@tinyrack/tinyauth-server 0.0.7

package/dist/lib/crypto.js

@@ -0,0 +1,253 @@
+import { bytesToString, concatBytes, fromBase64Url, getRandomBytes, hexToBytes, stringToBytes, toArrayBuffer, toBase64Url, } from "./base64url.js";
+export { getRandomBytes } from "./base64url.js";
+const ALGORITHM = 'AES-GCM';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+/**
+ * Import a hex-encoded key for AES-GCM operations
+ * using the Web Crypto API.
+ */
+async function importAesKey(keyHex, usage) {
+    return crypto.subtle.importKey('raw', toArrayBuffer(hexToBytes(keyHex)), { name: ALGORITHM }, false, [usage]);
+}
+export async function encrypt(data, keyHex) {
+    const key = await importAesKey(keyHex, 'encrypt');
+    const iv = getRandomBytes(IV_LENGTH);
+    const plaintext = stringToBytes(data);
+    // Web Crypto AES-GCM appends the auth tag to the ciphertext
+    const cipherWithTag = new Uint8Array(await crypto.subtle.encrypt({
+        name: ALGORITHM,
+        iv: toArrayBuffer(iv),
+        tagLength: AUTH_TAG_LENGTH * 8,
+    }, key, toArrayBuffer(plaintext)));
+    // Split into ciphertext and auth tag to keep the same wire format:
+    // base64url(iv + authTag + encrypted)
+    const encrypted = cipherWithTag.slice(0, cipherWithTag.byteLength - AUTH_TAG_LENGTH);
+    const authTag = cipherWithTag.slice(cipherWithTag.byteLength - AUTH_TAG_LENGTH);
+    const combined = concatBytes(iv, authTag, encrypted);
+    return toBase64Url(combined);
+}
+export async function decrypt(encoded, keyHex) {
+    try {
+        const key = await importAesKey(keyHex, 'decrypt');
+        const combined = fromBase64Url(encoded);
+        if (combined.byteLength < IV_LENGTH + AUTH_TAG_LENGTH) {
+            return null;
+        }
+        const iv = combined.slice(0, IV_LENGTH);
+        const authTag = combined.slice(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+        const encrypted = combined.slice(IV_LENGTH + AUTH_TAG_LENGTH);
+        // Web Crypto expects ciphertext + authTag concatenated
+        const cipherWithTag = concatBytes(encrypted, authTag);
+        const plaintext = new Uint8Array(await crypto.subtle.decrypt({
+            name: ALGORITHM,
+            iv: toArrayBuffer(iv),
+            tagLength: AUTH_TAG_LENGTH * 8,
+        }, key, toArrayBuffer(cipherWithTag)));
+        return bytesToString(plaintext);
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Timing-safe comparison
+// ---------------------------------------------------------------------------
+/**
+ * Compares two byte arrays in constant time to prevent timing side-channel attacks.
+ *
+ * Returns `false` immediately if the arrays differ in length, but the byte-level
+ * comparison always processes every element to avoid leaking positional information.
+ *
+ * @param left - The first byte array.
+ * @param right - The second byte array.
+ * @returns `true` if both arrays contain identical bytes, `false` otherwise.
+ */
+export function timingSafeEqualBytes(left, right) {
+    if (left.length !== right.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let index = 0; index < left.length; index += 1) {
+        const leftByte = left[index];
+        const rightByte = right[index];
+        if (leftByte === undefined || rightByte === undefined) {
+            return false;
+        }
+        diff |= leftByte ^ rightByte;
+    }
+    return diff === 0;
+}
+// ---------------------------------------------------------------------------
+// Secret hashing (PBKDF2 / HMAC)
+// ---------------------------------------------------------------------------
+/**
+ * Parses an integer key=value segment from the self-describing hash format.
+ *
+ * @example parseIntegerSegment('v=1', 'v') // => 1
+ */
+function parseIntegerSegment(segment, key) {
+    if (!segment.startsWith(`${key}=`)) {
+        return undefined;
+    }
+    const value = Number(segment.slice(key.length + 1));
+    if (!Number.isInteger(value) || value <= 0) {
+        return undefined;
+    }
+    return value;
+}
+/**
+ * Parses a string key=value segment from the self-describing hash format.
+ *
+ * @example parseStringSegment('s=Zm9v', 's') // => 'Zm9v'
+ */
+function parseStringSegment(segment, key) {
+    if (!segment.startsWith(`${key}=`)) {
+        return undefined;
+    }
+    return segment.slice(key.length + 1);
+}
+/**
+ * Parses a persisted PBKDF2 hash string into its constituent parameters.
+ *
+ * The expected format is: `<algorithm>$v=<version>$i=<iterations>$s=<salt>$h=<digest>`
+ * where salt and digest are base64url-encoded.
+ *
+ * @param hash - The stored hash string to parse.
+ * @param expectedAlgorithm - The algorithm identifier to match (e.g. `'pbkdf2-sha256'`).
+ * @returns The parsed components, or `undefined` if the string is malformed.
+ */
+export function parsePbkdf2Hash(hash, expectedAlgorithm) {
+    const [algorithm = '', version = '', iterations = '', salt = '', digest = '',] = hash.split('$');
+    if (algorithm !== expectedAlgorithm) {
