@rttnd/gau 1.4.0-beta.2 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129) hide show
  1. package/dist/{chunk-KG42TKDW.js → chunk-5KEP3AIT.js} +1 -1
  2. package/dist/chunk-5KEP3AIT.js.map +1 -0
  3. package/dist/chunk-H7HMOWU7.js +1 -0
  4. package/dist/chunk-H7HMOWU7.js.map +1 -0
  5. package/dist/client/svelte/index.svelte.d.ts.map +1 -0
  6. package/dist/src/adapters/drizzle/index.d.ts.map +1 -0
  7. package/dist/src/adapters/drizzle/mysql.d.ts.map +1 -0
  8. package/dist/src/adapters/drizzle/pg.d.ts.map +1 -0
  9. package/dist/src/adapters/drizzle/sqlite.d.ts.map +1 -0
  10. package/dist/src/adapters/drizzle/transaction.d.ts.map +1 -0
  11. package/dist/src/adapters/index.d.ts.map +1 -0
  12. package/dist/src/adapters/memory/index.d.ts.map +1 -0
  13. package/dist/src/{src/cli → cli}/index.d.ts.map +1 -1
  14. package/dist/src/client/solid/Protected.d.ts.map +1 -1
  15. package/dist/src/client/solid/index.jsx +13 -7
  16. package/dist/src/client/svelte/index.svelte.js +1 -1
  17. package/dist/src/client/svelte/index.svelte.js.map +1 -1
  18. package/dist/src/core/cookies.d.ts +1 -0
  19. package/dist/src/core/cookies.d.ts.map +1 -1
  20. package/dist/src/core/createAuth.d.ts +69 -14
  21. package/dist/src/core/createAuth.d.ts.map +1 -1
  22. package/dist/src/core/errors.d.ts +4 -60
  23. package/dist/src/core/errors.d.ts.map +1 -1
  24. package/dist/src/core/handler.d.ts.map +1 -1
  25. package/dist/src/core/handlers/callback.d.ts.map +1 -1
  26. package/dist/src/core/handlers/index.js +1 -1
  27. package/dist/src/core/index.d.ts +5 -1
  28. package/dist/src/core/index.d.ts.map +1 -1
  29. package/dist/src/core/index.js +1 -1
  30. package/dist/src/core/templates.d.ts +0 -19
  31. package/dist/src/core/templates.d.ts.map +1 -1
  32. package/dist/src/index.d.ts.map +1 -0
  33. package/dist/src/index.js +1 -1
  34. package/dist/src/jwt/index.js +1 -1
  35. package/dist/src/runtimes/index.d.ts.map +1 -0
  36. package/dist/src/solidstart/index.d.ts.map +1 -0
  37. package/dist/src/solidstart/index.js +1 -1
  38. package/dist/src/solidstart/index.js.map +1 -1
  39. package/dist/src/sveltekit/index.d.ts.map +1 -0
  40. package/dist/src/sveltekit/index.js +1 -1
  41. package/dist/src/sveltekit/index.js.map +1 -1
  42. package/dist/templates-WVHIDNMP.js +1 -0
  43. package/package.json +1 -1
  44. package/dist/chunk-KG42TKDW.js.map +0 -1
  45. package/dist/chunk-QVJADO4S.js +0 -1
  46. package/dist/chunk-QVJADO4S.js.map +0 -1
  47. package/dist/src/client/svelte/index.svelte.d.ts.map +0 -1
  48. package/dist/src/src/adapters/drizzle/index.d.ts.map +0 -1
  49. package/dist/src/src/adapters/drizzle/mysql.d.ts.map +0 -1
  50. package/dist/src/src/adapters/drizzle/pg.d.ts.map +0 -1
  51. package/dist/src/src/adapters/drizzle/sqlite.d.ts.map +0 -1
  52. package/dist/src/src/adapters/drizzle/transaction.d.ts.map +0 -1
  53. package/dist/src/src/adapters/index.d.ts.map +0 -1
  54. package/dist/src/src/adapters/memory/index.d.ts.map +0 -1
  55. package/dist/src/src/client/token.d.ts +0 -11
  56. package/dist/src/src/client/token.d.ts.map +0 -1
  57. package/dist/src/src/core/cookies.d.ts +0 -24
  58. package/dist/src/src/core/cookies.d.ts.map +0 -1
  59. package/dist/src/src/core/createAuth.d.ts +0 -308
  60. package/dist/src/src/core/createAuth.d.ts.map +0 -1
  61. package/dist/src/src/core/errors.d.ts +0 -133
  62. package/dist/src/src/core/errors.d.ts.map +0 -1
  63. package/dist/src/src/core/handler.d.ts +0 -3
  64. package/dist/src/src/core/handler.d.ts.map +0 -1
  65. package/dist/src/src/core/handlers/callback.d.ts +0 -3
  66. package/dist/src/src/core/handlers/callback.d.ts.map +0 -1
  67. package/dist/src/src/core/handlers/cors.d.ts +0 -4
  68. package/dist/src/src/core/handlers/cors.d.ts.map +0 -1
  69. package/dist/src/src/core/handlers/index.d.ts +0 -8
  70. package/dist/src/src/core/handlers/index.d.ts.map +0 -1
  71. package/dist/src/src/core/handlers/link.d.ts +0 -4
  72. package/dist/src/src/core/handlers/link.d.ts.map +0 -1
  73. package/dist/src/src/core/handlers/login.d.ts +0 -4
  74. package/dist/src/src/core/handlers/login.d.ts.map +0 -1
  75. package/dist/src/src/core/handlers/session.d.ts +0 -3
  76. package/dist/src/src/core/handlers/session.d.ts.map +0 -1
  77. package/dist/src/src/core/handlers/token.d.ts +0 -3
  78. package/dist/src/src/core/handlers/token.d.ts.map +0 -1
  79. package/dist/src/src/core/handlers/utils.d.ts +0 -4
  80. package/dist/src/src/core/handlers/utils.d.ts.map +0 -1
  81. package/dist/src/src/core/hooks.d.ts +0 -50
  82. package/dist/src/src/core/hooks.d.ts.map +0 -1
  83. package/dist/src/src/core/index.d.ts +0 -98
  84. package/dist/src/src/core/index.d.ts.map +0 -1
  85. package/dist/src/src/core/templates.d.ts +0 -60
  86. package/dist/src/src/core/templates.d.ts.map +0 -1
  87. package/dist/src/src/core/utils.d.ts +0 -10
  88. package/dist/src/src/core/utils.d.ts.map +0 -1
  89. package/dist/src/src/index.d.ts.map +0 -1
  90. package/dist/src/src/jwt/index.d.ts +0 -2
  91. package/dist/src/src/jwt/index.d.ts.map +0 -1
  92. package/dist/src/src/jwt/jwt.d.ts +0 -48
  93. package/dist/src/src/jwt/jwt.d.ts.map +0 -1
  94. package/dist/src/src/jwt/utils.d.ts +0 -10
  95. package/dist/src/src/jwt/utils.d.ts.map +0 -1
  96. package/dist/src/src/oauth/index.d.ts +0 -52
  97. package/dist/src/src/oauth/index.d.ts.map +0 -1
  98. package/dist/src/src/oauth/providers/discord.d.ts +0 -3
  99. package/dist/src/src/oauth/providers/discord.d.ts.map +0 -1
  100. package/dist/src/src/oauth/providers/facebook.d.ts +0 -3
  101. package/dist/src/src/oauth/providers/facebook.d.ts.map +0 -1
  102. package/dist/src/src/oauth/providers/github.d.ts +0 -3
  103. package/dist/src/src/oauth/providers/github.d.ts.map +0 -1
  104. package/dist/src/src/oauth/providers/google.d.ts +0 -3
  105. package/dist/src/src/oauth/providers/google.d.ts.map +0 -1
  106. package/dist/src/src/oauth/providers/microsoft.d.ts +0 -8
  107. package/dist/src/src/oauth/providers/microsoft.d.ts.map +0 -1
  108. package/dist/src/src/oauth/utils.d.ts +0 -5
  109. package/dist/src/src/oauth/utils.d.ts.map +0 -1
  110. package/dist/src/src/runtimes/index.d.ts.map +0 -1
  111. package/dist/src/src/runtimes/tauri/index.d.ts +0 -8
  112. package/dist/src/src/runtimes/tauri/index.d.ts.map +0 -1
  113. package/dist/src/src/solidstart/index.d.ts.map +0 -1
  114. package/dist/src/src/sveltekit/index.d.ts.map +0 -1
  115. package/dist/templates-GI62CXWR.js +0 -1
  116. /package/dist/{src/client → client}/svelte/index.svelte.d.ts +0 -0
  117. /package/dist/src/{src/adapters → adapters}/drizzle/index.d.ts +0 -0
  118. /package/dist/src/{src/adapters → adapters}/drizzle/mysql.d.ts +0 -0
  119. /package/dist/src/{src/adapters → adapters}/drizzle/pg.d.ts +0 -0
  120. /package/dist/src/{src/adapters → adapters}/drizzle/sqlite.d.ts +0 -0
  121. /package/dist/src/{src/adapters → adapters}/drizzle/transaction.d.ts +0 -0
  122. /package/dist/src/{src/adapters → adapters}/index.d.ts +0 -0
  123. /package/dist/src/{src/adapters → adapters}/memory/index.d.ts +0 -0
  124. /package/dist/src/{src/cli → cli}/index.d.ts +0 -0
  125. /package/dist/src/{src/index.d.ts → index.d.ts} +0 -0
  126. /package/dist/src/{src/runtimes → runtimes}/index.d.ts +0 -0
  127. /package/dist/src/{src/solidstart → solidstart}/index.d.ts +0 -0
  128. /package/dist/src/{src/sveltekit → sveltekit}/index.d.ts +0 -0
  129. /package/dist/{templates-GI62CXWR.js.map → templates-WVHIDNMP.js.map} +0 -0
package/dist/chunk-QVJADO4S.js DELETED
@@ -1 +0,0 @@
1
- import{htmlResponse as e,renderCancelledPage as t,renderSuccessPage as r}from"./chunk-KG42TKDW.js";import{createJWTSignatureMessage as n,encodeJWT as o,JWSRegisteredHeaders as s,JWTRegisteredClaims as i,parseJWT as a}from"@oslojs/jwt";import{parse as c,serialize as l}from"cookie";var d={path:"/",sameSite:"lax",secure:!0,httpOnly:!0};function u(e){const t=new Map;if(e){const r=c(e);for(const e in r)t.set(e,r[e])}return t}var h=class{constructor(e,t){this.requestCookies=e,this.defaultOptions=t}#e=[];get(e){return this.requestCookies.get(e)}set(e,t,r){const n={...this.defaultOptions,...r};this.#e.push([e,t,n])}delete(e,t){this.set(e,"",{...t,expires:new Date(0),maxAge:0})}toHeaders(){const e=new Headers;for(const[t,r,n]of this.#e)e.append("Set-Cookie",l(t,r,n));return e}},f="__gau-csrf-token",p="__gau-session-token",w="__gau-session-strategy",g="__gau-linking-token",A="__gau-pkce-code-verifier",m="__gau-callback-uri",E="__gau-provider-options",y="__gau-client-challenge",I=600;import{serialize as O}from"cookie";function T(e){const t=u(e.headers.get("Cookie")).get(p);if(t)return{token:t,source:"cookie"};const r=e.headers.get("Authorization");return r?.startsWith("Bearer ")?{token:r.substring(7),source:"bearer"}:{}}function k({adapter:e,providers:t,basePath:r="/api/auth",jwt:n={},session:o={},cookies:s={},onOAuthExchange:i,mapExternalProfile:a,onBeforeLinkAccount:c,onAfterLinkAccount:l,trustHosts:u=[],autoLink:h="verifiedEmail",allowDifferentEmails:f=!0,updateUserInfoOnLink:w=!1,roles:g={},cors:A=!0,profiles:m,onError:E,errorRedirect:y}){const{algorithm:I="ES256",secret:k,iss:U,aud:v,ttl:N=604800}=n,_={...d,...s},L=o.strategy??"auto";if("ES256"===I&&void 0!==k&&"string"!=typeof k)throw new z("For ES256, the secret option must be a string.");const S=new Map(t.map(e=>[e.id,e])),R=!1!==A&&{allowedOrigins:(!0===A?"all":A.allowedOrigins)??"all",allowCredentials:(!0===A||A.allowCredentials)??!0,allowedHeaders:(!0===A?void 0:A.allowedHeaders)??["Content-Type","Authorization","Cookie"],allowedMethods:(!0===A?void 0:A.allowedMethods)??["GET","POST","OPTIONS"],exposeHeaders:!0===A?void 0:A.exposeHeaders,maxAge:!0===A?void 0:A.maxAge},D=m??{},C={defaultRole:g.defaultRole??"user",resolveOnCreate:g.resolveOnCreate,adminRoles:g.adminRoles??["admin"],adminUserIds:g.adminUserIds??[]};async function b(e,t={}){return re(e,function(e={}){const t={ttl:e.ttl,iss:e.iss??U,aud:e.aud??v,sub:e.sub};if("HS256"===I)return{algorithm:I,secret:e.secret??k,...t};{if(void 0!==e.secret&&"string"!=typeof e.secret)throw new z("For ES256, the secret option must be a string.");const r=e.secret??k;return{algorithm:I,privateKey:e.privateKey,secret:r,...t}}}(t))}async function H(e,t={}){const r=function(e={}){const t={iss:e.iss??U,aud:e.aud??v};if("HS256"===I)return{algorithm:I,secret:e.secret??k,...t};{if(void 0!==e.secret&&"string"!=typeof e.secret)throw new z("For ES256, the secret option must be a string.");const r=e.secret??k;return{algorithm:I,publicKey:e.publicKey,secret:r,...t}}}(t);try{return await ne(e,r)}catch{return null}}async function x(e,t={},r=N){return b({sub:e,...t},{ttl:r})}async function P(e,t={}){const{data:r={},ttl:n=N}=t,o=await x(e,r,n),s={..._,maxAge:n};return{token:o,cookie:O(p,o,s),cookieName:p,maxAge:n}}return{...e,providerMap:S,basePath:r,cookieOptions:_,jwt:{ttl:N},onOAuthExchange:i,mapExternalProfile:a,onBeforeLinkAccount:c,onAfterLinkAccount:l,signJWT:b,verifyJWT:H,createSession:x,validateSession:async function(t){const r=await H(t);if(!r)return null;const n=await e.getUserAndAccounts(r.sub);if(!n)return null;const{user:o,accounts:s}=n,i=Boolean(o&&(o.role&&C.adminRoles.includes(o.role)||C.adminUserIds.length>0&&C.adminUserIds.includes(o.id)));return{user:o?{...o,isAdmin:i}:null,session:{id:t,...r},accounts:s}},issueSession:P,refreshSession:async function(t,r={}){let n,o;if("string"==typeof t)n=t,o="token";else{const e=T(t);if(!e.token||!e.source)return null;n=e.token,o=e.source}const s=await H(n);if(!s||!s.sub)return null;if(null!=r.threshold&&r.threshold>0&&r.threshold<1){const{iat:e}=s;if(e){if(Math.floor(Date.now()/1e3)-e<(r.ttl??N)*r.threshold)return null}}if(!await e.getUser(s.sub))return null;const{sub:i,iat:a,exp:c,iss:l,aud:d,nbf:u,jti:h,...f}=s;return{...await P(s.sub,{data:f,ttl:r.ttl}),source:o}},getAccessToken:async function(t,r){const n=S.get(r);if(!n)return null;const o=(await e.getAccounts(t)).find(e=>e.provider===r);if(!o||!o.accessToken)return null;const s=Math.floor(Date.now()/1e3);if(!("number"==typeof o.expiresAt&&o.expiresAt<=s))return{accessToken:o.accessToken,expiresAt:o.expiresAt??null};if(!o.refreshToken||!n.refreshAccessToken)return null;try{const r=await n.refreshAccessToken(o.refreshToken,{}),s={userId:t,provider:o.provider,providerAccountId:o.providerAccountId,accessToken:r.accessToken??o.accessToken,refreshToken:r.refreshToken??o.refreshToken,expiresAt:r.expiresAt??null,idToken:r.idToken??o.idToken??null,tokenType:r.tokenType??o.tokenType??null,scope:r.scope??o.scope??null};return await(e.updateAccount?.(s)),{accessToken:s.accessToken,expiresAt:s.expiresAt}}catch{return null}},trustHosts:u,autoLink:h,allowDifferentEmails:f,profiles:D,updateUserInfoOnLink:w,sessionStrategy:L,development:!1,roles:C,cors:R,onError:E,errorRedirect:y}}var U={CSRF_INVALID:"Invalid CSRF token",PKCE_MISSING:"Missing PKCE code verifier",PKCE_CHALLENGE_MISSING:"Missing PKCE challenge",OAUTH_CANCELLED:"Authentication was cancelled",PROVIDER_NOT_FOUND:"Provider not found",AUTHORIZATION_URL_FAILED:"Could not create authorization URL",USER_NOT_FOUND:"User not found",USER_CREATE_FAILED:"Failed to create user",ACCOUNT_ALREADY_LINKED:"Account already linked to another user",ACCOUNT_LINK_FAILED:"Failed to link account",ACCOUNT_NOT_LINKED:"Account not linked",CANNOT_UNLINK_LAST_ACCOUNT:"Cannot unlink the last account",EMAIL_ALREADY_EXISTS:"An account with this email already exists",EMAIL_MISMATCH:"Email mismatch between existing account and provider",LINKING_NOT_ALLOWED:"Linking not allowed",LINK_ONLY_PROVIDER:"Sign-in with this provider is disabled. Please link it to an existing account.",UNAUTHORIZED:"Unauthorized",FORBIDDEN:"Forbidden",SESSION_INVALID:"Invalid session",SESSION_VALIDATION_FAILED:"Failed to validate session",TOKEN_INVALID:"Invalid token",TOKEN_EXPIRED:"Token expired",CODE_VERIFIER_INVALID:"Invalid code verifier",NOT_FOUND:"Not found",METHOD_NOT_ALLOWED:"Method not allowed",INVALID_REQUEST:"Invalid request",INVALID_REDIRECT_URL:"Invalid redirect URL",UNTRUSTED_HOST:"Untrusted redirect host",UNKNOWN_PROFILE:"Unknown profile",INTERNAL_ERROR:"An unexpected error occurred"},v=Object.fromEntries(Object.keys(U).map(e=>[e,e])),N={CSRF_INVALID:403,UNAUTHORIZED:401,FORBIDDEN:403,NOT_FOUND:404,METHOD_NOT_ALLOWED:405,INTERNAL_ERROR:500,USER_CREATE_FAILED:500,ACCOUNT_LINK_FAILED:500,AUTHORIZATION_URL_FAILED:500,SESSION_VALIDATION_FAILED:500,ACCOUNT_ALREADY_LINKED:409,EMAIL_ALREADY_EXISTS:409,LINKING_NOT_ALLOWED:403},_=class extends Error{code;status;redirectUrl;cause;constructor(e,t,r){const n="object"==typeof t?t:r??{};super("string"==typeof t?t:U[e]),this.name="GauError",this.code=e,this.status=n.status??N[e]??400,this.redirectUrl=n.redirectUrl,this.cause=n.cause}toJSON(){return{error:this.message,code:this.code,...this.redirectUrl&&{redirectUrl:this.redirectUrl}}}};function L(e,t){const r=new URL(e,"http://placeholder");return r.searchParams.set("code",t.code),r.searchParams.set("message",t.message),r.searchParams.set("status",String(t.status)),t.redirectUrl&&r.searchParams.set("redirect",t.redirectUrl),r.pathname+r.search}function S(e,t){if("GET"!==e.method)return!1;const r=new URL(e.url).pathname.substring(t.length).split("/").filter(Boolean);return(1!==r.length||"session"!==r[0])&&(1===r.length||2===r.length&&("callback"===r[0]||"link"===r[0]))}async function R(e,t){const{error:r,request:n}=e;if(t.onError)try{const r=await t.onError(e);if(r)return r}catch(e){console.error("onError handler threw:",e)}const o=S(n,t.basePath);if(t.errorRedirect&&o){const e=L(t.errorRedirect,r);return new Response(null,{status:302,headers:{Location:e}})}if(o){const{renderErrorPage:e,htmlResponse:t}=await import("./templates-GI62CXWR.js");return t(e({title:"Authentication Error",message:r.message,code:r.code,redirectUrl:r.redirectUrl}),r.status)}return new Response(JSON.stringify(r.toJSON()),{status:r.status,headers:{"Content-Type":"application/json; charset=utf-8"}})}async function D(e,t){if(e&&"function"==typeof e.onAfterLinkAccount)try{await e.onAfterLinkAccount(t)}catch(e){console.error("onAfterLinkAccount hook error:",e)}}async function C(n,o,s){const i=o.providerMap.get(s);if(!i)throw new _(v.PROVIDER_NOT_FOUND);const a=new URL(n.url),c=a.searchParams.get("code"),l=a.searchParams.get("state"),d=a.searchParams.get("error");if(!c||!l||d){let r="/";if(l&&l.includes("."))try{const e=l.split(".")[1];r=atob(e??"")||"/"}catch{r="/"}const n=t({redirectUrl:r});return e(n)}const w=u(n.headers.get("Cookie")),I=new h(w,o.cookieOptions);let O,T="/";if(l.includes(".")){const[e,t]=l.split(".");O=e;try{T=atob(t??"")||"/"}catch{T="/"}}else O=l;const k=I.get(f);if(!k||k!==O)throw new _(v.CSRF_INVALID,{redirectUrl:T});const U=I.get(A);if(!U)throw new _(v.PKCE_MISSING,{redirectUrl:T});const N=I.get(m),L=I.get(E);let S;if(L)try{const e=atob(L),t=JSON.parse(e);S=t?.overrides}catch{}const R=I.get(g);R&&I.delete(g);const C=!!R;if(C){if(!await o.validateSession(R)){I.delete(f),I.delete(A),N&&I.delete(m),I.delete(E);const e=Q(T);return I.toHeaders().forEach((t,r)=>e.headers.append(r,t)),e}}const{user:b,tokens:H}=await i.validateCallback(c,U,N??void 0,S);{const e=C?await o.validateSession(R):null,t=await async function(e,t){if(!e||"function"!=typeof e.onOAuthExchange)return{handled:!1};try{const r=await e.onOAuthExchange(t);return r&&"object"==typeof r?r:{handled:!1}}catch(e){return console.error("onOAuthExchange hook error:",e),{handled:!1}}}(o,{request:n,providerId:s,state:l,code:c,codeVerifier:U,callbackUri:N,redirectTo:T,cookies:I,providerUser:b,tokens:H,isLinking:C,sessionUserId:e?.user?.id});if(t.handled){I.delete(f),I.delete(A),N&&I.delete(m),I.delete(E);const e=t.response;return I.toHeaders().forEach((t,r)=>e.headers.append(r,t)),e}}const x=await async function(e,t){if(!e||"function"!=typeof e.mapExternalProfile)return t.providerUser;try{const r=await e.mapExternalProfile(t);return r?{...t.providerUser,...r}:t.providerUser}catch(e){return console.error("mapExternalProfile hook error:",e),t.providerUser}}(o,{request:n,providerId:s,providerUser:b,tokens:H,isLinking:C});if(!C&&!0===o.providerMap.get(s)?.linkOnly)throw I.delete(f),I.delete(A),N&&I.delete(m),I.delete(E),new _(v.LINK_ONLY_PROVIDER,{redirectUrl:T});let P=null;const M=await o.getUserByAccount(s,x.id);if(C){if(P=(await o.validateSession(R)).user,!P)throw new _(v.USER_NOT_FOUND,{redirectUrl:T});if(M&&M.id!==P.id)throw new _(v.ACCOUNT_ALREADY_LINKED,{redirectUrl:T});if(!1===o.allowDifferentEmails){const e=P.email,t=x.email;if(e&&t&&e!==t)throw new _(v.EMAIL_MISMATCH,{redirectUrl:T})}if(P){const e={id:P.id};let t=!1;if(o.updateUserInfoOnLink?(x.name&&x.name!==P.name&&(e.name=x.name,t=!0),x.avatar&&x.avatar!==P.image&&(e.image=x.avatar,t=!0)):(!P.name&&x.name&&(e.name=x.name,t=!0),!P.image&&x.avatar&&(e.image=x.avatar,t=!0)),P.email&&x.email&&P.email===x.email&&!0===x.emailVerified&&(!P.emailVerified||o.updateUserInfoOnLink)&&(e.emailVerified=!0,t=!0),t)try{P=await o.updateUser(e)}catch(e){console.error("Failed to update user info on link:",e)}}}else P=M;if(!P){const e=o.autoLink??"verifiedEmail";if(x.email&&("always"===e||"verifiedEmail"===e&&!0===x.emailVerified)){const e=await o.getUserByEmail(x.email);e&&(P=x.emailVerified&&!e.emailVerified?await o.updateUser({id:e.id,emailVerified:!0}):e)}if(!P)try{if(x.email&&!0===x.emailVerified&&!1===o.autoLink){if(await o.getUserByEmail(x.email))throw new _(v.EMAIL_ALREADY_EXISTS,{redirectUrl:T})}let e;try{e=o.roles.resolveOnCreate?.({providerId:s,profile:x,request:n})}catch(e){console.error("roles.resolveOnCreate threw:",e)}const t=!0===x.emailVerified?x.email:null;P=await o.createUser({name:x.name,email:t,image:x.avatar,emailVerified:x.emailVerified,role:e??o.roles.defaultRole})}catch(e){if(e instanceof _)throw e;throw console.error("Failed to create user:",e),new _(v.USER_CREATE_FAILED,{cause:e,redirectUrl:T})}}if(P&&x.email){const{email:e,emailVerified:t}=P,{email:r,emailVerified:n}=x,s={id:P.id};let i=!1;if(e||!0!==n?e!==r||!0!