bonescript-compiler 0.4.0 → 0.5.0

package/dist/emit_auth.d.ts

@@ -1,6 +1,18 @@
 /**
  * BoneScript Auth Emitter
- * Generates auth.ts — JWT middleware with production safety checks.
+ * Generates auth.ts — JWT, OAuth2, or API key middleware depending on the
+ * resolved auth_method in the system's constraint resolution map.
+ *
+ * Auth method selection (in priority order):
+ *   1. system.resolution["implied.auth_method"] — set by constraint solver
+ *   2. Any api_service module's config.auth_method
+ *   3. Fallback: jwt
+ *
+ * Generated strategies:
+ *   jwt     — Bearer token verification via jsonwebtoken
+ *   oauth2  — Authorization Code flow: /auth/login redirect + /auth/callback
+ *             token exchange + refresh token rotation
+ *   apikey  — X-API-Key header lookup against hashed keys in the database
  */
 import * as IR from "./ir";
-export declare function emitAuthMiddleware(_system: IR.IRSystem): string;
+export declare function emitAuthMiddleware(system: IR.IRSystem): string;

package/dist/emit_auth.js

@@ -1,69 +1,507 @@
 "use strict";
 /**
  * BoneScript Auth Emitter
- * Generates auth.ts — JWT middleware with production safety checks.
+ * Generates auth.ts — JWT, OAuth2, or API key middleware depending on the
+ * resolved auth_method in the system's constraint resolution map.
+ *
+ * Auth method selection (in priority order):
+ *   1. system.resolution["implied.auth_method"] — set by constraint solver
+ *   2. Any api_service module's config.auth_method
+ *   3. Fallback: jwt
+ *
+ * Generated strategies:
+ *   jwt     — Bearer token verification via jsonwebtoken
+ *   oauth2  — Authorization Code flow: /auth/login redirect + /auth/callback
+ *             token exchange + refresh token rotation
+ *   apikey  — X-API-Key header lookup against hashed keys in the database
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.emitAuthMiddleware = void 0;
-function emitAuthMiddleware(_system) {
-    return `// Generated by BoneScript compiler. DO NOT EDIT.
-import { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
-
-// JWT_SECRET must be set in production. The server will refuse to start without it
-// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  if (secret.length < 32) {
-    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
-  }
-  return secret;
-})();
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
-`;
+/** Resolve the auth method for the system. */
+function resolveAuthMethod(system) {
+    // Check resolution map first (set by constraint solver)
+    // The solver writes keys like "UserService.auth_method" for each api_service module.
+    // Also check the implied.auth_method key (set by domain defaults propagation).
+    const resolved = system.resolution["implied.auth_method"]
+        || system.resolution["system.auth_method"];
+    if (resolved === "oauth2" || resolved === "apikey" || resolved === "jwt") {
+        return resolved;
+    }
+    // Check per-module resolution keys written by the solver
+    for (const [key, val] of Object.entries(system.resolution)) {
+        if (key.endsWith(".auth_method") && (val === "oauth2" || val === "apikey" || val === "jwt")) {
+            return val;
+        }
+    }
+    // Fall back to any api_service module config
+    for (const mod of system.modules) {
+        const m = mod.config["auth_method"];
+        if (m === "oauth2" || m === "apikey" || m === "jwt")
+            return m;
+    }
+    return "jwt";
+}
+function emitAuthMiddleware(system) {
+    const method = resolveAuthMethod(system);
+    switch (method) {
+        case "oauth2": return emitOAuth2Auth();
+        case "apikey": return emitApiKeyAuth();
+        default: return emitJwtAuth();
+    }
 }
 exports.emitAuthMiddleware = emitAuthMiddleware;
+// ─── JWT ──────────────────────────────────────────────────────────────────────
+function emitJwtAuth() {
+    return `// Generated by BoneScript compiler. DO NOT EDIT.
