@mars-stack/core 0.4.0

package/dist/auth/verification.d.ts

@@ -0,0 +1,54 @@
+import 'server-only';
+export type VerifyEmailTokenResult = {
+    ok: true;
+    status: 'verified' | 'already_verified';
+    email: string;
+} | {
+    ok: false;
+    error: 'invalid_or_expired' | 'email_mismatch' | 'user_not_found';
+};
+export interface VerificationTokenRecord {
+    identifier: string;
+    token: string;
+    expires: Date;
+}
+export interface EmailVerificationTokenStore {
+    findUnique(args: {
+        where: {
+            token: string;
+        };
+    }): Promise<VerificationTokenRecord | null>;
+    delete(args: {
+        where: {
+            token: string;
+        };
+    }): Promise<unknown>;
+}
+export interface EmailVerificationUserStore {
+    findUnique(args: {
+        where: {
+            email: string;
+        };
+        select: {
+            emailVerified: true;
+        };
+    }): Promise<{
+        emailVerified: Date | null;
+    } | null>;
+    update(args: {
+        where: {
+            email: string;
+        };
+        data: {
+            emailVerified: Date;
+        };
+    }): Promise<unknown>;
+}
+export declare function verifyEmailFromToken(params: {
+    token: string;
+    email?: string;
+    now?: Date;
+    verificationTokens: EmailVerificationTokenStore;
+    users: EmailVerificationUserStore;
+}): Promise<VerifyEmailTokenResult>;
+//# sourceMappingURL=verification.d.ts.map

package/dist/auth/verification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification.d.ts","sourceRoot":"","sources":["../../src/auth/verification.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,sBAAsB,GAC9B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,UAAU,GAAG,kBAAkB,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACpE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,GAAG,gBAAgB,GAAG,gBAAgB,CAAA;CAAE,CAAC;AAErF,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,IAAI,CAAC;CACf;AAED,MAAM,WAAW,2BAA2B;IAC1C,UAAU,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,GAAG,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAAC;IACxF,MAAM,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,0BAA0B;IACzC,UAAU,CAAC,IAAI,EAAE;QACf,KAAK,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QACzB,MAAM,EAAE;YAAE,aAAa,EAAE,IAAI,CAAA;SAAE,CAAC;KACjC,GAAG,OAAO,CAAC;QAAE,aAAa,EAAE,IAAI,GAAG,IAAI,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC;QAAC,IAAI,EAAE;YAAE,aAAa,EAAE,IAAI,CAAA;SAAE,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC7F;AAED,wBAAsB,oBAAoB,CAAC,MAAM,EAAE;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,IAAI,CAAC;IACX,kBAAkB,EAAE,2BAA2B,CAAC;IAChD,KAAK,EAAE,0BAA0B,CAAC;CACnC,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAyClC"}

package/dist/auth/verification.js

@@ -0,0 +1,39 @@
+import { hashToken } from '../chunk-MXQ66RUN.js';
+import 'server-only';
+
+var VERIFICATION_TOKEN_DOMAIN = "email-verification-v1";
+async function verifyEmailFromToken(params) {
+  const now = params.now ?? /* @__PURE__ */ new Date();
+  const rawToken = params.token;
+  const emailFromRequest = params.email;
+  const tokenHash = await hashToken(rawToken, VERIFICATION_TOKEN_DOMAIN);
+  const verificationToken = await params.verificationTokens.findUnique({
+    where: { token: tokenHash }
+  });
+  if (!verificationToken || verificationToken.expires < now) {
+    return { ok: false, error: "invalid_or_expired" };
+  }
+  if (emailFromRequest && verificationToken.identifier !== emailFromRequest) {
+    return { ok: false, error: "email_mismatch" };
+  }
+  const emailToVerify = verificationToken.identifier;
+  const user = await params.users.findUnique({
+    where: { email: emailToVerify },
+    select: { emailVerified: true }
+  });
+  if (!user) return { ok: false, error: "user_not_found" };
+  if (!user.emailVerified) {
+    await params.users.update({
+      where: { email: emailToVerify },
+      data: { emailVerified: now }
+    });
+  }
+  await params.verificationTokens.delete({ where: { token: tokenHash } });
+  return {
+    ok: true,
+    status: user.emailVerified ? "already_verified" : "verified",
+    email: emailToVerify
+  };
+}
+
+export { verifyEmailFromToken };

