@mesob/auth-hono 0.4.7 → 0.5.2

package/dist/index.js

@@ -11,23 +11,6 @@ import { deepmerge } from "deepmerge-ts";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 
-// src/db/relations.ts
-var relations_exports = {};
-__export(relations_exports, {
-  accountChangesInIamRelations: () => accountChangesInIamRelations,
-  accountsInIamRelations: () => accountsInIamRelations,
-  domainsInIamRelations: () => domainsInIamRelations,
-  permissionsInIamRelations: () => permissionsInIamRelations,
-  rolePermissionsInIamRelations: () => rolePermissionsInIamRelations,
-  rolesInIamRelations: () => rolesInIamRelations,
-  sessionsInIamRelations: () => sessionsInIamRelations,
-  tenantsInIamRelations: () => tenantsInIamRelations,
-  userRolesInIamRelations: () => userRolesInIamRelations,
-  usersInIamRelations: () => usersInIamRelations,
-  verificationsInIamRelations: () => verificationsInIamRelations
-});
-import { relations } from "drizzle-orm/relations";
-
 // src/db/schema.ts
 var schema_exports = {};
 __export(schema_exports, {
@@ -333,117 +316,8 @@ var domainsInIam = iam.table("domains", {
   check("domains_status_check", sql`status = ANY (ARRAY['PENDING'::text, 'ACTIVE'::text, 'DISABLED'::text, 'DELETED'::text])`)
 ]);
 
-// src/db/relations.ts
-var verificationsInIamRelations = relations(verificationsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [verificationsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [verificationsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var tenantsInIamRelations = relations(tenantsInIam, ({ many }) => ({
-  verificationsInIam: many(verificationsInIam),
-  sessionsInIam: many(sessionsInIam),
-  accountChangesInIam: many(accountChangesInIam),
-  rolePermissionsInIam: many(rolePermissionsInIam),
-  accountsInIam: many(accountsInIam),
-  usersInIam: many(usersInIam),
-  rolesInIam: many(rolesInIam),
-  userRolesInIam: many(userRolesInIam),
-  domainsInIam: many(domainsInIam)
-}));
-var usersInIamRelations = relations(usersInIam, ({ one, many }) => ({
-  verificationsInIam: many(verificationsInIam),
-  sessionsInIam: many(sessionsInIam),
-  accountChangesInIam: many(accountChangesInIam),
-  accountsInIam: many(accountsInIam),
-  tenantsInIam: one(tenantsInIam, {
-    fields: [usersInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  userRolesInIam: many(userRolesInIam)
-}));
-var sessionsInIamRelations = relations(sessionsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [sessionsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [sessionsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var accountChangesInIamRelations = relations(accountChangesInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [accountChangesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [accountChangesInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var rolePermissionsInIamRelations = relations(rolePermissionsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [rolePermissionsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  permissionsInIam: one(permissionsInIam, {
-    fields: [rolePermissionsInIam.permissionId],
-    references: [permissionsInIam.id]
-  }),
-  rolesInIam: one(rolesInIam, {
-    fields: [rolePermissionsInIam.tenantId],
-    references: [rolesInIam.tenantId]
-  })
-}));
-var permissionsInIamRelations = relations(permissionsInIam, ({ many }) => ({
-  rolePermissionsInIam: many(rolePermissionsInIam)
-}));
-var rolesInIamRelations = relations(rolesInIam, ({ one, many }) => ({
-  rolePermissionsInIam: many(rolePermissionsInIam),
-  tenantsInIam: one(tenantsInIam, {
-    fields: [rolesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  userRolesInIam: many(userRolesInIam)
-}));
-var accountsInIamRelations = relations(accountsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [accountsInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [accountsInIam.userId],
-    references: [usersInIam.id]
-  })
-}));
-var userRolesInIamRelations = relations(userRolesInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [userRolesInIam.tenantId],
-    references: [tenantsInIam.id]
-  }),
-  usersInIam: one(usersInIam, {
-    fields: [userRolesInIam.userId],
-    references: [usersInIam.id]
-  }),
-  rolesInIam: one(rolesInIam, {
-    fields: [userRolesInIam.tenantId],
-    references: [rolesInIam.tenantId]
-  })
-}));
-var domainsInIamRelations = relations(domainsInIam, ({ one }) => ({
-  tenantsInIam: one(tenantsInIam, {
-    fields: [domainsInIam.tenantId],
-    references: [tenantsInIam.id]
-  })
-}));
-
 // src/db/index.ts
-var schemaConfig = { schema: { ...schema_exports, ...relations_exports } };
+var schemaConfig = { schema: { ...schema_exports } };
 var createDatabase = (connectionString) => {
   const pool = new Pool({ connectionString });
   return drizzle({ client: pool, ...schemaConfig });
@@ -995,6 +869,8 @@ var checkAccountResponseSchema = z.object({
   verified: z.boolean(),
   hasPassword: z.boolean(),
   requiresPasswordSetup: z.boolean(),
+  needsVerification: z.boolean().optional(),
+  verificationId: z.string().uuid().optional(),
   account: authAccountSchema.nullable()
 });
 var updateProfileSchema = z.object({
@@ -1021,7 +897,7 @@ var pendingAccountChangeResponseSchema = z.object({
 });
 
 // src/routes/auth/handler/check-account.ts
-import { and as and5, eq as eq5, sql as sql4 } from "drizzle-orm";
+import { and as and6, eq as eq6, sql as sql4 } from "drizzle-orm";
 
 // src/lib/tenant.ts
 import { HTTPException as HTTPException2 } from "hono/http-exception";
@@ -1043,79 +919,9 @@ var ensureTenantId = (config, tenantId) => {
   return config.tenant.tenantId;
 };
 
