npm - @inai-dev/hono - Versions diffs - 1.0.0 - Mend

@inai-dev/hono 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/api-routes.cjs +175 -0
package/dist/api-routes.cjs.map +1 -0
package/dist/api-routes.d.cts +7 -0
package/dist/api-routes.d.ts +7 -0
package/dist/api-routes.js +155 -0
package/dist/api-routes.js.map +1 -0
package/dist/index.cjs +280 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +14 -0
package/dist/index.d.ts +14 -0
package/dist/index.js +251 -0
package/dist/index.js.map +1 -0
package/dist/middleware-CH4i5x6z.d.cts +22 -0
package/dist/middleware-CH4i5x6z.d.ts +22 -0
package/dist/middleware.cjs +172 -0
package/dist/middleware.cjs.map +1 -0
package/dist/middleware.d.cts +3 -0
package/dist/middleware.d.ts +3 -0
package/dist/middleware.js +151 -0
package/dist/middleware.js.map +1 -0
package/package.json +73 -0

package/dist/api-routes.cjs ADDED Viewed

@@ -0,0 +1,175 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/api-routes.ts
+var api_routes_exports = {};
+__export(api_routes_exports, {
+  createAuthRoutes: () => createAuthRoutes
+});
+module.exports = __toCommonJS(api_routes_exports);
+var import_hono = require("hono");
+var import_backend = require("@inai-dev/backend");
+// src/helpers.ts
+var import_cookie = require("hono/cookie");
+var import_shared = require("@inai-dev/shared");
+function getRefreshTokenFromContext(c) {
+  return (0, import_cookie.getCookie)(c, import_shared.COOKIE_REFRESH_TOKEN) ?? null;
+}
+function setAuthCookies(c, tokens, user) {
+  const isProduction = typeof process !== "undefined" && process.env?.NODE_ENV === "production";
+  const claims = (0, import_shared.decodeJWTPayload)(tokens.access_token);
+  const expiresAt = claims ? new Date(claims.exp * 1e3).toISOString() : new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+  (0, import_cookie.setCookie)(c, import_shared.COOKIE_AUTH_TOKEN, tokens.access_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: tokens.expires_in
+  });
+  (0, import_cookie.setCookie)(c, import_shared.COOKIE_REFRESH_TOKEN, tokens.refresh_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Strict",
+    path: "/api/auth",
+    maxAge: 7 * 24 * 60 * 60
+  });
+  (0, import_cookie.setCookie)(
+    c,
+    import_shared.COOKIE_AUTH_SESSION,
+    JSON.stringify({
+      user,
+      expiresAt,
+      permissions: claims?.permissions ?? [],
+      orgId: claims?.org_id,
+      orgRole: claims?.org_role,
+      appId: claims?.app_id,
+      envId: claims?.env_id
+    }),
+    {
+      httpOnly: false,
+      secure: isProduction,
+      sameSite: "Lax",
+      path: "/",
+      maxAge: tokens.expires_in
+    }
+  );
+}
+function clearAuthCookies(c) {
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_AUTH_TOKEN, { path: "/" });
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_REFRESH_TOKEN, { path: "/api/auth" });
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_AUTH_SESSION, { path: "/" });
+}
+// src/api-routes.ts
+function createAuthRoutes(config = {}) {
+  const app = new import_hono.Hono();
+  const client = new import_backend.InAIAuthClient(config);
+  app.post("/login", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.login({
+        email: body.email,
+        password: body.password
+      });
+      if (result.mfa_required) {
+        return c.json({ mfa_required: true, mfa_token: result.mfa_token });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Login failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/register", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.register({
+        email: body.email,
+        password: body.password,
+        firstName: body.firstName,
+        lastName: body.lastName
+      });
+      if (!result.access_token) {
+        return c.json({ needs_email_verification: true, user: result.user });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Registration failed";
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/mfa-challenge", async (c) => {
+    try {
+      const body = await c.req.json();
+      const tokens = await client.mfaChallenge({
+        mfa_token: body.mfa_token,
+        code: body.code
+      });
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "MFA verification failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/refresh", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (!refreshToken) {
