npm - @notionx/core - Versions diffs - 0.1.0 - Mend

@notionx/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/dist/admin/index.d.ts +137 -0
package/dist/admin/index.js +206 -0
package/dist/admin/index.js.map +1 -0
package/dist/admin/pages/index.d.ts +324 -0
package/dist/admin/pages/index.js +827 -0
package/dist/admin/pages/index.js.map +1 -0
package/dist/auth/auth-pages/forgot-password.d.ts +20 -0
package/dist/auth/auth-pages/forgot-password.js +70 -0
package/dist/auth/auth-pages/forgot-password.js.map +1 -0
package/dist/auth/auth-pages/index.d.ts +6 -0
package/dist/auth/auth-pages/index.js +342 -0
package/dist/auth/auth-pages/index.js.map +1 -0
package/dist/auth/auth-pages/login.d.ts +30 -0
package/dist/auth/auth-pages/login.js +125 -0
package/dist/auth/auth-pages/login.js.map +1 -0
package/dist/auth/auth-pages/register.d.ts +17 -0
package/dist/auth/auth-pages/register.js +81 -0
package/dist/auth/auth-pages/register.js.map +1 -0
package/dist/auth/auth-pages/reset-password.d.ts +18 -0
package/dist/auth/auth-pages/reset-password.js +72 -0
package/dist/auth/auth-pages/reset-password.js.map +1 -0
package/dist/auth/index.d.ts +72 -0
package/dist/auth/index.js +1011 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/passwords.d.ts +6 -0
package/dist/auth/passwords.js +79 -0
package/dist/auth/passwords.js.map +1 -0
package/dist/auth/rate-limit.d.ts +28 -0
package/dist/auth/rate-limit.js +245 -0
package/dist/auth/rate-limit.js.map +1 -0
package/dist/auth/routes/google-callback.d.ts +6 -0
package/dist/auth/routes/google-callback.js +404 -0
package/dist/auth/routes/google-callback.js.map +1 -0
package/dist/auth/routes/google.d.ts +6 -0
package/dist/auth/routes/google.js +250 -0
package/dist/auth/routes/google.js.map +1 -0
package/dist/auth/routes/index.d.ts +22 -0
package/dist/auth/routes/index.js +619 -0
package/dist/auth/routes/index.js.map +1 -0
package/dist/auth/routes/verify-email.d.ts +6 -0
package/dist/auth/routes/verify-email.js +317 -0
package/dist/auth/routes/verify-email.js.map +1 -0
package/dist/auth/routes/viewer.d.ts +6 -0
package/dist/auth/routes/viewer.js +372 -0
package/dist/auth/routes/viewer.js.map +1 -0
package/dist/auth/session.d.ts +9 -0
package/dist/auth/session.js +1 -0
package/dist/auth/session.js.map +1 -0
package/dist/auth/turnstile.d.ts +20 -0
package/dist/auth/turnstile.js +301 -0
package/dist/auth/turnstile.js.map +1 -0
package/dist/auth/user-session.d.ts +42 -0
package/dist/auth/user-session.js +419 -0
package/dist/auth/user-session.js.map +1 -0
package/dist/auth/users.d.ts +112 -0
package/dist/auth/users.js +558 -0
package/dist/auth/users.js.map +1 -0
package/dist/bootstrap-CN2g76M6.d.ts +67 -0
package/dist/cache/index.d.ts +6 -0
package/dist/cache/index.js +47 -0
package/dist/cache/index.js.map +1 -0
package/dist/content/admin-summary.d.ts +24 -0
package/dist/content/admin-summary.js +36 -0
package/dist/content/admin-summary.js.map +1 -0
package/dist/content/index.d.ts +9 -0
package/dist/content/index.js +473 -0
package/dist/content/index.js.map +1 -0
package/dist/content/models.d.ts +69 -0
package/dist/content/models.js +24 -0
package/dist/content/models.js.map +1 -0
package/dist/content/prewarm.d.ts +28 -0
package/dist/content/prewarm.js +56 -0
package/dist/content/prewarm.js.map +1 -0
package/dist/content/revalidate.d.ts +37 -0
package/dist/content/revalidate.js +170 -0
package/dist/content/revalidate.js.map +1 -0
package/dist/content/search-index.d.ts +54 -0
package/dist/content/search-index.js +172 -0
