@prabhask5/stellar-engine 1.1.7 → 1.1.8

package/dist/auth/deviceVerification.js

@@ -1,36 +1,119 @@
 /**
- * Device Verification Module
+ * @fileoverview Device Verification Module
  *
- * Manages trusted devices for single-user and multi-user modes.
- * Uses Supabase `trusted_devices` table and `signInWithOtp()` for email-based
- * device verification on untrusted devices.
+ * Manages the trusted device registry and email-based OTP verification flow
+ * for both single-user and multi-user modes. When device verification is
+ * enabled, only devices present in the Supabase `trusted_devices` table (with
+ * a recent `last_used_at` timestamp) are allowed to proceed after
+ * authentication. Untrusted devices must complete an email OTP challenge.
+ *
+ * ## Architecture
+ *
+ * - **Device identification**: Each browser/device is assigned a persistent
+ *   unique ID via {@link getDeviceId} (stored in localStorage). This ID is
+ *   used as the key in the `trusted_devices` table.
+ * - **Trust expiry**: Trusted devices expire after a configurable number of
+ *   days (default: 90). The `last_used_at` column is refreshed on each
+ *   successful login via {@link touchTrustedDevice}.
+ * - **OTP flow**: Uses Supabase `signInWithOtp()` with `shouldCreateUser: false`
+ *   to send a magic link email. The confirm page verifies the token and trusts
+ *   both the originating device and the confirming device.
+ * - **Cross-device verification**: The originating device's ID is stored in
+ *   `user_metadata` as `pending_device_id` so the confirm page can trust it
+ *   even when opened on a different device (e.g., phone).
+ *
+ * ## Database Schema
+ *
+ * The `trusted_devices` table has a unique constraint on `(user_id, device_id)`:
+ *
+ * | Column       | Type      | Description                           |
+ * |-------------|-----------|---------------------------------------|
+ * | id          | uuid      | Primary key                           |
+ * | user_id     | uuid      | FK to auth.users                      |
+ * | device_id   | text      | Persistent browser/device identifier  |
+ * | device_label| text      | Human-readable label (e.g., "Chrome on macOS") |
+ * | trusted_at  | timestamp | When the device was first trusted     |
+ * | last_used_at| timestamp | Last successful login from this device |
+ *
+ * ## Security Considerations
+ *
+ * - **Device ID spoofing**: The device ID is stored in localStorage and can be
+ *   copied. This provides convenience-level trust, not cryptographic assurance.
+ *   An attacker who clones localStorage can impersonate a trusted device.
+ * - **OTP security**: OTP tokens are single-use and time-limited (configured
+ *   in Supabase). The `shouldCreateUser: false` flag prevents account creation
+ *   via the OTP endpoint.
+ * - **Trust duration**: The default 90-day trust window balances convenience
+ *   and security. Reduce this for higher-security applications.
+ * - **RLS**: The `trusted_devices` table should have Row Level Security
+ *   policies ensuring users can only read/write their own device records.
+ *
+ * @module deviceVerification
+ * @see {@link singleUser} for how device verification integrates into the auth flow
  */
 import { getEngineConfig } from '../config';
 import { supabase } from '../supabase/client';
 import { getDeviceId } from '../deviceId';
 import { debugLog, debugWarn, debugError } from '../debug';
+/** Default number of days a device remains trusted before requiring re-verification. */
 const DEFAULT_TRUST_DURATION_DAYS = 90;
-// ============================================================
+// =============================================================================
 // HELPERS
-// ============================================================
+// =============================================================================
+/**
+ * Get the configured trust duration in days.
+ *
+ * Falls back to {@link DEFAULT_TRUST_DURATION_DAYS} (90) if not configured.
+ *
+ * @returns The number of days a device should remain trusted.
