@rpcbase/auth 0.110.0 → 0.111.0

package/dist/handler-BH38xcvj.js

@@ -0,0 +1,60 @@
+import { i as string, r as object, t as array } from "./schemas-BKnjeqQ9.js";
+import { r as restrictSessionMiddleware } from "./middleware-BbKZ_rOe.js";
+import { models } from "@rpcbase/db";
+//#region src/api/me/index.ts
+var Route = "/api/rb/auth/me";
+object({});
+object({
+	id: string().optional(),
+	email: string().email().optional(),
+	phone: string().optional(),
+	name: string().optional(),
+	tenants: array(string()).default([]),
+	currentTenantId: string().optional(),
+	signedInTenants: array(string()).default([]).optional(),
+	error: string().optional()
+});
+//#endregion
+//#region src/api/me/handler.ts
+var me = async (_payload, ctx) => {
+	const sessionUser = ctx.req.session?.user;
+	if (!sessionUser?.id) {
+		ctx.res.status(401);
+		return {
+			id: "",
+			currentTenantId: "",
+			signedInTenants: [],
+			tenants: [],
+			error: "not_authenticated"
+		};
+	}
+	const user = await (await models.getGlobal("RBUser", ctx)).findById(sessionUser.id);
+	if (!user) {
+		ctx.res.status(404);
+		return {
+			id: "",
+			currentTenantId: "",
+			signedInTenants: [],
+			tenants: [],
+			error: "user_not_found"
+		};
+	}
+	const tenantId = sessionUser.currentTenantId || user.tenants?.[0]?.toString?.() || "00000000";
+	return {
+		id: user._id.toString(),
+		email: user.email,
+		phone: user.get("phone"),
+		name: user.name,
+		tenants: (user.tenants || []).map(String),
+		currentTenantId: tenantId,
+		signedInTenants: sessionUser.signedInTenants || []
+	};
+};
+var handler_default = (api) => {
+	api.use(Route, restrictSessionMiddleware);
+	api.get(Route, me);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-BH38xcvj.js.map

package/dist/handler-BH38xcvj.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-BH38xcvj.js","names":["z","Route","requestSchema","object","RequestPayload","infer","responseSchema","id","string","optional","email","phone","name","tenants","array","default","currentTenantId","signedInTenants","error","ResponsePayload","Api","ApiHandler","Ctx","models","AuthSessionUser","restrictSessionMiddleware","Me","me","RequestPayload","ResponsePayload","_payload","ctx","Promise","sessionUser","req","session","user","id","res","status","currentTenantId","signedInTenants","tenants","error","User","getGlobal","findById","tenantId","toString","_id","email","phone","get","name","map","String","api","use","Route"],"sources":["../src/api/me/index.ts","../src/api/me/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/me\"\n\nexport const requestSchema = z.object({})\nexport type RequestPayload = z.infer<typeof requestSchema>\n\nexport const responseSchema = z.object({\n  id: z.string().optional(),\n  email: z.string().email().optional(),\n  phone: z.string().optional(),\n  name: z.string().optional(),\n  tenants: z.array(z.string()).default([]),\n  currentTenantId: z.string().optional(),\n  signedInTenants: z.array(z.string()).default([]).optional(),\n  error: z.string().optional(),\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>\n","import { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\n\nimport type { AuthSessionUser } from \"../../types\"\nimport { restrictSessionMiddleware } from \"../../middleware\"\n\nimport * as Me from \"./index\"\n\n\nconst me: ApiHandler<Me.RequestPayload, Me.ResponsePayload, AuthSessionUser> = async(\n  _payload: Me.RequestPayload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<Me.ResponsePayload> => {\n  const sessionUser = ctx.req.session?.user\n\n  if (!sessionUser?.id) {\n    ctx.res.status(401)\n    return {\n      id: \"\",\n      currentTenantId: \"\",\n      signedInTenants: [],\n      tenants: [],\n      error: \"not_authenticated\",\n    } as unknown as Me.ResponsePayload\n  }\n\n  const User = await models.getGlobal(\"RBUser\", ctx)\n  const user = await User.findById(sessionUser.id)\n\n  if (!user) {\n    ctx.res.status(404)\n    return {\n      id: \"\",\n      currentTenantId: \"\",\n      signedInTenants: [],\n      tenants: [],\n      error: \"user_not_found\",\n    } as unknown as Me.ResponsePayload\n  }\n\n  const tenantId = sessionUser.currentTenantId || user.tenants?.[0]?.toString?.() || \"00000000\"\n\n  return {\n    id: user._id.toString(),\n    email: user.email,\n    phone: user.get(\"phone\") as string | undefined,\n    name: user.name,\n    tenants: (user.tenants || []).map(String),\n    currentTenantId: tenantId,\n    signedInTenants: sessionUser.signedInTenants || [],\n  }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.use(Me.Route, restrictSessionMiddleware)\n  api.get(Me.Route, me)\n}\n"],"mappings":";;;;AAGA,IAAaC,QAAQ;AAEQD,OAAS,EAAE,CAAC;AAGXA,OAAS;CACrCO,IAAIP,QAAU,CAACS,UAAU;CACzBC,OAAOV,QAAU,CAACU,OAAO,CAACD,UAAU;CACpCE,OAAOX,QAAU,CAACS,UAAU;CAC5BG,MAAMZ,QAAU,CAACS,UAAU;CAC3BI,SAASb,MAAQA,QAAU,CAAC,CAACe,QAAQ,EAAE,CAAC;CACxCC,iBAAiBhB,QAAU,CAACS,UAAU;CACtCQ,iBAAiBjB,MAAQA,QAAU,CAAC,CAACe,QAAQ,EAAE,CAAC,CAACN,UAAU;CAC3DS,OAAOlB,QAAU,CAACS,UAAS;CAC5B,CAAC;;;ACRF,IAAMkB,KAAyE,OAC7EG,UACAC,QACgC;CAChC,MAAME,cAAcF,IAAIG,IAAIC,SAASC;AAErC,KAAI,CAACH,aAAaI,IAAI;AACpBN,MAAIO,IAAIC,OAAO,IAAI;AACnB,SAAO;GACLF,IAAI;GACJG,iBAAiB;GACjBC,iBAAiB,EAAE;GACnBC,SAAS,EAAE;GACXC,OAAO;GACR;;CAIH,MAAMP,OAAO,OADA,MAAMb,OAAOsB,UAAU,UAAUd,IAAI,EAC1Be,SAASb,YAAYI,GAAG;AAEhD,KAAI,CAACD,MAAM;AACTL,MAAIO,IAAIC,OAAO,IAAI;AACnB,SAAO;GACLF,IAAI;GACJG,iBAAiB;GACjBC,iBAAiB,EAAE;GACnBC,SAAS,EAAE;GACXC,OAAO;GACR;;CAGH,MAAMI,WAAWd,YAAYO,mBAAmBJ,KAAKM,UAAU,IAAIM,YAAY,IAAI;AAEnF,QAAO;EACLX,IAAID,KAAKa,IAAID,UAAU;EACvBE,OAAOd,KAAKc;EACZC,OAAOf,KAAKgB,IAAI,QAAQ;EACxBC,MAAMjB,KAAKiB;EACXX,UAAUN,KAAKM,WAAW,EAAE,EAAEY,IAAIC,OAAO;EACzCf,iBAAiBO;EACjBN,iBAAiBR,YAAYQ,mBAAmB,EAAA;EACjD;;AAGH,IAAA,mBAAgBe,QAA8B;AAC5CA,KAAIC,IAAI/B,OAAUD,0BAA0B;AAC5C+B,KAAIJ,IAAI1B,OAAUC,GAAG"}

