@stratal/framework 0.0.0-canary-d717e8a → 0.0.0-canary-3489cfd
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/access-control/index.d.mts +2 -2
- package/dist/access-control/index.mjs +2 -2
- package/dist/access-control/index.mjs.map +1 -1
- package/dist/{access.service-BjYVtUJw.mjs → access.service-Cb99esfz.mjs} +7 -4
- package/dist/{access.service-BjYVtUJw.mjs.map → access.service-Cb99esfz.mjs.map} +1 -1
- package/dist/auth/index.d.mts +9 -2
- package/dist/auth/index.d.mts.map +1 -1
- package/dist/auth/index.mjs +125 -20
- package/dist/auth/index.mjs.map +1 -1
- package/dist/auth-context-DXSTlnQH.d.mts +85 -0
- package/dist/auth-context-DXSTlnQH.d.mts.map +1 -0
- package/dist/auth-context-HLwuOl51.mjs +85 -0
- package/dist/auth-context-HLwuOl51.mjs.map +1 -0
- package/dist/context/index.d.mts +2 -2
- package/dist/context/index.mjs +1 -1
- package/dist/database/index.d.mts +1 -1
- package/dist/database/index.mjs +8 -5
- package/dist/database/index.mjs.map +1 -1
- package/dist/{decorate-CdfCRvAc.mjs → decorate-DViXs-0l.mjs} +1 -1
- package/dist/{decorateMetadata-CqtSx3_1.mjs → decorateMetadata-D5WUsc6Y.mjs} +1 -1
- package/dist/{decorateParam-Dc5DGEpb.mjs → decorateParam-C_dJ_dIO.mjs} +2 -2
- package/dist/{decorateParam-Dc5DGEpb.mjs.map → decorateParam-C_dJ_dIO.mjs.map} +1 -1
- package/dist/errors-B1vVXc1T.mjs.map +1 -1
- package/dist/factory/index.d.mts +1 -1
- package/dist/factory/index.mjs +1 -0
- package/dist/factory/index.mjs.map +1 -1
- package/dist/guards/index.mjs +6 -3
- package/dist/guards/index.mjs.map +1 -1
- package/dist/{index-CpFBG0Ws.d.mts → index-CCDPF-1Y.d.mts} +8 -2
- package/dist/index-CCDPF-1Y.d.mts.map +1 -0
- package/dist/insufficient-permissions.error-CRnOHYvq.mjs.map +1 -1
- package/package.json +13 -13
- package/dist/auth-context-BXSkiJ56.d.mts +0 -51
- package/dist/auth-context-BXSkiJ56.d.mts.map +0 -1
- package/dist/auth-context-BberoPal.mjs +0 -76
- package/dist/auth-context-BberoPal.mjs.map +0 -1
- package/dist/index-CpFBG0Ws.d.mts.map +0 -1
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { n as RolePermissions, t as AccessControlOptions } from "../types-BLyu9dAd.mjs";
|
|
2
|
-
import { M as DatabaseService } from "../index-
|
|
3
|
-
import { t as AuthContext } from "../auth-context-
|
|
2
|
+
import { M as DatabaseService } from "../index-CCDPF-1Y.mjs";
|
|
3
|
+
import { t as AuthContext } from "../auth-context-DXSTlnQH.mjs";
|
|
4
4
|
import { ApplicationError } from "stratal/errors";
|
|
5
5
|
import { BetterAuthPlugin } from "better-auth";
|
|
6
6
|
import { AccessControl, Role, Statements } from "better-auth/plugins/access";
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { n as createStratalAcPlugin, t as AccessService } from "../access.service-
|
|
2
|
-
import { n as AC_TOKENS } from "../decorateParam-
|
|
1
|
+
import { n as createStratalAcPlugin, t as AccessService } from "../access.service-Cb99esfz.mjs";
|
|
2
|
+
import { n as AC_TOKENS } from "../decorateParam-C_dJ_dIO.mjs";
|
|
3
3
|
import { t as InsufficientPermissionsError } from "../insufficient-permissions.error-CRnOHYvq.mjs";
|
|
4
4
|
import { createAccessControl as createAccessControl$1 } from "better-auth/plugins/access";
|
|
5
5
|
//#region src/access-control/create-access-control.ts
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.mjs","names":["baCreateAC"],"sources":["../../src/access-control/create-access-control.ts","../../src/access-control/extend-role.ts"],"sourcesContent":["import type { Role, Statements } from 'better-auth/plugins/access'\nimport { createAccessControl as baCreateAC } from 'better-auth/plugins/access'\nimport type { AccessControlOptions, RolePermissions } from './types'\n\n/**\n * Define access control resources and roles in one place.\n *\n * Returns `{ ac, roles }` — spread this directly into `accessControl`,\n * `admin({ ...permissions })`, or `organization({ ...permissions })`.\n *\n * @example\n * ```typescript\n * export const permissions = createAccessControl({\n * resources: {\n * posts: ['create', 'read', 'update', 'delete'],\n * admin: ['access'],\n * } as const,\n * roles: {\n * admin: { posts: ['create', 'read', 'update', 'delete'], admin: ['access'] },\n * user: { posts: ['create', 'read'] },\n * },\n * })\n *\n * // In AuthModule:\n * accessControl: permissions\n *\n * // With Better Auth admin plugin (same object):\n * plugins: [admin({ ...permissions })]\n * ```\n */\nexport function createAccessControl<\n TResources extends Statements,\n TRoles extends Record<string, RolePermissions<TResources>>,\n>(config: {\n resources: TResources\n roles: TRoles\n}): AccessControlOptions<TResources, TRoles> {\n const ac = baCreateAC(config.resources)\n const roles = Object.fromEntries(\n Object.entries(config.roles).map(([name, perms]) => [name, ac.newRole(perms as unknown as Statements)])\n ) as { [K in keyof TRoles]: Role<TResources> }\n return { ac, roles }\n}\n","import type { AccessControl, Role, Statements } from 'better-auth/plugins/access'\n\n/**\n * Merges two Statements types, unioning the action arrays for overlapping resource keys.\n *\n * @example\n * ```typescript\n * type A = { posts: readonly ['create', 'read'] }\n * type B = { posts: readonly ['update']; admin: readonly ['access'] }\n * type M = MergeStatements<A, B>\n * // → { posts: readonly ('create' | 'read' | 'update')[]; admin: readonly ['access'] }\n * ```\n */\ntype MergeStatements<\n A extends Statements,\n B extends Partial<Record<string, readonly string[]>>\n> = {\n [K in keyof A | keyof B]: K extends keyof A\n ? K extends keyof B\n ? readonly (A[K][number] | NonNullable<B[K]>[number])[]\n : A[K]\n : K extends keyof B\n ? NonNullable<B[K]>\n : never\n} & {}\n\n/**\n * Extend an existing role with additional permissions.\n *\n * Duplicate resource keys are merged (actions are unioned), not overwritten.\n * Better Auth has no built-in role inheritance — use this to compose roles.\n *\n * @example\n * ```typescript\n * const adminRole = ac.newRole({ posts: ['create', 'read', 'update', 'delete'] })\n * const superAdminRole = extendRole(ac, adminRole, { users: ['ban', 'delete'] })\n * // superAdminRole has both posts and users permissions\n *\n * // Duplicate keys are merged, not overwritten:\n * const editorRole = extendRole(ac, userRole, { posts: ['update'] })\n * // if userRole had posts: ['create', 'read'], editorRole has posts: ['create', 'read', 'update']\n * ```\n */\nexport function extendRole<\n TParent extends Statements,\n TExtra extends Partial<Record<string, readonly string[]>>\n>(\n ac: AccessControl<TParent>,\n parent: Role<TParent>,\n extra: TExtra\n): Role<MergeStatements<TParent, TExtra>> {\n const merged: Record<string, string[]> = {}\n\n for (const [key, actions] of Object.entries(parent.statements)) {\n merged[key] = [...(actions as string[])]\n }\n\n for (const [key, actions] of Object.entries(extra)) {\n if (!actions) continue\n if (key in merged) {\n merged[key] = [...new Set([...merged[key], ...actions])]\n } else {\n merged[key] = [...actions]\n }\n }\n\n return ac.newRole(merged) as Role<MergeStatements<TParent, TExtra>>\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,oBAGd,QAG2C;CAC3C,MAAM,KAAKA,sBAAW,OAAO,UAAU;
|
|
1
|
+
{"version":3,"file":"index.mjs","names":["baCreateAC"],"sources":["../../src/access-control/create-access-control.ts","../../src/access-control/extend-role.ts"],"sourcesContent":["import type { Role, Statements } from 'better-auth/plugins/access'\nimport { createAccessControl as baCreateAC } from 'better-auth/plugins/access'\nimport type { AccessControlOptions, RolePermissions } from './types'\n\n/**\n * Define access control resources and roles in one place.\n *\n * Returns `{ ac, roles }` — spread this directly into `accessControl`,\n * `admin({ ...permissions })`, or `organization({ ...permissions })`.\n *\n * @example\n * ```typescript\n * export const permissions = createAccessControl({\n * resources: {\n * posts: ['create', 'read', 'update', 'delete'],\n * admin: ['access'],\n * } as const,\n * roles: {\n * admin: { posts: ['create', 'read', 'update', 'delete'], admin: ['access'] },\n * user: { posts: ['create', 'read'] },\n * },\n * })\n *\n * // In AuthModule:\n * accessControl: permissions\n *\n * // With Better Auth admin plugin (same object):\n * plugins: [admin({ ...permissions })]\n * ```\n */\nexport function createAccessControl<\n TResources extends Statements,\n TRoles extends Record<string, RolePermissions<TResources>>,\n>(config: {\n resources: TResources\n roles: TRoles\n}): AccessControlOptions<TResources, TRoles> {\n const ac = baCreateAC(config.resources)\n const roles = Object.fromEntries(\n Object.entries(config.roles).map(([name, perms]) => [name, ac.newRole(perms as unknown as Statements)])\n ) as { [K in keyof TRoles]: Role<TResources> }\n return { ac, roles }\n}\n","import type { AccessControl, Role, Statements } from 'better-auth/plugins/access'\n\n/**\n * Merges two Statements types, unioning the action arrays for overlapping resource keys.\n *\n * @example\n * ```typescript\n * type A = { posts: readonly ['create', 'read'] }\n * type B = { posts: readonly ['update']; admin: readonly ['access'] }\n * type M = MergeStatements<A, B>\n * // → { posts: readonly ('create' | 'read' | 'update')[]; admin: readonly ['access'] }\n * ```\n */\ntype MergeStatements<\n A extends Statements,\n B extends Partial<Record<string, readonly string[]>>\n> = {\n [K in keyof A | keyof B]: K extends keyof A\n ? K extends keyof B\n ? readonly (A[K][number] | NonNullable<B[K]>[number])[]\n : A[K]\n : K extends keyof B\n ? NonNullable<B[K]>\n : never\n} & {}\n\n/**\n * Extend an existing role with additional permissions.\n *\n * Duplicate resource keys are merged (actions are unioned), not overwritten.\n * Better Auth has no built-in role inheritance — use this to compose roles.\n *\n * @example\n * ```typescript\n * const adminRole = ac.newRole({ posts: ['create', 'read', 'update', 'delete'] })\n * const superAdminRole = extendRole(ac, adminRole, { users: ['ban', 'delete'] })\n * // superAdminRole has both posts and users permissions\n *\n * // Duplicate keys are merged, not overwritten:\n * const editorRole = extendRole(ac, userRole, { posts: ['update'] })\n * // if userRole had posts: ['create', 'read'], editorRole has posts: ['create', 'read', 'update']\n * ```\n */\nexport function extendRole<\n TParent extends Statements,\n TExtra extends Partial<Record<string, readonly string[]>>\n>(\n ac: AccessControl<TParent>,\n parent: Role<TParent>,\n extra: TExtra\n): Role<MergeStatements<TParent, TExtra>> {\n const merged: Record<string, string[]> = {}\n\n for (const [key, actions] of Object.entries(parent.statements)) {\n merged[key] = [...(actions as string[])]\n }\n\n for (const [key, actions] of Object.entries(extra)) {\n if (!actions) continue\n if (key in merged) {\n merged[key] = [...new Set([...merged[key], ...actions])]\n } else {\n merged[key] = [...actions]\n }\n }\n\n return ac.newRole(merged) as Role<MergeStatements<TParent, TExtra>>\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,oBAGd,QAG2C;CAC3C,MAAM,KAAKA,sBAAW,OAAO,UAAU;CAIvC,OAAO;EAAE;EAAI,OAHC,OAAO,YACnB,OAAO,QAAQ,OAAO,MAAM,CAAC,KAAK,CAAC,MAAM,WAAW,CAAC,MAAM,GAAG,QAAQ,MAA+B,CAAC,CAAC,CAEvF;EAAE;;;;;;;;;;;;;;;;;;;;;ACEtB,SAAgB,WAId,IACA,QACA,OACwC;CACxC,MAAM,SAAmC,EAAE;CAE3C,KAAK,MAAM,CAAC,KAAK,YAAY,OAAO,QAAQ,OAAO,WAAW,EAC5D,OAAO,OAAO,CAAC,GAAI,QAAqB;CAG1C,KAAK,MAAM,CAAC,KAAK,YAAY,OAAO,QAAQ,MAAM,EAAE;EAClD,IAAI,CAAC,SAAS;EACd,IAAI,OAAO,QACT,OAAO,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,OAAO,MAAM,GAAG,QAAQ,CAAC,CAAC;OAExD,OAAO,OAAO,CAAC,GAAG,QAAQ;;CAI9B,OAAO,GAAG,QAAQ,OAAO"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { n as AC_TOKENS, t as __decorateParam } from "./decorateParam-
|
|
2
|
-
import { t as __decorateMetadata } from "./decorateMetadata-
|
|
3
|
-
import { t as __decorate } from "./decorate-
|
|
1
|
+
import { n as AC_TOKENS, t as __decorateParam } from "./decorateParam-C_dJ_dIO.mjs";
|
|
2
|
+
import { t as __decorateMetadata } from "./decorateMetadata-D5WUsc6Y.mjs";
|
|
3
|
+
import { t as __decorate } from "./decorate-DViXs-0l.mjs";
|
|
4
4
|
import { DI_TOKENS, Transient, inject } from "stratal/di";
|
|
5
5
|
//#region src/access-control/plugin.ts
|
|
6
6
|
/**
|
|
@@ -30,6 +30,9 @@ function parseRoles(role) {
|
|
|
30
30
|
return role.split(",").map((r) => r.trim()).filter(Boolean);
|
|
31
31
|
}
|
|
32
32
|
let AccessService = class AccessService {
|
|
33
|
+
authContext;
|
|
34
|
+
db;
|
|
35
|
+
options;
|
|
33
36
|
constructor(authContext, db, options) {
|
|
34
37
|
this.authContext = authContext;
|
|
35
38
|
this.db = db;
|
|
@@ -142,4 +145,4 @@ AccessService = __decorate([
|
|
|
142
145
|
//#endregion
|
|
143
146
|
export { createStratalAcPlugin as n, AccessService as t };
|
|
144
147
|
|
|
145
|
-
//# sourceMappingURL=access.service-
|
|
148
|
+
//# sourceMappingURL=access.service-Cb99esfz.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access.service-
|
|
1
|
+
{"version":3,"file":"access.service-Cb99esfz.mjs","names":[],"sources":["../src/access-control/plugin.ts","../src/access-control/services/access.service.ts"],"sourcesContent":["import type { BetterAuthPlugin } from 'better-auth'\nimport type { AccessControlOptions } from './types'\n\n/**\n * Creates the Stratal access control Better Auth plugin.\n *\n * Ensures the `user.role` schema field exists.\n * No endpoints are added — all permission logic lives in AccessService.\n *\n * Auto-added to Better Auth options when `accessControl` is provided to\n * `AuthModule.forRootAsync()`. Users never call this directly.\n */\nexport function createStratalAcPlugin(_options: AccessControlOptions): BetterAuthPlugin {\n return {\n id: 'stratal-ac',\n schema: {\n user: {\n fields: {\n role: {\n type: 'string',\n required: false,\n input: false,\n defaultValue: 'user',\n },\n },\n },\n },\n }\n}\n","import type { DatabaseService } from '@stratal/framework/database'\nimport { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport type { AuthContext } from '../../context/auth-context'\nimport { AC_TOKENS } from '../tokens'\nimport type { AccessControlOptions } from '../types'\n\nfunction parseRoles(role: string | null | undefined): string[] {\n if (!role) return []\n return role.split(',').map(r => r.trim()).filter(Boolean)\n}\n\n/**\n * AccessService\n *\n * Request-scoped service for role and permission management.\n *\n * Roles for the current user are read from AuthContext (populated by\n * SessionVerificationMiddleware — no DB hit). Other users are resolved\n * from the database.\n *\n * Permission checks use Better Auth's `role.authorize()` locally with\n * OR logic — access is granted if any of the user's roles allows it.\n *\n * @example\n * ```typescript\n * // Check current user\n * await accessService.currentUserHasPermission({ posts: ['update'] })\n *\n * // Check arbitrary user (e.g. from an admin action)\n * await accessService.hasPermission(userId, { admin: ['access'] })\n *\n * // Assign a role\n * await accessService.setUserRole(userId, 'admin')\n *\n * // Assign multiple roles\n * await accessService.setUserRole(userId, ['editor', 'reviewer'])\n * ```\n */\n@Transient(AC_TOKENS.AccessService)\nexport class AccessService {\n constructor(\n @inject(DI_TOKENS.AuthContext)\n private readonly authContext: AuthContext,\n @inject(DI_TOKENS.Database)\n private readonly db: DatabaseService,\n @inject(AC_TOKENS.Options)\n private readonly options: AccessControlOptions\n ) { }\n\n /**\n * Get all roles for a user.\n *\n * Uses AuthContext for the current user (no DB hit).\n * Falls back to DB for other users.