npm - emdash - Versions diffs - 0.12.0 → 0.14.0 - Mend

emdash 0.12.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1003) hide show

package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs ADDED Viewed

@@ -0,0 +1,130 @@
+import { t as OptionsRepository } from "../../../../../../options-BL4X94qY.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-CseXl9Fv.mjs";
+import { t as finalizeSetup } from "../../../../../../setup-complete-C6ZCLhKo.mjs";
+import { t as createOAuthStateStore } from "../../../../../../oauth-state-store-DpsZViTu.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { OAuthError, Role, handleOAuthCallback } from "@emdash-cms/auth";
+//#region src/astro/routes/api/auth/oauth/[provider]/callback.ts
+const prerender = false;
+const VALID_PROVIDERS = new Set(["github", "google"]);
+function isValidProvider(provider) {
+	return VALID_PROVIDERS.has(provider);
+}
+/** Safely extract a string value from an env-like record */
+function envString(env, ...keys) {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+}
+/**
+* Get OAuth config from environment variables
+*/
+function getOAuthConfig(env) {
+	const providers = {};
+	const githubClientId = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_SECRET", "GITHUB_CLIENT_SECRET");
+	if (githubClientId && githubClientSecret) providers.github = {
+		clientId: githubClientId,
+		clientSecret: githubClientSecret
+	};
+	const googleClientId = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_SECRET", "GOOGLE_CLIENT_SECRET");
+	if (googleClientId && googleClientSecret) providers.google = {
+		clientId: googleClientId,
+		clientSecret: googleClientSecret
+	};
+	return providers;
+}
+const GET = async ({ params, request, locals, session, redirect }) => {
+	const { emdash } = locals;
+	const provider = params.provider;
+	if (!provider || !isValidProvider(provider)) return redirect(`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`);
+	if (!emdash?.db) return redirect(`/_emdash/admin/login?error=server_error&message=${encodeURIComponent("Database not configured")}`);
+	const url = new URL(request.url);
+	const code = url.searchParams.get("code");
+	const state = url.searchParams.get("state");
+	const error = url.searchParams.get("error");
+	const errorDescription = url.searchParams.get("error_description");
+	if (error) {
+		const message = errorDescription || error;
+		return redirect(`/_emdash/admin/login?error=oauth_denied&message=${encodeURIComponent(message)}`);
+	}
+	if (!code || !state) return redirect(`/_emdash/admin/login?error=invalid_callback&message=${encodeURIComponent("Missing code or state parameter")}`);
+	try {
+		const providers = getOAuthConfig(locals.runtime?.env ?? import.meta.env);
+		if (!providers[provider]) return redirect(`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`);
+		const adapter = createKyselyAdapter(emdash.db);
+		const stateStore = createOAuthStateStore(emdash.db);
+		const config = {
+			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
+			providers,
+			canSelfSignup: async (email) => {
+				const setupComplete = await new OptionsRepository(emdash.db).get("emdash:setup_complete");
+				if (setupComplete !== true && setupComplete !== "true") return {
+					allowed: true,
+					role: Role.ADMIN
+				};
+				const domain = email.split("@")[1]?.toLowerCase();
+				if (!domain) return null;
+				const entry = await emdash.db.selectFrom("allowed_domains").selectAll().where("domain", "=", domain).where("enabled", "=", 1).executeTakeFirst();
+				if (!entry) return null;
+				const roleLevel = entry.default_role;
+				const roleMap = {
+					50: Role.ADMIN,
+					40: Role.EDITOR,
+					30: Role.AUTHOR,
+					20: Role.CONTRIBUTOR,
+					10: Role.SUBSCRIBER
+				};
+				const role = roleMap[roleLevel] ?? Role.CONTRIBUTOR;
+				if (!roleMap[roleLevel]) console.warn(`[oauth] Unknown role level ${roleLevel} for domain ${domain}, defaulting to CONTRIBUTOR`);
+				return {
+					allowed: true,
+					role
+				};
+			}
+		};
+		const setupCompleteBefore = await new OptionsRepository(emdash.db).get("emdash:setup_complete");
+		const user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);
+		if (setupCompleteBefore !== true && setupCompleteBefore !== "true") {
+			await finalizeSetup(emdash.db);
+			console.log(`[oauth] Setup complete: created admin user via ${provider} (${user.email})`);
+		}
+		if (session) session.set("user", { id: user.id });
+		return redirect("/_emdash/admin");
+	} catch (callbackError) {
+		console.error("OAuth callback error:", callbackError);
+		let message = "Authentication failed";
+		let errorCode = "oauth_error";
+		if (callbackError instanceof OAuthError) {
+			errorCode = callbackError.code;
+			switch (callbackError.code) {
+				case "invalid_state":
+					message = "OAuth session expired or invalid. Please try again.";
+					break;
+				case "signup_not_allowed":
+					message = "Self-signup is not allowed for your email. Please contact an administrator.";
+					break;
+				case "user_not_found":
+					message = "Your account was not found. It may have been deleted.";
+					break;
+				case "token_exchange_failed":
+					message = "Failed to complete authentication. Please try again.";
+					break;
+				case "profile_fetch_failed":
+					message = "Failed to retrieve your profile. Please try again.";
+					break;
+				default:
+					message = "Authentication failed. Please try again.";
+					break;
+			}
+		}
+		return redirect(`/_emdash/admin/login?error=${errorCode}&message=${encodeURIComponent(message)}`);
+	}
+};
+//#endregion
+export { GET, prerender };
+//# sourceMappingURL=callback.mjs.map

