authhero 0.97.0 → 0.98.0

package/dist/authhero.cjs

@@ -26,7 +26,7 @@
       }};
       <\/script>
   </body>
-  </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function Y0(t,e,n,r,i){var m,v,f;if(!n.redirect_uri)throw new z(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new z(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new z(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new z(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(n.state),p=new URL(n.redirect_uri),h=await X0(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((f=(v=r.app_metadata)==null?void 0:v.vimeo)==null?void 0:f.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return Z0(p.toString(),h,u.relayState)}async function X0(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${xe()}`,c=e.assertionId||`_${xe()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new J0.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var Q0={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},ey=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(Q0))if(ty(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},ty=t=>navigator.userAgent.startsWith(t);function nt(t,e){ey()==="workerd"&&t.executionCtx.waitUntil(e)}function sn(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Gu=["sub","iss","aud","exp","nbf","iat","jti"];async function to(t,e){var _,w;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new z(500,{message:"No signing key available"});const u=b_(l.pkcs7),p={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:t.env.ISSUER,tenant_id:t.var.tenant_id,sid:s},h=r&&((_=n.scope)!=null&&_.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:t.env.ISSUER,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(w=t.env.hooks)!=null&&w.onExecuteCredentialsExchange&&await t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,C)=>{if(Gu.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=C}},idToken:{setCustomClaim:(S,C)=>{if(Gu.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);h&&(h[S]=C)}},access:{deny:S=>{throw new z(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new sl(1,"d"),headers:{kid:l.kid}},v=await Mu("RS256",u,p,m),f=h?await Mu("RS256",u,h,m):void 0;return{access_token:v,refresh_token:e.refresh_token,id_token:f,token_type:"Bearer",expires_in:86400}}async function qf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:xe(),...sn(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:xe(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+A_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function ny(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:xe(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+Qs*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Mf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:xe(),user_id:e.user_id,idle_expires_at:new Date(Date.now()+Qs*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]}),{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await ny(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function on(t,e){var v;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=ve(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(nt(t,t.env.data.logs.create(i.tenant.id,a)),nt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new z(500,{message:"Login session not found"});const f=w_(),_=xe(12),w=await t.env.data.codes.create(i.tenant.id,{code_id:xe(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+I_).toISOString(),code_verifier:[_,f].join("|")});return t.json({login_ticket:w.code_id,co_verifier:f,co_id:_})}let c=e.refreshToken,l=e.sessionId,u=r;if(!l){if(!e.loginSession)throw new z(500,{message:"Login session not found"});u=await oy(t,t.env.data)(i.tenant.id,r);const f=await Mf(t,{user:r,client:i,loginSession:e.loginSession});l=f.id,c=(v=f.refresh_token)==null?void 0:v.id}if(e.authParams.response_mode===Yt.SAML_POST)return Y0(t,e.client,e.authParams,u,l);const p=await to(t,{authParams:n,user:u,client:i,session_id:l,refresh_token:c}),h=new Headers({"set-cookie":Of(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Yt.WEB_MESSAGE)return t.json(p,{headers:h});if((n.response_type||Pt.CODE)===Pt.CODE){const f=await qf(t,e);if(!n.redirect_uri)throw new z(400,{message:"Redirect uri not found"});const _=new URL(n.redirect_uri);_.searchParams.set("code",f.code),f.state&&_.searchParams.set("state",f.state),h.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:h})}async function ry(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return to(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:Pt.TOKEN,scope:n}})}async function dl(t,e,n){const r=await ry(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=ve(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function iy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await dl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function sy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await dl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function oy(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await dl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function ay(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(u,p)=>{r[u]=p}}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook failed"});await e.logs.create(n,p)}let s=await f_(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await iy(t)(n,s),s}}async function cy(t,e,n,r){if(e.disable_sign_ups&&!await ro({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const s=ve(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,s),new z(400,{message:"Signups are disabled for this client"})}await sy(t)(t.var.tenant_id||"",r)}function no(t,e){return{...e,users:{...e.users,create:ay(t,e)}}}function Df(t){return no(t,t.env.data)}async function pl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function ur({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function ro({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ls({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await ur({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function io(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:u=""}=e;let p=await ls({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const h={user_id:`${r}|${a||Xs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:u,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Df(t).users.create(s.tenant.id,h),t.set("user_id",p.user_id)}return p}const Xt=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function dr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Ju=nn.extend({users:o.z.array(xt)}),ly=nn.extend({sessions:o.z.array(Ys)}),uy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:Xt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(xt),Ju])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[v]=m;if(!v)return t.json([]);const f=await t.env.data.users.get(a,v.linked_to);if(!f)throw new z(500,{message:"Primary account not found"});return t.json([xt.parse(f)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:c.join(" ")}),u=l.users.filter(p=>!p.linked_to);return r?t.json(Ju.parse({users:u,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(xt).parse(u))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new z(404);if(r.linked_to)throw new z(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new z(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new z(400,{message:"Email is required"});const i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Xs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=ve(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});nt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Vu(a.user_id),isSocial:a.is_social}]};return t.json(xt.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new z(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new z(404);if(c.email&&c.email!==l.email){const h=await pl(t.env.data.users,n,c.email);if(h.length&&h.some(m=>m.user_id!==i))throw new z(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new z(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const h=(p=l.identities)==null?void 0:p.find(f=>f.connection==="Username-Password-Authentication");if(!h)throw new z(400,{message:"User does not have a password identity"});const m={user_id:h.user_id,password:await si.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,h.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const u=await t.env.data.users.get(n,i);if(!u)throw new z(500);return t.json(u)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new z(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Vu(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(xt)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new z(404);return t.json([xt.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:Xt,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Ys),ly])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
