alepha 0.14.2 → 0.14.4

package/dist/security/index.d.ts

@@ -345,7 +345,7 @@ declare class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions>
   /**
    * Check if the user has the permission.
    */
-  can(user: UserAccount): boolean;
+  can(user?: UserAccount): boolean;
 }
 //#endregion
 //#region ../../src/security/primitives/$realm.d.ts

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;cAGa,+BAAqB;MAiDhC,OAAA,CAAA;;;;;;;EAjDW,KAAA,mBAiDX,eAAA,iBAAA,CAAA;CAAA,CAAA;KAEU,WAAA,GAAc,cAAc;;;;;;;;;cC9C3B,uBAAA,SAAgC,iBAAA;;EDLhC,WAAA,CAAA;;;;cEHA,sBAAA,SAA+B,KAAA;;;;;cCA/B,aAAA,SAAsB,KAAA;;;;;;;;;;UCMlB,gBAAA,SAAyB;;;;EJH7B,KAAA,CAAA,EAAA,MAAA;EAiDX;;;;;;;;;;;;cKjDW,0BAAgB;QA8B3B,OAAA,CAAA;;;;;;KAEU,UAAA,GAAa,cAAc;;;cChC1B,oBAAU;QAqCrB,OAAA,CAAA;;;;;;;ENrCW,CAAA,CAAA,CAAA;CAiDX,CAAA;KMVU,IAAA,GAAO,cAAc;;;;;;cCjBpB,WAAA;0BAAW,cAAA,CACA;+BACO;EPxBlB,mBAAA,gBAiDX,EOxBmC,gBPwBnC;EAAA,mBAAA,OAAA,EOvB0B,WPuB1B;;;;;;;uDOf4D;;;;;;;;mDAwChD,mBACT,QAAQ;;;;APxBb;;;;AC9CA;;kBM+Ha,oDAEK,iBACb;;AL1IL;;;;ACAA;;;KIwKY,SAAA,sBACQ,6BACV,sBACL,QAAQ,YAAY;AHrKR,UGuKA,eAAA,CHvKiB;;aGyKrB;;AF5Kb;AA8BE,UEkJe,cAAA,CFlJf;WEmJS,QAAQ;;UAGF,kBAAA,SAA2B;;;;;;cFpLf,CAAA,EAAA;IAAA,KAAA,EAAA,MAAA,EAAA;EAgCjB,CAAA;;UE+JK,cAAA;;ED/LJ,MAAA,ECiMH,eD5JR,CC4JwB,kBD5JxB,CAAA;;;;cEjBW,kBAAA;ARpBb,cQsBM,SRtBO,EQ0BX,OAAA,CAJa,OR2Bb,CAAA;EAAA,UAAA,EQvBA,OAAA,CAAA,ORuBA;;;wBQpBsB,QAAQ,cAAc;;cAGjC,gBAAA;;wCAEyB;iDACS;0BAAA,cAAA,CAGvB;0BACA;;;;6BAEG;;;;ARU3B;kCQDkC;;;AP7ClC;6BOkD6B;mBAAK,OAAA,CAmBjB;;AN7EjB;;;;ACAA;mBKsG0B,4BAA4B;;;AJhGtD;;;wBIgK+B,sBAAsB;EHnKxC,WAAA,CAAA,KAAA,EGkOe,KHpM1B,CAAA,EAAA,IAAA;EAAA;;;;;;;;oCGqN+C,SAAS;;;AHnN1D;;;;AChCA;;iCE2Qa,iCAER;;;;;;;;;2CA4CwB,uCAExB;;;;EF3TkB,mBAAA,CAAA,aAAA,CAAA,EAAA,MAAA,EAAA,QAAA,EAAA;IAuCX,UAAI,CAAA,EE+WG,UF/Wc,GAAd,MAAA;;aEiXJ;MAEV,QAAQ;EDpYA;;;;;;;EAqDA,GAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GC0YuC,UD1YvC,CAAA,EAAA,OAAA;EAAR;;;EA4DA,SAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GCuVoB,UDvVpB,CAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;EAAO;AA8BZ;;;;EAGyB,kBAAA,CAAA,UAAA,ECgUe,UDhUf,GAAA,MAAA,CAAA,EAAA,MAAA;EAApB,SAAA,CAAA,CAAA,ECmViB,KDnVjB,EAAA;EAAO;AAEZ;AAMA;AAIA;AAWA;4BCqUmC;;;AAhfnC;AAAqE;AAEtD;;;EAO+B,cAAA,CAAA,IAAf,CAAe,EAAA;IAAd,KAAA,CAAA,EAufpB,KAvfoB,CAufd,IAvfc,GAAA,MAAA,CAAA;IAAR,KAAA,CAAA,EAAA,MAAA;EAAO,CAAA,CAAA,EAyfzB,UAzfyB,EAAA;EAAA;;AAG/B;;;;EAOwB,gBAAA,CAAA,OAAA,EA8kBW,MA9kBX,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEG,uBAAA,CAAA,OAAA,EA6lBd,MA7lBc,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EASO;;;;;EAiHH,mBAAA,CAAA,OAAA,EAkfO,MAlfP,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAAsB,qBAAA,CAAA,OAAA,EAufxC,MAvfwC,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EA+DzB,sBAAA,CAAA,OAAA,EA8cf,MA9ce,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAiBqB,mBAAA,CAAA,OAAA,EA8cX,MA9cW,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAAS;;;;;;EAqK3C,kBAAA,CAAA,OAAA,EA2TsB,MA3TtB,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEF,2BAAA,CAAA,OAAA,EA6UA,MA7UA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;;;;;AAiGS,UAkQL,KAAA,CAlQK;EASa,IAAA,EAAA,MAAA;EAgBjB,KAAA,EA4OT,IA5OS,EAAA;EAAN;;;;;EAsIC,MAAA,CAAA,EAAA,MAAA,GA6GO,aA7GP,GAAA,CAAA,GAAA,GAAA,MAAA,CAAA;EAsBA;;;;EAuDM,OAAA,CAAA,EAAA,CAAA,GAAA,EAsCD,MAtCC,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAsCuB,WAtCvB;AAsBnB;AAGS,UAgBQ,mBAAA,CAhBR;EAOW,YAAA,EAAA,OAAA;EAMF,SAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;;;;;;;cCzwBL;aACF,6BACR;;ATNH,CAAA;AAiDE,USrCe,0BAAA,CTqCf;;;;;;;;;;;;;;cSlBW,mBAAA,SAA4B,UAAU;uCACd;;WThCH,CAAA,CAAA,EAAA,MAAA;EAAA,QAAA,CAAA,CAAA,EAAA,MAAA;EAmDtB,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;;;;EC9CV,GAAA,CAAA,IAAA,EQoDM,WRpDN,CAAA,EAAA,OAAwB;;;;;;ADLrC;AAiDE,cUnCW,MVmCX,EAAA;YUnC8B,wBAAwB;;;KAM5C,qBAAA;;;;;;;;;;;;;OVpBsB,CAAA,EUmCxB,KVnCwB,CAAA,MAAA,GUmCT,IVnCS,CAAA;EAAA;AAmDlC;;aUXa;;ATnCb;;yBSwCyB,wBAAwB;KAC5C,gBAAgB;ARjDR,UQmDI,aAAA,CRnDmB;;;;ACApC;;iBOyDiB;;ENnDA,YAAA,CAAA,EAAA;;;;ACHjB;IA8BE,UAAA,CAAA,EKgCe,YLhCf;;2BKsCQ;;QAIH;;;;+CAKwC;QL7ElB,EK8EnB,WL9EmB;IAAA,SAAA,EAAA,MAAA;IAgCjB,SAAU,CAAA,EAAA,MAAA;;8CKmDwB;;AJnFjC,KIsFD,aAAA,GJjDV;EAAA;;;;;UIwDe,aAAA;;;;yBAIQ;;cAKZ,cAAA,SAAuB,UAAU;uCACT;qBJvGd,gBAAA,EIwGc,gBJxGd;EAAA,mBAAA,GAAA,EIyGC,WJzGD;EAuCX,mBAAqB,GAAA,EIkET,cAAA,CACA,MJnEC;;+BIyEa;gCAMC;EHhG1B,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;EAAA;;;EAII,QAAA,CAAA,CAAA,EG2HP,IH3HO,EAAA;EAQkC;;;EAyCzD,QAAA,CAAA,KAAA,EGiF0B,IHjF1B,EAAA,CAAA,EGiFmC,OHjFnC,CAAA,IAAA,CAAA;EAyDQ;;;EAGD,aAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EG4B0B,IH5B1B;EA8BA,UAAA,CAAA,KAAS,EAAA,MAAA,CAAA,EGMqB,OHNrB,CGM6B,UHN7B,CAAA;EACD;;;EAEK,WAAA,CAAA,IAAA,EGYf,WHZe,EAAA,YAQR,CARQ,EAAA;IAApB,GAAA,CAAA,EAAA,MAAA;IAAO,aAAA,CAAA,EAAA,MAAA;IAEK,wBAAe,CAAA,EAEnB,MAAA;EAII,CAAA,CAAA,EGUZ,OHVY,CGUJ,mBHTM,CAAA;EAGF,YAAA,CAAA,YAAmB,EAAA,MAAQ,EAAA,WAAU,CAAA,EAAA,MAAA,CAAA,EG6FjD,OH7FiD,CAAA;IAWrC,MAAA,EGmFL,mBHjFc;UGkFhB;;;AF/PG,UE+TI,kBAAA,CF/Tc;EAEzB,GAAA,EAAA,MAAA;EAAS,KAAA,CAAA,EAAA,MAAA,EAAA;EAAA,KAAA,CAAA,EAAA,MAAA;;AAO+B,UE4T7B,mBAAA,CF5T6B;EAAd,YAAA,EAAA,MAAA;EAAR,UAAA,EAAA,MAAA;EAAO,UAAA,CAAA,EAAA,MAAA;EAAA,SAAA,EAAA,MAAA;EAAA,aAAA,CAAA,EAAA,MAAA;EAGlB,wBAAgB,CAAA,EAAA,MAAA;EAES,KAAA,CAAA,EAAA,MAAA;;;;;;;cG7BzB;aAAkB,uBAA4B;EXL9C,MAAA,EAAA,oBAiDX;CAAA;UWtCe,oBAAA;;;;;;;;;mBAWE;gBAEH;;;;;;cAUH,aAAA,SAAsB,SXlCD,CWkCW,oBXlCX,CAAA,CAAA;EAAA,mBAAA,gBAAA,EWmCG,gBXnCH;EAmDtB,IAAA,IAAA,CAAA,CAAA,EAAA,MAAW;;;;AC9CvB;wBUwD+B;2BAIG;6BAIE,sBAAmB;ATxEvD;;;;;;;;;;AFGA;;;;;;;;;;;;;;;;;;;;AAmDA;cYrBa,2BACF,mCACR;KAqHS,8BAAA;;AXhJZ,CAAA,GAAa,CAAA;UWoJC;;SAGD;EV/JA,IAAA,EUgKD,WVhKC;;UUoKI,oCAAA;;ATpKjB;;;;ACMA;;;;ACHA;;;;UOkLiB,uBAAA;eACF;;UAGE,mBAAA;aACJ;;;;cCrLA,cAAA;kCACkC;oDAS1C;;;;;;;;;YCaO;;;;;;;;;;Ad0BZ;;;;AC9CA;;caqCa,gBAAc,OAAA,CAAA,QAIzB,OAAA,CAJyB,MAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/index.ts"],"sourcesContent":[],"mappings":";;;;;;;;;cAGa,+BAAqB;MAiDhC,OAAA,CAAA;;;;;;;EAjDW,KAAA,mBAiDX,eAAA,iBAAA,CAAA;CAAA,CAAA;KAEU,WAAA,GAAc,cAAc;;;;;;;;;cC9C3B,uBAAA,SAAgC,iBAAA;;EDLhC,WAAA,CAAA;;;;cEHA,sBAAA,SAA+B,KAAA;;;;;cCA/B,aAAA,SAAsB,KAAA;;;;;;;;;;UCMlB,gBAAA,SAAyB;;;;EJH7B,KAAA,CAAA,EAAA,MAAA;EAiDX;;;;;;;;;;;;cKjDW,0BAAgB;QA8B3B,OAAA,CAAA;;;;;;KAEU,UAAA,GAAa,cAAc;;;cChC1B,oBAAU;QAqCrB,OAAA,CAAA;;;;;;;ENrCW,CAAA,CAAA,CAAA;CAiDX,CAAA;KMVU,IAAA,GAAO,cAAc;;;;;;cCjBpB,WAAA;0BAAW,cAAA,CACA;+BACO;EPxBlB,mBAAA,gBAiDX,EOxBmC,gBPwBnC;EAAA,mBAAA,OAAA,EOvB0B,WPuB1B;;;;;;;uDOf4D;;;;;;;;mDAwChD,mBACT,QAAQ;;;;APxBb;;;;AC9CA;;kBM+Ha,oDAEK,iBACb;;AL1IL;;;;ACAA;;;KIwKY,SAAA,sBACQ,6BACV,sBACL,QAAQ,YAAY;AHrKR,UGuKA,eAAA,CHvKiB;;aGyKrB;;AF5Kb;AA8BE,UEkJe,cAAA,CFlJf;WEmJS,QAAQ;;UAGF,kBAAA,SAA2B;;;;;;cFpLf,CAAA,EAAA;IAAA,KAAA,EAAA,MAAA,EAAA;EAgCjB,CAAA;;UE+JK,cAAA;;ED/LJ,MAAA,ECiMH,eD5JR,CC4JwB,kBD5JxB,CAAA;;;;cEjBW,kBAAA;ARpBb,cQsBM,SRtBO,EQ0BX,OAAA,CAJa,OR2Bb,CAAA;EAAA,UAAA,EQvBA,OAAA,CAAA,ORuBA;;;wBQpBsB,QAAQ,cAAc;;cAGjC,gBAAA;;wCAEyB;iDACS;0BAAA,cAAA,CAGvB;0BACA;;;;6BAEG;;;;ARU3B;kCQDkC;;;AP7ClC;6BOkD6B;mBAAK,OAAA,CAmBjB;;AN7EjB;;;;ACAA;mBKsG0B,4BAA4B;;;AJhGtD;;;wBIgK+B,sBAAsB;EHnKxC,WAAA,CAAA,KAAA,EGkOe,KHpM1B,CAAA,EAAA,IAAA;EAAA;;;;;;;;oCGqN+C,SAAS;;;AHnN1D;;;;AChCA;;iCE2Qa,iCAER;;;;;;;;;2CA4CwB,uCAExB;;;;EF3TkB,mBAAA,CAAA,aAAA,CAAA,EAAA,MAAA,EAAA,QAAA,EAAA;IAuCX,UAAI,CAAA,EE+WG,UF/Wc,GAAA,MAAd;;aEiXJ;MAEV,QAAQ;EDpYA;;;;;;;EAqDA,GAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GC0YuC,UD1YvC,CAAA,EAAA,OAAA;EAAR;;;EA4DA,SAAA,CAAA,QAAA,EAAA,MAAA,EAAA,UAAA,EAAA,MAAA,GCuVoB,UDvVpB,CAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;EAAO;AA8BZ;;;;EAGyB,kBAAA,CAAA,UAAA,ECgUe,UDhUf,GAAA,MAAA,CAAA,EAAA,MAAA;EAApB,SAAA,CAAA,CAAA,ECmViB,KDnVjB,EAAA;EAAO;AAEZ;AAMA;AAIA;AAWA;4BCqUmC;;;AAhfnC;AAAqE;AAEtD;;;EAO+B,cAAA,CAAA,IAAf,CAAe,EAAA;IAAd,KAAA,CAAA,EAufpB,KAvfoB,CAufd,IAvfc,GAAA,MAAA,CAAA;IAAR,KAAA,CAAA,EAAA,MAAA;EAAO,CAAA,CAAA,EAyfzB,UAzfyB,EAAA;EAAA;;AAG/B;;;;EAOwB,gBAAA,CAAA,OAAA,EA8kBW,MA9kBX,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEG,uBAAA,CAAA,OAAA,EA6lBd,MA7lBc,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EASO;;;;;EAiHH,mBAAA,CAAA,OAAA,EAkfO,MAlfP,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA;EAAsB,qBAAA,CAAA,OAAA,EAufxC,MAvfwC,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EA+DzB,sBAAA,CAAA,OAAA,EA8cf,MA9ce,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAiBqB,mBAAA,CAAA,OAAA,EA8cX,MA9cW,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,GAAA,SAAA;EAAS;;;;;;EAqK3C,kBAAA,CAAA,OAAA,EA2TsB,MA3TtB,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA;EAEF,2BAAA,CAAA,OAAA,EA6UA,MA7UA,CAAA,MAAA,EAAA,GAAA,CAAA,CAAA,EAAA,MAAA,EAAA,GAAA,SAAA;;;;;AAiGS,UAkQL,KAAA,CAlQK;EASa,IAAA,EAAA,MAAA;EAgBjB,KAAA,EA4OT,IA5OS,EAAA;EAAN;;;;;EAsIC,MAAA,CAAA,EAAA,MAAA,GA6GO,aA7GP,GAAA,CAAA,GAAA,GAAA,MAAA,CAAA;EAsBA;;;;EAuDM,OAAA,CAAA,EAAA,CAAA,GAAA,EAsCD,MAtCC,CAAA,MAAA,EAAA,GAAA,CAAA,EAAA,GAsCuB,WAtCvB;AAsBnB;AAGS,UAgBQ,mBAAA,CAhBR;EAOW,YAAA,EAAA,OAAA;EAMF,SAAA,EAAA,MAAA,GAAA,OAAA,GAAA,SAAA;;;;;;;cCzwBL;aACF,6BACR;;ATNH,CAAA;AAiDE,USrCe,0BAAA,CTqCf;;;;;;;;;;;;;;cSlBW,mBAAA,SAA4B,UAAU;uCACd;;WThCH,CAAA,CAAA,EAAA,MAAA;EAAA,QAAA,CAAA,CAAA,EAAA,MAAA;EAmDtB,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;;;;EC9CV,GAAA,CAAA,IAAA,CAAA,EQoDO,WRpDP,CAAA,EAAA,OAAwB;;;;;;ADLrC;AAiDE,cUnCW,MVmCX,EAAA;YUnC8B,wBAAwB;;;KAM5C,qBAAA;;;;;;;;;;;;;OVpBsB,CAAA,EUmCxB,KVnCwB,CAAA,MAAA,GUmCT,IVnCS,CAAA;EAAA;AAmDlC;;aUXa;;ATnCb;;yBSwCyB,wBAAwB;KAC5C,gBAAgB;ARjDR,UQmDI,aAAA,CRnDmB;;;;ACApC;;iBOyDiB;;ENnDA,YAAA,CAAA,EAAA;;;;ACHjB;IA8BE,UAAA,CAAA,EKgCe,YLhCf;;2BKsCQ;;QAIH;;;;+CAKwC;QL7ElB,EK8EnB,WL9EmB;IAAA,SAAA,EAAA,MAAA;IAgCjB,SAAU,CAAA,EAAA,MAAA;;8CKmDwB;;AJnFjC,KIsFD,aAAA,GJjDV;EAAA;;;;;UIwDe,aAAA;;;;yBAIQ;;cAKZ,cAAA,SAAuB,UAAU;uCACT;qBJvGd,gBAAA,EIwGc,gBJxGd;EAAA,mBAAA,GAAA,EIyGC,WJzGD;EAuCX,mBAAqB,GAAA,EIkET,cAAA,CACA,MJnEC;;+BIyEa;gCAMC;EHhG1B,UAAA,MAAW,CAAA,CAAA,EAAA,IAAA;EAAA;;;EAII,QAAA,CAAA,CAAA,EG2HP,IH3HO,EAAA;EAQkC;;;EAyCzD,QAAA,CAAA,KAAA,EGiF0B,IHjF1B,EAAA,CAAA,EGiFmC,OHjFnC,CAAA,IAAA,CAAA;EAyDQ;;;EAGD,aAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EG4B0B,IH5B1B;EA8BA,UAAA,CAAA,KAAS,EAAA,MAAA,CAAA,EGMqB,OHNrB,CGM6B,UHN7B,CAAA;EACD;;;EAEK,WAAA,CAAA,IAAA,EGYf,WHZe,EAAA,YAQR,CARQ,EAAA;IAApB,GAAA,CAAA,EAAA,MAAA;IAAO,aAAA,CAAA,EAAA,MAAA;IAEK,wBAAe,CAAA,EAEnB,MAAA;EAII,CAAA,CAAA,EGUZ,OHVY,CGUJ,mBHTM,CAAA;EAGF,YAAA,CAAA,YAAmB,EAAA,MAAQ,EAAA,WAAU,CAAA,EAAA,MAAA,CAAA,EG6FjD,OH7FiD,CAAA;IAWrC,MAAA,EGmFL,mBHjFc;UGkFhB;;;AF/PG,UE+TI,kBAAA,CF/Tc;EAEzB,GAAA,EAAA,MAAA;EAAS,KAAA,CAAA,EAAA,MAAA,EAAA;EAAA,KAAA,CAAA,EAAA,MAAA;;AAO+B,UE4T7B,mBAAA,CF5T6B;EAAd,YAAA,EAAA,MAAA;EAAR,UAAA,EAAA,MAAA;EAAO,UAAA,CAAA,EAAA,MAAA;EAAA,SAAA,EAAA,MAAA;EAAA,aAAA,CAAA,EAAA,MAAA;EAGlB,wBAAgB,CAAA,EAAA,MAAA;EAES,KAAA,CAAA,EAAA,MAAA;;;;;;;cG7BzB;aAAkB,uBAA4B;EXL9C,MAAA,EAAA,oBAiDX;CAAA;UWtCe,oBAAA;;;;;;;;;mBAWE;gBAEH;;;;;;cAUH,aAAA,SAAsB,SXlCD,CWkCW,oBXlCX,CAAA,CAAA;EAAA,mBAAA,gBAAA,EWmCG,gBXnCH;EAmDtB,IAAA,IAAA,CAAA,CAAA,EAAA,MAAW;;;;AC9CvB;wBUwD+B;2BAIG;6BAIE,sBAAmB;ATxEvD;;;;;;;;;;AFGA;;;;;;;;;;;;;;;;;;;;AAmDA;cYrBa,2BACF,mCACR;KAqHS,8BAAA;;AXhJZ,CAAA,GAAa,CAAA;UWoJC;;SAGD;EV/JA,IAAA,EUgKD,WVhKC;;UUoKI,oCAAA;;ATpKjB;;;;ACMA;;;;ACHA;;;;UOkLiB,uBAAA;eACF;;UAGE,mBAAA;aACJ;;;;cCrLA,cAAA;kCACkC;oDAS1C;;;;;;;;;YCaO;;;;;;;;;;Ad0BZ;;;;AC9CA;;caqCa,gBAAc,OAAA,CAAA,QAIzB,OAAA,CAJyB,MAAA"}

package/dist/security/index.js

@@ -559,7 +559,7 @@ var PermissionPrimitive = class extends Primitive {
 	* Check if the user has the permission.
