emdash 0.12.0 → 0.13.0

package/dist/astro/routes/api/oauth/authorize.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.mjs","names":[],"sources":["../../../../../src/astro/routes/api/oauth/authorize.ts"],"sourcesContent":["/**\n * GET/POST /_emdash/oauth/authorize\n *\n * OAuth 2.1 Authorization Endpoint. Handles both the consent page (GET)\n * and consent submission (POST).\n *\n * GET: Renders an HTML consent page showing which client is requesting\n *      access and which scopes are being requested.\n * POST: Processes the user's decision (approve/deny) and redirects\n *       to the client's redirect_uri with an authorization code or error.\n *\n * Requires an authenticated session (not token auth). If unauthenticated,\n * redirects to login with a return URL.\n */\n\nimport type { APIRoute } from \"astro\";\n\nimport { escapeHtml } from \"#api/escape.js\";\nimport {\n\tbuildDeniedRedirect,\n\thandleAuthorizationApproval,\n\tvalidateRedirectUri,\n} from \"#api/handlers/oauth-authorization.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"#api/handlers/oauth-clients.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { VALID_SCOPES } from \"#auth/api-tokens.js\";\n\nexport const prerender = false;\n\n// ---------------------------------------------------------------------------\n// CSRF (SEC-18): Double-submit cookie pattern\n// ---------------------------------------------------------------------------\n\nconst CSRF_COOKIE_NAME = \"emdash_oauth_csrf\";\n\n/** Generate a 32-byte random token as hex. */\nfunction generateCsrfToken(): string {\n\tconst bytes = new Uint8Array(32);\n\tcrypto.getRandomValues(bytes);\n\treturn Array.from(bytes, (b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\n/** Build the Set-Cookie header value for the CSRF token. */\nfunction csrfCookieHeader(token: string, request: Request, siteUrl?: string): string {\n\t// SameSite=Strict prevents cross-site form submission.\n\t// HttpOnly: the token value is embedded in the form hidden field server-side,\n\t// so JS never needs to read the cookie. HttpOnly adds defense-in-depth.\n\t// Secure is set when:\n\t//   - siteUrl is configured and uses https (proxy case — request may be http internally), OR\n\t//   - the actual request is over https (non-proxy case, preserve existing behaviour)\n\tconst isSecure = siteUrl\n\t\t? siteUrl.startsWith(\"https:\")\n\t\t: new URL(request.url).protocol === \"https:\";\n\tconst secure = isSecure ? \"; Secure\" : \"\";\n\treturn `${CSRF_COOKIE_NAME}=${token}; Path=/_emdash/oauth/authorize; HttpOnly; SameSite=Strict${secure}`;\n}\n\n/** Extract the CSRF token from the request's cookies. */\nfunction getCsrfCookie(request: Request): string | null {\n\tconst cookieHeader = request.headers.get(\"Cookie\");\n\tif (!cookieHeader) return null;\n\tconst match = cookieHeader.match(new RegExp(`(?:^|;\\\\s*)${CSRF_COOKIE_NAME}=([^;]+)`));\n\treturn match?.[1] ?? null;\n}\n\n// ---------------------------------------------------------------------------\n// Human-readable scope labels\n// ---------------------------------------------------------------------------\n\nconst SCOPE_LABELS: Record<string, string> = {\n\t\"content:read\": \"Read content (posts, pages, etc.)\",\n\t\"content:write\": \"Create, edit, and delete content\",\n\t\"media:read\": \"View media files\",\n\t\"media:write\": \"Upload and manage media files\",\n\t\"schema:read\": \"View collection schemas\",\n\t\"schema:write\": \"Create and modify collection schemas\",\n\tadmin: \"Full administrative access\",\n};\n\n// ---------------------------------------------------------------------------\n// GET: Render consent page\n// ---------------------------------------------------------------------------\n\nexport const GET: APIRoute = async ({ url, request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\t// Validate required OAuth params before rendering\n\tconst clientId = url.searchParams.get(\"client_id\");\n\tconst redirectUri = url.searchParams.get(\"redirect_uri\");\n\tconst responseType = url.searchParams.get(\"response_type\");\n\tconst codeChallenge = url.searchParams.get(\"code_challenge\");\n\tconst codeChallengeMethod = url.searchParams.get(\"code_challenge_method\");\n\tconst scope = url.searchParams.get(\"scope\");\n\tconst state = url.searchParams.get(\"state\");\n\n\t// Basic validation — detailed validation happens on POST\n\tif (!clientId || !redirectUri || responseType !== \"code\" || !codeChallenge) {\n\t\treturn new Response(\n\t\t\trenderErrorPage(\"Invalid authorization request. Missing required parameters.\"),\n\t\t\t{\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t},\n\t\t);\n\t}\n\n\tif (codeChallengeMethod && codeChallengeMethod !== \"S256\") {\n\t\treturn new Response(renderErrorPage(\"Only S256 code challenge method is supported.\"), {\n\t\t\tstatus: 400,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\t// Validate client_id is registered and redirect_uri is in the allowlist.\n\t// This check happens BEFORE authentication so we never redirect to an\n\t// unregistered URI (even for the login redirect, we only redirect to our\n\t// own login page, not to the client's redirect_uri).\n\tif (emdash?.db) {\n\t\tconst client = await lookupOAuthClient(emdash.db, clientId);\n\t\tif (!client) {\n\t\t\treturn new Response(renderErrorPage(\"Unknown client application.\"), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\n\t\tconst clientUriError = validateClientRedirectUri(redirectUri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn new Response(renderErrorPage(\"The redirect URI is not registered for this client.\"), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\t}\n\n\t// If not authenticated, redirect to login with return URL\n\tif (!user) {\n\t\tconst loginUrl = new URL(\"/_emdash/admin/login\", getPublicOrigin(url, emdash?.config));\n\t\tloginUrl.searchParams.set(\"redirect\", url.pathname + url.search);\n\t\treturn Response.redirect(loginUrl.toString(), 302);\n\t}\n\n\t// Parse and validate scopes\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst requestedScopes = (scope ?? \"\")\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\tif (requestedScopes.length === 0) {\n\t\treturn new Response(renderErrorPage(\"No valid scopes requested.\"), {\n\t\t\tstatus: 400,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\t// SEC-18: Generate CSRF token for the consent form (double-submit cookie pattern)\n\tconst csrfToken = generateCsrfToken();\n\n\t// Render the consent page\n\tconst html = renderConsentPage({\n\t\tclientId,\n\t\tscopes: requestedScopes,\n\t\tredirectUri,\n\t\tresponseType,\n\t\tcodeChallenge,\n\t\tcodeChallengeMethod: codeChallengeMethod ?? \"S256\",\n\t\tstate: state ?? \"\",\n\t\tresource: url.searchParams.get(\"resource\") ?? \"\",\n\t\tuserName: user.name ?? user.email,\n\t\tcsrfToken,\n\t});\n\n\treturn new Response(html, {\n\t\theaders: {\n\t\t\t\"Content-Type\": \"text/html; charset=utf-8\",\n\t\t\t\"Set-Cookie\": csrfCookieHeader(csrfToken, request, getPublicOrigin(url, emdash?.config)),\n\t\t},\n\t});\n};\n\n// ---------------------------------------------------------------------------\n// POST: Process consent\n// ---------------------------------------------------------------------------\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn new Response(renderErrorPage(\"EmDash is not initialized.