authhero 0.110.0 → 0.112.0

package/dist/authhero.cjs CHANGED
@@ -26,7 +26,7 @@
26
26
  }};
27
27
  <\/script>
28
28
  </body>
29
- </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function my(t,e,n,r,i){var m,w,h;if(!n.redirect_uri)throw new I(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new I(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new I(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new I(400,{message:"Missing recipient or inResponseTo"});const d=JSON.parse(n.state),p=new URL(n.redirect_uri),f=await _y(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:d.requestId,userId:((h=(w=r.app_metadata)==null?void 0:w.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return gy(p.toString(),f,d.relayState)}async function _y(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new 
Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${ke()}`,c=e.assertionId||`_${ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new hy.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var yy={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},wy=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(yy))if(vy(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},vy=t=>navigator.userAgent.startsWith(t);function rt(t,e){wy()==="workerd"&&t.executionCtx.waitUntil(e)}function cn(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Zd=["sub","iss","aud","exp","nbf","iat","jti"];async function no(t,e){var v,A;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(C=>!C.revoked_at||new Date(C.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new I(500,{message:"No signing key available"});const d=V0(l.pkcs7),p=t.var.custom_domain?`https://${t.var.custom_domain}/`:t.env.ISSUER,f={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:p,tenant_id:t.var.tenant_id,sid:s},m=r&&((v=n.scope)!=null&&v.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:p,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(A=t.env.hooks)!=null&&A.onExecuteCredentialsExchange&&await 
t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(C,O)=>{if(Zd.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);f[C]=O}},idToken:{setCustomClaim:(C,O)=>{if(Zd.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);m&&(m[C]=O)}},access:{deny:C=>{throw new I(400,{message:`Access denied: ${C}`})}}});const w={includeIssuedTimestamp:!0,expiresIn:new ll(1,"d"),headers:{kid:l.kid}},h=await Hd("RS256",d,f,w),_=m?await Hd("RS256",d,m,w):void 0;return{access_token:h,refresh_token:e.refresh_token,id_token:_,token_type:"Bearer",expires_in:86400}}async function Df(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:ke(),...cn(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:ke(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+H0*1e3).toISOString()})).code_id,state:e.authParams.state}}async function by(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:ke(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+eo*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Hf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:ke(),user_id:e.user_id,idle_expires_at:new 
Date(Date.now()+eo*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await by(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function ln(t,e){var w;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=we(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(rt(t,t.env.data.logs.create(i.tenant.id,a)),rt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new I(500,{message:"Login session not found"});const h=U0(),_=ke(12),v=await t.env.data.codes.create(i.tenant.id,{code_id:ke(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+K0).toISOString(),code_verifier:[_,h].join("|")});return t.json({login_ticket:v.code_id,co_verifier:h,co_id:_})}let c=e.refreshToken,l=e.sessionId,d=r;if(!l){if(!e.loginSession)throw new I(500,{message:"Login session not found"});d=await Ay(t,t.env.data)(i.tenant.id,r);const h=await Hf(t,{user:r,client:i,loginSession:e.loginSession});l=h.id,c=(w=h.refresh_token)==null?void 0:w.id}if(e.authParams.response_mode===Rt.SAML_POST)return my(t,e.client,e.authParams,d,l);const p=await no(t,{authParams:n,user:d,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Pf(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Rt.WEB_MESSAGE)return t.json(p,{headers:f});if((n.response_type||It.CODE)===It.CODE){const h=await Df(t,e);if(!n.redirect_uri)throw new I(400,{message:"Redirect uri not found"});const _=new 
URL(n.redirect_uri);_.searchParams.set("code",h.code),h.state&&_.searchParams.set("state",h.state),f.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:f})}async function xy(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return no(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:It.TOKEN,scope:n}})}async function gl(t,e,n){const r=await xy(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=we(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function ky(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await gl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function Sy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await gl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function Ay(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await gl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function zy(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(d,p)=>{r[d]=p}}})}catch{const p=we(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook 
failed"});await e.logs.create(n,p)}let s=await $0(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=we(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await ky(t)(n,s),s}}async function Ey(t,e,n,r){var i,s;if(e.disable_sign_ups&&!(((s=(i=t.var.loginSession)==null?void 0:i.authParams)==null?void 0:s.prompt)==="signup")&&!await io({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=we(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new I(400,{message:"Signups are disabled for this client"})}await Sy(t)(t.var.tenant_id||"",r)}function ro(t,e){return{...e,users:{...e.users,create:zy(t,e)}}}function Ff(t){return ro(t,t.env.data)}async function ml(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function fr({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function io({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ds({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await fr({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function 
so(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:d=""}=e;let p=await ds({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const f={user_id:`${r}|${a||Qs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:d,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Ff(t).users.create(s.tenant.id,f),t.set("user_id",p.user_id)}return p}const tn=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function hr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Yd=on.extend({users:o.z.array(At)}),Iy=on.extend({sessions:o.z.array(Xs)}),Cy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(At),Yd])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await 
t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[w]=m;if(!w)return t.json([]);const h=await t.env.data.users.get(a,w.linked_to);if(!h)throw new I(500,{message:"Primary account not found"});return t.json([At.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:hr(i),q:c.join(" ")}),d=l.users.filter(p=>!p.linked_to);return r?t.json(Yd.parse({users:d,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(At).parse(d))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:At}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new I(404);if(r.linked_to)throw new I(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new I(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ns.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:At}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new I(400,{message:"Email is required"});const 
i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Qs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=we(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});rt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Md(a.user_id),isSocial:a.is_social}]};return t.json(At.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new I(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ns.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new I(404);if(c.email&&c.email!==l.email){const f=await ml(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new I(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new I(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(p=l.identities)==null?void 0:p.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new I(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await oi.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const d=await t.env.data.users.get(n,i);if(!d)throw new I(500);return 
t.json(d)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new I(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Md(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(At)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new I(404);return 
t.json([At.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Xs),Iy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
29
+ </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function my(t,e,n,r,i){var m,w,h;if(!n.redirect_uri)throw new I(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new I(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new I(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new I(400,{message:"Missing recipient or inResponseTo"});const d=JSON.parse(n.state),p=new URL(n.redirect_uri),f=await _y(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:d.requestId,userId:((h=(w=r.app_metadata)==null?void 0:w.vimeo)==null?void 0:h.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return gy(p.toString(),f,d.relayState)}async function _y(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new 
Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${ke()}`,c=e.assertionId||`_${ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new hy.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var yy={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},wy=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(yy))if(vy(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},vy=t=>navigator.userAgent.startsWith(t);function rt(t,e){wy()==="workerd"&&t.executionCtx.waitUntil(e)}function cn(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Zd=["sub","iss","aud","exp","nbf","iat","jti"];async function no(t,e){var v,A;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(C=>!C.revoked_at||new Date(C.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new I(500,{message:"No signing key available"});const d=V0(l.pkcs7),p=t.var.custom_domain?`https://${t.var.custom_domain}/`:t.env.ISSUER,f={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:p,tenant_id:t.var.tenant_id,sid:s},m=r&&((v=n.scope)!=null&&v.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:p,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(A=t.env.hooks)!=null&&A.onExecuteCredentialsExchange&&await 
t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(C,O)=>{if(Zd.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);f[C]=O}},idToken:{setCustomClaim:(C,O)=>{if(Zd.includes(C))throw new Error(`Cannot overwrite reserved claim '${C}'`);m&&(m[C]=O)}},access:{deny:C=>{throw new I(400,{message:`Access denied: ${C}`})}}});const w={includeIssuedTimestamp:!0,expiresIn:new ll(1,"d"),headers:{kid:l.kid}},h=await Hd("RS256",d,f,w),_=m?await Hd("RS256",d,m,w):void 0;return{access_token:h,refresh_token:e.refresh_token,id_token:_,token_type:"Bearer",expires_in:86400}}async function Df(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:ke(),...cn(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:ke(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+H0*1e3).toISOString()})).code_id,state:e.authParams.state}}async function by(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:ke(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+eo*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Hf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:ke(),user_id:e.user_id,idle_expires_at:new 
Date(Date.now()+eo*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await by(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function ln(t,e){var w;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=we(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(rt(t,t.env.data.logs.create(i.tenant.id,a)),rt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new I(500,{message:"Login session not found"});const h=U0(),_=ke(12),v=await t.env.data.codes.create(i.tenant.id,{code_id:ke(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+K0).toISOString(),code_verifier:[_,h].join("|")});return t.json({login_ticket:v.code_id,co_verifier:h,co_id:_})}let c=e.refreshToken,l=e.sessionId,d=r;if(!l){if(!e.loginSession)throw new I(500,{message:"Login session not found"});d=await Ay(t,t.env.data)(i.tenant.id,r);const h=await Hf(t,{user:r,client:i,loginSession:e.loginSession});l=h.id,c=(w=h.refresh_token)==null?void 0:w.id}if(e.authParams.response_mode===Rt.SAML_POST)return my(t,e.client,e.authParams,d,l);const p=await no(t,{authParams:n,user:d,client:i,session_id:l,refresh_token:c}),f=new Headers({"set-cookie":Pf(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Rt.WEB_MESSAGE)return t.json(p,{headers:f});if((n.response_type||It.CODE)===It.CODE){const h=await Df(t,e);if(!n.redirect_uri)throw new I(400,{message:"Redirect uri not found"});const _=new 
URL(n.redirect_uri);_.searchParams.set("code",h.code),h.state&&_.searchParams.set("state",h.state),f.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:f})}async function xy(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return no(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:It.TOKEN,scope:n}})}async function gl(t,e,n){const r=await xy(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=we(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function ky(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await gl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function Sy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await gl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function Ay(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await gl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function zy(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(d,p)=>{r[d]=p}}})}catch{const p=we(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook 
failed"});await e.logs.create(n,p)}let s=await $0(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=we(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await ky(t)(n,s),s}}async function Ey(t,e,n,r){var i;if(e.disable_sign_ups){const s=(i=t.var.loginSession)==null?void 0:i.authorization_url;if(!(s&&new URL(s).searchParams.get("screen_hint")==="signup")&&!await io({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const l=we(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,l),new I(400,{message:"Signups are disabled for this client"})}}await Sy(t)(t.var.tenant_id||"",r)}function ro(t,e){return{...e,users:{...e.users,create:zy(t,e)}}}function Ff(t){return ro(t,t.env.data)}async function ml(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function fr({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function io({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ds({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await fr({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function 
so(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:d=""}=e;let p=await ds({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const f={user_id:`${r}|${a||Qs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:d,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Ff(t).users.create(s.tenant.id,f),t.set("user_id",p.user_id)}return p}const tn=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function hr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Yd=on.extend({users:o.z.array(At)}),Iy=on.extend({sessions:o.z.array(Xs)}),Cy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(At),Yd])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await 
t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[w]=m;if(!w)return t.json([]);const h=await t.env.data.users.get(a,w.linked_to);if(!h)throw new I(500,{message:"Primary account not found"});return t.json([At.parse(h)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:hr(i),q:c.join(" ")}),d=l.users.filter(p=>!p.linked_to);return r?t.json(Yd.parse({users:d,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(At).parse(d))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:At}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new I(404);if(r.linked_to)throw new I(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new I(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ns.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:At}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new I(400,{message:"Email is required"});const 
i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Qs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=we(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});rt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Md(a.user_id),isSocial:a.is_social}]};return t.json(At.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new I(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ns.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new I(404);if(c.email&&c.email!==l.email){const f=await ml(t.env.data.users,n,c.email);if(f.length&&f.some(m=>m.user_id!==i))throw new I(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new I(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const f=(p=l.identities)==null?void 0:p.find(h=>h.connection==="Username-Password-Authentication");if(!f)throw new I(400,{message:"User does not have a password identity"});const m={user_id:f.user_id,password:await oi.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,f.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const d=await t.env.data.users.get(n,i);if(!d)throw new I(500);return 
t.json(d)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new I(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Md(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(At)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new I(404);return 
t.json([At.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Xs),Iy])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
30
30
  Copyright (C) Microsoft. All rights reserved.
31
31
  Licensed under the Apache License, Version 2.0 (the "License"); you may not use
32
32
  this file except in compliance with the License. You may obtain a copy of the
@@ -146,7 +146,7 @@ PERFORMANCE OF THIS SOFTWARE.
146
146
  `,i=0;for(;i<n.length;)i+64<=n.length?r+=n.substr(i,64)+`\r
147
147
  `:r+=n.substr(i)+`\r
148
148
  `,i+=64;return r+=`-----END ${t} KEY-----\r
149
- `,r}async function Av(t){const e=await t.publicKey.export(),n=await crypto.subtle.exportKey("jwk",e),r=JSON.stringify(n,Object.keys(n).sort()),s=new TextEncoder().encode(r);return ja(await Nf(s))}const zv=1e3*60*60*24,Ev=new o.OpenAPIHono().openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Na)}},description:"List of keys"}}}),async t=>{const n=(await t.env.data.keys.list()).filter(r=>"cert"in r).map(r=>r);return t.json(n)}).openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Na}},description:"The requested key"}}}),async t=>{const{kid:e}=t.req.valid("param"),r=(await t.env.data.keys.list()).find(i=>i.kid===e);if(!r)throw new I(404,{message:"Key not found"});return t.json(r)}).openapi(o.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const e=await t.env.data.keys.list();for await(const r of e)await t.env.data.keys.update(r.kid,{revoked_at:new Date(Date.now()+zv).toISOString()});const n=await Xc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const{kid:e}=t.req.valid("param");if(!await t.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new I(404,{message:"Key not found"});const r=await 
Xc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(r),t.text("OK")}),Iv=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:o.z.object({email:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.array(sl)}},description:"List of users"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{email:n}=t.req.valid("query"),i=(await ml(t.env.data.users,e,n)).filter(s=>!s.linked_to);return t.json(i)}),Cv=on.extend({clients:o.z.array(mn)}),Nv=new o.OpenAPIHono().openapi(o.createRoute({tags:["clients"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([Cv,o.z.array(mn)])}},description:"List of clients"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),l=(await t.env.data.applications.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a})).applications;return i?t.json({clients:l,start:0,limit:10,length:l.length}):t.json(l)}).openapi(o.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=(await t.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===n);if(!i)throw new I(404);return t.json(i)}).openapi(o.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.applications.remove(e,n))throw new I(404,{message:"Application not found"});return t.text("OK")}).openapi(o.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"The update application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=t.req.valid("json");await t.env.data.applications.update(e,n,i);const s=await t.env.data.applications.get(e,n);if(!s)throw new I(404,{message:"Application not found"});return t.json(s)}).openapi(o.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:o.z.object(mn.shape)}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r={...n,id:n.id||ke(),client_secret:n.client_secret||ke()},i=await t.env.data.applications.create(e,r);return t.json(i,{status:201})});o.z.object({start:o.z.number(),limit:o.z.number(),length:o.z.number()});Zs.extend({email:o.z.string(),login_count:o.z.number(),multifactor:o.z.array(o.z.string()).optional(),last_ip:o.z.string().optional(),last_login:o.z.string().optional(),user_id:o.z.string()}).catchall(o.z.any());const jv=on.extend({tenants:o.z.array(Jn)}),$v=new o.OpenAPIHono().openapi(o.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:tn},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.union([o.z.array(Jn),jv])}},description:"List of tenants"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),a=await t.env.data.tenants.list({page:e,per_page:n,include_totals:r,sort:hr(i),q:s});return r?t.json(a):t.json(a.tenants)}).openapi(o.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:Jn}},description:"A tenant"}}}),async t=>{const{id:e}=t.req.valid("param"),n=await t.env.data.tenants.get(e);if(!n)throw new I(404);return t.json(n)}).openapi(o.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param");return await t.env.data.tenants.remove(e),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(ss.shape).partial()}}},params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param"),n=t.req.valid("json");return await t.env.data.tenants.update(e,n),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ss.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:Jn}},description:"An tenant"}}}),async t=>{const e=t.req.valid("json"),n=await t.env.data.tenants.create(e);return t.json(n,{status:201})}),Ov=on.extend({logs:o.z.array(as)}),Tv=new o.OpenAPIHono().openapi(o.createRoute({tags:["logs"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(as),Ov])}},description:"List of log rows"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header"),c=await t.env.data.logs.list(a,{page:e,per_page:n,include_totals:r,sort:hr(i),q:s});return r?t.json(c):t.json(c.logs)}).openapi(o.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:as}},description:"A log entry"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.logs.get(e,n);if(!r)throw new I(404);return t.json(r)}),Pv=on.extend({hooks:o.z.array(Kn)}),Bv=new o.OpenAPIHono().openapi(o.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Kn),Pv])}},description:"List of hooks"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.hooks.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a});return i?t.json(c):t.json(c.hooks)}).openapi(o.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(os.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Kn}},description:"The created hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.hooks.create(e,n);return 
t.json(r,{status:201})}).openapi(o.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()}),body:{content:{"application/json":{schema:o.z.object(os.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Kn.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=t.req.valid("json");await t.env.data.hooks.update(e,n,r);const i=await t.env.data.hooks.get(e,n);if(!i)throw new I(404,{message:"Hook not found"});return t.json(i)}).openapi(o.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Kn}},description:"A hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=await t.env.data.hooks.get(e,n);if(!r)throw new I(404,{message:"Hook not found"});return t.json(r)}).openapi(o.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param");if(!await t.env.data.hooks.remove(e,n))throw new I(404,{message:"Hook not found"});return t.text("OK")}),Rv=on.extend({connections:o.z.array(Jt)}),Lv=new o.OpenAPIHono().openapi(o.createRoute({tags:["connections"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Jt),Rv])}},description:"List of 
connectionss"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i=!1,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.connections.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a});return i?t.json(c):t.json(c.connections)}).openapi(o.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Jt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.connections.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.connections.remove(e,n))throw new I(404,{message:"Connection not found"});return t.text("OK")}).openapi(o.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(is.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Jt}},description:"The updated connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.connections.update(e,n,r))throw new I(404,{message:"Connection not found"});const s=await t.env.data.connections.get(e,n);if(!s)throw new I(404,{message:"Connection not found"});return 
t.json(s)}).openapi(o.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(is.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Jt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.connections.create(e,n);return t.json(r,{status:201})}),Uv=new o.OpenAPIHono().openapi(o.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Li}},description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.promptSettings.get(e);return n?t.json(n):t.json(Li.parse({}))}).openapi(o.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Li.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.promptSettings.get(e);return Object.assign(r,n),await t.env.data.promptSettings.set(e,r),t.json(r)});let Ep=!1;function Bg(t){t.use(async(e,n)=>(Ep||(t.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Ep=!0),await n()))}o.z.object({alg:o.z.literal("RS256"),kty:o.z.literal("RSA"),use:o.z.literal("sig"),n:o.z.string(),e:o.z.string(),kid:o.z.string(),x5t:o.z.string(),x5c:o.z.array(o.z.string())});async function Vv(t){try{const e=await t.JWKS_SERVICE.fetch(t.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new I(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function qv(t,e){const r=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),i=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),a=(await Vv(t.env)).find(l=>l.kid===e.header.kid);if(!a)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",a,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,i,r)}function Mv(t){const[e,n,r]=t.split(".");if(!e||!n||!r)return null;const i=JSON.parse(atob(e)),s=JSON.parse(atob(n)),a=atob(r.replace(/-/g,"+").replace(/_/g,"/"));return{header:i,payload:s,signature:a,raw:{header:e,payload:n,signature:r}}}function Rg(t){return async(e,n)=>{var i,s,a;const r=t.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(r&&"route"in r){const c=(s=(i=r.route.security)==null?void 0:i[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await n();const l=e.req.header("authorization")||"",[d,p]=l.split(" ");if((d==null?void 0:d.toLowerCase())!=="bearer"||!p)throw new I(401,{message:"Missing bearer token"});const f=Mv(p);if(!f||!await qv(e,f))throw new I(403,{message:"Invalid JWT signature"});e.set("user_id",f.payload.sub),e.set("user",f.payload);const m=f.payload.permissions||[],w=((a=f.payload.scope)==null?void 0:a.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>w.includes(h))))throw new I(403,{message:"Unauthorized"})}return await n()}}const Dv=new o.OpenAPIHono().openapi(o.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ui}},description:"Email provider"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.emailProviders.get(e);if(!n)throw new I(404,{message:"Email provider not 
found"});return t.json(n)}).openapi(o.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.create(e,n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.update(e,n),t.text("OK")}),Hv=new o.OpenAPIHono().openapi(o.createRoute({tags:["sessions"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Xs}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.sessions.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["sessions"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.remove(e,n))throw new I(404,{message:"Session not found"});return 
t.text("OK")}).openapi(o.createRoute({tags:["sessions"],method:"post",path:"/{id}/revoke",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{202:{description:"Sesssion deletion status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.update(e,n,{revoked_at:new Date().toDateString()}))throw new I(404,{message:"Session not found"});return t.text("Session deletion request accepted.",{status:202})}),Fv=new o.OpenAPIHono().openapi(o.createRoute({tags:["refresh_tokens"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:cl}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.refreshTokens.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["refresh_tokens"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.refreshTokens.remove(e,n))throw new I(404,{message:"Session not found"});return t.text("OK")}),Kv=new o.OpenAPIHono().openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Gt)}},description:"List of custom domains"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.customDomains.list(e);return 
t.json(n)}).openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.customDomains.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["custom-domains"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.customDomains.remove(e,n))throw new I(404,{message:"Custom domain not found"});return t.text("OK")}).openapi(o.createRoute({tags:["custom-domains"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(Gt.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"The updated custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.customDomains.update(e,n,r))throw new I(404);const s=await t.env.data.customDomains.get(e,n);if(!s)throw new I(404);return t.json(s)}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ol.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Gt}},description:"The created custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await 
t.env.data.customDomains.create(e,n);return t.json(r,{status:201})}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/{id}/verify",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"The custom domain"}}}),async()=>{throw new I(501,{message:"Not implemented"})});async function od(t,e){const n=t.req.header("x-forwarded-host");if(n){const i=await t.env.data.customDomains.getByDomain(n);if(i)return t.set("tenant_id",i.tenant_id),t.set("custom_domain",n),await e()}const r=t.req.header("host");if(r){const i=r.split(".");if(i.length>1&&typeof i[0]=="string"){const s=i[0];await t.env.data.tenants.get(s)&&t.set("tenant_id",s)}}return await e()}function Wv(t){const e=new o.OpenAPIHono;e.use(of({origin:r=>{var i;return r&&(i=t.allowedOrigins)!=null&&i.includes(r)?r:""},allowHeaders:["Tenant-Id","Content-Type","Content-Range","Auth0-Client","Authorization","Range","Upgrade-Insecure-Requests"],allowMethods:["POST","PUT","GET","DELETE","PATCH","OPTIONS"],exposeHeaders:["Content-Length","Content-Range"],maxAge:600,credentials:!0})),Bg(e),e.use(async(r,i)=>(r.env.data=ro(r,t.dataAdapter),i())),e.use(od).use(Rg(e));const n=e.route("/branding",v0).route("/custom-domains",Kv).route("/email/providers",Dv).route("/users",Cy).route("/keys",Ev).route("/users-by-email",Iv).route("/clients",Nv).route("/tenants",$v).route("/logs",Tv).route("/hooks",Bv).route("/connections",Lv).route("/prompts",Uv).route("/sessions",Hv).route("/refresh_tokens",Fv);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"},security:[{oauth2:["openid","email","profile"]}]}),n}function Gv(t,e){Object.keys(e).forEach(n=>{const r=e[n];r!=null&&r.length&&t.searchParams.set(n,r)})}var Ip;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ip||(Ip={}));var 
Cp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Cp||(Cp={}));function Jv(t){return Ug(t,Zv,ti.Include)}function Lg(t){return Ug(t,Yv,ti.None)}function Ug(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===ti.Include&&(r+="=")}return r}const Zv="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",Yv="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ti;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(ti||(ti={}));var Np;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Np||(Np={}));class Xv{uint8(e,n){if(e.byteLength<n+1)throw new TypeError("Insufficient bytes");return e[n]}uint16(e,n){if(e.byteLength<n+2)throw new TypeError("Insufficient bytes");return e[n]<<8|e[n+1]}uint32(e,n){if(e.byteLength<n+4)throw new TypeError("Insufficient bytes");let r=0;for(let i=0;i<4;i++)r|=e[n+i]<<24-i*8;return r}uint64(e,n){if(e.byteLength<n+8)throw new TypeError("Insufficient bytes");let r=0n;for(let i=0;i<8;i++)r|=BigInt(e[n+i])<<BigInt(56-i*8);return r}putUint8(e,n,r){if(e.length<r+1)throw new TypeError("Not enough space");if(n<0||n>255)throw new TypeError("Invalid uint8 value");e[r]=n}putUint16(e,n,r){if(e.length<r+2)throw new TypeError("Not enough space");if(n<0||n>65535)throw new TypeError("Invalid uint16 value");e[r]=n>>8,e[r+1]=n&255}putUint32(e,n,r){if(e.length<r+4)throw new TypeError("Not enough space");if(n<0||n>4294967295)throw new TypeError("Invalid uint32 value");for(let i=0;i<4;i++)e[r+i]=n>>(3-i)*8&255}putUint64(e,n,r){if(e.length<r+8)throw new TypeError("Not enough space");if(n<0||n>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let i=0;i<8;i++)e[r+i]=Number(n>>BigInt((7-i)*8)&0xffn)}}const jp=new Xv;function St(t,e){return(t<<32-e|t>>>e)>>>0}function Qv(t){const e=new eb;return e.update(t),e.digest()}class 
eb{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let n=0;if(this.currentBlockSize>0){const r=e.slice(0,64-this.currentBlockSize);this.blocks.set(r,this.currentBlockSize),this.process(),n+=r.byteLength,this.currentBlockSize=0}for(;n+64<=e.byteLength;){const r=e.slice(n,n+64);this.blocks.set(r),this.process(),n+=64}if(e.byteLength-n>0){const r=e.slice(n);this.blocks.set(r),this.currentBlockSize=r.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),jp.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let n=0;n<8;n++)jp.putUint32(e,this.H[n],n*4);return e}process(){for(let d=0;d<16;d++)this.w[d]=(this.blocks[d*4]<<24|this.blocks[d*4+1]<<16|this.blocks[d*4+2]<<8|this.blocks[d*4+3])>>>0;for(let d=16;d<64;d++){const p=(St(this.w[d-2],17)^St(this.w[d-2],19)^this.w[d-2]>>>10)>>>0,f=(St(this.w[d-15],7)^St(this.w[d-15],18)^this.w[d-15]>>>3)>>>0;this.w[d]=p+this.w[d-7]+f+this.w[d-16]|0}let e=this.H[0],n=this.H[1],r=this.H[2],i=this.H[3],s=this.H[4],a=this.H[5],c=this.H[6],l=this.H[7];for(let d=0;d<64;d++){const 
p=(St(s,6)^St(s,11)^St(s,25))>>>0,f=(s&a^~s&c)>>>0,m=l+p+f+tb[d]+this.w[d]|0,w=(St(e,2)^St(e,13)^St(e,22))>>>0,h=(e&n^e&r^n&r)>>>0,_=w+h|0;l=c,c=a,a=s,s=i+m|0,i=r,r=n,n=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=n+this.H[1]|0,this.H[2]=r+this.H[2]|0,this.H[3]=i+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=a+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const tb=new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new 
BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class nb{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' 
field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function rb(t){const e=Qv(new TextEncoder().encode(t));return Lg(e)}function ib(){const t=new Uint8Array(32);return crypto.getRandomValues(t),Lg(t)}function Ur(t,e){const n=new TextEncoder().encode(e.toString()),r=new Request(t,{method:"POST",body:n});return r.headers.set("Content-Type","application/x-www-form-urlencoded"),r.headers.set("Accept","application/json"),r.headers.set("User-Agent","arctic"),r.headers.set("Content-Length",n.byteLength.toString()),r}function ya(t,e){const n=new TextEncoder().encode(`${t}:${e}`);return Jv(n)}async function Fs(t){let e;try{e=await fetch(t)}catch(n){throw new qg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);let r;try{r=Vg(n)}catch{throw new Xn(e.status,n)}throw r}if(e.status===200){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);return new nb(n)}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}async function sb(t){let e;try{e=await 
fetch(t)}catch(n){throw new qg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Xn(e.status,null)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);let r;try{r=Vg(n)}catch{throw new Xn(e.status,n)}throw r}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}function Vg(t){let e;if("error"in t&&typeof t.error=="string")e=t.error;else throw new Error("Invalid error response");let n=null,r=null,i=null;if("error_description"in t){if(typeof t.error_description!="string")throw new Error("Invalid data");n=t.error_description}if("error_uri"in t){if(typeof t.error_uri!="string")throw new Error("Invalid data");r=t.error_uri}if("state"in t){if(typeof t.state!="string")throw new Error("Invalid data");i=t.state}return new ob(e,n,r,i)}class qg extends Error{constructor(e){super("Failed to send request",{cause:e})}}class ob extends Error{constructor(n,r,i,s){super(`OAuth request error: ${n}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=n,this.description=r,this.uri=i,this.state=s}}class Hi extends Error{constructor(n){super("Unexpected error response");te(this,"status");this.status=n}}class Xn extends Error{constructor(n,r){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=n,this.data=r}}class ad{constructor(e,n,r){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=n,this.redirectURI=r}createAuthorizationURL(e,n,r){const i=new URL(e);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&i.searchParams.set("redirect_uri",this.redirectURI),i.searchParams.set("state",n),r.length>0&&i.searchParams.set("scope",r.join(" ")),i}createAuthorizationURLWithPKCE(e,n,r,i,s){const a=new 
URL(e);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&a.searchParams.set("redirect_uri",this.redirectURI),a.searchParams.set("state",n),r===ni.S256){const c=rb(i);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",c)}else r===ni.Plain&&(a.searchParams.set("code_challenge_method","plain"),a.searchParams.set("code_challenge",i));return s.length>0&&a.searchParams.set("scope",s.join(" ")),a}async validateAuthorizationCode(e,n,r){const i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",n),this.redirectURI!==null&&i.set("redirect_uri",this.redirectURI),r!==null&&i.set("code_verifier",r),this.clientPassword===null&&i.set("client_id",this.clientId);const s=Ur(e,i);if(this.clientPassword!==null){const c=ya(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Fs(s)}async refreshAccessToken(e,n,r){const i=new URLSearchParams;i.set("grant_type","refresh_token"),i.set("refresh_token",n),this.clientPassword===null&&i.set("client_id",this.clientId),r.length>0&&i.set("scope",r.join(" "));const s=Ur(e,i);if(this.clientPassword!==null){const c=ya(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Fs(s)}async revokeToken(e,n){const r=new URLSearchParams;r.set("token",n),this.clientPassword===null&&r.set("client_id",this.clientId);const i=Ur(e,r);if(this.clientPassword!==null){const s=ya(this.clientId,this.clientPassword);i.headers.set("Authorization",`Basic ${s}`)}await sb(i)}}var ni;(function(t){t[t.S256=0]="S256",t[t.Plain=1]="Plain"})(ni||(ni={}));var $p;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})($p||($p={}));var Op;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Op||(Op={}));function Vr(t){return ab(t,cb,Ks.None)}function ab(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let 
c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===Ks.Include&&(r+="=")}return r}const cb="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Ks;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ks||(Ks={}));var Tp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Tp||(Tp={}));function lb(t,e,n){const r=Vr(new TextEncoder().encode(t)),i=Vr(new TextEncoder().encode(e)),s=Vr(n);return r+"."+i+"."+s}function db(t,e){const n=Vr(new TextEncoder().encode(t)),r=Vr(new TextEncoder().encode(e)),i=n+"."+r;return new TextEncoder().encode(i)}const ub="https://appleid.apple.com/auth/authorize",pb="https://appleid.apple.com/auth/token";class Mg{constructor(e,n,r,i,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=n,this.keyId=r,this.pkcs8PrivateKey=i,this.redirectURI=s}createAuthorizationURL(e,n){const r=new URL(ub);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId);const r=await this.createClientSecret();n.set("client_secret",r);const i=Ur(pb,n);return await Fs(i)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),n=Math.floor(Date.now()/1e3),r=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),i=JSON.stringify({iss:this.teamId,exp:n+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:n}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,db(r,i)));return lb(r,i,s)}}const 
fb="https://www.facebook.com/v16.0/dialog/oauth",hb="https://graph.facebook.com/v16.0/oauth/access_token";class Dg{constructor(e,n,r){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=n,this.redirectURI=r}createAuthorizationURL(e,n){const r=new URL(fb);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId),n.set("client_secret",this.clientSecret);const r=Ur(hb,n);return await Fs(r)}}const gb="https://accounts.google.com/o/oauth2/v2/auth",Pp="https://oauth2.googleapis.com/token",mb="https://oauth2.googleapis.com/revoke";let Hg=class{constructor(e,n,r){te(this,"client");this.client=new ad(e,n,r)}createAuthorizationURL(e,n,r){return this.client.createAuthorizationURLWithPKCE(gb,e,ni.S256,n,r)}async validateAuthorizationCode(e,n){return await this.client.validateAuthorizationCode(Pp,e,n)}async refreshAccessToken(e){return await this.client.refreshAccessToken(Pp,e,[])}async revokeToken(e){await this.client.revokeToken(mb,e)}};const Zo=o.z.object({iss:o.z.string().url(),sub:o.z.string(),aud:o.z.string(),exp:o.z.number(),email:o.z.string().optional(),given_name:o.z.string().optional(),family_name:o.z.string().optional(),name:o.z.string().optional(),iat:o.z.number(),auth_time:o.z.number().optional(),nonce:o.z.string().optional(),acr:o.z.string().optional(),amr:o.z.array(o.z.string()).optional(),azp:o.z.string().optional(),at_hash:o.z.string().optional(),c_hash:o.z.string().optional()}).passthrough();Zo.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function _b(t){return t.ISSUER}function ct(t){return 
t.UNIVERSAL_LOGIN_URL||`${t.ISSUER}u/`}function je(t){return t.OAUTH_API_URL||t.ISSUER}function Fg(t){const{options:e}=t;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const n=Buffer.from(e.app_secret,"utf-8"),r=n.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),i=Uint8Array.from(Buffer.from(r,"base64"));return n.fill(0),{options:e,keyArray:i}}async function yb(t,e){var l,d;const{options:n,keyArray:r}=Fg(e),i=new Mg(n.client_id,n.team_id,n.kid,r,`${je(t.env)}callback`),s=ke(),a=await i.createAuthorizationURL(s,((l=n.scope)==null?void 0:l.split(" "))||["name","email"]);return(((d=n.scope)==null?void 0:d.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&a.searchParams.set("response_mode","form_post"),{redirectUrl:a.href,code:s}}async function wb(t,e,n){const{options:r,keyArray:i}=Fg(e),a=await new Mg(r.client_id,r.team_id,r.kid,i,`${je(t.env)}callback`).validateAuthorizationCode(n),c=dl(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Zo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const vb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:yb,validateAuthorizationCodeAndGetUser:wb},Symbol.toStringTag,{value:"Module"}));async function bb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new Dg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke();return{redirectUrl:r.createAuthorizationURL(i,((a=n.scope)==null?void 0:a.split(" "))||["email"]).href,code:i}}async function xb(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new Dg(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n),a=await 
fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!a.ok)throw new Error("Failed to fetch user info");const c=await a.json();return t.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const kb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:bb,validateAuthorizationCodeAndGetUser:xb},Symbol.toStringTag,{value:"Module"}));async function Sb(t,e){var c;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required Google authentication parameters");const r=new Hg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke(),s=ib();return{redirectUrl:r.createAuthorizationURL(i,s,((c=n.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:i,codeVerifier:s}}async function Ab(t,e,n,r){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret||!r)throw new Error("Missing required authentication parameters");const a=await new Hg(i.client_id,i.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n,r),c=dl(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Zo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const zb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:Sb,validateAuthorizationCodeAndGetUser:Ab},Symbol.toStringTag,{value:"Module"}));async function Eb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new ad(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke(),s=r.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",i,((a=n.scope)==null?void 0:a.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return 
s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:i}}async function Ib(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new ad(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",n,null),a=dl(s.idToken());if(!a)throw new Error("Invalid ID token");const c=Zo.parse(a.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new I(400,{message:"Failed to get user from vipps"});return await l.json()}const Cb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:Eb,validateAuthorizationCodeAndGetUser:Ib},Symbol.toStringTag,{value:"Module"}));function Kg(t,e){const n=t.env.STRATEGIES||{},i={apple:vb,facebook:kb,"google-oauth2":zb,vipps:Cb,...n}[e];if(!i)throw new Error(`Strategy ${e} not found`);return i}async function Yo(t,e){const n=await t.data.clients.get(e);if(!n)throw new I(403,{message:"Client not found"});const r=t.DEFAULT_CLIENT_ID?await t.data.clients.get(t.DEFAULT_CLIENT_ID):void 0,i=await t.data.connections.list(n.tenant.id),s=t.DEFAULT_TENANT_ID?await t.data.connections.list(t.DEFAULT_TENANT_ID):{connections:[]},a=i.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(f=>f.name===c.name);return l!=null&&l.options?Jt.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...n,web_origins:[...(r==null?void 0:r.web_origins)||[],...n.web_origins||[],`${ct(t)}login`],allowed_logout_urls:[...(r==null?void 0:r.allowed_logout_urls)||[],...n.allowed_logout_urls||[],t.ISSUER],callbacks:[...(r==null?void 
0:r.callbacks)||[],...n.callbacks||[],`${ct(t)}info`],connections:a,tenant:{...(r==null?void 0:r.tenant)||{},...n.tenant}}}function Xo(t,e=[],n={}){try{const r=new URL(t);return e.some(i=>{try{return Nb(r,new URL(i),n.allowPathWildcards)}catch{return!1}})}catch{return!1}}function Nb(t,e,n){if(t.protocol!==e.protocol)return!1;if(n&&e.pathname.includes("*")){const r=e.pathname.replace(/\*/g,".*").replace(/\//g,"\\/");if(!new RegExp(`^${r}$`).test(t.pathname))return!1}else if(t.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const r=e.hostname.split(".").slice(1).join(".");return t.hostname.endsWith(r)}return t.hostname===e.hostname}async function jb(t,e,n,r){if(!r.state)throw new I(400,{message:"State not found"});const i=e.connections.find(l=>l.name===n);if(!i){t.set("client_id",e.id);const l=we(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await t.env.data.logs.create(e.tenant.id,l),new I(403,{message:"Connection Not Found"})}let s=await t.env.data.loginSessions.get(e.tenant.id,r.state);s||(s=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:r,csrf_token:ke(),...cn(t.req)}));const c=await Kg(t,i.strategy).getRedirect(t,i);return await t.env.data.codes.create(e.tenant.id,{login_id:s.id,code_id:c.code,code_type:"oauth2_state",connection_id:i.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+F0*1e3).toISOString()}),t.redirect(c.redirectUrl)}async function Bp(t,{code:e,state:n}){var h;const{env:r}=t,i=await r.data.codes.get(t.var.tenant_id||"",n,"oauth2_state");if(!i||!i.connection_id)throw new I(403,{message:"State not found"});const s=await r.data.loginSessions.get(t.var.tenant_id||"",i.login_id);if(!s)throw new I(403,{message:"Session not found"});const a=await Yo(r,s.authParams.client_id);t.set("client_id",a.id),t.set("tenant_id",a.tenant.id);const 
c=a.connections.find(_=>_.id===i.connection_id);if(!c){const _=we(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await r.data.logs.create(a.tenant.id,_),new I(403,{message:"Connection not found"})}if(t.set("connection",c.name),!s.authParams.redirect_uri){const _=we(t,{type:he.FAILED_LOGIN,description:"Redirect URI not defined"});throw await r.data.logs.create(a.tenant.id,_),new I(403,{message:"Redirect URI not defined"})}if(!Xo(s.authParams.redirect_uri,a.callbacks||[],{allowPathWildcards:!0})){const _=`Invalid redirect URI - ${s.authParams.redirect_uri}`,v=we(t,{type:he.FAILED_LOGIN,description:_});throw await r.data.logs.create(a.tenant.id,v),new I(403,{message:_})}const d=await Kg(t,c.strategy).validateAuthorizationCodeAndGetUser(t,c,e,i.code_verifier),{sub:p,...f}=d;t.set("user_id",p);const m=((h=d.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(t.env.ISSUER).hostname}`;t.set("username",m);const w=await so(t,{client:a,email:m,provider:c.strategy,connection:c.name,userId:p,profileData:f,isSocial:!0,ip:t.req.header("x-real-ip")});return ln(t,{client:a,authParams:s.authParams,loginSession:s,user:w})}async function Rp(t,e,n,r,i,s){const a=await t.env.data.codes.get(t.var.tenant_id||"",e,"oauth2_state");if(!a)throw new I(400,{message:"State not found"});const c=await t.env.data.loginSessions.get(t.var.tenant_id,a.login_id);if(!c)throw new I(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new I(400,{message:"Redirect uri not found"});const d=we(t,{type:he.FAILED_LOGIN,description:`Failed connection login: ${i} ${n}, ${r}`});rt(t,t.env.data.logs.create(t.var.tenant_id,d));const p=new URL(l);return Gv(p,{error:n,error_description:r,error_reason:s,error_code:i,state:c.authParams.state}),t.redirect(`${ct(t.env)}enter-email?state=${c.id}&error=${n}`)}const $b=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("query");if(r)return Rp(t,e,r,i,s,a);if(!n)throw new I(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}).openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("form");if(r)return Rp(t,e,r,i,s,a);if(!n)throw new I(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}),Ob=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),returnTo:o.z.string().optional()}),header:o.z.object({cookie:o.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async t=>{const{client_id:e,returnTo:n}=t.req.valid("query"),r=await t.env.data.clients.get(e);if(!r)return t.text("OK");const i=await t.env.data.clients.get("DEFAULT_CLIENT");t.set("client_id",e),t.set("tenant_id",r.tenant.id);const s=n||t.req.header("referer");if(!s)return t.text("OK");if(!Xo(s,[...r.allowed_logout_urls||[],...(i==null?void 
0:i.allowed_logout_urls)||[]],{allowPathWildcards:!0}))throw new I(400,{message:"Invalid redirect uri"});const a=t.req.header("cookie");if(a){const l=ls(r.tenant.id,a);if(l){const d=await t.env.data.sessions.get(r.tenant.id,l);if(d){const p=await t.env.data.users.get(r.tenant.id,d.user_id);p&&(t.set("user_id",p.user_id),t.set("connection",p.connection));const f=await t.env.data.refreshTokens.list(r.tenant.id,{q:`session_id=${l}`,page:0,per_page:100,include_totals:!1});await Promise.all(f.refresh_tokens.map(m=>t.env.data.refreshTokens.remove(r.tenant.id,m.id))),await t.env.data.sessions.update(r.tenant.id,l,{revoked_at:new Date().toISOString()})}}}const c=we(t,{type:he.SUCCESS_LOGOUT,description:"User successfully logged out"});return await t.env.data.logs.create(r.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":Z0(r.tenant.id,t.req.header("host")),location:s}})}),Lp=o.z.object({sub:o.z.string(),email:o.z.string().optional(),family_name:o.z.string().optional(),given_name:o.z.string().optional(),email_verified:o.z.boolean()}),Tb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:Lp}},description:"Userinfo"}}}),async t=>{if(!t.var.user)throw new I(404,{message:"User not found"});const e=await t.env.data.users.get(t.var.user.tenant_id,t.var.user.sub);if(!e)throw new I(404,{message:"User not found"});return t.json(Lp.parse({...e,sub:e.user_id}))}),Pb=new o.OpenAPIHono().openapi(o.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:gf}},description:"List of tenants"}}}),async t=>{const e=await t.env.data.keys.list(),n=await Promise.all(e.map(async r=>{const s=await new sd(r.cert).publicKey.export(),a=await crypto.subtle.exportKey("jwk",s);return al.parse({...a,kid:r.kid})}));return 
t.json({keys:n},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${$i}, stale-while-revalidate=${$i*2}, stale-if-error=86400`}})}).openapi(o.createRoute({tags:["well known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:Ca}},description:"List of tenants"}}}),async t=>{const e=Ca.parse({issuer:_b(t.env),authorization_endpoint:`${je(t.env)}authorize`,token_endpoint:`${je(t.env)}oauth/token`,device_authorization_endpoint:`${je(t.env)}oauth/device/code`,userinfo_endpoint:`${je(t.env)}userinfo`,mfa_challenge_endpoint:`${je(t.env)}mfa/challenge`,jwks_uri:`${je(t.env)}.well-known/jwks.json`,registration_endpoint:`${je(t.env)}oidc/register`,revocation_endpoint:`${je(t.env)}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return t.json(e,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${$i}, stale-while-revalidate=${$i*2}, stale-if-error=86400`}})});function Fi(t,e){if(!t||!e||t.length!==e.length)return!1;let n=0;for(let 
r=0;r<t.length;r++)n|=t.charCodeAt(r)^e.charCodeAt(r);return n===0}const Wg=o.z.object({grant_type:o.z.literal("client_credentials"),scope:o.z.string().optional(),client_secret:o.z.string(),client_id:o.z.string(),audience:o.z.string().optional()});async function Bb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Invalid client credentials"});if(n.client_secret&&!Fi(n.client_secret,e.client_secret))throw new I(403,{message:"Invalid client credentials"});const r={client_id:n.id,scope:e.scope,audience:e.audience},i=await no(t,{authParams:r,client:n});return t.json(i)}const Rb=o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string().optional(),client_secret:o.z.string().optional(),code_verifier:o.z.string().optional()}).refine(t=>"client_secret"in t&&!("code_verifier"in t)||!("client_secret"in t)&&"code_verifier"in t,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function Lb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Client not found"});const r=await t.env.data.codes.get(n.tenant.id,e.code,"authorization_code");if(!r||!r.user_id)throw new I(403,{message:"Invalid client credentials"});if(new Date(r.expires_at)<new Date)throw new I(403,{message:"Code expired"});if(r.used_at)throw new I(403,{message:"Code already used"});const i=await t.env.data.loginSessions.get(n.tenant.id,r.login_id);if(!i)throw new I(403,{message:"Invalid login"});if("client_secret"in e){const a=await t.env.data.clients.get("DEFAULT_CLIENT");if(!Fi(n.client_secret,e.client_secret)&&!Fi(a==null?void 0:a.client_secret,e.client_secret))throw new I(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in i.authParams&&typeof i.authParams.code_challenge_method=="string"){const a=await 
q0(e.code_verifier,i.authParams.code_challenge_method);if(!Fi(a,i.authParams.code_challenge||""))throw new I(403,{message:"Invalid client credentials"})}if(i.authParams.redirect_uri&&i.authParams.redirect_uri!==e.redirect_uri)throw new I(403,{message:"Invalid redirect uri"});const s=await t.env.data.users.get(n.tenant.id,r.user_id);if(!s)throw new I(403,{message:"User not found"});return await t.env.data.codes.used(n.tenant.id,e.code),ln(t,{user:s,client:n,loginSession:i,authParams:{...i.authParams,response_mode:Rt.WEB_MESSAGE}})}const Ub=o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),redirect_uri:o.z.string().optional(),refresh_token:o.z.string()});async function Vb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Client not found"});const r=await t.env.data.refreshTokens.get(n.tenant.id,e.refresh_token);if(r){if(r.expires_at&&new Date(r.expires_at)<new Date||r.idle_expires_at&&new Date(r.idle_expires_at)<new Date)throw new I(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Refresh token has expired"})})}else throw new I(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Invalid refresh token"})});const i=await t.env.data.users.get(n.tenant.id,r.user_id);if(!i)throw new I(403,{message:"User not found"});const s=r.resource_servers[0];if(r.idle_expires_at){const a=new Date(Date.now()+2592e6);await t.env.data.refreshTokens.update(n.tenant.id,r.id,{idle_expires_at:a.toISOString(),last_exchanged_at:new Date().toISOString(),device:{...r.device,last_ip:t.req.header["x-real-ip"]||"",last_user_agent:t.req.header["user-agent"]||""}})}return ln(t,{user:i,client:n,refreshToken:r.id,sessionId:r.session_id,authParams:{client_id:n.id,audience:s==null?void 0:s.audience,scope:s==null?void 0:s.scopes,response_mode:Rt.WEB_MESSAGE}})}const 
qb=o.z.object({client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email","sms"]),otp:o.z.string(),authParams:Mr.optional()});async function Mb(t,{client_id:e,username:n,otp:r,authParams:i}){const s=await t.env.data.clients.get(e);if(!s)throw new I(403,{message:"Client not found"});return Qo(t,s,i||{client_id:e,response_type:It.TOKEN_ID_TOKEN,response_mode:Rt.WEB_MESSAGE},n,r)}async function Qo(t,e,n,r,i,s,a){const{env:c}=t,l=await c.data.codes.get(e.tenant.id,i,"otp");if(!l)throw new I(400,{message:"Code not found or expired"});if(l.expires_at<new Date().toISOString())throw new I(400,{message:"Code expired"});if(l.used_at)throw new I(400,{message:"Code already used"});const d=await c.data.loginSessions.get(e.tenant.id,l.login_id);if(!d||d.authParams.username!==r)throw new I(400,{message:"Code not found or expired"});const p=cn(t.req);if(a&&d.ip!==p.ip)return t.redirect(`${ct(t.env)}invalid-session?state=${d.id}`);if(n.redirect_uri&&!Xo(n.redirect_uri,e.callbacks,{allowPathWildcards:!0}))throw new I(400,{message:`Invalid redirect URI - ${n.redirect_uri}`});const f=await so(t,{client:e,email:r,provider:"email",connection:"email",isSocial:!1,ip:t.req.header("x-real-ip")});return await c.data.codes.used(e.tenant.id,i),ln(t,{user:f,client:e,loginSession:d,authParams:n,ticketAuth:s})}const 
Up=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),Db=o.z.union([Wg.extend(Up.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Up.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()}),o.z.object({grant_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),client_id:o.z.string(),username:o.z.string(),otp:o.z.string(),realm:o.z.enum(["email","sms"])})]);function Hb(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const Fb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:Db}}}},responses:{200:{content:{"application/json":{schema:bf}},description:"Tokens"}}}),async t=>{const e=t.req.valid("form"),n=Hb(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new I(400,{message:"client_id is required"});switch(t.set("client_id",r.client_id),e.grant_type){case Wn.AuthorizationCode:return Lb(t,Rb.parse(r));case Wn.ClientCredential:return Bb(t,Wg.parse(r));case Wn.RefreshToken:return Vb(t,Ub.parse(r));case Wn.OTP:return Mb(t,qb.parse(r));default:throw new I(400,{message:"Not implemented"})}});var cd={exports:{}};const ld=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],Gg=(t,e=ld,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const 
i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(c=>new RegExp(`${c.regex}`).test(r)).map(c=>c.message),s.length=r.length;let a=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,a[0]),s};cd.exports={passwordStrength:Gg,defaultOptions:ld};var Kb=cd.exports.passwordStrength=Gg;cd.exports.defaultOptions=ld;function dd(t){return Kb(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Ai(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new I(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new I(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function Wb(t,e){var a,c;const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new I(500,{message:"Tenant not found"});const r=(await t.env.data.connections.list(t.var.tenant_id)).connections.find(l=>l.strategy==="sms")||(t.env.DEFAULT_TENANT_ID?(await t.env.data.connections.list(t.env.DEFAULT_TENANT_ID)).connections.find(l=>l.strategy==="sms"):null);if(!r)throw new I(500,{message:"SMS provider not found"});const i=((a=r.options)==null?void 0:a.provider)||"twilio",s=(c=t.env.smsProviders)==null?void 0:c[i];if(!s)throw new I(500,{message:"SMS provider not found"});await s({options:r.options,to:e.to,text:e.text,template:"auth-code",data:{code:e.code,tenantName:n.name,tenantId:n.id}})}async function Jg(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const 
s=`${ct(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Ai(t,{to:e,subject:re("reset_password_title",a),html:`Click here to reset your password: ${ct(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:re("password_reset_title",a),resetPasswordEmailClickToReset:re("reset_password_email_click_to_reset",a),resetPasswordEmailReset:re("reset_password_email_reset",a),supportInfo:re("support_info",a),contactUs:re("contact_us",a),copyright:re("copyright",a),tenantName:i.name,tenantId:i.id}})}async function Zg(t,{to:e,code:n,connection:r}){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const s=new URL(ct(t.env)),a={vendorName:i.name,vendorId:i.id,loginDomain:s.hostname,code:n,lng:i.language||"en"};r==="email"?await Ai(t,{to:e,subject:re("code_email_subject",a),html:`Click here to validate your email: ${ct(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",buttonColor:i.primary_color||"",welcomeToYourAccount:re("welcome_to_your_account",a),linkEmailClickToLogin:re("link_email_click_to_login",a),linkEmailLogin:re("link_email_login",a),linkEmailOrEnterCode:re("link_email_or_enter_code",a),codeValid30Mins:re("code_valid_30_minutes",a),supportInfo:re("support_info",a),contactUs:re("contact_us",a),copyright:re("copyright",a)}}):r==="sms"&&await Wb(t,{to:e,text:re("sms_code_text",a),code:n});const c=we(t,{type:he.CODE_LINK_SENT,description:e});rt(t,t.env.data.logs.create(i.id,c))}async function ud(t,{to:e,code:n,authParams:r,connection:i}){const s=await t.env.data.tenants.get(t.var.tenant_id);if(!s)throw new I(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new I(400,{message:"redirect_uri is 
required"});const a=new URL(je(t.env));a.pathname="passwordless/verify_redirect",a.searchParams.set("verification_code",n),a.searchParams.set("connection",i),a.searchParams.set("client_id",r.client_id),a.searchParams.set("redirect_uri",r.redirect_uri),a.searchParams.set("username",e),r.response_type&&a.searchParams.set("response_type",r.response_type),r.scope&&a.searchParams.set("scope",r.scope),r.state&&a.searchParams.set("state",r.state),r.nonce&&a.searchParams.set("nonce",r.nonce),r.code_challenge&&a.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&a.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&a.searchParams.set("audience",r.audience);const c={vendorName:s.name,code:n,lng:s.language||"en"};if(i!=="email")throw new I(400,{message:"Only email connections are supported for magic links"});await Ai(t,{to:e,subject:re("code_email_subject",c),html:`Click here to validate your email: ${ct(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:s.name,logo:s.logo||"",supportUrl:s.support_url||"",magicLink:a.toString(),buttonColor:s.primary_color||"",welcomeToYourAccount:re("welcome_to_your_account",c),linkEmailClickToLogin:re("link_email_click_to_login",c),linkEmailLogin:re("link_email_login",c),linkEmailOrEnterCode:re("link_email_or_enter_code",c),codeValid30Mins:re("code_valid_30_minutes",c),supportInfo:re("support_info",c),contactUs:re("contact_us",c),copyright:re("copyright",c)}});const l=we(t,{type:he.CODE_LINK_SENT,description:e});rt(t,t.env.data.logs.create(s.id,l))}async function pd(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new I(500,{message:"Tenant not found"});const r={vendorName:n.name,lng:n.language||"en"};await Ai(t,{to:e.email,subject:re("welcome_to_your_account",r),html:`Click here to validate your email: 
${ct(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${ct(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:re("welcome_to_your_account",r),verifyEmailVerify:re("verify_email_verify",r),supportInfo:re("support_info",r),contactUs:re("contact_us",r),copyright:re("copyright",r)}})}async function Gb(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${ct(t.env)}signup?state=${r}&code=${n}`;await Ai(t,{to:e,subject:re("register_password_account",s),html:`Click here to register: ${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:re("set_password",s),registerPasswordAccount:re("register_password_account",s),clickToSignUpDescription:re("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:re("welcome_to_your_account",s),verifyEmailVerify:re("verify_email_verify",s),supportInfo:re("support_info",s),contactUs:re("contact_us",s),copyright:re("copyright",s)}})}const Jb=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.clients.get(r);if(!i)throw new I(400,{message:"Client not 
found"});if(t.set("client_id",i.id),t.set("tenant_id",i.tenant.id),!dd(n))throw new I(400,{message:"Password does not meet the requirements"});if(await ds({userAdapter:t.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))throw new I(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Qs()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const c=await oi.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:c,algorithm:"bcrypt"}),await pd(t,a);const l=we(t,{type:he.SUCCESS_SIGNUP,description:"Successful signup"});return await t.env.data.logs.create(i.tenant.id,l),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.clients.get(n);if(!r)throw new I(400,{message:"Client not found"});if(t.set("client_id",r.id),t.set("tenant_id",r.tenant.id),!await fr({userAdapter:t.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:s,csrf_token:ke(),...cn(t.req)});return await Jg(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Pn(){const 
t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}const Zb=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({connection:o.z.literal("email"),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:Mr.omit({client_id:!0})}),o.z.object({client_id:o.z.string(),connection:o.z.literal("sms"),phone_number:o.z.string(),send:o.z.enum(["link","code"]),authParams:Mr.omit({client_id:!0})})])}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,send:i,authParams:s,connection:a}=e,c=await t.env.data.clients.get(r);if(!c)throw new I(400,{message:"Client not found"});t.set("client_id",c.id),t.set("tenant_id",c.tenant.id);const l=a==="email"?e.email:e.phone_number,d=await n.data.loginSessions.create(c.tenant.id,{authParams:{...s,client_id:r,username:l},expires_at:new Date(Date.now()+$a).toISOString(),csrf_token:ke(),...cn(t.req)}),p=await n.data.codes.create(c.tenant.id,{code_id:Pn(),code_type:"otp",login_id:d.id,expires_at:new Date(Date.now()+$a).toISOString()});return i==="link"?await ud(t,{to:l,code:p.code_id,authParams:{...s,client_id:r},connection:a}):await Zg(t,{to:l,code:p.code_id,connection:a}),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(It),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Status"}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:c,audience:l,response_type:d,nonce:p}=t.req.valid("query"),f=await 
Yo(e,n);return t.set("client_id",f.id),t.set("tenant_id",f.tenant.id),t.set("connection","email"),Qo(t,f,{client_id:n,redirect_uri:s,state:a,nonce:p,scope:c,audience:l,response_type:d},r,i,!1,!0)});class jr extends I{constructor(n,r){super(n,r);te(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function fd(t,e,n,r,i){const{env:s}=t,a=n.username;if(t.set("username",a),!a)throw new I(400,{message:"Username is required"});const c=await fr({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:a,provider:"auth2"});if(!c){const h=we(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=c.linked_to?await s.data.users.get(e.tenant.id,c.linked_to):c;if(!l)throw new jr(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",c.connection),t.set("user_id",l.user_id);const d=await s.data.passwords.get(e.tenant.id,c.user_id);if(!(d&&await oi.compare(n.password,d.password))){const h=we(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await s.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(h=>h.type===he.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(h.date)>new Date(Date.now()-1e3*60*5)).length>=3){const h=we(t,{type:he.FAILED_LOGIN,description:"Too many failed login attempts"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!c.email_verified&&e.email_validation==="enforced"){await pd(t,c);const h=we(t,{type:he.FAILED_LOGIN,description:"Email not verified"});throw await t.env.data.logs.create(e.tenant.id,h),new jr(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const 
w=we(t,{type:he.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return rt(t,t.env.data.logs.create(e.tenant.id,w)),ln(t,{client:e,authParams:n,user:l,ticketAuth:i,loginSession:r})}async function Yb(t,e,n,r){await so(t,{client:e,email:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.req.header("x-real-ip")});let i=Pn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Pn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+G0).toISOString(),authParams:{client_id:e.id,username:n},csrf_token:ke(),...cn(t.req)}),c=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:a.id,expires_at:new Date(Date.now()+W0).toISOString()});await Jg(t,n,c.code_id,r)}const Xb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.clients.get(n);if(!i)throw new I(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase();if("otp"in e)return Qo(t,i,{client_id:n,username:s},s,e.otp,!0);if("password"in 
e){const a=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:ke(),...cn(t.req)});return fd(t,i,{username:s,password:e.password,client_id:n},a,!0)}else throw new I(400,{message:"Code or password required"})});function Qb(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=wa(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let c;if(a.startsWith("http://")||a.startsWith("https://")?c=((i=wa(a))==null?void 0:i.host)??null:c=((s=wa("https://"+a))==null?void 0:s.host)??null,n===c)return!0}return!1}function wa(t){try{return new URL(t)}catch{return null}}async function e1({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:r,csrf_token:ke(),authorization_url:t.req.url,...cn(t.req)});if(e&&s){const c=await t.env.data.users.get(n.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return ln(t,{client:n,loginSession:a,authParams:r,user:c,sessionId:e.id})}if(i==="email"&&s){const c=Pn();return await t.env.data.codes.create(n.tenant.id,{code_id:c,code_type:"otp",login_id:a.id,expires_at:new Date(Date.now()+Qn*1e3).toISOString()}),await ud(t,{connection:i,code:c,to:s,authParams:r}),t.redirect(`/u/enter-code?state=${a.id}`)}return e?t.redirect(`/u/check-account?state=${a.id}`):t.redirect(`/u/enter-email?state=${a.id}`)}function t1(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new I(403,{message:"Invalid realm"})}async function n1(t,e,n,r,i){var m;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new I(403,{message:"Ticket not found"});const c=await s.data.loginSessions.get(e,a.login_id);if(!c||!c.authParams.username)throw new I(403,{message:"Session not found"});const l=await 
s.data.clients.get(c.authParams.client_id);if(!l)throw new I(403,{message:"Client not found"});t.set("client_id",c.authParams.client_id),await s.data.codes.used(e,n);const d=t1(i);let p=await so(t,{email:c.authParams.username,provider:d,client:l,connection:d==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.req.header("x-real-ip")});t.set("username",p.email),t.set("user_id",p.user_id);const f=await Hf(t,{user:p,client:l,loginSession:c});return ln(t,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...r},loginSession:c,sessionId:f.id,user:p,client:l})}async function Vp(t,e){return`<!DOCTYPE html>
149
+ `,r}async function Av(t){const e=await t.publicKey.export(),n=await crypto.subtle.exportKey("jwk",e),r=JSON.stringify(n,Object.keys(n).sort()),s=new TextEncoder().encode(r);return ja(await Nf(s))}const zv=1e3*60*60*24,Ev=new o.OpenAPIHono().openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Na)}},description:"List of keys"}}}),async t=>{const n=(await t.env.data.keys.list()).filter(r=>"cert"in r).map(r=>r);return t.json(n)}).openapi(o.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Na}},description:"The requested key"}}}),async t=>{const{kid:e}=t.req.valid("param"),r=(await t.env.data.keys.list()).find(i=>i.kid===e);if(!r)throw new I(404,{message:"Key not found"});return t.json(r)}).openapi(o.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const e=await t.env.data.keys.list();for await(const r of e)await t.env.data.keys.update(r.kid,{revoked_at:new Date(Date.now()+zv).toISOString()});const n=await Xc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({kid:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async t=>{const{kid:e}=t.req.valid("param");if(!await t.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new I(404,{message:"Key not found"});const r=await 
Xc({name:`CN=${t.env.ORGANIZATION_NAME}`});return await t.env.data.keys.create(r),t.text("OK")}),Iv=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:o.z.object({email:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.array(sl)}},description:"List of users"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{email:n}=t.req.valid("query"),i=(await ml(t.env.data.users,e,n)).filter(s=>!s.linked_to);return t.json(i)}),Cv=on.extend({clients:o.z.array(mn)}),Nv=new o.OpenAPIHono().openapi(o.createRoute({tags:["clients"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([Cv,o.z.array(mn)])}},description:"List of clients"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),l=(await t.env.data.applications.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a})).applications;return i?t.json({clients:l,start:0,limit:10,length:l.length}):t.json(l)}).openapi(o.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=(await t.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===n);if(!i)throw new I(404);return t.json(i)}).openapi(o.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.applications.remove(e,n))throw new I(404,{message:"Application not found"});return t.text("OK")}).openapi(o.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:mn}},description:"The update application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),i=t.req.valid("json");await t.env.data.applications.update(e,n,i);const s=await t.env.data.applications.get(e,n);if(!s)throw new I(404,{message:"Application not found"});return t.json(s)}).openapi(o.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(rs.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:o.z.object(mn.shape)}},description:"An application"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r={...n,id:n.id||ke(),client_secret:n.client_secret||ke()},i=await t.env.data.applications.create(e,r);return t.json(i,{status:201})});o.z.object({start:o.z.number(),limit:o.z.number(),length:o.z.number()});Zs.extend({email:o.z.string(),login_count:o.z.number(),multifactor:o.z.array(o.z.string()).optional(),last_ip:o.z.string().optional(),last_login:o.z.string().optional(),user_id:o.z.string()}).catchall(o.z.any());const jv=on.extend({tenants:o.z.array(Jn)}),$v=new o.OpenAPIHono().openapi(o.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:tn},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:o.z.union([o.z.array(Jn),jv])}},description:"List of tenants"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),a=await t.env.data.tenants.list({page:e,per_page:n,include_totals:r,sort:hr(i),q:s});return r?t.json(a):t.json(a.tenants)}).openapi(o.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:Jn}},description:"A tenant"}}}),async t=>{const{id:e}=t.req.valid("param"),n=await t.env.data.tenants.get(e);if(!n)throw new I(404);return t.json(n)}).openapi(o.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param");return await t.env.data.tenants.remove(e),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(ss.shape).partial()}}},params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{id:e}=t.req.valid("param"),n=t.req.valid("json");return await t.env.data.tenants.update(e,n),t.text("OK")}).openapi(o.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ss.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:Jn}},description:"An tenant"}}}),async t=>{const e=t.req.valid("json"),n=await t.env.data.tenants.create(e);return t.json(n,{status:201})}),Ov=on.extend({logs:o.z.array(as)}),Tv=new o.OpenAPIHono().openapi(o.createRoute({tags:["logs"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(as),Ov])}},description:"List of log rows"}}}),async 
t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header"),c=await t.env.data.logs.list(a,{page:e,per_page:n,include_totals:r,sort:hr(i),q:s});return r?t.json(c):t.json(c.logs)}).openapi(o.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:as}},description:"A log entry"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.logs.get(e,n);if(!r)throw new I(404);return t.json(r)}),Pv=on.extend({hooks:o.z.array(Kn)}),Bv=new o.OpenAPIHono().openapi(o.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Kn),Pv])}},description:"List of hooks"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.hooks.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a});return i?t.json(c):t.json(c.hooks)}).openapi(o.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(os.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Kn}},description:"The created hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.hooks.create(e,n);return 
t.json(r,{status:201})}).openapi(o.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()}),body:{content:{"application/json":{schema:o.z.object(os.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Kn.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=t.req.valid("json");await t.env.data.hooks.update(e,n,r);const i=await t.env.data.hooks.get(e,n);if(!i)throw new I(404,{message:"Hook not found"});return t.json(i)}).openapi(o.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Kn}},description:"A hook"},404:{description:"Hook not found"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param"),r=await t.env.data.hooks.get(e,n);if(!r)throw new I(404,{message:"Hook not found"});return t.json(r)}).openapi(o.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({hook_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{hook_id:n}=t.req.valid("param");if(!await t.env.data.hooks.remove(e,n))throw new I(404,{message:"Hook not found"});return t.text("OK")}),Rv=on.extend({connections:o.z.array(Jt)}),Lv=new o.OpenAPIHono().openapi(o.createRoute({tags:["connections"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Jt),Rv])}},description:"List of 
connectionss"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{page:n,per_page:r,include_totals:i=!1,sort:s,q:a}=t.req.valid("query"),c=await t.env.data.connections.list(e,{page:n,per_page:r,include_totals:i,sort:hr(s),q:a});return i?t.json(c):t.json(c.connections)}).openapi(o.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Jt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.connections.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.connections.remove(e,n))throw new I(404,{message:"Connection not found"});return t.text("OK")}).openapi(o.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(is.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Jt}},description:"The updated connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.connections.update(e,n,r))throw new I(404,{message:"Connection not found"});const s=await t.env.data.connections.get(e,n);if(!s)throw new I(404,{message:"Connection not found"});return 
t.json(s)}).openapi(o.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(is.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Jt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.connections.create(e,n);return t.json(r,{status:201})}),Uv=new o.OpenAPIHono().openapi(o.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Li}},description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.promptSettings.get(e);return n?t.json(n):t.json(Li.parse({}))}).openapi(o.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Li.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await t.env.data.promptSettings.get(e);return Object.assign(r,n),await t.env.data.promptSettings.set(e,r),t.json(r)});let Ep=!1;function Bg(t){t.use(async(e,n)=>(Ep||(t.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Ep=!0),await n()))}o.z.object({alg:o.z.literal("RS256"),kty:o.z.literal("RSA"),use:o.z.literal("sig"),n:o.z.string(),e:o.z.string(),kid:o.z.string(),x5t:o.z.string(),x5c:o.z.array(o.z.string())});async function Vv(t){try{const e=await t.JWKS_SERVICE.fetch(t.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new I(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function qv(t,e){const r=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),i=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),a=(await Vv(t.env)).find(l=>l.kid===e.header.kid);if(!a)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",a,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,i,r)}function Mv(t){const[e,n,r]=t.split(".");if(!e||!n||!r)return null;const i=JSON.parse(atob(e)),s=JSON.parse(atob(n)),a=atob(r.replace(/-/g,"+").replace(/_/g,"/"));return{header:i,payload:s,signature:a,raw:{header:e,payload:n,signature:r}}}function Rg(t){return async(e,n)=>{var i,s,a;const r=t.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(r&&"route"in r){const c=(s=(i=r.route.security)==null?void 0:i[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await n();const l=e.req.header("authorization")||"",[d,p]=l.split(" ");if((d==null?void 0:d.toLowerCase())!=="bearer"||!p)throw new I(401,{message:"Missing bearer token"});const f=Mv(p);if(!f||!await qv(e,f))throw new I(403,{message:"Invalid JWT signature"});e.set("user_id",f.payload.sub),e.set("user",f.payload);const m=f.payload.permissions||[],w=((a=f.payload.scope)==null?void 0:a.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>w.includes(h))))throw new I(403,{message:"Unauthorized"})}return await n()}}const Dv=new o.OpenAPIHono().openapi(o.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ui}},description:"Email provider"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.emailProviders.get(e);if(!n)throw new I(404,{message:"Email provider not 
found"});return t.json(n)}).openapi(o.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.create(e,n),t.text("OK",{status:201})}).openapi(o.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object(Ui.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");return await t.env.data.emailProviders.update(e,n),t.text("OK")}),Hv=new o.OpenAPIHono().openapi(o.createRoute({tags:["sessions"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Xs}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.sessions.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["sessions"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.remove(e,n))throw new I(404,{message:"Session not found"});return 
t.text("OK")}).openapi(o.createRoute({tags:["sessions"],method:"post",path:"/{id}/revoke",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{202:{description:"Sesssion deletion status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.sessions.update(e,n,{revoked_at:new Date().toDateString()}))throw new I(404,{message:"Session not found"});return t.text("Session deletion request accepted.",{status:202})}),Fv=new o.OpenAPIHono().openapi(o.createRoute({tags:["refresh_tokens"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:cl}},description:"A session"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.refreshTokens.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["refresh_tokens"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.refreshTokens.remove(e,n))throw new I(404,{message:"Session not found"});return t.text("OK")}),Kv=new o.OpenAPIHono().openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/",request:{query:tn,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.array(Gt)}},description:"List of custom domains"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=await t.env.data.customDomains.list(e);return 
t.json(n)}).openapi(o.createRoute({tags:["custom-domains"],method:"get",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"A connection"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=await t.env.data.customDomains.get(e,n);if(!r)throw new I(404);return t.json(r)}).openapi(o.createRoute({tags:["custom-domains"],method:"delete",path:"/{id}",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param");if(!await t.env.data.customDomains.remove(e,n))throw new I(404,{message:"Custom domain not found"});return t.text("OK")}).openapi(o.createRoute({tags:["custom-domains"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:o.z.object(Gt.shape).partial()}}},params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"The updated custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{id:n}=t.req.valid("param"),r=t.req.valid("json");if(!await t.env.data.customDomains.update(e,n,r))throw new I(404);const s=await t.env.data.customDomains.get(e,n);if(!s)throw new I(404);return t.json(s)}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.object(ol.shape)}}},headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Gt}},description:"The created custom domain"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),r=await 
t.env.data.customDomains.create(e,n);return t.json(r,{status:201})}).openapi(o.createRoute({tags:["custom-domains"],method:"post",path:"/{id}/verify",request:{params:o.z.object({id:o.z.string()}),headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Gt}},description:"The custom domain"}}}),async()=>{throw new I(501,{message:"Not implemented"})});async function od(t,e){const n=t.req.header("x-forwarded-host");if(n){const i=await t.env.data.customDomains.getByDomain(n);if(i)return t.set("tenant_id",i.tenant_id),t.set("custom_domain",n),await e()}const r=t.req.header("host");if(r){const i=r.split(".");if(i.length>1&&typeof i[0]=="string"){const s=i[0];await t.env.data.tenants.get(s)&&t.set("tenant_id",s)}}return await e()}function Wv(t){const e=new o.OpenAPIHono;e.use(of({origin:r=>{var i;return r&&(i=t.allowedOrigins)!=null&&i.includes(r)?r:""},allowHeaders:["Tenant-Id","Content-Type","Content-Range","Auth0-Client","Authorization","Range","Upgrade-Insecure-Requests"],allowMethods:["POST","PUT","GET","DELETE","PATCH","OPTIONS"],exposeHeaders:["Content-Length","Content-Range"],maxAge:600,credentials:!0})),Bg(e),e.use(async(r,i)=>(r.env.data=ro(r,t.dataAdapter),i())),e.use(od).use(Rg(e));const n=e.route("/branding",v0).route("/custom-domains",Kv).route("/email/providers",Dv).route("/users",Cy).route("/keys",Ev).route("/users-by-email",Iv).route("/clients",Nv).route("/tenants",$v).route("/logs",Tv).route("/hooks",Bv).route("/connections",Lv).route("/prompts",Uv).route("/sessions",Hv).route("/refresh_tokens",Fv);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"},security:[{oauth2:["openid","email","profile"]}]}),n}function Gv(t,e){Object.keys(e).forEach(n=>{const r=e[n];r!=null&&r.length&&t.searchParams.set(n,r)})}var Ip;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ip||(Ip={}));var 
Cp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Cp||(Cp={}));function Jv(t){return Ug(t,Zv,ti.Include)}function Lg(t){return Ug(t,Yv,ti.None)}function Ug(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===ti.Include&&(r+="=")}return r}const Zv="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",Yv="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ti;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(ti||(ti={}));var Np;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Np||(Np={}));class Xv{uint8(e,n){if(e.byteLength<n+1)throw new TypeError("Insufficient bytes");return e[n]}uint16(e,n){if(e.byteLength<n+2)throw new TypeError("Insufficient bytes");return e[n]<<8|e[n+1]}uint32(e,n){if(e.byteLength<n+4)throw new TypeError("Insufficient bytes");let r=0;for(let i=0;i<4;i++)r|=e[n+i]<<24-i*8;return r}uint64(e,n){if(e.byteLength<n+8)throw new TypeError("Insufficient bytes");let r=0n;for(let i=0;i<8;i++)r|=BigInt(e[n+i])<<BigInt(56-i*8);return r}putUint8(e,n,r){if(e.length<r+1)throw new TypeError("Not enough space");if(n<0||n>255)throw new TypeError("Invalid uint8 value");e[r]=n}putUint16(e,n,r){if(e.length<r+2)throw new TypeError("Not enough space");if(n<0||n>65535)throw new TypeError("Invalid uint16 value");e[r]=n>>8,e[r+1]=n&255}putUint32(e,n,r){if(e.length<r+4)throw new TypeError("Not enough space");if(n<0||n>4294967295)throw new TypeError("Invalid uint32 value");for(let i=0;i<4;i++)e[r+i]=n>>(3-i)*8&255}putUint64(e,n,r){if(e.length<r+8)throw new TypeError("Not enough space");if(n<0||n>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let i=0;i<8;i++)e[r+i]=Number(n>>BigInt((7-i)*8)&0xffn)}}const jp=new Xv;function St(t,e){return(t<<32-e|t>>>e)>>>0}function Qv(t){const e=new eb;return e.update(t),e.digest()}class 
eb{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let n=0;if(this.currentBlockSize>0){const r=e.slice(0,64-this.currentBlockSize);this.blocks.set(r,this.currentBlockSize),this.process(),n+=r.byteLength,this.currentBlockSize=0}for(;n+64<=e.byteLength;){const r=e.slice(n,n+64);this.blocks.set(r),this.process(),n+=64}if(e.byteLength-n>0){const r=e.slice(n);this.blocks.set(r),this.currentBlockSize=r.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),jp.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let n=0;n<8;n++)jp.putUint32(e,this.H[n],n*4);return e}process(){for(let d=0;d<16;d++)this.w[d]=(this.blocks[d*4]<<24|this.blocks[d*4+1]<<16|this.blocks[d*4+2]<<8|this.blocks[d*4+3])>>>0;for(let d=16;d<64;d++){const p=(St(this.w[d-2],17)^St(this.w[d-2],19)^this.w[d-2]>>>10)>>>0,f=(St(this.w[d-15],7)^St(this.w[d-15],18)^this.w[d-15]>>>3)>>>0;this.w[d]=p+this.w[d-7]+f+this.w[d-16]|0}let e=this.H[0],n=this.H[1],r=this.H[2],i=this.H[3],s=this.H[4],a=this.H[5],c=this.H[6],l=this.H[7];for(let d=0;d<64;d++){const 
p=(St(s,6)^St(s,11)^St(s,25))>>>0,f=(s&a^~s&c)>>>0,m=l+p+f+tb[d]+this.w[d]|0,w=(St(e,2)^St(e,13)^St(e,22))>>>0,h=(e&n^e&r^n&r)>>>0,_=w+h|0;l=c,c=a,a=s,s=i+m|0,i=r,r=n,n=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=n+this.H[1]|0,this.H[2]=r+this.H[2]|0,this.H[3]=i+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=a+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const tb=new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new 
BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class nb{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' 
field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function rb(t){const e=Qv(new TextEncoder().encode(t));return Lg(e)}function ib(){const t=new Uint8Array(32);return crypto.getRandomValues(t),Lg(t)}function Ur(t,e){const n=new TextEncoder().encode(e.toString()),r=new Request(t,{method:"POST",body:n});return r.headers.set("Content-Type","application/x-www-form-urlencoded"),r.headers.set("Accept","application/json"),r.headers.set("User-Agent","arctic"),r.headers.set("Content-Length",n.byteLength.toString()),r}function ya(t,e){const n=new TextEncoder().encode(`${t}:${e}`);return Jv(n)}async function Fs(t){let e;try{e=await fetch(t)}catch(n){throw new qg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);let r;try{r=Vg(n)}catch{throw new Xn(e.status,n)}throw r}if(e.status===200){let n;try{n=await e.json()}catch{throw new Hi(e.status)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);return new nb(n)}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}async function sb(t){let e;try{e=await 
fetch(t)}catch(n){throw new qg(n)}if(e.status===400||e.status===401){let n;try{n=await e.json()}catch{throw new Xn(e.status,null)}if(typeof n!="object"||n===null)throw new Xn(e.status,n);let r;try{r=Vg(n)}catch{throw new Xn(e.status,n)}throw r}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new Hi(e.status)}function Vg(t){let e;if("error"in t&&typeof t.error=="string")e=t.error;else throw new Error("Invalid error response");let n=null,r=null,i=null;if("error_description"in t){if(typeof t.error_description!="string")throw new Error("Invalid data");n=t.error_description}if("error_uri"in t){if(typeof t.error_uri!="string")throw new Error("Invalid data");r=t.error_uri}if("state"in t){if(typeof t.state!="string")throw new Error("Invalid data");i=t.state}return new ob(e,n,r,i)}class qg extends Error{constructor(e){super("Failed to send request",{cause:e})}}class ob extends Error{constructor(n,r,i,s){super(`OAuth request error: ${n}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=n,this.description=r,this.uri=i,this.state=s}}class Hi extends Error{constructor(n){super("Unexpected error response");te(this,"status");this.status=n}}class Xn extends Error{constructor(n,r){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=n,this.data=r}}class ad{constructor(e,n,r){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=n,this.redirectURI=r}createAuthorizationURL(e,n,r){const i=new URL(e);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&i.searchParams.set("redirect_uri",this.redirectURI),i.searchParams.set("state",n),r.length>0&&i.searchParams.set("scope",r.join(" ")),i}createAuthorizationURLWithPKCE(e,n,r,i,s){const a=new 
URL(e);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&a.searchParams.set("redirect_uri",this.redirectURI),a.searchParams.set("state",n),r===ni.S256){const c=rb(i);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",c)}else r===ni.Plain&&(a.searchParams.set("code_challenge_method","plain"),a.searchParams.set("code_challenge",i));return s.length>0&&a.searchParams.set("scope",s.join(" ")),a}async validateAuthorizationCode(e,n,r){const i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",n),this.redirectURI!==null&&i.set("redirect_uri",this.redirectURI),r!==null&&i.set("code_verifier",r),this.clientPassword===null&&i.set("client_id",this.clientId);const s=Ur(e,i);if(this.clientPassword!==null){const c=ya(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Fs(s)}async refreshAccessToken(e,n,r){const i=new URLSearchParams;i.set("grant_type","refresh_token"),i.set("refresh_token",n),this.clientPassword===null&&i.set("client_id",this.clientId),r.length>0&&i.set("scope",r.join(" "));const s=Ur(e,i);if(this.clientPassword!==null){const c=ya(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await Fs(s)}async revokeToken(e,n){const r=new URLSearchParams;r.set("token",n),this.clientPassword===null&&r.set("client_id",this.clientId);const i=Ur(e,r);if(this.clientPassword!==null){const s=ya(this.clientId,this.clientPassword);i.headers.set("Authorization",`Basic ${s}`)}await sb(i)}}var ni;(function(t){t[t.S256=0]="S256",t[t.Plain=1]="Plain"})(ni||(ni={}));var $p;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})($p||($p={}));var Op;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Op||(Op={}));function Vr(t){return ab(t,cb,Ks.None)}function ab(t,e,n){let r="";for(let i=0;i<t.byteLength;i+=3){let s=0,a=0;for(let 
c=0;c<3&&i+c<t.byteLength;c++)s=s<<8|t[i+c],a+=8;for(let c=0;c<4;c++)a>=6?(r+=e[s>>a-6&63],a-=6):a>0?(r+=e[s<<6-a&63],a=0):n===Ks.Include&&(r+="=")}return r}const cb="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Ks;(function(t){t[t.Include=0]="Include",t[t.None=1]="None"})(Ks||(Ks={}));var Tp;(function(t){t[t.Required=0]="Required",t[t.Ignore=1]="Ignore"})(Tp||(Tp={}));function lb(t,e,n){const r=Vr(new TextEncoder().encode(t)),i=Vr(new TextEncoder().encode(e)),s=Vr(n);return r+"."+i+"."+s}function db(t,e){const n=Vr(new TextEncoder().encode(t)),r=Vr(new TextEncoder().encode(e)),i=n+"."+r;return new TextEncoder().encode(i)}const ub="https://appleid.apple.com/auth/authorize",pb="https://appleid.apple.com/auth/token";class Mg{constructor(e,n,r,i,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=n,this.keyId=r,this.pkcs8PrivateKey=i,this.redirectURI=s}createAuthorizationURL(e,n){const r=new URL(ub);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId);const r=await this.createClientSecret();n.set("client_secret",r);const i=Ur(pb,n);return await Fs(i)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),n=Math.floor(Date.now()/1e3),r=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),i=JSON.stringify({iss:this.teamId,exp:n+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:n}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,db(r,i)));return lb(r,i,s)}}const 
fb="https://www.facebook.com/v16.0/dialog/oauth",hb="https://graph.facebook.com/v16.0/oauth/access_token";class Dg{constructor(e,n,r){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=n,this.redirectURI=r}createAuthorizationURL(e,n){const r=new URL(fb);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),r.searchParams.set("state",e),n.length>0&&r.searchParams.set("scope",n.join(" ")),r.searchParams.set("redirect_uri",this.redirectURI),r}async validateAuthorizationCode(e){const n=new URLSearchParams;n.set("grant_type","authorization_code"),n.set("code",e),n.set("redirect_uri",this.redirectURI),n.set("client_id",this.clientId),n.set("client_secret",this.clientSecret);const r=Ur(hb,n);return await Fs(r)}}const gb="https://accounts.google.com/o/oauth2/v2/auth",Pp="https://oauth2.googleapis.com/token",mb="https://oauth2.googleapis.com/revoke";let Hg=class{constructor(e,n,r){te(this,"client");this.client=new ad(e,n,r)}createAuthorizationURL(e,n,r){return this.client.createAuthorizationURLWithPKCE(gb,e,ni.S256,n,r)}async validateAuthorizationCode(e,n){return await this.client.validateAuthorizationCode(Pp,e,n)}async refreshAccessToken(e){return await this.client.refreshAccessToken(Pp,e,[])}async revokeToken(e){await this.client.revokeToken(mb,e)}};const Zo=o.z.object({iss:o.z.string().url(),sub:o.z.string(),aud:o.z.string(),exp:o.z.number(),email:o.z.string().optional(),given_name:o.z.string().optional(),family_name:o.z.string().optional(),name:o.z.string().optional(),iat:o.z.number(),auth_time:o.z.number().optional(),nonce:o.z.string().optional(),acr:o.z.string().optional(),amr:o.z.array(o.z.string()).optional(),azp:o.z.string().optional(),at_hash:o.z.string().optional(),c_hash:o.z.string().optional()}).passthrough();Zo.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function _b(t){return t.ISSUER}function ct(t){return 
t.UNIVERSAL_LOGIN_URL||`${t.ISSUER}u/`}function je(t){return t.OAUTH_API_URL||t.ISSUER}function Fg(t){const{options:e}=t;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const n=Buffer.from(e.app_secret,"utf-8"),r=n.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),i=Uint8Array.from(Buffer.from(r,"base64"));return n.fill(0),{options:e,keyArray:i}}async function yb(t,e){var l,d;const{options:n,keyArray:r}=Fg(e),i=new Mg(n.client_id,n.team_id,n.kid,r,`${je(t.env)}callback`),s=ke(),a=await i.createAuthorizationURL(s,((l=n.scope)==null?void 0:l.split(" "))||["name","email"]);return(((d=n.scope)==null?void 0:d.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&a.searchParams.set("response_mode","form_post"),{redirectUrl:a.href,code:s}}async function wb(t,e,n){const{options:r,keyArray:i}=Fg(e),a=await new Mg(r.client_id,r.team_id,r.kid,i,`${je(t.env)}callback`).validateAuthorizationCode(n),c=dl(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Zo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const vb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:yb,validateAuthorizationCodeAndGetUser:wb},Symbol.toStringTag,{value:"Module"}));async function bb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new Dg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke();return{redirectUrl:r.createAuthorizationURL(i,((a=n.scope)==null?void 0:a.split(" "))||["email"]).href,code:i}}async function xb(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new Dg(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n),a=await 
fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!a.ok)throw new Error("Failed to fetch user info");const c=await a.json();return t.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const kb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:bb,validateAuthorizationCodeAndGetUser:xb},Symbol.toStringTag,{value:"Module"}));async function Sb(t,e){var c;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required Google authentication parameters");const r=new Hg(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke(),s=ib();return{redirectUrl:r.createAuthorizationURL(i,s,((c=n.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:i,codeVerifier:s}}async function Ab(t,e,n,r){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret||!r)throw new Error("Missing required authentication parameters");const a=await new Hg(i.client_id,i.client_secret,`${je(t.env)}callback`).validateAuthorizationCode(n,r),c=dl(a.idToken());if(!c)throw new Error("Invalid ID token");const l=Zo.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const zb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:Sb,validateAuthorizationCodeAndGetUser:Ab},Symbol.toStringTag,{value:"Module"}));async function Eb(t,e){var a;const{options:n}=e;if(!(n!=null&&n.client_id)||!n.client_secret)throw new Error("Missing required authentication parameters");const r=new ad(n.client_id,n.client_secret,`${je(t.env)}callback`),i=ke(),s=r.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",i,((a=n.scope)==null?void 0:a.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return 
s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:i}}async function Ib(t,e,n){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret)throw new Error("Missing required authentication parameters");const s=await new ad(r.client_id,r.client_secret,`${je(t.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",n,null),a=dl(s.idToken());if(!a)throw new Error("Invalid ID token");const c=Zo.parse(a.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new I(400,{message:"Failed to get user from vipps"});return await l.json()}const Cb=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:Eb,validateAuthorizationCodeAndGetUser:Ib},Symbol.toStringTag,{value:"Module"}));function Kg(t,e){const n=t.env.STRATEGIES||{},i={apple:vb,facebook:kb,"google-oauth2":zb,vipps:Cb,...n}[e];if(!i)throw new Error(`Strategy ${e} not found`);return i}async function Yo(t,e){const n=await t.data.clients.get(e);if(!n)throw new I(403,{message:"Client not found"});const r=t.DEFAULT_CLIENT_ID?await t.data.clients.get(t.DEFAULT_CLIENT_ID):void 0,i=await t.data.connections.list(n.tenant.id),s=t.DEFAULT_TENANT_ID?await t.data.connections.list(t.DEFAULT_TENANT_ID):{connections:[]},a=i.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(f=>f.name===c.name);return l!=null&&l.options?Jt.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...n,web_origins:[...(r==null?void 0:r.web_origins)||[],...n.web_origins||[],`${ct(t)}login`],allowed_logout_urls:[...(r==null?void 0:r.allowed_logout_urls)||[],...n.allowed_logout_urls||[],t.ISSUER],callbacks:[...(r==null?void 
0:r.callbacks)||[],...n.callbacks||[],`${ct(t)}info`],connections:a,tenant:{...(r==null?void 0:r.tenant)||{},...n.tenant}}}function Xo(t,e=[],n={}){try{const r=new URL(t);return e.some(i=>{try{return Nb(r,new URL(i),n.allowPathWildcards)}catch{return!1}})}catch{return!1}}function Nb(t,e,n){if(t.protocol!==e.protocol)return!1;if(n&&e.pathname.includes("*")){const r=e.pathname.replace(/\*/g,".*").replace(/\//g,"\\/");if(!new RegExp(`^${r}$`).test(t.pathname))return!1}else if(t.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const r=e.hostname.split(".").slice(1).join(".");return t.hostname.endsWith(r)}return t.hostname===e.hostname}async function jb(t,e,n,r){if(!r.state)throw new I(400,{message:"State not found"});const i=e.connections.find(l=>l.name===n);if(!i){t.set("client_id",e.id);const l=we(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await t.env.data.logs.create(e.tenant.id,l),new I(403,{message:"Connection Not Found"})}let s=await t.env.data.loginSessions.get(e.tenant.id,r.state);s||(s=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:r,csrf_token:ke(),...cn(t.req)}));const c=await Kg(t,i.strategy).getRedirect(t,i);return await t.env.data.codes.create(e.tenant.id,{login_id:s.id,code_id:c.code,code_type:"oauth2_state",connection_id:i.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+F0*1e3).toISOString()}),t.redirect(c.redirectUrl)}async function Bp(t,{code:e,state:n}){var h;const{env:r}=t,i=await r.data.codes.get(t.var.tenant_id||"",n,"oauth2_state");if(!i||!i.connection_id)throw new I(403,{message:"State not found"});const s=await r.data.loginSessions.get(t.var.tenant_id||"",i.login_id);if(!s)throw new I(403,{message:"Session not found"});const a=await Yo(r,s.authParams.client_id);t.set("client_id",a.id),t.set("tenant_id",a.tenant.id);const 
c=a.connections.find(_=>_.id===i.connection_id);if(!c){const _=we(t,{type:he.FAILED_LOGIN,description:"Connection not found"});throw await r.data.logs.create(a.tenant.id,_),new I(403,{message:"Connection not found"})}if(t.set("connection",c.name),!s.authParams.redirect_uri){const _=we(t,{type:he.FAILED_LOGIN,description:"Redirect URI not defined"});throw await r.data.logs.create(a.tenant.id,_),new I(403,{message:"Redirect URI not defined"})}if(!Xo(s.authParams.redirect_uri,a.callbacks||[],{allowPathWildcards:!0})){const _=`Invalid redirect URI - ${s.authParams.redirect_uri}`,v=we(t,{type:he.FAILED_LOGIN,description:_});throw await r.data.logs.create(a.tenant.id,v),new I(403,{message:_})}const d=await Kg(t,c.strategy).validateAuthorizationCodeAndGetUser(t,c,e,i.code_verifier),{sub:p,...f}=d;t.set("user_id",p);const m=((h=d.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(t.env.ISSUER).hostname}`;t.set("username",m);const w=await so(t,{client:a,email:m,provider:c.strategy,connection:c.name,userId:p,profileData:f,isSocial:!0,ip:t.req.header("x-real-ip")});return ln(t,{client:a,authParams:s.authParams,loginSession:s,user:w})}async function Rp(t,e,n,r,i,s){const a=await t.env.data.codes.get(t.var.tenant_id||"",e,"oauth2_state");if(!a)throw new I(400,{message:"State not found"});const c=await t.env.data.loginSessions.get(t.var.tenant_id,a.login_id);if(!c)throw new I(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new I(400,{message:"Redirect uri not found"});const d=we(t,{type:he.FAILED_LOGIN,description:`Failed connection login: ${i} ${n}, ${r}`});rt(t,t.env.data.logs.create(t.var.tenant_id,d));const p=new URL(l);return Gv(p,{error:n,error_description:r,error_reason:s,error_code:i,state:c.authParams.state}),t.redirect(`${ct(t.env)}enter-email?state=${c.id}&error=${n}`)}const $b=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("query");if(r)return Rp(t,e,r,i,s,a);if(!n)throw new I(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}).openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:o.z.object({state:o.z.string(),code:o.z.string().optional(),scope:o.z.string().optional(),hd:o.z.string().optional(),error:o.z.string().optional(),error_description:o.z.string().optional(),error_code:o.z.string().optional(),error_reason:o.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{state:e,code:n,error:r,error_description:i,error_code:s,error_reason:a}=t.req.valid("form");if(r)return Rp(t,e,r,i,s,a);if(!n)throw new I(400,{message:"Code is required"});return Bp(t,{code:n,state:e})}),Ob=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),returnTo:o.z.string().optional()}),header:o.z.object({cookie:o.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async t=>{const{client_id:e,returnTo:n}=t.req.valid("query"),r=await t.env.data.clients.get(e);if(!r)return t.text("OK");const i=await t.env.data.clients.get("DEFAULT_CLIENT");t.set("client_id",e),t.set("tenant_id",r.tenant.id);const s=n||t.req.header("referer");if(!s)return t.text("OK");if(!Xo(s,[...r.allowed_logout_urls||[],...(i==null?void 
0:i.allowed_logout_urls)||[]],{allowPathWildcards:!0}))throw new I(400,{message:"Invalid redirect uri"});const a=t.req.header("cookie");if(a){const l=ls(r.tenant.id,a);if(l){const d=await t.env.data.sessions.get(r.tenant.id,l);if(d){const p=await t.env.data.users.get(r.tenant.id,d.user_id);p&&(t.set("user_id",p.user_id),t.set("connection",p.connection));const f=await t.env.data.refreshTokens.list(r.tenant.id,{q:`session_id=${l}`,page:0,per_page:100,include_totals:!1});await Promise.all(f.refresh_tokens.map(m=>t.env.data.refreshTokens.remove(r.tenant.id,m.id))),await t.env.data.sessions.update(r.tenant.id,l,{revoked_at:new Date().toISOString()})}}}const c=we(t,{type:he.SUCCESS_LOGOUT,description:"User successfully logged out"});return await t.env.data.logs.create(r.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":Z0(r.tenant.id,t.req.header("host")),location:s}})}),Lp=o.z.object({sub:o.z.string(),email:o.z.string().optional(),family_name:o.z.string().optional(),given_name:o.z.string().optional(),email_verified:o.z.boolean()}),Tb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:Lp}},description:"Userinfo"}}}),async t=>{if(!t.var.user)throw new I(404,{message:"User not found"});const e=await t.env.data.users.get(t.var.user.tenant_id,t.var.user.sub);if(!e)throw new I(404,{message:"User not found"});return t.json(Lp.parse({...e,sub:e.user_id}))}),Pb=new o.OpenAPIHono().openapi(o.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:gf}},description:"List of tenants"}}}),async t=>{const e=await t.env.data.keys.list(),n=await Promise.all(e.map(async r=>{const s=await new sd(r.cert).publicKey.export(),a=await crypto.subtle.exportKey("jwk",s);return al.parse({...a,kid:r.kid})}));return 
t.json({keys:n},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${$i}, stale-while-revalidate=${$i*2}, stale-if-error=86400`}})}).openapi(o.createRoute({tags:["well known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:Ca}},description:"List of tenants"}}}),async t=>{const e=Ca.parse({issuer:_b(t.env),authorization_endpoint:`${je(t.env)}authorize`,token_endpoint:`${je(t.env)}oauth/token`,device_authorization_endpoint:`${je(t.env)}oauth/device/code`,userinfo_endpoint:`${je(t.env)}userinfo`,mfa_challenge_endpoint:`${je(t.env)}mfa/challenge`,jwks_uri:`${je(t.env)}.well-known/jwks.json`,registration_endpoint:`${je(t.env)}oidc/register`,revocation_endpoint:`${je(t.env)}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return t.json(e,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${$i}, stale-while-revalidate=${$i*2}, stale-if-error=86400`}})});function Fi(t,e){if(!t||!e||t.length!==e.length)return!1;let n=0;for(let 
r=0;r<t.length;r++)n|=t.charCodeAt(r)^e.charCodeAt(r);return n===0}const Wg=o.z.object({grant_type:o.z.literal("client_credentials"),scope:o.z.string().optional(),client_secret:o.z.string(),client_id:o.z.string(),audience:o.z.string().optional()});async function Bb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Invalid client credentials"});if(n.client_secret&&!Fi(n.client_secret,e.client_secret))throw new I(403,{message:"Invalid client credentials"});const r={client_id:n.id,scope:e.scope,audience:e.audience},i=await no(t,{authParams:r,client:n});return t.json(i)}const Rb=o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string().optional(),client_secret:o.z.string().optional(),code_verifier:o.z.string().optional()}).refine(t=>"client_secret"in t&&!("code_verifier"in t)||!("client_secret"in t)&&"code_verifier"in t,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function Lb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Client not found"});const r=await t.env.data.codes.get(n.tenant.id,e.code,"authorization_code");if(!r||!r.user_id)throw new I(403,{message:"Invalid client credentials"});if(new Date(r.expires_at)<new Date)throw new I(403,{message:"Code expired"});if(r.used_at)throw new I(403,{message:"Code already used"});const i=await t.env.data.loginSessions.get(n.tenant.id,r.login_id);if(!i)throw new I(403,{message:"Invalid login"});if("client_secret"in e){const a=await t.env.data.clients.get("DEFAULT_CLIENT");if(!Fi(n.client_secret,e.client_secret)&&!Fi(a==null?void 0:a.client_secret,e.client_secret))throw new I(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in i.authParams&&typeof i.authParams.code_challenge_method=="string"){const a=await 
q0(e.code_verifier,i.authParams.code_challenge_method);if(!Fi(a,i.authParams.code_challenge||""))throw new I(403,{message:"Invalid client credentials"})}if(i.authParams.redirect_uri&&i.authParams.redirect_uri!==e.redirect_uri)throw new I(403,{message:"Invalid redirect uri"});const s=await t.env.data.users.get(n.tenant.id,r.user_id);if(!s)throw new I(403,{message:"User not found"});return await t.env.data.codes.used(n.tenant.id,e.code),ln(t,{user:s,client:n,loginSession:i,authParams:{...i.authParams,response_mode:Rt.WEB_MESSAGE}})}const Ub=o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),redirect_uri:o.z.string().optional(),refresh_token:o.z.string()});async function Vb(t,e){const n=await t.env.data.clients.get(e.client_id);if(!n)throw new I(403,{message:"Client not found"});const r=await t.env.data.refreshTokens.get(n.tenant.id,e.refresh_token);if(r){if(r.expires_at&&new Date(r.expires_at)<new Date||r.idle_expires_at&&new Date(r.idle_expires_at)<new Date)throw new I(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Refresh token has expired"})})}else throw new I(403,{message:JSON.stringify({error:"invalid_grant",error_description:"Invalid refresh token"})});const i=await t.env.data.users.get(n.tenant.id,r.user_id);if(!i)throw new I(403,{message:"User not found"});const s=r.resource_servers[0];if(r.idle_expires_at){const a=new Date(Date.now()+2592e6);await t.env.data.refreshTokens.update(n.tenant.id,r.id,{idle_expires_at:a.toISOString(),last_exchanged_at:new Date().toISOString(),device:{...r.device,last_ip:t.req.header["x-real-ip"]||"",last_user_agent:t.req.header["user-agent"]||""}})}return ln(t,{user:i,client:n,refreshToken:r.id,sessionId:r.session_id,authParams:{client_id:n.id,audience:s==null?void 0:s.audience,scope:s==null?void 0:s.scopes,response_mode:Rt.WEB_MESSAGE}})}const 
qb=o.z.object({client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email","sms"]),otp:o.z.string(),authParams:Mr.optional()});async function Mb(t,{client_id:e,username:n,otp:r,authParams:i}){const s=await t.env.data.clients.get(e);if(!s)throw new I(403,{message:"Client not found"});return Qo(t,s,i||{client_id:e,response_type:It.TOKEN_ID_TOKEN,response_mode:Rt.WEB_MESSAGE},n,r)}async function Qo(t,e,n,r,i,s,a){const{env:c}=t,l=await c.data.codes.get(e.tenant.id,i,"otp");if(!l)throw new I(400,{message:"Code not found or expired"});if(l.expires_at<new Date().toISOString())throw new I(400,{message:"Code expired"});if(l.used_at)throw new I(400,{message:"Code already used"});const d=await c.data.loginSessions.get(e.tenant.id,l.login_id);if(!d||d.authParams.username!==r)throw new I(400,{message:"Code not found or expired"});const p=cn(t.req);if(a&&d.ip!==p.ip)return t.redirect(`${ct(t.env)}invalid-session?state=${d.id}`);if(n.redirect_uri&&!Xo(n.redirect_uri,e.callbacks,{allowPathWildcards:!0}))throw new I(400,{message:`Invalid redirect URI - ${n.redirect_uri}`});const f=await so(t,{client:e,email:r,provider:"email",connection:"email",isSocial:!1,ip:t.req.header("x-real-ip")});return await c.data.codes.used(e.tenant.id,i),ln(t,{user:f,client:e,loginSession:d,authParams:n,ticketAuth:s})}const 
Up=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),Db=o.z.union([Wg.extend(Up.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Up.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()}),o.z.object({grant_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),client_id:o.z.string(),username:o.z.string(),otp:o.z.string(),realm:o.z.enum(["email","sms"])})]);function Hb(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const Fb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:Db}}}},responses:{200:{content:{"application/json":{schema:bf}},description:"Tokens"}}}),async t=>{const e=t.req.valid("form"),n=Hb(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new I(400,{message:"client_id is required"});switch(t.set("client_id",r.client_id),e.grant_type){case Wn.AuthorizationCode:return Lb(t,Rb.parse(r));case Wn.ClientCredential:return Bb(t,Wg.parse(r));case Wn.RefreshToken:return Vb(t,Ub.parse(r));case Wn.OTP:return Mb(t,qb.parse(r));default:throw new I(400,{message:"Not implemented"})}});var cd={exports:{}};const ld=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],Gg=(t,e=ld,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const 
i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(c=>new RegExp(`${c.regex}`).test(r)).map(c=>c.message),s.length=r.length;let a=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,a[0]),s};cd.exports={passwordStrength:Gg,defaultOptions:ld};var Kb=cd.exports.passwordStrength=Gg;cd.exports.defaultOptions=ld;function dd(t){return Kb(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Ai(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new I(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new I(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function Wb(t,e){var a,c;const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new I(500,{message:"Tenant not found"});const r=(await t.env.data.connections.list(t.var.tenant_id)).connections.find(l=>l.strategy==="sms")||(t.env.DEFAULT_TENANT_ID?(await t.env.data.connections.list(t.env.DEFAULT_TENANT_ID)).connections.find(l=>l.strategy==="sms"):null);if(!r)throw new I(500,{message:"SMS provider not found"});const i=((a=r.options)==null?void 0:a.provider)||"twilio",s=(c=t.env.smsProviders)==null?void 0:c[i];if(!s)throw new I(500,{message:"SMS provider not found"});await s({options:r.options,to:e.to,text:e.text,template:"auth-code",data:{code:e.code,tenantName:n.name,tenantId:n.id}})}async function Jg(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const 
s=`${ct(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Ai(t,{to:e,subject:re("reset_password_title",a),html:`Click here to reset your password: ${ct(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:re("password_reset_title",a),resetPasswordEmailClickToReset:re("reset_password_email_click_to_reset",a),resetPasswordEmailReset:re("reset_password_email_reset",a),supportInfo:re("support_info",a),contactUs:re("contact_us",a),copyright:re("copyright",a),tenantName:i.name,tenantId:i.id}})}async function Zg(t,{to:e,code:n,connection:r}){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const s=new URL(ct(t.env)),a={vendorName:i.name,vendorId:i.id,loginDomain:s.hostname,code:n,lng:i.language||"en"};r==="email"?await Ai(t,{to:e,subject:re("code_email_subject",a),html:`Click here to validate your email: ${ct(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",buttonColor:i.primary_color||"",welcomeToYourAccount:re("welcome_to_your_account",a),linkEmailClickToLogin:re("link_email_click_to_login",a),linkEmailLogin:re("link_email_login",a),linkEmailOrEnterCode:re("link_email_or_enter_code",a),codeValid30Mins:re("code_valid_30_minutes",a),supportInfo:re("support_info",a),contactUs:re("contact_us",a),copyright:re("copyright",a)}}):r==="sms"&&await Wb(t,{to:e,text:re("sms_code_text",a),code:n});const c=we(t,{type:he.CODE_LINK_SENT,description:e});rt(t,t.env.data.logs.create(i.id,c))}async function ud(t,{to:e,code:n,authParams:r,connection:i}){const s=await t.env.data.tenants.get(t.var.tenant_id);if(!s)throw new I(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new I(400,{message:"redirect_uri is 
required"});const a=new URL(je(t.env));a.pathname="passwordless/verify_redirect",a.searchParams.set("verification_code",n),a.searchParams.set("connection",i),a.searchParams.set("client_id",r.client_id),a.searchParams.set("redirect_uri",r.redirect_uri),a.searchParams.set("email",e),r.response_type&&a.searchParams.set("response_type",r.response_type),r.scope&&a.searchParams.set("scope",r.scope),r.state&&a.searchParams.set("state",r.state),r.nonce&&a.searchParams.set("nonce",r.nonce),r.code_challenge&&a.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&a.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&a.searchParams.set("audience",r.audience);const c={vendorName:s.name,code:n,lng:s.language||"en"};if(i!=="email")throw new I(400,{message:"Only email connections are supported for magic links"});await Ai(t,{to:e,subject:re("code_email_subject",c),html:`Click here to validate your email: ${ct(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:s.name,logo:s.logo||"",supportUrl:s.support_url||"",magicLink:a.toString(),buttonColor:s.primary_color||"",welcomeToYourAccount:re("welcome_to_your_account",c),linkEmailClickToLogin:re("link_email_click_to_login",c),linkEmailLogin:re("link_email_login",c),linkEmailOrEnterCode:re("link_email_or_enter_code",c),codeValid30Mins:re("code_valid_30_minutes",c),supportInfo:re("support_info",c),contactUs:re("contact_us",c),copyright:re("copyright",c)}});const l=we(t,{type:he.CODE_LINK_SENT,description:e});rt(t,t.env.data.logs.create(s.id,l))}async function pd(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new I(500,{message:"Tenant not found"});const r={vendorName:n.name,lng:n.language||"en"};await Ai(t,{to:e.email,subject:re("welcome_to_your_account",r),html:`Click here to validate your email: 
${ct(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${ct(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:re("welcome_to_your_account",r),verifyEmailVerify:re("verify_email_verify",r),supportInfo:re("support_info",r),contactUs:re("contact_us",r),copyright:re("copyright",r)}})}async function Gb(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new I(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${ct(t.env)}signup?state=${r}&code=${n}`;await Ai(t,{to:e,subject:re("register_password_account",s),html:`Click here to register: ${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:re("set_password",s),registerPasswordAccount:re("register_password_account",s),clickToSignUpDescription:re("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:re("welcome_to_your_account",s),verifyEmailVerify:re("verify_email_verify",s),supportInfo:re("support_info",s),contactUs:re("contact_us",s),copyright:re("copyright",s)}})}const Jb=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.clients.get(r);if(!i)throw new I(400,{message:"Client not 
found"});if(t.set("client_id",i.id),t.set("tenant_id",i.tenant.id),!dd(n))throw new I(400,{message:"Password does not meet the requirements"});if(await ds({userAdapter:t.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))throw new I(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Qs()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const c=await oi.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:c,algorithm:"bcrypt"}),await pd(t,a);const l=we(t,{type:he.SUCCESS_SIGNUP,description:"Successful signup"});return await t.env.data.logs.create(i.tenant.id,l),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.clients.get(n);if(!r)throw new I(400,{message:"Client not found"});if(t.set("client_id",r.id),t.set("tenant_id",r.tenant.id),!await fr({userAdapter:t.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:s,csrf_token:ke(),...cn(t.req)});return await Jg(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Pn(){const 
t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}const Zb=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({connection:o.z.literal("email"),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:Mr.omit({client_id:!0})}),o.z.object({client_id:o.z.string(),connection:o.z.literal("sms"),phone_number:o.z.string(),send:o.z.enum(["link","code"]),authParams:Mr.omit({client_id:!0})})])}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,send:i,authParams:s,connection:a}=e,c=await t.env.data.clients.get(r);if(!c)throw new I(400,{message:"Client not found"});t.set("client_id",c.id),t.set("tenant_id",c.tenant.id);const l=a==="email"?e.email:e.phone_number,d=await n.data.loginSessions.create(c.tenant.id,{authParams:{...s,client_id:r,username:l},expires_at:new Date(Date.now()+$a).toISOString(),csrf_token:ke(),...cn(t.req)}),p=await n.data.codes.create(c.tenant.id,{code_id:Pn(),code_type:"otp",login_id:d.id,expires_at:new Date(Date.now()+$a).toISOString()});return i==="link"?await ud(t,{to:l,code:p.code_id,authParams:{...s,client_id:r},connection:a}):await Zg(t,{to:l,code:p.code_id,connection:a}),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(It),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Status"}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:c,audience:l,response_type:d,nonce:p}=t.req.valid("query"),f=await 
Yo(e,n);return t.set("client_id",f.id),t.set("tenant_id",f.tenant.id),t.set("connection","email"),Qo(t,f,{client_id:n,redirect_uri:s,state:a,nonce:p,scope:c,audience:l,response_type:d},r,i,!1,!0)});class jr extends I{constructor(n,r){super(n,r);te(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function fd(t,e,n,r,i){const{env:s}=t,a=n.username;if(t.set("username",a),!a)throw new I(400,{message:"Username is required"});const c=await fr({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:a,provider:"auth2"});if(!c){const h=we(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=c.linked_to?await s.data.users.get(e.tenant.id,c.linked_to):c;if(!l)throw new jr(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",c.connection),t.set("user_id",l.user_id);const d=await s.data.passwords.get(e.tenant.id,c.user_id);if(!(d&&await oi.compare(n.password,d.password))){const h=we(t,{type:he.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await s.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(h=>h.type===he.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(h.date)>new Date(Date.now()-1e3*60*5)).length>=3){const h=we(t,{type:he.FAILED_LOGIN,description:"Too many failed login attempts"});throw rt(t,t.env.data.logs.create(e.tenant.id,h)),new jr(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!c.email_verified&&e.email_validation==="enforced"){await pd(t,c);const h=we(t,{type:he.FAILED_LOGIN,description:"Email not verified"});throw await t.env.data.logs.create(e.tenant.id,h),new jr(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const 
w=we(t,{type:he.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return rt(t,t.env.data.logs.create(e.tenant.id,w)),ln(t,{client:e,authParams:n,user:l,ticketAuth:i,loginSession:r})}async function Yb(t,e,n,r){await so(t,{client:e,email:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.req.header("x-real-ip")});let i=Pn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Pn(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+G0).toISOString(),authParams:{client_id:e.id,username:n},csrf_token:ke(),...cn(t.req)}),c=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:a.id,expires_at:new Date(Date.now()+W0).toISOString()});await Jg(t,n,c.code_id,r)}const Xb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.clients.get(n);if(!i)throw new I(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase();if("otp"in e)return Qo(t,i,{client_id:n,username:s},s,e.otp,!0);if("password"in 
e){const a=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:ke(),...cn(t.req)});return fd(t,i,{username:s,password:e.password,client_id:n},a,!0)}else throw new I(400,{message:"Code or password required"})});function Qb(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=wa(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let c;if(a.startsWith("http://")||a.startsWith("https://")?c=((i=wa(a))==null?void 0:i.host)??null:c=((s=wa("https://"+a))==null?void 0:s.host)??null,n===c)return!0}return!1}function wa(t){try{return new URL(t)}catch{return null}}async function e1({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new Date(Date.now()+Qn*1e3).toISOString(),authParams:r,csrf_token:ke(),authorization_url:t.req.url,...cn(t.req)});if(e&&s){const c=await t.env.data.users.get(n.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return ln(t,{client:n,loginSession:a,authParams:r,user:c,sessionId:e.id})}if(i==="email"&&s){const c=Pn();return await t.env.data.codes.create(n.tenant.id,{code_id:c,code_type:"otp",login_id:a.id,expires_at:new Date(Date.now()+Qn*1e3).toISOString()}),await ud(t,{connection:i,code:c,to:s,authParams:r}),t.redirect(`/u/enter-code?state=${a.id}`)}return e?t.redirect(`/u/check-account?state=${a.id}`):t.redirect(`/u/enter-email?state=${a.id}`)}function t1(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new I(403,{message:"Invalid realm"})}async function n1(t,e,n,r,i){var m;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new I(403,{message:"Ticket not found"});const c=await s.data.loginSessions.get(e,a.login_id);if(!c||!c.authParams.username)throw new I(403,{message:"Session not found"});const l=await 
s.data.clients.get(c.authParams.client_id);if(!l)throw new I(403,{message:"Client not found"});t.set("client_id",c.authParams.client_id),await s.data.codes.used(e,n);const d=t1(i);let p=await so(t,{email:c.authParams.username,provider:d,client:l,connection:d==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.req.header("x-real-ip")});t.set("username",p.email),t.set("user_id",p.user_id);const f=await Hf(t,{user:p,client:l,loginSession:c});return ln(t,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...r},loginSession:c,sessionId:f.id,user:p,client:l})}async function Vp(t,e){return`<!DOCTYPE html>
150
150
  <html>
151
151
 
152
152
  <head>
@@ -189,7 +189,7 @@ PERFORMANCE OF THIS SOFTWARE.
189
189
  <\/script>
190
190
  </body>
191
191
 
192
- </html>`}async function r1({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:c,audience:l,scope:d,response_type:p}){const{env:f}=t,m=new URL(r),w=`${m.protocol}//${m.host}`;async function h(ce="Login required"){const le=we(t,{type:he.FAILED_SILENT_AUTH,description:ce});return await t.env.data.logs.create(e.tenant.id,le),t.html(Vp(w,JSON.stringify({error:"login_required",error_description:ce,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return h();t.set("user_id",n.user_id);const v=await f.data.users.get(e.tenant.id,n.user_id);if(!v)return console.error("User not found",n.user_id),h("User not found");t.set("username",v.email),t.set("connection",v.connection);const A={client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:a,code_challenge:c,scope:d,state:i,nonce:s,response_type:p},user:v,session_id:n.id},C=p===It.CODE?await Df(t,A):await no(t,A);await f.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+eo*1e3).toISOString():void 0});const O=we(t,{type:he.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,O);const L=new Headers;L.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const Q=Pf(e.tenant.id,n.id,t.req.header("host"));return L.set("set-cookie",Q),t.html(Vp(w,JSON.stringify(C)),{headers:L})}const i1=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(Rt).optional(),response_type:o.z.nativeEnum(It).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(Ys).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:c,nonce:l,connection:d,response_type:p,response_mode:f,code_challenge:m,code_challenge_method:w,prompt:h,login_ticket:_,realm:v,auth0Client:A,login_hint:C,ui_locales:O,organization:L}=t.req.valid("query");t.set("log","authorize");const Q=await Yo(e,n);t.set("client_id",Q.id),t.set("tenant_id",Q.tenant.id);const ce={redirect_uri:i,scope:s,state:a,client_id:n,vendor_id:r,audience:c,nonce:l,prompt:h,response_type:p,response_mode:f,code_challenge:m,code_challenge_method:w,username:C,ui_locales:O,organization:L},le=t.req.header("origin");if(le&&!Qb(le,Q.web_origins||[]))throw new I(403,{message:`Origin ${le} not allowed`});if(ce.redirect_uri&&!Xo(ce.redirect_uri,Q.callbacks||[],{allowPathWildcards:!0}))throw new I(400,{message:`Invalid redirect URI - ${ce.redirect_uri}`});const He=ls(Q.tenant.id,t.req.header("cookie")),Ve=He?await e.data.sessions.get(Q.tenant.id,He):void 0,Re=Ve&&!Ve.revoked_at?Ve:void 0;if(h=="none"){if(!p)throw new I(400,{message:"Missing response_type"});return 
r1({ctx:t,session:Re||void 0,redirect_uri:i,state:a,response_type:p,client:Q,nonce:l,code_challenge_method:w,code_challenge:m,audience:c,scope:s})}return d&&d!=="email"?jb(t,Q,d,ce):_?n1(t,Q.tenant.id,_,ce,v):e1({ctx:t,client:Q,auth0Client:A,authParams:ce,session:Re||void 0,connection:d,login_hint:C})});function s1(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>(r.env.data=ro(r,t.dataAdapter),i())),e.use("/oauth/token",of({origin:r=>r||"",allowHeaders:["Tenant-Id","Content-Type","Auth0-Client","Upgrade-Insecure-Requests"],allowMethods:["POST"],maxAge:600})),e.use(od).use(Rg(e));const n=e.route("/v2/logout",Ob).route("/userinfo",Tb).route("/.well-known",Pb).route("/oauth/token",Fb).route("/dbconnections",Jb).route("/passwordless",Zb).route("/co/authenticate",Xb).route("/authorize",i1).route("/callback",$b);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Bg(n),n}var o1={Stringify:1,BeforeStream:2,Stream:3},_t=(t,e)=>{const n=new String(t);return n.isEscaped=!0,n.callbacks=e,n},a1=/[&<>'"]/,Yg=async(t,e)=>{let n="";e||(e=[]);const r=await Promise.all(t);for(let i=r.length-1;n+=r[i],i--,!(i<0);i--){let s=r[i];typeof s=="object"&&e.push(...s.callbacks||[]);const a=s.isEscaped;if(s=await(typeof s=="object"?s.toString():s),typeof s=="object"&&e.push(...s.callbacks||[]),s.isEscaped??a)n+=s;else{const c=[n];en(s,c),n=c[0]}}return _t(n,e)},en=(t,e)=>{const n=t.search(a1);if(n===-1){e[0]+=t;return}let r,i,s=0;for(i=n;i<t.length;i++){switch(t.charCodeAt(i)){case 34:r="&quot;";break;case 39:r="&#39;";break;case 38:r="&amp;";break;case 60:r="&lt;";break;case 62:r="&gt;";break;default:continue}e[0]+=t.substring(s,i)+r,s=i+1}e[0]+=t.substring(s,i)},Xg=t=>{const e=t.callbacks;if(!(e!=null&&e.length))return t;const n=[t],r={};return e.forEach(i=>i({phase:o1.Stringify,buffer:n,context:r})),n[0]},c1=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const 
s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,c=s.length;a<c;a++){const l=s[a];if(typeof l=="string")en(l,n);else if(typeof l=="number")n[0]+=l;else{if(typeof l=="boolean"||l===null||l===void 0)continue;if(typeof l=="object"&&l.isEscaped)if(l.callbacks)n.unshift("",l);else{const d=l.toString();d instanceof Promise?n.unshift("",d):n[0]+=d}else l instanceof Promise?n.unshift("",l):en(l.toString(),n)}}}return n[0]+=t[t.length-1],n.length===1?"callbacks"in n?_t(Xg(_t(n[0],n.callbacks))):_t(n[0]):Yg(n,n.callbacks)},hd=Symbol("RENDERER"),Qc=Symbol("ERROR_HANDLER"),Ae=Symbol("STASH"),Qg=Symbol("INTERNAL"),l1=Symbol("MEMO"),Ws=Symbol("PERMALINK"),qp=t=>(t[Qg]=!0,t),em=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:qp(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:qp(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[Qc]=s=>{throw t.pop(),s},i},tm=t=>{const e=[t],n=em(e);return n.values=e,n.Provider=n,ur.push(n),n},ur=[],d1=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new sm("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>_t(s,s.callbacks)):_t(i)};return n.values=e,n.Provider=n,n[hd]=em(e),ur.push(n),n},Ar=t=>t.values.at(-1),Ki={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},el={},Wi="data-precedence",zi=t=>Array.isArray(t)?t:[t],Mp=new WeakMap,Dp=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Mp.get(s)||{};Mp.set(s,a);const c=a[t]||(a[t]=[]);let l=!1;const d=Ki[t];if(d.length>0){e:for(const[,p]of c)for(const f of d)if(((p==null?void 0:p[f])??null)===(n==null?void 0:n[f])){l=!0;break e}}if(l?i[0]=i[0].replaceAll(e,""):d.length>0?c.push([e,n,r]):c.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=c.map(([f])=>f);else{const f=[];p=c.map(([m,,w])=>{let h=f.indexOf(w);return 
h===-1&&(f.push(w),h=f.length-1),[m,h]}).sort((m,w)=>m[1]-w[1]).map(([m])=>m)}p.forEach(f=>{i[0]=i[0].replaceAll(f,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Ei=(t,e,n)=>_t(new yt(t,n,zi(e??[])).toString()),Ii=(t,e,n,r)=>{if("itemProp"in n)return Ei(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[Wi]=i);const c=new yt(t,a,zi(e||[])).toString();return c instanceof Promise?c.then(l=>_t(c,[...l.callbacks||[],Dp(t,l,a,i)])):_t(c,[Dp(t,c,a,i)])},u1=({children:t,...e})=>{const n=gd();if(n){const r=Ar(n);if(r==="svg"||r==="head")return new yt("title",e,zi(t??[]))}return Ii("title",t,e,!1)},p1=({children:t,...e})=>{const n=gd();return["src","async"].some(r=>!e[r])||n&&Ar(n)==="head"?Ei("script",t,e):Ii("script",t,e,!1)},f1=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ii("style",t,e,!0)):Ei("style",t,e),h1=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Ei("link",t,e):Ii("link",t,e,"precedence"in e),g1=({children:t,...e})=>{const n=gd();return n&&Ar(n)==="head"?Ei("meta",t,e):Ii("meta",t,e,!1)},nm=(t,{children:e,...n})=>new yt(t,n,zi(e??[])),m1=t=>(typeof t.action=="function"&&(t.action=Ws in t.action?t.action[Ws]:void 0),nm("form",t)),rm=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=Ws in e.formAction?e.formAction[Ws]:void 0),nm(t,e)),_1=t=>rm("input",t),y1=t=>rm("button",t);const va=Object.freeze(Object.defineProperty({__proto__:null,button:y1,form:m1,input:_1,link:h1,meta:g1,script:p1,style:f1,title:u1},Symbol.toStringTag,{value:"Module"}));var w1=new Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),Gs=t=>w1.get(t)||t,im=(t,e)=>{for(const[n,r]of Object.entries(t)){const 
i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ri=void 0,gd=()=>ri,v1=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,b1=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],x1=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],md=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")en(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof yt?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):md(i,e)}}},yt=class{constructor(t,e,n){te(this,"tag");te(this,"props");te(this,"key");te(this,"children");te(this,"isEscaped",!0);te(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?Xg(_t(t[0],t.callbacks)).toString():t[0]:Yg(t,t.callbacks)}toStringToBuffer(t){const e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ri&&Ar(ri)==="svg"?s=>v1(Gs(s)):s=>Gs(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let c="";im(a,(l,d)=>{d!=null&&(c+=`${c?";":""}${l}:${d}`)}),t[0]+=' 
style="',en(c,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,en(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&x1.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw"Can only set one of `children` or `props.dangerouslySetInnerHTML`.";r=[_t(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on"))throw`Invalid prop '${s}' of type 'function' supplied to '${e}'.`}else t[0]+=` ${s}="`,en(a.toString(),t),t[0]+='"'}if(b1.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",md(r,t),t[0]+=`</${e}>`}},ba=class extends yt{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(ur.length===0)t.unshift("",n);else{const r=ur.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof yt&&(i.localContexts=r),i)))}else n instanceof yt?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):en(n,t)}},sm=class extends yt{toStringToBuffer(t){md(this.children,t)}},k1=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=Gi(t,e,n);return i.key=r,i},Hp=!1,Gi=(t,e,n)=>{if(!Hp){for(const r in el)va[r][hd]=el[r];Hp=!0}return typeof t=="function"?new ba(t,e,n):va[t]?new ba(va[t],e,n):t==="svg"||t==="head"?(ri||(ri=d1("")),new yt(t,e,[new ba(ri,{value:t},n)])):new yt(t,e,n)},om=({children:t})=>new sm("",{children:t},Array.isArray(t)?t:t?[t]:[]),S1=(t,e,...n)=>k1(t.tag,{...t.props,...e},...n);function y(t,e,n){let r;if(!e||!("children"in e))r=Gi(t,e,[]);else{const i=e.children;r=Array.isArray(i)?Gi(t,e,i):Gi(t,e,[i])}return r.key=n,r}const 
Fp={name:"sesamy",logoUrl:"https://assets.sesamy.com/static/images/email/sesamy-logo.png",style:{primaryColor:"#7D68F4",buttonTextColor:"#FFFFFF",primaryHoverColor:"#A091F2"},loginBackgroundImage:"",checkoutHideSocial:!1,supportEmail:"support@sesamy.com",supportUrl:"https://support.sesamy.com",siteUrl:"https://sesamy.com",termsAndConditionsUrl:"https://store.sesamy.com/pages/terms-of-service",manageSubscriptionsUrl:"https://account.sesamy.com/manage-subscriptions"};async function _d(t,e,n){if(!n&&!e)return Fp;const r=n||e;try{const i=await fetch(`${t.API_URL}/profile/vendors/${r}/style`);if(!i.ok)throw new Error("Failed to fetch vendor settings");const s=await i.json();return uf.parse(s)}catch(i){return console.error(i),Fp}}async function Ee(t,e,n=!1){var d;const{env:r}=t,i=await r.data.loginSessions.get(t.var.tenant_id||"",e);if(i)i.session_id;else throw new I(400,{message:"Login session not found"});t.set("loginSession",i);const s=await Yo(r,i.authParams.client_id);t.set("client_id",s.id),t.set("tenant_id",s.tenant.id);const a=await r.data.tenants.get(s.tenant.id);if(a){if(i.session_id&&!n)throw new I(400,{message:"Login session closed"})}else throw new I(400,{message:"Tenant not found"});const c=await _d(r,s.id,i.authParams.vendor_id),l=(d=i.authParams.ui_locales)==null?void 0:d.split(" ").map(p=>p.split("-")[0]).find(p=>{if(Array.isArray(B.options.supportedLngs))return B.options.supportedLngs.includes(p)});return await B.changeLanguage(l||a.language||"sv"),{vendorSettings:{...c,termsAndConditionsUrl:s.id==="fokus-app"?"https://www.fokus.se/kopvillkor-app/":c.termsAndConditionsUrl},client:s,tenant:a,loginSession:i}}async function A1(t,e,n,r){if(r!==void 0)return r==="password";const i=await io({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});if(i){const a=await t.env.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,sort:{sort_by:"date",sort_order:"desc"},q:`type:${he.SUCCESS_LOGIN} 
user_id:${i.user_id}`}),[c]=a.logs.filter(l=>l.strategy&&["Username-Password-Authentication","passwordless","email"].includes(l.strategy));if(c)return c.strategy==="Username-Password-Authentication"}return(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const am=({vendorSettings:t})=>t!=null&&t.logoUrl?y("div",{className:"flex h-9 items-center",children:y("img",{src:t.logoUrl,className:"max-h-full",alt:"Vendor logo"})}):y(om,{}),cm=({vendorSettings:t})=>{const{termsAndConditionsUrl:e}=t;return y("div",{className:"mt-8",children:e&&y("div",{className:"text-xs text-gray-300",children:[B.t("agree_to")," ",y("a",{href:e,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:B.t("terms")})]})})};var lm={exports:{}};/*!
192
+ </html>`}async function r1({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:c,audience:l,scope:d,response_type:p}){const{env:f}=t,m=new URL(r),w=`${m.protocol}//${m.host}`;async function h(ce="Login required"){const le=we(t,{type:he.FAILED_SILENT_AUTH,description:ce});return await t.env.data.logs.create(e.tenant.id,le),t.html(Vp(w,JSON.stringify({error:"login_required",error_description:ce,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return h();t.set("user_id",n.user_id);const v=await f.data.users.get(e.tenant.id,n.user_id);if(!v)return console.error("User not found",n.user_id),h("User not found");t.set("username",v.email),t.set("connection",v.connection);const A={client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:a,code_challenge:c,scope:d,state:i,nonce:s,response_type:p},user:v,session_id:n.id},C=p===It.CODE?await Df(t,A):await no(t,A);await f.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+eo*1e3).toISOString():void 0});const O=we(t,{type:he.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,O);const L=new Headers;L.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const Q=Pf(e.tenant.id,n.id,t.req.header("host"));return L.set("set-cookie",Q),t.html(Vp(w,JSON.stringify(C)),{headers:L})}const i1=new 
o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(Rt).optional(),response_type:o.z.nativeEnum(It).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(Ys).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),screen_hint:o.z.string().openapi({example:"signup",description:'Optional hint for the screen to show, like "signup" or "login".'}).optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:c,nonce:l,connection:d,response_type:p,response_mode:f,code_challenge:m,code_challenge_method:w,prompt:h,login_ticket:_,realm:v,auth0Client:A,login_hint:C,ui_locales:O,organization:L}=t.req.valid("query");t.set("log","authorize");const Q=await Yo(e,n);t.set("client_id",Q.id),t.set("tenant_id",Q.tenant.id);const ce={redirect_uri:i,scope:s,state:a,client_id:n,vendor_id:r,audience:c,nonce:l,prompt:h,response_type:p,response_mode:f,code_challenge:m,code_challenge_method:w,username:C,ui_locales:O,organization:L},le=t.req.header("origin");if(le&&!Qb(le,Q.web_origins||[]))throw new I(403,{message:`Origin ${le} not allowed`});if(ce.redirect_uri&&!Xo(ce.redirect_uri,Q.callbacks||[],{allowPathWildcards:!0}))throw new I(400,{message:`Invalid redirect URI - ${ce.redirect_uri}`});const He=ls(Q.tenant.id,t.req.header("cookie")),Ve=He?await 
e.data.sessions.get(Q.tenant.id,He):void 0,Re=Ve&&!Ve.revoked_at?Ve:void 0;if(h=="none"){if(!p)throw new I(400,{message:"Missing response_type"});return r1({ctx:t,session:Re||void 0,redirect_uri:i,state:a,response_type:p,client:Q,nonce:l,code_challenge_method:w,code_challenge:m,audience:c,scope:s})}return d&&d!=="email"?jb(t,Q,d,ce):_?n1(t,Q.tenant.id,_,ce,v):e1({ctx:t,client:Q,auth0Client:A,authParams:ce,session:Re||void 0,connection:d,login_hint:C})});function s1(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>(r.env.data=ro(r,t.dataAdapter),i())),e.use("/oauth/token",of({origin:r=>r||"",allowHeaders:["Tenant-Id","Content-Type","Auth0-Client","Upgrade-Insecure-Requests"],allowMethods:["POST"],maxAge:600})),e.use(od).use(Rg(e));const n=e.route("/v2/logout",Ob).route("/userinfo",Tb).route("/.well-known",Pb).route("/oauth/token",Fb).route("/dbconnections",Jb).route("/passwordless",Zb).route("/co/authenticate",Xb).route("/authorize",i1).route("/callback",$b);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Bg(n),n}var o1={Stringify:1,BeforeStream:2,Stream:3},_t=(t,e)=>{const n=new String(t);return n.isEscaped=!0,n.callbacks=e,n},a1=/[&<>'"]/,Yg=async(t,e)=>{let n="";e||(e=[]);const r=await Promise.all(t);for(let i=r.length-1;n+=r[i],i--,!(i<0);i--){let s=r[i];typeof s=="object"&&e.push(...s.callbacks||[]);const a=s.isEscaped;if(s=await(typeof s=="object"?s.toString():s),typeof s=="object"&&e.push(...s.callbacks||[]),s.isEscaped??a)n+=s;else{const c=[n];en(s,c),n=c[0]}}return _t(n,e)},en=(t,e)=>{const n=t.search(a1);if(n===-1){e[0]+=t;return}let r,i,s=0;for(i=n;i<t.length;i++){switch(t.charCodeAt(i)){case 34:r="&quot;";break;case 39:r="&#39;";break;case 38:r="&amp;";break;case 60:r="&lt;";break;case 62:r="&gt;";break;default:continue}e[0]+=t.substring(s,i)+r,s=i+1}e[0]+=t.substring(s,i)},Xg=t=>{const e=t.callbacks;if(!(e!=null&&e.length))return t;const n=[t],r={};return 
e.forEach(i=>i({phase:o1.Stringify,buffer:n,context:r})),n[0]},c1=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,c=s.length;a<c;a++){const l=s[a];if(typeof l=="string")en(l,n);else if(typeof l=="number")n[0]+=l;else{if(typeof l=="boolean"||l===null||l===void 0)continue;if(typeof l=="object"&&l.isEscaped)if(l.callbacks)n.unshift("",l);else{const d=l.toString();d instanceof Promise?n.unshift("",d):n[0]+=d}else l instanceof Promise?n.unshift("",l):en(l.toString(),n)}}}return n[0]+=t[t.length-1],n.length===1?"callbacks"in n?_t(Xg(_t(n[0],n.callbacks))):_t(n[0]):Yg(n,n.callbacks)},hd=Symbol("RENDERER"),Qc=Symbol("ERROR_HANDLER"),Ae=Symbol("STASH"),Qg=Symbol("INTERNAL"),l1=Symbol("MEMO"),Ws=Symbol("PERMALINK"),qp=t=>(t[Qg]=!0,t),em=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:qp(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:qp(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[Qc]=s=>{throw t.pop(),s},i},tm=t=>{const e=[t],n=em(e);return n.values=e,n.Provider=n,ur.push(n),n},ur=[],d1=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new sm("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>_t(s,s.callbacks)):_t(i)};return n.values=e,n.Provider=n,n[hd]=em(e),ur.push(n),n},Ar=t=>t.values.at(-1),Ki={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},el={},Wi="data-precedence",zi=t=>Array.isArray(t)?t:[t],Mp=new WeakMap,Dp=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Mp.get(s)||{};Mp.set(s,a);const c=a[t]||(a[t]=[]);let l=!1;const d=Ki[t];if(d.length>0){e:for(const[,p]of c)for(const f of d)if(((p==null?void 0:p[f])??null)===(n==null?void 0:n[f])){l=!0;break 
e}}if(l?i[0]=i[0].replaceAll(e,""):d.length>0?c.push([e,n,r]):c.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=c.map(([f])=>f);else{const f=[];p=c.map(([m,,w])=>{let h=f.indexOf(w);return h===-1&&(f.push(w),h=f.length-1),[m,h]}).sort((m,w)=>m[1]-w[1]).map(([m])=>m)}p.forEach(f=>{i[0]=i[0].replaceAll(f,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Ei=(t,e,n)=>_t(new yt(t,n,zi(e??[])).toString()),Ii=(t,e,n,r)=>{if("itemProp"in n)return Ei(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[Wi]=i);const c=new yt(t,a,zi(e||[])).toString();return c instanceof Promise?c.then(l=>_t(c,[...l.callbacks||[],Dp(t,l,a,i)])):_t(c,[Dp(t,c,a,i)])},u1=({children:t,...e})=>{const n=gd();if(n){const r=Ar(n);if(r==="svg"||r==="head")return new yt("title",e,zi(t??[]))}return Ii("title",t,e,!1)},p1=({children:t,...e})=>{const n=gd();return["src","async"].some(r=>!e[r])||n&&Ar(n)==="head"?Ei("script",t,e):Ii("script",t,e,!1)},f1=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ii("style",t,e,!0)):Ei("style",t,e),h1=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Ei("link",t,e):Ii("link",t,e,"precedence"in e),g1=({children:t,...e})=>{const n=gd();return n&&Ar(n)==="head"?Ei("meta",t,e):Ii("meta",t,e,!1)},nm=(t,{children:e,...n})=>new yt(t,n,zi(e??[])),m1=t=>(typeof t.action=="function"&&(t.action=Ws in t.action?t.action[Ws]:void 0),nm("form",t)),rm=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=Ws in e.formAction?e.formAction[Ws]:void 0),nm(t,e)),_1=t=>rm("input",t),y1=t=>rm("button",t);const va=Object.freeze(Object.defineProperty({__proto__:null,button:y1,form:m1,input:_1,link:h1,meta:g1,script:p1,style:f1,title:u1},Symbol.toStringTag,{value:"Module"}));var w1=new 
Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),Gs=t=>w1.get(t)||t,im=(t,e)=>{for(const[n,r]of Object.entries(t)){const i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ri=void 0,gd=()=>ri,v1=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,b1=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],x1=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],md=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")en(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof yt?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):md(i,e)}}},yt=class{constructor(t,e,n){te(this,"tag");te(this,"props");te(this,"key");te(this,"children");te(this,"isEscaped",!0);te(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?Xg(_t(t[0],t.callbacks)).toString():t[0]:Yg(t,t.callbacks)}toStringToBuffer(t){const 
e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ri&&Ar(ri)==="svg"?s=>v1(Gs(s)):s=>Gs(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let c="";im(a,(l,d)=>{d!=null&&(c+=`${c?";":""}${l}:${d}`)}),t[0]+=' style="',en(c,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,en(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&x1.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw"Can only set one of `children` or `props.dangerouslySetInnerHTML`.";r=[_t(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on"))throw`Invalid prop '${s}' of type 'function' supplied to '${e}'.`}else t[0]+=` ${s}="`,en(a.toString(),t),t[0]+='"'}if(b1.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",md(r,t),t[0]+=`</${e}>`}},ba=class extends yt{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(ur.length===0)t.unshift("",n);else{const r=ur.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof yt&&(i.localContexts=r),i)))}else n instanceof yt?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):en(n,t)}},sm=class extends yt{toStringToBuffer(t){md(this.children,t)}},k1=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=Gi(t,e,n);return i.key=r,i},Hp=!1,Gi=(t,e,n)=>{if(!Hp){for(const r in el)va[r][hd]=el[r];Hp=!0}return typeof t=="function"?new ba(t,e,n):va[t]?new ba(va[t],e,n):t==="svg"||t==="head"?(ri||(ri=d1("")),new yt(t,e,[new ba(ri,{value:t},n)])):new yt(t,e,n)},om=({children:t})=>new 
sm("",{children:t},Array.isArray(t)?t:t?[t]:[]),S1=(t,e,...n)=>k1(t.tag,{...t.props,...e},...n);function y(t,e,n){let r;if(!e||!("children"in e))r=Gi(t,e,[]);else{const i=e.children;r=Array.isArray(i)?Gi(t,e,i):Gi(t,e,[i])}return r.key=n,r}const Fp={name:"sesamy",logoUrl:"https://assets.sesamy.com/static/images/email/sesamy-logo.png",style:{primaryColor:"#7D68F4",buttonTextColor:"#FFFFFF",primaryHoverColor:"#A091F2"},loginBackgroundImage:"",checkoutHideSocial:!1,supportEmail:"support@sesamy.com",supportUrl:"https://support.sesamy.com",siteUrl:"https://sesamy.com",termsAndConditionsUrl:"https://store.sesamy.com/pages/terms-of-service",manageSubscriptionsUrl:"https://account.sesamy.com/manage-subscriptions"};async function _d(t,e,n){if(!n&&!e)return Fp;const r=n||e;try{const i=await fetch(`${t.API_URL}/profile/vendors/${r}/style`);if(!i.ok)throw new Error("Failed to fetch vendor settings");const s=await i.json();return uf.parse(s)}catch(i){return console.error(i),Fp}}async function Ee(t,e,n=!1){var d;const{env:r}=t,i=await r.data.loginSessions.get(t.var.tenant_id||"",e);if(i)i.session_id;else throw new I(400,{message:"Login session not found"});t.set("loginSession",i);const s=await Yo(r,i.authParams.client_id);t.set("client_id",s.id),t.set("tenant_id",s.tenant.id);const a=await r.data.tenants.get(s.tenant.id);if(a){if(i.session_id&&!n)throw new I(400,{message:"Login session closed"})}else throw new I(400,{message:"Tenant not found"});const c=await _d(r,s.id,i.authParams.vendor_id),l=(d=i.authParams.ui_locales)==null?void 0:d.split(" ").map(p=>p.split("-")[0]).find(p=>{if(Array.isArray(B.options.supportedLngs))return B.options.supportedLngs.includes(p)});return await B.changeLanguage(l||a.language||"sv"),{vendorSettings:{...c,termsAndConditionsUrl:s.id==="fokus-app"?"https://www.fokus.se/kopvillkor-app/":c.termsAndConditionsUrl},client:s,tenant:a,loginSession:i}}async function A1(t,e,n,r){if(r!==void 0)return r==="password";const i=await 
io({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});if(i){const a=await t.env.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,sort:{sort_by:"date",sort_order:"desc"},q:`type:${he.SUCCESS_LOGIN} user_id:${i.user_id}`}),[c]=a.logs.filter(l=>l.strategy&&["Username-Password-Authentication","passwordless","email"].includes(l.strategy));if(c)return c.strategy==="Username-Password-Authentication"}return(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const am=({vendorSettings:t})=>t!=null&&t.logoUrl?y("div",{className:"flex h-9 items-center",children:y("img",{src:t.logoUrl,className:"max-h-full",alt:"Vendor logo"})}):y(om,{}),cm=({vendorSettings:t})=>{const{termsAndConditionsUrl:e}=t;return y("div",{className:"mt-8",children:e&&y("div",{className:"text-xs text-gray-300",children:[B.t("agree_to")," ",y("a",{href:e,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:B.t("terms")})]})})};var lm={exports:{}};/*!
193
193
  Copyright (c) 2018 Jed Watson.
194
194
  Licensed under the MIT License (MIT), see
195
195
  http://jedwatson.github.io/classnames
@@ -7477,6 +7477,7 @@ export declare function init(config: AuthHeroConfig): {
7477
7477
  auth0Client?: string | undefined;
7478
7478
  scope?: string | undefined;
7479
7479
  login_ticket?: string | undefined;
7480
+ screen_hint?: string | undefined;
7480
7481
  code_challenge_method?: CodeChallengeMethod | undefined;
7481
7482
  realm?: string | undefined;
7482
7483
  code_challenge?: string | undefined;
@@ -7505,6 +7506,7 @@ export declare function init(config: AuthHeroConfig): {
7505
7506
  auth0Client?: string | undefined;
7506
7507
  scope?: string | undefined;
7507
7508
  login_ticket?: string | undefined;
7509
+ screen_hint?: string | undefined;
7508
7510
  code_challenge_method?: CodeChallengeMethod | undefined;
7509
7511
  realm?: string | undefined;
7510
7512
  code_challenge?: string | undefined;
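--- a/package/dist/authhero.mjs
+++ b/package/dist/authhero.mjs
@@ -5949,19 +5949,22 @@ function sy(t, e) {
  };
  }
  async function oy(t, e, n, r) {
- var i, s;
- if (e.disable_sign_ups && !(((s = (i = t.var.loginSession) == null ? void 0 : i.authParams) == null ? void 0 : s.prompt) === "signup") && !await Gs({
- userAdapter: n.users,
- tenant_id: e.tenant.id,
- email: r
- })) {
- const l = be(t, {
- type: _e.FAILED_SIGNUP,
- description: "Public signup is disabled"
- });
- throw await n.logs.create(e.tenant.id, l), new C(400, {
- message: "Signups are disabled for this client"
- });
+ var i;
+ if (e.disable_sign_ups) {
+ const s = (i = t.var.loginSession) == null ? void 0 : i.authorization_url;
+ if (!(s && new URL(s).searchParams.get("screen_hint") === "signup") && !await Gs({
+ userAdapter: n.users,
+ tenant_id: e.tenant.id,
+ email: r
+ })) {
+ const l = be(t, {
+ type: _e.FAILED_SIGNUP,
+ description: "Public signup is disabled"
+ });
+ throw await n.logs.create(e.tenant.id, l), new C(400, {
+ message: "Signups are disabled for this client"
+ });
+ }
  }
  await ry(t)(t.var.tenant_id || "", r);
  }
@@ -19404,7 +19407,7 @@ async function nd(t, { to: e, code: n, authParams: r, connection: i }) {
  if (!r.redirect_uri)
  throw new C(400, { message: "redirect_uri is required" });
  const o = new URL(Te(t.env));
- o.pathname = "passwordless/verify_redirect", o.searchParams.set("verification_code", n), o.searchParams.set("connection", i), o.searchParams.set("client_id", r.client_id), o.searchParams.set("redirect_uri", r.redirect_uri), o.searchParams.set("username", e), r.response_type && o.searchParams.set("response_type", r.response_type), r.scope && o.searchParams.set("scope", r.scope), r.state && o.searchParams.set("state", r.state), r.nonce && o.searchParams.set("nonce", r.nonce), r.code_challenge && o.searchParams.set("code_challenge", r.code_challenge), r.code_challenge_method && o.searchParams.set(
+ o.pathname = "passwordless/verify_redirect", o.searchParams.set("verification_code", n), o.searchParams.set("connection", i), o.searchParams.set("client_id", r.client_id), o.searchParams.set("redirect_uri", r.redirect_uri), o.searchParams.set("email", e), r.response_type && o.searchParams.set("response_type", r.response_type), r.scope && o.searchParams.set("scope", r.scope), r.state && o.searchParams.set("state", r.state), r.nonce && o.searchParams.set("nonce", r.nonce), r.code_challenge && o.searchParams.set("code_challenge", r.code_challenge), r.code_challenge_method && o.searchParams.set(
  "code_challenge_method",
  r.code_challenge_method
  ), r.audience && o.searchParams.set("audience", r.audience);
@@ -20277,6 +20280,10 @@ const Lb = new ae().openapi(
  auth0Client: a.string().optional(),
  organization: a.string().optional(),
  login_hint: a.string().optional(),
+ screen_hint: a.string().openapi({
+ example: "signup",
+ description: 'Optional hint for the screen to show, like "signup" or "login".'
+ }).optional(),
  ui_locales: a.string().optional()
  })
  },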
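Review bot: In `oy`, the `disable_sign_ups` check is skipped whenever the stored `authorization_url` carries `screen_hint=signup`, and the last hunk of this file accepts `screen_hint` as a free-form optional query string on the authorize route, so the exemption seems to depend on a value the requester controls rather than on anything the server issued. If the exemption is meant for invited users only, it should be bound to server-side state (an invitation or ticket record) and `screen_hint` kept as a pure UI hint; whether `authorization_url` is stored verbatim from the request is not visible here, so please confirm. `new URL(s)` also throws on a malformed stored value, which would escape as an unhandled error instead of the 400 raised below; guarding it, e.g. `const hint = URL.canParse(s) ? new URL(s).searchParams.get("screen_hint") : null;`, keeps the failure path consistent. A comment above the condition stating why the hint lifts the restriction would help the next reader.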
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "authhero",
3
- "version": "0.110.0",
3
+ "version": "0.112.0",
4
4
  "files": [
5
5
  "dist"
6
6
  ],