+        return undefined;
+    }
+    const parsedVersion = parseIntegerSegment(version, 'v');
+    const parsedIterations = parseIntegerSegment(iterations, 'i');
+    const parsedSalt = parseStringSegment(salt, 's');
+    const parsedDigest = parseStringSegment(digest, 'h');
+    if (parsedVersion === undefined ||
+        parsedIterations === undefined ||
+        parsedSalt === undefined ||
+        parsedDigest === undefined) {
+        return undefined;
+    }
+    try {
+        return {
+            version: parsedVersion,
+            iterations: parsedIterations,
+            salt: fromBase64Url(parsedSalt),
+            digest: fromBase64Url(parsedDigest),
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Encodes PBKDF2 hash parameters into a self-describing string for storage.
+ *
+ * @param params - The PBKDF2 parameters to encode.
+ * @returns A string in the format `<algorithm>$v=<version>$i=<iterations>$s=<salt>$h=<digest>`.
+ */
+export function formatPbkdf2Hash(params) {
+    return [
+        params.algorithm,
+        `v=${params.version}`,
+        `i=${params.iterations}`,
+        `s=${toBase64Url(params.salt)}`,
+        `h=${toBase64Url(params.digest)}`,
+    ].join('$');
+}
+/**
+ * Encodes an HMAC digest into a self-describing string for opaque token storage.
+ *
+ * @param params - The HMAC digest to encode.
+ * @returns A string in the format `<algorithm>$v=<version>$h=<digest>`.
+ */
+export function formatOpaqueHash(params) {
+    return [
+        params.algorithm,
+        `v=${params.version}`,
+        `h=${toBase64Url(params.digest)}`,
+    ].join('$');
+}
+/**
+ * Normalizes a secret string to Unicode NFC form and encodes it as UTF-8 bytes.
+ * This ensures visually equivalent strings (e.g. `café` vs `cafe\u0301`) produce
+ * identical byte sequences across all runtimes.
+ *
+ * @param secret - The raw secret string.
+ * @returns The NFC-normalized, UTF-8-encoded byte representation.
+ */
+export function normalizeSecret(secret) {
+    return stringToBytes(secret.normalize('NFC'));
+}
+/**
+ * Derives a purpose-specific subkey from a master secret using HKDF-SHA-256.
+ *
+ * Each purpose produces a cryptographically isolated key, so compromising
+ * one purpose key does not affect others.
+ *
+ * @param crypto - The Web Crypto API instance.
+ * @param masterSecret - The 32-byte master secret.
+ * @param hkdfSalt - The salt string for HKDF (e.g. application context identifier).
+ * @param hkdfInfo - The info string for HKDF (e.g. purpose label).
+ * @param derivedKeyBytes - The number of bytes to derive.
+ * @returns A derived purpose key of the specified length.
+ */
+export async function derivePurposeKeyBytes(crypto, masterSecret, hkdfSalt, hkdfInfo, derivedKeyBytes) {
+    const baseKey = await crypto.subtle.importKey('raw', toArrayBuffer(masterSecret), 'HKDF', false, ['deriveBits']);
+    const bits = await crypto.subtle.deriveBits({
+        name: 'HKDF',
+        hash: 'SHA-256',
+        salt: toArrayBuffer(stringToBytes(hkdfSalt)),
+        info: toArrayBuffer(stringToBytes(hkdfInfo)),
+    }, baseKey, derivedKeyBytes * 8);
+    return new Uint8Array(bits);
+}
+/**
+ * Derives a PBKDF2-SHA-256 digest from a low-entropy secret (e.g. a password).
+ *
+ * The secret is first NFC-normalized and concatenated with the purpose key before
+ * being fed into PBKDF2, binding the derivation to a specific purpose.
+ *
+ * @param crypto - The Web Crypto API instance.
+ * @param purposeKey - The pre-derived purpose-specific key from {@link derivePurposeKeyBytes}.
+ * @param secret - The raw secret string (password, client secret, etc.).
+ * @param salt - A random salt (typically 16 bytes).
+ * @param iterations - The PBKDF2 iteration count.
+ * @param derivedKeyBytes - The number of bytes to derive.
+ * @returns A derived key of the specified length.
+ */
+export async function derivePbkdf2Bytes(crypto, purposeKey, secret, salt, iterations, derivedKeyBytes) {
+    const keyMaterial = await crypto.subtle.importKey('raw', toArrayBuffer(concatBytes(normalizeSecret(secret), purposeKey)), 'PBKDF2', false, ['deriveBits']);
+    const derived = await crypto.subtle.deriveBits({
+        name: 'PBKDF2',
+        hash: 'SHA-256',
+        iterations,
+        salt: toArrayBuffer(salt),
+    }, keyMaterial, derivedKeyBytes * 8);
+    return new Uint8Array(derived);
+}
+/**
+ * Computes an HMAC-SHA-256 signature over a high-entropy opaque value.
+ *
+ * Unlike PBKDF2, this is intended for values that are already cryptographically
+ * random (e.g. authorization codes, recovery tokens), where deterministic hashing
+ * enables efficient database lookups.
+ *
+ * @param crypto - The Web Crypto API instance.
+ * @param purposeKey - The pre-derived purpose-specific key from {@link derivePurposeKeyBytes}.
+ * @param value - The opaque value to sign.
+ * @returns A 32-byte HMAC signature.
+ */
+export async function signOpaqueValue(crypto, purposeKey, value) {
+    const hmacKey = await crypto.subtle.importKey('raw', toArrayBuffer(purposeKey), {
