create-croissant 0.1.7 → 0.1.9

package/template/apps/web/node_modules/@better-auth/core/dist/types/plugin-client.d.mts

@@ -1,113 +0,0 @@
-import { LiteralString } from "./helper.mjs";
-import { BetterAuthPlugin } from "./plugin.mjs";
-import { BetterAuthOptions } from "./init-options.mjs";
-import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
-import { Atom, WritableAtom } from "nanostores";
-
-//#region src/types/plugin-client.d.ts
-interface ClientStore {
-  notify: (signal: string) => void;
-  listen: (signal: string, listener: () => void) => void;
-  atoms: Record<string, WritableAtom<any>>;
-}
-type ClientAtomListener = {
-  matcher: (path: string) => boolean;
-  signal: "$sessionSignal" | Omit<string, "$sessionSignal">;
-  callback?: (path: string) => void;
-};
-/**
- * Better-Fetch options but with additional options for the auth-client.
- */
-type ClientFetchOption<Body = any, Query extends Record<string, any> = any, Params extends Record<string, any> | Array<string> | undefined = any, Res = any> = BetterFetchOption<Body, Query, Params, Res> & {
-  /**
-   * Certain endpoints, upon successful response, will trigger atom signals and thus rerendering all hooks related to that atom.
-   *
-   * This option is useful when you want to skip hook rerenders.
-   */
-  disableSignal?: boolean | undefined;
-};
-interface RevalidateOptions {
-  /**
-   * A time interval (in seconds) after which the session will be re-fetched.
-   * If set to `0` (default), the session is not polled.
-   *
-   * This helps prevent session expiry during idle periods by periodically
-   * refreshing the session.
-   *
-   * @default 0
-   */
-  refetchInterval?: number | undefined;
-  /**
-   * Automatically refetch the session when the user switches back to the window/tab.
-   * This option activates this behavior if set to `true` (default).
-   *
-   * Prevents expired sessions when users switch tabs and come back later.
-   *
-   * @default true
-   */
-  refetchOnWindowFocus?: boolean | undefined;
-  /**
-   * Set to `false` to stop polling when the device has no internet access
-   * (determined by `navigator.onLine`).
-   *
-   * @default false
-   * @see https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine
-   */
-  refetchWhenOffline?: boolean | undefined;
-}
-interface BetterAuthClientOptions {
-  fetchOptions?: ClientFetchOption | undefined;
-  plugins?: BetterAuthClientPlugin[] | undefined;
-  baseURL?: string | undefined;
-  basePath?: string | undefined;
-  disableDefaultFetchPlugins?: boolean | undefined;
-  $InferAuth?: BetterAuthOptions | undefined;
-  sessionOptions?: RevalidateOptions | undefined;
-}
-interface BetterAuthClientPlugin {
-  id: LiteralString;
-  version?: string | undefined;
-  /**
-   * only used for type inference. don't pass the
-   * actual plugin
-   */
-  $InferServerPlugin?: BetterAuthPlugin | undefined;
-  /**
-   * Custom actions
-   */
-  getActions?: ($fetch: BetterFetch, $store: ClientStore,
-  /**
-   * better-auth client options
-   */
-
-  options: BetterAuthClientOptions | undefined) => Record<string, any>;
-  /**
-   * State atoms that'll be resolved by each framework
-   * auth store.
-   */
-  getAtoms?: (($fetch: BetterFetch) => Record<string, Atom<any>>) | undefined;
-  /**
-   * specify path methods for server plugin inferred
-   * endpoints to force a specific method.
-   */
-  pathMethods?: Record<string, "POST" | "GET"> | undefined;
-  /**
-   * Better fetch plugins
-   */
-  fetchPlugins?: BetterFetchPlugin[] | undefined;
-  /**
-   * a list of recaller based on a matcher function.
-   * The signal name needs to match a signal in this
-   * plugin or any plugin the user might have added.
-   */
-  atomListeners?: ClientAtomListener[] | undefined;
-  /**
-   * The error codes returned by the plugin
-   */
-  $ERROR_CODES?: Record<string, {
-    code: string;
-    message: string;
-  }>;
-}
-//#endregion
-export { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientFetchOption, ClientStore };

