@parsrun/auth 0.1.0

package/dist/chunk-RHNVRCF3.js

@@ -0,0 +1,838 @@
+import { createAuthorizationGuard } from './chunk-NK4TJV2W.js';
+import { extractBearerToken } from './chunk-MOG4Y6I7.js';
+
+// src/adapters/types.ts
+function createAuthCookies(tokens, config) {
+  const prefix = config.prefix ?? "pars";
+  return [
+    {
+      name: `${prefix}.access_token`,
+      value: tokens.accessToken,
+      expires: tokens.accessExpiresAt,
+      path: config.path ?? "/",
+      domain: config.domain,
+      secure: config.secure ?? true,
+      sameSite: config.sameSite ?? "lax",
+      httpOnly: false
+      // Access token may be needed by JS
+    },
+    {
+      name: `${prefix}.refresh_token`,
+      value: tokens.refreshToken,
+      expires: tokens.refreshExpiresAt,
+      path: config.path ?? "/",
+      domain: config.domain,
+      secure: config.secure ?? true,
+      sameSite: config.sameSite ?? "lax",
+      httpOnly: config.httpOnly ?? true
+      // Refresh token should be HttpOnly
+    }
+  ];
+}
+function createLogoutCookies(config) {
+  const prefix = config.prefix ?? "pars";
+  const past = /* @__PURE__ */ new Date(0);
+  return [
+    {
+      name: `${prefix}.access_token`,
+      value: "",
+      expires: past,
+      path: config.path ?? "/",
+      domain: config.domain
+    },
+    {
+      name: `${prefix}.refresh_token`,
+      value: "",
+      expires: past,
+      path: config.path ?? "/",
+      domain: config.domain
+    }
+  ];
+}
+
+// src/adapters/hono.ts
+function setCookie(c, cookie) {
+  let cookieString = `${cookie.name}=${cookie.value}`;
+  if (cookie.expires) {
+    cookieString += `; Expires=${cookie.expires.toUTCString()}`;
+  }
+  if (cookie.maxAge !== void 0) {
+    cookieString += `; Max-Age=${cookie.maxAge}`;
+  }
+  if (cookie.path) {
+    cookieString += `; Path=${cookie.path}`;
+  }
+  if (cookie.domain) {
+    cookieString += `; Domain=${cookie.domain}`;
+  }
+  if (cookie.secure) {
+    cookieString += "; Secure";
+  }
+  if (cookie.httpOnly) {
+    cookieString += "; HttpOnly";
+  }
+  if (cookie.sameSite) {
+    cookieString += `; SameSite=${cookie.sameSite.charAt(0).toUpperCase() + cookie.sameSite.slice(1)}`;
+  }
+  c.header("Set-Cookie", cookieString, { append: true });
+}
+function getCookie(c, name) {
+  const cookieHeader = c.req.header("Cookie");
+  if (!cookieHeader) return void 0;
+  const cookies = cookieHeader.split(";").map((c2) => c2.trim());
+  for (const cookie of cookies) {
+    const [cookieName, ...valueParts] = cookie.split("=");
+    if (cookieName === name) {
+      return valueParts.join("=");
+    }
+  }
+  return void 0;
+}
+function createAuthMiddleware(config) {
+  const { auth, onUnauthorized } = config;
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    let token = extractBearerToken(authHeader);
+    if (!token) {
+      const cookiePrefix = config.cookies?.prefix ?? "pars";
+      token = getCookie(c, `${cookiePrefix}.access_token`) ?? null;
+    }
+    if (!token) {
+      if (onUnauthorized) {
+        return onUnauthorized(c, "No token provided");
+      }
+      return c.json({ error: "Unauthorized", message: "No token provided" }, 401);
+    }
+    const result = await auth.verifyAccessToken(token);
+    if (!result.valid || !result.payload) {
+      if (onUnauthorized) {
+        return onUnauthorized(c, result.error);
+      }
+      return c.json({ error: "Unauthorized", message: result.error }, 401);
+    }
+    const authContext = {
+      userId: result.payload.sub,
+      payload: result.payload,
+      ...result.payload.sid && { sessionId: result.payload.sid },
+      ...result.payload.tid && { tenantId: result.payload.tid },
+      ...result.payload.roles && { roles: result.payload.roles },
+      ...result.payload.permissions && { permissions: result.payload.permissions }
+    };
+    c.set("auth", authContext);
+    await next();
+  };
+}
+function createOptionalAuthMiddleware(config) {
+  const { auth } = config;
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    let token = extractBearerToken(authHeader);
+    if (!token) {
+      const cookiePrefix = config.cookies?.prefix ?? "pars";
+      token = getCookie(c, `${cookiePrefix}.access_token`) ?? null;
+    }
+    if (token) {
+      const result = await auth.verifyAccessToken(token);
+      if (result.valid && result.payload) {
+        const authContext = {
+          userId: result.payload.sub,
+          payload: result.payload,
+          ...result.payload.sid && { sessionId: result.payload.sid },