package/dist/content/search-index.js.map +1 -0
package/dist/content/search.d.ts +8 -0
package/dist/content/search.js +57 -0
package/dist/content/search.js.map +1 -0
package/dist/doctor/cli.d.ts +1 -0
package/dist/doctor/cli.js +360 -0
package/dist/doctor/cli.js.map +1 -0
package/dist/doctor/index.d.ts +139 -0
package/dist/doctor/index.js +289 -0
package/dist/doctor/index.js.map +1 -0
package/dist/email/index.d.ts +38 -0
package/dist/email/index.js +126 -0
package/dist/email/index.js.map +1 -0
package/dist/env-C5qu-0R-.d.ts +35 -0
package/dist/hooks/index.d.ts +2 -0
package/dist/hooks/index.js +1 -0
package/dist/hooks/index.js.map +1 -0
package/dist/i18n/index.d.ts +26 -0
package/dist/i18n/index.js +73 -0
package/dist/i18n/index.js.map +1 -0
package/dist/index.d.ts +8 -0
package/dist/index.js +1281 -0
package/dist/index.js.map +1 -0
package/dist/internal/admin/index.d.ts +75 -0
package/dist/internal/admin/index.js +365 -0
package/dist/internal/admin/index.js.map +1 -0
package/dist/media/index.d.ts +24 -0
package/dist/media/index.js +86 -0
package/dist/media/index.js.map +1 -0
package/dist/media/routes/index.d.ts +1 -0
package/dist/media/routes/index.js +585 -0
package/dist/media/routes/index.js.map +1 -0
package/dist/media/routes/notion-media.d.ts +19 -0
package/dist/media/routes/notion-media.js +588 -0
package/dist/media/routes/notion-media.js.map +1 -0
package/dist/middleware.d.ts +95 -0
package/dist/middleware.js +79 -0
package/dist/middleware.js.map +1 -0
package/dist/notion/block-text.d.ts +5 -0
package/dist/notion/block-text.js +37 -0
package/dist/notion/block-text.js.map +1 -0
package/dist/notion/blocks.d.ts +24 -0
package/dist/notion/blocks.js +46 -0
package/dist/notion/blocks.js.map +1 -0
package/dist/notion/client.d.ts +7 -0
package/dist/notion/client.js +13 -0
package/dist/notion/client.js.map +1 -0
package/dist/notion/config.d.ts +25 -0
package/dist/notion/config.js +147 -0
package/dist/notion/config.js.map +1 -0
package/dist/notion/content-cache.d.ts +45 -0
package/dist/notion/content-cache.js +166 -0
package/dist/notion/content-cache.js.map +1 -0
package/dist/notion/generic-source.d.ts +61 -0
package/dist/notion/generic-source.js +408 -0
package/dist/notion/generic-source.js.map +1 -0
package/dist/notion/index.d.ts +13 -0
package/dist/notion/index.js +1278 -0
package/dist/notion/index.js.map +1 -0
package/dist/notion/mappers.d.ts +1 -0
package/dist/notion/mappers.js +152 -0
package/dist/notion/mappers.js.map +1 -0
package/dist/notion/media.d.ts +22 -0
package/dist/notion/media.js +209 -0
package/dist/notion/media.js.map +1 -0
package/dist/notion/property-mappers.d.ts +24 -0
package/dist/notion/property-mappers.js +152 -0
package/dist/notion/property-mappers.js.map +1 -0
package/dist/notion/routes/index.d.ts +8 -0
package/dist/notion/routes/index.js +428 -0
package/dist/notion/routes/index.js.map +1 -0
package/dist/notion/routes/webhook.d.ts +98 -0
package/dist/notion/routes/webhook.js +428 -0
package/dist/notion/routes/webhook.js.map +1 -0
package/dist/notion/types.d.ts +152 -0
package/dist/notion/types.js +1 -0
package/dist/notion/types.js.map +1 -0
package/dist/notion/webhook.d.ts +83 -0
package/dist/notion/webhook.js +490 -0
package/dist/notion/webhook.js.map +1 -0
package/dist/platform/capabilities.d.ts +34 -0
package/dist/platform/capabilities.js +42 -0
package/dist/platform/capabilities.js.map +1 -0
package/dist/platform/current.d.ts +13 -0
package/dist/platform/current.js +181 -0
package/dist/platform/current.js.map +1 -0
package/dist/platform/index.d.ts +5 -0
