@mesob/auth-hono 0.5.2 → 0.5.4

package/dist/lib/normalize-auth-response.js

@@ -7,7 +7,10 @@ var normalizeAuthUser = (user) => ({
   phone: user.phone,
   image: user.image,
   emailVerified: user.emailVerified,
-  phoneVerified: user.phoneVerified
+  phoneVerified: user.phoneVerified,
+  roles: user.roles ?? null,
+  roleCodes: user.roleCodes ?? null,
+  permissions: user.permissions ?? null
 });
 var normalizeAuthSession = (session) => session ? {
   id: session.id,

package/dist/lib/normalize-auth-response.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/lib/normalize-auth-response.ts"],"sourcesContent":["import type { Session, User } from '../types';\n\nexport const normalizeAuthUser = (\n  user: Pick<\n    User,\n    | 'id'\n    | 'tenantId'\n    | 'fullName'\n    | 'email'\n    | 'phone'\n    | 'image'\n    | 'emailVerified'\n    | 'phoneVerified'\n  >,\n) => ({\n  id: user.id,\n  tenantId: user.tenantId,\n  fullName: user.fullName,\n  email: user.email,\n  phone: user.phone,\n  image: user.image,\n  emailVerified: user.emailVerified,\n  phoneVerified: user.phoneVerified,\n});\n\nexport const normalizeAuthSession = (\n  session: Pick<Session, 'id' | 'expiresAt'> | null,\n) =>\n  session\n    ? {\n        id: session.id,\n        expiresAt: session.expiresAt,\n      }\n    : null;\n"],"mappings":";AAEO,IAAM,oBAAoB,CAC/B,UAWI;AAAA,EACJ,IAAI,KAAK;AAAA,EACT,UAAU,KAAK;AAAA,EACf,UAAU,KAAK;AAAA,EACf,OAAO,KAAK;AAAA,EACZ,OAAO,KAAK;AAAA,EACZ,OAAO,KAAK;AAAA,EACZ,eAAe,KAAK;AAAA,EACpB,eAAe,KAAK;AACtB;AAEO,IAAM,uBAAuB,CAClC,YAEA,UACI;AAAA,EACE,IAAI,QAAQ;AAAA,EACZ,WAAW,QAAQ;AACrB,IACA;","names":[]}
+{"version":3,"sources":["../../src/lib/normalize-auth-response.ts"],"sourcesContent":["import type { Session, User } from '../types';\n\nexport const normalizeAuthUser = (\n  user: Pick<\n    User,\n    | 'id'\n    | 'tenantId'\n    | 'fullName'\n    | 'email'\n    | 'phone'\n    | 'image'\n    | 'emailVerified'\n    | 'phoneVerified'\n  > &\n    Pick<Partial<User>, 'roles' | 'roleCodes' | 'permissions'>,\n) => ({\n  id: user.id,\n  tenantId: user.tenantId,\n  fullName: user.fullName,\n  email: user.email,\n  phone: user.phone,\n  image: user.image,\n  emailVerified: user.emailVerified,\n  phoneVerified: user.phoneVerified,\n  roles: user.roles ?? null,\n  roleCodes: user.roleCodes ?? null,\n  permissions: user.permissions ?? null,\n});\n\nexport const normalizeAuthSession = (\n  session: Pick<Session, 'id' | 'expiresAt'> | null,\n) =>\n  session\n    ? {\n        id: session.id,\n        expiresAt: session.expiresAt,\n      }\n    : null;\n"],"mappings":";AAEO,IAAM,oBAAoB,CAC/B,UAYI;AAAA,EACJ,IAAI,KAAK;AAAA,EACT,UAAU,KAAK;AAAA,EACf,UAAU,KAAK;AAAA,EACf,OAAO,KAAK;AAAA,EACZ,OAAO,KAAK;AAAA,EACZ,OAAO,KAAK;AAAA,EACZ,eAAe,KAAK;AAAA,EACpB,eAAe,KAAK;AAAA,EACpB,OAAO,KAAK,SAAS;AAAA,EACrB,WAAW,KAAK,aAAa;AAAA,EAC7B,aAAa,KAAK,eAAe;AACnC;AAEO,IAAM,uBAAuB,CAClC,YAEA,UACI;AAAA,EACE,IAAI,QAAQ;AAAA,EACZ,WAAW,QAAQ;AACrB,IACA;","names":[]}

package/dist/lib/normalize-rate-limit-ip.d.ts

@@ -0,0 +1,5 @@
+/** Stable client key for auth rate limits (IPv6 canonical + optional prefix). */
+/** IPv4 full address; IPv6 masked to prefixBits (1–128), default subnet /64. */
+declare function rateLimitClientKey(raw: string, ipv6SubnetBits: number): string;
+
+export { rateLimitClientKey };