package/dist/chunk-4LS3QDD5.js

@@ -0,0 +1,162 @@
+import 'server-only';
+import { EncryptJWT, jwtDecrypt } from 'jose';
+import { cookies } from 'next/headers';
+import { redirect } from 'next/navigation';
+import { cache } from 'react';
+
+// src/auth/session.ts
+var SESSION_KEY_DOMAIN = "mars-session-v1";
+var _key = null;
+async function deriveKey(secret) {
+  if (_key) return _key;
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    "HKDF",
+    false,
+    ["deriveBits"]
+  );
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: encoder.encode(SESSION_KEY_DOMAIN),
+      info: new Uint8Array(0)
+    },
+    keyMaterial,
+    256
+  );
+  _key = new Uint8Array(bits);
+  return _key;
+}
+var SESSION_COOKIE_NAME = "session";
+var SESSION_IDLE_DURATION = 24 * 60 * 60 * 1e3;
+var SESSION_ABSOLUTE_DURATION = 7 * 24 * 60 * 60 * 1e3;
+var INACTIVITY_TIMEOUT = 30 * 60 * 1e3;
+async function encrypt(payload, secret) {
+  return new EncryptJWT(payload).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(new Date(payload.expiresAt)).encrypt(await deriveKey(secret));
+}
+async function decrypt(session = "", secret) {
+  if (!session) return null;
+  try {
+    const { payload } = await jwtDecrypt(session, await deriveKey(secret));
+    const sessionPayload = payload;
+    if (typeof sessionPayload.createdAt !== "number" || typeof sessionPayload.credentialTag !== "string") {
+      return null;
+    }
+    if (Date.now() > sessionPayload.expiresAt) return null;
+    if (Date.now() - sessionPayload.lastActivity > INACTIVITY_TIMEOUT) return null;
+    if (Date.now() - sessionPayload.createdAt > SESSION_ABSOLUTE_DURATION) return null;
+    return sessionPayload;
+  } catch (error) {
+    console.warn(
+      "Failed to decrypt session (likely legacy cookie):",
+      error instanceof Error ? error.message : String(error)
+    );
+    try {
+      const cookieStore = await cookies();
+      cookieStore.delete(SESSION_COOKIE_NAME);
+    } catch {
+    }
+    return null;
+  }
+}
+function createSessionManager(config) {
+  async function createSession(user) {
+    const now = Date.now();
+    const expiresAt = Math.min(now + SESSION_IDLE_DURATION, now + SESSION_ABSOLUTE_DURATION);
+    const fingerprint = crypto.randomUUID();
+    const sessionPayload = {
+      userId: user.id,
+      email: user.email,
+      name: user.name,
+      role: user.role,
+      fingerprint,
+      emailVerified: user.emailVerified,
+      credentialTag: user.credentialTag,
+      createdAt: now,
+      expiresAt,
+      lastActivity: now
+    };
+    const encryptedSession = await encrypt(sessionPayload, config.getJWTSecret());
+    const cookieStore = await cookies();
+    cookieStore.set(SESSION_COOKIE_NAME, encryptedSession, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      path: "/",
+      expires: new Date(expiresAt)
+    });
+  }
+  async function getSession() {
+    const cookieStore = await cookies();
+    const encryptedSession = cookieStore.get(SESSION_COOKIE_NAME)?.value;
+    const session = await decrypt(encryptedSession, config.getJWTSecret());
+    if (!session) return null;
+    const isValidCredential = await config.validateCredential(session.userId, session.credentialTag);
+    if (!isValidCredential) {
+      cookieStore.delete(SESSION_COOKIE_NAME);
+      return null;
+    }
+    return session;
+  }
+  async function updateSession() {
+    const session = await getSession();
+    if (!session) return;
+    const now = Date.now();
+    const absoluteExpiry = session.createdAt + SESSION_ABSOLUTE_DURATION;
+    const nextIdleExpiry = now + SESSION_IDLE_DURATION;
+    const updatedSession = {
+      ...session,
+      lastActivity: now,
+      expiresAt: Math.min(nextIdleExpiry, absoluteExpiry)
+    };
+    const encryptedSession = await encrypt(updatedSession, config.getJWTSecret());
+    const cookieStore = await cookies();
+    cookieStore.set(SESSION_COOKIE_NAME, encryptedSession, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "lax",
+      path: "/",
+      expires: new Date(updatedSession.expiresAt)
+    });
+  }
+  async function deleteSession() {
+    const cookieStore = await cookies();
+    cookieStore.delete(SESSION_COOKIE_NAME);
+  }
+  const verifySession = cache(async () => {
+    const session = await getSession();
+    if (!session) {
+      redirect(config.signInRoute);
+    }
+    return session;
+  });
+  const verifySessionForAPI = cache(async () => {
+    const session = await getSession();
+    return session;
+  });
+  async function getCurrentUser() {
+    const session = await getSession();
+    if (!session) return null;
+    return {
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      role: session.role,
+      emailVerified: session.emailVerified
+    };
+  }
+  return {
+    createSession,
+    getSession,
+    updateSession,
+    deleteSession,
+    verifySession,
+    verifySessionForAPI,
+    getCurrentUser
+  };
+}
+
+export { createSessionManager, decrypt, encrypt };