\n */\n async getUserRoles(userId: string): Promise<string[]> {\n if (userId === this.authContext.getUserId()) {\n const roles = this.authContext.getRoles()\n if (roles.length > 0) return roles\n }\n const user = await (this.db).user.findUnique({\n where: { id: userId },\n select: { role: true },\n })\n return parseRoles(user?.role)\n }\n\n /**\n * Assign one or more roles to a user.\n *\n * Multiple roles are stored as a comma-separated string in `user.role`.\n */\n async setUserRole(userId: string, role: string | string[]): Promise<void> {\n const roleStr = Array.isArray(role) ? role.join(',') : role\n await this.db.user.update({\n where: { id: userId },\n data: { role: roleStr },\n })\n }\n\n /**\n * Check if a user has the required permissions.\n *\n * Returns true if any of the user's roles grants all of the requested permissions.\n */\n async hasPermission(userId: string, permissions: Record<string, string[]>): Promise<boolean> {\n const roles = await this.getUserRoles(userId)\n return this.checkPermissions(roles, permissions)\n }\n\n /**\n * Get the merged permission set for a user across all their roles.\n * Useful for sending to the frontend.\n */\n async getPermissionsForUser(userId: string): Promise<Record<string, string[]>> {\n const roles = await this.getUserRoles(userId)\n return this.mergePermissions(roles)\n }\n\n /**\n * Get all roles for the currently authenticated user.\n * Reads from AuthContext — no DB hit.\n */\n getCurrentUserRoles(): string[] {\n return this.authContext.getRoles()\n }\n\n /**\n * Check if the currently authenticated user has the required permissions.\n * Reads roles from AuthContext — no DB hit.\n */\n currentUserHasPermission(permissions: Record<string, string[]>): boolean {\n const roles = this.authContext.getRoles()\n if (roles.length === 0) return false\n return this.checkPermissions(roles, permissions)\n }\n\n /**\n * Get merged permissions for the currently authenticated user.\n * Reads roles from AuthContext — no DB hit.\n */\n getCurrentUserPermissions(): Record<string, string[]> {\n const roles = this.authContext.getRoles()\n return this.mergePermissions(roles)\n }\n\n private checkPermissions(roles: string[], permissions: Record<string, string[]>): boolean {\n return roles.some(roleName => {\n const roleObj = this.options.roles[roleName]\n if (!roleObj) return false\n\n const specific: Record<string, string[]> = {}\n\n for (const [resource, actions] of Object.entries(permissions)) {\n if (actions.includes('*')) {\n // Wildcard: role must have at least one action defined for this resource\n const roleActions = (roleObj.statements as Record<string, readonly string[]>)[resource]\n if (!roleActions?.length) return false\n } else {\n specific[resource] = actions\n }\n }\n\n return Object.keys(specific).length === 0 || roleObj.authorize(specific).success\n })\n }\n\n private mergePermissions(roles: string[]): Record<string, string[]> {\n const result: Record<string, string[]> = {}\n for (const roleName of roles) {\n const roleObj = this.options.roles[roleName]\n if (!roleObj) continue\n for (const [resource, actions] of Object.entries(roleObj.statements)) {\n result[resource] ??= []\n for (const action of actions as string[]) {\n if (!result[resource].includes(action)) {\n result[resource].push(action)\n }\n }\n }\n }\n return result\n }\n}\n"],"mappings":";;;;;;;;;;;;;;AAYA,SAAgB,sBAAsB,UAAkD;CACtF,OAAO;EACL,IAAI;EACJ,QAAQ,EACN,MAAM,EACJ,QAAQ,EACN,MAAM;GACJ,MAAM;GACN,UAAU;GACV,OAAO;GACP,cAAc;GACf,EACF,EACF,EACF;EACF;;;;ACrBH,SAAS,WAAW,MAA2C;CAC7D,IAAI,CAAC,MAAM,OAAO,EAAE;CACpB,OAAO,KAAK,MAAM,IAAI,CAAC,KAAI,MAAK,EAAE,MAAM,CAAC,CAAC,OAAO,QAAQ;;AA+BpD,IAAA,gBAAA,MAAM,cAAc;CAGN;CAEA;CAEA;CANnB,YACE,aAEA,IAEA,SAEA;EALiB,KAAA,cAAA;EAEA,KAAA,KAAA;EAEA,KAAA,UAAA;;;;;;;;CASnB,MAAM,aAAa,QAAmC;EACpD,IAAI,WAAW,KAAK,YAAY,WAAW,EAAE;GAC3C,MAAM,QAAQ,KAAK,YAAY,UAAU;GACzC,IAAI,MAAM,SAAS,GAAG,OAAO;;EAM/B,OAAO,YAAW,MAJE,KAAK,GAAI,KAAK,WAAW;GAC3C,OAAO,EAAE,IAAI,QAAQ;GACrB,QAAQ,EAAE,MAAM,MAAM;GACvB,CAAC,GACsB,KAAK;;;;;;;CAQ/B,MAAM,YAAY,QAAgB,MAAwC;EACxE,MAAM,UAAU,MAAM,QAAQ,KAAK,GAAG,KAAK,KAAK,IAAI,GAAG;EACvD,MAAM,KAAK,GAAG,KAAK,OAAO;GACxB,OAAO,EAAE,IAAI,QAAQ;GACrB,MAAM,EAAE,MAAM,SAAS;GACxB,CAAC;;;;;;;CAQJ,MAAM,cAAc,QAAgB,aAAyD;EAC3F,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;EAC7C,OAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,MAAM,sBAAsB,QAAmD;EAC7E,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;EAC7C,OAAO,KAAK,iBAAiB,MAAM;;;;;;CAOrC,sBAAgC;EAC9B,OAAO,KAAK,YAAY,UAAU;;;;;;CAOpC,yBAAyB,aAAgD;EACvE,MAAM,QAAQ,KAAK,YAAY,UAAU;EACzC,IAAI,MAAM,WAAW,GAAG,OAAO;EAC/B,OAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,4BAAsD;EACpD,MAAM,QAAQ,KAAK,YAAY,UAAU;EACzC,OAAO,KAAK,iBAAiB,MAAM;;CAGrC,iBAAyB,OAAiB,aAAgD;EACxF,OAAO,MAAM,MAAK,aAAY;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;GACnC,IAAI,CAAC,SAAS,OAAO;GAErB,MAAM,WAAqC,EAAE;GAE7C,KAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,YAAY,EAC3D,IAAI,QAAQ,SAAS,IAAI;QAGnB,CADiB,QAAQ,WAAiD,WAC5D,QAAQ,OAAO;UAEjC,SAAS,YAAY;GAIzB,OAAO,OAAO,KAAK,SAAS,CAAC,WAAW,KAAK,QAAQ,UAAU,SAAS,CAAC;IACzE;;CAGJ,iBAAyB,OAA2C;EAClE,MAAM,SAAmC,EAAE;EAC3C,KAAK,MAAM,YAAY,OAAO;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;GACnC,IAAI,CAAC,SAAS;GACd,KAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,QAAQ,WAAW,EAAE;IACpE,OAAO,cAAc,EAAE;IACvB,KAAK,MAAM,UAAU,SACnB,IAAI,CAAC,OAAO,UAAU,SAAS,OAAO,EACpC,OAAO,UAAU,KAAK,OAAO;;;EAKrC,OAAO;;;;CA3HV,UAAU,UAAU,cAAc;oBAG9B,OAAO,UAAU,YAAY,CAAA;oBAE7B,OAAO,UAAU,SAAS,CAAA;oBAE1B,OAAO,UAAU,QAAQ,CAAA"}
|
package/dist/auth/index.d.mts
CHANGED
|
@@ -26,6 +26,12 @@ declare class AuthModule implements RouteConfigurable {
|
|
|
26
26
|
/**
|
|
27
27
|
* Configure AuthModule with async options factory.
|
|
28
28
|
* Optionally provide `accessControl` to enable permission-based authorization.
|
|
29
|
+
*
|
|
30
|
+
* When `RateLimiterModule` is also imported, better-auth's `rateLimit`
|
|
31
|
+
* block is auto-wired: `customStorage` shares Stratal's backing store, and
|
|
32
|
+
* any `RateLimiterRegistry.forPath(...)` entries are projected into
|
|
33
|
+
* `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys
|
|
34
|
+
* take precedence on a per-key basis.
|
|
29
35
|
*/
|
|
30
36
|
static forRootAsync<TOptions extends BetterAuthOptions>(options: AuthModuleAsyncOptions<TOptions>): DynamicModule;
|
|
31
37
|
}
|
|
@@ -282,11 +288,12 @@ declare class AuthService<TOptions extends BetterAuthOptions = BetterAuthOptions
|
|
|
282
288
|
/**
|
|
283
289
|
* Session Verification Middleware
|
|
284
290
|
*
|
|
285
|
-
* Verifies user session via Better Auth and populates AuthContext with
|
|
291
|
+
* Verifies user session via Better Auth and populates AuthContext with
|
|
292
|
+
* the authenticated user.
|
|
286
293
|
*
|
|
287
294
|
* **Responsibilities:**
|
|
288
295
|
* - Calls Better Auth's getSession() API
|
|
289
|
-
* - Populates AuthContext with
|
|
296
|
+
* - Populates AuthContext with the user record if the session is valid
|
|
290
297
|
* - Continues request chain regardless of session status
|
|
291
298
|
*/
|
|
292
299
|
declare class SessionVerificationMiddleware implements Middleware {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/i18n/en.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;;
|
|
1
|
+
{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/auth/auth.module.ts","../../src/auth/auth.tokens.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/i18n/en.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/services/auth.service.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/utils/better-auth-error-handler.ts"],"mappings":";;;;;;;;;UAwEiB,sBAAA,kBAAwC,iBAAA,GAAoB,iBAAA,UACnE,kBAAA,CAAmB,QAAA;EAsCX;;;;EAjChB,aAAA,GAAgB,oBAAA;AAAA;AAAA,cASL,UAAA,YAAsB,iBAAA;ECtF2B;;AAG9D;;;;;ED2FE,eAAA,CAAgB,MAAA,EAAQ,MAAA;;;AE7F1B;;;;;;;;SF2GS,YAAA,kBAA8B,iBAAA,CAAA,CACnC,OAAA,EAAS,sBAAA,CAAuB,QAAA,IAC/B,aAAA;AAAA;;;;cC9GQ,YAAA;;cAGA,YAAA;;;cCFA,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMhC,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,iBAAA,SAA0B,gBAAA;cACzB,KAAA;AAAA;AAAA,cAKD,mBAAA,SAA4B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM5B,qBAAA,SAA8B,gBAAA;cAC7B,KAAA;AAAA;AAAA,cAKD,qBAAA,SAA8B,gBAAA;cAC7B,SAAA;AAAA;AAAA,cAKD,oBAAA,SAA6B,gBAAA;cAC5B,SAAA;AAAA;AAAA,cAKD,yBAAA,SAAkC,gBAAA;cACjC,KAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,0BAAA,SAAmC,gBAAA;cAClC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,QAAA;AAAA;AAAA,cAKD,4BAAA,SAAqC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMrC,qBAAA,SAA8B,gBAAA;cAC7B,QAAA;AAAA;AAAA,cAKD,sBAAA,SAA+B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM/B,oBAAA,SAA6B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM7B,8BAAA,SAAuC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMvC,2BAAA,SAAoC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMpC,yBAAA,SAAkC,gBAAA;cACjC,MAAA;AAAA;AAAA,cAKD,uBAAA,SAAgC,gBAAA;cAC/B,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;cAChC,MAAA;AAAA;AAAA,cAKD,wBAAA,SAAiC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMjC,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM1B,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMhC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM3B,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM3B,sBAAA,SAA+B,gBAAA;cAC9B,SAAA;AAAA;;;cC/KD,iBAAA,SAA0B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA1B,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,+BAAA,SAAwC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMxC,mCAAA,SAA4C,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM5C,iCAAA,SAA0C,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAM1C,4CAAA,SAAqD,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMrD,yBAAA,SAAkC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMlC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMtC,2BAAA,SAAoC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMpC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;AAAA,cAMtC,6BAAA,SAAsC,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCtDtC,kBAAA,SAA2B,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCA3B,uBAAA,SAAgC,gBAAA;EAAA,WAAA,CAAA;AAAA;;;cCFhC,YAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;YAsDD,oBAAA;IACR,IAAA,SAAa,YAAA;EAAA;AAAA;;;;;;;;;;cC3CJ,qBAAA,YAAiC,UAAA;EACtC,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;;;;;AR2DhD;;;;;;;;;;;;;cS3Ca,WAAA,kBAA6B,iBAAA,GAAoB,iBAAA;EAAA,mBAIjB,OAAA,EAAS,QAAA;EAAA,QAH5C,YAAA;cAGmC,OAAA,EAAS,QAAA;ET6ChB;;AAGtC;EAHsC,ISlChC,IAAA,CAAA,GAAQ,IAAA,CAAK,QAAA;AAAA;;;;;;;;;AT4BnB;;;;;cUpDa,6BAAA,YAAyC,UAAA;EAAA,iBAGjC,WAAA;EAAA,QAC4B,MAAA;cAD5B,WAAA,EAAa,WAAA,EACe,MAAA,EAAQ,aAAA;EAGjD,MAAA,CAAO,GAAA,EAAK,aAAA,EAAe,IAAA,EAAM,IAAA,GAAO,OAAA;AAAA;;;;;;;iBCpBhC,qBAAA,CAAA,GAAyB,iBAAA;;;;cAe5B,cAAA,MAA2B,EAAA,QAAU,OAAA,CAAQ,CAAA,MAAK,OAAA,CAAQ,CAAA;;;;;;iBC2BvD,kBAAA,CAAmB,KAAA,EAAO,QAAA,GAAW,gBAAA;;;;AZuBrD;;iBY0LgB,UAAA,CAAW,KAAA,YAAiB,KAAA,IAAS,QAAA"}
|
package/dist/auth/index.mjs
CHANGED
|
@@ -1,11 +1,12 @@
|
|
|
1
|
-
import { n as createStratalAcPlugin, t as AccessService } from "../access.service-
|
|
2
|
-
import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-
|
|
3
|
-
import { t as __decorateMetadata } from "../decorateMetadata-
|
|
4
|
-
import { t as __decorate } from "../decorate-
|
|
5
|
-
import { t as AuthContext } from "../auth-context-
|
|
1
|
+
import { n as createStratalAcPlugin, t as AccessService } from "../access.service-Cb99esfz.mjs";
|
|
2
|
+
import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-C_dJ_dIO.mjs";
|
|
3
|
+
import { t as __decorateMetadata } from "../decorateMetadata-D5WUsc6Y.mjs";
|
|
4
|
+
import { t as __decorate } from "../decorate-DViXs-0l.mjs";
|
|
5
|
+
import { t as AuthContext } from "../auth-context-HLwuOl51.mjs";
|
|
6
|
+
import { CONTAINER_TOKEN, DI_TOKENS, Transient } from "stratal/di";
|
|
6
7
|
import { I18nModule } from "stratal/i18n";
|
|
7
8
|
import { Module } from "stratal/module";
|
|
8
|
-
import {
|
|
9
|
+
import { RATE_LIMITER_TOKENS, RateLimiterRegistry } from "stratal/rate-limiter";
|
|
9
10
|
import { ApplicationError, ERROR_CODES } from "stratal/errors";
|
|
10
11
|
import { LOGGER_TOKENS } from "stratal/logger";
|
|
11
12
|
import { inject as inject$1 } from "tsyringe";
|
|
@@ -80,17 +81,16 @@ AuthContextMiddleware = __decorate([Transient()], AuthContextMiddleware);
|
|
|
80
81
|
//#endregion
|
|
81
82
|
//#region src/auth/middleware/session-verification.middleware.ts
|
|
82
83
|
let SessionVerificationMiddleware = class SessionVerificationMiddleware {
|
|
84
|
+
authService;
|
|
85
|
+
logger;
|
|
83
86
|
constructor(authService, logger) {
|
|
84
87
|
this.authService = authService;
|
|
85
88
|
this.logger = logger;
|
|
86
89
|
}
|
|
87
90
|
async handle(ctx, next) {
|
|
88
91
|
try {
|
|
89
|
-
const
|
|
90
|
-
if (
|
|
91
|
-
userId: session.user.id,
|
|
92
|
-
role: session.user.role
|
|
93
|
-
});
|
|
92
|
+
const result = await this.authService.auth.api.getSession({ headers: ctx.c.req.raw.headers });
|
|
93
|
+
if (result) ctx.getContainer().resolve(DI_TOKENS.AuthContext).setAuthContext({ user: result.user });
|
|
94
94
|
} catch (error) {
|
|
95
95
|
this.logger.debug("Session validation failed (e.g., invalidated in DB)", { error });
|
|
96
96
|
}
|
|
@@ -104,6 +104,89 @@ SessionVerificationMiddleware = __decorate([
|
|
|
104
104
|
__decorateMetadata("design:paramtypes", [Object, Object])
|
|
105
105
|
], SessionVerificationMiddleware);
|
|
106
106
|
//#endregion
|
|
107
|
+
//#region src/auth/rate-limit-bridge.ts
|
|
108
|
+
/**
|
|
109
|
+
* Rate-limit bridge between Stratal's `RateLimiterModule` and better-auth.
|
|
110
|
+
*
|
|
111
|
+
* Importing this file (transitively, via `auth.module.ts`) does two things:
|
|
112
|
+
*
|
|
113
|
+
* 1. Augments `RateLimiterRegistry` with `forPath()` + `pathEntries()` via
|
|
114
|
+
* Stratal's `Macroable`. Path-keyed rules registered on the same registry
|
|
115
|
+
* used for Stratal's own throttling are projected into better-auth's
|
|
116
|
+
* `customRules` by {@link projectCustomRules}.
|
|
117
|
+
* 2. Exports {@link createBetterAuthRateLimitStorage} — adapts Stratal's
|
|
118
|
+
* {@link IRateLimiterStore} into better-auth's `customStorage`, so both
|
|
119
|
+
* systems share one backing store.
|
|
120
|
+
*
|
|
121
|
+
* `AuthModule.forRootAsync` wires both automatically when `RateLimiterModule`
|
|
122
|
+
* is imported. Users with explicit `rateLimit.customStorage` /
|
|
123
|
+
* `rateLimit.customRules` keys in their auth factory keep precedence.
|
|
124
|
+
*
|
|
125
|
+
* Frictions, documented for path-keyed entries:
|
|
126
|
+
*
|
|
127
|
+
* - `Limit.by(...)` is meaningless. Better-auth scopes per-IP+path.
|
|
128
|
+
* - Multiple `Limit`s reduce to the most restrictive (smallest max-per-second).
|
|
129
|
+
* - `Limit.none()` projects to `false` (better-auth's "disable" sentinel).
|
|
130
|
+
* - `Limit.response(...)` is a no-op. Better-auth renders its own 429.
|
|
131
|
+
* - Snapshot caveat: `customRules` is built once at AuthService construction,
|
|
132
|
+
* so register all `forPath()` entries inside `OnInitialize` hooks.
|
|
133
|
+
*/
|
|
134
|
+
const pathResolvers = /* @__PURE__ */ new WeakMap();
|
|
135
|
+
function getOrCreatePathMap(registry) {
|
|
136
|
+
let map = pathResolvers.get(registry);
|
|
137
|
+
if (!map) {
|
|
138
|
+
map = /* @__PURE__ */ new Map();
|
|
139
|
+
pathResolvers.set(registry, map);
|
|
140
|
+
}
|
|
141
|
+
return map;
|
|
142
|
+
}
|
|
143
|
+
RateLimiterRegistry.macro("forPath", function(path, resolver) {
|
|
144
|
+
getOrCreatePathMap(this).set(path, resolver);
|
|
145
|
+
});
|
|
146
|
+
RateLimiterRegistry.macro("pathEntries", function() {
|
|
147
|
+
return (pathResolvers.get(this) ?? /* @__PURE__ */ new Map()).entries();
|
|
148
|
+
});
|
|
149
|
+
const BETTER_AUTH_TTL_SECONDS = 86400;
|
|
150
|
+
const BETTER_AUTH_KEY_PREFIX = "ba-rl:";
|
|
151
|
+
/**
|
|
152
|
+
* Adapt Stratal's `IRateLimiterStore` into better-auth's `customStorage` shape.