-// src/routes/auth/handler/check-account.ts
-var checkAccountHandler = async (c) => {
-  const body = c.req.valid("json");
-  const config = c.get("config");
-  const database = c.get("database");
-  const tenantId = c.get("tenantId");
-  const resolvedTenantId = ensureTenantId(config, tenantId);
-  const { username } = body;
-  const isEmail = username.includes("@");
-  const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
-  const whereClause = isEmail ? and5(
-    eq5(usersInIam.tenantId, resolvedTenantId),
-    userTypeFilter,
-    sql4`lower(${usersInIam.email}) = lower(${username})`
-  ) : and5(
-    eq5(usersInIam.tenantId, resolvedTenantId),
-    userTypeFilter,
-    eq5(usersInIam.phone, username)
-  );
-  const [result] = await database.select({
-    fullName: usersInIam.fullName,
-    email: usersInIam.email,
-    phone: usersInIam.phone,
-    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified,
-    hasPassword: sql4`exists(
-        select 1
-        from ${accountsInIam}
-        where ${eq5(accountsInIam.tenantId, resolvedTenantId)}
-          and ${eq5(accountsInIam.userId, usersInIam.id)}
-          and ${eq5(accountsInIam.provider, "credentials")}
-          and ${sql4`${accountsInIam.password} is not null`}
-      )`
-  }).from(usersInIam).where(whereClause).limit(1);
-  const verified = result?.verified ?? false;
-  const hasPassword = result?.hasPassword ?? false;
-  return c.json(
-    {
-      exists: !!result,
-      verified,
-      hasPassword,
-      requiresPasswordSetup: !!result && verified && !hasPassword,
-      account: result ? {
-        fullName: result.fullName,
-        email: result.email,
-        phone: result.phone,
-        verified,
-        hasPassword,
-        requiresPasswordSetup: verified && !hasPassword
-      } : null
-    },
-    200
-  );
-};
-
-// src/routes/auth/handler/sign-in.ts
-import { logger as logger2 } from "@mesob/common";
-import { and as and9, eq as eq9 } from "drizzle-orm";
-
-// src/errors.ts
-var AUTH_ERRORS = {
-  USER_NOT_FOUND: "USER_NOT_FOUND",
-  INVALID_PASSWORD: "INVALID_PASSWORD",
-  USER_EXISTS: "USER_EXISTS",
-  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
-  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
-  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
-  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
-  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
-  UNAUTHORIZED: "UNAUTHORIZED",
-  ACCESS_DENIED: "ACCESS_DENIED",
-  HAS_NO_PASSWORD: "HAS_NO_PASSWORD",
-  PASSWORD_ALREADY_SET: "PASSWORD_ALREADY_SET"
-};
+// src/routes/auth/helper/verification.ts
+import { dayjs as dayjs2 } from "@mesob/common";
+import { and as and5, desc, eq as eq5, gt as gt2 } from "drizzle-orm";
 
 // src/lib/normalize-auth-response.ts
 var normalizeAuthUser = (user) => ({
@@ -1209,8 +1015,374 @@ var getRefreshedExpiresAt = ({
   return addDuration(duration);
 };
 
