better-auth 1.0.2 → 1.0.3
- package/dist/adapters/drizzle.d.cts +1 -1
- package/dist/adapters/drizzle.d.ts +1 -1
- package/dist/adapters/kysely.d.cts +1 -1
- package/dist/adapters/kysely.d.ts +1 -1
- package/dist/adapters/memory.d.cts +1 -1
- package/dist/adapters/memory.d.ts +1 -1
- package/dist/adapters/mongodb.d.cts +1 -1
- package/dist/adapters/mongodb.d.ts +1 -1
- package/dist/adapters/prisma.d.cts +1 -1
- package/dist/adapters/prisma.d.ts +1 -1
- package/dist/api.cjs +4 -4
- package/dist/api.d.cts +1 -1
- package/dist/api.d.ts +1 -1
- package/dist/api.js +4 -4
- package/dist/{auth-BVa3db5J.d.cts → auth-BubrmklB.d.cts} +5 -1
- package/dist/{auth-5eyWphKM.d.ts → auth-DF-f5DGM.d.ts} +5 -1
- package/dist/client/plugins.d.cts +3 -3
- package/dist/client/plugins.d.ts +3 -3
- package/dist/client.d.cts +1 -1
- package/dist/client.d.ts +1 -1
- package/dist/cookies.d.cts +1 -1
- package/dist/cookies.d.ts +1 -1
- package/dist/db.d.cts +2 -2
- package/dist/db.d.ts +2 -2
- package/dist/{index-x5P1hIyV.d.cts → index-CwnHFdnT.d.cts} +2345 -65
- package/dist/{index-CX-Hopog.d.ts → index-aMRluDla.d.ts} +2345 -65
- package/dist/index.cjs +4 -4
- package/dist/index.d.cts +2 -2
- package/dist/index.d.ts +2 -2
- package/dist/index.js +4 -4
- package/dist/next-js.d.cts +1 -1
- package/dist/next-js.d.ts +1 -1
- package/dist/node.d.cts +1 -1
- package/dist/node.d.ts +1 -1
- package/dist/oauth2.d.cts +2 -2
- package/dist/oauth2.d.ts +2 -2
- package/dist/plugins.cjs +7 -7
- package/dist/plugins.d.cts +233 -8
- package/dist/plugins.d.ts +233 -8
- package/dist/plugins.js +7 -7
- package/dist/react.d.cts +1 -1
- package/dist/react.d.ts +1 -1
- package/dist/solid-start.d.cts +1 -1
- package/dist/solid-start.d.ts +1 -1
- package/dist/solid.d.cts +1 -1
- package/dist/solid.d.ts +1 -1
- package/dist/{state-CYO8U5dl.d.cts → state-CQJXHclh.d.cts} +1 -1
- package/dist/{state-BpBNrIEi.d.ts → state-C_runTlH.d.ts} +1 -1
- package/dist/svelte-kit.d.cts +1 -1
- package/dist/svelte-kit.d.ts +1 -1
- package/dist/svelte.d.cts +1 -1
- package/dist/svelte.d.ts +1 -1
- package/dist/types.d.cts +2 -2
- package/dist/types.d.ts +2 -2
- package/dist/vue.d.cts +1 -1
- package/dist/vue.d.ts +1 -1
- package/package.json +1 -1
package/dist/plugins.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import{APIError as Si}from"better-call";import{z as Se}from"zod";import{createEndpointCreator as dt,createMiddleware as bo,createMiddlewareCreator as Kt}from"better-call";var vo=bo(async()=>({})),U=Kt({use:[vo,bo(async()=>({}))]}),K=dt({use:[vo]});import{APIError as q}from"better-call";import{z as x}from"zod";import{TimeSpan as mn}from"oslo";import{base64url as mt}from"oslo/encoding";import{HMAC as ko,sha256 as an}from"oslo/crypto";async function ut({value:e,secret:t}){return new ko("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function lt({value:e,signature:t,secret:i}){return new ko("SHA-256").verify(new TextEncoder().encode(i),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Le={sign:ut,verify:lt};var G=class extends Error{constructor(t,i){super(t),this.name="BetterAuthError",this.message=t,this.cause=i,this.stack=""}};var I=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var Fe=Object.create(null),Te=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Fe:globalThis),Y=new Proxy(Fe,{get(e,t){return Te()[t]??Fe[t]},has(e,t){let i=Te();return t in i||t in Fe},set(e,t,i){let o=Te(!0);return o[t]=i,!0},deleteProperty(e,t){if(!t)return!1;let i=Te(!0);return delete i[t],!0},ownKeys(){let e=Te(!0);return Object.keys(e)}});function pt(e){return e?e!=="false":!1}var no=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var To=no==="dev"||no==="development",gt=no==="test"||pt(Y.TEST);function Ve(e){let t=new Map;return e.split(", ").forEach(o=>{let r=o.split(";").map(l=>l.trim()),[n,...a]=r,[s,...A]=n.split("="),d=A.join("=");if(!s||d===void 0){console.warn(`Malformed cookie: ${o}`);return}let c={value:d};a.forEach(l=>{let[u,...p]=l.split("="),h=p.join("="),k=u.trim().toLowerCase();switch(k){case"max-age":c["max-age"]=h?parseInt(h.trim(),10):void 0;break;case"expires":c.expires=h?new Date(h.trim()):void 0;break;case"domain":c.domain=h?h.trim():void 
0;break;case"path":c.path=h?h.trim():void 0;break;case"secure":c.secure=!0;break;case"httponly":c.httponly=!0;break;case"samesite":c.samesite=h?h.trim().toLowerCase():void 0;break;default:c[k]=h?h.trim():!0;break}}),t.set(s,c)}),t}async function m(e,t,i,o){let r=e.context.authCookies.sessionToken.options,n=i?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...r,maxAge:n,...o}),i&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(mt.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:I(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Le.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function V(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function Oe(e){let t=e.split("; "),i=new Map;return t.forEach(o=>{let[r,n]=o.split("=");i.set(r,n)}),i}import{betterFetch as bt}from"@better-fetch/fetch";import{APIError as vt}from"better-call";import{decodeProtectedHeader as kt,importJWK as Tt,jwtVerify as Ot}from"jose";import{parseJWT as It}from"oslo/jwt";import{sha256 as ft}from"oslo/crypto";import{base64url as ht}from"oslo/encoding";async function Oo(e){let t=await ft(new TextEncoder().encode(e));return 
ht.encode(new Uint8Array(t),{includePadding:!1})}function Io(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?I(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function E({id:e,options:t,authorizationEndpoint:i,state:o,codeVerifier:r,scopes:n,claims:a,redirectURI:s}){let A=new URL(i);if(A.searchParams.set("response_type","code"),A.searchParams.set("client_id",t.clientId),A.searchParams.set("state",o),A.searchParams.set("scope",n.join(" ")),A.searchParams.set("redirect_uri",t.redirectURI||s),r){let d=await Oo(r);A.searchParams.set("code_challenge_method","S256"),A.searchParams.set("code_challenge",d)}if(a){let d=a.reduce((c,l)=>(c[l]=null,c),{});A.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return A}import{betterFetch as yt}from"@better-fetch/fetch";async function O({code:e,codeVerifier:t,redirectURI:i,options:o,tokenEndpoint:r,authentication:n}){let a=new URLSearchParams,s={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",i),n==="basic"){let l=btoa(`${o.clientId}:${o.clientSecret}`);s.authorization=`Basic ${l}`}else a.set("client_id",o.clientId),a.set("client_secret",o.clientSecret);let{data:A,error:d}=await yt(r,{method:"POST",body:a,headers:s});if(d)throw d;return Io(A)}import{generateCodeVerifier as wt,generateState as Ct}from"oslo/oauth2";import{z as ce}from"zod";import{APIError as Ro}from"better-call";function me(e){try{return new URL(e).origin}catch{return null}}async function fe(e,t){let i=e.body?.callbackURL||(e.query?.currentURL?me(e.query?.currentURL):"")||e.context.options.baseURL;if(!i)throw new Ro("BAD_REQUEST",{message:"callbackURL is required"});let 
o=wt(),r=Ct(),n=JSON.stringify({callbackURL:i,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:n,identifier:r,expiresAt:a});if(!s)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Ro("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function qe(e){let t=e.query.state||e.body.state,i=await e.context.internalAdapter.findVerificationValue(t);if(!i)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=ce.object({callbackURL:ce.string(),codeVerifier:ce.string(),errorURL:ce.string().optional(),expiresAt:ce.number(),link:ce.object({email:ce.string(),userId:ce.string()}).optional()}).parse(JSON.parse(i.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(i.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(i.id),o}var Uo=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:i,scopes:o,redirectURI:r}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${r||e.redirectURI}&scope=${n.join(" ")}&state=${i}&response_mode=form_post`)},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async 
verifyIdToken(i,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(i,o);let r=kt(i),{kid:n,alg:a}=r;if(!n||!a)return!1;let s=await Rt(n),{payload:A}=await Ot(i,s,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{A[d]!==void 0&&(A[d]=!!A[d])}),o&&A.nonce!==o?!1:!!A},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=It(i.idToken)?.payload;if(!o)return null;let r=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:r,emailVerified:!1,email:o.email},data:o}}}},Rt=async e=>{let t="https://appleid.apple.com",i="/auth/keys",{data:o}=await bt(`${t}${i}`);if(!o?.keys)throw new vt("BAD_REQUEST",{message:"Keys not found"});let r=o.keys.find(n=>n.kid===e);if(!r)throw new Error(`JWK with kid ${e} not found`);return await Tt(r,r.alg)};import{betterFetch as Ut}from"@better-fetch/fetch";var Eo=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["identify","email"];return e.scope&&r.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${r.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Ut("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(i.avatar===null){let r=i.discriminator==="0"?Number(BigInt(i.id)>>BigInt(22))%6:parseInt(i.discriminator)%5;i.image_url=`https://cdn.discordapp.com/embed/avatars/${r}.png`}else{let 
r=i.avatar.startsWith("a_")?"gif":"png";i.image_url=`https://cdn.discordapp.com/avatars/${i.id}/${i.avatar}.${r}`}return{user:{id:i.id,name:i.display_name||i.username||"",email:i.email,emailVerified:i.verified,image:i.image_url},data:i}}});import{betterFetch as Et}from"@better-fetch/fetch";var Po=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["email","public_profile"];return e.scope&&r.push(...e.scope),await E({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:r,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Et("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:i.id,name:i.name,email:i.email,image:i.picture.data.url,emailVerified:i.email_verified},data:i}}});import{betterFetch as So}from"@better-fetch/fetch";var Do=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:i,scopes:o,codeVerifier:r,redirectURI:n}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),E({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:i,redirectURI:n})},validateAuthorizationCode:async({code:i,redirectURI:o})=>O({code:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await So("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${i.accessToken}`}});if(r)return null;let n=!1;if(!o.email){let{data:a,error:s}=await So("https://api.github.com/user/emails",{headers:{authorization:`Bearer 
${i.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(A=>A.primary)??a[0])?.email,n=a.find(A=>A.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n},data:o}}}};import{parseJWT as xt}from"oslo/jwt";import{createConsola as Pt}from"consola";var so=["info","success","warn","error","debug"];function St(e,t){return so.indexOf(t)<=so.indexOf(e)}var Dt=Pt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),xo=e=>{let t=e?.disabled!==!0,i=e?.level??"error",o=(r,n,a=[])=>{if(!(!t||!St(i,r))){if(!e||typeof e.log!="function"){Dt[r]("",n,...a);return}e.log(r==="success"?"info":r,n,a)}};return Object.fromEntries(so.map(r=>[r,(...[n,...a])=>o(r,n,a)]))},$=xo();import{betterFetch as zt}from"@better-fetch/fetch";var zo=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){if(!e.clientId||!e.clientSecret)throw $.error("Client Id and Client Secret is required for Google. 
Make sure to provide them in the options."),new G("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new G("codeVerifier is required for Google");let n=i||["email","profile","openid"];e.scope&&n.push(...e.scope);let a=await E({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:r});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,i){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,i);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:r}=await zt(o);return r?r.aud===e.clientId&&r.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let i=xt(t.idToken)?.payload;return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:i.email_verified},data:i}}});import{betterFetch as Bt}from"@better-fetch/fetch";import{parseJWT as jt}from"oslo/jwt";var Bo=e=>{let t=e.tenantId||"common",i=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(r){let n=r.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),E({id:"microsoft",options:e,authorizationEndpoint:i,state:r.state,codeVerifier:r.codeVerifier,scopes:n,redirectURI:r.redirectURI})},validateAuthorizationCode({code:r,codeVerifier:n,redirectURI:a}){return O({code:r,codeVerifier:n,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let 
n=jt(r.idToken)?.payload,a=e.profilePhotoSize||48;return await Bt(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${r.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let d=await s.response.clone().arrayBuffer(),c=Buffer.from(d).toString("base64");n.picture=`data:image/jpeg;base64, ${c}`}catch(A){$.error(A&&typeof A=="object"&&"name"in A?A.name:"",A)}}}),{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0},data:n}}}};import{betterFetch as Nt}from"@better-fetch/fetch";var jo=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){let n=i||["user-read-email"];return e.scope&&n.push(...e.scope),E({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:r})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Nt("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.id,name:i.display_name,email:i.email,image:i.images[0]?.url,emailVerified:!1},data:i}}});var he={isAction:!1};import{nanoid as _t}from"nanoid";var _=e=>_t(e);import{parseJWT as Lt}from"oslo/jwt";var No=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["user:read:email","openid"];return 
e.scope&&r.push(...e.scope),E({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:r,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let i=t.idToken;if(!i)return $.error("No idToken found in token"),null;let o=Lt(i)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});import{betterFetch as Ft}from"@better-fetch/fetch";var _o=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let i=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&i.push(...e.scope),E({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:i,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Ft("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.data.id,name:i.data.name,email:i.data.email||null,image:i.data.profile_image_url,emailVerified:i.data.verified||!1},data:i}}});import{betterFetch as Vt}from"@better-fetch/fetch";var Lo=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:i,scopes:o,codeVerifier:r,redirectURI:n})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await 
E({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:i,redirectURI:n,codeVerifier:r})},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>await O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await Vt("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${i.accessToken}`}});return r?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};import{betterFetch as qt}from"@better-fetch/fetch";var Fo=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",i="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:r,redirectURI:n})=>{let a=r||["profile","email","openid"];return e.scope&&a.push(...e.scope),await E({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:r})=>await O({code:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async getUserInfo(o){let{data:r,error:n}=await qt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return n?null:{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified||!1,image:r.picture},data:r}}}};import{betterFetch as Mt}from"@better-fetch/fetch";var ao=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Ht=e=>{let 
t=e||"https://gitlab.com";return{authorizationEndpoint:ao(`${t}/oauth/authorize`),tokenEndpoint:ao(`${t}/oauth/token`),userinfoEndpoint:ao(`${t}/api/v4/user`)}},Vo=e=>{let{authorizationEndpoint:t,tokenEndpoint:i,userinfoEndpoint:o}=Ht(e.issuer),r="gitlab";return{id:r,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:A,redirectURI:d})=>{let c=s||["read_user"];return e.scope&&c.push(...e.scope),await E({id:r,options:e,authorizationEndpoint:t,scopes:c,state:a,redirectURI:d,codeVerifier:A})},validateAuthorizationCode:async({code:a,redirectURI:s,codeVerifier:A})=>O({code:a,redirectURI:e.redirectURI||s,options:e,codeVerifier:A,tokenEndpoint:i}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:s,error:A}=await Mt(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return A||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var Qt={apple:Uo,discord:Eo,facebook:Po,github:Do,microsoft:Bo,google:zo,spotify:jo,twitch:No,twitter:_o,dropbox:Lo,linkedin:Fo,gitlab:Vo},Me=Object.keys(Qt);import{TimeSpan as $t}from"oslo";import{createJWT as Zt,validateJWT as Wt}from"oslo/jwt";import{z as ee}from"zod";import{APIError as He}from"better-call";import{APIError as ne}from"better-call";import{z as Ie}from"zod";function Ao(e){try{return JSON.parse(e)}catch{return null}}var Ko=()=>K("/get-session",{method:"GET",query:Ie.optional(Ie.object({disableCookieCache:Ie.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let i=e.getCookie(e.context.authCookies.sessionData.name),o=i?Ao(Buffer.from(i,"base64").toString()):null;if(o&&!await Le.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return V(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=o.session;if(o.expiresAt<Date.now()||c.session.expiresAt<new Date){let u=e.context.authCookies.sessionData.name;e.setCookie(u,"",{maxAge:0})}else return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return V(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r)return e.json(n);let a=e.context.sessionConfig.expiresIn,s=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-a*1e3+s*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:I(e.context.sessionConfig.expiresIn,"sec")});if(!c)return V(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await m(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new ne("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),R=async e=>{if(e.context.session)return e.context.session;let t=await Ko()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},v=U(async e=>{let t=await R(e);if(!t?.session)throw new ne("UNAUTHORIZED");return{session:t}}),Re=U(async e=>{let t=await R(e);if(!t?.session)throw new ne("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let i=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),r=Date.now();if(!(o+i*1e3>r))throw new ne("FORBIDDEN",{message:"Session 
is not fresh"});return{session:t}}),qo=()=>K("/list-sessions",{method:"GET",use:[v],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let i=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(i)}),Mo=K("/revoke-session",{method:"POST",body:Ie.object({token:Ie.string({description:"The token to revoke"})}),use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,i=await e.context.internalAdapter.findSession(t);if(!i)throw new ne("BAD_REQUEST",{message:"Session not found"});if(i.session.userId!==e.context.session.user.id)throw new ne("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new ne("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ho=K("/revoke-sessions",{method:"POST",use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new ne("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Qo=K("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke all other sessions for the user except the current 
one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new ne("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function se(e,t,i){return await Zt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:i},{expiresIn:new $t(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var $o=K("/send-verification-email",{method:"POST",query:ee.object({currentURL:ee.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:ee.object({email:ee.string({description:"The email to send the verification email to"}).email(),callbackURL:ee.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new He("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,i=await e.context.internalAdapter.findUserByEmail(t);if(!i)throw new He("BAD_REQUEST",{message:"User not found"});let o=await 
se(e.context.secret,t),r=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:r,token:o},e.request),e.json({status:!0})}),Zo=K("/verify-email",{method:"GET",query:ee.object({token:ee.string({description:"The token to verify the email"}),callbackURL:ee.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(s){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${s}`):new He("UNAUTHORIZED",{message:s})}let{token:i}=e.query,o;try{o=await Wt("HS256",Buffer.from(e.context.secret),i)}catch(s){return e.context.logger.error("Failed to verify email",s),t("invalid_token")}let n=ee.object({email:ee.string().email(),updateTo:ee.string().optional()}).parse(o.payload),a=await e.context.internalAdapter.findUserByEmail(n.email);if(!a)return t("user_not_found");if(n.updateTo){let s=await R(e);if(!s){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(s.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let A=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:A,url:`${e.context.baseURL}/verify-email?token=${i}`,token:i},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:A,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await R(e)){let A=await 