package/template/apps/web/node_modules/@better-auth/core/dist/types/plugin.d.mts

@@ -1,124 +0,0 @@
-import { BetterAuthPluginDBSchema } from "../db/plugin.mjs";
-import { Awaitable, LiteralString } from "./helper.mjs";
-import { RawError } from "../utils/error-codes.mjs";
-import { BetterAuthOptions } from "./init-options.mjs";
-import { AuthContext } from "./context.mjs";
-import { AuthMiddleware } from "../api/index.mjs";
-import { Endpoint, EndpointContext, InputContext, Middleware } from "better-call";
-import { Migration } from "kysely";
-
-//#region src/types/plugin.d.ts
-type DeepPartial<T> = T extends Function ? T : T extends object ? { [K in keyof T]?: DeepPartial<T[K]> } : T;
-type HookEndpointContext = Partial<EndpointContext<string, any> & Omit<InputContext<string, any>, "method">> & {
-  path?: string;
-  context: AuthContext & {
-    returned?: unknown | undefined;
-    responseHeaders?: Headers | undefined;
-  };
-  headers?: Headers | undefined;
-};
-type BetterAuthPluginErrorCodePart = {
-  /**
-   * The error codes returned by the plugin
-   */
-  $ERROR_CODES?: Record<string, RawError>;
-};
-type BetterAuthPlugin = BetterAuthPluginErrorCodePart & {
-  id: LiteralString;
-  version?: string | undefined;
-  /**
-   * The init function is called when the plugin is initialized.
-   * You can return a new context or modify the existing context.
-   */
-  init?: ((ctx: AuthContext) => Awaitable<{
-    context?: DeepPartial<Omit<AuthContext, "options">> & Record<string, unknown>;
-    options?: Partial<BetterAuthOptions>;
-  }> | void | Promise<void>) | undefined;
-  endpoints?: {
-    [key: string]: Endpoint;
-  } | undefined;
-  middlewares?: {
-    path: string;
-    middleware: Middleware;
-  }[] | undefined;
-  onRequest?: ((request: Request, ctx: AuthContext) => Promise<{
-    response: Response;
-  } | {
-    request: Request;
-  } | void>) | undefined;
-  onResponse?: ((response: Response, ctx: AuthContext) => Promise<{
-    response: Response;
-  } | void>) | undefined;
-  hooks?: {
-    before?: {
-      matcher: (context: HookEndpointContext) => boolean;
-      handler: AuthMiddleware;
-    }[];
-    after?: {
-      matcher: (context: HookEndpointContext) => boolean;
-      handler: AuthMiddleware;
-    }[];
-  } | undefined;
-  /**
-   * Schema the plugin needs
-   *
-   * This will also be used to migrate the database. If the fields are dynamic from the plugins
-   * configuration each time the configuration is changed a new migration will be created.
-   *
-   * NOTE: If you want to create migrations manually using
-   * migrations option or any other way you
-   * can disable migration per table basis.
-   *
-   * @example
-   * ```ts
-   * schema: {
-   * 	user: {
-   * 		fields: {
-   * 			email: {
-   * 				 type: "string",
-   * 			},
-   * 			emailVerified: {
-   * 				type: "boolean",
-   * 				defaultValue: false,
-   * 			},
-   * 		},
-   * 	}
-   * } as AuthPluginSchema
-   * ```
-   */
-  schema?: BetterAuthPluginDBSchema | undefined;
-  /**
-   * The migrations of the plugin. If you define schema that will automatically create
-   * migrations for you.
-   *
-   * ⚠️ Only uses this if you dont't want to use the schema option and you disabled migrations for
-   * the tables.
-   */
-  migrations?: Record<string, Migration> | undefined;
-  /**
-   * The options of the plugin
-   */
-  options?: Record<string, any> | undefined;
-  /**
-   * types to be inferred
-   */
-  $Infer?: Record<string, any> | undefined;
-  /**
-   * The rate limit rules to apply to specific paths.
-   */
-  rateLimit?: {
-    window: number;
-    max: number;
-    pathMatcher: (path: string) => boolean;
-  }[] | undefined;
-  /**
-   * All database operations that are performed by the plugin
-   *
-   * This will override the default database operations
-   */
-  adapter?: {
-    [key: string]: (...args: any[]) => Awaitable<any>;
-  };
-};
-//#endregion
-export { BetterAuthPlugin, BetterAuthPluginErrorCodePart, HookEndpointContext };