package/dist/handler-Bjxe8iM2.js

@@ -0,0 +1,67 @@
+import { n as requestSchema, t as Route } from "./sign-in-C9a-NvBu.js";
+import { models } from "@rpcbase/db";
+import { verifyPasswordFromStorage } from "@rpcbase/server";
+//#region src/api/sign-in/handler.ts
+var signIn = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email, password } = parsed.data;
+	const user = await User.findOne({ email }, {
+		password: 1,
+		tenants: 1,
+		tenantRoles: 1
+	});
+	if (!user?.password) {
+		ctx.res.status(401);
+		return {
+			success: false,
+			error: "invalid_credentials"
+		};
+	}
+	const stored = String(user.password);
+	if (!await verifyPasswordFromStorage(password, stored)) {
+		if (!stored.startsWith("$scrypt$")) console.warn("auth::sign-in invalid stored password format", user._id.toString());
+		ctx.res.status(401);
+		return {
+			success: false,
+			error: "invalid_credentials"
+		};
+	}
+	const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
+	const signedInTenants = (user.tenants || []).map(String);
+	const tenantRolesMap = user.get("tenantRoles");
+	const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
+	if (!ctx.req.session) {
+		ctx.res.status(500);
+		return {
+			success: false,
+			error: "session_unavailable"
+		};
+	}
+	ctx.req.session.user = {
+		id: user._id.toString(),
+		currentTenantId: tenantId,
+		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
+		isEntryGateAuthorized: true,
+		tenantRoles
+	};
+	return {
+		success: true,
+		userId: user._id.toString(),
+		tenantId
+	};
+};
+var handler_default = (api) => {
+	api.post(Route, signIn);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-Bjxe8iM2.js.map

package/dist/handler-Bjxe8iM2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-Bjxe8iM2.js","names":["Api","ApiHandler","Ctx","models","verifyPasswordFromStorage","AuthSessionUser","SignIn","signIn","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","parsed","requestSchema","safeParse","success","res","status","error","email","password","data","user","findOne","tenants","tenantRoles","stored","String","passwordMatches","startsWith","console","warn","_id","toString","tenantId","signedInTenants","map","tenantRolesMap","get","Map","Object","fromEntries","entries","undefined","req","session","id","currentTenantId","length","isEntryGateAuthorized","userId","api","post","Route"],"sources":["../src/api/sign-in/handler.ts"],"sourcesContent":["import { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\nimport { verifyPasswordFromStorage } from \"@rpcbase/server\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as SignIn from \"./index\"\n\n\nconst signIn: ApiHandler<SignIn.RequestPayload, SignIn.ResponsePayload, AuthSessionUser> = async(\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<SignIn.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n\n  const parsed = SignIn.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  const { email, password } = parsed.data\n\n  const user = await User.findOne({ email }, { password: 1, tenants: 1, tenantRoles: 1 })\n\n  if (!user?.password) {\n    ctx.res.status(401)\n    return { success: false, error: \"invalid_credentials\" }\n  }\n\n  const stored = String(user.password)\n  const passwordMatches = await verifyPasswordFromStorage(password, stored)\n\n  if (!passwordMatches) {\n    if (!stored.startsWith(\"$scrypt$\")) {\n      console.warn(\"auth::sign-in invalid stored password format\", user._id.toString())\n    }\n    ctx.res.status(401)\n    return { success: false, error: \"invalid_credentials\" }\n  }\n\n  const tenantId = user.tenants?.[0]?.toString?.() || \"00000000\"\n  const signedInTenants = (user.tenants || []).map(String)\n  const tenantRolesMap = user.get(\"tenantRoles\") as Map<string, string[]> | undefined\n  const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : undefined\n\n  if (!ctx.req.session) {\n    ctx.res.status(500)\n    return { success: false, error: \"session_unavailable\" }\n  }\n\n  ctx.req.session.user = {\n    id: user._id.toString(),\n    currentTenantId: tenantId,\n    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],\n    isEntryGateAuthorized: true,\n    tenantRoles,\n  }\n\n  return { success: true, userId: user._id.toString(), tenantId }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(SignIn.Route, signIn)\n}\n"],"mappings":";;;;AASA,IAAMO,SAAqF,OACzFG,SACAC,QACoC;CACpC,MAAME,OAAO,MAAMV,OAAOW,UAAU,UAAUH,IAAI;CAElD,MAAMI,SAAAA,cAA8BE,UAAUP,QAAQ;AAEtD,KAAI,CAACK,OAAOG,SAAS;AACnBP,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAGrD,MAAM,EAAEC,OAAOC,aAAaR,OAAOS;CAEnC,MAAMC,OAAO,MAAMZ,KAAKa,QAAQ,EAAEJ,OAAO,EAAE;EAAEC,UAAU;EAAGI,SAAS;EAAGC,aAAa;EAAG,CAAC;AAEvF,KAAI,CAACH,MAAMF,UAAU;AACnBZ,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAuB;;CAGzD,MAAMQ,SAASC,OAAOL,KAAKF,SAAS;AAGpC,KAAI,CAFoB,MAAMnB,0BAA0BmB,UAAUM,OAAO,EAEnD;AACpB,MAAI,CAACA,OAAOG,WAAW,WAAW,CAChCC,SAAQC,KAAK,gDAAgDT,KAAKU,IAAIC,UAAU,CAAC;AAEnFzB,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAuB;;CAGzD,MAAMgB,WAAWZ,KAAKE,UAAU,IAAIS,YAAY,IAAI;CACpD,MAAME,mBAAmBb,KAAKE,WAAW,EAAE,EAAEY,IAAIT,OAAO;CACxD,MAAMU,iBAAiBf,KAAKgB,IAAI,cAAc;CAC9C,MAAMb,cAAcY,iBAAiBG,OAAOC,YAAYJ,eAAeK,SAAS,CAAC,GAAGC,KAAAA;AAEpF,KAAI,CAACnC,IAAIoC,IAAIC,SAAS;AACpBrC,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAuB;;AAGzDV,KAAIoC,IAAIC,QAAQvB,OAAO;EACrBwB,IAAIxB,KAAKU,IAAIC,UAAU;EACvBc,iBAAiBb;EACjBC,iBAAiBA,gBAAgBa,SAASb,kBAAkB,CAACD,SAAS;EACtEe,uBAAuB;EACvBxB;EACD;AAED,QAAO;EAAEV,SAAS;EAAMmC,QAAQ5B,KAAKU,IAAIC,UAAU;EAAEC;EAAU;;AAGjE,IAAA,mBAAgBiB,QAA8B;AAC5CA,KAAIC,KAAKjD,OAAcC,OAAO"}

