+async function runInTransaction(cfg, fn) {
+  const tx = cfg.adapters.transaction;
+  if (!tx) return fn();
+  return tx.run(fn);
+}
+// src/flows/password-change.ts
+async function changePassword(cfg, hooks, input) {
+  await hooks.runPasswordChangeBefore(input);
+  const user = await cfg.adapters.user.getUserById(input.userId);
+  if (!user || !user.passwordHash) throw new CredentialsError("user has no password");
+  const ok = await verify2(input.currentPassword, user.passwordHash);
+  if (!ok) throw new CredentialsError();
+  const passwordHash = await hash(input.newPassword);
+  await runInTransaction(cfg, async () => {
+    await cfg.adapters.user.updateUser(user.id, { passwordHash });
+    if (input.revokeOtherSessions !== false) {
+      await revokeAllForUser(cfg, user.id);
+    }
+  });
+  await emit(cfg, { type: "user.password_changed", userId: user.id });
+  await hooks.runPasswordChangeAfter({ userId: user.id });
+}
+// src/utils/base64url.ts
+var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function enc(n) {
+  return ALPHABET.charAt(n & 63);
+}
+function bytesToBase64Url(bytes) {
+  let out = "";
+  let i = 0;
+  for (; i + 3 <= bytes.length; i += 3) {
+    const b0 = bytes[i] ?? 0;
+    const b1 = bytes[i + 1] ?? 0;
+    const b2 = bytes[i + 2] ?? 0;
+    const n = b0 << 16 | b1 << 8 | b2;
+    out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6) + enc(n);
+  }
+  const rem = bytes.length - i;
+  if (rem === 1) {
+    const n = (bytes[i] ?? 0) << 16;
+    out += enc(n >> 18) + enc(n >> 12);
+  } else if (rem === 2) {
+    const n = (bytes[i] ?? 0) << 16 | (bytes[i + 1] ?? 0) << 8;
+    out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6);
+  }
+  return out;
+}
+function randomBase64Url(bytes = 32) {
+  const a = new Uint8Array(bytes);
+  crypto.getRandomValues(a);
+  return bytesToBase64Url(a);
+}
+// src/flows/password-reset.ts
+var RESET_TTL_SECONDS = 60 * 30;
+function randomToken(bytes = 32) {
+  return randomBase64Url(bytes);
+}
+function requireVerificationAdapter(cfg) {
+  const v = cfg.adapters.verificationToken;
+  if (!v) {
+    throw new HoleauthError(
+      "VERIFICATION_NOT_CONFIGURED",
+      "passwordReset requires adapters.verificationToken",
+      500
+    );
+  }
+  return v;
+}
+async function requestPasswordReset(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runPasswordResetBefore({ email });
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user) {
+    return {};
+  }
+  const verification = requireVerificationAdapter(cfg);
+  const token = randomToken(32);
+  await verification.create({
+    identifier: email,
+    token,
+    expiresAt: new Date(Date.now() + RESET_TTL_SECONDS * 1e3)
+  });
+  await emit(cfg, {
+    type: "user.password_reset_requested",
+    userId: user.id,
+    data: { email }
+  });
+  await hooks.runPasswordResetAfter({ userId: user.id, stage: "request" });
+  return { token, userId: user.id };
+}
+async function consumePasswordReset(cfg, hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  await hooks.runPasswordResetBefore({ email, token: input.token, newPassword: input.newPassword });
+  const verification = requireVerificationAdapter(cfg);
+  const row = await verification.consume(email, input.token);
+  if (!row) throw new CredentialsError("reset token invalid");
+  if (row.expiresAt.getTime() < Date.now()) throw new CredentialsError("reset token expired");
+  const user = await cfg.adapters.user.getUserByEmail(email);
+  if (!user) throw new CredentialsError();
+  const passwordHash = await hash(input.newPassword);
+  await runInTransaction(cfg, async () => {
+    await cfg.adapters.user.updateUser(user.id, { passwordHash });
+    await revokeAllForUser(cfg, user.id);
+  });
+  await emit(cfg, { type: "user.password_reset", userId: user.id });
+  await hooks.runPasswordResetAfter({ userId: user.id, stage: "consume" });
+}
+// src/flows/user-mutation.ts
+async function updateUser(cfg, hooks, userId, patch) {
+  if ("passwordHash" in patch) {
+    throw new CredentialsError("use changePassword to update passwords");
+  }
+  const next = await cfg.adapters.user.updateUser(userId, patch);
+  await emit(cfg, { type: "user.updated", userId, data: { patch: Object.keys(patch) } });
+  await hooks.runUserUpdateAfter({ user: next, patch });
+  return next;
+}
+async function deleteUser(cfg, hooks, userId) {
+  await emit(cfg, { type: "user.delete_requested", userId });
+  await hooks.runUserDeleteAfter({ userId });
+  await runInTransaction(cfg, async () => {
+    await revokeAllForUser(cfg, userId);
+    await cfg.adapters.user.deleteUser(userId);
+  });
+  await emit(cfg, { type: "user.deleted", userId });
+}
+// src/flows/invite.ts
+var INVITE_PREFIX = "invite:";
+var TOKEN_TYPE = "invite";
+function requireVerification(cfg) {
+  const v = cfg.adapters.verificationToken;
+  if (!v) {
+    throw new HoleauthError(
+      "VERIFICATION_NOT_CONFIGURED",
+      "invites require adapters.verificationToken",
+      500
+    );
+  }
+  return v;
+}
+function buildIdentifier(email) {
+  const rand = randomBase64Url(9);
+  return `${INVITE_PREFIX}${email}:${rand}`;
+}
+function parseIdentifier(identifier) {
+  if (!identifier.startsWith(INVITE_PREFIX)) return null;
+  const rest = identifier.slice(INVITE_PREFIX.length);
+  const lastColon = rest.lastIndexOf(":");
+  if (lastColon < 0) return null;
+  return { email: rest.slice(0, lastColon) };
+}
+async function createInvite(cfg, _hooks, input) {
+  const email = input.email.trim().toLowerCase();
+  if (!email.includes("@")) {
+    throw new HoleauthError("INVALID_EMAIL", "invalid email", 400);
+  }
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) {
+    throw new AccountConflictError("user with this email already exists");
+  }
+  const ttl = input.ttlSeconds ?? cfg.registration?.inviteTtlSeconds;
+  if (!ttl || ttl <= 0) {
+    throw new HoleauthError(
+      "TTL_REQUIRED",
+      "invite TTL is required (set input.ttlSeconds or config.registration.inviteTtlSeconds)",
+      400
+    );
+  }
+  const verification = requireVerification(cfg);
+  const identifier = buildIdentifier(email);
+  const expSeconds = Math.floor(Date.now() / 1e3) + ttl;
+  const expiresAt = new Date(expSeconds * 1e3);
+  const token = await sign(
+    {
+      sub: email,
+      name: input.name ?? null,
+      gid: input.groupIds ?? [],
+      by: input.invitedBy ?? null,
+      meta: input.metadata ?? null,
+      typ: TOKEN_TYPE
+    },
+    cfg.secrets.jwtSecret,
+    { expiresIn: `${ttl}s`, jti: identifier, subject: email }
+  );
+  const tokenHash = await sha256b64url(token);
+  await verification.create({ identifier, token: tokenHash, expiresAt });
+  const url = cfg.registration?.inviteUrl?.({ token, email }) ?? void 0;
+  await emit(cfg, {
+    type: "user.invited",
+    userId: input.invitedBy ?? null,
+    data: { email, identifier, groupIds: input.groupIds ?? [] }
+  });
+  return { token, url, identifier, expiresAt: expSeconds * 1e3 };
+}
+async function decodeInvite(cfg, token) {
+  const claims = await verify(token, cfg.secrets.jwtSecret);
+  if (claims.typ !== TOKEN_TYPE) {
+    throw new CredentialsError("not an invite token");
+  }
+  if (!claims.sub || !claims.jti) {
+    throw new CredentialsError("invite token missing claims");
+  }
+  return {
+    email: claims.sub,
+    name: claims.name ?? null,
+    groupIds: claims.gid ?? [],
+    invitedBy: claims.by ?? null,
+    metadata: claims.meta ?? null,
+    expiresAt: (claims.exp ?? 0) * 1e3,
+    identifier: claims.jti
+  };
+}
+async function getInviteInfo(cfg, input) {
+  return decodeInvite(cfg, input.token);
+}
+async function consumeInvite(cfg, hooks, input) {