package/template/apps/web/node_modules/@better-auth/core/dist/types/secret.d.mts

@@ -1,11 +0,0 @@
-//#region src/types/secret.d.ts
-interface SecretConfig {
-  /** Map of version number → secret value */
-  keys: Map<number, string>;
-  /** Version to use for new encryption (first entry in secrets array) */
-  currentVersion: number;
-  /** Legacy secret for bare-hex fallback (from BETTER_AUTH_SECRET) */
-  legacySecret?: string;
-}
-//#endregion
-export { SecretConfig };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/async.d.mts

@@ -1,22 +0,0 @@
-import { Awaitable } from "../types/helper.mjs";
-
-//#region src/utils/async.d.ts
-interface MapConcurrentOptions {
-  /**
-   * Max in-flight mappers. Non-integer values are floored, then clamped
-   * to the range `[1, items.length]`. `NaN` falls back to 1.
-   */
-  concurrency: number;
-  /**
-   * Rejects with `signal.reason` when aborted. In-flight mappers keep
-   * running but their results are not returned.
-   */
-  signal?: AbortSignal;
-}
-/**
- * Run an async mapper over items with bounded concurrency.
- * Preserves input order in the result. Fails fast on the first rejection.
- */
-declare function mapConcurrent<T, R>(items: readonly T[], fn: (item: T, index: number) => Awaitable<R>, options: MapConcurrentOptions): Promise<R[]>;
-//#endregion
-export { MapConcurrentOptions, mapConcurrent };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/async.mjs

@@ -1,32 +0,0 @@
-//#region src/utils/async.ts
-/**
-* Run an async mapper over items with bounded concurrency.
-* Preserves input order in the result. Fails fast on the first rejection.
-*/
-async function mapConcurrent(items, fn, options) {
-	const n = items.length;
-	if (n === 0) return [];
-	const { signal } = options;
-	if (signal?.aborted) throw signal.reason;
-	const raw = Math.floor(options.concurrency);
-	const width = Math.min(n, raw >= 1 ? raw : 1);
-	const results = new Array(n);
-	let idx = 0;
-	let failed = false;
-	const worker = async () => {
-		while (!failed && idx < n) {
-			if (signal?.aborted) throw signal.reason;
-			const i = idx++;
-			try {
-				results[i] = await fn(items[i], i);
-			} catch (error) {
-				failed = true;
-				throw error;
-			}
-		}
-	};
-	await Promise.all(Array.from({ length: width }, worker));
-	return results;
-}
-//#endregion
-export { mapConcurrent };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/db.d.mts

@@ -1,9 +0,0 @@
-import { DBFieldAttribute } from "../db/type.mjs";
-//#region src/utils/db.d.ts
-/**
- * Filters output data by removing fields with the `returned: false` attribute.
- * This ensures sensitive fields are not exposed in API responses.
- */
-declare function filterOutputFields<T extends Record<string, unknown> | null>(data: T, additionalFields: Record<string, DBFieldAttribute> | undefined): T;
-//#endregion
-export { filterOutputFields };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/db.mjs