+        clearAuthCookies(c);
+        return c.json({ error: "No refresh token" }, 401);
+      }
+      const tokens = await client.refresh(refreshToken);
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ error: "Refresh failed" }, 401);
+    }
+  });
+  app.post("/logout", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (refreshToken) {
+        await client.logout(refreshToken).catch(() => {
+        });
+      }
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    }
+  });
+  return app;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthRoutes
+});
+//# sourceMappingURL=api-routes.cjs.map

package/dist/api-routes.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/api-routes.ts","../src/helpers.ts"],"sourcesContent":["import { Hono } from \"hono\";\nimport type { InAIAuthConfig, TokenPair, UserResource, LoginResult } from \"@inai-dev/types\";\nimport { InAIAuthClient } from \"@inai-dev/backend\";\nimport {\n setAuthCookies,\n clearAuthCookies,\n getRefreshTokenFromContext,\n} from \"./helpers\";\n\nexport function createAuthRoutes(config: InAIAuthConfig = {}) {\n const app = new Hono();\n const client = new InAIAuthClient(config);\n\n app.post(\"/login\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const result = await client.login({\n email: body.email,\n password: body.password,\n }) as LoginResult & { user?: UserResource };\n\n if (result.mfa_required) {\n return c.json({ mfa_required: true, mfa_token: result.mfa_token });\n }\n\n const tokens = result as unknown as TokenPair;\n const user =\n result.user ?? (await client.getMe(tokens.access_token)).data;\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message = err instanceof Error ? err.message : \"Login failed\";\n return c.json({ error: message }, 401);\n }\n });\n\n app.post(\"/register\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const result = await client.register({\n email: body.email,\n password: body.password,\n firstName: body.firstName,\n lastName: body.lastName,\n });\n\n if (!result.access_token) {\n return c.json({ needs_email_verification: true, user: result.user });\n }\n\n const tokens = result as unknown as TokenPair;\n const user =\n result.user ?? (await client.getMe(tokens.access_token)).data;\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"Registration failed\";\n return c.json({ error: message }, 400);\n }\n });\n\n app.post(\"/mfa-challenge\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const tokens = await client.mfaChallenge({\n mfa_token: body.mfa_token,\n code: body.code,\n });\n\n const { data: user } = await client.getMe(tokens.access_token);\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"MFA verification failed\";\n return c.json({ error: message }, 401);\n }\n });\n\n app.post(\"/refresh\", async (c) => {\n try {\n const refreshToken = getRefreshTokenFromContext(c);\n\n if (!refreshToken) {\n clearAuthCookies(c);\n return c.json({ error: \"No refresh token\" }, 401);\n }\n\n const tokens = await client.refresh(refreshToken);\n const { data: user } = await client.getMe(tokens.access_token);\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch {\n clearAuthCookies(c);\n return c.json({ error: \"Refresh failed\" }, 401);\n }\n });\n\n app.post(\"/logout\", async (c) => {\n try {\n const refreshToken = getRefreshTokenFromContext(c);\n if (refreshToken) {\n await client.logout(refreshToken).catch(() => {});\n }\n clearAuthCookies(c);\n return c.json({ success: true });\n } catch {\n clearAuthCookies(c);\n return c.json({ success: true });\n }\n });\n\n return app;\n}\n","import type { Context } from \"hono\";\nimport { getCookie, setCookie, deleteCookie } from \"hono/cookie\";\nimport type { AuthObject, TokenPair, UserResource, PlatformUserResource } from \"@inai-dev/types\";\nimport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n decodeJWTPayload,\n} from \"@inai-dev/shared\";\n\nexport function getAuth(c: Context): AuthObject | null {\n return c.get(\"inaiAuth\") ?? null;\n}\n\nexport function getTokenFromContext(c: Context): string | null {\n const authHeader = c.req.header(\"Authorization\");\n if (authHeader?.startsWith(\"Bearer \")) {\n return authHeader.slice(7);\n }\n\n return getCookie(c, COOKIE_AUTH_TOKEN) ?? null;\n}\n\nexport function getRefreshTokenFromContext(c: Context): string | null {\n return getCookie(c, COOKIE_REFRESH_TOKEN) ?? null;\n}\n\nexport function setAuthCookies(\n c: Context,\n tokens: TokenPair,\n user: UserResource | PlatformUserResource,\n): void {\n const isProduction =\n typeof process !