package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"callback.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/oauth/[provider]/callback.ts"],"sourcesContent":["/**\n * GET /_emdash/api/auth/oauth/[provider]/callback\n *\n * Handle OAuth callback from provider\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport {\n\thandleOAuthCallback,\n\tOAuthError,\n\tRole,\n\ttype OAuthConsumerConfig,\n\ttype RoleLevel,\n} from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { finalizeSetup } from \"#api/setup-complete.js\";\nimport { createOAuthStateStore } from \"#auth/oauth-state-store.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\ntype ProviderName = \"github\" | \"google\";\n\nconst VALID_PROVIDERS = new Set<string>([\"github\", \"google\"]);\n\nfunction isValidProvider(provider: string): provider is ProviderName {\n\treturn VALID_PROVIDERS.has(provider);\n}\n\n/** Safely extract a string value from an env-like record */\nfunction envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {\n\tfor (const key of keys) {\n\t\tconst val = env[key];\n\t\tif (typeof val === \"string\" && val) return val;\n\t}\n\treturn undefined;\n}\n\n/**\n * Get OAuth config from environment variables\n */\nfunction getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig[\"providers\"] {\n\tconst providers: OAuthConsumerConfig[\"providers\"] = {};\n\n\t// GitHub\n\tconst githubClientId = envString(env, \"EMDASH_OAUTH_GITHUB_CLIENT_ID\", \"GITHUB_CLIENT_ID\");\n\tconst githubClientSecret = envString(\n\t\tenv,\n\t\t\"EMDASH_OAUTH_GITHUB_CLIENT_SECRET\",\n\t\t\"GITHUB_CLIENT_SECRET\",\n\t);\n\tif (githubClientId && githubClientSecret) {\n\t\tproviders.github = {\n\t\t\tclientId: githubClientId,\n\t\t\tclientSecret: githubClientSecret,\n\t\t};\n\t}\n\n\t// Google\n\tconst googleClientId = envString(env, \"EMDASH_OAUTH_GOOGLE_CLIENT_ID\", \"GOOGLE_CLIENT_ID\");\n\tconst googleClientSecret = envString(\n\t\tenv,\n\t\t\"EMDASH_OAUTH_GOOGLE_CLIENT_SECRET\",\n\t\t\"GOOGLE_CLIENT_SECRET\",\n\t);\n\tif (googleClientId && googleClientSecret) {\n\t\tproviders.google = {\n\t\t\tclientId: googleClientId,\n\t\t\tclientSecret: googleClientSecret,\n\t\t};\n\t}\n\n\treturn providers;\n}\n\nexport const GET: APIRoute = async ({ params, request, locals, session, redirect }) => {\n\tconst { emdash } = locals;\n\tconst provider = params.provider;\n\n\t// Validate provider\n\tif (!provider || !isValidProvider(provider)) {\n\t\treturn redirect(\n\t\t\t`/_emdash/admin/login?error=invalid_provider&message=${encodeURIComponent(\"Invalid OAuth provider\")}`,\n\t\t);\n\t}\n\n\tif (!emdash?.db) {\n\t\treturn redirect(\n\t\t\t`/_emdash/admin/login?error=server_error&message=${encodeURIComponent(\"Database not configured\")}`,\n\t\t);\n\t}\n\n\tconst url = new URL(request.url);\n\tconst code = url.searchParams.get(\"code\");\n\tconst state = url.searchParams.get(\"state\");\n\tconst error = url.searchParams.get(\"error\");\n\tconst errorDescription = url.searchParams.get(\"error_description\");\n\n\t// Handle OAuth errors from provider\n\tif (error) {\n\t\tconst message = errorDescription || error;\n\t\treturn redirect(\n\t\t\t`/_emdash/admin/login?error=oauth_denied&message=${encodeURIComponent(message)}`,\n\t\t);\n\t}\n\n\t// Validate required params\n\tif (!code || !state) {\n\t\treturn redirect(\n\t\t\t`/_emdash/admin/login?error=invalid_callback&message=${encodeURIComponent(\"Missing code or state parameter\")}`,\n\t\t);\n\t}\n\n\ttry {\n\t\t// Get OAuth providers from environment\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional\n\t\tconst runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig\n\t\tconst env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);\n\t\tconst providers = getOAuthConfig(env);\n\n\t\tif (!providers[provider]) {\n\t\t\treturn redirect(\n\t\t\t\t`/_emdash/admin/login?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured`)}`,\n\t\t\t);\n\t\t}\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tconst stateStore = createOAuthStateStore(emdash.db);\n\n\t\tconst config: OAuthConsumerConfig = {\n\t\t\tbaseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,\n\t\t\tproviders,\n\t\t\tcanSelfSignup: async (email: string) => {\n\t\t\t\t// During setup: first user becomes admin.\n\t\t\t\t// Check setup_complete flag instead of countUsers() to avoid\n\t\t\t\t// a TOCTOU race where concurrent callbacks both see 0 users.\n\t\t\t\tconst options = new OptionsRepository(emdash.db);\n\t\t\t\tconst setupComplete = await options.get(\"emdash:setup_complete\");\n\t\t\t\tif (setupComplete !== true && setupComplete !== \"true\") {\n\t\t\t\t\treturn { allowed: true, role: Role.ADMIN };\n\t\t\t\t}\n\n\t\t\t\t// Extract domain from email\n\t\t\t\tconst domain = email.split(\"@\")[1]?.toLowerCase();\n\t\t\t\tif (!domain) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\n\t\t\t\t// Check allowed_domains table for a matching, enabled entry\n\t\t\t\tconst entry = await emdash.db\n\t\t\t\t\t.selectFrom(\"allowed_domains\")\n\t\t\t\t\t.selectAll()\n\t\t\t\t\t.where(\"domain\", \"=\", domain)\n\t\t\t\t\t.where(\"enabled\", \"=\", 1)\n\t\t\t\t\t.executeTakeFirst();\n\n\t\t\t\tif (!entry) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\n\t\t\t\t// Map the stored role level to the Role enum\n\t\t\t\tconst roleLevel = entry.default_role;\n\t\t\t\tconst roleMap: Record<number, RoleLevel> = {\n\t\t\t\t\t50: Role.ADMIN,\n\t\t\t\t\t40: Role.EDITOR,\n\t\t\t\t\t30: Role.AUTHOR,\n\t\t\t\t\t20: Role.CONTRIBUTOR,\n\t\t\t\t\t10: Role.SUBSCRIBER,\n\t\t\t\t};\n\t\t\t\tconst role = roleMap[roleLevel] ?? Role.CONTRIBUTOR;\n\t\t\t\tif (!roleMap[roleLevel]) {\n\t\t\t\t\tconsole.warn(\n\t\t\t\t\t\t`[oauth] Unknown role level ${roleLevel} for domain ${domain}, defaulting to CONTRIBUTOR`,\n\t\t\t\t\t);\n\t\t\t\t}\n\n\t\t\t\treturn { allowed: true, role };\n\t\t\t},\n\t\t};\n\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst setupCompleteBefore = await options.get(\"emdash:setup_complete\");\n\t\tconst user = await handleOAuthCallback(config, adapter, provider, code, state, stateStore);\n\t\tconst isFirstUser = setupCompleteBefore !