@rpcbase/auth 0.110.0 → 0.111.0

package/dist/oauth/index.js

@@ -1,772 +1,651 @@
 import crypto from "crypto";
 import { models } from "@rpcbase/db";
 import { hashPasswordForStorage } from "@rpcbase/server";
-const STORE_KEY = /* @__PURE__ */ Symbol.for("@rpcbase/auth/oauthProviders");
-const getStore = () => {
-  const anyGlobal = globalThis;
-  const existing = anyGlobal[STORE_KEY];
-  if (existing && typeof existing === "object" && existing.providers && typeof existing.providers === "object") {
-    return existing;
-  }
-  const created = {
-    providers: {}
-  };
-  anyGlobal[STORE_KEY] = created;
-  return created;
+//#region src/oauth/config.ts
+var STORE_KEY = Symbol.for("@rpcbase/auth/oauthProviders");
+var getStore = () => {
+	const anyGlobal = globalThis;
+	const existing = anyGlobal[STORE_KEY];
+	if (existing && typeof existing === "object" && existing.providers && typeof existing.providers === "object") return existing;
+	const created = { providers: {} };
+	anyGlobal[STORE_KEY] = created;
+	return created;
 };
-const normalizeProviders = (providers) => {
-  const result = {};
-  const isSafeRedirectPath2 = (candidate) => {
-    if (!candidate.startsWith("/")) return false;
-    if (candidate.startsWith("//")) return false;
-    return true;
-  };
-  for (const [providerIdRaw, value] of Object.entries(providers)) {
-    const providerId = providerIdRaw.trim();
-    if (!providerId) continue;
-    const issuer = typeof value?.issuer === "string" ? value.issuer.trim() : "";
-    const clientId = typeof value?.clientId === "string" ? value.clientId.trim() : "";
-    if (!issuer) throw new Error(`oauth provider "${providerId}" missing issuer`);
-    if (!clientId) throw new Error(`oauth provider "${providerId}" missing clientId`);
-    const clientSecret = typeof value?.clientSecret === "string" && value.clientSecret.trim() ? value.clientSecret : void 0;
-    const scope = typeof value?.scope === "string" ? value.scope.trim() : "";
-    if (!scope) throw new Error(`oauth provider "${providerId}" missing scope`);
-    const callbackPath = typeof value?.callbackPath === "string" ? value.callbackPath.trim() : "";
-    if (!callbackPath) throw new Error(`oauth provider "${providerId}" missing callbackPath`);
-    if (!isSafeRedirectPath2(callbackPath)) throw new Error(`oauth provider "${providerId}" has invalid callbackPath`);
-    result[providerId] = {
-      issuer,
-      clientId,
-      clientSecret,
-      scope,
-      callbackPath
-    };
-  }
-  return result;
+var normalizeProviders = (providers) => {
+	const result = {};
+	const isSafeRedirectPath = (candidate) => {
+		if (!candidate.startsWith("/")) return false;
+		if (candidate.startsWith("//")) return false;
+		return true;
+	};
+	for (const [providerIdRaw, value] of Object.entries(providers)) {
+		const providerId = providerIdRaw.trim();
+		if (!providerId) continue;
+		const issuer = typeof value?.issuer === "string" ? value.issuer.trim() : "";
+		const clientId = typeof value?.clientId === "string" ? value.clientId.trim() : "";
+		if (!issuer) throw new Error(`oauth provider "${providerId}" missing issuer`);
+		if (!clientId) throw new Error(`oauth provider "${providerId}" missing clientId`);
+		const clientSecret = typeof value?.clientSecret === "string" && value.clientSecret.trim() ? value.clientSecret : void 0;
+		const scope = typeof value?.scope === "string" ? value.scope.trim() : "";
+		if (!scope) throw new Error(`oauth provider "${providerId}" missing scope`);
+		const callbackPath = typeof value?.callbackPath === "string" ? value.callbackPath.trim() : "";
+		if (!callbackPath) throw new Error(`oauth provider "${providerId}" missing callbackPath`);
+		if (!isSafeRedirectPath(callbackPath)) throw new Error(`oauth provider "${providerId}" has invalid callbackPath`);
+		result[providerId] = {
+			issuer,
+			clientId,
+			clientSecret,
+			scope,
+			callbackPath
+		};
+	}
+	return result;
 };
-const configureOAuthProviders = (providers) => {
-  const store = getStore();
-  const normalized = normalizeProviders(providers);
-  store.providers = {
-    ...store.providers,
-    ...normalized
-  };
+var configureOAuthProviders = (providers) => {
+	const store = getStore();
+	const normalized = normalizeProviders(providers);
+	store.providers = {
+		...store.providers,
+		...normalized
+	};
 };
-const setOAuthProviders = (providers) => {
-  const store = getStore();
-  store.providers = normalizeProviders(providers);
+var setOAuthProviders = (providers) => {
+	const store = getStore();
+	store.providers = normalizeProviders(providers);
 };
-const getOAuthProviderConfig = (providerId) => {
-  const store = getStore();
-  return store.providers[providerId] ?? null;
+var getOAuthProviderConfig = (providerId) => {
+	return getStore().providers[providerId] ?? null;
 };
-const decodeBase64Url = (value) => {
-  const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((value.length + 3) % 4);
-  return Buffer.from(padded, "base64").toString("utf8");
+//#endregion
+//#region src/oauth/jwt.ts
+var decodeBase64Url = (value) => {
+	const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((value.length + 3) % 4);
+	return Buffer.from(padded, "base64").toString("utf8");
 };
-const decodeJwtPayload = (token) => {
-  const parts = token.split(".");
-  if (parts.length < 2) return null;
-  try {
-    const json = decodeBase64Url(parts[1]);
-    const parsed = JSON.parse(json);
-    if (!parsed || typeof parsed !== "object") return null;
-    return parsed;
-  } catch {
-    return null;
-  }
+var decodeJwtPayload = (token) => {
+	const parts = token.split(".");
+	if (parts.length < 2) return null;
+	try {
+		const json = decodeBase64Url(parts[1]);
+		const parsed = JSON.parse(json);
+		if (!parsed || typeof parsed !== "object") return null;
+		return parsed;
+	} catch {
+		return null;
+	}
 };
-const cache = /* @__PURE__ */ new Map();
-const normalizeIssuer = (raw) => raw.trim().replace(/\/+$/, "");
-const getOidcWellKnown = async (issuerRaw) => {
-  const issuer = normalizeIssuer(issuerRaw);
-  if (!issuer) {
-    throw new Error("OIDC issuer is required");
-  }
-  const existing = cache.get(issuer);
-  if (existing) {
-    return existing;
-  }
-  const loader = (async () => {
-    const url = new URL("/.well-known/openid-configuration", issuer);
-    const response = await fetch(url, {
-      headers: {
-        Accept: "application/json"
-      }
-    });
-    if (!response.ok) {