== \"undefined\" && process.env?.NODE_ENV === \"production\";\n const claims = decodeJWTPayload(tokens.access_token);\n const expiresAt = claims\n ? new Date(claims.exp * 1000).toISOString()\n : new Date(Date.now() + tokens.expires_in * 1000).toISOString();\n\n setCookie(c, COOKIE_AUTH_TOKEN, tokens.access_token, {\n httpOnly: true,\n secure: isProduction,\n sameSite: \"Lax\",\n path: \"/\",\n maxAge: tokens.expires_in,\n });\n\n setCookie(c, COOKIE_REFRESH_TOKEN, tokens.refresh_token, {\n httpOnly: true,\n secure: isProduction,\n sameSite: \"Strict\",\n path: \"/api/auth\",\n maxAge: 7 * 24 * 60 * 60,\n });\n\n setCookie(\n c,\n COOKIE_AUTH_SESSION,\n JSON.stringify({\n user,\n expiresAt,\n permissions: claims?.permissions ?? [],\n orgId: claims?.org_id,\n orgRole: claims?.org_role,\n appId: claims?.app_id,\n envId: claims?.env_id,\n }),\n {\n httpOnly: false,\n secure: isProduction,\n sameSite: \"Lax\",\n path: \"/\",\n maxAge: tokens.expires_in,\n },\n );\n}\n\nexport function clearAuthCookies(c: Context): void {\n deleteCookie(c, COOKIE_AUTH_TOKEN, { path: \"/\" });\n deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: \"/api/auth\" });\n deleteCookie(c, COOKIE_AUTH_SESSION, { path: \"/\" });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAqB;AAErB,qBAA+B;;;ACD/B,oBAAmD;AAEnD,oBAKO;AAeA,SAAS,2BAA2B,GAA2B;AACpE,aAAO,yBAAU,GAAG,kCAAoB,KAAK;AAC/C;AAEO,SAAS,eACd,GACA,QACA,MACM;AACN,QAAM,eACJ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC9D,QAAM,aAAS,gCAAiB,OAAO,YAAY;AACnD,QAAM,YAAY,SACd,IAAI,KAAK,OAAO,MAAM,GAAI,EAAE,YAAY,IACxC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,aAAa,GAAI,EAAE,YAAY;AAEhE,+BAAU,GAAG,iCAAmB,OAAO,cAAc;AAAA,IACnD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,OAAO;AAAA,EACjB,CAAC;AAED,+BAAU,GAAG,oCAAsB,OAAO,eAAe;AAAA,IACvD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,IAAI,KAAK,KAAK;AAAA,EACxB,CAAC;AAED;AAAA,IACE;AAAA,IACA;AAAA,IACA,KAAK,UAAU;AAAA,MACb;AAAA,MACA;AAAA,MACA,aAAa,QAAQ,eAAe,CAAC;AAAA,MACrC,OAAO,QAAQ;AAAA,MACf,SAAS,QAAQ;AAAA,MACjB,OAAO,QAAQ;AAAA,MACf,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,IACD;AAAA,MACE,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,iBAAiB,GAAkB;AACjD,kCAAa,GAAG,iCAAmB,EAAE,MAAM,IAAI,CAAC;AAChD,kCAAa,GAAG,oCAAsB,EAAE,MAAM,YAAY,CAAC;AAC3D,kCAAa,GAAG,mCAAqB,EAAE,MAAM,IAAI,CAAC;AACpD;;;ADxEO,SAAS,iBAAiB,SAAyB,CAAC,GAAG;AAC5D,QAAM,MAAM,IAAI,iBAAK;AACrB,QAAM,SAAS,IAAI,8BAAe,MAAM;AAExC,MAAI,KAAK,UAAU,OAAO,MAAM;AAC9B,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,MAAM;AAAA,QAChC,OAAO,KAAK;AAAA,QACZ,UAAU,KAAK;AAAA,MACjB,CAAC;AAED,UAAI,OAAO,cAAc;AACvB,eAAO,EAAE,KAAK,EAAE,cAAc,MAAM,WAAW,OAAO,UAAU,CAAC;AAAA,MACnE;AAEA,YAAM,SAAS;AACf,YAAM,OACJ,OAAO,SAAS,MAAM,OAAO,MAAM,OAAO,YAAY,GAAG;AAC3D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,aAAa,OAAO,MAAM;AACjC,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,SAAS;AAAA,QACnC,OAAO,KAAK;AAAA,QACZ,UAAU,KAAK;AAAA,QACf,WAAW,KAAK;AAAA,QAChB,UAAU,KAAK;AAAA,MACjB,CAAC;AAED,UAAI,CAAC,OAAO,cAAc;AACxB,eAAO,EAAE,KAAK,EAAE,0BAA0B,MAAM,MAAM,OAAO,KAAK,CAAC;AAAA,MACrE;AAEA,YAAM,SAAS;AACf,YAAM,OACJ,OAAO,SAAS,MAAM,OAAO,MAAM,OAAO,YAAY,GAAG;AAC3D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AACvC,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,kBAAkB,OAAO,MAAM;AACtC,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,aAAa;AAAA,QACvC,WAAW,KAAK;AAAA,QAChB,MAAM,KAAK;AAAA,MACb,CAAC;AAED,YAAM,EAAE,MAAM,KAAK,IAAI,MAAM,OAAO,MAAM,OAAO,YAAY;AAC7D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AACvC,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,YAAY,OAAO,MAAM;AAChC,QAAI;AACF,YAAM,eAAe,2BAA2B,CAAC;AAEjD,UAAI,CAAC,cAAc;AACjB,yBAAiB,CAAC;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,mBAAmB,GAAG,GAAG;AAAA,MAClD;AAEA,YAAM,SAAS,MAAM,OAAO,QAAQ,YAAY;AAChD,YAAM,EAAE,MAAM,KAAK,IAAI,MAAM,OAAO,MAAM,OAAO,YAAY;AAC7D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,QAAQ;AACN,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF,CAAC;AAED,MAAI,KAAK,WAAW,OAAO,MAAM;AAC/B,QAAI;AACF,YAAM,eAAe,2BAA2B,CAAC;AACjD,UAAI,cAAc;AAChB,cAAM,OAAO,OAAO,YAAY,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAAA,MAClD;AACA,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,IACjC,QAAQ;AACN,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,IACjC;AAAA,EACF,CAAC;AAED,SAAO;AACT;","names":[]}

