@rpcbase/auth 0.118.0 → 0.120.0

package/dist/oauth/index.js

@@ -1,651 +1,772 @@
 import crypto from "crypto";
 import { models } from "@rpcbase/db";
 import { hashPasswordForStorage } from "@rpcbase/server";
-//#region src/oauth/config.ts
-var STORE_KEY = Symbol.for("@rpcbase/auth/oauthProviders");
-var getStore = () => {
-	const anyGlobal = globalThis;
-	const existing = anyGlobal[STORE_KEY];
-	if (existing && typeof existing === "object" && existing.providers && typeof existing.providers === "object") return existing;
-	const created = { providers: {} };
-	anyGlobal[STORE_KEY] = created;
-	return created;
+const STORE_KEY = /* @__PURE__ */ Symbol.for("@rpcbase/auth/oauthProviders");
+const getStore = () => {
+  const anyGlobal = globalThis;
+  const existing = anyGlobal[STORE_KEY];
+  if (existing && typeof existing === "object" && existing.providers && typeof existing.providers === "object") {
+    return existing;
+  }
+  const created = {
+    providers: {}
+  };
+  anyGlobal[STORE_KEY] = created;
+  return created;
 };
-var normalizeProviders = (providers) => {
-	const result = {};
-	const isSafeRedirectPath = (candidate) => {
-		if (!candidate.startsWith("/")) return false;
-		if (candidate.startsWith("//")) return false;
-		return true;
-	};
-	for (const [providerIdRaw, value] of Object.entries(providers)) {
-		const providerId = providerIdRaw.trim();
-		if (!providerId) continue;
-		const issuer = typeof value?.issuer === "string" ? value.issuer.trim() : "";
-		const clientId = typeof value?.clientId === "string" ? value.clientId.trim() : "";
-		if (!issuer) throw new Error(`oauth provider "${providerId}" missing issuer`);
-		if (!clientId) throw new Error(`oauth provider "${providerId}" missing clientId`);
-		const clientSecret = typeof value?.clientSecret === "string" && value.clientSecret.trim() ? value.clientSecret : void 0;
-		const scope = typeof value?.scope === "string" ? value.scope.trim() : "";
-		if (!scope) throw new Error(`oauth provider "${providerId}" missing scope`);
-		const callbackPath = typeof value?.callbackPath === "string" ? value.callbackPath.trim() : "";
-		if (!callbackPath) throw new Error(`oauth provider "${providerId}" missing callbackPath`);
-		if (!isSafeRedirectPath(callbackPath)) throw new Error(`oauth provider "${providerId}" has invalid callbackPath`);
-		result[providerId] = {
-			issuer,
-			clientId,
-			clientSecret,
-			scope,
-			callbackPath
-		};
-	}
-	return result;
+const normalizeProviders = (providers) => {
+  const result = {};
+  const isSafeRedirectPath2 = (candidate) => {
+    if (!candidate.startsWith("/")) return false;
+    if (candidate.startsWith("//")) return false;
+    return true;
+  };
+  for (const [providerIdRaw, value] of Object.entries(providers)) {
+    const providerId = providerIdRaw.trim();
+    if (!providerId) continue;
+    const issuer = typeof value?.issuer === "string" ? value.issuer.trim() : "";
+    const clientId = typeof value?.clientId === "string" ? value.clientId.trim() : "";
+    if (!issuer) throw new Error(`oauth provider "${providerId}" missing issuer`);
+    if (!clientId) throw new Error(`oauth provider "${providerId}" missing clientId`);
+    const clientSecret = typeof value?.clientSecret === "string" && value.clientSecret.trim() ? value.clientSecret : void 0;
+    const scope = typeof value?.scope === "string" ? value.scope.trim() : "";
+    if (!scope) throw new Error(`oauth provider "${providerId}" missing scope`);
+    const callbackPath = typeof value?.callbackPath === "string" ? value.callbackPath.trim() : "";
+    if (!callbackPath) throw new Error(`oauth provider "${providerId}" missing callbackPath`);
+    if (!isSafeRedirectPath2(callbackPath)) throw new Error(`oauth provider "${providerId}" has invalid callbackPath`);
+    result[providerId] = {
+      issuer,
+      clientId,
+      clientSecret,
+      scope,
+      callbackPath
+    };
+  }
+  return result;
 };
-var configureOAuthProviders = (providers) => {
-	const store = getStore();
-	const normalized = normalizeProviders(providers);
-	store.providers = {
-		...store.providers,
-		...normalized
-	};
+const configureOAuthProviders = (providers) => {
+  const store = getStore();
+  const normalized = normalizeProviders(providers);
+  store.providers = {
+    ...store.providers,
+    ...normalized
+  };
 };
-var setOAuthProviders = (providers) => {
-	const store = getStore();
-	store.providers = normalizeProviders(providers);
+const setOAuthProviders = (providers) => {
+  const store = getStore();
+  store.providers = normalizeProviders(providers);
 };
-var getOAuthProviderConfig = (providerId) => {
-	return getStore().providers[providerId] ?? null;
+const getOAuthProviderConfig = (providerId) => {
+  const store = getStore();
+  return store.providers[providerId] ?? null;
 };
-//#endregion
-//#region src/oauth/jwt.ts
-var decodeBase64Url = (value) => {
-	const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((value.length + 3) % 4);
-	return Buffer.from(padded, "base64").toString("utf8");
+const decodeBase64Url = (value) => {
+  const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((value.length + 3) % 4);
+  return Buffer.from(padded, "base64").toString("utf8");
 };
-var decodeJwtPayload = (token) => {
-	const parts = token.split(".");
-	if (parts.length < 2) return null;
-	try {
-		const json = decodeBase64Url(parts[1]);
-		const parsed = JSON.parse(json);
-		if (!parsed || typeof parsed !== "object") return null;
-		return parsed;
-	} catch {
-		return null;
-	}
+const decodeJwtPayload = (token) => {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const json = decodeBase64Url(parts[1]);
+    const parsed = JSON.parse(json);
+    if (!parsed || typeof parsed !== "object") return null;
+    return parsed;
+  } catch {
+    return null;
+  }
 };
-//#endregion
-//#region src/oauth/oidc.ts
-var cache = /* @__PURE__ */ new Map();
-var normalizeIssuer = (raw) => raw.trim().replace(/\/+$/, "");
-var getOidcWellKnown = async (issuerRaw) => {
-	const issuer = normalizeIssuer(issuerRaw);
-	if (!issuer) throw new Error("OIDC issuer is required");
-	const existing = cache.get(issuer);
-	if (existing) return existing;
-	const loader = (async () => {
-		const url = new URL("/.well-known/openid-configuration", issuer);
-		const response = await fetch(url, { headers: { Accept: "application/json" } });
-		if (!response.ok) {
-			const body = await response.text().catch(() => "");
