npm - authhero - Versions diffs - 0.221.0 → 0.222.0 - Mend

authhero 0.221.0 → 0.222.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/authhero.cjs CHANGED Viewed

@@ -194,7 +194,7 @@ In order to be iterable, non-array objects must have a [Symbol.iterator]() metho
 In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function BA(t,e){if(t){if(typeof t=="string")return Sg(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);if(n==="Object"&&t.constructor&&(n=t.constructor.name),n==="Map"||n==="Set")return Array.from(t);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return Sg(t,e)}}function Sg(t,e){(e==null||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function kg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function Ng(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?kg(Object(n),!0).forEach(function(r){LA(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):kg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function LA(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}var Cg={formatExtension:function(e,n,r){return"".concat(e).concat(r.ext()).concat(n)}};function FA(t,e,n,r){if(n?n=Ng(Ng({},Cg),n):n=Cg,r=new $t(r),t.country&&t.country!=="001"){if(!r.hasCountry(t.country))throw new Error("Unknown country: ".concat(t.country));r.country(t.country)}else if(t.countryCallingCode)r.selectNumberingPlan(t.countryCallingCode);else return t.phone||"";var i=r.countryCallingCode(),s=n.v2?t.nationalNumber:t.phone,a;switch(e){case"NATIONAL":return s?(a=vc(s,t.carrierCode,"NATIONAL",r,n),uu(a,t.ext,r,n.formatExtension)):"";case"INTERNATIONAL":return s?(a=vc(s,null,"INTERNATIONAL",r,n),a="+".concat(i," ").concat(a),uu(a,t.ext,r,n.formatExtension)):"+".concat(i);case"E.164":return"+".concat(i).concat(s);case"RFC3966":return jA({number:"+".concat(i).concat(s),ext:t.ext});case"IDD":if(!n.fromCountry)return;var l=MA(s,t.carrierCode,i,n.fromCountry,r);return uu(l,t.ext,r,n.formatExtension);default:throw new Error('Unknown "format" argument passed to "formatNumber()": "'.concat(e,'"'))}}function vc(t,e,n,r,i){var s=UA(r.formats(),t);return s?EA(t,s,{useInternationalFormat:n==="INTERNATIONAL",withNationalPrefix:!(s.nationalPrefixIsOptionalWhenFormattingInNationalFormat()&&i&&i.nationalPrefix===!1),carrierCode:e,metadata:r}):t}function UA(t,e){for(var n=PA(t),r;!(r=n()).done;){var i=r.value;if(i.leadingDigitsPatterns().length>0){var s=i.leadingDigitsPatterns()[i.leadingDigitsPatterns().length-1];if(e.search(s)!==0)continue}if(Zn(e,i.pattern()))return i}}function uu(t,e,n,r){return e?r(t,e,n):t}function MA(t,e,n,r,i){var s=Cf(r,i.metadata);if(s===n){var a=vc(t,e,"NATIONAL",i);return n==="1"?n+" "+a:a}var l=kA(r,void 0,i.metadata);if(l)return"".concat(l," ").concat(n," ").concat(vc(t,null,"INTERNATIONAL",i))}function zg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function Ig(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?zg(Object(n),!0).forEach(function(r){qA(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):zg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function qA(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function VA(t,e){if(!(t instanceof e))throw new TypeError("Cannot call a class as a function")}function HA(t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(t,r.key,r)}}function KA(t,e,n){return e&&HA(t.prototype,e),Object.defineProperty(t,"prototype",{writable:!1}),t}var GA=function(){function t(e,n,r){if(VA(this,t),!e)throw new TypeError("First argument is required");if(typeof e!="string")throw new TypeError("First argument must be a string");if(typeof e=="string"){if(e[0]==="+"&&!n)throw new TypeError("`metadata` argument not passed");if(Oi(n)&&Oi(n.countries)){r=n;var i=e;if(!JA.test(i))throw new Error('Invalid `number` argument passed: must consist of a "+" followed by digits');var s=hy(i,void 0,void 0,r),a=s.countryCallingCode,l=s.number;if(n=l,e=a,!n)throw new Error("Invalid `number` argument passed: too short")}}if(!n)throw new TypeError("`nationalNumber` argument is required");if(typeof n!="string")throw new TypeError("`nationalNumber` argument must be a string");dy(r);var u=XA(e,r),d=u.country,p=u.countryCallingCode;this.country=d,this.countryCallingCode=p,this.nationalNumber=n,this.number="+"+this.countryCallingCode+this.nationalNumber,this.getMetadata=function(){return r}}return KA(t,[{key:"setExt",value:function(n){this.ext=n}},{key:"getPossibleCountries",value:function(){return this.country?[this.country]:aA(this.countryCallingCode,this.nationalNumber,this.getMetadata())}},{key:"isPossible",value:function(){return nA(this,{v2:!0},this.getMetadata())}},{key:"isValid",value:function(){return sA(this,{v2:!0},this.getMetadata())}},{key:"isNonGeographic",value:function(){var n=new $t(this.getMetadata());return n.isNonGeographicCallingCode(this.countryCallingCode)}},{key:"isEqual",value:function(n){return this.number===n.number&&this.ext===n.ext}},{key:"getType",value:function(){return If(this,{v2:!0},this.getMetadata())}},{key:"format",value:function(n,r){return FA(this,n,r?Ig(Ig({},r),{},{v2:!0}):{v2:!0},this.getMetadata())}},{key:"formatNational",value:function(n){return this.format("NATIONAL",n)}},{key:"formatInternational",value:function(n){return this.format("INTERNATIONAL",n)}},{key:"getURI",value:function(n){return this.format("RFC3966",n)}}]),t}(),WA=function(e){return/^[A-Z]{2}$/.test(e)};function XA(t,e){var n,r,i=new $t(e);return WA(t)?(n=t,i.selectNumberingPlan(n),r=i.countryCallingCode()):r=t,{country:n,countryCallingCode:r}}var JA=/^\+\d+$/;function ip(t){"@babel/helpers - typeof";return ip=typeof Symbol=="function"&&typeof Symbol.iterator=="symbol"?function(e){return typeof e}:function(e){return e&&typeof Symbol=="function"&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},ip(t)}function YA(t,e,n){return Object.defineProperty(t,"prototype",{writable:!1}),t}function ZA(t,e){if(!(t instanceof e))throw new TypeError("Cannot call a class as a function")}function QA(t,e){if(typeof e!="function"&&e!==null)throw new TypeError("Super expression must either be null or a function");t.prototype=Object.create(e&&e.prototype,{constructor:{value:t,writable:!0,configurable:!0}}),Object.defineProperty(t,"prototype",{writable:!1}),e&&Qo(t,e)}function eE(t){var e=_y();return function(){var r=es(t),i;if(e){var s=es(this).constructor;i=Reflect.construct(r,arguments,s)}else i=r.apply(this,arguments);return tE(this,i)}}function tE(t,e){if(e&&(ip(e)==="object"||typeof e=="function"))return e;if(e!==void 0)throw new TypeError("Derived constructors may only return object or undefined");return my(t)}function my(t){if(t===void 0)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return t}function op(t){var e=typeof Map=="function"?new Map:void 0;return op=function(r){if(r===null||!nE(r))return r;if(typeof r!="function")throw new TypeError("Super expression must either be null or a function");if(typeof e<"u"){if(e.has(r))return e.get(r);e.set(r,i)}function i(){return pa(r,arguments,es(this).constructor)}return i.prototype=Object.create(r.prototype,{constructor:{value:i,enumerable:!1,writable:!0,configurable:!0}}),Qo(i,r)},op(t)}function pa(t,e,n){return _y()?pa=Reflect.construct:pa=function(i,s,a){var l=[null];l.push.apply(l,s);var u=Function.bind.apply(i,l),d=new u;return a&&Qo(d,a.prototype),d},pa.apply(null,arguments)}function _y(){if(typeof Reflect>"u"||!Reflect.construct||Reflect.construct.sham)return!1;if(typeof Proxy=="function")return!0;try{return Boolean.prototype.valueOf.call(Reflect.construct(Boolean,[],function(){})),!0}catch{return!1}}function nE(t){return Function.toString.call(t).indexOf("[native code]")!==-1}function Qo(t,e){return Qo=Object.setPrototypeOf||function(r,i){return r.__proto__=i,r},Qo(t,e)}function es(t){return es=Object.setPrototypeOf?Object.getPrototypeOf:function(n){return n.__proto__||Object.getPrototypeOf(n)},es(t)}var Un=function(t){QA(n,t);var e=eE(n);function n(r){var i;return ZA(this,n),i=e.call(this,r),Object.setPrototypeOf(my(i),n.prototype),i.name=i.constructor.name,i}return YA(n)}(op(Error)),Tg=new RegExp("(?:"+gy()+")$","i");function rE(t){var e=t.search(Tg);if(e<0)return{};for(var n=t.slice(0,e),r=t.match(Tg),i=1;i<r.length;){if(r[i])return{number:n,ext:r[i]};i++}}var iE={0:"0",1:"1",2:"2",3:"3",4:"4",5:"5",6:"6",7:"7",8:"8",9:"9","０":"0","１":"1","２":"2","３":"3","４":"4","５":"5","６":"6","７":"7","８":"8","９":"9","٠":"0","١":"1","٢":"2","٣":"3","٤":"4","٥":"5","٦":"6","٧":"7","٨":"8","٩":"9","۰":"0","۱":"1","۲":"2","۳":"3","۴":"4","۵":"5","۶":"6","۷":"7","۸":"8","۹":"9"};function oE(t){return iE[t]}function sE(t,e){var n=typeof Symbol<"u"&&t[Symbol.iterator]||t["@@iterator"];if(n)return(n=n.call(t)).next.bind(n);if(Array.isArray(t)||(n=aE(t))||e){n&&(t=n);var r=0;return function(){return r>=t.length?{done:!0}:{done:!1,value:t[r++]}}}throw new TypeError(`Invalid attempt to iterate non-iterable instance.
 In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function aE(t,e){if(t){if(typeof t=="string")return Og(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);if(n==="Object"&&t.constructor&&(n=t.constructor.name),n==="Map"||n==="Set")return Array.from(t);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return Og(t,e)}}function Og(t,e){(e==null||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function Dg(t){for(var e="",n=sE(t.split("")),r;!(r=n()).done;){var i=r.value;e+=cE(i,e)||""}return e}function cE(t,e,n){return t==="+"?e?void 0:"+":oE(t)}function lE(t,e){var n=typeof Symbol<"u"&&t[Symbol.iterator]||t["@@iterator"];if(n)return(n=n.call(t)).next.bind(n);if(Array.isArray(t)||(n=uE(t))||e){n&&(t=n);var r=0;return function(){return r>=t.length?{done:!0}:{done:!1,value:t[r++]}}}throw new TypeError(`Invalid attempt to iterate non-iterable instance.
