mulguard 1.0.1 → 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +70 -0
- package/README.md +799 -123
- package/dist/client/index.js +1 -1
- package/dist/client/index.mjs +34 -32
- package/dist/client/provider.d.ts +50 -6
- package/dist/core/auth/signin-unified.d.ts +1 -1
- package/dist/index/index.js +1 -1
- package/dist/index/index.mjs +824 -728
- package/dist/mulguard.d.ts +32 -5
- package/package.json +1 -1
- package/dist/signin-unified-BS2gxaG1.mjs +0 -30
- package/dist/signin-unified-Cw41EFkc.js +0 -1
package/dist/client/index.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const o=require("react"),
|
|
1
|
+
"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const o=require("react"),O=require("react/jsx-runtime");function v(){return typeof window>"u"}async function h(){try{return await Promise.resolve().then(()=>require("../actions-CExpv_dD.js")).then(l=>l.actions)}catch{return null}}async function N(e,l){if(v())return e.verify2FA?e.verify2FA(l):{success:!1,error:"2FA verification is not configured"};try{const r=await h();if(r)return await r.verify2FAAction(e,l)}catch{}try{const r=await fetch("/api/auth/verify-2fa",{method:"POST",headers:{"Content-Type":"application/json"},credentials:"include",body:JSON.stringify(l)});if(!r.ok){const a=await r.json().catch(()=>({}));return{success:!1,error:a.error||"2FA verification failed",errorCode:a.errorCode}}return await r.json()}catch(r){return{success:!1,error:r instanceof Error?r.message:"2FA verification failed"}}}async function _(e,l){var r;if(v())return(r=e.signIn)!=null&&r.email?e.signIn.email(l):{success:!1,error:"Email sign in is not configured"};try{const a=await h();if(a)return await a.signInEmailAction(e,l)}catch{}try{const a=await fetch("/api/auth/sign-in",{method:"POST",headers:{"Content-Type":"application/json"},credentials:"include",body:JSON.stringify({provider:"email",credentials:l})});if(!a.ok){const u=await a.json().catch(()=>({}));return{success:!1,error:u.error||"Sign in failed",errorCode:u.errorCode}}return await a.json()}catch(a){return{success:!1,error:a instanceof Error?a.message:"Sign in failed"}}}async function D(e,l){if(v())return e.signUp?e.signUp(l):{success:!1,error:"Sign up is not configured"};try{const r=await h();if(r)return await r.signUpAction(e,l)}catch{}try{const r=await fetch("/api/auth/sign-up",{method:"POST",headers:{"Content-Type":"application/json"},credentials:"include",body:JSON.stringify(l)});if(!r.ok){const a=await r.json().catch(()=>({}));return{success:!1,error:a.error||"Sign up failed",errorCode:a.errorCode}}return await r.json()}catch(r){return{success:!1,error:r instanceof Error?r.message:"Sign up failed"}}}function E(e){const[l,r]=o.useState(null),[a,u]=o.useState(!0),c=o.useCallback(async(s=!1)=>{u(!0);try{const n="/api/auth/session"+(s?`?t=${Date.now()}`:""),i=await fetch(n,{method:"GET",credentials:"include",headers:{"Content-Type":"application/json","Cache-Control":"no-cache, no-store, must-revalidate",Pragma:"no-cache",Expires:"0"},cache:"no-store"});if(i.status===401||i.status===403){r(null);return}if(i.ok){const t=await i.json();t.session?r(t.session):r(null)}else r(null)}catch(n){process.env.NODE_ENV==="development"&&console.error("Failed to load session:",n),r(null)}finally{u(!1)}},[e]),g=o.useCallback(s=>{if(!s||!s.expiresAt||!e.refreshSession)return()=>{};const n=new Date(s.expiresAt),i=new Date,t=n.getTime()-i.getTime(),f=5*60*1e3;if(t>0&&t<f)return e.refreshSession().catch(()=>{}),()=>{};if(t>f){const p=t-f,S=setTimeout(()=>{var C;(C=e.refreshSession)==null||C.call(e).catch(()=>{})},p);return()=>clearTimeout(S)}return()=>{}},[e]);o.useEffect(()=>{let s=null;(async()=>{await c();try{const t=await fetch("/api/auth/session",{method:"GET",credentials:"include",headers:{"Content-Type":"application/json"},cache:"no-store"});if(t.ok){const f=await t.json();f.session?s=g(f.session):r(null)}else r(null)}catch(t){process.env.NODE_ENV==="development"&&console.debug("Failed to schedule proactive refresh:",t),r(null)}})();const i=setInterval(()=>{fetch("/api/auth/session",{method:"GET",credentials:"include",headers:{"Content-Type":"application/json"},cache:"no-store"}).then(t=>t.status===401||t.status===403?(r(null),s&&(s(),s=null),typeof window<"u"&&window.location.pathname!=="/auth/login"&&window.location.replace("/auth/login?reason=session_expired"),null):t.json()).then(t=>{t&&(t.session?(r(t.session),s&&s(),s=g(t.session)):(r(null),s&&(s(),s=null)))}).catch(()=>{r(null),s&&(s(),s=null)})},60*1e3);return()=>{clearInterval(i),s&&s()}},[c,g]);const y=o.useCallback(async s=>{try{const n=await _(e,s);return n.success&&await c(),n}catch(n){return{success:!1,error:n instanceof Error?n.message:"Sign in failed"}}},[e,c]),w=o.useCallback(async s=>{if(!e.signIn.oauth)throw new Error("OAuth sign in is not configured");return e.signIn.oauth(s)},[e]),d=o.useCallback(async s=>{if(!e.signIn.passkey)return{success:!1,error:"PassKey sign in is not configured"};try{const n=await e.signIn.passkey(s);return n.success&&await c(),n}catch(n){return{success:!1,error:n instanceof Error?n.message:"PassKey authentication failed"}}},[e,c]),m=o.useCallback(async s=>{if(!e.signUp)return{success:!1,error:"Sign up is not configured"};try{const n=await D(e,s);return n.success&&await c(),n}catch(n){return{success:!1,error:n instanceof Error?n.message:"Sign up failed"}}},[e,c]),U=o.useCallback(async()=>{var s,n;try{if(r(null),u(!0),typeof window<"u"){try{window.sessionStorage.clear()}catch{}try{const i=(s=e._getSessionConfig)==null?void 0:s.call(e),t=(i==null?void 0:i.cookieName)||"__mulguard_session";try{window.localStorage.removeItem(t)}catch{}}catch{}}if(await e.signOut(),await c(!0),r(null),u(!1),typeof window<"u"){const i="/auth/login",t=window.location.pathname,f=window.location.search;if(t===i||t.startsWith("/auth/")){window.location.reload();return}const p=new URL(i,window.location.origin);t&&t!=="/"&&p.searchParams.set("redirect",t+f),window.location.replace(p.toString())}}catch(i){if(process.env.NODE_ENV==="development"&&console.error("Sign out error:",i),r(null),u(!1),typeof window<"u"){try{window.sessionStorage.clear();const f=(n=e._getSessionConfig)==null?void 0:n.call(e),p=(f==null?void 0:f.cookieName)||"__mulguard_session";try{window.localStorage.removeItem(p)}catch{}}catch{}const t="/auth/login";window.location.pathname!==t&&!window.location.pathname.startsWith("/auth/")?window.location.replace(t):window.location.reload()}}},[e,c]),T=o.useCallback(async s=>{if(!e.resetPassword)throw new Error("Password reset is not configured");return e.resetPassword(s)},[e]),F=o.useCallback(async s=>{if(!e.verifyEmail)throw new Error("Email verification is not configured");return e.verifyEmail(s)},[e]),x=o.useCallback(async s=>{if(!e.verify2FA)return{success:!1,error:"2FA verification is not configured"};try{const n=await N(e,s);return n.success&&(await new Promise(i=>setTimeout(i,100)),await c()),n}catch(n){return{success:!1,error:n instanceof Error?n.message:"2FA verification failed"}}},[e,c]),j=o.useCallback(async(s,n)=>e.signIn(s,n),[e]);return{session:l,isLoading:a,signIn:j,signInMethods:{email:y,oauth:w,passkey:d,otp:o.useCallback(async(s,n)=>{if(!e.signIn.otp)return{success:!1,error:"OTP sign in is not configured"};try{const i=await e.signIn.otp(s,n);return i.success&&await c(),i}catch(i){return{success:!1,error:i instanceof Error?i.message:"OTP sign in failed"}}},[e,c])},signUp:m,signOut:U,resetPassword:T,verifyEmail:F,verify2FA:x}}function A(e){const[l,r]=o.useState(null),[a,u]=o.useState(!0),[c,g]=o.useState(null),y=o.useCallback(async()=>{u(!0),g(null);try{const w=await e.getSession();r(w)}catch(w){const d=w instanceof Error?w:new Error("Failed to load session");g(d),r(null)}finally{u(!1)}},[e]);return o.useEffect(()=>{y();const w=setInterval(()=>{y()},5*60*1e3);return()=>clearInterval(w)},[y]),{session:l,isLoading:a,error:c}}function P(e){const[l,r]=o.useState([]),[a,u]=o.useState(!0),c=o.useCallback(async()=>{if(!e.accountPicker){r([]),u(!1);return}u(!0);try{const d=await e.accountPicker.getLastUsers();r(d)}catch(d){process.env.NODE_ENV==="development"&&console.error("Failed to load last users:",d),r([])}finally{u(!1)}},[e]);o.useEffect(()=>{c()},[c]);const g=o.useCallback(async(d,m)=>{e.accountPicker&&(await e.accountPicker.rememberUser(d,m),await c())},[e,c]),y=o.useCallback(async d=>{e.accountPicker&&(await e.accountPicker.clearUser(d),await c())},[e,c]),w=o.useCallback(async()=>{e.accountPicker&&(await e.accountPicker.clearAll(),await c())},[e,c]);return{lastUsers:l,isLoading:a,rememberUser:g,clearUser:y,clearAll:w,refresh:c}}const b=o.createContext(null);function I({auth:e,children:l}){const r=A(e),a=P(e);return O.jsx(b.Provider,{value:{auth:e,session:r,accountPicker:a},children:l})}function k(){const e=o.useContext(b);if(!e)throw new Error("useMulguardContext must be used within MulguardProvider");return e}function L(){const{auth:e}=k();return E(e)}const M=I,R=k;exports.AuthProvider=M;exports.MulguardProvider=I;exports.useAccountPicker=P;exports.useAuth=E;exports.useAuthContext=R;exports.useAuthFromContext=L;exports.useMulguardContext=k;exports.useSession=A;
