@nexpress/core 0.3.0 → 0.3.2

package/dist/auth.d.ts

@@ -1,5 +1,5 @@
-import { p as NpAccessFunction, n as NpUserRole, e as NpAuthUser } from './types-DI3gxsiY.js';
-export { F as NpPrincipal } from './types-DI3gxsiY.js';
+import { p as NpAccessFunction, m as NpUserRole, e as NpAuthUser } from './types-D31ppGJw.js';
+export { H as NpPrincipal } from './types-D31ppGJw.js';
 import { NodePgDatabase } from 'drizzle-orm/node-postgres';
 import { Options } from '@node-rs/argon2';
 
@@ -72,6 +72,29 @@ declare function verifyToken(token: string, secret: string, expectedUse?: NpToke
  */
 declare function isTokenVerificationError(err: unknown): boolean;
 
+/**
+ * Minimal public projection of a user row — `id` + `name` + `email`.
+ * Themes / plugins reach for this when they need to display a byline
+ * (post.author → user) without pulling in session machinery. Password
+ * hash + tokenVersion + reset state stay private to the auth module.
+ */
+interface NpUserBasic {
+    id: string;
+    name: string;
+    email: string;
+}
+/**
+ * Look up a user by id. Returns `null` when the id doesn't exist
+ * (caller handles missing-author UI). UUID validation lives at the
+ * caller — Postgres rejects malformed ids inside `eq()` and the
+ * surfacing error is already informative.
+ *
+ * This is the supported entry point for theme code that needs to
+ * render a byline from `posts.author: relationTo("users")`. Direct
+ * drizzle reads against `np_users` are private to the framework.
+ */
+declare function getUserById(id: string): Promise<NpUserBasic | null>;
+
 declare const ARGON2_OPTIONS: Options;
 declare function hashPassword(password: string): Promise<string>;
 declare function verifyPassword(passwordHash: string, password: string): Promise<boolean>;
@@ -637,4 +660,4 @@ interface NpConsumeMemberResetResult {
 }
 declare function consumeMemberPasswordReset(db: NodePgDatabase<Record<string, unknown>>, token: string, newPassword: string): Promise<NpConsumeMemberResetResult>;
 