+ */
 function getTrustDurationDays() {
     return (getEngineConfig().auth?.deviceVerification?.trustDurationDays ?? DEFAULT_TRUST_DURATION_DAYS);
 }
+/**
+ * Convert a snake_case database row into a camelCase {@link TrustedDevice} object.
+ *
+ * Supabase returns rows with snake_case column names, but the TypeScript
+ * interface uses camelCase. This function performs the field mapping.
+ *
+ * @param row - A raw database row from the `trusted_devices` table.
+ * @returns A properly typed {@link TrustedDevice} object.
+ */
 function snakeToCamelDevice(row) {
     return {
+        /** Primary key (UUID). */
         id: row.id,
+        /** The Supabase user ID that owns this device record. */
         userId: row.user_id,
+        /** The persistent device identifier from localStorage. */
         deviceId: row.device_id,
+        /** Human-readable label (e.g., "Chrome on macOS"). */
         deviceLabel: row.device_label,
+        /** ISO timestamp of when the device was first trusted. */
         trustedAt: row.trusted_at,
+        /** ISO timestamp of the most recent successful login from this device. */
         lastUsedAt: row.last_used_at
     };
 }
-// ============================================================
+// =============================================================================
 // DEVICE LABEL
-// ============================================================
+// =============================================================================
 /**
- * Generate a human-readable device label (e.g. "Chrome on macOS").
+ * Generate a human-readable device label from the browser's User-Agent string.
+ *
+ * Detects common browsers (Chrome, Firefox, Edge, Safari) and operating systems
+ * (macOS, Windows, Linux, iOS, Android, ChromeOS). Returns a combined label
+ * like "Chrome on macOS" for display in device management UIs.
+ *
+ * @returns A human-readable label describing the current browser and OS, or
+ *   "Unknown device" in non-browser environments.
+ *
+ * @example
+ * ```ts
+ * getDeviceLabel(); // => "Chrome on macOS"
+ * getDeviceLabel(); // => "Safari on iOS"
+ * getDeviceLabel(); // => "Firefox on Linux"
+ * ```
  */
 export function getDeviceLabel() {
     if (typeof navigator === 'undefined')
@@ -38,7 +121,8 @@ export function getDeviceLabel() {
     const ua = navigator.userAgent;
     let browser = 'Browser';
     let os = '';
-    // Detect browser
+    /* Detect browser — order matters: Edge contains "Chrome" in its UA,
+       so Edge must be checked before Chrome */
     if (ua.includes('Firefox'))
         browser = 'Firefox';
     else if (ua.includes('Edg/'))
@@ -47,9 +131,9 @@ export function getDeviceLabel() {
         browser = 'Chrome';
     else if (ua.includes('Safari') && !ua.includes('Chrome'))
         browser = 'Safari';
-    // Detect OS — mobile checks must come before desktop checks because
-    // mobile UA strings often contain desktop OS identifiers
-    // (e.g. iPhone UA contains "like Mac OS X", Android UA contains "Linux")
+    /* Detect OS — mobile checks must come before desktop checks because
+       mobile UA strings often contain desktop OS identifiers
+       (e.g., iPhone UA contains "like Mac OS X", Android UA contains "Linux") */
     if (ua.includes('iPhone') || ua.includes('iPad') || ua.includes('iPod'))
         os = 'iOS';
     else if (ua.includes('Android'))
@@ -64,32 +148,70 @@ export function getDeviceLabel() {
         os = 'Linux';
     return os ? `${browser} on ${os}` : browser;
 }
-// ============================================================
+// =============================================================================
 // EMAIL MASKING
-// ============================================================
+// =============================================================================
 /**
- * Mask an email address for display (e.g. "pr••••@gmail.com").
+ * Mask an email address for safe display in the UI.
+ *
+ * Shows the first 2 characters of the local part, replaces the rest with
+ * bullet characters, and preserves the full domain. This prevents shoulder-
+ * surfing while still letting the user confirm it's the right email.
+ *
+ * @param email - The full email address to mask.
