alepha 0.13.6 → 0.13.8

package/dist/server/auth/index.js

@@ -0,0 +1,742 @@
+import { $context, $hook, $inject, $module, Alepha, AlephaError, KIND, Primitive, createPrimitive, t } from "alepha";
+import { $cookie, AlephaServerCookies, ServerCookiesProvider } from "alepha/server/cookies";
+import { DateTimeProvider } from "alepha/datetime";
+import { InvalidCredentialsError, SecurityError, SecurityProvider, userAccountInfoSchema } from "alepha/security";
+import { Configuration, allowInsecureRequests, authorizationCodeGrant, buildAuthorizationUrl, buildEndSessionUrl, calculatePKCECodeChallenge, discovery, randomPKCECodeVerifier, randomState, refreshTokenGrant } from "openid-client";
+import { $logger } from "alepha/logger";
+import { $route, BadRequestError } from "alepha/server";
+import { ServerLinksProvider, apiLinksResponseSchema } from "alepha/server/links";
+
+//#region ../../src/server/auth/primitives/$auth.ts
+/**
+* Creates an authentication provider primitive for handling user login flows.
+*
+* Supports multiple authentication strategies: credentials (username/password), OAuth2,
+* and OIDC (OpenID Connect). Handles token management, user profile retrieval, and
+* integration with both external identity providers (Auth0, Keycloak) and internal realms.
+*
+* **Authentication Types**: Credentials, OAuth2 (Google, GitHub), OIDC, External providers
+*
+* @example
+* ```ts
+* class AuthProviders {
+*   // Internal credentials-based auth
+*   credentials = $auth({
+*     realm: this.userRealm,
+*     credentials: {
+*       account: async ({ username, password }) => {
+*         return await this.validateUser(username, password);
+*       }
+*     }
+*   });
+*
+*   // External OIDC provider
+*   keycloak = $auth({
+*     oidc: {
+*       issuer: "https://auth.example.com",
+*       clientId: "my-app",
+*       clientSecret: "secret",
+*       redirectUri: "/auth/callback"
+*     }
+*   });
+* }
+* ```
+*/
+const $auth = (options) => {
+	return createPrimitive(AuthPrimitive, options);
+};
+var AuthPrimitive = class extends Primitive {
+	securityProvider = $inject(SecurityProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	oauth;
+	get name() {
+		return this.options.name ?? this.config.propertyKey;
+	}
+	get realm() {
+		if ("realm" in this.options) return this.options.realm;
+	}
+	get jwks_uri() {
+		const jwks = this.oauth?.serverMetadata().jwks_uri;
+		if (!jwks) throw new AlephaError("No JWKS URI available for the auth provider");
+		return jwks;
+	}
+	get scope() {
+		if ("oauth" in this.options) return this.options.oauth.scope;
+		if ("oidc" in this.options) return this.options.oidc.scope || "openid profile email";
+		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
+	}
+	get redirect_uri() {
+		if ("oauth" in this.options) return this.options.oauth.redirectUri;
+		if ("oidc" in this.options) return this.options.oidc.redirectUri;
+		throw new AlephaError("No OAuth2 or OIDC configuration available for the auth provider");
+	}
+	/**
+	* Refreshes the access token using the refresh token.
+	* Can be used on oauth2, oidc or credentials auth providers.
+	*/
+	async refresh(refreshToken, accessToken) {
+		if ("realm" in this.options) return this.options.realm.refreshToken(refreshToken, accessToken).then((it) => it.tokens).catch((error) => {
+			throw new SecurityError("Failed to refresh access token using the refresh token (realm)", { cause: error });
+		});
+		else if (this.oauth) try {
+			return {
+				...await refreshTokenGrant(this.oauth, refreshToken),
+				issued_at: this.dateTimeProvider.now().unix()
+			};
+		} catch (error) {
+			throw new SecurityError("Failed to refresh access token using the refresh token (oauth2)", { cause: error });
+		}
+		throw new AlephaError("No realm or OAuth2 configuration available for refreshing the access token");
+	}
+	/**
+	* Extracts user information from the access token.
