@saasak/kit-oauth 0.0.1

package/dist/derive-secret.d.ts

@@ -0,0 +1,2 @@
+/** Derive a deterministic OAuth client secret from a shared seed and client ID. */
+export declare function deriveClientSecret(seed: string, clientId: string): string;

package/dist/derive-secret.js

@@ -0,0 +1,6 @@
+import { createHmac } from 'node:crypto';
+/** Derive a deterministic OAuth client secret from a shared seed and client ID. */
+export function deriveClientSecret(seed, clientId) {
+    return createHmac('sha256', seed).update(clientId).digest('hex');
+}
+//# sourceMappingURL=derive-secret.js.map

package/dist/derive-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-secret.js","sourceRoot":"","sources":["../src/derive-secret.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,mFAAmF;AACnF,MAAM,UAAU,kBAAkB,CAAC,IAAY,EAAE,QAAgB;IAChE,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC"}

package/dist/factory.d.ts

@@ -0,0 +1,2 @@
+import type { OAuthHandlerConfig, OAuthHandler } from './types.js';
+export declare function createOAuthHandler(config: OAuthHandlerConfig): OAuthHandler;

package/dist/factory.js

@@ -0,0 +1,83 @@
+import { deriveClientSecret } from './derive-secret.js';
+import { handleLogin } from './routes/login.js';
+import { handleCallback } from './routes/callback.js';
+import { handleLogout } from './routes/logout.js';
+import { handleRefresh } from './routes/refresh.js';
+import { handleSetTeam } from './routes/set-team.js';
+import { createSessionReader, forceRefreshSession } from './middleware.js';
+import { registerWithIAM } from './init.js';
+const DEFAULT_IAM_SESSION_COOKIES = [
+    'better-auth.session_token',
+    '__Secure-better-auth.session_token'
+];
+function validateEnv(env) {
+    const required = ['IAM_URL', 'SAASAK_APP_SEED', 'SESSION_SECRET', 'ORIGIN'];
+    for (const key of required) {
+        if (!env[key])
+            throw new Error(`[kit-oauth] Missing required env: ${key}`);
+    }
+}
+export function createOAuthHandler(config) {
+    let ctx = null;
+    function getContext() {
+        if (ctx)
+            return ctx;
+        const env = config.env();
+        validateEnv(env);
+        const clientSecret = deriveClientSecret(env.SAASAK_APP_SEED, config.clientId);
+        ctx = {
+            config,
+            env,
+            clientSecret,
+            secure: env.ORIGIN.startsWith('https://'),
+            cookieNames: {
+                session: `${config.cookiePrefix}_session`,
+                activeTeam: `${config.cookiePrefix}_active_team`,
+                oauthState: `${config.cookiePrefix}_oauth_state`
+            },
+            iamSessionCookies: config.iamSessionCookies ?? DEFAULT_IAM_SESSION_COOKIES,
+            jwksRef: { current: null }
+        };
+        return ctx;
+    }
+    const handle = async ({ event, resolve }) => {
+        const c = getContext();
+        const pathname = event.url.pathname;
+        const method = event.request.method;
+        // Route interception — handle /auth/* paths directly
+        if (pathname === '/auth/login' && method === 'GET') {
+            return handleLogin(event, c);
+        }
+        if (pathname === '/auth/callback' && method === 'GET') {
+            return handleCallback(event, c);
+        }
+        if (pathname === '/auth/logout' && method === 'POST') {
+            return handleLogout(event, c);
+        }
+        if (pathname === '/auth/refresh' && method === 'POST') {
+            return handleRefresh(event, c);
+        }
+        if (pathname === '/auth/set-team' && method === 'POST') {
+            return handleSetTeam(event, c);
+        }
+        // Not an auth route — pass through
+        return resolve(event);
+    };
+    const init = async () => {
+        const c = getContext();
+        return registerWithIAM(c);
+    };
+    // Lazy session reader — created once on first call
+    let sessionReader = null;
+    const getUser = async (event) => {
+        if (!sessionReader) {
+            sessionReader = createSessionReader(getContext());
+        }
+        return sessionReader(event);
+    };
+    const forceRefresh = async (event, currentUser) => {
+        return forceRefreshSession(event, getContext(), currentUser);
+    };
+    return { handle, init, getUser, forceRefresh };
+}
+//# sourceMappingURL=factory.js.map

