npm - @rpcbase/auth - Versions diffs - 0.89.0 → 0.91.0 - Mend

@rpcbase/auth 0.89.0 → 0.91.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/README.md +59 -12
package/dist/oauth/config.d.ts +2 -1
package/dist/oauth/config.d.ts.map +1 -1
package/dist/oauth/index.d.ts +5 -0
package/dist/oauth/index.d.ts.map +1 -0
package/dist/oauth/index.js +578 -0
package/dist/oauth/index.js.map +1 -0
package/dist/oauth/lib.d.ts +68 -0
package/dist/oauth/lib.d.ts.map +1 -0
package/dist/routes.d.ts +0 -2
package/dist/routes.d.ts.map +1 -1
package/dist/routes.js +7 -4
package/dist/routes.js.map +1 -1
package/package.json +6 -1
package/dist/api/oauth/callback/handler.d.ts +0 -5
package/dist/api/oauth/callback/handler.d.ts.map +0 -1
package/dist/api/oauth/callback/index.d.ts +0 -10
package/dist/api/oauth/callback/index.d.ts.map +0 -1
package/dist/api/oauth/start/handler.d.ts +0 -5
package/dist/api/oauth/start/handler.d.ts.map +0 -1
package/dist/api/oauth/start/index.d.ts +0 -10
package/dist/api/oauth/start/index.d.ts.map +0 -1
package/dist/handler-BXyRZsH5.js +0 -81
package/dist/handler-BXyRZsH5.js.map +0 -1
package/dist/handler-n7Lp9zg7.js +0 -235
package/dist/handler-n7Lp9zg7.js.map +0 -1
package/dist/providerId-Clk38lTZ.js +0 -59
package/dist/providerId-Clk38lTZ.js.map +0 -1
package/dist/routes-ChxNWaaP.js +0 -56
package/dist/routes-ChxNWaaP.js.map +0 -1

package/dist/oauth/index.js ADDED Viewed

@@ -0,0 +1,578 @@
+import crypto from "crypto";
+import { models } from "@rpcbase/db";
+import { hashPasswordForStorage } from "@rpcbase/server";
+const STORE_KEY = /* @__PURE__ */ Symbol.for("@rpcbase/auth/oauthProviders");
+const getStore = () => {
+  const anyGlobal = globalThis;
+  const existing = anyGlobal[STORE_KEY];
+  if (existing && typeof existing === "object" && existing.providers && typeof existing.providers === "object") {
+    return existing;
+  }
+  const created = { providers: {} };
+  anyGlobal[STORE_KEY] = created;
+  return created;
+};
+const normalizeProviders = (providers) => {
+  const result = {};
+  const isSafeRedirectPath2 = (candidate) => {
+    if (!candidate.startsWith("/")) return false;
+    if (candidate.startsWith("//")) return false;
+    return true;
+  };
+  for (const [providerIdRaw, value] of Object.entries(providers)) {
+    const providerId = providerIdRaw.trim();
+    if (!providerId) continue;
+    const issuer = typeof value?.issuer === "string" ? value.issuer.trim() : "";
+    const clientId = typeof value?.clientId === "string" ? value.clientId.trim() : "";
+    if (!issuer) throw new Error(`oauth provider "${providerId}" missing issuer`);
+    if (!clientId) throw new Error(`oauth provider "${providerId}" missing clientId`);
+    const clientSecret = typeof value?.clientSecret === "string" && value.clientSecret.trim() ? value.clientSecret : void 0;
+    const scope = typeof value?.scope === "string" ? value.scope.trim() : "";
+    if (!scope) throw new Error(`oauth provider "${providerId}" missing scope`);
+    const callbackPath = typeof value?.callbackPath === "string" ? value.callbackPath.trim() : "";
+    if (!callbackPath) throw new Error(`oauth provider "${providerId}" missing callbackPath`);
+    if (!isSafeRedirectPath2(callbackPath)) throw new Error(`oauth provider "${providerId}" has invalid callbackPath`);
+    result[providerId] = {
+      issuer,
+      clientId,
+      clientSecret,
+      scope,
+      callbackPath
+    };
+  }
+  return result;
+};
+const configureOAuthProviders = (providers) => {
+  const store = getStore();
+  const normalized = normalizeProviders(providers);
+  store.providers = { ...store.providers, ...normalized };
+};
+const setOAuthProviders = (providers) => {
