alepha 0.13.0 → 0.13.2

package/dist/server-auth/index.cjs

@@ -1,3146 +0,0 @@
-let alepha = require("alepha");
-let alepha_server = require("alepha/server");
-let node_crypto = require("node:crypto");
-let node_zlib = require("node:zlib");
-let alepha_datetime = require("alepha/datetime");
-let alepha_logger = require("alepha/logger");
-let alepha_security = require("alepha/security");
-let alepha_retry = require("alepha/retry");
-let node_stream_web = require("node:stream/web");
-
-//#region src/server-cookies/services/CookieParser.ts
-var CookieParser = class {
-	parseRequestCookies(header) {
-		const cookies = {};
-		const parts = header.split(";");
-		for (const part of parts) {
-			const [key, value] = part.split("=");
-			if (!key || !value) continue;
-			cookies[key.trim()] = value.trim();
-		}
-		return cookies;
-	}
-	serializeResponseCookies(cookies, isHttps) {
-		const headers$1 = [];
-		for (const [name, cookie] of Object.entries(cookies)) {
-			if (cookie == null) {
-				headers$1.push(`${name}=; Path=/; Max-Age=0`);
-				continue;
-			}
-			if (!cookie.value) continue;
-			headers$1.push(this.cookieToString(name, cookie, isHttps));
-		}
-		return headers$1;
-	}
-	cookieToString(name, cookie, isHttps) {
-		const parts = [];
-		parts.push(`${name}=${cookie.value}`);
-		if (cookie.path) parts.push(`Path=${cookie.path}`);
-		if (cookie.maxAge) parts.push(`Max-Age=${cookie.maxAge}`);
-		if (cookie.secure !== false && isHttps) parts.push("Secure");
-		if (cookie.httpOnly) parts.push("HttpOnly");
-		if (cookie.sameSite) parts.push(`SameSite=${cookie.sameSite}`);
-		if (cookie.domain) parts.push(`Domain=${cookie.domain}`);
-		return parts.join("; ");
-	}
-};
-
-//#endregion
-//#region src/server-cookies/providers/ServerCookiesProvider.ts
-const envSchema$2 = alepha.t.object({ APP_SECRET: alepha.t.text({ default: alepha_security.DEFAULT_APP_SECRET }) });
-var ServerCookiesProvider = class {
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	log = (0, alepha_logger.$logger)();
-	cookieParser = (0, alepha.$inject)(CookieParser);
-	dateTimeProvider = (0, alepha.$inject)(alepha_datetime.DateTimeProvider);
-	env = (0, alepha.$env)(envSchema$2);
-	ALGORITHM = "aes-256-gcm";
-	IV_LENGTH = 16;
-	AUTH_TAG_LENGTH = 16;
-	SIGNATURE_LENGTH = 32;
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		handler: async ({ request }) => {
-			request.cookies = {
-				req: this.cookieParser.parseRequestCookies(request.headers.cookie ?? ""),
-				res: {}
-			};
-		}
-	});
-	onAction = (0, alepha.$hook)({
-		on: "action:onRequest",
-		handler: async ({ request }) => {
-			request.cookies = {
-				req: this.cookieParser.parseRequestCookies(request.headers.cookie ?? ""),
-				res: {}
-			};
-		}
-	});
-	onSend = (0, alepha.$hook)({
-		on: "server:onSend",
-		handler: async ({ request }) => {
-			if (request.cookies && Object.keys(request.cookies.res).length > 0) {
-				const setCookieHeaders = this.cookieParser.serializeResponseCookies(request.cookies.res, request.url.protocol === "https:");
-				if (setCookieHeaders.length > 0) request.reply.headers["set-cookie"] = setCookieHeaders;
-			}
-		}
-	});
-	getCookiesFromContext(cookies) {
-		const contextCookies = this.alepha.context.get("request")?.cookies;
-		if (cookies) return cookies;
-		if (contextCookies) return contextCookies;
-		throw new Error("Cookie context is not available. This method must be called within a server request cycle.");
-	}
-	getCookie(name, options, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		let rawValue = cookies.req[name];
-		if (!rawValue) return void 0;
-		try {
-			rawValue = decodeURIComponent(rawValue);
-			if (options.sign) {
-				const signature = rawValue.substring(0, this.SIGNATURE_LENGTH * 2);
-				const value = rawValue.substring(this.SIGNATURE_LENGTH * 2);
-				const expectedSignature = this.sign(value);
-				if (!(0, node_crypto.timingSafeEqual)(Buffer.from(signature, "hex"), Buffer.from(expectedSignature, "hex"))) {
-					this.log.warn(`Invalid signature for cookie "${name}".`);
-					return;
-				}
-				rawValue = value;
-			}
-			if (options.encrypt) rawValue = this.decrypt(rawValue);
-			if (options.compress) rawValue = (0, node_zlib.inflateRawSync)(Buffer.from(rawValue, "base64")).toString("utf8");
-			return this.alepha.codec.decode(options.schema, JSON.parse(rawValue));
-		} catch (error) {
-			this.log.warn(`Failed to parse cookie "${name}"`, error);
-			this.deleteCookie(name, cookies);
-			return;
-		}
-	}
-	setCookie(name, options, data, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		let value = JSON.stringify(this.alepha.codec.decode(options.schema, data));
-		if (options.compress) value = (0, node_zlib.deflateRawSync)(value).toString("base64");
-		if (options.encrypt) value = this.encrypt(value);
-		if (options.sign) value = this.sign(value) + value;
-		const cookie = {
-			value: encodeURIComponent(value),
-			path: options.path ?? "/",
-			sameSite: options.sameSite ?? "lax",
-			secure: options.secure ?? this.alepha.isProduction(),
-			httpOnly: options.httpOnly,
-			domain: options.domain
-		};
-		if (options.ttl) cookie.maxAge = this.dateTimeProvider.duration(options.ttl).as("seconds");
-		cookies.res[name] = cookie;
-	}
-	deleteCookie(name, contextCookies) {
-		const cookies = this.getCookiesFromContext(contextCookies);
-		cookies.res[name] = null;
-	}
-	encrypt(text) {
-		const iv = (0, node_crypto.randomBytes)(this.IV_LENGTH);
-		const cipher = (0, node_crypto.createCipheriv)(this.ALGORITHM, Buffer.from(this.secretKey()), iv);
-		const encrypted = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
-		const authTag = cipher.getAuthTag();
-		return Buffer.concat([
-			iv,
-			authTag,
-			encrypted
-		]).toString("base64");
-	}
-	decrypt(encryptedText) {
-		const data = Buffer.from(encryptedText, "base64");
-		const iv = data.subarray(0, this.IV_LENGTH);
-		const authTag = data.subarray(this.IV_LENGTH, this.IV_LENGTH + this.AUTH_TAG_LENGTH);
-		const encrypted = data.subarray(this.IV_LENGTH + this.AUTH_TAG_LENGTH);
-		const decipher = (0, node_crypto.createDecipheriv)(this.ALGORITHM, Buffer.from(this.secretKey()), iv);
-		decipher.setAuthTag(authTag);
-		return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
-	}
-	secretKey() {
-		let secret = this.env.APP_SECRET;
-		if (secret.length < 32) secret = secret.padEnd(32, "0");
-		else if (secret.length > 32) secret = secret.substring(0, 32);
-		return secret;
-	}
-	sign(data) {
-		return (0, node_crypto.createHmac)("sha256", this.secretKey()).update(data).digest("hex");
-	}
-};
-
-//#endregion
-//#region src/server-cookies/descriptors/$cookie.ts
-/**
-* Declares a type-safe, configurable HTTP cookie.
-* This descriptor provides methods to get, set, and delete the cookie
-* within the server request/response cycle.
-*/
-const $cookie = (options) => {
-	return (0, alepha.createDescriptor)(CookieDescriptor, options);
-};
-var CookieDescriptor = class extends alepha.Descriptor {
-	serverCookiesProvider = (0, alepha.$inject)(ServerCookiesProvider);
-	get schema() {
-		return this.options.schema;
-	}
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	/**
-	* Sets the cookie with the given value in the current request's response.
-	*/
-	set(value, options) {
-		this.serverCookiesProvider.setCookie(this.name, {
-			...this.options,
-			ttl: options?.ttl ?? this.options.ttl
-		}, value, options?.cookies);
-	}
-	/**
-	* Gets the cookie value from the current request. Returns undefined if not found or invalid.
-	*/
-	get(options) {
-		return this.serverCookiesProvider.getCookie(this.name, this.options, options?.cookies);
-	}
-	/**
-	* Deletes the cookie in the current request's response.
-	*/
-	del(options) {
-		this.serverCookiesProvider.deleteCookie(this.name, options?.cookies);
-	}
-};
-$cookie[alepha.KIND] = CookieDescriptor;
-
-//#endregion
-//#region src/server-cookies/index.ts
-/**
-* Provides HTTP cookie management capabilities for server requests and responses with type-safe cookie descriptors.
-*
-* The server-cookies module enables declarative cookie handling using the `$cookie` descriptor on class properties.
-* It offers automatic cookie parsing, secure cookie configuration, and seamless integration with server routes
-* for managing user sessions, preferences, and authentication tokens.
-*
-* @see {@link $cookie}
-* @module alepha.server.cookies
-*/
-const AlephaServerCookies = (0, alepha.$module)({
-	name: "alepha.server.cookies",
-	descriptors: [$cookie],
-	services: [alepha_server.AlephaServer, ServerCookiesProvider]
-});
-
-//#endregion
-//#region ../../node_modules/oauth4webapi/build/index.js
-let USER_AGENT$1;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT$1 = `oauth4webapi/v3.8.2`;
-function looseInstanceOf(input, expected) {
-	if (input == null) return false;
-	try {
-		return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
-	} catch {
-		return false;
-	}
-}
-const ERR_INVALID_ARG_VALUE$1 = "ERR_INVALID_ARG_VALUE";
-const ERR_INVALID_ARG_TYPE$1 = "ERR_INVALID_ARG_TYPE";
-function CodedTypeError$1(message, code, cause) {
-	const err = new TypeError(message, { cause });
-	Object.assign(err, { code });
-	return err;
-}
-const allowInsecureRequests$1 = Symbol();
-const clockSkew$1 = Symbol();
-const clockTolerance$1 = Symbol();
-const customFetch$1 = Symbol();
-const modifyAssertion$1 = Symbol();
-const jweDecrypt = Symbol();
-const encoder = new TextEncoder();
-const decoder$1 = new TextDecoder();
-function buf(input) {
-	if (typeof input === "string") return encoder.encode(input);
-	return decoder$1.decode(input);
-}
-let encodeBase64Url;
-if (Uint8Array.prototype.toBase64) encodeBase64Url = (input) => {
-	if (input instanceof ArrayBuffer) input = new Uint8Array(input);
-	return input.toBase64({
-		alphabet: "base64url",
-		omitPadding: true
-	});
-};
-else {
-	const CHUNK_SIZE = 32768;
-	encodeBase64Url = (input) => {
-		if (input instanceof ArrayBuffer) input = new Uint8Array(input);
-		const arr = [];
-		for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-		return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-	};
-}
-let decodeBase64Url;
-if (Uint8Array.fromBase64) decodeBase64Url = (input) => {
-	try {
-		return Uint8Array.fromBase64(input, { alphabet: "base64url" });
-	} catch (cause) {
-		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
-	}
-};
-else decodeBase64Url = (input) => {
-	try {
-		const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
-		const bytes = new Uint8Array(binary.length);
-		for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-		return bytes;
-	} catch (cause) {
-		throw CodedTypeError$1("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE$1, cause);
-	}
-};
-function b64u(input) {
-	if (typeof input === "string") return decodeBase64Url(input);
-	return encodeBase64Url(input);
-}
-var UnsupportedOperationError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = UNSUPPORTED_OPERATION;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var OperationProcessingError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		if (options?.code) this.code = options?.code;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-function OPE(message, code, cause) {
-	return new OperationProcessingError(message, {
-		code,
-		cause
-	});
-}
-function isJsonObject(input) {
-	if (input === null || typeof input !== "object" || Array.isArray(input)) return false;
-	return true;
-}
-function prepareHeaders(input) {
-	if (looseInstanceOf(input, Headers)) input = Object.fromEntries(input.entries());
-	const headers$1 = new Headers(input ?? {});
-	if (USER_AGENT$1 && !headers$1.has("user-agent")) headers$1.set("user-agent", USER_AGENT$1);
-	if (headers$1.has("authorization")) throw CodedTypeError$1("\"options.headers\" must not include the \"authorization\" header name", ERR_INVALID_ARG_VALUE$1);
-	return headers$1;
-}
-function signal$1(url, value) {
-	if (value !== void 0) {
-		if (typeof value === "function") value = value(url.href);
-		if (!(value instanceof AbortSignal)) throw CodedTypeError$1("\"options.signal\" must return or be an instance of AbortSignal", ERR_INVALID_ARG_TYPE$1);
-		return value;
-	}
-}
-function replaceDoubleSlash(pathname) {
-	if (pathname.includes("//")) return pathname.replace("//", "/");
-	return pathname;
-}
-function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
-	if (url.pathname === "/") url.pathname = wellKnown;
-	else url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, "")}`);
-	return url;
-}
-function appendWellKnown(url, wellKnown) {
-	url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
-	return url;
-}
-async function performDiscovery$1(input, urlName, transform, options) {
-	if (!(input instanceof URL)) throw CodedTypeError$1(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE$1);
-	checkProtocol(input, options?.[allowInsecureRequests$1] !== true);
-	const url = transform(new URL(input.href));
-	const headers$1 = prepareHeaders(options?.headers);
-	headers$1.set("accept", "application/json");
-	return (options?.[customFetch$1] || fetch)(url.href, {
-		body: void 0,
-		headers: Object.fromEntries(headers$1.entries()),
-		method: "GET",
-		redirect: "manual",
-		signal: signal$1(url, options?.signal)
-	});
-}
-async function discoveryRequest(issuerIdentifier, options) {
-	return performDiscovery$1(issuerIdentifier, "issuerIdentifier", (url) => {
-		switch (options?.algorithm) {
-			case void 0:
-			case "oidc":
-				appendWellKnown(url, ".well-known/openid-configuration");
-				break;
-			case "oauth2":
-				prependWellKnown(url, ".well-known/oauth-authorization-server");
-				break;
-			default: throw CodedTypeError$1("\"options.algorithm\" must be \"oidc\" (default), or \"oauth2\"", ERR_INVALID_ARG_VALUE$1);
-		}
-		return url;
-	}, options);
-}
-function assertNumber(input, allow0, it, code, cause) {
-	try {
-		if (typeof input !== "number" || !Number.isFinite(input)) throw CodedTypeError$1(`${it} must be a number`, ERR_INVALID_ARG_TYPE$1, cause);
-		if (input > 0) return;
-		if (allow0) {
-			if (input !== 0) throw CodedTypeError$1(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE$1, cause);
-			return;
-		}
