npm - @usebetterdev/console - Versions diffs - 0.3.0-beta.2 - Mend

@usebetterdev/console 0.3.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/drizzle.cjs +220 -0
package/dist/drizzle.cjs.map +1 -0
package/dist/drizzle.d.cts +343 -0
package/dist/drizzle.d.ts +343 -0
package/dist/drizzle.js +189 -0
package/dist/drizzle.js.map +1 -0
package/dist/hono.cjs +101 -0
package/dist/hono.cjs.map +1 -0
package/dist/hono.d.cts +43 -0
package/dist/hono.d.ts +43 -0
package/dist/hono.js +74 -0
package/dist/hono.js.map +1 -0
package/dist/index.cjs +1155 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +162 -0
package/dist/index.d.ts +162 -0
package/dist/index.js +1106 -0
package/dist/index.js.map +1 -0
package/dist/types-Bm35VBpM.d.cts +169 -0
package/dist/types-Bm35VBpM.d.ts +169 -0
package/package.json +71 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1106 @@
+// src/errors.ts
+var ConsoleError = class extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "ConsoleError";
+    this.code = code;
+  }
+};
+var ConsoleSessionExpiredError = class extends ConsoleError {
+  constructor(message = "Session has expired") {
+    super(message, "SESSION_EXPIRED");
+    this.name = "ConsoleSessionExpiredError";
+  }
+};
+var ConsoleEmailNotAllowedError = class extends ConsoleError {
+  constructor(email) {
+    super(
+      `Email "${email}" is not in the allowed list. Update BETTER_CONSOLE_ALLOWED_EMAILS to grant access.`,
+      "EMAIL_NOT_ALLOWED"
+    );
+    this.name = "ConsoleEmailNotAllowedError";
+  }
+};
+var ConsoleMagicLinkExpiredError = class extends ConsoleError {
+  constructor(message = "Magic link has expired or was already used") {
+    super(message, "MAGIC_LINK_EXPIRED");
+    this.name = "ConsoleMagicLinkExpiredError";
+  }
+};
+var ConsoleInvalidTokenError = class extends ConsoleError {
+  constructor(message = "Invalid or expired session token") {
+    super(message, "INVALID_TOKEN");
+    this.name = "ConsoleInvalidTokenError";
+  }
+};
+var ConsoleAdapterRequiredError = class extends ConsoleError {
+  constructor(message = "Magic link sessions require a database adapter. Either provide an adapter or use autoApprove for development.") {
+    super(message, "ADAPTER_REQUIRED");
+    this.name = "ConsoleAdapterRequiredError";
+  }
+};
+var ConsoleWeakSecretError = class extends ConsoleError {
+  constructor() {
+    super(
+      "connectionTokenHash secret is too short (minimum 32 characters in production). Generate a strong secret with: npx better-console init",
+      "WEAK_SECRET"
+    );
+    this.name = "ConsoleWeakSecretError";
+  }
+};
+var ConsoleEmailRelayError = class extends ConsoleError {
+  constructor(message = "Failed to deliver verification code via Console email relay") {
+    super(message, "EMAIL_RELAY_FAILED");
+    this.name = "ConsoleEmailRelayError";
+  }
+};
+var ConsoleAutoApproveInProductionError = class extends ConsoleError {
+  constructor() {
+    super(
+      'autoApprove is enabled outside of development. This is a security risk. Set NODE_ENV="development" or disable autoApprove.',
+      "AUTO_APPROVE_IN_PRODUCTION"
+    );
+    this.name = "ConsoleAutoApproveInProductionError";
+  }
+};
+// src/token.ts
+var ALPHANUMERIC = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
+var ALPHABET_LIMIT = 240;
+function bytesToHex(bytes) {
+  let hex = "";
+  for (const b of bytes) {
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+function bytesToBase64url(bytes) {
+  let binary = "";
+  for (const b of bytes) {
+    binary += String.fromCharCode(b);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateSessionToken() {
+  const bytes = new Uint8Array(32);
+  globalThis.crypto.getRandomValues(bytes);
+  return bytesToBase64url(bytes);
+}
+async function hashToken(token) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(token);
+  const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
+  return bytesToHex(new Uint8Array(hashBuffer));
+}
+async function verifyTokenHash(token, hash) {