package/dist/platform/index.js +269 -0
package/dist/platform/index.js.map +1 -0
package/dist/platform/runtime.d.ts +118 -0
package/dist/platform/runtime.js +160 -0
package/dist/platform/runtime.js.map +1 -0
package/dist/platform/selection.d.ts +10 -0
package/dist/platform/selection.js +22 -0
package/dist/platform/selection.js.map +1 -0
package/dist/storage/index.d.ts +17 -0
package/dist/storage/index.js +218 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/routes/cdn.d.ts +19 -0
package/dist/storage/routes/cdn.js +289 -0
package/dist/storage/routes/cdn.js.map +1 -0
package/dist/storage/routes/files.d.ts +27 -0
package/dist/storage/routes/files.js +216 -0
package/dist/storage/routes/files.js.map +1 -0
package/dist/storage/routes/index.d.ts +2 -0
package/dist/storage/routes/index.js +352 -0
package/dist/storage/routes/index.js.map +1 -0
package/dist/types-BsAcZSNX.d.ts +94 -0
package/dist/types.d.ts +78 -0
package/dist/types.js +1 -0
package/dist/types.js.map +1 -0
package/dist/util/index.d.ts +18 -0
package/dist/util/index.js +48 -0
package/dist/util/index.js.map +1 -0
package/dist/worker/index.d.ts +6 -0
package/dist/worker/index.js +1026 -0
package/dist/worker/index.js.map +1 -0
package/dist/worker/routes/content-prewarm.d.ts +34 -0
package/dist/worker/routes/content-prewarm.js +38 -0
package/dist/worker/routes/content-prewarm.js.map +1 -0
package/dist/worker/routes/content-revalidate.d.ts +81 -0
package/dist/worker/routes/content-revalidate.js +64 -0
package/dist/worker/routes/content-revalidate.js.map +1 -0
package/dist/worker/routes/health.d.ts +14 -0
package/dist/worker/routes/health.js +278 -0
package/dist/worker/routes/health.js.map +1 -0
package/dist/worker/routes/index.d.ts +6 -0
package/dist/worker/routes/index.js +373 -0
package/dist/worker/routes/index.js.map +1 -0
package/package.json +124 -0

package/dist/auth/routes/index.js ADDED Viewed

@@ -0,0 +1,619 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+// src/auth/routes/google.ts
+import { NextResponse } from "next/server";
+// src/internal/admin/settings.ts
+import { cache } from "react";
+// src/util/env.ts
+import { env } from "cloudflare:workers";
+var workerEnv = env;
+// src/platform/runtime.ts
+function cacheRequestForKey(key) {
+  return new Request(key, { method: "GET" });
+}
+function createCloudflarePublicCacheAdapter(cache2) {
+  return {
+    kind: "cloudflare-cache",
+    async match(key) {
+      return await cache2.match(cacheRequestForKey(key)) ?? null;
+    },
+    put(key, response) {
+      return cache2.put(cacheRequestForKey(key), response);
+    },
+    delete(key) {
+      return cache2.delete(cacheRequestForKey(key));
+    }
+  };
+}
+function createCloudflareKeyValueCacheAdapter(namespace) {
+  return {
+    kind: "workers-kv",
+    async get(key, options) {
+      return await namespace.get(key, {
+        type: "json",
+        cacheTtl: options?.cacheTtl
+      });
+    },
+    async put(key, value, options) {
+      await namespace.put(key, JSON.stringify(value), {
+        expirationTtl: options?.expirationTtl,
+        metadata: options?.metadata
+      });
+    },
+    delete(key) {
+      return namespace.delete(key);
+    },
+    async list(options) {
+      const result = await namespace.list({
+        prefix: options?.prefix,
+        limit: options?.limit,
+        cursor: options?.cursor
+      });
+      return {
+        keys: result.keys.map((key) => ({ name: key.name })),
+        cursor: result.list_complete ? void 0 : result.cursor,