-export { ARGON2_OPTIONS, type ArcticLikeProvider, type ArcticLikeTokens, type FromArcticOptions, type IssuedOAuthState, type NpCapability, type NpConsumeMemberEmailVerifyResult, type NpConsumeMemberResetResult, type NpConsumeResetTokenOptions, type NpConsumeResetTokenResult, type NpCreateResetTokenOptions, type NpIssuedMemberToken, type NpIssuedResetToken, type NpMemberAuthRow, type NpMemberIdentityRow, type NpMemberResetRequestResult, type NpMemberTokenPayload, type NpPasswordResetPurpose, type NpResetRequestResult, type NpTokenPayload, type NpUserIdentityRow, type OAuthAuthorizeParams, type OAuthExchangeParams, type OAuthProfile, type OAuthProvider, type OAuthStatePayload, type ResolveMemberOAuthLoginInput, type ResolveMemberOAuthLoginResult, type ResolveOAuthLoginInput, type ResolveOAuthLoginResult, type ResolvedOAuthMember, type ResolvedOAuthUser, type VerifyOAuthStateResult, authenticated, can, consumeMemberEmailVerifyToken, consumeMemberPasswordReset, consumePasswordResetToken, createMemberEmailVerifyToken, createPasswordResetToken, fromArctic, getMemberFromTokenPayload, getOAuthProvider, hashPassword, invalidateAllMemberSessions, invalidateAllSessions, isAdmin, isEditorOrAbove, isOwnerOrAdmin, isTokenVerificationError, issueOAuthState, listMemberIdentities, listOAuthProviders, listUserIdentities, registerOAuthProvider, requestMemberPasswordReset, requestPasswordReset, resetOAuthProviders, resolveMemberOAuthLogin, resolveOAuthLogin, revokeMemberIdentity, revokeUserIdentity, sha256, signMemberToken, signToken, verifyCsrf, verifyMemberToken, verifyOAuthState, verifyPassword, verifyToken, verifyTokenFull };
+export { ARGON2_OPTIONS, type ArcticLikeProvider, type ArcticLikeTokens, type FromArcticOptions, type IssuedOAuthState, type NpCapability, type NpConsumeMemberEmailVerifyResult, type NpConsumeMemberResetResult, type NpConsumeResetTokenOptions, type NpConsumeResetTokenResult, type NpCreateResetTokenOptions, type NpIssuedMemberToken, type NpIssuedResetToken, type NpMemberAuthRow, type NpMemberIdentityRow, type NpMemberResetRequestResult, type NpMemberTokenPayload, type NpPasswordResetPurpose, type NpResetRequestResult, type NpTokenPayload, type NpUserBasic, type NpUserIdentityRow, type OAuthAuthorizeParams, type OAuthExchangeParams, type OAuthProfile, type OAuthProvider, type OAuthStatePayload, type ResolveMemberOAuthLoginInput, type ResolveMemberOAuthLoginResult, type ResolveOAuthLoginInput, type ResolveOAuthLoginResult, type ResolvedOAuthMember, type ResolvedOAuthUser, type VerifyOAuthStateResult, authenticated, can, consumeMemberEmailVerifyToken, consumeMemberPasswordReset, consumePasswordResetToken, createMemberEmailVerifyToken, createPasswordResetToken, fromArctic, getMemberFromTokenPayload, getOAuthProvider, getUserById, hashPassword, invalidateAllMemberSessions, invalidateAllSessions, isAdmin, isEditorOrAbove, isOwnerOrAdmin, isTokenVerificationError, issueOAuthState, listMemberIdentities, listOAuthProviders, listUserIdentities, registerOAuthProvider, requestMemberPasswordReset, requestPasswordReset, resetOAuthProviders, resolveMemberOAuthLogin, resolveOAuthLogin, revokeMemberIdentity, revokeUserIdentity, sha256, signMemberToken, signToken, verifyCsrf, verifyMemberToken, verifyOAuthState, verifyPassword, verifyToken, verifyTokenFull };

package/dist/auth.js

@@ -9,6 +9,7 @@ import {
   fromArctic,
   getMemberFromTokenPayload,
   getOAuthProvider,
+  getUserById,
   hashPassword,
   invalidateAllMemberSessions,
   invalidateAllSessions,
@@ -37,14 +38,14 @@ import {
   verifyPassword,
   verifyToken,
   verifyTokenFull
-} from "./chunk-QYP6E5FP.js";
+} from "./chunk-6UV2P5MW.js";
 import {
   can
 } from "./chunk-EQ2Z3KMD.js";
 import "./chunk-ML2E3P3X.js";
-import "./chunk-74CGJJDY.js";
-import "./chunk-ZCINJSS4.js";
+import "./chunk-RKM4GDWM.js";
 import "./chunk-SBCVAC2Z.js";
+import "./chunk-ZCINJSS4.js";
 import "./chunk-OROPGO65.js";
 import "./chunk-NFHS7CFV.js";
 import "./chunk-XANPEOJC.js";
@@ -62,6 +63,7 @@ export {
   fromArctic,
   getMemberFromTokenPayload,
   getOAuthProvider,
+  getUserById,
   hashPassword,
   invalidateAllMemberSessions,
   invalidateAllSessions,

