@soulcraft/sdk 2.6.1 → 3.0.0

package/dist/modules/auth/middleware.js

@@ -1,12 +1,11 @@
 /**
  * @module modules/auth/middleware
- * @description Hono auth middleware factories, remote session verification, and
- * dev/guest session utilities for Soulcraft product backends.
+ * @description Session verification factories and shared auth types for Soulcraft
+ * product backends.
  *
  * ## Session verification strategies
  *
- * All products share the same `createAuthMiddleware` factory, but each product
- * selects the right session verifier for its deployment context:
+ * All products select the right session verifier for their deployment context:
  *
  * ```
  * Production (all products):
@@ -14,57 +13,45 @@
  *
  * Development (all products):
  *   createDevSessionVerifier({ role: 'owner' })   // auto-login, no OAuth needed
- *
- * Workshop standalone (legacy / local OAuth):
- *   createAuthMiddleware(betterAuthInstance)       // BetterAuthLike overload
  * ```
  *
- * ## Dev and guest endpoint factories
+ * ## Dev and guest cookie verifiers
+ *
+ * - `createDevCookieVerifier` — reads the dev session cookie issued by
+ *   `createRequestDevLoginHandler` (from `request-middleware.ts`).
+ * - `createGuestCookieVerifier` — reads the guest session cookie issued by
+ *   `createRequestGuestSessionHandler` (from `request-middleware.ts`).
+ *
+ * ## Framework-agnostic middleware
  *
- * - `createDevLoginHandler` — mounts a `/api/dev/login` endpoint for role-switching
- *   during development. Issues a signed dev session cookie. No-ops in production.
- * - `createGuestSessionHandler` — mounts a `/api/guest/session` endpoint so Venue
- *   visitors can obtain a guest session (platformRole `'guest'`) for anonymous
- *   browse and booking flows, before they create an account.
+ * Use `createRequestAuthMiddleware` from `request-middleware.ts` for the
+ * framework-agnostic middleware that works with any Web Standard Request/Response
+ * server (SvelteKit, Bun, Deno, Cloudflare Workers, etc.).
  *
  * @example Production setup (Venue / Academy)
  * ```typescript
- * import { createAuthMiddleware, createRemoteSessionVerifier } from '@soulcraft/sdk/server'
+ * import {
+ *   createRequestAuthMiddleware,
+ *   createRemoteSessionVerifier,
+ *   getUser,
+ * } from '@soulcraft/sdk/server'
  *
  * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
- * const { requireAuth, optionalAuth } = createAuthMiddleware(verifySession)
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
  *
- * app.get('/api/bookings', requireAuth, async (c) => {
- *   const user = c.get('user')! // SoulcraftSessionUser
- * })
+ * // SvelteKit hooks:
+ * export const handle = async ({ event, resolve }) => {
+ *   const response = await requireAuth(event.request, () => resolve(event))
+ *   event.locals.user = getUser(event.request)
+ *   return response
+ * }
  * ```
  */
 import { LRUCache } from 'lru-cache';
 import { computeEmailHash } from './config.js';
 // ─────────────────────────────────────────────────────────────────────────────
-// Types
-// ─────────────────────────────────────────────────────────────────────────────
-/** The Hono context variable key where the resolved user is stored. */
-export const AUTH_USER_KEY = 'user';
-// ─────────────────────────────────────────────────────────────────────────────
 // Shared internal helpers
 // ─────────────────────────────────────────────────────────────────────────────
-/** Resolve a raw user record from a better-auth session into a `SoulcraftSessionUser`. */
-function _resolveUser(raw) {
-    const email = String(raw['email'] ?? '');
-    const emailHash = raw['emailHash']
-        ? String(raw['emailHash'])
-        : computeEmailHash(email);
-    return {
-        id: String(raw['id'] ?? ''),
-        email,
-        name: String(raw['name'] ?? ''),
-        image: raw['image'] ?? null,
-        platformRole: raw['platformRole'] ?? 'creator',
-        emailHash,
-        ...(raw['handle'] ? { handle: String(raw['handle']) } : {}),
-    };
-}
 /** Parse a simple `name=value` cookie from a raw cookie header string. */
 function _parseCookie(cookieHeader, name) {
     for (const part of cookieHeader.split(';')) {
@@ -74,10 +61,6 @@ function _parseCookie(cookieHeader, name) {
     }
     return undefined;
 }
-/** Encode a dev/guest session payload as a compact JSON+base64url string (unsigned). */
-function _encodeSessionCookie(session) {
-    return Buffer.from(JSON.stringify(session)).toString('base64url');
-}
 /** Decode a session payload encoded by `_encodeSessionCookie`. Returns null on any error. */
 function _decodeSessionCookie(value) {
     try {
@@ -93,108 +76,6 @@ function _decodeSessionCookie(value) {
     }
 }
 // ─────────────────────────────────────────────────────────────────────────────
-// createAuthMiddleware
-// ─────────────────────────────────────────────────────────────────────────────
-/**
- * Creates Hono auth middleware from a `SessionVerifier` function or a `BetterAuthLike`
- * instance.