+  </html>`;return new Response(i,{headers:{"Content-Type":"text/html"}})}async function Y0(t,e,n,r,i){var m,v,f;if(!n.redirect_uri)throw new z(400,{message:"Missing redirect_uri in authParams"});const[s]=await t.env.data.keys.list();if(!s)throw new z(500,{message:"No signing key found"});if(!((m=e.addons)!=null&&m.samlp))throw new z(400,{message:`SAML Addon is not enabled for client ${e.id}`});const{recipient:a,audience:c}=e.addons.samlp,l=n.state||"";if(!a||!l||!r||!n.state)throw new z(400,{message:"Missing recipient or inResponseTo"});const u=JSON.parse(n.state),p=new URL(n.redirect_uri),h=await X0(t,{issuer:t.env.ISSUER,audience:c||n.client_id,destination:p.toString(),inResponseTo:u.requestId,userId:((f=(v=r.app_metadata)==null?void 0:v.vimeo)==null?void 0:f.user_id)||r.user_id,email:r.email,sessionIndex:i,signature:{privateKeyPem:s.pkcs7,cert:s.cert,kid:s.kid}});return Z0(p.toString(),h,u.relayState)}async function X0(t,e){const n=e.notBefore||new Date().toISOString(),r=e.notAfter||new Date(new Date(n).getTime()+10*60*1e3).toISOString(),i=e.issueInstant||n,s=e.sessionNotOnOrAfter||r,a=e.responseId||`_${xe()}`,c=e.assertionId||`_${xe()}`,l=[{"samlp:Response":[{"saml:Issuer":[{"#text":e.issuer}]},{"samlp:Status":[{"samlp:StatusCode":[],":@":{"@_Value":"urn:oasis:names:tc:SAML:2.0:status:Success"}}]},{"saml:Assertion":[{"saml:Issuer":[{"#text":e.issuer}]},{"saml:Subject":[{"saml:NameID":[{"#text":e.email}],":@":{"@_Format":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}},{"saml:SubjectConfirmation":[{"saml:SubjectConfirmationData":[],":@":{"@_InResponseTo":e.inResponseTo,"@_NotOnOrAfter":r,"@_Recipient":e.destination}}],":@":{"@_Method":"urn:oasis:names:tc:SAML:2.0:cm:bearer"}}]},{"saml:Conditions":[{"saml:AudienceRestriction":[{"saml:Audience":[{"#text":e.audience}]}]}],":@":{"@_NotBefore":n,"@_NotOnOrAfter":r}},{"saml:AuthnStatement":[{"saml:AuthnContext":[{"saml:AuthnContextClassRef":[{"#text":"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"}]}]}],":@":{"@_AuthnInstant":i,"@_SessionIndex":e.sessionIndex,"@_SessionNotOnOrAfter":s}},{"saml:AttributeStatement":[{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.userId}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_FriendlyName":"persistent","@_Name":"id","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":e.email}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"email","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"default-roles-master"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"offline_access"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"view-profile"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"uma_authorization"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}},{"saml:Attribute":[{"saml:AttributeValue":[{"#text":"manage-account-links"}],":@":{"@_xmlns:xs":"http://www.w3.org/2001/XMLSchema","@_xmlns:xsi":"http://www.w3.org/2001/XMLSchema-instance","@_xsi:type":"xs:string"}}],":@":{"@_Name":"Role","@_NameFormat":"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}]}],":@":{"@_xmlns":"urn:oasis:names:tc:SAML:2.0:assertion","@_ID":c,"@_IssueInstant":i,"@_Version":"2.0"}}],":@":{"@_xmlns:samlp":"urn:oasis:names:tc:SAML:2.0:protocol","@_xmlns:saml":"urn:oasis:names:tc:SAML:2.0:assertion","@_Destination":e.destination,"@_ID":a,"@_InResponseTo":e.inResponseTo,"@_IssueInstant":i,"@_Version":"2.0"}}];let p=new J0.XMLBuilder({ignoreAttributes:!1,suppressEmptyNode:!0,preserveOrder:!0}).build(l);if(e.signature){const m=await fetch(t.env.SAML_SIGN_URL,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({xmlContent:p,privateKey:e.signature.privateKeyPem,publicCert:e.signature.cert})});if(!m.ok)throw new Error(`Failed to sign SAML response: ${m.status}`);p=await m.text()}return e.encode===!1?p:btoa(p)}var Q0={deno:"Deno",bun:"Bun",workerd:"Cloudflare-Workers",node:"Node.js"},ey=()=>{var n,r;const t=globalThis;if(typeof navigator<"u"&&typeof navigator.userAgent=="string"){for(const[i,s]of Object.entries(Q0))if(ty(s))return i}return typeof(t==null?void 0:t.EdgeRuntime)=="string"?"edge-light":(t==null?void 0:t.fastly)!==void 0?"fastly":((r=(n=t==null?void 0:t.process)==null?void 0:n.release)==null?void 0:r.name)==="node"?"node":"other"},ty=t=>navigator.userAgent.startsWith(t);function nt(t,e){ey()==="workerd"&&t.executionCtx.waitUntil(e)}function sn(t){var e,n,r;return{auth0Client:(e=t.query("auth0Client"))==null?void 0:e.slice(0,255),ip:(n=t.header("x-real-ip"))==null?void 0:n.slice(0,45),useragent:(r=t.header("user-agent"))==null?void 0:r.slice(0,512)}}const Gu=["sub","iss","aud","exp","nbf","iat","jti"];async function to(t,e){var _,w;const{authParams:n,user:r,client:i,session_id:s}=e,c=(await t.env.data.keys.list()).filter(S=>!S.revoked_at||new Date(S.revoked_at)>new Date),l=c[c.length-1];if(!(l!=null&&l.pkcs7))throw new z(500,{message:"No signing key available"});const u=b_(l.pkcs7),p={aud:n.audience||"default",scope:n.scope||"",sub:(r==null?void 0:r.user_id)||n.client_id,iss:t.env.ISSUER,tenant_id:t.var.tenant_id,sid:s},h=r&&((_=n.scope)!=null&&_.split(" ").includes("openid"))?{aud:n.client_id,sub:r.user_id,iss:t.env.ISSUER,sid:s,nonce:n.nonce,given_name:r.given_name,family_name:r.family_name,nickname:r.nickname,picture:r.picture,locale:r.locale,name:r.name,email:r.email,email_verified:r.email_verified}:void 0;(w=t.env.hooks)!=null&&w.onExecuteCredentialsExchange&&await t.env.hooks.onExecuteCredentialsExchange({client:i,user:r,request:{ip:t.req.header("x-real-ip")||"",user_agent:t.req.header("user-agent")||"",method:t.req.method,url:t.req.url},scope:n.scope||"",grant_type:""},{accessToken:{setCustomClaim:(S,C)=>{if(Gu.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);p[S]=C}},idToken:{setCustomClaim:(S,C)=>{if(Gu.includes(S))throw new Error(`Cannot overwrite reserved claim '${S}'`);h&&(h[S]=C)}},access:{deny:S=>{throw new z(400,{message:`Access denied: ${S}`})}}});const m={includeIssuedTimestamp:!0,expiresIn:new sl(1,"d"),headers:{kid:l.kid}},v=await Mu("RS256",u,p,m),f=h?await Mu("RS256",u,h,m):void 0;return{access_token:v,refresh_token:e.refresh_token,id_token:f,token_type:"Bearer",expires_in:86400}}async function qf(t,e){return e.loginSession||(e.loginSession=await t.env.data.loginSessions.create(e.client.tenant.id,{expires_at:new Date(Date.now()+Jn*1e3).toISOString(),authParams:e.authParams,authorization_url:t.req.url,csrf_token:xe(),...sn(t.req)})),{code:(await t.env.data.codes.create(e.client.tenant.id,{code_id:xe(),user_id:e.user.user_id,code_type:"authorization_code",login_id:e.loginSession.id,expires_at:new Date(Date.now()+A_*1e3).toISOString()})).code_id,state:e.authParams.state}}async function ny(t,e){const{client:n,scope:r,audience:i=n.tenant.audience,session_id:s}=e;return await t.env.data.refreshTokens.create(n.tenant.id,{id:xe(),session_id:s,client_id:n.id,expires_at:new Date(Date.now()+Qs*1e3).toISOString(),user_id:e.user.user_id,device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},resource_servers:[{audience:i,scopes:r}],rotating:!1})}async function Mf(t,{user:e,client:n,loginSession:r}){const i=await t.env.data.sessions.create(n.tenant.id,{id:xe(),user_id:e.user_id,idle_expires_at:new Date(Date.now()+Qs*1e3).toISOString(),device:{last_ip:t.req.header("x-real-ip")||"",initial_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||"",initial_user_agent:t.req.header("user-agent")||"",initial_asn:"",last_asn:""},clients:[n.id]});await t.env.data.loginSessions.update(n.tenant.id,r.id,{session_id:i.id});const{scope:s,audience:a}=r.authParams,c=s!