package/dist/lib/normalize-rate-limit-ip.js

@@ -0,0 +1,159 @@
+// src/lib/normalize-rate-limit-ip.ts
+function parseIpv4Dotted(s) {
+  const p = s.split(".");
+  if (p.length !== 4) {
+    return null;
+  }
+  const b = new Uint8Array(4);
+  for (let i = 0; i < 4; i++) {
+    if (!/^\d{1,3}$/.test(p[i])) {
+      return null;
+    }
+    const n = Number(p[i]);
+    if (!Number.isInteger(n) || n < 0 || n > 255) {
+      return null;
+    }
+    b[i] = n;
+  }
+  return b;
+}
+function ipv4Key(bytes) {
+  return `4:${bytes[0]}.${bytes[1]}.${bytes[2]}.${bytes[3]}`;
+}
+function maskIpv6InPlace(bytes, prefixBits) {
+  if (prefixBits >= 128) {
+    return;
+  }
+  const whole = Math.floor(prefixBits / 8);
+  const rem = prefixBits % 8;
+  if (rem === 0) {
+    for (let i = whole; i < 16; i++) {
+      bytes[i] = 0;
+    }
+  } else {
+    for (let i = whole + 1; i < 16; i++) {
+      bytes[i] = 0;
+    }
+    const keep = 255 << 8 - rem & 255;
+    bytes[whole] &= keep;
+  }
+}
+function isIpv4MappedIpv6(bytes) {
+  for (let i = 0; i < 10; i++) {
+    if (bytes[i] !== 0) {
+      return false;
+    }
+  }
+  return bytes[10] === 255 && bytes[11] === 255;
+}
+function parseIpv6HextetsToBytes(s) {
+  const buf = new Uint8Array(16);
+  if (s === "") {
+    return buf;
+  }
+  const double = s.includes("::");
+  if (double && s.split("::").length > 2) {
+    return null;
+  }
+  const [leftRaw, rightRaw] = double ? s.split("::", 2) : [s, ""];
+  const left = leftRaw ? leftRaw.split(":").filter(Boolean) : [];
+  const right = rightRaw ? rightRaw.split(":").filter(Boolean) : [];
+  const partsLen = left.length + right.length;
+  if (double) {
+    if (partsLen > 8) {
+      return null;
+    }
+  } else if (partsLen !== 8) {
+    return null;
+  }
+  const pad = double ? 8 - partsLen : 0;
+  const all = [...left, ...Array(pad).fill("0"), ...right];
+  if (all.length !== 8) {
+    return null;
+  }
+  for (let i = 0; i < 8; i++) {
+    const h = all[i];
+    if (!h || h.includes(".")) {
+      return null;
+    }
+    const v = Number.parseInt(h, 16);
+    if (v > 65535 || Number.isNaN(v)) {
+      return null;
+    }
+    buf[i * 2] = v >> 8;
+    buf[i * 2 + 1] = v & 255;
+  }
+  return buf;
+}
+function parseIpv6ToBytes(address) {
+  let a = address.trim().toLowerCase();
+  if (a.startsWith("[") && a.endsWith("]")) {
+    a = a.slice(1, -1);
+  }
+  const zi = a.indexOf("%");
+  if (zi >= 0) {
+    a = a.slice(0, zi);
+  }
+  if (a === "") {
+    return null;
+  }
+  if (!a.includes(":")) {
+    const v4 = parseIpv4Dotted(a);
+    return v4 ? v4 : null;
+  }
+  const lastColon = a.lastIndexOf(":");
+  if (lastColon > 0) {
+    const maybeV4 = a.slice(lastColon + 1);
+    if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(maybeV4)) {
+      const v4b = parseIpv4Dotted(maybeV4);
+      if (!v4b) {
+        return null;
+      }
+      const prefix = a.slice(0, lastColon);
+      const w1 = v4b[0] << 8 | v4b[1];
+      const w2 = v4b[2] << 8 | v4b[3];
+      const tailHex = `${w1.toString(16)}:${w2.toString(16)}`;
+      let merged;
+      if (!prefix) {
+        merged = tailHex;
+      } else if (prefix.endsWith(":")) {
+        merged = `${prefix}${tailHex}`;
+      } else {
+        merged = `${prefix}:${tailHex}`;
+      }
+      return parseIpv6HextetsToBytes(merged);
+    }
+  }
+  return parseIpv6HextetsToBytes(a);
+}
+function bytesToHex(bytes) {
+  let o = "";
+  for (let i = 0; i < bytes.length; i++) {
+    o += bytes[i].toString(16).padStart(2, "0");
+  }
+  return o;
+}
+function rateLimitClientKey(raw, ipv6SubnetBits) {
+  const s = raw.trim();
+  if (!s || s === "unknown") {
+    return "unknown";
+  }
+  const prefixBits = Number.isFinite(ipv6SubnetBits) && ipv6SubnetBits >= 1 && ipv6SubnetBits <= 128 ? Math.floor(ipv6SubnetBits) : 64;
+  if (!s.includes(":")) {
+    const v4 = parseIpv4Dotted(s);
+    return v4 ? ipv4Key(v4) : `raw:${s}`;
+  }
+  const bytes = parseIpv6ToBytes(s);
+  if (!bytes) {
+    return `raw:${s}`;
+  }
+  if (isIpv4MappedIpv6(bytes)) {
+    return ipv4Key(bytes.subarray(12, 16));
+  }
+  maskIpv6InPlace(bytes, prefixBits);
+  return `6:${bytesToHex(bytes)}`;
+}
+export {
+  rateLimitClientKey
+};
+//# sourceMappingURL=normalize-rate-limit-ip.js.map