== true && setupCompleteBefore !== \"true\";\n\n\t\t// Finalize setup outside the transaction (idempotent, safe if two callbacks race).\n\t\tif (isFirstUser) {\n\t\t\tawait finalizeSetup(emdash.db);\n\t\t\tconsole.log(`[oauth] Setup complete: created admin user via ${provider} (${user.email})`);\n\t\t}\n\n\t\t// Create session\n\t\tif (session) {\n\t\t\tsession.set(\"user\", { id: user.id });\n\t\t}\n\n\t\t// Redirect to admin dashboard\n\t\treturn redirect(\"/_emdash/admin\");\n\t} catch (callbackError) {\n\t\tconsole.error(\"OAuth callback error:\", callbackError);\n\n\t\tlet message = \"Authentication failed\";\n\t\tlet errorCode = \"oauth_error\";\n\n\t\tif (callbackError instanceof OAuthError) {\n\t\t\terrorCode = callbackError.code;\n\n\t\t\t// Map all error codes to user-friendly messages (never expose raw error.message)\n\t\t\tswitch (callbackError.code) {\n\t\t\t\tcase \"invalid_state\":\n\t\t\t\t\tmessage = \"OAuth session expired or invalid. Please try again.\";\n\t\t\t\t\tbreak;\n\t\t\t\tcase \"signup_not_allowed\":\n\t\t\t\t\tmessage = \"Self-signup is not allowed for your email. Please contact an administrator.\";\n\t\t\t\t\tbreak;\n\t\t\t\tcase \"user_not_found\":\n\t\t\t\t\tmessage = \"Your account was not found. It may have been deleted.\";\n\t\t\t\t\tbreak;\n\t\t\t\tcase \"token_exchange_failed\":\n\t\t\t\t\tmessage = \"Failed to complete authentication. Please try again.\";\n\t\t\t\t\tbreak;\n\t\t\t\tcase \"profile_fetch_failed\":\n\t\t\t\t\tmessage = \"Failed to retrieve your profile. Please try again.\";\n\t\t\t\t\tbreak;\n\t\t\t\tdefault:\n\t\t\t\t\tmessage = \"Authentication failed. Please try again.\";\n\t\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t\t// For generic errors, keep the default \"Authentication failed\" message\n\n\t\treturn redirect(\n\t\t\t`/_emdash/admin/login?error=${errorCode}&message=${encodeURIComponent(message)}`,\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;AAQA,MAAa,YAAY;AAkBzB,MAAM,kBAAkB,IAAI,IAAY,CAAC,UAAU,SAAS,CAAC;AAE7D,SAAS,gBAAgB,UAA4C;AACpE,QAAO,gBAAgB,IAAI,SAAS;;;AAIrC,SAAS,UAAU,KAA8B,GAAG,MAAoC;AACvF,MAAK,MAAM,OAAO,MAAM;EACvB,MAAM,MAAM,IAAI;AAChB,MAAI,OAAO,QAAQ,YAAY,IAAK,QAAO;;;;;;AAQ7C,SAAS,eAAe,KAAgE;CACvF,MAAM,YAA8C,EAAE;CAGtD,MAAM,iBAAiB,UAAU,KAAK,iCAAiC,mBAAmB;CAC1F,MAAM,qBAAqB,UAC1B,KACA,qCACA,uBACA;AACD,KAAI,kBAAkB,mBACrB,WAAU,SAAS;EAClB,UAAU;EACV,cAAc;EACd;CAIF,MAAM,iBAAiB,UAAU,KAAK,iCAAiC,mBAAmB;CAC1F,MAAM,qBAAqB,UAC1B,KACA,qCACA,uBACA;AACD,KAAI,kBAAkB,mBACrB,WAAU,SAAS;EAClB,UAAU;EACV,cAAc;EACd;AAGF,QAAO;;AAGR,MAAa,MAAgB,OAAO,EAAE,QAAQ,SAAS,QAAQ,SAAS,eAAe;CACtF,MAAM,EAAE,WAAW;CACnB,MAAM,WAAW,OAAO;AAGxB,KAAI,CAAC,YAAY,CAAC,gBAAgB,SAAS,CAC1C,QAAO,SACN,uDAAuD,mBAAmB,yBAAyB,GACnG;AAGF,KAAI,CAAC,QAAQ,GACZ,QAAO,SACN,mDAAmD,mBAAmB,0BAA0B,GAChG;CAGF,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAChC,MAAM,OAAO,IAAI,aAAa,IAAI,OAAO;CACzC,MAAM,QAAQ,IAAI,aAAa,IAAI,QAAQ;CAC3C,MAAM,QAAQ,IAAI,aAAa,IAAI,QAAQ;CAC3C,MAAM,mBAAmB,IAAI,aAAa,IAAI,oBAAoB;AAGlE,KAAI,OAAO;EACV,MAAM,UAAU,oBAAoB;AACpC,SAAO,SACN,mDAAmD,mBAAmB,QAAQ,GAC9E;;AAIF,KAAI,CAAC,QAAQ,CAAC,MACb,QAAO,SACN,uDAAuD,mBAAmB,kCAAkC,GAC5G;AAGF,KAAI;EAMH,MAAM,YAAY,eAHI,OAEI,SAAS,OAAQ,OAAO,KAAK,IAClB;AAErC,MAAI,CAAC,UAAU,UACd,QAAO,SACN,8DAA8D,mBAAmB,kBAAkB,SAAS,oBAAoB,GAChI;EAGF,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAC9C,MAAM,aAAa,sBAAsB,OAAO,GAAG;EAEnD,MAAM,SAA8B;GACnC,SAAS,GAAG,gBAAgB,KAAK,QAAQ,OAAO,CAAC;GACjD;GACA,eAAe,OAAO,UAAkB;IAKvC,MAAM,gBAAgB,MADN,IAAI,kBAAkB,OAAO,GAAG,CACZ,IAAI,wBAAwB;AAChE,QAAI,kBAAkB,QAAQ,kBAAkB,OAC/C,QAAO;KAAE,SAAS;KAAM,MAAM,KAAK;KAAO;IAI3C,MAAM,SAAS,MAAM,MAAM,IAAI,CAAC,IAAI,aAAa;AACjD,QAAI,CAAC,OACJ,QAAO;IAIR,MAAM,QAAQ,MAAM,OAAO,GACzB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,UAAU,KAAK,OAAO,CAC5B,MAAM,WAAW,KAAK,EAAE,CACxB,kBAAkB;AAEpB,QAAI,CAAC,MACJ,QAAO;IAIR,MAAM,YAAY,MAAM;IACxB,MAAM,UAAqC;KAC1C,IAAI,KAAK;KACT,IAAI,KAAK;KACT,IAAI,KAAK;KACT,IAAI,KAAK;KACT,IAAI,KAAK;KACT;IACD,MAAM,OAAO,QAAQ,cAAc,KAAK;AACxC,QAAI,CAAC,QAAQ,WACZ,SAAQ,KACP,8BAA8B,UAAU,cAAc,OAAO,6BAC7D;AAGF,WAAO;KAAE,SAAS;KAAM;KAAM;;GAE/B;EAGD,MAAM,sBAAsB,MADZ,IAAI,kBAAkB,OAAO,GAAG,CACN,IAAI,wBAAwB;EACtE,MAAM,OAAO,MAAM,oBAAoB,QAAQ,SAAS,UAAU,MAAM,OAAO,WAAW;AAI1F,MAHoB,wBAAwB,QAAQ,wBAAwB,QAG3D;AAChB,SAAM,cAAc,OAAO,GAAG;AAC9B,WAAQ,IAAI,kDAAkD,SAAS,IAAI,KAAK,MAAM,GAAG;;AAI1F,MAAI,QACH,SAAQ,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC;AAIrC,SAAO,SAAS,iBAAiB;UACzB,eAAe;AACvB,UAAQ,MAAM,yBAAyB,cAAc;EAErD,IAAI,UAAU;EACd,IAAI,YAAY;AAEhB,MAAI,yBAAyB,YAAY;AACxC,eAAY,cAAc;AAG1B,WAAQ,cAAc,MAAtB;IACC,KAAK;AACJ,eAAU;AACV;IACD,KAAK;AACJ,eAAU;AACV;IACD,KAAK;AACJ,eAAU;AACV;IACD,KAAK;AACJ,eAAU;AACV;IACD,KAAK;AACJ,eAAU;AACV;IACD;AACC,eAAU;AACV;;;AAKH,SAAO,SACN,8BAA8B,UAAU,WAAW,mBAAmB,QAAQ,GAC9E"}