+        name: 'HMAC',
+        hash: 'SHA-256',
+    }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', hmacKey, toArrayBuffer(normalizeSecret(value)));
+    return new Uint8Array(signature);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/lib/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/lib/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,WAAW,EACX,aAAa,EACb,cAAc,EACd,UAAU,EACV,aAAa,EACb,aAAa,EACb,WAAW,GACZ,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,SAAS,GAAG,SAAS,CAAC;AAC5B,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;GAGG;AACH,KAAK,UAAU,YAAY,CACzB,MAAc,EACd,KAA4B;IAE5B,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EACjC,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,KAAK,CAAC,CACR,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAY,EAAE,MAAc;IACxD,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAClD,MAAM,EAAE,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IAEtC,4DAA4D;IAC5D,MAAM,aAAa,GAAG,IAAI,UAAU,CAClC,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzB;QACE,IAAI,EAAE,SAAS;QACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;QACrB,SAAS,EAAE,eAAe,GAAG,CAAC;KAC/B,EACD,GAAG,EACH,aAAa,CAAC,SAAS,CAAC,CACzB,CACF,CAAC;IAEF,mEAAmE;IACnE,sCAAsC;IACtC,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CACnC,CAAC,EACD,aAAa,CAAC,UAAU,GAAG,eAAe,CAC3C,CAAC;IACF,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CACjC,aAAa,CAAC,UAAU,GAAG,eAAe,CAC3C,CAAC;IAEF,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IACrD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,OAAe,EACf,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,QAAQ,CAAC,UAAU,GAAG,SAAS,GAAG,eAAe,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACxC,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;QAE9D,uDAAuD;QACvD,MAAM,aAAa,GAAG,WAAW,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAEtD,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzB;YACE,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;YACrB,SAAS,EAAE,eAAe,GAAG,CAAC;SAC/B,EACD,GAAG,EACH,aAAa,CAAC,aAAa,CAAC,CAC7B,CACF,CAAC;QACF,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAgB,EAChB,KAAiB;IAEjB,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;QAE/B,IAAI,QAAQ,KAAK,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,IAAI,QAAQ,GAAG,SAAS,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,OAAe,EAAE,GAAW;IACvD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IACpD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QAC3C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,OAAe,EAAE,GAAW;IACtD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,IAAY,EACZ,iBAAyB;IASzB,MAAM,CACJ,SAAS,GAAG,EAAE,EACd,OAAO,GAAG,EAAE,EACZ,UAAU,GAAG,EAAE,EACf,IAAI,GAAG,EAAE,EACT,MAAM,GAAG,EAAE,EACZ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEpB,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,aAAa,GAAG,mBAAmB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAErD,IACE,aAAa,KAAK,SAAS;QAC3B,gBAAgB,KAAK,SAAS;QAC9B,UAAU,KAAK,SAAS;QACxB,YAAY,KAAK,SAAS,EAC1B,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,OAAO;YACL,OAAO,EAAE,aAAa;YACtB,UAAU,EAAE,gBAAgB;YAC5B,IAAI,EAAE,aAAa,CAAC,UAAU,CAAC;YAC/B,MAAM,EAAE,aAAa,CAAC,YAAY,CAAC;SACpC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAMhC;IACC,OAAO;QACL,MAAM,CAAC,SAAS;QAChB,KAAK,MAAM,CAAC,OAAO,EAAE;QACrB,KAAK,MAAM,CAAC,UAAU,EAAE;QACxB,KAAK,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;QAC/B,KAAK,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;KAClC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAIhC;IACC,OAAO;QACL,MAAM,CAAC,SAAS;QAChB,KAAK,MAAM,CAAC,OAAO,EAAE;QACrB,KAAK,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;KAClC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,OAAO,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAc,EACd,YAAwB,EACxB,QAAgB,EAChB,QAAgB,EAChB,eAAuB;IAEvB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,aAAa,CAAC,YAAY,CAAC,EAC3B,MAAM,EACN,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CACzC;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;KAC7C,EACD,OAAO,EACP,eAAe,GAAG,CAAC,CACpB,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,UAAsB,EACtB,MAAc,EACd,IAAgB,EAChB,UAAkB,EAClB,eAAuB;IAEvB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,aAAa,CAAC,WAAW,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC,CAAC,EAC/D,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5C;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,SAAS;QACf,UAAU;QACV,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC;KAC1B,EACD,WAAW,EACX,eAAe,GAAG,CAAC,CACpB,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAc,EACd,UAAsB,EACtB,KAAa;IAEb,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,aAAa,CAAC,UAAU,CAAC,EACzB;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;KAChB,EACD,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,OAAO,EACP,aAAa,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CACtC,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC"}