+ * @returns The masked email string (e.g., "pr\u2022\u2022\u2022\u2022@gmail.com").
+ *
+ * @example
+ * ```ts
+ * maskEmail('prabhask@gmail.com');  // => "pr••••••@gmail.com"
+ * maskEmail('ab@example.com');      // => "ab@example.com"
+ * maskEmail('a@test.io');           // => "a•@test.io"
+ * ```
+ *
+ * @security This is a display-only mask. The original email should never be
+ *   exposed in logs or error messages shown to untrusted contexts.
  */
 export function maskEmail(email) {
     const [local, domain] = email.split('@');
     if (!domain)
         return email;
+    /* Show at most 2 characters to provide enough recognition without
+       revealing the full local part */
     const visible = Math.min(2, local.length);
     const masked = local.slice(0, visible) + '\u2022'.repeat(Math.max(1, local.length - visible));
     return `${masked}@${domain}`;
 }
-// ============================================================
+// =============================================================================
 // DEVICE TRUST QUERIES
-// ============================================================
+// =============================================================================
 /**
  * Check if the current device is trusted for a given user.
- * A device is trusted if it has a `trusted_devices` row with `last_used_at`
- * within the configured trust duration.
+ *
+ * Queries the `trusted_devices` table for a record matching the current
+ * device ID and user ID, with `last_used_at` within the configured trust
+ * duration window. Returns `false` on any error (fail-closed).
+ *
+ * @param userId - The Supabase user ID to check trust for.
+ * @returns `true` if the device is trusted and not expired, `false` otherwise.
+ *
+ * @example
+ * ```ts
+ * if (await isDeviceTrusted(user.id)) {
+ *   grantAccess();
+ * } else {
+ *   challengeWithOtp();
+ * }
+ * ```
+ *
+ * @security Fails closed: any error (network, RLS, etc.) returns `false`,
+ *   forcing the device verification flow rather than granting access.
  */
 export async function isDeviceTrusted(userId) {
     try {
         const deviceId = getDeviceId();
         const trustDays = getTrustDurationDays();
+        /* Calculate the cutoff date — devices not used within this window
+           are considered expired and must re-verify */
         const cutoff = new Date();
         cutoff.setDate(cutoff.getDate() - trustDays);
         const { data, error } = await supabase
@@ -112,7 +234,20 @@ export async function isDeviceTrusted(userId) {
 }
 /**
  * Trust the current device for a user.
- * Uses upsert on (user_id, device_id) unique constraint.
+ *
+ * Creates or updates a record in the `trusted_devices` table using upsert on
+ * the `(user_id, device_id)` unique constraint. Both `trusted_at` and
+ * `last_used_at` are set to the current time.
+ *
+ * @param userId - The Supabase user ID to associate the trust record with.
+ *
+ * @example
+ * ```ts
+ * // After successful OTP verification:
+ * await trustCurrentDevice(user.id);
+ * ```
+ *
+ * @see {@link trustPendingDevice} for trusting a remote device via user_metadata
  */
 export async function trustCurrentDevice(userId) {
     try {
@@ -139,6 +274,13 @@ export async function trustCurrentDevice(userId) {
 }
 /**
  * Update `last_used_at` for the current device (called on each successful login).
+ *
+ * This extends the trust window so that frequently-used devices do not expire.
+ * Also refreshes the device label in case the browser or OS was updated.
+ *
+ * @param userId - The Supabase user ID whose device record to update.
+ *
+ * @see {@link isDeviceTrusted} which checks the `last_used_at` timestamp
  */
 export async function touchTrustedDevice(userId) {
     try {
@@ -157,7 +299,23 @@ export async function touchTrustedDevice(userId) {
     }
 }
 /**
- * Get all trusted devices for a user.
+ * Get all trusted devices for a user, ordered by most recently used first.
+ *
+ * Used by device management UIs to display a list of trusted devices with
+ * options to revoke trust.
