@mdguggenbichler/slugbase-core 0.0.1

package/backend/dist/app-factory.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Creates the Express app with middleware (security, CORS, session, passport, tenant, CSRF, Swagger).
+ * Does NOT mount API routes, static files, or error handlers — those are added by registerCoreRoutes and the app entry.
+ */
+import express from 'express';
+import { DatabaseSessionStore } from './utils/session-store.js';
+export interface CreateAppOptions {
+    /** If provided, used instead of the default single-tenant middleware. Used by cloud to set req.tenantId from org/session. */
+    tenantMiddleware?: (req: express.Request, res: express.Response, next: express.NextFunction) => void;
+    /** Database-backed session store (must be created after DB init). */
+    sessionStore: InstanceType<typeof DatabaseSessionStore>;
+}
+/**
+ * Build Express app with all core middleware. Call registerCoreRoutes(app, deps) next to mount API routes.
+ */
+export declare function createApp(options: CreateAppOptions): express.Express;
+//# sourceMappingURL=app-factory.d.ts.map

package/backend/dist/app-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-factory.d.ts","sourceRoot":"","sources":["../src/app-factory.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAgB9B,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAGhE,MAAM,WAAW,gBAAgB;IAC/B,6HAA6H;IAC7H,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,YAAY,KAAK,IAAI,CAAC;IACrG,qEAAqE;IACrE,YAAY,EAAE,YAAY,CAAC,OAAO,oBAAoB,CAAC,CAAC;CACzD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAsGpE"}

package/backend/dist/app-factory.js

@@ -0,0 +1,106 @@
+/**
+ * Creates the Express app with middleware (security, CORS, session, passport, tenant, CSRF, Swagger).
+ * Does NOT mount API routes, static files, or error handlers — those are added by registerCoreRoutes and the app entry.
+ */
+import express from 'express';
+import cors from 'cors';
+import cookieParser from 'cookie-parser';
+import session from 'express-session';
+import passport from 'passport';
+import swaggerUi from 'swagger-ui-express';
+import { setupOIDC } from './auth/oidc.js';
+import { setupJWT } from './auth/jwt.js';
+import { setupSecurityHeaders, generalRateLimiter, } from './middleware/security.js';
+import { tenantMiddleware } from './middleware/tenant.js';
+import { swaggerSpec } from './config/swagger.js';
+import { csrfProtection } from './middleware/security.js';
+import csrfRoutes from './routes/csrf.js';
+/**
+ * Build Express app with all core middleware. Call registerCoreRoutes(app, deps) next to mount API routes.
+ */
+export function createApp(options) {
+    const { sessionStore, tenantMiddleware: customTenantMiddleware } = options;
+    const app = express();
+    app.set('trust proxy', 1);
+    app.use(setupSecurityHeaders());
+    const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3000';
+    const allowedOriginsBase = [
+        frontendUrl,
+        'http://localhost:3000',
+        'http://localhost:3001',
+        'http://127.0.0.1:3000',
+        'http://127.0.0.1:3001',
+    ];
+    const extraOrigins = (process.env.CORS_EXTRA_ORIGINS || '')
+        .split(',')
+        .map((o) => o.trim())
+        .filter(Boolean);
+    const allowedOrigins = [...new Set([...allowedOriginsBase, ...extraOrigins])];
+    app.use(cors({
+        origin: (origin, callback) => {
+            if (!origin)
+                return callback(null, true);
+            if (allowedOrigins.includes(origin))
+                return callback(null, true);
+            if (process.env.NODE_ENV === 'development' && origin.includes('localhost'))
+                return callback(null, true);
+            callback(new Error('Not allowed by CORS'));
+        },
+        credentials: true,
+    }));
+    app.use(express.json({ limit: '10mb' }));
+    app.use(express.urlencoded({ extended: true, limit: '10mb' }));
+    app.use(cookieParser());
+    const DEFAULT_SESSION_SECRET = 'slugbase-session-secret-change-in-production';
+    const sessionSecret = process.env.SESSION_SECRET || process.env.JWT_SECRET || DEFAULT_SESSION_SECRET;
+    if (process.env.NODE_ENV === 'production' && sessionSecret === DEFAULT_SESSION_SECRET) {
+        throw new Error('Cannot use default session secret in production. Set SESSION_SECRET.');
+    }
+    const baseUrl = process.env.BASE_URL || 'http://localhost:5000';
+    const isHttps = baseUrl.startsWith('https://');
+    const isProduction = process.env.NODE_ENV === 'production' && isHttps;
+    app.use(session({
+        secret: sessionSecret,
+        resave: false,
+        saveUninitialized: true,
+        name: 'slugbase.sid',
+        store: sessionStore,
+        cookie: {
+            httpOnly: true,
+            secure: isProduction,
+            sameSite: 'lax',
+            maxAge: 10 * 60 * 1000,
+            path: '/',
+        },
+    }));
+    app.use(generalRateLimiter);
+    app.use(customTenantMiddleware ?? tenantMiddleware);
+    setupOIDC();
+    setupJWT();
+    app.use(passport.initialize());
+    app.use(passport.session());
+    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec, {
+        customCss: '.swagger-ui .topbar { display: none }',
+        customSiteTitle: 'SlugBase API Documentation',
+    }));
+    app.use('/api/csrf-token', csrfRoutes);
+    app.use((req, res, next) => {
+        if (['GET', 'HEAD', 'OPTIONS'].includes(req.method))
+            return next();
+        if (req.path.startsWith('/api/password-reset') ||
+            req.path === '/api/auth/setup' ||
+            req.path === '/api/auth/refresh' ||
+            req.path === '/api/auth/register' ||
+            req.path === '/api/auth/verify-signup' ||
+            req.path === '/api/auth/resend-signup-verification' ||
+            req.path === '/api/auth/request-signup-resend' ||
+            req.path === '/api/health' ||
+            req.path === '/api/csrf-token' ||
+            req.path.startsWith('/api-docs')) {
+            return next();
+        }
+        csrfProtection(req, res, next);
+    });
+    return app;
+}
+//# sourceMappingURL=app-factory.js.map