package/dist/lib/database/compiled-functions.d.ts

@@ -0,0 +1,16 @@
+import type { CompiledFunctions } from '@mikro-orm/core';
+import type { RuntimeDatabaseEntity } from './entities.ts';
+/**
+ * MikroORM v7 uses a counter-based metadata id inside `meta.uniqueName`.
+ *
+ * `mikro-orm compile` also keys generated functions by that value, so the
+ * compiled keys can drift from runtime keys when entity metadata is created in
+ * a different order during bundling or startup. In that case MikroORM falls
+ * back to runtime code generation via `new Function(...)`, which breaks in
+ * no-eval runtimes like Cloudflare Workers.
+ *
+ * To keep all database drivers on the same path, we remap the compiled keys by
+ * stable table name to the runtime `uniqueName` before passing them to MikroORM.
+ */
+export declare function resolveCompiledFunctionsForEntities(entitySchemas: readonly RuntimeDatabaseEntity[], compiledFunctions: CompiledFunctions): CompiledFunctions;
+//# sourceMappingURL=compiled-functions.d.ts.map

package/dist/lib/database/compiled-functions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiled-functions.d.ts","sourceRoot":"","sources":["../../../src/lib/database/compiled-functions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACzD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAkD3D;;;;;;;;;;;GAWG;AACH,wBAAgB,mCAAmC,CACjD,aAAa,EAAE,SAAS,qBAAqB,EAAE,EAC/C,iBAAiB,EAAE,iBAAiB,GACnC,iBAAiB,CAqCnB"}

package/dist/lib/database/compiled-functions.js

@@ -0,0 +1,66 @@
+const compiledFunctionPrefixes = [
+    'hydrator',
+    'comparator',
+    'snapshotGenerator',
+    'pkGetter',
+    'pkGetterConverted',
+    'pkSerializer',
+    'resultMapper',
+];
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function findCompiledUniqueName(functionKeys, tableName) {
+    const matcher = new RegExp(`^pkGetter-(${escapeRegExp(tableName)}_\\d+)$`);
+    for (const functionKey of functionKeys) {
+        const match = functionKey.match(matcher);
+        if (match) {
+            return match[1];
+        }
+    }
+    return undefined;
+}
+function remapCompiledFunctionKey(functionKey, compiledUniqueName, runtimeUniqueName) {
+    const matcher = new RegExp(`^(${compiledFunctionPrefixes.join('|')})-${escapeRegExp(compiledUniqueName)}(.*)$`);
+    const match = functionKey.match(matcher);
+    if (!match) {
+        return undefined;
+    }
+    return `${match[1]}-${runtimeUniqueName}${match[2]}`;
+}
+/**
+ * MikroORM v7 uses a counter-based metadata id inside `meta.uniqueName`.
+ *
+ * `mikro-orm compile` also keys generated functions by that value, so the
+ * compiled keys can drift from runtime keys when entity metadata is created in
+ * a different order during bundling or startup. In that case MikroORM falls
+ * back to runtime code generation via `new Function(...)`, which breaks in
+ * no-eval runtimes like Cloudflare Workers.
+ *
+ * To keep all database drivers on the same path, we remap the compiled keys by
+ * stable table name to the runtime `uniqueName` before passing them to MikroORM.
+ */
+export function resolveCompiledFunctionsForEntities(entitySchemas, compiledFunctions) {
+    const runtimeCompiledFunctions = { ...compiledFunctions };
+    const compiledFunctionEntries = Object.entries(compiledFunctions);
+    const compiledFunctionKeys = Object.keys(compiledFunctions);
+    for (const entitySchema of entitySchemas) {
+        const runtimeUniqueName = entitySchema.meta.uniqueName;
+        if (runtimeCompiledFunctions[`pkGetter-${runtimeUniqueName}`]) {
+            continue;
+        }
+        const compiledUniqueName = findCompiledUniqueName(compiledFunctionKeys, entitySchema.meta.tableName);
+        if (!compiledUniqueName) {
+            continue;
+        }
+        for (const [functionKey, compiledFunction] of compiledFunctionEntries) {
+            const runtimeFunctionKey = remapCompiledFunctionKey(functionKey, compiledUniqueName, runtimeUniqueName);
+            if (!runtimeFunctionKey) {
+                continue;
+            }
+            runtimeCompiledFunctions[runtimeFunctionKey] = compiledFunction;
+        }
+    }
+    return runtimeCompiledFunctions;
+}
+//# sourceMappingURL=compiled-functions.js.map