package/dist/api-routes.d.cts ADDED Viewed

@@ -0,0 +1,7 @@
+import * as hono_types from 'hono/types';
+import { Hono } from 'hono';
+import { InAIAuthConfig } from '@inai-dev/types';
+declare function createAuthRoutes(config?: InAIAuthConfig): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+export { createAuthRoutes };

package/dist/api-routes.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import * as hono_types from 'hono/types';
+import { Hono } from 'hono';
+import { InAIAuthConfig } from '@inai-dev/types';
+declare function createAuthRoutes(config?: InAIAuthConfig): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+export { createAuthRoutes };

package/dist/api-routes.js ADDED Viewed

@@ -0,0 +1,155 @@
+// src/api-routes.ts
+import { Hono } from "hono";
+import { InAIAuthClient } from "@inai-dev/backend";
+// src/helpers.ts
+import { getCookie, setCookie, deleteCookie } from "hono/cookie";
+import {
+  COOKIE_AUTH_TOKEN,
+  COOKIE_REFRESH_TOKEN,
+  COOKIE_AUTH_SESSION,
+  decodeJWTPayload
+} from "@inai-dev/shared";
+function getRefreshTokenFromContext(c) {
+  return getCookie(c, COOKIE_REFRESH_TOKEN) ?? null;
+}
+function setAuthCookies(c, tokens, user) {
+  const isProduction = typeof process !== "undefined" && process.env?.NODE_ENV === "production";
+  const claims = decodeJWTPayload(tokens.access_token);
+  const expiresAt = claims ? new Date(claims.exp * 1e3).toISOString() : new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+  setCookie(c, COOKIE_AUTH_TOKEN, tokens.access_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: tokens.expires_in
+  });
+  setCookie(c, COOKIE_REFRESH_TOKEN, tokens.refresh_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Strict",
+    path: "/api/auth",
+    maxAge: 7 * 24 * 60 * 60
+  });
+  setCookie(
+    c,
+    COOKIE_AUTH_SESSION,
+    JSON.stringify({
+      user,
+      expiresAt,
+      permissions: claims?.permissions ?? [],
+      orgId: claims?.org_id,
+      orgRole: claims?.org_role,
+      appId: claims?.app_id,
+      envId: claims?.env_id
+    }),
+    {
+      httpOnly: false,
+      secure: isProduction,
+      sameSite: "Lax",
+      path: "/",
+      maxAge: tokens.expires_in
+    }
+  );
+}
+function clearAuthCookies(c) {
+  deleteCookie(c, COOKIE_AUTH_TOKEN, { path: "/" });
+  deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: "/api/auth" });
+  deleteCookie(c, COOKIE_AUTH_SESSION, { path: "/" });
+}
+// src/api-routes.ts
+function createAuthRoutes(config = {}) {
+  const app = new Hono();
+  const client = new InAIAuthClient(config);
+  app.post("/login", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.login({
+        email: body.email,
+        password: body.password
+      });
+      if (result.mfa_required) {
+        return c.json({ mfa_required: true, mfa_token: result.mfa_token });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Login failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/register", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.register({
+        email: body.email,
+        password: body.password,
+        firstName: body.firstName,
+        lastName: body.lastName
+      });
+      if (!result.access_token) {
+        return c.json({ needs_email_verification: true, user: result.user });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Registration failed";
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/mfa-challenge", async (c) => {
+    try {
+      const body = await c.req.json();
+      const tokens = await client.mfaChallenge({
+        mfa_token: body.mfa_token,
+        code: body.code
+      });
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "MFA verification failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/refresh", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (!refreshToken) {