package/dist/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,MAAM,2BAA2B,GAAG;IACnC,2BAA2B;IAC3B,oCAAoC;CACpC,CAAC;AAEF,SAAS,WAAW,CAAC,GAAgB;IACpC,MAAM,QAAQ,GAAG,CAAC,SAAS,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,QAAQ,CAAU,CAAC;IACrF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,EAAE,CAAC,CAAC;IAC5E,CAAC;AACF,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAA0B;IAC5D,IAAI,GAAG,GAAwB,IAAI,CAAC;IAEpC,SAAS,UAAU;QAClB,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAEpB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC;QACzB,WAAW,CAAC,GAAG,CAAC,CAAC;QAEjB,MAAM,YAAY,GAAG,kBAAkB,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE9E,GAAG,GAAG;YACL,MAAM;YACN,GAAG;YACH,YAAY;YACZ,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YACzC,WAAW,EAAE;gBACZ,OAAO,EAAE,GAAG,MAAM,CAAC,YAAY,UAAU;gBACzC,UAAU,EAAE,GAAG,MAAM,CAAC,YAAY,cAAc;gBAChD,UAAU,EAAE,GAAG,MAAM,CAAC,YAAY,cAAc;aAChD;YACD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,2BAA2B;YAC1E,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;SAC1B,CAAC;QAEF,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,MAAM,GAAW,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE;QACnD,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC;QACpC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAEpC,qDAAqD;QACrD,IAAI,QAAQ,KAAK,aAAa,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACpD,OAAO,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACvD,OAAO,cAAc,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,QAAQ,KAAK,cAAc,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtD,OAAO,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,QAAQ,KAAK,eAAe,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACvD,OAAO,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACxD,OAAO,aAAa,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAChC,CAAC;QAED,mCAAmC;QACnC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC;IAEF,MAAM,IAAI,GAAe,KAAK,IAAI,EAAE;QACnC,MAAM,CAAC,GAAG,UAAU,EAAE,CAAC;QACvB,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC,CAAC;IAEF,mDAAmD;IACnD,IAAI,aAAa,GAAkD,IAAI,CAAC;IAExE,MAAM,OAAO,GAA4B,KAAK,EAAE,KAAK,EAAE,EAAE;QACxD,IAAI,CAAC,aAAa,EAAE,CAAC;YACpB,aAAa,GAAG,mBAAmB,CAAC,UAAU,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC;IAEF,MAAM,YAAY,GAAiC,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;QAC/E,OAAO,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,WAAW,CAAC,CAAC;IAC9D,CAAC,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AAChD,CAAC"}

package/dist/feature-flags.d.ts

@@ -0,0 +1,9 @@
+import type { OrgMembership } from './types.js';
+/**
+ * Check whether a feature flag is enabled for a given org.
+ */
+export declare function hasFeatureFlag(orgs: OrgMembership[] | undefined, orgId: string | null, flag: string): boolean;
+/**
+ * Server-side enforcement: throw 403 if the feature flag is not enabled.
+ */
+export declare function requireFeatureFlag(orgs: OrgMembership[] | undefined, orgId: string | null, flag: string): void;

package/dist/feature-flags.js

@@ -0,0 +1,19 @@
+import { error } from '@sveltejs/kit';
+/**
+ * Check whether a feature flag is enabled for a given org.
+ */
+export function hasFeatureFlag(orgs, orgId, flag) {
+    if (!orgs || !orgId)
+        return false;
+    const org = orgs.find((o) => o.id === orgId);
+    return Boolean(org?.featureFlags?.[flag]);
+}
+/**
+ * Server-side enforcement: throw 403 if the feature flag is not enabled.
+ */
+export function requireFeatureFlag(orgs, orgId, flag) {
+    if (!hasFeatureFlag(orgs, orgId, flag)) {
+        error(403, `Feature "${flag}" is not enabled`);
+    }
+}
+//# sourceMappingURL=feature-flags.js.map

package/dist/feature-flags.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"feature-flags.js","sourceRoot":"","sources":["../src/feature-flags.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC;;GAEG;AACH,MAAM,UAAU,cAAc,CAC7B,IAAiC,EACjC,KAAoB,EACpB,IAAY;IAEZ,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAClC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,KAAK,CAAC,CAAC;IAC7C,OAAO,OAAO,CAAC,GAAG,EAAE,YAAY,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CACjC,IAAiC,EACjC,KAAoB,EACpB,IAAY;IAEZ,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;QACxC,KAAK,CAAC,GAAG,EAAE,YAAY,IAAI,kBAAkB,CAAC,CAAC;IAChD,CAAC;AACF,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { createOAuthHandler } from './factory.js';
+export { RefreshError } from './oauth.js';
+export { SYNC_AGE, SESSION_MAX_AGE } from './session.js';
+export type { SessionReaderResult } from './middleware.js';
+export type { OAuthHandlerConfig, ResolvedEnv, OAuthHandler, OAuthLocals, SessionClaims, OrgMembership, TeamMembership, AppModel } from './types.js';
+export { buildAbility, getTeamPermissions, requirePermission, type AppAbility } from './permissions.js';
+export { hasFeatureFlag, requireFeatureFlag } from './feature-flags.js';