-      const body = await response.text().catch(() => "");
-      throw new Error(`Failed to fetch OIDC discovery document: ${response.status} ${body}`);
-    }
-    const json = await response.json().catch(() => null);
-    if (!json || typeof json !== "object") {
-      throw new Error("Invalid OIDC discovery document");
-    }
-    const authorizationEndpoint = typeof json.authorization_endpoint === "string" ? json.authorization_endpoint : "";
-    const tokenEndpoint = typeof json.token_endpoint === "string" ? json.token_endpoint : "";
-    const issuerValue = typeof json.issuer === "string" ? json.issuer : issuer;
-    const userinfoEndpoint = typeof json.userinfo_endpoint === "string" ? json.userinfo_endpoint : void 0;
-    const jwksUri = typeof json.jwks_uri === "string" ? json.jwks_uri : void 0;
-    if (!authorizationEndpoint || !tokenEndpoint) {
-      throw new Error("OIDC discovery document missing required endpoints");
-    }
-    return {
-      issuer: issuerValue,
-      authorization_endpoint: authorizationEndpoint,
-      token_endpoint: tokenEndpoint,
-      userinfo_endpoint: userinfoEndpoint,
-      jwks_uri: jwksUri
-    };
-  })();
-  cache.set(issuer, loader);
-  try {
-    return await loader;
-  } catch (err) {
-    cache.delete(issuer);
-    throw err;
-  }
+//#endregion
+//#region src/oauth/oidc.ts
+var cache = /* @__PURE__ */ new Map();
+var normalizeIssuer = (raw) => raw.trim().replace(/\/+$/, "");
+var getOidcWellKnown = async (issuerRaw) => {
+	const issuer = normalizeIssuer(issuerRaw);
+	if (!issuer) throw new Error("OIDC issuer is required");
+	const existing = cache.get(issuer);
+	if (existing) return existing;
+	const loader = (async () => {
+		const url = new URL("/.well-known/openid-configuration", issuer);
+		const response = await fetch(url, { headers: { Accept: "application/json" } });
+		if (!response.ok) {
+			const body = await response.text().catch(() => "");
+			throw new Error(`Failed to fetch OIDC discovery document: ${response.status} ${body}`);
+		}
+		const json = await response.json().catch(() => null);
+		if (!json || typeof json !== "object") throw new Error("Invalid OIDC discovery document");
+		const authorizationEndpoint = typeof json.authorization_endpoint === "string" ? json.authorization_endpoint : "";
+		const tokenEndpoint = typeof json.token_endpoint === "string" ? json.token_endpoint : "";
+		const issuerValue = typeof json.issuer === "string" ? json.issuer : issuer;
+		const userinfoEndpoint = typeof json.userinfo_endpoint === "string" ? json.userinfo_endpoint : void 0;
+		const jwksUri = typeof json.jwks_uri === "string" ? json.jwks_uri : void 0;
+		if (!authorizationEndpoint || !tokenEndpoint) throw new Error("OIDC discovery document missing required endpoints");
+		return {
+			issuer: issuerValue,
+			authorization_endpoint: authorizationEndpoint,
+			token_endpoint: tokenEndpoint,
+			userinfo_endpoint: userinfoEndpoint,
+			jwks_uri: jwksUri
+		};
+	})();
+	cache.set(issuer, loader);
+	try {
+		return await loader;
+	} catch (err) {
+		cache.delete(issuer);
+		throw err;
+	}
 };
-const base64UrlEncode$1 = (input) => input.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-const generatePkcePair = () => {
-  const verifier = base64UrlEncode$1(crypto.randomBytes(32));
-  const challenge = base64UrlEncode$1(crypto.createHash("sha256").update(verifier).digest());
-  return {
-    verifier,
-    challenge
-  };
+//#endregion
+//#region src/oauth/pkce.ts
+var base64UrlEncode$1 = (input) => input.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+var generatePkcePair = () => {
+	const verifier = base64UrlEncode$1(crypto.randomBytes(32));
+	return {
+		verifier,
+		challenge: base64UrlEncode$1(crypto.createHash("sha256").update(verifier).digest())
+	};
 };
-const RESERVED_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
-const isSafeOAuthProviderId = (value) => {
-  const providerId = value.trim();
-  if (!providerId) return false;
-  if (providerId.length > 128) return false;
-  if (RESERVED_KEYS.has(providerId)) return false;
-  return /^[a-zA-Z0-9_-]+$/.test(providerId);
+//#endregion
+//#region src/oauth/providerId.ts
+var RESERVED_KEYS = new Set([
+	"__proto__",
+	"prototype",
+	"constructor"
+]);
+var isSafeOAuthProviderId = (value) => {
+	const providerId = value.trim();
+	if (!providerId) return false;
+	if (providerId.length > 128) return false;
+	if (RESERVED_KEYS.has(providerId)) return false;
+	return /^[a-zA-Z0-9_-]+$/.test(providerId);
 };
-const OAUTH_REQUEST_TTL_MS = 10 * 60 * 1e3;
-const OAUTH_STATE_COOKIE_NAME = "rb_oauth_state";
-const getQueryString = (value) => {
-  if (typeof value === "string") return value;
-  if (Array.isArray(value) && typeof value[0] === "string") return value[0];
-  return null;
+//#endregion
+//#region src/oauth/lib.ts
+var OAUTH_REQUEST_TTL_MS = 600 * 1e3;
+var OAUTH_STATE_COOKIE_NAME = "rb_oauth_state";
+var getQueryString = (value) => {
+	if (typeof value === "string") return value;
+	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
+	return null;
 };
-const getCookieValue = (ctx, name) => {
-  const header = ctx.req.headers?.cookie;
-  if (typeof header !== "string" || !header) return null;
-  for (const part of header.split(";")) {
-    const [rawKey, ...rest] = part.split("=");
-    const key = rawKey?.trim();
-    if (!key || key !== name) continue;
-    const rawValue = rest.join("=").trim();
-    if (!rawValue) return "";
-    try {
-      return decodeURIComponent(rawValue);
-    } catch {
-      return rawValue;
-    }
-  }
-  return null;
+var getCookieValue = (ctx, name) => {
+	const header = ctx.req.headers?.cookie;
+	if (typeof header !== "string" || !header) return null;
+	for (const part of header.split(";")) {
+		const [rawKey, ...rest] = part.split("=");
+		const key = rawKey?.trim();
+		if (!key || key !== name) continue;
+		const rawValue = rest.join("=").trim();
+		if (!rawValue) return "";
+		try {
+			return decodeURIComponent(rawValue);
+		} catch {
+			return rawValue;
+		}
+	}
+	return null;
 };
-const isSafeRedirectPath = (candidate) => {
-  if (!candidate.startsWith("/")) return false;
-  if (candidate.startsWith("//")) return false;
-  return true;
+var isSafeRedirectPath = (candidate) => {
+	if (!candidate.startsWith("/")) return false;
+	if (candidate.startsWith("//")) return false;
+	return true;
 };
-const getRequestOrigin = (ctx) => {
-  const protoHeader = ctx.req.headers["x-forwarded-proto"];