+  const store = getStore();
+  store.providers = normalizeProviders(providers);
+};
+const getOAuthProviderConfig = (providerId) => {
+  const store = getStore();
+  return store.providers[providerId] ?? null;
+};
+const decodeBase64Url = (value) => {
+  const padded = value.replace(/-/g, "+").replace(/_/g, "/") + "===".slice((value.length + 3) % 4);
+  return Buffer.from(padded, "base64").toString("utf8");
+};
+const decodeJwtPayload = (token) => {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const json = decodeBase64Url(parts[1]);
+    const parsed = JSON.parse(json);
+    if (!parsed || typeof parsed !== "object") return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+};
+const cache = /* @__PURE__ */ new Map();
+const normalizeIssuer = (raw) => raw.trim().replace(/\/+$/, "");
+const getOidcWellKnown = async (issuerRaw) => {
+  const issuer = normalizeIssuer(issuerRaw);
+  if (!issuer) {
+    throw new Error("OIDC issuer is required");
+  }
+  const existing = cache.get(issuer);
+  if (existing) {
+    return existing;
+  }
+  const loader = (async () => {
+    const url = new URL("/.well-known/openid-configuration", issuer);
+    const response = await fetch(url, { headers: { Accept: "application/json" } });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      throw new Error(`Failed to fetch OIDC discovery document: ${response.status} ${body}`);
+    }
+    const json = await response.json().catch(() => null);
+    if (!json || typeof json !== "object") {
+      throw new Error("Invalid OIDC discovery document");
+    }
+    const authorizationEndpoint = typeof json.authorization_endpoint === "string" ? json.authorization_endpoint : "";
+    const tokenEndpoint = typeof json.token_endpoint === "string" ? json.token_endpoint : "";
+    const issuerValue = typeof json.issuer === "string" ? json.issuer : issuer;
+    const userinfoEndpoint = typeof json.userinfo_endpoint === "string" ? json.userinfo_endpoint : void 0;
+    const jwksUri = typeof json.jwks_uri === "string" ? json.jwks_uri : void 0;
+    if (!authorizationEndpoint || !tokenEndpoint) {
+      throw new Error("OIDC discovery document missing required endpoints");
+    }
+    return {
+      issuer: issuerValue,
+      authorization_endpoint: authorizationEndpoint,
+      token_endpoint: tokenEndpoint,
+      userinfo_endpoint: userinfoEndpoint,
+      jwks_uri: jwksUri
+    };
+  })();
+  cache.set(issuer, loader);
+  try {
+    return await loader;
+  } catch (err) {
+    cache.delete(issuer);
+    throw err;
+  }
+};
+const base64UrlEncode$1 = (input) => input.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+const generatePkcePair = () => {
+  const verifier = base64UrlEncode$1(crypto.randomBytes(32));
+  const challenge = base64UrlEncode$1(crypto.createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+};
+const RESERVED_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+const isSafeOAuthProviderId = (value) => {
+  const providerId = value.trim();
+  if (!providerId) return false;
+  if (providerId.length > 128) return false;
+  if (RESERVED_KEYS.has(providerId)) return false;
+  return /^[a-zA-Z0-9_-]+$/.test(providerId);
+};
+const getQueryString = (value) => {
+  if (typeof value === "string") return value;
+  if (Array.isArray(value) && typeof value[0] === "string") return value[0];
+  return null;
+};
+const isSafeRedirectPath = (candidate) => {
+  if (!candidate.startsWith("/")) return false;
+  if (candidate.startsWith("//")) return false;
+  return true;
+};
+const getRequestOrigin = (ctx) => {
+  const protoHeader = ctx.req.headers["x-forwarded-proto"];
+  const hostHeader = ctx.req.headers["x-forwarded-host"];