+	* This is used to create a user account from the access token.
+	*/
+	async user(tokens) {
+		try {
+			if ("oauth" in this.options) {
+				const profile = await this.options.oauth.userinfo(tokens);
+				if (this.options.oauth.account) return this.options.oauth.account({
+					...tokens,
+					user: profile
+				});
+				return this.securityProvider.createUserFromPayload(profile);
+			}
+			if ("oidc" in this.options) {
+				const payload = this.getUserFromIdToken(tokens.id_token || "");
+				if (this.options.oidc.account) return this.options.oidc.account({
+					...tokens,
+					user: payload
+				});
+				return this.securityProvider.createUserFromPayload(payload);
+			}
+		} catch (error) {
+			throw new SecurityError("Failed to extract user from identity provider tokens", { cause: error });
+		}
+		throw new AlephaError("This authentication does not support user extraction from tokens");
+	}
+	getUserFromIdToken(idToken) {
+		try {
+			return JSON.parse(Buffer.from(idToken.split(".")[1], "base64").toString("utf8"));
+		} catch (error) {
+			throw new AlephaError("Failed to parse ID Token payload", { cause: error });
+		}
+	}
+	async prepare() {
+		const addons = [];
+		addons.push(allowInsecureRequests);
+		if ("oidc" in this.options) {
+			const { oidc } = this.options;
+			this.oauth = await discovery(new URL(oidc.issuer), oidc.clientId, { client_secret: oidc.clientSecret }, void 0, { execute: addons });
+		}
+		if ("oauth" in this.options) {
+			const { oauth } = this.options;
+			this.oauth = new Configuration({
+				authorization_endpoint: oauth.authorization,
+				token_endpoint: oauth.token,
+				issuer: oauth.authorization,
+				jwks_uri: void 0,
+				end_session_endpoint: void 0
+			}, oauth.clientId, { client_secret: oauth.clientSecret });
+		}
+	}
+};
+$auth[KIND] = AuthPrimitive;
+
+//#endregion
+//#region ../../src/server/auth/constants/routes.ts
+const alephaServerAuthRoutes = {
+	login: "/oauth/login",
+	callback: "/oauth/callback",
+	logout: "/oauth/logout",
+	token: "/_auth/token",
+	refresh: "/_auth/refresh",
+	userinfo: "/_auth/userinfo"
+};
+
+//#endregion
+//#region ../../src/server/auth/schemas/tokensSchema.ts
+const tokensSchema = t.object({
+	provider: t.text(),
+	access_token: t.text({ size: "rich" }),
+	issued_at: t.number(),
+	expires_in: t.optional(t.number()),
+	refresh_token: t.optional(t.text({ size: "rich" })),
+	refresh_token_expires_in: t.optional(t.number()),
+	refresh_expires_in: t.optional(t.number({ description: "Alias of `refresh_token_expires_in` for compatibility with some providers." })),
+	id_token: t.optional(t.text({ size: "rich" })),
+	scope: t.optional(t.text())
+});
+
+//#endregion
+//#region ../../src/server/auth/schemas/tokenResponseSchema.ts
+const tokenResponseSchema = t.extend(tokensSchema, {
+	user: userAccountInfoSchema,
+	api: apiLinksResponseSchema
+});
+
+//#endregion
+//#region ../../src/server/auth/schemas/userinfoResponseSchema.ts
+const userinfoResponseSchema = t.object({
+	user: t.optional(userAccountInfoSchema),
+	api: apiLinksResponseSchema
+});
+
+//#endregion
+//#region ../../src/server/auth/providers/ServerAuthProvider.ts
+var ServerAuthProvider = class {
+	log = $logger();
+	alepha = $inject(Alepha);
+	serverCookiesProvider = $inject(ServerCookiesProvider);
+	dateTimeProvider = $inject(DateTimeProvider);
+	serverLinksProvider = $inject(ServerLinksProvider);
+	authorizationCode = $cookie({
+		name: "authorizationCode",
+		ttl: [15, "minutes"],
+		httpOnly: true,
+		schema: t.object({
+			provider: t.text(),
+			realm: t.optional(t.text()),
+			codeVerifier: t.optional(t.text({ size: "long" })),
+			redirectUri: t.optional(t.text({ size: "long" })),