-			throw new Error(`Failed to fetch OIDC discovery document: ${response.status} ${body}`);
-		}
-		const json = await response.json().catch(() => null);
-		if (!json || typeof json !== "object") throw new Error("Invalid OIDC discovery document");
-		const authorizationEndpoint = typeof json.authorization_endpoint === "string" ? json.authorization_endpoint : "";
-		const tokenEndpoint = typeof json.token_endpoint === "string" ? json.token_endpoint : "";
-		const issuerValue = typeof json.issuer === "string" ? json.issuer : issuer;
-		const userinfoEndpoint = typeof json.userinfo_endpoint === "string" ? json.userinfo_endpoint : void 0;
-		const jwksUri = typeof json.jwks_uri === "string" ? json.jwks_uri : void 0;
-		if (!authorizationEndpoint || !tokenEndpoint) throw new Error("OIDC discovery document missing required endpoints");
-		return {
-			issuer: issuerValue,
-			authorization_endpoint: authorizationEndpoint,
-			token_endpoint: tokenEndpoint,
-			userinfo_endpoint: userinfoEndpoint,
-			jwks_uri: jwksUri
-		};
-	})();
-	cache.set(issuer, loader);
-	try {
-		return await loader;
-	} catch (err) {
-		cache.delete(issuer);
-		throw err;
-	}
+const cache = /* @__PURE__ */ new Map();
+const normalizeIssuer = (raw) => raw.trim().replace(/\/+$/, "");
+const getOidcWellKnown = async (issuerRaw) => {
+  const issuer = normalizeIssuer(issuerRaw);
+  if (!issuer) {
+    throw new Error("OIDC issuer is required");
+  }
+  const existing = cache.get(issuer);
+  if (existing) {
+    return existing;
+  }
+  const loader = (async () => {
+    const url = new URL("/.well-known/openid-configuration", issuer);
+    const response = await fetch(url, {
+      headers: {
+        Accept: "application/json"
+      }
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new Error(`Failed to fetch OIDC discovery document: ${response.status} ${body}`);
+    }
+    const json = await response.json().catch(() => null);
+    if (!json || typeof json !== "object") {
+      throw new Error("Invalid OIDC discovery document");
+    }
+    const authorizationEndpoint = typeof json.authorization_endpoint === "string" ? json.authorization_endpoint : "";
+    const tokenEndpoint = typeof json.token_endpoint === "string" ? json.token_endpoint : "";
+    const issuerValue = typeof json.issuer === "string" ? json.issuer : issuer;
+    const userinfoEndpoint = typeof json.userinfo_endpoint === "string" ? json.userinfo_endpoint : void 0;
+    const jwksUri = typeof json.jwks_uri === "string" ? json.jwks_uri : void 0;
+    if (!authorizationEndpoint || !tokenEndpoint) {
+      throw new Error("OIDC discovery document missing required endpoints");
+    }
+    return {
+      issuer: issuerValue,
+      authorization_endpoint: authorizationEndpoint,
+      token_endpoint: tokenEndpoint,
+      userinfo_endpoint: userinfoEndpoint,
+      jwks_uri: jwksUri
+    };
+  })();
+  cache.set(issuer, loader);
+  try {
+    return await loader;
+  } catch (err) {
+    cache.delete(issuer);
+    throw err;
+  }
 };
-//#endregion
-//#region src/oauth/pkce.ts
-var base64UrlEncode$1 = (input) => input.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-var generatePkcePair = () => {
-	const verifier = base64UrlEncode$1(crypto.randomBytes(32));
-	return {
-		verifier,
-		challenge: base64UrlEncode$1(crypto.createHash("sha256").update(verifier).digest())
-	};
+const base64UrlEncode$1 = (input) => input.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+const generatePkcePair = () => {
+  const verifier = base64UrlEncode$1(crypto.randomBytes(32));
+  const challenge = base64UrlEncode$1(crypto.createHash("sha256").update(verifier).digest());
+  return {
+    verifier,
+    challenge
+  };
 };
-//#endregion
-//#region src/oauth/providerId.ts
-var RESERVED_KEYS = new Set([
-	"__proto__",
-	"prototype",
-	"constructor"
-]);
-var isSafeOAuthProviderId = (value) => {
-	const providerId = value.trim();
-	if (!providerId) return false;
-	if (providerId.length > 128) return false;
-	if (RESERVED_KEYS.has(providerId)) return false;
-	return /^[a-zA-Z0-9_-]+$/.test(providerId);
+const RESERVED_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+const isSafeOAuthProviderId = (value) => {
+  const providerId = value.trim();
+  if (!providerId) return false;
+  if (providerId.length > 128) return false;
+  if (RESERVED_KEYS.has(providerId)) return false;
+  return /^[a-zA-Z0-9_-]+$/.test(providerId);
 };
-//#endregion
-//#region src/oauth/lib.ts
-var OAUTH_REQUEST_TTL_MS = 600 * 1e3;
-var OAUTH_STATE_COOKIE_NAME = "rb_oauth_state";
-var getQueryString = (value) => {
-	if (typeof value === "string") return value;
-	if (Array.isArray(value) && typeof value[0] === "string") return value[0];
-	return null;
+const OAUTH_REQUEST_TTL_MS = 10 * 60 * 1e3;
+const OAUTH_STATE_COOKIE_NAME = "rb_oauth_state";
+const getQueryString = (value) => {
+  if (typeof value === "string") return value;
+  if (Array.isArray(value) && typeof value[0] === "string") return value[0];
+  return null;
 };
-var getCookieValue = (ctx, name) => {
-	const header = ctx.req.headers?.cookie;
-	if (typeof header !== "string" || !header) return null;
-	for (const part of header.split(";")) {
-		const [rawKey, ...rest] = part.split("=");
-		const key = rawKey?.trim();
-		if (!key || key !== name) continue;
-		const rawValue = rest.join("=").trim();
-		if (!rawValue) return "";
-		try {
-			return decodeURIComponent(rawValue);
-		} catch {
-			return rawValue;
-		}
-	}
-	return null;
+const getCookieValue = (ctx, name) => {
+  const header = ctx.req.headers?.cookie;
+  if (typeof header !== "string" || !header) return null;
+  for (const part of header.split(";")) {
+    const [rawKey, ...rest] = part.split("=");
+    const key = rawKey?.trim();
+    if (!key || key !== name) continue;
+    const rawValue = rest.join("=").trim();
+    if (!rawValue) return "";
+    try {
+      return decodeURIComponent(rawValue);
+    } catch {
+      return rawValue;
+    }
+  }
+  return null;
 };
-var isSafeRedirectPath = (candidate) => {
-	if (!candidate.startsWith("/")) return false;
-	if (candidate.startsWith("//")) return false;
-	return true;
+const isSafeRedirectPath = (candidate) => {
+  if (!candidate.startsWith("/")) return false;
+  if (candidate.startsWith("//")) return false;
+  return true;
 };
-var getRequestOrigin = (ctx) => {
-	const protoHeader = ctx.req.headers["x-forwarded-proto"];
-	const hostHeader = ctx.req.headers["x-forwarded-host"];