+  const protocol = typeof protoHeader === "string" ? protoHeader.split(",")[0].trim() : ctx.req.protocol;
+  const host = typeof hostHeader === "string" ? hostHeader.split(",")[0].trim() : ctx.req.get("host");
+  return protocol && host ? `${protocol}://${host}` : "";
+};
+const resolveCallbackPath = (callbackPath) => {
+  const trimmed = callbackPath.trim();
+  return trimmed && isSafeRedirectPath(trimmed) ? trimmed : null;
+};
+const readTextBody = async (req) => await new Promise((resolve, reject) => {
+  let body = "";
+  if (typeof req.setEncoding === "function") {
+    req.setEncoding("utf8");
+  }
+  req.on("data", (chunk) => {
+    body += chunk;
+    if (body.length > 32768) {
+      reject(new Error("request_body_too_large"));
+    }
+  });
+  req.on("end", () => resolve(body));
+  req.on("error", reject);
+});
+const getFormPostParams = async (ctx) => {
+  if (ctx.req.method !== "POST") return null;
+  const contentType = typeof ctx.req.headers["content-type"] === "string" ? ctx.req.headers["content-type"] : "";
+  if (!contentType.includes("application/x-www-form-urlencoded")) return null;
+  const body = await readTextBody(ctx.req);
+  const params = new URLSearchParams(body);
+  const result = {};
+  for (const [key, value] of params.entries()) {
+    result[key] = value;
+  }
+  return result;
+};
+const resolveProviderId = (ctx, providerIdOverride) => (providerIdOverride ?? String(ctx.req.params?.provider ?? "")).trim();
+const RESERVED_AUTH_PARAM_KEYS = /* @__PURE__ */ new Set(["__proto__", "prototype", "constructor"]);
+const normalizeAuthorizationParams = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+  const result = {};
+  for (const [keyRaw, valueRaw] of Object.entries(value)) {
+    const key = keyRaw.trim();
+    if (!key) continue;
+    if (RESERVED_AUTH_PARAM_KEYS.has(key)) continue;
+    const val = typeof valueRaw === "string" ? valueRaw.trim() : "";
+    if (!val) continue;
+    result[key] = val;
+  }
+  return Object.keys(result).length ? result : void 0;
+};
+const getOAuthStartRedirectUrl = async ({
+  ctx,
+  providerId: providerIdOverride,
+  returnTo,
+  authorizationParams
+}) => {
+  const providerId = resolveProviderId(ctx, providerIdOverride);
+  if (!providerId) {
+    return { success: false, error: "missing_provider", statusCode: 400 };
+  }
+  if (!isSafeOAuthProviderId(providerId)) {
+    return { success: false, error: "invalid_provider", statusCode: 400 };
+  }
+  const provider = getOAuthProviderConfig(providerId);
+  if (!provider) {
+    return { success: false, error: "unknown_provider", statusCode: 404 };
+  }
+  if (!ctx.req.session) {
+    return { success: false, error: "session_unavailable", statusCode: 500 };
+  }
+  const origin = getRequestOrigin(ctx);
+  if (!origin) {
+    return { success: false, error: "origin_unavailable", statusCode: 500 };
+  }
+  const callbackPath = resolveCallbackPath(provider.callbackPath);
+  if (!callbackPath) {
+    return { success: false, error: "invalid_callback_path", statusCode: 500 };
+  }
+  const state = crypto.randomBytes(16).toString("hex");
+  const { verifier, challenge } = generatePkcePair();
+  const sessionAny = ctx.req.session;
+  const rbOauthRaw = sessionAny.rbOauth;
+  if (!rbOauthRaw || typeof rbOauthRaw !== "object" || Array.isArray(rbOauthRaw)) {
+    sessionAny.rbOauth = /* @__PURE__ */ Object.create(null);
+  } else if (Object.getPrototypeOf(rbOauthRaw) !== null) {
+    sessionAny.rbOauth = Object.assign(/* @__PURE__ */ Object.create(null), rbOauthRaw);
+  }
+  const safeReturnTo = typeof returnTo === "string" && isSafeRedirectPath(returnTo) ? returnTo : void 0;