|
package/dist/client/index.mjs
CHANGED
|
@@ -1,5 +1,4 @@
|
|
|
1
|
-
import { useState as y, useCallback as l, useEffect as
|
|
2
|
-
import { s as x } from "../signin-unified-BS2gxaG1.mjs";
|
|
1
|
+
import { useState as y, useCallback as l, useEffect as h, createContext as x, useContext as O } from "react";
|
|
3
2
|
import { jsx as N } from "react/jsx-runtime";
|
|
4
3
|
function E() {
|
|
5
4
|
return typeof window > "u";
|
|
@@ -175,7 +174,7 @@ function L(e) {
|
|
|
175
174
|
return () => {
|
|
176
175
|
};
|
|
177
176
|
}, [e]);
|
|
178
|
-
|
|
177
|
+
h(() => {
|
|
179
178
|
let n = null;
|
|
180
179
|
(async () => {
|
|
181
180
|
await i();
|
|
@@ -255,7 +254,7 @@ function L(e) {
|
|
|
255
254
|
}
|
|
256
255
|
},
|
|
257
256
|
[e, i]
|
|
258
|
-
),
|
|
257
|
+
), v = l(
|
|
259
258
|
async (n) => {
|
|
260
259
|
if (!e.signUp)
|
|
261
260
|
return {
|
|
@@ -273,7 +272,7 @@ function L(e) {
|
|
|
273
272
|
}
|
|
274
273
|
},
|
|
275
274
|
[e, i]
|
|
276
|
-
),
|
|
275
|
+
), C = l(async () => {
|
|
277
276
|
var n, s;
|
|
278
277
|
try {
|
|
279
278
|
if (r(null), f(!0), typeof window < "u") {
|
|
@@ -321,14 +320,14 @@ function L(e) {
|
|
|
321
320
|
return e.resetPassword(n);
|
|
322
321
|
},
|
|
323
322
|
[e]
|
|
324
|
-
),
|
|
323
|
+
), T = l(
|
|
325
324
|
async (n) => {
|
|
326
325
|
if (!e.verifyEmail)
|
|
327
326
|
throw new Error("Email verification is not configured");
|
|
328
327
|
return e.verifyEmail(n);
|
|
329
328
|
},
|
|
330
329
|
[e]
|
|
331
|
-
),
|
|
330
|
+
), F = l(
|
|
332
331
|
async (n) => {
|
|
333
332
|
if (!e.verify2FA)
|
|
334
333
|
return {
|
|
@@ -346,14 +345,14 @@ function L(e) {
|
|
|
346
345
|
}
|
|
347
346
|
},
|
|
348
347
|
[e, i]
|
|
349
|
-
),
|
|
350
|
-
async (n, s) =>
|
|
348
|
+
), j = l(
|
|
349
|
+
async (n, s) => e.signIn(n, s),
|
|
351
350
|
[e]
|
|
352
351
|
);
|
|
353
352
|
return {
|
|
354
353
|
session: a,
|
|
355
354
|
isLoading: c,
|
|
356
|
-
signIn:
|
|
355
|
+
signIn: j,
|
|
357
356
|
signInMethods: {
|
|
358
357
|
email: p,
|
|
359
358
|
oauth: w,
|
|
@@ -378,14 +377,14 @@ function L(e) {
|
|
|
378
377
|
[e, i]
|
|
379
378
|
)
|
|
380
379
|
},
|
|
381
|
-
signUp:
|
|
382
|
-
signOut:
|
|
380
|
+
signUp: v,
|
|
381
|
+
signOut: C,
|
|
383
382
|
resetPassword: U,
|
|
384
|
-
verifyEmail:
|
|
385
|
-
verify2FA:
|
|
383
|
+
verifyEmail: T,
|
|
384
|
+
verify2FA: F
|
|
386
385
|
};
|
|
387
386
|
}
|
|
388
|
-
function
|
|
387
|
+
function M(e) {
|
|
389
388
|
const [a, r] = y(null), [c, f] = y(!0), [i, g] = y(null), p = l(async () => {
|
|
390
389
|
f(!0), g(null);
|
|
391
390
|
try {
|
|
@@ -398,7 +397,7 @@ function W(e) {
|
|
|
398
397
|
f(!1);
|
|
399
398
|
}
|
|
400
399
|
}, [e]);
|
|
401
|
-
return
|
|
400
|
+
return h(() => {
|
|
402
401
|
p();
|
|
403
402
|
const w = setInterval(() => {
|
|
404
403
|
p();
|
|
@@ -410,7 +409,7 @@ function W(e) {
|
|
|
410
409
|
error: i
|
|
411
410
|
};
|
|
412
411
|
}
|
|
413
|
-
function
|
|
412
|
+
function W(e) {
|
|
414
413
|
const [a, r] = y([]), [c, f] = y(!0), i = l(async () => {
|
|
415
414
|
if (!e.accountPicker) {
|
|
416
415
|
r([]), f(!1);
|
|
@@ -426,12 +425,12 @@ function R(e) {
|
|
|
426
425
|
f(!1);
|
|
427
426
|
}
|
|
428
427
|
}, [e]);
|
|
429
|
-
|
|
428
|
+
h(() => {
|
|
430
429
|
i();
|
|
431
430
|
}, [i]);
|
|
432
431
|
const g = l(
|
|
433
|
-
async (d,
|
|
434
|
-
e.accountPicker && (await e.accountPicker.rememberUser(d,
|
|
432
|
+
async (d, v) => {
|
|
433
|
+
e.accountPicker && (await e.accountPicker.rememberUser(d, v), await i());
|
|
435
434
|
},
|
|
436
435
|
[e, i]
|
|
437
436
|
), p = l(
|
|
@@ -451,26 +450,29 @@ function R(e) {
|
|
|
451
450
|
refresh: i
|
|
452
451
|
};
|
|
453
452
|
}
|
|
454
|
-
const I =
|
|
455
|
-
function
|
|
456
|
-
const r =
|
|
453
|
+
const I = x(null);
|
|
454
|
+
function R({ auth: e, children: a }) {
|
|
455
|
+
const r = M(e), c = W(e);
|
|
457
456
|
return /* @__PURE__ */ N(I.Provider, { value: { auth: e, session: r, accountPicker: c }, children: a });
|
|
458
457
|
}
|
|
459
|
-
function
|
|
458
|
+
function k() {
|
|
460
459
|
const e = O(I);
|
|
461
460
|
if (!e)
|
|
462
|
-
throw new Error("
|
|
461
|
+
throw new Error("useMulguardContext must be used within MulguardProvider");
|
|
463
462
|
return e;
|
|
464
463
|
}
|
|
465
|
-
function
|
|
466
|
-
const { auth: e } =
|
|
464
|
+
function J() {
|
|
465
|
+
const { auth: e } = k();
|
|
467
466
|
return L(e);
|
|
468
467
|
}
|
|
468
|
+
const z = R, K = k;
|
|
469
469
|
export {
|
|
470
|
-
|
|
471
|
-
R as
|
|
470
|
+
z as AuthProvider,
|
|
471
|
+
R as MulguardProvider,
|
|
472
|
+
W as useAccountPicker,
|
|
472
473
|
L as useAuth,
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
474
|
+
K as useAuthContext,
|
|
475
|
+
J as useAuthFromContext,
|
|
476
|
+
k as useMulguardContext,
|
|
477
|
+
M as useSession
|
|
476
478
|
};
|
|
@@ -1,25 +1,69 @@
|
|
|
1
1
|
import { ReactNode } from 'react';
|
|
2
2
|
import { MulguardInstance } from '../mulguard';
|
|
3
3
|
import { useSession, useAccountPicker } from './hooks';
|
|
4
|
-
interface
|
|
4
|
+
interface MulguardContextValue {
|
|
5
5
|
auth: MulguardInstance;
|
|
6
6
|
session: ReturnType<typeof useSession>;
|
|
7
7
|
accountPicker: ReturnType<typeof useAccountPicker>;
|
|
8
8
|
}
|
|
9
|
-
interface
|
|
9
|
+
interface MulguardProviderProps {
|
|
10
10
|
auth: MulguardInstance;
|
|
11
11
|
children: ReactNode;
|
|
12
12
|
}
|
|
13
13
|
/**
|
|
14
|
-
*
|
|
14
|
+
* Mulguard Provider - provides auth instance to children
|
|
15
|
+
*
|
|
16
|
+
* @example
|
|
17
|
+
* ```tsx
|
|
18
|
+
* import { MulguardProvider } from 'mulguard/client'
|
|
19
|
+
* import { auth } from '@/lib/auth'
|
|
20
|
+
*
|
|
21
|
+
* export default function RootLayout({ children }) {
|
|
22
|
+
* return (
|
|
23
|
+
* <MulguardProvider auth={auth}>
|
|
24
|
+
* {children}
|
|
25
|
+
* </MulguardProvider>
|
|
26
|
+
* )
|
|
27
|
+
* }
|
|
28
|
+
* ```
|
|
15
29
|
*/
|
|
16
|
-
export declare function
|
|
30
|
+
export declare function MulguardProvider({ auth, children }: MulguardProviderProps): import("react/jsx-runtime").JSX.Element;
|
|
17
31
|
/**
|
|
18
|
-
* Use
|
|
32
|
+
* Use Mulguard context
|
|
33
|
+
*
|
|
34
|
+
* @example
|
|
35
|
+
* ```tsx
|
|
36
|
+
* import { useMulguardContext } from 'mulguard/client'
|
|
37
|
+
*
|
|
38
|
+
* function Component() {
|
|
39
|
+
* const { auth, session } = useMulguardContext()
|
|
40
|
+
* // ...
|
|
41
|
+
* }
|
|
42
|
+
* ```
|
|
19
43
|
*/
|
|
20
|
-
export declare function
|
|
44
|
+
export declare function useMulguardContext(): MulguardContextValue;
|
|
21
45
|
/**
|
|
22
46
|
* Convenience hook that uses context
|
|
47
|
+
*
|
|
48
|
+
* @example
|
|
49
|
+
* ```tsx
|
|
50
|
+
* import { useAuthFromContext } from 'mulguard/client'
|
|
51
|
+
*
|
|
52
|
+
* function Component() {
|
|
53
|
+
* const { signIn, signOut } = useAuthFromContext()
|
|
54
|
+
* // ...