-		throw CodedTypeError$1(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE$1, cause);
-	} catch (err) {
-		if (code) throw OPE(err.message, code, cause);
-		throw err;
-	}
-}
-function assertString$1(input, it, code, cause) {
-	try {
-		if (typeof input !== "string") throw CodedTypeError$1(`${it} must be a string`, ERR_INVALID_ARG_TYPE$1, cause);
-		if (input.length === 0) throw CodedTypeError$1(`${it} must not be empty`, ERR_INVALID_ARG_VALUE$1, cause);
-	} catch (err) {
-		if (code) throw OPE(err.message, code, cause);
-		throw err;
-	}
-}
-async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
-	const expected = expectedIssuerIdentifier;
-	if (!(expected instanceof URL) && expected !== _nodiscoverycheck) throw CodedTypeError$1("\"expectedIssuerIdentifier\" must be an instance of URL", ERR_INVALID_ARG_TYPE$1);
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	if (response.status !== 200) throw OPE("\"response\" is not a conform Authorization Server Metadata response (unexpected HTTP status code)", RESPONSE_IS_NOT_CONFORM, response);
-	assertReadableResponse(response);
-	const json = await getResponseJsonBody(response);
-	assertString$1(json.issuer, "\"response\" body \"issuer\" property", INVALID_RESPONSE, { body: json });
-	if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) throw OPE("\"response\" body \"issuer\" property does not match the expected value", JSON_ATTRIBUTE_COMPARISON, {
-		expected: expected.href,
-		body: json,
-		attribute: "issuer"
-	});
-	return json;
-}
-function assertApplicationJson(response) {
-	assertContentType(response, "application/json");
-}
-function notJson(response, ...types) {
-	let msg = "\"response\" content-type must be ";
-	if (types.length > 2) {
-		const last = types.pop();
-		msg += `${types.join(", ")}, or ${last}`;
-	} else if (types.length === 2) msg += `${types[0]} or ${types[1]}`;
-	else msg += types[0];
-	return OPE(msg, RESPONSE_IS_NOT_JSON, response);
-}
-function assertContentType(response, contentType) {
-	if (getContentType(response) !== contentType) throw notJson(response, contentType);
-}
-function randomBytes() {
-	return b64u(crypto.getRandomValues(new Uint8Array(32)));
-}
-function generateRandomCodeVerifier() {
-	return randomBytes();
-}
-function generateRandomState() {
-	return randomBytes();
-}
-async function calculatePKCECodeChallenge$1(codeVerifier) {
-	assertString$1(codeVerifier, "codeVerifier");
-	return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
-}
-function getClockSkew(client) {
-	const skew = client?.[clockSkew$1];
-	return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
-}
-function getClockTolerance(client) {
-	const tolerance = client?.[clockTolerance$1];
-	return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
-}
-function epochTime() {
-	return Math.floor(Date.now() / 1e3);
-}
-function assertAs(as) {
-	if (typeof as !== "object" || as === null) throw CodedTypeError$1("\"as\" must be an object", ERR_INVALID_ARG_TYPE$1);
-	assertString$1(as.issuer, "\"as.issuer\"");
-}
-function assertClient(client) {
-	if (typeof client !== "object" || client === null) throw CodedTypeError$1("\"client\" must be an object", ERR_INVALID_ARG_TYPE$1);
-	assertString$1(client.client_id, "\"client.client_id\"");
-}
-function ClientSecretPost$1(clientSecret) {
-	assertString$1(clientSecret, "\"clientSecret\"");
-	return (_as, client, body, _headers) => {
-		body.set("client_id", client.client_id);
-		body.set("client_secret", clientSecret);
-	};
-}
-function None$1() {
-	return (_as, client, body, _headers) => {
-		body.set("client_id", client.client_id);
-	};
-}
-const URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
-	try {
-		return new URL(url, base);
-	} catch {
-		return null;
-	}
-};
-function checkProtocol(url, enforceHttps) {
-	if (enforceHttps && url.protocol !== "https:") throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
-	if (url.protocol !== "https:" && url.protocol !== "http:") throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
-}
-function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
-	let url;
-	if (typeof value !== "string" || !(url = URLParse(value))) throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === void 0 ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
-	checkProtocol(url, enforceHttps);
-	return url;
-}
-function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
-	if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
-	return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
-}
-function isDPoPNonceError(err) {
-	if (err instanceof WWWAuthenticateChallengeError) {
-		const { 0: challenge, length } = err.cause;
-		return length === 1 && challenge.scheme === "dpop" && challenge.parameters.error === "use_dpop_nonce";
-	}
-	if (err instanceof ResponseBodyError) return err.error === "use_dpop_nonce";
-	return false;
-}
-var ResponseBodyError = class extends Error {
-	cause;
-	code;
-	error;
-	status;
-	error_description;
-	response;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = RESPONSE_BODY_ERROR;
-		this.cause = options.cause;
-		this.error = options.cause.error;
-		this.status = options.response.status;
-		this.error_description = options.cause.error_description;
-		Object.defineProperty(this, "response", {
-			enumerable: false,
-			value: options.response
-		});
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var AuthorizationResponseError = class extends Error {
-	cause;
-	code;
-	error;
-	error_description;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = AUTHORIZATION_RESPONSE_ERROR;
-		this.cause = options.cause;
-		this.error = options.cause.get("error");
-		this.error_description = options.cause.get("error_description") ?? void 0;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var WWWAuthenticateChallengeError = class extends Error {
-	cause;
-	code;
-	response;
-	status;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = WWW_AUTHENTICATE_CHALLENGE;
-		this.cause = options.cause;
-		this.status = options.response.status;
-		this.response = options.response;
-		Object.defineProperty(this, "response", { enumerable: false });
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-const tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
-const token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+[=]{0,2}";
-const quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*\"((?:[^\"\\\\]|\\\\.)*)\"";
-const paramMatcher = "(" + tokenMatch + ")\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)";
-const schemeRE = /* @__PURE__ */ new RegExp("^[,\\s]*(" + tokenMatch + ")\\s(.*)");
-const quotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
-const unquotedParamRE = /* @__PURE__ */ new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
-const token68ParamRE = /* @__PURE__ */ new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
-function parseWwwAuthenticateChallenges(response) {
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	const header = response.headers.get("www-authenticate");
-	if (header === null) return;
-	const challenges = [];
-	let rest = header;
-	while (rest) {
-		let match = rest.match(schemeRE);
-		const scheme = match?.["1"].toLowerCase();
-		rest = match?.["2"];
-		if (!scheme) return;
-		const parameters = {};
-		let token68;
-		while (rest) {
-			let key;
-			let value;
-			if (match = rest.match(quotedParamRE)) {
-				[, key, value, rest] = match;
-				if (value.includes("\\")) try {
-					value = JSON.parse(`"${value}"`);
-				} catch {}
-				parameters[key.toLowerCase()] = value;
-				continue;
-			}
-			if (match = rest.match(unquotedParamRE)) {
-				[, key, value, rest] = match;
-				parameters[key.toLowerCase()] = value;
-				continue;
-			}
-			if (match = rest.match(token68ParamRE)) {
-				if (Object.keys(parameters).length) break;
-				[, token68, rest] = match;
-				break;
-			}
-			return;
-		}
-		const challenge = {
-			scheme,
-			parameters
-		};
-		if (token68) challenge.token68 = token68;
-		challenges.push(challenge);
-	}
-	if (!challenges.length) return;
-	return challenges;
-}
-async function parseOAuthResponseErrorBody(response) {
-	if (response.status > 399 && response.status < 500) {
-		assertReadableResponse(response);
-		assertApplicationJson(response);
-		try {
-			const json = await response.clone().json();
-			if (isJsonObject(json) && typeof json.error === "string" && json.error.length) return json;
-		} catch {}
-	}
-}
-async function checkOAuthBodyError(response, expected, label) {
-	if (response.status !== expected) {
-		checkAuthenticationChallenges(response);
-		let err;
-		if (err = await parseOAuthResponseErrorBody(response)) {
-			await response.body?.cancel();
-			throw new ResponseBodyError("server responded with an error in the response body", {
-				cause: err,
-				response
-			});
-		}
-		throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
-	}
-}
-function assertDPoP(option) {
-	if (!branded.has(option)) throw CodedTypeError$1("\"options.DPoP\" is not a valid DPoPHandle", ERR_INVALID_ARG_VALUE$1);
-}
-const skipSubjectCheck$1 = Symbol();
-function getContentType(input) {
-	return input.headers.get("content-type")?.split(";")[0];
-}
-async function authenticatedRequest(as, client, clientAuthentication, url, body, headers$1, options) {
-	await clientAuthentication(as, client, body, headers$1);
-	headers$1.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
-	return (options?.[customFetch$1] || fetch)(url.href, {
-		body,
-		headers: Object.fromEntries(headers$1.entries()),
-		method: "POST",
-		redirect: "manual",
-		signal: signal$1(url, options?.signal)
-	});
-}
-async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
-	const url = resolveEndpoint(as, "token_endpoint", client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests$1] !== true);
-	parameters.set("grant_type", grantType);
-	const headers$1 = prepareHeaders(options?.headers);
-	headers$1.set("accept", "application/json");
-	if (options?.DPoP !== void 0) {
-		assertDPoP(options.DPoP);
-		await options.DPoP.addProof(url, headers$1, "POST");
-	}
-	const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers$1, options);
-	options?.DPoP?.cacheNonce(response, url);
-	return response;
-}
-async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
-	assertAs(as);
-	assertClient(client);
-	assertString$1(refreshToken, "\"refreshToken\"");
-	const parameters = new URLSearchParams(options?.additionalParameters);
-	parameters.set("refresh_token", refreshToken);
-	return tokenEndpointRequest(as, client, clientAuthentication, "refresh_token", parameters, options);
-}
-const idTokenClaims = /* @__PURE__ */ new WeakMap();
-const jwtRefs = /* @__PURE__ */ new WeakMap();
-function getValidatedIdTokenClaims(ref) {
-	if (!ref.id_token) return;
-	const claims = idTokenClaims.get(ref);
-	if (!claims) throw CodedTypeError$1("\"ref\" was already garbage collected or did not resolve from the proper sources", ERR_INVALID_ARG_VALUE$1);
-	return claims;
-}
-async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
-	assertAs(as);
-	assertClient(client);
-	if (!looseInstanceOf(response, Response)) throw CodedTypeError$1("\"response\" must be an instance of Response", ERR_INVALID_ARG_TYPE$1);
-	await checkOAuthBodyError(response, 200, "Token Endpoint");
-	assertReadableResponse(response);
-	const json = await getResponseJsonBody(response);
-	assertString$1(json.access_token, "\"response\" body \"access_token\" property", INVALID_RESPONSE, { body: json });
-	assertString$1(json.token_type, "\"response\" body \"token_type\" property", INVALID_RESPONSE, { body: json });
-	json.token_type = json.token_type.toLowerCase();
-	if (json.expires_in !== void 0) {
-		let expiresIn = typeof json.expires_in !== "number" ? parseFloat(json.expires_in) : json.expires_in;
-		assertNumber(expiresIn, true, "\"response\" body \"expires_in\" property", INVALID_RESPONSE, { body: json });
-		json.expires_in = expiresIn;
-	}
-	if (json.refresh_token !== void 0) assertString$1(json.refresh_token, "\"response\" body \"refresh_token\" property", INVALID_RESPONSE, { body: json });
-	if (json.scope !== void 0 && typeof json.scope !== "string") throw OPE("\"response\" body \"scope\" property must be a string", INVALID_RESPONSE, { body: json });
-	if (json.id_token !== void 0) {
-		assertString$1(json.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: json });
-		const requiredClaims = [
-			"aud",
-			"exp",
-			"iat",
-			"iss",
-			"sub"
-		];
-		if (client.require_auth_time === true) requiredClaims.push("auth_time");
-		if (client.default_max_age !== void 0) {
-			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
-			requiredClaims.push("auth_time");
-		}
-		if (additionalRequiredIdTokenClaims?.length) requiredClaims.push(...additionalRequiredIdTokenClaims);
-		const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(void 0, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, "RS256"), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(void 0, requiredClaims)).then(validateIssuer.bind(void 0, as)).then(validateAudience.bind(void 0, client.client_id));
-		if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
-			if (claims.azp === void 0) throw OPE("ID Token \"aud\" (audience) claim includes additional untrusted audiences", JWT_CLAIM_COMPARISON, {
-				claims,
-				claim: "aud"
-			});
-			if (claims.azp !== client.client_id) throw OPE("unexpected ID Token \"azp\" (authorized party) claim value", JWT_CLAIM_COMPARISON, {
-				expected: client.client_id,
-				claims,
-				claim: "azp"
-			});
-		}
-		if (claims.auth_time !== void 0) assertNumber(claims.auth_time, true, "ID Token \"auth_time\" (authentication time)", INVALID_RESPONSE, { claims });
-		jwtRefs.set(response, jwt);
-		idTokenClaims.set(json, claims);
-	}
-	if (recognizedTokenTypes?.[json.token_type] !== void 0) recognizedTokenTypes[json.token_type](response, json);
-	else if (json.token_type !== "dpop" && json.token_type !== "bearer") throw new UnsupportedOperationError("unsupported `token_type` value", { cause: { body: json } });
-	return json;
-}
-function checkAuthenticationChallenges(response) {
-	let challenges;
