@kingironman2011/better-auth-bsky 0.2.0

package/dist/server-DS4UMolW.js

@@ -0,0 +1,951 @@
+import { OAuthCallbackError, OAuthClient, buildPublicClientMetadata } from "@atcute/oauth-node-client";
+import { CompositeDidDocumentResolver, CompositeHandleResolver, DohJsonHandleResolver, LocalActorResolver, PlcDidDocumentResolver, WebDidDocumentResolver, WellKnownHandleResolver } from "@atcute/identity-resolver";
+import { Client } from "@atcute/client";
+import { APIError, createAuthEndpoint } from "better-auth/api";
+import { setSessionCookie } from "better-auth/cookies";
+import { isDid } from "@atcute/lexicons/syntax";
+const DEFAULT_CONFIG = {
+	lang: void 0,
+	message: void 0,
+	abortEarly: void 0,
+	abortPipeEarly: void 0
+};
+/**
+* Returns the global configuration.
+*
+* @param config The config to merge.
+*
+* @returns The configuration.
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function getGlobalConfig(config$1) {
+	if (!config$1 && true) return DEFAULT_CONFIG;
+	return {
+		lang: config$1?.lang ?? void 0,
+		message: config$1?.message,
+		abortEarly: config$1?.abortEarly ?? void 0,
+		abortPipeEarly: config$1?.abortPipeEarly ?? void 0
+	};
+}
+/**
+* Stringifies an unknown input to a literal or type string.
+*
+* @param input The unknown input.
+*
+* @returns A literal or type string.
+*
+* @internal
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function _stringify(input) {
+	const type = typeof input;
+	if (type === "string") return `"${input}"`;
+	if (type === "number" || type === "bigint" || type === "boolean") return `${input}`;
+	if (type === "object" || type === "function") return (input && Object.getPrototypeOf(input)?.constructor?.name) ?? "null";
+	return type;
+}
+/**
+* Adds an issue to the dataset.
+*
+* @param context The issue context.
+* @param label The issue label.
+* @param dataset The input dataset.
+* @param config The configuration.
+* @param other The optional props.
+*
+* @internal
+*/
+function _addIssue(context, label, dataset, config$1, other) {
+	const input = other && "input" in other ? other.input : dataset.value;
+	const expected = other?.expected ?? context.expects ?? null;
+	const received = other?.received ?? /* @__PURE__ */ _stringify(input);
+	const issue = {
+		kind: context.kind,
+		type: context.type,
+		input,
+		expected,
+		received,
+		message: `Invalid ${label}: ${expected ? `Expected ${expected} but r` : "R"}eceived ${received}`,
+		requirement: context.requirement,
+		path: other?.path,
+		issues: other?.issues,
+		lang: config$1.lang,
+		abortEarly: config$1.abortEarly,
+		abortPipeEarly: config$1.abortPipeEarly
+	};
+	const isSchema = context.kind === "schema";
+	const message$1 = other?.message ?? context.message ?? (context.reference, issue.lang, void 0) ?? (isSchema ? (issue.lang, void 0) : null) ?? config$1.message ?? (issue.lang, void 0);
+	if (message$1 !== void 0) issue.message = typeof message$1 === "function" ? message$1(issue) : message$1;
+	if (isSchema) dataset.typed = false;
+	if (dataset.issues) dataset.issues.push(issue);
+	else dataset.issues = [issue];
+}
+const _standardCache = /* @__PURE__ */ new WeakMap();
+/**
+* Returns the Standard Schema properties.
+*
+* @param context The schema context.
+*
+* @returns The Standard Schema properties.
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function _getStandardProps(context) {
+	let cached = _standardCache.get(context);
+	if (!cached) {
+		cached = {
+			version: 1,
+			vendor: "valibot",
+			validate(value$1) {
+				return context["~run"]({ value: value$1 }, /* @__PURE__ */ getGlobalConfig());
+			}
+		};
+		_standardCache.set(context, cached);
+	}
+	return cached;
+}
+/**
+* Creates a description metadata action.
+*
+* @param description_ The description text.
+*
+* @returns A description action.
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function description(description_) {
+	return {
+		kind: "metadata",
+		type: "description",
+		reference: description,
+		description: description_
+	};
+}
+/**
+* Returns the fallback value of the schema.