+        clearAuthCookies(c);
+        return c.json({ error: "No refresh token" }, 401);
+      }
+      const tokens = await client.refresh(refreshToken);
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ error: "Refresh failed" }, 401);
+    }
+  });
+  app.post("/logout", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (refreshToken) {
+        await client.logout(refreshToken).catch(() => {
+        });
+      }
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    }
+  });
+  return app;
+}
+export {
+  createAuthRoutes
+};
+//# sourceMappingURL=api-routes.js.map

package/dist/api-routes.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/api-routes.ts","../src/helpers.ts"],"sourcesContent":["import { Hono } from \"hono\";\nimport type { InAIAuthConfig, TokenPair, UserResource, LoginResult } from \"@inai-dev/types\";\nimport { InAIAuthClient } from \"@inai-dev/backend\";\nimport {\n setAuthCookies,\n clearAuthCookies,\n getRefreshTokenFromContext,\n} from \"./helpers\";\n\nexport function createAuthRoutes(config: InAIAuthConfig = {}) {\n const app = new Hono();\n const client = new InAIAuthClient(config);\n\n app.post(\"/login\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const result = await client.login({\n email: body.email,\n password: body.password,\n }) as LoginResult & { user?: UserResource };\n\n if (result.mfa_required) {\n return c.json({ mfa_required: true, mfa_token: result.mfa_token });\n }\n\n const tokens = result as unknown as TokenPair;\n const user =\n result.user ?? (await client.getMe(tokens.access_token)).data;\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message = err instanceof Error ? err.message : \"Login failed\";\n return c.json({ error: message }, 401);\n }\n });\n\n app.post(\"/register\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const result = await client.register({\n email: body.email,\n password: body.password,\n firstName: body.firstName,\n lastName: body.lastName,\n });\n\n if (!result.access_token) {\n return c.json({ needs_email_verification: true, user: result.user });\n }\n\n const tokens = result as unknown as TokenPair;\n const user =\n result.user ?? (await client.getMe(tokens.access_token)).data;\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"Registration failed\";\n return c.json({ error: message }, 400);\n }\n });\n\n app.post(\"/mfa-challenge\", async (c) => {\n try {\n const body = await c.req.json<Record<string, string>>();\n const tokens = await client.mfaChallenge({\n mfa_token: body.mfa_token,\n code: body.code,\n });\n\n const { data: user } = await client.getMe(tokens.access_token);\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch (err) {\n const message =\n err instanceof Error ? err.message : \"MFA verification failed\";\n return c.json({ error: message }, 401);\n }\n });\n\n app.post(\"/refresh\", async (c) => {\n try {\n const refreshToken = getRefreshTokenFromContext(c);\n\n if (!refreshToken) {\n clearAuthCookies(c);\n return c.json({ error: \"No refresh token\" }, 401);\n }\n\n const tokens = await client.refresh(refreshToken);\n const { data: user } = await client.getMe(tokens.access_token);\n setAuthCookies(c, tokens, user);\n\n return c.json({ user });\n } catch {\n clearAuthCookies(c);\n return c.json({ error: \"Refresh failed\" }, 401);\n }\n });\n\n app.post(\"/logout\", async (c) => {\n try {\n const refreshToken = getRefreshTokenFromContext(c);\n if (refreshToken) {\n await client.logout(refreshToken).catch(() => {});\n }\n clearAuthCookies(c);\n return c.json({ success: true });\n } catch {\n clearAuthCookies(c);\n return c.json({ success: true });\n }\n });\n\n return app;\n}\n","import type { Context } from \"hono\";\nimport { getCookie, setCookie, deleteCookie } from \"hono/cookie\";\nimport type { AuthObject, TokenPair, UserResource, PlatformUserResource } from \"@inai-dev/types\";\nimport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n decodeJWTPayload,\n} from \"@inai-dev/shared\";\n\nexport function getAuth(c: Context): AuthObject | null {\n return c.get(\"inaiAuth\") ?? null;\n}\n\nexport function getTokenFromContext(c: Context): string | null {\n const authHeader = c.req.header(\"Authorization\");\n if (authHeader?.startsWith(\"Bearer \")) {\n return authHeader.slice(7);\n }\n\n return getCookie(c, COOKIE_AUTH_TOKEN) ?? null;\n}\n\nexport function getRefreshTokenFromContext(c: Context): string | null {\n return getCookie(c, COOKIE_REFRESH_TOKEN) ?? null;\n}\n\nexport function setAuthCookies(\n c: Context,\n tokens: TokenPair,\n user: UserResource | PlatformUserResource,\n): void {\n const isProduction =\n typeof process !