package/backend/dist/app-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-factory.js","sourceRoot":"","sources":["../src/app-factory.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,YAAY,MAAM,eAAe,CAAC;AACzC,OAAO,OAAO,MAAM,iBAAiB,CAAC;AACtC,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,SAAS,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAsB,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,GAEnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,OAAO,UAAU,MAAM,kBAAkB,CAAC;AAS1C;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,OAAyB;IACjD,MAAM,EAAE,YAAY,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,GAAG,OAAO,CAAC;IAE3E,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAE1B,GAAG,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC,CAAC;IAEhC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,uBAAuB,CAAC;IACxE,MAAM,kBAAkB,GAAG;QACzB,WAAW;QACX,uBAAuB;QACvB,uBAAuB;QACvB,uBAAuB;QACvB,uBAAuB;KACxB,CAAC;IACF,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;SACxD,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC,CAAC;IACnB,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,kBAAkB,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAE9E,GAAG,CAAC,GAAG,CACL,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAA0B,EAAE,QAAsD,EAAE,EAAE;YAC7F,IAAI,CAAC,MAAM;gBAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACzC,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAAE,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACxG,QAAQ,CAAC,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAC7C,CAAC;QACD,WAAW,EAAE,IAAI;KAClB,CAAC,CACH,CAAC;IACF,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IACzC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAC/D,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;IAExB,MAAM,sBAAsB,GAAG,8CAA8C,CAAC;IAC9E,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,sBAAsB,CAAC;IACrG,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,aAAa,KAAK,sBAAsB,EAAE,CAAC;QACtF,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC1F,CAAC;IACD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,OAAO,CAAC;IAEtE,GAAG,CAAC,GAAG,CACL,OAAO,CAAC;QACN,MAAM,EAAE,aAAa;QACrB,MAAM,EAAE,KAAK;QACb,iBAAiB,EAAE,IAAI;QACvB,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,YAAY;QACnB,MAAM,EAAE;YACN,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACtB,IAAI,EAAE,GAAG;SACV;KACF,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC5B,GAAG,CAAC,GAAG,CAAC,sBAAsB,IAAI,gBAAgB,CAAC,CAAC;IAEpD,SAAS,EAAE,CAAC;IACZ,QAAQ,EAAE,CAAC;IACX,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IAE5B,GAAG,CAAC,GAAG,CACL,WAAW,EACX,SAAS,CAAC,KAAK,EACf,SAAS,CAAC,KAAK,CAAC,WAAW,EAAE;QAC3B,SAAS,EAAE,uCAAuC;QAClD,eAAe,EAAE,4BAA4B;KAC9C,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;IAEvC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAoB,EAAE,GAAqB,EAAE,IAA0B,EAAE,EAAE;QAClF,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,EAAE,CAAC;QACnE,IACE,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC;YAC1C,GAAG,CAAC,IAAI,KAAK,iBAAiB;YAC9B,GAAG,CAAC,IAAI,KAAK,mBAAmB;YAChC,GAAG,CAAC,IAAI,KAAK,oBAAoB;YACjC,GAAG,CAAC,IAAI,KAAK,yBAAyB;YACtC,GAAG,CAAC,IAAI,KAAK,sCAAsC;YACnD,GAAG,CAAC,IAAI,KAAK,iCAAiC;YAC9C,GAAG,CAAC,IAAI,KAAK,aAAa;YAC1B,GAAG,CAAC,IAAI,KAAK,iBAAiB;YAC9B,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAChC,CAAC;YACD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/backend/dist/auth/authorization.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Centralized authorization: can user access or modify a resource?
+ * Used by bookmarks, folders, and tags routes to avoid duplicated checks and IDOR.
+ */
+/** Get team IDs the user is a member of (for share checks). */
+export declare function getTeamIdsForUser(userId: string, tenantId?: string): Promise<string[]>;
+/** Legacy compatibility helper; org scoping is removed in selfhost-core. */
+export declare function getTeamIdsForUserInOrg(userId: string, _orgId: string, tenantId?: string): Promise<string[]>;
+/**
+ * Can the user read this bookmark? (owner, or shared via user/team/folder)
+ * @param _orgId - Legacy arg kept for compatibility.
+ */
+export declare function canAccessBookmark(userId: string, bookmarkId: string, _orgId?: string | null, tenantId?: string): Promise<boolean>;
+/** Can the user update/delete this bookmark? (owner only) */
+export declare function canModifyBookmark(userId: string, bookmarkId: string, tenantId?: string): Promise<boolean>;
+/**
+ * Can the user read this folder? (owner or shared via user/team)
+ * @param _orgId - Legacy arg kept for compatibility.
+ */
+export declare function canAccessFolder(userId: string, folderId: string, _orgId?: string | null, tenantId?: string): Promise<boolean>;
+/** Can the user update/delete this folder? (owner only) */
+export declare function canModifyFolder(userId: string, folderId: string, tenantId?: string): Promise<boolean>;
+/** Can the user read this tag? (owner only; tags are not shared) */
+export declare function canAccessTag(userId: string, tagId: string, tenantId?: string): Promise<boolean>;
+//# sourceMappingURL=authorization.d.ts.map