package/dist/{can-FKIEV54H.js → can-UJ2NAOIR.js}

@@ -3,10 +3,10 @@ import {
   isMemberBanned,
   memberCan,
   withMemberWrite
-} from "./chunk-PQBJWZ7D.js";
+} from "./chunk-RJ76SKWQ.js";
 import "./chunk-U4QCCLAW.js";
-import "./chunk-ZCINJSS4.js";
 import "./chunk-SBCVAC2Z.js";
+import "./chunk-ZCINJSS4.js";
 import "./chunk-XANPEOJC.js";
 import "./chunk-X7K5F2UI.js";
 import "./chunk-PZ5AY32C.js";
@@ -16,4 +16,4 @@ export {
   memberCan,
   withMemberWrite
 };
-//# sourceMappingURL=can-FKIEV54H.js.map
+//# sourceMappingURL=can-UJ2NAOIR.js.map

package/dist/{chunk-CHQJG4BB.js → chunk-2N53KKIL.js}

@@ -1,6 +1,6 @@
 import {
   getStorageAdapter
-} from "./chunk-DWG3RZH2.js";
+} from "./chunk-2VZZ7M26.js";
 import {
   getDb
 } from "./chunk-XANPEOJC.js";
@@ -38,4 +38,4 @@ async function getMediaUrl(id, options = {}) {
 export {
   getMediaUrl
 };
-//# sourceMappingURL=chunk-CHQJG4BB.js.map
+//# sourceMappingURL=chunk-2N53KKIL.js.map

package/dist/{chunk-DWG3RZH2.js → chunk-2VZZ7M26.js}

@@ -170,7 +170,7 @@ async function uploadMedia(file, uploader, folderId) {
   return { id, status: "processing" };
 }
 async function assertMemberUploadQuota(memberId, txDb) {
-  const { getCommunitySettings } = await import("./settings-JODDWMDB.js");
+  const { getCommunitySettings } = await import("./settings-OZWM6L2K.js");
   const { NpRateLimitError } = await import("./errors-5OS3S2J3.js");
   const settings = await getCommunitySettings();
   const { perDay, total } = settings.memberUploadQuota;
@@ -535,4 +535,4 @@ export {
   listMedia,
   cleanupDeletedMedia
 };
-//# sourceMappingURL=chunk-DWG3RZH2.js.map
+//# sourceMappingURL=chunk-2VZZ7M26.js.map

package/dist/{chunk-4EPNN4XG.js → chunk-54KUQF3S.js}

@@ -1,6 +1,6 @@
 import {
   runHook
-} from "./chunk-HTDDXBMY.js";
+} from "./chunk-ZA3IRJUQ.js";
 import {
   getAllCollectionSlugs,
   getCollectionConfig,
@@ -80,4 +80,4 @@ async function publishScheduledDocuments(atTime = /* @__PURE__ */ new Date()) {
 export {
   publishScheduledDocuments
 };
-//# sourceMappingURL=chunk-4EPNN4XG.js.map
+//# sourceMappingURL=chunk-54KUQF3S.js.map

package/dist/{chunk-QYP6E5FP.js → chunk-6UV2P5MW.js}

@@ -3,7 +3,7 @@ import {
 } from "./chunk-ML2E3P3X.js";
 import {
   getCommunitySettings
-} from "./chunk-74CGJJDY.js";
+} from "./chunk-RKM4GDWM.js";
 import {
   NpAuthError,
   NpForbiddenError,
@@ -65,6 +65,18 @@ function isTokenVerificationError(err) {
   return false;
 }
 
+// src/auth/users.ts
+import { eq } from "drizzle-orm";
+async function getUserById(id) {
+  const db = getDb();
+  const [user] = await db.select({
+    id: npUsers.id,
+    name: npUsers.name,
+    email: npUsers.email
+  }).from(npUsers).where(eq(npUsers.id, id)).limit(1);
+  return user ?? null;
+}
+
 // src/auth/password.ts
 import { hash, verify } from "@node-rs/argon2";
 var ARGON2_OPTIONS = {
@@ -122,7 +134,7 @@ function resetOAuthProviders() {
 }
 