package/dist/chunk-ABBUHT5Z.js

@@ -0,0 +1,110 @@
+// src/seo/faq.ts
+function toPlainTextFromFaqBlocks(blocks) {
+  const lines = [];
+  for (const block of blocks) {
+    if (block.type === "paragraph") {
+      const paragraph = block.parts.map((part) => part.type === "text" ? part.value : part.text).join("").replace(/\s+/g, " ").trim();
+      if (paragraph) lines.push(paragraph);
+      continue;
+    }
+    const listLine = block.items.map((item) => item.trim()).filter(Boolean).join("; ");
+    if (listLine) lines.push(listLine);
+  }
+  return lines.join("\n");
+}
+
+// src/seo/index.ts
+function buildFaqPageJsonLd(items) {
+  return {
+    "@context": "https://schema.org",
+    "@type": "FAQPage",
+    mainEntity: items.map((item) => ({
+      "@type": "Question",
+      name: item.question,
+      acceptedAnswer: {
+        "@type": "Answer",
+        text: item.answer
+      }
+    }))
+  };
+}
+function createSeoBuilders(config) {
+  const SITE_URL = config.url;
+  const SITE_NAME = config.name;
+  function buildOrganizationJsonLd() {
+    return {
+      "@context": "https://schema.org",
+      "@type": "Organization",
+      name: SITE_NAME,
+      url: SITE_URL,
+      ...config.supportEmail && { email: config.supportEmail }
+    };
+  }
+  function buildWebSiteJsonLd() {
+    return {
+      "@context": "https://schema.org",
+      "@type": "WebSite",
+      name: SITE_NAME,
+      url: SITE_URL
+    };
+  }
+  function buildSiteNavigationJsonLd(items) {
+    return {
+      "@context": "https://schema.org",
+      "@type": "SiteNavigationElement",
+      name: "Main Navigation",
+      hasPart: items.map((item) => ({
+        "@type": "WebPage",
+        name: item.name,
+        url: new URL(item.url, SITE_URL).toString()
+      }))
+    };
+  }
+  function buildBreadcrumbListJsonLd(items) {
+    return {
+      "@context": "https://schema.org",
+      "@type": "BreadcrumbList",
+      itemListElement: items.map((item, index) => ({
+        "@type": "ListItem",
+        position: index + 1,
+        name: item.name,
+        item: new URL(item.url, SITE_URL).toString()
+      }))
+    };
+  }
+  function buildArticleJsonLd(article) {
+    return {
+      "@context": "https://schema.org",
+      "@type": "Article",
+      headline: article.title,
+      description: article.description,
+      url: new URL(`/blog/${article.slug}`, SITE_URL).toString(),
+      datePublished: article.date,
+      dateModified: article.date,
+      author: {
+        "@type": "Organization",
+        name: article.author,
+        url: SITE_URL
+      },
+      publisher: {
+        "@type": "Organization",
+        name: SITE_NAME,
+        url: SITE_URL
+      },
+      keywords: article.tags,
+      mainEntityOfPage: {
+        "@type": "WebPage",
+        "@id": new URL(`/blog/${article.slug}`, SITE_URL).toString()
+      }
+    };
+  }
+  return {
+    buildOrganizationJsonLd,
+    buildWebSiteJsonLd,
+    buildSiteNavigationJsonLd,
+    buildBreadcrumbListJsonLd,
+    buildArticleJsonLd
+  };
+}
+
+export { buildFaqPageJsonLd, createSeoBuilders, toPlainTextFromFaqBlocks };