-	if (challenges = parseWwwAuthenticateChallenges(response)) throw new WWWAuthenticateChallengeError("server responded with a challenge in the WWW-Authenticate HTTP Header", {
-		cause: challenges,
-		response
-	});
-}
-async function processRefreshTokenResponse(as, client, response, options) {
-	return processGenericAccessTokenResponse(as, client, response, void 0, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-function validateAudience(expected, result) {
-	if (Array.isArray(result.claims.aud)) {
-		if (!result.claims.aud.includes(expected)) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
-			expected,
-			claims: result.claims,
-			claim: "aud"
-		});
-	} else if (result.claims.aud !== expected) throw OPE("unexpected JWT \"aud\" (audience) claim value", JWT_CLAIM_COMPARISON, {
-		expected,
-		claims: result.claims,
-		claim: "aud"
-	});
-	return result;
-}
-function validateIssuer(as, result) {
-	const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
-	if (result.claims.iss !== expected) throw OPE("unexpected JWT \"iss\" (issuer) claim value", JWT_CLAIM_COMPARISON, {
-		expected,
-		claims: result.claims,
-		claim: "iss"
-	});
-	return result;
-}
-const branded = /* @__PURE__ */ new WeakSet();
-function brand(searchParams) {
-	branded.add(searchParams);
-	return searchParams;
-}
-const nopkce = Symbol();
-async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
-	assertAs(as);
-	assertClient(client);
-	if (!branded.has(callbackParameters)) throw CodedTypeError$1("\"callbackParameters\" must be an instance of URLSearchParams obtained from \"validateAuthResponse()\", or \"validateJwtAuthResponse()", ERR_INVALID_ARG_VALUE$1);
-	assertString$1(redirectUri, "\"redirectUri\"");
-	const code = getURLSearchParameter(callbackParameters, "code");
-	if (!code) throw OPE("no authorization code in \"callbackParameters\"", INVALID_RESPONSE);
-	const parameters = new URLSearchParams(options?.additionalParameters);
-	parameters.set("redirect_uri", redirectUri);
-	parameters.set("code", code);
-	if (codeVerifier !== nopkce) {
-		assertString$1(codeVerifier, "\"codeVerifier\"");
-		parameters.set("code_verifier", codeVerifier);
-	}
-	return tokenEndpointRequest(as, client, clientAuthentication, "authorization_code", parameters, options);
-}
-const jwtClaimNames = {
-	aud: "audience",
-	c_hash: "code hash",
-	client_id: "client id",
-	exp: "expiration time",
-	iat: "issued at",
-	iss: "issuer",
-	jti: "jwt id",
-	nonce: "nonce",
-	s_hash: "state hash",
-	sub: "subject",
-	ath: "access token hash",
-	htm: "http method",
-	htu: "http uri",
-	cnf: "confirmation",
-	auth_time: "authentication time"
-};
-function validatePresence(required, result) {
-	for (const claim of required) if (result.claims[claim] === void 0) throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, { claims: result.claims });
-	return result;
-}
-const expectNoNonce = Symbol();
-const skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeResponse(as, client, response, options) {
-	if (typeof options?.expectedNonce === "string" || typeof options?.maxAge === "number" || options?.requireIdToken) return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
-	return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
-}
-async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
-	const additionalRequiredClaims = [];
-	switch (expectedNonce) {
-		case void 0:
-			expectedNonce = expectNoNonce;
-			break;
-		case expectNoNonce: break;
-		default:
-			assertString$1(expectedNonce, "\"expectedNonce\" argument");
-			additionalRequiredClaims.push("nonce");
-	}
-	maxAge ??= client.default_max_age;
-	switch (maxAge) {
-		case void 0:
-			maxAge = skipAuthTimeCheck;
-			break;
-		case skipAuthTimeCheck: break;
-		default:
-			assertNumber(maxAge, true, "\"maxAge\" argument");
-			additionalRequiredClaims.push("auth_time");
-	}
-	const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
-	assertString$1(result.id_token, "\"response\" body \"id_token\" property", INVALID_RESPONSE, { body: result });
-	const claims = getValidatedIdTokenClaims(result);
-	if (maxAge !== skipAuthTimeCheck) {
-		const now = epochTime() + getClockSkew(client);
-		const tolerance = getClockTolerance(client);
-		if (claims.auth_time + maxAge < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance,
-			claim: "auth_time"
-		});
-	}
-	if (expectedNonce === expectNoNonce) {
-		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-			expected: void 0,
-			claims,
-			claim: "nonce"
-		});
-	} else if (claims.nonce !== expectedNonce) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-		expected: expectedNonce,
-		claims,
-		claim: "nonce"
-	});
-	return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
-	const result = await processGenericAccessTokenResponse(as, client, response, void 0, decryptFn, recognizedTokenTypes);
-	const claims = getValidatedIdTokenClaims(result);
-	if (claims) {
-		if (client.default_max_age !== void 0) {
-			assertNumber(client.default_max_age, true, "\"client.default_max_age\"");
-			const now = epochTime() + getClockSkew(client);
-			const tolerance = getClockTolerance(client);
-			if (claims.auth_time + client.default_max_age < now - tolerance) throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, {
-				claims,
-				now,
-				tolerance,
-				claim: "auth_time"
-			});
-		}
-		if (claims.nonce !== void 0) throw OPE("unexpected ID Token \"nonce\" claim value", JWT_CLAIM_COMPARISON, {
-			expected: void 0,
-			claims,
-			claim: "nonce"
-		});
-	}
-	return result;
-}
-const WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
-const RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR";
-const UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
-const AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
-const PARSE_ERROR = "OAUTH_PARSE_ERROR";
-const INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
-const RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
-const RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
-const HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
-const REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
-const JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
-const JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
-const JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
-const MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
-const INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
-function assertReadableResponse(response) {
-	if (response.bodyUsed) throw CodedTypeError$1("\"response\" body has been used already", ERR_INVALID_ARG_VALUE$1);
-}
-async function validateJwt(jws, checkAlg, clockSkew$2, clockTolerance$2, decryptJwt) {
-	let { 0: protectedHeader, 1: payload, length } = jws.split(".");
-	if (length === 5) if (decryptJwt !== void 0) {
-		jws = await decryptJwt(jws);
-		({0: protectedHeader, 1: payload, length} = jws.split("."));
-	} else throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
-	if (length !== 3) throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
-	let header;
-	try {
-		header = JSON.parse(buf(b64u(protectedHeader)));
-	} catch (cause) {
-		throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(header)) throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
-	checkAlg(header);
-	if (header.crit !== void 0) throw new UnsupportedOperationError("no JWT \"crit\" header parameter extensions are supported", { cause: { header } });
-	let claims;
-	try {
-		claims = JSON.parse(buf(b64u(payload)));
-	} catch (cause) {
-		throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(claims)) throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
-	const now = epochTime() + clockSkew$2;
-	if (claims.exp !== void 0) {
-		if (typeof claims.exp !== "number") throw OPE("unexpected JWT \"exp\" (expiration time) claim type", INVALID_RESPONSE, { claims });
-		if (claims.exp <= now - clockTolerance$2) throw OPE("unexpected JWT \"exp\" (expiration time) claim value, expiration is past current timestamp", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance: clockTolerance$2,
-			claim: "exp"
-		});
-	}
-	if (claims.iat !== void 0) {
-		if (typeof claims.iat !== "number") throw OPE("unexpected JWT \"iat\" (issued at) claim type", INVALID_RESPONSE, { claims });
-	}
-	if (claims.iss !== void 0) {
-		if (typeof claims.iss !== "string") throw OPE("unexpected JWT \"iss\" (issuer) claim type", INVALID_RESPONSE, { claims });
-	}
-	if (claims.nbf !== void 0) {
-		if (typeof claims.nbf !== "number") throw OPE("unexpected JWT \"nbf\" (not before) claim type", INVALID_RESPONSE, { claims });
-		if (claims.nbf > now + clockTolerance$2) throw OPE("unexpected JWT \"nbf\" (not before) claim value", JWT_TIMESTAMP_CHECK, {
-			claims,
-			now,
-			tolerance: clockTolerance$2,
-			claim: "nbf"
-		});
-	}
-	if (claims.aud !== void 0) {
-		if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) throw OPE("unexpected JWT \"aud\" (audience) claim type", INVALID_RESPONSE, { claims });
-	}
-	return {
-		header,
-		claims,
-		jwt: jws
-	};
-}
-async function consumeStream(request) {
-	if (request.bodyUsed) throw CodedTypeError$1("form_post Request instances must contain a readable body", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	return request.text();
-}
-async function formPostResponse(request) {
-	if (request.method !== "POST") throw CodedTypeError$1("form_post responses are expected to use the POST method", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	if (getContentType(request) !== "application/x-www-form-urlencoded") throw CodedTypeError$1("form_post responses are expected to use the application/x-www-form-urlencoded content-type", ERR_INVALID_ARG_VALUE$1, { cause: request });
-	return consumeStream(request);
-}
-function checkSigningAlgorithm(client, issuer, fallback, header) {
-	if (client !== void 0) {
-		if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: client,
-			reason: "client configuration"
-		});
-		return;
-	}
-	if (Array.isArray(issuer)) {
-		if (!issuer.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: issuer,
-			reason: "authorization server metadata"
-		});
-		return;
-	}
-	if (fallback !== void 0) {
-		if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) throw OPE("unexpected JWT \"alg\" header parameter", INVALID_RESPONSE, {
-			header,
-			expected: fallback,
-			reason: "default value"
-		});
-		return;
-	}
-	throw OPE("missing client or server configuration to verify used JWT \"alg\" header parameter", void 0, {
-		client,
-		issuer,
-		fallback
-	});
-}
-function getURLSearchParameter(parameters, name) {
-	const { 0: value, length } = parameters.getAll(name);
-	if (length > 1) throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
-	return value;
-}
-const skipStateCheck$1 = Symbol();
-const expectNoState = Symbol();
-function validateAuthResponse(as, client, parameters, expectedState) {
-	assertAs(as);
-	assertClient(client);
-	if (parameters instanceof URL) parameters = parameters.searchParams;
-	if (!(parameters instanceof URLSearchParams)) throw CodedTypeError$1("\"parameters\" must be an instance of URLSearchParams, or URL", ERR_INVALID_ARG_TYPE$1);
-	if (getURLSearchParameter(parameters, "response")) throw OPE("\"parameters\" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()", INVALID_RESPONSE, { parameters });
-	const iss = getURLSearchParameter(parameters, "iss");
-	const state = getURLSearchParameter(parameters, "state");
-	if (!iss && as.authorization_response_iss_parameter_supported) throw OPE("response parameter \"iss\" (issuer) missing", INVALID_RESPONSE, { parameters });
-	if (iss && iss !== as.issuer) throw OPE("unexpected \"iss\" (issuer) response parameter value", INVALID_RESPONSE, {
-		expected: as.issuer,
-		parameters
-	});
-	switch (expectedState) {
-		case void 0:
-		case expectNoState:
-			if (state !== void 0) throw OPE("unexpected \"state\" response parameter encountered", INVALID_RESPONSE, {
-				expected: void 0,
-				parameters
-			});
-			break;
-		case skipStateCheck$1: break;
-		default:
-			assertString$1(expectedState, "\"expectedState\" argument");
-			if (state !== expectedState) throw OPE(state === void 0 ? "response parameter \"state\" missing" : "unexpected \"state\" response parameter value", INVALID_RESPONSE, {
-				expected: expectedState,
-				parameters
-			});
-	}
-	if (getURLSearchParameter(parameters, "error")) throw new AuthorizationResponseError("authorization response from the server is an error", { cause: parameters });
-	const id_token = getURLSearchParameter(parameters, "id_token");
-	const token = getURLSearchParameter(parameters, "token");
-	if (id_token !== void 0 || token !== void 0) throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
-	return brand(new URLSearchParams(parameters));
-}
-async function getResponseJsonBody(response, check = assertApplicationJson) {
-	let json;
-	try {
-		json = await response.json();
-	} catch (cause) {
-		check(response);
-		throw OPE("failed to parse \"response\" body as JSON", PARSE_ERROR, cause);
-	}
-	if (!isJsonObject(json)) throw OPE("\"response\" body must be a top level object", INVALID_RESPONSE, { body: json });
-	return json;
-}
-const _nodiscoverycheck = Symbol();
-const _expectedIssuer = Symbol();
-
-//#endregion
-//#region ../../node_modules/openid-client/build/index.js
-let headers;
-let USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-	USER_AGENT = `openid-client/v6.8.1`;
-	headers = { "user-agent": USER_AGENT };
-}
-const int = (config) => {
-	return props.get(config);
-};
-let props;
-let tbi;
-function ClientSecretPost(clientSecret) {
-	if (clientSecret !== void 0) return ClientSecretPost$1(clientSecret);
-	tbi ||= /* @__PURE__ */ new WeakMap();
-	return (as, client, body, headers$1) => {
-		let auth;
-		if (!(auth = tbi.get(client))) {
-			assertString(client.client_secret, "\"metadata.client_secret\"");
-			auth = ClientSecretPost$1(client.client_secret);
-			tbi.set(client, auth);
-		}
-		return auth(as, client, body, headers$1);
-	};
-}
-function assertString(input, it) {
-	if (typeof input !== "string") throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE);
-	if (input.length === 0) throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE);
-}
