actor-gate 0.1.0

package/src/next/rewrites.d.ts

@@ -0,0 +1,12 @@
+export type NextRewrite = {
+    source: string;
+    destination: string;
+};
+export type BuildAuthRewritesOptions = {
+    authBasePath?: string;
+    mcpPath?: string;
+    authorizePath?: string;
+    tokenPath?: string;
+    wellKnownBase?: string;
+};
+export declare function buildAuthRewrites(options?: BuildAuthRewritesOptions): NextRewrite[];

package/src/next/rewrites.js

@@ -0,0 +1,74 @@
+import { buildAuthRoutePath } from './shared/auth-routes';
+function normalizePath(path) {
+    const trimmed = path.trim();
+    if (trimmed.length === 0) {
+        throw new Error('Path must be a non-empty string.');
+    }
+    const withLeadingSlash = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
+    if (withLeadingSlash.length === 1) {
+        return withLeadingSlash;
+    }
+    return withLeadingSlash.endsWith('/')
+        ? withLeadingSlash.slice(0, -1)
+        : withLeadingSlash;
+}
+function joinPath(basePath, suffix) {
+    const base = normalizePath(basePath);
+    const cleanedSuffix = suffix.replace(/^\/+/, '').replace(/\/+$/, '');
+    if (base === '/') {
+        return `/${cleanedSuffix}`;
+    }
+    return `${base}/${cleanedSuffix}`;
+}
+function assertNoConflictingSource(output, nextRewrite) {
+    const existing = output.find(rewrite => rewrite.source === nextRewrite.source);
+    if (!existing) {
+        return;
+    }
+    throw new Error(`Conflicting rewrite source detected: "${nextRewrite.source}" points to both "${existing.destination}" and "${nextRewrite.destination}".`);
+}
+function pushRewrite(output, source, destination) {
+    const normalizedSource = normalizePath(source);
+    const normalizedDestination = normalizePath(destination);
+    if (normalizedSource === normalizedDestination) {
+        return;
+    }
+    const rewrite = {
+        source: normalizedSource,
+        destination: normalizedDestination,
+    };
+    assertNoConflictingSource(output, rewrite);
+    output.push(rewrite);
+}
+function buildPublicPathMap(input) {
+    return {
+        refresh: buildAuthRoutePath('refresh'),
+        logout: buildAuthRoutePath('logout'),
+        login_start: buildAuthRoutePath('login_start'),
+        login_finish: buildAuthRoutePath('login_finish'),
+        authorize: input.authorizePath,
+        authorize_confirm: joinPath(input.authorizePath, 'confirm'),
+        token: input.tokenPath,
+        well_known_oauth_protected_resource: joinPath(input.wellKnownBase, 'oauth-protected-resource'),
+        well_known_oauth_authorization_server: joinPath(input.wellKnownBase, 'oauth-authorization-server'),
+        well_known_openid_configuration: joinPath(input.wellKnownBase, 'openid-configuration'),
+    };
+}
+export function buildAuthRewrites(options) {
+    const authBasePath = normalizePath(options?.authBasePath ?? '/api/auth');
+    const authorizePath = normalizePath(options?.authorizePath ?? '/api/authorize');
+    const tokenPath = normalizePath(options?.tokenPath ?? '/api/token');
+    const wellKnownBase = normalizePath(options?.wellKnownBase ?? '/api/well-known');
+    const mcpPath = normalizePath(options?.mcpPath ?? '/api/mcp');
+    const publicPaths = buildPublicPathMap({
+        authorizePath,
+        tokenPath,
+        wellKnownBase,
+    });
+    const rewrites = [];
+    Object.keys(publicPaths).forEach(action => {
+        pushRewrite(rewrites, publicPaths[action], buildAuthRoutePath(action, { authBasePath }));
+    });
+    pushRewrite(rewrites, mcpPath, joinPath(authBasePath, 'mcp'));
+    return rewrites;
+}