+          ...result.payload.tid && { tenantId: result.payload.tid },
+          ...result.payload.roles && { roles: result.payload.roles },
+          ...result.payload.permissions && { permissions: result.payload.permissions }
+        };
+        c.set("auth", authContext);
+      }
+    }
+    await next();
+  };
+}
+function createAuthRoutes(app, config) {
+  const { auth, cookies: cookieConfig } = config;
+  app.post("/otp/request", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.identifier || !body.type) {
+        return c.json({ error: "Bad Request", message: "identifier and type are required" }, 400);
+      }
+      const result = await auth.requestOTP({
+        identifier: body.identifier,
+        type: body.type
+      });
+      if (!result.success) {
+        return c.json({
+          success: false,
+          error: result.error,
+          remainingRequests: result.remainingRequests
+        }, 429);
+      }
+      return c.json({
+        success: true,
+        expiresAt: result.expiresAt,
+        remainingRequests: result.remainingRequests
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/otp/verify", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.identifier || !body.code) {
+        return c.json({ error: "Bad Request", message: "identifier and code are required" }, 400);
+      }
+      const ipAddress = c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip");
+      const userAgent = c.req.header("user-agent");
+      const result = await auth.signIn({
+        provider: "otp",
+        identifier: body.identifier,
+        credential: body.code,
+        data: { type: body.type ?? "email" },
+        metadata: {
+          ...ipAddress && { ipAddress },
+          ...userAgent && { userAgent }
+        }
+      });
+      if (!result.success) {
+        return c.json({
+          success: false,
+          error: result.error,
+          errorCode: result.errorCode
+        }, 401);
+      }
+      if (result.tokens && cookieConfig) {
+        const cookies = createAuthCookies(result.tokens, cookieConfig);
+        for (const cookie of cookies) {
+          setCookie(c, cookie);
+        }
+      }
+      return c.json({
+        success: true,
+        user: result.user ? {
+          id: result.user.id,
+          email: result.user.email,
+          name: result.user.name
+        } : void 0,
+        tokens: result.tokens
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/sign-in", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.provider || !body.identifier) {
+        return c.json({
+          error: "Bad Request",
+          message: "provider and identifier are required"
+        }, 400);
+      }
+      const ipAddress = c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip");
+      const userAgent = c.req.header("user-agent");
+      const result = await auth.signIn({
+        provider: body.provider,
+        identifier: body.identifier,
+        ...body.credential && { credential: body.credential },
+        ...body.data && { data: body.data },
+        metadata: {
+          ...ipAddress && { ipAddress },
+          ...userAgent && { userAgent }
+        }
+      });
+      if (!result.success) {
+        return c.json({
+          success: false,
+          error: result.error,
+          errorCode: result.errorCode,
+          requiresTwoFactor: result.requiresTwoFactor
+        }, 401);
+      }
+      if (result.tokens && cookieConfig) {
+        const cookies = createAuthCookies(result.tokens, cookieConfig);
+        for (const cookie of cookies) {
+          setCookie(c, cookie);
+        }
+      }
+      return c.json({
+        success: true,
+        user: result.user ? {
+          id: result.user.id,
+          email: result.user.email,
+          name: result.user.name
+        } : void 0,
+        tokens: result.tokens,
+        requiresTwoFactor: result.requiresTwoFactor
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/sign-out", async (c) => {
+    try {
+      const authContext = c.get("auth");
+      if (authContext?.sessionId) {
+        await auth.signOut(authContext.sessionId);
+      }
+      if (cookieConfig) {
+        const cookies = createLogoutCookies(cookieConfig);
+        for (const cookie of cookies) {
+          setCookie(c, cookie);
+        }
+      }
+      return c.json({ success: true });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/refresh", async (c) => {
+    try {
+      let refreshToken;
+      try {
+        const body = await c.req.json();