- *
- * **Preferred form (all products in OIDC-client mode):**
- * Pass a `SessionVerifier` returned by `createRemoteSessionVerifier` or
- * `createDevSessionVerifier`. The middleware reads the request cookie header and
- * passes it to the verifier.
- *
- * **Legacy form (Workshop standalone mode):**
- * Pass a `better-auth` instance directly. The middleware calls `auth.api.getSession`.
- * In non-production environments and when `devAutoLogin` is enabled, a synthetic dev
- * user is injected on failed lookups so local dev works without OAuth.
- *
- * Both forms return identical `{ requireAuth, optionalAuth }` middleware.
- *
- * @param authOrVerifier - A `better-auth` instance or a `SessionVerifier` function.
- * @param options - Optional middleware configuration (only applies to `BetterAuthLike` form).
- * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
- *
- * @example Verifier form (Venue / Academy / Workshop in OIDC mode)
- * ```typescript
- * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
- * const { requireAuth } = createAuthMiddleware(verifySession)
- * ```
- *
- * @example BetterAuth form (Workshop dev standalone)
- * ```typescript
- * import { auth } from './better-auth.js'
- * const { requireAuth } = createAuthMiddleware(auth)
- * ```
- */
-export function createAuthMiddleware(authOrVerifier, options = {}) {
-    const isVerifier = typeof authOrVerifier === 'function';
-    if (isVerifier) {
-        const verify = authOrVerifier;
-        const requireAuth = async (c, next) => {
-            const cookieHeader = c.req.header('cookie') ?? '';
-            const session = await verify(cookieHeader);
-            if (!session)
-                return c.json({ error: 'Authentication required' }, 401);
-            c.set(AUTH_USER_KEY, session.user);
-            await next();
-            return;
-        };
-        const optionalAuth = async (c, next) => {
-            const cookieHeader = c.req.header('cookie') ?? '';
-            const session = await verify(cookieHeader);
-            c.set(AUTH_USER_KEY, session?.user ?? null);
-            await next();
-        };
-        return { requireAuth, optionalAuth };
-    }
-    // BetterAuthLike form (Workshop standalone)
-    const auth = authOrVerifier;
-    const devAutoLogin = options.devAutoLogin ?? true;
-    const isDev = process.env['NODE_ENV'] !== 'production';
-    const DEV_USER = {
-        id: 'dev-user-001',
-        email: 'dev@localhost',
-        name: 'Dev User',
-        image: null,
-        emailHash: computeEmailHash('dev@localhost'),
-        platformRole: 'creator',
-        handle: 'dev',
-    };
-    const requireAuth = async (c, next) => {
-        if (isDev && devAutoLogin) {
-            if (!c.get(AUTH_USER_KEY))
-                c.set(AUTH_USER_KEY, DEV_USER);
-            await next();
-            return;
-        }
-        const session = await auth.api.getSession({ headers: c.req.raw.headers });
-        if (!session?.user) {
-            return c.json({ error: 'Authentication required' }, 401);
-        }
-        c.set(AUTH_USER_KEY, _resolveUser(session.user));
-        await next();
-        return;
-    };
-    const optionalAuth = async (c, next) => {
-        if (isDev && devAutoLogin) {
-            if (!c.get(AUTH_USER_KEY))
-                c.set(AUTH_USER_KEY, DEV_USER);
-            await next();
-            return;
-        }
-        const session = await auth.api.getSession({ headers: c.req.raw.headers });
-        if (session?.user) {
-            c.set(AUTH_USER_KEY, _resolveUser(session.user));
-        }
-        else {
-            c.set(AUTH_USER_KEY, null);
-        }
-        await next();
-    };
-    return { requireAuth, optionalAuth };
-}
-// ─────────────────────────────────────────────────────────────────────────────
 // createRemoteSessionVerifier
 // ─────────────────────────────────────────────────────────────────────────────
 /**
@@ -208,10 +89,10 @@ export function createAuthMiddleware(authOrVerifier, options = {}) {
  * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
  * and returns the resolved `SoulcraftSession` or `null` if the session is invalid.
