emdash 0.20.0 → 0.21.0

package/dist/astro/routes/api/admin/users/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/admin/users/index.ts"],"sourcesContent":["/**\n * User management list endpoint\n *\n * GET /_emdash/api/admin/users - List users with search, filter, pagination\n */\n\nimport { Role } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport type { APIRoute } from \"astro\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseQuery } from \"#api/parse.js\";\nimport { usersListQuery } from \"#api/schemas.js\";\n\nexport const prerender = false;\n\nexport const GET: APIRoute = async ({ url, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\tif (!user || user.role < Role.ADMIN) {\n\t\treturn apiError(\"FORBIDDEN\", \"Admin privileges required\", 403);\n\t}\n\n\tconst adapter = createKyselyAdapter(emdash.db);\n\n\ttry {\n\t\t// Parse query parameters\n\t\tconst query = parseQuery(url, usersListQuery);\n\t\tif (isParseError(query)) return query;\n\n\t\t// Fetch users\n\t\tconst result = await adapter.getUsers({\n\t\t\tsearch: query.search,\n\t\t\trole: query.role ? parseInt(query.role, 10) : undefined,\n\t\t\tcursor: query.cursor,\n\t\t\tlimit: query.limit,\n\t\t});\n\n\t\t// Transform dates to ISO strings for JSON serialization\n\t\tconst items = result.items.map((u) => ({\n\t\t\tid: u.id,\n\t\t\temail: u.email,\n\t\t\tname: u.name,\n\t\t\tavatarUrl: u.avatarUrl,\n\t\t\trole: u.role,\n\t\t\temailVerified: u.emailVerified,\n\t\t\tdisabled: u.disabled,\n\t\t\tcreatedAt: u.createdAt.toISOString(),\n\t\t\tupdatedAt: u.updatedAt.toISOString(),\n\t\t\tlastLogin: u.lastLogin?.toISOString() ?? null,\n\t\t\tcredentialCount: u.credentialCount,\n\t\t\toauthProviders: u.oauthProviders,\n\t\t}));\n\n\t\treturn apiSuccess({\n\t\t\titems,\n\t\t\tnextCursor: result.nextCursor,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to list users\", \"USER_LIST_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;AAcA,MAAa,YAAY;AAEzB,MAAa,MAAgB,OAAO,EAAE,KAAK,aAAa;CACvD,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI,CAAC,QAAQ,KAAK,OAAO,KAAK,MAC7B,QAAO,SAAS,aAAa,6BAA6B,IAAI;CAG/D,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAE9C,KAAI;EAEH,MAAM,QAAQ,WAAW,KAAK,eAAe;AAC7C,MAAI,aAAa,MAAM,CAAE,QAAO;EAGhC,MAAM,SAAS,MAAM,QAAQ,SAAS;GACrC,QAAQ,MAAM;GACd,MAAM,MAAM,OAAO,SAAS,MAAM,MAAM,GAAG,GAAG;GAC9C,QAAQ,MAAM;GACd,OAAO,MAAM;GACb,CAAC;AAkBF,SAAO,WAAW;GACjB,OAhBa,OAAO,MAAM,KAAK,OAAO;IACtC,IAAI,EAAE;IACN,OAAO,EAAE;IACT,MAAM,EAAE;IACR,WAAW,EAAE;IACb,MAAM,EAAE;IACR,eAAe,EAAE;IACjB,UAAU,EAAE;IACZ,WAAW,EAAE,UAAU,aAAa;IACpC,WAAW,EAAE,UAAU,aAAa;IACpC,WAAW,EAAE,WAAW,aAAa,IAAI;IACzC,iBAAiB,EAAE;IACnB,gBAAgB,EAAE;IAClB,EAAE;GAIF,YAAY,OAAO;GACnB,CAAC;UACM,OAAO;AACf,SAAO,YAAY,OAAO,wBAAwB,kBAAkB"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/admin/users/index.ts"],"sourcesContent":["/**\n * User management list endpoint\n *\n * GET /_emdash/api/admin/users - List users with search, filter, pagination\n */\n\nimport { Role } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport type { APIRoute } from \"astro\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseQuery } from \"#api/parse.js\";\nimport { usersListQuery } from \"#api/schemas.js\";\n\nexport const prerender = false;\n\nexport const GET: APIRoute = async ({ url, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\tif (!user || user.role < Role.ADMIN) {\n\t\treturn apiError(\"FORBIDDEN\", \"Admin privileges required\", 403);\n\t}\n\n\tconst adapter = createKyselyAdapter(emdash.db);\n\n\ttry {\n\t\t// Parse query parameters\n\t\tconst query = parseQuery(url, usersListQuery);\n\t\tif (isParseError(query)) return query;\n\n\t\t// Fetch users\n\t\tconst result = await adapter.getUsers({\n\t\t\tsearch: query.search,\n\t\t\trole: query.role ? parseInt(query.role, 10) : undefined,\n\t\t\tcursor: query.cursor,\n\t\t\tlimit: query.limit,\n\t\t});\n\n\t\t// Transform dates to ISO strings for JSON serialization\n\t\tconst items = result.items.map((u) => ({\n\t\t\tid: u.id,\n\t\t\temail: u.email,\n\t\t\tname: u.name,\n\t\t\tavatarUrl: u.avatarUrl,\n\t\t\trole: u.role,\n\t\t\temailVerified: u.emailVerified,\n\t\t\tdisabled: u.disabled,\n\t\t\tcreatedAt: u.createdAt.toISOString(),\n\t\t\tupdatedAt: u.updatedAt.toISOString(),\n\t\t\tlastLogin: u.lastLogin?.toISOString() ?? null,\n\t\t\tcredentialCount: u.credentialCount,\n\t\t\toauthProviders: u.oauthProviders,\n\t\t}));\n\n\t\treturn apiSuccess({\n\t\t\titems,\n\t\t\tnextCursor: result.nextCursor,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to list users\", \"USER_LIST_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAcA,MAAa,YAAY;AAEzB,MAAa,MAAgB,OAAO,EAAE,KAAK,aAAa;CACvD,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI,CAAC,QAAQ,KAAK,OAAO,KAAK,MAC7B,QAAO,SAAS,aAAa,6BAA6B,IAAI;CAG/D,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAE9C,KAAI;EAEH,MAAM,QAAQ,WAAW,KAAK,eAAe;AAC7C,MAAI,aAAa,MAAM,CAAE,QAAO;EAGhC,MAAM,SAAS,MAAM,QAAQ,SAAS;GACrC,QAAQ,MAAM;GACd,MAAM,MAAM,OAAO,SAAS,MAAM,MAAM,GAAG,GAAG;GAC9C,QAAQ,MAAM;GACd,OAAO,MAAM;GACb,CAAC;AAkBF,SAAO,WAAW;GACjB,OAhBa,OAAO,MAAM,KAAK,OAAO;IACtC,IAAI,EAAE;IACN,OAAO,EAAE;IACT,MAAM,EAAE;IACR,WAAW,EAAE;IACb,MAAM,EAAE;IACR,eAAe,EAAE;IACjB,UAAU,EAAE;IACZ,WAAW,EAAE,UAAU,aAAa;IACpC,WAAW,EAAE,UAAU,aAAa;IACpC,WAAW,EAAE,WAAW,aAAa,IAAI;IACzC,iBAAiB,EAAE;IACnB,gBAAgB,EAAE;IAClB,EAAE;GAIF,YAAY,OAAO;GACnB,CAAC;UACM,OAAO;AACf,SAAO,YAAY,OAAO,wBAAwB,kBAAkB"}

package/dist/astro/routes/api/auth/dev-bypass.mjs

@@ -2,9 +2,9 @@ import { i as runMigrations } from "../../../../runner--4wMWwKM.mjs";
 import "../../../../dialect-helpers-DRI5pyY3.mjs";
 import "../../../../base64-CqR-7kqF.mjs";
 import "../../../../types-BXSUSAjt.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../error-RwM4dD35.mjs";
-import { t as escapeHtml } from "../../../../escape-Ds07EEyu.mjs";
-import { t as isSafeRedirect } from "../../../../redirect-B_q19j4v.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../error-CNn_w7jf.mjs";
+import { t as escapeHtml } from "../../../../escape-DPgcxcpL.mjs";
+import { t as isSafeRedirect } from "../../../../redirect-C-OOkyku.mjs";
 import { ulid } from "ulidx";
 
 //#region src/astro/routes/api/auth/dev-bypass.ts

package/dist/astro/routes/api/auth/invite/accept.mjs

@@ -1,6 +1,6 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { InviteError, roleFromLevel, validateInvite } from "@emdash-cms/auth";
 

package/dist/astro/routes/api/auth/invite/complete.mjs

@@ -1,15 +1,16 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { y as inviteCompleteBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { y as inviteCompleteBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { n as getPublicOrigin } from "../../../../../public-url-BFVC2OTJ.mjs";
-import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../allowed-origins-B1u7Qnvg.mjs";
-import { n as createChallengeStore } from "../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../passkey-config-C3QgnQnU.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-D_zARuvZ.mjs";
+import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../allowed-origins-BqC8cul8.mjs";
+import { n as createChallengeStore } from "../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../passkey-config-BpjbE_Uv.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { InviteError, completeInvite } from "@emdash-cms/auth";
 import { registerPasskey, verifyRegistrationResponse } from "@emdash-cms/auth/passkey";