\"), {\n\t\t\tstatus: 500,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\tif (!user) {\n\t\treturn new Response(renderErrorPage(\"Authentication required.\"), {\n\t\t\tstatus: 401,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\tconst formData = await request.formData();\n\tconst field = (name: string, fallback = \"\"): string => {\n\t\tconst v = formData.get(name);\n\t\treturn typeof v === \"string\" ? v : fallback;\n\t};\n\n\t// SEC-18: Validate CSRF token (double-submit cookie pattern).\n\t// The form includes a hidden csrf_token field; the cookie has the same value.\n\t// An attacker cannot read the cookie to forge the form field (HttpOnly + SameSite=Strict).\n\tconst formCsrf = field(\"csrf_token\");\n\tconst cookieCsrf = getCsrfCookie(request);\n\tconst csrfError = new Response(\n\t\trenderErrorPage(\"Invalid or missing CSRF token. Please try again.\"),\n\t\t{ status: 403, headers: { \"Content-Type\": \"text/html; charset=utf-8\" } },\n\t);\n\tif (!formCsrf || !cookieCsrf) return csrfError;\n\n\t// Constant-time comparison: hash both values to fixed-length 32-byte digests,\n\t// then XOR every byte pair. This avoids crypto.subtle.timingSafeEqual which is\n\t// a Cloudflare Workers extension and doesn't exist in Node.js.\n\t// The SHA-256 pre-hash ensures fixed length, eliminating length-leaking.\n\tconst csrfEncoder = new TextEncoder();\n\tconst [csrfHashA, csrfHashB] = await Promise.all([\n\t\tcrypto.subtle.digest(\"SHA-256\", csrfEncoder.encode(formCsrf)),\n\t\tcrypto.subtle.digest(\"SHA-256\", csrfEncoder.encode(cookieCsrf)),\n\t]);\n\tconst a = new Uint8Array(csrfHashA);\n\tconst b = new Uint8Array(csrfHashB);\n\tlet diff = 0;\n\t// eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion -- tsgo needs these\n\tfor (let i = 0; i < a.length; i++) diff |= a[i]! ^ b[i]!;\n\tif (diff !== 0) return csrfError;\n\n\tconst action = field(\"action\");\n\tconst redirectUri = field(\"redirect_uri\");\n\tconst state = field(\"state\") || undefined;\n\n\tif (!redirectUri) {\n\t\treturn new Response(renderErrorPage(\"Missing redirect_uri.\"), {\n\t\t\tstatus: 400,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\t// Validate redirect_uri scheme/host before using it for any redirect\n\tconst uriError = validateRedirectUri(redirectUri);\n\tif (uriError) {\n\t\treturn new Response(renderErrorPage(escapeHtml(uriError)), {\n\t\t\tstatus: 400,\n\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t});\n\t}\n\n\t// User denied — SEC-44: validate redirect_uri against client's registered URIs\n\t// before redirecting, to prevent open redirect on the deny path.\n\tif (action === \"deny\") {\n\t\tconst clientId = field(\"client_id\");\n\t\tif (!clientId) {\n\t\t\treturn new Response(renderErrorPage(\"Missing client_id.\"), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\n\t\tconst client = await lookupOAuthClient(emdash.db, clientId);\n\t\tif (!client) {\n\t\t\treturn new Response(renderErrorPage(\"Unknown client application.\"), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\n\t\tconst clientUriError = validateClientRedirectUri(redirectUri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn new Response(renderErrorPage(\"The redirect URI is not registered for this client.\"), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\n\t\tconst denyUrl = buildDeniedRedirect(redirectUri, state);\n\t\treturn Response.redirect(denyUrl, 302);\n\t}\n\n\t// User approved — process the authorization\n\tconst result = await handleAuthorizationApproval(emdash.db, user.id, user.role, {\n\t\tresponse_type: field(\"response_type\", \"code\"),\n\t\tclient_id: field(\"client_id\"),\n\t\tredirect_uri: redirectUri,\n\t\tscope: field(\"scope\"),\n\t\tstate,\n\t\tcode_challenge: field(\"code_challenge\"),\n\t\tcode_challenge_method: field(\"code_challenge_method\", \"S256\"),\n\t\tresource: field(\"resource\") || undefined,\n\t});\n\n\tif (!result.success) {\n\t\tconst errMsg = result.error?.message ?? \"Authorization failed\";\n\t\t// On error, redirect back with error params — use generic description to avoid\n\t\t// leaking internal error details to the (already-validated) redirect target\n\t\ttry {\n\t\t\tconst errorUrl = new URL(redirectUri);\n\t\t\terrorUrl.searchParams.set(\"error\", \"server_error\");\n\t\t\terrorUrl.searchParams.set(\"error_description\", \"Authorization failed\");\n\t\t\tif (state) errorUrl.searchParams.set(\"state\", state);\n\t\t\treturn Response.redirect(errorUrl.toString(), 302);\n\t\t} catch {\n\t\t\treturn new Response(renderErrorPage(escapeHtml(errMsg)), {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: { \"Content-Type\": \"text/html; charset=utf-8\" },\n\t\t\t});\n\t\t}\n\t}\n\n\treturn Response.redirect(result.data.redirect_url, 302);\n};\n\n// ---------------------------------------------------------------------------\n// HTML rendering\n// ---------------------------------------------------------------------------\n\nfunction renderConsentPage(params: {\n\tclientId: string;\n\tscopes: string[];\n\tredirectUri: string;\n\tresponseType: string;\n\tcodeChallenge: string;\n\tcodeChallengeMethod: string;\n\tstate: string;\n\tresource: string;\n\tuserName: string;\n\tcsrfToken: string;\n}): string {\n\tconst scopeList = params.scopes\n\t\t.map((s) => {\n\t\t\tconst label = SCOPE_LABELS[s] ?? s;\n\t\t\treturn `<li>${escapeHtml(label)}</li>`;\n\t\t})\n\t\t.join(\"\\n\");\n\n\treturn `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Authorize Application — EmDash</title>\n<style>\n  * { margin: 0; padding: 0; box-sizing: border-box; }\n  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }\n  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }\n  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 0.5rem; }\n  .client-id { color: #a3a3a3; font-size: 0.875rem; word-break: break-all; margin-bottom: 1.5rem; }\n  .user { color: #a3a3a3; font-size: 0.875rem; margin-bottom: 1rem; }\n  h2 { font-size: 0.875rem; font-weight: 500; color: #a3a3a3; text-transform: uppercase; letter-spacing: 0.05em; margin-bottom: 0.75rem; }\n  ul { list-style: none; margin-bottom: 1.5rem; }\n  li { padding: 0.5rem 0; border-bottom: 1px solid #262626; font-size: 0.875rem; }\n  li:last-child { border-bottom: none; }\n  .actions { display: flex; gap: 0.75rem; }\n  button { flex: 1; padding: 0.625rem 1rem; border-radius: 8px; border: none; font-size: 0.875rem; font-weight: 500; cursor: pointer; }\n  .approve { background: #2563eb; color: white; }\n  .approve:hover { background: #1d4ed8; }\n  .deny { background: #262626; color: #e5e5e5; }\n  .deny:hover { background: #333; }\n</style>\n</head>\n<body>\n<div class=\"card\">\n  <h1>Authorize Application</h1>\n  <p class=\"client-id\">${escapeHtml(params.clientId)}</p>\n  <p class=\"user\">Signed in as <strong>${escapeHtml(params.userName)}</strong></p>\n  <h2>Permissions requested</h2>\n  <ul>${scopeList}</ul>\n  <form method=\"POST\">\n    <input