  *
- * Pass the returned function directly to `createAuthMiddleware`:
+ * Pass the returned function to `createRequestAuthMiddleware`:
  * ```typescript
  * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
- * const { requireAuth } = createAuthMiddleware(verifySession)
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
  * ```
  *
  * @param options - IdP URL, cache TTL, and max cache size.
@@ -224,8 +105,8 @@ export function createAuthMiddleware(authOrVerifier, options = {}) {
  *   cacheTtlMs: 30_000,
  * })
  *
- * const session = await verifySession(c.req.header('cookie') ?? '')
- * if (!session) return c.json({ error: 'Unauthorized' }, 401)
+ * const session = await verifySession(request.headers.get('cookie') ?? '')
+ * if (!session) return new Response('Unauthorized', { status: 401 })
  * ```
  */
 export function createRemoteSessionVerifier(options) {
@@ -306,7 +187,7 @@ export function createRemoteSessionVerifier(options) {
  *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
  *   : createDevSessionVerifier({ role: 'owner' })
  *
- * const { requireAuth } = createAuthMiddleware(verifySession)
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
  * ```
  *
  * **Never use in production.** The verifier performs no validation whatsoever.
@@ -349,90 +230,12 @@ export function createDevSessionVerifier(options = {}) {
     };
 }
 // ─────────────────────────────────────────────────────────────────────────────
-// createDevLoginHandler
-// ─────────────────────────────────────────────────────────────────────────────
-/**
- * Creates a Hono request handler for a dev login endpoint.
- *
- * Mount at `/api/dev/login` to get a role-switching endpoint for local
- * development. Accepts `?role=<platformRole>` and optional `?email=` / `?name=`
- * query params. Issues a signed base64url session cookie that `createAuthMiddleware`
- * (when used with a `SessionVerifier` that reads dev cookies) can resolve.
- *
- * **Guards against production use:** the handler returns HTTP 404 when
- * `NODE_ENV === 'production'` — it is safe to leave mounted in all environments.
- *
- * @param options - Allowed roles, cookie name, and max-age.
- * @returns A Hono-compatible request handler `(c: Context) => Response`.