+// src/routes/auth/helper/verification.ts
+var createVerification = async ({
+  tx,
+  tenantId,
+  userId,
+  type,
+  to,
+  config
+}) => {
+  const isPhone = type === "phone-otp-sign-up";
+  const code = generateOtpCode(
+    isPhone ? config.phone.otpLength : config.email.otpLength
+  );
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(
+    isPhone ? config.phone.expiresIn : config.email.expiresIn
+  );
+  const [verification] = await tx.insert(verificationsInIam).values({
+    tenantId,
+    userId,
+    type,
+    code: hashedCode,
+    expiresAt,
+    to,
+    attempt: 0
+  }).returning();
+  return { verificationId: verification.id, code, hash: hashedCode };
+};
+var sendVerification = async ({
+  channel,
+  to,
+  code,
+  config,
+  hash,
+  type
+}) => {
+  if (channel === "phone" && config.phone.sendVerificationOTP) {
+    await config.phone.sendVerificationOTP({
+      phone: to,
+      code,
+      hash,
+      type
+    });
+  } else if (config.email.sendVerificationOTP) {
+    await config.email.sendVerificationOTP({
+      email: to,
+      code,
+      hash,
+      type
+    });
+  }
+};
+var checkVerificationResend = async ({
+  database,
+  tenantId,
+  userId,
+  type,
+  resendInterval
+}) => {
+  if (!resendInterval) {
+    return { blocked: false };
+  }
+  const [verification] = await database.select({
+    id: verificationsInIam.id,
+    createdAt: verificationsInIam.createdAt
+  }).from(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type)
+    )
+  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
+  if (!verification) {
+    return { blocked: false };
+  }
+  const cooldownSeconds = parseDuration(resendInterval);
+  const createdAt = dayjs2(verification.createdAt);
+  const blocked = dayjs2().diff(createdAt, "second") < cooldownSeconds;
+  return { blocked, verificationId: verification.id };
+};
+var ensureVerificationForCheckAccount = async ({
+  database,
+  tenantId,
+  userId,
+  type,
+  to,
+  config
+}) => {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const [existing] = await database.select({
+    id: verificationsInIam.id,
+    expiresAt: verificationsInIam.expiresAt
+  }).from(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type),
+      gt2(verificationsInIam.expiresAt, now)
+    )
+  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
+  if (existing) {
+    return { verificationId: existing.id };
+  }
+  await database.delete(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, userId),
+      eq5(verificationsInIam.type, type)
+    )
+  );
+  const isPhone = type === "phone-otp";
+  const code = generateOtpCode(
+    isPhone ? config.phone.otpLength : config.email.otpLength
+  );
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(
+    isPhone ? config.phone.expiresIn : config.email.expiresIn
+  );
+  const [verification] = await database.insert(verificationsInIam).values({
+    tenantId,
+    userId,
+    type,
+    code: hashedCode,
+    expiresAt,
+    to,
+    attempt: 0
+  }).returning();
+  if (isPhone && config.phone.sendVerificationOTP) {
+    await config.phone.sendVerificationOTP({
+      phone: to,
+      code,
+      hash: hashedCode,
+      type
+    });
+  } else if (!isPhone && config.email.sendVerificationOTP) {
+    await config.email.sendVerificationOTP({
+      email: to,
+      code,
+      hash: hashedCode,
+      type
+    });
+  }
+  return { verificationId: verification.id };
+};
+var handleEmailVerification = async ({
+  c,
+  user,
+  config,
+  database,
+  tenantId
+}) => {
+  if (!user.email) {
+    return c.json({ error: "User email not found" }, 401);
+  }
+  await database.delete(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, user.id),
+      eq5(verificationsInIam.type, "email-verification")
+    )
+  );
+  const code = generateOtpCode(config.email.otpLength);
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(config.email.expiresIn);
+  const [verification] = await database.insert(verificationsInIam).values({
+    tenantId,
+    userId: user.id,
+    type: "email-verification",
+    code: hashedCode,
+    expiresAt,
+    to: user.email,
+    attempt: 0
+  }).returning({
+    id: verificationsInIam.id,
+    tenantId: verificationsInIam.tenantId,
+    userId: verificationsInIam.userId,
+    type: verificationsInIam.type,
+    code: verificationsInIam.code,
+    to: verificationsInIam.to,
+    expiresAt: verificationsInIam.expiresAt,
+    createdAt: verificationsInIam.createdAt,
+    attempt: verificationsInIam.attempt
+  });
+  if (config.email.sendVerificationOTP) {
+    await config.email.sendVerificationOTP({
+      email: user.email,
+      code,
+      hash: hashedCode,
+      type: "email-verification"
+    });
+  }
+  return c.json(
+    {
+      user: normalizeAuthUser(user),
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    },
+    200
+  );
+};
+var handlePhoneVerification = async ({
+  c,
+  user,
+  config,
+  database,
+  tenantId
+}) => {
+  if (!user.phone) {
+    return c.json({ error: "User phone not found" }, 401);
+  }
+  await database.delete(verificationsInIam).where(
+    and5(
+      eq5(verificationsInIam.tenantId, tenantId),
+      eq5(verificationsInIam.userId, user.id),
+      eq5(verificationsInIam.type, "phone-otp")
+    )
+  );
+  const code = generateOtpCode(config.phone.otpLength);
+  const hashedCode = await hashToken(code, config.secret);
+  const expiresAt = addDuration(config.phone.expiresIn);
+  const [verification] = await database.insert(verificationsInIam).values({
+    tenantId,
+    userId: user.id,
+    type: "phone-otp",
+    code: hashedCode,
+    expiresAt,
+    to: user.phone,
+    attempt: 0
+  }).returning({
+    id: verificationsInIam.id,
+    tenantId: verificationsInIam.tenantId,
+    userId: verificationsInIam.userId,
+    type: verificationsInIam.type,
+    code: verificationsInIam.code,
+    to: verificationsInIam.to,
+    expiresAt: verificationsInIam.expiresAt,
+    createdAt: verificationsInIam.createdAt,
+    attempt: verificationsInIam.attempt
+  });
+  if (config.phone.sendVerificationOTP) {
+    await config.phone.sendVerificationOTP({
+      phone: user.phone,
+      code,
+      hash: hashedCode,
+      type: "phone-otp"
+    });
+  }
+  return c.json(
+    {
+      user: normalizeAuthUser(user),
+      session: null,
+      verificationId: verification.id,
+      requiresVerification: true
+    },
+    200
+  );
+};
+
+// src/routes/auth/handler/check-account.ts
+var checkAccountHandler = async (c) => {
+  const body = c.req.valid("json");
+  const config = c.get("config");
+  const database = c.get("database");
+  const tenantId = c.get("tenantId");
+  const resolvedTenantId = ensureTenantId(config, tenantId);
+  const { username } = body;
+  const isEmail = username.includes("@");
+  const disabledChannelResponse = {
+    exists: false,
+    verified: false,
+    hasPassword: false,
+    requiresPasswordSetup: false,
+    account: null
+  };
+  if (isEmail && !config.email.enabled) {
+    return c.json(disabledChannelResponse, 200);
+  }
+  if (!(isEmail || config.phone.enabled)) {
+    return c.json(disabledChannelResponse, 200);
+  }
+  const userTypeFilter = sql4`${usersInIam.userType} @> ARRAY[${config.userType}]::text[]`;
+  const whereClause = isEmail ? and6(
+    eq6(usersInIam.tenantId, resolvedTenantId),
+    userTypeFilter,
+    sql4`lower(${usersInIam.email}) = lower(${username})`
+  ) : and6(
+    eq6(usersInIam.tenantId, resolvedTenantId),
+    userTypeFilter,
+    eq6(usersInIam.phone, username)
+  );
+  const [result] = await database.select({
+    id: usersInIam.id,
+    fullName: usersInIam.fullName,
+    email: usersInIam.email,
+    phone: usersInIam.phone,
+    verified: isEmail ? usersInIam.emailVerified : usersInIam.phoneVerified,
+    hasPassword: sql4`exists(
+        select 1
+        from ${accountsInIam}
+        where ${eq6(accountsInIam.tenantId, resolvedTenantId)}
+          and ${eq6(accountsInIam.userId, usersInIam.id)}
+          and ${eq6(accountsInIam.provider, "credentials")}
+          and ${sql4`${accountsInIam.password} is not null`}
+      )`
+  }).from(usersInIam).where(whereClause).limit(1);
+  const verified = result?.verified ?? false;
+  const hasPassword = result?.hasPassword ?? false;
+  let needsVerification = false;
+  let verificationId;
+  if (result && !verified) {
+    const type = isEmail ? "email-verification" : "phone-otp";
+    const to = isEmail ? result.email ?? username : result.phone ?? username;
+    if (to) {
+      const { verificationId: vid } = await ensureVerificationForCheckAccount({
+        database,
+        tenantId: resolvedTenantId,
+        userId: result.id,
+        type,
+        to,
+        config
+      });
+      needsVerification = true;
+      verificationId = vid;
+    }
+  }
+  return c.json(
+    {
+      exists: !!result,
+      verified,
+      hasPassword,
+      requiresPasswordSetup: !!result && verified && !hasPassword,
+      ...needsVerification && verificationId ? { needsVerification: true, verificationId } : {},
+      account: result ? {
+        fullName: result.fullName,
+        email: result.email,
+        phone: result.phone,
+        verified,
+        hasPassword,
+        requiresPasswordSetup: verified && !hasPassword
+      } : null
+    },
+    200
+  );
+};
+
+// src/routes/auth/handler/sign-in.ts
+import { logger as logger2 } from "@mesob/common";
+import { and as and9, eq as eq9 } from "drizzle-orm";
+
+// src/errors.ts
+var AUTH_ERRORS = {
+  USER_NOT_FOUND: "USER_NOT_FOUND",
+  INVALID_PASSWORD: "INVALID_PASSWORD",
+  USER_EXISTS: "USER_EXISTS",
+  VERIFICATION_EXPIRED: "VERIFICATION_EXPIRED",
+  VERIFICATION_MISMATCH: "VERIFICATION_MISMATCH",
+  VERIFICATION_NOT_FOUND: "VERIFICATION_NOT_FOUND",
+  TOO_MANY_ATTEMPTS: "TOO_MANY_ATTEMPTS",
+  REQUIRES_VERIFICATION: "REQUIRES_VERIFICATION",
+  UNAUTHORIZED: "UNAUTHORIZED",
+  ACCESS_DENIED: "ACCESS_DENIED",
+  HAS_NO_PASSWORD: "HAS_NO_PASSWORD",
+  PASSWORD_ALREADY_SET: "PASSWORD_ALREADY_SET"
+};
+
 // src/routes/auth/helper/session.ts
-import { and as and6, asc, eq as eq6, gt as gt2, inArray, sql as sql5 } from "drizzle-orm";
+import { and as and7, asc, eq as eq7, gt as gt3, inArray, sql as sql5 } from "drizzle-orm";
 var createSessionRecord = async ({
   tx,
   tenantId,
@@ -1279,10 +1451,10 @@ var cleanupOldSessions = async ({
   maxSessions
 }) => {
   const [{ count }] = await database.select({ count: sql5`count(*)` }).from(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
-      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
+      gt3(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   );
   if (count <= maxSessions) {
@@ -1290,19 +1462,19 @@ var cleanupOldSessions = async ({
   }
   const toDeleteCount = count - maxSessions;
   const idsToDelete = await database.select({ id: sessionsInIam.id }).from(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
-      gt2(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
+      gt3(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).orderBy(asc(sessionsInIam.createdAt)).limit(toDeleteCount);
   if (!idsToDelete.length) {
     return;
   }
   await database.delete(sessionsInIam).where(
-    and6(
-      eq6(sessionsInIam.tenantId, tenantId),
-      eq6(sessionsInIam.userId, userId),
+    and7(
+      eq7(sessionsInIam.tenantId, tenantId),
+      eq7(sessionsInIam.userId, userId),
       inArray(
         sessionsInIam.id,
         idsToDelete.map((s) => s.id)
@@ -1312,17 +1484,17 @@ var cleanupOldSessions = async ({
 };
 
