@pafi-dev/issuer 0.39.2 → 0.40.0

@@ -1,10 +1,9 @@
1
1
  import {
2
2
  PafiAuthClient
3
- } from "../chunk-7VEYSL2C.js";
3
+ } from "../chunk-2Z3M2KQG.js";
4
4
  import {
5
- __decorateClass,
6
- __decorateParam
7
- } from "../chunk-BRKEJJFQ.js";
5
+ __name
6
+ } from "../chunk-7QVYU63E.js";
8
7
 
9
8
  // src/direct-auth/pafi-direct-auth.module.ts
10
9
  import { Module } from "@nestjs/common";
@@ -13,23 +12,39 @@ import { Module } from "@nestjs/common";
13
12
  import { Injectable, Inject } from "@nestjs/common";
14
13
 
15
14
  // src/direct-auth/pafi-direct-auth.module-options.ts
16
- var PAFI_DIRECT_AUTH_MODULE_OPTIONS = /* @__PURE__ */ Symbol(
17
- "PAFI_DIRECT_AUTH_MODULE_OPTIONS"
18
- );
15
+ var PAFI_DIRECT_AUTH_MODULE_OPTIONS = /* @__PURE__ */ Symbol("PAFI_DIRECT_AUTH_MODULE_OPTIONS");
19
16
 
20
17
  // src/direct-auth/services/pafi-auth-client.provider.ts
18
+ function _ts_decorate(decorators, target, key, desc) {
19
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
20
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
21
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
22
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
23
+ }
24
+ __name(_ts_decorate, "_ts_decorate");
25
+ function _ts_metadata(k, v) {
26
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
27
+ }
28
+ __name(_ts_metadata, "_ts_metadata");
29
+ function _ts_param(paramIndex, decorator) {
30
+ return function(target, key) {
31
+ decorator(target, key, paramIndex);
32
+ };
33
+ }
34
+ __name(_ts_param, "_ts_param");
21
35
  var PafiAuthClientProvider = class {
22
- constructor(options) {
23
- this.options = options;
36
+ static {
37
+ __name(this, "PafiAuthClientProvider");
24
38
  }
25
39
  options;
26
40
  _client;
41
+ constructor(options) {
42
+ this.options = options;
43
+ }
27
44
  onModuleInit() {
28
45
  const jwk = this.options.clientPrivateJwk;
29
46
  if (!jwk.kid) {
30
- throw new Error(
31
- "PafiDirectAuthModule: clientPrivateJwk.kid is required \u2014 gateway uses kid for key lookup"
32
- );
47
+ throw new Error("PafiDirectAuthModule: clientPrivateJwk.kid is required \u2014 gateway uses kid for key lookup");
33
48
  }
34
49
  this._client = new PafiAuthClient({
35
50
  gatewayUrl: this.options.gatewayUrl,
@@ -42,25 +57,43 @@ var PafiAuthClientProvider = class {
42
57
  return this._client;
43
58
  }
44
59
  };
45
- PafiAuthClientProvider = __decorateClass([
60
+ PafiAuthClientProvider = _ts_decorate([
46
61
  Injectable(),
47
- __decorateParam(0, Inject(PAFI_DIRECT_AUTH_MODULE_OPTIONS))
62
+ _ts_param(0, Inject(PAFI_DIRECT_AUTH_MODULE_OPTIONS)),
63
+ _ts_metadata("design:type", Function),
64
+ _ts_metadata("design:paramtypes", [
65
+ typeof PafiDirectAuthModuleOptions === "undefined" ? Object : PafiDirectAuthModuleOptions
66
+ ])
48
67
  ], PafiAuthClientProvider);
49
68
 
50
69
  // src/direct-auth/services/pafi-session-verifier.service.ts
51
- import {
52
- Injectable as Injectable2,
53
- Inject as Inject2,
54
- UnauthorizedException
55
- } from "@nestjs/common";
70
+ import { Injectable as Injectable2, Inject as Inject2, UnauthorizedException } from "@nestjs/common";
56
71
  import { createRemoteJWKSet, jwtVerify } from "jose";
72
+ function _ts_decorate2(decorators, target, key, desc) {
73
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
74
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
75
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
76
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
77
+ }
78
+ __name(_ts_decorate2, "_ts_decorate");
79
+ function _ts_metadata2(k, v) {
80
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
81
+ }
82
+ __name(_ts_metadata2, "_ts_metadata");
83
+ function _ts_param2(paramIndex, decorator) {
84
+ return function(target, key) {
85
+ decorator(target, key, paramIndex);
86
+ };
87
+ }
88
+ __name(_ts_param2, "_ts_param");
57
89
  var PafiSessionVerifierService = class {
90
+ static {
91
+ __name(this, "PafiSessionVerifierService");
92
+ }
58
93
  jwks;
59
94
  expectedIssuer;
60
95
  constructor(options) {
61
- this.jwks = createRemoteJWKSet(
62
- new URL(`${options.gatewayUrl}/.well-known/jwks.json`)
63
- );
96
+ this.jwks = createRemoteJWKSet(new URL(`${options.gatewayUrl}/.well-known/jwks.json`));
64
97
  this.expectedIssuer = options.gatewayUrl;
65
98
  }
66
99
  async verify(token) {
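Review bot: The PafiSessionVerifierService constructor derives both the JWKS URL and `expectedIssuer` from `options.gatewayUrl` without checking it, so a misconfigured `http://` value would fetch the signing keys over plaintext. A trailing slash would also produce `//.well-known/jwks.json` and an issuer string that may no longer match the token's `iss`. Parsing once and failing fast covers both, for example `const base = new URL(options.gatewayUrl); if (base.protocol !== "https:") throw new Error("gatewayUrl must be https");`, with an explicit opt-out for local development if one is needed. The same option is passed to PafiAuthClient in onModuleInit earlier in the file. verify() opens on the last line of this hunk and its body lies outside it.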
@@ -70,14 +103,10 @@ var PafiSessionVerifierService = class {
70
103
  issuer: this.expectedIssuer
71
104
  }));
72
105
  } catch (err) {
73
- throw new UnauthorizedException(
74
- `Invalid pafi_session_token: ${err.message}`
75
- );
106
+ throw new UnauthorizedException(`Invalid pafi_session_token: ${err.message}`);
76
107
  }
77
108
  if (payload.scope !== "pafi-session") {
78
- throw new UnauthorizedException(
79
- `pafi_session_token has wrong scope: ${String(payload.scope)}`
80
- );
109
+ throw new UnauthorizedException(`pafi_session_token has wrong scope: ${String(payload.scope)}`);
81
110
  }
82
111
  if (typeof payload.sub !== "string") {
83
112
  throw new UnauthorizedException("pafi_session_token missing sub");
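Review bot: The catch branch puts `err.message` from the verification library into the 401 body, which tells an unauthenticated caller which check failed (signature, issuer, expiry) and can surface errors from the JWKS fetch. A fixed message such as `throw new UnauthorizedException("Invalid pafi_session_token");`, with the detail logged server-side, keeps the diagnostic without exposing it. Only `issuer` is visible among the `jwtVerify` options; if the lines above the hunk do not already set `algorithms`, pinning it to the gateway's signing algorithm is worth adding. verify() starts and ends outside this hunk.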
@@ -85,9 +114,7 @@ var PafiSessionVerifierService = class {
85
114
  if (typeof payload.exp !== "number" || typeof payload.iat !== "number") {
86
115
  throw new UnauthorizedException("pafi_session_token missing iat/exp");
87
116
  }
88
- const verifiedAttribute = parseVerifiedAttribute(
89
- payload.verified_attribute
90
- );
117
+ const verifiedAttribute = parseVerifiedAttribute(payload.verified_attribute);
91
118
  return {
92
119
  sub: payload.sub,
93
120
  scope: "pafi-session",
@@ -99,9 +126,13 @@ var PafiSessionVerifierService = class {
99
126
  };
100
127
  }
101
128
  };
102
- PafiSessionVerifierService = __decorateClass([
129
+ PafiSessionVerifierService = _ts_decorate2([
103
130
  Injectable2(),
104
- __decorateParam(0, Inject2(PAFI_DIRECT_AUTH_MODULE_OPTIONS))
131
+ _ts_param2(0, Inject2(PAFI_DIRECT_AUTH_MODULE_OPTIONS)),
132
+ _ts_metadata2("design:type", Function),
133
+ _ts_metadata2("design:paramtypes", [
134
+ typeof PafiDirectAuthModuleOptions === "undefined" ? Object : PafiDirectAuthModuleOptions
135
+ ])
105
136
  ], PafiSessionVerifierService);
106
137
  function parseVerifiedAttribute(raw) {
107
138
  if (!raw || typeof raw !== "object") return void 0;
@@ -112,6 +143,7 @@ function parseVerifiedAttribute(raw) {
112
143
  valueHash: typeof obj.value_hash === "string" ? obj.value_hash : void 0
113
144
  };
114
145
  }
146
+ __name(parseVerifiedAttribute, "parseVerifiedAttribute");
115
147
 
116
148
  // src/direct-auth/services/pafi-direct-auth.service.ts
117
149
  import { Injectable as Injectable3, Inject as Inject3, Logger } from "@nestjs/common";
@@ -123,18 +155,38 @@ var USER_STORE = /* @__PURE__ */ Symbol("USER_STORE");
123
155
  var SESSION_TOKEN_MINTER = /* @__PURE__ */ Symbol("SESSION_TOKEN_MINTER");
124
156
 
125
157
  // src/direct-auth/services/pafi-direct-auth.service.ts
126
- var PafiDirectAuthService = class {
158
+ function _ts_decorate3(decorators, target, key, desc) {
159
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
160
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
161
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
162
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
163
+ }
164
+ __name(_ts_decorate3, "_ts_decorate");
165
+ function _ts_metadata3(k, v) {
166
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
167
+ }
168
+ __name(_ts_metadata3, "_ts_metadata");
169
+ function _ts_param3(paramIndex, decorator) {
170
+ return function(target, key) {
171
+ decorator(target, key, paramIndex);
172
+ };
173
+ }
174
+ __name(_ts_param3, "_ts_param");
175
+ var PafiDirectAuthService = class _PafiDirectAuthService {
176
+ static {
177
+ __name(this, "PafiDirectAuthService");
178
+ }
179
+ clientProvider;
180
+ sessionVerifier;
181
+ userStore;
182
+ sessionTokenMinter;
183
+ logger = new Logger(_PafiDirectAuthService.name);
127
184
  constructor(clientProvider, sessionVerifier, userStore, sessionTokenMinter) {
128
185
  this.clientProvider = clientProvider;
129
186
  this.sessionVerifier = sessionVerifier;
130
187
  this.userStore = userStore;
131
188
  this.sessionTokenMinter = sessionTokenMinter;
132
189
  }
133
- clientProvider;
134
- sessionVerifier;
135
- userStore;
136
- sessionTokenMinter;
137
- logger = new Logger(PafiDirectAuthService.name);
138
190
  // ── Email OTP ────────────────────────────────────────────────────
139
191
  async startEmail(args) {
140
192
  return this.clientProvider.client.startEmail({
@@ -187,105 +239,146 @@ var PafiDirectAuthService = class {
187
239
  pafiSessionToken: success.pafiSessionToken,
188
240
  canonicalId: success.canonicalId,
189
241
  isFirstLogin: success.isFirstLogin,
190
- ...success.verifiedEmail ? { verifiedEmail: success.verifiedEmail } : {}
242
+ ...success.verifiedEmail ? {
243
+ verifiedEmail: success.verifiedEmail
244
+ } : {}
191
245
  };
192
246
  }
193
247
  };
194
- PafiDirectAuthService = __decorateClass([
248
+ PafiDirectAuthService = _ts_decorate3([
195
249
  Injectable3(),
196
- __decorateParam(2, Inject3(USER_STORE)),
197
- __decorateParam(3, Inject3(SESSION_TOKEN_MINTER))
250
+ _ts_param3(2, Inject3(USER_STORE)),
251
+ _ts_param3(3, Inject3(SESSION_TOKEN_MINTER)),
252
+ _ts_metadata3("design:type", Function),
253
+ _ts_metadata3("design:paramtypes", [
254
+ typeof PafiAuthClientProvider === "undefined" ? Object : PafiAuthClientProvider,
255
+ typeof PafiSessionVerifierService === "undefined" ? Object : PafiSessionVerifierService,
256
+ typeof IUserStore === "undefined" ? Object : IUserStore,
257
+ typeof ISessionTokenMinter === "undefined" ? Object : ISessionTokenMinter
258
+ ])
198
259
  ], PafiDirectAuthService);
199
260
 
200
261
  // src/direct-auth/pafi-direct-auth.controller.ts
201
- import {
202
- Body,
203
- Controller,
204
- HttpCode,
205
- HttpStatus,
206
- Post
207
- } from "@nestjs/common";
262
+ import { Body, Controller, HttpCode, HttpStatus, Post } from "@nestjs/common";
208
263
  import { ApiOkResponse, ApiOperation, ApiTags } from "@nestjs/swagger";
209
264
 
210
265
  // src/direct-auth/pafi-direct-auth.dto.ts
211
266
  import { ApiProperty } from "@nestjs/swagger";
212
- import {
213
- IsEmail,
214
- IsNotEmpty,
215
- IsOptional,
216
- IsString,
217
- IsUrl,
218
- Length,
219
- MaxLength
220
- } from "class-validator";
267
+ import { IsEmail, IsNotEmpty, IsOptional, IsString, IsUrl, Length, MaxLength } from "class-validator";
268
+ function _ts_decorate4(decorators, target, key, desc) {
269
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
270
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
271
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
272
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
273
+ }
274
+ __name(_ts_decorate4, "_ts_decorate");
275
+ function _ts_metadata4(k, v) {
276
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
277
+ }
278
+ __name(_ts_metadata4, "_ts_metadata");
221
279
  var EmailStartRequestDto = class {
280
+ static {
281
+ __name(this, "EmailStartRequestDto");
282
+ }
222
283
  email;
223
284
  };
224
- __decorateClass([
225
- ApiProperty({ example: "user1@example.com" }),
285
+ _ts_decorate4([
286
+ ApiProperty({
287
+ example: "user1@example.com"
288
+ }),
226
289
  IsEmail(),
227
- MaxLength(320)
228
- ], EmailStartRequestDto.prototype, "email", 2);
290
+ MaxLength(320),
291
+ _ts_metadata4("design:type", String)
292
+ ], EmailStartRequestDto.prototype, "email", void 0);
229
293
  var EmailVerifyRequestDto = class {
294
+ static {
295
+ __name(this, "EmailVerifyRequestDto");
296
+ }
230
297
  challengeId;
231
298
  otpCode;
232
299
  };
233
- __decorateClass([
300
+ _ts_decorate4([
234
301
  ApiProperty({
235
302
  description: "Challenge id returned by POST /auth/v2/email/start. Opaque to the FE; echo verbatim."
236
303
  }),
237
304
  IsString(),
238
305
  IsNotEmpty(),
239
- MaxLength(128)
240
- ], EmailVerifyRequestDto.prototype, "challengeId", 2);
241
- __decorateClass([
242
- ApiProperty({ example: "123456" }),
306
+ MaxLength(128),
307
+ _ts_metadata4("design:type", String)
308
+ ], EmailVerifyRequestDto.prototype, "challengeId", void 0);
309
+ _ts_decorate4([
310
+ ApiProperty({
311
+ example: "123456"
312
+ }),
243
313
  IsString(),
244
- Length(4, 10)
245
- ], EmailVerifyRequestDto.prototype, "otpCode", 2);
314
+ Length(4, 10),
315
+ _ts_metadata4("design:type", String)
316
+ ], EmailVerifyRequestDto.prototype, "otpCode", void 0);
246
317
  var GoogleExchangeRequestDto = class {
318
+ static {
319
+ __name(this, "GoogleExchangeRequestDto");
320
+ }
247
321
  idToken;
248
322
  };
249
- __decorateClass([
323
+ _ts_decorate4([
250
324
  ApiProperty({
251
325
  description: "Google-issued ID token (JWS). Obtain on FE via Google Identity Services using PAFI's Google OAuth client_id."
252
326
  }),
253
327
  IsString(),
254
328
  IsNotEmpty(),
255
- MaxLength(8192)
256
- ], GoogleExchangeRequestDto.prototype, "idToken", 2);
329
+ MaxLength(8192),
330
+ _ts_metadata4("design:type", String)
331
+ ], GoogleExchangeRequestDto.prototype, "idToken", void 0);
257
332
  var KakaoExchangeRequestDto = class {
333
+ static {
334
+ __name(this, "KakaoExchangeRequestDto");
335
+ }
258
336
  code;
259
337
  redirectUri;
260
338
  };
261
- __decorateClass([
339
+ _ts_decorate4([
262
340
  ApiProperty({
263
341
  description: "Authorization code returned by Kakao to the FE redirect URL."
264
342
  }),
265
343
  IsString(),
266
344
  IsNotEmpty(),
267
- MaxLength(2048)
268
- ], KakaoExchangeRequestDto.prototype, "code", 2);
269
- __decorateClass([
345
+ MaxLength(2048),
346
+ _ts_metadata4("design:type", String)
347
+ ], KakaoExchangeRequestDto.prototype, "code", void 0);
348
+ _ts_decorate4([
270
349
  ApiProperty({
271
350
  description: "Redirect URI the FE used when initiating the Kakao flow. Optional \u2014 gateway falls back to its own KAKAO_REDIRECT_URI env.",
272
351
  required: false
273
352
  }),
274
353
  IsOptional(),
275
- IsUrl({ require_tld: false, require_protocol: true }),
276
- MaxLength(2048)
277
- ], KakaoExchangeRequestDto.prototype, "redirectUri", 2);
354
+ IsUrl({
355
+ require_tld: false,
356
+ require_protocol: true
357
+ }),
358
+ MaxLength(2048),
359
+ _ts_metadata4("design:type", String)
360
+ ], KakaoExchangeRequestDto.prototype, "redirectUri", void 0);
278
361
  var EmailStartResponseDto = class {
362
+ static {
363
+ __name(this, "EmailStartResponseDto");
364
+ }
279
365
  challengeId;
280
366
  expiresInSec;
281
367
  };
282
- __decorateClass([
283
- ApiProperty()
284
- ], EmailStartResponseDto.prototype, "challengeId", 2);
285
- __decorateClass([
286
- ApiProperty({ description: "Seconds until the challenge expires." })
287
- ], EmailStartResponseDto.prototype, "expiresInSec", 2);
368
+ _ts_decorate4([
369
+ ApiProperty(),
370
+ _ts_metadata4("design:type", String)
371
+ ], EmailStartResponseDto.prototype, "challengeId", void 0);
372
+ _ts_decorate4([
373
+ ApiProperty({
374
+ description: "Seconds until the challenge expires."
375
+ }),
376
+ _ts_metadata4("design:type", Number)
377
+ ], EmailStartResponseDto.prototype, "expiresInSec", void 0);
288
378
  var PafiAuthSuccessDto = class {
379
+ static {
380
+ __name(this, "PafiAuthSuccessDto");
381
+ }
289
382
  sessionToken;
290
383
  sessionExpiresAt;
291
384
  pafiJwt;
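Review bot: `redirectUri` on KakaoExchangeRequestDto is checked with `IsUrl({ require_tld: false, require_protocol: true })`, which leaves the scheme list at the validator default, so `ftp://` values and arbitrary hosts pass before the value is (presumably) handed to the gateway. Adding `protocols: ["https"]` would narrow it, keeping `"http"` only for local development, which `require_tld: false` suggests is a use case. An allowlist of the issuer's registered redirect URIs would be stricter still. Whether the gateway re-validates the value is not visible on this page. The PafiAuthSuccessDto class at the end of the hunk continues past it.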
@@ -294,47 +387,80 @@ var PafiAuthSuccessDto = class {
294
387
  isFirstLogin;
295
388
  verifiedEmail;
296
389
  };
297
- __decorateClass([
390
+ _ts_decorate4([
298
391
  ApiProperty({
299
392
  description: "Issuer-native session token (typically HS256, minted by ISessionTokenMinter) \u2014 Bearer-auth for subsequent issuer API calls."
300
- })
301
- ], PafiAuthSuccessDto.prototype, "sessionToken", 2);
302
- __decorateClass([
303
- ApiProperty({ description: "Issuer session token expiration (ISO 8601)." })
304
- ], PafiAuthSuccessDto.prototype, "sessionExpiresAt", 2);
305
- __decorateClass([
393
+ }),
394
+ _ts_metadata4("design:type", String)
395
+ ], PafiAuthSuccessDto.prototype, "sessionToken", void 0);
396
+ _ts_decorate4([
397
+ ApiProperty({
398
+ description: "Issuer session token expiration (ISO 8601)."
399
+ }),
400
+ _ts_metadata4("design:type", String)
401
+ ], PafiAuthSuccessDto.prototype, "sessionExpiresAt", void 0);
402
+ _ts_decorate4([
306
403
  ApiProperty({
307
404
  description: "Short-lived PAFI JWT (60s) \u2014 FE feeds verbatim to Privy.loginWithCustomAuth() to provision the embedded wallet."
308
- })
309
- ], PafiAuthSuccessDto.prototype, "pafiJwt", 2);
310
- __decorateClass([
405
+ }),
406
+ _ts_metadata4("design:type", String)
407
+ ], PafiAuthSuccessDto.prototype, "pafiJwt", void 0);
408
+ _ts_decorate4([
311
409
  ApiProperty({
312
410
  description: "Long-lived PAFI session token (24h) \u2014 opaque to FE; keep alongside sessionToken if you ever need to call the gateway directly."
313
- })
314
- ], PafiAuthSuccessDto.prototype, "pafiSessionToken", 2);
315
- __decorateClass([
316
- ApiProperty({ description: "canonical_pafi_user_id assigned by the gateway." })
317
- ], PafiAuthSuccessDto.prototype, "canonicalId", 2);
318
- __decorateClass([
411
+ }),
412
+ _ts_metadata4("design:type", String)
413
+ ], PafiAuthSuccessDto.prototype, "pafiSessionToken", void 0);
414
+ _ts_decorate4([
415
+ ApiProperty({
416
+ description: "canonical_pafi_user_id assigned by the gateway."
417
+ }),
418
+ _ts_metadata4("design:type", String)
419
+ ], PafiAuthSuccessDto.prototype, "canonicalId", void 0);
420
+ _ts_decorate4([
319
421
  ApiProperty({
320
422
  description: "True the first time the user appears at the gateway."
321
- })
322
- ], PafiAuthSuccessDto.prototype, "isFirstLogin", 2);
323
- __decorateClass([
423
+ }),
424
+ _ts_metadata4("design:type", Boolean)
425
+ ], PafiAuthSuccessDto.prototype, "isFirstLogin", void 0);
426
+ _ts_decorate4([
324
427
  ApiProperty({
325
428
  description: "Verified email (when the auth method exposed one \u2014 email OTP and Google always; Kakao only if the user shared their email).",
326
429
  required: false
327
- })
328
- ], PafiAuthSuccessDto.prototype, "verifiedEmail", 2);
430
+ }),
431
+ _ts_metadata4("design:type", String)
432
+ ], PafiAuthSuccessDto.prototype, "verifiedEmail", void 0);
329
433
 
330
434
  // src/direct-auth/pafi-direct-auth.controller.ts
435
+ function _ts_decorate5(decorators, target, key, desc) {
436
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
437
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
438
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
439
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
440
+ }
441
+ __name(_ts_decorate5, "_ts_decorate");
442
+ function _ts_metadata5(k, v) {
443
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
444
+ }
445
+ __name(_ts_metadata5, "_ts_metadata");
446
+ function _ts_param4(paramIndex, decorator) {
447
+ return function(target, key) {
448
+ decorator(target, key, paramIndex);
449
+ };
450
+ }
451
+ __name(_ts_param4, "_ts_param");
331
452
  var PafiDirectAuthController = class {
453
+ static {
454
+ __name(this, "PafiDirectAuthController");
455
+ }
456
+ directAuth;
332
457
  constructor(directAuth) {
333
458
  this.directAuth = directAuth;
334
459
  }
335
- directAuth;
336
460
  async startEmail(body) {
337
- const res = await this.directAuth.startEmail({ email: body.email });
461
+ const res = await this.directAuth.startEmail({
462
+ email: body.email
463
+ });
338
464
  return {
339
465
  challengeId: res.challengeId,
340
466
  expiresInSec: res.expiresInSec
@@ -347,7 +473,9 @@ var PafiDirectAuthController = class {
347
473
  });
348
474
  }
349
475
  async exchangeGoogle(body) {
350
- return this.directAuth.exchangeGoogle({ idToken: body.idToken });
476
+ return this.directAuth.exchangeGoogle({
477
+ idToken: body.idToken
478
+ });
351
479
  }
352
480
  async exchangeKakao(body) {
353
481
  return this.directAuth.exchangeKakao({
@@ -356,58 +484,102 @@ var PafiDirectAuthController = class {
356
484
  });
357
485
  }
358
486
  };
359
- __decorateClass([
487
+ _ts_decorate5([
360
488
  Post("email/start"),
361
489
  HttpCode(HttpStatus.OK),
362
490
  ApiOperation({
363
491
  summary: "Step 1: ask gateway to send an OTP to the user email.",
364
492
  description: "Gateway generates the OTP, sends it via its configured email provider, and returns an opaque challenge_id. The FE echoes that challenge_id back on step 2 along with the code the user typed."
365
493
  }),
366
- ApiOkResponse({ type: EmailStartResponseDto }),
367
- __decorateParam(0, Body())
368
- ], PafiDirectAuthController.prototype, "startEmail", 1);
369
- __decorateClass([
494
+ ApiOkResponse({
495
+ type: EmailStartResponseDto
496
+ }),
497
+ _ts_param4(0, Body()),
498
+ _ts_metadata5("design:type", Function),
499
+ _ts_metadata5("design:paramtypes", [
500
+ typeof EmailStartRequestDto === "undefined" ? Object : EmailStartRequestDto
501
+ ]),
502
+ _ts_metadata5("design:returntype", Promise)
503
+ ], PafiDirectAuthController.prototype, "startEmail", null);
504
+ _ts_decorate5([
370
505
  Post("email/verify"),
371
506
  HttpCode(HttpStatus.OK),
372
507
  ApiOperation({
373
508
  summary: "Step 2: submit the OTP to complete email sign-in.",
374
509
  description: "Gateway verifies the OTP, derives canonical_id from the verified email, and mints both a pafi_session_token (24h, gateway-signed) and pafi_jwt (60s, for Privy.loginWithCustomAuth). Issuer wraps these in a session token of its own (sub = canonical_id) so existing guards keep working."
375
510
  }),
376
- ApiOkResponse({ type: PafiAuthSuccessDto }),
377
- __decorateParam(0, Body())
378
- ], PafiDirectAuthController.prototype, "verifyEmail", 1);
379
- __decorateClass([
511
+ ApiOkResponse({
512
+ type: PafiAuthSuccessDto
513
+ }),
514
+ _ts_param4(0, Body()),
515
+ _ts_metadata5("design:type", Function),
516
+ _ts_metadata5("design:paramtypes", [
517
+ typeof EmailVerifyRequestDto === "undefined" ? Object : EmailVerifyRequestDto
518
+ ]),
519
+ _ts_metadata5("design:returntype", Promise)
520
+ ], PafiDirectAuthController.prototype, "verifyEmail", null);
521
+ _ts_decorate5([
380
522
  Post("google/exchange"),
381
523
  HttpCode(HttpStatus.OK),
382
524
  ApiOperation({
383
525
  summary: "Sign in with Google.",
384
526
  description: "Hand the gateway a Google-issued id_token (FE obtains via Google Identity Services using PAFI's shared client_id). Gateway verifies signature + email_verified, derives canonical_id from the email, returns the same token bundle as /email/verify."
385
527
  }),
386
- ApiOkResponse({ type: PafiAuthSuccessDto }),
387
- __decorateParam(0, Body())
388
- ], PafiDirectAuthController.prototype, "exchangeGoogle", 1);
389
- __decorateClass([
528
+ ApiOkResponse({
529
+ type: PafiAuthSuccessDto
530
+ }),
531
+ _ts_param4(0, Body()),
532
+ _ts_metadata5("design:type", Function),
533
+ _ts_metadata5("design:paramtypes", [
534
+ typeof GoogleExchangeRequestDto === "undefined" ? Object : GoogleExchangeRequestDto
535
+ ]),
536
+ _ts_metadata5("design:returntype", Promise)
537
+ ], PafiDirectAuthController.prototype, "exchangeGoogle", null);
538
+ _ts_decorate5([
390
539
  Post("kakao/exchange"),
391
540
  HttpCode(HttpStatus.OK),
392
541
  ApiOperation({
393
542
  summary: "Sign in with Kakao.",
394
543
  description: "Hand the gateway the authorization code Kakao redirected back to the FE. Gateway exchanges with Kakao server-to-server (using PAFI-held client_secret), verifies the id_token, and returns the same token bundle as /email/verify. canonical_id derives from email when present, else from the Kakao sub."
395
544
  }),
396
- ApiOkResponse({ type: PafiAuthSuccessDto }),
397
- __decorateParam(0, Body())
398
- ], PafiDirectAuthController.prototype, "exchangeKakao", 1);
399
- PafiDirectAuthController = __decorateClass([
545
+ ApiOkResponse({
546
+ type: PafiAuthSuccessDto
547
+ }),
548
+ _ts_param4(0, Body()),
549
+ _ts_metadata5("design:type", Function),
550
+ _ts_metadata5("design:paramtypes", [
551
+ typeof KakaoExchangeRequestDto === "undefined" ? Object : KakaoExchangeRequestDto
552
+ ]),
553
+ _ts_metadata5("design:returntype", Promise)
554
+ ], PafiDirectAuthController.prototype, "exchangeKakao", null);
555
+ PafiDirectAuthController = _ts_decorate5([
400
556
  ApiTags("pafi-auth-v2"),
401
- Controller("auth/v2")
557
+ Controller("auth/v2"),
558
+ _ts_metadata5("design:type", Function),
559
+ _ts_metadata5("design:paramtypes", [
560
+ typeof PafiDirectAuthService === "undefined" ? Object : PafiDirectAuthService
561
+ ])
402
562
  ], PafiDirectAuthController);
403
563
 
404
564
  // src/direct-auth/pafi-direct-auth.module.ts
405
- var PafiDirectAuthModule = class {
565
+ function _ts_decorate6(decorators, target, key, desc) {
566
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
567
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
568
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
569
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
570
+ }
571
+ __name(_ts_decorate6, "_ts_decorate");
572
+ var PafiDirectAuthModule = class _PafiDirectAuthModule {
573
+ static {
574
+ __name(this, "PafiDirectAuthModule");
575
+ }
406
576
  static forRoot(options) {
407
577
  return {
408
- module: PafiDirectAuthModule,
578
+ module: _PafiDirectAuthModule,
409
579
  imports: options.imports ?? [],
410
- controllers: [PafiDirectAuthController],
580
+ controllers: [
581
+ PafiDirectAuthController
582
+ ],
411
583
  providers: [
412
584
  {
413
585
  provide: PAFI_DIRECT_AUTH_MODULE_OPTIONS,
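Review bot: Nothing visible here binds a ValidationPipe to PafiDirectAuthController, so the `IsEmail`/`MaxLength`/`Length` constraints on the request DTOs are enforced only if the host application installs one globally. The handlers now carry `design:paramtypes` naming the DTO classes, which the removed `__decorateClass` calls did not emit, so validation was probably skipped in 0.39.2 and requests that used to pass may now return 400; that deserves a line in the release notes. Declaring `@UsePipes(new ValidationPipe({ whitelist: true }))` on the controller in the source would make enforcement independent of the host. The providers list in forRoot is cut off at the end of the hunk, so a pipe registered there would not be visible.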
@@ -441,7 +613,7 @@ var PafiDirectAuthModule = class {
441
613
  };
442
614
  }
443
615
  };
444
- PafiDirectAuthModule = __decorateClass([
616
+ PafiDirectAuthModule = _ts_decorate6([
445
617
  Module({})
446
618
  ], PafiDirectAuthModule);
447
619
  export {