+  const claims = await decodeInvite(cfg, input.token);
+  const email = claims.email.trim().toLowerCase();
+  const verification = requireVerification(cfg);
+  const tokenHash = await sha256b64url(input.token);
+  const row = await verification.consume(claims.identifier, tokenHash);
+  if (!row) throw new CredentialsError("invite invalid or already used");
+  if (row.expiresAt.getTime() < Date.now()) {
+    throw new CredentialsError("invite expired");
+  }
+  await hooks.runRegisterBefore({
+    email,
+    password: input.password,
+    name: input.name ?? claims.name ?? null
+  });
+  const existing = await cfg.adapters.user.getUserByEmail(email);
+  if (existing) throw new AccountConflictError("email already registered");
+  const passwordHash = await hash(input.password);
+  const user = await cfg.adapters.user.createUser({
+    email,
+    name: input.name ?? claims.name ?? null,
+    passwordHash,
+    emailVerified: /* @__PURE__ */ new Date()
+  });
+  await emit(cfg, { type: "user.registered", userId: user.id, data: { email, via: "invite" } });
+  await emit(cfg, {
+    type: "user.invite_consumed",
+    userId: user.id,
+    data: {
+      email,
+      identifier: claims.identifier,
+      groupIds: claims.groupIds ?? [],
+      invitedBy: claims.invitedBy ?? null,
+      metadata: claims.metadata ?? null
+    }
+  });
+  await hooks.runRegisterAfter(user);
+  let tokens;
+  if (input.autoSignIn) {
+    tokens = await issueSession(cfg, {
+      userId: user.id,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null
+    });
+    await emit(cfg, {
+      type: "user.signed_in",
+      userId: user.id,
+      sessionId: tokens.sessionId,
+      ip: input.ip ?? null,
+      userAgent: input.userAgent ?? null,
+      data: { method: "invite" }
+    });
+  }
+  return { user, tokens, groupIds: claims.groupIds ?? [] };
+}
+async function revokeInvite(cfg, input) {
+  const verification = requireVerification(cfg);
+  if (!verification.deleteByIdentifier) {
+    throw new NotSupportedError("verificationToken adapter does not support deleteByIdentifier");
+  }
+  await verification.deleteByIdentifier(input.identifier);
+  await emit(cfg, {
+    type: "user.invite_revoked",
+    data: { identifier: input.identifier }
+  });
+}
+async function listInvites(cfg) {
+  const verification = requireVerification(cfg);
+  if (!verification.listByIdentifierPrefix) {
+    throw new NotSupportedError(
+      "verificationToken adapter does not support listByIdentifierPrefix"
+    );
+  }
+  const rows = await verification.listByIdentifierPrefix(INVITE_PREFIX);
+  const out = [];
+  for (const r of rows) {
+    const parsed = parseIdentifier(r.identifier);
+    if (!parsed) continue;
+    out.push({
+      identifier: r.identifier,
+      email: parsed.email,
+      expiresAt: r.expiresAt.getTime()
+    });
+  }
+  return out;
+}
+// src/plugins/index.ts
+var plugins_exports = {};
+__export(plugins_exports, {
+  buildRegistry: () => buildRegistry,
+  definePlugin: () => definePlugin,
+  emptyRegistry: () => emptyRegistry,
+  runOnInit: () => runOnInit
+});
+// src/plugins/define.ts
+function definePlugin(p) {
+  return p;
+}
+// src/plugins/registry.ts
+var CORE_ROUTE_PATHS = /* @__PURE__ */ new Set([
+  "GET /session",
+  "GET /csrf",
+  "GET /authorize/:provider",
+  "GET /callback/:provider",
+  "POST /register",
+  "POST /signin",
+  "POST /signout",
+  "POST /refresh",
+  "POST /password/change",
+  "POST /password/reset/request",
+  "POST /password/reset/consume",
+  "GET /invite/info",
+  "GET /invite/list",
+  "POST /invite/create",
+  "POST /invite/consume",
+  "POST /invite/revoke"
+]);
+function defaultLogger(cfg) {
+  const prefix = "[holeauth]";
+  const silent = cfg.logger?.silent === true;
+  return {
+    debug: silent ? () => {
+    } : (m, d) => console.debug(prefix, m, d ?? ""),