package/dist/astro/routes/api/auth/invite/complete.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"complete.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/complete.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite/complete\n *\n * Complete the invite by registering a passkey for the new user.\n * This creates the user account and establishes a session.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { completeInvite, InviteError } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { verifyRegistrationResponse, registerPasskey } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { inviteCompleteBody } from \"#api/schemas.js\";\nimport { getConfiguredAllowedOrigins, validateAllowedOrigins } from \"#auth/allowed-origins.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals, session }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteCompleteBody);\n\t\tif (isParseError(body)) return body;\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst allowedOrigins = validateAllowedOrigins(\n\t\t\tsiteUrl,\n\t\t\tgetConfiguredAllowedOrigins(emdash?.config),\n\t\t);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);\n\n\t\t// Verify the passkey registration response\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst verified = await verifyRegistrationResponse(\n\t\t\tpasskeyConfig,\n\t\t\tbody.credential,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Complete the invite - creates the user\n\t\tconst user = await completeInvite(adapter, body.token, {\n\t\t\tname: body.name,\n\t\t});\n\n\t\t// Register the passkey for the new user\n\t\tawait registerPasskey(adapter, user.id, verified, \"Initial passkey\");\n\n\t\t// Create session\n\t\tif (session) {\n\t\t\tsession.set(\"user\", { id: user.id });\n\t\t}\n\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tuser: {\n\t\t\t\tid: user.id,\n\t\t\t\temail: user.email,\n\t\t\t\tname: user.name,\n\t\t\t\trole: user.role,\n\t\t\t},\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tinvalid_token: 404,\n\t\t\t\ttoken_expired: 410,\n\t\t\t\tuser_exists: 409,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(error, \"Failed to complete invite\", \"INVITE_COMPLETE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AASA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,QAAQ,cAAc;CACrE,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,mBAAmB;AACzD,MAAI,aAAa,KAAK,CAAE,QAAO;EAE/B,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAEhC,MAAM,WAAY,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK;EACrE,MAAM,UAAU,gBAAgB,KAAK,QAAQ,OAAO;EAKpD,MAAM,gBAAgB,iBAAiB,KAAK,UAAU,SAJ/B,uBACtB,SACA,4BAA4B,QAAQ,OAAO,CAC3C,CAC6E;EAG9E,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,WAAW,MAAM,2BACtB,eACA,KAAK,YACL,eACA;EAGD,MAAM,OAAO,MAAM,eAAe,SAAS,KAAK,OAAO,EACtD,MAAM,KAAK,MACX,CAAC;AAGF,QAAM,gBAAgB,SAAS,KAAK,IAAI,UAAU,kBAAkB;AAGpE,MAAI,QACH,SAAQ,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC;AAGrC,SAAO,WAAW;GACjB,SAAS;GACT,MAAM;IACL,IAAI,KAAK;IACT,OAAO,KAAK;IACZ,MAAM,KAAK;IACX,MAAM,KAAK;IACX;GACD,CAAC;UACM,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,eAAe;GACf,eAAe;GACf,aAAa;GACb,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YAAY,OAAO,6BAA6B,wBAAwB"}
+{"version":3,"file":"complete.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/complete.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite/complete\n *\n * Complete the invite by registering a passkey for the new user.\n * This creates the user account and establishes a session.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { completeInvite, InviteError } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { verifyRegistrationResponse, registerPasskey } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { inviteCompleteBody } from \"#api/schemas.js\";\nimport { getConfiguredAllowedOrigins, validateAllowedOrigins } from \"#auth/allowed-origins.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals, session }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteCompleteBody);\n\t\tif (isParseError(body)) return body;\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst allowedOrigins = validateAllowedOrigins(\n\t\t\tsiteUrl,\n\t\t\tgetConfiguredAllowedOrigins(emdash?.config),\n\t\t);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);\n\n\t\t// Verify the passkey registration response\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst verified = await verifyRegistrationResponse(\n\t\t\tpasskeyConfig,\n\t\t\tbody.credential,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Complete the invite - creates the user\n\t\tconst user = await completeInvite(adapter, body.token, {\n\t\t\tname: body.name,\n\t\t});\n\n\t\t// Register the passkey for the new user\n\t\tawait registerPasskey(adapter, user.id, verified, \"Initial passkey\");\n\n\t\t// Create session\n\t\tif (session) {\n\t\t\tsession.set(\"user\", { id: user.id });\n\t\t}\n\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tuser: {\n\t\t\t\tid: user.id,\n\t\t\t\temail: user.email,\n\t\t\t\tname: user.name,\n\t\t\t\trole: user.role,\n\t\t\t},\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tinvalid_token: 404,\n\t\t\t\ttoken_expired: 410,\n\t\t\t\tuser_exists: 409,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(error, \"Failed to complete invite\", \"INVITE_COMPLETE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AASA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,QAAQ,cAAc;CACrE,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,mBAAmB;AACzD,MAAI,aAAa,KAAK,CAAE,QAAO;EAE/B,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAEhC,MAAM,WAAY,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK;EACrE,MAAM,UAAU,gBAAgB,KAAK,QAAQ,OAAO;EAKpD,MAAM,gBAAgB,iBAAiB,KAAK,UAAU,SAJ/B,uBACtB,SACA,4BAA4B,QAAQ,OAAO,CAC3C,CAC6E;EAG9E,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,WAAW,MAAM,2BACtB,eACA,KAAK,YACL,eACA;EAGD,MAAM,OAAO,MAAM,eAAe,SAAS,KAAK,OAAO,EACtD,MAAM,KAAK,MACX,CAAC;AAGF,QAAM,gBAAgB,SAAS,KAAK,IAAI,UAAU,kBAAkB;AAGpE,MAAI,QACH,SAAQ,IAAI,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC;AAGrC,SAAO,WAAW;GACjB,SAAS;GACT,MAAM;IACL,IAAI,KAAK;IACT,OAAO,KAAK;IACZ,MAAM,KAAK;IACX,MAAM,KAAK;IACX;GACD,CAAC;UACM,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,eAAe;GACf,eAAe;GACf,aAAa;GACb,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YAAY,OAAO,6BAA6B,wBAAwB"}

package/dist/astro/routes/api/auth/invite/index.mjs

@@ -1,12 +1,13 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { b as inviteCreateBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { b as inviteCreateBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { t as getSiteBaseUrl } from "../../../../../site-url-CnHlmAs9.mjs";
+import { t as getSiteBaseUrl } from "../../../../../site-url-vtsuOvSD.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { InviteError, Role, createInvite } from "@emdash-cms/auth";
 

package/dist/astro/routes/api/auth/invite/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/index.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite\n *\n * Create an invite for a new user. Admin only.\n *\n * When an email provider is configured (via the plugin email pipeline),\n * the invite email is sent automatically.\n * When no provider is configured, returns the invite URL for the admin\n * to share manually (copy-link fallback).\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createInvite, InviteError, Role } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { inviteCreateBody } from \"#api/schemas.js\";\nimport { getSiteBaseUrl } from \"#api/site-url.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\tif (!user || user.role < Role.ADMIN) {\n\t\treturn apiError(\"FORBIDDEN\", \"Admin privileges required\", 403);\n\t}\n\n\tconst adapter = createKyselyAdapter(emdash.db);\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteCreateBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Default to AUTHOR role if not specified (Zod validates the level)\n\t\tconst role = body.role ?? Role.AUTHOR;\n\n\t\t// Get site config for invite email\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) || \"EmDash\";\n\n\t\t// Use stored site URL to prevent Host header spoofing in invite emails\n\t\tconst baseUrl = await getSiteBaseUrl(emdash.db, request);\n\n\t\t// Build email sender from the plugin pipeline (if available)\n\t\tconst emailSend = emdash.email?.isAvailable()\n\t\t\t? (message: { to: string; subject: string; text: string; html?: string }) =>\n\t\t\t\t\temdash.email!.send(message, \"system\")\n\t\t\t: undefined;\n\n\t\tconst result = await createInvite(\n\t\t\t{\n\t\t\t\tbaseUrl,\n\t\t\t\tsiteName,\n\t\t\t\temail: emailSend,\n\t\t\t},\n\t\t\tadapter,\n\t\t\tbody.email,\n\t\t\trole,\n\t\t\tuser.id,\n\t\t);\n\n\t\tif (emailSend) {\n\t\t\t// Email was sent\n\t\t\treturn apiSuccess({\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: `Invite sent to ${body.email}`,\n\t\t\t});\n\t\t}\n\n\t\t// No email provider — return the invite URL for manual sharing\n\t\treturn apiSuccess(\n\t\t\t{\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: \"Invite created. No email provider configured — share the link manually.\",\n\t\t\t\tinviteUrl: result.url,\n\t\t\t},\n\t\t\t200,\n\t\t);\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tuser_exists: 409,\n\t\t\t\tinvalid_token: 400,\n\t\t\t\ttoken_expired: 400,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(error, \"Failed to create invite\", \"INVITE_CREATE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;AAaA,MAAa,YAAY;AAWzB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI,CAAC,QAAQ,KAAK,OAAO,KAAK,MAC7B,QAAO,SAAS,aAAa,6BAA6B,IAAI;CAG/D,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAE9C,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,iBAAiB;AACvD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,OAAO,KAAK,QAAQ,KAAK;EAI/B,MAAM,WAAY,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK;EAGrE,MAAM,UAAU,MAAM,eAAe,OAAO,IAAI,QAAQ;EAGxD,MAAM,YAAY,OAAO,OAAO,aAAa,IACzC,YACD,OAAO,MAAO,KAAK,SAAS,SAAS,GACrC;EAEH,MAAM,SAAS,MAAM,aACpB;GACC;GACA;GACA,OAAO;GACP,EACD,SACA,KAAK,OACL,MACA,KAAK,GACL;AAED,MAAI,UAEH,QAAO,WAAW;GACjB,SAAS;GACT,SAAS,kBAAkB,KAAK;GAChC,CAAC;AAIH,SAAO,WACN;GACC,SAAS;GACT,SAAS;GACT,WAAW,OAAO;GAClB,EACD,IACA;UACO,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,aAAa;GACb,eAAe;GACf,eAAe;GACf,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YAAY,OAAO,2BAA2B,sBAAsB"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/index.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite\n *\n * Create an invite for a new user. Admin only.\n *\n * When an email provider is configured (via the plugin email pipeline),\n * the invite email is sent automatically.\n * When no provider is configured, returns the invite URL for the admin\n * to share manually (copy-link fallback).\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createInvite, InviteError, Role } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { inviteCreateBody } from \"#api/schemas.js\";\nimport { getSiteBaseUrl } from \"#api/site-url.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\tif (!user || user.role < Role.ADMIN) {\n\t\treturn apiError(\"FORBIDDEN\", \"Admin privileges required\", 403);\n\t}\n\n\tconst adapter = createKyselyAdapter(emdash.db);\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteCreateBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Default to AUTHOR role if not specified (Zod validates the level)\n\t\tconst role = body.role ?? Role.AUTHOR;\n\n\t\t// Get site config for invite email\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) || \"EmDash\";\n\n\t\t// Use stored site URL to prevent Host header spoofing in invite emails\n\t\tconst baseUrl = await getSiteBaseUrl(emdash.db, request);\n\n\t\t// Build email sender from the plugin pipeline (if available)\n\t\tconst emailSend = emdash.email?.isAvailable()\n\t\t\t? (message: { to: string; subject: string; text: string; html?: string }) =>\n\t\t\t\t\temdash.email!.send(message, \"system\")\n\t\t\t: undefined;\n\n\t\tconst result = await createInvite(\n\t\t\t{\n\t\t\t\tbaseUrl,\n\t\t\t\tsiteName,\n\t\t\t\temail: emailSend,\n\t\t\t},\n\t\t\tadapter,\n\t\t\tbody.email,\n\t\t\trole,\n\t\t\tuser.id,\n\t\t);\n\n\t\tif (emailSend) {\n\t\t\t// Email was sent\n\t\t\treturn apiSuccess({\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: `Invite sent to ${body.email}`,\n\t\t\t});\n\t\t}\n\n\t\t// No email provider — return the invite URL for manual sharing\n\t\treturn apiSuccess(\n\t\t\t{\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: \"Invite created. No email provider configured — share the link manually.\",\n\t\t\t\tinviteUrl: result.url,\n\t\t\t},\n\t\t\t200,\n\t\t);\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tuser_exists: 409,\n\t\t\t\tinvalid_token: 400,\n\t\t\t\ttoken_expired: 400,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(error, \"Failed to create invite\", \"INVITE_CREATE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;AAaA,MAAa,YAAY;AAWzB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI,CAAC,QAAQ,KAAK,OAAO,KAAK,MAC7B,QAAO,SAAS,aAAa,6BAA6B,IAAI;CAG/D,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAE9C,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,iBAAiB;AACvD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,OAAO,KAAK,QAAQ,KAAK;EAI/B,MAAM,WAAY,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK;EAGrE,MAAM,UAAU,MAAM,eAAe,OAAO,IAAI,QAAQ;EAGxD,MAAM,YAAY,OAAO,OAAO,aAAa,IACzC,YACD,OAAO,MAAO,KAAK,SAAS,SAAS,GACrC;EAEH,MAAM,SAAS,MAAM,aACpB;GACC;GACA;GACA,OAAO;GACP,EACD,SACA,KAAK,OACL,MACA,KAAK,GACL;AAED,MAAI,UAEH,QAAO,WAAW;GACjB,SAAS;GACT,SAAS,kBAAkB,KAAK;GAChC,CAAC;AAIH,SAAO,WACN;GACC,SAAS;GACT,SAAS;GACT,WAAW,OAAO;GAClB,EACD,IACA;UACO,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,aAAa;GACb,eAAe;GACf,eAAe;GACf,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YAAY,OAAO,2BAA2B,sBAAsB"}

