better-auth 1.7.0-beta.2 → 1.7.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (282) hide show
  1. package/README.md +14 -15
  2. package/dist/_virtual/_rolldown/runtime.mjs +10 -1
  3. package/dist/api/index.d.mts +18 -48
  4. package/dist/api/routes/account.d.mts +4 -23
  5. package/dist/api/routes/account.mjs +102 -75
  6. package/dist/api/routes/callback.mjs +42 -20
  7. package/dist/api/routes/email-verification.d.mts +1 -0
  8. package/dist/api/routes/email-verification.mjs +6 -5
  9. package/dist/api/routes/error.mjs +1 -1
  10. package/dist/api/routes/password.mjs +1 -1
  11. package/dist/api/routes/session.mjs +15 -10
  12. package/dist/api/routes/sign-in.d.mts +3 -1
  13. package/dist/api/routes/sign-in.mjs +13 -15
  14. package/dist/api/routes/sign-up.d.mts +1 -0
  15. package/dist/api/routes/sign-up.mjs +10 -8
  16. package/dist/api/routes/update-user.mjs +8 -8
  17. package/dist/api/to-auth-endpoints.mjs +7 -1
  18. package/dist/auth/base.mjs +30 -27
  19. package/dist/client/config.mjs +8 -1
  20. package/dist/client/fetch-plugins.mjs +2 -1
  21. package/dist/client/index.d.mts +2 -2
  22. package/dist/client/lynx/index.d.mts +13 -0
  23. package/dist/client/lynx/index.mjs +2 -1
  24. package/dist/client/parser.mjs +0 -1
  25. package/dist/client/plugins/index.d.mts +4 -17
  26. package/dist/client/plugins/index.mjs +1 -4
  27. package/dist/client/proxy.mjs +2 -1
  28. package/dist/client/react/index.d.mts +13 -0
  29. package/dist/client/react/index.mjs +2 -1
  30. package/dist/client/session-atom.mjs +12 -1
  31. package/dist/client/solid/index.d.mts +13 -0
  32. package/dist/client/solid/index.mjs +3 -2
  33. package/dist/client/svelte/index.d.mts +13 -0
  34. package/dist/client/svelte/index.mjs +2 -1
  35. package/dist/client/vanilla.d.mts +13 -0
  36. package/dist/client/vanilla.mjs +2 -1
  37. package/dist/client/vue/index.d.mts +13 -0
  38. package/dist/client/vue/index.mjs +2 -1
  39. package/dist/context/create-context.mjs +10 -14
  40. package/dist/context/helpers.mjs +3 -2
  41. package/dist/cookies/cookie-utils.d.mts +33 -1
  42. package/dist/cookies/cookie-utils.mjs +95 -14
  43. package/dist/cookies/index.d.mts +2 -3
  44. package/dist/cookies/index.mjs +39 -11
  45. package/dist/cookies/session-store.mjs +4 -23
  46. package/dist/db/get-migration.mjs +4 -4
  47. package/dist/db/index.d.mts +2 -2
  48. package/dist/db/index.mjs +3 -2
  49. package/dist/db/internal-adapter.mjs +129 -27
  50. package/dist/db/schema.d.mts +14 -1
  51. package/dist/db/schema.mjs +26 -1
  52. package/dist/db/with-hooks.d.mts +1 -0
  53. package/dist/db/with-hooks.mjs +58 -1
  54. package/dist/index.d.mts +2 -2
  55. package/dist/index.mjs +2 -2
  56. package/dist/integrations/cookie-plugin-guard.mjs +18 -0
  57. package/dist/integrations/next-js.mjs +6 -0
  58. package/dist/integrations/svelte-kit.mjs +6 -0
  59. package/dist/integrations/tanstack-start-solid.mjs +6 -0
  60. package/dist/integrations/tanstack-start.mjs +6 -0
  61. package/dist/node_modules/.pnpm/clipboardy@4.0.0/node_modules/clipboardy/index.mjs +32 -0
  62. package/dist/node_modules/.pnpm/clipboardy@4.0.0/node_modules/clipboardy/lib/linux.mjs +55 -0
  63. package/dist/node_modules/.pnpm/clipboardy@4.0.0/node_modules/clipboardy/lib/macos.mjs +26 -0
  64. package/dist/node_modules/.pnpm/clipboardy@4.0.0/node_modules/clipboardy/lib/termux.mjs +39 -0
  65. package/dist/node_modules/.pnpm/clipboardy@4.0.0/node_modules/clipboardy/lib/windows.mjs +19 -0
  66. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/chunks/prompt.mjs +845 -0
  67. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/core.mjs +386 -0
  68. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/index.mjs +320 -0
  69. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/shared/consola.DRwqZj3T.mjs +62 -0
  70. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/shared/consola.DXBYu-KD.mjs +190 -0
  71. package/dist/node_modules/.pnpm/consola@3.4.2/node_modules/consola/dist/utils.mjs +2 -0
  72. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/index.mjs +29 -0
  73. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/enoent.mjs +42 -0
  74. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/parse.mjs +67 -0
  75. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/escape.mjs +23 -0
  76. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/readShebang.mjs +22 -0
  77. package/dist/node_modules/.pnpm/cross-spawn@7.0.6/node_modules/cross-spawn/lib/util/resolveCommand.mjs +36 -0
  78. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/adapters/node.d.mts +292 -0
  79. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/adapters/node.mjs +127 -0
  80. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/index.d.mts +145 -0
  81. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/shared/crossws.BQXMA5bH.d.mts +298 -0
  82. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/shared/crossws.By9qWDAI.mjs +9 -0
  83. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/shared/crossws.CipVM6lf.mjs +3549 -0
  84. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/shared/crossws.D9ehKjSh.mjs +66 -0
  85. package/dist/node_modules/.pnpm/crossws@0.3.5/node_modules/crossws/dist/shared/crossws.DfCzGthR.mjs +227 -0
  86. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/index.mjs +224 -0
  87. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/command.mjs +52 -0
  88. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/error.mjs +54 -0
  89. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/kill.mjs +62 -0
  90. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/pipe.mjs +26 -0
  91. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/promise.mjs +32 -0
  92. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/stdio.mjs +19 -0
  93. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/stream.mjs +98 -0
  94. package/dist/node_modules/.pnpm/execa@8.0.1/node_modules/execa/lib/verbose.mjs +15 -0
  95. package/dist/node_modules/.pnpm/get-port-please@3.2.0/node_modules/get-port-please/dist/index.d.mts +15 -0
  96. package/dist/node_modules/.pnpm/get-port-please@3.2.0/node_modules/get-port-please/dist/index.mjs +220 -0
  97. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/array-buffer.mjs +54 -0
  98. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/array.mjs +2 -0
  99. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/buffer.mjs +14 -0
  100. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/contents.mjs +76 -0
  101. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/index.mjs +6 -0
  102. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/string.mjs +35 -0
  103. package/dist/node_modules/.pnpm/get-stream@8.0.1/node_modules/get-stream/source/utils.mjs +10 -0