=null&&s.split(" ").includes("offline_access")?await ny(t,{session_id:i.id,user:e,client:n,scope:s,audience:a}):void 0;return{...i,refresh_token:c}}async function on(t,e){var v;const{authParams:n,user:r,client:i,ticketAuth:s}=e,a=ve(t,{type:he.SUCCESS_LOGIN,description:`Successful login for ${r.user_id}`,userId:r.user_id});if(nt(t,t.env.data.logs.create(i.tenant.id,a)),nt(t,t.env.data.users.update(i.tenant.id,r.user_id,{last_login:new Date().toISOString(),last_ip:t.req.header("x-real-ip")||"",login_count:r.login_count+1})),s){if(!e.loginSession)throw new z(500,{message:"Login session not found"});const f=w_(),_=xe(12),w=await t.env.data.codes.create(i.tenant.id,{code_id:xe(),code_type:"ticket",login_id:e.loginSession.id,expires_at:new Date(Date.now()+I_).toISOString(),code_verifier:[_,f].join("|")});return t.json({login_ticket:w.code_id,co_verifier:f,co_id:_})}let c=e.refreshToken,l=e.sessionId,u=r;if(!l){if(!e.loginSession)throw new z(500,{message:"Login session not found"});u=await oy(t,t.env.data)(i.tenant.id,r);const f=await Mf(t,{user:r,client:i,loginSession:e.loginSession});l=f.id,c=(v=f.refresh_token)==null?void 0:v.id}if(e.authParams.response_mode===Yt.SAML_POST)return Y0(t,e.client,e.authParams,u,l);const p=await to(t,{authParams:n,user:u,client:i,session_id:l,refresh_token:c}),h=new Headers({"set-cookie":Of(i.tenant.id,l,t.req.header("host"))});if(n.response_mode===Yt.WEB_MESSAGE)return t.json(p,{headers:h});if((n.response_type||Pt.CODE)===Pt.CODE){const f=await qf(t,e);if(!n.redirect_uri)throw new z(400,{message:"Redirect uri not found"});const _=new URL(n.redirect_uri);_.searchParams.set("code",f.code),f.state&&_.searchParams.set("state",f.state),h.set("location",_.toString())}return new Response("Redirecting",{status:302,headers:h})}async function ry(t,e,n){const r=await t.env.data.tenants.get(e);if(!r)throw new Error(`Tenant not found: ${e}`);return to(t,{client:{id:t.env.ISSUER,tenant:r,created_at:new Date().toISOString(),updated_at:new Date().toISOString(),name:t.env.ISSUER,disable_sign_ups:!1,connections:[]},authParams:{client_id:t.env.ISSUER,response_type:Pt.TOKEN,scope:n}})}async function dl(t,e,n){const r=await ry(t,n.tenant_id,"webhook");for await(const i of e)if(!(await fetch(i.url,{method:"POST",headers:{Authorization:`Bearer ${r.access_token}`,"Content-Type":"application/json"},body:JSON.stringify(n)})).ok){const a=ve(t,{type:he.FAILED_HOOK,description:`Failed to invoke hook ${i.hook_id}`});await t.env.data.logs.create(n.tenant_id,a)}}function iy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e);return await dl(t,r,{tenant_id:e,user:n,trigger_id:"post-user-registration"}),n}}function sy(t){return async(e,n)=>{const{hooks:r}=await t.env.data.hooks.list(e,{q:"trigger_id:pre-user-signup",page:0,per_page:100,include_totals:!1});await dl(t,r,{tenant_id:e,email:n,trigger_id:"pre-user-signup"})}}function oy(t,e){return async(n,r)=>{const{hooks:i}=await e.hooks.list(n,{q:"trigger_id:post-user-login",page:0,per_page:100,include_totals:!1});return await dl(t,i,{tenant_id:n,user:r,trigger_id:"post-user-login"}),r}}function ay(t,e){return async(n,r)=>{var a,c,l;const i={method:t.req.method,ip:t.req.query("x-real-ip")||"",user_agent:t.req.query("user-agent"),url:((a=t.var.loginSession)==null?void 0:a.authorization_url)||t.req.url};if((c=t.env.hooks)!=null&&c.onExecutePreUserRegistration)try{await t.env.hooks.onExecutePreUserRegistration({user:r,request:i},{user:{setUserMetadata:async(u,p)=>{r[u]=p}}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Pre user registration hook failed"});await e.logs.create(n,p)}let s=await f_(e)(n,r);if((l=t.env.hooks)!=null&&l.onExecutePostUserRegistration)try{await t.env.hooks.onExecutePostUserRegistration({user:r,request:i},{user:{}})}catch{const p=ve(t,{type:he.FAILED_SIGNUP,description:"Post user registration hook failed"});await t.env.data.logs.create(n,p)}return await iy(t)(n,s),s}}async function cy(t,e,n,r){if(e.disable_sign_ups&&!await ro({userAdapter:n.users,tenant_id:e.tenant.id,email:r})){const s=ve(t,{type:he.FAILED_SIGNUP,description:"Public signup is disabled"});throw await n.logs.create(e.tenant.id,s),new z(400,{message:"Signups are disabled for this client"})}await sy(t)(t.var.tenant_id||"",r)}function no(t,e){return{...e,users:{...e.users,create:ay(t,e)}}}function Df(t){return no(t,t.env.data)}async function pl(t,e,n){return(await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`})).users}async function ur({userAdapter:t,tenant_id:e,email:n,provider:r}){const{users:i}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n} provider:${r}`});return i.length>1&&console.error("More than one user found for same email and provider"),i[0]||null}async function ro({userAdapter:t,tenant_id:e,email:n}){var c;const{users:r}=await t.list(e,{page:0,per_page:10,include_totals:!1,q:`email:${n}`}),i=r.filter(l=>!(l.provider==="auth2"&&!l.email_verified));if(i.length===0)return;const s=i.filter(l=>!l.linked_to);if(s.length>0)return s.length>1&&console.error("More than one primary user found for same email"),s[0];const a=await t.get(e,(c=i[0])==null?void 0:c.linked_to);if(!a)throw new Error("Primary account not found");return a}async function ls({userAdapter:t,tenant_id:e,email:n,provider:r}){const i=await ur({userAdapter:t,tenant_id:e,email:n,provider:r});return i?i.linked_to?t.get(e,i.linked_to):i:null}async function io(t,e){const{email:n,provider:r,connection:i,client:s,userId:a,isSocial:c,profileData:l={},ip:u=""}=e;let p=await ls({userAdapter:t.env.data.users,tenant_id:e.client.tenant.id,email:n,provider:r});if(!p){const h={user_id:`${r}|${a||Xs()}`,email:n,name:n,provider:r,connection:i,email_verified:!0,last_ip:u,is_social:c,last_login:new Date().toISOString(),profileData:JSON.stringify(l)};p=await Df(t).users.create(s.tenant.id,h),t.set("user_id",p.user_id)}return p}const Xt=o.z.object({page:o.z.string().min(0).optional().default("0").transform(t=>parseInt(t,10)).openapi({description:"The page number where 0 is the first page"}),per_page:o.z.string().min(1).optional().default("10").transform(t=>parseInt(t,10)).openapi({description:"The number of items per page"}),include_totals:o.z.string().optional().default("false").transform(t=>t==="true").openapi({description:"If the total number of items should be included in the response"}),sort:o.z.string().regex(/^.+:(-1|1)$/).optional().openapi({description:"A property that should have the format 'string:-1' or 'string:1'"}),q:o.z.string().optional().openapi({description:"A lucene query string used to filter the results"})});function dr(t){if(!t)return;const[e,n]=t.split(":"),r=n==="1"?"asc":"desc";if(!(!e||!r))return{sort_by:e,sort_order:r}}const Ju=nn.extend({users:o.z.array(xt)}),ly=nn.extend({sessions:o.z.array(Ys)}),uy=new o.OpenAPIHono().openapi(o.createRoute({tags:["users"],method:"get",path:"/",request:{query:Xt,headers:o.z.object({"tenant-id":o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(xt),Ju])}},description:"List of users"}}}),async t=>{const{page:e,per_page:n,include_totals:r,sort:i,q:s}=t.req.valid("query"),{"tenant-id":a}=t.req.valid("header");if(s!=null&&s.includes("identities.profileData.email")){const p=s.split("=")[1],m=(await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,q:`email:${p}`})).users.filter(_=>_.linked_to),[v]=m;if(!v)return t.json([]);const f=await t.env.data.users.get(a,v.linked_to);if(!f)throw new z(500,{message:"Primary account not found"});return t.json([xt.parse(f)])}const c=["-_exists_:linked_to"];s&&c.push(s);const l=await t.env.data.users.list(a,{page:e,per_page:n,include_totals:r,sort:dr(i),q:c.join(" ")}),u=l.users.filter(p=>!p.linked_to);return r?t.json(Ju.parse({users:u,length:l.length,start:l.start,limit:l.limit})):t.json(o.z.array(xt).parse(u))}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"List of users"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header"),r=await t.env.data.users.get(n,e);if(!r)throw new z(404);if(r.linked_to)throw new z(404,{message:"User is linked to another user"});return t.json(r)}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{"tenant-id":n}=t.req.valid("header");if(!await t.env.data.users.remove(n,e))throw new z(404);return t.text("OK")}).openapi(o.createRoute({tags:["users"],method:"post",path:"/",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape})}}}},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:xt}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json");t.set("body",n);const{email:r}=n;if(!r)throw new z(400,{message:"Email is required"});const i=r.toLowerCase(),s=`${n.provider}|${n.user_id||Xs()}`;try{const a=await t.env.data.users.create(e,{email:i,user_id:s,name:n.name||i,provider:n.provider,connection:n.connection,email_verified:n.email_verified||!1,last_ip:"",is_social:!1,last_login:new Date().toISOString()});t.set("user_id",a.user_id);const c=ve(t,{type:he.SUCCESS_API_OPERATION,description:"User created"});nt(t,t.env.data.logs.create(e,c));const l={...a,identities:[{connection:a.connection,provider:a.provider,user_id:Vu(a.user_id),isSocial:a.is_social}]};return t.json(xt.parse(l),{status:201})}catch(a){throw a.message==="User already exists"?new z(409,{message:"User already exists"}):a}}).openapi(o.createRoute({tags:["users"],method:"patch",path:"/{user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.object({...ts.shape,verify_email:o.z.boolean(),password:o.z.string()}).partial()}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{description:"Status"}}}),async t=>{var p;const{data:e}=t.env,{"tenant-id":n}=t.req.valid("header"),r=t.req.valid("json"),{user_id:i}=t.req.valid("param"),{verify_email:s,password:a,...c}=r,l=await e.users.get(n,i);if(!l)throw new z(404);if(c.email&&c.email!