|
|
153
|
+
* Better-auth supplies its own `RateLimit` records (`{ key, count, lastRequest }`);
|
|
154
|
+
* the adapter just persists them under a separate key namespace.
|
|
155
|
+
*/
|
|
156
|
+
function createBetterAuthRateLimitStorage(store) {
|
|
157
|
+
return {
|
|
158
|
+
async get(key) {
|
|
159
|
+
return await store.get(`${BETTER_AUTH_KEY_PREFIX}${key}`);
|
|
160
|
+
},
|
|
161
|
+
async set(key, value, _update) {
|
|
162
|
+
await store.set(`${BETTER_AUTH_KEY_PREFIX}${key}`, value, BETTER_AUTH_TTL_SECONDS);
|
|
163
|
+
}
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
/**
|
|
167
|
+
* Project every `forPath` entry on the registry into better-auth's
|
|
168
|
+
* `customRules` shape. Each entry becomes an async function that resolves
|
|
169
|
+
* the user's `Limit`(s) and reduces them to a single `{ window, max }` pair
|
|
170
|
+
* (or `false` for `Limit.none()`).
|
|
171
|
+
*
|
|
172
|
+
* Multi-`Limit` reduction picks the most restrictive — smallest
|
|
173
|
+
* `max / windowSeconds` ratio; ties favour the first.
|
|
174
|
+
*/
|
|
175
|
+
function projectCustomRules(registry) {
|
|
176
|
+
const rules = {};
|
|
177
|
+
for (const [path, resolver] of registry.pathEntries()) rules[path] = async (req) => {
|
|
178
|
+
const resolved = await resolver(req);
|
|
179
|
+
const candidates = (Array.isArray(resolved) ? resolved : [resolved]).filter((l) => !l.disabled);
|
|
180
|
+
if (candidates.length === 0) return false;
|
|
181
|
+
const chosen = candidates.reduce((a, b) => a.max / a.windowSeconds <= b.max / b.windowSeconds ? a : b);
|
|
182
|
+
return {
|
|
183
|
+
window: chosen.windowSeconds,
|
|
184
|
+
max: chosen.max
|
|
185
|
+
};
|
|
186
|
+
};
|
|
187
|
+
return rules;
|
|
188
|
+
}
|
|
189
|
+
//#endregion
|
|
107
190
|
//#region src/auth/errors/auth-errors.ts
|
|
108
191
|
var UserNotFoundError = class extends ApplicationError {
|
|
109
192
|
constructor(email) {
|
|
@@ -426,6 +509,7 @@ const wrapBetterAuth = async (fn) => {
|
|
|
426
509
|
//#endregion
|
|
427
510
|
//#region src/auth/services/auth.service.ts
|
|
428
511
|
let AuthService = class AuthService {
|
|
512
|
+
options;
|
|
429
513
|
authInstance;
|
|
430
514
|
constructor(options) {
|
|
431
515
|
this.options = options;
|
|
@@ -463,23 +547,44 @@ let AuthModule = _AuthModule = class AuthModule {
|
|
|
463
547
|
/**
|
|
464
548
|
* Configure AuthModule with async options factory.
|
|
465
549
|
* Optionally provide `accessControl` to enable permission-based authorization.
|
|
550
|
+
*
|
|
551
|
+
* When `RateLimiterModule` is also imported, better-auth's `rateLimit`
|
|
552
|
+
* block is auto-wired: `customStorage` shares Stratal's backing store, and
|
|
553
|
+
* any `RateLimiterRegistry.forPath(...)` entries are projected into
|
|
554
|
+
* `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys
|
|
555
|
+
* take precedence on a per-key basis.
|
|
466
556
|
*/
|
|
467
557
|
static forRootAsync(options) {
|
|
468
558
|
const { accessControl } = options;
|
|
469
|
-
const
|
|
559
|
+
const userInject = options.inject ?? [];
|
|
560
|
+
const userFactory = options.useFactory;
|
|
561
|
+
const authOptionsProvider = {
|
|
470
562
|
provide: AUTH_OPTIONS,
|
|
471
|
-
useFactory: (...
|
|
472
|
-
|
|
473
|
-
|
|
563
|
+
useFactory: (container, ...userDeps) => {
|
|
564
|
+
let raw = userFactory(...userDeps);
|
|
565
|
+
if (accessControl) raw = {
|
|
474
566
|
...raw,
|
|
475
567
|
plugins: [createStratalAcPlugin(accessControl), ...raw.plugins ?? []]
|
|
476
568
|
};
|
|
569
|
+
if (container.getTsyringeContainer().isRegistered(RATE_LIMITER_TOKENS.ModuleMarker, true)) {
|
|
570
|
+
const store = container.resolve(RATE_LIMITER_TOKENS.Store);
|
|
571
|
+
const registry = container.resolve(RATE_LIMITER_TOKENS.Registry);
|
|
572
|
+
raw = {
|
|
573
|
+
...raw,
|
|
574
|
+
rateLimit: {
|
|
575
|
+
enabled: true,
|
|
576
|
+
...raw.rateLimit,
|
|
577
|
+
customStorage: raw.rateLimit?.customStorage ?? createBetterAuthRateLimitStorage(store),
|
|
578
|
+
customRules: {
|
|
579
|
+
...projectCustomRules(registry),
|
|
580
|
+
...raw.rateLimit?.customRules ?? {}
|
|
581
|
+
}
|
|
582
|
+
}
|
|
583
|
+
};
|
|
584
|
+
}
|
|
585
|
+
return raw;
|
|
477
586
|
},
|
|
478
|
-
inject:
|
|
479
|
-
} : {
|
|
480
|
-
provide: AUTH_OPTIONS,
|
|
481
|
-
useFactory: options.useFactory,
|
|
482
|
-
inject: options.inject
|
|
587
|
+
inject: [CONTAINER_TOKEN, ...userInject]
|
|
483
588
|
};
|
|
484
589
|
return {
|
|
485
590
|
module: _AuthModule,
|
package/dist/auth/index.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.mjs","names":["inject","inject"],"sources":["../../src/auth/auth.tokens.ts","../../src/auth/i18n/en.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/utils/better-auth-error-handler.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/services/auth.service.ts","../../src/auth/auth.module.ts"],"sourcesContent":["/** Token for AuthService - core authentication service */\nexport const AUTH_SERVICE = Symbol.for('stratal:auth:service')\n\n/** Token for Better Auth options configuration */\nexport const AUTH_OPTIONS = Symbol.for('stratal:auth:options')\n","export const authMessages = {\n en: {\n auth: {\n errors: {\n tokenRequired: 'Verification token is required',\n invalidToken: 'Invalid or expired verification token',\n verificationFailed: 'Verification failed. Please try again.',\n userNotFound: 'User not found. Please check your credentials.',\n invalidCredentials: 'Invalid email or password',\n invalidPassword: 'Invalid password',\n invalidEmail: 'Invalid email address',\n sessionExpired: 'Your session has expired. Please sign in again.',\n emailNotVerified: 'Please verify your email address before signing in',\n passwordTooShort: 'Password must be at least {minLength} characters',\n passwordTooLong: 'Password must be at most {maxLength} characters',\n accountAlreadyExists: 'An account with this email already exists',\n failedToCreateUser: 'Failed to create user account. Please try again.',\n failedToCreateSession: 'Failed to create session. Please try again.',\n failedToGetSession: 'Failed to retrieve session. Please try again.',\n failedToUpdateUser: 'Failed to update user information. Please try again.',\n failedToGetUserInfo: 'Failed to retrieve user information. Please try again.',\n socialAccountLinked: 'This social account is already linked to another user',\n providerNotFound: 'Authentication provider not found',\n userEmailNotFound: 'User email address not found',\n accountNotFound: 'Account not found',\n credentialAccountNotFound: 'Credential account not found',\n cannotUnlinkLastAccount: 'Cannot unlink your last account',\n userAlreadyHasPassword: 'User already has a password set',\n emailCannotBeUpdated: 'Email address cannot be updated at this time',\n tokenExpired: 'The verification token has expired. Please request a new verification email.',\n invalidCallbackUrl: 'Invalid callback URL',\n invalidOrigin: 'Request origin is not allowed',\n validationFailed: 'Authentication validation failed',\n emailAlreadyVerified: 'Email address is already verified',\n emailMismatch: 'Email address does not match',\n unknownError: 'An authentication error occurred',\n },\n org: {\n organizationNotFound: 'Organization not found',\n memberNotFound: 'Member not found',\n invitationNotFound: 'Invitation not found',\n permissionDenied: 'You do not have permission to perform this action',\n invitationRecipientMismatch: 'You are not the recipient of this invitation',\n conflict: 'A resource with this identifier already exists',\n limitReached: 'The maximum limit has been reached',\n membershipError: 'This action cannot be performed due to membership constraints',\n teamNotFound: 'Team not found',\n roleNotFound: 'Role not found',\n },\n },\n },\n} as const\n\ndeclare module 'stratal/i18n' {\n interface AppMessageNamespaces {\n auth: typeof authMessages['en']['auth']\n }\n}\n","import { DI_TOKENS, Transient } from 'stratal/di'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { AuthContext } from '../../context/auth-context'\n\n/**\n * Auth Context Middleware\n *\n * Registers AuthContext in the request container at the start of each request.\n * This MUST run before SessionVerificationMiddleware and any other middleware\n * that depends on AuthContext.\n */\n@Transient()\nexport class AuthContextMiddleware implements Middleware {\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n const requestContainer = ctx.getContainer()\n\n const authContext = new AuthContext()\n requestContainer.registerValue(DI_TOKENS.AuthContext, authContext)\n\n return next()\n }\n}\n","import { DI_TOKENS, Transient } from 'stratal/di'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { inject } from 'tsyringe'\nimport { type AuthContext } from '../../context/auth-context'\nimport { AUTH_SERVICE } from '../auth.tokens'\nimport type { AuthService } from '../services/auth.service'\n\n/**\n * Session Verification Middleware\n *\n * Verifies user session via Better Auth and populates AuthContext with userId.\n *\n * **Responsibilities:**\n * - Calls Better Auth's getSession() API\n * - Populates AuthContext with userId if session is valid\n * - Continues request chain regardless of session status\n */\n@Transient()\nexport class SessionVerificationMiddleware implements Middleware {\n constructor(\n @inject(AUTH_SERVICE)\n private readonly authService: AuthService,\n @inject(LOGGER_TOKENS.LoggerService) private logger: LoggerService\n ) { }\n\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n try {\n const session = await this.authService.auth.api.getSession({\n headers: ctx.c.req.raw.headers\n })\n\n if (session) {\n const authContext = ctx.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext)\n authContext.setAuthContext({\n userId: session.user.id,\n role: (session.user as Record<string, unknown>).role as string | undefined,\n })\n }\n } catch (error: unknown) {\n this.logger.debug('Session validation failed (e.g., invalidated in DB)', { error })\n }\n\n return next()\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotFoundError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.userNotFound', ERROR_CODES.RESOURCE.NOT_FOUND, email ? { email } : undefined)\n }\n}\n\nexport class InvalidCredentialsError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidCredentials', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n\nexport class InvalidPasswordError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidPassword', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n\nexport class InvalidEmailError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.invalidEmail', ERROR_CODES.VALIDATION.INVALID_FORMAT, email ? { email } : undefined)\n }\n}\n\nexport class SessionExpiredError extends ApplicationError {\n constructor() {\n super('auth.errors.sessionExpired', ERROR_CODES.AUTH.SESSION_EXPIRED)\n }\n}\n\nexport class EmailNotVerifiedError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.emailNotVerified', ERROR_CODES.AUTH.EMAIL_NOT_VERIFIED, email ? { email } : undefined)\n }\n}\n\nexport class PasswordTooShortError extends ApplicationError {\n constructor(minLength: number) {\n super('auth.errors.passwordTooShort', ERROR_CODES.AUTH.PASSWORD_TOO_SHORT, { minLength })\n }\n}\n\nexport class PasswordTooLongError extends ApplicationError {\n constructor(maxLength: number) {\n super('auth.errors.passwordTooLong', ERROR_CODES.AUTH.PASSWORD_TOO_LONG, { maxLength })\n }\n}\n\nexport class AccountAlreadyExistsError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.accountAlreadyExists', ERROR_CODES.AUTH.ACCOUNT_ALREADY_EXISTS, email ? { email } : undefined)\n }\n}\n\nexport class FailedToCreateUserError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToCreateUser', ERROR_CODES.AUTH.FAILED_TO_CREATE_USER, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToCreateSessionError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToCreateSession', ERROR_CODES.AUTH.FAILED_TO_CREATE_SESSION, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToUpdateUserError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToUpdateUser', ERROR_CODES.AUTH.FAILED_TO_UPDATE_USER, reason ? { reason } : undefined)\n }\n}\n\nexport class SocialAccountLinkedError extends ApplicationError {\n constructor(provider?: string) {\n super('auth.errors.socialAccountLinked', ERROR_CODES.AUTH.SOCIAL_ACCOUNT_LINKED, provider ? { provider } : undefined)\n }\n}\n\nexport class CannotUnlinkLastAccountError extends ApplicationError {\n constructor() {\n super('auth.errors.cannotUnlinkLastAccount', ERROR_CODES.AUTH.CANNOT_UNLINK_LAST_ACCOUNT)\n }\n}\n\nexport class ProviderNotFoundError extends ApplicationError {\n constructor(provider?: string) {\n super('auth.errors.providerNotFound', ERROR_CODES.RESOURCE.NOT_FOUND, provider ? { provider } : undefined)\n }\n}\n\nexport class UserEmailNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.userEmailNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class AccountNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.accountNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class CredentialAccountNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.credentialAccountNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class UserAlreadyHasPasswordError extends ApplicationError {\n constructor() {\n super('auth.errors.userAlreadyHasPassword', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class EmailCannotBeUpdatedError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.emailCannotBeUpdated', ERROR_CODES.VALIDATION.GENERIC, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToGetSessionError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToGetSession', ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToGetUserInfoError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToGetUserInfo', ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : undefined)\n }\n}\n\nexport class IdTokenNotSupportedError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidToken', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class TokenExpiredError extends ApplicationError {\n constructor() {\n super('auth.errors.tokenExpired', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class InvalidCallbackUrlError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidCallbackUrl', ERROR_CODES.VALIDATION.INVALID_FORMAT)\n }\n}\n\nexport class InvalidOriginError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidOrigin', ERROR_CODES.AUTHZ.FORBIDDEN)\n }\n}\n\nexport class AuthValidationFailedError extends ApplicationError {\n constructor() {\n super('auth.errors.validationFailed', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class EmailAlreadyVerifiedError extends ApplicationError {\n constructor() {\n super('auth.errors.emailAlreadyVerified', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class EmailMismatchError extends ApplicationError {\n constructor() {\n super('auth.errors.emailMismatch', ERROR_CODES.VALIDATION.INVALID_FORMAT)\n }\n}\n\nexport class BetterAuthUnknownError extends ApplicationError {\n constructor(errorCode?: string) {\n super('auth.errors.unknownError', ERROR_CODES.SYSTEM.INTERNAL_ERROR, errorCode ? { errorCode } : undefined)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class InvalidTokenError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidToken', ERROR_CODES.AUTH.INVALID_TOKEN)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class OrganizationNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.organizationNotFound', ERROR_CODES.AUTH.ORGANIZATION_NOT_FOUND)\n }\n}\n\nexport class OrganizationMemberNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.memberNotFound', ERROR_CODES.AUTH.MEMBER_NOT_FOUND)\n }\n}\n\nexport class OrganizationInvitationNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.invitationNotFound', ERROR_CODES.AUTH.INVITATION_NOT_FOUND)\n }\n}\n\nexport class OrganizationPermissionDeniedError extends ApplicationError {\n constructor() {\n super('auth.org.permissionDenied', ERROR_CODES.AUTHZ.FORBIDDEN)\n }\n}\n\nexport class OrganizationInvitationRecipientMismatchError extends ApplicationError {\n constructor() {\n super('auth.org.invitationRecipientMismatch', ERROR_CODES.AUTH.INVITATION_RECIPIENT_MISMATCH)\n }\n}\n\nexport class OrganizationConflictError extends ApplicationError {\n constructor() {\n super('auth.org.conflict', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class OrganizationLimitReachedError extends ApplicationError {\n constructor() {\n super('auth.org.limitReached', ERROR_CODES.AUTH.ORGANIZATION_LIMIT_REACHED)\n }\n}\n\nexport class OrganizationMembershipError extends ApplicationError {\n constructor() {\n super('auth.org.membershipError', ERROR_CODES.AUTH.ORGANIZATION_MEMBERSHIP_REQUIRED)\n }\n}\n\nexport class OrganizationTeamNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.teamNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class OrganizationRoleNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.roleNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class TokenRequiredError extends ApplicationError {\n constructor() {\n super('auth.errors.tokenRequired', ERROR_CODES.VALIDATION.REQUIRED_FIELD, { field: 'token' })\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class VerificationFailedError extends ApplicationError {\n constructor() {\n super('auth.errors.verificationFailed', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n","import { APIError } from 'better-auth/api'\nimport type { ApplicationError } from 'stratal/errors'\nimport {\n AccountAlreadyExistsError,\n AccountNotFoundError,\n AuthValidationFailedError,\n BetterAuthUnknownError,\n CannotUnlinkLastAccountError,\n CredentialAccountNotFoundError,\n EmailAlreadyVerifiedError,\n EmailCannotBeUpdatedError,\n EmailMismatchError,\n EmailNotVerifiedError,\n FailedToCreateSessionError,\n FailedToCreateUserError,\n FailedToGetSessionError,\n FailedToGetUserInfoError,\n FailedToUpdateUserError,\n IdTokenNotSupportedError,\n InvalidCallbackUrlError,\n InvalidCredentialsError,\n InvalidEmailError,\n InvalidOriginError,\n InvalidPasswordError,\n InvalidTokenError,\n OrganizationConflictError,\n OrganizationInvitationNotFoundError,\n OrganizationInvitationRecipientMismatchError,\n OrganizationLimitReachedError,\n OrganizationMemberNotFoundError,\n OrganizationMembershipError,\n OrganizationNotFoundError,\n OrganizationPermissionDeniedError,\n OrganizationRoleNotFoundError,\n OrganizationTeamNotFoundError,\n PasswordTooLongError,\n PasswordTooShortError,\n ProviderNotFoundError,\n SessionExpiredError,\n SocialAccountLinkedError,\n TokenExpiredError,\n UserAlreadyHasPasswordError,\n UserEmailNotFoundError,\n UserNotFoundError,\n} from '../errors'\n\n/**\n * Maps Better Auth API error codes to ApplicationError instances.\n */\nexport function mapBetterAuthError(error: APIError): ApplicationError {\n const errorCode = error.body?.code\n\n if (error.status === 'FOUND') {\n const headers = error.headers as Headers\n const location = headers.get('location') ?? ''\n\n if (location.includes('INVALID_TOKEN')) return new InvalidTokenError()\n if (location.includes('EXPIRED_TOKEN')) return new TokenExpiredError()\n if (location.includes('ATTEMPTS_EXCEEDED')) return new InvalidTokenError()\n if (location.includes('new_user_signup_disabled')) return new UserNotFoundError()\n if (location.includes('failed_to_create_user')) return new FailedToCreateUserError()\n if (location.includes('failed_to_create_session')) return new FailedToCreateSessionError()\n }\n\n if (!errorCode) {\n return new BetterAuthUnknownError()\n }\n\n // ── Base Error Codes ──────────────────────────────────────────────────\n\n // User errors\n if (errorCode === 'USER_NOT_FOUND' || errorCode === 'INVALID_USER') return new UserNotFoundError()\n if (errorCode === 'USER_EMAIL_NOT_FOUND') return new UserEmailNotFoundError()\n\n // Credential errors\n if (errorCode === 'INVALID_EMAIL_OR_PASSWORD') return new InvalidCredentialsError()\n if (errorCode === 'INVALID_PASSWORD') return new InvalidPasswordError()\n if (errorCode === 'INVALID_EMAIL') return new InvalidEmailError()\n\n // Session errors\n if (errorCode === 'SESSION_EXPIRED' || errorCode === 'SESSION_NOT_FRESH') return new SessionExpiredError()\n if (errorCode === 'FAILED_TO_CREATE_SESSION') return new FailedToCreateSessionError()\n if (errorCode === 'FAILED_TO_GET_SESSION') return new FailedToGetSessionError()\n\n // Email verification\n if (errorCode === 'EMAIL_NOT_VERIFIED') return new EmailNotVerifiedError()\n if (errorCode === 'EMAIL_CAN_NOT_BE_UPDATED') return new EmailCannotBeUpdatedError()\n if (errorCode === 'EMAIL_ALREADY_VERIFIED') return new EmailAlreadyVerifiedError()\n if (errorCode === 'EMAIL_MISMATCH') return new EmailMismatchError()\n\n // Password validation\n if (errorCode === 'PASSWORD_TOO_SHORT') return new PasswordTooShortError(8)\n if (errorCode === 'PASSWORD_TOO_LONG') return new PasswordTooLongError(128)\n\n // Account errors\n if (errorCode === 'USER_ALREADY_EXISTS' || errorCode === 'USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL') {\n return new AccountAlreadyExistsError()\n }\n if (errorCode === 'ACCOUNT_NOT_FOUND') return new AccountNotFoundError()\n if (errorCode === 'CREDENTIAL_ACCOUNT_NOT_FOUND') return new CredentialAccountNotFoundError()\n if (errorCode === 'FAILED_TO_UNLINK_LAST_ACCOUNT') return new CannotUnlinkLastAccountError()\n\n // User creation/update errors\n if (errorCode === 'FAILED_TO_CREATE_USER') return new FailedToCreateUserError()\n if (errorCode === 'FAILED_TO_UPDATE_USER') return new FailedToUpdateUserError()\n if (errorCode === 'FAILED_TO_GET_USER_INFO') return new FailedToGetUserInfoError()\n\n // Social account errors\n if (errorCode === 'SOCIAL_ACCOUNT_ALREADY_LINKED' || errorCode === 'LINKED_ACCOUNT_ALREADY_EXISTS') {\n return new SocialAccountLinkedError()\n }\n if (errorCode === 'PROVIDER_NOT_FOUND') return new ProviderNotFoundError()\n\n // Token errors\n if (errorCode === 'ID_TOKEN_NOT_SUPPORTED') return new IdTokenNotSupportedError()\n if (errorCode === 'INVALID_TOKEN') return new InvalidTokenError()\n if (errorCode === 'TOKEN_EXPIRED') return new TokenExpiredError()\n\n // Password management\n if (errorCode === 'USER_ALREADY_HAS_PASSWORD' || errorCode === 'PASSWORD_ALREADY_SET') {\n return new UserAlreadyHasPasswordError()\n }\n\n // Callback/redirect URL errors\n if (\n errorCode === 'INVALID_CALLBACK_URL'\n || errorCode === 'INVALID_REDIRECT_URL'\n || errorCode === 'INVALID_NEW_USER_CALLBACK_URL'\n || errorCode === 'INVALID_ERROR_CALLBACK_URL'\n || errorCode === 'CALLBACK_URL_REQUIRED'\n ) {\n return new InvalidCallbackUrlError()\n }\n\n // Origin/CORS errors\n if (\n errorCode === 'INVALID_ORIGIN'\n || errorCode === 'MISSING_OR_NULL_ORIGIN'\n || errorCode === 'CROSS_SITE_NAVIGATION_LOGIN_BLOCKED'\n ) {\n return new InvalidOriginError()\n }\n\n // Validation errors\n if (\n errorCode === 'VALIDATION_ERROR'\n || errorCode === 'MISSING_FIELD'\n || errorCode === 'FIELD_NOT_ALLOWED'\n || errorCode === 'BODY_MUST_BE_AN_OBJECT'\n || errorCode === 'ASYNC_VALIDATION_NOT_SUPPORTED'\n || errorCode === 'METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED'\n ) {\n return new AuthValidationFailedError()\n }\n\n // Verification errors\n if (errorCode === 'FAILED_TO_CREATE_VERIFICATION' || errorCode === 'VERIFICATION_EMAIL_NOT_ENABLED') {\n return new FailedToCreateSessionError()\n }\n\n // ── Organization Plugin Error Codes ───────────────────────────────────\n\n // Organization not found\n if (errorCode === 'ORGANIZATION_NOT_FOUND' || errorCode === 'NO_ACTIVE_ORGANIZATION') {\n return new OrganizationNotFoundError()\n }\n\n // Member not found\n if (\n errorCode === 'MEMBER_NOT_FOUND'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_TEAM'\n ) {\n return new OrganizationMemberNotFoundError()\n }\n\n // Invitation not found\n if (errorCode === 'INVITATION_NOT_FOUND' || errorCode === 'FAILED_TO_RETRIEVE_INVITATION') {\n return new OrganizationInvitationNotFoundError()\n }\n\n // Invitation recipient mismatch\n if (\n errorCode === 'YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION'\n || errorCode === 'EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION'\n ) {\n return new OrganizationInvitationRecipientMismatchError()\n }\n\n // Team not found\n if (errorCode === 'TEAM_NOT_FOUND' || errorCode === 'YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM') {\n return new OrganizationTeamNotFoundError()\n }\n\n // Role not found\n if (errorCode === 'ROLE_NOT_FOUND' || errorCode === 'INVALID_RESOURCE') {\n return new OrganizationRoleNotFoundError()\n }\n\n // Organization conflict/already exists\n if (\n errorCode === 'ORGANIZATION_ALREADY_EXISTS'\n || errorCode === 'ORGANIZATION_SLUG_ALREADY_TAKEN'\n || errorCode === 'USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION'\n || errorCode === 'TEAM_ALREADY_EXISTS'\n || errorCode === 'ROLE_NAME_IS_ALREADY_TAKEN'\n ) {\n return new OrganizationConflictError()\n }\n\n // Organization limit reached\n if (\n errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS'\n || errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS'\n || errorCode === 'ORGANIZATION_MEMBERSHIP_LIMIT_REACHED'\n || errorCode === 'INVITATION_LIMIT_REACHED'\n || errorCode === 'TEAM_MEMBER_LIMIT_REACHED'\n || errorCode === 'TOO_MANY_ROLES'\n ) {\n return new OrganizationLimitReachedError()\n }\n\n // Organization membership constraints\n if (\n errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER'\n || errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER'\n || errorCode === 'UNABLE_TO_REMOVE_LAST_TEAM'\n || errorCode === 'CANNOT_DELETE_A_PRE_DEFINED_ROLE'\n || errorCode === 'ROLE_IS_ASSIGNED_TO_MEMBERS'\n || errorCode === 'YOU_CANNOT_IMPERSONATE_ADMINS'\n || errorCode === 'YOU_CANNOT_BAN_YOURSELF'\n || errorCode === 'YOU_CANNOT_REMOVE_YOURSELF'\n || errorCode === 'INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION'\n ) {\n return new OrganizationMembershipError()\n }\n\n // Organization permission denied (catch-all for YOU_ARE_NOT_ALLOWED_TO_* patterns)\n if (\n errorCode.startsWith('YOU_ARE_NOT_ALLOWED_TO_')\n || errorCode === 'YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'YOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM'\n || errorCode === 'YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE'\n || errorCode === 'MISSING_AC_INSTANCE'\n ) {\n return new OrganizationPermissionDeniedError()\n }\n\n // Unknown error code\n return new BetterAuthUnknownError(errorCode)\n}\n\n/**\n * Type guard to check if an error is a Better Auth APIError.\n * Uses duck typing to handle bundler environments (e.g. Vite)\n * where instanceof may fail across module boundaries.\n */\nexport function isAPIError(error: unknown): error is APIError {\n if (error instanceof APIError) return true\n\n return (\n error instanceof Error\n && error.name === 'APIError'\n && 'status' in error\n && 'statusCode' in error\n )\n}\n","import type { BetterAuthOptions } from 'better-auth'\nimport { isAPIError, mapBetterAuthError } from './better-auth-error-handler'\n\n/**\n * Get shared Better Auth error handler configuration.\n * Use this in Better Auth config's onAPIError option.\n */\nexport function getErrorHandlerConfig(): BetterAuthOptions['onAPIError'] {\n return {\n throw: false,\n onError: (error) => {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n },\n }\n}\n\n/**\n * Wrap a Better Auth function in a try/catch block and map errors to ApplicationError.\n */\nexport const wrapBetterAuth = async <T>(fn: () => Promise<T>): Promise<T> => {\n try {\n return await fn()\n } catch (error) {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n }\n}\n","import type { Auth, BetterAuthOptions } from 'better-auth'\nimport { betterAuth } from 'better-auth'\nimport { inject } from 'tsyringe'\nimport { Transient } from 'stratal/di'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from '../auth.tokens'\nimport { getErrorHandlerConfig } from '../utils'\n\n/**\n * AuthService\n *\n * Base authentication service using Better Auth.\n * Configured via AuthModule.forRootAsync() from the application layer.\n *\n * **Extensibility:**\n * Extend this class in application layer to add custom methods.\n *\n * @example\n * ```typescript\n * @Transient(AUTH_SERVICE)\n * export class AppAuthService extends AuthService<AuthOptions> {\n * async signInMagicLink(email: string) {\n * return wrapBetterAuth(async () => {\n * return this.auth.api.signInMagicLink({ body: { email }, headers: new Headers() })\n * })\n * }\n * }\n * ```\n */\n@Transient(AUTH_SERVICE)\nexport class AuthService<TOptions extends BetterAuthOptions = BetterAuthOptions> {\n private authInstance: Auth<TOptions>\n\n constructor(\n @inject(AUTH_OPTIONS) protected readonly options: TOptions\n ) {\n this.authInstance = betterAuth({\n ...this.options,\n onAPIError: getErrorHandlerConfig()\n }) as Auth<TOptions>\n }\n\n /**\n * Get the Better Auth instance\n */\n get auth(): Auth<TOptions> {\n return this.authInstance\n }\n}\n","/**\n * Auth Module\n *\n * Provides configurable authentication using Better Auth.\n * Use `forRootAsync` to configure Better Auth options from the application layer.\n *\n * Optionally pass `accessControl` to enable permission-based authorization.\n * This auto-adds the Stratal AC plugin to Better Auth and registers `AccessService`.