package/dist/handler-CVeU9Nyf.js

@@ -0,0 +1,85 @@
+import { i as string, n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+import { models } from "@rpcbase/db";
+//#region src/api/verify-otp/index.ts
+var Route = "/api/rb/auth/verify-otp";
+var requestSchema = object({
+	email: string().email(),
+	code: string().length(6, "Code must be 6 digits"),
+	rememberMe: boolean().default(true)
+});
+object({
+	success: boolean(),
+	error: string().optional(),
+	userId: string().optional(),
+	tenantId: string().optional()
+});
+//#endregion
+//#region src/api/verify-otp/handler.ts
+var verifyOtp = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email, code } = parsed.data;
+	const user = await User.findOne({ email }, {
+		emailVerificationCode: 1,
+		emailVerificationExpiresAt: 1,
+		tenants: 1,
+		tenantRoles: 1
+	});
+	if (!user) {
+		ctx.res.status(404);
+		return {
+			success: false,
+			error: "user_not_found"
+		};
+	}
+	const storedCode = user.emailVerificationCode;
+	const expiresAt = user.emailVerificationExpiresAt;
+	const isExpired = expiresAt instanceof Date && expiresAt.getTime() < Date.now();
+	if (!storedCode || storedCode !== code || isExpired) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_code"
+		};
+	}
+	user.emailVerificationCode = void 0;
+	user.emailVerificationExpiresAt = void 0;
+	await user.save();
+	const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
+	const signedInTenants = (user.tenants || []).map(String);
+	const tenantRolesMap = user.get("tenantRoles");
+	const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
+	if (!ctx.req.session) {
+		ctx.res.status(500);
+		return {
+			success: false,
+			error: "session_unavailable"
+		};
+	}
+	ctx.req.session.user = {
+		id: user._id.toString(),
+		currentTenantId: tenantId,
+		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
+		isEntryGateAuthorized: true,
+		tenantRoles
+	};
+	return {
+		success: true,
+		userId: user._id.toString(),
+		tenantId
+	};
+};
+var handler_default = (api) => {
+	api.post(Route, verifyOtp);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-CVeU9Nyf.js.map

package/dist/handler-CVeU9Nyf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-CVeU9Nyf.js","names":["z","Route","requestSchema","object","email","string","code","length","rememberMe","boolean","default","RequestPayload","infer","responseSchema","success","error","optional","userId","tenantId","ResponsePayload","Api","ApiHandler","Ctx","models","AuthSessionUser","VerifyOtp","verifyOtp","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","parsed","requestSchema","safeParse","success","res","status","error","email","code","data","user","findOne","emailVerificationCode","emailVerificationExpiresAt","tenants","tenantRoles","storedCode","expiresAt","isExpired","Date","getTime","now","undefined","save","tenantId","toString","signedInTenants","map","String","tenantRolesMap","get","Map","Object","fromEntries","entries","req","session","id","_id","currentTenantId","length","isEntryGateAuthorized","userId","api","post","Route"],"sources":["../src/api/verify-otp/index.ts","../src/api/verify-otp/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/verify-otp\"\n\nexport const requestSchema = z.object({\n  email: z.string().email(),\n  code: z.string().length(6, \"Code must be 6 digits\"),\n  rememberMe: z.boolean().default(true),\n})\n\nexport type RequestPayload = z.infer<typeof requestSchema>\n\nexport const responseSchema = z.object({\n  success: z.boolean(),\n  error: z.string().optional(),\n  userId: z.string().optional(),\n  tenantId: z.string().optional(),\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>\n","import { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as VerifyOtp from \"./index\"\n\n\nconst verifyOtp: ApiHandler<VerifyOtp.RequestPayload, VerifyOtp.ResponsePayload, AuthSessionUser> = async (\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<VerifyOtp.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n\n  const parsed = VerifyOtp.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  const { email, code } = parsed.data\n\n  const user = await User.findOne({ email }, { emailVerificationCode: 1, emailVerificationExpiresAt: 1, tenants: 1, tenantRoles: 1 })\n\n  if (!user) {\n    ctx.res.status(404)\n    return { success: false, error: \"user_not_found\" }\n  }\n\n  const storedCode = user.emailVerificationCode\n  const expiresAt = user.emailVerificationExpiresAt\n\n  const isExpired = expiresAt instanceof Date && expiresAt.getTime() < Date.now()\n  if (!storedCode || storedCode !== code || isExpired) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_code\" }\n  }\n\n  user.emailVerificationCode = undefined\n  user.emailVerificationExpiresAt = undefined\n  await user.save()\n\n  const tenantId = user.tenants?.[0]?.toString?.() || \"00000000\"\n  const signedInTenants = (user.tenants || []).map(String)\n  const tenantRolesMap = user.get(\"tenantRoles\") as Map<string, string[]> | undefined\n  const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : undefined\n\n  if (!ctx.req.session) {\n    ctx.res.status(500)\n    return { success: false, error: \"session_unavailable\" }\n  }\n\n  ctx.req.session.user = {\n    id: user._id.toString(),\n    currentTenantId: tenantId,\n    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],\n    isEntryGateAuthorized: true,\n    tenantRoles,\n  }\n\n  return { success: true, userId: user._id.toString(), tenantId }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(VerifyOtp.Route, verifyOtp)\n}\n"],"mappings":";;;AAGA,IAAaC,QAAQ;AAErB,IAAaC,gBAAgBF,OAAS;CACpCI,OAAOJ,QAAU,CAACI,OAAO;CACzBE,MAAMN,QAAU,CAACO,OAAO,GAAG,wBAAwB;CACnDC,YAAYR,SAAW,CAACU,QAAQ,KAAI;CACrC,CAAC;AAI4BV,OAAS;CACrCc,SAASd,SAAW;CACpBe,OAAOf,QAAU,CAACgB,UAAU;CAC5BC,QAAQjB,QAAU,CAACgB,UAAU;CAC7BE,UAAUlB,QAAU,CAACgB,UAAS;CAC/B,CAAC;;;ACVF,IAAMU,YAA8F,OAClGG,SACAC,QACuC;CACvC,MAAME,OAAO,MAAMT,OAAOU,UAAU,UAAUH,IAAI;CAElD,MAAMI,SAAAA,cAAiCE,UAAUP,QAAQ;AAEzD,KAAI,CAACK,OAAOG,SAAS;AACnBP,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAGrD,MAAM,EAAEC,OAAOC,SAASR,OAAOS;CAE/B,MAAMC,OAAO,MAAMZ,KAAKa,QAAQ,EAAEJ,OAAO,EAAE;EAAEK,uBAAuB;EAAGC,4BAA4B;EAAGC,SAAS;EAAGC,aAAa;EAAG,CAAC;AAEnI,KAAI,CAACL,MAAM;AACTd,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAkB;;CAGpD,MAAMU,aAAaN,KAAKE;CACxB,MAAMK,YAAYP,KAAKG;CAEvB,MAAMK,YAAYD,qBAAqBE,QAAQF,UAAUG,SAAS,GAAGD,KAAKE,KAAK;AAC/E,KAAI,CAACL,cAAcA,eAAeR,QAAQU,WAAW;AACnDtB,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAgB;;AAGlDI,MAAKE,wBAAwBU,KAAAA;AAC7BZ,MAAKG,6BAA6BS,KAAAA;AAClC,OAAMZ,KAAKa,MAAM;CAEjB,MAAMC,WAAWd,KAAKI,UAAU,IAAIW,YAAY,IAAI;CACpD,MAAMC,mBAAmBhB,KAAKI,WAAW,EAAE,EAAEa,IAAIC,OAAO;CACxD,MAAMC,iBAAiBnB,KAAKoB,IAAI,cAAc;CAC9C,MAAMf,cAAcc,iBAAiBG,OAAOC,YAAYJ,eAAeK,SAAS,CAAC,GAAGZ,KAAAA;AAEpF,KAAI,CAAC1B,IAAIuC,IAAIC,SAAS;AACpBxC,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAuB;;AAGzDV,KAAIuC,IAAIC,QAAQ1B,OAAO;EACrB2B,IAAI3B,KAAK4B,IAAIb,UAAU;EACvBc,iBAAiBf;EACjBE,iBAAiBA,gBAAgBc,SAASd,kBAAkB,CAACF,SAAS;EACtEiB,uBAAuB;EACvB1B;EACD;AAED,QAAO;EAAEZ,SAAS;EAAMuC,QAAQhC,KAAK4B,IAAIb,UAAU;EAAED;EAAU;;AAGjE,IAAA,mBAAgBmB,QAA8B;AAC5CA,KAAIC,KAAKrD,OAAiBC,UAAU"}