e.context.internalAdapter.createSession(a.user.id,e.request);if(!A)throw new He("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await m(e,{session:A,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});import{APIError as Ue,createRouter as fA,getCookie as ir,getSignedCookie as tr,setCookie as rr,setSignedCookie as nr}from"better-call";import{APIError as Gt}from"better-call";var Jt=U(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:i,context:o}=e,r=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||i?.callbackURL,a=t?.redirectTo,s=i?.currentURL,A=o.trustedOrigins,d=e.headers?.has("cookie"),c=(u,p)=>p.includes("*")?new RegExp("^"+p.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(u):u.startsWith(p),l=(u,p)=>{if(!u)return;if(!A.some(k=>c(u,k)||u?.startsWith("/")&&p!=="origin"&&!u.includes(":")))throw e.context.logger.error(`Invalid ${p}: ${u}`),e.context.logger.info(`If it's a valid URL, please add ${u} to trustedOrigins in your auth config
|
|
2
|
-
`,`Current list of trustedOrigins: ${
|
|
1
|
+
import{APIError as xi}from"better-call";import{z as De}from"zod";import{createEndpointCreator as ct,createMiddleware as ko,createMiddlewareCreator as Kt}from"better-call";var To=ko(async()=>({})),U=Kt({use:[To,ko(async()=>({}))]}),c=ct({use:[To]});import{APIError as q}from"better-call";import{z as x}from"zod";import{TimeSpan as fn}from"oslo";import{base64url as ft}from"oslo/encoding";import{HMAC as Oo,sha256 as dn}from"oslo/crypto";async function ut({value:e,secret:t}){return new Oo("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function lt({value:e,signature:t,secret:i}){return new Oo("SHA-256").verify(new TextEncoder().encode(i),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Ve={sign:ut,verify:lt};var W=class extends Error{constructor(t,i){super(t),this.name="BetterAuthError",this.message=t,this.cause=i,this.stack=""}};var I=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var qe=Object.create(null),Te=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?qe:globalThis),Y=new Proxy(qe,{get(e,t){return Te()[t]??qe[t]},has(e,t){let i=Te();return t in i||t in qe},set(e,t,i){let o=Te(!0);return o[t]=i,!0},deleteProperty(e,t){if(!t)return!1;let i=Te(!0);return delete i[t],!0},ownKeys(){let e=Te(!0);return Object.keys(e)}});function gt(e){return e?e!=="false":!1}var no=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var Io=no==="dev"||no==="development",mt=no==="test"||gt(Y.TEST);function Me(e){let t=new Map;return e.split(", ").forEach(o=>{let r=o.split(";").map(u=>u.trim()),[n,...a]=r,[s,...d]=n.split("="),A=d.join("=");if(!s||A===void 0){console.warn(`Malformed cookie: ${o}`);return}let K={value:A};a.forEach(u=>{let[p,...l]=u.split("="),h=l.join("="),k=p.trim().toLowerCase();switch(k){case"max-age":K["max-age"]=h?parseInt(h.trim(),10):void 0;break;case"expires":K.expires=h?new Date(h.trim()):void 0;break;case"domain":K.domain=h?h.trim():void 
0;break;case"path":K.path=h?h.trim():void 0;break;case"secure":K.secure=!0;break;case"httponly":K.httponly=!0;break;case"samesite":K.samesite=h?h.trim().toLowerCase():void 0;break;default:K[k]=h?h.trim():!0;break}}),t.set(s,K)}),t}async function m(e,t,i,o){let r=e.context.authCookies.sessionToken.options,n=i?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...r,maxAge:n,...o}),i&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(ft.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:I(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Ve.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function V(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function Oe(e){let t=e.split("; "),i=new Map;return t.forEach(o=>{let[r,n]=o.split("=");i.set(r,n)}),i}import{betterFetch as vt}from"@better-fetch/fetch";import{APIError as kt}from"better-call";import{decodeProtectedHeader as Tt,importJWK as Ot,jwtVerify as It}from"jose";import{parseJWT as Rt}from"oslo/jwt";import{sha256 as ht}from"oslo/crypto";import{base64url as yt}from"oslo/encoding";async function Ro(e){let t=await ht(new TextEncoder().encode(e));return 
yt.encode(new Uint8Array(t),{includePadding:!1})}function Uo(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?I(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function P({id:e,options:t,authorizationEndpoint:i,state:o,codeVerifier:r,scopes:n,claims:a,redirectURI:s}){let d=new URL(i);if(d.searchParams.set("response_type","code"),d.searchParams.set("client_id",t.clientId),d.searchParams.set("state",o),d.searchParams.set("scope",n.join(" ")),d.searchParams.set("redirect_uri",t.redirectURI||s),r){let A=await Ro(r);d.searchParams.set("code_challenge_method","S256"),d.searchParams.set("code_challenge",A)}if(a){let A=a.reduce((K,u)=>(K[u]=null,K),{});d.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...A}}))}return d}import{betterFetch as wt}from"@better-fetch/fetch";async function O({code:e,codeVerifier:t,redirectURI:i,options:o,tokenEndpoint:r,authentication:n}){let a=new URLSearchParams,s={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",i),n==="basic"){let u=btoa(`${o.clientId}:${o.clientSecret}`);s.authorization=`Basic ${u}`}else a.set("client_id",o.clientId),a.set("client_secret",o.clientSecret);let{data:d,error:A}=await wt(r,{method:"POST",body:a,headers:s});if(A)throw A;return Uo(d)}import{generateCodeVerifier as Ct,generateState as bt}from"oslo/oauth2";import{z as Ke}from"zod";import{APIError as Po}from"better-call";function me(e){try{return new URL(e).origin}catch{return null}}async function fe(e,t){let i=e.body?.callbackURL||(e.query?.currentURL?me(e.query?.currentURL):"")||e.context.options.baseURL;if(!i)throw new Po("BAD_REQUEST",{message:"callbackURL is required"});let 
o=Ct(),r=bt(),n=JSON.stringify({callbackURL:i,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:n,identifier:r,expiresAt:a});if(!s)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Po("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function He(e){let t=e.query.state||e.body.state,i=await e.context.internalAdapter.findVerificationValue(t);if(!i)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=Ke.object({callbackURL:Ke.string(),codeVerifier:Ke.string(),errorURL:Ke.string().optional(),expiresAt:Ke.number(),link:Ke.object({email:Ke.string(),userId:Ke.string()}).optional()}).parse(JSON.parse(i.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(i.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(i.id),o}var Eo=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:i,scopes:o,redirectURI:r}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${r||e.redirectURI}&scope=${n.join(" ")}&state=${i}&response_mode=form_post`)},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async 
verifyIdToken(i,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(i,o);let r=Tt(i),{kid:n,alg:a}=r;if(!n||!a)return!1;let s=await Ut(n),{payload:d}=await It(i,s,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(A=>{d[A]!==void 0&&(d[A]=!!d[A])}),o&&d.nonce!==o?!1:!!d},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=Rt(i.idToken)?.payload;if(!o)return null;let r=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:r,emailVerified:!1,email:o.email},data:o}}}},Ut=async e=>{let t="https://appleid.apple.com",i="/auth/keys",{data:o}=await vt(`${t}${i}`);if(!o?.keys)throw new kt("BAD_REQUEST",{message:"Keys not found"});let r=o.keys.find(n=>n.kid===e);if(!r)throw new Error(`JWK with kid ${e} not found`);return await Ot(r,r.alg)};import{betterFetch as Pt}from"@better-fetch/fetch";var So=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["identify","email"];return e.scope&&r.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${r.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Pt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(i.avatar===null){let r=i.discriminator==="0"?Number(BigInt(i.id)>>BigInt(22))%6:parseInt(i.discriminator)%5;i.image_url=`https://cdn.discordapp.com/embed/avatars/${r}.png`}else{let 
r=i.avatar.startsWith("a_")?"gif":"png";i.image_url=`https://cdn.discordapp.com/avatars/${i.id}/${i.avatar}.${r}`}return{user:{id:i.id,name:i.display_name||i.username||"",email:i.email,emailVerified:i.verified,image:i.image_url},data:i}}});import{betterFetch as Et}from"@better-fetch/fetch";var Do=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["email","public_profile"];return e.scope&&r.push(...e.scope),await P({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:r,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Et("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:i.id,name:i.name,email:i.email,image:i.picture.data.url,emailVerified:i.email_verified},data:i}}});import{betterFetch as xo}from"@better-fetch/fetch";var jo=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:i,scopes:o,codeVerifier:r,redirectURI:n}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),P({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:i,redirectURI:n})},validateAuthorizationCode:async({code:i,redirectURI:o})=>O({code:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await xo("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${i.accessToken}`}});if(r)return null;let n=!1;if(!o.email){let{data:a,error:s}=await xo("https://api.github.com/user/emails",{headers:{authorization:`Bearer 
${i.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(d=>d.primary)??a[0])?.email,n=a.find(d=>d.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n},data:o}}}};import{parseJWT as jt}from"oslo/jwt";import{createConsola as St}from"consola";var so=["info","success","warn","error","debug"];function Dt(e,t){return so.indexOf(t)<=so.indexOf(e)}var xt=St({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Bo=e=>{let t=e?.disabled!==!0,i=e?.level??"error",o=(r,n,a=[])=>{if(!(!t||!Dt(i,r))){if(!e||typeof e.log!="function"){xt[r]("",n,...a);return}e.log(r==="success"?"info":r,n,a)}};return Object.fromEntries(so.map(r=>[r,(...[n,...a])=>o(r,n,a)]))},$=Bo();import{betterFetch as Bt}from"@better-fetch/fetch";var zo=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){if(!e.clientId||!e.clientSecret)throw $.error("Client Id and Client Secret is required for Google. 
Make sure to provide them in the options."),new W("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new W("codeVerifier is required for Google");let n=i||["email","profile","openid"];e.scope&&n.push(...e.scope);let a=await P({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:r});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,i){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,i);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:r}=await Bt(o);return r?r.aud===e.clientId&&r.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let i=jt(t.idToken)?.payload;return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:i.email_verified},data:i}}});import{betterFetch as zt}from"@better-fetch/fetch";import{parseJWT as Nt}from"oslo/jwt";var No=e=>{let t=e.tenantId||"common",i=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(r){let n=r.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),P({id:"microsoft",options:e,authorizationEndpoint:i,state:r.state,codeVerifier:r.codeVerifier,scopes:n,redirectURI:r.redirectURI})},validateAuthorizationCode({code:r,codeVerifier:n,redirectURI:a}){return O({code:r,codeVerifier:n,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let 
n=Nt(r.idToken)?.payload,a=e.profilePhotoSize||48;return await zt(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${r.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let A=await s.response.clone().arrayBuffer(),K=Buffer.from(A).toString("base64");n.picture=`data:image/jpeg;base64, ${K}`}catch(d){$.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}}),{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0},data:n}}}};import{betterFetch as Lt}from"@better-fetch/fetch";var Lo=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){let n=i||["user-read-email"];return e.scope&&n.push(...e.scope),P({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:r})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Lt("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.id,name:i.display_name,email:i.email,image:i.images[0]?.url,emailVerified:!1},data:i}}});var he={isAction:!1};import{nanoid as _t}from"nanoid";var L=e=>_t(e);import{parseJWT as Ft}from"oslo/jwt";var _o=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["user:read:email","openid"];return 
e.scope&&r.push(...e.scope),P({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:r,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let i=t.idToken;if(!i)return $.error("No idToken found in token"),null;let o=Ft(i)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});import{betterFetch as Vt}from"@better-fetch/fetch";var Fo=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let i=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&i.push(...e.scope),P({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:i,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await Vt("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.data.id,name:i.data.name,email:i.data.email||null,image:i.data.profile_image_url,emailVerified:i.data.verified||!1},data:i}}});import{betterFetch as qt}from"@better-fetch/fetch";var Vo=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:i,scopes:o,codeVerifier:r,redirectURI:n})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await 
P({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:i,redirectURI:n,codeVerifier:r})},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>await O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await qt("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${i.accessToken}`}});return r?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};import{betterFetch as Mt}from"@better-fetch/fetch";var qo=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",i="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:r,redirectURI:n})=>{let a=r||["profile","email","openid"];return e.scope&&a.push(...e.scope),await P({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:r})=>await O({code:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async getUserInfo(o){let{data:r,error:n}=await Mt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return n?null:{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified||!1,image:r.picture},data:r}}}};import{betterFetch as Ht}from"@better-fetch/fetch";var ao=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Qt=e=>{let 
t=e||"https://gitlab.com";return{authorizationEndpoint:ao(`${t}/oauth/authorize`),tokenEndpoint:ao(`${t}/oauth/token`),userinfoEndpoint:ao(`${t}/api/v4/user`)}},Mo=e=>{let{authorizationEndpoint:t,tokenEndpoint:i,userinfoEndpoint:o}=Qt(e.issuer),r="gitlab";return{id:r,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:d,redirectURI:A})=>{let K=s||["read_user"];return e.scope&&K.push(...e.scope),await P({id:r,options:e,authorizationEndpoint:t,scopes:K,state:a,redirectURI:A,codeVerifier:d})},validateAuthorizationCode:async({code:a,redirectURI:s,codeVerifier:d})=>O({code:a,redirectURI:e.redirectURI||s,options:e,codeVerifier:d,tokenEndpoint:i}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:s,error:d}=await Ht(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return d||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var $t={apple:Eo,discord:So,facebook:Do,github:jo,microsoft:No,google:zo,spotify:Lo,twitch:_o,twitter:Fo,dropbox:Vo,linkedin:qo,gitlab:Mo},Qe=Object.keys($t);import{TimeSpan as Zt}from"oslo";import{createJWT as Gt,validateJWT as Wt}from"oslo/jwt";import{z as ee}from"zod";import{APIError as Ue}from"better-call";import{APIError as ne}from"better-call";import{z as Ie}from"zod";function Ao(e){try{return JSON.parse(e)}catch{return null}}var co=()=>c("/get-session",{method:"GET",query:Ie.optional(Ie.object({disableCookieCache:Ie.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let i=e.getCookie(e.context.authCookies.sessionData.name),o=i?Ao(Buffer.from(i,"base64").toString()):null;if(o&&!await Ve.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return V(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let K=o.session;if(o.expiresAt<Date.now()||K.session.expiresAt<new Date){let p=e.context.authCookies.sessionData.name;e.setCookie(p,"",{maxAge:0})}else return e.json(K)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return V(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r)return e.json(n);let a=e.context.sessionConfig.expiresIn,s=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-a*1e3+s*1e3<=Date.now()){let K=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:I(e.context.sessionConfig.expiresIn,"sec")});if(!K)return V(e),e.json(null,{status:401});let u=(K.expiresAt.valueOf()-Date.now())/1e3;return await m(e,{session:K,user:n.user},!1,{maxAge:u}),e.json({session:K,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new ne("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),R=async e=>{if(e.context.session)return e.context.session;let t=await co()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},v=U(async e=>{let t=await R(e);if(!t?.session)throw new ne("UNAUTHORIZED");return{session:t}}),Re=U(async e=>{let t=await R(e);if(!t?.session)throw new ne("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let i=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),r=Date.now();if(!(o+i*1e3>r))throw new ne("FORBIDDEN",{message:"Session 
is not fresh"});return{session:t}}),Ho=()=>c("/list-sessions",{method:"GET",use:[v],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let i=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(i)}),Qo=c("/revoke-session",{method:"POST",body:Ie.object({token:Ie.string({description:"The token to revoke"})}),use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,i=await e.context.internalAdapter.findSession(t);if(!i)throw new ne("BAD_REQUEST",{message:"Session not found"});if(i.session.userId!==e.context.session.user.id)throw new ne("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new ne("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),$o=c("/revoke-sessions",{method:"POST",use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new ne("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Zo=c("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke all other sessions for the user except the current 
one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new ne("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function se(e,t,i){return await Gt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:i},{expiresIn:new Zt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Ko(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Ue("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await se(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:i},e.request)}var Go=c("/send-verification-email",{method:"POST",query:ee.object({currentURL:ee.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:ee.object({email:ee.string({description:"The email to send the verification email to"}).email(),callbackURL:ee.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification 
callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Ue("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,i=await e.context.internalAdapter.findUserByEmail(t);if(!i)throw new Ue("BAD_REQUEST",{message:"User not found"});return await Ko(e,i.user),e.json({status:!0})}),Wo=c("/verify-email",{method:"GET",query:ee.object({token:ee.string({description:"The token to verify the email"}),callbackURL:ee.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(s){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${s}`):new Ue("UNAUTHORIZED",{message:s})}let{token:i}=e.query,o;try{o=await Wt("HS256",Buffer.from(e.context.secret),i)}catch(s){return e.context.logger.error("Failed to verify email",s),t("invalid_token")}let n=ee.object({email:ee.string().email(),updateTo:ee.string().optional()}).parse(o.payload),a=await e.context.internalAdapter.findUserByEmail(n.email);if(!a)return t("user_not_found");if(n.updateTo){let s=await R(e);if(!s){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(s.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let d=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await 
e.context.options.emailVerification?.sendVerificationEmail?.({user:d,url:`${e.context.baseURL}/verify-email?token=${i}`,token:i},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:d,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await R(e)){let d=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!d)throw new Ue("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await m(e,{session:d,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});import{APIError as Pe,createRouter as hd,getCookie as tr,getSignedCookie as rr,setCookie as nr,setSignedCookie as sr}from"better-call";import{APIError as Jt}from"better-call";var Xt=U(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:i,context:o}=e,r=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||i?.callbackURL,a=t?.redirectTo,s=i?.currentURL,d=o.trustedOrigins,A=e.headers?.has("cookie"),K=(p,l)=>l.includes("*")?new RegExp("^"+l.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(p):p.startsWith(l),u=(p,l)=>{if(!p)return;if(!d.some(k=>K(p,k)||p?.startsWith("/")&&l!=="origin"&&!p.includes(":")))throw e.context.logger.error(`Invalid ${l}: ${p}`),e.context.logger.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