==l.email){const h=await pl(t.env.data.users,n,c.email);if(h.length&&h.some(m=>m.user_id!==i))throw new z(409,{message:"Another user with the same email address already exists."})}if(l.linked_to)throw new z(404,{message:"User is linked to another user"});if(await t.env.data.users.update(n,i,c),a){const h=(p=l.identities)==null?void 0:p.find(f=>f.connection==="Username-Password-Authentication");if(!h)throw new z(400,{message:"User does not have a password identity"});const m={user_id:h.user_id,password:await si.hash(a,10),algorithm:"bcrypt"};await e.passwords.get(n,h.user_id)?await e.passwords.update(n,m):await e.passwords.create(n,m)}const u=await t.env.data.users.get(n,i);if(!u)throw new z(500);return t.json(u)}).openapi(o.createRoute({tags:["users"],method:"post",path:"/{user_id}/identities",request:{headers:o.z.object({"tenant-id":o.z.string()}),body:{content:{"application/json":{schema:o.z.union([o.z.object({link_with:o.z.string()}),o.z.object({user_id:o.z.string(),provider:o.z.string(),connection:o.z.string().optional()})])}}},params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(o.z.object({connection:o.z.string(),provider:o.z.string(),user_id:o.z.string(),isSocial:o.z.boolean()}))}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),n=t.req.valid("json"),{user_id:r}=t.req.valid("param"),i="link_with"in n?n.link_with:n.user_id,s=await t.env.data.users.get(e,r);if(!s)throw new z(400,{message:"Linking an inexistent identity is not allowed."});await t.env.data.users.update(e,i,{linked_to:r});const a=await t.env.data.users.list(e,{page:0,per_page:10,include_totals:!1,q:`linked_to:${r}`}),c=[s,...a.users].map(l=>({connection:l.connection,provider:l.provider,user_id:Vu(l.user_id),isSocial:l.is_social}));return t.json(c,{status:201})}).openapi(o.createRoute({tags:["users"],method:"delete",path:"/{user_id}/identities/{provider}/{linked_user_id}",request:{headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string(),provider:o.z.string(),linked_user_id:o.z.string()})},security:[{Bearer:["auth:write"]}],responses:{200:{content:{"application/json":{schema:o.z.array(xt)}},description:"Status"}}}),async t=>{const{"tenant-id":e}=t.req.valid("header"),{user_id:n,provider:r,linked_user_id:i}=t.req.valid("param");await t.env.data.users.unlink(e,n,r,i);const s=await t.env.data.users.get(e,n);if(!s)throw new z(404);return t.json([xt.parse(s)])}).openapi(o.createRoute({tags:["users"],method:"get",path:"/{user_id}/sessions",request:{query:Xt,headers:o.z.object({"tenant-id":o.z.string()}),params:o.z.object({user_id:o.z.string()})},security:[{Bearer:["auth:read"]}],responses:{200:{content:{"application/json":{schema:o.z.union([o.z.array(Ys),ly])}},description:"List of sessions"}}}),async t=>{const{user_id:e}=t.req.valid("param"),{include_totals:n}=t.req.valid("query"),{"tenant-id":r}=t.req.valid("header"),i=await t.env.data.sessions.list(r,{page:0,per_page:10,include_totals:!1,q:`user_id:${e}`});return n?t.json(i):t.json(i.sessions)});/*! *****************************************************************************
 Copyright (C) Microsoft. All rights reserved.
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 this file except in compliance with the License. You may obtain a copy of the
@@ -189,7 +189,7 @@ PERFORMANCE OF THIS SOFTWARE.
       <\/script>
   </body>
   
-  </html>`}async function Tb({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:c,audience:l,scope:u,response_type:p}){const{env:h}=t,m=new URL(r),v=`${m.protocol}//${m.host}`;async function f(ce="Login required"){const le=ve(t,{type:he.FAILED_SILENT_AUTH,description:ce});return await t.env.data.logs.create(e.tenant.id,le),t.html(Lp(v,JSON.stringify({error:"login_required",error_description:ce,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return f();t.set("user_id",n.user_id);const w=await h.data.users.get(e.tenant.id,n.user_id);if(!w)return console.error("User not found",n.user_id),f("User not found");t.set("username",w.email),t.set("connection",w.connection);const S={client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:a,code_challenge:c,scope:u,state:i,nonce:s,response_type:p},user:w,session_id:n.id},C=p===Pt.CODE?await qf(t,S):await to(t,S);await h.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+Qs*1e3).toISOString():void 0});const B=ve(t,{type:he.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,B);const L=new Headers;L.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const Q=Of(e.tenant.id,n.id,t.req.header("host"));return L.set("set-cookie",Q),t.html(Lp(v,JSON.stringify(C)),{headers:L})}const Pb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(Yt).optional(),response_type:o.z.nativeEnum(Pt).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(Zs).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:c,nonce:l,connection:u,response_type:p,response_mode:h,code_challenge:m,code_challenge_method:v,prompt:f,login_ticket:_,realm:w,auth0Client:S,login_hint:C,ui_locales:B,organization:L}=t.req.valid("query");t.set("log","authorize");const Q=await Zo(e,n);t.set("client_id",Q.id),t.set("tenant_id",Q.tenant.id);const ce={redirect_uri:i,scope:s,state:a,client_id:n,vendor_id:r,audience:c,nonce:l,prompt:f,response_type:p,response_mode:h,code_challenge:m,code_challenge_method:v,username:C,ui_locales:B,organization:L},le=t.req.header("origin");if(le&&!jb(le,Q.web_origins||[]))throw new z(403,{message:`Origin ${le} not allowed`});if(ce.redirect_uri&&!Yo(ce.redirect_uri,Q.callbacks||[],{allowPathWildcards:!0}))throw new z(400,{message:`Invalid redirect URI - ${ce.redirect_uri}`});const qe=cs(Q.tenant.id,t.req.header("cookie")),Me=qe?await e.data.sessions.get(Q.tenant.id,qe):void 0;if(f=="none"){if(!p)throw new z(400,{message:"Missing response_type"});return Tb({ctx:t,session:Me||void 0,redirect_uri:i,state:a,response_type:p,client:Q,nonce:l,code_challenge_method:v,code_challenge:m,audience:c,scope:s})}return u&&u!=="email"?pb(t,Q,u,ce):_?Bb(t,Q.tenant.id,_,ce,w):$b({ctx:t,client:Q,auth0Client:S,authParams:ce,session:Me||void 0,connection:u,login_hint:C})});function Rb(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>(r.env.data=no(r,t.dataAdapter),i())),e.use(Tg(e));const n=e.route("/v2/logout",hb).route("/userinfo",gb).route("/.well-known",mb).route("/oauth/token",Sb).route("/dbconnections",Ib).route("/passwordless",zb).route("/co/authenticate",Cb).route("/authorize",Pb).route("/callback",fb);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Bg(n),n}var Lb={Stringify:1,BeforeStream:2,Stream:3},gt=(t,e)=>{const n=new String(t);return n.isEscaped=!0,n.callbacks=e,n},Ub=/[&<>'"]/,Jg=async(t,e)=>{let n="";e||(e=[]);const r=await Promise.all(t);for(let i=r.length-1;n+=r[i],i--,!(i<0);i--){let s=r[i];typeof s=="object"&&e.push(...s.callbacks||[]);const a=s.isEscaped;if(s=await(typeof s=="object"?s.toString():s),typeof s=="object"&&e.push(...s.callbacks||[]),s.isEscaped??a)n+=s;else{const c=[n];Zt(s,c),n=c[0]}}return gt(n,e)},Zt=(t,e)=>{const n=t.search(Ub);if(n===-1){e[0]+=t;return}let r,i,s=0;for(i=n;i<t.length;i++){switch(t.charCodeAt(i)){case 34:r="&quot;";break;case 39:r="&#39;";break;case 38:r="&amp;";break;case 60:r="&lt;";break;case 62:r="&gt;";break;default:continue}e[0]+=t.substring(s,i)+r,s=i+1}e[0]+=t.substring(s,i)},Zg=t=>{const e=t.callbacks;if(!(e!