+ *
+ * @param userId - The Supabase user ID to fetch devices for.
+ * @returns An array of {@link TrustedDevice} objects, or an empty array on error.
+ *
+ * @example
+ * ```ts
+ * const devices = await getTrustedDevices(user.id);
+ * devices.forEach(d => {
+ *   console.log(`${d.deviceLabel} — last used ${d.lastUsedAt}`);
+ * });
+ * ```
+ *
+ * @see {@link removeTrustedDevice} for revoking trust on a specific device
  */
 export async function getTrustedDevices(userId) {
     try {
@@ -178,7 +336,21 @@ export async function getTrustedDevices(userId) {
     }
 }
 /**
- * Remove a trusted device by ID.
+ * Remove a trusted device by its primary key ID.
+ *
+ * Used by the device management UI to allow users to revoke trust on devices
+ * they no longer control (e.g., lost phone, sold laptop). After removal, the
+ * device will be challenged with OTP verification on its next login.
+ *
+ * @param id - The UUID primary key of the `trusted_devices` row to delete.
+ *
+ * @example
+ * ```ts
+ * // Revoke trust on a specific device:
+ * await removeTrustedDevice('550e8400-e29b-41d4-a716-446655440000');
+ * ```
+ *
+ * @security Ensure RLS policies restrict deletion to the owning user.
  */
 export async function removeTrustedDevice(id) {
     try {
@@ -194,19 +366,39 @@ export async function removeTrustedDevice(id) {
         debugError('[DeviceVerification] Remove device error:', e);
     }
 }
-// ============================================================
+// =============================================================================
 // OTP VERIFICATION FLOW
-// ============================================================
+// =============================================================================
 /**
- * Send a device verification OTP email.
+ * Send a device verification OTP email to the user.
+ *
+ * This function performs two actions:
+ * 1. **Stores pending device info** in Supabase `user_metadata` so that the
+ *    confirm page can trust the originating device even if the link is opened
+ *    on a different device.
+ * 2. **Sends an OTP email** via `signInWithOtp()` with `shouldCreateUser: false`
+ *    to prevent account creation through this endpoint.
+ *
+ * The existing session is intentionally kept alive so that
+ * {@link pollDeviceVerification} can continue checking trust status.
+ *
+ * @param email - The user's email address to send the OTP to.
+ * @returns An object with `error` (string or null).
  *
- * Keeps the session alive (needed for cross-device polling) and stores
- * this device's ID in user_metadata so the confirm page can trust it.
+ * @throws Never throws directly; all errors are caught and returned.
+ *
+ * @security The `shouldCreateUser: false` flag prevents this endpoint from
+ *   being abused to create new accounts. The OTP is time-limited and
+ *   single-use (configured in Supabase dashboard).
+ *
+ * @see {@link verifyDeviceCode} for verifying the OTP token
+ * @see {@link trustPendingDevice} for trusting the originating device from the confirm page
  */
 export async function sendDeviceVerification(email) {
     try {
-        // Store the pending device info in user_metadata so the confirm page
-        // can trust THIS device even if the link is opened on a different one.
+        /* Store the pending device info in user_metadata so the confirm page
+           can trust THIS device even if the link is opened on a different one.
+           This enables the cross-device verification pattern. */
         const deviceId = getDeviceId();
         const deviceLabel = getDeviceLabel();
         await supabase.auth.updateUser({
@@ -229,11 +421,32 @@ export async function sendDeviceVerification(email) {
     }
 }
 /**
- * Trust the pending device stored in user_metadata.
+ * Trust the pending device stored in `user_metadata`.
+ *
+ * Called from the confirm page after a device OTP is verified. This function
+ * trusts the ORIGINATING device (the one that entered the PIN and triggered
+ * verification), not necessarily the device opening the confirmation link.