package/backend/dist/auth/authorization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.d.ts","sourceRoot":"","sources":["../../src/auth/authorization.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAgBH,+DAA+D;AAC/D,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAKvG;AAED,4EAA4E;AAC5E,wBAAsB,sBAAsB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE5H;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CA2BlJ;AAED,6DAA6D;AAC7D,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAI1H;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAkB9I;AAED,2DAA2D;AAC3D,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAItH;AAED,oEAAoE;AACpE,wBAAsB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAkB,GAAG,OAAO,CAAC,OAAO,CAAC,CAIhH"}

package/backend/dist/auth/authorization.js

@@ -0,0 +1,100 @@
+/**
+ * Centralized authorization: can user access or modify a resource?
+ * Used by bookmarks, folders, and tags routes to avoid duplicated checks and IDOR.
+ */
+import { queryOne, query } from '../db/index.js';
+const DB_TYPE = process.env.DB_TYPE || 'sqlite';
+/** Convert ? placeholders to $1, $2 for PostgreSQL */
+function toPg(sql) {
+    let n = 0;
+    return sql.replace(/\?/g, () => `$${++n}`);
+}
+function runSql(sql, params) {
+    return DB_TYPE === 'postgresql' ? [toPg(sql), params] : [sql, params];
+}
+/** Get team IDs the user is a member of (for share checks). */
+export async function getTeamIdsForUser(userId, tenantId = 'default') {
+    const [q, p] = runSql('SELECT team_id FROM team_members WHERE user_id = ? AND tenant_id = ?', [userId, tenantId]);
+    const rows = await query(q, p);
+    const list = Array.isArray(rows) ? rows : rows ? [rows] : [];
+    return list.map((r) => r.team_id);
+}
+/** Legacy compatibility helper; org scoping is removed in selfhost-core. */
+export async function getTeamIdsForUserInOrg(userId, _orgId, tenantId = 'default') {
+    return getTeamIdsForUser(userId, tenantId);
+}
+/**
+ * Can the user read this bookmark? (owner, or shared via user/team/folder)
+ * @param _orgId - Legacy arg kept for compatibility.
+ */
+export async function canAccessBookmark(userId, bookmarkId, _orgId, tenantId = 'default') {
+    const teamIds = await getTeamIdsForUser(userId, tenantId);
+    const teamPlaceholders = teamIds.length > 0 ? teamIds.map(() => '?').join(',') : 'NULL';
+    const busCondition = 'bus.user_id = ?';
+    const fusCondition = 'fus.user_id = ?';
+    const sql = `
+    SELECT 1 FROM bookmarks b
+    LEFT JOIN bookmark_user_shares bus ON b.id = bus.bookmark_id
+    LEFT JOIN bookmark_team_shares bts ON b.id = bts.bookmark_id
+    LEFT JOIN bookmark_folders bf ON b.id = bf.bookmark_id
+    LEFT JOIN folder_user_shares fus ON bf.folder_id = fus.folder_id
+    LEFT JOIN folder_team_shares fts ON bf.folder_id = fts.folder_id
+    WHERE b.id = ? AND b.tenant_id = ? AND (b.user_id = ?
+      OR ${busCondition}
+      OR (bts.team_id IN (${teamPlaceholders}) AND bts.team_id IS NOT NULL)
+      OR ${fusCondition}
+      OR (fts.team_id IN (${teamPlaceholders}) AND fts.team_id IS NOT NULL AND bf.folder_id IS NOT NULL))
+  `;
+    const params = [bookmarkId, tenantId, userId];
+    params.push(userId, userId);
+    if (teamIds.length > 0) {
+        params.push(...teamIds);
+        params.push(...teamIds);
+    }
+    const [q, p] = runSql(sql, params);
+    const row = await queryOne(q, p);
+    return !!row;
+}
+/** Can the user update/delete this bookmark? (owner only) */
+export async function canModifyBookmark(userId, bookmarkId, tenantId = 'default') {
+    const [q, p] = runSql('SELECT 1 FROM bookmarks WHERE id = ? AND user_id = ? AND tenant_id = ?', [bookmarkId, userId, tenantId]);
+    const row = await queryOne(q, p);
+    return !!row;
+}
+/**
+ * Can the user read this folder? (owner or shared via user/team)
+ * @param _orgId - Legacy arg kept for compatibility.
+ */
+export async function canAccessFolder(userId, folderId, _orgId, tenantId = 'default') {
+    const teamIds = await getTeamIdsForUser(userId, tenantId);
+    const teamPlaceholders = teamIds.length > 0 ? teamIds.map(() => '?').join(',') : 'NULL';
+    const fusCondition = 'fus.user_id = ?';
+    const sql = `
+    SELECT 1 FROM folders f
+    LEFT JOIN folder_user_shares fus ON f.id = fus.folder_id
+    LEFT JOIN folder_team_shares fts ON f.id = fts.folder_id
+    WHERE f.id = ? AND f.tenant_id = ? AND (f.user_id = ?
+      OR ${fusCondition}
+      OR (fts.team_id IN (${teamPlaceholders}) AND fts.team_id IS NOT NULL))
+  `;
+    const params = [folderId, tenantId, userId];
+    params.push(userId);
+    if (teamIds.length > 0)
+        params.push(...teamIds);
+    const [q, p] = runSql(sql, params);
+    const row = await queryOne(q, p);
+    return !!row;
+}
+/** Can the user update/delete this folder? (owner only) */
+export async function canModifyFolder(userId, folderId, tenantId = 'default') {
+    const [q, p] = runSql('SELECT 1 FROM folders WHERE id = ? AND user_id = ? AND tenant_id = ?', [folderId, userId, tenantId]);
+    const row = await queryOne(q, p);
+    return !!row;
+}
+/** Can the user read this tag? (owner only; tags are not shared) */
+export async function canAccessTag(userId, tagId, tenantId = 'default') {
+    const [q, p] = runSql('SELECT 1 FROM tags WHERE id = ? AND user_id = ? AND tenant_id = ?', [tagId, userId, tenantId]);
+    const row = await queryOne(q, p);
+    return !!row;
+}
+//# sourceMappingURL=authorization.js.map