package/dist/lib/database/compiled-functions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiled-functions.js","sourceRoot":"","sources":["../../../src/lib/database/compiled-functions.ts"],"names":[],"mappings":"AAGA,MAAM,wBAAwB,GAAG;IAC/B,UAAU;IACV,YAAY;IACZ,mBAAmB;IACnB,UAAU;IACV,mBAAmB;IACnB,cAAc;IACd,cAAc;CACN,CAAC;AAEX,SAAS,YAAY,CAAC,KAAa;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,sBAAsB,CAC7B,YAAsB,EACtB,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,cAAc,YAAY,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAE3E,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAC/B,WAAmB,EACnB,kBAA0B,EAC1B,iBAAyB;IAEzB,MAAM,OAAO,GAAG,IAAI,MAAM,CACxB,KAAK,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,YAAY,CAAC,kBAAkB,CAAC,OAAO,CACpF,CAAC;IACF,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,iBAAiB,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AACvD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mCAAmC,CACjD,aAA+C,EAC/C,iBAAoC;IAEpC,MAAM,wBAAwB,GAAG,EAAE,GAAG,iBAAiB,EAAE,CAAC;IAC1D,MAAM,uBAAuB,GAAG,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAClE,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE5D,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,MAAM,iBAAiB,GAAG,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC;QAEvD,IAAI,wBAAwB,CAAC,YAAY,iBAAiB,EAAE,CAAC,EAAE,CAAC;YAC9D,SAAS;QACX,CAAC;QAED,MAAM,kBAAkB,GAAG,sBAAsB,CAC/C,oBAAoB,EACpB,YAAY,CAAC,IAAI,CAAC,SAAS,CAC5B,CAAC;QAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,SAAS;QACX,CAAC;QAED,KAAK,MAAM,CAAC,WAAW,EAAE,gBAAgB,CAAC,IAAI,uBAAuB,EAAE,CAAC;YACtE,MAAM,kBAAkB,GAAG,wBAAwB,CACjD,WAAW,EACX,kBAAkB,EAClB,iBAAiB,CAClB,CAAC;YAEF,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,SAAS;YACX,CAAC;YAED,wBAAwB,CAAC,kBAAkB,CAAC,GAAG,gBAAgB,CAAC;QAClE,CAAC;IACH,CAAC;IAED,OAAO,wBAAwB,CAAC;AAClC,CAAC"}

package/dist/lib/database/entities.d.ts

@@ -0,0 +1,10 @@
+import type { EntityName } from '@mikro-orm/core';
+export interface RuntimeDatabaseEntity {
+    meta: {
+        tableName: string;
+        uniqueName: string;
+    };
+}
+export declare function getDatabaseEntities(): readonly EntityName[];
+export declare function getDatabaseEntitiesWithMetadata(): readonly RuntimeDatabaseEntity[];
+//# sourceMappingURL=entities.d.ts.map

package/dist/lib/database/entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.d.ts","sourceRoot":"","sources":["../../../src/lib/database/entities.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAkBlD,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE;QACJ,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAuBD,wBAAgB,mBAAmB,IAAI,SAAS,UAAU,EAAE,CAE3D;AAED,wBAAgB,+BAA+B,IAAI,SAAS,qBAAqB,EAAE,CAElF"}