|
|
2
|
+
`,`Current list of trustedOrigins: ${d}`),new Jt("FORBIDDEN",{message:`Invalid ${l}`})};A&&!e.context.options.advanced?.disableCSRFCheck&&u(r,"origin"),n&&u(n,"callbackURL"),a&&u(a,"redirectURL"),s&&u(s,"currentURL")});var Jo=c("/ok",{method:"GET",metadata:{...he,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));import{z as ye}from"zod";import{APIError as ae}from"better-call";import{z as w}from"zod";var $a=w.object({id:w.string(),providerId:w.string(),accountId:w.string(),userId:w.string(),accessToken:w.string().nullish(),refreshToken:w.string().nullish(),idToken:w.string().nullish(),accessTokenExpiresAt:w.date().nullish(),refreshTokenExpiresAt:w.date().nullish(),scope:w.string().nullish(),password:w.string().nullish(),createdAt:w.date().default(()=>new Date),updatedAt:w.date().default(()=>new Date)}),Za=w.object({id:w.string(),email:w.string().transform(e=>e.toLowerCase()),emailVerified:w.boolean().default(!1),name:w.string(),image:w.string().nullish(),createdAt:w.date().default(()=>new Date),updatedAt:w.date().default(()=>new Date)}),Ga=w.object({id:w.string(),userId:w.string(),expiresAt:w.date(),createdAt:w.date().default(()=>new Date),updatedAt:w.date().default(()=>new Date),token:w.string(),ipAddress:w.string().nullish(),userAgent:w.string().nullish()}),Wa=w.object({id:w.string(),value:w.string(),createdAt:w.date().default(()=>new Date),updatedAt:w.date().default(()=>new Date),expiresAt:w.date(),identifier:w.string()});function Yt(e,t){let i={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[t]&&(i={...i,...o.schema[t].fields});return i}function er(e,t){let i=t.action||"create",o=t.fields,r={};for(let n in o){if(n in 
e){if(o[n].input===!1){if(o[n].defaultValue){r[n]=o[n].defaultValue;continue}continue}r[n]=e[n];continue}if(o[n].defaultValue&&i==="create"){r[n]=o[n].defaultValue;continue}}return r}function $e(e,t,i){let o=Yt(e,"user");return er(t||{},{fields:o,action:i})}function J(e,t){if(!t)return e;for(let i in t){let o=t[i]?.modelName;o&&(e[i].modelName=o);for(let r in e[i].fields){let n=t[i]?.fields?.[r];n&&(e[i].fields[r].fieldName=n)}}return e}var Xo=()=>c("/sign-up/email",{method:"POST",query:ye.object({currentURL:ye.string().optional()}).optional(),body:ye.record(ye.string(),ye.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},session:{type:"object"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new ae("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let t=e.body,{name:i,email:o,password:r,image:n,callbackURL:a,...s}=t;if(!ye.string().email().safeParse(o).success)throw new ae("BAD_REQUEST",{message:"Invalid email"});let A=e.context.password.config.minPasswordLength;if(r.length<A)throw e.context.logger.error("Password is too short"),new ae("BAD_REQUEST",{message:"Password is too short"});let K=e.context.password.config.maxPasswordLength;if(r.length>K)throw e.context.logger.error("Password is too long"),new ae("BAD_REQUEST",{message:"Password is too long"});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new 
ae("UNPROCESSABLE_ENTITY",{message:"User with this email already exists"});let p=$e(e.context.options,s),l;try{if(l=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:i,image:n,...p,emailVerified:!1}),!l)throw new ae("BAD_REQUEST",{message:"Failed to create user"})}catch(f){throw e.context.logger.error("Failed to create user",f),new ae("UNPROCESSABLE_ENTITY",{message:"Failed to create user",details:f})}if(!l)throw new ae("UNPROCESSABLE_ENTITY",{message:"Failed to create user"});let h=await e.context.password.hash(r);if(await e.context.internalAdapter.linkAccount({userId:l.id,providerId:"credential",accountId:l.id,password:h}),e.context.options.emailVerification?.sendOnSignUp){let f=await se(e.context.secret,l.email),g=`${e.context.baseURL}/verify-email?token=${f}&callbackURL=${t.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:l,url:g,token:f},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({user:l,session:null});let k=await e.context.internalAdapter.createSession(l.id,e.request);if(!k)throw new ae("BAD_REQUEST",{message:"Failed to create session"});return await m(e,{session:k,user:l}),e.json({user:l,session:k})});var or=(e="Unknown")=>`<!DOCTYPE html>
|
|
3
3
|
<html lang="en">
|
|
4
4
|
<head>
|
|
5
5
|
<meta charset="UTF-8">
|
|
@@ -79,8 +79,8 @@ import{APIError as Si}from"better-call";import{z as Se}from"zod";import{createEn
|
|
|
79
79
|
<div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
|
|
80
80
|
</div>
|
|
81
81
|
</body>
|
|
82
|
-
</html>`,
|
|
83
|
-
Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(A=>A.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return To&&$.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(c){return $.error("Unable to link account",c),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(A=>A?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let A=await se(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:A},e.request)}}catch(s){return $.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create 
user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var Xo=K("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(Me,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Invalid id token"});let A=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!A||!A?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Failed to get user info"});if(!A.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"User email not found"});let d=await we(e,{userInfo:{email:A.user.email,id:A.user.id,name:A.user.name||"",image:A.user.image,emailVerified:A.user.emailVerified||!1},account:{providerId:t.id,accountId:A.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new q("UNAUTHORIZED",{message:d.error});return await m(e,d.data),e.json({session:d.data.session,user:d.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await fe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),Yo=K("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. 
Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new q("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.string().email().safeParse(t).success)throw new q("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new q("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new q("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new q("UNAUTHORIZED",{message:"Email is not verified."});let d=await se(e.context.secret,r.user.email),c=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await 
e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:c,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new q("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let A=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!A)throw e.context.logger.error("Failed to create session"),new q("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:A,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:A,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Ee}from"zod";var $e=Ee.object({code:Ee.string().optional(),error:Ee.string().optional(),errorMessage:Ee.string().optional(),state:Ee.string().optional()}),ei=K("/callback/:id",{method:["GET","POST"],body:$e.optional(),query:$e.optional(),metadata:he},async e=>{let t;try{if(e.method==="GET")t=$e.parse(e.query);else if(e.method==="POST")t=$e.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:A,errorURL:d}=await qe(e),c;try{c=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let l=await 
n.getUserInfo(c).then(g=>g?.user);function u(g){let C=d||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!l)return e.context.logger.error("Unable to get user info"),u("unable_to_get_user_info");if(!l.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),u("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(A){if(A.email!==l.email.toLowerCase())return u("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:A.userId,providerId:n.id,accountId:l.id}))return u("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let p=await we(e,{userInfo:{id:l.id,email:l.email,name:l.name||"",image:l.image,emailVerified:l.emailVerified||!1},account:{providerId:n.id,accountId:l.id,...c,scope:c.scopes?.join(",")},callbackURL:s});if(p.error)return e.context.logger.error(p.error.split(" ").join("_")),u(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});import"zod";import{APIError as sr}from"better-call";var oi=K("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw V(e),new sr("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),V(e),e.json({success:!0})});import{z as X}from"zod";import{APIError as uo}from"better-call";function ui(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return 
i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function ar(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var ii=K("/forget-password",{method:"POST",body:X.object({email:X.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:X.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new uo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=_(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),ti=K("/reset-password/:token",{method:"GET",query:X.object({callbackURL:X.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with 
the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(ui(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(ui(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(ar(e.context,i,{token:t}))}),ri=K("/reset-password",{query:X.optional(X.object({token:X.string().optional(),currentURL:X.string().optional()})),method:"POST",body:X.object({newPassword:X.string({description:"The new password to set"}),token:X.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new uo("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new uo("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});import{z as L}from"zod";import{APIError as Z}from"better-call";var ni=()=>K("/update-user",{method:"POST",body:L.record(L.string(),L.any()),use:[v],metadata:{openapi:{description:"Update the current 
user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=Qe(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),si=K("/change-password",{method:"POST",body:L.object({newPassword:L.string({description:"The new password to set"}),currentPassword:L.string({description:"The current password"}),revokeOtherSessions:L.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let A=(await e.context.internalAdapter.findAccounts(r.user.id)).find(l=>l.providerId==="credential"&&l.password);if(!A||!A.password)throw new Z("BAD_REQUEST",{message:"User does not have a password"});let d=await e.context.password.hash(t);if(!await e.context.password.verify(A.password,i))throw new 
Z("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(A.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let l=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!l)throw new Z("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:l,user:r.user})}return e.json(r.user)}),ai=K("/set-password",{method:"POST",body:L.object({newPassword:L.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(A=>A.providerId==="credential"&&A.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z("BAD_REQUEST",{message:"user already has a password"})}),Ai=K("/delete-user",{method:"POST",body:L.object({password:L.string({description:"The password of the user"})}),use:[Re],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),V(e),e.json(null)}),di=K("/change-email",{method:"POST",query:L.object({currentURL:L.string().optional()}).optional(),body:L.object({newEmail:L.string({description:"The new email to set"}).email(),callbackURL:L.string({description:"The URL to redirect to after email 
verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await se(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});import{z as Pe}from"zod";import{APIError as li}from"better-call";var Ki=K("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return 
e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),ci=K("/link-social",{method:"POST",requireHeaders:!0,query:Pe.object({currentURL:Pe.string().optional()}).optional(),body:Pe.object({callbackURL:Pe.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Pe.enum(Me,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new li("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new li("NOT_FOUND",{message:"Provider not found"});let n=await fe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var pi=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function Ze(e){let t=e;return{newRole(i){return Ar(i)}}}function Ar(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var 
dr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},lo=Ze(dr),Kr=lo.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),cr=lo.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),ur=lo.newRole({organization:[],member:[],invitation:[]}),gi={admin:Kr,owner:cr,member:ur};var z=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await 
i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(l=>l.userId),A=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),d=new Map(A.map(l=>[l.id,l])),c=a.map(l=>{let u=d.get(l.userId);if(!u)throw new G("Unexpected error: User not found for member");return{...l,user:{id:u.id,name:u.name,email:u.email,image:u.image}}});return{...r,invitations:n,members:c}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await 
i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var j=U(async e=>({})),F=U({use:[v]},async e=>({session:e.context.session}));import{z as W}from"zod";import{z as P}from"zod";var mi=P.string(),lr=P.enum(["pending","accepted","rejected","canceled"]).default("pending"),iK=P.object({id:P.string().default(_),name:P.string(),slug:P.string(),logo:P.string().nullish(),metadata:P.record(P.string()).or(P.string().transform(e=>JSON.parse(e))).nullish(),createdAt:P.date()}),tK=P.object({id:P.string().default(_),organizationId:P.string(),userId:P.string(),role:mi,createdAt:P.date()}),rK=P.object({id:P.string().default(_),organizationId:P.string(),email:P.string(),role:mi,status:lr,inviterId:P.string(),expiresAt:P.date()});import{APIError as B}from"better-call";var fi=e=>K("/organization/invite-member",{method:"POST",use:[j,F],body:W.object({email:W.string({description:"The email address of the user to invite"}),role:W.string({description:"The role to assign to the user"}),organizationId:W.string({description:"The organization ID to invite the user to"}).optional(),resend:W.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an 
organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new B("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new B("BAD_REQUEST",{message:"Organization not found"});let r=z(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new B("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new B("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new B("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new B("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),l=await r.findOrganizationById(o);if(!l)throw new B("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:i.user}},t.request),t.json(c)}),hi=K("/organization/accept-invitation",{method:"POST",body:W.object({invitationId:W.string({description:"The ID of the invitation to 
accept"})}),use:[j,F],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=z(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),yi=K("/organization/reject-invitation",{method:"POST",body:W.object({invitationId:W.string({description:"The ID of the invitation to reject"})}),use:[j,F],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=z(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),wi=K("/organization/cancel-invitation",{method:"POST",body:W.object({invitationId:W.string({description:"The ID of the invitation to cancel"})}),use:[j,F],openapi:{description:"Cancel an 
invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=z(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new B("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new B("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Ci=K("/organization/get-invitation",{method:"GET",use:[j],requireHeaders:!0,query:W.object({id:W.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await R(e);if(!t)throw new B("UNAUTHORIZED",{message:"Not authenticated"});let i=z(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new B("BAD_REQUEST",{message:"Organization not found"});let n=await 
i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new B("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as oe}from"zod";import{APIError as le}from"better-call";var bi=()=>K("/organization/add-member",{method:"POST",body:oe.object({userId:oe.string(),role:oe.string(),organizationId:oe.string().optional()}),use:[j],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await R(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=z(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new le("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new le("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:_(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),vi=K("/organization/remove-member",{method:"POST",body:oe.object({memberIdOrEmail:oe.string({description:"The ID or email of the member to remove"}),organizationId:oe.string({description:"The ID of the organization to remove the member from. 
If not provided, the active organization will be used"}).optional()}),use:[j,F],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=z(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new le("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new le("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new le("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new le("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let d=null;if(e.body.memberIdOrEmail.includes("@")?d=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):d=await o.findMemberById(e.body.memberIdOrEmail),d?.organizationId!==i)throw new le("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(d.id),t.user.id===d.userId&&t.session.activeOrganizationId===d.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:d})}),ki=e=>K("/organization/update-member-role",{method:"POST",body:oe.object({role:oe.string(),memberId:oe.string(),organizationId:oe.string().optional()}),use:[j,F],metadata:{openapi:{description:"Update the role of a member in an 
organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=z(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let A=await r.updateMember(t.body.memberId,t.body.role);return A?t.json(A):t.json(null,{status:400,body:{message:"Member not found!"}})}),Ti=K("/organization/get-active-member",{method:"GET",use:[j,F],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await z(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});import{z as S}from"zod";import{APIError as pe}from"better-call";var Oi=K("/organization/create",{method:"POST",body:S.object({name:S.string({description:"The name of the 
organization"}),slug:S.string({description:"The slug of the organization"}),userId:S.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.string({description:"The logo of the organization"}).optional(),metadata:S.record(S.string(),S.any(),{description:"The metadata of the organization"}).optional()}),use:[j,F],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new pe("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=z(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new pe("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new pe("BAD_REQUEST",{message:"Organization with this slug already exists"});let A=await r.createOrganization({organization:{id:_(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,A.id),e.json(A)}),Ii=K("/organization/update",{method:"POST",body:S.object({data:S.object({name:S.string({description:"The name of the organization"}).optional(),slug:S.string({description:"The slug of the organization"}).optional(),logo:S.string({description:"The logo of the 
organization"}).optional()}).partial(),organizationId:S.string().optional()}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new pe("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=z(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),Ri=K("/organization/delete",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=z(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not 
found!"}});if(n.authorize({organization:["delete"]}).error)throw new pe("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),Ui=K("/organization/get-full-organization",{method:"GET",query:S.optional(S.object({organizationId:S.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[j,F],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await z(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new pe("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Ei=K("/organization/set-active",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to set as active. 