 In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function uE(t,e){if(t){if(typeof t=="string")return Rg(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);if(n==="Object"&&t.constructor&&(n=t.constructor.name),n==="Map"||n==="Set")return Array.from(t);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return Rg(t,e)}}function Rg(t,e){(e==null||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function dE(t,e){var n=e.countries,r=e.metadata;r=new $t(r);for(var i=lE(n),s;!(s=i()).done;){var a=s.value;if(r.country(a),r.leadingDigits()){if(t&&t.search(r.leadingDigits())===0)return a}else if(If({phone:t,country:a},void 0,r.metadata))return a}}function pE(t,e){var n=e.nationalNumber,r=e.defaultCountry,i=e.metadata,s=i.getCountryCodesForCallingCode(t);if(s)return s.length===1?s[0]:dE(n,{countries:s,defaultCountry:r,metadata:i.metadata})}var yy="+",fE="[\\-\\.\\(\\)]?",jg="(["+_n+"]|"+fE+")",hE="^\\"+yy+jg+"*["+_n+"]"+jg+"*$",gE=new RegExp(hE,"g"),sp=_n,mE="["+sp+"]+((\\-)*["+sp+"])*",_E="a-zA-Z",yE="["+_E+"]+((\\-)*["+sp+"])*",wE="^("+mE+"\\.)*"+yE+"\\.?$",vE=new RegExp(wE,"g"),Pg="tel:",ap=";phone-context=",bE=";isub=";function $E(t){var e=t.indexOf(ap);if(e<0)return null;var n=e+ap.length;if(n>=t.length)return"";var r=t.indexOf(";",n);return r>=0?t.substring(n,r):t.substring(n)}function xE(t){return t===null?!0:t.length===0?!1:gE.test(t)||vE.test(t)}function AE(t,e){var n=e.extractFormattedPhoneNumber,r=$E(t);if(!xE(r))throw new Un("NOT_A_NUMBER");var i;if(r===null)i=n(t)||"";else{i="",r.charAt(0)===yy&&(i+=r);var s=t.indexOf(Pg),a;s>=0?a=s+Pg.length:a=0;var l=t.indexOf(ap);i+=t.substring(a,l)}var u=i.indexOf(bE);if(u>0&&(i=i.substring(0,u)),i!=="")return i}var EE=250,SE=new RegExp("["+Of+_n+"]"),kE=new RegExp("[^"+_n+"#]+$");function NE(t,e,n){if(e=e||{},n=new $t(n),e.defaultCountry&&!n.hasCountry(e.defaultCountry))throw e.v2?new Un("INVALID_COUNTRY"):new Error("Unknown country: ".concat(e.defaultCountry));var r=zE(t,e.v2,e.extract),i=r.number,s=r.ext,a=r.error;if(!i){if(e.v2)throw a==="TOO_SHORT"?new Un("TOO_SHORT"):new Un("NOT_A_NUMBER");return{}}var l=TE(i,e.defaultCountry,e.defaultCallingCode,n),u=l.country,d=l.nationalNumber,p=l.countryCallingCode,h=l.countryCallingCodeSource,g=l.carrierCode;if(!n.hasSelectedNumberingPlan()){if(e.v2)throw new Un("INVALID_COUNTRY");return{}}if(!d||d.length<Tf){if(e.v2)throw new Un("TOO_SHORT");return{}}if(d.length>lA){if(e.v2)throw new Un("TOO_LONG");return{}}if(e.v2){var b=new GA(p,d,n.metadata);return u&&(b.country=u),g&&(b.carrierCode=g),s&&(b.ext=s),b.__countryCallingCodeSource=h,b}var x=(e.extended?n.hasSelectedNumberingPlan():u)?Zn(d,n.nationalNumberPattern()):!1;return e.extended?{country:u,countryCallingCode:p,carrierCode:g,valid:x,possible:x?!0:!!(e.extended===!0&&n.possibleLengths()&&fy(d,n)),phone:d,ext:s}:x?IE(u,d,s):{}}function CE(t,e,n){if(t){if(t.length>EE){if(n)throw new Un("TOO_LONG");return}if(e===!1)return t;var r=t.search(SE);if(!(r<0))return t.slice(r).replace(kE,"")}}function zE(t,e,n){var r=AE(t,{extractFormattedPhoneNumber:function(a){return CE(a,n,e)}});if(!r)return{};if(!DA(r))return RA(r)?{error:"TOO_SHORT"}:{};var i=rE(r);return i.ext?i:{number:r}}function IE(t,e,n){var r={country:t,phone:e};return n&&(r.ext=n),r}function TE(t,e,n,r){var i=hy(Dg(t),e,n,r.metadata),s=i.countryCallingCodeSource,a=i.countryCallingCode,l=i.number,u;if(a)r.selectNumberingPlan(a);else if(l&&(e||n))r.selectNumberingPlan(e,n),e&&(u=e),a=n||Cf(e,r.metadata);else return{};if(!l)return{countryCallingCodeSource:s,countryCallingCode:a};var d=rp(Dg(l),r),p=d.nationalNumber,h=d.carrierCode,g=pE(a,{nationalNumber:p,defaultCountry:e,metadata:r});return g&&(u=g,g==="001"||r.country(u)),{country:u,countryCallingCode:a,countryCallingCodeSource:s,nationalNumber:p,carrierCode:h}}function Bg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function Lg(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?Bg(Object(n),!0).forEach(function(r){OE(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):Bg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function OE(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function DE(t,e,n){return NE(t,Lg(Lg({},e),{},{v2:!0}),n)}function Fg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function RE(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?Fg(Object(n),!0).forEach(function(r){jE(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):Fg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function jE(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function PE(t,e){return UE(t)||FE(t,e)||LE(t,e)||BE()}function BE(){throw new TypeError(`Invalid attempt to destructure non-iterable instance.
-In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function LE(t,e){if(t){if(typeof t=="string")return Ug(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);if(n==="Object"&&t.constructor&&(n=t.constructor.name),n==="Map"||n==="Set")return Array.from(t);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return Ug(t,e)}}function Ug(t,e){(e==null||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function FE(t,e){var n=t==null?null:typeof Symbol<"u"&&t[Symbol.iterator]||t["@@iterator"];if(n!=null){var r=[],i=!0,s=!1,a,l;try{for(n=n.call(t);!(i=(a=n.next()).done)&&(r.push(a.value),!(e&&r.length===e));i=!0);}catch(u){s=!0,l=u}finally{try{!i&&n.return!=null&&n.return()}finally{if(s)throw l}}return r}}function UE(t){if(Array.isArray(t))return t}function ME(t){var e=Array.prototype.slice.call(t),n=PE(e,4),r=n[0],i=n[1],s=n[2],a=n[3],l,u,d;if(typeof r=="string")l=r;else throw new TypeError("A text for parsing must be a string.");if(!i||typeof i=="string")a?(u=s,d=a):(u=void 0,d=s),i&&(u=RE({defaultCountry:i},u));else if(Oi(i))s?(u=i,d=s):d=i;else throw new Error("Invalid second argument: ".concat(i));return{text:l,options:u,metadata:d}}function Mg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function qg(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?Mg(Object(n),!0).forEach(function(r){qE(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):Mg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function qE(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function VE(t,e,n){e&&e.defaultCountry&&!eA(e.defaultCountry,n)&&(e=qg(qg({},e),{},{defaultCountry:void 0}));try{return DE(t,e,n)}catch(r){if(!(r instanceof Un))throw r}}function HE(){var t=ME(arguments),e=t.text,n=t.options,r=t.metadata;return VE(e,n,r)}function KE(){return V5(HE,arguments)}function Bl(t,e="US"){const n=t.trim();if(n.includes("@")){const r=n.toLowerCase(),i=/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);return{connectionType:"email",normalized:i?r:null,isValid:i}}else if(/^\+?\d[\d\s\-().]*$/.test(n)){const r=KE(n,{defaultCountry:e});return r&&r.isValid()?{connectionType:"sms",normalized:r.number,isValid:!0}:{connectionType:"sms",normalized:null,isValid:!1}}else return{connectionType:"username",normalized:n,isValid:!0}}function Df(t){let e=t.trim();e.startsWith("[")&&e.endsWith("]")&&(e=e.slice(1,-1));const n=e.indexOf("%");return n!==-1&&(e=e.slice(0,n)),e}function GE(t){const n=Df(t).split(".");return n.length!==4?!1:n.every(r=>/^\d+$/.test(r)&&Number(r)>=0&&Number(r)<=255)}function WE(t){const e=Df(t);if(e.length<2||e.indexOf(":")===-1||!/^[0-9a-fA-F:.]+$/.test(e))return!1;const n=e.split(":");return e.includes("::")?n.length<=8:n.length===8}function XE(t){let e=t.trim();const n=/^\[([^\]]+)\](?::\d+)?$/,r=e.match(n);if(r&&r[1])return r[1];const i=e.lastIndexOf(":");if(i!==-1){const s=e.slice(0,i),a=e.slice(i+1);/^[0-9.]+$/.test(s)&&/^\d+$/.test(a)&&(e=s)}return e}function Vg(t){if(!t)return null;const e=Df(XE(t));return GE(e)?{family:4,normalized:e}:WE(e)?{family:6,normalized:e.toLowerCase()}:null}function Hg(t){if(t.includes("::")){let[e,n]=t.split("::"),r=e?e.split(":").filter(Boolean):[],i=n?n.split(":").filter(Boolean):[],s=8-(r.length+i.length);return[...r.map(a=>a.toLowerCase()||"0"),...Array(s).fill("0"),...i.map(a=>a.toLowerCase()||"0")]}else return t.split(":").map(e=>e.toLowerCase()||"0")}function JE(t,e,n=!0){const r=Vg(t),i=Vg(e);if(!r||!i||r.family!==i.family)return!1;if(r.family===4)return r.normalized===i.normalized;const s=Hg(r.normalized),a=Hg(i.normalized);return n?s.length===8&&a.length===8&&s.join(":")===a.join(":"):s.slice(0,4).join(":")===a.slice(0,4).join(":")}class oi extends Error{constructor(n,r=302){super(`Redirect to ${n}`);be(this,"location");be(this,"status");this.name=oi.name,this.location=n,this.status=r}}const YE=o.z.object({client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),otp:o.z.string(),authParams:jo.optional(),enforceIpCheck:o.z.boolean().optional().default(!1)});async function wy(t,{client_id:e,username:n,otp:r,authParams:i,enforceIpCheck:s=!1}){const a=t.get("ip"),l=t.get("countryCode"),{connectionType:u,normalized:d}=Bl(n,l);if(!d)throw new E(400,{message:"Invalid username format"});const p=await t.env.data.legacyClients.get(e);if(!p)throw new E(403,{message:"Client not found"});const{env:h}=t,g=await h.data.codes.get(p.tenant.id,r,"otp");if(!g)throw new E(400,{message:xe("code_invalid")});if(g.expires_at<new Date().toISOString())throw new E(400,{message:xe("code_expired")});if(g.used_at)throw new E(400,{message:xe("code_used")});const b=await h.data.loginSessions.get(p.tenant.id,g.login_id);if(!b||b.authParams.username!==n)throw new E(400,{message:"Code not found or expired"});if(s&&b.ip&&a&&!JE(b.ip,a))throw new oi(`${dt(t.env)}invalid-session?state=${b.id}`);const x=await Bc(t,{client:p,username:d,provider:u,connection:u,isSocial:!1,ip:t.var.ip});return await h.data.codes.used(p.tenant.id,r),{user:x,client:p,loginSession:b,session_id:b.session_id,authParams:{...b.authParams,...i||{}}}}async function Rf(t,e){const n=await wy(t,e);return Dn(t,{authParams:n.authParams,client:n.client,user:n.user,loginSession:n.loginSession,strategy:"email"})}const Kg=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),ZE=o.z.union([uy.extend(Kg.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Kg.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()}),o.z.object({grant_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),client_id:o.z.string(),username:o.z.string(),otp:o.z.string(),realm:o.z.enum(["email","sms"])})]);function QE(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const e8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:ZE}}}},responses:{200:{content:{"application/json":{schema:xp}},description:"Tokens"},302:{description:"Redirect for further user interaction (e.g., MFA, consent).",headers:o.z.object({Location:o.z.string().url()}).openapi({})},400:{description:"Bad Request - The request was malformed or invalid.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},401:{description:"Unauthorized - Client authentication failed.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},403:{description:"Forbidden - User is not a member of the required organization.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}}}}),async t=>{var l,u,d,p,h;const e=t.req.valid("form"),n=QE(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new E(400,{message:"client_id is required"});t.set("client_id",r.client_id);let i;switch(e.grant_type){case an.AuthorizationCode:i=await F5(t,L5.parse(r));break;case an.ClientCredential:i=await B5(t,uy.parse(r));break;case an.RefreshToken:i=await M5(t,U5.parse(r));break;case an.OTP:i=await wy(t,YE.parse(r));break;default:return t.json({error:"unsupported_grant_type",error_description:"Grant type not implemented"},400)}const s=new Headers;if(i.session_id){const g=Ra(i.client.tenant.id,i.session_id,t.var.host||"");s.set("Set-Cookie",g)}if(i.authParams.audience)try{let g;if(e.grant_type===an.ClientCredential)g=await ja(t,{grantType:an.ClientCredential,tenantId:i.client.tenant.id,clientId:i.client.client_id,audience:i.authParams.audience,requestedScopes:((l=i.authParams.scope)==null?void 0:l.split(" "))||[],organizationId:(u=i.organization)==null?void 0:u.id});else{if(!((d=i.user)!=null&&d.user_id))throw new Po(400,{error:"invalid_request",error_description:"User ID is required for user-based grants"});g=await ja(t,{grantType:e.grant_type,tenantId:i.client.tenant.id,userId:i.user.user_id,clientId:i.client.client_id,audience:i.authParams.audience,requestedScopes:((p=i.authParams.scope)==null?void 0:p.split(" "))||[],organizationId:(h=i.organization)==null?void 0:h.id})}i.authParams.scope=g.scopes.join(" ")}catch(g){if(g instanceof E)throw g;console.error("Error calculating scopes and permissions:",g)}const a=await Pc(t,{...i,grantType:e.grant_type});return t.json(a,{headers:s})});var jf={exports:{}};const Pf=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],vy=(t,e=Pf,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(l=>new RegExp(`${l.regex}`).test(r)).map(l=>l.message),s.length=r.length;let a=e.filter(l=>s.contains.length>=l.minDiversity).filter(l=>s.length>=l.minLength).sort((l,u)=>u.id-l.id).map(l=>({id:l.id,value:l.value}));return Object.assign(s,a[0]),s};jf.exports={passwordStrength:vy,defaultOptions:Pf};var t8=jf.exports.passwordStrength=vy;jf.exports.defaultOptions=Pf;function Bf(t){return t8(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Cs(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new E(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new E(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function by(t,e){var a,l;if(!t.var.client_id)throw new E(500,{message:"Client not found"});const n=await fo(t.env,t.var.client_id),r=n.connections.find(u=>u.strategy==="sms");if(!r)throw new E(500,{message:"SMS provider not found"});const i=((a=r.options)==null?void 0:a.provider)||"twilio",s=(l=t.env.smsProviders)==null?void 0:l[i];if(!s)throw new E(500,{message:"SMS provider not found"});await s({options:r.options,to:e.to,from:e.from,text:e.text,template:"auth-code",data:{code:e.code,tenantName:n.tenant.name,tenantId:n.tenant.id}})}async function $y(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});const s=`${dt(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Cs(t,{to:e,subject:xe("reset_password_title",a),html:`Click here to reset your password: ${dt(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:xe("password_reset_title",a),resetPasswordEmailClickToReset:xe("reset_password_email_click_to_reset",a),resetPasswordEmailReset:xe("reset_password_email_reset",a),supportInfo:xe("support_info",a),contactUs:xe("contact_us",a),copyright:xe("copyright",a),tenantName:i.name,tenantId:i.id}})}async function Lf(t,{to:e,code:n}){const r=await t.env.data.tenants.get(t.var.tenant_id);if(!r)throw new E(500,{message:"Tenant not found"});const{connectionType:i}=Bl(e),s=new URL(dt(t.env)),a={vendorName:r.name,vendorId:r.id,loginDomain:s.hostname,code:n,lng:r.language||"en"};i==="email"?await Cs(t,{to:e,subject:xe("code_email_subject",a),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:r.name,logo:r.logo||"",supportUrl:r.support_url||"",buttonColor:r.primary_color||"",welcomeToYourAccount:xe("welcome_to_your_account",a),linkEmailClickToLogin:xe("link_email_click_to_login",a),linkEmailLogin:xe("link_email_login",a),linkEmailOrEnterCode:xe("link_email_or_enter_code",a),codeValid30Mins:xe("code_valid_30_minutes",a),supportInfo:xe("support_info",a),contactUs:xe("contact_us",a),copyright:xe("copyright",a)}}):i==="sms"&&await by(t,{to:e,text:xe("sms_code_text",a),code:n,from:r.name});const l=Me(t,{type:Le.CODE_LINK_SENT,description:e});ln(t,t.env.data.logs.create(r.id,l))}async function Ff(t,{to:e,code:n,authParams:r}){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new E(400,{message:"redirect_uri is required"});const{connectionType:s}=Bl(e),a=new URL(ct(t.env));a.pathname="passwordless/verify_redirect",a.searchParams.set("verification_code",n),a.searchParams.set("connection",s),a.searchParams.set("client_id",r.client_id),a.searchParams.set("redirect_uri",r.redirect_uri),a.searchParams.set("email",e),r.response_type&&a.searchParams.set("response_type",r.response_type),r.scope&&a.searchParams.set("scope",r.scope),r.state&&a.searchParams.set("state",r.state),r.nonce&&a.searchParams.set("nonce",r.nonce),r.code_challenge&&a.