package/dist/lib/normalize-rate-limit-ip.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/lib/normalize-rate-limit-ip.ts"],"sourcesContent":["/** Stable client key for auth rate limits (IPv6 canonical + optional prefix). */\n\nfunction parseIpv4Dotted(s: string): Uint8Array | null {\n  const p = s.split('.');\n  if (p.length !== 4) {\n    return null;\n  }\n  const b = new Uint8Array(4);\n  for (let i = 0; i < 4; i++) {\n    if (!/^\\d{1,3}$/.test(p[i])) {\n      return null;\n    }\n    const n = Number(p[i]);\n    if (!Number.isInteger(n) || n < 0 || n > 255) {\n      return null;\n    }\n    b[i] = n;\n  }\n  return b;\n}\n\nfunction ipv4Key(bytes: Uint8Array): string {\n  return `4:${bytes[0]}.${bytes[1]}.${bytes[2]}.${bytes[3]}`;\n}\n\nfunction maskIpv6InPlace(bytes: Uint8Array, prefixBits: number): void {\n  if (prefixBits >= 128) {\n    return;\n  }\n  const whole = Math.floor(prefixBits / 8);\n  const rem = prefixBits % 8;\n  if (rem === 0) {\n    for (let i = whole; i < 16; i++) {\n      bytes[i] = 0;\n    }\n  } else {\n    for (let i = whole + 1; i < 16; i++) {\n      bytes[i] = 0;\n    }\n    const keep = (0xff << (8 - rem)) & 0xff;\n    bytes[whole] &= keep;\n  }\n}\n\nfunction isIpv4MappedIpv6(bytes: Uint8Array): boolean {\n  for (let i = 0; i < 10; i++) {\n    if (bytes[i] !== 0) {\n      return false;\n    }\n  }\n  return bytes[10] === 0xff && bytes[11] === 0xff;\n}\n\nfunction parseIpv6HextetsToBytes(s: string): Uint8Array | null {\n  const buf = new Uint8Array(16);\n  if (s === '') {\n    return buf;\n  }\n  const double = s.includes('::');\n  if (double && s.split('::').length > 2) {\n    return null;\n  }\n  const [leftRaw, rightRaw] = double ? s.split('::', 2) : [s, ''];\n  const left = leftRaw ? leftRaw.split(':').filter(Boolean) : [];\n  const right = rightRaw ? rightRaw.split(':').filter(Boolean) : [];\n  const partsLen = left.length + right.length;\n  if (double) {\n    if (partsLen > 8) {\n      return null;\n    }\n  } else if (partsLen !== 8) {\n    return null;\n  }\n  const pad = double ? 8 - partsLen : 0;\n  const all = [...left, ...Array(pad).fill('0'), ...right];\n  if (all.length !== 8) {\n    return null;\n  }\n  for (let i = 0; i < 8; i++) {\n    const h = all[i];\n    if (!h || h.includes('.')) {\n      return null;\n    }\n    const v = Number.parseInt(h, 16);\n    if (v > 0xffff || Number.isNaN(v)) {\n      return null;\n    }\n    buf[i * 2] = v >> 8;\n    buf[i * 2 + 1] = v & 0xff;\n  }\n  return buf;\n}\n\nfunction parseIpv6ToBytes(address: string): Uint8Array | null {\n  let a = address.trim().toLowerCase();\n  if (a.startsWith('[') && a.endsWith(']')) {\n    a = a.slice(1, -1);\n  }\n  const zi = a.indexOf('%');\n  if (zi >= 0) {\n    a = a.slice(0, zi);\n  }\n  if (a === '') {\n    return null;\n  }\n\n  if (!a.includes(':')) {\n    const v4 = parseIpv4Dotted(a);\n    return v4 ? v4 : null;\n  }\n\n  const lastColon = a.lastIndexOf(':');\n  if (lastColon > 0) {\n    const maybeV4 = a.slice(lastColon + 1);\n    if (/^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/.test(maybeV4)) {\n      const v4b = parseIpv4Dotted(maybeV4);\n      if (!v4b) {\n        return null;\n      }\n      const prefix = a.slice(0, lastColon);\n      const w1 = (v4b[0] << 8) | v4b[1];\n      const w2 = (v4b[2] << 8) | v4b[3];\n      const tailHex = `${w1.toString(16)}:${w2.toString(16)}`;\n      let merged: string;\n      if (!prefix) {\n        merged = tailHex;\n      } else if (prefix.endsWith(':')) {\n        merged = `${prefix}${tailHex}`;\n      } else {\n        merged = `${prefix}:${tailHex}`;\n      }\n      return parseIpv6HextetsToBytes(merged);\n    }\n  }\n\n  return parseIpv6HextetsToBytes(a);\n}\n\nfunction bytesToHex(bytes: Uint8Array): string {\n  let o = '';\n  for (let i = 0; i < bytes.length; i++) {\n    o += bytes[i].toString(16).padStart(2, '0');\n  }\n  return o;\n}\n\n/** IPv4 full address; IPv6 masked to prefixBits (1–128), default subnet /64. */\nexport function rateLimitClientKey(\n  raw: string,\n  ipv6SubnetBits: number,\n): string {\n  const s = raw.trim();\n  if (!s || s === 'unknown') {\n    return 'unknown';\n  }\n\n  const prefixBits =\n    Number.isFinite(ipv6SubnetBits) &&\n    ipv6SubnetBits >= 1 &&\n    ipv6SubnetBits <= 128\n      ? Math.floor(ipv6SubnetBits)\n      : 64;\n\n  if (!s.includes(':')) {\n    const v4 = parseIpv4Dotted(s);\n    return v4 ? ipv4Key(v4) : `raw:${s}`;\n  }\n\n  const bytes = parseIpv6ToBytes(s);\n  if (!bytes) {\n    return `raw:${s}`;\n  }\n\n  if (isIpv4MappedIpv6(bytes)) {\n    return ipv4Key(bytes.subarray(12, 16));\n  }\n\n  maskIpv6InPlace(bytes, prefixBits);\n  return `6:${bytesToHex(bytes)}`;\n}\n"],"mappings":";AAEA,SAAS,gBAAgB,GAA8B;AACrD,QAAM,IAAI,EAAE,MAAM,GAAG;AACrB,MAAI,EAAE,WAAW,GAAG;AAClB,WAAO;AAAA,EACT;AACA,QAAM,IAAI,IAAI,WAAW,CAAC;AAC1B,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,QAAI,CAAC,YAAY,KAAK,EAAE,CAAC,CAAC,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,UAAM,IAAI,OAAO,EAAE,CAAC,CAAC;AACrB,QAAI,CAAC,OAAO,UAAU,CAAC,KAAK,IAAI,KAAK,IAAI,KAAK;AAC5C,aAAO;AAAA,IACT;AACA,MAAE,CAAC,IAAI;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,QAAQ,OAA2B;AAC1C,SAAO,KAAK,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;AAC1D;AAEA,SAAS,gBAAgB,OAAmB,YAA0B;AACpE,MAAI,cAAc,KAAK;AACrB;AAAA,EACF;AACA,QAAM,QAAQ,KAAK,MAAM,aAAa,CAAC;AACvC,QAAM,MAAM,aAAa;AACzB,MAAI,QAAQ,GAAG;AACb,aAAS,IAAI,OAAO,IAAI,IAAI,KAAK;AAC/B,YAAM,CAAC,IAAI;AAAA,IACb;AAAA,EACF,OAAO;AACL,aAAS,IAAI,QAAQ,GAAG,IAAI,IAAI,KAAK;AACnC,YAAM,CAAC,IAAI;AAAA,IACb;AACA,UAAM,OAAQ,OAAS,IAAI,MAAQ;AACnC,UAAM,KAAK,KAAK;AAAA,EAClB;AACF;AAEA,SAAS,iBAAiB,OAA4B;AACpD,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,QAAI,MAAM,CAAC,MAAM,GAAG;AAClB,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO,MAAM,EAAE,MAAM,OAAQ,MAAM,EAAE,MAAM;AAC7C;AAEA,SAAS,wBAAwB,GAA8B;AAC7D,QAAM,MAAM,IAAI,WAAW,EAAE;AAC7B,MAAI,MAAM,IAAI;AACZ,WAAO;AAAA,EACT;AACA,QAAM,SAAS,EAAE,SAAS,IAAI;AAC9B,MAAI,UAAU,EAAE,MAAM,IAAI,EAAE,SAAS,GAAG;AACtC,WAAO;AAAA,EACT;AACA,QAAM,CAAC,SAAS,QAAQ,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;AAC9D,QAAM,OAAO,UAAU,QAAQ,MAAM,GAAG,EAAE,OAAO,OAAO,IAAI,CAAC;AAC7D,QAAM,QAAQ,WAAW,SAAS,MAAM,GAAG,EAAE,OAAO,OAAO,IAAI,CAAC;AAChE,QAAM,WAAW,KAAK,SAAS,MAAM;AACrC,MAAI,QAAQ;AACV,QAAI,WAAW,GAAG;AAChB,aAAO;AAAA,IACT;AAAA,EACF,WAAW,aAAa,GAAG;AACzB,WAAO;AAAA,EACT;AACA,QAAM,MAAM,SAAS,IAAI,WAAW;AACpC,QAAM,MAAM,CAAC,GAAG,MAAM,GAAG,MAAM,GAAG,EAAE,KAAK,GAAG,GAAG,GAAG,KAAK;AACvD,MAAI,IAAI,WAAW,GAAG;AACpB,WAAO;AAAA,EACT;AACA,WAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,UAAM,IAAI,IAAI,CAAC;AACf,QAAI,CAAC,KAAK,EAAE,SAAS,GAAG,GAAG;AACzB,aAAO;AAAA,IACT;AACA,UAAM,IAAI,OAAO,SAAS,GAAG,EAAE;AAC/B,QAAI,IAAI,SAAU,OAAO,MAAM,CAAC,GAAG;AACjC,aAAO;AAAA,IACT;AACA,QAAI,IAAI,CAAC,IAAI,KAAK;AAClB,QAAI,IAAI,IAAI,CAAC,IAAI,IAAI;AAAA,EACvB;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,SAAoC;AAC5D,MAAI,IAAI,QAAQ,KAAK,EAAE,YAAY;AACnC,MAAI,EAAE,WAAW,GAAG,KAAK,EAAE,SAAS,GAAG,GAAG;AACxC,QAAI,EAAE,MAAM,GAAG,EAAE;AAAA,EACnB;AACA,QAAM,KAAK,EAAE,QAAQ,GAAG;AACxB,MAAI,MAAM,GAAG;AACX,QAAI,EAAE,MAAM,GAAG,EAAE;AAAA,EACnB;AACA,MAAI,MAAM,IAAI;AACZ,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,EAAE,SAAS,GAAG,GAAG;AACpB,UAAM,KAAK,gBAAgB,CAAC;AAC5B,WAAO,KAAK,KAAK;AAAA,EACnB;AAEA,QAAM,YAAY,EAAE,YAAY,GAAG;AACnC,MAAI,YAAY,GAAG;AACjB,UAAM,UAAU,EAAE,MAAM,YAAY,CAAC;AACrC,QAAI,uCAAuC,KAAK,OAAO,GAAG;AACxD,YAAM,MAAM,gBAAgB,OAAO;AACnC,UAAI,CAAC,KAAK;AACR,eAAO;AAAA,MACT;AACA,YAAM,SAAS,EAAE,MAAM,GAAG,SAAS;AACnC,YAAM,KAAM,IAAI,CAAC,KAAK,IAAK,IAAI,CAAC;AAChC,YAAM,KAAM,IAAI,CAAC,KAAK,IAAK,IAAI,CAAC;AAChC,YAAM,UAAU,GAAG,GAAG,SAAS,EAAE,CAAC,IAAI,GAAG,SAAS,EAAE,CAAC;AACrD,UAAI;AACJ,UAAI,CAAC,QAAQ;AACX,iBAAS;AAAA,MACX,WAAW,OAAO,SAAS,GAAG,GAAG;AAC/B,iBAAS,GAAG,MAAM,GAAG,OAAO;AAAA,MAC9B,OAAO;AACL,iBAAS,GAAG,MAAM,IAAI,OAAO;AAAA,MAC/B;AACA,aAAO,wBAAwB,MAAM;AAAA,IACvC;AAAA,EACF;AAEA,SAAO,wBAAwB,CAAC;AAClC;AAEA,SAAS,WAAW,OAA2B;AAC7C,MAAI,IAAI;AACR,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,SAAK,MAAM,CAAC,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAAA,EAC5C;AACA,SAAO;AACT;AAGO,SAAS,mBACd,KACA,gBACQ;AACR,QAAM,IAAI,IAAI,KAAK;AACnB,MAAI,CAAC,KAAK,MAAM,WAAW;AACzB,WAAO;AAAA,EACT;AAEA,QAAM,aACJ,OAAO,SAAS,cAAc,KAC9B,kBAAkB,KAClB,kBAAkB,MACd,KAAK,MAAM,cAAc,IACzB;AAEN,MAAI,CAAC,EAAE,SAAS,GAAG,GAAG;AACpB,UAAM,KAAK,gBAAgB,CAAC;AAC5B,WAAO,KAAK,QAAQ,EAAE,IAAI,OAAO,CAAC;AAAA,EACpC;AAEA,QAAM,QAAQ,iBAAiB,CAAC;AAChC,MAAI,CAAC,OAAO;AACV,WAAO,OAAO,CAAC;AAAA,EACjB;AAEA,MAAI,iBAAiB,KAAK,GAAG;AAC3B,WAAO,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;AAAA,EACvC;AAEA,kBAAgB,OAAO,UAAU;AACjC,SAAO,KAAK,WAAW,KAAK,CAAC;AAC/B;","names":[]}