 // src/routes/auth/helper/user.ts
-import { and as and7, eq as eq7, gt as gt3, sql as sql6 } from "drizzle-orm";
+import { and as and8, eq as eq8, gt as gt4, sql as sql6 } from "drizzle-orm";
 var checkExistingUserStatus = async ({
   tx,
   identifier,
   tenantId,
   isEmail
 }) => {
-  const whereClause = isEmail ? and7(
-    eq7(usersInIam.tenantId, tenantId),
+  const whereClause = isEmail ? and8(
+    eq8(usersInIam.tenantId, tenantId),
     sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and7(eq7(usersInIam.tenantId, tenantId), eq7(usersInIam.phone, identifier));
+  ) : and8(eq8(usersInIam.tenantId, tenantId), eq8(usersInIam.phone, identifier));
   const [existingUser] = await tx.select().from(usersInIam).where(whereClause).limit(1);
   if (!existingUser) {
     return { action: "proceed" };
@@ -1332,10 +1504,10 @@ var checkExistingUserStatus = async ({
     return { action: "error", code: AUTH_ERRORS.USER_EXISTS };
   }
   const [pendingVerification] = await tx.select().from(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.userId, existingUser.id),
-      eq7(verificationsInIam.tenantId, tenantId),
-      gt3(verificationsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+    and8(
+      eq8(verificationsInIam.userId, existingUser.id),
+      eq8(verificationsInIam.tenantId, tenantId),
+      gt4(verificationsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).limit(1);
   if (pendingVerification) {
@@ -1354,18 +1526,18 @@ var deleteUnverifiedUser = async ({
   tenantId
 }) => {
   await tx.delete(verificationsInIam).where(
-    and7(
-      eq7(verificationsInIam.userId, userId),
-      eq7(verificationsInIam.tenantId, tenantId)
+    and8(
+      eq8(verificationsInIam.userId, userId),
+      eq8(verificationsInIam.tenantId, tenantId)
     )
   );
   await tx.delete(accountsInIam).where(
-    and7(
-      eq7(accountsInIam.userId, userId),
-      eq7(accountsInIam.tenantId, tenantId)
+    and8(
+      eq8(accountsInIam.userId, userId),
+      eq8(accountsInIam.tenantId, tenantId)
     )
   );
-  await tx.delete(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId)));
+  await tx.delete(usersInIam).where(and8(eq8(usersInIam.id, userId), eq8(usersInIam.tenantId, tenantId)));
 };
 var createUserWithAccount = async ({
   tx,
@@ -1405,14 +1577,14 @@ var fetchUserForLogin = async ({
   userType
 }) => {
   const userTypeFilter = sql6`${usersInIam.userType} @> ARRAY[${userType}]::text[]`;
-  const whereClause = isEmail ? and7(
-    eq7(usersInIam.tenantId, tenantId),
+  const whereClause = isEmail ? and8(
+    eq8(usersInIam.tenantId, tenantId),
     userTypeFilter,
     sql6`lower(${usersInIam.email}) = lower(${identifier})`
-  ) : and7(
-    eq7(usersInIam.tenantId, tenantId),
+  ) : and8(
+    eq8(usersInIam.tenantId, tenantId),
     userTypeFilter,
-    eq7(usersInIam.phone, identifier)
+    eq8(usersInIam.phone, identifier)
   );
   const [row] = await database.select({
     id: usersInIam.id,
@@ -1430,9 +1602,9 @@ var fetchUserForLogin = async ({
     hasPassword: sql6`exists(
         select 1
         from ${accountsInIam}
-        where ${eq7(accountsInIam.tenantId, tenantId)}
-          and ${eq7(accountsInIam.userId, usersInIam.id)}
-          and ${eq7(accountsInIam.provider, "credentials")}
+        where ${eq8(accountsInIam.tenantId, tenantId)}
+          and ${eq8(accountsInIam.userId, usersInIam.id)}
+          and ${eq8(accountsInIam.provider, "credentials")}
           and ${sql6`${accountsInIam.password} is not null`}
       )`
   }).from(usersInIam).where(whereClause).limit(1);
@@ -1457,207 +1629,10 @@ var fetchUserByIdWithRoles = async ({
     bannedUntil: usersInIam.bannedUntil,
     loginAttempt: usersInIam.loginAttempt,
     ...getUserAuthSelect(tenantId)
-  }).from(usersInIam).where(and7(eq7(usersInIam.id, userId), eq7(usersInIam.tenantId, tenantId))).limit(1);
+  }).from(usersInIam).where(and8(eq8(usersInIam.id, userId), eq8(usersInIam.tenantId, tenantId))).limit(1);
   return result || null;
 };
 