- *
- * @example
- * ```typescript
- * import { createDevLoginHandler } from '@soulcraft/sdk/server'
- *
- * // In your Hono server setup:
- * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
- *
- * // Usage: GET /api/dev/login?role=staff → sets cookie + redirects to /
- * ```
- */
-export function createDevLoginHandler(options = {}) {
-    const DEFAULT_ROLES = [
-        'creator', 'viewer', 'customer', 'staff', 'manager', 'owner', 'learner', 'instructor',
-    ];
-    const allowedRoles = options.allowedRoles ?? DEFAULT_ROLES;
-    const cookieName = options.cookieName ?? 'soulcraft_dev_session';
-    const maxAgeSeconds = options.maxAgeSeconds ?? 86_400;
-    return function devLoginHandler(c) {
-        if (process.env['NODE_ENV'] === 'production') {
-            return c.json({ error: 'Not found' }, 404);
-        }
-        const role = c.req.query('role');
-        if (!role || !allowedRoles.includes(role)) {
-            return c.json({
-                error: `Invalid role. Allowed: ${allowedRoles.join(', ')}`,
-                allowedRoles,
-            }, 400);
-        }
-        const email = c.req.query('email') ?? `dev-${role}@soulcraft.com`;
-        const name = c.req.query('name') ?? `Dev ${role.charAt(0).toUpperCase() + role.slice(1)}`;
-        const redirect = c.req.query('redirect') ?? '/';
-        const session = {
-            user: {
-                id: `dev-user-${role}`,
-                email,
-                name,
-                image: null,
-                platformRole: role,
-                emailHash: computeEmailHash(email),
-            },
-            sessionId: `dev-session-${Date.now()}`,
-            expiresAt: Date.now() + maxAgeSeconds * 1000,
-        };
-        const cookieValue = _encodeSessionCookie(session);
-        const cookieHeader = [
-            `${cookieName}=${cookieValue}`,
-            `Path=/`,
-            `HttpOnly`,
-            `SameSite=Lax`,
-            `Max-Age=${maxAgeSeconds}`,
-        ].join('; ');
-        const response = new Response(null, {
-            status: 302,
-            headers: {
-                Location: redirect,
-                'Set-Cookie': cookieHeader,
-            },
-        });
-        return response;
-    };
-}
-// ─────────────────────────────────────────────────────────────────────────────
 // createDevCookieVerifier
 // ─────────────────────────────────────────────────────────────────────────────
 /**
- * Creates a session verifier that reads the cookie issued by `createDevLoginHandler`.
+ * Creates a session verifier that reads the cookie issued by `createRequestDevLoginHandler`.
  *
- * Use this together with `createDevLoginHandler` when you want dev role-switching
+ * Use this together with `createRequestDevLoginHandler` when you want dev role-switching
  * (e.g. clicking "Login as Staff" in a dev UI) rather than a fixed synthetic user.
  *
  * The verifier decodes the base64url cookie value and returns the embedded session.
@@ -445,12 +248,12 @@ export function createDevLoginHandler(options = {}) {
  * const verifySession = createDevSessionVerifier({ role: 'owner' })
  *
  * // Option B: Role-switching dev login UI
- * app.get('/api/dev/login', createDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] }))
+ * const loginHandler = createRequestDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] })
  * const verifySession = createDevCookieVerifier()
  * ```
  *
- * @param cookieName - Must match the `cookieName` passed to `createDevLoginHandler`. Default: `'soulcraft_dev_session'`.
- * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ * @param cookieName - Must match the `cookieName` passed to `createRequestDevLoginHandler`. Default: `'soulcraft_dev_session'`.
+ * @returns A `SessionVerifier` compatible with `createRequestAuthMiddleware`.
  */
 export function createDevCookieVerifier(cookieName = 'soulcraft_dev_session') {
     return async function verifyDevCookie(cookieHeader) {
@@ -461,95 +264,10 @@ export function createDevCookieVerifier(cookieName = 'soulcraft_dev_session') {
     };
 }
 // ─────────────────────────────────────────────────────────────────────────────
-// createGuestSessionHandler
-// ─────────────────────────────────────────────────────────────────────────────
-/**
- * Creates a Hono request handler that issues a guest session cookie.
- *
- * Venue visitors can browse and initiate bookings without creating an account.
- * This handler mounts at e.g. `/api/guest/session` and issues a session cookie
- * with `platformRole: 'guest'` and a unique guest ID on each call (if no valid
- * guest session already exists).
- *
- * The guest session cookie can be verified using `createGuestCookieVerifier`,
- * which returns a `SessionVerifier` compatible with `createAuthMiddleware`.
- *
- * @param options - Cookie name, max-age, and optional `onGuestCreated` callback.
- * @returns A Hono-compatible request handler.