+  const computed = await hashToken(token);
+  if (computed.length !== hash.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < computed.length; i++) {
+    result |= computed.charCodeAt(i) ^ hash.charCodeAt(i);
+  }
+  return result === 0;
+}
+function generateMagicLinkCode() {
+  const codeLength = 6;
+  let code = "";
+  const buffer = new Uint8Array(12);
+  globalThis.crypto.getRandomValues(buffer);
+  let offset = 0;
+  while (code.length < codeLength) {
+    if (offset >= buffer.length) {
+      globalThis.crypto.getRandomValues(buffer);
+      offset = 0;
+    }
+    const b = buffer[offset];
+    offset++;
+    if (b < ALPHABET_LIMIT) {
+      code += ALPHANUMERIC[b % ALPHANUMERIC.length];
+    }
+  }
+  return code;
+}
+async function hashMagicLinkCode(code) {
+  return hashToken(code);
+}
+function parseConnectionTokenHash(envValue) {
+  if (envValue.startsWith("sha256:")) {
+    return envValue.slice(7);
+  }
+  return envValue;
+}
+function parseDuration(duration) {
+  const match = /^(\d+)(ms|s|m|h|d)$/.exec(duration.trim());
+  if (!match) {
+    return null;
+  }
+  const value = Number(match[1]);
+  const unit = match[2];
+  switch (unit) {
+    case "ms":
+      return value;
+    case "s":
+      return value * 1e3;
+    case "m":
+      return value * 60 * 1e3;
+    case "h":
+      return value * 60 * 60 * 1e3;
+    case "d":
+      return value * 24 * 60 * 60 * 1e3;
+    default:
+      return null;
+  }
+}
+// src/config-validation.ts
+var MIN_TOKEN_LIFETIME_MS = 60 * 60 * 1e3;
+var MAX_TOKEN_LIFETIME_MS = 7 * 24 * 60 * 60 * 1e3;
+var DEFAULT_TOKEN_LIFETIME_MS = 24 * 60 * 60 * 1e3;
+function parseAllowedEmails(input) {
+  if (!input) {
+    return [];
+  }
+  const raw = typeof input === "string" ? input.split(",") : input;
+  return raw.map((e) => e.trim().toLowerCase()).filter((e) => e.length > 0);
+}
+function validateConfig(config) {
+  if (!config.connectionTokenHash || config.connectionTokenHash.trim().length === 0) {
+    throw new ConsoleError(
+      "connectionTokenHash is required. Run: npx better-console init",
+      "MISSING_CONNECTION_TOKEN"
+    );
+  }
+  const connectionTokenSecret = parseConnectionTokenHash(
+    config.connectionTokenHash
+  );
+  if (connectionTokenSecret.length === 0) {
+    throw new ConsoleError(
+      "connectionTokenHash is empty after parsing. Check your BETTER_CONSOLE_TOKEN_HASH env var.",
+      "EMPTY_CONNECTION_TOKEN"
+    );
+  }
+  const nodeEnv = (typeof process !== "undefined" ? process.env?.NODE_ENV : void 0) ?? "";
+  if (nodeEnv !== "development" && nodeEnv !== "test" && connectionTokenSecret.length < 32) {
+    throw new ConsoleWeakSecretError();
+  }
+  if (config.sessions.autoApprove) {
+    if (nodeEnv !== "development" && nodeEnv !== "test") {
+      throw new ConsoleAutoApproveInProductionError();
+    }
+  }
+  if (config.sessions.magicLink && !config.adapter) {
+    throw new ConsoleAdapterRequiredError();
+  }
+  if (!config.sessions.autoApprove && !config.sessions.magicLink && !config.sessions.authenticate) {
+    throw new ConsoleError(
+      "No session method configured. Enable autoApprove, magicLink, or authenticate.",
+      "NO_SESSION_METHOD"
+    );
+  }
+  let tokenLifetimeMs = DEFAULT_TOKEN_LIFETIME_MS;
+  if (config.sessions.tokenLifetime) {
+    const parsed = parseDuration(config.sessions.tokenLifetime);
+    if (parsed === null) {
+      throw new ConsoleError(
+        `Invalid tokenLifetime "${config.sessions.tokenLifetime}". Use format: "24h", "8h", "1h", "30m", "7d".`,
+        "INVALID_TOKEN_LIFETIME"
+      );
+    }
+    if (parsed < MIN_TOKEN_LIFETIME_MS || parsed > MAX_TOKEN_LIFETIME_MS) {
+      throw new ConsoleError(
+        `tokenLifetime must be between 1h and 7d. Got: "${config.sessions.tokenLifetime}".`,
+        "TOKEN_LIFETIME_OUT_OF_RANGE"
+      );
+    }
+    tokenLifetimeMs = parsed;
+  }
+  const allowedOrigins = config.allowedOrigins && config.allowedOrigins.length > 0 ? config.allowedOrigins : ["https://console.usebetter.dev"];