  104. package/dist/node_modules/.pnpm/http-shutdown@1.2.2/node_modules/http-shutdown/index.mjs +76 -0
  105. package/dist/node_modules/.pnpm/human-signals@5.0.0/node_modules/human-signals/build/src/core.mjs +274 -0
  106. package/dist/node_modules/.pnpm/human-signals@5.0.0/node_modules/human-signals/build/src/main.mjs +44 -0
  107. package/dist/node_modules/.pnpm/human-signals@5.0.0/node_modules/human-signals/build/src/realtime.mjs +15 -0
  108. package/dist/node_modules/.pnpm/human-signals@5.0.0/node_modules/human-signals/build/src/signals.mjs +23 -0
  109. package/dist/node_modules/.pnpm/is-docker@3.0.0/node_modules/is-docker/index.mjs +24 -0
  110. package/dist/node_modules/.pnpm/is-inside-container@1.0.0/node_modules/is-inside-container/index.mjs +18 -0
  111. package/dist/node_modules/.pnpm/is-stream@3.0.0/node_modules/is-stream/index.mjs +9 -0
  112. package/dist/node_modules/.pnpm/is-wsl@3.1.1/node_modules/is-wsl/index.mjs +20 -0
  113. package/dist/node_modules/.pnpm/is64bit@2.0.0/node_modules/is64bit/index.mjs +13 -0
  114. package/dist/node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/index.mjs +47 -0
  115. package/dist/node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/mode.mjs +33 -0
  116. package/dist/node_modules/.pnpm/isexe@2.0.0/node_modules/isexe/windows.mjs +33 -0
  117. package/dist/node_modules/.pnpm/listhen@1.9.0/node_modules/listhen/dist/chunks/xdg-open.mjs +1070 -0
  118. package/dist/node_modules/.pnpm/listhen@1.9.0/node_modules/listhen/dist/index.mjs +619 -0
  119. package/dist/node_modules/.pnpm/listhen@1.9.0/node_modules/listhen/dist/shared/listhen.1c46e31d.d.mts +83 -0
  120. package/dist/node_modules/.pnpm/merge-stream@2.0.0/node_modules/merge-stream/index.mjs +38 -0
  121. package/dist/node_modules/.pnpm/mimic-fn@4.0.0/node_modules/mimic-fn/index.mjs +38 -0
  122. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/aes.mjs +597 -0
  123. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/aesCipherSuites.mjs +195 -0
  124. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/asn1-validator.mjs +76 -0
  125. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/asn1.mjs +967 -0
  126. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/baseN.mjs +137 -0
  127. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/cipher.mjs +186 -0
  128. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/cipherModes.mjs +597 -0
  129. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/des.mjs +1187 -0
  130. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/ed25519.mjs +1029 -0
  131. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/forge.mjs +15 -0
  132. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/hmac.mjs +107 -0
  133. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/index.mjs +66 -0
  134. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/jsbn.mjs +1334 -0
  135. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/kem.mjs +146 -0
  136. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/log.mjs +241 -0
  137. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/md.all.mjs +24 -0
  138. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/md.mjs +18 -0
  139. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/md5.mjs +324 -0
  140. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/mgf.mjs +20 -0
  141. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/mgf1.mjs +44 -0
  142. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/oids.mjs +154 -0
  143. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pbe.mjs +815 -0
  144. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pbkdf2.mjs +125 -0
  145. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pem.mjs +175 -0
  146. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs1.mjs +200 -0
  147. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs12.mjs +724 -0
  148. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs7.mjs +642 -0
  149. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pkcs7asn1.mjs +405 -0
  150. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pki.mjs +101 -0
  151. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/prime.mjs +193 -0
  152. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/prng.mjs +290 -0
  153. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pss.mjs +141 -0
  154. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/random.mjs +141 -0
  155. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/rc2.mjs +538 -0
  156. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/rsa.mjs +1309 -0
  157. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/sha1.mjs +230 -0
  158. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/sha256.mjs +267 -0
  159. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/sha512.mjs +413 -0
  160. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/ssh.mjs +194 -0
  161. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/tls.mjs +3655 -0
  162. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/util.mjs +2117 -0
  163. package/dist/node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/x509.mjs +2168 -0
  164. package/dist/node_modules/.pnpm/npm-run-path@5.3.0/node_modules/npm-run-path/index.mjs +34 -0
  165. package/dist/node_modules/.pnpm/onetime@6.0.0/node_modules/onetime/index.mjs +26 -0
  166. package/dist/node_modules/.pnpm/path-key@3.1.1/node_modules/path-key/index.mjs +14 -0
  167. package/dist/node_modules/.pnpm/path-key@4.0.0/node_modules/path-key/index.mjs +8 -0
  168. package/dist/node_modules/.pnpm/pathe@1.1.2/node_modules/pathe/dist/shared/pathe.ff20891b.mjs +176 -0
  169. package/dist/node_modules/.pnpm/shebang-command@2.0.0/node_modules/shebang-command/index.mjs +17 -0
  170. package/dist/node_modules/.pnpm/shebang-regex@3.0.0/node_modules/shebang-regex/index.mjs +8 -0
  171. package/dist/node_modules/.pnpm/signal-exit@4.1.0/node_modules/signal-exit/dist/mjs/index.mjs +169 -0
  172. package/dist/node_modules/.pnpm/signal-exit@4.1.0/node_modules/signal-exit/dist/mjs/signals.mjs +33 -0
  173. package/dist/node_modules/.pnpm/std-env@3.10.0/node_modules/std-env/dist/index.mjs +171 -0
  174. package/dist/node_modules/.pnpm/strip-final-newline@3.0.0/node_modules/strip-final-newline/index.mjs +10 -0
  175. package/dist/node_modules/.pnpm/system-architecture@0.1.0/node_modules/system-architecture/index.mjs +16 -0
  176. package/dist/node_modules/.pnpm/uncrypto@0.1.3/node_modules/uncrypto/dist/crypto.node.mjs +7 -0
  177. package/dist/node_modules/.pnpm/untun@0.1.3/node_modules/untun/dist/chunks/index.mjs +154 -0
  178. package/dist/node_modules/.pnpm/untun@0.1.3/node_modules/untun/dist/index.mjs +34 -0
  179. package/dist/node_modules/.pnpm/uqr@0.1.2/node_modules/uqr/dist/index.mjs +896 -0
  180. package/dist/node_modules/.pnpm/which@2.0.2/node_modules/which/which.mjs +76 -0