package/dist/handler-CrTy-N1A.js

@@ -0,0 +1,51 @@
+import { i as string, n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+import { models } from "@rpcbase/db";
+import { hashPasswordForStorage } from "@rpcbase/server";
+//#region src/api/set-new-password/index.ts
+var Route = "/api/rb/auth/set-new-password";
+var requestSchema = object({
+	email: string().email(),
+	resetToken: string().min(1),
+	password: string().min(8, { message: "Password must be at least 8 characters long." })
+});
+object({
+	success: boolean(),
+	error: string().optional()
+});
+//#endregion
+//#region src/api/set-new-password/handler.ts
+var setNewPassword = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email, resetToken, password } = parsed.data;
+	const user = await User.findOne({ email });
+	const storedToken = user?.passwordResetToken;
+	const tokenExpiresAt = user?.passwordResetTokenExpiresAt;
+	const isExpired = tokenExpiresAt instanceof Date && tokenExpiresAt.getTime() < Date.now();
+	if (!user || !storedToken || storedToken !== resetToken || isExpired) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_token"
+		};
+	}
+	user.password = await hashPasswordForStorage(password);
+	user.passwordResetToken = void 0;
+	user.passwordResetTokenExpiresAt = void 0;
+	await user.save();
+	return { success: true };
+};
+var handler_default = (api) => {
+	api.post(Route, setNewPassword);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-CrTy-N1A.js.map

package/dist/handler-CrTy-N1A.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-CrTy-N1A.js","names":["z","Route","requestSchema","object","email","string","resetToken","min","password","message","RequestPayload","infer","responseSchema","success","boolean","error","optional","ResponsePayload","Api","ApiHandler","Ctx","models","hashPasswordForStorage","AuthSessionUser","SetNewPassword","setNewPassword","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","parsed","requestSchema","safeParse","success","res","status","error","email","resetToken","password","data","user","findOne","storedToken","passwordResetToken","tokenExpiresAt","passwordResetTokenExpiresAt","isExpired","Date","getTime","now","hashedPassword","undefined","save","api","post","Route"],"sources":["../src/api/set-new-password/index.ts","../src/api/set-new-password/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/set-new-password\"\n\nexport const requestSchema = z.object({\n  email: z.string().email(),\n  resetToken: z.string().min(1),\n  password: z.string().min(8, { message: \"Password must be at least 8 characters long.\" }),\n})\n\nexport type RequestPayload = z.infer<typeof requestSchema>\n\nexport const responseSchema = z.object({\n  success: z.boolean(),\n  error: z.string().optional(),\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>\n","import { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\nimport { hashPasswordForStorage } from \"@rpcbase/server\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as SetNewPassword from \"./index\"\n\n\nconst setNewPassword: ApiHandler<\n  SetNewPassword.RequestPayload,\n  SetNewPassword.ResponsePayload,\n  AuthSessionUser\n> = async(\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<SetNewPassword.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n\n  const parsed = SetNewPassword.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  const { email, resetToken, password } = parsed.data\n\n  const user = await User.findOne({ email })\n  const storedToken = user?.passwordResetToken\n  const tokenExpiresAt = user?.passwordResetTokenExpiresAt\n  const isExpired = tokenExpiresAt instanceof Date && tokenExpiresAt.getTime() < Date.now()\n\n  if (!user || !storedToken || storedToken !== resetToken || isExpired) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_token\" }\n  }\n\n  const hashedPassword = await hashPasswordForStorage(password)\n  user.password = hashedPassword\n  user.passwordResetToken = undefined\n  user.passwordResetTokenExpiresAt = undefined\n  await user.save()\n\n  return { success: true }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(SetNewPassword.Route, setNewPassword)\n}\n"],"mappings":";;;;AAGA,IAAaC,QAAQ;AAErB,IAAaC,gBAAgBF,OAAS;CACpCI,OAAOJ,QAAU,CAACI,OAAO;CACzBE,YAAYN,QAAU,CAACO,IAAI,EAAE;CAC7BC,UAAUR,QAAU,CAACO,IAAI,GAAG,EAAEE,SAAS,gDAAgD,CAAA;CACxF,CAAC;AAI4BT,OAAS;CACrCa,SAASb,SAAW;CACpBe,OAAOf,QAAU,CAACgB,UAAS;CAC5B,CAAC;;;ACPF,IAAMS,iBAIF,OACFG,SACAC,QAC4C;CAC5C,MAAME,OAAO,MAAMV,OAAOW,UAAU,UAAUH,IAAI;CAElD,MAAMI,SAAAA,cAAsCE,UAAUP,QAAQ;AAE9D,KAAI,CAACK,OAAOG,SAAS;AACnBP,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAGrD,MAAM,EAAEC,OAAOC,YAAYC,aAAaT,OAAOU;CAE/C,MAAMC,OAAO,MAAMb,KAAKc,QAAQ,EAAEL,OAAO,CAAC;CAC1C,MAAMM,cAAcF,MAAMG;CAC1B,MAAMC,iBAAiBJ,MAAMK;CAC7B,MAAMC,YAAYF,0BAA0BG,QAAQH,eAAeI,SAAS,GAAGD,KAAKE,KAAK;AAEzF,KAAI,CAACT,QAAQ,CAACE,eAAeA,gBAAgBL,cAAcS,WAAW;AACpErB,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAiB;;AAInDK,MAAKF,WADkB,MAAMpB,uBAAuBoB,SAAS;AAE7DE,MAAKG,qBAAqBQ,KAAAA;AAC1BX,MAAKK,8BAA8BM,KAAAA;AACnC,OAAMX,KAAKY,MAAM;AAEjB,QAAO,EAAEpB,SAAS,MAAM;;AAG1B,IAAA,mBAAgBqB,QAA8B;AAC5CA,KAAIC,KAAKlC,OAAsBC,eAAe"}

package/dist/handler-D2-FmmDc.js

@@ -0,0 +1,56 @@
+import { i as string, n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+import crypto from "crypto";
+import { models } from "@rpcbase/db";
+//#region src/api/verify-password-reset-otp/index.ts
+var Route = "/api/rb/auth/verify-password-reset-otp";
+var requestSchema = object({
+	email: string().email(),
+	code: string().length(6, "Code must be 6 digits")
+});
+object({
+	success: boolean(),
+	error: string().optional(),
+	resetToken: string().optional()
+});
+//#endregion
+//#region src/api/verify-password-reset-otp/handler.ts
+var verifyPasswordResetOtp = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email, code } = parsed.data;
+	const user = await User.findOne({ email });
+	const storedCode = user?.passwordResetCode;
+	const expiresAt = user?.passwordResetCodeExpiresAt;
+	const isExpired = expiresAt instanceof Date && expiresAt.getTime() < Date.now();
+	if (!user || !storedCode || storedCode !== code || isExpired) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_code"
+		};
+	}
+	const resetToken = crypto.randomBytes(24).toString("hex");
+	user.passwordResetCode = void 0;
+	user.passwordResetCodeExpiresAt = void 0;
+	user.passwordResetToken = resetToken;
+	user.passwordResetTokenExpiresAt = new Date(Date.now() + 900 * 1e3);
+	await user.save();
+	return {
+		success: true,
+		resetToken
+	};
+};
+var handler_default = (api) => {
+	api.post(Route, verifyPasswordResetOtp);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-D2-FmmDc.js.map