\n *\n * @example Without access control\n * ```typescript\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database, CONFIG_TOKENS.ConfigService],\n * useFactory: (db, config) => createAuthOptions(db, config)\n * })\n * ]\n * })\n * export class AppModule {}\n * ```\n *\n * @example With access control\n * ```typescript\n * import { createAccessControl } from '@stratal/framework/access-control'\n * import { admin } from 'better-auth/plugins'\n *\n * const permissions = createAccessControl({\n * resources: { posts: ['create', 'read', 'update', 'delete'] } as const,\n * roles: { admin: { posts: ['create', 'read', 'update', 'delete'] }, user: { posts: ['read'] } },\n * })\n *\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database],\n * useFactory: (db) => ({\n * database: ...,\n * plugins: [admin({ ...permissions })],\n * }),\n * accessControl: permissions,\n * })\n * ]\n * })\n * ```\n */\n\nimport type { BetterAuthOptions } from 'better-auth'\nimport { I18nModule } from 'stratal/i18n'\nimport type { AsyncModuleOptions, DynamicModule } from 'stratal/module'\nimport { Module } from 'stratal/module'\nimport type { RouteConfigurable, Router } from 'stratal/router'\nimport { createStratalAcPlugin } from '../access-control/plugin'\nimport { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AccessControlOptions } from '../access-control/types'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from './auth.tokens'\nimport { authMessages } from './i18n'\nimport { AuthContextMiddleware } from './middleware/auth-context.middleware'\nimport { SessionVerificationMiddleware } from './middleware/session-verification.middleware'\nimport { AuthService } from './services/auth.service'\n\nexport interface AuthModuleAsyncOptions<TOptions extends BetterAuthOptions = BetterAuthOptions>\n extends AsyncModuleOptions<TOptions> {\n /**\n * Optional access control configuration.\n * When provided, registers AccessService and auto-adds the Stratal AC plugin to Better Auth.\n */\n accessControl?: AccessControlOptions\n}\n\n@Module({\n imports: [\n I18nModule.registerMessages(authMessages),\n ],\n providers: []\n})\nexport class AuthModule implements RouteConfigurable {\n /**\n * Configure auth middleware globally.\n *\n * Registers middlewares in order:\n * 1. AuthContextMiddleware - Creates and registers AuthContext in request container\n * 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId + role\n */\n configureRoutes(router: Router): void {\n router.use(AuthContextMiddleware, SessionVerificationMiddleware)\n }\n\n /**\n * Configure AuthModule with async options factory.\n * Optionally provide `accessControl` to enable permission-based authorization.\n */\n static forRootAsync<TOptions extends BetterAuthOptions>(\n options: AuthModuleAsyncOptions<TOptions>\n ): DynamicModule {\n const { accessControl } = options\n\n const authOptionsProvider = accessControl\n ? {\n provide: AUTH_OPTIONS,\n useFactory: (...deps: unknown[]) => {\n const raw = (options.useFactory as (...args: unknown[]) => TOptions)(...deps) as BetterAuthOptions\n return {\n ...raw,\n plugins: [createStratalAcPlugin(accessControl), ...(raw.plugins ?? [])],\n }\n },\n inject: options.inject,\n }\n : {\n provide: AUTH_OPTIONS,\n useFactory: options.useFactory,\n inject: options.inject,\n }\n\n return {\n module: AuthModule,\n providers: [\n authOptionsProvider,\n {\n provide: AUTH_SERVICE,\n useClass: AuthService,\n },\n ...(accessControl\n ? [\n { provide: AC_TOKENS.Options, useValue: accessControl as unknown as object },\n { provide: AC_TOKENS.AccessService, useClass: AccessService },\n ]\n : []),\n ],\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;AACA,MAAa,eAAe,OAAO,IAAI,uBAAuB;;AAG9D,MAAa,eAAe,OAAO,IAAI,uBAAuB;;;ACJ9D,MAAa,eAAe,EAC1B,IAAI,EACF,MAAM;CACJ,QAAQ;EACN,eAAe;EACf,cAAc;EACd,oBAAoB;EACpB,cAAc;EACd,oBAAoB;EACpB,iBAAiB;EACjB,cAAc;EACd,gBAAgB;EAChB,kBAAkB;EAClB,kBAAkB;EAClB,iBAAiB;EACjB,sBAAsB;EACtB,oBAAoB;EACpB,uBAAuB;EACvB,oBAAoB;EACpB,oBAAoB;EACpB,qBAAqB;EACrB,qBAAqB;EACrB,kBAAkB;EAClB,mBAAmB;EACnB,iBAAiB;EACjB,2BAA2B;EAC3B,yBAAyB;EACzB,wBAAwB;EACxB,sBAAsB;EACtB,cAAc;EACd,oBAAoB;EACpB,eAAe;EACf,kBAAkB;EAClB,sBAAsB;EACtB,eAAe;EACf,cAAc;EACf;CACD,KAAK;EACH,sBAAsB;EACtB,gBAAgB;EAChB,oBAAoB;EACpB,kBAAkB;EAClB,6BAA6B;EAC7B,UAAU;EACV,cAAc;EACd,iBAAiB;EACjB,cAAc;EACd,cAAc;EACf;CACF,EACF,EACF;;;ACvCM,IAAA,wBAAA,MAAM,sBAA4C;CACvD,MAAM,OAAO,KAAoB,MAA2B;EAC1D,MAAM,mBAAmB,IAAI,cAAc;EAE3C,MAAM,cAAc,IAAI,aAAa;AACrC,mBAAiB,cAAc,UAAU,aAAa,YAAY;AAElE,SAAO,MAAM;;;oCARhB,WAAW,CAAA,EAAA,sBAAA;;;ACQL,IAAA,gCAAA,MAAM,8BAAoD;CAC/D,YACE,aAEA,QACA;AAFiB,OAAA,cAAA;AAC4B,OAAA,SAAA;;CAG/C,MAAM,OAAO,KAAoB,MAA2B;AAC1D,MAAI;GACF,MAAM,UAAU,MAAM,KAAK,YAAY,KAAK,IAAI,WAAW,EACzD,SAAS,IAAI,EAAE,IAAI,IAAI,SACxB,CAAC;AAEF,OAAI,QACkB,KAAI,cAAc,CAAC,QAAqB,UAAU,YAC3D,CAAC,eAAe;IACzB,QAAQ,QAAQ,KAAK;IACrB,MAAO,QAAQ,KAAiC;IACjD,CAAC;WAEG,OAAgB;AACvB,QAAK,OAAO,MAAM,uDAAuD,EAAE,OAAO,CAAC;;AAGrF,SAAO,MAAM;;;;CAzBhB,WAAW;oBAGPA,SAAO,aAAa,CAAA;oBAEpBA,SAAO,cAAc,cAAc,CAAA;;;;;ACrBxC,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,YAAY,OAAgB;AAC1B,QAAM,4BAA4B,YAAY,SAAS,WAAW,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAIpG,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;AACZ,QAAM,kCAAkC,YAAY,KAAK,oBAAoB;;;AAIjF,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,cAAc;AACZ,QAAM,+BAA+B,YAAY,KAAK,oBAAoB;;;AAI9E,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,YAAY,OAAgB;AAC1B,QAAM,4BAA4B,YAAY,WAAW,gBAAgB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAI3G,IAAa,sBAAb,cAAyC,iBAAiB;CACxD,cAAc;AACZ,QAAM,8BAA8B,YAAY,KAAK,gBAAgB;;;AAIzE,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,OAAgB;AAC1B,QAAM,gCAAgC,YAAY,KAAK,oBAAoB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAI7G,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,WAAmB;AAC7B,QAAM,gCAAgC,YAAY,KAAK,oBAAoB,EAAE,WAAW,CAAC;;;AAI7F,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,YAAY,WAAmB;AAC7B,QAAM,+BAA+B,YAAY,KAAK,mBAAmB,EAAE,WAAW,CAAC;;;AAI3F,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,YAAY,OAAgB;AAC1B,QAAM,oCAAoC,YAAY,KAAK,wBAAwB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAIrH,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;AAC3B,QAAM,kCAAkC,YAAY,KAAK,uBAAuB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIpH,IAAa,6BAAb,cAAgD,iBAAiB;CAC/D,YAAY,QAAiB;AAC3B,QAAM,qCAAqC,YAAY,KAAK,0BAA0B,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI1H,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;AAC3B,QAAM,kCAAkC,YAAY,KAAK,uBAAuB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIpH,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,YAAY,UAAmB;AAC7B,QAAM,mCAAmC,YAAY,KAAK,uBAAuB,WAAW,EAAE,UAAU,GAAG,KAAA,EAAU;;;AAIzH,IAAa,+BAAb,cAAkD,iBAAiB;CACjE,cAAc;AACZ,QAAM,uCAAuC,YAAY,KAAK,2BAA2B;;;AAI7F,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,UAAmB;AAC7B,QAAM,gCAAgC,YAAY,SAAS,WAAW,WAAW,EAAE,UAAU,GAAG,KAAA,EAAU;;;AAI9G,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,cAAc;AACZ,QAAM,iCAAiC,YAAY,SAAS,UAAU;;;AAI1E,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,cAAc;AACZ,QAAM,+BAA+B,YAAY,SAAS,UAAU;;;AAIxE,IAAa,iCAAb,cAAoD,iBAAiB;CACnE,cAAc;AACZ,QAAM,yCAAyC,YAAY,SAAS,UAAU;;;AAIlF,IAAa,8BAAb,cAAiD,iBAAiB;CAChE,cAAc;AACZ,QAAM,sCAAsC,YAAY,SAAS,SAAS;;;AAI9E,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,YAAY,QAAiB;AAC3B,QAAM,oCAAoC,YAAY,WAAW,SAAS,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI9G,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;AAC3B,QAAM,kCAAkC,YAAY,OAAO,gBAAgB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI/G,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,YAAY,QAAiB;AAC3B,QAAM,mCAAmC,YAAY,OAAO,gBAAgB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIhH,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,cAAc;AACZ,QAAM,4BAA4B,YAAY,WAAW,QAAQ;;;AAIrE,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,cAAc;AACZ,QAAM,4BAA4B,YAAY,WAAW,QAAQ;;;AAIrE,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;AACZ,QAAM,kCAAkC,YAAY,WAAW,eAAe;;;AAIlF,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;AACZ,QAAM,6BAA6B,YAAY,MAAM,UAAU;;;AAInE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QAAM,gCAAgC,YAAY,WAAW,QAAQ;;;AAIzE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QAAM,oCAAoC,YAAY,SAAS,SAAS;;;AAI5E,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;AACZ,QAAM,6BAA6B,YAAY,WAAW,eAAe;;;AAI7E,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,YAAY,WAAoB;AAC9B,QAAM,4BAA4B,YAAY,OAAO,gBAAgB,YAAY,EAAE,WAAW,GAAG,KAAA,EAAU;;;;;AChL/G,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,cAAc;AACZ,QAAM,4BAA4B,YAAY,KAAK,cAAc;;;;;ACFrE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QAAM,iCAAiC,YAAY,KAAK,uBAAuB;;;AAInF,IAAa,kCAAb,cAAqD,iBAAiB;CACpE,cAAc;AACZ,QAAM,2BAA2B,YAAY,KAAK,iBAAiB;;;AAIvE,IAAa,sCAAb,cAAyD,iBAAiB;CACxE,cAAc;AACZ,QAAM,+BAA+B,YAAY,KAAK,qBAAqB;;;AAI/E,IAAa,oCAAb,cAAuD,iBAAiB;CACtE,cAAc;AACZ,QAAM,6BAA6B,YAAY,MAAM,UAAU;;;AAInE,IAAa,+CAAb,cAAkE,iBAAiB;CACjF,cAAc;AACZ,QAAM,wCAAwC,YAAY,KAAK,8BAA8B;;;AAIjG,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QAAM,qBAAqB,YAAY,SAAS,SAAS;;;AAI7D,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;AACZ,QAAM,yBAAyB,YAAY,KAAK,2BAA2B;;;AAI/E,IAAa,8BAAb,cAAiD,iBAAiB;CAChE,cAAc;AACZ,QAAM,4BAA4B,YAAY,KAAK,iCAAiC;;;AAIxF,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;AACZ,QAAM,yBAAyB,YAAY,SAAS,UAAU;;;AAIlE,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;AACZ,QAAM,yBAAyB,YAAY,SAAS,UAAU;;;;;ACxDlE,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;AACZ,QAAM,6BAA6B,YAAY,WAAW,gBAAgB,EAAE,OAAO,SAAS,CAAC;;;;;ACFjG,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;AACZ,QAAM,kCAAkC,YAAY,KAAK,oBAAoB;;;;;;;;AC6CjF,SAAgB,mBAAmB,OAAmC;CACpE,MAAM,YAAY,MAAM,MAAM;AAE9B,KAAI,MAAM,WAAW,SAAS;EAE5B,MAAM,WADU,MAAM,QACG,IAAI,WAAW,IAAI;AAE5C,MAAI,SAAS,SAAS,gBAAgB,CAAE,QAAO,IAAI,mBAAmB;AACtE,MAAI,SAAS,SAAS,gBAAgB,CAAE,QAAO,IAAI,mBAAmB;AACtE,MAAI,SAAS,SAAS,oBAAoB,CAAE,QAAO,IAAI,mBAAmB;AAC1E,MAAI,SAAS,SAAS,2BAA2B,CAAE,QAAO,IAAI,mBAAmB;AACjF,MAAI,SAAS,SAAS,wBAAwB,CAAE,QAAO,IAAI,yBAAyB;AACpF,MAAI,SAAS,SAAS,2BAA2B,CAAE,QAAO,IAAI,4BAA4B;;AAG5F,KAAI,CAAC,UACH,QAAO,IAAI,wBAAwB;AAMrC,KAAI,cAAc,oBAAoB,cAAc,eAAgB,QAAO,IAAI,mBAAmB;AAClG,KAAI,cAAc,uBAAwB,QAAO,IAAI,wBAAwB;AAG7E,KAAI,cAAc,4BAA6B,QAAO,IAAI,yBAAyB;AACnF,KAAI,cAAc,mBAAoB,QAAO,IAAI,sBAAsB;AACvE,KAAI,cAAc,gBAAiB,QAAO,IAAI,mBAAmB;AAGjE,KAAI,cAAc,qBAAqB,cAAc,oBAAqB,QAAO,IAAI,qBAAqB;AAC1G,KAAI,cAAc,2BAA4B,QAAO,IAAI,4BAA4B;AACrF,KAAI,cAAc,wBAAyB,QAAO,IAAI,yBAAyB;AAG/E,KAAI,cAAc,qBAAsB,QAAO,IAAI,uBAAuB;AAC1E,KAAI,cAAc,2BAA4B,QAAO,IAAI,2BAA2B;AACpF,KAAI,cAAc,yBAA0B,QAAO,IAAI,2BAA2B;AAClF,KAAI,cAAc,iBAAkB,QAAO,IAAI,oBAAoB;AAGnE,KAAI,cAAc,qBAAsB,QAAO,IAAI,sBAAsB,EAAE;AAC3E,KAAI,cAAc,oBAAqB,QAAO,IAAI,qBAAqB,IAAI;AAG3E,KAAI,cAAc,yBAAyB,cAAc,wCACvD,QAAO,IAAI,2BAA2B;AAExC,KAAI,cAAc,oBAAqB,QAAO,IAAI,sBAAsB;AACxE,KAAI,cAAc,+BAAgC,QAAO,IAAI,gCAAgC;AAC7F,KAAI,cAAc,gCAAiC,QAAO,IAAI,8BAA8B;AAG5F,KAAI,cAAc,wBAAyB,QAAO,IAAI,yBAAyB;AAC/E,KAAI,cAAc,wBAAyB,QAAO,IAAI,yBAAyB;AAC/E,KAAI,cAAc,0BAA2B,QAAO,IAAI,0BAA0B;AAGlF,KAAI,cAAc,mCAAmC,cAAc,gCACjE,QAAO,IAAI,0BAA0B;AAEvC,KAAI,cAAc,qBAAsB,QAAO,IAAI,uBAAuB;AAG1E,KAAI,cAAc,yBAA0B,QAAO,IAAI,0BAA0B;AACjF,KAAI,cAAc,gBAAiB,QAAO,IAAI,mBAAmB;AACjE,KAAI,cAAc,gBAAiB,QAAO,IAAI,mBAAmB;AAGjE,KAAI,cAAc,+BAA+B,cAAc,uBAC7D,QAAO,IAAI,6BAA6B;AAI1C,KACE,cAAc,0BACX,cAAc,0BACd,cAAc,mCACd,cAAc,gCACd,cAAc,wBAEjB,QAAO,IAAI,yBAAyB;AAItC,KACE,cAAc,oBACX,cAAc,4BACd,cAAc,sCAEjB,QAAO,IAAI,oBAAoB;AAIjC,KACE,cAAc,sBACX,cAAc,mBACd,cAAc,uBACd,cAAc,4BACd,cAAc,oCACd,cAAc,4CAEjB,QAAO,IAAI,2BAA2B;AAIxC,KAAI,cAAc,mCAAmC,cAAc,iCACjE,QAAO,IAAI,4BAA4B;AAMzC,KAAI,cAAc,4BAA4B,cAAc,yBAC1D,QAAO,IAAI,2BAA2B;AAIxC,KACE,cAAc,sBACX,cAAc,8CACd,cAAc,mCAEjB,QAAO,IAAI,iCAAiC;AAI9C,KAAI,cAAc,0BAA0B,cAAc,gCACxD,QAAO,IAAI,qCAAqC;AAIlD,KACE,cAAc,iDACX,cAAc,uEAEjB,QAAO,IAAI,8CAA8C;AAI3D,KAAI,cAAc,oBAAoB,cAAc,iCAClD,QAAO,IAAI,+BAA+B;AAI5C,KAAI,cAAc,oBAAoB,cAAc,mBAClD,QAAO,IAAI,+BAA+B;AAI5C,KACE,cAAc,iCACX,cAAc,qCACd,cAAc,mDACd,cAAc,kDACd,cAAc,yBACd,cAAc,6BAEjB,QAAO,IAAI,2BAA2B;AAIxC,KACE,cAAc,0DACX,cAAc,kDACd,cAAc,2CACd,cAAc,8BACd,cAAc,+BACd,cAAc,iBAEjB,QAAO,IAAI,+BAA+B;AAI5C,KACE,cAAc,yDACX,cAAc,wDACd,cAAc,gCACd,cAAc,sCACd,cAAc,iCACd,cAAc,mCACd,cAAc,6BACd,cAAc,gCACd,cAAc,oDAEjB,QAAO,IAAI,6BAA6B;AAI1C,KACE,UAAU,WAAW,0BAA0B,IAC5C,cAAc,+CACd,cAAc,iDACd,cAAc,qDACd,cAAc,sBAEjB,QAAO,IAAI,mCAAmC;AAIhD,QAAO,IAAI,uBAAuB,UAAU;;;;;;;AAQ9C,SAAgB,WAAW,OAAmC;AAC5D,KAAI,iBAAiB,SAAU,QAAO;AAEtC,QACE,iBAAiB,SACd,MAAM,SAAS,cACf,YAAY,SACZ,gBAAgB;;;;;;;;AClQvB,SAAgB,wBAAyD;AACvE,QAAO;EACL,OAAO;EACP,UAAU,UAAU;AAClB,OAAI,WAAW,MAAM,CACnB,OAAM,mBAAmB,MAAM;AAEjC,SAAM;;EAET;;;;;AAMH,MAAa,iBAAiB,OAAU,OAAqC;AAC3E,KAAI;AACF,SAAO,MAAM,IAAI;UACV,OAAO;AACd,MAAI,WAAW,MAAM,CACnB,OAAM,mBAAmB,MAAM;AAEjC,QAAM;;;;;ACAH,IAAA,cAAA,MAAM,YAAoE;CAC/E;CAEA,YACE,SACA;AADyC,OAAA,UAAA;AAEzC,OAAK,eAAe,WAAW;GAC7B,GAAG,KAAK;GACR,YAAY,uBAAuB;GACpC,CAAC;;;;;CAMJ,IAAI,OAAuB;AACzB,SAAO,KAAK;;;;CAjBf,UAAU,aAAa;oBAKnBC,SAAO,aAAa,CAAA;;;;;;AC4ClB,IAAA,aAAA,cAAA,MAAM,WAAwC;;;;;;;;CAQnD,gBAAgB,QAAsB;AACpC,SAAO,IAAI,uBAAuB,8BAA8B;;;;;;CAOlE,OAAO,aACL,SACe;EACf,MAAM,EAAE,kBAAkB;EAE1B,MAAM,sBAAsB,gBACxB;GACA,SAAS;GACT,aAAa,GAAG,SAAoB;IAClC,MAAM,MAAO,QAAQ,WAAgD,GAAG,KAAK;AAC7E,WAAO;KACL,GAAG;KACH,SAAS,CAAC,sBAAsB,cAAc,EAAE,GAAI,IAAI,WAAW,EAAE,CAAE;KACxE;;GAEH,QAAQ,QAAQ;GACjB,GACC;GACA,SAAS;GACT,YAAY,QAAQ;GACpB,QAAQ,QAAQ;GACjB;AAEH,SAAO;GACL,QAAA;GACA,WAAW;IACT;IACA;KACE,SAAS;KACT,UAAU;KACX;IACD,GAAI,gBACA,CACA;KAAE,SAAS,UAAU;KAAS,UAAU;KAAoC,EAC5E;KAAE,SAAS,UAAU;KAAe,UAAU;KAAe,CAC9D,GACC,EAAE;IACP;GACF;;;uCA5DJ,OAAO;CACN,SAAS,CACP,WAAW,iBAAiB,aAAa,CAC1C;CACD,WAAW,EAAE;CACd,CAAC,CAAA,EAAA,WAAA"}
|
|
1
|
+
{"version":3,"file":"index.mjs","names":["inject","inject"],"sources":["../../src/auth/auth.tokens.ts","../../src/auth/i18n/en.ts","../../src/auth/middleware/auth-context.middleware.ts","../../src/auth/middleware/session-verification.middleware.ts","../../src/auth/rate-limit-bridge.ts","../../src/auth/errors/auth-errors.ts","../../src/auth/errors/invalid-token.error.ts","../../src/auth/errors/organization-errors.ts","../../src/auth/errors/token-required.error.ts","../../src/auth/errors/verification-failed.error.ts","../../src/auth/utils/better-auth-error-handler.ts","../../src/auth/utils/auth-helpers.ts","../../src/auth/services/auth.service.ts","../../src/auth/auth.module.ts"],"sourcesContent":["/** Token for AuthService - core authentication service */\nexport const AUTH_SERVICE = Symbol.for('stratal:auth:service')\n\n/** Token for Better Auth options configuration */\nexport const AUTH_OPTIONS = Symbol.for('stratal:auth:options')\n","export const authMessages = {\n en: {\n auth: {\n errors: {\n tokenRequired: 'Verification token is required',\n invalidToken: 'Invalid or expired verification token',\n verificationFailed: 'Verification failed. Please try again.',\n userNotFound: 'User not found. Please check your credentials.',\n invalidCredentials: 'Invalid email or password',\n invalidPassword: 'Invalid password',\n invalidEmail: 'Invalid email address',\n sessionExpired: 'Your session has expired. Please sign in again.',\n emailNotVerified: 'Please verify your email address before signing in',\n passwordTooShort: 'Password must be at least {minLength} characters',\n passwordTooLong: 'Password must be at most {maxLength} characters',\n accountAlreadyExists: 'An account with this email already exists',\n failedToCreateUser: 'Failed to create user account. Please try again.',\n failedToCreateSession: 'Failed to create session. Please try again.',\n failedToGetSession: 'Failed to retrieve session. Please try again.',\n failedToUpdateUser: 'Failed to update user information. Please try again.',\n failedToGetUserInfo: 'Failed to retrieve user information. Please try again.',\n socialAccountLinked: 'This social account is already linked to another user',\n providerNotFound: 'Authentication provider not found',\n userEmailNotFound: 'User email address not found',\n accountNotFound: 'Account not found',\n credentialAccountNotFound: 'Credential account not found',\n cannotUnlinkLastAccount: 'Cannot unlink your last account',\n userAlreadyHasPassword: 'User already has a password set',\n emailCannotBeUpdated: 'Email address cannot be updated at this time',\n tokenExpired: 'The verification token has expired. Please request a new verification email.',\n invalidCallbackUrl: 'Invalid callback URL',\n invalidOrigin: 'Request origin is not allowed',\n validationFailed: 'Authentication validation failed',\n emailAlreadyVerified: 'Email address is already verified',\n emailMismatch: 'Email address does not match',\n unknownError: 'An authentication error occurred',\n },\n org: {\n organizationNotFound: 'Organization not found',\n memberNotFound: 'Member not found',\n invitationNotFound: 'Invitation not found',\n permissionDenied: 'You do not have permission to perform this action',\n invitationRecipientMismatch: 'You are not the recipient of this invitation',\n conflict: 'A resource with this identifier already exists',\n limitReached: 'The maximum limit has been reached',\n membershipError: 'This action cannot be performed due to membership constraints',\n teamNotFound: 'Team not found',\n roleNotFound: 'Role not found',\n },\n },\n },\n} as const\n\ndeclare module 'stratal/i18n' {\n interface AppMessageNamespaces {\n auth: typeof authMessages['en']['auth']\n }\n}\n","import { DI_TOKENS, Transient } from 'stratal/di'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { AuthContext } from '../../context/auth-context'\n\n/**\n * Auth Context Middleware\n *\n * Registers AuthContext in the request container at the start of each request.