== \"undefined\" && process.env?.NODE_ENV === \"production\";\n const claims = decodeJWTPayload(tokens.access_token);\n const expiresAt = claims\n ? new Date(claims.exp * 1000).toISOString()\n : new Date(Date.now() + tokens.expires_in * 1000).toISOString();\n\n setCookie(c, COOKIE_AUTH_TOKEN, tokens.access_token, {\n httpOnly: true,\n secure: isProduction,\n sameSite: \"Lax\",\n path: \"/\",\n maxAge: tokens.expires_in,\n });\n\n setCookie(c, COOKIE_REFRESH_TOKEN, tokens.refresh_token, {\n httpOnly: true,\n secure: isProduction,\n sameSite: \"Strict\",\n path: \"/api/auth\",\n maxAge: 7 * 24 * 60 * 60,\n });\n\n setCookie(\n c,\n COOKIE_AUTH_SESSION,\n JSON.stringify({\n user,\n expiresAt,\n permissions: claims?.permissions ?? [],\n orgId: claims?.org_id,\n orgRole: claims?.org_role,\n appId: claims?.app_id,\n envId: claims?.env_id,\n }),\n {\n httpOnly: false,\n secure: isProduction,\n sameSite: \"Lax\",\n path: \"/\",\n maxAge: tokens.expires_in,\n },\n );\n}\n\nexport function clearAuthCookies(c: Context): void {\n deleteCookie(c, COOKIE_AUTH_TOKEN, { path: \"/\" });\n deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: \"/api/auth\" });\n deleteCookie(c, COOKIE_AUTH_SESSION, { path: \"/\" });\n}\n"],"mappings":";AAAA,SAAS,YAAY;AAErB,SAAS,sBAAsB;;;ACD/B,SAAS,WAAW,WAAW,oBAAoB;AAEnD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAeA,SAAS,2BAA2B,GAA2B;AACpE,SAAO,UAAU,GAAG,oBAAoB,KAAK;AAC/C;AAEO,SAAS,eACd,GACA,QACA,MACM;AACN,QAAM,eACJ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC9D,QAAM,SAAS,iBAAiB,OAAO,YAAY;AACnD,QAAM,YAAY,SACd,IAAI,KAAK,OAAO,MAAM,GAAI,EAAE,YAAY,IACxC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,aAAa,GAAI,EAAE,YAAY;AAEhE,YAAU,GAAG,mBAAmB,OAAO,cAAc;AAAA,IACnD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,OAAO;AAAA,EACjB,CAAC;AAED,YAAU,GAAG,sBAAsB,OAAO,eAAe;AAAA,IACvD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,IAAI,KAAK,KAAK;AAAA,EACxB,CAAC;AAED;AAAA,IACE;AAAA,IACA;AAAA,IACA,KAAK,UAAU;AAAA,MACb;AAAA,MACA;AAAA,MACA,aAAa,QAAQ,eAAe,CAAC;AAAA,MACrC,OAAO,QAAQ;AAAA,MACf,SAAS,QAAQ;AAAA,MACjB,OAAO,QAAQ;AAAA,MACf,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,IACD;AAAA,MACE,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,iBAAiB,GAAkB;AACjD,eAAa,GAAG,mBAAmB,EAAE,MAAM,IAAI,CAAC;AAChD,eAAa,GAAG,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAC3D,eAAa,GAAG,qBAAqB,EAAE,MAAM,IAAI,CAAC;AACpD;;;ADxEO,SAAS,iBAAiB,SAAyB,CAAC,GAAG;AAC5D,QAAM,MAAM,IAAI,KAAK;AACrB,QAAM,SAAS,IAAI,eAAe,MAAM;AAExC,MAAI,KAAK,UAAU,OAAO,MAAM;AAC9B,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,MAAM;AAAA,QAChC,OAAO,KAAK;AAAA,QACZ,UAAU,KAAK;AAAA,MACjB,CAAC;AAED,UAAI,OAAO,cAAc;AACvB,eAAO,EAAE,KAAK,EAAE,cAAc,MAAM,WAAW,OAAO,UAAU,CAAC;AAAA,MACnE;AAEA,YAAM,SAAS;AACf,YAAM,OACJ,OAAO,SAAS,MAAM,OAAO,MAAM,OAAO,YAAY,GAAG;AAC3D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,aAAa,OAAO,MAAM;AACjC,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,SAAS;AAAA,QACnC,OAAO,KAAK;AAAA,QACZ,UAAU,KAAK;AAAA,QACf,WAAW,KAAK;AAAA,QAChB,UAAU,KAAK;AAAA,MACjB,CAAC;AAED,UAAI,CAAC,OAAO,cAAc;AACxB,eAAO,EAAE,KAAK,EAAE,0BAA0B,MAAM,MAAM,OAAO,KAAK,CAAC;AAAA,MACrE;AAEA,YAAM,SAAS;AACf,YAAM,OACJ,OAAO,SAAS,MAAM,OAAO,MAAM,OAAO,YAAY,GAAG;AAC3D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AACvC,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,kBAAkB,OAAO,MAAM;AACtC,QAAI;AACF,YAAM,OAAO,MAAM,EAAE,IAAI,KAA6B;AACtD,YAAM,SAAS,MAAM,OAAO,aAAa;AAAA,QACvC,WAAW,KAAK;AAAA,QAChB,MAAM,KAAK;AAAA,MACb,CAAC;AAED,YAAM,EAAE,MAAM,KAAK,IAAI,MAAM,OAAO,MAAM,OAAO,YAAY;AAC7D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,SAAS,KAAK;AACZ,YAAM,UACJ,eAAe,QAAQ,IAAI,UAAU;AACvC,aAAO,EAAE,KAAK,EAAE,OAAO,QAAQ,GAAG,GAAG;AAAA,IACvC;AAAA,EACF,CAAC;AAED,MAAI,KAAK,YAAY,OAAO,MAAM;AAChC,QAAI;AACF,YAAM,eAAe,2BAA2B,CAAC;AAEjD,UAAI,CAAC,cAAc;AACjB,yBAAiB,CAAC;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,mBAAmB,GAAG,GAAG;AAAA,MAClD;AAEA,YAAM,SAAS,MAAM,OAAO,QAAQ,YAAY;AAChD,YAAM,EAAE,MAAM,KAAK,IAAI,MAAM,OAAO,MAAM,OAAO,YAAY;AAC7D,qBAAe,GAAG,QAAQ,IAAI;AAE9B,aAAO,EAAE,KAAK,EAAE,KAAK,CAAC;AAAA,IACxB,QAAQ;AACN,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF,CAAC;AAED,MAAI,KAAK,WAAW,OAAO,MAAM;AAC/B,QAAI;AACF,YAAM,eAAe,2BAA2B,CAAC;AACjD,UAAI,cAAc;AAChB,cAAM,OAAO,OAAO,YAAY,EAAE,MAAM,MAAM;AAAA,QAAC,CAAC;AAAA,MAClD;AACA,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,IACjC,QAAQ;AACN,uBAAiB,CAAC;AAClB,aAAO,EAAE,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,IACjC;AAAA,EACF,CAAC;AAED,SAAO;AACT;","names":[]}