package/src/next/shared/auth-http.d.ts

@@ -0,0 +1,24 @@
+import { type AuthServiceError, type AuthServiceErrorCode } from '../../core/services/auth-error';
+export type AuthErrorResponseBody = {
+    error: AuthServiceErrorCode | 'system_error';
+    error_description: string;
+    request_id?: string;
+};
+export type BuiltAuthErrorHttpResponse = {
+    statusCode: number;
+    challengeHeader?: string;
+    body: AuthErrorResponseBody;
+};
+export declare function buildAuthErrorHttpResponse(input: {
+    error: AuthServiceError;
+    requestId?: string;
+    includeChallengeError?: boolean;
+    challengeScope?: string;
+    resourceMetadataUrl?: string;
+}): BuiltAuthErrorHttpResponse;
+export declare function buildSystemErrorHttpResponse(options?: {
+    requestId?: string;
+}): {
+    statusCode: 500;
+    body: AuthErrorResponseBody;
+};

package/src/next/shared/auth-http.js

@@ -0,0 +1,42 @@
+import { buildBearerChallengeHeader } from '../../core/http/bearer-challenge';
+import { authErrorToHttpStatus, } from '../../core/services/auth-error';
+function toBearerChallengeError(code) {
+    return code === 'invalid_client' ? 'invalid_client' : 'invalid_token';
+}
+export function buildAuthErrorHttpResponse(input) {
+    const statusCode = authErrorToHttpStatus(input.error.code);
+    const challengeHeader = statusCode === 401
+        ? buildBearerChallengeHeader({
+            ...(input.challengeScope === undefined
+                ? {}
+                : { scope: input.challengeScope }),
+            ...(input.resourceMetadataUrl === undefined
+                ? {}
+                : { resourceMetadataUrl: input.resourceMetadataUrl }),
+            ...(input.includeChallengeError === false
+                ? {}
+                : { error: toBearerChallengeError(input.error.code) }),
+        })
+        : undefined;
+    return {
+        statusCode,
+        ...(challengeHeader === undefined ? {} : { challengeHeader }),
+        body: {
+            error: input.error.code,
+            error_description: input.error.message,
+            ...(input.requestId === undefined ? {} : { request_id: input.requestId }),
+        },
+    };
+}
+export function buildSystemErrorHttpResponse(options) {
+    return {
+        statusCode: 500,
+        body: {
+            error: 'system_error',
+            error_description: 'Internal server error.',
+            ...(options?.requestId === undefined
+                ? {}
+                : { request_id: options.requestId }),
+        },
+    };
+}

package/src/next/shared/auth-routes.d.ts

@@ -0,0 +1,17 @@
+export declare const AUTH_ROUTE_ACTIONS: readonly ["refresh", "logout", "login_start", "login_finish", "authorize", "authorize_confirm", "token", "well_known_oauth_protected_resource", "well_known_oauth_authorization_server", "well_known_openid_configuration"];
+export type AuthRouteAction = (typeof AUTH_ROUTE_ACTIONS)[number];
+export declare const AUTH_ROUTE_HTTP_METHODS: readonly ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"];
+export type AuthRouteHttpMethod = (typeof AUTH_ROUTE_HTTP_METHODS)[number];
+export type AuthRouteDefinition = {
+    action: AuthRouteAction;
+    segments: readonly string[];
+    aliases?: readonly (readonly string[])[];
+    methods: readonly AuthRouteHttpMethod[];
+};
+export declare const AUTH_ROUTE_DEFINITIONS: readonly AuthRouteDefinition[];
+export declare function normalizeAuthRouteSegments(value: string | readonly string[] | undefined): string[];
+export declare function resolveAuthRoute(segments: readonly string[]): AuthRouteDefinition | undefined;
+export declare function isAuthRouteMethodAllowed(route: AuthRouteDefinition, method: string | undefined): boolean;
+export declare function buildAuthRoutePath(action: AuthRouteAction, options?: {
+    authBasePath?: string;
+}): string;