-	const protocol = typeof protoHeader === "string" ? protoHeader.split(",")[0].trim() : ctx.req.protocol;
-	const host = typeof hostHeader === "string" ? hostHeader.split(",")[0].trim() : ctx.req.get("host");
-	return protocol && host ? `${protocol}://${host}` : "";
+const getRequestOrigin = (ctx) => {
+  const protoHeader = ctx.req.headers["x-forwarded-proto"];
+  const hostHeader = ctx.req.headers["x-forwarded-host"];
+  const protocol = typeof protoHeader === "string" ? protoHeader.split(",")[0].trim() : ctx.req.protocol;
+  const host = typeof hostHeader === "string" ? hostHeader.split(",")[0].trim() : ctx.req.get("host");
+  return protocol && host ? `${protocol}://${host}` : "";
 };
-var resolveCallbackPath = (callbackPath) => {
-	const trimmed = callbackPath.trim();
-	return trimmed && isSafeRedirectPath(trimmed) ? trimmed : null;
+const resolveCallbackPath = (callbackPath) => {
+  const trimmed = callbackPath.trim();
+  return trimmed && isSafeRedirectPath(trimmed) ? trimmed : null;
 };
-var readTextBody = async (req) => await new Promise((resolve, reject) => {
-	let body = "";
-	if (typeof req.setEncoding === "function") req.setEncoding("utf8");
-	req.on("data", (chunk) => {
-		body += String(chunk);
-		if (body.length > 32768) reject(/* @__PURE__ */ new Error("request_body_too_large"));
-	});
-	req.on("end", () => resolve(body));
-	req.on("error", reject);
+const readTextBody = async (req) => await new Promise((resolve, reject) => {
+  let body = "";
+  if (typeof req.setEncoding === "function") {
+    req.setEncoding("utf8");
+  }
+  req.on("data", (chunk) => {
+    body += String(chunk);
+    if (body.length > 32768) {
+      reject(new Error("request_body_too_large"));
+    }
+  });
+  req.on("end", () => resolve(body));
+  req.on("error", reject);
 });
-var getFormPostParams = async (ctx) => {
-	if (ctx.req.method !== "POST") return null;
-	if (!(typeof ctx.req.headers["content-type"] === "string" ? ctx.req.headers["content-type"] : "").includes("application/x-www-form-urlencoded")) return null;
-	const body = await readTextBody(ctx.req);
-	const params = new URLSearchParams(body);
-	const result = {};
-	for (const [key, value] of params.entries()) result[key] = value;
-	return result;
+const getFormPostParams = async (ctx) => {
+  if (ctx.req.method !== "POST") return null;
+  const contentType = typeof ctx.req.headers["content-type"] === "string" ? ctx.req.headers["content-type"] : "";
+  if (!contentType.includes("application/x-www-form-urlencoded")) return null;
+  const body = await readTextBody(ctx.req);
+  const params = new URLSearchParams(body);
+  const result = {};
+  for (const [key, value] of params.entries()) {
+    result[key] = value;
+  }
+  return result;
 };
-var resolveProviderId = (ctx, providerIdOverride) => (providerIdOverride ?? String(ctx.req.params?.provider ?? "")).trim();
-var RESERVED_AUTH_PARAM_KEYS = new Set([
-	"__proto__",
-	"prototype",
-	"constructor"
-]);
-var normalizeAuthorizationParams = (value) => {
-	if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
-	const result = {};
-	for (const [keyRaw, valueRaw] of Object.entries(value)) {
-		const key = keyRaw.trim();
-		if (!key) continue;
-		if (RESERVED_AUTH_PARAM_KEYS.has(key)) continue;
-		const val = typeof valueRaw === "string" ? valueRaw.trim() : "";
-		if (!val) continue;
-		result[key] = val;
-	}
-	return Object.keys(result).length ? result : void 0;
+const resolveProviderId = (ctx, providerIdOverride) => (providerIdOverride ?? String(ctx.req.params?.provider ?? "")).trim();
+const RESERVED_AUTH_PARAM_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+const normalizeAuthorizationParams = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+  const result = {};
+  for (const [keyRaw, valueRaw] of Object.entries(value)) {
+    const key = keyRaw.trim();
+    if (!key) continue;
+    if (RESERVED_AUTH_PARAM_KEYS.has(key)) continue;
+    const val = typeof valueRaw === "string" ? valueRaw.trim() : "";
+    if (!val) continue;
+    result[key] = val;
+  }
+  return Object.keys(result).length ? result : void 0;
 };
-var getOAuthStartRedirectUrl = async ({ ctx, providerId: providerIdOverride, returnTo, authorizationParams }) => {
-	const providerId = resolveProviderId(ctx, providerIdOverride);
-	if (!providerId) return {
-		success: false,
-		error: "missing_provider",
-		statusCode: 400
-	};
-	if (!isSafeOAuthProviderId(providerId)) return {
-		success: false,
-		error: "invalid_provider",
-		statusCode: 400
-	};
-	const provider = getOAuthProviderConfig(providerId);
-	if (!provider) return {
-		success: false,
-		error: "unknown_provider",
-		statusCode: 404
-	};
-	const origin = getRequestOrigin(ctx);
-	if (!origin) return {
-		success: false,
-		error: "origin_unavailable",
-		statusCode: 500
-	};
-	const isHttps = origin.startsWith("https://");
-	const callbackPath = resolveCallbackPath(provider.callbackPath);
-	if (!callbackPath) return {
-		success: false,
-		error: "invalid_callback_path",
-		statusCode: 500
-	};
-	const state = crypto.randomBytes(16).toString("hex");
-	const { verifier, challenge } = generatePkcePair();
-	const safeReturnTo = typeof returnTo === "string" && isSafeRedirectPath(returnTo) ? returnTo : void 0;
-	try {
-		const OAuthRequest = await models.getGlobal("RBOAuthRequest", ctx);
-		const now = /* @__PURE__ */ new Date();
-		await OAuthRequest.create({
-			_id: state,
-			providerId,
-			codeVerifier: verifier,
-			returnTo: safeReturnTo,
-			createdAt: now,
-			expiresAt: new Date(now.getTime() + OAUTH_REQUEST_TTL_MS)
-		});
-	} catch (err) {
-		console.warn("oauth::failed_to_store_request", err);
-		return {
-			success: false,
-			error: "oauth_request_store_failed",
-			statusCode: 500
-		};
-	}
-	try {
-		ctx.res.cookie(OAUTH_STATE_COOKIE_NAME, `${providerId}:${state}`, {
-			httpOnly: true,
-			secure: isHttps,
-			sameSite: isHttps ? "none" : "lax",
-			path: callbackPath,
-			maxAge: OAUTH_REQUEST_TTL_MS
-		});
-	} catch (err) {
-		console.warn("oauth::failed_to_set_state_cookie", err);
-		return {
-			success: false,
-			error: "oauth_cookie_set_failed",
-			statusCode: 500
-		};
-	}
-	const oidc = await getOidcWellKnown(provider.issuer);
-	const redirectUri = `${origin}${callbackPath}`;
-	const url = new URL(oidc.authorization_endpoint);
-	url.searchParams.set("client_id", provider.clientId);
-	url.searchParams.set("redirect_uri", redirectUri);
-	url.searchParams.set("response_type", "code");