+*
+* @param schema The schema to get it from.
+* @param dataset The output dataset if available.
+* @param config The config if available.
+*
+* @returns The fallback value.
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function getFallback(schema, dataset, config$1) {
+	return typeof schema.fallback === "function" ? schema.fallback(dataset, config$1) : schema.fallback;
+}
+/**
+* Returns the default value of the schema.
+*
+* @param schema The schema to get it from.
+* @param dataset The input dataset if available.
+* @param config The config if available.
+*
+* @returns The default value.
+*/
+/* @__NO_SIDE_EFFECTS__ */
+function getDefault(schema, dataset, config$1) {
+	return typeof schema.default === "function" ? schema.default(dataset, config$1) : schema.default;
+}
+/* @__NO_SIDE_EFFECTS__ */
+function object(entries$1, message$1) {
+	return {
+		kind: "schema",
+		type: "object",
+		reference: object,
+		expects: "Object",
+		async: false,
+		entries: entries$1,
+		message: message$1,
+		get "~standard"() {
+			return /* @__PURE__ */ _getStandardProps(this);
+		},
+		"~run"(dataset, config$1) {
+			const input = dataset.value;
+			if (input && typeof input === "object") {
+				dataset.typed = true;
+				dataset.value = {};
+				for (const key in this.entries) {
+					const valueSchema = this.entries[key];
+					if (key in input || (valueSchema.type === "exact_optional" || valueSchema.type === "optional" || valueSchema.type === "nullish") && valueSchema.default !== void 0) {
+						const value$1 = key in input ? input[key] : /* @__PURE__ */ getDefault(valueSchema);
+						const valueDataset = valueSchema["~run"]({ value: value$1 }, config$1);
+						if (valueDataset.issues) {
+							const pathItem = {
+								type: "object",
+								origin: "value",
+								input,
+								key,
+								value: value$1
+							};
+							for (const issue of valueDataset.issues) {
+								if (issue.path) issue.path.unshift(pathItem);
+								else issue.path = [pathItem];
+								dataset.issues?.push(issue);
+							}
+							if (!dataset.issues) dataset.issues = valueDataset.issues;
+							if (config$1.abortEarly) {
+								dataset.typed = false;
+								break;
+							}
+						}
+						if (!valueDataset.typed) dataset.typed = false;
+						dataset.value[key] = valueDataset.value;
+					} else if (valueSchema.fallback !== void 0) dataset.value[key] = /* @__PURE__ */ getFallback(valueSchema);
+					else if (valueSchema.type !== "exact_optional" && valueSchema.type !== "optional" && valueSchema.type !== "nullish") {
+						_addIssue(this, "key", dataset, config$1, {
+							input: void 0,
+							expected: `"${key}"`,
+							path: [{
+								type: "object",
+								origin: "key",
+								input,
+								key,
+								value: input[key]
+							}]
+						});
+						if (config$1.abortEarly) break;
+					}
+				}
+			} else _addIssue(this, "type", dataset, config$1);
+			return dataset;
+		}
+	};
+}
+/* @__NO_SIDE_EFFECTS__ */
+function optional(wrapped, default_) {
+	return {
+		kind: "schema",
+		type: "optional",
+		reference: optional,
+		expects: `(${wrapped.expects} | undefined)`,
+		async: false,
+		wrapped,
+		default: default_,
+		get "~standard"() {
+			return /* @__PURE__ */ _getStandardProps(this);
+		},
+		"~run"(dataset, config$1) {
+			if (dataset.value === void 0) {
+				if (this.default !== void 0) dataset.value = /* @__PURE__ */ getDefault(this, dataset, config$1);
+				if (dataset.value === void 0) {
+					dataset.typed = true;
+					return dataset;
+				}
+			}
+			return this.wrapped["~run"](dataset, config$1);
+		}
+	};
+}
+/* @__NO_SIDE_EFFECTS__ */
+function string(message$1) {
+	return {
+		kind: "schema",
+		type: "string",
+		reference: string,
+		expects: "string",
+		async: false,
+		message: message$1,