-  const hostHeader = ctx.req.headers["x-forwarded-host"];
-  const protocol = typeof protoHeader === "string" ? protoHeader.split(",")[0].trim() : ctx.req.protocol;
-  const host = typeof hostHeader === "string" ? hostHeader.split(",")[0].trim() : ctx.req.get("host");
-  return protocol && host ? `${protocol}://${host}` : "";
+var getRequestOrigin = (ctx) => {
+	const protoHeader = ctx.req.headers["x-forwarded-proto"];
+	const hostHeader = ctx.req.headers["x-forwarded-host"];
+	const protocol = typeof protoHeader === "string" ? protoHeader.split(",")[0].trim() : ctx.req.protocol;
+	const host = typeof hostHeader === "string" ? hostHeader.split(",")[0].trim() : ctx.req.get("host");
+	return protocol && host ? `${protocol}://${host}` : "";
 };
-const resolveCallbackPath = (callbackPath) => {
-  const trimmed = callbackPath.trim();
-  return trimmed && isSafeRedirectPath(trimmed) ? trimmed : null;
+var resolveCallbackPath = (callbackPath) => {
+	const trimmed = callbackPath.trim();
+	return trimmed && isSafeRedirectPath(trimmed) ? trimmed : null;
 };
-const readTextBody = async (req) => await new Promise((resolve, reject) => {
-  let body = "";
-  if (typeof req.setEncoding === "function") {
-    req.setEncoding("utf8");
-  }
-  req.on("data", (chunk) => {
-    body += String(chunk);
-    if (body.length > 32768) {
-      reject(new Error("request_body_too_large"));
-    }
-  });
-  req.on("end", () => resolve(body));
-  req.on("error", reject);
+var readTextBody = async (req) => await new Promise((resolve, reject) => {
+	let body = "";
+	if (typeof req.setEncoding === "function") req.setEncoding("utf8");
+	req.on("data", (chunk) => {
+		body += String(chunk);
+		if (body.length > 32768) reject(/* @__PURE__ */ new Error("request_body_too_large"));
+	});
+	req.on("end", () => resolve(body));
+	req.on("error", reject);
 });
-const getFormPostParams = async (ctx) => {
-  if (ctx.req.method !== "POST") return null;
-  const contentType = typeof ctx.req.headers["content-type"] === "string" ? ctx.req.headers["content-type"] : "";
-  if (!contentType.includes("application/x-www-form-urlencoded")) return null;
-  const body = await readTextBody(ctx.req);
-  const params = new URLSearchParams(body);
-  const result = {};
-  for (const [key, value] of params.entries()) {
-    result[key] = value;
-  }
-  return result;
+var getFormPostParams = async (ctx) => {
+	if (ctx.req.method !== "POST") return null;
+	if (!(typeof ctx.req.headers["content-type"] === "string" ? ctx.req.headers["content-type"] : "").includes("application/x-www-form-urlencoded")) return null;
+	const body = await readTextBody(ctx.req);
+	const params = new URLSearchParams(body);
+	const result = {};
+	for (const [key, value] of params.entries()) result[key] = value;
+	return result;
 };
-const resolveProviderId = (ctx, providerIdOverride) => (providerIdOverride ?? String(ctx.req.params?.provider ?? "")).trim();
-const RESERVED_AUTH_PARAM_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
-const normalizeAuthorizationParams = (value) => {
-  if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
-  const result = {};
-  for (const [keyRaw, valueRaw] of Object.entries(value)) {
-    const key = keyRaw.trim();
-    if (!key) continue;
-    if (RESERVED_AUTH_PARAM_KEYS.has(key)) continue;
-    const val = typeof valueRaw === "string" ? valueRaw.trim() : "";
-    if (!val) continue;
-    result[key] = val;
-  }
-  return Object.keys(result).length ? result : void 0;
+var resolveProviderId = (ctx, providerIdOverride) => (providerIdOverride ?? String(ctx.req.params?.provider ?? "")).trim();
+var RESERVED_AUTH_PARAM_KEYS = new Set([
+	"__proto__",
+	"prototype",
+	"constructor"
+]);
+var normalizeAuthorizationParams = (value) => {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+	const result = {};
+	for (const [keyRaw, valueRaw] of Object.entries(value)) {
+		const key = keyRaw.trim();
+		if (!key) continue;
+		if (RESERVED_AUTH_PARAM_KEYS.has(key)) continue;
+		const val = typeof valueRaw === "string" ? valueRaw.trim() : "";
+		if (!val) continue;
+		result[key] = val;
+	}
+	return Object.keys(result).length ? result : void 0;
 };
-const getOAuthStartRedirectUrl = async ({
-  ctx,
-  providerId: providerIdOverride,
-  returnTo,
-  authorizationParams
-}) => {
-  const providerId = resolveProviderId(ctx, providerIdOverride);
-  if (!providerId) {
-    return {
-      success: false,
-      error: "missing_provider",
-      statusCode: 400
-    };
-  }
-  if (!isSafeOAuthProviderId(providerId)) {
-    return {
-      success: false,
-      error: "invalid_provider",
-      statusCode: 400
-    };
-  }
-  const provider = getOAuthProviderConfig(providerId);
-  if (!provider) {
-    return {
-      success: false,
-      error: "unknown_provider",
-      statusCode: 404
-    };
-  }
-  const origin = getRequestOrigin(ctx);
-  if (!origin) {
-    return {
-      success: false,
-      error: "origin_unavailable",
-      statusCode: 500
-    };
-  }
-  const isHttps = origin.startsWith("https://");
-  const callbackPath = resolveCallbackPath(provider.callbackPath);
-  if (!callbackPath) {
-    return {
-      success: false,
-      error: "invalid_callback_path",
-      statusCode: 500
-    };
-  }
-  const state = crypto.randomBytes(16).toString("hex");
-  const {
-    verifier,
-    challenge
-  } = generatePkcePair();
-  const safeReturnTo = typeof returnTo === "string" && isSafeRedirectPath(returnTo) ? returnTo : void 0;
-  try {
-    const OAuthRequest = await models.getGlobal("RBOAuthRequest", ctx);
-    const now = /* @__PURE__ */ new Date();
-    await OAuthRequest.create({
-      _id: state,
-      providerId,
-      codeVerifier: verifier,
-      returnTo: safeReturnTo,
-      createdAt: now,
-      expiresAt: new Date(now.getTime() + OAUTH_REQUEST_TTL_MS)
-    });
-  } catch (err) {
-    console.warn("oauth::failed_to_store_request", err);
-    return {
-      success: false,
-      error: "oauth_request_store_failed",
-      statusCode: 500
-    };
-  }
-  try {
-    ctx.res.cookie(OAUTH_STATE_COOKIE_NAME, `${providerId}:${state}`, {
-      httpOnly: true,
-      secure: isHttps,
-      sameSite: isHttps ? "none" : "lax",
-      path: callbackPath,
-      maxAge: OAUTH_REQUEST_TTL_MS
-    });
-  } catch (err) {
-    console.warn("oauth::failed_to_set_state_cookie", err);
-    return {
-      success: false,
-      error: "oauth_cookie_set_failed",
-      statusCode: 500
-    };
-  }
-  const oidc = await getOidcWellKnown(provider.issuer);