package/src/next/shared/auth-routes.js

@@ -0,0 +1,153 @@
+export const AUTH_ROUTE_ACTIONS = [
+    'refresh',
+    'logout',
+    'login_start',
+    'login_finish',
+    'authorize',
+    'authorize_confirm',
+    'token',
+    'well_known_oauth_protected_resource',
+    'well_known_oauth_authorization_server',
+    'well_known_openid_configuration',
+];
+export const AUTH_ROUTE_HTTP_METHODS = [
+    'GET',
+    'POST',
+    'PUT',
+    'PATCH',
+    'DELETE',
+    'OPTIONS',
+    'HEAD',
+];
+const AUTH_ROUTE_DEFINITION_MAP = {
+    refresh: {
+        action: 'refresh',
+        segments: ['refresh'],
+        methods: ['POST'],
+    },
+    logout: {
+        action: 'logout',
+        segments: ['logout'],
+        methods: ['POST'],
+    },
+    login_start: {
+        action: 'login_start',
+        segments: ['login', 'start'],
+        aliases: [['magic', 'start']],
+        methods: ['POST'],
+    },
+    login_finish: {
+        action: 'login_finish',
+        segments: ['login', 'finish'],
+        aliases: [['magic', 'verify']],
+        methods: ['GET'],
+    },
+    authorize: {
+        action: 'authorize',
+        segments: ['authorize'],
+        methods: ['GET'],
+    },
+    authorize_confirm: {
+        action: 'authorize_confirm',
+        segments: ['authorize', 'confirm'],
+        methods: ['POST'],
+    },
+    token: {
+        action: 'token',
+        segments: ['token'],
+        methods: ['POST'],
+    },
+    well_known_oauth_protected_resource: {
+        action: 'well_known_oauth_protected_resource',
+        segments: ['well-known', 'oauth-protected-resource'],
+        methods: ['GET'],
+    },
+    well_known_oauth_authorization_server: {
+        action: 'well_known_oauth_authorization_server',
+        segments: ['well-known', 'oauth-authorization-server'],
+        methods: ['GET'],
+    },
+    well_known_openid_configuration: {
+        action: 'well_known_openid_configuration',
+        segments: ['well-known', 'openid-configuration'],
+        methods: ['GET'],
+    },
+};
+function safeDecodeUriComponent(value) {
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+}
+function normalizePathPart(part) {
+    return part
+        .split('/')
+        .map(segment => segment.trim())
+        .filter(segment => segment.length > 0)
+        .map(safeDecodeUriComponent);
+}
+function areSegmentsEqual(left, right) {
+    if (left.length !== right.length) {
+        return false;
+    }
+    for (let index = 0; index < left.length; index += 1) {
+        if (left[index] !== right[index]) {
+            return false;
+        }
+    }
+    return true;
+}
+function normalizePathPrefix(path) {
+    const trimmed = path.trim();
+    if (trimmed.length === 0) {
+        throw new Error('Path must be a non-empty string.');
+    }
+    const withLeadingSlash = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
+    if (withLeadingSlash.length === 1) {
+        return withLeadingSlash;
+    }
+    return withLeadingSlash.endsWith('/')
+        ? withLeadingSlash.slice(0, -1)
+        : withLeadingSlash;
+}
+export const AUTH_ROUTE_DEFINITIONS = AUTH_ROUTE_ACTIONS.map(action => AUTH_ROUTE_DEFINITION_MAP[action]);
+export function normalizeAuthRouteSegments(value) {
+    if (value === undefined) {
+        return [];
+    }
+    const parts = Array.isArray(value) ? value : [value];
+    const segments = [];
+    for (const part of parts) {
+        segments.push(...normalizePathPart(part));
+    }
+    return segments;
+}
+export function resolveAuthRoute(segments) {
+    for (const route of AUTH_ROUTE_DEFINITIONS) {
+        if (areSegmentsEqual(route.segments, segments)) {
+            return route;
+        }
+        if (route.aliases) {
+            for (const alias of route.aliases) {
+                if (areSegmentsEqual(alias, segments)) {
+                    return route;
+                }
+            }
+        }
+    }
+    return undefined;
+}
+export function isAuthRouteMethodAllowed(route, method) {
+    if (!method) {
+        return false;
+    }
+    return route.methods.includes(method.toUpperCase());
+}
+export function buildAuthRoutePath(action, options) {
+    const basePath = normalizePathPrefix(options?.authBasePath ?? '/api/auth');
+    const route = AUTH_ROUTE_DEFINITION_MAP[action];
+    const routeSuffix = route.segments.join('/');
+    return basePath === '/' ? `/${routeSuffix}` : `${basePath}/${routeSuffix}`;
+}