+  const allowedActions = config.allowedActions && config.allowedActions.length > 0 ? config.allowedActions : ["read", "write", "admin"];
+  const allowedEmails = parseAllowedEmails(
+    config.sessions.magicLink?.allowedEmails
+  );
+  return {
+    connectionTokenSecret,
+    tokenLifetimeMs,
+    allowedOrigins,
+    allowedActions,
+    allowedEmails
+  };
+}
+// src/jwt.ts
+function base64urlEncode(data) {
+  return btoa(data).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(encoded) {
+  const padded = encoded + "=".repeat((4 - encoded.length % 4) % 4);
+  return atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
+}
+async function hmacSign(data, secret) {
+  const encoder = new TextEncoder();
+  const key = await globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await globalThis.crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(data)
+  );
+  const bytes = new Uint8Array(signature);
+  let binary = "";
+  for (const b of bytes) {
+    binary += String.fromCharCode(b);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function hmacVerify(data, signature, secret) {
+  const encoder = new TextEncoder();
+  const key = await globalThis.crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["verify"]
+  );
+  const sigPadded = signature + "=".repeat((4 - signature.length % 4) % 4);
+  const sigBytes = Uint8Array.from(
+    atob(sigPadded.replace(/-/g, "+").replace(/_/g, "/")),
+    (c) => c.charCodeAt(0)
+  );
+  return globalThis.crypto.subtle.verify(
+    "HMAC",
+    key,
+    sigBytes,
+    encoder.encode(data)
+  );
+}
+async function signSessionJwt(payload, secret) {
+  const header = base64urlEncode(
+    JSON.stringify({ alg: "HS256", typ: "JWT" })
+  );
+  const body = base64urlEncode(JSON.stringify(payload));
+  const signingInput = `${header}.${body}`;
+  const signature = await hmacSign(signingInput, secret);
+  return `${signingInput}.${signature}`;
+}
+async function verifySessionJwt(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    return null;
+  }
+  const [header, body, signature] = parts;
+  const signingInput = `${header}.${body}`;
+  let valid;
+  try {
+    valid = await hmacVerify(signingInput, signature, secret);
+  } catch {
+    return null;
+  }
+  if (!valid) {
+    return null;
+  }
+  let payload;
+  try {
+    payload = JSON.parse(base64urlDecode(body));
+  } catch {
+    return null;
+  }
+  if (typeof payload !== "object" || payload === null || !("sessionId" in payload) || !("email" in payload) || !("permissions" in payload) || !("expiresAt" in payload)) {
+    return null;
+  }
+  const sessionToken = payload;
+  const nowSeconds = Math.floor(Date.now() / 1e3);
+  if (sessionToken.expiresAt <= nowSeconds) {
+    return null;
+  }
+  return sessionToken;
+}
+// src/permissions.ts
+function resolveHighestPermission(allowedActions) {
+  if (allowedActions.includes("admin")) {
+    return "admin";
+  }
+  if (allowedActions.includes("write")) {
+    return "write";
+  }
+  return "read";
+}
+// src/sessions/auto-approve.ts
+async function createAutoApproveSession(email, validated) {
+  const expiresInSeconds = Math.floor(validated.tokenLifetimeMs / 1e3);
+  const expiresAt = Math.floor(Date.now() / 1e3) + expiresInSeconds;
+  const highestPermission = resolveHighestPermission(validated.allowedActions);
+  const payload = {
+    sessionId: globalThis.crypto.randomUUID(),
+    email,
+    permissions: highestPermission,
+    expiresAt
+  };
+  const sessionToken = await signSessionJwt(
+    payload,
+    validated.connectionTokenSecret
+  );
+  return { sessionToken, expiresIn: expiresInSeconds };
+}
+// src/sessions/email-relay.ts
+var RELAY_URL = "https://api.usebetter.dev/api/email/send-magic-link";
+async function sendMagicLinkViaRelay(data) {
+  const normalizedBase = data.baseUrl.replace(/\/+$/, "");
+  const magicLinkUrl = `${normalizedBase}/.well-known/better/console/session/verify?code=${encodeURIComponent(data.code)}&session_id=${encodeURIComponent(data.sessionId)}`;