 // src/auth/oauth-resolve.ts
-import { eq, and, sql } from "drizzle-orm";
+import { eq as eq2, and, sql } from "drizzle-orm";
 var SYNTHETIC_EMAIL_SUFFIX = ".oauth.local";
 function syntheticEmail(provider, providerUserId) {
   return `${providerUserId}@${provider}${SYNTHETIC_EMAIL_SUFFIX}`;
@@ -142,13 +154,13 @@ async function resolveOAuthLogin(input) {
     identityId: npUserOAuthIdentities.id
   }).from(npUserOAuthIdentities).where(
     and(
-      eq(npUserOAuthIdentities.provider, provider),
-      eq(npUserOAuthIdentities.providerUserId, profile.providerUserId)
+      eq2(npUserOAuthIdentities.provider, provider),
+      eq2(npUserOAuthIdentities.providerUserId, profile.providerUserId)
     )
   ).limit(1);
   if (existingLink) {
     const metadata = mergeMetadata(profile);
-    await db.update(npUserOAuthIdentities).set({ metadata, updatedAt: /* @__PURE__ */ new Date() }).where(eq(npUserOAuthIdentities.id, existingLink.identityId));
+    await db.update(npUserOAuthIdentities).set({ metadata, updatedAt: /* @__PURE__ */ new Date() }).where(eq2(npUserOAuthIdentities.id, existingLink.identityId));
     const user = await loadUser(db, existingLink.userId);
     return { user, created: false, linked: false };
   }
@@ -160,7 +172,7 @@ async function resolveOAuthLogin(input) {
       name: npUsers.name,
       role: npUsers.role,
       tokenVersion: npUsers.tokenVersion
-    }).from(npUsers).where(eq(sql`lower(${npUsers.email})`, normalizedEmail)).limit(1);
+    }).from(npUsers).where(eq2(sql`lower(${npUsers.email})`, normalizedEmail)).limit(1);
     if (existingUser) {
       await db.insert(npUserOAuthIdentities).values({
         userId: existingUser.id,
@@ -211,7 +223,7 @@ async function loadUser(db, userId) {
     name: npUsers.name,
     role: npUsers.role,
     tokenVersion: npUsers.tokenVersion
-  }).from(npUsers).where(eq(npUsers.id, userId)).limit(1);
+  }).from(npUsers).where(eq2(npUsers.id, userId)).limit(1);
   if (!row) {
     throw new Error(`User ${userId} referenced by oauth identity is missing`);
   }
@@ -219,7 +231,7 @@ async function loadUser(db, userId) {
 }
 
 // src/auth/oauth-resolve-member.ts
-import { and as and2, eq as eq2, sql as sql2 } from "drizzle-orm";
+import { and as and2, eq as eq3, sql as sql2 } from "drizzle-orm";
 var SYNTHETIC_EMAIL_SUFFIX2 = ".oauth.local";
 var HANDLE_FALLBACK = "user";
 var HANDLE_RANDOM_SUFFIX_BYTES = 4;
@@ -254,7 +266,7 @@ async function loadMember(db, memberId) {
     displayName: npMembers.displayName,
     status: npMembers.status,
     tokenVersion: npMembers.tokenVersion
-  }).from(npMembers).where(eq2(npMembers.id, memberId)).limit(1);
+  }).from(npMembers).where(eq3(npMembers.id, memberId)).limit(1);
   if (!row) {
     throw new Error(`Member ${memberId} referenced by oauth identity is missing`);
   }
@@ -265,12 +277,12 @@ async function resolveMemberOAuthLogin(input) {
   const { provider, profile } = input;
   const [existingLink] = await db.select({ memberId: npMemberIdentities.memberId, identityId: npMemberIdentities.id }).from(npMemberIdentities).where(
     and2(
-      eq2(npMemberIdentities.provider, provider),
-      eq2(npMemberIdentities.subject, profile.providerUserId)
+      eq3(npMemberIdentities.provider, provider),
+      eq3(npMemberIdentities.subject, profile.providerUserId)
     )
   ).limit(1);
   if (existingLink) {
-    await db.update(npMemberIdentities).set({ metadata: mergeMetadata2(profile), updatedAt: /* @__PURE__ */ new Date() }).where(eq2(npMemberIdentities.id, existingLink.identityId));
+    await db.update(npMemberIdentities).set({ metadata: mergeMetadata2(profile), updatedAt: /* @__PURE__ */ new Date() }).where(eq3(npMemberIdentities.id, existingLink.identityId));
     const member = await loadMember(db, existingLink.memberId);
     return { member, created: false, linked: false };
   }
@@ -283,7 +295,7 @@ async function resolveMemberOAuthLogin(input) {
       displayName: npMembers.displayName,
       status: npMembers.status,
       tokenVersion: npMembers.tokenVersion
-    }).from(npMembers).where(eq2(sql2`lower(${npMembers.email})`, normalizedEmail)).limit(1);
+    }).from(npMembers).where(eq3(sql2`lower(${npMembers.email})`, normalizedEmail)).limit(1);
     if (existingMember) {
       if (existingMember.status !== "active") {
         return { member: existingMember, created: false, linked: false };
@@ -409,7 +421,7 @@ function fromArctic(factory, opts) {
 