-// src/routes/auth/helper/verification.ts
-import { dayjs as dayjs2 } from "@mesob/common";
-import { and as and8, desc, eq as eq8 } from "drizzle-orm";
-var createVerification = async ({
-  tx,
-  tenantId,
-  userId,
-  type,
-  to,
-  config
-}) => {
-  const isPhone = type === "phone-otp-sign-up";
-  const code = generateOtpCode(
-    isPhone ? config.phone.otpLength : config.email.otpLength
-  );
-  const hashedCode = await hashToken(code, config.secret);
-  const expiresAt = addDuration(
-    isPhone ? config.phone.expiresIn : config.email.expiresIn
-  );
-  const [verification] = await tx.insert(verificationsInIam).values({
-    tenantId,
-    userId,
-    type,
-    code: hashedCode,
-    expiresAt,
-    to,
-    attempt: 0
-  }).returning();
-  return { verificationId: verification.id, code, hash: hashedCode };
-};
-var sendVerification = async ({
-  channel,
-  to,
-  code,
-  config,
-  hash,
-  type
-}) => {
-  if (channel === "phone" && config.phone.sendVerificationOTP) {
-    await config.phone.sendVerificationOTP({
-      phone: to,
-      code,
-      hash,
-      type
-    });
-  } else if (config.email.sendVerificationOTP) {
-    await config.email.sendVerificationOTP({
-      email: to,
-      code,
-      hash,
-      type
-    });
-  }
-};
-var checkVerificationResend = async ({
-  database,
-  tenantId,
-  userId,
-  type,
-  resendInterval
-}) => {
-  if (!resendInterval) {
-    return { blocked: false };
-  }
-  const [verification] = await database.select({
-    id: verificationsInIam.id,
-    createdAt: verificationsInIam.createdAt
-  }).from(verificationsInIam).where(
-    and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, userId),
-      eq8(verificationsInIam.type, type)
-    )
-  ).orderBy(desc(verificationsInIam.createdAt)).limit(1);
-  if (!verification) {
-    return { blocked: false };
-  }
-  const cooldownSeconds = parseDuration(resendInterval);
-  const createdAt = dayjs2(verification.createdAt);
-  const blocked = dayjs2().diff(createdAt, "second") < cooldownSeconds;
-  return { blocked, verificationId: verification.id };
-};
-var handleEmailVerification = async ({
-  c,
-  user,
-  config,
-  database,
-  tenantId
-}) => {
-  if (!user.email) {
-    return c.json({ error: "User email not found" }, 401);
-  }
-  await database.delete(verificationsInIam).where(
-    and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, user.id),
-      eq8(verificationsInIam.type, "email-verification")
-    )
-  );
-  const code = generateOtpCode(config.email.otpLength);
-  const hashedCode = await hashToken(code, config.secret);
-  const expiresAt = addDuration(config.email.expiresIn);
-  const [verification] = await database.insert(verificationsInIam).values({
-    tenantId,
-    userId: user.id,
-    type: "email-verification",
-    code: hashedCode,
-    expiresAt,
-    to: user.email,
-    attempt: 0
-  }).returning({
-    id: verificationsInIam.id,
-    tenantId: verificationsInIam.tenantId,
-    userId: verificationsInIam.userId,
-    type: verificationsInIam.type,
-    code: verificationsInIam.code,
-    to: verificationsInIam.to,
-    expiresAt: verificationsInIam.expiresAt,
-    createdAt: verificationsInIam.createdAt,
-    attempt: verificationsInIam.attempt
-  });
-  if (config.email.sendVerificationOTP) {
-    await config.email.sendVerificationOTP({
-      email: user.email,
-      code,
-      hash: hashedCode,
-      type: "email-verification"
-    });
-  }
-  return c.json(
-    {
-      user: normalizeAuthUser(user),
-      session: null,
-      verificationId: verification.id,
-      requiresVerification: true
-    },
-    200
-  );
-};
-var handlePhoneVerification = async ({
-  c,
-  user,
-  config,
-  database,
-  tenantId
-}) => {
-  if (!user.phone) {
-    return c.json({ error: "User phone not found" }, 401);
-  }
-  await database.delete(verificationsInIam).where(
-    and8(
-      eq8(verificationsInIam.tenantId, tenantId),
-      eq8(verificationsInIam.userId, user.id),
-      eq8(verificationsInIam.type, "phone-otp")
-    )
-  );
-  const code = generateOtpCode(config.phone.otpLength);
-  const hashedCode = await hashToken(code, config.secret);
-  const expiresAt = addDuration(config.phone.expiresIn);
-  const [verification] = await database.insert(verificationsInIam).values({
-    tenantId,
-    userId: user.id,
-    type: "phone-otp",
-    code: hashedCode,
-    expiresAt,
-    to: user.phone,
-    attempt: 0
-  }).returning({
-    id: verificationsInIam.id,
-    tenantId: verificationsInIam.tenantId,
-    userId: verificationsInIam.userId,
-    type: verificationsInIam.type,
-    code: verificationsInIam.code,
-    to: verificationsInIam.to,
-    expiresAt: verificationsInIam.expiresAt,
-    createdAt: verificationsInIam.createdAt,
-    attempt: verificationsInIam.attempt
-  });
-  if (config.phone.sendVerificationOTP) {
-    await config.phone.sendVerificationOTP({
-      phone: user.phone,
-      code,
-      hash: hashedCode,
-      type: "phone-otp"
-    });
-  }
-  return c.json(
-    {
-      user: normalizeAuthUser(user),
-      session: null,
-      verificationId: verification.id,
-      requiresVerification: true
-    },
-    200
-  );
-};
-
 // src/routes/auth/handler/sign-in.ts
 var signInHandler = (
   // biome-ignore lint/complexity/noExcessiveCognitiveComplexity: auth flow combines lockout, verification, and session creation
@@ -1821,7 +1796,7 @@ var signInHandler = (
 );
 
 // src/routes/auth/handler/sign-out.ts
-import { and as and10, eq as eq10, gt as gt4 } from "drizzle-orm";
+import { and as and10, eq as eq10, gt as gt5 } from "drizzle-orm";
 import { getCookie } from "hono/cookie";
 var signOutHandler = async (c) => {
   const config = c.get("config");
@@ -1845,7 +1820,7 @@ var signOutHandler = async (c) => {
   }).from(sessionsInIam).where(
     and10(
       eq10(sessionsInIam.token, hashedToken),
-      gt4(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+      gt5(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).limit(1);
   if (session) {
@@ -1884,6 +1859,20 @@ var SignUpError = class extends Error {
     this.status = status;
   }
 };
+var normalizeSignupDomain = (value) => {
+  return value.trim().toLowerCase().replace(/^@/, "");
+};
+var isAllowedSignupEmail = (email, allowedDomains) => {
+  const domain = email.split("@")[1]?.toLowerCase();
+  if (!domain) {
+    return false;
+  }
+  const normalizedDomains = allowedDomains.map(normalizeSignupDomain).filter(Boolean);
+  if (normalizedDomains.length === 0) {
+    return true;
+  }
+  return normalizedDomains.includes(domain);
+};
 var signUpHandler = async (c) => {
   const body = c.req.valid("json");
   const config = c.get("config");
@@ -1895,7 +1884,19 @@ var signUpHandler = async (c) => {
   if (!identifier) {
     return c.json({ error: "Either email or phone is required" }, 409);
   }
+  if (config.signUp && !config.signUp.enabled) {
+    return c.json({ error: "Sign up is disabled" }, 403);
+  }
   const isEmail = identifier.includes("@");
+  if (isEmail && config.signUp && !config.signUp.emailEnabled) {
+    return c.json({ error: "Email sign up is disabled" }, 403);
+  }
+  if (!isEmail && config.signUp && !config.signUp.phoneEnabled) {
+    return c.json({ error: "Phone sign up is disabled" }, 403);
+  }
+  if (isEmail && config.signUp?.allowedEmailDomains && !isAllowedSignupEmail(identifier, config.signUp.allowedEmailDomains)) {
+    return c.json({ error: "Email domain is not allowed for sign up" }, 403);
+  }
   if (phone) {
     const phoneValidator = createPhoneField(config);
     if (!phoneValidator.validate(phone)) {
@@ -2832,7 +2833,7 @@ var email_route_default = emailRoutes;
 import { createRoute as createRoute4, OpenAPIHono as OpenAPIHono4 } from "@hono/zod-openapi";
 