+        refreshToken = body.refreshToken;
+      } catch {
+      }
+      if (!refreshToken) {
+        const cookiePrefix = cookieConfig?.prefix ?? "pars";
+        refreshToken = getCookie(c, `${cookiePrefix}.refresh_token`);
+      }
+      if (!refreshToken) {
+        return c.json({
+          success: false,
+          error: "No refresh token provided"
+        }, 401);
+      }
+      const result = await auth.refreshTokens(refreshToken);
+      if (!result.success) {
+        if (cookieConfig) {
+          const cookies = createLogoutCookies(cookieConfig);
+          for (const cookie of cookies) {
+            setCookie(c, cookie);
+          }
+        }
+        return c.json({
+          success: false,
+          error: result.error
+        }, 401);
+      }
+      if (result.tokens && cookieConfig) {
+        const cookies = createAuthCookies(result.tokens, cookieConfig);
+        for (const cookie of cookies) {
+          setCookie(c, cookie);
+        }
+      }
+      return c.json({
+        success: true,
+        tokens: result.tokens
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.get("/me", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    const user = await auth.getAdapter().findUserById(authContext.userId);
+    if (!user) {
+      return c.json({ error: "User not found" }, 404);
+    }
+    return c.json({
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      avatar: user.avatar,
+      emailVerified: user.emailVerified,
+      twoFactorEnabled: user.twoFactorEnabled
+    });
+  });
+  app.get("/sessions", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    const sessions = await auth.getSessions(authContext.userId, authContext.sessionId);
+    return c.json({ sessions });
+  });
+  app.delete("/sessions/:id", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    const sessionId = c.req.param("id");
+    const sessions = await auth.getSessions(authContext.userId);
+    const session = sessions.find((s) => s.id === sessionId);
+    if (!session) {
+      return c.json({ error: "Session not found" }, 404);
+    }
+    await auth.revokeSession(sessionId);
+    return c.json({ success: true });
+  });
+  app.delete("/sessions", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    await auth.revokeAllSessions(authContext.userId);
+    if (cookieConfig) {
+      const cookies = createLogoutCookies(cookieConfig);
+      for (const cookie of cookies) {
+        setCookie(c, cookie);
+      }
+    }
+    return c.json({ success: true });
+  });
+  app.get("/providers", async (c) => {
+    const providers = auth.getProviders();
+    return c.json({ providers });
+  });
+  app.get("/tenants", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const tenants = await auth.getUserTenants(authContext.userId);
+      return c.json({
+        tenants: tenants.map((t) => ({
+          id: t.tenant.id,
+          name: t.tenant.name,
+          slug: t.tenant.slug,
+          role: t.membership.role,
+          status: t.tenant.status
+        })),
+        currentTenantId: authContext.tenantId
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/tenants/switch", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext?.sessionId) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const body = await c.req.json();
+      if (!body.tenantId) {
+        return c.json({ error: "Bad Request", message: "tenantId is required" }, 400);
+      }
+      const result = await auth.switchTenant(authContext.sessionId, body.tenantId);
+      if (!result.success) {
+        return c.json({ success: false, error: result.error }, 403);
+      }
+      if (result.tokens && cookieConfig) {
+        const cookies = createAuthCookies(result.tokens, cookieConfig);
+        for (const cookie of cookies) {
+          setCookie(c, cookie);
+        }
+      }
+      return c.json({
+        success: true,
+        tokens: result.tokens
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.get("/tenants/current", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (!authContext.tenantId) {
+      return c.json({ tenant: null, membership: null });
+    }
+    try {
+      const membership = await auth.getTenantMembership(
+        authContext.userId,
+        authContext.tenantId
+      );
+      if (!membership) {
+        return c.json({ tenant: null, membership: null });
+      }
+      const tenant = await auth.getAdapter().findTenantById?.(authContext.tenantId);
+      return c.json({
+        tenant: tenant ? {
+          id: tenant.id,
+          name: tenant.name,