+			state: t.optional(t.text()),
+			nonce: t.optional(t.text())
+		})
+	});
+	tokens = $cookie({
+		name: "tokens",
+		ttl: [30, "days"],
+		httpOnly: true,
+		compress: true,
+		encrypt: true,
+		schema: tokensSchema
+	});
+	get identities() {
+		return this.alepha.primitives($auth).filter((auth) => !auth.options.disabled);
+	}
+	getAuthenticationProviders(filters = {}) {
+		const providers = [];
+		for (const identity of this.identities) {
+			if (filters.realmName) {
+				const realm = "realm" in identity.options && identity.options.realm;
+				if (!realm || realm.name !== filters.realmName) continue;
+			}
+			const type = "oidc" in identity.options ? "OIDC" : "oauth" in identity.options ? "OAUTH2" : "credentials" in identity.options ? "CREDENTIALS" : void 0;
+			if (!type) continue;
+			providers.push({
+				name: identity.name,
+				type
+			});
+		}
+		return providers;
+	}
+	configure = $hook({
+		on: "configure",
+		handler: async () => {
+			for (const identity of this.identities) await identity.prepare();
+		}
+	});
+	getAccessTokens(tokens) {
+		const idp = this.provider(tokens.provider);
+		if ("oidc" in idp.options && !("realm" in idp.options) && idp.options.oidc?.useIdToken) return tokens.id_token;
+		return tokens.access_token;
+	}
+	/**
+	* Fill request headers with access token from cookies or fallback to provider's fallback function.
+	*/
+	onRequest = $hook({
+		on: "server:onRequest",
+		after: this.serverCookiesProvider,
+		handler: async ({ request }) => {
+			const cookies = request.cookies;
+			if (cookies) {
+				const tokens = await this.cookiesToTokens(cookies);
+				if (tokens) {
+					request.headers.authorization = `Bearer ${this.getAccessTokens(tokens)}`;
+					this.log.trace("Access token set in request headers", { provider: tokens.provider });
+				}
+			}
+			if (!request.headers.authorization) {
+				for (const provider of this.identities) if (!("realm" in provider.options) && !!provider.options.fallback) {
+					const token = await provider.options.fallback();
+					if (token) {
+						request.headers.authorization = `Bearer ${token}`;
+						break;
+					}
+				}
+			}
+		}
+	});
+	/**
+	* Convert cookies to tokens.
+	* If the tokens are expired, try to refresh them using the refresh token.
+	*/
+	async cookiesToTokens(cookies) {
+		const tokens = this.getTokens(cookies);
+		if (!tokens) {
+			this.log.trace("No tokens found in cookies");
+			return;
+		}
+		this.log.trace("Tokens found in cookies", {
+			expires_in: tokens.expires_in,
+			issued_at: tokens.issued_at
+		});
+		const refreshedTokens = await this.refreshTokens(tokens);
+		if (!refreshedTokens) {
+			this.tokens.del({ cookies });
+			return;
+		}
+		if (refreshedTokens.access_token !== tokens.access_token) this.setTokens(refreshedTokens, cookies);
+		return refreshedTokens;
+	}
+	async refreshTokens(tokens) {
+		if (tokens.expires_in && tokens.issued_at) {
+			if (tokens.issued_at + (tokens.expires_in - 10) < this.dateTimeProvider.now().unix()) {
+				this.log.trace("Tokens are expired");
+				if (tokens.refresh_token) {
+					this.log.trace("Trying to refresh tokens using refresh token");
+					try {
+						const newTokens = {
+							...await this.provider(tokens).refresh(tokens.refresh_token, tokens.access_token),
+							provider: tokens.provider,
+							issued_at: this.dateTimeProvider.now().unix()
+						};
+						this.log.debug("Tokens refreshed successfully");
+						return newTokens;
+					} catch (e) {
+						this.log.warn("Failed to refresh token", e);
+					}
+				}
+				return;
+			}
+		}
+		if (!tokens.issued_at && tokens.access_token) return;
+		return tokens;
+	}
+	/**
+	* Get user information.