  181. package/dist/oauth2/errors.mjs +27 -0
  182. package/dist/oauth2/index.d.mts +2 -2
  183. package/dist/oauth2/index.mjs +3 -3
  184. package/dist/oauth2/link-account.d.mts +27 -1
  185. package/dist/oauth2/link-account.mjs +30 -5
  186. package/dist/oauth2/state.mjs +8 -2
  187. package/dist/{package.mjs → packages/better-auth/package.mjs} +1 -1
  188. package/dist/plugins/access/access.d.mts +3 -15
  189. package/dist/plugins/access/access.mjs +11 -6
  190. package/dist/plugins/access/index.d.mts +2 -2
  191. package/dist/plugins/access/types.d.mts +11 -4
  192. package/dist/plugins/admin/access/statement.d.mts +29 -93
  193. package/dist/plugins/admin/admin.mjs +0 -4
  194. package/dist/plugins/admin/client.d.mts +6 -1
  195. package/dist/plugins/admin/client.mjs +5 -0
  196. package/dist/plugins/admin/routes.mjs +3 -2
  197. package/dist/plugins/anonymous/client.d.mts +1 -0
  198. package/dist/plugins/anonymous/error-codes.d.mts +1 -0
  199. package/dist/plugins/anonymous/error-codes.mjs +1 -0
  200. package/dist/plugins/anonymous/index.d.mts +1 -0
  201. package/dist/plugins/anonymous/index.mjs +16 -2
  202. package/dist/plugins/bearer/index.mjs +5 -12
  203. package/dist/plugins/captcha/index.mjs +14 -1
  204. package/dist/plugins/device-authorization/error-codes.mjs +1 -0
  205. package/dist/plugins/device-authorization/index.d.mts +1 -0
  206. package/dist/plugins/device-authorization/routes.mjs +34 -3
  207. package/dist/plugins/email-otp/routes.mjs +4 -4
  208. package/dist/plugins/generic-oauth/error-codes.mjs +0 -1
  209. package/dist/plugins/generic-oauth/index.d.mts +2 -4
  210. package/dist/plugins/generic-oauth/index.mjs +23 -17
  211. package/dist/plugins/generic-oauth/providers/auth0.mjs +1 -0
  212. package/dist/plugins/generic-oauth/providers/gumroad.mjs +1 -0
  213. package/dist/plugins/generic-oauth/providers/hubspot.mjs +1 -0
  214. package/dist/plugins/generic-oauth/providers/keycloak.mjs +1 -0
  215. package/dist/plugins/generic-oauth/providers/line.mjs +1 -0
  216. package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs +1 -0
  217. package/dist/plugins/generic-oauth/providers/okta.mjs +1 -0
  218. package/dist/plugins/generic-oauth/providers/patreon.mjs +1 -0
  219. package/dist/plugins/generic-oauth/providers/slack.mjs +1 -0
  220. package/dist/plugins/generic-oauth/types.d.mts +30 -8
  221. package/dist/plugins/index.d.mts +2 -2
  222. package/dist/plugins/jwt/utils.d.mts +1 -1
  223. package/dist/plugins/last-login-method/client.mjs +2 -2
  224. package/dist/plugins/magic-link/index.d.mts +8 -1
  225. package/dist/plugins/magic-link/index.mjs +4 -17
  226. package/dist/plugins/mcp/authorize.mjs +8 -2
  227. package/dist/plugins/mcp/index.mjs +75 -35
  228. package/dist/plugins/multi-session/index.mjs +2 -2
  229. package/dist/plugins/oauth-proxy/index.mjs +45 -32
  230. package/dist/plugins/oauth-proxy/utils.mjs +3 -10
  231. package/dist/plugins/oidc-provider/authorize.mjs +8 -2
  232. package/dist/plugins/oidc-provider/index.mjs +65 -38
  233. package/dist/plugins/one-tap/client.mjs +9 -2
  234. package/dist/plugins/one-tap/index.mjs +19 -36
  235. package/dist/plugins/open-api/generator.mjs +25 -5
  236. package/dist/plugins/organization/access/statement.d.mts +68 -201
  237. package/dist/plugins/organization/adapter.d.mts +1 -1
  238. package/dist/plugins/organization/adapter.mjs +65 -58
  239. package/dist/plugins/organization/client.d.mts +3 -1
  240. package/dist/plugins/organization/client.mjs +1 -1
  241. package/dist/plugins/organization/error-codes.d.mts +2 -0
  242. package/dist/plugins/organization/error-codes.mjs +3 -1
  243. package/dist/plugins/organization/routes/crud-access-control.d.mts +2 -2
  244. package/dist/plugins/organization/routes/crud-invites.d.mts +8 -1
  245. package/dist/plugins/organization/routes/crud-invites.mjs +8 -3
  246. package/dist/plugins/organization/routes/crud-org.d.mts +4 -4
  247. package/dist/plugins/organization/routes/crud-org.mjs +2 -2
  248. package/dist/plugins/organization/routes/crud-team.mjs +7 -2
  249. package/dist/plugins/organization/schema.d.mts +1 -1
  250. package/dist/plugins/organization/types.d.mts +15 -5
  251. package/dist/plugins/phone-number/routes.mjs +1 -1
  252. package/dist/plugins/siwe/client.d.mts +4 -0
  253. package/dist/plugins/siwe/client.mjs +5 -1
  254. package/dist/plugins/siwe/index.d.mts +13 -2
  255. package/dist/plugins/siwe/index.mjs +179 -165
  256. package/dist/plugins/two-factor/backup-codes/index.d.mts +4 -3
  257. package/dist/plugins/two-factor/client.mjs +2 -1
  258. package/dist/plugins/two-factor/index.mjs +3 -2
  259. package/dist/plugins/username/client.d.mts +1 -0
  260. package/dist/plugins/username/error-codes.d.mts +1 -0
  261. package/dist/plugins/username/error-codes.mjs +2 -1
  262. package/dist/plugins/username/index.d.mts +43 -2
  263. package/dist/plugins/username/index.mjs +73 -6
  264. package/dist/state.d.mts +2 -2
  265. package/dist/state.mjs +18 -4
  266. package/dist/test-utils/headers.mjs +2 -7
  267. package/dist/test-utils/http-test-instance.d.mts +397 -0
  268. package/dist/test-utils/http-test-instance.mjs +54 -0
  269. package/dist/test-utils/index.d.mts +2 -1
  270. package/dist/test-utils/index.mjs +2 -1
  271. package/dist/test-utils/test-instance.d.mts +4110 -224
  272. package/dist/test-utils/test-instance.mjs +11 -2
  273. package/dist/types/auth.d.mts +4 -0
  274. package/dist/utils/index.d.mts +1 -1
  275. package/dist/utils/url.d.mts +2 -1
  276. package/dist/utils/url.mjs +9 -3
  277. package/dist/version.mjs +1 -1
  278. package/package.json +14 -14
  279. package/dist/oauth2/error-codes.d.mts +0 -20
  280. package/dist/plugins/generic-oauth/client.d.mts +0 -32
  281. package/dist/plugins/generic-oauth/client.mjs +0 -19
  282. package/dist/plugins/generic-oauth/error-codes.d.mts +0 -10
@@ -0,0 +1,815 @@
1
+ import { __commonJSMin } from "../../../../../../_virtual/_rolldown/runtime.mjs";
2
+ import { require_forge } from "./forge.mjs";
3
+ import { require_util } from "./util.mjs";
4
+ import { require_aes } from "./aes.mjs";
5
+ import { require_oids } from "./oids.mjs";
6
+ import { require_asn1 } from "./asn1.mjs";
7
+ import { require_md } from "./md.mjs";
8
+ import { require_pem } from "./pem.mjs";
9
+ import { require_des } from "./des.mjs";
10
+ import { require_pbkdf2 } from "./pbkdf2.mjs";
11
+ import { require_random } from "./random.mjs";
12
+ import { require_rc2 } from "./rc2.mjs";
13
+ import { require_rsa } from "./rsa.mjs";
14
+ //#region ../../node_modules/.pnpm/node-forge@1.4.0/node_modules/node-forge/lib/pbe.js
15
+ var require_pbe = /* @__PURE__ */ __commonJSMin(((exports, module) => {
16
+ /**
17
+ * Password-based encryption functions.