-function None() {
-	return None$1();
-}
-const skipStateCheck = skipStateCheck$1;
-const skipSubjectCheck = skipSubjectCheck$1;
-const customFetch = customFetch$1;
-const modifyAssertion = modifyAssertion$1;
-const clockSkew = clockSkew$1;
-const clockTolerance = clockTolerance$1;
-const ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
-const ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
-function CodedTypeError(message, code, cause) {
-	const err = new TypeError(message, { cause });
-	Object.assign(err, { code });
-	return err;
-}
-function calculatePKCECodeChallenge(codeVerifier) {
-	return calculatePKCECodeChallenge$1(codeVerifier);
-}
-function randomPKCECodeVerifier() {
-	return generateRandomCodeVerifier();
-}
-function randomState() {
-	return generateRandomState();
-}
-var ClientError = class extends Error {
-	code;
-	constructor(message, options) {
-		super(message, options);
-		this.name = this.constructor.name;
-		this.code = options?.code;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-const decoder = new TextDecoder();
-function e(msg, cause, code) {
-	return new ClientError(msg, {
-		cause,
-		code
-	});
-}
-function errorHandler(err) {
-	if (err instanceof TypeError || err instanceof ClientError || err instanceof ResponseBodyError || err instanceof AuthorizationResponseError || err instanceof WWWAuthenticateChallengeError) throw err;
-	if (err instanceof OperationProcessingError) switch (err.code) {
-		case HTTP_REQUEST_FORBIDDEN: throw e("only requests to HTTPS are allowed", err, err.code);
-		case REQUEST_PROTOCOL_FORBIDDEN: throw e("only requests to HTTP or HTTPS are allowed", err, err.code);
-		case RESPONSE_IS_NOT_CONFORM: throw e("unexpected HTTP response status code", err.cause, err.code);
-		case RESPONSE_IS_NOT_JSON: throw e("unexpected response content-type", err.cause, err.code);
-		case PARSE_ERROR: throw e("parsing error occured", err, err.code);
-		case INVALID_RESPONSE: throw e("invalid response encountered", err, err.code);
-		case JWT_CLAIM_COMPARISON: throw e("unexpected JWT claim value encountered", err, err.code);
-		case JSON_ATTRIBUTE_COMPARISON: throw e("unexpected JSON attribute value encountered", err, err.code);
-		case JWT_TIMESTAMP_CHECK: throw e("JWT timestamp claim value failed validation", err, err.code);
-		default: throw e(err.message, err, err.code);
-	}
-	if (err instanceof UnsupportedOperationError) throw e("unsupported operation", err, err.code);
-	if (err instanceof DOMException) switch (err.name) {
-		case "OperationError": throw e("runtime operation error", err, UNSUPPORTED_OPERATION);
-		case "NotSupportedError": throw e("runtime unsupported operation", err, UNSUPPORTED_OPERATION);
-		case "TimeoutError": throw e("operation timed out", err, "OAUTH_TIMEOUT");
-		case "AbortError": throw e("operation aborted", err, "OAUTH_ABORT");
-	}
-	throw new ClientError("something went wrong", { cause: err });
-}
-function handleEntraId(server, as, options) {
-	if (server.origin === "https://login.microsoftonline.com" && (!options?.algorithm || options.algorithm === "oidc")) {
-		as[kEntraId] = true;
-		return true;
-	}
-	return false;
-}
-function handleB2Clogin(server, options) {
-	if (server.hostname.endsWith(".b2clogin.com") && (!options?.algorithm || options.algorithm === "oidc")) return true;
-	return false;
-}
-async function discovery(server, clientId, metadata, clientAuthentication, options) {
-	const instance = new Configuration(await performDiscovery(server, options), clientId, metadata, clientAuthentication);
-	let internals = int(instance);
-	if (options?.[customFetch]) internals.fetch = options[customFetch];
-	if (options?.timeout) internals.timeout = options.timeout;
-	if (options?.execute) for (const extension of options.execute) extension(instance);
-	return instance;
-}
-async function performDiscovery(server, options) {
-	if (!(server instanceof URL)) throw CodedTypeError("\"server\" must be an instance of URL", ERR_INVALID_ARG_TYPE);
-	const resolve = !server.href.includes("/.well-known/");
-	const timeout = options?.timeout ?? 30;
-	const signal$2 = AbortSignal.timeout(timeout * 1e3);
-	const as = await (resolve ? discoveryRequest(server, {
-		algorithm: options?.algorithm,
-		[customFetch$1]: options?.[customFetch],
-		[allowInsecureRequests$1]: options?.execute?.includes(allowInsecureRequests),
-		signal: signal$2,
-		headers: new Headers(headers)
-	}) : (options?.[customFetch] || fetch)((() => {
-		checkProtocol(server, options?.execute?.includes(allowInsecureRequests) ? false : true);
-		return server.href;
-	})(), {
-		headers: Object.fromEntries(new Headers({
-			accept: "application/json",
-			...headers
-		}).entries()),
-		body: void 0,
-		method: "GET",
-		redirect: "manual",
-		signal: signal$2
-	})).then((response) => processDiscoveryResponse(_nodiscoverycheck, response)).catch(errorHandler);
-	if (resolve && new URL(as.issuer).href !== server.href) handleEntraId(server, as, options) || handleB2Clogin(server, options) || (() => {
-		throw new ClientError("discovered metadata issuer does not match the expected issuer", {
-			code: JSON_ATTRIBUTE_COMPARISON,
-			cause: {
-				expected: server.href,
-				body: as,
-				attribute: "issuer"
-			}
-		});
-	})();
-	return as;
-}
-function getServerHelpers(metadata) {
-	return { supportsPKCE: {
-		__proto__: null,
-		value(method = "S256") {
-			return metadata.code_challenge_methods_supported?.includes(method) === true;
-		}
-	} };
-}
-function addServerHelpers(metadata) {
-	Object.defineProperties(metadata, getServerHelpers(metadata));
-}
-const kEntraId = Symbol();
-var Configuration = class {
-	constructor(server, clientId, metadata, clientAuthentication) {
-		if (typeof clientId !== "string" || !clientId.length) throw CodedTypeError("\"clientId\" must be a non-empty string", ERR_INVALID_ARG_TYPE);
-		if (typeof metadata === "string") metadata = { client_secret: metadata };
-		if (metadata?.client_id !== void 0 && clientId !== metadata.client_id) throw CodedTypeError("\"clientId\" and \"metadata.client_id\" must be the same", ERR_INVALID_ARG_VALUE);
-		const client = {
-			...structuredClone(metadata),
-			client_id: clientId
-		};
-		client[clockSkew$1] = metadata?.[clockSkew$1] ?? 0;
-		client[clockTolerance$1] = metadata?.[clockTolerance$1] ?? 30;
-		let auth;
-		if (clientAuthentication) auth = clientAuthentication;
-		else if (typeof client.client_secret === "string" && client.client_secret.length) auth = ClientSecretPost(client.client_secret);
-		else auth = None();
-		let c = Object.freeze(client);
-		const clone = structuredClone(server);
-		if (kEntraId in server) clone[_expectedIssuer] = ({ claims: { tid } }) => server.issuer.replace("{tenantid}", tid);
-		let as = Object.freeze(clone);
-		props ||= /* @__PURE__ */ new WeakMap();
-		props.set(this, {
-			__proto__: null,
-			as,
-			c,
-			auth,
-			tlsOnly: true,
-			jwksCache: {}
-		});
-	}
-	serverMetadata() {
-		const metadata = structuredClone(int(this).as);
-		addServerHelpers(metadata);
-		return metadata;
-	}
-	clientMetadata() {
-		return structuredClone(int(this).c);
-	}
-	get timeout() {
-		return int(this).timeout;
-	}
-	set timeout(value) {
-		int(this).timeout = value;
-	}
-	get [customFetch]() {
-		return int(this).fetch;
-	}
-	set [customFetch](value) {
-		int(this).fetch = value;
-	}
-};
-Object.freeze(Configuration.prototype);
-function getHelpers(response) {
-	let exp = void 0;
-	if (response.expires_in !== void 0) {
-		const now = /* @__PURE__ */ new Date();
-		now.setSeconds(now.getSeconds() + response.expires_in);
-		exp = now.getTime();
-	}
-	return {
-		expiresIn: {
-			__proto__: null,
-			value() {
-				if (exp) {
-					const now = Date.now();
-					if (exp > now) return Math.floor((exp - now) / 1e3);
-					return 0;
-				}
-			}
-		},
-		claims: {
-			__proto__: null,
-			value() {
-				try {
-					return getValidatedIdTokenClaims(this);
-				} catch {
-					return;
-				}
-			}
-		}
-	};
-}
-function addHelpers(response) {
-	Object.defineProperties(response, getHelpers(response));
-}
-function allowInsecureRequests(config) {
-	int(config).tlsOnly = false;
-}
-function stripParams(url) {
-	url = new URL(url);
-	url.search = "";
-	url.hash = "";
-	return url.href;
-}
-function webInstanceOf(input, toStringTag) {
-	try {
-		return Object.getPrototypeOf(input)[Symbol.toStringTag] === toStringTag;
-	} catch {
-		return false;
-	}
-}
-async function authorizationCodeGrant(config, currentUrl, checks, tokenEndpointParameters, options) {
-	checkConfig(config);
-	if (options?.flag !== retry && !(currentUrl instanceof URL) && !webInstanceOf(currentUrl, "Request")) throw CodedTypeError("\"currentUrl\" must be an instance of URL, or Request", ERR_INVALID_ARG_TYPE);
-	let authResponse;
-	let redirectUri;
-	const { as, c, auth, fetch: fetch$1, tlsOnly, jarm, hybrid, nonRepudiation, timeout, decrypt, implicit } = int(config);
-	if (options?.flag === retry) {
-		authResponse = options.authResponse;
-		redirectUri = options.redirectUri;
-	} else {
-		if (!(currentUrl instanceof URL)) {
-			const request = currentUrl;
-			currentUrl = new URL(currentUrl.url);
-			switch (request.method) {
-				case "GET": break;
-				case "POST":
-					const params = new URLSearchParams(await formPostResponse(request));
-					if (hybrid) currentUrl.hash = params.toString();
-					else for (const [k, v] of params.entries()) currentUrl.searchParams.append(k, v);
-					break;
-				default: throw CodedTypeError("unexpected Request HTTP method", ERR_INVALID_ARG_VALUE);
-			}
-		}
-		redirectUri = stripParams(currentUrl);
-		switch (true) {
-			case !!jarm:
-				authResponse = await jarm(currentUrl, checks?.expectedState);
-				break;
-			case !!hybrid:
-				authResponse = await hybrid(currentUrl, checks?.expectedNonce, checks?.expectedState, checks?.maxAge);
-				break;
-			case !!implicit: throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");
-			default: try {
-				authResponse = validateAuthResponse(as, c, currentUrl.searchParams, checks?.expectedState);
-			} catch (err) {
-				errorHandler(err);
-			}
-		}
-	}
-	const response = await authorizationCodeGrantRequest(as, c, auth, authResponse, redirectUri, checks?.pkceCodeVerifier || nopkce, {
-		additionalParameters: tokenEndpointParameters,
-		[customFetch$1]: fetch$1,
-		[allowInsecureRequests$1]: !tlsOnly,
-		DPoP: options?.DPoP,
-		headers: new Headers(headers),
-		signal: signal(timeout)
-	}).catch(errorHandler);
-	if (typeof checks?.expectedNonce === "string" || typeof checks?.maxAge === "number") checks.idTokenExpected = true;
-	const p = processAuthorizationCodeResponse(as, c, response, {
-		expectedNonce: checks?.expectedNonce,
-		maxAge: checks?.maxAge,
-		requireIdToken: checks?.idTokenExpected,
-		[jweDecrypt]: decrypt
-	});
-	let result;
-	try {
-		result = await p;
-	} catch (err) {
-		if (retryable(err, options)) return authorizationCodeGrant(config, void 0, checks, tokenEndpointParameters, {
-			...options,
-			flag: retry,
-			authResponse,
-			redirectUri
-		});
-		errorHandler(err);
-	}
-	result.id_token && await nonRepudiation?.(response);
-	addHelpers(result);
-	return result;
-}
-async function refreshTokenGrant(config, refreshToken, parameters, options) {
-	checkConfig(config);
-	parameters = new URLSearchParams(parameters);
-	const { as, c, auth, fetch: fetch$1, tlsOnly, nonRepudiation, timeout, decrypt } = int(config);
-	const response = await refreshTokenGrantRequest(as, c, auth, refreshToken, {
-		[customFetch$1]: fetch$1,
-		[allowInsecureRequests$1]: !tlsOnly,
-		additionalParameters: parameters,
-		DPoP: options?.DPoP,
-		headers: new Headers(headers),
-		signal: signal(timeout)
-	}).catch(errorHandler);
-	const p = processRefreshTokenResponse(as, c, response, { [jweDecrypt]: decrypt });
-	let result;
-	try {
-		result = await p;
-	} catch (err) {
-		if (retryable(err, options)) return refreshTokenGrant(config, refreshToken, parameters, {
-			...options,
-			flag: retry
-		});
-		errorHandler(err);
-	}
-	result.id_token && await nonRepudiation?.(response);
-	addHelpers(result);
-	return result;
-}
-function buildAuthorizationUrl(config, parameters) {
-	checkConfig(config);
-	const { as, c, tlsOnly, hybrid, jarm, implicit } = int(config);
-	const authorizationEndpoint = resolveEndpoint(as, "authorization_endpoint", false, tlsOnly);
-	parameters = new URLSearchParams(parameters);
-	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
-	if (!parameters.has("request_uri") && !parameters.has("request")) {
-		if (!parameters.has("response_type")) parameters.set("response_type", hybrid ? "code id_token" : implicit ? "id_token" : "code");
-		if (implicit && !parameters.has("nonce")) throw CodedTypeError("response_type=id_token clients must provide a nonce parameter in their authorization request parameters", ERR_INVALID_ARG_VALUE);
-		if (jarm) parameters.set("response_mode", "jwt");
-	}
-	for (const [k, v] of parameters.entries()) authorizationEndpoint.searchParams.append(k, v);
-	return authorizationEndpoint;
-}
-function buildEndSessionUrl(config, parameters) {
-	checkConfig(config);
-	const { as, c, tlsOnly } = int(config);
-	const endSessionEndpoint = resolveEndpoint(as, "end_session_endpoint", false, tlsOnly);
-	parameters = new URLSearchParams(parameters);
-	if (!parameters.has("client_id")) parameters.set("client_id", c.client_id);
-	for (const [k, v] of parameters.entries()) endSessionEndpoint.searchParams.append(k, v);
-	return endSessionEndpoint;
-}
-function checkConfig(input) {
-	if (!(input instanceof Configuration)) throw CodedTypeError("\"config\" must be an instance of Configuration", ERR_INVALID_ARG_TYPE);
-	if (Object.getPrototypeOf(input) !== Configuration.prototype) throw CodedTypeError("subclassing Configuration is not allowed", ERR_INVALID_ARG_VALUE);
-}
-function signal(timeout) {
-	return timeout ? AbortSignal.timeout(timeout * 1e3) : void 0;
-}
-function retryable(err, options) {
-	if (options?.DPoP && options.flag !== retry) return isDPoPNonceError(err);
-	return false;
-}
-const retry = Symbol();
-
-//#endregion
-//#region src/server-auth/descriptors/$auth.ts
-/**
-* Creates an authentication provider descriptor for handling user login flows.