package/backend/dist/auth/authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.js","sourceRoot":"","sources":["../../src/auth/authorization.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAEjD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,QAAQ,CAAC;AAEhD,sDAAsD;AACtD,SAAS,IAAI,CAAC,GAAW;IACvB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,MAAM,CAAC,GAAW,EAAE,MAAa;IACxC,OAAO,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;AACxE,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,WAAmB,SAAS;IAClF,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,sEAAsE,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAClH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,4EAA4E;AAC5E,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAAc,EAAE,MAAc,EAAE,WAAmB,SAAS;IACvG,OAAO,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,UAAkB,EAAE,MAAsB,EAAE,WAAmB,SAAS;IAC9H,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1D,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACxF,MAAM,YAAY,GAAG,iBAAiB,CAAC;IACvC,MAAM,YAAY,GAAG,iBAAiB,CAAC;IACvC,MAAM,GAAG,GAAG;;;;;;;;WAQH,YAAY;4BACK,gBAAgB;WACjC,YAAY;4BACK,gBAAgB;GACzC,CAAC;IACF,MAAM,MAAM,GAAU,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;IAC1B,CAAC;IACD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,6DAA6D;AAC7D,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,UAAkB,EAAE,WAAmB,SAAS;IACtG,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,wEAAwE,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAChI,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,QAAgB,EAAE,MAAsB,EAAE,WAAmB,SAAS;IAC1H,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1D,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACxF,MAAM,YAAY,GAAG,iBAAiB,CAAC;IACvC,MAAM,GAAG,GAAG;;;;;WAKH,YAAY;4BACK,gBAAgB;GACzC,CAAC;IACF,MAAM,MAAM,GAAU,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpB,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;IAChD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,EAAE,QAAgB,EAAE,WAAmB,SAAS;IAClG,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,sEAAsE,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC5H,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAc,EAAE,KAAa,EAAE,WAAmB,SAAS;IAC5F,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,mEAAmE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACtH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC"}

package/backend/dist/auth/jwt.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Setup JWT strategy for Passport
+ */
+export declare function setupJWT(): void;
+//# sourceMappingURL=jwt.d.ts.map

package/backend/dist/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/auth/jwt.ts"],"names":[],"mappings":"AAYA;;GAEG;AACH,wBAAgB,QAAQ,SAwBvB"}

package/backend/dist/auth/jwt.js

@@ -0,0 +1,34 @@
+import passport from 'passport';
+import { Strategy as JwtStrategy } from 'passport-jwt';
+import { queryOne } from '../db/index.js';
+import { extractTokenFromRequest } from '../utils/jwt.js';
+// JWT_SECRET is validated at startup via validateEnvironmentVariables()
+// This will throw if not set, preventing insecure defaults
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+    throw new Error('JWT_SECRET environment variable is required. Please set it before starting the server.');
+}
+/**
+ * Setup JWT strategy for Passport
+ */
+export function setupJWT() {
+    passport.use('jwt', new JwtStrategy({
+        jwtFromRequest: (req) => extractTokenFromRequest(req),
+        secretOrKey: JWT_SECRET,
+        algorithms: ['HS256'],
+        passReqToCallback: true,
+    }, async (req, payload, done) => {
+        try {
+            // Fetch fresh user data from database
+            const user = await queryOne('SELECT * FROM users WHERE id = ?', [payload.id]);
+            if (!user) {
+                return done(null, false);
+            }
+            return done(null, user);
+        }
+        catch (error) {
+            return done(error, false);
+        }
+    }));
+}
+//# sourceMappingURL=jwt.js.map

package/backend/dist/auth/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/auth/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,QAAQ,IAAI,WAAW,EAAc,MAAM,cAAc,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,wEAAwE;AACxE,2DAA2D;AAC3D,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAoB,CAAC;AACpD,IAAI,CAAC,UAAU,EAAE,CAAC;IAChB,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;AAC5G,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ;IACtB,QAAQ,CAAC,GAAG,CACV,KAAK,EACL,IAAI,WAAW,CACb;QACE,cAAc,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC;QACrD,WAAW,EAAE,UAAU;QACvB,UAAU,EAAE,CAAC,OAAO,CAAC;QACrB,iBAAiB,EAAE,IAAI;KACxB,EACD,KAAK,EAAE,GAAQ,EAAE,OAAY,EAAE,IAAS,EAAE,EAAE;QAC1C,IAAI,CAAC;YACH,sCAAsC;YACtC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,kCAAkC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9E,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3B,CAAC;YACD,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC,CACF,CACF,CAAC;AACJ,CAAC"}