==n||t||(s.emailVerified=!0,i=!0):(s.email=r,s.emailVerified=!0,i=!0),i)try{P=await o.updateUser(s)}catch(e){console.error("Failed to update user after sign-in:",e)}}if(M)try{const e=(await o.getAccounts(P.id)).find(e=>e.provider===s&&e.providerAccountId===x.id);if(e&&o.updateAccount){let t,r,i,a;try{t=H.refreshToken()}catch{t=e.refreshToken??null}try{const e=H.accessTokenExpiresAt();e&&(r=Math.floor(e.getTime()/1e3))}catch{r=e.expiresAt??void 0}try{i=H.idToken()}catch{i=e.idToken??null}try{a=H.scopes()?.join(" ")??e.scope??null}catch{a=e.scope??null}await o.updateAccount({userId:P.id,provider:s,providerAccountId:x.id,accessToken:H.accessToken()??e.accessToken??void 0,refreshToken:t,expiresAt:r??e.expiresAt??void 0,tokenType:H.tokenType?.()??e.tokenType??null,scope:a,idToken:i}),await D(o,{request:n,providerId:s,userId:P.id,providerUser:x,tokens:H,action:"update"})}}catch(e){console.error("Failed to update account tokens on sign-in:",e)}else{let e,t,r;try{e=H.refreshToken()}catch{e=null}try{const e=H.accessTokenExpiresAt();e&&(t=Math.floor(e.getTime()/1e3))}catch{}try{r=H.idToken()}catch{r=null}{const e=await async function(e,t){if(!e||"function"!=typeof e.onBeforeLinkAccount)return{allow:!0};try{return await e.onBeforeLinkAccount(t)||{allow:!0}}catch(e){return console.error("onBeforeLinkAccount hook error:",e),{allow:!0}}}(o,{request:n,providerId:s,userId:P.id,providerUser:x,tokens:H});if(!1===e.allow){const t=e.response??(()=>{throw new _(v.LINKING_NOT_ALLOWED,{redirectUrl:T})})();return I.toHeaders().forEach((e,r)=>t.headers.append(r,e)),t}}try{let i;try{i=H.scopes()?.join(" ")??null}catch{i=null}await o.linkAccount({userId:P.id,provider:s,providerAccountId:x.id,accessToken:H.accessToken(),refreshToken:e,expiresAt:t,tokenType:H.tokenType?.()??null,scope:i,idToken:r}),await D(o,{request:n,providerId:s,userId:P.id,providerUser:x,tokens:H,action:"link"})}catch(e){throw console.error("Error linking account:",e),new _(v.ACCOUNT_LINK_FAILED,{cause:e,redirectUrl:T})}}const F=await o.createSession(P.id),K=new URL(n.url),V=new URL(T,n.url),W="token"===o.sessionStrategy,j="cookie"===o.sessionStrategy,J="http:"!==V.protocol&&"https:"!==V.protocol,B=K.host!==V.host;if(W||!j&&(J||B)){const t=new URL(V),n=I.get(y);if(!n)throw new _(v.PKCE_CHALLENGE_MISSING,{redirectUrl:T});{const e=await o.signJWT({sub:P.id,challenge:n},{ttl:60});t.searchParams.set("code",e)}const s=r({redirectUrl:t.toString()});I.delete(f),I.delete(A),N&&I.delete(m),I.delete(E),I.delete(y);const i=e(s);return I.toHeaders().forEach((e,t)=>{i.headers.append(t,e)}),i}I.set(p,F,{maxAge:o.jwt.ttl,sameSite:o.development?"lax":"none",secure:!o.development}),I.delete(f),I.delete(A),N&&I.delete(m),I.delete(E);let q;if("false"===a.searchParams.get("redirect")){const e=await o.getAccounts(P.id),t=Boolean(P.role&&o.roles.adminRoles.includes(P.role)||o.roles.adminUserIds.includes(P.id));q=X({user:{...P,isAdmin:t,accounts:e}})}else q=Q(T);return I.toHeaders().forEach((e,t)=>{q.headers.append(t,e)}),q}function b(e,t){if(!1===t.cors)return!1;const r=t.cors;if("all"===r.allowedOrigins)return!0;if("trust"===r.allowedOrigins){if("all"===t.trustHosts)return!0;try{const r=new URL(e);return t.trustHosts.includes(r.host)||t.trustHosts.includes(r.hostname)}catch{return!1}}if(r.allowedOrigins.includes("*"))return!0;try{const t=new URL(e);return r.allowedOrigins.includes(e)||r.allowedOrigins.includes(t.origin)||r.allowedOrigins.includes(t.host)||r.allowedOrigins.includes(t.hostname)}catch{return r.allowedOrigins.includes(e)}}function H(e,t,r){if(!1===r.cors)return t;const n=e.headers.get("Origin")||e.headers.get("origin");if(!n)return t;if(!b(n,r))return t;const o=r.cors;t.headers.set("Vary","Origin");const s=o.allowCredentials,i="all"!==o.allowedOrigins||s?n:"*";return t.headers.set("Access-Control-Allow-Origin",i),s&&t.headers.set("Access-Control-Allow-Credentials","true"),t.headers.set("Access-Control-Allow-Headers",o.allowedHeaders.join(", ")),t.headers.set("Access-Control-Allow-Methods",o.allowedMethods.join(", ")),o.exposeHeaders?.length&&t.headers.set("Access-Control-Expose-Headers",o.exposeHeaders.join(", ")),t}function x(e,t){if(!1===t.cors)return new Response(null,{status:204});const r=e.headers.get("Origin")||e.headers.get("origin"),n=t.cors,o={};if(r&&b(r,t)){const e=n.allowCredentials,t="all"!==n.allowedOrigins||e?r:"*";o["Access-Control-Allow-Origin"]=t,e&&(o["Access-Control-Allow-Credentials"]="true")}return o["Access-Control-Allow-Headers"]=n.allowedHeaders.join(", "),o["Access-Control-Allow-Methods"]=n.allowedMethods.join(", "),null!=n.maxAge&&(o["Access-Control-Max-Age"]=String(n.maxAge)),n.exposeHeaders?.length&&(o["Access-Control-Expose-Headers"]=n.exposeHeaders.join(", ")),new Response(null,{status:204,headers:o})}import{generateCodeVerifier as P,generateState as M}from"arctic";function F(e,t,r){if("all"===t)return!0;const n=e.headers.get("origin");if(!n)return!1;let o;try{o=new URL(n).host}catch{return!1}if(r){if(o.startsWith("localhost")||o.startsWith("127.0.0.1"))return!0}const s=new URL(e.url),i=s.host;return n===`${s.protocol}//${i}`||t.includes(o)}async function K(e,t,r,n){const o=t.providerMap.get(r);if(!o)throw new _(v.PROVIDER_NOT_FOUND);const{state:s,codeVerifier:i}={state:M(),codeVerifier:P()},a=new URL(e.url),c=a.searchParams.get("redirectTo"),l=a.searchParams.get("profile"),d=a.searchParams.get("prompt");if(c){let r;try{if(c.startsWith("//"))throw new Error("Protocol-relative URL not allowed");r=new URL(c,a.origin)}catch{throw new _(v.INVALID_REDIRECT_URL,'Invalid "redirectTo" URL',{status:400})}const n=r.host,o=n===new URL(e.url).host,s="all"===t.trustHosts||t.trustHosts.includes(n);if(("http:"===r.protocol||"https:"===r.protocol)&&!o&&!s)throw new _(v.UNTRUSTED_HOST)}const p=c?`${s}.${btoa(c)}`:s;let w,I,O,T,k=a.searchParams.get("callbackUri");if(!k&&o.requiresRedirectUri&&(k=`${a.origin}${t.basePath}/callback/${r}`),l){const e=(t.profiles?.[r]??{})[l];if(!e)throw new _(v.UNKNOWN_PROFILE,`Unknown profile "${l}" for provider "${r}"`,{status:400});e.redirectUri&&(k=e.redirectUri),e.scopes&&(w=e.scopes),e.params&&(I={...e.params??{}});const{tenant:o,prompt:s}=e;if(null==o&&null==s||(O={...O??{},tenant:o,prompt:s}),!n&&!0===e.linkOnly)throw new _(v.LINK_ONLY_PROVIDER,"This profile is link-only. Please link it to an existing account.",{status:400})}if(d&&(I={...I??{},prompt:d}),!n&&!0===o.linkOnly)throw new _(v.LINK_ONLY_PROVIDER);try{T=await o.getAuthorizationUrl(p,i,{redirectUri:k??void 0,scopes:w,params:I,overrides:O})}catch(e){console.error("Error getting authorization URL:",e),T=null}if(!T)throw new _(v.AUTHORIZATION_URL_FAILED,"Could not create authorization URL",{status:500});const U=u(e.headers.get("Cookie")),N=new h(U,t.cookieOptions),L={maxAge:600,sameSite:t.development?"lax":"none",secure:!t.development};N.set(f,s,L),N.set(A,i,L),n?N.set(g,n,L):N.delete(g,{sameSite:t.development?"lax":"none",secure:!t.development}),k&&N.set(m,k,L);const S=JSON.stringify({params:I??{},overrides:O??{}});N.set(E,btoa(S),L);const R=a.searchParams.get("code_challenge");R&&N.set(y,R,L);if("false"===a.searchParams.get("redirect")){const e=X({url:T.toString()});return N.toHeaders().forEach((t,r)=>{e.headers.append(r,t)}),e}const D=Q(T.toString());return N.toHeaders().forEach((e,t)=>{D.headers.append(t,e)}),D}async function V(e,t,r){const n=new URL(e.url);let o=T(e).token;if(o||(o=n.searchParams.get("token")??void 0),!o)throw new _(v.UNAUTHORIZED);if(!await t.validateSession(o))throw new _(v.UNAUTHORIZED);n.searchParams.delete("token");return K(new Request(n.toString(),e),t,r,o)}async function W(e,t,r){const n=T(e).token;if(!n)throw new _(v.UNAUTHORIZED);const o=await t.validateSession(n);if(!o||!o.user)throw new _(v.UNAUTHORIZED);const s=o.accounts??[];if(s.length<=1)throw new _(v.CANNOT_UNLINK_LAST_ACCOUNT);const i=s.find(e=>e.provider===r);if(!i)throw new _(v.ACCOUNT_NOT_LINKED,`Provider "${r}" not linked`);await t.unlinkAccount(r,i.providerAccountId);if((await t.getAccounts(o.user.id)).length>0&&o.user.email)try{await t.updateUser({id:o.user.id,email:null,emailVerified:!1})}catch(e){console.error("Failed to clear stale email after unlinking:",e)}return X({message:"Account unlinked successfully"})}async function j(e,t,r){return K(e,t,r,null)}async function J(e,t){const r=u(e.headers.get("Cookie")),n=new h(r,t.cookieOptions);n.delete(p,{sameSite:t.development?"lax":"none",secure:!t.development}),n.delete(g,{sameSite:t.development?"lax":"none",secure:!t.development});const o=X({message:"Signed out"});return n.toHeaders().forEach((e,t)=>{o.headers.append(t,e)}),o}async function B(e,t){const{token:r}=T(e),n=Array.from(t.providerMap.keys());if(!r)return X({...Y,providers:n});try{const e=await t.validateSession(r);return e?X({...Z(e),providers:n}):X({...Y,providers:n},{status:401})}catch(e){throw console.error("Error validating session:",e),new _(v.SESSION_VALIDATION_FAILED,{cause:e})}}async function q(e,t){if("POST"!==e.method)throw new _(v.METHOD_NOT_ALLOWED);let r;try{r=await e.json()}catch{throw new _(v.INVALID_REQUEST,"Invalid JSON body",{status:400})}const{code:n,codeVerifier:o}=r;if(!n||!o)throw new _(v.INVALID_REQUEST,"Missing code or codeVerifier",{status:400});const s=await t.verifyJWT(n);if(!s)throw new _(v.TOKEN_EXPIRED,"Invalid or expired code");const{sub:i,challenge:a}=s,c=(new TextEncoder).encode(o),l=await crypto.subtle.digest("SHA-256",c),d=Array.from(new Uint8Array(l));if(a!==btoa(String.fromCharCode(...d)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,""))throw new _(v.CODE_VERIFIER_INVALID);return X({token:await t.createSession(i)})}function G(e){const{basePath:t}=e;return async function(r){if("OPTIONS"===r.method)return x(r,e);const n=new URL(r.url);if(!n.pathname.startsWith(t)){const n=new _(v.NOT_FOUND);return H(r,await R({error:n,request:r},{basePath:t,onError:e.onError,errorRedirect:e.errorRedirect}),e)}try{if("POST"===r.method&&!F(r,e.trustHosts,e.development)){const t=r.headers.get("origin")??"unknown",n=e.development?`Untrusted origin: '${t}'. Add this origin to 'trustHosts' in createAuth() or ensure you are using 'localhost' or '127.0.0.1' for development.`:"Forbidden";throw new _(v.FORBIDDEN,n,{status:403})}const o=n.pathname.substring(t.length).split("/").filter(Boolean),s=o[0];if(!s)throw new _(v.NOT_FOUND);let i;if("GET"===r.method)if("session"===s)i=await B(r,e);else if(2===o.length&&"link"===o[0])i=await V(r,e,o[1]);else if(2===o.length&&"callback"===o[0])i=await C(r,e,o[1]);else{if(1!==o.length)throw new _(v.NOT_FOUND);i=await j(r,e,s)}else{if("POST"!==r.method)throw new _(v.METHOD_NOT_ALLOWED);if(1===o.length&&"signout"===s)i=await J(r,e);else if(1===o.length&&"token"===s)i=await q(r,e);else{if(2!==o.length||"unlink"!==o[0])throw new _(v.NOT_FOUND);i=await W(r,e,o[1])}}try{i.headers.set("Cache-Control","no-store, private"),i.headers.set("Pragma","no-cache"),i.headers.set("Expires","0")}catch{}return H(r,i,e)}catch(n){if(n instanceof _){return H(r,await R({error:n,request:r},{basePath:t,onError:e.onError,errorRedirect:e.errorRedirect}),e)}console.error("Unexpected error in gau handler:",n);const o=new _(v.INTERNAL_ERROR,{cause:n});return H(r,await R({error:o,request:r},{basePath:t,onError:e.onError,errorRedirect:e.errorRedirect}),e)}}}var Y={user:null,session:null,accounts:null};function Z(e){return{user:e.user,session:e.session,accounts:e.accounts?.map(e=>({provider:e.provider,providerAccountId:e.providerAccountId}))??null,providers:e.providers}}var z=class extends Error{cause;constructor(e,t){super(e),this.name="AuthError",this.cause=t}};function X(e,t={}){const r=new Headers(t.headers);return r.has("Content-Type")||r.set("Content-Type","application/json; charset=utf-8"),new Response(JSON.stringify(e),{...t,headers:r})}function Q(e,t=302){return new Response(null,{status:t,headers:{Location:e}})}var ee="X-Refreshed-Token";async function te(e){try{const t=function(e){const t=e.replace(/-/g,"+").replace(/_/g,"/"),r=(4-t.length%4)%4,n=t.padEnd(t.length+r,"=");try{const e=atob(n),t=e.length,r=new Uint8Array(t);for(let n=0;n<t;n++)r[n]=e.charCodeAt(n);return r}catch{throw new z("Invalid base64url string")}}(e),r=await crypto.subtle.importKey("pkcs8",t.slice(),{name:"ECDSA",namedCurve:"P-256"},!0,["sign"]),n=await crypto.subtle.exportKey("jwk",r);delete n.d,n.key_ops=["verify"];return{privateKey:r,publicKey:await crypto.subtle.importKey("jwk",n,{name:"ECDSA",namedCurve:"P-256"},!0,["verify"])}}catch(e){if(e instanceof z)throw e;throw new z("Invalid secret. Must be a base64url-encoded PKCS#8 private key for ES256. Use `bunx gau secret` to generate one.",e)}}async function re(e,t={}){let{algorithm:r="ES256",ttl:s,iss:i,aud:a,sub:c,privateKey:l,secret:d}=t;if("ES256"===r){if(!l){if("string"!=typeof d)throw new z("Missing secret for ES256 signing. It must be a base64url-encoded string.");({privateKey:l}=await te(d))}}else if("HS256"===r&&!d)throw new z("Missing secret for HS256 signing");const u=Math.floor(Date.now()/1e3),h={iat:u,iss:i,aud:a,sub:c,...e};null!=s&&s>0&&(h.exp=u+s);const f="HS256"===r,p=f?"HS256":"ES256",w=JSON.stringify({alg:p,typ:"JWT"}),g=JSON.stringify(h),A=n(w,g);let m;if(f){const e="string"==typeof d?(new TextEncoder).encode(d):d,t=await crypto.subtle.importKey("raw",e,{name:"HMAC",hash:"SHA-256"},!1,["sign"]);m=new Uint8Array(await crypto.subtle.sign("HMAC",t,A))}else m=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},l,A));return o(w,g,m)}async function ne(e,t){let{algorithm:r="ES256",publicKey:n,secret:o,iss:c,aud:l}=t;if("ES256"===r&&!n){if("string"!=typeof o)throw new z("Missing secret for ES256 verification. Must be a base64url-encoded string.");({publicKey:n}=await te(o))}if("HS256"===r&&!o)throw new z("Missing secret for HS256 verification");const[d,u,h,f]=a(e),p=new s(d).algorithm();let w=!1;if("HS256"===r){if("HS256"!==p)throw new Error(`JWT algorithm is "${p}", but verifier was configured for "HS256"`);const e="string"==typeof o?(new TextEncoder).encode(o):o,t=await crypto.subtle.importKey("raw",e,{name:"HMAC",hash:"SHA-256"},!1,["sign"]);w=function(e,t){let r=e.length^t.length;const n=Math.max(e.length,t.length);for(let o=0;o<n;o++)r|=(e[o]??0)^(t[o]??0);return 0===r}(new Uint8Array(await crypto.subtle.sign("HMAC",t,f)),new Uint8Array(h))}else{if("ES256"!==p)throw new z(`JWT algorithm is "${p}", but verifier was configured for "ES256"`);const e=new Uint8Array(h);if(w=await crypto.subtle.verify({name:"ECDSA",hash:"SHA-256"},n,e,f),!w&&64===e.length)try{const t=function(e){if(64!==e.length)throw new Error("Invalid raw signature length");let t=e.slice(0,32),r=e.slice(32),n=0;for(;n<t.length-1&&0===t[n];)n++;t=t.slice(n);let o=0;for(;o<r.length-1&&0===r[o];)o++;if(r=r.slice(o),t.length>0&&128&t[0]){const e=new Uint8Array(t.length+1);e[0]=0,e.set(t,1),t=e}if(r.length>0&&128&r[0]){const e=new Uint8Array(r.length+1);e[0]=0,e.set(r,1),r=e}const s=t.length,i=r.length,a=2+s+2+i,c=new Uint8Array(2+a);return c[0]=48,c[1]=a,c[2]=2,c[3]=s,c.set(t,4),c[4+s]=2,c[5+s]=i,c.set(r,6+s),c}(e);w=await crypto.subtle.verify({name:"ECDSA",hash:"SHA-256"},n,t,f)}catch{w=!1}}if(!w)throw new z("Invalid JWT signature");const g=new i(u);if(g.hasExpiration()&&!g.verifyExpiration())throw new z("JWT expired");if(g.hasNotBefore()&&!g.verifyNotBefore())throw new z("JWT not yet valid");if(c&&u.iss!==c)throw new z("Invalid JWT issuer");if(l){const e=Array.isArray(l)?l:[l],t=u.aud?Array.isArray(u.aud)?u.aud:[u.aud]:[];if(!e.some(e=>t.includes(e)))throw new z("Invalid JWT audience")}return u}export{d as DEFAULT_COOKIE_SERIALIZE_OPTIONS,u as parseCookies,h as Cookies,f as CSRF_COOKIE_NAME,p as SESSION_COOKIE_NAME,w as SESSION_STRATEGY_COOKIE_NAME,g as LINKING_TOKEN_COOKIE_NAME,A as PKCE_COOKIE_NAME,m as CALLBACK_URI_COOKIE_NAME,E as PROVIDER_OPTIONS_COOKIE_NAME,y as CLIENT_CHALLENGE_COOKIE_NAME,I as CSRF_MAX_AGE,re as sign,ne as verify,T as getSessionTokenFromRequest,k as createAuth,U as ErrorMessages,v as ErrorCodes,N as ErrorStatuses,_ as GauError,L as createErrorRedirectUrl,S as isUserFacingRequest,R as handleError,C as handleCallback,H as applyCors,x as handlePreflight,F as verifyRequestOrigin,V as handleLink,W as handleUnlink,j as handleSignIn,J as handleSignOut,B as handleSession,q as handleToken,G as createHandler,Y as NULL_SESSION,Z as toClientSession,z as AuthError,X as json,Q as redirect,ee as REFRESHED_TOKEN_HEADER};//# sourceMappingURL=chunk-QVJADO4S.js.map
package/dist/chunk-QVJADO4S.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/jwt/jwt.ts","../src/core/cookies.ts","../src/core/createAuth.ts","../src/core/utils.ts","../src/core/errors.ts","../src/core/hooks.ts","../src/core/handlers/callback.ts","../src/core/handlers/cors.ts","../src/oauth/utils.ts","../src/core/handlers/utils.ts","../src/core/handlers/link.ts","../src/core/handlers/login.ts","../src/core/handlers/session.ts","../src/core/handlers/token.ts","../src/core/handler.ts","../src/core/index.ts","../src/jwt/utils.ts"],"sourcesContent":["/// <reference types=\"node\" />\nimport {\n createJWTSignatureMessage,\n encodeJWT,\n JWSRegisteredHeaders,\n JWTRegisteredClaims,\n parseJWT,\n} from '@oslojs/jwt'\nimport { AuthError } from '../core/index'\nimport { constantTimeEqual, deriveKeysFromSecret, rawToDer } from './utils'\n\nexport type SupportedAlgorithm = 'ES256' | 'HS256'\n\ninterface CommonSignOptions {\n /** Time-to-live in seconds (exp claim). If omitted the token will not expire. */\n ttl?: number\n}\n\nexport type SignOptions\n = | ({ algorithm?: 'ES256', privateKey?: CryptoKey, secret?: string }\n & CommonSignOptions & { iss?: string, aud?: string | string[], sub?: string })\n | ({ algorithm: 'HS256', secret?: string | Uint8Array, privateKey?: never }\n & CommonSignOptions & { iss?: string, aud?: string | string[], sub?: string })\n\n/**\n * Create a signed JWT.\n * Defaults to ES256 when a privateKey is supplied. Falls back to HS256 when a secret is supplied.\n */\nexport async function sign<T extends Record<string, unknown>>(payload: T, options: SignOptions = {}): Promise<string> {\n let { algorithm = 'ES256', ttl, iss, aud, sub, privateKey, secret } = options\n\n if (algorithm === 'ES256') {\n if (!privateKey) {\n if (typeof secret !== 'string')\n throw new AuthError('Missing secret for ES256 signing. It must be a base64url-encoded string.');\n\n ({ privateKey } = await deriveKeysFromSecret(secret))\n }\n }\n else if (algorithm === 'HS256' && !secret) {\n throw new AuthError('Missing secret for HS256 signing')\n }\n\n const now = Math.floor(Date.now() / 1000)\n\n const jwtPayload: Record<string, unknown> = { iat: now, iss, aud, sub, ...payload }\n\n if (ttl != null && ttl > 0)\n jwtPayload.exp = now + ttl\n\n const isHS256 = algorithm === 'HS256'\n const alg: SupportedAlgorithm = isHS256 ? 'HS256' : 'ES256'\n\n const headerJSON = JSON.stringify({ alg, typ: 'JWT' })\n const payloadJSON = JSON.stringify(jwtPayload)\n\n const signatureMessage = createJWTSignatureMessage(headerJSON, payloadJSON)\n\n let signature: Uint8Array\n\n if (isHS256) {\n // HS256 (HMAC-SHA256)\n const secretBytes = typeof secret === 'string'\n ? new TextEncoder().encode(secret)\n : secret\n\n const cryptoKey = await crypto.subtle.importKey(\n 'raw',\n secretBytes as BufferSource,\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n )\n\n signature = new Uint8Array(await crypto.subtle.sign('HMAC', cryptoKey, signatureMessage as BufferSource))\n }\n else {\n // ES256 (ECDSA-SHA256)\n // Runtimes like Bun's return the raw (r||s) signature directly, not DER-encoded.\n signature = new Uint8Array(\n await crypto.subtle.sign(\n { name: 'ECDSA', hash: 'SHA-256' },\n privateKey!,\n signatureMessage as BufferSource,\n ),\n )\n }\n\n return encodeJWT(headerJSON, payloadJSON, signature)\n}\n\nexport type VerifyOptions\n = | { algorithm?: 'ES256', publicKey?: CryptoKey, secret?: string, iss?: string, aud?: string | string[] }\n | { algorithm: 'HS256', secret?: string | Uint8Array, publicKey?: never, iss?: string, aud?: string | string[] }\n\n/**\n * Verify a JWT and return its payload when the signature is valid.\n * The algorithm is inferred from options – ES256 by default.\n * Throws when verification fails or the token is expired.\n */\nexport async function verify<T = Record<string, unknown>>(token: string, options: VerifyOptions): Promise<T> {\n let { algorithm = 'ES256', publicKey, secret, iss, aud } = options\n\n if (algorithm === 'ES256') {\n if (!publicKey) {\n if (typeof secret !