authhero 0.47.0 → 0.48.0
- package/dist/authhero.cjs +3 -3
- package/dist/authhero.mjs +35 -21
- package/package.json +1 -1
package/dist/authhero.cjs
CHANGED
|
@@ -122,7 +122,7 @@ PERFORMANCE OF THIS SOFTWARE.
|
|
|
122
122
|
`,r=0;for(;r<t.length;)r+64<=t.length?i+=t.substr(r,64)+`\r
|
|
123
123
|
`:i+=t.substr(r)+`\r
|
|
124
124
|
`,r+=64;return i+=`-----END ${n} KEY-----\r
|
|
125
|
-
`,i}async function m0(n){const e=await n.publicKey.export(),t=await crypto.subtle.exportKey("jwk",e),i=JSON.stringify(t,Object.keys(t).sort()),s=new TextEncoder().encode(i);return Va(await Rf(s))}const y0=1e3*60*60*24,v0=new a.OpenAPIHono().openapi(a.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.array(ko)}},description:"List of keys"}}}),async n=>{const t=(await n.env.data.keys.list()).filter(i=>"cert"in i).map(i=>i);return n.json(t)}).openapi(a.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({kid:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:ko}},description:"The requested key"}}}),async n=>{const{kid:e}=n.req.valid("param"),i=(await n.env.data.keys.list()).find(r=>r.kid===e);if(!i)throw new N(404,{message:"Key not found"});return n.json(i)}).openapi(a.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async n=>{const e=await n.env.data.keys.list();for await(const i of e)await n.env.data.keys.update(i.kid,{revoked_at:new Date(Date.now()+y0).toISOString()});const t=await Ma({name:`CN=${n.env.ORGANIZATION_NAME}`});return await n.env.data.keys.create(t),n.text("OK",{status:201})}).openapi(a.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({kid:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async n=>{const{kid:e}=n.req.valid("param");if(!await n.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new N(404,{message:"Key not found"});const i=await 
Ma({name:`CN=${n.env.ORGANIZATION_NAME}`});return await n.env.data.keys.create(i),n.text("OK")}),w0=new a.OpenAPIHono().openapi(a.createRoute({tags:["users"],method:"get",path:"/",request:{query:a.z.object({email:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:a.z.array(qa)}},description:"List of users"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{email:t}=n.req.valid("query"),r=(await Md(n.env.data.users,e,t)).filter(s=>!s.linked_to);return n.json(r)}),b0=Dt.extend({clients:a.z.array(Yt)}),k0=new a.OpenAPIHono().openapi(a.createRoute({tags:["clients"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([b0,a.z.array(Yt)])}},description:"List of clients"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r,sort:s,q:o}=n.req.valid("query"),l=(await n.env.data.applications.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o})).applications;return r?n.json({clients:l,start:0,limit:10,length:l.length}):n.json(l)}).openapi(a.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Yt}},description:"An application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),r=(await n.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===t);if(!r)throw new N(404);return n.json(r)}).openapi(a.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param");if(!await n.env.data.applications.remove(e,t))throw new N(404,{message:"Application not found"});return n.text("OK")}).openapi(a.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(fr.shape).partial()}}},params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Yt}},description:"The update application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),r=n.req.valid("json");await n.env.data.applications.update(e,t,r);const s=await n.env.data.applications.get(e,t);if(!s)throw new N(404,{message:"Application not found"});return n.json(s)}).openapi(a.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(fr.shape)}}},headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:a.z.object(Yt.shape)}},description:"An application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i={...t,id:t.id||Ke(),client_secret:t.client_secret||Ke()},r=await n.env.data.applications.create(e,i);return n.json(r,{status:201})});a.z.object({start:a.z.number(),limit:a.z.number(),length:a.z.number()});rs.extend({email:a.z.string(),login_count:a.z.number(),multifactor:a.z.array(a.z.string()).optional(),last_ip:a.z.string().optional(),last_login:a.z.string().optional(),user_id:a.z.string()}).catchall(a.z.any());const x0=Dt.extend({tenants:a.z.array(En)}),S0=new a.OpenAPIHono().openapi(a.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:on},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:a.z.union([a.z.array(En),x0])}},description:"List of tenants"}}}),async 
n=>{const{page:e,per_page:t,include_totals:i,sort:r,q:s}=n.req.valid("query"),o=await n.env.data.tenants.list({page:e,per_page:t,include_totals:i,sort:Dn(r),q:s});return i?n.json(o):n.json(o.tenants)}).openapi(a.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:En}},description:"A tenant"}}}),async n=>{const{id:e}=n.req.valid("param"),t=await n.env.data.tenants.get(e);if(!t)throw new N(404);return n.json(t)}).openapi(a.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{id:e}=n.req.valid("param");return await n.env.data.tenants.remove(e),n.text("OK")}).openapi(a.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(gr.shape).partial()}}},params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{id:e}=n.req.valid("param"),t=n.req.valid("json");return await n.env.data.tenants.update(e,t),n.text("OK")}).openapi(a.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(gr.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:En}},description:"An tenant"}}}),async n=>{const e=n.req.valid("json"),t=await n.env.data.tenants.create(e);return n.json(t,{status:201})}),A0=Dt.extend({logs:a.z.array(mr)}),I0=new a.OpenAPIHono().openapi(a.createRoute({tags:["logs"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(mr),A0])}},description:"List of log rows"}}}),async 
n=>{const{page:e,per_page:t,include_totals:i,sort:r,q:s}=n.req.valid("query"),{"tenant-id":o}=n.req.valid("header"),c=await n.env.data.logs.list(o,{page:e,per_page:t,include_totals:i,sort:Dn(r),q:s});return i?n.json(c):n.json(c.logs)}).openapi(a.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mr}},description:"A log entry"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=await n.env.data.logs.get(e,t);if(!i)throw new N(404);return n.json(i)}),E0=Dt.extend({hooks:a.z.array(An)}),$0=new a.OpenAPIHono().openapi(a.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(An),E0])}},description:"List of hooks"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r,sort:s,q:o}=n.req.valid("query"),c=await n.env.data.hooks.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o});return r?n.json(c):n.json(c.hooks)}).openapi(a.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(_r.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:An}},description:"The created hook"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.hooks.create(e,t);return 
n.json(i,{status:201})}).openapi(a.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()}),body:{content:{"application/json":{schema:a.z.object(_r.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:An.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param"),i=n.req.valid("json");await n.env.data.hooks.update(e,t,i);const r=await n.env.data.hooks.get(e,t);if(!r)throw new N(404,{message:"Hook not found"});return n.json(r)}).openapi(a.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:An}},description:"A hook"},404:{description:"Hook not found"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param"),i=await n.env.data.hooks.get(e,t);if(!i)throw new N(404,{message:"Hook not found"});return n.json(i)}).openapi(a.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param");if(!await n.env.data.hooks.remove(e,t))throw new N(404,{message:"Hook not found"});return n.text("OK")}),C0=Dt.extend({connections:a.z.array(Ot)}),j0=new a.OpenAPIHono().openapi(a.createRoute({tags:["connections"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(Ot),C0])}},description:"List of 
connectionss"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r=!1,sort:s,q:o}=n.req.valid("query"),c=await n.env.data.connections.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o});return r?n.json(c):n.json(c.connections)}).openapi(a.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ot}},description:"A connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=await n.env.data.connections.get(e,t);if(!i)throw new N(404);return n.json(i)}).openapi(a.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param");if(!await n.env.data.connections.remove(e,t))throw new N(404,{message:"Connection not found"});return n.text("OK")}).openapi(a.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(hr.shape).partial()}}},params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ot}},description:"The updated connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=n.req.valid("json");if(!await n.env.data.connections.update(e,t,i))throw new N(404,{message:"Connection not found"});const s=await n.env.data.connections.get(e,t);if(!s)throw new N(404,{message:"Connection not found"});return 
n.json(s)}).openapi(a.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(hr.shape)}}},headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Ot}},description:"A connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.connections.create(e,t);return n.json(i,{status:201})}),z0=new a.OpenAPIHono().openapi(a.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:er}},description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=await n.env.data.promptSettings.get(e);return t?n.json(t):n.json(er.parse({}))}).openapi(a.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(er.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.promptSettings.get(e);return Object.assign(i,t),await n.env.data.promptSettings.set(e,i),n.json(i)});let Yu=!1;function Pf(n){n.use(async(e,t)=>(Yu||(n.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Yu=!0),await t()))}a.z.object({alg:a.z.literal("RS256"),kty:a.z.literal("RSA"),use:a.z.literal("sig"),n:a.z.string(),e:a.z.string(),kid:a.z.string(),x5t:a.z.string(),x5c:a.z.array(a.z.string())});async function N0(n){try{const e=await n.JWKS_SERVICE.fetch(n.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new N(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function O0(n,e){const i=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),r=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),o=(await N0(n.env)).find(l=>l.kid===e.header.kid);if(!o)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",o,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,r,i)}function B0(n){const[e,t,i]=n.split(".");if(!e||!t||!i)return null;const r=JSON.parse(atob(e)),s=JSON.parse(atob(t)),o=atob(i.replace(/-/g,"+").replace(/_/g,"/"));return{header:r,payload:s,signature:o,raw:{header:e,payload:t,signature:i}}}function Lf(n){return async(e,t)=>{var r,s,o;const i=n.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(i&&"route"in i){const c=(s=(r=i.route.security)==null?void 0:r[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await t();const l=e.req.header("authorization")||"",[u,p]=l.split(" ");if((u==null?void 0:u.toLowerCase())!=="bearer"||!p)throw new N(401,{message:"Missing bearer token"});const g=B0(p);if(!g||!await O0(e,g))throw new N(403,{message:"Invalid JWT signature"});e.set("user_id",g.payload.sub),e.set("user",g.payload);const m=g.payload.permissions||[],x=((o=g.payload.scope)==null?void 0:o.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>x.includes(h))))throw new N(403,{message:"Unauthorized"})}return await t()}}const T0=new a.OpenAPIHono().openapi(a.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:tr}},description:"Email provider"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=await n.env.data.emailProviders.get(e);if(!t)throw new N(404,{message:"Email provider not 
found"});return n.json(t)}).openapi(a.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(tr.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json");return await n.env.data.emailProviders.create(e,t),n.text("OK",{status:201})}).openapi(a.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(tr.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json");return await n.env.data.emailProviders.update(e,t),n.text("OK")});function R0(){const n=new a.OpenAPIHono;n.use(Lf(n));const e=n.route("/branding",ng).route("/email/providers",T0).route("/users",vg).route("/keys",v0).route("/users-by-email",w0).route("/clients",k0).route("/tenants",S0).route("/logs",I0).route("/hooks",$0).route("/connections",j0).route("/prompts",z0);return Pf(e),e.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"}}),e}function P0(n,e){Object.keys(e).forEach(t=>{const i=e[t];i!=null&&i.length&&n.searchParams.set(t,i)})}function Hn(n){var e,t,i;return{auth0Client:(e=n.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(t=n.header("x-real-ip"))==null?void 0:t.slice(0,45),useragent:(i=n.header("user-agent"))==null?void 0:i.slice(0,512)}}const Qi=60*5,Uf=30*24*60*60,es=24*60*60,L0="auth-token",Xu=30*60*1e3,U0=5*60,V0=5*60;var Qu;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(Qu||(Qu={}));var ed;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(ed||(ed={}));function M0(n){return Mf(n,H0,Ii.Include)}function Vf(n){return Mf(n,D0,Ii.None)}function Mf(n,e,t){let i="";for(let r=0;r<n.byteLength;r+=3){let 
s=0,o=0;for(let c=0;c<3&&r+c<n.byteLength;c++)s=s<<8|n[r+c],o+=8;for(let c=0;c<4;c++)o>=6?(i+=e[s>>o-6&63],o-=6):o>0?(i+=e[s<<6-o&63],o=0):t===Ii.Include&&(i+="=")}return i}const H0="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",D0="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Ii;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(Ii||(Ii={}));var td;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(td||(td={}));class F0{uint8(e,t){if(e.byteLength<t+1)throw new TypeError("Insufficient bytes");return e[t]}uint16(e,t){if(e.byteLength<t+2)throw new TypeError("Insufficient bytes");return e[t]<<8|e[t+1]}uint32(e,t){if(e.byteLength<t+4)throw new TypeError("Insufficient bytes");let i=0;for(let r=0;r<4;r++)i|=e[t+r]<<24-r*8;return i}uint64(e,t){if(e.byteLength<t+8)throw new TypeError("Insufficient bytes");let i=0n;for(let r=0;r<8;r++)i|=BigInt(e[t+r])<<BigInt(56-r*8);return i}putUint8(e,t,i){if(e.length<i+1)throw new TypeError("Not enough space");if(t<0||t>255)throw new TypeError("Invalid uint8 value");e[i]=t}putUint16(e,t,i){if(e.length<i+2)throw new TypeError("Not enough space");if(t<0||t>65535)throw new TypeError("Invalid uint16 value");e[i]=t>>8,e[i+1]=t&255}putUint32(e,t,i){if(e.length<i+4)throw new TypeError("Not enough space");if(t<0||t>4294967295)throw new TypeError("Invalid uint32 value");for(let r=0;r<4;r++)e[i+r]=t>>(3-r)*8&255}putUint64(e,t,i){if(e.length<i+8)throw new TypeError("Not enough space");if(t<0||t>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let r=0;r<8;r++)e[i+r]=Number(t>>BigInt((7-r)*8)&0xffn)}}const nd=new F0;function pt(n,e){return(n<<32-e|n>>>e)>>>0}function q0(n){const e=new K0;return e.update(n),e.digest()}class K0{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new 
Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let t=0;if(this.currentBlockSize>0){const i=e.slice(0,64-this.currentBlockSize);this.blocks.set(i,this.currentBlockSize),this.process(),t+=i.byteLength,this.currentBlockSize=0}for(;t+64<=e.byteLength;){const i=e.slice(t,t+64);this.blocks.set(i),this.process(),t+=64}if(e.byteLength-t>0){const i=e.slice(t);this.blocks.set(i),this.currentBlockSize=i.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),nd.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let t=0;t<8;t++)nd.putUint32(e,this.H[t],t*4);return e}process(){for(let u=0;u<16;u++)this.w[u]=(this.blocks[u*4]<<24|this.blocks[u*4+1]<<16|this.blocks[u*4+2]<<8|this.blocks[u*4+3])>>>0;for(let u=16;u<64;u++){const p=(pt(this.w[u-2],17)^pt(this.w[u-2],19)^this.w[u-2]>>>10)>>>0,g=(pt(this.w[u-15],7)^pt(this.w[u-15],18)^this.w[u-15]>>>3)>>>0;this.w[u]=p+this.w[u-7]+g+this.w[u-16]|0}let e=this.H[0],t=this.H[1],i=this.H[2],r=this.H[3],s=this.H[4],o=this.H[5],c=this.H[6],l=this.H[7];for(let u=0;u<64;u++){const p=(pt(s,6)^pt(s,11)^pt(s,25))>>>0,g=(s&o^~s&c)>>>0,m=l+p+g+W0[u]+this.w[u]|0,x=(pt(e,2)^pt(e,13)^pt(e,22))>>>0,h=(e&t^e&i^t&i)>>>0,_=x+h|0;l=c,c=o,o=s,s=r+m|0,r=i,i=t,t=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=t+this.H[1]|0,this.H[2]=i+this.H[2]|0,this.H[3]=r+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=o+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const W0=new 
Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532
bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class G0{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function J0(n){const e=q0(new TextEncoder().encode(n));return Vf(e)}function Z0(){const n=new Uint8Array(32);return crypto.getRandomValues(n),Vf(n)}function di(n,e){const t=new TextEncoder().encode(e.toString()),i=new Request(n,{method:"POST",body:t});return 
i.headers.set("Content-Type","application/x-www-form-urlencoded"),i.headers.set("Accept","application/json"),i.headers.set("User-Agent","arctic"),i.headers.set("Content-Length",t.byteLength.toString()),i}function mo(n,e){const t=new TextEncoder().encode(`${n}:${e}`);return M0(t)}async function ts(n){let e;try{e=await fetch(n)}catch(t){throw new Df(t)}if(e.status===400||e.status===401){let t;try{t=await e.json()}catch{throw new or(e.status)}if(typeof t!="object"||t===null)throw new jn(e.status,t);let i;try{i=Hf(t)}catch{throw new jn(e.status,t)}throw i}if(e.status===200){let t;try{t=await e.json()}catch{throw new or(e.status)}if(typeof t!="object"||t===null)throw new jn(e.status,t);return new G0(t)}throw e.body!==null&&await e.body.cancel(),new or(e.status)}async function Y0(n){let e;try{e=await fetch(n)}catch(t){throw new Df(t)}if(e.status===400||e.status===401){let t;try{t=await e.json()}catch{throw new jn(e.status,null)}if(typeof t!="object"||t===null)throw new jn(e.status,t);let i;try{i=Hf(t)}catch{throw new jn(e.status,t)}throw i}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new or(e.status)}function Hf(n){let e;if("error"in n&&typeof n.error=="string")e=n.error;else throw new Error("Invalid error response");let t=null,i=null,r=null;if("error_description"in n){if(typeof n.error_description!="string")throw new Error("Invalid data");t=n.error_description}if("error_uri"in n){if(typeof n.error_uri!="string")throw new Error("Invalid data");i=n.error_uri}if("state"in n){if(typeof n.state!="string")throw new Error("Invalid data");r=n.state}return new X0(e,t,i,r)}class Df extends Error{constructor(e){super("Failed to send request",{cause:e})}}class X0 extends Error{constructor(t,i,r,s){super(`OAuth request error: ${t}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=t,this.description=i,this.uri=r,this.state=s}}class or extends Error{constructor(t){super("Unexpected error 
response");te(this,"status");this.status=t}}class jn extends Error{constructor(t,i){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=t,this.data=i}}class Mc{constructor(e,t,i){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=t,this.redirectURI=i}createAuthorizationURL(e,t,i){const r=new URL(e);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&r.searchParams.set("redirect_uri",this.redirectURI),r.searchParams.set("state",t),i.length>0&&r.searchParams.set("scope",i.join(" ")),r}createAuthorizationURLWithPKCE(e,t,i,r,s){const o=new URL(e);if(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&o.searchParams.set("redirect_uri",this.redirectURI),o.searchParams.set("state",t),i===Ei.S256){const c=J0(r);o.searchParams.set("code_challenge_method","S256"),o.searchParams.set("code_challenge",c)}else i===Ei.Plain&&(o.searchParams.set("code_challenge_method","plain"),o.searchParams.set("code_challenge",r));return s.length>0&&o.searchParams.set("scope",s.join(" ")),o}async validateAuthorizationCode(e,t,i){const r=new URLSearchParams;r.set("grant_type","authorization_code"),r.set("code",t),this.redirectURI!==null&&r.set("redirect_uri",this.redirectURI),i!==null&&r.set("code_verifier",i),this.clientPassword===null&&r.set("client_id",this.clientId);const s=di(e,r);if(this.clientPassword!==null){const c=mo(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await ts(s)}async refreshAccessToken(e,t,i){const r=new URLSearchParams;r.set("grant_type","refresh_token"),r.set("refresh_token",t),this.clientPassword===null&&r.set("client_id",this.clientId),i.length>0&&r.set("scope",i.join(" "));const s=di(e,r);if(this.clientPassword!==null){const c=mo(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return 
await ts(s)}async revokeToken(e,t){const i=new URLSearchParams;i.set("token",t),this.clientPassword===null&&i.set("client_id",this.clientId);const r=di(e,i);if(this.clientPassword!==null){const s=mo(this.clientId,this.clientPassword);r.headers.set("Authorization",`Basic ${s}`)}await Y0(r)}}var Ei;(function(n){n[n.S256=0]="S256",n[n.Plain=1]="Plain"})(Ei||(Ei={}));var id;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(id||(id={}));var rd;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(rd||(rd={}));function pi(n){return Q0(n,em,ns.None)}function Q0(n,e,t){let i="";for(let r=0;r<n.byteLength;r+=3){let s=0,o=0;for(let c=0;c<3&&r+c<n.byteLength;c++)s=s<<8|n[r+c],o+=8;for(let c=0;c<4;c++)o>=6?(i+=e[s>>o-6&63],o-=6):o>0?(i+=e[s<<6-o&63],o=0):t===ns.Include&&(i+="=")}return i}const em="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ns;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(ns||(ns={}));var sd;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(sd||(sd={}));function tm(n,e,t){const i=pi(new TextEncoder().encode(n)),r=pi(new TextEncoder().encode(e)),s=pi(t);return i+"."+r+"."+s}function nm(n,e){const t=pi(new TextEncoder().encode(n)),i=pi(new TextEncoder().encode(e)),r=t+"."+i;return new TextEncoder().encode(r)}const im="https://appleid.apple.com/auth/authorize",rm="https://appleid.apple.com/auth/token";class Ff{constructor(e,t,i,r,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=t,this.keyId=i,this.pkcs8PrivateKey=r,this.redirectURI=s}createAuthorizationURL(e,t){const i=new URL(im);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),i.searchParams.set("state",e),t.length>0&&i.searchParams.set("scope",t.join(" ")),i.searchParams.set("redirect_uri",this.redirectURI),i}async validateAuthorizationCode(e){const t=new 
URLSearchParams;t.set("grant_type","authorization_code"),t.set("code",e),t.set("redirect_uri",this.redirectURI),t.set("client_id",this.clientId);const i=await this.createClientSecret();t.set("client_secret",i);const r=di(rm,t);return await ts(r)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),t=Math.floor(Date.now()/1e3),i=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),r=JSON.stringify({iss:this.teamId,exp:t+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:t}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,nm(i,r)));return tm(i,r,s)}}const sm="https://www.facebook.com/v16.0/dialog/oauth",om="https://graph.facebook.com/v16.0/oauth/access_token";class qf{constructor(e,t,i){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=t,this.redirectURI=i}createAuthorizationURL(e,t){const i=new URL(sm);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),i.searchParams.set("state",e),t.length>0&&i.searchParams.set("scope",t.join(" ")),i.searchParams.set("redirect_uri",this.redirectURI),i}async validateAuthorizationCode(e){const t=new URLSearchParams;t.set("grant_type","authorization_code"),t.set("code",e),t.set("redirect_uri",this.redirectURI),t.set("client_id",this.clientId),t.set("client_secret",this.clientSecret);const i=di(om,t);return await ts(i)}}const am="https://accounts.google.com/o/oauth2/v2/auth",od="https://oauth2.googleapis.com/token",cm="https://oauth2.googleapis.com/revoke";class Kf{constructor(e,t,i){te(this,"client");this.client=new Mc(e,t,i)}createAuthorizationURL(e,t,i){return this.client.createAuthorizationURLWithPKCE(am,e,Ei.S256,t,i)}async validateAuthorizationCode(e,t){return await this.client.validateAuthorizationCode(od,e,t)}async refreshAccessToken(e){return await this.client.refreshAccessToken(od,e,[])}async 
revokeToken(e){await this.client.revokeToken(cm,e)}}class Hc{constructor(e,t){te(this,"value");te(this,"unit");this.value=e,this.unit=t}milliseconds(){return this.unit==="ms"?this.value:this.unit==="s"?this.value*1e3:this.unit==="m"?this.value*1e3*60:this.unit==="h"?this.value*1e3*60*60:this.unit==="d"?this.value*1e3*60*60*24:this.value*1e3*60*60*24*7}seconds(){return this.milliseconds()/1e3}transform(e){return new Hc(Math.round(this.milliseconds()*e),"ms")}}async function ad(n,e,t,i){const r={alg:n,typ:"JWT",...i==null?void 0:i.headers},s={...t};(i==null?void 0:i.audiences)!==void 0&&(s.aud=i.audiences),(i==null?void 0:i.subject)!==void 0&&(s.sub=i.subject),(i==null?void 0:i.issuer)!==void 0&&(s.iss=i.issuer),(i==null?void 0:i.jwtId)!==void 0&&(s.jti=i.jwtId),(i==null?void 0:i.expiresIn)!==void 0&&(s.exp=Math.floor(Date.now()/1e3)+i.expiresIn.seconds()),(i==null?void 0:i.notBefore)!==void 0&&(s.nbf=Math.floor(i.notBefore.getTime()/1e3)),s.iat=Math.floor(Date.now()/1e3);const o=new TextEncoder,c=rn.encode(o.encode(JSON.stringify(r)),{includePadding:!1}),l=rn.encode(o.encode(JSON.stringify(s)),{includePadding:!1}),u=o.encode([c,l].join(".")),p=await um(n).sign(e,u),g=rn.encode(new Uint8Array(p),{includePadding:!1});return[c,l,g].join(".")}function lm(n){const e=n.split(".");return e.length!==3?null:e}function Dc(n){const e=lm(n);if(!e)return null;const t=new TextDecoder,i=rn.decode(e[0],{strict:!1}),r=rn.decode(e[1],{strict:!1}),s=JSON.parse(t.decode(i));if(typeof s!="object"||s===null||!("alg"in s)||!dm(s.alg)||"typ"in s&&s.typ!=="JWT")return null;const o=JSON.parse(t.decode(r));if(typeof o!="object"||o===null)return null;const c={algorithm:s.alg,expiresAt:null,subject:null,issuedAt:null,issuer:null,jwtId:null,audiences:null,notBefore:null};if("exp"in o){if(typeof o.exp!="number")return null;c.expiresAt=new Date(o.exp*1e3)}if("iss"in o){if(typeof o.iss!="string")return null;c.issuer=o.iss}if("sub"in o){if(typeof o.sub!="string")return 
null;c.subject=o.sub}if("aud"in o)if(Array.isArray(o.aud)){for(const l of o.aud)if(typeof l!="string")return null;c.audiences=o.aud}else{if(typeof o.aud!="string")return null;c.audiences=[o.aud]}if("nbf"in o){if(typeof o.nbf!="number")return null;c.notBefore=new Date(o.nbf*1e3)}if("iat"in o){if(typeof o.iat!="number")return null;c.issuedAt=new Date(o.iat*1e3)}if("jti"in o){if(typeof o.jti!="string")return null;c.jwtId=o.jti}return{value:n,header:{...s,typ:"JWT",alg:s.alg},payload:{...o},parts:e,...c}}function um(n){return new g0(pm[n])}function dm(n){return typeof n!="string"?!1:["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512"].includes(n)}const pm={RS256:"SHA-256",RS384:"SHA-384",RS512:"SHA-512"},Zs=a.z.object({iss:a.z.string().url(),sub:a.z.string(),aud:a.z.string(),exp:a.z.number(),email:a.z.string().optional(),given_name:a.z.string().optional(),family_name:a.z.string().optional(),name:a.z.string().optional(),iat:a.z.number(),auth_time:a.z.number().optional(),nonce:a.z.string().optional(),acr:a.z.string().optional(),amr:a.z.array(a.z.string()).optional(),azp:a.z.string().optional(),at_hash:a.z.string().optional(),c_hash:a.z.string().optional()}).passthrough();Zs.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function mt(n){return n.UNIVERSAL_LOGIN_URL||`${n.ISSUER}u/`}function bt(n){return n.OAUTH_API_URL||n.ISSUER}function Wf(n){const{options:e}=n;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const t=Buffer.from(e.app_secret,"utf-8"),i=t.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),r=Uint8Array.from(Buffer.from(i,"base64"));return t.fill(0),{options:e,keyArray:r}}async function fm(n,e){var l,u;const{options:t,keyArray:i}=Wf(e),r=new Ff(t.client_id,t.team_id,t.kid,i,`${bt(n.env)}callback`),s=Ke(),o=await r.createAuthorizationURL(s,((l=t.scope)==null?void 0:l.split(" 
"))||["name","email"]);return(((u=t.scope)==null?void 0:u.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&o.searchParams.set("response_mode","form_post"),{redirectUrl:o.href,code:s}}async function hm(n,e,t){const{options:i,keyArray:r}=Wf(e),o=await new Ff(i.client_id,i.team_id,i.kid,r,`${bt(n.env)}callback`).validateAuthorizationCode(t),c=Dc(o.idToken());if(!c)throw new Error("Invalid ID token");const l=Zs.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const gm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:fm,validateAuthorizationCodeAndGetUser:hm},Symbol.toStringTag,{value:"Module"}));async function _m(n,e){var o;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required authentication parameters");const i=new qf(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke();return{redirectUrl:i.createAuthorizationURL(r,((o=t.scope)==null?void 0:o.split(" "))||["email"]).href,code:r}}async function mm(n,e,t){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret)throw new Error("Missing required authentication parameters");const s=await new qf(i.client_id,i.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode(t),o=await fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!o.ok)throw new Error("Failed to fetch user info");const c=await o.json();return n.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const ym=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:_m,validateAuthorizationCodeAndGetUser:mm},Symbol.toStringTag,{value:"Module"}));async function vm(n,e){var c;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required Google authentication parameters");const i=new 
Kf(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke(),s=Z0();return{redirectUrl:i.createAuthorizationURL(r,s,((c=t.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:r,codeVerifier:s}}async function wm(n,e,t,i){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret||!i)throw new Error("Missing required authentication parameters");const o=await new Kf(r.client_id,r.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode(t,i);console.log("got here");const c=Dc(o.idToken());if(!c)throw new Error("Invalid ID token");const l=Zs.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const bm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:vm,validateAuthorizationCodeAndGetUser:wm},Symbol.toStringTag,{value:"Module"}));async function km(n,e){var o;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required authentication parameters");const i=new Mc(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke(),s=i.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",r,((o=t.scope)==null?void 0:o.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:r}}async function xm(n,e,t){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret)throw new Error("Missing required authentication parameters");const s=await new Mc(i.client_id,i.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",t,null),o=Dc(s.idToken());if(!o)throw new Error("Invalid ID token");const c=Zs.parse(o.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await 
fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new N(400,{message:"Failed to get user from vipps"});return await l.json()}const Sm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:km,validateAuthorizationCodeAndGetUser:xm},Symbol.toStringTag,{value:"Module"}));function Gf(n,e){const t=n.env.STRATEGIES||{},r={apple:gm,facebook:ym,"google-oauth2":bm,vipps:Sm,...t}[e];if(!r)throw new Error(`Strategy ${e} not found`);return r}async function Fc(n,e){const t=await n.data.clients.get(e);if(!t)throw new N(403,{message:"Client not found"});const i=n.DEFAULT_CLIENT_ID?await n.data.clients.get(n.DEFAULT_CLIENT_ID):void 0,r=await n.data.connections.list(t.tenant.id),s=n.DEFAULT_TENANT_ID?await n.data.connections.list(n.DEFAULT_TENANT_ID):{connections:[]},o=r.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(g=>g.name===c.name);return l!=null&&l.options?Ot.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...t,web_origins:[...(i==null?void 0:i.web_origins)||[],...t.web_origins||[],`${mt(n)}login`],allowed_logout_urls:[...(i==null?void 0:i.allowed_logout_urls)||[],...t.allowed_logout_urls||[],n.ISSUER],callbacks:[...(i==null?void 0:i.callbacks)||[],...t.callbacks||[],`${mt(n)}info`],connections:o,domains:[...t.domains||[],...(i==null?void 0:i.domains)||[]],tenant:{...(i==null?void 0:i.tenant)||{},...t.tenant}}}function Ys(n,e=[]){try{const t=new URL(n);return e.some(i=>{try{return Am(t,new URL(i))}catch{return!1}})}catch{return!1}}function Am(n,e){if(n.protocol!==e.protocol||n.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const t=e.hostname.split(".").slice(1).join(".");return n.hostname.endsWith(t)}return n.hostname===e.hostname}function Im(n){try{const t=/-----BEGIN (?:RSA )?(?:PRIVATE|PUBLIC) 
KEY-----([^-]*)-----END (?:RSA )?(?:PRIVATE|PUBLIC) KEY-----/.exec(n);if(!t||!t[1])throw new Error("Invalid PEM format");return Uint8Array.from(atob(t[1].replace(/\s/g,"")),i=>i.charCodeAt(0)).buffer}finally{n=n.replace(/./g,"\0")}}async function Em(n,e){if(e==="plain")return n;const t=new TextEncoder().encode(n),i=await Rf(t);return rn.encode(new Uint8Array(i),{includePadding:!1})}function Jf(n,e,t){const i=[];return i.push([encodeURIComponent(n),encodeURIComponent(e)]),(t==null?void 0:t.domain)!==void 0&&i.push(["Domain",t.domain]),(t==null?void 0:t.expires)!==void 0&&i.push(["Expires",t.expires.toUTCString()]),t!=null&&t.httpOnly&&i.push(["HttpOnly"]),(t==null?void 0:t.maxAge)!==void 0&&i.push(["Max-Age",t.maxAge.toString()]),(t==null?void 0:t.path)!==void 0&&i.push(["Path",t.path]),(t==null?void 0:t.sameSite)==="lax"&&i.push(["SameSite","Lax"]),(t==null?void 0:t.sameSite)==="none"&&i.push(["SameSite","None"]),(t==null?void 0:t.sameSite)==="strict"&&i.push(["SameSite","Strict"]),t!=null&&t.secure&&i.push(["Secure"]),i.map(r=>r.join("=")).join("; ")}function $m(n){const e=new Map,t=n.split("; ");for(const i of t){const r=i.split("="),s=r[0],o=r[1]??"";s&&e.set(decodeURIComponent(s),decodeURIComponent(o))}return e}function qc(n){return`${n}-${L0}`}function Zf(n,e){return e?$m(e).get(qc(n)):void 0}function Cm(n){const e={path:"/",httpOnly:!0,secure:!0,maxAge:0};return Jf(qc(n),"",{...e,sameSite:"none"})}function Yf(n,e){const t={path:"/",httpOnly:!0,secure:!0,maxAge:Uf};return Jf(qc(n),e,{...t,sameSite:"none"})}var Kc={},Xs={};(function(n){const e=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",t=e+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040",i="["+e+"]["+t+"]*",r=new RegExp("^"+i+"$"),s=function(c,l){const u=[];let p=l.exec(c);for(;p;){const g=[];g.startIndex=l.lastIndex-p[0].length;const m=p.length;for(let 
x=0;x<m;x++)g.push(p[x]);u.push(g),p=l.exec(c)}return u},o=function(c){const l=r.exec(c);return!(l===null||typeof l>"u")};n.isExist=function(c){return typeof c<"u"},n.isEmptyObject=function(c){return Object.keys(c).length===0},n.merge=function(c,l,u){if(l){const p=Object.keys(l),g=p.length;for(let m=0;m<g;m++)u==="strict"?c[p[m]]=[l[p[m]]]:c[p[m]]=l[p[m]]}},n.getValue=function(c){return n.isExist(c)?c:""},n.isName=o,n.getAllMatches=s,n.nameRegexp=i})(Xs);const Wc=Xs,jm={allowBooleanAttributes:!1,unpairedTags:[]};Kc.validate=function(n,e){e=Object.assign({},jm,e);const t=[];let i=!1,r=!1;n[0]==="\uFEFF"&&(n=n.substr(1));for(let s=0;s<n.length;s++)if(n[s]==="<"&&n[s+1]==="?"){if(s+=2,s=ld(n,s),s.err)return s}else if(n[s]==="<"){let o=s;if(s++,n[s]==="!"){s=ud(n,s);continue}else{let c=!1;n[s]==="/"&&(c=!0,s++);let l="";for(;s<n.length&&n[s]!==">"&&n[s]!==" "&&n[s]!==" "&&n[s]!==`
|
|
125
|
+
`,i}async function m0(n){const e=await n.publicKey.export(),t=await crypto.subtle.exportKey("jwk",e),i=JSON.stringify(t,Object.keys(t).sort()),s=new TextEncoder().encode(i);return Va(await Rf(s))}const y0=1e3*60*60*24,v0=new a.OpenAPIHono().openapi(a.createRoute({tags:["keys"],method:"get",path:"/signing",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.array(ko)}},description:"List of keys"}}}),async n=>{const t=(await n.env.data.keys.list()).filter(i=>"cert"in i).map(i=>i);return n.json(t)}).openapi(a.createRoute({tags:["keys"],method:"get",path:"/signing/{kid}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({kid:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:ko}},description:"The requested key"}}}),async n=>{const{kid:e}=n.req.valid("param"),i=(await n.env.data.keys.list()).find(r=>r.kid===e);if(!i)throw new N(404,{message:"Key not found"});return n.json(i)}).openapi(a.createRoute({tags:["keys"],method:"post",path:"/signing/rotate",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async n=>{const e=await n.env.data.keys.list();for await(const i of e)await n.env.data.keys.update(i.kid,{revoked_at:new Date(Date.now()+y0).toISOString()});const t=await Ma({name:`CN=${n.env.ORGANIZATION_NAME}`});return await n.env.data.keys.create(t),n.text("OK",{status:201})}).openapi(a.createRoute({tags:["keys"],method:"put",path:"/signing/{kid}/revoke",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({kid:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{description:"Status"}}}),async n=>{const{kid:e}=n.req.valid("param");if(!await n.env.data.keys.update(e,{revoked_at:new Date().toISOString()}))throw new N(404,{message:"Key not found"});const i=await 
Ma({name:`CN=${n.env.ORGANIZATION_NAME}`});return await n.env.data.keys.create(i),n.text("OK")}),w0=new a.OpenAPIHono().openapi(a.createRoute({tags:["users"],method:"get",path:"/",request:{query:a.z.object({email:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:a.z.array(qa)}},description:"List of users"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{email:t}=n.req.valid("query"),r=(await Md(n.env.data.users,e,t)).filter(s=>!s.linked_to);return n.json(r)}),b0=Dt.extend({clients:a.z.array(Yt)}),k0=new a.OpenAPIHono().openapi(a.createRoute({tags:["clients"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([b0,a.z.array(Yt)])}},description:"List of clients"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r,sort:s,q:o}=n.req.valid("query"),l=(await n.env.data.applications.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o})).applications;return r?n.json({clients:l,start:0,limit:10,length:l.length}):n.json(l)}).openapi(a.createRoute({tags:["clients"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Yt}},description:"An application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),r=(await n.env.data.applications.list(e,{page:1,per_page:0,include_totals:!1})).applications.find(s=>s.id===t);if(!r)throw new N(404);return n.json(r)}).openapi(a.createRoute({tags:["clients"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async 
n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param");if(!await n.env.data.applications.remove(e,t))throw new N(404,{message:"Application not found"});return n.text("OK")}).openapi(a.createRoute({tags:["clients"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(fr.shape).partial()}}},params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Yt}},description:"The update application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),r=n.req.valid("json");await n.env.data.applications.update(e,t,r);const s=await n.env.data.applications.get(e,t);if(!s)throw new N(404,{message:"Application not found"});return n.json(s)}).openapi(a.createRoute({tags:["clients"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(fr.shape)}}},headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:a.z.object(Yt.shape)}},description:"An application"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i={...t,id:t.id||Ke(),client_secret:t.client_secret||Ke()},r=await n.env.data.applications.create(e,i);return n.json(r,{status:201})});a.z.object({start:a.z.number(),limit:a.z.number(),length:a.z.number()});rs.extend({email:a.z.string(),login_count:a.z.number(),multifactor:a.z.array(a.z.string()).optional(),last_ip:a.z.string().optional(),last_login:a.z.string().optional(),user_id:a.z.string()}).catchall(a.z.any());const x0=Dt.extend({tenants:a.z.array(En)}),S0=new a.OpenAPIHono().openapi(a.createRoute({tags:["tenants"],method:"get",path:"/",request:{query:on},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:a.z.union([a.z.array(En),x0])}},description:"List of tenants"}}}),async 
n=>{const{page:e,per_page:t,include_totals:i,sort:r,q:s}=n.req.valid("query"),o=await n.env.data.tenants.list({page:e,per_page:t,include_totals:i,sort:Dn(r),q:s});return i?n.json(o):n.json(o.tenants)}).openapi(a.createRoute({tags:["tenants"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"tenant/json":{schema:En}},description:"A tenant"}}}),async n=>{const{id:e}=n.req.valid("param"),t=await n.env.data.tenants.get(e);if(!t)throw new N(404);return n.json(t)}).openapi(a.createRoute({tags:["tenants"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{id:e}=n.req.valid("param");return await n.env.data.tenants.remove(e),n.text("OK")}).openapi(a.createRoute({tags:["tenants"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(gr.shape).partial()}}},params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{id:e}=n.req.valid("param"),t=n.req.valid("json");return await n.env.data.tenants.update(e,t),n.text("OK")}).openapi(a.createRoute({tags:["tenants"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(gr.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"tenant/json":{schema:En}},description:"An tenant"}}}),async n=>{const e=n.req.valid("json"),t=await n.env.data.tenants.create(e);return n.json(t,{status:201})}),A0=Dt.extend({logs:a.z.array(mr)}),I0=new a.OpenAPIHono().openapi(a.createRoute({tags:["logs"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(mr),A0])}},description:"List of log rows"}}}),async 
n=>{const{page:e,per_page:t,include_totals:i,sort:r,q:s}=n.req.valid("query"),{"tenant-id":o}=n.req.valid("header"),c=await n.env.data.logs.list(o,{page:e,per_page:t,include_totals:i,sort:Dn(r),q:s});return i?n.json(c):n.json(c.logs)}).openapi(a.createRoute({tags:["logs"],method:"get",path:"/{id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:mr}},description:"A log entry"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=await n.env.data.logs.get(e,t);if(!i)throw new N(404);return n.json(i)}),E0=Dt.extend({hooks:a.z.array(An)}),$0=new a.OpenAPIHono().openapi(a.createRoute({tags:["hooks"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(An),E0])}},description:"List of hooks"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r,sort:s,q:o}=n.req.valid("query"),c=await n.env.data.hooks.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o});return r?n.json(c):n.json(c.hooks)}).openapi(a.createRoute({tags:["hooks"],method:"post",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(_r.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:An}},description:"The created hook"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.hooks.create(e,t);return 
n.json(i,{status:201})}).openapi(a.createRoute({tags:["hooks"],method:"patch",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()}),body:{content:{"application/json":{schema:a.z.object(_r.shape).omit({hook_id:!0}).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:An.shape}},description:"The updated hook"},404:{description:"Hook not found"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param"),i=n.req.valid("json");await n.env.data.hooks.update(e,t,i);const r=await n.env.data.hooks.get(e,t);if(!r)throw new N(404,{message:"Hook not found"});return n.json(r)}).openapi(a.createRoute({tags:["hooks"],method:"get",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:An}},description:"A hook"},404:{description:"Hook not found"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param"),i=await n.env.data.hooks.get(e,t);if(!i)throw new N(404,{message:"Hook not found"});return n.json(i)}).openapi(a.createRoute({tags:["hooks"],method:"delete",path:"/{hook_id}",request:{headers:a.z.object({"tenant-id":a.z.string()}),params:a.z.object({hook_id:a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{description:"A hook"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{hook_id:t}=n.req.valid("param");if(!await n.env.data.hooks.remove(e,t))throw new N(404,{message:"Hook not found"});return n.text("OK")}),C0=Dt.extend({connections:a.z.array(Ot)}),j0=new a.OpenAPIHono().openapi(a.createRoute({tags:["connections"],method:"get",path:"/",request:{query:on,headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:a.z.union([a.z.array(Ot),C0])}},description:"List of 
connectionss"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{page:t,per_page:i,include_totals:r=!1,sort:s,q:o}=n.req.valid("query"),c=await n.env.data.connections.list(e,{page:t,per_page:i,include_totals:r,sort:Dn(s),q:o});return r?n.json(c):n.json(c.connections)}).openapi(a.createRoute({tags:["connections"],method:"get",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:Ot}},description:"A connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=await n.env.data.connections.get(e,t);if(!i)throw new N(404);return n.json(i)}).openapi(a.createRoute({tags:["connections"],method:"delete",path:"/{id}",request:{params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param");if(!await n.env.data.connections.remove(e,t))throw new N(404,{message:"Connection not found"});return n.text("OK")}).openapi(a.createRoute({tags:["connections"],method:"patch",path:"/{id}",request:{body:{content:{"application/json":{schema:a.z.object(hr.shape).partial()}}},params:a.z.object({id:a.z.string()}),headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:Ot}},description:"The updated connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),{id:t}=n.req.valid("param"),i=n.req.valid("json");if(!await n.env.data.connections.update(e,t,i))throw new N(404,{message:"Connection not found"});const s=await n.env.data.connections.get(e,t);if(!s)throw new N(404,{message:"Connection not found"});return 
n.json(s)}).openapi(a.createRoute({tags:["connections"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.object(hr.shape)}}},headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:write"]}],responses:{201:{content:{"application/json":{schema:Ot}},description:"A connection"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.connections.create(e,t);return n.json(i,{status:201})}),z0=new a.OpenAPIHono().openapi(a.createRoute({tags:["prompts"],method:"get",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:er}},description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=await n.env.data.promptSettings.get(e);return t?n.json(t):n.json(er.parse({}))}).openapi(a.createRoute({tags:["prompts"],method:"patch",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(er.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Prompts settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json"),i=await n.env.data.promptSettings.get(e);return Object.assign(i,t),await n.env.data.promptSettings.set(e,i),n.json(i)});let Yu=!1;function Pf(n){n.use(async(e,t)=>(Yu||(n.openAPIRegistry.registerComponent("securitySchemes","Bearer",{type:"oauth2",scheme:"bearer",flows:{implicit:{authorizationUrl:`${e.env.AUTH_URL}/authorize`,scopes:{openid:"Basic user information",email:"User email",profile:"User profile information"}}}}),Yu=!0),await t()))}a.z.object({alg:a.z.literal("RS256"),kty:a.z.literal("RSA"),use:a.z.literal("sig"),n:a.z.string(),e:a.z.string(),kid:a.z.string(),x5t:a.z.string(),x5c:a.z.array(a.z.string())});async function N0(n){try{const e=await n.JWKS_SERVICE.fetch(n.JWKS_URL);if(!e.ok)throw new Error("Failed to fetch jwks");return(await 
e.json()).keys}catch(e){throw new N(500,{message:`Failed to fetch jwks: ${e.message}`})}}async function O0(n,e){const i=new TextEncoder().encode([e.raw.header,e.raw.payload].join(".")),r=new Uint8Array(Array.from(e.signature).map(l=>l.charCodeAt(0))),o=(await N0(n.env)).find(l=>l.kid===e.header.kid);if(!o)return console.log("No matching kid found"),!1;const c=await crypto.subtle.importKey("jwk",o,{name:"RSASSA-PKCS1-v1_5",hash:"SHA-256"},!1,["verify"]);return crypto.subtle.verify("RSASSA-PKCS1-v1_5",c,r,i)}function B0(n){const[e,t,i]=n.split(".");if(!e||!t||!i)return null;const r=JSON.parse(atob(e)),s=JSON.parse(atob(t)),o=atob(i.replace(/-/g,"+").replace(/_/g,"/"));return{header:r,payload:s,signature:o,raw:{header:e,payload:t,signature:i}}}function Lf(n){return async(e,t)=>{var r,s,o;const i=n.openAPIRegistry.definitions.find(c=>"route"in c&&c.route.path===e.req.path&&c.route.method.toUpperCase()===e.req.method);if(i&&"route"in i){const c=(s=(r=i.route.security)==null?void 0:r[0])==null?void 0:s.Bearer;if(!(c!=null&&c.length))return await t();const l=e.req.header("authorization")||"",[u,p]=l.split(" ");if((u==null?void 0:u.toLowerCase())!=="bearer"||!p)throw new N(401,{message:"Missing bearer token"});const g=B0(p);if(!g||!await O0(e,g))throw new N(403,{message:"Invalid JWT signature"});e.set("user_id",g.payload.sub),e.set("user",g.payload);const m=g.payload.permissions||[],x=((o=g.payload.scope)==null?void 0:o.split(" "))||[];if(c.length&&!(c.some(h=>m.includes(h))||c.some(h=>x.includes(h))))throw new N(403,{message:"Unauthorized"})}return await t()}}const T0=new a.OpenAPIHono().openapi(a.createRoute({tags:["emails"],method:"get",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:tr}},description:"Email provider"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=await n.env.data.emailProviders.get(e);if(!t)throw new N(404,{message:"Email provider not 
found"});return n.json(t)}).openapi(a.createRoute({tags:["emails"],method:"post",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(tr.shape)}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json");return await n.env.data.emailProviders.create(e,t),n.text("OK",{status:201})}).openapi(a.createRoute({tags:["emails"],method:"patch",path:"/",request:{headers:a.z.object({"tenant-id":a.z.string()}),body:{content:{"application/json":{schema:a.z.object(tr.shape).partial()}}}},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Branding settings"}}}),async n=>{const{"tenant-id":e}=n.req.valid("header"),t=n.req.valid("json");return await n.env.data.emailProviders.update(e,t),n.text("OK")});function R0(){const n=new a.OpenAPIHono;n.use(Lf(n));const e=n.route("/branding",ng).route("/email/providers",T0).route("/users",vg).route("/keys",v0).route("/users-by-email",w0).route("/clients",k0).route("/tenants",S0).route("/logs",I0).route("/hooks",$0).route("/connections",j0).route("/prompts",z0);return Pf(e),e.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Management api"}}),e}function P0(n,e){Object.keys(e).forEach(t=>{const i=e[t];i!=null&&i.length&&n.searchParams.set(t,i)})}function Hn(n){var e,t,i;return{auth0Client:(e=n.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(t=n.header("x-real-ip"))==null?void 0:t.slice(0,45),useragent:(i=n.header("user-agent"))==null?void 0:i.slice(0,512)}}const Qi=60*5,Uf=30*24*60*60,es=24*60*60,L0="auth-token",Xu=30*60*1e3,U0=5*60,V0=5*60;var Qu;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(Qu||(Qu={}));var ed;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(ed||(ed={}));function M0(n){return Mf(n,H0,Ii.Include)}function Vf(n){return Mf(n,D0,Ii.None)}function Mf(n,e,t){let i="";for(let r=0;r<n.byteLength;r+=3){let 
s=0,o=0;for(let c=0;c<3&&r+c<n.byteLength;c++)s=s<<8|n[r+c],o+=8;for(let c=0;c<4;c++)o>=6?(i+=e[s>>o-6&63],o-=6):o>0?(i+=e[s<<6-o&63],o=0):t===Ii.Include&&(i+="=")}return i}const H0="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",D0="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var Ii;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(Ii||(Ii={}));var td;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(td||(td={}));class F0{uint8(e,t){if(e.byteLength<t+1)throw new TypeError("Insufficient bytes");return e[t]}uint16(e,t){if(e.byteLength<t+2)throw new TypeError("Insufficient bytes");return e[t]<<8|e[t+1]}uint32(e,t){if(e.byteLength<t+4)throw new TypeError("Insufficient bytes");let i=0;for(let r=0;r<4;r++)i|=e[t+r]<<24-r*8;return i}uint64(e,t){if(e.byteLength<t+8)throw new TypeError("Insufficient bytes");let i=0n;for(let r=0;r<8;r++)i|=BigInt(e[t+r])<<BigInt(56-r*8);return i}putUint8(e,t,i){if(e.length<i+1)throw new TypeError("Not enough space");if(t<0||t>255)throw new TypeError("Invalid uint8 value");e[i]=t}putUint16(e,t,i){if(e.length<i+2)throw new TypeError("Not enough space");if(t<0||t>65535)throw new TypeError("Invalid uint16 value");e[i]=t>>8,e[i+1]=t&255}putUint32(e,t,i){if(e.length<i+4)throw new TypeError("Not enough space");if(t<0||t>4294967295)throw new TypeError("Invalid uint32 value");for(let r=0;r<4;r++)e[i+r]=t>>(3-r)*8&255}putUint64(e,t,i){if(e.length<i+8)throw new TypeError("Not enough space");if(t<0||t>18446744073709551615n)throw new TypeError("Invalid uint64 value");for(let r=0;r<8;r++)e[i+r]=Number(t>>BigInt((7-r)*8)&0xffn)}}const nd=new F0;function pt(n,e){return(n<<32-e|n>>>e)>>>0}function q0(n){const e=new K0;return e.update(n),e.digest()}class K0{constructor(){te(this,"blockSize",64);te(this,"size",32);te(this,"blocks",new Uint8Array(64));te(this,"currentBlockSize",0);te(this,"H",new 
Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]));te(this,"l",0n);te(this,"w",new Uint32Array(64))}update(e){if(this.l+=BigInt(e.byteLength)*8n,this.currentBlockSize+e.byteLength<64){this.blocks.set(e,this.currentBlockSize),this.currentBlockSize+=e.byteLength;return}let t=0;if(this.currentBlockSize>0){const i=e.slice(0,64-this.currentBlockSize);this.blocks.set(i,this.currentBlockSize),this.process(),t+=i.byteLength,this.currentBlockSize=0}for(;t+64<=e.byteLength;){const i=e.slice(t,t+64);this.blocks.set(i),this.process(),t+=64}if(e.byteLength-t>0){const i=e.slice(t);this.blocks.set(i),this.currentBlockSize=i.byteLength}}digest(){this.blocks[this.currentBlockSize]=128,this.currentBlockSize+=1,64-this.currentBlockSize<8&&(this.blocks.fill(0,this.currentBlockSize),this.process(),this.currentBlockSize=0),this.blocks.fill(0,this.currentBlockSize),nd.putUint64(this.blocks,this.l,this.blockSize-8),this.process();const e=new Uint8Array(32);for(let t=0;t<8;t++)nd.putUint32(e,this.H[t],t*4);return e}process(){for(let u=0;u<16;u++)this.w[u]=(this.blocks[u*4]<<24|this.blocks[u*4+1]<<16|this.blocks[u*4+2]<<8|this.blocks[u*4+3])>>>0;for(let u=16;u<64;u++){const p=(pt(this.w[u-2],17)^pt(this.w[u-2],19)^this.w[u-2]>>>10)>>>0,g=(pt(this.w[u-15],7)^pt(this.w[u-15],18)^this.w[u-15]>>>3)>>>0;this.w[u]=p+this.w[u-7]+g+this.w[u-16]|0}let e=this.H[0],t=this.H[1],i=this.H[2],r=this.H[3],s=this.H[4],o=this.H[5],c=this.H[6],l=this.H[7];for(let u=0;u<64;u++){const p=(pt(s,6)^pt(s,11)^pt(s,25))>>>0,g=(s&o^~s&c)>>>0,m=l+p+g+W0[u]+this.w[u]|0,x=(pt(e,2)^pt(e,13)^pt(e,22))>>>0,h=(e&t^e&i^t&i)>>>0,_=x+h|0;l=c,c=o,o=s,s=r+m|0,r=i,i=t,t=e,e=m+_|0}this.H[0]=e+this.H[0]|0,this.H[1]=t+this.H[1]|0,this.H[2]=i+this.H[2]|0,this.H[3]=r+this.H[3]|0,this.H[4]=s+this.H[4]|0,this.H[5]=o+this.H[5]|0,this.H[6]=c+this.H[6]|0,this.H[7]=l+this.H[7]|0}}const W0=new 
Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]);new BigUint64Array([0x428a2f98d728ae22n,0x7137449123ef65cdn,0xb5c0fbcfec4d3b2fn,0xe9b5dba58189dbbcn,0x3956c25bf348b538n,0x59f111f1b605d019n,0x923f82a4af194f9bn,0xab1c5ed5da6d8118n,0xd807aa98a3030242n,0x12835b0145706fben,0x243185be4ee4b28cn,0x550c7dc3d5ffb4e2n,0x72be5d74f27b896fn,0x80deb1fe3b1696b1n,0x9bdc06a725c71235n,0xc19bf174cf692694n,0xe49b69c19ef14ad2n,0xefbe4786384f25e3n,0x0fc19dc68b8cd5b5n,0x240ca1cc77ac9c65n,0x2de92c6f592b0275n,0x4a7484aa6ea6e483n,0x5cb0a9dcbd41fbd4n,0x76f988da831153b5n,0x983e5152ee66dfabn,0xa831c66d2db43210n,0xb00327c898fb213fn,0xbf597fc7beef0ee4n,0xc6e00bf33da88fc2n,0xd5a79147930aa725n,0x06ca6351e003826fn,0x142929670a0e6e70n,0x27b70a8546d22ffcn,0x2e1b21385c26c926n,0x4d2c6dfc5ac42aedn,0x53380d139d95b3dfn,0x650a73548baf63den,0x766a0abb3c77b2a8n,0x81c2c92e47edaee6n,0x92722c851482353bn,0xa2bfe8a14cf10364n,0xa81a664bbc423001n,0xc24b8b70d0f89791n,0xc76c51a30654be30n,0xd192e819d6ef5218n,0xd69906245565a910n,0xf40e35855771202an,0x106aa07032bbd1b8n,0x19a4c116b8d2d0c8n,0x1e376c085141ab53n,0x2748774cdf8eeb99n,0x34b0bcb5e19b48a8n,0x391c0cb3c5c95a63n,0x4ed8aa4ae3418acbn,0x5b9cca4f7763e373n,0x682e6ff3d6b2b8a3n,0x748f82ee5defb2fcn,0x78a5636f43172f60n,0x84c87814a1f0ab72n,0x8cc702081a6439ecn,0x90befffa23631e28n,0xa4506cebde82bde9n,0xbef9a3f7b2c67915n,0xc67178f2e372532
bn,0xca273eceea26619cn,0xd186b8c721c0c207n,0xeada7dd6cde0eb1en,0xf57d4f7fee6ed178n,0x06f067aa72176fban,0x0a637dc5a2c898a6n,0x113f9804bef90daen,0x1b710b35131c471bn,0x28db77f523047d84n,0x32caab7b40c72493n,0x3c9ebe0a15c9bebcn,0x431d67c49c100d4cn,0x4cc5d4becb3e42b6n,0x597f299cfc657e2an,0x5fcb6fab3ad6faecn,0x6c44198c4a475817n]);class G0{constructor(e){te(this,"data");this.data=e}tokenType(){if("token_type"in this.data&&typeof this.data.token_type=="string")return this.data.token_type;throw new Error("Missing or invalid 'token_type' field")}accessToken(){if("access_token"in this.data&&typeof this.data.access_token=="string")return this.data.access_token;throw new Error("Missing or invalid 'access_token' field")}accessTokenExpiresInSeconds(){if("expires_in"in this.data&&typeof this.data.expires_in=="number")return this.data.expires_in;throw new Error("Missing or invalid 'expires_in' field")}accessTokenExpiresAt(){return new Date(Date.now()+this.accessTokenExpiresInSeconds()*1e3)}hasRefreshToken(){return"refresh_token"in this.data&&typeof this.data.refresh_token=="string"}refreshToken(){if("refresh_token"in this.data&&typeof this.data.refresh_token=="string")return this.data.refresh_token;throw new Error("Missing or invalid 'refresh_token' field")}hasScopes(){return"scope"in this.data&&typeof this.data.scope=="string"}scopes(){if("scope"in this.data&&typeof this.data.scope=="string")return this.data.scope.split(" ");throw new Error("Missing or invalid 'scope' field")}idToken(){if("id_token"in this.data&&typeof this.data.id_token=="string")return this.data.id_token;throw new Error("Missing or invalid field 'id_token'")}}function J0(n){const e=q0(new TextEncoder().encode(n));return Vf(e)}function Z0(){const n=new Uint8Array(32);return crypto.getRandomValues(n),Vf(n)}function di(n,e){const t=new TextEncoder().encode(e.toString()),i=new Request(n,{method:"POST",body:t});return 
i.headers.set("Content-Type","application/x-www-form-urlencoded"),i.headers.set("Accept","application/json"),i.headers.set("User-Agent","arctic"),i.headers.set("Content-Length",t.byteLength.toString()),i}function mo(n,e){const t=new TextEncoder().encode(`${n}:${e}`);return M0(t)}async function ts(n){let e;try{e=await fetch(n)}catch(t){throw new Df(t)}if(e.status===400||e.status===401){let t;try{t=await e.json()}catch{throw new or(e.status)}if(typeof t!="object"||t===null)throw new jn(e.status,t);let i;try{i=Hf(t)}catch{throw new jn(e.status,t)}throw i}if(e.status===200){let t;try{t=await e.json()}catch{throw new or(e.status)}if(typeof t!="object"||t===null)throw new jn(e.status,t);return new G0(t)}throw e.body!==null&&await e.body.cancel(),new or(e.status)}async function Y0(n){let e;try{e=await fetch(n)}catch(t){throw new Df(t)}if(e.status===400||e.status===401){let t;try{t=await e.json()}catch{throw new jn(e.status,null)}if(typeof t!="object"||t===null)throw new jn(e.status,t);let i;try{i=Hf(t)}catch{throw new jn(e.status,t)}throw i}if(e.status===200){e.body!==null&&await e.body.cancel();return}throw e.body!==null&&await e.body.cancel(),new or(e.status)}function Hf(n){let e;if("error"in n&&typeof n.error=="string")e=n.error;else throw new Error("Invalid error response");let t=null,i=null,r=null;if("error_description"in n){if(typeof n.error_description!="string")throw new Error("Invalid data");t=n.error_description}if("error_uri"in n){if(typeof n.error_uri!="string")throw new Error("Invalid data");i=n.error_uri}if("state"in n){if(typeof n.state!="string")throw new Error("Invalid data");r=n.state}return new X0(e,t,i,r)}class Df extends Error{constructor(e){super("Failed to send request",{cause:e})}}class X0 extends Error{constructor(t,i,r,s){super(`OAuth request error: ${t}`);te(this,"code");te(this,"description");te(this,"uri");te(this,"state");this.code=t,this.description=i,this.uri=r,this.state=s}}class or extends Error{constructor(t){super("Unexpected error 
response");te(this,"status");this.status=t}}class jn extends Error{constructor(t,i){super("Unexpected error response body");te(this,"status");te(this,"data");this.status=t,this.data=i}}class Mc{constructor(e,t,i){te(this,"clientId");te(this,"clientPassword");te(this,"redirectURI");this.clientId=e,this.clientPassword=t,this.redirectURI=i}createAuthorizationURL(e,t,i){const r=new URL(e);return r.searchParams.set("response_type","code"),r.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&r.searchParams.set("redirect_uri",this.redirectURI),r.searchParams.set("state",t),i.length>0&&r.searchParams.set("scope",i.join(" ")),r}createAuthorizationURLWithPKCE(e,t,i,r,s){const o=new URL(e);if(o.searchParams.set("response_type","code"),o.searchParams.set("client_id",this.clientId),this.redirectURI!==null&&o.searchParams.set("redirect_uri",this.redirectURI),o.searchParams.set("state",t),i===Ei.S256){const c=J0(r);o.searchParams.set("code_challenge_method","S256"),o.searchParams.set("code_challenge",c)}else i===Ei.Plain&&(o.searchParams.set("code_challenge_method","plain"),o.searchParams.set("code_challenge",r));return s.length>0&&o.searchParams.set("scope",s.join(" ")),o}async validateAuthorizationCode(e,t,i){const r=new URLSearchParams;r.set("grant_type","authorization_code"),r.set("code",t),this.redirectURI!==null&&r.set("redirect_uri",this.redirectURI),i!==null&&r.set("code_verifier",i),this.clientPassword===null&&r.set("client_id",this.clientId);const s=di(e,r);if(this.clientPassword!==null){const c=mo(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return await ts(s)}async refreshAccessToken(e,t,i){const r=new URLSearchParams;r.set("grant_type","refresh_token"),r.set("refresh_token",t),this.clientPassword===null&&r.set("client_id",this.clientId),i.length>0&&r.set("scope",i.join(" "));const s=di(e,r);if(this.clientPassword!==null){const c=mo(this.clientId,this.clientPassword);s.headers.set("Authorization",`Basic ${c}`)}return 
await ts(s)}async revokeToken(e,t){const i=new URLSearchParams;i.set("token",t),this.clientPassword===null&&i.set("client_id",this.clientId);const r=di(e,i);if(this.clientPassword!==null){const s=mo(this.clientId,this.clientPassword);r.headers.set("Authorization",`Basic ${s}`)}await Y0(r)}}var Ei;(function(n){n[n.S256=0]="S256",n[n.Plain=1]="Plain"})(Ei||(Ei={}));var id;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(id||(id={}));var rd;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(rd||(rd={}));function pi(n){return Q0(n,em,ns.None)}function Q0(n,e,t){let i="";for(let r=0;r<n.byteLength;r+=3){let s=0,o=0;for(let c=0;c<3&&r+c<n.byteLength;c++)s=s<<8|n[r+c],o+=8;for(let c=0;c<4;c++)o>=6?(i+=e[s>>o-6&63],o-=6):o>0?(i+=e[s<<6-o&63],o=0):t===ns.Include&&(i+="=")}return i}const em="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";var ns;(function(n){n[n.Include=0]="Include",n[n.None=1]="None"})(ns||(ns={}));var sd;(function(n){n[n.Required=0]="Required",n[n.Ignore=1]="Ignore"})(sd||(sd={}));function tm(n,e,t){const i=pi(new TextEncoder().encode(n)),r=pi(new TextEncoder().encode(e)),s=pi(t);return i+"."+r+"."+s}function nm(n,e){const t=pi(new TextEncoder().encode(n)),i=pi(new TextEncoder().encode(e)),r=t+"."+i;return new TextEncoder().encode(r)}const im="https://appleid.apple.com/auth/authorize",rm="https://appleid.apple.com/auth/token";class Ff{constructor(e,t,i,r,s){te(this,"clientId");te(this,"teamId");te(this,"keyId");te(this,"pkcs8PrivateKey");te(this,"redirectURI");this.clientId=e,this.teamId=t,this.keyId=i,this.pkcs8PrivateKey=r,this.redirectURI=s}createAuthorizationURL(e,t){const i=new URL(im);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),i.searchParams.set("state",e),t.length>0&&i.searchParams.set("scope",t.join(" ")),i.searchParams.set("redirect_uri",this.redirectURI),i}async validateAuthorizationCode(e){const t=new 
URLSearchParams;t.set("grant_type","authorization_code"),t.set("code",e),t.set("redirect_uri",this.redirectURI),t.set("client_id",this.clientId);const i=await this.createClientSecret();t.set("client_secret",i);const r=di(rm,t);return await ts(r)}async createClientSecret(){const e=await crypto.subtle.importKey("pkcs8",this.pkcs8PrivateKey,{name:"ECDSA",namedCurve:"P-256"},!1,["sign"]),t=Math.floor(Date.now()/1e3),i=JSON.stringify({typ:"JWT",alg:"ES256",kid:this.keyId}),r=JSON.stringify({iss:this.teamId,exp:t+5*60,aud:["https://appleid.apple.com"],sub:this.clientId,iat:t}),s=new Uint8Array(await crypto.subtle.sign({name:"ECDSA",hash:"SHA-256"},e,nm(i,r)));return tm(i,r,s)}}const sm="https://www.facebook.com/v16.0/dialog/oauth",om="https://graph.facebook.com/v16.0/oauth/access_token";class qf{constructor(e,t,i){te(this,"clientId");te(this,"clientSecret");te(this,"redirectURI");this.clientId=e,this.clientSecret=t,this.redirectURI=i}createAuthorizationURL(e,t){const i=new URL(sm);return i.searchParams.set("response_type","code"),i.searchParams.set("client_id",this.clientId),i.searchParams.set("state",e),t.length>0&&i.searchParams.set("scope",t.join(" ")),i.searchParams.set("redirect_uri",this.redirectURI),i}async validateAuthorizationCode(e){const t=new URLSearchParams;t.set("grant_type","authorization_code"),t.set("code",e),t.set("redirect_uri",this.redirectURI),t.set("client_id",this.clientId),t.set("client_secret",this.clientSecret);const i=di(om,t);return await ts(i)}}const am="https://accounts.google.com/o/oauth2/v2/auth",od="https://oauth2.googleapis.com/token",cm="https://oauth2.googleapis.com/revoke";class Kf{constructor(e,t,i){te(this,"client");this.client=new Mc(e,t,i)}createAuthorizationURL(e,t,i){return this.client.createAuthorizationURLWithPKCE(am,e,Ei.S256,t,i)}async validateAuthorizationCode(e,t){return await this.client.validateAuthorizationCode(od,e,t)}async refreshAccessToken(e){return await this.client.refreshAccessToken(od,e,[])}async 
revokeToken(e){await this.client.revokeToken(cm,e)}}class Hc{constructor(e,t){te(this,"value");te(this,"unit");this.value=e,this.unit=t}milliseconds(){return this.unit==="ms"?this.value:this.unit==="s"?this.value*1e3:this.unit==="m"?this.value*1e3*60:this.unit==="h"?this.value*1e3*60*60:this.unit==="d"?this.value*1e3*60*60*24:this.value*1e3*60*60*24*7}seconds(){return this.milliseconds()/1e3}transform(e){return new Hc(Math.round(this.milliseconds()*e),"ms")}}async function ad(n,e,t,i){const r={alg:n,typ:"JWT",...i==null?void 0:i.headers},s={...t};(i==null?void 0:i.audiences)!==void 0&&(s.aud=i.audiences),(i==null?void 0:i.subject)!==void 0&&(s.sub=i.subject),(i==null?void 0:i.issuer)!==void 0&&(s.iss=i.issuer),(i==null?void 0:i.jwtId)!==void 0&&(s.jti=i.jwtId),(i==null?void 0:i.expiresIn)!==void 0&&(s.exp=Math.floor(Date.now()/1e3)+i.expiresIn.seconds()),(i==null?void 0:i.notBefore)!==void 0&&(s.nbf=Math.floor(i.notBefore.getTime()/1e3)),s.iat=Math.floor(Date.now()/1e3);const o=new TextEncoder,c=rn.encode(o.encode(JSON.stringify(r)),{includePadding:!1}),l=rn.encode(o.encode(JSON.stringify(s)),{includePadding:!1}),u=o.encode([c,l].join(".")),p=await um(n).sign(e,u),g=rn.encode(new Uint8Array(p),{includePadding:!1});return[c,l,g].join(".")}function lm(n){const e=n.split(".");return e.length!==3?null:e}function Dc(n){const e=lm(n);if(!e)return null;const t=new TextDecoder,i=rn.decode(e[0],{strict:!1}),r=rn.decode(e[1],{strict:!1}),s=JSON.parse(t.decode(i));if(typeof s!="object"||s===null||!("alg"in s)||!dm(s.alg)||"typ"in s&&s.typ!=="JWT")return null;const o=JSON.parse(t.decode(r));if(typeof o!="object"||o===null)return null;const c={algorithm:s.alg,expiresAt:null,subject:null,issuedAt:null,issuer:null,jwtId:null,audiences:null,notBefore:null};if("exp"in o){if(typeof o.exp!="number")return null;c.expiresAt=new Date(o.exp*1e3)}if("iss"in o){if(typeof o.iss!="string")return null;c.issuer=o.iss}if("sub"in o){if(typeof o.sub!="string")return 
null;c.subject=o.sub}if("aud"in o)if(Array.isArray(o.aud)){for(const l of o.aud)if(typeof l!="string")return null;c.audiences=o.aud}else{if(typeof o.aud!="string")return null;c.audiences=[o.aud]}if("nbf"in o){if(typeof o.nbf!="number")return null;c.notBefore=new Date(o.nbf*1e3)}if("iat"in o){if(typeof o.iat!="number")return null;c.issuedAt=new Date(o.iat*1e3)}if("jti"in o){if(typeof o.jti!="string")return null;c.jwtId=o.jti}return{value:n,header:{...s,typ:"JWT",alg:s.alg},payload:{...o},parts:e,...c}}function um(n){return new g0(pm[n])}function dm(n){return typeof n!="string"?!1:["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512"].includes(n)}const pm={RS256:"SHA-256",RS384:"SHA-384",RS512:"SHA-512"},Zs=a.z.object({iss:a.z.string().url(),sub:a.z.string(),aud:a.z.string(),exp:a.z.number(),email:a.z.string().optional(),given_name:a.z.string().optional(),family_name:a.z.string().optional(),name:a.z.string().optional(),iat:a.z.number(),auth_time:a.z.number().optional(),nonce:a.z.string().optional(),acr:a.z.string().optional(),amr:a.z.array(a.z.string()).optional(),azp:a.z.string().optional(),at_hash:a.z.string().optional(),c_hash:a.z.string().optional()}).passthrough();Zs.omit({iat:!0,auth_time:!0,nonce:!0,acr:!0,amr:!0,azp:!0,at_hash:!0,c_hash:!0});function mt(n){return n.UNIVERSAL_LOGIN_URL||`${n.ISSUER}u/`}function bt(n){return n.OAUTH_API_URL||n.ISSUER}function Wf(n){const{options:e}=n;if(!e||!e.client_id||!e.team_id||!e.kid||!e.app_secret)throw new Error("Missing required Apple authentication parameters");const t=Buffer.from(e.app_secret,"utf-8"),i=t.toString().replace(/-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----|\s/g,""),r=Uint8Array.from(Buffer.from(i,"base64"));return t.fill(0),{options:e,keyArray:r}}async function fm(n,e){var l,u;const{options:t,keyArray:i}=Wf(e),r=new Ff(t.client_id,t.team_id,t.kid,i,`${bt(n.env)}callback`),s=Ke(),o=await r.createAuthorizationURL(s,((l=t.scope)==null?void 0:l.split(" 
"))||["name","email"]);return(((u=t.scope)==null?void 0:u.split(" "))||["name","email"]).some(p=>["email","name"].includes(p))&&o.searchParams.set("response_mode","form_post"),{redirectUrl:o.href,code:s}}async function hm(n,e,t){const{options:i,keyArray:r}=Wf(e),o=await new Ff(i.client_id,i.team_id,i.kid,r,`${bt(n.env)}callback`).validateAuthorizationCode(t),c=Dc(o.idToken());if(!c)throw new Error("Invalid ID token");const l=Zs.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const gm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:fm,validateAuthorizationCodeAndGetUser:hm},Symbol.toStringTag,{value:"Module"}));async function _m(n,e){var o;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required authentication parameters");const i=new qf(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke();return{redirectUrl:i.createAuthorizationURL(r,((o=t.scope)==null?void 0:o.split(" "))||["email"]).href,code:r}}async function mm(n,e,t){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret)throw new Error("Missing required authentication parameters");const s=await new qf(i.client_id,i.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode(t),o=await fetch("https://graph.facebook.com/v16.0/me?fields=id,email,name",{headers:{Authorization:`Bearer ${s.accessToken()}`}});if(!o.ok)throw new Error("Failed to fetch user info");const c=await o.json();return n.set("log",`Userinfo: ${JSON.stringify(c)}`),{sub:c.id,email:c.email,name:c.name}}const ym=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:_m,validateAuthorizationCodeAndGetUser:mm},Symbol.toStringTag,{value:"Module"}));async function vm(n,e){var c;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required Google authentication parameters");const i=new 
Kf(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke(),s=Z0();return{redirectUrl:i.createAuthorizationURL(r,s,((c=t.scope)==null?void 0:c.split(" "))??["email","profile"]).href,code:r,codeVerifier:s}}async function wm(n,e,t,i){const{options:r}=e;if(!(r!=null&&r.client_id)||!r.client_secret||!i)throw new Error("Missing required authentication parameters");const o=await new Kf(r.client_id,r.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode(t,i);console.log("got here");const c=Dc(o.idToken());if(!c)throw new Error("Invalid ID token");const l=Zs.parse(c.payload);return{sub:l.sub,email:l.email,given_name:l.given_name,family_name:l.family_name,name:l.name,picture:l.picture,locale:l.locale}}const bm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:vm,validateAuthorizationCodeAndGetUser:wm},Symbol.toStringTag,{value:"Module"}));async function km(n,e){var o;const{options:t}=e;if(!(t!=null&&t.client_id)||!t.client_secret)throw new Error("Missing required authentication parameters");const i=new Mc(t.client_id,t.client_secret,`${bt(n.env)}callback`),r=Ke(),s=i.createAuthorizationURL("https://api.vipps.no/access-management-1.0/access/oauth2/auth",r,((o=t.scope)==null?void 0:o.split(" "))||["openid","email","phoneNumber","name","address","birthDate"]);return s.searchParams.set("response_type","code"),s.searchParams.set("response_mode","query"),{redirectUrl:s.href,code:r}}async function xm(n,e,t){const{options:i}=e;if(!(i!=null&&i.client_id)||!i.client_secret)throw new Error("Missing required authentication parameters");const s=await new Mc(i.client_id,i.client_secret,`${bt(n.env)}callback`).validateAuthorizationCode("https://api.vipps.no/access-management-1.0/access/oauth2/token",t,null),o=Dc(s.idToken());if(!o)throw new Error("Invalid ID token");const c=Zs.parse(o.payload);if(typeof c.msn!="string")throw new Error("msn not available in id token");const l=await 
fetch("https://api.vipps.no/vipps-userinfo-api/userinfo",{headers:{Authorization:`Bearer ${s.accessToken()}`,"Merchant-Serial-Number":c.msn}});if(!l.ok)throw new N(400,{message:"Failed to get user from vipps"});return await l.json()}const Sm=Object.freeze(Object.defineProperty({__proto__:null,getRedirect:km,validateAuthorizationCodeAndGetUser:xm},Symbol.toStringTag,{value:"Module"}));function Gf(n,e){const t=n.env.STRATEGIES||{},r={apple:gm,facebook:ym,"google-oauth2":bm,vipps:Sm,...t}[e];if(!r)throw new Error(`Strategy ${e} not found`);return r}async function Fc(n,e){const t=await n.data.clients.get(e);if(!t)throw new N(403,{message:"Client not found"});const i=n.DEFAULT_CLIENT_ID?await n.data.clients.get(n.DEFAULT_CLIENT_ID):void 0,r=await n.data.connections.list(t.tenant.id),s=n.DEFAULT_TENANT_ID?await n.data.connections.list(n.DEFAULT_TENANT_ID):{connections:[]},o=r.connections.map(c=>{var p;const l=(p=s.connections)==null?void 0:p.find(g=>g.name===c.name);return l!=null&&l.options?Ot.parse({...l||{},...c,options:{...l.options||{},...c.options}}):c}).filter(c=>c);return{...t,web_origins:[...(i==null?void 0:i.web_origins)||[],...t.web_origins||[],`${mt(n)}login`],allowed_logout_urls:[...(i==null?void 0:i.allowed_logout_urls)||[],...t.allowed_logout_urls||[],n.ISSUER],callbacks:[...(i==null?void 0:i.callbacks)||[],...t.callbacks||[],`${mt(n)}info`],connections:o,domains:[...t.domains||[],...(i==null?void 0:i.domains)||[]],tenant:{...(i==null?void 0:i.tenant)||{},...t.tenant}}}function Ys(n,e=[],t={}){try{const i=new URL(n);return e.some(r=>{try{return Am(i,new URL(r),t.allowPathWildcards)}catch{return!1}})}catch{return!1}}function Am(n,e,t){if(n.protocol!==e.protocol)return!1;if(t&&e.pathname.includes("*")){const i=e.pathname.replace(/\*/g,".*").replace(/\//g,"\\/");if(!new RegExp(`^${i}$`).test(n.pathname))return!1}else 
if(n.pathname!==e.pathname)return!1;if(e.hostname.startsWith("*.")&&e.hostname.split(".").length>2&&["http:","https:"].includes(e.protocol)){const i=e.hostname.split(".").slice(1).join(".");return n.hostname.endsWith(i)}return n.hostname===e.hostname}function Im(n){try{const t=/-----BEGIN (?:RSA )?(?:PRIVATE|PUBLIC) KEY-----([^-]*)-----END (?:RSA )?(?:PRIVATE|PUBLIC) KEY-----/.exec(n);if(!t||!t[1])throw new Error("Invalid PEM format");return Uint8Array.from(atob(t[1].replace(/\s/g,"")),i=>i.charCodeAt(0)).buffer}finally{n=n.replace(/./g,"\0")}}async function Em(n,e){if(e==="plain")return n;const t=new TextEncoder().encode(n),i=await Rf(t);return rn.encode(new Uint8Array(i),{includePadding:!1})}function Jf(n,e,t){const i=[];return i.push([encodeURIComponent(n),encodeURIComponent(e)]),(t==null?void 0:t.domain)!==void 0&&i.push(["Domain",t.domain]),(t==null?void 0:t.expires)!==void 0&&i.push(["Expires",t.expires.toUTCString()]),t!=null&&t.httpOnly&&i.push(["HttpOnly"]),(t==null?void 0:t.maxAge)!==void 0&&i.push(["Max-Age",t.maxAge.toString()]),(t==null?void 0:t.path)!==void 0&&i.push(["Path",t.path]),(t==null?void 0:t.sameSite)==="lax"&&i.push(["SameSite","Lax"]),(t==null?void 0:t.sameSite)==="none"&&i.push(["SameSite","None"]),(t==null?void 0:t.sameSite)==="strict"&&i.push(["SameSite","Strict"]),t!=null&&t.secure&&i.push(["Secure"]),i.map(r=>r.join("=")).join("; ")}function $m(n){const e=new Map,t=n.split("; ");for(const i of t){const r=i.split("="),s=r[0],o=r[1]??"";s&&e.set(decodeURIComponent(s),decodeURIComponent(o))}return e}function qc(n){return`${n}-${L0}`}function Zf(n,e){return e?$m(e).get(qc(n)):void 0}function Cm(n){const e={path:"/",httpOnly:!0,secure:!0,maxAge:0};return Jf(qc(n),"",{...e,sameSite:"none"})}function Yf(n,e){const t={path:"/",httpOnly:!0,secure:!0,maxAge:Uf};return Jf(qc(n),e,{...t,sameSite:"none"})}var Kc={},Xs={};(function(n){const 
e=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",t=e+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040",i="["+e+"]["+t+"]*",r=new RegExp("^"+i+"$"),s=function(c,l){const u=[];let p=l.exec(c);for(;p;){const g=[];g.startIndex=l.lastIndex-p[0].length;const m=p.length;for(let x=0;x<m;x++)g.push(p[x]);u.push(g),p=l.exec(c)}return u},o=function(c){const l=r.exec(c);return!(l===null||typeof l>"u")};n.isExist=function(c){return typeof c<"u"},n.isEmptyObject=function(c){return Object.keys(c).length===0},n.merge=function(c,l,u){if(l){const p=Object.keys(l),g=p.length;for(let m=0;m<g;m++)u==="strict"?c[p[m]]=[l[p[m]]]:c[p[m]]=l[p[m]]}},n.getValue=function(c){return n.isExist(c)?c:""},n.isName=o,n.getAllMatches=s,n.nameRegexp=i})(Xs);const Wc=Xs,jm={allowBooleanAttributes:!1,unpairedTags:[]};Kc.validate=function(n,e){e=Object.assign({},jm,e);const t=[];let i=!1,r=!1;n[0]==="\uFEFF"&&(n=n.substr(1));for(let s=0;s<n.length;s++)if(n[s]==="<"&&n[s+1]==="?"){if(s+=2,s=ld(n,s),s.err)return s}else if(n[s]==="<"){let o=s;if(s++,n[s]==="!"){s=ud(n,s);continue}else{let c=!1;n[s]==="/"&&(c=!0,s++);let l="";for(;s<n.length&&n[s]!==">"&&n[s]!==" "&&n[s]!==" "&&n[s]!==`
|
|
126
126
|
`&&n[s]!=="\r";s++)l+=n[s];if(l=l.trim(),l[l.length-1]==="/"&&(l=l.substring(0,l.length-1),s--),!Lm(l)){let g;return l.trim().length===0?g="Invalid space after '<'.":g="Tag '"+l+"' is an invalid name.",ye("InvalidTag",g,Oe(n,s))}const u=Om(n,s);if(u===!1)return ye("InvalidAttr","Attributes for '"+l+"' have open quote.",Oe(n,s));let p=u.value;if(s=u.index,p[p.length-1]==="/"){const g=s-p.length;p=p.substring(0,p.length-1);const m=dd(p,e);if(m===!0)i=!0;else return ye(m.err.code,m.err.msg,Oe(n,g+m.err.line))}else if(c)if(u.tagClosed){if(p.trim().length>0)return ye("InvalidTag","Closing tag '"+l+"' can't have attributes or invalid starting.",Oe(n,o));if(t.length===0)return ye("InvalidTag","Closing tag '"+l+"' has not been opened.",Oe(n,o));{const g=t.pop();if(l!==g.tagName){let m=Oe(n,g.tagStartPos);return ye("InvalidTag","Expected closing tag '"+g.tagName+"' (opened in line "+m.line+", col "+m.col+") instead of closing tag '"+l+"'.",Oe(n,o))}t.length==0&&(r=!0)}}else return ye("InvalidTag","Closing tag '"+l+"' doesn't have proper closing.",Oe(n,s));else{const g=dd(p,e);if(g!==!0)return ye(g.err.code,g.err.msg,Oe(n,s-p.length+g.err.line));if(r===!0)return ye("InvalidXml","Multiple possible root nodes found.",Oe(n,s));e.unpairedTags.indexOf(l)!==-1||t.push({tagName:l,tagStartPos:o}),i=!0}for(s++;s<n.length;s++)if(n[s]==="<")if(n[s+1]==="!"){s++,s=ud(n,s);continue}else if(n[s+1]==="?"){if(s=ld(n,++s),s.err)return s}else break;else if(n[s]==="&"){const g=Rm(n,s);if(g==-1)return ye("InvalidChar","char '&' is not expected.",Oe(n,s));s=g}else if(r===!0&&!cd(n[s]))return ye("InvalidXml","Extra text at the end",Oe(n,s));n[s]==="<"&&s--}}else{if(cd(n[s]))continue;return ye("InvalidChar","char '"+n[s]+"' is not expected.",Oe(n,s))}if(i){if(t.length==1)return ye("InvalidTag","Unclosed tag '"+t[0].tagName+"'.",Oe(n,t[0].tagStartPos));if(t.length>0)return ye("InvalidXml","Invalid '"+JSON.stringify(t.map(s=>s.tagName),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1})}else 
return ye("InvalidXml","Start tag expected.",1);return!0};function cd(n){return n===" "||n===" "||n===`
|
|
127
127
|
`||n==="\r"}function ld(n,e){const t=e;for(;e<n.length;e++)if(n[e]=="?"||n[e]==" "){const i=n.substr(t,e-t);if(e>5&&i==="xml")return ye("InvalidXml","XML declaration allowed only at the start of the document.",Oe(n,e));if(n[e]=="?"&&n[e+1]==">"){e++;break}else continue}return e}function ud(n,e){if(n.length>e+5&&n[e+1]==="-"&&n[e+2]==="-"){for(e+=3;e<n.length;e++)if(n[e]==="-"&&n[e+1]==="-"&&n[e+2]===">"){e+=2;break}}else if(n.length>e+8&&n[e+1]==="D"&&n[e+2]==="O"&&n[e+3]==="C"&&n[e+4]==="T"&&n[e+5]==="Y"&&n[e+6]==="P"&&n[e+7]==="E"){let t=1;for(e+=8;e<n.length;e++)if(n[e]==="<")t++;else if(n[e]===">"&&(t--,t===0))break}else if(n.length>e+9&&n[e+1]==="["&&n[e+2]==="C"&&n[e+3]==="D"&&n[e+4]==="A"&&n[e+5]==="T"&&n[e+6]==="A"&&n[e+7]==="["){for(e+=8;e<n.length;e++)if(n[e]==="]"&&n[e+1]==="]"&&n[e+2]===">"){e+=2;break}}return e}const zm='"',Nm="'";function Om(n,e){let t="",i="",r=!1;for(;e<n.length;e++){if(n[e]===zm||n[e]===Nm)i===""?i=n[e]:i!==n[e]||(i="");else if(n[e]===">"&&i===""){r=!0;break}t+=n[e]}return i!==""?!1:{value:t,index:e,tagClosed:r}}const Bm=new RegExp(`(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['"])(([\\s\\S])*?)\\5)?`,"g");function dd(n,e){const t=Wc.getAllMatches(n,Bm),i={};for(let r=0;r<t.length;r++){if(t[r][1].length===0)return ye("InvalidAttr","Attribute '"+t[r][2]+"' has no space in starting.",ii(t[r]));if(t[r][3]!==void 0&&t[r][4]===void 0)return ye("InvalidAttr","Attribute '"+t[r][2]+"' is without value.",ii(t[r]));if(t[r][3]===void 0&&!e.allowBooleanAttributes)return ye("InvalidAttr","boolean attribute '"+t[r][2]+"' is not allowed.",ii(t[r]));const s=t[r][2];if(!Pm(s))return ye("InvalidAttr","Attribute '"+s+"' is an invalid name.",ii(t[r]));if(!i.hasOwnProperty(s))i[s]=1;else return ye("InvalidAttr","Attribute '"+s+"' is repeated.",ii(t[r]))}return!0}function Tm(n,e){let t=/\d/;for(n[e]==="x"&&(e++,t=/[\da-fA-F]/);e<n.length;e++){if(n[e]===";")return e;if(!n[e].match(t))break}return-1}function Rm(n,e){if(e++,n[e]===";")return-1;if(n[e]==="#")return 
e++,Tm(n,e);let t=0;for(;e<n.length;e++,t++)if(!(n[e].match(/\w/)&&t<20)){if(n[e]===";")break;return-1}return e}function ye(n,e,t){return{err:{code:n,msg:e,line:t.line||t,col:t.col}}}function Pm(n){return Wc.isName(n)}function Lm(n){return Wc.isName(n)}function Oe(n,e){const t=n.substring(0,e).split(/\r?\n/);return{line:t.length,col:t[t.length-1].length+1}}function ii(n){return n.startIndex+n[1].length}var Gc={};const Xf={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(n,e){return e},attributeValueProcessor:function(n,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:()=>!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(n,e,t){return n}},Um=function(n){return Object.assign({},Xf,n)};Gc.buildOptions=Um;Gc.defaultOptions=Xf;class Vm{constructor(e){this.tagname=e,this.child=[],this[":@"]={}}add(e,t){e==="__proto__"&&(e="#__proto__"),this.child.push({[e]:t})}addChild(e){e.tagname==="__proto__"&&(e.tagname="#__proto__"),e[":@"]&&Object.keys(e[":@"]).length>0?this.child.push({[e.tagname]:e.child,":@":e[":@"]}):this.child.push({[e.tagname]:e.child})}}var Mm=Vm;const Hm=Xs;function Dm(n,e){const t={};if(n[e+3]==="O"&&n[e+4]==="C"&&n[e+5]==="T"&&n[e+6]==="Y"&&n[e+7]==="P"&&n[e+8]==="E"){e=e+9;let i=1,r=!1,s=!1,o="";for(;e<n.length;e++)if(n[e]==="<"&&!s){if(r&&Km(n,e)){e+=7;let c,l;[c,l,e]=Fm(n,e+1),l.indexOf("&")===-1&&(t[Zm(c)]={regx:RegExp(`&${c};`,"g"),val:l})}else if(r&&Wm(n,e))e+=8;else if(r&&Gm(n,e))e+=8;else if(r&&Jm(n,e))e+=9;else if(qm)s=!0;else throw new Error("Invalid DOCTYPE");i++,o=""}else if(n[e]===">"){if(s?n[e-1]==="-"&&n[e-2]==="-"&&(s=!1,i--):i--,i===0)break}else 
n[e]==="["?r=!0:o+=n[e];if(i!==0)throw new Error("Unclosed DOCTYPE")}else throw new Error("Invalid Tag instead of DOCTYPE");return{entities:t,i:e}}function Fm(n,e){let t="";for(;e<n.length&&n[e]!=="'"&&n[e]!=='"';e++)t+=n[e];if(t=t.trim(),t.indexOf(" ")!==-1)throw new Error("External entites are not supported");const i=n[e++];let r="";for(;e<n.length&&n[e]!==i;e++)r+=n[e];return[t,r,e]}function qm(n,e){return n[e+1]==="!"&&n[e+2]==="-"&&n[e+3]==="-"}function Km(n,e){return n[e+1]==="!"&&n[e+2]==="E"&&n[e+3]==="N"&&n[e+4]==="T"&&n[e+5]==="I"&&n[e+6]==="T"&&n[e+7]==="Y"}function Wm(n,e){return n[e+1]==="!"&&n[e+2]==="E"&&n[e+3]==="L"&&n[e+4]==="E"&&n[e+5]==="M"&&n[e+6]==="E"&&n[e+7]==="N"&&n[e+8]==="T"}function Gm(n,e){return n[e+1]==="!"&&n[e+2]==="A"&&n[e+3]==="T"&&n[e+4]==="T"&&n[e+5]==="L"&&n[e+6]==="I"&&n[e+7]==="S"&&n[e+8]==="T"}function Jm(n,e){return n[e+1]==="!"&&n[e+2]==="N"&&n[e+3]==="O"&&n[e+4]==="T"&&n[e+5]==="A"&&n[e+6]==="T"&&n[e+7]==="I"&&n[e+8]==="O"&&n[e+9]==="N"}function Zm(n){if(Hm.isName(n))return n;throw new Error(`Invalid entity name ${n}`)}var Ym=Dm;const Xm=/^[-+]?0x[a-fA-F0-9]+$/,Qm=/^([\-\+])?(0*)(\.[0-9]+([eE]\-?[0-9]+)?|[0-9]+(\.[0-9]+([eE]\-?[0-9]+)?)?)$/;!Number.parseInt&&window.parseInt&&(Number.parseInt=window.parseInt);!Number.parseFloat&&window.parseFloat&&(Number.parseFloat=window.parseFloat);const ey={hex:!0,leadingZeros:!0,decimalPoint:".",eNotation:!0};function ty(n,e={}){if(e=Object.assign({},ey,e),!n||typeof n!="string")return n;let t=n.trim();if(e.skipLike!==void 0&&e.skipLike.test(t))return n;if(e.hex&&Xm.test(t))return Number.parseInt(t,16);{const i=Qm.exec(t);if(i){const r=i[1],s=i[2];let o=ny(i[3]);const c=i[4]||i[6];if(!e.leadingZeros&&s.length>0&&r&&t[2]!==".")return n;if(!e.leadingZeros&&s.length>0&&!r&&t[1]!==".")return n;{const l=Number(t),u=""+l;return u.search(/[eE]/)!==-1||c?e.eNotation?l:n:t.indexOf(".")!==-1?u==="0"&&o===""||u===o||r&&u==="-"+o?l:n:s?o===u||r+o===u?l:n:t===u||t===r+u?l:n}}else return n}}function 
ny(n){return n&&n.indexOf(".")!==-1&&(n=n.replace(/0+$/,""),n==="."?n="0":n[0]==="."?n="0"+n:n[n.length-1]==="."&&(n=n.substr(0,n.length-1))),n}var iy=ty;function ry(n){return typeof n=="function"?n:Array.isArray(n)?e=>{for(const t of n)if(typeof t=="string"&&e===t||t instanceof RegExp&&t.test(e))return!0}:()=>!1}var Qf=ry;const eh=Xs,ri=Mm,sy=Ym,oy=iy,ay=Qf;let cy=class{constructor(e){this.options=e,this.currentNode=null,this.tagsNodeStack=[],this.docTypeEntities={},this.lastEntities={apos:{regex:/&(apos|#39|#x27);/g,val:"'"},gt:{regex:/&(gt|#62|#x3E);/g,val:">"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:(t,i)=>String.fromCharCode(Number.parseInt(i,10))},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:(t,i)=>String.fromCharCode(Number.parseInt(i,16))}},this.addExternalEntities=ly,this.parseXml=hy,this.parseTextData=uy,this.resolveNameSpace=dy,this.buildAttributesMap=fy,this.isItStopNode=yy,this.replaceEntitiesValue=_y,this.readStopNodeData=wy,this.saveTextToParentTag=my,this.addChild=gy,this.ignoreAttributesFn=ay(this.options.ignoreAttributes)}};function ly(n){const e=Object.keys(n);for(let t=0;t<e.length;t++){const i=e[t];this.lastEntities[i]={regex:new RegExp("&"+i+";","g"),val:n[i]}}}function uy(n,e,t,i,r,s,o){if(n!==void 0&&(this.options.trimValues&&!i&&(n=n.trim()),n.length>0)){o||(n=this.replaceEntitiesValue(n));const c=this.options.tagValueProcessor(e,n,t,r,s);return c==null?n:typeof c!=typeof 
n||c!==n?c:this.options.trimValues?Da(n,this.options.parseTagValue,this.options.numberParseOptions):n.trim()===n?Da(n,this.options.parseTagValue,this.options.numberParseOptions):n}}function dy(n){if(this.options.removeNSPrefix){const e=n.split(":"),t=n.charAt(0)==="/"?"/":"";if(e[0]==="xmlns")return"";e.length===2&&(n=t+e[1])}return n}const py=new RegExp(`([^\\s=]+)\\s*(=\\s*(['"])([\\s\\S]*?)\\3)?`,"gm");function fy(n,e,t){if(this.options.ignoreAttributes!==!0&&typeof n=="string"){const i=eh.getAllMatches(n,py),r=i.length,s={};for(let o=0;o<r;o++){const c=this.resolveNameSpace(i[o][1]);if(this.ignoreAttributesFn(c,e))continue;let l=i[o][4],u=this.options.attributeNamePrefix+c;if(c.length)if(this.options.transformAttributeName&&(u=this.options.transformAttributeName(u)),u==="__proto__"&&(u="#__proto__"),l!==void 0){this.options.trimValues&&(l=l.trim()),l=this.replaceEntitiesValue(l);const p=this.options.attributeValueProcessor(c,l,e);p==null?s[u]=l:typeof p!=typeof l||p!==l?s[u]=p:s[u]=Da(l,this.options.parseAttributeValue,this.options.numberParseOptions)}else this.options.allowBooleanAttributes&&(s[u]=!0)}if(!Object.keys(s).length)return;if(this.options.attributesGroupName){const o={};return o[this.options.attributesGroupName]=s,o}return s}}const hy=function(n){n=n.replace(/\r\n?/g,`
|
|
128
128
|
`);const e=new ri("!xml");let t=e,i="",r="";for(let s=0;s<n.length;s++)if(n[s]==="<")if(n[s+1]==="/"){const c=en(n,">",s,"Closing Tag is not closed.");let l=n.substring(s+2,c).trim();if(this.options.removeNSPrefix){const g=l.indexOf(":");g!==-1&&(l=l.substr(g+1))}this.options.transformTagName&&(l=this.options.transformTagName(l)),t&&(i=this.saveTextToParentTag(i,t,r));const u=r.substring(r.lastIndexOf(".")+1);if(l&&this.options.unpairedTags.indexOf(l)!==-1)throw new Error(`Unpaired tag can not be used as closing tag: </${l}>`);let p=0;u&&this.options.unpairedTags.indexOf(u)!==-1?(p=r.lastIndexOf(".",r.lastIndexOf(".")-1),this.tagsNodeStack.pop()):p=r.lastIndexOf("."),r=r.substring(0,p),t=this.tagsNodeStack.pop(),i="",s=c}else if(n[s+1]==="?"){let c=Ha(n,s,!1,"?>");if(!c)throw new Error("Pi Tag is not closed.");if(i=this.saveTextToParentTag(i,t,r),!(this.options.ignoreDeclaration&&c.tagName==="?xml"||this.options.ignorePiTags)){const l=new ri(c.tagName);l.add(this.options.textNodeName,""),c.tagName!==c.tagExp&&c.attrExpPresent&&(l[":@"]=this.buildAttributesMap(c.tagExp,r,c.tagName)),this.addChild(t,l,r)}s=c.closeIndex+1}else if(n.substr(s+1,3)==="!--"){const c=en(n,"-->",s+4,"Comment is not closed.");if(this.options.commentPropName){const l=n.substring(s+4,c-2);i=this.saveTextToParentTag(i,t,r),t.add(this.options.commentPropName,[{[this.options.textNodeName]:l}])}s=c}else if(n.substr(s+1,2)==="!D"){const c=sy(n,s);this.docTypeEntities=c.entities,s=c.i}else if(n.substr(s+1,2)==="!["){const c=en(n,"]]>",s,"CDATA is not closed.")-2,l=n.substring(s+9,c);i=this.saveTextToParentTag(i,t,r);let u=this.parseTextData(l,t.tagname,r,!0,!1,!0,!0);u==null&&(u=""),this.options.cdataPropName?t.add(this.options.cdataPropName,[{[this.options.textNodeName]:l}]):t.add(this.options.textNodeName,u),s=c+2}else{let c=Ha(n,s,this.options.removeNSPrefix),l=c.tagName;const u=c.rawTagName;let 
p=c.tagExp,g=c.attrExpPresent,m=c.closeIndex;this.options.transformTagName&&(l=this.options.transformTagName(l)),t&&i&&t.tagname!=="!xml"&&(i=this.saveTextToParentTag(i,t,r,!1));const x=t;if(x&&this.options.unpairedTags.indexOf(x.tagname)!==-1&&(t=this.tagsNodeStack.pop(),r=r.substring(0,r.lastIndexOf("."))),l!==e.tagname&&(r+=r?"."+l:l),this.isItStopNode(this.options.stopNodes,r,l)){let h="";if(p.length>0&&p.lastIndexOf("/")===p.length-1)l[l.length-1]==="/"?(l=l.substr(0,l.length-1),r=r.substr(0,r.length-1),p=l):p=p.substr(0,p.length-1),s=c.closeIndex;else if(this.options.unpairedTags.indexOf(l)!==-1)s=c.closeIndex;else{const b=this.readStopNodeData(n,u,m+1);if(!b)throw new Error(`Unexpected end of ${u}`);s=b.i,h=b.tagContent}const _=new ri(l);l!==p&&g&&(_[":@"]=this.buildAttributesMap(p,r,l)),h&&(h=this.parseTextData(h,l,r,!0,g,!0,!0)),r=r.substr(0,r.lastIndexOf(".")),_.add(this.options.textNodeName,h),this.addChild(t,_,r)}else{if(p.length>0&&p.lastIndexOf("/")===p.length-1){l[l.length-1]==="/"?(l=l.substr(0,l.length-1),r=r.substr(0,r.length-1),p=l):p=p.substr(0,p.length-1),this.options.transformTagName&&(l=this.options.transformTagName(l));const h=new ri(l);l!==p&&g&&(h[":@"]=this.buildAttributesMap(p,r,l)),this.addChild(t,h,r),r=r.substr(0,r.lastIndexOf("."))}else{const h=new ri(l);this.tagsNodeStack.push(t),l!==p&&g&&(h[":@"]=this.buildAttributesMap(p,r,l)),this.addChild(t,h,r),t=h}i="",s=m}}else i+=n[s];return e.child};function gy(n,e,t){const i=this.options.updateTag(e.tagname,t,e[":@"]);i===!1||(typeof i=="string"&&(e.tagname=i),n.addChild(e))}const _y=function(n){if(this.options.processEntities){for(let e in this.docTypeEntities){const t=this.docTypeEntities[e];n=n.replace(t.regx,t.val)}for(let e in this.lastEntities){const t=this.lastEntities[e];n=n.replace(t.regex,t.val)}if(this.options.htmlEntities)for(let e in this.htmlEntities){const t=this.htmlEntities[e];n=n.replace(t.regex,t.val)}n=n.replace(this.ampEntity.regex,this.ampEntity.val)}return 
n};function my(n,e,t,i){return n&&(i===void 0&&(i=Object.keys(e.child).length===0),n=this.parseTextData(n,e.tagname,t,!1,e[":@"]?Object.keys(e[":@"]).length!==0:!1,i),n!==void 0&&n!==""&&e.add(this.options.textNodeName,n),n=""),n}function yy(n,e,t){const i="*."+t;for(const r in n){const s=n[r];if(i===s||e===s)return!0}return!1}function vy(n,e,t=">"){let i,r="";for(let s=e;s<n.length;s++){let o=n[s];if(i)o===i&&(i="");else if(o==='"'||o==="'")i=o;else if(o===t[0])if(t[1]){if(n[s+1]===t[1])return{data:r,index:s}}else return{data:r,index:s};else o===" "&&(o=" ");r+=o}}function en(n,e,t,i){const r=n.indexOf(e,t);if(r===-1)throw new Error(i);return r+e.length-1}function Ha(n,e,t,i=">"){const r=vy(n,e+1,i);if(!r)return;let s=r.data;const o=r.index,c=s.search(/\s/);let l=s,u=!0;c!==-1&&(l=s.substring(0,c),s=s.substring(c+1).trimStart());const p=l;if(t){const g=l.indexOf(":");g!==-1&&(l=l.substr(g+1),u=l!==r.data.substr(g+1))}return{tagName:l,tagExp:s,closeIndex:o,attrExpPresent:u,rawTagName:p}}function wy(n,e,t){const i=t;let r=1;for(;t<n.length;t++)if(n[t]==="<")if(n[t+1]==="/"){const s=en(n,">",t,`${e} is not closed`);if(n.substring(t+2,s).trim()===e&&(r--,r===0))return{tagContent:n.substring(i,t),i:s};t=s}else if(n[t+1]==="?")t=en(n,"?>",t+1,"StopNode is not closed.");else if(n.substr(t+1,3)==="!--")t=en(n,"-->",t+3,"StopNode is not closed.");else if(n.substr(t+1,2)==="![")t=en(n,"]]>",t,"StopNode is not closed.")-2;else{const s=Ha(n,t,">");s&&((s&&s.tagName)===e&&s.tagExp[s.tagExp.length-1]!=="/"&&r++,t=s.closeIndex)}}function Da(n,e,t){if(e&&typeof n=="string"){const i=n.trim();return i==="true"?!0:i==="false"?!1:oy(n,t)}else return eh.isExist(n)?n:""}var by=cy,th={};function ky(n,e){return nh(n,e)}function nh(n,e,t){let i;const r={};for(let s=0;s<n.length;s++){const o=n[s],c=xy(o);let l="";if(t===void 0?l=c:l=t+"."+c,c===e.textNodeName)i===void 0?i=o[c]:i+=""+o[c];else{if(c===void 0)continue;if(o[c]){let u=nh(o[c],e,l);const 
p=Ay(u,e);o[":@"]?Sy(u,o[":@"],l,e):Object.keys(u).length===1&&u[e.textNodeName]!==void 0&&!e.alwaysCreateTextNode?u=u[e.textNodeName]:Object.keys(u).length===0&&(e.alwaysCreateTextNode?u[e.textNodeName]="":u=""),r[c]!==void 0&&r.hasOwnProperty(c)?(Array.isArray(r[c])||(r[c]=[r[c]]),r[c].push(u)):e.isArray(c,l,p)?r[c]=[u]:r[c]=u}}}return typeof i=="string"?i.length>0&&(r[e.textNodeName]=i):i!==void 0&&(r[e.textNodeName]=i),r}function xy(n){const e=Object.keys(n);for(let t=0;t<e.length;t++){const i=e[t];if(i!==":@")return i}}function Sy(n,e,t,i){if(e){const r=Object.keys(e),s=r.length;for(let o=0;o<s;o++){const c=r[o];i.isArray(c,t+"."+c,!0,!0)?n[c]=[e[c]]:n[c]=e[c]}}}function Ay(n,e){const{textNodeName:t}=e,i=Object.keys(n).length;return!!(i===0||i===1&&(n[t]||typeof n[t]=="boolean"||n[t]===0))}th.prettify=ky;const{buildOptions:Iy}=Gc,Ey=by,{prettify:$y}=th,Cy=Kc;let jy=class{constructor(e){this.externalEntities={},this.options=Iy(e)}parse(e,t){if(typeof e!="string")if(e.toString)e=e.toString();else throw new Error("XML data is accepted in String or Bytes[] form.");if(t){t===!0&&(t={});const s=Cy.validate(e,t);if(s!==!0)throw Error(`${s.err.msg}:${s.err.line}:${s.err.col}`)}const i=new Ey(this.options);i.addExternalEntities(this.externalEntities);const r=i.parseXml(e);return this.options.preserveOrder||r===void 0?r:$y(r,this.options)}addEntity(e,t){if(t.indexOf("&")!==-1)throw new Error("Entity value can't have '&'");if(e.indexOf("&")!==-1||e.indexOf(";")!==-1)throw new Error("An entity must be set without '&' and ';'. Eg. use '#xD' for '
'");if(t==="&")throw new Error("An entity with value '&' is not permitted");this.externalEntities[e]=t}};var zy=jy;const Ny=`
|
|
@@ -146,7 +146,7 @@ PERFORMANCE OF THIS SOFTWARE.
|
|
|
146
146
|
}};
|
|
147
147
|
<\/script>
|
|
148
148
|
</body>
|
|
149
|
-
</html>`;return new Response(r,{headers:{"Content-Type":"text/html"}})}async function Jy(n,e,t,i,r){var m,x,h;if(!t.redirect_uri)throw new N(400,{message:"Missing redirect_uri in authParams"});const[s]=await n.env.data.keys.list();if(!s)throw new N(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new N(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:o,audience:c}=e.addons.samlp,l=t.state||"";if(!o||!l||!i||!t.state)throw new N(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(t.state),p=new URL(t.redirect_uri),g=await Zy(n,{issuer:n.env.ISSUER,audience:c||t.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((h=(x=i.app_metadata)==null?void 0:x.vimeo)==null?void 0:h.user_id)||i.user_id,email:i.email,sessionIndex:r,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return Gy(p.toString(),g,u.relayState)}async function Zy(n,e){const t=e.notBefore||new Date().toISOString(),i=e.notAfter||new Date(new 
Date(t).getTime()+10*60*1e3).toISOString(),r=e.issueInstant||t,s=e.sessionNotOnOrAfter||i,o=e.responseId||`_${Ke()}`,c=e.assertionId||`_${Ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":i,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":t,"@_NotOnOrAfter":i}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":r,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":r,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":o,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":r,"@_Version":"2.0"}}];let p=new Wy.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(n.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}const fd=["sub","iss","aud","exp","nbf","iat","jti"];async function Jc(n,e){var _,b;const{authParams:t,user:i,client:r,sid:s}=e,c=(await n.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new N(500,{message:"No signing key available"});const u=Im(l.pkcs7),p={aud:t.audience||"default",scope:t.scope||"",sub:(i==null?void 0:i.user_id)||t.client_id,iss:n.env.ISSUER,tenant_id:n.var.tenant_id,sid:s},g=i&&((_=t.scope)!=null&&_.split(" ").includes("openid"))?{aud:t.client_id,sub:i.user_id,iss:n.env.ISSUER,sid:s,nonce:t.nonce,given_name:i.given_name,family_name:i.family_name,nickname:i.nickname,picture:i.picture,locale:i.locale,name:i.name,email:i.email,email_verified:i.email_verified}:void 0;(b=n.env.hooks)!=null&&b.onExecuteCredentialsExchange&&await n.env.hooks.onExecuteCredentialsExchange({client:r,user:i,scope:t.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,O)=>{if(fd.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=O}},idToken:{setCustomClaim:(S,O)=>{if(fd.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);g&&(g[S]=O)}},access:{deny:S=>{throw new N(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new Hc(1,"d"),headers:{kid:l.kid}},x=await ad("RS256",u,p,m),h=g?await ad("RS256",u,g,m):void 0;return{access_token:x,id_token:h,token_type:"Bearer",expires_in:86400}}async function sh(n,e,t){return await n.env.data.sessions.create(t.tenant.id,{session_id:Ke(),user_id:e.user_id,client_id:t.id,expires_at:new Date(Date.now()+Uf*1e3).toISOString(),used_at:new Date().toISOString()})}async function 
Ki(n,e){const{authParams:t,user:i,client:r}=e,s=e.sid||(await sh(n,i,r)).session_id;if(e.authParams.response_mode===sn.SAML_POST)return Jy(n,e.client,e.authParams,i,s);const o=await Jc(n,{authParams:t,user:i,client:r,sid:s}),c=new Headers({"set-cookie":Yf(r.tenant.id,s)});if(t.response_mode===sn.WEB_MESSAGE)return n.json(o,{headers:c});if((t.response_type||Ut.CODE)===Ut.CODE){if(!e.loginSession)throw new N(500,{message:"Login session not found"});const u=await n.env.data.codes.create(r.tenant.id,{code_id:Ke(),user_id:i.user_id,code_type:"authorization_code",login_id:e.loginSession.login_id,expires_at:new Date(Date.now()+U0*1e3).toISOString()});c.set("location",`${t.redirect_uri}?state=${e.authParams.state}&code=${u.code_id}`)}return new Response("Redirecting",{status:302,headers:c})}function Yy(n){return async(e,t)=>{if(!t.email||!t.email_verified)return n.users.create(e,t);const i=await Hd({userAdapter:n.users,tenant_id:e,email:t.email});return i?(await n.users.create(e,{...t,linked_to:i.user_id}),i):n.users.create(e,t)}}async function oh(n,e,t){for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(t)})).ok){const s=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});await t.logs.create(n.var.tenant_id,s)}}function Xy(n,e){return async(t,i)=>{const{hooks:r}=await e.hooks.list(t);return await oh(n,r,{tenant_id:t,user:i,trigger_id:"post-user-registration"}),i}}function Qy(n,e){return async(t,i)=>{const{hooks:r}=await e.hooks.list(t,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await oh(n,r,{tenant_id:t,email:i,trigger_id:"pre-user-signup"})}}function ev(n,e){return async(t,i)=>{let r=await Yy(e)(t,i);return await Xy(n,e)(t,r),r}}async function tv(n,e,t,i){if(e.disable_sign_ups&&!await Hd({userAdapter:n.env.data.users,tenant_id:e.tenant.id,email:i})){const s=ke(n,{type:_e.FAILED_SIGNUP,description:"Public signup is disabled"});throw await 
n.env.data.logs.create(e.tenant.id,s),new N(400,{message:"Signups are disabled for this client"})}await Qy(n,t)(n.var.tenant_id||"",i)}function nv(n,e){return{...e,users:{...e.users,create:ev(n,e)}}}async function iv(n,e,t,i){if(!i.state)throw new N(400,{message:"State not found"});const r=e.connections.find(l=>l.name===t);if(!r){n.set("client_id",e.id);const l=ke(n,{type:_e.FAILED_LOGIN,description:"Connection not found"});throw await n.env.data.logs.create(e.tenant.id,l),new N(403,{message:"Connection Not Found"})}let s=await n.env.data.logins.get(e.tenant.id,i.state);s||(s=await n.env.data.logins.create(e.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:i,...Hn(n.req)}));const c=await Gf(n,r.strategy).getRedirect(n,r);return await n.env.data.codes.create(e.tenant.id,{login_id:s.login_id,code_id:c.code,code_type:"oauth2_state",connection_id:r.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+V0*1e3).toISOString()}),n.redirect(c.redirectUrl)}async function hd(n,{code:e,state:t}){var h;const{env:i}=n,r=await i.data.codes.get(n.var.tenant_id||"",t,"oauth2_state");if(!r||!r.connection_id)throw new N(403,{message:"State not found"});const s=await i.data.logins.get(n.var.tenant_id||"",r.login_id);if(!s)throw new N(403,{message:"Session not found"});const o=await Fc(i,s.authParams.client_id);n.set("client_id",o.id),n.set("tenant_id",o.tenant.id);const c=o.connections.find(_=>_.id===r.connection_id);if(!c){const _=ke(n,{type:_e.FAILED_LOGIN,description:"Connection not found"});throw await i.data.logs.create(o.tenant.id,_),new N(403,{message:"Connection not found"})}if(n.set("connection",c.name),!s.authParams.redirect_uri){const _=ke(n,{type:_e.FAILED_LOGIN,description:"Redirect URI not defined"});throw await i.data.logs.create(o.tenant.id,_),new N(403,{message:"Redirect URI not defined"})}if(!Ys(s.authParams.redirect_uri,o.callbacks||[])){const _=`Invalid redirect URI - 
${s.authParams.redirect_uri}`,b=ke(n,{type:_e.FAILED_LOGIN,description:_});throw await i.data.logs.create(o.tenant.id,b),new N(403,{message:_})}const u=await Gf(n,c.strategy).validateAuthorizationCodeAndGetUser(n,c,e,r.code_verifier),{sub:p,...g}=u;n.set("user_id",p);const m=((h=u.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(n.env.ISSUER).hostname}`;n.set("username",m);let x=await os({userAdapter:i.data.users,tenant_id:o.tenant.id,email:m,provider:c.name});if(!x){try{await tv(n,o,n.env.data,m)}catch(_){const b=_;throw new N(500,{message:`Failed to run preUserSignupHook: ${b.message}`})}x=await i.data.users.create(o.tenant.id,{user_id:`${c.name}|${p}`,email:m,name:m,provider:c.name,connection:c.name,email_verified:!0,last_ip:"",is_social:!0,last_login:new Date().toISOString(),profileData:JSON.stringify(g)}),n.set("user_id",x.user_id)}return Ki(n,{client:o,authParams:s.authParams,loginSession:s,user:x})}async function gd(n,e,t,i,r,s){const o=await n.env.data.codes.get(n.var.tenant_id||"",e,"oauth2_state");if(!o)throw new N(400,{message:"State not found"});const c=await n.env.data.logins.get(n.var.tenant_id,o.login_id);if(!c)throw new N(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new N(400,{message:"Redirect uri not found"});const u=ke(n,{type:_e.FAILED_LOGIN,description:`Failed connection login: ${r} ${t}, ${i}`});Bt(n,n.env.data.logs.create(n.var.tenant_id,u));const p=new URL(l);return P0(p,{error:t,error_description:i,error_reason:s,error_code:r,state:c.authParams.state}),n.redirect(`${mt(n.env)}enter-email?state=${c.login_id}&error=${t}`)}const rv=new 
a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:a.z.object({state:a.z.string(),code:a.z.string().optional(),scope:a.z.string().optional(),hd:a.z.string().optional(),error:a.z.string().optional(),error_description:a.z.string().optional(),error_code:a.z.string().optional(),error_reason:a.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{state:e,code:t,error:i,error_description:r,error_code:s,error_reason:o}=n.req.valid("query");if(i)return gd(n,e,i,r,s,o);if(!t)throw new N(400,{message:"Code is required"});return hd(n,{code:t,state:e})}).openapi(a.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:a.z.object({state:a.z.string(),code:a.z.string().optional(),scope:a.z.string().optional(),hd:a.z.string().optional(),error:a.z.string().optional(),error_description:a.z.string().optional(),error_code:a.z.string().optional(),error_reason:a.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{state:e,code:t,error:i,error_description:r,error_code:s,error_reason:o}=n.req.valid("form");if(i)return gd(n,e,i,r,s,o);if(!t)throw new N(400,{message:"Code is required"});return hd(n,{code:t,state:e})}),sv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:a.z.object({client_id:a.z.string(),returnTo:a.z.string().optional()}),header:a.z.object({cookie:a.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async n=>{const{client_id:e,returnTo:t}=n.req.valid("query"),i=await n.env.data.clients.get(e);if(!i)return n.text("OK");const r=await n.env.data.clients.get("DEFAULT_CLIENT");n.set("client_id",e),n.set("tenant_id",i.tenant.id);const s=t||n.req.header("referer");if(!s)return n.text("OK");if(!Ys(s,[...i.allowed_logout_urls||[],...(r==null?void 0:r.allowed_logout_urls)||[]]))throw new 
N(400,{message:"Invalid redirect uri"});const o=n.req.header("cookie");if(o){const l=Zf(i.tenant.id,o);if(l){const u=await n.env.data.sessions.get(i.tenant.id,l);if(u){const p=await n.env.data.users.get(i.tenant.id,u.user_id);p&&(n.set("user_id",p.user_id),n.set("connection",p.connection))}await n.env.data.sessions.remove(i.tenant.id,l)}}const c=ke(n,{type:_e.SUCCESS_LOGOUT,description:"User successfully logged out"});return await n.env.data.logs.create(i.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":Cm(i.tenant.id),location:s}})}),_d=a.z.object({sub:a.z.string(),email:a.z.string().optional(),family_name:a.z.string().optional(),given_name:a.z.string().optional(),email_verified:a.z.boolean()}),ov=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:_d}},description:"Userinfo"}}}),async n=>{if(!n.var.user)throw new N(404,{message:"User not found"});const e=await n.env.data.users.get(n.var.user.tenant_id,n.var.user.sub);if(!e)throw new N(404,{message:"User not found"});return n.json(_d.parse({...e,sub:e.user_id}))}),av=new a.OpenAPIHono().openapi(a.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:Cd}},description:"List of tenants"}}}),async n=>{const e=await n.env.data.keys.list(),t=await Promise.all(e.map(async i=>{const s=await new Vc(i.cert).publicKey.export(),o=await crypto.subtle.exportKey("jwk",s);return Wa.parse({...o,kid:i.kid})}));return n.json({keys:t},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${Qi}, stale-while-revalidate=${Qi*2}, stale-if-error=86400`}})}).openapi(a.createRoute({tags:["well known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:bo}},description:"List of tenants"}}}),async n=>{const 
e=n.env.ISSUER,t=bo.parse({issuer:e,authorization_endpoint:`${e}authorize`,token_endpoint:`${e}oauth/token`,device_authorization_endpoint:`${e}oauth/device/code`,userinfo_endpoint:`${e}userinfo`,mfa_challenge_endpoint:`${e}mfa/challenge`,jwks_uri:`${e}.well-known/jwks.json`,registration_endpoint:`${e}oidc/register`,revocation_endpoint:`${e}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return n.json(t,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${Qi}, stale-while-revalidate=${Qi*2}, stale-if-error=86400`}})});function ar(n,e){if(!n||!e||n.length!==e.length)return!1;let t=0;for(let i=0;i<n.length;i++)t|=n.charCodeAt(i)^e.charCodeAt(i);return t===0}const ah=a.z.object({grant_type:a.z.literal("client_credentials"),scope:a.z.string().optional(),client_secret:a.z.string(),client_id:a.z.string(),audience:a.z.string().optional()});async function cv(n,e){const t=await n.env.data.clients.get(e.client_id);if(!t)throw new N(403,{message:"Invalid client credentials"});if(t.client_secret&&!ar(t.client_secret,e.client_secret))throw new N(403,{message:"Invalid 
client credentials"});const i={client_id:t.id,scope:e.scope,audience:e.audience},r=await Jc(n,{authParams:i,client:t});return n.json(r)}const lv=a.z.object({grant_type:a.z.literal("authorization_code"),client_id:a.z.string(),code:a.z.string(),redirect_uri:a.z.string().optional(),client_secret:a.z.string().optional(),code_verifier:a.z.string().optional()}).refine(n=>"client_secret"in n&&!("code_verifier"in n)||!("client_secret"in n)&&"code_verifier"in n,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function uv(n,e){const t=await n.env.data.clients.get(e.client_id);if(!t)throw new N(403,{message:"Client not found"});console.log("client",t);const i=await n.env.data.codes.get(t.tenant.id,e.code,"authorization_code");if(!i||!i.user_id)throw new N(403,{message:"Invalid client credentials"});if(new Date(i.expires_at)<new Date)throw new N(403,{message:"Code expired"});if(i.used_at)throw new N(403,{message:"Code already used"});const r=await n.env.data.logins.get(t.tenant.id,i.login_id);if(!r)throw new N(403,{message:"Invalid login"});if("client_secret"in e){const o=await n.env.data.clients.get("DEFAULT_CLIENT");if(!ar(t.client_secret,e.client_secret)&&!ar(o==null?void 0:o.client_secret,e.client_secret))throw new N(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in r.authParams&&typeof r.authParams.code_challenge_method=="string"){const o=await Em(e.code_verifier,r.authParams.code_challenge_method);if(!ar(o,r.authParams.code_challenge||""))throw new N(403,{message:"Invalid client credentials"})}if(r.authParams.redirect_uri&&r.authParams.redirect_uri!==e.redirect_uri)throw new N(403,{message:"Invalid redirect uri"});const s=await n.env.data.users.get(t.tenant.id,i.user_id);if(!s)throw new N(403,{message:"User not found"});return await 
n.env.data.codes.used(t.tenant.id,e.code),Ki(n,{user:s,client:t,loginSession:r,authParams:{...r.authParams,response_mode:sn.WEB_MESSAGE}})}const md=a.z.object({client_id:a.z.string().optional(),client_secret:a.z.string().optional()}),dv=a.z.union([ah.extend(md.shape),a.z.object({grant_type:a.z.literal("authorization_code"),client_id:a.z.string(),code:a.z.string(),redirect_uri:a.z.string(),code_verifier:a.z.string().min(43).max(128)}),a.z.object({grant_type:a.z.literal("authorization_code"),code:a.z.string(),redirect_uri:a.z.string().optional(),...md.shape})]);function pv(n){if(!n)return{};const[e,t]=n.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&t){const[i,r]=atob(t).split(":");return{client_id:i,client_secret:r}}return{}}const fv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:dv}}}},responses:{200:{content:{"application/json":{schema:a.z.object({access_token:a.z.string(),id_token:a.z.string().optional(),refresh_token:a.z.string().optional(),token_type:a.z.string(),expires_in:a.z.number()})}},description:"Tokens"}}}),async n=>{const e=n.req.valid("form");console.log("body",e);const t=pv(n.req.header("Authorization")),i={...e,...t};if(!i.client_id)throw new N(400,{message:"client_id is required"});switch(e.grant_type){case yr.AuthorizationCode:return uv(n,lv.parse(i));case yr.ClientCredential:return cv(n,ah.parse(i));default:throw new N(400,{message:"Not implemented"})}});var Zc={exports:{}};const Yc=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],ch=(n,e=Yc,t="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let i=n||"";e[0].minDiversity=0,e[0].minLength=0;const 
r=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];t&&r.push({regex:`[${t}]`,message:"symbol"});let s={};s.contains=r.filter(c=>new RegExp(`${c.regex}`).test(i)).map(c=>c.message),s.length=i.length;let o=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,o[0]),s};Zc.exports={passwordStrength:ch,defaultOptions:Yc};var hv=Zc.exports.passwordStrength=ch;Zc.exports.defaultOptions=Yc;function gv(n){return hv(n).id<2?!1:n.length>=8&&/[a-z]/.test(n)&&/[A-Z]/.test(n)&&/[0-9]/.test(n)&&/[^A-Za-z0-9]/.test(n)}async function Qs(n,e){var r;const t=await n.env.data.emailProviders.get(n.var.tenant_id)||(n.env.DEFAULT_TENANT_ID?await n.env.data.emailProviders.get(n.env.DEFAULT_TENANT_ID):null);if(!t)throw new N(500,{message:"Email provider not found"});const i=(r=n.env.emailProviders)==null?void 0:r[t.name];if(!i)throw new N(500,{message:"Email provider not found"});await i({emailProvider:t,...e,from:t.default_from_address||`login@${n.env.ISSUER}`})}async function _v(n,e,t,i){const r=await n.env.data.tenants.get(n.var.tenant_id);if(!r)throw new N(500,{message:"Tenant not found"});const s=`${mt(n.env)}reset-password?state=${i}&code=${t}`,o={vendorName:r.name,lng:r.language||"en"};await Qs(n,{to:e,subject:"Reset your password",html:`Click here to reset your password: ${mt(n.env)}reset-password?state=${i}&code=${t}`,template:"auth-password-reset",data:{vendorName:r.name,logo:r.logo||"",passwordResetUrl:s,supportUrl:r.support_url||"https://support.sesamy.com",buttonColor:r.primary_color||"#7d68f4",passwordResetTitle:ue("password_reset_title",o),resetPasswordEmailClickToReset:ue("reset_password_email_click_to_reset",o),resetPasswordEmailReset:ue("reset_password_email_reset",o),supportInfo:ue("support_info",o),contactUs:ue("contact_us",o),copyright:ue("copyright",o)}})}async function mv(n,e,t){const i=await 
n.env.data.tenants.get(n.var.tenant_id);if(!i)throw new N(500,{message:"Tenant not found"});const r={vendorName:i.name,code:t,lng:i.language||"en"};await Qs(n,{to:e,subject:ue("code_email_subject",r),html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-link",data:{code:t,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:`${bt(n.env)}passwordless/verify_redirect?ticket=${t}`,buttonColor:i.primary_color||"",welcomeToYourAccount:ue("welcome_to_your_account",r),linkEmailClickToLogin:ue("link_email_click_to_login",r),linkEmailLogin:ue("link_email_login",r),linkEmailOrEnterCode:ue("link_email_or_enter_code",r),codeValid30Mins:ue("code_valid_30_minutes",r),supportInfo:ue("support_info",r),contactUs:ue("contact_us",r),copyright:ue("copyright",r)}});const s=ke(n,{type:_e.CODE_LINK_SENT,description:e});Bt(n,n.env.data.logs.create(i.id,s))}async function lh(n,e,t){const i=await n.env.data.tenants.get(n.var.tenant_id);if(!i)throw new N(500,{message:"Tenant not found"});const r={vendorName:i.name,code:t,lng:i.language||"en"};await Qs(n,{to:e,subject:ue("code_email_subject",r),html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-link",data:{code:t,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:`${bt(n.env)}passwordless/verify_redirect?ticket=${t}`,buttonColor:i.primary_color||"",welcomeToYourAccount:ue("welcome_to_your_account",r),linkEmailClickToLogin:ue("link_email_click_to_login",r),linkEmailLogin:ue("link_email_login",r),linkEmailOrEnterCode:ue("link_email_or_enter_code",r),codeValid30Mins:ue("code_valid_30_minutes",r),supportInfo:ue("support_info",r),contactUs:ue("contact_us",r),copyright:ue("copyright",r)}});const s=ke(n,{type:_e.CODE_LINK_SENT,description:e});Bt(n,n.env.data.logs.create(i.id,s))}async function uh(n,e){const t=await n.env.data.tenants.get(n.var.tenant_id);if(!t)throw new N(500,{message:"Tenant not found"});const 
i={vendorName:t.name,lng:t.language||"en"};await Qs(n,{to:e.email,subject:"Validate your email address",html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-verify-email",data:{vendorName:t.name,logo:t.logo||"",emailValidationUrl:`${mt(n.env)}validate-email`,supportUrl:t.support_url||"https://support.sesamy.com",buttonColor:t.primary_color||"#7d68f4",welcomeToYourAccount:ue("welcome_to_your_account",i),verifyEmailVerify:ue("verify_email_verify",i),supportInfo:ue("support_info",i),contactUs:ue("contact_us",i),copyright:ue("copyright",i)}})}const yv=new a.OpenAPIHono().openapi(a.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.literal("Username-Password-Authentication"),email:a.z.string().transform(n=>n.toLowerCase()),password:a.z.string()})}}}},responses:{200:{content:{"application/json":{schema:a.z.object({_id:a.z.string(),email:a.z.string(),email_verified:a.z.boolean(),app_metadata:a.z.object({}),user_metadata:a.z.object({})})}},description:"Created user"}}}),async n=>{const{email:e,password:t,client_id:i}=n.req.valid("json"),r=await n.env.data.clients.get(i);if(!r)throw new N(400,{message:"Client not found"});if(n.set("client_id",r.id),n.set("tenant_id",r.tenant.id),!gv(t))throw new N(400,{message:"Password does not meet the requirements"});if(await os({userAdapter:n.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))throw new N(400,{message:"Invalid sign up"});const o=await n.env.data.users.create(r.tenant.id,{user_id:`auth2|${Za()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});n.set("user_id",o.user_id),n.set("username",o.email),n.set("connection",o.connection);const c=await Ja.hash(t,10);await n.env.data.passwords.create(r.tenant.id,{user_id:o.user_id,password:c,algorithm:"bcrypt"}),await uh(n,o);const 
l=ke(n,{type:_e.SUCCESS_SIGNUP,description:"Successful signup"});return await n.env.data.logs.create(r.tenant.id,l),n.json({_id:o.user_id,email:o.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(a.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.literal("Username-Password-Authentication"),email:a.z.string().transform(n=>n.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{email:e,client_id:t}=n.req.valid("json"),i=await n.env.data.clients.get(t);if(!i)throw new N(400,{message:"Client not found"});if(n.set("client_id",i.id),n.set("tenant_id",i.tenant.id),!await Ya({userAdapter:n.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))return n.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:t,username:e},o=await n.env.data.logins.create(i.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:s,...Hn(n.req)});return await _v(n,e,o.login_id,o.authParams.state),n.html("If an account with that email exists, we've sent instructions to reset your password.")});function dh(){const n="1234567890";let e="";for(let t=0;t<6;t+=1)e+=n[Math.floor(Math.random()*10)];return e.toString()}const vv=new a.OpenAPIHono().openapi(a.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.string(),email:a.z.string().transform(n=>n.toLowerCase()),send:a.z.enum(["link","code"]),authParams:Ka.omit({client_id:!0})})}}}},responses:{200:{description:"Status"}}}),async n=>{const e=n.req.valid("json"),{env:t}=n,{client_id:i,email:r,send:s,authParams:o}=e,c=await n.env.data.clients.get(i);if(!c)throw new N(400,{message:"Client not found"});n.set("client_id",c.id),n.set("tenant_id",c.tenant.id);const 
l=await t.data.logins.create(c.tenant.id,{authParams:{...o,client_id:i,username:r},expires_at:new Date(Date.now()+Xu).toISOString(),...Hn(n.req)}),u=await t.data.codes.create(c.tenant.id,{code_id:dh(),code_type:"otp",login_id:l.login_id,expires_at:new Date(Date.now()+Xu).toISOString()});return s==="link"?await lh(n,r,u.code_id):await mv(n,r,u.code_id),n.html("OK")}).openapi(a.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:a.z.object({scope:a.z.string(),response_type:a.z.nativeEnum(Ut),redirect_uri:a.z.string(),state:a.z.string(),nonce:a.z.string().optional(),verification_code:a.z.string(),connection:a.z.string(),client_id:a.z.string(),email:a.z.string().transform(n=>n.toLowerCase()),audience:a.z.string().optional()})},responses:{302:{description:"Status"}}}),async n=>{const{env:e}=n,{client_id:t,email:i,verification_code:r,redirect_uri:s,state:o,scope:c,audience:l,response_type:u,nonce:p}=n.req.valid("query"),g=await Fc(e,t);n.set("client_id",g.id),n.set("tenant_id",g.tenant.id),n.set("connection","email");const m=await e.data.codes.get(g.tenant.id,r,"otp");if(!m)throw new N(400,{message:"Code not found or expired"});if(m.expires_at<new Date().toISOString())throw new N(400,{message:"Code expired"});const x=await e.data.logins.get(g.tenant.id,m.login_id);if(!x||x.authParams.username!==i)throw new N(400,{message:"Code not found or expired"});const h=Hn(n.req);if(x.ip!==h.ip)return n.redirect(`${mt(n.env)}invalid-session?state=${x.login_id}`);if(!Ys(s,g.callbacks))throw new N(400,{message:`Invalid redirect URI - ${s}`});const _={client_id:t,redirect_uri:s,state:o,nonce:p,scope:c,audience:l,response_type:u},b=await os({userAdapter:e.data.users,tenant_id:g.tenant.id,email:i,provider:"email"});if(!b)throw new N(400,{message:"User not found"});return Ki(n,{user:b,client:g,loginSession:x,authParams:_})});class si extends N{constructor(t,i){super(t,i);te(this,"_code");this._code=i==null?void 0:i.code}get code(){return 
this._code}}async function wv(n,e,t){const{env:i}=n,r=t.username;if(n.set("username",r),!r)throw new N(400,{message:"Username is required"});const s=await Ya({userAdapter:n.env.data.users,tenant_id:e.tenant.id,email:r,provider:"auth2"});if(!s){const m=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"User not found",code:"USER_NOT_FOUND"})}const o=s.linked_to?await i.data.users.get(e.tenant.id,s.linked_to):s;if(!o)throw new si(403,{message:"User not found",code:"USER_NOT_FOUND"});n.set("connection",s.connection),n.set("user_id",o.user_id);const{password:c}=await i.data.passwords.get(e.tenant.id,s.user_id);if(!await Ja.compare(t.password,c)){const m=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await i.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${o.user_id}`})).logs.filter(m=>m.type===_e.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(m.date)>new Date(Date.now()-1e3*60*5)).length>=3){const m=ke(n,{type:_e.FAILED_LOGIN,description:"Too many failed login attempts"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!s.email_verified&&e.email_validation==="enforced"){await uh(n,s);const m=ke(n,{type:_e.FAILED_LOGIN,description:"Email not verified"});throw await n.env.data.logs.create(e.tenant.id,m),new si(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const g=ke(n,{type:_e.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return Bt(n,n.env.data.logs.create(e.tenant.id,g)),o}function bv(){const n=new Uint8Array(32);return crypto.getRandomValues(n),rn.encode(n,{includePadding:!1})}function yd(){return new 
N(403,{res:new Response(JSON.stringify({error:"access_denied",error_description:"Wrong email or verification code."}),{status:403,headers:{"Content-Type":"application/json"}}),message:"Wrong email or verification code."})}const vd=30*60*1e3,kv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.union([a.z.object({credential_type:a.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:a.z.string(),client_id:a.z.string(),username:a.z.string().transform(n=>n.toLowerCase()),realm:a.z.enum(["email"]),scope:a.z.string().optional()}),a.z.object({credential_type:a.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:a.z.string(),username:a.z.string().transform(n=>n.toLowerCase()),password:a.z.string(),realm:a.z.enum(["Username-Password-Authentication"]),scope:a.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async n=>{const e=n.req.valid("json"),{client_id:t,username:i}=e;n.set("username",i);const r=await n.env.data.clients.get(t);if(!r)throw new N(400,{message:"Client not found"});n.set("client_id",t),n.set("tenant_id",r.tenant.id);const s=i.toLocaleLowerCase();let o;if("otp"in e){const p=await n.env.data.codes.get(r.tenant.id,e.otp,"otp");if(!p)throw yd();const g=await n.env.data.logins.get(r.tenant.id,p.login_id);if(!g||g.authParams.username!==s)throw yd();o=g}else if("password"in e)await wv(n,r,{username:i,password:e.password,client_id:t}),o=await n.env.data.logins.create(r.tenant.id,{expires_at:new Date(Date.now()+vd).toISOString(),authParams:{client_id:r.id,username:s},...Hn(n.req)});else throw new N(400,{message:"Code or password required"});const c=bv(),l=Ke(12),u=await n.env.data.codes.create(r.tenant.id,{code_id:Ke(),code_type:"ticket",login_id:o.login_id,expires_at:new Date(Date.now()+vd).toISOString(),code_verifier:[l,c].join("|")});return n.json({login_ticket:u.code_id,co_verifier:c,co_id:l})});function 
xv(n,e){var i,r,s;if(!n||e.length===0)return!1;const t=((i=yo(n))==null?void 0:i.host)??null;if(!t)return!1;for(const o of e){let c;if(o.startsWith("http://")||o.startsWith("https://")?c=((r=yo(o))==null?void 0:r.host)??null:c=((s=yo("https://"+o))==null?void 0:s.host)??null,t===c)return!0}return!1}function yo(n){try{return new URL(n)}catch{return null}}async function Sv({ctx:n,session:e,client:t,authParams:i,connection:r,login_hint:s}){const o=await n.env.data.logins.create(t.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:i,...Hn(n.req)});if(e&&s){const c=await n.env.data.users.get(t.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return Ki(n,{client:t,loginSession:o,authParams:i,user:c,sid:e.session_id})}if(r==="email"&&s){const c=dh();return await n.env.data.codes.create(t.tenant.id,{code_id:c,code_type:"otp",login_id:o.login_id,expires_at:new Date(Date.now()+es*1e3).toISOString()}),await lh(n,s,c),n.redirect(`/u/enter-code?state=${o.login_id}`)}return e?n.redirect(`/u/check-account?state=${o.login_id}`):n.redirect(`/u/enter-email?state=${o.login_id}`)}function Av(n){if(n==="Username-Password-Authentication")return"auth2";if(n==="email")return"email";throw new N(403,{message:"Invalid realm"})}async function Iv(n,e,t,i,r){var m;const{env:s}=n;n.set("connection",r);const o=await s.data.codes.get(e,t,"ticket");if(!o||o.used_at)throw new N(403,{message:"Ticket not found"});const c=await s.data.logins.get(e,o.login_id);if(!c||!c.authParams.username)throw new N(403,{message:"Session not found"});const l=await s.data.clients.get(c.authParams.client_id);if(!l)throw new N(403,{message:"Client not found"});n.set("client_id",c.authParams.client_id),await s.data.codes.used(e,t);const u=Av(r);let p=await os({userAdapter:s.data.users,tenant_id:e,email:c.authParams.username,provider:u});p||(p=await 
s.data.users.create(e,{user_id:`email|${Za()}`,email:c.authParams.username,name:c.authParams.username,provider:"email",connection:"email",email_verified:!0,is_social:!1,last_ip:"",last_login:new Date().toISOString()})),n.set("username",p.email),n.set("user_id",p.user_id);const g=await sh(n,p,l);return Ki(n,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...i},loginSession:c,sid:g.session_id,user:p,client:l})}async function wd(n,e){return`<!DOCTYPE html>
|
|
149
|
+
</html>`;return new Response(r,{headers:{"Content-Type":"text/html"}})}async function Jy(n,e,t,i,r){var m,x,h;if(!t.redirect_uri)throw new N(400,{message:"Missing redirect_uri in authParams"});const[s]=await n.env.data.keys.list();if(!s)throw new N(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new N(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:o,audience:c}=e.addons.samlp,l=t.state||"";if(!o||!l||!i||!t.state)throw new N(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(t.state),p=new URL(t.redirect_uri),g=await Zy(n,{issuer:n.env.ISSUER,audience:c||t.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((h=(x=i.app_metadata)==null?void 0:x.vimeo)==null?void 0:h.user_id)||i.user_id,email:i.email,sessionIndex:r,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return Gy(p.toString(),g,u.relayState)}async function Zy(n,e){const t=e.notBefore||new Date().toISOString(),i=e.notAfter||new Date(new 
Date(t).getTime()+10*60*1e3).toISOString(),r=e.issueInstant||t,s=e.sessionNotOnOrAfter||i,o=e.responseId||`_${Ke()}`,c=e.assertionId||`_${Ke()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":i,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":t,"@_NotOnOrAfter":i}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":r,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:at
trname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":r,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":o,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":r,"@_Version":"2.0"}}];let p=new Wy.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const 
m=await fetch(n.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}const fd=["sub","iss","aud","exp","nbf","iat","jti"];async function Jc(n,e){var _,b;const{authParams:t,user:i,client:r,sid:s}=e,c=(await n.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new N(500,{message:"No signing key available"});const u=Im(l.pkcs7),p={aud:t.audience||"default",scope:t.scope||"",sub:(i==null?void 0:i.user_id)||t.client_id,iss:n.env.ISSUER,tenant_id:n.var.tenant_id,sid:s},g=i&&((_=t.scope)!=null&&_.split(" ").includes("openid"))?{aud:t.client_id,sub:i.user_id,iss:n.env.ISSUER,sid:s,nonce:t.nonce,given_name:i.given_name,family_name:i.family_name,nickname:i.nickname,picture:i.picture,locale:i.locale,name:i.name,email:i.email,email_verified:i.email_verified}:void 0;(b=n.env.hooks)!=null&&b.onExecuteCredentialsExchange&&await n.env.hooks.onExecuteCredentialsExchange({client:r,user:i,scope:t.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,O)=>{if(fd.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=O}},idToken:{setCustomClaim:(S,O)=>{if(fd.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);g&&(g[S]=O)}},access:{deny:S=>{throw new N(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new Hc(1,"d"),headers:{kid:l.kid}},x=await ad("RS256",u,p,m),h=g?await ad("RS256",u,g,m):void 0;return{access_token:x,id_token:h,token_type:"Bearer",expires_in:86400}}async function sh(n,e,t){return await n.env.data.sessions.create(t.tenant.id,{session_id:Ke(),user_id:e.user_id,client_id:t.id,expires_at:new Date(Date.now()+Uf*1e3).toISOString(),used_at:new Date().toISOString()})}async function 
Ki(n,e){const{authParams:t,user:i,client:r}=e,s=e.sid||(await sh(n,i,r)).session_id;if(e.authParams.response_mode===sn.SAML_POST)return Jy(n,e.client,e.authParams,i,s);const o=await Jc(n,{authParams:t,user:i,client:r,sid:s}),c=new Headers({"set-cookie":Yf(r.tenant.id,s)});if(t.response_mode===sn.WEB_MESSAGE)return n.json(o,{headers:c});if((t.response_type||Ut.CODE)===Ut.CODE){if(!e.loginSession)throw new N(500,{message:"Login session not found"});const u=await n.env.data.codes.create(r.tenant.id,{code_id:Ke(),user_id:i.user_id,code_type:"authorization_code",login_id:e.loginSession.login_id,expires_at:new Date(Date.now()+U0*1e3).toISOString()});c.set("location",`${t.redirect_uri}?state=${e.authParams.state}&code=${u.code_id}`)}return new Response("Redirecting",{status:302,headers:c})}function Yy(n){return async(e,t)=>{if(!t.email||!t.email_verified)return n.users.create(e,t);const i=await Hd({userAdapter:n.users,tenant_id:e,email:t.email});return i?(await n.users.create(e,{...t,linked_to:i.user_id}),i):n.users.create(e,t)}}async function oh(n,e,t){for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(t)})).ok){const s=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});await t.logs.create(n.var.tenant_id,s)}}function Xy(n,e){return async(t,i)=>{const{hooks:r}=await e.hooks.list(t);return await oh(n,r,{tenant_id:t,user:i,trigger_id:"post-user-registration"}),i}}function Qy(n,e){return async(t,i)=>{const{hooks:r}=await e.hooks.list(t,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await oh(n,r,{tenant_id:t,email:i,trigger_id:"pre-user-signup"})}}function ev(n,e){return async(t,i)=>{let r=await Yy(e)(t,i);return await Xy(n,e)(t,r),r}}async function tv(n,e,t,i){if(e.disable_sign_ups&&!await Hd({userAdapter:n.env.data.users,tenant_id:e.tenant.id,email:i})){const s=ke(n,{type:_e.FAILED_SIGNUP,description:"Public signup is disabled"});throw await 
n.env.data.logs.create(e.tenant.id,s),new N(400,{message:"Signups are disabled for this client"})}await Qy(n,t)(n.var.tenant_id||"",i)}function nv(n,e){return{...e,users:{...e.users,create:ev(n,e)}}}async function iv(n,e,t,i){if(!i.state)throw new N(400,{message:"State not found"});const r=e.connections.find(l=>l.name===t);if(!r){n.set("client_id",e.id);const l=ke(n,{type:_e.FAILED_LOGIN,description:"Connection not found"});throw await n.env.data.logs.create(e.tenant.id,l),new N(403,{message:"Connection Not Found"})}let s=await n.env.data.logins.get(e.tenant.id,i.state);s||(s=await n.env.data.logins.create(e.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:i,...Hn(n.req)}));const c=await Gf(n,r.strategy).getRedirect(n,r);return await n.env.data.codes.create(e.tenant.id,{login_id:s.login_id,code_id:c.code,code_type:"oauth2_state",connection_id:r.id,code_verifier:c.codeVerifier,expires_at:new Date(Date.now()+V0*1e3).toISOString()}),n.redirect(c.redirectUrl)}async function hd(n,{code:e,state:t}){var h;const{env:i}=n,r=await i.data.codes.get(n.var.tenant_id||"",t,"oauth2_state");if(!r||!r.connection_id)throw new N(403,{message:"State not found"});const s=await i.data.logins.get(n.var.tenant_id||"",r.login_id);if(!s)throw new N(403,{message:"Session not found"});const o=await Fc(i,s.authParams.client_id);n.set("client_id",o.id),n.set("tenant_id",o.tenant.id);const c=o.connections.find(_=>_.id===r.connection_id);if(!c){const _=ke(n,{type:_e.FAILED_LOGIN,description:"Connection not found"});throw await i.data.logs.create(o.tenant.id,_),new N(403,{message:"Connection not found"})}if(n.set("connection",c.name),!s.authParams.redirect_uri){const _=ke(n,{type:_e.FAILED_LOGIN,description:"Redirect URI not defined"});throw await i.data.logs.create(o.tenant.id,_),new N(403,{message:"Redirect URI not defined"})}if(!Ys(s.authParams.redirect_uri,o.callbacks||[],{allowPathWildcards:!0})){const _=`Invalid redirect URI - 
${s.authParams.redirect_uri}`,b=ke(n,{type:_e.FAILED_LOGIN,description:_});throw await i.data.logs.create(o.tenant.id,b),new N(403,{message:_})}const u=await Gf(n,c.strategy).validateAuthorizationCodeAndGetUser(n,c,e,r.code_verifier),{sub:p,...g}=u;n.set("user_id",p);const m=((h=u.email)==null?void 0:h.toLocaleLowerCase())||`${c.name}.${p}@${new URL(n.env.ISSUER).hostname}`;n.set("username",m);let x=await os({userAdapter:i.data.users,tenant_id:o.tenant.id,email:m,provider:c.name});if(!x){try{await tv(n,o,n.env.data,m)}catch(_){const b=_;throw new N(500,{message:`Failed to run preUserSignupHook: ${b.message}`})}x=await i.data.users.create(o.tenant.id,{user_id:`${c.name}|${p}`,email:m,name:m,provider:c.name,connection:c.name,email_verified:!0,last_ip:"",is_social:!0,last_login:new Date().toISOString(),profileData:JSON.stringify(g)}),n.set("user_id",x.user_id)}return Ki(n,{client:o,authParams:s.authParams,loginSession:s,user:x})}async function gd(n,e,t,i,r,s){const o=await n.env.data.codes.get(n.var.tenant_id||"",e,"oauth2_state");if(!o)throw new N(400,{message:"State not found"});const c=await n.env.data.logins.get(n.var.tenant_id,o.login_id);if(!c)throw new N(400,{message:"Login not found"});const{redirect_uri:l}=c.authParams;if(!l)throw new N(400,{message:"Redirect uri not found"});const u=ke(n,{type:_e.FAILED_LOGIN,description:`Failed connection login: ${r} ${t}, ${i}`});Bt(n,n.env.data.logs.create(n.var.tenant_id,u));const p=new URL(l);return P0(p,{error:t,error_description:i,error_reason:s,error_code:r,state:c.authParams.state}),n.redirect(`${mt(n.env)}enter-email?state=${c.login_id}&error=${t}`)}const rv=new 
a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:a.z.object({state:a.z.string(),code:a.z.string().optional(),scope:a.z.string().optional(),hd:a.z.string().optional(),error:a.z.string().optional(),error_description:a.z.string().optional(),error_code:a.z.string().optional(),error_reason:a.z.string().optional()})},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{state:e,code:t,error:i,error_description:r,error_code:s,error_reason:o}=n.req.valid("query");if(i)return gd(n,e,i,r,s,o);if(!t)throw new N(400,{message:"Code is required"});return hd(n,{code:t,state:e})}).openapi(a.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:a.z.object({state:a.z.string(),code:a.z.string().optional(),scope:a.z.string().optional(),hd:a.z.string().optional(),error:a.z.string().optional(),error_description:a.z.string().optional(),error_code:a.z.string().optional(),error_reason:a.z.string().optional()})}}}},responses:{302:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{state:e,code:t,error:i,error_description:r,error_code:s,error_reason:o}=n.req.valid("form");if(i)return gd(n,e,i,r,s,o);if(!t)throw new N(400,{message:"Code is required"});return hd(n,{code:t,state:e})}),sv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{query:a.z.object({client_id:a.z.string(),returnTo:a.z.string().optional()}),header:a.z.object({cookie:a.z.string().optional()})},responses:{302:{description:"Log the user out"}}}),async n=>{const{client_id:e,returnTo:t}=n.req.valid("query"),i=await n.env.data.clients.get(e);if(!i)return n.text("OK");const r=await n.env.data.clients.get("DEFAULT_CLIENT");n.set("client_id",e),n.set("tenant_id",i.tenant.id);const s=t||n.req.header("referer");if(!s)return n.text("OK");if(!Ys(s,[...i.allowed_logout_urls||[],...(r==null?void 
0:r.allowed_logout_urls)||[]],{allowPathWildcards:!0}))throw new N(400,{message:"Invalid redirect uri"});const o=n.req.header("cookie");if(o){const l=Zf(i.tenant.id,o);if(l){const u=await n.env.data.sessions.get(i.tenant.id,l);if(u){const p=await n.env.data.users.get(i.tenant.id,u.user_id);p&&(n.set("user_id",p.user_id),n.set("connection",p.connection))}await n.env.data.sessions.remove(i.tenant.id,l)}}const c=ke(n,{type:_e.SUCCESS_LOGOUT,description:"User successfully logged out"});return await n.env.data.logs.create(i.tenant.id,c),new Response("Redirecting",{status:302,headers:{"set-cookie":Cm(i.tenant.id),location:s}})}),_d=a.z.object({sub:a.z.string(),email:a.z.string().optional(),family_name:a.z.string().optional(),given_name:a.z.string().optional(),email_verified:a.z.boolean()}),ov=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"get",path:"/",request:{},security:[{Bearer:["openid"]}],responses:{200:{content:{"application/json":{schema:_d}},description:"Userinfo"}}}),async n=>{if(!n.var.user)throw new N(404,{message:"User not found"});const e=await n.env.data.users.get(n.var.user.tenant_id,n.var.user.sub);if(!e)throw new N(404,{message:"User not found"});return n.json(_d.parse({...e,sub:e.user_id}))}),av=new a.OpenAPIHono().openapi(a.createRoute({tags:["well known"],method:"get",path:"/jwks.json",request:{},responses:{200:{content:{"application/json":{schema:Cd}},description:"List of tenants"}}}),async n=>{const e=await n.env.data.keys.list(),t=await Promise.all(e.map(async i=>{const s=await new Vc(i.cert).publicKey.export(),o=await crypto.subtle.exportKey("jwk",s);return Wa.parse({...o,kid:i.kid})}));return n.json({keys:t},{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${Qi}, stale-while-revalidate=${Qi*2}, stale-if-error=86400`}})}).openapi(a.createRoute({tags:["well 
known"],method:"get",path:"/openid-configuration",request:{},responses:{200:{content:{"application/json":{schema:bo}},description:"List of tenants"}}}),async n=>{const e=n.env.ISSUER,t=bo.parse({issuer:e,authorization_endpoint:`${e}authorize`,token_endpoint:`${e}oauth/token`,device_authorization_endpoint:`${e}oauth/device/code`,userinfo_endpoint:`${e}userinfo`,mfa_challenge_endpoint:`${e}mfa/challenge`,jwks_uri:`${e}.well-known/jwks.json`,registration_endpoint:`${e}oidc/register`,revocation_endpoint:`${e}oauth/revoke`,scopes_supported:["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],response_types_supported:["code","token","id_token","code token","code id_token","token id_token","code token id_token"],code_challenge_methods_supported:["S256","plain"],response_modes_supported:["query","fragment","form_post"],subject_types_supported:["public"],id_token_signing_alg_values_supported:["RS256"],token_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post"],claims_supported:["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],request_uri_parameter_supported:!1,request_parameter_supported:!1,token_endpoint_auth_signing_alg_values_supported:["RS256","RS384","PS256"]});return n.json(t,{headers:{"access-control-allow-origin":"*","access-control-allow-method":"GET","cache-control":`public, max-age=${Qi}, stale-while-revalidate=${Qi*2}, stale-if-error=86400`}})});function ar(n,e){if(!n||!e||n.length!==e.length)return!1;let t=0;for(let i=0;i<n.length;i++)t|=n.charCodeAt(i)^e.charCodeAt(i);return t===0}const ah=a.z.object({grant_type:a.z.literal("client_credentials"),scope:a.z.string().optional(),client_secret:a.z.string(),client_id:a.z.string(),audience:a.z.string().optional()});async function cv(n,e){const t=await 
n.env.data.clients.get(e.client_id);if(!t)throw new N(403,{message:"Invalid client credentials"});if(t.client_secret&&!ar(t.client_secret,e.client_secret))throw new N(403,{message:"Invalid client credentials"});const i={client_id:t.id,scope:e.scope,audience:e.audience},r=await Jc(n,{authParams:i,client:t});return n.json(r)}const lv=a.z.object({grant_type:a.z.literal("authorization_code"),client_id:a.z.string(),code:a.z.string(),redirect_uri:a.z.string().optional(),client_secret:a.z.string().optional(),code_verifier:a.z.string().optional()}).refine(n=>"client_secret"in n&&!("code_verifier"in n)||!("client_secret"in n)&&"code_verifier"in n,{message:"Must provide either client_secret (standard flow) or code_verifier/code_verifier_mode (PKCE flow), but not both"});async function uv(n,e){const t=await n.env.data.clients.get(e.client_id);if(!t)throw new N(403,{message:"Client not found"});console.log("client",t);const i=await n.env.data.codes.get(t.tenant.id,e.code,"authorization_code");if(!i||!i.user_id)throw new N(403,{message:"Invalid client credentials"});if(new Date(i.expires_at)<new Date)throw new N(403,{message:"Code expired"});if(i.used_at)throw new N(403,{message:"Code already used"});const r=await n.env.data.logins.get(t.tenant.id,i.login_id);if(!r)throw new N(403,{message:"Invalid login"});if("client_secret"in e){const o=await n.env.data.clients.get("DEFAULT_CLIENT");if(!ar(t.client_secret,e.client_secret)&&!ar(o==null?void 0:o.client_secret,e.client_secret))throw new N(403,{message:"Invalid client credentials"})}else if("code_verifier"in e&&typeof e.code_verifier=="string"&&"code_challenge_method"in r.authParams&&typeof r.authParams.code_challenge_method=="string"){const o=await Em(e.code_verifier,r.authParams.code_challenge_method);if(!ar(o,r.authParams.code_challenge||""))throw new N(403,{message:"Invalid client credentials"})}if(r.authParams.redirect_uri&&r.authParams.redirect_uri!==e.redirect_uri)throw new N(403,{message:"Invalid redirect uri"});const 
s=await n.env.data.users.get(t.tenant.id,i.user_id);if(!s)throw new N(403,{message:"User not found"});return await n.env.data.codes.used(t.tenant.id,e.code),Ki(n,{user:s,client:t,loginSession:r,authParams:{...r.authParams,response_mode:sn.WEB_MESSAGE}})}const md=a.z.object({client_id:a.z.string().optional(),client_secret:a.z.string().optional()}),dv=a.z.union([ah.extend(md.shape),a.z.object({grant_type:a.z.literal("authorization_code"),client_id:a.z.string(),code:a.z.string(),redirect_uri:a.z.string(),code_verifier:a.z.string().min(43).max(128)}),a.z.object({grant_type:a.z.literal("authorization_code"),code:a.z.string(),redirect_uri:a.z.string().optional(),...md.shape})]);function pv(n){if(!n)return{};const[e,t]=n.split(" ");if((e==null?void 0:e.toLowerCase())==="basic"&&t){const[i,r]=atob(t).split(":");return{client_id:i,client_secret:r}}return{}}const fv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth2"],method:"post",path:"/",request:{body:{content:{"application/x-www-form-urlencoded":{schema:dv}}}},responses:{200:{content:{"application/json":{schema:a.z.object({access_token:a.z.string(),id_token:a.z.string().optional(),refresh_token:a.z.string().optional(),token_type:a.z.string(),expires_in:a.z.number()})}},description:"Tokens"}}}),async n=>{const e=n.req.valid("form");console.log("body",e);const t=pv(n.req.header("Authorization")),i={...e,...t};if(!i.client_id)throw new N(400,{message:"client_id is required"});switch(e.grant_type){case yr.AuthorizationCode:return uv(n,lv.parse(i));case yr.ClientCredential:return cv(n,ah.parse(i));default:throw new N(400,{message:"Not implemented"})}});var Zc={exports:{}};const Yc=[{id:0,value:"Too weak",minDiversity:0,minLength:0},{id:1,value:"Weak",minDiversity:2,minLength:6},{id:2,value:"Medium",minDiversity:4,minLength:8},{id:3,value:"Strong",minDiversity:4,minLength:10}],ch=(n,e=Yc,t="!\"#$%&'()*+,-./:;<=>?@[\\\\\\]^_`{|}~")=>{let i=n||"";e[0].minDiversity=0,e[0].minLength=0;const 
r=[{regex:"[a-z]",message:"lowercase"},{regex:"[A-Z]",message:"uppercase"},{regex:"[0-9]",message:"number"}];t&&r.push({regex:`[${t}]`,message:"symbol"});let s={};s.contains=r.filter(c=>new RegExp(`${c.regex}`).test(i)).map(c=>c.message),s.length=i.length;let o=e.filter(c=>s.contains.length>=c.minDiversity).filter(c=>s.length>=c.minLength).sort((c,l)=>l.id-c.id).map(c=>({id:c.id,value:c.value}));return Object.assign(s,o[0]),s};Zc.exports={passwordStrength:ch,defaultOptions:Yc};var hv=Zc.exports.passwordStrength=ch;Zc.exports.defaultOptions=Yc;function gv(n){return hv(n).id<2?!1:n.length>=8&&/[a-z]/.test(n)&&/[A-Z]/.test(n)&&/[0-9]/.test(n)&&/[^A-Za-z0-9]/.test(n)}async function Qs(n,e){var r;const t=await n.env.data.emailProviders.get(n.var.tenant_id)||(n.env.DEFAULT_TENANT_ID?await n.env.data.emailProviders.get(n.env.DEFAULT_TENANT_ID):null);if(!t)throw new N(500,{message:"Email provider not found"});const i=(r=n.env.emailProviders)==null?void 0:r[t.name];if(!i)throw new N(500,{message:"Email provider not found"});await i({emailProvider:t,...e,from:t.default_from_address||`login@${n.env.ISSUER}`})}async function _v(n,e,t,i){const r=await n.env.data.tenants.get(n.var.tenant_id);if(!r)throw new N(500,{message:"Tenant not found"});const s=`${mt(n.env)}reset-password?state=${i}&code=${t}`,o={vendorName:r.name,lng:r.language||"en"};await Qs(n,{to:e,subject:"Reset your password",html:`Click here to reset your password: ${mt(n.env)}reset-password?state=${i}&code=${t}`,template:"auth-password-reset",data:{vendorName:r.name,logo:r.logo||"",passwordResetUrl:s,supportUrl:r.support_url||"https://support.sesamy.com",buttonColor:r.primary_color||"#7d68f4",passwordResetTitle:ue("password_reset_title",o),resetPasswordEmailClickToReset:ue("reset_password_email_click_to_reset",o),resetPasswordEmailReset:ue("reset_password_email_reset",o),supportInfo:ue("support_info",o),contactUs:ue("contact_us",o),copyright:ue("copyright",o)}})}async function mv(n,e,t){const i=await 
n.env.data.tenants.get(n.var.tenant_id);if(!i)throw new N(500,{message:"Tenant not found"});const r={vendorName:i.name,code:t,lng:i.language||"en"};await Qs(n,{to:e,subject:ue("code_email_subject",r),html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-link",data:{code:t,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:`${bt(n.env)}passwordless/verify_redirect?ticket=${t}`,buttonColor:i.primary_color||"",welcomeToYourAccount:ue("welcome_to_your_account",r),linkEmailClickToLogin:ue("link_email_click_to_login",r),linkEmailLogin:ue("link_email_login",r),linkEmailOrEnterCode:ue("link_email_or_enter_code",r),codeValid30Mins:ue("code_valid_30_minutes",r),supportInfo:ue("support_info",r),contactUs:ue("contact_us",r),copyright:ue("copyright",r)}});const s=ke(n,{type:_e.CODE_LINK_SENT,description:e});Bt(n,n.env.data.logs.create(i.id,s))}async function lh(n,e,t){const i=await n.env.data.tenants.get(n.var.tenant_id);if(!i)throw new N(500,{message:"Tenant not found"});const r={vendorName:i.name,code:t,lng:i.language||"en"};await Qs(n,{to:e,subject:ue("code_email_subject",r),html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-link",data:{code:t,vendorName:i.name,logo:i.logo||"",supportUrl:i.support_url||"",magicLink:`${bt(n.env)}passwordless/verify_redirect?ticket=${t}`,buttonColor:i.primary_color||"",welcomeToYourAccount:ue("welcome_to_your_account",r),linkEmailClickToLogin:ue("link_email_click_to_login",r),linkEmailLogin:ue("link_email_login",r),linkEmailOrEnterCode:ue("link_email_or_enter_code",r),codeValid30Mins:ue("code_valid_30_minutes",r),supportInfo:ue("support_info",r),contactUs:ue("contact_us",r),copyright:ue("copyright",r)}});const s=ke(n,{type:_e.CODE_LINK_SENT,description:e});Bt(n,n.env.data.logs.create(i.id,s))}async function uh(n,e){const t=await n.env.data.tenants.get(n.var.tenant_id);if(!t)throw new N(500,{message:"Tenant not found"});const 
i={vendorName:t.name,lng:t.language||"en"};await Qs(n,{to:e.email,subject:"Validate your email address",html:`Click here to validate your email: ${mt(n.env)}validate-email`,template:"auth-verify-email",data:{vendorName:t.name,logo:t.logo||"",emailValidationUrl:`${mt(n.env)}validate-email`,supportUrl:t.support_url||"https://support.sesamy.com",buttonColor:t.primary_color||"#7d68f4",welcomeToYourAccount:ue("welcome_to_your_account",i),verifyEmailVerify:ue("verify_email_verify",i),supportInfo:ue("support_info",i),contactUs:ue("contact_us",i),copyright:ue("copyright",i)}})}const yv=new a.OpenAPIHono().openapi(a.createRoute({tags:["dbconnections"],method:"post",path:"/signup",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.literal("Username-Password-Authentication"),email:a.z.string().transform(n=>n.toLowerCase()),password:a.z.string()})}}}},responses:{200:{content:{"application/json":{schema:a.z.object({_id:a.z.string(),email:a.z.string(),email_verified:a.z.boolean(),app_metadata:a.z.object({}),user_metadata:a.z.object({})})}},description:"Created user"}}}),async n=>{const{email:e,password:t,client_id:i}=n.req.valid("json"),r=await n.env.data.clients.get(i);if(!r)throw new N(400,{message:"Client not found"});if(n.set("client_id",r.id),n.set("tenant_id",r.tenant.id),!gv(t))throw new N(400,{message:"Password does not meet the requirements"});if(await os({userAdapter:n.env.data.users,tenant_id:r.tenant.id,email:e,provider:"auth2"}))throw new N(400,{message:"Invalid sign up"});const o=await n.env.data.users.create(r.tenant.id,{user_id:`auth2|${Za()}`,email:e,email_verified:!1,provider:"auth2",connection:"Username-Password-Authentication",is_social:!1});n.set("user_id",o.user_id),n.set("username",o.email),n.set("connection",o.connection);const c=await Ja.hash(t,10);await n.env.data.passwords.create(r.tenant.id,{user_id:o.user_id,password:c,algorithm:"bcrypt"}),await uh(n,o);const 
l=ke(n,{type:_e.SUCCESS_SIGNUP,description:"Successful signup"});return await n.env.data.logs.create(r.tenant.id,l),n.json({_id:o.user_id,email:o.email,email_verified:!1,app_metadata:{},user_metadata:{}})}).openapi(a.createRoute({tags:["dbconnections"],method:"post",path:"/change_password",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.literal("Username-Password-Authentication"),email:a.z.string().transform(n=>n.toLowerCase())})}}}},responses:{200:{description:"Redirect to the client's redirect uri"}}}),async n=>{const{email:e,client_id:t}=n.req.valid("json"),i=await n.env.data.clients.get(t);if(!i)throw new N(400,{message:"Client not found"});if(n.set("client_id",i.id),n.set("tenant_id",i.tenant.id),!await Ya({userAdapter:n.env.data.users,tenant_id:i.tenant.id,email:e,provider:"auth2"}))return n.html("If an account with that email exists, we've sent instructions to reset your password.");const s={client_id:t,username:e},o=await n.env.data.logins.create(i.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:s,...Hn(n.req)});return await _v(n,e,o.login_id,o.authParams.state),n.html("If an account with that email exists, we've sent instructions to reset your password.")});function dh(){const n="1234567890";let e="";for(let t=0;t<6;t+=1)e+=n[Math.floor(Math.random()*10)];return e.toString()}const vv=new a.OpenAPIHono().openapi(a.createRoute({tags:["passwordless"],method:"post",path:"/start",request:{body:{content:{"application/json":{schema:a.z.object({client_id:a.z.string(),connection:a.z.string(),email:a.z.string().transform(n=>n.toLowerCase()),send:a.z.enum(["link","code"]),authParams:Ka.omit({client_id:!0})})}}}},responses:{200:{description:"Status"}}}),async n=>{const e=n.req.valid("json"),{env:t}=n,{client_id:i,email:r,send:s,authParams:o}=e,c=await n.env.data.clients.get(i);if(!c)throw new N(400,{message:"Client not found"});n.set("client_id",c.id),n.set("tenant_id",c.tenant.id);const 
l=await t.data.logins.create(c.tenant.id,{authParams:{...o,client_id:i,username:r},expires_at:new Date(Date.now()+Xu).toISOString(),...Hn(n.req)}),u=await t.data.codes.create(c.tenant.id,{code_id:dh(),code_type:"otp",login_id:l.login_id,expires_at:new Date(Date.now()+Xu).toISOString()});return s==="link"?await lh(n,r,u.code_id):await mv(n,r,u.code_id),n.html("OK")}).openapi(a.createRoute({tags:["passwordless"],method:"get",path:"/verify_redirect",request:{query:a.z.object({scope:a.z.string(),response_type:a.z.nativeEnum(Ut),redirect_uri:a.z.string(),state:a.z.string(),nonce:a.z.string().optional(),verification_code:a.z.string(),connection:a.z.string(),client_id:a.z.string(),email:a.z.string().transform(n=>n.toLowerCase()),audience:a.z.string().optional()})},responses:{302:{description:"Status"}}}),async n=>{const{env:e}=n,{client_id:t,email:i,verification_code:r,redirect_uri:s,state:o,scope:c,audience:l,response_type:u,nonce:p}=n.req.valid("query"),g=await Fc(e,t);n.set("client_id",g.id),n.set("tenant_id",g.tenant.id),n.set("connection","email");const m=await e.data.codes.get(g.tenant.id,r,"otp");if(!m)throw new N(400,{message:"Code not found or expired"});if(m.expires_at<new Date().toISOString())throw new N(400,{message:"Code expired"});const x=await e.data.logins.get(g.tenant.id,m.login_id);if(!x||x.authParams.username!==i)throw new N(400,{message:"Code not found or expired"});const h=Hn(n.req);if(x.ip!==h.ip)return n.redirect(`${mt(n.env)}invalid-session?state=${x.login_id}`);if(!Ys(s,g.callbacks,{allowPathWildcards:!0}))throw new N(400,{message:`Invalid redirect URI - ${s}`});const _={client_id:t,redirect_uri:s,state:o,nonce:p,scope:c,audience:l,response_type:u},b=await os({userAdapter:e.data.users,tenant_id:g.tenant.id,email:i,provider:"email"});if(!b)throw new N(400,{message:"User not found"});return Ki(n,{user:b,client:g,loginSession:x,authParams:_})});class si extends N{constructor(t,i){super(t,i);te(this,"_code");this._code=i==null?void 0:i.code}get 
code(){return this._code}}async function wv(n,e,t){const{env:i}=n,r=t.username;if(n.set("username",r),!r)throw new N(400,{message:"Username is required"});const s=await Ya({userAdapter:n.env.data.users,tenant_id:e.tenant.id,email:r,provider:"auth2"});if(!s){const m=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid user"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"User not found",code:"USER_NOT_FOUND"})}const o=s.linked_to?await i.data.users.get(e.tenant.id,s.linked_to):s;if(!o)throw new si(403,{message:"User not found",code:"USER_NOT_FOUND"});n.set("connection",s.connection),n.set("user_id",o.user_id);const{password:c}=await i.data.passwords.get(e.tenant.id,s.user_id);if(!await Ja.compare(t.password,c)){const m=ke(n,{type:_e.FAILED_LOGIN_INCORRECT_PASSWORD,description:"Invalid password"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"Invalid password",code:"INVALID_PASSWORD"})}if((await i.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,q:`user_id:${o.user_id}`})).logs.filter(m=>m.type===_e.FAILED_LOGIN_INCORRECT_PASSWORD&&new Date(m.date)>new Date(Date.now()-1e3*60*5)).length>=3){const m=ke(n,{type:_e.FAILED_LOGIN,description:"Too many failed login attempts"});throw Bt(n,n.env.data.logs.create(e.tenant.id,m)),new si(403,{message:"Too many failed login attempts",code:"TOO_MANY_FAILED_LOGINS"})}if(!s.email_verified&&e.email_validation==="enforced"){await uh(n,s);const m=ke(n,{type:_e.FAILED_LOGIN,description:"Email not verified"});throw await n.env.data.logs.create(e.tenant.id,m),new si(403,{message:"Email not verified",code:"EMAIL_NOT_VERIFIED"})}const g=ke(n,{type:_e.SUCCESS_LOGIN,description:"Successful login",strategy_type:"Username-Password-Authentication",strategy:"Username-Password-Authentication"});return Bt(n,n.env.data.logs.create(e.tenant.id,g)),o}function bv(){const n=new Uint8Array(32);return crypto.getRandomValues(n),rn.encode(n,{includePadding:!1})}function 
yd(){return new N(403,{res:new Response(JSON.stringify({error:"access_denied",error_description:"Wrong email or verification code."}),{status:403,headers:{"Content-Type":"application/json"}}),message:"Wrong email or verification code."})}const vd=30*60*1e3,kv=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth"],method:"post",path:"/",request:{body:{content:{"application/json":{schema:a.z.union([a.z.object({credential_type:a.z.literal("http://auth0.com/oauth/grant-type/passwordless/otp"),otp:a.z.string(),client_id:a.z.string(),username:a.z.string().transform(n=>n.toLowerCase()),realm:a.z.enum(["email"]),scope:a.z.string().optional()}),a.z.object({credential_type:a.z.literal("http://auth0.com/oauth/grant-type/password-realm"),client_id:a.z.string(),username:a.z.string().transform(n=>n.toLowerCase()),password:a.z.string(),realm:a.z.enum(["Username-Password-Authentication"]),scope:a.z.string().optional()})])}}}},responses:{200:{description:"List of tenants"}}}),async n=>{const e=n.req.valid("json"),{client_id:t,username:i}=e;n.set("username",i);const r=await n.env.data.clients.get(t);if(!r)throw new N(400,{message:"Client not found"});n.set("client_id",t),n.set("tenant_id",r.tenant.id);const s=i.toLocaleLowerCase();let o;if("otp"in e){const p=await n.env.data.codes.get(r.tenant.id,e.otp,"otp");if(!p)throw yd();const g=await n.env.data.logins.get(r.tenant.id,p.login_id);if(!g||g.authParams.username!==s)throw yd();o=g}else if("password"in e)await wv(n,r,{username:i,password:e.password,client_id:t}),o=await n.env.data.logins.create(r.tenant.id,{expires_at:new Date(Date.now()+vd).toISOString(),authParams:{client_id:r.id,username:s},...Hn(n.req)});else throw new N(400,{message:"Code or password required"});const c=bv(),l=Ke(12),u=await n.env.data.codes.create(r.tenant.id,{code_id:Ke(),code_type:"ticket",login_id:o.login_id,expires_at:new Date(Date.now()+vd).toISOString(),code_verifier:[l,c].join("|")});return 
n.json({login_ticket:u.code_id,co_verifier:c,co_id:l})});function xv(n,e){var i,r,s;if(!n||e.length===0)return!1;const t=((i=yo(n))==null?void 0:i.host)??null;if(!t)return!1;for(const o of e){let c;if(o.startsWith("http://")||o.startsWith("https://")?c=((r=yo(o))==null?void 0:r.host)??null:c=((s=yo("https://"+o))==null?void 0:s.host)??null,t===c)return!0}return!1}function yo(n){try{return new URL(n)}catch{return null}}async function Sv({ctx:n,session:e,client:t,authParams:i,connection:r,login_hint:s}){const o=await n.env.data.logins.create(t.tenant.id,{expires_at:new Date(Date.now()+es*1e3).toISOString(),authParams:i,...Hn(n.req)});if(e&&s){const c=await n.env.data.users.get(t.tenant.id,e.user_id);if((c==null?void 0:c.email)===s)return Ki(n,{client:t,loginSession:o,authParams:i,user:c,sid:e.session_id})}if(r==="email"&&s){const c=dh();return await n.env.data.codes.create(t.tenant.id,{code_id:c,code_type:"otp",login_id:o.login_id,expires_at:new Date(Date.now()+es*1e3).toISOString()}),await lh(n,s,c),n.redirect(`/u/enter-code?state=${o.login_id}`)}return e?n.redirect(`/u/check-account?state=${o.login_id}`):n.redirect(`/u/enter-email?state=${o.login_id}`)}function Av(n){if(n==="Username-Password-Authentication")return"auth2";if(n==="email")return"email";throw new N(403,{message:"Invalid realm"})}async function Iv(n,e,t,i,r){var m;const{env:s}=n;n.set("connection",r);const o=await s.data.codes.get(e,t,"ticket");if(!o||o.used_at)throw new N(403,{message:"Ticket not found"});const c=await s.data.logins.get(e,o.login_id);if(!c||!c.authParams.username)throw new N(403,{message:"Session not found"});const l=await s.data.clients.get(c.authParams.client_id);if(!l)throw new N(403,{message:"Client not found"});n.set("client_id",c.authParams.client_id),await s.data.codes.used(e,t);const u=Av(r);let p=await os({userAdapter:s.data.users,tenant_id:e,email:c.authParams.username,provider:u});p||(p=await 
s.data.users.create(e,{user_id:`email|${Za()}`,email:c.authParams.username,name:c.authParams.username,provider:"email",connection:"email",email_verified:!0,is_social:!1,last_ip:"",last_login:new Date().toISOString()})),n.set("username",p.email),n.set("user_id",p.user_id);const g=await sh(n,p,l);return Ki(n,{authParams:{scope:(m=c.authParams)==null?void 0:m.scope,...i},loginSession:c,sid:g.session_id,user:p,client:l})}async function wd(n,e){return`<!DOCTYPE html>
|
|
150
150
|
<html>
|
|
151
151
|
|
|
152
152
|
<head>
|
|
@@ -189,7 +189,7 @@ PERFORMANCE OF THIS SOFTWARE.
|
|
|
189
189
|
<\/script>
|
|
190
190
|
</body>
|
|
191
191
|
|
|
192
|
-
</html>`}async function Ev({ctx:n,client:e,session:t,redirect_uri:i,state:r,nonce:s,code_challenge_method:o,code_challenge:c,audience:l,scope:u}){const{env:p}=n,g=new URL(i);if(t){n.set("user_id",t.user_id);const x=new Headers,h=Yf(e.tenant.id,t.session_id);x.set("set-cookie",h);const _=await p.data.users.get(e.tenant.id,t.user_id);if(_){n.set("username",_.email),n.set("connection",_.connection);const b=await Jc(n,{client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:o,code_challenge:c,scope:u,state:r,nonce:s,response_type:Ut.TOKEN_ID_TOKEN},user:_,sid:t.session_id});await p.data.sessions.update(e.tenant.id,t.session_id,{used_at:new Date().toISOString()});const S=ke(n,{type:_e.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});return await n.env.data.logs.create(e.tenant.id,S),n.html(wd(`${g.protocol}//${g.host}`,JSON.stringify(b)),{headers:x})}}const m=ke(n,{type:_e.FAILED_SILENT_AUTH,description:"Login required"});return await n.env.data.logs.create(e.tenant.id,m),n.html(wd(`${g.protocol}//${g.host}`,JSON.stringify({error:"login_required",error_description:"Login required",state:r})))}const $v=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:a.z.object({client_id:a.z.string(),vendor_id:a.z.string().optional(),redirect_uri:a.z.string(),scope:a.z.string().optional(),state:a.z.string(),prompt:a.z.string().optional(),response_mode:a.z.nativeEnum(sn).optional(),response_type:a.z.nativeEnum(Ut).optional(),audience:a.z.string().optional(),connection:a.z.string().optional(),nonce:a.z.string().optional(),max_age:a.z.string().optional(),login_ticket:a.z.string().optional(),code_challenge_method:a.z.nativeEnum(ss).optional(),code_challenge:a.z.string().optional(),realm:a.z.string().optional(),auth0Client:a.z.string().optional(),login_hint:a.z.string().optional(),ui_locales:a.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the 
client's redirect uri"}}}),async n=>{const{env:e}=n,{client_id:t,vendor_id:i,redirect_uri:r,scope:s,state:o,audience:c,nonce:l,connection:u,response_type:p,response_mode:g,code_challenge:m,code_challenge_method:x,prompt:h,login_ticket:_,realm:b,auth0Client:S,login_hint:O,ui_locales:T}=n.req.valid("query");n.set("log","authorize");const q=await Fc(e,t);n.set("client_id",q.id),n.set("tenant_id",q.tenant.id);const oe={redirect_uri:r,scope:s,state:o,client_id:t,vendor_id:i,audience:c,nonce:l,prompt:h,response_type:p,response_mode:g,code_challenge:m,code_challenge_method:x,username:O,ui_locales:T},pe=n.req.header("origin");if(pe&&!xv(pe,q.web_origins||[]))throw new N(403,{message:`Origin ${pe} not allowed`});if(oe.redirect_uri&&!Ys(oe.redirect_uri,q.callbacks||[]))throw new N(400,{message:`Invalid redirect URI - ${oe.redirect_uri}`});const ce=Zf(q.tenant.id,n.req.header("cookie")),Re=ce?await e.data.sessions.get(q.tenant.id,ce):void 0;if(h=="none"){if(!p)throw new N(400,{message:"Missing response_type"});return Ev({ctx:n,session:Re||void 0,redirect_uri:r,state:o,response_type:p,client:q,nonce:l,code_challenge_method:x,code_challenge:m,audience:c,scope:s})}return u&&u!=="email"?iv(n,q,u,oe):_?Iv(n,q.tenant.id,_,oe,b):Sv({ctx:n,client:q,auth0Client:S,authParams:oe,session:Re||void 0,connection:u,login_hint:O})});function Cv(){const n=new a.OpenAPIHono;n.use(Lf(n));const e=n.route("/v2/logout",sv).route("/userinfo",ov).route("/.well-known",av).route("/oauth/token",fv).route("/dbconnections",yv).route("/passwordless",vv).route("/co/authenticate",kv).route("/authorize",$v).route("/callback",rv);return e.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"}}),Pf(e),e}function jv(){const e=new a.OpenAPIHono;return e.doc("/u/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Universal login"}}),e}const zv="Account detected",Nv="We have detected that you have already created an account through",Ov="By signing in, you agree to our",Bv="and",Tv="Callback URL 
mismatch",Rv="The provided redirect_uri is not in the list of allowed callback URLs.",Pv="continue with user",Lv="Please click the button to create a new password account.",Uv="Enter the code at {{vendorName}} to complete the login",Vv="Welcome to {{vendorName}}! {{code}} is the login code",Mv="Welcome to {{vendorName}}! {{code}} is the login code",Hv="The code is valid for 30 minutes",Dv="Confirm password",Fv="Need Help?",qv="Contact us",Kv="or continue with social account",Wv="Continue with {{provider}}",Gv="Would you like to continue with your existing account?",Jv="Copyright © 2023 SESAMY. All rights reserved.",Zv="©2023 Sesamy",Yv="Choose a password with a mix of uppercase and lowercase letters, numbers, and symbols.",Xv="Please enter a valid email address.",Qv="The passwords didn't match. Try again.",ew="Choose password",tw="Password must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one number and one symbol.",nw="Create new account",iw="Sign up with password",rw="You are currently logged in as <0>{{email}}</0>",sw="Email",ow="Email address",aw="Your email address has been validated",cw="Now enter your password to login again",lw="An email has been sent to <0>{{email}}</0> with a verification link. Please click the link to verify your email address and set a password.",uw="Email verification sent",dw="Enter a code",pw="We'll send you a verification link to ensure you own this email address.",fw="Enter new password",hw="Enter password",gw="Enter your email address and password to login.",_w="Enter your password",mw="The magic link has expired. Please click on the button below to receive a new link in your inbox.",yw="Hey! We updated our login experience. 
<0>Click here to learn more about it.</0>",vw="Send password reset email",ww="Click the button below and we’ll send instructions on how to reset your password.",bw="Password reset email sent",kw="Forgot password?",xw="Forgot password?",Sw="Go back",Aw="Invalid password",Iw=`The link is no longer valid.
|
|
192
|
+
</html>`}async function Ev({ctx:n,client:e,session:t,redirect_uri:i,state:r,nonce:s,code_challenge_method:o,code_challenge:c,audience:l,scope:u}){const{env:p}=n,g=new URL(i);if(t){n.set("user_id",t.user_id);const x=new Headers,h=Yf(e.tenant.id,t.session_id);x.set("set-cookie",h);const _=await p.data.users.get(e.tenant.id,t.user_id);if(_){n.set("username",_.email),n.set("connection",_.connection);const b=await Jc(n,{client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:o,code_challenge:c,scope:u,state:r,nonce:s,response_type:Ut.TOKEN_ID_TOKEN},user:_,sid:t.session_id});await p.data.sessions.update(e.tenant.id,t.session_id,{used_at:new Date().toISOString()});const S=ke(n,{type:_e.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});return await n.env.data.logs.create(e.tenant.id,S),n.html(wd(`${g.protocol}//${g.host}`,JSON.stringify(b)),{headers:x})}}const m=ke(n,{type:_e.FAILED_SILENT_AUTH,description:"Login required"});return await n.env.data.logs.create(e.tenant.id,m),n.html(wd(`${g.protocol}//${g.host}`,JSON.stringify({error:"login_required",error_description:"Login required",state:r})))}const $v=new a.OpenAPIHono().openapi(a.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:a.z.object({client_id:a.z.string(),vendor_id:a.z.string().optional(),redirect_uri:a.z.string(),scope:a.z.string().optional(),state:a.z.string(),prompt:a.z.string().optional(),response_mode:a.z.nativeEnum(sn).optional(),response_type:a.z.nativeEnum(Ut).optional(),audience:a.z.string().optional(),connection:a.z.string().optional(),nonce:a.z.string().optional(),max_age:a.z.string().optional(),login_ticket:a.z.string().optional(),code_challenge_method:a.z.nativeEnum(ss).optional(),code_challenge:a.z.string().optional(),realm:a.z.string().optional(),auth0Client:a.z.string().optional(),login_hint:a.z.string().optional(),ui_locales:a.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the 
client's redirect uri"}}}),async n=>{const{env:e}=n,{client_id:t,vendor_id:i,redirect_uri:r,scope:s,state:o,audience:c,nonce:l,connection:u,response_type:p,response_mode:g,code_challenge:m,code_challenge_method:x,prompt:h,login_ticket:_,realm:b,auth0Client:S,login_hint:O,ui_locales:T}=n.req.valid("query");n.set("log","authorize");const q=await Fc(e,t);n.set("client_id",q.id),n.set("tenant_id",q.tenant.id);const oe={redirect_uri:r,scope:s,state:o,client_id:t,vendor_id:i,audience:c,nonce:l,prompt:h,response_type:p,response_mode:g,code_challenge:m,code_challenge_method:x,username:O,ui_locales:T},pe=n.req.header("origin");if(pe&&!xv(pe,q.web_origins||[]))throw new N(403,{message:`Origin ${pe} not allowed`});if(oe.redirect_uri&&!Ys(oe.redirect_uri,q.callbacks||[],{allowPathWildcards:!0}))throw new N(400,{message:`Invalid redirect URI - ${oe.redirect_uri}`});const ce=Zf(q.tenant.id,n.req.header("cookie")),Re=ce?await e.data.sessions.get(q.tenant.id,ce):void 0;if(h=="none"){if(!p)throw new N(400,{message:"Missing response_type"});return Ev({ctx:n,session:Re||void 0,redirect_uri:r,state:o,response_type:p,client:q,nonce:l,code_challenge_method:x,code_challenge:m,audience:c,scope:s})}return u&&u!=="email"?iv(n,q,u,oe):_?Iv(n,q.tenant.id,_,oe,b):Sv({ctx:n,client:q,auth0Client:S,authParams:oe,session:Re||void 0,connection:u,login_hint:O})});function Cv(){const n=new a.OpenAPIHono;n.use(Lf(n));const e=n.route("/v2/logout",sv).route("/userinfo",ov).route("/.well-known",av).route("/oauth/token",fv).route("/dbconnections",yv).route("/passwordless",vv).route("/co/authenticate",kv).route("/authorize",$v).route("/callback",rv);return e.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"}}),Pf(e),e}function jv(){const e=new a.OpenAPIHono;return e.doc("/u/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Universal login"}}),e}const zv="Account detected",Nv="We have detected that you have already created an account through",Ov="By signing in, you agree to 
our",Bv="and",Tv="Callback URL mismatch",Rv="The provided redirect_uri is not in the list of allowed callback URLs.",Pv="continue with user",Lv="Please click the button to create a new password account.",Uv="Enter the code at {{vendorName}} to complete the login",Vv="Welcome to {{vendorName}}! {{code}} is the login code",Mv="Welcome to {{vendorName}}! {{code}} is the login code",Hv="The code is valid for 30 minutes",Dv="Confirm password",Fv="Need Help?",qv="Contact us",Kv="or continue with social account",Wv="Continue with {{provider}}",Gv="Would you like to continue with your existing account?",Jv="Copyright © 2023 SESAMY. All rights reserved.",Zv="©2023 Sesamy",Yv="Choose a password with a mix of uppercase and lowercase letters, numbers, and symbols.",Xv="Please enter a valid email address.",Qv="The passwords didn't match. Try again.",ew="Choose password",tw="Password must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one number and one symbol.",nw="Create new account",iw="Sign up with password",rw="You are currently logged in as <0>{{email}}</0>",sw="Email",ow="Email address",aw="Your email address has been validated",cw="Now enter your password to login again",lw="An email has been sent to <0>{{email}}</0> with a verification link. Please click the link to verify your email address and set a password.",uw="Email verification sent",dw="Enter a code",pw="We'll send you a verification link to ensure you own this email address.",fw="Enter new password",hw="Enter password",gw="Enter your email address and password to login.",_w="Enter your password",mw="The magic link has expired. Please click on the button below to receive a new link in your inbox.",yw="Hey! We updated our login experience. 
<0>Click here to learn more about it.</0>",vw="Send password reset email",ww="Click the button below and we’ll send instructions on how to reset your password.",bw="Password reset email sent",kw="Forgot password?",xw="Forgot password?",Sw="Go back",Aw="Invalid password",Iw=`The link is no longer valid.
|
|
193
193
|
|
|
194
194
|
Please make sure to open the login link in the same browser you started the login with.
|
|
195
195
|
|
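--- a/package/dist/authhero.mjs
+++ b/package/dist/authhero.mjs
@@ -15892,12 +15892,16 @@ async function Vc(n, e) {
 }
 };
 }
-function Ds(n, e = []) {
+function Ds(n, e = [], t = {}) {
 try {
-const
-return e.some((
+const i = new URL(n);
+return e.some((r) => {
 try {
-return vm(
+return vm(
+i,
+new URL(r),
+t.allowPathWildcards
+);
 } catch {
 return !1;
 }
@@ -15906,17 +15910,18 @@ function Ds(n, e = []) {
 return !1;
 }
 }
-function vm(n, e) {
-if (n.protocol !== e.protocol
+function vm(n, e, t) {
+if (n.protocol !== e.protocol)
+return !1;
+if (t && e.pathname.includes("*")) {
+const i = e.pathname.replace(/\*/g, ".*").replace(/\//g, "\\/");
+if (!new RegExp(`^${i}$`).test(n.pathname))
+return !1;
+} else if (n.pathname !== e.pathname)
 return !1;
-if (
-
-
-e.hostname.split(".").length > 2 && // Ensure that the protocol is HTTP or HTTPS
-["http:", "https:"].includes(e.protocol)
-) {
-const t = e.hostname.split(".").slice(1).join(".");
-return n.hostname.endsWith(t);
+if (e.hostname.startsWith("*.") && e.hostname.split(".").length > 2 && ["http:", "https:"].includes(e.protocol)) {
+const i = e.hostname.split(".").slice(1).join(".");
+return n.hostname.endsWith(i);
 }
 return n.hostname === e.hostname;
 }
@@ -17625,7 +17630,8 @@ async function pd(n, { code: e, state: t }) {
 }
 if (!Ds(
 s.authParams.redirect_uri,
-o.callbacks || []
+o.callbacks || [],
+{ allowPathWildcards: !0 }
 )) {
 const _ = `Invalid redirect URI - ${s.authParams.redirect_uri}`, b = Se(n, {
 type: we.FAILED_LOGIN,
@@ -17844,10 +17850,14 @@ const Xy = new _e().openapi(
 const s = t || n.req.header("referer");
 if (!s)
 return n.text("OK");
-if (!Ds(
-
-
-
+if (!Ds(
+s,
+[
+...i.allowed_logout_urls || [],
+...(r == null ? void 0 : r.allowed_logout_urls) || []
+],
+{ allowPathWildcards: !0 }
+))
 throw new O(400, {
 message: "Invalid redirect uri"
 });
@@ -18698,7 +18708,9 @@ const fv = new _e().openapi(
 return n.redirect(
 `${yt(n.env)}invalid-session?state=${x.login_id}`
 );
-if (!Ds(s, g.callbacks
+if (!Ds(s, g.callbacks, {
+allowPathWildcards: !0
+}))
 throw new O(400, {
 message: `Invalid redirect URI - ${s}`
 });
@@ -19249,7 +19261,9 @@ const kv = new _e().openapi(
 throw new O(403, {
 message: `Origin ${fe} not allowed`
 });
-if (ae.redirect_uri && !Ds(ae.redirect_uri, q.callbacks || []
+if (ae.redirect_uri && !Ds(ae.redirect_uri, q.callbacks || [], {
+allowPathWildcards: !0
+}))
 throw new O(400, {
 message: `Invalid redirect URI - ${ae.redirect_uri}`
 });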
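Review bot: In the new `vm`, the wildcard-host branch still returns `n.hostname.endsWith(i)`, where `i` is the allowed hostname minus its first label, so the comparison has no label boundary and accepts any host whose name merely ends in that string, not only subdomains. Requiring the dot, `return n.hostname.endsWith("." + i);`, closes that gap. The added path-wildcard branch builds its pattern from `e.pathname` by rewriting only `*` and `/`, so other regex metacharacters in a configured URL (the `.` in `/callback.html`, for example) stay live and `.*` also crosses `/` segment boundaries; escaping first, `const i = e.pathname.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");`, keeps literals literal, and `[^/]*` would be the stricter replacement if a wildcard is meant to stay within one path segment. Every `Ds` call shown in this section passes `allowPathWildcards: !0`, so both checks sit on all the redirect and logout URL validation visible here; a unit test with a look-alike host and a multi-segment path would pin the intended behaviour.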