- *
- * @example
- * ```typescript
- * import { createGuestSessionHandler, createGuestCookieVerifier, createAuthMiddleware } from '@soulcraft/sdk/server'
- *
- * // Issue guest sessions
- * app.post('/api/guest/session', createGuestSessionHandler({
- *   onGuestCreated: async (guestId) => {
- *     await db.guests.insert({ id: guestId, createdAt: new Date() })
- *   },
- * }))
- *
- * // Verify guest sessions in optional auth (guests can browse)
- * const verifyGuest = createGuestCookieVerifier()
- * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
- *
- * // Compose: check real session first, fall back to guest
- * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
- *   await verifySession(cookie) ?? await verifyGuest(cookie)
- * )
- * ```
- */
-export function createGuestSessionHandler(options = {}) {
-    const cookieName = options.cookieName ?? 'soulcraft_guest_session';
-    const maxAgeSeconds = options.maxAgeSeconds ?? 3_600;
-    const onGuestCreated = options.onGuestCreated;
-    return async function guestSessionHandler(c) {
-        // Return existing guest session if still valid
-        const cookieHeader = c.req.header('cookie') ?? '';
-        const existingValue = _parseCookie(cookieHeader, cookieName);
-        if (existingValue) {
-            const existing = _decodeSessionCookie(existingValue);
-            if (existing)
-                return c.json({ guestId: existing.user.id, existing: true });
-        }
-        // Create a new guest session
-        const guestId = `guest-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
-        const email = `${guestId}@guest.soulcraft.com`;
-        const session = {
-            user: {
-                id: guestId,
-                email,
-                name: 'Guest',
-                image: null,
-                platformRole: 'guest',
-                emailHash: computeEmailHash(email),
-            },
-            sessionId: `guest-session-${Date.now()}`,
-            expiresAt: Date.now() + maxAgeSeconds * 1000,
-        };
-        if (onGuestCreated)
-            await onGuestCreated(guestId);
-        const cookieValue = _encodeSessionCookie(session);
-        const cookieHeader2 = [
-            `${cookieName}=${cookieValue}`,
-            `Path=/`,
-            `HttpOnly`,
-            `SameSite=Lax`,
-            `Max-Age=${maxAgeSeconds}`,
-        ].join('; ');
-        return new Response(JSON.stringify({ guestId, existing: false }), {
-            status: 200,
-            headers: {
-                'Content-Type': 'application/json',
-                'Set-Cookie': cookieHeader2,
-            },
-        });
-    };
-}
-// ─────────────────────────────────────────────────────────────────────────────
 // createGuestCookieVerifier
 // ─────────────────────────────────────────────────────────────────────────────
 /**
- * Creates a session verifier that reads the cookie issued by `createGuestSessionHandler`.
+ * Creates a session verifier that reads the cookie issued by `createRequestGuestSessionHandler`.
  *
  * Returns the guest `SoulcraftSession` or `null` if no valid guest cookie is present.
  * Compose with `createRemoteSessionVerifier` to allow both authenticated and guest access:
@@ -558,13 +276,13 @@ export function createGuestSessionHandler(options = {}) {
  * const verifyReal = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
  * const verifyGuest = createGuestCookieVerifier()
  *
- * const { optionalAuth } = createAuthMiddleware(async (cookie) =>
+ * const { optionalAuth } = createRequestAuthMiddleware(async (cookie) =>
  *   await verifyReal(cookie) ?? await verifyGuest(cookie)
  * )
  * ```
  *
- * @param cookieName - Must match the `cookieName` passed to `createGuestSessionHandler`. Default: `'soulcraft_guest_session'`.
- * @returns A `SessionVerifier` compatible with `createAuthMiddleware`.
+ * @param cookieName - Must match the `cookieName` passed to `createRequestGuestSessionHandler`. Default: `'soulcraft_guest_session'`.
+ * @returns A `SessionVerifier` compatible with `createRequestAuthMiddleware`.
  */
 export function createGuestCookieVerifier(cookieName = 'soulcraft_guest_session') {
     return async function verifyGuestCookie(cookieHeader) {

package/dist/modules/auth/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAI9C,gFAAgF;AAChF,QAAQ;AACR,gFAAgF;AAEhF,uEAAuE;AACvE,MAAM,CAAC,MAAM,aAAa,GAAG,MAAe,CAAA;AAqI5C,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF,0FAA0F;AAC1F,SAAS,YAAY,CAAC,GAA4B;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACxC,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC;QAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1B,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAE3B,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK;QACL,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/B,KAAK,EAAG,GAAG,CAAC,OAAO,CAA+B,IAAI,IAAI;QAC1D,YAAY,EAAG,GAAG,CAAC,cAAc,CAA0C,IAAI,SAAS;QACxF,SAAS;QACT,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5D,CAAA;AACH,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,YAAoB,EAAE,IAAY;IACtD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACtD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,wFAAwF;AACxF,SAAS,oBAAoB,CAAC,OAAyB;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACnE,CAAC;AAED,6FAA6F;AAC7F,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAqB,CAAA;QAC7F,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC9D,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC3C,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,UAAU,oBAAoB,CAClC,cAAgD,EAChD,UAAiC,EAAE;IAEnC,MAAM,UAAU,GAAG,OAAO,cAAc,KAAK,UAAU,CAAA;IAEvD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,cAAiC,CAAA;QAEhD,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACnE,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,IAAI,CAAC,OAAO;gBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;YACtE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;YAClC,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC,CAAA;QAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACrE,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,CAAA;YAC3C,MAAM,IAAI,EAAE,CAAA;QACd,CAAC,CAAA;QAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;IACtC,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAI,GAAG,cAAgC,CAAA;IAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAA;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAA;IAEtD,MAAM,QAAQ,GAAyB;QACrC,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,gBAAgB,CAAC,eAAe,CAAC;QAC5C,YAAY,EAAE,SAAS;QACvB,MAAM,EAAE,KAAK;KACd,CAAA;IAED,MAAM,WAAW,GAAkC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACnE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAChD,MAAM,IAAI,EAAE,CAAA;QACZ,OAAM;IACR,CAAC,CAAA;IAED,MAAM,YAAY,GAAmC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACrE,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAA;YACzD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACzE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAClD,CAAC;aAAM,CAAC;YACN,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAA;QAC5B,CAAC;QACD,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;IAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AACtC,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,wEAAwE;QACxE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAElD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;gBACxF,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpE;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAA;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,CAAA;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAA;IAEvC,MAAM,OAAO,GAAqB;QAChC,IAAI,EAAE;YACJ,EAAE,EAAE,cAAc;YAClB,KAAK;YACL,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;YAClC,MAAM,EAAE,KAAK;SACd;QACD,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACjD,CAAA;IAED,OAAO,KAAK,UAAU,gBAAgB;QACpC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,qBAAqB,CACnC,UAAkC,EAAE;IAEpC,MAAM,aAAa,GAA2C;QAC5D,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY;KACtF,CAAA;IACD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,aAAa,CAAA;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,uBAAuB,CAAA;IAChE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAA;IAErD,OAAO,SAAS,eAAe,CAAC,CAAU;QACxC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;YAC7C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,GAAG,CAAC,CAAA;QAC5C,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAqD,CAAA;QACpF,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,CAAC,IAAI,CACX;gBACE,KAAK,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC1D,YAAY;aACb,EACD,GAAG,CACJ,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,gBAAgB,CAAA;QACjE,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAA;QACzF,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,CAAA;QAE/C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,YAAY,IAAI,EAAE;gBACtB,KAAK;gBACL,IAAI;gBACJ,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE;YACtC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,YAAY,GAAG;YACnB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,IAAI,EAAE;YAClC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,YAAY;aAC3B;SACF,CAAC,CAAA;QACF,OAAO,QAAQ,CAAA;IACjB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAU,GAAG,uBAAuB;IAEpC,OAAO,KAAK,UAAU,eAAe,CAAC,YAAoB;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAsC,EAAE;IAExC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,yBAAyB,CAAA;IAClE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,KAAK,CAAA;IACpD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,CAAA;IAE7C,OAAO,KAAK,UAAU,mBAAmB,CAAC,CAAU;QAClD,+CAA+C;QAC/C,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QACjD,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QAC5D,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAA;YACpD,IAAI,QAAQ;gBAAE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5E,CAAC;QAED,6BAA6B;QAC7B,MAAM,OAAO,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAA;QAC5F,MAAM,KAAK,GAAG,GAAG,OAAO,sBAAsB,CAAA;QAE9C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO;gBACX,KAAK;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,OAAO;gBACrB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,EAAE;YACxC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,IAAI,cAAc;YAAE,MAAM,cAAc,CAAC,OAAO,CAAC,CAAA;QAEjD,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,aAAa,GAAG;YACpB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE;YAChE,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,aAAa;aAC5B;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAU,GAAG,yBAAyB;IAEtC,OAAO,KAAK,UAAU,iBAAiB,CAAC,YAAoB;QAC1D,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAoH9C,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF,0EAA0E;AAC1E,SAAS,YAAY,CAAC,YAAoB,EAAE,IAAY;IACtD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACtD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,6FAA6F;AAC7F,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAqB,CAAA;QAC7F,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC9D,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC3C,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,wEAAwE;QACxE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAElD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;gBACxF,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpE;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAA;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,CAAA;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAA;IAEvC,MAAM,OAAO,GAAqB;QAChC,IAAI,EAAE;YACJ,EAAE,EAAE,cAAc;YAClB,KAAK;YACL,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;YAClC,MAAM,EAAE,KAAK;SACd;QACD,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACjD,CAAA;IAED,OAAO,KAAK,UAAU,gBAAgB;QACpC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAU,GAAG,uBAAuB;IAEpC,OAAO,KAAK,UAAU,eAAe,CAAC,YAAoB;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAU,GAAG,yBAAyB;IAEtC,OAAO,KAAK,UAAU,iBAAiB,CAAC,YAAoB;QAC1D,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC"}

package/dist/modules/auth/products.d.ts

@@ -168,7 +168,7 @@ export type SoulcraftProduct = keyof typeof SOULCRAFT_PRODUCTS;
  *
  * Used by the auth server for:
  * - `betterAuth({ trustedOrigins: deriveOrigins() })` — callback URL validation
- * - `cors({ origin: deriveOrigins() })` — CORS preflight on the Hono layer
+ * - CORS origin allowlist for preflight validation
  *
  * @returns Deduplicated list of origin strings (scheme + host, no trailing slash).
  *

package/dist/modules/auth/products.js

@@ -114,7 +114,7 @@ export const SOULCRAFT_PRODUCTS = {
  *
  * Used by the auth server for:
  * - `betterAuth({ trustedOrigins: deriveOrigins() })` — callback URL validation
- * - `cors({ origin: deriveOrigins() })` — CORS preflight on the Hono layer
+ * - CORS origin allowlist for preflight validation
  *
  * @returns Deduplicated list of origin strings (scheme + host, no trailing slash).
  *

package/dist/modules/auth/request-backchannel.d.ts

@@ -0,0 +1,94 @@
+/**
+ * @module modules/auth/request-backchannel
+ * @description Framework-agnostic OIDC back-channel logout handler using Web Standard
+ * Request/Response.
+ *
+ * Implements the OpenID Connect Back-Channel Logout 1.0 specification. When a user
+ * signs out of the central IdP (`auth.soulcraft.com`), the IdP POSTs a signed
+ * `logout_token` (HS256 JWT) to every registered product's back-channel logout
+ * endpoint. This handler verifies the token and deletes all active sessions for
+ * the identified user, ensuring immediate logout across all products.
+ *
+ * ## Protocol
+ *
+ * 1. IdP POSTs `application/x-www-form-urlencoded` body with `logout_token` field
+ * 2. Handler verifies HS256 JWT signature using the OIDC client secret
+ * 3. Handler validates standard claims: `iss`, `aud`, `events` (must contain
+ *    `http://schemas.openid.net/event/backchannel-logout`)
+ * 4. Handler deletes all better-auth sessions for the `sub` (user ID) claim
+ * 5. Returns 200 on success, 400 for malformed tokens, 401 for bad signatures
+ *
+ * ## Mounting
+ *
+ * ```typescript
+ * import { createRequestBackchannelLogoutHandler } from '@soulcraft/sdk/server'
+ *
+ * const handleLogout = createRequestBackchannelLogoutHandler({
+ *   auth,
+ *   clientSecret: process.env.SOULCRAFT_OIDC_CLIENT_SECRET!,
+ *   idpUrl: process.env.SOULCRAFT_IDP_URL!,
+ *   clientId: process.env.SOULCRAFT_OIDC_CLIENT_ID!,
+ * })
+ *
+ * // SvelteKit: export const POST = ({ request }) => handleLogout(request)
+ * // Bun:       if (url.pathname === '/api/auth/backchannel-logout') return handleLogout(req)
+ * ```
+ */
+/** Minimal better-auth API surface needed for session deletion. */
+export interface BackchannelAuthLike {
+    api: {
+        revokeUserSessions(opts: {
+            body: {
+                userId: string;
+            };
+            headers?: Headers;
+        }): Promise<unknown>;
+    };
+}
+/**
+ * @description Configuration for `createRequestBackchannelLogoutHandler()`.
+ */
+export interface BackchannelLogoutConfig {
+    /** The product's better-auth instance (used to delete sessions). */
+    auth: BackchannelAuthLike;
+    /** This product's OIDC client secret — used to verify the logout_token signature. */
+    clientSecret: string;
+    /** The central IdP base URL — used to validate the `iss` claim. */
+    idpUrl: string;
+    /** This product's OIDC client ID — used to validate the `aud` claim. */
+    clientId: string;
+}
+/**
+ * @description Creates a framework-agnostic request handler for the OIDC back-channel
+ * logout endpoint.
+ *
+ * The handler:
+ * 1. Parses the `logout_token` from the form-encoded or JSON body
+ * 2. Verifies the HS256 JWT signature using the OIDC client secret
+ * 3. Validates `iss` (must match idpUrl), `aud` (must match clientId),
+ *    and `events` (must contain the back-channel logout event URI)
+ * 4. Calls `auth.api.revokeUserSessions({ body: { userId: sub } })` to
+ *    immediately invalidate all sessions for the identified user
+ * 5. Returns 200 on success, 400 for malformed/missing token, 401 for
+ *    invalid signature or failed claims validation
+ *
+ * @param config - Auth instance, client secret, IdP URL, and client ID.
+ * @returns An async request handler function `(req: Request) => Promise<Response>`.
+ *
+ * @example
+ * ```typescript
+ * import { createRequestBackchannelLogoutHandler } from '@soulcraft/sdk/server'
+ *
+ * const handleLogout = createRequestBackchannelLogoutHandler({
+ *   auth,
+ *   clientSecret: process.env.SOULCRAFT_OIDC_CLIENT_SECRET!,
+ *   idpUrl: process.env.SOULCRAFT_IDP_URL!,
+ *   clientId: process.env.SOULCRAFT_OIDC_CLIENT_ID!,
+ * })
+ *
+ * // SvelteKit +server.ts:
+ * export const POST = ({ request }) => handleLogout(request)
+ * ```
+ */
+export declare function createRequestBackchannelLogoutHandler(config: BackchannelLogoutConfig): (req: Request) => Promise<Response>;
+//# sourceMappingURL=request-backchannel.d.ts.map

package/dist/modules/auth/request-backchannel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-backchannel.d.ts","sourceRoot":"","sources":["../../../src/modules/auth/request-backchannel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAMH,mEAAmE;AACnE,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE;QACH,kBAAkB,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE;gBAAE,MAAM,EAAE,MAAM,CAAA;aAAE,CAAC;YAAC,OAAO,CAAC,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;KAC5F,CAAA;CACF;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,oEAAoE;IACpE,IAAI,EAAE,mBAAmB,CAAA;IACzB,qFAAqF;IACrF,YAAY,EAAE,MAAM,CAAA;IACpB,mEAAmE;IACnE,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAA;CACjB;AA0ED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,qCAAqC,CACnD,MAAM,EAAE,uBAAuB,GAC9B,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CA4FrC"}