Can be null to unset the active organization"}).nullable().optional()}),use:[F,j],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=z(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let A=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:A,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new pe("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Pi=K("/organization/list",{method:"GET",use:[j,F],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await z(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var pr=Ze({name:["action"]}),FK=pr.newRole({name:["action"]}),VK=e=>{let t={createOrganization:Oi,updateOrganization:Ii,deleteOrganization:Ri,setActiveOrganization:Ei,getFullOrganization:Ui,listOrganizations:Pi,createInvitation:fi(e),cancelInvitation:wi,acceptInvitation:hi,getInvitation:Ci,rejectInvitation:yi,addMember:bi(),removeMember:vi,updateMemberRole:ki(e),getActiveMember:Ti},i={...gi,...e?.roles};return{id:"organization",endpoints:{...pi(t,{orgOptions:e||{},roles:i,getSession:async r=>await 
R(r)}),hasPermission:K("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Se.object({permission:Se.record(Se.string(),Se.array(Se.string()))}),use:[F],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new Si("BAD_REQUEST",{message:"No active organization"});let a=await z(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new Si("UNAUTHORIZED",{message:"You are not a member of this organization"});let A=i[a.role].authorize(r.body.permission);return A.error?r.json({error:A.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"u
ser",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};import Di from"uncrypto";function gr(e){return e.toString(2).padStart(8,"0")}function mr(e){return[...e].map(t=>gr(t)).join("")}function xi(e){return parseInt(mr(e),2)}function fr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));Di.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=xi(o);for(;r>=e;)Di.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=xi(o);return r}function M(e,t){let i="";for(let o=0;o<e;o++)i+=t[fr(t.length)];return i}function H(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}import{z as Ye}from"zod";import{xchacha20poly1305 as Bi}from"@noble/ciphers/chacha";import{bytesToHex as hr,hexToBytes as yr,utf8ToBytes as wr}from"@noble/ciphers/utils";import{managedNonce as ji}from"@noble/ciphers/webcrypto";import{sha256 as Ni}from"oslo/crypto";import zi 
from"uncrypto";import{decodeHex as WK,encodeHex as GK}from"oslo/encoding";import{scryptAsync as YK}from"@noble/hashes/scrypt";import{getRandomValues as oc}from"uncrypto";async function De(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zi.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zi.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var Ae=async({key:e,data:t})=>{let i=await Ni(new TextEncoder().encode(e)),o=wr(t),r=ji(Bi)(new Uint8Array(i));return hr(r.encrypt(o))},ue=async({key:e,data:t})=>{let i=await Ni(new TextEncoder().encode(e)),o=yr(t),r=ji(Bi)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};import{z as de}from"zod";import{APIError as xe}from"better-call";var We="two_factor";var Ge="trust_device";import{z as _i}from"zod";var ge=U({body:_i.object({trustDevice:_i.boolean().optional()})},async e=>{let t=await R(e);if(!t){let i=e.context.createAuthCookie(We),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new xe("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new xe("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new xe("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(Ge,{maxAge:2592e3}),s=await De(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new xe("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new xe("UNAUTHORIZED",{message:"invalid two factor 
authentication"})},session:t}});import{APIError as ze}from"better-call";function Cr(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>M(e?.length??10,H("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function po(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Cr(),r=await Ae({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function br(e,t){let i=await Li(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Li(e,t){let i=Buffer.from(await ue({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=de.array(de.string()).safeParse(o);return r.success?r.data:null}var Fi=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:K("/two-factor/verify-backup-code",{method:"POST",body:de.object({code:de.string(),disableSession:de.boolean().optional()}),use:[ge]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new ze("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await br({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new ze("UNAUTHORIZED",{message:"Invalid backup code"});let a=await Ae({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:K("/two-factor/generate-backup-codes",{method:"POST",body:de.object({password:de.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new ze("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await po(i.context.secret,e);return await 
i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:K("/two-factor/view-backup-codes",{method:"GET",body:de.object({userId:de.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new ze("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Li(o.backupCodes,i.context.secret);if(!r)throw new ze("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});import{APIError as Je}from"better-call";import{TOTPController as vr}from"oslo/otp";import{z as Vi}from"zod";import{TimeSpan as kr}from"oslo";var qi=(e,t)=>{let i={...e,period:new kr(e?.period||3,"m")},o=new vr({digits:6,period:i.period}),r=K("/two-factor/send-otp",{method:"POST",use:[ge]},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. 
Please configure the send otp function on otp options."),new Je("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Je("BAD_REQUEST",{message:"OTP isn't enabled"});let d=await o.generate(Buffer.from(A.secret));return await e.sendOTP({user:s,otp:d},a.request),a.json({status:!0})}),n=K("/two-factor/verify-otp",{method:"POST",body:Vi.object({code:Vi.string()}),use:[ge]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Je("BAD_REQUEST",{message:"two factor isn't enabled"});let A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Je("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(A.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};import{APIError as Ce}from"better-call";import{TimeSpan as Tr}from"oslo";import{TOTPController as Mi,createTOTPKeyURI as Or}from"oslo/otp";import{z as Xe}from"zod";var Hi=(e,t)=>{let i={...e,digits:6,period:new Tr(e?.period||30,"s")},o=K("/totp/generate",{method:"POST",use:[v]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Mi(i).generate(Buffer.from(A.secret))}}),r=K("/two-factor/get-totp-uri",{method:"POST",use:[v],body:Xe.object({password:Xe.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A||!s.twoFactorEnabled)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:Or(e.issuer||a.context.appName,s.email,Buffer.from(A.secret),i)}}),n=K("/two-factor/verify-totp",{method:"POST",body:Xe.object({code:Xe.string()}),use:[ge]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});let d=new Mi(i),c=await ue({key:a.context.secret,data:A.secret}),l=Buffer.from(c);if(!await d.verify(a.body.code,l))return a.context.invalid();if(!s.twoFactorEnabled){let p=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:p})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as Wc}from"better-call";async function go(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}import{APIError as $i}from"better-call";import{createTOTPKeyURI as Rr}from"oslo/otp";import{TimeSpan as Ur}from"oslo";import{APIError as Ir}from"better-call";var be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t 
instanceof Ir?null:t:null};var Qi={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var eu=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var yu=e=>{let t={twoFactorTable:"twoFactor"},i=Hi({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=Fi({...e?.backupCodeOptions},t.twoFactorTable),r=qi({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:K("/two-factor/enable",{method:"POST",body:Ye.object({password:Ye.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await go(n,{password:s,userId:a.id}))throw new $i("BAD_REQUEST",{message:"Invalid password"});let d=M(16,H("a-z","0-9","-")),c=await Ae({key:n.context.secret,data:d}),l=await po(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let p=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(p.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:c,backupCodes:l.encryptedBackupCodes,userId:a.id}});let 
u=Rr(e?.issuer||"BetterAuth",a.email,Buffer.from(d),{digits:e?.totpOptions?.digits||6,period:new Ur(e?.totpOptions?.period||30,"s")});return n.json({totpURI:u,backupCodes:l.backupCodes})}),disableTwoFactor:K("/two-factor/disable",{method:"POST",body:Ye.object({password:Ye.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await go(n,{password:s,userId:a.id}))throw new $i("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let d=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:d,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:U(async n=>{let a=await be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(Ge),A=await n.getSignedCookie(s.name,n.context.secret);if(A){let[c,l]=A.split("!"),u=await De(n.context.secret,`${a.user.id}!${l}`);if(c===u){let p=await De(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${p}!${a.session.token}`,n.context.secret,s.attributes);return}}V(n),await n.context.internalAdapter.deleteSession(a.session.token);let d=n.context.createAuthCookie(We,{maxAge:60*10});return await n.setSignedCookie(d.name,a.user.id,n.context.secret,d.attributes),n.json({twoFactorRedirect:!0})})}]},schema:J(Qi,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as jr,generateRegistrationOptions as Nr,verifyAuthenticationResponse as _r,verifyRegistrationResponse as Lr}from"@simplewebauthn/server";import{APIError as ie}from"better-call";import{z as Ke}from"zod";import{WebAuthnError as Sr,startAuthentication 
as Dr,startRegistration as xr}from"@simplewebauthn/browser";import{createFetch as ju}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Uu}from"nanostores";import"@better-fetch/fetch";import{atom as Er,onMount as Pr}from"nanostores";var mo=(e,t,i,o)=>{let r=Er({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async onSuccess(A){r.set({data:A.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(A)},async onError(A){r.set({error:A.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(A)},async onRequest(A){let d=r.get();r.set({isPending:d.data===null,data:d.data,error:null,isRefetching:!0}),await s?.onRequest?.(A)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():Pr(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};import{atom as zr}from"nanostores";var Br=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await Dr(a.data,r?.autoFill||!1),A=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!A.data)return A}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await xr(a.data),A=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!A.data)return A;t.set(Math.random())}catch(s){return s instanceof Sr?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration 
cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),rl=()=>{let e=zr();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Br(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:mo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var hl=e=>{let t=Y.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:K("/passkey/generate-register-options",{method:"GET",use:[Re],metadata:{client:!1}},async s=>{let A=s.context.session,d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}),c=new Uint8Array(Buffer.from(M(32,H("a-z","0-9")))),l;l=await Nr({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:c,userName:A.user.email||A.user.id,attestationType:"none",excludeCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let u=_(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify({expectedChallenge:l.challenge,userData:{id:A.user.id}}),expiresAt:r}),s.json(l,{status:200})}),generatePasskeyAuthenticationOptions:K("/passkey/generate-authenticate-options",{method:"POST",body:Ke.object({email:Ke.string().optional()}).optional()},async s=>{let A=await R(s),d=[];A&&(d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}));let c=await jr({rpID:o.rpID,userVerification:"preferred",...d.length?{allowCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")}))}:{}}),l={expectedChallenge:c.challenge,userData:{id:A?.user.id||""}},u=_(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify(l),expiresAt:r}),s.json(c,{status:200})}),verifyPasskeyRegistration:K("/passkey/verify-registration",{method:"POST",body:Ke.object({response:Ke.any(),name:Ke.string().optional()}),use:[Re]},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)return s.json(null,{status:400});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)return s.json(null,{status:400});let{expectedChallenge:u,userData:p}=JSON.parse(l.value);if(p.id!==s.context.session.user.id)throw new ie("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await Lr({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return 
s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:_e}=f,st=Buffer.from(C).toString("base64"),at={name:s.body.name,userId:p.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:st,counter:T,deviceType:N,transports:d.response.transports.join(","),backedUp:_e,createdAt:new Date},At=await s.context.adapter.create({model:"passkey",data:at});return s.json(At,{status:200})}catch(h){throw console.log(h),new ie("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:K("/passkey/verify-authentication",{method:"POST",body:Ke.object({response:Ke.any()})},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)throw new ie("BAD_REQUEST",{message:"origin missing"});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:u}=JSON.parse(l.value),p=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:d.id}]});if(!p)throw new ie("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await _r({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:o.rpID,authenticator:{credentialID:p.id,credentialPublicKey:new Uint8Array(Buffer.from(p.publicKey,"base64")),counter:p.counter,transports:p.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:p.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(p.userId,s.request);if(!f)throw new ie("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(p.userId);if(!g)throw new 
ie("INTERNAL_SERVER_ERROR",{message:"User not found"});return await m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:K("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(A,{status:200})}),deletePasskey:K("/passkey/delete-passkey",{method:"POST",body:Ke.object({id:Ke.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:J(Fr,e?.schema)}},Fr={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};import{z as eo}from"zod";import{APIError as oo}from"better-call";var Zi=()=>({id:"username",endpoints:{signInUsername:K("/sign-in/username",{method:"POST",body:eo.object({username:eo.string(),password:eo.string(),rememberMe:eo.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Zi}),new oo("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new oo("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not 
found",{username:Zi}),new oo("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new oo("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});import{serializeSigned as Vr}from"better-call";var Il=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await Vr("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});import{z as ve}from"zod";import{APIError as Wi}from"better-call";var xl=e=>({id:"magic-link",endpoints:{signInMagicLink:K("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ve.object({email:ve.string().email(),callbackURL:ve.string().optional()})},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Wi("BAD_REQUEST",{message:"User not found"});let o=M(32,H("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw 
t.context.logger.error("Failed to send magic link",n),new Wi("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:K("/magic-link/verify",{method:"GET",query:ve.object({token:ve.string(),callbackURL:ve.string().optional()}),requireHeaders:!0},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await t.context.internalAdapter.findUserByEmail(a),A=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(A=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!A)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let d=await t.context.internalAdapter.createSession(A,t.headers);if(!d)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:d,user:s?.user}),!o)return t.json({session:d,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as te}from"zod";import{APIError as Q}from"better-call";function qr(e){return M(e,H("0-9"))}var Ml=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:K("/sign-in/phone-number",{method:"POST",body:te.object({phoneNumber:te.string(),password:te.string(),rememberMe:te.boolean().optional()})},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await 
t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new Q("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await i.context.internalAdapter.findAccountByUserId(n.id)).find(l=>l.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Invalid password or password"});let A=s?.password;if(!A)throw i.context.logger.error("Password not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(A,o))throw i.context.logger.error("Invalid password"),new Q("UNAUTHORIZED",{message:"Invalid email or password"});let c=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!c)throw i.context.logger.error("Failed to create session"),new Q("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:c,user:n},i.body.rememberMe===!1),i.json({user:n,session:c})}),sendPhoneNumberOTP:K("/phone-number/send-otp",{method:"POST",body:te.object({phoneNumber:te.string()})},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new Q("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let o=qr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:K("/phone-number/verify",{method:"POST",body:te.object({phoneNumber:te.string(),code:te.string(),disableSession:te.boolean().optional(),updatePhoneNumber:te.boolean().optional()})},async i=>{let o=await 
i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new Q("BAD_REQUEST",{message:"OTP expired"})):new Q("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new Q("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await R(i);if(!n)throw new Q("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:J(Mr,e?.schema)}},Mr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};import"zod";var 
Hr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},Xl=e=>({id:"anonymous",endpoints:{signInAnonymous:K("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:i=me(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:U(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=Ve(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await R(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:J(Hr,e?.schema)});import{z as y}from"zod";var Ap=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=U(async o=>{let r=await R(o);if(!r?.session)throw new b("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await 
o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:U(async o=>{let r=await be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:K("/admin/set-role",{method:"POST",body:y.object({userId:y.string(),role:y.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:K("/admin/create-user",{method:"POST",body:y.object({email:y.string(),password:y.string(),name:y.string(),role:y.string(),data:y.optional(y.record(y.any()))}),use:[i]},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:K("/admin/list-users",{method:"GET",use:[i],query:y.object({searchValue:y.string().optional(),searchField:y.enum(["email","name"]).optional(),searchOperator:y.enum(["contains","starts_with","ends_with"]).optional(),limit:y.string().or(y.number()).optional(),offset:y.string().or(y.number()).optional(),sortBy:y.string().optional(),sortDirection:y.enum(["asc","desc"]).optional(),filterField:y.string().optional(),filterValue:y.string().or(y.number()).or(y.boolean()).optional(),filterOperator:y.enum(["eq","ne","lt","lte","gt","gte"]).optional()})},async o=>{let 
r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:K("/admin/list-user-sessions",{method:"POST",use:[i],body:y.object({userId:y.string()})},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:K("/admin/unban-user",{method:"POST",body:y.object({userId:y.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:K("/admin/ban-user",{method:"POST",body:y.object({userId:y.string(),banReason:y.string().optional(),banExpiresIn:y.number().optional()}),use:[i]},async o=>{if(o.body.userId===o.context.session.user.id)throw new b("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:K("/admin/impersonate-user",{method:"POST",body:y.object({userId:y.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 
0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:K("/admin/revoke-user-session",{method:"POST",body:y.object({sessionToken:y.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:K("/admin/revoke-user-sessions",{method:"POST",body:y.object({userId:y.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:K("/admin/remove-user",{method:"POST",body:y.object({userId:y.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:J(Qr,t.schema)}},Qr={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{z as re}from"zod";import{APIError as Be}from"better-call";import{betterFetch as fo}from"@better-fetch/fetch";import{parseJWT as $r}from"oslo/jwt";async function Zr(e,t,i){if(t==="oidc"&&e.idToken){let r=$r(e.idToken);if(r?.payload)return r.payload}if(!i)return null;let o=await fo(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var Cp=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:K("/sign-in/oauth2",{method:"POST",query:re.object({currentURL:re.string().optional()}).optional(),body:re.object({providerId:re.string(),callbackURL:re.string().optional(),errorCallbackURL:re.string().optional()})},async 
t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Be("BAD_REQUEST",{message:`No config found for provider ${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:A,scopes:d,redirectURI:c,responseType:l,pkce:u,prompt:p,accessType:h}=o,k=n,f=a;if(r){let N=await fo(r,{onError(_e){t.context.logger.error(_e.error.message,_e.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Be("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await fe(t),T=await E({id:i,options:{clientId:s,clientSecret:A,redirectURI:c},authorizationEndpoint:k,state:g,codeVerifier:u?C:void 0,scopes:d||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return l&&l!=="code"&&T.searchParams.set("response_type",l),p&&T.searchParams.set("prompt",p),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:K("/oauth2/callback/:providerId",{method:"GET",query:re.object({code:re.string().optional(),error:re.string().optional(),state:re.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Be("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await qe(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,A=t.query.code,d=i.tokenUrl,c=i.userInfoUrl;if(i.discoveryUrl){let g=await fo(i.discoveryUrl,{method:"GET"});g.data&&(d=g.data.token_endpoint,c=g.data.userinfo_endpoint)}try{if(!d)throw new Be("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await O({code:A,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:d})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in 
g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Be("BAD_REQUEST",{message:"Invalid OAuth configuration."});let l=i.getUserInfo?await i.getUserInfo(o):await Zr(o,i.type||"oauth2",c);if(!l?.email)throw t.context.logger.error("Unable to get user info",l),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let u=await we(t,{userInfo:l,account:{providerId:i.providerId,accountId:l.id,accessToken:o.accessToken}});function p(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(u.error)return p(u.error.split(" ").join("_"));let{session:h,user:k}=u.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});import{z as je}from"zod";var Gi={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},kp=je.object({id:je.string(),publicKey:je.string(),privateKey:je.string(),createdAt:je.date()});var ho=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as Ji,generateKeyPair as Wr,importJWK as Gr,SignJWT as Jr}from"jose";var Dp=e=>({id:"jwt",endpoints:{getJwks:K("/jwks",{method:"GET"},async t=>{let o=await ho(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:K("/token",{method:"GET",requireHeaders:!0,use:[v]},async t=>{let i=ho(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:d,privateKey:c}=await Wr(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),l=await Ji(d),u=await Ji(c),p=JSON.stringify(u),h={id:crypto.randomUUID(),publicKey:JSON.stringify(l),privateKey:r?JSON.stringify(await 
Ae({key:t.context.options.secret,data:p})):p,createdAt:new Date};o=await i.createJwk(h)}let n=r?await ue({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Gr(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,A=await new Jr({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:A})})},schema:J(Gi,e?.schema)});import{z as io}from"zod";var Np=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:K("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(Oe(r)),a=(await Promise.all(Object.entries(n).filter(([d])=>i(d)).map(async([d])=>await o.getSignedCookie(d,o.context.secret)))).filter(d=>d!==void 0);if(!a.length)return o.json([]);let A=(await o.context.internalAdapter.findSessions(a)).filter(d=>d&&d.session.expiresAt>new Date);return o.json(A)}),setActiveSession:K("/multi-session/set-active",{method:"POST",body:io.object({sessionToken:io.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b("UNAUTHORIZED",{message:"Invalid session token"});return await 
m(o,s),o.json(s)}),revokeDeviceSession:K("/multi-session/revoke",{method:"POST",body:io.object({sessionToken:io.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let A=o.headers?.get("cookie");if(A){let d=Object.fromEntries(Oe(A)),c=(await Promise.all(Object.entries(d).filter(([u])=>i(u)).map(async([u])=>await o.getSignedCookie(u,o.context.secret)))).filter(u=>u!==void 0),l=o.context.internalAdapter;if(c.length>0){let p=(await l.findSessions(c)).filter(h=>h&&h.session.expiresAt>new Date);if(p.length>0){let h=p[0];await m(o,h)}else V(o)}else V(o)}else V(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:U(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=Ve(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let A=Oe(o.headers?.get("cookie")||""),d=s.split(".")[0];if(!d)return;let c=`${a.name}_multi-${d}`;n.get(c)||A.get(c)||Object.keys(Object.fromEntries(A)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(c,d,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:U(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(Oe(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};import{z as D}from"zod";var yo=["email-verification","sign-in","forget-password"],Qp=e=>{let 
t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:K("/email-otp/send-verification-otp",{method:"POST",body:D.object({email:D.string(),type:D.enum(yo)})},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:K("/email-otp/create-verification-otp",{method:"POST",body:D.object({email:D.string(),type:D.enum(yo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:K("/email-otp/get-verification-otp",{method:"GET",query:D.object({email:D.string(),type:D.enum(yo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:K("/email-otp/verify-email",{method:"POST",body:D.object({email:D.string(),otp:D.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new 
b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:K("/sign-in/email-otp",{method:"POST",body:D.object({email:D.string(),otp:D.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b("BAD_REQUEST",{message:"User not found"});let A=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),d=await i.context.internalAdapter.createSession(A.id,i.request);return await m(i,{session:d,user:A}),i.json({user:A,session:d})}a.user.emailVerified||await i.context.internalAdapter.updateUser(a.user.id,{emailVerified:!0});let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetEmailOTP:K("/forget-password/email-otp",{method:"POST",body:D.object({email:D.string()})},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b("BAD_REQUEST",{message:"User not found"});let n=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await 
e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:K("/email-otp/reset-password",{method:"POST",body:D.object({email:D.string(),otp:D.string(),password:D.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=M(t.otpLength,H("0-9"));await i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};import{z as Yi}from"zod";import{betterFetch as Xr}from"@better-fetch/fetch";function Xi(e){return e==="true"||e===!0}var eg=e=>({id:"one-tap",endpoints:{oneTapCallback:K("/one-tap/callback",{method:"POST",body:Yi.object({idToken:Yi.string()})},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await Xr("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b("BAD_GATEWAY",{message:"User not found"});let s=await 
t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Xi(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let A=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:A}),t.json({session:A,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});import{z as wo}from"zod";function Yr(){let e=Y.VERCEL_URL,t=Y.NETLIFY_URL,i=Y.RENDER_URL,o=Y.AWS_LAMBDA_FUNCTION_NAME,r=Y.GOOGLE_CLOUD_FUNCTION_NAME,n=Y.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var ag=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:K("/oauth-proxy-callback",{method:"GET",query:wo.object({callbackURL:wo.string(),cookies:wo.string()})},async t=>{let i=t.query.cookies,o=await ue({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:U(async t=>{let i=t.context.returned,o=i instanceof b?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===me(t.context.baseURL)){let c=n.searchParams.get("callbackURL");if(!c)return;t.setHeader("location",c);return}let s=o?.get("set-cookie");if(!s)return;let A=await Ae({key:t.context.secret,data:s}),d=`${r}&cookies=${encodeURIComponent(A)}`;t.setHeader("location",d)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||Yr()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var 
Kg=(e,t)=>({id:"custom-session",endpoints:{getSession:K("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await R(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});import{ZodObject as ot,ZodOptional as Co,ZodSchema as it}from"zod";var ke=e=>{let t=e.plugins?.reduce((A,d)=>{let c=d.schema;if(!c)return A;for(let[l,u]of Object.entries(c))A[l]={fields:{...A[l]?.fields,...u.fields},modelName:u.modelName||l};return A},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new 
Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"passwo
rd"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};import{z as Og}from"zod";import{Kysely as Ug,MssqlDialect as Eg}from"kysely";import{MysqlDialect as Sg,PostgresDialect as Dg,SqliteDialect as xg}from"kysely";var Ne={};function tt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function to(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof ot&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof it&&t.push({name:i,in:"query",schema:{type:tt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function et(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof ot||e.body instanceof Co)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof it&&(i[r]={type:tt(n),description:n.description},n instanceof Co||o.push(r))}),{required:e.body instanceof Co?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function 
ro(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. 
