npm - dineway - Versions diffs - 0.1.8 → 0.1.11 - Mend

dineway 0.1.8 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (690) hide show

package/dist/astro/routes/api/oauth/authorize.mjs ADDED Viewed

@@ -0,0 +1,265 @@
+import { n as getPublicOrigin } from "../../../../public-url-BB_umF5G.mjs";
+import { a as filterExperimentalSiteContextWorkflowScopes, o as getExperimentalSiteContextWorkflowScopesDisabledMessage, r as disabledExperimentalSiteContextWorkflowScopes } from "../../../../experimental-workflows-DldxJlqV.mjs";
+import { t as ALL_VALID_SCOPES } from "../../../../api-tokens-DzloJxuh.mjs";
+import { t as escapeHtml } from "../../../../escape-mNZr4t2A.mjs";
+import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { n as handleAuthorizationApproval, t as buildDeniedRedirect } from "../../../../oauth-authorization-C1qiw4hd.mjs";
+//#region src/astro/routes/api/oauth/authorize.ts
+const prerender = false;
+const CSRF_COOKIE_NAME = "dineway_oauth_csrf";
+/** Generate a 32-byte random token as hex. */
+function generateCsrfToken() {
+	const bytes = new Uint8Array(32);
+	crypto.getRandomValues(bytes);
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+/** Build the Set-Cookie header value for the CSRF token. */
+function csrfCookieHeader(token, request, siteUrl) {
+	return `${CSRF_COOKIE_NAME}=${token}; Path=/_dineway/oauth/authorize; HttpOnly; SameSite=Strict${(siteUrl ? siteUrl.startsWith("https:") : new URL(request.url).protocol === "https:") ? "; Secure" : ""}`;
+}
+/** Extract the CSRF token from the request's cookies. */
+function getCsrfCookie(request) {
+	const cookieHeader = request.headers.get("Cookie");
+	if (!cookieHeader) return null;
+	return cookieHeader.match(new RegExp(`(?:^|;\\s*)${CSRF_COOKIE_NAME}=([^;]+)`))?.[1] ?? null;
+}
+const SCOPE_LABELS = {
+	"content:read": "Read content (posts, pages, etc.)",
+	"content:write": "Create, edit, and delete content",
+	"media:read": "View media files",
+	"media:write": "Upload and manage media files",
+	"schema:read": "View collection schemas",
+	"schema:write": "Create and modify collection schemas",
+	admin: "Full administrative access"
+};
+const GET = async ({ url, request, locals }) => {
+	const { dineway, user } = locals;
+	const clientId = url.searchParams.get("client_id");
+	const redirectUri = url.searchParams.get("redirect_uri");
+	const responseType = url.searchParams.get("response_type");
+	const codeChallenge = url.searchParams.get("code_challenge");
+	const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+	const scope = url.searchParams.get("scope");
+	const state = url.searchParams.get("state");
+	if (!clientId || !redirectUri || responseType !== "code" || !codeChallenge) return new Response(renderErrorPage("Invalid authorization request. Missing required parameters."), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	if (codeChallengeMethod && codeChallengeMethod !== "S256") return new Response(renderErrorPage("Only S256 code challenge method is supported."), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	if (dineway?.db) {
+		const client = await lookupOAuthClient(dineway.db, clientId);
+		if (!client) return new Response(renderErrorPage("Unknown client application."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" }
+		});
+		if (validateClientRedirectUri(redirectUri, client.redirectUris)) return new Response(renderErrorPage("The redirect URI is not registered for this client."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" }
+		});
+	}
+	if (!user) {
+		const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
+		loginUrl.searchParams.set("redirect", url.pathname + url.search);
+		return Response.redirect(loginUrl.toString(), 302);
+	}
+	const rawRequestedScopes = (scope ?? "").split(" ").filter(Boolean);