=null&&e.length))return t;const n=[t],r={};return e.forEach(i=>i({phase:Lb.Stringify,buffer:n,context:r})),n[0]},Vb=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,c=s.length;a<c;a++){const l=s[a];if(typeof l=="string")Zt(l,n);else if(typeof l=="number")n[0]+=l;else{if(typeof l=="boolean"||l===null||l===void 0)continue;if(typeof l=="object"&&l.isEscaped)if(l.callbacks)n.unshift("",l);else{const u=l.toString();u instanceof Promise?n.unshift("",u):n[0]+=u}else l instanceof Promise?n.unshift("",l):Zt(l.toString(),n)}}}return n[0]+=t[t.length-1],n.length===1?"callbacks"in n?gt(Zg(gt(n[0],n.callbacks))):gt(n[0]):Jg(n,n.callbacks)},uu=Symbol("RENDERER"),Zc=Symbol("ERROR_HANDLER"),Ae=Symbol("STASH"),Yg=Symbol("INTERNAL"),qb=Symbol("MEMO"),Ks=Symbol("PERMALINK"),Up=t=>(t[Yg]=!0,t),Xg=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:Up(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:Up(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[Zc]=s=>{throw t.pop(),s},i},Qg=t=>{const e=[t],n=Xg(e);return n.values=e,n.Provider=n,ar.push(n),n},ar=[],Mb=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new rm("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>gt(s,s.callbacks)):gt(i)};return n.values=e,n.Provider=n,n[uu]=Xg(e),ar.push(n),n},kr=t=>t.values.at(-1),Ki={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},Yc={},Wi="data-precedence",Ai=t=>Array.isArray(t)?t:[t],Vp=new WeakMap,qp=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Vp.get(s)||{};Vp.set(s,a);const c=a[t]||(a[t]=[]);let l=!1;const u=Ki[t];if(u.length>0){e:for(const[,p]of c)for(const h of u)if(((p==null?void 0:p[h])??null)===(n==null?void 0:n[h])){l=!0;break e}}if(l?i[0]=i[0].replaceAll(e,""):u.length>0?c.push([e,n,r]):c.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=c.map(([h])=>h);else{const h=[];p=c.map(([m,,v])=>{let f=h.indexOf(v);return f===-1&&(h.push(v),f=h.length-1),[m,f]}).sort((m,v)=>m[1]-v[1]).map(([m])=>m)}p.forEach(h=>{i[0]=i[0].replaceAll(h,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Ei=(t,e,n)=>gt(new mt(t,n,Ai(e??[])).toString()),Ii=(t,e,n,r)=>{if("itemProp"in n)return Ei(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[Wi]=i);const c=new mt(t,a,Ai(e||[])).toString();return c instanceof Promise?c.then(l=>gt(c,[...l.callbacks||[],qp(t,l,a,i)])):gt(c,[qp(t,c,a,i)])},Db=({children:t,...e})=>{const n=du();if(n){const r=kr(n);if(r==="svg"||r==="head")return new mt("title",e,Ai(t??[]))}return Ii("title",t,e,!1)},Hb=({children:t,...e})=>{const n=du();return["src","async"].some(r=>!e[r])||n&&kr(n)==="head"?Ei("script",t,e):Ii("script",t,e,!1)},Fb=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ii("style",t,e,!0)):Ei("style",t,e),Kb=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Ei("link",t,e):Ii("link",t,e,"precedence"in e),Wb=({children:t,...e})=>{const n=du();return n&&kr(n)==="head"?Ei("meta",t,e):Ii("meta",t,e,!1)},em=(t,{children:e,...n})=>new mt(t,n,Ai(e??[])),Gb=t=>(typeof t.action=="function"&&(t.action=Ks in t.action?t.action[Ks]:void 0),em("form",t)),tm=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=Ks in e.formAction?e.formAction[Ks]:void 0),em(t,e)),Jb=t=>tm("input",t),Zb=t=>tm("button",t);const ma=Object.freeze(Object.defineProperty({__proto__:null,button:Zb,form:Gb,input:Jb,link:Kb,meta:Wb,script:Hb,style:Fb,title:Db},Symbol.toStringTag,{value:"Module"}));var Yb=new Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),Ws=t=>Yb.get(t)||t,nm=(t,e)=>{for(const[n,r]of Object.entries(t)){const i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ni=void 0,du=()=>ni,Xb=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,Qb=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],e1=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],pu=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")Zt(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof mt?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):pu(i,e)}}},mt=class{constructor(t,e,n){te(this,"tag");te(this,"props");te(this,"key");te(this,"children");te(this,"isEscaped",!0);te(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?Zg(gt(t[0],t.callbacks)).toString():t[0]:Jg(t,t.callbacks)}toStringToBuffer(t){const e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ni&&kr(ni)==="svg"?s=>Xb(Ws(s)):s=>Ws(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let c="";nm(a,(l,u)=>{u!=null&&(c+=`${c?";":""}${l}:${u}`)}),t[0]+=' style="',Zt(c,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,Zt(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&e1.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw"Can only set one of `children` or `props.dangerouslySetInnerHTML`.";r=[gt(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on"))throw`Invalid prop '${s}' of type 'function' supplied to '${e}'.`}else t[0]+=` ${s}="`,Zt(a.toString(),t),t[0]+='"'}if(Qb.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",pu(r,t),t[0]+=`</${e}>`}},_a=class extends mt{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(ar.length===0)t.unshift("",n);else{const r=ar.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof mt&&(i.localContexts=r),i)))}else n instanceof mt?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):Zt(n,t)}},rm=class extends mt{toStringToBuffer(t){pu(this.children,t)}},t1=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=Gi(t,e,n);return i.key=r,i},Mp=!1,Gi=(t,e,n)=>{if(!Mp){for(const r in Yc)ma[r][uu]=Yc[r];Mp=!0}return typeof t=="function"?new _a(t,e,n):ma[t]?new _a(ma[t],e,n):t==="svg"||t==="head"?(ni||(ni=Mb("")),new mt(t,e,[new _a(ni,{value:t},n)])):new mt(t,e,n)},fu=({children:t})=>new rm("",{children:t},Array.isArray(t)?t:t?[t]:[]),n1=(t,e,...n)=>t1(t.tag,{...t.props,...e},...n);function y(t,e,n){let r;if(!e||!("children"in e))r=Gi(t,e,[]);else{const i=e.children;r=Array.isArray(i)?Gi(t,e,i):Gi(t,e,[i])}return r.key=n,r}const Dp={name:"sesamy",logoUrl:"https://assets.sesamy.com/static/images/email/sesamy-logo.png",style:{primaryColor:"#7D68F4",buttonTextColor:"#FFFFFF",primaryHoverColor:"#A091F2"},loginBackgroundImage:"",checkoutHideSocial:!1,supportEmail:"support@sesamy.com",supportUrl:"https://support.sesamy.com",siteUrl:"https://sesamy.com",termsAndConditionsUrl:"https://store.sesamy.com/pages/terms-of-service",manageSubscriptionsUrl:"https://account.sesamy.com/manage-subscriptions"};async function hu(t,e,n){if(!n&&!e)return Dp;const r=n||e;try{const i=await fetch(`${t.API_URL}/profile/vendors/${r}/style`);if(!i.ok)throw new Error("Failed to fetch vendor settings");const s=await i.json();return uf.parse(s)}catch(i){return console.error(i),Dp}}async function Ie(t,e){var l;const{env:n}=t,r=await n.data.loginSessions.get(t.var.tenant_id||"",e);if(!r)throw new z(400,{message:"Login session not found"});t.set("loginSession",r);const i=await Zo(n,r.authParams.client_id);t.set("client_id",i.id),t.set("tenant_id",i.tenant.id);const s=await n.data.tenants.get(i.tenant.id);if(!s)throw new z(400,{message:"Tenant not found"});const a=await hu(n,i.id,r.authParams.vendor_id),c=(l=r.authParams.ui_locales)==null?void 0:l.split(" ").map(u=>u.split("-")[0]).find(u=>{if(Array.isArray(P.options.supportedLngs))return P.options.supportedLngs.includes(u)});return await P.changeLanguage(c||s.language||"sv"),{vendorSettings:{...a,termsAndConditionsUrl:i.id==="fokus-app"?"https://www.fokus.se/kopvillkor-app/":a.termsAndConditionsUrl},client:i,tenant:s,loginSession:r}}async function r1(t,e,n,r){if(r!==void 0)return r==="password";const i=await ro({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});if(i){const a=await t.env.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,sort:{sort_by:"date",sort_order:"desc"},q:`type:${he.SUCCESS_LOGIN} user_id:${i.user_id}`}),[c]=a.logs.filter(l=>l.strategy&&["Username-Password-Authentication","passwordless","email"].includes(l.strategy));if(c)return c.strategy==="Username-Password-Authentication"}return(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const i1=({vendorSettings:t})=>t!=null&&t.logoUrl?y("div",{className:"flex h-9 items-center",children:y("img",{src:t.logoUrl,className:"max-h-full",alt:"Vendor logo"})}):y(fu,{}),s1=({vendorSettings:t})=>{const{termsAndConditionsUrl:e}=t;return y("div",{className:"mt-8",children:e&&y("div",{className:"text-xs text-gray-300",children:[P.t("agree_to")," ",y("a",{href:e,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:P.t("terms")})]})})};var im={exports:{}};/*!