This is a problem with the server that you cannot fix."},...e}}async function rt(e,t){let i=co(e,{...t,plugins:[]}),o=ke(t),n={schemas:{...Object.entries(o).reduce((s,[A,d])=>{let c=A.charAt(0).toUpperCase()+A.slice(1);return s[c]={type:"object",properties:Object.entries(d.fields).reduce((l,[u,p])=>(l[u]={type:p.type},l),{})},s},{})}};Object.entries(i.api).forEach(([s,A])=>{let d=A.options;if(!d.metadata?.SERVER_ONLY&&(d.method==="GET"&&(Ne[A.path]={get:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(d),responses:ro(d.metadata?.openapi?.responses)}}),d.method==="POST")){let c=et(d);Ne[A.path]={post:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(d),...c?{requestBody:c}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:ro(d.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let A=co(e,{...t,plugins:[s]}),d=Object.keys(A.api).map(c=>i.api[c]===void 0?A.api[c]:null).filter(c=>c!==null);Object.entries(d).forEach(([c,l])=>{let u=l.options;u.metadata?.SERVER_ONLY||(u.method==="GET"&&(Ne[l.path]={get:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(u),responses:ro(u.metadata?.openapi?.responses)}}),u.method==="POST"&&(Ne[l.path]={post:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(u),requestBody:et(u),responses:ro(u.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better 
Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:Ne}}var nt=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
82
|
+
</html>`,Yo=c("/error",{method:"GET",metadata:{...he,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(or(t),{headers:{"Content-Type":"text/html"}})});import{APIError as b}from"better-call";function po(e,t){let i=t.plugins?.reduce((s,d)=>({...s,...d.endpoints}),{}),o=t.plugins?.map(s=>s.middlewares?.map(d=>{let A=async K=>d.middleware({...K,context:{...e,...K.context}});return A.path=d.path,A.options=d.middleware.options,A.headers=d.middleware.headers,{path:d.path,middleware:A}})).filter(s=>s!==void 0).flat()||[],n={...{signInSocial:ei,callbackOAuth:ii,getSession:co(),signOut:ti,signUpEmail:Xo(),signInEmail:oi,forgetPassword:ri,resetPassword:si,verifyEmail:Wo,sendVerificationEmail:Go,changeEmail:Ki,changePassword:di,setPassword:Ai,updateUser:ai(),deleteUser:ci,forgetPasswordCallback:ni,listSessions:Ho(),revokeSession:Qo,revokeSessions:$o,revokeOtherSessions:Zo,linkSocialAccount:ui,listUserAccounts:pi},...i,ok:Jo,error:Yo},a={};for(let[s,d]of Object.entries(n))a[s]=async(A={})=>{d.headers=new Headers;let K={setHeader(f,g){d.headers.set(f,g)},setCookie(f,g,C){nr(d.headers,f,g,C)},getCookie(f,g){let T=A.headers?.get("cookie");return tr(T||"",f,g)},getSignedCookie(f,g,C){let T=A.headers;return T?rr(T,g,f,C):null},async setSignedCookie(f,g,C,T){await sr(d.headers,f,g,C,T)},redirect(f){return d.headers.set("Location",f),new Pe("FOUND")},responseHeader:d.headers},u=await e,p={...K,...A,path:d.path,context:{...u,...A.context,endpoint:d}};u.session=null;let l=t.plugins||[];for(let f of l){let g=f.hooks?.before??[];for(let C of g){if(!C.matcher(p))continue;let T=await C.handler(p);if(T&&"context"in T){p={...p,...T.context};continue}if(T)return T}}let h;try{h=await d(p)}catch(f){if(f instanceof Pe){let g=t.plugins?.map(C=>{if(C.hooks?.after)return C.hooks.after}).filter(C=>C!==void 
0).flat();if(!g?.length)throw f.headers=d.headers,f;p.context.returned=f,p.context.returned.headers=d.headers;for(let C of g||[])if(C.matcher(p))try{let N=await C.handler(p);N&&"response"in N&&(p.context.returned=N.response)}catch(N){if(N instanceof Pe){p.context.returned=N;continue}throw N}if(p.context.returned instanceof Pe)throw p.context.returned.headers=d.headers,p.context.returned;return p.context.returned}throw f}p.context.returned=h,p.responseHeader=d.headers;for(let f of t.plugins||[])if(f.hooks?.after){for(let g of f.hooks.after)if(g.matcher(p))try{let T=await g.handler(p);T&&(p.context.returned=T)}catch(T){if(T instanceof Pe){p.context.returned=T;continue}throw T}}let k=p.context.returned;return k instanceof Response&&d.headers.forEach((f,g)=>{g==="set-cookie"?k.headers.append(g,f):k.headers.set(g,f)}),k},a[s].path=d.path,a[s].method=d.method,a[s].options=d.options,a[s].headers=d.headers;return{api:a,middlewares:o}}async function we(e,{userInfo:t,account:i,callbackURL:o}){let r=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(s=>{throw $.error(`Better auth was unable to query your database.
|
|
83
|
+
Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(d=>d.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Io&&$.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(K){return $.error("Unable to link account",K),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(d=>d?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let d=await se(e.context.secret,n.email),A=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:A,token:d},e.request)}}catch(s){return $.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create 
user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var ei=c("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(Qe,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Invalid id token"});let d=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!d||!d?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Failed to get user info"});if(!d.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"User email not found"});let A=await we(e,{userInfo:{email:d.user.email,id:d.user.id,name:d.user.name||"",image:d.user.image,emailVerified:d.user.emailVerified||!1},account:{providerId:t.id,accountId:d.user.id,accessToken:e.body.idToken.accessToken}});if(A.error)throw new q("UNAUTHORIZED",{message:A.error});return await m(e,A.data),e.json({session:A.data.session,user:A.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await fe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),oi=c("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. 
Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new q("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.string().email().safeParse(t).success)throw new q("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(A=>A.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new q("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new q("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new q("UNAUTHORIZED",{message:"Email is not verified."});let A=await se(e.context.secret,r.user.email),K=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${e.body.callbackURL||"/"}`;throw await 
e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:K,token:A},e.request),e.context.logger.error("Email not verified",{email:t}),new q("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let d=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!d)throw e.context.logger.error("Failed to create session"),new q("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:d,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:d,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Ee}from"zod";var Ze=Ee.object({code:Ee.string().optional(),error:Ee.string().optional(),errorMessage:Ee.string().optional(),state:Ee.string().optional()}),ii=c("/callback/:id",{method:["GET","POST"],body:Ze.optional(),query:Ze.optional(),metadata:he},async e=>{let t;try{if(e.method==="GET")t=Ze.parse(e.query);else if(e.method==="POST")t=Ze.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:d,errorURL:A}=await He(e),K;try{K=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let u=await 
n.getUserInfo(K).then(g=>g?.user);function p(g){let C=A||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!u)return e.context.logger.error("Unable to get user info"),p("unable_to_get_user_info");if(!u.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),p("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(d){if(d.email!==u.email.toLowerCase())return p("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:d.userId,providerId:n.id,accountId:u.id}))return p("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let l=await we(e,{userInfo:{id:u.id,email:u.email,name:u.name||"",image:u.image,emailVerified:u.emailVerified||!1},account:{providerId:n.id,accountId:u.id,...K,scope:K.scopes?.join(",")},callbackURL:s});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),p(l.error.split(" ").join("_"));let{session:h,user:k}=l.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});import"zod";import{APIError as ar}from"better-call";var ti=c("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw V(e),new ar("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),V(e),e.json({success:!0})});import{z as X}from"zod";import{APIError as uo}from"better-call";function li(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return 
i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function dr(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var ri=c("/forget-password",{method:"POST",body:X.object({email:X.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:X.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new uo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=L(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),ni=c("/reset-password/:token",{method:"GET",query:X.object({callbackURL:X.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with 
the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(li(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(li(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(dr(e.context,i,{token:t}))}),si=c("/reset-password",{query:X.optional(X.object({token:X.string().optional(),currentURL:X.string().optional()})),method:"POST",body:X.object({newPassword:X.string({description:"The new password to set"}),token:X.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new uo("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new uo("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(A=>A.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});import{z as _}from"zod";import{APIError as Z}from"better-call";var ai=()=>c("/update-user",{method:"POST",body:_.record(_.string(),_.any()),use:[v],metadata:{openapi:{description:"Update the current 
user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=$e(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),di=c("/change-password",{method:"POST",body:_.object({newPassword:_.string({description:"The new password to set"}),currentPassword:_.string({description:"The current password"}),revokeOtherSessions:_.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(r.user.id)).find(u=>u.providerId==="credential"&&u.password);if(!d||!d.password)throw new Z("BAD_REQUEST",{message:"User does not have a password"});let A=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,i))throw new 
Z("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:A}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let u=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!u)throw new Z("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:u,user:r.user})}return e.json(r.user)}),Ai=c("/set-password",{method:"POST",body:_.object({newPassword:_.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z("BAD_REQUEST",{message:"user already has a password"})}),ci=c("/delete-user",{method:"POST",body:_.object({password:_.string({description:"The password of the user"})}),use:[Re],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),V(e),e.json(null)}),Ki=c("/change-email",{method:"POST",query:_.object({currentURL:_.string().optional()}).optional(),body:_.object({newEmail:_.string({description:"The new email to set"}).email(),callbackURL:_.string({description:"The URL to redirect to after email 
verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await se(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});import{z as Se}from"zod";import{APIError as gi}from"better-call";var pi=c("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return 
e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),ui=c("/link-social",{method:"POST",requireHeaders:!0,query:Se.object({currentURL:Se.string().optional()}).optional(),body:Se.object({callbackURL:Se.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Se.enum(Qe,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new gi("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new gi("NOT_FOUND",{message:"Provider not found"});let n=await fe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var mi=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function Ge(e){let t=e;return{newRole(i){return Ar(i)}}}function Ar(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var 
cr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},lo=Ge(cr),Kr=lo.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),pr=lo.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),ur=lo.newRole({organization:[],member:[],invitation:[]}),fi={admin:Kr,owner:pr,member:ur};var j=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await 
i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(u=>u.userId),d=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),A=new Map(d.map(u=>[u.id,u])),K=a.map(u=>{let p=A.get(u.userId);if(!p)throw new W("Unexpected error: User not found for member");return{...u,user:{id:p.id,name:p.name,email:p.email,image:p.image}}});return{...r,invitations:n,members:K}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await 
i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var z=U(async e=>({})),F=U({use:[v]},async e=>({session:e.context.session}));import{z as G}from"zod";import{z as E}from"zod";var hi=E.string(),lr=E.enum(["pending","accepted","rejected","canceled"]).default("pending"),tc=E.object({id:E.string().default(L),name:E.string(),slug:E.string(),logo:E.string().nullish(),metadata:E.record(E.string()).or(E.string().transform(e=>JSON.parse(e))).nullish(),createdAt:E.date()}),rc=E.object({id:E.string().default(L),organizationId:E.string(),userId:E.string(),role:hi,createdAt:E.date()}),nc=E.object({id:E.string().default(L),organizationId:E.string(),email:E.string(),role:hi,status:lr,inviterId:E.string(),expiresAt:E.date()});import{APIError as B}from"better-call";var yi=e=>c("/organization/invite-member",{method:"POST",use:[z,F],body:G.object({email:G.string({description:"The email address of the user to invite"}),role:G.string({description:"The role to assign to the user"}),organizationId:G.string({description:"The organization ID to invite the user to"}).optional(),resend:G.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an 
organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new B("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new B("BAD_REQUEST",{message:"Organization not found"});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new B("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new B("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new B("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new B("BAD_REQUEST",{message:"User is already invited to this organization"});let K=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),u=await r.findOrganizationById(o);if(!u)throw new B("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:K.id,role:K.role,email:K.email,organization:u,inviter:{...n,user:i.user}},t.request),t.json(K)}),wi=c("/organization/accept-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to 
accept"})}),use:[z,F],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Ci=c("/organization/reject-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to reject"})}),use:[z,F],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),bi=c("/organization/cancel-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to cancel"})}),use:[z,F],openapi:{description:"Cancel an 
invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new B("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new B("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),vi=c("/organization/get-invitation",{method:"GET",use:[z],requireHeaders:!0,query:G.object({id:G.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await R(e);if(!t)throw new B("UNAUTHORIZED",{message:"Not authenticated"});let i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new B("BAD_REQUEST",{message:"Organization not found"});let n=await 
i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new B("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as oe}from"zod";import{APIError as ue}from"better-call";var ki=()=>c("/organization/add-member",{method:"POST",body:oe.object({userId:oe.string(),role:oe.string(),organizationId:oe.string().optional()}),use:[z],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await R(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ue("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new ue("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:L(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),Ti=c("/organization/remove-member",{method:"POST",body:oe.object({memberIdOrEmail:oe.string({description:"The ID or email of the member to remove"}),organizationId:oe.string({description:"The ID of the organization to remove the member from. 