|
|
55
|
+
* }
|
|
56
|
+
* ```
|
|
23
57
|
*/
|
|
24
58
|
export declare function useAuthFromContext(): import('./hooks').UseAuthReturn;
|
|
59
|
+
/**
|
|
60
|
+
* @deprecated Use MulguardProvider instead
|
|
61
|
+
* This is kept for backward compatibility
|
|
62
|
+
*/
|
|
63
|
+
export declare const AuthProvider: typeof MulguardProvider;
|
|
64
|
+
/**
|
|
65
|
+
* @deprecated Use useMulguardContext instead
|
|
66
|
+
* This is kept for backward compatibility
|
|
67
|
+
*/
|
|
68
|
+
export declare const useAuthContext: typeof useMulguardContext;
|
|
25
69
|
export {};
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { MulguardInstance } from '../../mulguard';
|
|
2
2
|
import { EmailCredentials, AuthResult } from '../types';
|
|
3
3
|
/**
|
|
4
|
-
* Unified sign in function -
|
|
4
|
+
* Unified sign in function - delegates to auth.signIn unified logic
|
|
5
5
|
*
|
|
6
6
|
* @example
|
|
7
7
|
* ```typescript
|
package/dist/index/index.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
"use strict";var se=Object.defineProperty;var ne=(r,e,n)=>e in r?se(r,e,{enumerable:!0,configurable:!0,writable:!0,value:n}):r[e]=n;var U=(r,e,n)=>ne(r,typeof e!="symbol"?e+"":e,n);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const w=require("../actions-CExpv_dD.js"),oe=require("../signin-unified-Cw41EFkc.js"),R=require("../oauth-state-CzIWQq3s.js"),l=require("next/server"),F=typeof globalThis=="object"&&"crypto"in globalThis?globalThis.crypto:void 0;/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function ie(r=32){if(F&&typeof F.getRandomValues=="function")return F.getRandomValues(new Uint8Array(r));if(F&&typeof F.randomBytes=="function")return Uint8Array.from(F.randomBytes(r));throw new Error("crypto.getRandomValues must be defined")}class H{constructor(e){U(this,"attempts",new Map);U(this,"config");this.config=e}check(e){const n=Date.now(),t=this.attempts.get(e);return!t||t.resetAt<n?(this.attempts.set(e,{count:1,resetAt:n+this.config.windowMs}),{allowed:!0,remaining:this.config.maxAttempts-1,resetAt:new Date(n+this.config.windowMs)}):t.count>=this.config.maxAttempts?{allowed:!1,remaining:0,resetAt:new Date(t.resetAt)}:(t.count++,{allowed:!0,remaining:this.config.maxAttempts-t.count,resetAt:new Date(t.resetAt)})}reset(e){this.attempts.delete(e)}clear(){this.attempts.clear()}}function ae(r){return new H(r)}const q={"X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","X-XSS-Protection":"1; mode=block","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';","Referrer-Policy":"strict-origin-when-cross-origin","Permissions-Policy":"geolocation=(), microphone=(), camera=()"};function $(r){return{...q,...r}}function ce(r,e){const n=$(e);for(const[t,i]of Object.entries(n))i&&r.set(t,i)}function ue(r){if(!r||typeof r!="string")return{valid:!1,error:"Email is required"};const e=r.trim().toLowerCase();return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e)?e.length>254?{valid:!1,error:"Email is too long"}:e.includes("..")||e.startsWith(".")||e.endsWith(".")?{valid:!1,error:"Invalid email format"}:{valid:!0,sanitized:e}:{valid:!1,error:"Invalid email format"}}function le(r,e=8){if(!r||typeof r!="string")return{valid:!1,error:"Password is required"};if(r.length<e)return{valid:!1,error:`Password must be at least ${e} characters`};if(r.length>128)return{valid:!1,error:"Password is too long"};if(["password","12345678","qwerty","abc123","password123","123456789","1234567890","letmein","welcome","monkey","dragon","master","sunshine","princess","football"].includes(r.toLowerCase()))return{valid:!1,error:"Password is too common"};if(/(.)\1{3,}/.test(r))return{valid:!1,error:"Password contains too many repeated characters"};if(/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))return{valid:!1,error:"Password contains sequential characters"};let t="weak",i=0;return r.length>=12?i+=2:r.length>=8&&(i+=1),/[a-z]/.test(r)&&(i+=1),/[A-Z]/.test(r)&&(i+=1),/[0-9]/.test(r)&&(i+=1),/[^a-zA-Z0-9]/.test(r)&&(i+=1),i>=5?t="strong":i>=3&&(t="medium"),{valid:!0,strength:t}}function fe(r){if(!r||typeof r!="string")return{valid:!1,error:"Name is required"};const e=r.trim();return e.length<1?{valid:!1,error:"Name cannot be empty"}:e.length>100?{valid:!1,error:"Name is too long"}:{valid:!0,sanitized:e.replace(/[<>\"']/g,"")}}function de(r){if(!r||typeof r!="string")return{valid:!1,error:"URL is required"};try{const e=new URL(r);return["http:","https:"].includes(e.protocol)?{valid:!0}:{valid:!1,error:"URL must use http or https protocol"}}catch{return{valid:!1,error:"Invalid URL format"}}}function he(r,e=16){return!r||typeof r!="string"?{valid:!1,error:"Token is required"}:r.length<e?{valid:!1,error:"Token is too short"}:r.length>512?{valid:!1,error:"Token is too long"}:/^[A-Za-z0-9_-]+$/.test(r)?/(.)\1{10,}/.test(r)?{valid:!1,error:"Token contains suspicious pattern"}:{valid:!0}:{valid:!1,error:"Invalid token format"}}function ge(r,e){const{maxLength:n=1e3,allowHtml:t=!1,required:i=!0}=e||{};if(i&&(!r||typeof r!="string"||r.trim().length===0))return{valid:!1,error:"Input is required"};if(!r||typeof r!="string")return{valid:!0,sanitized:""};let f=r.trim();return f.length>n?{valid:!1,error:`Input must be less than ${n} characters`}:(t||(f=f.replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'").replace(/\//g,"/")),f=f.replace(/[\x00-\x1F\x7F]/g,""),{valid:!0,sanitized:f})}class B{constructor(){U(this,"tokens",new Map)}get(e){const n=this.tokens.get(e);return n?n.expiresAt<Date.now()?(this.delete(e),null):n.value:null}set(e,n,t=36e5){this.tokens.set(e,{value:n,expiresAt:Date.now()+t})}delete(e){this.tokens.delete(e)}clear(){this.tokens.clear()}}class K{constructor(e,n=32){U(this,"store");U(this,"tokenLength");this.store=e||new B,this.tokenLength=n}generateToken(e,n){const t=V(this.tokenLength);return this.store.set(e,t,n),t}validateToken(e,n){const t=this.store.get(e);if(!t)return!1;const i=G(n,t);return i&&this.store.delete(e),i}getToken(e){return this.store.get(e)}deleteToken(e){this.store.delete(e)}}function pe(r){return new K(r)}function X(r){if(typeof r!="string")return"";const e={"&":"&","<":"<",">":">",'"':""","'":"'"};return r.replace(/[&<>"']/g,n=>e[n]||n)}function we(r){return typeof r!="string"?"":r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,"").replace(/on\w+\s*=\s*["'][^"']*["']/gi,"").replace(/javascript:/gi,"")}function me(r){return typeof r!="string"?"":X(r.trim())}function Ee(r){return typeof r!="string"?!1:[/<script/i,/javascript:/i,/on\w+\s*=/i,/<iframe/i,/<object/i,/<embed/i,/<link/i,/<meta/i,/expression\s*\(/i,/vbscript:/i].some(n=>n.test(r))}function V(r=32){const e=ie(r);return Buffer.from(e).toString("base64url")}function Y(){return V(32)}function G(r,e){if(!r||!e||r.length!==e.length)return!1;let n=0;for(let t=0;t<r.length;t++)n|=r.charCodeAt(t)^e.charCodeAt(t);return n===0}function ye(r){return r.trim().replace(/[<>]/g,"")}function Re(r){return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r)}function J(r){return!r.success&&!!r.error}function ke(r){return r.requires2FA===!0||r.errorCode===w.AuthErrorCode.TWO_FA_REQUIRED}function ve(r,e){return r.error?r.error:e||"Authentication failed"}function Se(r){return r.errorCode}function Ae(r){return r.success===!0&&!!r.user}function Ce(r,e){return r.errorCode===e}function be(r){if(!J(r))return!1;const e=[w.AuthErrorCode.NETWORK_ERROR,w.AuthErrorCode.RATE_LIMITED,w.AuthErrorCode.UNKNOWN_ERROR];return r.errorCode?e.includes(r.errorCode):!1}function Oe(r){if(r.error)return r.error;switch(r.errorCode){case w.AuthErrorCode.INVALID_CREDENTIALS:return"Invalid email or password. Please try again.";case w.AuthErrorCode.ACCOUNT_LOCKED:return"Your account has been temporarily locked. Please try again later.";case w.AuthErrorCode.ACCOUNT_INACTIVE:return"Your account is inactive. Please contact support.";case w.AuthErrorCode.TWO_FA_REQUIRED:return"Two-factor authentication is required. Please enter your code.";case w.AuthErrorCode.INVALID_TWO_FA_CODE:return"Invalid two-factor authentication code. Please try again.";case w.AuthErrorCode.SESSION_EXPIRED:return"Your session has expired. Please sign in again.";case w.AuthErrorCode.UNAUTHORIZED:return"You are not authorized to perform this action.";case w.AuthErrorCode.NETWORK_ERROR:return"Network error. Please check your connection and try again.";case w.AuthErrorCode.VALIDATION_ERROR:return"Please check your input and try again.";case w.AuthErrorCode.RATE_LIMITED:return"Too many attempts. Please try again later.";case w.AuthErrorCode.UNKNOWN_ERROR:default:return"An unexpected error occurred. Please try again."}}const Ne={google:{authorizationUrl:"https://accounts.google.com/o/oauth2/v2/auth",tokenUrl:"https://oauth2.googleapis.com/token",userInfoUrl:"https://www.googleapis.com/oauth2/v2/userinfo",defaultScopes:["openid","profile","email"]},github:{authorizationUrl:"https://github.com/login/oauth/authorize",tokenUrl:"https://github.com/login/oauth/access_token",userInfoUrl:"https://api.github.com/user",defaultScopes:["user:email"]},apple:{authorizationUrl:"https://appleid.apple.com/auth/authorize",tokenUrl:"https://appleid.apple.com/auth/token",userInfoUrl:"https://appleid.apple.com/auth/userinfo",defaultScopes:["name","email"],defaultParams:{response_mode:"form_post",response_type:"code id_token"}},facebook:{authorizationUrl:"https://www.facebook.com/v18.0/dialog/oauth",tokenUrl:"https://graph.facebook.com/v18.0/oauth/access_token",userInfoUrl:"https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",defaultScopes:["email","public_profile"]}};function M(r){return Ne[r]||null}function Q(r,e,n,t){const i=M(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const f=e.redirectUri||`${n}/api/auth/callback/${r}`,u=e.scopes||i.defaultScopes,a=new URLSearchParams({client_id:e.clientId,redirect_uri:f,response_type:"code",scope:u.join(" "),state:t,...i.defaultParams,...e.params});return`${i.authorizationUrl}?${a.toString()}`}async function Z(r,e,n,t){const i=M(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const f=new URLSearchParams({client_id:e.clientId,code:n,redirect_uri:t,grant_type:"authorization_code"});e.clientSecret&&f.append("client_secret",e.clientSecret);const u=await fetch(i.tokenUrl,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:f.toString()});if(!u.ok){const a=await u.text();throw new Error(`Failed to exchange code for tokens: ${a}`)}return await u.json()}async function ee(r,e){var f,u,a,h;const n=M(r);if(!n)throw new Error(`Unknown OAuth provider: ${r}`);const t=await fetch(n.userInfoUrl,{headers:{Authorization:`Bearer ${e}`,Accept:"application/json"}});if(!t.ok){const E=await t.text();throw new Error(`Failed to fetch user info: ${E}`)}const i=await t.json();switch(r){case"google":return{id:i.sub||i.id,email:i.email,name:i.name,avatar:i.picture,emailVerified:i.email_verified};case"github":let E=i.email;if(!E){const d=await(await fetch("https://api.github.com/user/emails",{headers:{Authorization:`Bearer ${e}`}})).json();E=((f=d.find(k=>k.primary))==null?void 0:f.email)||((u=d[0])==null?void 0:u.email)||`${i.login}@users.noreply.github.com`}return{id:String(i.id),email:E,name:i.name||i.login,avatar:i.avatar_url,emailVerified:!!E};case"apple":return{id:i.sub,email:i.email,name:i.name?