+	*/
+	userinfo = $route({
+		path: alephaServerAuthRoutes.userinfo,
+		schema: { response: userinfoResponseSchema },
+		handler: async ({ user, headers, cookies }) => {
+			const tokens = this.getTokens(cookies);
+			if (tokens) {
+				const provider = this.provider(tokens);
+				if (!("realm" in provider.options)) {
+					const user$1 = await provider.user(tokens);
+					return {
+						api: await this.serverLinksProvider.getUserApiLinks({
+							authorization: headers.authorization,
+							user: user$1
+						}),
+						user: user$1
+					};
+				}
+			}
+			return {
+				api: await this.serverLinksProvider.getUserApiLinks({
+					authorization: headers.authorization,
+					user
+				}),
+				user
+			};
+		}
+	});
+	/**
+	* Refresh a token for internal providers.
+	*/
+	refresh = $route({
+		path: alephaServerAuthRoutes.refresh,
+		method: "POST",
+		schema: {
+			query: t.object({ provider: t.text() }),
+			body: t.object({
+				refresh_token: t.text({ size: "rich" }),
+				access_token: t.optional(t.text({
+					size: "rich",
+					description: "Required if provider has stateless refresh token on credentials mode"
+				}))
+			}),
+			response: tokensSchema
+		},
+		handler: async ({ query, body, cookies }) => {
+			const provider = this.provider(query);
+			const tokens = {
+				provider: query.provider,
+				...await provider.refresh(body.refresh_token, body.access_token)
+			};
+			this.setTokens(tokens, cookies);
+			return tokens;
+		}
+	});
+	/**
+	* Login for local password-based authentication.
+	*/
+	token = $route({
+		path: alephaServerAuthRoutes.token,
+		method: "POST",
+		schema: {
+			query: t.object({
+				provider: t.text(),
+				realm: t.optional(t.text({ description: "Realm name for multi-realm setups" }))
+			}),
+			body: t.object({
+				username: t.text(),
+				password: t.text()
+			}),
+			response: tokenResponseSchema
+		},
+		handler: async ({ query, body, cookies }) => {
+			const provider = this.provider({
+				provider: query.provider,
+				realm: query.realm
+			});
+			const realm = "realm" in provider.options && provider.options.realm;
+			if (!realm) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
+			const credentials = "credentials" in provider.options && provider.options.credentials;
+			if (!credentials) throw new SecurityError(`Auth provider '${query.provider}' does not support password grant`);
+			console.log("->", body);
+			let user;
+			try {
+				user = await credentials.account(body);
+			} catch (e) {
+				if (e instanceof InvalidCredentialsError) throw e;
+				this.log.error("Failed to authenticate user", e);
+				throw new InvalidCredentialsError();
+			}
+			if (!user) throw new InvalidCredentialsError();
+			const tokens = {
+				provider: query.provider,
+				...await realm.createToken(user)
+			};
+			this.setTokens(tokens, cookies);
+			const api = await this.serverLinksProvider.getUserApiLinks({ user });
+			return {
+				...tokens,
+				user,
+				api
+			};
+		}
+	});
+	/**
+	* Oauth2/OIDC login route.