If not provided, the active organization will be used"}).optional()}),use:[z,F],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new ue("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new ue("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ue("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new ue("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let A=null;if(e.body.memberIdOrEmail.includes("@")?A=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):A=await o.findMemberById(e.body.memberIdOrEmail),A?.organizationId!==i)throw new ue("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(A.id),t.user.id===A.userId&&t.session.activeOrganizationId===A.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:A})}),Oi=e=>c("/organization/update-member-role",{method:"POST",body:oe.object({role:oe.string(),memberId:oe.string(),organizationId:oe.string().optional()}),use:[z,F],metadata:{openapi:{description:"Update the role of a member in an 
organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let d=await r.updateMember(t.body.memberId,t.body.role);return d?t.json(d):t.json(null,{status:400,body:{message:"Member not found!"}})}),Ii=c("/organization/get-active-member",{method:"GET",use:[z,F],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await j(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});import{z as S}from"zod";import{APIError as le}from"better-call";var Ri=c("/organization/create",{method:"POST",body:S.object({name:S.string({description:"The name of the 
organization"}),slug:S.string({description:"The slug of the organization"}),userId:S.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.string({description:"The logo of the organization"}).optional(),metadata:S.record(S.string(),S.any(),{description:"The metadata of the organization"}).optional()}),use:[z,F],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new le("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=j(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new le("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new le("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await r.createOrganization({organization:{id:L(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,d.id),e.json(d)}),Ui=c("/organization/update",{method:"POST",body:S.object({data:S.object({name:S.string({description:"The name of the organization"}).optional(),slug:S.string({description:"The slug of the organization"}).optional(),logo:S.string({description:"The logo of the 
organization"}).optional()}).partial(),organizationId:S.string().optional()}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new le("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),Pi=c("/organization/delete",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not 
found!"}});if(n.authorize({organization:["delete"]}).error)throw new le("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),Ei=c("/organization/get-full-organization",{method:"GET",query:S.optional(S.object({organizationId:S.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[z,F],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await j(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new le("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Si=c("/organization/set-active",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to set as active. 
Can be null to unset the active organization"}).nullable().optional()}),use:[F,z],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=j(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let d=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:d,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new le("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Di=c("/organization/list",{method:"GET",use:[z,F],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await j(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var gr=Ge({name:["action"]}),Vc=gr.newRole({name:["action"]}),qc=e=>{let t={createOrganization:Ri,updateOrganization:Ui,deleteOrganization:Pi,setActiveOrganization:Si,getFullOrganization:Ei,listOrganizations:Di,createInvitation:yi(e),cancelInvitation:bi,acceptInvitation:wi,getInvitation:vi,rejectInvitation:Ci,addMember:ki(),removeMember:Ti,updateMemberRole:Oi(e),getActiveMember:Ii},i={...fi,...e?.roles};return{id:"organization",endpoints:{...mi(t,{orgOptions:e||{},roles:i,getSession:async r=>await 
R(r)}),hasPermission:c("/organization/has-permission",{method:"POST",requireHeaders:!0,body:De.object({permission:De.record(De.string(),De.array(De.string()))}),use:[F],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new xi("BAD_REQUEST",{message:"No active organization"});let a=await j(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new xi("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=i[a.role].authorize(r.body.permission);return d.error?r.json({error:d.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"u
ser",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};import ji from"uncrypto";function mr(e){return e.toString(2).padStart(8,"0")}function fr(e){return[...e].map(t=>mr(t)).join("")}function Bi(e){return parseInt(fr(e),2)}function hr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=Bi(o);for(;r>=e;)ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=Bi(o);return r}function M(e,t){let i="";for(let o=0;o<e;o++)i+=t[hr(t.length)];return i}function H(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}import{z as eo}from"zod";import{xchacha20poly1305 as Ni}from"@noble/ciphers/chacha";import{bytesToHex as yr,hexToBytes as wr,utf8ToBytes as Cr}from"@noble/ciphers/utils";import{managedNonce as Li}from"@noble/ciphers/webcrypto";import{sha256 as _i}from"oslo/crypto";import zi 
from"uncrypto";import{decodeHex as Wc,encodeHex as Jc}from"oslo/encoding";import{scryptAsync as eK}from"@noble/hashes/scrypt";import{getRandomValues as iK}from"uncrypto";async function xe(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zi.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zi.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var de=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=Cr(t),r=Li(Ni)(new Uint8Array(i));return yr(r.encrypt(o))},pe=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=wr(t),r=Li(Ni)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};import{z as Ae}from"zod";import{APIError as je}from"better-call";var We="two_factor";var Je="trust_device";import{z as Fi}from"zod";var ge=U({body:Fi.object({trustDevice:Fi.boolean().optional()})},async e=>{let t=await R(e);if(!t){let i=e.context.createAuthCookie(We),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new je("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(Je,{maxAge:2592e3}),s=await xe(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor 
authentication"})},session:t}});import{APIError as Be}from"better-call";function br(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>M(e?.length??10,H("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function go(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():br(),r=await de({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function vr(e,t){let i=await Vi(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Vi(e,t){let i=Buffer.from(await pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=Ae.array(Ae.string()).safeParse(o);return r.success?r.data:null}var qi=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:c("/two-factor/verify-backup-code",{method:"POST",body:Ae.object({code:Ae.string(),disableSession:Ae.boolean().optional()}),use:[ge]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await vr({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new Be("UNAUTHORIZED",{message:"Invalid backup code"});let a=await de({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:c("/two-factor/generate-backup-codes",{method:"POST",body:Ae.object({password:Ae.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new Be("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await go(i.context.secret,e);return await 
i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:c("/two-factor/view-backup-codes",{method:"GET",body:Ae.object({userId:Ae.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Vi(o.backupCodes,i.context.secret);if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});import{APIError as Xe}from"better-call";import{TOTPController as kr}from"oslo/otp";import{z as Mi}from"zod";import{TimeSpan as Tr}from"oslo";var Hi=(e,t)=>{let i={...e,period:new Tr(e?.period||3,"m")},o=new kr({digits:6,period:i.period}),r=c("/two-factor/send-otp",{method:"POST",use:[ge],metadata:{openapi:{summary:"Send two factor OTP",description:"Send two factor OTP to the user",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. 
Please configure the send otp function on otp options."),new Xe("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});let A=await o.generate(Buffer.from(d.secret));return await e.sendOTP({user:s,otp:A},a.request),a.json({status:!0})}),n=c("/two-factor/verify-otp",{method:"POST",body:Mi.object({code:Mi.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor OTP",description:"Verify two factor OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Xe("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};import{APIError as Ce}from"better-call";import{TimeSpan as Or}from"oslo";import{TOTPController as Qi,createTOTPKeyURI as Ir}from"oslo/otp";import{z as Ye}from"zod";var $i=(e,t)=>{let i={...e,digits:6,period:new Or(e?.period||30,"s")},o=c("/totp/generate",{method:"POST",use:[v],metadata:{openapi:{summary:"Generate TOTP code",description:"Use this endpoint to generate a TOTP code",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{code:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Qi(i).generate(Buffer.from(d.secret))}}),r=c("/two-factor/get-totp-uri",{method:"POST",use:[v],body:Ye.object({password:Ye.string({description:"User password"})}),metadata:{openapi:{summary:"Get TOTP URI",description:"Use this endpoint to get the TOTP URI",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:Ir(e.issuer||a.context.appName,s.email,Buffer.from(d.secret),i)}}),n=c("/two-factor/verify-totp",{method:"POST",body:Ye.object({code:Ye.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor TOTP",description:"Verify two factor TOTP",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});let A=new Qi(i),K=await pe({key:a.context.secret,data:d.secret}),u=Buffer.from(K);if(!await A.verify(a.body.code,u))return a.context.invalid();if(!s.twoFactorEnabled){let l=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:l})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as WK}from"better-call";async function mo(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}import{APIError as Gi}from"better-call";import{createTOTPKeyURI as Ur}from"oslo/otp";import{TimeSpan as Pr}from"oslo";import{APIError as Rr}from"better-call";var be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t instanceof Rr?null:t:null};var Zi={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var 
op=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var wp=e=>{let t={twoFactorTable:"twoFactor"},i=$i({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=qi({...e?.backupCodeOptions},t.twoFactorTable),r=Hi({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:c("/two-factor/enable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Enable two factor authentication",description:"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. 
Once the user verifies the TOTP URI, the two factor authentication will be enabled.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string",description:"TOTP URI"},backupCodes:{type:"array",items:{type:"string"},description:"Backup codes"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});let A=M(16,H("a-z","0-9","-")),K=await de({key:n.context.secret,data:A}),u=await go(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let l=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(l.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:K,backupCodes:u.encryptedBackupCodes,userId:a.id}});let p=Ur(e?.issuer||"BetterAuth",a.email,Buffer.from(A),{digits:e?.totpOptions?.digits||6,period:new Pr(e?.totpOptions?.period||30,"s")});return n.json({totpURI:p,backupCodes:u.backupCodes})}),disableTwoFactor:c("/two-factor/disable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Disable two factor authentication",description:"Use this endpoint to disable two factor authentication.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await 
n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let A=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:A,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:U(async n=>{let a=await be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(Je),d=await n.getSignedCookie(s.name,n.context.secret);if(d){let[K,u]=d.split("!"),p=await xe(n.context.secret,`${a.user.id}!${u}`);if(K===p){let l=await xe(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${l}!${a.session.token}`,n.context.secret,s.attributes);return}}V(n),await n.context.internalAdapter.deleteSession(a.session.token);let A=n.context.createAuthCookie(We,{maxAge:60*10});return await n.setSignedCookie(A.name,a.user.id,n.context.secret,A.attributes),n.json({twoFactorRedirect:!0})})}]},schema:J(Zi,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as Nr,generateRegistrationOptions as Lr,verifyAuthenticationResponse as _r,verifyRegistrationResponse as Fr}from"@simplewebauthn/server";import{APIError as ie}from"better-call";import{z as ce}from"zod";import{WebAuthnError as Dr,startAuthentication as xr,startRegistration as jr}from"@simplewebauthn/browser";import{createFetch as Np}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Pp}from"nanostores";import"@better-fetch/fetch";import{atom as Er,onMount as Sr}from"nanostores";var fo=(e,t,i,o)=>{let r=Er({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async 
onSuccess(d){r.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){r.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let A=r.get();r.set({isPending:A.data===null,data:A.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():Sr(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};import{atom as Br}from"nanostores";var zr=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await xr(a.data,r?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await jr(a.data),d=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Dr?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),nu=()=>{let 
e=Br();return{id:"passkey",$InferServerPlugin:{},getActions:t=>zr(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:fo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var yu=e=>{let t=Y.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new W("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:c("/passkey/generate-register-options",{method:"GET",use:[Re],metadata:{client:!1,openapi:{description:"Generate registration options for a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},pubKeyCredParams:{type:"array",items:{type:"object",properties:{type:{type:"string"},alg:{type:"number"}}}},timeout:{type:"number"},excludeCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},attestation:{type:"string"},extensions:{type:"object"}}}}}}}}}},async s=>{let d=s.context.session,A=await 
s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),K=new Uint8Array(Buffer.from(M(32,H("a-z","0-9")))),u;u=await Lr({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:K,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify({expectedChallenge:u.challenge,userData:{id:d.user.id}}),expiresAt:r}),s.json(u,{status:200})}),generatePasskeyAuthenticationOptions:c("/passkey/generate-authenticate-options",{method:"POST",body:ce.object({email:ce.string({description:"The email address of the user"}).optional()}).optional(),metadata:{openapi:{description:"Generate authentication options for a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},timeout:{type:"number"},allowCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},userVerification:{type:"string"},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},extensions:{type:"object"}}}}}}}}}},async s=>{let d=await R(s),A=[];d&&(A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let K=await 
Nr({rpID:o.rpID,userVerification:"preferred",...A.length?{allowCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")}))}:{}}),u={expectedChallenge:K.challenge,userData:{id:d?.user.id||""}},p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify(u),expiresAt:r}),s.json(K,{status:200})}),verifyPasskeyRegistration:c("/passkey/verify-registration",{method:"POST",body:ce.object({response:ce.any({description:"The response from the authenticator"}),name:ce.string({description:"Name of the passkey"}).optional()}),use:[Re],metadata:{openapi:{description:"Verify registration of a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{$ref:"#/components/schemas/Passkey"}}}},400:{description:"Bad request"}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)return s.json(null,{status:400});let{expectedChallenge:p,userData:l}=JSON.parse(u.value);if(l.id!==s.context.session.user.id)throw new ie("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await Fr({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:Fe}=f,at=Buffer.from(C).toString("base64"),dt={name:s.body.name,userId:l.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:at,counter:T,deviceType:N,transports:A.response.transports.join(","),backedUp:Fe,createdAt:new Date},At=await 
s.context.adapter.create({model:"passkey",data:dt});return s.json(At,{status:200})}catch(h){throw console.log(h),new ie("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:c("/passkey/verify-authentication",{method:"POST",body:ce.object({response:ce.any()}),metadata:{openapi:{description:"Verify authentication of a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new ie("BAD_REQUEST",{message:"origin missing"});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:p}=JSON.parse(u.value),l=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:A.id}]});if(!l)throw new ie("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await _r({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:l.id,credentialPublicKey:new Uint8Array(Buffer.from(l.publicKey,"base64")),counter:l.counter,transports:l.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:l.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(l.userId,s.request);if(!f)throw new ie("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(l.userId);if(!g)throw new ie("INTERNAL_SERVER_ERROR",{message:"User not found"});return await 
m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:c("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:c("/passkey/delete-passkey",{method:"POST",body:ce.object({id:ce.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:J(Vr,e?.schema)}},Vr={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};import{z as oo}from"zod";import{APIError as ze}from"better-call";var Wi=()=>({id:"username",endpoints:{signInUsername:c("/sign-in/username",{method:"POST",body:oo.object({username:oo.string({description:"The username of the user"}),password:oo.string({description:"The password of the user"}),rememberMe:oo.boolean({description:"Remember the user session"}).optional()}),metadata:{openapi:{summary:"Sign in with username",description:"Sign in with username",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Wi}),new 
ze("UNAUTHORIZED",{message:"Invalid username or password"});if(!t.emailVerified&&e.context.options.emailAndPassword?.requireEmailVerification)throw await Ko(e,t),new ze("UNAUTHORIZED",{message:"Email not verified"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new ze("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not found",{username:Wi}),new ze("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new ze("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});import{serializeSigned as qr}from"better-call";var Uu=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await qr("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});import{z as ve}from"zod";import{APIError as Ji}from"better-call";var Bu=e=>({id:"magic-link",endpoints:{signInMagicLink:c("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ve.object({email:ve.string({description:"Email address to send the magic 
link"}).email(),callbackURL:ve.string({description:"URL to redirect after magic link verification"}).optional()}),metadata:{openapi:{description:"Sign in with magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Ji("BAD_REQUEST",{message:"User not found"});let o=M(32,H("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw t.context.logger.error("Failed to send magic link",n),new Ji("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:c("/magic-link/verify",{method:"GET",query:ve.object({token:ve.string({description:"Verification token"}),callbackURL:ve.string({description:"URL to redirect after magic link verification, if not provided will return session"}).optional()}),requireHeaders:!0,metadata:{openapi:{description:"Verify magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await 
t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let A=await t.context.internalAdapter.createSession(d,t.headers);if(!A)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:A,user:s?.user}),!o)return t.json({session:A,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as te}from"zod";import{APIError as Q}from"better-call";function Mr(e){return M(e,H("0-9"))}var Qu=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:c("/sign-in/phone-number",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to sign in"}),password:te.string({description:"Password to use for sign in"}),rememberMe:te.boolean({description:"Remember the session"}).optional()}),metadata:{openapi:{summary:"Sign in with phone number",description:"Use this endpoint to sign in with phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid phone number or password"}}}}},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new Q("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await 
i.context.internalAdapter.findAccountByUserId(n.id)).find(u=>u.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Invalid password or password"});let d=s?.password;if(!d)throw i.context.logger.error("Password not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(d,o))throw i.context.logger.error("Invalid password"),new Q("UNAUTHORIZED",{message:"Invalid email or password"});let K=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!K)throw i.context.logger.error("Failed to create session"),new Q("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:K,user:n},i.body.rememberMe===!1),i.json({user:n,session:K})}),sendPhoneNumberOTP:c("/phone-number/send-otp",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to send OTP"})}),metadata:{openapi:{summary:"Send OTP to phone number",description:"Use this endpoint to send OTP to phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}}}}}}},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new Q("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let o=Mr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:c("/phone-number/verify",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to verify"}),code:te.string({description:"OTP code"}),disableSession:te.boolean({description:"Disable 
session creation after verification"}).optional(),updatePhoneNumber:te.boolean({description:"Check if there is a session and update the phone number"}).optional()}),metadata:{openapi:{summary:"Verify phone number",description:"Use this endpoint to verify phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid OTP"}}}}},async i=>{let o=await i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new Q("BAD_REQUEST",{message:"OTP expired"})):new Q("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new Q("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await R(i);if(!n)throw new Q("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to update 
user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:J(Hr,e?.schema)}},Hr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};import"zod";var Qr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},el=e=>({id:"anonymous",endpoints:{signInAnonymous:c("/sign-in/anonymous",{method:"POST",metadata:{openapi:{description:"Sign in anonymously",responses:{200:{description:"Sign in anonymously",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async t=>{let{emailDomainName:i=me(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:U(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=Me(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await R(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await 
e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:J(Qr,e?.schema)});import{z as y}from"zod";var cl=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=U(async o=>{let r=await R(o);if(!r?.session)throw new b("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:U(async o=>{let r=await be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:c("/admin/set-role",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),role:y.string({description:"The role to set. 
`admin` or `user` by default"})}),use:[i],metadata:{openapi:{operationId:"setRole",summary:"Set the role of a user",description:"Set the role of a user",responses:{200:{description:"User role updated",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:c("/admin/create-user",{method:"POST",body:y.object({email:y.string({description:"The email of the user"}),password:y.string({description:"The password of the user"}),name:y.string({description:"The name of the user"}),role:y.string({description:"The role of the user"}),data:y.optional(y.record(y.any(),{description:"Extra fields for the user. Including custom additional fields."}))}),use:[i],metadata:{openapi:{operationId:"createUser",summary:"Create a new user",description:"Create a new user",responses:{200:{description:"User created",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:c("/admin/list-users",{method:"GET",use:[i],query:y.object({searchValue:y.string({description:"The value to search for"}).optional(),searchField:y.enum(["email","name"],{description:"The field to search in, defaults to email. 