\n * This MUST run before SessionVerificationMiddleware and any other middleware\n * that depends on AuthContext.\n */\n@Transient()\nexport class AuthContextMiddleware implements Middleware {\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n const requestContainer = ctx.getContainer()\n\n const authContext = new AuthContext()\n requestContainer.registerValue(DI_TOKENS.AuthContext, authContext)\n\n return next()\n }\n}\n","import { DI_TOKENS, Transient } from 'stratal/di'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { Middleware, Next, RouterContext } from 'stratal/router'\nimport { inject } from 'tsyringe'\nimport { type AuthContext } from '../../context/auth-context'\nimport { AUTH_SERVICE } from '../auth.tokens'\nimport type { AuthService } from '../services/auth.service'\n\n/**\n * Session Verification Middleware\n *\n * Verifies user session via Better Auth and populates AuthContext with\n * the authenticated user.\n *\n * **Responsibilities:**\n * - Calls Better Auth's getSession() API\n * - Populates AuthContext with the user record if the session is valid\n * - Continues request chain regardless of session status\n */\n@Transient()\nexport class SessionVerificationMiddleware implements Middleware {\n constructor(\n @inject(AUTH_SERVICE)\n private readonly authService: AuthService,\n @inject(LOGGER_TOKENS.LoggerService) private logger: LoggerService\n ) { }\n\n async handle(ctx: RouterContext, next: Next): Promise<void> {\n try {\n const result = await this.authService.auth.api.getSession({\n headers: ctx.c.req.raw.headers\n })\n\n if (result) {\n const authContext = ctx.getContainer().resolve<AuthContext>(DI_TOKENS.AuthContext)\n authContext.setAuthContext({\n user: result.user,\n })\n }\n } catch (error: unknown) {\n this.logger.debug('Session validation failed (e.g., invalidated in DB)', { error })\n }\n\n return next()\n }\n}\n","/**\n * Rate-limit bridge between Stratal's `RateLimiterModule` and better-auth.\n *\n * Importing this file (transitively, via `auth.module.ts`) does two things:\n *\n * 1. Augments `RateLimiterRegistry` with `forPath()` + `pathEntries()` via\n * Stratal's `Macroable`. Path-keyed rules registered on the same registry\n * used for Stratal's own throttling are projected into better-auth's\n * `customRules` by {@link projectCustomRules}.\n * 2. Exports {@link createBetterAuthRateLimitStorage} — adapts Stratal's\n * {@link IRateLimiterStore} into better-auth's `customStorage`, so both\n * systems share one backing store.\n *\n * `AuthModule.forRootAsync` wires both automatically when `RateLimiterModule`\n * is imported. Users with explicit `rateLimit.customStorage` /\n * `rateLimit.customRules` keys in their auth factory keep precedence.\n *\n * Frictions, documented for path-keyed entries:\n *\n * - `Limit.by(...)` is meaningless. Better-auth scopes per-IP+path.\n * - Multiple `Limit`s reduce to the most restrictive (smallest max-per-second).\n * - `Limit.none()` projects to `false` (better-auth's \"disable\" sentinel).\n * - `Limit.response(...)` is a no-op. Better-auth renders its own 429.\n * - Snapshot caveat: `customRules` is built once at AuthService construction,\n * so register all `forPath()` entries inside `OnInitialize` hooks.\n */\nimport { type IRateLimiterStore, type Limit, RateLimiterRegistry } from 'stratal/rate-limiter'\n\n/**\n * Resolver attached to a path-keyed limiter entry. Receives the native\n * `Request` (better-auth's customRules invokes us with the live Request)\n * and returns one or more `Limit`s. Async is supported.\n */\nexport type PathLimitResolver = (\n req: Request,\n) => Limit | Limit[] | Promise<Limit | Limit[]>\n\ninterface BetterAuthRateLimit {\n key: string\n count: number\n lastRequest: number\n}\n\ninterface BetterAuthRateLimitRule {\n window: number\n max: number\n}\n\ntype BetterAuthCustomRule =\n | BetterAuthRateLimitRule\n | false\n | ((req: Request) => Promise<BetterAuthRateLimitRule | false>)\n\n// Per-instance path map — keyed by registry so we don't pin GC roots.\nconst pathResolvers = new WeakMap<RateLimiterRegistry, Map<string, PathLimitResolver>>()\n\nfunction getOrCreatePathMap(registry: RateLimiterRegistry): Map<string, PathLimitResolver> {\n let map = pathResolvers.get(registry)\n if (!map) {\n map = new Map()\n pathResolvers.set(registry, map)\n }\n return map\n}\n\nRateLimiterRegistry.macro('forPath', function (\n this: RateLimiterRegistry,\n path: string,\n resolver: PathLimitResolver,\n): void {\n getOrCreatePathMap(this).set(path, resolver)\n})\n\nRateLimiterRegistry.macro('pathEntries', function (\n this: RateLimiterRegistry,\n): IterableIterator<[string, PathLimitResolver]> {\n return (pathResolvers.get(this) ?? new Map<string, PathLimitResolver>()).entries()\n})\n\ndeclare module 'stratal/rate-limiter' {\n interface RateLimiterRegistry {\n /**\n * Register a rate-limit rule for a better-auth path pattern. The rule\n * is projected into better-auth's `rateLimit.customRules` automatically\n * when both modules are imported.\n *\n * @example\n * limiter.forPath('/sign-in/email', () => Limit.perSeconds(10, 3))\n * limiter.forPath('/two-factor/*', async (req) => { ... })\n * limiter.forPath('/forget-password', () => Limit.none())\n */\n forPath(path: string, resolver: PathLimitResolver): void\n\n /**\n * Iterate every path-keyed entry registered via `forPath`. Used by the\n * auth bridge to project entries into better-auth's `customRules`.\n */\n pathEntries(): IterableIterator<[string, PathLimitResolver]>\n }\n}\n\n// Better-auth manages window expiry itself by reading `lastRequest`. We still\n// need a TTL on the underlying KV so dead records don't accumulate. 1 day\n// covers any reasonable better-auth window without colliding with the next.\nconst BETTER_AUTH_TTL_SECONDS = 86_400\nconst BETTER_AUTH_KEY_PREFIX = 'ba-rl:'\n\n/**\n * Adapt Stratal's `IRateLimiterStore` into better-auth's `customStorage` shape.\n * Better-auth supplies its own `RateLimit` records (`{ key, count, lastRequest }`);\n * the adapter just persists them under a separate key namespace.\n */\nexport function createBetterAuthRateLimitStorage(store: IRateLimiterStore): {\n get: (key: string) => Promise<BetterAuthRateLimit | null>\n set: (key: string, value: BetterAuthRateLimit, update?: boolean) => Promise<void>\n} {\n return {\n async get(key) {\n return await store.get<BetterAuthRateLimit>(`${BETTER_AUTH_KEY_PREFIX}${key}`)\n },\n async set(key, value, _update) {\n await store.set(`${BETTER_AUTH_KEY_PREFIX}${key}`, value, BETTER_AUTH_TTL_SECONDS)\n },\n }\n}\n\n/**\n * Project every `forPath` entry on the registry into better-auth's\n * `customRules` shape. Each entry becomes an async function that resolves\n * the user's `Limit`(s) and reduces them to a single `{ window, max }` pair\n * (or `false` for `Limit.none()`).\n *\n * Multi-`Limit` reduction picks the most restrictive — smallest\n * `max / windowSeconds` ratio; ties favour the first.\n */\nexport function projectCustomRules(\n registry: RateLimiterRegistry,\n): Record<string, BetterAuthCustomRule> {\n const rules: Record<string, BetterAuthCustomRule> = {}\n\n for (const [path, resolver] of registry.pathEntries()) {\n rules[path] = async (req: Request): Promise<BetterAuthRateLimitRule | false> => {\n const resolved = await resolver(req)\n const candidates = (Array.isArray(resolved) ? resolved : [resolved]).filter((l) => !l.disabled)\n if (candidates.length === 0) return false\n\n const chosen = candidates.reduce((a, b) =>\n a.max / a.windowSeconds <= b.max / b.windowSeconds ? a : b,\n )\n\n return { window: chosen.windowSeconds, max: chosen.max }\n }\n }\n\n return rules\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotFoundError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.userNotFound', ERROR_CODES.RESOURCE.NOT_FOUND, email ? { email } : undefined)\n }\n}\n\nexport class InvalidCredentialsError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidCredentials', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n\nexport class InvalidPasswordError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidPassword', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n\nexport class InvalidEmailError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.invalidEmail', ERROR_CODES.VALIDATION.INVALID_FORMAT, email ? { email } : undefined)\n }\n}\n\nexport class SessionExpiredError extends ApplicationError {\n constructor() {\n super('auth.errors.sessionExpired', ERROR_CODES.AUTH.SESSION_EXPIRED)\n }\n}\n\nexport class EmailNotVerifiedError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.emailNotVerified', ERROR_CODES.AUTH.EMAIL_NOT_VERIFIED, email ? { email } : undefined)\n }\n}\n\nexport class PasswordTooShortError extends ApplicationError {\n constructor(minLength: number) {\n super('auth.errors.passwordTooShort', ERROR_CODES.AUTH.PASSWORD_TOO_SHORT, { minLength })\n }\n}\n\nexport class PasswordTooLongError extends ApplicationError {\n constructor(maxLength: number) {\n super('auth.errors.passwordTooLong', ERROR_CODES.AUTH.PASSWORD_TOO_LONG, { maxLength })\n }\n}\n\nexport class AccountAlreadyExistsError extends ApplicationError {\n constructor(email?: string) {\n super('auth.errors.accountAlreadyExists', ERROR_CODES.AUTH.ACCOUNT_ALREADY_EXISTS, email ? { email } : undefined)\n }\n}\n\nexport class FailedToCreateUserError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToCreateUser', ERROR_CODES.AUTH.FAILED_TO_CREATE_USER, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToCreateSessionError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToCreateSession', ERROR_CODES.AUTH.FAILED_TO_CREATE_SESSION, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToUpdateUserError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToUpdateUser', ERROR_CODES.AUTH.FAILED_TO_UPDATE_USER, reason ? { reason } : undefined)\n }\n}\n\nexport class SocialAccountLinkedError extends ApplicationError {\n constructor(provider?: string) {\n super('auth.errors.socialAccountLinked', ERROR_CODES.AUTH.SOCIAL_ACCOUNT_LINKED, provider ? { provider } : undefined)\n }\n}\n\nexport class CannotUnlinkLastAccountError extends ApplicationError {\n constructor() {\n super('auth.errors.cannotUnlinkLastAccount', ERROR_CODES.AUTH.CANNOT_UNLINK_LAST_ACCOUNT)\n }\n}\n\nexport class ProviderNotFoundError extends ApplicationError {\n constructor(provider?: string) {\n super('auth.errors.providerNotFound', ERROR_CODES.RESOURCE.NOT_FOUND, provider ? { provider } : undefined)\n }\n}\n\nexport class UserEmailNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.userEmailNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class AccountNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.accountNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class CredentialAccountNotFoundError extends ApplicationError {\n constructor() {\n super('auth.errors.credentialAccountNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class UserAlreadyHasPasswordError extends ApplicationError {\n constructor() {\n super('auth.errors.userAlreadyHasPassword', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class EmailCannotBeUpdatedError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.emailCannotBeUpdated', ERROR_CODES.VALIDATION.GENERIC, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToGetSessionError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToGetSession', ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : undefined)\n }\n}\n\nexport class FailedToGetUserInfoError extends ApplicationError {\n constructor(reason?: string) {\n super('auth.errors.failedToGetUserInfo', ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : undefined)\n }\n}\n\nexport class IdTokenNotSupportedError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidToken', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class TokenExpiredError extends ApplicationError {\n constructor() {\n super('auth.errors.tokenExpired', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class InvalidCallbackUrlError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidCallbackUrl', ERROR_CODES.VALIDATION.INVALID_FORMAT)\n }\n}\n\nexport class InvalidOriginError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidOrigin', ERROR_CODES.AUTHZ.FORBIDDEN)\n }\n}\n\nexport class AuthValidationFailedError extends ApplicationError {\n constructor() {\n super('auth.errors.validationFailed', ERROR_CODES.VALIDATION.GENERIC)\n }\n}\n\nexport class EmailAlreadyVerifiedError extends ApplicationError {\n constructor() {\n super('auth.errors.emailAlreadyVerified', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class EmailMismatchError extends ApplicationError {\n constructor() {\n super('auth.errors.emailMismatch', ERROR_CODES.VALIDATION.INVALID_FORMAT)\n }\n}\n\nexport class BetterAuthUnknownError extends ApplicationError {\n constructor(errorCode?: string) {\n super('auth.errors.unknownError', ERROR_CODES.SYSTEM.INTERNAL_ERROR, errorCode ? { errorCode } : undefined)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class InvalidTokenError extends ApplicationError {\n constructor() {\n super('auth.errors.invalidToken', ERROR_CODES.AUTH.INVALID_TOKEN)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class OrganizationNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.organizationNotFound', ERROR_CODES.AUTH.ORGANIZATION_NOT_FOUND)\n }\n}\n\nexport class OrganizationMemberNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.memberNotFound', ERROR_CODES.AUTH.MEMBER_NOT_FOUND)\n }\n}\n\nexport class OrganizationInvitationNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.invitationNotFound', ERROR_CODES.AUTH.INVITATION_NOT_FOUND)\n }\n}\n\nexport class OrganizationPermissionDeniedError extends ApplicationError {\n constructor() {\n super('auth.org.permissionDenied', ERROR_CODES.AUTHZ.FORBIDDEN)\n }\n}\n\nexport class OrganizationInvitationRecipientMismatchError extends ApplicationError {\n constructor() {\n super('auth.org.invitationRecipientMismatch', ERROR_CODES.AUTH.INVITATION_RECIPIENT_MISMATCH)\n }\n}\n\nexport class OrganizationConflictError extends ApplicationError {\n constructor() {\n super('auth.org.conflict', ERROR_CODES.RESOURCE.CONFLICT)\n }\n}\n\nexport class OrganizationLimitReachedError extends ApplicationError {\n constructor() {\n super('auth.org.limitReached', ERROR_CODES.AUTH.ORGANIZATION_LIMIT_REACHED)\n }\n}\n\nexport class OrganizationMembershipError extends ApplicationError {\n constructor() {\n super('auth.org.membershipError', ERROR_CODES.AUTH.ORGANIZATION_MEMBERSHIP_REQUIRED)\n }\n}\n\nexport class OrganizationTeamNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.teamNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n\nexport class OrganizationRoleNotFoundError extends ApplicationError {\n constructor() {\n super('auth.org.roleNotFound', ERROR_CODES.RESOURCE.NOT_FOUND)\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class TokenRequiredError extends ApplicationError {\n constructor() {\n super('auth.errors.tokenRequired', ERROR_CODES.VALIDATION.REQUIRED_FIELD, { field: 'token' })\n }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class VerificationFailedError extends ApplicationError {\n constructor() {\n super('auth.errors.verificationFailed', ERROR_CODES.AUTH.INVALID_CREDENTIALS)\n }\n}\n","import { APIError } from 'better-auth/api'\nimport type { ApplicationError } from 'stratal/errors'\nimport {\n AccountAlreadyExistsError,\n AccountNotFoundError,\n AuthValidationFailedError,\n BetterAuthUnknownError,\n CannotUnlinkLastAccountError,\n CredentialAccountNotFoundError,\n EmailAlreadyVerifiedError,\n EmailCannotBeUpdatedError,\n EmailMismatchError,\n EmailNotVerifiedError,\n FailedToCreateSessionError,\n FailedToCreateUserError,\n FailedToGetSessionError,\n FailedToGetUserInfoError,\n FailedToUpdateUserError,\n IdTokenNotSupportedError,\n InvalidCallbackUrlError,\n InvalidCredentialsError,\n InvalidEmailError,\n InvalidOriginError,\n InvalidPasswordError,\n InvalidTokenError,\n OrganizationConflictError,\n OrganizationInvitationNotFoundError,\n OrganizationInvitationRecipientMismatchError,\n OrganizationLimitReachedError,\n OrganizationMemberNotFoundError,\n OrganizationMembershipError,\n OrganizationNotFoundError,\n OrganizationPermissionDeniedError,\n OrganizationRoleNotFoundError,\n OrganizationTeamNotFoundError,\n PasswordTooLongError,\n PasswordTooShortError,\n ProviderNotFoundError,\n SessionExpiredError,\n SocialAccountLinkedError,\n TokenExpiredError,\n UserAlreadyHasPasswordError,\n UserEmailNotFoundError,\n UserNotFoundError,\n} from '../errors'\n\n/**\n * Maps Better Auth API error codes to ApplicationError instances.\n */\nexport function mapBetterAuthError(error: APIError): ApplicationError {\n const errorCode = error.body?.code\n\n if (error.status === 'FOUND') {\n const headers = error.headers as Headers\n const location = headers.get('location') ?? ''\n\n if (location.includes('INVALID_TOKEN')) return new InvalidTokenError()\n if (location.includes('EXPIRED_TOKEN')) return new TokenExpiredError()\n if (location.includes('ATTEMPTS_EXCEEDED')) return new InvalidTokenError()\n if (location.includes('new_user_signup_disabled')) return new UserNotFoundError()\n if (location.includes('failed_to_create_user')) return new FailedToCreateUserError()\n if (location.includes('failed_to_create_session')) return new FailedToCreateSessionError()\n }\n\n if (!errorCode) {\n return new BetterAuthUnknownError()\n }\n\n // ── Base Error Codes ──────────────────────────────────────────────────\n\n // User errors\n if (errorCode === 'USER_NOT_FOUND' || errorCode === 'INVALID_USER') return new UserNotFoundError()\n if (errorCode === 'USER_EMAIL_NOT_FOUND') return new UserEmailNotFoundError()\n\n // Credential errors\n if (errorCode === 'INVALID_EMAIL_OR_PASSWORD') return new InvalidCredentialsError()\n if (errorCode === 'INVALID_PASSWORD') return new InvalidPasswordError()\n if (errorCode === 'INVALID_EMAIL') return new InvalidEmailError()\n\n // Session errors\n if (errorCode === 'SESSION_EXPIRED' || errorCode === 'SESSION_NOT_FRESH') return new SessionExpiredError()\n if (errorCode === 'FAILED_TO_CREATE_SESSION') return new FailedToCreateSessionError()\n if (errorCode === 'FAILED_TO_GET_SESSION') return new FailedToGetSessionError()\n\n // Email verification\n if (errorCode === 'EMAIL_NOT_VERIFIED') return new EmailNotVerifiedError()\n if (errorCode === 'EMAIL_CAN_NOT_BE_UPDATED') return new EmailCannotBeUpdatedError()\n if (errorCode === 'EMAIL_ALREADY_VERIFIED') return new EmailAlreadyVerifiedError()\n if (errorCode === 'EMAIL_MISMATCH') return new EmailMismatchError()\n\n // Password validation\n if (errorCode === 'PASSWORD_TOO_SHORT') return new PasswordTooShortError(8)\n if (errorCode === 'PASSWORD_TOO_LONG') return new PasswordTooLongError(128)\n\n // Account errors\n if (errorCode === 'USER_ALREADY_EXISTS' || errorCode === 'USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL') {\n return new AccountAlreadyExistsError()\n }\n if (errorCode === 'ACCOUNT_NOT_FOUND') return new AccountNotFoundError()\n if (errorCode === 'CREDENTIAL_ACCOUNT_NOT_FOUND') return new CredentialAccountNotFoundError()\n if (errorCode === 'FAILED_TO_UNLINK_LAST_ACCOUNT') return new CannotUnlinkLastAccountError()\n\n // User creation/update errors\n if (errorCode === 'FAILED_TO_CREATE_USER') return new FailedToCreateUserError()\n if (errorCode === 'FAILED_TO_UPDATE_USER') return new FailedToUpdateUserError()\n if (errorCode === 'FAILED_TO_GET_USER_INFO') return new FailedToGetUserInfoError()\n\n // Social account errors\n if (errorCode === 'SOCIAL_ACCOUNT_ALREADY_LINKED' || errorCode === 'LINKED_ACCOUNT_ALREADY_EXISTS') {\n return new SocialAccountLinkedError()\n }\n if (errorCode === 'PROVIDER_NOT_FOUND') return new ProviderNotFoundError()\n\n // Token errors\n if (errorCode === 'ID_TOKEN_NOT_SUPPORTED') return new IdTokenNotSupportedError()\n if (errorCode === 'INVALID_TOKEN') return new InvalidTokenError()\n if (errorCode === 'TOKEN_EXPIRED') return new TokenExpiredError()\n\n // Password management\n if (errorCode === 'USER_ALREADY_HAS_PASSWORD' || errorCode === 'PASSWORD_ALREADY_SET') {\n return new UserAlreadyHasPasswordError()\n }\n\n // Callback/redirect URL errors\n if (\n errorCode === 'INVALID_CALLBACK_URL'\n || errorCode === 'INVALID_REDIRECT_URL'\n || errorCode === 'INVALID_NEW_USER_CALLBACK_URL'\n || errorCode === 'INVALID_ERROR_CALLBACK_URL'\n || errorCode === 'CALLBACK_URL_REQUIRED'\n ) {\n return new InvalidCallbackUrlError()\n }\n\n // Origin/CORS errors\n if (\n errorCode === 'INVALID_ORIGIN'\n || errorCode === 'MISSING_OR_NULL_ORIGIN'\n || errorCode === 'CROSS_SITE_NAVIGATION_LOGIN_BLOCKED'\n ) {\n return new InvalidOriginError()\n }\n\n // Validation errors\n if (\n errorCode === 'VALIDATION_ERROR'\n || errorCode === 'MISSING_FIELD'\n || errorCode === 'FIELD_NOT_ALLOWED'\n || errorCode === 'BODY_MUST_BE_AN_OBJECT'\n || errorCode === 'ASYNC_VALIDATION_NOT_SUPPORTED'\n || errorCode === 'METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED'\n ) {\n return new AuthValidationFailedError()\n }\n\n // Verification errors\n if (errorCode === 'FAILED_TO_CREATE_VERIFICATION' || errorCode === 'VERIFICATION_EMAIL_NOT_ENABLED') {\n return new FailedToCreateSessionError()\n }\n\n // ── Organization Plugin Error Codes ───────────────────────────────────\n\n // Organization not found\n if (errorCode === 'ORGANIZATION_NOT_FOUND' || errorCode === 'NO_ACTIVE_ORGANIZATION') {\n return new OrganizationNotFoundError()\n }\n\n // Member not found\n if (\n errorCode === 'MEMBER_NOT_FOUND'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION'\n || errorCode === 'USER_IS_NOT_A_MEMBER_OF_THE_TEAM'\n ) {\n return new OrganizationMemberNotFoundError()\n }\n\n // Invitation not found\n if (errorCode === 'INVITATION_NOT_FOUND' || errorCode === 'FAILED_TO_RETRIEVE_INVITATION') {\n return new OrganizationInvitationNotFoundError()\n }\n\n // Invitation recipient mismatch\n if (\n errorCode === 'YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION'\n || errorCode === 'EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION'\n ) {\n return new OrganizationInvitationRecipientMismatchError()\n }\n\n // Team not found\n if (errorCode === 'TEAM_NOT_FOUND' || errorCode === 'YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM') {\n return new OrganizationTeamNotFoundError()\n }\n\n // Role not found\n if (errorCode === 'ROLE_NOT_FOUND' || errorCode === 'INVALID_RESOURCE') {\n return new OrganizationRoleNotFoundError()\n }\n\n // Organization conflict/already exists\n if (\n errorCode === 'ORGANIZATION_ALREADY_EXISTS'\n || errorCode === 'ORGANIZATION_SLUG_ALREADY_TAKEN'\n || errorCode === 'USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION'\n || errorCode === 'TEAM_ALREADY_EXISTS'\n || errorCode === 'ROLE_NAME_IS_ALREADY_TAKEN'\n ) {\n return new OrganizationConflictError()\n }\n\n // Organization limit reached\n if (\n errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS'\n || errorCode === 'YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS'\n || errorCode === 'ORGANIZATION_MEMBERSHIP_LIMIT_REACHED'\n || errorCode === 'INVITATION_LIMIT_REACHED'\n || errorCode === 'TEAM_MEMBER_LIMIT_REACHED'\n || errorCode === 'TOO_MANY_ROLES'\n ) {\n return new OrganizationLimitReachedError()\n }\n\n // Organization membership constraints\n if (\n errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER'\n || errorCode === 'YOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER'\n || errorCode === 'UNABLE_TO_REMOVE_LAST_TEAM'\n || errorCode === 'CANNOT_DELETE_A_PRE_DEFINED_ROLE'\n || errorCode === 'ROLE_IS_ASSIGNED_TO_MEMBERS'\n || errorCode === 'YOU_CANNOT_IMPERSONATE_ADMINS'\n || errorCode === 'YOU_CANNOT_BAN_YOURSELF'\n || errorCode === 'YOU_CANNOT_REMOVE_YOURSELF'\n || errorCode === 'INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION'\n ) {\n return new OrganizationMembershipError()\n }\n\n // Organization permission denied (catch-all for YOU_ARE_NOT_ALLOWED_TO_* patterns)\n if (\n errorCode.startsWith('YOU_ARE_NOT_ALLOWED_TO_')\n || errorCode === 'YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION'\n || errorCode === 'YOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM'\n || errorCode === 'YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE'\n || errorCode === 'MISSING_AC_INSTANCE'\n ) {\n return new OrganizationPermissionDeniedError()\n }\n\n // Unknown error code\n return new BetterAuthUnknownError(errorCode)\n}\n\n/**\n * Type guard to check if an error is a Better Auth APIError.\n * Uses duck typing to handle bundler environments (e.g. Vite)\n * where instanceof may fail across module boundaries.\n */\nexport function isAPIError(error: unknown): error is APIError {\n if (error instanceof APIError) return true\n\n return (\n error instanceof Error\n && error.name === 'APIError'\n && 'status' in error\n && 'statusCode' in error\n )\n}\n","import type { BetterAuthOptions } from 'better-auth'\nimport { isAPIError, mapBetterAuthError } from './better-auth-error-handler'\n\n/**\n * Get shared Better Auth error handler configuration.\n * Use this in Better Auth config's onAPIError option.\n */\nexport function getErrorHandlerConfig(): BetterAuthOptions['onAPIError'] {\n return {\n throw: false,\n onError: (error) => {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n },\n }\n}\n\n/**\n * Wrap a Better Auth function in a try/catch block and map errors to ApplicationError.\n */\nexport const wrapBetterAuth = async <T>(fn: () => Promise<T>): Promise<T> => {\n try {\n return await fn()\n } catch (error) {\n if (isAPIError(error)) {\n throw mapBetterAuthError(error)\n }\n throw error\n }\n}\n","import type { Auth, BetterAuthOptions } from 'better-auth'\nimport { betterAuth } from 'better-auth'\nimport { inject } from 'tsyringe'\nimport { Transient } from 'stratal/di'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from '../auth.tokens'\nimport { getErrorHandlerConfig } from '../utils'\n\n/**\n * AuthService\n *\n * Base authentication service using Better Auth.\n * Configured via AuthModule.forRootAsync() from the application layer.\n *\n * **Extensibility:**\n * Extend this class in application layer to add custom methods.\n *\n * @example\n * ```typescript\n * @Transient(AUTH_SERVICE)\n * export class AppAuthService extends AuthService<AuthOptions> {\n * async signInMagicLink(email: string) {\n * return wrapBetterAuth(async () => {\n * return this.auth.api.signInMagicLink({ body: { email }, headers: new Headers() })\n * })\n * }\n * }\n * ```\n */\n@Transient(AUTH_SERVICE)\nexport class AuthService<TOptions extends BetterAuthOptions = BetterAuthOptions> {\n private authInstance: Auth<TOptions>\n\n constructor(\n @inject(AUTH_OPTIONS) protected readonly options: TOptions\n ) {\n this.authInstance = betterAuth({\n ...this.options,\n onAPIError: getErrorHandlerConfig()\n }) as Auth<TOptions>\n }\n\n /**\n * Get the Better Auth instance\n */\n get auth(): Auth<TOptions> {\n return this.authInstance\n }\n}\n","/**\n * Auth Module\n *\n * Provides configurable authentication using Better Auth.\n * Use `forRootAsync` to configure Better Auth options from the application layer.\n *\n * Optionally pass `accessControl` to enable permission-based authorization.\n * This auto-adds the Stratal AC plugin to Better Auth and registers `AccessService`.\n *\n * @example Without access control\n * ```typescript\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database, CONFIG_TOKENS.ConfigService],\n * useFactory: (db, config) => createAuthOptions(db, config)\n * })\n * ]\n * })\n * export class AppModule {}\n * ```\n *\n * @example With access control\n * ```typescript\n * import { createAccessControl } from '@stratal/framework/access-control'\n * import { admin } from 'better-auth/plugins'\n *\n * const permissions = createAccessControl({\n * resources: { posts: ['create', 'read', 'update', 'delete'] } as const,\n * roles: { admin: { posts: ['create', 'read', 'update', 'delete'] }, user: { posts: ['read'] } },\n * })\n *\n * @Module({\n * imports: [\n * AuthModule.forRootAsync({\n * inject: [DI_TOKENS.Database],\n * useFactory: (db) => ({\n * database: ...,\n * plugins: [admin({ ...permissions })],\n * }),\n * accessControl: permissions,\n * })\n * ]\n * })\n * ```\n */\n\nimport type { BetterAuthOptions } from 'better-auth'\nimport { CONTAINER_TOKEN, type Container } from 'stratal/di'\nimport { I18nModule } from 'stratal/i18n'\nimport type { AsyncModuleOptions, DynamicModule } from 'stratal/module'\nimport { Module } from 'stratal/module'\nimport type { IRateLimiterStore, RateLimiterRegistry } from 'stratal/rate-limiter'\nimport { RATE_LIMITER_TOKENS } from 'stratal/rate-limiter'\nimport type { RouteConfigurable, Router } from 'stratal/router'\nimport { createStratalAcPlugin } from '../access-control/plugin'\nimport { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AccessControlOptions } from '../access-control/types'\nimport { AUTH_OPTIONS, AUTH_SERVICE } from './auth.tokens'\nimport { authMessages } from './i18n'\nimport { AuthContextMiddleware } from './middleware/auth-context.middleware'\nimport { SessionVerificationMiddleware } from './middleware/session-verification.middleware'\n// Side-effect import: registers `forPath`/`pathEntries` macros on\n// `RateLimiterRegistry` and the `declare module` augmentation that exposes\n// them at the type level. Must run before any consumer calls `forPath()`.