+  const envName = process.env.NODE_ENV ?? "production";
+  const response = await fetch(RELAY_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      to: data.email,
+      magicLinkUrl,
+      appName: data.appName,
+      envName
+    })
+  });
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    throw new ConsoleEmailRelayError(
+      `Console email relay returned ${String(response.status)}: ${body}`
+    );
+  }
+}
+// src/sessions/magic-link.ts
+var MAGIC_LINK_EXPIRY_MS = 10 * 60 * 1e3;
+async function initMagicLinkSession(email, validated, adapter, magicLinkConfig, relayContext) {
+  const normalizedEmail = email.trim().toLowerCase();
+  if (!validated.allowedEmails.includes(normalizedEmail)) {
+    throw new ConsoleEmailNotAllowedError(normalizedEmail);
+  }
+  const code = generateMagicLinkCode();
+  const codeHash = await hashMagicLinkCode(code);
+  const sessionId = globalThis.crypto.randomUUID();
+  const expiresAt = new Date(Date.now() + MAGIC_LINK_EXPIRY_MS);
+  await adapter.magicLinks.createMagicLink({
+    email: normalizedEmail,
+    codeHash,
+    sessionId,
+    expiresAt
+  });
+  if (magicLinkConfig.sendMagicLinkEmail) {
+    await magicLinkConfig.sendMagicLinkEmail({
+      email: normalizedEmail,
+      sessionId,
+      code
+    });
+  } else if (relayContext) {
+    await sendMagicLinkViaRelay({
+      email: normalizedEmail,
+      code,
+      sessionId,
+      appName: relayContext.appName,
+      baseUrl: relayContext.baseUrl
+    });
+  }
+  return { sessionId };
+}
+// src/sessions/verify.ts
+async function verifySession(token, validated, adapter) {
+  const jwtPayload = await verifySessionJwt(
+    token,
+    validated.connectionTokenSecret
+  );
+  if (jwtPayload) {
+    return {
+      id: jwtPayload.sessionId,
+      email: jwtPayload.email,
+      permissions: jwtPayload.permissions,
+      expiresAt: new Date(jwtPayload.expiresAt * 1e3),
+      createdAt: /* @__PURE__ */ new Date()
+    };
+  }
+  if (adapter) {
+    const tokenHash = await hashToken(token);
+    const session = await adapter.sessions.getSessionByTokenHash(tokenHash);
+    if (!session) {
+      return null;
+    }
+    if (session.expiresAt.getTime() <= Date.now()) {
+      return null;
+    }
+    return session;
+  }
+  return null;
+}
+// src/router.ts
+function matchPath(pattern, actual) {
+  const patternParts = pattern.split("/").filter((p) => p.length > 0);
+  const actualParts = actual.split("/").filter((p) => p.length > 0);
+  if (patternParts.length !== actualParts.length) {
+    return null;
+  }
+  const params = {};
+  for (let i = 0; i < patternParts.length; i++) {
+    const pp = patternParts[i];
+    const ap = actualParts[i];
+    if (pp.startsWith(":")) {
+      params[pp.slice(1)] = ap;
+    } else if (pp !== ap) {
+      return null;
+    }
+  }
+  return params;
+}
+var ConsoleRouter = class {
+  routes = [];
+  /**
+   * Register a built-in console route (e.g. session/init, health).
+   */
+  addConsoleRoute(method, path, handler, options = {}) {
+    this.routes.push({
+      method: method.toUpperCase(),
+      pattern: `/console${path}`,
+      route: {
+        handler,
+        requiresAuth: options.requiresAuth ?? false,
+        requiredPermission: options.requiredPermission ?? "read"
+      }
+    });
+  }
+  /**
+   * Register all endpoints from a product.
+   */
+  registerProduct(product) {
+    for (const endpoint of product.endpoints) {
+      const handler = endpoint.handler;
+      this.routes.push({
+        method: endpoint.method.toUpperCase(),
+        pattern: `/${product.id}${endpoint.path}`,
+        route: {
+          handler,
+          requiresAuth: true,
+          requiredPermission: endpoint.requiredPermission ?? "read"
+        }
+      });
+    }
+  }
+  /**
+   * Match an incoming request method + path against registered routes.
+   * For OPTIONS, matches any registered path regardless of method.