+		get "~standard"() {
+			return /* @__PURE__ */ _getStandardProps(this);
+		},
+		"~run"(dataset, config$1) {
+			if (typeof dataset.value === "string") dataset.typed = true;
+			else _addIssue(this, "type", dataset, config$1);
+			return dataset;
+		}
+	};
+}
+/* @__NO_SIDE_EFFECTS__ */
+function pipe(...pipe$1) {
+	return {
+		...pipe$1[0],
+		pipe: pipe$1,
+		get "~standard"() {
+			return /* @__PURE__ */ _getStandardProps(this);
+		},
+		"~run"(dataset, config$1) {
+			for (const item of pipe$1) if (item.kind !== "metadata") {
+				if (dataset.issues && (item.kind === "schema" || item.kind === "transformation")) {
+					dataset.typed = false;
+					break;
+				}
+				if (!dataset.issues || !config$1.abortEarly && !config$1.abortPipeEarly) dataset = item["~run"](dataset, config$1);
+			}
+			return dataset;
+		}
+	};
+}
+//#endregion
+//#region src/types.ts
+/** Database schema field definitions for better-auth plugin schema. */
+const atprotoSchema = {
+	user: { fields: {
+		atprotoDid: {
+			type: "string",
+			unique: true,
+			required: false,
+			returned: true,
+			input: false
+		},
+		atprotoHandle: {
+			type: "string",
+			required: false,
+			returned: true,
+			input: false
+		}
+	} },
+	atprotoSession: { fields: {
+		did: {
+			type: "string",
+			unique: true,
+			required: true
+		},
+		sessionData: {
+			type: "string",
+			required: true
+		},
+		userId: {
+			type: "string",
+			required: true,
+			references: {
+				model: "user",
+				field: "id",
+				onDelete: "cascade"
+			}
+		},
+		handle: {
+			type: "string",
+			required: true
+		},
+		pdsUrl: {
+			type: "string",
+			required: true
+		},
+		updatedAt: {
+			type: "date",
+			required: true
+		}
+	} },
+	atprotoState: { fields: {
+		stateKey: {
+			type: "string",
+			unique: true,
+			required: true
+		},
+		stateData: {
+			type: "string",
+			required: true
+		},
+		expiresAt: {
+			type: "number",
+			required: true
+		}
+	} }
+};
+//#endregion
+//#region src/stores.ts
+/** Database-backed session store for @atcute/oauth-node-client. */
+var DbSessionStore = class {
+	adapter;
+	constructor(adapter) {
+		this.adapter = adapter;
+	}
+	async get(did) {
+		const row = await this.adapter.findOne({
+			model: "atprotoSession",
+			where: [{
+				field: "did",
+				value: did
+			}]
+		});
+		if (!row) return void 0;
+		return JSON.parse(row.sessionData);
+	}
+	async set(did, session) {
+		const data = JSON.stringify(session);
+		if (await this.adapter.findOne({
+			model: "atprotoSession",
+			where: [{
+				field: "did",
+				value: did
+			}]
+		})) await this.adapter.update({
+			model: "atprotoSession",
+			where: [{
+				field: "did",
+				value: did
+			}],
+			update: {
+				sessionData: data,
+				updatedAt: /* @__PURE__ */ new Date()
+			}
+		});
+		else await this.adapter.create({
+			model: "atprotoSession",
+			data: {
+				did,
+				sessionData: data,
+				userId: "",
+				handle: "",
+				pdsUrl: "",
+				updatedAt: /* @__PURE__ */ new Date()
+			}
+		});
+	}
+	async delete(did) {
+		await this.adapter.delete({
+			model: "atprotoSession",
+			where: [{
+				field: "did",
+				value: did
+			}]
+		});
+	}
+	async clear() {
+		await this.adapter.deleteMany({
+			model: "atprotoSession",
+			where: [{
+				field: "did",
+				value: {
+					operator: "ne",
+					value: ""
+				}
+			}]
+		});
+	}
+};
+/** Database-backed state store for @atcute/oauth-node-client. */
+var DbStateStore = class {
+	adapter;
+	constructor(adapter) {
+		this.adapter = adapter;
+	}
+	async get(stateKey) {
+		const row = await this.adapter.findOne({
+			model: "atprotoState",
+			where: [{
+				field: "stateKey",
+				value: stateKey
+			}]
+		});
+		if (!row) return void 0;
+		if (row.expiresAt < Date.now()) {
+			await this.delete(stateKey);
+			return;
+		}
+		return JSON.parse(row.stateData);
