npm - @selvajs/selva - Versions diffs - 2.0.3 → 2.0.5 - Mend

@selvajs/selva 2.0.3 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (232) hide show

package/build/server/chunks/auth-bootstrap.server-dy8_QSAP.js ADDED Viewed

@@ -0,0 +1,97 @@
+import { b as private_env } from './shared-server-DaWdgxVh.js';
+import { randomUUID } from 'node:crypto';
+import { S as SYSTEM_CONTEXT, A as ALL_PLATFORM_PERMISSIONS } from './context-9tV9WxQ5.js';
+import { g as getAuthProvider, l as getPermissionStore, n as getDataProvider, t as tenancy, c as getOrganizationProvider, h as getProjectProvider } from './providers.server-Duyx-08B.js';
+import { s as slugify } from './slug-BGuFQjqe.js';
+async function bootstrapUserSession(user) {
+  await getDataProvider().ensureUser(SYSTEM_CONTEXT, user.id);
+  const perms = getPermissionStore();
+  const hasAdmin = await perms.hasInstanceAdmin(SYSTEM_CONTEXT);
+  let grantedAdminHere = false;
+  if (!hasAdmin) {
+    if (!shouldBootstrapAdmin(user, private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL, tenancy)) return;
+    await perms.set(SYSTEM_CONTEXT, user.id, [...ALL_PLATFORM_PERMISSIONS]);
+    grantedAdminHere = true;
+  }
+  if (tenancy !== "single") return;
+  const orgs = getOrganizationProvider();
+  const existing = await orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });
+  if (existing.items.length > 0) return;
+  if (!grantedAdminHere) {
+    const userPerms = await perms.getFor(SYSTEM_CONTEXT, user.id);
+    if (!userPerms.includes("instance_admin")) return;
+  }
+  await ensureSingleTenantDefaultOrg(user);
+}
+async function ensureSingleTenantDefaultOrg(user) {
+  if (tenancy !== "single") return;
+  const orgs = getOrganizationProvider();
+  const existing = await orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });
+  if (existing.items.length > 0) return;
+  const displayName = typeof user.metadata?.displayName === "string" ? user.metadata.displayName : void 0;
+  const orgName = displayName?.trim() || user.email?.split("@")[0]?.trim() || "Default";
+  const slug = slugify(orgName).length >= 3 ? slugify(orgName) : "default";
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const org = {
+    id: randomUUID(),
+    name: orgName,
+    slug,
+    ownerId: user.id,
+    createdBy: user.id,
+    updatedBy: user.id,
+    createdAt: now,
+    updatedAt: now,
+    deletedAt: null
+  };
+  await orgs.createOrg(SYSTEM_CONTEXT, org);
+  const projects = getProjectProvider();
+  const project = {
+    id: randomUUID(),
+    orgId: org.id,
+    name: "Default",
+    slug: "default",
+    visibility: "public",
+    ownerId: user.id,
+    createdBy: user.id,
+    updatedBy: user.id,
+    autoJoinOnUpload: false,
+    createdAt: now,
+    updatedAt: now,
+    deletedAt: null
+  };
+  await projects.createProject(SYSTEM_CONTEXT, project);
+}
+function shouldBootstrapAdmin(user, configuredEmail, mode) {
+  const expected = configuredEmail?.trim().toLowerCase();
+  if (mode === "multi" && !expected) return false;
+  if (!expected) return true;
+  const actual = user.email?.trim().toLowerCase();
+  return !!actual && actual === expected;
+}
+function shouldBootstrapUpn(upn, email, configuredEmail, mode) {
+  const expected = configuredEmail?.trim().toLowerCase();
+  if (mode === "multi" && !expected) return false;
+  if (!expected) return true;
+  const candidate = (email ?? upn).trim().toLowerCase();
+  return !!candidate && candidate === expected;
+}
+function wireHeaderAuthBootstrap() {
+  const auth = getAuthProvider();
+  if (typeof auth.setBootstrapAllowlistPolicy !== "function") {
+    if (private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL?.trim()) {
+      console.warn(
+        "[selva] BOOTSTRAP_INSTANCE_ADMIN_EMAIL is set but the installed @selvajs/header-auth-provider does not expose setBootstrapAllowlistPolicy. Upgrade the provider, or hand-seed header-allowlist.json."
+      );
+    }
+    return;
+  }
+  auth.setBootstrapAllowlistPolicy(async ({ upn, email }) => {
+    const hasAdmin = await getPermissionStore().hasInstanceAdmin(SYSTEM_CONTEXT);
+    if (hasAdmin) return false;
+    return shouldBootstrapUpn(upn, email, private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL, tenancy);
+  });
+}
+export { bootstrapUserSession as b, wireHeaderAuthBootstrap as w };
+//# sourceMappingURL=auth-bootstrap.server-dy8_QSAP.js.map

package/build/server/chunks/auth-bootstrap.server-dy8_QSAP.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-bootstrap.server-dy8_QSAP.js","sources":["../../../.svelte-kit/adapter-node/chunks/auth-bootstrap.server.js"],"sourcesContent":["import { b as private_env } from \"./shared-server.js\";\nimport { randomUUID } from \"node:crypto\";\nimport { S as SYSTEM_CONTEXT, f as ALL_PLATFORM_PERMISSIONS } from \"./context.js\";\nimport { h as getDataProvider, f as getPermissionStore, t as tenancy, a as getOrganizationProvider, e as getAuthProvider, b as getProjectProvider } from \"./providers.server.js\";\nimport { s as slugify } from \"./slug.js\";\nasync function bootstrapUserSession(user) {\n await getDataProvider().ensureUser(SYSTEM_CONTEXT, user.id);\n const perms = getPermissionStore();\n const hasAdmin = await perms.hasInstanceAdmin(SYSTEM_CONTEXT);\n let grantedAdminHere = false;\n if (!hasAdmin) {\n if (!shouldBootstrapAdmin(user, private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL, tenancy)) return;\n await perms.set(SYSTEM_CONTEXT, user.id, [...ALL_PLATFORM_PERMISSIONS]);\n grantedAdminHere = true;\n }\n if (tenancy !