+	*/
+	login = $route({
+		path: alephaServerAuthRoutes.login,
+		schema: { query: t.object({
+			provider: t.text(),
+			realm: t.optional(t.text({ description: "Realm name for multi-realm setups" })),
+			redirect_uri: t.optional(t.text({ size: "rich" }))
+		}) },
+		handler: async ({ query, url, reply }) => {
+			const provider = this.provider({
+				provider: query.provider,
+				realm: query.realm
+			});
+			const oauth = provider.oauth;
+			if (!oauth) throw new SecurityError(`Auth provider '${query.provider}' does not support OAuth2`);
+			const scope = provider.scope;
+			let redirect_uri = provider.redirect_uri || alephaServerAuthRoutes.callback;
+			if (redirect_uri.startsWith("/")) redirect_uri = `${url.protocol}//${url.host}${redirect_uri}`;
+			const oidc = "oidc" in provider.options && provider.options.oidc;
+			if (!oauth.serverMetadata().supportsPKCE()) {
+				const state = randomState();
+				const parameters$1 = {
+					redirect_uri,
+					state
+				};
+				if (oidc) parameters$1.nonce = randomState();
+				if (scope) parameters$1.scope = scope;
+				this.authorizationCode.set({
+					state,
+					nonce: parameters$1.nonce,
+					redirectUri: query.redirect_uri ?? "/",
+					provider: query.provider,
+					realm: query.realm
+				});
+				reply.redirect(buildAuthorizationUrl(oauth, parameters$1).toString());
+				return;
+			}
+			const codeVerifier = randomPKCECodeVerifier();
+			const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
+			const parameters = {
+				redirect_uri,
+				code_challenge: codeChallenge,
+				code_challenge_method: "S256"
+			};
+			if (scope) parameters.scope = scope;
+			this.authorizationCode.set({
+				codeVerifier,
+				redirectUri: query.redirect_uri ?? "/",
+				provider: query.provider,
+				realm: query.realm
+			});
+			reply.redirect(buildAuthorizationUrl(oauth, parameters).toString());
+		}
+	});
+	/**
+	* Callback for OAuth2/OIDC providers.
+	* It handles the authorization code flow and retrieves the access token.
+	*/
+	callback = $route({
+		path: alephaServerAuthRoutes.callback,
+		handler: async ({ url, reply, cookies }) => {
+			const authorizationCode = this.authorizationCode.get({ cookies });
+			if (!authorizationCode) throw new BadRequestError("Missing code verifier");
+			const provider = this.provider(authorizationCode);
+			const oauth = provider.oauth;
+			if (!oauth) throw new SecurityError(`Auth provider '${provider.name}' does not support OAuth2`);
+			const redirectUri = authorizationCode.redirectUri ?? "/";
+			const externalTokens = await authorizationCodeGrant(oauth, url, {
+				pkceCodeVerifier: authorizationCode.codeVerifier,
+				expectedState: authorizationCode.state,
+				expectedNonce: authorizationCode.nonce
+			}).then((tokens$1) => ({
+				issued_at: this.dateTimeProvider.now().unix(),
+				provider: provider.name,
+				...tokens$1
+			})).catch((e) => {
+				this.log.error("Failed to get access token", e);
+				throw new SecurityError("Failed to get access token", { cause: e });
+			});
+			this.authorizationCode.del({ cookies });
+			const realm = "realm" in provider.options && provider.options.realm;
+			if (!realm) {
+				this.setTokens(externalTokens, cookies);
+				reply.redirect(redirectUri);
+				return;
+			}
+			const user = await provider.user(externalTokens);
+			const tokens = await realm.createToken(user);
+			this.setTokens({
+				...tokens,
+				issued_at: this.dateTimeProvider.now().unix(),
+				provider: provider.name
+			}, cookies);
+			reply.redirect(redirectUri);
+		}
+	});
+	/**
+	* Logout route for OAuth2/OIDC providers.