 	*/
 	can(user) {
-		if (!user.roles) return false;
+		if (!user?.roles) return false;
 		return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
 	}
 };

package/dist/security/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["role","it","role","refreshToken","user","expiresIn"],"sources":["../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/errors/SecurityError.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/index.ts"],"sourcesContent":["export class InvalidPermissionError extends Error {\n  constructor(name: string) {\n    super(`Permission '${name}' is invalid`);\n  }\n}\n","export class InvalidTokenError extends Error {\n  public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n  constructor(realm: string) {\n    super(`Realm '${realm}' not found`);\n  }\n}\n","export class SecurityError extends Error {\n  public name = \"SecurityError\";\n  public readonly status = 403;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  type CryptoKey,\n  createLocalJWKSet,\n  createRemoteJWKSet,\n  type FlattenedJWSInput,\n  type JSONWebKeySet,\n  type JWSHeaderParameters,\n  type JWTHeaderParameters,\n  type JWTPayload,\n  type JWTVerifyResult,\n  jwtVerify,\n  type KeyObject,\n  SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n  protected readonly log = $logger();\n  protected readonly keystore: KeyLoaderHolder[] = [];\n  protected readonly dateTimeProvider = $inject(DateTimeProvider);\n  protected readonly encoder = new TextEncoder();\n\n  /**\n   * Adds a key loader to the embedded keystore.\n   *\n   * @param name\n   * @param secretKeyOrJwks\n   */\n  public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n    if (typeof secretKeyOrJwks === \"object\") {\n      this.log.info(\n        `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n      );\n      this.keystore.push({\n        name,\n        keyLoader: createLocalJWKSet(secretKeyOrJwks),\n      });\n    } else if (this.isSecretKey(secretKeyOrJwks)) {\n      const secretKey = this.encoder.encode(secretKeyOrJwks);\n      this.log.info(\n        `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n      );\n      this.keystore.push({\n        name,\n        secretKey: secretKeyOrJwks,\n        keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n      });\n    } else {\n      this.log.info(\n        `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n      );\n      this.keystore.push({\n        name,\n        keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n      });\n    }\n  }\n\n  /**\n   * Retrieves the payload from a JSON Web Token (JWT).\n   *\n   * @param token - The JWT to extract the payload from.\n   *\n   * @return A Promise that resolves with the payload object from the token.\n   */\n  public async parse(\n    token: string,\n    keyName?: string,\n    options?: JWTVerifyOptions,\n  ): Promise<JwtParseResult> {\n    for (const it of this.keystore) {\n      if (keyName && it.name !== keyName) {\n        continue;\n      }\n\n      this.log.trace(`Trying to verify token`, {\n        keyName: it.name,\n        options,\n      });\n\n      try {\n        const verified = {\n          keyName: it.name,\n          result: await jwtVerify(token, it.keyLoader, {\n            currentDate: this.dateTimeProvider.now().toDate(),\n            ...options,\n          }),\n        };\n\n        this.log.trace(\"Token verified successfully\", {\n          keyName: verified.keyName,\n        });\n\n        return verified;\n      } catch (error) {\n        this.log.trace(\"Token verification has failed\", error);\n\n        if (error instanceof JWTExpired) {\n          throw new SecurityError(\"Token expired\", { cause: error });\n        }\n\n        if (error instanceof JWTClaimValidationFailed) {\n          throw new SecurityError(\"Token claim validation failed\", {\n            cause: error,\n          });\n        }\n      }\n    }\n\n    this.log.warn(\n      `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n    );\n\n    throw new SecurityError(\"Invalid token\");\n  }\n\n  /**\n   * Creates a JWT token with the provided payload and secret key.\n   *\n   * @param payload - The payload to be encoded in the token.\n   * \tIt should include the `realm_access` property which contains an array of roles.\n   * @param keyName - The name of the key to use when signing the token.\n   *\n   * @returns The signed JWT token.\n   */\n  public async create(\n    payload: ExtendedJWTPayload,\n    keyName?: string,\n    signOptions?: JwtSignOptions,\n  ): Promise<string> {\n    const secretKey = keyName\n      ? this.keystore.find((it) => it.name === keyName)?.secretKey\n      : this.keystore[0]?.secretKey;\n\n    if (!secretKey) {\n      throw new AlephaError(\"No secret key found in the keystore\");\n    }\n\n    const signJwt = new SignJWT(payload);\n\n    signJwt.setProtectedHeader({\n      alg: \"HS256\",\n      ...signOptions?.header,\n    });\n\n    return await signJwt.sign(this.encoder.encode(secretKey));\n  }\n\n  /**\n   * Determines if the provided key is a secret key.\n   *\n   * @param key\n   * @protected\n   */\n  protected isSecretKey(key: string): boolean {\n    return !key.startsWith(\"http\");\n  }\n}\n\nexport type KeyLoader = (\n  protectedHeader?: JWSHeaderParameters,\n  token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n  name: string;\n  keyLoader: KeyLoader;\n  secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n  header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n  sid?: string;\n  //\n  name?: string;\n  roles?: string[];\n  email?: string;\n  organizations?: string[];\n  // keycloak specific\n  realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n  keyName: string;\n  result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","import {\n  $env,\n  $hook,\n  $inject,\n  Alepha,\n  AppNotStartedError,\n  ContainerLockedError,\n  type Static,\n  t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n  APP_SECRET: t.text({\n    default: DEFAULT_APP_SECRET,\n  }),\n});\n\ndeclare module \"alepha\" {\n  interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n  protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n  protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n  protected readonly PERMISSION_REGEXP_WILDCARD =\n    /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n  protected readonly log = $logger();\n  protected readonly jwt = $inject(JwtProvider);\n  protected readonly env = $env(envSchema);\n  protected readonly alepha = $inject(Alepha);\n\n  public get secretKey() {\n    return this.env.APP_SECRET;\n  }\n\n  /**\n   * The permissions configured for the security provider.\n   */\n  protected readonly permissions: Permission[] = [];\n\n  /**\n   * The realms configured for the security provider.\n   */\n  protected readonly realms: Realm[] = this.alepha.isTest()\n    ? [\n        {\n          name: \"default\",\n          secret: this.env.APP_SECRET,\n          roles: [\n            {\n              name: \"admin\",\n              permissions: [\n                {\n                  name: \"*\",\n                },\n              ],\n            },\n          ],\n        },\n      ]\n    : [];\n\n  protected start = $hook({\n    on: \"start\",\n    handler: async () => {\n      if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n        this.log.warn(\n          \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n        );\n      }\n\n      for (const realm of this.realms) {\n        if (realm.secret) {\n          const secret =\n            typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n          this.jwt.setKeyLoader(realm.name, secret);\n        }\n      }\n    },\n  });\n\n  /**\n   * Adds a role to one or more realms.\n   *\n   * @param role\n   * @param realms\n   */\n  public createRole(role: Role, ...realms: string[]): Role {\n    const list = realms.length\n      ? realms.map((it) => {\n          const item = this.realms.find((realm) => realm.name === it);\n          if (!item) {\n            throw new RealmNotFoundError(it);\n          }\n          return item;\n        })\n      : this.realms;\n\n    for (const realm of list) {\n      for (const { name } of role.permissions) {\n        if (this.alepha.isStarted()) {\n          // Check if permission exists or matches a wildcard pattern\n          if (name === \"*\") {\n            // Global wildcard is always allowed\n            continue;\n          }\n\n          // Check for exact match first\n          const existingExact = this.permissions.find(\n            (it) => this.permissionToString(it) === name,\n          );\n          if (existingExact) {\n            continue;\n          }\n\n          // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n          if (name.endsWith(\":*\")) {\n            const groupPrefix = name.slice(0, -2); // Remove \":*\"\n            // Check if any permission exists with this group prefix\n            const existingWithPrefix = this.permissions.find((it) => {\n              if (!it.group) return false;\n              return (\n                it.group === groupPrefix ||\n                it.group.startsWith(`${groupPrefix}:`)\n              );\n            });\n            if (existingWithPrefix) {\n              continue;\n            }\n          }\n\n          // Permission not found\n          throw new SecurityError(`Permission '${name}' not found`);\n        } else {\n          if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n            throw new InvalidPermissionError(name);\n          }\n        }\n      }\n\n      realm.roles.push(role);\n    }\n\n    return role;\n  }\n\n  /**\n   * Adds a permission to the security provider.\n   *\n   * @param raw - The permission to add.\n   */\n  public createPermission(raw: Permission | string): Permission {\n    if (this.alepha.isStarted()) {\n      throw new ContainerLockedError();\n    }\n\n    let permission: Permission;\n    if (typeof raw === \"string\") {\n      if (!this.PERMISSION_REGEXP.test(raw)) {\n        throw new InvalidPermissionError(raw);\n      }\n\n      const parts = raw.split(\":\");\n      if (parts.length === 1) {\n        // No group, just name (e.g., \"read\")\n        permission = { name: parts[0] };\n      } else {\n        // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n        // The last part is the name, everything else is the group\n        const name = parts[parts.length - 1];\n        const groupParts = parts.slice(0, -1);\n\n        if (groupParts.length === 1) {\n          permission = {\n            group: groupParts[0],\n            name,\n          };\n        } else {\n          // Multi-layer group\n          permission = {\n            group: groupParts.join(\":\"),\n            name,\n          };\n        }\n      }\n    } else {\n      permission = raw;\n    }\n\n    const asString = this.permissionToString(permission);\n    if (!this.PERMISSION_REGEXP.test(asString)) {\n      throw new InvalidPermissionError(asString);\n    }\n\n    const existing = this.permissions.find(\n      (it) => this.permissionToString(it) === asString,\n    );\n\n    if (existing) {\n      this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n        current: existing,\n        new: permission,\n      });\n\n      return existing;\n    }\n\n    this.log.trace(`Creating permission '${asString}'`);\n\n    this.permissions.push(permission);\n\n    return permission;\n  }\n\n  public createRealm(realm: Realm) {\n    if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n      // if the default realm is the only one, we remove it to allow creating new realms\n      this.realms.pop();\n    }\n\n    this.realms.push(realm);\n  }\n\n  /**\n   * Updates the roles for a realm then synchronizes the user account provider if available.\n   *\n   * Only available when the app is started.\n   *\n   * @param realm - The realm to update the roles for.\n   * @param roles - The roles to update.\n   */\n  public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n    if (!this.alepha.isStarted()) {\n      throw new AppNotStartedError();\n    }\n\n    const realmInstance = this.realms.find((it) => it.name === realm);\n    if (!realmInstance) {\n      throw new RealmNotFoundError(realm);\n    }\n\n    realmInstance.roles = roles;\n  }\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  /**\n   * Creates a user account from the provided payload.\n   *\n   * @param payload - The payload to create the user account from.\n   * @param [realmName] - The realm containing the roles. Default is all.\n   *\n   * @returns The user info created from the payload.\n   */\n  public createUserFromPayload(\n    payload: JWTPayload,\n    realmName?: string,\n  ): UserAccount {\n    const id = this.getIdFromPayload(payload);\n    const sessionId = this.getSessionIdFromPayload(payload);\n    const rolesFromPayload = this.getRolesFromPayload(payload);\n    const email = this.getEmailFromPayload(payload);\n    const username = this.getUsernameFromPayload(payload);\n    const picture = this.getPictureFromPayload(payload);\n    const name = this.getNameFromPayload(payload);\n    const organizations = this.getOrganizationsFromPayload(payload);\n    const rolesFromSystem = this.getRoles(realmName);\n    const roles = rolesFromPayload\n      .reduce<Role[]>(\n        (arr, roleName) =>\n          arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n        [],\n      )\n      .map((it) => it.name);\n\n    const realm = this.realms.find((it) => it.name === realmName);\n    if (realm?.profile) {\n      return realm.profile(payload);\n    }\n\n    return {\n      id,\n      roles,\n      name,\n      email,\n      username,\n      picture,\n      organizations,\n      sessionId,\n    };\n  }\n\n  /**\n   * Checks if the user has the specified permission.\n   *\n   * Bonus: we check also if the user has \"ownership\" flag.\n   *\n   * @param permissionLike - The permission to check for.\n   * @param roleEntries - The roles to check for the permission.\n   */\n  public checkPermission(\n    permissionLike: string | Permission,\n    ...roleEntries: string[]\n  ): SecurityCheckResult {\n    const roles: Role[] = roleEntries.map((it) => {\n      const role = this.getRoles().find((role) => role.name === it);\n      if (!role) {\n        throw new SecurityError(`Role '${it}' not found`);\n      }\n      return role;\n    });\n\n    const permission = this.permissionToString(permissionLike);\n    const isAdmin = roles.find((it) =>\n      it.permissions.find(\n        (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n      ),\n    );\n\n    // if the user is an admin, we can return early\n    if (isAdmin) {\n      return {\n        isAuthorized: true,\n        ownership: false,\n      };\n    }\n\n    const result: SecurityCheckResult = {\n      isAuthorized: false,\n      ownership: undefined,\n    };\n\n    // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n    const matchesPattern = (\n      permissionName: string,\n      pattern: string,\n    ): boolean => {\n      if (pattern === \"*\") return true;\n      if (pattern === permissionName) return true;\n\n      // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n      if (pattern.endsWith(\":*\")) {\n        const patternPrefix = pattern.slice(0, -2);\n        // Check if permission starts with the pattern prefix\n        if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n        return permissionName.startsWith(`${patternPrefix}:`);\n      }\n\n      return false;\n    };\n\n    for (const role of roles) {\n      // for each role candidate\n      for (const rolePermission of role.permissions) {\n        // for each permission in the role\n        if (matchesPattern(permission, rolePermission.name)) {\n          // [feature]: exclude permissions including wildcards\n          if (rolePermission.exclude) {\n            let isExcluded = false;\n            for (const excludePattern of rolePermission.exclude) {\n              if (matchesPattern(permission, excludePattern)) {\n                isExcluded = true;\n                break;\n              }\n            }\n            if (isExcluded) {\n              continue;\n            }\n          }\n\n          result.isAuthorized = true; // OK !