package/dist/astro/routes/api/auth/oauth/_provider_.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/oauth/[provider].d.ts
+declare const prerender = false;
+declare const GET: APIRoute;
+//#endregion
+export { GET, prerender };
+//# sourceMappingURL=_provider_.d.mts.map

package/dist/astro/routes/api/auth/oauth/_provider_.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"_provider_.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/auth/oauth/[provider].ts"],"mappings":";;;cAQa,SAAA;AAAA,cA6DA,GAAA,EAAK,QAAA"}

package/dist/astro/routes/api/auth/oauth/_provider_.mjs ADDED Viewed

@@ -0,0 +1,60 @@
+import { n as getPublicOrigin } from "../../../../../public-url-CseXl9Fv.mjs";
+import { t as createOAuthStateStore } from "../../../../../oauth-state-store-DpsZViTu.mjs";
+import { createAuthorizationUrl } from "@emdash-cms/auth";
+//#region src/astro/routes/api/auth/oauth/[provider].ts
+const prerender = false;
+const VALID_PROVIDERS = new Set(["github", "google"]);
+function isValidProvider(provider) {
+	return VALID_PROVIDERS.has(provider);
+}
+/** Safely extract a string value from an env-like record */
+function envString(env, ...keys) {
+	for (const key of keys) {
+		const val = env[key];
+		if (typeof val === "string" && val) return val;
+	}
+}
+/**
+* Get OAuth config from environment variables
+*/
+function getOAuthConfig(env) {
+	const providers = {};
+	const githubClientId = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_ID", "GITHUB_CLIENT_ID");
+	const githubClientSecret = envString(env, "EMDASH_OAUTH_GITHUB_CLIENT_SECRET", "GITHUB_CLIENT_SECRET");
+	if (githubClientId && githubClientSecret) providers.github = {
+		clientId: githubClientId,
+		clientSecret: githubClientSecret
+	};
+	const googleClientId = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_ID");
+	const googleClientSecret = envString(env, "EMDASH_OAUTH_GOOGLE_CLIENT_SECRET", "GOOGLE_CLIENT_SECRET");
+	if (googleClientId && googleClientSecret) providers.google = {
+		clientId: googleClientId,
+		clientSecret: googleClientSecret
+	};
+	return providers;
+}
+const GET = async ({ params, request, locals, redirect }) => {
+	const { emdash } = locals;
+	const provider = params.provider;
+	const errorRedirectBase = (request.headers.get("referer") ?? "").includes("/setup") ? "/_emdash/admin/setup" : "/_emdash/admin/login";
+	if (!provider || !isValidProvider(provider)) return redirect(`${errorRedirectBase}?error=invalid_provider&message=${encodeURIComponent("Invalid OAuth provider")}`);
+	if (!emdash?.db) return redirect(`${errorRedirectBase}?error=server_error&message=${encodeURIComponent("Database not configured")}`);
+	try {
+		const url = new URL(request.url);
+		const providers = getOAuthConfig(locals.runtime?.env ?? import.meta.env);
+		if (!providers[provider]) return redirect(`${errorRedirectBase}?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured. Set either EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_ID and EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_SECRET, or ${provider.toUpperCase()}_CLIENT_ID and ${provider.toUpperCase()}_CLIENT_SECRET.`)}`);
+		const { url: authUrl } = await createAuthorizationUrl({
+			baseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,
+			providers
+		}, provider, createOAuthStateStore(emdash.db));
+		return redirect(authUrl);
+	} catch (error) {
+		console.error("OAuth initiation error:", error);
+		return redirect(`${errorRedirectBase}?error=oauth_error&message=${encodeURIComponent("Failed to start OAuth flow. Please try again.")}`);
+	}
+};
+//#endregion
+export { GET, prerender };
+//# sourceMappingURL=_provider_.mjs.map