+   */
+  match(method, path) {
+    const upperMethod = method.toUpperCase();
+    if (upperMethod === "OPTIONS") {
+      for (const entry of this.routes) {
+        const params = matchPath(entry.pattern, path);
+        if (params) {
+          return {
+            handler: entry.route.handler,
+            params,
+            requiresAuth: false,
+            requiredPermission: "read"
+          };
+        }
+      }
+      return null;
+    }
+    for (const entry of this.routes) {
+      if (entry.method !== upperMethod) {
+        continue;
+      }
+      const params = matchPath(entry.pattern, path);
+      if (params) {
+        return {
+          handler: entry.route.handler,
+          params,
+          requiresAuth: entry.route.requiresAuth,
+          requiredPermission: entry.route.requiredPermission
+        };
+      }
+    }
+    return null;
+  }
+};
+function hasPermission(sessionPermission, required) {
+  const levels = {
+    read: 1,
+    write: 2,
+    admin: 3
+  };
+  return levels[sessionPermission] >= levels[required];
+}
+function extractBearerToken(headers) {
+  const auth = headers.get("authorization");
+  if (!auth) {
+    return null;
+  }
+  const parts = auth.split(" ");
+  if (parts.length !== 2 || parts[0]?.toLowerCase() !== "bearer") {
+    return null;
+  }
+  return parts[1] ?? null;
+}
+// src/cors.ts
+var ALLOWED_HEADERS = "Authorization, Content-Type";
+var ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS";
+var MAX_AGE = "86400";
+function isLocalhost(origin) {
+  try {
+    const url = new URL(origin);
+    return url.hostname === "localhost" || url.hostname === "127.0.0.1";
+  } catch {
+    return false;
+  }
+}
+function isDevEnvironment() {
+  const nodeEnv = (typeof process !== "undefined" ? process.env?.NODE_ENV : void 0) ?? "";
+  return nodeEnv === "development" || nodeEnv === "test";
+}
+function isOriginAllowed(origin, config) {
+  if (config.allowedOrigins.includes(origin)) {
+    return true;
+  }
+  if (isDevEnvironment() && isLocalhost(origin)) {
+    return true;
+  }
+  return false;
+}
+function getCorsHeaders(origin, config) {
+  if (!origin) {
+    return null;
+  }
+  if (!isOriginAllowed(origin, config)) {
+    return null;
+  }
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Headers": ALLOWED_HEADERS,
+    "Access-Control-Allow-Methods": ALLOWED_METHODS,
+    "Vary": "Origin"
+  };
+}
+function getPreflightCorsHeaders(origin, config) {
+  const headers = getCorsHeaders(origin, config);
+  if (!headers) {
+    return null;
+  }
+  return {
+    ...headers,
+    "Access-Control-Max-Age": MAX_AGE
+  };
+}
+// src/handlers/health.ts
+async function handleHealth(_request) {
+  return {
+    status: 200,
+    body: { status: "ok" }
+  };
+}
+// src/handlers/capabilities.ts
+function createCapabilitiesHandler(instance) {
+  return async (_request) => {
+    return {
+      status: 200,
+      body: instance.getCapabilities()
+    };
+  };
+}
+// src/handlers/session-init.ts
+function createSessionInitHandler(instance) {
+  return async (request) => {
+    try {
+      const result = await instance.initSession(request);
+      return { status: 200, body: result };
+    } catch (error) {
+      if (error instanceof ConsoleError) {
+        return {
+          status: 400,
+          body: { error: error.message, code: error.code }
+        };
+      }
+      throw error;
+    }
+  };
+}
+// src/input-validation.ts
+var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var MAGIC_CODE_RE = /^[A-HJ-NP-Z2-9]{6}$/;
+function isValidUuid(value) {
+  return UUID_RE.test(value);
+}
+function isValidMagicLinkCode(value) {
+  return MAGIC_CODE_RE.test(value);
+}
+// src/handlers/session-verify.ts
+var DEFAULT_MAX_ATTEMPTS = 5;
+async function verifyMagicLink(code, sessionId, adapter, maxAttempts) {
+  if (!code || !sessionId) {
+    return { ok: false, status: 400, error: "Missing code or session_id" };
+  }
+  if (typeof code !== "string" || !isValidMagicLinkCode(code)) {
+    return { ok: false, status: 400, error: "Invalid code format" };
+  }
+  if (typeof sessionId !== "string" || !isValidUuid(sessionId)) {
+    return { ok: false, status: 400, error: "Invalid session_id format" };
+  }
+  const magicLink = await adapter.magicLinks.getMagicLinkBySessionId(sessionId);
+  if (!magicLink) {
+    return { ok: false, status: 404, error: "Magic link not found" };