\n\n          // but we also need to check if the user has ownership\n          if (rolePermission.ownership) {\n            // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n            result.ownership = rolePermission.ownership;\n          } else {\n            // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n            result.ownership = false;\n            return result;\n          }\n        }\n      }\n    }\n\n    return result;\n  }\n\n  /**\n   * Creates a user account from the provided payload.\n   */\n  public async createUserFromToken(\n    headerOrToken?: string,\n    options: {\n      permission?: Permission | string;\n      realm?: string;\n      verify?: JWTVerifyOptions;\n    } = {},\n  ): Promise<UserAccountToken> {\n    const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n    if (typeof token !== \"string\" || token === \"\") {\n      throw new InvalidTokenError(\n        \"Invalid authorization header, maybe token is missing ?\",\n      );\n    }\n\n    const { result, keyName: realm } = await this.jwt.parse(\n      token,\n      options.realm,\n      options.verify,\n    );\n\n    const info = this.createUserFromPayload(result.payload, realm);\n    const realmRoles = this.getRoles(realm).filter((it) => it.default);\n    const roles = info.roles ?? [];\n\n    for (const role of realmRoles) {\n      if (!roles.includes(role.name)) {\n        roles.push(role.name);\n      }\n    }\n\n    info.roles = roles;\n\n    await this.alepha.events.emit(\"security:user:created\", {\n      realm,\n      user: info,\n    });\n\n    let ownership: string | boolean | undefined;\n\n    if (options.permission) {\n      const check = this.checkPermission(options.permission, ...roles);\n      if (!check.isAuthorized) {\n        throw new SecurityError(\n          `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n        );\n      }\n\n      ownership = check.ownership;\n    }\n\n    return {\n      ...info,\n      ownership,\n      token,\n      realm,\n    };\n  }\n\n  /**\n   * Checks if a user has a specific role.\n   *\n   * @param roleName - The role to check for.\n   * @param permission - The permission to check for.\n   * @returns True if the user has the role, false otherwise.\n   */\n  public can(roleName: string, permission: string | Permission): boolean {\n    return this.checkPermission(permission, roleName).isAuthorized;\n  }\n\n  /**\n   * Checks if a user has ownership of a specific permission.\n   */\n  public ownership(\n    roleName: string,\n    permission: string | Permission,\n  ): string | boolean | undefined {\n    return this.checkPermission(permission, roleName).ownership;\n  }\n\n  /**\n   * Converts a permission object to a string.\n   *\n   * @param permission\n   */\n  public permissionToString(permission: Permission | string): string {\n    if (typeof permission === \"string\") {\n      return permission;\n    }\n\n    if (!permission.group) {\n      return permission.name;\n    }\n\n    // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n    const groupParts = Array.isArray(permission.group)\n      ? permission.group\n      : [permission.group];\n\n    return `${groupParts.join(\":\")}:${permission.name}`;\n  }\n\n  // accessors\n\n  public getRealms(): Realm[] {\n    return this.realms;\n  }\n\n  /**\n   * Retrieves the user account from the provided user ID.\n   *\n   * @param realm\n   */\n  public getRoles(realm?: string): Role[] {\n    if (realm) {\n      return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n    }\n\n    return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n  }\n\n  /**\n   * Returns all permissions.\n   *\n   * @param user - Filter permissions by user.\n   *\n   * @return An array containing all permissions.\n   */\n  public getPermissions(user?: {\n    roles?: Array<Role | string>;\n    realm?: string;\n  }): Permission[] {\n    if (user?.roles) {\n      const permissions: Permission[] = [];\n      const roles = user.roles ?? [];\n\n      for (const roleOrString of roles) {\n        const role =\n          typeof roleOrString === \"string\"\n            ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n            : roleOrString;\n\n        if (!role) {\n          throw new SecurityError(`Role '${roleOrString}' not found`);\n        }\n\n        if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n          return this.getPermissions();\n        }\n\n        for (const permission of role.permissions) {\n          let ref: Permission[] = [];\n          if (permission.name === \"*\") {\n            ref.push(...this.permissions);\n          } else if (permission.name.includes(\":\")) {\n            // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n            const parts = permission.name.split(\":\");\n            const lastPart = parts[parts.length - 1];\n\n            if (lastPart === \"*\") {\n              // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n              const groupPrefix = parts.slice(0, -1).join(\":\");\n\n              ref.push(\n                ...this.permissions.filter((it) => {\n                  if (!it.group) return false;\n                  // Match exact group or any sub-group\n                  return (\n                    it.group === groupPrefix ||\n                    it.group.startsWith(`${groupPrefix}:`)\n                  );\n                }),\n              );\n            } else {\n              // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n              const name = lastPart;\n              const groupParts = parts.slice(0, -1);\n              const group = groupParts.join(\":\");\n\n              ref.push(\n                ...this.permissions.filter((it) => {\n                  if (it.name !== name) return false;\n                  if (!it.group) return false;\n                  return it.group === group;\n                }),\n              );\n            }\n          } else {\n            // all permissions without a group\n            ref.push(\n              ...this.permissions.filter(\n                (it) => it.name === permission.name && !it.group,\n              ),\n            );\n          }\n          const exclude = permission.exclude;\n          if (exclude) {\n            // exclude permissions with multi-layer wildcard support\n            ref = ref.filter((it) => {\n              const permString = this.permissionToString(it);\n              return !exclude.some((excludePattern) => {\n                if (excludePattern === permString) return true;\n                if (excludePattern.endsWith(\":*\")) {\n                  const excludePrefix = excludePattern.slice(0, -2);\n                  return permString.startsWith(`${excludePrefix}:`);\n                }\n                return false;\n              });\n            });\n          }\n          permissions.push(...ref);\n        }\n      }\n\n      return [...new Set(permissions.filter((it) => it != null))];\n    }\n\n    return this.permissions;\n  }\n\n  /**\n   * Retrieves the user ID from the provided payload object.\n   *\n   * @param payload - The payload object from which to extract the user ID.\n   * @return The user ID as a string.\n   */\n  public getIdFromPayload(payload: Record<string, any>): string {\n    if (payload.sub != null) {\n      return String(payload.sub);\n    }\n\n    if (payload.id != null) {\n      return String(payload.id);\n    }\n\n    if (payload.userId != null) {\n      return String(payload.userId);\n    }\n\n    throw new SecurityError(\"Invalid JWT - missing id\");\n  }\n\n  public getSessionIdFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n    if (payload.sid) {\n      return String(payload.sid);\n    }\n  }\n\n  /**\n   * Retrieves the roles from the provided payload object.\n   * @param payload - The payload object from which to extract the roles.\n   * @return An array of role strings.\n   */\n  public getRolesFromPayload(payload: Record<string, any>): string[] {\n    return payload?.realm_access?.roles ?? payload?.roles ?? [];\n  }\n\n  public getPictureFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.picture) {\n      return payload.picture;\n    }\n\n    if (payload.avatar_url) {\n      return payload.avatar_url;\n    }\n\n    if (payload.user_picture) {\n      return payload.user_picture;\n    }\n\n    return undefined;\n  }\n\n  public getUsernameFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.preferred_username) {\n      return payload.preferred_username;\n    }\n\n    if (payload.username) {\n      return payload.username;\n    }\n\n    return undefined;\n  }\n\n  public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.email) {\n      return payload.email;\n    }\n\n    return undefined;\n  }\n\n  /**\n   * Returns the name from the given payload.\n   *\n   * @param payload - The payload object.\n   * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n   */\n  public getNameFromPayload(payload: Record<string, any>): string {\n    if (!payload) {\n      return this.UNKNOWN_USER_NAME;\n    }\n\n    if (payload.name) {\n      return payload.name;\n    }\n\n    if (\n      typeof payload.given_name === \"string\" &&\n      typeof payload.family_name === \"string\"\n    ) {\n      return `${payload.given_name} ${payload.family_name}`.trim();\n    }\n\n    return this.UNKNOWN_USER_NAME;\n  }\n\n  public getOrganizationsFromPayload(\n    payload: Record<string, any>,\n  ): string[] | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.organization) {\n      if (typeof payload.organization === \"string\") {\n        return [payload.organization];\n      }\n      if (Array.isArray(payload.organization)) {\n        return payload.organization;\n      }\n    }\n  }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n  name: string;\n\n  roles: Role[];\n\n  /**\n   * The secret key for the realm.\n   *\n   * Can be also a JWKS URL.\n   */\n  secret?: string | JSONWebKeySet | (() => string);\n\n  /**\n   * Create the user account info based on the raw JWT payload.\n   * By default, SecurityProvider has his own implementation, but this method allow to override it.\n   */\n  profile?: (raw: Record<string, any>) => UserAccount;\n}\n\nexport interface SecurityCheckResult {\n  isAuthorized: boolean;\n  ownership: string | boolean | undefined;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n  options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n  return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n  /**\n   * Name of the permission. Use Property name is not provided.\n   */\n  name?: string;\n\n  /**\n   * Group of the permission. Use Class name is not provided.\n   */\n  group?: string;\n\n  /**\n   * Describe the permission.\n   */\n  description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  public get group(): string {\n    return this.options.group || this.config.service.name;\n  }\n\n  public toString(): string {\n    return `${this.group}:${this.name}`;\n  }\n\n  protected onInit() {\n    this.securityProvider.createPermission({\n      name: this.name,\n      group: this.group,\n      description: this.options.description,\n    });\n  }\n\n  /**\n   * Check if the user has the permission.\n   */\n  public can(user: UserAccount): boolean {\n    if (!user.roles) {\n      return false;\n    }\n    const check = this.securityProvider.checkPermission(this, ...user.roles);\n    return check.isAuthorized;\n  }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n  DateTimeProvider,\n  type Duration,\n  type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new realm.\n */\nexport const $realm = (options: RealmPrimitiveOptions): RealmPrimitive => {\n  return createPrimitive(RealmPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type RealmPrimitiveOptions = {\n  /**\n   * Define the realm name.\n   * If not provided, it will use the property key.\n   */\n  name?: string;\n\n  /**\n   * Short description about the realm.\n   */\n  description?: string;\n\n  /**\n   * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).\n   */\n  roles?: Array<string | Role>;\n\n  /**\n   * Realm settings.\n   */\n  settings?: RealmSettings;\n\n  /**\n   * Parse the JWT payload to create a user account info.\n   */\n  profile?: (jwtPayload: Record<string, any>) => UserAccount;\n} & (RealmInternal | RealmExternal);\n\nexport interface RealmSettings {\n  accessToken?: {\n    /**\n     * Lifetime of the access token.\n     * @default 15 minutes\n     */\n    expiration?: DurationLike;\n  };\n\n  refreshToken?: {\n    /**\n     * Lifetime of the refresh token.\n     * @default 30 days\n     */\n    expiration?: DurationLike;\n\n    // TODO: expirationIdle (max inactive time before the token is invalidated)\n  };\n\n  onCreateSession?: (\n    user: UserAccount,\n    config: {\n      expiresIn: number;\n    },\n  ) => Promise<{\n    refreshToken: string;\n    sessionId?: string;\n  }>;\n\n  onRefreshSession?: (refreshToken: string) => Promise<{\n    user: UserAccount;\n    expiresIn: number;\n    sessionId?: string;\n  }>;\n\n  onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type RealmInternal = {\n  /**\n   * Internal secret to sign JWT tokens and verify them.\n   */\n  secret: string;\n};\n\nexport interface RealmExternal {\n  /**\n   * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n   */\n  jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n  protected readonly dateTimeProvider = $inject(DateTimeProvider);\n  protected readonly jwt = $inject(JwtProvider);\n  protected readonly log = $logger();\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  public get accessTokenExpiration(): Duration {\n    return this.dateTimeProvider.duration(\n      this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n    );\n  }\n\n  public get refreshTokenExpiration(): Duration {\n    return this.dateTimeProvider.duration(\n      this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n    );\n  }\n\n  protected onInit() {\n    const roles =\n      this.options.roles?.map((it) => {\n        if (typeof it === \"string\") {\n          const role = this.getRoles().find((role) => role.name === it);\n          if (!role) {\n            throw new SecurityError(`Role '${it}' not found`);\n          }\n          return role;\n        }\n\n        return it;\n      }) ?? [];\n\n    this.securityProvider.createRealm({\n      name: this.name,\n      profile: this.options.profile,\n      secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n      roles,\n    });\n  }\n\n  /**\n   * Get all roles in the realm.\n   */\n  public getRoles(): Role[] {\n    return this.securityProvider.getRoles(this.name);\n  }\n\n  /**\n   * Set all roles in the realm.\n   */\n  public async setRoles(roles: Role[]): Promise<void> {\n    await this.securityProvider.updateRealm(this.name, roles);\n  }\n\n  /**\n   * Get a role by name, throws an error if not found.\n   */\n  public getRoleByName(name: string): Role {\n    const role = this.getRoles().find((it) => it.name === name);\n    if (!role) {\n      throw new SecurityError(`Role '${name}' not found`);\n    }\n    return role;\n  }\n\n  public async parseToken(token: string): Promise<JWTPayload> {\n    const { result } = await this.jwt.parse(token, this.name);\n    return result.payload;\n  }\n\n  /**\n   * Create a token for the subject.