package/src/next/shared/direct-auth-utils.d.ts

@@ -0,0 +1,71 @@
+import type { AccessTokenSource, AccessTokenTransportAdapter, AccessTokenTransportInput } from '../../core/adapters/access-token-transport-adapter';
+import type { AuthActor } from '../../core/types/auth-contract';
+export declare const DEFAULT_ACCESS_TOKEN_COOKIE_NAME = "access_token";
+export declare const DEFAULT_REFRESH_TOKEN_COOKIE_NAME = "refresh_token";
+export declare const DEFAULT_CSRF_COOKIE_NAME = "csrf_token";
+export declare const DEFAULT_CSRF_HEADER_NAME = "x-csrf-token";
+export declare const DEFAULT_CSRF_BODY_FIELD_NAME = "csrf_token";
+export type DirectAccessTokenTransportConfig<TActor extends AuthActor = AuthActor> = {
+    priority?: readonly AccessTokenSource[];
+    cookieName?: string;
+    requireBearerForActors?: readonly TActor[] | ReadonlySet<TActor>;
+    adapter?: AccessTokenTransportAdapter<TActor>;
+};
+export type DirectCsrfConfig = {
+    enabled?: boolean;
+    headerName?: string;
+    cookieName?: string;
+    bodyFieldName?: string;
+    ignorePaths?: readonly string[];
+};
+export type RefreshTokenSource = 'cookie' | 'body';
+export type HeaderBag = Headers | Record<string, unknown>;
+export declare function parseBearerAuthorizationHeader(authorizationHeader: string | undefined): string | undefined;
+export declare function extractAccessTokenWithPriority(input: {
+    transport: AccessTokenTransportInput;
+    priority?: readonly AccessTokenSource[];
+    cookieName?: string;
+}): {
+    token: string | null;
+    source?: AccessTokenSource;
+};
+export declare function resolveAccessTokenTransportAdapter<TActor extends AuthActor = AuthActor>(config: DirectAccessTokenTransportConfig<TActor> | undefined): AccessTokenTransportAdapter<TActor>;
+export declare function assertBearerOnlyActorPolicy<TActor extends AuthActor>(input: {
+    source?: AccessTokenSource;
+    actor: TActor;
+    requireBearerForActors?: readonly TActor[] | ReadonlySet<TActor>;
+}): void;
+export declare function extractRefreshToken(input: {
+    body: Record<string, unknown>;
+    cookies: Record<string, string | undefined>;
+    cookieName?: string;
+    bodyFieldName?: string;
+    priority?: readonly RefreshTokenSource[];
+}): {
+    token?: string;
+    source?: RefreshTokenSource;
+};
+export declare function getHeaderValue(headers: HeaderBag, headerName: string): string | undefined;
+export declare function resolvePathnameFromUrl(url: string | undefined): string;
+export declare function isMutationHttpMethod(method: string | undefined): boolean;
+export declare function assertCsrfForCookieMutation(input: {
+    method: string | undefined;
+    pathname: string;
+    cookies: Record<string, string | undefined>;
+    headers: HeaderBag;
+    body?: Record<string, unknown>;
+    cookieAuthenticated: boolean;
+    config?: DirectCsrfConfig;
+}): void;
+export declare function resolveLoginMethod(input: {
+    pathname: string;
+    phase: 'start' | 'finish';
+    body?: Record<string, unknown>;
+    queryMethod?: unknown;
+    defaultMethod?: string;
+}): string;
+export declare function resolveCookieSecureFlag(input?: {
+    secure?: boolean;
+    secureInProduction?: boolean;
+}): boolean;
+export declare function parseNonNegativeSafeInteger(value: unknown, fieldName: string): number;