+  }
+  if (magicLink.usedAt !== null) {
+    return { ok: false, status: 410, error: "Magic link already used" };
+  }
+  if (magicLink.expiresAt.getTime() <= Date.now()) {
+    return { ok: false, status: 410, error: "Magic link expired" };
+  }
+  if (magicLink.failedAttempts >= maxAttempts) {
+    return { ok: false, status: 429, error: "Too many failed attempts" };
+  }
+  const providedCodeHash = await hashMagicLinkCode(code);
+  if (providedCodeHash !== magicLink.codeHash) {
+    await adapter.magicLinks.incrementFailedAttempts(magicLink.id);
+    return { ok: false, status: 401, error: "Invalid code" };
+  }
+  await adapter.magicLinks.markMagicLinkUsed(magicLink.id);
+  return { ok: true };
+}
+function createSessionVerifyHandler(adapter, options = {}) {
+  const maxAttempts = options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
+  return async (request) => {
+    const body = request.body;
+    const result = await verifyMagicLink(
+      body?.code,
+      body?.session_id,
+      adapter,
+      maxAttempts
+    );
+    if (!result.ok) {
+      return {
+        status: result.status,
+        body: { error: result.error }
+      };
+    }
+    return {
+      status: 200,
+      body: { status: "verified" }
+    };
+  };
+}
+function htmlPage(title, message) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${title}</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; min-height: 100vh; margin: 0; background: #fafafa; }
+    .card { text-align: center; padding: 2rem; max-width: 400px; }
+    h1 { font-size: 1.25rem; margin-bottom: 0.5rem; }
+    p { color: #555; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>${title}</h1>
+    <p>${message}</p>
+  </div>
+</body>
+</html>`;
+}
+function createSessionVerifyGetHandler(adapter, options = {}) {
+  const maxAttempts = options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
+  return async (request) => {
+    const code = request.query.code;
+    const sessionId = request.query.session_id;
+    const result = await verifyMagicLink(
+      code,
+      sessionId,
+      adapter,
+      maxAttempts
+    );
+    if (!result.ok) {
+      return {
+        status: result.status,
+        body: htmlPage("Verification failed", result.error),
+        headers: { "content-type": "text/html; charset=utf-8" }
+      };
+    }
+    return {
+      status: 200,
+      body: htmlPage(
+        "Verification successful",
+        "You can close this tab and return to the Console."
+      ),
+      headers: { "content-type": "text/html; charset=utf-8" }
+    };
+  };
+}
+// src/handlers/session-poll.ts
+function createSessionPollHandler(adapter) {
+  return async (request) => {
+    const sessionId = request.query.session_id;
+    if (!sessionId) {
+      return {
+        status: 400,
+        body: { error: "Missing session_id" }
+      };
+    }
+    if (!isValidUuid(sessionId)) {
+      return {
+        status: 400,
+        body: { error: "Invalid session_id format" }
+      };
+    }
+    const magicLink = await adapter.magicLinks.getMagicLinkBySessionId(sessionId);
+    if (!magicLink) {
+      return {
+        status: 404,
+        body: { error: "Magic link not found" }
+      };
+    }
+    if (magicLink.usedAt === null && magicLink.expiresAt.getTime() <= Date.now()) {
+      return {
+        status: 200,
+        body: { status: "expired" }
+      };
+    }
+    if (magicLink.usedAt === null) {
+      return {
+        status: 200,
+        body: { status: "pending" }
+      };
+    }
+    return {
+      status: 200,
+      body: { status: "verified" }
+    };
+  };
+}
+// src/handlers/session-claim.ts
+var CLAIM_GRACE_MS = 60 * 1e3;
+function createSessionClaimHandler(validated, adapter) {
+  return async (request) => {
+    const body = request.body;
+    const sessionId = body?.session_id;
+    if (!sessionId) {
+      return {
+        status: 400,
+        body: { error: "Missing session_id" }
+      };
+    }
+    if (typeof sessionId !== "string" || !isValidUuid(sessionId)) {
+      return {
+        status: 400,
+        body: { error: "Invalid session_id format" }
+      };
+    }
+    const magicLink = await adapter.magicLinks.getMagicLinkBySessionId(sessionId);
+    if (!magicLink) {
+      return {
+        status: 404,
+        body: { error: "Magic link not found" }
+      };
+    }