18
+ *
19
+ * @author Dave Longley
20
+ * @author Stefan Siegl <stesie@brokenpipe.de>
21
+ *
22
+ * Copyright (c) 2010-2013 Digital Bazaar, Inc.
23
+ * Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de>
24
+ *
25
+ * An EncryptedPrivateKeyInfo:
26
+ *
27
+ * EncryptedPrivateKeyInfo ::= SEQUENCE {
28
+ * encryptionAlgorithm EncryptionAlgorithmIdentifier,
29
+ * encryptedData EncryptedData }
30
+ *
31
+ * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
32
+ *
33
+ * EncryptedData ::= OCTET STRING
34
+ */
35
+ var forge = require_forge();
36
+ require_aes();
37
+ require_asn1();
38
+ require_des();
39
+ require_md();
40
+ require_oids();
41
+ require_pbkdf2();
42
+ require_pem();
43
+ require_random();
44
+ require_rc2();
45
+ require_rsa();
46
+ require_util();
47
+ if (typeof BigInteger === "undefined") var BigInteger = forge.jsbn.BigInteger;
48
+ var asn1 = forge.asn1;
49
+ var pki = forge.pki = forge.pki || {};
50
+ module.exports = pki.pbe = forge.pbe = forge.pbe || {};
51
+ var oids = pki.oids;
52
+ var encryptedPrivateKeyValidator = {
53
+ name: "EncryptedPrivateKeyInfo",
54
+ tagClass: asn1.Class.UNIVERSAL,
55
+ type: asn1.Type.SEQUENCE,
56
+ constructed: true,
57
+ value: [{
58
+ name: "EncryptedPrivateKeyInfo.encryptionAlgorithm",
59
+ tagClass: asn1.Class.UNIVERSAL,
60
+ type: asn1.Type.SEQUENCE,
61
+ constructed: true,
62
+ value: [{
63
+ name: "AlgorithmIdentifier.algorithm",
64
+ tagClass: asn1.Class.UNIVERSAL,
65
+ type: asn1.Type.OID,
66
+ constructed: false,
67
+ capture: "encryptionOid"
68
+ }, {
69
+ name: "AlgorithmIdentifier.parameters",
70
+ tagClass: asn1.Class.UNIVERSAL,
71
+ type: asn1.Type.SEQUENCE,
72
+ constructed: true,
73
+ captureAsn1: "encryptionParams"
74
+ }]
75
+ }, {
76
+ name: "EncryptedPrivateKeyInfo.encryptedData",
77
+ tagClass: asn1.Class.UNIVERSAL,
78
+ type: asn1.Type.OCTETSTRING,
79
+ constructed: false,
80
+ capture: "encryptedData"
81
+ }]
82
+ };
83
+ var PBES2AlgorithmsValidator = {
84
+ name: "PBES2Algorithms",
85
+ tagClass: asn1.Class.UNIVERSAL,
86
+ type: asn1.Type.SEQUENCE,
87
+ constructed: true,
88
+ value: [{
89
+ name: "PBES2Algorithms.keyDerivationFunc",
90
+ tagClass: asn1.Class.UNIVERSAL,
91
+ type: asn1.Type.SEQUENCE,
92
+ constructed: true,
93
+ value: [{
94
+ name: "PBES2Algorithms.keyDerivationFunc.oid",
95
+ tagClass: asn1.Class.UNIVERSAL,
96
+ type: asn1.Type.OID,
97
+ constructed: false,
98
+ capture: "kdfOid"
99
+ }, {
100
+ name: "PBES2Algorithms.params",
101
+ tagClass: asn1.Class.UNIVERSAL,
102
+ type: asn1.Type.SEQUENCE,
103
+ constructed: true,
104
+ value: [
105
+ {
106
+ name: "PBES2Algorithms.params.salt",
107
+ tagClass: asn1.Class.UNIVERSAL,
108
+ type: asn1.Type.OCTETSTRING,
109
+ constructed: false,
110
+ capture: "kdfSalt"
111
+ },
112
+ {
113
+ name: "PBES2Algorithms.params.iterationCount",
114
+ tagClass: asn1.Class.UNIVERSAL,
115
+ type: asn1.Type.INTEGER,
116
+ constructed: false,
117
+ capture: "kdfIterationCount"
118
+ },
119
+ {
120
+ name: "PBES2Algorithms.params.keyLength",
121
+ tagClass: asn1.Class.UNIVERSAL,
122
+ type: asn1.Type.INTEGER,
123
+ constructed: false,
124
+ optional: true,
125
+ capture: "keyLength"
126
+ },
127
+ {
128
+ name: "PBES2Algorithms.params.prf",
129
+ tagClass: asn1.Class.UNIVERSAL,
130
+ type: asn1.Type.SEQUENCE,
131
+ constructed: true,
132
+ optional: true,
133
+ value: [{
134
+ name: "PBES2Algorithms.params.prf.algorithm",
135
+ tagClass: asn1.Class.UNIVERSAL,
136
+ type: asn1.Type.OID,
137
+ constructed: false,
138
+ capture: "prfOid"
139
+ }]
140
+ }
141
+ ]
142
+ }]
143
+ }, {
144
+ name: "PBES2Algorithms.encryptionScheme",
145
+ tagClass: asn1.Class.UNIVERSAL,
146
+ type: asn1.Type.SEQUENCE,
147
+ constructed: true,
148
+ value: [{
149
+ name: "PBES2Algorithms.encryptionScheme.oid",
150
+ tagClass: asn1.Class.UNIVERSAL,
151
+ type: asn1.Type.OID,
152
+ constructed: false,
153
+ capture: "encOid"
154
+ }, {
155
+ name: "PBES2Algorithms.encryptionScheme.iv",
156
+ tagClass: asn1.Class.UNIVERSAL,
157
+ type: asn1.Type.OCTETSTRING,
158
+ constructed: false,
159
+ capture: "encIv"
160
+ }]
161
+ }]
162
+ };
163
+ var pkcs12PbeParamsValidator = {
164
+ name: "pkcs-12PbeParams",
165
+ tagClass: asn1.Class.UNIVERSAL,
166
+ type: asn1.Type.SEQUENCE,
167
+ constructed: true,
168
+ value: [{
169
+ name: "pkcs-12PbeParams.salt",
170
+ tagClass: asn1.Class.UNIVERSAL,
171
+ type: asn1.Type.OCTETSTRING,
172
+ constructed: false,
173
+ capture: "salt"
174
+ }, {
175
+ name: "pkcs-12PbeParams.iterations",
176
+ tagClass: asn1.Class.UNIVERSAL,
177
+ type: asn1.Type.INTEGER,
178
+ constructed: false,
179
+ capture: "iterations"
180
+ }]
181
+ };
182
+ /**
183
+ * Encrypts a ASN.1 PrivateKeyInfo object, producing an EncryptedPrivateKeyInfo.
184
+ *
185
+ * PBES2Algorithms ALGORITHM-IDENTIFIER ::=
186
+ * { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
187
+ *
188
+ * id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
189
+ *
190
+ * PBES2-params ::= SEQUENCE {
191
+ * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
192
+ * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
193
+ * }
194
+ *
195
+ * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
196
+ * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
197
+ *
198
+ * PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
199
+ *
200
+ * PBKDF2-params ::= SEQUENCE {
201
+ * salt CHOICE {
202
+ * specified OCTET STRING,
203
+ * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
204
+ * },
205
+ * iterationCount INTEGER (1..MAX),
206
+ * keyLength INTEGER (1..MAX) OPTIONAL,
207
+ * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
208
+ * }
209
+ *
210
+ * @param obj the ASN.1 PrivateKeyInfo object.