+	}
+	async set(stateKey, state) {
+		const data = JSON.stringify(state);
+		await this.adapter.create({
+			model: "atprotoState",
+			data: {
+				stateKey,
+				stateData: data,
+				expiresAt: state.expiresAt
+			}
+		});
+	}
+	async delete(stateKey) {
+		await this.adapter.delete({
+			model: "atprotoState",
+			where: [{
+				field: "stateKey",
+				value: stateKey
+			}]
+		});
+	}
+	async clear() {
+		await this.adapter.deleteMany({
+			model: "atprotoState",
+			where: [{
+				field: "stateKey",
+				value: {
+					operator: "ne",
+					value: ""
+				}
+			}]
+		});
+	}
+};
+//#endregion
+//#region src/server.ts
+/** Safely extract a string field from an unknown record. */
+function getString(data, key) {
+	const val = data[key];
+	return typeof val === "string" ? val : void 0;
+}
+/** Parse a JSON response body into a plain record. */
+async function parseJsonResponse(resp) {
+	const body = await resp.json();
+	if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
+	return {};
+}
+/** Convert a string to a Did, validating at runtime. Returns undefined if invalid. */
+function toDid(value) {
+	return isDid(value) ? value : void 0;
+}
+function isLoopbackUrl(url) {
+	try {
+		const { hostname } = new URL(url);
+		return hostname === "localhost" || hostname === "127.0.0.1";
+	} catch {
+		return false;
+	}
+}
+/** Normalize scope option to a single space-joined string. Always includes "atproto" as the base. */
+function normalizeScope(scope) {
+	if (!scope) return "atproto";
+	const parts = (Array.isArray(scope) ? scope.join(" ") : scope).split(/\s+/).filter(Boolean);
+	if (!parts.includes("atproto")) parts.unshift("atproto");
+	return parts.join(" ");
+}
+function buildMetadata(baseURL, options) {
+	const isLoopback = isLoopbackUrl(baseURL);
+	const callbackPath = options.callbackPath ?? "/atproto/callback";
+	const scope = normalizeScope(options.scope);
+	const isConfidential = !!options.keyset?.length;
+	const redirectUri = isLoopback ? `http://127.0.0.1:${new URL(baseURL).port}${new URL(baseURL).pathname}${callbackPath}` : `${baseURL}${callbackPath}`;
+	if (isLoopback) {
+		if (isConfidential) console.warn("[atproto] keyset provided but baseURL is loopback — falling back to public client mode. Use an HTTPS baseURL for confidential client support.");
+		return {
+			redirect_uris: [redirectUri],
+			scope
+		};
+	}
+	if (isConfidential) return {
+		client_id: `${baseURL}${options.clientMetadataPath ?? "/oauth-client-metadata.json"}`,
+		client_name: options.clientName,
+		client_uri: options.clientUri,
+		logo_uri: options.logoUri,
+		tos_uri: options.tosUri,
+		policy_uri: options.policyUri,
+		redirect_uris: [redirectUri],
+		scope,
+		grant_types: ["authorization_code", "refresh_token"],
+		response_types: ["code"],
+		application_type: "web",
+		token_endpoint_auth_method: "private_key_jwt",
+		dpop_bound_access_tokens: true,
+		jwks_uri: `${baseURL}${options.jwksPath ?? "/.well-known/jwks.json"}`
+	};
+	return buildPublicClientMetadata({
+		client_id: `${baseURL}${options.clientMetadataPath ?? "/oauth-client-metadata.json"}`,
+		client_name: options.clientName,
+		client_uri: options.clientUri,
+		logo_uri: options.logoUri,
+		tos_uri: options.tosUri,
+		policy_uri: options.policyUri,
+		redirect_uris: [redirectUri],
+		scope
+	});
+}
+function createActorResolver() {
+	return new LocalActorResolver({
+		handleResolver: new CompositeHandleResolver({ methods: {
+			dns: new DohJsonHandleResolver({ dohUrl: "https://cloudflare-dns.com/dns-query" }),
+			http: new WellKnownHandleResolver()
+		} }),
+		didDocumentResolver: new CompositeDidDocumentResolver({ methods: {
+			plc: new PlcDidDocumentResolver(),
+			web: new WebDidDocumentResolver()
+		} })
+	});
+}
+/**
+* Fetch an ATProto profile using the Bluesky public API.