== 'string')\n throw new AuthError('Missing secret for ES256 verification. Must be a base64url-encoded string.');\n\n ({ publicKey } = await deriveKeysFromSecret(secret))\n }\n }\n\n if (algorithm === 'HS256' && !secret)\n throw new AuthError('Missing secret for HS256 verification')\n\n const [header, payload, signature, signatureMessage] = parseJWT(token)\n\n const headerParams = new JWSRegisteredHeaders(header)\n const headerAlg = headerParams.algorithm()\n\n let validSignature = false\n\n // HS256 verification path\n if (algorithm === 'HS256') {\n if (headerAlg !== 'HS256')\n throw new Error(`JWT algorithm is \"${headerAlg}\", but verifier was configured for \"HS256\"`)\n\n const secretBytes = typeof secret === 'string'\n ? new TextEncoder().encode(secret)\n : secret\n\n const cryptoKey = await crypto.subtle.importKey(\n 'raw',\n secretBytes as BufferSource,\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n )\n\n const expectedSig = new Uint8Array(await crypto.subtle.sign('HMAC', cryptoKey, signatureMessage as BufferSource))\n validSignature = constantTimeEqual(expectedSig, new Uint8Array(signature))\n }\n // ES256 verification path (default)\n else {\n if (headerAlg !== 'ES256')\n throw new AuthError(`JWT algorithm is \"${headerAlg}\", but verifier was configured for \"ES256\"`)\n\n const signatureBytes = new Uint8Array(signature)\n\n // Runtimes like Node.js return DER-encoded signatures. Others (Bun) return raw (r||s).\n // We try DER first, as it's more common in Node environments.\n validSignature = await crypto.subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n publicKey!,\n signatureBytes as BufferSource,\n signatureMessage as BufferSource,\n )\n\n if (!validSignature && signatureBytes.length === 64) {\n // If DER verification fails and the signature is 64 bytes, it might be a raw signature.\n // Convert it to DER and try again.\n try {\n const derSig = rawToDer(signatureBytes)\n validSignature = await crypto.subtle.verify(\n { name: 'ECDSA', hash: 'SHA-256' },\n publicKey!,\n derSig as BufferSource,\n signatureMessage as BufferSource,\n )\n }\n catch {\n // rawToDer can throw if the signature is not 64 bytes, but we already checked.\n // This catch is for other unexpected errors.\n validSignature = false\n }\n }\n }\n\n if (!validSignature)\n throw new AuthError('Invalid JWT signature')\n\n const claims = new JWTRegisteredClaims(payload)\n if (claims.hasExpiration() && !claims.verifyExpiration())\n throw new AuthError('JWT expired')\n if (claims.hasNotBefore() && !claims.verifyNotBefore())\n throw new AuthError('JWT not yet valid')\n if (iss && (payload as any).iss !== iss)\n throw new AuthError('Invalid JWT issuer')\n\n if (aud) {\n const expectedAudience = Array.isArray(aud) ? aud : [aud]\n const tokenAudience = (payload as any).aud\n ? (Array.isArray((payload as any).aud) ? (payload as any).aud : [(payload as any).aud])\n : []\n\n if (!expectedAudience.some(audValue => tokenAudience.includes(audValue)))\n throw new AuthError('Invalid JWT audience')\n }\n\n return payload as T\n}\n","import type { SerializeOptions } from 'cookie'\nimport { parse, serialize } from 'cookie'\n\nexport const DEFAULT_COOKIE_SERIALIZE_OPTIONS: SerializeOptions = {\n path: '/',\n sameSite: 'lax',\n secure: true,\n httpOnly: true,\n}\n\nexport type Cookie = [string, string, SerializeOptions]\n\nexport function parseCookies(cookieHeader: string | null | undefined): Map<string, string> {\n const cookies = new Map<string, string>()\n if (cookieHeader) {\n const parsed = parse(cookieHeader)\n for (const name in parsed)\n cookies.set(name, parsed[name]!)\n }\n return cookies\n}\n\nexport class Cookies {\n #new: Cookie[] = []\n\n constructor(\n private readonly requestCookies: Map<string, string>,\n private readonly defaultOptions: SerializeOptions,\n ) {}\n\n get(name: string): string | undefined {\n return this.requestCookies.get(name)\n }\n\n set(name: string, value: string, options?: SerializeOptions): void {\n const combinedOptions = { ...this.defaultOptions, ...options }\n this.#new.push([name, value, combinedOptions])\n }\n\n delete(name: string, options?: Omit<SerializeOptions, 'expires' | 'maxAge'>): void {\n this.set(name, '', { ...options, expires: new Date(0), maxAge: 0 })\n }\n\n toHeaders(): Headers {\n const headers = new Headers()\n for (const [name, value, options] of this.#new)\n headers.append('Set-Cookie', serialize(name, value, options))\n\n return headers\n }\n}\n\nexport const CSRF_COOKIE_NAME = '__gau-csrf-token'\nexport const SESSION_COOKIE_NAME = '__gau-session-token'\nexport const SESSION_STRATEGY_COOKIE_NAME = '__gau-session-strategy'\nexport const LINKING_TOKEN_COOKIE_NAME = '__gau-linking-token'\nexport const PKCE_COOKIE_NAME = '__gau-pkce-code-verifier'\nexport const CALLBACK_URI_COOKIE_NAME = '__gau-callback-uri'\nexport const PROVIDER_OPTIONS_COOKIE_NAME = '__gau-provider-options'\nexport const CLIENT_CHALLENGE_COOKIE_NAME = '__gau-client-challenge'\n\nexport const CSRF_MAX_AGE = 60 * 10 // 10 minutes\n","import type { OAuth2Tokens } from 'arctic'\nimport type { SerializeOptions } from 'cookie'\nimport type { SignOptions, VerifyOptions } from '../jwt'\nimport type { AuthUser, OAuthProvider, OAuthProviderConfig, ProviderProfileOverrides } from '../oauth'\nimport type { Cookies } from './cookies'\nimport type { GauError } from './errors'\nimport type { Adapter, GauServerSession } from './index'\nimport { serialize } from 'cookie'\nimport { sign, verify } from '../jwt'\nimport { DEFAULT_COOKIE_SERIALIZE_OPTIONS, SESSION_COOKIE_NAME } from './cookies'\nimport { AuthError } from './index'\nimport { getSessionTokenFromRequest } from './utils'\n\ntype ProviderId<P> = P extends OAuthProvider<infer T> ? T : never\nexport type ProviderIds<T> = T extends { providerMap: Map<infer K extends string, any> } ? K : string\n\nexport type ProfileName<T, P extends string> = T extends { profiles: infer R }\n ? P extends keyof R\n ? keyof R[P]\n : never\n : never\n\nexport interface CreateAuthOptions<TProviders extends OAuthProvider[]> {\n /** The database adapter to use for storing users and accounts. */\n adapter: Adapter\n /** Array of OAuth providers to support. */\n providers: TProviders\n /** Base path for authentication routes (defaults to '/api/auth'). */\n basePath?: string\n /** Session management options */\n session?: {\n /** Strategy to use for sessions: 'auto' (default), 'cookie', or 'token'. */\n strategy?: 'auto' | 'cookie' | 'token'\n }\n /** Configuration for JWT signing and verification. */\n jwt?: {\n /** Signing algorithm: 'ES256' (default) or 'HS256'. */\n algorithm?: 'ES256' | 'HS256'\n /** Secret for HS256 or base64url-encoded private key for ES256 (overrides AUTH_SECRET). */\n secret?: string\n /** Issuer claim (iss) for JWTs. */\n iss?: string\n /** Audience claim (aud) for JWTs. */\n aud?: string\n /** Default time-to-live in seconds for JWTs (defaults to 1 day). */\n ttl?: number\n }\n /** Custom options for session cookies. */\n cookies?: Partial<SerializeOptions>\n /**\n * Hook that fires right after provider.validateCallback() returns tokens,\n * but before any user lookup/link/create logic. Return { handled: true, response }\n * to short-circuit the default flow and send a custom response.\n */\n onOAuthExchange?: (context: {\n request: Request\n providerId: string\n state: string\n code: string\n codeVerifier: string\n callbackUri?: string | null\n redirectTo: string\n cookies: Cookies\n providerUser: AuthUser\n tokens: OAuth2Tokens\n isLinking: boolean\n sessionUserId?: string\n }) => Promise<{ handled: true, response: Response } | { handled: false }>\n /** Map/override the provider's profile right after token exchange. */\n mapExternalProfile?: (context: {\n request: Request\n providerId: string\n providerUser: AuthUser\n tokens: OAuth2Tokens\n isLinking: boolean\n }) => Promise<AuthUser | Partial<AuthUser> | null | undefined>\n /** Gate the link action just before persisting an account. */\n onBeforeLinkAccount?: (context: {\n request: Request\n providerId: string\n userId: string\n providerUser: AuthUser\n tokens: OAuth2Tokens\n }) => Promise<{ allow: true } | { allow: false, response?: Response }>\n /** Observe or augment after link/update tokens. */\n onAfterLinkAccount?: (context: {\n request: Request\n providerId: string\n userId: string\n providerUser: AuthUser\n tokens: OAuth2Tokens\n action: 'link' | 'update'\n }) => Promise<void>\n /** Trusted hosts for CSRF protection: 'all' or array of hostnames (defaults to []). */\n trustHosts?: 'all' | string[]\n /** Account linking behavior: 'verifiedEmail' (default), 'always', or false. */\n autoLink?: 'verifiedEmail' | 'always' | false\n /** Allow linking providers whose primary emails differ from the user's current primary email. Defaults to true. */\n allowDifferentEmails?: boolean\n /** When linking a new provider, update missing user info (name/image/emailVerified) from provider profile. Defaults to false. */\n updateUserInfoOnLink?: boolean\n /** Optional configuration for role-based access control. */\n roles?: {\n /** Default role for newly created users. */\n defaultRole?: string\n /** Dynamically resolve the role at the moment of user creation. Return undefined to fall back to defaultRole. */\n resolveOnCreate?: (context: { providerId: string, profile: any, request: Request }) => string | undefined\n /** Roles that are considered admin-like for helper predicates and `session.user.isAdmin`. */\n adminRoles?: string[]\n /** Users that are always treated as admin for helper predicates and `session.user.isAdmin`. */\n adminUserIds?: string[]\n }\n /**\n * CORS configuration. When true (default): request Origin & allow credentials\n * When false, CORS headers are not added at all.\n * Provide an object to fine-tune behaviour.\n */\n cors?: true | false | {\n /**\n * Allowed origins.\n * - 'all' (default) allows any origin (reflected when credentials enabled),\n * - 'trust' reuses the createAuth trustHosts list\n * - specify an explicit array of full origins (e.g. https://app.example.com)\n * or hostnames (e.g. app.example.com).\n * When array contains '*', it's treated as 'all'.\n */\n allowedOrigins?: 'all' | 'trust' | string[]\n /** Whether to send Access-Control-Allow-Credentials (defaults to true). */\n allowCredentials?: boolean\n /** Allowed headers (defaults to ['Content-Type','Authorization','Cookie']). */\n allowedHeaders?: string[]\n /** Allowed methods (defaults to ['GET','POST','OPTIONS']). */\n allowedMethods?: string[]\n /** Exposed headers (optional). */\n exposeHeaders?: string[]\n /** Preflight max age in seconds (optional). */\n maxAge?: number\n }\n /**\n * Named, server-defined profiles that group provider specific settings.\n * Clients can reference a profile by name (e.g. signIn('github', { profile: 'myprofile' })).\n */\n profiles?: ProfilesConfig<TProviders>\n /**\n * Custom error handler. Return a Response to override default behavior.\n * Return undefined to use default handling (errorRedirect or HTML page).\n *\n * @example\n * onError: ({ error, request }) => {\n * console.error('Auth error:', error.code, error.message)\n * if (error.code === 'CSRF_INVALID') {\n * return redirect('/login?error=session_expired')\n * }\n * }\n */\n onError?: (context: {\n error: GauError\n request: Request\n }) => Response | Promise<Response | undefined> | undefined\n /**\n * URL to redirect user-facing errors to.\n * Error details passed as query params: ?code=...&message=...&status=...&redirect=...\n *\n * If not set, gau renders its built-in error page for user-facing errors,\n * or returns JSON for API errors.\n *\n * @example\n * errorRedirect: '/auth/error' // Your custom error page\n */\n errorRedirect?: string\n}\n\n/**\n * Options for issuing a session.\n */\nexport interface IssueSessionOptions {\n /** Custom claims to include in the session JWT. */\n data?: Record<string, unknown>\n /** Time-to-live in seconds (defaults to auth's configured jwt.ttl). */\n ttl?: number\n}\n\n/**\n * Result of issuing a session.\n */\nexport interface IssueSessionResult {\n /** The raw JWT session token (for Bearer auth or storage). */\n token: string\n /** The serialized Set-Cookie header value (for web apps). */\n cookie: string\n /** The cookie name used by gau. */\n cookieName: string\n /** The maxAge in seconds. */\n maxAge: number\n}\n\n/**\n * Options for refreshing a session.\n */\nexport interface RefreshSessionOptions {\n /** Override the default TTL for the new token. */\n ttl?: number\n /**\n * Only refresh if past this fraction of TTL (0-1).\n * Example: 0.5 means only refresh if session is past 50% of its lifetime.\n */\n threshold?: number\n}\n\n/**\n * Result of refreshing a session. Extends IssueSessionResult with source information.\n */\nexport interface RefreshSessionResult extends IssueSessionResult {\n /**\n * How the original token was provided.\n * - 'cookie': Token was extracted from the Cookie header\n * - 'bearer': Token was extracted from Authorization: Bearer header\n * - 'token': A raw token string was passed directly\n */\n source: 'cookie' | 'bearer' | 'token'\n}\n\nexport type Auth<TProviders extends OAuthProvider[] = any> = Adapter & {\n providerMap: Map<ProviderId<TProviders[number]>, TProviders[number]>\n basePath: string\n cookieOptions: SerializeOptions\n jwt: { ttl: number }\n onOAuthExchange?: CreateAuthOptions<TProviders>['onOAuthExchange']\n mapExternalProfile?: CreateAuthOptions<TProviders>['mapExternalProfile']\n onBeforeLinkAccount?: CreateAuthOptions<TProviders>['onBeforeLinkAccount']\n onAfterLinkAccount?: CreateAuthOptions<TProviders>['onAfterLinkAccount']\n signJWT: <U extends Record<string, unknown>>(payload: U, customOptions?: Partial<SignOptions>) => Promise<string>\n verifyJWT: <U = Record<string, unknown>>(token: string, customOptions?: Partial<VerifyOptions>) => Promise<U | null>\n createSession: (userId: string, data?: Record<string, unknown>, ttl?: number) => Promise<string>\n validateSession: (token: string) => Promise<GauServerSession | null>\n /**\n * Issue a session for a user, returning both the token and a Set-Cookie header.\n * Useful for guest login, invite redemption, admin impersonation, etc.\n */\n issueSession: (userId: string, options?: IssueSessionOptions) => Promise<IssueSessionResult>\n /**\n * Refresh an existing session, issuing a new token with extended TTL.\n * Preserves custom claims from the original token.\n *\n * @param tokenOrRequest - The existing session token, or a Request to extract the token from\n * @param options.ttl - Override the default TTL for the new token\n * @param options.threshold - Only refresh if past this fraction of TTL (0-1).\n * When set, returns null if below threshold.\n * Example: 0.5 means only refresh if session is past 50% of its lifetime.\n * @returns The refreshed session with source info, or null if invalid/expired/below threshold\n */\n refreshSession: (tokenOrRequest: string | Request, options?: RefreshSessionOptions) => Promise<RefreshSessionResult | null>\n /**\n * Get a valid access token for a linked provider. If the stored token is expired and a refresh token exists,\n * this will refresh it using the provider's refreshAccessToken and persist rotated tokens.\n */\n getAccessToken: (userId: string, providerId: string) => Promise<{ accessToken: string, expiresAt?: number | null } | null>\n trustHosts: 'all' | string[]\n autoLink: 'verifiedEmail' | 'always' | false\n allowDifferentEmails: boolean\n updateUserInfoOnLink: boolean\n sessionStrategy: 'auto' | 'cookie' | 'token'\n development: boolean\n roles: {\n defaultRole: string\n resolveOnCreate?: (context: { providerId: string, profile: any, request: Request }) => string | undefined\n adminRoles: string[]\n adminUserIds: string[]\n }\n cors: false | {\n allowedOrigins: 'all' | 'trust' | string[]\n allowCredentials: boolean\n allowedHeaders: string[]\n allowedMethods: string[]\n exposeHeaders?: string[]\n maxAge?: number\n }\n profiles: ResolvedProfiles<TProviders>\n onError?: CreateAuthOptions<TProviders>['onError']\n errorRedirect?: string\n}\n\nexport interface ProfileDefinition {\n scopes?: string[]\n redirectUri?: string\n /** When true, this profile can only be linked to an existing session; standalone sign-in is disabled. */\n linkOnly?: boolean\n /** Additional provider-specific authorization params. */\n params?: Record<string, string>\n}\n\ntype ProviderIdOfArray<TProviders extends OAuthProvider[]> = ProviderId<TProviders[number]>\ntype ProviderConfigFor<TProviders extends OAuthProvider[], K extends string>\n = Extract<TProviders[number], OAuthProvider<K, any>> extends OAuthProvider<any, infer C> ? C : OAuthProviderConfig\n\nexport type ProfilesConfig<TProviders extends OAuthProvider[]> = Partial<{\n [K in ProviderIdOfArray<TProviders>]: Record<string, ProfileDefinition & ProviderProfileOverrides<ProviderConfigFor<TProviders, K>>>\n}>\nexport type ResolvedProfiles<TProviders extends OAuthProvider[]> = ProfilesConfig<TProviders>\n\nexport function createAuth<const TProviders extends OAuthProvider[]>({\n adapter,\n providers,\n basePath = '/api/auth',\n jwt: jwtConfig = {},\n session: sessionConfig = {},\n cookies: cookieConfig = {},\n onOAuthExchange,\n mapExternalProfile,\n onBeforeLinkAccount,\n onAfterLinkAccount,\n trustHosts = [],\n autoLink = 'verifiedEmail',\n allowDifferentEmails = true,\n updateUserInfoOnLink = false,\n roles: rolesConfig = {},\n cors = true,\n profiles: profilesConfig,\n onError,\n errorRedirect,\n}: CreateAuthOptions<TProviders>): Auth<TProviders> {\n const { algorithm = 'ES256', secret, iss, aud, ttl: defaultTTL = 3600 * 24 * 7 } = jwtConfig\n const cookieOptions = { ...DEFAULT_COOKIE_SERIALIZE_OPTIONS, ...cookieConfig }\n\n const sessionStrategy: 'auto' | 'cookie' | 'token' = sessionConfig.strategy ?? 'auto'\n\n if (algorithm === 'ES256' && secret !== undefined && typeof secret !== 'string')\n throw new AuthError('For ES256, the secret option must be a string.')\n\n const providerMap = new Map(providers.map(p => [p.id, p]))\n\n const resolvedCors: Auth['cors'] = cors === false\n ? false\n : {\n allowedOrigins: (cors === true ? 'all' : cors.allowedOrigins) ?? 'all',\n allowCredentials: (cors === true ? true : cors.allowCredentials) ?? true,\n allowedHeaders: (cors === true ? undefined : cors.allowedHeaders) ?? ['Content-Type', 'Authorization', 'Cookie'],\n allowedMethods: (cors === true ? undefined : cors.allowedMethods) ?? ['GET', 'POST', 'OPTIONS'],\n exposeHeaders: cors === true ? undefined : cors.exposeHeaders,\n maxAge: cors === true ? undefined : cors.maxAge,\n }\n\n const resolvedProfiles = (profilesConfig ?? {}) as ResolvedProfiles<TProviders>\n const resolvedRoles = {\n defaultRole: rolesConfig.defaultRole ?? 'user',\n resolveOnCreate: rolesConfig.resolveOnCreate,\n adminRoles: rolesConfig.adminRoles ?? ['admin'],\n adminUserIds: rolesConfig.adminUserIds ?? [],\n }\n\n function buildSignOptions(custom: Partial<SignOptions> = {}): SignOptions {\n const base = { ttl: custom.ttl, iss: custom.iss ?? iss, aud: custom.aud ?? aud, sub: custom.sub }\n if (algorithm === 'HS256') {\n return { algorithm, secret: custom.secret ?? secret, ...base }\n }\n else {\n if (custom.secret !== undefined && typeof custom.secret !== 'string')\n throw new AuthError('For ES256, the secret option must be a string.')\n const esSecret = custom.secret ?? secret\n return { algorithm, privateKey: custom.privateKey, secret: esSecret, ...base }\n }\n }\n\n function buildVerifyOptions(custom: Partial<VerifyOptions> = {}): VerifyOptions {\n const base = { iss: custom.iss ?? iss, aud: custom.aud ?? aud }\n if (algorithm === 'HS256') {\n return { algorithm, secret: custom.secret ?? secret, ...base }\n }\n else {\n if (custom.secret !== undefined && typeof custom.secret !== 'string')\n throw new AuthError('For ES256, the secret option must be a string.')