package/dist/lib/database/entities.js

@@ -0,0 +1,43 @@
+import { EmailVerificationEntitySchema } from "../../entities/email-verification.entity.js";
+import { JwtKeyEntitySchema } from "../../entities/jwt-key.entity.js";
+import { OAuthClientEntitySchema } from "../../entities/oauth-client.entity.js";
+import { OAuthCodeEntitySchema } from "../../entities/oauth-code.entity.js";
+import { PasswordResetEntitySchema } from "../../entities/password-reset.entity.js";
+import { PendingOAuthRegistrationEntitySchema } from "../../entities/pending-oauth-registration.entity.js";
+import { RevokedTokenEntitySchema } from "../../entities/revoked-token.entity.js";
+import { TermsEntitySchema } from "../../entities/terms.entity.js";
+import { TermsContentEntitySchema } from "../../entities/terms-content.entity.js";
+import { UserEntitySchema } from "../../entities/user.entity.js";
+import { UserConsentEntitySchema } from "../../entities/user-consent.entity.js";
+import { UserOAuthEntitySchema } from "../../entities/user-oauth.entity.js";
+import { UserPasskeyEntitySchema } from "../../entities/user-passkey.entity.js";
+import { UserTermsConsentEntitySchema } from "../../entities/user-terms-consent.entity.js";
+import { UserTotpEntitySchema } from "../../entities/user-totp.entity.js";
+import { UserTotpRecoveryCodeEntitySchema } from "../../entities/user-totp-recovery-code.entity.js";
+function createDatabaseEntities() {
+    return [
+        UserEntitySchema,
+        OAuthClientEntitySchema,
+        OAuthCodeEntitySchema,
+        JwtKeyEntitySchema,
+        EmailVerificationEntitySchema,
+        PasswordResetEntitySchema,
+        PendingOAuthRegistrationEntitySchema,
+        RevokedTokenEntitySchema,
+        TermsEntitySchema,
+        TermsContentEntitySchema,
+        UserConsentEntitySchema,
+        UserOAuthEntitySchema,
+        UserPasskeyEntitySchema,
+        UserTermsConsentEntitySchema,
+        UserTotpRecoveryCodeEntitySchema,
+        UserTotpEntitySchema,
+    ];
+}
+export function getDatabaseEntities() {
+    return createDatabaseEntities();
+}
+export function getDatabaseEntitiesWithMetadata() {
+    return createDatabaseEntities();
+}
+//# sourceMappingURL=entities.js.map

package/dist/lib/database/entities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.js","sourceRoot":"","sources":["../../../src/lib/database/entities.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,6BAA6B,EAAE,MAAM,6CAA6C,CAAC;AAC5F,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AACtE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AACpF,OAAO,EAAE,oCAAoC,EAAE,MAAM,qDAAqD,CAAC;AAC3G,OAAO,EAAE,wBAAwB,EAAE,MAAM,wCAAwC,CAAC;AAClF,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,wCAAwC,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,EAAE,4BAA4B,EAAE,MAAM,6CAA6C,CAAC;AAC3F,OAAO,EAAE,oBAAoB,EAAE,MAAM,oCAAoC,CAAC;AAC1E,OAAO,EAAE,gCAAgC,EAAE,MAAM,kDAAkD,CAAC;AASpG,SAAS,sBAAsB;IAC7B,OAAO;QACL,gBAAgB;QAChB,uBAAuB;QACvB,qBAAqB;QACrB,kBAAkB;QAClB,6BAA6B;QAC7B,yBAAyB;QACzB,oCAAoC;QACpC,wBAAwB;QACxB,iBAAiB;QACjB,wBAAwB;QACxB,uBAAuB;QACvB,qBAAqB;QACrB,uBAAuB;QACvB,4BAA4B;QAC5B,gCAAgC;QAChC,oBAAoB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,sBAAsB,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,+BAA+B;IAC7C,OAAO,sBAAsB,EAAE,CAAC;AAClC,CAAC"}

package/dist/lib/duration.d.ts

@@ -0,0 +1,44 @@
+import z from 'zod';
+/**
+ * Duration string pattern supporting multiple time units:
+ * - s: seconds (e.g., "30s")
+ * - m: minutes (e.g., "30m")
+ * - h: hours (e.g., "24h")
+ * - d: days (e.g., "7d")
+ * - y: years (e.g., "1y")
+ *
+ * Special value "0" means immediate (no retention).
+ */
+export declare const DurationString: z.ZodString;
+export type DurationString = z.infer<typeof DurationString>;
+export declare const MS_PER_SECOND = 1000;
+export declare const MS_PER_MINUTE: number;
+export declare const MS_PER_HOUR: number;
+export declare const MS_PER_DAY: number;
+export declare const MS_PER_YEAR: number;
+/**
+ * Parse duration string to milliseconds
+ * @param duration - Duration string like "30s", "30m", "24h", "7d", "1y" or "0"
+ * @returns Duration in milliseconds
+ */
+export declare function parseDurationToMs(duration: string): number;
+/**
+ * Calculate a cutoff date by subtracting a duration from now
+ * @param retention - Duration string for retention period
+ * @returns Date before which items should be cleaned up
+ */
+export declare function calculateCutoffDate(retention: string): Date;
+/**
+ * Format milliseconds as a human-readable duration
+ * @param ms - Duration in milliseconds
+ * @returns Human-readable string like "24 hours", "7 days", "30 days"
+ */
+export declare function formatDuration(ms: number): string;
+/**
+ * Calculate the permanent deletion date based on deleted_at and retention period
+ * @param deletedAt - The date when deletion was requested
+ * @param retentionPeriod - Retention period string like "30d"
+ * @returns Date when permanent deletion should occur
+ */
+export declare function calculatePermanentDeletionDate(deletedAt: Date, retentionPeriod: string): Date;
+//# sourceMappingURL=duration.d.ts.map