Can be `email` or `name`"}).optional(),searchOperator:y.enum(["contains","starts_with","ends_with"],{description:"The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`"}).optional(),limit:y.string({description:"The number of users to return"}).or(y.number()).optional(),offset:y.string({description:"The offset to start from"}).or(y.number()).optional(),sortBy:y.string({description:"The field to sort by"}).optional(),sortDirection:y.enum(["asc","desc"],{description:"The direction to sort by"}).optional(),filterField:y.string({description:"The field to filter by"}).optional(),filterValue:y.string({description:"The value to filter by"}).or(y.number()).or(y.boolean()).optional(),filterOperator:y.enum(["eq","ne","lt","lte","gt","gte"],{description:"The operator to use for the filter"}).optional()}),metadata:{openapi:{operationId:"listUsers",summary:"List users",description:"List users",responses:{200:{description:"List of users",content:{"application/json":{schema:{type:"object",properties:{users:{type:"array",items:{$ref:"#/components/schemas/User"}}}}}}}}}}},async o=>{let r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:c("/admin/list-user-sessions",{method:"POST",use:[i],body:y.object({userId:y.string({description:"The user id"})}),metadata:{openapi:{operationId:"listUserSessions",summary:"List user sessions",description:"List user sessions",responses:{200:{description:"List of user 
sessions",content:{"application/json":{schema:{type:"object",properties:{sessions:{type:"array",items:{$ref:"#/components/schemas/Session"}}}}}}}}}}},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:c("/admin/unban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"unbanUser",summary:"Unban a user",description:"Unban a user",responses:{200:{description:"User unbanned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:c("/admin/ban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),banReason:y.string({description:"The reason for the ban"}).optional(),banExpiresIn:y.number({description:"The number of seconds until the ban expires"}).optional()}),use:[i],metadata:{openapi:{operationId:"banUser",summary:"Ban a user",description:"Ban a user",responses:{200:{description:"User banned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(o.body.userId===o.context.session.user.id)throw new b("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:c("/admin/impersonate-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"impersonateUser",summary:"Impersonate a user",description:"Impersonate a user",responses:{200:{description:"Impersonation session 
created",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:c("/admin/revoke-user-session",{method:"POST",body:y.object({sessionToken:y.string({description:"The session token"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSession",summary:"Revoke a user session",description:"Revoke a user session",responses:{200:{description:"Session revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:c("/admin/revoke-user-sessions",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSessions",summary:"Revoke all user sessions",description:"Revoke all user sessions",responses:{200:{description:"Sessions revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:c("/admin/remove-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"removeUser",summary:"Remove a user",description:"Delete a user and all their sessions and accounts. 
Cannot be undone.",responses:{200:{description:"User removed",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:J($r,t.schema)}},$r={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{z as re}from"zod";import{APIError as Ne}from"better-call";import{betterFetch as ho}from"@better-fetch/fetch";import{parseJWT as Zr}from"oslo/jwt";async function Gr(e,t,i){if(t==="oidc"&&e.idToken){let r=Zr(e.idToken);if(r?.payload)return r.payload}if(!i)return null;let o=await ho(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var vl=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:c("/sign-in/oauth2",{method:"POST",query:re.object({currentURL:re.string({description:"Redirect to the current URL after sign in"}).optional()}).optional(),body:re.object({providerId:re.string({description:"The provider ID for the OAuth provider"}),callbackURL:re.string({description:"The URL to redirect to after sign in"}).optional(),errorCallbackURL:re.string({description:"The URL to redirect to if an error occurs"}).optional()}),metadata:{openapi:{description:"Sign in with OAuth2",responses:{200:{description:"Sign in with OAuth2",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}}}}}}}}}},async t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Ne("BAD_REQUEST",{message:`No config found for provider 
${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:d,scopes:A,redirectURI:K,responseType:u,pkce:p,prompt:l,accessType:h}=o,k=n,f=a;if(r){let N=await ho(r,{onError(Fe){t.context.logger.error(Fe.error.message,Fe.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await fe(t),T=await P({id:i,options:{clientId:s,clientSecret:d,redirectURI:K},authorizationEndpoint:k,state:g,codeVerifier:p?C:void 0,scopes:A||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return u&&u!=="code"&&T.searchParams.set("response_type",u),l&&T.searchParams.set("prompt",l),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:c("/oauth2/callback/:providerId",{method:"GET",query:re.object({code:re.string({description:"The OAuth2 code"}).optional(),error:re.string({description:"The error message, if any"}).optional(),state:re.string({description:"The state parameter from the OAuth2 request"})}),metadata:{openapi:{description:"OAuth2 callback",responses:{200:{description:"OAuth2 callback",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"}}}}}}}}}},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Ne("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await He(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,d=t.query.code,A=i.tokenUrl,K=i.userInfoUrl;if(i.discoveryUrl){let g=await ho(i.discoveryUrl,{method:"GET"});g.data&&(A=g.data.token_endpoint,K=g.data.userinfo_endpoint)}try{if(!A)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await 
O({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:A})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let u=i.getUserInfo?await i.getUserInfo(o):await Gr(o,i.type||"oauth2",K);if(!u?.email)throw t.context.logger.error("Unable to get user info",u),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let p=await we(t,{userInfo:u,account:{providerId:i.providerId,accountId:u.id,accessToken:o.accessToken}});function l(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(p.error)return l(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});import{z as Le}from"zod";var Xi={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},Ol=Le.object({id:Le.string(),publicKey:Le.string(),privateKey:Le.string(),createdAt:Le.date()});var yo=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as Yi,generateKeyPair as Wr,importJWK as Jr,SignJWT as Xr}from"jose";var jl=e=>({id:"jwt",endpoints:{getJwks:c("/jwks",{method:"GET",metadata:{openapi:{description:"Get the JSON Web Key Set",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{keys:{type:"array",items:{type:"object",properties:{kid:{type:"string"},kty:{type:"string"},use:{type:"string"},alg:{type:"string"},n:{type:"string"},e:{type:"string"}}}}}}}}}}}}},async t=>{let o=await 
yo(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:c("/token",{method:"GET",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Get a JWT token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async t=>{let i=yo(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:A,privateKey:K}=await Wr(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),u=await Yi(A),p=await Yi(K),l=JSON.stringify(p),h={id:crypto.randomUUID(),publicKey:JSON.stringify(u),privateKey:r?JSON.stringify(await de({key:t.context.options.secret,data:l})):l,createdAt:new Date};o=await i.createJwk(h)}let n=r?await pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Jr(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new Xr({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:J(Xi,e?.schema)});import{z as io}from"zod";var _l=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:c("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(Oe(r)),a=(await Promise.all(Object.entries(n).filter(([A])=>i(A)).map(async([A])=>await o.getSignedCookie(A,o.context.secret)))).filter(A=>A!==void 0);if(!a.length)return o.json([]);let 
d=(await o.context.internalAdapter.findSessions(a)).filter(A=>A&&A.session.expiresAt>new Date);return o.json(d)}),setActiveSession:c("/multi-session/set-active",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to set as active"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Set the active session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b("UNAUTHORIZED",{message:"Invalid session token"});return await m(o,s),o.json(s)}),revokeDeviceSession:c("/multi-session/revoke",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to revoke"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke a device session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let d=o.headers?.get("cookie");if(d){let A=Object.fromEntries(Oe(d)),K=(await Promise.all(Object.entries(A).filter(([p])=>i(p)).map(async([p])=>await o.getSignedCookie(p,o.context.secret)))).filter(p=>p!==void 0),u=o.context.internalAdapter;if(K.length>0){let 
l=(await u.findSessions(K)).filter(h=>h&&h.session.expiresAt>new Date);if(l.length>0){let h=l[0];await m(o,h)}else V(o)}else V(o)}else V(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:U(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=Me(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let d=Oe(o.headers?.get("cookie")||""),A=s.split(".")[0];if(!A)return;let K=`${a.name}_multi-${A}`;n.get(K)||d.get(K)||Object.keys(Object.fromEntries(d)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(K,A,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:U(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(Oe(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};import{z as D}from"zod";var wo=["email-verification","sign-in","forget-password"],Zl=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:c("/email-otp/send-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{openapi:{description:"Send verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await 
i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:c("/email-otp/create-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{SERVER_ONLY:!0,openapi:{description:"Create verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string"}}}}}}}},async i=>{let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:c("/email-otp/get-verification-otp",{method:"GET",query:D.object({email:D.string({description:"Email address to get the OTP"}),type:D.enum(wo)}),metadata:{SERVER_ONLY:!0,openapi:{description:"Get verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{otp:{type:"string"}}}}}}}}}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:c("/email-otp/verify-email",{method:"POST",body:D.object({email:D.string({description:"Email address to verify"}),otp:D.string({description:"OTP to verify"})}),metadata:{openapi:{description:"Verify email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let 
n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:c("/sign-in/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to sign in"}),otp:D.string({description:"OTP sent to the email"})}),metadata:{openapi:{description:"Sign in with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b("BAD_REQUEST",{message:"User not found"});let d=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),A=await i.context.internalAdapter.createSession(d.id,i.request);return await m(i,{session:A,user:d}),i.json({user:d,session:A})}a.user.emailVerified||await i.context.internalAdapter.updateUser(a.user.id,{emailVerified:!0});let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetPasswordEmailOTP:c("/forget-password/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"})}),metadata:{openapi:{description:"Forget password with email 
OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b("BAD_REQUEST",{message:"User not found"});let n=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:c("/email-otp/reset-password",{method:"POST",body:D.object({email:D.string({description:"Email address to reset the password"}),otp:D.string({description:"OTP sent to the email"}),password:D.string({description:"New password"})}),metadata:{openapi:{description:"Reset password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=M(t.otpLength,H("0-9"));await 
i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};import{z as ot}from"zod";import{betterFetch as Yr}from"@better-fetch/fetch";function et(e){return e==="true"||e===!0}var ig=e=>({id:"one-tap",endpoints:{oneTapCallback:c("/one-tap/callback",{method:"POST",body:ot.object({idToken:ot.string({description:"Google ID token, which the client obtains from the One Tap API"})}),metadata:{openapi:{summary:"One tap callback",description:"Use this endpoint to authenticate with Google One Tap",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}},400:{description:"Invalid token"}}}}},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await Yr("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:et(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});import{z as Co}from"zod";function en(){let e=Y.VERCEL_URL,t=Y.NETLIFY_URL,i=Y.RENDER_URL,o=Y.AWS_LAMBDA_FUNCTION_NAME,r=Y.GOOGLE_CLOUD_FUNCTION_NAME,n=Y.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var 
Ag=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:c("/oauth-proxy-callback",{method:"GET",query:Co.object({callbackURL:Co.string({description:"The URL to redirect to after the proxy"}),cookies:Co.string({description:"The cookies to set after the proxy"})}),metadata:{openapi:{description:"OAuth Proxy Callback",parameters:[{in:"query",name:"callbackURL",required:!0,description:"The URL to redirect to after the proxy"},{in:"query",name:"cookies",required:!0,description:"The cookies to set after the proxy"}],responses:{302:{description:"Redirect",headers:{Location:{description:"The URL to redirect to",schema:{type:"string"}}}}}}}},async t=>{let i=t.query.cookies,o=await pe({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:U(async t=>{let i=t.context.returned,o=i instanceof b?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===me(t.context.baseURL)){let K=n.searchParams.get("callbackURL");if(!K)return;t.setHeader("location",K);return}let s=o?.get("set-cookie");if(!s)return;let d=await de({key:t.context.secret,data:s}),A=`${r}&cookies=${encodeURIComponent(d)}`;t.setHeader("location",A)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||en()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var pg=(e,t)=>({id:"custom-session",endpoints:{getSession:c("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await R(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});import{ZodObject as tt,ZodOptional as bo,ZodSchema as rt}from"zod";var ke=e=>{let t=e.plugins?.reduce((d,A)=>{let 
K=A.schema;if(!K)return d;for(let[u,p]of Object.entries(K))d[u]={fields:{...d[u]?.fields,...p.fields},modelName:p.modelName||u};return d},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new 
Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"passwo
rd"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};import{z as Rg}from"zod";import{Kysely as Eg,MssqlDialect as Sg}from"kysely";import{MysqlDialect as xg,PostgresDialect as jg,SqliteDialect as Bg}from"kysely";var _e={};function nt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function to(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof tt&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof rt&&t.push({name:i,in:"query",schema:{type:nt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function it(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof tt||e.body instanceof bo)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof rt&&(i[r]={type:nt(n),description:n.description},n instanceof bo||o.push(r))}),{required:e.body instanceof bo?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function 
ro(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. 