package/dist/lib/normalize-user.d.ts

@@ -1,4 +1,4 @@
-import { U as User } from '../index-CDgzxZzO.js';
+import { U as User } from '../index-v_uxUd8A.js';
 import 'hono';
 import '@hono/zod-openapi';
 import '@mesob/common';

package/dist/lib/openapi-config.d.ts

@@ -1,4 +1,4 @@
-import { A as AuthConfig } from '../index-CDgzxZzO.js';
+import { A as AuthConfig } from '../index-v_uxUd8A.js';
 import 'hono';
 import '@hono/zod-openapi';
 import '@mesob/common';

package/dist/lib/phone-validation.d.ts

@@ -1,4 +1,4 @@
-import { A as AuthConfig } from '../index-CDgzxZzO.js';
+import { A as AuthConfig } from '../index-v_uxUd8A.js';
 import 'hono';
 import '@hono/zod-openapi';
 import '@mesob/common';

package/dist/lib/session-cache.d.ts

@@ -0,0 +1,22 @@
+import { D as Database } from '../index-Dhe5obDc.js';
+import { A as AuthConfig, f as Session, U as User } from '../index-v_uxUd8A.js';
+import 'drizzle-orm/node-postgres';
+import 'drizzle-orm';
+import 'drizzle-orm/pg-core';
+import 'pg';
+import 'hono';
+import '@hono/zod-openapi';
+import '@mesob/common';
+
+type SessionCachePayload = {
+    session: Session;
+    user: User;
+};
+declare const sessionCacheKey: (config: AuthConfig, hashedToken: string) => string;
+declare function readSessionCache(config: AuthConfig, hashedToken: string): Promise<SessionCachePayload | null>;
+declare function writeSessionCache(config: AuthConfig, hashedToken: string, payload: SessionCachePayload): Promise<void>;
+declare function deleteSessionCacheKeys(config: AuthConfig, hashedTokens: string[]): Promise<void>;
+declare function invalidateSessionCacheForHashedToken(config: AuthConfig, hashedToken: string): Promise<void>;
+declare function invalidateSessionCacheForUser(config: AuthConfig, database: Database, userId: string, tenantId: string): Promise<void>;
+
+export { type SessionCachePayload, deleteSessionCacheKeys, invalidateSessionCacheForHashedToken, invalidateSessionCacheForUser, readSessionCache, sessionCacheKey, writeSessionCache };