`${i.name.firstName} ${i.name.lastName}`:"",emailVerified:i.email_verified};case"facebook":return{id:i.id,email:i.email,name:i.name,avatar:(h=(a=i.picture)==null?void 0:a.data)==null?void 0:h.url,emailVerified:!0};default:return{id:String(i.id||i.sub),email:i.email,name:i.name||i.display_name||i.username,avatar:i.avatar||i.picture||i.avatar_url,emailVerified:i.email_verified||i.emailVerified||!1}}}class re{constructor(){U(this,"states",new Map)}set(e,n,t){this.states.set(e,n),this.cleanup()}get(e){const n=this.states.get(e);return n?n.expiresAt<Date.now()?(this.delete(e),null):n:null}delete(e){this.states.delete(e)}cleanup(){const e=Date.now();for(const[n,t]of this.states.entries())t.expiresAt<e&&this.states.delete(n)}}function te(){return new re}function xe(r=process.env.NODE_ENV==="development"){const e="[Mulguard]";return{debug:r?(n,t)=>{t!==void 0?console.debug(`${e} ${n}`,t):console.debug(`${e} ${n}`)}:()=>{},info:r?(n,t)=>{t!==void 0?console.info(`${e} ${n}`,t):console.info(`${e} ${n}`)}:()=>{},warn:r?(n,t)=>{t!==void 0?console.warn(`${e} ${n}`,t):console.warn(`${e} ${n}`)}:()=>{},error:r?(n,t)=>{t!==void 0?console.error(`${e} ${n}`,t):console.error(`${e} ${n}`)}:()=>{}}}const j=xe();function Te(r,e,n,t={}){const{enabled:i=!0,maxRetries:f=1,retryDelay:u=1e3,rateLimit:a=3,autoSignOutOnFailure:h=!0,redirectToLogin:E="/login",autoRedirectOnFailure:v=!0}=t;let d=null,k=!1;const S=[],A=[],N=60*1e3;let C=0,b=!1,T=null;const D=2,o=60*1e3;function s(){const m=Date.now();if(b&&T){if(m<T)return!1;b=!1,T=null,C=0}for(;A.length>0;){const g=A[0];if(g!==void 0&&g<m-N)A.shift();else break}return A.length>=a?!1:(A.push(m),!0)}function c(){C++,C>=D&&(b=!0,T=Date.now()+o,process.env.NODE_ENV==="development"&&console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"))}function p(){C=0,b=!1,T=null}async function y(m=1){if(!i)return null;if(!s())throw new Error("Rate limit exceeded for token refresh");try{const g=await r();if(g)return p(),L(g),t.onTokenRefreshed&&await Promise.resolve(t.onTokenRefreshed(g)),g;if(c(),m<f)return await x(u*m),y(m+1);throw new Error("Token refresh failed: refresh function returned null")}catch(g){if(c(),m<f&&O(g))return await x(u*m),y(m+1);throw g}}function O(m){if(m instanceof Error){const g=m.message.toLowerCase();if(g.includes("rate limit")||g.includes("too many requests")||g.includes("429")||g.includes("limit:")||g.includes("requests per minute")||g.includes("token_blacklisted")||g.includes("blacklisted")||g.includes("invalid")||g.includes("401")||g.includes("unauthorized")||g.includes("session has been revoked")||g.includes("session expired"))return!1;if(g.includes("network")||g.includes("fetch")||g.includes("timeout"))return!0}return!1}function L(m){const g=[...S];S.length=0;for(const{resolve:_}of g)_(m)}function P(m){const g=[...S];S.length=0;for(const{reject:_}of g)_(m)}function x(m){return new Promise(g=>setTimeout(g,m))}async function z(m){try{if(t.onTokenRefreshFailed&&await Promise.resolve(t.onTokenRefreshFailed(m)),h&&(await n(),await e(),v&&typeof window<"u")){let g=!0;if(t.onBeforeRedirect&&(g=await Promise.resolve(t.onBeforeRedirect(m))),g){const _=new URL(E,window.location.origin);_.searchParams.set("reason","session_expired"),_.searchParams.set("redirect",window.location.pathname+window.location.search),window.location.href=_.toString()}}}catch(g){process.env.NODE_ENV==="development"&&console.error("[TokenRefreshManager] Error in handleRefreshFailure:",g)}}return{async refreshToken(){return i?d||(k=!0,d=y().then(m=>(k=!1,d=null,m)).catch(m=>{throw k=!1,d=null,P(m),z(m).catch(()=>{}),m}),d):null},isRefreshing(){return k},async waitForRefresh(){return d?new Promise((m,g)=>{S.push({resolve:m,reject:g})}):null},clear(){d=null,k=!1,A.length=0,p(),P(new Error("Token refresh manager cleared"))},async handleRefreshFailure(m){return z(m)}}}function Ie(){const r=process.env.NODE_ENV==="production";return{cookieName:"__mulguard_session",expiresIn:60*60*24*7,httpOnly:!0,secure:r,sameSite:"lax",path:"/"}}function Pe(){return{enabled:!0,refreshThreshold:300,maxRetries:0,retryDelay:1e3,rateLimit:1,autoSignOutOnFailure:!0,redirectToLogin:"/login",autoRedirectOnFailure:!0}}function _e(r){var T,D;const e={...Ie(),...r.session},n=r.actions,t=r.callbacks||{},i=((T=r.providers)==null?void 0:T.oauth)||{},f=process.env.NEXT_PUBLIC_URL||(process.env.VERCEL_URL?`https://${process.env.VERCEL_URL}`:"http://localhost:3000"),u={...Pe(),...r.tokenRefresh},a={...n};if(Object.keys(i).length>0&&!a.signIn.oauth&&(a.signIn.oauth=async o=>{const s=i[o];if(!s)throw new Error(`OAuth provider "${o}" is not configured. Add it to providers.oauth in config.`);if(!s.clientId)throw new Error(`OAuth provider "${o}" is missing clientId`);const c=Y();return{url:Q(o,s,f,c),state:c}}),Object.keys(i).length>0&&!a.oauthCallback&&(a.oauthCallback=async(o,s,c)=>{const p=i[o];if(!p)return{success:!1,error:`OAuth provider "${o}" is not configured`,errorCode:w.AuthErrorCode.VALIDATION_ERROR};try{const y=p.redirectUri||`${f}/api/auth/callback/${o}`,O=await Z(o,p,s,y),L=await ee(o,O.access_token);if(t.onOAuthUser){const P=await d(t.onOAuthUser,L,o);if(!P)return{success:!1,error:"Failed to create or retrieve user",errorCode:w.AuthErrorCode.VALIDATION_ERROR};const x={user:{id:P.id,email:P.email,name:P.name,avatar:L.avatar,emailVerified:L.emailVerified},expiresAt:new Date(Date.now()+7*24*60*60*1e3),accessToken:O.access_token,refreshToken:O.refresh_token,tokenType:"Bearer",expiresIn:O.expires_in};return await A(x),h={session:x,timestamp:Date.now()},t.onSignIn&&await d(t.onSignIn,x.user,x),{success:!0,user:x.user,session:x}}return{success:!1,error:"OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",errorCode:w.AuthErrorCode.VALIDATION_ERROR}}catch(y){return j.error("OAuth callback failed",{provider:o,error:y}),{success:!1,error:y instanceof Error?y.message:"OAuth callback failed",errorCode:w.AuthErrorCode.NETWORK_ERROR}}}),!a.signIn||!a.signIn.email)throw new Error("mulguard: signIn.email action is required");let h=null;const E=((D=r.session)==null?void 0:D.cacheTtl)??r.sessionCacheTtl??5e3,v=r.oauthStateStore||te(),d=async(o,...s)=>{if(o)try{return await o(...s)}catch(c){throw t.onError&&await t.onError(c instanceof Error?c:new Error(String(c)),"callback"),c}},k=async(o,s)=>{const c={provider:s,expiresAt:Date.now()+6e5};await Promise.resolve(v.set(o,c,10*60*1e3)),v.cleanup&&await Promise.resolve(v.cleanup())},S=async(o,s)=>{const c=await Promise.resolve(v.get(o));return c?c.expiresAt<Date.now()?(await Promise.resolve(v.delete(o)),!1):c.provider!==s?!1:(await Promise.resolve(v.delete(o)),!0):!1},A=async o=>{const s=e.cookieName||"__mulguard_session",c=typeof o=="object"&&"token"in o?String(o.token):JSON.stringify(o),p=w.buildCookieOptions(s,c,e);return await w.setCookie(p)},N=async o=>{if(!o.success||!o.session)return{success:!0};const s=await A(o.session);return h={session:o.session,timestamp:Date.now()},o.user&&t.onSignIn&&await d(t.onSignIn,o.user,o.session),s},C=async()=>{const o=e.cookieName||"__mulguard_session";await w.deleteCookie(o,{path:e.path,domain:e.domain})},b={async getSession(){const o=Date.now();if(h&&o-h.timestamp<E)return h.session;if(n.getSession)try{const s=await n.getSession();if(s&&R.validateSessionStructure(s))return h={session:s,timestamp:o},s;s&&!R.validateSessionStructure(s)&&(await C(),h=null)}catch(s){j.debug("getSession error",{error:s}),t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"getSession"),h=null}try{const s=e.cookieName||"__mulguard_session",c=await w.getCookie(s);if(c)try{const p=JSON.parse(c);if(R.validateSessionStructure(p))return p.expiresAt&&new Date(p.expiresAt)<new Date?(t.onSessionExpired&&await d(t.onSessionExpired,p),await C(),h=null,null):(h={session:p,timestamp:o},p);await C(),h=null}catch{await C(),h=null}}catch(s){const c=s instanceof Error?s.message:String(s);!c.includes("request scope")&&!c.includes("cookies")&&(j.warn("getSession cookie error",{error:s}),t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"getSession.cookie"))}return null},async getAccessToken(){const o=await this.getSession();return o!=null&&o.accessToken&&typeof o.accessToken=="string"?o.accessToken:null},async getRefreshToken(){const o=await this.getSession();return o!=null&&o.refreshToken&&typeof o.refreshToken=="string"?o.refreshToken:null},async hasValidTokens(){return!!await this.getAccessToken()},signIn:{async email(o){try{const s=await a.signIn.email(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signIn.email"),{success:!1,error:s instanceof Error?s.message:"Sign in failed"}}},async oauth(o){if(!a.signIn.oauth)throw new Error("OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config.");const s=await a.signIn.oauth(o);return await k(s.state,o),s},async passkey(o){if(!a.signIn.passkey)throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");try{const s=await a.signIn.passkey(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signIn.passkey"),{success:!1,error:s instanceof Error?s.message:"PassKey sign in failed"}}},async otp(o,s){if(!a.signIn.otp)throw new Error("OTP sign in is not configured. Provide otp action in signIn.");try{const c=await a.signIn.otp(o,s);return c.success&&c.session&&await N(c),c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"signIn.otp"),{success:!1,error:c instanceof Error?c.message:"OTP sign in failed"}}}},signInMethods:{email:o=>b.signIn.email(o),oauth:o=>{var s,c;return((c=(s=b.signIn).oauth)==null?void 0:c.call(s,o))||Promise.reject(new Error("OAuth not configured"))},passkey:o=>{var s,c;return((c=(s=b.signIn).passkey)==null?void 0:c.call(s,o))||Promise.reject(new Error("Passkey not configured"))},otp:(o,s)=>{var c,p;return((p=(c=b.signIn).otp)==null?void 0:p.call(c,o,s))||Promise.reject(new Error("OTP not configured"))}},async signUp(o){if(!a.signUp)throw new Error("Sign up is not configured. Provide signUp action in config.");try{const s=await a.signUp(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signUp"),{success:!1,error:s instanceof Error?s.message:"Sign up failed"}}},async signOut(){try{const o=await this.getSession(),s=o==null?void 0:o.user;return n.signOut&&await n.signOut(),await C(),h=null,s&&t.onSignOut&&await d(t.onSignOut,s),{success:!0}}catch(o){return await C(),t.onError&&await d(t.onError,o instanceof Error?o:new Error(String(o)),"signOut"),{success:!1,error:o instanceof Error?o.message:"Sign out failed"}}},async resetPassword(o){if(!n.resetPassword)throw new Error("Password reset is not configured. Provide resetPassword action in config.");try{return await n.resetPassword(o)}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"resetPassword"),{success:!1,error:s instanceof Error?s.message:"Password reset failed"}}},async verifyEmail(o){if(!n.verifyEmail)throw new Error("Email verification is not configured. Provide verifyEmail action in config.");try{return await n.verifyEmail(o)}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"verifyEmail"),{success:!1,error:s instanceof Error?s.message:"Email verification failed"}}},async refreshSession(){if(!n.refreshSession)return this.getSession();try{const o=await n.refreshSession();if(o&&R.validateSessionStructure(o)){if(await A(o),h={session:o,timestamp:Date.now()},t.onSessionUpdate){const s=await d(t.onSessionUpdate,o);if(s&&R.validateSessionStructure(s)){if(await A(s),t.onTokenRefresh){const c=await this.getSession();c&&await d(t.onTokenRefresh,c,s)}return s}}if(t.onTokenRefresh){const s=await this.getSession();s&&await d(t.onTokenRefresh,s,o)}return o}else if(o&&!R.validateSessionStructure(o))return await C(),null;return null}catch(o){return await C(),t.onError&&await d(t.onError,o instanceof Error?o:new Error(String(o)),"refreshSession"),null}},async oauthCallback(o,s,c){if(!a.oauthCallback)throw new Error("OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config.");if(!o||!s||!c)return{success:!1,error:"Missing required OAuth parameters (provider, code, or state)",errorCode:w.AuthErrorCode.VALIDATION_ERROR};if(!await S(c,o))return{success:!1,error:"Invalid or expired state parameter",errorCode:w.AuthErrorCode.VALIDATION_ERROR};try{const y=await a.oauthCallback(o,s,c);if(y.success&&y.session){const O=await N(y);O.