== \"single\") return;\n const orgs = getOrganizationProvider();\n const existing = await orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });\n if (existing.items.length > 0) return;\n if (!grantedAdminHere) {\n const userPerms = await perms.getFor(SYSTEM_CONTEXT, user.id);\n if (!userPerms.includes(\"instance_admin\")) return;\n }\n await ensureSingleTenantDefaultOrg(user);\n}\nasync function ensureSingleTenantDefaultOrg(user) {\n if (tenancy !== \"single\") return;\n const orgs = getOrganizationProvider();\n const existing = await orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });\n if (existing.items.length > 0) return;\n const displayName = typeof user.metadata?.displayName === \"string\" ? user.metadata.displayName : void 0;\n const orgName = displayName?.trim() || user.email?.split(\"@\")[0]?.trim() || \"Default\";\n const slug = slugify(orgName).length >= 3 ? slugify(orgName) : \"default\";\n const now = (/* @__PURE__ */ new Date()).toISOString();\n const org = {\n id: randomUUID(),\n name: orgName,\n slug,\n ownerId: user.id,\n createdBy: user.id,\n updatedBy: user.id,\n createdAt: now,\n updatedAt: now,\n deletedAt: null\n };\n await orgs.createOrg(SYSTEM_CONTEXT, org);\n const projects = getProjectProvider();\n const project = {\n id: randomUUID(),\n orgId: org.id,\n name: \"Default\",\n slug: \"default\",\n visibility: \"public\",\n ownerId: user.id,\n createdBy: user.id,\n updatedBy: user.id,\n autoJoinOnUpload: false,\n createdAt: now,\n updatedAt: now,\n deletedAt: null\n };\n await projects.createProject(SYSTEM_CONTEXT, project);\n}\nfunction shouldBootstrapAdmin(user, configuredEmail, mode) {\n const expected = configuredEmail?.trim().toLowerCase();\n if (mode === \"multi\" && !expected) return false;\n if (!expected) return true;\n const actual = user.email?.trim().toLowerCase();\n return !!actual && actual === expected;\n}\nfunction shouldBootstrapUpn(upn, email, configuredEmail, mode) {\n const expected = configuredEmail?.trim().toLowerCase();\n if (mode === \"multi\" && !expected) return false;\n if (!expected) return true;\n const candidate = (email ?? upn).trim().toLowerCase();\n return !!candidate && candidate === expected;\n}\nfunction wireHeaderAuthBootstrap() {\n const auth = getAuthProvider();\n if (typeof auth.setBootstrapAllowlistPolicy !== \"function\") {\n if (private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL?.trim()) {\n console.warn(\n \"[selva] BOOTSTRAP_INSTANCE_ADMIN_EMAIL is set but the installed @selvajs/header-auth-provider does not expose setBootstrapAllowlistPolicy. Upgrade the provider, or hand-seed header-allowlist.json.\"\n );\n }\n return;\n }\n auth.setBootstrapAllowlistPolicy(async ({ upn, email }) => {\n const hasAdmin = await getPermissionStore().hasInstanceAdmin(SYSTEM_CONTEXT);\n if (hasAdmin) return false;\n return shouldBootstrapUpn(upn, email, private_env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL, tenancy);\n });\n}\nexport {\n bootstrapUserSession as b,\n wireHeaderAuthBootstrap as w\n};\n"],"names":[],"mappings":";;;;;;AAKA,eAAe,oBAAoB,CAAC,IAAI,EAAE;AAC1C,EAAE,MAAM,eAAe,EAAE,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC7D,EAAE,MAAM,KAAK,GAAG,kBAAkB,EAAE;AACpC,EAAE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,cAAc,CAAC;AAC/D,EAAE,IAAI,gBAAgB,GAAG,KAAK;AAC9B,EAAE,IAAI,CAAC,QAAQ,EAAE;AACjB,IAAI,IAAI,CAAC,oBAAoB,CAAC,IAAI,EAAE,WAAW,CAAC,8BAA8B,EAAE,OAAO,CAAC,EAAE;AAC1F,IAAI,MAAM,KAAK,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,GAAG,wBAAwB,CAAC,CAAC;AAC3E,IAAI,gBAAgB,GAAG,IAAI;AAC3B,EAAE;AACF,EAAE,IAAI,OAAO,KAAK,QAAQ,EAAE;AAC5B,EAAE,MAAM,IAAI,GAAG,uBAAuB,EAAE;AACxC,EAAE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACpE,EAAE,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;AACjC,EAAE,IAAI,CAAC,gBAAgB,EAAE;AACzB,IAAI,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AACjE,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;AAC/C,EAAE;AACF,EAAE,MAAM,4BAA4B,CAAC,IAAI,CAAC;AAC1C;AACA,eAAe,4BAA4B,CAAC,IAAI,EAAE;AAClD,EAAE,IAAI,OAAO,KAAK,QAAQ,EAAE;AAC5B,EAAE,MAAM,IAAI,GAAG,uBAAuB,EAAE;AACxC,EAAE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACpE,EAAE,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;AACjC,EAAE,MAAM,WAAW,GAAG,OAAO,IAAI,CAAC,QAAQ,EAAE,WAAW,KAAK,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,GAAG,MAAM;AACzG,EAAE,MAAM,OAAO,GAAG,WAAW,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS;AACvF,EAAE,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,SAAS;AAC1E,EAAE,MAAM,GAAG,GAAG,iBAAiB,IAAI,IAAI,EAAE,EAAE,WAAW,EAAE;AACxD,EAAE,MAAM,GAAG,GAAG;AACd,IAAI,EAAE,EAAE,UAAU,EAAE;AACpB,IAAI,IAAI,EAAE,OAAO;AACjB,IAAI,IAAI;AACR,IAAI,OAAO,EAAE,IAAI,CAAC,EAAE;AACpB,IAAI,SAAS,EAAE,IAAI,CAAC,EAAE;AACtB,IAAI,SAAS,EAAE,IAAI,CAAC,EAAE;AACtB,IAAI,SAAS,EAAE,GAAG;AAClB,IAAI,SAAS,EAAE,GAAG;AAClB,IAAI,SAAS,EAAE;AACf,GAAG;AACH,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,GAAG,CAAC;AAC3C,EAAE,MAAM,QAAQ,GAAG,kBAAkB,EAAE;AACvC,EAAE,MAAM,OAAO,GAAG;AAClB,IAAI,EAAE,EAAE,UAAU,EAAE;AACpB,IAAI,KAAK,EAAE,GAAG,CAAC,EAAE;AACjB,IAAI,IAAI,EAAE,SAAS;AACnB,IAAI,IAAI,EAAE,SAAS;AACnB,IAAI,UAAU,EAAE,QAAQ;AACxB,IAAI,OAAO,EAAE,IAAI,CAAC,EAAE;AACpB,IAAI,SAAS,EAAE,IAAI,CAAC,EAAE;AACtB,IAAI,SAAS,EAAE,IAAI,CAAC,EAAE;AACtB,IAAI,gBAAgB,EAAE,KAAK;AAC3B,IAAI,SAAS,EAAE,GAAG;AAClB,IAAI,SAAS,EAAE,GAAG;AAClB,IAAI,SAAS,EAAE;AACf,GAAG;AACH,EAAE,MAAM,QAAQ,CAAC,aAAa,CAAC,cAAc,EAAE,OAAO,CAAC;AACvD;AACA,SAAS,oBAAoB,CAAC,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE;AAC3D,EAAE,MAAM,QAAQ,GAAG,eAAe,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE;AACxD,EAAE,IAAI,IAAI,KAAK,OAAO,IAAI,CAAC,QAAQ,EAAE,OAAO,KAAK;AACjD,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,IAAI;AAC5B,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE;AACjD,EAAE,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,KAAK,QAAQ;AACxC;AACA,SAAS,kBAAkB,CAAC,GAAG,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,EAAE;AAC/D,EAAE,MAAM,QAAQ,GAAG,eAAe,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE;AACxD,EAAE,IAAI,IAAI,KAAK,OAAO,IAAI,CAAC,QAAQ,EAAE,OAAO,KAAK;AACjD,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,IAAI;AAC5B,EAAE,MAAM,SAAS,GAAG,CAAC,KAAK,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE;AACvD,EAAE,OAAO,CAAC,CAAC,SAAS,IAAI,SAAS,KAAK,QAAQ;AAC9C;AACA,SAAS,uBAAuB,GAAG;AACnC,EAAE,MAAM,IAAI,GAAG,eAAe,EAAE;AAChC,EAAE,IAAI,OAAO,IAAI,CAAC,2BAA2B,KAAK,UAAU,EAAE;AAC9D,IAAI,IAAI,WAAW,CAAC,8BAA8B,EAAE,IAAI,EAAE,EAAE;AAC5D,MAAM,OAAO,CAAC,IAAI;AAClB,QAAQ;AACR,OAAO;AACP,IAAI;AACJ,IAAI;AACJ,EAAE;AACF,EAAE,IAAI,CAAC,2BAA2B,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK;AAC7D,IAAI,MAAM,QAAQ,GAAG,MAAM,kBAAkB,EAAE,CAAC,gBAAgB,CAAC,cAAc,CAAC;AAChF,IAAI,IAAI,QAAQ,EAAE,OAAO,KAAK;AAC9B,IAAI,OAAO,kBAAkB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,CAAC,8BAA8B,EAAE,OAAO,CAAC;AAC9F,EAAE,CAAC,CAAC;AACJ;;;;"}

package/build/server/chunks/{hooks.server-aaRldGQ_.js → hooks.server-D5z2JKsD.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import { redirect, isHttpError } from '@sveltejs/kit';
 import { S as SYSTEM_CONTEXT } from './context-9tV9WxQ5.js';
 import { p as providers } from './providers.server-Duyx-08B.js';
 import { g as getBootHealth } from './bootHealth.server-DQx_qsNh.js';
-import { w as wireHeaderAuthBootstrap, b as bootstrapUserSession } from './auth-bootstrap.server-oox9p1sN.js';
+import { w as wireHeaderAuthBootstrap, b as bootstrapUserSession } from './auth-bootstrap.server-dy8_QSAP.js';
 import { g as getRefreshToken, s as setSessionCookie, a as setRefreshCookie, c as clearRefreshCookie } from './admin-auth.server-CdTfBMI5.js';
 import 'zod';
 import './shared-server-DaWdgxVh.js';
@@ -12,6 +12,7 @@ import 'node:fs';
 import 'node:crypto';
 import 'node:fs/promises';
 import '@supabase/supabase-js';
+import './slug-BGuFQjqe.js';
 function emptyProfile(userId) {
   return { userId, starredDefinitions: [], recentRuns: [] };
@@ -194,4 +195,4 @@ const handleError = ({
 };
 export { handle, handleError, isPublicRoute, isStaticAsset };
-//# sourceMappingURL=hooks.server-aaRldGQ_.js.map
+//# sourceMappingURL=hooks.server-D5z2JKsD.js.map

package/build/server/chunks/{hooks.server-aaRldGQ_.js.map → hooks.server-D5z2JKsD.js.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"hooks.server-aaRldGQ_.js","sources":["../../../.svelte-kit/adapter-node/entries/hooks.server.js"],"sourcesContent":["import { redirect, isHttpError } from \"@sveltejs/kit\";\nimport { S as SYSTEM_CONTEXT } from \"../chunks/context.js\";\nimport { p as providers } from \"../chunks/providers.server.js\";\nimport { g as getBootHealth } from \"../chunks/bootHealth.server.js\";\nimport { w as wireHeaderAuthBootstrap, b as bootstrapUserSession } from \"../chunks/auth-bootstrap.server.js\";\nimport { g as getRefreshToken, s as setSessionCookie, a as setRefreshCookie, h as clearRefreshCookie } from \"../chunks/admin-auth.server.js\";\nfunction emptyProfile(userId) {\n return { userId, starredDefinitions: [], recentRuns: [] };\n}\nlet headerAuthBootstrapWired = false;\nvoid getBootHealth();\nlet firstRunResolved = false;\nasync function isFirstRun() {\n if (firstRunResolved) return false;\n const usersPage = await providers.auth.listUsers({ limit: 1 });\n if (usersPage === null) {\n firstRunResolved = true;\n return false;\n }\n if (usersPage.items.length === 0) return true;\n firstRunResolved = true;\n return false;\n}\nasync function buildContext(user, sessionToken) {\n let actingOrgId;\n let orgPermissions = [];\n const platformPermissions = await providers.data.permissions.getFor(SYSTEM_CONTEXT, user.id);\n const membership = await providers.data.orgs.findUserMembership(SYSTEM_CONTEXT, user.id);\n if (membership) {\n actingOrgId = membership.org.id;\n orgPermissions = membership.member.permissions;\n }\n if (!actingOrgId && platformPermissions.includes(\"instance_admin\")) {\n const firstOrgPage = await providers.data.orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });\n const firstOrg = firstOrgPage.items[0];\n if (firstOrg) actingOrgId = firstOrg.id;\n }\n return {\n userId: user.id,\n actingOrgId,\n platformPermissions,\n orgPermissions,\n adapterContext: sessionToken ? { sessionToken } : void 0\n };\n}\nconst PUBLIC_PAGE_ROUTES = /* @__PURE__ / new Set([\n \"/\",\n // landing — guests see it; authed users get redirected by +page.server.ts\n \"/login\",\n \"/setup\",\n \"/accept-invite\"\n]);\nconst PUBLIC_PATH_PREFIXES = [\"/auth/\", \"/logout\"];\nconst PUBLIC_API_ROUTES = / @__PURE__ / new Set([\"/api/health\"]);\nconst STATIC_ASSET_PREFIXES = [\"/_app/\", \"/favicon/\"];\nconst STATIC_ASSET_PATHS = / @__PURE__ */ new Set([\"/favicon.svg\", \"/robots.txt\"]);\nfunction isStaticAsset(pathname) {\n if (STATIC_ASSET_PATHS.has(pathname)) return true;\n return STATIC_ASSET_PREFIXES.some((p) => pathname.startsWith(p));\n}\nfunction isPublicRoute(pathname) {\n if (PUBLIC_PAGE_ROUTES.has(pathname)) return true;\n if (PUBLIC_API_ROUTES.has(pathname)) return true;\n return PUBLIC_PATH_PREFIXES.some((p) => pathname.startsWith(p));\n}\nconst handle = async ({ event, resolve }) => {\n event.locals.providers = providers;\n if (!headerAuthBootstrapWired) {\n wireHeaderAuthBootstrap();\n headerAuthBootstrapWired = true;\n }\n const { pathname } = event.url;\n if (isStaticAsset(pathname)) {\n return applySecurityHeaders(await resolve(event), pathname);\n }\n if (pathname === \"/api/health\") {\n return applySecurityHeaders(await resolve(event), pathname);\n }\n const publicRoute = isPublicRoute(pathname);\n const isJsonApiRoute = pathname.startsWith(\"/api/\") \|\| pathname.startsWith(\"/admin/api/\");\n if (!publicRoute) {\n if (await isFirstRun()) {\n if (isJsonApiRoute) {\n return applySecurityHeaders(\n new Response(JSON.stringify({ error: \"Setup required\" }), {\n status: 503,\n headers: { \"Content-Type\": \"application/json\" }\n }),\n pathname\n );\n }\n redirect(303, \"/setup\");\n }\n }\n const needsAuth = !publicRoute;\n if (needsAuth) {\n let token = event.cookies.get(\"admin_session\") ?? \"\";\n let user = await providers.auth.verifyToken(token);\n if (!user) {\n const refreshToken = getRefreshToken(event.cookies);\n const oauth = providers.auth.oauth;\n if (refreshToken && oauth) {\n const refreshed = await oauth.refreshSession(refreshToken);\n if (refreshed) {\n setSessionCookie(event.cookies, refreshed.sessionToken);\n setRefreshCookie(event.cookies, refreshed.refreshToken);\n token = refreshed.sessionToken;\n user = await providers.auth.verifyToken(token);\n } else {\n clearRefreshCookie(event.cookies);\n }\n }\n }\n if (!user && providers.auth.proxyAuth) {\n user = await providers.auth.proxyAuth.identifyFromHeaders(event.request.headers);\n if (user) await bootstrapUserSession(user);\n }\n if (!user) {\n if (isJsonApiRoute) {\n return applySecurityHeaders(\n new Response(JSON.stringify({ error: \"Unauthorized\" }), {\n status: 401,\n headers: { \"Content-Type\": \"application/json\" }\n }),\n pathname\n );\n }\n redirect(303, `/login?redirectTo=${encodeURIComponent(pathname)}`);\n }\n await providers.data.ensureUser(SYSTEM_CONTEXT, user.id);\n event.locals.user = user;\n event.locals.profile = await providers.data.userProfile.getProfile(SYSTEM_CONTEXT, user.id) ?? emptyProfile(user.id);\n event.locals.ctx = await buildContext(user, token);\n } else {\n const isPublicPage = PUBLIC_PAGE_ROUTES.has(pathname);\n const token = isPublicPage ? event.cookies.get(\"admin_session\") ?? \"\" : \"\";\n let user = token ? await providers.auth.verifyToken(token) : null;\n if (!user && isPublicPage && providers.auth.proxyAuth) {\n user = await providers.auth.proxyAuth.identifyFromHeaders(event.request.headers);\n }\n if (user) {\n await providers.data.ensureUser(SYSTEM_CONTEXT, user.id);\n event.locals.user = user;\n event.locals.profile = await providers.data.userProfile.getProfile(SYSTEM_CONTEXT, user.id) ?? emptyProfile(user.id);\n event.locals.ctx = await buildContext(user, token);\n }\n }\n return applySecurityHeaders(await resolve(event), pathname);\n};\nfunction applySecurityHeaders(response, pathname) {\n response.headers.set(\"X-Content-Type-Options\", \"nosniff\");\n response.headers.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");\n response.headers.set(\n \"Permissions-Policy\",\n \"accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()\"\n );\n if (process.env.NODE_ENV === \"production\") {\n response.headers.set(\"Strict-Transport-Security\", \"max-age=31536000; includeSubDomains\");\n }\n if (pathname.startsWith(\"/_app/\")) {\n response.headers.set(\"Cache-Control\", \"public, max-age=31536000, immutable\");\n } else if (pathname.startsWith(\"/favicon/\") \|\| pathname === \"/favicon.svg\" \|\| pathname === \"/robots.txt\") {\n response.headers.set(\"Cache-Control\", \"public, max-age=604800\");\n }\n return response;\n}\nconst handleError = ({\n error,\n status,\n event\n}) => {\n if (isHttpError(error)) {\n return { message: error.body.message };\n }\n if (status === 404) {\n return { message: \"Page not found.\" };\n }\n const cause = error instanceof Error && error.cause ? `\n caused by: ${error.cause}` : \"\";\n console.error(\n `[Unhandled error] ${event.request.method} ${event.url.pathname}\n ${error}${cause}`\n );\n return { message: \"An unexpected error occurred.\" };\n};\nexport {\n handle,\n handleError,\n isPublicRoute,\n