211
+ * @param password the password to encrypt with.
212
+ * @param options:
213
+ * algorithm the encryption algorithm to use
214
+ * ('aes128', 'aes192', 'aes256', '3des'), defaults to 'aes128'.
215
+ * count the iteration count to use.
216
+ * saltSize the salt size to use.
217
+ * prfAlgorithm the PRF message digest algorithm to use
218
+ * ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
219
+ *
220
+ * @return the ASN.1 EncryptedPrivateKeyInfo.
221
+ */
222
+ pki.encryptPrivateKeyInfo = function(obj, password, options) {
223
+ options = options || {};
224
+ options.saltSize = options.saltSize || 8;
225
+ options.count = options.count || 2048;
226
+ options.algorithm = options.algorithm || "aes128";
227
+ options.prfAlgorithm = options.prfAlgorithm || "sha1";
228
+ var salt = forge.random.getBytesSync(options.saltSize);
229
+ var count = options.count;
230
+ var countBytes = asn1.integerToDer(count);
231
+ var dkLen;
232
+ var encryptionAlgorithm;
233
+ var encryptedData;
234
+ if (options.algorithm.indexOf("aes") === 0 || options.algorithm === "des") {
235
+ var ivLen, encOid, cipherFn;
236
+ switch (options.algorithm) {
237
+ case "aes128":
238
+ dkLen = 16;
239
+ ivLen = 16;
240
+ encOid = oids["aes128-CBC"];
241
+ cipherFn = forge.aes.createEncryptionCipher;
242
+ break;
243
+ case "aes192":
244
+ dkLen = 24;
245
+ ivLen = 16;
246
+ encOid = oids["aes192-CBC"];
247
+ cipherFn = forge.aes.createEncryptionCipher;
248
+ break;
249
+ case "aes256":
250
+ dkLen = 32;
251
+ ivLen = 16;
252
+ encOid = oids["aes256-CBC"];
253
+ cipherFn = forge.aes.createEncryptionCipher;
254
+ break;
255
+ case "des":
256
+ dkLen = 8;
257
+ ivLen = 8;
258
+ encOid = oids["desCBC"];
259
+ cipherFn = forge.des.createEncryptionCipher;
260
+ break;
261
+ default:
262
+ var error = /* @__PURE__ */ new Error("Cannot encrypt private key. Unknown encryption algorithm.");
263
+ error.algorithm = options.algorithm;
264
+ throw error;
265
+ }
266
+ var prfAlgorithm = "hmacWith" + options.prfAlgorithm.toUpperCase();
267
+ var md = prfAlgorithmToMessageDigest(prfAlgorithm);
268
+ var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
269
+ var iv = forge.random.getBytesSync(ivLen);
270
+ var cipher = cipherFn(dk);
271
+ cipher.start(iv);
272
+ cipher.update(asn1.toDer(obj));
273
+ cipher.finish();
274
+ encryptedData = cipher.output.getBytes();
275
+ var params = createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm);
276
+ encryptionAlgorithm = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(oids["pkcs5PBES2"]).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(oids["pkcs5PBKDF2"]).getBytes()), params]), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(encOid).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, iv)])])]);
277
+ } else if (options.algorithm === "3des") {
278
+ dkLen = 24;
279
+ var saltBytes = new forge.util.ByteBuffer(salt);
280
+ var dk = pki.pbe.generatePkcs12Key(password, saltBytes, 1, count, dkLen);
281
+ var iv = pki.pbe.generatePkcs12Key(password, saltBytes, 2, count, dkLen);
282
+ var cipher = forge.des.createEncryptionCipher(dk);
283
+ cipher.start(iv);
284
+ cipher.update(asn1.toDer(obj));
285
+ cipher.finish();
286
+ encryptedData = cipher.output.getBytes();
287
+ encryptionAlgorithm = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(oids["pbeWithSHAAnd3-KeyTripleDES-CBC"]).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, countBytes.getBytes())])]);
288
+ } else {
289
+ var error = /* @__PURE__ */ new Error("Cannot encrypt private key. Unknown encryption algorithm.");
290
+ error.algorithm = options.algorithm;
291
+ throw error;
292
+ }
293
+ return asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [encryptionAlgorithm, asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, encryptedData)]);
294
+ };
295
+ /**
296
+ * Decrypts a ASN.1 PrivateKeyInfo object.
297
+ *
298
+ * @param obj the ASN.1 EncryptedPrivateKeyInfo object.
299
+ * @param password the password to decrypt with.
300
+ *
301
+ * @return the ASN.1 PrivateKeyInfo on success, null on failure.
302
+ */
303
+ pki.decryptPrivateKeyInfo = function(obj, password) {
304
+ var rval = null;
305
+ var capture = {};
306
+ var errors = [];
307
+ if (!asn1.validate(obj, encryptedPrivateKeyValidator, capture, errors)) {
308
+ var error = /* @__PURE__ */ new Error("Cannot read encrypted private key. ASN.1 object is not a supported EncryptedPrivateKeyInfo.");
309
+ error.errors = errors;
310
+ throw error;
311
+ }
312
+ var oid = asn1.derToOid(capture.encryptionOid);
313
+ var cipher = pki.pbe.getCipher(oid, capture.encryptionParams, password);
314
+ var encrypted = forge.util.createBuffer(capture.encryptedData);
315
+ cipher.update(encrypted);
316
+ if (cipher.finish()) rval = asn1.fromDer(cipher.output);
317
+ return rval;
318
+ };
319
+ /**
320
+ * Converts a EncryptedPrivateKeyInfo to PEM format.
321
+ *
322
+ * @param epki the EncryptedPrivateKeyInfo.
323
+ * @param maxline the maximum characters per line, defaults to 64.
324
+ *
325
+ * @return the PEM-formatted encrypted private key.
326
+ */
327
+ pki.encryptedPrivateKeyToPem = function(epki, maxline) {
328
+ var msg = {
329
+ type: "ENCRYPTED PRIVATE KEY",
330
+ body: asn1.toDer(epki).getBytes()
331
+ };
332
+ return forge.pem.encode(msg, { maxline });
333
+ };
334
+ /**
335
+ * Converts a PEM-encoded EncryptedPrivateKeyInfo to ASN.1 format. Decryption
336
+ * is not performed.
337
+ *
338
+ * @param pem the EncryptedPrivateKeyInfo in PEM-format.
339
+ *
340
+ * @return the ASN.1 EncryptedPrivateKeyInfo.
341
+ */
342
+ pki.encryptedPrivateKeyFromPem = function(pem) {
343
+ var msg = forge.pem.decode(pem)[0];
344
+ if (msg.type !== "ENCRYPTED PRIVATE KEY") {
345
+ var error = /* @__PURE__ */ new Error("Could not convert encrypted private key from PEM; PEM header type is \"ENCRYPTED PRIVATE KEY\".");
346
+ error.headerType = msg.type;
347
+ throw error;
348
+ }
349
+ if (msg.procType && msg.procType.type === "ENCRYPTED") throw new Error("Could not convert encrypted private key from PEM; PEM is encrypted.");
350
+ return asn1.fromDer(msg.body);
351
+ };
352
+ /**
353
+ * Encrypts an RSA private key. By default, the key will be wrapped in
354
+ * a PrivateKeyInfo and encrypted to produce a PKCS#8 EncryptedPrivateKeyInfo.