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&a.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&a.searchParams.set("audience",r.audience);const l={vendorName:i.name,code:n,lng:i.language||"en"};if(s==="email")await Cs(t,{to:e,subject:xe("code_email_subject",l),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:a.toString(),buttonColor:i.primary_color||"",welcomeToYourAccount:xe("welcome_to_your_account",l),linkEmailClickToLogin:xe("link_email_click_to_login",l),linkEmailLogin:xe("link_email_login",l),linkEmailOrEnterCode:xe("link_email_or_enter_code",l),codeValid30Mins:xe("code_valid_30_minutes",l),supportInfo:xe("support_info",l),contactUs:xe("contact_us",l),copyright:xe("copyright",l)}});else if(s==="sms")await by(t,{to:e,text:`${xe("link_sms_login",l)}: ${a.toString()}`,code:n,from:i.name});else throw new E(400,{message:"Only email and SMS connections are supported for magic links"});const u=Me(t,{type:Le.CODE_LINK_SENT,description:e});ln(t,t.env.data.logs.create(i.id,u))}async function Uf(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new E(500,{message:"Tenant not found"});if(!e.email)throw new E(400,{message:"User has no email"});const r={vendorName:n.name,lng:n.language||"en"};await Cs(t,{to:e.email,subject:xe("welcome_to_your_account",r),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${dt(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:xe("welcome_to_your_account",r),verifyEmailVerify:xe("verify_email_verify",r),supportInfo:xe("support_info",r),contactUs:xe("contact_us",r),copyright:xe("copyright",r)}})}async function n8(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${dt(t.env)}signup?state=${r}&code=${n}`;await Cs(t,{to:e,subject:xe("register_password_account",s),html:`Click here to register: ${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:xe("set_password",s),registerPasswordAccount:xe("register_password_account",s),clickToSignUpDescription:xe("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:xe("welcome_to_your_account",s),verifyEmailVerify:xe("verify_email_verify",s),supportInfo:xe("support_info",s),contactUs:xe("contact_us",s),copyright:xe("copyright",s)}})}const r8=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string().optional(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.legacyClients.get(r);if(!i)throw new E(400,{message:"Client not found"});if(t.set("client_id",i.client_id),t.set("tenant_id",i.tenant.id),!Bf(n))throw new E(400,{message:"Password does not meet the requirements"});if(await Bo({userAdapter:t.env.data.users,tenant_id:i.tenant.id,username:e,provider:"auth2"}))throw new E(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Dc()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const l=await as.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:l,algorithm:"bcrypt"}),await Uf(t,a);const u=Me(t,{type:Le.SUCCESS_SIGNUP,description:"Successful signup"});return await t.env.data.logs.create(i.tenant.id,u),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.legacyClients.get(n);if(!r)throw new E(400,{message:"Client not found"});if(t.set("client_id",r.client_id),t.set("tenant_id",r.tenant.id),!await eo({userAdapter:t.env.data.users,tenant_id:r.tenant.id,username:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:s,csrf_token:Ke(),ip:t.get("ip"),useragent:t.get("useragent"),auth0Client:Yn(t.get("auth0_client"))});return await $y(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Ar(){const t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}const i8=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({connection:o.z.literal("email"),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:jo.omit({client_id:!0})}),o.z.object({client_id:o.z.string(),connection:o.z.literal("sms"),phone_number:o.z.string(),send:o.z.enum(["link","code"]),authParams:jo.omit({client_id:!0})})])}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,send:i,authParams:s,connection:a}=e,l=await t.env.data.legacyClients.get(r);if(!l)throw new E(400,{message:"Client not found"});t.set("client_id",l.client_id),t.set("tenant_id",l.tenant.id);const u=a==="email"?e.email:e.phone_number,d=t.get("ip"),p=t.get("useragent"),h=t.get("auth0_client"),g=Yn(h),b=await n.data.loginSessions.create(l.tenant.id,{authParams:{...s,client_id:r,username:u},expires_at:new Date(Date.now()+oa).toISOString(),csrf_token:Ke(),ip:d,useragent:p,auth0Client:g}),x=await n.data.codes.create(l.tenant.id,{code_id:Ar(),code_type:"otp",login_id:b.id,expires_at:new Date(Date.now()+oa).toISOString(),redirect_uri:s.redirect_uri});return i==="link"?await Ff(t,{to:u,code:x.code_id,authParams:{...s,client_id:r}}):await Lf(t,{to:u,code:x.code_id}),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(Yt),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Successful verification, redirecting to continue flow.",headers:o.z.object({Location:o.z.string().url()}).openapi({})},400:{description:"Bad Request (e.g., invalid client, invalid code, missing parameters).",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},500:{description:"Internal Server Error.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:l,audience:u,response_type:d,nonce:p}=t.req.valid("query"),h=await fo(e,n);t.set("client_id",h.client_id),t.set("tenant_id",h.tenant.id),t.set("connection","email");const g={client_id:n,redirect_uri:s,state:a,nonce:p,scope:l,audience:u,response_type:d};let b="Something went wrong. Please try again later.";try{const M=await Rf(t,{client_id:n,username:r,otp:i,authParams:g,enforceIpCheck:!0});if(M instanceof Response)return M;if(M&&typeof M=="object"&&"access_token"in M)return t.json(M)}catch(M){const U=M;"message"in U&&typeof U.message=="string"&&(b=U.message)}const x=t.get("ip"),C=t.get("useragent"),T=t.get("auth0_client"),O=Yn(T),A=await e.data.loginSessions.create(h.tenant.id,{authParams:{...g,username:r},expires_at:new Date(Date.now()+oa).toISOString(),csrf_token:Ke(),ip:x,useragent:C,auth0Client:O});return t.redirect(`${dt(t.env)}invalid-session?state=${A.id}&error=${encodeURIComponent(b)}`,302)});class $i extends E{constructor(n,r){super(n,r);be(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function xy(t,e,n,r){const{data:i}=t.env,{username:s}=n;if(t.set("username",s),!s)throw new E(400,{message:"Username is required"});const a=await eo({userAdapter:t.env.data.users,tenant_id:e.tenant.id,username:s,provider:"auth2"});if(!a){const b=Me(t,{type:Le.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=a.linked_to?await i.users.get(e.tenant.id,a.linked_to):a;if(!l)throw new $i(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",a.connection),t.set("user_id",l.user_id);const u=await i.passwords.get(e.tenant.id,a.user_id);if(!(u&&await as.compare(n.password,u.password))){const b=Me(t,{type:Le.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await i.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(b=>b.type===Le.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(b.date)>new Date(Date.now()-1e3*60*5)).length>=3){const b=Me(t,{type:Le.FAILED_LOGIN,description:"Too many failed login attempts"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!a.email_verified&&e.email_validation==="enforced"){await Uf(t,a);const b=Me(t,{type:Le.FAILED_LOGIN,description:"Email not verified"});throw await i.logs.create(e.tenant.id,b),new $i(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const g=Me(t,{type:Le.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return ln(t,i.logs.create(e.tenant.id,g)),{client:e,authParams:n,user:l,loginSession:r}}async function Ay(t,e,n,r,i){const s=await xy(t,e,n,r);return Dn(t,{...s,ticketAuth:i,strategy:"Username-Password-Authentication"})}async function o8(t,e,n,r){await Bc(t,{client:e,username:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.var.ip});let i=Ar(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Ar(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=t.get("ip"),l=t.get("useragent"),u=t.get("auth0_client"),d=Yn(u),p=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+rb).toISOString(),authParams:{client_id:e.client_id,username:n},csrf_token:Ke(),ip:a,useragent:l,auth0Client:d}),h=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:p.id,expires_at:new Date(Date.now()+nb).toISOString()});await $y(t,n,h.code_id,r)}const s8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.legacyClients.get(n);if(!i)throw new E(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase(),a=t.get("ip"),l=t.get("useragent"),u=t.get("auth0_client");let d;if("otp"in e)d=await Rf(t,{client_id:n,username:s,otp:e.otp});else if("password"in e){const p=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:Ke(),ip:a,useragent:l,auth0Client:Yn(u)});d=await Ay(t,i,{username:s,password:e.password,client_id:n},p,!0)}else throw new E(400,{message:"Code or password required"});if(!(d instanceof Response))throw new E(500,{message:"Unexpected response from loginWithPassword"});return d});function Ey(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=du(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let l;if(a.startsWith("http://")||a.startsWith("https://")?l=((i=du(a))==null?void 0:i.host)??null:l=((s=du("https://"+a))==null?void 0:s.host)??null,n===l)return!0}return!1}function du(t){try{return new URL(t)}catch{return null}}async function a8({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=new URL(t.req.url);t.var.custom_domain&&(a.hostname=t.var.custom_domain);const{ip:l,auth0_client:u,useragent:d}=t.var,p=Yn(u),h=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:r,csrf_token:Ke(),authorization_url:a.toString(),ip:l,useragent:d,auth0Client:p});if(e&&s){const g=await t.env.data.users.get(n.tenant.id,e.user_id);if((g==null?void 0:g.email)===s)return await t.env.data.loginSessions.update(n.tenant.id,h.id,{session_id:e.id}),Dn(t,{client:n,loginSession:{...h,session_id:e.id},authParams:r,user:g,sessionId:e.id})}if(i==="email"&&s){const g=Ar();return await t.env.data.codes.create(n.tenant.id,{code_id:g,code_type:"otp",login_id:h.id,expires_at:new Date(Date.now()+Hr*1e3).toISOString(),redirect_uri:r.redirect_uri}),await Ff(t,{code:g,to:s,authParams:r}),t.redirect(`/u/enter-code?state=${h.id}`)}return e?t.redirect(`/u/check-account?state=${h.id}`):t.redirect(`/u/login/identifier?state=${h.id}`)}function c8(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new E(403,{message:"Invalid realm"})}async function l8(t,e,n,r,i){var g;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new E(403,{message:"Ticket not found"});const l=await s.data.loginSessions.get(e,a.login_id);if(!l||!l.authParams.username)throw new E(403,{message:"Session not found"});const u=await s.data.legacyClients.get(l.authParams.client_id);if(!u)throw new E(403,{message:"Client not found"});t.set("client_id",l.authParams.client_id),await s.data.codes.used(e,n);const d=c8(i);let p=await Bc(t,{username:l.authParams.username,provider:d,client:u,connection:d==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.var.ip});t.set("username",p.email||p.phone_number),t.set("user_id",p.user_id);const h=await Z_(t,{user:p,client:u,loginSession:l});return Dn(t,{authParams:{scope:(g=l.authParams)==null?void 0:g.scope,...r},loginSession:l,sessionId:h.id,user:p,client:u})}async function u8({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:l,audience:u,scope:d,response_type:p}){const{env:h}=t,g=new URL(r),b=`${g.protocol}//${g.host}`;async function x(H="Login required"){const G=Me(t,{type:Le.FAILED_SILENT_AUTH,description:H});return await t.env.data.logs.create(e.tenant.id,G),t.html(Du(b,JSON.stringify({error:"login_required",error_description:H,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return x();t.set("user_id",n.user_id);const T=await h.data.users.get(e.tenant.id,n.user_id);if(!T)return console.error("User not found",n.user_id),x("User not found");t.set("username",T.email),t.set("connection",T.connection);const O={client:e,authParams:{client_id:e.client_id,audience:u,code_challenge_method:a,code_challenge:l,scope:d,state:i,nonce:s,response_type:p,redirect_uri:r},user:T,session_id:n.id},A=p===Yt.CODE?await J_(t,{user:T,client:e,authParams:O.authParams,login_id:n.login_session_id}):await Pc(t,O);await h.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.var.ip||"",last_user_agent:t.var.useragent||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+Rc*1e3).toISOString():void 0});const M=Me(t,{type:Le.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,M);const U=new Headers;U.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const F=Ra(e.tenant.id,n.id,t.req.header("host"));return U.set("set-cookie",F),t.html(Du(b,JSON.stringify({...A,state:i})),{headers:U})}const d8=["email","sms","Username-Password-Authentication"],p8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(zn).optional(),response_type:o.z.nativeEnum(Yt).