\n const esSecret = custom.secret ?? secret\n return { algorithm, publicKey: custom.publicKey, secret: esSecret, ...base }\n }\n }\n\n async function signJWT<U extends Record<string, unknown>>(payload: U, customOptions: Partial<SignOptions> = {}): Promise<string> {\n return sign(payload, buildSignOptions(customOptions))\n }\n\n async function verifyJWT<U = Record<string, unknown>>(token: string, customOptions: Partial<VerifyOptions> = {}): Promise<U | null> {\n const options = buildVerifyOptions(customOptions)\n try {\n return await verify<U>(token, options)\n }\n catch {\n return null\n }\n }\n\n async function createSession(userId: string, data: Record<string, unknown> = {}, ttl = defaultTTL): Promise<string> {\n const payload = { sub: userId, ...data }\n return signJWT(payload, { ttl })\n }\n\n async function issueSession(userId: string, options: IssueSessionOptions = {}): Promise<IssueSessionResult> {\n const { data = {}, ttl = defaultTTL } = options\n const token = await createSession(userId, data, ttl)\n\n const cookieOpts: SerializeOptions = {\n ...cookieOptions,\n maxAge: ttl,\n }\n\n const cookie = serialize(SESSION_COOKIE_NAME, token, cookieOpts)\n\n return {\n token,\n cookie,\n cookieName: SESSION_COOKIE_NAME,\n maxAge: ttl,\n }\n }\n\n async function refreshSession(tokenOrRequest: string | Request, options: RefreshSessionOptions = {}): Promise<RefreshSessionResult | null> {\n let token: string | undefined\n let source: RefreshSessionResult['source']\n\n if (typeof tokenOrRequest === 'string') {\n token = tokenOrRequest\n source = 'token'\n }\n else {\n const extracted = getSessionTokenFromRequest(tokenOrRequest)\n if (!extracted.token || !extracted.source)\n return null\n token = extracted.token\n source = extracted.source\n }\n\n const payload = await verifyJWT<{ sub: string, iat?: number } & Record<string, unknown>>(token)\n if (!payload || !payload.sub)\n return null\n\n if (options.threshold != null && options.threshold > 0 && options.threshold < 1) {\n const { iat } = payload\n if (iat) {\n const now = Math.floor(Date.now() / 1000)\n const sessionAge = now - iat\n const ttl = options.ttl ?? defaultTTL\n const thresholdSeconds = ttl * options.threshold\n\n if (sessionAge < thresholdSeconds)\n return null\n }\n }\n\n const user = await adapter.getUser(payload.sub)\n if (!user)\n return null\n const { sub, iat, exp, iss, aud, nbf, jti, ...customClaims } = payload\n\n const result = await issueSession(payload.sub, {\n data: customClaims,\n ttl: options.ttl,\n })\n\n return { ...result, source }\n }\n\n async function validateSession(token: string): Promise<GauServerSession | null> {\n const payload = await verifyJWT<{ sub: string } & Record<string, unknown>>(token)\n if (!payload)\n return null\n\n const userAndAccounts = await adapter.getUserAndAccounts(payload.sub)\n if (!userAndAccounts)\n return null\n\n const { user, accounts } = userAndAccounts\n const isAdmin = Boolean(\n user\n && (\n (user.role && resolvedRoles.adminRoles.includes(user.role))\n || (resolvedRoles.adminUserIds.length > 0 && resolvedRoles.adminUserIds.includes(user.id))\n ),\n )\n const sessionUser = user ? { ...user, isAdmin } : null\n\n return { user: sessionUser, session: { id: token, ...payload }, accounts }\n }\n\n async function getAccessToken(userId: string, providerId: string) {\n const provider = providerMap.get(providerId)\n if (!provider)\n return null\n\n const accounts = await adapter.getAccounts(userId)\n const account = accounts.find(a => a.provider === providerId)\n if (!account || !account.accessToken)\n return null\n\n const now = Math.floor(Date.now() / 1000)\n const isExpired = typeof account.expiresAt === 'number' ? account.expiresAt <= now : false\n\n if (!isExpired)\n return { accessToken: account.accessToken, expiresAt: account.expiresAt ?? null }\n\n if (!account.refreshToken || !provider.refreshAccessToken)\n return null\n\n try {\n const refreshed = await provider.refreshAccessToken(account.refreshToken, {})\n const updated = {\n userId,\n provider: account.provider,\n providerAccountId: account.providerAccountId,\n accessToken: refreshed.accessToken ?? account.accessToken,\n refreshToken: refreshed.refreshToken ?? account.refreshToken,\n expiresAt: refreshed.expiresAt ?? null,\n idToken: refreshed.idToken ?? account.idToken ?? null,\n tokenType: refreshed.tokenType ?? account.tokenType ?? null,\n scope: refreshed.scope ?? account.scope ?? null,\n }\n await adapter.updateAccount?.(updated)\n return { accessToken: updated.accessToken!, expiresAt: updated.expiresAt }\n }\n catch {\n return null\n }\n }\n\n return {\n ...adapter,\n providerMap: providerMap as Map<ProviderId<TProviders[number]>, TProviders[number]>,\n basePath,\n cookieOptions,\n jwt: {\n ttl: defaultTTL,\n },\n onOAuthExchange,\n mapExternalProfile,\n onBeforeLinkAccount,\n onAfterLinkAccount,\n signJWT,\n verifyJWT,\n createSession,\n validateSession,\n issueSession,\n refreshSession,\n getAccessToken,\n trustHosts,\n autoLink,\n allowDifferentEmails,\n profiles: resolvedProfiles,\n updateUserInfoOnLink,\n sessionStrategy,\n development: false,\n roles: resolvedRoles,\n cors: resolvedCors,\n onError,\n errorRedirect,\n }\n}\n","import { parseCookies, SESSION_COOKIE_NAME } from './cookies'\n\nexport type SessionTokenSource = 'cookie' | 'bearer'\n\n/**\n * Extract the session token from a Request.\n * Prefers Cookie, then falls back to Authorization: Bearer.\n */\nexport function getSessionTokenFromRequest(request: Request): { token?: string, source?: SessionTokenSource } {\n const cookies = parseCookies(request.headers.get('Cookie'))\n const cookieToken = cookies.get(SESSION_COOKIE_NAME)\n if (cookieToken)\n return { token: cookieToken, source: 'cookie' }\n\n const authHeader = request.headers.get('Authorization')\n if (authHeader?.startsWith('Bearer '))\n return { token: authHeader.substring(7), source: 'bearer' }\n\n return {}\n}\n","/**\n * Default messages for each error code.\n * This is the single source of truth for error codes and their messages.\n */\nexport const ErrorMessages = {\n // OAuth Flow Errors\n CSRF_INVALID: 'Invalid CSRF token',\n PKCE_MISSING: 'Missing PKCE code verifier',\n PKCE_CHALLENGE_MISSING: 'Missing PKCE challenge',\n OAUTH_CANCELLED: 'Authentication was cancelled',\n PROVIDER_NOT_FOUND: 'Provider not found',\n AUTHORIZATION_URL_FAILED: 'Could not create authorization URL',\n\n // Account/User Errors\n USER_NOT_FOUND: 'User not found',\n USER_CREATE_FAILED: 'Failed to create user',\n ACCOUNT_ALREADY_LINKED: 'Account already linked to another user',\n ACCOUNT_LINK_FAILED: 'Failed to link account',\n ACCOUNT_NOT_LINKED: 'Account not linked',\n CANNOT_UNLINK_LAST_ACCOUNT: 'Cannot unlink the last account',\n EMAIL_ALREADY_EXISTS: 'An account with this email already exists',\n EMAIL_MISMATCH: 'Email mismatch between existing account and provider',\n LINKING_NOT_ALLOWED: 'Linking not allowed',\n LINK_ONLY_PROVIDER: 'Sign-in with this provider is disabled. Please link it to an existing account.',\n\n // Session/Auth Errors\n UNAUTHORIZED: 'Unauthorized',\n FORBIDDEN: 'Forbidden',\n SESSION_INVALID: 'Invalid session',\n SESSION_VALIDATION_FAILED: 'Failed to validate session',\n\n // Token Errors\n TOKEN_INVALID: 'Invalid token',\n TOKEN_EXPIRED: 'Token expired',\n CODE_VERIFIER_INVALID: 'Invalid code verifier',\n\n // Request Errors\n NOT_FOUND: 'Not found',\n METHOD_NOT_ALLOWED: 'Method not allowed',\n INVALID_REQUEST: 'Invalid request',\n INVALID_REDIRECT_URL: 'Invalid redirect URL',\n UNTRUSTED_HOST: 'Untrusted redirect host',\n UNKNOWN_PROFILE: 'Unknown profile',\n\n // Internal Errors\n INTERNAL_ERROR: 'An unexpected error occurred',\n} as const\n\n/** Error code type derived from ErrorMessages keys */\nexport type ErrorCode = keyof typeof ErrorMessages\n\n/**\n * Error codes object for developer ergonomics.\n * Usage: `ErrorCodes.CSRF_INVALID` instead of `'CSRF_INVALID'`\n */\nexport const ErrorCodes: { [K in ErrorCode]: K } = Object.fromEntries(\n Object.keys(ErrorMessages).map(k => [k, k]),\n) as { [K in ErrorCode]: K }\n\n/**\n * Default HTTP status codes for each error code.\n * Errors not listed here default to 400.\n */\nexport const ErrorStatuses: Partial<Record<ErrorCode, number>> = {\n CSRF_INVALID: 403,\n UNAUTHORIZED: 401,\n FORBIDDEN: 403,\n NOT_FOUND: 404,\n METHOD_NOT_ALLOWED: 405,\n INTERNAL_ERROR: 500,\n USER_CREATE_FAILED: 500,\n ACCOUNT_LINK_FAILED: 500,\n AUTHORIZATION_URL_FAILED: 500,\n SESSION_VALIDATION_FAILED: 500,\n ACCOUNT_ALREADY_LINKED: 409,\n EMAIL_ALREADY_EXISTS: 409,\n LINKING_NOT_ALLOWED: 403,\n}\n\nexport interface GauErrorOptions {\n /** HTTP status code (uses default for error code if not specified) */\n status?: number\n /** URL to redirect to after showing error (for OAuth flow errors) */\n redirectUrl?: string\n /** Original error that caused this error */\n cause?: unknown\n}\n\n/**\n * Structured error class for gau authentication errors.\n * Contains all information needed for error handling and user feedback.\n *\n * @example\n * // Using default message\n * throw new GauError(ErrorCodes.CSRF_INVALID, { status: 403 })\n *\n * // Using custom message\n * throw new GauError(ErrorCodes.PROVIDER_NOT_FOUND, `Provider \"${id}\" not found`)\n */\nexport class GauError extends Error {\n readonly code: ErrorCode\n readonly status: number\n readonly redirectUrl?: string\n override readonly cause?: unknown\n\n constructor(\n code: ErrorCode,\n messageOrOptions?: string | GauErrorOptions,\n options?: GauErrorOptions,\n ) {\n // Handle overloaded signatures\n const message = typeof messageOrOptions === 'string'\n ? messageOrOptions\n : ErrorMessages[code]\n const opts = typeof messageOrOptions === 'object'\n ? messageOrOptions\n : options ?? {}\n\n super(message)\n this.name = 'GauError'\n this.code = code\n this.status = opts.status ?? ErrorStatuses[code] ?? 400\n this.redirectUrl = opts.redirectUrl\n this.cause = opts.cause\n }\n\n /**\n * Convert to JSON-serializable object for API responses.\n */\n toJSON() {\n return {\n error: this.message,\n code: this.code,\n ...(this.redirectUrl && { redirectUrl: this.redirectUrl }),\n }\n }\n}\n\n/**\n * Create an error redirect URL with query params.\n * Used when errorRedirect is configured.\n */\nexport function createErrorRedirectUrl(baseUrl: string, error: GauError): string {\n const url = new URL(baseUrl, 'http://placeholder')\n url.searchParams.set('code', error.code)\n url.searchParams.set('message', error.message)\n url.searchParams.set('status', String(error.status))\n if (error.redirectUrl)\n url.searchParams.set('redirect', error.redirectUrl)\n\n return url.pathname + url.search\n}\n\n/**\n * Context passed to error handlers.\n */\nexport interface ErrorContext {\n error: GauError\n request: Request\n}\n\n/**\n * Configuration for error handling.\n */\nexport interface ErrorHandlerConfig {\n basePath: string\n onError?: (context: ErrorContext) => Response | Promise<Response | undefined> | undefined\n errorRedirect?: string\n}\n\n/**\n * Determine if a request is user-facing (browser OAuth flow)\n * vs API (programmatic fetch).\n *\n * Uses route-based detection (reliable) rather than Accept headers (unreliable).\n *\n * User-facing routes (browser navigates directly):\n * - GET /:provider → OAuth sign-in start\n * - GET /callback/:provider → OAuth callback from provider\n * - GET /link/:provider → Account linking start\n *\n * API routes (JS fetch):\n * - GET /session → Get current session\n * - POST /signout → Sign out\n * - POST /token → PKCE token exchange\n * - POST /unlink/:provider → Unlink account\n */\nexport function isUserFacingRequest(request: Request, basePath: string): boolean {\n // POST requests are always API calls\n if (request.method !== 'GET')\n return false\n\n const url = new URL(request.url)\n const path = url.pathname.substring(basePath.length)\n const parts = path.split('/').filter(Boolean)\n\n // GET /session is an API call\n if (parts.length === 1 && parts[0] === 'session')\n return false\n\n // GET /:provider (sign-in start) - user-facing\n if (parts.length === 1)\n return true\n\n // GET /callback/:provider or GET /link/:provider - user-facing\n if (parts.length === 2 && (parts[0] === 'callback' || parts[0] === 'link'))\n return true\n\n return false\n}\n\n/**\n * Handle an error according to configuration.\n * Returns the appropriate Response based on context.\n *\n * Priority:\n * 1. Custom onError handler (if returns Response)\n * 2. errorRedirect (for user-facing requests only)\n * 3. Default: HTML error page for user-facing, JSON for API\n */\nexport async function handleError(\n context: ErrorContext,\n config: ErrorHandlerConfig,\n): Promise<Response> {\n const { error, request } = context\n\n // 1. Try custom onError handler\n if (config.onError) {\n try {\n const response = await config.onError(context)\n if (response)\n return response\n }\n catch (e) {\n console.error('onError handler threw:', e)\n }\n }\n\n // Determine if this is a user-facing request\n const userFacing = isUserFacingRequest(request, config.basePath)\n\n // 2. Try errorRedirect (only for user-facing requests)\n if (config.errorRedirect && userFacing) {\n const redirectUrl = createErrorRedirectUrl(config.errorRedirect, error)\n return new Response(null, {\n status: 302,\n headers: { Location: redirectUrl },\n })\n }\n\n // 3. Default handling\n if (userFacing) {\n // Import dynamically to avoid circular dependency\n const { renderErrorPage, htmlResponse } = await import('./templates')\n const html = renderErrorPage({\n title: 'Authentication Error',\n message: error.message,\n code: error.code,\n redirectUrl: error.redirectUrl,\n })\n return htmlResponse(html, error.status)\n }\n\n // API response - return JSON\n return new Response(JSON.stringify(error.toJSON()), {\n status: error.status,\n headers: { 'Content-Type': 'application/json; charset=utf-8' },\n })\n}\n","import type { OAuth2Tokens } from 'arctic'\nimport type { Cookies } from './cookies'\nimport type { Auth } from './createAuth'\n\nexport interface OAuthExchangeContext {\n request: Request\n providerId: string\n state: string\n code: string\n codeVerifier: string\n callbackUri?: string | null\n redirectTo: string\n cookies: Cookies\n providerUser: any\n tokens: OAuth2Tokens\n isLinking: boolean\n sessionUserId?: string\n}\n\nexport type OAuthExchangeResult = { handled: true, response: Response } | { handled: false }\n\nexport async function runOnOAuthExchange(auth: Auth | undefined, ctx: OAuthExchangeContext): Promise<OAuthExchangeResult> {\n if (!auth || typeof auth.onOAuthExchange !== 'function')\n return { handled: false }\n try {\n const res = await auth.onOAuthExchange(ctx)\n if (!res || typeof res !== 'object')\n return { handled: false }\n return res\n }\n catch (e) {\n console.error('onOAuthExchange hook error:', e)\n return { handled: false }\n }\n}\n\nexport interface MapExternalProfileContext {\n request: Request\n providerId: string\n providerUser: any\n tokens: OAuth2Tokens\n isLinking: boolean\n}\n\nexport async function maybeMapExternalProfile(auth: Auth | undefined, ctx: MapExternalProfileContext): Promise<any> {\n if (!auth || typeof auth.mapExternalProfile !== 'function')\n return ctx.providerUser\n try {\n const mapped = await auth.mapExternalProfile(ctx)\n if (!mapped)\n return ctx.providerUser\n return { ...ctx.providerUser, ...mapped }\n }\n catch (e) {\n console.error('mapExternalProfile hook error:', e)\n return ctx.providerUser\n }\n}\n\nexport interface BeforeLinkAccountContext {\n request: Request\n providerId: string\n userId: string\n providerUser: any\n tokens: OAuth2Tokens\n}\n\nexport async function runOnBeforeLinkAccount(auth: Auth | undefined, ctx: BeforeLinkAccountContext): Promise<{ allow: true } | { allow: false, response?: Response }> {\n if (!auth || typeof auth.onBeforeLinkAccount !== 'function')\n return { allow: true }\n try {\n const res = await auth.onBeforeLinkAccount(ctx)\n if (!res)\n return { allow: true }\n return res\n }\n catch (e) {\n console.error('onBeforeLinkAccount hook error:', e)\n return { allow: true }\n }\n}\n\nexport interface AfterLinkAccountContext extends BeforeLinkAccountContext { action: 'link' | 'update' }\n\nexport async function runOnAfterLinkAccount(auth: Auth | undefined, ctx: AfterLinkAccountContext): Promise<void> {\n if (!auth || typeof auth.onAfterLinkAccount !== 'function')\n return\n try {\n await auth.onAfterLinkAccount(ctx)\n }\n catch (e) {\n console.error('onAfterLinkAccount hook error:', e)\n }\n}\n","import type { Auth } from '../createAuth'\nimport type { User } from '../index'\nimport {\n CALLBACK_URI_COOKIE_NAME,\n CLIENT_CHALLENGE_COOKIE_NAME,\n Cookies,\n CSRF_COOKIE_NAME,\n LINKING_TOKEN_COOKIE_NAME,\n parseCookies,\n PKCE_COOKIE_NAME,\n PROVIDER_OPTIONS_COOKIE_NAME,\n SESSION_COOKIE_NAME,\n} from '../cookies'\nimport { ErrorCodes, GauError } from '../errors'\nimport { maybeMapExternalProfile, runOnAfterLinkAccount, runOnBeforeLinkAccount, runOnOAuthExchange } from '../hooks'\nimport { json, redirect } from '../index'\nimport { htmlResponse, renderCancelledPage, renderSuccessPage } from '../templates'\n\nexport async function handleCallback(request: Request, auth: Auth, providerId: string): Promise<Response> {\n const provider = auth.providerMap.get(providerId)\n if (!provider)\n throw new GauError(ErrorCodes.PROVIDER_NOT_FOUND)\n\n const url = new URL(request.url)\n const code = url.searchParams.get('code')\n const state = url.searchParams.get('state')\n const error = url.searchParams.get('error')\n\n if (!code || !state || error) {\n // Try to extract redirect URL from state if available\n let redirectTo = '/'\n if (state && state.includes('.')) {\n try {\n const encodedRedirect = state.split('.')[1]\n redirectTo = atob(encodedRedirect ?? '') || '/'\n }\n catch {\n redirectTo = '/'\n }\n }\n\n // OAuth was cancelled - show a nice page and redirect back\n const html = renderCancelledPage({ redirectUrl: redirectTo })\n return htmlResponse(html)\n }\n\n const requestCookies = parseCookies(request.headers.get('Cookie'))\n const cookies = new Cookies(requestCookies, auth.cookieOptions)\n\n let savedState: string | undefined\n let redirectTo = '/'\n if (state.includes('.')) {\n const [originalSavedState, encodedRedirect] = state.split('.')\n savedState = originalSavedState\n try {\n redirectTo = atob(encodedRedirect ?? '') || '/'\n }\n catch {\n redirectTo = '/'\n }\n }\n else {\n savedState = state\n }\n\n const csrfToken = cookies.get(CSRF_COOKIE_NAME)\n\n if (!csrfToken || csrfToken !== savedState)\n throw new GauError(ErrorCodes.CSRF_INVALID, { redirectUrl: redirectTo })\n\n const codeVerifier = cookies.get(PKCE_COOKIE_NAME)\n if (!codeVerifier)\n throw new GauError(ErrorCodes.PKCE_MISSING, { redirectUrl: redirectTo })\n\n const callbackUri = cookies.get(CALLBACK_URI_COOKIE_NAME)\n const providerOptionsRaw = cookies.get(PROVIDER_OPTIONS_COOKIE_NAME)\n let providerOverrides: any | undefined\n if (providerOptionsRaw) {\n try {\n const decoded = atob(providerOptionsRaw)\n const parsed = JSON.parse(decoded)\n providerOverrides = parsed?.overrides\n }\n catch {}\n }\n const linkingToken = cookies.get(LINKING_TOKEN_COOKIE_NAME)\n\n if (linkingToken)\n cookies.delete(LINKING_TOKEN_COOKIE_NAME)\n\n const isLinking = !!linkingToken\n\n if (isLinking) {\n const session = await auth.validateSession(linkingToken!)\n if (!session) {\n cookies.delete(CSRF_COOKIE_NAME)\n cookies.delete(PKCE_COOKIE_NAME)\n if (callbackUri)\n cookies.delete(CALLBACK_URI_COOKIE_NAME)\n cookies.delete(PROVIDER_OPTIONS_COOKIE_NAME)\n const response = redirect(redirectTo)\n cookies.toHeaders().forEach((value, key) => response.headers.append(key, value))\n return response\n }\n }\n\n const { user: rawProviderUser, tokens } = await provider.validateCallback(code, codeVerifier, callbackUri ?? undefined, providerOverrides)\n\n {\n const session = isLinking ? await auth.validateSession(linkingToken!) : null\n const hookResult = await runOnOAuthExchange(auth, {\n request,\n providerId,\n state,\n code,\n codeVerifier,\n callbackUri,\n redirectTo,\n cookies,\n providerUser: rawProviderUser,\n tokens,\n isLinking,\n sessionUserId: session?.user?.id,\n })\n if (hookResult.handled) {\n cookies.delete(CSRF_COOKIE_NAME)\n cookies.delete(PKCE_COOKIE_NAME)\n if (callbackUri)\n cookies.delete(CALLBACK_URI_COOKIE_NAME)\n cookies.delete(PROVIDER_OPTIONS_COOKIE_NAME)\n const response = hookResult.response\n cookies.toHeaders().forEach((value, key) => response.headers.append(key, value))\n return response\n }\n }\n\n const providerUser = await maybeMapExternalProfile(auth, {\n request,\n providerId,\n providerUser: rawProviderUser,\n tokens,\n isLinking,\n })\n\n // Enforce provider-level link-only when not linking (profile-level enforced at redirect time)\n if (!isLinking && (auth.providerMap.get(providerId)?.linkOnly === true)) {\n cookies.delete(CSRF_COOKIE_NAME)\n cookies.delete(PKCE_COOKIE_NAME)\n if (callbackUri)\n cookies.delete(CALLBACK_URI_COOKIE_NAME)\n cookies.delete(PROVIDER_OPTIONS_COOKIE_NAME)\n throw new GauError(ErrorCodes.LINK_ONLY_PROVIDER, { redirectUrl: redirectTo })\n }\n\n let user: User | null = null\n\n const userFromAccount = await auth.getUserByAccount(providerId, providerUser.id)\n\n if (isLinking) {\n const session = await auth.validateSession(linkingToken)\n user = session!.user\n\n if (!user)\n throw new GauError(ErrorCodes.USER_NOT_FOUND, { redirectUrl: redirectTo })\n\n if (userFromAccount && userFromAccount.id !