 // src/routes/password/handler/change.ts
-import { and as and18, eq as eq18, gt as gt5, ne } from "drizzle-orm";
+import { and as and18, eq as eq18, gt as gt6, ne } from "drizzle-orm";
 import { getCookie as getCookie2 } from "hono/cookie";
 var changePasswordHandler = async (c) => {
   const body = c.req.valid("json");
@@ -2878,7 +2879,7 @@ var changePasswordHandler = async (c) => {
       and18(
         eq18(sessionsInIam.tenantId, resolvedTenantId),
         eq18(sessionsInIam.userId, userId),
-        gt5(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString()),
+        gt6(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString()),
         ne(sessionsInIam.token, hashedToken)
       )
     );
@@ -3075,7 +3076,7 @@ var forgotPasswordHandler = async (c) => {
 };
 
 // src/routes/password/handler/reset.ts
-import { and as and20, eq as eq20, gt as gt6 } from "drizzle-orm";
+import { and as and20, eq as eq20, gt as gt7 } from "drizzle-orm";
 
 // src/routes/password/helper/session.ts
 var createPasswordResetSession = async ({
@@ -3155,7 +3156,7 @@ var resetPasswordHandler = async (c) => {
     and20(
       eq20(sessionsInIam.tenantId, resolvedTenantId),
       eq20(sessionsInIam.userId, verification.userId),
-      gt6(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+      gt7(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   );
   await database.delete(verificationsInIam).where(eq20(verificationsInIam.id, verificationId));
@@ -4025,6 +4026,14 @@ var phoneVerificationRequestHandler = async (c) => {
     return c.json({ error: "Phone authentication is disabled" }, 400);
   }
   const { phone, context } = body;
+  if (context === "sign-up" && config.signUp) {
+    if (!config.signUp.enabled) {
+      return c.json({ error: "Sign up is disabled" }, 400);
+    }
+    if (!config.signUp.phoneEnabled) {
+      return c.json({ error: "Phone sign up is disabled" }, 400);
+    }
+  }
   if (!phone) {
     return c.json({ error: "Phone required" }, 400);
   }
@@ -4221,7 +4230,7 @@ import { createRoute as createRoute7, OpenAPIHono as OpenAPIHono7 } from "@hono/
 import { z as z4 } from "zod";
 
 // src/routes/profile/handler/account-change-pending.ts
-import { and as and26, eq as eq27, gt as gt7, sql as sql13 } from "drizzle-orm";
+import { and as and26, eq as eq27, gt as gt8, sql as sql13 } from "drizzle-orm";
 var accountChangePendingHandler = async (c) => {
   const config = c.get("config");
   const database = c.get("database");
@@ -4259,7 +4268,7 @@ var accountChangePendingHandler = async (c) => {
         eq27(verificationsInIam.userId, userId),
         eq27(verificationsInIam.type, "email-verification"),
         eq27(verificationsInIam.to, accountChange.newEmail),
-        gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
+        gt8(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
     verification = v || null;
@@ -4274,7 +4283,7 @@ var accountChangePendingHandler = async (c) => {
         eq27(verificationsInIam.userId, userId),
         eq27(verificationsInIam.type, "phone-otp-change-phone"),
         eq27(verificationsInIam.to, accountChange.newPhone),
-        gt7(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
+        gt8(verificationsInIam.expiresAt, sql13`CURRENT_TIMESTAMP`)
       )
     ).limit(1);
     verification = v || null;
@@ -6959,6 +6968,9 @@ var banUserHandler = async (c) => {
   return c.json({ user: normalizeUser(userWithRoles) }, 200);
 };
 
+// src/routes/users/helper/invite.ts
+import { and as and52, eq as eq57 } from "drizzle-orm";
+
 // src/routes/users/helper/user.ts
 import { and as and51, eq as eq56, sql as sql26 } from "drizzle-orm";
 var checkUserExists = async ({
@@ -7028,7 +7040,89 @@ var inviteUser = (
       isEmail
     });
     if (existing) {
-      throw new Error("User already exists");
+      const identifierVerified = isEmail ? existing.emailVerified : existing.phoneVerified;
+      const hasInviteType = Array.isArray(existing.userType) && existing.userType.includes(config.userType);
+      if (identifierVerified && hasInviteType) {
+        throw new Error("User already exists");
+      }
+      const updates = {};
+      if (!identifierVerified) {
+        if (payload.emailVerified !== void 0 && payload.email) {
+          updates.emailVerified = Boolean(payload.emailVerified);
+        }
+        if (payload.phoneVerified !== void 0 && payload.phone) {
+          updates.phoneVerified = Boolean(payload.phoneVerified);
+        }
+      }
+      if (!hasInviteType) {
+        updates.userType = [config.userType];
+      }
+      let user2;
+      if (Object.keys(updates).length > 0) {
+        const [updated] = await database.update(usersInIam).set(updates).where(eq57(usersInIam.id, existing.id)).returning();
+        if (!updated) {
+          throw new Error("User update failed");
+        }
+        user2 = updated;
+      } else {
+        user2 = existing;
+      }
+      const [credAccount] = await database.select().from(accountsInIam).where(
+        and52(
+          eq57(accountsInIam.tenantId, tenantId),
+          eq57(accountsInIam.userId, user2.id),
+          eq57(accountsInIam.provider, "credentials")
+        )
+      ).limit(1);
+      const hasPassword2 = Boolean(credAccount?.password);
+      const resolvedInviteUrl2 = resolveInviteUrl({
+        inviteUrl: payload.inviteUrl,
+        identifier,
+        hasPassword: hasPassword2
+      });
+      const delivery2 = {};
+      if (payload.sendVia?.includes("email")) {
+        if (payload.email && config.email.sendInvitation) {
+          try {
+            await config.email.sendInvitation({
+              email: payload.email,
+              fullName: user2.fullName,
+              identifier,
+              inviteUrl: resolvedInviteUrl2,
+              tenantId
+            });
+            delivery2.email = "sent";
+          } catch {
+            delivery2.email = "failed";
+          }
+        } else {
+          delivery2.email = "skipped";
+        }
+      }
+      if (payload.sendVia?.includes("sms")) {
+        if (payload.phone && config.phone.sendInvitation) {
+          try {
+            await config.phone.sendInvitation({
+              phone: payload.phone,
+              fullName: user2.fullName,
+              identifier,
+              inviteUrl: resolvedInviteUrl2,
+              tenantId
+            });
+            delivery2.sms = "sent";
+          } catch {
+            delivery2.sms = "failed";
+          }
+        } else {
+          delivery2.sms = "skipped";
+        }
+      }
+      return {
+        user: normalizeUser(user2),
+        delivery: delivery2,
+        inviteUrl: resolvedInviteUrl2,
+        hasPassword: hasPassword2
+      };
     }
     const userHandle = payload.handle || generateHandle();
     const existingHandle = await checkHandleExists({
@@ -7213,16 +7307,16 @@ var createUserHandler = async (c) => {
 };
 