-  const redirectUri = `${origin}${callbackPath}`;
-  const url = new URL(oidc.authorization_endpoint);
-  url.searchParams.set("client_id", provider.clientId);
-  url.searchParams.set("redirect_uri", redirectUri);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("scope", provider.scope);
-  url.searchParams.set("state", state);
-  url.searchParams.set("code_challenge", challenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  const extraAuthorizationParams = normalizeAuthorizationParams(authorizationParams);
-  for (const [key, value] of Object.entries(extraAuthorizationParams ?? {})) {
-    if (url.searchParams.has(key)) continue;
-    url.searchParams.set(key, value);
-  }
-  return {
-    success: true,
-    redirectUrl: url.toString()
-  };
+var getOAuthStartRedirectUrl = async ({ ctx, providerId: providerIdOverride, returnTo, authorizationParams }) => {
+	const providerId = resolveProviderId(ctx, providerIdOverride);
+	if (!providerId) return {
+		success: false,
+		error: "missing_provider",
+		statusCode: 400
+	};
+	if (!isSafeOAuthProviderId(providerId)) return {
+		success: false,
+		error: "invalid_provider",
+		statusCode: 400
+	};
+	const provider = getOAuthProviderConfig(providerId);
+	if (!provider) return {
+		success: false,
+		error: "unknown_provider",
+		statusCode: 404
+	};
+	const origin = getRequestOrigin(ctx);
+	if (!origin) return {
+		success: false,
+		error: "origin_unavailable",
+		statusCode: 500
+	};
+	const isHttps = origin.startsWith("https://");
+	const callbackPath = resolveCallbackPath(provider.callbackPath);
+	if (!callbackPath) return {
+		success: false,
+		error: "invalid_callback_path",
+		statusCode: 500
+	};
+	const state = crypto.randomBytes(16).toString("hex");
+	const { verifier, challenge } = generatePkcePair();
+	const safeReturnTo = typeof returnTo === "string" && isSafeRedirectPath(returnTo) ? returnTo : void 0;
+	try {
+		const OAuthRequest = await models.getGlobal("RBOAuthRequest", ctx);
+		const now = /* @__PURE__ */ new Date();
+		await OAuthRequest.create({
+			_id: state,
+			providerId,
+			codeVerifier: verifier,
+			returnTo: safeReturnTo,
+			createdAt: now,
+			expiresAt: new Date(now.getTime() + OAUTH_REQUEST_TTL_MS)
+		});
+	} catch (err) {
+		console.warn("oauth::failed_to_store_request", err);
+		return {
+			success: false,
+			error: "oauth_request_store_failed",
+			statusCode: 500
+		};
+	}
+	try {
+		ctx.res.cookie(OAUTH_STATE_COOKIE_NAME, `${providerId}:${state}`, {
+			httpOnly: true,
+			secure: isHttps,
+			sameSite: isHttps ? "none" : "lax",
+			path: callbackPath,
+			maxAge: OAUTH_REQUEST_TTL_MS
+		});
+	} catch (err) {
+		console.warn("oauth::failed_to_set_state_cookie", err);
+		return {
+			success: false,
+			error: "oauth_cookie_set_failed",
+			statusCode: 500
+		};
+	}
+	const oidc = await getOidcWellKnown(provider.issuer);
+	const redirectUri = `${origin}${callbackPath}`;
+	const url = new URL(oidc.authorization_endpoint);
+	url.searchParams.set("client_id", provider.clientId);
+	url.searchParams.set("redirect_uri", redirectUri);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("scope", provider.scope);
+	url.searchParams.set("state", state);
+	url.searchParams.set("code_challenge", challenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	const extraAuthorizationParams = normalizeAuthorizationParams(authorizationParams);
+	for (const [key, value] of Object.entries(extraAuthorizationParams ?? {})) {
+		if (url.searchParams.has(key)) continue;
+		url.searchParams.set(key, value);
+	}
+	return {
+		success: true,
+		redirectUrl: url.toString()
+	};
 };
-const OAUTH_SUCCESS_REDIRECT_PATH = "/onboarding";
-const AUTH_ERROR_REDIRECT_BASE = "/auth/sign-in";
-const processOAuthCallback = async ({
-  ctx,
-  providerId: providerIdOverride,
-  createUserOnFirstSignIn,
-  missingUserRedirectPath,
-  successRedirectPath
-}) => {
-  const providerId = resolveProviderId(ctx, providerIdOverride);
-  if (!providerId) {
-    return {
-      success: false,
-      type: "error",
-      error: "missing_provider",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_provider`
-    };
-  }
-  if (!isSafeOAuthProviderId(providerId)) {
-    return {
-      success: false,
-      type: "error",
-      error: "invalid_provider",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_provider`
-    };
-  }
-  const provider = getOAuthProviderConfig(providerId);
-  if (!provider) {
-    return {
-      success: false,
-      type: "error",
-      error: "unknown_provider",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=unknown_provider`
-    };
-  }
-  const origin = getRequestOrigin(ctx);
-  if (!origin) {
-    return {
-      success: false,
-      type: "error",
-      error: "origin_unavailable",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=origin_unavailable`
-    };
-  }
-  const isHttps = origin.startsWith("https://");
-  const callbackPath = resolveCallbackPath(provider.callbackPath);
-  if (!callbackPath) {
-    return {
-      success: false,
-      type: "error",
-      error: "invalid_callback_path",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_callback_path`
-    };
-  }
-  const bodyParams = await getFormPostParams(ctx);
-  const code = (getQueryString(bodyParams?.code) ?? getQueryString(ctx.req.query?.code))?.trim() ?? "";
-  const state = (getQueryString(bodyParams?.state) ?? getQueryString(ctx.req.query?.state))?.trim() ?? "";
-  const oauthUserRaw = (getQueryString(bodyParams?.user) ?? getQueryString(ctx.req.query?.user))?.trim() ?? "";
-  if (!code || !state) {
-    return {
-      success: false,
-      type: "error",
-      error: "missing_code_or_state",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_or_state`
-    };
-  }
-  const stateCookieValue = getCookieValue(ctx, OAUTH_STATE_COOKIE_NAME);
-  if (stateCookieValue !== `${providerId}:${state}`) {
-    return {
-      success: false,
-      type: "error",
-      error: "invalid_state",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
-    };
-  }
-  let oauthRequest = null;
-  let OAuthRequestModel = null;
-  try {
-    OAuthRequestModel = await models.getGlobal("RBOAuthRequest", ctx);
-    oauthRequest = await OAuthRequestModel.findOne({
-      _id: state,
-      providerId
-    }).lean();
-  } catch (err) {
-    console.warn("oauth::failed_to_load_request", err);
-    return {
-      success: false,
-      type: "error",