package/dist/chunk-CTYAVMOF.js

@@ -0,0 +1,15 @@
+// src/utils/optional-import.ts
+async function importOptional(specifier) {
+  try {
+    return await import(
+      /* webpackIgnore: true */
+      specifier
+    );
+  } catch {
+    throw new Error(
+      `"${specifier}" is required for this provider but is not installed. Install it with: npm install ${specifier}`
+    );
+  }
+}
+
+export { importOptional };

package/dist/chunk-GVLH2GQP.js

@@ -0,0 +1,14 @@
+import { bytesToHex } from './chunk-MXQ66RUN.js';
+import 'server-only';
+
+var CREDENTIAL_TAG_DOMAIN = "credential-tag-v1";
+var NO_PASSWORD_TAG = "no-password";
+async function buildCredentialTag(passwordHash, _revocationSeed) {
+  if (!passwordHash) return NO_PASSWORD_TAG;
+  const payload = `${CREDENTIAL_TAG_DOMAIN}:${passwordHash}`;
+  const data = new TextEncoder().encode(payload);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return bytesToHex(new Uint8Array(digest));
+}
+
+export { NO_PASSWORD_TAG, buildCredentialTag };

package/dist/chunk-HOSMMQMA.js

@@ -0,0 +1,109 @@
+import { importOptional } from './chunk-CTYAVMOF.js';
+
+// src/email/index.ts
+function createSendGridProvider(appName) {
+  return {
+    async send(params) {
+      const sgMail = await importOptional("@sendgrid/mail");
+      const apiKey = process.env.SENDGRID_API_KEY;
+      const fromEmail = process.env.SENDGRID_FROM_EMAIL;
+      if (!apiKey) throw new Error("SENDGRID_API_KEY is not set");
+      if (!fromEmail) throw new Error("SENDGRID_FROM_EMAIL is not set");
+      sgMail.default.setApiKey(apiKey);
+      const msg = {
+        to: params.to,
+        from: { email: fromEmail, name: appName },
+        subject: params.subject,
+        text: params.text ?? params.html.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim(),
+        html: params.html,
+        mailSettings: {
+          bypassListManagement: { enable: true },
+          sandboxMode: { enable: false }
+        },
+        trackingSettings: {
+          clickTracking: { enable: false },
+          openTracking: { enable: false },
+          subscriptionTracking: { enable: false }
+        }
+      };
+      try {
+        await sgMail.default.send(msg);
+      } catch (error) {
+        console.error("Error sending email:", error);
+        const emailError = error;
+        if (emailError.response) {
+          console.error("Email error details:", emailError.response.body.errors);
+        }
+        throw error;
+      }
+    }
+  };
+}
+function createResendProvider(appName) {
+  return {
+    async send(params) {
+      const { Resend } = await importOptional("resend");
+      const apiKey = process.env.RESEND_API_KEY;
+      const fromEmail = process.env.RESEND_FROM_EMAIL;
+      if (!apiKey) throw new Error("RESEND_API_KEY is not set");
+      if (!fromEmail) throw new Error("RESEND_FROM_EMAIL is not set");
+      const resend = new Resend(apiKey);
+      await resend.emails.send({
+        from: `${appName} <${fromEmail}>`,
+        to: params.to,
+        subject: params.subject,
+        html: params.html,
+        text: params.text
+      });
+    }
+  };
+}
+function extractUrls(text) {
+  const urlPattern = /https?:\/\/[^\s<>"')\]]+/g;
+  return [...new Set(text.match(urlPattern) ?? [])];
+}
+function formatConsoleEmail(params) {
+  const body = params.text ?? params.html.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim();
+  const urls = extractUrls(params.text ?? params.html);
+  const separator = "-".repeat(60);
+  const lines = [
+    separator,
+    "  EMAIL (console mode)",
+    `  To:      ${params.to}`,
+    `  Subject: ${params.subject}`
+  ];
+  if (urls.length > 0) {
+    lines.push("");
+    lines.push(urls.length === 1 ? "  Action link:" : "  Links:");
+    for (const url of urls) {
+      lines.push(`     ${url}`);
+    }
+  }
+  const preview = body.length > 200 ? body.slice(0, 200) + "..." : body;
+  lines.push("");
+  lines.push(`  Body: ${preview}`);
+  lines.push(separator);
+  return lines.join("\n");
+}
+function createConsoleProvider() {
+  return {
+    async send(params) {
+      console.log(formatConsoleEmail(params));
+    }
+  };
+}
+var providerFactories = {
+  sendgrid: createSendGridProvider,
+  resend: createResendProvider,
+  console: () => createConsoleProvider()
+};
+function createEmailService(config) {
+  const factory = providerFactories[config.provider] ?? providerFactories.console;
+  const provider = factory(config.appName);
+  async function sendEmail(params) {
+    return provider.send(params);
+  }
+  return { sendEmail };
+}
+
+export { createEmailService, formatConsoleEmail };