+* This is a fallback when an authenticated session is not available.
+*/
+async function fetchAtprotoProfilePublic(did) {
+	try {
+		const url = `https://public.api.bsky.app/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`;
+		const resp = await fetch(url);
+		if (!resp.ok) return null;
+		const data = await parseJsonResponse(resp);
+		return {
+			did: getString(data, "did") ?? did,
+			handle: getString(data, "handle") ?? did,
+			displayName: getString(data, "displayName"),
+			avatar: getString(data, "avatar"),
+			banner: getString(data, "banner"),
+			description: getString(data, "description")
+		};
+	} catch {
+		return null;
+	}
+}
+/**
+* Fetch an ATProto profile using an authenticated XRPC client.
+* Falls back to the public API if the authenticated call fails.
+*/
+async function fetchAtprotoProfile(oauthClient, did) {
+	try {
+		const validDid = toDid(did);
+		if (!validDid) throw new Error(`Invalid DID: ${did}`);
+		const resp = await (await oauthClient.restore(validDid)).handle(`/xrpc/app.bsky.actor.getProfile?actor=${encodeURIComponent(did)}`);
+		if (!resp.ok) throw new Error(`Profile fetch failed: ${resp.status}`);
+		const profile = await parseJsonResponse(resp);
+		return {
+			did: getString(profile, "did") ?? did,
+			handle: getString(profile, "handle") ?? did,
+			displayName: getString(profile, "displayName"),
+			avatar: getString(profile, "avatar"),
+			banner: getString(profile, "banner"),
+			description: getString(profile, "description")
+		};
+	} catch {}
+	const publicProfile = await fetchAtprotoProfilePublic(did);
+	if (publicProfile) return publicProfile;
+	return {
+		did,
+		handle: did
+	};
+}
+/**
+* Generate a deterministic placeholder email for an ATProto DID.
+* ATProto doesn't expose user emails, but better-auth requires one.
+* Uses the RFC 2606 reserved `.invalid` TLD.
+*/
+function atprotoPlaceholderEmail(did) {
+	return `${did.replaceAll(":", "_")}@atproto.invalid`;
+}
+const ATPROTO_ERROR_CODES = {
+	INVALID_HANDLE: {
+		code: "INVALID_HANDLE",
+		message: "Invalid ATProto handle or DID"
+	},
+	AUTHORIZATION_FAILED: {
+		code: "AUTHORIZATION_FAILED",
+		message: "Failed to start ATProto authorization"
+	},
+	CALLBACK_FAILED: {
+		code: "CALLBACK_FAILED",
+		message: "ATProto OAuth callback failed"
+	},
+	SESSION_NOT_FOUND: {
+		code: "SESSION_NOT_FOUND",
+		message: "No ATProto session found for the current user"
+	},
+	SIGNUP_DISABLED: {
+		code: "SIGNUP_DISABLED",
+		message: "New user registration via ATProto is disabled"
+	},
+	ACCOUNT_LINKING_DISABLED: {
+		code: "ACCOUNT_LINKING_DISABLED",
+		message: "Account linking is not enabled"
+	}
+};
+/**
+* ATProto OAuth plugin for better-auth.
+*
+* Integrates ATProto OAuth 2.1 (DPoP + PAR + PKCE) via @atcute/oauth-node-client.
+* Supports both confidential (with keyset) and public client modes.