-      error: "oauth_request_load_failed",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=oauth_request_load_failed`
-    };
-  }
-  if (!oauthRequest) {
-    return {
-      success: false,
-      type: "error",
-      error: "invalid_state",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
-    };
-  }
-  const returnTo = typeof oauthRequest.returnTo === "string" ? oauthRequest.returnTo : void 0;
-  const codeVerifier = typeof oauthRequest.codeVerifier === "string" ? oauthRequest.codeVerifier : "";
-  if (!codeVerifier) {
-    return {
-      success: false,
-      type: "error",
-      error: "missing_code_verifier",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_verifier`
-    };
-  }
-  const oidc = await getOidcWellKnown(provider.issuer);
-  const redirectUri = `${origin}${callbackPath}`;
-  const tokenBody = new URLSearchParams();
-  tokenBody.set("grant_type", "authorization_code");
-  tokenBody.set("code", code);
-  tokenBody.set("redirect_uri", redirectUri);
-  tokenBody.set("client_id", provider.clientId);
-  tokenBody.set("code_verifier", codeVerifier);
-  if (provider.clientSecret) {
-    tokenBody.set("client_secret", provider.clientSecret);
-  }
-  const tokenResponse = await fetch(oidc.token_endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body: tokenBody.toString()
-  });
-  const tokenJson = await tokenResponse.json().catch(() => null);
-  if (!tokenResponse.ok || !tokenJson || typeof tokenJson !== "object") {
-    const body = tokenJson ? JSON.stringify(tokenJson) : "";
-    console.warn("oauth::token_exchange failed", tokenResponse.status, body);
-    return {
-      success: false,
-      type: "error",
-      error: "token_exchange_failed",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=token_exchange_failed`
-    };
-  }
-  const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : "";
-  const refreshToken = typeof tokenJson.refresh_token === "string" ? tokenJson.refresh_token : void 0;
-  const idToken = typeof tokenJson.id_token === "string" ? tokenJson.id_token : void 0;
-  const scope = typeof tokenJson.scope === "string" ? tokenJson.scope : void 0;
-  const tokenType = typeof tokenJson.token_type === "string" ? tokenJson.token_type : void 0;
-  const expiresIn = typeof tokenJson.expires_in === "number" ? tokenJson.expires_in : typeof tokenJson.expires_in === "string" ? Number(tokenJson.expires_in) : void 0;
-  const expiresInSeconds = typeof expiresIn === "number" && Number.isFinite(expiresIn) ? expiresIn : null;
-  const expiresAt = expiresInSeconds !== null ? new Date(Date.now() + expiresInSeconds * 1e3) : void 0;
-  let userInfo = null;
-  if (oidc.userinfo_endpoint && accessToken) {
-    const userInfoResponse = await fetch(oidc.userinfo_endpoint, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: "application/json"
-      }
-    });
-    if (userInfoResponse.ok) {
-      userInfo = await userInfoResponse.json().catch(() => null);
-    }
-  }
-  const idTokenPayload = idToken ? decodeJwtPayload(idToken) : null;
-  const accessTokenPayload = decodeJwtPayload(accessToken);
-  const subject = typeof userInfo?.sub === "string" ? userInfo.sub : typeof idTokenPayload?.sub === "string" ? idTokenPayload.sub : typeof accessTokenPayload?.sub === "string" ? accessTokenPayload.sub : "";
-  if (!subject) {
-    return {
-      success: false,
-      type: "error",
-      error: "missing_subject",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_subject`
-    };
-  }
-  const email = typeof userInfo?.email === "string" ? userInfo.email : typeof idTokenPayload?.email === "string" ? idTokenPayload.email : void 0;
-  const name = typeof userInfo?.name === "string" ? userInfo.name : typeof idTokenPayload?.name === "string" ? idTokenPayload.name : void 0;
-  let oauthUser = null;
-  if (oauthUserRaw) {
-    try {
-      oauthUser = JSON.parse(oauthUserRaw);
-    } catch {
-      oauthUser = null;
-    }
-  }
-  const oauthUserRecord = oauthUser && typeof oauthUser === "object" ? oauthUser : null;
-  const oauthUserEmail = typeof oauthUserRecord?.email === "string" ? oauthUserRecord.email.trim() : "";
-  const oauthUserNameRecord = oauthUserRecord?.name && typeof oauthUserRecord.name === "object" ? oauthUserRecord.name : null;
-  const oauthUserNameFirst = typeof oauthUserNameRecord?.firstName === "string" ? oauthUserNameRecord.firstName.trim() : "";
-  const oauthUserNameLast = typeof oauthUserNameRecord?.lastName === "string" ? oauthUserNameRecord.lastName.trim() : "";
-  const oauthUserName = [oauthUserNameFirst, oauthUserNameLast].filter(Boolean).join(" ").trim();
-  const resolvedEmail = email ?? (oauthUserEmail || void 0);
-  const resolvedName = name ?? (oauthUserName || void 0);
-  const [User, Tenant] = await Promise.all([models.getGlobal("RBUser", ctx), models.getGlobal("RBTenant", ctx)]);
-  const subjectQueryKey = `oauthProviders.${providerId}.subject`;
-  let user = await User.findOne({
-    [subjectQueryKey]: subject
-  });
-  if (!user && resolvedEmail) {
-    user = await User.findOne({
-      email: resolvedEmail
-    });
-  }
-  const shouldCreateUser = createUserOnFirstSignIn ?? true;
-  if (!user && !shouldCreateUser) {
-    const redirectPath2 = missingUserRedirectPath;
-    const result = {
-      success: false,
-      type: "missing_user",
-      providerId,
-      subject,
-      email: resolvedEmail,
-      name: resolvedName
-    };
-    if (redirectPath2 && isSafeRedirectPath(redirectPath2)) {
-      const url = new URL(redirectPath2, origin);
-      url.searchParams.set("oauth_provider", providerId);
-      if (resolvedEmail) url.searchParams.set("email", resolvedEmail);
-      if (resolvedName) url.searchParams.set("name", resolvedName);
-      result.redirectPath = `${url.pathname}${url.search}`;
-    }
-    return result;
-  }
-  if (!ctx.req.session) {
-    return {
-      success: false,
-      type: "error",
-      error: "session_unavailable",
-      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=session_unavailable`
-    };
-  }
-  const now = /* @__PURE__ */ new Date();
-  let providerCreatedAt;
-  const oauthProviders = user?.get("oauthProviders");
-  const existingProvider = oauthProviders?.get(providerId);
-  if (existingProvider?.createdAt instanceof Date) {
-    providerCreatedAt = existingProvider.createdAt;
-  }
-  const oauthProviderPayload = {
-    subject,
-    email: resolvedEmail,
-    name: resolvedName,
-    accessToken,
-    refreshToken,
-    idToken,
-    scope,
-    tokenType,
-    expiresAt,