isStaticAsset\n};\n"],"names":[],"mappings":";;;;;;;;;;;;;;;AAMA,SAAS,YAAY,CAAC,MAAM,EAAE;AAC9B,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;AAC3D;AACA,IAAI,wBAAwB,GAAG,KAAK;AACpC,KAAK,aAAa,EAAE;AACpB,IAAI,gBAAgB,GAAG,KAAK;AAC5B,eAAe,UAAU,GAAG;AAC5B,EAAE,IAAI,gBAAgB,EAAE,OAAO,KAAK;AACpC,EAAE,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AAChE,EAAE,IAAI,SAAS,KAAK,IAAI,EAAE;AAC1B,IAAI,gBAAgB,GAAG,IAAI;AAC3B,IAAI,OAAO,KAAK;AAChB,EAAE;AACF,EAAE,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,IAAI;AAC/C,EAAE,gBAAgB,GAAG,IAAI;AACzB,EAAE,OAAO,KAAK;AACd;AACA,eAAe,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE;AAChD,EAAE,IAAI,WAAW;AACjB,EAAE,IAAI,cAAc,GAAG,EAAE;AACzB,EAAE,MAAM,mBAAmB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC9F,EAAE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC1F,EAAE,IAAI,UAAU,EAAE;AAClB,IAAI,WAAW,GAAG,UAAU,CAAC,GAAG,CAAC,EAAE;AACnC,IAAI,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,WAAW;AAClD,EAAE;AACF,EAAE,IAAI,CAAC,WAAW,IAAI,mBAAmB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;AACtE,IAAI,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACzF,IAAI,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1C,IAAI,IAAI,QAAQ,EAAE,WAAW,GAAG,QAAQ,CAAC,EAAE;AAC3C,EAAE;AACF,EAAE,OAAO;AACT,IAAI,MAAM,EAAE,IAAI,CAAC,EAAE;AACnB,IAAI,WAAW;AACf,IAAI,mBAAmB;AACvB,IAAI,cAAc;AAClB,IAAI,cAAc,EAAE,YAAY,GAAG,EAAE,YAAY,EAAE,GAAG;AACtD,GAAG;AACH;AACA,MAAM,kBAAkB,mBAAmB,IAAI,GAAG,CAAC;AACnD,EAAE,GAAG;AACL;AACA,EAAE,QAAQ;AACV,EAAE,QAAQ;AACV,EAAE;AACF,CAAC,CAAC;AACF,MAAM,oBAAoB,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC;AAClD,MAAM,iBAAiB,mBAAmB,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC;AAClE,MAAM,qBAAqB,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC;AACrD,MAAM,kBAAkB,mBAAmB,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;AACnF,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,EAAE,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AACnD,EAAE,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAClE;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,EAAE,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AACnD,EAAE,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AAClD,EAAE,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AACjE;AACK,MAAC,MAAM,GAAG,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;AAC7C,EAAE,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,SAAS;AACpC,EAAE,IAAI,CAAC,wBAAwB,EAAE;AACjC,IAAI,uBAAuB,EAAE;AAC7B,IAAI,wBAAwB,GAAG,IAAI;AACnC,EAAE;AACF,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC,GAAG;AAChC,EAAE,IAAI,aAAa,CAAC,QAAQ,CAAC,EAAE;AAC/B,IAAI,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC/D,EAAE;AACF,EAAE,IAAI,QAAQ,KAAK,aAAa,EAAE;AAClC,IAAI,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC/D,EAAE;AACF,EAAE,MAAM,WAAW,GAAG,aAAa,CAAC,QAAQ,CAAC;AAC7C,EAAE,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;AAC3F,EAAE,IAAI,CAAC,WAAW,EAAE;AACpB,IAAI,IAAI,MAAM,UAAU,EAAE,EAAE;AAC5B,MAAM,IAAI,cAAc,EAAE;AAC1B,QAAQ,OAAO,oBAAoB;AACnC,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE;AACpE,YAAY,MAAM,EAAE,GAAG;AACvB,YAAY,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AACzD,WAAW,CAAC;AACZ,UAAU;AACV,SAAS;AACT,MAAM;AACN,MAAM,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC;AAC7B,IAAI;AACJ,EAAE;AACF,EAAE,MAAM,SAAS,GAAG,CAAC,WAAW;AAChC,EAAE,IAAI,SAAS,EAAE;AACjB,IAAI,IAAI,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE;AACxD,IAAI,IAAI,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;AACtD,IAAI,IAAI,CAAC,IAAI,EAAE;AACf,MAAM,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC;AACzD,MAAM,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK;AACxC,MAAM,IAAI,YAAY,IAAI,KAAK,EAAE;AACjC,QAAQ,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,YAAY,CAAC;AAClE,QAAQ,IAAI,SAAS,EAAE;AACvB,UAAU,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,CAAC;AACjE,UAAU,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,CAAC;AACjE,UAAU,KAAK,GAAG,SAAS,CAAC,YAAY;AACxC,UAAU,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;AACxD,QAAQ,CAAC,MAAM;AACf,UAAU,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC;AAC3C,QAAQ;AACR,MAAM;AACN,IAAI;AACJ,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;AAC3C,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;AACtF,MAAM,IAAI,IAAI,EAAE,MAAM,oBAAoB,CAAC,IAAI,CAAC;AAChD,IAAI;AACJ,IAAI,IAAI,CAAC,IAAI,EAAE;AACf,MAAM,IAAI,cAAc,EAAE;AAC1B,QAAQ,OAAO,oBAAoB;AACnC,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE;AAClE,YAAY,MAAM,EAAE,GAAG;AACvB,YAAY,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AACzD,WAAW,CAAC;AACZ,UAAU;AACV,SAAS;AACT,MAAM;AACN,MAAM,QAAQ,CAAC,GAAG,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACxE,IAAI;AACJ,IAAI,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC5D,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI;AAC5B,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;AACxH,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC;AACtD,EAAE,CAAC,MAAM;AACT,IAAI,MAAM,YAAY,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC;AACzD,IAAI,MAAM,KAAK,GAAG,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,GAAG,EAAE;AAC9E,IAAI,IAAI,IAAI,GAAG,KAAK,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,IAAI;AACrE,IAAI,IAAI,CAAC,IAAI,IAAI,YAAY,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;AAC3D,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;AACtF,IAAI;AACJ,IAAI,IAAI,IAAI,EAAE;AACd,MAAM,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC9D,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI;AAC9B,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;AAC1H,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC;AACxD,IAAI;AACJ,EAAE;AACF,EAAE,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC7D;AACA,SAAS,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE;AAClD,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC;AAC3D,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,iCAAiC,CAAC;AAC5E,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG;AACtB,IAAI,oBAAoB;AACxB,IAAI;AACJ,GAAG;AACH,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE;AAC7C,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,qCAAqC,CAAC;AAC5F,EAAE;AACF,EAAE,