+    info: silent ? () => {
+    } : (m, d) => console.info(prefix, m, d ?? ""),
+    warn: (m, d) => console.warn(prefix, m, d ?? ""),
+    error: (m, e) => console.error(prefix, m, e ?? "")
+  };
+}
+function topoSort(plugins) {
+  const byId = /* @__PURE__ */ new Map();
+  for (const p of plugins) {
+    if (byId.has(p.id)) throw new Error(`holeauth: duplicate plugin id "${p.id}"`);
+    byId.set(p.id, p);
+  }
+  const inDeg = /* @__PURE__ */ new Map();
+  const dependents = /* @__PURE__ */ new Map();
+  for (const p of plugins) {
+    inDeg.set(p.id, 0);
+    dependents.set(p.id, []);
+  }
+  for (const p of plugins) {
+    for (const dep of p.dependsOn ?? []) {
+      if (!byId.has(dep)) {
+        throw new Error(`holeauth: plugin "${p.id}" depends on missing plugin "${dep}"`);
+      }
+      inDeg.set(p.id, (inDeg.get(p.id) ?? 0) + 1);
+      dependents.get(dep).push(p.id);
+    }
+  }
+  const queue = [];
+  for (const [id, d] of inDeg) if (d === 0) queue.push(id);
+  const sorted = [];
+  while (queue.length) {
+    const id = queue.shift();
+    sorted.push(byId.get(id));
+    for (const dep of dependents.get(id) ?? []) {
+      const next = (inDeg.get(dep) ?? 0) - 1;
+      inDeg.set(dep, next);
+      if (next === 0) queue.push(dep);
+    }
+  }
+  if (sorted.length !== plugins.length) {
+    throw new Error("holeauth: plugin dependsOn graph has a cycle");
+  }
+  return sorted;
+}
+function buildPluginEvents(cfg) {
+  return {
+    on(type, handler) {
+      return subscribe(cfg, type, handler);
+    },
+    off(type, handler) {
+      unsubscribe(cfg, type, handler);
+    },
+    async emit(e) {
+      await emit(cfg, e);
+    }
+  };
+}
+function routeKey(r) {
+  return `${r.method} ${r.path}`;
+}
+function validatePluginRoutes(plugins) {
+  const seen = /* @__PURE__ */ new Map();
+  const out = [];
+  for (const p of plugins) {
+    for (const r of p.routes ?? []) {
+      if (!r.path.startsWith("/")) {
+        throw new Error(
+          `holeauth: plugin "${p.id}" declared route with invalid path "${r.path}" (must start with '/')`
+        );
+      }
+      const key = routeKey(r);
+      if (CORE_ROUTE_PATHS.has(key)) {
+        throw new Error(
+          `holeauth: plugin "${p.id}" route ${key} conflicts with a core route`
+        );
+      }
+      const prev = seen.get(key);
+      if (prev) {
+        throw new Error(
+          `holeauth: plugin "${p.id}" route ${key} conflicts with plugin "${prev}"`
+        );
+      }
+      seen.set(key, p.id);
+      out.push(r);
+    }
+  }
+  return out;
+}
+function makeHookRunner(plugins, ctx) {
+  const logger = ctx.logger;
+  async function runAfter(label, fns, data) {
+    for (const fn of fns) {
+      try {
+        await fn(data, ctx);
+      } catch (err) {
+        logger.error(`hook ${label} threw`, err);
+        void ctx.events.emit({
+          type: "plugin.error",
+          data: { hook: label, error: String(err?.message ?? err) }
+        }).catch(() => {
+        });
+      }
+    }
+  }
+  async function runBefore(fns, input) {
+    for (const fn of fns) await fn(input, ctx);
+  }
+  const pick = (group, slot) => plugins.map((p) => {
+    const g = p.hooks?.[group];
+    return g?.[slot];
+  }).filter((x) => !!x);
+  const regBefore = pick("register", "before");
+  const regAfter = pick("register", "after");
+  const siBefore = pick("signIn", "before");
+  const siChallenge = plugins.map((p) => ({ id: p.id, fn: p.hooks?.signIn?.challenge })).filter((x) => !!x.fn);
+  const siAfter = pick("signIn", "after");
+  const soAfter = pick("signOut", "after");
+  const rfBefore = pick("refresh", "before");
+  const rfAfter = pick("refresh", "after");
+  const pcBefore = pick("passwordChange", "before");
+  const pcAfter = pick("passwordChange", "after");
+  const prBefore = pick("passwordReset", "before");