-	url.searchParams.set("scope", provider.scope);
-	url.searchParams.set("state", state);
-	url.searchParams.set("code_challenge", challenge);
-	url.searchParams.set("code_challenge_method", "S256");
-	const extraAuthorizationParams = normalizeAuthorizationParams(authorizationParams);
-	for (const [key, value] of Object.entries(extraAuthorizationParams ?? {})) {
-		if (url.searchParams.has(key)) continue;
-		url.searchParams.set(key, value);
-	}
-	return {
-		success: true,
-		redirectUrl: url.toString()
-	};
+const getOAuthStartRedirectUrl = async ({
+  ctx,
+  providerId: providerIdOverride,
+  returnTo,
+  authorizationParams
+}) => {
+  const providerId = resolveProviderId(ctx, providerIdOverride);
+  if (!providerId) {
+    return {
+      success: false,
+      error: "missing_provider",
+      statusCode: 400
+    };
+  }
+  if (!isSafeOAuthProviderId(providerId)) {
+    return {
+      success: false,
+      error: "invalid_provider",
+      statusCode: 400
+    };
+  }
+  const provider = getOAuthProviderConfig(providerId);
+  if (!provider) {
+    return {
+      success: false,
+      error: "unknown_provider",
+      statusCode: 404
+    };
+  }
+  const origin = getRequestOrigin(ctx);
+  if (!origin) {
+    return {
+      success: false,
+      error: "origin_unavailable",
+      statusCode: 500
+    };
+  }
+  const isHttps = origin.startsWith("https://");
+  const callbackPath = resolveCallbackPath(provider.callbackPath);
+  if (!callbackPath) {
+    return {
+      success: false,
+      error: "invalid_callback_path",
+      statusCode: 500
+    };
+  }
+  const state = crypto.randomBytes(16).toString("hex");
+  const {
+    verifier,
+    challenge
+  } = generatePkcePair();
+  const safeReturnTo = typeof returnTo === "string" && isSafeRedirectPath(returnTo) ? returnTo : void 0;
+  try {
+    const OAuthRequest = await models.getGlobal("RBOAuthRequest", ctx);
+    const now = /* @__PURE__ */ new Date();
+    await OAuthRequest.create({
+      _id: state,
+      providerId,
+      codeVerifier: verifier,
+      returnTo: safeReturnTo,
+      createdAt: now,
+      expiresAt: new Date(now.getTime() + OAUTH_REQUEST_TTL_MS)
+    });
+  } catch (err) {
+    console.warn("oauth::failed_to_store_request", err);
+    return {
+      success: false,
+      error: "oauth_request_store_failed",
+      statusCode: 500
+    };
+  }
+  try {
+    ctx.res.cookie(OAUTH_STATE_COOKIE_NAME, `${providerId}:${state}`, {
+      httpOnly: true,
+      secure: isHttps,
+      sameSite: isHttps ? "none" : "lax",
+      path: callbackPath,
+      maxAge: OAUTH_REQUEST_TTL_MS
+    });
+  } catch (err) {
+    console.warn("oauth::failed_to_set_state_cookie", err);
+    return {
+      success: false,
+      error: "oauth_cookie_set_failed",
+      statusCode: 500
+    };
+  }
+  const oidc = await getOidcWellKnown(provider.issuer);
+  const redirectUri = `${origin}${callbackPath}`;
+  const url = new URL(oidc.authorization_endpoint);
+  url.searchParams.set("client_id", provider.clientId);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", provider.scope);
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  const extraAuthorizationParams = normalizeAuthorizationParams(authorizationParams);
+  for (const [key, value] of Object.entries(extraAuthorizationParams ?? {})) {
+    if (url.searchParams.has(key)) continue;
+    url.searchParams.set(key, value);
+  }
+  return {
+    success: true,
+    redirectUrl: url.toString()
+  };
 };
-var OAUTH_SUCCESS_REDIRECT_PATH = "/onboarding";
-var AUTH_ERROR_REDIRECT_BASE = "/auth/sign-in";
-var processOAuthCallback = async ({ ctx, providerId: providerIdOverride, createUserOnFirstSignIn, missingUserRedirectPath, successRedirectPath }) => {
-	const providerId = resolveProviderId(ctx, providerIdOverride);
-	if (!providerId) return {
-		success: false,
-		type: "error",
-		error: "missing_provider",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_provider`
-	};
-	if (!isSafeOAuthProviderId(providerId)) return {
-		success: false,
-		type: "error",
-		error: "invalid_provider",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_provider`
-	};
-	const provider = getOAuthProviderConfig(providerId);
-	if (!provider) return {
-		success: false,
-		type: "error",
-		error: "unknown_provider",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=unknown_provider`
-	};
-	const origin = getRequestOrigin(ctx);
-	if (!origin) return {
-		success: false,
-		type: "error",
-		error: "origin_unavailable",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=origin_unavailable`
-	};
-	const isHttps = origin.startsWith("https://");
-	const callbackPath = resolveCallbackPath(provider.callbackPath);
-	if (!callbackPath) return {
-		success: false,
-		type: "error",
-		error: "invalid_callback_path",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_callback_path`
-	};
-	const bodyParams = await getFormPostParams(ctx);
-	const code = (getQueryString(bodyParams?.code) ?? getQueryString(ctx.req.query?.code))?.trim() ?? "";
-	const state = (getQueryString(bodyParams?.state) ?? getQueryString(ctx.req.query?.state))?.trim() ?? "";
-	const oauthUserRaw = (getQueryString(bodyParams?.user) ?? getQueryString(ctx.req.query?.user))?.trim() ?? "";
-	if (!code || !state) return {
-		success: false,
-		type: "error",
-		error: "missing_code_or_state",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_or_state`
-	};
-	if (getCookieValue(ctx, OAUTH_STATE_COOKIE_NAME) !== `${providerId}:${state}`) return {
-		success: false,
-		type: "error",
-		error: "invalid_state",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
-	};
-	let oauthRequest = null;
-	let OAuthRequestModel = null;
-	try {
-		OAuthRequestModel = await models.getGlobal("RBOAuthRequest", ctx);
-		oauthRequest = await OAuthRequestModel.findOne({
-			_id: state,
-			providerId
-		}).lean();
-	} catch (err) {
-		console.warn("oauth::failed_to_load_request", err);
-		return {
-			success: false,
-			type: "error",
-			error: "oauth_request_load_failed",
-			redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=oauth_request_load_failed`
-		};
-	}
-	if (!oauthRequest) return {
-		success: false,
-		type: "error",
-		error: "invalid_state",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
-	};
-	const returnTo = typeof oauthRequest.returnTo === "string" ? oauthRequest.returnTo : void 0;
-	const codeVerifier = typeof oauthRequest.codeVerifier === "string" ? oauthRequest.codeVerifier : "";