package/dist/astro/routes/api/auth/invite/register-options.mjs

@@ -1,14 +1,15 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { x as inviteRegisterOptionsBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { x as inviteRegisterOptionsBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { n as getPublicOrigin } from "../../../../../public-url-BFVC2OTJ.mjs";
-import { n as createChallengeStore } from "../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../passkey-config-C3QgnQnU.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-D_zARuvZ.mjs";
+import { n as createChallengeStore } from "../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../passkey-config-BpjbE_Uv.mjs";
 import { ulid } from "ulidx";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { InviteError, validateInvite } from "@emdash-cms/auth";

package/dist/astro/routes/api/auth/invite/register-options.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"register-options.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/register-options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite/register-options\n *\n * Generate WebAuthn registration options for an invited user.\n * Validates the invite token and creates a temporary user identity\n * for the passkey registration flow.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { validateInvite, InviteError } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateRegistrationOptions } from \"@emdash-cms/auth/passkey\";\nimport { ulid } from \"ulidx\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { inviteRegisterOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteRegisterOptionsBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Validate the invite token to get the email\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tconst invite = await validateInvite(adapter, body.token);\n\n\t\t// Get passkey config\n\t\t// Resolve siteUrl from config / EMDASH_SITE_URL so the RP ID matches the\n\t\t// browser-facing origin when running behind a TLS-terminating reverse proxy\n\t\t// (e.g. Traefik, nginx). Without this, getPasskeyConfig falls back to\n\t\t// url.hostname — the internal hostname like \"localhost\" — and the browser\n\t\t// rejects the WebAuthn registration. See issue #994.\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate registration options with a temporary user identity\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst tempUser = {\n\t\t\tid: ulid(),\n\t\t\temail: invite.email,\n\t\t\tname: body.name || null,\n\t\t};\n\n\t\tconst registrationOptions = await generateRegistrationOptions(\n\t\t\tpasskeyConfig,\n\t\t\ttempUser,\n\t\t\t[],\n\t\t\tchallengeStore,\n\t\t);\n\n\t\treturn apiSuccess({ options: registrationOptions });\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tinvalid_token: 404,\n\t\t\t\ttoken_expired: 410,\n\t\t\t\tuser_exists: 409,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(\n\t\t\terror,\n\t\t\t\"Failed to generate registration options\",\n\t\t\t\"INVITE_REGISTER_OPTIONS_ERROR\",\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAUA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,0BAA0B;AAChE,MAAI,aAAa,KAAK,CAAE,QAAO;EAI/B,MAAM,SAAS,MAAM,eADL,oBAAoB,OAAO,GAAG,EACD,KAAK,MAAM;EAQxD,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAIhC,MAAM,gBAAgB,iBAAiB,KAFrB,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK,QACrD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;AActD,SAAO,WAAW,EAAE,SAPQ,MAAM,4BACjC,eAPgB;GAChB,IAAI,MAAM;GACV,OAAO,OAAO;GACd,MAAM,KAAK,QAAQ;GACnB,EAKA,EAAE,EACF,eACA,EAEiD,CAAC;UAC3C,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,eAAe;GACf,eAAe;GACf,aAAa;GACb,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YACN,OACA,2CACA,gCACA"}
+{"version":3,"file":"register-options.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/invite/register-options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/invite/register-options\n *\n * Generate WebAuthn registration options for an invited user.\n * Validates the invite token and creates a temporary user identity\n * for the passkey registration flow.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { validateInvite, InviteError } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateRegistrationOptions } from \"@emdash-cms/auth/passkey\";\nimport { ulid } from \"ulidx\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { inviteRegisterOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\tconst body = await parseBody(request, inviteRegisterOptionsBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Validate the invite token to get the email\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tconst invite = await validateInvite(adapter, body.token);\n\n\t\t// Get passkey config\n\t\t// Resolve siteUrl from config / EMDASH_SITE_URL so the RP ID matches the\n\t\t// browser-facing origin when running behind a TLS-terminating reverse proxy\n\t\t// (e.g. Traefik, nginx). Without this, getPasskeyConfig falls back to\n\t\t// url.hostname — the internal hostname like \"localhost\" — and the browser\n\t\t// rejects the WebAuthn registration. See issue #994.\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate registration options with a temporary user identity\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst tempUser = {\n\t\t\tid: ulid(),\n\t\t\temail: invite.email,\n\t\t\tname: body.name || null,\n\t\t};\n\n\t\tconst registrationOptions = await generateRegistrationOptions(\n\t\t\tpasskeyConfig,\n\t\t\ttempUser,\n\t\t\t[],\n\t\t\tchallengeStore,\n\t\t);\n\n\t\treturn apiSuccess({ options: registrationOptions });\n\t} catch (error) {\n\t\tif (error instanceof InviteError) {\n\t\t\tconst statusMap: Record<string, number> = {\n\t\t\t\tinvalid_token: 404,\n\t\t\t\ttoken_expired: 410,\n\t\t\t\tuser_exists: 409,\n\t\t\t};\n\t\t\treturn apiError(error.code.toUpperCase(), error.message, statusMap[error.code] ?? 400);\n\t\t}\n\n\t\treturn handleError(\n\t\t\terror,\n\t\t\t\"Failed to generate registration options\",\n\t\t\t\"INVITE_REGISTER_OPTIONS_ERROR\",\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAUA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EACH,MAAM,OAAO,MAAM,UAAU,SAAS,0BAA0B;AAChE,MAAI,aAAa,KAAK,CAAE,QAAO;EAI/B,MAAM,SAAS,MAAM,eADL,oBAAoB,OAAO,GAAG,EACD,KAAK,MAAM;EAQxD,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAIhC,MAAM,gBAAgB,iBAAiB,KAFrB,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK,QACrD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;AActD,SAAO,WAAW,EAAE,SAPQ,MAAM,4BACjC,eAPgB;GAChB,IAAI,MAAM;GACV,OAAO,OAAO;GACd,MAAM,KAAK,QAAQ;GACnB,EAKA,EAAE,EACF,eACA,EAEiD,CAAC;UAC3C,OAAO;AACf,MAAI,iBAAiB,YAMpB,QAAO,SAAS,MAAM,KAAK,aAAa,EAAE,MAAM,SALN;GACzC,eAAe;GACf,eAAe;GACf,aAAa;GACb,CACkE,MAAM,SAAS,IAAI;AAGvF,SAAO,YACN,OACA,2CACA,gCACA"}

package/dist/astro/routes/api/auth/logout.mjs

@@ -1,7 +1,7 @@
 import "../../../../base64-CqR-7kqF.mjs";
 import "../../../../types-BXSUSAjt.mjs";
-import { n as apiSuccess, r as handleError } from "../../../../error-RwM4dD35.mjs";
-import { t as isSafeRedirect } from "../../../../redirect-B_q19j4v.mjs";
+import { n as apiSuccess, r as handleError } from "../../../../error-CNn_w7jf.mjs";
+import { t as isSafeRedirect } from "../../../../redirect-C-OOkyku.mjs";
 
 //#region src/astro/routes/api/auth/logout.ts
 const prerender = false;

package/dist/astro/routes/api/auth/magic-link/send.mjs

@@ -1,14 +1,15 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { S as magicLinkSendBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { S as magicLinkSendBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-B4AfnoAp.mjs";
-import { t as getSiteBaseUrl } from "../../../../../site-url-CnHlmAs9.mjs";
-import { n as getClientIp, t as checkRateLimit } from "../../../../../rate-limit-C7hjdkS5.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-CHp41Fjj.mjs";
+import { t as getSiteBaseUrl } from "../../../../../site-url-vtsuOvSD.mjs";
+import { n as getClientIp, t as checkRateLimit } from "../../../../../rate-limit-hRTBqmw1.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { sendMagicLink } from "@emdash-cms/auth";
 