== user.id)\n throw new GauError(ErrorCodes.ACCOUNT_ALREADY_LINKED, { redirectUrl: redirectTo })\n\n if (auth.allowDifferentEmails === false) {\n const currentEmail = user.email\n const providerEmail = providerUser.email\n if (currentEmail && providerEmail && currentEmail !== providerEmail)\n throw new GauError(ErrorCodes.EMAIL_MISMATCH, { redirectUrl: redirectTo })\n }\n\n if (user) {\n const update: Partial<User> & { id: string } = { id: user.id }\n let needsUpdate = false\n\n if (auth.updateUserInfoOnLink) {\n if (providerUser.name && providerUser.name !== user.name) {\n update.name = providerUser.name\n needsUpdate = true\n }\n if (providerUser.avatar && providerUser.avatar !== user.image) {\n update.image = providerUser.avatar\n needsUpdate = true\n }\n }\n else {\n if (!user.name && providerUser.name) {\n update.name = providerUser.name\n needsUpdate = true\n }\n if (!user.image && providerUser.avatar) {\n update.image = providerUser.avatar\n needsUpdate = true\n }\n }\n\n if (\n user.email\n && providerUser.email\n && user.email === providerUser.email\n && providerUser.emailVerified === true\n && (!user.emailVerified || auth.updateUserInfoOnLink)\n ) {\n update.emailVerified = true\n needsUpdate = true\n }\n\n if (needsUpdate) {\n try {\n user = await auth.updateUser(update)\n }\n catch (e) {\n console.error('Failed to update user info on link:', e)\n }\n }\n }\n }\n else {\n user = userFromAccount\n }\n\n if (!user) {\n const autoLink = auth.autoLink ?? 'verifiedEmail'\n const shouldLinkByEmail = providerUser.email && (\n (autoLink === 'always')\n || (autoLink === 'verifiedEmail' && providerUser.emailVerified === true)\n )\n if (shouldLinkByEmail) {\n const existingUser = await auth.getUserByEmail(providerUser.email!)\n if (existingUser) {\n // If the email is verified by the new provider, and the existing user's email is not,\n // update the user's email verification status.\n if (providerUser.emailVerified && !existingUser.emailVerified) {\n user = await auth.updateUser({\n id: existingUser.id,\n emailVerified: true,\n })\n }\n else {\n user = existingUser\n }\n }\n }\n if (!user) {\n try {\n if (providerUser.email && providerUser.emailVerified === true && auth.autoLink === false) {\n const existingWithSameEmail = await auth.getUserByEmail(providerUser.email)\n if (existingWithSameEmail)\n throw new GauError(ErrorCodes.EMAIL_ALREADY_EXISTS, { redirectUrl: redirectTo })\n }\n\n let resolvedRole: string | undefined\n try {\n resolvedRole = auth.roles.resolveOnCreate?.({ providerId, profile: providerUser, request: request as unknown as Request })\n }\n catch (e) {\n console.error('roles.resolveOnCreate threw:', e)\n }\n\n const emailToStore = providerUser.emailVerified === true ? providerUser.email : null\n\n user = await auth.createUser({\n name: providerUser.name,\n email: emailToStore,\n image: providerUser.avatar,\n emailVerified: providerUser.emailVerified,\n role: resolvedRole ?? auth.roles.defaultRole,\n })\n }\n catch (error) {\n if (error instanceof GauError)\n throw error\n console.error('Failed to create user:', error)\n throw new GauError(ErrorCodes.USER_CREATE_FAILED, { cause: error, redirectUrl: redirectTo })\n }\n }\n }\n\n // self-healing: update user's email if it's missing or unverified and the provider returns a verified email\n if (user && providerUser.email) {\n const { email: currentEmail, emailVerified: currentEmailVerified } = user\n const { email: providerEmail, emailVerified: providerEmailVerified } = providerUser\n\n const update: Partial<User> & { id: string } = { id: user.id }\n let needsUpdate = false\n\n // user has no primary email. promote the provider's email but only if it's verified.\n if (!currentEmail && providerEmailVerified === true) {\n update.email = providerEmail\n update.emailVerified = true\n needsUpdate = true\n }\n // user has an unverified primary email, and the provider confirms this same email is verified.\n else if (\n currentEmail === providerEmail\n && providerEmailVerified === true\n && !currentEmailVerified\n ) {\n update.emailVerified = true\n needsUpdate = true\n }\n\n if (needsUpdate) {\n try {\n user = await auth.updateUser(update)\n }\n catch (error) {\n console.error('Failed to update user after sign-in:', error)\n }\n }\n }\n\n if (!userFromAccount) {\n // GitHub sometimes doesn't return these which causes arctic to throw an error\n let refreshToken: string | null\n try {\n refreshToken = tokens.refreshToken()\n }\n catch {\n refreshToken = null\n }\n\n let expiresAt: number | undefined\n try {\n const expiresAtDate = tokens.accessTokenExpiresAt()\n if (expiresAtDate)\n expiresAt = Math.floor(expiresAtDate.getTime() / 1000)\n }\n catch {\n }\n\n let idToken: string | null\n try {\n idToken = tokens.idToken()\n }\n catch {\n idToken = null\n }\n\n {\n const pre = await runOnBeforeLinkAccount(auth, {\n request,\n providerId,\n userId: user.id,\n providerUser,\n tokens,\n })\n if (pre.allow === false) {\n const response = pre.response ?? (() => {\n throw new GauError(ErrorCodes.LINKING_NOT_ALLOWED, { redirectUrl: redirectTo })\n })()\n cookies.toHeaders().forEach((value, key) => response.headers.append(key, value))\n return response\n }\n }\n\n try {\n let scope: string | null\n try {\n scope = tokens.scopes()?.join(' ') ?? null\n }\n catch {\n scope = null\n }\n\n await auth.linkAccount({\n userId: user.id,\n provider: providerId,\n providerAccountId: providerUser.id,\n accessToken: tokens.accessToken(),\n refreshToken,\n expiresAt,\n tokenType: tokens.tokenType?.() ?? null,\n scope,\n idToken,\n })\n await runOnAfterLinkAccount(auth, {\n request,\n providerId,\n userId: user.id,\n providerUser,\n tokens,\n action: 'link',\n })\n }\n catch (error) {\n console.error('Error linking account:', error)\n throw new GauError(ErrorCodes.ACCOUNT_LINK_FAILED, { cause: error, redirectUrl: redirectTo })\n }\n }\n else {\n // Existing account: update stored tokens on sign-in (access/refresh/expires/idToken/etc.)\n try {\n const accounts = await auth.getAccounts(user!.id)\n const existing = accounts.find(a => a.provider === providerId && a.providerAccountId === providerUser.id)\n\n if (existing && auth.updateAccount) {\n let refreshToken: string | null\n try {\n refreshToken = tokens.refreshToken()\n }\n catch {\n refreshToken = existing.refreshToken ?? null\n }\n\n let expiresAt: number | undefined\n try {\n const expiresAtDate = tokens.accessTokenExpiresAt()\n if (expiresAtDate)\n expiresAt = Math.floor(expiresAtDate.getTime() / 1000)\n }\n catch {\n expiresAt = existing.expiresAt ?? undefined\n }\n\n let idToken: string | null\n try {\n idToken = tokens.idToken()\n }\n catch {\n idToken = existing.idToken ?? null\n }\n\n let scope: string | null\n try {\n scope = tokens.scopes()?.join(' ') ?? existing.scope ?? null\n }\n catch {\n scope = existing.scope ?? null\n }\n\n await auth.updateAccount({\n userId: user!.id,\n provider: providerId,\n providerAccountId: providerUser.id,\n accessToken: tokens.accessToken() ?? existing.accessToken ?? undefined,\n refreshToken,\n expiresAt: expiresAt ?? existing.expiresAt ?? undefined,\n tokenType: tokens.tokenType?.() ?? existing.tokenType ?? null,\n scope,\n idToken,\n })\n await runOnAfterLinkAccount(auth, {\n request,\n providerId,\n userId: user!.id,\n providerUser,\n tokens,\n action: 'update',\n })\n }\n }\n catch (error) {\n console.error('Failed to update account tokens on sign-in:', error)\n }\n }\n\n const sessionToken = await auth.createSession(user.id)\n\n const requestUrl = new URL(request.url)\n const redirectUrl = new URL(redirectTo, request.url)\n\n const forceToken = auth.sessionStrategy === 'token'\n const forceCookie = auth.sessionStrategy === 'cookie'\n\n const isCustomScheme = redirectUrl.protocol !== 'http:' && redirectUrl.protocol !== 'https:'\n const isCrossHost = requestUrl.host !== redirectUrl.host\n\n // For Tauri, we can't set a cookie on a custom protocol or a different host,\n // so we pass the token in the URL. Additionally, return a small HTML page\n // that immediately navigates to the deep-link and attempts to close the window,\n // so the external OAuth tab does not stay open.\n if (forceToken || (!forceCookie && (isCustomScheme || isCrossHost))) {\n const destination = new URL(redirectUrl)\n const clientChallenge = cookies.get(CLIENT_CHALLENGE_COOKIE_NAME)\n\n if (clientChallenge) {\n // PKCE\n const authCode = await auth.signJWT({\n sub: user.id,\n challenge: clientChallenge,\n }, { ttl: 60 })\n\n destination.searchParams.set('code', authCode)\n }\n else {\n throw new GauError(ErrorCodes.PKCE_CHALLENGE_MISSING, { redirectUrl: redirectTo })\n }\n\n // Use success page template instead of inline HTML\n const html = renderSuccessPage({ redirectUrl: destination.toString() })\n\n // Clear temporary cookies (CSRF/PKCE/Callback URI) so they don't linger\n cookies.delete(CSRF_COOKIE_NAME)\n cookies.delete(PKCE_COOKIE_NAME)\n if (callbackUri)\n cookies.delete(CALLBACK_URI_COOKIE_NAME)\n cookies.delete(PROVIDER_OPTIONS_COOKIE_NAME)\n cookies.delete(CLIENT_CHALLENGE_COOKIE_NAME)\n\n const response = htmlResponse(html)\n cookies.toHeaders().forEach((value, key) => {\n response.headers.append(key, value)\n })\n return response\n }\n\n cookies.set(SESSION_COOKIE_NAME, sessionToken, {\n maxAge: auth.jwt.ttl,\n sameSite: auth.development ? 'lax' : 'none',\n secure: !auth.development,\n })\n cookies.delete(CSRF_COOKIE_NAME)\n cookies.delete(PKCE_COOKIE_NAME)\n if (callbackUri)\n cookies.delete(CALLBACK_URI_COOKIE_NAME)\n cookies.delete(PROVIDER_OPTIONS_COOKIE_NAME)\n\n const redirectParam = url.searchParams.get('redirect')\n\n let response: Response\n if (redirectParam === 'false') {\n const accounts = await auth.getAccounts(user.id)\n const isAdmin = Boolean(\n (user.role && auth.roles.adminRoles.includes(user.role))\n || auth.roles.adminUserIds.includes(user.id),\n )\n response = json({ user: { ...user, isAdmin, accounts } })\n }\n else {\n response = redirect(redirectTo)\n }\n\n cookies.toHeaders().forEach((value, key) => {\n response.headers.append(key, value)\n })\n\n return response\n}\n","import type { Auth } from '../createAuth'\n\nfunction originAllowed(origin: string, auth: Auth): boolean {\n if (auth.cors === false)\n return false\n const cfg = auth.cors\n if (cfg.allowedOrigins === 'all')\n return true\n if (cfg.allowedOrigins === 'trust') {\n if (auth.trustHosts === 'all')\n return true\n try {\n const u = new URL(origin)\n return auth.trustHosts.includes(u.host) || auth.trustHosts.includes(u.hostname)\n }\n catch {\n return false\n }\n }\n if (cfg.allowedOrigins.includes('*'))\n return true\n try {\n const u = new URL(origin)\n return cfg.allowedOrigins.includes(origin) || cfg.allowedOrigins.includes(u.origin) || cfg.allowedOrigins.includes(u.host) || cfg.allowedOrigins.includes(u.hostname)\n }\n catch {\n return cfg.allowedOrigins.includes(origin)\n }\n}\n\nexport function applyCors(request: Request, response: Response, auth: Auth): Response {\n if (auth.cors === false)\n return response\n\n const origin = request.headers.get('Origin') || request.headers.get('origin')\n if (!origin)\n return response\n\n if (!originAllowed(origin, auth))\n return response\n\n const cfg = auth.cors\n response.headers.set('Vary', 'Origin')\n const allowCreds = cfg.allowCredentials\n const allowOriginValue = (cfg.allowedOrigins === 'all' && !allowCreds) ? '*' : origin\n response.headers.set('Access-Control-Allow-Origin', allowOriginValue)\n if (allowCreds)\n response.headers.set('Access-Control-Allow-Credentials', 'true')\n response.headers.set('Access-Control-Allow-Headers', cfg.allowedHeaders.join(', '))\n response.headers.set('Access-Control-Allow-Methods', cfg.allowedMethods.join(', '))\n if (cfg.exposeHeaders?.length)\n response.headers.set('Access-Control-Expose-Headers', cfg.exposeHeaders.join(', '))\n return response\n}\n\nexport function handlePreflight(request: Request, auth: Auth): Response {\n if (auth.cors === false)\n return new Response(null, { status: 204 })\n\n const origin = request.headers.get('Origin') || request.headers.get('origin')\n const cfg = auth.cors\n const headers: Record<string, string> = {}\n if (origin && originAllowed(origin, auth)) {\n const allowCreds = cfg.allowCredentials\n const allowOriginValue = (cfg.allowedOrigins === 'all' && !allowCreds) ? '*' : origin\n headers['Access-Control-Allow-Origin'] = allowOriginValue\n if (allowCreds)\n headers['Access-Control-Allow-Credentials'] = 'true'\n }\n headers['Access-Control-Allow-Headers'] = cfg.allowedHeaders.join(', ')\n headers['Access-Control-Allow-Methods'] = cfg.allowedMethods.join(', ')\n if (cfg.maxAge != null)\n headers['Access-Control-Max-Age'] = String(cfg.maxAge)\n if (cfg.exposeHeaders?.length)\n headers['Access-Control-Expose-Headers'] = cfg.exposeHeaders.join(', ')\n return new Response(null, { status: 204, headers })\n}\n","import { generateCodeVerifier, generateState } from 'arctic'\n\nexport function createOAuthUris() {\n const state = generateState()\n const codeVerifier = generateCodeVerifier()\n\n return {\n state,\n codeVerifier,\n }\n}\n","import type { Auth } from '../createAuth'\nimport { createOAuthUris } from '../../oauth/utils'\nimport {\n CALLBACK_URI_COOKIE_NAME,\n CLIENT_CHALLENGE_COOKIE_NAME,\n Cookies,\n CSRF_COOKIE_NAME,\n CSRF_MAX_AGE,\n LINKING_TOKEN_COOKIE_NAME,\n parseCookies,\n PKCE_COOKIE_NAME,\n PROVIDER_OPTIONS_COOKIE_NAME,\n} from '../cookies'\nimport { ErrorCodes, GauError } from '../errors'\nimport { json, redirect } from '../index'\n\nexport function verifyRequestOrigin(request: Request, trustHosts: 'all' | string[], development: boolean): boolean {\n if (trustHosts === 'all')\n return true\n\n const origin = request.headers.get('origin')\n\n if (!origin)\n return false\n\n let originHost: string\n try {\n originHost = new URL(origin).host\n }\n catch {\n return false\n }\n\n if (development) {\n const isLocal = originHost.startsWith('localhost') || originHost.startsWith('127.0.0.1')\n if (isLocal)\n return true\n }\n\n const requestUrl = new URL(request.url)\n const requestHost = requestUrl.host\n const requestOrigin = `${requestUrl.protocol}//${requestHost}`\n\n if (origin === requestOrigin)\n return true\n\n return trustHosts.includes(originHost)\n}\n\nexport async function prepareOAuthRedirect(\n request: Request,\n auth: Auth,\n providerId: string,\n linkingToken: string | null,\n): Promise<Response> {\n const provider = auth.providerMap.get(providerId)\n if (!provider)\n throw new GauError(ErrorCodes.PROVIDER_NOT_FOUND)\n\n const { state: originalState, codeVerifier } = createOAuthUris()\n const url = new URL(request.url)\n const redirectTo = url.searchParams.get('redirectTo')\n const profileName = url.searchParams.get('profile')\n const promptParam = url.searchParams.get('prompt')\n\n if (redirectTo) {\n let parsedRedirect: URL\n try {\n if (redirectTo.startsWith('//'))\n throw new Error('Protocol-relative URL not allowed')\n parsedRedirect = new URL(redirectTo, url.origin)\n }\n catch {\n throw new GauError(ErrorCodes.INVALID_REDIRECT_URL, 'Invalid \"redirectTo\" URL', { status: 400 })\n }\n\n const redirectHost = parsedRedirect.host\n const currentHost = new URL(request.url).host\n\n const isSameHost = redirectHost === currentHost\n const isTrusted = auth.trustHosts === 'all' || auth.trustHosts.includes(redirectHost)\n const isHttp = parsedRedirect.protocol === 'http:' || parsedRedirect.protocol === 'https:'\n\n if (isHttp && !isSameHost && !isTrusted)\n throw new GauError(ErrorCodes.UNTRUSTED_HOST)\n }\n\n const state = redirectTo ? `${originalState}.${btoa(redirectTo)}` : originalState\n let callbackUri = url.searchParams.get('callbackUri')\n if (!callbackUri && provider.requiresRedirectUri)\n callbackUri = `${url.origin}${auth.basePath}/callback/${providerId}`\n\n let scopesOverride: string[] | undefined\n let extraParams: Record<string, string> | undefined\n let overrides: any | undefined\n if (profileName) {\n const providerProfiles = auth.profiles?.[providerId] ?? {}\n const selected = providerProfiles[profileName]\n if (!selected)\n throw new GauError(ErrorCodes.UNKNOWN_PROFILE, `Unknown profile \"${profileName}\" for provider \"${providerId}\"`, { status: 400 })\n if (selected.redirectUri)\n callbackUri = selected.redirectUri\n if (selected.scopes)\n scopesOverride = selected.scopes\n if (selected.params)\n extraParams = { ...(selected.params ?? {}) }\n const { tenant, prompt } = selected as any\n if (tenant != null || prompt != null)\n overrides = { ...(overrides ?? {}), tenant, prompt }\n if (!linkingToken && selected.linkOnly === true)\n throw new GauError(ErrorCodes.LINK_ONLY_PROVIDER, 'This profile is link-only. Please link it to an existing account.', { status: 400 })\n }\n\n if (promptParam)\n extraParams = { ...(extraParams ?? {}), prompt: promptParam }\n\n if (!linkingToken && (provider.linkOnly === true))\n throw new GauError(ErrorCodes.LINK_ONLY_PROVIDER)\n\n let authUrl: URL | null\n try {\n authUrl = await provider.getAuthorizationUrl(state, codeVerifier, {\n redirectUri: callbackUri ?? undefined,\n scopes: scopesOverride,\n params: extraParams,\n overrides,\n })\n }\n catch (error) {\n console.error('Error getting authorization URL:', error)\n authUrl = null\n }\n\n if (!authUrl)\n throw new GauError(ErrorCodes.AUTHORIZATION_URL_FAILED, 'Could not create authorization URL', { status: 500 })\n\n const requestCookies = parseCookies(request.headers.get('Cookie'))\n const cookies = new Cookies(requestCookies, auth.cookieOptions)\n\n const temporaryCookieOptions = {\n maxAge: CSRF_MAX_AGE,\n sameSite: auth.development ? 'lax' : 'none',\n secure: !auth.development,\n } as const\n\n cookies.set(CSRF_COOKIE_NAME, originalState, temporaryCookieOptions)\n cookies.set(PKCE_COOKIE_NAME, codeVerifier, temporaryCookieOptions)\n if (linkingToken) {\n cookies.set(LINKING_TOKEN_COOKIE_NAME, linkingToken, temporaryCookieOptions)\n }\n else {\n cookies.delete(LINKING_TOKEN_COOKIE_NAME, {\n sameSite: auth.development ? 