@@ -1,15 +0,0 @@
-//#region src/utils/db.ts
-/**
-* Filters output data by removing fields with the `returned: false` attribute.
-* This ensures sensitive fields are not exposed in API responses.
-*/
-function filterOutputFields(data, additionalFields) {
-	if (!data || !additionalFields) return data;
-	const returnFiltered = Object.entries(additionalFields).filter(([, { returned }]) => returned === false).map(([key]) => key);
-	return Object.entries(structuredClone(data)).filter(([key]) => !returnFiltered.includes(key)).reduce((acc, [key, value]) => ({
-		...acc,
-		[key]: value
-	}), {});
-}
-//#endregion
-export { filterOutputFields };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/deprecate.d.mts

@@ -1,9 +0,0 @@
-import { InternalLogger } from "../env/logger.mjs";
-
-//#region src/utils/deprecate.d.ts
-/**
- * Wraps a function to log a deprecation warning at once.
- */
-declare function deprecate<T extends (...args: any[]) => any>(fn: T, message: string, logger?: InternalLogger): T;
-//#endregion
-export { deprecate };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/deprecate.mjs

@@ -1,16 +0,0 @@
-//#region src/utils/deprecate.ts
-/**
-* Wraps a function to log a deprecation warning at once.
-*/
-function deprecate(fn, message, logger) {
-	let warned = false;
-	return function(...args) {
-		if (!warned) {
-			(logger?.warn ?? console.warn)(`[Deprecation] ${message}`);
-			warned = true;
-		}
-		return fn.apply(this, args);
-	};
-}
-//#endregion
-export { deprecate };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/error-codes.d.mts

@@ -1,13 +0,0 @@
-//#region src/utils/error-codes.d.ts
-type UpperLetter = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z";
-type SpecialCharacter = "_";
-type IsValidUpperSnakeCase<S extends string> = S extends `${infer F}${infer R}` ? F extends UpperLetter | SpecialCharacter ? IsValidUpperSnakeCase<R> : false : true;
-type InvalidKeyError<K extends string> = `Invalid error code key: "${K}" - must only contain uppercase letters (A-Z) and underscores (_)`;
-type ValidateErrorCodes<T> = { [K in keyof T]: K extends string ? IsValidUpperSnakeCase<K> extends false ? InvalidKeyError<K> : T[K] : T[K] };
-type RawError<K extends string = string> = {
-  readonly code: K;
-  message: string;
-};
-declare function defineErrorCodes<const T extends Record<string, string>, R extends { [K in keyof T & string]: RawError<K> }>(codes: ValidateErrorCodes<T>): R;
-//#endregion
-export { RawError, defineErrorCodes };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/error-codes.mjs

@@ -1,10 +0,0 @@
-//#region src/utils/error-codes.ts
-function defineErrorCodes(codes) {
-	return Object.fromEntries(Object.entries(codes).map(([key, value]) => [key, {
-		code: key,
-		message: value,
-		toString: () => key
-	}]));
-}
-//#endregion
-export { defineErrorCodes };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/fetch-metadata.d.mts

@@ -1,4 +0,0 @@
-//#region src/utils/fetch-metadata.d.ts
-declare function isBrowserFetchRequest(headers?: Headers | null): boolean;
-//#endregion
-export { isBrowserFetchRequest };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/fetch-metadata.mjs

@@ -1,6 +0,0 @@
-//#region src/utils/fetch-metadata.ts
-function isBrowserFetchRequest(headers) {
-	return headers?.get("sec-fetch-mode") === "cors";
-}
-//#endregion
-export { isBrowserFetchRequest };