 // src/routes/users/handler/delete-user.ts
-import { and as and52, eq as eq57 } from "drizzle-orm";
+import { and as and53, eq as eq58 } from "drizzle-orm";
 var deleteUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and53(eq58(usersInIam.id, id), eq58(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
-  await database.delete(usersInIam).where(and52(eq57(usersInIam.id, id), eq57(usersInIam.tenantId, tenantId)));
+  await database.delete(usersInIam).where(and53(eq58(usersInIam.id, id), eq58(usersInIam.tenantId, tenantId)));
   return c.json({ message: "User deleted" }, 200);
 };
 
@@ -7266,7 +7360,7 @@ var inviteUserHandler = async (c) => {
 };
 
 // src/routes/users/handler/list-users.ts
-import { and as and53, asc as asc5, desc as desc5, eq as eq58, gt as gt8, ilike as ilike4, inArray as inArray6, or as or4, sql as sql27 } from "drizzle-orm";
+import { and as and54, asc as asc5, desc as desc5, eq as eq59, gt as gt9, ilike as ilike4, inArray as inArray6, or as or4, sql as sql27 } from "drizzle-orm";
 var userSelect = {
   id: usersInIam.id,
   tenantId: usersInIam.tenantId,
@@ -7319,7 +7413,7 @@ var listUsersHandler = async (c) => {
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
   const userTypeFilter = query.userType && query.userType !== "all" ? query.userType : null;
-  const conditions = [eq58(usersInIam.tenantId, tenantId)];
+  const conditions = [eq59(usersInIam.tenantId, tenantId)];
   if (userTypeFilter) {
     conditions.push(
       sql27`${usersInIam.userType} @> ARRAY[${userTypeFilter}]::text[]`
@@ -7347,19 +7441,19 @@ var listUsersHandler = async (c) => {
   }
   if (query.filter === "verified") {
     const verifiedCond = or4(
-      eq58(usersInIam.emailVerified, true),
-      eq58(usersInIam.phoneVerified, true)
+      eq59(usersInIam.emailVerified, true),
+      eq59(usersInIam.phoneVerified, true)
     );
     if (verifiedCond) {
       conditions.push(verifiedCond);
     }
   } else if (query.filter === "unverified") {
-    conditions.push(eq58(usersInIam.emailVerified, false));
-    conditions.push(eq58(usersInIam.phoneVerified, false));
+    conditions.push(eq59(usersInIam.emailVerified, false));
+    conditions.push(eq59(usersInIam.phoneVerified, false));
   }
   const orderDir = query.order === "asc" ? asc5 : desc5;
   const sortCol = query.sort && sortColumnMap4[query.sort] ? sortColumnMap4[query.sort] : usersInIam.fullName;
-  const whereClause = and53(...conditions);
+  const whereClause = and54(...conditions);
   const [users, totalResult] = await Promise.all([
     database.select(userSelect).from(usersInIam).where(whereClause).orderBy(orderDir(sortCol)).limit(limit).offset(offset),
     database.select({ count: sql27`count(*)` }).from(usersInIam).where(whereClause)
@@ -7370,10 +7464,10 @@ var listUsersHandler = async (c) => {
     userId: sessionsInIam.userId,
     count: sql27`count(*)::int`.as("count")
   }).from(sessionsInIam).where(
-    and53(
-      eq58(sessionsInIam.tenantId, tenantId),
+    and54(
+      eq59(sessionsInIam.tenantId, tenantId),
       inArray6(sessionsInIam.userId, userIds),
-      gt8(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
+      gt9(sessionsInIam.expiresAt, (/* @__PURE__ */ new Date()).toISOString())
     )
   ).groupBy(sessionsInIam.userId) : [];
   const sessionCountByUser = new Map(
@@ -7385,13 +7479,13 @@ var listUsersHandler = async (c) => {
     name: rolesInIam.name
   }).from(userRolesInIam).innerJoin(
     rolesInIam,
-    and53(
-      eq58(rolesInIam.tenantId, userRolesInIam.tenantId),
-      eq58(rolesInIam.id, userRolesInIam.roleId)
+    and54(
+      eq59(rolesInIam.tenantId, userRolesInIam.tenantId),
+      eq59(rolesInIam.id, userRolesInIam.roleId)
     )
   ).where(
-    and53(
-      eq58(userRolesInIam.tenantId, tenantId),
+    and54(
+      eq59(userRolesInIam.tenantId, tenantId),
       inArray6(userRolesInIam.userId, userIds)
     )
   ) : [];
@@ -7421,13 +7515,13 @@ var listUsersHandler = async (c) => {
 };
 
 // src/routes/users/handler/search-users.ts
-import { and as and54, eq as eq59, ilike as ilike5, or as or5 } from "drizzle-orm";
+import { and as and55, eq as eq60, ilike as ilike5, or as or5 } from "drizzle-orm";
 var searchUsersHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const limit = query.limit || 20;
-  const conditions = [eq59(usersInIam.tenantId, tenantId)];
+  const conditions = [eq60(usersInIam.tenantId, tenantId)];
   if (query.search && query.search.trim().length > 0) {
     const searchCondition = or5(
       ilike5(usersInIam.fullName, `%${query.search}%`),
@@ -7445,25 +7539,25 @@ var searchUsersHandler = async (c) => {
     phone: usersInIam.phone,
     handle: usersInIam.handle,
     image: usersInIam.image
-  }).from(usersInIam).where(and54(...conditions)).limit(limit);
+  }).from(usersInIam).where(and55(...conditions)).limit(limit);
   return c.json({ users }, 200);
 };
 