package/dist/astro/routes/api/auth/oauth/_provider_.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"_provider_.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/oauth/[provider].ts"],"sourcesContent":["/**\n * GET /_emdash/api/auth/oauth/[provider]\n *\n * Start OAuth flow - redirects to provider authorization URL\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createAuthorizationUrl, type OAuthConsumerConfig } from \"@emdash-cms/auth\";\n\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { createOAuthStateStore } from \"#auth/oauth-state-store.js\";\n\ntype ProviderName = \"github\" | \"google\";\n\nconst VALID_PROVIDERS = new Set<string>([\"github\", \"google\"]);\n\nfunction isValidProvider(provider: string): provider is ProviderName {\n\treturn VALID_PROVIDERS.has(provider);\n}\n\n/** Safely extract a string value from an env-like record */\nfunction envString(env: Record<string, unknown>, ...keys: string[]): string | undefined {\n\tfor (const key of keys) {\n\t\tconst val = env[key];\n\t\tif (typeof val === \"string\" && val) return val;\n\t}\n\treturn undefined;\n}\n\n/**\n * Get OAuth config from environment variables\n */\nfunction getOAuthConfig(env: Record<string, unknown>): OAuthConsumerConfig[\"providers\"] {\n\tconst providers: OAuthConsumerConfig[\"providers\"] = {};\n\n\t// GitHub\n\tconst githubClientId = envString(env, \"EMDASH_OAUTH_GITHUB_CLIENT_ID\", \"GITHUB_CLIENT_ID\");\n\tconst githubClientSecret = envString(\n\t\tenv,\n\t\t\"EMDASH_OAUTH_GITHUB_CLIENT_SECRET\",\n\t\t\"GITHUB_CLIENT_SECRET\",\n\t);\n\tif (githubClientId && githubClientSecret) {\n\t\tproviders.github = {\n\t\t\tclientId: githubClientId,\n\t\t\tclientSecret: githubClientSecret,\n\t\t};\n\t}\n\n\t// Google\n\tconst googleClientId = envString(env, \"EMDASH_OAUTH_GOOGLE_CLIENT_ID\", \"GOOGLE_CLIENT_ID\");\n\tconst googleClientSecret = envString(\n\t\tenv,\n\t\t\"EMDASH_OAUTH_GOOGLE_CLIENT_SECRET\",\n\t\t\"GOOGLE_CLIENT_SECRET\",\n\t);\n\tif (googleClientId && googleClientSecret) {\n\t\tproviders.google = {\n\t\t\tclientId: googleClientId,\n\t\t\tclientSecret: googleClientSecret,\n\t\t};\n\t}\n\n\treturn providers;\n}\n\nexport const GET: APIRoute = async ({ params, request, locals, redirect }) => {\n\tconst { emdash } = locals;\n\tconst provider = params.provider;\n\n\t// Determine where to redirect errors (setup wizard or login page)\n\tconst referer = request.headers.get(\"referer\") ?? \"\";\n\tconst errorRedirectBase = referer.includes(\"/setup\")\n\t\t? \"/_emdash/admin/setup\"\n\t\t: \"/_emdash/admin/login\";\n\n\t// Validate provider\n\tif (!provider || !isValidProvider(provider)) {\n\t\treturn redirect(\n\t\t\t`${errorRedirectBase}?error=invalid_provider&message=${encodeURIComponent(\"Invalid OAuth provider\")}`,\n\t\t);\n\t}\n\n\tif (!emdash?.db) {\n\t\treturn redirect(\n\t\t\t`${errorRedirectBase}?error=server_error&message=${encodeURIComponent(\"Database not configured\")}`,\n\t\t);\n\t}\n\n\ttry {\n\t\tconst url = new URL(request.url);\n\n\t\t// Get OAuth providers from environment\n\t\t// Access via locals.runtime for Cloudflare, or import.meta.env for Node\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- locals.runtime is injected by the Cloudflare adapter at runtime; not declared on App.Locals since the adapter is optional\n\t\tconst runtimeLocals = locals as unknown as { runtime?: { env?: Record<string, unknown> } };\n\t\t// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env is typed as ImportMetaEnv but we need Record<string, unknown> for getOAuthConfig\n\t\tconst env = runtimeLocals.runtime?.env ?? (import.meta.env as Record<string, unknown>);\n\t\tconst providers = getOAuthConfig(env);\n\n\t\tif (!providers[provider]) {\n\t\t\treturn redirect(\n\t\t\t\t`${errorRedirectBase}?error=provider_not_configured&message=${encodeURIComponent(`OAuth provider ${provider} is not configured. Set either EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_ID and EMDASH_OAUTH_${provider.toUpperCase()}_CLIENT_SECRET, or ${provider.toUpperCase()}_CLIENT_ID and ${provider.toUpperCase()}_CLIENT_SECRET.`)}`,\n\t\t\t);\n\t\t}\n\n\t\tconst config: OAuthConsumerConfig = {\n\t\t\tbaseUrl: `${getPublicOrigin(url, emdash?.config)}/_emdash`,\n\t\t\tproviders,\n\t\t};\n\n\t\tconst stateStore = createOAuthStateStore(emdash.db);\n\n\t\tconst { url: authUrl } = await createAuthorizationUrl(config, provider, stateStore);\n\n\t\treturn redirect(authUrl);\n\t} catch (error) {\n\t\tconsole.error(\"OAuth initiation error:\", error);\n\t\treturn redirect(\n\t\t\t`${errorRedirectBase}?error=oauth_error&message=${encodeURIComponent(\"Failed to start OAuth flow. Please try again.\")}`,\n\t\t);\n\t}\n};\n"],"mappings":";;;;;AAQA,MAAa,YAAY;AASzB,MAAM,kBAAkB,IAAI,IAAY,CAAC,UAAU,SAAS,CAAC;AAE7D,SAAS,gBAAgB,UAA4C;AACpE,QAAO,gBAAgB,IAAI,SAAS;;;AAIrC,SAAS,UAAU,KAA8B,GAAG,MAAoC;AACvF,MAAK,MAAM,OAAO,MAAM;EACvB,MAAM,MAAM,IAAI;AAChB,MAAI,OAAO,QAAQ,YAAY,IAAK,QAAO;;;;;;AAQ7C,SAAS,eAAe,KAAgE;CACvF,MAAM,YAA8C,EAAE;CAGtD,MAAM,iBAAiB,UAAU,KAAK,iCAAiC,mBAAmB;CAC1F,MAAM,qBAAqB,UAC1B,KACA,qCACA,uBACA;AACD,KAAI,kBAAkB,mBACrB,WAAU,SAAS;EAClB,UAAU;EACV,cAAc;EACd;CAIF,MAAM,iBAAiB,UAAU,KAAK,iCAAiC,mBAAmB;CAC1F,MAAM,qBAAqB,UAC1B,KACA,qCACA,uBACA;AACD,KAAI,kBAAkB,mBACrB,WAAU,SAAS;EAClB,UAAU;EACV,cAAc;EACd;AAGF,QAAO;;AAGR,MAAa,MAAgB,OAAO,EAAE,QAAQ,SAAS,QAAQ,eAAe;CAC7E,MAAM,EAAE,WAAW;CACnB,MAAM,WAAW,OAAO;CAIxB,MAAM,qBADU,QAAQ,QAAQ,IAAI,UAAU,IAAI,IAChB,SAAS,SAAS,GACjD,yBACA;AAGH,KAAI,CAAC,YAAY,CAAC,gBAAgB,SAAS,CAC1C,QAAO,SACN,GAAG,kBAAkB,kCAAkC,mBAAmB,yBAAyB,GACnG;AAGF,KAAI,CAAC,QAAQ,GACZ,QAAO,SACN,GAAG,kBAAkB,8BAA8B,mBAAmB,0BAA0B,GAChG;AAGF,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAQhC,MAAM,YAAY,eAHI,OAEI,SAAS,OAAQ,OAAO,KAAK,IAClB;AAErC,MAAI,CAAC,UAAU,UACd,QAAO,SACN,GAAG,kBAAkB,yCAAyC,mBAAmB,kBAAkB,SAAS,8CAA8C,SAAS,aAAa,CAAC,8BAA8B,SAAS,aAAa,CAAC,qBAAqB,SAAS,aAAa,CAAC,iBAAiB,SAAS,aAAa,CAAC,iBAAiB,GAC3U;EAUF,MAAM,EAAE,KAAK,YAAY,MAAM,uBAPK;GACnC,SAAS,GAAG,gBAAgB,KAAK,QAAQ,OAAO,CAAC;GACjD;GACA,EAI6D,UAF3C,sBAAsB,OAAO,GAAG,CAEgC;AAEnF,SAAO,SAAS,QAAQ;UAChB,OAAO;AACf,UAAQ,MAAM,2BAA2B,MAAM;AAC/C,SAAO,SACN,GAAG,kBAAkB,6BAA6B,mBAAmB,gDAAgD,GACrH"}

package/dist/astro/routes/api/auth/passkey/_id_.d.mts ADDED Viewed

@@ -0,0 +1,15 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/passkey/[id].d.ts
+declare const prerender = false;
+/**
+ * PATCH - Rename a passkey
+ */
+declare const PATCH: APIRoute;
+/**
+ * DELETE - Remove a passkey
+ */
+declare const DELETE: APIRoute;
+//#endregion
+export { DELETE, PATCH, prerender };
+//# sourceMappingURL=_id_.d.mts.map

package/dist/astro/routes/api/auth/passkey/_id_.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"_id_.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/[id].ts"],"mappings":";;;cAQa,SAAA;;AAoBb;;cAAa,KAAA,EAAO,QAAA;;;AAsDpB;cAAa,MAAA,EAAQ,QAAA"}

package/dist/astro/routes/api/auth/passkey/_id_.mjs ADDED Viewed

@@ -0,0 +1,64 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import "../../../../../redirects-Dmj6KRU3.mjs";
+import { b as passkeyRenameBody } from "../../../../../setup-BGAJ2uXs.mjs";
+import "../../../../../api/schemas/index.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+//#region src/astro/routes/api/auth/passkey/[id].ts
+const prerender = false;
+/**
+* PATCH - Rename a passkey
+*/
+const PATCH = async ({ params, request, locals }) => {
+	const { emdash, user } = locals;
+	const { id } = params;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	if (!id) return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+		const credential = await adapter.getCredentialById(id);
+		if (!credential || credential.userId !== user.id) return apiError("NOT_FOUND", "Passkey not found", 404);
+		const body = await parseBody(request, passkeyRenameBody);
+		if (isParseError(body)) return body;
+		const trimmedName = body.name.trim() || null;
+		await adapter.updateCredentialName(id, trimmedName);
+		return apiSuccess({ passkey: {
+			id: credential.id,
+			name: trimmedName,
+			deviceType: credential.deviceType,
+			backedUp: credential.backedUp,
+			createdAt: credential.createdAt.toISOString(),
+			lastUsedAt: credential.lastUsedAt.toISOString()
+		} });
+	} catch (error) {
+		return handleError(error, "Failed to rename passkey", "PASSKEY_RENAME_ERROR");
+	}
+};
+/**
+* DELETE - Remove a passkey
+*/
+const DELETE = async ({ params, locals }) => {
+	const { emdash, user } = locals;
+	const { id } = params;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	if (!id) return apiError("MISSING_PARAM", "Passkey ID is required", 400);
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+		const credential = await adapter.getCredentialById(id);
+		if (!credential || credential.userId !== user.id) return apiError("NOT_FOUND", "Passkey not found", 404);
+		if (await adapter.countCredentialsByUserId(user.id) <= 1) return apiError("LAST_PASSKEY", "Cannot remove your last passkey", 400);
+		await adapter.deleteCredential(id);
+		return apiSuccess({ success: true });
+	} catch (error) {
+		return handleError(error, "Failed to delete passkey", "PASSKEY_DELETE_ERROR");
+	}
+};
+//#endregion
+export { DELETE, PATCH, prerender };
+//# sourceMappingURL=_id_.mjs.map