type=\"hidden\" name=\"csrf_token\" value=\"${escapeHtml(params.csrfToken)}\">\n    <input type=\"hidden\" name=\"response_type\" value=\"${escapeHtml(params.responseType)}\">\n    <input type=\"hidden\" name=\"client_id\" value=\"${escapeHtml(params.clientId)}\">\n    <input type=\"hidden\" name=\"redirect_uri\" value=\"${escapeHtml(params.redirectUri)}\">\n    <input type=\"hidden\" name=\"scope\" value=\"${escapeHtml(params.scopes.join(\" \"))}\">\n    <input type=\"hidden\" name=\"state\" value=\"${escapeHtml(params.state)}\">\n    <input type=\"hidden\" name=\"code_challenge\" value=\"${escapeHtml(params.codeChallenge)}\">\n    <input type=\"hidden\" name=\"code_challenge_method\" value=\"${escapeHtml(params.codeChallengeMethod)}\">\n    <input type=\"hidden\" name=\"resource\" value=\"${escapeHtml(params.resource)}\">\n    <div class=\"actions\">\n      <button type=\"submit\" name=\"action\" value=\"deny\" class=\"deny\">Deny</button>\n      <button type=\"submit\" name=\"action\" value=\"approve\" class=\"approve\">Approve</button>\n    </div>\n  </form>\n</div>\n</body>\n</html>`;\n}\n\nfunction renderErrorPage(message: string): string {\n\treturn `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Authorization Error — EmDash</title>\n<style>\n  * { margin: 0; padding: 0; box-sizing: border-box; }\n  body { font-family: system-ui, -apple-system, sans-serif; background: #0a0a0a; color: #e5e5e5; display: flex; justify-content: center; align-items: center; min-height: 100vh; padding: 1rem; }\n  .card { background: #171717; border: 1px solid #262626; border-radius: 12px; max-width: 420px; width: 100%; padding: 2rem; }\n  h1 { font-size: 1.25rem; font-weight: 600; margin-bottom: 1rem; color: #ef4444; }\n  p { font-size: 0.875rem; color: #a3a3a3; }\n</style>\n</head>\n<body>\n<div class=\"card\">\n  <h1>Authorization Error</h1>\n  <p>${escapeHtml(message)}</p>\n</div>\n</body>\n</html>`;\n}\n"],"mappings":";;;;;;;;AA2BA,MAAa,YAAY;AAMzB,MAAM,mBAAmB;;AAGzB,SAAS,oBAA4B;CACpC,MAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,QAAO,gBAAgB,MAAM;AAC7B,QAAO,MAAM,KAAK,QAAQ,MAAM,EAAE,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,KAAK,GAAG;;;AAI1E,SAAS,iBAAiB,OAAe,SAAkB,SAA0B;AAWpF,QAAO,GAAG,iBAAiB,GAAG,MAAM,6DAJnB,UACd,QAAQ,WAAW,SAAS,GAC5B,IAAI,IAAI,QAAQ,IAAI,CAAC,aAAa,YACX,aAAa;;;AAKxC,SAAS,cAAc,SAAiC;CACvD,MAAM,eAAe,QAAQ,QAAQ,IAAI,SAAS;AAClD,KAAI,CAAC,aAAc,QAAO;AAE1B,QADc,aAAa,MAAM,IAAI,OAAO,cAAc,iBAAiB,UAAU,CAAC,GACvE,MAAM;;AAOtB,MAAM,eAAuC;CAC5C,gBAAgB;CAChB,iBAAiB;CACjB,cAAc;CACd,eAAe;CACf,eAAe;CACf,gBAAgB;CAChB,OAAO;CACP;AAMD,MAAa,MAAgB,OAAO,EAAE,KAAK,SAAS,aAAa;CAChE,MAAM,EAAE,QAAQ,SAAS;CAGzB,MAAM,WAAW,IAAI,aAAa,IAAI,YAAY;CAClD,MAAM,cAAc,IAAI,aAAa,IAAI,eAAe;CACxD,MAAM,eAAe,IAAI,aAAa,IAAI,gBAAgB;CAC1D,MAAM,gBAAgB,IAAI,aAAa,IAAI,iBAAiB;CAC5D,MAAM,sBAAsB,IAAI,aAAa,IAAI,wBAAwB;CACzE,MAAM,QAAQ,IAAI,aAAa,IAAI,QAAQ;CAC3C,MAAM,QAAQ,IAAI,aAAa,IAAI,QAAQ;AAG3C,KAAI,CAAC,YAAY,CAAC,eAAe,iBAAiB,UAAU,CAAC,cAC5D,QAAO,IAAI,SACV,gBAAgB,8DAA8D,EAC9E;EACC,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CACD;AAGF,KAAI,uBAAuB,wBAAwB,OAClD,QAAO,IAAI,SAAS,gBAAgB,gDAAgD,EAAE;EACrF,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;AAOH,KAAI,QAAQ,IAAI;EACf,MAAM,SAAS,MAAM,kBAAkB,OAAO,IAAI,SAAS;AAC3D,MAAI,CAAC,OACJ,QAAO,IAAI,SAAS,gBAAgB,8BAA8B,EAAE;GACnE,QAAQ;GACR,SAAS,EAAE,gBAAgB,4BAA4B;GACvD,CAAC;AAIH,MADuB,0BAA0B,aAAa,OAAO,aAAa,CAEjF,QAAO,IAAI,SAAS,gBAAgB,sDAAsD,EAAE;GAC3F,QAAQ;GACR,SAAS,EAAE,gBAAgB,4BAA4B;GACvD,CAAC;;AAKJ,KAAI,CAAC,MAAM;EACV,MAAM,WAAW,IAAI,IAAI,wBAAwB,gBAAgB,KAAK,QAAQ,OAAO,CAAC;AACtF,WAAS,aAAa,IAAI,YAAY,IAAI,WAAW,IAAI,OAAO;AAChE,SAAO,SAAS,SAAS,SAAS,UAAU,EAAE,IAAI;;CAInD,MAAM,WAAW,IAAI,IAAY,aAAa;CAC9C,MAAM,mBAAmB,SAAS,IAChC,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;AAEhC,KAAI,gBAAgB,WAAW,EAC9B,QAAO,IAAI,SAAS,gBAAgB,6BAA6B,EAAE;EAClE,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;CAIH,MAAM,YAAY,mBAAmB;CAGrC,MAAM,OAAO,kBAAkB;EAC9B;EACA,QAAQ;EACR;EACA;EACA;EACA,qBAAqB,uBAAuB;EAC5C,OAAO,SAAS;EAChB,UAAU,IAAI,aAAa,IAAI,WAAW,IAAI;EAC9C,UAAU,KAAK,QAAQ,KAAK;EAC5B;EACA,CAAC;AAEF,QAAO,IAAI,SAAS,MAAM,EACzB,SAAS;EACR,gBAAgB;EAChB,cAAc,iBAAiB,WAAW,SAAS,gBAAgB,KAAK,QAAQ,OAAO,CAAC;EACxF,EACD,CAAC;;AAOH,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,IAAI,SAAS,gBAAgB,6BAA6B,EAAE;EAClE,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;AAGH,KAAI,CAAC,KACJ,QAAO,IAAI,SAAS,gBAAgB,2BAA2B,EAAE;EAChE,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;CAGH,MAAM,WAAW,MAAM,QAAQ,UAAU;CACzC,MAAM,SAAS,MAAc,WAAW,OAAe;EACtD,MAAM,IAAI,SAAS,IAAI,KAAK;AAC5B,SAAO,OAAO,MAAM,WAAW,IAAI;;CAMpC,MAAM,WAAW,MAAM,aAAa;CACpC,MAAM,aAAa,cAAc,QAAQ;CACzC,MAAM,YAAY,IAAI,SACrB,gBAAgB,mDAAmD,EACnE;EAAE,QAAQ;EAAK,SAAS,EAAE,gBAAgB,4BAA4B;EAAE,CACxE;AACD,KAAI,CAAC,YAAY,CAAC,WAAY,QAAO;CAMrC,MAAM,cAAc,IAAI,aAAa;CACrC,MAAM,CAAC,WAAW,aAAa,MAAM,QAAQ,IAAI,CAChD,OAAO,OAAO,OAAO,WAAW,YAAY,OAAO,SAAS,CAAC,EAC7D,OAAO,OAAO,OAAO,WAAW,YAAY,OAAO,WAAW,CAAC,CAC/D,CAAC;CACF,MAAM,IAAI,IAAI,WAAW,UAAU;CACnC,MAAM,IAAI,IAAI,WAAW,UAAU;CACnC,IAAI,OAAO;AAEX,MAAK,IAAI,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,SAAQ,EAAE,KAAM,EAAE;AACrD,KAAI,SAAS,EAAG,QAAO;CAEvB,MAAM,SAAS,MAAM,SAAS;CAC9B,MAAM,cAAc,MAAM,eAAe;CACzC,MAAM,QAAQ,MAAM,QAAQ,IAAI;AAEhC,KAAI,CAAC,YACJ,QAAO,IAAI,SAAS,gBAAgB,wBAAwB,EAAE;EAC7D,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;CAIH,MAAM,WAAW,oBAAoB,YAAY;AACjD,KAAI,SACH,QAAO,IAAI,SAAS,gBAAgB,WAAW,SAAS,CAAC,EAAE;EAC1D,QAAQ;EACR,SAAS,EAAE,gBAAgB,4BAA4B;EACvD,CAAC;AAKH,KAAI,WAAW,QAAQ;EACtB,MAAM,WAAW,MAAM,YAAY;AACnC,MAAI,CAAC,SACJ,QAAO,IAAI,SAAS,gBAAgB,qBAAqB,EAAE;GAC1D,QAAQ;GACR,SAAS,EAAE,gBAAgB,4BAA4B;GACvD,CAAC;EAGH,MAAM,SAAS,MAAM,kBAAkB,OAAO,IAAI,SAAS;AAC3D,MAAI,CAAC,OACJ,QAAO,IAAI,SAAS,gBAAgB,8BAA8B,EAAE;GACnE,QAAQ;GACR,SAAS,EAAE,gBAAgB,4BAA4B;GACvD,CAAC;AAIH,MADuB,0BAA0B,aAAa,OAAO,aAAa,CAEjF,QAAO,IAAI,SAAS,gBAAgB,sDAAsD,EAAE;GAC3F,QAAQ;GACR,SAAS,EAAE,gBAAgB,4BAA4B;GACvD,CAAC;EAGH,MAAM,UAAU,oBAAoB,aAAa,MAAM;AACvD,SAAO,SAAS,SAAS,SAAS,IAAI;;CAIvC,MAAM,SAAS,MAAM,4BAA4B,OAAO,IAAI,KAAK,IAAI,KAAK,MAAM;EAC/E,eAAe,MAAM,iBAAiB,OAAO;EAC7C,WAAW,MAAM,YAAY;EAC7B,cAAc;EACd,OAAO,MAAM,QAAQ;EACrB;EACA,gBAAgB,MAAM,iBAAiB;EACvC,uBAAuB,MAAM,yBAAyB,OAAO;EAC7D,UAAU,MAAM,WAAW,IAAI;EAC/B,CAAC;AAEF,KAAI,CAAC,OAAO,SAAS;EACpB,MAAM,SAAS,OAAO,OAAO,WAAW;AAGxC,MAAI;GACH,MAAM,WAAW,IAAI,IAAI,YAAY;AACrC,YAAS,aAAa,IAAI,SAAS,eAAe;AAClD,YAAS,aAAa,IAAI,qBAAqB,uBAAuB;AACtE,OAAI,MAAO,UAAS,aAAa,IAAI,SAAS,MAAM;AACpD,UAAO,SAAS,SAAS,SAAS,UAAU,EAAE,IAAI;UAC3C;AACP,UAAO,IAAI,SAAS,gBAAgB,WAAW,OAAO,CAAC,EAAE;IACxD,QAAQ;IACR,SAAS,EAAE,gBAAgB,4BAA4B;IACvD,CAAC;;;AAIJ,QAAO,SAAS,SAAS,OAAO,KAAK,cAAc,IAAI;;AAOxD,SAAS,kBAAkB,QAWhB;CACV,MAAM,YAAY,OAAO,OACvB,KAAK,MAAM;AAEX,SAAO,OAAO,WADA,aAAa,MAAM,EACF,CAAC;GAC/B,CACD,KAAK,KAAK;AAEZ,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBA4BiB,WAAW,OAAO,SAAS,CAAC;yCACZ,WAAW,OAAO,SAAS,CAAC;;QAE7D,UAAU;;oDAEkC,WAAW,OAAO,UAAU,CAAC;uDAC1B,WAAW,OAAO,aAAa,CAAC;mDACpC,WAAW,OAAO,SAAS,CAAC;sDACzB,WAAW,OAAO,YAAY,CAAC;+CACtC,WAAW,OAAO,OAAO,KAAK,IAAI,CAAC,CAAC;+CACpC,WAAW,OAAO,MAAM,CAAC;wDAChB,WAAW,OAAO,cAAc,CAAC;+DAC1B,WAAW,OAAO,oBAAoB,CAAC;kDACpD,WAAW,OAAO,SAAS,CAAC;;;;;;;;;;AAW9E,SAAS,gBAAgB,SAAyB;AACjD,QAAO;;;;;;;;;;;;;;;;;OAiBD,WAAW,QAAQ,CAAC"}