 // src/auth/session.ts
 import { webcrypto } from "crypto";
-import { eq as eq3, sql as sql3 } from "drizzle-orm";
+import { eq as eq4, sql as sql3 } from "drizzle-orm";
 async function sha256(input) {
   const digest = await webcrypto.subtle.digest(
     "SHA-256",
@@ -428,7 +440,7 @@ async function verifyTokenFull(token, secret, db, expectedUse = "access") {
     name: npUsers.name,
     role: npUsers.role,
     tokenVersion: npUsers.tokenVersion
-  }).from(npUsers).where(eq3(npUsers.id, payload.sub)).limit(1);
+  }).from(npUsers).where(eq4(npUsers.id, payload.sub)).limit(1);
   if (!user || user.tokenVersion !== payload.ver) {
     return null;
   }
@@ -438,47 +450,47 @@ async function invalidateAllSessions(userId, db) {
   await db.transaction(async (tx) => {
     await tx.update(npUsers).set({
       tokenVersion: sql3`${npUsers.tokenVersion} + 1`
-    }).where(eq3(npUsers.id, userId));
-    await tx.delete(npSessions).where(eq3(npSessions.userId, userId));
+    }).where(eq4(npUsers.id, userId));
+    await tx.delete(npSessions).where(eq4(npSessions.userId, userId));
   });
 }
 