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after oauthCallback",{error:O.error,warning:O.warning}),t.onError&&await d(t.onError,new Error(O.warning||O.error||"Failed to save session cookie"),"oauthCallback.setSession"))}return y}catch(y){return t.onError&&await d(t.onError,y instanceof Error?y:new Error(String(y)),"oauthCallback"),{success:!1,error:y instanceof Error?y.message:"OAuth callback failed",errorCode:w.AuthErrorCode.NETWORK_ERROR}}},async verify2FA(o,s){if(!n.verify2FA)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const c=await n.verify2FA(o);if(c.success&&c.session&&!(s!=null&&s.skipCookieSave)){const p=await N(c);p.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after verify2FA",{error:p.error,warning:p.warning}),t.onError&&await d(t.onError,new Error(p.warning||p.error||"Failed to save session cookie"),"verify2FA.setSession"))}return c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"verify2FA"),{success:!1,error:c instanceof Error?c.message:"2FA verification failed",errorCode:w.AuthErrorCode.TWO_FA_REQUIRED}}},async setSession(o){return R.validateSessionStructure(o)?await A(o):{success:!1,error:"Invalid session structure"}},_getSessionConfig(){return{cookieName:e.cookieName||"__mulguard_session",config:e}},_getCallbacks(){return t},passkey:n.passkey?{register:n.passkey.register,authenticate:async o=>{var s;if(!((s=n.passkey)!=null&&s.authenticate))throw new Error("PassKey authenticate is not configured.");try{const c=await n.passkey.authenticate(o);return c.success&&c.session&&await N(c),c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"passkey.authenticate"),{success:!1,error:c instanceof Error?c.message:"PassKey authentication failed"}}},list:n.passkey.list,remove:n.passkey.remove}:void 0,twoFactor:n.twoFactor?{enable:n.twoFactor.enable,verify:n.twoFactor.verify,disable:n.twoFactor.disable,generateBackupCodes:n.twoFactor.generateBackupCodes,isEnabled:n.twoFactor.isEnabled,verify2FA:async o=>{var c;const s=((c=n.twoFactor)==null?void 0:c.verify2FA)||n.verify2FA;if(!s)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const p=await s(o);if(p.success&&p.session){const y=await N(p);y.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after twoFactor.verify2FA",{error:y.error,warning:y.warning}),t.onError&&await d(t.onError,new Error(y.warning||y.error||"Failed to save session cookie"),"twoFactor.verify2FA.setSession"))}return p}catch(p){return t.onError&&await d(t.onError,p instanceof Error?p:new Error(String(p)),"twoFactor.verify2FA"),{success:!1,error:p instanceof Error?p.message:"2FA verification failed",errorCode:w.AuthErrorCode.UNKNOWN_ERROR}}}}:void 0};if(n.refreshSession){const o=Te(async()=>await b.refreshSession(),async()=>await b.signOut(),async()=>{await C()},{...u,onTokenRefreshed:u.onTokenRefreshed,onTokenRefreshFailed:u.onTokenRefreshFailed,onBeforeRedirect:u.onBeforeRedirect});b._tokenRefreshManager=o,b._getTokenRefreshManager=()=>o}return b}function Ue(r){return{GET:async e=>W(e,r,"GET"),POST:async e=>W(e,r,"POST")}}async function W(r,e,n){const t=new URL(r.url),i=t.pathname.replace(/^\/api\/auth/,"")||"/session",f=i.split("/").filter(Boolean);try{if(n==="GET"){if(i==="/session"||i==="/"){const u=await e.getSession();return l.NextResponse.json({session:u})}if(i==="/providers")return l.NextResponse.json({providers:{email:!!e.signIn.email,oauth:!!e.signIn.oauth,passkey:!!e.signIn.passkey}});if(i.startsWith("/oauth/callback")||f[0]==="oauth"&&f[1]==="callback"){if(!e.oauthCallback)return l.NextResponse.redirect(new URL("/login?error=oauth_not_configured",r.url));const u=f[2]||t.searchParams.get("provider"),a=t.searchParams.get("code"),h=t.searchParams.get("state");if(!u||!a||!h)return l.NextResponse.redirect(new URL("/login?error=oauth_missing_params",r.url));try{const E=await e.oauthCallback(u,a,h);if(E.success){const v=t.searchParams.get("callbackUrl")||"/";return l.NextResponse.redirect(new URL(v,r.url))}else return l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(E.error||"oauth_failed")}`,r.url))}catch(E){return l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(E instanceof Error?E.message:"oauth_error")}`,r.url))}}return l.NextResponse.json({error:"Not found"},{status:404})}if(n==="POST"){const u=await r.json().catch(()=>({}));if(i==="/sign-in"||f[0]==="sign-in"){if(u.provider==="email"&&u.email&&u.password){const a=await e.signIn.email({email:u.email,password:u.password});return l.NextResponse.json(a)}if(u.provider==="oauth"&&u.providerName){if(!e.signIn.oauth)return l.NextResponse.json({success:!1,error:"OAuth is not configured"},{status:400});const a=await e.signIn.oauth(u.providerName);return l.NextResponse.json(a)}if(u.provider==="passkey"){if(!e.signIn.passkey)return l.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});const a=await e.signIn.passkey(u.options);return l.NextResponse.json(a)}return l.NextResponse.json({success:!1,error:"Invalid sign in request"},{status:400})}if(i==="/sign-up"||f[0]==="sign-up"){if(!e.signUp)return l.NextResponse.json({success:!1,error:"Sign up is not configured"},{status:400});const a=await e.signUp(u);return l.NextResponse.json(a)}if(i==="/sign-out"||f[0]==="sign-out"){const a=await e.signOut();return l.NextResponse.json(a)}if(i==="/reset-password"||f[0]==="reset-password"){if(!e.resetPassword)return l.NextResponse.json({success:!1,error:"Password reset is not configured"},{status:400});const a=await e.resetPassword(u.email);return l.NextResponse.json(a)}if(i==="/verify-email"||f[0]==="verify-email"){if(!e.verifyEmail)return l.NextResponse.json({success:!1,error:"Email verification is not configured"},{status:400});const a=await e.verifyEmail(u.token);return l.NextResponse.json(a)}if(i==="/refresh"||f[0]==="refresh"){if(!e.refreshSession){const h=await e.getSession();return l.NextResponse.json({session:h})}const a=await e.refreshSession();return l.NextResponse.json({session:a})}if(i.startsWith("/oauth/callback")||f[0]==="oauth"&&f[1]==="callback"){if(!e.oauthCallback)return l.NextResponse.json({success:!1,error:"OAuth callback is not configured"},{status:400});const a=u.provider||f[2]||t.searchParams.get("provider"),h=u.code||t.searchParams.get("code"),E=u.state||t.searchParams.get("state");if(!a||!h||!E)return l.NextResponse.json({success:!1,error:"Missing required OAuth parameters. Provider, code, and state are required."},{status:400});const v=await e.oauthCallback(a,h,E);return l.NextResponse.json(v)}if(i.startsWith("/passkey")){if(!e.passkey)return l.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});if(f[1]==="register"&&e.passkey.register){const a=await e.passkey.register(u.options);return l.NextResponse.json(a)}if(f[1]==="list"&&e.passkey.list){const a=await e.passkey.list();return l.NextResponse.json(a)}if(f[1]==="remove"&&e.passkey.remove){const a=await e.passkey.remove(u.passkeyId);return l.NextResponse.json(a)}}if(i==="/verify-2fa"||f[0]==="verify-2fa"){if(!e.verify2FA)return l.NextResponse.json({success:!1,error:"2FA verification is not configured"},{status:400});if(!u.email||!u.userId||!u.code)return l.NextResponse.json({success:!1,error:"Missing required parameters. Email, userId, and code are required."},{status:400});const a=await e.verify2FA({email:u.email,userId:u.userId,code:u.code});return l.NextResponse.json(a)}if(i.startsWith("/two-factor")){if(!e.twoFactor)return l.NextResponse.json({success:!1,error:"Two-Factor Authentication is not configured"},{status:400});if(f[1]==="enable"&&e.twoFactor.enable){const a=await e.twoFactor.enable();return l.NextResponse.json(a)}if(f[1]==="verify"&&e.twoFactor.verify){const a=await e.twoFactor.verify(u.code);return l.NextResponse.json(a)}if(f[1]==="disable"&&e.twoFactor.disable){const a=await e.twoFactor.disable();return l.NextResponse.json(a)}if(f[1]==="backup-codes"&&e.twoFactor.generateBackupCodes){const a=await e.twoFactor.generateBackupCodes();return l.NextResponse.json(a)}if(f[1]==="is-enabled"&&e.twoFactor.isEnabled){const a=await e.twoFactor.isEnabled();return l.NextResponse.json({enabled:a})}}return l.NextResponse.json({error:"Not found"},{status:404})}return l.NextResponse.json({error:"Method not allowed"},{status:405})}catch(u){return l.NextResponse.json({success:!1,error:u instanceof Error?u.message:"Request failed"},{status:500})}}function Fe(r){return async e=>{const{method:n,nextUrl:t}=e,f=t.pathname.replace(/^\/api\/auth/,"")||"/";try{let u;if(n!=="GET"&&n!=="HEAD")try{u=await e.json()}catch{}const a=Object.fromEntries(t.searchParams.entries()),h=await fetch(`${process.env.NEXT_PUBLIC_API_URL||""}/api/auth${f}${Object.keys(a).length>0?`?${new URLSearchParams(a).toString()}`:""}`,{method:n,headers:{"Content-Type":"application/json",...Object.fromEntries(e.headers.entries())},body:u?JSON.stringify(u):void 0}),E=await h.json();return l.NextResponse.json(E,{status:h.status,headers:{...Object.fromEntries(h.headers.entries())}})}catch(u){return console.error("API handler error:",u),l.NextResponse.json({success:!1,error:u instanceof Error?u.message:"Internal server error"},{status:500})}}}function je(r){return async e=>{const{searchParams:n}=e.nextUrl,t=n.get("provider"),i=n.get("code"),f=n.get("state");if(!t||!i||!f)return l.NextResponse.redirect(new URL("/login?error=oauth_missing_params",e.url));try{if(!r.oauthCallback)return l.NextResponse.redirect(new URL("/login?error=oauth_not_configured",e.url));const u=await r.oauthCallback(t,i,f);if(u.success){const a=n.get("callbackUrl")||"/";return l.NextResponse.redirect(new URL(a,e.url))}else{const a=u.errorCode?`${encodeURIComponent(u.error||"oauth_failed")}&code=${u.errorCode}`:encodeURIComponent(u.error||"oauth_failed");return l.NextResponse.redirect(new URL(`/login?error=${a}`,e.url))}}catch(u){return process.env.NODE_ENV==="development"&&console.error("[Mulguard] OAuth callback error:",u),l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(u instanceof Error?u.message:"oauth_error")}`,e.url))}}}function I(r,e){const n=$({"X-Frame-Options":"SAMEORIGIN"});for(const[t,i]of Object.entries(n))i&&typeof i=="string"&&e.headers.set(t,i);return e}function Le(){return async r=>{const e=l.NextResponse.next();return I(r,e)}}function De(r,e={}){const{protectedRoutes:n=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:f}=e;return async u=>{const{pathname:a}=u.nextUrl,h=n.some(d=>a.startsWith(d));let E=null;try{E=await r.getSession()}catch(d){console.error("Middleware: Failed to get session:",d)}if(h&&!E){const d=u.nextUrl.clone();return d.pathname=i,d.searchParams.set("callbackUrl",a),l.NextResponse.redirect(d)}if(f&&E&&(a.startsWith("/login")||a.startsWith("/register"))){const k=u.nextUrl.clone();k.pathname=f;const S=l.NextResponse.redirect(k);return I(u,S)}const v=l.NextResponse.next();return I(u,v)}}async function Me(r,e){var n;try{const t=await r.getSession();return t?