+	*/
+	logout = $route({
+		path: alephaServerAuthRoutes.logout,
+		method: "GET",
+		schema: { query: t.object({ post_logout_redirect_uri: t.optional(t.text()) }) },
+		handler: async ({ query, reply, cookies }) => {
+			const redirect = query.post_logout_redirect_uri ?? "/";
+			const tokens = this.getTokens(cookies);
+			if (!tokens) {
+				reply.redirect(redirect);
+				return;
+			}
+			const provider = this.provider(tokens.provider);
+			this.tokens.del({ cookies });
+			if ("realm" in provider.options && tokens.refresh_token) {
+				const onDeleteSession = provider.options.realm.options.settings?.onDeleteSession;
+				if (onDeleteSession) try {
+					await onDeleteSession(tokens.refresh_token);
+				} catch (e) {
+					this.log.error("Failed to delete session", e);
+				}
+			}
+			const oauth = provider.oauth;
+			if (!oauth) {
+				reply.redirect(redirect);
+				return;
+			}
+			const params = new URLSearchParams();
+			const idToken = tokens?.id_token;
+			params.set("post_logout_redirect_uri", redirect);
+			if (idToken) params.set("id_token_hint", idToken);
+			const customLogoutUri = "oidc" in provider.options ? provider.options.oidc?.logoutUri : void 0;
+			if (customLogoutUri) {
+				reply.redirect(`${customLogoutUri}?${params}`);
+				return;
+			}
+			if (!oauth.serverMetadata().end_session_endpoint) {
+				reply.redirect(redirect);
+				return;
+			}
+			reply.redirect(buildEndSessionUrl(oauth, params).toString());
+		}
+	});
+	/**
+	* Find an auth provider by name and optionally by realm.
+	* When realm is specified, it filters providers by both name and realm.
+	* This enables multi-realm setups where multiple providers share the same name (e.g., "credentials").
+	*/
+	provider(opts) {
+		const name = typeof opts === "string" ? opts : opts.provider;
+		const realmName = typeof opts === "string" ? void 0 : opts.realm;
+		const identity = this.identities.find((identity$1) => {
+			if (identity$1.name !== name) return false;
+			if (realmName && identity$1.realm?.name !== realmName) return false;
+			return true;
+		});
+		if (!identity) throw new SecurityError(`Auth provider '${name}'${realmName ? ` for realm '${realmName}'` : ""} not found`);
+		return identity;
+	}
+	getTokens(cookies) {
+		return this.tokens.get({ cookies });
+	}
+	setTokens(tokens, cookies) {
+		const exp = tokens.refresh_token_expires_in || tokens.refresh_expires_in || tokens.expires_in;
+		const ttl = exp ? this.dateTimeProvider.duration(exp, "seconds") : void 0;
+		this.tokens.set(tokens, {
+			cookies,
+			ttl
+		});
+	}
+};
+
+//#endregion
+//#region ../../src/server/auth/schemas/authenticationProviderSchema.ts
+const authenticationProviderSchema = t.object({
+	name: t.text({ description: "Name of the authentication provider." }),
+	type: t.enum([
+		"OAUTH2",
+		"OIDC",
+		"CREDENTIALS"
+	], { description: "Type of the authentication provider." })
+}, { title: "AuthenticationProvider" });
+
+//#endregion
+//#region ../../src/server/auth/primitives/$authCredentials.ts
+/**
+* Already configured Credentials authentication primitive.
+*
+* Uses username and password to authenticate users.
+*/
+const $authCredentials = (realm, options = {}) => {
+	const name = "credentials";
+	const account = realm.login ? realm.login(name) : options.account;
+	if (!account) throw new AlephaError("Credentials authentication requires a login function in the realm primitive.");
+	return $auth({
+		realm,
+		name,
+		credentials: { account }
+	});
+};
+
+//#endregion
+//#region ../../src/server/auth/primitives/$authGithub.ts
+/**
+* Already configured GitHub authentication primitive.
+*
+* Uses OAuth2 to authenticate users via their GitHub accounts.
+* Upon successful authentication, it links the GitHub account to a user session.
+*
+* Environment Variables:
+* - `GITHUB_CLIENT_ID`: The client ID obtained from the GitHub Developer Settings.
+* - `GITHUB_CLIENT_SECRET`: The client secret obtained from the GitHub Developer Settings.