+	if (disabledExperimentalSiteContextWorkflowScopes(rawRequestedScopes).length > 0) return new Response(renderErrorPage(getExperimentalSiteContextWorkflowScopesDisabledMessage()), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	const validSet = new Set(filterExperimentalSiteContextWorkflowScopes(ALL_VALID_SCOPES));
+	const requestedScopes = rawRequestedScopes.filter((s) => validSet.has(s));
+	if (requestedScopes.length === 0) return new Response(renderErrorPage("No valid scopes requested."), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	const csrfToken = generateCsrfToken();
+	const html = renderConsentPage({
+		clientId,
+		scopes: requestedScopes,
+		redirectUri,
+		responseType,
+		codeChallenge,
+		codeChallengeMethod: codeChallengeMethod ?? "S256",
+		state: state ?? "",
+		resource: url.searchParams.get("resource") ?? "",
+		userName: user.name ?? user.email,
+		csrfToken
+	});
+	return new Response(html, { headers: {
+		"Content-Type": "text/html; charset=utf-8",
+		"Set-Cookie": csrfCookieHeader(csrfToken, request, getPublicOrigin(url, dineway?.config))
+	} });
+};
+const POST = async ({ request, locals }) => {
+	const { dineway, user } = locals;
+	if (!dineway?.db) return new Response(renderErrorPage("Dineway is not initialized."), {
+		status: 500,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	if (!user) return new Response(renderErrorPage("Authentication required."), {
+		status: 401,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	const formData = await request.formData();
+	const field = (name, fallback = "") => {
+		const v = formData.get(name);
+		return typeof v === "string" ? v : fallback;
+	};
+	const formCsrf = field("csrf_token");
+	const cookieCsrf = getCsrfCookie(request);
+	const csrfError = new Response(renderErrorPage("Invalid or missing CSRF token. Please try again."), {
+		status: 403,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	if (!formCsrf || !cookieCsrf) return csrfError;
+	const csrfEncoder = new TextEncoder();
+	const [csrfHashA, csrfHashB] = await Promise.all([crypto.subtle.digest("SHA-256", csrfEncoder.encode(formCsrf)), crypto.subtle.digest("SHA-256", csrfEncoder.encode(cookieCsrf))]);
+	const a = new Uint8Array(csrfHashA);
+	const b = new Uint8Array(csrfHashB);
+	let diff = 0;
+	for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+	if (diff !== 0) return csrfError;
+	const action = field("action");
+	const redirectUri = field("redirect_uri");
+	const state = field("state") || void 0;
+	if (!redirectUri) return new Response(renderErrorPage("Missing redirect_uri."), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	const uriError = validateRedirectUri(redirectUri);
+	if (uriError) return new Response(renderErrorPage(escapeHtml(uriError)), {
+		status: 400,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+	if (action === "deny") {
+		const clientId = field("client_id");
+		if (!clientId) return new Response(renderErrorPage("Missing client_id."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" }
+		});
+		const client = await lookupOAuthClient(dineway.db, clientId);
+		if (!client) return new Response(renderErrorPage("Unknown client application."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" }
+		});
+		if (validateClientRedirectUri(redirectUri, client.redirectUris)) return new Response(renderErrorPage("The redirect URI is not registered for this client."), {
+			status: 400,
+			headers: { "Content-Type": "text/html; charset=utf-8" }
+		});
+		const denyUrl = buildDeniedRedirect(redirectUri, state);
+		return Response.redirect(denyUrl, 302);
+	}
+	const result = await handleAuthorizationApproval(dineway.db, user.id, user.role, {
+		response_type: field("response_type", "code"),
+		client_id: field("client_id"),
+		redirect_uri: redirectUri,
+		scope: field("scope"),
+		state,
+		code_challenge: field("code_challenge"),