+*/
+const atproto = (options) => {
+	let oauthClient;
+	const signInPath = options.signInPath ?? "/sign-in/atproto";
+	const callbackPath = options.callbackPath ?? "/atproto/callback";
+	return {
+		id: "atproto",
+		schema: atprotoSchema,
+		rateLimit: [{
+			pathMatcher: (path) => path === signInPath,
+			window: 60,
+			max: 5
+		}, {
+			pathMatcher: (path) => path === callbackPath,
+			window: 60,
+			max: 10
+		}],
+		init(ctx) {
+			const baseURL = ctx.baseURL;
+			const adapter = ctx.adapter;
+			const sessionStore = new DbSessionStore(adapter);
+			const stateStore = new DbStateStore(adapter);
+			const metadata = buildMetadata(baseURL, options);
+			const actorResolver = createActorResolver();
+			if (!!options.keyset?.length && !isLoopbackUrl(baseURL)) oauthClient = new OAuthClient({
+				metadata,
+				keyset: options.keyset,
+				actorResolver,
+				stores: {
+					sessions: sessionStore,
+					states: stateStore
+				}
+			});
+			else oauthClient = new OAuthClient({
+				metadata,
+				actorResolver,
+				stores: {
+					sessions: sessionStore,
+					states: stateStore
+				}
+			});
+		},
+		endpoints: {
+			atprotoClientMetadata: createAuthEndpoint(options.clientMetadataPath ?? "/oauth-client-metadata.json", { method: "GET" }, async (ctx) => {
+				return ctx.json(oauthClient.metadata);
+			}),
+			atprotoJwks: createAuthEndpoint(options.jwksPath ?? "/.well-known/jwks.json", { method: "GET" }, async (ctx) => {
+				const jwks = oauthClient.jwks;
+				if (!jwks) throw APIError.fromStatus("NOT_FOUND", { message: "JWKS not available (public client mode)" });
+				return ctx.json(jwks);
+			}),
+			signInAtproto: createAuthEndpoint(signInPath, {
+				method: "POST",
+				body: /* @__PURE__ */ object({
+					handle: /* @__PURE__ */ pipe(/* @__PURE__ */ string(), /* @__PURE__ */ description("ATProto handle (e.g. user.bsky.social) or DID")),
+					callbackURL: /* @__PURE__ */ optional(/* @__PURE__ */ pipe(/* @__PURE__ */ string(), /* @__PURE__ */ description("URL to redirect to after sign-in")))
+				})
+			}, async (ctx) => {
+				const { handle, callbackURL } = ctx.body;
+				if (!handle || handle.length < 3) throw APIError.from("BAD_REQUEST", ATPROTO_ERROR_CODES.INVALID_HANDLE);
+				try {
+					const identifier = handle;
+					const result = await oauthClient.authorize({
+						target: {
+							type: "account",
+							identifier
+						},
+						state: callbackURL ? JSON.stringify({ callbackURL }) : void 0
+					});
+					return ctx.json({
+						url: result.url.toString(),
+						redirect: true
+					});
+				} catch (e) {
+					console.error("[atproto] authorize failed:", e);
+					throw APIError.from("INTERNAL_SERVER_ERROR", ATPROTO_ERROR_CODES.AUTHORIZATION_FAILED);
+				}
+			}),
+			atprotoCallback: createAuthEndpoint(callbackPath, {
+				method: "GET",
+				query: /* @__PURE__ */ object({
+					code: /* @__PURE__ */ optional(/* @__PURE__ */ string()),
+					state: /* @__PURE__ */ optional(/* @__PURE__ */ string()),
+					iss: /* @__PURE__ */ optional(/* @__PURE__ */ string()),
+					error: /* @__PURE__ */ optional(/* @__PURE__ */ string()),
+					error_description: /* @__PURE__ */ optional(/* @__PURE__ */ string())
+				})
+			}, async (ctx) => {
+				if (ctx.query.error) {
+					const errorUrl = `${ctx.context.baseURL}/error?error=${ctx.query.error}`;
+					throw ctx.redirect(errorUrl);
+				}
+				try {
+					const params = new URLSearchParams();
+					if (ctx.query.code) params.set("code", ctx.query.code);
+					if (ctx.query.state) params.set("state", ctx.query.state);
+					if (ctx.query.iss) params.set("iss", ctx.query.iss);
+					const { session: oauthSession, state: userState } = await oauthClient.callback(params);
+					const did = oauthSession.did;
+					const pdsUrl = (await oauthSession.getTokenInfo(false)).aud;
+					const profile = await fetchAtprotoProfile(oauthClient, did);
+					const mappedFields = options.mapProfileToUser ? options.mapProfileToUser(profile) : {