+  const prAfter = pick("passwordReset", "after");
+  const uuAfter = pick("userUpdate", "after");
+  const udAfter = pick("userDelete", "after");
+  const seIssue = pick("session", "onIssue");
+  const seRotate = pick("session", "onRotate");
+  const seRevoke = pick("session", "onRevoke");
+  return {
+    runRegisterBefore: (i) => runBefore(regBefore, i),
+    runRegisterAfter: (u) => runAfter("register.after", regAfter, u),
+    runSignInBefore: (i) => runBefore(siBefore, i),
+    async runSignInChallenge(user, input) {
+      let winner = null;
+      for (const { id, fn } of siChallenge) {
+        let result;
+        try {
+          result = await fn(user, input, ctx) ?? null;
+        } catch (err) {
+          logger.error(`signIn.challenge[${id}] threw`, err);
+          continue;
+        }
+        if (!result) continue;
+        if (result.pluginId !== id) {
+          logger.warn(
+            `signIn.challenge[${id}] returned pluginId="${result.pluginId}"; forcing "${id}"`
+          );
+          result.pluginId = id;
+        }
+        if (winner) {
+          logger.warn(
+            `multiple signIn.challenge winners \u2014 using first ("${winner.pluginId}"), ignoring "${result.pluginId}"`
+          );
+          continue;
+        }
+        winner = result;
+      }
+      return winner;
+    },
+    runSignInAfter: (d) => runAfter("signIn.after", siAfter, d),
+    runSignOutAfter: (d) => runAfter("signOut.after", soAfter, d),
+    runRefreshBefore: (i) => runBefore(rfBefore, i),
+    runRefreshAfter: (d) => runAfter("refresh.after", rfAfter, d),
+    runPasswordChangeBefore: (i) => runBefore(pcBefore, i),
+    runPasswordChangeAfter: (d) => runAfter("passwordChange.after", pcAfter, d),
+    runPasswordResetBefore: (i) => runBefore(prBefore, i),
+    runPasswordResetAfter: (d) => runAfter("passwordReset.after", prAfter, d),
+    runUserUpdateAfter: (d) => runAfter("userUpdate.after", uuAfter, d),
+    runUserDeleteAfter: (d) => runAfter("userDelete.after", udAfter, d),
+    runSessionIssue: (d) => runAfter("session.onIssue", seIssue, d),
+    runSessionRotate: (d) => runAfter("session.onRotate", seRotate, d),
+    runSessionRevoke: (d) => runAfter("session.onRevoke", seRevoke, d)
+  };
+}
+function makeCoreSurface(cfg, getHooks) {
+  return {
+    getUserById: (id) => cfg.adapters.user.getUserById(id),
+    getUserByEmail: (email) => cfg.adapters.user.getUserByEmail(email),
+    async issueSession(input) {
+      return issueSession(cfg, {
+        userId: input.userId,
+        ip: input.ip ?? null,
+        userAgent: input.userAgent ?? null
+      });
+    },
+    async revokeSession(sessionId, userId) {
+      return revokeSession(cfg, sessionId, userId);
+    },
+    async completeSignIn(userId, input) {
+      const user = await cfg.adapters.user.getUserById(userId);
+      if (!user) throw new Error("completeSignIn: user not found");
+      const tokens = await issueSession(cfg, {
+        userId: user.id,
+        ip: input.ip ?? null,
+        userAgent: input.userAgent ?? null
+      });
+      await emit(cfg, {
+        type: "user.signed_in",
+        userId: user.id,
+        sessionId: tokens.sessionId,
+        ip: input.ip ?? null,
+        userAgent: input.userAgent ?? null,
+        data: { method: input.method }
+      });
+      await getHooks().runSignInAfter({ user, tokens, method: input.method });
+      return { user, tokens };
+    },
+    async issueSignInResult(user, input) {
+      const tokens = await issueSession(cfg, {
+        userId: user.id,
+        ip: input.ip ?? null,
+        userAgent: input.userAgent ?? null
+      });
+      return { kind: "ok", user, tokens };
+    }
+  };
+}
+function buildRegistry(cfg, rawPlugins = []) {
+  const plugins = topoSort(rawPlugins);
+  const routes = validatePluginRoutes(plugins);