355
+ * This is the standard, preferred way to encrypt a private key.
356
+ *
357
+ * To produce a non-standard PEM-encrypted private key that uses encapsulated
358
+ * headers to indicate the encryption algorithm (old-style non-PKCS#8 OpenSSL
359
+ * private key encryption), set the 'legacy' option to true. Note: Using this
360
+ * option will cause the iteration count to be forced to 1.
361
+ *
362
+ * Note: The 'des' algorithm is supported, but it is not considered to be
363
+ * secure because it only uses a single 56-bit key. If possible, it is highly
364
+ * recommended that a different algorithm be used.
365
+ *
366
+ * @param rsaKey the RSA key to encrypt.
367
+ * @param password the password to use.
368
+ * @param options:
369
+ * algorithm: the encryption algorithm to use
370
+ * ('aes128', 'aes192', 'aes256', '3des', 'des').
371
+ * count: the iteration count to use.
372
+ * saltSize: the salt size to use.
373
+ * legacy: output an old non-PKCS#8 PEM-encrypted+encapsulated
374
+ * headers (DEK-Info) private key.
375
+ *
376
+ * @return the PEM-encoded ASN.1 EncryptedPrivateKeyInfo.
377
+ */
378
+ pki.encryptRsaPrivateKey = function(rsaKey, password, options) {
379
+ options = options || {};
380
+ if (!options.legacy) {
381
+ var rval = pki.wrapRsaPrivateKey(pki.privateKeyToAsn1(rsaKey));
382
+ rval = pki.encryptPrivateKeyInfo(rval, password, options);
383
+ return pki.encryptedPrivateKeyToPem(rval);
384
+ }
385
+ var algorithm;
386
+ var iv;
387
+ var dkLen;
388
+ var cipherFn;
389
+ switch (options.algorithm) {
390
+ case "aes128":
391
+ algorithm = "AES-128-CBC";
392
+ dkLen = 16;
393
+ iv = forge.random.getBytesSync(16);
394
+ cipherFn = forge.aes.createEncryptionCipher;
395
+ break;
396
+ case "aes192":
397
+ algorithm = "AES-192-CBC";
398
+ dkLen = 24;
399
+ iv = forge.random.getBytesSync(16);
400
+ cipherFn = forge.aes.createEncryptionCipher;
401
+ break;
402
+ case "aes256":
403
+ algorithm = "AES-256-CBC";
404
+ dkLen = 32;
405
+ iv = forge.random.getBytesSync(16);
406
+ cipherFn = forge.aes.createEncryptionCipher;
407
+ break;
408
+ case "3des":
409
+ algorithm = "DES-EDE3-CBC";
410
+ dkLen = 24;
411
+ iv = forge.random.getBytesSync(8);
412
+ cipherFn = forge.des.createEncryptionCipher;
413
+ break;
414
+ case "des":
415
+ algorithm = "DES-CBC";
416
+ dkLen = 8;
417
+ iv = forge.random.getBytesSync(8);
418
+ cipherFn = forge.des.createEncryptionCipher;
419
+ break;
420
+ default:
421
+ var error = /* @__PURE__ */ new Error("Could not encrypt RSA private key; unsupported encryption algorithm \"" + options.algorithm + "\".");
422
+ error.algorithm = options.algorithm;
423
+ throw error;
424
+ }
425
+ var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
426
+ var cipher = cipherFn(dk);
427
+ cipher.start(iv);
428
+ cipher.update(asn1.toDer(pki.privateKeyToAsn1(rsaKey)));
429
+ cipher.finish();
430
+ var msg = {
431
+ type: "RSA PRIVATE KEY",
432
+ procType: {
433
+ version: "4",
434
+ type: "ENCRYPTED"
435
+ },
436
+ dekInfo: {
437
+ algorithm,
438
+ parameters: forge.util.bytesToHex(iv).toUpperCase()
439
+ },
440
+ body: cipher.output.getBytes()
441
+ };
442
+ return forge.pem.encode(msg);
443
+ };
444
+ /**
445
+ * Decrypts an RSA private key.
446
+ *
447
+ * @param pem the PEM-formatted EncryptedPrivateKeyInfo to decrypt.
448
+ * @param password the password to use.
449
+ *
450
+ * @return the RSA key on success, null on failure.
451
+ */
452
+ pki.decryptRsaPrivateKey = function(pem, password) {
453
+ var rval = null;
454
+ var msg = forge.pem.decode(pem)[0];
455
+ if (msg.type !== "ENCRYPTED PRIVATE KEY" && msg.type !== "PRIVATE KEY" && msg.type !== "RSA PRIVATE KEY") {
456
+ var error = /* @__PURE__ */ new Error("Could not convert private key from PEM; PEM header type is not \"ENCRYPTED PRIVATE KEY\", \"PRIVATE KEY\", or \"RSA PRIVATE KEY\".");
457
+ error.headerType = error;
458
+ throw error;
459
+ }
460
+ if (msg.procType && msg.procType.type === "ENCRYPTED") {
461
+ var dkLen;
462
+ var cipherFn;
463
+ switch (msg.dekInfo.algorithm) {
464
+ case "DES-CBC":
465
+ dkLen = 8;
466
+ cipherFn = forge.des.createDecryptionCipher;
467
+ break;
468
+ case "DES-EDE3-CBC":
469
+ dkLen = 24;
470
+ cipherFn = forge.des.createDecryptionCipher;
471
+ break;
472
+ case "AES-128-CBC":
473
+ dkLen = 16;
474
+ cipherFn = forge.aes.createDecryptionCipher;
475
+ break;
476
+ case "AES-192-CBC":
477
+ dkLen = 24;
478
+ cipherFn = forge.aes.createDecryptionCipher;
479
+ break;
480
+ case "AES-256-CBC":
481
+ dkLen = 32;
482
+ cipherFn = forge.aes.createDecryptionCipher;
483
+ break;
484
+ case "RC2-40-CBC":
485
+ dkLen = 5;
486
+ cipherFn = function(key) {
487
+ return forge.rc2.createDecryptionCipher(key, 40);
488
+ };
489
+ break;
490
+ case "RC2-64-CBC":
491
+ dkLen = 8;
492
+ cipherFn = function(key) {
493
+ return forge.rc2.createDecryptionCipher(key, 64);
494
+ };
495
+ break;
496
+ case "RC2-128-CBC":
497
+ dkLen = 16;
498
+ cipherFn = function(key) {
499
+ return forge.rc2.createDecryptionCipher(key, 128);
500
+ };
501
+ break;
502
+ default:
503
+ var error = /* @__PURE__ */ new Error("Could not decrypt private key; unsupported encryption algorithm \"" + msg.dekInfo.algorithm + "\".");
504
+ error.algorithm = msg.dekInfo.algorithm;
505
+ throw error;
506
+ }
507
+ var iv = forge.util.hexToBytes(msg.dekInfo.parameters);
508
+ var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
509
+ var cipher = cipherFn(dk);
510
+ cipher.start(iv);
511
+ cipher.update(forge.util.createBuffer(msg.body));
512
+ if (cipher.finish()) rval = cipher.output.getBytes();
513
+ else return rval;
514
+ } else rval = msg.body;
515
+ if (msg.type === "ENCRYPTED PRIVATE KEY") rval = pki.decryptPrivateKeyInfo(asn1.fromDer(rval), password);
516
+ else rval = asn1.fromDer(rval);
517
+ if (rval !== null) rval = pki.privateKeyFromAsn1(rval);
518
+ return rval;
519
+ };
520
+ /**
521
+ * Derives a PKCS#12 key.