+		code_challenge_method: field("code_challenge_method", "S256"),
+		resource: field("resource") || void 0
+	});
+	if (!result.success) {
+		const errMsg = result.error?.message ?? "Authorization failed";
+		try {
+			const errorUrl = new URL(redirectUri);
+			errorUrl.searchParams.set("error", "server_error");
+			errorUrl.searchParams.set("error_description", "Authorization failed");
+			if (state) errorUrl.searchParams.set("state", state);
+			return Response.redirect(errorUrl.toString(), 302);
+		} catch {
+			return new Response(renderErrorPage(escapeHtml(errMsg)), {
+				status: 400,
+				headers: { "Content-Type": "text/html; charset=utf-8" }
+			});
+		}
+	}
+	return Response.redirect(result.data.redirect_url, 302);
+};
+function renderConsentPage(params) {
+	const scopeList = params.scopes.map((s) => {
+		return `<li>${escapeHtml(SCOPE_LABELS[s] ?? s)}</li>`;
+	}).join("\n");
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorize Application — Dineway</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }
+  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }
+  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }
+  .client-id { color: #a3a3a3; font-size: 0.875rem; word-break: break-all; margin-bottom: 1.5rem; }
+  .user { color: #a3a3a3; font-size: 0.875rem; margin-bottom: 1rem; }
+  h2 { font-size: 0.875rem; font-weight: 500; color: #a3a3a3; text-transform: uppercase; letter-spacing: 0.05em; margin-bottom: 0.75rem; }
+  ul { list-style: none; margin-bottom: 1.5rem; }
+  li { padding: 0.5rem 0; border-bottom: 1px solid #262626; font-size: 0.875rem; }
+  li:last-child { border-bottom: none; }
+  .actions { display: flex; gap: 0.75rem; }
+  button { flex: 1; padding: 0.625rem 1rem; border-radius: 8px; border: none; font-size: 0.875rem; font-weight: 500; cursor: pointer; }
+  .approve { background: #2563eb; color: white; }
+  .approve:hover { background: #1d4ed8; }
+  .deny { background: #262626; color: #e5e5e5; }
+  .deny:hover { background: #333; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Authorize Application</h1>
+  <p class="client-id">${escapeHtml(params.clientId)}</p>
+  <p class="user">Signed in as <strong>${escapeHtml(params.userName)}</strong></p>
+  <h2>Permissions requested</h2>
+  <ul>${scopeList}</ul>
+  <form method="POST">
+    <input type="hidden" name="csrf_token" value="${escapeHtml(params.csrfToken)}">
+    <input type="hidden" name="response_type" value="${escapeHtml(params.responseType)}">
+    <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}">
+    <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}">
+    <input type="hidden" name="scope" value="${escapeHtml(params.scopes.join(" "))}">
+    <input type="hidden" name="state" value="${escapeHtml(params.state)}">
+    <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}">
+    <input type="hidden" name="code_challenge_method" value="${escapeHtml(params.codeChallengeMethod)}">
+    <input type="hidden" name="resource" value="${escapeHtml(params.resource)}">
+    <div class="actions">
+      <button type="submit" name="action" value="deny" class="deny">Deny</button>
+      <button type="submit" name="action" value="approve" class="approve">Approve</button>
+    </div>
+  </form>
+</div>
+</body>
+</html>`;
+}
+function renderErrorPage(message) {
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Authorization Error — Dineway</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }
+  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }
+  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 1rem; color: #ef4444; }
+  p { font-size: 0.875rem; color: #a3a3a3; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Authorization Error</h1>
+  <p>${escapeHtml(message)}</p>
+</div>
+</body>
+</html>`;
+}
+//#endregion
+export { GET, POST, prerender };