((n=t.user.roles)==null?void 0:n.includes(e))??!1:!1}catch{return!1}}function $e(r){const{auth:e,protectedRoutes:n=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:f,apiPrefix:u="/api/auth"}=r;return async a=>{const{pathname:h}=a.nextUrl;if(h.startsWith(u)){const k=l.NextResponse.next();return I(a,k)}const E=n.some(k=>h.startsWith(k));let v=null;if(E||f)try{v=await e.getSession()}catch(k){console.error("Middleware: Failed to get session:",k)}if(E&&!v){const k=a.nextUrl.clone();k.pathname=i,k.searchParams.set("callbackUrl",h);const S=l.NextResponse.redirect(k);return I(a,S)}if(f&&v&&(h.startsWith("/login")||h.startsWith("/register"))){const S=a.nextUrl.clone();S.pathname=f;const A=l.NextResponse.redirect(S);return I(a,A)}const d=l.NextResponse.next();return I(a,d)}}async function Ve(r,e){var n;try{const t=await r.getSession();return t?((n=t.user.roles)==null?void 0:n.includes(e))??!1:!1}catch{return!1}}exports.buildCookieOptions=w.buildCookieOptions;exports.deleteCookie=w.deleteCookie;exports.getCookie=w.getCookie;exports.setCookie=w.setCookie;exports.signInEmailAction=w.signInEmailAction;exports.signOutAction=w.signOutAction;exports.signUpAction=w.signUpAction;exports.verify2FAAction=w.verify2FAAction;exports.signIn=oe.signIn;exports.createServerAuthMiddleware=R.createAuthMiddleware;exports.createServerHelpers=R.createServerHelpers;exports.createServerUtils=R.createServerUtils;exports.createSessionManager=R.createSessionManager;exports.deleteOAuthStateCookie=R.deleteOAuthStateCookie;exports.getCurrentUser=R.getCurrentUser;exports.getOAuthStateCookie=R.getOAuthStateCookie;exports.getServerSession=R.getServerSession;exports.getSessionTimeUntilExpiry=R.getSessionTimeUntilExpiry;exports.isSessionExpiredNullable=R.isSessionExpiredNullable;exports.isSessionExpiringSoon=R.isSessionExpiringSoon;exports.isSessionValid=R.isSessionValid;exports.refreshSession=R.refreshSession;exports.requireAuth=R.requireAuth;exports.requireRole=R.requireRole;exports.requireServerAuthMiddleware=R.requireAuthMiddleware;exports.requireServerRoleMiddleware=R.requireRoleMiddleware;exports.storeOAuthStateCookie=R.storeOAuthStateCookie;exports.validateSessionStructure=R.validateSessionStructure;exports.CSRFProtection=K;exports.DEFAULT_SECURITY_HEADERS=q;exports.MemoryCSRFStore=B;exports.MemoryOAuthStateStore=re;exports.RateLimiter=H;exports.applySecurityHeaders=ce;exports.buildOAuthAuthorizationUrl=Q;exports.checkRole=Me;exports.checkRoleProxy=Ve;exports.containsXSSPattern=Ee;exports.createApiHandler=Fe;exports.createAuthMiddleware=De;exports.createCSRFProtection=pe;exports.createMemoryOAuthStateStore=te;exports.createOAuthCallbackHandler=je;exports.createProxyMiddleware=$e;exports.createRateLimiter=ae;exports.createSecurityMiddleware=Le;exports.escapeHTML=X;exports.exchangeOAuthCode=Z;exports.generateCSRFToken=Y;exports.generateToken=V;exports.getErrorCode=Se;exports.getErrorMessage=ve;exports.getOAuthUserInfo=ee;exports.getProviderMetadata=M;exports.getSecurityHeaders=$;exports.getUserFriendlyError=Oe;exports.hasErrorCode=Ce;exports.isAuthError=J;exports.isAuthSuccess=Ae;exports.isRetryableError=be;exports.isTwoFactorRequired=ke;exports.isValidEmail=Re;exports.mulguard=_e;exports.sanitizeHTML=we;exports.sanitizeInput=ye;exports.sanitizeUserInput=me;exports.toNextJsHandler=Ue;exports.validateAndSanitizeEmail=ue;exports.validateAndSanitizeInput=ge;exports.validateAndSanitizeName=fe;exports.validateAndSanitizePassword=le;exports.validateCSRFToken=G;exports.validateToken=he;exports.validateURL=de;exports.withSecurityHeaders=I;
|
|
1
|
+
"use strict";var ne=Object.defineProperty;var ie=(r,e,s)=>e in r?ne(r,e,{enumerable:!0,configurable:!0,writable:!0,value:s}):r[e]=s;var L=(r,e,s)=>ie(r,typeof e!="symbol"?e+"":e,s);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const h=require("../actions-CExpv_dD.js"),k=require("../oauth-state-CzIWQq3s.js"),f=require("next/server"),j=typeof globalThis=="object"&&"crypto"in globalThis?globalThis.crypto:void 0;/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function ae(r=32){if(j&&typeof j.getRandomValues=="function")return j.getRandomValues(new Uint8Array(r));if(j&&typeof j.randomBytes=="function")return Uint8Array.from(j.randomBytes(r));throw new Error("crypto.getRandomValues must be defined")}class B{constructor(e){L(this,"attempts",new Map);L(this,"config");this.config=e}check(e){const s=Date.now(),t=this.attempts.get(e);return!t||t.resetAt<s?(this.attempts.set(e,{count:1,resetAt:s+this.config.windowMs}),{allowed:!0,remaining:this.config.maxAttempts-1,resetAt:new Date(s+this.config.windowMs)}):t.count>=this.config.maxAttempts?{allowed:!1,remaining:0,resetAt:new Date(t.resetAt)}:(t.count++,{allowed:!0,remaining:this.config.maxAttempts-t.count,resetAt:new Date(t.resetAt)})}reset(e){this.attempts.delete(e)}clear(){this.attempts.clear()}}function ce(r){return new B(r)}const K={"X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","X-XSS-Protection":"1; mode=block","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';","Referrer-Policy":"strict-origin-when-cross-origin","Permissions-Policy":"geolocation=(), microphone=(), camera=()"};function q(r){return{...K,...r}}function ue(r,e){const s=q(e);for(const[t,i]of Object.entries(s))i&&r.set(t,i)}function $(r){if(!r||typeof r!="string")return{valid:!1,error:"Email is required"};const e=r.trim().toLowerCase();return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e)?e.length>254?{valid:!1,error:"Email is too long"}:e.includes("..")||e.startsWith(".")||e.endsWith(".")?{valid:!1,error:"Invalid email format"}:{valid:!0,sanitized:e}:{valid:!1,error:"Invalid email format"}}function le(r,e=8){if(!r||typeof r!="string")return{valid:!1,error:"Password is required"};if(r.length<e)return{valid:!1,error:`Password must be at least ${e} characters`};if(r.length>128)return{valid:!1,error:"Password is too long"};if(["password","12345678","qwerty","abc123","password123","123456789","1234567890","letmein","welcome","monkey","dragon","master","sunshine","princess","football"].includes(r.toLowerCase()))return{valid:!1,error:"Password is too common"};if(/(.)\1{3,}/.test(r))return{valid:!1,error:"Password contains too many repeated characters"};if(/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))return{valid:!1,error:"Password contains sequential characters"};let t="weak",i=0;return r.length>=12?i+=2:r.length>=8&&(i+=1),/[a-z]/.test(r)&&(i+=1),/[A-Z]/.test(r)&&(i+=1),/[0-9]/.test(r)&&(i+=1),/[^a-zA-Z0-9]/.test(r)&&(i+=1),i>=5?t="strong":i>=3&&(t="medium"),{valid:!0,strength:t}}function fe(r){if(!r||typeof r!="string")return{valid:!1,error:"Name is required"};const e=r.trim();return e.length<1?{valid:!1,error:"Name cannot be empty"}:e.length>100?{valid:!1,error:"Name is too long"}:{valid:!0,sanitized:e.replace(/[<>\"']/g,"")}}function de(r){if(!r||typeof r!="string")return{valid:!1,error:"URL is required"};try{const e=new URL(r);return["http:","https:"].includes(e.protocol)?{valid:!0}:{valid:!1,error:"URL must use http or https protocol"}}catch{return{valid:!1,error:"Invalid URL format"}}}function he(r,e=16){return!r||typeof r!="string"?{valid:!1,error:"Token is required"}:r.length<e?{valid:!1,error:"Token is too short"}:r.length>512?{valid:!1,error:"Token is too long"}:/^[A-Za-z0-9_-]+$/.test(r)?/(.)\1{10,}/.test(r)?{valid:!1,error:"Token contains suspicious pattern"}:{valid:!0}:{valid:!1,error:"Invalid token format"}}function z(r,e){const{maxLength:s=1e3,allowHtml:t=!1,required:i=!0}=e||{};if(i&&(!r||typeof r!="string"||r.trim().length===0))return{valid:!1,error:"Input is required"};if(!r||typeof r!="string")return{valid:!0,sanitized:""};let d=r.trim();return d.length>s?{valid:!1,error:`Input must be less than ${s} characters`}:(t||(d=d.replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'").replace(/\//g,"/")),d=d.replace(/[\x00-\x1F\x7F]/g,""),{valid:!0,sanitized:d})}class X{constructor(){L(this,"tokens",new Map)}get(e){const s=this.tokens.get(e);return s?s.expiresAt<Date.now()?(this.delete(e),null):s.value:null}set(e,s,t=36e5){this.tokens.set(e,{value:s,expiresAt:Date.now()+t})}delete(e){this.tokens.delete(e)}clear(){this.tokens.clear()}}class Y{constructor(e,s=32){L(this,"store");L(this,"tokenLength");this.store=e||new X,this.tokenLength=s}generateToken(e,s){const t=W(this.tokenLength);return this.store.set(e,t,s),t}validateToken(e,s){const t=this.store.get(e);if(!t)return!1;const i=Q(s,t);return i&&this.store.delete(e),i}getToken(e){return this.store.get(e)}deleteToken(e){this.store.delete(e)}}function ge(r){return new Y(r)}function G(r){if(typeof r!="string")return"";const e={"&":"&","<":"<",">":">",'"':""","'":"'"};return r.replace(/[&<>"']/g,s=>e[s]||s)}function pe(r){return typeof r!="string"?"":r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,"").replace(/on\w+\s*=\s*["'][^"']*["']/gi,"").replace(/javascript:/gi,"")}function we(r){return typeof r!="string"?"":G(r.trim())}function me(r){return typeof r!="string"?!1:[/<script/i,/javascript:/i,/on\w+\s*=/i,/<iframe/i,/<object/i,/<embed/i,/<link/i,/<meta/i,/expression\s*\(/i,/vbscript:/i].some(s=>s.test(r))}function W(r=32){const e=ae(r);return Buffer.from(e).toString("base64url")}function J(){return W(32)}function Q(r,e){if(!r||!e||r.length!==e.length)return!1;let s=0;for(let t=0;t<r.length;t++)s|=r.charCodeAt(t)^e.charCodeAt(t);return s===0}function Ee(r){return r.trim().replace(/[<>]/g,"")}function Re(r){return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r)}function Z(r){return!r.success&&!!r.error}function ye(r){return r.requires2FA===!0||r.errorCode===h.AuthErrorCode.TWO_FA_REQUIRED}function ve(r,e){return r.error?r.error:e||"Authentication failed"}function Ae(r){return r.errorCode}function ke(r){return r.success===!0&&!!r.user}function Se(r,e){return r.errorCode===e}function Ce(r){if(!Z(r))return!1;const e=[h.AuthErrorCode.NETWORK_ERROR,h.AuthErrorCode.RATE_LIMITED,h.AuthErrorCode.UNKNOWN_ERROR];return r.errorCode?e.includes(r.errorCode):!1}function Ie(r){if(r.error)return r.error;switch(r.errorCode){case h.AuthErrorCode.INVALID_CREDENTIALS:return"Invalid email or password. Please try again.";case h.AuthErrorCode.ACCOUNT_LOCKED:return"Your account has been temporarily locked. Please try again later.";case h.AuthErrorCode.ACCOUNT_INACTIVE:return"Your account is inactive. Please contact support.";case h.AuthErrorCode.TWO_FA_REQUIRED:return"Two-factor authentication is required. Please enter your code.";case h.AuthErrorCode.INVALID_TWO_FA_CODE:return"Invalid two-factor authentication code. Please try again.";case h.AuthErrorCode.SESSION_EXPIRED:return"Your session has expired. Please sign in again.";case h.AuthErrorCode.UNAUTHORIZED:return"You are not authorized to perform this action.";case h.AuthErrorCode.NETWORK_ERROR:return"Network error. Please check your connection and try again.";case h.AuthErrorCode.VALIDATION_ERROR:return"Please check your input and try again.";case h.AuthErrorCode.RATE_LIMITED:return"Too many attempts. Please try again later.";case h.AuthErrorCode.UNKNOWN_ERROR:default:return"An unexpected error occurred. Please try again."