+ *
+ * ## Cross-Device Flow
  *
- * Called from the confirm page after a device OTP is verified. This trusts
- * the ORIGINATING device (the one that entered the PIN and triggered
- * verification), not the device opening the confirmation link.
+ * 1. Device A enters the PIN -> untrusted -> OTP sent, device A's ID stored
+ *    in `user_metadata.pending_device_id`.
+ * 2. User opens the OTP link on Device B (or Device A).
+ * 3. This function reads `pending_device_id` from metadata and trusts Device A.
+ * 4. Device A polls via {@link pollDeviceVerification} and discovers it's now trusted.
+ * 5. Both Device A and the confirming device (B) are trusted.
+ *
+ * If no `pending_device_id` is found in metadata (same-browser case where the
+ * link was opened in the same browser), falls back to trusting the current
+ * device only.
+ *
+ * @example
+ * ```ts
+ * // Called from the /confirm page after OTP verification:
+ * await trustPendingDevice();
+ * ```
+ *
+ * @see {@link sendDeviceVerification} which stores the pending device ID
  */
 export async function trustPendingDevice() {
     try {
@@ -245,12 +458,15 @@ export async function trustPendingDevice() {
         const pendingDeviceId = user.user_metadata?.pending_device_id;
         const pendingDeviceLabel = user.user_metadata?.pending_device_label;
         if (!pendingDeviceId) {
-            // No pending device — fall back to trusting the current device (same-browser case)
+            /* No pending device — fall back to trusting the current device.
+               This handles the same-browser case where the OTP link is opened
+               in the same browser that initiated verification. */
             await trustCurrentDevice(user.id);
             return;
         }
         const now = new Date().toISOString();
-        // Trust the originating device
+        /* Trust the originating device (the one that entered the PIN) by
+           upserting its device ID into the trusted_devices table */
         const { error: upsertError } = await supabase.from('trusted_devices').upsert({
             user_id: user.id,
             device_id: pendingDeviceId,
@@ -264,9 +480,11 @@ export async function trustPendingDevice() {
         else {
             debugLog('[DeviceVerification] Pending device trusted:', pendingDeviceLabel);
         }
-        // Also trust the current device (the one opening the confirmation link)
+        /* Also trust the current device (the one opening the confirmation link),
+           since the user has demonstrated control of the email on this device too */
         await trustCurrentDevice(user.id);
-        // Clear pending device from metadata
+        /* Clear pending device from metadata to prevent stale references.
+           Setting to null removes the keys from user_metadata. */
         await supabase.auth.updateUser({
             data: { pending_device_id: null, pending_device_label: null }
         });
@@ -276,7 +494,32 @@ export async function trustPendingDevice() {
     }
 }
 /**
- * Verify a device verification OTP token hash (from email link).
+ * Verify a device verification OTP token hash from an email link.
+ *
+ * Called from the confirm page with the `token_hash` query parameter extracted
+ * from the magic link URL. On success, Supabase establishes a session for the
+ * user, which enables subsequent calls to trust devices.
+ *
+ * @param tokenHash - The token hash from the email link's URL query parameters.
+ * @returns An object with `error` (string or null).
+ *
+ * @throws Never throws directly; all errors are caught and returned.
+ *
+ * @example
+ * ```ts
+ * // On the /confirm page:
+ * const params = new URLSearchParams(window.location.search);
+ * const tokenHash = params.get('token_hash');
+ * if (tokenHash) {
+ *   const result = await verifyDeviceCode(tokenHash);
+ *   if (!result.error) {
+ *     await trustPendingDevice();
+ *   }
+ * }
+ * ```
+ *
+ * @see {@link sendDeviceVerification} which sends the OTP email
+ * @see {@link trustPendingDevice} which should be called after successful verification
  */
 export async function verifyDeviceCode(tokenHash) {
     try {
@@ -296,8 +539,18 @@ export async function verifyDeviceCode(tokenHash) {
         return { error: e instanceof Error ? e.message : 'Verification failed' };
     }
 }
+// =============================================================================
+// PUBLIC UTILITIES
+// =============================================================================
 /**
- * Get the current device ID (exposed for consumers).