package/dist/astro/routes/api/oauth/device/authorize.d.mts ADDED Viewed

@@ -0,0 +1,7 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/device/authorize.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/device/authorize.mjs ADDED Viewed

@@ -0,0 +1,30 @@
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-DEGjx2Xw.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BeQXIt1U.mjs";
+import "../../../../../api-tokens-DzloJxuh.mjs";
+import "../../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { t as handleDeviceAuthorize } from "../../../../../device-flow-7AhWNwCK.mjs";
+import { z } from "zod";
+//#region src/astro/routes/api/oauth/device/authorize.ts
+const prerender = false;
+const authorizeSchema = z.object({
+	user_code: z.string().min(1),
+	action: z.enum(["approve", "deny"]).optional()
+});
+const POST = async ({ request, locals }) => {
+	const { dineway } = locals;
+	const { user } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Authentication required", 401);
+	try {
+		const body = await parseBody(request, authorizeSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleDeviceAuthorize(dineway.db, user.id, user.role, body));
+	} catch (error) {
+		return handleError(error, "Failed to authorize device", "AUTHORIZE_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/device/code.d.mts ADDED Viewed

@@ -0,0 +1,7 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/device/code.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/device/code.mjs ADDED Viewed

@@ -0,0 +1,34 @@
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-DEGjx2Xw.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BeQXIt1U.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-Bi0Cuk5n.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-BB_umF5G.mjs";
+import "../../../../../api-tokens-DzloJxuh.mjs";
+import "../../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { n as handleDeviceCodeRequest } from "../../../../../device-flow-7AhWNwCK.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-CbJoj_fT.mjs";
+import { z } from "zod";
+//#region src/astro/routes/api/oauth/device/code.ts
+const prerender = false;
+const deviceCodeSchema = z.object({
+	client_id: z.string().optional(),
+	scope: z.string().optional()
+});
+const POST = async ({ request, locals, url }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	try {
+		const body = await parseBody(request, deviceCodeSchema);
+		if (isParseError(body)) return body;
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
+		if (!(await checkRateLimit(dineway.db, ip, "device/code", 10, 60)).allowed) return rateLimitResponse(60);
+		const verificationUri = new URL("/_dineway/admin/device", getPublicOrigin(url, dineway?.config)).toString();
+		return unwrapResult(await handleDeviceCodeRequest(dineway.db, body, verificationUri));
+	} catch (error) {
+		return handleError(error, "Failed to create device code", "DEVICE_CODE_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/device/token.d.mts ADDED Viewed

@@ -0,0 +1,7 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/device/token.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/device/token.mjs ADDED Viewed

@@ -0,0 +1,45 @@
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-DEGjx2Xw.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BeQXIt1U.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-Bi0Cuk5n.mjs";
+import "../../../../../api-tokens-DzloJxuh.mjs";
+import "../../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { r as handleDeviceTokenExchange } from "../../../../../device-flow-7AhWNwCK.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-CbJoj_fT.mjs";
+import { z } from "zod";
+//#region src/astro/routes/api/oauth/device/token.ts
+const prerender = false;
+const deviceTokenSchema = z.object({
+	device_code: z.string().min(1),
+	grant_type: z.string().min(1)
+});
+const POST = async ({ request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	try {
+		const body = await parseBody(request, deviceTokenSchema);
+		if (isParseError(body)) return body;
+		const ip = getClientIp(request, getTrustedProxyHeaders(dineway.config));
+		if (!(await checkRateLimit(dineway.db, ip, "device/token", 12, 60)).allowed) return rateLimitResponse(60);
+		const result = await handleDeviceTokenExchange(dineway.db, body);
+		if (!result.success && result.deviceFlowError) {
+			const errorBody = { error: result.deviceFlowError };
+			if (result.deviceFlowInterval !== void 0) errorBody.interval = result.deviceFlowInterval;
+			return Response.json(errorBody, {
+				status: 400,
+				headers: {
+					"Content-Type": "application/json",
+					"Cache-Control": "no-store",
+					Pragma: "no-cache"
+				}
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to exchange device code", "TOKEN_EXCHANGE_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/register.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/register.d.ts
+declare const prerender = false;
+declare const OPTIONS: APIRoute;
+declare const POST: APIRoute;
+//#endregion
+export { OPTIONS, POST, prerender };