\n   */\n  public async createToken(\n    user: UserAccount,\n    refreshToken?: {\n      sid?: string;\n      refresh_token?: string;\n      refresh_token_expires_in?: number;\n    },\n  ): Promise<AccessTokenResponse> {\n    let sid: string | undefined = refreshToken?.sid;\n    let refresh_token: string | undefined = refreshToken?.refresh_token;\n    let refresh_token_expires_in: number | undefined =\n      refreshToken?.refresh_token_expires_in;\n\n    const iat = this.dateTimeProvider.now().unix();\n    const exp = iat + this.accessTokenExpiration.asSeconds();\n\n    if (!refreshToken) {\n      const create = this.options.settings?.onCreateSession;\n      if (create) {\n        // -----------------------------------------------------------------------------------------------------------------\n        // managed by the application\n        const expiresIn = this.refreshTokenExpiration.asSeconds();\n        const { refreshToken, sessionId } = await create(user, {\n          expiresIn,\n        });\n\n        refresh_token = refreshToken;\n        refresh_token_expires_in = expiresIn;\n        sid = sessionId;\n      } else {\n        // -----------------------------------------------------------------------------------------------------------------\n        // token based\n\n        const payload = {\n          sub: user.id,\n          exp: iat + this.refreshTokenExpiration.asSeconds(),\n          iat,\n          aud: this.name,\n        };\n\n        this.log.trace(\"Creating refresh token\", payload);\n\n        sid = crypto.randomUUID();\n        refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n        refresh_token = await this.jwt.create(payload, this.name, {\n          header: {\n            typ: \"refresh\",\n          },\n        });\n      }\n    }\n\n    this.log.trace(\"Creating access token\", {\n      sub: user.id,\n      exp,\n      iat,\n      aud: this.name,\n    });\n\n    const access_token = await this.jwt.create(\n      {\n        // jwt\n        sub: user.id,\n        exp,\n        iat,\n        aud: this.name,\n        sid, // session id, if available\n        // oidc\n        name: user.name,\n        email: user.email,\n        preferred_username: user.username,\n        picture: user.picture,\n        // our claims\n        organizations: user.organizations,\n        roles: user.roles,\n      },\n      this.name,\n    );\n\n    const response: AccessTokenResponse = {\n      access_token,\n      token_type: \"Bearer\",\n      expires_in: this.accessTokenExpiration.asSeconds(),\n      issued_at: iat,\n      refresh_token,\n      refresh_token_expires_in,\n    };\n\n    return response;\n  }\n\n  public async refreshToken(\n    refreshToken: string,\n    accessToken?: string,\n  ): Promise<{\n    tokens: AccessTokenResponse;\n    user: UserAccount;\n  }> {\n    // -----------------------------------------------------------------------------------------------------------------\n    // session based\n\n    if (this.options.settings?.onRefreshSession) {\n      // get user and expiration from the session\n      const { user, expiresIn, sessionId } =\n        await this.options.settings.onRefreshSession(refreshToken);\n\n      // then, create a new access token\n      const tokens = await this.createToken(user, {\n        sid: sessionId,\n        refresh_token: refreshToken,\n        refresh_token_expires_in: expiresIn,\n      });\n\n      return { user, tokens };\n    }\n\n    // -----------------------------------------------------------------------------------------------------------------\n    // token based\n\n    if (!accessToken) {\n      throw new AlephaError(\"An access token is required for refreshing\");\n    }\n\n    // extract user from an expired token\n    const user = await this.securityProvider.createUserFromToken(accessToken, {\n      realm: this.name,\n      verify: {\n        currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n      },\n    });\n\n    // check if the refresh token is valid + match access token user\n    const {\n      result: { payload },\n    } = await this.jwt.parse(refreshToken, this.name, {\n      typ: \"refresh\",\n      audience: this.name,\n      subject: user.id,\n    });\n\n    const iat = this.dateTimeProvider.now().unix();\n    const expiresIn = payload.exp\n      ? payload.exp - iat\n      : this.refreshTokenExpiration.asSeconds();\n\n    return {\n      user,\n      tokens: await this.createToken(user, {\n        sid: payload.sid,\n        refresh_token: refreshToken,\n        refresh_token_expires_in: expiresIn,\n      }),\n    };\n  }\n}\n\n$realm[KIND] = RealmPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n  sub: string;\n  roles?: string[];\n  email?: string;\n}\n\nexport interface AccessTokenResponse {\n  access_token: string;\n  token_type: string;\n  expires_in?: number;\n  issued_at: number;\n  refresh_token?: string;\n  refresh_token_expires_in?: number;\n  scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\nimport type { RealmPrimitive } from \"./$realm.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n  return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n  /**\n   * Name of the role.\n   */\n  name?: string;\n\n  /**\n   * Describe the role.\n   */\n  description?: string;\n\n  realm?: string | RealmPrimitive;\n\n  permissions?: Array<\n    | string\n    | {\n        name: string;\n        ownership?: boolean;\n        exclude?: string[];\n      }\n  >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  protected onInit() {\n    this.securityProvider.createRole({\n      ...this.options,\n      name: this.name,\n      permissions:\n        this.options.permissions?.map((it) => {\n          if (typeof it === \"string\") {\n            return {\n              name: it,\n            };\n          }\n\n          return it;\n        }) ?? [],\n    });\n  }\n\n  /**\n   * Get the realm of the role.\n   */\n  public get realm(): string | RealmPrimitive | undefined {\n    return this.options.realm;\n  }\n\n  public can(permission: string | PermissionPrimitive): boolean {\n    return this.securityProvider.can(this.name, permission);\n  }\n\n  public check(permission: string | PermissionPrimitive) {\n    return this.securityProvider.checkPermission(permission, this.name);\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n  public async hashPassword(password: string): Promise<string> {\n    const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n    return `${salt}:${derivedKey.toString(\"hex\")}`;\n  }\n\n  public async verifyPassword(\n    password: string,\n    stored: string,\n  ): Promise<boolean> {\n    // Validate input format\n    if (!stored || typeof stored !== \"string\") {\n      return false;\n    }\n\n    const parts = stored.split(\":\");\n    if (parts.length !== 2) {\n      return false;\n    }\n\n    const [salt, originalHex] = parts;\n\n    // Validate salt and hash are non-empty\n    if (!salt || !originalHex) {\n      return false;\n    }\n\n    // Validate hex format (must be even length and valid hex)\n    if (originalHex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(originalHex)) {\n      return false;\n    }\n\n    try {\n      const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n      const originalKey = Buffer.from(originalHex, \"hex\");\n\n      // Validate buffer lengths match (scrypt should produce 64 bytes)\n      if (derivedKey.length !== originalKey.length) {\n        return false;\n      }\n\n      // Important: prevent timing attacks\n      return timingSafeEqual(derivedKey, originalKey);\n    } catch (error) {\n      // Handle any errors during verification (e.g., invalid salt encoding)\n      return false;\n    }\n  }\n\n  public randomUUID(): string {\n    return randomUUID();\n  }\n}\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n  readonly name = \"UnauthorizedError\";\n  constructor() {\n    super(\"Invalid credentials\");\n  }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, RealmPrimitive } from \"./$realm.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n *   serviceAccount = $serviceAccount({\n *     oauth2: {\n *       url: \"https://example.com/oauth2/token\",\n *       clientId: \"your-client-id\",\n *       clientSecret: \"your-client-secret\",\n *     }\n *   });\n *\n *   async fetchData() {\n *     const token = await this.serviceAccount.token();\n *     // or\n *     const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n *   }\n * }\n * ```\n */\nexport const $serviceAccount = (\n  options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n  const { alepha } = $context();\n  const store: {\n    cache?: AccessTokenResponse;\n  } = {};\n  const dateTimeProvider = alepha.inject(DateTimeProvider);\n  const gracePeriod = options.gracePeriod ?? 30;\n\n  const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n    store.cache = {\n      ...response,\n      issued_at: dateTimeProvider.now().unix(),\n    };\n  };\n\n  const getTokenFromCache = () => {\n    if (store.cache) {\n      const { access_token, expires_in, issued_at } = store.cache;\n      if (!expires_in) {\n        return access_token;\n      }\n\n      const now = dateTimeProvider.now().unix();\n      const expires = issued_at + expires_in;\n\n      if (expires - gracePeriod > now) {\n        return access_token;\n      }\n    }\n  };\n\n  if (\"oauth2\" in options) {\n    const { url, clientId, clientSecret } = options.oauth2;\n\n    const token = async () => {\n      const tokenFromCache = getTokenFromCache();\n      if (tokenFromCache) {\n        return tokenFromCache;\n      }\n\n      let response: Response;\n      try {\n        response = await fetch(url, {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n          },\n          body: new URLSearchParams({\n            grant_type: \"client_credentials\",\n            client_id: clientId,\n            client_secret: clientSecret,\n          }),\n        });\n      } catch (error) {\n        throw new Error(\n          `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n        );\n      }\n\n      // Check HTTP status\n      if (!response.ok) {\n        let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n        try {\n          const errorBody = await response.text();\n          errorMessage += `: ${errorBody}`;\n        } catch {\n          // Ignore error reading body\n        }\n        throw new Error(`Failed to fetch access token: ${errorMessage}`);\n      }\n\n      // Parse JSON response\n      let json: any;\n      try {\n        json = await response.json();\n      } catch (error) {\n        throw new Error(\n          `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n        );\n      }\n\n      // Validate response structure\n      if (!json.access_token || !json.expires_in) {\n        throw new Error(\n          `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n        );\n      }\n\n      cacheToken(json);\n\n      return json.access_token;\n    };\n\n    return {\n      token,\n    };\n  }\n\n  return {\n    token: async () => {\n      const tokenFromCache = getTokenFromCache();\n      if (tokenFromCache) {\n        return tokenFromCache;\n      }\n\n      const token = await options.realm.createToken(options.user);\n\n      cacheToken({\n        ...token,\n        issued_at: dateTimeProvider.now().unix(),\n      });\n\n      return token.access_token;\n    },\n  };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n  gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n  | {\n      oauth2: Oauth2ServiceAccountPrimitiveOptions;\n    }\n  | {\n      realm: RealmPrimitive;\n      user: UserAccount;\n    }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n  /**\n   * Get Token URL.\n   */\n  url: string;\n\n  /**\n   * Client ID.\n   */\n  clientId: string;\n\n  /**\n   * Client Secret.\n   */\n  clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n  token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n  response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n  name: t.text({\n    description: \"Name of the permission.\",\n  }),\n\n  group: t.optional(\n    t.text({\n      description: \"Group of the permission.\",\n    }),\n  ),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the permission.\",\n    }),\n  ),\n\n  // HTTP Only\n\n  method: t.optional(\n    t.text({\n      description: \"HTTP method of the permission. When available.\",\n    }),\n  ),\n\n  path: t.optional(\n    t.text({\n      description: \"Pathname of the permission. When available.\",\n    }),\n  ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n  name: t.text({\n    description: \"Name of the role.\",\n  }),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the role.\",\n    }),\n  ),\n\n  default: t.optional(\n    t.boolean({\n      description:\n        \"If true, this role will be assigned to all users by default.\",\n    }),\n  ),\n\n  permissions: t.array(\n    t.object({\n      name: t.text({\n        description: \"Name of the permission.\",\n      }),\n      ownership: t.optional(\n        t.boolean({\n          description:\n            \"If true, user will only have access to it's own resources.\",\n        }),\n      ),\n      exclude: t.optional(\n        t.array(t.text(), {\n          description:\n            \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n        }),\n      ),\n    }),\n  ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n  id: t.text({\n    description: \"Unique identifier for the user.\",\n  }),\n\n  name: t.optional(\n    t.text({\n      description: \"Full name of the user.\",\n    }),\n  ),\n\n  email: t.optional(\n    t.text({\n      description: \"Email address of the user.\",\n      format: \"email\",\n    }),\n  ),\n\n  username: t.optional(\n    t.text({\n      description: \"Preferred username of the user.\",\n    }),\n  ),\n\n  picture: t.optional(\n    t.text({\n      description: \"URL to the user's profile picture.\",\n    }),\n  ),\n\n  sessionId: t.optional(\n    t.text({\n      description: \"Session identifier for the user, if applicable.\",\n    }),\n  ),\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  organizations: t.optional(\n    t.array(t.text(), {\n      description: \"List of organizations the user belongs to.\",\n    }),\n  ),\n\n  roles: t.optional(\n    t.array(t.text(), {\n      description: \"List of roles assigned to the user.\",\n    }),\n  ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $module } from \"alepha\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $realm } from \"./primitives/$realm.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$realm.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\ndeclare module \"alepha\" {\n  interface Hooks {\n    \"security:user:created\": {\n      realm: string;\n      user: UserAccount;\n    };\n  }\n}\n\n/**\n * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.\n *\n * The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`\n * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless\n * integration with various authentication providers and user management systems.\n *\n * @see {@link $realm}\n * @see {@link $role}\n * @see {@link $permission}\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n  name: \"alepha.security\",\n  primitives: [$realm, $role, $permission],\n  services: [SecurityProvider, JwtProvider, CryptoProvider],\n});\n"],"mappings":";;;;;;;;;;AAAA,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACFvC,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;;;;ACuB3B,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;AC7IlC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,OACvB,KAAI,MAAM,QAAQ;IAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,SAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;;EAIhD,CAAC;;;;;;;CAQF,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;;;;;CAWH,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASA,OAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,SAAOC,KAAG,SAAS,OAAO,CAACA,KAAG,WAAW,CAACA,KAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;AC9uBvB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA4B;AACrC,MAAI,CAAC,KAAK,MACR,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;ACpDpB,MAAa,UAAU,YAAmD;AACxE,QAAO,gBAAgB,gBAAgB,QAAQ;;AAuFjD,IAAa,iBAAb,cAAoC,UAAiC;CACnE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASC,OAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACD,CAAC;;;;;CAMJ,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,8BAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgBC;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,cAAM,wBAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAYC,QAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0BC;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,OAAO,QAAQ;;;;;;;AC1Uf,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,QAA6C;AACtD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;;;;;;;AChDvB,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,MAAM,YAAY,QAAQ,KAAK;AAE3D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;ACrCF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;ACPF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAQ;EAAO;EAAY;CACxC,UAAU;EAAC;EAAkB;EAAa;EAAe;CAC1D,CAAC"}