-    rawUserInfo: userInfo ?? void 0,
-    createdAt: providerCreatedAt ?? now,
-    updatedAt: now
-  };
-  if (!user) {
-    const tenantId2 = crypto.randomUUID();
-    const password = await hashPasswordForStorage(crypto.randomBytes(32).toString("hex"));
-    user = new User({
-      email: resolvedEmail,
-      name: resolvedName,
-      password,
-      tenants: [tenantId2],
-      tenantRoles: {
-        [tenantId2]: ["owner"]
-      },
-      oauthProviders: {
-        [providerId]: oauthProviderPayload
-      }
-    });
-    await user.save();
-    try {
-      await Tenant.create({
-        tenantId: tenantId2,
-        name: resolvedEmail || subject
-      });
-    } catch (err) {
-      console.warn("oauth::failed_to_create_tenant", err);
-    }
-  } else {
-    const setFields = {
-      [`oauthProviders.${providerId}`]: oauthProviderPayload
-    };
-    if (!user.email && resolvedEmail) {
-      setFields.email = resolvedEmail;
-    }
-    if (!user.name && resolvedName) {
-      setFields.name = resolvedName;
-    }
-    await User.updateOne({
-      _id: user._id
-    }, {
-      $set: setFields
-    });
-  }
-  const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
-  const signedInTenants = (user.tenants || []).map(String);
-  const tenantRolesMap = user.get("tenantRoles");
-  const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
-  ctx.req.session.user = {
-    id: user._id.toString(),
-    currentTenantId: tenantId,
-    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
-    isEntryGateAuthorized: true,
-    tenantRoles
-  };
-  try {
-    if (OAuthRequestModel) {
-      await OAuthRequestModel.deleteOne({
-        _id: state,
-        providerId
-      });
-    }
-  } catch (err) {
-    console.warn("oauth::failed_to_delete_request", err);
-  }
-  try {
-    ctx.res.clearCookie(OAUTH_STATE_COOKIE_NAME, {
-      httpOnly: true,
-      secure: isHttps,
-      sameSite: isHttps ? "none" : "lax",
-      path: callbackPath
-    });
-  } catch (err) {
-    console.warn("oauth::failed_to_clear_state_cookie", err);
-  }
-  const redirectPath = returnTo && isSafeRedirectPath(returnTo) ? returnTo : successRedirectPath && isSafeRedirectPath(successRedirectPath) ? successRedirectPath : OAUTH_SUCCESS_REDIRECT_PATH;
-  return {
-    success: true,
-    type: "signed_in",
-    redirectPath,
-    userId: user._id.toString(),
-    tenantId,
-    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId]
-  };
+var OAUTH_SUCCESS_REDIRECT_PATH = "/onboarding";
+var AUTH_ERROR_REDIRECT_BASE = "/auth/sign-in";
+var processOAuthCallback = async ({ ctx, providerId: providerIdOverride, createUserOnFirstSignIn, missingUserRedirectPath, successRedirectPath }) => {
+	const providerId = resolveProviderId(ctx, providerIdOverride);
+	if (!providerId) return {
+		success: false,
+		type: "error",
+		error: "missing_provider",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_provider`
+	};
+	if (!isSafeOAuthProviderId(providerId)) return {
+		success: false,
+		type: "error",
+		error: "invalid_provider",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_provider`
+	};
+	const provider = getOAuthProviderConfig(providerId);
+	if (!provider) return {
+		success: false,
+		type: "error",
+		error: "unknown_provider",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=unknown_provider`
+	};
+	const origin = getRequestOrigin(ctx);
+	if (!origin) return {
+		success: false,
+		type: "error",
+		error: "origin_unavailable",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=origin_unavailable`
+	};
+	const isHttps = origin.startsWith("https://");
+	const callbackPath = resolveCallbackPath(provider.callbackPath);
+	if (!callbackPath) return {
+		success: false,
+		type: "error",
+		error: "invalid_callback_path",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_callback_path`
+	};
+	const bodyParams = await getFormPostParams(ctx);
+	const code = (getQueryString(bodyParams?.code) ?? getQueryString(ctx.req.query?.code))?.trim() ?? "";
+	const state = (getQueryString(bodyParams?.state) ?? getQueryString(ctx.req.query?.state))?.trim() ?? "";
+	const oauthUserRaw = (getQueryString(bodyParams?.user) ?? getQueryString(ctx.req.query?.user))?.trim() ?? "";
+	if (!code || !state) return {
+		success: false,
+		type: "error",
+		error: "missing_code_or_state",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_or_state`
+	};
+	if (getCookieValue(ctx, OAUTH_STATE_COOKIE_NAME) !== `${providerId}:${state}`) return {
+		success: false,
+		type: "error",
+		error: "invalid_state",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
+	};
+	let oauthRequest = null;
+	let OAuthRequestModel = null;
+	try {
+		OAuthRequestModel = await models.getGlobal("RBOAuthRequest", ctx);
+		oauthRequest = await OAuthRequestModel.findOne({
+			_id: state,
+			providerId
+		}).lean();
+	} catch (err) {
+		console.warn("oauth::failed_to_load_request", err);
+		return {
+			success: false,
+			type: "error",
+			error: "oauth_request_load_failed",
+			redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=oauth_request_load_failed`
+		};
+	}
+	if (!oauthRequest) return {
+		success: false,
+		type: "error",
+		error: "invalid_state",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
+	};
+	const returnTo = typeof oauthRequest.returnTo === "string" ? oauthRequest.returnTo : void 0;
+	const codeVerifier = typeof oauthRequest.codeVerifier === "string" ? oauthRequest.codeVerifier : "";
+	if (!codeVerifier) return {
+		success: false,
+		type: "error",
+		error: "missing_code_verifier",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_verifier`
+	};
+	const oidc = await getOidcWellKnown(provider.issuer);
+	const redirectUri = `${origin}${callbackPath}`;
+	const tokenBody = new URLSearchParams();
+	tokenBody.set("grant_type", "authorization_code");
+	tokenBody.set("code", code);
+	tokenBody.set("redirect_uri", redirectUri);
+	tokenBody.set("client_id", provider.clientId);
+	tokenBody.set("code_verifier", codeVerifier);
+	if (provider.clientSecret) tokenBody.set("client_secret", provider.clientSecret);
+	const tokenResponse = await fetch(oidc.token_endpoint, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			Accept: "application/json"
+		},
+		body: tokenBody.toString()
+	});
+	const tokenJson = await tokenResponse.json().catch(() => null);
+	if (!tokenResponse.ok || !tokenJson || typeof tokenJson !== "object") {
+		const body = tokenJson ? JSON.stringify(tokenJson) : "";