+        listComplete: result.list_complete
+      };
+    }
+  };
+}
+function r2ObjectToStoredObject(object) {
+  return {
+    body: object.body,
+    size: object.size,
+    etag: object.etag,
+    contentType: object.httpMetadata?.contentType
+  };
+}
+function createCloudflareRuntimePlatform(env2, options) {
+  const database = env2.DB ? {
+    kind: "d1",
+    prepare(query) {
+      return env2.DB.prepare(query);
+    },
+    async batch(statements) {
+      return await env2.DB.batch(
+        statements
+      );
+    }
+  } : null;
+  const objectStorage = env2.ASSETS_BUCKET ? {
+    kind: "r2",
+    async get(key) {
+      const object = await env2.ASSETS_BUCKET?.get(key);
+      return object ? r2ObjectToStoredObject(object) : null;
+    },
+    async put(key, value, options2) {
+      await env2.ASSETS_BUCKET?.put(key, value, {
+        httpMetadata: {
+          contentType: options2?.contentType,
+          cacheControl: options2?.cacheControl
+        },
+        customMetadata: options2?.metadata
+      });
+    },
+    async delete(key) {
+      await env2.ASSETS_BUCKET?.delete(key);
+    },
+    async list(options2) {
+      const listed = await env2.ASSETS_BUCKET?.list({
+        prefix: options2?.prefix,
+        limit: options2?.limit
+      });
+      return listed?.objects.map((object) => ({
+        key: object.key,
+        size: object.size,
+        uploaded: object.uploaded
+      })) ?? [];
+    }
+  } : null;
+  const imageTransformer = env2.IMAGES ? {
+    kind: "cloudflare-images",
+    async transform(body, options2) {
+      const result = await env2.IMAGES.input(body).transform(options2.width ? { width: options2.width } : {}).output({
+        format: options2.format,
+        quality: options2.quality
+      });
+      return {
+        body: result.image(),
+        contentType: result.contentType(),
+        response: () => result.response()
+      };
+    }
+  } : null;
+  const keyValueCache = env2.CONTENT_CACHE ? createCloudflareKeyValueCacheAdapter(env2.CONTENT_CACHE) : null;
+  return {
+    id: "cloudflare-workers",
+    database,
+    objectStorage,
+    imageTransformer,
+    keyValueCache,
+    publicCache: options?.publicCache ? createCloudflarePublicCacheAdapter(options.publicCache) : null
+  };
+}
+// src/platform/cloudflare-runtime.ts
+function getDefaultCloudflareCache() {
+  const globalWithCaches = globalThis;
+  return globalWithCaches.caches?.default ?? null;
+}
+function getRuntimePlatform() {
+  return createCloudflareRuntimePlatform(workerEnv, {
+    publicCache: getDefaultCloudflareCache()
+  });
+}
+// src/platform/current.ts
+function getRuntimePlatform2() {
+  return getRuntimePlatform();
+}
+function getDatabase() {
+  const platform = getRuntimePlatform2();
+  const database = platform.database;
+  if (!database) {
+    throw new Error(`SQL database adapter not configured for ${platform.id}`);
+  }
+  return database;
+}
+// src/internal/admin/settings.ts
+var DEFAULT_ADMIN_EMAIL = "zhaofilms@gmail.com";
+function rowToSettings(r) {
+  return {
+    site_title: r.site_title,
+    google_enabled: r.google_enabled === 1 ? 1 : 0,
+    google_client_id: r.google_client_id,
+    google_client_secret: r.google_client_secret,
+    google_updated_at: r.google_updated_at,
+    turnstile_enabled: r.turnstile_enabled === 1 ? 1 : 0,
+    turnstile_site_key: r.turnstile_site_key,
+    turnstile_updated_at: r.turnstile_updated_at,
+    admin_email: r.admin_email,
+    updated_at: r.updated_at
+  };
+}
