@pafi-dev/issuer 0.39.2 → 0.40.0

@@ -3,6 +3,7 @@ var __defProp = Object.defineProperty;
3
3
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
4
  var __getOwnPropNames = Object.getOwnPropertyNames;
5
5
  var __hasOwnProp = Object.prototype.hasOwnProperty;
6
+ var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
6
7
  var __export = (target, all) => {
7
8
  for (var name in all)
8
9
  __defProp(target, name, { get: all[name], enumerable: true });
@@ -16,15 +17,6 @@ var __copyProps = (to, from, except, desc) => {
16
17
  return to;
17
18
  };
18
19
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
19
- var __decorateClass = (decorators, target, key, kind) => {
20
- var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
21
- for (var i = decorators.length - 1, decorator; i >= 0; i--)
22
- if (decorator = decorators[i])
23
- result = (kind ? decorator(target, key, result) : decorator(result)) || result;
24
- if (kind && result) __defProp(target, key, result);
25
- return result;
26
- };
27
- var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
28
20
 
29
21
  // src/direct-auth/index.ts
30
22
  var direct_auth_exports = {};
@@ -62,117 +54,109 @@ async function signClientAssertion(args) {
62
54
  const alg = args.alg ?? args.privateJwk.alg ?? "ES256";
63
55
  const key = await (0, import_jose.importJWK)(args.privateJwk, alg);
64
56
  const now = Math.floor(Date.now() / 1e3);
65
- return new import_jose.SignJWT({}).setProtectedHeader({ alg, typ: "JWT", kid: args.privateJwk.kid }).setIssuer(args.clientId).setSubject(args.clientId).setAudience(`${args.gatewayUrl}/v1/token-exchange`).setIssuedAt(now).setExpirationTime(now + 60).setJti((0, import_node_crypto.randomUUID)()).sign(key);
57
+ return new import_jose.SignJWT({}).setProtectedHeader({
58
+ alg,
59
+ typ: "JWT",
60
+ kid: args.privateJwk.kid
61
+ }).setIssuer(args.clientId).setSubject(args.clientId).setAudience(`${args.gatewayUrl}/v1/token-exchange`).setIssuedAt(now).setExpirationTime(now + 60).setJti((0, import_node_crypto.randomUUID)()).sign(key);
66
62
  }
63
+ __name(signClientAssertion, "signClientAssertion");
67
64
 
68
65
  // src/auth-client/types.ts
69
66
  var PafiAuthError = class extends Error {
70
- constructor(message, status, code, correlationId) {
71
- super(message);
72
- this.status = status;
73
- this.code = code;
74
- this.correlationId = correlationId;
75
- this.name = "PafiAuthError";
67
+ static {
68
+ __name(this, "PafiAuthError");
76
69
  }
77
70
  status;
78
71
  code;
79
72
  correlationId;
73
+ constructor(message, status, code, correlationId) {
74
+ super(message), this.status = status, this.code = code, this.correlationId = correlationId;
75
+ this.name = "PafiAuthError";
76
+ }
80
77
  };
81
78
 
82
79
  // src/auth-client/pafi-auth-client.ts
83
80
  var PafiAuthClient = class {
81
+ static {
82
+ __name(this, "PafiAuthClient");
83
+ }
84
+ opts;
85
+ fetchImpl;
86
+ tokenExchangeAud;
84
87
  constructor(opts) {
85
88
  this.opts = opts;
86
89
  if (!opts.clientPrivateJwk.kid) {
87
- throw new Error(
88
- "PafiAuthClient: clientPrivateJwk.kid is required (gateway uses kid to look up the verification key)"
89
- );
90
+ throw new Error("PafiAuthClient: clientPrivateJwk.kid is required (gateway uses kid to look up the verification key)");
90
91
  }
91
92
  this.fetchImpl = opts.fetchImpl ?? fetch;
92
93
  this.tokenExchangeAud = `${opts.gatewayUrl}/v1/token-exchange`;
93
94
  }
94
- opts;
95
- fetchImpl;
96
- tokenExchangeAud;
97
95
  // ───────────────────────────────────────────────────────────────
98
96
  // EMAIL OTP — 2-step
99
97
  // ───────────────────────────────────────────────────────────────
100
98
  /**
101
- * Step 1: ask the gateway to send the user an OTP. Returns the
102
- * `challengeId` to echo back on {@link verifyEmail}.
103
- */
99
+ * Step 1: ask the gateway to send the user an OTP. Returns the
100
+ * `challengeId` to echo back on {@link verifyEmail}.
101
+ */
104
102
  async startEmail(args) {
105
- const res = await this.post(
106
- "/v1/auth/email/start",
107
- {
108
- issuer_id: this.opts.issuerId,
109
- email: args.email
110
- },
111
- args.correlationId
112
- );
103
+ const res = await this.post("/v1/auth/email/start", {
104
+ issuer_id: this.opts.issuerId,
105
+ email: args.email
106
+ }, args.correlationId);
113
107
  return {
114
108
  challengeId: res.challenge_id,
115
109
  expiresInSec: res.expires_in
116
110
  };
117
111
  }
118
112
  /**
119
- * Step 2: submit the OTP the user received. On success returns
120
- * {@link AuthSuccess} containing BOTH the long-lived
121
- * pafi_session_token (issuer verifies via gateway JWKS) AND the
122
- * short-lived pafi_jwt (issuer FE feeds to Privy).
123
- */
113
+ * Step 2: submit the OTP the user received. On success returns
114
+ * {@link AuthSuccess} containing BOTH the long-lived
115
+ * pafi_session_token (issuer verifies via gateway JWKS) AND the
116
+ * short-lived pafi_jwt (issuer FE feeds to Privy).
117
+ */
124
118
  async verifyEmail(args) {
125
- const res = await this.post(
126
- "/v1/auth/email/verify",
127
- {
128
- challenge_id: args.challengeId,
129
- otp_code: args.otpCode
130
- },
131
- args.correlationId
132
- );
119
+ const res = await this.post("/v1/auth/email/verify", {
120
+ challenge_id: args.challengeId,
121
+ otp_code: args.otpCode
122
+ }, args.correlationId);
133
123
  return mapAuthSuccess(res);
134
124
  }
135
125
  // ───────────────────────────────────────────────────────────────
136
126
  // GOOGLE — 1-step exchange
137
127
  // ───────────────────────────────────────────────────────────────
138
128
  /**
139
- * Hand the gateway an id_token the issuer FE obtained from Google
140
- * Identity Services (using PAFI's shared client_id). Gateway verifies
141
- * signature + audience + `email_verified` before resolving identity.
142
- */
129
+ * Hand the gateway an id_token the issuer FE obtained from Google
130
+ * Identity Services (using PAFI's shared client_id). Gateway verifies
131
+ * signature + audience + `email_verified` before resolving identity.
132
+ */
143
133
  async exchangeGoogle(args) {
144
- const res = await this.post(
145
- "/v1/auth/google/exchange",
146
- {
147
- issuer_id: this.opts.issuerId,
148
- id_token: args.idToken
149
- },
150
- args.correlationId
151
- );
134
+ const res = await this.post("/v1/auth/google/exchange", {
135
+ issuer_id: this.opts.issuerId,
136
+ id_token: args.idToken
137
+ }, args.correlationId);
152
138
  return mapAuthSuccess(res);
153
139
  }
154
140
  // ───────────────────────────────────────────────────────────────
155
141
  // KAKAO — 1-step exchange (authorization code)
156
142
  // ───────────────────────────────────────────────────────────────
157
143
  /**
158
- * Hand the gateway the authorization code returned by Kakao's
159
- * redirect. Gateway exchanges with Kakao (server-to-server using
160
- * PAFI's client_secret), verifies id_token, resolves identity.
161
- *
162
- * `redirectUri` must match the URL the FE used when starting the
163
- * Kakao flow. Falls back to the gateway's KAKAO_REDIRECT_URI when
164
- * omitted — pass an explicit value for multi-environment FEs.
165
- */
144
+ * Hand the gateway the authorization code returned by Kakao's
145
+ * redirect. Gateway exchanges with Kakao (server-to-server using
146
+ * PAFI's client_secret), verifies id_token, resolves identity.
147
+ *
148
+ * `redirectUri` must match the URL the FE used when starting the
149
+ * Kakao flow. Falls back to the gateway's KAKAO_REDIRECT_URI when
150
+ * omitted — pass an explicit value for multi-environment FEs.
151
+ */
166
152
  async exchangeKakao(args) {
167
- const res = await this.post(
168
- "/v1/auth/kakao/exchange",
169
- {
170
- issuer_id: this.opts.issuerId,
171
- code: args.code,
172
- ...args.redirectUri ? { redirect_uri: args.redirectUri } : {}
173
- },
174
- args.correlationId
175
- );
153
+ const res = await this.post("/v1/auth/kakao/exchange", {
154
+ issuer_id: this.opts.issuerId,
155
+ code: args.code,
156
+ ...args.redirectUri ? {
157
+ redirect_uri: args.redirectUri
158
+ } : {}
159
+ }, args.correlationId);
176
160
  return mapAuthSuccess(res);
177
161
  }
178
162
  // ───────────────────────────────────────────────────────────────
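Review bot: The PafiAuthClient constructor checks `clientPrivateJwk.kid` but never validates `opts.gatewayUrl`, which is concatenated into `tokenExchangeAud` there and into the `setAudience` value in signClientAssertion at the top of this hunk. A trailing slash yields `//v1/token-exchange`, an audience the gateway may reject, and nothing visible stops an `http:` URL, over which OTP codes, id_tokens and signed client assertions would travel unprotected. I would parse and check it once in the constructor, e.g. `const u = new URL(opts.gatewayUrl); if (u.protocol !== "https:") throw new Error("PafiAuthClient: gatewayUrl must be https");`, with an explicit opt-out for local development if one is needed. The same unchecked value feeds `createRemoteJWKSet` and `expectedIssuer` in the PafiSessionVerifierService constructor in the `@@ -258,21 +251,43 @@` hunk, where a plaintext JWKS fetch would let the verification keys be replaced in transit. The class body continues outside this hunk.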
@@ -198,21 +182,11 @@ var PafiAuthClient = class {
198
182
  try {
199
183
  parsed = text ? JSON.parse(text) : {};
200
184
  } catch {
201
- throw new PafiAuthError(
202
- `Non-JSON response from gateway (${path}): ${text.slice(0, 120)}`,
203
- res.status,
204
- "non_json_response",
205
- finalCorrelationId
206
- );
185
+ throw new PafiAuthError(`Non-JSON response from gateway (${path}): ${text.slice(0, 120)}`, res.status, "non_json_response", finalCorrelationId);
207
186
  }
208
187
  if (!res.ok) {
209
188
  const err = parsed;
210
- throw new PafiAuthError(
211
- err.error_description ?? err.error ?? `Gateway returned HTTP ${res.status}`,
212
- res.status,
213
- err.error ?? "unknown_error",
214
- err.correlation_id ?? finalCorrelationId
215
- );
189
+ throw new PafiAuthError(err.error_description ?? err.error ?? `Gateway returned HTTP ${res.status}`, res.status, err.error ?? "unknown_error", err.correlation_id ?? finalCorrelationId);
216
190
  }
217
191
  return parsed;
218
192
  }
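Review bot: The non-JSON branch copies up to 120 characters of the raw response body into the PafiAuthError message, and the `!res.ok` branch passes `err.error_description` through unchanged. Both strings are chosen by whatever answered the request (the gateway, or a proxy in front of it), so a caller that logs the message or returns it to a client may relay unexpected content, including line breaks. I would keep the message fixed, e.g. `Non-JSON response from gateway (${path})`, and log the truncated body separately; if it stays in the message, strip control characters first. The enclosing method starts above this hunk, so how `text` and `finalCorrelationId` are produced is not visible here.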
@@ -224,28 +198,47 @@ function mapAuthSuccess(res) {
224
198
  canonicalId: res.canonical_id,
225
199
  expiresAt: res.expires_at,
226
200
  isFirstLogin: res.is_first_login,
227
- ...res.verified_email ? { verifiedEmail: res.verified_email } : {}
201
+ ...res.verified_email ? {
202
+ verifiedEmail: res.verified_email
203
+ } : {}
228
204
  };
229
205
  }
206
+ __name(mapAuthSuccess, "mapAuthSuccess");
230
207
 
231
208
  // src/direct-auth/pafi-direct-auth.module-options.ts
232
- var PAFI_DIRECT_AUTH_MODULE_OPTIONS = /* @__PURE__ */ Symbol(
233
- "PAFI_DIRECT_AUTH_MODULE_OPTIONS"
234
- );
209
+ var PAFI_DIRECT_AUTH_MODULE_OPTIONS = /* @__PURE__ */ Symbol("PAFI_DIRECT_AUTH_MODULE_OPTIONS");
235
210
 
236
211
  // src/direct-auth/services/pafi-auth-client.provider.ts
212
+ function _ts_decorate(decorators, target, key, desc) {
213
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
214
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
215
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
216
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
217
+ }
218
+ __name(_ts_decorate, "_ts_decorate");
219
+ function _ts_metadata(k, v) {
220
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
221
+ }
222
+ __name(_ts_metadata, "_ts_metadata");
223
+ function _ts_param(paramIndex, decorator) {
224
+ return function(target, key) {
225
+ decorator(target, key, paramIndex);
226
+ };
227
+ }
228
+ __name(_ts_param, "_ts_param");
237
229
  var PafiAuthClientProvider = class {
238
- constructor(options) {
239
- this.options = options;
230
+ static {
231
+ __name(this, "PafiAuthClientProvider");
240
232
  }
241
233
  options;
242
234
  _client;
235
+ constructor(options) {
236
+ this.options = options;
237
+ }
243
238
  onModuleInit() {
244
239
  const jwk = this.options.clientPrivateJwk;
245
240
  if (!jwk.kid) {
246
- throw new Error(
247
- "PafiDirectAuthModule: clientPrivateJwk.kid is required \u2014 gateway uses kid for key lookup"
248
- );
241
+ throw new Error("PafiDirectAuthModule: clientPrivateJwk.kid is required \u2014 gateway uses kid for key lookup");
249
242
  }
250
243
  this._client = new PafiAuthClient({
251
244
  gatewayUrl: this.options.gatewayUrl,
@@ -258,21 +251,43 @@ var PafiAuthClientProvider = class {
258
251
  return this._client;
259
252
  }
260
253
  };
261
- PafiAuthClientProvider = __decorateClass([
254
+ PafiAuthClientProvider = _ts_decorate([
262
255
  (0, import_common.Injectable)(),
263
- __decorateParam(0, (0, import_common.Inject)(PAFI_DIRECT_AUTH_MODULE_OPTIONS))
256
+ _ts_param(0, (0, import_common.Inject)(PAFI_DIRECT_AUTH_MODULE_OPTIONS)),
257
+ _ts_metadata("design:type", Function),
258
+ _ts_metadata("design:paramtypes", [
259
+ typeof PafiDirectAuthModuleOptions === "undefined" ? Object : PafiDirectAuthModuleOptions
260
+ ])
264
261
  ], PafiAuthClientProvider);
265
262
 
266
263
  // src/direct-auth/services/pafi-session-verifier.service.ts
267
264
  var import_common2 = require("@nestjs/common");
268
265
  var import_jose2 = require("jose");
266
+ function _ts_decorate2(decorators, target, key, desc) {
267
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
268
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
269
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
270
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
271
+ }
272
+ __name(_ts_decorate2, "_ts_decorate");
273
+ function _ts_metadata2(k, v) {
274
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
275
+ }
276
+ __name(_ts_metadata2, "_ts_metadata");
277
+ function _ts_param2(paramIndex, decorator) {
278
+ return function(target, key) {
279
+ decorator(target, key, paramIndex);
280
+ };
281
+ }
282
+ __name(_ts_param2, "_ts_param");
269
283
  var PafiSessionVerifierService = class {
284
+ static {
285
+ __name(this, "PafiSessionVerifierService");
286
+ }
270
287
  jwks;
271
288
  expectedIssuer;
272
289
  constructor(options) {
273
- this.jwks = (0, import_jose2.createRemoteJWKSet)(
274
- new URL(`${options.gatewayUrl}/.well-known/jwks.json`)
275
- );
290
+ this.jwks = (0, import_jose2.createRemoteJWKSet)(new URL(`${options.gatewayUrl}/.well-known/jwks.json`));
276
291
  this.expectedIssuer = options.gatewayUrl;
277
292
  }
278
293
  async verify(token) {
@@ -282,14 +297,10 @@ var PafiSessionVerifierService = class {
282
297
  issuer: this.expectedIssuer
283
298
  }));
284
299
  } catch (err) {
285
- throw new import_common2.UnauthorizedException(
286
- `Invalid pafi_session_token: ${err.message}`
287
- );
300
+ throw new import_common2.UnauthorizedException(`Invalid pafi_session_token: ${err.message}`);
288
301
  }
289
302
  if (payload.scope !== "pafi-session") {
290
- throw new import_common2.UnauthorizedException(
291
- `pafi_session_token has wrong scope: ${String(payload.scope)}`
292
- );
303
+ throw new import_common2.UnauthorizedException(`pafi_session_token has wrong scope: ${String(payload.scope)}`);
293
304
  }
294
305
  if (typeof payload.sub !== "string") {
295
306
  throw new import_common2.UnauthorizedException("pafi_session_token missing sub");
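Review bot: The first two UnauthorizedException messages in this hunk echo verification detail back to the caller: `err.message` from the failed verification and `String(payload.scope)` from the token. Nest's default exception filter returns the exception message in the 401 body, so a client can tell which check failed. I would log the detail server-side and throw a fixed `new import_common2.UnauthorizedException("Invalid pafi_session_token")` instead. Only `issuer` is visible among the verification options because the call starts above the hunk, so it is worth confirming there that the accepted `algorithms` (and an `audience`, if the gateway sets one) are pinned as well.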
@@ -297,9 +308,7 @@ var PafiSessionVerifierService = class {
297
308
  if (typeof payload.exp !== "number" || typeof payload.iat !== "number") {
298
309
  throw new import_common2.UnauthorizedException("pafi_session_token missing iat/exp");
299
310
  }
300
- const verifiedAttribute = parseVerifiedAttribute(
301
- payload.verified_attribute
302
- );
311
+ const verifiedAttribute = parseVerifiedAttribute(payload.verified_attribute);
303
312
  return {
304
313
  sub: payload.sub,
305
314
  scope: "pafi-session",
@@ -311,9 +320,13 @@ var PafiSessionVerifierService = class {
311
320
  };
312
321
  }
313
322
  };
314
- PafiSessionVerifierService = __decorateClass([
323
+ PafiSessionVerifierService = _ts_decorate2([
315
324
  (0, import_common2.Injectable)(),
316
- __decorateParam(0, (0, import_common2.Inject)(PAFI_DIRECT_AUTH_MODULE_OPTIONS))
325
+ _ts_param2(0, (0, import_common2.Inject)(PAFI_DIRECT_AUTH_MODULE_OPTIONS)),
326
+ _ts_metadata2("design:type", Function),
327
+ _ts_metadata2("design:paramtypes", [
328
+ typeof PafiDirectAuthModuleOptions === "undefined" ? Object : PafiDirectAuthModuleOptions
329
+ ])
317
330
  ], PafiSessionVerifierService);
318
331
  function parseVerifiedAttribute(raw) {
319
332
  if (!raw || typeof raw !== "object") return void 0;
@@ -324,6 +337,7 @@ function parseVerifiedAttribute(raw) {
324
337
  valueHash: typeof obj.value_hash === "string" ? obj.value_hash : void 0
325
338
  };
326
339
  }
340
+ __name(parseVerifiedAttribute, "parseVerifiedAttribute");
327
341
 
328
342
  // src/direct-auth/services/pafi-direct-auth.service.ts
329
343
  var import_common3 = require("@nestjs/common");
@@ -335,18 +349,38 @@ var USER_STORE = /* @__PURE__ */ Symbol("USER_STORE");
335
349
  var SESSION_TOKEN_MINTER = /* @__PURE__ */ Symbol("SESSION_TOKEN_MINTER");
336
350
 
337
351
  // src/direct-auth/services/pafi-direct-auth.service.ts
338
- var PafiDirectAuthService = class {
352
+ function _ts_decorate3(decorators, target, key, desc) {
353
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
354
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
355
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
356
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
357
+ }
358
+ __name(_ts_decorate3, "_ts_decorate");
359
+ function _ts_metadata3(k, v) {
360
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
361
+ }
362
+ __name(_ts_metadata3, "_ts_metadata");
363
+ function _ts_param3(paramIndex, decorator) {
364
+ return function(target, key) {
365
+ decorator(target, key, paramIndex);
366
+ };
367
+ }
368
+ __name(_ts_param3, "_ts_param");
369
+ var PafiDirectAuthService = class _PafiDirectAuthService {
370
+ static {
371
+ __name(this, "PafiDirectAuthService");
372
+ }
373
+ clientProvider;
374
+ sessionVerifier;
375
+ userStore;
376
+ sessionTokenMinter;
377
+ logger = new import_common3.Logger(_PafiDirectAuthService.name);
339
378
  constructor(clientProvider, sessionVerifier, userStore, sessionTokenMinter) {
340
379
  this.clientProvider = clientProvider;
341
380
  this.sessionVerifier = sessionVerifier;
342
381
  this.userStore = userStore;
343
382
  this.sessionTokenMinter = sessionTokenMinter;
344
383
  }
345
- clientProvider;
346
- sessionVerifier;
347
- userStore;
348
- sessionTokenMinter;
349
- logger = new import_common3.Logger(PafiDirectAuthService.name);
350
384
  // ── Email OTP ────────────────────────────────────────────────────
351
385
  async startEmail(args) {
352
386
  return this.clientProvider.client.startEmail({
@@ -399,14 +433,23 @@ var PafiDirectAuthService = class {
399
433
  pafiSessionToken: success.pafiSessionToken,
400
434
  canonicalId: success.canonicalId,
401
435
  isFirstLogin: success.isFirstLogin,
402
- ...success.verifiedEmail ? { verifiedEmail: success.verifiedEmail } : {}
436
+ ...success.verifiedEmail ? {
437
+ verifiedEmail: success.verifiedEmail
438
+ } : {}
403
439
  };
404
440
  }
405
441
  };
406
- PafiDirectAuthService = __decorateClass([
442
+ PafiDirectAuthService = _ts_decorate3([
407
443
  (0, import_common3.Injectable)(),
408
- __decorateParam(2, (0, import_common3.Inject)(USER_STORE)),
409
- __decorateParam(3, (0, import_common3.Inject)(SESSION_TOKEN_MINTER))
444
+ _ts_param3(2, (0, import_common3.Inject)(USER_STORE)),
445
+ _ts_param3(3, (0, import_common3.Inject)(SESSION_TOKEN_MINTER)),
446
+ _ts_metadata3("design:type", Function),
447
+ _ts_metadata3("design:paramtypes", [
448
+ typeof PafiAuthClientProvider === "undefined" ? Object : PafiAuthClientProvider,
449
+ typeof PafiSessionVerifierService === "undefined" ? Object : PafiSessionVerifierService,
450
+ typeof IUserStore === "undefined" ? Object : IUserStore,
451
+ typeof ISessionTokenMinter === "undefined" ? Object : ISessionTokenMinter
452
+ ])
410
453
  ], PafiDirectAuthService);
411
454
 
412
455
  // src/direct-auth/pafi-direct-auth.controller.ts
@@ -416,74 +459,120 @@ var import_swagger2 = require("@nestjs/swagger");
416
459
  // src/direct-auth/pafi-direct-auth.dto.ts
417
460
  var import_swagger = require("@nestjs/swagger");
418
461
  var import_class_validator = require("class-validator");
462
+ function _ts_decorate4(decorators, target, key, desc) {
463
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
464
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
465
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
466
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
467
+ }
468
+ __name(_ts_decorate4, "_ts_decorate");
469
+ function _ts_metadata4(k, v) {
470
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
471
+ }
472
+ __name(_ts_metadata4, "_ts_metadata");
419
473
  var EmailStartRequestDto = class {
474
+ static {
475
+ __name(this, "EmailStartRequestDto");
476
+ }
420
477
  email;
421
478
  };
422
- __decorateClass([
423
- (0, import_swagger.ApiProperty)({ example: "user1@example.com" }),
479
+ _ts_decorate4([
480
+ (0, import_swagger.ApiProperty)({
481
+ example: "user1@example.com"
482
+ }),
424
483
  (0, import_class_validator.IsEmail)(),
425
- (0, import_class_validator.MaxLength)(320)
426
- ], EmailStartRequestDto.prototype, "email", 2);
484
+ (0, import_class_validator.MaxLength)(320),
485
+ _ts_metadata4("design:type", String)
486
+ ], EmailStartRequestDto.prototype, "email", void 0);
427
487
  var EmailVerifyRequestDto = class {
488
+ static {
489
+ __name(this, "EmailVerifyRequestDto");
490
+ }
428
491
  challengeId;
429
492
  otpCode;
430
493
  };
431
- __decorateClass([
494
+ _ts_decorate4([
432
495
  (0, import_swagger.ApiProperty)({
433
496
  description: "Challenge id returned by POST /auth/v2/email/start. Opaque to the FE; echo verbatim."
434
497
  }),
435
498
  (0, import_class_validator.IsString)(),
436
499
  (0, import_class_validator.IsNotEmpty)(),
437
- (0, import_class_validator.MaxLength)(128)
438
- ], EmailVerifyRequestDto.prototype, "challengeId", 2);
439
- __decorateClass([
440
- (0, import_swagger.ApiProperty)({ example: "123456" }),
500
+ (0, import_class_validator.MaxLength)(128),
501
+ _ts_metadata4("design:type", String)
502
+ ], EmailVerifyRequestDto.prototype, "challengeId", void 0);
503
+ _ts_decorate4([
504
+ (0, import_swagger.ApiProperty)({
505
+ example: "123456"
506
+ }),
441
507
  (0, import_class_validator.IsString)(),
442
- (0, import_class_validator.Length)(4, 10)
443
- ], EmailVerifyRequestDto.prototype, "otpCode", 2);
508
+ (0, import_class_validator.Length)(4, 10),
509
+ _ts_metadata4("design:type", String)
510
+ ], EmailVerifyRequestDto.prototype, "otpCode", void 0);
444
511
  var GoogleExchangeRequestDto = class {
512
+ static {
513
+ __name(this, "GoogleExchangeRequestDto");
514
+ }
445
515
  idToken;
446
516
  };
447
- __decorateClass([
517
+ _ts_decorate4([
448
518
  (0, import_swagger.ApiProperty)({
449
519
  description: "Google-issued ID token (JWS). Obtain on FE via Google Identity Services using PAFI's Google OAuth client_id."
450
520
  }),
451
521
  (0, import_class_validator.IsString)(),
452
522
  (0, import_class_validator.IsNotEmpty)(),
453
- (0, import_class_validator.MaxLength)(8192)
454
- ], GoogleExchangeRequestDto.prototype, "idToken", 2);
523
+ (0, import_class_validator.MaxLength)(8192),
524
+ _ts_metadata4("design:type", String)
525
+ ], GoogleExchangeRequestDto.prototype, "idToken", void 0);
455
526
  var KakaoExchangeRequestDto = class {
527
+ static {
528
+ __name(this, "KakaoExchangeRequestDto");
529
+ }
456
530
  code;
457
531
  redirectUri;
458
532
  };
459
- __decorateClass([
533
+ _ts_decorate4([
460
534
  (0, import_swagger.ApiProperty)({
461
535
  description: "Authorization code returned by Kakao to the FE redirect URL."
462
536
  }),
463
537
  (0, import_class_validator.IsString)(),
464
538
  (0, import_class_validator.IsNotEmpty)(),
465
- (0, import_class_validator.MaxLength)(2048)
466
- ], KakaoExchangeRequestDto.prototype, "code", 2);
467
- __decorateClass([
539
+ (0, import_class_validator.MaxLength)(2048),
540
+ _ts_metadata4("design:type", String)
541
+ ], KakaoExchangeRequestDto.prototype, "code", void 0);
542
+ _ts_decorate4([
468
543
  (0, import_swagger.ApiProperty)({
469
544
  description: "Redirect URI the FE used when initiating the Kakao flow. Optional \u2014 gateway falls back to its own KAKAO_REDIRECT_URI env.",
470
545
  required: false
471
546
  }),
472
547
  (0, import_class_validator.IsOptional)(),
473
- (0, import_class_validator.IsUrl)({ require_tld: false, require_protocol: true }),
474
- (0, import_class_validator.MaxLength)(2048)
475
- ], KakaoExchangeRequestDto.prototype, "redirectUri", 2);
548
+ (0, import_class_validator.IsUrl)({
549
+ require_tld: false,
550
+ require_protocol: true
551
+ }),
552
+ (0, import_class_validator.MaxLength)(2048),
553
+ _ts_metadata4("design:type", String)
554
+ ], KakaoExchangeRequestDto.prototype, "redirectUri", void 0);
476
555
  var EmailStartResponseDto = class {
556
+ static {
557
+ __name(this, "EmailStartResponseDto");
558
+ }
477
559
  challengeId;
478
560
  expiresInSec;
479
561
  };
480
- __decorateClass([
481
- (0, import_swagger.ApiProperty)()
482
- ], EmailStartResponseDto.prototype, "challengeId", 2);
483
- __decorateClass([
484
- (0, import_swagger.ApiProperty)({ description: "Seconds until the challenge expires." })
485
- ], EmailStartResponseDto.prototype, "expiresInSec", 2);
562
+ _ts_decorate4([
563
+ (0, import_swagger.ApiProperty)(),
564
+ _ts_metadata4("design:type", String)
565
+ ], EmailStartResponseDto.prototype, "challengeId", void 0);
566
+ _ts_decorate4([
567
+ (0, import_swagger.ApiProperty)({
568
+ description: "Seconds until the challenge expires."
569
+ }),
570
+ _ts_metadata4("design:type", Number)
571
+ ], EmailStartResponseDto.prototype, "expiresInSec", void 0);
486
572
  var PafiAuthSuccessDto = class {
573
+ static {
574
+ __name(this, "PafiAuthSuccessDto");
575
+ }
487
576
  sessionToken;
488
577
  sessionExpiresAt;
489
578
  pafiJwt;
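Review bot: In the request DTOs, `otpCode` is constrained only by `IsString()` and `Length(4, 10)`, and `redirectUri` uses `IsUrl` with no `protocols` option, so the scheme list is left at the validator's default. If the gateway's codes are numeric, as the `"123456"` example suggests, `@Matches(/^\d+$/)` on `otpCode` rejects malformed input before it is forwarded. For `redirectUri`, `@IsUrl({ require_tld: false, require_protocol: true, protocols: ["http", "https"] })` makes the accepted schemes explicit rather than relying on the default, which to my knowledge also admits `ftp`. Both changes belong in `src/direct-auth/pafi-direct-auth.dto.ts`, since this file is build output; PafiAuthSuccessDto continues past the end of the hunk.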
@@ -492,47 +581,80 @@ var PafiAuthSuccessDto = class {
492
581
  isFirstLogin;
493
582
  verifiedEmail;
494
583
  };
495
- __decorateClass([
584
+ _ts_decorate4([
496
585
  (0, import_swagger.ApiProperty)({
497
586
  description: "Issuer-native session token (typically HS256, minted by ISessionTokenMinter) \u2014 Bearer-auth for subsequent issuer API calls."
498
- })
499
- ], PafiAuthSuccessDto.prototype, "sessionToken", 2);
500
- __decorateClass([
501
- (0, import_swagger.ApiProperty)({ description: "Issuer session token expiration (ISO 8601)." })
502
- ], PafiAuthSuccessDto.prototype, "sessionExpiresAt", 2);
503
- __decorateClass([
587
+ }),
588
+ _ts_metadata4("design:type", String)
589
+ ], PafiAuthSuccessDto.prototype, "sessionToken", void 0);
590
+ _ts_decorate4([
591
+ (0, import_swagger.ApiProperty)({
592
+ description: "Issuer session token expiration (ISO 8601)."
593
+ }),
594
+ _ts_metadata4("design:type", String)
595
+ ], PafiAuthSuccessDto.prototype, "sessionExpiresAt", void 0);
596
+ _ts_decorate4([
504
597
  (0, import_swagger.ApiProperty)({
505
598
  description: "Short-lived PAFI JWT (60s) \u2014 FE feeds verbatim to Privy.loginWithCustomAuth() to provision the embedded wallet."
506
- })
507
- ], PafiAuthSuccessDto.prototype, "pafiJwt", 2);
508
- __decorateClass([
599
+ }),
600
+ _ts_metadata4("design:type", String)
601
+ ], PafiAuthSuccessDto.prototype, "pafiJwt", void 0);
602
+ _ts_decorate4([
509
603
  (0, import_swagger.ApiProperty)({
510
604
  description: "Long-lived PAFI session token (24h) \u2014 opaque to FE; keep alongside sessionToken if you ever need to call the gateway directly."
511
- })
512
- ], PafiAuthSuccessDto.prototype, "pafiSessionToken", 2);
513
- __decorateClass([
514
- (0, import_swagger.ApiProperty)({ description: "canonical_pafi_user_id assigned by the gateway." })
515
- ], PafiAuthSuccessDto.prototype, "canonicalId", 2);
516
- __decorateClass([
605
+ }),
606
+ _ts_metadata4("design:type", String)
607
+ ], PafiAuthSuccessDto.prototype, "pafiSessionToken", void 0);
608
+ _ts_decorate4([
609
+ (0, import_swagger.ApiProperty)({
610
+ description: "canonical_pafi_user_id assigned by the gateway."
611
+ }),
612
+ _ts_metadata4("design:type", String)
613
+ ], PafiAuthSuccessDto.prototype, "canonicalId", void 0);
614
+ _ts_decorate4([
517
615
  (0, import_swagger.ApiProperty)({
518
616
  description: "True the first time the user appears at the gateway."
519
- })
520
- ], PafiAuthSuccessDto.prototype, "isFirstLogin", 2);
521
- __decorateClass([
617
+ }),
618
+ _ts_metadata4("design:type", Boolean)
619
+ ], PafiAuthSuccessDto.prototype, "isFirstLogin", void 0);
620
+ _ts_decorate4([
522
621
  (0, import_swagger.ApiProperty)({
523
622
  description: "Verified email (when the auth method exposed one \u2014 email OTP and Google always; Kakao only if the user shared their email).",
524
623
  required: false
525
- })
526
- ], PafiAuthSuccessDto.prototype, "verifiedEmail", 2);
624
+ }),
625
+ _ts_metadata4("design:type", String)
626
+ ], PafiAuthSuccessDto.prototype, "verifiedEmail", void 0);
527
627
 
528
628
  // src/direct-auth/pafi-direct-auth.controller.ts
629
+ function _ts_decorate5(decorators, target, key, desc) {
630
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
631
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
632
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
633
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
634
+ }
635
+ __name(_ts_decorate5, "_ts_decorate");
636
+ function _ts_metadata5(k, v) {
637
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
638
+ }
639
+ __name(_ts_metadata5, "_ts_metadata");
640
+ function _ts_param4(paramIndex, decorator) {
641
+ return function(target, key) {
642
+ decorator(target, key, paramIndex);
643
+ };
644
+ }
645
+ __name(_ts_param4, "_ts_param");
529
646
  var PafiDirectAuthController = class {
647
+ static {
648
+ __name(this, "PafiDirectAuthController");
649
+ }
650
+ directAuth;
530
651
  constructor(directAuth) {
531
652
  this.directAuth = directAuth;
532
653
  }
533
- directAuth;
534
654
  async startEmail(body) {
535
- const res = await this.directAuth.startEmail({ email: body.email });
655
+ const res = await this.directAuth.startEmail({
656
+ email: body.email
657
+ });
536
658
  return {
537
659
  challengeId: res.challengeId,
538
660
  expiresInSec: res.expiresInSec
@@ -545,7 +667,9 @@ var PafiDirectAuthController = class {
545
667
  });
546
668
  }
547
669
  async exchangeGoogle(body) {
548
- return this.directAuth.exchangeGoogle({ idToken: body.idToken });
670
+ return this.directAuth.exchangeGoogle({
671
+ idToken: body.idToken
672
+ });
549
673
  }
550
674
  async exchangeKakao(body) {
551
675
  return this.directAuth.exchangeKakao({
@@ -554,58 +678,102 @@ var PafiDirectAuthController = class {
554
678
  });
555
679
  }
556
680
  };
557
- __decorateClass([
681
+ _ts_decorate5([
558
682
  (0, import_common4.Post)("email/start"),
559
683
  (0, import_common4.HttpCode)(import_common4.HttpStatus.OK),
560
684
  (0, import_swagger2.ApiOperation)({
561
685
  summary: "Step 1: ask gateway to send an OTP to the user email.",
562
686
  description: "Gateway generates the OTP, sends it via its configured email provider, and returns an opaque challenge_id. The FE echoes that challenge_id back on step 2 along with the code the user typed."
563
687
  }),
564
- (0, import_swagger2.ApiOkResponse)({ type: EmailStartResponseDto }),
565
- __decorateParam(0, (0, import_common4.Body)())
566
- ], PafiDirectAuthController.prototype, "startEmail", 1);
567
- __decorateClass([
688
+ (0, import_swagger2.ApiOkResponse)({
689
+ type: EmailStartResponseDto
690
+ }),
691
+ _ts_param4(0, (0, import_common4.Body)()),
692
+ _ts_metadata5("design:type", Function),
693
+ _ts_metadata5("design:paramtypes", [
694
+ typeof EmailStartRequestDto === "undefined" ? Object : EmailStartRequestDto
695
+ ]),
696
+ _ts_metadata5("design:returntype", Promise)
697
+ ], PafiDirectAuthController.prototype, "startEmail", null);
698
+ _ts_decorate5([
568
699
  (0, import_common4.Post)("email/verify"),
569
700
  (0, import_common4.HttpCode)(import_common4.HttpStatus.OK),
570
701
  (0, import_swagger2.ApiOperation)({
571
702
  summary: "Step 2: submit the OTP to complete email sign-in.",
572
703
  description: "Gateway verifies the OTP, derives canonical_id from the verified email, and mints both a pafi_session_token (24h, gateway-signed) and pafi_jwt (60s, for Privy.loginWithCustomAuth). Issuer wraps these in a session token of its own (sub = canonical_id) so existing guards keep working."
573
704
  }),
574
- (0, import_swagger2.ApiOkResponse)({ type: PafiAuthSuccessDto }),
575
- __decorateParam(0, (0, import_common4.Body)())
576
- ], PafiDirectAuthController.prototype, "verifyEmail", 1);
577
- __decorateClass([
705
+ (0, import_swagger2.ApiOkResponse)({
706
+ type: PafiAuthSuccessDto
707
+ }),
708
+ _ts_param4(0, (0, import_common4.Body)()),
709
+ _ts_metadata5("design:type", Function),
710
+ _ts_metadata5("design:paramtypes", [
711
+ typeof EmailVerifyRequestDto === "undefined" ? Object : EmailVerifyRequestDto
712
+ ]),
713
+ _ts_metadata5("design:returntype", Promise)
714
+ ], PafiDirectAuthController.prototype, "verifyEmail", null);
715
+ _ts_decorate5([
578
716
  (0, import_common4.Post)("google/exchange"),
579
717
  (0, import_common4.HttpCode)(import_common4.HttpStatus.OK),
580
718
  (0, import_swagger2.ApiOperation)({
581
719
  summary: "Sign in with Google.",
582
720
  description: "Hand the gateway a Google-issued id_token (FE obtains via Google Identity Services using PAFI's shared client_id). Gateway verifies signature + email_verified, derives canonical_id from the email, returns the same token bundle as /email/verify."
583
721
  }),
584
- (0, import_swagger2.ApiOkResponse)({ type: PafiAuthSuccessDto }),
585
- __decorateParam(0, (0, import_common4.Body)())
586
- ], PafiDirectAuthController.prototype, "exchangeGoogle", 1);
587
- __decorateClass([
722
+ (0, import_swagger2.ApiOkResponse)({
723
+ type: PafiAuthSuccessDto
724
+ }),
725
+ _ts_param4(0, (0, import_common4.Body)()),
726
+ _ts_metadata5("design:type", Function),
727
+ _ts_metadata5("design:paramtypes", [
728
+ typeof GoogleExchangeRequestDto === "undefined" ? Object : GoogleExchangeRequestDto
729
+ ]),
730
+ _ts_metadata5("design:returntype", Promise)
731
+ ], PafiDirectAuthController.prototype, "exchangeGoogle", null);
732
+ _ts_decorate5([
588
733
  (0, import_common4.Post)("kakao/exchange"),
589
734
  (0, import_common4.HttpCode)(import_common4.HttpStatus.OK),
590
735
  (0, import_swagger2.ApiOperation)({
591
736
  summary: "Sign in with Kakao.",
592
737
  description: "Hand the gateway the authorization code Kakao redirected back to the FE. Gateway exchanges with Kakao server-to-server (using PAFI-held client_secret), verifies the id_token, and returns the same token bundle as /email/verify. canonical_id derives from email when present, else from the Kakao sub."
593
738
  }),
594
- (0, import_swagger2.ApiOkResponse)({ type: PafiAuthSuccessDto }),
595
- __decorateParam(0, (0, import_common4.Body)())
596
- ], PafiDirectAuthController.prototype, "exchangeKakao", 1);
597
- PafiDirectAuthController = __decorateClass([
739
+ (0, import_swagger2.ApiOkResponse)({
740
+ type: PafiAuthSuccessDto
741
+ }),
742
+ _ts_param4(0, (0, import_common4.Body)()),
743
+ _ts_metadata5("design:type", Function),
744
+ _ts_metadata5("design:paramtypes", [
745
+ typeof KakaoExchangeRequestDto === "undefined" ? Object : KakaoExchangeRequestDto
746
+ ]),
747
+ _ts_metadata5("design:returntype", Promise)
748
+ ], PafiDirectAuthController.prototype, "exchangeKakao", null);
749
+ PafiDirectAuthController = _ts_decorate5([
598
750
  (0, import_swagger2.ApiTags)("pafi-auth-v2"),
599
- (0, import_common4.Controller)("auth/v2")
751
+ (0, import_common4.Controller)("auth/v2"),
752
+ _ts_metadata5("design:type", Function),
753
+ _ts_metadata5("design:paramtypes", [
754
+ typeof PafiDirectAuthService === "undefined" ? Object : PafiDirectAuthService
755
+ ])
600
756
  ], PafiDirectAuthController);
601
757
 
602
758
  // src/direct-auth/pafi-direct-auth.module.ts
603
- var PafiDirectAuthModule = class {
759
+ function _ts_decorate6(decorators, target, key, desc) {
760
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
761
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
762
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
763
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
764
+ }
765
+ __name(_ts_decorate6, "_ts_decorate");
766
+ var PafiDirectAuthModule = class _PafiDirectAuthModule {
767
+ static {
768
+ __name(this, "PafiDirectAuthModule");
769
+ }
604
770
  static forRoot(options) {
605
771
  return {
606
- module: PafiDirectAuthModule,
772
+ module: _PafiDirectAuthModule,
607
773
  imports: options.imports ?? [],
608
- controllers: [PafiDirectAuthController],
774
+ controllers: [
775
+ PafiDirectAuthController
776
+ ],
609
777
  providers: [
610
778
  {
611
779
  provide: PAFI_DIRECT_AUTH_MODULE_OPTIONS,
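Review bot: The `design:paramtypes` entries added for `startEmail`, `verifyEmail`, `exchangeGoogle` and `exchangeKakao` fall back to `Object` whenever the DTO binding is undefined at decoration time (`typeof EmailStartRequestDto === "undefined" ? Object : EmailStartRequestDto`), and nothing visible in this hunk fails when that fallback is taken. If the host application relies on a NestJS `ValidationPipe` for these `auth/v2` request bodies, a recorded type of `Object` makes the pipe skip validation, so a bundling-order or type-only-import regression would silently drop the input checks on `email`, `idToken` and the Kakao authorization code. This is generated output, so the guard belongs in the source package's tests, for example `assert.strictEqual(Reflect.getMetadata("design:paramtypes", PafiDirectAuthController.prototype, "startEmail")[0], EmailStartRequestDto);`, repeated for the other three handlers. The same fallback is applied to the constructor's `PafiDirectAuthService` type, where `Object` would presumably surface as a dependency-injection failure at startup rather than pass unnoticed.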
@@ -639,7 +807,7 @@ var PafiDirectAuthModule = class {
639
807
  };
640
808
  }
641
809
  };
642
- PafiDirectAuthModule = __decorateClass([
810
+ PafiDirectAuthModule = _ts_decorate6([
643
811
  (0, import_common5.Module)({})
644
812
  ], PafiDirectAuthModule);
645
813
  // Annotate the CommonJS export names for ESM import in node: