npm - @sqrzro/server - Versions diffs - 2.0.0-bz.1 → 2.0.0-bz.11 - Mend

@sqrzro/server 2.0.0-bz.1 → 2.0.0-bz.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/auth.js ADDED Viewed

@@ -0,0 +1,891 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  checkMFAEnabled: () => checkMFAEnabled,
+  checkPasswordComplexity: () => checkPasswordComplexity,
+  checkRouteAllowed: () => checkRouteAllowed,
+  checkSessionExists: () => checkSessionExists,
+  checkUserHasMFA: () => checkUserHasMFA,
+  createUserSession: () => createUserSession,
+  generateID: () => generateID,
+  generateMFA: () => generateMFA,
+  getAllowedRoles: () => getAllowedRoles,
+  getClientByID: () => getClientByID,
+  getPasswordComplexity: () => getPasswordComplexity,
+  getScopeByID: () => getScopeByID,
+  getScopes: () => getScopes,
+  getSessionID: () => getSessionID,
+  getSessionUser: () => getSessionUser,
+  handleClientAuth: () => handleClientAuth,
+  handleLoginForm: () => handleLoginForm,
+  handleLogout: () => handleLogout,
+  handleMFAForm: () => handleMFAForm,
+  handlePasswordForm: () => handlePasswordForm,
+  handlePasswordResetForm: () => handlePasswordResetForm,
+  handleSession: () => handleSession,
+  hashPassword: () => hashPassword,
+  invalidateSession: () => invalidateSession,
+  invalidateUserSessions: () => invalidateUserSessions,
+  lucia: () => lucia,
+  registerClient: () => registerClient,
+  registerUser: () => registerUser,
+  setScopes: () => setScopes,
+  verifyPassword: () => verifyPassword
+});
+module.exports = __toCommonJS(auth_exports);
+// src/auth/AuthService.ts
+var import_drizzle_orm2 = require("drizzle-orm");
+// src/database/DatabaseService.ts
+var import_postgres_js = require("drizzle-orm/postgres-js");
+var import_postgres = __toESM(require("postgres"));
+function createSingleton() {
+  if (!process.env.DATABASE_URL) {
+    throw new Error("DATABASE_URL is not defined");
+  }
+  return (0, import_postgres_js.drizzle)((0, import_postgres.default)(process.env.DATABASE_URL, { prepare: false }));
+}
+var db = globalThis.db ?? createSingleton();
+if (!process.env.VERCEL_ENV) {
+  globalThis.db = db;
+}
+// src/database/schema.ts
+var import_pg_core = require("drizzle-orm/pg-core");
+var DEFAULT_ROLE = 10;
+var mfaType = (0, import_pg_core.pgEnum)("mfaType", ["TOTP", "HARDWARE"]);
+var scope = (0, import_pg_core.pgEnum)("scope", ["ANON", "MFA", "AUTHED"]);
+var authSchema = (0, import_pg_core.pgSchema)("auth");
+var authUserTable = authSchema.table("user_credentials", {
+  id: (0, import_pg_core.text)("id").primaryKey(),
+  email: (0, import_pg_core.text)("email").notNull().unique(),
+  password: (0, import_pg_core.text)("password"),
+  role: (0, import_pg_core.integer)("role").notNull().default(DEFAULT_ROLE)
+});
+var authSessionTable = authSchema.table("sessions", {
+  id: (0, import_pg_core.text)("id").primaryKey(),
+  userId: (0, import_pg_core.text)("userId").notNull().references(() => authUserTable.id),
+  scope: scope("scope").notNull().default("ANON"),
+  expiresAt: (0, import_pg_core.timestamp)("expiresAt").notNull()
+});
+var authResetTable = authSchema.table("resets", {
+  id: (0, import_pg_core.text)("id").primaryKey(),
+  userId: (0, import_pg_core.text)("userId").notNull().references(() => authUserTable.id),
+  expiresAt: (0, import_pg_core.timestamp)("expiresAt").notNull()
+});
+var authMFATable = authSchema.table("mfas", {
+  id: (0, import_pg_core.text)("id").primaryKey(),
+  name: (0, import_pg_core.text)("name").notNull(),
+  userId: (0, import_pg_core.text)("userId").notNull().references(() => authUserTable.id),
+  type: mfaType("type").notNull().default("TOTP"),
+  secret: (0, import_pg_core.text)("secret").notNull(),
+  verifiedAt: (0, import_pg_core.timestamp)("verifiedAt")
+});
+var authClientTable = authSchema.table("client_credentials", {
+  id: (0, import_pg_core.text)("id").primaryKey(),
+  alias: (0, import_pg_core.text)("alias").notNull().unique(),
+  secret: (0, import_pg_core.text)("secret").notNull().unique()
+});
+// src/forms/ValidationError.ts
+var ValidationError = class extends Error {
+  constructor(messages2) {
+    super(JSON.stringify(messages2));
+    this.name = "ValidationError";
+  }
+};
+var ValidationError_default = ValidationError;
+// src/forms/ValidationService.ts
+var import_joi = __toESM(require("joi"));
+// src/forms/lang.ts
+var messages = {
+  "alternatives.all": "",
+  "alternatives.any": "",
+  "alternatives.match": "",
+  "alternatives.one": "",
+  "alternatives.types": "",
+  "any.custom": "",
+  "any.default": "",
+  "any.failover": "",
+  "any.invalid": "",
+  "any.only": "",
+  "any.ref": "",
+  "any.required": "{{#label}} is required",
+  "any.unknown": "",
+  "array.base": "",
+  "array.excludes": "",
+  "array.includesRequiredBoth": "",
+  "array.includesRequiredKnowns": "",
+  "array.includesRequiredUnknowns": "",
+  "array.includes": "",
+  "array.length": "",
+  "array.max": "",
+  "array.min": "",
+  "array.orderedLength": "",
+  "array.sort": "",
+  "array.sort.mismatching": "",
+  "array.sort.unsupported": "",
+  "array.sparse": "",
+  "array.unique": "",
+  "array.hasKnown": "",
+  "array.hasUnknown": "",
+  "binary.base": "",
+  "binary.length": "",
+  "binary.max": "",
+  "binary.min": "",
+  "boolean.base": "",
+  "date.base": "",
+  "date.format": "",
+  "date.greater": "",
+  "date.less": "",
+  "date.max": "",
+  "date.min": "",
+  "date.strict": "",
+  "function.arity": "",
+  "function.class": "",
+  "function.maxArity": "",
+  "function.minArity": "",
+  "number.base": "{{#label}} should be a number",
+  "number.greater": "",
+  "number.infinity": "",
+  "number.integer": "",
+  "number.less": "",
+  "number.max": "",
+  "number.min": "{{#label}} should be greater than or equal to {{#limit}}",
+  "number.multiple": "",
+  "number.negative": "",
+  "number.port": "",
+  "number.positive": "",
+  "number.precision": "",
+  "number.unsafe": "",
+  "object.unknown": "",
+  "object.and": "",
+  "object.assert": "",
+  "object.base": "",
+  "object.length": "",
+  "object.max": "",
+  "object.min": "",
+  "object.missing": "",
+  "object.nand": "",
+  "object.pattern.match": "",
+  "object.refType": "",
+  "object.regex": "",
+  "object.rename.multiple": "",
+  "object.rename.override": "",
+  "object.schema": "",
+  "object.instance": "",
+  "object.with": "",
+  "object.without": "",
+  "object.xor": "",
+  "object.oxor": "",
+  "string.alphanum": "",
+  "string.base64": "",
+  "string.base": "",
+  "string.creditCard": "",
+  "string.dataUri": "",
+  "string.domain": "",
+  "string.email": "",
+  "string.empty": "{{#label}} is required",
+  "string.guid": "",
+  "string.hexAlign": "",
+  "string.hex": "",
+  "string.hostname": "",
+  "string.ipVersion": "",
+  "string.ip": "",
+  "string.isoDate": "",
+  "string.isoDuration": "",
+  "string.length": "",
+  "string.lowercase": "",
+  "string.max": "",
+  "string.min": "",
+  "string.normalize": "",
+  "string.pattern.base": "",
+  "string.pattern.name": "",
+  "string.pattern.invert.base": "",
+  "string.pattern.invert.name": "",
+  "string.token": "",
+  "string.trim": "",
+  "string.uppercase": "",
+  "string.uri": "",
+  "string.uriCustomScheme": "",
+  "string.uriRelativeOnly": "",
+  "symbol.base": "",
+  "symbol.map": ""
+};
+var lang_default = messages;
+// src/forms/ValidationService.ts
+function getErrorMessages() {
+  return Object.entries(lang_default).reduce((acc, [key, value]) => {
+    if (!value) {
+      return acc;
+    }
+    return {
+      ...acc,
+      [key]: value
+    };
+  }, {});
+}
+function transformErrors(error) {
+  const messages2 = error.details.reduce(
+    (acc, cur) => ({
+      ...acc,
+      [cur.path.join(".")]: cur.message.replace(/"/gu, "")
+    }),
+    {}
+  );
+  return new ValidationError_default(messages2);
+}
+async function validateSchema(formData, validation) {
+  try {
+    const validated = await validation.validateAsync(formData, {
+      abortEarly: false,
+      messages: getErrorMessages()
+    });
+    return [validated, null];
+  } catch (err) {
+    if (err instanceof import_joi.default.ValidationError) {
+      return [null, transformErrors(err)];
+    }
+    if (err instanceof Error) {
+      return [null, err];
+    }
+    return [null, new Error("Unknown validation error occured")];
+  }
+}
+function createSchema(schema) {
+  return import_joi.default.object(schema);
+}
+// src/forms/FormService.ts
+function serializeError(err) {
+  return {
+    cause: err.cause,
+    message: err.message,
+    name: err.name,
+    stack: err.stack
+  };
+}
+function hasFn(args) {
+  return Boolean(Object.prototype.hasOwnProperty.call(args, "fn"));
+}
+async function submitForm(args) {
+  let data = { ...args.formData };
+  if (args.request) {
+    const [validated, validationError] = await validateSchema(args.formData, args.request);
+    if (validationError !== null) {
+      if (validationError instanceof ValidationError_default) {
+        args.onValidationError?.(validationError);
+      }
+      return [null, serializeError(validationError)];
+    }
+    data = validated;
+  }
+  if (!hasFn(args)) {
+    try {
+      await args.onSuccess?.(data);
+    } catch (err) {
+      if (err instanceof Error) {
+        return [null, serializeError(err)];
+      }
+      return [
+        null,
+        serializeError(
+          new Error("The submitForm onSuccess function encountered an unknown error")
+        )
+      ];
+    }
+    return [data, null];
+  }
+  let model = null;
+  try {
+    model = await args.fn(data);
+  } catch (err) {
+    if (err instanceof ValidationError_default) {
+      args.onValidationError?.(err);
+      return [null, serializeError(err)];
+    }
+    if (err instanceof Error) {
+      return [null, serializeError(err)];
+    }
+    return [
+      null,
+      serializeError(
+        new Error("The function supplied to submitForm encountered an unknown error")
+      )
+    ];
+  }
+  if (!model) {
+    return [
+      null,
+      serializeError(
+        new Error("No model has been returned from the function supplied to submitForm")
+      )
+    ];
+  }
+  try {
+    await args.onSuccess?.(model);
+  } catch (err) {
+    if (err instanceof Error) {
+      return [null, serializeError(err)];
+    }
+    return [
+      null,
+      serializeError(
+        new Error("The submitForm onSuccess function encountered an unknown error")
+      )
+    ];
+  }
+  return [model, null];
+}
+// src/auth/MFAService.ts
+var import_drizzle_orm = require("drizzle-orm");
+var import_qrcode = __toESM(require("qrcode"));
+var import_otplib = require("otplib");
+// src/auth/MFARequest.ts
+var import_joi2 = __toESM(require("joi"));
+var MFARequest = createSchema({
+  token: import_joi2.default.string().pattern(/^[0-9]{6}$/u).required()
+});
+var MFARequest_default = MFARequest;
+// src/auth/SessionService.ts
+var import_adapter_drizzle = require("@lucia-auth/adapter-drizzle");
+var import_lucia = require("lucia");
+var import_headers2 = require("next/headers");
+var import_server = require("next/server");
+var import_path_to_regexp = require("path-to-regexp");
+// src/cache/CacheService.ts
+var import_redis = require("redis");
+async function getClient() {
+  const client = (0, import_redis.createClient)();
+  await client.connect();
+  return client;
+}
+async function getFromCache(key) {
+  const client = await getClient();
+  return client.get(key);
+}
+async function setToCache(key, value) {
+  const client = await getClient();
+  await client.set(key, value);
+}
+// src/url/URLService.ts
+var import_headers = require("next/headers");
+function getOrigin() {
+  const origin = (0, import_headers.headers)().get("x-origin");
+  if (origin) {
+    return origin;
+  }
+  const proto = (0, import_headers.headers)().get("x-forwarded-proto");
+  const host = (0, import_headers.headers)().get("x-forwarded-host");
+  if (proto && host) {
+    return `${proto}://${host}`;
+  }
+  throw new Error("No origin could be determined");
+}
+// src/auth/SessionService.ts
+var import_utility = require("@sqrzro/utility");
+var DEFAULT_REDIRECT = "/auth/login";
+var ID_LENGTH = 16;
+var DEFAULT_SCOPES = {
+  ANON: {
+    allowedRoute: "/auth/(login|password)",
+    redirectOnUnauth: DEFAULT_REDIRECT
+  },
+  MFA: {
+    allowedRoute: "/auth/mfa",
+    redirectOnUnauth: "/auth/mfa"
+  },
+  AUTHED: {
+    allowedRoute: "*",
+    redirectOnAuth: "/"
+  }
+};
+var adapter = new import_adapter_drizzle.DrizzlePostgreSQLAdapter(db, authSessionTable, authUserTable);
+var lucia = new import_lucia.Lucia(adapter, {
+  sessionCookie: {
+    attributes: {
+      secure: process.env.NODE_ENV === "production"
+    },
+    name: process.env.AUTH_COOKIE_NAME || "auth_session"
+  },
+  getSessionAttributes: (attributes) => ({
+    scope: attributes.scope
+  }),
+  getUserAttributes: (attributes) => ({
+    email: attributes.email,
+    role: attributes.role
+  })
+});
+function generateID(length = ID_LENGTH) {
+  return (0, import_lucia.generateId)(length);
+}
+async function invalidateSession(id) {
+  const cookie = lucia.createBlankSessionCookie();
+  (0, import_headers2.cookies)().set(cookie.name, cookie.value, cookie.attributes);
+  return lucia.invalidateSession(id);
+}
+async function invalidateUserSessions(id) {
+  return lucia.invalidateUserSessions(id);
+}
+async function createUserSession(id, scope2 = "ANON") {
+  const session = await lucia.createSession(id, { scope: scope2 });
+  const sessionCookie = lucia.createSessionCookie(session.id);
+  (0, import_headers2.cookies)().set(sessionCookie.name, sessionCookie.value, sessionCookie.attributes);
+  return true;
+}
+function getSessionID() {
+  return (0, import_headers2.cookies)().get(lucia.sessionCookieName)?.value ?? null;
+}
+function checkSessionExists() {
+  return Boolean(getSessionID());
+}
+async function getSessionUser() {
+  const sessionID = getSessionID();
+  if (!sessionID) {
+    return null;
+  }
+  const { user } = await lucia.validateSession(sessionID);
+  if (!user?.role || !getAllowedRoles().includes(user.role)) {
+    return null;
+  }
+  return (0, import_utility.getFromObject)(user, ["id", "email", "role"]);
+}
+function checkRouteAllowed(pathname, route) {
+  if (!route) {
+    return false;
+  }
+  if (route === "*") {
+    return true;
+  }
+  return (0, import_path_to_regexp.match)(route)(pathname) !== false;
+}
+async function getScopes() {
+  const scopes = await getFromCache(`${getOrigin()}:scopes`);
+  return scopes ? JSON.parse(scopes) : DEFAULT_SCOPES;
+}
+async function getScopeByID(id) {
+  const scopes = await getScopes();
+  return scopes[id];
+}
+async function setScopes(customScopes) {
+  const scopes = {
+    ANON: {
+      ...DEFAULT_SCOPES.ANON,
+      ...customScopes?.ANON
+    },
+    MFA: {
+      ...DEFAULT_SCOPES.MFA,
+      ...customScopes?.MFA
+    },
+    AUTHED: {
+      ...DEFAULT_SCOPES.AUTHED,
+      ...customScopes?.AUTHED
+    }
+  };
+  return setToCache(`${getOrigin()}:scopes`, JSON.stringify(scopes));
+}
+async function validateSessionFromID(sessionID, pathname) {
+  const scopes = await getScopes();
+  const { session, user } = await lucia.validateSession(sessionID);
+  const scope2 = scopes[session && getAllowedRoles().includes(user?.role) ? session.scope : "ANON"];
+  return checkRouteAllowed(pathname, scope2.allowedRoute) ? null : scope2.redirectOnUnauth || DEFAULT_REDIRECT;
+}
+async function handleSession(request, customScopes) {
+  const sessionID = request.nextUrl.searchParams.get("id") || "";
+  const pathname = request.nextUrl.searchParams.get("pathname") || "/";
+  await setScopes(customScopes);
+  return import_server.NextResponse.json({
+    redirect: await validateSessionFromID(sessionID, pathname)
+  });
+}
+// src/auth/MFAService.ts
+function checkMFAEnabled() {
+  return process.env.AUTH_MFA_ENABLED !== "false";
+}
+async function generateMFA(name, email) {
+  if (!checkMFAEnabled() || !email) {
+    return null;
+  }
+  const [user] = await db.select().from(authUserTable).where((0, import_drizzle_orm.eq)(authUserTable.email, email)).limit(1);
+  if (!user) {
+    return null;
+  }
+  const secret = import_otplib.authenticator.generateSecret();
+  const otpauth = import_otplib.authenticator.keyuri(email, name, secret);
+  await db.delete(authMFATable).where((0, import_drizzle_orm.and)((0, import_drizzle_orm.eq)(authMFATable.userId, user.id), (0, import_drizzle_orm.isNull)(authMFATable.verifiedAt)));
+  await db.insert(authMFATable).values({
+    id: generateID(),
+    name: "Default",
+    secret,
+    userId: user.id
+  });
+  return new Promise((resolve, reject) => {
+    import_qrcode.default.toDataURL(
+      otpauth,
+      { rendererOpts: { quality: 1 }, margin: 0, scale: 2 },
+      (err, data) => {
+        if (err) {
+          reject(err);
+        }
+        resolve(data);
+      }
+    );
+  });
+}
+async function checkUserHasMFA(user) {
+  if (!checkMFAEnabled()) {
+    return false;
+  }
+  const [mfa] = await db.select().from(authMFATable).where((0, import_drizzle_orm.and)((0, import_drizzle_orm.eq)(authMFATable.userId, user.id), (0, import_drizzle_orm.isNotNull)(authMFATable.verifiedAt))).limit(1);
+  return Boolean(mfa);
+}
+async function markAsVerified(userID) {
+  if (!checkMFAEnabled()) {
+    return;
+  }
+  await db.update(authMFATable).set({ verifiedAt: /* @__PURE__ */ new Date() }).where((0, import_drizzle_orm.eq)(authMFATable.userId, userID));
+}
+async function validateUserToken(userID, token) {
+  if (!checkMFAEnabled()) {
+    return false;
+  }
+  const [mfa] = await db.select().from(authMFATable).where((0, import_drizzle_orm.eq)(authMFATable.userId, userID)).limit(1);
+  if (!mfa) {
+    return false;
+  }
+  return import_otplib.authenticator.check(token, mfa.secret);
+}
+async function handleMFA(formData) {
+  if (!checkMFAEnabled()) {
+    return false;
+  }
+  const user = await getSessionUser();
+  if (!user) {
+    return false;
+  }
+  const isValid = await validateUserToken(user.id, formData.token);
+  if (!isValid) {
+    return false;
+  }
+  await markAsVerified(user.id);
+  return createUserSession(user.id, "AUTHED");
+}
+async function handleMFAForm(formData) {
+  if (!checkMFAEnabled()) {
+    return [null, new Error("MFA is not enabled")];
+  }
+  const response = await submitForm({
+    fn: handleMFA,
+    formData,
+    request: MFARequest_default
+  });
+  return response;
+}
+// src/auth/PasswordService.ts
+var import_bcryptjs = __toESM(require("bcryptjs"));
+var PW_SALT_ROUNDS = 12;
+var PASSWORD_RULES = {
+  min: 8,
+  upper: 1,
+  lower: 1,
+  number: 1,
+  symbol: 1
+};
+function checkPasswordMin(password, value) {
+  return password.length >= value;
+}
+function checkPasswordUpper(password, value) {
+  return password.replace(/[^A-Z]/gu, "").length >= value;
+}
+function checkPasswordLower(password, value) {
+  return password.replace(/[^a-z]/gu, "").length >= value;
+}
+function checkPasswordNumber(password, value) {
+  return password.replace(/[^0-9]/gu, "").length >= value;
+}
+function checkPasswordSymbol(password, value) {
+  return password.replace(/[^$]/gu, "").length >= value;
+}
+var PASSWORD_FUNCTIONS = {
+  min: checkPasswordMin,
+  upper: checkPasswordUpper,
+  lower: checkPasswordLower,
+  number: checkPasswordNumber,
+  symbol: checkPasswordSymbol
+};
+async function hashPassword(password) {
+  const hash = await import_bcryptjs.default.hash(password, PW_SALT_ROUNDS);
+  return hash;
+}
+async function verifyPassword(data, encrypted) {
+  if (!data || !encrypted) {
+    return false;
+  }
+  const verified = await import_bcryptjs.default.compare(data, encrypted);
+  return verified;
+}
+async function getPasswordComplexity(password, rules = PASSWORD_RULES) {
+  const entries = Object.entries(rules);
+  const validity = entries.reduce((acc, [rule, value]) => {
+    acc[rule] = PASSWORD_FUNCTIONS[rule](password, value);
+    return acc;
+  }, {});
+  return Promise.resolve(validity);
+}
+async function checkPasswordComplexity(password, rules = PASSWORD_RULES) {
+  const validity = await getPasswordComplexity(password, rules);
+  return Promise.resolve(Object.values(validity).every(Boolean));
+}
+// src/auth/LoginRequest.ts
+var import_joi3 = __toESM(require("joi"));
+var LoginRequest = createSchema({
+  email: import_joi3.default.string().email({ minDomainSegments: 2, tlds: false }).required(),
+  password: import_joi3.default.string().min(8).required()
+});
+var LoginRequest_default = LoginRequest;
+// src/auth/PasswordRequest.ts
+var import_joi4 = __toESM(require("joi"));
+var PasswordRequest = createSchema({
+  email: import_joi4.default.string().max(60).email({ minDomainSegments: 2, tlds: false }).required().messages({
+    "any.required": "Please provide your email address, so we can send you a reset link",
+    "string.empty": "Please provide your email address, so we can send you a reset link",
+    "string.email": "Please make sure your email address is valid",
+    "string.max": "Please make sure your email address is valid"
+  })
+});
+var PasswordRequest_default = PasswordRequest;
+// src/auth/PasswordResetRequest.ts
+var import_joi5 = __toESM(require("joi"));
+var PasswordResetRequest = createSchema({
+  token: import_joi5.default.string().pattern(/[a-z0-9]{40}/u).required(),
+  password: import_joi5.default.string().required().messages({
+    "any.required": "Please provide your new password",
+    "string.empty": "Please provide your new password"
+  })
+});
+var PasswordResetRequest_default = PasswordResetRequest;
+// src/auth/AuthService.ts
+var RESET_TOKEN_LENGTH = 40;
+var RESET_TOKEN_EXPIRY = 36e5;
+async function handleLogout() {
+  const id = getSessionID();
+  if (id) {
+    await invalidateSession(id);
+  }
+}
+function getAllowedRoles() {
+  const roles = process.env.AUTH_ALLOWED_ROLES;
+  if (!roles) {
+    throw new Error("AUTH_ALLOWED_ROLES is not defined. Authentication will not be possible.");
+  }
+  return roles.split(",").map((role) => Number(role)).filter((role) => !isNaN(role));
+}
+async function handleUserSession(userID) {
+  await createUserSession(userID, checkMFAEnabled() ? "MFA" : "AUTHED");
+  const scope2 = await getScopeByID("AUTHED");
+  return scope2?.redirectOnAuth || null;
+}
+async function getUserByEmail(email) {
+  const [user] = await db.select().from(authUserTable).where((0, import_drizzle_orm2.and)((0, import_drizzle_orm2.eq)(authUserTable.email, email), (0, import_drizzle_orm2.inArray)(authUserTable.role, getAllowedRoles()))).limit(1);
+  return user;
+}
+async function loginUser({ email, password }) {
+  const user = await getUserByEmail(email);
+  if (!user?.password || !await verifyPassword(password, user.password)) {
+    throw new ValidationError_default({ email: "", password: "" });
+  }
+  const session = await handleUserSession(user.id);
+  if (!session) {
+    throw new ValidationError_default({ email: "", password: "" });
+  }
+  return session;
+}
+async function handleLoginForm(formData) {
+  const response = await submitForm({
+    fn: loginUser,
+    formData,
+    request: LoginRequest_default
+  });
+  return response;
+}
+async function registerUser({
+  email,
+  password,
+  role
+}) {
+  const hash = password ? await hashPassword(password) : null;
+  const [user] = await db.insert(authUserTable).values({ id: generateID(), email, password: hash, role }).returning();
+  return user;
+}
+async function createPasswordResetToken(email) {
+  const user = await getUserByEmail(email);
+  if (!user) {
+    return null;
+  }
+  await db.delete(authResetTable).where((0, import_drizzle_orm2.eq)(authResetTable.userId, user.id));
+  const id = generateID(RESET_TOKEN_LENGTH);
+  await db.insert(authResetTable).values({
+    id,
+    userId: user.id,
+    expiresAt: new Date((/* @__PURE__ */ new Date()).getTime() + RESET_TOKEN_EXPIRY)
+  });
+  return id;
+}
+async function handlePasswordForm(formData, mailFn) {
+  async function mutateFn(data) {
+    const token = await createPasswordResetToken(data.email);
+    if (!token) {
+      return true;
+    }
+    return mailFn(data.email, token);
+  }
+  const response = await submitForm({
+    fn: mutateFn,
+    formData,
+    request: PasswordRequest_default
+  });
+  return response;
+}
+async function validatePasswordResetToken(password, token) {
+  const [result] = await db.select().from(authResetTable).where((0, import_drizzle_orm2.eq)(authResetTable.id, token)).limit(1);
+  if (!result) {
+    return null;
+  }
+  await db.delete(authResetTable).where((0, import_drizzle_orm2.eq)(authResetTable.id, token));
+  if (!result || result.expiresAt < /* @__PURE__ */ new Date()) {
+    return null;
+  }
+  await invalidateUserSessions(result.userId);
+  await db.update(authUserTable).set({ password: await hashPassword(password) }).where(
+    (0, import_drizzle_orm2.and)((0, import_drizzle_orm2.eq)(authUserTable.id, result.userId), (0, import_drizzle_orm2.inArray)(authUserTable.role, getAllowedRoles()))
+  );
+  return result.userId;
+}
+async function handlePasswordResetForm(formData) {
+  async function mutateFn(data) {
+    const userID = await validatePasswordResetToken(data.password, data.token);
+    if (!userID) {
+      return null;
+    }
+    return handleUserSession(userID);
+  }
+  const response = await submitForm({
+    fn: mutateFn,
+    formData,
+    request: PasswordResetRequest_default
+  });
+  return response;
+}
+// src/auth/ClientService.ts
+var import_drizzle_orm3 = require("drizzle-orm");
+var ID_LENGTH2 = 16;
+var SECRET_LENGTH = 64;
+async function getClientByID(id) {
+  const [client] = await db.select().from(authClientTable).where((0, import_drizzle_orm3.eq)(authClientTable.id, id)).limit(1);
+  return client;
+}
+async function registerClient({
+  alias,
+  id,
+  secret
+}) {
+  const [client] = await db.insert(authClientTable).values({
+    alias,
+    id: id || generateID(ID_LENGTH2),
+    secret: await hashPassword(secret || generateID(SECRET_LENGTH))
+  }).returning();
+  return client;
+}
+async function handleClientAuth(request) {
+  const { headers: headers2 } = request;
+  const header = headers2.get("authorization");
+  if (!header) {
+    return null;
+  }
+  const auth = Buffer.from(header.replace("Basic ", ""), "base64").toString("utf-8").replace(/:$/u, "");
+  const [id, ...secret] = auth.split("-");
+  const [client] = await db.select().from(authClientTable).where((0, import_drizzle_orm3.eq)(authClientTable.id, id)).limit(1);
+  if (!client) {
+    return null;
+  }
+  const isVerified = await verifyPassword(secret.join(""), client.secret);
+  return isVerified ? client : null;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkMFAEnabled,
+  checkPasswordComplexity,
+  checkRouteAllowed,
+  checkSessionExists,
+  checkUserHasMFA,
+  createUserSession,
+  generateID,
+  generateMFA,
+  getAllowedRoles,
+  getClientByID,
+  getPasswordComplexity,
+  getScopeByID,
+  getScopes,
+  getSessionID,
+  getSessionUser,
+  handleClientAuth,
+  handleLoginForm,
+  handleLogout,
+  handleMFAForm,
+  handlePasswordForm,
+  handlePasswordResetForm,
+  handleSession,
+  hashPassword,
+  invalidateSession,
+  invalidateUserSessions,
+  lucia,
+  registerClient,
+  registerUser,
+  setScopes,
+  verifyPassword
+});