 // src/routes/users/handler/update-user.ts
-import { and as and55, eq as eq60, inArray as inArray7, sql as sql28 } from "drizzle-orm";
+import { and as and56, eq as eq61, inArray as inArray7, sql as sql28 } from "drizzle-orm";
 var updateUserHandler = async (c) => {
   const { id } = c.req.valid("param");
   const body = c.req.valid("json");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
-  const [existing] = await database.select().from(usersInIam).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).limit(1);
+  const [existing] = await database.select().from(usersInIam).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).limit(1);
   if (!existing) {
     return c.json({ error: "User not found" }, 404);
   }
   if (body.handle && body.handle !== existing.handle) {
     const [handleExists] = await database.select().from(usersInIam).where(
-      and55(
-        eq60(usersInIam.tenantId, tenantId),
+      and56(
+        eq61(usersInIam.tenantId, tenantId),
         sql28`lower(${usersInIam.handle}) = lower(${body.handle})`
       )
     ).limit(1);
@@ -7496,7 +7590,7 @@ var updateUserHandler = async (c) => {
   const [updated] = await database.update(usersInIam).set({
     ...updateData,
     updatedAt: sql28`CURRENT_TIMESTAMP`
-  }).where(and55(eq60(usersInIam.id, id), eq60(usersInIam.tenantId, tenantId))).returning({
+  }).where(and56(eq61(usersInIam.id, id), eq61(usersInIam.tenantId, tenantId))).returning({
     id: usersInIam.id,
     tenantId: usersInIam.tenantId,
     fullName: usersInIam.fullName,
@@ -7515,8 +7609,8 @@ var updateUserHandler = async (c) => {
     const roleIds = body.roleIds;
     if (roleIds.length > 0) {
       const validRoles = await database.select({ id: rolesInIam.id, code: rolesInIam.code }).from(rolesInIam).where(
-        and55(
-          eq60(rolesInIam.tenantId, tenantId),
+        and56(
+          eq61(rolesInIam.tenantId, tenantId),
           inArray7(rolesInIam.id, roleIds)
         )
       );
@@ -7525,9 +7619,9 @@ var updateUserHandler = async (c) => {
       );
       const toInsert = roleIds.filter((rid) => assignableIds.has(rid));
       await database.delete(userRolesInIam).where(
-        and55(
-          eq60(userRolesInIam.tenantId, tenantId),
-          eq60(userRolesInIam.userId, id)
+        and56(
+          eq61(userRolesInIam.tenantId, tenantId),
+          eq61(userRolesInIam.userId, id)
         )
       );
       if (toInsert.length > 0) {
@@ -7541,9 +7635,9 @@ var updateUserHandler = async (c) => {
       }
     } else {
       await database.delete(userRolesInIam).where(
-        and55(
-          eq60(userRolesInIam.tenantId, tenantId),
-          eq60(userRolesInIam.userId, id)
+        and56(
+          eq61(userRolesInIam.tenantId, tenantId),
+          eq61(userRolesInIam.userId, id)
         )
       );
     }
@@ -7957,31 +8051,31 @@ var users_route_default = userRoutes;
 import { createRoute as createRoute15, OpenAPIHono as OpenAPIHono15 } from "@hono/zod-openapi";
 
 // src/routes/verifications/handler/invalidate-verification.ts
-import { and as and56, eq as eq61 } from "drizzle-orm";
+import { and as and57, eq as eq62 } from "drizzle-orm";
 var invalidateVerificationHandler = async (c) => {
   const { id } = c.req.valid("param");
   const database = c.get("database");
   const tenantId = c.get("tenantId");
   const [existing] = await database.select().from(verificationsInIam).where(
-    and56(
-      eq61(verificationsInIam.id, id),
-      eq61(verificationsInIam.tenantId, tenantId)
+    and57(
+      eq62(verificationsInIam.id, id),
+      eq62(verificationsInIam.tenantId, tenantId)
     )
   ).limit(1);
   if (!existing) {
     return c.json({ error: "Verification not found" }, 404);
   }
   await database.delete(verificationsInIam).where(
-    and56(
-      eq61(verificationsInIam.id, id),
-      eq61(verificationsInIam.tenantId, tenantId)
+    and57(
+      eq62(verificationsInIam.id, id),
+      eq62(verificationsInIam.tenantId, tenantId)
     )
   );
   return c.json({ message: "Verification invalidated" }, 200);
 };
 
 // src/routes/verifications/handler/list-verifications.ts
-import { and as and57, eq as eq62, sql as sql29 } from "drizzle-orm";
+import { and as and58, eq as eq63, sql as sql29 } from "drizzle-orm";
 var listVerificationsHandler = async (c) => {
   const query = c.req.valid("query");
   const database = c.get("database");
@@ -7989,12 +8083,12 @@ var listVerificationsHandler = async (c) => {
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
-  const conditions = [eq62(verificationsInIam.tenantId, tenantId)];
+  const conditions = [eq63(verificationsInIam.tenantId, tenantId)];
   if (query.userId) {
-    conditions.push(eq62(verificationsInIam.userId, query.userId));
+    conditions.push(eq63(verificationsInIam.userId, query.userId));
   }
   if (query.type) {
-    conditions.push(eq62(verificationsInIam.type, query.type));
+    conditions.push(eq63(verificationsInIam.type, query.type));
   }
   if (query.status) {
     if (query.status === "active") {
@@ -8008,8 +8102,8 @@ var listVerificationsHandler = async (c) => {
     }
   }
   const [verifications, totalResult] = await Promise.all([
-    database.select().from(verificationsInIam).where(and57(...conditions)).limit(limit).offset(offset),
-    database.select({ count: sql29`count(*)` }).from(verificationsInIam).where(and57(...conditions))
+    database.select().from(verificationsInIam).where(and58(...conditions)).limit(limit).offset(offset),
+    database.select({ count: sql29`count(*)` }).from(verificationsInIam).where(and58(...conditions))
   ]);
   const total = Number(totalResult[0]?.count || 0);
   return c.json({ verifications, total, page, limit }, 200);
@@ -8519,6 +8613,12 @@ var defaultAuthConfig = {
     ...defaultConfig,
     phoneRegex: defaultPhoneRegex
   },
+  signUp: {
+    enabled: true,
+    emailEnabled: true,
+    phoneEnabled: true,
+    allowedEmailDomains: []
+  },
   security: {
     maxLoginAttempts: 5,
     lockoutDuration: "15m"