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(zc).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),screen_hint:o.z.string().openapi({example:"signup",description:'Optional hint for the screen to show, like "signup" or "login".'}).optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Successful authorization response. This can be an HTML page (e.g., for silent authentication iframe or universal login page) or a JSON object containing tokens (e.g., for response_mode=web_message).",content:{"text/html":{schema:o.z.string().openapi({example:"<html>...</html>"})},"application/json":{schema:xp}}},302:{description:"Redirect to the client's redirect URI, an authentication page, or an external identity provider.",headers:o.z.object({Location:o.z.string().url()})},400:{description:"Bad Request. Invalid parameters or other client-side errors.",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}},403:{description:"Forbidden. The request is not allowed (e.g., invalid origin).",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:l,nonce:u,connection:d,response_type:p,response_mode:h,code_challenge:g,code_challenge_method:b,prompt:x,login_ticket:C,realm:T,auth0Client:O,login_hint:A,ui_locales:M,organization:U}=t.req.valid("query");t.set("log","authorize");const F=await fo(e,n);t.set("client_id",F.client_id),t.set("tenant_id",F.tenant.id);const H={redirect_uri:i.split("#")[0],scope:s,state:a,client_id:n,vendor_id:r,audience:l,nonce:u,prompt:x,response_type:p,response_mode:h,code_challenge:g,code_challenge_method:b,username:A,ui_locales:M,organization:U},G=t.req.header("origin");if(G&&!Ey(G,F.web_origins||[]))throw new E(403,{message:`Origin ${G} not allowed`});if(H.redirect_uri){const L=F.callbacks||[];if(t.var.host&&(L.push(`${Il(t.env)}/*`),L.push(`${dt(t.env)}/*`)),!Nf(H.redirect_uri,L,{allowPathWildcards:!0}))throw new E(400,{message:`Invalid redirect URI - ${H.redirect_uri}`})}const Y=Di(F.tenant.id,t.req.header("cookie")),J=Y?await e.data.sessions.get(F.tenant.id,Y):void 0,Ae=J&&!J.revoked_at?J:void 0;if(x=="none"){if(!p)throw new E(400,{message:"Missing response_type"});return u8({ctx:t,session:Ae||void 0,redirect_uri:i,state:a,response_type:p,client:F,nonce:u,code_challenge_method:b,code_challenge:g,audience:l,scope:s})}if(F.connections.length===1&&F.connections[0]&&!d8.includes(F.connections[0].strategy||""))return _g(t,F,F.connections[0].name,H);if(d&&d!=="email")return _g(t,F,d,H);if(C){const L=await l8(t,F.tenant.id,C,H,T);return L instanceof Response?L:t.json(L)}const R=await a8({ctx:t,client:F,auth0Client:O,authParams:H,session:Ae||void 0,connection:d,login_hint:A});return R instanceof Response?R:t.json(R)}),f8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),redirect_url:o.z.string().optional(),login_hint:o.z.string().toLowerCase().optional(),screen_hint:o.z.enum(["account","change-email","change-phone","change-password"]).optional().default("account")})},responses:{302:{description:"Redirect to the account page with login session state or login page",headers:o.z.object({Location:o.z.string().url()})},400:{description:"Bad Request. Invalid parameters or other client-side errors.",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}}}}),async t=>{const{env:e}=t,{client_id:n,redirect_url:r,login_hint:i,screen_hint:s}=t.req.valid("query");t.set("log","account");const a=await fo(e,n);t.set("client_id",a.client_id),t.set("tenant_id",a.tenant.id);const l={redirect_uri:r||t.req.url,client_id:n,username:i},u=t.req.header("origin");if(u&&!Ey(u,a.web_origins||[]))throw new E(403,{message:`Origin ${u} not allowed`});if(l.redirect_uri){const A=a.callbacks||[];if(t.var.host&&(A.push(`${Il(t.env)}/*`),A.push(`${dt(t.env)}/*`)),!Nf(l.redirect_uri,A,{allowPathWildcards:!0}))throw new E(400,{message:`Invalid redirect URI - ${l.redirect_uri}`})}const d=Di(a.tenant.id,t.req.header("cookie")),p=d?await e.data.sessions.get(a.tenant.id,d):void 0,h=p&&!p.revoked_at?p:void 0,g=new URL(t.req.url);t.var.custom_domain&&(g.hostname=t.var.custom_domain);const{ip:b,auth0_client:x,useragent:C}=t.var,T=Yn(x),O=await e.data.loginSessions.create(a.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:l,csrf_token:Ke(),authorization_url:g.toString(),ip:b,useragent:C,auth0Client:T});if(h){if(i){const M=await e.data.users.get(a.tenant.id,h.user_id);if((M==null?void 0:M.email)!==i)return t.redirect(`${dt(t.env)}login/identifier?state=${encodeURIComponent(O.id)}`)}if(await e.data.loginSessions.update(a.tenant.id,O.id,{session_id:h.id}),s==="change-email"){const M=new URL("/u/account/change-email",t.req.url);return M.searchParams.set("state",O.id),t.redirect(M.toString())}const A=new URL("/u/account",t.req.url);return A.searchParams.set("state",O.id),t.redirect(A.toString())}return t.redirect(`${dt(t.env)}login/identifier?state=${encodeURIComponent(O.id)}`)});function h8(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>{const s=cs(r,t.dataAdapter),a=t.dataAdapter.cache||Ns({defaultTtlSeconds:0,maxEntries:100,cleanupIntervalMs:0}),l=t.dataAdapter.cache?300:0,u=Dl(s,{defaultTtl:l,cacheEntities:["tenants","connections","customDomains","clients","legacyClients","branding","themes","promptSettings","forms","resourceServers","roles","organizations","userRoles","userPermissions"],cache:a});return r.env.data=zl(r,u),i()}),e.use("/oauth/token",Rm({origin:r=>r||"",allowHeaders:["Tenant-Id","Content-Type","Auth0-Client","Upgrade-Insecure-Requests"],allowMethods:["POST"],maxAge:600})),e.use(Ol).use(Tl).use(Ef(e));const n=e.route("/v2/logout",R5).route("/userinfo",j5).route("/.well-known",P5).route("/oauth/token",e8).route("/dbconnections",r8).route("/passwordless",i8).route("/co/authenticate",s8).route("/authorize",p8).route("/account",f8).route("/callback",O5);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Af(n),n}var Mf=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,l=s.length;a<l;a++){const u=s[a];if(typeof u=="string")wr(u,n);else if(typeof u=="number")n[0]+=u;else{if(typeof u=="boolean"||u===null||u===void 0)continue;if(typeof u=="object"&&u.isEscaped)if(u.callbacks)n.unshift("",u);else{const d=u.toString();d instanceof Promise?n.unshift("",d):n[0]+=d}else u instanceof Promise?n.unshift("",u):wr(u.toString(),n)}}}return n[0]+=t.at(-1),n.length===1?"callbacks"in n?hn(ey(hn(n[0],n.callbacks))):hn(n[0]):Q1(n,n.callbacks)},qf=Symbol("RENDERER"),cp=Symbol("ERROR_HANDLER"),We=Symbol("STASH"),Sy=Symbol("INTERNAL"),g8=Symbol("MEMO"),bc=Symbol("PERMALINK"),Gg=t=>(t[Sy]=!0,t),ky=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:Gg(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:Gg(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[cp]=s=>{throw t.pop(),s},i},Ny=t=>{const e=[t],n=ky(e);return n.values=e,n.Provider=n,Ki.push(n),n},Ki=[],Cy=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new Oy("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>hn(s,s.callbacks)):hn(i)};return n.values=e,n.Provider=n,n[qf]=ky(e),Ki.push(n),n},ho=t=>t.values.at(-1),fa={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},lp={},ha="data-precedence",zs=t=>Array.isArray(t)?t:[t],Wg=new WeakMap,Xg=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Wg.get(s)||{};Wg.set(s,a);const l=a[t]||(a[t]=[]);let u=!1;const d=fa[t];if(d.length>0){e:for(const[,p]of l)for(const h of d)if(((p==null?void 0:p[h])??null)===(n==null?void 0:n[h])){u=!0;break e}}if(u?i[0]=i[0].replaceAll(e,""):d.length>0?l.push([e,n,r]):l.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=l.map(([h])=>h);else{const h=[];p=l.map(([g,,b])=>{let x=h.indexOf(b);return x===-1&&(h.push(b),x=h.length-1),[g,x]}).sort((g,b)=>g[1]-b[1]).map(([g])=>g)}p.forEach(h=>{i[0]=i[0].replaceAll(h,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Is=(t,e,n)=>hn(new gn(t,n,zs(e??[])).toString()),Ts=(t,e,n,r)=>{if("itemProp"in n)return Is(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[ha]=i);const l=new gn(t,a,zs(e||[])).toString();return l instanceof Promise?l.then(u=>hn(l,[...u.callbacks||[],Xg(t,u,a,i)])):hn(l,[Xg(t,l,a,i)])},m8=({children:t,...e})=>{const n=Vf();if(n){const r=ho(n);if(r==="svg"||r==="head")return new gn("title",e,zs(t??[]))}return Ts("title",t,e,!1)},_8=({children:t,...e})=>{const n=Vf();return["src","async"].some(r=>!e[r])||n&&ho(n)==="head"?Is("script",t,e):Ts("script",t,e,!1)},y8=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ts("style",t,e,!0)):Is("style",t,e),w8=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Is("link",t,e):Ts("link",t,e,"precedence"in e),v8=({children:t,...e})=>{const n=Vf();return n&&ho(n)==="head"?Is("meta",t,e):Ts("meta",t,e,!1)},zy=(t,{children:e,...n})=>new gn(t,n,zs(e??[])),b8=t=>(typeof t.action=="function"&&(t.action=bc in t.action?t.action[bc]:void 0),zy("form",t)),Iy=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=bc in e.formAction?e.formAction[bc]:void 0),zy(t,e)),$8=t=>Iy("input",t),x8=t=>Iy("button",t);const pu=Object.freeze(Object.defineProperty({__proto__:null,button:x8,form:b8,input:$8,link:w8,meta:v8,script:_8,style:y8,title:m8},Symbol.toStringTag,{value:"Module"}));var A8=new Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),$c=t=>A8.get(t)||t,Ty=(t,e)=>{for(const[n,r]of Object.entries(t)){const i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ts=void 0,Vf=()=>ts,E8=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,S8=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],k8=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],Hf=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")wr(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof gn?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):Hf(i,e)}}},gn=class{constructor(t,e,n){be(this,"tag");be(this,"props");be(this,"key");be(this,"children");be(this,"isEscaped",!0);be(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?ey(hn(t[0],t.callbacks)).toString():t[0]:Q1(t,t.callbacks)}toStringToBuffer(t){const e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ts&&ho(ts)==="svg"?s=>E8($c(s)):s=>$c(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let l="";Ty(a,(u,d)=>{d!=null&&(l+=`${l?";":""}${u}:${d}`)}),t[0]+=' style="',wr(l,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,wr(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&k8.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw new Error("Can only set one of `children` or `props.dangerouslySetInnerHTML`.");r=[hn(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on")&&s!=="ref")throw new Error(`Invalid prop '${s}' of type 'function' supplied to '${e}'.`)}else t[0]+=` ${s}="`,wr(a.toString(),t),t[0]+='"'}if(S8.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",Hf(r,t),t[0]+=`</${e}>`}},fu=class extends gn{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(Ki.length===0)t.unshift("",n);else{const r=Ki.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof gn&&(i.localContexts=r),i)))}else n instanceof gn?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):wr(n,t)}},Oy=class extends gn{toStringToBuffer(t){Hf(this.children,t)}},N8=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=ga(t,e,n);return i.key=r,i},Jg=!1,ga=(t,e,n)=>{if(!Jg){for(const r in lp)pu[r][qf]=lp[r];Jg=!0}return typeof t=="function"?new fu(t,e,n):pu[t]?new fu(pu[t],e,n):t==="svg"||t==="head"?(ts||(ts=Cy("")),new gn(t,e,[new fu(ts,{value:t},n)])):new gn(t,e,n)},Kf=({children:t})=>new Oy("",{children:t},Array.isArray(t)?t:t?[t]:[]),C8=(t,e,...n)=>{let r;if(n.length>0)r=n;else{const i=t.props.children;r=Array.isArray(i)?i:[i]}return N8(t.tag,{...t.props,...e},...r)};function _(t,e,n){let r;if(!e||!("children"in e))r=ga(t,e,[]);else{const i=e.children;r=Array.isArray(i)?ga(t,e,i):ga(t,e,[i])}return r.key=n,r}async function Ue(t,e,n=!1){var p;const{env:r}=t,i=await r.data.loginSessions.get(t.var.tenant_id||"",e);if(!i)throw new E(400,{message:"Login session not found"});t.set("loginSession",i);const s=await fo(r,i.authParams.client_id);t.set("client_id",s.client_id),t.set("tenant_id",s.tenant.id);const a=await r.data.tenants.get(s.tenant.id);if(a){if(i.session_id&&!n){if(!i.authParams.redirect_uri)throw new E(400,{message:"Login session closed and no redirect URI available"});const h=new URL(i.authParams.redirect_uri);throw h.searchParams.set("error","access_denied"),h.searchParams.set("error_description","Login session closed"),i.authParams.state&&h.searchParams.set("state",i.authParams.state),new oi(h.toString(),302)}}else throw new E(400,{message:"Tenant not found"});const l=await r.data.themes.get(a.id,"default"),u=await r.data.branding.get(a.id),d=(p=i.authParams.ui_locales)==null?void 0:p.split(" ").map(h=>h.split("-")[0]).find(h=>{if(Array.isArray(P.options.supportedLngs))return P.options.supportedLngs.includes(h)});return await P.changeLanguage(d||a.language||"sv"),{theme:l,branding:u,client:s,tenant:a,loginSession:i}}async function si(t,e){const{theme:n,branding:r,client:i,tenant:s,loginSession:a}=await Ue(t,e,!0),l=Di(i.tenant.id,t.req.header("cookie")),u=l?await t.env.data.sessions.get(i.tenant.id,l):null;if(!u||!a.session_id)throw new oi(`/u/login/identifier?state=${encodeURIComponent(e)}`);const d=await t.env.data.sessions.get(i.tenant.id,a.session_id),p=await t.env.data.users.get(i.tenant.id,u.user_id);if(!p||(d==null?void 0:d.user_id)!==u.user_id)throw new oi(`/u/login/identifier?state=${encodeURIComponent(e)}`);return{theme:n,branding:r,client:i,user:p,tenant:s,loginSession:a,session:d}}async function z8(t,e,n,r){if(r!==void 0)return r==="password";const i=await Op({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});return i!=null&&i.app_metadata.strategy?i.app_metadata.strategy==="Username-Password-Authentication":(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const Dy=({theme:t,branding:e})=>{var r;const n=((r=t==null?void 0:t.widget)==null?void 0:r.logo_url)||(e==null?void 0:e.logo_url);return n?_("div",{className:"flex h-9 items-center",children:_("img",{src:n,className:"max-h-full",alt:"Logo"})}):_(Kf,{})},Ry=t=>{var e,n;return _("div",{className:"mt-8",children:((n=(e=t.client)==null?void 0:e.client_metadata)==null?void 0:n.termsAndConditionsUrl)&&_("div",{className:"text-xs text-gray-300",children:[P.t("agree_to")," ",_("a",{href:t.client.client_metadata.termsAndConditionsUrl,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:P.t("terms")})]})})};var jy={exports:{}};/*!