+var getAppSettingsCached = cache(async () => {
+  const row = await getDatabase().prepare(
+    `SELECT site_title, google_enabled, google_client_id, google_client_secret,
+            google_updated_at, turnstile_enabled, turnstile_site_key,
+            turnstile_updated_at, admin_email, updated_at
+       FROM app_settings WHERE id = 1`
+  ).first();
+  if (!row) {
+    return {
+      site_title: "vinext Blog",
+      google_enabled: 0,
+      google_client_id: null,
+      google_client_secret: null,
+      google_updated_at: null,
+      turnstile_enabled: 0,
+      turnstile_site_key: null,
+      turnstile_updated_at: null,
+      admin_email: DEFAULT_ADMIN_EMAIL,
+      updated_at: ""
+    };
+  }
+  return rowToSettings(row);
+});
+async function getAppSettings() {
+  return getAppSettingsCached();
+}
+async function getGoogleOAuthConfig() {
+  const s = await getAppSettings();
+  if (!s.google_enabled) return null;
+  if (!s.google_client_id || !s.google_client_secret) return null;
+  return {
+    enabled: true,
+    clientId: s.google_client_id,
+    clientSecret: s.google_client_secret
+  };
+}
+// src/auth/routes/google.ts
+var STATE_COOKIE = "vinext_oauth_state";
+async function GET(request) {
+  const config = await getGoogleOAuthConfig();
+  if (!config) {
+    return new NextResponse(
+      "Google OAuth not configured. Enable it in admin /admin/settings.",
+      { status: 503 }
+    );
+  }
+  const state = [...crypto.getRandomValues(new Uint8Array(24))].map((b) => b.toString(16).padStart(2, "0")).join("");
+  const url = new URL(request.url);
+  const origin = `${url.protocol}//${url.host}`;
+  const redirectUri = `${origin}/api/auth/google/callback`;
+  const googleAuthUrl = new URL("https://accounts.google.com/o/oauth2/v2/auth");
+  googleAuthUrl.searchParams.set("client_id", config.clientId);
+  googleAuthUrl.searchParams.set("redirect_uri", redirectUri);
+  googleAuthUrl.searchParams.set("response_type", "code");
+  googleAuthUrl.searchParams.set("scope", "openid email profile");
+  googleAuthUrl.searchParams.set("state", state);
+  googleAuthUrl.searchParams.set("access_type", "offline");
+  googleAuthUrl.searchParams.set("prompt", "consent");
+  const res = NextResponse.redirect(googleAuthUrl.toString());
+  res.cookies.set(STATE_COOKIE, state, {
+    httpOnly: true,
+    secure: url.protocol === "https:",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 600
+  });
+  return res;
+}
+// src/auth/routes/google-callback.ts
+import { NextResponse as NextResponse2 } from "next/server";
+import { cookies as cookies2 } from "next/headers";
+// src/internal/admin/admin.ts
+function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+async function isAdminEmail(email) {
+  if (!email) return false;
+  const settings = await getAppSettings();
+  return normalizeEmail(email) === normalizeEmail(settings.admin_email);
+}
+// src/auth/users.ts
+function normalizeEmail2(email) {
+  return email.trim().toLowerCase();
+}
+async function defaultRoleFor(email) {
+  return await isAdminEmail(email) ? "admin" : "user";
+}
+function userToSession(user) {
+  return {
+    uid: user.id,
+    email: user.email,
+    name: user.name,
+    picture: user.picture,
+    rev: user.session_rev ?? 0
+  };
+}
+async function upsertGoogleUser(input) {
+  const db = getDatabase();
+  const email = normalizeEmail2(input.email);
+  const existing = await db.prepare(
+    `SELECT * FROM users WHERE google_sub = ? OR email = ? LIMIT 1`
+  ).bind(input.googleSub, email).first();