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE;AACrC,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,qCAAqC,CAAC;AAChF,EAAE,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,QAAQ,KAAK,cAAc,IAAI,QAAQ,KAAK,aAAa,EAAE;AAC5G,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,wBAAwB,CAAC;AACnE,EAAE;AACF,EAAE,OAAO,QAAQ;AACjB;AACK,MAAC,WAAW,GAAG,CAAC;AACrB,EAAE,KAAK;AACP,EAAE,MAAM;AACR,EAAE;AACF,CAAC,KAAK;AACN,EAAE,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE;AAC1B,IAAI,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE;AAC1C,EAAE;AACF,EAAE,IAAI,MAAM,KAAK,GAAG,EAAE;AACtB,IAAI,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE;AACzC,EAAE;AACF,EAAE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,GAAG;AACxD,aAAa,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE;AACjC,EAAE,OAAO,CAAC,KAAK;AACf,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,QAAQ;AACnE,EAAE,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC;AAClB,GAAG;AACH,EAAE,OAAO,EAAE,OAAO,EAAE,+BAA+B,EAAE;AACrD;;;;"}
1	+ {"version":3,"file":"hooks.server-D5z2JKsD.js","sources":["../../../.svelte-kit/adapter-node/entries/hooks.server.js"],"sourcesContent":["import { redirect, isHttpError } from \"@sveltejs/kit\";\nimport { S as SYSTEM_CONTEXT } from \"../chunks/context.js\";\nimport { p as providers } from \"../chunks/providers.server.js\";\nimport { g as getBootHealth } from \"../chunks/bootHealth.server.js\";\nimport { w as wireHeaderAuthBootstrap, b as bootstrapUserSession } from \"../chunks/auth-bootstrap.server.js\";\nimport { g as getRefreshToken, s as setSessionCookie, a as setRefreshCookie, h as clearRefreshCookie } from \"../chunks/admin-auth.server.js\";\nfunction emptyProfile(userId) {\n return { userId, starredDefinitions: [], recentRuns: [] };\n}\nlet headerAuthBootstrapWired = false;\nvoid getBootHealth();\nlet firstRunResolved = false;\nasync function isFirstRun() {\n if (firstRunResolved) return false;\n const usersPage = await providers.auth.listUsers({ limit: 1 });\n if (usersPage === null) {\n firstRunResolved = true;\n return false;\n }\n if (usersPage.items.length === 0) return true;\n firstRunResolved = true;\n return false;\n}\nasync function buildContext(user, sessionToken) {\n let actingOrgId;\n let orgPermissions = [];\n const platformPermissions = await providers.data.permissions.getFor(SYSTEM_CONTEXT, user.id);\n const membership = await providers.data.orgs.findUserMembership(SYSTEM_CONTEXT, user.id);\n if (membership) {\n actingOrgId = membership.org.id;\n orgPermissions = membership.member.permissions;\n }\n if (!actingOrgId && platformPermissions.includes(\"instance_admin\")) {\n const firstOrgPage = await providers.data.orgs.listOrgs(SYSTEM_CONTEXT, { limit: 1 });\n const firstOrg = firstOrgPage.items[0];\n if (firstOrg) actingOrgId = firstOrg.id;\n }\n return {\n userId: user.id,\n actingOrgId,\n platformPermissions,\n orgPermissions,\n adapterContext: sessionToken ? { sessionToken } : void 0\n };\n}\nconst PUBLIC_PAGE_ROUTES = /* @__PURE__ / new Set([\n \"/\",\n // landing — guests see it; authed users get redirected by +page.server.ts\n \"/login\",\n \"/setup\",\n \"/accept-invite\"\n]);\nconst PUBLIC_PATH_PREFIXES = [\"/auth/\", \"/logout\"];\nconst PUBLIC_API_ROUTES = / @__PURE__ / new Set([\"/api/health\"]);\nconst STATIC_ASSET_PREFIXES = [\"/_app/\", \"/favicon/\"];\nconst STATIC_ASSET_PATHS = / @__PURE__ */ new Set([\"/favicon.svg\", \"/robots.txt\"]);\nfunction isStaticAsset(pathname) {\n if (STATIC_ASSET_PATHS.has(pathname)) return true;\n return STATIC_ASSET_PREFIXES.some((p) => pathname.startsWith(p));\n}\nfunction isPublicRoute(pathname) {\n if (PUBLIC_PAGE_ROUTES.has(pathname)) return true;\n if (PUBLIC_API_ROUTES.has(pathname)) return true;\n return PUBLIC_PATH_PREFIXES.some((p) => pathname.startsWith(p));\n}\nconst handle = async ({ event, resolve }) => {\n event.locals.providers = providers;\n if (!headerAuthBootstrapWired) {\n wireHeaderAuthBootstrap();\n headerAuthBootstrapWired = true;\n }\n const { pathname } = event.url;\n if (isStaticAsset(pathname)) {\n return applySecurityHeaders(await resolve(event), pathname);\n }\n if (pathname === \"/api/health\") {\n return applySecurityHeaders(await resolve(event), pathname);\n }\n const publicRoute = isPublicRoute(pathname);\n const isJsonApiRoute = pathname.startsWith(\"/api/\") \|\| pathname.startsWith(\"/admin/api/\");\n if (!publicRoute) {\n if (await isFirstRun()) {\n if (isJsonApiRoute) {\n return applySecurityHeaders(\n new Response(JSON.stringify({ error: \"Setup required\" }), {\n status: 503,\n headers: { \"Content-Type\": \"application/json\" }\n }),\n pathname\n );\n }\n redirect(303, \"/setup\");\n }\n }\n const needsAuth = !publicRoute;\n if (needsAuth) {\n let token = event.cookies.get(\"admin_session\") ?? \"\";\n let user = await providers.auth.verifyToken(token);\n if (!user) {\n const refreshToken = getRefreshToken(event.cookies);\n const oauth = providers.auth.oauth;\n if (refreshToken && oauth) {\n const refreshed = await oauth.refreshSession(refreshToken);\n if (refreshed) {\n setSessionCookie(event.cookies, refreshed.sessionToken);\n setRefreshCookie(event.cookies, refreshed.refreshToken);\n token = refreshed.sessionToken;\n user = await providers.auth.verifyToken(token);\n } else {\n clearRefreshCookie(event.cookies);\n }\n }\n }\n if (!user && providers.auth.proxyAuth) {\n user = await