-	if (!codeVerifier) return {
-		success: false,
-		type: "error",
-		error: "missing_code_verifier",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_verifier`
-	};
-	const oidc = await getOidcWellKnown(provider.issuer);
-	const redirectUri = `${origin}${callbackPath}`;
-	const tokenBody = new URLSearchParams();
-	tokenBody.set("grant_type", "authorization_code");
-	tokenBody.set("code", code);
-	tokenBody.set("redirect_uri", redirectUri);
-	tokenBody.set("client_id", provider.clientId);
-	tokenBody.set("code_verifier", codeVerifier);
-	if (provider.clientSecret) tokenBody.set("client_secret", provider.clientSecret);
-	const tokenResponse = await fetch(oidc.token_endpoint, {
-		method: "POST",
-		headers: {
-			"Content-Type": "application/x-www-form-urlencoded",
-			Accept: "application/json"
-		},
-		body: tokenBody.toString()
-	});
-	const tokenJson = await tokenResponse.json().catch(() => null);
-	if (!tokenResponse.ok || !tokenJson || typeof tokenJson !== "object") {
-		const body = tokenJson ? JSON.stringify(tokenJson) : "";
-		console.warn("oauth::token_exchange failed", tokenResponse.status, body);
-		return {
-			success: false,
-			type: "error",
-			error: "token_exchange_failed",
-			redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=token_exchange_failed`
-		};
-	}
-	const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : "";
-	const refreshToken = typeof tokenJson.refresh_token === "string" ? tokenJson.refresh_token : void 0;
-	const idToken = typeof tokenJson.id_token === "string" ? tokenJson.id_token : void 0;
-	const scope = typeof tokenJson.scope === "string" ? tokenJson.scope : void 0;
-	const tokenType = typeof tokenJson.token_type === "string" ? tokenJson.token_type : void 0;
-	const expiresIn = typeof tokenJson.expires_in === "number" ? tokenJson.expires_in : typeof tokenJson.expires_in === "string" ? Number(tokenJson.expires_in) : void 0;
-	const expiresInSeconds = typeof expiresIn === "number" && Number.isFinite(expiresIn) ? expiresIn : null;
-	const expiresAt = expiresInSeconds !== null ? new Date(Date.now() + expiresInSeconds * 1e3) : void 0;
-	let userInfo = null;
-	if (oidc.userinfo_endpoint && accessToken) {
-		const userInfoResponse = await fetch(oidc.userinfo_endpoint, { headers: {
-			Authorization: `Bearer ${accessToken}`,
-			Accept: "application/json"
-		} });
-		if (userInfoResponse.ok) userInfo = await userInfoResponse.json().catch(() => null);
-	}
-	const idTokenPayload = idToken ? decodeJwtPayload(idToken) : null;
-	const accessTokenPayload = decodeJwtPayload(accessToken);
-	const subject = typeof userInfo?.sub === "string" ? userInfo.sub : typeof idTokenPayload?.sub === "string" ? idTokenPayload.sub : typeof accessTokenPayload?.sub === "string" ? accessTokenPayload.sub : "";
-	if (!subject) return {
-		success: false,
-		type: "error",
-		error: "missing_subject",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_subject`
-	};
-	const email = typeof userInfo?.email === "string" ? userInfo.email : typeof idTokenPayload?.email === "string" ? idTokenPayload.email : void 0;
-	const name = typeof userInfo?.name === "string" ? userInfo.name : typeof idTokenPayload?.name === "string" ? idTokenPayload.name : void 0;
-	let oauthUser = null;
-	if (oauthUserRaw) try {
-		oauthUser = JSON.parse(oauthUserRaw);
-	} catch {
-		oauthUser = null;
-	}
-	const oauthUserRecord = oauthUser && typeof oauthUser === "object" ? oauthUser : null;
-	const oauthUserEmail = typeof oauthUserRecord?.email === "string" ? oauthUserRecord.email.trim() : "";
-	const oauthUserNameRecord = oauthUserRecord?.name && typeof oauthUserRecord.name === "object" ? oauthUserRecord.name : null;
-	const oauthUserName = [typeof oauthUserNameRecord?.firstName === "string" ? oauthUserNameRecord.firstName.trim() : "", typeof oauthUserNameRecord?.lastName === "string" ? oauthUserNameRecord.lastName.trim() : ""].filter(Boolean).join(" ").trim();
-	const resolvedEmail = email ?? (oauthUserEmail || void 0);
-	const resolvedName = name ?? (oauthUserName || void 0);
-	const [User, Tenant] = await Promise.all([models.getGlobal("RBUser", ctx), models.getGlobal("RBTenant", ctx)]);
-	const subjectQueryKey = `oauthProviders.${providerId}.subject`;
-	let user = await User.findOne({ [subjectQueryKey]: subject });
-	if (!user && resolvedEmail) user = await User.findOne({ email: resolvedEmail });
-	if (!user && !(createUserOnFirstSignIn ?? true)) {
-		const redirectPath = missingUserRedirectPath;
-		const result = {
-			success: false,
-			type: "missing_user",
-			providerId,
-			subject,
-			email: resolvedEmail,
-			name: resolvedName
-		};
-		if (redirectPath && isSafeRedirectPath(redirectPath)) {
-			const url = new URL(redirectPath, origin);
-			url.searchParams.set("oauth_provider", providerId);
-			if (resolvedEmail) url.searchParams.set("email", resolvedEmail);
-			if (resolvedName) url.searchParams.set("name", resolvedName);
-			result.redirectPath = `${url.pathname}${url.search}`;
-		}
-		return result;
-	}
-	if (!ctx.req.session) return {
-		success: false,
-		type: "error",
-		error: "session_unavailable",
-		redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=session_unavailable`
-	};
-	const now = /* @__PURE__ */ new Date();
-	let providerCreatedAt;
-	const existingProvider = (user?.get("oauthProviders"))?.get(providerId);
-	if (existingProvider?.createdAt instanceof Date) providerCreatedAt = existingProvider.createdAt;
-	const oauthProviderPayload = {
-		subject,
-		email: resolvedEmail,
-		name: resolvedName,
-		accessToken,
-		refreshToken,
-		idToken,
-		scope,
-		tokenType,
-		expiresAt,
-		rawUserInfo: userInfo ?? void 0,
-		createdAt: providerCreatedAt ?? now,
-		updatedAt: now
-	};
-	if (!user) {
-		const tenantId = crypto.randomUUID();
-		user = new User({
-			email: resolvedEmail,
-			name: resolvedName,
-			password: await hashPasswordForStorage(crypto.randomBytes(32).toString("hex")),
-			tenants: [tenantId],
-			tenantRoles: { [tenantId]: ["owner"] },
-			oauthProviders: { [providerId]: oauthProviderPayload }
-		});
-		await user.save();
-		try {
-			await Tenant.create({
-				tenantId,
-				name: resolvedEmail || subject
-			});
-		} catch (err) {
-			console.warn("oauth::failed_to_create_tenant", err);
-		}
-	} else {
-		const setFields = { [`oauthProviders.${providerId}`]: oauthProviderPayload };
-		if (!user.email && resolvedEmail) setFields.email = resolvedEmail;
-		if (!user.name && resolvedName) setFields.name = resolvedName;