package/template/apps/web/node_modules/@better-auth/core/dist/utils/host.d.mts

@@ -1,147 +0,0 @@
-//#region src/utils/host.d.ts
-/**
- * Host classification per RFC 6890 (Special-Purpose IP Address Registries),
- * RFC 6761 (Special-Use Domain Names), and RFC 8252 §7.3 (loopback redirect URIs).
- *
- * This module is the single source of truth for "is this host public? private?
- * loopback? link-local?" in the codebase. Consumers MUST prefer these predicates
- * over bespoke regexes or substring matches; divergent checks are how bypass
- * vulnerabilities get introduced (e.g. Oligo's "0.0.0.0 Day" 2024).
- *
- * Four user-facing primitives:
- *
- *   - `classifyHost(host)` — the workhorse. Returns a {@link HostClassification}
- *     with `kind`, `literal`, and `canonical` fields.
- *   - `isLoopbackIP(host)` — strict: IPv4 `127.0.0.0/8` or IPv6 `::1` only.
- *     Use this for RFC 8252 §7.3 loopback redirect URI matching where IP
- *     literals are REQUIRED.
- *   - `isLoopbackHost(host)` — permissive: also accepts `localhost` and RFC 6761
- *     `.localhost` subdomains. Use this for developer ergonomics (CORS, cookie
- *     secure bypass, dev-mode HTTP allow-list).
- *   - `isPublicRoutableHost(host)` — SSRF gate. Returns false for every
- *     non-`public` kind. Use this before server-side fetches to user-controlled
- *     URLs.
- */
-/**
- * The semantic kind of a host, derived from RFC 6890 special-purpose registries
- * plus a few domain-name categories (localhost, cloud metadata FQDNs).
- */
-type HostKind = /** IPv4 `127.0.0.0/8` or IPv6 `::1`. */"loopback" /** DNS name `localhost` or RFC 6761 `.localhost` TLD. */ | "localhost" /** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */ | "unspecified" /** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */ | "private" /** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */ | "linkLocal" /** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */ | "sharedAddressSpace" /** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */ | "documentation" /** RFC 2544 `198.18.0.0/15`. */ | "benchmarking" /** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */ | "multicast" /** IPv4 limited broadcast `255.255.255.255`. */ | "broadcast" /** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */ | "reserved" /** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */ | "cloudMetadata" /** Any host not matching a special-purpose range above. */ | "public";
-/**
- * The syntactic form of the input host: an IPv4 literal, an IPv6 literal, or
- * a domain name. IPv4-mapped IPv6 (`::ffff:192.0.2.1`) is reported as `ipv4`
- * because it's unmapped during canonicalization.
- */
-type HostLiteral = "ipv4" | "ipv6" | "fqdn";
-/**
- * Result of {@link classifyHost}. All fields are readonly.
- *
- * @property kind - Semantic classification per RFC 6890 + RFC 6761.
- * @property literal - Syntactic form of the input (IPv4, IPv6, or FQDN).
- * @property canonical - Lowercase, port-stripped, bracket-stripped, zone-id-stripped
- *   form suitable for equality comparison. IPv6 is expanded to full form.
- *   IPv4-mapped IPv6 is collapsed to the underlying IPv4.
- */
-interface HostClassification {
-  readonly kind: HostKind;
-  readonly literal: HostLiteral;
-  readonly canonical: string;
-}
-/**
- * Classify a host string according to RFC 6890 / RFC 6761.
- *
- * Accepts inputs in any of these shapes and normalizes before classifying:
- *
- *   - Bare IPv4: `127.0.0.1`
- *   - Bare IPv6: `::1`, `fe80::1%eth0`
- *   - Bracketed IPv6: `[::1]`
- *   - Host with port: `localhost:3000`, `127.0.0.1:443`, `[::1]:8080`
- *   - FQDN: `example.com`, `tenant.localhost`
- *   - IPv4-mapped IPv6: `::ffff:192.0.2.1` (reported as `literal: "ipv4"`)
- *
- * Invalid or non-resolvable FQDNs are returned as `{ kind: "public", literal: "fqdn" }`