package/dist/index.js

@@ -0,0 +1,6 @@
+export { createOAuthHandler } from './factory.js';
+export { RefreshError } from './oauth.js';
+export { SYNC_AGE, SESSION_MAX_AGE } from './session.js';
+export { buildAbility, getTeamPermissions, requirePermission } from './permissions.js';
+export { hasFeatureFlag, requireFeatureFlag } from './feature-flags.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAYzD,OAAO,EACN,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EAEjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/init.d.ts

@@ -0,0 +1,2 @@
+import type { OAuthContext } from './types.js';
+export declare function registerWithIAM(ctx: OAuthContext): Promise<void>;

package/dist/init.js

@@ -0,0 +1,45 @@
+export async function registerWithIAM(ctx) {
+    const { env, config, clientSecret } = ctx;
+    if (!env.SAASAK_APP_SEED || !env.IAM_URL)
+        return;
+    const redirectUri = `${env.ORIGIN}/auth/callback`;
+    const payload = JSON.stringify({
+        clientId: config.clientId,
+        redirectUris: [redirectUri],
+        name: config.displayName,
+        appModel: config.appModel,
+        defaultAllow: config.registration?.defaultAllow ?? true,
+        skipConsent: config.registration?.skipConsent ?? true,
+        permissions: config.registration?.permissions,
+        featureFlags: config.registration?.featureFlags
+    });
+    const maxAttempts = 5;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+        try {
+            const res = await fetch(`${env.IAM_URL}/api/register-app`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Authorization: `Bearer ${env.SAASAK_APP_SEED}`
+                },
+                body: payload
+            });
+            if (!res.ok) {
+                const body = await res.text().catch(() => 'unknown');
+                throw new Error(`HTTP ${res.status}: ${body}`);
+            }
+            console.log(`[init] Registered OAuth client with IAM: ${config.clientId}`);
+            return;
+        }
+        catch (err) {
+            if (attempt < maxAttempts) {
+                console.warn(`[init] IAM not ready (attempt ${attempt}/${maxAttempts}), retrying in 2s...`);
+                await new Promise((r) => setTimeout(r, 2000));
+            }
+            else {
+                throw new Error(`[init] Failed to register with IAM after ${maxAttempts} attempts: ${err}`);
+            }
+        }
+    }
+}
+//# sourceMappingURL=init.js.map

package/dist/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAiB;IACtD,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC;IAE1C,IAAI,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,GAAG,CAAC,OAAO;QAAE,OAAO;IAEjD,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,MAAM,gBAAgB,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,CAAC,WAAW,CAAC;QAC3B,IAAI,EAAE,MAAM,CAAC,WAAW;QACxB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,YAAY,IAAI,IAAI;QACvD,WAAW,EAAE,MAAM,CAAC,YAAY,EAAE,WAAW,IAAI,IAAI;QACrD,WAAW,EAAE,MAAM,CAAC,YAAY,EAAE,WAAW;QAC7C,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,YAAY;KAC/C,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,CAAC,CAAC;IACtB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,WAAW,EAAE,OAAO,EAAE,EAAE,CAAC;QACzD,IAAI,CAAC;YACJ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,mBAAmB,EAAE;gBAC1D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACR,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,GAAG,CAAC,eAAe,EAAE;iBAC9C;gBACD,IAAI,EAAE,OAAO;aACb,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBACrD,MAAM,IAAI,KAAK,CAAC,QAAQ,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;YAChD,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,4CAA4C,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3E,OAAO;QACR,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;gBAC3B,OAAO,CAAC,IAAI,CACX,iCAAiC,OAAO,IAAI,WAAW,sBAAsB,CAC7E,CAAC;gBACF,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACP,MAAM,IAAI,KAAK,CACd,4CAA4C,WAAW,cAAc,GAAG,EAAE,CAC1E,CAAC;YACH,CAAC;QACF,CAAC;IACF,CAAC;AACF,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,13 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext, SessionClaims } from './types.js';
+export interface SessionReaderResult {
+    user: SessionClaims | null;
+    refreshedToken?: string;
+}
+export declare function createSessionReader(ctx: OAuthContext): (event: RequestEvent) => Promise<SessionReaderResult>;
+/**
+ * Force-refresh the session tokens. Useful when claims may be stale
+ * (e.g., org just created on IAM but not yet reflected in local JWT).
+ * Returns updated user or null on failure.
+ */
+export declare function forceRefreshSession(event: RequestEvent, ctx: OAuthContext, currentUser: SessionClaims): Promise<SessionClaims | null>;