+  if (existing) {
+    await db.prepare(
+      `UPDATE users
+       SET email = ?, name = ?, picture = ?, google_sub = ?, email_verified = 1,
+           email_verify_token = NULL, email_verify_expires_at = NULL,
+           last_seen_at = datetime('now')
+       WHERE id = ?`
+    ).bind(email, input.name, input.picture, input.googleSub, existing.id).run();
+  } else {
+    const role = await defaultRoleFor(email);
+    await db.prepare(
+      `INSERT INTO users (
+        email, name, picture, google_sub, email_verified, role, last_seen_at
+      ) VALUES (?, ?, ?, ?, 1, ?, datetime('now'))`
+    ).bind(email, input.name, input.picture, input.googleSub, role).run();
+  }
+  if (await isAdminEmail(email)) {
+    await db.prepare(
+      `UPDATE users SET role = 'admin' WHERE email = ?`
+    ).bind(email).run();
+  }
+  const user = await getUserByEmail(email);
+  if (!user) throw new Error("User upsert failed");
+  return user;
+}
+async function verifyEmailUser(token) {
+  const user = await getDatabase().prepare(
+    `SELECT * FROM users WHERE email_verify_token = ?`
+  ).bind(token).first();
+  if (!user || !user.email_verify_expires_at) return null;
+  if (new Date(user.email_verify_expires_at).getTime() < Date.now()) {
+    return null;
+  }
+  await getDatabase().prepare(
+    `UPDATE users
+     SET email_verified = 1,
+         email_verify_token = NULL,
+         email_verify_expires_at = NULL,
+         last_seen_at = datetime('now')
+     WHERE id = ?`
+  ).bind(user.id).run();
+  return getUserByEmail(user.email);
+}
+async function getUserByEmail(email) {
+  return await getDatabase().prepare(`SELECT * FROM users WHERE email = ?`).bind(normalizeEmail2(email)).first();
+}
+async function getUserById(id) {
+  return await getDatabase().prepare(`SELECT * FROM users WHERE id = ?`).bind(id).first();
+}
+// src/auth/user-session.ts
+import { cookies } from "next/headers";
+var SESSION_TTL_SECONDS = 60 * 60 * 24 * 7;
+var USER_COOKIE_NAME = "vinext_user_session";
+var ADMIN_COOKIE_NAME = "vinext_admin_session";
+var USER_COOKIE = USER_COOKIE_NAME;
+function getAdminPassword() {
+  let fromWorker;
+  try {
+    const mod = __require("cloudflare:workers");
+    fromWorker = mod.env?.ADMIN_PASSWORD;
+  } catch {
+    fromWorker = void 0;
+  }
+  if (fromWorker) return fromWorker;
+  return process.env.ADMIN_PASSWORD ?? "vinext-admin-2026";
+}
+async function hmac(secret, message) {
+  const enc = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(message));
+  return [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function constantTimeEqual(a, b) {
+  const aBytes = new TextEncoder().encode(a);
+  const bBytes = new TextEncoder().encode(b);
+  if (aBytes.length !== bBytes.length) return false;
+  let diff = 0;
+  for (let i = 0; i < aBytes.length; i++) {
+    diff |= aBytes[i] ^ bBytes[i];
+  }
+  return diff === 0;
+}
+async function signPayload(payload) {
+  return hmac(getAdminPassword(), payload);
+}
+function utf8ToBase64(s) {
+  const bytes = new TextEncoder().encode(s);
+  let bin = "";
+  for (const b of bytes) bin += String.fromCharCode(b);
+  return btoa(bin);
+}
+function base64ToUtf8(b64) {
+  const bin = atob(b64);
+  const bytes = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+  return new TextDecoder().decode(bytes);
+}
+async function signUserToken(user) {
+  const exp = Math.floor(Date.now() / 1e3) + SESSION_TTL_SECONDS;
+  const payload = { ...user, exp };
+  const json = JSON.stringify(payload);
+  const b64 = utf8ToBase64(json);