This is a problem with the server that you cannot fix."},...e}}async function vo(e,t){let i=po(e,{...t,plugins:[]}),o=ke(t),n={schemas:{...Object.entries(o).reduce((s,[d,A])=>{let K=d.charAt(0).toUpperCase()+d.slice(1);return s[K]={type:"object",properties:Object.entries(A.fields).reduce((u,[p,l])=>(u[p]={type:l.type},u),{})},s},{})}};Object.entries(i.api).forEach(([s,d])=>{let A=d.options;if(!A.metadata?.SERVER_ONLY&&(A.method==="GET"&&(_e[d.path]={get:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),responses:ro(A.metadata?.openapi?.responses)}}),A.method==="POST")){let K=it(A);_e[d.path]={post:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),...K?{requestBody:K}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:ro(A.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let d=po(e,{...t,plugins:[s]}),A=Object.keys(d.api).map(K=>i.api[K]===void 0?d.api[K]:null).filter(K=>K!==null);Object.entries(A).forEach(([K,u])=>{let p=u.options;p.metadata?.SERVER_ONLY||(p.method==="GET"&&(_e[u.path]={get:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),responses:ro(p.metadata?.openapi?.responses)}}),p.method==="POST"&&(_e[u.path]={post:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),requestBody:it(p),responses:ro(p.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better 
Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:_e}}var st=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
84
84
|
<rect width="75" height="75" fill="url(#pattern0_21_12)"/>
|
|
85
85
|
<defs>
|
|
86
86
|
<pattern id="pattern0_21_12" patternContentUnits="objectBoundingBox" width="1" height="1">
|
|
@@ -89,7 +89,7 @@ Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
|
|
|
89
89
|
<image id="image0_21_12" width="1056" height="1056" xlink:href="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAASABIAAD/4QBARXhpZgAATU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAAqACAAQAAAABAAAEIKADAAQAAAABAAAEIAAAAAD/7QA4UGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAAA4QklNBCUAAAAAABDUHYzZjwCyBOmACZjs+EJ+/+ICKElDQ19QUk9GSUxFAAEBAAACGGFwcGwEAAAAbW50clJHQiBYWVogB+YAAQABAAAAAAAAYWNzcEFQUEwAAAAAQVBQTAAAAAAAAAAAAAAAAAAAAAAAAPbWAAEAAAAA0y1hcHBs7P2jjjiFR8NttL1PetoYLwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKZGVzYwAAAPwAAAAwY3BydAAAASwAAABQd3RwdAAAAXwAAAAUclhZWgAAAZAAAAAUZ1hZWgAAAaQAAAAUYlhZWgAAAbgAAAAUclRSQwAAAcwAAAAgY2hhZAAAAewAAAAsYlRSQwAAAcwAAAAgZ1RSQwAAAcwAAAAgbWx1YwAAAAAAAAABAAAADGVuVVMAAAAUAAAAHABEAGkAcwBwAGwAYQB5ACAAUAAzbWx1YwAAAAAAAAABAAAADGVuVVMAAAA0AAAAHABDAG8AcAB5AHIAaQBnAGgAdAAgAEEAcABwAGwAZQAgAEkAbgBjAC4ALAAgADIAMAAyADJYWVogAAAAAAAA9tUAAQAAAADTLFhZWiAAAAAAAACD3wAAPb////+7WFlaIAAAAAAAAEq/AACxNwAACrlYWVogAAAAAAAAKDgAABELAADIuXBhcmEAAAAAAAMAAAACZmYAAPKnAAANWQAAE9AAAApbc2YzMgAAAAAAAQxCAAAF3v//8yYAAAeTAAD9kP//+6L///2jAAAD3AAAwG7/wAARCAQgBCADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9sAQwACAgICAgIDAgIDBAMDAwQFBAQEBAUHBQUFBQUHCAcHBwcHBwgICAgICAgICgoKCgoKCwsLCwsNDQ0NDQ0NDQ0N/9sAQwECAgIDAwMGAwMGDQkHCQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0N/90ABABC/9oADAMBAAIRAxEAPwD9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACii
igAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//Q/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0f38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9L9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//T/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9X9/KKKKACiiigAooooAKKKKACii
igAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//W/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//R/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACii
igAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//U/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1f38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9b9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//X/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACii
igAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//S/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0/38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//V/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACii
igAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Ln/gq38a/in8Dvgp4T8R/CfxFdeG9SvvFMdlcXFoELyW5srqQxnzEcY3op4Gciv1Gr8Z/+C2X/JvXgj/sc4v/AE33lAH4z/8ADwv9tD/oq2tf9823/wAZo/4eF/tof9FW1r/vm2/+M18Z0UAfZn/Dwv8AbQ/6KtrX/fNt/wDGaP8Ah4X+2h/0VbWv++bb/wCM18Z0UAfZn/Dwv9tD/oq2tf8AfNt/8Zo/4eF/tof9FW1r/vm2/wDjNfGdFAH2Z/w8L/bQ/wCira1/3zbf/GaP+Hhf7aH/AEVbWv8Avm2/+M18Z0UAfZn/AA8L/bQ/6KtrX/fNt/8AGaP+Hhf7aH/RVta/75tv/jNfGdFAH2Z/w8L/AG0P+ira1/3zbf8Axmj/AIeF/tof9FW1r/vm2/8AjNfGdFAH63/sVftq/tTfEb9qb4deCfG3xF1TVtD1bVGgvbKdYBHPGIJW2ttiVsblB4I6V/UbX8Z//BPT/k9D4U/9hpv/AEmmr+zCgAooooAKKKKACiiigAooooAKKKKACiiigD+M/wD4eF/tof8ARVta/wC+bb/4zR/w8L/bQ/6KtrX/AHzbf/Ga+M6KAPsz/h4X+2h/0VbWv++bb/4zR/w8L/bQ/wCira1/3zbf/Ga+M6KAPsz/AIeF/tof9FW1r/vm2/8AjNH/AA8L/bQ/6KtrX/fNt/8AGa+M6KAPsz/h4X+2h/0VbWv++bb/AOM0f8PC/wBtD/oq2tf9823/AMZr4zooA+zP+Hhf7aH/AEVbWv8Avm2/+M0f8PC/20P+ira1/wB823/xmvjOigD7M/4eF/tof9FW1r/vm2/+M0f8PC/20P8Aoq2tf9823/xmvjOigD7M/wCHhf7aH/RVta/75tv/AIzR/wAPC/20P+ira1/3zbf/ABmvjOigD7M/4eF/tof9FW1r/vm2/wDjNH/Dwv8AbQ/6KtrX/fNt/wDGa+M6KAPsz/h4X+2h/wBFW1r/AL5tv/jNH/Dwv9tD/oq2tf8AfNt/8Zr4zooA+zP+Hhf7aH/RVta/75tv/jNH/Dwv9tD/AKKtrX/fNt/8Zr4zooA+zP8Ah4X+2h/0VbWv++bb/wCM0f8ADwv9tD/oq2tf9823/wAZr4zooA+zP+Hhf7aH/RVta/75tv8A4zR/w8L/AG0P+ira1/3zbf8AxmvjOigD7M/4eF/tof8ARVta/wC+bb/4zR/w8L/bQ/6KtrX/AHzbf/Ga+M6KAP6tv+CUnxr+Kfxx+CnizxH8WPEV14k1Kx8UyWVvcXYQPHbiytZBGPLRBje7HkZya/Uavxn/AOCJv/JvXjf/ALHOX/032dfsxQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAf//X/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m6KKKACiiigAooooAKKKKACiiigAooooA+zP+Cen/J6Hwp/7DTf+k01f2YV/Gf8A8E9P+T0PhT/2Gm/9Jpq/swoAKKKKACiiigAooooAKKKKACiiigAooooA/gDooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/Zi
gAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9D9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigD7M/4J6f8nofCn/sNN/6TTV/ZhX8Z/wDwT0/5PQ+FP/Yab/0mmr+zCgAooooAKKKKACiiigAooooAKKKKACiiigD+AOiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/0f38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+M/wDwWy/5N68Ef9jnF/6b7ygD+ZuiiigAooooAKKKKACiiigAooooAKKKKAPsz/gnp/yeh8Kf+w03/pNNX9mFfxn/APBPT/k9D4U/9hpv/Saav7MKACiiigAooooAKKKKACiiigAooooAKKKKAP4A6KKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP6ZP+CJv/JvXjf/ALHOX/032dfsxX4z/wDBE3/k3rxv/wBjnL/6b7Ov2YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/S/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m6KKKACiiigAooooAKKKKACiiigAooooA+zP+Cen/J6Hwp/7DTf+k01f2YV/Gf8A8E9P+T0PhT/2Gm/9Jpq/swoAKKKKACiiigAooooAKKKKACiiigAooooA/gDooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9P9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigD7M/4J6f8nofCn/sNN/6TTV/ZhX8Z/wDwT0/5PQ+FP/Yab/0mmr+zCgAooooAKKKKACiiigAooooAKKKKACiiigD+AOiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiii
gD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/1P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+M/wDwWy/5N68Ef9jnF/6b7ygD+ZuiiigAooooAKKKKACiiigAooooAKKKKAPsz/gnp/yeh8Kf+w03/pNNX9mFfwq/BT4r638Dvin4d+LHhy0tb7UvDd0bu3t70ObeRzG0eJBGyPjDnowOa/Ub/h9l+0L/ANCR4M/79ah/8m0Af0yUV/M3/wAPsv2hf+hI8Gf9+tQ/+TaP+H2X7Qv/AEJHgz/v1qH/AMm0Af0yUV/M3/w+y/aF/wChI8Gf9+tQ/wDk2j/h9l+0L/0JHgz/AL9ah/8AJtAH9MlFfzN/8Psv2hf+hI8Gf9+tQ/8Ak2j/AIfZftC/9CR4M/79ah/8m0Af0yUV/M3/AMPsv2hf+hI8Gf8AfrUP/k2j/h9l+0L/ANCR4M/79ah/8m0Af0yUV/M3/wAPsv2hf+hI8Gf9+tQ/+TaP+H2X7Qv/AEJHgz/v1qH/AMm0Af0yUV/M3/w+y/aF/wChI8Gf9+tQ/wDk2j/h9l+0L/0JHgz/AL9ah/8AJtAH4z0V/TJ/w5N/Z6/6Hfxn/wB/dP8A/kKj/hyb+z1/0O/jP/v7p/8A8hUAfzN0V/TJ/wAOTf2ev+h38Z/9/dP/APkKj/hyb+z1/wBDv4z/AO/un/8AyFQB/M3RX9Mn/Dk39nr/AKHfxn/390//AOQqP+HJv7PX/Q7+M/8Av7p//wAhUAfzN0V/TJ/w5N/Z6/6Hfxn/AN/dP/8AkKj/AIcm/s9f9Dv4z/7+6f8A/IVAH8zdFf0yf8OTf2ev+h38Z/8Af3T/AP5Co/4cm/s9f9Dv4z/7+6f/APIVAH8zdFf0yf8ADk39nr/od/Gf/f3T/wD5Co/4cm/s9f8AQ7+M/wDv7p//AMhUAfzN0V/TJ/w5N/Z6/wCh38Z/9/dP/wDkKvwV/ag+FGifA74++M/hP4cu7q+03w3fi0t7i9KG4kQxRyZkMaomcueigYoA8FooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/AOxzl/8ATfZ1+zFfjP8A8ETf+TevG/8A2Ocv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//9X9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/v8ooooAKKKKACiiigAooooAKKKKACiiigAr+M//goX/wAnofFb/sNL/wCk0Nf2YV/Gf/wUL/5PQ+K3/YaX/wBJoaAPjOiiigAooooAKKKKACiiigAooooAKKKKAP6ZP+CJv/JvXjf/ALHOX/032dfsxX4z/wDBE3/k3rxv/wBjnL/6b7Ov2YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/W/fyiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m6KKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP7/KKKKACiiigAooooAKKKKACiiigAooooAK/jP/4KF/8AJ6HxW/7DS/8ApNDX9mFfxn/8FC/+T0Pit/2Gl/8ASaGgD4zooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/1/38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+M/wDwWy/5N68Ef9jnF/6b7ygD+ZuiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+/yiiigAooooAKKKKACiiigAooooAKKKKACv4z/+Chf/ACeh8Vv+w0v/AKTQ1/ZhX8Z//BQv/k9D4rf9hpf/AEmhoA+M6KKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9D9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/v8ooooAKKKKACiiigAooooAKKKKACiiigAr+M//goX/wAnofFb/sNL/wCk0Nf2YV/Gf/wUL/5PQ+K3/YaX/wBJoaAPjOiiigAooooAKKKKACiiigAooooAKKKKAP6ZP+CJv/JvXjf/ALHOX/032dfsxX4z/wDBE3/k3rxv/wBjnL/6b7Ov2YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/R/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m6KKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP7/KKKKACiiigAooooAKKKKACiiigAooooAK/jP/4KF/8AJ6HxW/7DS/8ApNDX9mFfxn/8FC/+T0Pit/2Gl/8ASaGgD4zooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiii
gAooooAKKKKACiiigAooooAKKKKACiiigD/0v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+M/wDwWy/5N68Ef9jnF/6b7ygD+ZuiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+/yiiigAooooAKKKKACiiigAooooAKKKKACv4z/+Chf/ACeh8Vv+w0v/AKTQ1/ZhX8Z//BQv/k9D4rf9hpf/AEmhoA+M6KKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9P9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigD1L4KfCjW/jj8U/Dvwn8OXdrY6l4kujaW9xelxbxuI2kzIY1d8YQ9FJzX6jf8OTf2hf8Aod/Bn/f3UP8A5Cr4z/4J6f8AJ6Hwp/7DTf8ApNNX9mFAH8zf/Dk39oX/AKHfwZ/391D/AOQqP+HJv7Qv/Q7+DP8Av7qH/wAhV/TJRQB/M3/w5N/aF/6HfwZ/391D/wCQqP8Ahyb+0L/0O/gz/v7qH/yFX9MlFAH8zf8Aw5N/aF/6HfwZ/wB/dQ/+QqP+HJv7Qv8A0O/gz/v7qH/yFX9MlFAH8zf/AA5N/aF/6HfwZ/391D/5Co/4cm/tC/8AQ7+DP+/uof8AyFX9MlFAH8zf/Dk39oX/AKHfwZ/391D/AOQqP+HJv7Qv/Q7+DP8Av7qH/wAhV/TJRQB/M3/w5N/aF/6HfwZ/391D/wCQqP8Ahyb+0L/0O/gz/v7qH/yFX9MlFAH4z/8AD7L9nr/oSPGf/frT/wD5No/4fZfs9f8AQkeM/wDv1p//AMm1/M3RQB/TJ/w+y/Z6/wChI8Z/9+tP/wDk2j/h9l+z1/0JHjP/AL9af/8AJtfzN0UAf0yf8Psv2ev+hI8Z/wDfrT//AJNo/wCH2X7PX/QkeM/+/Wn/APybX8zdFAH9Mn/D7L9nr/oSPGf/AH60/wD+TaP+H2X7PX/QkeM/+/Wn/wDybX8zdFAH9Mn/AA+y/Z6/6Ejxn/360/8A+TaP+H2X7PX/AEJHjP8A79af/wDJtfzN0UAf0yf8Psv2ev8AoSPGf/frT/8A5No/4fZfs9f9CR4z/wC/Wn//ACbX8zdFAH9Mn/D7L9nr/oSPGf8A360//wCTa/BX9qD4r6J8cfj74z+LHhy0urHTfEl+Lu3t70ILiNBFHHiQRs6Zyh6MRivBaKACiiigAooooAKKKKACiiigAooooAKKKKAP6ZP+CJv/ACb143/7HOX/ANN9nX7MV+M//BE3/k3rxv8A9jnL/wCm+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD//U/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m
6KKKACiiigAooooAKKKKACiiigAooooA+zP+Cen/J6Hwp/7DTf+k01f2YV/Gf8A8E9P+T0PhT/2Gm/9Jpq/swoAKKKKACiiigAooooAKKKKACiiigAooooA/gDooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9X9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigD7M/4J6f8nofCn/sNN/6TTV/ZhX8Z/wDwT0/5PQ+FP/Yab/0mmr+zCgAooooAKKKKACiiigAooooAKKKKACiiigD+AOiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/1v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+M/wDwWy/5N68Ef9jnF/6b7ygD+ZuiiigAooooAKKKKACiiigAooooAKKKKAPsz/gnp/yeh8Kf+w03/pNNX9mFfxn/APBPT/k9D4U/9hpv/Saav7MKACiiigAooooAKKKKACiiigAooooAKKKKAP4A6KKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP6ZP+CJv/JvXjf/ALHOX/032dfsxX4z/wDBE3/k3rxv/wBjnL/6b7Ov2YoAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/X/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAr8Z/+C2X/JvXgj/sc4v/AE33lfsxX4z/APBbL/k3rwR/2OcX/pvvKAP5m6KKKACiiigAooooAKKKKACiiigAooooA+zP+Cen/J6Hwp/7DTf+k01f2YV/Gf8A8E9P+T0PhT/2Gm/9Jpq/swoAKKKKACiiigAooooAKKKKACiiigAooooA/gDooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/pk/4Im/8m9eN/8Asc5f/TfZ1+zFfjP/AMETf+TevG//AGOcv/pvs6/ZigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA/9D9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACvxn/4LZf8m9eCP+xzi/8ATfeV+zFfjP8A8Fsv+TevBH/Y5xf+m+8oA/mbooooAKKKKACiiigAooooAKKKKACiiigD7M/4J6f8nofCn/sNN/6TTV/ZhX8Z/wDwT0/5PQ+FP/Yab/0mmr+zCgAooooAKKKKACiiigAooooAKKKKACiiigD+AOiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+mT/gib/yb143/wCxzl/9N9nX7MV+M/8AwRN/5N68b/8AY5y/+m+zr9mKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/0f38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK/Gf/gtl/yb14I/7HOL/wBN95X7MV+XP/BVv4KfFP44/BTwn4c+E/h268SalY+KY724t7QoHjtxZXUZkPmOgxvdRwc5NAH8pNFfZn/DvT9tD/olOtf99W3/AMeo/wCHen7aH/RKda/76tv/AI9QB8Z0V9mf8O9P20P+iU61/wB9W3/x6j/h3p+2h/0SnWv++rb/AOPUAfGdFfZn/DvT9tD/AKJTrX/fVt/8eo/4d6ftof8ARKda/wC+rb/49QB8Z0V9mf8ADvT9tD/olOtf99W3/wAeo/4d6ftof9Ep1r/vq2/+PUAfGdFfZn/DvT9tD/olOtf99W3/AMeo/wCHen7aH/RKda/76tv/AI9QB8Z0V9mf8O9P20P+iU61/wB9W3/x6j/h3p+2h/0SnWv++rb/AOPUAH/BPT/k9D4U/wDYab/0mmr+zCv5cv2Kv2Kv2pvhz+1N8OvG3jb4dappOh6TqjT3t7O0BjgjMEq7m2ys2NzAcA9a/qNoAKKKKACiiigAooooAKKKKACiiigAooooA/gDor7M/wCHen7aH/RKda/76tv/AI9R/wAO9P20P+iU61/31bf/AB6gD4zor7M/4d6ftof9Ep1r/vq2/wDj1H/DvT9tD/olOtf99W3/AMeoA+M6K+zP+Hen7aH/AESnWv8Avq2/+PUf8O9P20P+iU61/wB9W3/x6gD4zor7M/4d6ftof9Ep1r/vq2/+PUf8O9P20P8AolOtf99W3/x6gD4zor7M/wCHen7aH/RKda/76tv/AI9R/wAO9P20P+iU61/31bf/AB6gD4zor7M/4d6ftof9Ep1r/vq2/wDj1H/DvT9tD/olOtf99W3/AMeoA+M6K+zP+Hen7aH/AESnWv8Avq2/+PUf8O9P20P+iU61/wB9W3/x6gD4zor7M/4d6ftof9Ep1r/vq2/+PUf8O9P20P8AolOtf99W3/x6gD4zor7M/wCHen7aH/RKda/76tv/AI9R/wAO9P20P+iU61/31bf/AB6gD4zor7M/4d6ftof9Ep1r/vq2/wDj1H/DvT9tD/olOtf99W3/AMeoA+M6K+zP+Hen7aH/AESnWv8Avq2/+PUf8O9P20P+iU61/wB9W3/x6gD4zor7M/4d6ftof9Ep1r/vq2/+PUf8O9P20P8AolOtf99W3/x6gD4zor7M/wCHen7aH/RKda/76tv/AI9R/wAO9P20P+iU61/31bf/AB6gD9mP+CJv/JvXjf8A7HOX/wBN9nX7MV+XP/BKT4KfFP4HfBTxZ4c+LHh268N6lfeKZL23t7soXktzZWsYkHlu4xvRhyc5FfqNQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAf/9L9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//T/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9X9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//W/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1/38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9D9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//R/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9P9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//U/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1f38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9b9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//X/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/0P38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9H9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//S/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKAP/0/38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9T9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//V/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/1v38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9f9/KKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA//Q/fyiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKK
ACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAP/2Q=="/>
|
|
90
90
|
</defs>
|
|
91
91
|
</svg>
|
|
92
|
-
`;var
|
|
92
|
+
`;var tn=e=>`<!doctype html>
|
|
93
93
|
<html>
|
|
94
94
|
<head>
|
|
95
95
|
<title>Scalar API Reference</title>
|
|
@@ -106,7 +106,7 @@ Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
|
|
|
106
106
|
</script>
|
|
107
107
|
<script>
|
|
108
108
|
var configuration = {
|
|
109
|
-
favicon: "data:image/svg+xml;utf8,${encodeURIComponent(
|
|
109
|
+
favicon: "data:image/svg+xml;utf8,${encodeURIComponent(st)}",
|
|
110
110
|
theme: "saturn",
|
|
111
111
|
metaData: {
|
|
112
112
|
title: "Better Auth API",
|
|
@@ -119,4 +119,4 @@ Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
|
|
|
119
119
|
</script>
|
|
120
120
|
<script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
|
|
121
121
|
</body>
|
|
122
|
-
</html>`,
|
|
122
|
+
</html>`,Um=e=>{let t=e?.path??"/reference";return{id:"open-api",endpoints:{openAPIGenerator:c("/open-api/schema",{method:"GET"},async i=>{let o=await vo(i.context,i.context.options);return i.json(o)}),openAPIReference:c(t,{method:"GET",metadata:{isAction:!1}},async i=>{if(e?.disableDefaultReference)throw new b("NOT_FOUND");let o=await vo(i.context,i.context.options);return new Response(tn(o),{headers:{"Content-Type":"text/html"}})})}}};export{he as HIDE_METADATA,cl as admin,el as anonymous,Uu as bearer,c as createAuthEndpoint,U as createAuthMiddleware,pg as customSession,Zl as emailOTP,vl as genericOAuth,zr as getPasskeyActions,jl as jwt,Bu as magicLink,_l as multiSession,Ag as oAuthProxy,ig as oneTap,Um as openAPI,To as optionsMiddleware,qc as organization,yu as passkey,nu as passkeyClient,Qu as phoneNumber,wp as twoFactor,op as twoFactorClient,Wi as username};
|