package/dist/middleware.js

@@ -0,0 +1,176 @@
+import * as jose from 'jose';
+import { refreshTokens, verifyIdToken, RefreshError } from './oauth.js';
+import { readSession, getSessionToken, createSession, setSessionCookie, clearSessionCookie, clearActiveTeamCookie, isBearerRequest, isApiToken, SYNC_AGE } from './session.js';
+/**
+ * Reads the JWT session from cookie/Bearer header, checks cross-subdomain
+ * logout sync, and performs staleness refresh if needed.
+ *
+ * Does NOT handle public path checks, redirects, team validation, or locals
+ * assignment — those are the responsibility of kit-auth-check.
+ */
+// In-memory cache for exchanged API token sessions
+const API_TOKEN_CACHE_TTL = 300; // 5 minutes
+const API_TOKEN_CACHE_MAX = 1000;
+const apiTokenCache = new Map();
+function evictExpiredTokens() {
+    const now = Date.now();
+    for (const [key, entry] of apiTokenCache) {
+        if (entry.expiresAt <= now)
+            apiTokenCache.delete(key);
+    }
+}
+export function createSessionReader(ctx) {
+    const secret = new TextEncoder().encode(ctx.env.SESSION_SECRET);
+    return async (event) => {
+        const isBearer = isBearerRequest(event.request);
+        const token = getSessionToken(event.request, event.cookies, ctx.cookieNames.session);
+        // Handle M2M API tokens (sk_live_ prefix)
+        if (token && isApiToken(token)) {
+            const cacheKey = token;
+            const cached = apiTokenCache.get(cacheKey);
+            if (cached && cached.expiresAt > Date.now()) {
+                return { user: cached.claims };
+            }
+            try {
+                const res = await fetch(`${ctx.env.IAM_URL}/api/auth/api-tokens/exchange`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ token, clientId: ctx.config.clientId })
+                });
+                if (!res.ok) {
+                    return { user: null };
+                }
+                const data = (await res.json());
+                const claims = {
+                    sub: data.sub,
+                    email: data.email,
+                    name: data.name,
+                    emailVerified: data.emailVerified ?? false,
+                    orgs: (data.orgs ?? []),
+                    accessToken: '',
+                    permissions: data.permissions,
+                    impersonatedBy: data.impersonatedBy,
+                    apiToken: true,
+                    plan: data.plan,
+                    entitlements: data.entitlements,
+                    addons: data.addons
+                };
+                // Cache the claims
+                if (apiTokenCache.size >= API_TOKEN_CACHE_MAX)
+                    evictExpiredTokens();
+                apiTokenCache.set(cacheKey, {
+                    claims,
+                    expiresAt: Date.now() + API_TOKEN_CACHE_TTL * 1000
+                });
+                return { user: claims };
+            }
+            catch {
+                return { user: null };
+            }
+        }
+        let user = token ? await readSession(secret, token) : null;
+        // If we have a local session but the cross-subdomain better-auth cookie is gone,
+        // IAM has logged the user out → clear local session immediately
+        if (user && !isBearer) {
+            let baSession;
+            for (const name of ctx.iamSessionCookies) {
+                baSession = event.cookies.get(name);
+                if (baSession)
+                    break;
+            }
+            if (!baSession) {
+                clearSessionCookie(event.cookies, ctx.cookieNames.session);
+                clearActiveTeamCookie(event.cookies, ctx.cookieNames.activeTeam);
+                user = null;
+            }
+        }
+        let refreshedToken;
+        // Staleness check: if JWT was issued more than SYNC_AGE seconds ago, refresh tokens
+        if (user?.refreshToken && token) {
+            try {
+                const payload = jose.decodeJwt(token);
+                const iat = payload.iat ?? 0;
+                const age = Math.floor(Date.now() / 1000) - iat;
+                if (age > SYNC_AGE) {
+                    const tokens = await refreshTokens(ctx, user.refreshToken);
+                    let updatedClaims = {
+                        ...user,