522
+ *
523
+ * @param password the password to derive the key material from, null or
524
+ * undefined for none.
525
+ * @param salt the salt, as a ByteBuffer, to use.
526
+ * @param id the PKCS#12 ID byte (1 = key material, 2 = IV, 3 = MAC).
527
+ * @param iter the iteration count.
528
+ * @param n the number of bytes to derive from the password.
529
+ * @param md the message digest to use, defaults to SHA-1.
530
+ *
531
+ * @return a ByteBuffer with the bytes derived from the password.
532
+ */
533
+ pki.pbe.generatePkcs12Key = function(password, salt, id, iter, n, md) {
534
+ var j, l;
535
+ if (typeof md === "undefined" || md === null) {
536
+ if (!("sha1" in forge.md)) throw new Error("\"sha1\" hash algorithm unavailable.");
537
+ md = forge.md.sha1.create();
538
+ }
539
+ var u = md.digestLength;
540
+ var v = md.blockLength;
541
+ var result = new forge.util.ByteBuffer();
542
+ var passBuf = new forge.util.ByteBuffer();
543
+ if (password !== null && password !== void 0) {
544
+ for (l = 0; l < password.length; l++) passBuf.putInt16(password.charCodeAt(l));
545
+ passBuf.putInt16(0);
546
+ }
547
+ var p = passBuf.length();
548
+ var s = salt.length();
549
+ var D = new forge.util.ByteBuffer();
550
+ D.fillWithByte(id, v);
551
+ var Slen = v * Math.ceil(s / v);
552
+ var S = new forge.util.ByteBuffer();
553
+ for (l = 0; l < Slen; l++) S.putByte(salt.at(l % s));
554
+ var Plen = v * Math.ceil(p / v);
555
+ var P = new forge.util.ByteBuffer();
556
+ for (l = 0; l < Plen; l++) P.putByte(passBuf.at(l % p));
557
+ var I = S;
558
+ I.putBuffer(P);
559
+ var c = Math.ceil(n / u);
560
+ for (var i = 1; i <= c; i++) {
561
+ var buf = new forge.util.ByteBuffer();
562
+ buf.putBytes(D.bytes());
563
+ buf.putBytes(I.bytes());
564
+ for (var round = 0; round < iter; round++) {
565
+ md.start();
566
+ md.update(buf.getBytes());
567
+ buf = md.digest();
568
+ }
569
+ var B = new forge.util.ByteBuffer();
570
+ for (l = 0; l < v; l++) B.putByte(buf.at(l % u));
571
+ var k = Math.ceil(s / v) + Math.ceil(p / v);
572
+ var Inew = new forge.util.ByteBuffer();
573
+ for (j = 0; j < k; j++) {
574
+ var chunk = new forge.util.ByteBuffer(I.getBytes(v));
575
+ var x = 511;
576
+ for (l = B.length() - 1; l >= 0; l--) {
577
+ x = x >> 8;
578
+ x += B.at(l) + chunk.at(l);
579
+ chunk.setAt(l, x & 255);
580
+ }
581
+ Inew.putBuffer(chunk);
582
+ }
583
+ I = Inew;
584
+ result.putBuffer(buf);
585
+ }
586
+ result.truncate(result.length() - n);
587
+ return result;
588
+ };
589
+ /**
590
+ * Get new Forge cipher object instance.
591
+ *
592
+ * @param oid the OID (in string notation).
593
+ * @param params the ASN.1 params object.
594
+ * @param password the password to decrypt with.
595
+ *
596
+ * @return new cipher object instance.
597
+ */
598
+ pki.pbe.getCipher = function(oid, params, password) {
599
+ switch (oid) {
600
+ case pki.oids["pkcs5PBES2"]: return pki.pbe.getCipherForPBES2(oid, params, password);
601
+ case pki.oids["pbeWithSHAAnd3-KeyTripleDES-CBC"]:
602
+ case pki.oids["pbewithSHAAnd40BitRC2-CBC"]: return pki.pbe.getCipherForPKCS12PBE(oid, params, password);
603
+ default:
604
+ var error = /* @__PURE__ */ new Error("Cannot read encrypted PBE data block. Unsupported OID.");
605
+ error.oid = oid;
606
+ error.supportedOids = [
607
+ "pkcs5PBES2",
608
+ "pbeWithSHAAnd3-KeyTripleDES-CBC",
609
+ "pbewithSHAAnd40BitRC2-CBC"
610
+ ];
611
+ throw error;
612
+ }
613
+ };
614
+ /**
615
+ * Get new Forge cipher object instance according to PBES2 params block.
616
+ *
617
+ * The returned cipher instance is already started using the IV
618
+ * from PBES2 parameter block.
619
+ *
620
+ * @param oid the PKCS#5 PBKDF2 OID (in string notation).
621
+ * @param params the ASN.1 PBES2-params object.
622
+ * @param password the password to decrypt with.
623
+ *
624
+ * @return new cipher object instance.
625
+ */
626
+ pki.pbe.getCipherForPBES2 = function(oid, params, password) {
627
+ var capture = {};
628
+ var errors = [];
629
+ if (!asn1.validate(params, PBES2AlgorithmsValidator, capture, errors)) {
630
+ var error = /* @__PURE__ */ new Error("Cannot read password-based-encryption algorithm parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.");
631
+ error.errors = errors;
632
+ throw error;
633
+ }
634
+ oid = asn1.derToOid(capture.kdfOid);
635
+ if (oid !== pki.oids["pkcs5PBKDF2"]) {
636
+ var error = /* @__PURE__ */ new Error("Cannot read encrypted private key. Unsupported key derivation function OID.");
637
+ error.oid = oid;
638
+ error.supportedOids = ["pkcs5PBKDF2"];
639
+ throw error;
640
+ }
641
+ oid = asn1.derToOid(capture.encOid);
642
+ if (oid !== pki.oids["aes128-CBC"] && oid !== pki.oids["aes192-CBC"] && oid !== pki.oids["aes256-CBC"] && oid !== pki.oids["des-EDE3-CBC"] && oid !== pki.oids["desCBC"]) {
643
+ var error = /* @__PURE__ */ new Error("Cannot read encrypted private key. Unsupported encryption scheme OID.");
644
+ error.oid = oid;
645
+ error.supportedOids = [
646
+ "aes128-CBC",
647
+ "aes192-CBC",
648
+ "aes256-CBC",
649
+ "des-EDE3-CBC",
650
+ "desCBC"
651
+ ];
652
+ throw error;
653
+ }
654
+ var salt = capture.kdfSalt;
655
+ var count = forge.util.createBuffer(capture.kdfIterationCount);
656
+ count = count.getInt(count.length() << 3);
657
+ var dkLen;
658
+ var cipherFn;
659
+ switch (pki.oids[oid]) {
660
+ case "aes128-CBC":
661
+ dkLen = 16;
662
+ cipherFn = forge.aes.createDecryptionCipher;
663
+ break;
664
+ case "aes192-CBC":
665
+ dkLen = 24;
666
+ cipherFn = forge.aes.createDecryptionCipher;
667
+ break;
668
+ case "aes256-CBC":
669
+ dkLen = 32;
670
+ cipherFn = forge.aes.createDecryptionCipher;
671
+ break;
672
+ case "des-EDE3-CBC":
673
+ dkLen = 24;
674
+ cipherFn = forge.des.createDecryptionCipher;
675
+ break;
676
+ case "desCBC":
677
+ dkLen = 8;
678
+ cipherFn = forge.des.createDecryptionCipher;
679
+ break;
680
+ }
681
+ var md = prfOidToMessageDigest(capture.prfOid);
682
+ var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
683
+ var iv = capture.encIv;
684
+ var cipher = cipherFn(dk);
685
+ cipher.start(iv);
686
+ return cipher;
687
+ };
688
+ /**
689
+ * Get new Forge cipher object instance for PKCS#12 PBE.