 // src/auth/identities-admin.ts
-import { and as and3, desc, eq as eq4 } from "drizzle-orm";
+import { and as and3, desc, eq as eq5 } from "drizzle-orm";
 async function assertUserExists(userId) {
   const db = getDb();
-  const [row] = await db.select({ id: npUsers.id }).from(npUsers).where(eq4(npUsers.id, userId)).limit(1);
+  const [row] = await db.select({ id: npUsers.id }).from(npUsers).where(eq5(npUsers.id, userId)).limit(1);
   if (!row) throw new NpNotFoundError("user", userId);
 }
 async function assertMemberExists(memberId) {
   const db = getDb();
-  const [row] = await db.select({ id: npMembers.id }).from(npMembers).where(eq4(npMembers.id, memberId)).limit(1);
+  const [row] = await db.select({ id: npMembers.id }).from(npMembers).where(eq5(npMembers.id, memberId)).limit(1);
   if (!row) throw new NpNotFoundError("member", memberId);
 }
 async function listUserIdentities(userId) {
   await assertUserExists(userId);
   const db = getDb();
-  const rows = await db.select().from(npUserOAuthIdentities).where(eq4(npUserOAuthIdentities.userId, userId)).orderBy(desc(npUserOAuthIdentities.createdAt));
+  const rows = await db.select().from(npUserOAuthIdentities).where(eq5(npUserOAuthIdentities.userId, userId)).orderBy(desc(npUserOAuthIdentities.createdAt));
   return rows;
 }
 async function listMemberIdentities(memberId) {
   await assertMemberExists(memberId);
   const db = getDb();
-  const rows = await db.select().from(npMemberIdentities).where(eq4(npMemberIdentities.memberId, memberId)).orderBy(desc(npMemberIdentities.createdAt));
+  const rows = await db.select().from(npMemberIdentities).where(eq5(npMemberIdentities.memberId, memberId)).orderBy(desc(npMemberIdentities.createdAt));
   return rows;
 }
 async function revokeUserIdentity(userId, identityId, actor) {
   const db = getDb();
   const [existing] = await db.select().from(npUserOAuthIdentities).where(
     and3(
-      eq4(npUserOAuthIdentities.id, identityId),
-      eq4(npUserOAuthIdentities.userId, userId)
+      eq5(npUserOAuthIdentities.id, identityId),
+      eq5(npUserOAuthIdentities.userId, userId)
     )
   ).limit(1);
   if (!existing) {
     throw new NpNotFoundError("identity", identityId);
   }
-  const deleted = await db.delete(npUserOAuthIdentities).where(eq4(npUserOAuthIdentities.id, identityId)).returning({ id: npUserOAuthIdentities.id });
+  const deleted = await db.delete(npUserOAuthIdentities).where(eq5(npUserOAuthIdentities.id, identityId)).returning({ id: npUserOAuthIdentities.id });
   if (deleted.length === 0) return;
   await recordAuditEvent({
     actor: { kind: "staff", userId: actor.staffUserId },
@@ -496,12 +508,12 @@ async function revokeMemberIdentity(memberId, identityId, actor) {
   const db = getDb();
   const [existing] = await db.select().from(npMemberIdentities).where(
     and3(
-      eq4(npMemberIdentities.id, identityId),
-      eq4(npMemberIdentities.memberId, memberId)
+      eq5(npMemberIdentities.id, identityId),
+      eq5(npMemberIdentities.memberId, memberId)
     )
   ).limit(1);
   if (!existing) throw new NpNotFoundError("identity", identityId);
-  const deleted = await db.delete(npMemberIdentities).where(eq4(npMemberIdentities.id, identityId)).returning({ id: npMemberIdentities.id });
+  const deleted = await db.delete(npMemberIdentities).where(eq5(npMemberIdentities.id, identityId)).returning({ id: npMemberIdentities.id });
   if (deleted.length === 0) return;
   await recordAuditEvent({
     actor: { kind: "staff", userId: actor.staffUserId },
@@ -518,7 +530,7 @@ async function revokeMemberIdentity(memberId, identityId, actor) {
 
 // src/auth/reset-token.ts
 import { randomBytes as randomBytes3 } from "crypto";
-import { and as and4, eq as eq5, gt, isNotNull, sql as sql4 } from "drizzle-orm";
+import { and as and4, eq as eq6, gt, isNotNull, sql as sql4 } from "drizzle-orm";
 var MIN_PASSWORD_LENGTH = 8;
 function generateRawToken() {
   return randomBytes3(32).toString("hex");
@@ -532,7 +544,7 @@ async function createPasswordResetToken(db, options) {
     passwordResetExpiresAt: expiresAt,
     passwordResetPurpose: options.purpose,
     updatedAt: /* @__PURE__ */ new Date()
-  }).where(eq5(npUsers.id, options.userId));
+  }).where(eq6(npUsers.id, options.userId));
   return { token, expiresAt, purpose: options.purpose };
 }
 async function requestPasswordReset(db, email, ttlMs) {
@@ -541,7 +553,7 @@ async function requestPasswordReset(db, email, ttlMs) {
     id: npUsers.id,
     email: npUsers.email,
     name: npUsers.name
-  }).from(npUsers).where(eq5(npUsers.email, normalizedEmail)).limit(1);
+  }).from(npUsers).where(eq6(npUsers.email, normalizedEmail)).limit(1);
   if (!user) {
     return { userId: null, name: null, email: null, issued: null };
   }
@@ -574,7 +586,7 @@ async function consumePasswordResetToken(db, options) {
     purpose: npUsers.passwordResetPurpose
   }).from(npUsers).where(
     and4(
-      eq5(npUsers.passwordResetTokenHash, tokenHash),
+      eq6(npUsers.passwordResetTokenHash, tokenHash),
       isNotNull(npUsers.passwordResetExpiresAt),
       gt(npUsers.passwordResetExpiresAt, now)
     )
@@ -595,8 +607,8 @@ async function consumePasswordResetToken(db, options) {
       lockUntil: null,
       tokenVersion: sql4`${npUsers.tokenVersion} + 1`,
       updatedAt: /* @__PURE__ */ new Date()
-    }).where(eq5(npUsers.id, user.id));
-    await tx.delete(npSessions).where(eq5(npSessions.userId, user.id));
+    }).where(eq6(npUsers.id, user.id));
+    await tx.delete(npSessions).where(eq6(npSessions.userId, user.id));
   });
   return {
     userId: user.id,
@@ -631,7 +643,7 @@ async function verifyMemberToken(token, secret, expectedUse) {
 }
 