package/backend/dist/auth/oidc.d.ts

@@ -0,0 +1,4 @@
+export declare function setupOIDC(): void;
+export declare function loadOIDCStrategies(tenantId?: string): Promise<void>;
+export declare function reloadOIDCStrategies(): Promise<void>;
+//# sourceMappingURL=oidc.d.ts.map

package/backend/dist/auth/oidc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../src/auth/oidc.ts"],"names":[],"mappings":"AASA,wBAAgB,SAAS,SAgBxB;AAkKD,wBAAsB,kBAAkB,CAAC,QAAQ,GAAE,MAA6B,iBAe/E;AAGD,wBAAsB,oBAAoB,kBAsBzC"}

package/backend/dist/auth/oidc.js

@@ -0,0 +1,201 @@
+import passport from 'passport';
+import { Strategy as OpenIDConnectStrategy } from 'passport-openidconnect';
+import { queryOne, execute, query } from '../db/index.js';
+import { v4 as uuidv4 } from 'uuid';
+import { decrypt } from '../utils/encryption.js';
+import { generateUserKey } from '../utils/user-key.js';
+import { getDefaultTenantId } from '../utils/tenant.js';
+export function setupOIDC() {
+    // Serialization for OIDC OAuth flow (sessions are only used during OAuth redirect)
+    // After OAuth completes, we convert to JWT and destroy the session
+    passport.serializeUser((user, done) => {
+        // Store minimal user info in session (only needed during OAuth flow)
+        done(null, user.id);
+    });
+    passport.deserializeUser(async (id, done) => {
+        try {
+            const user = await queryOne('SELECT * FROM users WHERE id = ?', [id]);
+            done(null, user);
+        }
+        catch (error) {
+            done(error, null);
+        }
+    });
+}
+/** Register a single OIDC strategy from DB-backed configuration. */
+async function registerOIDCStrategy(provider, clientSecret) {
+    if (!provider.client_id || !clientSecret || !provider.issuer_url || !provider.provider_key) {
+        throw new Error(`Missing required fields for provider ${provider.provider_key || provider.id}`);
+    }
+    const verifyFunction = async (iss, profile, context, idToken, accessToken, refreshToken, params, cb) => {
+        // Extract sub from profile (profile.id is the sub claim) - do this before try block so it's available in catch
+        const sub = profile.id || profile.sub;
+        if (!sub) {
+            console.error(`[OIDC] No sub found in profile for provider: ${provider.provider_key}`);
+            return cb(new Error('Sub claim is required for OIDC authentication'), null);
+        }
+        try {
+            const email = profile.emails?.[0]?.value || profile.email;
+            if (!email) {
+                console.error(`[OIDC] No email found in profile for provider: ${provider.provider_key}`);
+                return cb(new Error('Email is required for OIDC authentication'), null);
+            }
+            // Use email as primary identifier - check if user exists by email
+            let user = await queryOne('SELECT * FROM users WHERE email = ?', [email]);
+            if (user) {
+                // User exists - update OIDC info if not set
+                if (!user.oidc_sub || !user.oidc_provider) {
+                    await execute('UPDATE users SET oidc_sub = ?, oidc_provider = ? WHERE id = ?', [sub, provider.provider_key, user.id]);
+                    user = await queryOne('SELECT * FROM users WHERE id = ?', [user.id]);
+                }
+                // If user exists with different OIDC provider, that's fine - email is the identifier
+                return cb(null, user);
+            }
+            // User doesn't exist - check if auto-creation is enabled
+            // Handle both SQLite (0/1) and PostgreSQL (true/false) boolean values
+            // Also handle string representations from database queries
+            const autoCreateValue = provider.auto_create_users;
+            const autoCreate = autoCreateValue === true ||
+                autoCreateValue === 1 ||
+                autoCreateValue === '1' ||
+                (autoCreateValue !== false &&
+                    autoCreateValue !== 0 &&
+                    autoCreateValue !== '0' &&
+                    autoCreateValue !== null &&
+                    autoCreateValue !== undefined);
+            if (!autoCreate) {
+                console.error('OIDC auto-creation disabled. Provider:', provider.provider_key, 'auto_create_users:', autoCreateValue);
+                return cb(new Error('AUTO_CREATE_DISABLED'), null);
+            }
+            // Create new user
+            const userId = uuidv4();
+            let userKey = await generateUserKey();
+            const name = profile.displayName || profile.name || email;
+            // Determine user role
+            let isAdmin = false;
+            const defaultRole = provider.default_role || 'user';
+            if (defaultRole === 'admin') {
+                isAdmin = true;
+            }
+            else {
+                // Check if this is the first user (auto-admin for first user, regardless of default_role)
+                const userCount = await queryOne('SELECT COUNT(*) as count FROM users', []);
+                isAdmin = !userCount || parseInt(userCount.count) === 0;
+            }
+            // Retry logic for user_key collisions (should be extremely rare)
+            let retries = 0;
+            const maxRetries = 3;
+            while (retries < maxRetries) {
+                try {
+                    await execute(`INSERT INTO users (id, email, name, user_key, is_admin, oidc_sub, oidc_provider) 