+  sessionAny.rbOauth[providerId] = {
+    state,
+    codeVerifier: verifier,
+    createdAt: Date.now(),
+    returnTo: safeReturnTo
+  };
+  const oidc = await getOidcWellKnown(provider.issuer);
+  const redirectUri = `${origin}${callbackPath}`;
+  const url = new URL(oidc.authorization_endpoint);
+  url.searchParams.set("client_id", provider.clientId);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", provider.scope);
+  url.searchParams.set("state", state);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  const extraAuthorizationParams = normalizeAuthorizationParams(authorizationParams);
+  for (const [key, value] of Object.entries(extraAuthorizationParams ?? {})) {
+    if (url.searchParams.has(key)) continue;
+    url.searchParams.set(key, value);
+  }
+  return { success: true, redirectUrl: url.toString() };
+};
+const OAUTH_SUCCESS_REDIRECT_PATH = "/onboarding";
+const AUTH_ERROR_REDIRECT_BASE = "/auth/sign-in";
+const processOAuthCallback = async ({
+  ctx,
+  providerId: providerIdOverride,
+  createUserOnFirstSignIn,
+  missingUserRedirectPath,
+  successRedirectPath
+}) => {
+  const providerId = resolveProviderId(ctx, providerIdOverride);
+  if (!providerId) {
+    return { success: false, type: "error", error: "missing_provider", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_provider` };
+  }
+  if (!isSafeOAuthProviderId(providerId)) {
+    return { success: false, type: "error", error: "invalid_provider", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_provider` };
+  }
+  const provider = getOAuthProviderConfig(providerId);
+  if (!provider) {
+    return { success: false, type: "error", error: "unknown_provider", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=unknown_provider` };
+  }
+  if (!ctx.req.session) {
+    return { success: false, type: "error", error: "session_unavailable", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=session_unavailable` };
+  }
+  const origin = getRequestOrigin(ctx);
+  if (!origin) {
+    return { success: false, type: "error", error: "origin_unavailable", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=origin_unavailable` };
+  }
+  const callbackPath = resolveCallbackPath(provider.callbackPath);
+  if (!callbackPath) {
+    return { success: false, type: "error", error: "invalid_callback_path", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_callback_path` };
+  }
+  const bodyParams = await getFormPostParams(ctx);
+  const code = (getQueryString(bodyParams?.code) ?? getQueryString(ctx.req.query?.code))?.trim() ?? "";
+  const state = (getQueryString(bodyParams?.state) ?? getQueryString(ctx.req.query?.state))?.trim() ?? "";
+  const oauthUserRaw = (getQueryString(bodyParams?.user) ?? getQueryString(ctx.req.query?.user))?.trim() ?? "";
+  const sessionAny = ctx.req.session;
+  const sessionState = sessionAny.rbOauth?.[providerId];
+  const returnTo = typeof sessionState?.returnTo === "string" ? sessionState.returnTo : void 0;
+  if (!code || !state) {
+    return { success: false, type: "error", error: "missing_code_or_state", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_or_state` };
+  }
+  if (!sessionState || typeof sessionState.state !== "string" || sessionState.state !== state) {
+    return { success: false, type: "error", error: "invalid_state", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=invalid_state` };
+  }
+  const codeVerifier = typeof sessionState.codeVerifier === "string" ? sessionState.codeVerifier : "";
+  if (!codeVerifier) {
+    return { success: false, type: "error", error: "missing_code_verifier", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_code_verifier` };
+  }