-*
-* Supports multiple authentication strategies: credentials (username/password), OAuth2,
-* and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
-* integration with both external identity providers (Auth0, Keycloak) and internal realms.
-*
-* **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
-*
-* @example
-* ```ts
-* class AuthProviders {
-*   // Internal credentials-based auth
-*   credentials = $auth({
-*     realm: this.userRealm,
-*     credentials: {
-*       account: async ({ username, password }) => {
-*         return await this.validateUser(username, password);
-*       }
-*     }
-*   });
-*
-*   // External OIDC provider
-*   keycloak = $auth({
-*     oidc: {
-*       issuer: "https://auth.example.com",
-*       clientId: "my-app",
-*       clientSecret: "secret",
-*       redirectUri: "/auth/callback"
-*     }
-*   });
-* }
-* ```
-*/
-const $auth = (options) => {
-	return (0, alepha.createDescriptor)(AuthDescriptor, options);
-};
-var AuthDescriptor = class extends alepha.Descriptor {
-	securityProvider = (0, alepha.$inject)(alepha_security.SecurityProvider);
-	dateTimeProvider = (0, alepha.$inject)(alepha_datetime.DateTimeProvider);
-	oauth;
-	get name() {
-		return this.options.name ?? this.config.propertyKey;
-	}
-	get jwks_uri() {
-		const jwks = this.oauth?.serverMetadata().jwks_uri;
-		if (!jwks) throw new alepha.AlephaError("No JWKS URI available for the auth provider");
-		return jwks;
-	}
-	get scope() {
-		if ("oauth" in this.options) return this.options.oauth.scope;
-		if ("oidc" in this.options) return this.options.oidc.scope || "openid profile email";
-		throw new alepha.AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
-	}
-	get redirect_uri() {
-		if ("oauth" in this.options) return this.options.oauth.redirectUri;
-		if ("oidc" in this.options) return this.options.oidc.redirectUri;
-		throw new alepha.AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
-	}
-	/**
-	* Refreshes the access token using the refresh token.
-	* Can be used on oauth2, oidc or credentials auth providers.
-	*/
-	async refresh(refreshToken, accessToken) {
-		if ("realm" in this.options) return this.options.realm.refreshToken(refreshToken, accessToken).then((it) => it.tokens).catch((error) => {
-			throw new alepha_security.SecurityError("Failed to refresh access token using the refresh token (realm)", { cause: error });
-		});
-		else if (this.oauth) try {
-			return {
-				...await refreshTokenGrant(this.oauth, refreshToken),
-				issued_at: this.dateTimeProvider.now().unix()
-			};
-		} catch (error) {
-			throw new alepha_security.SecurityError("Failed to refresh access token using the refresh token (oauth2)", { cause: error });
-		}
-		throw new alepha.AlephaError("No realm or OAuth2 configuration available for refreshing the access token");
-	}
-	/**
-	* Extracts user information from the access token.
-	* This is used to create a user account from the access token.
-	*/
-	async user(tokens) {
-		try {
-			if ("oauth" in this.options) {
-				const profile = await this.options.oauth.userinfo(tokens);
-				if (this.options.oauth.account) return this.options.oauth.account({
-					...tokens,
-					user: profile
-				});
-				return this.securityProvider.createUserFromPayload(profile);
-			}
-			if ("oidc" in this.options) {
-				const payload = this.getUserFromIdToken(tokens.id_token || "");
-				if (this.options.oidc.account) return this.options.oidc.account({
-					...tokens,
-					user: payload
-				});
-				return this.securityProvider.createUserFromPayload(payload);
-			}
-		} catch (error) {
-			throw new alepha_security.SecurityError("Failed to extract user from identity provider tokens", { cause: error });
-		}
-		throw new alepha.AlephaError("This authentication does not support user extraction from tokens");
-	}
-	getUserFromIdToken(idToken) {
-		try {
-			return JSON.parse(Buffer.from(idToken.split(".")[1], "base64").toString("utf8"));
-		} catch (error) {
-			throw new alepha.AlephaError("Failed to parse ID Token payload", { cause: error });
-		}
-	}
-	async prepare() {
-		const addons = [];
-		addons.push(allowInsecureRequests);
-		if ("oidc" in this.options) {
-			const { oidc } = this.options;
-			this.oauth = await discovery(new URL(oidc.issuer), oidc.clientId, { client_secret: oidc.clientSecret }, void 0, { execute: addons });
-		}
-		if ("oauth" in this.options) {
-			const { oauth } = this.options;
-			this.oauth = new Configuration({
-				authorization_endpoint: oauth.authorization,
-				token_endpoint: oauth.token,
-				issuer: oauth.authorization,
-				jwks_uri: void 0,
-				end_session_endpoint: void 0
-			}, oauth.clientId, { client_secret: oauth.clientSecret });
-		}
-	}
-};
-$auth[alepha.KIND] = AuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerBasicAuthProvider.ts
-var ServerBasicAuthProvider = class {
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	log = (0, alepha_logger.$logger)();
-	routerProvider = (0, alepha.$inject)(alepha_server.ServerRouterProvider);
-	realm = "Secure Area";
-	/**
-	* Registered basic auth descriptors with their configurations
-	*/
-	registeredAuths = [];
-	/**
-	* Register a basic auth configuration (called by descriptors)
-	*/
-	registerAuth(config) {
-		this.registeredAuths.push(config);
-	}
-	onStart = (0, alepha.$hook)({
-		on: "start",
-		handler: async () => {
-			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
-				const matchedRoutes = this.routerProvider.getRoutes(pattern);
-				for (const route of matchedRoutes) route.secure = { basic: {
-					username: auth.username,
-					password: auth.password
-				} };
-			}
-			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
-		}
-	});
-	/**
-	* Hook into server:onRequest to check basic auth
-	*/
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		handler: async ({ route, request }) => {
-			const routeAuth = route.secure;
-			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Hook into action:onRequest to check basic auth for actions
-	*/
-	onActionRequest = (0, alepha.$hook)({
-		on: "action:onRequest",
-		handler: async ({ action, request }) => {
-			const routeAuth = action.route.secure;
-			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Check basic authentication
-	*/
-	checkAuth(request, options) {
-		const authHeader = request.headers?.authorization;
-		if (!authHeader || !authHeader.startsWith("Basic ")) {
-			this.sendAuthRequired(request);
-			throw new alepha_server.HttpError({
-				status: 401,
-				message: "Authentication required"
-			});
-		}
-		const base64Credentials = authHeader.slice(6);
-		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
-		const colonIndex = credentials.indexOf(":");
-		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
-		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
-		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
-			this.sendAuthRequired(request);
-			this.log.warn(`Failed basic auth attempt for user`, { username });
-			throw new alepha_server.HttpError({
-				status: 401,
-				message: "Invalid credentials"
-			});
-		}
-	}
-	/**
-	* Performs a timing-safe comparison of credentials to prevent timing attacks.
-	* Always compares both username and password to avoid leaking which one is wrong.
-	*/
-	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
-		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
-		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
-		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
-		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
-		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
-	}
-	/**
-	* Compares two buffers in constant time, handling different lengths safely.
-	* Returns 1 if equal, 0 if not equal.
-	*/
-	safeCompare(input, expected) {
-		if (input.length !== expected.length) {
-			(0, node_crypto.timingSafeEqual)(input, input);
-			return 0;
-		}
-		return (0, node_crypto.timingSafeEqual)(input, expected) ? 1 : 0;
-	}
-	/**
-	* Send WWW-Authenticate header
-	*/
-	sendAuthRequired(request) {
-		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
-	}
-};
-const isBasicAuth = (value) => {
-	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
-};
-
-//#endregion
-//#region src/server-security/descriptors/$basicAuth.ts
-/**
-* Declares HTTP Basic Authentication for server routes.
-* This descriptor provides methods to protect routes with username/password authentication.
-*/
-const $basicAuth = (options) => {
-	return (0, alepha.createDescriptor)(BasicAuthDescriptor, options);
-};
-var BasicAuthDescriptor = class extends alepha.Descriptor {
-	serverBasicAuthProvider = (0, alepha.$inject)(ServerBasicAuthProvider);
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	onInit() {
-		this.serverBasicAuthProvider.registerAuth(this.options);
-	}
-	/**
-	* Checks basic auth for the given request using this descriptor's configuration.
-	*/
-	check(request, options) {
-		const mergedOptions = {
-			...this.options,
-			...options
-		};
-		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
-	}
-};
-$basicAuth[alepha.KIND] = BasicAuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.ts
-var ServerSecurityProvider = class {
-	log = (0, alepha_logger.$logger)();
-	securityProvider = (0, alepha.$inject)(alepha_security.SecurityProvider);
-	jwtProvider = (0, alepha.$inject)(alepha_security.JwtProvider);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	onConfigure = (0, alepha.$hook)({
-		on: "configure",
-		handler: async () => {
-			for (const action of this.alepha.descriptors(alepha_server.$action)) {
-				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
-				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
-					name: action.name,
-					group: action.group,
-					method: action.route.method,
-					path: action.route.path
-				});
-			}
-		}
-	});
-	onActionRequest = (0, alepha.$hook)({
-		on: "action:onRequest",
-		handler: async ({ action, request, options }) => {
-			if (action.options.secure === false && !options.user) {
-				this.log.trace("Skipping security check for route");
-				return;
-			}
-			if (isBasicAuth(action.route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
-			try {
-				request.user = this.createUserFromLocalFunctionContext(options, permission);
-				const route = action.route;
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(alepha_security.userAccountInfoSchema, request.user));
-			} catch (error) {
-				if (action.options.secure || permission) throw error;
-				this.log.trace("Skipping security check for action");
-			}
-		}
-	});
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		priority: "last",
-		handler: async ({ request, route }) => {
-			if (route.secure === false) {
-				this.log.trace("Skipping security check for route - explicitly disabled");
-				return;
-			}
-			if (isBasicAuth(route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
-			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(alepha_security.userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
-					user: request.user,
-					permission
-				});
-			} catch (error) {
-				if (route.secure || permission) throw error;
-				this.log.trace("Skipping security check for route - error occurred", error);
-			}
-		}
-	});
-	check(user, secure) {
-		if (secure.realm) {
-			if (user.realm !== secure.realm) throw new alepha_server.ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
-		}
-	}
-	/**
-	* Get the user account token for a local action call.
-	* There are three possible sources for the user:
-	* - `options.user`: the user passed in the options
-	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
-	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
-	*
-	* Priority order: `options.user` > `"system"` > `"context"`.
-	*
-	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
-	*/
-	createUserFromLocalFunctionContext(options, permission) {
-		const fromOptions = typeof options.user === "object" ? options.user : void 0;
-		const type = typeof options.user === "string" ? options.user : void 0;
-		let user;
-		const fromContext = this.alepha.context.get("request")?.user;
-		const fromSystem = this.alepha.state.get("alepha.server.security.system.user");
-		if (type === "system") user = fromSystem;
-		else if (type === "context") user = fromContext;
-		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new alepha_server.UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
-		let ownership;
-		if (permission) {
-			const result = this.securityProvider.checkPermission(permission, ...roles);
-			if (!result.isAuthorized) throw new alepha_server.ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
-			ownership = result.ownership;
-		}
-		return {
-			...user,
-			ownership
-		};
-	}
-	createTestUser() {
-		return {
-			id: (0, node_crypto.randomUUID)(),
-			name: "Test",
-			roles: this.securityProvider.getRoles().map((role) => role.name)
-		};
-	}
-	onClientRequest = (0, alepha.$hook)({
-		on: "client:onRequest",
-		handler: async ({ request, options }) => {
-			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
-			request.headers = new Headers(request.headers);
-			if (!request.headers.has("authorization")) {
-				const test = this.createTestUser();
-				const user = typeof options?.user === "object" ? options.user : void 0;
-				const sub = user?.id ?? test.id;
-				const roles = user?.roles ?? test.roles;
-				const token = await this.jwtProvider.create({
-					sub,
-					roles
-				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
-				request.headers.set("authorization", `Bearer ${token}`);
-			}
-		}
-	});
-};
-
-//#endregion
-//#region src/server-security/index.ts
-/**
-* Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
-*
-* By default, all $action will be guarded by a permission check.
-*
-* @see {@link ServerSecurityProvider}
-* @module alepha.server.security
-*/
-const AlephaServerSecurity = (0, alepha.$module)({
-	name: "alepha.server.security",
-	descriptors: [
-		alepha_security.$realm,
-		alepha_security.$role,
-		alepha_security.$permission,
-		$basicAuth
-	],
-	services: [
-		alepha_server.AlephaServer,
-		alepha_security.AlephaSecurity,
-		ServerSecurityProvider,
-		ServerBasicAuthProvider
-	]
-});
-
-//#endregion
-//#region src/server-links/schemas/apiLinksResponseSchema.ts
-const apiLinkSchema = alepha.t.object({
-	name: alepha.t.text({ description: "Name of the API link, used for identification." }),
-	group: alepha.t.optional(alepha.t.text({ description: "Group to which the API link belongs, used for categorization." })),
-	path: alepha.t.text({ description: "Pathname used to access the API link." }),
-	method: alepha.t.optional(alepha.t.text({ description: "HTTP method used for the API link, e.g., GET, POST, etc. If not specified, defaults to GET." })),
-	requestBodyType: alepha.t.optional(alepha.t.text({ description: "Type of the request body for the API link. Default is application/json for POST/PUT/PATCH, null for others." })),
-	service: alepha.t.optional(alepha.t.text({ description: "Service name associated with the API link, used for service discovery." }))
-});
-const apiLinksResponseSchema = alepha.t.object({
-	prefix: alepha.t.optional(alepha.t.text()),
-	links: alepha.t.array(apiLinkSchema)
-});
-
-//#endregion
-//#region src/server-links/providers/LinkProvider.ts
-/**
-* Browser, SSR friendly, service to handle links.