package/dist/astro/routes/api/auth/magic-link/send.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"send.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/magic-link/send.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/magic-link/send\n *\n * Send a magic link email for passwordless authentication.\n * Always returns success to avoid revealing whether email exists.\n *\n * Rate limited: 3 requests per 5 minutes per IP.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { sendMagicLink, type MagicLinkConfig } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { magicLinkSendBody } from \"#api/schemas.js\";\nimport { getSiteBaseUrl } from \"#api/site-url.js\";\nimport { checkRateLimit, getClientIp } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\t// Parse request body first — avoids consuming rate limit slots on\n\t\t// malformed requests and normalizes timing between rate-limited\n\t\t// and real paths (parse cost evens out the response time).\n\t\tconst body = await parseBody(request, magicLinkSendBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 3 requests per 300 seconds (5 minutes) per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"magic-link/send\", 3, 300);\n\t\tif (!rateLimit.allowed) {\n\t\t\t// Return success-shaped response to avoid revealing rate limit\n\t\t\t// (which could leak information about email enumeration attempts)\n\t\t\treturn apiSuccess({\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t\t});\n\t\t}\n\n\t\t// Check if email pipeline is available\n\t\tif (!emdash.email?.isAvailable()) {\n\t\t\treturn apiError(\n\t\t\t\t\"EMAIL_NOT_CONFIGURED\",\n\t\t\t\t\"Email is not configured. Magic link authentication requires an email provider.\",\n\t\t\t\t503,\n\t\t\t);\n\t\t}\n\n\t\t// Build magic link config using stored site URL (not request Host header)\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst baseUrl = await getSiteBaseUrl(emdash.db, request);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? \"EmDash\";\n\n\t\tconst config: MagicLinkConfig = {\n\t\t\tbaseUrl,\n\t\t\tsiteName,\n\t\t\temail: (message) => emdash.email!.send(message, \"system\"),\n\t\t};\n\n\t\t// Send magic link (silently fails if user doesn't exist)\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tawait sendMagicLink(config, adapter, body.email.toLowerCase());\n\n\t\t// Always return success to avoid revealing if email exists\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t});\n\t} catch (error) {\n\t\tconsole.error(\"Magic link send error:\", error);\n\n\t\t// Still return success to avoid revealing information\n\t\t// Log the error but don't expose it to the client\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t});\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;AAWA,MAAa,YAAY;AAazB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EAIH,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,mBAAmB,GAAG,IAAI,EACjE,QAGd,QAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC;AAIH,MAAI,CAAC,OAAO,OAAO,aAAa,CAC/B,QAAO,SACN,wBACA,kFACA,IACA;EAIF,MAAM,UAAU,IAAI,kBAAkB,OAAO,GAAG;AAYhD,QAAM,cAR0B;GAC/B,SAJe,MAAM,eAAe,OAAO,IAAI,QAAQ;GAKvD,UAJiB,MAAM,QAAQ,IAAY,oBAAoB,IAAK;GAKpE,QAAQ,YAAY,OAAO,MAAO,KAAK,SAAS,SAAS;GACzD,EAGe,oBAAoB,OAAO,GAAG,EACT,KAAK,MAAM,aAAa,CAAC;AAG9D,SAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC;UACM,OAAO;AACf,UAAQ,MAAM,0BAA0B,MAAM;AAI9C,SAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC"}
+{"version":3,"file":"send.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/magic-link/send.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/magic-link/send\n *\n * Send a magic link email for passwordless authentication.\n * Always returns success to avoid revealing whether email exists.\n *\n * Rate limited: 3 requests per 5 minutes per IP.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { sendMagicLink, type MagicLinkConfig } from \"@emdash-cms/auth\";\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { magicLinkSendBody } from \"#api/schemas.js\";\nimport { getSiteBaseUrl } from \"#api/site-url.js\";\nimport { checkRateLimit, getClientIp } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\t// Parse request body first — avoids consuming rate limit slots on\n\t\t// malformed requests and normalizes timing between rate-limited\n\t\t// and real paths (parse cost evens out the response time).\n\t\tconst body = await parseBody(request, magicLinkSendBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 3 requests per 300 seconds (5 minutes) per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"magic-link/send\", 3, 300);\n\t\tif (!rateLimit.allowed) {\n\t\t\t// Return success-shaped response to avoid revealing rate limit\n\t\t\t// (which could leak information about email enumeration attempts)\n\t\t\treturn apiSuccess({\n\t\t\t\tsuccess: true,\n\t\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t\t});\n\t\t}\n\n\t\t// Check if email pipeline is available\n\t\tif (!emdash.email?.isAvailable()) {\n\t\t\treturn apiError(\n\t\t\t\t\"EMAIL_NOT_CONFIGURED\",\n\t\t\t\t\"Email is not configured. Magic link authentication requires an email provider.\",\n\t\t\t\t503,\n\t\t\t);\n\t\t}\n\n\t\t// Build magic link config using stored site URL (not request Host header)\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst baseUrl = await getSiteBaseUrl(emdash.db, request);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? \"EmDash\";\n\n\t\tconst config: MagicLinkConfig = {\n\t\t\tbaseUrl,\n\t\t\tsiteName,\n\t\t\temail: (message) => emdash.email!.send(message, \"system\"),\n\t\t};\n\n\t\t// Send magic link (silently fails if user doesn't exist)\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\t\tawait sendMagicLink(config, adapter, body.email.toLowerCase());\n\n\t\t// Always return success to avoid revealing if email exists\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t});\n\t} catch (error) {\n\t\tconsole.error(\"Magic link send error:\", error);\n\n\t\t// Still return success to avoid revealing information\n\t\t// Log the error but don't expose it to the client\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\tmessage: \"If an account exists for this email, a magic link has been sent.\",\n\t\t});\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;AAWA,MAAa,YAAY;AAazB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;EAIH,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,mBAAmB,GAAG,IAAI,EACjE,QAGd,QAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC;AAIH,MAAI,CAAC,OAAO,OAAO,aAAa,CAC/B,QAAO,SACN,wBACA,kFACA,IACA;EAIF,MAAM,UAAU,IAAI,kBAAkB,OAAO,GAAG;AAYhD,QAAM,cAR0B;GAC/B,SAJe,MAAM,eAAe,OAAO,IAAI,QAAQ;GAKvD,UAJiB,MAAM,QAAQ,IAAY,oBAAoB,IAAK;GAKpE,QAAQ,YAAY,OAAO,MAAO,KAAK,SAAS,SAAS;GACzD,EAGe,oBAAoB,OAAO,GAAG,EACT,KAAK,MAAM,aAAa,CAAC;AAG9D,SAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC;UACM,OAAO;AACf,UAAQ,MAAM,0BAA0B,MAAM;AAI9C,SAAO,WAAW;GACjB,SAAS;GACT,SAAS;GACT,CAAC"}

package/dist/astro/routes/api/auth/magic-link/verify.mjs

@@ -1,7 +1,7 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
-import { t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { t as isSafeRedirect } from "../../../../../redirect-B_q19j4v.mjs";
+import { t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { t as isSafeRedirect } from "../../../../../redirect-C-OOkyku.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { MagicLinkError, verifyMagicLink } from "@emdash-cms/auth";
 

package/dist/astro/routes/api/auth/me.mjs

@@ -1,10 +1,11 @@
 import "../../../../base64-CqR-7kqF.mjs";
 import "../../../../types-BXSUSAjt.mjs";
 import { t as UserRepository } from "../../../../user-C0um7wrg.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../parse-CrGndy1A.mjs";
-import "../../../../redirects-CCbCqCCd.mjs";
-import { v as authMeActionBody } from "../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../parse-DzSrk1t8.mjs";
+import "../../../../redirects-6Zg2SoYo.mjs";
+import { v as authMeActionBody } from "../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../status-2gZklYuj.mjs";
 import "../../../../api/schemas/index.mjs";
 
 //#region src/astro/routes/api/auth/me.ts

package/dist/astro/routes/api/auth/me.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"me.mjs","names":[],"sources":["../../../../../src/astro/routes/api/auth/me.ts"],"sourcesContent":["/**\n * GET /_emdash/api/auth/me\n *\n * Returns the current authenticated user's info.\n * Used by the admin UI to display user info in the header.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { authMeActionBody } from \"#api/schemas.js\";\nimport { UserRepository } from \"#db/repositories/user.js\";\n\nexport const GET: APIRoute = async ({ locals }) => {\n\tconst { user } = locals;\n\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\t// Check if this is the user's first login (for welcome modal).\n\t// The flag is persisted in the user's `data` JSON column so it survives\n\t// session expiry / rotation.\n\tconst isFirstLogin = !user.data?.welcomeDismissed;\n\n\t// Return safe user info (no sensitive data)\n\treturn apiSuccess({\n\t\tid: user.id,\n\t\temail: user.email,\n\t\tname: user.name,\n\t\trole: user.role,\n\t\tavatarUrl: user.avatarUrl,\n\t\tisFirstLogin,\n\t});\n};\n\n/**\n * POST /_emdash/api/auth/me\n *\n * Mark that the user has seen the welcome modal.\n */\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { user, emdash } = locals;\n\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!emdash) return apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\n\tconst body = await parseBody(request, authMeActionBody);\n\tif (isParseError(body)) return body;\n\n\tif (body.action === \"dismissWelcome\") {\n\t\ttry {\n\t\t\t// Persist in the user's data column so it survives session expiry.\n\t\t\tconst userRepo = new UserRepository(emdash.db);\n\t\t\tawait userRepo.update(user.id, {\n\t\t\t\tdata: { ...user.data, welcomeDismissed: true },\n\t\t\t});\n\t\t\treturn apiSuccess({ success: true });\n\t\t} catch (error) {\n\t\t\treturn handleError(error, \"Failed to dismiss welcome\", \"WELCOME_DISMISS_ERROR\");\n\t\t}\n\t}\n\n\treturn apiError(\"UNKNOWN_ACTION\", \"Unknown action\", 400);\n};\n"],"mappings":";;;;;;;;;;AASA,MAAa,YAAY;AAOzB,MAAa,MAAgB,OAAO,EAAE,aAAa;CAClD,MAAM,EAAE,SAAS;AAEjB,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;CAM/D,MAAM,eAAe,CAAC,KAAK,MAAM;AAGjC,QAAO,WAAW;EACjB,IAAI,KAAK;EACT,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,WAAW,KAAK;EAChB;EACA,CAAC;;;;;;;AAQH,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,MAAM,WAAW;AAEzB,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,OAAQ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;CAEhF,MAAM,OAAO,MAAM,UAAU,SAAS,iBAAiB;AACvD,KAAI,aAAa,KAAK,CAAE,QAAO;AAE/B,KAAI,KAAK,WAAW,iBACnB,KAAI;AAGH,QADiB,IAAI,eAAe,OAAO,GAAG,CAC/B,OAAO,KAAK,IAAI,EAC9B,MAAM;GAAE,GAAG,KAAK;GAAM,kBAAkB;GAAM,EAC9C,CAAC;AACF,SAAO,WAAW,EAAE,SAAS,MAAM,CAAC;UAC5B,OAAO;AACf,SAAO,YAAY,OAAO,6BAA6B,wBAAwB;;AAIjF,QAAO,SAAS,kBAAkB,kBAAkB,IAAI"}
+{"version":3,"file":"me.mjs","names":[],"sources":["../../../../../src/astro/routes/api/auth/me.ts"],"sourcesContent":["/**\n * GET /_emdash/api/auth/me\n *\n * Returns the current authenticated user's info.\n * Used by the admin UI to display user info in the header.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { authMeActionBody } from \"#api/schemas.js\";\nimport { UserRepository } from \"#db/repositories/user.js\";\n\nexport const GET: APIRoute = async ({ locals }) => {\n\tconst { user } = locals;\n\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\t// Check if this is the user's first login (for welcome modal).\n\t// The flag is persisted in the user's `data` JSON column so it survives\n\t// session expiry / rotation.\n\tconst isFirstLogin = !user.data?.welcomeDismissed;\n\n\t// Return safe user info (no sensitive data)\n\treturn apiSuccess({\n\t\tid: user.id,\n\t\temail: user.email,\n\t\tname: user.name,\n\t\trole: user.role,\n\t\tavatarUrl: user.avatarUrl,\n\t\tisFirstLogin,\n\t});\n};\n\n/**\n * POST /_emdash/api/auth/me\n *\n * Mark that the user has seen the welcome modal.\n */\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { user, emdash } = locals;\n\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!emdash) return apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\n\tconst body = await parseBody(request, authMeActionBody);\n\tif (isParseError(body)) return body;\n\n\tif (body.action === \"dismissWelcome\") {\n\t\ttry {\n\t\t\t// Persist in the user's data column so it survives session expiry.\n\t\t\tconst userRepo = new UserRepository(emdash.db);\n\t\t\tawait userRepo.update(user.id, {\n\t\t\t\tdata: { ...user.data, welcomeDismissed: true },\n\t\t\t});\n\t\t\treturn apiSuccess({ success: true });\n\t\t} catch (error) {\n\t\t\treturn handleError(error, \"Failed to dismiss welcome\", \"WELCOME_DISMISS_ERROR\");\n\t\t}\n\t}\n\n\treturn apiError(\"UNKNOWN_ACTION\", \"Unknown action\", 400);\n};\n"],"mappings":";;;;;;;;;;;AASA,MAAa,YAAY;AAOzB,MAAa,MAAgB,OAAO,EAAE,aAAa;CAClD,MAAM,EAAE,SAAS;AAEjB,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;CAM/D,MAAM,eAAe,CAAC,KAAK,MAAM;AAGjC,QAAO,WAAW;EACjB,IAAI,KAAK;EACT,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,WAAW,KAAK;EAChB;EACA,CAAC;;;;;;;AAQH,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,MAAM,WAAW;AAEzB,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,OAAQ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;CAEhF,MAAM,OAAO,MAAM,UAAU,SAAS,iBAAiB;AACvD,KAAI,aAAa,KAAK,CAAE,QAAO;AAE/B,KAAI,KAAK,WAAW,iBACnB,KAAI;AAGH,QADiB,IAAI,eAAe,OAAO,GAAG,CAC/B,OAAO,KAAK,IAAI,EAC9B,MAAM;GAAE,GAAG,KAAK;GAAM,kBAAkB;GAAM,EAC9C,CAAC;AACF,SAAO,WAAW,EAAE,SAAS,MAAM,CAAC;UAC5B,OAAO;AACf,SAAO,YAAY,OAAO,6BAA6B,wBAAwB;;AAIjF,QAAO,SAAS,kBAAkB,kBAAkB,IAAI"}