+						name: profile.displayName || profile.handle,
+						image: profile.avatar
+					};
+					const email = mappedFields.email || atprotoPlaceholderEmail(did);
+					const existingAccount = await ctx.context.internalAdapter.findAccountByProviderId(did, "atproto");
+					let userId;
+					if (existingAccount) {
+						userId = existingAccount.userId;
+						await ctx.context.internalAdapter.updateUser(userId, {
+							name: mappedFields.name,
+							image: mappedFields.image,
+							atprotoDid: did,
+							atprotoHandle: profile.handle
+						});
+					} else {
+						const { getSessionFromCtx } = await import("better-auth/api");
+						const currentSession = await getSessionFromCtx(ctx).catch(() => null);
+						if (currentSession) {
+							if (!(ctx.context.options.account?.accountLinking?.enabled !== false)) throw APIError.from("FORBIDDEN", ATPROTO_ERROR_CODES.ACCOUNT_LINKING_DISABLED);
+							await ctx.context.internalAdapter.linkAccount({
+								userId: currentSession.user.id,
+								providerId: "atproto",
+								accountId: did,
+								accessToken: "atproto-session",
+								refreshToken: "atproto-session",
+								scope: normalizeScope(options.scope)
+							});
+							userId = currentSession.user.id;
+							await ctx.context.internalAdapter.updateUser(userId, {
+								atprotoDid: did,
+								atprotoHandle: profile.handle,
+								...mappedFields.image ? { image: mappedFields.image } : {}
+							});
+						} else {
+							if (options.disableSignUp) throw APIError.from("FORBIDDEN", ATPROTO_ERROR_CODES.SIGNUP_DISABLED);
+							const newUser = await ctx.context.internalAdapter.createUser({
+								name: mappedFields.name || profile.handle,
+								email,
+								emailVerified: false,
+								image: mappedFields.image || null,
+								atprotoDid: did,
+								atprotoHandle: profile.handle,
+								createdAt: /* @__PURE__ */ new Date(),
+								updatedAt: /* @__PURE__ */ new Date()
+							});
+							await ctx.context.internalAdapter.createAccount({
+								userId: newUser.id,
+								providerId: "atproto",
+								accountId: did,
+								accessToken: "atproto-session",
+								refreshToken: "atproto-session",
+								scope: normalizeScope(options.scope)
+							});
+							userId = newUser.id;
+						}
+					}
+					if (await ctx.context.adapter.findOne({
+						model: "atprotoSession",
+						where: [{
+							field: "did",
+							value: did
+						}]
+					})) await ctx.context.adapter.update({
+						model: "atprotoSession",
+						where: [{
+							field: "did",
+							value: did
+						}],
+						update: {
+							userId,
+							handle: profile.handle,
+							pdsUrl,
+							updatedAt: /* @__PURE__ */ new Date()
+						}
+					});
+					else await ctx.context.adapter.create({
+						model: "atprotoSession",
+						data: {
+							did,
+							sessionData: "{}",
+							userId,
+							handle: profile.handle,
+							pdsUrl,
+							updatedAt: /* @__PURE__ */ new Date()
+						}
+					});
+					const foundUser = await ctx.context.internalAdapter.findUserById(userId);
+					if (!foundUser) throw APIError.from("INTERNAL_SERVER_ERROR", ATPROTO_ERROR_CODES.CALLBACK_FAILED);
+					await setSessionCookie(ctx, {
+						session: await ctx.context.internalAdapter.createSession(userId),
+						user: foundUser
+					});
+					let callbackURL = "/";
+					if (userState) try {
+						const parsed = typeof userState === "string" ? JSON.parse(userState) : userState;
+						if (parsed.callbackURL && typeof parsed.callbackURL === "string") callbackURL = parsed.callbackURL;
+					} catch {}
+					if (!callbackURL.startsWith("/") || callbackURL.startsWith("//")) callbackURL = "/";
+					throw ctx.redirect(callbackURL);
+				} catch (e) {
+					if (e && typeof e === "object" && ("statusCode" in e || "status" in e)) throw e;
+					if (e instanceof OAuthCallbackError) {
+						const errorUrl = `${ctx.context.baseURL}/error?error=${e.error}`;
+						throw ctx.redirect(errorUrl);