package/dist/astro/routes/api/auth/passkey/_id_.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"_id_.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/[id].ts"],"sourcesContent":["/**\n * PATCH/DELETE /_emdash/api/auth/passkey/[id]\n *\n * Rename or delete a passkey\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { passkeyRenameBody } from \"#api/schemas.js\";\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\n/**\n * PATCH - Rename a passkey\n */\nexport const PATCH: APIRoute = async ({ params, request, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Parse request body\n\t\tconst body = await parseBody(request, passkeyRenameBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Update the name\n\t\tconst trimmedName = body.name.trim() || null;\n\t\tawait adapter.updateCredentialName(id, trimmedName);\n\n\t\t// Return updated passkey info\n\t\tconst passkey: PasskeyResponse = {\n\t\t\tid: credential.id,\n\t\t\tname: trimmedName,\n\t\t\tdeviceType: credential.deviceType,\n\t\t\tbackedUp: credential.backedUp,\n\t\t\tcreatedAt: credential.createdAt.toISOString(),\n\t\t\tlastUsedAt: credential.lastUsedAt.toISOString(),\n\t\t};\n\n\t\treturn apiSuccess({ passkey });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to rename passkey\", \"PASSKEY_RENAME_ERROR\");\n\t}\n};\n\n/**\n * DELETE - Remove a passkey\n */\nexport const DELETE: APIRoute = async ({ params, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Check that this isn't the last passkey\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\n\t\tif (count <= 1) {\n\t\t\treturn apiError(\"LAST_PASSKEY\", \"Cannot remove your last passkey\", 400);\n\t\t}\n\n\t\t// Delete the passkey\n\t\tawait adapter.deleteCredential(id);\n\n\t\treturn apiSuccess({ success: true });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to delete passkey\", \"PASSKEY_DELETE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;AAQA,MAAa,YAAY;;;;AAoBzB,MAAa,QAAkB,OAAO,EAAE,QAAQ,SAAS,aAAa;CACrE,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;EAIvD,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,cAAc,KAAK,KAAK,MAAM,IAAI;AACxC,QAAM,QAAQ,qBAAqB,IAAI,YAAY;AAYnD,SAAO,WAAW,EAAE,SATa;GAChC,IAAI,WAAW;GACf,MAAM;GACN,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,WAAW,WAAW,UAAU,aAAa;GAC7C,YAAY,WAAW,WAAW,aAAa;GAC/C,EAE4B,CAAC;UACtB,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB;;;;;;AAO/E,MAAa,SAAmB,OAAO,EAAE,QAAQ,aAAa;CAC7D,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;AAMvD,MAFc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAEhD,EACZ,QAAO,SAAS,gBAAgB,mCAAmC,IAAI;AAIxE,QAAM,QAAQ,iBAAiB,GAAG;AAElC,SAAO,WAAW,EAAE,SAAS,MAAM,CAAC;UAC5B,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB"}

package/dist/astro/routes/api/auth/passkey/index.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/passkey/index.d.ts
+declare const prerender = false;
+declare const GET: APIRoute;
+//#endregion
+export { GET, prerender };
+//# sourceMappingURL=index.d.mts.map

package/dist/astro/routes/api/auth/passkey/index.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/index.ts"],"mappings":";;;cAQa,SAAA;AAAA,cAeA,GAAA,EAAK,QAAA"}

package/dist/astro/routes/api/auth/passkey/index.mjs ADDED Viewed

@@ -0,0 +1,28 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+//#region src/astro/routes/api/auth/passkey/index.ts
+const prerender = false;
+const GET = async ({ locals }) => {
+	const { emdash, user } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	try {
+		return apiSuccess({ items: (await createKyselyAdapter(emdash.db).getCredentialsByUserId(user.id)).map((cred) => ({
+			id: cred.id,
+			name: cred.name,
+			deviceType: cred.deviceType,
+			backedUp: cred.backedUp,
+			createdAt: cred.createdAt.toISOString(),
+			lastUsedAt: cred.lastUsedAt.toISOString()
+		})) });
+	} catch (error) {
+		return handleError(error, "Failed to list passkeys", "PASSKEY_LIST_ERROR");
+	}
+};
+//#endregion
+export { GET, prerender };
+//# sourceMappingURL=index.mjs.map

package/dist/astro/routes/api/auth/passkey/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/index.ts"],"sourcesContent":["/**\n * GET /_emdash/api/auth/passkey\n *\n * List all passkeys for the authenticated user\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\nexport const GET: APIRoute = async ({ locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tconst credentials = await adapter.getCredentialsByUserId(user.id);\n\n\t\t// Map to public response format (exclude sensitive fields)\n\t\tconst passkeys: PasskeyResponse[] = credentials.map((cred) => ({\n\t\t\tid: cred.id,\n\t\t\tname: cred.name,\n\t\t\tdeviceType: cred.deviceType,\n\t\t\tbackedUp: cred.backedUp,\n\t\t\tcreatedAt: cred.createdAt.toISOString(),\n\t\t\tlastUsedAt: cred.lastUsedAt.toISOString(),\n\t\t}));\n\n\t\treturn apiSuccess({ items: passkeys });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to list passkeys\", \"PASSKEY_LIST_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;AAQA,MAAa,YAAY;AAezB,MAAa,MAAgB,OAAO,EAAE,aAAa;CAClD,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;AAcH,SAAO,WAAW,EAAE,QAZA,MADJ,oBAAoB,OAAO,GAAG,CACZ,uBAAuB,KAAK,GAAG,EAGjB,KAAK,UAAU;GAC9D,IAAI,KAAK;GACT,MAAM,KAAK;GACX,YAAY,KAAK;GACjB,UAAU,KAAK;GACf,WAAW,KAAK,UAAU,aAAa;GACvC,YAAY,KAAK,WAAW,aAAa;GACzC,EAAE,EAEkC,CAAC;UAC9B,OAAO;AACf,SAAO,YAAY,OAAO,2BAA2B,qBAAqB"}

package/dist/astro/routes/api/auth/passkey/options.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/passkey/options.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=options.d.mts.map

package/dist/astro/routes/api/auth/passkey/options.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"options.d.mts","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/options.ts"],"mappings":";;;cAUa,SAAA;AAAA,cAeA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/auth/passkey/options.mjs ADDED Viewed