+In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function LE(t,e){if(t){if(typeof t=="string")return Ug(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);if(n==="Object"&&t.constructor&&(n=t.constructor.name),n==="Map"||n==="Set")return Array.from(t);if(n==="Arguments"||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n))return Ug(t,e)}}function Ug(t,e){(e==null||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function FE(t,e){var n=t==null?null:typeof Symbol<"u"&&t[Symbol.iterator]||t["@@iterator"];if(n!=null){var r=[],i=!0,s=!1,a,l;try{for(n=n.call(t);!(i=(a=n.next()).done)&&(r.push(a.value),!(e&&r.length===e));i=!0);}catch(u){s=!0,l=u}finally{try{!i&&n.return!=null&&n.return()}finally{if(s)throw l}}return r}}function UE(t){if(Array.isArray(t))return t}function ME(t){var e=Array.prototype.slice.call(t),n=PE(e,4),r=n[0],i=n[1],s=n[2],a=n[3],l,u,d;if(typeof r=="string")l=r;else throw new TypeError("A text for parsing must be a string.");if(!i||typeof i=="string")a?(u=s,d=a):(u=void 0,d=s),i&&(u=RE({defaultCountry:i},u));else if(Oi(i))s?(u=i,d=s):d=i;else throw new Error("Invalid second argument: ".concat(i));return{text:l,options:u,metadata:d}}function Mg(t,e){var n=Object.keys(t);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(t);e&&(r=r.filter(function(i){return Object.getOwnPropertyDescriptor(t,i).enumerable})),n.push.apply(n,r)}return n}function qg(t){for(var e=1;e<arguments.length;e++){var n=arguments[e]!=null?arguments[e]:{};e%2?Mg(Object(n),!0).forEach(function(r){qE(t,r,n[r])}):Object.getOwnPropertyDescriptors?Object.defineProperties(t,Object.getOwnPropertyDescriptors(n)):Mg(Object(n)).forEach(function(r){Object.defineProperty(t,r,Object.getOwnPropertyDescriptor(n,r))})}return t}function qE(t,e,n){return e in t?Object.defineProperty(t,e,{value:n,enumerable:!0,configurable:!0,writable:!0}):t[e]=n,t}function VE(t,e,n){e&&e.defaultCountry&&!eA(e.defaultCountry,n)&&(e=qg(qg({},e),{},{defaultCountry:void 0}));try{return DE(t,e,n)}catch(r){if(!(r instanceof Un))throw r}}function HE(){var t=ME(arguments),e=t.text,n=t.options,r=t.metadata;return VE(e,n,r)}function KE(){return V5(HE,arguments)}function Bl(t,e="US"){const n=t.trim();if(n.includes("@")){const r=n.toLowerCase(),i=/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);return{connectionType:"email",normalized:i?r:null,isValid:i}}else if(/^\+?\d[\d\s\-().]*$/.test(n)){const r=KE(n,{defaultCountry:e});return r&&r.isValid()?{connectionType:"sms",normalized:r.number,isValid:!0}:{connectionType:"sms",normalized:null,isValid:!1}}else return{connectionType:"username",normalized:n,isValid:!0}}function Df(t){let e=t.trim();e.startsWith("[")&&e.endsWith("]")&&(e=e.slice(1,-1));const n=e.indexOf("%");return n!==-1&&(e=e.slice(0,n)),e}function GE(t){const n=Df(t).split(".");return n.length!==4?!1:n.every(r=>/^\d+$/.test(r)&&Number(r)>=0&&Number(r)<=255)}function WE(t){const e=Df(t);if(e.length<2||e.indexOf(":")===-1||!/^[0-9a-fA-F:.]+$/.test(e))return!1;const n=e.split(":");return e.includes("::")?n.length<=8:n.length===8}function XE(t){let e=t.trim();const n=/^\[([^\]]+)\](?::\d+)?$/,r=e.match(n);if(r&&r[1])return r[1];const i=e.lastIndexOf(":");if(i!==-1){const s=e.slice(0,i),a=e.slice(i+1);/^[0-9.]+$/.test(s)&&/^\d+$/.test(a)&&(e=s)}return e}function Vg(t){if(!t)return null;const e=Df(XE(t));return GE(e)?{family:4,normalized:e}:WE(e)?{family:6,normalized:e.toLowerCase()}:null}function Hg(t){if(t.includes("::")){let[e,n]=t.split("::"),r=e?e.split(":").filter(Boolean):[],i=n?n.split(":").filter(Boolean):[],s=8-(r.length+i.length);return[...r.map(a=>a.toLowerCase()||"0"),...Array(s).fill("0"),...i.map(a=>a.toLowerCase()||"0")]}else return t.split(":").map(e=>e.toLowerCase()||"0")}function JE(t,e,n=!0){const r=Vg(t),i=Vg(e);if(!r||!i||r.family!==i.family)return!1;if(r.family===4)return r.normalized===i.normalized;const s=Hg(r.normalized),a=Hg(i.normalized);return n?s.length===8&&a.length===8&&s.join(":")===a.join(":"):s.slice(0,4).join(":")===a.slice(0,4).join(":")}class oi extends Error{constructor(n,r=302){super(`Redirect to ${n}`);be(this,"location");be(this,"status");this.name=oi.name,this.location=n,this.status=r}}const YE=o.z.object({client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),otp:o.z.string(),authParams:jo.optional(),enforceIpCheck:o.z.boolean().optional().default(!1)});async function wy(t,{client_id:e,username:n,otp:r,authParams:i,enforceIpCheck:s=!1}){const a=t.get("ip"),l=t.get("countryCode"),{connectionType:u,normalized:d}=Bl(n,l);if(!d)throw new E(400,{message:"Invalid username format"});const p=await t.env.data.legacyClients.get(e);if(!p)throw new E(403,{message:"Client not found"});const{env:h}=t,g=await h.data.codes.get(p.tenant.id,r,"otp");if(!g)throw new E(400,{message:xe("code_invalid")});if(g.expires_at<new Date().toISOString())throw new E(400,{message:xe("code_expired")});if(g.used_at)throw new E(400,{message:xe("code_used")});const b=await h.data.loginSessions.get(p.tenant.id,g.login_id);if(!b||b.authParams.username!==n)throw new E(400,{message:"Code not found or expired"});if(s&&b.ip&&a&&!JE(b.ip,a))throw new oi(`${dt(t.env)}invalid-session?state=${b.id}`);const x=await Bc(t,{client:p,username:d,provider:u,connection:u,isSocial:!1,ip:t.var.ip});return await h.data.codes.used(p.tenant.id,r),{user:x,client:p,loginSession:b,session_id:b.session_id,authParams:{...b.authParams,...i||{}}}}async function Rf(t,e){const n=await wy(t,e);return Dn(t,{authParams:n.authParams,client:n.client,user:n.user,loginSession:n.loginSession,strategy:"email"})}const Kg=o.z.object({client_id:o.z.string().optional(),client_secret:o.z.string().optional()}),ZE=o.z.union([uy.extend(Kg.shape),o.z.object({grant_type:o.z.literal("authorization_code"),client_id:o.z.string(),code:o.z.string(),redirect_uri:o.z.string(),code_verifier:o.z.string().min(43).max(128)}),o.z.object({grant_type:o.z.literal("authorization_code"),code:o.z.string(),redirect_uri:o.z.string().optional(),...Kg.shape}),o.z.object({grant_type:o.z.literal("refresh_token"),client_id:o.z.string(),refresh_token:o.z.string(),redirect_uri:o.z.string().optional()}),o.z.object({grant_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),client_id:o.z.string(),username:o.z.string(),otp:o.z.string(),realm:o.z.enum(["email","sms"])})]);function QE(t){if(!t)return{};const[e,n]=t.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&n){const[r,i]=atob(n).split(":");return{client_id:r,client_secret:i}}return{}}const e8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:ZE}}}},responses:{200:{content:{"application/json":{schema:xp}},description:"Tokens"},302:{description:"Redirect for further user interaction (e.g., MFA, consent).",headers:o.z.object({Location:o.z.string().url()}).openapi({})},400:{description:"Bad Request - The request was malformed or invalid.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},401:{description:"Unauthorized - Client authentication failed.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},403:{description:"Forbidden - User is not a member of the required organization.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}}}}),async t=>{var u,d,p,h,g;const e=t.req.valid("form"),n=QE(t.req.header("Authorization")),r={...e,...n};if(!r.client_id)throw new E(400,{message:"client_id is required"});t.set("client_id",r.client_id);let i;switch(e.grant_type){case an.AuthorizationCode:i=await F5(t,L5.parse(r));break;case an.ClientCredential:i=await B5(t,uy.parse(r));break;case an.RefreshToken:i=await M5(t,U5.parse(r));break;case an.OTP:i=await wy(t,YE.parse(r));break;default:return t.json({error:"unsupported_grant_type",error_description:"Grant type not implemented"},400)}const s=new Headers;if(i.session_id){const b=Ra(i.client.tenant.id,i.session_id,t.var.host||"");s.set("Set-Cookie",b)}let a=[];if(i.authParams.audience)try{let b;if(e.grant_type===an.ClientCredential)b=await ja(t,{grantType:an.ClientCredential,tenantId:i.client.tenant.id,clientId:i.client.client_id,audience:i.authParams.audience,requestedScopes:((u=i.authParams.scope)==null?void 0:u.split(" "))||[],organizationId:(d=i.organization)==null?void 0:d.id});else{if(!((p=i.user)!=null&&p.user_id))throw new Po(400,{error:"invalid_request",error_description:"User ID is required for user-based grants"});b=await ja(t,{grantType:e.grant_type,tenantId:i.client.tenant.id,userId:i.user.user_id,clientId:i.client.client_id,audience:i.authParams.audience,requestedScopes:((h=i.authParams.scope)==null?void 0:h.split(" "))||[],organizationId:(g=i.organization)==null?void 0:g.id})}i.authParams.scope=b.scopes.join(" "),a=b.permissions}catch(b){if(b instanceof E)throw b;console.error("Error calculating scopes and permissions:",b)}const l=await Pc(t,{...i,grantType:e.grant_type,permissions:a.length>0?a:void 0});return t.json(l,{headers:s})});var jf={exports:{}};const Pf=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],vy=(t,e=Pf,n="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let r=t||"";e[0].minDiversity=0,e[0].minLength=0;const i=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];n&&i.push({regex:`[${n}]`,message:"symbol"});let s={};s.contains=i.filter(l=>new RegExp(`${l.regex}`).test(r)).map(l=>l.message),s.length=r.length;let a=e.filter(l=>s.contains.length>=l.minDiversity).filter(l=>s.length>=l.minLength).sort((l,u)=>u.id-l.id).map(l=>({id:l.id,value:l.value}));return Object.assign(s,a[0]),s};jf.exports={passwordStrength:vy,defaultOptions:Pf};var t8=jf.exports.passwordStrength=vy;jf.exports.defaultOptions=Pf;function Bf(t){return t8(t).id<2?!1:t.length>=8&&/[a-z]/.test(t)&&/[A-Z]/.test(t)&&/[0-9]/.test(t)&&/[^A-Za-z0-9]/.test(t)}async function Cs(t,e){var i;const n=await t.env.data.emailProviders.get(t.var.tenant_id)||(t.env.DEFAULT_TENANT_ID?await t.env.data.emailProviders.get(t.env.DEFAULT_TENANT_ID):null);if(!n)throw new E(500,{message:"Email provider not found"});const r=(i=t.env.emailProviders)==null?void 0:i[n.name];if(!r)throw new E(500,{message:"Email provider not found"});await r({emailProvider:n,...e,from:n.default_from_address||`login@${t.env.ISSUER}`})}async function by(t,e){var a,l;if(!t.var.client_id)throw new E(500,{message:"Client not found"});const n=await fo(t.env,t.var.client_id),r=n.connections.find(u=>u.strategy==="sms");if(!r)throw new E(500,{message:"SMS provider not found"});const i=((a=r.options)==null?void 0:a.provider)||"twilio",s=(l=t.env.smsProviders)==null?void 0:l[i];if(!s)throw new E(500,{message:"SMS provider not found"});await s({options:r.options,to:e.to,from:e.from,text:e.text,template:"auth-code",data:{code:e.code,tenantName:n.tenant.name,tenantId:n.tenant.id}})}async function $y(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});const s=`${dt(t.env)}reset-password?state=${r}&code=${n}`,a={vendorName:i.name,lng:i.language||"en"};await Cs(t,{to:e,subject:xe("reset_password_title",a),html:`Click here to reset your password: ${dt(t.env)}reset-password?state=${r}&code=${n}`,template:"auth-password-reset",data:{vendorName:i.name,logo:i.logo||"",passwordResetUrl:s,supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",passwordResetTitle:xe("password_reset_title",a),resetPasswordEmailClickToReset:xe("reset_password_email_click_to_reset",a),resetPasswordEmailReset:xe("reset_password_email_reset",a),supportInfo:xe("support_info",a),contactUs:xe("contact_us",a),copyright:xe("copyright",a),tenantName:i.name,tenantId:i.id}})}async function Lf(t,{to:e,code:n}){const r=await t.env.data.tenants.get(t.var.tenant_id);if(!r)throw new E(500,{message:"Tenant not found"});const{connectionType:i}=Bl(e),s=new URL(dt(t.env)),a={vendorName:r.name,vendorId:r.id,loginDomain:s.hostname,code:n,lng:r.language||"en"};i==="email"?await