+  const apiMap = {};
+  let hookRunner;
+  const ctx = {
+    config: cfg,
+    events: buildPluginEvents(cfg),
+    logger: defaultLogger(cfg),
+    core: makeCoreSurface(cfg, () => hookRunner),
+    getPlugin(id) {
+      const v = apiMap[id];
+      if (v === void 0) throw new Error(`holeauth: plugin "${id}" not registered`);
+      return v;
+    },
+    getPluginAdapter(id) {
+      return cfg.pluginAdapters?.[id];
+    }
+  };
+  for (const p of plugins) {
+    apiMap[p.id] = p.api(ctx);
+  }
+  hookRunner = makeHookRunner(plugins, ctx);
+  return {
+    plugins,
+    api: apiMap,
+    routes,
+    hooks: hookRunner,
+    ctx
+  };
+}
+function emptyRegistry(cfg) {
+  return buildRegistry(cfg, []);
+}
+async function runOnInit(registry) {
+  for (const p of registry.plugins) {
+    if (p.onInit) await p.onInit(registry.ctx);
+  }
+}
+// src/define.ts
+var REGISTRY_KEY = /* @__PURE__ */ Symbol.for("holeauth.registry");
+var INTERNAL_REGISTRY_KEY = REGISTRY_KEY;
+function getRegistry(instance) {
+  const r = instance[REGISTRY_KEY];
+  if (!r) throw new Error("holeauth: instance has no plugin registry attached");
+  return r;
+}
+function defineHoleauth(config) {
+  const registry = buildRegistry(config, config.plugins ?? []);
+  attachHookRunner(config, registry.hooks);
+  const instance = {
+    config,
+    register(input) {
+      return register(config, registry.hooks, input);
+    },
+    signIn(input) {
+      return signIn(config, registry.hooks, input);
+    },
+    signOut(input) {
+      return signOut(config, registry.hooks, input);
+    },
+    refresh(input) {
+      return refresh(config, registry.hooks, input);
+    },
+    async getSession(accessToken) {
+      if (!accessToken) return null;
+      return validateSession(config, accessToken);
+    },
+    changePassword(input) {
+      return changePassword(config, registry.hooks, input);
+    },
+    requestPasswordReset(input) {
+      return requestPasswordReset(config, registry.hooks, input);
+    },
+    consumePasswordReset(input) {
+      return consumePasswordReset(config, registry.hooks, input);
+    },
+    updateUser(userId, patch) {
+      return updateUser(config, registry.hooks, userId, patch);
+    },
+    deleteUser(userId) {
+      return deleteUser(config, registry.hooks, userId);
+    },
+    createInvite(input) {
+      return createInvite(config, registry.hooks, input);
+    },
+    getInviteInfo(input) {
+      return getInviteInfo(config, input);
+    },
+    consumeInvite(input) {
+      return consumeInvite(config, registry.hooks, input);
+    },
+    revokeInvite(input) {
+      return revokeInvite(config, input);
+    },
+    listInvites() {
+      return listInvites(config);
+    },
+    sso: {
+      authorize: (providerId) => authorize(config, providerId),
+      callback: (providerId, input) => callback(config, providerId, input)
+    }
+  };
+  const merged = { ...instance, ...registry.api };
+  Object.defineProperty(merged, REGISTRY_KEY, {
+    value: registry,
+    enumerable: false,
+    configurable: false,
+    writable: false
+  });
+  void runOnInit(registry).catch((err) => {
+    registry.ctx.logger.error("plugin.onInit failed", err);
+  });
+  return merged;
+}
+export { AccountConflictError, AdapterError, CredentialsError, CsrfError, HoleauthError, INTERNAL_REGISTRY_KEY, InvalidTokenError, NotSupportedError, PendingChallengeError, ProviderError, RefreshReuseError, RegistrationDisabledError, SessionExpiredError, adapters_exports as adapters, cookies_exports as cookies, defineHoleauth, definePlugin, events_exports as events, flows_exports as flows, getRegistry, jwt_exports as jwt, otp_exports as otp, password_exports as password, plugins_exports as plugins, session_exports as session, sso_exports as sso };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map