+                        accessToken: tokens.access_token
+                    };
+                    if (tokens.refresh_token) {
+                        updatedClaims.refreshToken = tokens.refresh_token;
+                    }
+                    if (tokens.id_token) {
+                        const idClaims = await verifyIdToken(ctx, tokens.id_token);
+                        updatedClaims = {
+                            ...updatedClaims,
+                            sub: idClaims.sub,
+                            email: idClaims.email,
+                            name: idClaims.name,
+                            emailVerified: idClaims.email_verified,
+                            orgs: idClaims.orgs,
+                            permissions: idClaims.permissions,
+                            impersonatedBy: idClaims.impersonatedBy
+                        };
+                    }
+                    const newToken = await createSession(secret, updatedClaims);
+                    setSessionCookie(event.cookies, ctx.cookieNames.session, newToken, ctx.secure);
+                    user = updatedClaims;
+                    if (isBearer) {
+                        refreshedToken = newToken;
+                    }
+                }
+            }
+            catch (err) {
+                if (err instanceof RefreshError && err.status >= 400 && err.status < 500) {
+                    clearSessionCookie(event.cookies, ctx.cookieNames.session);
+                    user = null;
+                }
+                else {
+                    console.warn(`[${ctx.config.displayName}] Token refresh failed, continuing with stale session:`, err);
+                }
+            }
+        }
+        return { user, refreshedToken };
+    };
+}
+/**
+ * Force-refresh the session tokens. Useful when claims may be stale
+ * (e.g., org just created on IAM but not yet reflected in local JWT).
+ * Returns updated user or null on failure.
+ */
+export async function forceRefreshSession(event, ctx, currentUser) {
+    if (!currentUser.refreshToken)
+        return null;
+    const secret = new TextEncoder().encode(ctx.env.SESSION_SECRET);
+    try {
+        const tokens = await refreshTokens(ctx, currentUser.refreshToken);
+        let updatedClaims = {
+            ...currentUser,
+            accessToken: tokens.access_token
+        };
+        if (tokens.refresh_token) {
+            updatedClaims.refreshToken = tokens.refresh_token;
+        }
+        if (tokens.id_token) {
+            const idClaims = await verifyIdToken(ctx, tokens.id_token);
+            updatedClaims = {
+                ...updatedClaims,
+                sub: idClaims.sub,
+                email: idClaims.email,
+                name: idClaims.name,
+                emailVerified: idClaims.email_verified,
+                orgs: idClaims.orgs,
+                permissions: idClaims.permissions,
+                impersonatedBy: idClaims.impersonatedBy
+            };
+        }
+        const newToken = await createSession(secret, updatedClaims);
+        setSessionCookie(event.cookies, ctx.cookieNames.session, newToken, ctx.secure);
+        return updatedClaims;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AACxE,OAAO,EACN,WAAW,EACX,eAAe,EACf,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,UAAU,EACV,QAAQ,EACR,MAAM,cAAc,CAAC;AAOtB;;;;;;GAMG;AACH,mDAAmD;AACnD,MAAM,mBAAmB,GAAG,GAAG,CAAC,CAAC,YAAY;AAC7C,MAAM,mBAAmB,GAAG,IAAI,CAAC;AACjC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwD,CAAC;AAEtF,SAAS,kBAAkB;IAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;QAC1C,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG;YAAE,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,mBAAmB,CAClC,GAAiB;IAEjB,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEhE,OAAO,KAAK,EAAE,KAAmB,EAAgC,EAAE;QAClE,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAErF,0CAA0C;QAC1C,IAAI,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,KAAK,CAAC;YACvB,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC7C,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;YAChC,CAAC;YAED,IAAI,CAAC;gBACJ,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,+BAA+B,EAAE;oBAC1E,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;oBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;iBAC9D,CAAC,CAAC;gBAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;oBACb,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;gBACvB,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAC3D,MAAM,MAAM,GAAkB;oBAC7B,GAAG,EAAE,IAAI,CAAC,GAAa;oBACvB,KAAK,EAAE,IAAI,CAAC,KAAe;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAc;oBACzB,aAAa,EAAG,IAAI,CAAC,aAAyB,IAAI,KAAK;oBACvD,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAA0B;oBAChD,WAAW,EAAE,EAAE;oBACf,WAAW,EAAE,IAAI,CAAC,WAA2C;oBAC7D,cAAc,EAAE,IAAI,CAAC,cAAoC;oBACzD,QAAQ,EAAE,IAAI;oBACd,IAAI,EAAE,IAAI,CAAC,IAA6B;oBACxC,YAAY,EAAE,IAAI,CAAC,YAA6C;oBAChE,MAAM,EAAE,IAAI,CAAC,MAA8B;iBAC3C,CAAC;gBAEF,mBAAmB;gBACnB,IAAI,aAAa,CAAC,IAAI,IAAI,mBAAmB;oBAAE,kBAAkB,EAAE,CAAC;gBACpE,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE;oBAC3B,MAAM;oBACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,mBAAmB,GAAG,IAAI;iBAClD,CAAC,CAAC;gBAEH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACR,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YACvB,CAAC;QACF,CAAC;QAED,IAAI,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAE3D,iFAAiF;QACjF,gEAAgE;QAChE,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACvB,IAAI,SAA6B,CAAC;YAClC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,iBAAiB,EAAE,CAAC;gBAC1C,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACpC,IAAI,SAAS;oBAAE,MAAM;YACtB,CAAC;YACD,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,kBAAkB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBAC3D,qBAAqB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;gBACjE,IAAI,GAAG,IAAI,CAAC;YACb,CAAC;QACF,CAAC;QAED,IAAI,cAAkC,CAAC;QAEvC,oFAAoF;QACpF,IAAI,IAAI,EAAE,YAAY,IAAI,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC;gBACJ,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;gBAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;gBAEhD,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;oBACpB,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;oBAE3D,IAAI,aAAa,GAAkB;wBAClC,GAAG,IAAI;wBACP,WAAW,EAAE,MAAM,CAAC,YAAY;qBAChC,CAAC;oBACF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;wBAC1B,aAAa,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC;oBACnD,CAAC;oBAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;wBACrB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;wBAC3D,aAAa,GAAG;4BACf,GAAG,aAAa;4BAChB,GAAG,EAAE,QAAQ,CAAC,GAAG;4BACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;4BACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;4BACnB,aAAa,EAAE,QAAQ,CAAC,cAAc;4BACtC,IAAI,EAAE,QAAQ,CAAC,IAAI;4BACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;4BACjC,cAAc,EAAE,QAAQ,CAAC,cAAc;yBACvC,CAAC;oBACH,CAAC;oBAED,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;oBAC5D,gBAAgB,CACf,KAAK,CAAC,OAAO,EACb,GAAG,CAAC,WAAW,CAAC,OAAO,EACvB,QAAQ,EACR,GAAG,CAAC,MAAM,CACV,CAAC;oBACF,IAAI,GAAG,aAAa,CAAC;oBAErB,IAAI,QAAQ,EAAE,CAAC;wBACd,cAAc,GAAG,QAAQ,CAAC;oBAC3B,CAAC;gBACF,CAAC;YACF,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACd,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBAC1E,kBAAkB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;oBAC3D,IAAI,GAAG,IAAI,CAAC;gBACb,CAAC;qBAAM,CAAC;oBACP,OAAO,CAAC,IAAI,CACX,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,wDAAwD,EAClF,GAAG,CACH,CAAC;gBACH,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IACjC,CAAC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACxC,KAAmB,EACnB,GAAiB,EACjB,WAA0B;IAE1B,IAAI,CAAC,WAAW,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEhE,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,WAAW,CAAC,YAAY,CAAC,CAAC;QAClE,IAAI,aAAa,GAAkB;YAClC,GAAG,WAAW;YACd,WAAW,EAAE,MAAM,CAAC,YAAY;SAChC,CAAC;QACF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,aAAa,CAAC,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC;QACnD,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3D,aAAa,GAAG;gBACf,GAAG,aAAa;gBAChB,GAAG,EAAE,QAAQ,CAAC,GAAG;gBACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,aAAa,EAAE,QAAQ,CAAC,cAAc;gBACtC,IAAI,EAAE,QAAQ,CAAC,IAAI;gBACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,cAAc,EAAE,QAAQ,CAAC,cAAc;aACvC,CAAC;QACH,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;QAC5D,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/E,OAAO,aAAa,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAC;IACb,CAAC;AACF,CAAC"}