+					}
+					throw APIError.from("INTERNAL_SERVER_ERROR", ATPROTO_ERROR_CODES.CALLBACK_FAILED);
+				}
+			}),
+			atprotoGetSession: createAuthEndpoint("/atproto/session", { method: "GET" }, async (ctx) => {
+				const { getSessionFromCtx } = await import("better-auth/api");
+				const currentSession = await getSessionFromCtx(ctx);
+				if (!currentSession) throw APIError.fromStatus("UNAUTHORIZED", { message: "Not authenticated" });
+				const atprotoSession = await ctx.context.adapter.findOne({
+					model: "atprotoSession",
+					where: [{
+						field: "userId",
+						value: currentSession.user.id
+					}]
+				});
+				if (!atprotoSession) throw APIError.from("NOT_FOUND", ATPROTO_ERROR_CODES.SESSION_NOT_FOUND);
+				const user = currentSession.user;
+				return ctx.json({
+					did: atprotoSession.did,
+					handle: atprotoSession.handle,
+					pdsUrl: atprotoSession.pdsUrl,
+					atprotoDid: getString(user, "atprotoDid") ?? null,
+					atprotoHandle: getString(user, "atprotoHandle") ?? null
+				});
+			}),
+			atprotoRestore: createAuthEndpoint("/atproto/restore", { method: "POST" }, async (ctx) => {
+				const { getSessionFromCtx } = await import("better-auth/api");
+				const currentSession = await getSessionFromCtx(ctx);
+				if (!currentSession) throw APIError.fromStatus("UNAUTHORIZED", { message: "Not authenticated" });
+				const atprotoSession = await ctx.context.adapter.findOne({
+					model: "atprotoSession",
+					where: [{
+						field: "userId",
+						value: currentSession.user.id
+					}]
+				});
+				if (!atprotoSession) return ctx.json({ active: false });
+				try {
+					const validDid = toDid(atprotoSession.did);
+					if (!validDid) return ctx.json({ active: false });
+					await oauthClient.restore(validDid);
+					return ctx.json({
+						active: true,
+						did: atprotoSession.did,
+						handle: atprotoSession.handle
+					});
+				} catch {
+					return ctx.json({ active: false });
+				}
+			}),
+			atprotoSignOut: createAuthEndpoint("/atproto/sign-out", { method: "POST" }, async (ctx) => {
+				const { getSessionFromCtx } = await import("better-auth/api");
+				const currentSession = await getSessionFromCtx(ctx);
+				if (!currentSession) throw APIError.fromStatus("UNAUTHORIZED", { message: "Not authenticated" });
+				const atprotoSession = await ctx.context.adapter.findOne({
+					model: "atprotoSession",
+					where: [{
+						field: "userId",
+						value: currentSession.user.id
+					}]
+				});
+				if (atprotoSession) try {
+					const validDid = toDid(atprotoSession.did);
+					if (validDid) await oauthClient.revoke(validDid);
+				} catch {}
+				return ctx.json({ success: true });
+			}),
+			getAtprotoClient: createAuthEndpoint({
+				method: "POST",
+				body: /* @__PURE__ */ object({
+					did: /* @__PURE__ */ optional(/* @__PURE__ */ string()),
+					userId: /* @__PURE__ */ optional(/* @__PURE__ */ string())
+				}),
+				metadata: { SERVER_ONLY: true }
+			}, async (ctx) => {
+				const { did: inputDid, userId } = ctx.body;
+				let did = inputDid;
+				if (!did && userId) {
+					const atprotoSession = await ctx.context.adapter.findOne({
+						model: "atprotoSession",
+						where: [{
+							field: "userId",
+							value: userId
+						}]
+					});
+					if (atprotoSession) did = atprotoSession.did;
+				}
+				if (!did) throw APIError.from("BAD_REQUEST", ATPROTO_ERROR_CODES.SESSION_NOT_FOUND);
+				const validDid = toDid(did);
+				if (!validDid) throw APIError.from("BAD_REQUEST", ATPROTO_ERROR_CODES.INVALID_HANDLE);
+				const oauthSession = await oauthClient.restore(validDid);
+				return {
+					client: new Client({ handler: oauthSession }),
+					session: oauthSession
+				};
+			})
+		},
+		$ERROR_CODES: ATPROTO_ERROR_CODES
+	};
+};
+//#endregion
+export { DbStateStore as a, DbSessionStore as i, atprotoPlaceholderEmail as n, atprotoSchema as o, fetchAtprotoProfilePublic as r, atproto as t };
+
+//# sourceMappingURL=server-DS4UMolW.js.map