690
+ *
691
+ * The returned cipher instance is already started using the key & IV
692
+ * derived from the provided password and PKCS#12 PBE salt.
693
+ *
694
+ * @param oid The PKCS#12 PBE OID (in string notation).
695
+ * @param params The ASN.1 PKCS#12 PBE-params object.
696
+ * @param password The password to decrypt with.
697
+ *
698
+ * @return the new cipher object instance.
699
+ */
700
+ pki.pbe.getCipherForPKCS12PBE = function(oid, params, password) {
701
+ var capture = {};
702
+ var errors = [];
703
+ if (!asn1.validate(params, pkcs12PbeParamsValidator, capture, errors)) {
704
+ var error = /* @__PURE__ */ new Error("Cannot read password-based-encryption algorithm parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.");
705
+ error.errors = errors;
706
+ throw error;
707
+ }
708
+ var salt = forge.util.createBuffer(capture.salt);
709
+ var count = forge.util.createBuffer(capture.iterations);
710
+ count = count.getInt(count.length() << 3);
711
+ var dkLen, dIvLen, cipherFn;
712
+ switch (oid) {
713
+ case pki.oids["pbeWithSHAAnd3-KeyTripleDES-CBC"]:
714
+ dkLen = 24;
715
+ dIvLen = 8;
716
+ cipherFn = forge.des.startDecrypting;
717
+ break;
718
+ case pki.oids["pbewithSHAAnd40BitRC2-CBC"]:
719
+ dkLen = 5;
720
+ dIvLen = 8;
721
+ cipherFn = function(key, iv) {
722
+ var cipher = forge.rc2.createDecryptionCipher(key, 40);
723
+ cipher.start(iv, null);
724
+ return cipher;
725
+ };
726
+ break;
727
+ default:
728
+ var error = /* @__PURE__ */ new Error("Cannot read PKCS #12 PBE data block. Unsupported OID.");
729
+ error.oid = oid;
730
+ throw error;
731
+ }
732
+ var md = prfOidToMessageDigest(capture.prfOid);
733
+ var key = pki.pbe.generatePkcs12Key(password, salt, 1, count, dkLen, md);
734
+ md.start();
735
+ var iv = pki.pbe.generatePkcs12Key(password, salt, 2, count, dIvLen, md);
736
+ return cipherFn(key, iv);
737
+ };
738
+ /**
739
+ * OpenSSL's legacy key derivation function.
740
+ *
741
+ * See: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
742
+ *
743
+ * @param password the password to derive the key from.
744
+ * @param salt the salt to use, null for none.
745
+ * @param dkLen the number of bytes needed for the derived key.
746
+ * @param [options] the options to use:
747
+ * [md] an optional message digest object to use.
748
+ */
749
+ pki.pbe.opensslDeriveBytes = function(password, salt, dkLen, md) {
750
+ if (typeof md === "undefined" || md === null) {
751
+ if (!("md5" in forge.md)) throw new Error("\"md5\" hash algorithm unavailable.");
752
+ md = forge.md.md5.create();
753
+ }
754
+ if (salt === null) salt = "";
755
+ var digests = [hash(md, password + salt)];
756
+ for (var length = 16, i = 1; length < dkLen; ++i, length += 16) digests.push(hash(md, digests[i - 1] + password + salt));
757
+ return digests.join("").substr(0, dkLen);
758
+ };
759
+ function hash(md, bytes) {
760
+ return md.start().update(bytes).digest().getBytes();
761
+ }
762
+ function prfOidToMessageDigest(prfOid) {
763
+ var prfAlgorithm;
764
+ if (!prfOid) prfAlgorithm = "hmacWithSHA1";
765
+ else {
766
+ prfAlgorithm = pki.oids[asn1.derToOid(prfOid)];
767
+ if (!prfAlgorithm) {
768
+ var error = /* @__PURE__ */ new Error("Unsupported PRF OID.");
769
+ error.oid = prfOid;
770
+ error.supported = [
771
+ "hmacWithSHA1",
772
+ "hmacWithSHA224",
773
+ "hmacWithSHA256",
774
+ "hmacWithSHA384",
775
+ "hmacWithSHA512"
776
+ ];
777
+ throw error;
778
+ }
779
+ }
780
+ return prfAlgorithmToMessageDigest(prfAlgorithm);
781
+ }
782
+ function prfAlgorithmToMessageDigest(prfAlgorithm) {
783
+ var factory = forge.md;
784
+ switch (prfAlgorithm) {
785
+ case "hmacWithSHA224": factory = forge.md.sha512;
786
+ case "hmacWithSHA1":
787
+ case "hmacWithSHA256":
788
+ case "hmacWithSHA384":
789
+ case "hmacWithSHA512":
790
+ prfAlgorithm = prfAlgorithm.substr(8).toLowerCase();
791
+ break;
792
+ default:
793
+ var error = /* @__PURE__ */ new Error("Unsupported PRF algorithm.");
794
+ error.algorithm = prfAlgorithm;
795
+ error.supported = [
796
+ "hmacWithSHA1",
797
+ "hmacWithSHA224",
798
+ "hmacWithSHA256",
799
+ "hmacWithSHA384",
800
+ "hmacWithSHA512"
801
+ ];
802
+ throw error;
803
+ }
804
+ if (!factory || !(prfAlgorithm in factory)) throw new Error("Unknown hash algorithm: " + prfAlgorithm);
805
+ return factory[prfAlgorithm].create();
806
+ }
807
+ function createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm) {
808
+ var params = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, countBytes.getBytes())]);
809
+ if (prfAlgorithm !== "hmacWithSHA1") params.value.push(asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, forge.util.hexToBytes(dkLen.toString(16))), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(pki.oids[prfAlgorithm]).getBytes()), asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, "")]));
810
+ return params;
811
+ }
812
+ }));
813
+ //#endregion
814
+ export default require_pbe();
815
+ export { require_pbe };