package/dist/oauth.d.ts

@@ -0,0 +1,28 @@
+import type { OAuthContext, OrgMembership } from './types.js';
+export declare function generateState(): string;
+export declare function generateCodeVerifier(): string;
+export declare function computeS256Challenge(verifier: string): Promise<string>;
+export declare function buildAuthorizeURL(ctx: OAuthContext, state: string, codeChallenge: string, orgHint?: string): string;
+export declare function exchangeCode(ctx: OAuthContext, code: string, codeVerifier: string): Promise<{
+    access_token: string;
+    id_token?: string;
+    refresh_token?: string;
+}>;
+export declare class RefreshError extends Error {
+    status: number;
+    constructor(message: string, status: number);
+}
+export declare function refreshTokens(ctx: OAuthContext, refreshToken: string): Promise<{
+    access_token: string;
+    id_token?: string;
+    refresh_token?: string;
+}>;
+export declare function verifyIdToken(ctx: OAuthContext, idToken: string): Promise<{
+    sub: string;
+    email: string;
+    name: string;
+    email_verified: boolean;
+    orgs: OrgMembership[];
+    permissions?: Record<string, Record<string, string[]>>;
+    impersonatedBy?: string;
+}>;

package/dist/oauth.js

@@ -0,0 +1,101 @@
+import * as jose from 'jose';
+// --- PKCE helpers (pure, no config needed) ---
+function base64url(bytes) {
+    let binary = '';
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+export function generateState() {
+    return base64url(crypto.getRandomValues(new Uint8Array(16)));
+}
+export function generateCodeVerifier() {
+    return base64url(crypto.getRandomValues(new Uint8Array(32)));
+}
+export async function computeS256Challenge(verifier) {
+    const encoded = new TextEncoder().encode(verifier);
+    const digest = await crypto.subtle.digest('SHA-256', encoded);
+    return base64url(new Uint8Array(digest));
+}
+// --- OAuth operations (parameterized via context) ---
+export function buildAuthorizeURL(ctx, state, codeChallenge, orgHint) {
+    const redirectUri = `${ctx.env.ORIGIN}/auth/callback`;
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: ctx.config.clientId,
+        redirect_uri: redirectUri,
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        scope: 'openid profile email'
+    });
+    if (orgHint) {
+        params.set('org_hint', orgHint);
+    }
+    return `${ctx.env.IAM_URL}/api/auth/oauth2/authorize?${params}`;
+}
+export async function exchangeCode(ctx, code, codeVerifier) {
+    const redirectUri = `${ctx.env.ORIGIN}/auth/callback`;
+    const res = await fetch(`${ctx.env.IAM_URL}/api/auth/oauth2/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Authorization: `Basic ${btoa(`${ctx.config.clientId}:${ctx.clientSecret}`)}`
+        },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            code_verifier: codeVerifier
+        })
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => 'unknown error');
+        throw new Error(`Token exchange failed (${res.status}): ${body}`);
+    }
+    return res.json();
+}
+export class RefreshError extends Error {
+    constructor(message, status) {
+        super(message);
+        this.status = status;
+        this.name = 'RefreshError';
+    }
+}
+export async function refreshTokens(ctx, refreshToken) {
+    const res = await fetch(`${ctx.env.IAM_URL}/api/auth/oauth2/token`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Authorization: `Basic ${btoa(`${ctx.config.clientId}:${ctx.clientSecret}`)}`
+        },
+        body: new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken
+        })
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => 'unknown error');
+        throw new RefreshError(`Token refresh failed (${res.status}): ${body}`, res.status);
+    }
+    return res.json();
+}
+export async function verifyIdToken(ctx, idToken) {
+    if (!ctx.jwksRef.current) {
+        ctx.jwksRef.current = jose.createRemoteJWKSet(new URL(`${ctx.env.IAM_URL}/api/auth/jwks`));
+    }
+    const { payload } = await jose.jwtVerify(idToken, ctx.jwksRef.current, {
+        issuer: `${ctx.env.IAM_URL}/api/auth`
+    });
+    const p = payload;
+    return {
+        sub: payload.sub,
+        email: p.email,
+        name: p.name,
+        email_verified: p.email_verified ?? false,
+        orgs: (Array.isArray(p.orgs) ? p.orgs : []),
+        permissions: p.permissions,
+        impersonatedBy: p.impersonatedBy
+    };
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAG7B,gDAAgD;AAEhD,SAAS,SAAS,CAAC,KAAiB;IACnC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,aAAa;IAC5B,OAAO,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,oBAAoB;IACnC,OAAO,SAAS,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,QAAgB;IAC1D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC9D,OAAO,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,uDAAuD;AAEvD,MAAM,UAAU,iBAAiB,CAChC,GAAiB,EACjB,KAAa,EACb,aAAqB,EACrB,OAAgB;IAEhB,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,gBAAgB,CAAC;IAEtD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QAClC,aAAa,EAAE,MAAM;QACrB,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,QAAQ;QAC9B,YAAY,EAAE,WAAW;QACzB,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,KAAK,EAAE,sBAAsB;KAC7B,CAAC,CAAC;IAEH,IAAI,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,8BAA8B,MAAM,EAAE,CAAC;AACjE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CACjC,GAAiB,EACjB,IAAY,EACZ,YAAoB;IAEpB,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,gBAAgB,CAAC;IAEtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,wBAAwB,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACR,cAAc,EAAE,mCAAmC;YACnD,aAAa,EAAE,SAAS,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC,EAAE;SAC5E;QACD,IAAI,EAAE,IAAI,eAAe,CAAC;YACzB,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,YAAY;SAC3B,CAAC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,YAAa,SAAQ,KAAK;IACtC,YACC,OAAe,EACR,MAAc;QAErB,KAAK,CAAC,OAAO,CAAC,CAAC;QAFR,WAAM,GAAN,MAAM,CAAQ;QAGrB,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC5B,CAAC;CACD;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,GAAiB,EACjB,YAAoB;IAEpB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,wBAAwB,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACR,cAAc,EAAE,mCAAmC;YACnD,aAAa,EAAE,SAAS,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC,EAAE;SAC5E;QACD,IAAI,EAAE,IAAI,eAAe,CAAC;YACzB,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;SAC3B,CAAC;KACF,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;QAC3D,MAAM,IAAI,YAAY,CAAC,yBAAyB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,GAAiB,EACjB,OAAe;IAUf,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QAC1B,GAAG,CAAC,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAC5C,IAAI,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAC3C,CAAC;IACH,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE;QACtE,MAAM,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,WAAW;KACrC,CAAC,CAAC;IAEH,MAAM,CAAC,GAAG,OAAkC,CAAC;IAE7C,OAAO;QACN,GAAG,EAAE,OAAO,CAAC,GAAI;QACjB,KAAK,EAAE,CAAC,CAAC,KAAe;QACxB,IAAI,EAAE,CAAC,CAAC,IAAc;QACtB,cAAc,EAAG,CAAC,CAAC,cAA0B,IAAI,KAAK;QACtD,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAoB;QAC9D,WAAW,EAAE,CAAC,CAAC,WAAmE;QAClF,cAAc,EAAE,CAAC,CAAC,cAAoC;KACtD,CAAC;AACH,CAAC"}