package/dist/lib/duration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"duration.d.ts","sourceRoot":"","sources":["../../src/lib/duration.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,aAMyC,CAAC;AAErE,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,eAAO,MAAM,aAAa,OAAO,CAAC;AAClC,eAAO,MAAM,aAAa,QAAqB,CAAC;AAChD,eAAO,MAAM,WAAW,QAAqB,CAAC;AAC9C,eAAO,MAAM,UAAU,QAAmB,CAAC;AAC3C,eAAO,MAAM,WAAW,QAAmB,CAAC;AAE5C;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgC1D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAG3D;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CA2BjD;AAED;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAC5C,SAAS,EAAE,IAAI,EACf,eAAe,EAAE,MAAM,GACtB,IAAI,CAGN"}

package/dist/lib/duration.js

@@ -0,0 +1,103 @@
+import z from 'zod';
+/**
+ * Duration string pattern supporting multiple time units:
+ * - s: seconds (e.g., "30s")
+ * - m: minutes (e.g., "30m")
+ * - h: hours (e.g., "24h")
+ * - d: days (e.g., "7d")
+ * - y: years (e.g., "1y")
+ *
+ * Special value "0" means immediate (no retention).
+ */
+export const DurationString = z
+    .string()
+    .regex(/^(0|\d+[smhdy])$/, 'Duration must be "0" or format like "30s", "30m", "24h", "7d", "1y"')
+    .describe('Duration string (e.g., "0", "30m", "24h", "7d", "1y")');
+export const MS_PER_SECOND = 1000;
+export const MS_PER_MINUTE = 60 * MS_PER_SECOND;
+export const MS_PER_HOUR = 60 * MS_PER_MINUTE;
+export const MS_PER_DAY = 24 * MS_PER_HOUR;
+export const MS_PER_YEAR = 365 * MS_PER_DAY; // Approximate year as 365 days
+/**
+ * Parse duration string to milliseconds
+ * @param duration - Duration string like "30s", "30m", "24h", "7d", "1y" or "0"
+ * @returns Duration in milliseconds
+ */
+export function parseDurationToMs(duration) {
+    // Special case: "0" means immediate (no retention)
+    if (duration === '0') {
+        return 0;
+    }
+    const match = duration.match(/^(\d+)([smhdy])$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: ${duration}`);
+    }
+    const valueStr = match[1];
+    const unit = match[2];
+    if (!valueStr || !unit) {
+        throw new Error(`Invalid duration format: ${duration}`);
+    }
+    const value = Number.parseInt(valueStr, 10);
+    switch (unit) {
+        case 's':
+            return value * MS_PER_SECOND;
+        case 'm':
+            return value * MS_PER_MINUTE;
+        case 'h':
+            return value * MS_PER_HOUR;
+        case 'd':
+            return value * MS_PER_DAY;
+        case 'y':
+            return value * MS_PER_YEAR;
+        default:
+            throw new Error(`Unknown duration unit: ${unit}`);
+    }
+}
+/**
+ * Calculate a cutoff date by subtracting a duration from now
+ * @param retention - Duration string for retention period
+ * @returns Date before which items should be cleaned up
+ */
+export function calculateCutoffDate(retention) {
+    const retentionMs = parseDurationToMs(retention);
+    return new Date(Date.now() - retentionMs);
+}
+/**
+ * Format milliseconds as a human-readable duration
+ * @param ms - Duration in milliseconds
+ * @returns Human-readable string like "24 hours", "7 days", "30 days"
+ */
+export function formatDuration(ms) {
+    if (ms === 0) {
+        return 'immediate';
+    }
+    if (ms < MS_PER_MINUTE) {
+        const seconds = Math.round(ms / MS_PER_SECOND);
+        return `${seconds} second${seconds !== 1 ? 's' : ''}`;
+    }
+    if (ms < MS_PER_HOUR) {
+        const minutes = Math.round(ms / MS_PER_MINUTE);
+        return `${minutes} minute${minutes !== 1 ? 's' : ''}`;
+    }
+    if (ms < MS_PER_DAY) {
+        const hours = Math.round(ms / MS_PER_HOUR);
+        return `${hours} hour${hours !== 1 ? 's' : ''}`;
+    }
+    if (ms < MS_PER_YEAR) {
+        const days = Math.round(ms / MS_PER_DAY);
+        return `${days} day${days !== 1 ? 's' : ''}`;
+    }
+    const years = Math.round(ms / MS_PER_YEAR);
+    return `${years} year${years !== 1 ? 's' : ''}`;
+}
+/**
+ * Calculate the permanent deletion date based on deleted_at and retention period
+ * @param deletedAt - The date when deletion was requested
+ * @param retentionPeriod - Retention period string like "30d"
+ * @returns Date when permanent deletion should occur
+ */
+export function calculatePermanentDeletionDate(deletedAt, retentionPeriod) {
+    const retentionMs = parseDurationToMs(retentionPeriod);
+    return new Date(deletedAt.getTime() + retentionMs);
+}
+//# sourceMappingURL=duration.js.map