+// Auth strategy: JWT (Bearer token)
+import { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+
+// JWT_SECRET must be set in production. The server will refuse to start without it
+// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
+const JWT_SECRET = (() => {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    if (process.env.NODE_ENV === "production") {
+      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
+      process.exit(1);
+    }
+    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
+    return "bonescript-dev-secret-do-not-use-in-production";
+  }
+  if (secret.length < 32) {
+    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
+  }
+  return secret;
+})();
+
+export interface AuthContext {
+  authenticated: boolean;
+  actor_id: string | null;
+  trace_id: string;
+}
+
+export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  if (!header || !header.startsWith("Bearer ")) {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+    next();
+    return;
+  }
+  try {
+    const token = header.slice(7);
+    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
+    (req as any).auth = {
+      authenticated: true,
+      actor_id: decoded.sub,
+      trace_id: req.headers["x-trace-id"] as string || "",
+    };
+  } catch {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+  }
+  next();
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const auth: AuthContext = (req as any).auth;
+  if (!auth || !auth.authenticated) {
+    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
+    return;
+  }
+  next();
+}
+
+/** Issue a signed JWT for a given actor. Used by login/register routes. */
+export function issueToken(actorId: string, expiresIn: string = "24h"): string {
+  return jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn } as any);
+}
+`;
+}
+// ─── OAuth2 ───────────────────────────────────────────────────────────────────
+function emitOAuth2Auth() {
+    return `// Generated by BoneScript compiler. DO NOT EDIT.
+// Auth strategy: OAuth2 Authorization Code Flow with PKCE + refresh token rotation
+import { Request, Response, NextFunction, Router } from "express";
+import crypto from "crypto";
+import jwt from "jsonwebtoken";
+
+// ─── Configuration ────────────────────────────────────────────────────────────
+
+const OAUTH2_CLIENT_ID     = process.env.OAUTH2_CLIENT_ID     || "";
+const OAUTH2_CLIENT_SECRET = process.env.OAUTH2_CLIENT_SECRET || "";
+const OAUTH2_AUTH_URL      = process.env.OAUTH2_AUTH_URL      || "";
+const OAUTH2_TOKEN_URL     = process.env.OAUTH2_TOKEN_URL     || "";
+const OAUTH2_REDIRECT_URI  = process.env.OAUTH2_REDIRECT_URI  || "http://localhost:3000/auth/callback";
+const OAUTH2_SCOPES        = (process.env.OAUTH2_SCOPES       || "openid profile email").split(" ");
+
+const JWT_SECRET = (() => {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    if (process.env.NODE_ENV === "production") {
+      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
+      process.exit(1);
+    }
+    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
+    return "bonescript-dev-secret-do-not-use-in-production";
+  }
+  return secret;
+})();
+
+if (process.env.NODE_ENV === "production") {
+  if (!OAUTH2_CLIENT_ID || !OAUTH2_CLIENT_SECRET || !OAUTH2_AUTH_URL || !OAUTH2_TOKEN_URL) {
+    console.error("[FATAL] OAuth2 configuration incomplete. Set OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET, OAUTH2_AUTH_URL, OAUTH2_TOKEN_URL.");
+    process.exit(1);
+  }
+}
+
+// ─── PKCE helpers ─────────────────────────────────────────────────────────────
+
+function generateCodeVerifier(): string {
+  return crypto.randomBytes(32).toString("base64url");
+}
+
+function generateCodeChallenge(verifier: string): string {
+  return crypto.createHash("sha256").update(verifier).digest("base64url");
+}
+
+// ─── In-memory state store (replace with Redis in production) ─────────────────
+
+const pendingStates = new Map<string, { verifier: string; createdAt: number }>();
+
+// Clean up stale states every 5 minutes
+setInterval(() => {
+  const cutoff = Date.now() - 10 * 60 * 1000; // 10 min TTL
+  for (const [k, v] of pendingStates) {
+    if (v.createdAt < cutoff) pendingStates.delete(k);
+  }
+}, 5 * 60 * 1000);
+
+// ─── Auth context ─────────────────────────────────────────────────────────────
+
+export interface AuthContext {
+  authenticated: boolean;
+  actor_id: string | null;
+  trace_id: string;
+}
+
+// ─── Middleware ───────────────────────────────────────────────────────────────
+
+export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  if (!header || !header.startsWith("Bearer ")) {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+    next();
+    return;