+                     VALUES (?, ?, ?, ?, ?, ?, ?)`, [userId, email, name, userKey, isAdmin, sub, provider.provider_key]);
+                    break; // Success, exit retry loop
+                }
+                catch (error) {
+                    // If user_key collision, generate new key and retry
+                    if (error.message && (error.message.includes('UNIQUE constraint') || error.message.includes('duplicate'))
+                        && error.message.includes('user_key')) {
+                        retries++;
+                        if (retries >= maxRetries) {
+                            return cb(new Error('Failed to create user. Please try again.'), null);
+                        }
+                        userKey = await generateUserKey();
+                        continue; // Retry with new key
+                    }
+                    // For other errors (like email duplicate), throw to outer catch
+                    throw error;
+                }
+            }
+            user = await queryOne('SELECT * FROM users WHERE id = ?', [userId]);
+            return cb(null, user);
+        }
+        catch (error) {
+            console.error(`[OIDC] Error during user creation/update:`, {
+                message: error.message,
+                stack: error.stack,
+                name: error.name,
+            });
+            // Handle unique constraint violation (email already exists)
+            if (error.message && (error.message.includes('UNIQUE constraint') || error.message.includes('duplicate'))) {
+                // Try to get the existing user by email
+                const existingUser = await queryOne('SELECT * FROM users WHERE email = ?', [profile.emails?.[0]?.value || profile.email]);
+                if (existingUser) {
+                    // Update OIDC info for existing user
+                    await execute('UPDATE users SET oidc_sub = ?, oidc_provider = ? WHERE id = ?', [sub, provider.provider_key, existingUser.id]);
+                    const updatedUser = await queryOne('SELECT * FROM users WHERE id = ?', [existingUser.id]);
+                    return cb(null, updatedUser);
+                }
+            }
+            console.error(`[OIDC] Fatal error, cannot proceed:`, error);
+            return cb(error, null);
+        }
+    };
+    const baseUrl = process.env.BASE_URL || 'http://localhost:5000';
+    const callbackURL = `${baseUrl}/api/auth/${provider.provider_key}/callback`;
+    const authorizationURL = provider.authorization_url || `${provider.issuer_url}/authorize`;
+    const tokenURL = provider.token_url || `${provider.issuer_url}/token`;
+    const userInfoURL = provider.userinfo_url || `${provider.issuer_url}/userinfo`;
+    const strategyConfig = {
+        issuer: provider.issuer_url,
+        authorizationURL,
+        tokenURL,
+        userInfoURL,
+        clientID: provider.client_id,
+        clientSecret,
+        callbackURL,
+        scope: (typeof provider.scopes === 'string' ? provider.scopes : '').split(' ').filter(Boolean),
+        skipUserProfile: false,
+    };
+    passport.use(provider.provider_key, new OpenIDConnectStrategy(strategyConfig, verifyFunction));
+}
+class DatabaseOidcConfigProvider {
+    async getProviders(tenantId) {
+        const providers = await query('SELECT id, provider_key, client_id, client_secret, issuer_url, authorization_url, token_url, userinfo_url, scopes, auto_create_users, default_role FROM oidc_providers WHERE tenant_id = ?', [tenantId]);
+        return Array.isArray(providers) ? providers : (providers ? [providers] : []);
+    }
+}
+const oidcProviderStore = new DatabaseOidcConfigProvider();
+export async function loadOIDCStrategies(tenantId = getDefaultTenantId()) {
+    try {
+        const providersList = await oidcProviderStore.getProviders(tenantId);
+        if (providersList.length === 0)
+            return;
+        for (const provider of providersList) {
+            try {
+                const decryptedSecret = decrypt(provider.client_secret);
+                await registerOIDCStrategy(provider, decryptedSecret);
+            }
+            catch (providerError) {
+                console.error(`Error loading OIDC provider ${provider.provider_key || provider.id}:`, providerError.message || providerError);
+            }
+        }
+    }
+    catch (error) {
+        console.error('Error loading OIDC strategies:', error.message || error);
+    }
+}
+export async function reloadOIDCStrategies() {
+    try {
+        // Remove existing strategies (except 'jwt' which is our JWT strategy)
+        // Use a type assertion to access internal strategies map
+        const strategies = Object.keys(passport._strategies || {});
+        strategies.forEach((key) => {
+            if (key !== 'jwt') {
+                try {
+                    passport.unuse(key);
+                }
+                catch (error) {
+                    // Ignore errors when removing strategies
+                    console.warn(`Could not remove OIDC strategy ${key}:`, error.message || error);
+                }
+            }
+        });
+        // Reload from database
+        await loadOIDCStrategies();
+    }
+    catch (error) {
+        console.error('Error reloading OIDC strategies:', error.message || error);
+        // Don't throw - allow the operation to continue even if strategy reload fails
+    }
+}
+//# sourceMappingURL=oidc.js.map