-*/
-var LinkProvider = class LinkProvider {
-	static path = {
-		apiLinks: "/api/_links",
-		apiSchema: "/api/_links/:name/schema"
-	};
-	log = (0, alepha_logger.$logger)();
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	httpClient = (0, alepha.$inject)(alepha_server.HttpClient);
-	serverLinks = [];
-	/**
-	* Get applicative links registered on the server.
-	* This does not include lazy-loaded remote links.
-	*/
-	getServerLinks() {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Getting server links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return [];
-		}
-		return this.serverLinks;
-	}
-	/**
-	* Register a new link for the application.
-	*/
-	registerLink(link) {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Registering links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return;
-		}
-		if (!link.handler && !link.host) throw new alepha.AlephaError("Can't create link - 'handler' or 'host' is required");
-		if (this.serverLinks.some((l) => l.name === link.name)) this.serverLinks = this.serverLinks.filter((l) => l.name !== link.name);
-		this.serverLinks.push(link);
-	}
-	get links() {
-		const apiLinks = this.alepha.state.get("alepha.server.request.apiLinks")?.links;
-		if (apiLinks) {
-			if (this.alepha.isBrowser()) return apiLinks;
-			const links = [];
-			for (const link of apiLinks) {
-				const originalLink = this.serverLinks.find((l) => l.name === link.name);
-				if (originalLink) links.push(originalLink);
-			}
-			return links;
-		}
-		return this.serverLinks ?? [];
-	}
-	/**
-	* Force browser to refresh links from the server.
-	*/
-	async fetchLinks() {
-		const { data } = await this.httpClient.fetch(`${LinkProvider.path.apiLinks}`, {
-			method: "GET",
-			schema: { response: apiLinksResponseSchema }
-		});
-		this.alepha.state.set("alepha.server.request.apiLinks", data);
-		return data.links;
-	}
-	/**
-	* Create a virtual client that can be used to call actions.
-	*
-	* Use js Proxy under the hood.
-	*/
-	client(scope = {}) {
-		return new Proxy({}, { get: (_, prop) => {
-			if (typeof prop !== "string") return;
-			return this.createVirtualAction(prop, scope);
-		} });
-	}
-	/**
-	* Check if a link with the given name exists.
-	* @param name
-	*/
-	can(name) {
-		return this.links.some((link) => link.name === name);
-	}
-	/**
-	* Resolve a link by its name and call it.
-	* - If link is local, it will call the local handler.
-	* - If link is remote, it will make a fetch request to the remote server.
-	*/
-	async follow(name, config = {}, options = {}) {
-		this.log.trace("Following link", {
-			name,
-			config,
-			options
-		});
-		const link = await this.getLinkByName(name, options);
-		if (link.handler && !options.request) {
-			this.log.trace("Local link found", { name });
-			return link.handler({
-				method: link.method,
-				url: new URL(`http://localhost${link.path}`),
-				query: config.query ?? {},
-				body: config.body ?? {},
-				params: config.params ?? {},
-				headers: config.headers ?? {},
-				metadata: {},
-				reply: new alepha_server.ServerReply()
-			}, options);
-		}
-		this.log.trace("Remote link found", {
-			name,
-			host: link.host,
-			service: link.service
-		});
-		return this.followRemote(link, config, options).then((response) => response.data);
-	}
-	createVirtualAction(name, scope = {}) {
-		const $ = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		Object.defineProperty($, "name", {
-			value: name,
-			writable: false
-		});
-		$.run = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		$.fetch = async (config = {}, options = {}) => {
-			const link = await this.getLinkByName(name, scope);
-			return this.followRemote(link, config, options);
-		};
-		$.can = () => {
-			return this.can(name);
-		};
-		return $;
-	}
-	async followRemote(link, config = {}, options = {}) {
-		options.request ??= {};
-		options.request.headers = new Headers(options.request.headers);
-		const als = this.alepha.context.get("request");
-		if (als?.headers.authorization) options.request.headers.set("authorization", als.headers.authorization);
-		const context = this.alepha.context.get("context");
-		if (typeof context === "string") options.request.headers.set("x-request-id", context);
-		const action = {
-			...link,
-			schema: {
-				body: alepha.t.any(),
-				response: alepha.t.any()
-			}
-		};
-		if (!link.host && link.service) action.path = `/${link.service}${action.path}`;
-		action.path = `${action.prefix ?? "/api"}${action.path}`;
-		action.prefix = void 0;
-		return this.httpClient.fetchAction({
-			host: link.host,
-			config,
-			options,
-			action
-		});
-	}
-	async getLinkByName(name, options = {}) {
-		if (this.alepha.isBrowser() && !this.alepha.state.get("alepha.server.request.apiLinks")) await this.fetchLinks();
-		const link = this.links.find((a) => a.name === name && (!options.group || a.group === options.group) && (!options.service || options.service === a.service));
-		if (!link) {
-			const error = new alepha_server.UnauthorizedError(`Action ${name} not found.`);
-			await this.alepha.events.emit("client:onError", {
-				route: link,
-				error
-			});
-			throw error;
-		}
-		if (options.hostname) return {
-			...link,
-			host: options.hostname
-		};
-		return link;
-	}
-};
-
-//#endregion
-//#region src/server-links/descriptors/$client.ts
-/**
-* Create a new client.
-*/
-const $client = (scope) => {
-	return (0, alepha.$inject)(LinkProvider).client(scope);
-};
-$client[alepha.KIND] = "$client";
-
-//#endregion
-//#region src/server-links/descriptors/$remote.ts
-/**
-* $remote is a descriptor that allows you to define remote service access.
-*
-* Use it only when you have 2 or more services that need to communicate with each other.
-*
-* All remote services can be exposed as actions, ... or not.
-*
-* You can add a service account if you want to use a security layer.
-*/
-const $remote = (options) => {
-	return (0, alepha.createDescriptor)(RemoteDescriptor, options);
-};
-var RemoteDescriptor = class extends alepha.Descriptor {
-	get name() {
-		return this.options.name ?? this.config.propertyKey;
-	}
-};
-$remote[alepha.KIND] = RemoteDescriptor;
-
-//#endregion
-//#region src/server-proxy/descriptors/$proxy.ts
-/**
-* Creates a proxy descriptor to forward requests to another server.
-*
-* This descriptor enables you to create reverse proxy functionality, allowing your Alepha server
-* to forward requests to other services while maintaining a unified API surface. It's particularly
-* useful for microservice architectures, API gateways, or when you need to aggregate multiple
-* services behind a single endpoint.
-*
-* **Key Features**
-*
-* - **Path-based routing**: Match specific paths or patterns to proxy
-* - **Dynamic targets**: Support both static and dynamic target resolution
-* - **Request/Response hooks**: Modify requests before forwarding and responses after receiving
-* - **URL rewriting**: Transform URLs before forwarding to the target
-* - **Conditional proxying**: Enable/disable proxies based on environment or conditions
-*
-* @example
-* **Basic proxy setup:**
-* ```ts
-* import { $proxy } from "alepha/server/proxy";
-*
-* class ApiGateway {
-*   // Forward all /api/* requests to external service
-*   api = $proxy({
-*     path: "/api/*",
-*     target: "https://api.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Dynamic target with environment-based routing:**
-* ```ts
-* class ApiGateway {
-*   // Route to different environments based on configuration
-*   api = $proxy({
-*     path: "/api/*",
-*     target: () => process.env.NODE_ENV === "production"
-*       ? "https://api.prod.example.com"
-*       : "https://api.dev.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Advanced proxy with request/response modification:**
-* ```ts
-* class SecureProxy {
-*   secure = $proxy({
-*     path: "/secure/*",
-*     target: "https://secure-api.example.com",
-*     beforeRequest: async (request, proxyRequest) => {
-*       // Add authentication headers
-*       proxyRequest.headers = {
-*         ...proxyRequest.headers,
-*         'Authorization': `Bearer ${await getServiceToken()}`,
-*         'X-Forwarded-For': request.headers['x-forwarded-for'] || request.ip
-*       };
-*     },
-*     afterResponse: async (request, proxyResponse) => {
-*       // Log response for monitoring
-*       console.log(`Proxied ${request.url} -> ${proxyResponse.status}`);
-*     },
-*     rewrite: (url) => {
-*       // Remove /secure prefix when forwarding
-*       url.pathname = url.pathname.replace('/secure', '');
-*     }
-*   });
-* }
-* ```
-*
-* @example
-* **Conditional proxy based on feature flags:**
-* ```ts
-* class FeatureProxy {
-*   newApi = $proxy({
-*     path: "/v2/*",
-*     target: "https://new-api.example.com",
-*     disabled: !process.env.ENABLE_V2_API // Disable if feature flag is off
-*   });
-* }
-* ```
-*/
-const $proxy = (options) => {
-	return (0, alepha.createDescriptor)(ProxyDescriptor, options);
-};
-var ProxyDescriptor = class extends alepha.Descriptor {};
-$proxy[alepha.KIND] = ProxyDescriptor;
-
-//#endregion
-//#region src/server-proxy/providers/ServerProxyProvider.ts
-var ServerProxyProvider = class {
-	log = (0, alepha_logger.$logger)();
-	routerProvider = (0, alepha.$inject)(alepha_server.ServerRouterProvider);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	configure = (0, alepha.$hook)({
-		on: "configure",
-		handler: () => {
-			for (const proxy of this.alepha.descriptors($proxy)) this.createProxy(proxy.options);
-		}
-	});
-	createProxy(options) {
-		if (options.disabled) return;
-		const path = options.path;
-		const target = typeof options.target === "function" ? options.target() : options.target;
-		if (!path.endsWith("/*")) throw new alepha.AlephaError("Proxy path should end with '/*'");
-		const handler = this.createProxyHandler(target, options);
-		for (const method of alepha_server.routeMethods) this.routerProvider.createRoute({
-			method,
-			path,
-			handler
-		});
-		this.log.info("Proxying", {
-			path,
-			target
-		});
-	}
-	createProxyHandler(target, options) {
-		return async (request) => {
-			const url = new URL(target + request.url.pathname);
-			if (request.url.search) url.search = request.url.search;
-			options.rewrite?.(url);
-			const requestInit = {
-				url: url.toString(),
-				method: request.method,
-				headers: {
-					...request.headers,
-					"accept-encoding": "identity"
-				},
-				body: this.getRawRequestBody(request)
-			};
-			if (requestInit.body) requestInit.duplex = "half";
-			if (options.beforeRequest) await options.beforeRequest(request, requestInit);
-			this.log.debug("Proxying request", {
-				url: url.toString(),
-				method: request.method,
-				headers: request.headers
-			});
-			const response = await fetch(requestInit.url, requestInit);
-			request.reply.status = response.status;
-			request.reply.headers = Object.fromEntries(response.headers.entries());
-			request.reply.body = response.body;
-			this.log.debug("Received response", {
-				status: request.reply.status,
-				headers: request.reply.headers
-			});
-			if (options.afterResponse) await options.afterResponse(request, response);
-		};
-	}
-	getRawRequestBody(req) {
-		const { method } = req;
-		if (method === "GET" || method === "HEAD" || method === "OPTIONS") return;
-		if (req.raw?.web?.req) return req.raw.web.req.body;
-		if (req.raw?.node?.req) {
-			const nodeReq = req.raw.node.req;
-			return node_stream_web.ReadableStream.from(nodeReq);
-		}
-	}
-};
-
-//#endregion
-//#region src/server-proxy/index.ts
-/**
-* Plugin for Alepha that provides a proxy server functionality.