+  }
+  try {
+    const token = header.slice(7);
+    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
+    (req as any).auth = {
+      authenticated: true,
+      actor_id: decoded.sub,
+      trace_id: req.headers["x-trace-id"] as string || "",
+    };
+  } catch {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+  }
+  next();
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const auth: AuthContext = (req as any).auth;
+  if (!auth || !auth.authenticated) {
+    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
+    return;
+  }
+  next();
+}
+
+// ─── OAuth2 Routes ────────────────────────────────────────────────────────────
+
+export const authRouter = Router();
+
+/** GET /auth/login — redirect to OAuth2 provider */
+authRouter.get("/login", (_req: Request, res: Response) => {
+  const state = crypto.randomBytes(16).toString("hex");
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  pendingStates.set(state, { verifier, createdAt: Date.now() });
+
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: OAUTH2_CLIENT_ID,
+    redirect_uri: OAUTH2_REDIRECT_URI,
+    scope: OAUTH2_SCOPES.join(" "),
+    state,
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+  });
+  res.redirect(\`\${OAUTH2_AUTH_URL}?\${params}\`);
+});
+
+/** GET /auth/callback — exchange code for tokens, issue internal JWT */
+authRouter.get("/callback", async (req: Request, res: Response) => {
+  const { code, state, error } = req.query as Record<string, string>;
+
+  if (error) {
+    return res.status(400).json({ error: { code: "OAUTH2_ERROR", message: error } });
+  }
+  if (!code || !state) {
+    return res.status(400).json({ error: { code: "MISSING_PARAMS", message: "code and state are required" } });
+  }
+
+  const pending = pendingStates.get(state);
+  if (!pending) {
+    return res.status(400).json({ error: { code: "INVALID_STATE", message: "Unknown or expired state parameter" } });
+  }
+  pendingStates.delete(state);
+
+  try {
+    // Exchange authorization code for tokens
+    const tokenRes = await fetch(OAUTH2_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: OAUTH2_REDIRECT_URI,
+        client_id: OAUTH2_CLIENT_ID,
+        client_secret: OAUTH2_CLIENT_SECRET,
+        code_verifier: pending.verifier,
+      }),
+    });
+
+    if (!tokenRes.ok) {
+      const body = await tokenRes.text();
+      console.error("[OAuth2] Token exchange failed:", body);
+      return res.status(502).json({ error: { code: "TOKEN_EXCHANGE_FAILED", message: "Failed to exchange authorization code" } });
+    }
+
+    const tokens = await tokenRes.json() as {
+      access_token: string;
+      id_token?: string;
+      refresh_token?: string;
+      expires_in?: number;
+    };
+
+    // Extract subject from id_token or access_token
+    let actorId: string;
+    try {
+      const payload = JSON.parse(Buffer.from((tokens.id_token || tokens.access_token).split(".")[1], "base64url").toString());
+      actorId = payload.sub || payload.email || payload.preferred_username || "unknown";
+    } catch {
+      actorId = "unknown";
+    }
+
+    // Issue internal JWT (short-lived)
+    const internalToken = jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn: "1h" } as any);
+
+    res.json({
+      token: internalToken,
+      actor_id: actorId,
+      expires_in: 3600,
+    });
+  } catch (err: any) {
+    console.error("[OAuth2] Callback error:", err.message);
+    res.status(500).json({ error: { code: "INTERNAL_ERROR", message: "OAuth2 callback failed" } });
+  }
+});
+
+/** POST /auth/refresh — refresh an expired internal JWT */
+authRouter.post("/refresh", (req: Request, res: Response) => {
+  const { token } = req.body as { token?: string };
+  if (!token) {
+    return res.status(400).json({ error: { code: "MISSING_TOKEN", message: "token is required" } });
+  }
+  try {
+    // Allow expired tokens for refresh (ignoreExpiration)
+    const decoded = jwt.verify(token, JWT_SECRET, { ignoreExpiration: true }) as { sub: string };
+    const newToken = jwt.sign({ sub: decoded.sub }, JWT_SECRET, { expiresIn: "1h" } as any);
+    res.json({ token: newToken, expires_in: 3600 });
+  } catch {
+    res.status(401).json({ error: { code: "INVALID_TOKEN", message: "Cannot refresh: token is invalid" } });
+  }
+});
+
+/** POST /auth/logout — client-side only (stateless JWT); invalidation requires a denylist */
+authRouter.post("/logout", (_req: Request, res: Response) => {
+  res.json({ ok: true, message: "Logged out. Discard the token on the client." });
+});
+`;
+}
+// ─── API Key ──────────────────────────────────────────────────────────────────
+function emitApiKeyAuth() {
+    return `// Generated by BoneScript compiler. DO NOT EDIT.