+{"version":3,"file":"index.js","names":["role","it","role","refreshToken","user","expiresIn"],"sources":["../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/errors/SecurityError.ts","../../src/security/providers/JwtProvider.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$realm.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/index.ts"],"sourcesContent":["export class InvalidPermissionError extends Error {\n  constructor(name: string) {\n    super(`Permission '${name}' is invalid`);\n  }\n}\n","export class InvalidTokenError extends Error {\n  public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n  constructor(realm: string) {\n    super(`Realm '${realm}' not found`);\n  }\n}\n","export class SecurityError extends Error {\n  public name = \"SecurityError\";\n  public readonly status = 403;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  type CryptoKey,\n  createLocalJWKSet,\n  createRemoteJWKSet,\n  type FlattenedJWSInput,\n  type JSONWebKeySet,\n  type JWSHeaderParameters,\n  type JWTHeaderParameters,\n  type JWTPayload,\n  type JWTVerifyResult,\n  jwtVerify,\n  type KeyObject,\n  SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n  protected readonly log = $logger();\n  protected readonly keystore: KeyLoaderHolder[] = [];\n  protected readonly dateTimeProvider = $inject(DateTimeProvider);\n  protected readonly encoder = new TextEncoder();\n\n  /**\n   * Adds a key loader to the embedded keystore.\n   *\n   * @param name\n   * @param secretKeyOrJwks\n   */\n  public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n    if (typeof secretKeyOrJwks === \"object\") {\n      this.log.info(\n        `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n      );\n      this.keystore.push({\n        name,\n        keyLoader: createLocalJWKSet(secretKeyOrJwks),\n      });\n    } else if (this.isSecretKey(secretKeyOrJwks)) {\n      const secretKey = this.encoder.encode(secretKeyOrJwks);\n      this.log.info(\n        `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n      );\n      this.keystore.push({\n        name,\n        secretKey: secretKeyOrJwks,\n        keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n      });\n    } else {\n      this.log.info(\n        `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n      );\n      this.keystore.push({\n        name,\n        keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n      });\n    }\n  }\n\n  /**\n   * Retrieves the payload from a JSON Web Token (JWT).\n   *\n   * @param token - The JWT to extract the payload from.\n   *\n   * @return A Promise that resolves with the payload object from the token.\n   */\n  public async parse(\n    token: string,\n    keyName?: string,\n    options?: JWTVerifyOptions,\n  ): Promise<JwtParseResult> {\n    for (const it of this.keystore) {\n      if (keyName && it.name !== keyName) {\n        continue;\n      }\n\n      this.log.trace(`Trying to verify token`, {\n        keyName: it.name,\n        options,\n      });\n\n      try {\n        const verified = {\n          keyName: it.name,\n          result: await jwtVerify(token, it.keyLoader, {\n            currentDate: this.dateTimeProvider.now().toDate(),\n            ...options,\n          }),\n        };\n\n        this.log.trace(\"Token verified successfully\", {\n          keyName: verified.keyName,\n        });\n\n        return verified;\n      } catch (error) {\n        this.log.trace(\"Token verification has failed\", error);\n\n        if (error instanceof JWTExpired) {\n          throw new SecurityError(\"Token expired\", { cause: error });\n        }\n\n        if (error instanceof JWTClaimValidationFailed) {\n          throw new SecurityError(\"Token claim validation failed\", {\n            cause: error,\n          });\n        }\n      }\n    }\n\n    this.log.warn(\n      `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n    );\n\n    throw new SecurityError(\"Invalid token\");\n  }\n\n  /**\n   * Creates a JWT token with the provided payload and secret key.\n   *\n   * @param payload - The payload to be encoded in the token.\n   * \tIt should include the `realm_access` property which contains an array of roles.\n   * @param keyName - The name of the key to use when signing the token.\n   *\n   * @returns The signed JWT token.\n   */\n  public async create(\n    payload: ExtendedJWTPayload,\n    keyName?: string,\n    signOptions?: JwtSignOptions,\n  ): Promise<string> {\n    const secretKey = keyName\n      ? this.keystore.find((it) => it.name === keyName)?.secretKey\n      : this.keystore[0]?.secretKey;\n\n    if (!secretKey) {\n      throw new AlephaError(\"No secret key found in the keystore\");\n    }\n\n    const signJwt = new SignJWT(payload);\n\n    signJwt.setProtectedHeader({\n      alg: \"HS256\",\n      ...signOptions?.header,\n    });\n\n    return await signJwt.sign(this.encoder.encode(secretKey));\n  }\n\n  /**\n   * Determines if the provided key is a secret key.\n   *\n   * @param key\n   * @protected\n   */\n  protected isSecretKey(key: string): boolean {\n    return !key.startsWith(\"http\");\n  }\n}\n\nexport type KeyLoader = (\n  protectedHeader?: JWSHeaderParameters,\n  token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n  name: string;\n  keyLoader: KeyLoader;\n  secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n  header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n  sid?: string;\n  //\n  name?: string;\n  roles?: string[];\n  email?: string;\n  organizations?: string[];\n  // keycloak specific\n  realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n  keyName: string;\n  result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","import {\n  $env,\n  $hook,\n  $inject,\n  Alepha,\n  AppNotStartedError,\n  ContainerLockedError,\n  type Static,\n  t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n  APP_SECRET: t.text({\n    default: DEFAULT_APP_SECRET,\n  }),\n});\n\ndeclare module \"alepha\" {\n  interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n  protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n  protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n  protected readonly PERMISSION_REGEXP_WILDCARD =\n    /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n  protected readonly log = $logger();\n  protected readonly jwt = $inject(JwtProvider);\n  protected readonly env = $env(envSchema);\n  protected readonly alepha = $inject(Alepha);\n\n  public get secretKey() {\n    return this.env.APP_SECRET;\n  }\n\n  /**\n   * The permissions configured for the security provider.\n   */\n  protected readonly permissions: Permission[] = [];\n\n  /**\n   * The realms configured for the security provider.\n   */\n  protected readonly realms: Realm[] = this.alepha.isTest()\n    ? [\n        {\n          name: \"default\",\n          secret: this.env.APP_SECRET,\n          roles: [\n            {\n              name: \"admin\",\n              permissions: [\n                {\n                  name: \"*\",\n                },\n              ],\n            },\n          ],\n        },\n      ]\n    : [];\n\n  protected start = $hook({\n    on: \"start\",\n    handler: async () => {\n      if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n        this.log.warn(\n          \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n        );\n      }\n\n      for (const realm of this.realms) {\n        if (realm.secret) {\n          const secret =\n            typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n          this.jwt.setKeyLoader(realm.name, secret);\n        }\n      }\n    },\n  });\n\n  /**\n   * Adds a role to one or more realms.\n   *\n   * @param role\n   * @param realms\n   */\n  public createRole(role: Role, ...realms: string[]): Role {\n    const list = realms.length\n      ? realms.map((it) => {\n          const item = this.realms.find((realm) => realm.name === it);\n          if (!item) {\n            throw new RealmNotFoundError(it);\n          }\n          return item;\n        })\n      : this.realms;\n\n    for (const realm of list) {\n      for (const { name } of role.permissions) {\n        if (this.alepha.isStarted()) {\n          // Check if permission exists or matches a wildcard pattern\n          if (name === \"*\") {\n            // Global wildcard is always allowed\n            continue;\n          }\n\n          // Check for exact match first\n          const existingExact = this.permissions.find(\n            (it) => this.permissionToString(it) === name,\n          );\n          if (existingExact) {\n            continue;\n          }\n\n          // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n          if (name.endsWith(\":*\")) {\n            const groupPrefix = name.slice(0, -2); // Remove \":*\"\n            // Check if any permission exists with this group prefix\n            const existingWithPrefix = this.permissions.find((it) => {\n              if (!it.group) return false;\n              return (\n                it.group === groupPrefix ||\n                it.group.startsWith(`${groupPrefix}:`)\n              );\n            });\n            if (existingWithPrefix) {\n              continue;\n            }\n          }\n\n          // Permission not found\n          throw new SecurityError(`Permission '${name}' not found`);\n        } else {\n          if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n            throw new InvalidPermissionError(name);\n          }\n        }\n      }\n\n      realm.roles.push(role);\n    }\n\n    return role;\n  }\n\n  /**\n   * Adds a permission to the security provider.\n   *\n   * @param raw - The permission to add.\n   */\n  public createPermission(raw: Permission | string): Permission {\n    if (this.alepha.isStarted()) {\n      throw new ContainerLockedError();\n    }\n\n    let permission: Permission;\n    if (typeof raw === \"string\") {\n      if (!this.PERMISSION_REGEXP.test(raw)) {\n        throw new InvalidPermissionError(raw);\n      }\n\n      const parts = raw.split(\":\");\n      if (parts.length === 1) {\n        // No group, just name (e.g., \"read\")\n        permission = { name: parts[0] };\n      } else {\n        // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n        // The last part is the name, everything else is the group\n        const name = parts[parts.length - 1];\n        const groupParts = parts.slice(0, -1);\n\n        if (groupParts.length === 1) {\n          permission = {\n            group: groupParts[0],\n            name,\n          };\n        } else {\n          // Multi-layer group\n          permission = {\n            group: groupParts.join(\":\"),\n            name,\n          };\n        }\n      }\n    } else {\n      permission = raw;\n    }\n\n    const asString = this.permissionToString(permission);\n    if (!this.PERMISSION_REGEXP.test(asString)) {\n      throw new InvalidPermissionError(asString);\n    }\n\n    const existing = this.permissions.find(\n      (it) => this.permissionToString(it) === asString,\n    );\n\n    if (existing) {\n      this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n        current: existing,\n        new: permission,\n      });\n\n      return existing;\n    }\n\n    this.log.trace(`Creating permission '${asString}'`);\n\n    this.permissions.push(permission);\n\n    return permission;\n  }\n\n  public createRealm(realm: Realm) {\n    if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n      // if the default realm is the only one, we remove it to allow creating new realms\n      this.realms.pop();\n    }\n\n    this.realms.push(realm);\n  }\n\n  /**\n   * Updates the roles for a realm then synchronizes the user account provider if available.\n   *\n   * Only available when the app is started.\n   *\n   * @param realm - The realm to update the roles for.\n   * @param roles - The roles to update.\n   */\n  public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n    if (!this.alepha.isStarted()) {\n      throw new AppNotStartedError();\n    }\n\n    const realmInstance = this.realms.find((it) => it.name === realm);\n    if (!realmInstance) {\n      throw new RealmNotFoundError(realm);\n    }\n\n    realmInstance.roles = roles;\n  }\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  /**\n   * Creates a user account from the provided payload.\n   *\n   * @param payload - The payload to create the user account from.\n   * @param [realmName] - The realm containing the roles. Default is all.\n   *\n   * @returns The user info created from the payload.\n   */\n  public createUserFromPayload(\n    payload: JWTPayload,\n    realmName?: string,\n  ): UserAccount {\n    const id = this.getIdFromPayload(payload);\n    const sessionId = this.getSessionIdFromPayload(payload);\n    const rolesFromPayload = this.getRolesFromPayload(payload);\n    const email = this.getEmailFromPayload(payload);\n    const username = this.getUsernameFromPayload(payload);\n    const picture = this.getPictureFromPayload(payload);\n    const name = this.getNameFromPayload(payload);\n    const organizations = this.getOrganizationsFromPayload(payload);\n    const rolesFromSystem = this.getRoles(realmName);\n    const roles = rolesFromPayload\n      .reduce<Role[]>(\n        (arr, roleName) =>\n          arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n        [],\n      )\n      .map((it) => it.name);\n\n    const realm = this.realms.find((it) => it.name === realmName);\n    if (realm?.profile) {\n      return realm.profile(payload);\n    }\n\n    return {\n      id,\n      roles,\n      name,\n      email,\n      username,\n      picture,\n      organizations,\n      sessionId,\n    };\n  }\n\n  /**\n   * Checks if the user has the specified permission.\n   *\n   * Bonus: we check also if the user has \"ownership\" flag.\n   *\n   * @param permissionLike - The permission to check for.\n   * @param roleEntries - The roles to check for the permission.\n   */\n  public checkPermission(\n    permissionLike: string | Permission,\n    ...roleEntries: string[]\n  ): SecurityCheckResult {\n    const roles: Role[] = roleEntries.map((it) => {\n      const role = this.getRoles().find((role) => role.name === it);\n      if (!role) {\n        throw new SecurityError(`Role '${it}' not found`);\n      }\n      return role;\n    });\n\n    const permission = this.permissionToString(permissionLike);\n    const isAdmin = roles.find((it) =>\n      it.permissions.find(\n        (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n      ),\n    );\n\n    // if the user is an admin, we can return early\n    if (isAdmin) {\n      return {\n        isAuthorized: true,\n        ownership: false,\n      };\n    }\n\n    const result: SecurityCheckResult = {\n      isAuthorized: false,\n      ownership: undefined,\n    };\n\n    // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n    const matchesPattern = (\n      permissionName: string,\n      pattern: string,\n    ): boolean => {\n      if (pattern === \"*\") return true;\n      if (pattern === permissionName) return true;\n\n      // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n      if (pattern.endsWith(\":*\")) {\n        const patternPrefix = pattern.slice(0, -2);\n        // Check if permission starts with the pattern prefix\n        if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n        return permissionName.startsWith(`${patternPrefix}:`);\n      }\n\n      return false;\n    };\n\n    for (const role of roles) {\n      // for each role candidate\n      for (const rolePermission of role.permissions) {\n        // for each permission in the role\n        if (matchesPattern(permission, rolePermission.name)) {\n          // [feature]: exclude permissions including wildcards\n          if (rolePermission.exclude) {\n            let isExcluded = false;\n            for (const excludePattern of rolePermission.exclude) {\n              if (matchesPattern(permission, excludePattern)) {\n                isExcluded = true;\n                break;\n              }\n            }\n            if (isExcluded) {\n              continue;\n            }\n          }\n\n          result.isAuthorized = true; // OK !\n\n          // but we also need to check if the user has ownership\n          if (rolePermission.ownership) {\n            // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n            result.ownership = rolePermission.ownership;\n          } else {\n            // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n            result.ownership = false;\n            return result;\n          }\n        }\n      }\n    }\n\n    return result;\n  }\n\n  /**\n   * Creates a user account from the provided payload.