}}async function Oe(r,e,s){return r.signIn(e,s)}const Ne={google:{authorizationUrl:"https://accounts.google.com/o/oauth2/v2/auth",tokenUrl:"https://oauth2.googleapis.com/token",userInfoUrl:"https://www.googleapis.com/oauth2/v2/userinfo",defaultScopes:["openid","profile","email"]},github:{authorizationUrl:"https://github.com/login/oauth/authorize",tokenUrl:"https://github.com/login/oauth/access_token",userInfoUrl:"https://api.github.com/user",defaultScopes:["user:email"]},apple:{authorizationUrl:"https://appleid.apple.com/auth/authorize",tokenUrl:"https://appleid.apple.com/auth/token",userInfoUrl:"https://appleid.apple.com/auth/userinfo",defaultScopes:["name","email"],defaultParams:{response_mode:"form_post",response_type:"code id_token"}},facebook:{authorizationUrl:"https://www.facebook.com/v18.0/dialog/oauth",tokenUrl:"https://graph.facebook.com/v18.0/oauth/access_token",userInfoUrl:"https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",defaultScopes:["email","public_profile"]}};function V(r){return Ne[r]||null}function ee(r,e,s,t){const i=V(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const d=e.redirectUri||`${s}/api/auth/callback/${r}`,c=e.scopes||i.defaultScopes,a=new URLSearchParams({client_id:e.clientId,redirect_uri:d,response_type:"code",scope:c.join(" "),state:t,...i.defaultParams,...e.params});return`${i.authorizationUrl}?${a.toString()}`}async function re(r,e,s,t){const i=V(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const d=new URLSearchParams({client_id:e.clientId,code:s,redirect_uri:t,grant_type:"authorization_code"});e.clientSecret&&d.append("client_secret",e.clientSecret);const c=await fetch(i.tokenUrl,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:d.toString()});if(!c.ok){const a=await c.text();throw new Error(`Failed to exchange code for tokens: ${a}`)}return await c.json()}async function te(r,e){var d,c,a,m;const s=V(r);if(!s)throw new Error(`Unknown OAuth provider: ${r}`);const t=await fetch(s.userInfoUrl,{headers:{Authorization:`Bearer ${e}`,Accept:"application/json"}});if(!t.ok){const v=await t.text();throw new Error(`Failed to fetch user info: ${v}`)}const i=await t.json();switch(r){case"google":return{id:i.sub||i.id,email:i.email,name:i.name,avatar:i.picture,emailVerified:i.email_verified};case"github":let v=i.email;if(!v){const g=await(await fetch("https://api.github.com/user/emails",{headers:{Authorization:`Bearer ${e}`}})).json();v=((d=g.find(S=>S.primary))==null?void 0:d.email)||((c=g[0])==null?void 0:c.email)||`${i.login}@users.noreply.github.com`}return{id:String(i.id),email:v,name:i.name||i.login,avatar:i.avatar_url,emailVerified:!!v};case"apple":return{id:i.sub,email:i.email,name:i.name?`${i.name.firstName} ${i.name.lastName}`:"",emailVerified:i.email_verified};case"facebook":return{id:i.id,email:i.email,name:i.name,avatar:(m=(a=i.picture)==null?void 0:a.data)==null?void 0:m.url,emailVerified:!0};default:return{id:String(i.id||i.sub),email:i.email,name:i.name||i.display_name||i.username,avatar:i.avatar||i.picture||i.avatar_url,emailVerified:i.email_verified||i.emailVerified||!1}}}class se{constructor(){L(this,"states",new Map)}set(e,s,t){this.states.set(e,s),this.cleanup()}get(e){const s=this.states.get(e);return s?s.expiresAt<Date.now()?(this.delete(e),null):s:null}delete(e){this.states.delete(e)}cleanup(){const e=Date.now();for(const[s,t]of this.states.entries())t.expiresAt<e&&this.states.delete(s)}}function oe(){return new se}function be(r=process.env.NODE_ENV==="development"){const e="[Mulguard]";return{debug:r?(s,t)=>{t!==void 0?console.debug(`${e} ${s}`,t):console.debug(`${e} ${s}`)}:()=>{},info:r?(s,t)=>{t!==void 0?console.info(`${e} ${s}`,t):console.info(`${e} ${s}`)}:()=>{},warn:r?(s,t)=>{t!==void 0?console.warn(`${e} ${s}`,t):console.warn(`${e} ${s}`)}:()=>{},error:r?(s,t)=>{t!==void 0?console.error(`${e} ${s}`,t):console.error(`${e} ${s}`)}:()=>{}}}const x=be();function Te(r,e,s,t={}){const{enabled:i=!0,maxRetries:d=1,retryDelay:c=1e3,rateLimit:a=3,autoSignOutOnFailure:m=!0,redirectToLogin:v="/login",autoRedirectOnFailure:C=!0}=t;let g=null,S=!1;const N=[],b=[],P=60*1e3;let T=0,I=!1,_=null;const D=2,M=60*1e3;function o(){const u=Date.now();if(I&&_){if(u<_)return!1;I=!1,_=null,T=0}for(;b.length>0;){const w=b[0];if(w!==void 0&&w<u-P)b.shift();else break}return b.length>=a?!1:(b.push(u),!0)}function n(){T++,T>=D&&(I=!0,_=Date.now()+M,process.env.NODE_ENV==="development"&&console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"))}function l(){T=0,I=!1,_=null}async function E(u=1){if(!i)return null;if(!o())throw new Error("Rate limit exceeded for token refresh");try{const w=await r();if(w)return l(),O(w),t.onTokenRefreshed&&await Promise.resolve(t.onTokenRefreshed(w)),w;if(n(),u<d)return await p(c*u),E(u+1);throw new Error("Token refresh failed: refresh function returned null")}catch(w){if(n(),u<d&&A(w))return await p(c*u),E(u+1);throw w}}function A(u){if(u instanceof Error){const w=u.message.toLowerCase();if(w.includes("rate limit")||w.includes("too many requests")||w.includes("429")||w.includes("limit:")||w.includes("requests per minute")||w.includes("token_blacklisted")||w.includes("blacklisted")||w.includes("invalid")||w.includes("401")||w.includes("unauthorized")||w.includes("session has been revoked")||w.includes("session expired"))return!1;if(w.includes("network")||w.includes("fetch")||w.includes("timeout"))return!0}return!1}function O(u){const w=[...N];N.length=0;for(const{resolve:F}of w)F(u)}function R(u){const w=[...N];N.length=0;for(const{reject:F}of w)F(u)}function p(u){return new Promise(w=>setTimeout(w,u))}async function y(u){try{if(t.onTokenRefreshFailed&&await Promise.resolve(t.onTokenRefreshFailed(u)),m&&(await s(),await e(),C&&typeof window<"u")){let w=!0;if(t.onBeforeRedirect&&(w=await Promise.resolve(t.onBeforeRedirect(u))),w){const F=new URL(v,window.location.origin);F.searchParams.set("reason","session_expired"),F.searchParams.set("redirect",window.location.pathname+window.location.search),window.location.href=F.toString()}}}catch(w){process.env.NODE_ENV==="development"&&console.error("[TokenRefreshManager] Error in handleRefreshFailure:",w)}}return{async refreshToken(){return i?g||(S=!0,g=E().then(u=>(S=!1,g=null,u)).catch(u=>{throw S=!1,g=null,R(u),y(u).catch(()=>{}),u}),g):null},isRefreshing(){return S},async waitForRefresh(){return g?new Promise((u,w)=>{N.push({resolve:u,reject:w})}):null},clear(){g=null,S=!1,b.length=0,l(),R(new Error("Token refresh manager cleared"))},async handleRefreshFailure(u){return y(u)}}}function xe(){const r=process.env.NODE_ENV==="production";return{cookieName:"__mulguard_session",expiresIn:60*60*24*7,httpOnly:!0,secure:r,sameSite:"lax",path:"/"}}function _e(){return{enabled:!0,refreshThreshold:300,maxRetries:0,retryDelay:1e3,rateLimit:1,autoSignOutOnFailure:!0,redirectToLogin:"/login",autoRedirectOnFailure:!0}}function Pe(r){var D,M;const e={...xe(),...r.session},s=r.actions,t=r.callbacks||{},i=((D=r.providers)==null?void 0:D.oauth)||{},d=process.env.NEXT_PUBLIC_URL||(process.env.VERCEL_URL?`https://${process.env.VERCEL_URL}`:"http://localhost:3000"),c={..._e(),...r.tokenRefresh},a={...s};if(Object.keys(i).length>0&&!a.signIn.oauth&&(a.signIn.oauth=async o=>{const n=i[o];if(!n)throw new Error(`OAuth provider "${o}" is not configured. Add it to providers.oauth in config.`);if(!n.clientId)throw new Error(`OAuth provider "${o}" is missing clientId`);const l=J();return{url:ee(o,n,d,l),state:l}}),Object.keys(i).length>0&&!a.oauthCallback&&(a.oauthCallback=async(o,n,l)=>{const E=i[o];if(!E)return{success:!1,error:`OAuth provider "${o}" is not configured`,errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{const A=E.redirectUri||`${d}/api/auth/callback/${o}`,O=await re(o,E,n,A),R=await te(o,O.access_token);if(t.onOAuthUser){const p=await g(t.onOAuthUser,R,o);if(!p)return{success:!1,error:"Failed to create or retrieve user",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const y={user:{id:p.id,email:p.email,name:p.name,avatar:R.avatar,emailVerified:R.emailVerified},expiresAt:new Date(Date.now()+7*24*60*60*1e3),accessToken:O.access_token,refreshToken:O.refresh_token,tokenType:"Bearer",expiresIn:O.expires_in};return await b(y),m={session:y,timestamp:Date.now()},t.onSignIn&&await g(t.onSignIn,y.user,y),{success:!0,user:y.user,session:y}}return{success:!1,error:"OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",errorCode:h.AuthErrorCode.VALIDATION_ERROR}}catch(A){return x.error("OAuth callback failed",{provider:o,error:A}),{success:!1,error:A instanceof Error?A.message:"OAuth callback failed",errorCode:h.AuthErrorCode.NETWORK_ERROR}}}),!a.signIn||!a.signIn.email)throw new Error("mulguard: signIn.email action is required");let m=null;const v=((M=r.session)==null?void 0:M.cacheTtl)??r.sessionCacheTtl??5e3,C=r.oauthStateStore||oe(),g=async(o,...n)=>{if(o)try{return await o(...n)}catch(l){throw t.onError&&await t.onError(l instanceof Error?l:new Error(String(l)),"callback"),l}},S=async(o,n)=>{const l={provider:n,expiresAt:Date.now()+6e5};await Promise.resolve(C.set(o,l,10*60*1e3)),C.cleanup&&await Promise.resolve(C.cleanup())},N=async(o,n)=>{const l=await Promise.resolve(C.get(o));return l?l.expiresAt<Date.now()?(await Promise.resolve(C.delete(o)),!1):l.provider!==n?!1:(await Promise.resolve(C.delete(o)),!0):!1},b=async o=>{const n=e.cookieName||"__mulguard_session",l=typeof o=="object"&&"token"in o?String(o.token):JSON.stringify(o),E=h.buildCookieOptions(n,l,e);return await h.setCookie(E)},P=async o=>{if(!o.success||!o.session)return{success:!0};const n=await b(o.session);return m={session:o.session,timestamp:Date.now()},o.user&&t.onSignIn&&await g(t.onSignIn,o.user,o.session),n},T=async()=>{const o=e.cookieName||"__mulguard_session";await h.deleteCookie(o,{path:e.path,domain:e.domain})};let I=null;const _={async getSession(){const o=Date.now();if(m&&o-m.timestamp<v)return m.session;if(s.getSession)try{const n=await s.getSession();if(n&&k.validateSessionStructure(n))return m={session:n,timestamp:o},n;n&&!k.validateSessionStructure(n)&&(await T(),m=null)}catch(n){x.debug("getSession error",{error:n}),t.onError&&await g(t.onError,n instanceof Error?n:new Error(String(n)),"getSession"),m=null}try{const n=e.cookieName||"__mulguard_session",l=await h.getCookie(n);if(l)try{const E=JSON.parse(l);if(k.validateSessionStructure(E))return E.expiresAt&&new Date(E.expiresAt)<new Date?(t.onSessionExpired&&await g(t.onSessionExpired,E),await T(),m=null,null):(m={session:E,timestamp:o},E);await T(),m=null}catch{await T(),m=null}}catch(n){const l=n instanceof Error?n.message:String(n);!l.includes("request scope")&&!l.includes("cookies")&&(x.warn("getSession cookie error",{error:n}),t.onError&&await g(t.onError,n instanceof Error?n:new Error(String(n)),"getSession.cookie"))}return null},async getAccessToken(){const o=await this.getSession();return o!=null&&o.accessToken&&typeof o.accessToken=="string"?o.accessToken:null},async getRefreshToken(){const o=await this.getSession();return o!=null&&o.refreshToken&&typeof o.refreshToken=="string"?o.refreshToken:null},async hasValidTokens(){return!!await this.getAccessToken()},signIn:(()=>{const o=async R=>{try{if(!R||typeof R!="object")return{success:!1,error:"Invalid credentials",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!R.email||typeof R.email!