+  const sig = await signPayload(b64);
+  return `${b64}.${sig}`;
+}
+async function verifyUserToken(token) {
+  if (!token) return null;
+  const parts = token.split(".");
+  if (parts.length !== 2) return null;
+  const [b64, sig] = parts;
+  const expected = await signPayload(b64);
+  if (!await constantTimeEqual(sig, expected)) return null;
+  try {
+    const json = base64ToUtf8(b64);
+    const payload = JSON.parse(json);
+    if (payload.exp < Math.floor(Date.now() / 1e3)) return null;
+    const dbUser = await getUserById(payload.uid);
+    if (!dbUser) return null;
+    if (dbUser.email !== payload.email) return null;
+    const tokenRev = payload.rev ?? 0;
+    const dbRev = dbUser.session_rev ?? 0;
+    if (tokenRev !== dbRev) return null;
+    return {
+      uid: payload.uid,
+      email: payload.email,
+      name: payload.name,
+      picture: payload.picture,
+      rev: dbRev
+    };
+  } catch {
+    return null;
+  }
+}
+async function verifyAdminToken(token) {
+  if (!token) return false;
+  const parts = token.split(".");
+  if (parts.length !== 3) return false;
+  const [flag, expStr, sig] = parts;
+  if (flag !== "ok") return false;
+  const exp = Number(expStr);
+  if (!Number.isFinite(exp) || exp < Math.floor(Date.now() / 1e3)) return false;
+  const password = getAdminPassword();
+  const expected = await hmac(password, `${flag}.${exp}`);
+  return constantTimeEqual(sig, expected);
+}
+function getAdminEmailFromEnv() {
+  let fromWorker;
+  try {
+    const mod = __require("cloudflare:workers");
+    fromWorker = mod.env?.ADMIN_EMAIL;
+  } catch {
+    fromWorker = void 0;
+  }
+  return (fromWorker || "zhaofilms@gmail.com").toLowerCase();
+}
+async function getAuthViewer() {
+  const jar = await cookies();
+  if (await verifyAdminToken(jar.get(ADMIN_COOKIE_NAME)?.value)) {
+    return {
+      email: getAdminEmailFromEnv(),
+      user: null,
+      role: "admin",
+      isAdmin: true,
+      isVip: true,
+      canViewVipContent: true
+    };
+  }
+  const user = await verifyUserToken(jar.get(USER_COOKIE_NAME)?.value);
+  if (!user) return null;
+  const dbUser = await getUserById(user.uid);
+  if (!dbUser) return null;
+  const role = dbUser.role === "admin" || dbUser.role === "vip" ? dbUser.role : "user";
+  const isAdmin = role === "admin";
+  const isVip = role === "vip" || isAdmin;
+  return {
+    email: user.email,
+    user,
+    role,
+    isAdmin,
+    isVip,
+    canViewVipContent: isVip
+  };
+}
+// src/auth/routes/google-callback.ts
+var STATE_COOKIE2 = "vinext_oauth_state";
+async function GET2(request) {
+  const config = await getGoogleOAuthConfig();
+  if (!config) {
+    return new NextResponse2("Google OAuth not configured", { status: 503 });
+  }
+  const url = new URL(request.url);
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const error = url.searchParams.get("error");
+  if (error) {
+    return new NextResponse2(`Google OAuth error: ${error}`, { status: 400 });
+  }
+  if (!code || !state) {
+    return new NextResponse2("Missing code or state", { status: 400 });
+  }
+  const jar = await cookies2();
+  const savedState = jar.get(STATE_COOKIE2)?.value;
+  if (!savedState || savedState !== state) {
+    return new NextResponse2("Invalid state (CSRF protection)", { status: 400 });
+  }
+  const origin = `${url.protocol}//${url.host}`;
+  const redirectUri = `${origin}/api/auth/google/callback`;
+  try {
+    const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "content-type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        code,