+  delete sessionAny.rbOauth?.[providerId];
+  if (sessionAny.rbOauth && Object.keys(sessionAny.rbOauth).length === 0) {
+    delete sessionAny.rbOauth;
+  }
+  const oidc = await getOidcWellKnown(provider.issuer);
+  const redirectUri = `${origin}${callbackPath}`;
+  const tokenBody = new URLSearchParams();
+  tokenBody.set("grant_type", "authorization_code");
+  tokenBody.set("code", code);
+  tokenBody.set("redirect_uri", redirectUri);
+  tokenBody.set("client_id", provider.clientId);
+  tokenBody.set("code_verifier", codeVerifier);
+  if (provider.clientSecret) {
+    tokenBody.set("client_secret", provider.clientSecret);
+  }
+  const tokenResponse = await fetch(oidc.token_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: tokenBody.toString()
+  });
+  const tokenJson = await tokenResponse.json().catch(() => null);
+  if (!tokenResponse.ok || !tokenJson || typeof tokenJson !== "object") {
+    const body = tokenJson ? JSON.stringify(tokenJson) : "";
+    console.warn("oauth::token_exchange failed", tokenResponse.status, body);
+    return { success: false, type: "error", error: "token_exchange_failed", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=token_exchange_failed` };
+  }
+  const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : "";
+  const refreshToken = typeof tokenJson.refresh_token === "string" ? tokenJson.refresh_token : void 0;
+  const idToken = typeof tokenJson.id_token === "string" ? tokenJson.id_token : void 0;
+  const scope = typeof tokenJson.scope === "string" ? tokenJson.scope : void 0;
+  const tokenType = typeof tokenJson.token_type === "string" ? tokenJson.token_type : void 0;
+  const expiresIn = typeof tokenJson.expires_in === "number" ? tokenJson.expires_in : typeof tokenJson.expires_in === "string" ? Number(tokenJson.expires_in) : void 0;
+  const expiresInSeconds = typeof expiresIn === "number" && Number.isFinite(expiresIn) ? expiresIn : null;
+  const expiresAt = expiresInSeconds !== null ? new Date(Date.now() + expiresInSeconds * 1e3) : void 0;
+  let userInfo = null;
+  if (oidc.userinfo_endpoint && accessToken) {
+    const userInfoResponse = await fetch(oidc.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json"
+      }
+    });
+    if (userInfoResponse.ok) {
+      userInfo = await userInfoResponse.json().catch(() => null);
+    }
+  }
+  const idTokenPayload = idToken ? decodeJwtPayload(idToken) : null;
+  const accessTokenPayload = decodeJwtPayload(accessToken);
+  const subject = typeof userInfo?.sub === "string" ? userInfo.sub : typeof idTokenPayload?.sub === "string" ? idTokenPayload.sub : typeof accessTokenPayload?.sub === "string" ? accessTokenPayload.sub : "";
+  if (!subject) {
+    return { success: false, type: "error", error: "missing_subject", redirectPath: `${AUTH_ERROR_REDIRECT_BASE}?error=missing_subject` };
+  }
+  const email = typeof userInfo?.email === "string" ? userInfo.email : typeof idTokenPayload?.email === "string" ? idTokenPayload.email : void 0;
+  const name = typeof userInfo?.name === "string" ? userInfo.name : typeof idTokenPayload?.name === "string" ? idTokenPayload.name : void 0;
+  let oauthUser = null;
+  if (oauthUserRaw) {
+    try {
+      oauthUser = JSON.parse(oauthUserRaw);
+    } catch {
+      oauthUser = null;
+    }
+  }
+  const oauthUserEmail = typeof oauthUser?.email === "string" ? String(oauthUser.email).trim() : "";
+  const oauthUserNameFirst = typeof oauthUser?.name?.firstName === "string" ? String(oauthUser.name.firstName).trim() : "";
+  const oauthUserNameLast = typeof oauthUser?.name?.lastName === "string" ? String(oauthUser.name.lastName).trim() : "";