+  </html>`}async function Tb({ctx:t,client:e,session:n,redirect_uri:r,state:i,nonce:s,code_challenge_method:a,code_challenge:c,audience:l,scope:u,response_type:p}){const{env:h}=t,m=new URL(r),v=`${m.protocol}//${m.host}`;async function f(ce="Login required"){const le=ve(t,{type:he.FAILED_SILENT_AUTH,description:ce});return await t.env.data.logs.create(e.tenant.id,le),t.html(Lp(v,JSON.stringify({error:"login_required",error_description:ce,state:i})))}if(!n||(n==null?void 0:n.expires_at)&&new Date(n.expires_at)<new Date||(n==null?void 0:n.idle_expires_at)&&new Date(n.idle_expires_at)<new Date)return f();t.set("user_id",n.user_id);const w=await h.data.users.get(e.tenant.id,n.user_id);if(!w)return console.error("User not found",n.user_id),f("User not found");t.set("username",w.email),t.set("connection",w.connection);const S={client:e,authParams:{client_id:e.id,audience:l,code_challenge_method:a,code_challenge:c,scope:u,state:i,nonce:s,response_type:p},user:w,session_id:n.id},C=p===Pt.CODE?await qf(t,S):await to(t,S);await h.data.sessions.update(e.tenant.id,n.id,{used_at:new Date().toISOString(),last_interaction_at:new Date().toISOString(),device:{...n.device,last_ip:t.req.header("x-real-ip")||"",last_user_agent:t.req.header("user-agent")||""},idle_expires_at:n.idle_expires_at?new Date(Date.now()+Qs*1e3).toISOString():void 0});const B=ve(t,{type:he.SUCCESS_SILENT_AUTH,description:"Successful silent authentication"});await t.env.data.logs.create(e.tenant.id,B);const L=new Headers;L.set("Server-Timing","cf-nel=0; no-cloudflare-insights=1");const Q=Of(e.tenant.id,n.id,t.req.header("host"));return L.set("set-cookie",Q),t.html(Lp(v,JSON.stringify(C)),{headers:L})}const Pb=new o.OpenAPIHono().openapi(o.createRoute({tags:["oauth"],method:"get",path:"/",request:{query:o.z.object({client_id:o.z.string(),vendor_id:o.z.string().optional(),redirect_uri:o.z.string(),scope:o.z.string().optional(),state:o.z.string(),prompt:o.z.string().optional(),response_mode:o.z.nativeEnum(Yt).optional(),response_type:o.z.nativeEnum(Pt).optional(),audience:o.z.string().optional(),connection:o.z.string().optional(),nonce:o.z.string().optional(),max_age:o.z.string().optional(),login_ticket:o.z.string().optional(),code_challenge_method:o.z.nativeEnum(Zs).optional(),code_challenge:o.z.string().optional(),realm:o.z.string().optional(),auth0Client:o.z.string().optional(),organization:o.z.string().optional(),login_hint:o.z.string().optional(),ui_locales:o.z.string().optional()})},responses:{200:{description:"Silent authentication page"},302:{description:"Redirect to the client's redirect uri"}}}),async t=>{const{env:e}=t,{client_id:n,vendor_id:r,redirect_uri:i,scope:s,state:a,audience:c,nonce:l,connection:u,response_type:p,response_mode:h,code_challenge:m,code_challenge_method:v,prompt:f,login_ticket:_,realm:w,auth0Client:S,login_hint:C,ui_locales:B,organization:L}=t.req.valid("query");t.set("log","authorize");const Q=await Zo(e,n);t.set("client_id",Q.id),t.set("tenant_id",Q.tenant.id);const ce={redirect_uri:i,scope:s,state:a,client_id:n,vendor_id:r,audience:c,nonce:l,prompt:f,response_type:p,response_mode:h,code_challenge:m,code_challenge_method:v,username:C,ui_locales:B,organization:L},le=t.req.header("origin");if(le&&!jb(le,Q.web_origins||[]))throw new z(403,{message:`Origin ${le} not allowed`});if(ce.redirect_uri&&!Yo(ce.redirect_uri,Q.callbacks||[],{allowPathWildcards:!0}))throw new z(400,{message:`Invalid redirect URI - ${ce.redirect_uri}`});const qe=cs(Q.tenant.id,t.req.header("cookie")),Me=qe?await e.data.sessions.get(Q.tenant.id,qe):void 0;if(f=="none"){if(!p)throw new z(400,{message:"Missing response_type"});return Tb({ctx:t,session:Me||void 0,redirect_uri:i,state:a,response_type:p,client:Q,nonce:l,code_challenge_method:v,code_challenge:m,audience:c,scope:s})}return u&&u!=="email"?pb(t,Q,u,ce):_?Bb(t,Q.tenant.id,_,ce,w):$b({ctx:t,client:Q,auth0Client:S,authParams:ce,session:Me||void 0,connection:u,login_hint:C})});function Rb(t){const e=new o.OpenAPIHono;e.use(async(r,i)=>(r.env.data=no(r,t.dataAdapter),i())),e.use(Tg(e));const n=e.route("/v2/logout",hb).route("/userinfo",gb).route("/.well-known",mb).route("/oauth/token",Sb).route("/dbconnections",Ib).route("/passwordless",zb).route("/co/authenticate",Cb).route("/authorize",Pb).route("/callback",fb);return n.doc("/spec",{openapi:"3.0.0",info:{version:"1.0.0",title:"Oauth API"},security:[{oauth2:["openid","email","profile"]}]}),Bg(n),n}var Lb={Stringify:1,BeforeStream:2,Stream:3},gt=(t,e)=>{const n=new String(t);return n.isEscaped=!0,n.callbacks=e,n},Ub=/[&<>'"]/,Jg=async(t,e)=>{let n="";e||(e=[]);const r=await Promise.all(t);for(let i=r.length-1;n+=r[i],i--,!(i<0);i--){let s=r[i];typeof s=="object"&&e.push(...s.callbacks||[]);const a=s.isEscaped;if(s=await(typeof s=="object"?s.toString():s),typeof s=="object"&&e.push(...s.callbacks||[]),s.isEscaped??a)n+=s;else{const c=[n];Zt(s,c),n=c[0]}}return gt(n,e)},Zt=(t,e)=>{const n=t.search(Ub);if(n===-1){e[0]+=t;return}let r,i,s=0;for(i=n;i<t.length;i++){switch(t.charCodeAt(i)){case 34:r="&quot;";break;case 39:r="&#39;";break;case 38:r="&amp;";break;case 60:r="&lt;";break;case 62:r="&gt;";break;default:continue}e[0]+=t.substring(s,i)+r,s=i+1}e[0]+=t.substring(s,i)},Zg=t=>{const e=t.callbacks;if(!(e!=null&&e.length))return t;const n=[t],r={};return e.forEach(i=>i({phase:Lb.Stringify,buffer:n,context:r})),n[0]},Vb=(t,...e)=>{const n=[""];for(let r=0,i=t.length-1;r<i;r++){n[0]+=t[r];const s=Array.isArray(e[r])?e[r].flat(1/0):[e[r]];for(let a=0,c=s.length;a<c;a++){const l=s[a];if(typeof l=="string")Zt(l,n);else if(typeof l=="number")n[0]+=l;else{if(typeof l=="boolean"||l===null||l===void 0)continue;if(typeof l=="object"&&l.isEscaped)if(l.callbacks)n.unshift("",l);else{const u=l.toString();u instanceof Promise?n.unshift("",u):n[0]+=u}else l instanceof Promise?n.unshift("",l):Zt(l.toString(),n)}}}return n[0]+=t[t.length-1],n.length===1?"callbacks"in n?gt(Zg(gt(n[0],n.callbacks))):gt(n[0]):Jg(n,n.callbacks)},uu=Symbol("RENDERER"),Zc=Symbol("ERROR_HANDLER"),Ae=Symbol("STASH"),Yg=Symbol("INTERNAL"),qb=Symbol("MEMO"),Ks=Symbol("PERMALINK"),Up=t=>(t[Yg]=!0,t),Xg=t=>({value:e,children:n})=>{if(!n)return;const r={children:[{tag:Up(()=>{t.push(e)}),props:{}}]};Array.isArray(n)?r.children.push(...n.flat()):r.children.push(n),r.children.push({tag:Up(()=>{t.pop()}),props:{}});const i={tag:"",props:r,type:""};return i[Zc]=s=>{throw t.pop(),s},i},Qg=t=>{const e=[t],n=Xg(e);return n.values=e,n.Provider=n,ar.push(n),n},ar=[],Mb=t=>{const e=[t],n=r=>{e.push(r.value);let i;try{i=r.children?