@@ -0,0 +1,48 @@
+import "../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../types-CwXMEPRr.mjs";
+import { t as OptionsRepository } from "../../../../../options-BL4X94qY.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-tSQWIl5U.mjs";
+import { r as parseOptionalBody, t as isParseError } from "../../../../../parse-BFTPon-J.mjs";
+import "../../../../../redirects-Dmj6KRU3.mjs";
+import { _ as passkeyOptionsBody } from "../../../../../setup-BGAJ2uXs.mjs";
+import "../../../../../api/schemas/index.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-CJhQIk65.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-CseXl9Fv.mjs";
+import { n as createChallengeStore, t as cleanupExpiredChallenges } from "../../../../../challenge-store-CJ0OOHOr.mjs";
+import { t as getPasskeyConfig } from "../../../../../passkey-config-Cg86_ISa.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-t5CVjCO6.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { generateAuthenticationOptions } from "@emdash-cms/auth/passkey";
+//#region src/astro/routes/api/auth/passkey/options.ts
+const prerender = false;
+const POST = async ({ request, locals }) => {
+	const { emdash } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	try {
+		cleanupExpiredChallenges(emdash.db).catch(() => {});
+		const body = await parseOptionalBody(request, passkeyOptionsBody, {});
+		if (isParseError(body)) return body;
+		const ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));
+		if (!(await checkRateLimit(emdash.db, ip, "passkey/options", 10, 60)).allowed) return rateLimitResponse(60);
+		const adapter = createKyselyAdapter(emdash.db);
+		let credentials = [];
+		if (body.email) {
+			const user = await adapter.getUserByEmail(body.email);
+			if (user) credentials = await adapter.getCredentialsByUserId(user.id);
+		}
+		const url = new URL(request.url);
+		const passkeyConfig = getPasskeyConfig(url, await new OptionsRepository(emdash.db).get("emdash:site_title") ?? void 0, getPublicOrigin(url, emdash?.config));
+		const challengeStore = createChallengeStore(emdash.db);
+		return apiSuccess({
+			success: true,
+			options: await generateAuthenticationOptions(passkeyConfig, credentials, challengeStore)
+		});
+	} catch (error) {
+		return handleError(error, "Failed to generate passkey options", "PASSKEY_OPTIONS_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=options.mjs.map

package/dist/astro/routes/api/auth/passkey/options.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/options\n *\n * Get authentication options for passkey login.\n *\n * Rate limited: 10 requests per minute per IP.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateAuthenticationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore, cleanupExpiredChallenges } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { checkRateLimit, getClientIp, rateLimitResponse } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\t// Fire-and-forget cleanup of expired challenges -- prevents accumulation\n\t\tvoid cleanupExpiredChallenges(emdash.db).catch(() => {});\n\n\t\t// Parse body before rate limiting so malformed requests don't consume slots\n\t\tconst body = await parseOptionalBody(request, passkeyOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 10 requests per 60 seconds per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"passkey/options\", 10, 60);\n\t\tif (!rateLimit.allowed) {\n\t\t\treturn rateLimitResponse(60);\n\t\t}\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get credentials to allow\n\t\tlet credentials: Awaited<ReturnType<typeof adapter.getCredentialsByUserId>> = [];\n\n\t\tif (body.email) {\n\t\t\t// Get credentials for specific user\n\t\t\tconst user = await adapter.getUserByEmail(body.email);\n\t\t\tif (user) {\n\t\t\t\tcredentials = await adapter.getCredentialsByUserId(user.id);\n\t\t\t}\n\t\t\t// Don't reveal if user exists - just return empty allowCredentials\n\t\t}\n\t\t// If no email provided, allowCredentials will be undefined (allow any discoverable credential)\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate authentication options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst authOptions = await generateAuthenticationOptions(\n\t\t\tpasskeyConfig,\n\t\t\tcredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\toptions: authOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to generate passkey options\", \"PASSKEY_OPTIONS_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAUA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;AAEH,EAAK,yBAAyB,OAAO,GAAG,CAAC,YAAY,GAAG;EAGxD,MAAM,OAAO,MAAM,kBAAkB,SAAS,oBAAoB,EAAE,CAAC;AACrE,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,mBAAmB,IAAI,GAAG,EACjE,QACd,QAAO,kBAAkB,GAAG;EAG7B,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,IAAI,cAA0E,EAAE;AAEhF,MAAI,KAAK,OAAO;GAEf,MAAM,OAAO,MAAM,QAAQ,eAAe,KAAK,MAAM;AACrD,OAAI,KACH,eAAc,MAAM,QAAQ,uBAAuB,KAAK,GAAG;;EAO7D,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAIhC,MAAM,gBAAgB,iBAAiB,KAFrB,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK,QACrD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;AAOtD,SAAO,WAAW;GACjB,SAAS;GACT,SARmB,MAAM,8BACzB,eACA,aACA,eACA;GAKA,CAAC;UACM,OAAO;AACf,SAAO,YAAY,OAAO,sCAAsC,wBAAwB"}

package/dist/astro/routes/api/auth/passkey/register/options.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/passkey/register/options.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=options.d.mts.map

package/dist/astro/routes/api/auth/passkey/register/options.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"options.d.mts","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/options.ts"],"mappings":";;;cAQa,SAAA;AAAA,cAeA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/auth/passkey/register/options.mjs ADDED Viewed

@@ -0,0 +1,46 @@
+import "../../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../../types-CwXMEPRr.mjs";
+import { t as OptionsRepository } from "../../../../../../options-BL4X94qY.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../../error-tSQWIl5U.mjs";
+import { r as parseOptionalBody, t as isParseError } from "../../../../../../parse-BFTPon-J.mjs";
+import "../../../../../../redirects-Dmj6KRU3.mjs";
+import { v as passkeyRegisterOptionsBody } from "../../../../../../setup-BGAJ2uXs.mjs";
+import "../../../../../../api/schemas/index.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-CseXl9Fv.mjs";
+import { n as createChallengeStore } from "../../../../../../challenge-store-CJ0OOHOr.mjs";
+import { t as getPasskeyConfig } from "../../../../../../passkey-config-Cg86_ISa.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
+//#region src/astro/routes/api/auth/passkey/register/options.ts
+const prerender = false;
+const MAX_PASSKEYS = 10;
+const POST = async ({ request, locals }) => {
+	const { emdash, user } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+		if (await adapter.countCredentialsByUserId(user.id) >= MAX_PASSKEYS) return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
+		const body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});
+		if (isParseError(body)) return body;
+		const existingCredentials = await adapter.getCredentialsByUserId(user.id);
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(emdash.db);
+		const passkeyConfig = getPasskeyConfig(url, await optionsRepo.get("emdash:site_title") ?? void 0, getPublicOrigin(url, emdash?.config));
+		const challengeStore = createChallengeStore(emdash.db);
+		const registrationOptions = await generateRegistrationOptions(passkeyConfig, {
+			id: user.id,
+			email: user.email,
+			name: user.name
+		}, existingCredentials, challengeStore);
+		if (body.name) await optionsRepo.set(`emdash:passkey_pending:${user.id}`, { name: body.name });
+		return apiSuccess({ options: registrationOptions });
+	} catch (error) {
+		return handleError(error, "Failed to generate registration options", "PASSKEY_REGISTER_OPTIONS_ERROR");
+	}
+};
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=options.mjs.map

