authhero 0.104.0 → 0.105.0
- package/dist/authhero.cjs +2 -2
- package/dist/authhero.d.ts +1 -0
- package/dist/authhero.mjs +3 -3
- package/package.json +1 -1
package/dist/authhero.cjs
CHANGED
|
@@ -26,7 +26,7 @@
|
|
|
26
26
|
}};
|
|
27
27
|
<\/script>
|
|
28
28
|
</body>
|
|
29
|
-
</html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function ty(t,e,n,r,i){var m,v,h;if(!n.redirect_uri)throw new z(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new z(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new z(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new z(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(n.state),p=new URL(n.redirect_uri),f=await ny(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((h=(v=r.app_metadata)==null?void 0:v.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return ey(p.toString(),f,u.relayState)}async function ny(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new 
Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${xe()}`,c=e.assertionId||`_${xe()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new Q0.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var ry={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},iy=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(ry))if(sy(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},sy=t=>navigator.userAgent.startsWith(t);function nt(t,e){iy()==="workerd"&&t.executionCtx.waitUntil(e)}function on(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Ju=["sub","iss","aud","exp","nbf","iat","jti"];async function to(t,e){var _,w;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new z(500,{message:"No signing key available"});const u=A_(l.pkcs7),p={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:t.env.ISSUER,tenant_id:t.var.tenant_id,sid:s},f=r&&((_=n.scope)!=null&&_.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:t.env.ISSUER,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(w=t.env.hooks)!=null&&w.onExecuteCredentialsExchange&&await 
t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,N)=>{if(Ju.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=N}},idToken:{setCustomClaim:(S,N)=>{if(Ju.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);f&&(f[S]=N)}},access:{deny:S=>{throw new z(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new sl(1,"d"),headers:{kid:l.kid}},v=await Du("RS256",u,p,m),h=f?await Du("RS256",u,f,m):void 0;return{access_token:v,refresh_token:e.refresh_token,id_token:h,token_type:"Bearer",expires_in:86400}}async function Hf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:xe(),...on(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:xe(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+C_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function oy(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:xe(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+Qs*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Ff(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:xe(),user_id:e.user_id,idle_expires_at:new 
Date(Date.now()+Qs*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await oy(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function an(t,e){var v;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=ve(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(nt(t,t.env.data.logs.create(i.tenant.id,a)),nt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new z(500,{message:"Login session not found"});const h=S_(),_=xe(12),w=await t.env.data.codes.create(i.tenant.id,{code_id:xe(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+j_).toISOString(),code_verifier:[_,h].join("|")});return t.json({login_ticket:w.code_id,co_verifier:h,co_id:_})}let c=e.refreshToken,l=e.sessionId,u=r;if(!l){if(!e.loginSession)throw new z(500,{message:"Login session not found"});u=await uy(t,t.env.data)(i.tenant.id,r);const h=await Ff(t,{user:r,client:i,loginSession:e.loginSession});l=h.id,c=(v=h.refresh_token)==null?void 0:v.id}if(e.authParams.response_mode===Xt.SAML_POST)return ty(t,e.client,e.authParams,u,l);const p=await to(t,{authParams:n,user:u,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Pf(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Xt.WEB_MESSAGE)return t.json(p,{headers:f});if((n.response_type||Pt.CODE)===Pt.CODE){const h=await Hf(t,e);if(!n.redirect_uri)throw new z(400,{message:"Redirect uri not found"});const _=new 
URL(n.redirect_uri);_.searchParams.set("code",h.code),h.state&&_.searchParams.set("state",h.state),f.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:f})}async function ay(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return to(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:Pt.TOKEN,scope:n}})}async function dl(t,e,n){const r=await ay(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=ve(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function cy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await dl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function ly(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await dl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function uy(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await dl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function dy(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(u,p)=>{r[u]=p}}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook 
failed"});await e.logs.create(n,p)}let s=await __(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await cy(t)(n,s),s}}async function py(t,e,n,r){var i,s;if(e.disable_sign_ups&&!(((s=(i=t.var.loginSession)==null?void 0:i.authParams)==null?void 0:s.prompt)==="signup")&&!await ro({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=ve(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new z(400,{message:"Signups are disabled for this client"})}await ly(t)(t.var.tenant_id||"",r)}function no(t,e){return{...e,users:{...e.users,create:dy(t,e)}}}function Kf(t){return no(t,t.env.data)}async function pl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function ur({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function ro({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ls({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await ur({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function 
io(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:u=""}=e;let p=await ls({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const f={user_id:`${r}|${a||Xs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:u,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Kf(t).users.create(s.tenant.id,f),t.set("user_id",p.user_id)}return p}const Qt=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function dr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Zu=rn.extend({users:o.z.array(xt)}),fy=rn.extend({sessions:o.z.array(Ys)}),hy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(xt),Zu])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await 
t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[v]=m;if(!v)return t.json([]);const h=await t.env.data.users.get(a,v.linked_to);if(!h)throw new z(500,{message:"Primary account not found"});return t.json([xt.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:c.join(" ")}),u=l.users.filter(p=>!p.linked_to);return r?t.json(Zu.parse({users:u,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(xt).parse(u))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new z(404);if(r.linked_to)throw new z(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new z(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new z(400,{message:"Email is required"});const 
i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Xs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=ve(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});nt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:qu(a.user_id),isSocial:a.is_social}]};return t.json(xt.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new z(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new z(404);if(c.email&&c.email!==l.email){const f=await pl(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new z(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new z(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(p=l.identities)==null?void 0:p.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new z(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await si.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const u=await t.env.data.users.get(n,i);if(!u)throw new z(500);return 
t.json(u)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new z(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:qu(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(xt)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new z(404);return 
t.json([xt.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Ys),fy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
|
|
29
|
+
</html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function ty(t,e,n,r,i){var m,v,h;if(!n.redirect_uri)throw new z(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new z(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new z(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new z(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(n.state),p=new URL(n.redirect_uri),f=await ny(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((h=(v=r.app_metadata)==null?void 0:v.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return ey(p.toString(),f,u.relayState)}async function ny(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new 
Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${xe()}`,c=e.assertionId||`_${xe()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new Q0.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var ry={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},iy=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(ry))if(sy(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},sy=t=>navigator.userAgent.startsWith(t);function nt(t,e){iy()==="workerd"&&t.executionCtx.waitUntil(e)}function on(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Ju=["sub","iss","aud","exp","nbf","iat","jti"];async function to(t,e){var _,w;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new z(500,{message:"No signing key available"});const u=A_(l.pkcs7),p={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:t.var.custom_domain?`https://${t.var.custom_domain}`:t.env.ISSUER,tenant_id:t.var.tenant_id,sid:s},f=r&&((_=n.scope)!=null&&_.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:t.var.custom_domain?`https://${t.var.custom_domain}`:t.env.ISSUER,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 
0;(w=t.env.hooks)!=null&&w.onExecuteCredentialsExchange&&await t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,N)=>{if(Ju.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=N}},idToken:{setCustomClaim:(S,N)=>{if(Ju.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);f&&(f[S]=N)}},access:{deny:S=>{throw new z(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new sl(1,"d"),headers:{kid:l.kid}},v=await Du("RS256",u,p,m),h=f?await Du("RS256",u,f,m):void 0;return{access_token:v,refresh_token:e.refresh_token,id_token:h,token_type:"Bearer",expires_in:86400}}async function Hf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:xe(),...on(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:xe(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+C_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function oy(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:xe(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+Qs*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Ff(t,{user:e,client:n,loginSession:r}){const i=await 
t.env.data.sessions.create(n.tenant.id,{id:xe(),user_id:e.user_id,idle_expires_at:new Date(Date.now()+Qs*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await oy(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function an(t,e){var v;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=ve(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(nt(t,t.env.data.logs.create(i.tenant.id,a)),nt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new z(500,{message:"Login session not found"});const h=S_(),_=xe(12),w=await t.env.data.codes.create(i.tenant.id,{code_id:xe(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+j_).toISOString(),code_verifier:[_,h].join("|")});return t.json({login_ticket:w.code_id,co_verifier:h,co_id:_})}let c=e.refreshToken,l=e.sessionId,u=r;if(!l){if(!e.loginSession)throw new z(500,{message:"Login session not found"});u=await uy(t,t.env.data)(i.tenant.id,r);const h=await Ff(t,{user:r,client:i,loginSession:e.loginSession});l=h.id,c=(v=h.refresh_token)==null?void 0:v.id}if(e.authParams.response_mode===Xt.SAML_POST)return ty(t,e.client,e.authParams,u,l);const p=await to(t,{authParams:n,user:u,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Pf(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Xt.WEB_MESSAGE)return t.json(p,{headers:f});if((n.response_type||Pt.CODE)===Pt.CODE){const h=await Hf(t,e);if(!n.redirect_uri)throw 
new z(400,{message:"Redirect uri not found"});const _=new URL(n.redirect_uri);_.searchParams.set("code",h.code),h.state&&_.searchParams.set("state",h.state),f.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:f})}async function ay(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return to(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:Pt.TOKEN,scope:n}})}async function dl(t,e,n){const r=await ay(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=ve(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function cy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await dl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function ly(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await dl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function uy(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await dl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function dy(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(u,p)=>{r[u]=p}}})}catch{const 
p=ve(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook failed"});await e.logs.create(n,p)}let s=await __(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await cy(t)(n,s),s}}async function py(t,e,n,r){var i,s;if(e.disable_sign_ups&&!(((s=(i=t.var.loginSession)==null?void 0:i.authParams)==null?void 0:s.prompt)==="signup")&&!await ro({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=ve(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new z(400,{message:"Signups are disabled for this client"})}await ly(t)(t.var.tenant_id||"",r)}function no(t,e){return{...e,users:{...e.users,create:dy(t,e)}}}function Kf(t){return no(t,t.env.data)}async function pl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function ur({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function ro({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ls({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await ur({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async 
function io(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:u=""}=e;let p=await ls({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const f={user_id:`${r}|${a||Xs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:u,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Kf(t).users.create(s.tenant.id,f),t.set("user_id",p.user_id)}return p}const Qt=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function dr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Zu=rn.extend({users:o.z.array(xt)}),fy=rn.extend({sessions:o.z.array(Ys)}),hy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(xt),Zu])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await 
t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[v]=m;if(!v)return t.json([]);const h=await t.env.data.users.get(a,v.linked_to);if(!h)throw new z(500,{message:"Primary account not found"});return t.json([xt.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:c.join(" ")}),u=l.users.filter(p=>!p.linked_to);return r?t.json(Zu.parse({users:u,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(xt).parse(u))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new z(404);if(r.linked_to)throw new z(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new z(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new z(400,{message:"Email is required"});const 
i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Xs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=ve(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});nt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:qu(a.user_id),isSocial:a.is_social}]};return t.json(xt.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new z(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new z(404);if(c.email&&c.email!==l.email){const f=await pl(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new z(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new z(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(p=l.identities)==null?void 0:p.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new z(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await si.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const u=await t.env.data.users.get(n,i);if(!u)throw new z(500);return 
t.json(u)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new z(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:qu(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(xt)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new z(404);return 
t.json([xt.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Ys),fy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
|
|
30
30
|
Copyright (C) Microsoft. All rights reserved.
|
|
31
31
|
Licensed under the Apache License, Version 2.0 (the "License"); you may not use
|
|
32
32
|
this file except in compliance with the License. You may obtain a copy of the
|
|
@@ -146,7 +146,7 @@ PERFORMANCE OF THIS SOFTWARE.
|
|
|
146
146
|
`,i=0;for(;i<n.length;)i+64<=n.length?r+=n.substr(i,64)+`\r
|
|
147
147
|
`:r+=n.substr(i)+`\r
|
|
148
148
|
`,i+=64;return r+=`-----END ${t} KEY-----\r
|
|
149
|
-
`,r}async function uw(t){const e=await t.publicKey.export(),n=await crypto.subtle.exportKey("jwk",e),r=JSON.stringify(n,Object.keys(n).sort()),s=new TextEncoder().encode(r);return za(await jf(s))}const dw=1e3*60*60*24,pw=new o.OpenAPIHono().openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Ia)}},description:"List of keys"}}}),async t=>{const n=(await t.env.data.keys.list()).filter(r=>"cert"in r).map(r=>r);return t.json(n)}).openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ia}},description:"The requested key"}}}),async t=>{const{kid:e}=t.req.valid("param"),r=(await t.env.data.keys.list()).find(i=>i.kid===e);if(!r)throw new z(404,{message:"Key not found"});return t.json(r)}).openapi(o.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const e=await t.env.data.keys.list();for await(const r of e)await t.env.data.keys.update(r.kid,{revoked_at:new Date(Date.now()+dw).toISOString()});const n=await Jc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const{kid:e}=t.req.valid("param");if(!await t.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new z(404,{message:"Key not found"});const r=await 
Jc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(r),t.text("OK")}),fw=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:o.z.object({email:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.array(el)}},description:"List of users"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{email:n}=t.req.valid("query"),i=(await pl(t.env.data.users,e,n)).filter(s=>!s.linked_to);return t.json(i)}),hw=rn.extend({clients:o.z.array(mn)}),gw=new o.OpenAPIHono().openapi(o.createRoute({tags:["clients"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([hw,o.z.array(mn)])}},description:"List of clients"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),l=(await t.env.data.applications.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a})).applications;return i?t.json({clients:l,start:0,limit:10,length:l.length}):t.json(l)}).openapi(o.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=(await t.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===n);if(!i)throw new z(404);return t.json(i)}).openapi(o.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.applications.remove(e,n))throw new z(404,{message:"Application not found"});return t.text("OK")}).openapi(o.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(ns.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"The update application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=t.req.valid("json");await t.env.data.applications.update(e,n,i);const s=await t.env.data.applications.get(e,n);if(!s)throw new z(404,{message:"Application not found"});return t.json(s)}).openapi(o.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ns.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:o.z.object(mn.shape)}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r={...n,id:n.id||xe(),client_secret:n.client_secret||xe()},i=await t.env.data.applications.create(e,r);return t.json(i,{status:201})});o.z.object({start:o.z.number(),limit:o.z.number(),length:o.z.number()});Js.extend({email:o.z.string(),login_count:o.z.number(),multifactor:o.z.array(o.z.string()).optional(),last_ip:o.z.string().optional(),last_login:o.z.string().optional(),user_id:o.z.string()}).catchall(o.z.any());const mw=rn.extend({tenants:o.z.array(Fn)}),_w=new o.OpenAPIHono().openapi(o.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:Qt},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.union([o.z.array(Fn),mw])}},description:"List of tenants"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),a=await t.env.data.tenants.list({page:e,per_page:n,include_totals:r,sort:dr(i),q:s});return r?t.json(a):t.json(a.tenants)}).openapi(o.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:Fn}},description:"A tenant"}}}),async t=>{const{id:e}=t.req.valid("param"),n=await t.env.data.tenants.get(e);if(!n)throw new z(404);return t.json(n)}).openapi(o.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param");return await t.env.data.tenants.remove(e),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(is.shape).partial()}}},params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param"),n=t.req.valid("json");return await t.env.data.tenants.update(e,n),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(is.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:Fn}},description:"An tenant"}}}),async t=>{const e=t.req.valid("json"),n=await t.env.data.tenants.create(e);return t.json(n,{status:201})}),yw=rn.extend({logs:o.z.array(os)}),vw=new o.OpenAPIHono().openapi(o.createRoute({tags:["logs"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(os),yw])}},description:"List of log rows"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header"),c=await t.env.data.logs.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:s});return r?t.json(c):t.json(c.logs)}).openapi(o.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:os}},description:"A log entry"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.logs.get(e,n);if(!r)throw new z(404);return t.json(r)}),ww=rn.extend({hooks:o.z.array(Dn)}),bw=new o.OpenAPIHono().openapi(o.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Dn),ww])}},description:"List of hooks"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.hooks.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a});return i?t.json(c):t.json(c.hooks)}).openapi(o.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(ss.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Dn}},description:"The created hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.hooks.create(e,n);return 
t.json(r,{status:201})}).openapi(o.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()}),body:{content:{"application/json":{schema:o.z.object(ss.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Dn.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=t.req.valid("json");await t.env.data.hooks.update(e,n,r);const i=await t.env.data.hooks.get(e,n);if(!i)throw new z(404,{message:"Hook not found"});return t.json(i)}).openapi(o.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Dn}},description:"A hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=await t.env.data.hooks.get(e,n);if(!r)throw new z(404,{message:"Hook not found"});return t.json(r)}).openapi(o.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param");if(!await t.env.data.hooks.remove(e,n))throw new z(404,{message:"Hook not found"});return t.text("OK")}),kw=rn.extend({connections:o.z.array(Kt)}),xw=new o.OpenAPIHono().openapi(o.createRoute({tags:["connections"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Kt),kw])}},description:"List of 
connectionss"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i=!1,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.connections.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a});return i?t.json(c):t.json(c.connections)}).openapi(o.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Kt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.connections.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.connections.remove(e,n))throw new z(404,{message:"Connection not found"});return t.text("OK")}).openapi(o.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Kt}},description:"The updated connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.connections.update(e,n,r))throw new z(404,{message:"Connection not found"});const s=await t.env.data.connections.get(e,n);if(!s)throw new z(404,{message:"Connection not found"});return 
t.json(s)}).openapi(o.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Kt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.connections.create(e,n);return t.json(r,{status:201})}),Sw=new o.OpenAPIHono().openapi(o.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Li}},description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.promptSettings.get(e);return n?t.json(n):t.json(Li.parse({}))}).openapi(o.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Li.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.promptSettings.get(e);return Object.assign(r,n),await t.env.data.promptSettings.set(e,r),t.json(r)});let Ep=!1;function Rg(t){t.use(async(e,n)=>(Ep||(t.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Ep=!0),await n()))}o.z.object({alg:o.z.literal("RS256"),kty:o.z.literal("RSA"),use:o.z.literal("sig"),n:o.z.string(),e:o.z.string(),kid:o.z.string(),x5t:o.z.string(),x5c:o.z.array(o.z.string())});async function Aw(t){try{const e=await t.JWKS_SERVICE.fetch(t.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new z(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function Ew(t,e){const r=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),i=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),a=(await Aw(t.env)).find(l=>l.kid===e.header.kid);if(!a)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",a,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,i,r)}function Iw(t){const[e,n,r]=t.split(".");if(!e||!n||!r)return null;const i=JSON.parse(atob(e)),s=JSON.parse(atob(n)),a=atob(r.replace(/-/g,"+").replace(/_/g,"/"));return{header:i,payload:s,signature:a,raw:{header:e,payload:n,signature:r}}}function Lg(t){return async(e,n)=>{var i,s,a;const r=t.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(r&&"route"in r){const c=(s=(i=r.route.security)==null?void 0:i[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await n();const l=e.req.header("authorization")||"",[u,p]=l.split(" ");if((u==null?void 0:u.toLowerCase())!=="bearer"||!p)throw new z(401,{message:"Missing bearer token"});const f=Iw(p);if(!f||!await Ew(e,f))throw new z(403,{message:"Invalid JWT signature"});e.set("user_id",f.payload.sub),e.set("user",f.payload);const m=f.payload.permissions||[],v=((a=f.payload.scope)==null?void 0:a.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>v.includes(h))))throw new z(403,{message:"Unauthorized"})}return await n()}}const zw=new o.OpenAPIHono().openapi(o.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ui}},description:"Email provider"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.emailProviders.get(e);if(!n)throw new z(404,{message:"Email provider not 
found"});return t.json(n)}).openapi(o.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.create(e,n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.update(e,n),t.text("OK")}),Cw=new o.OpenAPIHono().openapi(o.createRoute({tags:["sessions"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ys}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.sessions.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["sessions"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.remove(e,n))throw new z(404,{message:"Session not found"});return 
t.text("OK")}).openapi(o.createRoute({tags:["sessions"],method:"post",path:"/{id}/revoke",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{202:{description:"Sesssion deletion status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.update(e,n,{revoked_at:new Date().toDateString()}))throw new z(404,{message:"Session not found"});return t.text("Session deletion request accepted.",{status:202})}),Nw=new o.OpenAPIHono().openapi(o.createRoute({tags:["refresh_tokens"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:il}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.refreshTokens.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["refresh_tokens"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.refreshTokens.remove(e,n))throw new z(404,{message:"Session not found"});return t.text("OK")}),jw=new o.OpenAPIHono().openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Ft)}},description:"List of custom domains"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.customDomains.list(e);return 
t.json(n)}).openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.customDomains.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["custom-domains"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.customDomains.remove(e,n))throw new z(404,{message:"Custom domain not found"});return t.text("OK")}).openapi(o.createRoute({tags:["custom-domains"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(Ft.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"The updated custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.customDomains.update(e,n,r))throw new z(404);const s=await t.env.data.customDomains.get(e,n);if(!s)throw new z(404);return t.json(s)}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(nl.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Ft}},description:"The created custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await 
t.env.data.customDomains.create(e,n);return t.json(r,{status:201})}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/{id}/verify",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"The custom domain"}}}),async()=>{throw new z(501,{message:"Not implemented"})});async function nu(t,e){const n=t.req.header("x-forwarded-host");if(n){const i=await t.env.data.customDomains.getByDomain(n);if(i)return t.set("tenant_id",i.tenant_id),await e()}const r=t.req.header("host");if(r){const i=r.split(".");if(i.length>1&&typeof i[0]=="string"){const s=i[0];await t.env.data.tenants.get(s)&&t.set("tenant_id",s)}}return await e()}function $w(t){const e=new o.OpenAPIHono;e.use(af({origin:r=>{var i;return r&&(i=t.allowedOrigins)!=null&&i.includes(r)?r:""},allowHeaders:["Tenant-Id","Content-Type","Content-Range","Auth0-Client","Authorization","Range","Upgrade-Insecure-Requests"],allowMethods:["POST","PUT","GET","DELETE","PATCH","OPTIONS"],exposeHeaders:["Content-Length","Content-Range"],maxAge:600,credentials:!0})),Rg(e),e.use(async(r,i)=>(r.env.data=no(r,t.dataAdapter),i())),e.use(nu).use(Lg(e));const n=e.route("/branding",s_).route("/custom-domains",jw).route("/email/providers",zw).route("/users",hy).route("/keys",pw).route("/users-by-email",fw).route("/clients",gw).route("/tenants",_w).route("/logs",vw).route("/hooks",bw).route("/connections",xw).route("/prompts",Sw).route("/sessions",Cw).route("/refresh_tokens",Nw);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"},security:[{oauth2:["openid","email","profile"]}]}),n}function Ow(t,e){Object.keys(e).forEach(n=>{const r=e[n];r!=null&&r.length&&t.searchParams.set(n,r)})}var Ip;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ip||(Ip={}));var zp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(zp||(zp={}));function 
Tw(t){return Vg(t,Bw,ei.Include)}function Ug(t){return Vg(t,Pw,ei.None)}function Vg(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===ei.Include&&(r+="=")}return r}const Bw="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",Pw="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ei;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(ei||(ei={}));var Cp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Cp||(Cp={}));class Rw{uint8(e,n){if(e.byteLength<n+1)throw new TypeError("Insufficient bytes");return e[n]}uint16(e,n){if(e.byteLength<n+2)throw new TypeError("Insufficient bytes");return e[n]<<8|e[n+1]}uint32(e,n){if(e.byteLength<n+4)throw new TypeError("Insufficient bytes");let r=0;for(let i=0;i<4;i++)r|=e[n+i]<<24-i*8;return r}uint64(e,n){if(e.byteLength<n+8)throw new TypeError("Insufficient bytes");let r=0n;for(let i=0;i<8;i++)r|=BigInt(e[n+i])<<BigInt(56-i*8);return r}putUint8(e,n,r){if(e.length<r+1)throw new TypeError("Not enough space");if(n<0||n>255)throw new TypeError("Invalid uint8 value");e[r]=n}putUint16(e,n,r){if(e.length<r+2)throw new TypeError("Not enough space");if(n<0||n>65535)throw new TypeError("Invalid uint16 value");e[r]=n>>8,e[r+1]=n&255}putUint32(e,n,r){if(e.length<r+4)throw new TypeError("Not enough space");if(n<0||n>4294967295)throw new TypeError("Invalid uint32 value");for(let i=0;i<4;i++)e[r+i]=n>>(3-i)*8&255}putUint64(e,n,r){if(e.length<r+8)throw new TypeError("Not enough space");if(n<0||n>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let i=0;i<8;i++)e[r+i]=Number(n>>BigInt((7-i)*8)&0xffn)}}const Np=new Rw;function kt(t,e){return(t<<32-e|t>>>e)>>>0}function Lw(t){const e=new Uw;return e.update(t),e.digest()}class Uw{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new 
Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let n=0;if(this.currentBlockSize>0){const r=e.slice(0,64-this.currentBlockSize);this.blocks.set(r,this.currentBlockSize),this.process(),n+=r.byteLength,this.currentBlockSize=0}for(;n+64<=e.byteLength;){const r=e.slice(n,n+64);this.blocks.set(r),this.process(),n+=64}if(e.byteLength-n>0){const r=e.slice(n);this.blocks.set(r),this.currentBlockSize=r.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),Np.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let n=0;n<8;n++)Np.putUint32(e,this.H[n],n*4);return e}process(){for(let u=0;u<16;u++)this.w[u]=(this.blocks[u*4]<<24|this.blocks[u*4+1]<<16|this.blocks[u*4+2]<<8|this.blocks[u*4+3])>>>0;for(let u=16;u<64;u++){const p=(kt(this.w[u-2],17)^kt(this.w[u-2],19)^this.w[u-2]>>>10)>>>0,f=(kt(this.w[u-15],7)^kt(this.w[u-15],18)^this.w[u-15]>>>3)>>>0;this.w[u]=p+this.w[u-7]+f+this.w[u-16]|0}let e=this.H[0],n=this.H[1],r=this.H[2],i=this.H[3],s=this.H[4],a=this.H[5],c=this.H[6],l=this.H[7];for(let u=0;u<64;u++){const p=(kt(s,6)^kt(s,11)^kt(s,25))>>>0,f=(s&a^~s&c)>>>0,m=l+p+f+Vw[u]+this.w[u]|0,v=(kt(e,2)^kt(e,13)^kt(e,22))>>>0,h=(e&n^e&r^n&r)>>>0,_=v+h|0;l=c,c=a,a=s,s=i+m|0,i=r,r=n,n=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=n+this.H[1]|0,this.H[2]=r+this.H[2]|0,this.H[3]=i+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=a+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const Vw=new 
Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532
bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class qw{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function Mw(t){const e=Lw(new TextEncoder().encode(t));return Ug(e)}function Dw(){const t=new Uint8Array(32);return crypto.getRandomValues(t),Ug(t)}function Ur(t,e){const n=new TextEncoder().encode(e.toString()),r=new Request(t,{method:"POST",body:n});return 
r.headers.set("Content-Type","application/x-www-form-urlencoded"),r.headers.set("Accept","application/json"),r.headers.set("User-Agent","arctic"),r.headers.set("Content-Length",n.byteLength.toString()),r}function ha(t,e){const n=new TextEncoder().encode(`${t}:${e}`);return Tw(n)}async function Hs(t){let e;try{e=await fetch(t)}catch(n){throw new Mg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);let r;try{r=qg(n)}catch{throw new Gn(e.status,n)}throw r}if(e.status===200){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);return new qw(n)}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}async function Hw(t){let e;try{e=await fetch(t)}catch(n){throw new Mg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Gn(e.status,null)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);let r;try{r=qg(n)}catch{throw new Gn(e.status,n)}throw r}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}function qg(t){let e;if("error"in t&&typeof t.error=="string")e=t.error;else throw new Error("Invalid error response");let n=null,r=null,i=null;if("error_description"in t){if(typeof t.error_description!="string")throw new Error("Invalid data");n=t.error_description}if("error_uri"in t){if(typeof t.error_uri!="string")throw new Error("Invalid data");r=t.error_uri}if("state"in t){if(typeof t.state!="string")throw new Error("Invalid data");i=t.state}return new Fw(e,n,r,i)}class Mg extends Error{constructor(e){super("Failed to send request",{cause:e})}}class Fw extends Error{constructor(n,r,i,s){super(`OAuth request error: ${n}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=n,this.description=r,this.uri=i,this.state=s}}class Hi extends Error{constructor(n){super("Unexpected error 
response");te(this,"status");this.status=n}}class Gn extends Error{constructor(n,r){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=n,this.data=r}}class ru{constructor(e,n,r){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=n,this.redirectURI=r}createAuthorizationURL(e,n,r){const i=new URL(e);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&i.searchParams.set("redirect_uri",this.redirectURI),i.searchParams.set("state",n),r.length>0&&i.searchParams.set("scope",r.join(" ")),i}createAuthorizationURLWithPKCE(e,n,r,i,s){const a=new URL(e);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&a.searchParams.set("redirect_uri",this.redirectURI),a.searchParams.set("state",n),r===ti.S256){const c=Mw(i);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",c)}else r===ti.Plain&&(a.searchParams.set("code_challenge_method","plain"),a.searchParams.set("code_challenge",i));return s.length>0&&a.searchParams.set("scope",s.join(" ")),a}async validateAuthorizationCode(e,n,r){const i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",n),this.redirectURI!==null&&i.set("redirect_uri",this.redirectURI),r!==null&&i.set("code_verifier",r),this.clientPassword===null&&i.set("client_id",this.clientId);const s=Ur(e,i);if(this.clientPassword!==null){const c=ha(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Hs(s)}async refreshAccessToken(e,n,r){const i=new URLSearchParams;i.set("grant_type","refresh_token"),i.set("refresh_token",n),this.clientPassword===null&&i.set("client_id",this.clientId),r.length>0&&i.set("scope",r.join(" "));const s=Ur(e,i);if(this.clientPassword!==null){const c=ha(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return 
await Hs(s)}async revokeToken(e,n){const r=new URLSearchParams;r.set("token",n),this.clientPassword===null&&r.set("client_id",this.clientId);const i=Ur(e,r);if(this.clientPassword!==null){const s=ha(this.clientId,this.clientPassword);i.headers.set("Authorization",`Basic ${s}`)}await Hw(i)}}var ti;(function(t){t[t.S256=0]="S256",t[t.Plain=1]="Plain"})(ti||(ti={}));var jp;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(jp||(jp={}));var $p;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})($p||($p={}));function Vr(t){return Kw(t,Ww,Fs.None)}function Kw(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===Fs.Include&&(r+="=")}return r}const Ww="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Fs;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Fs||(Fs={}));var Op;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Op||(Op={}));function Gw(t,e,n){const r=Vr(new TextEncoder().encode(t)),i=Vr(new TextEncoder().encode(e)),s=Vr(n);return r+"."+i+"."+s}function Jw(t,e){const n=Vr(new TextEncoder().encode(t)),r=Vr(new TextEncoder().encode(e)),i=n+"."+r;return new TextEncoder().encode(i)}const Zw="https://appleid.apple.com/auth/authorize",Yw="https://appleid.apple.com/auth/token";class Dg{constructor(e,n,r,i,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=n,this.keyId=r,this.pkcs8PrivateKey=i,this.redirectURI=s}createAuthorizationURL(e,n){const r=new URL(Zw);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new 
URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId);const r=await this.createClientSecret();n.set("client_secret",r);const i=Ur(Yw,n);return await Hs(i)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),n=Math.floor(Date.now()/1e3),r=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),i=JSON.stringify({iss:this.teamId,exp:n+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:n}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,Jw(r,i)));return Gw(r,i,s)}}const Xw="https://www.facebook.com/v16.0/dialog/oauth",Qw="https://graph.facebook.com/v16.0/oauth/access_token";class Hg{constructor(e,n,r){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=n,this.redirectURI=r}createAuthorizationURL(e,n){const r=new URL(Xw);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId),n.set("client_secret",this.clientSecret);const r=Ur(Qw,n);return await Hs(r)}}const eb="https://accounts.google.com/o/oauth2/v2/auth",Tp="https://oauth2.googleapis.com/token",tb="https://oauth2.googleapis.com/revoke";let Fg=class{constructor(e,n,r){te(this,"client");this.client=new ru(e,n,r)}createAuthorizationURL(e,n,r){return this.client.createAuthorizationURLWithPKCE(eb,e,ti.S256,n,r)}async validateAuthorizationCode(e,n){return await this.client.validateAuthorizationCode(Tp,e,n)}async refreshAccessToken(e){return await this.client.refreshAccessToken(Tp,e,[])}async 
revokeToken(e){await this.client.revokeToken(tb,e)}};const Jo=o.z.object({iss:o.z.string().url(),sub:o.z.string(),aud:o.z.string(),exp:o.z.number(),email:o.z.string().optional(),given_name:o.z.string().optional(),family_name:o.z.string().optional(),name:o.z.string().optional(),iat:o.z.number(),auth_time:o.z.number().optional(),nonce:o.z.string().optional(),acr:o.z.string().optional(),amr:o.z.array(o.z.string()).optional(),azp:o.z.string().optional(),at_hash:o.z.string().optional(),c_hash:o.z.string().optional()}).passthrough();Jo.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function nb(t){return t.ISSUER}function _t(t){return t.UNIVERSAL_LOGIN_URL||`${t.ISSUER}u/`}function je(t){return t.OAUTH_API_URL||t.ISSUER}function Kg(t){const{options:e}=t;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const n=Buffer.from(e.app_secret,"utf-8"),r=n.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),i=Uint8Array.from(Buffer.from(r,"base64"));return n.fill(0),{options:e,keyArray:i}}async function rb(t,e){var l,u;const{options:n,keyArray:r}=Kg(e),i=new Dg(n.client_id,n.team_id,n.kid,r,`${je(t.env)}callback`),s=xe(),a=await i.createAuthorizationURL(s,((l=n.scope)==null?void 0:l.split(" "))||["name","email"]);return(((u=n.scope)==null?void 0:u.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&a.searchParams.set("response_mode","form_post"),{redirectUrl:a.href,code:s}}async function ib(t,e,n){const{options:r,keyArray:i}=Kg(e),a=await new Dg(r.client_id,r.team_id,r.kid,i,`${je(t.env)}callback`).validateAuthorizationCode(n),c=ol(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Jo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const 
sb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:rb,validateAuthorizationCodeAndGetUser:ib},Symbol.toStringTag,{value:"Module"}));async function ob(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new Hg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe();return{redirectUrl:r.createAuthorizationURL(i,((a=n.scope)==null?void 0:a.split(" "))||["email"]).href,code:i}}async function ab(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new Hg(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n),a=await fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!a.ok)throw new Error("Failed to fetch user info");const c=await a.json();return t.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const cb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:ob,validateAuthorizationCodeAndGetUser:ab},Symbol.toStringTag,{value:"Module"}));async function lb(t,e){var c;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required Google authentication parameters");const r=new Fg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe(),s=Dw();return{redirectUrl:r.createAuthorizationURL(i,s,((c=n.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:i,codeVerifier:s}}async function ub(t,e,n,r){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret||!r)throw new Error("Missing required authentication parameters");const a=await new Fg(i.client_id,i.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n,r),c=ol(a.idToken());if(!c)throw new Error("Invalid ID token");const 
l=Jo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const db=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:lb,validateAuthorizationCodeAndGetUser:ub},Symbol.toStringTag,{value:"Module"}));async function pb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new ru(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe(),s=r.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",i,((a=n.scope)==null?void 0:a.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:i}}async function fb(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new ru(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",n,null),a=ol(s.idToken());if(!a)throw new Error("Invalid ID token");const c=Jo.parse(a.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new z(400,{message:"Failed to get user from vipps"});return await l.json()}const hb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:pb,validateAuthorizationCodeAndGetUser:fb},Symbol.toStringTag,{value:"Module"}));function Wg(t,e){const n=t.env.STRATEGIES||{},i={apple:sb,facebook:cb,"google-oauth2":db,vipps:hb,...n}[e];if(!i)throw new Error(`Strategy ${e} not found`);return i}async function Zo(t,e){const n=await t.data.clients.get(e);if(!n)throw new 
z(403,{message:"Client not found"});const r=t.DEFAULT_CLIENT_ID?await t.data.clients.get(t.DEFAULT_CLIENT_ID):void 0,i=await t.data.connections.list(n.tenant.id),s=t.DEFAULT_TENANT_ID?await t.data.connections.list(t.DEFAULT_TENANT_ID):{connections:[]},a=i.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(f=>f.name===c.name);return l!=null&&l.options?Kt.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...n,web_origins:[...(r==null?void 0:r.web_origins)||[],...n.web_origins||[],`${_t(t)}login`],allowed_logout_urls:[...(r==null?void 0:r.allowed_logout_urls)||[],...n.allowed_logout_urls||[],t.ISSUER],callbacks:[...(r==null?void 0:r.callbacks)||[],...n.callbacks||[],`${_t(t)}info`],connections:a,tenant:{...(r==null?void 0:r.tenant)||{},...n.tenant}}}function Yo(t,e=[],n={}){try{const r=new URL(t);return e.some(i=>{try{return gb(r,new URL(i),n.allowPathWildcards)}catch{return!1}})}catch{return!1}}function gb(t,e,n){if(t.protocol!==e.protocol)return!1;if(n&&e.pathname.includes("*")){const r=e.pathname.replace(/\*/g,".*").replace(/\//g,"\\/");if(!new RegExp(`^${r}$`).test(t.pathname))return!1}else if(t.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const r=e.hostname.split(".").slice(1).join(".");return t.hostname.endsWith(r)}return t.hostname===e.hostname}async function mb(t,e,n,r){if(!r.state)throw new z(400,{message:"State not found"});const i=e.connections.find(l=>l.name===n);if(!i){t.set("client_id",e.id);const l=ve(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await t.env.data.logs.create(e.tenant.id,l),new z(403,{message:"Connection Not Found"})}let s=await t.env.data.loginSessions.get(e.tenant.id,r.state);s||(s=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:r,csrf_token:xe(),...on(t.req)}));const c=await 
Wg(t,i.strategy).getRedirect(t,i);return await t.env.data.codes.create(e.tenant.id,{login_id:s.id,code_id:c.code,code_type:"oauth2_state",connection_id:i.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+N_*1e3).toISOString()}),t.redirect(c.redirectUrl)}async function Bp(t,{code:e,state:n}){var h;const{env:r}=t,i=await r.data.codes.get(t.var.tenant_id||"",n,"oauth2_state");if(!i||!i.connection_id)throw new z(403,{message:"State not found"});const s=await r.data.loginSessions.get(t.var.tenant_id||"",i.login_id);if(!s)throw new z(403,{message:"Session not found"});const a=await Zo(r,s.authParams.client_id);t.set("client_id",a.id),t.set("tenant_id",a.tenant.id);const c=a.connections.find(_=>_.id===i.connection_id);if(!c){const _=ve(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await r.data.logs.create(a.tenant.id,_),new z(403,{message:"Connection not found"})}if(t.set("connection",c.name),!s.authParams.redirect_uri){const _=ve(t,{type:he.FAILED_LOGIN,description:"Redirect URI not defined"});throw await r.data.logs.create(a.tenant.id,_),new z(403,{message:"Redirect URI not defined"})}if(!Yo(s.authParams.redirect_uri,a.callbacks||[],{allowPathWildcards:!0})){const _=`Invalid redirect URI - ${s.authParams.redirect_uri}`,w=ve(t,{type:he.FAILED_LOGIN,description:_});throw await r.data.logs.create(a.tenant.id,w),new z(403,{message:_})}const u=await Wg(t,c.strategy).validateAuthorizationCodeAndGetUser(t,c,e,i.code_verifier),{sub:p,...f}=u;t.set("user_id",p);const m=((h=u.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(t.env.ISSUER).hostname}`;t.set("username",m);const v=await io(t,{client:a,email:m,provider:c.strategy,connection:c.name,userId:p,profileData:f,isSocial:!0,ip:t.req.header("x-real-ip")});return an(t,{client:a,authParams:s.authParams,loginSession:s,user:v})}async function Pp(t,e,n,r,i,s){const a=await t.env.data.codes.get(t.var.tenant_id||"",e,"oauth2_state");if(!a)throw new z(400,{message:"State not 
found"});const c=await t.env.data.loginSessions.get(t.var.tenant_id,a.login_id);if(!c)throw new z(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new z(400,{message:"Redirect uri not found"});const u=ve(t,{type:he.FAILED_LOGIN,description:`Failed connection login: ${i} ${n}, ${r}`});nt(t,t.env.data.logs.create(t.var.tenant_id,u));const p=new URL(l);return Ow(p,{error:n,error_description:r,error_reason:s,error_code:i,state:c.authParams.state}),t.redirect(`${_t(t.env)}enter-email?state=${c.id}&error=${n}`)}const _b=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("query");if(r)return Pp(t,e,r,i,s,a);if(!n)throw new z(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}).openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("form");if(r)return Pp(t,e,r,i,s,a);if(!n)throw new z(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}),yb=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),returnTo:o.z.string().optional()}),header:o.z.object({cookie:o.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async t=>{const{client_id:e,returnTo:n}=t.req.valid("query"),r=await t.env.data.clients.get(e);if(!r)return t.text("OK");const i=await t.env.data.clients.get("DEFAULT_CLIENT");t.set("client_id",e),t.set("tenant_id",r.tenant.id);const s=n||t.req.header("referer");if(!s)return t.text("OK");if(!Yo(s,[...r.allowed_logout_urls||[],...(i==null?void 0:i.allowed_logout_urls)||[]],{allowPathWildcards:!0}))throw new z(400,{message:"Invalid redirect uri"});const a=t.req.header("cookie");if(a){const l=cs(r.tenant.id,a);if(l){const u=await t.env.data.sessions.get(r.tenant.id,l);if(u){const p=await t.env.data.users.get(r.tenant.id,u.user_id);p&&(t.set("user_id",p.user_id),t.set("connection",p.connection));const f=await t.env.data.refreshTokens.list(r.tenant.id,{q:`session_id=${l}`,page:0,per_page:100,include_totals:!1});await Promise.all(f.refresh_tokens.map(m=>t.env.data.refreshTokens.remove(r.tenant.id,m.id))),await t.env.data.sessions.update(r.tenant.id,l,{revoked_at:new Date().toISOString()})}}}const c=ve(t,{type:he.SUCCESS_LOGOUT,description:"User successfully logged out"});return await t.env.data.logs.create(r.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":B_(r.tenant.id,t.req.header("host")),location:s}})}),Rp=o.z.object({sub:o.z.string(),email:o.z.string().optional(),family_name:o.z.string().optional(),given_name:o.z.string().optional(),email_verified:o.z.boolean()}),vb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:Rp}},description:"Userinfo"}}}),async t=>{if(!t.var.user)throw new z(404,{message:"User not found"});const e=await 
t.env.data.users.get(t.var.user.tenant_id,t.var.user.sub);if(!e)throw new z(404,{message:"User not found"});return t.json(Rp.parse({...e,sub:e.user_id}))}),wb=new o.OpenAPIHono().openapi(o.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:mf}},description:"List of tenants"}}}),async t=>{const e=await t.env.data.keys.list(),n=await Promise.all(e.map(async r=>{const s=await new tu(r.cert).publicKey.export(),a=await crypto.subtle.exportKey("jwk",s);return rl.parse({...a,kid:r.kid})}));return t.json({keys:n},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${ji}, stale-while-revalidate=${ji*2}, stale-if-error=86400`}})}).openapi(o.createRoute({tags:["well known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:Ea}},description:"List of tenants"}}}),async t=>{const e=Ea.parse({issuer:nb(t.env),authorization_endpoint:`${je(t.env)}authorize`,token_endpoint:`${je(t.env)}oauth/token`,device_authorization_endpoint:`${je(t.env)}oauth/device/code`,userinfo_endpoint:`${je(t.env)}userinfo`,mfa_challenge_endpoint:`${je(t.env)}mfa/challenge`,jwks_uri:`${je(t.env)}.well-known/jwks.json`,registration_endpoint:`${je(t.env)}oidc/register`,revocation_endpoint:`${je(t.env)}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token 
id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return t.json(e,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${ji}, stale-while-revalidate=${ji*2}, stale-if-error=86400`}})});function Fi(t,e){if(!t||!e||t.length!==e.length)return!1;let n=0;for(let r=0;r<t.length;r++)n|=t.charCodeAt(r)^e.charCodeAt(r);return n===0}const Gg=o.z.object({grant_type:o.z.literal("client_credentials"),scope:o.z.string().optional(),client_secret:o.z.string(),client_id:o.z.string(),audience:o.z.string().optional()});async function bb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Invalid client credentials"});if(n.client_secret&&!Fi(n.client_secret,e.client_secret))throw new z(403,{message:"Invalid client credentials"});const r={client_id:n.id,scope:e.scope,audience:e.audience},i=await to(t,{authParams:r,client:n});return t.json(i)}const kb=o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string().optional(),client_secret:o.z.string().optional(),code_verifier:o.z.string().optional()}).refine(t=>"client_secret"in t&&!("code_verifier"in t)||!("client_secret"in t)&&"code_verifier"in t,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function xb(t,e){const n=await 
t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Client not found"});const r=await t.env.data.codes.get(n.tenant.id,e.code,"authorization_code");if(!r||!r.user_id)throw new z(403,{message:"Invalid client credentials"});if(new Date(r.expires_at)<new Date)throw new z(403,{message:"Code expired"});if(r.used_at)throw new z(403,{message:"Code already used"});const i=await t.env.data.loginSessions.get(n.tenant.id,r.login_id);if(!i)throw new z(403,{message:"Invalid login"});if("client_secret"in e){const a=await t.env.data.clients.get("DEFAULT_CLIENT");if(!Fi(n.client_secret,e.client_secret)&&!Fi(a==null?void 0:a.client_secret,e.client_secret))throw new z(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in i.authParams&&typeof i.authParams.code_challenge_method=="string"){const a=await E_(e.code_verifier,i.authParams.code_challenge_method);if(!Fi(a,i.authParams.code_challenge||""))throw new z(403,{message:"Invalid client credentials"})}if(i.authParams.redirect_uri&&i.authParams.redirect_uri!==e.redirect_uri)throw new z(403,{message:"Invalid redirect uri"});const s=await t.env.data.users.get(n.tenant.id,r.user_id);if(!s)throw new z(403,{message:"User not found"});return await t.env.data.codes.used(n.tenant.id,e.code),an(t,{user:s,client:n,loginSession:i,authParams:{...i.authParams,response_mode:Xt.WEB_MESSAGE}})}const Sb=o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),redirect_uri:o.z.string().optional(),refresh_token:o.z.string()});async function Ab(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Client not found"});const r=await t.env.data.refreshTokens.get(n.tenant.id,e.refresh_token);if(r){if(r.expires_at&&new Date(r.expires_at)<new Date||r.idle_expires_at&&new Date(r.idle_expires_at)<new Date)throw new z(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Refresh token has 
expired"})})}else throw new z(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Invalid refresh token"})});const i=await t.env.data.users.get(n.tenant.id,r.user_id);if(!i)throw new z(403,{message:"User not found"});const s=r.resource_servers[0];if(r.idle_expires_at){const a=new Date(Date.now()+2592e6);await t.env.data.refreshTokens.update(n.tenant.id,r.id,{idle_expires_at:a.toISOString(),last_exchanged_at:new Date().toISOString(),device:{...r.device,last_ip:t.req.header["x-real-ip"]||"",last_user_agent:t.req.header["user-agent"]||""}})}return an(t,{user:i,client:n,refreshToken:r.id,sessionId:r.session_id,authParams:{client_id:n.id,audience:s==null?void 0:s.audience,scope:s==null?void 0:s.scopes,response_mode:Xt.WEB_MESSAGE}})}const Lp=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),Eb=o.z.union([Gg.extend(Lp.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Lp.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()})]);function Ib(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const zb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:Eb}}}},responses:{200:{content:{"application/json":{schema:kf}},description:"Tokens"}}}),async t=>{const e=t.req.valid("form"),n=Ib(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new z(400,{message:"client_id is required"});switch(t.set("client_id",r.client_id),e.grant_type){case Tr.AuthorizationCode:return 
xb(t,kb.parse(r));case Tr.ClientCredential:return bb(t,Gg.parse(r));case Tr.RefreshToken:return Ab(t,Sb.parse(r));default:throw new z(400,{message:"Not implemented"})}});var iu={exports:{}};const su=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],Jg=(t,e=su,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(c=>new RegExp(`${c.regex}`).test(r)).map(c=>c.message),s.length=r.length;let a=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,a[0]),s};iu.exports={passwordStrength:Jg,defaultOptions:su};var Cb=iu.exports.passwordStrength=Jg;iu.exports.defaultOptions=su;function ou(t){return Cb(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Si(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new z(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new z(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function Zg(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});const s=`${_t(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Si(t,{to:e,subject:se("reset_password_title",a),html:`Click here to reset your password: 
${_t(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:se("password_reset_title",a),resetPasswordEmailClickToReset:se("reset_password_email_click_to_reset",a),resetPasswordEmailReset:se("reset_password_email_reset",a),supportInfo:se("support_info",a),contactUs:se("contact_us",a),copyright:se("copyright",a)}})}async function Yg(t,e,n){const r=await t.env.data.tenants.get(t.var.tenant_id);if(!r)throw new z(500,{message:"Tenant not found"});const i={vendorName:r.name,code:n,lng:r.language||"en"};await Si(t,{to:e,subject:se("code_email_subject",i),html:`Click here to validate your email: ${_t(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:r.name,logo:r.logo||"",supportUrl:r.support_url||"",buttonColor:r.primary_color||"",welcomeToYourAccount:se("welcome_to_your_account",i),linkEmailClickToLogin:se("link_email_click_to_login",i),linkEmailLogin:se("link_email_login",i),linkEmailOrEnterCode:se("link_email_or_enter_code",i),codeValid30Mins:se("code_valid_30_minutes",i),supportInfo:se("support_info",i),contactUs:se("contact_us",i),copyright:se("copyright",i)}});const s=ve(t,{type:he.CODE_LINK_SENT,description:e});nt(t,t.env.data.logs.create(r.id,s))}async function au(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new z(400,{message:"redirect_uri is required"});const s=new 
URL(je(t.env));s.pathname="passwordless/verify_redirect",s.searchParams.set("verification_code",n),s.searchParams.set("connection","email"),s.searchParams.set("client_id",r.client_id),s.searchParams.set("redirect_uri",r.redirect_uri),s.searchParams.set("email",e),r.response_type&&s.searchParams.set("response_type",r.response_type),r.scope&&s.searchParams.set("scope",r.scope),r.state&&s.searchParams.set("state",r.state),r.nonce&&s.searchParams.set("nonce",r.nonce),r.code_challenge&&s.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&s.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&s.searchParams.set("audience",r.audience);const a={vendorName:i.name,code:n,lng:i.language||"en"};await Si(t,{to:e,subject:se("code_email_subject",a),html:`Click here to validate your email: ${_t(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:s.toString(),buttonColor:i.primary_color||"",welcomeToYourAccount:se("welcome_to_your_account",a),linkEmailClickToLogin:se("link_email_click_to_login",a),linkEmailLogin:se("link_email_login",a),linkEmailOrEnterCode:se("link_email_or_enter_code",a),codeValid30Mins:se("code_valid_30_minutes",a),supportInfo:se("support_info",a),contactUs:se("contact_us",a),copyright:se("copyright",a)}});const c=ve(t,{type:he.CODE_LINK_SENT,description:e});nt(t,t.env.data.logs.create(i.id,c))}async function cu(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new z(500,{message:"Tenant not found"});const r={vendorName:n.name,lng:n.language||"en"};await Si(t,{to:e.email,subject:se("welcome_to_your_account",r),html:`Click here to validate your email: 
${_t(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${_t(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:se("welcome_to_your_account",r),verifyEmailVerify:se("verify_email_verify",r),supportInfo:se("support_info",r),contactUs:se("contact_us",r),copyright:se("copyright",r)}})}async function Nb(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${_t(t.env)}signup?state=${r}&code=${n}`;await Si(t,{to:e,subject:se("register_password_account",s),html:`Click here to register: ${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:se("set_password",s),registerPasswordAccount:se("register_password_account",s),clickToSignUpDescription:se("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:se("welcome_to_your_account",s),verifyEmailVerify:se("verify_email_verify",s),supportInfo:se("support_info",s),contactUs:se("contact_us",s),copyright:se("copyright",s)}})}const jb=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.clients.get(r);if(!i)throw new z(400,{message:"Client not 
found"});if(t.set("client_id",i.id),t.set("tenant_id",i.tenant.id),!ou(n))throw new z(400,{message:"Password does not meet the requirements"});if(await ls({userAdapter:t.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))throw new z(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Xs()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const c=await si.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:c,algorithm:"bcrypt"}),await cu(t,a);const l=ve(t,{type:he.SUCCESS_SIGNUP,description:"Successful signup"});return await t.env.data.logs.create(i.tenant.id,l),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.clients.get(n);if(!r)throw new z(400,{message:"Client not found"});if(t.set("client_id",r.id),t.set("tenant_id",r.tenant.id),!await ur({userAdapter:t.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:s,csrf_token:xe(),...on(t.req)});return await Zg(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Bn(){const 
t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}async function lu(t,e,n,r,i,s,a){const{env:c}=t,l=await c.data.codes.get(e.tenant.id,i,"otp");if(!l)throw new z(400,{message:"Code not found or expired"});if(l.expires_at<new Date().toISOString())throw new z(400,{message:"Code expired"});if(l.used_at)throw new z(400,{message:"Code already used"});const u=await c.data.loginSessions.get(e.tenant.id,l.login_id);if(!u||u.authParams.username!==r)throw new z(400,{message:"Code not found or expired"});const p=on(t.req);if(a&&u.ip!==p.ip)return t.redirect(`${_t(t.env)}invalid-session?state=${u.id}`);if(n.redirect_uri&&!Yo(n.redirect_uri,e.callbacks,{allowPathWildcards:!0}))throw new z(400,{message:`Invalid redirect URI - ${n.redirect_uri}`});const f=await io(t,{client:e,email:r,provider:"email",connection:"email",isSocial:!1,ip:t.req.header("x-real-ip")});return await c.data.codes.used(e.tenant.id,i),an(t,{user:f,client:e,loginSession:u,authParams:n,ticketAuth:s})}const $b=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:tl.omit({client_id:!0})})}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,email:i,send:s,authParams:a}=e,c=await t.env.data.clients.get(r);if(!c)throw new z(400,{message:"Client not found"});t.set("client_id",c.id),t.set("tenant_id",c.tenant.id);const l=await n.data.loginSessions.create(c.tenant.id,{authParams:{...a,client_id:r,username:i},expires_at:new Date(Date.now()+Ca).toISOString(),csrf_token:xe(),...on(t.req)}),u=await n.data.codes.create(c.tenant.id,{code_id:Bn(),code_type:"otp",login_id:l.id,expires_at:new Date(Date.now()+Ca).toISOString()});return s==="link"?await 
au(t,i,u.code_id,{...a,client_id:r}):await Yg(t,i,u.code_id),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(Pt),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Status"}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:c,audience:l,response_type:u,nonce:p}=t.req.valid("query"),f=await Zo(e,n);return t.set("client_id",f.id),t.set("tenant_id",f.tenant.id),t.set("connection","email"),lu(t,f,{client_id:n,redirect_uri:s,state:a,nonce:p,scope:c,audience:l,response_type:u},r,i,!1,!0)});class Cr extends z{constructor(n,r){super(n,r);te(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function uu(t,e,n,r,i){const{env:s}=t,a=n.username;if(t.set("username",a),!a)throw new z(400,{message:"Username is required"});const c=await ur({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:a,provider:"auth2"});if(!c){const h=ve(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=c.linked_to?await s.data.users.get(e.tenant.id,c.linked_to):c;if(!l)throw new Cr(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",c.connection),t.set("user_id",l.user_id);const u=await s.data.passwords.get(e.tenant.id,c.user_id);if(!(u&&await si.compare(n.password,u.password))){const h=ve(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await 
s.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(h=>h.type===he.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(h.date)>new Date(Date.now()-1e3*60*5)).length>=3){const h=ve(t,{type:he.FAILED_LOGIN,description:"Too many failed login attempts"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!c.email_verified&&e.email_validation==="enforced"){await cu(t,c);const h=ve(t,{type:he.FAILED_LOGIN,description:"Email not verified"});throw await t.env.data.logs.create(e.tenant.id,h),new Cr(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const v=ve(t,{type:he.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return nt(t,t.env.data.logs.create(e.tenant.id,v)),an(t,{client:e,authParams:n,user:l,ticketAuth:i,loginSession:r})}async function Ob(t,e,n,r){await io(t,{client:e,email:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.req.header("x-real-ip")});let i=Bn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Bn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+O_).toISOString(),authParams:{client_id:e.id,username:n},csrf_token:xe(),...on(t.req)}),c=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:a.id,expires_at:new Date(Date.now()+$_).toISOString()});await Zg(t,n,c.code_id,r)}const Tb=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.clients.get(n);if(!i)throw new z(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase();if("otp"in e)return lu(t,i,{client_id:n,username:s},s,e.otp,!0);if("password"in e){const a=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:xe(),...on(t.req)});return uu(t,i,{username:s,password:e.password,client_id:n},a,!0)}else throw new z(400,{message:"Code or password required"})});function Bb(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=ga(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let c;if(a.startsWith("http://")||a.startsWith("https://")?c=((i=ga(a))==null?void 0:i.host)??null:c=((s=ga("https://"+a))==null?void 0:s.host)??null,n===c)return!0}return!1}function ga(t){try{return new URL(t)}catch{return null}}async function Pb({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new 
Date(Date.now()+Jn*1e3).toISOString(),authParams:r,csrf_token:xe(),authorization_url:t.req.url,...on(t.req)});if(e&&s){const c=await t.env.data.users.get(n.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return an(t,{client:n,loginSession:a,authParams:r,user:c,sessionId:e.id})}if(i==="email"&&s){const c=Bn();return await t.env.data.codes.create(n.tenant.id,{code_id:c,code_type:"otp",login_id:a.id,expires_at:new Date(Date.now()+Jn*1e3).toISOString()}),await au(t,s,c,r),t.redirect(`/u/enter-code?state=${a.id}`)}return e?t.redirect(`/u/check-account?state=${a.id}`):t.redirect(`/u/enter-email?state=${a.id}`)}function Rb(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new z(403,{message:"Invalid realm"})}async function Lb(t,e,n,r,i){var m;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new z(403,{message:"Ticket not found"});const c=await s.data.loginSessions.get(e,a.login_id);if(!c||!c.authParams.username)throw new z(403,{message:"Session not found"});const l=await s.data.clients.get(c.authParams.client_id);if(!l)throw new z(403,{message:"Client not found"});t.set("client_id",c.authParams.client_id),await s.data.codes.used(e,n);const u=Rb(i);let p=await io(t,{email:c.authParams.username,provider:u,client:l,connection:u==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.req.header("x-real-ip")});t.set("username",p.email),t.set("user_id",p.user_id);const f=await Ff(t,{user:p,client:l,loginSession:c});return an(t,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...r},loginSession:c,sessionId:f.id,user:p,client:l})}async function Up(t,e){return`<!DOCTYPE html>
|
|
149
|
+
`,r}async function uw(t){const e=await t.publicKey.export(),n=await crypto.subtle.exportKey("jwk",e),r=JSON.stringify(n,Object.keys(n).sort()),s=new TextEncoder().encode(r);return za(await jf(s))}const dw=1e3*60*60*24,pw=new o.OpenAPIHono().openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Ia)}},description:"List of keys"}}}),async t=>{const n=(await t.env.data.keys.list()).filter(r=>"cert"in r).map(r=>r);return t.json(n)}).openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ia}},description:"The requested key"}}}),async t=>{const{kid:e}=t.req.valid("param"),r=(await t.env.data.keys.list()).find(i=>i.kid===e);if(!r)throw new z(404,{message:"Key not found"});return t.json(r)}).openapi(o.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const e=await t.env.data.keys.list();for await(const r of e)await t.env.data.keys.update(r.kid,{revoked_at:new Date(Date.now()+dw).toISOString()});const n=await Jc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const{kid:e}=t.req.valid("param");if(!await t.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new z(404,{message:"Key not found"});const r=await 
Jc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(r),t.text("OK")}),fw=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:o.z.object({email:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.array(el)}},description:"List of users"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{email:n}=t.req.valid("query"),i=(await pl(t.env.data.users,e,n)).filter(s=>!s.linked_to);return t.json(i)}),hw=rn.extend({clients:o.z.array(mn)}),gw=new o.OpenAPIHono().openapi(o.createRoute({tags:["clients"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([hw,o.z.array(mn)])}},description:"List of clients"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),l=(await t.env.data.applications.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a})).applications;return i?t.json({clients:l,start:0,limit:10,length:l.length}):t.json(l)}).openapi(o.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=(await t.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===n);if(!i)throw new z(404);return t.json(i)}).openapi(o.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.applications.remove(e,n))throw new z(404,{message:"Application not found"});return t.text("OK")}).openapi(o.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(ns.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"The update application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=t.req.valid("json");await t.env.data.applications.update(e,n,i);const s=await t.env.data.applications.get(e,n);if(!s)throw new z(404,{message:"Application not found"});return t.json(s)}).openapi(o.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ns.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:o.z.object(mn.shape)}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r={...n,id:n.id||xe(),client_secret:n.client_secret||xe()},i=await t.env.data.applications.create(e,r);return t.json(i,{status:201})});o.z.object({start:o.z.number(),limit:o.z.number(),length:o.z.number()});Js.extend({email:o.z.string(),login_count:o.z.number(),multifactor:o.z.array(o.z.string()).optional(),last_ip:o.z.string().optional(),last_login:o.z.string().optional(),user_id:o.z.string()}).catchall(o.z.any());const mw=rn.extend({tenants:o.z.array(Fn)}),_w=new o.OpenAPIHono().openapi(o.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:Qt},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.union([o.z.array(Fn),mw])}},description:"List of tenants"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),a=await t.env.data.tenants.list({page:e,per_page:n,include_totals:r,sort:dr(i),q:s});return r?t.json(a):t.json(a.tenants)}).openapi(o.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:Fn}},description:"A tenant"}}}),async t=>{const{id:e}=t.req.valid("param"),n=await t.env.data.tenants.get(e);if(!n)throw new z(404);return t.json(n)}).openapi(o.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param");return await t.env.data.tenants.remove(e),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(is.shape).partial()}}},params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param"),n=t.req.valid("json");return await t.env.data.tenants.update(e,n),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(is.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:Fn}},description:"An tenant"}}}),async t=>{const e=t.req.valid("json"),n=await t.env.data.tenants.create(e);return t.json(n,{status:201})}),yw=rn.extend({logs:o.z.array(os)}),vw=new o.OpenAPIHono().openapi(o.createRoute({tags:["logs"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(os),yw])}},description:"List of log rows"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header"),c=await t.env.data.logs.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:s});return r?t.json(c):t.json(c.logs)}).openapi(o.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:os}},description:"A log entry"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.logs.get(e,n);if(!r)throw new z(404);return t.json(r)}),ww=rn.extend({hooks:o.z.array(Dn)}),bw=new o.OpenAPIHono().openapi(o.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Dn),ww])}},description:"List of hooks"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.hooks.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a});return i?t.json(c):t.json(c.hooks)}).openapi(o.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(ss.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Dn}},description:"The created hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.hooks.create(e,n);return 
t.json(r,{status:201})}).openapi(o.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()}),body:{content:{"application/json":{schema:o.z.object(ss.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Dn.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=t.req.valid("json");await t.env.data.hooks.update(e,n,r);const i=await t.env.data.hooks.get(e,n);if(!i)throw new z(404,{message:"Hook not found"});return t.json(i)}).openapi(o.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Dn}},description:"A hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=await t.env.data.hooks.get(e,n);if(!r)throw new z(404,{message:"Hook not found"});return t.json(r)}).openapi(o.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param");if(!await t.env.data.hooks.remove(e,n))throw new z(404,{message:"Hook not found"});return t.text("OK")}),kw=rn.extend({connections:o.z.array(Kt)}),xw=new o.OpenAPIHono().openapi(o.createRoute({tags:["connections"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Kt),kw])}},description:"List of 
connectionss"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i=!1,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.connections.list(e,{page:n,per_page:r,include_totals:i,sort:dr(s),q:a});return i?t.json(c):t.json(c.connections)}).openapi(o.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Kt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.connections.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.connections.remove(e,n))throw new z(404,{message:"Connection not found"});return t.text("OK")}).openapi(o.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Kt}},description:"The updated connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.connections.update(e,n,r))throw new z(404,{message:"Connection not found"});const s=await t.env.data.connections.get(e,n);if(!s)throw new z(404,{message:"Connection not found"});return 
t.json(s)}).openapi(o.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Kt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.connections.create(e,n);return t.json(r,{status:201})}),Sw=new o.OpenAPIHono().openapi(o.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Li}},description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.promptSettings.get(e);return n?t.json(n):t.json(Li.parse({}))}).openapi(o.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Li.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.promptSettings.get(e);return Object.assign(r,n),await t.env.data.promptSettings.set(e,r),t.json(r)});let Ep=!1;function Rg(t){t.use(async(e,n)=>(Ep||(t.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Ep=!0),await n()))}o.z.object({alg:o.z.literal("RS256"),kty:o.z.literal("RSA"),use:o.z.literal("sig"),n:o.z.string(),e:o.z.string(),kid:o.z.string(),x5t:o.z.string(),x5c:o.z.array(o.z.string())});async function Aw(t){try{const e=await t.JWKS_SERVICE.fetch(t.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new z(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function Ew(t,e){const r=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),i=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),a=(await Aw(t.env)).find(l=>l.kid===e.header.kid);if(!a)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",a,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,i,r)}function Iw(t){const[e,n,r]=t.split(".");if(!e||!n||!r)return null;const i=JSON.parse(atob(e)),s=JSON.parse(atob(n)),a=atob(r.replace(/-/g,"+").replace(/_/g,"/"));return{header:i,payload:s,signature:a,raw:{header:e,payload:n,signature:r}}}function Lg(t){return async(e,n)=>{var i,s,a;const r=t.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(r&&"route"in r){const c=(s=(i=r.route.security)==null?void 0:i[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await n();const l=e.req.header("authorization")||"",[u,p]=l.split(" ");if((u==null?void 0:u.toLowerCase())!=="bearer"||!p)throw new z(401,{message:"Missing bearer token"});const f=Iw(p);if(!f||!await Ew(e,f))throw new z(403,{message:"Invalid JWT signature"});e.set("user_id",f.payload.sub),e.set("user",f.payload);const m=f.payload.permissions||[],v=((a=f.payload.scope)==null?void 0:a.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>v.includes(h))))throw new z(403,{message:"Unauthorized"})}return await n()}}const zw=new o.OpenAPIHono().openapi(o.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ui}},description:"Email provider"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.emailProviders.get(e);if(!n)throw new z(404,{message:"Email provider not 
found"});return t.json(n)}).openapi(o.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.create(e,n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.update(e,n),t.text("OK")}),Cw=new o.OpenAPIHono().openapi(o.createRoute({tags:["sessions"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ys}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.sessions.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["sessions"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.remove(e,n))throw new z(404,{message:"Session not found"});return 
t.text("OK")}).openapi(o.createRoute({tags:["sessions"],method:"post",path:"/{id}/revoke",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{202:{description:"Sesssion deletion status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.update(e,n,{revoked_at:new Date().toDateString()}))throw new z(404,{message:"Session not found"});return t.text("Session deletion request accepted.",{status:202})}),Nw=new o.OpenAPIHono().openapi(o.createRoute({tags:["refresh_tokens"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:il}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.refreshTokens.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["refresh_tokens"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.refreshTokens.remove(e,n))throw new z(404,{message:"Session not found"});return t.text("OK")}),jw=new o.OpenAPIHono().openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/",request:{query:Qt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Ft)}},description:"List of custom domains"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.customDomains.list(e);return 
t.json(n)}).openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.customDomains.get(e,n);if(!r)throw new z(404);return t.json(r)}).openapi(o.createRoute({tags:["custom-domains"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.customDomains.remove(e,n))throw new z(404,{message:"Custom domain not found"});return t.text("OK")}).openapi(o.createRoute({tags:["custom-domains"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(Ft.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"The updated custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.customDomains.update(e,n,r))throw new z(404);const s=await t.env.data.customDomains.get(e,n);if(!s)throw new z(404);return t.json(s)}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(nl.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Ft}},description:"The created custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await 
t.env.data.customDomains.create(e,n);return t.json(r,{status:201})}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/{id}/verify",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ft}},description:"The custom domain"}}}),async()=>{throw new z(501,{message:"Not implemented"})});async function nu(t,e){const n=t.req.header("x-forwarded-host");if(n){const i=await t.env.data.customDomains.getByDomain(n);if(i)return t.set("tenant_id",i.tenant_id),t.set("custom_domain",n),await e()}const r=t.req.header("host");if(r){const i=r.split(".");if(i.length>1&&typeof i[0]=="string"){const s=i[0];await t.env.data.tenants.get(s)&&t.set("tenant_id",s)}}return await e()}function $w(t){const e=new o.OpenAPIHono;e.use(af({origin:r=>{var i;return r&&(i=t.allowedOrigins)!=null&&i.includes(r)?r:""},allowHeaders:["Tenant-Id","Content-Type","Content-Range","Auth0-Client","Authorization","Range","Upgrade-Insecure-Requests"],allowMethods:["POST","PUT","GET","DELETE","PATCH","OPTIONS"],exposeHeaders:["Content-Length","Content-Range"],maxAge:600,credentials:!0})),Rg(e),e.use(async(r,i)=>(r.env.data=no(r,t.dataAdapter),i())),e.use(nu).use(Lg(e));const n=e.route("/branding",s_).route("/custom-domains",jw).route("/email/providers",zw).route("/users",hy).route("/keys",pw).route("/users-by-email",fw).route("/clients",gw).route("/tenants",_w).route("/logs",vw).route("/hooks",bw).route("/connections",xw).route("/prompts",Sw).route("/sessions",Cw).route("/refresh_tokens",Nw);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"},security:[{oauth2:["openid","email","profile"]}]}),n}function Ow(t,e){Object.keys(e).forEach(n=>{const r=e[n];r!=null&&r.length&&t.searchParams.set(n,r)})}var Ip;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ip||(Ip={}));var 
zp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(zp||(zp={}));function Tw(t){return Vg(t,Bw,ei.Include)}function Ug(t){return Vg(t,Pw,ei.None)}function Vg(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===ei.Include&&(r+="=")}return r}const Bw="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",Pw="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ei;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(ei||(ei={}));var Cp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Cp||(Cp={}));class Rw{uint8(e,n){if(e.byteLength<n+1)throw new TypeError("Insufficient bytes");return e[n]}uint16(e,n){if(e.byteLength<n+2)throw new TypeError("Insufficient bytes");return e[n]<<8|e[n+1]}uint32(e,n){if(e.byteLength<n+4)throw new TypeError("Insufficient bytes");let r=0;for(let i=0;i<4;i++)r|=e[n+i]<<24-i*8;return r}uint64(e,n){if(e.byteLength<n+8)throw new TypeError("Insufficient bytes");let r=0n;for(let i=0;i<8;i++)r|=BigInt(e[n+i])<<BigInt(56-i*8);return r}putUint8(e,n,r){if(e.length<r+1)throw new TypeError("Not enough space");if(n<0||n>255)throw new TypeError("Invalid uint8 value");e[r]=n}putUint16(e,n,r){if(e.length<r+2)throw new TypeError("Not enough space");if(n<0||n>65535)throw new TypeError("Invalid uint16 value");e[r]=n>>8,e[r+1]=n&255}putUint32(e,n,r){if(e.length<r+4)throw new TypeError("Not enough space");if(n<0||n>4294967295)throw new TypeError("Invalid uint32 value");for(let i=0;i<4;i++)e[r+i]=n>>(3-i)*8&255}putUint64(e,n,r){if(e.length<r+8)throw new TypeError("Not enough space");if(n<0||n>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let i=0;i<8;i++)e[r+i]=Number(n>>BigInt((7-i)*8)&0xffn)}}const Np=new Rw;function kt(t,e){return(t<<32-e|t>>>e)>>>0}function Lw(t){const e=new Uw;return e.update(t),e.digest()}class 
Uw{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let n=0;if(this.currentBlockSize>0){const r=e.slice(0,64-this.currentBlockSize);this.blocks.set(r,this.currentBlockSize),this.process(),n+=r.byteLength,this.currentBlockSize=0}for(;n+64<=e.byteLength;){const r=e.slice(n,n+64);this.blocks.set(r),this.process(),n+=64}if(e.byteLength-n>0){const r=e.slice(n);this.blocks.set(r),this.currentBlockSize=r.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),Np.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let n=0;n<8;n++)Np.putUint32(e,this.H[n],n*4);return e}process(){for(let u=0;u<16;u++)this.w[u]=(this.blocks[u*4]<<24|this.blocks[u*4+1]<<16|this.blocks[u*4+2]<<8|this.blocks[u*4+3])>>>0;for(let u=16;u<64;u++){const p=(kt(this.w[u-2],17)^kt(this.w[u-2],19)^this.w[u-2]>>>10)>>>0,f=(kt(this.w[u-15],7)^kt(this.w[u-15],18)^this.w[u-15]>>>3)>>>0;this.w[u]=p+this.w[u-7]+f+this.w[u-16]|0}let e=this.H[0],n=this.H[1],r=this.H[2],i=this.H[3],s=this.H[4],a=this.H[5],c=this.H[6],l=this.H[7];for(let u=0;u<64;u++){const 
p=(kt(s,6)^kt(s,11)^kt(s,25))>>>0,f=(s&a^~s&c)>>>0,m=l+p+f+Vw[u]+this.w[u]|0,v=(kt(e,2)^kt(e,13)^kt(e,22))>>>0,h=(e&n^e&r^n&r)>>>0,_=v+h|0;l=c,c=a,a=s,s=i+m|0,i=r,r=n,n=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=n+this.H[1]|0,this.H[2]=r+this.H[2]|0,this.H[3]=i+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=a+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const Vw=new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new 
BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class qw{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' 
field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function Mw(t){const e=Lw(new TextEncoder().encode(t));return Ug(e)}function Dw(){const t=new Uint8Array(32);return crypto.getRandomValues(t),Ug(t)}function Ur(t,e){const n=new TextEncoder().encode(e.toString()),r=new Request(t,{method:"POST",body:n});return r.headers.set("Content-Type","application/x-www-form-urlencoded"),r.headers.set("Accept","application/json"),r.headers.set("User-Agent","arctic"),r.headers.set("Content-Length",n.byteLength.toString()),r}function ha(t,e){const n=new TextEncoder().encode(`${t}:${e}`);return Tw(n)}async function Hs(t){let e;try{e=await fetch(t)}catch(n){throw new Mg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);let r;try{r=qg(n)}catch{throw new Gn(e.status,n)}throw r}if(e.status===200){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);return new qw(n)}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}async function Hw(t){let e;try{e=await 
fetch(t)}catch(n){throw new Mg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Gn(e.status,null)}if(typeof n!="object"||n===null)throw new Gn(e.status,n);let r;try{r=qg(n)}catch{throw new Gn(e.status,n)}throw r}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}function qg(t){let e;if("error"in t&&typeof t.error=="string")e=t.error;else throw new Error("Invalid error response");let n=null,r=null,i=null;if("error_description"in t){if(typeof t.error_description!="string")throw new Error("Invalid data");n=t.error_description}if("error_uri"in t){if(typeof t.error_uri!="string")throw new Error("Invalid data");r=t.error_uri}if("state"in t){if(typeof t.state!="string")throw new Error("Invalid data");i=t.state}return new Fw(e,n,r,i)}class Mg extends Error{constructor(e){super("Failed to send request",{cause:e})}}class Fw extends Error{constructor(n,r,i,s){super(`OAuth request error: ${n}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=n,this.description=r,this.uri=i,this.state=s}}class Hi extends Error{constructor(n){super("Unexpected error response");te(this,"status");this.status=n}}class Gn extends Error{constructor(n,r){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=n,this.data=r}}class ru{constructor(e,n,r){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=n,this.redirectURI=r}createAuthorizationURL(e,n,r){const i=new URL(e);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&i.searchParams.set("redirect_uri",this.redirectURI),i.searchParams.set("state",n),r.length>0&&i.searchParams.set("scope",r.join(" ")),i}createAuthorizationURLWithPKCE(e,n,r,i,s){const a=new 
URL(e);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&a.searchParams.set("redirect_uri",this.redirectURI),a.searchParams.set("state",n),r===ti.S256){const c=Mw(i);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",c)}else r===ti.Plain&&(a.searchParams.set("code_challenge_method","plain"),a.searchParams.set("code_challenge",i));return s.length>0&&a.searchParams.set("scope",s.join(" ")),a}async validateAuthorizationCode(e,n,r){const i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",n),this.redirectURI!==null&&i.set("redirect_uri",this.redirectURI),r!==null&&i.set("code_verifier",r),this.clientPassword===null&&i.set("client_id",this.clientId);const s=Ur(e,i);if(this.clientPassword!==null){const c=ha(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Hs(s)}async refreshAccessToken(e,n,r){const i=new URLSearchParams;i.set("grant_type","refresh_token"),i.set("refresh_token",n),this.clientPassword===null&&i.set("client_id",this.clientId),r.length>0&&i.set("scope",r.join(" "));const s=Ur(e,i);if(this.clientPassword!==null){const c=ha(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Hs(s)}async revokeToken(e,n){const r=new URLSearchParams;r.set("token",n),this.clientPassword===null&&r.set("client_id",this.clientId);const i=Ur(e,r);if(this.clientPassword!==null){const s=ha(this.clientId,this.clientPassword);i.headers.set("Authorization",`Basic ${s}`)}await Hw(i)}}var ti;(function(t){t[t.S256=0]="S256",t[t.Plain=1]="Plain"})(ti||(ti={}));var jp;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(jp||(jp={}));var $p;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})($p||($p={}));function Vr(t){return Kw(t,Ww,Fs.None)}function Kw(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let 
c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===Fs.Include&&(r+="=")}return r}const Ww="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Fs;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Fs||(Fs={}));var Op;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Op||(Op={}));function Gw(t,e,n){const r=Vr(new TextEncoder().encode(t)),i=Vr(new TextEncoder().encode(e)),s=Vr(n);return r+"."+i+"."+s}function Jw(t,e){const n=Vr(new TextEncoder().encode(t)),r=Vr(new TextEncoder().encode(e)),i=n+"."+r;return new TextEncoder().encode(i)}const Zw="https://appleid.apple.com/auth/authorize",Yw="https://appleid.apple.com/auth/token";class Dg{constructor(e,n,r,i,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=n,this.keyId=r,this.pkcs8PrivateKey=i,this.redirectURI=s}createAuthorizationURL(e,n){const r=new URL(Zw);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId);const r=await this.createClientSecret();n.set("client_secret",r);const i=Ur(Yw,n);return await Hs(i)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),n=Math.floor(Date.now()/1e3),r=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),i=JSON.stringify({iss:this.teamId,exp:n+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:n}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,Jw(r,i)));return Gw(r,i,s)}}const 
Xw="https://www.facebook.com/v16.0/dialog/oauth",Qw="https://graph.facebook.com/v16.0/oauth/access_token";class Hg{constructor(e,n,r){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=n,this.redirectURI=r}createAuthorizationURL(e,n){const r=new URL(Xw);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId),n.set("client_secret",this.clientSecret);const r=Ur(Qw,n);return await Hs(r)}}const eb="https://accounts.google.com/o/oauth2/v2/auth",Tp="https://oauth2.googleapis.com/token",tb="https://oauth2.googleapis.com/revoke";let Fg=class{constructor(e,n,r){te(this,"client");this.client=new ru(e,n,r)}createAuthorizationURL(e,n,r){return this.client.createAuthorizationURLWithPKCE(eb,e,ti.S256,n,r)}async validateAuthorizationCode(e,n){return await this.client.validateAuthorizationCode(Tp,e,n)}async refreshAccessToken(e){return await this.client.refreshAccessToken(Tp,e,[])}async revokeToken(e){await this.client.revokeToken(tb,e)}};const Jo=o.z.object({iss:o.z.string().url(),sub:o.z.string(),aud:o.z.string(),exp:o.z.number(),email:o.z.string().optional(),given_name:o.z.string().optional(),family_name:o.z.string().optional(),name:o.z.string().optional(),iat:o.z.number(),auth_time:o.z.number().optional(),nonce:o.z.string().optional(),acr:o.z.string().optional(),amr:o.z.array(o.z.string()).optional(),azp:o.z.string().optional(),at_hash:o.z.string().optional(),c_hash:o.z.string().optional()}).passthrough();Jo.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function nb(t){return t.ISSUER}function _t(t){return 
t.UNIVERSAL_LOGIN_URL||`${t.ISSUER}u/`}function je(t){return t.OAUTH_API_URL||t.ISSUER}function Kg(t){const{options:e}=t;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const n=Buffer.from(e.app_secret,"utf-8"),r=n.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),i=Uint8Array.from(Buffer.from(r,"base64"));return n.fill(0),{options:e,keyArray:i}}async function rb(t,e){var l,u;const{options:n,keyArray:r}=Kg(e),i=new Dg(n.client_id,n.team_id,n.kid,r,`${je(t.env)}callback`),s=xe(),a=await i.createAuthorizationURL(s,((l=n.scope)==null?void 0:l.split(" "))||["name","email"]);return(((u=n.scope)==null?void 0:u.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&a.searchParams.set("response_mode","form_post"),{redirectUrl:a.href,code:s}}async function ib(t,e,n){const{options:r,keyArray:i}=Kg(e),a=await new Dg(r.client_id,r.team_id,r.kid,i,`${je(t.env)}callback`).validateAuthorizationCode(n),c=ol(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Jo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const sb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:rb,validateAuthorizationCodeAndGetUser:ib},Symbol.toStringTag,{value:"Module"}));async function ob(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new Hg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe();return{redirectUrl:r.createAuthorizationURL(i,((a=n.scope)==null?void 0:a.split(" "))||["email"]).href,code:i}}async function ab(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new Hg(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n),a=await 
fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!a.ok)throw new Error("Failed to fetch user info");const c=await a.json();return t.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const cb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:ob,validateAuthorizationCodeAndGetUser:ab},Symbol.toStringTag,{value:"Module"}));async function lb(t,e){var c;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required Google authentication parameters");const r=new Fg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe(),s=Dw();return{redirectUrl:r.createAuthorizationURL(i,s,((c=n.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:i,codeVerifier:s}}async function ub(t,e,n,r){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret||!r)throw new Error("Missing required authentication parameters");const a=await new Fg(i.client_id,i.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n,r),c=ol(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Jo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const db=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:lb,validateAuthorizationCodeAndGetUser:ub},Symbol.toStringTag,{value:"Module"}));async function pb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new ru(n.client_id,n.client_secret,`${je(t.env)}callback`),i=xe(),s=r.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",i,((a=n.scope)==null?void 0:a.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return 
s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:i}}async function fb(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new ru(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",n,null),a=ol(s.idToken());if(!a)throw new Error("Invalid ID token");const c=Jo.parse(a.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new z(400,{message:"Failed to get user from vipps"});return await l.json()}const hb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:pb,validateAuthorizationCodeAndGetUser:fb},Symbol.toStringTag,{value:"Module"}));function Wg(t,e){const n=t.env.STRATEGIES||{},i={apple:sb,facebook:cb,"google-oauth2":db,vipps:hb,...n}[e];if(!i)throw new Error(`Strategy ${e} not found`);return i}async function Zo(t,e){const n=await t.data.clients.get(e);if(!n)throw new z(403,{message:"Client not found"});const r=t.DEFAULT_CLIENT_ID?await t.data.clients.get(t.DEFAULT_CLIENT_ID):void 0,i=await t.data.connections.list(n.tenant.id),s=t.DEFAULT_TENANT_ID?await t.data.connections.list(t.DEFAULT_TENANT_ID):{connections:[]},a=i.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(f=>f.name===c.name);return l!=null&&l.options?Kt.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...n,web_origins:[...(r==null?void 0:r.web_origins)||[],...n.web_origins||[],`${_t(t)}login`],allowed_logout_urls:[...(r==null?void 0:r.allowed_logout_urls)||[],...n.allowed_logout_urls||[],t.ISSUER],callbacks:[...(r==null?void 
0:r.callbacks)||[],...n.callbacks||[],`${_t(t)}info`],connections:a,tenant:{...(r==null?void 0:r.tenant)||{},...n.tenant}}}function Yo(t,e=[],n={}){try{const r=new URL(t);return e.some(i=>{try{return gb(r,new URL(i),n.allowPathWildcards)}catch{return!1}})}catch{return!1}}function gb(t,e,n){if(t.protocol!==e.protocol)return!1;if(n&&e.pathname.includes("*")){const r=e.pathname.replace(/\*/g,".*").replace(/\//g,"\\/");if(!new RegExp(`^${r}$`).test(t.pathname))return!1}else if(t.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const r=e.hostname.split(".").slice(1).join(".");return t.hostname.endsWith(r)}return t.hostname===e.hostname}async function mb(t,e,n,r){if(!r.state)throw new z(400,{message:"State not found"});const i=e.connections.find(l=>l.name===n);if(!i){t.set("client_id",e.id);const l=ve(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await t.env.data.logs.create(e.tenant.id,l),new z(403,{message:"Connection Not Found"})}let s=await t.env.data.loginSessions.get(e.tenant.id,r.state);s||(s=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:r,csrf_token:xe(),...on(t.req)}));const c=await Wg(t,i.strategy).getRedirect(t,i);return await t.env.data.codes.create(e.tenant.id,{login_id:s.id,code_id:c.code,code_type:"oauth2_state",connection_id:i.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+N_*1e3).toISOString()}),t.redirect(c.redirectUrl)}async function Bp(t,{code:e,state:n}){var h;const{env:r}=t,i=await r.data.codes.get(t.var.tenant_id||"",n,"oauth2_state");if(!i||!i.connection_id)throw new z(403,{message:"State not found"});const s=await r.data.loginSessions.get(t.var.tenant_id||"",i.login_id);if(!s)throw new z(403,{message:"Session not found"});const a=await Zo(r,s.authParams.client_id);t.set("client_id",a.id),t.set("tenant_id",a.tenant.id);const 
c=a.connections.find(_=>_.id===i.connection_id);if(!c){const _=ve(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await r.data.logs.create(a.tenant.id,_),new z(403,{message:"Connection not found"})}if(t.set("connection",c.name),!s.authParams.redirect_uri){const _=ve(t,{type:he.FAILED_LOGIN,description:"Redirect URI not defined"});throw await r.data.logs.create(a.tenant.id,_),new z(403,{message:"Redirect URI not defined"})}if(!Yo(s.authParams.redirect_uri,a.callbacks||[],{allowPathWildcards:!0})){const _=`Invalid redirect URI - ${s.authParams.redirect_uri}`,w=ve(t,{type:he.FAILED_LOGIN,description:_});throw await r.data.logs.create(a.tenant.id,w),new z(403,{message:_})}const u=await Wg(t,c.strategy).validateAuthorizationCodeAndGetUser(t,c,e,i.code_verifier),{sub:p,...f}=u;t.set("user_id",p);const m=((h=u.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(t.env.ISSUER).hostname}`;t.set("username",m);const v=await io(t,{client:a,email:m,provider:c.strategy,connection:c.name,userId:p,profileData:f,isSocial:!0,ip:t.req.header("x-real-ip")});return an(t,{client:a,authParams:s.authParams,loginSession:s,user:v})}async function Pp(t,e,n,r,i,s){const a=await t.env.data.codes.get(t.var.tenant_id||"",e,"oauth2_state");if(!a)throw new z(400,{message:"State not found"});const c=await t.env.data.loginSessions.get(t.var.tenant_id,a.login_id);if(!c)throw new z(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new z(400,{message:"Redirect uri not found"});const u=ve(t,{type:he.FAILED_LOGIN,description:`Failed connection login: ${i} ${n}, ${r}`});nt(t,t.env.data.logs.create(t.var.tenant_id,u));const p=new URL(l);return Ow(p,{error:n,error_description:r,error_reason:s,error_code:i,state:c.authParams.state}),t.redirect(`${_t(t.env)}enter-email?state=${c.id}&error=${n}`)}const _b=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("query");if(r)return Pp(t,e,r,i,s,a);if(!n)throw new z(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}).openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("form");if(r)return Pp(t,e,r,i,s,a);if(!n)throw new z(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}),yb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),returnTo:o.z.string().optional()}),header:o.z.object({cookie:o.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async t=>{const{client_id:e,returnTo:n}=t.req.valid("query"),r=await t.env.data.clients.get(e);if(!r)return t.text("OK");const i=await t.env.data.clients.get("DEFAULT_CLIENT");t.set("client_id",e),t.set("tenant_id",r.tenant.id);const s=n||t.req.header("referer");if(!s)return t.text("OK");if(!Yo(s,[...r.allowed_logout_urls||[],...(i==null?void 
0:i.allowed_logout_urls)||[]],{allowPathWildcards:!0}))throw new z(400,{message:"Invalid redirect uri"});const a=t.req.header("cookie");if(a){const l=cs(r.tenant.id,a);if(l){const u=await t.env.data.sessions.get(r.tenant.id,l);if(u){const p=await t.env.data.users.get(r.tenant.id,u.user_id);p&&(t.set("user_id",p.user_id),t.set("connection",p.connection));const f=await t.env.data.refreshTokens.list(r.tenant.id,{q:`session_id=${l}`,page:0,per_page:100,include_totals:!1});await Promise.all(f.refresh_tokens.map(m=>t.env.data.refreshTokens.remove(r.tenant.id,m.id))),await t.env.data.sessions.update(r.tenant.id,l,{revoked_at:new Date().toISOString()})}}}const c=ve(t,{type:he.SUCCESS_LOGOUT,description:"User successfully logged out"});return await t.env.data.logs.create(r.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":B_(r.tenant.id,t.req.header("host")),location:s}})}),Rp=o.z.object({sub:o.z.string(),email:o.z.string().optional(),family_name:o.z.string().optional(),given_name:o.z.string().optional(),email_verified:o.z.boolean()}),vb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:Rp}},description:"Userinfo"}}}),async t=>{if(!t.var.user)throw new z(404,{message:"User not found"});const e=await t.env.data.users.get(t.var.user.tenant_id,t.var.user.sub);if(!e)throw new z(404,{message:"User not found"});return t.json(Rp.parse({...e,sub:e.user_id}))}),wb=new o.OpenAPIHono().openapi(o.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:mf}},description:"List of tenants"}}}),async t=>{const e=await t.env.data.keys.list(),n=await Promise.all(e.map(async r=>{const s=await new tu(r.cert).publicKey.export(),a=await crypto.subtle.exportKey("jwk",s);return rl.parse({...a,kid:r.kid})}));return 
t.json({keys:n},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${ji}, stale-while-revalidate=${ji*2}, stale-if-error=86400`}})}).openapi(o.createRoute({tags:["well known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:Ea}},description:"List of tenants"}}}),async t=>{const e=Ea.parse({issuer:nb(t.env),authorization_endpoint:`${je(t.env)}authorize`,token_endpoint:`${je(t.env)}oauth/token`,device_authorization_endpoint:`${je(t.env)}oauth/device/code`,userinfo_endpoint:`${je(t.env)}userinfo`,mfa_challenge_endpoint:`${je(t.env)}mfa/challenge`,jwks_uri:`${je(t.env)}.well-known/jwks.json`,registration_endpoint:`${je(t.env)}oidc/register`,revocation_endpoint:`${je(t.env)}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return t.json(e,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${ji}, stale-while-revalidate=${ji*2}, stale-if-error=86400`}})});function Fi(t,e){if(!t||!e||t.length!==e.length)return!1;let n=0;for(let 
r=0;r<t.length;r++)n|=t.charCodeAt(r)^e.charCodeAt(r);return n===0}const Gg=o.z.object({grant_type:o.z.literal("client_credentials"),scope:o.z.string().optional(),client_secret:o.z.string(),client_id:o.z.string(),audience:o.z.string().optional()});async function bb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Invalid client credentials"});if(n.client_secret&&!Fi(n.client_secret,e.client_secret))throw new z(403,{message:"Invalid client credentials"});const r={client_id:n.id,scope:e.scope,audience:e.audience},i=await to(t,{authParams:r,client:n});return t.json(i)}const kb=o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string().optional(),client_secret:o.z.string().optional(),code_verifier:o.z.string().optional()}).refine(t=>"client_secret"in t&&!("code_verifier"in t)||!("client_secret"in t)&&"code_verifier"in t,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function xb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Client not found"});const r=await t.env.data.codes.get(n.tenant.id,e.code,"authorization_code");if(!r||!r.user_id)throw new z(403,{message:"Invalid client credentials"});if(new Date(r.expires_at)<new Date)throw new z(403,{message:"Code expired"});if(r.used_at)throw new z(403,{message:"Code already used"});const i=await t.env.data.loginSessions.get(n.tenant.id,r.login_id);if(!i)throw new z(403,{message:"Invalid login"});if("client_secret"in e){const a=await t.env.data.clients.get("DEFAULT_CLIENT");if(!Fi(n.client_secret,e.client_secret)&&!Fi(a==null?void 0:a.client_secret,e.client_secret))throw new z(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in i.authParams&&typeof i.authParams.code_challenge_method=="string"){const a=await 
E_(e.code_verifier,i.authParams.code_challenge_method);if(!Fi(a,i.authParams.code_challenge||""))throw new z(403,{message:"Invalid client credentials"})}if(i.authParams.redirect_uri&&i.authParams.redirect_uri!==e.redirect_uri)throw new z(403,{message:"Invalid redirect uri"});const s=await t.env.data.users.get(n.tenant.id,r.user_id);if(!s)throw new z(403,{message:"User not found"});return await t.env.data.codes.used(n.tenant.id,e.code),an(t,{user:s,client:n,loginSession:i,authParams:{...i.authParams,response_mode:Xt.WEB_MESSAGE}})}const Sb=o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),redirect_uri:o.z.string().optional(),refresh_token:o.z.string()});async function Ab(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new z(403,{message:"Client not found"});const r=await t.env.data.refreshTokens.get(n.tenant.id,e.refresh_token);if(r){if(r.expires_at&&new Date(r.expires_at)<new Date||r.idle_expires_at&&new Date(r.idle_expires_at)<new Date)throw new z(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Refresh token has expired"})})}else throw new z(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Invalid refresh token"})});const i=await t.env.data.users.get(n.tenant.id,r.user_id);if(!i)throw new z(403,{message:"User not found"});const s=r.resource_servers[0];if(r.idle_expires_at){const a=new Date(Date.now()+2592e6);await t.env.data.refreshTokens.update(n.tenant.id,r.id,{idle_expires_at:a.toISOString(),last_exchanged_at:new Date().toISOString(),device:{...r.device,last_ip:t.req.header["x-real-ip"]||"",last_user_agent:t.req.header["user-agent"]||""}})}return an(t,{user:i,client:n,refreshToken:r.id,sessionId:r.session_id,authParams:{client_id:n.id,audience:s==null?void 0:s.audience,scope:s==null?void 0:s.scopes,response_mode:Xt.WEB_MESSAGE}})}const 
Lp=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),Eb=o.z.union([Gg.extend(Lp.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Lp.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()})]);function Ib(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const zb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:Eb}}}},responses:{200:{content:{"application/json":{schema:kf}},description:"Tokens"}}}),async t=>{const e=t.req.valid("form"),n=Ib(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new z(400,{message:"client_id is required"});switch(t.set("client_id",r.client_id),e.grant_type){case Tr.AuthorizationCode:return xb(t,kb.parse(r));case Tr.ClientCredential:return bb(t,Gg.parse(r));case Tr.RefreshToken:return Ab(t,Sb.parse(r));default:throw new z(400,{message:"Not implemented"})}});var iu={exports:{}};const su=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],Jg=(t,e=su,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(c=>new RegExp(`${c.regex}`).test(r)).map(c=>c.message),s.length=r.length;let 
a=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,a[0]),s};iu.exports={passwordStrength:Jg,defaultOptions:su};var Cb=iu.exports.passwordStrength=Jg;iu.exports.defaultOptions=su;function ou(t){return Cb(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Si(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new z(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new z(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function Zg(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});const s=`${_t(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Si(t,{to:e,subject:se("reset_password_title",a),html:`Click here to reset your password: ${_t(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:se("password_reset_title",a),resetPasswordEmailClickToReset:se("reset_password_email_click_to_reset",a),resetPasswordEmailReset:se("reset_password_email_reset",a),supportInfo:se("support_info",a),contactUs:se("contact_us",a),copyright:se("copyright",a)}})}async function Yg(t,e,n){const r=await t.env.data.tenants.get(t.var.tenant_id);if(!r)throw new z(500,{message:"Tenant not found"});const i={vendorName:r.name,code:n,lng:r.language||"en"};await Si(t,{to:e,subject:se("code_email_subject",i),html:`Click here to validate your email: 
${_t(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:r.name,logo:r.logo||"",supportUrl:r.support_url||"",buttonColor:r.primary_color||"",welcomeToYourAccount:se("welcome_to_your_account",i),linkEmailClickToLogin:se("link_email_click_to_login",i),linkEmailLogin:se("link_email_login",i),linkEmailOrEnterCode:se("link_email_or_enter_code",i),codeValid30Mins:se("code_valid_30_minutes",i),supportInfo:se("support_info",i),contactUs:se("contact_us",i),copyright:se("copyright",i)}});const s=ve(t,{type:he.CODE_LINK_SENT,description:e});nt(t,t.env.data.logs.create(r.id,s))}async function au(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new z(400,{message:"redirect_uri is required"});const s=new URL(je(t.env));s.pathname="passwordless/verify_redirect",s.searchParams.set("verification_code",n),s.searchParams.set("connection","email"),s.searchParams.set("client_id",r.client_id),s.searchParams.set("redirect_uri",r.redirect_uri),s.searchParams.set("email",e),r.response_type&&s.searchParams.set("response_type",r.response_type),r.scope&&s.searchParams.set("scope",r.scope),r.state&&s.searchParams.set("state",r.state),r.nonce&&s.searchParams.set("nonce",r.nonce),r.code_challenge&&s.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&s.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&s.searchParams.set("audience",r.audience);const a={vendorName:i.name,code:n,lng:i.language||"en"};await Si(t,{to:e,subject:se("code_email_subject",a),html:`Click here to validate your email: 
${_t(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:s.toString(),buttonColor:i.primary_color||"",welcomeToYourAccount:se("welcome_to_your_account",a),linkEmailClickToLogin:se("link_email_click_to_login",a),linkEmailLogin:se("link_email_login",a),linkEmailOrEnterCode:se("link_email_or_enter_code",a),codeValid30Mins:se("code_valid_30_minutes",a),supportInfo:se("support_info",a),contactUs:se("contact_us",a),copyright:se("copyright",a)}});const c=ve(t,{type:he.CODE_LINK_SENT,description:e});nt(t,t.env.data.logs.create(i.id,c))}async function cu(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new z(500,{message:"Tenant not found"});const r={vendorName:n.name,lng:n.language||"en"};await Si(t,{to:e.email,subject:se("welcome_to_your_account",r),html:`Click here to validate your email: ${_t(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${_t(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:se("welcome_to_your_account",r),verifyEmailVerify:se("verify_email_verify",r),supportInfo:se("support_info",r),contactUs:se("contact_us",r),copyright:se("copyright",r)}})}async function Nb(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new z(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${_t(t.env)}signup?state=${r}&code=${n}`;await Si(t,{to:e,subject:se("register_password_account",s),html:`Click here to register: 
${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:se("set_password",s),registerPasswordAccount:se("register_password_account",s),clickToSignUpDescription:se("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:se("welcome_to_your_account",s),verifyEmailVerify:se("verify_email_verify",s),supportInfo:se("support_info",s),contactUs:se("contact_us",s),copyright:se("copyright",s)}})}const jb=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.clients.get(r);if(!i)throw new z(400,{message:"Client not found"});if(t.set("client_id",i.id),t.set("tenant_id",i.tenant.id),!ou(n))throw new z(400,{message:"Password does not meet the requirements"});if(await ls({userAdapter:t.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))throw new z(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Xs()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const c=await si.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:c,algorithm:"bcrypt"}),await cu(t,a);const l=ve(t,{type:he.SUCCESS_SIGNUP,description:"Successful signup"});return await 
t.env.data.logs.create(i.tenant.id,l),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.clients.get(n);if(!r)throw new z(400,{message:"Client not found"});if(t.set("client_id",r.id),t.set("tenant_id",r.tenant.id),!await ur({userAdapter:t.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:s,csrf_token:xe(),...on(t.req)});return await Zg(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Bn(){const t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}async function lu(t,e,n,r,i,s,a){const{env:c}=t,l=await c.data.codes.get(e.tenant.id,i,"otp");if(!l)throw new z(400,{message:"Code not found or expired"});if(l.expires_at<new Date().toISOString())throw new z(400,{message:"Code expired"});if(l.used_at)throw new z(400,{message:"Code already used"});const u=await c.data.loginSessions.get(e.tenant.id,l.login_id);if(!u||u.authParams.username!==r)throw new z(400,{message:"Code not found or expired"});const p=on(t.req);if(a&&u.ip!==p.ip)return t.redirect(`${_t(t.env)}invalid-session?state=${u.id}`);if(n.redirect_uri&&!Yo(n.redirect_uri,e.callbacks,{allowPathWildcards:!0}))throw new z(400,{message:`Invalid redirect URI - 
${n.redirect_uri}`});const f=await io(t,{client:e,email:r,provider:"email",connection:"email",isSocial:!1,ip:t.req.header("x-real-ip")});return await c.data.codes.used(e.tenant.id,i),an(t,{user:f,client:e,loginSession:u,authParams:n,ticketAuth:s})}const $b=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:tl.omit({client_id:!0})})}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,email:i,send:s,authParams:a}=e,c=await t.env.data.clients.get(r);if(!c)throw new z(400,{message:"Client not found"});t.set("client_id",c.id),t.set("tenant_id",c.tenant.id);const l=await n.data.loginSessions.create(c.tenant.id,{authParams:{...a,client_id:r,username:i},expires_at:new Date(Date.now()+Ca).toISOString(),csrf_token:xe(),...on(t.req)}),u=await n.data.codes.create(c.tenant.id,{code_id:Bn(),code_type:"otp",login_id:l.id,expires_at:new Date(Date.now()+Ca).toISOString()});return s==="link"?await au(t,i,u.code_id,{...a,client_id:r}):await Yg(t,i,u.code_id),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(Pt),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Status"}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:c,audience:l,response_type:u,nonce:p}=t.req.valid("query"),f=await Zo(e,n);return 
t.set("client_id",f.id),t.set("tenant_id",f.tenant.id),t.set("connection","email"),lu(t,f,{client_id:n,redirect_uri:s,state:a,nonce:p,scope:c,audience:l,response_type:u},r,i,!1,!0)});class Cr extends z{constructor(n,r){super(n,r);te(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function uu(t,e,n,r,i){const{env:s}=t,a=n.username;if(t.set("username",a),!a)throw new z(400,{message:"Username is required"});const c=await ur({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:a,provider:"auth2"});if(!c){const h=ve(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=c.linked_to?await s.data.users.get(e.tenant.id,c.linked_to):c;if(!l)throw new Cr(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",c.connection),t.set("user_id",l.user_id);const u=await s.data.passwords.get(e.tenant.id,c.user_id);if(!(u&&await si.compare(n.password,u.password))){const h=ve(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await s.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(h=>h.type===he.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(h.date)>new Date(Date.now()-1e3*60*5)).length>=3){const h=ve(t,{type:he.FAILED_LOGIN,description:"Too many failed login attempts"});throw nt(t,t.env.data.logs.create(e.tenant.id,h)),new Cr(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!c.email_verified&&e.email_validation==="enforced"){await cu(t,c);const h=ve(t,{type:he.FAILED_LOGIN,description:"Email not verified"});throw await t.env.data.logs.create(e.tenant.id,h),new Cr(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const 
v=ve(t,{type:he.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return nt(t,t.env.data.logs.create(e.tenant.id,v)),an(t,{client:e,authParams:n,user:l,ticketAuth:i,loginSession:r})}async function Ob(t,e,n,r){await io(t,{client:e,email:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.req.header("x-real-ip")});let i=Bn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Bn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+O_).toISOString(),authParams:{client_id:e.id,username:n},csrf_token:xe(),...on(t.req)}),c=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:a.id,expires_at:new Date(Date.now()+$_).toISOString()});await Zg(t,n,c.code_id,r)}const Tb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.clients.get(n);if(!i)throw new z(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase();if("otp"in e)return lu(t,i,{client_id:n,username:s},s,e.otp,!0);if("password"in 
e){const a=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:xe(),...on(t.req)});return uu(t,i,{username:s,password:e.password,client_id:n},a,!0)}else throw new z(400,{message:"Code or password required"})});function Bb(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=ga(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let c;if(a.startsWith("http://")||a.startsWith("https://")?c=((i=ga(a))==null?void 0:i.host)??null:c=((s=ga("https://"+a))==null?void 0:s.host)??null,n===c)return!0}return!1}function ga(t){try{return new URL(t)}catch{return null}}async function Pb({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:r,csrf_token:xe(),authorization_url:t.req.url,...on(t.req)});if(e&&s){const c=await t.env.data.users.get(n.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return an(t,{client:n,loginSession:a,authParams:r,user:c,sessionId:e.id})}if(i==="email"&&s){const c=Bn();return await t.env.data.codes.create(n.tenant.id,{code_id:c,code_type:"otp",login_id:a.id,expires_at:new Date(Date.now()+Jn*1e3).toISOString()}),await au(t,s,c,r),t.redirect(`/u/enter-code?state=${a.id}`)}return e?t.redirect(`/u/check-account?state=${a.id}`):t.redirect(`/u/enter-email?state=${a.id}`)}function Rb(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new z(403,{message:"Invalid realm"})}async function Lb(t,e,n,r,i){var m;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new z(403,{message:"Ticket not found"});const c=await s.data.loginSessions.get(e,a.login_id);if(!c||!c.authParams.username)throw new z(403,{message:"Session not found"});const l=await s.data.clients.get(c.authParams.client_id);if(!l)throw new z(403,{message:"Client 
not found"});t.set("client_id",c.authParams.client_id),await s.data.codes.used(e,n);const u=Rb(i);let p=await io(t,{email:c.authParams.username,provider:u,client:l,connection:u==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.req.header("x-real-ip")});t.set("username",p.email),t.set("user_id",p.user_id);const f=await Ff(t,{user:p,client:l,loginSession:c});return an(t,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...r},loginSession:c,sessionId:f.id,user:p,client:l})}async function Up(t,e){return`<!DOCTYPE html>
|
|
150
150
|
<html>
|
|
151
151
|
|
|
152
152
|
<head>
|
package/dist/authhero.d.ts
CHANGED
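--- a/package/dist/authhero.mjs
+++ b/package/dist/authhero.mjs
@@ -5549,14 +5549,14 @@ async function Ks(t, e) {
 aud: n.audience || "default",
 scope: n.scope || "",
 sub: (r == null ? void 0 : r.user_id) || n.client_id,
-iss: t.env.ISSUER,
+iss: t.var.custom_domain ? `https://${t.var.custom_domain}` : t.env.ISSUER,
 tenant_id: t.var.tenant_id,
 sid: s
 }, f = r && ((_ = n.scope) != null && _.split(" ").includes("openid")) ? {
 // The audience for an id token is the client id
 aud: n.client_id,
 sub: r.user_id,
-iss: t.env.ISSUER,
+iss: t.var.custom_domain ? `https://${t.var.custom_domain}` : t.env.ISSUER,
 sid: s,
 nonce: n.nonce,
 given_name: r.given_name,
@@ -17298,7 +17298,7 @@ async function Zl(t, e) {
 if (n) {
 const i = await t.env.data.customDomains.getByDomain(n);
 if (i)
-return t.set("tenant_id", i.tenant_id), t.set("custom_domain", n), await e();
+return t.set("tenant_id", i.tenant_id), t.set("custom_domain", n), await e();
 }
 const r = t.req.header("host");
 if (r) {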
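Review bot: The new `iss` value at both `iss:` lines in Ks is built from `t.var.custom_domain`, which Zl sets to the request-derived `n` rather than to a value read from the record `i` that `getByDomain(n)` returned. Where `n` comes from is outside the hunk (Zl starts before it), so if that lookup is case-insensitive or tolerates a port or trailing dot, the issuer string in signed tokens would follow whatever spelling the request used, and relying parties that compare `iss` exactly would reject them. I would pass the canonical, lower-cased domain from the stored record to `t.set("custom_domain", …)`, and confirm that the discovery document served on that host advertises the same issuer, including any trailing slash that `t.env.ISSUER` carries. The ternary is also repeated for the access token and the id token; computing it once in a local would keep the two claims from drifting apart. This file is build output, so the change belongs in the source module.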