+    if (magicLink.usedAt === null) {
+      return {
+        status: 409,
+        body: { error: "Magic link not yet verified" }
+      };
+    }
+    if (magicLink.expiresAt.getTime() + CLAIM_GRACE_MS <= Date.now()) {
+      return {
+        status: 410,
+        body: { error: "Magic link expired" }
+      };
+    }
+    if (magicLink.tokenHash !== null) {
+      return {
+        status: 200,
+        body: { status: "already_claimed" }
+      };
+    }
+    const sessionToken = generateSessionToken();
+    const tokenHash = await hashToken(sessionToken);
+    const claimed = await adapter.magicLinks.setMagicLinkTokenHash(
+      magicLink.id,
+      tokenHash
+    );
+    if (!claimed) {
+      return {
+        status: 200,
+        body: { status: "already_claimed" }
+      };
+    }
+    const expiresInSeconds = Math.floor(validated.tokenLifetimeMs / 1e3);
+    const expiresAt = new Date(Date.now() + validated.tokenLifetimeMs);
+    const highestPermission = resolveHighestPermission(validated.allowedActions);
+    try {
+      await adapter.sessions.createSession({
+        email: magicLink.email,
+        tokenHash,
+        permissions: highestPermission,
+        expiresAt
+      });
+    } catch (error) {
+      await adapter.magicLinks.clearMagicLinkTokenHash(magicLink.id);
+      throw error;
+    }
+    return {
+      status: 200,
+      body: {
+        status: "claimed",
+        sessionToken,
+        expiresIn: expiresInSeconds
+      }
+    };
+  };
+}
+// src/better-console.ts
+function addCorsHeaders(response, origin, allowedOrigins) {
+  const corsHeaders = getCorsHeaders(origin, { allowedOrigins });
+  if (!corsHeaders) {
+    return response;
+  }
+  return {
+    ...response,
+    headers: { ...response.headers, ...corsHeaders }
+  };
+}
+function betterConsole(config) {
+  const validated = validateConfig(config);
+  const products = [];
+  const router = new ConsoleRouter();
+  const instance = {
+    async initSession(request) {
+      if (config.sessions.autoApprove) {
+        const body = request.body;
+        const email = body?.email ?? "dev@localhost";
+        const result = await createAutoApproveSession(email, validated);
+        return { method: "auto_approve", ...result };
+      }
+      if (config.sessions.magicLink) {
+        if (!config.adapter) {
+          throw new ConsoleAdapterRequiredError();
+        }
+        const body = request.body;
+        const email = body?.email;
+        if (!email || typeof email !== "string") {
+          throw new ConsoleError(
+            "Email is required for magic link sessions",
+            "EMAIL_REQUIRED"
+          );
+        }
+        const relayContext = body?.appName && body?.baseUrl ? { appName: body.appName, baseUrl: body.baseUrl } : void 0;
+        const result = await initMagicLinkSession(
+          email,
+          validated,
+          config.adapter,
+          config.sessions.magicLink,
+          relayContext
+        );
+        return { method: "magic_link", sessionId: result.sessionId };
+      }
+      throw new ConsoleError(
+        "No session method configured",
+        "NO_SESSION_METHOD"
+      );
+    },
+    async verifySession(token) {
+      return verifySession(token, validated, config.adapter);
+    },
+    async refreshSession(_token) {
+      return null;
+    },
+    async revokeSession(sessionId) {
+      if (config.adapter) {
+        await config.adapter.sessions.deleteSession(sessionId);
+      }
+    },
+    async revokeAllSessions() {
+      if (config.adapter) {
+        await config.adapter.sessions.deleteAllSessions();
+      }
+    },
+    registerProduct(product) {
+      const existing = products.find((p) => p.id === product.id);
+      if (existing) {
+        throw new ConsoleError(
+          `Product "${product.id}" is already registered`,
+          "DUPLICATE_PRODUCT"
+        );
+      }
+      products.push(product);
+      router.registerProduct(product);
+    },
+    getRegisteredProducts() {
+      return [...products];
+    },
+    async handleConsoleRequest(request) {
+      const origin = request.headers.get("origin");
+      try {
+        const match = router.match(request.method, request.path);
+        if (!match) {
+          return addCorsHeaders(
+            { status: 404, body: { error: "Not found" } },
+            origin,
+            validated.allowedOrigins