Cs(t,{to:e,subject:xe("code_email_subject",a),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-code",data:{code:n,vendorName:r.name,logo:r.logo||"",supportUrl:r.support_url||"",buttonColor:r.primary_color||"",welcomeToYourAccount:xe("welcome_to_your_account",a),linkEmailClickToLogin:xe("link_email_click_to_login",a),linkEmailLogin:xe("link_email_login",a),linkEmailOrEnterCode:xe("link_email_or_enter_code",a),codeValid30Mins:xe("code_valid_30_minutes",a),supportInfo:xe("support_info",a),contactUs:xe("contact_us",a),copyright:xe("copyright",a)}}):i==="sms"&&await by(t,{to:e,text:xe("sms_code_text",a),code:n,from:r.name});const l=Me(t,{type:Le.CODE_LINK_SENT,description:e});ln(t,t.env.data.logs.create(r.id,l))}async function Ff(t,{to:e,code:n,authParams:r}){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});if(!r.redirect_uri)throw new E(400,{message:"redirect_uri is required"});const{connectionType:s}=Bl(e),a=new URL(ct(t.env));a.pathname="passwordless/verify_redirect",a.searchParams.set("verification_code",n),a.searchParams.set("connection",s),a.searchParams.set("client_id",r.client_id),a.searchParams.set("redirect_uri",r.redirect_uri),a.searchParams.set("email",e),r.response_type&&a.searchParams.set("response_type",r.response_type),r.scope&&a.searchParams.set("scope",r.scope),r.state&&a.searchParams.set("state",r.state),r.nonce&&a.searchParams.set("nonce",r.nonce),r.code_challenge&&a.searchParams.set("code_challenge",r.code_challenge),r.code_challenge_method&&a.searchParams.set("code_challenge_method",r.code_challenge_method),r.audience&&a.searchParams.set("audience",r.audience);const l={vendorName:i.name,code:n,lng:i.language||"en"};if(s==="email")await Cs(t,{to:e,subject:xe("code_email_subject",l),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-link",data:{code:n,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:a.toString(),buttonColor:i.primary_color||"",welcomeToYourAccount:xe("welcome_to_your_account",l),linkEmailClickToLogin:xe("link_email_click_to_login",l),linkEmailLogin:xe("link_email_login",l),linkEmailOrEnterCode:xe("link_email_or_enter_code",l),codeValid30Mins:xe("code_valid_30_minutes",l),supportInfo:xe("support_info",l),contactUs:xe("contact_us",l),copyright:xe("copyright",l)}});else if(s==="sms")await by(t,{to:e,text:`${xe("link_sms_login",l)}: ${a.toString()}`,code:n,from:i.name});else throw new E(400,{message:"Only email and SMS connections are supported for magic links"});const u=Me(t,{type:Le.CODE_LINK_SENT,description:e});ln(t,t.env.data.logs.create(i.id,u))}async function Uf(t,e){const n=await t.env.data.tenants.get(t.var.tenant_id);if(!n)throw new E(500,{message:"Tenant not found"});if(!e.email)throw new E(400,{message:"User has no email"});const r={vendorName:n.name,lng:n.language||"en"};await Cs(t,{to:e.email,subject:xe("welcome_to_your_account",r),html:`Click here to validate your email: ${dt(t.env)}validate-email`,template:"auth-verify-email",data:{vendorName:n.name,logo:n.logo||"",emailValidationUrl:`${dt(t.env)}validate-email`,supportUrl:n.support_url||"https://support.sesamy.com",buttonColor:n.primary_color||"#7d68f4",welcomeToYourAccount:xe("welcome_to_your_account",r),verifyEmailVerify:xe("verify_email_verify",r),supportInfo:xe("support_info",r),contactUs:xe("contact_us",r),copyright:xe("copyright",r)}})}async function n8(t,e,n,r){const i=await t.env.data.tenants.get(t.var.tenant_id);if(!i)throw new E(500,{message:"Tenant not found"});const s={vendorName:i.name,lng:i.language||"en"},a=`${dt(t.env)}signup?state=${r}&code=${n}`;await Cs(t,{to:e,subject:xe("register_password_account",s),html:`Click here to register: ${a}`,template:"auth-pre-signup-verification",data:{vendorName:i.name,logo:i.logo||"",signupUrl:a,setPassword:xe("set_password",s),registerPasswordAccount:xe("register_password_account",s),clickToSignUpDescription:xe("click_to_sign_up_description",s),supportUrl:i.support_url||"https://support.sesamy.com",buttonColor:i.primary_color||"#7d68f4",welcomeToYourAccount:xe("welcome_to_your_account",s),verifyEmailVerify:xe("verify_email_verify",s),supportInfo:xe("support_info",s),contactUs:xe("contact_us",s),copyright:xe("copyright",s)}})}const r8=new o.OpenAPIHono().openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string()})}}}},responses:{200:{content:{"application/json":{schema:o.z.object({_id:o.z.string(),email:o.z.string().optional(),email_verified:o.z.boolean(),app_metadata:o.z.object({}),user_metadata:o.z.object({})})}},description:"Created user"}}}),async t=>{const{email:e,password:n,client_id:r}=t.req.valid("json"),i=await t.env.data.legacyClients.get(r);if(!i)throw new E(400,{message:"Client not found"});if(t.set("client_id",i.client_id),t.set("tenant_id",i.tenant.id),!Bf(n))throw new E(400,{message:"Password does not meet the requirements"});if(await Bo({userAdapter:t.env.data.users,tenant_id:i.tenant.id,username:e,provider:"auth2"}))throw new E(400,{message:"Invalid sign up"});const a=await t.env.data.users.create(i.tenant.id,{user_id:`auth2|${Dc()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});t.set("user_id",a.user_id),t.set("username",a.email),t.set("connection",a.connection);const l=await as.hash(n,10);await t.env.data.passwords.create(i.tenant.id,{user_id:a.user_id,password:l,algorithm:"bcrypt"}),await Uf(t,a);const u=Me(t,{type:Le.SUCCESS_SIGNUP,description:"Successful signup"});return await t.env.data.logs.create(i.tenant.id,u),t.json({_id:a.user_id,email:a.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(o.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:o.z.object({client_id:o.z.string(),connection:o.z.literal("Username-Password-Authentication"),email:o.z.string().transform(t=>t.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{email:e,client_id:n}=t.req.valid("json"),r=await t.env.data.legacyClients.get(n);if(!r)throw new E(400,{message:"Client not found"});if(t.set("client_id",r.client_id),t.set("tenant_id",r.tenant.id),!await eo({userAdapter:t.env.data.users,tenant_id:r.tenant.id,username:e,provider:"auth2"}))return t.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:n,username:e},a=await t.env.data.loginSessions.create(r.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:s,csrf_token:Ke(),ip:t.get("ip"),useragent:t.get("useragent"),auth0Client:Yn(t.get("auth0_client"))});return await $y(t,e,a.id,a.authParams.state),t.html("If an account with that email exists, we've sent instructions to reset your password.")});function Ar(){const t="1234567890";let e="";for(let n=0;n<6;n+=1)e+=t[Math.floor(Math.random()*10)];return e.toString()}const i8=new o.OpenAPIHono().openapi(o.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({connection:o.z.literal("email"),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),send:o.z.enum(["link","code"]),authParams:jo.omit({client_id:!0})}),o.z.object({client_id:o.z.string(),connection:o.z.literal("sms"),phone_number:o.z.string(),send:o.z.enum(["link","code"]),authParams:jo.omit({client_id:!0})})])}}}},responses:{200:{description:"Status"}}}),async t=>{const e=t.req.valid("json"),{env:n}=t,{client_id:r,send:i,authParams:s,connection:a}=e,l=await t.env.data.legacyClients.get(r);if(!l)throw new E(400,{message:"Client not found"});t.set("client_id",l.client_id),t.set("tenant_id",l.tenant.id);const u=a==="email"?e.email:e.phone_number,d=t.get("ip"),p=t.get("useragent"),h=t.get("auth0_client"),g=Yn(h),b=await n.data.loginSessions.create(l.tenant.id,{authParams:{...s,client_id:r,username:u},expires_at:new Date(Date.now()+oa).toISOString(),csrf_token:Ke(),ip:d,useragent:p,auth0Client:g}),x=await n.data.codes.create(l.tenant.id,{code_id:Ar(),code_type:"otp",login_id:b.id,expires_at:new Date(Date.now()+oa).toISOString(),redirect_uri:s.redirect_uri});return i==="link"?await Ff(t,{to:u,code:x.code_id,authParams:{...s,client_id:r}}):await Lf(t,{to:u,code:x.code_id}),t.html("OK")}).openapi(o.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:o.z.object({scope:o.z.string(),response_type:o.z.nativeEnum(Yt),redirect_uri:o.z.string(),state:o.z.string(),nonce:o.z.string().optional(),verification_code:o.z.string(),connection:o.z.string(),client_id:o.z.string(),email:o.z.string().transform(t=>t.toLowerCase()),audience:o.z.string().optional()})},responses:{302:{description:"Successful verification, redirecting to continue flow.",headers:o.z.object({Location:o.z.string().url()}).openapi({})},400:{description:"Bad Request (e.g., invalid client, invalid code, missing parameters).",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}},500:{description:"Internal Server Error.",content:{"application/json":{schema:o.z.object({error:o.z.string(),error_description:o.z.string().optional()})}}}}}),async t=>{const{env:e}=t,{client_id:n,email:r,verification_code:i,redirect_uri:s,state:a,scope:l,audience:u,response_type:d,nonce:p}=t.req.valid("query"),h=await fo(e,n);t.set("client_id",h.client_id),t.set("tenant_id",h.tenant.id),t.set("connection","email");const g={client_id:n,redirect_uri:s,state:a,nonce:p,scope:l,audience:u,response_type:d};let b="Something went wrong. Please try again later.";try{const M=await Rf(t,{client_id:n,username:r,otp:i,authParams:g,enforceIpCheck:!0});if(M instanceof Response)return M;if(M&&typeof M=="object"&&"access_token"in M)return t.json(M)}catch(M){const U=M;"message"in U&&typeof U.message=="string"&&(b=U.message)}const x=t.get("ip"),C=t.get("useragent"),T=t.get("auth0_client"),O=Yn(T),A=await e.data.loginSessions.create(h.tenant.id,{authParams:{...g,username:r},expires_at:new Date(Date.now()+oa).toISOString(),csrf_token:Ke(),ip:x,useragent:C,auth0Client:O});return t.redirect(`${dt(t.env)}invalid-session?state=${A.id}&error=${encodeURIComponent(b)}`,302)});class $i extends E{constructor(n,r){super(n,r);be(this,"_code");this._code=r==null?void 0:r.code}get code(){return this._code}}async function xy(t,e,n,r){const{data:i}=t.env,{username:s}=n;if(t.set("username",s),!s)throw new E(400,{message:"Username is required"});const a=await eo({userAdapter:t.env.data.users,tenant_id:e.tenant.id,username:s,provider:"auth2"});if(!a){const b=Me(t,{type:Le.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"User not found",code:"USER_NOT_FOUND"})}const l=a.linked_to?await i.users.get(e.tenant.id,a.linked_to):a;if(!l)throw new $i(403,{message:"User not found",code:"USER_NOT_FOUND"});t.set("connection",a.connection),t.set("user_id",l.user_id);const u=await i.passwords.get(e.tenant.id,a.user_id);if(!(u&&await as.compare(n.password,u.password))){const b=Me(t,{type:Le.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await i.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${l.user_id}`})).logs.filter(b=>b.type===Le.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(b.date)>new Date(Date.now()-1e3*60*5)).length>=3){const b=Me(t,{type:Le.FAILED_LOGIN,description:"Too many failed login attempts"});throw ln(t,i.logs.create(e.tenant.id,b)),new $i(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!a.email_verified&&e.email_validation==="enforced"){await Uf(t,a);const b=Me(t,{type:Le.FAILED_LOGIN,description:"Email not verified"});throw await i.logs.create(e.tenant.id,b),new $i(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const g=Me(t,{type:Le.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return ln(t,i.logs.create(e.tenant.id,g)),{client:e,authParams:n,user:l,loginSession:r}}async function Ay(t,e,n,r,i){const s=await xy(t,e,n,r);return Dn(t,{...s,ticketAuth:i,strategy:"Username-Password-Authentication"})}async function o8(t,e,n,r){await Bc(t,{client:e,username:n,provider:"auth2",connection:"Username-Password-Authentication",isSocial:!1,ip:t.var.ip});let i=Ar(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");for(;s;)i=Ar(),s=await t.env.data.codes.get(e.tenant.id,i,"password_reset");const a=t.get("ip"),l=t.get("useragent"),u=t.get("auth0_client"),d=Yn(u),p=await t.env.data.loginSessions.create(e.tenant.id,{expires_at:new Date(Date.now()+rb).toISOString(),authParams:{client_id:e.client_id,username:n},csrf_token:Ke(),ip:a,useragent:l,auth0Client:d}),h=await t.env.data.codes.create(e.tenant.id,{code_id:i,code_type:"password_reset",login_id:p.id,expires_at:new Date(Date.now()+nb).toISOString()});await $y(t,n,h.code_id,r)}const s8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:o.z.union([o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:o.z.string(),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),realm:o.z.enum(["email"]),scope:o.z.string().optional()}),o.z.object({credential_type:o.