'lax' : 'none',\n secure: !auth.development,\n })\n }\n\n if (callbackUri)\n cookies.set(CALLBACK_URI_COOKIE_NAME, callbackUri, temporaryCookieOptions)\n\n const serializedOptions = JSON.stringify({ params: extraParams ?? {}, overrides: overrides ?? {} })\n cookies.set(PROVIDER_OPTIONS_COOKIE_NAME, btoa(serializedOptions), temporaryCookieOptions)\n\n const codeChallenge = url.searchParams.get('code_challenge')\n if (codeChallenge)\n cookies.set(CLIENT_CHALLENGE_COOKIE_NAME, codeChallenge, temporaryCookieOptions)\n\n const redirectParam = url.searchParams.get('redirect')\n\n if (redirectParam === 'false') {\n const response = json({ url: authUrl.toString() })\n cookies.toHeaders().forEach((value, key) => {\n response.headers.append(key, value)\n })\n return response\n }\n\n const response = redirect(authUrl.toString())\n cookies.toHeaders().forEach((value, key) => {\n response.headers.append(key, value)\n })\n\n return response\n}\n","import type { Auth } from '../createAuth'\nimport { ErrorCodes, GauError } from '../errors'\nimport { json } from '../index'\nimport { getSessionTokenFromRequest } from '../utils'\nimport { prepareOAuthRedirect } from './utils'\n\nexport async function handleLink(request: Request, auth: Auth, providerId: string): Promise<Response> {\n const url = new URL(request.url)\n let sessionToken = getSessionTokenFromRequest(request).token\n\n if (!sessionToken)\n sessionToken = url.searchParams.get('token') ?? undefined\n\n if (!sessionToken)\n throw new GauError(ErrorCodes.UNAUTHORIZED)\n\n const session = await auth.validateSession(sessionToken)\n if (!session)\n throw new GauError(ErrorCodes.UNAUTHORIZED)\n\n url.searchParams.delete('token')\n const cleanRequest = new Request(url.toString(), request as Request)\n\n return prepareOAuthRedirect(cleanRequest, auth, providerId, sessionToken)\n}\n\nexport async function handleUnlink(request: Request, auth: Auth, providerId: string): Promise<Response> {\n const sessionToken = getSessionTokenFromRequest(request).token\n\n if (!sessionToken)\n throw new GauError(ErrorCodes.UNAUTHORIZED)\n\n const session = await auth.validateSession(sessionToken)\n if (!session || !session.user)\n throw new GauError(ErrorCodes.UNAUTHORIZED)\n\n const accounts = session.accounts ?? []\n\n if (accounts.length <= 1)\n throw new GauError(ErrorCodes.CANNOT_UNLINK_LAST_ACCOUNT)\n\n const accountToUnlink = accounts.find(a => a.provider === providerId)\n if (!accountToUnlink)\n throw new GauError(ErrorCodes.ACCOUNT_NOT_LINKED, `Provider \"${providerId}\" not linked`)\n\n await auth.unlinkAccount(providerId, accountToUnlink.providerAccountId)\n\n const remainingAccounts = await auth.getAccounts(session.user.id)\n\n // if there are remaining accounts, we need to potentially update the user's primary info\n // TODO: for now we just clear the email\n if (remainingAccounts.length > 0 && session.user.email) {\n try {\n await auth.updateUser({\n id: session.user.id,\n email: null,\n emailVerified: false,\n })\n }\n catch (error) {\n console.error('Failed to clear stale email after unlinking:', error)\n }\n }\n\n return json({ message: 'Account unlinked successfully' })\n}\n","import type { Auth } from '../createAuth'\nimport { Cookies, LINKING_TOKEN_COOKIE_NAME, parseCookies, SESSION_COOKIE_NAME } from '../cookies'\n\nimport { json } from '../index'\nimport { prepareOAuthRedirect } from './utils'\n\nexport async function handleSignIn(request: Request, auth: Auth, providerId: string): Promise<Response> {\n return prepareOAuthRedirect(request, auth, providerId, null)\n}\n\nexport async function handleSignOut(request: Request, auth: Auth): Promise<Response> {\n const requestCookies = parseCookies(request.headers.get('Cookie'))\n const cookies = new Cookies(requestCookies, auth.cookieOptions)\n cookies.delete(SESSION_COOKIE_NAME, {\n sameSite: auth.development ? 'lax' : 'none',\n secure: !auth.development,\n })\n cookies.delete(LINKING_TOKEN_COOKIE_NAME, {\n sameSite: auth.development ? 'lax' : 'none',\n secure: !auth.development,\n })\n\n const response = json({ message: 'Signed out' })\n cookies.toHeaders().forEach((value, key) => {\n response.headers.append(key, value)\n })\n\n return response\n}\n","import type { Auth } from '../createAuth'\nimport { ErrorCodes, GauError } from '../errors'\nimport { json, NULL_SESSION, toClientSession } from '../index'\nimport { getSessionTokenFromRequest } from '../utils'\n\nexport async function handleSession(request: Request, auth: Auth): Promise<Response> {\n const { token: sessionToken } = getSessionTokenFromRequest(request)\n\n const providers = Array.from(auth.providerMap.keys())\n\n if (!sessionToken)\n return json({ ...NULL_SESSION, providers })\n\n try {\n const sessionData = await auth.validateSession(sessionToken)\n\n if (!sessionData)\n return json({ ...NULL_SESSION, providers }, { status: 401 })\n\n return json({ ...toClientSession(sessionData), providers })\n }\n catch (error) {\n console.error('Error validating session:', error)\n throw new GauError(ErrorCodes.SESSION_VALIDATION_FAILED, { cause: error })\n }\n}\n","import type { Auth } from '../createAuth'\nimport { ErrorCodes, GauError } from '../errors'\nimport { json } from '../index'\n\nexport async function handleToken(request: Request, auth: Auth): Promise<Response> {\n if (request.method !== 'POST')\n throw new GauError(ErrorCodes.METHOD_NOT_ALLOWED)\n\n let body: any\n try {\n body = await request.json()\n }\n catch {\n throw new GauError(ErrorCodes.INVALID_REQUEST, 'Invalid JSON body', { status: 400 })\n }\n\n const { code, codeVerifier } = body\n\n if (!code || !codeVerifier)\n throw new GauError(ErrorCodes.INVALID_REQUEST, 'Missing code or codeVerifier', { status: 400 })\n\n const payload = await auth.verifyJWT<{ sub: string, challenge: string }>(code)\n if (!payload)\n throw new GauError(ErrorCodes.TOKEN_EXPIRED, 'Invalid or expired code')\n\n const { sub: userId, challenge } = payload\n\n const encoder = new TextEncoder()\n const data = encoder.encode(codeVerifier)\n const hashBuffer = await crypto.subtle.digest('SHA-256', data)\n const hashArray = Array.from(new Uint8Array(hashBuffer))\n const expectedChallenge = btoa(String.fromCharCode(...hashArray))\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+$/, '')\n\n if (challenge !== expectedChallenge)\n throw new GauError(ErrorCodes.CODE_VERIFIER_INVALID)\n\n const sessionToken = await auth.createSession(userId)\n\n return json({ token: sessionToken })\n}\n","import type { Auth } from './createAuth'\nimport { ErrorCodes, GauError, handleError } from './errors'\nimport {\n applyCors,\n handleCallback,\n handleLink,\n handlePreflight,\n handleSession,\n handleSignIn,\n handleSignOut,\n handleToken,\n handleUnlink,\n verifyRequestOrigin,\n} from './handlers'\n\nexport function createHandler(auth: Auth): (request: Request) => Promise<Response> {\n const { basePath } = auth\n\n return async function (request: Request): Promise<Response> {\n // Handle preflight requests early\n if (request.method === 'OPTIONS')\n return handlePreflight(request, auth)\n\n const url = new URL(request.url)\n\n // Check if request is for this handler\n if (!url.pathname.startsWith(basePath)) {\n const error = new GauError(ErrorCodes.NOT_FOUND)\n const response = await handleError(\n { error, request },\n { basePath, onError: auth.onError, errorRedirect: auth.errorRedirect },\n )\n return applyCors(request, response, auth)\n }\n\n try {\n // CSRF protection for POST requests\n if (request.method === 'POST' && !verifyRequestOrigin(request, auth.trustHosts, auth.development)) {\n const origin = request.headers.get('origin') ?? 'unknown'\n const message = auth.development\n ? `Untrusted origin: '${origin}'. Add this origin to 'trustHosts' in createAuth() or ensure you are using 'localhost' or '127.0.0.1' for development.`\n : 'Forbidden'\n throw new GauError(ErrorCodes.FORBIDDEN, message, { status: 403 })\n }\n\n const path = url.pathname.substring(basePath.length)\n const parts = path.split('/').filter(Boolean)\n const action = parts[0]\n\n if (!action)\n throw new GauError(ErrorCodes.NOT_FOUND)\n\n let response: Response\n\n if (request.method === 'GET') {\n if (action === 'session')\n response = await handleSession(request, auth)\n else if (parts.length === 2 && parts[0] === 'link')\n response = await handleLink(request, auth, parts[1] as string)\n else if (parts.length === 2 && parts[0] === 'callback')\n response = await handleCallback(request, auth, parts[1] as string)\n else if (parts.length === 1)\n response = await handleSignIn(request, auth, action)\n else\n throw new GauError(ErrorCodes.NOT_FOUND)\n }\n else if (request.method === 'POST') {\n if (parts.length === 1 && action === 'signout')\n response = await handleSignOut(request, auth)\n else if (parts.length === 1 && action === 'token')\n response = await handleToken(request, auth)\n else if (parts.length === 2 && parts[0] === 'unlink')\n response = await handleUnlink(request, auth, parts[1] as string)\n else\n throw new GauError(ErrorCodes.NOT_FOUND)\n }\n else {\n throw new GauError(ErrorCodes.METHOD_NOT_ALLOWED)\n }\n\n // Add cache headers\n try {\n response.headers.set('Cache-Control', 'no-store, private')\n response.headers.set('Pragma', 'no-cache')\n response.headers.set('Expires', '0')\n }\n catch {}\n\n return applyCors(request, response, auth)\n }\n catch (error) {\n // Handle GauError\n if (error instanceof GauError) {\n const response = await handleError(\n { error, request },\n { basePath, onError: auth.onError, errorRedirect: auth.errorRedirect },\n )\n return applyCors(request, response, auth)\n }\n\n // Unknown error - wrap in GauError\n console.error('Unexpected error in gau handler:', error)\n const gauError = new GauError(\n ErrorCodes.INTERNAL_ERROR,\n { cause: error },\n )\n const response = await handleError(\n { error: gauError, request },\n { basePath, onError: auth.onError, errorRedirect: auth.errorRedirect },\n )\n return applyCors(request, response, auth)\n }\n }\n}\n","export interface User {\n id: string\n name?: string | null\n email?: string | null\n emailVerified?: boolean | null\n image?: string | null\n role?: string | null\n isAdmin?: boolean\n}\n\nexport interface Session {\n id: string\n sub: string\n [key: string]: unknown\n}\n\nexport interface ClientAccount {\n provider: string\n providerAccountId: string\n}\n\n/**\n * Client-safe session data.\n */\nexport interface GauSession<TProviders extends string = string> {\n user: User | null\n session: Session | null\n accounts?: ClientAccount[] | null\n providers?: TProviders[]\n}\n\n/**\n * Full server-side session with complete account data including tokens.\n *\n * Never serialize this to the client - contains sensitive access/refresh tokens.\n */\nexport interface GauServerSession<TProviders extends string = string> {\n user: User | null\n session: Session | null\n accounts?: Account[] | null\n providers?: TProviders[]\n}\n\nexport const NULL_SESSION = {\n user: null,\n session: null,\n accounts: null,\n} as const\n\nexport function toClientSession<TProviders extends string = string>(\n serverSession: GauServerSession<TProviders>,\n): GauSession<TProviders> {\n return {\n user: serverSession.user,\n session: serverSession.session,\n accounts: serverSession.accounts?.map(acc => ({\n provider: acc.provider,\n providerAccountId: acc.providerAccountId,\n })) ?? null,\n providers: serverSession.providers,\n }\n}\n\nexport interface NewUser extends Omit<User, 'id' | 'accounts' | 'isAdmin'> {\n id?: string\n}\n\nexport interface Account {\n userId: string\n provider: string\n providerAccountId: string\n type?: string // e.g. \"oauth\"\n accessToken?: string | null\n refreshToken?: string | null\n expiresAt?: number | null // epoch seconds\n idToken?: string | null\n scope?: string | null\n tokenType?: string | null\n sessionState?: string | null\n}\n\nexport interface NewAccount extends Account {}\n\nexport interface Adapter {\n getUser: (id: string) => Promise<User | null>\n getUserByEmail: (email: string) => Promise<User | null>\n getUserByAccount: (provider: string, providerAccountId: string) => Promise<User | null>\n getAccounts: (userId: string) => Promise<Account[]>\n getUserAndAccounts: (userId: string) => Promise<{ user: User, accounts: Account[] } | null>\n createUser: (data: NewUser) => Promise<User>\n linkAccount: (data: NewAccount) => Promise<void>\n unlinkAccount: (provider: string, providerAccountId: string) => Promise<void>\n updateAccount?: (data: Partial<Account> & { userId: string, provider: string, providerAccountId: string }) => Promise<void>\n updateUser: (data: Partial<User> & { id: string }) => Promise<User>\n deleteUser: (id: string) => Promise<void>\n}\n\nexport class AuthError extends Error {\n override readonly cause?: unknown\n constructor(message: string, cause?: unknown) {\n super(message)\n this.name = 'AuthError'\n this.cause = cause\n }\n}\n\nexport function json<T>(data: T, init: ResponseInit = {}): Response {\n const headers = new Headers(init.headers)\n if (!headers.has('Content-Type'))\n headers.set('Content-Type', 'application/json; charset=utf-8')\n return new Response(JSON.stringify(data), { ...init, headers })\n}\n\nexport function redirect(url: string, status: 302 | 303 = 302): Response {\n return new Response(null, {\n status,\n headers: {\n Location: url,\n },\n })\n}\n\nexport * from './cookies'\nexport * from './createAuth'\nexport * from './errors'\nexport * from './handler'\nexport * from './templates'\nexport * from './utils'\n\nexport const REFRESHED_TOKEN_HEADER = 'X-Refreshed-Token'\n","import { AuthError } from '../core/index'\n\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n let diff = a.length ^ b.length\n const len = Math.max(a.length, b.length)\n for (let i = 0; i < len; i++)\n diff |= (a[i] ?? 0) ^ (b[i] ?? 0)\n\n return diff === 0\n}\n\nfunction base64UrlToArray(base64Url: string): Uint8Array {\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/')\n const padLength = (4 - (base64.length % 4)) % 4\n const padded = base64.padEnd(base64.length + padLength, '=')\n try {\n const binary_string = atob(padded)\n const len = binary_string.length\n const bytes = new Uint8Array(len)\n for (let i = 0; i < len; i++)\n bytes[i] = binary_string.charCodeAt(i)\n\n return bytes\n }\n catch {\n throw new AuthError('Invalid base64url string')\n }\n}\n\nexport async function deriveKeysFromSecret(secret: string): Promise<{ privateKey: CryptoKey, publicKey: CryptoKey }> {\n try {\n const secretBytes = base64UrlToArray(secret)\n const privateKey = await crypto.subtle.importKey(\n 'pkcs8',\n secretBytes.slice(),\n { name: 'ECDSA', namedCurve: 'P-256' },\n true,\n ['sign'],\n )\n\n const jwk = await crypto.subtle.exportKey('jwk', privateKey)\n delete jwk.d\n jwk.key_ops = ['verify']\n\n const publicKey = await crypto.subtle.importKey(\n 'jwk',\n jwk,\n { name: 'ECDSA', namedCurve: 'P-256' },\n true,\n ['verify'],\n )\n return { privateKey, publicKey }\n }\n catch (error) {\n if (error instanceof AuthError)\n throw error\n throw new AuthError('Invalid secret. Must be a base64url-encoded PKCS#8 private key for ES256. Use `bunx gau secret` to generate one.', error)\n }\n}\n\n/**\n * Convert JWS raw signature (r || s) to DER-encoded format for WebCrypto.\n */\nexport function rawToDer(raw: Uint8Array): Uint8Array {\n if (raw.length !== 64)\n throw new Error('Invalid raw signature length')\n\n let r = raw.slice(0, 32)\n let s = raw.slice(32)\n\n let rOffset = 0\n while (rOffset < r.length - 1 && r[rOffset] === 0) rOffset++\n r = r.slice(rOffset)\n\n let sOffset = 0\n while (sOffset < s.length - 1 && s[sOffset] === 0) sOffset++\n s = s.slice(sOffset)\n\n if (r.length > 0 && r[0]! & 0x80) {\n const rPadded = new Uint8Array(r.length + 1)\n rPadded[0] = 0\n rPadded.set(r, 1)\n r = rPadded\n }\n if (s.length > 0 && s[0]! & 0x80) {\n const sPadded = new Uint8Array(s.length + 1)\n sPadded[0] = 0\n sPadded.set(s, 1)\n s = sPadded\n }\n\n const rLength = r.length\n const sLength = s.length\n const totalLength = 2 + rLength + 2 + sLength\n\n const der = new Uint8Array(2 + totalLength)\n der[0] = 0x30 // SEQUENCE\n der[1] = totalLength\n der[2] = 0x02 // INTEGER\n der[3] = rLength\n der.set(r, 4)\n der[4 + rLength] = 0x02 // INTEGER\n der[5 + rLength] = sLength\n der.set(s, 6 + rLength)\n\n return der\n}\n"],"mappings":";;;;;;;AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACNP,SAAS,OAAO,iBAAiB;AAE1B,IAAM,mCAAqD;AAAA,EAChE,MAAM;AAAA,EACN,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,UAAU;AACZ;AAIO,SAAS,aAAa,cAA8D;AACzF,QAAM,UAAU,oBAAI,IAAoB;AACxC,MAAI,cAAc;AAChB,UAAM,SAAS,MAAM,YAAY;AACjC,eAAW,QAAQ;AACjB,cAAQ,IAAI,MAAM,OAAO,IAAI,CAAE;AAAA,EACnC;AACA,SAAO;AACT;AAEO,IAAM,UAAN,MAAc;AAAA,EAGnB,YACmB,gBACA,gBACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EALH,OAAiB,CAAC;AAAA,EAOlB,IAAI,MAAkC;AACpC,WAAO,KAAK,eAAe,IAAI,IAAI;AAAA,EACrC;AAAA,EAEA,IAAI,MAAc,OAAe,SAAkC;AACjE,UAAM,kBAAkB,EAAE,GAAG,KAAK,gBAAgB,GAAG,QAAQ;AAC7D,SAAK,KAAK,KAAK,CAAC,MAAM,OAAO,eAAe,CAAC;AAAA,EAC/C;AAAA,EAEA,OAAO,MAAc,SAA8D;AACjF,SAAK,IAAI,MAAM,IAAI,EAAE,GAAG,SAAS,SAAS,oBAAI,KAAK,CAAC,GAAG,QAAQ,EAAE,CAAC;AAAA,EACpE;AAAA,EAEA,YAAqB;AACnB,UAAM,UAAU,IAAI,QAAQ;AAC5B,eAAW,CAAC,MAAM,OAAO,OAAO,KAAK,KAAK;AACxC,cAAQ,OAAO,cAAc,UAAU,MAAM,OAAO,OAAO,CAAC;AAE9D,WAAO;AAAA,EACT;AACF;AAEO,IAAM,mBAAmB;AACzB,IAAM,sBAAsB;AAC5B,IAAM,+BAA+B;AACrC,IAAM,4BAA4B;AAClC,IAAM,mBAAmB;AACzB,IAAM,2BAA2B;AACjC,IAAM,+BAA+B;AACrC,IAAM,+BAA+B;AAErC,IAAM,eAAe,KAAK;;;ACtDjC,SAAS,aAAAA,kBAAiB;;;ACCnB,SAAS,2BAA2B,SAAmE;AAC5G,QAAM,UAAU,aAAa,QAAQ,QAAQ,IAAI,QAAQ,CAAC;AAC1D,QAAM,cAAc,QAAQ,IAAI,mBAAmB;AACnD,MAAI;AACF,WAAO,EAAE,OAAO,aAAa,QAAQ,SAAS;AAEhD,QAAM,aAAa,QAAQ,QAAQ,IAAI,eAAe;AACtD,MAAI,YAAY,WAAW,SAAS;AAClC,WAAO,EAAE,OAAO,WAAW,UAAU,CAAC,GAAG,QAAQ,SAAS;AAE5D,SAAO,CAAC;AACV;;;ADyRO,SAAS,WAAqD;AAAA,EACnE;AAAA,EACA;AAAA,EACA,WAAW;AAAA,EACX,KAAK,YAAY,CAAC;AAAA,EAClB,SAAS,gBAAgB,CAAC;AAAA,EAC1B,SAAS,eAAe,CAAC;AAAA,EACzB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa,CAAC;AAAA,EACd,WAAW;AAAA,EACX,uBAAuB;AAAA,EACvB,uBAAuB;AAAA,EACvB,OAAO,cAAc,CAAC;AAAA,EACtB,OAAO;AAAA,EACP,UAAU;AAAA,EACV;AAAA,EACA;AACF,GAAoD;AAClD,QAAM,EAAE,YAAY,SAAS,QAAQ,KAAK,KAAK,KAAK,aAAa,OAAO,KAAK,EAAE,IAAI;AACnF,QAAM,gBAAgB,EAAE,GAAG,kCAAkC,GAAG,aAAa;AAE7E,QAAM,kBAA+C,cAAc,YAAY;AAE/E,MAAI,cAAc,WAAW,WAAW,UAAa,OAAO,WAAW;AACrE,UAAM,IAAI,UAAU,gDAAgD;AAEtE,QAAM,cAAc,IAAI,IAAI,UAAU,IAAI,OAAK,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAEzD,QAAM,eAA6B,SAAS,QACxC,QACA;AAAA,IACE,iBAAiB,SAAS,OAAO,QAAQ,KAAK,mBAAmB;AAAA,IACjE,mBAAmB,SAAS,OAAO,OAAO,KAAK,qBAAqB;AAAA,IACpE,iBAAiB,SAAS,OAAO,SAAY,KAAK,mBAAmB,CAAC,gBAAgB,iBAAiB,QAAQ;AAAA,IAC/G,iBAAiB,SAAS,OAAO,SAAY,KAAK,mBAAmB,CAAC,OAAO,QAAQ,SAAS;AAAA,IAC9F,eAAe,SAAS,OAAO,SAAY,KAAK;AAAA,IAChD,QAAQ,SAAS,OAAO,SAAY,KAAK;AAAA,EAC3C;AAEJ,QAAM,mBAAoB,kBAAkB,CAAC;AAC7C,QAAM,gBAAgB;AAAA,IACpB,aAAa,YAAY,eAAe;AAAA,IACxC,iBAAiB,YAAY;AAAA,IAC7B,YAAY,YAAY,cAAc,CAAC,OAAO;AAAA,IAC9C,cAAc,YAAY,gBAAgB,CAAC;AAAA,EAC7C;AAEA,WAAS,iBAAiB,SAA+B,CAAC,GAAgB;AACxE,UAAM,OAAO,EAAE,KAAK,OAAO,KAAK,KAAK,OAAO,OAAO,KAAK,KAAK,OAAO,OAAO,KAAK,KAAK,OAAO,IAAI;AAChG,QAAI,cAAc,SAAS;AACzB,aAAO,EAAE,WAAW,QAAQ,OAAO,UAAU,QAAQ,GAAG,KAAK;AAAA,IAC/D,OACK;AACH,UAAI,OAAO,WAAW,UAAa,OAAO,OAAO,WAAW;AAC1D,cAAM,IAAI,UAAU,gDAAgD;AACtE,YAAM,WAAW,OAAO,UAAU;AAClC,aAAO,EAAE,WAAW,YAAY,OAAO,YAAY,QAAQ,UAAU,GAAG,KAAK;AAAA,IAC/E;AAAA,EACF;AAEA,WAAS,mBAAmB,SAAiC,CAAC,GAAkB;AAC9E,UAAM,OAAO,EAAE,KAAK,OAAO,OAAO,KAAK,KAAK,OAAO,OAAO,IAAI;AAC9D,QAAI,cAAc,SAAS;AACzB,aAAO,EAAE,WAAW,QAAQ,OAAO,UAAU,QAAQ,GAAG,KAAK;AAAA,IAC/D,OACK;AACH,UAAI,OAAO,WAAW,UAAa,OAAO,OAAO,WAAW;AAC1D,cAAM,IAAI,UAAU,gDAAgD;AACtE,YAAM,WAAW,OAAO,UAAU;AAClC,aAAO,EAAE,WAAW,WAAW,OAAO,WAAW,QAAQ,UAAU,GAAG,KAAK;AAAA,IAC7E;AAAA,EACF;AAEA,iBAAe,QAA2C,SAAY,gBAAsC,CAAC,GAAoB;AAC/H,WAAO,KAAK,SAAS,iBAAiB,aAAa,CAAC;AAAA,EACtD;AAEA,iBAAe,UAAuC,OAAe,gBAAwC,CAAC,GAAsB;AAClI,UAAM,UAAU,mBAAmB,aAAa;AAChD,QAAI;AACF,aAAO,MAAM,OAAU,OAAO,OAAO;AAAA,IACvC,QACM;AACJ,aAAO;AAAA,IACT;AAAA,EACF;AAEA,iBAAe,cAAc,QAAgB,OAAgC,CAAC,GAAG,MAAM,YAA6B;AAClH,UAAM,UAAU,EAAE,KAAK,QAAQ,GAAG,KAAK;AACvC,WAAO,QAAQ,SAAS,EAAE,IAAI,CAAC;AAAA,EACjC;AAEA,iBAAe,aAAa,QAAgB,UAA+B,CAAC,GAAgC;AAC1G,UAAM,EAAE,OAAO,CAAC,GAAG,MAAM,WAAW,IAAI;AACxC,UAAM,QAAQ,MAAM,cAAc,QAAQ,MAAM,GAAG;AAEnD,UAAM,aAA+B;AAAA,MACnC,GAAG;AAAA,MACH,QAAQ;AAAA,IACV;AAEA,UAAM,SAASC,WAAU,qBAAqB,OAAO,UAAU;AAE/D,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,iBAAe,eAAe,gBAAkC,UAAiC,CAAC,GAAyC;AACzI,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAO,mBAAmB,UAAU;AACtC,cAAQ;AACR,eAAS;AAAA,IACX,OACK;AACH,YAAM,YAAY,2BAA2B,cAAc;AAC3D,UAAI,CAAC,UAAU,SAAS,CAAC,UAAU;AACjC,eAAO;AACT,cAAQ,UAAU;AAClB,eAAS,UAAU;AAAA,IACrB;AAEA,UAAM,UAAU,MAAM,UAAmE,KAAK;AAC9F,QAAI,CAAC,WAAW,CAAC,QAAQ;AACvB,aAAO;AAET,QAAI,QAAQ,aAAa,QAAQ,QAAQ,YAAY,KAAK,QAAQ,YAAY,GAAG;AAC/E,YAAM,EAAE,KAAAC,KAAI,IAAI;AAChB,UAAIA,MAAK;AACP,cAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,cAAM,aAAa,MAAMA;AACzB,cAAM,MAAM,QAAQ,OAAO;AAC3B,cAAM,mBAAmB,MAAM,QAAQ;AAEvC,YAAI,aAAa;AACf,iBAAO;AAAA,MACX;AAAA,IACF;AAEA,UAAM,OAAO,MAAM,QAAQ,QAAQ,QAAQ,GAAG;AAC9C,QAAI,CAAC;AACH,aAAO;AACT,UAAM,EAAE,KAAK,KAAK,KAAK,KAAAC,MAAK,KAAAC,MAAK,KAAK,KAAK,GAAG,aAAa,IAAI;AAE/D,UAAM,SAAS,MAAM,aAAa,QAAQ,KAAK;AAAA,MAC7C,MAAM;AAAA,MACN,KAAK,QAAQ;AAAA,IACf,CAAC;AAED,WAAO,EAAE,GAAG,QAAQ,OAAO;AAAA,EAC7B;AAEA,iBAAe,gBAAgB,OAAiD;AAC9E,UAAM,UAAU,MAAM,UAAqD,KAAK;AAChF,QAAI,CAAC;AACH,aAAO;AAET,UAAM,kBAAkB,MAAM,QAAQ,mBAAmB,QAAQ,GAAG;AACpE,QAAI,CAAC;AACH,aAAO;AAET,UAAM,EAAE,MAAM,SAAS,IAAI;AAC3B,UAAM,UAAU;AAAA,MACd,SAEG,KAAK,QAAQ,cAAc,WAAW,SAAS,KAAK,IAAI,KACrD,cAAc,aAAa,SAAS,KAAK,cAAc,aAAa,SAAS,KAAK,EAAE;AAAA,IAE5F;AACA,UAAM,cAAc,OAAO,EAAE,GAAG,MAAM,QAAQ,IAAI;AAElD,WAAO,EAAE,MAAM,aAAa,SAAS,EAAE,IAAI,OAAO,GAAG,QAAQ,GAAG,SAAS;AAAA,EAC3E;AAEA,iBAAe,eAAe,QAAgB,YAAoB;AAChE,UAAM,WAAW,YAAY,IAAI,UAAU;AAC3C,QAAI,CAAC;AACH,aAAO;AAET,UAAM,WAAW,MAAM,QAAQ,YAAY,MAAM;AACjD,UAAM,UAAU,SAAS,KAAK,OAAK,EAAE,aAAa,UAAU;AAC5D,QAAI,CAAC,WAAW,CAAC,QAAQ;AACvB,aAAO;AAET,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