+        client_id: config.clientId,
+        client_secret: config.clientSecret,
+        redirect_uri: redirectUri,
+        grant_type: "authorization_code"
+      })
+    });
+    if (!tokenRes.ok) {
+      const t = await tokenRes.text();
+      throw new Error(`Token exchange failed: ${tokenRes.status} ${t}`);
+    }
+    const tokens = await tokenRes.json();
+    const userRes = await fetch("https://www.googleapis.com/oauth2/v2/userinfo", {
+      headers: { Authorization: `Bearer ${tokens.access_token}` }
+    });
+    if (!userRes.ok) throw new Error("Failed to fetch user info");
+    const profile = await userRes.json();
+    if (!profile.verified_email) {
+      return new NextResponse2("Google email not verified", { status: 403 });
+    }
+    const user = await upsertGoogleUser({
+      email: profile.email,
+      name: profile.name,
+      picture: profile.picture,
+      googleSub: profile.id
+    });
+    const token = await signUserToken(userToSession(user));
+    const res = NextResponse2.redirect(`${origin}/admin`);
+    res.cookies.set(USER_COOKIE, token, {
+      httpOnly: true,
+      secure: url.protocol === "https:",
+      sameSite: "lax",
+      path: "/",
+      maxAge: 60 * 60 * 24 * 7
+    });
+    res.cookies.set(STATE_COOKIE2, "", { path: "/", maxAge: 0 });
+    return res;
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    return new NextResponse2(`OAuth callback error: ${msg}`, { status: 500 });
+  }
+}
+// src/auth/routes/verify-email.ts
+import { NextResponse as NextResponse3 } from "next/server";
+async function GET3(request) {
+  const url = new URL(request.url);
+  const token = url.searchParams.get("token");
+  if (!token) {
+    return NextResponse3.redirect(new URL("/login?verifyError=invalid", url));
+  }
+  const user = await verifyEmailUser(token);
+  if (!user) {
+    return NextResponse3.redirect(new URL("/login?verifyError=invalid", url));
+  }
+  const sessionToken = await signUserToken(userToSession(user));
+  const res = NextResponse3.redirect(new URL("/admin?verified=1", url));
+  res.cookies.set(USER_COOKIE, sessionToken, {
+    httpOnly: true,
+    secure: url.protocol === "https:",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 7
+  });
+  return res;
+}
+// src/auth/routes/viewer.ts
+import { NextResponse as NextResponse4 } from "next/server";
+function jsonResponse(body, init) {
+  const headers = new Headers(init?.headers);
+  headers.set("Cache-Control", "no-store");
+  return NextResponse4.json(body, { ...init, headers });
+}
+async function GET4() {
+  const viewer = await getAuthViewer();
+  if (!viewer) {
+    return jsonResponse(
+      { ok: false, reason: "unauthenticated" },
+      { status: 401 }
+    );
+  }
+  return jsonResponse({
+    ok: true,
+    email: viewer.email,
+    role: viewer.role,
+    isAdmin: viewer.isAdmin,
+    isVip: viewer.isVip,
+    canViewVipContent: viewer.canViewVipContent,
+    user: viewer.user ? {
+      name: viewer.user.name,
+      picture: viewer.user.picture
+    } : null
+  });
+}
+// src/auth/routes/index.ts
+var authRoutes = {
+  "/api/auth/google": { GET: "./google" },
+  "/api/auth/google/callback": { GET: "./google-callback" },
+  "/api/auth/verify-email": { GET: "./verify-email" },
+  "/api/auth/viewer": { GET: "./viewer" }
+};
+export {
+  authRoutes,
+  GET2 as googleCallbackGET,
+  GET as googleGET,
+  GET3 as verifyEmailGET,
+  GET4 as viewerGET
+};
+//# sourceMappingURL=index.js.map