-		await User.updateOne({ _id: user._id }, { $set: setFields });
-	}
-	const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
-	const signedInTenants = (user.tenants || []).map(String);
-	const tenantRolesMap = user.get("tenantRoles");
-	const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
-	ctx.req.session.user = {
-		id: user._id.toString(),
-		currentTenantId: tenantId,
-		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
-		isEntryGateAuthorized: true,
-		tenantRoles
-	};
-	try {
-		if (OAuthRequestModel) await OAuthRequestModel.deleteOne({
-			_id: state,
-			providerId
-		});
-	} catch (err) {
-		console.warn("oauth::failed_to_delete_request", err);
-	}
-	try {
-		ctx.res.clearCookie(OAUTH_STATE_COOKIE_NAME, {
-			httpOnly: true,
-			secure: isHttps,
-			sameSite: isHttps ? "none" : "lax",
-			path: callbackPath
-		});
-	} catch (err) {
-		console.warn("oauth::failed_to_clear_state_cookie", err);
-	}
-	return {
-		success: true,
-		type: "signed_in",
-		redirectPath: returnTo && isSafeRedirectPath(returnTo) ? returnTo : successRedirectPath && isSafeRedirectPath(successRedirectPath) ? successRedirectPath : OAUTH_SUCCESS_REDIRECT_PATH,
-		userId: user._id.toString(),
-		tenantId,
-		signedInTenants: signedInTenants.length ? signedInTenants : [tenantId]
-	};
+const OAUTH_SUCCESS_REDIRECT_PATH = "/onboarding";
+const AUTH_ERROR_REDIRECT_BASE = "/auth/sign-in";
+const processOAuthCallback = async ({
+  ctx,
+  providerId: providerIdOverride,
+  createUserOnFirstSignIn,
+  missingUserRedirectPath,
+  successRedirectPath
+}) => {
+  const providerId = resolveProviderId(ctx, providerIdOverride);
+  if (!providerId) {
+    return {
+      success: false,
+      type: "error",
+      error: "missing_provider",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_provider`
+    };
+  }
+  if (!isSafeOAuthProviderId(providerId)) {
+    return {
+      success: false,
+      type: "error",
+      error: "invalid_provider",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_provider`
+    };
+  }
+  const provider = getOAuthProviderConfig(providerId);
+  if (!provider) {
+    return {
+      success: false,
+      type: "error",
+      error: "unknown_provider",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=unknown_provider`
+    };
+  }
+  const origin = getRequestOrigin(ctx);
+  if (!origin) {
+    return {
+      success: false,
+      type: "error",
+      error: "origin_unavailable",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=origin_unavailable`
+    };
+  }
+  const isHttps = origin.startsWith("https://");
+  const callbackPath = resolveCallbackPath(provider.callbackPath);
+  if (!callbackPath) {
+    return {
+      success: false,
+      type: "error",
+      error: "invalid_callback_path",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_callback_path`
+    };
+  }
+  const bodyParams = await getFormPostParams(ctx);
+  const code = (getQueryString(bodyParams?.code) ?? getQueryString(ctx.req.query?.code))?.trim() ?? "";
+  const state = (getQueryString(bodyParams?.state) ?? getQueryString(ctx.req.query?.state))?.trim() ?? "";
+  const oauthUserRaw = (getQueryString(bodyParams?.user) ?? getQueryString(ctx.req.query?.user))?.trim() ?? "";
+  if (!code || !state) {
+    return {
+      success: false,
+      type: "error",
+      error: "missing_code_or_state",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_or_state`
+    };
+  }
+  const stateCookieValue = getCookieValue(ctx, OAUTH_STATE_COOKIE_NAME);
+  if (stateCookieValue !== `${providerId}:${state}`) {
+    return {
+      success: false,
+      type: "error",
+      error: "invalid_state",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
+    };
+  }
+  let oauthRequest = null;
+  let OAuthRequestModel = null;
+  try {
+    OAuthRequestModel = await models.getGlobal("RBOAuthRequest", ctx);
+    oauthRequest = await OAuthRequestModel.findOne({
+      _id: state,
+      providerId
+    }).lean();
+  } catch (err) {
+    console.warn("oauth::failed_to_load_request", err);
+    return {
+      success: false,
+      type: "error",
+      error: "oauth_request_load_failed",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=oauth_request_load_failed`
+    };
+  }
+  if (!oauthRequest) {
+    return {
+      success: false,
+      type: "error",
+      error: "invalid_state",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state`
+    };
+  }
+  const returnTo = typeof oauthRequest.returnTo === "string" ? oauthRequest.returnTo : void 0;
+  const codeVerifier = typeof oauthRequest.codeVerifier === "string" ? oauthRequest.codeVerifier : "";
+  if (!codeVerifier) {
+    return {
+      success: false,
+      type: "error",
+      error: "missing_code_verifier",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_verifier`
+    };
+  }
+  const oidc = await getOidcWellKnown(provider.issuer);
+  const redirectUri = `${origin}${callbackPath}`;
+  const tokenBody = new URLSearchParams();
+  tokenBody.set("grant_type", "authorization_code");
+  tokenBody.set("code", code);
+  tokenBody.set("redirect_uri", redirectUri);
+  tokenBody.set("client_id", provider.clientId);
+  tokenBody.set("code_verifier", codeVerifier);
+  if (provider.clientSecret) {
+    tokenBody.set("client_secret", provider.clientSecret);
+  }
+  const tokenResponse = await fetch(oidc.token_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: tokenBody.toString()
+  });
+  const tokenJson = await tokenResponse.json().catch(() => null);
+  if (!tokenResponse.ok || !tokenJson || typeof tokenJson !== "object") {
+    const body = tokenJson ? JSON.stringify(tokenJson) : "";
+    console.warn("oauth::token_exchange failed", tokenResponse.status, body);
+    return {
+      success: false,
+      type: "error",
+      error: "token_exchange_failed",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=token_exchange_failed`
+    };
+  }
+  const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : "";
+  const refreshToken = typeof tokenJson.refresh_token === "string" ? tokenJson.refresh_token : void 0;
+  const idToken = typeof tokenJson.id_token === "string" ? tokenJson.id_token : void 0;
+  const scope = typeof tokenJson.scope === "string" ? tokenJson.scope : void 0;
+  const tokenType = typeof tokenJson.token_type === "string" ? tokenJson.token_type : void 0;
+  const expiresIn = typeof tokenJson.expires_in === "number" ? tokenJson.expires_in : typeof tokenJson.expires_in === "string" ? Number(tokenJson.expires_in) : void 0;