package/dist/astro/routes/api/auth/passkey/register/options.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/register/options\n *\n * Get WebAuthn registration options for adding a new passkey (authenticated user)\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateRegistrationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyRegisterOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nconst MAX_PASSKEYS = 10;\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Check passkey limit\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\t\tif (count >= MAX_PASSKEYS) {\n\t\t\treturn apiError(\"PASSKEY_LIMIT\", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);\n\t\t}\n\n\t\t// Parse optional name from request\n\t\tconst body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Get existing credentials for excludeCredentials\n\t\tconst existingCredentials = await adapter.getCredentialsByUserId(user.id);\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst optionsRepo = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await optionsRepo.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate registration options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst registrationOptions = await generateRegistrationOptions(\n\t\t\tpasskeyConfig,\n\t\t\t{ id: user.id, email: user.email, name: user.name },\n\t\t\texistingCredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Store the passkey name in the challenge metadata if provided\n\t\t// We'll retrieve it during verification\n\t\tif (body.name) {\n\t\t\t// Store name with challenge for later retrieval\n\t\t\t// The challenge store will need this when verifying\n\t\t\tawait optionsRepo.set(`emdash:passkey_pending:${user.id}`, {\n\t\t\t\tname: body.name,\n\t\t\t});\n\t\t}\n\n\t\treturn apiSuccess({\n\t\t\toptions: registrationOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(\n\t\t\terror,\n\t\t\t\"Failed to generate registration options\",\n\t\t\t\"PASSKEY_REGISTER_OPTIONS_ERROR\",\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;AAQA,MAAa,YAAY;AAazB,MAAM,eAAe;AAErB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAI9C,MADc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAChD,aACZ,QAAO,SAAS,iBAAiB,cAAc,aAAa,oBAAoB,IAAI;EAIrF,MAAM,OAAO,MAAM,kBAAkB,SAAS,4BAA4B,EAAE,CAAC;AAC7E,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,sBAAsB,MAAM,QAAQ,uBAAuB,KAAK,GAAG;EAGzE,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAChC,MAAM,cAAc,IAAI,kBAAkB,OAAO,GAAG;EAGpD,MAAM,gBAAgB,iBAAiB,KAFrB,MAAM,YAAY,IAAY,oBAAoB,IAAK,QACzD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,sBAAsB,MAAM,4BACjC,eACA;GAAE,IAAI,KAAK;GAAI,OAAO,KAAK;GAAO,MAAM,KAAK;GAAM,EACnD,qBACA,eACA;AAID,MAAI,KAAK,KAGR,OAAM,YAAY,IAAI,0BAA0B,KAAK,MAAM,EAC1D,MAAM,KAAK,MACX,CAAC;AAGH,SAAO,WAAW,EACjB,SAAS,qBACT,CAAC;UACM,OAAO;AACf,SAAO,YACN,OACA,2CACA,iCACA"}

package/dist/astro/routes/api/auth/passkey/register/verify.d.mts ADDED Viewed

@@ -0,0 +1,8 @@
+import { APIRoute } from "astro";
+//#region src/astro/routes/api/auth/passkey/register/verify.d.ts
+declare const prerender = false;
+declare const POST: APIRoute;
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=verify.d.mts.map

package/dist/astro/routes/api/auth/passkey/register/verify.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"verify.d.mts","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/verify.ts"],"mappings":";;;cAQa,SAAA;AAAA,cAyBA,IAAA,EAAM,QAAA"}

package/dist/astro/routes/api/auth/passkey/register/verify.mjs ADDED Viewed

@@ -0,0 +1,61 @@
+import "../../../../../../base64-CqR-7kqF.mjs";
+import "../../../../../../types-CwXMEPRr.mjs";
+import { t as OptionsRepository } from "../../../../../../options-BL4X94qY.mjs";
+import { n as apiSuccess, t as apiError } from "../../../../../../error-tSQWIl5U.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../../parse-BFTPon-J.mjs";
+import "../../../../../../redirects-Dmj6KRU3.mjs";
+import { y as passkeyRegisterVerifyBody } from "../../../../../../setup-BGAJ2uXs.mjs";
+import "../../../../../../api/schemas/index.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-CseXl9Fv.mjs";
+import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../../allowed-origins-CDdG-4Gd.mjs";
+import { n as createChallengeStore } from "../../../../../../challenge-store-CJ0OOHOr.mjs";
+import { t as getPasskeyConfig } from "../../../../../../passkey-config-Cg86_ISa.mjs";
+import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
+import { registerPasskey, verifyRegistrationResponse } from "@emdash-cms/auth/passkey";
+//#region src/astro/routes/api/auth/passkey/register/verify.ts
+const prerender = false;
+const MAX_PASSKEYS = 10;
+const POST = async ({ request, locals }) => {
+	const { emdash, user } = locals;
+	if (!emdash?.db) return apiError("NOT_CONFIGURED", "EmDash is not initialized", 500);
+	if (!user) return apiError("NOT_AUTHENTICATED", "Not authenticated", 401);
+	try {
+		const adapter = createKyselyAdapter(emdash.db);
+		if (await adapter.countCredentialsByUserId(user.id) >= MAX_PASSKEYS) return apiError("PASSKEY_LIMIT", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);
+		const body = await parseBody(request, passkeyRegisterVerifyBody);
+		if (isParseError(body)) return body;
+		const url = new URL(request.url);
+		const optionsRepo = new OptionsRepository(emdash.db);
+		const siteName = await optionsRepo.get("emdash:site_title") ?? void 0;
+		const siteUrl = getPublicOrigin(url, emdash?.config);
+		const passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, validateAllowedOrigins(siteUrl, getConfiguredAllowedOrigins(emdash?.config)));
+		const challengeStore = createChallengeStore(emdash.db);
+		const verified = await verifyRegistrationResponse(passkeyConfig, body.credential, challengeStore);
+		let passKeyName = body.name ?? void 0;
+		if (!passKeyName) {
+			const pending = await optionsRepo.get(`emdash:passkey_pending:${user.id}`);
+			if (pending?.name) passKeyName = pending.name;
+		}
+		await optionsRepo.delete(`emdash:passkey_pending:${user.id}`);
+		const credential = await registerPasskey(adapter, user.id, verified, passKeyName);
+		return apiSuccess({ passkey: {
+			id: credential.id,
+			name: credential.name,
+			deviceType: credential.deviceType,
+			backedUp: credential.backedUp,
+			createdAt: credential.createdAt.toISOString(),
+			lastUsedAt: credential.lastUsedAt.toISOString()
+		} });
+	} catch (error) {
+		console.error("Passkey registration verify error:", error);
+		const message = error instanceof Error ? error.message : "";
+		if (message.includes("credential_exists") || message.includes("already")) return apiError("CREDENTIAL_EXISTS", "This passkey is already registered", 400);
+		if (message.includes("challenge") || message.includes("expired")) return apiError("CHALLENGE_EXPIRED", "Registration expired. Please try again.", 400);
+		return apiError("PASSKEY_REGISTER_ERROR", "Registration failed", 500);
+	}
+};
+//#endregion
+export { POST, prerender };
+//# sourceMappingURL=verify.mjs.map