package/dist/handler-D2-FmmDc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-D2-FmmDc.js","names":["z","Route","requestSchema","object","email","string","code","length","RequestPayload","infer","responseSchema","success","boolean","error","optional","resetToken","ResponsePayload","crypto","Api","ApiHandler","Ctx","models","AuthSessionUser","VerifyPasswordResetOtp","verifyPasswordResetOtp","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","parsed","requestSchema","safeParse","success","res","status","error","email","code","data","user","findOne","storedCode","passwordResetCode","expiresAt","passwordResetCodeExpiresAt","isExpired","Date","getTime","now","resetToken","randomBytes","toString","undefined","passwordResetToken","passwordResetTokenExpiresAt","save","api","post","Route"],"sources":["../src/api/verify-password-reset-otp/index.ts","../src/api/verify-password-reset-otp/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/verify-password-reset-otp\"\n\nexport const requestSchema = z.object({\n  email: z.string().email(),\n  code: z.string().length(6, \"Code must be 6 digits\"),\n})\n\nexport type RequestPayload = z.infer<typeof requestSchema>\n\nexport const responseSchema = z.object({\n  success: z.boolean(),\n  error: z.string().optional(),\n  resetToken: z.string().optional(),\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>\n","import crypto from \"crypto\"\n\nimport { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as VerifyPasswordResetOtp from \"./index\"\n\n\nconst verifyPasswordResetOtp: ApiHandler<\n  VerifyPasswordResetOtp.RequestPayload,\n  VerifyPasswordResetOtp.ResponsePayload,\n  AuthSessionUser\n> = async(\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<VerifyPasswordResetOtp.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n\n  const parsed = VerifyPasswordResetOtp.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  const { email, code } = parsed.data\n  const user = await User.findOne({ email })\n\n  const storedCode = user?.passwordResetCode\n  const expiresAt = user?.passwordResetCodeExpiresAt\n  const isExpired = expiresAt instanceof Date && expiresAt.getTime() < Date.now()\n\n  if (!user || !storedCode || storedCode !== code || isExpired) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_code\" }\n  }\n\n  const resetToken = crypto.randomBytes(24).toString(\"hex\")\n\n  user.passwordResetCode = undefined\n  user.passwordResetCodeExpiresAt = undefined\n  user.passwordResetToken = resetToken\n  user.passwordResetTokenExpiresAt = new Date(Date.now() + 15 * 60 * 1000)\n  await user.save()\n\n  return { success: true, resetToken }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(VerifyPasswordResetOtp.Route, verifyPasswordResetOtp)\n}\n"],"mappings":";;;;AAGA,IAAaC,QAAQ;AAErB,IAAaC,gBAAgBF,OAAS;CACpCI,OAAOJ,QAAU,CAACI,OAAO;CACzBE,MAAMN,QAAU,CAACO,OAAO,GAAG,wBAAuB;CACnD,CAAC;AAI4BP,OAAS;CACrCW,SAASX,SAAW;CACpBa,OAAOb,QAAU,CAACc,UAAU;CAC5BC,YAAYf,QAAU,CAACc,UAAS;CACjC,CAAC;;;ACNF,IAAMU,yBAIF,OACFG,SACAC,QACoD;CACpD,MAAME,OAAO,MAAMT,OAAOU,UAAU,UAAUH,IAAI;CAElD,MAAMI,SAAAA,cAA8CE,UAAUP,QAAQ;AAEtE,KAAI,CAACK,OAAOG,SAAS;AACnBP,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAGrD,MAAM,EAAEC,OAAOC,SAASR,OAAOS;CAC/B,MAAMC,OAAO,MAAMZ,KAAKa,QAAQ,EAAEJ,OAAO,CAAC;CAE1C,MAAMK,aAAaF,MAAMG;CACzB,MAAMC,YAAYJ,MAAMK;CACxB,MAAMC,YAAYF,qBAAqBG,QAAQH,UAAUI,SAAS,GAAGD,KAAKE,KAAK;AAE/E,KAAI,CAACT,QAAQ,CAACE,cAAcA,eAAeJ,QAAQQ,WAAW;AAC5DpB,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAgB;;CAGlD,MAAMc,aAAanC,OAAOoC,YAAY,GAAG,CAACC,SAAS,MAAM;AAEzDZ,MAAKG,oBAAoBU,KAAAA;AACzBb,MAAKK,6BAA6BQ,KAAAA;AAClCb,MAAKc,qBAAqBJ;AAC1BV,MAAKe,8BAA8B,IAAIR,KAAKA,KAAKE,KAAK,GAAG,MAAU,IAAK;AACxE,OAAMT,KAAKgB,MAAM;AAEjB,QAAO;EAAEvB,SAAS;EAAMiB;EAAY;;AAGtC,IAAA,mBAAgBO,QAA8B;AAC5CA,KAAIC,KAAKrC,OAA8BC,uBAAuB"}

package/dist/handler-D4-sXlBe.js

@@ -0,0 +1,74 @@
+import { n as requestSchema, t as Route } from "./sign-up-DqDJxb2D.js";
+import crypto from "crypto";
+import { models } from "@rpcbase/db";
+import { hashPasswordForStorage, sendEmail } from "@rpcbase/server";
+//#region src/api/sign-up/handler.ts
+var signUp = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const Tenant = await models.getGlobal("RBTenant", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email, password, rememberMe: _rememberMe } = parsed.data;
+	if (await User.findOne({ email })) {
+		console.log("user with email already exists", email);
+		ctx.res.status(409);
+		return {
+			success: false,
+			error: "user_exists"
+		};
+	}
+	const hashedPassword = await hashPasswordForStorage(password);
+	const tenantId = crypto.randomUUID();
+	const emailVerificationCode = crypto.randomInt(0, 1e6).toString().padStart(6, "0");
+	const emailVerificationExpiresAt = new Date(Date.now() + 600 * 1e3);
+	const user = new User({
+		email,
+		password: hashedPassword,
+		tenants: [tenantId],
+		tenantRoles: { [tenantId]: ["owner"] },
+		emailVerificationCode,
+		emailVerificationExpiresAt
+	});
+	await user.save();
+	try {
+		await sendEmail({
+			to: email,
+			subject: `Verify your email: ${emailVerificationCode}`,
+			html: `
+        <p>Welcome to rpcbase!</p>
+        <p>Your verification code is <strong>${emailVerificationCode}</strong>. It expires in 10 minutes.</p>
+        <p>If you didn't request this, you can ignore this message.</p>
+      `,
+			text: `Welcome to rpcbase! Your verification code is ${emailVerificationCode}. It expires in 10 minutes. If you didn't request this, you can ignore this message.`
+		});
+	} catch (err) {
+		console.warn("failed to send sign-up email", err);
+	}
+	try {
+		await Tenant.create({
+			tenantId,
+			name: email
+		});
+	} catch (err) {
+		console.warn("failed to create tenant for user", err);
+	}
+	console.log("created new user", user._id.toString());
+	return {
+		success: true,
+		userId: user._id.toString(),
+		tenantId
+	};
+};
+var handler_default = (api) => {
+	api.post(Route, signUp);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-D4-sXlBe.js.map