package/dist/lib/session-cache.js

@@ -0,0 +1,396 @@
+// src/db/orm/session.ts
+import { and, eq, gt } from "drizzle-orm";
+
+// src/db/schema.ts
+import { pgSchema, index, foreignKey, pgPolicy, check, uuid, varchar, timestamp, text, smallint, unique, inet, jsonb, boolean, uniqueIndex } from "drizzle-orm/pg-core";
+import { sql } from "drizzle-orm";
+var iam = pgSchema("iam");
+var verificationsInIam = iam.table("verifications", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  userId: uuid("user_id").notNull(),
+  code: text().notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  type: text(),
+  attempt: smallint().default(0),
+  to: text()
+}, (table) => [
+  index("verifications_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("verifications_lookup_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("text_ops"), table.type.asc().nullsLast().op("uuid_ops"), table.to.asc().nullsLast().op("text_ops"), table.code.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "verifications_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "verifications_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("verifications_attempt_nonnegative_check", sql`attempt >= 0`),
+  check("verifications_expires_after_created_check", sql`expires_at > created_at`)
+]);
+var sessionsInIam = iam.table("sessions", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  userId: uuid("user_id").notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  userAgent: text("user_agent"),
+  ip: inet(),
+  meta: jsonb(),
+  token: text().notNull(),
+  rotatedAt: timestamp("rotated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`)
+}, (table) => [
+  index("sessions_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("sessions_tenant_user_idx").using("btree", table.tenantId.asc().nullsLast().op("uuid_ops"), table.userId.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "sessions_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "sessions_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("sessions_token_key").on(table.token),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("sessions_expires_after_created_check", sql`expires_at > created_at`)
+]);
+var accountChangesInIam = iam.table("account_changes", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  changeType: text("change_type").notNull(),
+  oldEmail: varchar("old_email"),
+  newEmail: varchar("new_email"),
+  oldPhone: text("old_phone"),
+  newPhone: text("new_phone"),
+  status: varchar().notNull(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }).notNull(),
+  confirmedAt: timestamp("confirmed_at", { withTimezone: true, mode: "string" }),
+  cancelledAt: timestamp("cancelled_at", { withTimezone: true, mode: "string" }),
+  reason: text()
+}, (table) => [
+  index("account_changes_expires_at_idx").using("btree", table.expiresAt.asc().nullsLast().op("timestamptz_ops")),
+  index("account_changes_tenant_user_status_idx").using("btree", table.tenantId.asc().nullsLast().op("uuid_ops"), table.userId.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("uuid_ops")),
+  index("idx_account_changes_expired").using("btree", table.expiresAt.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("text_ops")).where(sql`((status)::text = 'pending'::text)`),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "account_changes_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "account_changes_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("account_changes_expires_after_created_check", sql`expires_at > created_at`),
+  check("account_changes_change_type_check", sql`((change_type = 'EMAIL'::text) AND (old_email IS NOT NULL) AND (new_email IS NOT NULL) AND (old_phone IS NULL) AND (new_phone IS NULL)) OR ((change_type = 'PHONE'::text) AND (old_phone IS NOT NULL) AND (new_phone IS NOT NULL) AND (old_email IS NULL) AND (new_email IS NULL))`),
+  check("account_changes_status_check", sql`(status)::text = ANY (ARRAY[('PENDING'::character varying)::text, ('APPLIED'::character varying)::text, ('CANCELLED'::character varying)::text, ('EXPIRED'::character varying)::text])`)
+]);
+var tenantsInIam = iam.table("tenants", {
+  id: varchar({ length: 30 }).primaryKey().notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  name: jsonb().notNull(),
+  description: jsonb(),
+  theme: jsonb(),
+  supportedLanguages: jsonb("supported_languages"),
+  defaultLanguage: text("default_language"),
+  supportedCurrency: jsonb("supported_currency"),
+  defaultCurrency: text("default_currency"),
+  timezone: text(),
+  isActive: boolean("is_active").default(true).notNull(),
+  locale: jsonb(),
+  settings: jsonb(),
+  seo: jsonb()
+}, (table) => [
+  index("tenants_is_active_idx").using("btree", table.isActive.asc().nullsLast().op("bool_ops"))
+]);
+var rolePermissionsInIam = iam.table("role_permissions", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  permissionId: text("permission_id").notNull(),
+  roleId: uuid("role_id").notNull()
+}, (table) => [
+  index("idx_role_permissions_permission_id").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.permissionId.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "role_permissions_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.permissionId],
+    foreignColumns: [permissionsInIam.id],
+    name: "role_permissions_permission_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.tenantId, table.roleId],
+    foreignColumns: [rolesInIam.tenantId, rolesInIam.id],
+    name: "role_permissions_tenant_role_fkey"