providers.auth.proxyAuth.identifyFromHeaders(event.request.headers);\n if (user) await bootstrapUserSession(user);\n }\n if (!user) {\n if (isJsonApiRoute) {\n return applySecurityHeaders(\n new Response(JSON.stringify({ error: \"Unauthorized\" }), {\n status: 401,\n headers: { \"Content-Type\": \"application/json\" }\n }),\n pathname\n );\n }\n redirect(303, `/login?redirectTo=${encodeURIComponent(pathname)}`);\n }\n await providers.data.ensureUser(SYSTEM_CONTEXT, user.id);\n event.locals.user = user;\n event.locals.profile = await providers.data.userProfile.getProfile(SYSTEM_CONTEXT, user.id) ?? emptyProfile(user.id);\n event.locals.ctx = await buildContext(user, token);\n } else {\n const isPublicPage = PUBLIC_PAGE_ROUTES.has(pathname);\n const token = isPublicPage ? event.cookies.get(\"admin_session\") ?? \"\" : \"\";\n let user = token ? await providers.auth.verifyToken(token) : null;\n if (!user && isPublicPage && providers.auth.proxyAuth) {\n user = await providers.auth.proxyAuth.identifyFromHeaders(event.request.headers);\n }\n if (user) {\n await providers.data.ensureUser(SYSTEM_CONTEXT, user.id);\n event.locals.user = user;\n event.locals.profile = await providers.data.userProfile.getProfile(SYSTEM_CONTEXT, user.id) ?? emptyProfile(user.id);\n event.locals.ctx = await buildContext(user, token);\n }\n }\n return applySecurityHeaders(await resolve(event), pathname);\n};\nfunction applySecurityHeaders(response, pathname) {\n response.headers.set(\"X-Content-Type-Options\", \"nosniff\");\n response.headers.set(\"Referrer-Policy\", \"strict-origin-when-cross-origin\");\n response.headers.set(\n \"Permissions-Policy\",\n \"accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()\"\n );\n if (process.env.NODE_ENV === \"production\") {\n response.headers.set(\"Strict-Transport-Security\", \"max-age=31536000; includeSubDomains\");\n }\n if (pathname.startsWith(\"/_app/\")) {\n response.headers.set(\"Cache-Control\", \"public, max-age=31536000, immutable\");\n } else if (pathname.startsWith(\"/favicon/\") \|\| pathname === \"/favicon.svg\" \|\| pathname === \"/robots.txt\") {\n response.headers.set(\"Cache-Control\", \"public, max-age=604800\");\n }\n return response;\n}\nconst handleError = ({\n error,\n status,\n event\n}) => {\n if (isHttpError(error)) {\n return { message: error.body.message };\n }\n if (status === 404) {\n return { message: \"Page not found.\" };\n }\n const cause = error instanceof Error && error.cause ? `\n caused by: ${error.cause}` : \"\";\n console.error(\n `[Unhandled error] ${event.request.method} ${event.url.pathname}\n ${error}${cause}`\n );\n return { message: \"An unexpected error occurred.\" };\n};\nexport {\n handle,\n handleError,\n isPublicRoute,\n isStaticAsset\n};\n"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAMA,SAAS,YAAY,CAAC,MAAM,EAAE;AAC9B,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE;AAC3D;AACA,IAAI,wBAAwB,GAAG,KAAK;AACpC,KAAK,aAAa,EAAE;AACpB,IAAI,gBAAgB,GAAG,KAAK;AAC5B,eAAe,UAAU,GAAG;AAC5B,EAAE,IAAI,gBAAgB,EAAE,OAAO,KAAK;AACpC,EAAE,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AAChE,EAAE,IAAI,SAAS,KAAK,IAAI,EAAE;AAC1B,IAAI,gBAAgB,GAAG,IAAI;AAC3B,IAAI,OAAO,KAAK;AAChB,EAAE;AACF,EAAE,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,IAAI;AAC/C,EAAE,gBAAgB,GAAG,IAAI;AACzB,EAAE,OAAO,KAAK;AACd;AACA,eAAe,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE;AAChD,EAAE,IAAI,WAAW;AACjB,EAAE,IAAI,cAAc,GAAG,EAAE;AACzB,EAAE,MAAM,mBAAmB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC9F,EAAE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC1F,EAAE,IAAI,UAAU,EAAE;AAClB,IAAI,WAAW,GAAG,UAAU,CAAC,GAAG,CAAC,EAAE;AACnC,IAAI,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,WAAW;AAClD,EAAE;AACF,EAAE,IAAI,CAAC,WAAW,IAAI,mBAAmB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;AACtE,IAAI,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;AACzF,IAAI,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1C,IAAI,IAAI,QAAQ,EAAE,WAAW,GAAG,QAAQ,CAAC,EAAE;AAC3C,EAAE;AACF,EAAE,OAAO;AACT,IAAI,MAAM,EAAE,IAAI,CAAC,EAAE;AACnB,IAAI,WAAW;AACf,IAAI,mBAAmB;AACvB,IAAI,cAAc;AAClB,IAAI,cAAc,EAAE,YAAY,GAAG,EAAE,YAAY,EAAE,GAAG;AACtD,GAAG;AACH;AACA,MAAM,kBAAkB,mBAAmB,IAAI,GAAG,CAAC;AACnD,EAAE,GAAG;AACL;AACA,EAAE,QAAQ;AACV,EAAE,QAAQ;AACV,EAAE;AACF,CAAC,CAAC;AACF,MAAM,oBAAoB,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC;AAClD,MAAM,iBAAiB,mBAAmB,IAAI,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC;AAClE,MAAM,qBAAqB,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC;AACrD,MAAM,kBAAkB,mBAAmB,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;AACnF,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,EAAE,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AACnD,EAAE,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAClE;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,EAAE,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AACnD,EAAE,IAAI,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI;AAClD,EAAE,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AACjE;AACK,MAAC,MAAM,GAAG,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;AAC7C,EAAE,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,SAAS;AACpC,EAAE,IAAI,CAAC,wBAAwB,EAAE;AACjC,IAAI,uBAAuB,EAAE;AAC7B,IAAI,wBAAwB,GAAG,IAAI;AACnC,EAAE;AACF,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC,GAAG;AAChC,EAAE,IAAI,aAAa,CAAC,QAAQ,CAAC,EAAE;AAC/B,IAAI,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC/D,EAAE;AACF,EAAE,IAAI,QAAQ,KAAK,aAAa,EAAE;AAClC,IAAI,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC/D,EAAE;AACF,EAAE,MAAM,WAAW,GAAG,aAAa,CAAC,QAAQ,CAAC;AAC7C,EAAE,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;AAC3F,EAAE,IAAI,CAAC,WAAW,EAAE;AACpB,IAAI,IAAI,MAAM,UAAU,EAAE,EAAE;AAC5B,MAAM,IAAI,cAAc,EAAE;AAC1B,QAAQ,OAAO,oBAAoB;AACnC,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAAE;AACpE,YAAY,MAAM,EAAE,GAAG;AACvB,YAAY,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AACzD,WAAW,CAAC;AACZ,UAAU;AACV,SAAS;AACT,MAAM;AACN,MAAM,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC;AAC7B,IAAI;AACJ,EAAE;AACF,EAAE,MAAM,SAAS,GAAG,CAAC,WAAW;AAChC,EAAE,IAAI,SAAS,EAAE;AACjB,IAAI,IAAI,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE;AACxD,IAAI,IAAI,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;AACtD,IAAI,IAAI,CAAC,IAAI,EAAE;AACf,MAAM,MAAM,YAAY,GAAG,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC;AACzD,MAAM,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK;AACxC,MAAM,IAAI,YAAY,IAAI,KAAK,EAAE;AACjC,QAAQ,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC,YAAY,CAAC;AAClE,QAAQ,IAAI,SAAS,EAAE;AACvB,UAAU,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,CAAC;AACjE,UAAU,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,CAAC;AACjE,UAAU,KAAK,GAAG,SAAS,CAAC,YAAY;AACxC,UAAU,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC;AACxD,QAAQ,CAAC,MAAM;AACf,UAAU,kBAAkB,CAAC,KAAK,CAAC,OAAO,CAAC;AAC3C,QAAQ;AACR,MAAM;AACN,IAAI;AACJ,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;AAC3C,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;AACtF,MAAM,IAAI,IAAI,EAAE,MAAM,oBAAoB,CAAC,IAAI,CAAC;AAChD,IAAI;AACJ,IAAI,IAAI,CAAC,IAAI,EAAE;AACf,MAAM,IAAI,cAAc,EAAE;AAC1B,QAAQ,OAAO,oBAAoB;AACnC,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE;AAClE,YAAY,MAAM,EAAE,GAAG;AACvB,YAAY,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB;AACzD,WAAW,CAAC;AACZ,UAAU;AACV,SAAS;AACT,MAAM;AACN,MAAM,QAAQ,CAAC,GAAG,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AACxE,IAAI;AACJ,IAAI,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC5D,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI;AAC5B,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;AACxH,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC;AACtD,EAAE,CAAC,MAAM;AACT,IAAI,MAAM,YAAY,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC;AACzD,IAAI,MAAM,KAAK,GAAG,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,GAAG,EAAE;AAC9E,IAAI,IAAI,IAAI,GAAG,KAAK,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,IAAI;AACrE,IAAI,IAAI,CAAC,IAAI,IAAI,YAAY,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE;AAC3D,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;AACtF,IAAI;AACJ,IAAI,IAAI,IAAI,EAAE;AACd,MAAM,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC;AAC9D,MAAM,KAAK,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI;AAC9B,MAAM,KAAK,CAAC,MAAM,CAAC,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;AAC1H,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC;AACxD,IAAI;AACJ,EAAE;AACF,EAAE,OAAO,oBAAoB,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC;AAC7D;AACA,SAAS,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE;AAClD,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,SAAS,CAAC;AAC3D,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,iCAAiC,CAAC;AAC5E,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG;AACtB,IAAI,oBAAoB;AACxB,IAAI;AACJ,GAAG;AACH,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE;AAC7C,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,qCAAqC,CAAC;AAC5F,EAAE;AACF,EAAE,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE;AACrC,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,qCAAqC,CAAC;AAChF,EAAE,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,QAAQ,KAAK,cAAc,IAAI,QAAQ,KAAK,aAAa,EAAE;AAC5G,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,wBAAwB,CAAC;AACnE,EAAE;AACF,EAAE,OAAO,QAAQ;AACjB;AACK,MAAC,WAAW,GAAG,CAAC;AACrB,EAAE,KAAK;AACP,EAAE,MAAM;AACR,EAAE;AACF,CAAC,KAAK;AACN,EAAE,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE;AAC1B,IAAI,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE;AAC1C,EAAE;AACF,EAAE,IAAI,MAAM,KAAK,GAAG,EAAE;AACtB,IAAI,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE;AACzC,EAAE;AACF,EAAE,MAAM,KAAK,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,GAAG;AACxD,aAAa,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE;AACjC,EAAE,OAAO,CAAC,KAAK;AACf,IAAI,CAAC,kBAAkB,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,QAAQ;AACnE,EAAE,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC;AAClB,GAAG;AACH,EAAE,OAAO,EAAE,OAAO,EAAE,+BAA+B,EAAE;AACrD;;;;"}

package/build/server/index.js CHANGED Viewed

@@ -1175,7 +1175,7 @@ const options = {
 		<div class="error">
 			<span class="status">` + status + '</span>\n			<div class="message">\n				<h1>' + message + "</h1>\n			</div>\n		</div>\n	</body>\n</html>\n"
   },
-  version_hash: "69v4og"
+  version_hash: "1c5p5sh"
 };
 async function get_hooks() {
   let handle;
@@ -1183,7 +1183,7 @@ async function get_hooks() {
   let handleError;
   let handleValidationError;
   let init;
-  ({ handle, handleFetch, handleError, handleValidationError, init } = await import('./chunks/hooks.server-aaRldGQ_.js'));
+  ({ handle, handleFetch, handleError, handleValidationError, init } = await import('./chunks/hooks.server-D5z2JKsD.js'));
   let reroute;
   let transport;
   return {