@notionx/core 0.1.0
- package/dist/admin/index.d.ts +137 -0
- package/dist/admin/index.js +206 -0
- package/dist/admin/index.js.map +1 -0
- package/dist/admin/pages/index.d.ts +324 -0
- package/dist/admin/pages/index.js +827 -0
- package/dist/admin/pages/index.js.map +1 -0
- package/dist/auth/auth-pages/forgot-password.d.ts +20 -0
- package/dist/auth/auth-pages/forgot-password.js +70 -0
- package/dist/auth/auth-pages/forgot-password.js.map +1 -0
- package/dist/auth/auth-pages/index.d.ts +6 -0
- package/dist/auth/auth-pages/index.js +342 -0
- package/dist/auth/auth-pages/index.js.map +1 -0
- package/dist/auth/auth-pages/login.d.ts +30 -0
- package/dist/auth/auth-pages/login.js +125 -0
- package/dist/auth/auth-pages/login.js.map +1 -0
- package/dist/auth/auth-pages/register.d.ts +17 -0
- package/dist/auth/auth-pages/register.js +81 -0
- package/dist/auth/auth-pages/register.js.map +1 -0
- package/dist/auth/auth-pages/reset-password.d.ts +18 -0
- package/dist/auth/auth-pages/reset-password.js +72 -0
- package/dist/auth/auth-pages/reset-password.js.map +1 -0
- package/dist/auth/index.d.ts +72 -0
- package/dist/auth/index.js +1011 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/passwords.d.ts +6 -0
- package/dist/auth/passwords.js +79 -0
- package/dist/auth/passwords.js.map +1 -0
- package/dist/auth/rate-limit.d.ts +28 -0
- package/dist/auth/rate-limit.js +245 -0
- package/dist/auth/rate-limit.js.map +1 -0
- package/dist/auth/routes/google-callback.d.ts +6 -0
- package/dist/auth/routes/google-callback.js +404 -0
- package/dist/auth/routes/google-callback.js.map +1 -0
- package/dist/auth/routes/google.d.ts +6 -0
- package/dist/auth/routes/google.js +250 -0
- package/dist/auth/routes/google.js.map +1 -0
- package/dist/auth/routes/index.d.ts +22 -0
- package/dist/auth/routes/index.js +619 -0
- package/dist/auth/routes/index.js.map +1 -0
- package/dist/auth/routes/verify-email.d.ts +6 -0
- package/dist/auth/routes/verify-email.js +317 -0
- package/dist/auth/routes/verify-email.js.map +1 -0
- package/dist/auth/routes/viewer.d.ts +6 -0
- package/dist/auth/routes/viewer.js +372 -0
- package/dist/auth/routes/viewer.js.map +1 -0
- package/dist/auth/session.d.ts +9 -0
- package/dist/auth/session.js +1 -0
- package/dist/auth/session.js.map +1 -0
- package/dist/auth/turnstile.d.ts +20 -0
- package/dist/auth/turnstile.js +301 -0
- package/dist/auth/turnstile.js.map +1 -0
- package/dist/auth/user-session.d.ts +42 -0
- package/dist/auth/user-session.js +419 -0
- package/dist/auth/user-session.js.map +1 -0
- package/dist/auth/users.d.ts +112 -0
- package/dist/auth/users.js +558 -0
- package/dist/auth/users.js.map +1 -0
- package/dist/bootstrap-CN2g76M6.d.ts +67 -0
- package/dist/cache/index.d.ts +6 -0
- package/dist/cache/index.js +47 -0
- package/dist/cache/index.js.map +1 -0
- package/dist/content/admin-summary.d.ts +24 -0
- package/dist/content/admin-summary.js +36 -0
- package/dist/content/admin-summary.js.map +1 -0
- package/dist/content/index.d.ts +9 -0
- package/dist/content/index.js +473 -0
- package/dist/content/index.js.map +1 -0
- package/dist/content/models.d.ts +69 -0
- package/dist/content/models.js +24 -0
- package/dist/content/models.js.map +1 -0
- package/dist/content/prewarm.d.ts +28 -0
- package/dist/content/prewarm.js +56 -0
- package/dist/content/prewarm.js.map +1 -0
- package/dist/content/revalidate.d.ts +37 -0
- package/dist/content/revalidate.js +170 -0
- package/dist/content/revalidate.js.map +1 -0
- package/dist/content/search-index.d.ts +54 -0
- package/dist/content/search-index.js +172 -0
- package/dist/content/search-index.js.map +1 -0
- package/dist/content/search.d.ts +8 -0
- package/dist/content/search.js +57 -0
- package/dist/content/search.js.map +1 -0
- package/dist/doctor/cli.d.ts +1 -0
- package/dist/doctor/cli.js +360 -0
- package/dist/doctor/cli.js.map +1 -0
- package/dist/doctor/index.d.ts +139 -0
- package/dist/doctor/index.js +289 -0
- package/dist/doctor/index.js.map +1 -0
- package/dist/email/index.d.ts +38 -0
- package/dist/email/index.js +126 -0
- package/dist/email/index.js.map +1 -0
- package/dist/env-C5qu-0R-.d.ts +35 -0
- package/dist/hooks/index.d.ts +2 -0
- package/dist/hooks/index.js +1 -0
- package/dist/hooks/index.js.map +1 -0
- package/dist/i18n/index.d.ts +26 -0
- package/dist/i18n/index.js +73 -0
- package/dist/i18n/index.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.js +1281 -0
- package/dist/index.js.map +1 -0
- package/dist/internal/admin/index.d.ts +75 -0
- package/dist/internal/admin/index.js +365 -0
- package/dist/internal/admin/index.js.map +1 -0
- package/dist/media/index.d.ts +24 -0
- package/dist/media/index.js +86 -0
- package/dist/media/index.js.map +1 -0
- package/dist/media/routes/index.d.ts +1 -0
- package/dist/media/routes/index.js +585 -0
- package/dist/media/routes/index.js.map +1 -0
- package/dist/media/routes/notion-media.d.ts +19 -0
- package/dist/media/routes/notion-media.js +588 -0
- package/dist/media/routes/notion-media.js.map +1 -0
- package/dist/middleware.d.ts +95 -0
- package/dist/middleware.js +79 -0
- package/dist/middleware.js.map +1 -0
- package/dist/notion/block-text.d.ts +5 -0
- package/dist/notion/block-text.js +37 -0
- package/dist/notion/block-text.js.map +1 -0
- package/dist/notion/blocks.d.ts +24 -0
- package/dist/notion/blocks.js +46 -0
- package/dist/notion/blocks.js.map +1 -0
- package/dist/notion/client.d.ts +7 -0
- package/dist/notion/client.js +13 -0
- package/dist/notion/client.js.map +1 -0
- package/dist/notion/config.d.ts +25 -0
- package/dist/notion/config.js +147 -0
- package/dist/notion/config.js.map +1 -0
- package/dist/notion/content-cache.d.ts +45 -0
- package/dist/notion/content-cache.js +166 -0
- package/dist/notion/content-cache.js.map +1 -0
- package/dist/notion/generic-source.d.ts +61 -0
- package/dist/notion/generic-source.js +408 -0
- package/dist/notion/generic-source.js.map +1 -0
- package/dist/notion/index.d.ts +13 -0
- package/dist/notion/index.js +1278 -0
- package/dist/notion/index.js.map +1 -0
- package/dist/notion/mappers.d.ts +1 -0
- package/dist/notion/mappers.js +152 -0
- package/dist/notion/mappers.js.map +1 -0
- package/dist/notion/media.d.ts +22 -0
- package/dist/notion/media.js +209 -0
- package/dist/notion/media.js.map +1 -0
- package/dist/notion/property-mappers.d.ts +24 -0
- package/dist/notion/property-mappers.js +152 -0
- package/dist/notion/property-mappers.js.map +1 -0
- package/dist/notion/routes/index.d.ts +8 -0
- package/dist/notion/routes/index.js +428 -0
- package/dist/notion/routes/index.js.map +1 -0
- package/dist/notion/routes/webhook.d.ts +98 -0
- package/dist/notion/routes/webhook.js +428 -0
- package/dist/notion/routes/webhook.js.map +1 -0
- package/dist/notion/types.d.ts +152 -0
- package/dist/notion/types.js +1 -0
- package/dist/notion/types.js.map +1 -0
- package/dist/notion/webhook.d.ts +83 -0
- package/dist/notion/webhook.js +490 -0
- package/dist/notion/webhook.js.map +1 -0
- package/dist/platform/capabilities.d.ts +34 -0
- package/dist/platform/capabilities.js +42 -0
- package/dist/platform/capabilities.js.map +1 -0
- package/dist/platform/current.d.ts +13 -0
- package/dist/platform/current.js +181 -0
- package/dist/platform/current.js.map +1 -0
- package/dist/platform/index.d.ts +5 -0
- package/dist/platform/index.js +269 -0
- package/dist/platform/index.js.map +1 -0
- package/dist/platform/runtime.d.ts +118 -0
- package/dist/platform/runtime.js +160 -0
- package/dist/platform/runtime.js.map +1 -0
- package/dist/platform/selection.d.ts +10 -0
- package/dist/platform/selection.js +22 -0
- package/dist/platform/selection.js.map +1 -0
- package/dist/storage/index.d.ts +17 -0
- package/dist/storage/index.js +218 -0
- package/dist/storage/index.js.map +1 -0
- package/dist/storage/routes/cdn.d.ts +19 -0
- package/dist/storage/routes/cdn.js +289 -0
- package/dist/storage/routes/cdn.js.map +1 -0
- package/dist/storage/routes/files.d.ts +27 -0
- package/dist/storage/routes/files.js +216 -0
- package/dist/storage/routes/files.js.map +1 -0
- package/dist/storage/routes/index.d.ts +2 -0
- package/dist/storage/routes/index.js +352 -0
- package/dist/storage/routes/index.js.map +1 -0
- package/dist/types-BsAcZSNX.d.ts +94 -0
- package/dist/types.d.ts +78 -0
- package/dist/types.js +1 -0
- package/dist/types.js.map +1 -0
- package/dist/util/index.d.ts +18 -0
- package/dist/util/index.js +48 -0
- package/dist/util/index.js.map +1 -0
- package/dist/worker/index.d.ts +6 -0
- package/dist/worker/index.js +1026 -0
- package/dist/worker/index.js.map +1 -0
- package/dist/worker/routes/content-prewarm.d.ts +34 -0
- package/dist/worker/routes/content-prewarm.js +38 -0
- package/dist/worker/routes/content-prewarm.js.map +1 -0
- package/dist/worker/routes/content-revalidate.d.ts +81 -0
- package/dist/worker/routes/content-revalidate.js +64 -0
- package/dist/worker/routes/content-revalidate.js.map +1 -0
- package/dist/worker/routes/health.d.ts +14 -0
- package/dist/worker/routes/health.js +278 -0
- package/dist/worker/routes/health.js.map +1 -0
- package/dist/worker/routes/index.d.ts +6 -0
- package/dist/worker/routes/index.js +373 -0
- package/dist/worker/routes/index.js.map +1 -0
- package/package.json +124 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/util/env.ts","../../src/platform/runtime.ts","../../src/platform/cloudflare-runtime.ts","../../src/platform/current.ts","../../src/auth/auth.ts","../../src/auth/user-session.ts","../../src/auth/passwords.ts","../../src/internal/admin/settings.ts","../../src/internal/admin/schema-guard.ts","../../src/internal/admin/admin.ts","../../src/auth/users.ts","../../src/auth/rate-limit.ts","../../src/auth/turnstile.ts"],"sourcesContent":["// lib/env.ts - 集中获取 Cloudflare bindings\n// 用 cloudflare:workers 模块(workerd 内置),作为平台 adapter 的绑定入口\n\n/// <reference types=\"@cloudflare/workers-types\" />\nimport { env } from \"cloudflare:workers\";\n\nexport type AppEnv = {\n DB: D1Database;\n ASSETS: Fetcher;\n IMAGES: ImagesBinding;\n ASSETS_BUCKET?: R2Bucket;\n CONTENT_CACHE?: KVNamespace;\n ADMIN_PASSWORD: string;\n ADMIN_EMAIL?: string;\n SITE_URL?: string;\n RESEND_API_KEY?: string;\n RESEND_FROM?: string;\n // Google OAuth 仍然兼容 Cloudflare Secret 作为兜底。\n // 实际生效值以 app_settings.google_client_id / google_client_secret 为准。\n GOOGLE_CLIENT_ID?: string;\n GOOGLE_CLIENT_SECRET?: string;\n /** Turnstile site key fallback when not stored in app_settings */\n TURNSTILE_SITE_KEY?: string;\n /** Turnstile secret — set via `wrangler secret put TURNSTILE_SECRET_KEY` */\n TURNSTILE_SECRET_KEY?: string;\n /** Notion integration token for the blog data source */\n NOTION_TOKEN?: string;\n /** Notion data source ID used by dataSources.query */\n NOTION_DATA_SOURCE_ID?: string;\n /** Notion data source ID for the public movie catalog */\n NOTION_MOVIES_DATA_SOURCE_ID?: string;\n /** Notion data source ID for localized movie copy */\n NOTION_MOVIE_TRANSLATIONS_DATA_SOURCE_ID?: string;\n /** Optional Notion API base URL for tests or proxies */\n NOTION_API_BASE_URL?: string;\n /** Optional Notion edit URL for admin handoff screens */\n NOTION_EDIT_BASE_URL?: string;\n /** Optional webhook verification token for Notion invalidation */\n 
NOTION_WEBHOOK_VERIFICATION_TOKEN?: string;\n};\n\n// 强制类型:vinext 把 env 类型放在 env.d.ts(interface VinextEnv extends Env),\n// 但 TS server 经常解析不到。运行时一定有 DB,类型断言保证编译通过。\nexport const workerEnv = env as unknown as AppEnv;\n","import type { AppEnv } from \"../util/env\";\n\nexport type PlatformBindingEnv = Pick<\n AppEnv,\n \"ASSETS_BUCKET\" | \"CONTENT_CACHE\" | \"DB\" | \"IMAGES\"\n>;\n\nexport type StoredObject = {\n body: ReadableStream;\n size: number;\n etag?: string;\n contentType?: string;\n};\n\nexport type ObjectStoragePutOptions = {\n contentType?: string;\n cacheControl?: string;\n metadata?: Record<string, string>;\n};\n\nexport type ObjectStorageListItem = {\n key: string;\n size: number;\n uploaded: Date;\n};\n\nexport type ObjectStorageAdapter = {\n kind: \"r2\";\n get(key: string): Promise<StoredObject | null>;\n put(\n key: string,\n value: ReadableStream | ArrayBuffer | ArrayBufferView | string | Blob,\n options?: ObjectStoragePutOptions\n ): Promise<void>;\n delete(key: string): Promise<void>;\n list(\n options?: { prefix?: string; limit?: number }\n ): Promise<ObjectStorageListItem[]>;\n};\n\nexport type ImageTransformOptions = {\n width?: number;\n format: \"image/avif\" | \"image/webp\";\n quality: number;\n};\n\nexport type ImageTransformResult = {\n body: ReadableStream;\n contentType: string;\n response(): Response;\n};\n\nexport type ImageTransformerAdapter = {\n kind: \"cloudflare-images\" | \"external\";\n transform(\n body: ReadableStream,\n options: ImageTransformOptions\n ): Promise<ImageTransformResult>;\n};\n\nexport type PublicCacheAdapter = {\n kind: \"cloudflare-cache\" | \"noop\" | \"external\";\n match(key: string): Promise<Response | null>;\n put(key: string, response: Response): Promise<void>;\n delete(key: string): Promise<boolean>;\n};\n\nexport type KeyValueCacheGetOptions = {\n cacheTtl?: number;\n};\n\nexport type KeyValueCachePutOptions = {\n expirationTtl?: number;\n metadata?: Record<string, string | number | boolean | 
null>;\n};\n\nexport type KeyValueCacheListOptions = {\n prefix?: string;\n limit?: number;\n cursor?: string;\n};\n\nexport type KeyValueCacheListResult = {\n keys: Array<{ name: string }>;\n cursor?: string;\n listComplete: boolean;\n};\n\nexport type KeyValueCacheAdapter = {\n kind: \"workers-kv\" | \"noop\" | \"external\";\n get<T = unknown>(\n key: string,\n options?: KeyValueCacheGetOptions\n ): Promise<T | null>;\n put<T = unknown>(\n key: string,\n value: T,\n options?: KeyValueCachePutOptions\n ): Promise<void>;\n delete(key: string): Promise<void>;\n list(options?: KeyValueCacheListOptions): Promise<KeyValueCacheListResult>;\n};\n\nexport type SqlValue = string | number | boolean | null;\n\nexport type SqlResult<T = Record<string, unknown>> = {\n results?: T[];\n success?: boolean;\n meta?: {\n changes?: number;\n duration?: number;\n last_row_id?: number;\n rows_read?: number;\n rows_written?: number;\n [key: string]: unknown;\n };\n};\n\nexport type SqlPreparedStatement = {\n bind(...values: SqlValue[]): SqlPreparedStatement;\n all<T = Record<string, unknown>>(): Promise<SqlResult<T>>;\n first<T = Record<string, unknown>>(columnName?: string): Promise<T | null>;\n run<T = Record<string, unknown>>(): Promise<SqlResult<T>>;\n};\n\nexport type SqlDatabaseAdapter = {\n kind: \"d1\";\n prepare(query: string): SqlPreparedStatement;\n batch<T = Record<string, unknown>>(\n statements: SqlPreparedStatement[]\n ): Promise<SqlResult<T>[]>;\n};\n\nexport type RuntimePlatform = {\n id: \"cloudflare-workers\";\n database: SqlDatabaseAdapter | null;\n objectStorage: ObjectStorageAdapter | null;\n imageTransformer: ImageTransformerAdapter | null;\n publicCache: PublicCacheAdapter | null;\n keyValueCache: KeyValueCacheAdapter | null;\n};\n\ntype CloudflareCacheLike = Pick<Cache, \"match\" | \"put\" | \"delete\">;\ntype CloudflareKvLike = Pick<KVNamespace, \"get\" | \"put\" | \"delete\" | \"list\">;\n\nfunction cacheRequestForKey(key: string) {\n return new Request(key, 
{ method: \"GET\" });\n}\n\nexport function createCloudflarePublicCacheAdapter(\n cache: CloudflareCacheLike\n): PublicCacheAdapter {\n return {\n kind: \"cloudflare-cache\",\n async match(key) {\n return (await cache.match(cacheRequestForKey(key))) ?? null;\n },\n put(key, response) {\n return cache.put(cacheRequestForKey(key), response);\n },\n delete(key) {\n return cache.delete(cacheRequestForKey(key));\n },\n };\n}\n\nexport function createNoopPublicCacheAdapter(kind: \"noop\" = \"noop\"): PublicCacheAdapter {\n return {\n kind,\n async match() {\n return null;\n },\n async put() {},\n async delete() {\n return false;\n },\n };\n}\n\nexport function createCloudflareKeyValueCacheAdapter(\n namespace: CloudflareKvLike\n): KeyValueCacheAdapter {\n return {\n kind: \"workers-kv\",\n async get<T = unknown>(\n key: string,\n options?: KeyValueCacheGetOptions\n ): Promise<T | null> {\n return (await namespace.get(key, {\n type: \"json\",\n cacheTtl: options?.cacheTtl,\n })) as T | null;\n },\n async put(key, value, options) {\n await namespace.put(key, JSON.stringify(value), {\n expirationTtl: options?.expirationTtl,\n metadata: options?.metadata,\n });\n },\n delete(key) {\n return namespace.delete(key);\n },\n async list(options) {\n const result = await namespace.list({\n prefix: options?.prefix,\n limit: options?.limit,\n cursor: options?.cursor,\n });\n return {\n keys: result.keys.map((key) => ({ name: key.name })),\n cursor: result.list_complete ? 
undefined : result.cursor,\n listComplete: result.list_complete,\n };\n },\n };\n}\n\nexport function createNoopKeyValueCacheAdapter(\n kind: \"noop\" = \"noop\"\n): KeyValueCacheAdapter {\n return {\n kind,\n async get() {\n return null;\n },\n async put() {},\n async delete() {},\n async list() {\n return { keys: [], listComplete: true };\n },\n };\n}\n\nfunction r2ObjectToStoredObject(object: R2ObjectBody): StoredObject {\n return {\n body: object.body,\n size: object.size,\n etag: object.etag,\n contentType: object.httpMetadata?.contentType,\n };\n}\n\nexport function createCloudflareRuntimePlatform(\n env: PlatformBindingEnv,\n options?: { publicCache?: CloudflareCacheLike | null }\n): RuntimePlatform {\n const database: SqlDatabaseAdapter | null = env.DB\n ? ({\n kind: \"d1\",\n prepare(query: string) {\n return env.DB.prepare(query) as unknown as SqlPreparedStatement;\n },\n async batch(statements: SqlPreparedStatement[]) {\n return (await env.DB.batch(\n statements as unknown as D1PreparedStatement[]\n )) as unknown as SqlResult<Record<string, unknown>>[];\n },\n } as unknown as SqlDatabaseAdapter)\n : null;\n\n const objectStorage: ObjectStorageAdapter | null = env.ASSETS_BUCKET\n ? {\n kind: \"r2\",\n async get(key) {\n const object = await env.ASSETS_BUCKET?.get(key);\n return object ? r2ObjectToStoredObject(object) : null;\n },\n async put(key, value, options) {\n await env.ASSETS_BUCKET?.put(key, value, {\n httpMetadata: {\n contentType: options?.contentType,\n cacheControl: options?.cacheControl,\n },\n customMetadata: options?.metadata,\n });\n },\n async delete(key) {\n await env.ASSETS_BUCKET?.delete(key);\n },\n async list(options) {\n const listed = await env.ASSETS_BUCKET?.list({\n prefix: options?.prefix,\n limit: options?.limit,\n });\n return (\n listed?.objects.map((object) => ({\n key: object.key,\n size: object.size,\n uploaded: object.uploaded,\n })) ?? 
[]\n );\n },\n }\n : null;\n\n const imageTransformer: ImageTransformerAdapter | null = env.IMAGES\n ? {\n kind: \"cloudflare-images\",\n async transform(body, options) {\n const result = await env.IMAGES.input(body)\n .transform(options.width ? { width: options.width } : {})\n .output({\n format: options.format,\n quality: options.quality,\n });\n return {\n body: result.image(),\n contentType: result.contentType(),\n response: () => result.response(),\n };\n },\n }\n : null;\n\n const keyValueCache: KeyValueCacheAdapter | null = env.CONTENT_CACHE\n ? createCloudflareKeyValueCacheAdapter(env.CONTENT_CACHE)\n : null;\n\n return {\n id: \"cloudflare-workers\",\n database,\n objectStorage,\n imageTransformer,\n keyValueCache,\n publicCache: options?.publicCache\n ? createCloudflarePublicCacheAdapter(options.publicCache)\n : null,\n };\n}\n","import { workerEnv } from \"../util/env\";\nimport {\n createCloudflarePublicCacheAdapter,\n createCloudflareRuntimePlatform,\n} from \"./runtime\";\n\nfunction getDefaultCloudflareCache() {\n const globalWithCaches = globalThis as typeof globalThis & {\n caches?: CacheStorage & { default?: Cache };\n };\n return globalWithCaches.caches?.default ?? 
null;\n}\n\nexport function getRuntimePlatform() {\n return createCloudflareRuntimePlatform(workerEnv, {\n publicCache: getDefaultCloudflareCache(),\n });\n}\n\nexport function getDatabase() {\n const database = getRuntimePlatform().database;\n if (!database) {\n throw new Error(\"SQL database binding not configured\");\n }\n return database;\n}\n\nexport function getPublicCache() {\n const cache = getDefaultCloudflareCache();\n if (!cache) {\n throw new Error(\"Cloudflare cache binding not configured\");\n }\n return createCloudflarePublicCacheAdapter(cache);\n}\n","import {\n getPublicCache as getCloudflarePublicCache,\n getRuntimePlatform as getCloudflareRuntimePlatform,\n} from \"./cloudflare-runtime\";\nimport { currentRuntimeId } from \"./selection\";\n\nexport function getRuntimePlatform() {\n return getCloudflareRuntimePlatform();\n}\n\nexport function getDatabase() {\n const platform = getRuntimePlatform();\n const database = platform.database;\n if (!database) {\n throw new Error(`SQL database adapter not configured for ${platform.id}`);\n }\n return database;\n}\n\nexport function getPublicCache() {\n return getCloudflarePublicCache();\n}\n\nexport function getKeyValueCache() {\n return getRuntimePlatform().keyValueCache;\n}\n\nexport const runtimeSelection = {\n currentRuntimeId,\n};\n","// Auth factory. Produces an `Auth` object whose methods are bound to the\n// supplied `AuthConfig` and the current platform runtime. Internal helpers\n// (session, users, rate-limit, turnstile) are pulled in by Task 3.2; for\n// now the factory exposes a fully-typed surface with placeholder\n// implementations so consumers can wire it up before the rest of the\n// internals land.\n\nimport type { AuthConfig } from \"../types\";\nimport { getRuntimePlatform } from \"../platform/current\";\nimport type { RuntimePlatform } from \"../platform/runtime\";\n\n/**\n * Minimal user shape. 
Expanded in Task 3.2 to mirror the full D1 row.\n */\nexport interface AuthUser {\n id: number;\n email: string;\n role: string | null;\n}\n\n/**\n * Minimal viewer shape returned by `requireViewer` / `requireRole`.\n * Expanded in Task 3.2 to include session info and role flags.\n */\nexport interface AuthViewer {\n id: number;\n email: string;\n role: string;\n isAdmin: boolean;\n isVip: boolean;\n}\n\n/**\n * Rate-limit verdict returned by `checkRateLimit`.\n */\nexport type AuthRateLimitResult =\n | { ok: true }\n | { ok: false; retryAfterSec: number; scope: \"email\" | \"ip\" };\n\n/**\n * Aggregate auth surface returned by `createAuth`. Each method is bound\n * to the configured database and cookie settings; consumers should not\n * need to pass these in again.\n */\nexport interface Auth {\n requireViewer(request: Request): Promise<{ user: AuthViewer }>;\n requireRole(\n request: Request,\n role: string\n ): Promise<{ user: AuthViewer }>;\n listUsers(): Promise<AuthUser[]>;\n setUserRole(userId: number, role: string): Promise<void>;\n checkRateLimit(\n key: string,\n limit: number,\n windowMs: number\n ): Promise<AuthRateLimitResult>;\n verifyTurnstile(\n token: string,\n ip: string | null\n ): Promise<boolean>;\n}\n\nfunction notImplemented(method: string): never {\n throw new Error(\n `createAuth: ${method} is not implemented yet. ` +\n `It will be wired up in Task 3.2 (move auth internals).`\n );\n}\n\n/**\n * Build an `Auth` object bound to `config` and the current platform\n * runtime. The returned methods share the same database/cookie context,\n * removing the need for module-level singletons.\n *\n * Runtime/database validation is deferred to the first call so callers\n * that only need the typed surface (e.g. 
tests) can still construct the\n * factory in environments without a configured D1 binding.\n */\nexport function createAuth(config: AuthConfig): Auth {\n // Resolve the runtime lazily so the factory can be constructed in\n // environments that do not have a real database (unit tests, build\n // steps, type-only imports). The real implementations in Task 3.2 will\n // assert on `runtime.database` and `config.databaseBinding` here.\n const getRuntime = (): RuntimePlatform => getRuntimePlatform();\n // Reference `config` so the parameter is not flagged as unused before\n // Task 3.2 wires the real implementations against it. Will be removed\n // once the helpers are in place.\n void config;\n\n return {\n async requireViewer(_request) {\n void getRuntime();\n notImplemented(\"requireViewer\");\n },\n async requireRole(_request, _role) {\n void getRuntime();\n notImplemented(\"requireRole\");\n },\n async listUsers() {\n void getRuntime();\n notImplemented(\"listUsers\");\n },\n async setUserRole(_userId, _role) {\n void getRuntime();\n notImplemented(\"setUserRole\");\n },\n async checkRateLimit(_key, _limit, _windowMs) {\n void getRuntime();\n notImplemented(\"checkRateLimit\");\n },\n async verifyTurnstile(_token, _ip) {\n void getRuntime();\n notImplemented(\"verifyTurnstile\");\n },\n };\n}\n","// auth/user-session.ts - OAuth (Google) session cookie helpers.\n//\n// The session is an HMAC-SHA256-signed base64-encoded JSON payload\n// containing the user identity and an expiry. The HMAC key is the\n// `ADMIN_PASSWORD` secret so projects can reuse one Cloudflare secret\n// for both admin-password and OAuth cookies. 
The `session_rev` field\n// is incremented to invalidate every cookie for a user at once\n// (used on password reset, account delete, etc.).\n\nimport { cookies } from \"next/headers\";\nimport { getUserById } from \"./users\";\nimport { getDatabase } from \"../platform/current\";\nimport type { SessionUser } from \"./session\";\n\nconst SESSION_TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days\nconst USER_COOKIE_NAME = \"vinext_user_session\";\nconst ADMIN_COOKIE_NAME = \"vinext_admin_session\";\n\n/** Cookie name holding the OAuth (Google) user session. */\nexport const USER_COOKIE = USER_COOKIE_NAME;\n\n/** Cookie name holding the admin-password session. */\nexport const ADMIN_COOKIE = ADMIN_COOKIE_NAME;\n\ninterface WorkerEnvLike {\n ADMIN_PASSWORD?: string;\n}\n\nfunction getAdminPassword(): string {\n // Prefer the platform env (Cloudflare / vite dev with .dev.vars). Falls\n // back to process.env for environments where neither is configured.\n // The fallback value is intentionally weak; production deployments\n // must set ADMIN_PASSWORD via `wrangler secret put`.\n let fromWorker: string | undefined;\n try {\n // The optional import keeps this module usable in unit tests that\n // do not have the `cloudflare:workers` virtual module.\n // eslint-disable-next-line @typescript-eslint/no-require-imports\n const mod = require(\"cloudflare:workers\") as { env?: WorkerEnvLike };\n fromWorker = mod.env?.ADMIN_PASSWORD;\n } catch {\n fromWorker = undefined;\n }\n if (fromWorker) return fromWorker;\n return process.env.ADMIN_PASSWORD ?? 
\"vinext-admin-2026\";\n}\n\nasync function hmac(secret: string, message: string): Promise<string> {\n const enc = new TextEncoder();\n const key = await crypto.subtle.importKey(\n \"raw\",\n enc.encode(secret),\n { name: \"HMAC\", hash: \"SHA-256\" },\n false,\n [\"sign\"]\n );\n const sig = await crypto.subtle.sign(\"HMAC\", key, enc.encode(message));\n return [...new Uint8Array(sig)]\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\nasync function constantTimeEqual(a: string, b: string): Promise<boolean> {\n const aBytes = new TextEncoder().encode(a);\n const bBytes = new TextEncoder().encode(b);\n if (aBytes.length !== bBytes.length) return false;\n let diff = 0;\n for (let i = 0; i < aBytes.length; i++) {\n diff |= aBytes[i]! ^ bBytes[i]!;\n }\n return diff === 0;\n}\n\nasync function signPayload(payload: string): Promise<string> {\n return hmac(getAdminPassword(), payload);\n}\n\nfunction utf8ToBase64(s: string): string {\n const bytes = new TextEncoder().encode(s);\n let bin = \"\";\n for (const b of bytes) bin += String.fromCharCode(b);\n return btoa(bin);\n}\n\nfunction base64ToUtf8(b64: string): string {\n const bin = atob(b64);\n const bytes = new Uint8Array(bin.length);\n for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n return new TextDecoder().decode(bytes);\n}\n\n/** 给 OAuth 用户发 token:HMAC 签名 + base64-encoded JSON payload */\nexport async function signUserToken(user: SessionUser): Promise<string> {\n const exp = Math.floor(Date.now() / 1000) + SESSION_TTL_SECONDS;\n const payload = { ...user, exp };\n const json = JSON.stringify(payload);\n const b64 = utf8ToBase64(json);\n const sig = await signPayload(b64);\n return `${b64}.${sig}`;\n}\n\nexport async function setUserSessionCookie(user: SessionUser) {\n const token = await signUserToken(user);\n const jar = await cookies();\n jar.set(USER_COOKIE_NAME, token, {\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: 
\"/\",\n maxAge: SESSION_TTL_SECONDS,\n });\n}\n\n/** 校验用户 session token:签名、过期、session_rev 是否与数据库一致 */\nexport async function verifyUserToken(\n token: string | undefined\n): Promise<SessionUser | null> {\n if (!token) return null;\n const parts = token.split(\".\");\n if (parts.length !== 2) return null;\n const [b64, sig] = parts;\n const expected = await signPayload(b64!);\n if (!(await constantTimeEqual(sig!, expected))) return null;\n try {\n const json = base64ToUtf8(b64!);\n const payload = JSON.parse(json) as SessionUser & { exp: number };\n if (payload.exp < Math.floor(Date.now() / 1000)) return null;\n\n const dbUser = await getUserById(payload.uid);\n if (!dbUser) return null;\n if (dbUser.email !== payload.email) return null;\n const tokenRev = payload.rev ?? 0;\n const dbRev = dbUser.session_rev ?? 0;\n if (tokenRev !== dbRev) return null;\n\n return {\n uid: payload.uid,\n email: payload.email,\n name: payload.name,\n picture: payload.picture,\n rev: dbRev,\n };\n } catch {\n return null;\n }\n}\n\n/** 当前 OAuth 用户(如果登录了),admin 密码登录时返 null */\nexport async function getCurrentUser(): Promise<SessionUser | null> {\n const jar = await cookies();\n const token = jar.get(USER_COOKIE_NAME)?.value;\n return verifyUserToken(token);\n}\n\nexport async function clearUserSessionCookie() {\n const jar = await cookies();\n jar.set(USER_COOKIE_NAME, \"\", { path: \"/\", maxAge: 0 });\n}\n\n// ====== Admin-password session ======\n\nasync function signAdminToken(): Promise<string> {\n const password = getAdminPassword();\n const exp = Math.floor(Date.now() / 1000) + SESSION_TTL_SECONDS;\n const payload = `ok.${exp}`;\n const sig = await hmac(password, payload);\n return `${payload}.${sig}`;\n}\n\nasync function verifyAdminToken(token: string | undefined): Promise<boolean> {\n if (!token) return false;\n const parts = token.split(\".\");\n if (parts.length !== 3) return false;\n const [flag, expStr, sig] = parts;\n if (flag !== \"ok\") return false;\n const exp = 
Number(expStr);\n if (!Number.isFinite(exp) || exp < Math.floor(Date.now() / 1000)) return false;\n const password = getAdminPassword();\n const expected = await hmac(password, `${flag}.${exp}`);\n return constantTimeEqual(sig!, expected);\n}\n\nexport async function checkPassword(input: string): Promise<boolean> {\n const expected = getAdminPassword();\n return constantTimeEqual(input, expected);\n}\n\nexport async function setSessionCookie() {\n const token = await signAdminToken();\n const jar = await cookies();\n jar.set(ADMIN_COOKIE_NAME, token, {\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: SESSION_TTL_SECONDS,\n });\n}\n\nexport async function clearSessionCookie() {\n const jar = await cookies();\n jar.set(ADMIN_COOKIE_NAME, \"\", { path: \"/\", maxAge: 0 });\n}\n\nfunction getAdminEmailFromEnv(): string {\n let fromWorker: string | undefined;\n try {\n // eslint-disable-next-line @typescript-eslint/no-require-imports\n const mod = require(\"cloudflare:workers\") as { env?: { ADMIN_EMAIL?: string } };\n fromWorker = mod.env?.ADMIN_EMAIL;\n } catch {\n fromWorker = undefined;\n }\n return (fromWorker || \"zhaofilms@gmail.com\").toLowerCase();\n}\n\nexport type AuthViewer = {\n email: string;\n user: SessionUser | null;\n role: \"user\" | \"vip\" | \"admin\";\n isAdmin: boolean;\n isVip: boolean;\n canViewVipContent: boolean;\n};\n\n/**\n * Combined viewer: returns an `AuthViewer` for the current request\n * regardless of which login method (admin password vs OAuth) the\n * user used. 
`null` means the request is unauthenticated.\n */\nexport async function getAuthViewer(): Promise<AuthViewer | null> {\n const jar = await cookies();\n\n if (await verifyAdminToken(jar.get(ADMIN_COOKIE_NAME)?.value)) {\n return {\n email: getAdminEmailFromEnv(),\n user: null,\n role: \"admin\",\n isAdmin: true,\n isVip: true,\n canViewVipContent: true,\n };\n }\n\n const user = await verifyUserToken(jar.get(USER_COOKIE_NAME)?.value);\n if (!user) return null;\n\n const dbUser = await getUserById(user.uid);\n if (!dbUser) return null;\n const role: \"user\" | \"vip\" | \"admin\" =\n dbUser.role === \"admin\" || dbUser.role === \"vip\" ? dbUser.role : \"user\";\n const isAdmin = role === \"admin\";\n const isVip = role === \"vip\" || isAdmin;\n\n return {\n email: user.email,\n user,\n role,\n isAdmin,\n isVip,\n canViewVipContent: isVip,\n };\n}\n\n/**\n * Extended isAuthenticated: admin password login or OAuth login both\n * count as authenticated.\n */\nexport async function isAuthenticated(): Promise<boolean> {\n const jar = await cookies();\n if (await verifyAdminToken(jar.get(ADMIN_COOKIE_NAME)?.value)) return true;\n if (await verifyUserToken(jar.get(USER_COOKIE_NAME)?.value)) return true;\n return false;\n}\n\n// Re-export the database helper to keep callers from having to reach\n// into the platform layer just to update session_rev after a reset.\nexport { getDatabase };\n","// PBKDF2-SHA256 password hashing for the email/password auth flow.\n// Cloudflare Workers WebCrypto rejects iteration counts above 100000.\n\nconst HASH_PREFIX = \"pbkdf2_sha256\";\n// Cloudflare Workers WebCrypto currently rejects PBKDF2 iteration counts above 100000.\nconst PBKDF2_ITERATIONS = 100000;\nconst SALT_BYTES = 16;\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let bin = \"\";\n for (const b of bytes) bin += String.fromCharCode(b);\n return btoa(bin);\n}\n\nfunction base64ToBytes(input: string): Uint8Array {\n const bin = atob(input);\n const bytes = new 
Uint8Array(bin.length);\n for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n return bytes;\n}\n\nasync function deriveKey(\n password: string,\n salt: Uint8Array,\n iterations: number\n): Promise<Uint8Array> {\n const normalizedSalt = Uint8Array.from(salt) as unknown as BufferSource;\n const baseKey = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(password),\n \"PBKDF2\",\n false,\n [\"deriveBits\"]\n );\n const derived = await crypto.subtle.deriveBits(\n {\n name: \"PBKDF2\",\n hash: \"SHA-256\",\n salt: normalizedSalt,\n iterations,\n },\n baseKey,\n 256\n );\n return new Uint8Array(derived);\n}\n\nasync function constantTimeEqual(\n left: Uint8Array,\n right: Uint8Array\n): Promise<boolean> {\n if (left.length !== right.length) return false;\n let diff = 0;\n for (let i = 0; i < left.length; i++) {\n diff |= left[i]! ^ right[i]!;\n }\n return diff === 0;\n}\n\nexport async function hashPassword(password: string): Promise<string> {\n const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));\n const derived = await deriveKey(password, salt, PBKDF2_ITERATIONS);\n return [\n HASH_PREFIX,\n String(PBKDF2_ITERATIONS),\n bytesToBase64(salt),\n bytesToBase64(derived),\n ].join(\"$\");\n}\n\n/** 注册/改密时的强度校验,失败返回中文错误信息。 */\nexport function validatePasswordStrength(password: string): string | null {\n if (password.length < 8) return \"密码至少需要 8 位\";\n if (!/[a-zA-Z]/.test(password) || !/\\d/.test(password)) {\n return \"密码需要同时包含字母和数字\";\n }\n return null;\n}\n\nexport async function verifyPassword(\n password: string,\n storedHash: string\n): Promise<boolean> {\n const [prefix, iterationsStr, saltB64, hashB64] = storedHash.split(\"$\");\n if (\n prefix !== HASH_PREFIX ||\n !iterationsStr ||\n !saltB64 ||\n !hashB64\n ) {\n return false;\n }\n\n const iterations = Number(iterationsStr);\n if (!Number.isFinite(iterations) || iterations <= 0) return false;\n\n const salt = base64ToBytes(saltB64);\n const expected = 
base64ToBytes(hashB64);\n const derived = await deriveKey(password, salt, iterations);\n return constantTimeEqual(derived, expected);\n}\n","// lib/settings.ts - 读取和更新后台系统设置(单管理员模型)\n// 数据保存在 SQL 表 app_settings,目前固定为 1 行。\n//\n// Internal to the package — not exposed via package.json exports. The\n// auth helpers (turnstile.ts, users.ts) call into the read functions;\n// admin pages in the starter import the update functions through a\n// re-export shim at `apps/moviebluebook/lib/settings.ts`.\n\nimport { cache } from \"react\";\nimport { workerEnv } from \"../../util/env\";\nimport { getDatabase } from \"../../platform/current\";\nimport {\n buildTurnstilePublicConfig,\n DEFAULT_TURNSTILE_PUBLIC_CONFIG,\n isSchemaDriftError,\n} from \"./schema-guard\";\n\nexport type AppSettings = {\n site_title: string;\n google_enabled: 0 | 1;\n google_client_id: string | null;\n google_client_secret: string | null;\n google_updated_at: string | null;\n turnstile_enabled: 0 | 1;\n turnstile_site_key: string | null;\n turnstile_updated_at: string | null;\n admin_email: string;\n updated_at: string;\n};\n\ntype Row = {\n site_title: string;\n google_enabled: number;\n google_client_id: string | null;\n google_client_secret: string | null;\n google_updated_at: string | null;\n turnstile_enabled: number;\n turnstile_site_key: string | null;\n turnstile_updated_at: string | null;\n admin_email: string;\n updated_at: string;\n};\n\nconst DEFAULT_ADMIN_EMAIL = \"zhaofilms@gmail.com\";\n\nfunction rowToSettings(r: Row): AppSettings {\n return {\n site_title: r.site_title,\n google_enabled: r.google_enabled === 1 ? 1 : 0,\n google_client_id: r.google_client_id,\n google_client_secret: r.google_client_secret,\n google_updated_at: r.google_updated_at,\n turnstile_enabled: r.turnstile_enabled === 1 ? 
1 : 0,\n turnstile_site_key: r.turnstile_site_key,\n turnstile_updated_at: r.turnstile_updated_at,\n admin_email: r.admin_email,\n updated_at: r.updated_at,\n };\n}\n\nconst getAppSettingsCached = cache(async (): Promise<AppSettings> => {\n const row = await getDatabase().prepare(\n `SELECT site_title, google_enabled, google_client_id, google_client_secret,\n google_updated_at, turnstile_enabled, turnstile_site_key,\n turnstile_updated_at, admin_email, updated_at\n FROM app_settings WHERE id = 1`\n ).first<Row>();\n if (!row) {\n // 极端情况:迁移未执行\n return {\n site_title: \"vinext Blog\",\n google_enabled: 0,\n google_client_id: null,\n google_client_secret: null,\n google_updated_at: null,\n turnstile_enabled: 0,\n turnstile_site_key: null,\n turnstile_updated_at: null,\n admin_email: DEFAULT_ADMIN_EMAIL,\n updated_at: \"\",\n };\n }\n return rowToSettings(row);\n});\n\nexport async function getAppSettings(): Promise<AppSettings> {\n return getAppSettingsCached();\n}\n\n/** Turnstile 前端可见配置(site key 公开;secret 在 env)。 */\nexport async function getTurnstilePublicConfig(): Promise<{\n enabled: boolean;\n siteKey: string | null;\n secretConfigured: boolean;\n}> {\n try {\n const s = await getAppSettings();\n return buildTurnstilePublicConfig(s, workerEnv);\n } catch (error) {\n if (isSchemaDriftError(error)) {\n console.error(\n \"[settings] turnstile config unavailable due to schema drift; falling back to disabled state\",\n error\n );\n return { ...DEFAULT_TURNSTILE_PUBLIC_CONFIG };\n }\n throw error;\n }\n}\n\nexport async function updateTurnstileConfig(input: {\n enabled: boolean;\n siteKey: string;\n}): Promise<void> {\n const enabled = input.enabled ? 
1 : 0;\n await getDatabase().prepare(\n `UPDATE app_settings\n SET turnstile_enabled = ?,\n turnstile_site_key = ?,\n turnstile_updated_at = datetime('now'),\n updated_at = datetime('now')\n WHERE id = 1`\n )\n .bind(enabled, input.siteKey || null)\n .run();\n}\n\nexport async function disableTurnstileConfig(): Promise<void> {\n await getDatabase().prepare(\n `UPDATE app_settings\n SET turnstile_enabled = 0,\n turnstile_updated_at = datetime('now'),\n updated_at = datetime('now')\n WHERE id = 1`\n ).run();\n}\n\n/** Google 登录实际配置:只有 enabled 且 id+secret 都存在才认为可用 */\nexport async function getGoogleOAuthConfig(): Promise<{\n enabled: boolean;\n clientId: string;\n clientSecret: string;\n} | null> {\n const s = await getAppSettings();\n if (!s.google_enabled) return null;\n if (!s.google_client_id || !s.google_client_secret) return null;\n return {\n enabled: true,\n clientId: s.google_client_id,\n clientSecret: s.google_client_secret,\n };\n}\n\nexport async function updateGoogleOAuthConfig(input: {\n enabled: boolean;\n clientId: string;\n clientSecret: string;\n}): Promise<void> {\n const enabled = input.enabled ? 
1 : 0;\n await getDatabase().prepare(\n `UPDATE app_settings\n SET google_enabled = ?,\n google_client_id = ?,\n google_client_secret = ?,\n google_updated_at = datetime('now'),\n updated_at = datetime('now')\n WHERE id = 1`\n )\n .bind(enabled, input.clientId, input.clientSecret)\n .run();\n}\n\nexport async function clearGoogleOAuthConfig(): Promise<void> {\n await getDatabase().prepare(\n `UPDATE app_settings\n SET google_enabled = 0,\n google_client_id = NULL,\n google_client_secret = NULL,\n google_updated_at = datetime('now'),\n updated_at = datetime('now')\n WHERE id = 1`\n ).run();\n}\n\nexport async function updateSiteTitle(title: string): Promise<void> {\n await getDatabase().prepare(\n `UPDATE app_settings SET site_title = ?, updated_at = datetime('now') WHERE id = 1`\n )\n .bind(title)\n .run();\n}\n","export const REQUIRED_SCHEMA_CHECKS = [\n {\n key: \"app_settings.turnstile_enabled\",\n sql: \"SELECT turnstile_enabled FROM app_settings LIMIT 1\",\n },\n {\n key: \"users.session_rev\",\n sql: \"SELECT session_rev FROM users LIMIT 1\",\n },\n {\n key: \"auth_rate_limits\",\n sql: \"SELECT 1 FROM auth_rate_limits LIMIT 1\",\n },\n];\n\nexport const DEFAULT_TURNSTILE_PUBLIC_CONFIG = {\n enabled: false,\n siteKey: null,\n secretConfigured: false,\n};\n\nexport function isSchemaDriftError(error: unknown): boolean {\n const message = error instanceof Error ? error.message : String(error ?? 
\"\");\n return (\n message.includes(\"no such column\") || message.includes(\"no such table\")\n );\n}\n\nexport function buildTurnstilePublicConfig(\n settings: { turnstile_enabled: number; turnstile_site_key: string | null },\n envLike: { TURNSTILE_SITE_KEY?: string; TURNSTILE_SECRET_KEY?: string }\n): { enabled: boolean; siteKey: string | null; secretConfigured: boolean } {\n const envSiteKey = envLike.TURNSTILE_SITE_KEY?.trim() || null;\n const siteKey = settings.turnstile_site_key?.trim() || envSiteKey || null;\n const secretConfigured = Boolean(envLike.TURNSTILE_SECRET_KEY?.trim());\n const enabled =\n (settings.turnstile_enabled === 1 || Boolean(envSiteKey)) &&\n Boolean(siteKey) &&\n secretConfigured;\n\n return {\n enabled,\n siteKey,\n secretConfigured,\n };\n}\n\nexport async function runSchemaHealthChecks(db: {\n prepare: (sql: string) => { first: () => Promise<unknown> };\n}): Promise<{ ok: boolean; missing: string[]; errors: string[] }> {\n const missing: string[] = [];\n const errors: string[] = [];\n\n for (const check of REQUIRED_SCHEMA_CHECKS) {\n try {\n await db.prepare(check.sql).first();\n } catch (error) {\n if (isSchemaDriftError(error)) {\n missing.push(check.key);\n } else {\n const message = error instanceof Error ? error.message : String(error);\n errors.push(`${check.key}: ${message}`);\n }\n }\n }\n\n return {\n ok: missing.length === 0 && errors.length === 0,\n missing,\n errors,\n };\n}\n","// lib/admin.ts - 单管理员身份识别\n// 设计:固定 admin_email = app_settings.admin_email(默认 zhaofilms@gmail.com)\n// 任何登录方式下,邮箱匹配即视为管理员。\n//\n// Internal to the package — not exposed via package.json exports.\n// The auth helpers (users.ts) call `isAdminEmail` to decide whether a\n// newly registered user gets the `admin` role. 
The starter still\n// re-exports this through `apps/moviebluebook/lib/admin.ts` for backward\n// compatibility with its own admin pages and tests.\n\nimport { getAppSettings } from \"./settings\";\nimport { getDatabase } from \"../../platform/current\";\n\nexport const DEFAULT_ADMIN_EMAIL = \"zhaofilms@gmail.com\";\n\nexport function normalizeEmail(email: string): string {\n return email.trim().toLowerCase();\n}\n\nexport async function isAdminEmail(email: string): Promise<boolean> {\n if (!email) return false;\n const settings = await getAppSettings();\n return normalizeEmail(email) === normalizeEmail(settings.admin_email);\n}\n\n/**\n * 提升某邮箱为管理员(仅在系统启动时、且匹配 admin_email 时调用)。\n * 实际上是把 users.role 置为 'admin',并清空其它冲突状态。\n */\nexport async function ensureAdminUser(email: string): Promise<void> {\n const normalized = normalizeEmail(email);\n if (!(await isAdminEmail(normalized))) return;\n await getDatabase().prepare(\n `UPDATE users SET role = 'admin' WHERE email = ?`\n ).bind(normalized).run();\n}\n","// auth/users.ts - user persistence for Google OAuth and email/password auth\n//\n// Internal-only module of the auth feature. The exported functions back\n// the email/password registration flow, Google OAuth upserts, the admin\n// user-management API, and the bootstrap that creates the first admin\n// account. 
Table names and database binding come from the platform\n// runtime (`getDatabase`) which is configured by the consuming app.\n\nimport { hashPassword, verifyPassword } from \"./passwords\";\nimport { isAdminEmail } from \"../internal/admin/admin\";\nimport { getAppSettings } from \"../internal/admin/settings\";\nimport { getDatabase } from \"../platform/current\";\nimport type { SessionUser } from \"./session\";\n\nexport type UserRole = \"user\" | \"vip\" | \"admin\";\nexport type UserListItem = User & { post_count: number };\n\nexport type User = {\n id: number;\n email: string;\n name: string | null;\n picture: string | null;\n google_sub: string | null;\n password_hash: string | null;\n email_verified: number;\n email_verify_token: string | null;\n email_verify_expires_at: string | null;\n password_reset_token: string | null;\n password_reset_expires_at: string | null;\n session_rev: number;\n role: UserRole | null;\n created_at: string;\n last_seen_at: string;\n};\n\nfunction normalizeEmail(email: string): string {\n return email.trim().toLowerCase();\n}\n\nasync function defaultRoleFor(email: string): Promise<\"user\" | \"admin\"> {\n return (await isAdminEmail(email)) ? \"admin\" : \"user\";\n}\n\nexport function normalizeUserRole(role: string | null | undefined): UserRole {\n if (role === \"admin\" || role === \"vip\") return role;\n return \"user\";\n}\n\nfunction createRandomToken(): string {\n return [...crypto.getRandomValues(new Uint8Array(24))]\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\nexport function userToSession(user: User): SessionUser {\n return {\n uid: user.id,\n email: user.email,\n name: user.name,\n picture: user.picture,\n rev: user.session_rev ?? 
0,\n };\n}\n\nexport async function upsertGoogleUser(input: {\n email: string;\n name: string;\n picture: string;\n googleSub: string;\n}): Promise<User> {\n const db = getDatabase();\n const email = normalizeEmail(input.email);\n\n const existing = await db.prepare(\n `SELECT * FROM users WHERE google_sub = ? OR email = ? LIMIT 1`\n )\n .bind(input.googleSub, email)\n .first<User>();\n\n if (existing) {\n await db.prepare(\n `UPDATE users\n SET email = ?, name = ?, picture = ?, google_sub = ?, email_verified = 1,\n email_verify_token = NULL, email_verify_expires_at = NULL,\n last_seen_at = datetime('now')\n WHERE id = ?`\n )\n .bind(email, input.name, input.picture, input.googleSub, existing.id)\n .run();\n } else {\n const role = await defaultRoleFor(email);\n await db.prepare(\n `INSERT INTO users (\n email, name, picture, google_sub, email_verified, role, last_seen_at\n ) VALUES (?, ?, ?, ?, 1, ?, datetime('now'))`\n )\n .bind(email, input.name, input.picture, input.googleSub, role)\n .run();\n }\n\n if (await isAdminEmail(email)) {\n await db.prepare(\n `UPDATE users SET role = 'admin' WHERE email = ?`\n ).bind(email).run();\n }\n\n const user = await getUserByEmail(email);\n if (!user) throw new Error(\"User upsert failed\");\n return user;\n}\n\nexport async function createEmailUser(input: {\n email: string;\n password: string;\n}): Promise<\n | { ok: true; user: User; verifyToken: string }\n | { ok: false; reason: \"exists\" }\n> {\n const email = normalizeEmail(input.email);\n const existing = await getUserByEmail(email);\n if (existing) {\n return { ok: false, reason: \"exists\" };\n }\n\n const passwordHash = await hashPassword(input.password);\n const verifyToken = createRandomToken();\n const verifyExpiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24).toISOString();\n\n const role = await defaultRoleFor(email);\n const db = getDatabase();\n await db.prepare(\n `INSERT INTO users (\n email, password_hash, email_verified, email_verify_token,\n 
email_verify_expires_at, role, last_seen_at\n ) VALUES (?, ?, 0, ?, ?, ?, datetime('now'))`\n )\n .bind(email, passwordHash, verifyToken, verifyExpiresAt, role)\n .run();\n\n if (role === \"admin\") {\n await db.prepare(\n `UPDATE users SET role = 'admin' WHERE email = ?`\n ).bind(email).run();\n }\n\n const user = await getUserByEmail(email);\n if (!user) throw new Error(\"User creation failed\");\n return { ok: true, user, verifyToken };\n}\n\nexport async function verifyEmailUser(token: string): Promise<User | null> {\n const user = await getDatabase().prepare(\n `SELECT * FROM users WHERE email_verify_token = ?`\n )\n .bind(token)\n .first<User>();\n\n if (!user || !user.email_verify_expires_at) return null;\n if (new Date(user.email_verify_expires_at).getTime() < Date.now()) {\n return null;\n }\n\n await getDatabase().prepare(\n `UPDATE users\n SET email_verified = 1,\n email_verify_token = NULL,\n email_verify_expires_at = NULL,\n last_seen_at = datetime('now')\n WHERE id = ?`\n )\n .bind(user.id)\n .run();\n\n return getUserByEmail(user.email);\n}\n\nexport async function issueVerificationToken(\n email: string\n): Promise<\n | { ok: true; token: string; user: User }\n | { ok: false; reason: \"not_found\" | \"already_verified\" | \"no_password\" }\n> {\n const user = await getUserByEmail(email);\n if (!user) return { ok: false, reason: \"not_found\" };\n if (!user.password_hash) return { ok: false, reason: \"no_password\" };\n if (user.email_verified) return { ok: false, reason: \"already_verified\" };\n\n const verifyToken = createRandomToken();\n const verifyExpiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24).toISOString();\n\n await getDatabase().prepare(\n `UPDATE users\n SET email_verify_token = ?, email_verify_expires_at = ?\n WHERE id = ?`\n )\n .bind(verifyToken, verifyExpiresAt, user.id)\n .run();\n\n const updated = await getUserByEmail(email);\n if (!updated) return { ok: false, reason: \"not_found\" };\n return { ok: true, token: verifyToken, 
user: updated };\n}\n\nexport async function issuePasswordResetToken(\n email: string\n): Promise<\n | { ok: true; token: string; user: User }\n | { ok: false; reason: \"not_found\" | \"no_password\" | \"unverified\" }\n> {\n const user = await getUserByEmail(email);\n if (!user || !user.password_hash) {\n return { ok: false, reason: \"not_found\" };\n }\n if (!user.email_verified) {\n return { ok: false, reason: \"unverified\" };\n }\n\n const resetToken = createRandomToken();\n const resetExpiresAt = new Date(Date.now() + 1000 * 60 * 60).toISOString();\n\n await getDatabase().prepare(\n `UPDATE users\n SET password_reset_token = ?, password_reset_expires_at = ?\n WHERE id = ?`\n )\n .bind(resetToken, resetExpiresAt, user.id)\n .run();\n\n const updated = await getUserByEmail(email);\n if (!updated) return { ok: false, reason: \"not_found\" };\n return { ok: true, token: resetToken, user: updated };\n}\n\nexport async function resetPasswordWithToken(input: {\n token: string;\n password: string;\n}): Promise<\n | { ok: true; user: User }\n | { ok: false; reason: \"invalid\" }\n> {\n const user = await getDatabase().prepare(\n `SELECT * FROM users WHERE password_reset_token = ?`\n )\n .bind(input.token)\n .first<User>();\n\n if (!user || !user.password_reset_expires_at) {\n return { ok: false, reason: \"invalid\" };\n }\n if (new Date(user.password_reset_expires_at).getTime() < Date.now()) {\n return { ok: false, reason: \"invalid\" };\n }\n\n const passwordHash = await hashPassword(input.password);\n await getDatabase().prepare(\n `UPDATE users\n SET password_hash = ?,\n password_reset_token = NULL,\n password_reset_expires_at = NULL,\n session_rev = session_rev + 1,\n last_seen_at = datetime('now')\n WHERE id = ?`\n )\n .bind(passwordHash, user.id)\n .run();\n\n const updated = await getUserById(user.id);\n if (!updated) return { ok: false, reason: \"invalid\" };\n return { ok: true, user: updated };\n}\n\nexport async function changeUserPassword(input: {\n 
userId: number;\n currentPassword: string;\n newPassword: string;\n}): Promise<\n | { ok: true; user: User }\n | { ok: false; reason: \"invalid\" | \"no_password\" }\n> {\n const user = await getUserById(input.userId);\n if (!user || !user.password_hash) {\n return { ok: false, reason: \"no_password\" };\n }\n\n const matches = await verifyPassword(\n input.currentPassword,\n user.password_hash\n );\n if (!matches) {\n return { ok: false, reason: \"invalid\" };\n }\n\n const passwordHash = await hashPassword(input.newPassword);\n await getDatabase().prepare(\n `UPDATE users\n SET password_hash = ?,\n session_rev = session_rev + 1,\n last_seen_at = datetime('now')\n WHERE id = ?`\n )\n .bind(passwordHash, user.id)\n .run();\n\n const updated = await getUserById(user.id);\n if (!updated) return { ok: false, reason: \"invalid\" };\n return { ok: true, user: updated };\n}\n\nexport async function authenticateEmailUser(input: {\n email: string;\n password: string;\n}): Promise<\n | { ok: true; user: User }\n | { ok: false; reason: \"invalid\" | \"unverified\" }\n> {\n const email = normalizeEmail(input.email);\n const user = await getUserByEmail(email);\n if (!user || !user.password_hash) {\n return { ok: false, reason: \"invalid\" };\n }\n\n const matches = await verifyPassword(input.password, user.password_hash);\n if (!matches) {\n return { ok: false, reason: \"invalid\" };\n }\n if (!user.email_verified) {\n return { ok: false, reason: \"unverified\" };\n }\n\n await getDatabase().prepare(\n `UPDATE users SET last_seen_at = datetime('now') WHERE id = ?`\n )\n .bind(user.id)\n .run();\n\n return { ok: true, user: { ...user, email } };\n}\n\nexport async function getUserByEmail(email: string): Promise<User | null> {\n return await getDatabase().prepare(`SELECT * FROM users WHERE email = ?`)\n .bind(normalizeEmail(email))\n .first<User>();\n}\n\nexport async function getUserById(id: number): Promise<User | null> {\n return await getDatabase().prepare(`SELECT * FROM 
users WHERE id = ?`)\n .bind(id)\n .first<User>();\n}\n\nexport async function listUsers(limit = 100): Promise<User[]> {\n const { results } = await getDatabase().prepare(\n `SELECT * FROM users ORDER BY created_at DESC LIMIT ?`\n )\n .bind(limit)\n .all<User>();\n return results || [];\n}\n\nexport async function listUsersWithPostCounts(\n limit = 100\n): Promise<UserListItem[]> {\n const { results } = await getDatabase().prepare(\n `SELECT u.*,\n (SELECT COUNT(*) FROM posts p WHERE p.owner_email = u.email) AS post_count\n FROM users u\n ORDER BY u.created_at DESC\n LIMIT ?`\n )\n .bind(limit)\n .all<UserListItem>();\n return results || [];\n}\n\n/** 递增 session_rev,使该用户所有已签发 cookie 立即失效。 */\nexport async function revokeUserSessions(userId: number): Promise<boolean> {\n const user = await getUserById(userId);\n if (!user) return false;\n await getDatabase().prepare(\n `UPDATE users SET session_rev = session_rev + 1 WHERE id = ?`\n )\n .bind(userId)\n .run();\n return true;\n}\n\nexport async function setUserRole(\n userId: number,\n role: Exclude<UserRole, \"admin\">\n): Promise<\n | { ok: true; user: User }\n | { ok: false; reason: \"not_found\" | \"is_admin\" }\n> {\n const user = await getUserById(userId);\n if (!user) return { ok: false, reason: \"not_found\" };\n if (await isAdminEmail(user.email)) {\n return { ok: false, reason: \"is_admin\" };\n }\n\n await getDatabase().prepare(\n `UPDATE users\n SET role = ?,\n last_seen_at = datetime('now')\n WHERE id = ?`\n )\n .bind(role, userId)\n .run();\n\n const updated = await getUserById(userId);\n if (!updated) return { ok: false, reason: \"not_found\" };\n return { ok: true, user: updated };\n}\n\nexport async function deleteUserAccount(userId: number): Promise<\n | { ok: true; email: string }\n | { ok: false; reason: \"not_found\" | \"is_admin\" }\n> {\n const user = await getUserById(userId);\n if (!user) return { ok: false, reason: \"not_found\" };\n if (await isAdminEmail(user.email)) {\n return { ok: false, 
reason: \"is_admin\" };\n }\n\n const settings = await getAppSettings();\n const adminEmail = settings.admin_email;\n\n const db = getDatabase();\n await db.batch([\n db.prepare(\n `UPDATE posts SET owner_email = ? WHERE owner_email = ?`\n ).bind(adminEmail, user.email),\n db.prepare(`DELETE FROM users WHERE id = ?`).bind(userId),\n ]);\n\n return { ok: true, email: user.email };\n}\n","// SQL-backed rate limiting for auth endpoints (per email + per IP).\n\nimport { getDatabase } from \"../platform/current\";\n\nconst WINDOW_MS = 15 * 60 * 1000;\nconst MAX_EMAIL_ATTEMPTS = 5;\nconst MAX_IP_ATTEMPTS = 30;\n\nexport type AuthRateLimitKind = \"login\" | \"forgot\" | \"resend\" | \"register\";\n\ntype RateLimitResult =\n | { ok: true }\n | { ok: false; retryAfterSec: number; scope: \"email\" | \"ip\" };\n\ntype RateLimitBucket = \"email\" | \"ip\";\n\nfunction scopeKey(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): string {\n const normalized =\n bucket === \"email\"\n ? 
identifier.trim().toLowerCase()\n : identifier.trim();\n return `${kind}:${bucket}:${normalized}`;\n}\n\nasync function readScope(scope: string): Promise<{\n attempts: number;\n window_start: number;\n} | null> {\n return getDatabase().prepare(\n `SELECT attempts, window_start FROM auth_rate_limits WHERE scope = ?`\n )\n .bind(scope)\n .first<{ attempts: number; window_start: number }>();\n}\n\nasync function checkScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string,\n maxAttempts: number\n): Promise<RateLimitResult> {\n const scope = scopeKey(kind, bucket, identifier);\n const row = await readScope(scope);\n const now = Date.now();\n\n if (!row) return { ok: true };\n if (now - row.window_start >= WINDOW_MS) return { ok: true };\n\n if (row.attempts >= maxAttempts) {\n const retryAfterSec = Math.ceil(\n (row.window_start + WINDOW_MS - now) / 1000\n );\n return {\n ok: false,\n retryAfterSec: Math.max(retryAfterSec, 1),\n scope: bucket,\n };\n }\n\n return { ok: true };\n}\n\n/** @deprecated 仅邮箱维度;请改用 enforceAuthRateLimits */\nexport async function checkAuthRateLimit(\n kind: AuthRateLimitKind,\n email: string\n): Promise<RateLimitResult> {\n return checkScoped(kind, \"email\", email, MAX_EMAIL_ATTEMPTS);\n}\n\nexport async function enforceAuthRateLimits(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<RateLimitResult> {\n if (ctx.email) {\n const emailLimit = await checkScoped(\n kind,\n \"email\",\n ctx.email,\n MAX_EMAIL_ATTEMPTS\n );\n if (!emailLimit.ok) return emailLimit;\n }\n if (ctx.ip) {\n const ipLimit = await checkScoped(kind, \"ip\", ctx.ip, MAX_IP_ATTEMPTS);\n if (!ipLimit.ok) return ipLimit;\n }\n return { ok: true };\n}\n\nasync function recordScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): Promise<void> {\n const scope = scopeKey(kind, bucket, identifier);\n const now = Date.now();\n const row = await readScope(scope);\n\n if (!row || now - 
row.window_start >= WINDOW_MS) {\n await getDatabase().prepare(\n `INSERT INTO auth_rate_limits (scope, attempts, window_start)\n VALUES (?, 1, ?)\n ON CONFLICT(scope) DO UPDATE SET attempts = 1, window_start = excluded.window_start`\n )\n .bind(scope, now)\n .run();\n return;\n }\n\n await getDatabase().prepare(\n `UPDATE auth_rate_limits SET attempts = attempts + 1 WHERE scope = ?`\n )\n .bind(scope)\n .run();\n}\n\nexport async function recordAuthFailures(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<void> {\n if (ctx.email) await recordScoped(kind, \"email\", ctx.email);\n if (ctx.ip) await recordScoped(kind, \"ip\", ctx.ip);\n}\n\n/** @deprecated 请改用 recordAuthFailures */\nexport async function recordAuthFailure(\n kind: AuthRateLimitKind,\n email: string\n): Promise<void> {\n await recordScoped(kind, \"email\", email);\n}\n\nasync function clearScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): Promise<void> {\n await getDatabase().prepare(`DELETE FROM auth_rate_limits WHERE scope = ?`)\n .bind(scopeKey(kind, bucket, identifier))\n .run();\n}\n\nexport async function clearAuthRateLimits(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<void> {\n if (ctx.email) await clearScoped(kind, \"email\", ctx.email);\n if (ctx.ip) await clearScoped(kind, \"ip\", ctx.ip);\n}\n\n/** @deprecated 请改用 clearAuthRateLimits */\nexport async function clearAuthRateLimit(\n kind: AuthRateLimitKind,\n email: string\n): Promise<void> {\n await clearScoped(kind, \"email\", email);\n}\n","// auth/turnstile.ts - Cloudflare Turnstile server-side token verification.\n// Widget: https://dash.cloudflare.com/?to=/:account/turnstile\n// Same Cloudflare account as Workers, but created as a separate Turnstile product.\n\nimport { workerEnv } from \"../util/env\";\nimport { getTurnstilePublicConfig } from \"../internal/admin/settings\";\n\nconst SITEVERIFY_URL =\n 
\"https://challenges.cloudflare.com/turnstile/v0/siteverify\";\n\nexport type TurnstileRuntimeConfig = {\n enabled: boolean;\n siteKey: string;\n secretKey: string;\n};\n\n/** 是否应对当前请求执行 Turnstile 校验(开关 + site key + secret 齐全)。 */\nexport async function getTurnstileRuntimeConfig(): Promise<TurnstileRuntimeConfig | null> {\n const pub = await getTurnstilePublicConfig();\n const secretKey = workerEnv.TURNSTILE_SECRET_KEY?.trim();\n if (!pub.enabled || !pub.siteKey || !secretKey) return null;\n return { enabled: true, siteKey: pub.siteKey, secretKey };\n}\n\ntype SiteverifyResponse = {\n success: boolean;\n \"error-codes\"?: string[];\n};\n\nexport async function verifyTurnstileToken(\n token: string,\n remoteIp: string | null\n): Promise<{ ok: true } | { ok: false; codes: string[] }> {\n const config = await getTurnstileRuntimeConfig();\n if (!config) {\n // #region debug-point C:runtime-config-missing\n console.error(\"[DEBUG-TURNSTILE] runtime config missing\", {\n tokenLength: token.length,\n remoteIpPresent: Boolean(remoteIp),\n });\n // #endregion\n return { ok: true };\n }\n\n if (!token) {\n // #region debug-point B:missing-token\n console.error(\"[DEBUG-TURNSTILE] missing token\", {\n siteKeySuffix: config.siteKey.slice(-6),\n remoteIpPresent: Boolean(remoteIp),\n });\n // #endregion\n return { ok: false, codes: [\"missing-input-response\"] };\n }\n\n const body = new URLSearchParams();\n body.set(\"secret\", config.secretKey);\n body.set(\"response\", token);\n if (remoteIp) body.set(\"remoteip\", remoteIp);\n\n const res = await fetch(SITEVERIFY_URL, {\n method: \"POST\",\n headers: { \"content-type\": \"application/x-www-form-urlencoded\" },\n body,\n });\n\n if (!res.ok) {\n // #region debug-point C:siteverify-http-error\n console.error(\"[DEBUG-TURNSTILE] siteverify http error\", {\n siteKeySuffix: config.siteKey.slice(-6),\n tokenLength: token.length,\n status: res.status,\n });\n // #endregion\n return { ok: false, codes: [`http-${res.status}`] };\n 
}\n\n const data = (await res.json()) as SiteverifyResponse;\n if (data.success) return { ok: true };\n // #region debug-point C:siteverify-failed\n console.error(\"[DEBUG-TURNSTILE] siteverify failed\", {\n siteKeySuffix: config.siteKey.slice(-6),\n tokenLength: token.length,\n codes: data[\"error-codes\"] ?? [\"verification-failed\"],\n });\n // #endregion\n return { ok: false, codes: data[\"error-codes\"] ?? [\"verification-failed\"] };\n}\n\nexport async function verifyTurnstileFromForm(\n formData: FormData,\n remoteIp: string | null\n): Promise<{ ok: true } | { ok: false }> {\n const token = String(formData.get(\"cf-turnstile-response\") ?? \"\").trim();\n // #region debug-point B:form-token-read\n console.error(\"[DEBUG-TURNSTILE] form token read\", {\n tokenLength: token.length,\n remoteIpPresent: Boolean(remoteIp),\n });\n // #endregion\n const result = await verifyTurnstileToken(token, remoteIp);\n return result.ok ? { ok: true } : { ok: false };\n}\n"],"mappings":";;;;;;;;AAIA,SAAS,WAAW;AAuCb,IAAM,YAAY;;;ACsGzB,SAAS,mBAAmB,KAAa;AACvC,SAAO,IAAI,QAAQ,KAAK,EAAE,QAAQ,MAAM,CAAC;AAC3C;AAEO,SAAS,mCACdA,QACoB;AACpB,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,MAAM,KAAK;AACf,aAAQ,MAAMA,OAAM,MAAM,mBAAmB,GAAG,CAAC,KAAM;AAAA,IACzD;AAAA,IACA,IAAI,KAAK,UAAU;AACjB,aAAOA,OAAM,IAAI,mBAAmB,GAAG,GAAG,QAAQ;AAAA,IACpD;AAAA,IACA,OAAO,KAAK;AACV,aAAOA,OAAM,OAAO,mBAAmB,GAAG,CAAC;AAAA,IAC7C;AAAA,EACF;AACF;AAeO,SAAS,qCACd,WACsB;AACtB,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,IACJ,KACA,SACmB;AACnB,aAAQ,MAAM,UAAU,IAAI,KAAK;AAAA,QAC/B,MAAM;AAAA,QACN,UAAU,SAAS;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,MAAM,IAAI,KAAK,OAAO,SAAS;AAC7B,YAAM,UAAU,IAAI,KAAK,KAAK,UAAU,KAAK,GAAG;AAAA,QAC9C,eAAe,SAAS;AAAA,QACxB,UAAU,SAAS;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,OAAO,KAAK;AACV,aAAO,UAAU,OAAO,GAAG;AAAA,IAC7B;AAAA,IACA,MAAM,KAAK,SAAS;AAClB,YAAM,SAAS,MAAM,UAAU,KAAK;AAAA,QAClC,QAAQ,SAAS;AAAA,QACjB,OAAO,SAAS;AAAA,QAChB,QAAQ,SAAS;AAAA,MACnB,CAAC;AACD,aAAO;AAAA,QACL,MAAM,OAAO,KAAK,IAAI,CAAC,SAAS,EAAE,MAAM,IAAI,KAAK,EAAE;AAAA,QACn
D,QAAQ,OAAO,gBAAgB,SAAY,OAAO;AAAA,QAClD,cAAc,OAAO;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AACF;AAkBA,SAAS,uBAAuB,QAAoC;AAClE,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,MAAM,OAAO;AAAA,IACb,MAAM,OAAO;AAAA,IACb,aAAa,OAAO,cAAc;AAAA,EACpC;AACF;AAEO,SAAS,gCACdC,MACA,SACiB;AACjB,QAAM,WAAsCA,KAAI,KAC3C;AAAA,IACC,MAAM;AAAA,IACN,QAAQ,OAAe;AACrB,aAAOA,KAAI,GAAG,QAAQ,KAAK;AAAA,IAC7B;AAAA,IACA,MAAM,MAAM,YAAoC;AAC9C,aAAQ,MAAMA,KAAI,GAAG;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAAA,EACF,IACA;AAEJ,QAAM,gBAA6CA,KAAI,gBACnD;AAAA,IACE,MAAM;AAAA,IACN,MAAM,IAAI,KAAK;AACb,YAAM,SAAS,MAAMA,KAAI,eAAe,IAAI,GAAG;AAC/C,aAAO,SAAS,uBAAuB,MAAM,IAAI;AAAA,IACnD;AAAA,IACA,MAAM,IAAI,KAAK,OAAOC,UAAS;AAC7B,YAAMD,KAAI,eAAe,IAAI,KAAK,OAAO;AAAA,QACvC,cAAc;AAAA,UACZ,aAAaC,UAAS;AAAA,UACtB,cAAcA,UAAS;AAAA,QACzB;AAAA,QACA,gBAAgBA,UAAS;AAAA,MAC3B,CAAC;AAAA,IACH;AAAA,IACA,MAAM,OAAO,KAAK;AAChB,YAAMD,KAAI,eAAe,OAAO,GAAG;AAAA,IACrC;AAAA,IACA,MAAM,KAAKC,UAAS;AAClB,YAAM,SAAS,MAAMD,KAAI,eAAe,KAAK;AAAA,QAC3C,QAAQC,UAAS;AAAA,QACjB,OAAOA,UAAS;AAAA,MAClB,CAAC;AACD,aACE,QAAQ,QAAQ,IAAI,CAAC,YAAY;AAAA,QAC/B,KAAK,OAAO;AAAA,QACZ,MAAM,OAAO;AAAA,QACb,UAAU,OAAO;AAAA,MACnB,EAAE,KAAK,CAAC;AAAA,IAEZ;AAAA,EACF,IACA;AAEJ,QAAM,mBAAmDD,KAAI,SACzD;AAAA,IACE,MAAM;AAAA,IACN,MAAM,UAAU,MAAMC,UAAS;AAC7B,YAAM,SAAS,MAAMD,KAAI,OAAO,MAAM,IAAI,EACvC,UAAUC,SAAQ,QAAQ,EAAE,OAAOA,SAAQ,MAAM,IAAI,CAAC,CAAC,EACvD,OAAO;AAAA,QACN,QAAQA,SAAQ;AAAA,QAChB,SAASA,SAAQ;AAAA,MACnB,CAAC;AACH,aAAO;AAAA,QACL,MAAM,OAAO,MAAM;AAAA,QACnB,aAAa,OAAO,YAAY;AAAA,QAChC,UAAU,MAAM,OAAO,SAAS;AAAA,MAClC;AAAA,IACF;AAAA,EACF,IACA;AAEJ,QAAM,gBAA6CD,KAAI,gBACnD,qCAAqCA,KAAI,aAAa,IACtD;AAEJ,SAAO;AAAA,IACL,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa,SAAS,cAClB,mCAAmC,QAAQ,WAAW,IACtD;AAAA,EACN;AACF;;;AClUA,SAAS,4BAA4B;AACnC,QAAM,mBAAmB;AAGzB,SAAO,iBAAiB,QAAQ,WAAW;AAC7C;AAEO,SAAS,qBAAqB;AACnC,SAAO,gCAAgC,WAAW;AAAA,IAChD,aAAa,0BAA0B;AAAA,EACzC,CAAC;AACH;;;ACXO,SAASE,sBAAqB;AACnC,SAAO,mBAA6B;AACtC;AAEO,SAAS,cAAc;AAC5B,QAAM,WAAWA,oBAAmB;AACpC,QAAM,WAAW,SAAS;AAC1B,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,2C
AA2C,SAAS,EAAE,EAAE;AAAA,EAC1E;AACA,SAAO;AACT;;;AC8CA,SAAS,eAAe,QAAuB;AAC7C,QAAM,IAAI;AAAA,IACR,eAAe,MAAM;AAAA,EAEvB;AACF;AAWO,SAAS,WAAW,QAA0B;AAKnD,QAAM,aAAa,MAAuBC,oBAAmB;AAI7D,OAAK;AAEL,SAAO;AAAA,IACL,MAAM,cAAc,UAAU;AAC5B,WAAK,WAAW;AAChB,qBAAe,eAAe;AAAA,IAChC;AAAA,IACA,MAAM,YAAY,UAAU,OAAO;AACjC,WAAK,WAAW;AAChB,qBAAe,aAAa;AAAA,IAC9B;AAAA,IACA,MAAM,YAAY;AAChB,WAAK,WAAW;AAChB,qBAAe,WAAW;AAAA,IAC5B;AAAA,IACA,MAAM,YAAY,SAAS,OAAO;AAChC,WAAK,WAAW;AAChB,qBAAe,aAAa;AAAA,IAC9B;AAAA,IACA,MAAM,eAAe,MAAM,QAAQ,WAAW;AAC5C,WAAK,WAAW;AAChB,qBAAe,gBAAgB;AAAA,IACjC;AAAA,IACA,MAAM,gBAAgB,QAAQ,KAAK;AACjC,WAAK,WAAW;AAChB,qBAAe,iBAAiB;AAAA,IAClC;AAAA,EACF;AACF;;;AC3GA,SAAS,eAAe;;;ACNxB,IAAM,cAAc;AAEpB,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AAEnB,SAAS,cAAc,OAA2B;AAChD,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,OAAO,aAAa,CAAC;AACnD,SAAO,KAAK,GAAG;AACjB;AAEA,SAAS,cAAc,OAA2B;AAChD,QAAM,MAAM,KAAK,KAAK;AACtB,QAAM,QAAQ,IAAI,WAAW,IAAI,MAAM;AACvC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,OAAM,CAAC,IAAI,IAAI,WAAW,CAAC;AAChE,SAAO;AACT;AAEA,eAAe,UACb,UACA,MACA,YACqB;AACrB,QAAM,iBAAiB,WAAW,KAAK,IAAI;AAC3C,QAAM,UAAU,MAAM,OAAO,OAAO;AAAA,IAClC;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AACA,QAAM,UAAU,MAAM,OAAO,OAAO;AAAA,IAClC;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,IAAI,WAAW,OAAO;AAC/B;AAEA,eAAe,kBACb,MACA,OACkB;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,YAAQ,KAAK,CAAC,IAAK,MAAM,CAAC;AAAA,EAC5B;AACA,SAAO,SAAS;AAClB;AAEA,eAAsB,aAAa,UAAmC;AACpE,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,UAAU,MAAM,UAAU,UAAU,MAAM,iBAAiB;AACjE,SAAO;AAAA,IACL;AAAA,IACA,OAAO,iBAAiB;AAAA,IACxB,cAAc,IAAI;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,EAAE,KAAK,GAAG;AACZ;AAGO,SAAS,yBAAyB,UAAiC;AACxE,MAAI,SAAS,SAAS,EAAG,QAAO;AAChC,MAAI,CAAC,WAAW,KAAK,QAAQ,KAAK,CAAC,KAAK,KAAK,QAAQ,GAAG;AACtD,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,eAAsB,eACpB,UACA,YACkB;AAClB,QAAM,CAAC,QAAQ,eAAe,SAAS,OAAO,IAAI,WAAW,MAAM,G
AAG;AACtE,MACE,WAAW,eACX,CAAC,iBACD,CAAC,WACD,CAAC,SACD;AACA,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,OAAO,aAAa;AACvC,MAAI,CAAC,OAAO,SAAS,UAAU,KAAK,cAAc,EAAG,QAAO;AAE5D,QAAM,OAAO,cAAc,OAAO;AAClC,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,UAAU,MAAM,UAAU,UAAU,MAAM,UAAU;AAC1D,SAAO,kBAAkB,SAAS,QAAQ;AAC5C;;;AC5FA,SAAS,aAAa;;;ACOf,IAAM,kCAAkC;AAAA,EAC7C,SAAS;AAAA,EACT,SAAS;AAAA,EACT,kBAAkB;AACpB;AAEO,SAAS,mBAAmB,OAAyB;AAC1D,QAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO,SAAS,EAAE;AAC3E,SACE,QAAQ,SAAS,gBAAgB,KAAK,QAAQ,SAAS,eAAe;AAE1E;AAEO,SAAS,2BACd,UACA,SACyE;AACzE,QAAM,aAAa,QAAQ,oBAAoB,KAAK,KAAK;AACzD,QAAM,UAAU,SAAS,oBAAoB,KAAK,KAAK,cAAc;AACrE,QAAM,mBAAmB,QAAQ,QAAQ,sBAAsB,KAAK,CAAC;AACrE,QAAM,WACH,SAAS,sBAAsB,KAAK,QAAQ,UAAU,MACvD,QAAQ,OAAO,KACf;AAEF,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ADFA,IAAM,sBAAsB;AAE5B,SAAS,cAAc,GAAqB;AAC1C,SAAO;AAAA,IACL,YAAY,EAAE;AAAA,IACd,gBAAgB,EAAE,mBAAmB,IAAI,IAAI;AAAA,IAC7C,kBAAkB,EAAE;AAAA,IACpB,sBAAsB,EAAE;AAAA,IACxB,mBAAmB,EAAE;AAAA,IACrB,mBAAmB,EAAE,sBAAsB,IAAI,IAAI;AAAA,IACnD,oBAAoB,EAAE;AAAA,IACtB,sBAAsB,EAAE;AAAA,IACxB,aAAa,EAAE;AAAA,IACf,YAAY,EAAE;AAAA,EAChB;AACF;AAEA,IAAM,uBAAuB,MAAM,YAAkC;AACnE,QAAM,MAAM,MAAM,YAAY,EAAE;AAAA,IAC9B;AAAA;AAAA;AAAA;AAAA,EAIF,EAAE,MAAW;AACb,MAAI,CAAC,KAAK;AAER,WAAO;AAAA,MACL,YAAY;AAAA,MACZ,gBAAgB;AAAA,MAChB,kBAAkB;AAAA,MAClB,sBAAsB;AAAA,MACtB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,oBAAoB;AAAA,MACpB,sBAAsB;AAAA,MACtB,aAAa;AAAA,MACb,YAAY;AAAA,IACd;AAAA,EACF;AACA,SAAO,cAAc,GAAG;AAC1B,CAAC;AAED,eAAsB,iBAAuC;AAC3D,SAAO,qBAAqB;AAC9B;AAGA,eAAsB,2BAInB;AACD,MAAI;AACF,UAAM,IAAI,MAAM,eAAe;AAC/B,WAAO,2BAA2B,GAAG,SAAS;AAAA,EAChD,SAAS,OAAO;AACd,QAAI,mBAAmB,KAAK,GAAG;AAC7B,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,aAAO,EAAE,GAAG,gCAAgC;AAAA,IAC9C;AACA,UAAM;AAAA,EACR;AACF;;;AE7FO,SAAS,eAAe,OAAuB;AACpD,SAAO,MAAM,KAAK,EAAE,YAAY;AAClC;AAEA,eAAsB,aAAa,OAAiC;AAClE,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,WAAW,MAAM,eAAe;AACtC,SAAO,eAAe,KAAK,MAAM,eAAe,SAAS,WAAW;AACtE;;;ACYA,SAASC,gBAAe,OAAuB;AAC7C,SAAO,MAAM,KAAK,EAAE,YAAY;AAClC;AAEA,eAAe,eAAe,OAA0C;AACtE,SA
AQ,MAAM,aAAa,KAAK,IAAK,UAAU;AACjD;AAEO,SAAS,kBAAkB,MAA2C;AAC3E,MAAI,SAAS,WAAW,SAAS,MAAO,QAAO;AAC/C,SAAO;AACT;AAEA,SAAS,oBAA4B;AACnC,SAAO,CAAC,GAAG,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC,EAClD,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAEO,SAAS,cAAc,MAAyB;AACrD,SAAO;AAAA,IACL,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,IACZ,MAAM,KAAK;AAAA,IACX,SAAS,KAAK;AAAA,IACd,KAAK,KAAK,eAAe;AAAA,EAC3B;AACF;AAEA,eAAsB,iBAAiB,OAKrB;AAChB,QAAM,KAAK,YAAY;AACvB,QAAM,QAAQA,gBAAe,MAAM,KAAK;AAExC,QAAM,WAAW,MAAM,GAAG;AAAA,IACxB;AAAA,EACF,EACG,KAAK,MAAM,WAAW,KAAK,EAC3B,MAAY;AAEf,MAAI,UAAU;AACZ,UAAM,GAAG;AAAA,MACP;AAAA;AAAA;AAAA;AAAA;AAAA,IAKF,EACG,KAAK,OAAO,MAAM,MAAM,MAAM,SAAS,MAAM,WAAW,SAAS,EAAE,EACnE,IAAI;AAAA,EACT,OAAO;AACL,UAAM,OAAO,MAAM,eAAe,KAAK;AACvC,UAAM,GAAG;AAAA,MACP;AAAA;AAAA;AAAA,IAGF,EACG,KAAK,OAAO,MAAM,MAAM,MAAM,SAAS,MAAM,WAAW,IAAI,EAC5D,IAAI;AAAA,EACT;AAEA,MAAI,MAAM,aAAa,KAAK,GAAG;AAC7B,UAAM,GAAG;AAAA,MACP;AAAA,IACF,EAAE,KAAK,KAAK,EAAE,IAAI;AAAA,EACpB;AAEA,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,oBAAoB;AAC/C,SAAO;AACT;AAEA,eAAsB,gBAAgB,OAMpC;AACA,QAAM,QAAQA,gBAAe,MAAM,KAAK;AACxC,QAAM,WAAW,MAAM,eAAe,KAAK;AAC3C,MAAI,UAAU;AACZ,WAAO,EAAE,IAAI,OAAO,QAAQ,SAAS;AAAA,EACvC;AAEA,QAAM,eAAe,MAAM,aAAa,MAAM,QAAQ;AACtD,QAAM,cAAc,kBAAkB;AACtC,QAAM,kBAAkB,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,EAAE,EAAE,YAAY;AAE/E,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,QAAM,KAAK,YAAY;AACvB,QAAM,GAAG;AAAA,IACP;AAAA;AAAA;AAAA;AAAA,EAIF,EACG,KAAK,OAAO,cAAc,aAAa,iBAAiB,IAAI,EAC5D,IAAI;AAEP,MAAI,SAAS,SAAS;AACpB,UAAM,GAAG;AAAA,MACP;AAAA,IACF,EAAE,KAAK,KAAK,EAAE,IAAI;AAAA,EACpB;AAEA,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,sBAAsB;AACjD,SAAO,EAAE,IAAI,MAAM,MAAM,YAAY;AACvC;AAEA,eAAsB,gBAAgB,OAAqC;AACzE,QAAM,OAAO,MAAM,YAAY,EAAE;AAAA,IAC/B;AAAA,EACF,EACG,KAAK,KAAK,EACV,MAAY;AAEf,MAAI,CAAC,QAAQ,CAAC,KAAK,wBAAyB,QAAO;AACnD,MAAI,IAAI,KAAK,KAAK,uBAAuB,EAAE,QAAQ,IAAI,KAAK,IAAI,GAAG;AACjE,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMF,
EACG,KAAK,KAAK,EAAE,EACZ,IAAI;AAEP,SAAO,eAAe,KAAK,KAAK;AAClC;AAEA,eAAsB,uBACpB,OAIA;AACA,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,MAAI,CAAC,KAAM,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACnD,MAAI,CAAC,KAAK,cAAe,QAAO,EAAE,IAAI,OAAO,QAAQ,cAAc;AACnE,MAAI,KAAK,eAAgB,QAAO,EAAE,IAAI,OAAO,QAAQ,mBAAmB;AAExE,QAAM,cAAc,kBAAkB;AACtC,QAAM,kBAAkB,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,EAAE,EAAE,YAAY;AAE/E,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA,EAGF,EACG,KAAK,aAAa,iBAAiB,KAAK,EAAE,EAC1C,IAAI;AAEP,QAAM,UAAU,MAAM,eAAe,KAAK;AAC1C,MAAI,CAAC,QAAS,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACtD,SAAO,EAAE,IAAI,MAAM,OAAO,aAAa,MAAM,QAAQ;AACvD;AAEA,eAAsB,wBACpB,OAIA;AACA,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,MAAI,CAAC,QAAQ,CAAC,KAAK,eAAe;AAChC,WAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AAAA,EAC1C;AACA,MAAI,CAAC,KAAK,gBAAgB;AACxB,WAAO,EAAE,IAAI,OAAO,QAAQ,aAAa;AAAA,EAC3C;AAEA,QAAM,aAAa,kBAAkB;AACrC,QAAM,iBAAiB,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,EAAE,EAAE,YAAY;AAEzE,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA,EAGF,EACG,KAAK,YAAY,gBAAgB,KAAK,EAAE,EACxC,IAAI;AAEP,QAAM,UAAU,MAAM,eAAe,KAAK;AAC1C,MAAI,CAAC,QAAS,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACtD,SAAO,EAAE,IAAI,MAAM,OAAO,YAAY,MAAM,QAAQ;AACtD;AAEA,eAAsB,uBAAuB,OAM3C;AACA,QAAM,OAAO,MAAM,YAAY,EAAE;AAAA,IAC/B;AAAA,EACF,EACG,KAAK,MAAM,KAAK,EAChB,MAAY;AAEf,MAAI,CAAC,QAAQ,CAAC,KAAK,2BAA2B;AAC5C,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AACA,MAAI,IAAI,KAAK,KAAK,yBAAyB,EAAE,QAAQ,IAAI,KAAK,IAAI,GAAG;AACnE,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AAEA,QAAM,eAAe,MAAM,aAAa,MAAM,QAAQ;AACtD,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOF,EACG,KAAK,cAAc,KAAK,EAAE,EAC1B,IAAI;AAEP,QAAM,UAAU,MAAM,YAAY,KAAK,EAAE;AACzC,MAAI,CAAC,QAAS,QAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AACpD,SAAO,EAAE,IAAI,MAAM,MAAM,QAAQ;AACnC;AAEA,eAAsB,mBAAmB,OAOvC;AACA,QAAM,OAAO,MAAM,YAAY,MAAM,MAAM;AAC3C,MAAI,CAAC,QAAQ,CAAC,KAAK,eAAe;AAChC,WAAO,EAAE,IAAI,OAAO,QAAQ,cAAc;AAAA,EAC5C;AAEA,QAAM,UAAU,MAAM;AAAA,IACpB,MAAM;AAAA,IACN,KAAK;AAAA,EACP;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AAEA,QAAM,eAAe,MAAM,aAAa,MAAM,WAAW
;AACzD,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA;AAAA;AAAA,EAKF,EACG,KAAK,cAAc,KAAK,EAAE,EAC1B,IAAI;AAEP,QAAM,UAAU,MAAM,YAAY,KAAK,EAAE;AACzC,MAAI,CAAC,QAAS,QAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AACpD,SAAO,EAAE,IAAI,MAAM,MAAM,QAAQ;AACnC;AAEA,eAAsB,sBAAsB,OAM1C;AACA,QAAM,QAAQA,gBAAe,MAAM,KAAK;AACxC,QAAM,OAAO,MAAM,eAAe,KAAK;AACvC,MAAI,CAAC,QAAQ,CAAC,KAAK,eAAe;AAChC,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AAEA,QAAM,UAAU,MAAM,eAAe,MAAM,UAAU,KAAK,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,EACxC;AACA,MAAI,CAAC,KAAK,gBAAgB;AACxB,WAAO,EAAE,IAAI,OAAO,QAAQ,aAAa;AAAA,EAC3C;AAEA,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA,EACF,EACG,KAAK,KAAK,EAAE,EACZ,IAAI;AAEP,SAAO,EAAE,IAAI,MAAM,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE;AAC9C;AAEA,eAAsB,eAAe,OAAqC;AACxE,SAAO,MAAM,YAAY,EAAE,QAAQ,qCAAqC,EACrE,KAAKA,gBAAe,KAAK,CAAC,EAC1B,MAAY;AACjB;AAEA,eAAsB,YAAY,IAAkC;AAClE,SAAO,MAAM,YAAY,EAAE,QAAQ,kCAAkC,EAClE,KAAK,EAAE,EACP,MAAY;AACjB;AAEA,eAAsB,UAAU,QAAQ,KAAsB;AAC5D,QAAM,EAAE,QAAQ,IAAI,MAAM,YAAY,EAAE;AAAA,IACtC;AAAA,EACF,EACG,KAAK,KAAK,EACV,IAAU;AACb,SAAO,WAAW,CAAC;AACrB;AAEA,eAAsB,wBACpB,QAAQ,KACiB;AACzB,QAAM,EAAE,QAAQ,IAAI,MAAM,YAAY,EAAE;AAAA,IACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAKF,EACG,KAAK,KAAK,EACV,IAAkB;AACrB,SAAO,WAAW,CAAC;AACrB;AAGA,eAAsB,mBAAmB,QAAkC;AACzE,QAAM,OAAO,MAAM,YAAY,MAAM;AACrC,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA,EACF,EACG,KAAK,MAAM,EACX,IAAI;AACP,SAAO;AACT;AAEA,eAAsB,YACpB,QACA,MAIA;AACA,QAAM,OAAO,MAAM,YAAY,MAAM;AACrC,MAAI,CAAC,KAAM,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACnD,MAAI,MAAM,aAAa,KAAK,KAAK,GAAG;AAClC,WAAO,EAAE,IAAI,OAAO,QAAQ,WAAW;AAAA,EACzC;AAEA,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA;AAAA;AAAA;AAAA,EAIF,EACG,KAAK,MAAM,MAAM,EACjB,IAAI;AAEP,QAAM,UAAU,MAAM,YAAY,MAAM;AACxC,MAAI,CAAC,QAAS,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACtD,SAAO,EAAE,IAAI,MAAM,MAAM,QAAQ;AACnC;AAEA,eAAsB,kBAAkB,QAGtC;AACA,QAAM,OAAO,MAAM,YAAY,MAAM;AACrC,MAAI,CAAC,KAAM,QAAO,EAAE,IAAI,OAAO,QAAQ,YAAY;AACnD,MAAI,MAAM,aAAa,KAAK,KAAK,GAAG;AAClC,WAAO,EAAE,IAAI,OAAO,QAAQ,WAAW;AAAA,EACzC;AAEA,QAAM,WAAW,MAAM,eAAe;AACtC,Q
AAM,aAAa,SAAS;AAE5B,QAAM,KAAK,YAAY;AACvB,QAAM,GAAG,MAAM;AAAA,IACb,GAAG;AAAA,MACD;AAAA,IACF,EAAE,KAAK,YAAY,KAAK,KAAK;AAAA,IAC7B,GAAG,QAAQ,gCAAgC,EAAE,KAAK,MAAM;AAAA,EAC1D,CAAC;AAED,SAAO,EAAE,IAAI,MAAM,OAAO,KAAK,MAAM;AACvC;;;ALraA,IAAM,sBAAsB,KAAK,KAAK,KAAK;AAC3C,IAAM,mBAAmB;AACzB,IAAM,oBAAoB;AAGnB,IAAM,cAAc;AAGpB,IAAM,eAAe;AAM5B,SAAS,mBAA2B;AAKlC,MAAI;AACJ,MAAI;AAIF,UAAM,MAAM,UAAQ,oBAAoB;AACxC,iBAAa,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,iBAAa;AAAA,EACf;AACA,MAAI,WAAY,QAAO;AACvB,SAAO,QAAQ,IAAI,kBAAkB;AACvC;AAEA,eAAe,KAAK,QAAgB,SAAkC;AACpE,QAAM,MAAM,IAAI,YAAY;AAC5B,QAAM,MAAM,MAAM,OAAO,OAAO;AAAA,IAC9B;AAAA,IACA,IAAI,OAAO,MAAM;AAAA,IACjB,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,IAAI,OAAO,OAAO,CAAC;AACrE,SAAO,CAAC,GAAG,IAAI,WAAW,GAAG,CAAC,EAC3B,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAEA,eAAeC,mBAAkB,GAAW,GAA6B;AACvE,QAAM,SAAS,IAAI,YAAY,EAAE,OAAO,CAAC;AACzC,QAAM,SAAS,IAAI,YAAY,EAAE,OAAO,CAAC;AACzC,MAAI,OAAO,WAAW,OAAO,OAAQ,QAAO;AAC5C,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,YAAQ,OAAO,CAAC,IAAK,OAAO,CAAC;AAAA,EAC/B;AACA,SAAO,SAAS;AAClB;AAEA,eAAe,YAAY,SAAkC;AAC3D,SAAO,KAAK,iBAAiB,GAAG,OAAO;AACzC;AAEA,SAAS,aAAa,GAAmB;AACvC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,CAAC;AACxC,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,OAAO,aAAa,CAAC;AACnD,SAAO,KAAK,GAAG;AACjB;AAEA,SAAS,aAAa,KAAqB;AACzC,QAAM,MAAM,KAAK,GAAG;AACpB,QAAM,QAAQ,IAAI,WAAW,IAAI,MAAM;AACvC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,OAAM,CAAC,IAAI,IAAI,WAAW,CAAC;AAChE,SAAO,IAAI,YAAY,EAAE,OAAO,KAAK;AACvC;AAGA,eAAsB,cAAc,MAAoC;AACtE,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI;AAC5C,QAAM,UAAU,EAAE,GAAG,MAAM,IAAI;AAC/B,QAAM,OAAO,KAAK,UAAU,OAAO;AACnC,QAAM,MAAM,aAAa,IAAI;AAC7B,QAAM,MAAM,MAAM,YAAY,GAAG;AACjC,SAAO,GAAG,GAAG,IAAI,GAAG;AACtB;AAEA,eAAsB,qBAAqB,MAAmB;AAC5D,QAAM,QAAQ,MAAM,cAAc,IAAI;AACtC,QAAM,MAAM,MAAM,QAAQ;AAC1B,MAAI,IAAI,kBAAkB,OAAO;AAAA,IAC/B,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,
EACV,CAAC;AACH;AAGA,eAAsB,gBACpB,OAC6B;AAC7B,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,CAAC,KAAK,GAAG,IAAI;AACnB,QAAM,WAAW,MAAM,YAAY,GAAI;AACvC,MAAI,CAAE,MAAMA,mBAAkB,KAAM,QAAQ,EAAI,QAAO;AACvD,MAAI;AACF,UAAM,OAAO,aAAa,GAAI;AAC9B,UAAM,UAAU,KAAK,MAAM,IAAI;AAC/B,QAAI,QAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,EAAG,QAAO;AAExD,UAAM,SAAS,MAAM,YAAY,QAAQ,GAAG;AAC5C,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,UAAU,QAAQ,MAAO,QAAO;AAC3C,UAAM,WAAW,QAAQ,OAAO;AAChC,UAAM,QAAQ,OAAO,eAAe;AACpC,QAAI,aAAa,MAAO,QAAO;AAE/B,WAAO;AAAA,MACL,KAAK,QAAQ;AAAA,MACb,OAAO,QAAQ;AAAA,MACf,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,KAAK;AAAA,IACP;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,iBAA8C;AAClE,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,IAAI,IAAI,gBAAgB,GAAG;AACzC,SAAO,gBAAgB,KAAK;AAC9B;AAEA,eAAsB,yBAAyB;AAC7C,QAAM,MAAM,MAAM,QAAQ;AAC1B,MAAI,IAAI,kBAAkB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACxD;AAIA,eAAe,iBAAkC;AAC/C,QAAM,WAAW,iBAAiB;AAClC,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI;AAC5C,QAAM,UAAU,MAAM,GAAG;AACzB,QAAM,MAAM,MAAM,KAAK,UAAU,OAAO;AACxC,SAAO,GAAG,OAAO,IAAI,GAAG;AAC1B;AAEA,eAAe,iBAAiB,OAA6C;AAC3E,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,CAAC,MAAM,QAAQ,GAAG,IAAI;AAC5B,MAAI,SAAS,KAAM,QAAO;AAC1B,QAAM,MAAM,OAAO,MAAM;AACzB,MAAI,CAAC,OAAO,SAAS,GAAG,KAAK,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,EAAG,QAAO;AACzE,QAAM,WAAW,iBAAiB;AAClC,QAAM,WAAW,MAAM,KAAK,UAAU,GAAG,IAAI,IAAI,GAAG,EAAE;AACtD,SAAOA,mBAAkB,KAAM,QAAQ;AACzC;AAEA,eAAsB,cAAc,OAAiC;AACnE,QAAM,WAAW,iBAAiB;AAClC,SAAOA,mBAAkB,OAAO,QAAQ;AAC1C;AAEA,eAAsB,mBAAmB;AACvC,QAAM,QAAQ,MAAM,eAAe;AACnC,QAAM,MAAM,MAAM,QAAQ;AAC1B,MAAI,IAAI,mBAAmB,OAAO;AAAA,IAChC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC;AACH;AAEA,eAAsB,qBAAqB;AACzC,QAAM,MAAM,MAAM,QAAQ;AAC1B,MAAI,IAAI,mBAAmB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACzD;AAEA,SAAS,uBAA+B;AACtC,MAAI;AACJ,MAAI;AAEF,UAAM,MAAM,UAAQ,oBAAoB;AACxC,iBAAa,IAAI,KAAK;AAAA,EACxB,QA
AQ;AACN,iBAAa;AAAA,EACf;AACA,UAAQ,cAAc,uBAAuB,YAAY;AAC3D;AAgBA,eAAsB,gBAA4C;AAChE,QAAM,MAAM,MAAM,QAAQ;AAE1B,MAAI,MAAM,iBAAiB,IAAI,IAAI,iBAAiB,GAAG,KAAK,GAAG;AAC7D,WAAO;AAAA,MACL,OAAO,qBAAqB;AAAA,MAC5B,MAAM;AAAA,MACN,MAAM;AAAA,MACN,SAAS;AAAA,MACT,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,gBAAgB,IAAI,IAAI,gBAAgB,GAAG,KAAK;AACnE,MAAI,CAAC,KAAM,QAAO;AAElB,QAAM,SAAS,MAAM,YAAY,KAAK,GAAG;AACzC,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,OACJ,OAAO,SAAS,WAAW,OAAO,SAAS,QAAQ,OAAO,OAAO;AACnE,QAAM,UAAU,SAAS;AACzB,QAAM,QAAQ,SAAS,SAAS;AAEhC,SAAO;AAAA,IACL,OAAO,KAAK;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,EACrB;AACF;AAMA,eAAsB,kBAAoC;AACxD,QAAM,MAAM,MAAM,QAAQ;AAC1B,MAAI,MAAM,iBAAiB,IAAI,IAAI,iBAAiB,GAAG,KAAK,EAAG,QAAO;AACtE,MAAI,MAAM,gBAAgB,IAAI,IAAI,gBAAgB,GAAG,KAAK,EAAG,QAAO;AACpE,SAAO;AACT;;;AM7QA,IAAM,YAAY,KAAK,KAAK;AAC5B,IAAM,qBAAqB;AAC3B,IAAM,kBAAkB;AAUxB,SAAS,SACP,MACA,QACA,YACQ;AACR,QAAM,aACJ,WAAW,UACP,WAAW,KAAK,EAAE,YAAY,IAC9B,WAAW,KAAK;AACtB,SAAO,GAAG,IAAI,IAAI,MAAM,IAAI,UAAU;AACxC;AAEA,eAAe,UAAU,OAGf;AACR,SAAO,YAAY,EAAE;AAAA,IACnB;AAAA,EACF,EACG,KAAK,KAAK,EACV,MAAkD;AACvD;AAEA,eAAe,YACb,MACA,QACA,YACA,aAC0B;AAC1B,QAAM,QAAQ,SAAS,MAAM,QAAQ,UAAU;AAC/C,QAAM,MAAM,MAAM,UAAU,KAAK;AACjC,QAAM,MAAM,KAAK,IAAI;AAErB,MAAI,CAAC,IAAK,QAAO,EAAE,IAAI,KAAK;AAC5B,MAAI,MAAM,IAAI,gBAAgB,UAAW,QAAO,EAAE,IAAI,KAAK;AAE3D,MAAI,IAAI,YAAY,aAAa;AAC/B,UAAM,gBAAgB,KAAK;AAAA,OACxB,IAAI,eAAe,YAAY,OAAO;AAAA,IACzC;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,eAAe,KAAK,IAAI,eAAe,CAAC;AAAA,MACxC,OAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAGA,eAAsB,mBACpB,MACA,OAC0B;AAC1B,SAAO,YAAY,MAAM,SAAS,OAAO,kBAAkB;AAC7D;AAEA,eAAsB,sBACpB,MACA,KAC0B;AAC1B,MAAI,IAAI,OAAO;AACb,UAAM,aAAa,MAAM;AAAA,MACvB;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,IACF;AACA,QAAI,CAAC,WAAW,GAAI,QAAO;AAAA,EAC7B;AACA,MAAI,IAAI,IAAI;AACV,UAAM,UAAU,MAAM,YAAY,MAAM,MAAM,IAAI,IAAI,eAAe;AACrE,QAAI,CAAC,QAAQ,GAAI,QAAO;AAAA,EAC1B;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,eAAe,aACb,MACA,QACA,YACe;AACf,QAAM,QAAQ,SAAS,MAAM,QAAQ,UA
AU;AAC/C,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,MAAM,MAAM,UAAU,KAAK;AAEjC,MAAI,CAAC,OAAO,MAAM,IAAI,gBAAgB,WAAW;AAC/C,UAAM,YAAY,EAAE;AAAA,MAClB;AAAA;AAAA;AAAA,IAGF,EACG,KAAK,OAAO,GAAG,EACf,IAAI;AACP;AAAA,EACF;AAEA,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA,EACF,EACG,KAAK,KAAK,EACV,IAAI;AACT;AAEA,eAAsB,mBACpB,MACA,KACe;AACf,MAAI,IAAI,MAAO,OAAM,aAAa,MAAM,SAAS,IAAI,KAAK;AAC1D,MAAI,IAAI,GAAI,OAAM,aAAa,MAAM,MAAM,IAAI,EAAE;AACnD;AAGA,eAAsB,kBACpB,MACA,OACe;AACf,QAAM,aAAa,MAAM,SAAS,KAAK;AACzC;AAEA,eAAe,YACb,MACA,QACA,YACe;AACf,QAAM,YAAY,EAAE,QAAQ,8CAA8C,EACvE,KAAK,SAAS,MAAM,QAAQ,UAAU,CAAC,EACvC,IAAI;AACT;AAEA,eAAsB,oBACpB,MACA,KACe;AACf,MAAI,IAAI,MAAO,OAAM,YAAY,MAAM,SAAS,IAAI,KAAK;AACzD,MAAI,IAAI,GAAI,OAAM,YAAY,MAAM,MAAM,IAAI,EAAE;AAClD;AAGA,eAAsB,mBACpB,MACA,OACe;AACf,QAAM,YAAY,MAAM,SAAS,KAAK;AACxC;;;AC1JA,IAAM,iBACJ;AASF,eAAsB,4BAAoE;AACxF,QAAM,MAAM,MAAM,yBAAyB;AAC3C,QAAM,YAAY,UAAU,sBAAsB,KAAK;AACvD,MAAI,CAAC,IAAI,WAAW,CAAC,IAAI,WAAW,CAAC,UAAW,QAAO;AACvD,SAAO,EAAE,SAAS,MAAM,SAAS,IAAI,SAAS,UAAU;AAC1D;AAOA,eAAsB,qBACpB,OACA,UACwD;AACxD,QAAM,SAAS,MAAM,0BAA0B;AAC/C,MAAI,CAAC,QAAQ;AAEX,YAAQ,MAAM,4CAA4C;AAAA,MACxD,aAAa,MAAM;AAAA,MACnB,iBAAiB,QAAQ,QAAQ;AAAA,IACnC,CAAC;AAED,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB;AAEA,MAAI,CAAC,OAAO;AAEV,YAAQ,MAAM,mCAAmC;AAAA,MAC/C,eAAe,OAAO,QAAQ,MAAM,EAAE;AAAA,MACtC,iBAAiB,QAAQ,QAAQ;AAAA,IACnC,CAAC;AAED,WAAO,EAAE,IAAI,OAAO,OAAO,CAAC,wBAAwB,EAAE;AAAA,EACxD;AAEA,QAAM,OAAO,IAAI,gBAAgB;AACjC,OAAK,IAAI,UAAU,OAAO,SAAS;AACnC,OAAK,IAAI,YAAY,KAAK;AAC1B,MAAI,SAAU,MAAK,IAAI,YAAY,QAAQ;AAE3C,QAAM,MAAM,MAAM,MAAM,gBAAgB;AAAA,IACtC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D;AAAA,EACF,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AAEX,YAAQ,MAAM,2CAA2C;AAAA,MACvD,eAAe,OAAO,QAAQ,MAAM,EAAE;AAAA,MACtC,aAAa,MAAM;AAAA,MACnB,QAAQ,IAAI;AAAA,IACd,CAAC;AAED,WAAO,EAAE,IAAI,OAAO,OAAO,CAAC,QAAQ,IAAI,MAAM,EAAE,EAAE;AAAA,EACpD;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,MAAI,KAAK,QAAS,QAAO,EAAE,IAAI,KAAK;AAEpC,UAAQ,MAAM,uCAAuC;AAAA,IACnD,eAAe,OAAO,QAAQ,MAAM,EAAE;AAAA,IACtC,aAAa,MAAM;AAAA,IACnB,OAAO,KAAK,aAAa,KAAK,CAAC,qBA
AqB;AAAA,EACtD,CAAC;AAED,SAAO,EAAE,IAAI,OAAO,OAAO,KAAK,aAAa,KAAK,CAAC,qBAAqB,EAAE;AAC5E;AAEA,eAAsB,wBACpB,UACA,UACuC;AACvC,QAAM,QAAQ,OAAO,SAAS,IAAI,uBAAuB,KAAK,EAAE,EAAE,KAAK;AAEvE,UAAQ,MAAM,qCAAqC;AAAA,IACjD,aAAa,MAAM;AAAA,IACnB,iBAAiB,QAAQ,QAAQ;AAAA,EACnC,CAAC;AAED,QAAM,SAAS,MAAM,qBAAqB,OAAO,QAAQ;AACzD,SAAO,OAAO,KAAK,EAAE,IAAI,KAAK,IAAI,EAAE,IAAI,MAAM;AAChD;","names":["cache","env","options","getRuntimePlatform","getRuntimePlatform","normalizeEmail","constantTimeEqual"]}
|
|
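--- a/package/dist/auth/passwords.d.ts
+++ b/package/dist/auth/passwords.d.ts
@@ -0,0 +1,6 @@
+declare function hashPassword(password: string): Promise<string>;
+/** 注册/改密时的强度校验,失败返回中文错误信息。 */
+declare function validatePasswordStrength(password: string): string | null;
+declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+
+export { hashPassword, validatePasswordStrength, verifyPassword };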
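--- a/package/dist/auth/passwords.js
+++ b/package/dist/auth/passwords.js
@@ -0,0 +1,79 @@
+// src/auth/passwords.ts
+var HASH_PREFIX = "pbkdf2_sha256";
+var PBKDF2_ITERATIONS = 1e5;
+var SALT_BYTES = 16;
+function bytesToBase64(bytes) {
+let bin = "";
+for (const b of bytes) bin += String.fromCharCode(b);
+return btoa(bin);
+}
+function base64ToBytes(input) {
+const bin = atob(input);
+const bytes = new Uint8Array(bin.length);
+for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+return bytes;
+}
+async function deriveKey(password, salt, iterations) {
+const normalizedSalt = Uint8Array.from(salt);
+const baseKey = await crypto.subtle.importKey(
+"raw",
+new TextEncoder().encode(password),
+"PBKDF2",
+false,
+["deriveBits"]
+);
+const derived = await crypto.subtle.deriveBits(
+{
+name: "PBKDF2",
+hash: "SHA-256",
+salt: normalizedSalt,
+iterations
+},
+baseKey,
+256
+);
+return new Uint8Array(derived);
+}
+async function constantTimeEqual(left, right) {
+if (left.length !== right.length) return false;
+let diff = 0;
+for (let i = 0; i < left.length; i++) {
+diff |= left[i] ^ right[i];
+}
+return diff === 0;
+}
+async function hashPassword(password) {
+const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+const derived = await deriveKey(password, salt, PBKDF2_ITERATIONS);
+return [
+HASH_PREFIX,
+String(PBKDF2_ITERATIONS),
+bytesToBase64(salt),
+bytesToBase64(derived)
+].join("$");
+}
+function validatePasswordStrength(password) {
+if (password.length < 8) return "\u5BC6\u7801\u81F3\u5C11\u9700\u8981 8 \u4F4D";
+if (!/[a-zA-Z]/.test(password) || !/\d/.test(password)) {
+return "\u5BC6\u7801\u9700\u8981\u540C\u65F6\u5305\u542B\u5B57\u6BCD\u548C\u6570\u5B57";
+}
+return null;
+}
+async function verifyPassword(password, storedHash) {
+const [prefix, iterationsStr, saltB64, hashB64] = storedHash.split("$");
+if (prefix !== HASH_PREFIX || !iterationsStr || !saltB64 || !hashB64) {
+return false;
+}
+const iterations = Number(iterationsStr);
+if (!Number.isFinite(iterations) || iterations <= 0) return false;
+const salt = base64ToBytes(saltB64);
+const expected = base64ToBytes(hashB64);
+const derived = await deriveKey(password, salt, iterations);
+return constantTimeEqual(derived, expected);
+}
+export {
+hashPassword,
+validatePasswordStrength,
+verifyPassword
+};
+//# sourceMappingURL=passwords.js.map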
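Review bot: `verifyPassword` returns `false` when a field of `storedHash` is missing but lets a malformed field throw, because `atob` inside `base64ToBytes` raises on invalid base64 and the parsed `iterations` goes to `deriveBits` with no upper bound or integer check. The source comment carried in the accompanying map says Cloudflare Workers rejects PBKDF2 counts above 100000, so a corrupted or foreign-format record would presumably surface as a rejected promise in the login path rather than a failed verification. I would tighten the guard to `if (!Number.isInteger(iterations) || iterations <= 0 || iterations > PBKDF2_ITERATIONS) return false;` and wrap the two `base64ToBytes` calls in a `try`/`catch` that returns `false`. Because the stored format already records the iteration count, a rehash-on-successful-login step would let the work factor rise later without invalidating existing hashes; 100000 rounds of PBKDF2-HMAC-SHA256 is below current OWASP guidance, so that headroom is worth planning for.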
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/auth/passwords.ts"],"sourcesContent":["// PBKDF2-SHA256 password hashing for the email/password auth flow.\n// Cloudflare Workers WebCrypto rejects iteration counts above 100000.\n\nconst HASH_PREFIX = \"pbkdf2_sha256\";\n// Cloudflare Workers WebCrypto currently rejects PBKDF2 iteration counts above 100000.\nconst PBKDF2_ITERATIONS = 100000;\nconst SALT_BYTES = 16;\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let bin = \"\";\n for (const b of bytes) bin += String.fromCharCode(b);\n return btoa(bin);\n}\n\nfunction base64ToBytes(input: string): Uint8Array {\n const bin = atob(input);\n const bytes = new Uint8Array(bin.length);\n for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n return bytes;\n}\n\nasync function deriveKey(\n password: string,\n salt: Uint8Array,\n iterations: number\n): Promise<Uint8Array> {\n const normalizedSalt = Uint8Array.from(salt) as unknown as BufferSource;\n const baseKey = await crypto.subtle.importKey(\n \"raw\",\n new TextEncoder().encode(password),\n \"PBKDF2\",\n false,\n [\"deriveBits\"]\n );\n const derived = await crypto.subtle.deriveBits(\n {\n name: \"PBKDF2\",\n hash: \"SHA-256\",\n salt: normalizedSalt,\n iterations,\n },\n baseKey,\n 256\n );\n return new Uint8Array(derived);\n}\n\nasync function constantTimeEqual(\n left: Uint8Array,\n right: Uint8Array\n): Promise<boolean> {\n if (left.length !== right.length) return false;\n let diff = 0;\n for (let i = 0; i < left.length; i++) {\n diff |= left[i]! 
^ right[i]!;\n }\n return diff === 0;\n}\n\nexport async function hashPassword(password: string): Promise<string> {\n const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));\n const derived = await deriveKey(password, salt, PBKDF2_ITERATIONS);\n return [\n HASH_PREFIX,\n String(PBKDF2_ITERATIONS),\n bytesToBase64(salt),\n bytesToBase64(derived),\n ].join(\"$\");\n}\n\n/** 注册/改密时的强度校验,失败返回中文错误信息。 */\nexport function validatePasswordStrength(password: string): string | null {\n if (password.length < 8) return \"密码至少需要 8 位\";\n if (!/[a-zA-Z]/.test(password) || !/\\d/.test(password)) {\n return \"密码需要同时包含字母和数字\";\n }\n return null;\n}\n\nexport async function verifyPassword(\n password: string,\n storedHash: string\n): Promise<boolean> {\n const [prefix, iterationsStr, saltB64, hashB64] = storedHash.split(\"$\");\n if (\n prefix !== HASH_PREFIX ||\n !iterationsStr ||\n !saltB64 ||\n !hashB64\n ) {\n return false;\n }\n\n const iterations = Number(iterationsStr);\n if (!Number.isFinite(iterations) || iterations <= 0) return false;\n\n const salt = base64ToBytes(saltB64);\n const expected = base64ToBytes(hashB64);\n const derived = await deriveKey(password, salt, iterations);\n return constantTimeEqual(derived, 
expected);\n}\n"],"mappings":";AAGA,IAAM,cAAc;AAEpB,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AAEnB,SAAS,cAAc,OAA2B;AAChD,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,OAAO,aAAa,CAAC;AACnD,SAAO,KAAK,GAAG;AACjB;AAEA,SAAS,cAAc,OAA2B;AAChD,QAAM,MAAM,KAAK,KAAK;AACtB,QAAM,QAAQ,IAAI,WAAW,IAAI,MAAM;AACvC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,IAAK,OAAM,CAAC,IAAI,IAAI,WAAW,CAAC;AAChE,SAAO;AACT;AAEA,eAAe,UACb,UACA,MACA,YACqB;AACrB,QAAM,iBAAiB,WAAW,KAAK,IAAI;AAC3C,QAAM,UAAU,MAAM,OAAO,OAAO;AAAA,IAClC;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AACA,QAAM,UAAU,MAAM,OAAO,OAAO;AAAA,IAClC;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,IAAI,WAAW,OAAO;AAC/B;AAEA,eAAe,kBACb,MACA,OACkB;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,YAAQ,KAAK,CAAC,IAAK,MAAM,CAAC;AAAA,EAC5B;AACA,SAAO,SAAS;AAClB;AAEA,eAAsB,aAAa,UAAmC;AACpE,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,UAAU,MAAM,UAAU,UAAU,MAAM,iBAAiB;AACjE,SAAO;AAAA,IACL;AAAA,IACA,OAAO,iBAAiB;AAAA,IACxB,cAAc,IAAI;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,EAAE,KAAK,GAAG;AACZ;AAGO,SAAS,yBAAyB,UAAiC;AACxE,MAAI,SAAS,SAAS,EAAG,QAAO;AAChC,MAAI,CAAC,WAAW,KAAK,QAAQ,KAAK,CAAC,KAAK,KAAK,QAAQ,GAAG;AACtD,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,eAAsB,eACpB,UACA,YACkB;AAClB,QAAM,CAAC,QAAQ,eAAe,SAAS,OAAO,IAAI,WAAW,MAAM,GAAG;AACtE,MACE,WAAW,eACX,CAAC,iBACD,CAAC,WACD,CAAC,SACD;AACA,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,OAAO,aAAa;AACvC,MAAI,CAAC,OAAO,SAAS,UAAU,KAAK,cAAc,EAAG,QAAO;AAE5D,QAAM,OAAO,cAAc,OAAO;AAClC,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,UAAU,MAAM,UAAU,UAAU,MAAM,UAAU;AAC1D,SAAO,kBAAkB,SAAS,QAAQ;AAC5C;","names":[]}
|
|
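--- a/package/dist/auth/rate-limit.d.ts
+++ b/package/dist/auth/rate-limit.d.ts
@@ -0,0 +1,28 @@
+type AuthRateLimitKind = "login" | "forgot" | "resend" | "register";
+type RateLimitResult = {
+ok: true;
+} | {
+ok: false;
+retryAfterSec: number;
+scope: "email" | "ip";
+};
+/** @deprecated 仅邮箱维度;请改用 enforceAuthRateLimits */
+declare function checkAuthRateLimit(kind: AuthRateLimitKind, email: string): Promise<RateLimitResult>;
+declare function enforceAuthRateLimits(kind: AuthRateLimitKind, ctx: {
+email?: string;
+ip: string | null;
+}): Promise<RateLimitResult>;
+declare function recordAuthFailures(kind: AuthRateLimitKind, ctx: {
+email?: string;
+ip: string | null;
+}): Promise<void>;
+/** @deprecated 请改用 recordAuthFailures */
+declare function recordAuthFailure(kind: AuthRateLimitKind, email: string): Promise<void>;
+declare function clearAuthRateLimits(kind: AuthRateLimitKind, ctx: {
+email?: string;
+ip: string | null;
+}): Promise<void>;
+/** @deprecated 请改用 clearAuthRateLimits */
+declare function clearAuthRateLimit(kind: AuthRateLimitKind, email: string): Promise<void>;
+
+export { type AuthRateLimitKind, checkAuthRateLimit, clearAuthRateLimit, clearAuthRateLimits, enforceAuthRateLimits, recordAuthFailure, recordAuthFailures };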
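--- a/package/dist/auth/rate-limit.js
+++ b/package/dist/auth/rate-limit.js
@@ -0,0 +1,245 @@
+// src/util/env.ts
+import { env } from "cloudflare:workers";
+var workerEnv = env;
+
+// src/platform/runtime.ts
+function cacheRequestForKey(key) {
+return new Request(key, { method: "GET" });
+}
+function createCloudflarePublicCacheAdapter(cache) {
+return {
+kind: "cloudflare-cache",
+async match(key) {
+return await cache.match(cacheRequestForKey(key)) ?? null;
+},
+put(key, response) {
+return cache.put(cacheRequestForKey(key), response);
+},
+delete(key) {
+return cache.delete(cacheRequestForKey(key));
+}
+};
+}
+function createCloudflareKeyValueCacheAdapter(namespace) {
+return {
+kind: "workers-kv",
+async get(key, options) {
+return await namespace.get(key, {
+type: "json",
+cacheTtl: options?.cacheTtl
+});
+},
+async put(key, value, options) {
+await namespace.put(key, JSON.stringify(value), {
+expirationTtl: options?.expirationTtl,
+metadata: options?.metadata
+});
+},
+delete(key) {
+return namespace.delete(key);
+},
+async list(options) {
+const result = await namespace.list({
+prefix: options?.prefix,
+limit: options?.limit,
+cursor: options?.cursor
+});
+return {
+keys: result.keys.map((key) => ({ name: key.name })),
+cursor: result.list_complete ? void 0 : result.cursor,
+listComplete: result.list_complete
+};
+}
+};
+}
+function r2ObjectToStoredObject(object) {
+return {
+body: object.body,
+size: object.size,
+etag: object.etag,
+contentType: object.httpMetadata?.contentType
+};
+}
+function createCloudflareRuntimePlatform(env2, options) {
+const database = env2.DB ? {
+kind: "d1",
+prepare(query) {
+return env2.DB.prepare(query);
+},
+async batch(statements) {
+return await env2.DB.batch(
+statements
+);
+}
+} : null;
+const objectStorage = env2.ASSETS_BUCKET ? {
+kind: "r2",
+async get(key) {
+const object = await env2.ASSETS_BUCKET?.get(key);
+return object ? r2ObjectToStoredObject(object) : null;
+},
+async put(key, value, options2) {
+await env2.ASSETS_BUCKET?.put(key, value, {
+httpMetadata: {
+contentType: options2?.contentType,
+cacheControl: options2?.cacheControl
+},
+customMetadata: options2?.metadata
+});
+},
+async delete(key) {
+await env2.ASSETS_BUCKET?.delete(key);
+},
+async list(options2) {
+const listed = await env2.ASSETS_BUCKET?.list({
+prefix: options2?.prefix,
+limit: options2?.limit
+});
+return listed?.objects.map((object) => ({
+key: object.key,
+size: object.size,
+uploaded: object.uploaded
+})) ?? [];
+}
+} : null;
+const imageTransformer = env2.IMAGES ? {
+kind: "cloudflare-images",
+async transform(body, options2) {
+const result = await env2.IMAGES.input(body).transform(options2.width ? { width: options2.width } : {}).output({
+format: options2.format,
+quality: options2.quality
+});
+return {
+body: result.image(),
+contentType: result.contentType(),
+response: () => result.response()
+};
+}
+} : null;
+const keyValueCache = env2.CONTENT_CACHE ? createCloudflareKeyValueCacheAdapter(env2.CONTENT_CACHE) : null;
+return {
+id: "cloudflare-workers",
+database,
+objectStorage,
+imageTransformer,
+keyValueCache,
+publicCache: options?.publicCache ? createCloudflarePublicCacheAdapter(options.publicCache) : null
+};
+}
+
+// src/platform/cloudflare-runtime.ts
+function getDefaultCloudflareCache() {
+const globalWithCaches = globalThis;
+return globalWithCaches.caches?.default ?? null;
+}
+function getRuntimePlatform() {
+return createCloudflareRuntimePlatform(workerEnv, {
+publicCache: getDefaultCloudflareCache()
+});
+}
+
+// src/platform/current.ts
+function getRuntimePlatform2() {
+return getRuntimePlatform();
+}
+function getDatabase() {
+const platform = getRuntimePlatform2();
+const database = platform.database;
+if (!database) {
+throw new Error(`SQL database adapter not configured for ${platform.id}`);
+}
+return database;
+}
+
+// src/auth/rate-limit.ts
+var WINDOW_MS = 15 * 60 * 1e3;
+var MAX_EMAIL_ATTEMPTS = 5;
+var MAX_IP_ATTEMPTS = 30;
+function scopeKey(kind, bucket, identifier) {
+const normalized = bucket === "email" ? identifier.trim().toLowerCase() : identifier.trim();
+return `${kind}:${bucket}:${normalized}`;
+}
+async function readScope(scope) {
+return getDatabase().prepare(
+`SELECT attempts, window_start FROM auth_rate_limits WHERE scope = ?`
+).bind(scope).first();
+}
+async function checkScoped(kind, bucket, identifier, maxAttempts) {
+const scope = scopeKey(kind, bucket, identifier);
+const row = await readScope(scope);
+const now = Date.now();
+if (!row) return { ok: true };
+if (now - row.window_start >= WINDOW_MS) return { ok: true };
+if (row.attempts >= maxAttempts) {
+const retryAfterSec = Math.ceil(
+(row.window_start + WINDOW_MS - now) / 1e3
+);
+return {
+ok: false,
+retryAfterSec: Math.max(retryAfterSec, 1),
+scope: bucket
+};
+}
+return { ok: true };
+}
+async function checkAuthRateLimit(kind, email) {
+return checkScoped(kind, "email", email, MAX_EMAIL_ATTEMPTS);
+}
+async function enforceAuthRateLimits(kind, ctx) {
+if (ctx.email) {
+const emailLimit = await checkScoped(
+kind,
+"email",
+ctx.email,
+MAX_EMAIL_ATTEMPTS
+);
+if (!emailLimit.ok) return emailLimit;
+}
+if (ctx.ip) {
+const ipLimit = await checkScoped(kind, "ip", ctx.ip, MAX_IP_ATTEMPTS);
+if (!ipLimit.ok) return ipLimit;
+}
+return { ok: true };
+}
+async function recordScoped(kind, bucket, identifier) {
+const scope = scopeKey(kind, bucket, identifier);
+const now = Date.now();
+const row = await readScope(scope);
+if (!row || now - row.window_start >= WINDOW_MS) {
+await getDatabase().prepare(
+`INSERT INTO auth_rate_limits (scope, attempts, window_start)
+VALUES (?, 1, ?)
+ON CONFLICT(scope) DO UPDATE SET attempts = 1, window_start = excluded.window_start`
+).bind(scope, now).run();
+return;
+}
+await getDatabase().prepare(
+`UPDATE auth_rate_limits SET attempts = attempts + 1 WHERE scope = ?`
+).bind(scope).run();
+}
+async function recordAuthFailures(kind, ctx) {
+if (ctx.email) await recordScoped(kind, "email", ctx.email);
+if (ctx.ip) await recordScoped(kind, "ip", ctx.ip);
+}
+async function recordAuthFailure(kind, email) {
+await recordScoped(kind, "email", email);
+}
+async function clearScoped(kind, bucket, identifier) {
+await getDatabase().prepare(`DELETE FROM auth_rate_limits WHERE scope = ?`).bind(scopeKey(kind, bucket, identifier)).run();
+}
+async function clearAuthRateLimits(kind, ctx) {
+if (ctx.email) await clearScoped(kind, "email", ctx.email);
+if (ctx.ip) await clearScoped(kind, "ip", ctx.ip);
+}
+async function clearAuthRateLimit(kind, email) {
+await clearScoped(kind, "email", email);
+}
+export {
+checkAuthRateLimit,
+clearAuthRateLimit,
+clearAuthRateLimits,
+enforceAuthRateLimits,
+recordAuthFailure,
+recordAuthFailures
+};
+//# sourceMappingURL=rate-limit.js.map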
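Review bot: `recordScoped` decides whether to start a new window from a row it read in an earlier statement, so under concurrent failures the counter can under-count. Two requests that both see a missing or expired window each run the upsert that sets `attempts = 1`, and an increment that lands between another request's read and its reset is discarded, which lets more than `MAX_EMAIL_ATTEMPTS` / `MAX_IP_ATTEMPTS` failures through in one window. Folding the window test into the upsert makes the record step a single statement, as in the excerpt below. Separately, `enforceAuthRateLimits` returns `{ ok: true }` with no check at all when `ctx.email` is absent and `ctx.ip` is `null`; callers are not visible here, but a missing IP should probably map to its own shared bucket rather than to no limit.

```javascript
async function recordScoped(kind, bucket, identifier) {
  const scope = scopeKey(kind, bucket, identifier);
  const now = Date.now();
  // One statement: open a new window if the stored one has expired, otherwise count inside it.
  await getDatabase().prepare(
    `INSERT INTO auth_rate_limits (scope, attempts, window_start)
     VALUES (?, 1, ?)
     ON CONFLICT(scope) DO UPDATE SET
       attempts = CASE WHEN excluded.window_start - window_start >= ? THEN 1 ELSE attempts + 1 END,
       window_start = CASE WHEN excluded.window_start - window_start >= ? THEN excluded.window_start ELSE window_start END`
  ).bind(scope, now, WINDOW_MS, WINDOW_MS).run();
}
```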
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/util/env.ts","../../src/platform/runtime.ts","../../src/platform/cloudflare-runtime.ts","../../src/platform/current.ts","../../src/auth/rate-limit.ts"],"sourcesContent":["// lib/env.ts - 集中获取 Cloudflare bindings\n// 用 cloudflare:workers 模块(workerd 内置),作为平台 adapter 的绑定入口\n\n/// <reference types=\"@cloudflare/workers-types\" />\nimport { env } from \"cloudflare:workers\";\n\nexport type AppEnv = {\n DB: D1Database;\n ASSETS: Fetcher;\n IMAGES: ImagesBinding;\n ASSETS_BUCKET?: R2Bucket;\n CONTENT_CACHE?: KVNamespace;\n ADMIN_PASSWORD: string;\n ADMIN_EMAIL?: string;\n SITE_URL?: string;\n RESEND_API_KEY?: string;\n RESEND_FROM?: string;\n // Google OAuth 仍然兼容 Cloudflare Secret 作为兜底。\n // 实际生效值以 app_settings.google_client_id / google_client_secret 为准。\n GOOGLE_CLIENT_ID?: string;\n GOOGLE_CLIENT_SECRET?: string;\n /** Turnstile site key fallback when not stored in app_settings */\n TURNSTILE_SITE_KEY?: string;\n /** Turnstile secret — set via `wrangler secret put TURNSTILE_SECRET_KEY` */\n TURNSTILE_SECRET_KEY?: string;\n /** Notion integration token for the blog data source */\n NOTION_TOKEN?: string;\n /** Notion data source ID used by dataSources.query */\n NOTION_DATA_SOURCE_ID?: string;\n /** Notion data source ID for the public movie catalog */\n NOTION_MOVIES_DATA_SOURCE_ID?: string;\n /** Notion data source ID for localized movie copy */\n NOTION_MOVIE_TRANSLATIONS_DATA_SOURCE_ID?: string;\n /** Optional Notion API base URL for tests or proxies */\n NOTION_API_BASE_URL?: string;\n /** Optional Notion edit URL for admin handoff screens */\n NOTION_EDIT_BASE_URL?: string;\n /** Optional webhook verification token for Notion invalidation */\n NOTION_WEBHOOK_VERIFICATION_TOKEN?: string;\n};\n\n// 强制类型:vinext 把 env 类型放在 env.d.ts(interface VinextEnv extends Env),\n// 但 TS server 经常解析不到。运行时一定有 DB,类型断言保证编译通过。\nexport const workerEnv = env as unknown as AppEnv;\n","import type { AppEnv } from \"../util/env\";\n\nexport type 
PlatformBindingEnv = Pick<\n AppEnv,\n \"ASSETS_BUCKET\" | \"CONTENT_CACHE\" | \"DB\" | \"IMAGES\"\n>;\n\nexport type StoredObject = {\n body: ReadableStream;\n size: number;\n etag?: string;\n contentType?: string;\n};\n\nexport type ObjectStoragePutOptions = {\n contentType?: string;\n cacheControl?: string;\n metadata?: Record<string, string>;\n};\n\nexport type ObjectStorageListItem = {\n key: string;\n size: number;\n uploaded: Date;\n};\n\nexport type ObjectStorageAdapter = {\n kind: \"r2\";\n get(key: string): Promise<StoredObject | null>;\n put(\n key: string,\n value: ReadableStream | ArrayBuffer | ArrayBufferView | string | Blob,\n options?: ObjectStoragePutOptions\n ): Promise<void>;\n delete(key: string): Promise<void>;\n list(\n options?: { prefix?: string; limit?: number }\n ): Promise<ObjectStorageListItem[]>;\n};\n\nexport type ImageTransformOptions = {\n width?: number;\n format: \"image/avif\" | \"image/webp\";\n quality: number;\n};\n\nexport type ImageTransformResult = {\n body: ReadableStream;\n contentType: string;\n response(): Response;\n};\n\nexport type ImageTransformerAdapter = {\n kind: \"cloudflare-images\" | \"external\";\n transform(\n body: ReadableStream,\n options: ImageTransformOptions\n ): Promise<ImageTransformResult>;\n};\n\nexport type PublicCacheAdapter = {\n kind: \"cloudflare-cache\" | \"noop\" | \"external\";\n match(key: string): Promise<Response | null>;\n put(key: string, response: Response): Promise<void>;\n delete(key: string): Promise<boolean>;\n};\n\nexport type KeyValueCacheGetOptions = {\n cacheTtl?: number;\n};\n\nexport type KeyValueCachePutOptions = {\n expirationTtl?: number;\n metadata?: Record<string, string | number | boolean | null>;\n};\n\nexport type KeyValueCacheListOptions = {\n prefix?: string;\n limit?: number;\n cursor?: string;\n};\n\nexport type KeyValueCacheListResult = {\n keys: Array<{ name: string }>;\n cursor?: string;\n listComplete: boolean;\n};\n\nexport type KeyValueCacheAdapter = {\n 
kind: \"workers-kv\" | \"noop\" | \"external\";\n get<T = unknown>(\n key: string,\n options?: KeyValueCacheGetOptions\n ): Promise<T | null>;\n put<T = unknown>(\n key: string,\n value: T,\n options?: KeyValueCachePutOptions\n ): Promise<void>;\n delete(key: string): Promise<void>;\n list(options?: KeyValueCacheListOptions): Promise<KeyValueCacheListResult>;\n};\n\nexport type SqlValue = string | number | boolean | null;\n\nexport type SqlResult<T = Record<string, unknown>> = {\n results?: T[];\n success?: boolean;\n meta?: {\n changes?: number;\n duration?: number;\n last_row_id?: number;\n rows_read?: number;\n rows_written?: number;\n [key: string]: unknown;\n };\n};\n\nexport type SqlPreparedStatement = {\n bind(...values: SqlValue[]): SqlPreparedStatement;\n all<T = Record<string, unknown>>(): Promise<SqlResult<T>>;\n first<T = Record<string, unknown>>(columnName?: string): Promise<T | null>;\n run<T = Record<string, unknown>>(): Promise<SqlResult<T>>;\n};\n\nexport type SqlDatabaseAdapter = {\n kind: \"d1\";\n prepare(query: string): SqlPreparedStatement;\n batch<T = Record<string, unknown>>(\n statements: SqlPreparedStatement[]\n ): Promise<SqlResult<T>[]>;\n};\n\nexport type RuntimePlatform = {\n id: \"cloudflare-workers\";\n database: SqlDatabaseAdapter | null;\n objectStorage: ObjectStorageAdapter | null;\n imageTransformer: ImageTransformerAdapter | null;\n publicCache: PublicCacheAdapter | null;\n keyValueCache: KeyValueCacheAdapter | null;\n};\n\ntype CloudflareCacheLike = Pick<Cache, \"match\" | \"put\" | \"delete\">;\ntype CloudflareKvLike = Pick<KVNamespace, \"get\" | \"put\" | \"delete\" | \"list\">;\n\nfunction cacheRequestForKey(key: string) {\n return new Request(key, { method: \"GET\" });\n}\n\nexport function createCloudflarePublicCacheAdapter(\n cache: CloudflareCacheLike\n): PublicCacheAdapter {\n return {\n kind: \"cloudflare-cache\",\n async match(key) {\n return (await cache.match(cacheRequestForKey(key))) ?? 
null;\n },\n put(key, response) {\n return cache.put(cacheRequestForKey(key), response);\n },\n delete(key) {\n return cache.delete(cacheRequestForKey(key));\n },\n };\n}\n\nexport function createNoopPublicCacheAdapter(kind: \"noop\" = \"noop\"): PublicCacheAdapter {\n return {\n kind,\n async match() {\n return null;\n },\n async put() {},\n async delete() {\n return false;\n },\n };\n}\n\nexport function createCloudflareKeyValueCacheAdapter(\n namespace: CloudflareKvLike\n): KeyValueCacheAdapter {\n return {\n kind: \"workers-kv\",\n async get<T = unknown>(\n key: string,\n options?: KeyValueCacheGetOptions\n ): Promise<T | null> {\n return (await namespace.get(key, {\n type: \"json\",\n cacheTtl: options?.cacheTtl,\n })) as T | null;\n },\n async put(key, value, options) {\n await namespace.put(key, JSON.stringify(value), {\n expirationTtl: options?.expirationTtl,\n metadata: options?.metadata,\n });\n },\n delete(key) {\n return namespace.delete(key);\n },\n async list(options) {\n const result = await namespace.list({\n prefix: options?.prefix,\n limit: options?.limit,\n cursor: options?.cursor,\n });\n return {\n keys: result.keys.map((key) => ({ name: key.name })),\n cursor: result.list_complete ? undefined : result.cursor,\n listComplete: result.list_complete,\n };\n },\n };\n}\n\nexport function createNoopKeyValueCacheAdapter(\n kind: \"noop\" = \"noop\"\n): KeyValueCacheAdapter {\n return {\n kind,\n async get() {\n return null;\n },\n async put() {},\n async delete() {},\n async list() {\n return { keys: [], listComplete: true };\n },\n };\n}\n\nfunction r2ObjectToStoredObject(object: R2ObjectBody): StoredObject {\n return {\n body: object.body,\n size: object.size,\n etag: object.etag,\n contentType: object.httpMetadata?.contentType,\n };\n}\n\nexport function createCloudflareRuntimePlatform(\n env: PlatformBindingEnv,\n options?: { publicCache?: CloudflareCacheLike | null }\n): RuntimePlatform {\n const database: SqlDatabaseAdapter | null = env.DB\n ? 
({\n kind: \"d1\",\n prepare(query: string) {\n return env.DB.prepare(query) as unknown as SqlPreparedStatement;\n },\n async batch(statements: SqlPreparedStatement[]) {\n return (await env.DB.batch(\n statements as unknown as D1PreparedStatement[]\n )) as unknown as SqlResult<Record<string, unknown>>[];\n },\n } as unknown as SqlDatabaseAdapter)\n : null;\n\n const objectStorage: ObjectStorageAdapter | null = env.ASSETS_BUCKET\n ? {\n kind: \"r2\",\n async get(key) {\n const object = await env.ASSETS_BUCKET?.get(key);\n return object ? r2ObjectToStoredObject(object) : null;\n },\n async put(key, value, options) {\n await env.ASSETS_BUCKET?.put(key, value, {\n httpMetadata: {\n contentType: options?.contentType,\n cacheControl: options?.cacheControl,\n },\n customMetadata: options?.metadata,\n });\n },\n async delete(key) {\n await env.ASSETS_BUCKET?.delete(key);\n },\n async list(options) {\n const listed = await env.ASSETS_BUCKET?.list({\n prefix: options?.prefix,\n limit: options?.limit,\n });\n return (\n listed?.objects.map((object) => ({\n key: object.key,\n size: object.size,\n uploaded: object.uploaded,\n })) ?? []\n );\n },\n }\n : null;\n\n const imageTransformer: ImageTransformerAdapter | null = env.IMAGES\n ? {\n kind: \"cloudflare-images\",\n async transform(body, options) {\n const result = await env.IMAGES.input(body)\n .transform(options.width ? { width: options.width } : {})\n .output({\n format: options.format,\n quality: options.quality,\n });\n return {\n body: result.image(),\n contentType: result.contentType(),\n response: () => result.response(),\n };\n },\n }\n : null;\n\n const keyValueCache: KeyValueCacheAdapter | null = env.CONTENT_CACHE\n ? createCloudflareKeyValueCacheAdapter(env.CONTENT_CACHE)\n : null;\n\n return {\n id: \"cloudflare-workers\",\n database,\n objectStorage,\n imageTransformer,\n keyValueCache,\n publicCache: options?.publicCache\n ? 
createCloudflarePublicCacheAdapter(options.publicCache)\n : null,\n };\n}\n","import { workerEnv } from \"../util/env\";\nimport {\n createCloudflarePublicCacheAdapter,\n createCloudflareRuntimePlatform,\n} from \"./runtime\";\n\nfunction getDefaultCloudflareCache() {\n const globalWithCaches = globalThis as typeof globalThis & {\n caches?: CacheStorage & { default?: Cache };\n };\n return globalWithCaches.caches?.default ?? null;\n}\n\nexport function getRuntimePlatform() {\n return createCloudflareRuntimePlatform(workerEnv, {\n publicCache: getDefaultCloudflareCache(),\n });\n}\n\nexport function getDatabase() {\n const database = getRuntimePlatform().database;\n if (!database) {\n throw new Error(\"SQL database binding not configured\");\n }\n return database;\n}\n\nexport function getPublicCache() {\n const cache = getDefaultCloudflareCache();\n if (!cache) {\n throw new Error(\"Cloudflare cache binding not configured\");\n }\n return createCloudflarePublicCacheAdapter(cache);\n}\n","import {\n getPublicCache as getCloudflarePublicCache,\n getRuntimePlatform as getCloudflareRuntimePlatform,\n} from \"./cloudflare-runtime\";\nimport { currentRuntimeId } from \"./selection\";\n\nexport function getRuntimePlatform() {\n return getCloudflareRuntimePlatform();\n}\n\nexport function getDatabase() {\n const platform = getRuntimePlatform();\n const database = platform.database;\n if (!database) {\n throw new Error(`SQL database adapter not configured for ${platform.id}`);\n }\n return database;\n}\n\nexport function getPublicCache() {\n return getCloudflarePublicCache();\n}\n\nexport function getKeyValueCache() {\n return getRuntimePlatform().keyValueCache;\n}\n\nexport const runtimeSelection = {\n currentRuntimeId,\n};\n","// SQL-backed rate limiting for auth endpoints (per email + per IP).\n\nimport { getDatabase } from \"../platform/current\";\n\nconst WINDOW_MS = 15 * 60 * 1000;\nconst MAX_EMAIL_ATTEMPTS = 5;\nconst MAX_IP_ATTEMPTS = 30;\n\nexport type 
AuthRateLimitKind = \"login\" | \"forgot\" | \"resend\" | \"register\";\n\ntype RateLimitResult =\n | { ok: true }\n | { ok: false; retryAfterSec: number; scope: \"email\" | \"ip\" };\n\ntype RateLimitBucket = \"email\" | \"ip\";\n\nfunction scopeKey(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): string {\n const normalized =\n bucket === \"email\"\n ? identifier.trim().toLowerCase()\n : identifier.trim();\n return `${kind}:${bucket}:${normalized}`;\n}\n\nasync function readScope(scope: string): Promise<{\n attempts: number;\n window_start: number;\n} | null> {\n return getDatabase().prepare(\n `SELECT attempts, window_start FROM auth_rate_limits WHERE scope = ?`\n )\n .bind(scope)\n .first<{ attempts: number; window_start: number }>();\n}\n\nasync function checkScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string,\n maxAttempts: number\n): Promise<RateLimitResult> {\n const scope = scopeKey(kind, bucket, identifier);\n const row = await readScope(scope);\n const now = Date.now();\n\n if (!row) return { ok: true };\n if (now - row.window_start >= WINDOW_MS) return { ok: true };\n\n if (row.attempts >= maxAttempts) {\n const retryAfterSec = Math.ceil(\n (row.window_start + WINDOW_MS - now) / 1000\n );\n return {\n ok: false,\n retryAfterSec: Math.max(retryAfterSec, 1),\n scope: bucket,\n };\n }\n\n return { ok: true };\n}\n\n/** @deprecated 仅邮箱维度;请改用 enforceAuthRateLimits */\nexport async function checkAuthRateLimit(\n kind: AuthRateLimitKind,\n email: string\n): Promise<RateLimitResult> {\n return checkScoped(kind, \"email\", email, MAX_EMAIL_ATTEMPTS);\n}\n\nexport async function enforceAuthRateLimits(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<RateLimitResult> {\n if (ctx.email) {\n const emailLimit = await checkScoped(\n kind,\n \"email\",\n ctx.email,\n MAX_EMAIL_ATTEMPTS\n );\n if (!emailLimit.ok) return emailLimit;\n }\n if (ctx.ip) {\n const ipLimit = 
await checkScoped(kind, \"ip\", ctx.ip, MAX_IP_ATTEMPTS);\n if (!ipLimit.ok) return ipLimit;\n }\n return { ok: true };\n}\n\nasync function recordScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): Promise<void> {\n const scope = scopeKey(kind, bucket, identifier);\n const now = Date.now();\n const row = await readScope(scope);\n\n if (!row || now - row.window_start >= WINDOW_MS) {\n await getDatabase().prepare(\n `INSERT INTO auth_rate_limits (scope, attempts, window_start)\n VALUES (?, 1, ?)\n ON CONFLICT(scope) DO UPDATE SET attempts = 1, window_start = excluded.window_start`\n )\n .bind(scope, now)\n .run();\n return;\n }\n\n await getDatabase().prepare(\n `UPDATE auth_rate_limits SET attempts = attempts + 1 WHERE scope = ?`\n )\n .bind(scope)\n .run();\n}\n\nexport async function recordAuthFailures(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<void> {\n if (ctx.email) await recordScoped(kind, \"email\", ctx.email);\n if (ctx.ip) await recordScoped(kind, \"ip\", ctx.ip);\n}\n\n/** @deprecated 请改用 recordAuthFailures */\nexport async function recordAuthFailure(\n kind: AuthRateLimitKind,\n email: string\n): Promise<void> {\n await recordScoped(kind, \"email\", email);\n}\n\nasync function clearScoped(\n kind: AuthRateLimitKind,\n bucket: RateLimitBucket,\n identifier: string\n): Promise<void> {\n await getDatabase().prepare(`DELETE FROM auth_rate_limits WHERE scope = ?`)\n .bind(scopeKey(kind, bucket, identifier))\n .run();\n}\n\nexport async function clearAuthRateLimits(\n kind: AuthRateLimitKind,\n ctx: { email?: string; ip: string | null }\n): Promise<void> {\n if (ctx.email) await clearScoped(kind, \"email\", ctx.email);\n if (ctx.ip) await clearScoped(kind, \"ip\", ctx.ip);\n}\n\n/** @deprecated 请改用 clearAuthRateLimits */\nexport async function clearAuthRateLimit(\n kind: AuthRateLimitKind,\n email: string\n): Promise<void> {\n await clearScoped(kind, \"email\", 
email);\n}\n"],"mappings":";AAIA,SAAS,WAAW;AAuCb,IAAM,YAAY;;;ACsGzB,SAAS,mBAAmB,KAAa;AACvC,SAAO,IAAI,QAAQ,KAAK,EAAE,QAAQ,MAAM,CAAC;AAC3C;AAEO,SAAS,mCACd,OACoB;AACpB,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,MAAM,KAAK;AACf,aAAQ,MAAM,MAAM,MAAM,mBAAmB,GAAG,CAAC,KAAM;AAAA,IACzD;AAAA,IACA,IAAI,KAAK,UAAU;AACjB,aAAO,MAAM,IAAI,mBAAmB,GAAG,GAAG,QAAQ;AAAA,IACpD;AAAA,IACA,OAAO,KAAK;AACV,aAAO,MAAM,OAAO,mBAAmB,GAAG,CAAC;AAAA,IAC7C;AAAA,EACF;AACF;AAeO,SAAS,qCACd,WACsB;AACtB,SAAO;AAAA,IACL,MAAM;AAAA,IACN,MAAM,IACJ,KACA,SACmB;AACnB,aAAQ,MAAM,UAAU,IAAI,KAAK;AAAA,QAC/B,MAAM;AAAA,QACN,UAAU,SAAS;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,MAAM,IAAI,KAAK,OAAO,SAAS;AAC7B,YAAM,UAAU,IAAI,KAAK,KAAK,UAAU,KAAK,GAAG;AAAA,QAC9C,eAAe,SAAS;AAAA,QACxB,UAAU,SAAS;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,IACA,OAAO,KAAK;AACV,aAAO,UAAU,OAAO,GAAG;AAAA,IAC7B;AAAA,IACA,MAAM,KAAK,SAAS;AAClB,YAAM,SAAS,MAAM,UAAU,KAAK;AAAA,QAClC,QAAQ,SAAS;AAAA,QACjB,OAAO,SAAS;AAAA,QAChB,QAAQ,SAAS;AAAA,MACnB,CAAC;AACD,aAAO;AAAA,QACL,MAAM,OAAO,KAAK,IAAI,CAAC,SAAS,EAAE,MAAM,IAAI,KAAK,EAAE;AAAA,QACnD,QAAQ,OAAO,gBAAgB,SAAY,OAAO;AAAA,QAClD,cAAc,OAAO;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AACF;AAkBA,SAAS,uBAAuB,QAAoC;AAClE,SAAO;AAAA,IACL,MAAM,OAAO;AAAA,IACb,MAAM,OAAO;AAAA,IACb,MAAM,OAAO;AAAA,IACb,aAAa,OAAO,cAAc;AAAA,EACpC;AACF;AAEO,SAAS,gCACdA,MACA,SACiB;AACjB,QAAM,WAAsCA,KAAI,KAC3C;AAAA,IACC,MAAM;AAAA,IACN,QAAQ,OAAe;AACrB,aAAOA,KAAI,GAAG,QAAQ,KAAK;AAAA,IAC7B;AAAA,IACA,MAAM,MAAM,YAAoC;AAC9C,aAAQ,MAAMA,KAAI,GAAG;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAAA,EACF,IACA;AAEJ,QAAM,gBAA6CA,KAAI,gBACnD;AAAA,IACE,MAAM;AAAA,IACN,MAAM,IAAI,KAAK;AACb,YAAM,SAAS,MAAMA,KAAI,eAAe,IAAI,GAAG;AAC/C,aAAO,SAAS,uBAAuB,MAAM,IAAI;AAAA,IACnD;AAAA,IACA,MAAM,IAAI,KAAK,OAAOC,UAAS;AAC7B,YAAMD,KAAI,eAAe,IAAI,KAAK,OAAO;AAAA,QACvC,cAAc;AAAA,UACZ,aAAaC,UAAS;AAAA,UACtB,cAAcA,UAAS;AAAA,QACzB;AAAA,QACA,gBAAgBA,UAAS;AAAA,MAC3B,CAAC;AAAA,IACH;AAAA,IACA,MAAM,OAAO,KAAK;AAChB,YAAMD,KAAI,eAAe,OAAO,GAAG;AAAA,IACrC;AAAA,IACA,MAAM,KAAKC,UAAS;AAClB,YAAM,SAAS,MAAMD,KAAI,eAAe,KAAK;AAAA,QAC3C,QAAQC,UAAS;AAAA,QACjB,OAAOA,U
AAS;AAAA,MAClB,CAAC;AACD,aACE,QAAQ,QAAQ,IAAI,CAAC,YAAY;AAAA,QAC/B,KAAK,OAAO;AAAA,QACZ,MAAM,OAAO;AAAA,QACb,UAAU,OAAO;AAAA,MACnB,EAAE,KAAK,CAAC;AAAA,IAEZ;AAAA,EACF,IACA;AAEJ,QAAM,mBAAmDD,KAAI,SACzD;AAAA,IACE,MAAM;AAAA,IACN,MAAM,UAAU,MAAMC,UAAS;AAC7B,YAAM,SAAS,MAAMD,KAAI,OAAO,MAAM,IAAI,EACvC,UAAUC,SAAQ,QAAQ,EAAE,OAAOA,SAAQ,MAAM,IAAI,CAAC,CAAC,EACvD,OAAO;AAAA,QACN,QAAQA,SAAQ;AAAA,QAChB,SAASA,SAAQ;AAAA,MACnB,CAAC;AACH,aAAO;AAAA,QACL,MAAM,OAAO,MAAM;AAAA,QACnB,aAAa,OAAO,YAAY;AAAA,QAChC,UAAU,MAAM,OAAO,SAAS;AAAA,MAClC;AAAA,IACF;AAAA,EACF,IACA;AAEJ,QAAM,gBAA6CD,KAAI,gBACnD,qCAAqCA,KAAI,aAAa,IACtD;AAEJ,SAAO;AAAA,IACL,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,aAAa,SAAS,cAClB,mCAAmC,QAAQ,WAAW,IACtD;AAAA,EACN;AACF;;;AClUA,SAAS,4BAA4B;AACnC,QAAM,mBAAmB;AAGzB,SAAO,iBAAiB,QAAQ,WAAW;AAC7C;AAEO,SAAS,qBAAqB;AACnC,SAAO,gCAAgC,WAAW;AAAA,IAChD,aAAa,0BAA0B;AAAA,EACzC,CAAC;AACH;;;ACXO,SAASE,sBAAqB;AACnC,SAAO,mBAA6B;AACtC;AAEO,SAAS,cAAc;AAC5B,QAAM,WAAWA,oBAAmB;AACpC,QAAM,WAAW,SAAS;AAC1B,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,2CAA2C,SAAS,EAAE,EAAE;AAAA,EAC1E;AACA,SAAO;AACT;;;ACbA,IAAM,YAAY,KAAK,KAAK;AAC5B,IAAM,qBAAqB;AAC3B,IAAM,kBAAkB;AAUxB,SAAS,SACP,MACA,QACA,YACQ;AACR,QAAM,aACJ,WAAW,UACP,WAAW,KAAK,EAAE,YAAY,IAC9B,WAAW,KAAK;AACtB,SAAO,GAAG,IAAI,IAAI,MAAM,IAAI,UAAU;AACxC;AAEA,eAAe,UAAU,OAGf;AACR,SAAO,YAAY,EAAE;AAAA,IACnB;AAAA,EACF,EACG,KAAK,KAAK,EACV,MAAkD;AACvD;AAEA,eAAe,YACb,MACA,QACA,YACA,aAC0B;AAC1B,QAAM,QAAQ,SAAS,MAAM,QAAQ,UAAU;AAC/C,QAAM,MAAM,MAAM,UAAU,KAAK;AACjC,QAAM,MAAM,KAAK,IAAI;AAErB,MAAI,CAAC,IAAK,QAAO,EAAE,IAAI,KAAK;AAC5B,MAAI,MAAM,IAAI,gBAAgB,UAAW,QAAO,EAAE,IAAI,KAAK;AAE3D,MAAI,IAAI,YAAY,aAAa;AAC/B,UAAM,gBAAgB,KAAK;AAAA,OACxB,IAAI,eAAe,YAAY,OAAO;AAAA,IACzC;AACA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,eAAe,KAAK,IAAI,eAAe,CAAC;AAAA,MACxC,OAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAGA,eAAsB,mBACpB,MACA,OAC0B;AAC1B,SAAO,YAAY,MAAM,SAAS,OAAO,kBAAkB;AAC7D;AAEA,eAAsB,sBACpB,MACA,KAC0B;AAC1B,MAAI,IAAI,OAAO;AACb,UAAM,aAAa,MAAM;AAAA,MACvB;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAA
A,IACF;AACA,QAAI,CAAC,WAAW,GAAI,QAAO;AAAA,EAC7B;AACA,MAAI,IAAI,IAAI;AACV,UAAM,UAAU,MAAM,YAAY,MAAM,MAAM,IAAI,IAAI,eAAe;AACrE,QAAI,CAAC,QAAQ,GAAI,QAAO;AAAA,EAC1B;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAEA,eAAe,aACb,MACA,QACA,YACe;AACf,QAAM,QAAQ,SAAS,MAAM,QAAQ,UAAU;AAC/C,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,MAAM,MAAM,UAAU,KAAK;AAEjC,MAAI,CAAC,OAAO,MAAM,IAAI,gBAAgB,WAAW;AAC/C,UAAM,YAAY,EAAE;AAAA,MAClB;AAAA;AAAA;AAAA,IAGF,EACG,KAAK,OAAO,GAAG,EACf,IAAI;AACP;AAAA,EACF;AAEA,QAAM,YAAY,EAAE;AAAA,IAClB;AAAA,EACF,EACG,KAAK,KAAK,EACV,IAAI;AACT;AAEA,eAAsB,mBACpB,MACA,KACe;AACf,MAAI,IAAI,MAAO,OAAM,aAAa,MAAM,SAAS,IAAI,KAAK;AAC1D,MAAI,IAAI,GAAI,OAAM,aAAa,MAAM,MAAM,IAAI,EAAE;AACnD;AAGA,eAAsB,kBACpB,MACA,OACe;AACf,QAAM,aAAa,MAAM,SAAS,KAAK;AACzC;AAEA,eAAe,YACb,MACA,QACA,YACe;AACf,QAAM,YAAY,EAAE,QAAQ,8CAA8C,EACvE,KAAK,SAAS,MAAM,QAAQ,UAAU,CAAC,EACvC,IAAI;AACT;AAEA,eAAsB,oBACpB,MACA,KACe;AACf,MAAI,IAAI,MAAO,OAAM,YAAY,MAAM,SAAS,IAAI,KAAK;AACzD,MAAI,IAAI,GAAI,OAAM,YAAY,MAAM,MAAM,IAAI,EAAE;AAClD;AAGA,eAAsB,mBACpB,MACA,OACe;AACf,QAAM,YAAY,MAAM,SAAS,KAAK;AACxC;","names":["env","options","getRuntimePlatform"]}
|