+ * Get the current device's persistent unique identifier.
+ *
+ * Exposed as a convenience for consumers who need to reference the device ID
+ * (e.g., for display in a device management UI or for debugging).
+ *
+ * @returns The persistent device ID string from localStorage.
+ *
+ * @see {@link getDeviceId} from the `deviceId` module for the underlying implementation
  */
 export function getCurrentDeviceId() {
     return getDeviceId();

package/dist/auth/deviceVerification.js.map

@@ -1 +1 @@
-{"version":3,"file":"deviceVerification.js","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE3D,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAEvC,+DAA+D;AAC/D,UAAU;AACV,+DAA+D;AAE/D,SAAS,oBAAoB;IAC3B,OAAO,CACL,eAAe,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,iBAAiB,IAAI,2BAA2B,CAC7F,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,GAA4B;IACtD,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,MAAM,EAAE,GAAG,CAAC,OAAiB;QAC7B,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,WAAW,EAAE,GAAG,CAAC,YAAkC;QACnD,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,UAAU,EAAE,GAAG,CAAC,YAAsB;KACvC,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,eAAe;AACf,+DAA+D;AAE/D;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO,gBAAgB,CAAC;IAE9D,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC;IAC/B,IAAI,OAAO,GAAG,SAAS,CAAC;IACxB,IAAI,EAAE,GAAG,EAAE,CAAC;IAEZ,iBAAiB;IACjB,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,MAAM,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;SACtE,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;IAE7E,oEAAoE;IACpE,yDAAyD;IACzD,yEAAyE;IACzE,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,KAAK,CAAC;SAC/E,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,UAAU,CAAC;SACzC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;IAE5C,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,+DAA+D;AAC/D,gBAAgB;AAChB,+DAA+D;AAE/D;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAC9F,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,+DAA+D;AAC/D,uBAAuB;AACvB,+DAA+D;AAE/D;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc;IAClD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;QACzC,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;aACzC,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D;YACE,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,QAAQ;YACnB,YAAY,EAAE,KAAK;YACnB,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,mBAAmB,EAAE,CACpC,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAE/B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aAC7B,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,CAAC;aAClF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAE7B,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc;IACpD,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,gEAAgE,CAAC;aACxE,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EAAU;IAClD,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAE/E,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,4CAA4C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,+DAA+D;AAC/D,wBAAwB;AACxB,+DAA+D;AAE/D;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,IAAI,CAAC;QACH,qEAAqE;QACrE,uEAAuE;QACvE,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QACrC,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,oBAAoB,EAAE,WAAW,EAAE;SACzE,CAAC,CAAC;QAEH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;YAClD,KAAK;YACL,OAAO,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE;SACrC,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,mCAAmC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,IAAI,CAAC;QACH,MAAM,EACJ,IAAI,EAAE,EAAE,IAAI,EAAE,EACd,KAAK,EACN,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACnB,SAAS,CAAC,kDAAkD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,iBAAiB,CAAC;QAC9D,MAAM,kBAAkB,GAAG,IAAI,CAAC,aAAa,EAAE,oBAAoB,CAAC;QAEpE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,mFAAmF;YACnF,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,+BAA+B;QAC/B,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC1E;YACE,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,eAAe;YAC1B,YAAY,EAAE,kBAAkB,IAAI,gBAAgB;YACpD,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,mBAAmB,EAAE,CACpC,CAAC;QAEF,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,wDAAwD,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;QAC5F,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,8CAA8C,EAAE,kBAAkB,CAAC,CAAC;QAC/E,CAAC;QAED,wEAAwE;QACxE,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAElC,qCAAqC;QACrC,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YAC9C,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,yCAAyC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC;IAC3E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC"}