package/dist/handler-D4-sXlBe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-D4-sXlBe.js","names":["crypto","Api","Ctx","ApiHandler","models","hashPasswordForStorage","sendEmail","AuthSessionUser","SignUp","signUp","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","Tenant","parsed","requestSchema","safeParse","success","res","status","error","email","password","rememberMe","_rememberMe","data","existingUser","findOne","console","log","hashedPassword","tenantId","randomUUID","emailVerificationCode","randomInt","toString","padStart","emailVerificationExpiresAt","Date","now","user","tenants","tenantRoles","save","to","subject","html","text","err","warn","create","name","_id","userId","api","post","Route"],"sources":["../src/api/sign-up/handler.ts"],"sourcesContent":["import crypto from \"crypto\"\n\nimport { Api, Ctx, ApiHandler } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\nimport { hashPasswordForStorage, sendEmail } from \"@rpcbase/server\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as SignUp from \"./index\"\n\n\nconst signUp: ApiHandler<SignUp.RequestPayload, SignUp.ResponsePayload, AuthSessionUser> = async(\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<SignUp.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n  const Tenant = await models.getGlobal(\"RBTenant\", ctx)\n\n  const parsed = SignUp.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  const { email, password, rememberMe: _rememberMe } = parsed.data\n\n  const existingUser = await User.findOne({ email })\n\n  if (existingUser) {\n    console.log(\"user with email already exists\", email)\n    // For security, we don't want to reveal if an email is registered.\n    // But for this implementation, we'll make it simple.\n    ctx.res.status(409)\n    return { success: false, error: \"user_exists\" }\n  }\n\n  const hashedPassword = await hashPasswordForStorage(password)\n\n  const tenantId = crypto.randomUUID()\n\n  const emailVerificationCode = crypto.randomInt(0, 1_000_000).toString().padStart(6, \"0\")\n  const emailVerificationExpiresAt = new Date(Date.now() + 10 * 60 * 1000)\n\n  const user = new User({\n    email,\n    password: hashedPassword,\n    tenants: [tenantId],\n    tenantRoles: {\n      [tenantId]: [\"owner\"],\n    },\n    emailVerificationCode,\n    emailVerificationExpiresAt,\n  })\n  await user.save()\n\n  try {\n    await sendEmail({\n      to: email,\n      subject: `Verify your email: ${emailVerificationCode}`,\n      html: `\n        <p>Welcome to rpcbase!</p>\n        <p>Your verification code is <strong>${emailVerificationCode}</strong>. It expires in 10 minutes.</p>\n        <p>If you didn't request this, you can ignore this message.</p>\n      `,\n      text: `Welcome to rpcbase! Your verification code is ${emailVerificationCode}. It expires in 10 minutes. If you didn't request this, you can ignore this message.`,\n    })\n  } catch (err) {\n    console.warn(\"failed to send sign-up email\", err)\n  }\n\n  try {\n    await Tenant.create({\n      tenantId,\n      name: email,\n    })\n  } catch (err) {\n    // best-effort tenant creation; log and continue\n    console.warn(\"failed to create tenant for user\", err)\n  }\n\n  console.log(\"created new user\", user._id.toString())\n\n  return { success: true, userId: user._id.toString(), tenantId }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(SignUp.Route, signUp)\n}\n"],"mappings":";;;;;AAWA,IAAMS,SAAqF,OACzFG,SACAC,QACoC;CACpC,MAAME,OAAO,MAAMX,OAAOY,UAAU,UAAUH,IAAI;CAClD,MAAMI,SAAS,MAAMb,OAAOY,UAAU,YAAYH,IAAI;CAEtD,MAAMK,SAAAA,cAA8BE,UAAUR,QAAQ;AAEtD,KAAI,CAACM,OAAOG,SAAS;AACnBR,MAAIS,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAIrD,MAAM,EAAEC,OAAOC,UAAUC,YAAYC,gBAAgBV,OAAOW;AAI5D,KAFqB,MAAMd,KAAKgB,QAAQ,EAAEN,OAAO,CAAC,EAEhC;AAChBO,UAAQC,IAAI,kCAAkCR,MAAM;AAGpDZ,MAAIS,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAe;;CAGjD,MAAMU,iBAAiB,MAAM7B,uBAAuBqB,SAAS;CAE7D,MAAMS,WAAWnC,OAAOoC,YAAY;CAEpC,MAAMC,wBAAwBrC,OAAOsC,UAAU,GAAG,IAAU,CAACC,UAAU,CAACC,SAAS,GAAG,IAAI;CACxF,MAAMC,6BAA6B,IAAIC,KAAKA,KAAKC,KAAK,GAAG,MAAU,IAAK;CAExE,MAAMC,OAAO,IAAI7B,KAAK;EACpBU;EACAC,UAAUQ;EACVW,SAAS,CAACV,SAAS;EACnBW,aAAa,GACVX,WAAW,CAAC,QAAO,EACrB;EACDE;EACAI;EACD,CAAC;AACF,OAAMG,KAAKG,MAAM;AAEjB,KAAI;AACF,QAAMzC,UAAU;GACd0C,IAAIvB;GACJwB,SAAS,sBAAsBZ;GAC/Ba,MAAM;;+CAEmCb,sBAAqB;;;GAG9Dc,MAAM,iDAAiDd,sBAAqB;GAC7E,CAAC;UACKe,KAAK;AACZpB,UAAQqB,KAAK,gCAAgCD,IAAI;;AAGnD,KAAI;AACF,QAAMnC,OAAOqC,OAAO;GAClBnB;GACAoB,MAAM9B;GACP,CAAC;UACK2B,KAAK;AAEZpB,UAAQqB,KAAK,oCAAoCD,IAAI;;AAGvDpB,SAAQC,IAAI,oBAAoBW,KAAKY,IAAIjB,UAAU,CAAC;AAEpD,QAAO;EAAElB,SAAS;EAAMoC,QAAQb,KAAKY,IAAIjB,UAAU;EAAEJ;EAAU;;AAGjE,IAAA,mBAAgBuB,QAA8B;AAC5CA,KAAIC,KAAKnD,OAAcC,OAAO"}