package/dist/astro/routes/api/oauth/device/authorize.d.mts

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/device/authorize.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=authorize.d.mts.map

package/dist/astro/routes/api/oauth/device/authorize.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/authorize.ts"],"mappings":";;;cAgBa,SAAA;AAAA,cAOA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/device/authorize.mjs

@@ -0,0 +1,32 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import "../../../../../api-tokens-D3C9v02m.mjs";
+import "../../../../../oauth-user-lookup-meyS2oB1.mjs";
+import { t as handleDeviceAuthorize } from "../../../../../device-flow-BqJRxa0Q.mjs";
+import { z } from "zod";
+
+//#region src/astro/routes/api/oauth/device/authorize.ts
+const prerender = false;
+const authorizeSchema = z.object({
+	user_code: z.string().min(1),
+	action: z.enum(["approve", "deny"]).optional()
+});
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	const { user } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Authentication required", 401);
+	try {
+		const body = await parseBody(request, authorizeSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleDeviceAuthorize(emdash.db, user.id, user.role, body));
+	} catch (error) {
+		return handleError(error, "Failed to authorize device", "AUTHORIZE_ERROR");
+	}
+};
+
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=authorize.mjs.map

package/dist/astro/routes/api/oauth/device/authorize.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/authorize.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/device/authorize\n *\n * User submits the user code after logging in via the browser.\n * This endpoint requires authentication (the user must be logged in).\n */\n\n/// <reference types=\"emdash/locals\" />\n\nimport type { APIRoute } from \"astro\";\nimport { z } from \"zod\";\n\nimport { apiError, handleError, unwrapResult } from \"#api/error.js\";\nimport { handleDeviceAuthorize } from \"#api/handlers/device-flow.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\n\nexport const prerender = false;\n\nconst authorizeSchema = z.object({\n\tuser_code: z.string().min(1),\n\taction: z.enum([\"approve\", \"deny\"]).optional(),\n});\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\tconst { user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Authentication required\", 401);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, authorizeSchema);\n\t\tif (isParseError(body)) return body;\n\n\t\tconst result = await handleDeviceAuthorize(emdash.db, user.id, user.role, body);\n\t\treturn unwrapResult(result);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to authorize device\", \"AUTHORIZE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;AAgBA,MAAa,YAAY;AAEzB,MAAM,kBAAkB,EAAE,OAAO;CAChC,WAAW,EAAE,QAAQ,CAAC,IAAI,EAAE;CAC5B,QAAQ,EAAE,KAAK,CAAC,WAAW,OAAO,CAAC,CAAC,UAAU;CAC9C,CAAC;AAEF,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;CACnB,MAAM,EAAE,SAAS;AAEjB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,2BAA2B,IAAI;AAGrE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,gBAAgB;AACtD,MAAI,aAAa,KAAK,CAAE,QAAO;AAG/B,SAAO,aADQ,MAAM,sBAAsB,OAAO,IAAI,KAAK,IAAI,KAAK,MAAM,KAAK,CACpD;UACnB,OAAO;AACf,SAAO,YAAY,OAAO,8BAA8B,kBAAkB"}

package/dist/astro/routes/api/oauth/device/code.d.mts

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/device/code.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=code.d.mts.map

package/dist/astro/routes/api/oauth/device/code.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/code.ts"],"mappings":";;;cAmBa,SAAA;AAAA,cAOA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/device/code.mjs