+  const expiresInSeconds = typeof expiresIn === "number" && Number.isFinite(expiresIn) ? expiresIn : null;
+  const expiresAt = expiresInSeconds !== null ? new Date(Date.now() + expiresInSeconds * 1e3) : void 0;
+  let userInfo = null;
+  if (oidc.userinfo_endpoint && accessToken) {
+    const userInfoResponse = await fetch(oidc.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
+      }
+    });
+    if (userInfoResponse.ok) {
+      userInfo = await userInfoResponse.json().catch(() => null);
+    }
+  }
+  const idTokenPayload = idToken ? decodeJwtPayload(idToken) : null;
+  const accessTokenPayload = decodeJwtPayload(accessToken);
+  const subject = typeof userInfo?.sub === "string" ? userInfo.sub : typeof idTokenPayload?.sub === "string" ? idTokenPayload.sub : typeof accessTokenPayload?.sub === "string" ? accessTokenPayload.sub : "";
+  if (!subject) {
+    return {
+      success: false,
+      type: "error",
+      error: "missing_subject",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_subject`
+    };
+  }
+  const email = typeof userInfo?.email === "string" ? userInfo.email : typeof idTokenPayload?.email === "string" ? idTokenPayload.email : void 0;
+  const name = typeof userInfo?.name === "string" ? userInfo.name : typeof idTokenPayload?.name === "string" ? idTokenPayload.name : void 0;
+  let oauthUser = null;
+  if (oauthUserRaw) {
+    try {
+      oauthUser = JSON.parse(oauthUserRaw);
+    } catch {
+      oauthUser = null;
+    }
+  }
+  const oauthUserRecord = oauthUser && typeof oauthUser === "object" ? oauthUser : null;
+  const oauthUserEmail = typeof oauthUserRecord?.email === "string" ? oauthUserRecord.email.trim() : "";
+  const oauthUserNameRecord = oauthUserRecord?.name && typeof oauthUserRecord.name === "object" ? oauthUserRecord.name : null;
+  const oauthUserNameFirst = typeof oauthUserNameRecord?.firstName === "string" ? oauthUserNameRecord.firstName.trim() : "";
+  const oauthUserNameLast = typeof oauthUserNameRecord?.lastName === "string" ? oauthUserNameRecord.lastName.trim() : "";
+  const oauthUserName = [oauthUserNameFirst, oauthUserNameLast].filter(Boolean).join(" ").trim();
+  const resolvedEmail = email ?? (oauthUserEmail || void 0);
+  const resolvedName = name ?? (oauthUserName || void 0);
+  const [User, Tenant] = await Promise.all([models.getGlobal("RBUser", ctx), models.getGlobal("RBTenant", ctx)]);
+  const subjectQueryKey = `oauthProviders.${providerId}.subject`;
+  let user = await User.findOne({
+    [subjectQueryKey]: subject
+  });
+  if (!user && resolvedEmail) {
+    user = await User.findOne({
+      email: resolvedEmail
+    });
+  }
+  const shouldCreateUser = createUserOnFirstSignIn ?? true;
+  if (!user && !shouldCreateUser) {
+    const redirectPath2 = missingUserRedirectPath;
+    const result = {
+      success: false,
+      type: "missing_user",
+      providerId,
+      subject,
+      email: resolvedEmail,
+      name: resolvedName
+    };
+    if (redirectPath2 && isSafeRedirectPath(redirectPath2)) {
+      const url = new URL(redirectPath2, origin);
+      url.searchParams.set("oauth_provider", providerId);
+      if (resolvedEmail) url.searchParams.set("email", resolvedEmail);
+      if (resolvedName) url.searchParams.set("name", resolvedName);
+      result.redirectPath = `${url.pathname}${url.search}`;
+    }
+    return result;
+  }
+  if (!ctx.req.session) {
+    return {
+      success: false,
+      type: "error",
+      error: "session_unavailable",
+      redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=session_unavailable`
+    };
+  }
+  const now = /* @__PURE__ */ new Date();
+  let providerCreatedAt;
+  const oauthProviders = user?.get("oauthProviders");
+  const existingProvider = oauthProviders?.get(providerId);
+  if (existingProvider?.createdAt instanceof Date) {
+    providerCreatedAt = existingProvider.createdAt;
+  }
+  const oauthProviderPayload = {
+    subject,
+    email: resolvedEmail,
+    name: resolvedName,
+    accessToken,
+    refreshToken,
+    idToken,
+    scope,
+    tokenType,
+    expiresAt,
+    rawUserInfo: userInfo ?? void 0,
+    createdAt: providerCreatedAt ?? now,
+    updatedAt: now
+  };
+  if (!user) {
+    const tenantId2 = crypto.randomUUID();
+    const password = await hashPasswordForStorage(crypto.randomBytes(32).toString("hex"));
+    user = new User({
+      email: resolvedEmail,
+      name: resolvedName,
+      password,
+      tenants: [tenantId2],
+      tenantRoles: {
+        [tenantId2]: ["owner"]
+      },
+      oauthProviders: {
+        [providerId]: oauthProviderPayload
+      }
+    });
+    await user.save();
+    try {
+      await Tenant.create({
+        tenantId: tenantId2,
+        name: resolvedEmail || subject
+      });
+    } catch (err) {
+      console.warn("oauth::failed_to_create_tenant", err);
+    }
+  } else {
+    const setFields = {
+      [`oauthProviders.${providerId}`]: oauthProviderPayload
+    };
+    if (!user.email && resolvedEmail) {
+      setFields.email = resolvedEmail;
+    }
+    if (!user.name && resolvedName) {
+      setFields.name = resolvedName;
+    }
+    await User.updateOne({
+      _id: user._id
+    }, {
+      $set: setFields
+    });
+  }
+  const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
+  const signedInTenants = (user.tenants || []).map(String);
+  const tenantRolesMap = user.get("tenantRoles");
+  const tenantRoles = tenantRolesMap ? Object.fromEntries(tenantRolesMap.entries()) : void 0;
+  ctx.req.session.user = {
+    id: user._id.toString(),
+    currentTenantId: tenantId,
+    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
+    isEntryGateAuthorized: true,
+    tenantRoles
+  };
+  try {
+    if (OAuthRequestModel) {
+      await OAuthRequestModel.deleteOne({
+        _id: state,
+        providerId
+      });
+    }
+  } catch (err) {
+    console.warn("oauth::failed_to_delete_request", err);
+  }
+  try {
+    ctx.res.clearCookie(OAUTH_STATE_COOKIE_NAME, {
+      httpOnly: true,
+      secure: isHttps,
+      sameSite: isHttps ? "none" : "lax",
+      path: callbackPath
+    });
+  } catch (err) {
+    console.warn("oauth::failed_to_clear_state_cookie", err);
+  }
+  const redirectPath = returnTo && isSafeRedirectPath(returnTo) ? returnTo : successRedirectPath && isSafeRedirectPath(successRedirectPath) ? successRedirectPath : OAUTH_SUCCESS_REDIRECT_PATH;
+  return {