package/dist/lib/duration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"duration.js","sourceRoot":"","sources":["../../src/lib/duration.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,KAAK,CAAC;AAEpB;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC;KAC5B,MAAM,EAAE;KACR,KAAK,CACJ,kBAAkB,EAClB,qEAAqE,CACtE;KACA,QAAQ,CAAC,uDAAuD,CAAC,CAAC;AAIrE,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,CAAC;AAClC,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,GAAG,aAAa,CAAC;AAChD,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,GAAG,aAAa,CAAC;AAC9C,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,CAAC;AAC3C,MAAM,CAAC,MAAM,WAAW,GAAG,GAAG,GAAG,UAAU,CAAC,CAAC,+BAA+B;AAE5E;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,mDAAmD;IACnD,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;QACrB,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAE5C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,aAAa,CAAC;QAC/B,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,aAAa,CAAC;QAC/B,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,WAAW,CAAC;QAC7B,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,UAAU,CAAC;QAC5B,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,WAAW,CAAC;QAC7B;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,MAAM,WAAW,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACjD,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;QACb,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,IAAI,EAAE,GAAG,aAAa,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,aAAa,CAAC,CAAC;QAC/C,OAAO,GAAG,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,EAAE,GAAG,WAAW,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,aAAa,CAAC,CAAC;QAC/C,OAAO,GAAG,OAAO,UAAU,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC;QAC3C,OAAO,GAAG,KAAK,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,EAAE,GAAG,WAAW,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC;QACzC,OAAO,GAAG,IAAI,OAAO,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC;IAC3C,OAAO,GAAG,KAAK,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,8BAA8B,CAC5C,SAAe,EACf,eAAuB;IAEvB,MAAM,WAAW,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAC;IACvD,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,CAAC;AACrD,CAAC"}

package/dist/lib/email-pattern.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Check if an email address matches any of the allowed signup patterns.
+ *
+ * Supported patterns:
+ * - `*` — Allow all emails
+ * - `user@domain.com` — Exact email match (case-insensitive)
+ * - `*@domain.com` — Allow any email at the specified domain
+ *
+ * An empty patterns array means signup is disabled entirely.
+ *
+ * @param email - The email address to check
+ * @param patterns - Array of allowed email patterns
+ * @returns `true` if the email matches at least one pattern
+ */
+export declare function isEmailAllowed(email: string, patterns: readonly string[]): boolean;
+//# sourceMappingURL=email-pattern.d.ts.map

package/dist/lib/email-pattern.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-pattern.d.ts","sourceRoot":"","sources":["../../src/lib/email-pattern.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,SAAS,MAAM,EAAE,GAC1B,OAAO,CA+BT"}

package/dist/lib/email-pattern.js

@@ -0,0 +1,41 @@
+/**
+ * Check if an email address matches any of the allowed signup patterns.
+ *
+ * Supported patterns:
+ * - `*` — Allow all emails
+ * - `user@domain.com` — Exact email match (case-insensitive)
+ * - `*@domain.com` — Allow any email at the specified domain
+ *
+ * An empty patterns array means signup is disabled entirely.
+ *
+ * @param email - The email address to check
+ * @param patterns - Array of allowed email patterns
+ * @returns `true` if the email matches at least one pattern
+ */
+export function isEmailAllowed(email, patterns) {
+    if (patterns.length === 0) {
+        return false;
+    }
+    const normalizedEmail = email.toLowerCase();
+    for (const pattern of patterns) {
+        const normalizedPattern = pattern.toLowerCase().trim();
+        // Wildcard: allow all
+        if (normalizedPattern === '*') {
+            return true;
+        }
+        // Domain wildcard: *@domain.com
+        if (normalizedPattern.startsWith('*@')) {
+            const domain = normalizedPattern.slice(2);
+            if (normalizedEmail.endsWith(`@${domain}`)) {
+                return true;
+            }
+            continue;
+        }
+        // Exact match
+        if (normalizedEmail === normalizedPattern) {
+            return true;
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=email-pattern.js.map

package/dist/lib/email-pattern.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-pattern.js","sourceRoot":"","sources":["../../src/lib/email-pattern.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAa,EACb,QAA2B;IAE3B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAE5C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAEvD,sBAAsB;QACtB,IAAI,iBAAiB,KAAK,GAAG,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gCAAgC;QAChC,IAAI,iBAAiB,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1C,IAAI,eAAe,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,EAAE,CAAC;gBAC3C,OAAO,IAAI,CAAC;YACd,CAAC;YACD,SAAS;QACX,CAAC;QAED,cAAc;QACd,IAAI,eAAe,KAAK,iBAAiB,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}