@@ -0,0 +1,36 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-CJhQIk65.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-CseXl9Fv.mjs";
+import "../../../../../api-tokens-D3C9v02m.mjs";
+import "../../../../../oauth-user-lookup-meyS2oB1.mjs";
+import { n as handleDeviceCodeRequest } from "../../../../../device-flow-BqJRxa0Q.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-t5CVjCO6.mjs";
+import { z } from "zod";
+
+//#region src/astro/routes/api/oauth/device/code.ts
+const prerender = false;
+const deviceCodeSchema = z.object({
+	client_id: z.string().optional(),
+	scope: z.string().optional()
+});
+const POST = async ({ request, locals, url }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		const body = await parseBody(request, deviceCodeSchema);
+		if (isParseError(body)) return body;
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
+		if (!(await checkRateLimit(emdash.db, ip, "device/code", 10, 60)).allowed) return rateLimitResponse(60);
+		const verificationUri = new URL("/_emdash/admin/device", getPublicOrigin(url, emdash?.config)).toString();
+		return unwrapResult(await handleDeviceCodeRequest(emdash.db, body, verificationUri));
+	} catch (error) {
+		return handleError(error, "Failed to create device code", "DEVICE_CODE_ERROR");
+	}
+};
+
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=code.mjs.map

package/dist/astro/routes/api/oauth/device/code.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/code.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/device/code\n *\n * Issue a device code + user code for the OAuth Device Flow.\n * This is an unauthenticated endpoint (the CLI doesn't have a token yet).\n *\n * Rate limited: 10 requests per minute per IP.\n */\n\nimport type { APIRoute } from \"astro\";\nimport { z } from \"zod\";\n\nimport { apiError, handleError, unwrapResult } from \"#api/error.js\";\nimport { handleDeviceCodeRequest } from \"#api/handlers/device-flow.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { checkRateLimit, getClientIp, rateLimitResponse } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\n\nexport const prerender = false;\n\nconst deviceCodeSchema = z.object({\n\tclient_id: z.string().optional(),\n\tscope: z.string().optional(),\n});\n\nexport const POST: APIRoute = async ({ request, locals, url }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, deviceCodeSchema);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 10 requests per 60 seconds per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"device/code\", 10, 60);\n\t\tif (!rateLimit.allowed) {\n\t\t\treturn rateLimitResponse(60);\n\t\t}\n\n\t\t// Build the verification URI — device page lives inside the admin SPA\n\t\tconst verificationUri = new URL(\n\t\t\t\"/_emdash/admin/device\",\n\t\t\tgetPublicOrigin(url, emdash?.config),\n\t\t).toString();\n\n\t\tconst result = await handleDeviceCodeRequest(emdash.db, body, verificationUri);\n\t\treturn unwrapResult(result);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to create device code\", \"DEVICE_CODE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;AAmBA,MAAa,YAAY;AAEzB,MAAM,mBAAmB,EAAE,OAAO;CACjC,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,CAAC;AAEF,MAAa,OAAiB,OAAO,EAAE,SAAS,QAAQ,UAAU;CACjE,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,iBAAiB;AACvD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,eAAe,IAAI,GAAG,EAC7D,QACd,QAAO,kBAAkB,GAAG;EAI7B,MAAM,kBAAkB,IAAI,IAC3B,yBACA,gBAAgB,KAAK,QAAQ,OAAO,CACpC,CAAC,UAAU;AAGZ,SAAO,aADQ,MAAM,wBAAwB,OAAO,IAAI,MAAM,gBAAgB,CACnD;UACnB,OAAO;AACf,SAAO,YAAY,OAAO,gCAAgC,oBAAoB"}

package/dist/astro/routes/api/oauth/device/token.d.mts

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/device/token.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=token.d.mts.map

package/dist/astro/routes/api/oauth/device/token.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/token.ts"],"mappings":";;;cAqBa,SAAA;AAAA,cAOA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/device/token.mjs

@@ -0,0 +1,47 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-CJhQIk65.mjs";
+import "../../../../../api-tokens-D3C9v02m.mjs";
+import "../../../../../oauth-user-lookup-meyS2oB1.mjs";
+import { r as handleDeviceTokenExchange } from "../../../../../device-flow-BqJRxa0Q.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-t5CVjCO6.mjs";
+import { z } from "zod";
+
+//#region src/astro/routes/api/oauth/device/token.ts
+const prerender = false;
+const deviceTokenSchema = z.object({
+	device_code: z.string().min(1),
+	grant_type: z.string().min(1)
+});
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		const body = await parseBody(request, deviceTokenSchema);
+		if (isParseError(body)) return body;
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
+		if (!(await checkRateLimit(emdash.db, ip, "device/token", 12, 60)).allowed) return rateLimitResponse(60);
+		const result = await handleDeviceTokenExchange(emdash.db, body);
+		if (!result.success && result.deviceFlowError) {
+			const errorBody = { error: result.deviceFlowError };
+			if (result.deviceFlowInterval !== void 0) errorBody.interval = result.deviceFlowInterval;
+			return Response.json(errorBody, {
+				status: 400,
+				headers: {
+					"Content-Type": "application/json",
+					"Cache-Control": "no-store",
+					Pragma: "no-cache"
+				}
+			});
+		}
+		return unwrapResult(result);
+	} catch (error) {
+		return handleError(error, "Failed to exchange device code", "TOKEN_EXCHANGE_ERROR");
+	}
+};
+
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=token.mjs.map

package/dist/astro/routes/api/oauth/device/token.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/device/token.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/device/token\n *\n * CLI polls this endpoint to exchange a device code for tokens.\n * Returns RFC 8628 error codes during the polling phase.\n * This is an unauthenticated endpoint.\n *\n * Rate limited: 12 requests per minute per IP.\n * Also enforces RFC 8628 slow_down: if polled faster than the interval,\n * responds with { error: \"slow_down\", interval: N } and increases the interval by 5s.\n */\n\nimport type { APIRoute } from \"astro\";\nimport { z } from \"zod\";\n\nimport { apiError, handleError, unwrapResult } from \"#api/error.js\";\nimport { handleDeviceTokenExchange } from \"#api/handlers/device-flow.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { checkRateLimit, getClientIp, rateLimitResponse } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\n\nexport const prerender = false;\n\nconst deviceTokenSchema = z.object({\n\tdevice_code: z.string().min(1),\n\tgrant_type: z.string().min(1),\n});\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, deviceTokenSchema);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 12 requests per 60 seconds per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"device/token\", 12, 60);\n\t\tif (!rateLimit.allowed) {\n\t\t\treturn rateLimitResponse(60);\n\t\t}\n\n\t\tconst result = await handleDeviceTokenExchange(emdash.db, body);\n\n\t\t// RFC 8628 requires specific error format for device flow errors\n\t\t// RFC 6749 §5.1 requires Cache-Control: no-store + Pragma: no-cache on token responses\n\t\tif (!result.success && result.deviceFlowError) {\n\t\t\tconst errorBody: { error: string; interval?: number } = { error: result.deviceFlowError };\n\t\t\tif (result.deviceFlowInterval !== undefined) {\n\t\t\t\terrorBody.interval = result.deviceFlowInterval;\n\t\t\t}\n\t\t\treturn Response.json(errorBody, {\n\t\t\t\tstatus: 400,\n\t\t\t\theaders: {\n\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\t\tPragma: \"no-cache\",\n\t\t\t\t},\n\t\t\t});\n\t\t}\n\n\t\treturn unwrapResult(result);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to exchange device code\", \"TOKEN_EXCHANGE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;AAqBA,MAAa,YAAY;AAEzB,MAAM,oBAAoB,EAAE,OAAO;CAClC,aAAa,EAAE,QAAQ,CAAC,IAAI,EAAE;CAC9B,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;CAC7B,CAAC;AAEF,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,gBAAgB,IAAI,GAAG,EAC9D,QACd,QAAO,kBAAkB,GAAG;EAG7B,MAAM,SAAS,MAAM,0BAA0B,OAAO,IAAI,KAAK;AAI/D,MAAI,CAAC,OAAO,WAAW,OAAO,iBAAiB;GAC9C,MAAM,YAAkD,EAAE,OAAO,OAAO,iBAAiB;AACzF,OAAI,OAAO,uBAAuB,OACjC,WAAU,WAAW,OAAO;AAE7B,UAAO,SAAS,KAAK,WAAW;IAC/B,QAAQ;IACR,SAAS;KACR,gBAAgB;KAChB,iBAAiB;KACjB,QAAQ;KACR;IACD,CAAC;;AAGH,SAAO,aAAa,OAAO;UACnB,OAAO;AACf,SAAO,YAAY,OAAO,kCAAkC,uBAAuB"}