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:o.z.string(),username:o.z.string().transform(t=>t.toLowerCase()),password:o.z.string(),realm:o.z.enum(["Username-Password-Authentication"]),scope:o.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async t=>{const e=t.req.valid("json"),{client_id:n,username:r}=e;t.set("username",r);const i=await t.env.data.legacyClients.get(n);if(!i)throw new E(400,{message:"Client not found"});t.set("client_id",n),t.set("tenant_id",i.tenant.id);const s=r.toLocaleLowerCase(),a=t.get("ip"),l=t.get("useragent"),u=t.get("auth0_client");let d;if("otp"in e)d=await Rf(t,{client_id:n,username:s,otp:e.otp});else if("password"in e){const p=await t.env.data.loginSessions.create(i.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:{client_id:n,username:s},csrf_token:Ke(),ip:a,useragent:l,auth0Client:Yn(u)});d=await Ay(t,i,{username:s,password:e.password,client_id:n},p,!0)}else throw new E(400,{message:"Code or password required"});if(!(d instanceof Response))throw new E(500,{message:"Unexpected response from loginWithPassword"});return d});function Ey(t,e){var r,i,s;if(!t||e.length===0)return!1;const n=((r=du(t))==null?void 0:r.host)??null;if(!n)return!1;for(const a of e){let l;if(a.startsWith("http://")||a.startsWith("https://")?l=((i=du(a))==null?void 0:i.host)??null:l=((s=du("https://"+a))==null?void 0:s.host)??null,n===l)return!0}return!1}function du(t){try{return new URL(t)}catch{return null}}async function a8({ctx:t,session:e,client:n,authParams:r,connection:i,login_hint:s}){const a=new URL(t.req.url);t.var.custom_domain&&(a.hostname=t.var.custom_domain);const{ip:l,auth0_client:u,useragent:d}=t.var,p=Yn(u),h=await t.env.data.loginSessions.create(n.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:r,csrf_token:Ke(),authorization_url:a.toString(),ip:l,useragent:d,auth0Client:p});if(e&&s){const g=await t.env.data.users.get(n.tenant.id,e.user_id);if((g==null?void 0:g.email)===s)return await t.env.data.loginSessions.update(n.tenant.id,h.id,{session_id:e.id}),Dn(t,{client:n,loginSession:{...h,session_id:e.id},authParams:r,user:g,sessionId:e.id})}if(i==="email"&&s){const g=Ar();return await t.env.data.codes.create(n.tenant.id,{code_id:g,code_type:"otp",login_id:h.id,expires_at:new Date(Date.now()+Hr*1e3).toISOString(),redirect_uri:r.redirect_uri}),await Ff(t,{code:g,to:s,authParams:r}),t.redirect(`/u/enter-code?state=${h.id}`)}return e?t.redirect(`/u/check-account?state=${h.id}`):t.redirect(`/u/login/identifier?state=${h.id}`)}function c8(t){if(t==="Username-Password-Authentication")return"auth2";if(t==="email")return"email";throw new E(403,{message:"Invalid realm"})}async function l8(t,e,n,r,i){var g;const{env:s}=t;t.set("connection",i);const a=await s.data.codes.get(e,n,"ticket");if(!a||a.used_at)throw new E(403,{message:"Ticket not found"});const l=await s.data.loginSessions.get(e,a.login_id);if(!l||!l.authParams.username)throw new E(403,{message:"Session not found"});const u=await s.data.legacyClients.get(l.authParams.client_id);if(!u)throw new E(403,{message:"Client not found"});t.set("client_id",l.authParams.client_id),await s.data.codes.used(e,n);const d=c8(i);let p=await Bc(t,{username:l.authParams.username,provider:d,client:u,connection:d==="auth2"?"Username-Password-Authentication":"email",isSocial:!1,ip:t.var.ip});t.set("username",p.email||p.phone_number),t.set("user_id",p.user_id);const h=await Z_(t,{user:p,client:u,loginSession:l});return Dn(t,{authParams:{scope:(g=l.authParams)==null?void 0:g.scope,...r},loginSession:l,sessionId:h.id,user:p,client:u})}async function u8({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:l,audience:u,scope:d,response_type:p}){const{env:h}=t,g=new URL(r),b=`${g.protocol}//${g.host}`;async function x(H="Login required"){const G=Me(t,{type:Le.FAILED_SILENT_AUTH,description:H});return await t.env.data.logs.create(e.tenant.id,G),t.html(Du(b,JSON.stringify({error:"login_required",error_description:H,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return x();t.set("user_id",n.user_id);const T=await h.data.users.get(e.tenant.id,n.user_id);if(!T)return console.error("User not found",n.user_id),x("User not found");t.set("username",T.email),t.set("connection",T.connection);const O={client:e,authParams:{client_id:e.client_id,audience:u,code_challenge_method:a,code_challenge:l,scope:d,state:i,nonce:s,response_type:p,redirect_uri:r},user:T,session_id:n.id},A=p===Yt.CODE?await J_(t,{user:T,client:e,authParams:O.authParams,login_id:n.login_session_id}):await Pc(t,O);await h.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.var.ip||"",last_user_agent:t.var.useragent||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+Rc*1e3).toISOString():void 0});const M=Me(t,{type:Le.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,M);const U=new Headers;U.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const F=Ra(e.tenant.id,n.id,t.req.header("host"));return U.set("set-cookie",F),t.html(Du(b,JSON.stringify({...A,state:i})),{headers:U})}const d8=["email","sms","Username-Password-Authentication"],p8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(zn).optional(),response_type:o.z.nativeEnum(Yt).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(zc).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),screen_hint:o.z.string().openapi({example:"signup",description:'Optional hint for the screen to show, like "signup" or "login".'}).optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Successful authorization response. This can be an HTML page (e.g., for silent authentication iframe or universal login page) or a JSON object containing tokens (e.g., for response_mode=web_message).",content:{"text/html":{schema:o.z.string().openapi({example:"<html>...</html>"})},"application/json":{schema:xp}}},302:{description:"Redirect to the client's redirect URI, an authentication page, or an external identity provider.",headers:o.z.object({Location:o.z.string().url()})},400:{description:"Bad Request. Invalid parameters or other client-side errors.",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}},403:{description:"Forbidden. The request is not allowed (e.g., invalid origin).",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:l,nonce:u,connection:d,response_type:p,response_mode:h,code_challenge:g,code_challenge_method:b,prompt:x,login_ticket:C,realm:T,auth0Client:O,login_hint:A,ui_locales:M,organization:U}=t.req.valid("query");t.set("log","authorize");const F=await fo(e,n);t.set("client_id",F.client_id),t.set("tenant_id",F.tenant.id);const H={redirect_uri:i.split("#")[0],scope:s,state:a,client_id:n,vendor_id:r,audience:l,nonce:u,prompt:x,response_type:p,response_mode:h,code_challenge:g,code_challenge_method:b,username:A,ui_locales:M,organization:U},G=t.req.header("origin");if(G&&!Ey(G,F.web_origins||[]))throw new E(403,{message:`Origin ${G} not allowed`});if(H.redirect_uri){const L=F.callbacks||[];if(t.var.host&&(L.push(`${Il(t.env)}/*`),L.push(`${dt(t.env)}/*`)),!Nf(H.redirect_uri,L,{allowPathWildcards:!0}))throw new E(400,{message:`Invalid redirect URI - ${H.redirect_uri}`})}const Y=Di(F.tenant.id,t.req.header("cookie")),J=Y?await e.data.sessions.get(F.tenant.id,Y):void 0,Ae=J&&!J.revoked_at?J:void 0;if(x=="none"){if(!p)throw new E(400,{message:"Missing response_type"});return u8({ctx:t,session:Ae||void 0,redirect_uri:i,state:a,response_type:p,client:F,nonce:u,code_challenge_method:b,code_challenge:g,audience:l,scope:s})}if(F.connections.length===1&&F.connections[0]&&!d8.includes(F.connections[0].strategy||""))return _g(t,F,F.connections[0].name,H);if(d&&d!=="email")return _g(t,F,d,H);if(C){const L=await l8(t,F.tenant.id,C,H,T);return L instanceof Response?L:t.json(L)}const R=await a8({ctx:t,client:F,auth0Client:O,authParams:H,session:Ae||void 0,connection:d,login_hint:A});return R instanceof Response?R:t.json(R)}),f8=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),redirect_url:o.z.string().optional(),login_hint:o.z.string().toLowerCase().optional(),screen_hint:o.z.enum(["account","change-email","change-phone","change-password"]).optional().default("account")})},responses:{302:{description:"Redirect to the account page with login session state or login page",headers:o.z.object({Location:o.z.string().url()})},400:{description:"Bad Request. Invalid parameters or other client-side errors.",content:{"application/json":{schema:o.z.object({message:o.z.string()})}}}}}),async t=>{const{env:e}=t,{client_id:n,redirect_url:r,login_hint:i,screen_hint:s}=t.req.valid("query");t.set("log","account");const a=await fo(e,n);t.set("client_id",a.client_id),t.set("tenant_id",a.tenant.id);const l={redirect_uri:r||t.req.url,client_id:n,username:i},u=t.req.header("origin");if(u&&!Ey(u,a.web_origins||[]))throw new E(403,{message:`Origin ${u} not allowed`});if(l.redirect_uri){const A=a.callbacks||[];if(t.var.host&&(A.push(`${Il(t.env)}/*`),A.push(`${dt(t.env)}/*`)),!Nf(l.redirect_uri,A,{allowPathWildcards:!0}))throw new E(400,{message:`Invalid redirect URI - ${l.redirect_uri}`})}const d=Di(a.tenant.id,t.req.header("cookie")),p=d?await e.data.sessions.get(a.tenant.id,d):void 0,h=p&&!p.revoked_at?p:void 0,g=new URL(t.req.url);t.var.custom_domain&&(g.hostname=t.var.custom_domain);const{ip:b,auth0_client:x,useragent:C}=t.var,T=Yn(x),O=await e.data.loginSessions.create(a.tenant.id,{expires_at:new Date(Date.now()+Hr*1e3).toISOString(),authParams:l,csrf_token:Ke(),authorization_url:g.toString(),ip:b,useragent:C,auth0Client:T});if(h){if(i){const M=await e.data.users.get(a.tenant.id,h.user_id);if((M==null?void 0:M.email)!==i)return t.redirect(`${dt(t.env)}login/identifier?state=${encodeURIComponent(O.id)}`)}if(await e.data.loginSessions.update(a.tenant.id,O.id,{session_id:h.id}),s==="change-email"){const M=new URL("/u/account/change-email",t.req.url);return M.searchParams.set("state",O.id),t.redirect(M.toString())}const A=new URL("/u/account",t.req.url);return A.searchParams.set("state",O.id),t.redirect(A.toString())}return t.redirect(`${dt(t.env)}login/identifier?state=${encodeURIComponent(O.id)}`)});function h8(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>{const s=cs(r,t.dataAdapter),a=t.dataAdapter.cache||Ns({defaultTtlSeconds:0,maxEntries:100,cleanupIntervalMs:0}),l=t.dataAdapter.cache?300:0,u=Dl(s,{defaultTtl:l,cacheEntities:["tenants","connections","customDomains","clients","legacyClients","branding","themes","promptSettings","forms","resourceServers","roles","organizations","userRoles","userPermissions"],cache:a});return r.env.data=zl(r,u),i()}),e.use("/oauth/token",Rm({origin:r=>r||"",allowHeaders:["Tenant-Id","Content-Type","Auth0-Client","Upgrade-Insecure-Requests"],allowMethods:["POST"],maxAge:600})),e.use(Ol).use(Tl).use(Ef(e));const n=e.route("/v2/logout",R5).route("/userinfo",j5).route("/.well-known",P5).route("/oauth/token",e8).route("/dbconnections",r8).route("/passwordless",i8).route("/co/authenticate",s8).route("/authorize",p8).route("/account",f8).route("/callback",O5);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Af(n),n}var Mf=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,l=s.length;a<l;a++){const u=s[a];if(typeof u=="string")wr(u,n);else if(typeof u=="number")n[0]+=u;else{if(typeof u=="boolean"||u===null||u===void 0)continue;if(typeof u=="object"&&u.isEscaped)if(u.callbacks)n.unshift("",u);else{const d=u.toString();d instanceof Promise?n.unshift("",d):n[0]+=d}else u instanceof Promise?n.unshift("",u):wr(u.toString(),n)}}}return n[0]+=t.at(-1),n.length===1?"callbacks"in n?hn(ey(hn(n[0],n.callbacks))):hn(n[0]):Q1(n,n.callbacks)},qf=Symbol("RENDERER"),cp=Symbol("ERROR_HANDLER"),We=Symbol("STASH"),Sy=Symbol("INTERNAL"),g8=Symbol("MEMO"),bc=Symbol("PERMALINK"),Gg=t=>(t[Sy]=!0,t),ky=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:Gg(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:Gg(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[cp]=s=>{throw t.pop(),s},i},Ny=t=>{const e=[t],n=ky(e);return n.values=e,n.Provider=n,Ki.push(n),n},Ki=[],Cy=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new Oy("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>hn(s,s.callbacks)):hn(i)};return n.values=e,n.Provider=n,n[qf]=ky(e),Ki.push(n),n},ho=t=>t.values.at(-1),fa={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},lp={},ha="data-precedence",zs=t=>Array.isArray(t)?t:[t],Wg=new WeakMap,Xg=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Wg.get(s)||{};Wg.set(s,a);const l=a[t]||(a[t]=[]);let u=!1;const d=fa[t];if(d.length>0){e:for(const[,p]of l)for(const h of d)if(((p==null?void 0:p[h])??null)===(n==null?void 0:n[h])){u=!0;break e}}if(u?i[0]=i[0].replaceAll(e,""):d.length>0?l.push([e,n,r]):l.