+          );
+        }
+        if (request.method.toUpperCase() === "OPTIONS") {
+          const preflightHeaders = getPreflightCorsHeaders(origin, {
+            allowedOrigins: validated.allowedOrigins
+          }) ?? {};
+          return { status: 204, body: null, headers: preflightHeaders };
+        }
+        if (match.requiresAuth) {
+          const token = extractBearerToken(request.headers);
+          if (!token) {
+            return addCorsHeaders(
+              { status: 401, body: { error: "Missing session token" } },
+              origin,
+              validated.allowedOrigins
+            );
+          }
+          const session = await instance.verifySession(token);
+          if (!session) {
+            return addCorsHeaders(
+              { status: 401, body: { error: "Invalid or expired session" } },
+              origin,
+              validated.allowedOrigins
+            );
+          }
+          if (!hasPermission(session.permissions, match.requiredPermission)) {
+            return addCorsHeaders(
+              { status: 403, body: { error: "Insufficient permissions" } },
+              origin,
+              validated.allowedOrigins
+            );
+          }
+          const enrichedRequest2 = {
+            ...request,
+            params: match.params,
+            session
+          };
+          const response2 = await match.handler(enrichedRequest2);
+          return addCorsHeaders(response2, origin, validated.allowedOrigins);
+        }
+        const enrichedRequest = { ...request, params: match.params };
+        const response = await match.handler(enrichedRequest);
+        return addCorsHeaders(response, origin, validated.allowedOrigins);
+      } catch (error) {
+        if (error instanceof ConsoleError) {
+          return addCorsHeaders(
+            { status: 400, body: { error: error.message, code: error.code } },
+            origin,
+            validated.allowedOrigins
+          );
+        }
+        if (config.onError) {
+          config.onError(error);
+        }
+        return addCorsHeaders(
+          { status: 500, body: { error: "Internal server error" } },
+          origin,
+          validated.allowedOrigins
+        );
+      }
+    },
+    getCapabilities() {
+      const authMethods = [];
+      if (config.sessions.autoApprove) {
+        authMethods.push("auto_approve");
+      }
+      if (config.sessions.magicLink) {
+        authMethods.push("magic_link");
+      }
+      if (config.sessions.authenticate) {
+        authMethods.push("authenticate");
+      }
+      return {
+        products: products.map((p) => p.id),
+        authMethods,
+        permissions: validated.allowedActions
+      };
+    },
+    config
+  };
+  router.addConsoleRoute("GET", "/health", handleHealth);
+  router.addConsoleRoute(
+    "GET",
+    "/capabilities",
+    createCapabilitiesHandler(instance)
+  );
+  router.addConsoleRoute(
+    "POST",
+    "/session/init",
+    createSessionInitHandler(instance)
+  );
+  if (config.adapter) {
+    const verifyOptions = config.sessions.magicLink?.maxAttempts !== void 0 ? { maxAttempts: config.sessions.magicLink.maxAttempts } : {};
+    router.addConsoleRoute(
+      "POST",
+      "/session/verify",
+      createSessionVerifyHandler(config.adapter, verifyOptions)
+    );
+    router.addConsoleRoute(
+      "GET",
+      "/session/verify",
+      createSessionVerifyGetHandler(config.adapter, verifyOptions)
+    );
+    router.addConsoleRoute(
+      "GET",
+      "/session/poll",
+      createSessionPollHandler(config.adapter)
+    );
+    router.addConsoleRoute(
+      "POST",
+      "/session/claim",
+      createSessionClaimHandler(validated, config.adapter)
+    );
+  }
+  return instance;
+}
+export {
+  ConsoleAdapterRequiredError,
+  ConsoleAutoApproveInProductionError,
+  ConsoleEmailNotAllowedError,
+  ConsoleError,
+  ConsoleInvalidTokenError,
+  ConsoleMagicLinkExpiredError,
+  ConsoleRouter,
+  ConsoleSessionExpiredError,
+  betterConsole,
+  extractBearerToken,
+  generateMagicLinkCode,
+  generateSessionToken,
+  getCorsHeaders,
+  getPreflightCorsHeaders,
+  hasPermission,
+  hashMagicLinkCode,
+  hashToken,
+  isOriginAllowed,
+  parseConnectionTokenHash,
+  parseDuration,
+  signSessionJwt,
+  verifySessionJwt,
+  verifyTokenHash
+};
+//# sourceMappingURL=index.js.map