+// Auth strategy: API Key (X-API-Key header, hashed keys stored in database)
+import { Request, Response, NextFunction, Router } from "express";
+import crypto from "crypto";
+import { query } from "./db";
+
+// ─── Auth context ─────────────────────────────────────────────────────────────
+
+export interface AuthContext {
+  authenticated: boolean;
+  actor_id: string | null;
+  trace_id: string;
+}
+
+// ─── Key hashing ──────────────────────────────────────────────────────────────
+
+/** Hash an API key with SHA-256 for safe storage. Never store raw keys. */
+function hashApiKey(key: string): string {
+  return crypto.createHash("sha256").update(key).digest("hex");
+}
+
+/** Generate a new API key. Returns the raw key (shown once) and its hash. */
+export function generateApiKey(): { key: string; hash: string; prefix: string } {
+  const raw = "bsk_" + crypto.randomBytes(32).toString("base64url");
+  return { key: raw, hash: hashApiKey(raw), prefix: raw.slice(0, 12) };
+}
+
+// ─── In-memory LRU cache (avoids a DB hit on every request) ──────────────────
+
+const KEY_CACHE_TTL_MS = 60_000; // 1 minute
+const keyCache = new Map<string, { actorId: string; expiresAt: number }>();
+
+function getCached(hash: string): string | null {
+  const entry = keyCache.get(hash);
+  if (!entry) return null;
+  if (Date.now() > entry.expiresAt) { keyCache.delete(hash); return null; }
+  return entry.actorId;
+}
+
+function setCached(hash: string, actorId: string): void {
+  // Evict oldest entry if cache is too large
+  if (keyCache.size >= 1000) {
+    const oldest = [...keyCache.entries()].sort((a, b) => a[1].expiresAt - b[1].expiresAt)[0];
+    if (oldest) keyCache.delete(oldest[0]);
+  }
+  keyCache.set(hash, { actorId, expiresAt: Date.now() + KEY_CACHE_TTL_MS });
+}
+
+// ─── Middleware ───────────────────────────────────────────────────────────────
+
+export async function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void> {
+  const rawKey = req.headers["x-api-key"] as string | undefined;
+  const traceId = req.headers["x-trace-id"] as string || "";
+
+  if (!rawKey) {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+    next();
+    return;
+  }
+
+  const hash = hashApiKey(rawKey);
+
+  // Check cache first
+  const cached = getCached(hash);
+  if (cached) {
+    (req as any).auth = { authenticated: true, actor_id: cached, trace_id: traceId };
+    next();
+    return;
+  }
+
+  try {
+    // Look up in database — api_keys table (see migration below)
+    const rows = await query<{ actor_id: string; revoked: boolean }>(
+      \`SELECT actor_id, revoked FROM api_keys WHERE key_hash = $1 AND expires_at > NOW()\`,
+      [hash]
+    );
+    if (rows.length === 0 || rows[0].revoked) {
+      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+      next();
+      return;
+    }
+    const actorId = rows[0].actor_id;
+    setCached(hash, actorId);
+    (req as any).auth = { authenticated: true, actor_id: actorId, trace_id: traceId };
+  } catch (err: any) {
+    console.error("[ApiKey] Auth lookup failed:", err.message);
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+  }
+  next();
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const auth: AuthContext = (req as any).auth;
+  if (!auth || !auth.authenticated) {
+    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Valid API key required (X-API-Key header)" } });
+    return;
+  }
+  next();
+}
+
+// ─── Key Management Routes ────────────────────────────────────────────────────
+
+export const authRouter = Router();
+
+/** POST /auth/keys — create a new API key for the authenticated actor */
+authRouter.post("/keys", requireAuth, async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  const { name, expires_in_days = 365 } = req.body as { name?: string; expires_in_days?: number };
+
+  const { key, hash, prefix } = generateApiKey();