package/dist/astro/routes/api/oauth/register.mjs ADDED Viewed

@@ -0,0 +1,115 @@
+import { r as handleError, t as apiError } from "../../../../error-DEGjx2Xw.mjs";
+import { o as getExperimentalSiteContextWorkflowScopesDisabledMessage, r as disabledExperimentalSiteContextWorkflowScopes } from "../../../../experimental-workflows-DldxJlqV.mjs";
+import "../../../../api-tokens-DzloJxuh.mjs";
+import { t as handleOAuthClientCreate } from "../../../../oauth-clients-CvWatf5p.mjs";
+//#region src/astro/routes/api/oauth/register.ts
+const prerender = false;
+const OAUTH_REGISTRATION_HEADERS = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*"
+};
+const OAUTH_PREFLIGHT_HEADERS = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400"
+};
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code"
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+function registrationError(description, status = 400) {
+	return Response.json({
+		error: "invalid_client_metadata",
+		error_description: description
+	}, {
+		status,
+		headers: OAUTH_REGISTRATION_HEADERS
+	});
+}
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+function parseScope(value) {
+	if (value === void 0) return void 0;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : void 0;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : void 0;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+function parseSupportedStringArray(value, field, supported) {
+	if (value === void 0) return void 0;
+	if (!isStringArray(value)) return registrationError(`${field} must be an array of strings`);
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	return value;
+}
+const OPTIONS = () => {
+	return new Response(null, {
+		status: 204,
+		headers: OAUTH_PREFLIGHT_HEADERS
+	});
+};
+const POST = async ({ request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	try {
+		let body;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+		if (!isRecord(body)) return registrationError("Request body must be a JSON object");
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) return registrationError("redirect_uris must be a non-empty array of strings");
+		if (body.token_endpoint_auth_method !== void 0 && body.token_endpoint_auth_method !== "none") return registrationError("Only token_endpoint_auth_method=none is supported");
+		const grantTypes = parseSupportedStringArray(body.grant_types, "grant_types", SUPPORTED_GRANT_TYPES);
+		if (grantTypes instanceof Response) return grantTypes;
+		const responseTypes = parseSupportedStringArray(body.response_types, "response_types", SUPPORTED_RESPONSE_TYPES);
+		if (responseTypes instanceof Response) return responseTypes;
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) return scopes;
+		if (scopes) {
+			if (disabledExperimentalSiteContextWorkflowScopes(scopes).length > 0) return registrationError(getExperimentalSiteContextWorkflowScopesDisabledMessage());
+		}
+		const clientId = crypto.randomUUID();
+		const clientName = typeof body.client_name === "string" && body.client_name ? body.client_name : `dynamic-${clientId.slice(0, 8)}`;
+		const result = await handleOAuthClientCreate(dineway.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes
+		});
+		if (!result.success) return registrationError(result.error.message);
+		return Response.json({
+			client_id: result.data.id,
+			client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1e3),
+			redirect_uris: result.data.redirectUris,
+			client_name: result.data.name,
+			grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+			response_types: responseTypes ?? ["code"],
+			token_endpoint_auth_method: "none",
+			scope: result.data.scopes ? result.data.scopes.join(" ") : void 0
+		}, {
+			status: 201,
+			headers: OAUTH_REGISTRATION_HEADERS
+		});
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};
+//#endregion
+export { OPTIONS, POST, prerender };

package/dist/astro/routes/api/oauth/token/refresh.d.mts ADDED Viewed

@@ -0,0 +1,7 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/token/refresh.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/token/refresh.mjs ADDED Viewed

@@ -0,0 +1,28 @@
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-DEGjx2Xw.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BeQXIt1U.mjs";
+import "../../../../../api-tokens-DzloJxuh.mjs";
+import "../../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { i as handleTokenRefresh } from "../../../../../device-flow-7AhWNwCK.mjs";
+import { z } from "zod";
+//#region src/astro/routes/api/oauth/token/refresh.ts
+const prerender = false;
+const refreshSchema = z.object({
+	refresh_token: z.string().min(1),
+	grant_type: z.string().min(1)
+});
+const POST = async ({ request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	try {
+		const body = await parseBody(request, refreshSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleTokenRefresh(dineway.db, body));
+	} catch (error) {
+		return handleError(error, "Failed to refresh token", "TOKEN_REFRESH_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/token/revoke.d.mts ADDED Viewed

@@ -0,0 +1,7 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/token/revoke.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/token/revoke.mjs ADDED Viewed

@@ -0,0 +1,25 @@
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-DEGjx2Xw.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BeQXIt1U.mjs";
+import "../../../../../api-tokens-DzloJxuh.mjs";
+import "../../../../../oauth-clients-CvWatf5p.mjs";
+import "../../../../../oauth-user-lookup-B4OcmsLV.mjs";
+import { a as handleTokenRevoke } from "../../../../../device-flow-7AhWNwCK.mjs";
+import { z } from "zod";
+//#region src/astro/routes/api/oauth/token/revoke.ts
+const prerender = false;
+const revokeSchema = z.object({ token: z.string().min(1) });
+const POST = async ({ request, locals }) => {
+	const { dineway } = locals;
+	if (!dineway?.db) return apiError("NOT_CONFIGURED", "Dineway is not initialized", 500);
+	try {
+		const body = await parseBody(request, revokeSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleTokenRevoke(dineway.db, body));
+	} catch (error) {
+		return handleError(error, "Failed to revoke token", "TOKEN_REVOKE_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };

package/dist/astro/routes/api/oauth/token.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/oauth/token.d.ts
+declare const prerender = false;
+declare const OPTIONS: APIRoute;
+declare const POST: APIRoute;
+//#endregion
+export { OPTIONS, POST, prerender };