package/dist/astro/routes/api/auth/mode.mjs

@@ -1,4 +1,4 @@
-import { t as getAuthMode } from "../../../../mode-CO2vQHfq.mjs";
+import { t as getAuthMode } from "../../../../mode-CGXzIbD8.mjs";
 
 //#region src/astro/routes/api/auth/mode.ts
 const prerender = false;

package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs

@@ -1,7 +1,7 @@
 import { t as OptionsRepository } from "../../../../../../options-BPCVnesz.mjs";
-import { n as getPublicOrigin } from "../../../../../../public-url-BFVC2OTJ.mjs";
-import { t as finalizeSetup } from "../../../../../../setup-complete-yvPE4OsP.mjs";
-import { t as createOAuthStateStore } from "../../../../../../oauth-state-store-97x0xtN2.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-D_zARuvZ.mjs";
+import { t as finalizeSetup } from "../../../../../../setup-complete-CMMr-oZU.mjs";
+import { t as createOAuthStateStore } from "../../../../../../oauth-state-store-Cd--TUaq.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { OAuthError, Role, handleOAuthCallback } from "@emdash-cms/auth";
 

package/dist/astro/routes/api/auth/oauth/_provider_.mjs

@@ -1,5 +1,5 @@
-import { n as getPublicOrigin } from "../../../../../public-url-BFVC2OTJ.mjs";
-import { t as createOAuthStateStore } from "../../../../../oauth-state-store-97x0xtN2.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-D_zARuvZ.mjs";
+import { t as createOAuthStateStore } from "../../../../../oauth-state-store-Cd--TUaq.mjs";
 import { createAuthorizationUrl } from "@emdash-cms/auth";
 
 //#region src/astro/routes/api/auth/oauth/[provider].ts

package/dist/astro/routes/api/auth/passkey/_id_.mjs

@@ -1,9 +1,10 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { E as passkeyRenameBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { E as passkeyRenameBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 

package/dist/astro/routes/api/auth/passkey/_id_.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"_id_.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/[id].ts"],"sourcesContent":["/**\n * PATCH/DELETE /_emdash/api/auth/passkey/[id]\n *\n * Rename or delete a passkey\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { passkeyRenameBody } from \"#api/schemas.js\";\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\n/**\n * PATCH - Rename a passkey\n */\nexport const PATCH: APIRoute = async ({ params, request, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Parse request body\n\t\tconst body = await parseBody(request, passkeyRenameBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Update the name\n\t\tconst trimmedName = body.name.trim() || null;\n\t\tawait adapter.updateCredentialName(id, trimmedName);\n\n\t\t// Return updated passkey info\n\t\tconst passkey: PasskeyResponse = {\n\t\t\tid: credential.id,\n\t\t\tname: trimmedName,\n\t\t\tdeviceType: credential.deviceType,\n\t\t\tbackedUp: credential.backedUp,\n\t\t\tcreatedAt: credential.createdAt.toISOString(),\n\t\t\tlastUsedAt: credential.lastUsedAt.toISOString(),\n\t\t};\n\n\t\treturn apiSuccess({ passkey });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to rename passkey\", \"PASSKEY_RENAME_ERROR\");\n\t}\n};\n\n/**\n * DELETE - Remove a passkey\n */\nexport const DELETE: APIRoute = async ({ params, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Check that this isn't the last passkey\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\n\t\tif (count <= 1) {\n\t\t\treturn apiError(\"LAST_PASSKEY\", \"Cannot remove your last passkey\", 400);\n\t\t}\n\n\t\t// Delete the passkey\n\t\tawait adapter.deleteCredential(id);\n\n\t\treturn apiSuccess({ success: true });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to delete passkey\", \"PASSKEY_DELETE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;AAQA,MAAa,YAAY;;;;AAoBzB,MAAa,QAAkB,OAAO,EAAE,QAAQ,SAAS,aAAa;CACrE,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;EAIvD,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,cAAc,KAAK,KAAK,MAAM,IAAI;AACxC,QAAM,QAAQ,qBAAqB,IAAI,YAAY;AAYnD,SAAO,WAAW,EAAE,SATa;GAChC,IAAI,WAAW;GACf,MAAM;GACN,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,WAAW,WAAW,UAAU,aAAa;GAC7C,YAAY,WAAW,WAAW,aAAa;GAC/C,EAE4B,CAAC;UACtB,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB;;;;;;AAO/E,MAAa,SAAmB,OAAO,EAAE,QAAQ,aAAa;CAC7D,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;AAMvD,MAFc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAEhD,EACZ,QAAO,SAAS,gBAAgB,mCAAmC,IAAI;AAIxE,QAAM,QAAQ,iBAAiB,GAAG;AAElC,SAAO,WAAW,EAAE,SAAS,MAAM,CAAC;UAC5B,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB"}
+{"version":3,"file":"_id_.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/[id].ts"],"sourcesContent":["/**\n * PATCH/DELETE /_emdash/api/auth/passkey/[id]\n *\n * Rename or delete a passkey\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { passkeyRenameBody } from \"#api/schemas.js\";\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\n/**\n * PATCH - Rename a passkey\n */\nexport const PATCH: APIRoute = async ({ params, request, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Parse request body\n\t\tconst body = await parseBody(request, passkeyRenameBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Update the name\n\t\tconst trimmedName = body.name.trim() || null;\n\t\tawait adapter.updateCredentialName(id, trimmedName);\n\n\t\t// Return updated passkey info\n\t\tconst passkey: PasskeyResponse = {\n\t\t\tid: credential.id,\n\t\t\tname: trimmedName,\n\t\t\tdeviceType: credential.deviceType,\n\t\t\tbackedUp: credential.backedUp,\n\t\t\tcreatedAt: credential.createdAt.toISOString(),\n\t\t\tlastUsedAt: credential.lastUsedAt.toISOString(),\n\t\t};\n\n\t\treturn apiSuccess({ passkey });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to rename passkey\", \"PASSKEY_RENAME_ERROR\");\n\t}\n};\n\n/**\n * DELETE - Remove a passkey\n */\nexport const DELETE: APIRoute = async ({ params, locals }) => {\n\tconst { emdash, user } = locals;\n\tconst { id } = params;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\tif (!id) {\n\t\treturn apiError(\"MISSING_PARAM\", \"Passkey ID is required\", 400);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get the credential and verify ownership\n\t\tconst credential = await adapter.getCredentialById(id);\n\n\t\tif (!credential || credential.userId !== user.id) {\n\t\t\treturn apiError(\"NOT_FOUND\", \"Passkey not found\", 404);\n\t\t}\n\n\t\t// Check that this isn't the last passkey\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\n\t\tif (count <= 1) {\n\t\t\treturn apiError(\"LAST_PASSKEY\", \"Cannot remove your last passkey\", 400);\n\t\t}\n\n\t\t// Delete the passkey\n\t\tawait adapter.deleteCredential(id);\n\n\t\treturn apiSuccess({ success: true });\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to delete passkey\", \"PASSKEY_DELETE_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;AAQA,MAAa,YAAY;;;;AAoBzB,MAAa,QAAkB,OAAO,EAAE,QAAQ,SAAS,aAAa;CACrE,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;EAIvD,MAAM,OAAO,MAAM,UAAU,SAAS,kBAAkB;AACxD,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,cAAc,KAAK,KAAK,MAAM,IAAI;AACxC,QAAM,QAAQ,qBAAqB,IAAI,YAAY;AAYnD,SAAO,WAAW,EAAE,SATa;GAChC,IAAI,WAAW;GACf,MAAM;GACN,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,WAAW,WAAW,UAAU,aAAa;GAC7C,YAAY,WAAW,WAAW,aAAa;GAC/C,EAE4B,CAAC;UACtB,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB;;;;;;AAO/E,MAAa,SAAmB,OAAO,EAAE,QAAQ,aAAa;CAC7D,MAAM,EAAE,QAAQ,SAAS;CACzB,MAAM,EAAE,OAAO;AAEf,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI,CAAC,GACJ,QAAO,SAAS,iBAAiB,0BAA0B,IAAI;AAGhE,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,MAAM,aAAa,MAAM,QAAQ,kBAAkB,GAAG;AAEtD,MAAI,CAAC,cAAc,WAAW,WAAW,KAAK,GAC7C,QAAO,SAAS,aAAa,qBAAqB,IAAI;AAMvD,MAFc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAEhD,EACZ,QAAO,SAAS,gBAAgB,mCAAmC,IAAI;AAIxE,QAAM,QAAQ,iBAAiB,GAAG;AAElC,SAAO,WAAW,EAAE,SAAS,MAAM,CAAC;UAC5B,OAAO;AACf,SAAO,YAAY,OAAO,4BAA4B,uBAAuB"}