+  }).onDelete("cascade"),
+  unique("role_permissions_tenant_role_permission_unique").on(table.tenantId, table.permissionId, table.roleId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var permissionsInIam = iam.table("permissions", {
+  id: text().primaryKey().notNull(),
+  description: jsonb().notNull(),
+  activity: text().notNull(),
+  application: text().notNull(),
+  feature: text().notNull()
+}, (table) => [
+  unique("permissions_activity_application_feature_key").on(table.activity, table.application, table.feature)
+]);
+var accountsInIam = iam.table("accounts", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  provider: text().notNull(),
+  providerAccountId: text("provider_account_id").notNull(),
+  password: text(),
+  passwordLastChangedAt: timestamp("password_last_changed_at", { withTimezone: true, mode: "string" }),
+  idToken: text("id_token"),
+  accessToken: text("access_token"),
+  accessTokenExpiresAt: timestamp("access_token_expires_at", { withTimezone: true, mode: "string" }),
+  refreshToken: text("refresh_token"),
+  refreshTokenExpiresAt: timestamp("refresh_token_expires_at", { withTimezone: true, mode: "string" }),
+  scope: text(),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }),
+  meta: jsonb()
+}, (table) => [
+  index("idx_accounts_provider_lookup").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.provider.asc().nullsLast().op("text_ops"), table.providerAccountId.asc().nullsLast().op("text_ops")),
+  index("idx_accounts_user_id").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "accounts_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "accounts_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("accounts_tenant_provider_account_unique").on(table.tenantId, table.provider, table.providerAccountId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var usersInIam = iam.table("users", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  fullName: text("full_name").notNull(),
+  image: text(),
+  phone: text(),
+  email: text(),
+  handle: text().notNull(),
+  emailVerified: boolean("email_verified").default(false).notNull(),
+  phoneVerified: boolean("phone_verified").default(false).notNull(),
+  bannedUntil: timestamp("banned_until", { withTimezone: true, mode: "string" }),
+  lastSignInAt: timestamp("last_sign_in_at", { withTimezone: true, mode: "string" }),
+  loginAttempt: smallint("login_attempt").default(0).notNull(),
+  userType: text("user_type").array().default(["RAY"]).notNull()
+}, (table) => [
+  index("idx_users_auth_lookup").using("btree", table.tenantId.asc().nullsLast().op("bool_ops"), table.email.asc().nullsLast().op("bool_ops"), table.id.asc().nullsLast().op("timestamptz_ops"), table.emailVerified.asc().nullsLast().op("timestamptz_ops"), table.bannedUntil.asc().nullsLast().op("uuid_ops")).where(sql`(email IS NOT NULL)`),
+  index("idx_users_email_lookup").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.email.asc().nullsLast().op("text_ops")).where(sql`(email IS NOT NULL)`),
+  index("idx_users_handle_lookup").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.handle.asc().nullsLast().op("text_ops")),
+  index("idx_users_phone_lookup").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.phone.asc().nullsLast().op("text_ops")).where(sql`(phone IS NOT NULL)`),
+  index("idx_users_tenant_email_unique").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.email.asc().nullsLast().op("text_ops")).where(sql`(email IS NOT NULL)`),
+  index("idx_users_tenant_is_admin").using("btree", table.tenantId.asc().nullsLast().op("text_ops")).where(sql`(user_type @> ARRAY['admin'::text])`),
+  index("idx_users_tenant_is_candidate").using("btree", table.tenantId.asc().nullsLast().op("text_ops")).where(sql`(user_type @> ARRAY['candidate'::text])`),
+  index("idx_users_tenant_is_employee").using("btree", table.tenantId.asc().nullsLast().op("text_ops")).where(sql`(user_type @> ARRAY['employee'::text])`),
+  index("idx_users_user_types_gin").using("gin", table.userType.asc().nullsLast().op("array_ops")),
+  uniqueIndex("users_tenant_lower_email_idx").using("btree", sql`tenant_id`, sql`lower(email)`),
+  uniqueIndex("users_tenant_lower_handle_idx").using("btree", sql`tenant_id`, sql`lower(handle)`),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "users_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("users_tenant_phone_key").on(table.tenantId, table.phone),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("users_login_attempt_nonnegative_check", sql`login_attempt >= 0`),
+  check("users_contact_required_check", sql`(email IS NOT NULL) OR (phone IS NOT NULL)`),
+  check("users_user_type_check", sql`user_type <@ ARRAY['candidate'::text, 'employee'::text, 'admin'::text]`)
+]);
+var rolesInIam = iam.table("roles", {
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  name: jsonb().notNull(),
+  description: jsonb().notNull(),
+  code: text().notNull(),
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  isSystem: boolean("is_system").default(false).notNull(),
+  isEditable: boolean("is_editable").default(true).notNull(),
+  isDeletable: boolean("is_deletable").default(true).notNull()
+}, (table) => [
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "roles_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  unique("roles_tenant_code_unique").on(table.tenantId, table.code),