+          slug: tenant.slug,
+          status: tenant.status
+        } : null,
+        membership: {
+          role: membership.role,
+          permissions: membership.permissions,
+          status: membership.status
+        }
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/tenants/:tenantId/invite", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const tenantId = c.req.param("tenantId");
+      const body = await c.req.json();
+      if (!body.email || !body.role) {
+        return c.json({ error: "Bad Request", message: "email and role are required" }, 400);
+      }
+      const isAdmin = await auth.hasRoleInTenant(authContext.userId, tenantId, "admin") || await auth.hasRoleInTenant(authContext.userId, tenantId, "owner");
+      if (!isAdmin) {
+        return c.json({ error: "Forbidden", message: "Admin access required" }, 403);
+      }
+      const result = await auth.inviteToTenant({
+        email: body.email,
+        tenantId,
+        role: body.role,
+        permissions: body.permissions,
+        invitedBy: authContext.userId,
+        message: body.message
+      });
+      if (!result.success) {
+        return c.json({ success: false, error: result.error }, 400);
+      }
+      return c.json({
+        success: true,
+        invitationUrl: result.invitationUrl,
+        expiresAt: result.invitation?.expiresAt
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.get("/invitation", async (c) => {
+    try {
+      const token = c.req.query("token");
+      if (!token) {
+        return c.json({ error: "Bad Request", message: "token is required" }, 400);
+      }
+      const result = await auth.checkInvitation(token);
+      return c.json(result);
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.post("/invitation/accept", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const body = await c.req.json();
+      if (!body.token) {
+        return c.json({ error: "Bad Request", message: "token is required" }, 400);
+      }
+      const result = await auth.acceptInvitation(body.token, authContext.userId);
+      if (!result.success) {
+        return c.json({ success: false, error: result.error }, 400);
+      }
+      return c.json({
+        success: true,
+        tenant: result.tenant ? {
+          id: result.tenant.id,
+          name: result.tenant.name,
+          slug: result.tenant.slug
+        } : void 0,
+        membership: result.membership ? {
+          role: result.membership.role,
+          status: result.membership.status
+        } : void 0
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.delete("/tenants/:tenantId/members/:userId", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const tenantId = c.req.param("tenantId");
+      const userId = c.req.param("userId");
+      const isAdmin = await auth.hasRoleInTenant(authContext.userId, tenantId, "admin") || await auth.hasRoleInTenant(authContext.userId, tenantId, "owner");
+      const isSelf = authContext.userId === userId;
+      if (!isAdmin && !isSelf) {
+        return c.json({ error: "Forbidden", message: "Admin access required" }, 403);
+      }
+      await auth.removeTenantMember(userId, tenantId);
+      return c.json({ success: true });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  app.patch("/tenants/:tenantId/members/:userId", async (c) => {
+    const authContext = c.get("auth");
+    if (!authContext) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    try {
+      const tenantId = c.req.param("tenantId");
+      const userId = c.req.param("userId");
+      const body = await c.req.json();
+      const isAdmin = await auth.hasRoleInTenant(authContext.userId, tenantId, "admin") || await auth.hasRoleInTenant(authContext.userId, tenantId, "owner");
+      if (!isAdmin) {
+        return c.json({ error: "Forbidden", message: "Admin access required" }, 403);
+      }
+      const membership = await auth.updateTenantMember(userId, tenantId, body);
+      return c.json({
+        success: true,
+        membership: {
+          role: membership.role,
+          permissions: membership.permissions,
+          status: membership.status
+        }
+      });
+    } catch (error) {
+      if (config.onError) {
+        return config.onError(error, c);
+      }
+      return c.json({ error: "Internal Server Error" }, 500);
+    }
+  });
+  return app;
+}
+function createHonoAuth(config) {
+  return {
+    /** Auth middleware (requires authentication) */
+    middleware: createAuthMiddleware(config),
+    /** Optional auth middleware (attaches auth if present) */