package/dist/astro/routes/api/auth/passkey/index.mjs

@@ -1,6 +1,6 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 
 //#region src/astro/routes/api/auth/passkey/index.ts

package/dist/astro/routes/api/auth/passkey/options.mjs

@@ -1,16 +1,17 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { r as parseOptionalBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { C as passkeyOptionsBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { r as parseOptionalBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { C as passkeyOptionsBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-B4AfnoAp.mjs";
-import { n as getPublicOrigin } from "../../../../../public-url-BFVC2OTJ.mjs";
-import { n as createChallengeStore, t as cleanupExpiredChallenges } from "../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../passkey-config-C3QgnQnU.mjs";
-import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-C7hjdkS5.mjs";
+import { t as getTrustedProxyHeaders } from "../../../../../trusted-proxy-CHp41Fjj.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-D_zARuvZ.mjs";
+import { n as createChallengeStore, t as cleanupExpiredChallenges } from "../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../passkey-config-BpjbE_Uv.mjs";
+import { n as getClientIp, r as rateLimitResponse, t as checkRateLimit } from "../../../../../rate-limit-hRTBqmw1.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { generateAuthenticationOptions } from "@emdash-cms/auth/passkey";
 

package/dist/astro/routes/api/auth/passkey/options.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/options\n *\n * Get authentication options for passkey login.\n *\n * Rate limited: 10 requests per minute per IP.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateAuthenticationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore, cleanupExpiredChallenges } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { checkRateLimit, getClientIp, rateLimitResponse } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\t// Fire-and-forget cleanup of expired challenges -- prevents accumulation\n\t\tvoid cleanupExpiredChallenges(emdash.db).catch(() => {});\n\n\t\t// Parse body before rate limiting so malformed requests don't consume slots\n\t\tconst body = await parseOptionalBody(request, passkeyOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 10 requests per 60 seconds per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"passkey/options\", 10, 60);\n\t\tif (!rateLimit.allowed) {\n\t\t\treturn rateLimitResponse(60);\n\t\t}\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get credentials to allow\n\t\tlet credentials: Awaited<ReturnType<typeof adapter.getCredentialsByUserId>> = [];\n\n\t\tif (body.email) {\n\t\t\t// Get credentials for specific user\n\t\t\tconst user = await adapter.getUserByEmail(body.email);\n\t\t\tif (user) {\n\t\t\t\tcredentials = await adapter.getCredentialsByUserId(user.id);\n\t\t\t}\n\t\t\t// Don't reveal if user exists - just return empty allowCredentials\n\t\t}\n\t\t// If no email provided, allowCredentials will be undefined (allow any discoverable credential)\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate authentication options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst authOptions = await generateAuthenticationOptions(\n\t\t\tpasskeyConfig,\n\t\t\tcredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\toptions: authOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to generate passkey options\", \"PASSKEY_OPTIONS_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAUA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;AAEH,EAAK,yBAAyB,OAAO,GAAG,CAAC,YAAY,GAAG;EAGxD,MAAM,OAAO,MAAM,kBAAkB,SAAS,oBAAoB,EAAE,CAAC;AACrE,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,mBAAmB,IAAI,GAAG,EACjE,QACd,QAAO,kBAAkB,GAAG;EAG7B,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,IAAI,cAA0E,EAAE;AAEhF,MAAI,KAAK,OAAO;GAEf,MAAM,OAAO,MAAM,QAAQ,eAAe,KAAK,MAAM;AACrD,OAAI,KACH,eAAc,MAAM,QAAQ,uBAAuB,KAAK,GAAG;;EAO7D,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAIhC,MAAM,gBAAgB,iBAAiB,KAFrB,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK,QACrD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;AAOtD,SAAO,WAAW;GACjB,SAAS;GACT,SARmB,MAAM,8BACzB,eACA,aACA,eACA;GAKA,CAAC;UACM,OAAO;AACf,SAAO,YAAY,OAAO,sCAAsC,wBAAwB"}
+{"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../src/astro/routes/api/auth/passkey/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/options\n *\n * Get authentication options for passkey login.\n *\n * Rate limited: 10 requests per minute per IP.\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateAuthenticationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore, cleanupExpiredChallenges } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { checkRateLimit, getClientIp, rateLimitResponse } from \"#auth/rate-limit.js\";\nimport { getTrustedProxyHeaders } from \"#auth/trusted-proxy.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\ttry {\n\t\t// Fire-and-forget cleanup of expired challenges -- prevents accumulation\n\t\tvoid cleanupExpiredChallenges(emdash.db).catch(() => {});\n\n\t\t// Parse body before rate limiting so malformed requests don't consume slots\n\t\tconst body = await parseOptionalBody(request, passkeyOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Rate limit: 10 requests per 60 seconds per IP\n\t\tconst ip = getClientIp(request, getTrustedProxyHeaders(emdash.config));\n\t\tconst rateLimit = await checkRateLimit(emdash.db, ip, \"passkey/options\", 10, 60);\n\t\tif (!rateLimit.allowed) {\n\t\t\treturn rateLimitResponse(60);\n\t\t}\n\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Get credentials to allow\n\t\tlet credentials: Awaited<ReturnType<typeof adapter.getCredentialsByUserId>> = [];\n\n\t\tif (body.email) {\n\t\t\t// Get credentials for specific user\n\t\t\tconst user = await adapter.getUserByEmail(body.email);\n\t\t\tif (user) {\n\t\t\t\tcredentials = await adapter.getCredentialsByUserId(user.id);\n\t\t\t}\n\t\t\t// Don't reveal if user exists - just return empty allowCredentials\n\t\t}\n\t\t// If no email provided, allowCredentials will be undefined (allow any discoverable credential)\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst options = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await options.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate authentication options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst authOptions = await generateAuthenticationOptions(\n\t\t\tpasskeyConfig,\n\t\t\tcredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\treturn apiSuccess({\n\t\t\tsuccess: true,\n\t\t\toptions: authOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(error, \"Failed to generate passkey options\", \"PASSKEY_OPTIONS_ERROR\");\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;AAUA,MAAa,YAAY;AAezB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,WAAW;AAEnB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAGpE,KAAI;AAEH,EAAK,yBAAyB,OAAO,GAAG,CAAC,YAAY,GAAG;EAGxD,MAAM,OAAO,MAAM,kBAAkB,SAAS,oBAAoB,EAAE,CAAC;AACrE,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,KAAK,YAAY,SAAS,uBAAuB,OAAO,OAAO,CAAC;AAEtE,MAAI,EADc,MAAM,eAAe,OAAO,IAAI,IAAI,mBAAmB,IAAI,GAAG,EACjE,QACd,QAAO,kBAAkB,GAAG;EAG7B,MAAM,UAAU,oBAAoB,OAAO,GAAG;EAG9C,IAAI,cAA0E,EAAE;AAEhF,MAAI,KAAK,OAAO;GAEf,MAAM,OAAO,MAAM,QAAQ,eAAe,KAAK,MAAM;AACrD,OAAI,KACH,eAAc,MAAM,QAAQ,uBAAuB,KAAK,GAAG;;EAO7D,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAIhC,MAAM,gBAAgB,iBAAiB,KAFrB,MADF,IAAI,kBAAkB,OAAO,GAAG,CAChB,IAAY,oBAAoB,IAAK,QACrD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;AAOtD,SAAO,WAAW;GACjB,SAAS;GACT,SARmB,MAAM,8BACzB,eACA,aACA,eACA;GAKA,CAAC;UACM,OAAO;AACf,SAAO,YAAY,OAAO,sCAAsC,wBAAwB"}

package/dist/astro/routes/api/auth/passkey/register/options.mjs

@@ -1,14 +1,15 @@
 import "../../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../../error-RwM4dD35.mjs";
-import { r as parseOptionalBody, t as isParseError } from "../../../../../../parse-CrGndy1A.mjs";
-import "../../../../../../redirects-CCbCqCCd.mjs";
-import { w as passkeyRegisterOptionsBody } from "../../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../../error-CNn_w7jf.mjs";
+import { r as parseOptionalBody, t as isParseError } from "../../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../../redirects-6Zg2SoYo.mjs";
+import { w as passkeyRegisterOptionsBody } from "../../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../../status-2gZklYuj.mjs";
 import "../../../../../../api/schemas/index.mjs";
-import { n as getPublicOrigin } from "../../../../../../public-url-BFVC2OTJ.mjs";
-import { n as createChallengeStore } from "../../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../../passkey-config-C3QgnQnU.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-D_zARuvZ.mjs";
+import { n as createChallengeStore } from "../../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../../passkey-config-BpjbE_Uv.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { generateRegistrationOptions } from "@emdash-cms/auth/passkey";
 