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,280 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  clearAuthCookies: () => clearAuthCookies,
+  createAuthRoutes: () => createAuthRoutes,
+  getAuth: () => getAuth,
+  getRefreshTokenFromContext: () => getRefreshTokenFromContext,
+  getTokenFromContext: () => getTokenFromContext,
+  inaiAuthMiddleware: () => inaiAuthMiddleware,
+  requireAuth: () => requireAuth,
+  setAuthCookies: () => setAuthCookies
+});
+module.exports = __toCommonJS(src_exports);
+// src/middleware.ts
+var import_backend = require("@inai-dev/backend");
+var import_shared2 = require("@inai-dev/shared");
+// src/helpers.ts
+var import_cookie = require("hono/cookie");
+var import_shared = require("@inai-dev/shared");
+function getAuth(c) {
+  return c.get("inaiAuth") ?? null;
+}
+function getTokenFromContext(c) {
+  const authHeader = c.req.header("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return (0, import_cookie.getCookie)(c, import_shared.COOKIE_AUTH_TOKEN) ?? null;
+}
+function getRefreshTokenFromContext(c) {
+  return (0, import_cookie.getCookie)(c, import_shared.COOKIE_REFRESH_TOKEN) ?? null;
+}
+function setAuthCookies(c, tokens, user) {
+  const isProduction = typeof process !== "undefined" && process.env?.NODE_ENV === "production";
+  const claims = (0, import_shared.decodeJWTPayload)(tokens.access_token);
+  const expiresAt = claims ? new Date(claims.exp * 1e3).toISOString() : new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+  (0, import_cookie.setCookie)(c, import_shared.COOKIE_AUTH_TOKEN, tokens.access_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: tokens.expires_in
+  });
+  (0, import_cookie.setCookie)(c, import_shared.COOKIE_REFRESH_TOKEN, tokens.refresh_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Strict",
+    path: "/api/auth",
+    maxAge: 7 * 24 * 60 * 60
+  });
+  (0, import_cookie.setCookie)(
+    c,
+    import_shared.COOKIE_AUTH_SESSION,
+    JSON.stringify({
+      user,
+      expiresAt,
+      permissions: claims?.permissions ?? [],
+      orgId: claims?.org_id,
+      orgRole: claims?.org_role,
+      appId: claims?.app_id,
+      envId: claims?.env_id
+    }),
+    {
+      httpOnly: false,
+      secure: isProduction,
+      sameSite: "Lax",
+      path: "/",
+      maxAge: tokens.expires_in
+    }
+  );
+}
+function clearAuthCookies(c) {
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_AUTH_TOKEN, { path: "/" });
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_REFRESH_TOKEN, { path: "/api/auth" });
+  (0, import_cookie.deleteCookie)(c, import_shared.COOKIE_AUTH_SESSION, { path: "/" });
+}
+// src/middleware.ts
+function matchesRoute(pathname, patterns) {
+  return patterns.some((pattern) => {
+    if (pattern.endsWith("*")) {
+      return pathname.startsWith(pattern.slice(0, -1));
+    }
+    return pathname === pattern;
+  });
+}
+function isPublicRoute(path, publicRoutes) {
+  if (typeof publicRoutes === "function") return publicRoutes(path);
+  return matchesRoute(path, publicRoutes);
+}
+function inaiAuthMiddleware(config = {}) {
+  const {
+    authMode = "app",
+    publicRoutes = [],
+    onUnauthorized,
+    ...authClientConfig
+  } = config;
+  const client = new import_backend.InAIAuthClient(authClientConfig);
+  const isPlatform = authMode === "platform";
+  const defaultUnauthorized = (c) => c.json({ error: "Unauthorized" }, 401);
+  const handleUnauthorized = onUnauthorized ?? defaultUnauthorized;
+  return async function middleware(c, next) {
+    const path = new URL(c.req.url).pathname;
+    if (isPublicRoute(path, publicRoutes)) {
+      c.set("inaiAuth", null);