package/dist/astro/routes/api/oauth/register.d.mts

@@ -0,0 +1,9 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/register.d.ts
+declare const prerender = false;
+declare const OPTIONS: APIRoute;
+declare const POST: APIRoute;
+//#endregion
+export { OPTIONS, POST, prerender };
+//# sourceMappingURL=register.d.mts.map

package/dist/astro/routes/api/oauth/register.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.mts","names":[],"sources":["../../../../../src/astro/routes/api/oauth/register.ts"],"mappings":";;;cAaa,SAAA;AAAA,cAwEA,OAAA,EAAS,QAAA;AAAA,cAIT,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/register.mjs

@@ -0,0 +1,113 @@
+import "../../../../base64-CqR-7kqF.mjs";
+import "../../../../types-CwXMEPRr.mjs";
+import { r as handleError, t as apiError } from "../../../../error-tSQWIl5U.mjs";
+import { t as handleOAuthClientCreate } from "../../../../oauth-clients-D_B0_-Bz.mjs";
+
+//#region src/astro/routes/api/oauth/register.ts
+const prerender = false;
+const OAUTH_REGISTRATION_HEADERS = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+	"Access-Control-Allow-Origin": "*"
+};
+const OAUTH_PREFLIGHT_HEADERS = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400"
+};
+const SUPPORTED_GRANT_TYPES = new Set([
+	"authorization_code",
+	"refresh_token",
+	"urn:ietf:params:oauth:grant-type:device_code"
+]);
+const SUPPORTED_RESPONSE_TYPES = new Set(["code"]);
+function registrationError(description, status = 400) {
+	return Response.json({
+		error: "invalid_client_metadata",
+		error_description: description
+	}, {
+		status,
+		headers: OAUTH_REGISTRATION_HEADERS
+	});
+}
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringArray(value) {
+	return Array.isArray(value) && value.every((item) => typeof item === "string");
+}
+function parseScope(value) {
+	if (value === void 0) return void 0;
+	if (typeof value === "string") {
+		const scopes = value.split(" ").filter(Boolean);
+		return scopes.length > 0 ? scopes : void 0;
+	}
+	if (isStringArray(value)) {
+		const scopes = value.filter(Boolean);
+		return scopes.length > 0 ? scopes : void 0;
+	}
+	return registrationError("scope must be a string or array of strings");
+}
+function parseSupportedStringArray(value, field, supported) {
+	if (value === void 0) return void 0;
+	if (!isStringArray(value)) return registrationError(`${field} must be an array of strings`);
+	const invalidValue = value.find((item) => !supported.has(item));
+	if (invalidValue) return registrationError(`${field} contains unsupported value: ${invalidValue}`);
+	return value;
+}
+const OPTIONS = () => {
+	return new Response(null, {
+		status: 204,
+		headers: OAUTH_PREFLIGHT_HEADERS
+	});
+};
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		let body;
+		try {
+			body = await request.json();
+		} catch {
+			return registrationError("Request body must be valid JSON");
+		}
+		if (!isRecord(body)) return registrationError("Request body must be a JSON object");
+		if (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) return registrationError("redirect_uris must be a non-empty array of strings");
+		if (body.token_endpoint_auth_method !== void 0 && body.token_endpoint_auth_method !== "none") return registrationError("Only token_endpoint_auth_method=none is supported");
+		const grantTypes = parseSupportedStringArray(body.grant_types, "grant_types", SUPPORTED_GRANT_TYPES);
+		if (grantTypes instanceof Response) return grantTypes;
+		const responseTypes = parseSupportedStringArray(body.response_types, "response_types", SUPPORTED_RESPONSE_TYPES);
+		if (responseTypes instanceof Response) return responseTypes;
+		const scopes = parseScope(body.scope);
+		if (scopes instanceof Response) return scopes;
+		const clientId = crypto.randomUUID();
+		const clientName = typeof body.client_name === "string" && body.client_name ? body.client_name : `dynamic-${clientId.slice(0, 8)}`;
+		const result = await handleOAuthClientCreate(emdash.db, {
+			id: clientId,
+			name: clientName,
+			redirectUris: body.redirect_uris,
+			scopes
+		});
+		if (!result.success) return registrationError(result.error.message);
+		return Response.json({
+			client_id: result.data.id,
+			client_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1e3),
+			redirect_uris: result.data.redirectUris,
+			client_name: result.data.name,
+			grant_types: grantTypes ?? ["authorization_code", "refresh_token"],
+			response_types: responseTypes ?? ["code"],
+			token_endpoint_auth_method: "none",
+			scope: result.data.scopes ? result.data.scopes.join(" ") : void 0
+		}, {
+			status: 201,
+			headers: OAUTH_REGISTRATION_HEADERS
+		});
+	} catch (error) {
+		return handleError(error, "Failed to register OAuth client", "CLIENT_REGISTER_ERROR");
+	}
+};
+
+//#endregion
+export { OPTIONS, POST, prerender };
+//# sourceMappingURL=register.mjs.map