package/dist/astro/routes/api/auth/passkey/register/options.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/register/options\n *\n * Get WebAuthn registration options for adding a new passkey (authenticated user)\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateRegistrationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyRegisterOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nconst MAX_PASSKEYS = 10;\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Check passkey limit\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\t\tif (count >= MAX_PASSKEYS) {\n\t\t\treturn apiError(\"PASSKEY_LIMIT\", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);\n\t\t}\n\n\t\t// Parse optional name from request\n\t\tconst body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Get existing credentials for excludeCredentials\n\t\tconst existingCredentials = await adapter.getCredentialsByUserId(user.id);\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst optionsRepo = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await optionsRepo.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate registration options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst registrationOptions = await generateRegistrationOptions(\n\t\t\tpasskeyConfig,\n\t\t\t{ id: user.id, email: user.email, name: user.name },\n\t\t\texistingCredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Store the passkey name in the challenge metadata if provided\n\t\t// We'll retrieve it during verification\n\t\tif (body.name) {\n\t\t\t// Store name with challenge for later retrieval\n\t\t\t// The challenge store will need this when verifying\n\t\t\tawait optionsRepo.set(`emdash:passkey_pending:${user.id}`, {\n\t\t\t\tname: body.name,\n\t\t\t});\n\t\t}\n\n\t\treturn apiSuccess({\n\t\t\toptions: registrationOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(\n\t\t\terror,\n\t\t\t\"Failed to generate registration options\",\n\t\t\t\"PASSKEY_REGISTER_OPTIONS_ERROR\",\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;AAQA,MAAa,YAAY;AAazB,MAAM,eAAe;AAErB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAI9C,MADc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAChD,aACZ,QAAO,SAAS,iBAAiB,cAAc,aAAa,oBAAoB,IAAI;EAIrF,MAAM,OAAO,MAAM,kBAAkB,SAAS,4BAA4B,EAAE,CAAC;AAC7E,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,sBAAsB,MAAM,QAAQ,uBAAuB,KAAK,GAAG;EAGzE,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAChC,MAAM,cAAc,IAAI,kBAAkB,OAAO,GAAG;EAGpD,MAAM,gBAAgB,iBAAiB,KAFrB,MAAM,YAAY,IAAY,oBAAoB,IAAK,QACzD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,sBAAsB,MAAM,4BACjC,eACA;GAAE,IAAI,KAAK;GAAI,OAAO,KAAK;GAAO,MAAM,KAAK;GAAM,EACnD,qBACA,eACA;AAID,MAAI,KAAK,KAGR,OAAM,YAAY,IAAI,0BAA0B,KAAK,MAAM,EAC1D,MAAM,KAAK,MACX,CAAC;AAGH,SAAO,WAAW,EACjB,SAAS,qBACT,CAAC;UACM,OAAO;AACf,SAAO,YACN,OACA,2CACA,iCACA"}
+{"version":3,"file":"options.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/options.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/register/options\n *\n * Get WebAuthn registration options for adding a new passkey (authenticated user)\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { generateRegistrationOptions } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess, handleError } from \"#api/error.js\";\nimport { isParseError, parseOptionalBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyRegisterOptionsBody } from \"#api/schemas.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nconst MAX_PASSKEYS = 10;\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Check passkey limit\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\t\tif (count >= MAX_PASSKEYS) {\n\t\t\treturn apiError(\"PASSKEY_LIMIT\", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);\n\t\t}\n\n\t\t// Parse optional name from request\n\t\tconst body = await parseOptionalBody(request, passkeyRegisterOptionsBody, {});\n\t\tif (isParseError(body)) return body;\n\n\t\t// Get existing credentials for excludeCredentials\n\t\tconst existingCredentials = await adapter.getCredentialsByUserId(user.id);\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst optionsRepo = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await optionsRepo.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl);\n\n\t\t// Generate registration options\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst registrationOptions = await generateRegistrationOptions(\n\t\t\tpasskeyConfig,\n\t\t\t{ id: user.id, email: user.email, name: user.name },\n\t\t\texistingCredentials,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Store the passkey name in the challenge metadata if provided\n\t\t// We'll retrieve it during verification\n\t\tif (body.name) {\n\t\t\t// Store name with challenge for later retrieval\n\t\t\t// The challenge store will need this when verifying\n\t\t\tawait optionsRepo.set(`emdash:passkey_pending:${user.id}`, {\n\t\t\t\tname: body.name,\n\t\t\t});\n\t\t}\n\n\t\treturn apiSuccess({\n\t\t\toptions: registrationOptions,\n\t\t});\n\t} catch (error) {\n\t\treturn handleError(\n\t\t\terror,\n\t\t\t\"Failed to generate registration options\",\n\t\t\t\"PASSKEY_REGISTER_OPTIONS_ERROR\",\n\t\t);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;AAQA,MAAa,YAAY;AAazB,MAAM,eAAe;AAErB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAI9C,MADc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAChD,aACZ,QAAO,SAAS,iBAAiB,cAAc,aAAa,oBAAoB,IAAI;EAIrF,MAAM,OAAO,MAAM,kBAAkB,SAAS,4BAA4B,EAAE,CAAC;AAC7E,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,sBAAsB,MAAM,QAAQ,uBAAuB,KAAK,GAAG;EAGzE,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAChC,MAAM,cAAc,IAAI,kBAAkB,OAAO,GAAG;EAGpD,MAAM,gBAAgB,iBAAiB,KAFrB,MAAM,YAAY,IAAY,oBAAoB,IAAK,QACzD,gBAAgB,KAAK,QAAQ,OAAO,CACU;EAG9D,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,sBAAsB,MAAM,4BACjC,eACA;GAAE,IAAI,KAAK;GAAI,OAAO,KAAK;GAAO,MAAM,KAAK;GAAM,EACnD,qBACA,eACA;AAID,MAAI,KAAK,KAGR,OAAM,YAAY,IAAI,0BAA0B,KAAK,MAAM,EAC1D,MAAM,KAAK,MACX,CAAC;AAGH,SAAO,WAAW,EACjB,SAAS,qBACT,CAAC;UACM,OAAO;AACf,SAAO,YACN,OACA,2CACA,iCACA"}

package/dist/astro/routes/api/auth/passkey/register/verify.mjs

@@ -1,15 +1,16 @@
 import "../../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, t as apiError } from "../../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../../parse-CrGndy1A.mjs";
-import "../../../../../../redirects-CCbCqCCd.mjs";
-import { T as passkeyRegisterVerifyBody } from "../../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, t as apiError } from "../../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../../redirects-6Zg2SoYo.mjs";
+import { T as passkeyRegisterVerifyBody } from "../../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../../status-2gZklYuj.mjs";
 import "../../../../../../api/schemas/index.mjs";
-import { n as getPublicOrigin } from "../../../../../../public-url-BFVC2OTJ.mjs";
-import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../../allowed-origins-B1u7Qnvg.mjs";
-import { n as createChallengeStore } from "../../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../../passkey-config-C3QgnQnU.mjs";
+import { n as getPublicOrigin } from "../../../../../../public-url-D_zARuvZ.mjs";
+import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../../allowed-origins-BqC8cul8.mjs";
+import { n as createChallengeStore } from "../../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../../passkey-config-BpjbE_Uv.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { registerPasskey, verifyRegistrationResponse } from "@emdash-cms/auth/passkey";
 