package/dist/permissions.d.ts

@@ -0,0 +1,14 @@
+import { type MongoAbility } from '@casl/ability';
+export type AppAbility = MongoAbility<[string, string]>;
+/**
+ * Build a CASL ability from a permission map: { resource: action[] }
+ */
+export declare function buildAbility(permissions: Record<string, string[]>): AppAbility;
+/**
+ * Extract the active team's permission map from the full permissions object.
+ */
+export declare function getTeamPermissions(allPermissions: Record<string, Record<string, string[]>> | undefined, teamId: string | null): Record<string, string[]>;
+/**
+ * Server-side enforcement: throw 403 if the user lacks the given permission.
+ */
+export declare function requirePermission(permissions: Record<string, Record<string, string[]>> | undefined, teamId: string | null, action: string, resource: string): void;

package/dist/permissions.js

@@ -0,0 +1,33 @@
+import { AbilityBuilder, createMongoAbility } from '@casl/ability';
+import { error } from '@sveltejs/kit';
+/**
+ * Build a CASL ability from a permission map: { resource: action[] }
+ */
+export function buildAbility(permissions) {
+    const { can, build } = new AbilityBuilder(createMongoAbility);
+    for (const [resource, actions] of Object.entries(permissions)) {
+        for (const action of actions) {
+            can(action, resource);
+        }
+    }
+    return build();
+}
+/**
+ * Extract the active team's permission map from the full permissions object.
+ */
+export function getTeamPermissions(allPermissions, teamId) {
+    if (!allPermissions || !teamId)
+        return {};
+    return allPermissions[teamId] ?? {};
+}
+/**
+ * Server-side enforcement: throw 403 if the user lacks the given permission.
+ */
+export function requirePermission(permissions, teamId, action, resource) {
+    const teamPerms = getTeamPermissions(permissions, teamId);
+    const ability = buildAbility(teamPerms);
+    if (!ability.can(action, resource)) {
+        error(403, `Missing permission: ${action} on ${resource}`);
+    }
+}
+//# sourceMappingURL=permissions.js.map

package/dist/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAqB,MAAM,eAAe,CAAC;AACtF,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAItC;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,WAAqC;IACjE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,cAAc,CAAa,kBAAkB,CAAC,CAAC;IAC1E,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/D,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC9B,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvB,CAAC;IACF,CAAC;IACD,OAAO,KAAK,EAAE,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CACjC,cAAoE,EACpE,MAAqB;IAErB,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAC1C,OAAO,cAAc,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAChC,WAAiE,EACjE,MAAqB,EACrB,MAAc,EACd,QAAgB;IAEhB,MAAM,SAAS,GAAG,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;QACpC,KAAK,CAAC,GAAG,EAAE,uBAAuB,MAAM,OAAO,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACF,CAAC"}

package/dist/routes/callback.d.ts

@@ -0,0 +1,3 @@
+import type { RequestEvent } from '@sveltejs/kit';
+import type { OAuthContext } from '../types.js';
+export declare function handleCallback(event: RequestEvent, ctx: OAuthContext): Promise<Response>;