package/dist/astro/routes/api/oauth/register.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.mjs","names":[],"sources":["../../../../../src/astro/routes/api/oauth/register.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/register\n *\n * RFC 7591 Dynamic Client Registration. Public, unauthenticated.\n * MCP clients (e.g. Claude Code) call this to register themselves\n * before starting the OAuth authorization flow.\n */\n\nimport type { APIRoute } from \"astro\";\n\nimport { apiError, handleError } from \"#api/error.js\";\nimport { handleOAuthClientCreate } from \"#api/handlers/oauth-clients.js\";\n\nexport const prerender = false;\n\nconst OAUTH_REGISTRATION_HEADERS: HeadersInit = {\n\t\"Cache-Control\": \"no-store\",\n\tPragma: \"no-cache\",\n\t// RFC 7591 dynamic client registration is called cross-origin by MCP clients,\n\t// CLIs, and native apps. The endpoint is anonymous and carries no ambient\n\t// credentials, so CORS `*` is safe.\n\t\"Access-Control-Allow-Origin\": \"*\",\n};\n\nconst OAUTH_PREFLIGHT_HEADERS: HeadersInit = {\n\t\"Access-Control-Allow-Origin\": \"*\",\n\t\"Access-Control-Allow-Methods\": \"POST, OPTIONS\",\n\t\"Access-Control-Allow-Headers\": \"Content-Type\",\n\t\"Access-Control-Max-Age\": \"86400\",\n};\n\nconst SUPPORTED_GRANT_TYPES = new Set([\n\t\"authorization_code\",\n\t\"refresh_token\",\n\t\"urn:ietf:params:oauth:grant-type:device_code\",\n]);\nconst SUPPORTED_RESPONSE_TYPES = new Set([\"code\"]);\n\nfunction registrationError(description: string, status = 400): Response {\n\treturn Response.json(\n\t\t{\n\t\t\terror: \"invalid_client_metadata\",\n\t\t\terror_description: description,\n\t\t},\n\t\t{ status, headers: OAUTH_REGISTRATION_HEADERS },\n\t);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction isStringArray(value: unknown): value is string[] {\n\treturn Array.isArray(value) && value.every((item) => typeof item === \"string\");\n}\n\nfunction parseScope(value: unknown): string[] | Response | undefined {\n\tif (value === undefined) return undefined;\n\tif (typeof value === \"string\") {\n\t\tconst scopes = value.split(\" \").filter(Boolean);\n\t\treturn scopes.length > 0 ? scopes : undefined;\n\t}\n\tif (isStringArray(value)) {\n\t\tconst scopes = value.filter(Boolean);\n\t\treturn scopes.length > 0 ? scopes : undefined;\n\t}\n\treturn registrationError(\"scope must be a string or array of strings\");\n}\n\nfunction parseSupportedStringArray(\n\tvalue: unknown,\n\tfield: string,\n\tsupported: ReadonlySet<string>,\n): string[] | Response | undefined {\n\tif (value === undefined) return undefined;\n\tif (!isStringArray(value)) {\n\t\treturn registrationError(`${field} must be an array of strings`);\n\t}\n\tconst invalidValue = value.find((item) => !supported.has(item));\n\tif (invalidValue) {\n\t\treturn registrationError(`${field} contains unsupported value: ${invalidValue}`);\n\t}\n\treturn value;\n}\n\nexport const OPTIONS: APIRoute = () => {\n\treturn new Response(null, { status: 204, headers: OAUTH_PREFLIGHT_HEADERS });\n};\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tlet body: unknown;\n\t\ttry {\n\t\t\tbody = await request.json();\n\t\t} catch {\n\t\t\treturn registrationError(\"Request body must be valid JSON\");\n\t\t}\n\n\t\tif (!isRecord(body)) {\n\t\t\treturn registrationError(\"Request body must be a JSON object\");\n\t\t}\n\n\t\t// redirect_uris is the only required field per RFC 7591 §2\n\t\tif (!isStringArray(body.redirect_uris) || body.redirect_uris.length === 0) {\n\t\t\treturn registrationError(\"redirect_uris must be a non-empty array of strings\");\n\t\t}\n\n\t\tif (\n\t\t\tbody.token_endpoint_auth_method !== undefined &&\n\t\t\tbody.token_endpoint_auth_method !== \"none\"\n\t\t) {\n\t\t\treturn registrationError(\"Only token_endpoint_auth_method=none is supported\");\n\t\t}\n\n\t\tconst grantTypes = parseSupportedStringArray(\n\t\t\tbody.grant_types,\n\t\t\t\"grant_types\",\n\t\t\tSUPPORTED_GRANT_TYPES,\n\t\t);\n\t\tif (grantTypes instanceof Response) {\n\t\t\treturn grantTypes;\n\t\t}\n\n\t\tconst responseTypes = parseSupportedStringArray(\n\t\t\tbody.response_types,\n\t\t\t\"response_types\",\n\t\t\tSUPPORTED_RESPONSE_TYPES,\n\t\t);\n\t\tif (responseTypes instanceof Response) {\n\t\t\treturn responseTypes;\n\t\t}\n\n\t\tconst scopes = parseScope(body.scope);\n\t\tif (scopes instanceof Response) {\n\t\t\treturn scopes;\n\t\t}\n\n\t\tconst clientId = crypto.randomUUID();\n\t\tconst clientName =\n\t\t\ttypeof body.client_name === \"string\" && body.client_name\n\t\t\t\t? body.client_name\n\t\t\t\t: `dynamic-${clientId.slice(0, 8)}`;\n\n\t\tconst result = await handleOAuthClientCreate(emdash.db, {\n\t\t\tid: clientId,\n\t\t\tname: clientName,\n\t\t\tredirectUris: body.redirect_uris,\n\t\t\tscopes,\n\t\t});\n\n\t\tif (!result.success) {\n\t\t\treturn registrationError(result.error.message);\n\t\t}\n\n\t\t// RFC 7591 §3.2.1 response\n\t\treturn Response.json(\n\t\t\t{\n\t\t\t\tclient_id: result.data.id,\n\t\t\t\tclient_id_issued_at: Math.floor(new Date(result.data.createdAt).getTime() / 1000),\n\t\t\t\tredirect_uris: result.data.redirectUris,\n\t\t\t\tclient_name: result.data.name,\n\t\t\t\tgrant_types: grantTypes ?? [\"authorization_code\", \"refresh_token\"],\n\t\t\t\tresponse_types: responseTypes ?? [\"code\"],\n\t\t\t\ttoken_endpoint_auth_method: \"none\",\n\t\t\t\tscope: result.data.scopes ? result.data.scopes.join(\" \") : undefined,\n\t\t\t},\n\t\t\t{ status: 201, headers: OAUTH_REGISTRATION_HEADERS },\n\t\t);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to register OAuth client\", \"CLIENT_REGISTER_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;AAaA,MAAa,YAAY;AAEzB,MAAM,6BAA0C;CAC/C,iBAAiB;CACjB,QAAQ;CAIR,+BAA+B;CAC/B;AAED,MAAM,0BAAuC;CAC5C,+BAA+B;CAC/B,gCAAgC;CAChC,gCAAgC;CAChC,0BAA0B;CAC1B;AAED,MAAM,wBAAwB,IAAI,IAAI;CACrC;CACA;CACA;CACA,CAAC;AACF,MAAM,2BAA2B,IAAI,IAAI,CAAC,OAAO,CAAC;AAElD,SAAS,kBAAkB,aAAqB,SAAS,KAAe;AACvE,QAAO,SAAS,KACf;EACC,OAAO;EACP,mBAAmB;EACnB,EACD;EAAE;EAAQ,SAAS;EAA4B,CAC/C;;AAGF,SAAS,SAAS,OAAkD;AACnE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;AAG5E,SAAS,cAAc,OAAmC;AACzD,QAAO,MAAM,QAAQ,MAAM,IAAI,MAAM,OAAO,SAAS,OAAO,SAAS,SAAS;;AAG/E,SAAS,WAAW,OAAiD;AACpE,KAAI,UAAU,OAAW,QAAO;AAChC,KAAI,OAAO,UAAU,UAAU;EAC9B,MAAM,SAAS,MAAM,MAAM,IAAI,CAAC,OAAO,QAAQ;AAC/C,SAAO,OAAO,SAAS,IAAI,SAAS;;AAErC,KAAI,cAAc,MAAM,EAAE;EACzB,MAAM,SAAS,MAAM,OAAO,QAAQ;AACpC,SAAO,OAAO,SAAS,IAAI,SAAS;;AAErC,QAAO,kBAAkB,6CAA6C;;AAGvE,SAAS,0BACR,OACA,OACA,WACkC;AAClC,KAAI,UAAU,OAAW,QAAO;AAChC,KAAI,CAAC,cAAc,MAAM,CACxB,QAAO,kBAAkB,GAAG,MAAM,8BAA8B;CAEjE,MAAM,eAAe,MAAM,MAAM,SAAS,CAAC,UAAU,IAAI,KAAK,CAAC;AAC/D,KAAI,aACH,QAAO,kBAAkB,GAAG,MAAM,+BAA+B,eAAe;AAEjF,QAAO;;AAGR,MAAa,gBAA0B;AACtC,QAAO,IAAI,SAAS,MAAM;EAAE,QAAQ;EAAK,SAAS;EAAyB,CAAC;;AAG7E,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,IAAI;AACJ,MAAI;AACH,UAAO,MAAM,QAAQ,MAAM;UACpB;AACP,UAAO,kBAAkB,kCAAkC;;AAG5D,MAAI,CAAC,SAAS,KAAK,CAClB,QAAO,kBAAkB,qCAAqC;AAI/D,MAAI,CAAC,cAAc,KAAK,cAAc,IAAI,KAAK,cAAc,WAAW,EACvE,QAAO,kBAAkB,qDAAqD;AAG/E,MACC,KAAK,+BAA+B,UACpC,KAAK,+BAA+B,OAEpC,QAAO,kBAAkB,oDAAoD;EAG9E,MAAM,aAAa,0BAClB,KAAK,aACL,eACA,sBACA;AACD,MAAI,sBAAsB,SACzB,QAAO;EAGR,MAAM,gBAAgB,0BACrB,KAAK,gBACL,kBACA,yBACA;AACD,MAAI,yBAAyB,SAC5B,QAAO;EAGR,MAAM,SAAS,WAAW,KAAK,MAAM;AACrC,MAAI,kBAAkB,SACrB,QAAO;EAGR,MAAM,WAAW,OAAO,YAAY;EACpC,MAAM,aACL,OAAO,KAAK,gBAAgB,YAAY,KAAK,cAC1C,KAAK,cACL,WAAW,SAAS,MAAM,GAAG,EAAE;EAEnC,MAAM,SAAS,MAAM,wBAAwB,OAAO,IAAI;GACvD,IAAI;GACJ,MAAM;GACN,cAAc,KAAK;GACnB;GACA,CAAC;AAEF,MAAI,CAAC,OAAO,QACX,QAAO,kBAAkB,OAAO,MAAM,QAAQ;AAI/C,SAAO,SAAS,KACf;GACC,WAAW,OAAO,KAAK;GACvB,qBAAqB,KAAK,MAAM,IAAI,KAAK,OAAO,KAAK,UAAU,CAAC,SAAS,GAAG,IAAK;GACjF,eAAe,OAAO,KAAK;GAC3B,aAAa,OAAO,KAAK;GACzB,aAAa,cAAc,CAAC,sBAAsB,gBAAgB;GAClE,gBAAgB,iBAAiB,CAAC,OAAO;GACzC,4BAA4B;GAC5B,OAAO,OAAO,KAAK,SAAS,OAAO,KAAK,OAAO,KAAK,IAAI,GAAG;GAC3D,EACD;GAAE,QAAQ;GAAK,SAAS;GAA4B,CACpD;UACO,OAAO;AACf,SAAO,YAAY,OAAO,mCAAmC,wBAAwB"}