\n   */\n  public async createUserFromToken(\n    headerOrToken?: string,\n    options: {\n      permission?: Permission | string;\n      realm?: string;\n      verify?: JWTVerifyOptions;\n    } = {},\n  ): Promise<UserAccountToken> {\n    const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n    if (typeof token !== \"string\" || token === \"\") {\n      throw new InvalidTokenError(\n        \"Invalid authorization header, maybe token is missing ?\",\n      );\n    }\n\n    const { result, keyName: realm } = await this.jwt.parse(\n      token,\n      options.realm,\n      options.verify,\n    );\n\n    const info = this.createUserFromPayload(result.payload, realm);\n    const realmRoles = this.getRoles(realm).filter((it) => it.default);\n    const roles = info.roles ?? [];\n\n    for (const role of realmRoles) {\n      if (!roles.includes(role.name)) {\n        roles.push(role.name);\n      }\n    }\n\n    info.roles = roles;\n\n    await this.alepha.events.emit(\"security:user:created\", {\n      realm,\n      user: info,\n    });\n\n    let ownership: string | boolean | undefined;\n\n    if (options.permission) {\n      const check = this.checkPermission(options.permission, ...roles);\n      if (!check.isAuthorized) {\n        throw new SecurityError(\n          `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n        );\n      }\n\n      ownership = check.ownership;\n    }\n\n    return {\n      ...info,\n      ownership,\n      token,\n      realm,\n    };\n  }\n\n  /**\n   * Checks if a user has a specific role.\n   *\n   * @param roleName - The role to check for.\n   * @param permission - The permission to check for.\n   * @returns True if the user has the role, false otherwise.\n   */\n  public can(roleName: string, permission: string | Permission): boolean {\n    return this.checkPermission(permission, roleName).isAuthorized;\n  }\n\n  /**\n   * Checks if a user has ownership of a specific permission.\n   */\n  public ownership(\n    roleName: string,\n    permission: string | Permission,\n  ): string | boolean | undefined {\n    return this.checkPermission(permission, roleName).ownership;\n  }\n\n  /**\n   * Converts a permission object to a string.\n   *\n   * @param permission\n   */\n  public permissionToString(permission: Permission | string): string {\n    if (typeof permission === \"string\") {\n      return permission;\n    }\n\n    if (!permission.group) {\n      return permission.name;\n    }\n\n    // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n    const groupParts = Array.isArray(permission.group)\n      ? permission.group\n      : [permission.group];\n\n    return `${groupParts.join(\":\")}:${permission.name}`;\n  }\n\n  // accessors\n\n  public getRealms(): Realm[] {\n    return this.realms;\n  }\n\n  /**\n   * Retrieves the user account from the provided user ID.\n   *\n   * @param realm\n   */\n  public getRoles(realm?: string): Role[] {\n    if (realm) {\n      return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n    }\n\n    return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n  }\n\n  /**\n   * Returns all permissions.\n   *\n   * @param user - Filter permissions by user.\n   *\n   * @return An array containing all permissions.\n   */\n  public getPermissions(user?: {\n    roles?: Array<Role | string>;\n    realm?: string;\n  }): Permission[] {\n    if (user?.roles) {\n      const permissions: Permission[] = [];\n      const roles = user.roles ?? [];\n\n      for (const roleOrString of roles) {\n        const role =\n          typeof roleOrString === \"string\"\n            ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n            : roleOrString;\n\n        if (!role) {\n          throw new SecurityError(`Role '${roleOrString}' not found`);\n        }\n\n        if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n          return this.getPermissions();\n        }\n\n        for (const permission of role.permissions) {\n          let ref: Permission[] = [];\n          if (permission.name === \"*\") {\n            ref.push(...this.permissions);\n          } else if (permission.name.includes(\":\")) {\n            // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n            const parts = permission.name.split(\":\");\n            const lastPart = parts[parts.length - 1];\n\n            if (lastPart === \"*\") {\n              // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n              const groupPrefix = parts.slice(0, -1).join(\":\");\n\n              ref.push(\n                ...this.permissions.filter((it) => {\n                  if (!it.group) return false;\n                  // Match exact group or any sub-group\n                  return (\n                    it.group === groupPrefix ||\n                    it.group.startsWith(`${groupPrefix}:`)\n                  );\n                }),\n              );\n            } else {\n              // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n              const name = lastPart;\n              const groupParts = parts.slice(0, -1);\n              const group = groupParts.join(\":\");\n\n              ref.push(\n                ...this.permissions.filter((it) => {\n                  if (it.name !== name) return false;\n                  if (!it.group) return false;\n                  return it.group === group;\n                }),\n              );\n            }\n          } else {\n            // all permissions without a group\n            ref.push(\n              ...this.permissions.filter(\n                (it) => it.name === permission.name && !it.group,\n              ),\n            );\n          }\n          const exclude = permission.exclude;\n          if (exclude) {\n            // exclude permissions with multi-layer wildcard support\n            ref = ref.filter((it) => {\n              const permString = this.permissionToString(it);\n              return !exclude.some((excludePattern) => {\n                if (excludePattern === permString) return true;\n                if (excludePattern.endsWith(\":*\")) {\n                  const excludePrefix = excludePattern.slice(0, -2);\n                  return permString.startsWith(`${excludePrefix}:`);\n                }\n                return false;\n              });\n            });\n          }\n          permissions.push(...ref);\n        }\n      }\n\n      return [...new Set(permissions.filter((it) => it != null))];\n    }\n\n    return this.permissions;\n  }\n\n  /**\n   * Retrieves the user ID from the provided payload object.\n   *\n   * @param payload - The payload object from which to extract the user ID.\n   * @return The user ID as a string.\n   */\n  public getIdFromPayload(payload: Record<string, any>): string {\n    if (payload.sub != null) {\n      return String(payload.sub);\n    }\n\n    if (payload.id != null) {\n      return String(payload.id);\n    }\n\n    if (payload.userId != null) {\n      return String(payload.userId);\n    }\n\n    throw new SecurityError(\"Invalid JWT - missing id\");\n  }\n\n  public getSessionIdFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n    if (payload.sid) {\n      return String(payload.sid);\n    }\n  }\n\n  /**\n   * Retrieves the roles from the provided payload object.\n   * @param payload - The payload object from which to extract the roles.\n   * @return An array of role strings.\n   */\n  public getRolesFromPayload(payload: Record<string, any>): string[] {\n    return payload?.realm_access?.roles ?? payload?.roles ?? [];\n  }\n\n  public getPictureFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.picture) {\n      return payload.picture;\n    }\n\n    if (payload.avatar_url) {\n      return payload.avatar_url;\n    }\n\n    if (payload.user_picture) {\n      return payload.user_picture;\n    }\n\n    return undefined;\n  }\n\n  public getUsernameFromPayload(\n    payload: Record<string, any>,\n  ): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.preferred_username) {\n      return payload.preferred_username;\n    }\n\n    if (payload.username) {\n      return payload.username;\n    }\n\n    return undefined;\n  }\n\n  public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.email) {\n      return payload.email;\n    }\n\n    return undefined;\n  }\n\n  /**\n   * Returns the name from the given payload.\n   *\n   * @param payload - The payload object.\n   * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n   */\n  public getNameFromPayload(payload: Record<string, any>): string {\n    if (!payload) {\n      return this.UNKNOWN_USER_NAME;\n    }\n\n    if (payload.name) {\n      return payload.name;\n    }\n\n    if (\n      typeof payload.given_name === \"string\" &&\n      typeof payload.family_name === \"string\"\n    ) {\n      return `${payload.given_name} ${payload.family_name}`.trim();\n    }\n\n    return this.UNKNOWN_USER_NAME;\n  }\n\n  public getOrganizationsFromPayload(\n    payload: Record<string, any>,\n  ): string[] | undefined {\n    if (!payload) {\n      return;\n    }\n\n    if (payload.organization) {\n      if (typeof payload.organization === \"string\") {\n        return [payload.organization];\n      }\n      if (Array.isArray(payload.organization)) {\n        return payload.organization;\n      }\n    }\n  }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n  name: string;\n\n  roles: Role[];\n\n  /**\n   * The secret key for the realm.\n   *\n   * Can be also a JWKS URL.\n   */\n  secret?: string | JSONWebKeySet | (() => string);\n\n  /**\n   * Create the user account info based on the raw JWT payload.\n   * By default, SecurityProvider has his own implementation, but this method allow to override it.\n   */\n  profile?: (raw: Record<string, any>) => UserAccount;\n}\n\nexport interface SecurityCheckResult {\n  isAuthorized: boolean;\n  ownership: string | boolean | undefined;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n  options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n  return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n  /**\n   * Name of the permission. Use Property name is not provided.\n   */\n  name?: string;\n\n  /**\n   * Group of the permission. Use Class name is not provided.\n   */\n  group?: string;\n\n  /**\n   * Describe the permission.\n   */\n  description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  public get group(): string {\n    return this.options.group || this.config.service.name;\n  }\n\n  public toString(): string {\n    return `${this.group}:${this.name}`;\n  }\n\n  protected onInit() {\n    this.securityProvider.createPermission({\n      name: this.name,\n      group: this.group,\n      description: this.options.description,\n    });\n  }\n\n  /**\n   * Check if the user has the permission.\n   */\n  public can(user?: UserAccount): boolean {\n    if (!user?.roles) {\n      return false;\n    }\n    const check = this.securityProvider.checkPermission(this, ...user.roles);\n    return check.isAuthorized;\n  }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n  DateTimeProvider,\n  type Duration,\n  type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new realm.\n */\nexport const $realm = (options: RealmPrimitiveOptions): RealmPrimitive => {\n  return createPrimitive(RealmPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type RealmPrimitiveOptions = {\n  /**\n   * Define the realm name.\n   * If not provided, it will use the property key.\n   */\n  name?: string;\n\n  /**\n   * Short description about the realm.\n   */\n  description?: string;\n\n  /**\n   * All roles available in the realm. Role is a string (role name) or a Role object (embedded role).\n   */\n  roles?: Array<string | Role>;\n\n  /**\n   * Realm settings.\n   */\n  settings?: RealmSettings;\n\n  /**\n   * Parse the JWT payload to create a user account info.\n   */\n  profile?: (jwtPayload: Record<string, any>) => UserAccount;\n} & (RealmInternal | RealmExternal);\n\nexport interface RealmSettings {\n  accessToken?: {\n    /**\n     * Lifetime of the access token.\n     * @default 15 minutes\n     */\n    expiration?: DurationLike;\n  };\n\n  refreshToken?: {\n    /**\n     * Lifetime of the refresh token.\n     * @default 30 days\n     */\n    expiration?: DurationLike;\n\n    // TODO: expirationIdle (max inactive time before the token is invalidated)\n  };\n\n  onCreateSession?: (\n    user: UserAccount,\n    config: {\n      expiresIn: number;\n    },\n  ) => Promise<{\n    refreshToken: string;\n    sessionId?: string;\n  }>;\n\n  onRefreshSession?: (refreshToken: string) => Promise<{\n    user: UserAccount;\n    expiresIn: number;\n    sessionId?: string;\n  }>;\n\n  onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type RealmInternal = {\n  /**\n   * Internal secret to sign JWT tokens and verify them.\n   */\n  secret: string;\n};\n\nexport interface RealmExternal {\n  /**\n   * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n   */\n  jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class RealmPrimitive extends Primitive<RealmPrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n  protected readonly dateTimeProvider = $inject(DateTimeProvider);\n  protected readonly jwt = $inject(JwtProvider);\n  protected readonly log = $logger();\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  public get accessTokenExpiration(): Duration {\n    return this.dateTimeProvider.duration(\n      this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n    );\n  }\n\n  public get refreshTokenExpiration(): Duration {\n    return this.dateTimeProvider.duration(\n      this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n    );\n  }\n\n  protected onInit() {\n    const roles =\n      this.options.roles?.map((it) => {\n        if (typeof it === \"string\") {\n          const role = this.getRoles().find((role) => role.name === it);\n          if (!role) {\n            throw new SecurityError(`Role '${it}' not found`);\n          }\n          return role;\n        }\n\n        return it;\n      }) ?? [];\n\n    this.securityProvider.createRealm({\n      name: this.name,\n      profile: this.options.profile,\n      secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n      roles,\n    });\n  }\n\n  /**\n   * Get all roles in the realm.\n   */\n  public getRoles(): Role[] {\n    return this.securityProvider.getRoles(this.name);\n  }\n\n  /**\n   * Set all roles in the realm.\n   */\n  public async setRoles(roles: Role[]): Promise<void> {\n    await this.securityProvider.updateRealm(this.name, roles);\n  }\n\n  /**\n   * Get a role by name, throws an error if not found.\n   */\n  public getRoleByName(name: string): Role {\n    const role = this.getRoles().find((it) => it.name === name);\n    if (!role) {\n      throw new SecurityError(`Role '${name}' not found`);\n    }\n    return role;\n  }\n\n  public async parseToken(token: string): Promise<JWTPayload> {\n    const { result } = await this.jwt.parse(token, this.name);\n    return result.payload;\n  }\n\n  /**\n   * Create a token for the subject.