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=l.map(([h])=>h);else{const h=[];p=l.map(([g,,b])=>{let x=h.indexOf(b);return x===-1&&(h.push(b),x=h.length-1),[g,x]}).sort((g,b)=>g[1]-b[1]).map(([g])=>g)}p.forEach(h=>{i[0]=i[0].replaceAll(h,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Is=(t,e,n)=>hn(new gn(t,n,zs(e??[])).toString()),Ts=(t,e,n,r)=>{if("itemProp"in n)return Is(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[ha]=i);const l=new gn(t,a,zs(e||[])).toString();return l instanceof Promise?l.then(u=>hn(l,[...u.callbacks||[],Xg(t,u,a,i)])):hn(l,[Xg(t,l,a,i)])},m8=({children:t,...e})=>{const n=Vf();if(n){const r=ho(n);if(r==="svg"||r==="head")return new gn("title",e,zs(t??[]))}return Ts("title",t,e,!1)},_8=({children:t,...e})=>{const n=Vf();return["src","async"].some(r=>!e[r])||n&&ho(n)==="head"?Is("script",t,e):Ts("script",t,e,!1)},y8=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ts("style",t,e,!0)):Is("style",t,e),w8=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Is("link",t,e):Ts("link",t,e,"precedence"in e),v8=({children:t,...e})=>{const n=Vf();return n&&ho(n)==="head"?Is("meta",t,e):Ts("meta",t,e,!1)},zy=(t,{children:e,...n})=>new gn(t,n,zs(e??[])),b8=t=>(typeof t.action=="function"&&(t.action=bc in t.action?t.action[bc]:void 0),zy("form",t)),Iy=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=bc in e.formAction?e.formAction[bc]:void 0),zy(t,e)),$8=t=>Iy("input",t),x8=t=>Iy("button",t);const pu=Object.freeze(Object.defineProperty({__proto__:null,button:x8,form:b8,input:$8,link:w8,meta:v8,script:_8,style:y8,title:m8},Symbol.toStringTag,{value:"Module"}));var A8=new Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),$c=t=>A8.get(t)||t,Ty=(t,e)=>{for(const[n,r]of Object.entries(t)){const i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ts=void 0,Vf=()=>ts,E8=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,S8=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],k8=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],Hf=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")wr(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof gn?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):Hf(i,e)}}},gn=class{constructor(t,e,n){be(this,"tag");be(this,"props");be(this,"key");be(this,"children");be(this,"isEscaped",!0);be(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?ey(hn(t[0],t.callbacks)).toString():t[0]:Q1(t,t.callbacks)}toStringToBuffer(t){const e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ts&&ho(ts)==="svg"?s=>E8($c(s)):s=>$c(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let l="";Ty(a,(u,d)=>{d!=null&&(l+=`${l?";":""}${u}:${d}`)}),t[0]+=' style="',wr(l,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,wr(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&k8.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw new Error("Can only set one of `children` or `props.dangerouslySetInnerHTML`.");r=[hn(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on")&&s!=="ref")throw new Error(`Invalid prop '${s}' of type 'function' supplied to '${e}'.`)}else t[0]+=` ${s}="`,wr(a.toString(),t),t[0]+='"'}if(S8.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",Hf(r,t),t[0]+=`</${e}>`}},fu=class extends gn{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(Ki.length===0)t.unshift("",n);else{const r=Ki.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof gn&&(i.localContexts=r),i)))}else n instanceof gn?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):wr(n,t)}},Oy=class extends gn{toStringToBuffer(t){Hf(this.children,t)}},N8=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=ga(t,e,n);return i.key=r,i},Jg=!1,ga=(t,e,n)=>{if(!Jg){for(const r in lp)pu[r][qf]=lp[r];Jg=!0}return typeof t=="function"?new fu(t,e,n):pu[t]?new fu(pu[t],e,n):t==="svg"||t==="head"?(ts||(ts=Cy("")),new gn(t,e,[new fu(ts,{value:t},n)])):new gn(t,e,n)},Kf=({children:t})=>new Oy("",{children:t},Array.isArray(t)?t:t?[t]:[]),C8=(t,e,...n)=>{let r;if(n.length>0)r=n;else{const i=t.props.children;r=Array.isArray(i)?i:[i]}return N8(t.tag,{...t.props,...e},...r)};function _(t,e,n){let r;if(!e||!("children"in e))r=ga(t,e,[]);else{const i=e.children;r=Array.isArray(i)?ga(t,e,i):ga(t,e,[i])}return r.key=n,r}async function Ue(t,e,n=!1){var p;const{env:r}=t,i=await r.data.loginSessions.get(t.var.tenant_id||"",e);if(!i)throw new E(400,{message:"Login session not found"});t.set("loginSession",i);const s=await fo(r,i.authParams.client_id);t.set("client_id",s.client_id),t.set("tenant_id",s.tenant.id);const a=await r.data.tenants.get(s.tenant.id);if(a){if(i.session_id&&!n){if(!i.authParams.redirect_uri)throw new E(400,{message:"Login session closed and no redirect URI available"});const h=new URL(i.authParams.redirect_uri);throw h.searchParams.set("error","access_denied"),h.searchParams.set("error_description","Login session closed"),i.authParams.state&&h.searchParams.set("state",i.authParams.state),new oi(h.toString(),302)}}else throw new E(400,{message:"Tenant not found"});const l=await r.data.themes.get(a.id,"default"),u=await r.data.branding.get(a.id),d=(p=i.authParams.ui_locales)==null?void 0:p.split(" ").map(h=>h.split("-")[0]).find(h=>{if(Array.isArray(P.options.supportedLngs))return P.options.supportedLngs.includes(h)});return await P.changeLanguage(d||a.language||"sv"),{theme:l,branding:u,client:s,tenant:a,loginSession:i}}async function si(t,e){const{theme:n,branding:r,client:i,tenant:s,loginSession:a}=await Ue(t,e,!0),l=Di(i.tenant.id,t.req.header("cookie")),u=l?await t.env.data.sessions.get(i.tenant.id,l):null;if(!u||!a.session_id)throw new oi(`/u/login/identifier?state=${encodeURIComponent(e)}`);const d=await t.env.data.sessions.get(i.tenant.id,a.session_id),p=await t.env.data.users.get(i.tenant.id,u.user_id);if(!p||(d==null?void 0:d.user_id)!==u.user_id)throw new oi(`/u/login/identifier?state=${encodeURIComponent(e)}`);return{theme:n,branding:r,client:i,user:p,tenant:s,loginSession:a,session:d}}async function z8(t,e,n,r){if(r!==void 0)return r==="password";const i=await Op({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});return i!=null&&i.app_metadata.strategy?i.app_metadata.strategy==="Username-Password-Authentication":(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const Dy=({theme:t,branding:e})=>{var r;const n=((r=t==null?void 0:t.widget)==null?void 0:r.logo_url)||(e==null?void 0:e.logo_url);return n?_("div",{className:"flex h-9 items-center",children:_("img",{src:n,className:"max-h-full",alt:"Logo"})}):_(Kf,{})},Ry=t=>{var e,n;return _("div",{className:"mt-8",children:((n=(e=t.client)==null?void 0:e.client_metadata)==null?void 0:n.termsAndConditionsUrl)&&_("div",{className:"text-xs text-gray-300",children:[P.t("agree_to")," ",_("a",{href:t.client.client_metadata.termsAndConditionsUrl,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:P.t("terms")})]})})};var jy={exports:{}};/*!
 	Copyright (c) 2018 Jed Watson.
 	Licensed under the MIT License (MIT), see
 	http://jedwatson.github.io/classnames

package/dist/authhero.mjs CHANGED Viewed

@@ -24981,7 +24981,7 @@ const SE = new be().openapi(
     }
   }),
   async (t) => {
-    var l, u, d, p, h;
+    var u, d, p, h, g;
     const e = t.req.valid("form"), n = EE(t.req.header("Authorization")), r = { ...e, ...n };
     if (!r.client_id)
       throw new E(400, { message: "client_id is required" });
@@ -25023,52 +25023,54 @@ const SE = new be().openapi(
     }
     const s = new Headers();
     if (i.session_id) {
-      const g = wa(
+      const b = wa(
         i.client.tenant.id,
         i.session_id,
         t.var.host || ""
       );
-      s.set("Set-Cookie", g);
+      s.set("Set-Cookie", b);
     }
+    let a = [];
     if (i.authParams.audience)
       try {
-        let g;
+        let b;
         if (e.grant_type === En.ClientCredential)
-          g = await va(t, {
+          b = await va(t, {
             grantType: En.ClientCredential,
             tenantId: i.client.tenant.id,
             clientId: i.client.client_id,
             audience: i.authParams.audience,
-            requestedScopes: ((l = i.authParams.scope) == null ? void 0 : l.split(" ")) || [],
-            organizationId: (u = i.organization) == null ? void 0 : u.id
+            requestedScopes: ((u = i.authParams.scope) == null ? void 0 : u.split(" ")) || [],
+            organizationId: (d = i.organization) == null ? void 0 : d.id
           });
         else {
-          if (!((d = i.user) != null && d.user_id))
+          if (!((p = i.user) != null && p.user_id))
             throw new Rs(400, {
               error: "invalid_request",
               error_description: "User ID is required for user-based grants"
             });
-          g = await va(t, {
+          b = await va(t, {
             grantType: e.grant_type,
             tenantId: i.client.tenant.id,
             userId: i.user.user_id,
             clientId: i.client.client_id,
             audience: i.authParams.audience,
-            requestedScopes: ((p = i.authParams.scope) == null ? void 0 : p.split(" ")) || [],
-            organizationId: (h = i.organization) == null ? void 0 : h.id
+            requestedScopes: ((h = i.authParams.scope) == null ? void 0 : h.split(" ")) || [],
+            organizationId: (g = i.organization) == null ? void 0 : g.id
           });
         }
-        i.authParams.scope = g.scopes.join(" ");
-      } catch (g) {
-        if (g instanceof E)
-          throw g;
-        console.error("Error calculating scopes and permissions:", g);
+        i.authParams.scope = b.scopes.join(" "), a = b.permissions;
+      } catch (b) {
+        if (b instanceof E)
+          throw b;
+        console.error("Error calculating scopes and permissions:", b);
       }
-    const a = await yc(t, {
+    const l = await yc(t, {
       ...i,
-      grantType: e.grant_type
+      grantType: e.grant_type,
+      permissions: a.length > 0 ? a : void 0
     });
-    return t.json(a, {
+    return t.json(l, {
       headers: s
     });
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.221.0",
+  "version": "0.222.0",
   "files": [
     "dist"
   ],
@@ -35,7 +35,7 @@
     "vite": "^5.4.11",
     "vite-plugin-dts": "^4.3.0",
     "vitest": "^2.1.5",
-    "@authhero/kysely-adapter": "^10.46.0"
+    "@authhero/kysely-adapter": "^10.47.0"
   },
   "dependencies": {
     "@peculiar/x509": "^1.12.3",