package/dist/astro/routes/api/oauth/token/refresh.d.mts

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/token/refresh.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=refresh.d.mts.map

package/dist/astro/routes/api/oauth/token/refresh.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/token/refresh.ts"],"mappings":";;;cAca,SAAA;AAAA,cAOA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/token/refresh.mjs

@@ -0,0 +1,30 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import "../../../../../api-tokens-D3C9v02m.mjs";
+import "../../../../../oauth-user-lookup-meyS2oB1.mjs";
+import { i as handleTokenRefresh } from "../../../../../device-flow-BqJRxa0Q.mjs";
+import { z } from "zod";
+
+//#region src/astro/routes/api/oauth/token/refresh.ts
+const prerender = false;
+const refreshSchema = z.object({
+	refresh_token: z.string().min(1),
+	grant_type: z.string().min(1)
+});
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		const body = await parseBody(request, refreshSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleTokenRefresh(emdash.db, body));
+	} catch (error) {
+		return handleError(error, "Failed to refresh token", "TOKEN_REFRESH_ERROR");
+	}
+};
+
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=refresh.mjs.map

package/dist/astro/routes/api/oauth/token/refresh.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/token/refresh.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/token/refresh\n *\n * Exchange a refresh token for a new access token.\n * This is an unauthenticated endpoint (the caller presents the refresh token).\n */\n\nimport type { APIRoute } from \"astro\";\nimport { z } from \"zod\";\n\nimport { apiError, handleError, unwrapResult } from \"#api/error.js\";\nimport { handleTokenRefresh } from \"#api/handlers/device-flow.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\n\nexport const prerender = false;\n\nconst refreshSchema = z.object({\n\trefresh_token: z.string().min(1),\n\tgrant_type: z.string().min(1),\n});\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, refreshSchema);\n\t\tif (isParseError(body)) return body;\n\n\t\tconst result = await handleTokenRefresh(emdash.db, body);\n\t\treturn unwrapResult(result);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to refresh token\", \"TOKEN_REFRESH_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;AAcA,MAAa,YAAY;AAEzB,MAAM,gBAAgB,EAAE,OAAO;CAC9B,eAAe,EAAE,QAAQ,CAAC,IAAI,EAAE;CAChC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE;CAC7B,CAAC;AAEF,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,cAAc;AACpD,MAAI,aAAa,KAAK,CAAE,QAAO;AAG/B,SAAO,aADQ,MAAM,mBAAmB,OAAO,IAAI,KAAK,CAC7B;UACnB,OAAO;AACf,SAAO,YAAY,OAAO,2BAA2B,sBAAsB"}

package/dist/astro/routes/api/oauth/token/revoke.d.mts

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/token/revoke.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=revoke.d.mts.map

package/dist/astro/routes/api/oauth/token/revoke.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/token/revoke.ts"],"mappings":";;;cAea,SAAA;AAAA,cAMA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/oauth/token/revoke.mjs

@@ -0,0 +1,27 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { a as unwrapResult, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import "../../../../../api-tokens-D3C9v02m.mjs";
+import "../../../../../oauth-user-lookup-meyS2oB1.mjs";
+import { a as handleTokenRevoke } from "../../../../../device-flow-BqJRxa0Q.mjs";
+import { z } from "zod";
+
+//#region src/astro/routes/api/oauth/token/revoke.ts
+const prerender = false;
+const revokeSchema = z.object({ token: z.string().min(1) });
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		const body = await parseBody(request, revokeSchema);
+		if (isParseError(body)) return body;
+		return unwrapResult(await handleTokenRevoke(emdash.db, body));
+	} catch (error) {
+		return handleError(error, "Failed to revoke token", "TOKEN_REVOKE_ERROR");
+	}
+};
+
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=revoke.mjs.map

package/dist/astro/routes/api/oauth/token/revoke.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/oauth/token/revoke.ts"],"sourcesContent":["/**\n * POST /_emdash/api/oauth/token/revoke\n *\n * Revoke an access or refresh token (RFC 7009).\n * Always returns 200, even for invalid tokens.\n * This is an unauthenticated endpoint (the caller presents the token to revoke).\n */\n\nimport type { APIRoute } from \"astro\";\nimport { z } from \"zod\";\n\nimport { apiError, handleError, unwrapResult } from \"#api/error.js\";\nimport { handleTokenRevoke } from \"#api/handlers/device-flow.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\n\nexport const prerender = false;\n\nconst revokeSchema = z.object({\n\ttoken: z.string().min(1),\n});\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, revokeSchema);\n\t\tif (isParseError(body)) return body;\n\n\t\tconst result = await handleTokenRevoke(emdash.db, body);\n\t\treturn unwrapResult(result);\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to revoke token\", \"TOKEN_REVOKE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;AAeA,MAAa,YAAY;AAEzB,MAAM,eAAe,EAAE,OAAO,EAC7B,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,EACxB,CAAC;AAEF,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,aAAa;AACnD,MAAI,aAAa,KAAK,CAAE,QAAO;AAG/B,SAAO,aADQ,MAAM,kBAAkB,OAAO,IAAI,KAAK,CAC5B;UACnB,OAAO;AACf,SAAO,YAAY,OAAO,0BAA0B,qBAAqB"}

package/dist/astro/routes/api/oauth/token.d.mts

@@ -0,0 +1,9 @@
+import { APIRoute } from "astro";
+
+//#region src/astro/routes/api/oauth/token.d.ts
+declare const prerender = false;
+declare const OPTIONS: APIRoute;
+declare const POST: APIRoute;
+//#endregion
+export { OPTIONS, POST, prerender };
+//# sourceMappingURL=token.d.mts.map

package/dist/astro/routes/api/oauth/token.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.mts","names":[],"sources":["../../../../../src/astro/routes/api/oauth/token.ts"],"mappings":";;;cAsBa,SAAA;AAAA,cAmEA,OAAA,EAAS,QAAA;AAAA,cAIT,IAAA,EAAM,QAAA"}