-*
-* @see {@link $proxy}
-* @module alepha.server.proxy
-*/
-const AlephaServerProxy = (0, alepha.$module)({
-	name: "alepha.server.proxy",
-	descriptors: [$proxy],
-	services: [alepha_server.AlephaServer, ServerProxyProvider]
-});
-
-//#endregion
-//#region src/server-links/providers/RemoteDescriptorProvider.ts
-const envSchema$1 = alepha.t.object({ SERVER_API_PREFIX: alepha.t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var RemoteDescriptorProvider = class {
-	env = (0, alepha.$env)(envSchema$1);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	proxyProvider = (0, alepha.$inject)(ServerProxyProvider);
-	linkProvider = (0, alepha.$inject)(LinkProvider);
-	remotes = [];
-	log = (0, alepha_logger.$logger)();
-	getRemotes() {
-		return this.remotes;
-	}
-	configure = (0, alepha.$hook)({
-		on: "configure",
-		handler: async () => {
-			const remotes = this.alepha.descriptors($remote);
-			for (const remote of remotes) await this.registerRemote(remote);
-		}
-	});
-	start = (0, alepha.$hook)({
-		on: "start",
-		handler: async () => {
-			for (const remote of this.remotes) {
-				const token = typeof remote.serviceAccount?.token === "function" ? await remote.serviceAccount.token() : void 0;
-				if (!remote.internal) continue;
-				const { links } = await remote.links({ authorization: token });
-				for (const link of links) {
-					let path = link.path.replace(remote.prefix, "");
-					if (link.service) path = `/${link.service}${path}`;
-					this.linkProvider.registerLink({
-						...link,
-						prefix: remote.prefix,
-						path,
-						method: link.method ?? "GET",
-						host: remote.url,
-						service: remote.name
-					});
-				}
-				this.log.info(`Remote '${remote.name}' OK`, {
-					links: remote.links.length,
-					prefix: remote.prefix
-				});
-			}
-		}
-	});
-	async registerRemote(value) {
-		const options = value.options;
-		const url = typeof options.url === "string" ? options.url : options.url();
-		const linkPath = LinkProvider.path.apiLinks;
-		const name = value.name;
-		const proxy = typeof options.proxy === "object" ? options.proxy : {};
-		const remote = {
-			url,
-			name,
-			prefix: "/api",
-			serviceAccount: options.serviceAccount,
-			proxy: !!options.proxy,
-			internal: !proxy.noInternal,
-			schema: async (opts) => {
-				const { authorization, name: name$1 } = opts;
-				return await fetch(`${url}${linkPath}/${name$1}/schema`, { headers: new Headers(authorization ? { authorization } : {}) }).then((it) => it.json());
-			},
-			links: async (opts) => {
-				const { authorization } = opts;
-				const remoteApi = await this.fetchLinks.run({
-					service: name,
-					url: `${url}${linkPath}`,
-					authorization
-				});
-				if (remoteApi.prefix != null) remote.prefix = remoteApi.prefix;
-				return remoteApi;
-			}
-		};
-		this.remotes.push(remote);
-		if (options.proxy) this.proxyProvider.createProxy({
-			path: `${this.env.SERVER_API_PREFIX}/${name}/*`,
-			target: url,
-			rewrite: (url$1) => {
-				url$1.pathname = url$1.pathname.replace(`${this.env.SERVER_API_PREFIX}/${name}`, remote.prefix);
-			},
-			...proxy
-		});
-	}
-	fetchLinks = (0, alepha_retry.$retry)({
-		max: 10,
-		backoff: { initial: 1e3 },
-		onError: (_, attempt, { service, url }) => {
-			this.log.warn(`Failed to fetch links, retry (${attempt})...`, {
-				service,
-				url
-			});
-		},
-		handler: async (opts) => {
-			const { url, authorization } = opts;
-			const response = await fetch(url, { headers: new Headers(authorization ? { authorization } : {}) });
-			if (!response.ok) throw new Error(`Failed to fetch links from ${url}`);
-			return this.alepha.codec.decode(apiLinksResponseSchema, await response.json());
-		}
-	});
-};
-
-//#endregion
-//#region src/server-links/providers/ServerLinksProvider.ts
-const envSchema = alepha.t.object({ SERVER_API_PREFIX: alepha.t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var ServerLinksProvider = class {
-	env = (0, alepha.$env)(envSchema);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	linkProvider = (0, alepha.$inject)(LinkProvider);
-	remoteProvider = (0, alepha.$inject)(RemoteDescriptorProvider);
-	serverTimingProvider = (0, alepha.$inject)(alepha_server.ServerTimingProvider);
-	get prefix() {
-		return this.env.SERVER_API_PREFIX;
-	}
-	onRoute = (0, alepha.$hook)({
-		on: "configure",
-		handler: () => {
-			for (const action of this.alepha.descriptors(alepha_server.$action)) this.linkProvider.registerLink({
-				name: action.name,
-				group: action.group,
-				schema: action.options.schema,
-				requestBodyType: action.getBodyContentType(),
-				secured: action.options.secure ?? true,
-				method: action.method === "GET" ? void 0 : action.method,
-				prefix: action.prefix,
-				path: action.path,
-				handler: (config, options = {}) => action.run(config, options)
-			});
-		}
-	});
-	/**
-	* First API - Get all API links for the user.
-	*
-	* This is based on the user's permissions.
-	*/
-	links = (0, alepha_server.$route)({
-		path: LinkProvider.path.apiLinks,
-		schema: { response: apiLinksResponseSchema },
-		handler: ({ user, headers: headers$1 }) => {
-			return this.getUserApiLinks({
-				user,
-				authorization: headers$1.authorization
-			});
-		}
-	});
-	/**
-	* Second API - Get schema for a specific API link.
-	*
-	* Note: Body/Response schema are not included in `links` API because it's TOO BIG.
-	* I mean for 150+ links, you got 50ms of serialization time.
-	*/
-	schema = (0, alepha_server.$route)({
-		path: LinkProvider.path.apiSchema,
-		schema: {
-			params: alepha.t.object({ name: alepha.t.text() }),
-			response: alepha.t.json()
-		},
-		handler: ({ params, user, headers: headers$1 }) => {
-			return this.getSchemaByName(params.name, {
-				user,
-				authorization: headers$1.authorization
-			});
-		}
-	});
-	async getSchemaByName(name, options = {}) {
-		const authorization = options.authorization;
-		const api = await this.getUserApiLinks({
-			user: options.user,
-			authorization
-		});
-		for (const link of api.links) if (link.name === name) {
-			if (link.service) return this.remoteProvider.getRemotes().find((it) => it.name === link.service)?.schema({
-				name,
-				authorization
-			});
-			return this.linkProvider.getServerLinks().find((it) => it.name === name)?.schema ?? {};
-		}
-		return {};
-	}
-	/**
-	* Retrieves API links for the user based on their permissions.
-	* Will check on local links and remote links.
-	*/
-	async getUserApiLinks(options) {
-		const { user } = options;
-		let permissions;
-		let permissionMap;
-		const hasSecurity = this.alepha.has(alepha_security.SecurityProvider);
-		if (hasSecurity && user) {
-			permissions = this.alepha.inject(alepha_security.SecurityProvider).getPermissions(user);
-			permissionMap = new Map(permissions.map((it) => [`${it.group}:${it.name}`, it]));
-		}
-		const userLinks = [];
-		for (const permission of permissions ?? []) if (!permission.path && !permission.method && permission.name && permission.group) userLinks.push({
-			path: "",
-			name: permission.name,
-			group: permission.group
-		});
-		for (const link of this.linkProvider.getServerLinks()) {
-			if (link.host) continue;
-			if (hasSecurity && link.secured) {
-				if (!user) continue;
-				if (typeof link.secured === "object" && link.secured.realm) {
-					if (user.realm !== link.secured.realm) continue;
-				} else if (permissionMap) {
-					if (!permissionMap.has(`${link.group}:${link.name}`)) continue;
-				}
-			}
-			userLinks.push({
-				name: link.name,
-				group: link.group,
-				requestBodyType: link.requestBodyType,
-				method: link.method,
-				path: link.path
-			});
-		}
-		this.serverTimingProvider.beginTiming("fetchRemoteLinks");
-		const promises = this.remoteProvider.getRemotes().filter((it) => it.proxy).map(async (remote) => {
-			const { links, prefix } = await remote.links(options);
-			return links.map((link) => {
-				let path = link.path.replace(prefix ?? "/api", "");
-				if (link.service) path = `/${link.service}${path}`;
-				return {
-					...link,
-					path,
-					proxy: true,
-					service: remote.name
-				};
-			});
-		});
-		userLinks.push(...(await Promise.all(promises)).flat());
-		this.serverTimingProvider.endTiming("fetchRemoteLinks");
-		return {
-			prefix: this.env.SERVER_API_PREFIX,
-			links: userLinks
-		};
-	}
-};
-
-//#endregion
-//#region src/server-links/index.ts
-/**
-* Provides server-side link management and remote capabilities for client-server interactions.
-*
-* The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
-* facilitating seamless API endpoint management and client-server communication. It integrates with server
-* security features to ensure safe and controlled access to resources.
-*
-* @see {@link $remote}
-* @see {@link $client}
-* @module alepha.server.links
-*/
-const AlephaServerLinks = (0, alepha.$module)({
-	name: "alepha.server.links",
-	descriptors: [$remote, $client],
-	services: [
-		alepha_server.AlephaServer,
-		ServerLinksProvider,
-		RemoteDescriptorProvider,
-		LinkProvider
-	]
-});
-
-//#endregion
-//#region src/server-auth/constants/routes.ts
-const alephaServerAuthRoutes = {
-	login: "/oauth/login",
-	callback: "/oauth/callback",
-	logout: "/oauth/logout",
-	token: "/_auth/token",
-	refresh: "/_auth/refresh",
-	userinfo: "/_auth/userinfo"
-};
-
-//#endregion
-//#region src/server-auth/schemas/tokensSchema.ts
-const tokensSchema = alepha.t.object({
-	provider: alepha.t.text(),
-	access_token: alepha.t.text({ size: "rich" }),
-	issued_at: alepha.t.number(),
-	expires_in: alepha.t.optional(alepha.t.number()),
-	refresh_token: alepha.t.optional(alepha.t.text({ size: "rich" })),
-	refresh_token_expires_in: alepha.t.optional(alepha.t.number()),
-	refresh_expires_in: alepha.t.optional(alepha.t.number({ description: "Alias of `refresh_token_expires_in` for compatibility with some providers." })),
-	id_token: alepha.t.optional(alepha.t.text({ size: "rich" })),
-	scope: alepha.t.optional(alepha.t.text())
-});
-
-//#endregion
-//#region src/server-auth/schemas/tokenResponseSchema.ts
-const tokenResponseSchema = alepha.t.extend(tokensSchema, {
-	user: alepha_security.userAccountInfoSchema,
-	api: apiLinksResponseSchema
-});
-
-//#endregion
-//#region src/server-auth/schemas/userinfoResponseSchema.ts
-const userinfoResponseSchema = alepha.t.object({
-	user: alepha.t.optional(alepha_security.userAccountInfoSchema),
-	api: apiLinksResponseSchema
-});
-
-//#endregion
-//#region src/server-auth/providers/ServerAuthProvider.ts
-var ServerAuthProvider = class {
-	log = (0, alepha_logger.$logger)();
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	serverCookiesProvider = (0, alepha.$inject)(ServerCookiesProvider);
-	dateTimeProvider = (0, alepha.$inject)(alepha_datetime.DateTimeProvider);
-	serverLinksProvider = (0, alepha.$inject)(ServerLinksProvider);
-	authorizationCode = $cookie({
-		name: "authorizationCode",
-		ttl: [15, "minutes"],
-		httpOnly: true,
-		schema: alepha.t.object({
-			provider: alepha.t.text(),
-			codeVerifier: alepha.t.optional(alepha.t.text({ size: "long" })),
-			redirectUri: alepha.t.optional(alepha.t.text({ size: "long" })),
-			state: alepha.t.optional(alepha.t.text()),
-			nonce: alepha.t.optional(alepha.t.text())
-		})
-	});
-	tokens = $cookie({
-		name: "tokens",
-		ttl: [30, "days"],
-		httpOnly: true,
-		compress: true,
-		encrypt: true,
-		schema: tokensSchema
-	});
-	get identities() {
-		return this.alepha.descriptors($auth).filter((auth) => !auth.options.disabled);
-	}
-	getAuthenticationProviders(filters = {}) {
-		const providers = [];
-		for (const identity of this.identities) {
-			if (filters.realmName) {
-				const realm = "realm" in identity.options && identity.options.realm;
-				if (!realm || realm.name !== filters.realmName) continue;
-			}
-			const type = "oidc" in identity.options ? "OIDC" : "oauth" in identity.options ? "OAUTH2" : "credentials" in identity.options ? "CREDENTIALS" : void 0;
-			if (!type) continue;
-			providers.push({
-				name: identity.name,
-				type
-			});
-		}
-		return providers;
-	}
-	configure = (0, alepha.$hook)({
-		on: "configure",
-		handler: async () => {
-			for (const identity of this.identities) await identity.prepare();
-		}
-	});
-	getAccessTokens(tokens) {
-		const idp = this.provider(tokens.provider);
-		if ("oidc" in idp.options && !("realm" in idp.options) && idp.options.oidc?.useIdToken) return tokens.id_token;
-		return tokens.access_token;
-	}
-	/**
-	* Fill request headers with access token from cookies or fallback to provider's fallback function.
-	*/
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		after: this.serverCookiesProvider,
-		handler: async ({ request }) => {
-			const cookies = request.cookies;
-			if (cookies) {
-				const tokens = await this.cookiesToTokens(cookies);
-				if (tokens) {
-					request.headers.authorization = `Bearer ${this.getAccessTokens(tokens)}`;
-					this.log.trace("Access token set in request headers", { provider: tokens.provider });
-				}
-			}
-			if (!request.headers.authorization) {
-				for (const provider of this.identities) if (!("realm" in provider.options) && !!provider.options.fallback) {
-					const token = await provider.options.fallback();
-					if (token) {
-						request.headers.authorization = `Bearer ${token}`;
-						break;
-					}
-				}
-			}
-		}
-	});
-	/**
-	* Convert cookies to tokens.
-	* If the tokens are expired, try to refresh them using the refresh token.
-	*/
-	async cookiesToTokens(cookies) {
-		const tokens = this.tokens.get({ cookies });
-		if (!tokens) {
-			this.log.trace("No tokens found in cookies");
-			return;
-		}
-		this.log.trace("Tokens found in cookies", {
-			expires_in: tokens.expires_in,
-			issued_at: tokens.issued_at
-		});
-		const refreshedTokens = await this.refreshTokens(tokens);
-		if (!refreshedTokens) {
-			this.tokens.del({ cookies });
-			return;
-		}
-		if (refreshedTokens.access_token !== tokens.access_token) this.setTokens(refreshedTokens, cookies);
-		return refreshedTokens;
-	}
-	async refreshTokens(tokens) {
-		if (tokens.expires_in && tokens.issued_at) {
-			if (tokens.issued_at + (tokens.expires_in - 10) < this.dateTimeProvider.now().unix()) {
-				this.log.trace("Tokens are expired");
-				if (tokens.refresh_token) {
-					this.log.trace("Trying to refresh tokens using refresh token");
-					try {
-						const newTokens = {
-							...await this.provider(tokens).refresh(tokens.refresh_token, tokens.access_token),
-							provider: tokens.provider,
-							issued_at: this.dateTimeProvider.now().unix()
-						};
-						this.log.debug("Tokens refreshed successfully");
-						return newTokens;
-					} catch (e$1) {
-						this.log.warn("Failed to refresh token", e$1);
-					}
-				}
-				return;
-			}
-		}
-		if (!tokens.issued_at && tokens.access_token) return;
-		return tokens;
-	}
-	/**
-	* Get user information.
-	*/
-	userinfo = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.userinfo,
-		schema: { response: userinfoResponseSchema },
-		handler: async ({ user, headers: headers$1, cookies }) => {
-			const tokens = this.tokens.get({ cookies });
-			if (tokens) {
-				const provider = this.provider(tokens);
-				if (!("realm" in provider.options)) {
-					const user$1 = await provider.user(tokens);
-					return {
-						api: await this.serverLinksProvider.getUserApiLinks({
-							authorization: headers$1.authorization,
-							user: user$1
-						}),
-						user: user$1
-					};
-				}
-			}
-			return {
-				api: await this.serverLinksProvider.getUserApiLinks({
-					authorization: headers$1.authorization,
-					user
-				}),
-				user
-			};
-		}
-	});
-	/**
-	* Refresh a token for internal providers.