 // src/auth/member-session.ts
-import { and as and5, eq as eq6, gt as gt2, sql as sql5 } from "drizzle-orm";
+import { and as and5, eq as eq7, gt as gt2, sql as sql5 } from "drizzle-orm";
 async function getMemberFromTokenPayload(db, payload, accessToken) {
   const [row] = await db.select({
     id: npMembers.id,
@@ -640,7 +652,7 @@ async function getMemberFromTokenPayload(db, payload, accessToken) {
     displayName: npMembers.displayName,
     status: npMembers.status,
     tokenVersion: npMembers.tokenVersion
-  }).from(npMembers).where(eq6(npMembers.id, payload.sub)).limit(1);
+  }).from(npMembers).where(eq7(npMembers.id, payload.sub)).limit(1);
   if (!row) return null;
   if (row.tokenVersion !== payload.ver) return null;
   if (accessToken) {
@@ -648,8 +660,8 @@ async function getMemberFromTokenPayload(db, payload, accessToken) {
     const now = /* @__PURE__ */ new Date();
     const [session] = await db.select({ id: npMemberSessions.id }).from(npMemberSessions).where(
       and5(
-        eq6(npMemberSessions.memberId, row.id),
-        eq6(npMemberSessions.tokenHash, tokenHash),
+        eq7(npMemberSessions.memberId, row.id),
+        eq7(npMemberSessions.tokenHash, tokenHash),
         gt2(npMemberSessions.expiresAt, now)
       )
     ).limit(1);
@@ -662,14 +674,14 @@ async function invalidateAllMemberSessions(db, memberId) {
     await tx.update(npMembers).set({
       tokenVersion: sql5`${npMembers.tokenVersion} + 1`,
       updatedAt: /* @__PURE__ */ new Date()
-    }).where(eq6(npMembers.id, memberId));
-    await tx.delete(npMemberSessions).where(eq6(npMemberSessions.memberId, memberId));
+    }).where(eq7(npMembers.id, memberId));
+    await tx.delete(npMemberSessions).where(eq7(npMemberSessions.memberId, memberId));
   });
 }
 