(Array.isArray(r.children)?new rm("",{},r.children):r.children).toString():""}finally{e.pop()}return i instanceof Promise?i.then(s=>gt(s,s.callbacks)):gt(i)};return n.values=e,n.Provider=n,n[uu]=Xg(e),ar.push(n),n},kr=t=>t.values.at(-1),Ki={title:[],script:["src"],style:["data-href"],link:["href"],meta:["name","httpEquiv","charset","itemProp"]},Yc={},Wi="data-precedence",Ai=t=>Array.isArray(t)?t:[t],Vp=new WeakMap,qp=(t,e,n,r)=>({buffer:i,context:s})=>{if(!i)return;const a=Vp.get(s)||{};Vp.set(s,a);const c=a[t]||(a[t]=[]);let l=!1;const u=Ki[t];if(u.length>0){e:for(const[,p]of c)for(const h of u)if(((p==null?void 0:p[h])??null)===(n==null?void 0:n[h])){l=!0;break e}}if(l?i[0]=i[0].replaceAll(e,""):u.length>0?c.push([e,n,r]):c.unshift([e,n,r]),i[0].indexOf("</head>")!==-1){let p;if(r===void 0)p=c.map(([h])=>h);else{const h=[];p=c.map(([m,,v])=>{let f=h.indexOf(v);return f===-1&&(h.push(v),f=h.length-1),[m,f]}).sort((m,v)=>m[1]-v[1]).map(([m])=>m)}p.forEach(h=>{i[0]=i[0].replaceAll(h,"")}),i[0]=i[0].replace(/(?=<\/head>)/,p.join(""))}},Ei=(t,e,n)=>gt(new mt(t,n,Ai(e??[])).toString()),Ii=(t,e,n,r)=>{if("itemProp"in n)return Ei(t,e,n);let{precedence:i,blocking:s,...a}=n;i=r?i??"":void 0,r&&(a[Wi]=i);const c=new mt(t,a,Ai(e||[])).toString();return c instanceof Promise?c.then(l=>gt(c,[...l.callbacks||[],qp(t,l,a,i)])):gt(c,[qp(t,c,a,i)])},Db=({children:t,...e})=>{const n=du();if(n){const r=kr(n);if(r==="svg"||r==="head")return new mt("title",e,Ai(t??[]))}return Ii("title",t,e,!1)},Hb=({children:t,...e})=>{const n=du();return["src","async"].some(r=>!e[r])||n&&kr(n)==="head"?Ei("script",t,e):Ii("script",t,e,!1)},Fb=({children:t,...e})=>["href","precedence"].every(n=>n in e)?(e["data-href"]=e.href,delete e.href,Ii("style",t,e,!0)):Ei("style",t,e),Kb=({children:t,...e})=>["onLoad","onError"].some(n=>n in e)||e.rel==="stylesheet"&&(!("precedence"in e)||"disabled"in e)?Ei("link",t,e):Ii("link",t,e,"precedence"in e),Wb=({children:t,...e})=>{const n=du();return n&&kr(n)==="head"?Ei("meta",t,e):Ii("meta",t,e,!1)},em=(t,{children:e,...n})=>new mt(t,n,Ai(e??[])),Gb=t=>(typeof t.action=="function"&&(t.action=Ks in t.action?t.action[Ks]:void 0),em("form",t)),tm=(t,e)=>(typeof e.formAction=="function"&&(e.formAction=Ks in e.formAction?e.formAction[Ks]:void 0),em(t,e)),Jb=t=>tm("input",t),Zb=t=>tm("button",t);const ma=Object.freeze(Object.defineProperty({__proto__:null,button:Zb,form:Gb,input:Jb,link:Kb,meta:Wb,script:Hb,style:Fb,title:Db},Symbol.toStringTag,{value:"Module"}));var Yb=new Map([["className","class"],["htmlFor","for"],["crossOrigin","crossorigin"],["httpEquiv","http-equiv"],["itemProp","itemprop"],["fetchPriority","fetchpriority"],["noModule","nomodule"],["formAction","formaction"]]),Ws=t=>Yb.get(t)||t,nm=(t,e)=>{for(const[n,r]of Object.entries(t)){const i=n[0]==="-"||!/[A-Z]/.test(n)?n:n.replace(/[A-Z]/g,s=>`-${s.toLowerCase()}`);e(i,r==null?null:typeof r=="number"?i.match(/^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/)?`${r}`:`${r}px`:r)}},ni=void 0,du=()=>ni,Xb=t=>/[A-Z]/.test(t)&&t.match(/^(?:al|basel|clip(?:Path|Rule)$|co|do|fill|fl|fo|gl|let|lig|i|marker[EMS]|o|pai|pointe|sh|st[or]|text[^L]|tr|u|ve|w)/)?t.replace(/([A-Z])/g,"-$1").toLowerCase():t,Qb=["area","base","br","col","embed","hr","img","input","keygen","link","meta","param","source","track","wbr"],e1=["allowfullscreen","async","autofocus","autoplay","checked","controls","default","defer","disabled","download","formnovalidate","hidden","inert","ismap","itemscope","loop","multiple","muted","nomodule","novalidate","open","playsinline","readonly","required","reversed","selected"],pu=(t,e)=>{for(let n=0,r=t.length;n<r;n++){const i=t[n];if(typeof i=="string")Zt(i,e);else{if(typeof i=="boolean"||i===null||i===void 0)continue;i instanceof mt?i.toStringToBuffer(e):typeof i=="number"||i.isEscaped?e[0]+=i:i instanceof Promise?e.unshift("",i):pu(i,e)}}},mt=class{constructor(t,e,n){te(this,"tag");te(this,"props");te(this,"key");te(this,"children");te(this,"isEscaped",!0);te(this,"localContexts");this.tag=t,this.props=e,this.children=n}get type(){return this.tag}get ref(){return this.props.ref||null}toString(){var e,n;const t=[""];(e=this.localContexts)==null||e.forEach(([r,i])=>{r.values.push(i)});try{this.toStringToBuffer(t)}finally{(n=this.localContexts)==null||n.forEach(([r])=>{r.values.pop()})}return t.length===1?"callbacks"in t?Zg(gt(t[0],t.callbacks)).toString():t[0]:Jg(t,t.callbacks)}toStringToBuffer(t){const e=this.tag,n=this.props;let{children:r}=this;t[0]+=`<${e}`;const i=ni&&kr(ni)==="svg"?s=>Xb(Ws(s)):s=>Ws(s);for(let[s,a]of Object.entries(n))if(s=i(s),s!=="children"){if(s==="style"&&typeof a=="object"){let c="";nm(a,(l,u)=>{u!=null&&(c+=`${c?";":""}${l}:${u}`)}),t[0]+=' style="',Zt(c,t),t[0]+='"'}else if(typeof a=="string")t[0]+=` ${s}="`,Zt(a,t),t[0]+='"';else if(a!=null)if(typeof a=="number"||a.isEscaped)t[0]+=` ${s}="${a}"`;else if(typeof a=="boolean"&&e1.includes(s))a&&(t[0]+=` ${s}=""`);else if(s==="dangerouslySetInnerHTML"){if(r.length>0)throw"Can only set one of `children` or `props.dangerouslySetInnerHTML`.";r=[gt(a.__html)]}else if(a instanceof Promise)t[0]+=` ${s}="`,t.unshift('"',a);else if(typeof a=="function"){if(!s.startsWith("on"))throw`Invalid prop '${s}' of type 'function' supplied to '${e}'.`}else t[0]+=` ${s}="`,Zt(a.toString(),t),t[0]+='"'}if(Qb.includes(e)&&r.length===0){t[0]+="/>";return}t[0]+=">",pu(r,t),t[0]+=`</${e}>`}},_a=class extends mt{toStringToBuffer(t){const{children:e}=this,n=this.tag.call(null,{...this.props,children:e.length<=1?e[0]:e});if(!(typeof n=="boolean"||n==null))if(n instanceof Promise)if(ar.length===0)t.unshift("",n);else{const r=ar.map(i=>[i,i.values.at(-1)]);t.unshift("",n.then(i=>(i instanceof mt&&(i.localContexts=r),i)))}else n instanceof mt?n.toStringToBuffer(t):typeof n=="number"||n.isEscaped?(t[0]+=n,n.callbacks&&(t.callbacks||(t.callbacks=[]),t.callbacks.push(...n.callbacks))):Zt(n,t)}},rm=class extends mt{toStringToBuffer(t){pu(this.children,t)}},t1=(t,e,...n)=>{e??