package/dist/handler-D87G4mz9.js

@@ -0,0 +1,67 @@
+import { i as string, n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+import crypto from "crypto";
+import { models } from "@rpcbase/db";
+import { sendEmail } from "@rpcbase/server";
+//#region src/api/request-password-reset/index.ts
+var Route = "/api/rb/auth/request-password-reset";
+var requestSchema = object({ email: string().email() });
+object({
+	success: boolean(),
+	error: string().optional()
+});
+//#endregion
+//#region src/api/request-password-reset/handler.ts
+var maskEmailForLog = (email) => {
+	const [localRaw, domainRaw = ""] = email.split("@");
+	const local = localRaw || "";
+	const domain = domainRaw || "";
+	const localPrefix = local.slice(0, Math.min(3, local.length));
+	const localMask = "*".repeat(Math.max(5, local.length - localPrefix.length));
+	if (!domain) return `${localPrefix}${localMask}@****`;
+	const domainTailLength = Math.min(7, domain.length);
+	const domainTail = domain.slice(-domainTailLength);
+	return `${localPrefix}${localMask}@${"*".repeat(Math.max(4, domain.length - domainTailLength))}${domainTail}`;
+};
+var requestPasswordReset = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email } = parsed.data;
+	const user = await User.findOne({ email });
+	if (!user) return { success: true };
+	const passwordResetCode = crypto.randomInt(0, 1e6).toString().padStart(6, "0");
+	const passwordResetCodeExpiresAt = new Date(Date.now() + 600 * 1e3);
+	user.passwordResetCode = passwordResetCode;
+	user.passwordResetCodeExpiresAt = passwordResetCodeExpiresAt;
+	user.passwordResetToken = void 0;
+	user.passwordResetTokenExpiresAt = void 0;
+	await user.save();
+	try {
+		console.info(`sending password reset to email ${maskEmailForLog(email)}`);
+		await sendEmail({
+			to: email,
+			subject: `Your password reset code: ${passwordResetCode}`,
+			html: `
+        <p>Your password reset code is <strong>${passwordResetCode}</strong>. It expires in 10 minutes.</p>
+        <p>If you didn't request this, you can ignore this message.</p>
+      `,
+			text: `Your password reset code is ${passwordResetCode}. It expires in 10 minutes. If you didn't request this, you can ignore this message.`
+		});
+	} catch (err) {
+		console.warn("failed to send password reset email", err);
+	}
+	return { success: true };
+};
+var handler_default = (api) => {
+	api.post(Route, requestPasswordReset);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-D87G4mz9.js.map

package/dist/handler-D87G4mz9.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-D87G4mz9.js","names":["z","Route","requestSchema","object","email","string","RequestPayload","infer","responseSchema","success","boolean","error","optional","ResponsePayload","crypto","Api","ApiHandler","Ctx","models","sendEmail","AuthSessionUser","RequestPasswordReset","maskEmailForLog","email","localRaw","domainRaw","split","local","domain","localPrefix","slice","Math","min","length","localMask","repeat","max","domainTailLength","domainTail","domainMask","requestPasswordReset","RequestPayload","ResponsePayload","payload","ctx","Promise","User","getGlobal","parsed","requestSchema","safeParse","success","res","status","error","data","user","findOne","passwordResetCode","randomInt","toString","padStart","passwordResetCodeExpiresAt","Date","now","passwordResetToken","undefined","passwordResetTokenExpiresAt","save","console","info","to","subject","html","text","err","warn","api","post","Route"],"sources":["../src/api/request-password-reset/index.ts","../src/api/request-password-reset/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/request-password-reset\"\n\nexport const requestSchema = z.object({\n  email: z.string().email(),\n})\n\nexport type RequestPayload = z.infer<typeof requestSchema>\n\nexport const responseSchema = z.object({\n  success: z.boolean(),\n  error: z.string().optional(),\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>\n","import crypto from \"crypto\"\n\nimport { Api, ApiHandler, Ctx } from \"@rpcbase/api\"\nimport { models } from \"@rpcbase/db\"\nimport { sendEmail } from \"@rpcbase/server\"\n\nimport type { AuthSessionUser } from \"../../types\"\n\nimport * as RequestPasswordReset from \"./index\"\n\n\nconst maskEmailForLog = (email: string) => {\n  const [localRaw, domainRaw = \"\"] = email.split(\"@\")\n  const local = localRaw || \"\"\n  const domain = domainRaw || \"\"\n  const localPrefix = local.slice(0, Math.min(3, local.length))\n  const localMask = \"*\".repeat(Math.max(5, local.length - localPrefix.length))\n\n  if (!domain) {\n    return `${localPrefix}${localMask}@****`\n  }\n\n  const domainTailLength = Math.min(7, domain.length)\n  const domainTail = domain.slice(-domainTailLength)\n  const domainMask = \"*\".repeat(Math.max(4, domain.length - domainTailLength))\n\n  return `${localPrefix}${localMask}@${domainMask}${domainTail}`\n}\n\n\nconst requestPasswordReset: ApiHandler<\n  RequestPasswordReset.RequestPayload,\n  RequestPasswordReset.ResponsePayload,\n  AuthSessionUser\n> = async(\n  payload,\n  ctx: Ctx<AuthSessionUser>\n): Promise<RequestPasswordReset.ResponsePayload> => {\n  const User = await models.getGlobal(\"RBUser\", ctx)\n\n  const parsed = RequestPasswordReset.requestSchema.safeParse(payload)\n\n  if (!parsed.success) {\n    ctx.res.status(400)\n    return { success: false, error: \"invalid_payload\" }\n  }\n\n  const { email } = parsed.data\n  const user = await User.findOne({ email })\n\n  if (!user) {\n    return { success: true }\n  }\n\n  const passwordResetCode = crypto.randomInt(0, 1_000_000).toString().padStart(6, \"0\")\n  const passwordResetCodeExpiresAt = new Date(Date.now() + 10 * 60 * 1000)\n\n  user.passwordResetCode = passwordResetCode\n  user.passwordResetCodeExpiresAt = passwordResetCodeExpiresAt\n  user.passwordResetToken = undefined\n  user.passwordResetTokenExpiresAt = undefined\n  await user.save()\n\n  try {\n    console.info(`sending password reset to email ${maskEmailForLog(email)}`)\n    await sendEmail({\n      to: email,\n      subject: `Your password reset code: ${passwordResetCode}`,\n      html: `\n        <p>Your password reset code is <strong>${passwordResetCode}</strong>. It expires in 10 minutes.</p>\n        <p>If you didn't request this, you can ignore this message.</p>\n      `,\n      text: `Your password reset code is ${passwordResetCode}. It expires in 10 minutes. If you didn't request this, you can ignore this message.`,\n    })\n  } catch (err) {\n    console.warn(\"failed to send password reset email\", err)\n  }\n\n  return { success: true }\n}\n\nexport default (api: Api<AuthSessionUser>) => {\n  api.post(RequestPasswordReset.Route, requestPasswordReset)\n}\n"],"mappings":";;;;;AAGA,IAAaC,QAAQ;AAErB,IAAaC,gBAAgBF,OAAS,EACpCI,OAAOJ,QAAU,CAACI,OAAM,EACzB,CAAC;AAI4BJ,OAAS;CACrCS,SAAST,SAAW;CACpBW,OAAOX,QAAU,CAACY,UAAS;CAC5B,CAAC;;;ACHF,IAAMU,mBAAmBC,UAAkB;CACzC,MAAM,CAACC,UAAUC,YAAY,MAAMF,MAAMG,MAAM,IAAI;CACnD,MAAMC,QAAQH,YAAY;CAC1B,MAAMI,SAASH,aAAa;CAC5B,MAAMI,cAAcF,MAAMG,MAAM,GAAGC,KAAKC,IAAI,GAAGL,MAAMM,OAAO,CAAC;CAC7D,MAAMC,YAAY,IAAIC,OAAOJ,KAAKK,IAAI,GAAGT,MAAMM,SAASJ,YAAYI,OAAO,CAAC;AAE5E,KAAI,CAACL,OACH,QAAO,GAAGC,cAAcK,UAAS;CAGnC,MAAMG,mBAAmBN,KAAKC,IAAI,GAAGJ,OAAOK,OAAO;CACnD,MAAMK,aAAaV,OAAOE,MAAM,CAACO,iBAAiB;AAGlD,QAAO,GAAGR,cAAcK,UAAS,GAFd,IAAIC,OAAOJ,KAAKK,IAAI,GAAGR,OAAOK,SAASI,iBAAiB,CAAC,GAE1BC;;AAIpD,IAAME,uBAIF,OACFG,SACAC,QACkD;CAClD,MAAME,OAAO,MAAM5B,OAAO6B,UAAU,UAAUH,IAAI;CAElD,MAAMI,SAAAA,cAA4CE,UAAUP,QAAQ;AAEpE,KAAI,CAACK,OAAOG,SAAS;AACnBP,MAAIQ,IAAIC,OAAO,IAAI;AACnB,SAAO;GAAEF,SAAS;GAAOG,OAAO;GAAmB;;CAGrD,MAAM,EAAE/B,UAAUyB,OAAOO;CACzB,MAAMC,OAAO,MAAMV,KAAKW,QAAQ,EAAElC,OAAO,CAAC;AAE1C,KAAI,CAACiC,KACH,QAAO,EAAEL,SAAS,MAAM;CAG1B,MAAMO,oBAAoB5C,OAAO6C,UAAU,GAAG,IAAU,CAACC,UAAU,CAACC,SAAS,GAAG,IAAI;CACpF,MAAMC,6BAA6B,IAAIC,KAAKA,KAAKC,KAAK,GAAG,MAAU,IAAK;AAExER,MAAKE,oBAAoBA;AACzBF,MAAKM,6BAA6BA;AAClCN,MAAKS,qBAAqBC,KAAAA;AAC1BV,MAAKW,8BAA8BD,KAAAA;AACnC,OAAMV,KAAKY,MAAM;AAEjB,KAAI;AACFC,UAAQC,KAAK,mCAAmChD,gBAAgBC,MAAM,GAAG;AACzE,QAAMJ,UAAU;GACdoD,IAAIhD;GACJiD,SAAS,6BAA6Bd;GACtCe,MAAM;iDACqCf,kBAAiB;;;GAG5DgB,MAAM,+BAA+BhB,kBAAiB;GACvD,CAAC;UACKiB,KAAK;AACZN,UAAQO,KAAK,uCAAuCD,IAAI;;AAG1D,QAAO,EAAExB,SAAS,MAAM;;AAG1B,IAAA,mBAAgB0B,QAA8B;AAC5CA,KAAIC,KAAKzD,OAA4BmB,qBAAqB"}