,YAAY,OAAO,QAAQ,cAAc,WAAW,QAAQ,aAAa,MAAM;AAErF,QAAI,CAAC;AACH,aAAO,EAAE,aAAa,QAAQ,aAAa,WAAW,QAAQ,aAAa,KAAK;AAElF,QAAI,CAAC,QAAQ,gBAAgB,CAAC,SAAS;AACrC,aAAO;AAET,QAAI;AACF,YAAM,YAAY,MAAM,SAAS,mBAAmB,QAAQ,cAAc,CAAC,CAAC;AAC5E,YAAM,UAAU;AAAA,QACd;AAAA,QACA,UAAU,QAAQ;AAAA,QAClB,mBAAmB,QAAQ;AAAA,QAC3B,aAAa,UAAU,eAAe,QAAQ;AAAA,QAC9C,cAAc,UAAU,gBAAgB,QAAQ;AAAA,QAChD,WAAW,UAAU,aAAa;AAAA,QAClC,SAAS,UAAU,WAAW,QAAQ,WAAW;AAAA,QACjD,WAAW,UAAU,aAAa,QAAQ,aAAa;AAAA,QACvD,OAAO,UAAU,SAAS,QAAQ,SAAS;AAAA,MAC7C;AACA,YAAM,QAAQ,gBAAgB,OAAO;AACrC,aAAO,EAAE,aAAa,QAAQ,aAAc,WAAW,QAAQ,UAAU;AAAA,IAC3E,QACM;AACJ,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,IACA,KAAK;AAAA,MACH,KAAK;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,UAAU;AAAA,IACV;AAAA,IACA;AAAA,IACA,aAAa;AAAA,IACb,OAAO;AAAA,IACP,MAAM;AAAA,IACN;AAAA,IACA;AAAA,EACF;AACF;;;AEriBO,IAAM,gBAAgB;AAAA;AAAA,EAE3B,cAAc;AAAA,EACd,cAAc;AAAA,EACd,wBAAwB;AAAA,EACxB,iBAAiB;AAAA,EACjB,oBAAoB;AAAA,EACpB,0BAA0B;AAAA;AAAA,EAG1B,gBAAgB;AAAA,EAChB,oBAAoB;AAAA,EACpB,wBAAwB;AAAA,EACxB,qBAAqB;AAAA,EACrB,oBAAoB;AAAA,EACpB,4BAA4B;AAAA,EAC5B,sBAAsB;AAAA,EACtB,gBAAgB;AAAA,EAChB,qBAAqB;AAAA,EACrB,oBAAoB;AAAA;AAAA,EAGpB,cAAc;AAAA,EACd,WAAW;AAAA,EACX,iBAAiB;AAAA,EACjB,2BAA2B;AAAA;AAAA,EAG3B,eAAe;AAAA,EACf,eAAe;AAAA,EACf,uBAAuB;AAAA;AAAA,EAGvB,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,iBAAiB;AAAA,EACjB,sBAAsB;AAAA,EACtB,gBAAgB;AAAA,EAChB,iBAAiB;AAAA;AAAA,EAGjB,gBAAgB;AAClB;AASO,IAAM,aAAsC,OAAO;AAAA,EACxD,OAAO,KAAK,aAAa,EAAE,IAAI,OAAK,CAAC,GAAG,CAAC,CAAC;AAC5C;AAMO,IAAM,gBAAoD;AAAA,EAC/D,cAAc;AAAA,EACd,cAAc;AAAA,EACd,WAAW;AAAA,EACX,WAAW;AAAA,EACX,oBAAoB;AAAA,EACpB,gBAAgB;AAAA,EAChB,oBAAoB;AAAA,EACpB,qBAAqB;AAAA,EACrB,0BAA0B;AAAA,EAC1B,2BAA2B;AAAA,EAC3B,wBAAwB;AAAA,EACxB,sBAAsB;AAAA,EACtB,qBAAqB;AACvB;AAsBO,IAAM,WAAN,cAAuB,MAAM;AAAA,EACzB;AAAA,EACA;AAAA,EACA;AAAA,EACS;AAAA,EAElB,YACE,MACA,kBACA,SACA;AAEA,UAAM,UAAU,OAAO,qBAAqB,WACxC,mBACA,cAAc,IAAI;AACtB,UAAM,OAAO,OAAO,qBAAqB,WACrC,mBACA,WAAW,CAAC;AAEhB,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,OAAO;AACZ,SAAK,SAAS,KAAK,UAAU,cAAc,IAAI,KAAK;AACpD,SAAK,cAAc,KAAK;AACxB,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS;AACP,WAAO;AAAA,MACL,OAAO,KAAK;AAAA,MACZ,MAAM,KAAK;AAAA,MACX,GAAI,KAAK,eAAe,EAAE,aAAa,KAAK,YAAY;AAAA,IAC1D;AAAA,EACF;AACF;AAMO,SAAS,uBAAuB,SAAiB,OAAyB;AAC/E,QAAM,MAAM,IAAI,IAAI,SAAS,oBAAoB;AACjD,MAAI,aAAa,IAAI,QAAQ,MAAM,IAAI;AACvC,MAAI,aAAa,IAAI,WAAW,MAAM,OAAO;AAC7C,MAAI,aAAa,IAAI,UAAU,OAAO,MAAM,MAAM,CAAC;AACnD,MAAI,MAAM;AACR,QAAI,aAAa,IAAI,YAAY,MAAM,WAAW;AAEpD,SAAO,IAAI,WAAW,IAAI;AAC5B;AAoCO,SAAS,oBAAoB,SAAkB,UAA2B;AAE/E,MAAI,QAAQ,WAAW;AACrB,WAAO;AAET,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,OAAO,IAAI,SAAS,UAAU,SAAS,MAAM;AACnD,QAAM,QAAQ,KAAK,MAAM,GAAG,EAAE,OAAO,OAAO;AAG5C,MAAI,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AACrC,WAAO;AAGT,MAAI,MAAM,WAAW;AACnB,WAAO;AAGT,MAAI,MAAM,WAAW,MAAM,MAAM,CAAC,MAAM,cAAc,MAAM,CAAC,MAAM;AACjE,WAAO;AAET,SAAO;AACT;AAWA,eAAsB,YACpB,SACA,QACmB;AACnB,QAAM,EAAE,OAAO,QAAQ,IAAI;AAG3B,MAAI,OAAO,SAAS;AAClB,QAAI;AACF,YAAM,WAAW,MAAM,OAAO,QAAQ,OAAO;AAC7C,UAAI;AACF,eAAO;AAAA,IACX,SACO,GAAG;AACR,cAAQ,MAAM,0BAA0B,CAAC;AAAA,IAC3C;AAAA,EACF;AAGA,QAAM,aAAa,oBAAoB,SAAS,OAAO,QAAQ;AAG/D,MAAI,OAAO,iBAAiB,YAAY;AACtC,UAAM,cAAc,uBAAuB,OAAO,eAAe,KAAK;AACtE,WAAO,IAAI,SAAS,MAAM;AAAA,MACxB,QAAQ;AAAA,MACR,SAAS,EAAE,UAAU,YAAY;AAAA,IACnC,CAAC;AAAA,EACH;AAGA,MAAI,YAAY;AAEd,UAAM,EAAE,iBAAiB,cAAAC,cAAa,IAAI,MAAM,OAAO,yBAAa;AACpE,UAAM,OAAO,gBAAgB;AAAA,MAC3B,OAAO;AAAA,MACP,SAAS,MAAM;AAAA,MACf,MAAM,MAAM;AAAA,MACZ,aAAa,MAAM;AAAA,IACrB,CAAC;AACD,WAAOA,cAAa,MAAM,MAAM,MAAM;AAAA,EACxC;AAGA,SAAO,IAAI,SAAS,KAAK,UAAU,MAAM,OAAO,CAAC,GAAG;AAAA,IAClD,QAAQ,MAAM;AAAA,IACd,SAAS,EAAE,gBAAgB,kCAAkC;AAAA,EAC/D,CAAC;AACH;;;ACvPA,eAAsB,mBAAmB,MAAwB,KAAyD;AACxH,MAAI,CAAC,QAAQ,OAAO,KAAK,oBAAoB;AAC3C,WAAO,EAAE,SAAS,MAAM;AAC1B,MAAI;AACF,UAAM,MAAM,MAAM,KAAK,gBAAgB,GAAG;AAC1C,QAAI,CAAC,OAAO,OAAO,QAAQ;AACzB,aAAO,EAAE,SAAS,MAAM;AAC1B,WAAO;AAAA,EACT,SACO,GAAG;AACR,YAAQ,MAAM,+BAA+B,CAAC;AAC9C,WAAO,EAAE,SAAS,MAAM;AAAA,EAC1B;AACF;AAUA,eAAsB,wBAAwB,MAAwB,KAA8C;AAClH,MAAI,CAAC,QAAQ,OAAO,KAAK,uBAAuB;AAC9C,WAAO,IAAI;AACb,MAAI;AACF,UAAM,SAAS,MAAM,KAAK,mBAAmB,GAAG;AAChD,QAAI,CAAC;AACH,aAAO,IAAI;AACb,WAAO,EAAE,GAAG,IAAI,cAAc,GAAG,OAAO;AAAA,EAC1C,SACO,GAAG;AACR,YAAQ,MAAM,kCAAkC,CAAC;AACjD,WAAO,IAAI;AAAA,EACb;AACF;AAUA,eAAsB,uBAAuB,MAAwB,KAAiG;AACpK,MAAI,CAAC,QAAQ,OAAO,KAAK,wBAAwB;AAC/C,WAAO,EAAE,OAAO,KAAK;AACvB,MAAI;AACF,UAAM,MAAM,MAAM,KAAK,oBAAoB,GAAG;AAC9C,QAAI,CAAC;AACH,aAAO,EAAE,OAAO,KAAK;AACvB,WAAO;AAAA,EACT,SACO,GAAG;AACR,YAAQ,MAAM,mCAAmC,CAAC;AAClD,WAAO,EAAE,OAAO,KAAK;AAAA,EACvB;AACF;AAIA,eAAsB,sBAAsB,MAAwB,KAA6C;AAC/G,MAAI,CAAC,QAAQ,OAAO,KAAK,uBAAuB;AAC9C;AACF,MAAI;AACF,UAAM,KAAK,mBAAmB,GAAG;AAAA,EACnC,SACO,GAAG;AACR,YAAQ,MAAM,kCAAkC,CAAC;AAAA,EACnD;AACF;;;AC3EA,eAAsB,eAAe,SAAkB,MAAY,YAAuC;AACxG,QAAM,WAAW,KAAK,YAAY,IAAI,UAAU;AAChD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,kBAAkB;AAElD,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,OAAO,IAAI,aAAa,IAAI,MAAM;AACxC,QAAM,QAAQ,IAAI,aAAa,IAAI,OAAO;AAC1C,QAAM,QAAQ,IAAI,aAAa,IAAI,OAAO;AAE1C,MAAI,CAAC,QAAQ,CAAC,SAAS,OAAO;AAE5B,QAAIC,cAAa;AACjB,QAAI,SAAS,MAAM,SAAS,GAAG,GAAG;AAChC,UAAI;AACF,cAAM,kBAAkB,MAAM,MAAM,GAAG,EAAE,CAAC;AAC1C,QAAAA,cAAa,KAAK,mBAAmB,EAAE,KAAK;AAAA,MAC9C,QACM;AACJ,QAAAA,cAAa;AAAA,MACf;AAAA,IACF;AAGA,UAAM,OAAO,oBAAoB,EAAE,aAAaA,YAAW,CAAC;AAC5D,WAAO,aAAa,IAAI;AAAA,EAC1B;AAEA,QAAM,iBAAiB,aAAa,QAAQ,QAAQ,IAAI,QAAQ,CAAC;AACjE,QAAM,UAAU,IAAI,QAAQ,gBAAgB,KAAK,aAAa;AAE9D,MAAI;AACJ,MAAI,aAAa;AACjB,MAAI,MAAM,SAAS,GAAG,GAAG;AACvB,UAAM,CAAC,oBAAoB,eAAe,IAAI,MAAM,MAAM,GAAG;AAC7D,iBAAa;AACb,QAAI;AACF,mBAAa,KAAK,mBAAmB,EAAE,KAAK;AAAA,IAC9C,QACM;AACJ,mBAAa;AAAA,IACf;AAAA,EACF,OACK;AACH,iBAAa;AAAA,EACf;AAEA,QAAM,YAAY,QAAQ,IAAI,gBAAgB;AAE9C,MAAI,CAAC,aAAa,cAAc;AAC9B,UAAM,IAAI,SAAS,WAAW,cAAc,EAAE,aAAa,WAAW,CAAC;AAEzE,QAAM,eAAe,QAAQ,IAAI,gBAAgB;AACjD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,cAAc,EAAE,aAAa,WAAW,CAAC;AAEzE,QAAM,cAAc,QAAQ,IAAI,wBAAwB;AACxD,QAAM,qBAAqB,QAAQ,IAAI,4BAA4B;AACnE,MAAI;AACJ,MAAI,oBAAoB;AACtB,QAAI;AACF,YAAM,UAAU,KAAK,kBAAkB;AACvC,YAAM,SAAS,KAAK,MAAM,OAAO;AACjC,0BAAoB,QAAQ;AAAA,IAC9B,QACM;AAAA,IAAC;AAAA,EACT;AACA,QAAM,eAAe,QAAQ,IAAI,yBAAyB;AAE1D,MAAI;AACF,YAAQ,OAAO,yBAAyB;AAE1C,QAAM,YAAY,CAAC,CAAC;AAEpB,MAAI,WAAW;AACb,UAAM,UAAU,MAAM,KAAK,gBAAgB,YAAa;AACxD,QAAI,CAAC,SAAS;AACZ,cAAQ,OAAO,gBAAgB;AAC/B,cAAQ,OAAO,gBAAgB;AAC/B,UAAI;AACF,gBAAQ,OAAO,wBAAwB;AACzC,cAAQ,OAAO,4BAA4B;AAC3C,YAAMC,YAAW,SAAS,UAAU;AACpC,cAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQA,UAAS,QAAQ,OAAO,KAAK,KAAK,CAAC;AAC/E,aAAOA;AAAA,IACT;AAAA,EACF;AAEA,QAAM,EAAE,MAAM,iBAAiB,OAAO,IAAI,MAAM,SAAS,iBAAiB,MAAM,cAAc,eAAe,QAAW,iBAAiB;AAEzI;AACE,UAAM,UAAU,YAAY,MAAM,KAAK,gBAAgB,YAAa,IAAI;AACxE,UAAM,aAAa,MAAM,mBAAmB,MAAM;AAAA,MAChD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd;AAAA,MACA;AAAA,MACA,eAAe,SAAS,MAAM;AAAA,IAChC,CAAC;AACD,QAAI,WAAW,SAAS;AACtB,cAAQ,OAAO,gBAAgB;AAC/B,cAAQ,OAAO,gBAAgB;AAC/B,UAAI;AACF,gBAAQ,OAAO,wBAAwB;AACzC,cAAQ,OAAO,4BAA4B;AAC3C,YAAMA,YAAW,WAAW;AAC5B,cAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQA,UAAS,QAAQ,OAAO,KAAK,KAAK,CAAC;AAC/E,aAAOA;AAAA,IACT;AAAA,EACF;AAEA,QAAM,eAAe,MAAM,wBAAwB,MAAM;AAAA,IACvD;AAAA,IACA;AAAA,IACA,cAAc;AAAA,IACd;AAAA,IACA;AAAA,EACF,CAAC;AAGD,MAAI,CAAC,aAAc,KAAK,YAAY,IAAI,UAAU,GAAG,aAAa,MAAO;AACvE,YAAQ,OAAO,gBAAgB;AAC/B,YAAQ,OAAO,gBAAgB;AAC/B,QAAI;AACF,cAAQ,OAAO,wBAAwB;AACzC,YAAQ,OAAO,4BAA4B;AAC3C,UAAM,IAAI,SAAS,WAAW,oBAAoB,EAAE,aAAa,WAAW,CAAC;AAAA,EAC/E;AAEA,MAAI,OAAoB;AAExB,QAAM,kBAAkB,MAAM,KAAK,iBAAiB,YAAY,aAAa,EAAE;AAE/E,MAAI,WAAW;AACb,UAAM,UAAU,MAAM,KAAK,gBAAgB,YAAY;AACvD,WAAO,QAAS;AAEhB,QAAI,CAAC;AACH,YAAM,IAAI,SAAS,WAAW,gBAAgB,EAAE,aAAa,WAAW,CAAC;AAE3E,QAAI,mBAAmB,gBAAgB,OAAO,KAAK;AACjD,YAAM,IAAI,SAAS,WAAW,wBAAwB,EAAE,aAAa,WAAW,CAAC;AAEnF,QAAI,KAAK,yBAAyB,OAAO;AACvC,YAAM,eAAe,KAAK;AAC1B,YAAM,gBAAgB,aAAa;AACnC,UAAI,gBAAgB,iBAAiB,iBAAiB;AACpD,cAAM,IAAI,SAAS,WAAW,gBAAgB,EAAE,aAAa,WAAW,CAAC;AAAA,IAC7E;AAEA,QAAI,MAAM;AACR,YAAM,SAAyC,EAAE,IAAI,KAAK,GAAG;AAC7D,UAAI,cAAc;AAElB,UAAI,KAAK,sBAAsB;AAC7B,YAAI,aAAa,QAAQ,aAAa,SAAS,KAAK,MAAM;AACxD,iBAAO,OAAO,aAAa;AAC3B,wBAAc;AAAA,QAChB;AACA,YAAI,aAAa,UAAU,aAAa,WAAW,KAAK,OAAO;AAC7D,iBAAO,QAAQ,aAAa;AAC5B,wBAAc;AAAA,QAChB;AAAA,MACF,OACK;AACH,YAAI,CAAC,KAAK,QAAQ,aAAa,MAAM;AACnC,iBAAO,OAAO,aAAa;AAC3B,wBAAc;AAAA,QAChB;AACA,YAAI,CAAC,KAAK,SAAS,aAAa,QAAQ;AACtC,iBAAO,QAAQ,aAAa;AAC5B,wBAAc;AAAA,QAChB;AAAA,MACF;AAEA,UACE,KAAK,SACF,aAAa,SACb,KAAK,UAAU,aAAa,SAC5B,aAAa,kBAAkB,SAC9B,CAAC,KAAK,iBAAiB,KAAK,uBAChC;AACA,eAAO,gBAAgB;AACvB,sBAAc;AAAA,MAChB;AAEA,UAAI,aAAa;AACf,YAAI;AACF,iBAAO,MAAM,KAAK,WAAW,MAAM;AAAA,QACrC,SACO,GAAG;AACR,kBAAQ,MAAM,uCAAuC,CAAC;AAAA,QACxD;AAAA,MACF;AAAA,IACF;AAAA,EACF,OACK;AACH,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,MAAM;AACT,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,oBAAoB,aAAa,UACpC,aAAa,YACV,aAAa,mBAAmB,aAAa,kBAAkB;AAErE,QAAI,mBAAmB;AACrB,YAAM,eAAe,MAAM,KAAK,eAAe,aAAa,KAAM;AAClE,UAAI,cAAc;AAGhB,YAAI,aAAa,iBAAiB,CAAC,aAAa,eAAe;AAC7D,iBAAO,MAAM,KAAK,WAAW;AAAA,YAC3B,IAAI,aAAa;AAAA,YACjB,eAAe;AAAA,UACjB,CAAC;AAAA,QACH,OACK;AACH,iBAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,MAAM;AACT,UAAI;AACF,YAAI,aAAa,SAAS,aAAa,kBAAkB,QAAQ,KAAK,aAAa,OAAO;AACxF,gBAAM,wBAAwB,MAAM,KAAK,eAAe,aAAa,KAAK;AAC1E,cAAI;AACF,kBAAM,IAAI,SAAS,WAAW,sBAAsB,EAAE,aAAa,WAAW,CAAC;AAAA,QACnF;AAEA,YAAI;AACJ,YAAI;AACF,yBAAe,KAAK,MAAM,kBAAkB,EAAE,YAAY,SAAS,cAAc,QAAuC,CAAC;AAAA,QAC3H,SACO,GAAG;AACR,kBAAQ,MAAM,gCAAgC,CAAC;AAAA,QACjD;AAEA,cAAM,eAAe,aAAa,kBAAkB,OAAO,aAAa,QAAQ;AAEhF,eAAO,MAAM,KAAK,WAAW;AAAA,UAC3B,MAAM,aAAa;AAAA,UACnB,OAAO;AAAA,UACP,OAAO,aAAa;AAAA,UACpB,eAAe,aAAa;AAAA,UAC5B,MAAM,gBAAgB,KAAK,MAAM;AAAA,QACnC,CAAC;AAAA,MACH,SACOC,QAAO;AACZ,YAAIA,kBAAiB;AACnB,gBAAMA;AACR,gBAAQ,MAAM,0BAA0BA,MAAK;AAC7C,cAAM,IAAI,SAAS,WAAW,oBAAoB,EAAE,OAAOA,QAAO,aAAa,WAAW,CAAC;AAAA,MAC7F;AAAA,IACF;AAAA,EACF;AAGA,MAAI,QAAQ,aAAa,OAAO;AAC9B,UAAM,EAAE,OAAO,cAAc,eAAe,qBAAqB,IAAI;AACrE,UAAM,EAAE,OAAO,eAAe,eAAe,sBAAsB,IAAI;AAEvE,UAAM,SAAyC,EAAE,IAAI,KAAK,GAAG;AAC7D,QAAI,cAAc;AAGlB,QAAI,CAAC,gBAAgB,0BAA0B,MAAM;AACnD,aAAO,QAAQ;AACf,aAAO,gBAAgB;AACvB,oBAAc;AAAA,IAChB,WAGE,iBAAiB,iBACd,0BAA0B,QAC1B,CAAC,sBACJ;AACA,aAAO,gBAAgB;AACvB,oBAAc;AAAA,IAChB;AAEA,QAAI,aAAa;AACf,UAAI;AACF,eAAO,MAAM,KAAK,WAAW,MAAM;AAAA,MACrC,SACOA,QAAO;AACZ,gBAAQ,MAAM,wCAAwCA,MAAK;AAAA,MAC7D;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,iBAAiB;AAEpB,QAAI;AACJ,QAAI;AACF,qBAAe,OAAO,aAAa;AAAA,IACrC,QACM;AACJ,qBAAe;AAAA,IACjB;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,gBAAgB,OAAO,qBAAqB;AAClD,UAAI;AACF,oBAAY,KAAK,MAAM,cAAc,QAAQ,IAAI,GAAI;AAAA,IACzD,QACM;AAAA,IACN;AAEA,QAAI;AACJ,QAAI;AACF,gBAAU,OAAO,QAAQ;AAAA,IAC3B,QACM;AACJ,gBAAU;AAAA,IACZ;AAEA;AACE,YAAM,MAAM,MAAM,uBAAuB,MAAM;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb;AAAA,QACA;AAAA,MACF,CAAC;AACD,UAAI,IAAI,UAAU,OAAO;AACvB,cAAMD,YAAW,IAAI,aAAa,MAAM;AACtC,gBAAM,IAAI,SAAS,WAAW,qBAAqB,EAAE,aAAa,WAAW,CAAC;AAAA,QAChF,GAAG;AACH,gBAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQA,UAAS,QAAQ,OAAO,KAAK,KAAK,CAAC;AAC/E,eAAOA;AAAA,MACT;AAAA,IACF;AAEA,QAAI;AACF,UAAI;AACJ,UAAI;AACF,gBAAQ,OAAO,OAAO,GAAG,KAAK,GAAG,KAAK;AAAA,MACxC,QACM;AACJ,gBAAQ;AAAA,MACV;AAEA,YAAM,KAAK,YAAY;AAAA,QACrB,QAAQ,KAAK;AAAA,QACb,UAAU;AAAA,QACV,mBAAmB,aAAa;AAAA,QAChC,aAAa,OAAO,YAAY;AAAA,QAChC;AAAA,QACA;AAAA,QACA,WAAW,OAAO,YAAY,KAAK;AAAA,QACnC;AAAA,QACA;AAAA,MACF,CAAC;AACD,YAAM,sBAAsB,MAAM;AAAA,QAChC;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,SACOC,QAAO;AACZ,cAAQ,MAAM,0BAA0BA,MAAK;AAC7C,YAAM,IAAI,SAAS,WAAW,qBAAqB,EAAE,OAAOA,QAAO,aAAa,WAAW,CAAC;AAAA,IAC9F;AAAA,EACF,OACK;AAEH,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,YAAY,KAAM,EAAE;AAChD,YAAM,WAAW,SAAS,KAAK,OAAK,EAAE,aAAa,cAAc,EAAE,sBAAsB,aAAa,EAAE;AAExG,UAAI,YAAY,KAAK,eAAe;AAClC,YAAI;AACJ,YAAI;AACF,yBAAe,OAAO,aAAa;AAAA,QACrC,QACM;AACJ,yBAAe,SAAS,gBAAgB;AAAA,QAC1C;AAEA,YAAI;AACJ,YAAI;AACF,gBAAM,gBAAgB,OAAO,qBAAqB;AAClD,cAAI;AACF,wBAAY,KAAK,MAAM,cAAc,QAAQ,IAAI,GAAI;AAAA,QACzD,QACM;AACJ,sBAAY,SAAS,aAAa;AAAA,QACpC;AAEA,YAAI;AACJ,YAAI;AACF,oBAAU,OAAO,QAAQ;AAAA,QAC3B,QACM;AACJ,oBAAU,SAAS,WAAW;AAAA,QAChC;AAEA,YAAI;AACJ,YAAI;AACF,kBAAQ,OAAO,OAAO,GAAG,KAAK,GAAG,KAAK,SAAS,SAAS;AAAA,QAC1D,QACM;AACJ,kBAAQ,SAAS,SAAS;AAAA,QAC5B;AAEA,cAAM,KAAK,cAAc;AAAA,UACvB,QAAQ,KAAM;AAAA,UACd,UAAU;AAAA,UACV,mBAAmB,aAAa;AAAA,UAChC,aAAa,OAAO,YAAY,KAAK,SAAS,eAAe;AAAA,UAC7D;AAAA,UACA,WAAW,aAAa,SAAS,aAAa;AAAA,UAC9C,WAAW,OAAO,YAAY,KAAK,SAAS,aAAa;AAAA,UACzD;AAAA,UACA;AAAA,QACF,CAAC;AACD,cAAM,sBAAsB,MAAM;AAAA,UAChC;AAAA,UACA;AAAA,UACA,QAAQ,KAAM;AAAA,UACd;AAAA,UACA;AAAA,UACA,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF,SACOA,QAAO;AACZ,cAAQ,MAAM,+CAA+CA,MAAK;AAAA,IACpE;AAAA,EACF;AAEA,QAAM,eAAe,MAAM,KAAK,cAAc,KAAK,EAAE;AAErD,QAAM,aAAa,IAAI,IAAI,QAAQ,GAAG;AACtC,QAAM,cAAc,IAAI,IAAI,YAAY,QAAQ,GAAG;AAEnD,QAAM,aAAa,KAAK,oBAAoB;AAC5C,QAAM,cAAc,KAAK,oBAAoB;AAE7C,QAAM,iBAAiB,YAAY,aAAa,WAAW,YAAY,aAAa;AACpF,QAAM,cAAc,WAAW,SAAS,YAAY;AAMpD,MAAI,cAAe,CAAC,gBAAgB,kBAAkB,cAAe;AACnE,UAAM,cAAc,IAAI,IAAI,WAAW;AACvC,UAAM,kBAAkB,QAAQ,IAAI,4BAA4B;AAEhE,QAAI,iBAAiB;AAEnB,YAAM,WAAW,MAAM,KAAK,QAAQ;AAAA,QAClC,KAAK,KAAK;AAAA,QACV,WAAW;AAAA,MACb,GAAG,EAAE,KAAK,GAAG,CAAC;AAEd,kBAAY,aAAa,IAAI,QAAQ,QAAQ;AAAA,IAC/C,OACK;AACH,YAAM,IAAI,SAAS,WAAW,wBAAwB,EAAE,aAAa,WAAW,CAAC;AAAA,IACnF;AAGA,UAAM,OAAO,kBAAkB,EAAE,aAAa,YAAY,SAAS,EAAE,CAAC;AAGtE,YAAQ,OAAO,gBAAgB;AAC/B,YAAQ,OAAO,gBAAgB;AAC/B,QAAI;AACF,cAAQ,OAAO,wBAAwB;AACzC,YAAQ,OAAO,4BAA4B;AAC3C,YAAQ,OAAO,4BAA4B;AAE3C,UAAMD,YAAW,aAAa,IAAI;AAClC,YAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQ;AAC1C,MAAAA,UAAS,QAAQ,OAAO,KAAK,KAAK;AAAA,IACpC,CAAC;AACD,WAAOA;AAAA,EACT;AAEA,UAAQ,IAAI,qBAAqB,cAAc;AAAA,IAC7C,QAAQ,KAAK,IAAI;AAAA,IACjB,UAAU,KAAK,cAAc,QAAQ;AAAA,IACrC,QAAQ,CAAC,KAAK;AAAA,EAChB,CAAC;AACD,UAAQ,OAAO,gBAAgB;AAC/B,UAAQ,OAAO,gBAAgB;AAC/B,MAAI;AACF,YAAQ,OAAO,wBAAwB;AACzC,UAAQ,OAAO,4BAA4B;AAE3C,QAAM,gBAAgB,IAAI,aAAa,IAAI,UAAU;AAErD,MAAI;AACJ,MAAI,kBAAkB,SAAS;AAC7B,UAAM,WAAW,MAAM,KAAK,YAAY,KAAK,EAAE;AAC/C,UAAM,UAAU;AAAA,MACb,KAAK,QAAQ,KAAK,MAAM,WAAW,SAAS,KAAK,IAAI,KACnD,KAAK,MAAM,aAAa,SAAS,KAAK,EAAE;AAAA,IAC7C;AACA,eAAW,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,SAAS,EAAE,CAAC;AAAA,EAC1D,OACK;AACH,eAAW,SAAS,UAAU;AAAA,EAChC;AAEA,UAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQ;AAC1C,aAAS,QAAQ,OAAO,KAAK,KAAK;AAAA,EACpC,CAAC;AAED,SAAO;AACT;;;AC5hBA,SAAS,cAAc,QAAgB,MAAqB;AAC1D,MAAI,KAAK,SAAS;AAChB,WAAO;AACT,QAAM,MAAM,KAAK;AACjB,MAAI,IAAI,mBAAmB;AACzB,WAAO;AACT,MAAI,IAAI,mBAAmB,SAAS;AAClC,QAAI,KAAK,eAAe;AACtB,aAAO;AACT,QAAI;AACF,YAAM,IAAI,IAAI,IAAI,MAAM;AACxB,aAAO,KAAK,WAAW,SAAS,EAAE,IAAI,KAAK,KAAK,WAAW,SAAS,EAAE,QAAQ;AAAA,IAChF,QACM;AACJ,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,IAAI,eAAe,SAAS,GAAG;AACjC,WAAO;AACT,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,MAAM;AACxB,WAAO,IAAI,eAAe,SAAS,MAAM,KAAK,IAAI,eAAe,SAAS,EAAE,MAAM,KAAK,IAAI,eAAe,SAAS,EAAE,IAAI,KAAK,IAAI,eAAe,SAAS,EAAE,QAAQ;AAAA,EACtK,QACM;AACJ,WAAO,IAAI,eAAe,SAAS,MAAM;AAAA,EAC3C;AACF;AAEO,SAAS,UAAU,SAAkB,UAAoB,MAAsB;AACpF,MAAI,KAAK,SAAS;AAChB,WAAO;AAET,QAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK,QAAQ,QAAQ,IAAI,QAAQ;AAC5E,MAAI,CAAC;AACH,WAAO;AAET,MAAI,CAAC,cAAc,QAAQ,IAAI;AAC7B,WAAO;AAET,QAAM,MAAM,KAAK;AACjB,WAAS,QAAQ,IAAI,QAAQ,QAAQ;AACrC,QAAM,aAAa,IAAI;AACvB,QAAM,mBAAoB,IAAI,mBAAmB,SAAS,CAAC,aAAc,MAAM;AAC/E,WAAS,QAAQ,IAAI,+BAA+B,gBAAgB;AACpE,MAAI;AACF,aAAS,QAAQ,IAAI,oCAAoC,MAAM;AACjE,WAAS,QAAQ,IAAI,gCAAgC,IAAI,eAAe,KAAK,IAAI,CAAC;AAClF,WAAS,QAAQ,IAAI,gCAAgC,IAAI,eAAe,KAAK,IAAI,CAAC;AAClF,MAAI,IAAI,eAAe;AACrB,aAAS,QAAQ,IAAI,iCAAiC,IAAI,cAAc,KAAK,IAAI,CAAC;AACpF,SAAO;AACT;AAEO,SAAS,gBAAgB,SAAkB,MAAsB;AACtE,MAAI,KAAK,SAAS;AAChB,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAE3C,QAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK,QAAQ,QAAQ,IAAI,QAAQ;AAC5E,QAAM,MAAM,KAAK;AACjB,QAAM,UAAkC,CAAC;AACzC,MAAI,UAAU,cAAc,QAAQ,IAAI,GAAG;AACzC,UAAM,aAAa,IAAI;AACvB,UAAM,mBAAoB,IAAI,mBAAmB,SAAS,CAAC,aAAc,MAAM;AAC/E,YAAQ,6BAA6B,IAAI;AACzC,QAAI;AACF,cAAQ,kCAAkC,IAAI;AAAA,EAClD;AACA,UAAQ,8BAA8B,IAAI,IAAI,eAAe,KAAK,IAAI;AACtE,UAAQ,8BAA8B,IAAI,IAAI,eAAe,KAAK,IAAI;AACtE,MAAI,IAAI,UAAU;AAChB,YAAQ,wBAAwB,IAAI,OAAO,IAAI,MAAM;AACvD,MAAI,IAAI,eAAe;AACrB,YAAQ,+BAA+B,IAAI,IAAI,cAAc,KAAK,IAAI;AACxE,SAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,KAAK,QAAQ,CAAC;AACpD;;;AC5EA,SAAS,sBAAsB,qBAAqB;AAE7C,SAAS,kBAAkB;AAChC,QAAM,QAAQ,cAAc;AAC5B,QAAM,eAAe,qBAAqB;AAE1C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;ACMO,SAAS,oBAAoB,SAAkB,YAA8B,aAA+B;AACjH,MAAI,eAAe;AACjB,WAAO;AAET,QAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAE3C,MAAI,CAAC;AACH,WAAO;AAET,MAAI;AACJ,MAAI;AACF,iBAAa,IAAI,IAAI,MAAM,EAAE;AAAA,EAC/B,QACM;AACJ,WAAO;AAAA,EACT;AAEA,MAAI,aAAa;AACf,UAAM,UAAU,WAAW,WAAW,WAAW,KAAK,WAAW,WAAW,WAAW;AACvF,QAAI;AACF,aAAO;AAAA,EACX;AAEA,QAAM,aAAa,IAAI,IAAI,QAAQ,GAAG;AACtC,QAAM,cAAc,WAAW;AAC/B,QAAM,gBAAgB,GAAG,WAAW,QAAQ,KAAK,WAAW;AAE5D,MAAI,WAAW;AACb,WAAO;AAET,SAAO,WAAW,SAAS,UAAU;AACvC;AAEA,eAAsB,qBACpB,SACA,MACA,YACA,cACmB;AACnB,QAAM,WAAW,KAAK,YAAY,IAAI,UAAU;AAChD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,kBAAkB;AAElD,QAAM,EAAE,OAAO,eAAe,aAAa,IAAI,gBAAgB;AAC/D,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,QAAM,aAAa,IAAI,aAAa,IAAI,YAAY;AACpD,QAAM,cAAc,IAAI,aAAa,IAAI,SAAS;AAClD,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AAEjD,MAAI,YAAY;AACd,QAAI;AACJ,QAAI;AACF,UAAI,WAAW,WAAW,IAAI;AAC5B,cAAM,IAAI,MAAM,mCAAmC;AACrD,uBAAiB,IAAI,IAAI,YAAY,IAAI,MAAM;AAAA,IACjD,QACM;AACJ,YAAM,IAAI,SAAS,WAAW,sBAAsB,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,IACjG;AAEA,UAAM,eAAe,eAAe;AACpC,UAAM,cAAc,IAAI,IAAI,QAAQ,GAAG,EAAE;AAEzC,UAAM,aAAa,iBAAiB;AACpC,UAAM,YAAY,KAAK,eAAe,SAAS,KAAK,WAAW,SAAS,YAAY;AACpF,UAAM,SAAS,eAAe,aAAa,WAAW,eAAe,aAAa;AAElF,QAAI,UAAU,CAAC,cAAc,CAAC;AAC5B,YAAM,IAAI,SAAS,WAAW,cAAc;AAAA,EAChD;AAEA,QAAM,QAAQ,aAAa,GAAG,aAAa,IAAI,KAAK,UAAU,CAAC,KAAK;AACpE,MAAI,cAAc,IAAI,aAAa,IAAI,aAAa;AACpD,MAAI,CAAC,eAAe,SAAS;AAC3B,kBAAc,GAAG,IAAI,MAAM,GAAG,KAAK,QAAQ,aAAa,UAAU;AAEpE,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,MAAI,aAAa;AACf,UAAM,mBAAmB,KAAK,WAAW,UAAU,KAAK,CAAC;AACzD,UAAM,WAAW,iBAAiB,WAAW;AAC7C,QAAI,CAAC;AACH,YAAM,IAAI,SAAS,WAAW,iBAAiB,oBAAoB,WAAW,mBAAmB,UAAU,KAAK,EAAE,QAAQ,IAAI,CAAC;AACjI,QAAI,SAAS;AACX,oBAAc,SAAS;AACzB,QAAI,SAAS;AACX,uBAAiB,SAAS;AAC5B,QAAI,SAAS;AACX,oBAAc,EAAE,GAAI,SAAS,UAAU,CAAC,EAAG;AAC7C,UAAM,EAAE,QAAQ,OAAO,IAAI;AAC3B,QAAI,UAAU,QAAQ,UAAU;AAC9B,kBAAY,EAAE,GAAI,aAAa,CAAC,GAAI,QAAQ,OAAO;AACrD,QAAI,CAAC,gBAAgB,SAAS,aAAa;AACzC,YAAM,IAAI,SAAS,WAAW,oBAAoB,qEAAqE,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1I;AAEA,MAAI;AACF,kBAAc,EAAE,GAAI,eAAe,CAAC,GAAI,QAAQ,YAAY;AAE9D,MAAI,CAAC,gBAAiB,SAAS,aAAa;AAC1C,UAAM,IAAI,SAAS,WAAW,kBAAkB;AAElD,MAAI;AACJ,MAAI;AACF,cAAU,MAAM,SAAS,oBAAoB,OAAO,cAAc;AAAA,MAChE,aAAa,eAAe;AAAA,MAC5B,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AAAA,EACH,SACO,OAAO;AACZ,YAAQ,MAAM,oCAAoC,KAAK;AACvD,cAAU;AAAA,EACZ;AAEA,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,0BAA0B,sCAAsC,EAAE,QAAQ,IAAI,CAAC;AAE/G,QAAM,iBAAiB,aAAa,QAAQ,QAAQ,IAAI,QAAQ,CAAC;AACjE,QAAM,UAAU,IAAI,QAAQ,gBAAgB,KAAK,aAAa;AAE9D,QAAM,yBAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,UAAU,KAAK,cAAc,QAAQ;AAAA,IACrC,QAAQ,CAAC,KAAK;AAAA,EAChB;AAEA,UAAQ,IAAI,kBAAkB,eAAe,sBAAsB;AACnE,UAAQ,IAAI,kBAAkB,cAAc,sBAAsB;AAClE,MAAI,cAAc;AAChB,YAAQ,IAAI,2BAA2B,cAAc,sBAAsB;AAAA,EAC7E,OACK;AACH,YAAQ,OAAO,2BAA2B;AAAA,MACxC,UAAU,KAAK,cAAc,QAAQ;AAAA,MACrC,QAAQ,CAAC,KAAK;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,MAAI;AACF,YAAQ,IAAI,0BAA0B,aAAa,sBAAsB;AAE3E,QAAM,oBAAoB,KAAK,UAAU,EAAE,QAAQ,eAAe,CAAC,GAAG,WAAW,aAAa,CAAC,EAAE,CAAC;AAClG,UAAQ,IAAI,8BAA8B,KAAK,iBAAiB,GAAG,sBAAsB;AAEzF,QAAM,gBAAgB,IAAI,aAAa,IAAI,gBAAgB;AAC3D,MAAI;AACF,YAAQ,IAAI,8BAA8B,eAAe,sBAAsB;AAEjF,QAAM,gBAAgB,IAAI,aAAa,IAAI,UAAU;AAErD,MAAI,kBAAkB,SAAS;AAC7B,UAAME,YAAW,KAAK,EAAE,KAAK,QAAQ,SAAS,EAAE,CAAC;AACjD,YAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQ;AAC1C,MAAAA,UAAS,QAAQ,OAAO,KAAK,KAAK;AAAA,IACpC,CAAC;AACD,WAAOA;AAAA,EACT;AAEA,QAAM,WAAW,SAAS,QAAQ,SAAS,CAAC;AAC5C,UAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQ;AAC1C,aAAS,QAAQ,OAAO,KAAK,KAAK;AAAA,EACpC,CAAC;AAED,SAAO;AACT;;;ACjLA,eAAsB,WAAW,SAAkB,MAAY,YAAuC;AACpG,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAC/B,MAAI,eAAe,2BAA2B,OAAO,EAAE;AAEvD,MAAI,CAAC;AACH,mBAAe,IAAI,aAAa,IAAI,OAAO,KAAK;AAElD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,YAAY;AAE5C,QAAM,UAAU,MAAM,KAAK,gBAAgB,YAAY;AACvD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,YAAY;AAE5C,MAAI,aAAa,OAAO,OAAO;AAC/B,QAAM,eAAe,IAAI,QAAQ,IAAI