+  const expiresAt = new Date(Date.now() + expires_in_days * 86_400_000);
+
+  try {
+    await query(
+      \`INSERT INTO api_keys (actor_id, key_hash, key_prefix, name, expires_at) VALUES ($1, $2, $3, $4, $5)\`,
+      [auth.actor_id, hash, prefix, name || "default", expiresAt]
+    );
+    // Return the raw key ONCE — it cannot be retrieved again
+    res.status(201).json({ key, prefix, expires_at: expiresAt });
+  } catch (err: any) {
+    res.status(500).json({ error: { code: "KEY_CREATE_FAILED", message: err.message } });
+  }
+});
+
+/** GET /auth/keys — list API keys for the authenticated actor (no raw keys) */
+authRouter.get("/keys", requireAuth, async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  try {
+    const rows = await query(
+      \`SELECT id, key_prefix, name, created_at, expires_at, revoked FROM api_keys WHERE actor_id = $1 ORDER BY created_at DESC\`,
+      [auth.actor_id]
+    );
+    res.json({ keys: rows });
+  } catch (err: any) {
+    res.status(500).json({ error: { code: "KEY_LIST_FAILED", message: err.message } });
+  }
+});
+
+/** DELETE /auth/keys/:id — revoke an API key */
+authRouter.delete("/keys/:id", requireAuth, async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  try {
+    const result = await query(
+      \`UPDATE api_keys SET revoked = true WHERE id = $1 AND actor_id = $2 RETURNING id\`,
+      [req.params.id, auth.actor_id]
+    );
+    if (result.length === 0) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "API key not found" } });
+    }
+    res.json({ ok: true });
+  } catch (err: any) {
+    res.status(500).json({ error: { code: "KEY_REVOKE_FAILED", message: err.message } });
+  }
+});
+
+/*
+ * Required migration — add to your migrations directory:
+ *
+ * CREATE TABLE IF NOT EXISTS api_keys (
+ *   id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ *   actor_id   UUID NOT NULL,
+ *   key_hash   VARCHAR(64) NOT NULL UNIQUE,
+ *   key_prefix VARCHAR(16) NOT NULL,
+ *   name       VARCHAR(255) NOT NULL DEFAULT 'default',
+ *   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+ *   expires_at TIMESTAMPTZ NOT NULL,
+ *   revoked    BOOLEAN NOT NULL DEFAULT false
+ * );
+ * CREATE INDEX IF NOT EXISTS idx_api_keys_actor ON api_keys (actor_id);
+ * CREATE INDEX IF NOT EXISTS idx_api_keys_hash  ON api_keys (key_hash);
+ */
+`;
+}
 //# sourceMappingURL=emit_auth.js.map

package/dist/emit_auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"emit_auth.js","sourceRoot":"","sources":["../src/emit_auth.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAIH,SAAgB,kBAAkB,CAAC,OAAoB;IACrD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyDR,CAAC;AACF,CAAC;AA3DD,gDA2DC"}
+{"version":3,"file":"emit_auth.js","sourceRoot":"","sources":["../src/emit_auth.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAIH,8CAA8C;AAC9C,SAAS,iBAAiB,CAAC,MAAmB;IAC5C,wDAAwD;IACxD,qFAAqF;IACrF,+EAA+E;IAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC;WACpD,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAC7C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;QACzE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3D,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK,CAAC,EAAE,CAAC;YAC5F,OAAO,GAAkC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,CAAuB,CAAC;QAC1D,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK;YAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAmB;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACzC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ,CAAC,CAAE,OAAO,cAAc,EAAE,CAAC;QACxC,KAAK,QAAQ,CAAC,CAAE,OAAO,cAAc,EAAE,CAAC;QACxC,OAAO,CAAC,CAAQ,OAAO,WAAW,EAAE,CAAC;IACvC,CAAC;AACH,CAAC;AAPD,gDAOC;AAED,iFAAiF;AAEjF,SAAS,WAAW;IAClB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+DR,CAAC;AACF,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgNR,CAAC;AACF,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2KR,CAAC;AACF,CAAC"}