-	*/
-	refresh = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.refresh,
-		method: "POST",
-		schema: {
-			query: alepha.t.object({ provider: alepha.t.text() }),
-			body: alepha.t.object({
-				refresh_token: alepha.t.text({ size: "rich" }),
-				access_token: alepha.t.optional(alepha.t.text({
-					size: "rich",
-					description: "Required if provider has stateless refresh token on credentials mode"
-				}))
-			}),
-			response: tokensSchema
-		},
-		handler: async ({ query, body, cookies }) => {
-			const provider = this.provider(query);
-			const tokens = {
-				provider: query.provider,
-				...await provider.refresh(body.refresh_token, body.access_token)
-			};
-			this.setTokens(tokens, cookies);
-			return tokens;
-		}
-	});
-	/**
-	* Login for local password-based authentication.
-	*/
-	token = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.token,
-		method: "POST",
-		schema: {
-			query: alepha.t.object({ provider: alepha.t.text() }),
-			body: alepha.t.object({
-				username: alepha.t.text(),
-				password: alepha.t.text()
-			}),
-			response: tokenResponseSchema
-		},
-		handler: async ({ query, body, cookies }) => {
-			const provider = this.provider(query);
-			const realm = "realm" in provider.options && provider.options.realm;
-			if (!realm) throw new alepha_security.SecurityError(`Auth provider '${query.provider}' does not support password grant`);
-			const credentials = "credentials" in provider.options && provider.options.credentials;
-			if (!credentials) throw new alepha_security.SecurityError(`Auth provider '${query.provider}' does not support password grant`);
-			let user;
-			try {
-				user = await credentials.account(body);
-			} catch (e$1) {
-				if (e$1 instanceof alepha_security.InvalidCredentialsError) throw e$1;
-				this.log.error("Failed to authenticate user", e$1);
-				throw new alepha_security.InvalidCredentialsError();
-			}
-			if (!user) throw new alepha_security.InvalidCredentialsError();
-			const tokens = {
-				provider: query.provider,
-				...await realm.createToken(user)
-			};
-			this.setTokens(tokens, cookies);
-			const api = await this.serverLinksProvider.getUserApiLinks({ user });
-			return {
-				...tokens,
-				user,
-				api
-			};
-		}
-	});
-	/**
-	* Oauth2/OIDC login route.
-	*/
-	login = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.login,
-		schema: { query: alepha.t.object({
-			provider: alepha.t.text(),
-			redirect_uri: alepha.t.optional(alepha.t.text({ size: "rich" }))
-		}) },
-		handler: async ({ query, url, reply }) => {
-			const provider = this.provider(query);
-			const oauth = provider.oauth;
-			if (!oauth) throw new alepha_security.SecurityError(`Auth provider '${query.provider}' does not support OAuth2`);
-			const scope = provider.scope;
-			let redirect_uri = provider.redirect_uri || alephaServerAuthRoutes.callback;
-			if (redirect_uri.startsWith("/")) redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;
-			const oidc = "oidc" in provider.options && provider.options.oidc;
-			if (!oauth.serverMetadata().supportsPKCE()) {
-				const state = randomState();
-				const parameters$1 = {
-					redirect_uri,
-					state
-				};
-				if (oidc) parameters$1.nonce = randomState();
-				if (scope) parameters$1.scope = scope;
-				this.authorizationCode.set({
-					state,
-					nonce: parameters$1.nonce,
-					redirectUri: query.redirect_uri ?? "/",
-					provider: query.provider
-				});
-				reply.redirect(buildAuthorizationUrl(oauth, parameters$1).toString());
-				return;
-			}
-			const codeVerifier = randomPKCECodeVerifier();
-			const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
-			const parameters = {
-				redirect_uri,
-				code_challenge: codeChallenge,
-				code_challenge_method: "S256"
-			};
-			if (scope) parameters.scope = scope;
-			this.authorizationCode.set({
-				codeVerifier,
-				redirectUri: query.redirect_uri ?? "/",
-				provider: query.provider
-			});
-			reply.redirect(buildAuthorizationUrl(oauth, parameters).toString());
-		}
-	});
-	/**
-	* Callback for OAuth2/OIDC providers.
-	* It handles the authorization code flow and retrieves the access token.
-	*/
-	callback = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.callback,
-		handler: async ({ url, reply, cookies }) => {
-			const authorizationCode = this.authorizationCode.get({ cookies });
-			if (!authorizationCode) throw new alepha_server.BadRequestError("Missing code verifier");
-			const provider = this.provider(authorizationCode);
-			const oauth = provider.oauth;
-			if (!oauth) throw new alepha_security.SecurityError(`Auth provider '${provider.name}' does not support OAuth2`);
-			const redirectUri = authorizationCode.redirectUri ?? "/";
-			const externalTokens = await authorizationCodeGrant(oauth, url, {
-				pkceCodeVerifier: authorizationCode.codeVerifier,
-				expectedState: authorizationCode.state,
-				expectedNonce: authorizationCode.nonce
-			}).then((tokens$1) => ({
-				issued_at: this.dateTimeProvider.now().unix(),
-				provider: provider.name,
-				...tokens$1
-			})).catch((e$1) => {
-				this.log.error("Failed to get access token", e$1);
-				throw new alepha_security.SecurityError("Failed to get access token", { cause: e$1 });
-			});
-			this.authorizationCode.del({ cookies });
-			const realm = "realm" in provider.options && provider.options.realm;
-			if (!realm) {
-				this.setTokens(externalTokens, cookies);
-				reply.redirect(redirectUri);
-				return;
-			}
-			const user = await provider.user(externalTokens);
-			const tokens = await realm.createToken(user);
-			this.setTokens({
-				...tokens,
-				issued_at: this.dateTimeProvider.now().unix(),
-				provider: provider.name
-			}, cookies);
-			reply.redirect(redirectUri);
-		}
-	});
-	/**
-	* Logout route for OAuth2/OIDC providers.
-	*/
-	logout = (0, alepha_server.$route)({
-		path: alephaServerAuthRoutes.logout,
-		method: "GET",
-		schema: { query: alepha.t.object({ post_logout_redirect_uri: alepha.t.optional(alepha.t.text()) }) },
-		handler: async ({ query, reply, cookies }) => {
-			const redirect = query.post_logout_redirect_uri ?? "/";
-			const tokens = this.tokens.get({ cookies });
-			if (!tokens) {
-				reply.redirect(redirect);
-				return;
-			}
-			const provider = this.provider(tokens.provider);
-			this.tokens.del({ cookies });
-			if ("realm" in provider.options && tokens.refresh_token) {
-				const onDeleteSession = provider.options.realm.options.settings?.onDeleteSession;
-				if (onDeleteSession) try {
-					await onDeleteSession(tokens.refresh_token);
-				} catch (e$1) {
-					this.log.error("Failed to delete session", e$1);
-				}
-			}
-			const oauth = provider.oauth;
-			if (!oauth) {
-				reply.redirect(redirect);
-				return;
-			}
-			const params = new URLSearchParams();
-			const idToken = tokens?.id_token;
-			params.set("post_logout_redirect_uri", redirect);
-			if (idToken) params.set("id_token_hint", idToken);
-			const customLogoutUri = "oidc" in provider.options ? provider.options.oidc?.logoutUri : void 0;
-			if (customLogoutUri) {
-				reply.redirect(`${customLogoutUri}?${params}`);
-				return;
-			}
-			if (!oauth.serverMetadata().end_session_endpoint) {
-				reply.redirect(redirect);
-				return;
-			}
-			reply.redirect(buildEndSessionUrl(oauth, params).toString());
-		}
-	});
-	provider(opts) {
-		const name = typeof opts === "string" ? opts : opts.provider;
-		const identity = this.identities.find((identity$1) => identity$1.name === name);
-		if (!identity) throw new alepha_security.SecurityError(`Auth provider '${name}' not found`);
-		return identity;
-	}
-	setTokens(tokens, cookies) {
-		const exp = tokens.refresh_token_expires_in || tokens.refresh_expires_in || tokens.expires_in;
-		const ttl = exp ? this.dateTimeProvider.duration(exp, "seconds") : void 0;
-		this.tokens.set(tokens, {
-			cookies,
-			ttl
-		});
-	}
-};
-
-//#endregion
-//#region src/server-auth/descriptors/$authCredentials.ts
-/**
-* Already configured Credentials authentication descriptor.
-*
-* Uses username and password to authenticate users.
-*/
-const $authCredentials = (realm, options = {}) => {
-	const name = "credentials";
-	const account = realm.login ? realm.login(name) : options.account;
-	if (!account) throw new alepha.AlephaError("Credentials authentication requires a login function in the realm descriptor.");
-	return $auth({
-		realm,
-		name,
-		credentials: { account }
-	});
-};
-
-//#endregion
-//#region src/server-auth/descriptors/$authGithub.ts
-/**
-* Already configured GitHub authentication descriptor.
-*
-* Uses OAuth2 to authenticate users via their GitHub accounts.
-* Upon successful authentication, it links the GitHub account to a user session.
-*
-* Environment Variables:
-* - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
-* - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
-*/
-const $authGithub = (realm, options = {}) => {
-	const { alepha: alepha$1 } = (0, alepha.$context)();
-	const env = alepha$1.parseEnv(alepha.t.object({
-		GITHUB_CLIENT_ID: alepha.t.optional(alepha.t.text()),
-		GITHUB_CLIENT_SECRET: alepha.t.optional(alepha.t.text())
-	}));
-	const disabled = !env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET;
-	const name = "github";
-	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
-	if (!account) throw new alepha.AlephaError("Authentication requires a link function in the realm descriptor.");
-	return $auth({
-		realm,
-		name,
-		oauth: {
-			clientId: env.GITHUB_CLIENT_ID,
-			clientSecret: env.GITHUB_CLIENT_SECRET,
-			authorization: "https://github.com/login/oauth/authorize",
-			token: "https://github.com/login/oauth/access_token",
-			scope: "read:user user:email",
-			userinfo: async (tokens) => {
-				const BASE_URL = "https://api.github.com";
-				const res = await fetch(`${BASE_URL}/user`, { headers: {
-					Authorization: `Bearer ${tokens.access_token}`,
-					"User-Agent": "Alepha"
-				} }).then((res$1) => res$1.json());
-				const user = { sub: res.id.toString() };
-				if (res.email) user.email = res.email;
-				if (res.name) user.name = res.name.trim();
-				if (res.avatar_url) user.picture = res.avatar_url;
-				if (!user.email) {
-					const res$1 = await fetch(`${BASE_URL}/user/emails`, { headers: {
-						Authorization: `Bearer ${tokens.access_token}`,
-						"User-Agent": "Alepha"
-					} });
-					if (res$1.ok) {
-						const emails = await res$1.json();
-						user.email = (emails.find((e$1) => e$1.primary) ?? emails[0]).email;
-					}
-				}
-				return user;
-			},
-			...options,
-			account
-		},
-		disabled
-	});
-};
-
-//#endregion
-//#region src/server-auth/descriptors/$authGoogle.ts
-/**
-* Already configured Google authentication descriptor.
-*
-* Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
-* Upon successful authentication, it links the Google account to a user session.
-*
-* Environment Variables:
-* - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
-* - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
-*/
-const $authGoogle = (realm, options = {}) => {
-	const { alepha: alepha$1 } = (0, alepha.$context)();
-	const env = alepha$1.parseEnv(alepha.t.object({
-		GOOGLE_CLIENT_ID: alepha.t.optional(alepha.t.text()),
-		GOOGLE_CLIENT_SECRET: alepha.t.optional(alepha.t.text())
-	}));
-	const disabled = !env.GOOGLE_CLIENT_ID || !env.GOOGLE_CLIENT_SECRET;
-	const name = "google";
-	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
-	if (!account) throw new alepha.AlephaError("Authentication requires a link function in the realm descriptor.");
-	return $auth({
-		realm,
-		name,
-		oidc: {
-			issuer: "https://accounts.google.com",
-			clientId: env.GOOGLE_CLIENT_ID,
-			clientSecret: env.GOOGLE_CLIENT_SECRET,
-			...options,
-			account
-		},
-		disabled
-	});
-};
-
-//#endregion
-//#region src/server-auth/schemas/authenticationProviderSchema.ts
-const authenticationProviderSchema = alepha.t.object({
-	name: alepha.t.text({ description: "Name of the authentication provider." }),
-	type: alepha.t.enum([
-		"OAUTH2",
-		"OIDC",
-		"CREDENTIALS"
-	], { description: "Type of the authentication provider." })
-}, { title: "AuthenticationProvider" });
-
-//#endregion
-//#region src/server-auth/index.ts
-/**
-* Allow authentication services for server applications.
-* It provides login and logout functionalities.
-*
-* There are multiple authentication providers available (e.g., Google, GitHub).
-* You can also delegate authentication to your own OIDC/OAuth2, for example using Keycloak or Auth0.
-*
-* It's cookie-based and SSR friendly.
-*
-* @see {@link $auth}
-* @see {@link ServerAuthProvider}
-* @module alepha.server.auth
-*/
-const AlephaServerAuth = (0, alepha.$module)({
-	name: "alepha.server.auth",
-	descriptors: [$auth],
-	services: [AlephaServerCookies, ServerAuthProvider]
-});
-
-//#endregion
-exports.$auth = $auth;
-exports.$authCredentials = $authCredentials;
-exports.$authGithub = $authGithub;
-exports.$authGoogle = $authGoogle;
-exports.AlephaServerAuth = AlephaServerAuth;
-exports.AuthDescriptor = AuthDescriptor;
-exports.ServerAuthProvider = ServerAuthProvider;
-exports.alephaServerAuthRoutes = alephaServerAuthRoutes;
-exports.authenticationProviderSchema = authenticationProviderSchema;
-exports.tokenResponseSchema = tokenResponseSchema;
-exports.tokensSchema = tokensSchema;
-exports.userinfoResponseSchema = userinfoResponseSchema;
-//# sourceMappingURL=index.cjs.map