 // src/auth/member-credentials.ts
 import { randomBytes as randomBytes5 } from "crypto";
-import { and as and6, eq as eq7, gt as gt3, isNotNull as isNotNull2, sql as sql6 } from "drizzle-orm";
+import { and as and6, eq as eq8, gt as gt3, isNotNull as isNotNull2, sql as sql6 } from "drizzle-orm";
 var MIN_PASSWORD_LENGTH2 = 8;
 function generateRawToken2() {
   return randomBytes5(32).toString("hex");
@@ -682,7 +694,7 @@ async function createMemberEmailVerifyToken(db, memberId, ttlMs) {
     emailVerifyTokenHash: tokenHash,
     emailVerifyExpiresAt: expiresAt,
     updatedAt: /* @__PURE__ */ new Date()
-  }).where(eq7(npMembers.id, memberId));
+  }).where(eq8(npMembers.id, memberId));
   return { token, expiresAt };
 }
 async function consumeMemberEmailVerifyToken(db, token) {
@@ -700,7 +712,7 @@ async function consumeMemberEmailVerifyToken(db, token) {
     displayName: npMembers.displayName
   }).from(npMembers).where(
     and6(
-      eq7(npMembers.emailVerifyTokenHash, tokenHash),
+      eq8(npMembers.emailVerifyTokenHash, tokenHash),
       isNotNull2(npMembers.emailVerifyExpiresAt),
       gt3(npMembers.emailVerifyExpiresAt, now)
     )
@@ -719,7 +731,7 @@ async function consumeMemberEmailVerifyToken(db, token) {
     emailVerifyTokenHash: null,
     emailVerifyExpiresAt: null,
     updatedAt: now
-  }).where(eq7(npMembers.id, member.id));
+  }).where(eq8(npMembers.id, member.id));
   return {
     memberId: member.id,
     email: member.email,
@@ -734,7 +746,7 @@ async function requestMemberPasswordReset(db, email, ttlMs) {
     email: npMembers.email,
     displayName: npMembers.displayName,
     status: npMembers.status
-  }).from(npMembers).where(eq7(npMembers.email, normalizedEmail)).limit(1);
+  }).from(npMembers).where(eq8(npMembers.email, normalizedEmail)).limit(1);
   if (!member || member.status === "deleted") {
     return { memberId: null, displayName: null, email: null, issued: null };
   }
@@ -745,7 +757,7 @@ async function requestMemberPasswordReset(db, email, ttlMs) {
     passwordResetTokenHash: tokenHash,
     passwordResetExpiresAt: expiresAt,
     updatedAt: /* @__PURE__ */ new Date()
-  }).where(eq7(npMembers.id, member.id));
+  }).where(eq8(npMembers.id, member.id));
   return {
     memberId: member.id,
     displayName: member.displayName,
@@ -771,7 +783,7 @@ async function consumeMemberPasswordReset(db, token, newPassword) {
   const now = /* @__PURE__ */ new Date();
   const [member] = await db.select({ id: npMembers.id, email: npMembers.email }).from(npMembers).where(
     and6(
-      eq7(npMembers.passwordResetTokenHash, tokenHash),
+      eq8(npMembers.passwordResetTokenHash, tokenHash),
       isNotNull2(npMembers.passwordResetExpiresAt),
       gt3(npMembers.passwordResetExpiresAt, now)
     )
@@ -796,8 +808,8 @@ async function consumeMemberPasswordReset(db, token, newPassword) {
       emailVerified: true,
       status: sql6`case when ${npMembers.status} = 'pending' then 'active' else ${npMembers.status} end`,
       updatedAt: /* @__PURE__ */ new Date()
-    }).where(eq7(npMembers.id, member.id));
-    await tx.delete(npMemberSessions).where(eq7(npMemberSessions.memberId, member.id));
+    }).where(eq8(npMembers.id, member.id));
+    await tx.delete(npMemberSessions).where(eq8(npMemberSessions.memberId, member.id));
   });
   return { memberId: member.id, email: member.email };
 }
@@ -810,6 +822,7 @@ export {
   signToken,
   verifyToken,
   isTokenVerificationError,
+  getUserById,
   ARGON2_OPTIONS,
   hashPassword,
   verifyPassword,
@@ -842,4 +855,4 @@ export {
   requestMemberPasswordReset,
   consumeMemberPasswordReset
 };
-//# sourceMappingURL=chunk-QYP6E5FP.js.map
+//# sourceMappingURL=chunk-6UV2P5MW.js.map