+{"version":3,"file":"deviceVerification.js","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAE3D,wFAAwF;AACxF,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAEvC,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;;;;GAMG;AACH,SAAS,oBAAoB;IAC3B,OAAO,CACL,eAAe,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,iBAAiB,IAAI,2BAA2B,CAC7F,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,GAA4B;IACtD,OAAO;QACL,0BAA0B;QAC1B,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,yDAAyD;QACzD,MAAM,EAAE,GAAG,CAAC,OAAiB;QAC7B,0DAA0D;QAC1D,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,sDAAsD;QACtD,WAAW,EAAE,GAAG,CAAC,YAAkC;QACnD,0DAA0D;QAC1D,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,0EAA0E;QAC1E,UAAU,EAAE,GAAG,CAAC,YAAsB;KACvC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO,gBAAgB,CAAC;IAE9D,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC;IAC/B,IAAI,OAAO,GAAG,SAAS,CAAC;IACxB,IAAI,EAAE,GAAG,EAAE,CAAC;IAEZ;+CAC2C;IAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,MAAM,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;SACtE,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;IAE7E;;iFAE6E;IAC7E,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,KAAK,CAAC;SAC/E,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,UAAU,CAAC;SACzC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;IAE5C,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B;uCACmC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAC9F,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc;IAClD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;QAEzC;uDAC+C;QAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;aACzC,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D;YACE,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,QAAQ;YACnB,YAAY,EAAE,KAAK;YACnB,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,mBAAmB,EAAE,CACpC,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAE/B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aAC7B,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,CAAC;aAClF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAE7B,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc;IACpD,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,gEAAgE,CAAC;aACxE,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EAAU;IAClD,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAE/E,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,4CAA4C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,IAAI,CAAC;QACH;;iEAEyD;QACzD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QACrC,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,oBAAoB,EAAE,WAAW,EAAE;SACzE,CAAC,CAAC;QAEH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;YAClD,KAAK;YACL,OAAO,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE;SACrC,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,mCAAmC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,IAAI,CAAC;QACH,MAAM,EACJ,IAAI,EAAE,EAAE,IAAI,EAAE,EACd,KAAK,EACN,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACnB,SAAS,CAAC,kDAAkD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,iBAAiB,CAAC;QAC9D,MAAM,kBAAkB,GAAG,IAAI,CAAC,aAAa,EAAE,oBAAoB,CAAC;QAEpE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB;;kEAEsD;YACtD,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC;oEAC4D;QAC5D,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC1E;YACE,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,eAAe;YAC1B,YAAY,EAAE,kBAAkB,IAAI,gBAAgB;YACpD,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,mBAAmB,EAAE,CACpC,CAAC;QAEF,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,wDAAwD,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;QAC5F,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,8CAA8C,EAAE,kBAAkB,CAAC,CAAC;QAC/E,CAAC;QAED;qFAC6E;QAC7E,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAElC;kEAC0D;QAC1D,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE;SAC9D,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YAC9C,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,yCAAyC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC;IAC3E,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC"}

package/dist/auth/displayUtils.d.ts

@@ -0,0 +1,98 @@
+/**
+ * @fileoverview Auth Display Utilities
+ *
+ * Pure helper functions that resolve user-facing display values (first name,
+ * user ID, avatar initial) from the auth state. Each function handles the
+ * full fallback chain across online (Supabase session) and offline (cached
+ * credentials) modes, so consuming components don't need to duplicate the
+ * resolution logic.
+ *
+ * Resolution strategy (consistent across all helpers):
+ *   1. Check the Supabase session (`Session.user`) first.
+ *   2. Fall back to the offline credential cache (`OfflineCredentials`).
+ *   3. Return a caller-provided fallback or a sensible default.
+ *
+ * These functions are stateless and framework-agnostic — they accept plain
+ * data and return plain values. Wrap them in `$derived` / `$derived.by` in
+ * Svelte 5 components to make them reactive.