package/src/next/shared/direct-auth-utils.js

@@ -0,0 +1,275 @@
+import { AuthServiceError } from '../../core/services/auth-error';
+import { toSingleString } from './oauth-utils';
+export const DEFAULT_ACCESS_TOKEN_COOKIE_NAME = 'access_token';
+export const DEFAULT_REFRESH_TOKEN_COOKIE_NAME = 'refresh_token';
+export const DEFAULT_CSRF_COOKIE_NAME = 'csrf_token';
+export const DEFAULT_CSRF_HEADER_NAME = 'x-csrf-token';
+export const DEFAULT_CSRF_BODY_FIELD_NAME = 'csrf_token';
+const DEFAULT_ACCESS_TOKEN_PRIORITY = [
+    'bearer',
+    'cookie',
+];
+const DEFAULT_REFRESH_TOKEN_PRIORITY = [
+    'cookie',
+    'body',
+];
+function normalizeAccessTokenPriority(priority) {
+    const resolved = priority ?? DEFAULT_ACCESS_TOKEN_PRIORITY;
+    if (resolved.length === 0) {
+        throw new AuthServiceError({
+            code: 'invalid_request',
+            message: 'accessToken priority must contain at least one source.',
+        });
+    }
+    const normalized = [];
+    for (const source of resolved) {
+        if (source !== 'bearer' && source !== 'cookie') {
+            throw new AuthServiceError({
+                code: 'invalid_request',
+                message: `Unsupported accessToken priority source "${String(source)}".`,
+            });
+        }
+        normalized.push(source);
+    }
+    return normalized;
+}
+function normalizeRefreshTokenPriority(priority) {
+    const resolved = priority ?? DEFAULT_REFRESH_TOKEN_PRIORITY;
+    if (resolved.length === 0) {
+        throw new AuthServiceError({
+            code: 'invalid_request',
+            message: 'refreshToken priority must contain at least one source.',
+        });
+    }
+    const normalized = [];
+    for (const source of resolved) {
+        if (source !== 'cookie' && source !== 'body') {
+            throw new AuthServiceError({
+                code: 'invalid_request',
+                message: `Unsupported refreshToken priority source "${String(source)}".`,
+            });
+        }
+        normalized.push(source);
+    }
+    return normalized;
+}
+function resolveCookieName(value, fallbackName) {
+    const normalized = toSingleString(value);
+    if (normalized === undefined) {
+        return fallbackName;
+    }
+    return normalized;
+}
+function toReadonlyActorSet(actors) {
+    if (!actors) {
+        return new Set();
+    }
+    if (actors instanceof Set) {
+        return actors;
+    }
+    return new Set(actors);
+}
+export function parseBearerAuthorizationHeader(authorizationHeader) {
+    if (!authorizationHeader) {
+        return undefined;
+    }
+    const match = authorizationHeader.match(/^Bearer\s+(.+)$/i);
+    if (!match) {
+        return undefined;
+    }
+    const token = match[1].trim();
+    return token.length > 0 ? token : undefined;
+}
+export function extractAccessTokenWithPriority(input) {
+    const priority = normalizeAccessTokenPriority(input.priority);
+    const cookieName = resolveCookieName(input.cookieName, DEFAULT_ACCESS_TOKEN_COOKIE_NAME);
+    for (const source of priority) {
+        if (source === 'bearer') {
+            const token = parseBearerAuthorizationHeader(input.transport.authorizationHeader);
+            if (token) {
+                return { token, source };
+            }
+            continue;
+        }
+        const cookieToken = toSingleString(input.transport.cookies?.[cookieName]);
+        if (cookieToken) {
+            return {
+                token: cookieToken,
+                source,
+            };
+        }
+    }
+    return { token: null };
+}
+export function resolveAccessTokenTransportAdapter(config) {
+    if (config?.adapter) {
+        return config.adapter;
+    }
+    const priority = normalizeAccessTokenPriority(config?.priority);
+    const cookieName = resolveCookieName(config?.cookieName, DEFAULT_ACCESS_TOKEN_COOKIE_NAME);
+    return {
+        extractAccessToken: ({ transport }) => extractAccessTokenWithPriority({
+            transport,
+            priority,
+            cookieName,
+        }),
+    };
+}
+export function assertBearerOnlyActorPolicy(input) {
+    if (input.source !== 'cookie') {
+        return;
+    }
+    const actorSet = toReadonlyActorSet(input.requireBearerForActors);
+    if (!actorSet.has(input.actor)) {
+        return;
+    }
+    throw new AuthServiceError({
+        code: 'forbidden',
+        message: `Actor "${input.actor}" requires bearer token transport.`,
+    });
+}
+export function extractRefreshToken(input) {
+    const cookieName = resolveCookieName(input.cookieName, DEFAULT_REFRESH_TOKEN_COOKIE_NAME);
+    const bodyFieldName = resolveCookieName(input.bodyFieldName, DEFAULT_REFRESH_TOKEN_COOKIE_NAME);
+    const priority = normalizeRefreshTokenPriority(input.priority);
+    for (const source of priority) {
+        if (source === 'cookie') {