+  const oauthUserName = [oauthUserNameFirst, oauthUserNameLast].filter(Boolean).join(" ").trim();
+  const resolvedEmail = email ?? (oauthUserEmail || void 0);
+  const resolvedName = name ?? (oauthUserName || void 0);
+  const [User, Tenant] = await Promise.all([
+    models.getGlobal("RBUser", ctx),
+    models.getGlobal("RBTenant", ctx)
+  ]);
+  const subjectQueryKey = `oauthProviders.${providerId}.subject`;
+  let user = await User.findOne({ [subjectQueryKey]: subject });
+  if (!user && resolvedEmail) {
+    user = await User.findOne({ email: resolvedEmail });
+  }
+  const shouldCreateUser = createUserOnFirstSignIn ?? true;
+  if (!user && !shouldCreateUser) {
+    const redirectPath2 = missingUserRedirectPath;
+    const result = {
+      success: false,
+      type: "missing_user",
+      providerId,
+      subject,
+      email: resolvedEmail,
+      name: resolvedName
+    };
+    if (redirectPath2 && isSafeRedirectPath(redirectPath2)) {
+      const url = new URL(redirectPath2, origin);
+      url.searchParams.set("oauth_provider", providerId);
+      if (resolvedEmail) url.searchParams.set("email", resolvedEmail);
+      if (resolvedName) url.searchParams.set("name", resolvedName);
+      result.redirectPath = `${url.pathname}${url.search}`;
+    }
+    return result;
+  }
+  const now = /* @__PURE__ */ new Date();
+  let providerCreatedAt;
+  const oauthProvidersValue = user ? user.oauthProviders : void 0;
+  if (oauthProvidersValue instanceof Map) {
+    const existing = oauthProvidersValue.get(providerId);
+    if (existing?.createdAt instanceof Date) providerCreatedAt = existing.createdAt;
+  } else if (oauthProvidersValue && typeof oauthProvidersValue === "object") {
+    const existing = oauthProvidersValue[providerId];
+    if (existing?.createdAt instanceof Date) providerCreatedAt = existing.createdAt;
+  }
+  const oauthProviderPayload = {
+    subject,
+    email: resolvedEmail,
+    name: resolvedName,
+    accessToken,
+    refreshToken,
+    idToken,
+    scope,
+    tokenType,
+    expiresAt,
+    rawUserInfo: userInfo ?? void 0,
+    createdAt: providerCreatedAt ?? now,
+    updatedAt: now
+  };
+  if (!user) {
+    const tenantId2 = crypto.randomUUID();
+    const password = await hashPasswordForStorage(crypto.randomBytes(32).toString("hex"));
+    user = new User({
+      email: resolvedEmail,
+      name: resolvedName,
+      password,
+      tenants: [tenantId2],
+      tenantRoles: {
+        [tenantId2]: ["owner"]
+      },
+      oauthProviders: {
+        [providerId]: oauthProviderPayload
+      }
+    });
+    await user.save();
+    try {
+      await Tenant.create({
+        tenantId: tenantId2,
+        name: resolvedEmail || subject
+      });
+    } catch (err) {
+      console.warn("oauth::failed_to_create_tenant", err);
+    }
+  } else {
+    const setFields = {
+      [`oauthProviders.${providerId}`]: oauthProviderPayload
+    };
+    if (!user.email && resolvedEmail) {
+      setFields.email = resolvedEmail;
+    }
+    if (!user.name && resolvedName) {
+      setFields.name = resolvedName;
+    }
+    await User.updateOne({ _id: user._id }, { $set: setFields });
+  }
+  const tenantId = user.tenants?.[0]?.toString?.() || "00000000";
+  const signedInTenants = (user.tenants || []).map((t) => t.toString?.() || String(t)) || [tenantId];
+  const tenantRolesRaw = user.tenantRoles;
+  const tenantRoles = tenantRolesRaw instanceof Map ? Object.fromEntries(tenantRolesRaw.entries()) : tenantRolesRaw && typeof tenantRolesRaw === "object" ? tenantRolesRaw : void 0;
+  ctx.req.session.user = {
+    id: user._id.toString(),
+    currentTenantId: tenantId,
+    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId],