package/backend/dist/auth/oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../src/auth/oidc.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,QAAQ,IAAI,qBAAqB,EAAW,MAAM,wBAAwB,CAAC;AACpF,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,UAAU,SAAS;IACvB,mFAAmF;IACnF,mEAAmE;IACnE,QAAQ,CAAC,aAAa,CAAC,CAAC,IAAS,EAAE,IAAI,EAAE,EAAE;QACzC,qEAAqE;QACrE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,CAAC,KAAK,EAAE,EAAU,EAAE,IAAI,EAAE,EAAE;QAClD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,kCAAkC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;YACtE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,oEAAoE;AACpE,KAAK,UAAU,oBAAoB,CAAC,QAA4B,EAAE,YAAoB;IACpF,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;QAC3F,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;IAClG,CAAC;IAED,MAAM,cAAc,GAAG,KAAK,EAAE,GAAW,EAAE,OAAgB,EAAE,OAAY,EAAE,OAAe,EAAE,WAAmB,EAAE,YAAoB,EAAE,MAAW,EAAE,EAAoC,EAAE,EAAE;QAClL,+GAA+G;QAC/G,MAAM,GAAG,GAAG,OAAO,CAAC,EAAE,IAAK,OAAe,CAAC,GAAG,CAAC;QAC/C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,KAAK,CAAC,gDAAgD,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;YACvF,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,+CAA+C,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAK,OAAe,CAAC,KAAK,CAAC;YACnE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,KAAK,CAAC,kDAAkD,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;gBACzF,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,EAAE,IAAI,CAAC,CAAC;YAC1E,CAAC;YAED,kEAAkE;YAClE,IAAI,IAAI,GAAG,MAAM,QAAQ,CACvB,qCAAqC,EACrC,CAAC,KAAK,CAAC,CACR,CAAC;YAEF,IAAI,IAAI,EAAE,CAAC;gBACT,4CAA4C;gBAC5C,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;oBAC1C,MAAM,OAAO,CACX,+DAA+D,EAC/D,CAAC,GAAG,EAAE,QAAQ,CAAC,YAAY,EAAE,IAAI,CAAC,EAAE,CAAC,CACtC,CAAC;oBACF,IAAI,GAAG,MAAM,QAAQ,CAAC,kCAAkC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACvE,CAAC;gBACD,qFAAqF;gBACrF,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACxB,CAAC;YAED,yDAAyD;YACzD,sEAAsE;YACtE,2DAA2D;YAC3D,MAAM,eAAe,GAAG,QAAQ,CAAC,iBAAiB,CAAC;YACnD,MAAM,UAAU,GAAG,eAAe,KAAK,IAAI;gBACxB,eAAe,KAAK,CAAC;gBACrB,eAAe,KAAK,GAAG;gBACvB,CAAC,eAAe,KAAK,KAAK;oBACzB,eAAe,KAAK,CAAC;oBACrB,eAAe,KAAK,GAAG;oBACvB,eAAe,KAAK,IAAI;oBACxB,eAAe,KAAK,SAAS,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,QAAQ,CAAC,YAAY,EAAE,oBAAoB,EAAE,eAAe,CAAC,CAAC;gBACtH,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,EAAE,IAAI,CAAC,CAAC;YACrD,CAAC;YAED,kBAAkB;YAClB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;YACxB,IAAI,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,IAAI,IAAI,KAAK,CAAC;YAE1D,sBAAsB;YACtB,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,IAAI,MAAM,CAAC;YAEpD,IAAI,WAAW,KAAK,OAAO,EAAE,CAAC;gBAC5B,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,0FAA0F;gBAC1F,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,qCAAqC,EAAE,EAAE,CAAC,CAAC;gBAC5E,OAAO,GAAG,CAAC,SAAS,IAAI,QAAQ,CAAE,SAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACnE,CAAC;YAED,iEAAiE;YACjE,IAAI,OAAO,GAAG,CAAC,CAAC;YAChB,MAAM,UAAU,GAAG,CAAC,CAAC;YACrB,OAAO,OAAO,GAAG,UAAU,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,MAAM,OAAO,CACX;kDAC8B,EAC9B,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,CAAC,YAAY,CAAC,CACpE,CAAC;oBACF,MAAM,CAAC,2BAA2B;gBACpC,CAAC;gBAAC,OAAO,KAAU,EAAE,CAAC;oBACpB,oDAAoD;oBACpD,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;2BAClG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC1C,OAAO,EAAE,CAAC;wBACV,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;4BAC1B,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,0CAA0C,CAAC,EAAE,IAAI,CAAC,CAAC;wBACzE,CAAC;wBACD,OAAO,GAAG,MAAM,eAAe,EAAE,CAAC;wBAClC,SAAS,CAAC,qBAAqB;oBACjC,CAAC;oBACD,gEAAgE;oBAChE,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAED,IAAI,GAAG,MAAM,QAAQ,CAAC,kCAAkC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;YACpE,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACxB,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,2CAA2C,EAAE;gBACzD,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,IAAI,EAAE,KAAK,CAAC,IAAI;aACjB,CAAC,CAAC;YAEH,4DAA4D;YAC5D,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBAC1G,wCAAwC;gBACxC,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,qCAAqC,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAK,OAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBACnI,IAAI,YAAY,EAAE,CAAC;oBACjB,qCAAqC;oBACrC,MAAM,OAAO,CACX,+DAA+D,EAC/D,CAAC,GAAG,EAAE,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE,CAAC,CAC9C,CAAC;oBACF,MAAM,WAAW,GAAG,MAAM,QAAQ,CAAC,kCAAkC,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC;oBAC1F,OAAO,EAAE,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;gBAC/B,CAAC;YACH,CAAC;YACD,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;YAC5D,OAAO,EAAE,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACzB,CAAC;IACX,CAAC,CAAC;IAEF,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IAChE,MAAM,WAAW,GAAG,GAAG,OAAO,aAAa,QAAQ,CAAC,YAAY,WAAW,CAAC;IAC5E,MAAM,gBAAgB,GAAG,QAAQ,CAAC,iBAAiB,IAAI,GAAG,QAAQ,CAAC,UAAU,YAAY,CAAC;IAC1F,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,IAAI,GAAG,QAAQ,CAAC,UAAU,QAAQ,CAAC;IACtE,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,IAAI,GAAG,QAAQ,CAAC,UAAU,WAAW,CAAC;IAC/E,MAAM,cAAc,GAAQ;QAC1B,MAAM,EAAE,QAAQ,CAAC,UAAU;QAC3B,gBAAgB;QAChB,QAAQ;QACR,WAAW;QACX,QAAQ,EAAE,QAAQ,CAAC,SAAS;QAC5B,YAAY;QACZ,WAAW;QACX,KAAK,EAAE,CAAC,OAAO,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QAC9F,eAAe,EAAE,KAAK;KACvB,CAAC;IACF,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,qBAAqB,CAAC,cAAc,EAAE,cAAqB,CAAC,CAAC,CAAC;AACxG,CAAC;AAED,MAAM,0BAA0B;IAC9B,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,MAAM,SAAS,GAAG,MAAM,KAAK,CAC3B,4LAA4L,EAC5L,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAE,SAAkC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAA+B,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC/H,CAAC;CACF;AAED,MAAM,iBAAiB,GAAuB,IAAI,0BAA0B,EAAE,CAAC;AAE/E,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAmB,kBAAkB,EAAE;IAC9E,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QACrE,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QACvC,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;gBACxD,MAAM,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,aAAkB,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,EAAE,GAAG,EAAE,aAAa,CAAC,OAAO,IAAI,aAAa,CAAC,CAAC;YAChI,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAGD,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,IAAI,CAAC;QACH,sEAAsE;QACtE,yDAAyD;QACzD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAE,QAAgB,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QACpE,UAAU,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;YACjC,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;gBAClB,IAAI,CAAC;oBACH,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACtB,CAAC;gBAAC,OAAO,KAAU,EAAE,CAAC;oBACpB,yCAAyC;oBACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,GAAG,GAAG,EAAE,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC;gBACjF,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,uBAAuB;QACvB,MAAM,kBAAkB,EAAE,CAAC;IAC7B,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,CAAC;QAC1E,8EAA8E;IAChF,CAAC;AACH,CAAC"}