+		console.warn("oauth::token_exchange failed", tokenResponse.status, body);
+		return {
+			success: false,
+			type: "error",
+			error: "token_exchange_failed",
+			redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=token_exchange_failed`
+		};
+	}
+	const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : "";
+	const refreshToken = typeof tokenJson.refresh_token === "string" ? tokenJson.refresh_token : void 0;
+	const idToken = typeof tokenJson.id_token === "string" ? tokenJson.id_token : void 0;
+	const scope = typeof tokenJson.scope === "string" ? tokenJson.scope : void 0;
+	const tokenType = typeof tokenJson.token_type === "string" ? tokenJson.token_type : void 0;
+	const expiresIn = typeof tokenJson.expires_in === "number" ? tokenJson.expires_in : typeof tokenJson.expires_in === "string" ? Number(tokenJson.expires_in) : void 0;
+	const expiresInSeconds = typeof expiresIn === "number" && Number.isFinite(expiresIn) ? expiresIn : null;
+	const expiresAt = expiresInSeconds !== null ? new Date(Date.now() + expiresInSeconds * 1e3) : void 0;
+	let userInfo = null;
+	if (oidc.userinfo_endpoint && accessToken) {
+		const userInfoResponse = await fetch(oidc.userinfo_endpoint, { headers: {
+			Authorization: `Bearer ${accessToken}`,
+			Accept: "application/json"
+		} });
+		if (userInfoResponse.ok) userInfo = await userInfoResponse.json().catch(() => null);
+	}
+	const idTokenPayload = idToken ? decodeJwtPayload(idToken) : null;
+	const accessTokenPayload = decodeJwtPayload(accessToken);
+	const subject = typeof userInfo?.sub === "string" ? userInfo.sub : typeof idTokenPayload?.sub === "string" ? idTokenPayload.sub : typeof accessTokenPayload?.sub === "string" ? accessTokenPayload.sub : "";
+	if (!subject) return {
+		success: false,
+		type: "error",
+		error: "missing_subject",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_subject`
+	};
+	const email = typeof userInfo?.email === "string" ? userInfo.email : typeof idTokenPayload?.email === "string" ? idTokenPayload.email : void 0;
+	const name = typeof userInfo?.name === "string" ? userInfo.name : typeof idTokenPayload?.name === "string" ? idTokenPayload.name : void 0;
+	let oauthUser = null;
+	if (oauthUserRaw) try {
+		oauthUser = JSON.parse(oauthUserRaw);
+	} catch {
+		oauthUser = null;
+	}
+	const oauthUserRecord = oauthUser && typeof oauthUser === "object" ? oauthUser : null;
+	const oauthUserEmail = typeof oauthUserRecord?.email === "string" ? oauthUserRecord.email.trim() : "";
+	const oauthUserNameRecord = oauthUserRecord?.name && typeof oauthUserRecord.name === "object" ? oauthUserRecord.name : null;
+	const oauthUserName = [typeof oauthUserNameRecord?.firstName === "string" ? oauthUserNameRecord.firstName.trim() : "", typeof oauthUserNameRecord?.lastName === "string" ? oauthUserNameRecord.lastName.trim() : ""].filter(Boolean).join(" ").trim();
+	const resolvedEmail = email ?? (oauthUserEmail || void 0);
+	const resolvedName = name ?? (oauthUserName || void 0);
+	const [User, Tenant] = await Promise.all([models.getGlobal("RBUser", ctx), models.getGlobal("RBTenant", ctx)]);
+	const subjectQueryKey = `oauthProviders.${providerId}.subject`;
+	let user = await User.findOne({ [subjectQueryKey]: subject });
+	if (!user && resolvedEmail) user = await User.findOne({ email: resolvedEmail });
+	if (!user && !(createUserOnFirstSignIn ?? true)) {
+		const redirectPath = missingUserRedirectPath;
+		const result = {
+			success: false,
+			type: "missing_user",
+			providerId,
+			subject,
+			email: resolvedEmail,
+			name: resolvedName
+		};
+		if (redirectPath && isSafeRedirectPath(redirectPath)) {
+			const url = new URL(redirectPath, origin);
+			url.searchParams.set("oauth_provider", providerId);
+			if (resolvedEmail) url.searchParams.set("email", resolvedEmail);
+			if (resolvedName) url.searchParams.set("name", resolvedName);
+			result.redirectPath = `${url.pathname}${url.search}`;
+		}
+		return result;
+	}
+	if (!ctx.req.session) return {
+		success: false,
+		type: "error",
+		error: "session_unavailable",
+		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=session_unavailable`
+	};
+	const now = /* @__PURE__ */ new Date();
+	let providerCreatedAt;
+	const existingProvider = (user?.get("oauthProviders"))?.get(providerId);
+	if (existingProvider?.createdAt instanceof Date) providerCreatedAt = existingProvider.createdAt;
+	const oauthProviderPayload = {
+		subject,
+		email: resolvedEmail,
+		name: resolvedName,
+		accessToken,
+		refreshToken,
+		idToken,
+		scope,
+		tokenType,
+		expiresAt,
+		rawUserInfo: userInfo ?? void 0,
+		createdAt: providerCreatedAt ?? now,
+		updatedAt: now
+	};
+	if (!user) {
+		const tenantId = crypto.randomUUID();
+		user = new User({
+			email: resolvedEmail,
+			name: resolvedName,
+			password: await hashPasswordForStorage(crypto.randomBytes(32).toString("hex")),
+			tenants: [tenantId],
+			tenantRoles: { [tenantId]: ["owner"] },
+			oauthProviders: { [providerId]: oauthProviderPayload }
+		});
+		await user.save();
+		try {
+			await Tenant.create({
+				tenantId,
+				name: resolvedEmail || subject
+			});
+		} catch (err) {
+			console.warn("oauth::failed_to_create_tenant", err);
+		}
+	} else {
+		const setFields = { [`oauthProviders.${providerId}`]: oauthProviderPayload };
+		if (!user.email && resolvedEmail) setFields.email = resolvedEmail;
+		if (!user.name && resolvedName) setFields.name = resolvedName;
+		await User.updateOne({ _id: user._id }, { $set: setFields });
+	}
+	const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
+	const signedInTenants = (user.tenants || []).map(String);
+	const tenantRolesMap = user.get("tenantRoles");
+	const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
+	ctx.req.session.user = {
+		id: user._id.toString(),
+		currentTenantId: tenantId,
+		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
+		isEntryGateAuthorized: true,
+		tenantRoles
+	};
+	try {
+		if (OAuthRequestModel) await OAuthRequestModel.deleteOne({
+			_id: state,
+			providerId
+		});
+	} catch (err) {
+		console.warn("oauth::failed_to_delete_request", err);
+	}
+	try {
+		ctx.res.clearCookie(OAUTH_STATE_COOKIE_NAME, {
+			httpOnly: true,
+			secure: isHttps,
+			sameSite: isHttps ? "none" : "lax",
+			path: callbackPath
+		});
+	} catch (err) {
+		console.warn("oauth::failed_to_clear_state_cookie", err);
+	}
+	return {
+		success: true,
+		type: "signed_in",
+		redirectPath: returnTo && isSafeRedirectPath(returnTo) ? returnTo : successRedirectPath && isSafeRedirectPath(successRedirectPath) ? successRedirectPath : OAUTH_SUCCESS_REDIRECT_PATH,