,SAAS,GAAG,OAAkB;AAEnE,SAAO,qBAAqB,cAAc,MAAM,YAAY,YAAY;AAC1E;AAEA,eAAsB,aAAa,SAAkB,MAAY,YAAuC;AACtG,QAAM,eAAe,2BAA2B,OAAO,EAAE;AAEzD,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,YAAY;AAE5C,QAAM,UAAU,MAAM,KAAK,gBAAgB,YAAY;AACvD,MAAI,CAAC,WAAW,CAAC,QAAQ;AACvB,UAAM,IAAI,SAAS,WAAW,YAAY;AAE5C,QAAM,WAAW,QAAQ,YAAY,CAAC;AAEtC,MAAI,SAAS,UAAU;AACrB,UAAM,IAAI,SAAS,WAAW,0BAA0B;AAE1D,QAAM,kBAAkB,SAAS,KAAK,OAAK,EAAE,aAAa,UAAU;AACpE,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,oBAAoB,aAAa,UAAU,cAAc;AAEzF,QAAM,KAAK,cAAc,YAAY,gBAAgB,iBAAiB;AAEtE,QAAM,oBAAoB,MAAM,KAAK,YAAY,QAAQ,KAAK,EAAE;AAIhE,MAAI,kBAAkB,SAAS,KAAK,QAAQ,KAAK,OAAO;AACtD,QAAI;AACF,YAAM,KAAK,WAAW;AAAA,QACpB,IAAI,QAAQ,KAAK;AAAA,QACjB,OAAO;AAAA,QACP,eAAe;AAAA,MACjB,CAAC;AAAA,IACH,SACO,OAAO;AACZ,cAAQ,MAAM,gDAAgD,KAAK;AAAA,IACrE;AAAA,EACF;AAEA,SAAO,KAAK,EAAE,SAAS,gCAAgC,CAAC;AAC1D;;;AC3DA,eAAsB,aAAa,SAAkB,MAAY,YAAuC;AACtG,SAAO,qBAAqB,SAAS,MAAM,YAAY,IAAI;AAC7D;AAEA,eAAsB,cAAc,SAAkB,MAA+B;AACnF,QAAM,iBAAiB,aAAa,QAAQ,QAAQ,IAAI,QAAQ,CAAC;AACjE,QAAM,UAAU,IAAI,QAAQ,gBAAgB,KAAK,aAAa;AAC9D,UAAQ,OAAO,qBAAqB;AAAA,IAClC,UAAU,KAAK,cAAc,QAAQ;AAAA,IACrC,QAAQ,CAAC,KAAK;AAAA,EAChB,CAAC;AACD,UAAQ,OAAO,2BAA2B;AAAA,IACxC,UAAU,KAAK,cAAc,QAAQ;AAAA,IACrC,QAAQ,CAAC,KAAK;AAAA,EAChB,CAAC;AAED,QAAM,WAAW,KAAK,EAAE,SAAS,aAAa,CAAC;AAC/C,UAAQ,UAAU,EAAE,QAAQ,CAAC,OAAO,QAAQ;AAC1C,aAAS,QAAQ,OAAO,KAAK,KAAK;AAAA,EACpC,CAAC;AAED,SAAO;AACT;;;ACvBA,eAAsB,cAAc,SAAkB,MAA+B;AACnF,QAAM,EAAE,OAAO,aAAa,IAAI,2BAA2B,OAAO;AAElE,QAAM,YAAY,MAAM,KAAK,KAAK,YAAY,KAAK,CAAC;AAEpD,MAAI,CAAC;AACH,WAAO,KAAK,EAAE,GAAG,cAAc,UAAU,CAAC;AAE5C,MAAI;AACF,UAAM,cAAc,MAAM,KAAK,gBAAgB,YAAY;AAE3D,QAAI,CAAC;AACH,aAAO,KAAK,EAAE,GAAG,cAAc,UAAU,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE7D,WAAO,KAAK,EAAE,GAAG,gBAAgB,WAAW,GAAG,UAAU,CAAC;AAAA,EAC5D,SACO,OAAO;AACZ,YAAQ,MAAM,6BAA6B,KAAK;AAChD,UAAM,IAAI,SAAS,WAAW,2BAA2B,EAAE,OAAO,MAAM,CAAC;AAAA,EAC3E;AACF;;;ACrBA,eAAsB,YAAY,SAAkB,MAA+B;AACjF,MAAI,QAAQ,WAAW;AACrB,UAAM,IAAI,SAAS,WAAW,kBAAkB;AAElD,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,QAAQ,KAAK;AAAA,EAC5B,QACM;AACJ,UAAM,IAAI,SAAS,WAAW,iBAAiB,qBAAqB,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrF;AAEA,QAAM,EAAE,MAAM,aAAa,IAAI;AAE/B,MAAI,CAAC,QAAQ,CAAC;AACZ,UAAM,IAAI,SAAS,WAAW,iBAAiB,gCAAgC,EAAE,QAAQ,IAAI,CAAC;AAEhG,QAAM,UAAU,MAAM,KAAK,UAA8C,IAAI;AAC7E,MAAI,CAAC;AACH,UAAM,IAAI,SAAS,WAAW,eAAe,yBAAyB;AAExE,QAAM,EAAE,KAAK,QAAQ,UAAU,IAAI;AAEnC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ,OAAO,YAAY;AACxC,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AAC7D,QAAM,YAAY,MAAM,KAAK,IAAI,WAAW,UAAU,CAAC;AACvD,QAAM,oBAAoB,KAAK,OAAO,aAAa,GAAG,SAAS,CAAC,EAC7D,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAEpB,MAAI,cAAc;AAChB,UAAM,IAAI,SAAS,WAAW,qBAAqB;AAErD,QAAM,eAAe,MAAM,KAAK,cAAc,MAAM;AAEpD,SAAO,KAAK,EAAE,OAAO,aAAa,CAAC;AACrC;;;AC3BO,SAAS,cAAc,MAAqD;AACjF,QAAM,EAAE,SAAS,IAAI;AAErB,SAAO,eAAgB,SAAqC;AAE1D,QAAI,QAAQ,WAAW;AACrB,aAAO,gBAAgB,SAAS,IAAI;AAEtC,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAG/B,QAAI,CAAC,IAAI,SAAS,WAAW,QAAQ,GAAG;AACtC,YAAM,QAAQ,IAAI,SAAS,WAAW,SAAS;AAC/C,YAAM,WAAW,MAAM;AAAA,QACrB,EAAE,OAAO,QAAQ;AAAA,QACjB,EAAE,UAAU,SAAS,KAAK,SAAS,eAAe,KAAK,cAAc;AAAA,MACvE;AACA,aAAO,UAAU,SAAS,UAAU,IAAI;AAAA,IAC1C;AAEA,QAAI;AAEF,UAAI,QAAQ,WAAW,UAAU,CAAC,oBAAoB,SAAS,KAAK,YAAY,KAAK,WAAW,GAAG;AACjG,cAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AAChD,cAAM,UAAU,KAAK,cACjB,sBAAsB,MAAM,2HAC5B;AACJ,cAAM,IAAI,SAAS,WAAW,WAAW,SAAS,EAAE,QAAQ,IAAI,CAAC;AAAA,MACnE;AAEA,YAAM,OAAO,IAAI,SAAS,UAAU,SAAS,MAAM;AACnD,YAAM,QAAQ,KAAK,MAAM,GAAG,EAAE,OAAO,OAAO;AAC5C,YAAM,SAAS,MAAM,CAAC;AAEtB,UAAI,CAAC;AACH,cAAM,IAAI,SAAS,WAAW,SAAS;AAEzC,UAAI;AAEJ,UAAI,QAAQ,WAAW,OAAO;AAC5B,YAAI,WAAW;AACb,qBAAW,MAAM,cAAc,SAAS,IAAI;AAAA,iBACrC,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAC1C,qBAAW,MAAM,WAAW,SAAS,MAAM,MAAM,CAAC,CAAW;AAAA,iBACtD,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAC1C,qBAAW,MAAM,eAAe,SAAS,MAAM,MAAM,CAAC,CAAW;AAAA,iBAC1D,MAAM,WAAW;AACxB,qBAAW,MAAM,aAAa,SAAS,MAAM,MAAM;AAAA;AAEnD,gBAAM,IAAI,SAAS,WAAW,SAAS;AAAA,MAC3C,WACS,QAAQ,WAAW,QAAQ;AAClC,YAAI,MAAM,WAAW,KAAK,WAAW;AACnC,qBAAW,MAAM,cAAc,SAAS,IAAI;AAAA,iBACrC,MAAM,WAAW,KAAK,WAAW;AACxC,qBAAW,MAAM,YAAY,SAAS,IAAI;AAAA,iBACnC,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAC1C,qBAAW,MAAM,aAAa,SAAS,MAAM,MAAM,CAAC,CAAW;AAAA;AAE/D,gBAAM,IAAI,SAAS,WAAW,SAAS;AAAA,MAC3C,OACK;AACH,cAAM,IAAI,SAAS,WAAW,kBAAkB;AAAA,MAClD;AAGA,UAAI;AACF,iBAAS,QAAQ,IAAI,iBAAiB,mBAAmB;AACzD,iBAAS,QAAQ,IAAI,UAAU,UAAU;AACzC,iBAAS,QAAQ,IAAI,WAAW,GAAG;AAAA,MACrC,QACM;AAAA,MAAC;AAEP,aAAO,UAAU,SAAS,UAAU,IAAI;AAAA,IAC1C,SACO,OAAO;AAEZ,UAAI,iBAAiB,UAAU;AAC7B,cAAMC,YAAW,MAAM;AAAA,UACrB,EAAE,OAAO,QAAQ;AAAA,UACjB,EAAE,UAAU,SAAS,KAAK,SAAS,eAAe,KAAK,cAAc;AAAA,QACvE;AACA,eAAO,UAAU,SAASA,WAAU,IAAI;AAAA,MAC1C;AAGA,cAAQ,MAAM,oCAAoC,KAAK;AACvD,YAAM,WAAW,IAAI;AAAA,QACnB,WAAW;AAAA,QACX,EAAE,OAAO,MAAM;AAAA,MACjB;AACA,YAAM,WAAW,MAAM;AAAA,QACrB,EAAE,OAAO,UAAU,QAAQ;AAAA,QAC3B,EAAE,UAAU,SAAS,KAAK,SAAS,eAAe,KAAK,cAAc;AAAA,MACvE;AACA,aAAO,UAAU,SAAS,UAAU,IAAI;AAAA,IAC1C;AAAA,EACF;AACF;;;ACtEO,IAAM,eAAe;AAAA,EAC1B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,UAAU;AACZ;AAEO,SAAS,gBACd,eACwB;AACxB,SAAO;AAAA,IACL,MAAM,cAAc;AAAA,IACpB,SAAS,cAAc;AAAA,IACvB,UAAU,cAAc,UAAU,IAAI,UAAQ;AAAA,MAC5C,UAAU,IAAI;AAAA,MACd,mBAAmB,IAAI;AAAA,IACzB,EAAE,KAAK;AAAA,IACP,WAAW,cAAc;AAAA,EAC3B;AACF;AAoCO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACjB;AAAA,EAClB,YAAY,SAAiB,OAAiB;AAC5C,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAEO,SAAS,KAAQ,MAAS,OAAqB,CAAC,GAAa;AAClE,QAAM,UAAU,IAAI,QAAQ,KAAK,OAAO;AACxC,MAAI,CAAC,QAAQ,IAAI,cAAc;AAC7B,YAAQ,IAAI,gBAAgB,iCAAiC;AAC/D,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG,EAAE,GAAG,MAAM,QAAQ,CAAC;AAChE;AAEO,SAAS,SAAS,KAAa,SAAoB,KAAe;AACvE,SAAO,IAAI,SAAS,MAAM;AAAA,IACxB;AAAA,IACA,SAAS;AAAA,MACP,UAAU;AAAA,IACZ;AAAA,EACF,CAAC;AACH;AASO,IAAM,yBAAyB;;;AC/H/B,SAAS,kBAAkB,GAAe,GAAwB;AACvE,MAAI,OAAO,EAAE,SAAS,EAAE;AACxB,QAAM,MAAM,KAAK,IAAI,EAAE,QAAQ,EAAE,MAAM;AACvC,WAAS,IAAI,GAAG,IAAI,KAAK;AACvB,aAAS,EAAE,CAAC,KAAK,MAAM,EAAE,CAAC,KAAK;AAEjC,SAAO,SAAS;AAClB;AAEA,SAAS,iBAAiB,WAA+B;AACvD,QAAM,SAAS,UAAU,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAC7D,QAAM,aAAa,IAAK,OAAO,SAAS,KAAM;AAC9C,QAAM,SAAS,OAAO,OAAO,OAAO,SAAS,WAAW,GAAG;AAC3D,MAAI;AACF,UAAM,gBAAgB,KAAK,MAAM;AACjC,UAAM,MAAM,cAAc;AAC1B,UAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,aAAS,IAAI,GAAG,IAAI,KAAK;AACvB,YAAM,CAAC,IAAI,cAAc,WAAW,CAAC;AAEvC,WAAO;AAAA,EACT,QACM;AACJ,UAAM,IAAI,UAAU,0BAA0B;AAAA,EAChD;AACF;AAEA,eAAsB,qBAAqB,QAA0E;AACnH,MAAI;AACF,UAAM,cAAc,iBAAiB,MAAM;AAC3C,UAAM,aAAa,MAAM,OAAO,OAAO;AAAA,MACrC;AAAA,MACA,YAAY,MAAM;AAAA,MAClB,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,MACrC;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAEA,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,UAAU;AAC3D,WAAO,IAAI;AACX,QAAI,UAAU,CAAC,QAAQ;AAEvB,UAAM,YAAY,MAAM,OAAO,OAAO;AAAA,MACpC;AAAA,MACA;AAAA,MACA,EAAE,MAAM,SAAS,YAAY,QAAQ;AAAA,MACrC;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AACA,WAAO,EAAE,YAAY,UAAU;AAAA,EACjC,SACO,OAAO;AACZ,QAAI,iBAAiB;AACnB,YAAM;AACR,UAAM,IAAI,UAAU,oHAAoH,KAAK;AAAA,EAC/I;AACF;AAKO,SAAS,SAAS,KAA6B;AACpD,MAAI,IAAI,WAAW;AACjB,UAAM,IAAI,MAAM,8BAA8B;AAEhD,MAAI,IAAI,IAAI,MAAM,GAAG,EAAE;AACvB,MAAI,IAAI,IAAI,MAAM,EAAE;AAEpB,MAAI,UAAU;AACd,SAAO,UAAU,EAAE,SAAS,KAAK,EAAE,OAAO,MAAM,EAAG;AACnD,MAAI,EAAE,MAAM,OAAO;AAEnB,MAAI,UAAU;AACd,SAAO,UAAU,EAAE,SAAS,KAAK,EAAE,OAAO,MAAM,EAAG;AACnD,MAAI,EAAE,MAAM,OAAO;AAEnB,MAAI,EAAE,SAAS,KAAK,EAAE,CAAC,IAAK,KAAM;AAChC,UAAM,UAAU,IAAI,WAAW,EAAE,SAAS,CAAC;AAC3C,YAAQ,CAAC,IAAI;AACb,YAAQ,IAAI,GAAG,CAAC;AAChB,QAAI;AAAA,EACN;AACA,MAAI,EAAE,SAAS,KAAK,EAAE,CAAC,IAAK,KAAM;AAChC,UAAM,UAAU,IAAI,WAAW,EAAE,SAAS,CAAC;AAC3C,YAAQ,CAAC,IAAI;AACb,YAAQ,IAAI,GAAG,CAAC;AAChB,QAAI;AAAA,EACN;AAEA,QAAM,UAAU,EAAE;AAClB,QAAM,UAAU,EAAE;AAClB,QAAM,cAAc,IAAI,UAAU,IAAI;AAEtC,QAAM,MAAM,IAAI,WAAW,IAAI,WAAW;AAC1C,MAAI,CAAC,IAAI;AACT,MAAI,CAAC,IAAI;AACT,MAAI,CAAC,IAAI;AACT,MAAI,CAAC,IAAI;AACT,MAAI,IAAI,GAAG,CAAC;AACZ,MAAI,IAAI,OAAO,IAAI;AACnB,MAAI,IAAI,OAAO,IAAI;AACnB,MAAI,IAAI,GAAG,IAAI,OAAO;AAEtB,SAAO;AACT;;;AhB9EA,eAAsB,KAAwC,SAAY,UAAuB,CAAC,GAAoB;AACpH,MAAI,EAAE,YAAY,SAAS,KAAK,KAAK,KAAK,KAAK,YAAY,OAAO,IAAI;AAEtE,MAAI,cAAc,SAAS;AACzB,QAAI,CAAC,YAAY;AACf,UAAI,OAAO,WAAW;AACpB,cAAM,IAAI,UAAU,0EAA0E;AAEhG,OAAC,EAAE,WAAW,IAAI,MAAM,qBAAqB,MAAM;AAAA,IACrD;AAAA,EACF,WACS,cAAc,WAAW,CAAC,QAAQ;AACzC,UAAM,IAAI,UAAU,kCAAkC;AAAA,EACxD;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExC,QAAM,aAAsC,EAAE,KAAK,KAAK,KAAK,KAAK,KAAK,GAAG,QAAQ;AAElF,MAAI,OAAO,QAAQ,MAAM;AACvB,eAAW,MAAM,MAAM;AAEzB,QAAM,UAAU,cAAc;AAC9B,QAAM,MAA0B,UAAU,UAAU;AAEpD,QAAM,aAAa,KAAK,UAAU,EAAE,KAAK,KAAK,MAAM,CAAC;AACrD,QAAM,cAAc,KAAK,UAAU,UAAU;AAE7C,QAAM,mBAAmB,0BAA0B,YAAY,WAAW;AAE1E,MAAI;AAEJ,MAAI,SAAS;AAEX,UAAM,cAAc,OAAO,WAAW,WAClC,IAAI,YAAY,EAAE,OAAO,MAAM,IAC/B;AAEJ,UAAM,YAAY,MAAM,OAAO,OAAO;AAAA,MACpC;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,MAChC;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAEA,gBAAY,IAAI,WAAW,MAAM,OAAO,OAAO,KAAK,QAAQ,WAAW,gBAAgC,CAAC;AAAA,EAC1G,OACK;AAGH,gBAAY,IAAI;AAAA,MACd,MAAM,OAAO,OAAO;AAAA,QAClB,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,QACjC;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO,UAAU,YAAY,aAAa,SAAS;AACrD;AAWA,eAAsB,OAAoC,OAAe,SAAoC;AAC3G,MAAI,EAAE,YAAY,SAAS,WAAW,QAAQ,KAAK,IAAI,IAAI;AAE3D,MAAI,cAAc,SAAS;AACzB,QAAI,CAAC,WAAW;AACd,UAAI,OAAO,WAAW;AACpB,cAAM,IAAI,UAAU,4EAA4E;AAElG,OAAC,EAAE,UAAU,IAAI,MAAM,qBAAqB,MAAM;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,cAAc,WAAW,CAAC;AAC5B,UAAM,IAAI,UAAU,uCAAuC;AAE7D,QAAM,CAAC,QAAQ,SAAS,WAAW,gBAAgB,IAAI,SAAS,KAAK;AAErE,QAAM,eAAe,IAAI,qBAAqB,MAAM;AACpD,QAAM,YAAY,aAAa,UAAU;AAEzC,MAAI,iBAAiB;AAGrB,MAAI,cAAc,SAAS;AACzB,QAAI,cAAc;AAChB,YAAM,IAAI,MAAM,qBAAqB,SAAS,4CAA4C;AAE5F,UAAM,cAAc,OAAO,WAAW,WAClC,IAAI,YAAY,EAAE,OAAO,MAAM,IAC/B;AAEJ,UAAM,YAAY,MAAM,OAAO,OAAO;AAAA,MACpC;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,MAChC;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AAEA,UAAM,cAAc,IAAI,WAAW,MAAM,OAAO,OAAO,KAAK,QAAQ,WAAW,gBAAgC,CAAC;AAChH,qBAAiB,kBAAkB,aAAa,IAAI,WAAW,SAAS,CAAC;AAAA,EAC3E,OAEK;AACH,QAAI,cAAc;AAChB,YAAM,IAAI,UAAU,qBAAqB,SAAS,4CAA4C;AAEhG,UAAM,iBAAiB,IAAI,WAAW,SAAS;AAI/C,qBAAiB,MAAM,OAAO,OAAO;AAAA,MACnC,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,MACjC;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,kBAAkB,eAAe,WAAW,IAAI;AAGnD,UAAI;AACF,cAAM,SAAS,SAAS,cAAc;AACtC,yBAAiB,MAAM,OAAO,OAAO;AAAA,UACnC,EAAE,MAAM,SAAS,MAAM,UAAU;AAAA,UACjC;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF,QACM;AAGJ,yBAAiB;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC;AACH,UAAM,IAAI,UAAU,uBAAuB;AAE7C,QAAM,SAAS,IAAI,oBAAoB,OAAO;AAC9C,MAAI,OAAO,cAAc,KAAK,CAAC,OAAO,iBAAiB;AACrD,UAAM,IAAI,UAAU,aAAa;AACnC,MAAI,OAAO,aAAa,KAAK,CAAC,OAAO,gBAAgB;AACnD,UAAM,IAAI,UAAU,mBAAmB;AACzC,MAAI,OAAQ,QAAgB,QAAQ;AAClC,UAAM,IAAI,UAAU,oBAAoB;AAE1C,MAAI,KAAK;AACP,UAAM,mBAAmB,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,GAAG;AACxD,UAAM,gBAAiB,QAAgB,MAClC,MAAM,QAAS,QAAgB,GAAG,IAAK,QAAgB,MAAM,CAAE,QAAgB,GAAG,IACnF,CAAC;AAEL,QAAI,CAAC,iBAAiB,KAAK,cAAY,cAAc,SAAS,QAAQ,CAAC;AACrE,YAAM,IAAI,UAAU,sBAAsB;AAAA,EAC9C;AAEA,SAAO;AACT;","names":["serialize","serialize","iat","iss","aud","htmlResponse","redirectTo","response","error","response","response"]}
package/dist/src/client/svelte/index.svelte.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.svelte.d.ts","sourceRoot":"","sources":["../../../../src/client/svelte/index.svelte.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAStE,UAAU,gBAAgB,CAAC,KAAK,GAAG,OAAO;IACxC,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAA;IACvC,SAAS,EAAE,OAAO,CAAA;IAClB,MAAM,EAAE,CAAC,CAAC,SAAS,WAAW,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;KAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;IACxI,WAAW,EAAE,CAAC,CAAC,SAAS,WAAW,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;KAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;IAC7I,aAAa,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9D,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5B,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5B,KAAK,EAAE,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAA;CAC3E;AAID,wBAAgB,gBAAgB,CAAC,KAAK,CAAC,KAAK,GAAG,OAAO,EAAE,EACtD,OAAqB,EACrB,MAAc,EACd,UAAU,EAAE,iBAAiB,EAC7B,OAAO,EAAE,cAAc,EACxB,GAAE;IACD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,OAAO,CAAC,EAAE,UAAU,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAA;CACpC,QA6HL;AAED,wBAAgB,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,OAAO,KAAK,gBAAgB,CAAC,KAAK,CAAC,CAMxE"}
package/dist/src/src/adapters/drizzle/index.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/drizzle/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAA;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAEzD,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAA;AAEhD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAK5D,wBAAgB,cAAc,CAC5B,CAAC,SAAS,UAAU,EACpB,CAAC,SAAS,aAAa,EAEvB,EAAE,EACE,kBAAkB,CAAC,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAC9C,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GACjC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAC7B,KAAK,EAAE,CAAC,EACR,QAAQ,EAAE,CAAC,GACV,OAAO,CAcT"}
package/dist/src/src/adapters/drizzle/mysql.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"mysql.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/drizzle/mysql.ts"],"names":[],"mappings":"AACA,wBAAgB,mBAAmB,IAAI,KAAK,CAE3C"}
package/dist/src/src/adapters/drizzle/pg.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"pg.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/drizzle/pg.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAsC,KAAK,EAAE,MAAM,aAAa,CAAA;AACvF,OAAO,KAAK,EAAE,UAAU,EAAW,MAAM,qBAAqB,CAAA;AAC9D,OAAO,KAAK,EAAW,OAAO,EAA6B,MAAM,YAAY,CAAA;AAG7E,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG;IAC/B,EAAE,EAAE,SAAS,CAAA;IACb,IAAI,EAAE,SAAS,CAAA;IACf,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,SAAS,CAAA;IAChB,aAAa,EAAE,SAAS,CAAA;IACxB,IAAI,CAAC,EAAE,SAAS,CAAA;IAChB,SAAS,EAAE,SAAS,CAAA;IACpB,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG;IAClC,MAAM,EAAE,SAAS,CAAA;IACjB,IAAI,EAAE,SAAS,CAAA;IACf,QAAQ,EAAE,SAAS,CAAA;IACnB,iBAAiB,EAAE,SAAS,CAAA;IAC5B,YAAY,EAAE,SAAS,CAAA;IACvB,WAAW,EAAE,SAAS,CAAA;IACtB,SAAS,EAAE,SAAS,CAAA;IACpB,SAAS,EAAE,SAAS,CAAA;IACpB,KAAK,EAAE,SAAS,CAAA;IAChB,OAAO,EAAE,SAAS,CAAA;IAClB,YAAY,CAAC,EAAE,SAAS,CAAA;CACzB,CAAA;AAED,wBAAgB,sBAAsB,CACpC,EAAE,SAAS,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EACpC,CAAC,SAAS,UAAU,EACpB,CAAC,SAAS,aAAa,EACvB,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,OAAO,CA2JxC"}
package/dist/src/src/adapters/drizzle/sqlite.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"sqlite.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/drizzle/sqlite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAsC,KAAK,EAAE,MAAM,aAAa,CAAA;AACvF,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AACjE,OAAO,KAAK,EAAW,OAAO,EAA6B,MAAM,kBAAkB,CAAA;AAInF,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG;IAC/B,EAAE,EAAE,SAAS,CAAA;IACb,IAAI,EAAE,SAAS,CAAA;IACf,KAAK,EAAE,SAAS,CAAA;IAChB,KAAK,EAAE,SAAS,CAAA;IAChB,aAAa,EAAE,SAAS,CAAA;IACxB,IAAI,CAAC,EAAE,SAAS,CAAA;IAChB,SAAS,EAAE,SAAS,CAAA;IACpB,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG;IAClC,MAAM,EAAE,SAAS,CAAA;IACjB,IAAI,EAAE,SAAS,CAAA;IACf,QAAQ,EAAE,SAAS,CAAA;IACnB,iBAAiB,EAAE,SAAS,CAAA;IAC5B,YAAY,EAAE,SAAS,CAAA;IACvB,WAAW,EAAE,SAAS,CAAA;IACtB,SAAS,EAAE,SAAS,CAAA;IACpB,SAAS,EAAE,SAAS,CAAA;IACpB,KAAK,EAAE,SAAS,CAAA;IAChB,OAAO,EAAE,SAAS,CAAA;IAClB,YAAY,CAAC,EAAE,SAAS,CAAA;CACzB,CAAA;AAED,wBAAgB,oBAAoB,CAClC,EAAE,SAAS,kBAAkB,CAAC,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,EACzD,CAAC,SAAS,UAAU,EACpB,CAAC,SAAS,aAAa,EACvB,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,GAAG,OAAO,CAkJxC"}
package/dist/src/src/adapters/drizzle/transaction.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"transaction.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/drizzle/transaction.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAGjE;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAAC,CAAC,EACjC,EAAE,EAAE,kBAAkB,CAAC,MAAM,GAAG,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,EAClD,QAAQ,EAAE,CACR,EAAE,EAAE,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,KAC/B,OAAO,CAAC,CAAC,CAAC,GACd,OAAO,CAAC,CAAC,CAAC,CAgBZ"}
package/dist/src/src/adapters/index.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAA;AACzB,cAAc,UAAU,CAAA"}
package/dist/src/src/adapters/memory/index.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/adapters/memory/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,OAAO,EAA6B,MAAM,kBAAkB,CAAA;AAWnF,wBAAgB,aAAa,IAAI,OAAO,CAkHvC"}
package/dist/src/src/client/token.d.ts DELETED
@@ -1,11 +0,0 @@
1
- export declare const SESSION_TOKEN_KEY = "__gau-session-token";
2
- export declare const REFRESHED_TOKEN_HEADER = "X-Refreshed-Token";
3
- export declare function storeSessionToken(token: string): void;
4
- export declare function getSessionToken(): string | null;
5
- export declare function clearSessionToken(): void;
6
- export declare function handleRefreshedToken(response: Response): void;
7
- export declare function generatePKCE(): Promise<{
8
- codeVerifier: string;
9
- codeChallenge: string;
10
- }>;
11
- //# sourceMappingURL=token.d.ts.map
package/dist/src/src/client/token.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../../../src/client/token.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,iBAAiB,wBAAwB,CAAA;AAEtD,eAAO,MAAM,sBAAsB,sBAAsB,CAAA;AAEzD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,QAO9C;AAED,wBAAgB,eAAe,IAAI,MAAM,GAAG,IAAI,CAS/C;AAED,wBAAgB,iBAAiB,SAOhC;AAED,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAM7D;AAED,wBAAsB,YAAY;;;GAsBjC"}
package/dist/src/src/core/cookies.d.ts DELETED
@@ -1,24 +0,0 @@
1
- import type { SerializeOptions } from 'cookie';
2
- export declare const DEFAULT_COOKIE_SERIALIZE_OPTIONS: SerializeOptions;
3
- export type Cookie = [string, string, SerializeOptions];
4
- export declare function parseCookies(cookieHeader: string | null | undefined): Map<string, string>;
5
- export declare class Cookies {
6
- #private;
7
- private readonly requestCookies;
8
- private readonly defaultOptions;
9
- constructor(requestCookies: Map<string, string>, defaultOptions: SerializeOptions);
10
- get(name: string): string | undefined;
11
- set(name: string, value: string, options?: SerializeOptions): void;
12
- delete(name: string, options?: Omit<SerializeOptions, 'expires' | 'maxAge'>): void;
13
- toHeaders(): Headers;
14
- }
15
- export declare const CSRF_COOKIE_NAME = "__gau-csrf-token";
16
- export declare const SESSION_COOKIE_NAME = "__gau-session-token";
17
- export declare const SESSION_STRATEGY_COOKIE_NAME = "__gau-session-strategy";
18
- export declare const LINKING_TOKEN_COOKIE_NAME = "__gau-linking-token";
19
- export declare const PKCE_COOKIE_NAME = "__gau-pkce-code-verifier";
20
- export declare const CALLBACK_URI_COOKIE_NAME = "__gau-callback-uri";
21
- export declare const PROVIDER_OPTIONS_COOKIE_NAME = "__gau-provider-options";
22
- export declare const CLIENT_CHALLENGE_COOKIE_NAME = "__gau-client-challenge";
23
- export declare const CSRF_MAX_AGE: number;
24
- //# sourceMappingURL=cookies.d.ts.map
package/dist/src/src/core/cookies.d.ts.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../../../src/core/cookies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAA;AAG9C,eAAO,MAAM,gCAAgC,EAAE,gBAK9C,CAAA;AAED,MAAM,MAAM,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAA;AAEvD,wBAAgB,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzF;AAED,qBAAa,OAAO;;IAIhB,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAFjC,YACmB,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EACnC,cAAc,EAAE,gBAAgB,EAC/C;IAEJ,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEpC;IAED,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAGjE;IAED,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,QAAQ,CAAC,GAAG,IAAI,CAEjF;IAED,SAAS,IAAI,OAAO,CAMnB;CACF;AAED,eAAO,MAAM,gBAAgB,qBAAqB,CAAA;AAClD,eAAO,MAAM,mBAAmB,wBAAwB,CAAA;AACxD,eAAO,MAAM,4BAA4B,2BAA2B,CAAA;AACpE,eAAO,MAAM,yBAAyB,wBAAwB,CAAA;AAC9D,eAAO,MAAM,gBAAgB,6BAA6B,CAAA;AAC1D,eAAO,MAAM,wBAAwB,uBAAuB,CAAA;AAC5D,eAAO,MAAM,4BAA4B,2BAA2B,CAAA;AACpE,eAAO,MAAM,4BAA4B,2BAA2B,CAAA;AAEpE,eAAO,MAAM,YAAY,QAAU,CAAA"}