package/dist/astro/routes/api/auth/passkey/register/verify.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"verify.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/verify.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/register/verify\n *\n * Verify and store a new passkey credential (authenticated user)\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { verifyRegistrationResponse, registerPasskey } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyRegisterVerifyBody } from \"#api/schemas.js\";\nimport { getConfiguredAllowedOrigins, validateAllowedOrigins } from \"#auth/allowed-origins.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nconst MAX_PASSKEYS = 10;\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Check passkey limit again (in case of concurrent requests)\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\t\tif (count >= MAX_PASSKEYS) {\n\t\t\treturn apiError(\"PASSKEY_LIMIT\", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);\n\t\t}\n\n\t\t// Parse request body\n\t\tconst body = await parseBody(request, passkeyRegisterVerifyBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst optionsRepo = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await optionsRepo.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst allowedOrigins = validateAllowedOrigins(\n\t\t\tsiteUrl,\n\t\t\tgetConfiguredAllowedOrigins(emdash?.config),\n\t\t);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);\n\n\t\t// Verify the registration response\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst verified = await verifyRegistrationResponse(\n\t\t\tpasskeyConfig,\n\t\t\tbody.credential,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Get passkey name - prefer body.name, then check stored pending name\n\t\tlet passKeyName: string | undefined = body.name ?? undefined;\n\t\tif (!passKeyName) {\n\t\t\tconst pending = await optionsRepo.get<{ name?: string }>(`emdash:passkey_pending:${user.id}`);\n\t\t\tif (pending?.name) {\n\t\t\t\tpassKeyName = pending.name;\n\t\t\t}\n\t\t}\n\n\t\t// Clean up pending state\n\t\tawait optionsRepo.delete(`emdash:passkey_pending:${user.id}`);\n\n\t\t// Register the passkey\n\t\tconst credential = await registerPasskey(adapter, user.id, verified, passKeyName);\n\n\t\t// Return the new passkey info\n\t\tconst passkey: PasskeyResponse = {\n\t\t\tid: credential.id,\n\t\t\tname: credential.name,\n\t\t\tdeviceType: credential.deviceType,\n\t\t\tbackedUp: credential.backedUp,\n\t\t\tcreatedAt: credential.createdAt.toISOString(),\n\t\t\tlastUsedAt: credential.lastUsedAt.toISOString(),\n\t\t};\n\n\t\treturn apiSuccess({ passkey });\n\t} catch (error) {\n\t\tconsole.error(\"Passkey registration verify error:\", error);\n\n\t\t// Handle specific errors\n\t\tconst message = error instanceof Error ? error.message : \"\";\n\n\t\t// Check for duplicate credential error\n\t\tif (message.includes(\"credential_exists\") || message.includes(\"already\")) {\n\t\t\treturn apiError(\"CREDENTIAL_EXISTS\", \"This passkey is already registered\", 400);\n\t\t}\n\n\t\t// Check for challenge errors\n\t\tif (message.includes(\"challenge\") || message.includes(\"expired\")) {\n\t\t\treturn apiError(\"CHALLENGE_EXPIRED\", \"Registration expired. Please try again.\", 400);\n\t\t}\n\n\t\treturn apiError(\"PASSKEY_REGISTER_ERROR\", \"Registration failed\", 500);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;AAQA,MAAa,YAAY;AAczB,MAAM,eAAe;AAWrB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAI9C,MADc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAChD,aACZ,QAAO,SAAS,iBAAiB,cAAc,aAAa,oBAAoB,IAAI;EAIrF,MAAM,OAAO,MAAM,UAAU,SAAS,0BAA0B;AAChE,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAChC,MAAM,cAAc,IAAI,kBAAkB,OAAO,GAAG;EACpD,MAAM,WAAY,MAAM,YAAY,IAAY,oBAAoB,IAAK;EACzE,MAAM,UAAU,gBAAgB,KAAK,QAAQ,OAAO;EAKpD,MAAM,gBAAgB,iBAAiB,KAAK,UAAU,SAJ/B,uBACtB,SACA,4BAA4B,QAAQ,OAAO,CAC3C,CAC6E;EAG9E,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,WAAW,MAAM,2BACtB,eACA,KAAK,YACL,eACA;EAGD,IAAI,cAAkC,KAAK,QAAQ;AACnD,MAAI,CAAC,aAAa;GACjB,MAAM,UAAU,MAAM,YAAY,IAAuB,0BAA0B,KAAK,KAAK;AAC7F,OAAI,SAAS,KACZ,eAAc,QAAQ;;AAKxB,QAAM,YAAY,OAAO,0BAA0B,KAAK,KAAK;EAG7D,MAAM,aAAa,MAAM,gBAAgB,SAAS,KAAK,IAAI,UAAU,YAAY;AAYjF,SAAO,WAAW,EAAE,SATa;GAChC,IAAI,WAAW;GACf,MAAM,WAAW;GACjB,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,WAAW,WAAW,UAAU,aAAa;GAC7C,YAAY,WAAW,WAAW,aAAa;GAC/C,EAE4B,CAAC;UACtB,OAAO;AACf,UAAQ,MAAM,sCAAsC,MAAM;EAG1D,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AAGzD,MAAI,QAAQ,SAAS,oBAAoB,IAAI,QAAQ,SAAS,UAAU,CACvE,QAAO,SAAS,qBAAqB,sCAAsC,IAAI;AAIhF,MAAI,QAAQ,SAAS,YAAY,IAAI,QAAQ,SAAS,UAAU,CAC/D,QAAO,SAAS,qBAAqB,2CAA2C,IAAI;AAGrF,SAAO,SAAS,0BAA0B,uBAAuB,IAAI"}
+{"version":3,"file":"verify.mjs","names":[],"sources":["../../../../../../../src/astro/routes/api/auth/passkey/register/verify.ts"],"sourcesContent":["/**\n * POST /_emdash/api/auth/passkey/register/verify\n *\n * Verify and store a new passkey credential (authenticated user)\n */\n\nimport type { APIRoute } from \"astro\";\n\nexport const prerender = false;\n\nimport { createKyselyAdapter } from \"@emdash-cms/auth/adapters/kysely\";\nimport { verifyRegistrationResponse, registerPasskey } from \"@emdash-cms/auth/passkey\";\n\nimport { apiError, apiSuccess } from \"#api/error.js\";\nimport { isParseError, parseBody } from \"#api/parse.js\";\nimport { getPublicOrigin } from \"#api/public-url.js\";\nimport { passkeyRegisterVerifyBody } from \"#api/schemas.js\";\nimport { getConfiguredAllowedOrigins, validateAllowedOrigins } from \"#auth/allowed-origins.js\";\nimport { createChallengeStore } from \"#auth/challenge-store.js\";\nimport { getPasskeyConfig } from \"#auth/passkey-config.js\";\nimport { OptionsRepository } from \"#db/repositories/options.js\";\n\nconst MAX_PASSKEYS = 10;\n\ninterface PasskeyResponse {\n\tid: string;\n\tname: string | null;\n\tdeviceType: \"singleDevice\" | \"multiDevice\";\n\tbackedUp: boolean;\n\tcreatedAt: string;\n\tlastUsedAt: string;\n}\n\nexport const POST: APIRoute = async ({ request, locals }) => {\n\tconst { emdash, user } = locals;\n\n\tif (!emdash?.db) {\n\t\treturn apiError(\"NOT_CONFIGURED\", \"EmDash is not initialized\", 500);\n\t}\n\n\t// Require authentication\n\tif (!user) {\n\t\treturn apiError(\"NOT_AUTHENTICATED\", \"Not authenticated\", 401);\n\t}\n\n\ttry {\n\t\tconst adapter = createKyselyAdapter(emdash.db);\n\n\t\t// Check passkey limit again (in case of concurrent requests)\n\t\tconst count = await adapter.countCredentialsByUserId(user.id);\n\t\tif (count >= MAX_PASSKEYS) {\n\t\t\treturn apiError(\"PASSKEY_LIMIT\", `Maximum of ${MAX_PASSKEYS} passkeys allowed`, 400);\n\t\t}\n\n\t\t// Parse request body\n\t\tconst body = await parseBody(request, passkeyRegisterVerifyBody);\n\t\tif (isParseError(body)) return body;\n\n\t\t// Get passkey config\n\t\tconst url = new URL(request.url);\n\t\tconst optionsRepo = new OptionsRepository(emdash.db);\n\t\tconst siteName = (await optionsRepo.get<string>(\"emdash:site_title\")) ?? undefined;\n\t\tconst siteUrl = getPublicOrigin(url, emdash?.config);\n\t\tconst allowedOrigins = validateAllowedOrigins(\n\t\t\tsiteUrl,\n\t\t\tgetConfiguredAllowedOrigins(emdash?.config),\n\t\t);\n\t\tconst passkeyConfig = getPasskeyConfig(url, siteName, siteUrl, allowedOrigins);\n\n\t\t// Verify the registration response\n\t\tconst challengeStore = createChallengeStore(emdash.db);\n\t\tconst verified = await verifyRegistrationResponse(\n\t\t\tpasskeyConfig,\n\t\t\tbody.credential,\n\t\t\tchallengeStore,\n\t\t);\n\n\t\t// Get passkey name - prefer body.name, then check stored pending name\n\t\tlet passKeyName: string | undefined = body.name ?? undefined;\n\t\tif (!passKeyName) {\n\t\t\tconst pending = await optionsRepo.get<{ name?: string }>(`emdash:passkey_pending:${user.id}`);\n\t\t\tif (pending?.name) {\n\t\t\t\tpassKeyName = pending.name;\n\t\t\t}\n\t\t}\n\n\t\t// Clean up pending state\n\t\tawait optionsRepo.delete(`emdash:passkey_pending:${user.id}`);\n\n\t\t// Register the passkey\n\t\tconst credential = await registerPasskey(adapter, user.id, verified, passKeyName);\n\n\t\t// Return the new passkey info\n\t\tconst passkey: PasskeyResponse = {\n\t\t\tid: credential.id,\n\t\t\tname: credential.name,\n\t\t\tdeviceType: credential.deviceType,\n\t\t\tbackedUp: credential.backedUp,\n\t\t\tcreatedAt: credential.createdAt.toISOString(),\n\t\t\tlastUsedAt: credential.lastUsedAt.toISOString(),\n\t\t};\n\n\t\treturn apiSuccess({ passkey });\n\t} catch (error) {\n\t\tconsole.error(\"Passkey registration verify error:\", error);\n\n\t\t// Handle specific errors\n\t\tconst message = error instanceof Error ? error.message : \"\";\n\n\t\t// Check for duplicate credential error\n\t\tif (message.includes(\"credential_exists\") || message.includes(\"already\")) {\n\t\t\treturn apiError(\"CREDENTIAL_EXISTS\", \"This passkey is already registered\", 400);\n\t\t}\n\n\t\t// Check for challenge errors\n\t\tif (message.includes(\"challenge\") || message.includes(\"expired\")) {\n\t\t\treturn apiError(\"CHALLENGE_EXPIRED\", \"Registration expired. Please try again.\", 400);\n\t\t}\n\n\t\treturn apiError(\"PASSKEY_REGISTER_ERROR\", \"Registration failed\", 500);\n\t}\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAQA,MAAa,YAAY;AAczB,MAAM,eAAe;AAWrB,MAAa,OAAiB,OAAO,EAAE,SAAS,aAAa;CAC5D,MAAM,EAAE,QAAQ,SAAS;AAEzB,KAAI,CAAC,QAAQ,GACZ,QAAO,SAAS,kBAAkB,6BAA6B,IAAI;AAIpE,KAAI,CAAC,KACJ,QAAO,SAAS,qBAAqB,qBAAqB,IAAI;AAG/D,KAAI;EACH,MAAM,UAAU,oBAAoB,OAAO,GAAG;AAI9C,MADc,MAAM,QAAQ,yBAAyB,KAAK,GAAG,IAChD,aACZ,QAAO,SAAS,iBAAiB,cAAc,aAAa,oBAAoB,IAAI;EAIrF,MAAM,OAAO,MAAM,UAAU,SAAS,0BAA0B;AAChE,MAAI,aAAa,KAAK,CAAE,QAAO;EAG/B,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;EAChC,MAAM,cAAc,IAAI,kBAAkB,OAAO,GAAG;EACpD,MAAM,WAAY,MAAM,YAAY,IAAY,oBAAoB,IAAK;EACzE,MAAM,UAAU,gBAAgB,KAAK,QAAQ,OAAO;EAKpD,MAAM,gBAAgB,iBAAiB,KAAK,UAAU,SAJ/B,uBACtB,SACA,4BAA4B,QAAQ,OAAO,CAC3C,CAC6E;EAG9E,MAAM,iBAAiB,qBAAqB,OAAO,GAAG;EACtD,MAAM,WAAW,MAAM,2BACtB,eACA,KAAK,YACL,eACA;EAGD,IAAI,cAAkC,KAAK,QAAQ;AACnD,MAAI,CAAC,aAAa;GACjB,MAAM,UAAU,MAAM,YAAY,IAAuB,0BAA0B,KAAK,KAAK;AAC7F,OAAI,SAAS,KACZ,eAAc,QAAQ;;AAKxB,QAAM,YAAY,OAAO,0BAA0B,KAAK,KAAK;EAG7D,MAAM,aAAa,MAAM,gBAAgB,SAAS,KAAK,IAAI,UAAU,YAAY;AAYjF,SAAO,WAAW,EAAE,SATa;GAChC,IAAI,WAAW;GACf,MAAM,WAAW;GACjB,YAAY,WAAW;GACvB,UAAU,WAAW;GACrB,WAAW,WAAW,UAAU,aAAa;GAC7C,YAAY,WAAW,WAAW,aAAa;GAC/C,EAE4B,CAAC;UACtB,OAAO;AACf,UAAQ,MAAM,sCAAsC,MAAM;EAG1D,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AAGzD,MAAI,QAAQ,SAAS,oBAAoB,IAAI,QAAQ,SAAS,UAAU,CACvE,QAAO,SAAS,qBAAqB,sCAAsC,IAAI;AAIhF,MAAI,QAAQ,SAAS,YAAY,IAAI,QAAQ,SAAS,UAAU,CAC/D,QAAO,SAAS,qBAAqB,2CAA2C,IAAI;AAGrF,SAAO,SAAS,0BAA0B,uBAAuB,IAAI"}

package/dist/astro/routes/api/auth/passkey/verify.mjs

@@ -1,15 +1,16 @@
 import "../../../../../base64-CqR-7kqF.mjs";
 import "../../../../../types-BXSUSAjt.mjs";
 import { t as OptionsRepository } from "../../../../../options-BPCVnesz.mjs";
-import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-RwM4dD35.mjs";
-import { n as parseBody, t as isParseError } from "../../../../../parse-CrGndy1A.mjs";
-import "../../../../../redirects-CCbCqCCd.mjs";
-import { D as passkeyVerifyBody } from "../../../../../byline-fields-8TMtkBnH.mjs";
+import { n as apiSuccess, r as handleError, t as apiError } from "../../../../../error-CNn_w7jf.mjs";
+import { n as parseBody, t as isParseError } from "../../../../../parse-DzSrk1t8.mjs";
+import "../../../../../redirects-6Zg2SoYo.mjs";
+import { D as passkeyVerifyBody } from "../../../../../byline-fields-B0NO1yUB.mjs";
+import "../../../../../status-2gZklYuj.mjs";
 import "../../../../../api/schemas/index.mjs";
-import { n as getPublicOrigin } from "../../../../../public-url-BFVC2OTJ.mjs";
-import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../allowed-origins-B1u7Qnvg.mjs";
-import { n as createChallengeStore } from "../../../../../challenge-store-DXX3rfdI.mjs";
-import { t as getPasskeyConfig } from "../../../../../passkey-config-C3QgnQnU.mjs";
+import { n as getPublicOrigin } from "../../../../../public-url-D_zARuvZ.mjs";
+import { n as validateAllowedOrigins, t as getConfiguredAllowedOrigins } from "../../../../../allowed-origins-BqC8cul8.mjs";
+import { n as createChallengeStore } from "../../../../../challenge-store-woE0bbCf.mjs";
+import { t as getPasskeyConfig } from "../../../../../passkey-config-BpjbE_Uv.mjs";
 import { createKyselyAdapter } from "@emdash-cms/auth/adapters/kysely";
 import { PasskeyAuthenticationError, authenticateWithPasskey } from "@emdash-cms/auth/passkey";