+    optionalMiddleware: createOptionalAuthMiddleware(config),
+    /** Create auth routes on an app */
+    createRoutes: (app) => createAuthRoutes(app, config)
+  };
+}
+function toAuthorizationContext(auth) {
+  return {
+    userId: auth.userId,
+    tenantId: auth.tenantId,
+    roles: auth.roles,
+    permissions: auth.permissions
+  };
+}
+function requireRole(...allowedRoles) {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    if (!guard.hasAnyRole(allowedRoles)) {
+      return c.json(
+        {
+          error: "Forbidden",
+          message: "Insufficient role",
+          required: allowedRoles,
+          current: auth.roles ?? []
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requirePermission(...permissions) {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    if (!guard.hasAllPermissions(permissions)) {
+      return c.json(
+        {
+          error: "Forbidden",
+          message: "Missing required permissions",
+          required: permissions,
+          current: auth.permissions ?? []
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requireAnyPermission(...permissions) {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    if (!guard.hasAnyPermission(permissions)) {
+      return c.json(
+        {
+          error: "Forbidden",
+          message: "Missing required permissions",
+          required: permissions,
+          current: auth.permissions ?? []
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requireTenant() {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    if (!auth.tenantId) {
+      return c.json(
+        { error: "Forbidden", message: "Tenant context required" },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requireTenantAccess(getTenantId, options) {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const requestedTenantId = getTenantId(c);
+    if (!requestedTenantId) {
+      await next();
+      return;
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    if (options?.bypassRoles && guard.hasAnyRole(options.bypassRoles)) {
+      await next();
+      return;
+    }
+    if (auth.tenantId !== requestedTenantId) {
+      return c.json(
+        {
+          error: "Forbidden",
+          message: "Access denied to this tenant",
+          requestedTenant: requestedTenantId
+        },
+        403
+      );
+    }
+    await next();
+  };
+}
+function requireAdmin() {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    const isAdmin = guard.hasRole("admin") || guard.hasRole("owner") || guard.hasRole("superadmin") || guard.hasRole("super_admin") || guard.hasPermission("*");
+    if (!isAdmin) {
+      return c.json({ error: "Forbidden", message: "Admin access required" }, 403);
+    }
+    await next();
+  };
+}
+function requireOwnerOrPermission(getOwnerId, permission) {
+  return async (c, next) => {
+    const auth = c.get("auth");
+    if (!auth) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    const guard = createAuthorizationGuard(toAuthorizationContext(auth));
+    if (guard.hasPermission(permission)) {
+      await next();
+      return;
+    }
+    const ownerId = await getOwnerId(c);
+    if (auth.userId === ownerId) {
+      await next();
+      return;
+    }
+    return c.json(
+      {
+        error: "Forbidden",
+        message: "Resource owner or permission required",
+        requiredPermission: permission
+      },
+      403
+    );
+  };
+}
+function requireAll(...middlewares) {
+  return async (c, next) => {
+    for (const middleware of middlewares) {
+      let passed = false;
+      await middleware(c, async () => {
+        passed = true;
+      });
+      if (!passed) {
+        return;
+      }
+    }
+    await next();
+  };
+}
+function requireAny(...middlewares) {
+  return async (c, next) => {
+    for (const middleware of middlewares) {
+      let passed = false;
+      await middleware(c, async () => {
+        passed = true;
+      });
+      if (passed) {
+        await next();
+        return;
+      }
+    }
+    return c.json(
+      { error: "Forbidden", message: "None of the authorization requirements were met" },
+      403
+    );
+  };
+}
+
+export { createAuthCookies, createAuthMiddleware, createAuthRoutes, createHonoAuth, createLogoutCookies, createOptionalAuthMiddleware, requireAdmin, requireAll, requireAny, requireAnyPermission, requireOwnerOrPermission, requirePermission, requireRole, requireTenant, requireTenantAccess };
+//# sourceMappingURL=chunk-RHNVRCF3.js.map
+//# sourceMappingURL=chunk-RHNVRCF3.js.map