@mastra/auth-clerk 1.0.2-alpha.0 → 1.1.0

@@ -1 +1 @@
1
- {"version":3,"sources":["../../../packages/core/src/logger/constants.ts","../../../packages/core/src/logger/logger.ts","../../../packages/core/src/logger/default-logger.ts","../../../packages/core/src/base.ts","../../../packages/core/src/server/auth.ts","../src/index.ts"],"names":["createClerkClient","verifyJwks"],"mappings":";;;;;;;;AACO,IAAM,gBAAA,GAAmB;EAM9B,GAAA,EAAK,KAaP,CAAA;AAIO,IAAM,QAAA,GAAW;EACtB,KAAA,EAAO,OAAA;EACP,IAAA,EAAM,MAAA;EACN,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAET,CAAA;ACKO,IAAe,eAAf,MAAqD;AAChD,EAAA,IAAA;AACA,EAAA,KAAA;AACA,EAAA,UAAA;EAEV,WAAA,CACE,OAAA,GAII,EAAA,EACJ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,QAAQ,IAAA,IAAQ,QAAA;AAC5B,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAA,CAAQ,KAAA,IAAS,QAAA,CAAS,KAAA;AACvC,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,GAAA,CAAI,MAAA,CAAO,QAAQ,OAAA,CAAQ,UAAA,IAAc,EAAE,CAAC,CAAA;AACpE,EAAA;EAOA,aAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;AAEA,EAAA,cAAA,CAAe,MAAA,EAAqB;AAAC,EAAA;EAErC,MAAM,QAAA,CACJ,aACA,MAAA,EAQA;AACA,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,EAAG;AACrD,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,MAAA,EAAQ,IAAA,IAAQ,GAAG,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClG,IAAA;AAEA,IAAA,OACE,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,CAAG,QAAA,CAAS,MAAM,CAAA,IAAK;AACpD,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,QAAQ,IAAA,IAAQ,CAAA;AACtB,MAAA,OAAA,EAAS,QAAQ,OAAA,IAAW,GAAA;MAC5B,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AAEA,EAAA,MAAM,eAAA,CAAgB;AACpB,IAAA,WAAA;AACA,IAAA,KAAA;AACA,IAAA,QAAA;AACA,IAAA,MAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAUC;AACD,IAAA,IAAI,CAAC,eAAe,CAAC,IAAA,CAAK,WAAW,GAAA,CAAI,WAAW,CAAA,IAAK,CAAC,KAAA,EAAO;AAC/D,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,KAAA,EAAO,CAAA,EAAG,IAAA,EAAM,IAAA,IAAQ,CAAA,EAAG,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClF,IAAA;AAEA,IAAA,OACE,IAAA,CAAK,UAAA,CACF,GAAA,CAAI,WAAW,EACf,eAAA,CAAgB,EAAE,KAAA,EAAO,QAAA,EAAU,QAAQ,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,OAAA,EAAS,CAAA,IAAK;AACnF,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA
;AACP,MAAA,IAAA,EAAM,IAAA,IAAQ,CAAA;AACd,MAAA,OAAA,EAAS,OAAA,IAAW,GAAA;MACpB,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AACF,CAAA;AC5GO,IAAM,aAAA,GAAN,cAA4B,YAAA,CAAa;EAC9C,WAAA,CACE,OAAA,GAGI,EAAA,EACJ;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACf,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,EAAO;AACjC,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAI,KAAK,KAAA,KAAU,QAAA,CAAS,QAAQ,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,EAAO;AACjE,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,EAAO;AACjG,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IACE,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,IACxB,KAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,UAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,EACxB;AACA,MAAA,OAAA,CAAQ,KAAA,CAAM,OAAA,EAAS,GAAG,IAAI,CAAA;AAChC,IAAA;AACF,EAAA;EAEA,MAAM,QAAA,CACJ,cACA,OAAA,EAQA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,GAAG,OAAA,EAAS,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AACpG,EAAA;AAEA,EAAA,MAAM,gBAAgB,KAAA,EASnB;AACD,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,GAAG,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAC9F,EAAA;AACF,CAAA;;;AC7EO,IAAM,aAAN,MAAiB;AACtB,EAAA,SAAA,GAA8B,gBAAA,CAAiB,GAAA;AACrC,EAAA,MAAA;AACV,EAAA,IAAA;AACA,EAAA,UAAA;EAEA,WAAA,CAAY;AACV,IAAA,SAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAKC;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,aAAa,gBAAA,CAAiB,GAAA;AAC/C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AAClB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,aAAA,CAAc,EAAE,IAAA,EAAM,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,GAAA,EAAM,IAAA,CAAK,IAAI,CAAA,CAAA,EAAI,CAAA;AAC9E,EAAA;;;;;EAMA,WAAA,GAAmD;AACjD,IAAA,OAAO,IAAA,CA
AK,UAAA;AACd,EAAA;;;;;AAMA,EAAA,cAAA,CAAe,SAAA,EAA0C;AACvD,IAAA,IAAA,CAAK,UAAA,GAAa,SAAA;AACpB,EAAA;;;;;AAMA,EAAA,WAAA,CAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,IAAI,IAAA,CAAK,SAAA,KAAc,gBAAA,CAAiB,GAAA,EAAK;AAC3C,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,0BAAA,EAA6B,IAAA,CAAK,SAAS,CAAA,QAAA,EAAW,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AACtF,IAAA;AACF,EAAA;AACF,CAAA;;;ACnCO,IAAe,kBAAA,GAAf,cAA2D,UAAA,CAAW;AACpE,EAAA,SAAA;AACA,EAAA,MAAA;AAEP,EAAA,WAAA,CAAY,OAAA,EAA4C;AACtD,IAAA,KAAA,CAAM,EAAE,SAAA,EAAW,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,MAAM,CAAA;AAEhD,IAAA,IAAI,SAAS,aAAA,EAAe;AAC1B,MAAA,IAAA,CAAK,aAAA,GAAgB,OAAA,CAAQ,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACtD,IAAA;AAEA,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACzB,EAAA;AAkBU,EAAA,eAAA,CAAgB,IAAA,EAAyC;AACjE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA,CAAK,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACnD,IAAA;AACA,IAAA,IAAI,MAAM,SAAA,EAAW;AACnB,MAAA,IAAA,CAAK,YAAY,IAAA,CAAK,SAAA;AACxB,IAAA;AACA,IAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACrB,IAAA;AACF,EAAA;AACF,CAAA;;;AC5CO,IAAM,eAAA,GAAN,cAA8B,kBAAA,CAA8B;AAAA,EACvD,KAAA;AAAA,EACA,OAAA;AAAA,EAEV,YAAY,OAAA,EAAkC;AAC5C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,SAAS,CAAA;AAExC,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,cAAA;AAChD,IAAA,MAAM,SAAA,GAAY,OAAA,EAAS,SAAA,IAAa,OAAA,CAAQ,GAAA,CAAI,gBAAA;AACpD,IAAA,MAAM,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAE9D,IAAA,IAAI,CAAC,OAAA,IAAW,CAAC,SAAA,IAAa,CAAC,cAAA,EAAgB;AAC7C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,QAAQA,yBAAA,CAAkB;AAAA,MAC7B,SAAA;AAAA,MACA;AAAA,KACD,CAAA;AAED,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA,EAEA,MAAM,kBAAkB,KAAA,EAA0C;AAChE,IAAA,MAAM,IAAA,GAAO,MAAMC,eAAA,CAAW,KAAA,EAAO,KAAK,OAAO,CAAA;AACjD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,IAAA,EAAiB;AACnC,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,GAAA;AAAA,EAChB;AACF","file":"index.cjs","sources
Content":["// Constants and Types (keeping from original implementation)\nexport const RegisteredLogger = {\n AGENT: 'AGENT',\n OBSERVABILITY: 'OBSERVABILITY',\n AUTH: 'AUTH',\n NETWORK: 'NETWORK',\n WORKFLOW: 'WORKFLOW',\n LLM: 'LLM',\n TTS: 'TTS',\n VOICE: 'VOICE',\n VECTOR: 'VECTOR',\n BUNDLER: 'BUNDLER',\n DEPLOYER: 'DEPLOYER',\n MEMORY: 'MEMORY',\n STORAGE: 'STORAGE',\n EMBEDDINGS: 'EMBEDDINGS',\n MCP_SERVER: 'MCP_SERVER',\n SERVER_CACHE: 'SERVER_CACHE',\n SERVER: 'SERVER',\n WORKSPACE: 'WORKSPACE',\n} as const;\n\nexport type RegisteredLogger = (typeof RegisteredLogger)[keyof typeof RegisteredLogger];\n\nexport const LogLevel = {\n DEBUG: 'debug',\n INFO: 'info',\n WARN: 'warn',\n ERROR: 'error',\n NONE: 'silent',\n} as const;\n\nexport type LogLevel = (typeof LogLevel)[keyof typeof LogLevel];\n","import type { MastraError } from '../error';\nimport { LogLevel } from './constants';\nimport type { BaseLogMessage, LoggerTransport } from './transport';\n\nexport interface IMastraLogger {\n debug(message: string, ...args: any[]): void;\n info(message: string, ...args: any[]): void;\n warn(message: string, ...args: any[]): void;\n error(message: string, ...args: any[]): void;\n trackException(error: MastraError): void;\n\n getTransports(): Map<string, LoggerTransport>;\n listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n}\n\nexport abstract class MastraLogger implements IMastraLogger {\n protected name: string;\n protected level: 
LogLevel;\n protected transports: Map<string, LoggerTransport>;\n\n constructor(\n options: {\n name?: string;\n level?: LogLevel;\n transports?: Record<string, LoggerTransport>;\n } = {},\n ) {\n this.name = options.name || 'Mastra';\n this.level = options.level || LogLevel.ERROR;\n this.transports = new Map(Object.entries(options.transports || {}));\n }\n\n abstract debug(message: string, ...args: any[]): void;\n abstract info(message: string, ...args: any[]): void;\n abstract warn(message: string, ...args: any[]): void;\n abstract error(message: string, ...args: any[]): void;\n\n getTransports() {\n return this.transports;\n }\n\n trackException(_error: MastraError) {}\n\n async listLogs(\n transportId: string,\n params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ) {\n if (!transportId || !this.transports.has(transportId)) {\n return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports.get(transportId)!.listLogs(params) ?? {\n logs: [],\n total: 0,\n page: params?.page ?? 1,\n perPage: params?.perPage ?? 100,\n hasMore: false,\n }\n );\n }\n\n async listLogsByRunId({\n transportId,\n runId,\n fromDate,\n toDate,\n logLevel,\n filters,\n page,\n perPage,\n }: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }) {\n if (!transportId || !this.transports.has(transportId) || !runId) {\n return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports\n .get(transportId)!\n .listLogsByRunId({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {\n logs: [],\n total: 0,\n page: page ?? 1,\n perPage: perPage ?? 
100,\n hasMore: false,\n }\n );\n }\n}\n","import { LogLevel } from './constants';\nimport { MastraLogger } from './logger';\nimport type { LoggerTransport } from './transport';\n\nexport const createLogger = (options: {\n name?: string;\n level?: LogLevel;\n transports?: Record<string, LoggerTransport>;\n}) => {\n const logger = new ConsoleLogger(options);\n\n logger.warn(`createLogger is deprecated. Please use \"new ConsoleLogger()\" from \"@mastra/core/logger\" instead.`);\n\n return logger;\n};\n\nexport class ConsoleLogger extends MastraLogger {\n constructor(\n options: {\n name?: string;\n level?: LogLevel;\n } = {},\n ) {\n super(options);\n }\n\n debug(message: string, ...args: any[]): void {\n if (this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n info(message: string, ...args: any[]): void {\n if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n warn(message: string, ...args: any[]): void {\n if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n error(message: string, ...args: any[]): void {\n if (\n this.level === LogLevel.ERROR ||\n this.level === LogLevel.WARN ||\n this.level === LogLevel.INFO ||\n this.level === LogLevel.DEBUG\n ) {\n console.error(message, ...args);\n }\n }\n\n async listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ) {\n return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };\n }\n\n async listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }) {\n return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 
100, hasMore: false };\n }\n}\n","import type { IMastraLogger } from './logger';\nimport { RegisteredLogger } from './logger/constants';\nimport { ConsoleLogger } from './logger/default-logger';\n\nexport class MastraBase {\n component: RegisteredLogger = RegisteredLogger.LLM;\n protected logger: IMastraLogger;\n name?: string;\n #rawConfig?: Record<string, unknown>;\n\n constructor({\n component,\n name,\n rawConfig,\n }: {\n component?: RegisteredLogger;\n name?: string;\n rawConfig?: Record<string, unknown>;\n }) {\n this.component = component || RegisteredLogger.LLM;\n this.name = name;\n this.#rawConfig = rawConfig;\n this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });\n }\n\n /**\n * Returns the raw storage configuration this primitive was created from,\n * or undefined if it was created from code.\n */\n toRawConfig(): Record<string, unknown> | undefined {\n return this.#rawConfig;\n }\n\n /**\n * Sets the raw storage configuration for this primitive.\n * @internal\n */\n __setRawConfig(rawConfig: Record<string, unknown>): void {\n this.#rawConfig = rawConfig;\n }\n\n /**\n * Set the logger for the agent\n * @param logger\n */\n __setLogger(logger: IMastraLogger) {\n this.logger = logger;\n\n if (this.component !== RegisteredLogger.LLM) {\n this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);\n }\n }\n}\n\nexport * from './types';\n","import type { HonoRequest } from 'hono';\nimport { MastraBase } from '../base';\nimport type { MastraAuthConfig } from './types';\n\nexport interface MastraAuthProviderOptions<TUser = unknown> {\n name?: string;\n authorizeUser?: (user: TUser, request: HonoRequest) => Promise<boolean> | boolean;\n /**\n * Protected paths for the auth provider\n */\n protected?: MastraAuthConfig['protected'];\n /**\n * Public paths for the auth provider\n */\n public?: MastraAuthConfig['public'];\n}\n\nexport abstract class MastraAuthProvider<TUser = unknown> extends MastraBase {\n 
public protected?: MastraAuthConfig['protected'];\n public public?: MastraAuthConfig['public'];\n\n constructor(options?: MastraAuthProviderOptions<TUser>) {\n super({ component: 'AUTH', name: options?.name });\n\n if (options?.authorizeUser) {\n this.authorizeUser = options.authorizeUser.bind(this);\n }\n\n this.protected = options?.protected;\n this.public = options?.public;\n }\n\n /**\n * Authenticate a token and return the payload\n * @param token - The token to authenticate\n * @param request - The request\n * @returns The payload\n */\n abstract authenticateToken(token: string, request: HonoRequest): Promise<TUser | null>;\n\n /**\n * Authorize a user for a path and method\n * @param user - The user to authorize\n * @param request - The request\n * @returns The authorization result\n */\n abstract authorizeUser(user: TUser, request: HonoRequest): Promise<boolean> | boolean;\n\n protected registerOptions(opts?: MastraAuthProviderOptions<TUser>) {\n if (opts?.authorizeUser) {\n this.authorizeUser = opts.authorizeUser.bind(this);\n }\n if (opts?.protected) {\n this.protected = opts.protected;\n }\n if (opts?.public) {\n this.public = opts.public;\n }\n }\n}\n","import { createClerkClient } from '@clerk/backend';\nimport type { ClerkClient } from '@clerk/backend';\nimport { verifyJwks } from '@mastra/auth';\nimport type { JwtPayload } from '@mastra/auth';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\ntype ClerkUser = JwtPayload;\n\ninterface MastraAuthClerkOptions extends MastraAuthProviderOptions<ClerkUser> {\n jwksUri?: string;\n secretKey?: string;\n publishableKey?: string;\n}\n\nexport class MastraAuthClerk extends MastraAuthProvider<ClerkUser> {\n protected clerk: ClerkClient;\n protected jwksUri: string;\n\n constructor(options?: MastraAuthClerkOptions) {\n super({ name: options?.name ?? 'clerk' });\n\n const jwksUri = options?.jwksUri ?? 
process.env.CLERK_JWKS_URI;\n const secretKey = options?.secretKey ?? process.env.CLERK_SECRET_KEY;\n const publishableKey = options?.publishableKey ?? process.env.CLERK_PUBLISHABLE_KEY;\n\n if (!jwksUri || !secretKey || !publishableKey) {\n throw new Error(\n 'Clerk JWKS URI, secret key and publishable key are required, please provide them in the options or set the environment variables CLERK_JWKS_URI, CLERK_SECRET_KEY and CLERK_PUBLISHABLE_KEY',\n );\n }\n\n this.jwksUri = jwksUri;\n this.clerk = createClerkClient({\n secretKey,\n publishableKey,\n });\n\n this.registerOptions(options);\n }\n\n async authenticateToken(token: string): Promise<ClerkUser | null> {\n const user = await verifyJwks(token, this.jwksUri);\n return user;\n }\n\n async authorizeUser(user: ClerkUser) {\n return !!user.sub;\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/index.ts"],"names":["MastraAuthProvider","createClerkClient","verifyJwks"],"mappings":";;;;;;;AAmBA,IAAM,mBAAA,GAAsB,eAAA;AAG5B,IAAM,sBAAA,GAAyB,KAAA;AAG/B,IAAM,cAAA,GAAiB,CAAC,QAAA,EAAU,SAAA,EAAW,OAAO,CAAA;AAGpD,IAAM,WAAA,GAAc,EAAA;AAGpB,IAAM,SAAA,GAAY,EAAA;AAKlB,eAAe,SAAA,CAAU,QAAA,EAAkB,IAAA,EAAkB,KAAA,EAA8B;AACzF,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,OAAA,CAAQ,MAAA,CAAO,QAAQ,CAAA,EAAG,QAAA,EAAU,KAAA,EAAO;AAAA,IAClG,YAAA;AAAA,IACA;AAAA,GACD,CAAA;AACD,EAAA,OAAO,OAAO,MAAA,CAAO,SAAA;AAAA,IACnB,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,UAAA,EAAY,GAAA,EAAQ,MAAM,SAAA,EAAU;AAAA,IAC5D,WAAA;AAAA,IACA,EAAE,IAAA,EAAM,SAAA,EAAW,MAAA,EAAQ,GAAA,EAAI;AAAA,IAC/B,KAAA;AAAA,IACA,CAAC,KAAK;AAAA,GACR;AACF;AAMA,eAAe,cAAA,CAAe,MAAe,QAAA,EAAmC;AAC9E,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAO,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,WAAW,CAAC,CAAA;AAC/D,EAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,QAAA,EAAU,MAAM,SAAS,CAAA;AACrD,EAAA,MAAM,KAAK,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,SAAS,CAAC,CAAA;AAC3D,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,KAAK,OAAA,CAAQ,MAAA,CAAO,KAAK,SAAA,CAAU,IAAI,CAAC,CAAC,CAAA;AAChH,EAAA,MAAM,QAAA,GAAW,IAAI,UAAA,CAAW,IAAA,CAAK,MAAA,GAAS,EAAA,CAAG,MAAA,GAAS,IAAI,UAAA,CAAW,SAAS,CAAA,CAAE,MAAM,CAAA;AAC1F,EAAA,QAAA,CAAS,IAAI,IAAI,CAAA;AACjB,EAAA,QAAA,CAAS,GAAA,CAAI,EAAA,EAAI,IAAA,CAAK,MAAM,CAAA;AAC5B,EAAA,QAAA,CAAS,GAAA,CAAI,IAAI,UAAA,CAAW,SAAS,GAAG,IAAA,CAAK,MAAA,GAAS,GAAG,MAAM,CAAA;AAC/D,EAAA,OAAO,IAAA,CAAK,MAAA,CAAO,YAAA,CAAa,GAAG,QAAQ,CAAC,CAAA;AAC9C;AAKA,eAAe,cAAA,CAAe,WAAmB,QAAA,EAAoC;AACnF,EAAA,MAAM,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,IAAA,CAAK,SAAS,GAAG,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,CAAW,CAAC,CAAC,CAAA;AACtE,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,WAAW,CAAA;AAC1C,EAAA,MAAM,EAAA,GAAK,QAAA,CAAS,KAAA,CAAM,WAAA,EAAa,cAAc,SAAS,CAAA;AAC9D,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,KAAA,CAAM,WAAA,GAAc,SAAS,CAAA;AACnD,EAAA,MAAM,GAAA,GAAM,MAAM,S
AAA,CAAU,QAAA,EAAU,MAAM,SAAS,CAAA;AACrD,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAG,EAAG,GAAA,EAAK,IAAI,CAAA;AAChF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAI,aAAY,CAAE,MAAA,CAAO,SAAS,CAAC,CAAA;AACvD;AAGA,IAAM,qBAAA,GAAwB,KAAK,EAAA,GAAK,GAAA;AAexC,eAAe,QAAA,CAAS,MAAc,MAAA,EAAiC;AACrE,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AACrC,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA;AAGrC,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,OAAO,OAAA,EAAS,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAM,SAAA,EAAU,EAAG,KAAA,EAAO,CAAC,MAAM,CAAC,CAAA;AAGlH,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,WAAW,SAAS,CAAA;AAGvE,EAAA,MAAM,QAAA,GAAW,IAAI,UAAA,CAAW,SAAS,CAAA;AACzC,EAAA,OAAO,KAAK,MAAA,CAAO,YAAA,CAAa,GAAG,QAAQ,CAAC,CAAA,CACzC,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,MAAM,EAAE,CAAA;AACrB;AAKA,SAAS,eAAA,CAAgB,GAAW,CAAA,EAAoB;AACtD,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,MAAA,IAAU,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACpB;AAMA,eAAe,gBAAA,CAAiB,aAAA,EAAuB,WAAA,EAAqB,MAAA,EAAiC;AAC3G,EAAA,MAAM,OAAA,GAAwB;AAAA,IAC5B,CAAA,EAAG,aAAA;AAAA,IACH,CAAA,EAAG,WAAA;AAAA,IACH,CAAA,EAAG,IAAA,CAAK,GAAA,EAAI,GAAI;AAAA,GAClB;AACA,EAAA,MAAM,UAAA,GAAa,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAC/C,EAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,UAAA,EAAY,MAAM,CAAA;AACnD,EAAA,OAAO,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA;AACnC;AAMA,eAAe,gBAAA,CACb,YACA,MAAA,EACyD;AACzD,EAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,EAC9C;AAEA,EAAA,MAAM,CAAC,UAAA,EAAY,SAAS,CAAA,GAAI,KAAA;AAChC,EAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,UAAA,EAAa,MAAM,CAAA;AACtD,EAAA,IAAI,CAAC,eAAA,CAAgB,SAAA,EAAY,WAAW,CAAA,EAAG;AAC7C,IAAA,MAAM,IAAI,MA
AM,+BAA+B,CAAA;AAAA,EACjD;AAEA,EAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,UAAW,CAAC,CAAA;AAC5C,EAAA,IAAI,OAAA,CAAQ,CAAA,GAAI,IAAA,CAAK,GAAA,EAAI,EAAG;AAC1B,IAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,EAC3C;AAEA,EAAA,OAAO,EAAE,aAAA,EAAe,OAAA,CAAQ,CAAA,EAAG,WAAA,EAAa,QAAQ,CAAA,EAAE;AAC5D;AAKA,SAAS,YAAY,GAAA,EAAqB;AACxC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AAMA,SAAS,cAAc,cAAA,EAAgC;AACrD,EAAA,MAAM,aAAA,GAAgB,cAAA,CAAe,OAAA,CAAQ,kBAAA,EAAoB,EAAE,CAAA;AACnE,EAAA,MAAM,OAAA,GAAU,KAAK,aAAa,CAAA;AAClC,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACxC,EAAA,OAAO,WAAW,MAAM,CAAA,CAAA;AAC1B;AAyEO,IAAM,eAAA,GAAN,cAA8BA,yBAAA,CAA+D;AAAA,EACxF,KAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,OAAA;AAAA;AAAA,EAGF,aAAA;AAAA,EACA,iBAAA;AAAA,EACA,YAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EAER,YAAY,OAAA,EAAkC;AAC5C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,SAAS,CAAA;AAExC,IAAA,MAAM,OAAA,GAAU,OAAA,EAAS,OAAA,IAAW,OAAA,CAAQ,GAAA,CAAI,cAAA;AAChD,IAAA,MAAM,SAAA,GAAY,OAAA,EAAS,SAAA,IAAa,OAAA,CAAQ,GAAA,CAAI,gBAAA;AACpD,IAAA,MAAM,cAAA,GAAiB,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAE9D,IAAA,IAAI,CAAC,OAAA,IAAW,CAAC,SAAA,IAAa,CAAC,cAAA,EAAgB;AAC7C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,cAAA,GAAiB,cAAA;AACtB,IAAA,IAAA,CAAK,OAAA,GAAU,cAAc,cAAc,CAAA;AAC3C,IAAA,IAAA,CAAK,QAAQC,yBAAA,CAAkB;AAAA,MAC7B,SAAA;AAAA,MACA;AAAA,KACD,CAAA;AAGD,IAAA,MAAM,aAAA,GAAgB,OAAA,EAAS,aAAA,IAAiB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAC5D,IAAA,MAAM,iBAAA,GAAoB,OAAA,EAAS,iBAAA,IAAqB,OAAA,CAAQ,GAAA,CAAI,yBAAA;AACpE,IAAA,MAAM,WAAA,GAAc,OAAA,EAAS,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,wBAAA;AACxD,IAAA,MAAM,cAAA,GACJ,OAAA,EAAS,OAAA,EAAS,cAAA,IAClB,OAAA,CAAQ,GAAA,CAAI,qBAAA,IACZ,MAAA,CAAO,UAAA,EAAW,GAAI,MAAA,CAAO,UAAA,EAAW;AAE1C,IAAA,IAAA,CAAK,gBAAgB,aAAA,IAAiB,IAAA;AACtC,IAAA,IAAA,CAAK,oBAAoB,iBAAA,IAAqB,IAAA;AAC9C,IAAA,IAAA,CAAK,eAAe,WAAA,IAAe,IAAA;AACnC,IAAA,IAAA,CAAK,MAAA,GAA
S,SAAS,MAAA,IAAU,cAAA;AACjC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAA,EAAS,OAAA,EAAS,UAAA,IAAc,mBAAA;AAClD,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,EAAS,OAAA,EAAS,YAAA,IAAgB,sBAAA;AACtD,IAAA,IAAA,CAAK,cAAA,GAAiB,cAAA;AACtB,IAAA,IAAA,CAAK,gBAAgB,OAAA,EAAS,OAAA,EAAS,aAAA,IAAiB,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AAGjF,IAAA,IAAA,CAAK,UAAA,GAAa,CAAC,EAAE,aAAA,IAAiB,iBAAA,CAAA;AAEtC,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,IAAI,cAAA,CAAe,SAAS,EAAA,EAAI;AAC9B,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SACF;AAAA,MACF;AAEA,MAAA,IAAI,CAAC,OAAA,EAAS,OAAA,EAAS,kBAAkB,CAAC,OAAA,CAAQ,IAAI,qBAAA,EAAuB;AAC3E,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN;AAAA,SACF;AAAA,MACF;AAIA,MAAA,IAAA,CAAK,kBAAA,EAAmB;AACxB,MAAA,IAAA,CAAK,sBAAA,EAAuB;AAAA,IAC9B;AAEA,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,iBAAA,CACJ,KAAA,EACA,OAAA,EAC2B;AAI3B,IAAA,IAAI,IAAA,CAAK,cAAc,OAAA,EAAS;AAC9B,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,wBAAA,CAAyB,OAAkB,CAAA;AAC1E,MAAA,IAAI,aAAa,OAAO,WAAA;AAAA,IAC1B;AAGA,IAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,EAAU;AACvC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,MAAMC,eAAA,CAAW,KAAA,EAAO,KAAK,OAAO,CAAA;AACjD,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,cAAc,IAAA,EAAiB;AAEnC,IAAA,OAAO,CAAC,EAAE,IAAA,CAAK,GAAA,IAAQ,IAAA,CAA2B,EAAA,CAAA;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,aAAa,OAAA,EAAiC;AACpD,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAM,QAAQ,UAAA,CAAW,OAAA,CAAQ,aAAA,EAAe,EAAE,EAAE,IAAA,EAAK;AACzD,MAAA,IAAI,OAAO,OAAO,KAAA;AAAA,IACpB;AAEA,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAC3C,IAAA,IAAI,MAAA,EAAQ;AAEV,MAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,mBAAmB,CAAA;AAC9C,MAAA,IAAI,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,MAAM,CAAC,CAAA;AAAA,IAChC;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,eAAe,OAAA,EAA0C;AAE7D,IAAA,IAAI,KAAK,UAAA,EAAY;AACnB,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,wBAAA,CAAyB,OAAO,CAAA;AAC/D,MAAA,IAAI,aAAa,OAAO,WAAA;AAAA,IAC1B;AAGA,IAAA,MAAM,KAAA
,GAAQ,IAAA,CAAK,YAAA,CAAa,OAAO,CAAA;AACvC,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,iBAAA,CAAkB,KAAK,CAAA;AAClD,MAAA,IAAI,CAAC,OAAA,EAAS,GAAA,EAAK,OAAO,IAAA;AAG1B,MAAA,IAAI;AACF,QAAA,MAAM,YAAY,MAAM,IAAA,CAAK,MAAM,KAAA,CAAM,OAAA,CAAQ,QAAQ,GAAG,CAAA;AAC5D,QAAA,OAAO;AAAA,UACL,IAAI,SAAA,CAAU,EAAA;AAAA,UACd,KAAA,EAAO,SAAA,CAAU,cAAA,GAAiB,CAAC,CAAA,EAAG,YAAA;AAAA,UACtC,IAAA,EAAM,CAAC,SAAA,CAAU,SAAA,EAAW,SAAA,CAAU,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,UAC7E,WAAW,SAAA,CAAU,QAAA;AAAA,UACrB,UAAU,SAAA,CAAU;AAAA,SACtB;AAAA,MACF,CAAA,CAAA,MAAQ;AAEN,QAAA,OAAO;AAAA,UACL,IAAI,OAAA,CAAQ,GAAA;AAAA,UACZ,KAAA,EAAQ,QAAQ,KAAA,IAAoB,MAAA;AAAA,UACpC,IAAA,EAAO,QAAQ,IAAA,IAAmB;AAAA,SACpC;AAAA,MACF;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,MAAA,EAAwC;AACpD,IAAA,IAAI;AACF,MAAA,MAAM,YAAY,MAAM,IAAA,CAAK,KAAA,CAAM,KAAA,CAAM,QAAQ,MAAM,CAAA;AACvD,MAAA,OAAO;AAAA,QACL,IAAI,SAAA,CAAU,EAAA;AAAA,QACd,KAAA,EAAO,SAAA,CAAU,cAAA,GAAiB,CAAC,CAAA,EAAG,YAAA;AAAA,QACtC,IAAA,EAAM,CAAC,SAAA,CAAU,SAAA,EAAW,SAAA,CAAU,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA,IAAK,MAAA;AAAA,QAC7E,WAAW,SAAA,CAAU,QAAA;AAAA,QACrB,UAAU,SAAA,CAAU;AAAA,OACtB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,MAAA,EAAS,KAAK,EAAE,CAAA,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAA,GAAwB;AACtB,IAAA,OAAO,IAAA,CAAK,UAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAqB;AACnB,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,MAAA,EAAwB;AAC1C,IAAA,MAAM,KAAA,GAAQ,2CAA2C,MAAM,CAAA,CAAA;AAC/D,IAAA,OAAO,IAAA,CAAK,aAAA,GAAgB,CAAA,EAAG,KAAK,CAAA,QAAA,CAAA,GAAa,KAAA;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,yBACZ,OAAA,EACwB;AAExB,IAAA,MAAM,MAAA,GACJ,QAAA,IAAY,OAAA,IAAW,OAAQ,QAAgB,MAAA,KAAW,UAAA,GACrD,OAAA,CAAgB,MAAA,CAAO,QAAQ,CAAA,GAC/B,OAAA,CAAoB,OAAA,EAAS,IAAI,QAAQ,CAAA;AAChD,IAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AAEpB,IAAA,MAAM,KAAA
,GAAQ,MAAA,CAAO,KAAA,CAAM,IAAI,MAAA,CAAO,CAAA,WAAA,EAAc,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AAC3F,IAAA,IAAI,CAAC,KAAA,GAAQ,CAAC,CAAA,EAAG,OAAO,IAAA;AAExB,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAe,MAAM,cAAA,CAAe,kBAAA,CAAmB,MAAM,CAAC,CAAC,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA;AAK3F,MAAA,IAAI,WAAA,CAAY,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AACtC,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,WAAA,CAAY,IAAA;AAAA,IACrB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,kBAAA,GAAqB;AAC3B,IAAA,MAAM,IAAA,GAAO,IAAA;AAEb,IAAC,IAAA,CAAyC,WAAA,GAAc,eACtD,WAAA,EACA,KAAA,EACiB;AAGjB,MAAA,MAAM,iBAAA,GAAoB,eAAe,IAAA,CAAK,YAAA;AAC9C,MAAA,IAAI,CAAC,iBAAA,EAAmB;AACtB,QAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,MAC1D;AAEA,MAAA,MAAM,cAAc,MAAM,gBAAA,CAAiB,KAAA,EAAO,iBAAA,EAAmB,KAAK,cAAc,CAAA;AAExF,MAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,QACjC,WAAW,IAAA,CAAK,aAAA;AAAA,QAChB,aAAA,EAAe,MAAA;AAAA,QACf,KAAA,EAAO,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AAAA,QAC3B,YAAA,EAAc,iBAAA;AAAA,QACd,KAAA,EAAO;AAAA,OACR,CAAA;AAED,MAAA,OAAO,GAAG,IAAA,CAAK,OAAO,CAAA,iBAAA,EAAoB,MAAA,CAAO,UAAU,CAAA,CAAA;AAAA,IAC7D,CAAA;AAEA,IAAC,IAAA,CAAyC,cAAA,GAAiB,eACzD,IAAA,EACA,UAAA,EACoC;AAEpC,MAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,gBAAA,CAAiB,UAAA,EAAY,KAAK,cAAc,CAAA;AAG9E,MAAA,MAAM,gBAAgB,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,YAAA,CAAA,EAAgB;AAAA,QAC/D,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,mCAAA;AAAA,UAChB,aAAA,EAAe,CAAA,MAAA,EAAS,IAAA,CAAK,CAAA,EAAG,IAAA,CAAK,aAAa,CAAA,CAAA,EAAI,IAAA,CAAK,iBAAiB,CAAA,CAAE,CAAC,CAAA;AAAA,SACjF;AAAA,QACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,UACxB,UAAA,EAAY,oBAAA;AAAA,UACZ,IAAA;AAAA,UACA,YAAA,EAAc;AAAA,SACf,CAAA;AAAA,QACD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA;AAAA,OACnC,CAAA;AAED,MAAA,IAAI,CAAC,cAAc,EAAA,EAAI;AACrB,QAAA,MAAM,KAAA,GAAQ,MAAM,aAAA,CAAc,IAAA,EAAK;AACvC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,KAAK,CAAA,CAAE,CAAA;AAAA,MACnD;AAEA,MAAA,MAAM,MAAA,GAAU,MAAM,aAAA,CAAc,IAAA,EAAK;AASzC,MAAA,IAAI,IAAA;AACJ,MAAA,IAAI,OAAO,QAAA,
EAAU;AACnB,QAAA,MAAM,UAAU,MAAMA,eAAA,CAAW,MAAA,CAAO,QAAA,EAAU,KAAK,OAAO,CAAA;AAC9D,QAAA,IAAA,GAAO;AAAA,UACL,IAAI,OAAA,CAAQ,GAAA;AAAA,UACZ,KAAA,EAAQ,QAAQ,KAAA,IAAoB,MAAA;AAAA,UACpC,IAAA,EAAO,QAAQ,IAAA,IAAmB,MAAA;AAAA,UAClC,SAAA,EAAY,QAAQ,OAAA,IAAsB;AAAA,SAC5C;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,mBAAmB,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,OAAO,CAAA,eAAA,CAAA,EAAmB;AAAA,UACrE,SAAS,EAAE,aAAA,EAAe,CAAA,OAAA,EAAU,MAAA,CAAO,YAAY,CAAA,CAAA,EAAG;AAAA,UAC1D,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA;AAAA,SACnC,CAAA;AAED,QAAA,IAAI,CAAC,iBAAiB,EAAA,EAAI;AACxB,UAAA,MAAM,IAAI,MAAM,sCAAsC,CAAA;AAAA,QACxD;AAEA,QAAA,MAAM,QAAA,GAAY,MAAM,gBAAA,CAAiB,IAAA,EAAK;AAM9C,QAAA,IAAA,GAAO;AAAA,UACL,IAAI,QAAA,CAAS,GAAA;AAAA,UACb,OAAO,QAAA,CAAS,KAAA;AAAA,UAChB,MAAM,QAAA,CAAS,IAAA;AAAA,UACf,WAAW,QAAA,CAAS;AAAA,SACtB;AAAA,MACF;AAGA,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,EAAE,CAAA;AAC3C,QAAA,IAAI,QAAA,EAAU;AACZ,UAAA,IAAA,GAAO,QAAA;AAAA,QACT;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAGA,MAAA,MAAM,WAAA,GAAc;AAAA,QAClB,IAAA;AAAA,QACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,KAAK,YAAA,GAAe;AAAA,OAC9C;AAEA,MAAA,MAAM,gBAAA,GAAmB,MAAM,cAAA,CAAe,WAAA,EAAa,KAAK,cAAc,CAAA;AAC9E,MAAA,MAAM,WAAA,GAAc,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,CAAA,EAAI,kBAAA,CAAmB,gBAAgB,CAAC,CAAA,EAAA,EAAK,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,YAAY,CAAC,CAAA,CAAA;AAEtH,MAAA,OAAO;AAAA,QACL,IAAA;AAAA,QACA,MAAA,EAAQ;AAAA,UACN,aAAa,MAAA,CAAO,YAAA;AAAA,UACpB,cAAc,MAAA,CAAO,aAAA;AAAA,UACrB,SAAS,MAAA,CAAO,QAAA;AAAA,UAChB,SAAA,EAAW,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,MAAA,CAAO,aAAa,GAAI;AAAA,SAC3D;AAAA,QACA,OAAA,EAAS,CAAC,WAAW;AAAA,OACvB;AAAA,IACF,CAAA;AAEA,IAAC,IAAA,CAAyC,uBAAuB,WAA4B;AAC3F,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,IAAA,EAAM,oBAAA;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,IACF,CAAA;AAEA,IAAC,IAAA,CAAyC,eAAA,GAAkB,SAAU,MAAA,EAA0B;AAC9F,MAAA,OAAO,EAAC;AAAA,IACV,CAAA;AAEA,IAAC,IAAA,CAAyC,YAAA,GAAe,eACvD,YAAA,EACA,QAAA,EACwB;AACxB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,sBAAA,GAAyB;AAC/B,IAAA,MAAM,I
AAA,GAAO,IAAA;AAEb,IAAC,IAAA,CAA8C,aAAA,GAAgB,eAC7D,MAAA,EACA,QAAA,EACkB;AAClB,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,OAAO;AAAA,QACL,EAAA,EAAI,OAAO,UAAA,EAAW;AAAA,QACtB,MAAA;AAAA,QACA,SAAA,EAAW,GAAA;AAAA,QACX,SAAA,EAAW,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,IAAA,CAAK,eAAe,GAAI,CAAA;AAAA,QAC5D;AAAA,OACF;AAAA,IACF,CAAA;AAGA,IAAC,IAAA,CAA8C,eAAA,GAAkB,eAC/D,UAAA,EACyB;AACzB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAGA,IAAC,IAAA,CAA8C,cAAA,GAAiB,eAC9D,UAAA,EACe;AAAA,IAAC,CAAA;AAGlB,IAAC,IAAA,CAA8C,cAAA,GAAiB,eAC9D,UAAA,EACyB;AACzB,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAEA,IAAC,IAAA,CAA8C,uBAAA,GAA0B,SACvE,OAAA,EACe;AACf,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAC3C,MAAA,IAAI,CAAC,QAAQ,OAAO,IAAA;AACpB,MAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,IAAI,MAAA,CAAO,CAAA,WAAA,EAAc,WAAA,CAAY,IAAA,CAAK,UAAU,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AAC3F,MAAA,OAAO,QAAQ,CAAC,CAAA,GAAI,mBAAmB,KAAA,CAAM,CAAC,CAAC,CAAA,GAAI,IAAA;AAAA,IACrD,CAAA;AAEA,IAAC,IAAA,CAA8C,iBAAA,GAAoB,SACjE,QAAA,EACwB;AACxB,MAAA,OAAO,EAAC;AAAA,IACV,CAAA;AAEA,IAAC,IAAA,CAA8C,yBAAyB,WAAoC;AAC1G,MAAA,OAAO;AAAA,QACL,YAAA,EAAc,GAAG,IAAA,CAAK,UAAU,MAAM,IAAA,CAAK,WAAA,CAAY,CAAC,CAAC,CAAA;AAAA,OAC3D;AAAA,IACF,CAAA;AAAA,EACF;AACF","file":"index.cjs","sourcesContent":["import { createClerkClient } from '@clerk/backend';\nimport type { ClerkClient } from '@clerk/backend';\nimport { verifyJwks } from '@mastra/auth';\nimport type { JwtPayload } from '@mastra/auth';\nimport type {\n ISSOProvider,\n ISessionProvider,\n IUserProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\n\ntype ClerkUser = JwtPayload;\n\n/** Default cookie name for Clerk SSO sessions */\nconst DEFAULT_COOKIE_NAME = 'clerk_session';\n\n/** Default cookie max age (24 hours) */\nconst DEFAULT_COOKIE_MAX_AGE = 86400;\n\n/** Default OAuth scopes 
*/\nconst DEFAULT_SCOPES = ['openid', 'profile', 'email'];\n\n/** PBKDF2 salt length in bytes */\nconst SALT_LENGTH = 16;\n\n/** AES-GCM IV length in bytes */\nconst IV_LENGTH = 12;\n\n/**\n * Derive an AES-GCM key from password + salt using PBKDF2.\n */\nasync function deriveKey(password: string, salt: Uint8Array, usage: 'encrypt' | 'decrypt') {\n const encoder = new TextEncoder();\n const keyMaterial = await crypto.subtle.importKey('raw', encoder.encode(password), 'PBKDF2', false, [\n 'deriveBits',\n 'deriveKey',\n ]);\n return crypto.subtle.deriveKey(\n { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },\n keyMaterial,\n { name: 'AES-GCM', length: 256 },\n false,\n [usage],\n );\n}\n\n/**\n * Encrypt session data for cookie storage.\n * Format: base64(salt || iv || ciphertext)\n */\nasync function encryptSession(data: unknown, password: string): Promise<string> {\n const encoder = new TextEncoder();\n const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));\n const key = await deriveKey(password, salt, 'encrypt');\n const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));\n const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoder.encode(JSON.stringify(data)));\n const combined = new Uint8Array(salt.length + iv.length + new Uint8Array(encrypted).length);\n combined.set(salt);\n combined.set(iv, salt.length);\n combined.set(new Uint8Array(encrypted), salt.length + iv.length);\n return btoa(String.fromCharCode(...combined));\n}\n\n/**\n * Decrypt session data from cookie.\n */\nasync function decryptSession(encrypted: string, password: string): Promise<unknown> {\n const combined = Uint8Array.from(atob(encrypted), c => c.charCodeAt(0));\n const salt = combined.slice(0, SALT_LENGTH);\n const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);\n const data = combined.slice(SALT_LENGTH + IV_LENGTH);\n const key = await deriveKey(password, salt, 'decrypt');\n const decrypted = await crypto.subtle.decrypt({ 
name: 'AES-GCM', iv }, key, data);\n return JSON.parse(new TextDecoder().decode(decrypted));\n}\n\n/** OAuth state token expiry (10 minutes) */\nconst STATE_TOKEN_EXPIRY_MS = 10 * 60 * 1000;\n\ninterface StatePayload {\n /** Original state from caller */\n s: string;\n /** Redirect URI */\n r: string;\n /** Expiry timestamp */\n e: number;\n}\n\n/**\n * Sign data using HMAC-SHA256 (Web Crypto API).\n * Returns base64url-encoded signature.\n */\nasync function hmacSign(data: string, secret: string): Promise<string> {\n const encoder = new TextEncoder();\n const keyData = encoder.encode(secret);\n const dataBytes = encoder.encode(data);\n\n // Import the secret key for HMAC-SHA256\n const cryptoKey = await crypto.subtle.importKey('raw', keyData, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);\n\n // Sign the data\n const signature = await crypto.subtle.sign('HMAC', cryptoKey, dataBytes);\n\n // Convert to base64url\n const sigBytes = new Uint8Array(signature);\n return btoa(String.fromCharCode(...sigBytes))\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=/g, '');\n}\n\n/**\n * Timing-safe string comparison.\n */\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let result = 0;\n for (let i = 0; i < a.length; i++) {\n result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return result === 0;\n}\n\n/**\n * Create a signed state token for OAuth CSRF protection (stateless).\n * Format: base64(payload).base64url(signature)\n */\nasync function createStateToken(originalState: string, redirectUri: string, secret: string): Promise<string> {\n const payload: StatePayload = {\n s: originalState,\n r: redirectUri,\n e: Date.now() + STATE_TOKEN_EXPIRY_MS,\n };\n const payloadB64 = btoa(JSON.stringify(payload));\n const signature = await hmacSign(payloadB64, secret);\n return `${payloadB64}.${signature}`;\n}\n\n/**\n * Verify and decode a state token.\n * Returns the original state and redirectUri if valid and 
not expired.\n */\nasync function verifyStateToken(\n stateToken: string,\n secret: string,\n): Promise<{ originalState: string; redirectUri: string }> {\n const parts = stateToken.split('.');\n if (parts.length !== 2) {\n throw new Error('Invalid state token format');\n }\n\n const [payloadB64, signature] = parts;\n const expectedSig = await hmacSign(payloadB64!, secret);\n if (!timingSafeEqual(signature!, expectedSig)) {\n throw new Error('Invalid state token signature');\n }\n\n const payload = JSON.parse(atob(payloadB64!)) as StatePayload;\n if (payload.e < Date.now()) {\n throw new Error('State token has expired');\n }\n\n return { originalState: payload.s, redirectUri: payload.r };\n}\n\n/**\n * Escape special regex characters in a string.\n */\nfunction escapeRegex(str: string): string {\n return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\n/**\n * Derive the Frontend API (FAPI) URL from a Clerk publishable key.\n * The publishable key is: prefix + base64(fapiDomain + \"$\")\n */\nfunction deriveFapiUrl(publishableKey: string): string {\n const withoutPrefix = publishableKey.replace(/^pk_(test|live)_/, '');\n const decoded = atob(withoutPrefix);\n const domain = decoded.replace(/\\$$/, '');\n return `https://${domain}`;\n}\n\ninterface MastraAuthClerkSessionOptions {\n /** Cookie name for the session (default: 'clerk_session') */\n cookieName?: string;\n /** Cookie max age in seconds (default: 86400 = 24 hours) */\n cookieMaxAge?: number;\n /** Cookie encryption password (min 32 chars). 
Falls back to CLERK_COOKIE_PASSWORD env var */\n cookiePassword?: string;\n /** Use Secure flag on cookies (default: true in production) */\n secureCookies?: boolean;\n}\n\ninterface MastraAuthClerkOptions extends MastraAuthProviderOptions<ClerkUser> {\n jwksUri?: string;\n secretKey?: string;\n publishableKey?: string;\n /**\n * OAuth Client ID for Clerk as IdP (SSO).\n * Create an OAuth Application in the Clerk Dashboard to get this.\n * Falls back to CLERK_OAUTH_CLIENT_ID env var.\n */\n oauthClientId?: string;\n /**\n * OAuth Client Secret for Clerk as IdP (SSO).\n * Falls back to CLERK_OAUTH_CLIENT_SECRET env var.\n */\n oauthClientSecret?: string;\n /**\n * OAuth redirect URI for the SSO callback.\n * Falls back to CLERK_OAUTH_REDIRECT_URI env var.\n * Typically: http://localhost:4111/api/auth/sso/callback\n */\n redirectUri?: string;\n /**\n * OAuth scopes to request (default: ['openid', 'profile', 'email'])\n */\n scopes?: string[];\n /**\n * Session configuration for SSO cookie management.\n */\n session?: MastraAuthClerkSessionOptions;\n}\n\n/**\n * Clerk authentication provider for Mastra.\n *\n * Always implements IUserProvider for JWT-based user detection.\n *\n * When OAuth credentials are configured (oauthClientId + oauthClientSecret),\n * also dynamically adds ISSOProvider + ISessionProvider methods for Studio login\n * using Clerk as an OAuth 2.0 / OIDC Identity Provider.\n *\n * @example Basic usage (IUserProvider only — validates JWTs)\n * ```typescript\n * const auth = new MastraAuthClerk({\n * jwksUri: 'https://your-app.clerk.accounts.dev/.well-known/jwks.json',\n * secretKey: 'sk_test_...',\n * publishableKey: 'pk_test_...',\n * });\n * ```\n *\n * @example With SSO for Studio login\n * ```typescript\n * const auth = new MastraAuthClerk({\n * jwksUri: 'https://your-app.clerk.accounts.dev/.well-known/jwks.json',\n * secretKey: 'sk_test_...',\n * publishableKey: 'pk_test_...',\n * oauthClientId: 'your-oauth-client-id',\n * oauthClientSecret: 
'your-oauth-client-secret',\n * });\n * ```\n */\nexport class MastraAuthClerk extends MastraAuthProvider<ClerkUser> implements IUserProvider<EEUser> {\n protected clerk: ClerkClient;\n protected jwksUri: string;\n protected publishableKey: string;\n protected fapiUrl: string;\n\n // SSO fields\n private oauthClientId: string | null;\n private oauthClientSecret: string | null;\n private _redirectUri: string | null;\n private scopes: string[];\n private cookieName: string;\n private cookieMaxAge: number;\n private cookiePassword: string;\n private secureCookies: boolean;\n private ssoEnabled: boolean;\n\n constructor(options?: MastraAuthClerkOptions) {\n super({ name: options?.name ?? 'clerk' });\n\n const jwksUri = options?.jwksUri ?? process.env.CLERK_JWKS_URI;\n const secretKey = options?.secretKey ?? process.env.CLERK_SECRET_KEY;\n const publishableKey = options?.publishableKey ?? process.env.CLERK_PUBLISHABLE_KEY;\n\n if (!jwksUri || !secretKey || !publishableKey) {\n throw new Error(\n 'Clerk JWKS URI, secret key and publishable key are required, please provide them in the options or set the environment variables CLERK_JWKS_URI, CLERK_SECRET_KEY and CLERK_PUBLISHABLE_KEY',\n );\n }\n\n this.jwksUri = jwksUri;\n this.publishableKey = publishableKey;\n this.fapiUrl = deriveFapiUrl(publishableKey);\n this.clerk = createClerkClient({\n secretKey,\n publishableKey,\n });\n\n // SSO configuration (optional — enables Studio login)\n const oauthClientId = options?.oauthClientId ?? process.env.CLERK_OAUTH_CLIENT_ID;\n const oauthClientSecret = options?.oauthClientSecret ?? process.env.CLERK_OAUTH_CLIENT_SECRET;\n const redirectUri = options?.redirectUri ?? process.env.CLERK_OAUTH_REDIRECT_URI;\n const cookiePassword =\n options?.session?.cookiePassword ??\n process.env.CLERK_COOKIE_PASSWORD ??\n crypto.randomUUID() + crypto.randomUUID();\n\n this.oauthClientId = oauthClientId ?? null;\n this.oauthClientSecret = oauthClientSecret ?? 
null;\n this._redirectUri = redirectUri ?? null;\n this.scopes = options?.scopes ?? DEFAULT_SCOPES;\n this.cookieName = options?.session?.cookieName ?? DEFAULT_COOKIE_NAME;\n this.cookieMaxAge = options?.session?.cookieMaxAge ?? DEFAULT_COOKIE_MAX_AGE;\n this.cookiePassword = cookiePassword;\n this.secureCookies = options?.session?.secureCookies ?? process.env.NODE_ENV === 'production';\n\n // SSO is enabled when OAuth credentials are configured\n this.ssoEnabled = !!(oauthClientId && oauthClientSecret);\n\n if (this.ssoEnabled) {\n if (cookiePassword.length < 32) {\n throw new Error(\n 'Cookie password must be at least 32 characters for SSO. Set CLERK_COOKIE_PASSWORD environment variable.',\n );\n }\n\n if (!options?.session?.cookiePassword && !process.env.CLERK_COOKIE_PASSWORD) {\n console.warn(\n '[MastraAuthClerk] No cookie password set — using auto-generated value. Sessions will not survive restarts. Set CLERK_COOKIE_PASSWORD for production use.',\n );\n }\n\n // Dynamically add ISSOProvider + ISessionProvider methods\n // so that duck-typing detection (implementsInterface) only finds them when SSO is configured\n this._attachSSOProvider();\n this._attachSessionProvider();\n }\n\n this.registerOptions(options);\n }\n\n // ============================================================================\n // MastraAuthProvider Implementation\n // ============================================================================\n\n async authenticateToken(\n token: string,\n request?: Request | { header(name: string): string | undefined },\n ): Promise<ClerkUser | null> {\n // When SSO is enabled, try the encrypted session cookie first (like Okta pattern).\n // The auth middleware may call this with an empty token for browser requests\n // that only carry a session cookie.\n if (this.ssoEnabled && request) {\n const sessionUser = await this.getUserFromSessionCookie(request as Request);\n if (sessionUser) return sessionUser as unknown as ClerkUser;\n }\n\n // Fall back to 
JWT verification from Authorization header\n if (!token || typeof token !== 'string') {\n return null;\n }\n\n try {\n const user = await verifyJwks(token, this.jwksUri);\n return user;\n } catch {\n return null;\n }\n }\n\n async authorizeUser(user: ClerkUser) {\n // Session cookie users have `id`, JWT users have `sub`\n return !!(user.sub || (user as unknown as EEUser).id);\n }\n\n // ============================================================================\n // IUserProvider Implementation\n // ============================================================================\n\n /**\n * Extract the bearer token from the request's Authorization header or __session cookie.\n */\n private extractToken(request: Request): string | null {\n const authHeader = request.headers.get('Authorization');\n if (authHeader) {\n const token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n if (token) return token;\n }\n\n const cookie = request.headers.get('Cookie');\n if (cookie) {\n // Clerk's default session cookie is __session\n const match = cookie.match(/__session=([^;]+)/);\n if (match?.[1]) return match[1];\n }\n\n return null;\n }\n\n async getCurrentUser(request: Request): Promise<EEUser | null> {\n // First try to get user from our SSO session cookie\n if (this.ssoEnabled) {\n const sessionUser = await this.getUserFromSessionCookie(request);\n if (sessionUser) return sessionUser;\n }\n\n // Fall back to token-based auth (Authorization header or __session cookie)\n const token = this.extractToken(request);\n if (!token) return null;\n\n try {\n const payload = await this.authenticateToken(token);\n if (!payload?.sub) return null;\n\n // Try to fetch full user details from Clerk API\n try {\n const clerkUser = await this.clerk.users.getUser(payload.sub);\n return {\n id: clerkUser.id,\n email: clerkUser.emailAddresses?.[0]?.emailAddress,\n name: [clerkUser.firstName, clerkUser.lastName].filter(Boolean).join(' ') || undefined,\n avatarUrl: clerkUser.imageUrl,\n metadata: 
clerkUser.publicMetadata as Record<string, unknown> | undefined,\n };\n } catch {\n // Fall back to JWT claims if Clerk API call fails\n return {\n id: payload.sub,\n email: (payload.email as string) ?? undefined,\n name: (payload.name as string) ?? undefined,\n };\n }\n } catch {\n return null;\n }\n }\n\n async getUser(userId: string): Promise<EEUser | null> {\n try {\n const clerkUser = await this.clerk.users.getUser(userId);\n return {\n id: clerkUser.id,\n email: clerkUser.emailAddresses?.[0]?.emailAddress,\n name: [clerkUser.firstName, clerkUser.lastName].filter(Boolean).join(' ') || undefined,\n avatarUrl: clerkUser.imageUrl,\n metadata: clerkUser.publicMetadata as Record<string, unknown> | undefined,\n };\n } catch {\n return null;\n }\n }\n\n getUserProfileUrl(user: EEUser): string {\n return `/user/${user.id}`;\n }\n\n // ============================================================================\n // Helper Methods\n // ============================================================================\n\n /**\n * Check if SSO is enabled (OAuth credentials are configured).\n */\n isSSOEnabled(): boolean {\n return this.ssoEnabled;\n }\n\n /**\n * Get the derived Frontend API URL.\n */\n getFapiUrl(): string {\n return this.fapiUrl;\n }\n\n /**\n * Build consistent cookie attribute string for set/clear operations.\n */\n private cookieFlags(maxAge: number): string {\n const flags = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`;\n return this.secureCookies ? `${flags}; Secure` : flags;\n }\n\n /**\n * Extract user from the encrypted SSO session cookie.\n */\n private async getUserFromSessionCookie(\n request: Request | { header(name: string): string | undefined },\n ): Promise<EEUser | null> {\n // Handle both standard Request and HonoRequest (.header() vs .headers.get())\n const cookie =\n 'header' in request && typeof (request as any).header === 'function'\n ? 
(request as any).header('cookie')\n : (request as Request).headers?.get('cookie');\n if (!cookie) return null;\n\n const match = cookie.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(this.cookieName)}=([^;]+)`));\n if (!match?.[1]) return null;\n\n try {\n const sessionData = (await decryptSession(decodeURIComponent(match[1]), this.cookiePassword)) as {\n user: EEUser;\n expiresAt: number;\n };\n\n if (sessionData.expiresAt < Date.now()) {\n return null; // Session expired\n }\n\n return sessionData.user;\n } catch {\n return null; // Invalid/corrupt cookie\n }\n }\n\n // ============================================================================\n // Dynamic ISSOProvider attachment (only when OAuth is configured)\n // ============================================================================\n\n /**\n * Dynamically attach ISSOProvider methods to this instance.\n * This ensures duck-typing detection only finds these methods when SSO is configured.\n */\n private _attachSSOProvider() {\n const self = this;\n\n (this as unknown as ISSOProvider<EEUser>).getLoginUrl = async function (\n redirectUri: string,\n state: string,\n ): Promise<string> {\n // Create signed state token containing redirectUri and expiry\n // This is stateless — works in serverless and load-balanced environments\n const actualRedirectUri = redirectUri ?? 
self._redirectUri;\n if (!actualRedirectUri) {\n throw new Error('Redirect URI is required for SSO login');\n }\n\n const signedState = await createStateToken(state, actualRedirectUri, self.cookiePassword);\n\n const params = new URLSearchParams({\n client_id: self.oauthClientId!,\n response_type: 'code',\n scope: self.scopes.join(' '),\n redirect_uri: actualRedirectUri,\n state: signedState,\n });\n\n return `${self.fapiUrl}/oauth/authorize?${params.toString()}`;\n };\n\n (this as unknown as ISSOProvider<EEUser>).handleCallback = async function (\n code: string,\n stateToken: string,\n ): Promise<SSOCallbackResult<EEUser>> {\n // Verify and decode the signed state token (throws if invalid/expired)\n const { redirectUri } = await verifyStateToken(stateToken, self.cookiePassword);\n\n // Exchange code for tokens using client_secret (confidential client)\n const tokenResponse = await fetch(`${self.fapiUrl}/oauth/token`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n Authorization: `Basic ${btoa(`${self.oauthClientId}:${self.oauthClientSecret}`)}`,\n },\n body: new URLSearchParams({\n grant_type: 'authorization_code',\n code,\n redirect_uri: redirectUri,\n }),\n signal: AbortSignal.timeout(10_000), // 10 second timeout\n });\n\n if (!tokenResponse.ok) {\n const error = await tokenResponse.text();\n throw new Error(`Token exchange failed: ${error}`);\n }\n\n const tokens = (await tokenResponse.json()) as {\n access_token: string;\n id_token?: string;\n refresh_token?: string;\n expires_in: number;\n token_type: string;\n };\n\n // Get user info — try ID token first, fall back to userinfo endpoint\n let user: EEUser;\n if (tokens.id_token) {\n const payload = await verifyJwks(tokens.id_token, self.jwksUri);\n user = {\n id: payload.sub!,\n email: (payload.email as string) ?? undefined,\n name: (payload.name as string) ?? undefined,\n avatarUrl: (payload.picture as string) ?? 
undefined,\n };\n } else {\n const userInfoResponse = await fetch(`${self.fapiUrl}/oauth/userinfo`, {\n headers: { Authorization: `Bearer ${tokens.access_token}` },\n signal: AbortSignal.timeout(10_000), // 10 second timeout\n });\n\n if (!userInfoResponse.ok) {\n throw new Error('Failed to fetch user info from Clerk');\n }\n\n const userInfo = (await userInfoResponse.json()) as {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n };\n user = {\n id: userInfo.sub,\n email: userInfo.email,\n name: userInfo.name,\n avatarUrl: userInfo.picture,\n };\n }\n\n // Try to enrich user with full Clerk data\n try {\n const fullUser = await self.getUser(user.id);\n if (fullUser) {\n user = fullUser;\n }\n } catch {\n // Use the user info we already have\n }\n\n // Create encrypted session cookie\n const sessionData = {\n user,\n expiresAt: Date.now() + self.cookieMaxAge * 1000,\n };\n\n const encryptedSession = await encryptSession(sessionData, self.cookiePassword);\n const cookieValue = `${self.cookieName}=${encodeURIComponent(encryptedSession)}; ${self.cookieFlags(self.cookieMaxAge)}`;\n\n return {\n user,\n tokens: {\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token,\n idToken: tokens.id_token,\n expiresAt: new Date(Date.now() + tokens.expires_in * 1000),\n },\n cookies: [cookieValue],\n };\n };\n\n (this as unknown as ISSOProvider<EEUser>).getLoginButtonConfig = function (): SSOLoginConfig {\n return {\n provider: 'clerk',\n text: 'Sign in with Clerk',\n description: 'Sign in using your Clerk account',\n };\n };\n\n (this as unknown as ISSOProvider<EEUser>).getLoginCookies = function (_state: string): string[] {\n return [];\n };\n\n (this as unknown as ISSOProvider<EEUser>).getLogoutUrl = async function (\n _redirectUri: string,\n _request?: Request,\n ): Promise<string | null> {\n return null;\n };\n }\n\n // ============================================================================\n // Dynamic ISessionProvider attachment 
(only when OAuth is configured)\n // ============================================================================\n\n /**\n * Dynamically attach ISessionProvider methods to this instance.\n */\n private _attachSessionProvider() {\n const self = this;\n\n (this as unknown as ISessionProvider<Session>).createSession = async function (\n userId: string,\n metadata?: Record<string, unknown>,\n ): Promise<Session> {\n const now = new Date();\n return {\n id: crypto.randomUUID(),\n userId,\n createdAt: now,\n expiresAt: new Date(now.getTime() + self.cookieMaxAge * 1000),\n metadata,\n };\n };\n\n // Cookie-only sessions — validation happens via decryption in getUserFromSessionCookie/authenticateToken\n (this as unknown as ISessionProvider<Session>).validateSession = async function (\n _sessionId: string,\n ): Promise<Session | null> {\n return null;\n };\n\n // Cookie-only sessions — destruction happens via getClearSessionHeaders setting Max-Age=0\n (this as unknown as ISessionProvider<Session>).destroySession = async function (\n _sessionId: string,\n ): Promise<void> {};\n\n // Cookie-only sessions — refresh not supported; user must re-authenticate after expiry\n (this as unknown as ISessionProvider<Session>).refreshSession = async function (\n _sessionId: string,\n ): Promise<Session | null> {\n return null;\n };\n\n (this as unknown as ISessionProvider<Session>).getSessionIdFromRequest = function (\n request: Request,\n ): string | null {\n const cookie = request.headers.get('Cookie');\n if (!cookie) return null;\n const match = cookie.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(self.cookieName)}=([^;]+)`));\n return match?.[1] ? 
decodeURIComponent(match[1]) : null;\n };\n\n (this as unknown as ISessionProvider<Session>).getSessionHeaders = function (\n _session: Session,\n ): Record<string, string> {\n return {};\n };\n\n (this as unknown as ISessionProvider<Session>).getClearSessionHeaders = function (): Record<string, string> {\n return {\n 'Set-Cookie': `${self.cookieName}=; ${self.cookieFlags(0)}`,\n };\n };\n }\n}\n"]}
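--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,19 +1,130 @@
  import type { ClerkClient } from '@clerk/backend';
  import type { JwtPayload } from '@mastra/auth';
+ import type { IUserProvider } from '@mastra/core/auth';
+ import type { EEUser } from '@mastra/core/auth/ee';
  import type { MastraAuthProviderOptions } from '@mastra/core/server';
  import { MastraAuthProvider } from '@mastra/core/server';
  type ClerkUser = JwtPayload;
+ interface MastraAuthClerkSessionOptions {
+ /** Cookie name for the session (default: 'clerk_session') */
+ cookieName?: string;
+ /** Cookie max age in seconds (default: 86400 = 24 hours) */
+ cookieMaxAge?: number;
+ /** Cookie encryption password (min 32 chars). Falls back to CLERK_COOKIE_PASSWORD env var */
+ cookiePassword?: string;
+ /** Use Secure flag on cookies (default: true in production) */
+ secureCookies?: boolean;
+ }
  interface MastraAuthClerkOptions extends MastraAuthProviderOptions<ClerkUser> {
  jwksUri?: string;
  secretKey?: string;
  publishableKey?: string;
+ /**
+ * OAuth Client ID for Clerk as IdP (SSO).
+ * Create an OAuth Application in the Clerk Dashboard to get this.
+ * Falls back to CLERK_OAUTH_CLIENT_ID env var.
+ */
+ oauthClientId?: string;
+ /**
+ * OAuth Client Secret for Clerk as IdP (SSO).
+ * Falls back to CLERK_OAUTH_CLIENT_SECRET env var.
+ */
+ oauthClientSecret?: string;
+ /**
+ * OAuth redirect URI for the SSO callback.
+ * Falls back to CLERK_OAUTH_REDIRECT_URI env var.
+ * Typically: http://localhost:4111/api/auth/sso/callback
+ */
+ redirectUri?: string;
+ /**
+ * OAuth scopes to request (default: ['openid', 'profile', 'email'])
+ */
+ scopes?: string[];
+ /**
+ * Session configuration for SSO cookie management.
+ */
+ session?: MastraAuthClerkSessionOptions;
  }
- export declare class MastraAuthClerk extends MastraAuthProvider<ClerkUser> {
+ /**
+ * Clerk authentication provider for Mastra.
+ *
+ * Always implements IUserProvider for JWT-based user detection.
+ *
+ * When OAuth credentials are configured (oauthClientId + oauthClientSecret),
+ * also dynamically adds ISSOProvider + ISessionProvider methods for Studio login
+ * using Clerk as an OAuth 2.0 / OIDC Identity Provider.
+ *
+ * @example Basic usage (IUserProvider only — validates JWTs)
+ * ```typescript
+ * const auth = new MastraAuthClerk({
+ * jwksUri: 'https://your-app.clerk.accounts.dev/.well-known/jwks.json',
+ * secretKey: 'sk_test_...',
+ * publishableKey: 'pk_test_...',
+ * });
+ * ```
+ *
+ * @example With SSO for Studio login
+ * ```typescript
+ * const auth = new MastraAuthClerk({
+ * jwksUri: 'https://your-app.clerk.accounts.dev/.well-known/jwks.json',
+ * secretKey: 'sk_test_...',
+ * publishableKey: 'pk_test_...',
+ * oauthClientId: 'your-oauth-client-id',
+ * oauthClientSecret: 'your-oauth-client-secret',
+ * });
+ * ```
+ */
+ export declare class MastraAuthClerk extends MastraAuthProvider<ClerkUser> implements IUserProvider<EEUser> {
  protected clerk: ClerkClient;
  protected jwksUri: string;
+ protected publishableKey: string;
+ protected fapiUrl: string;
+ private oauthClientId;
+ private oauthClientSecret;
+ private _redirectUri;
+ private scopes;
+ private cookieName;
+ private cookieMaxAge;
+ private cookiePassword;
+ private secureCookies;
+ private ssoEnabled;
  constructor(options?: MastraAuthClerkOptions);
- authenticateToken(token: string): Promise<ClerkUser | null>;
+ authenticateToken(token: string, request?: Request | {
+ header(name: string): string | undefined;
+ }): Promise<ClerkUser | null>;
  authorizeUser(user: ClerkUser): Promise<boolean>;
+ /**
+ * Extract the bearer token from the request's Authorization header or __session cookie.
+ */
+ private extractToken;
+ getCurrentUser(request: Request): Promise<EEUser | null>;
+ getUser(userId: string): Promise<EEUser | null>;
+ getUserProfileUrl(user: EEUser): string;
+ /**
+ * Check if SSO is enabled (OAuth credentials are configured).
+ */
+ isSSOEnabled(): boolean;
+ /**
+ * Get the derived Frontend API URL.
+ */
+ getFapiUrl(): string;
+ /**
+ * Build consistent cookie attribute string for set/clear operations.
+ */
+ private cookieFlags;
+ /**
+ * Extract user from the encrypted SSO session cookie.
+ */
+ private getUserFromSessionCookie;
+ /**
+ * Dynamically attach ISSOProvider methods to this instance.
+ * This ensures duck-typing detection only finds these methods when SSO is configured.
+ */
+ private _attachSSOProvider;
+ /**
+ * Dynamically attach ISessionProvider methods to this instance.
+ */
+ private _attachSessionProvider;
  }
  export {};
  //# sourceMappingURL=index.d.ts.map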
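Review bot: The `secureCookies` comment (new line 15) gives the default only as "true in production" without naming what decides "production", so a deployment that does not match that check would presumably issue the SSO session cookie without `Secure`. I would spell the signal out, e.g. `/** Use Secure flag on cookies. Defaults to true only when <PRODUCTION_CHECK: placeholder, take from the constructor>; set to true explicitly on any HTTPS deployment. */`. The same interface documents a 32-character minimum for `cookiePassword` (new line 13) but not what happens when both the option and `CLERK_COOKIE_PASSWORD` are missing or too short; one sentence on that failure mode would help operators. This declaration file is generated, so the comments would be edited in `../src/index.ts`, and the constructor body is not visible in this section.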
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEzD,KAAK,SAAS,GAAG,UAAU,CAAC;AAE5B,UAAU,sBAAuB,SAAQ,yBAAyB,CAAC,SAAS,CAAC;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,qBAAa,eAAgB,SAAQ,kBAAkB,CAAC,SAAS,CAAC;IAChE,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC;IAC7B,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;gBAEd,OAAO,CAAC,EAAE,sBAAsB;IAsBtC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAK3D,aAAa,CAAC,IAAI,EAAE,SAAS;CAGpC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAElD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,KAAK,EAGV,aAAa,EAId,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAEzD,KAAK,SAAS,GAAG,UAAU,CAAC;AA4K5B,UAAU,6BAA6B;IACrC,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6FAA6F;IAC7F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,UAAU,sBAAuB,SAAQ,yBAAyB,CAAC,SAAS,CAAC;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;OAEG;IACH,OAAO,CAAC,EAAE,6BAA6B,CAAC;CACzC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,eAAgB,SAAQ,kBAAkB,CAAC,SAAS,CAAE,YAAW,aAAa,CAAC,MAAM,CAAC;IACjG,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC;IAC7B,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,cAAc,EAAE,MAAM,CAAC;IACjC,SAAS,CAAC,OAAO,EAAE,MAAM,CAAC;IAG1B,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,iBAAiB,CAAgB;IACzC,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,aAAa,CAAU;IAC/B,OAAO,CAAC,UAAU,CAAU;gBAEhB,OAAO,CAAC,EAAE,sBAAsB;IAoEtC,iBAAiB,CACrB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,OAAO,GAAG;QAAE,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;KAAE,GAC/D,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IAsBtB,aAAa,CAAC,IAAI,EAAE,SAAS;IASnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAiBd,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAsCxD,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAerD,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAQvC;;OAEG;IACH,YAAY,IAAI,OAAO;IAIvB;;OAEG;IACH,UAAU,IAAI,MAAM;IAIpB;;OAEG;IACH,OAAO,CAAC,WA
AW;IAKnB;;OAEG;YACW,wBAAwB;IAiCtC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAuJ1B;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAyD/B"}