- * — this function never throws. Callers that need structural validation must
- * combine this with a URL/hostname validator upstream.
- *
- * @example
- * classifyHost("127.0.0.1")
- * // { kind: "loopback", literal: "ipv4", canonical: "127.0.0.1" }
- *
- * @example
- * classifyHost("[::1]:8080")
- * // { kind: "loopback", literal: "ipv6", canonical: "0000:0000:...:0001" }
- *
- * @example
- * classifyHost("::ffff:192.0.2.1")
- * // { kind: "documentation", literal: "ipv4", canonical: "192.0.2.1" }
- *
- * @example
- * classifyHost("tenant-a.localhost")
- * // { kind: "localhost", literal: "fqdn", canonical: "tenant-a.localhost" }
- */
-declare function classifyHost(host: string): HostClassification;
-/**
- * Strict loopback-IP-literal check per RFC 8252 §7.3.
- *
- * Returns true ONLY for IPv4 `127.0.0.0/8` or IPv6 `::1`. The DNS name
- * `localhost` returns false — RFC 8252 §8.3 explicitly recommends against
- * relying on name resolution for loopback redirect URIs.
- *
- * Use this for OAuth redirect URI matching.
- *
- * @example
- * isLoopbackIP("127.0.0.1")     // true
- * isLoopbackIP("::1")           // true
- * isLoopbackIP("[::1]:8080")    // true
- * isLoopbackIP("localhost")     // false  (use isLoopbackHost for DNS names)
- * isLoopbackIP("0.0.0.0")       // false  (unspecified, not loopback)
- */
-declare function isLoopbackIP(host: string): boolean;
-/**
- * Permissive loopback check for developer-ergonomics code paths.
- *
- * Returns true for IPv4 `127.0.0.0/8`, IPv6 `::1`, the literal name `localhost`,
- * and any RFC 6761 `.localhost` subdomain (`tenant.localhost`, `app.localhost`).
- *
- * Use this for things like: allowing HTTP for dev servers, skipping Secure
- * cookie requirements, browser-trust heuristics. Do NOT use this for OAuth
- * redirect URI matching — use {@link isLoopbackIP} there.
- *
- * @example
- * isLoopbackHost("localhost")         // true
- * isLoopbackHost("tenant.localhost")  // true  (RFC 6761)
- * isLoopbackHost("127.0.0.1")         // true
- * isLoopbackHost("0.0.0.0")           // false (unspecified, NOT loopback)
- */
-declare function isLoopbackHost(host: string): boolean;
-/**
- * First-line SSRF gate: returns true ONLY for hosts that classify as `public`.
- *
- * Every RFC 6890 special-purpose range (loopback, private, link-local,
- * unspecified, documentation, multicast, broadcast, reserved, shared address
- * space, benchmarking) and cloud-metadata FQDN returns false.
- *
- * Use this BEFORE issuing a server-side fetch to a user-supplied URL, e.g.
- * OAuth introspection endpoints, webhook targets, or metadata-document
- * fetches (CIMD).
- *
- * Limitations (this is a syntactic check, not a complete SSRF mitigation):
- * - No DNS resolution: a public-looking FQDN that resolves to a private IP
- *   passes this check. Re-verify the resolved address before connecting, or
- *   pin the socket to the resolved IP.
- * - No DNS-rebinding defense: attackers can return a public IP on the first
- *   lookup and a private IP on the second. Resolve once and reuse the IP.
- * - No redirect following: HTTP 3xx responses can redirect to private hosts.
- *   Re-run this check on every redirect target, or disable auto-follow.
- *
- * @example
- * isPublicRoutableHost("example.com")            // true
- * isPublicRoutableHost("127.0.0.1")              // false (loopback)
- * isPublicRoutableHost("169.254.169.254")        // false (linkLocal / AWS IMDS)
- * isPublicRoutableHost("metadata.google.internal") // false (cloudMetadata)
- * isPublicRoutableHost("10.0.0.1")               // false (private)
- * isPublicRoutableHost("::ffff:127.0.0.1")       // false (mapped loopback)
- */
-declare function isPublicRoutableHost(host: string): boolean;
-//#endregion
-export { HostClassification, HostKind, HostLiteral, classifyHost, isLoopbackHost, isLoopbackIP, isPublicRoutableHost };