package/dist/chunk-MXQ66RUN.js

@@ -0,0 +1,28 @@
+import 'server-only';
+
+// src/auth/crypto-utils.ts
+function constantTimeEqual(a, b) {
+  const maxLen = Math.max(a.length, b.length);
+  let result = 0;
+  for (let i = 0; i < maxLen; i++) {
+    const ac = i < a.length ? a.charCodeAt(i) : 0;
+    const bc = i < b.length ? b.charCodeAt(i) : 0;
+    result |= ac ^ bc;
+  }
+  result |= a.length ^ b.length;
+  return result === 0;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+async function hashToken(token, domain) {
+  const payload = `${domain}:${token}`;
+  const data = new TextEncoder().encode(payload);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return bytesToHex(new Uint8Array(digest));
+}
+
+export { bytesToHex, constantTimeEqual, escapeHtml, hashToken };

package/dist/chunk-PZE3JGXO.js

@@ -0,0 +1,149 @@
+import { constantTimeEqual, bytesToHex } from './chunk-MXQ66RUN.js';
+import 'server-only';
+import { cookies } from 'next/headers';
+
+var CSRF_TOKEN_NAME = "csrf-token";
+var CSRF_HEADER_NAME = "x-csrf-token";
+var CSRF_KEY_DOMAIN_SEPARATOR = "csrf-protection-key-v1";
+function stringToUint8Array(str) {
+  return new TextEncoder().encode(str);
+}
+function generateRandomBytes(length) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return bytesToHex(array);
+}
+async function createHMAC(key, data) {
+  const keyData = stringToUint8Array(key);
+  const messageData = stringToUint8Array(data);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    keyData.buffer,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", cryptoKey, messageData.buffer);
+  return bytesToHex(new Uint8Array(signature));
+}
+function createCSRFProtection(config) {
+  let _csrfDerivedKey = null;
+  async function getCSRFSecret() {
+    if (_csrfDerivedKey) return _csrfDerivedKey;
+    const jwtSecret = config.getJWTSecret();
+    _csrfDerivedKey = await createHMAC(jwtSecret, CSRF_KEY_DOMAIN_SEPARATOR);
+    return _csrfDerivedKey;
+  }
+  async function generateCSRFToken(sessionFingerprint) {
+    const timestamp = Date.now();
+    const randomToken = generateRandomBytes(32);
+    const payload = sessionFingerprint ? `${randomToken}.${timestamp}.${sessionFingerprint}` : `${randomToken}.${timestamp}`;
+    const secret = await getCSRFSecret();
+    const signature = await createHMAC(secret, payload);
+    return `${payload}.${signature}`;
+  }
+  async function verifyCSRFToken(token, expectedFingerprint) {
+    if (!token) return false;
+    try {
+      const parts = token.split(".");
+      const isBound = expectedFingerprint !== void 0 && expectedFingerprint !== "";
+      if (isBound) {
+        if (parts.length !== 4) return false;
+        const [randomToken2, timestamp2, fingerprint, signature2] = parts;
+        if (!constantTimeEqual(fingerprint, expectedFingerprint)) return false;
+        const payload2 = `${randomToken2}.${timestamp2}.${fingerprint}`;
+        const secret2 = await getCSRFSecret();
+        const expectedSignature2 = await createHMAC(secret2, payload2);
+        if (!constantTimeEqual(signature2, expectedSignature2)) return false;
+        const tokenAge2 = Date.now() - parseInt(timestamp2, 10);
+        if (tokenAge2 > 60 * 60 * 1e3) return false;
+        return true;
+      }
+      if (parts.length !== 3) return false;
+      const [randomToken, timestamp, signature] = parts;
+      const payload = `${randomToken}.${timestamp}`;
+      const secret = await getCSRFSecret();
+      const expectedSignature = await createHMAC(secret, payload);
+      if (!constantTimeEqual(signature, expectedSignature)) return false;
+      const tokenAge = Date.now() - parseInt(timestamp, 10);
+      if (tokenAge > 60 * 60 * 1e3) return false;
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async function requireCSRFToken(sessionFingerprint) {
+    const cookieStore = await cookies();
+    const existingToken = cookieStore.get(CSRF_TOKEN_NAME)?.value;
+    if (existingToken && await verifyCSRFToken(existingToken, sessionFingerprint)) {
+      return existingToken;
+    }
+    const newToken = await generateCSRFToken(sessionFingerprint);
+    cookieStore.set(CSRF_TOKEN_NAME, newToken, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === "production",
+      sameSite: "strict",
+      maxAge: 60 * 60,
+      path: "/"
+    });
+    return newToken;
+  }
+  function validateOrigin(request) {
+    const origin = request.headers.get("origin");
+    const host = request.headers.get("host");
+    if (!origin || !host) return false;
+    try {
+      const originUrl = new URL(origin);
+      return originUrl.host === host;
+    } catch {
+      return false;
+    }
+  }
+  function getClientInfo(request) {
+    const forwarded = request.headers.get("x-forwarded-for");
+    const realIp = request.headers.get("x-real-ip");
+    const ipAddress = forwarded?.split(",")[0] || realIp || "unknown";
+    const userAgent = request.headers.get("user-agent") || "unknown";
+    return { ipAddress, userAgent };
+  }
+  async function validateCSRFRequest(request, sessionFingerprint) {
+    if (!["POST", "PUT", "DELETE", "PATCH"].includes(request.method)) return true;
+    const { ipAddress, userAgent } = getClientInfo(request);
+    const endpoint = request.nextUrl.pathname;
+    if (!validateOrigin(request)) {
+      config.logViolation({
+        ipAddress,
+        userAgent,
+        endpoint: `${endpoint} - Origin validation failed`
+      });
+      return false;
+    }
+    const headerToken = request.headers.get(CSRF_HEADER_NAME);
+    if (!headerToken) {
+      config.logViolation({
+        ipAddress,
+        userAgent,
+        endpoint: `${endpoint} - Missing CSRF token`
+      });
+      return false;
+    }
+    const isValid = await verifyCSRFToken(headerToken, sessionFingerprint);
+    if (!isValid) {
+      config.logViolation({
+        ipAddress,
+        userAgent,
+        endpoint: `${endpoint} - Invalid CSRF token`
+      });
+      return false;
+    }
+    return true;
+  }
+  return {
+    generateCSRFToken,
+    verifyCSRFToken,
+    requireCSRFToken,
+    validateCSRFRequest
+  };
+}
+
+export { createCSRFProtection };