+  unique("roles_tenant_id_unique").on(table.tenantId, table.id),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var userRolesInIam = iam.table("user_roles", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  userId: uuid("user_id").notNull(),
+  roleId: uuid("role_id").notNull()
+}, (table) => [
+  index("idx_user_roles_tenant_user").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.userId.asc().nullsLast().op("uuid_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "user_roles_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.userId],
+    foreignColumns: [usersInIam.id],
+    name: "user_roles_user_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  foreignKey({
+    columns: [table.tenantId, table.roleId],
+    foreignColumns: [rolesInIam.tenantId, rolesInIam.id],
+    name: "user_roles_tenant_role_fkey"
+  }).onDelete("cascade"),
+  unique("user_roles_tenant_user_role_unique").on(table.tenantId, table.userId, table.roleId),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` })
+]);
+var domainsInIam = iam.table("domains", {
+  id: uuid().default(sql`uuid_generate_v7()`).primaryKey().notNull(),
+  tenantId: varchar("tenant_id", { length: 30 }).notNull(),
+  domain: text().notNull(),
+  status: text().default("pending").notNull(),
+  meta: jsonb(),
+  isPrimary: boolean("is_primary").default(false).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "string" }).default(sql`CURRENT_TIMESTAMP`).notNull()
+}, (table) => [
+  uniqueIndex("domains_domain_unique_idx").using("btree", sql`lower(domain)`),
+  uniqueIndex("domains_primary_per_tenant_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops")).where(sql`(is_primary = true)`),
+  index("domains_tenant_status_idx").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("text_ops")),
+  index("idx_domains_tenant_domain_status").using("btree", table.tenantId.asc().nullsLast().op("text_ops"), table.domain.asc().nullsLast().op("text_ops"), table.status.asc().nullsLast().op("text_ops")),
+  foreignKey({
+    columns: [table.tenantId],
+    foreignColumns: [tenantsInIam.id],
+    name: "domains_tenant_id_fkey"
+  }).onUpdate("cascade").onDelete("cascade"),
+  pgPolicy("tenant_isolation", { as: "permissive", for: "all", to: ["public"], using: sql`((tenant_id)::text = (iam.current_tenant_id())::text)`, withCheck: sql`((tenant_id)::text = (iam.current_tenant_id())::text)` }),
+  check("domains_domain_format_check", sql`domain ~ '^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)+$'::text`),
+  check("domains_status_check", sql`status = ANY (ARRAY['PENDING'::text, 'ACTIVE'::text, 'DISABLED'::text, 'DELETED'::text])`)
+]);
+
+// src/db/orm/session.ts
+var listHashedTokensForUser = async ({
+  database,
+  userId,
+  tenantId
+}) => {
+  const rows = await database.select({ token: sessionsInIam.token }).from(sessionsInIam).where(
+    and(
+      eq(sessionsInIam.userId, userId),
+      eq(sessionsInIam.tenantId, tenantId)
+    )
+  );
+  return rows.map((r) => r.token);
+};
+
+// src/db/orm/tenant.ts
+import { and as and2, eq as eq2, sql as sql2 } from "drizzle-orm";
+
+// src/db/orm/user.ts
+import { and as and4, eq as eq4 } from "drizzle-orm";
+
+// src/lib/user-auth-select.ts
+import { and as and3, eq as eq3, sql as sql3 } from "drizzle-orm";
+
+// src/lib/cookie.ts
+import { deleteCookie as honoDel, setCookie as honoSet } from "hono/cookie";
+var isProduction = process.env.NODE_ENV === "production";
+var getSessionKeyNamespace = (config) => {
+  const p = config.prefix?.trim();
+  return p && p.length > 0 ? p : "msb";
+};
+
+// src/lib/session-cache.ts
+var sessionCacheKey = (config, hashedToken) => `${getSessionKeyNamespace(config)}:sc:v1:${hashedToken}`;
+async function readSessionCache(config, hashedToken) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return null;
+  }
+  const raw = await sc.kv.get(sessionCacheKey(config, hashedToken));
+  if (!raw) {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed?.session?.expiresAt || new Date(parsed.session.expiresAt) <= /* @__PURE__ */ new Date()) {
+      await sc.kv.delete(sessionCacheKey(config, hashedToken));
+      return null;
+    }
+    return parsed;
+  } catch {
+    await sc.kv.delete(sessionCacheKey(config, hashedToken));
+    return null;
+  }
+}
+async function writeSessionCache(config, hashedToken, payload) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled) {
+    return;
+  }
+  const ttl = sc.ttlSeconds ?? Math.max(
+    60,
+    Math.ceil(
+      (new Date(payload.session.expiresAt).getTime() - Date.now()) / 1e3
+    )
+  );
+  await sc.kv.put(
+    sessionCacheKey(config, hashedToken),
+    JSON.stringify(payload),
+    {
+      expirationTtl: Math.min(Math.max(ttl, 60), 2147483647)
+    }
+  );
+}
+async function deleteSessionCacheKeys(config, hashedTokens) {
+  const sc = config.sessionCache;
+  if (!sc?.enabled || hashedTokens.length === 0) {
+    return;
+  }
+  await Promise.all(
+    hashedTokens.map((t) => sc.kv.delete(sessionCacheKey(config, t)))
+  );
+}
+async function invalidateSessionCacheForHashedToken(config, hashedToken) {
+  await deleteSessionCacheKeys(config, [hashedToken]);
+}
+async function invalidateSessionCacheForUser(config, database, userId, tenantId) {
+  const tokens = await listHashedTokensForUser({
+    database,
+    userId,
+    tenantId
+  });
+  await deleteSessionCacheKeys(config, tokens);
+}
+export {
+  deleteSessionCacheKeys,
+  invalidateSessionCacheForHashedToken,
+  invalidateSessionCacheForUser,
+  readSessionCache,
+  sessionCacheKey,
+  writeSessionCache
+};
+//# sourceMappingURL=session-cache.js.map