+ *
+ * @module auth/displayUtils
+ */
+import type { Session } from '@supabase/supabase-js';
+import type { OfflineCredentials } from '../types';
+/**
+ * Resolve the user's first name for greeting / display purposes.
+ *
+ * Fallback chain:
+ *   1. `firstName` / `first_name` from the Supabase session profile
+ *      (extracted via `getUserProfile()`, which respects the app's
+ *      `profileExtractor` config)
+ *   2. Email username (everything before `@`) from the Supabase session
+ *   3. `firstName` from the offline cached profile
+ *   4. Email username from the offline cached profile
+ *   5. The provided `fallback` string (default: `'Explorer'`)
+ *
+ * @param session - The current Supabase session, or `null`.
+ * @param offlineProfile - The cached offline credentials, or `null`.
+ * @param fallback - Value returned when no name can be resolved.
+ *                   Defaults to `'Explorer'`.
+ * @returns The resolved first name string.
+ *
+ * @example
+ * ```ts
+ * // In a Svelte 5 component:
+ * const firstName = $derived(
+ *   resolveFirstName($authState.session, $authState.offlineProfile)
+ * );
+ * ```
+ *
+ * @example
+ * ```ts
+ * // With a custom fallback:
+ * const greeting = resolveFirstName(session, offline, 'there');
+ * // → "Hey, there!" when no name is available
+ * ```
+ */
+export declare function resolveFirstName(session: Session | null, offlineProfile: OfflineCredentials | null, fallback?: string): string;
+/**
+ * Resolve the current user's UUID from auth state.
+ *
+ * Checks the Supabase session first, then falls back to the offline
+ * credential cache. Returns an empty string when no user is authenticated.
+ *
+ * @param session - The current Supabase session, or `null`.
+ * @param offlineProfile - The cached offline credentials, or `null`.
+ * @returns The user's UUID, or `''` if unauthenticated.
+ *
+ * @example
+ * ```ts
+ * const userId = resolveUserId(data.session, data.offlineProfile);
+ * if (!userId) {
+ *   error = 'Not authenticated';
+ *   return;
+ * }
+ * ```
+ */
+export declare function resolveUserId(session: Session | null, offlineProfile: OfflineCredentials | null): string;
+/**
+ * Resolve a single uppercase initial letter for avatar display.
+ *
+ * Uses {@link resolveFirstName} to derive the name, then returns the
+ * first character uppercased. If the resolved name is empty, returns
+ * the `fallback` character.
+ *
+ * @param session - The current Supabase session, or `null`.
+ * @param offlineProfile - The cached offline credentials, or `null`.
+ * @param fallback - Character to use when no initial can be derived.
+ *                   Defaults to `'?'`.
+ * @returns A single uppercase character.
+ *
+ * @example
+ * ```svelte
+ * <span class="avatar">
+ *   {resolveAvatarInitial($authState.session, $authState.offlineProfile)}
+ * </span>
+ * ```
+ */
+export declare function resolveAvatarInitial(session: Session | null, offlineProfile: OfflineCredentials | null, fallback?: string): string;
+//# sourceMappingURL=displayUtils.d.ts.map

package/dist/auth/displayUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"displayUtils.d.ts","sourceRoot":"","sources":["../../src/auth/displayUtils.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAOnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,OAAO,GAAG,IAAI,EACvB,cAAc,EAAE,kBAAkB,GAAG,IAAI,EACzC,QAAQ,GAAE,MAAmB,GAC5B,MAAM,CAqBR;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,OAAO,GAAG,IAAI,EACvB,cAAc,EAAE,kBAAkB,GAAG,IAAI,GACxC,MAAM,CAQR;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,OAAO,GAAG,IAAI,EACvB,cAAc,EAAE,kBAAkB,GAAG,IAAI,EACzC,QAAQ,GAAE,MAAY,GACrB,MAAM,CAMR"}