(e={}),n.length&&(e.children=n.length===1?n[0]:n);const r=e.key;delete e.key;const i=Gi(t,e,n);return i.key=r,i},Mp=!1,Gi=(t,e,n)=>{if(!Mp){for(const r in Yc)ma[r][uu]=Yc[r];Mp=!0}return typeof t=="function"?new _a(t,e,n):ma[t]?new _a(ma[t],e,n):t==="svg"||t==="head"?(ni||(ni=Mb("")),new mt(t,e,[new _a(ni,{value:t},n)])):new mt(t,e,n)},fu=({children:t})=>new rm("",{children:t},Array.isArray(t)?t:t?[t]:[]),n1=(t,e,...n)=>t1(t.tag,{...t.props,...e},...n);function y(t,e,n){let r;if(!e||!("children"in e))r=Gi(t,e,[]);else{const i=e.children;r=Array.isArray(i)?Gi(t,e,i):Gi(t,e,[i])}return r.key=n,r}const Dp={name:"sesamy",logoUrl:"https://assets.sesamy.com/static/images/email/sesamy-logo.png",style:{primaryColor:"#7D68F4",buttonTextColor:"#FFFFFF",primaryHoverColor:"#A091F2"},loginBackgroundImage:"",checkoutHideSocial:!1,supportEmail:"support@sesamy.com",supportUrl:"https://support.sesamy.com",siteUrl:"https://sesamy.com",termsAndConditionsUrl:"https://store.sesamy.com/pages/terms-of-service",manageSubscriptionsUrl:"https://account.sesamy.com/manage-subscriptions"};async function hu(t,e,n){if(!n&&!e)return Dp;const r=n||e;try{const i=await fetch(`${t.API_URL}/profile/vendors/${r}/style`);if(!i.ok)throw new Error("Failed to fetch vendor settings");const s=await i.json();return uf.parse(s)}catch(i){return console.error(i),Dp}}async function Ie(t,e,n=!1){var u;const{env:r}=t,i=await r.data.loginSessions.get(t.var.tenant_id||"",e);if(i)i.session_id;else throw new z(400,{message:"Login session not found"});t.set("loginSession",i);const s=await Zo(r,i.authParams.client_id);t.set("client_id",s.id),t.set("tenant_id",s.tenant.id);const a=await r.data.tenants.get(s.tenant.id);if(a){if(i.session_id&&!n)throw new z(400,{message:"Login session closed"})}else throw new z(400,{message:"Tenant not found"});const c=await hu(r,s.id,i.authParams.vendor_id),l=(u=i.authParams.ui_locales)==null?void 0:u.split(" ").map(p=>p.split("-")[0]).find(p=>{if(Array.isArray(P.options.supportedLngs))return P.options.supportedLngs.includes(p)});return await P.changeLanguage(l||a.language||"sv"),{vendorSettings:{...c,termsAndConditionsUrl:s.id==="fokus-app"?"https://www.fokus.se/kopvillkor-app/":c.termsAndConditionsUrl},client:s,tenant:a,loginSession:i}}async function r1(t,e,n,r){if(r!==void 0)return r==="password";const i=await ro({userAdapter:t.env.data.users,tenant_id:e.tenant.id,email:n});if(i){const a=await t.env.data.logs.list(e.tenant.id,{page:0,per_page:10,include_totals:!1,sort:{sort_by:"date",sort_order:"desc"},q:`type:${he.SUCCESS_LOGIN} user_id:${i.user_id}`}),[c]=a.logs.filter(l=>l.strategy&&["Username-Password-Authentication","passwordless","email"].includes(l.strategy));if(c)return c.strategy==="Username-Password-Authentication"}return(await t.env.data.promptSettings.get(e.tenant.id)).password_first}const i1=({vendorSettings:t})=>t!=null&&t.logoUrl?y("div",{className:"flex h-9 items-center",children:y("img",{src:t.logoUrl,className:"max-h-full",alt:"Vendor logo"})}):y(fu,{}),s1=({vendorSettings:t})=>{const{termsAndConditionsUrl:e}=t;return y("div",{className:"mt-8",children:e&&y("div",{className:"text-xs text-gray-300",children:[P.t("agree_to")," ",y("a",{href:e,className:"text-primary hover:underline",target:"_blank",rel:"noreferrer",children:P.t("terms")})]})})};var im={exports:{}};/*!
 	Copyright (c) 2018 Jed Watson.
 	Licensed under the MIT License (MIT), see
 	http://jedwatson.github.io/classnames

package/dist/authhero.mjs

@@ -5659,7 +5659,11 @@ async function Ef(t, { user: e, client: n, loginSession: r }) {
       last_asn: ""
     },
     clients: [n.id]
-  }), { scope: s, audience: o } = r.authParams, c = s != null && s.split(" ").includes("offline_access") ? await Y0(t, {
+  });
+  await t.env.data.loginSessions.update(n.tenant.id, r.id, {
+    session_id: i.id
+  });
+  const { scope: s, audience: o } = r.authParams, c = s != null && s.split(" ").includes("offline_access") ? await Y0(t, {
     session_id: i.id,
     user: e,
     client: n,
@@ -20632,40 +20636,43 @@ async function cu(t, e, n) {
     return console.error(i), qp;
   }
 }
-async function Ce(t, e) {
-  var l;
-  const { env: n } = t, r = await n.data.loginSessions.get(
+async function Ce(t, e, n = !1) {
+  var u;
+  const { env: r } = t, i = await r.data.loginSessions.get(
     t.var.tenant_id || "",
     e
   );
-  if (!r)
-    throw new N(400, { message: "Login session not found" });
-  t.set("loginSession", r);
-  const i = await Mo(
-    n,
-    r.authParams.client_id
+  if (i)
+    i.session_id;
+  else throw new N(400, { message: "Login session not found" });
+  t.set("loginSession", i);
+  const s = await Mo(
+    r,
+    i.authParams.client_id
   );
-  t.set("client_id", i.id), t.set("tenant_id", i.tenant.id);
-  const s = await n.data.tenants.get(i.tenant.id);
-  if (!s)
-    throw new N(400, { message: "Tenant not found" });
-  const o = await cu(
-    n,
-    i.id,
-    r.authParams.vendor_id
-  ), c = (l = r.authParams.ui_locales) == null ? void 0 : l.split(" ").map((u) => u.split("-")[0]).find((u) => {
+  t.set("client_id", s.id), t.set("tenant_id", s.tenant.id);
+  const o = await r.data.tenants.get(s.tenant.id);
+  if (o) {
+    if (i.session_id && !n)
+      throw new N(400, { message: "Login session closed" });
+  } else throw new N(400, { message: "Tenant not found" });
+  const c = await cu(
+    r,
+    s.id,
+    i.authParams.vendor_id
+  ), l = (u = i.authParams.ui_locales) == null ? void 0 : u.split(" ").map((p) => p.split("-")[0]).find((p) => {
     if (Array.isArray(R.options.supportedLngs))
-      return R.options.supportedLngs.includes(u);
+      return R.options.supportedLngs.includes(p);
   });
-  return await R.changeLanguage(c || s.language || "sv"), {
+  return await R.changeLanguage(l || o.language || "sv"), {
     vendorSettings: {
-      ...o,
+      ...c,
       // HACK: Change the terms and conditions for fokus app
-      termsAndConditionsUrl: i.id === "fokus-app" ? "https://www.fokus.se/kopvillkor-app/" : o.termsAndConditionsUrl
+      termsAndConditionsUrl: s.id === "fokus-app" ? "https://www.fokus.se/kopvillkor-app/" : c.termsAndConditionsUrl
     },
-    client: i,
-    tenant: s,
-    loginSession: r
+    client: s,
+    tenant: o,
+    loginSession: i
   };
 }
 async function Xb(t, e, n, r) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.97.0",
+  "version": "0.98.0",
   "files": [
     "dist"
   ],