+*/
+const $authGithub = (realm, options = {}) => {
+	const { alepha } = $context();
+	const env = alepha.parseEnv(t.object({
+		GITHUB_CLIENT_ID: t.optional(t.text()),
+		GITHUB_CLIENT_SECRET: t.optional(t.text())
+	}));
+	const disabled = !env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET;
+	const name = "github";
+	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
+	if (!account) throw new AlephaError("Authentication requires a link function in the realm primitive.");
+	return $auth({
+		realm,
+		name,
+		oauth: {
+			clientId: env.GITHUB_CLIENT_ID,
+			clientSecret: env.GITHUB_CLIENT_SECRET,
+			authorization: "https://github.com/login/oauth/authorize",
+			token: "https://github.com/login/oauth/access_token",
+			scope: "read:user user:email",
+			userinfo: async (tokens) => {
+				const BASE_URL = "https://api.github.com";
+				const res = await fetch(`${BASE_URL}/user`, { headers: {
+					Authorization: `Bearer ${tokens.access_token}`,
+					"User-Agent": "Alepha"
+				} }).then((res$1) => res$1.json());
+				const user = { sub: res.id.toString() };
+				if (res.email) user.email = res.email;
+				if (res.name) user.name = res.name.trim();
+				if (res.avatar_url) user.picture = res.avatar_url;
+				if (!user.email) {
+					const res$1 = await fetch(`${BASE_URL}/user/emails`, { headers: {
+						Authorization: `Bearer ${tokens.access_token}`,
+						"User-Agent": "Alepha"
+					} });
+					if (res$1.ok) {
+						const emails = await res$1.json();
+						user.email = (emails.find((e) => e.primary) ?? emails[0]).email;
+					}
+				}
+				return user;
+			},
+			...options,
+			account
+		},
+		disabled
+	});
+};
+
+//#endregion
+//#region ../../src/server/auth/primitives/$authGoogle.ts
+/**
+* Already configured Google authentication primitive.
+*
+* Uses OpenID Connect (OIDC) to authenticate users via their Google accounts.
+* Upon successful authentication, it links the Google account to a user session.
+*
+* Environment Variables:
+* - `GOOGLE_CLIENT_ID`: The client ID obtained from the Google Developer Console.
+* - `GOOGLE_CLIENT_SECRET`: The client secret obtained from the Google Developer Console.
+*/
+const $authGoogle = (realm, options = {}) => {
+	const { alepha } = $context();
+	const env = alepha.parseEnv(t.object({
+		GOOGLE_CLIENT_ID: t.optional(t.text()),
+		GOOGLE_CLIENT_SECRET: t.optional(t.text())
+	}));
+	const disabled = !env.GOOGLE_CLIENT_ID || !env.GOOGLE_CLIENT_SECRET;
+	const name = "google";
+	const account = options.account ?? (realm.link ? realm.link(name) : void 0);
+	if (!account) throw new AlephaError("Authentication requires a link function in the realm primitive.");
+	return $auth({
+		realm,
+		name,
+		oidc: {
+			issuer: "https://accounts.google.com",
+			clientId: env.GOOGLE_CLIENT_ID,
+			clientSecret: env.GOOGLE_CLIENT_SECRET,
+			...options,
+			account
+		},
+		disabled
+	});
+};
+
+//#endregion
+//#region ../../src/server/auth/index.ts
+/**
+* Allow authentication services for server applications.
+* It provides login and logout functionalities.
+*
+* There are multiple authentication providers available (e.g., Google, GitHub).
+* You can also delegate authentication to your own OIDC/OAuth2, for example using Keycloak or Auth0.
+*
+* It's cookie-based and SSR friendly.
+*
+* @see {@link $auth}
+* @see {@link ServerAuthProvider}
+* @module alepha.server.auth
+*/
+const AlephaServerAuth = $module({
+	name: "alepha.server.auth",
+	primitives: [$auth],
+	services: [AlephaServerCookies, ServerAuthProvider]
+});
+
+//#endregion
+export { $auth, $authCredentials, $authGithub, $authGoogle, AlephaServerAuth, AuthPrimitive, ServerAuthProvider, alephaServerAuthRoutes, authenticationProviderSchema, tokenResponseSchema, tokensSchema, userinfoResponseSchema };
+//# sourceMappingURL=index.js.map