\nimport {\n createBetterAuthRateLimitStorage,\n projectCustomRules,\n} from './rate-limit-bridge'\nimport { AuthService } from './services/auth.service'\n\nexport interface AuthModuleAsyncOptions<TOptions extends BetterAuthOptions = BetterAuthOptions>\n extends AsyncModuleOptions<TOptions> {\n /**\n * Optional access control configuration.\n * When provided, registers AccessService and auto-adds the Stratal AC plugin to Better Auth.\n */\n accessControl?: AccessControlOptions\n}\n\n@Module({\n imports: [\n I18nModule.registerMessages(authMessages),\n ],\n providers: []\n})\nexport class AuthModule implements RouteConfigurable {\n /**\n * Configure auth middleware globally.\n *\n * Registers middlewares in order:\n * 1. AuthContextMiddleware - Creates and registers AuthContext in request container\n * 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId + role\n */\n configureRoutes(router: Router): void {\n router.use(AuthContextMiddleware, SessionVerificationMiddleware)\n }\n\n /**\n * Configure AuthModule with async options factory.\n * Optionally provide `accessControl` to enable permission-based authorization.\n *\n * When `RateLimiterModule` is also imported, better-auth's `rateLimit`\n * block is auto-wired: `customStorage` shares Stratal's backing store, and\n * any `RateLimiterRegistry.forPath(...)` entries are projected into\n * `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys\n * take precedence on a per-key basis.\n */\n static forRootAsync<TOptions extends BetterAuthOptions>(\n options: AuthModuleAsyncOptions<TOptions>\n ): DynamicModule {\n const { accessControl } = options\n const userInject = options.inject ?? []\n const userFactory = options.useFactory as (...args: unknown[]) => TOptions\n\n const authOptionsProvider = {\n provide: AUTH_OPTIONS,\n useFactory: (container: Container, ...userDeps: unknown[]): BetterAuthOptions => {\n let raw = userFactory(...userDeps) as BetterAuthOptions\n\n if (accessControl) {\n raw = {\n ...raw,\n plugins: [createStratalAcPlugin(accessControl), ...(raw.plugins ?? [])],\n }\n }\n\n const tsyringe = container.getTsyringeContainer()\n const rateLimiterPresent = tsyringe.isRegistered(\n RATE_LIMITER_TOKENS.ModuleMarker,\n true,\n )\n\n if (rateLimiterPresent) {\n const store = container.resolve<IRateLimiterStore>(RATE_LIMITER_TOKENS.Store)\n const registry = container.resolve<RateLimiterRegistry>(RATE_LIMITER_TOKENS.Registry)\n\n raw = {\n ...raw,\n rateLimit: {\n enabled: true,\n ...raw.rateLimit,\n customStorage: raw.rateLimit?.customStorage ?? createBetterAuthRateLimitStorage(store),\n customRules: {\n ...projectCustomRules(registry),\n ...(raw.rateLimit?.customRules ?? {}),\n },\n },\n }\n }\n\n return raw\n },\n inject: [CONTAINER_TOKEN, ...userInject],\n }\n\n return {\n module: AuthModule,\n providers: [\n authOptionsProvider,\n {\n provide: AUTH_SERVICE,\n useClass: AuthService,\n },\n ...(accessControl\n ? [\n { provide: AC_TOKENS.Options, useValue: accessControl as unknown as object },\n { provide: AC_TOKENS.AccessService, useClass: AccessService },\n ]\n : []),\n ],\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;AACA,MAAa,eAAe,OAAO,IAAI,uBAAuB;;AAG9D,MAAa,eAAe,OAAO,IAAI,uBAAuB;;;ACJ9D,MAAa,eAAe,EAC1B,IAAI,EACF,MAAM;CACJ,QAAQ;EACN,eAAe;EACf,cAAc;EACd,oBAAoB;EACpB,cAAc;EACd,oBAAoB;EACpB,iBAAiB;EACjB,cAAc;EACd,gBAAgB;EAChB,kBAAkB;EAClB,kBAAkB;EAClB,iBAAiB;EACjB,sBAAsB;EACtB,oBAAoB;EACpB,uBAAuB;EACvB,oBAAoB;EACpB,oBAAoB;EACpB,qBAAqB;EACrB,qBAAqB;EACrB,kBAAkB;EAClB,mBAAmB;EACnB,iBAAiB;EACjB,2BAA2B;EAC3B,yBAAyB;EACzB,wBAAwB;EACxB,sBAAsB;EACtB,cAAc;EACd,oBAAoB;EACpB,eAAe;EACf,kBAAkB;EAClB,sBAAsB;EACtB,eAAe;EACf,cAAc;EACf;CACD,KAAK;EACH,sBAAsB;EACtB,gBAAgB;EAChB,oBAAoB;EACpB,kBAAkB;EAClB,6BAA6B;EAC7B,UAAU;EACV,cAAc;EACd,iBAAiB;EACjB,cAAc;EACd,cAAc;EACf;CACF,EACF,EACF;;;ACvCM,IAAA,wBAAA,MAAM,sBAA4C;CACvD,MAAM,OAAO,KAAoB,MAA2B;EAC1D,MAAM,mBAAmB,IAAI,cAAc;EAE3C,MAAM,cAAc,IAAI,aAAa;EACrC,iBAAiB,cAAc,UAAU,aAAa,YAAY;EAElE,OAAO,MAAM;;;oCARhB,WAAW,CAAA,EAAA,sBAAA;;;ACSL,IAAA,gCAAA,MAAM,8BAAoD;CAG5C;CAC4B;CAH/C,YACE,aAEA,QACA;EAFiB,KAAA,cAAA;EAC4B,KAAA,SAAA;;CAG/C,MAAM,OAAO,KAAoB,MAA2B;EAC1D,IAAI;GACF,MAAM,SAAS,MAAM,KAAK,YAAY,KAAK,IAAI,WAAW,EACxD,SAAS,IAAI,EAAE,IAAI,IAAI,SACxB,CAAC;GAEF,IAAI,QAEF,IADwB,cAAc,CAAC,QAAqB,UAAU,YAC3D,CAAC,eAAe,EACzB,MAAM,OAAO,MACd,CAAC;WAEG,OAAgB;GACvB,KAAK,OAAO,MAAM,uDAAuD,EAAE,OAAO,CAAC;;EAGrF,OAAO,MAAM;;;;CAxBhB,WAAW;oBAGPA,SAAO,aAAa,CAAA;oBAEpBA,SAAO,cAAc,cAAc,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC8BxC,MAAM,gCAAgB,IAAI,SAA8D;AAExF,SAAS,mBAAmB,UAA+D;CACzF,IAAI,MAAM,cAAc,IAAI,SAAS;CACrC,IAAI,CAAC,KAAK;EACR,sBAAM,IAAI,KAAK;EACf,cAAc,IAAI,UAAU,IAAI;;CAElC,OAAO;;AAGT,oBAAoB,MAAM,WAAW,SAEnC,MACA,UACM;CACN,mBAAmB,KAAK,CAAC,IAAI,MAAM,SAAS;EAC5C;AAEF,oBAAoB,MAAM,eAAe,WAEQ;CAC/C,QAAQ,cAAc,IAAI,KAAK,oBAAI,IAAI,KAAgC,EAAE,SAAS;EAClF;AA2BF,MAAM,0BAA0B;AAChC,MAAM,yBAAyB;;;;;;AAO/B,SAAgB,iCAAiC,OAG/C;CACA,OAAO;EACL,MAAM,IAAI,KAAK;GACb,OAAO,MAAM,MAAM,IAAyB,GAAG,yBAAyB,MAAM;;EAEhF,MAAM,IAAI,KAAK,OAAO,SAAS;GAC7B,MAAM,MAAM,IAAI,GAAG,yBAAyB,OAAO,OAAO,wBAAwB;;EAErF;;;;;;;;;;;AAYH,SAAgB,mBACd,UACsC;CACtC,MAAM,QAA8C,EAAE;CAEtD,KAAK,MAAM,CAAC,MAAM,aAAa,SAAS,aAAa,EACnD,MAAM,QAAQ,OAAO,QAA2D;EAC9E,MAAM,WAAW,MAAM,SAAS,IAAI;EACpC,MAAM,cAAc,MAAM,QAAQ,SAAS,GAAG,WAAW,CAAC,SAAS,EAAE,QAAQ,MAAM,CAAC,EAAE,SAAS;EAC/F,IAAI,WAAW,WAAW,GAAG,OAAO;EAEpC,MAAM,SAAS,WAAW,QAAQ,GAAG,MACnC,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,gBAAgB,IAAI,EAC1D;EAED,OAAO;GAAE,QAAQ,OAAO;GAAe,KAAK,OAAO;GAAK;;CAI5D,OAAO;;;;ACxJT,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,YAAY,OAAgB;EAC1B,MAAM,4BAA4B,YAAY,SAAS,WAAW,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAIpG,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;EACZ,MAAM,kCAAkC,YAAY,KAAK,oBAAoB;;;AAIjF,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,cAAc;EACZ,MAAM,+BAA+B,YAAY,KAAK,oBAAoB;;;AAI9E,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,YAAY,OAAgB;EAC1B,MAAM,4BAA4B,YAAY,WAAW,gBAAgB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAI3G,IAAa,sBAAb,cAAyC,iBAAiB;CACxD,cAAc;EACZ,MAAM,8BAA8B,YAAY,KAAK,gBAAgB;;;AAIzE,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,OAAgB;EAC1B,MAAM,gCAAgC,YAAY,KAAK,oBAAoB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAI7G,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,WAAmB;EAC7B,MAAM,gCAAgC,YAAY,KAAK,oBAAoB,EAAE,WAAW,CAAC;;;AAI7F,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,YAAY,WAAmB;EAC7B,MAAM,+BAA+B,YAAY,KAAK,mBAAmB,EAAE,WAAW,CAAC;;;AAI3F,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,YAAY,OAAgB;EAC1B,MAAM,oCAAoC,YAAY,KAAK,wBAAwB,QAAQ,EAAE,OAAO,GAAG,KAAA,EAAU;;;AAIrH,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;EAC3B,MAAM,kCAAkC,YAAY,KAAK,uBAAuB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIpH,IAAa,6BAAb,cAAgD,iBAAiB;CAC/D,YAAY,QAAiB;EAC3B,MAAM,qCAAqC,YAAY,KAAK,0BAA0B,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI1H,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;EAC3B,MAAM,kCAAkC,YAAY,KAAK,uBAAuB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIpH,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,YAAY,UAAmB;EAC7B,MAAM,mCAAmC,YAAY,KAAK,uBAAuB,WAAW,EAAE,UAAU,GAAG,KAAA,EAAU;;;AAIzH,IAAa,+BAAb,cAAkD,iBAAiB;CACjE,cAAc;EACZ,MAAM,uCAAuC,YAAY,KAAK,2BAA2B;;;AAI7F,IAAa,wBAAb,cAA2C,iBAAiB;CAC1D,YAAY,UAAmB;EAC7B,MAAM,gCAAgC,YAAY,SAAS,WAAW,WAAW,EAAE,UAAU,GAAG,KAAA,EAAU;;;AAI9G,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,cAAc;EACZ,MAAM,iCAAiC,YAAY,SAAS,UAAU;;;AAI1E,IAAa,uBAAb,cAA0C,iBAAiB;CACzD,cAAc;EACZ,MAAM,+BAA+B,YAAY,SAAS,UAAU;;;AAIxE,IAAa,iCAAb,cAAoD,iBAAiB;CACnE,cAAc;EACZ,MAAM,yCAAyC,YAAY,SAAS,UAAU;;;AAIlF,IAAa,8BAAb,cAAiD,iBAAiB;CAChE,cAAc;EACZ,MAAM,sCAAsC,YAAY,SAAS,SAAS;;;AAI9E,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,YAAY,QAAiB;EAC3B,MAAM,oCAAoC,YAAY,WAAW,SAAS,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI9G,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,YAAY,QAAiB;EAC3B,MAAM,kCAAkC,YAAY,OAAO,gBAAgB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAI/G,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,YAAY,QAAiB;EAC3B,MAAM,mCAAmC,YAAY,OAAO,gBAAgB,SAAS,EAAE,QAAQ,GAAG,KAAA,EAAU;;;AAIhH,IAAa,2BAAb,cAA8C,iBAAiB;CAC7D,cAAc;EACZ,MAAM,4BAA4B,YAAY,WAAW,QAAQ;;;AAIrE,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,cAAc;EACZ,MAAM,4BAA4B,YAAY,WAAW,QAAQ;;;AAIrE,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;EACZ,MAAM,kCAAkC,YAAY,WAAW,eAAe;;;AAIlF,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;EACZ,MAAM,6BAA6B,YAAY,MAAM,UAAU;;;AAInE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;EACZ,MAAM,gCAAgC,YAAY,WAAW,QAAQ;;;AAIzE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;EACZ,MAAM,oCAAoC,YAAY,SAAS,SAAS;;;AAI5E,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;EACZ,MAAM,6BAA6B,YAAY,WAAW,eAAe;;;AAI7E,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,YAAY,WAAoB;EAC9B,MAAM,4BAA4B,YAAY,OAAO,gBAAgB,YAAY,EAAE,WAAW,GAAG,KAAA,EAAU;;;;;AChL/G,IAAa,oBAAb,cAAuC,iBAAiB;CACtD,cAAc;EACZ,MAAM,4BAA4B,YAAY,KAAK,cAAc;;;;;ACFrE,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;EACZ,MAAM,iCAAiC,YAAY,KAAK,uBAAuB;;;AAInF,IAAa,kCAAb,cAAqD,iBAAiB;CACpE,cAAc;EACZ,MAAM,2BAA2B,YAAY,KAAK,iBAAiB;;;AAIvE,IAAa,sCAAb,cAAyD,iBAAiB;CACxE,cAAc;EACZ,MAAM,+BAA+B,YAAY,KAAK,qBAAqB;;;AAI/E,IAAa,oCAAb,cAAuD,iBAAiB;CACtE,cAAc;EACZ,MAAM,6BAA6B,YAAY,MAAM,UAAU;;;AAInE,IAAa,+CAAb,cAAkE,iBAAiB;CACjF,cAAc;EACZ,MAAM,wCAAwC,YAAY,KAAK,8BAA8B;;;AAIjG,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;EACZ,MAAM,qBAAqB,YAAY,SAAS,SAAS;;;AAI7D,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;EACZ,MAAM,yBAAyB,YAAY,KAAK,2BAA2B;;;AAI/E,IAAa,8BAAb,cAAiD,iBAAiB;CAChE,cAAc;EACZ,MAAM,4BAA4B,YAAY,KAAK,iCAAiC;;;AAIxF,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;EACZ,MAAM,yBAAyB,YAAY,SAAS,UAAU;;;AAIlE,IAAa,gCAAb,cAAmD,iBAAiB;CAClE,cAAc;EACZ,MAAM,yBAAyB,YAAY,SAAS,UAAU;;;;;ACxDlE,IAAa,qBAAb,cAAwC,iBAAiB;CACvD,cAAc;EACZ,MAAM,6BAA6B,YAAY,WAAW,gBAAgB,EAAE,OAAO,SAAS,CAAC;;;;;ACFjG,IAAa,0BAAb,cAA6C,iBAAiB;CAC5D,cAAc;EACZ,MAAM,kCAAkC,YAAY,KAAK,oBAAoB;;;;;;;;AC6CjF,SAAgB,mBAAmB,OAAmC;CACpE,MAAM,YAAY,MAAM,MAAM;CAE9B,IAAI,MAAM,WAAW,SAAS;EAE5B,MAAM,WADU,MAAM,QACG,IAAI,WAAW,IAAI;EAE5C,IAAI,SAAS,SAAS,gBAAgB,EAAE,OAAO,IAAI,mBAAmB;EACtE,IAAI,SAAS,SAAS,gBAAgB,EAAE,OAAO,IAAI,mBAAmB;EACtE,IAAI,SAAS,SAAS,oBAAoB,EAAE,OAAO,IAAI,mBAAmB;EAC1E,IAAI,SAAS,SAAS,2BAA2B,EAAE,OAAO,IAAI,mBAAmB;EACjF,IAAI,SAAS,SAAS,wBAAwB,EAAE,OAAO,IAAI,yBAAyB;EACpF,IAAI,SAAS,SAAS,2BAA2B,EAAE,OAAO,IAAI,4BAA4B;;CAG5F,IAAI,CAAC,WACH,OAAO,IAAI,wBAAwB;CAMrC,IAAI,cAAc,oBAAoB,cAAc,gBAAgB,OAAO,IAAI,mBAAmB;CAClG,IAAI,cAAc,wBAAwB,OAAO,IAAI,wBAAwB;CAG7E,IAAI,cAAc,6BAA6B,OAAO,IAAI,yBAAyB;CACnF,IAAI,cAAc,oBAAoB,OAAO,IAAI,sBAAsB;CACvE,IAAI,cAAc,iBAAiB,OAAO,IAAI,mBAAmB;CAGjE,IAAI,cAAc,qBAAqB,cAAc,qBAAqB,OAAO,IAAI,qBAAqB;CAC1G,IAAI,cAAc,4BAA4B,OAAO,IAAI,4BAA4B;CACrF,IAAI,cAAc,yBAAyB,OAAO,IAAI,yBAAyB;CAG/E,IAAI,cAAc,sBAAsB,OAAO,IAAI,uBAAuB;CAC1E,IAAI,cAAc,4BAA4B,OAAO,IAAI,2BAA2B;CACpF,IAAI,cAAc,0BAA0B,OAAO,IAAI,2BAA2B;CAClF,IAAI,cAAc,kBAAkB,OAAO,IAAI,oBAAoB;CAGnE,IAAI,cAAc,sBAAsB,OAAO,IAAI,sBAAsB,EAAE;CAC3E,IAAI,cAAc,qBAAqB,OAAO,IAAI,qBAAqB,IAAI;CAG3E,IAAI,cAAc,yBAAyB,cAAc,yCACvD,OAAO,IAAI,2BAA2B;CAExC,IAAI,cAAc,qBAAqB,OAAO,IAAI,sBAAsB;CACxE,IAAI,cAAc,gCAAgC,OAAO,IAAI,gCAAgC;CAC7F,IAAI,cAAc,iCAAiC,OAAO,IAAI,8BAA8B;CAG5F,IAAI,cAAc,yBAAyB,OAAO,IAAI,yBAAyB;CAC/E,IAAI,cAAc,yBAAyB,OAAO,IAAI,yBAAyB;CAC/E,IAAI,cAAc,2BAA2B,OAAO,IAAI,0BAA0B;CAGlF,IAAI,cAAc,mCAAmC,cAAc,iCACjE,OAAO,IAAI,0BAA0B;CAEvC,IAAI,cAAc,sBAAsB,OAAO,IAAI,uBAAuB;CAG1E,IAAI,cAAc,0BAA0B,OAAO,IAAI,0BAA0B;CACjF,IAAI,cAAc,iBAAiB,OAAO,IAAI,mBAAmB;CACjE,IAAI,cAAc,iBAAiB,OAAO,IAAI,mBAAmB;CAGjE,IAAI,cAAc,+BAA+B,cAAc,wBAC7D,OAAO,IAAI,6BAA6B;CAI1C,IACE,cAAc,0BACX,cAAc,0BACd,cAAc,mCACd,cAAc,gCACd,cAAc,yBAEjB,OAAO,IAAI,yBAAyB;CAItC,IACE,cAAc,oBACX,cAAc,4BACd,cAAc,uCAEjB,OAAO,IAAI,oBAAoB;CAIjC,IACE,cAAc,sBACX,cAAc,mBACd,cAAc,uBACd,cAAc,4BACd,cAAc,oCACd,cAAc,6CAEjB,OAAO,IAAI,2BAA2B;CAIxC,IAAI,cAAc,mCAAmC,cAAc,kCACjE,OAAO,IAAI,4BAA4B;CAMzC,IAAI,cAAc,4BAA4B,cAAc,0BAC1D,OAAO,IAAI,2BAA2B;CAIxC,IACE,cAAc,sBACX,cAAc,8CACd,cAAc,oCAEjB,OAAO,IAAI,iCAAiC;CAI9C,IAAI,cAAc,0BAA0B,cAAc,iCACxD,OAAO,IAAI,qCAAqC;CAIlD,IACE,cAAc,iDACX,cAAc,wEAEjB,OAAO,IAAI,8CAA8C;CAI3D,IAAI,cAAc,oBAAoB,cAAc,kCAClD,OAAO,IAAI,+BAA+B;CAI5C,IAAI,cAAc,oBAAoB,cAAc,oBAClD,OAAO,IAAI,+BAA+B;CAI5C,IACE,cAAc,iCACX,cAAc,qCACd,cAAc,mDACd,cAAc,kDACd,cAAc,yBACd,cAAc,8BAEjB,OAAO,IAAI,2BAA2B;CAIxC,IACE,cAAc,0DACX,cAAc,kDACd,cAAc,2CACd,cAAc,8BACd,cAAc,+BACd,cAAc,kBAEjB,OAAO,IAAI,+BAA+B;CAI5C,IACE,cAAc,yDACX,cAAc,wDACd,cAAc,gCACd,cAAc,sCACd,cAAc,iCACd,cAAc,mCACd,cAAc,6BACd,cAAc,gCACd,cAAc,qDAEjB,OAAO,IAAI,6BAA6B;CAI1C,IACE,UAAU,WAAW,0BAA0B,IAC5C,cAAc,+CACd,cAAc,iDACd,cAAc,qDACd,cAAc,uBAEjB,OAAO,IAAI,mCAAmC;CAIhD,OAAO,IAAI,uBAAuB,UAAU;;;;;;;AAQ9C,SAAgB,WAAW,OAAmC;CAC5D,IAAI,iBAAiB,UAAU,OAAO;CAEtC,OACE,iBAAiB,SACd,MAAM,SAAS,cACf,YAAY,SACZ,gBAAgB;;;;;;;;AClQvB,SAAgB,wBAAyD;CACvE,OAAO;EACL,OAAO;EACP,UAAU,UAAU;GAClB,IAAI,WAAW,MAAM,EACnB,MAAM,mBAAmB,MAAM;GAEjC,MAAM;;EAET;;;;;AAMH,MAAa,iBAAiB,OAAU,OAAqC;CAC3E,IAAI;EACF,OAAO,MAAM,IAAI;UACV,OAAO;EACd,IAAI,WAAW,MAAM,EACnB,MAAM,mBAAmB,MAAM;EAEjC,MAAM;;;;;ACAH,IAAA,cAAA,MAAM,YAAoE;CAIpC;CAH3C;CAEA,YACE,SACA;EADyC,KAAA,UAAA;EAEzC,KAAK,eAAe,WAAW;GAC7B,GAAG,KAAK;GACR,YAAY,uBAAuB;GACpC,CAAC;;;;;CAMJ,IAAI,OAAuB;EACzB,OAAO,KAAK;;;;CAjBf,UAAU,aAAa;oBAKnBC,SAAO,aAAa,CAAA;;;;;;ACsDlB,IAAA,aAAA,cAAA,MAAM,WAAwC;;;;;;;;CAQnD,gBAAgB,QAAsB;EACpC,OAAO,IAAI,uBAAuB,8BAA8B;;;;;;;;;;;;CAalE,OAAO,aACL,SACe;EACf,MAAM,EAAE,kBAAkB;EAC1B,MAAM,aAAa,QAAQ,UAAU,EAAE;EACvC,MAAM,cAAc,QAAQ;EAE5B,MAAM,sBAAsB;GAC1B,SAAS;GACT,aAAa,WAAsB,GAAG,aAA2C;IAC/E,IAAI,MAAM,YAAY,GAAG,SAAS;IAElC,IAAI,eACF,MAAM;KACJ,GAAG;KACH,SAAS,CAAC,sBAAsB,cAAc,EAAE,GAAI,IAAI,WAAW,EAAE,CAAE;KACxE;IASH,IANiB,UAAU,sBACQ,CAAC,aAClC,oBAAoB,cACpB,KAGoB,EAAE;KACtB,MAAM,QAAQ,UAAU,QAA2B,oBAAoB,MAAM;KAC7E,MAAM,WAAW,UAAU,QAA6B,oBAAoB,SAAS;KAErF,MAAM;MACJ,GAAG;MACH,WAAW;OACT,SAAS;OACT,GAAG,IAAI;OACP,eAAe,IAAI,WAAW,iBAAiB,iCAAiC,MAAM;OACtF,aAAa;QACX,GAAG,mBAAmB,SAAS;QAC/B,GAAI,IAAI,WAAW,eAAe,EAAE;QACrC;OACF;MACF;;IAGH,OAAO;;GAET,QAAQ,CAAC,iBAAiB,GAAG,WAAW;GACzC;EAED,OAAO;GACL,QAAA;GACA,WAAW;IACT;IACA;KACE,SAAS;KACT,UAAU;KACX;IACD,GAAI,gBACA,CACA;KAAE,SAAS,UAAU;KAAS,UAAU;KAAoC,EAC5E;KAAE,SAAS,UAAU;KAAe,UAAU;KAAe,CAC9D,GACC,EAAE;IACP;GACF;;;uCA3FJ,OAAO;CACN,SAAS,CACP,WAAW,iBAAiB,aAAa,CAC1C;CACD,WAAW,EAAE;CACd,CAAC,CAAA,EAAA,WAAA"}
|