\n   */\n  public async createToken(\n    user: UserAccount,\n    refreshToken?: {\n      sid?: string;\n      refresh_token?: string;\n      refresh_token_expires_in?: number;\n    },\n  ): Promise<AccessTokenResponse> {\n    let sid: string | undefined = refreshToken?.sid;\n    let refresh_token: string | undefined = refreshToken?.refresh_token;\n    let refresh_token_expires_in: number | undefined =\n      refreshToken?.refresh_token_expires_in;\n\n    const iat = this.dateTimeProvider.now().unix();\n    const exp = iat + this.accessTokenExpiration.asSeconds();\n\n    if (!refreshToken) {\n      const create = this.options.settings?.onCreateSession;\n      if (create) {\n        // -----------------------------------------------------------------------------------------------------------------\n        // managed by the application\n        const expiresIn = this.refreshTokenExpiration.asSeconds();\n        const { refreshToken, sessionId } = await create(user, {\n          expiresIn,\n        });\n\n        refresh_token = refreshToken;\n        refresh_token_expires_in = expiresIn;\n        sid = sessionId;\n      } else {\n        // -----------------------------------------------------------------------------------------------------------------\n        // token based\n\n        const payload = {\n          sub: user.id,\n          exp: iat + this.refreshTokenExpiration.asSeconds(),\n          iat,\n          aud: this.name,\n        };\n\n        this.log.trace(\"Creating refresh token\", payload);\n\n        sid = crypto.randomUUID();\n        refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n        refresh_token = await this.jwt.create(payload, this.name, {\n          header: {\n            typ: \"refresh\",\n          },\n        });\n      }\n    }\n\n    this.log.trace(\"Creating access token\", {\n      sub: user.id,\n      exp,\n      iat,\n      aud: this.name,\n    });\n\n    const access_token = await this.jwt.create(\n      {\n        // jwt\n        sub: user.id,\n        exp,\n        iat,\n        aud: this.name,\n        sid, // session id, if available\n        // oidc\n        name: user.name,\n        email: user.email,\n        preferred_username: user.username,\n        picture: user.picture,\n        // our claims\n        organizations: user.organizations,\n        roles: user.roles,\n      },\n      this.name,\n    );\n\n    const response: AccessTokenResponse = {\n      access_token,\n      token_type: \"Bearer\",\n      expires_in: this.accessTokenExpiration.asSeconds(),\n      issued_at: iat,\n      refresh_token,\n      refresh_token_expires_in,\n    };\n\n    return response;\n  }\n\n  public async refreshToken(\n    refreshToken: string,\n    accessToken?: string,\n  ): Promise<{\n    tokens: AccessTokenResponse;\n    user: UserAccount;\n  }> {\n    // -----------------------------------------------------------------------------------------------------------------\n    // session based\n\n    if (this.options.settings?.onRefreshSession) {\n      // get user and expiration from the session\n      const { user, expiresIn, sessionId } =\n        await this.options.settings.onRefreshSession(refreshToken);\n\n      // then, create a new access token\n      const tokens = await this.createToken(user, {\n        sid: sessionId,\n        refresh_token: refreshToken,\n        refresh_token_expires_in: expiresIn,\n      });\n\n      return { user, tokens };\n    }\n\n    // -----------------------------------------------------------------------------------------------------------------\n    // token based\n\n    if (!accessToken) {\n      throw new AlephaError(\"An access token is required for refreshing\");\n    }\n\n    // extract user from an expired token\n    const user = await this.securityProvider.createUserFromToken(accessToken, {\n      realm: this.name,\n      verify: {\n        currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n      },\n    });\n\n    // check if the refresh token is valid + match access token user\n    const {\n      result: { payload },\n    } = await this.jwt.parse(refreshToken, this.name, {\n      typ: \"refresh\",\n      audience: this.name,\n      subject: user.id,\n    });\n\n    const iat = this.dateTimeProvider.now().unix();\n    const expiresIn = payload.exp\n      ? payload.exp - iat\n      : this.refreshTokenExpiration.asSeconds();\n\n    return {\n      user,\n      tokens: await this.createToken(user, {\n        sid: payload.sid,\n        refresh_token: refreshToken,\n        refresh_token_expires_in: expiresIn,\n      }),\n    };\n  }\n}\n\n$realm[KIND] = RealmPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n  sub: string;\n  roles?: string[];\n  email?: string;\n}\n\nexport interface AccessTokenResponse {\n  access_token: string;\n  token_type: string;\n  expires_in?: number;\n  issued_at: number;\n  refresh_token?: string;\n  refresh_token_expires_in?: number;\n  scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\nimport type { RealmPrimitive } from \"./$realm.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n  return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n  /**\n   * Name of the role.\n   */\n  name?: string;\n\n  /**\n   * Describe the role.\n   */\n  description?: string;\n\n  realm?: string | RealmPrimitive;\n\n  permissions?: Array<\n    | string\n    | {\n        name: string;\n        ownership?: boolean;\n        exclude?: string[];\n      }\n  >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n  protected readonly securityProvider = $inject(SecurityProvider);\n\n  public get name(): string {\n    return this.options.name || this.config.propertyKey;\n  }\n\n  protected onInit() {\n    this.securityProvider.createRole({\n      ...this.options,\n      name: this.name,\n      permissions:\n        this.options.permissions?.map((it) => {\n          if (typeof it === \"string\") {\n            return {\n              name: it,\n            };\n          }\n\n          return it;\n        }) ?? [],\n    });\n  }\n\n  /**\n   * Get the realm of the role.\n   */\n  public get realm(): string | RealmPrimitive | undefined {\n    return this.options.realm;\n  }\n\n  public can(permission: string | PermissionPrimitive): boolean {\n    return this.securityProvider.can(this.name, permission);\n  }\n\n  public check(permission: string | PermissionPrimitive) {\n    return this.securityProvider.checkPermission(permission, this.name);\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n  public async hashPassword(password: string): Promise<string> {\n    const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n    return `${salt}:${derivedKey.toString(\"hex\")}`;\n  }\n\n  public async verifyPassword(\n    password: string,\n    stored: string,\n  ): Promise<boolean> {\n    // Validate input format\n    if (!stored || typeof stored !== \"string\") {\n      return false;\n    }\n\n    const parts = stored.split(\":\");\n    if (parts.length !== 2) {\n      return false;\n    }\n\n    const [salt, originalHex] = parts;\n\n    // Validate salt and hash are non-empty\n    if (!salt || !originalHex) {\n      return false;\n    }\n\n    // Validate hex format (must be even length and valid hex)\n    if (originalHex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(originalHex)) {\n      return false;\n    }\n\n    try {\n      const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n      const originalKey = Buffer.from(originalHex, \"hex\");\n\n      // Validate buffer lengths match (scrypt should produce 64 bytes)\n      if (derivedKey.length !== originalKey.length) {\n        return false;\n      }\n\n      // Important: prevent timing attacks\n      return timingSafeEqual(derivedKey, originalKey);\n    } catch (error) {\n      // Handle any errors during verification (e.g., invalid salt encoding)\n      return false;\n    }\n  }\n\n  public randomUUID(): string {\n    return randomUUID();\n  }\n}\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n  readonly name = \"UnauthorizedError\";\n  constructor() {\n    super(\"Invalid credentials\");\n  }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, RealmPrimitive } from \"./$realm.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n *   serviceAccount = $serviceAccount({\n *     oauth2: {\n *       url: \"https://example.com/oauth2/token\",\n *       clientId: \"your-client-id\",\n *       clientSecret: \"your-client-secret\",\n *     }\n *   });\n *\n *   async fetchData() {\n *     const token = await this.serviceAccount.token();\n *     // or\n *     const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n *   }\n * }\n * ```\n */\nexport const $serviceAccount = (\n  options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n  const { alepha } = $context();\n  const store: {\n    cache?: AccessTokenResponse;\n  } = {};\n  const dateTimeProvider = alepha.inject(DateTimeProvider);\n  const gracePeriod = options.gracePeriod ?? 30;\n\n  const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n    store.cache = {\n      ...response,\n      issued_at: dateTimeProvider.now().unix(),\n    };\n  };\n\n  const getTokenFromCache = () => {\n    if (store.cache) {\n      const { access_token, expires_in, issued_at } = store.cache;\n      if (!expires_in) {\n        return access_token;\n      }\n\n      const now = dateTimeProvider.now().unix();\n      const expires = issued_at + expires_in;\n\n      if (expires - gracePeriod > now) {\n        return access_token;\n      }\n    }\n  };\n\n  if (\"oauth2\" in options) {\n    const { url, clientId, clientSecret } = options.oauth2;\n\n    const token = async () => {\n      const tokenFromCache = getTokenFromCache();\n      if (tokenFromCache) {\n        return tokenFromCache;\n      }\n\n      let response: Response;\n      try {\n        response = await fetch(url, {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n          },\n          body: new URLSearchParams({\n            grant_type: \"client_credentials\",\n            client_id: clientId,\n            client_secret: clientSecret,\n          }),\n        });\n      } catch (error) {\n        throw new Error(\n          `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n        );\n      }\n\n      // Check HTTP status\n      if (!response.ok) {\n        let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n        try {\n          const errorBody = await response.text();\n          errorMessage += `: ${errorBody}`;\n        } catch {\n          // Ignore error reading body\n        }\n        throw new Error(`Failed to fetch access token: ${errorMessage}`);\n      }\n\n      // Parse JSON response\n      let json: any;\n      try {\n        json = await response.json();\n      } catch (error) {\n        throw new Error(\n          `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n        );\n      }\n\n      // Validate response structure\n      if (!json.access_token || !json.expires_in) {\n        throw new Error(\n          `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n        );\n      }\n\n      cacheToken(json);\n\n      return json.access_token;\n    };\n\n    return {\n      token,\n    };\n  }\n\n  return {\n    token: async () => {\n      const tokenFromCache = getTokenFromCache();\n      if (tokenFromCache) {\n        return tokenFromCache;\n      }\n\n      const token = await options.realm.createToken(options.user);\n\n      cacheToken({\n        ...token,\n        issued_at: dateTimeProvider.now().unix(),\n      });\n\n      return token.access_token;\n    },\n  };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n  gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n  | {\n      oauth2: Oauth2ServiceAccountPrimitiveOptions;\n    }\n  | {\n      realm: RealmPrimitive;\n      user: UserAccount;\n    }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n  /**\n   * Get Token URL.\n   */\n  url: string;\n\n  /**\n   * Client ID.\n   */\n  clientId: string;\n\n  /**\n   * Client Secret.\n   */\n  clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n  token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n  response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n  name: t.text({\n    description: \"Name of the permission.\",\n  }),\n\n  group: t.optional(\n    t.text({\n      description: \"Group of the permission.\",\n    }),\n  ),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the permission.\",\n    }),\n  ),\n\n  // HTTP Only\n\n  method: t.optional(\n    t.text({\n      description: \"HTTP method of the permission. When available.\",\n    }),\n  ),\n\n  path: t.optional(\n    t.text({\n      description: \"Pathname of the permission. When available.\",\n    }),\n  ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n  name: t.text({\n    description: \"Name of the role.\",\n  }),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the role.\",\n    }),\n  ),\n\n  default: t.optional(\n    t.boolean({\n      description:\n        \"If true, this role will be assigned to all users by default.\",\n    }),\n  ),\n\n  permissions: t.array(\n    t.object({\n      name: t.text({\n        description: \"Name of the permission.\",\n      }),\n      ownership: t.optional(\n        t.boolean({\n          description:\n            \"If true, user will only have access to it's own resources.\",\n        }),\n      ),\n      exclude: t.optional(\n        t.array(t.text(), {\n          description:\n            \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n        }),\n      ),\n    }),\n  ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n  id: t.text({\n    description: \"Unique identifier for the user.\",\n  }),\n\n  name: t.optional(\n    t.text({\n      description: \"Full name of the user.\",\n    }),\n  ),\n\n  email: t.optional(\n    t.text({\n      description: \"Email address of the user.\",\n      format: \"email\",\n    }),\n  ),\n\n  username: t.optional(\n    t.text({\n      description: \"Preferred username of the user.\",\n    }),\n  ),\n\n  picture: t.optional(\n    t.text({\n      description: \"URL to the user's profile picture.\",\n    }),\n  ),\n\n  sessionId: t.optional(\n    t.text({\n      description: \"Session identifier for the user, if applicable.\",\n    }),\n  ),\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  organizations: t.optional(\n    t.array(t.text(), {\n      description: \"List of organizations the user belongs to.\",\n    }),\n  ),\n\n  roles: t.optional(\n    t.array(t.text(), {\n      description: \"List of roles assigned to the user.\",\n    }),\n  ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $module } from \"alepha\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $realm } from \"./primitives/$realm.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$realm.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\ndeclare module \"alepha\" {\n  interface Hooks {\n    \"security:user:created\": {\n      realm: string;\n      user: UserAccount;\n    };\n  }\n}\n\n/**\n * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.\n *\n * The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`\n * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless\n * integration with various authentication providers and user management systems.\n *\n * @see {@link $realm}\n * @see {@link $role}\n * @see {@link $permission}\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n  name: \"alepha.security\",\n  primitives: [$realm, $role, $permission],\n  services: [SecurityProvider, JwtProvider, CryptoProvider],\n});\n"],"mappings":";;;;;;;;;;AAAA,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACFvC,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;;;;ACuB3B,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;AC7IlC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,OACvB,KAAI,MAAM,QAAQ;IAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,SAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;;EAIhD,CAAC;;;;;;;CAQF,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;;;;;CAWH,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASA,OAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,SAAOC,KAAG,SAAS,OAAO,CAACA,KAAG,WAAW,CAACA,KAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;AC9uBvB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA6B;AACtC,MAAI,CAAC,MAAM,MACT,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;ACpDpB,MAAa,UAAU,YAAmD;AACxE,QAAO,gBAAgB,gBAAgB,QAAQ;;AAuFjD,IAAa,iBAAb,cAAoC,UAAiC;CACnE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,WAASC,OAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACD,CAAC;;;;;CAMJ,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,8BAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgBC;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,cAAM,wBAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAYC,QAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0BC;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,OAAO,QAAQ;;;;;;;AC1Uf,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,QAA6C;AACtD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;;;;;;;AChDvB,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,MAAM,YAAY,QAAQ,KAAK;AAE3D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;ACrCF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;ACPF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAQ;EAAO;EAAY;CACxC,UAAU;EAAC;EAAkB;EAAa;EAAe;CAC1D,CAAC"}