+      await next();
+      return;
+    }
+    const token = getTokenFromContext(c);
+    if (!token || (0, import_shared2.isTokenExpired)(token)) {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (refreshToken) {
+        try {
+          const tokens = isPlatform ? await client.platformRefresh(refreshToken) : await client.refresh(refreshToken);
+          const { data: user } = isPlatform ? await client.platformGetMe(tokens.access_token) : await client.getMe(tokens.access_token);
+          setAuthCookies(c, tokens, user);
+          const authObj2 = (0, import_backend.buildAuthObjectFromToken)(tokens.access_token);
+          c.set("inaiAuth", authObj2);
+          await next();
+          return;
+        } catch {
+          clearAuthCookies(c);
+          return handleUnauthorized(c);
+        }
+      }
+      return handleUnauthorized(c);
+    }
+    const authObj = (0, import_backend.buildAuthObjectFromToken)(token);
+    if (!authObj) {
+      return handleUnauthorized(c);
+    }
+    c.set("inaiAuth", authObj);
+    await next();
+  };
+}
+function requireAuth(config = {}) {
+  return async function middleware(c, next) {
+    const auth = getAuth(c);
+    if (!auth?.userId) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (config.role || config.permission) {
+      const hasAccess = auth.has({
+        role: config.role,
+        permission: config.permission
+      });
+      if (!hasAccess) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+    }
+    await next();
+  };
+}
+// src/api-routes.ts
+var import_hono = require("hono");
+var import_backend2 = require("@inai-dev/backend");
+function createAuthRoutes(config = {}) {
+  const app = new import_hono.Hono();
+  const client = new import_backend2.InAIAuthClient(config);
+  app.post("/login", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.login({
+        email: body.email,
+        password: body.password
+      });
+      if (result.mfa_required) {
+        return c.json({ mfa_required: true, mfa_token: result.mfa_token });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Login failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/register", async (c) => {
+    try {
+      const body = await c.req.json();
+      const result = await client.register({
+        email: body.email,
+        password: body.password,
+        firstName: body.firstName,
+        lastName: body.lastName
+      });
+      if (!result.access_token) {
+        return c.json({ needs_email_verification: true, user: result.user });
+      }
+      const tokens = result;
+      const user = result.user ?? (await client.getMe(tokens.access_token)).data;
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Registration failed";
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/mfa-challenge", async (c) => {
+    try {
+      const body = await c.req.json();
+      const tokens = await client.mfaChallenge({
+        mfa_token: body.mfa_token,
+        code: body.code
+      });
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "MFA verification failed";
+      return c.json({ error: message }, 401);
+    }
+  });
+  app.post("/refresh", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (!refreshToken) {
+        clearAuthCookies(c);
+        return c.json({ error: "No refresh token" }, 401);
+      }
+      const tokens = await client.refresh(refreshToken);
+      const { data: user } = await client.getMe(tokens.access_token);
+      setAuthCookies(c, tokens, user);
+      return c.json({ user });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ error: "Refresh failed" }, 401);
+    }
+  });
+  app.post("/logout", async (c) => {
+    try {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (refreshToken) {
+        await client.logout(refreshToken).catch(() => {
+        });
+      }
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    } catch {
+      clearAuthCookies(c);
+      return c.json({ success: true });
+    }
+  });
+  return app;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  clearAuthCookies,
+  createAuthRoutes,
+  getAuth,
+  getRefreshTokenFromContext,
+  getTokenFromContext,
+  inaiAuthMiddleware,
+  requireAuth,
+  setAuthCookies
+});
+//# sourceMappingURL=index.cjs.map