+		userId: user._id.toString(),
+		tenantId,
+		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId]
+	};
 };
-const createOAuthStartHandler = ({
-  providerId,
-  getAuthorizationParams
-} = {}) => async (_payload, ctx) => {
-  const resolvedProviderId = resolveProviderId(ctx, providerId);
-  const providerAuthorizationParams = resolvedProviderId && getAuthorizationParams ? getAuthorizationParams(resolvedProviderId) : void 0;
-  const returnTo = getQueryString(ctx.req.query?.returnTo)?.trim();
-  const result = await getOAuthStartRedirectUrl({
-    ctx,
-    providerId: resolvedProviderId,
-    returnTo,
-    authorizationParams: providerAuthorizationParams
-  });
-  if (!result.success) {
-    ctx.res.status(result.statusCode);
-    return {
-      success: false,
-      error: result.error
-    };
-  }
-  ctx.res.redirect(result.redirectUrl);
-  return {
-    success: true
-  };
+var createOAuthStartHandler = ({ providerId, getAuthorizationParams } = {}) => async (_payload, ctx) => {
+	const resolvedProviderId = resolveProviderId(ctx, providerId);
+	const providerAuthorizationParams = resolvedProviderId && getAuthorizationParams ? getAuthorizationParams(resolvedProviderId) : void 0;
+	const returnTo = getQueryString(ctx.req.query?.returnTo)?.trim();
+	const result = await getOAuthStartRedirectUrl({
+		ctx,
+		providerId: resolvedProviderId,
+		returnTo,
+		authorizationParams: providerAuthorizationParams
+	});
+	if (!result.success) {
+		ctx.res.status(result.statusCode);
+		return {
+			success: false,
+			error: result.error
+		};
+	}
+	ctx.res.redirect(result.redirectUrl);
+	return { success: true };
 };
-const createOAuthCallbackHandler = ({
-  providerId,
-  createUserOnFirstSignIn,
-  missingUserRedirectPath,
-  successRedirectPath
-} = {}) => async (_payload, ctx) => {
-  const result = await processOAuthCallback({
-    ctx,
-    providerId,
-    createUserOnFirstSignIn,
-    missingUserRedirectPath,
-    successRedirectPath
-  });
-  if (result.type === "error") {
-    ctx.res.redirect(result.redirectPath);
-    return {
-      success: false,
-      error: result.error
-    };
-  }
-  if (result.type === "missing_user") {
-    if (result.redirectPath) {
-      ctx.res.redirect(result.redirectPath);
-    } else {
-      ctx.res.redirect("/auth/sign-up");
-    }
-    return {
-      success: false,
-      error: "user_not_found"
-    };
-  }
-  ctx.res.redirect(result.redirectPath);
-  return {
-    success: true
-  };
+var createOAuthCallbackHandler = ({ providerId, createUserOnFirstSignIn, missingUserRedirectPath, successRedirectPath } = {}) => async (_payload, ctx) => {
+	const result = await processOAuthCallback({
+		ctx,
+		providerId,
+		createUserOnFirstSignIn,
+		missingUserRedirectPath,
+		successRedirectPath
+	});
+	if (result.type === "error") {
+		ctx.res.redirect(result.redirectPath);
+		return {
+			success: false,
+			error: result.error
+		};
+	}
+	if (result.type === "missing_user") {
+		if (result.redirectPath) ctx.res.redirect(result.redirectPath);
+		else ctx.res.redirect("/auth/sign-up");
+		return {
+			success: false,
+			error: "user_not_found"
+		};
+	}
+	ctx.res.redirect(result.redirectPath);
+	return { success: true };
 };
-const base64UrlEncode = (input) => Buffer.from(input).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-const createAppleClientSecret = ({
-  teamId,
-  clientId,
-  keyId,
-  privateKeyPem,
-  now = /* @__PURE__ */ new Date(),
-  expiresInSeconds = 10 * 60
-}) => {
-  const teamIdValue = teamId.trim();
-  const clientIdValue = clientId.trim();
-  const keyIdValue = keyId.trim();
-  const privateKeyPemValue = privateKeyPem.trim();
-  if (!teamIdValue) throw new Error("teamId is required");
-  if (!clientIdValue) throw new Error("clientId is required");
-  if (!keyIdValue) throw new Error("keyId is required");
-  if (!privateKeyPemValue) throw new Error("privateKeyPem is required");
-  const nowSeconds = Math.floor(now.getTime() / 1e3);
-  const expiresIn = Number.isFinite(expiresInSeconds) ? expiresInSeconds : 10 * 60;
-  const exp = nowSeconds + Math.max(60, Math.min(expiresIn, 60 * 60 * 24 * 180));
-  const header = {
-    alg: "ES256",
-    kid: keyIdValue,
-    typ: "JWT"
-  };
-  const payload = {
-    iss: teamIdValue,
-    iat: nowSeconds,
-    exp,
-    aud: "https://appleid.apple.com",
-    sub: clientIdValue
-  };
-  const signingInput = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
-  const signature = crypto.sign("sha256", Buffer.from(signingInput), {
-    key: privateKeyPemValue,
-    dsaEncoding: "ieee-p1363"
-  });
-  return `${signingInput}.${base64UrlEncode(signature)}`;
+var base64UrlEncode = (input) => Buffer.from(input).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+var createAppleClientSecret = ({ teamId, clientId, keyId, privateKeyPem, now = /* @__PURE__ */ new Date(), expiresInSeconds = 600 }) => {
+	const teamIdValue = teamId.trim();
+	const clientIdValue = clientId.trim();
+	const keyIdValue = keyId.trim();
+	const privateKeyPemValue = privateKeyPem.trim();
+	if (!teamIdValue) throw new Error("teamId is required");
+	if (!clientIdValue) throw new Error("clientId is required");
+	if (!keyIdValue) throw new Error("keyId is required");
+	if (!privateKeyPemValue) throw new Error("privateKeyPem is required");
+	const nowSeconds = Math.floor(now.getTime() / 1e3);
+	const exp = nowSeconds + Math.max(60, Math.min(Number.isFinite(expiresInSeconds) ? expiresInSeconds : 600, 3600 * 24 * 180));
+	const header = {
+		alg: "ES256",
+		kid: keyIdValue,
+		typ: "JWT"
+	};
+	const payload = {
+		iss: teamIdValue,
+		iat: nowSeconds,
+		exp,
+		aud: "https://appleid.apple.com",
+		sub: clientIdValue
+	};
+	const signingInput = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
+	return `${signingInput}.${base64UrlEncode(crypto.sign("sha256", Buffer.from(signingInput), {
+		key: privateKeyPemValue,
+		dsaEncoding: "ieee-p1363"
+	}))}`;
 };
-export {
-  configureOAuthProviders,
-  createAppleClientSecret,
-  createOAuthCallbackHandler,
-  createOAuthStartHandler,
-  getOAuthStartRedirectUrl,
-  processOAuthCallback,
-  setOAuthProviders
-};
-//# sourceMappingURL=index.js.map
+//#endregion
+export { configureOAuthProviders, createAppleClientSecret, createOAuthCallbackHandler, createOAuthStartHandler, getOAuthStartRedirectUrl, processOAuthCallback, setOAuthProviders };
+
+//# sourceMappingURL=index.js.map