package/backend/dist/config/cloud-providers.d.ts

@@ -0,0 +1,18 @@
+/**
+ * CLOUD mode: fixed OIDC providers from environment (Google, Microsoft, GitHub).
+ * Only include providers where both client_id and client_secret are set.
+ */
+export interface CloudProviderConfig {
+    provider_key: string;
+    client_id: string;
+    client_secret: string;
+    issuer_url: string;
+    authorization_url?: string;
+    token_url?: string;
+    userinfo_url?: string;
+    scopes: string;
+    auto_create_users: boolean;
+    default_role: string;
+}
+export declare function getCloudProviders(): CloudProviderConfig[];
+//# sourceMappingURL=cloud-providers.d.ts.map

package/backend/dist/config/cloud-providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-providers.d.ts","sourceRoot":"","sources":["../../src/config/cloud-providers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,EAAE,OAAO,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;CACtB;AASD,wBAAgB,iBAAiB,IAAI,mBAAmB,EAAE,CAoDzD"}

package/backend/dist/config/cloud-providers.js

@@ -0,0 +1,60 @@
+/**
+ * CLOUD mode: fixed OIDC providers from environment (Google, Microsoft, GitHub).
+ * Only include providers where both client_id and client_secret are set.
+ */
+const GOOGLE_ISSUER = 'https://accounts.google.com';
+const MICROSOFT_TENANT = process.env.OIDC_MICROSOFT_TENANT || 'common';
+const MICROSOFT_ISSUER = `https://login.microsoftonline.com/${MICROSOFT_TENANT}/v2.0`;
+const GITHUB_AUTH = 'https://github.com/login/oauth/authorize';
+const GITHUB_TOKEN = 'https://github.com/login/oauth/access_token';
+const GITHUB_USER = 'https://api.github.com/user';
+export function getCloudProviders() {
+    const providers = [];
+    const googleId = process.env.OIDC_GOOGLE_CLIENT_ID?.trim();
+    const googleSecret = process.env.OIDC_GOOGLE_CLIENT_SECRET?.trim();
+    if (googleId && googleSecret) {
+        providers.push({
+            provider_key: 'google',
+            client_id: googleId,
+            client_secret: googleSecret,
+            issuer_url: GOOGLE_ISSUER,
+            scopes: 'openid profile email',
+            auto_create_users: true,
+            default_role: 'user',
+        });
+    }
+    const msId = process.env.OIDC_MICROSOFT_CLIENT_ID?.trim();
+    const msSecret = process.env.OIDC_MICROSOFT_CLIENT_SECRET?.trim();
+    if (msId && msSecret) {
+        providers.push({
+            provider_key: 'microsoft',
+            client_id: msId,
+            client_secret: msSecret,
+            issuer_url: MICROSOFT_ISSUER,
+            authorization_url: `${MICROSOFT_ISSUER}/authorize`,
+            token_url: `${MICROSOFT_ISSUER}/token`,
+            userinfo_url: 'https://graph.microsoft.com/oidc/userinfo',
+            scopes: 'openid profile email',
+            auto_create_users: true,
+            default_role: 'user',
+        });
+    }
+    const ghId = process.env.OIDC_GITHUB_CLIENT_ID?.trim();
+    const ghSecret = process.env.OIDC_GITHUB_CLIENT_SECRET?.trim();
+    if (ghId && ghSecret) {
+        providers.push({
+            provider_key: 'github',
+            client_id: ghId,
+            client_secret: ghSecret,
+            issuer_url: 'https://github.com',
+            authorization_url: GITHUB_AUTH,
+            token_url: GITHUB_TOKEN,
+            userinfo_url: GITHUB_USER,
+            scopes: 'openid user:email',
+            auto_create_users: true,
+            default_role: 'user',
+        });
+    }
+    return providers;
+}
+//# sourceMappingURL=cloud-providers.js.map