+            const token = toSingleString(input.cookies[cookieName]);
+            if (token) {
+                return { token, source };
+            }
+            continue;
+        }
+        const token = toSingleString(input.body[bodyFieldName]);
+        if (token) {
+            return { token, source };
+        }
+    }
+    return {};
+}
+export function getHeaderValue(headers, headerName) {
+    if (headers instanceof Headers) {
+        const value = headers.get(headerName);
+        return value === null ? undefined : toSingleString(value);
+    }
+    const lowerHeaderName = headerName.toLowerCase();
+    const direct = headers[headerName] ??
+        headers[lowerHeaderName] ??
+        headers[headerName.toUpperCase()];
+    if (direct !== undefined) {
+        return toSingleString(direct);
+    }
+    for (const [key, value] of Object.entries(headers)) {
+        if (key.toLowerCase() === lowerHeaderName) {
+            return toSingleString(value);
+        }
+    }
+    return undefined;
+}
+export function resolvePathnameFromUrl(url) {
+    if (!url || url.trim().length === 0) {
+        return '/';
+    }
+    try {
+        const parsed = new URL(url, 'http://localhost');
+        return parsed.pathname;
+    }
+    catch {
+        return '/';
+    }
+}
+function pathMatches(pathname, pathPrefix) {
+    const normalizedPath = pathPrefix.trim();
+    if (normalizedPath.length === 0) {
+        return false;
+    }
+    const prefix = normalizedPath.startsWith('/')
+        ? normalizedPath
+        : `/${normalizedPath}`;
+    if (pathname === prefix) {
+        return true;
+    }
+    return pathname.startsWith(`${prefix}/`);
+}
+export function isMutationHttpMethod(method) {
+    if (!method) {
+        return false;
+    }
+    const normalized = method.toUpperCase();
+    return (normalized !== 'GET' && normalized !== 'HEAD' && normalized !== 'OPTIONS');
+}
+export function assertCsrfForCookieMutation(input) {
+    const enabled = input.config?.enabled ?? true;
+    if (!enabled || !input.cookieAuthenticated) {
+        return;
+    }
+    if (!isMutationHttpMethod(input.method)) {
+        return;
+    }
+    if (input.config?.ignorePaths?.some(path => pathMatches(input.pathname, path))) {
+        return;
+    }
+    const cookieName = resolveCookieName(input.config?.cookieName, DEFAULT_CSRF_COOKIE_NAME);
+    const headerName = resolveCookieName(input.config?.headerName, DEFAULT_CSRF_HEADER_NAME);
+    const bodyFieldName = resolveCookieName(input.config?.bodyFieldName, DEFAULT_CSRF_BODY_FIELD_NAME);
+    const expected = toSingleString(input.cookies[cookieName]);
+    const provided = getHeaderValue(input.headers, headerName) ??
+        toSingleString(input.body?.[bodyFieldName]);
+    if (!expected || !provided || expected !== provided) {
+        throw new AuthServiceError({
+            code: 'forbidden',
+            message: 'CSRF token validation failed.',
+        });
+    }
+}
+function inferLoginMethodFromPath(input) {
+    const parts = input.pathname.split('/').filter(part => part.length > 0);
+    if (parts.length < 2) {
+        return undefined;
+    }
+    const actionPart = parts[parts.length - 1];
+    const methodPart = parts[parts.length - 2];
+    if (input.phase === 'start') {
+        if (actionPart !== 'start') {
+            return undefined;
+        }
+        return methodPart === 'login' ? undefined : methodPart;
+    }
+    if (actionPart !== 'finish' && actionPart !== 'verify') {
+        return undefined;
+    }
+    return methodPart === 'login' ? undefined : methodPart;
+}
+export function resolveLoginMethod(input) {
+    const fromPath = inferLoginMethodFromPath(input);
+    const fromBody = toSingleString(input.body?.method);
+    const fromQuery = toSingleString(input.queryMethod);
+    const fromDefault = toSingleString(input.defaultMethod);
+    const method = fromPath ?? fromBody ?? fromQuery ?? fromDefault;
+    if (method === undefined) {
+        throw new AuthServiceError({
+            code: 'invalid_request',
+            message: 'Missing required field "method".',
+        });
+    }
+    return method;
+}
+export function resolveCookieSecureFlag(input) {
+    if (input?.secure !== undefined) {
+        return input.secure;
+    }
+    const secureInProduction = input?.secureInProduction ?? true;
+    return secureInProduction && process.env.NODE_ENV === 'production';
+}
+export function parseNonNegativeSafeInteger(value, fieldName) {
+    const normalized = typeof value === 'number'
+        ? value
+        : Number.parseInt(toSingleString(value) ?? '', 10);
+    if (!Number.isSafeInteger(normalized) || normalized < 0) {
+        throw new AuthServiceError({
+            code: 'invalid_request',
+            message: `${fieldName} must be a non-negative safe integer.`,
+        });
+    }
+    return normalized;
+}