package/dist/handler-DKrwSIQz.js

@@ -0,0 +1,19 @@
+import { n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+//#region src/api/sign-out/index.ts
+var Route = "/api/rb/auth/sign-out";
+object({});
+object({ success: boolean() });
+//#endregion
+//#region src/api/sign-out/handler.ts
+var handleSignOut = async (_, ctx) => {
+	if (!ctx.req.session) return { success: true };
+	await new Promise((resolve) => ctx.req.session.destroy(() => resolve()));
+	return { success: true };
+};
+var handler_default = (api) => {
+	api.post(Route, handleSignOut);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-DKrwSIQz.js.map

package/dist/handler-DKrwSIQz.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-DKrwSIQz.js","names":["z","Route","requestSchema","object","RequestPayload","infer","responseSchema","success","boolean","ResponsePayload","Api","Ctx","SignOut","handleSignOut","_","RequestPayload","ctx","Promise","ResponsePayload","req","session","success","resolve","destroy","api","post","Route"],"sources":["../src/api/sign-out/index.ts","../src/api/sign-out/handler.ts"],"sourcesContent":["import { z } from \"zod\"\n\n\nexport const Route = \"/api/rb/auth/sign-out\"\n\n// No request payload needed for signout\nexport const requestSchema = z.object({})\n\nexport type RequestPayload = z.infer<typeof requestSchema>;\n\nexport const responseSchema = z.object({\n  success: z.boolean()\n})\n\nexport type ResponsePayload = z.infer<typeof responseSchema>;\n","import { Api, Ctx } from \"@rpcbase/api\"\n\nimport * as SignOut from \"./index\"\n\n\nconst handleSignOut = async(_: SignOut.RequestPayload, ctx: Ctx): Promise<SignOut.ResponsePayload> => {\n  // Destroy the session\n  if (!ctx.req.session) {\n    return { success: true }\n  }\n\n  await new Promise<void>((resolve) => ctx.req.session!.destroy(() => resolve()))\n\n  return {\n    success: true\n  }\n}\n\nexport default (api: Api) => {\n  api.post(SignOut.Route, handleSignOut)\n}\n"],"mappings":";;AAGA,IAAaC,QAAQ;AAGQD,OAAS,EAAE,CAAC;AAIXA,OAAS,EACrCO,SAASP,SAAU,EACpB,CAAC;;;ACPF,IAAMa,gBAAgB,OAAMC,GAA2BE,QAA+C;AAEpG,KAAI,CAACA,IAAIG,IAAIC,QACX,QAAO,EAAEC,SAAS,MAAM;AAG1B,OAAM,IAAIJ,SAAeK,YAAYN,IAAIG,IAAIC,QAASG,cAAcD,SAAS,CAAC,CAAC;AAE/E,QAAO,EACLD,SAAS,MACV;;AAGH,IAAA,mBAAgBG,QAAa;AAC3BA,KAAIC,KAAKb,OAAeC,cAAc"}

package/dist/handler-tJUJWqII.js

@@ -0,0 +1,59 @@
+import { i as string, n as boolean, r as object } from "./schemas-BKnjeqQ9.js";
+import crypto from "crypto";
+import { models } from "@rpcbase/db";
+import { sendEmail } from "@rpcbase/server";
+//#region src/api/resend-otp/index.ts
+var Route = "/api/rb/auth/resend-otp";
+var requestSchema = object({ email: string().email() });
+object({
+	success: boolean(),
+	error: string().optional()
+});
+//#endregion
+//#region src/api/resend-otp/handler.ts
+var resendOtp = async (payload, ctx) => {
+	const User = await models.getGlobal("RBUser", ctx);
+	const parsed = requestSchema.safeParse(payload);
+	if (!parsed.success) {
+		ctx.res.status(400);
+		return {
+			success: false,
+			error: "invalid_payload"
+		};
+	}
+	const { email } = parsed.data;
+	const user = await User.findOne({ email });
+	if (!user) {
+		ctx.res.status(404);
+		return {
+			success: false,
+			error: "user_not_found"
+		};
+	}
+	const emailVerificationCode = crypto.randomInt(0, 1e6).toString().padStart(6, "0");
+	const emailVerificationExpiresAt = new Date(Date.now() + 600 * 1e3);
+	user.emailVerificationCode = emailVerificationCode;
+	user.emailVerificationExpiresAt = emailVerificationExpiresAt;
+	await user.save();
+	try {
+		await sendEmail({
+			to: email,
+			subject: `Your verification code: ${emailVerificationCode}`,
+			html: `
+        <p>Your verification code is <strong>${emailVerificationCode}</strong>. It expires in 10 minutes.</p>
+        <p>If you didn't request this, you can ignore this message.</p>
+      `,
+			text: `Your verification code is ${emailVerificationCode}. It expires in 10 minutes. If you didn't request this, you can ignore this message.`
+		});
+	} catch (err) {
+		console.warn("failed to resend otp email", err);
+	}
+	return { success: true };
+};
+var handler_default = (api) => {
+	api.post(Route, resendOtp);
+};
+//#endregion
+export { handler_default as default };
+
+//# sourceMappingURL=handler-tJUJWqII.js.map