+    success: true,
+    type: "signed_in",
+    redirectPath,
+    userId: user._id.toString(),
+    tenantId,
+    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId]
+  };
 };
-var createOAuthStartHandler = ({ providerId, getAuthorizationParams } = {}) => async (_payload, ctx) => {
-	const resolvedProviderId = resolveProviderId(ctx, providerId);
-	const providerAuthorizationParams = resolvedProviderId && getAuthorizationParams ? getAuthorizationParams(resolvedProviderId) : void 0;
-	const returnTo = getQueryString(ctx.req.query?.returnTo)?.trim();
-	const result = await getOAuthStartRedirectUrl({
-		ctx,
-		providerId: resolvedProviderId,
-		returnTo,
-		authorizationParams: providerAuthorizationParams
-	});
-	if (!result.success) {
-		ctx.res.status(result.statusCode);
-		return {
-			success: false,
-			error: result.error
-		};
-	}
-	ctx.res.redirect(result.redirectUrl);
-	return { success: true };
+const createOAuthStartHandler = ({
+  providerId,
+  getAuthorizationParams
+} = {}) => async (_payload, ctx) => {
+  const resolvedProviderId = resolveProviderId(ctx, providerId);
+  const providerAuthorizationParams = resolvedProviderId && getAuthorizationParams ? getAuthorizationParams(resolvedProviderId) : void 0;
+  const returnTo = getQueryString(ctx.req.query?.returnTo)?.trim();
+  const result = await getOAuthStartRedirectUrl({
+    ctx,
+    providerId: resolvedProviderId,
+    returnTo,
+    authorizationParams: providerAuthorizationParams
+  });
+  if (!result.success) {
+    ctx.res.status(result.statusCode);
+    return {
+      success: false,
+      error: result.error
+    };
+  }
+  ctx.res.redirect(result.redirectUrl);
+  return {
+    success: true
+  };
 };
-var createOAuthCallbackHandler = ({ providerId, createUserOnFirstSignIn, missingUserRedirectPath, successRedirectPath } = {}) => async (_payload, ctx) => {
-	const result = await processOAuthCallback({
-		ctx,
-		providerId,
-		createUserOnFirstSignIn,
-		missingUserRedirectPath,
-		successRedirectPath
-	});
-	if (result.type === "error") {
-		ctx.res.redirect(result.redirectPath);
-		return {
-			success: false,
-			error: result.error
-		};
-	}
-	if (result.type === "missing_user") {
-		if (result.redirectPath) ctx.res.redirect(result.redirectPath);
-		else ctx.res.redirect("/auth/sign-up");
-		return {
-			success: false,
-			error: "user_not_found"
-		};
-	}
-	ctx.res.redirect(result.redirectPath);
-	return { success: true };
+const createOAuthCallbackHandler = ({
+  providerId,
+  createUserOnFirstSignIn,
+  missingUserRedirectPath,
+  successRedirectPath
+} = {}) => async (_payload, ctx) => {
+  const result = await processOAuthCallback({
+    ctx,
+    providerId,
+    createUserOnFirstSignIn,
+    missingUserRedirectPath,
+    successRedirectPath
+  });
+  if (result.type === "error") {
+    ctx.res.redirect(result.redirectPath);
+    return {
+      success: false,
+      error: result.error
+    };
+  }
+  if (result.type === "missing_user") {
+    if (result.redirectPath) {
+      ctx.res.redirect(result.redirectPath);
+    } else {
+      ctx.res.redirect("/auth/sign-up");
+    }
+    return {
+      success: false,
+      error: "user_not_found"
+    };
+  }
+  ctx.res.redirect(result.redirectPath);
+  return {
+    success: true
+  };
 };
-var base64UrlEncode = (input) => Buffer.from(input).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-var createAppleClientSecret = ({ teamId, clientId, keyId, privateKeyPem, now = /* @__PURE__ */ new Date(), expiresInSeconds = 600 }) => {
-	const teamIdValue = teamId.trim();
-	const clientIdValue = clientId.trim();
-	const keyIdValue = keyId.trim();
-	const privateKeyPemValue = privateKeyPem.trim();
-	if (!teamIdValue) throw new Error("teamId is required");
-	if (!clientIdValue) throw new Error("clientId is required");
-	if (!keyIdValue) throw new Error("keyId is required");
-	if (!privateKeyPemValue) throw new Error("privateKeyPem is required");
-	const nowSeconds = Math.floor(now.getTime() / 1e3);
-	const exp = nowSeconds + Math.max(60, Math.min(Number.isFinite(expiresInSeconds) ? expiresInSeconds : 600, 3600 * 24 * 180));
-	const header = {
-		alg: "ES256",
-		kid: keyIdValue,
-		typ: "JWT"
-	};
-	const payload = {
-		iss: teamIdValue,
-		iat: nowSeconds,
-		exp,
-		aud: "https://appleid.apple.com",
-		sub: clientIdValue
-	};
-	const signingInput = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
-	return `${signingInput}.${base64UrlEncode(crypto.sign("sha256", Buffer.from(signingInput), {
-		key: privateKeyPemValue,
-		dsaEncoding: "ieee-p1363"
-	}))}`;
+const base64UrlEncode = (input) => Buffer.from(input).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+const createAppleClientSecret = ({
+  teamId,
+  clientId,
+  keyId,
+  privateKeyPem,
+  now = /* @__PURE__ */ new Date(),
+  expiresInSeconds = 10 * 60
+}) => {
+  const teamIdValue = teamId.trim();
+  const clientIdValue = clientId.trim();
+  const keyIdValue = keyId.trim();
+  const privateKeyPemValue = privateKeyPem.trim();
+  if (!teamIdValue) throw new Error("teamId is required");
+  if (!clientIdValue) throw new Error("clientId is required");
+  if (!keyIdValue) throw new Error("keyId is required");
+  if (!privateKeyPemValue) throw new Error("privateKeyPem is required");
+  const nowSeconds = Math.floor(now.getTime() / 1e3);
+  const expiresIn = Number.isFinite(expiresInSeconds) ? expiresInSeconds : 10 * 60;
+  const exp = nowSeconds + Math.max(60, Math.min(expiresIn, 60 * 60 * 24 * 180));
+  const header = {
+    alg: "ES256",
+    kid: keyIdValue,
+    typ: "JWT"
+  };
+  const payload = {
+    iss: teamIdValue,
+    iat: nowSeconds,
+    exp,
+    aud: "https://appleid.apple.com",
+    sub: clientIdValue
+  };
+  const signingInput = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
+  const signature = crypto.sign("sha256", Buffer.from(signingInput), {
+    key: privateKeyPemValue,
+    dsaEncoding: "ieee-p1363"
+  });
+  return `${signingInput}.${base64UrlEncode(signature)}`;
 };
-//#endregion
-export { configureOAuthProviders, createAppleClientSecret, createOAuthCallbackHandler, createOAuthStartHandler, getOAuthStartRedirectUrl, processOAuthCallback, setOAuthProviders };
-
-//# sourceMappingURL=index.js.map
+export {
+  configureOAuthProviders,
+  createAppleClientSecret,
+  createOAuthCallbackHandler,
+  createOAuthStartHandler,
+  getOAuthStartRedirectUrl,
+  processOAuthCallback,
+  setOAuthProviders
+};
+//# sourceMappingURL=index.js.map