+    isEntryGateAuthorized: true,
+    tenantRoles
+  };
+  const redirectPath = returnTo && isSafeRedirectPath(returnTo) ? returnTo : successRedirectPath && isSafeRedirectPath(successRedirectPath) ? successRedirectPath : OAUTH_SUCCESS_REDIRECT_PATH;
+  return {
+    success: true,
+    type: "signed_in",
+    redirectPath,
+    userId: user._id.toString(),
+    tenantId,
+    signedInTenants: signedInTenants.length ? signedInTenants : [tenantId]
+  };
+};
+const createOAuthStartHandler = ({
+  providerId,
+  getAuthorizationParams
+} = {}) => async (_payload, ctx) => {
+  const resolvedProviderId = resolveProviderId(ctx, providerId);
+  const providerAuthorizationParams = resolvedProviderId && getAuthorizationParams ? getAuthorizationParams(resolvedProviderId) : void 0;
+  const returnTo = getQueryString(ctx.req.query?.returnTo)?.trim();
+  const result = await getOAuthStartRedirectUrl({
+    ctx,
+    providerId: resolvedProviderId,
+    returnTo,
+    authorizationParams: providerAuthorizationParams
+  });
+  if (!result.success) {
+    ctx.res.status(result.statusCode);
+    return { success: false, error: result.error };
+  }
+  ctx.res.redirect(result.redirectUrl);
+  return { success: true };
+};
+const createOAuthCallbackHandler = ({
+  providerId,
+  createUserOnFirstSignIn,
+  missingUserRedirectPath,
+  successRedirectPath
+} = {}) => async (_payload, ctx) => {
+  const result = await processOAuthCallback({
+    ctx,
+    providerId,
+    createUserOnFirstSignIn,
+    missingUserRedirectPath,
+    successRedirectPath
+  });
+  if (result.type === "error") {
+    ctx.res.redirect(result.redirectPath);
+    return { success: false, error: result.error };
+  }
+  if (result.type === "missing_user") {
+    if (result.redirectPath) {
+      ctx.res.redirect(result.redirectPath);
+    } else {
+      ctx.res.redirect("/auth/sign-up");
+    }
+    return { success: false, error: "user_not_found" };
+  }
+  ctx.res.redirect(result.redirectPath);
+  return { success: true };
+};
+const base64UrlEncode = (input) => Buffer.from(input).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+const createAppleClientSecret = ({
+  teamId,
+  clientId,
+  keyId,
+  privateKeyPem,
+  now = /* @__PURE__ */ new Date(),
+  expiresInSeconds = 10 * 60
+}) => {
+  const teamIdValue = teamId.trim();
+  const clientIdValue = clientId.trim();
+  const keyIdValue = keyId.trim();
+  const privateKeyPemValue = privateKeyPem.trim();
+  if (!teamIdValue) throw new Error("teamId is required");
+  if (!clientIdValue) throw new Error("clientId is required");
+  if (!keyIdValue) throw new Error("keyId is required");
+  if (!privateKeyPemValue) throw new Error("privateKeyPem is required");
+  const nowSeconds = Math.floor(now.getTime() / 1e3);
+  const expiresIn = Number.isFinite(expiresInSeconds) ? expiresInSeconds : 10 * 60;
+  const exp = nowSeconds + Math.max(60, Math.min(expiresIn, 60 * 60 * 24 * 180));
+  const header = { alg: "ES256", kid: keyIdValue, typ: "JWT" };
+  const payload = {
+    iss: teamIdValue,
+    iat: nowSeconds,
+    exp,
+    aud: "https://appleid.apple.com",
+    sub: clientIdValue
+  };
+  const signingInput = `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}`;
+  const signature = crypto.sign("sha256", Buffer.from(signingInput), {
+    key: privateKeyPemValue,
+    dsaEncoding: "ieee-p1363"
+  });
+  return `${signingInput}.${base64UrlEncode(signature)}`;
+};
+export {
+  configureOAuthProviders,
+  createAppleClientSecret,
+  createOAuthCallbackHandler,
+  createOAuthStartHandler,
+  getOAuthStartRedirectUrl,
+  processOAuthCallback,
+  setOAuthProviders
+};
+//# sourceMappingURL=index.js.map