="string")return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const p=$(R.email);if(!p.valid)return{success:!1,error:p.error||"Invalid email format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!R.password||typeof R.password!="string")return{success:!1,error:"Password is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(R.password.length>128)return{success:!1,error:"Invalid credentials",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const y={email:p.sanitized,password:R.password},u=await a.signIn.email(y);return u.success&&u.session&&await P(u),u.success?x.info("Sign in successful",{email:y.email.substring(0,3)+"***"}):x.warn("Sign in failed",{email:y.email.substring(0,3)+"***",errorCode:u.errorCode}),u}catch(p){const y=p instanceof Error?p.message:"Sign in failed";return x.error("Sign in error",{error:y,context:"signIn.email"}),t.onError&&await g(t.onError,p instanceof Error?p:new Error(String(p)),"signIn.email"),{success:!1,error:"Sign in failed. Please try again.",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}},n=async R=>{if(!R||typeof R!="string")throw new Error("Provider is required");const p=z(R,{maxLength:50,allowHtml:!1,required:!0});if(!p.valid||!p.sanitized)throw new Error("Invalid provider");const y=p.sanitized.toLowerCase();if(!a.signIn.oauth)throw new Error("OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config.");const u=await a.signIn.oauth(y);return await S(u.state,y),x.info("OAuth sign in initiated",{provider:y}),u},l=async R=>{if(!a.signIn.passkey)throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");try{const p=await a.signIn.passkey(R);return p.success&&p.session&&await P(p),p}catch(p){return t.onError&&await g(t.onError,p instanceof Error?p:new Error(String(p)),"signIn.passkey"),{success:!1,error:p instanceof Error?p.message:"PassKey sign in failed"}}},E=async(R,p)=>{if(!R||typeof R!="string")return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const y=$(R);if(!y.valid)return{success:!1,error:y.error||"Invalid email format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(p!==void 0&&(typeof p!="string"||p.length<4||p.length>10))return{success:!1,error:"Invalid OTP code format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!a.signIn.otp)return{success:!1,error:"OTP sign in is not configured",errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{const u=await a.signIn.otp(y.sanitized,p);return u.success&&u.session&&await P(u),u.success?x.info("OTP sign in successful",{email:y.sanitized.substring(0,3)+"***"}):x.warn("OTP sign in failed",{email:y.sanitized.substring(0,3)+"***"}),u}catch(u){return x.error("OTP sign in error",{error:u instanceof Error?u.message:"Unknown error",context:"signIn.otp"}),t.onError&&await g(t.onError,u instanceof Error?u:new Error(String(u)),"signIn.otp"),{success:!1,error:"OTP sign in failed. Please try again.",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}},O=Object.assign(async(R,p)=>{if(!R||typeof R!="string")throw new Error("Provider is required");const y=z(R,{maxLength:50,allowHtml:!1,required:!0});if(!y.valid||!y.sanitized)throw new Error("Invalid provider");const u=y.sanitized.toLowerCase();if(u==="google"||u==="github"||u==="apple"||u==="facebook"||typeof u=="string"&&!["credentials","otp","passkey"].includes(u))return n(u);if(u==="credentials")return!p||!("email"in p)||!("password"in p)?{success:!1,error:"Credentials are required",errorCode:h.AuthErrorCode.VALIDATION_ERROR}:o(p);if(u==="otp"){if(!p||!("email"in p))return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const w=p;return E(w.email,w.code)}return u==="passkey"?l(p):{success:!1,error:"Invalid provider",errorCode:h.AuthErrorCode.VALIDATION_ERROR}},{email:o,oauth:a.signIn.oauth?n:void 0,passkey:a.signIn.passkey?l:void 0,otp:a.signIn.otp?E:void 0});return I=O,O})(),async signUp(o){if(!a.signUp)throw new Error("Sign up is not configured. Provide signUp action in config.");try{const n=await a.signUp(o);return n.success&&n.session&&await P(n),n}catch(n){return t.onError&&await g(t.onError,n instanceof Error?n:new Error(String(n)),"signUp"),{success:!1,error:n instanceof Error?n.message:"Sign up failed"}}},async signOut(){try{const o=await this.getSession(),n=o==null?void 0:o.user;return s.signOut&&await s.signOut(),await T(),m=null,n&&t.onSignOut&&await g(t.onSignOut,n),{success:!0}}catch(o){return await T(),t.onError&&await g(t.onError,o instanceof Error?o:new Error(String(o)),"signOut"),{success:!1,error:o instanceof Error?o.message:"Sign out failed"}}},async resetPassword(o){if(!s.resetPassword)throw new Error("Password reset is not configured. Provide resetPassword action in config.");try{return await s.resetPassword(o)}catch(n){return t.onError&&await g(t.onError,n instanceof Error?n:new Error(String(n)),"resetPassword"),{success:!1,error:n instanceof Error?n.message:"Password reset failed"}}},async verifyEmail(o){if(!s.verifyEmail)throw new Error("Email verification is not configured. Provide verifyEmail action in config.");try{return await s.verifyEmail(o)}catch(n){return t.onError&&await g(t.onError,n instanceof Error?n:new Error(String(n)),"verifyEmail"),{success:!1,error:n instanceof Error?n.message:"Email verification failed"}}},async refreshSession(){if(!s.refreshSession)return this.getSession();try{const o=await s.refreshSession();if(o&&k.validateSessionStructure(o)){if(await b(o),m={session:o,timestamp:Date.now()},t.onSessionUpdate){const n=await g(t.onSessionUpdate,o);if(n&&k.validateSessionStructure(n)){if(await b(n),t.onTokenRefresh){const l=await this.getSession();l&&await g(t.onTokenRefresh,l,n)}return n}}if(t.onTokenRefresh){const n=await this.getSession();n&&await g(t.onTokenRefresh,n,o)}return o}else if(o&&!k.validateSessionStructure(o))return await T(),null;return null}catch(o){return await T(),t.onError&&await g(t.onError,o instanceof Error?o:new Error(String(o)),"refreshSession"),null}},async oauthCallback(o,n,l){if(!a.oauthCallback)throw new Error("OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config.");if(!o||!n||!l)return{success:!1,error:"Missing required OAuth parameters (provider, code, or state)",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!await N(l,o))return{success:!1,error:"Invalid or expired state parameter",errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{const A=await a.oauthCallback(o,n,l);if(A.success&&A.session){const O=await P(A);O.success||(process.env.NODE_ENV==="development"&&x.debug("Failed to save session cookie after oauthCallback",{error:O.error,warning:O.warning}),t.onError&&await g(t.onError,new Error(O.warning||O.error||"Failed to save session cookie"),"oauthCallback.setSession"))}return A}catch(A){return t.onError&&await g(t.onError,A instanceof Error?A:new Error(String(A)),"oauthCallback"),{success:!1,error:A instanceof Error?A.message:"OAuth callback failed",errorCode:h.AuthErrorCode.NETWORK_ERROR}}},async verify2FA(o,n){if(!s.verify2FA)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const l=await s.verify2FA(o);if(l.success&&l.session&&!(n!=null&&n.skipCookieSave)){const E=await P(l);E.success||(process.env.NODE_ENV==="development"&&x.debug("Failed to save session cookie after verify2FA",{error:E.error,warning:E.warning}),t.onError&&await g(t.onError,new Error(E.warning||E.error||"Failed to save session cookie"),"verify2FA.setSession"))}return l}catch(l){return t.onError&&await g(t.onError,l instanceof Error?l:new Error(String(l)),"verify2FA"),{success:!1,error:l instanceof Error?l.message:"2FA verification failed",errorCode:h.AuthErrorCode.TWO_FA_REQUIRED}}},async setSession(o){return k.validateSessionStructure(o)?await b(o):{success:!1,error:"Invalid session structure"}},_getSessionConfig(){return{cookieName:e.cookieName||"__mulguard_session",config:e}},_getCallbacks(){return t},passkey:s.passkey?{register:s.passkey.register,authenticate:async o=>{var n;if(!((n=s.passkey)!=null&&n.authenticate))throw new Error("PassKey authenticate is not configured.");try{const l=await s.passkey.authenticate(o);return l.success&&l.session&&await P(l),l}catch(l){return t.onError&&await g(t.onError,l instanceof Error?l:new Error(String(l)),"passkey.authenticate"),{success:!1,error:l instanceof Error?l.message:"PassKey authentication failed"}}},list:s.passkey.list,remove:s.passkey.remove}:void 0,twoFactor:s.twoFactor?{enable:s.twoFactor.enable,verify:s.twoFactor.verify,disable:s.twoFactor.disable,generateBackupCodes:s.twoFactor.generateBackupCodes,isEnabled:s.twoFactor.isEnabled,verify2FA:async o=>{var l;const n=((l=s.twoFactor)==null?void 0:l.verify2FA)||s.verify2FA;if(!n)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const E=await n(o);if(E.success&&E.session){const A=await P(E);A.success||(process.env.NODE_ENV==="development"&&x.debug("Failed to save session cookie after twoFactor.verify2FA",{error:A.error,warning:A.warning}),t.onError&&await g(t.onError,new Error(A.warning||A.error||"Failed to save session cookie"),"twoFactor.verify2FA.setSession"))}return E}catch(E){return t.onError&&await g(t.onError,E instanceof Error?E:new Error(String(E)),"twoFactor.verify2FA"),{success:!1,error:E instanceof Error?E.message:"2FA verification failed",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}}}:void 0,signInMethods:{email:o=>I.email(o),oauth:o=>{var n;return((n=I.oauth)==null?void 0:n.call(I,o))||Promise.reject(new Error("OAuth not configured"))},passkey:o=>{var n;return((n=I.passkey)==null?void 0:n.call(I,o))||Promise.reject(new Error("Passkey not configured"))},otp:(o,n)=>{var l;return((l=I.otp)==null?void 0:l.call(I,o,n))||Promise.reject(new Error("OTP not configured"))}}};if(s.refreshSession){const o=Te(async()=>await _.refreshSession(),async()=>await _.signOut(),async()=>{await T()},{...c,onTokenRefreshed:c.onTokenRefreshed,onTokenRefreshFailed:c.onTokenRefreshFailed,onBeforeRedirect:c.onBeforeRedirect});_._tokenRefreshManager=o,_._getTokenRefreshManager=()=>o}return _}function Ue(r){return{GET:async e=>H(e,r,"GET"),POST:async e=>H(e,r,"POST")}}async function H(r,e,s){const t=new URL(r.url),i=t.pathname.replace(/^\/api\/auth/,"")||"/session",d=i.split("/").filter(Boolean);try{if(s==="GET"){if(i==="/session"||i==="/"){const c=await e.getSession();return f.NextResponse.json({session:c})}if(i==="/providers")return f.NextResponse.json({providers:{email:!!e.signIn.email,oauth:!!e.signIn.oauth,passkey:!!e.signIn.passkey}});if(i.startsWith("/oauth/callback")||d[0]==="oauth"&&d[1]==="callback"){if(!e.oauthCallback)return f.NextResponse.redirect(new URL("/login?error=oauth_not_configured",r.url));const c=d[2]||t.searchParams.get("provider"),a=t.searchParams.get("code"),m=t.searchParams.get("state");if(!c||!a||!m)return f.NextResponse.redirect(new URL("/login?error=oauth_missing_params",r.url));try{const v=await e.oauthCallback(c,a,m);if(v.success){const C=t.searchParams.get("callbackUrl")||"/";return f.NextResponse.redirect(new URL(C,r.url))}else return f.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(v.error||"oauth_failed")}`,r.url))}catch(v){return f.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(v instanceof Error?v.message:"oauth_error")}`,r.url))}}return f.NextResponse.json({error:"Not found"},{status:404})}if(s==="POST"){const c=await r.json().catch(()=>({}));if(i==="/sign-in"||d[0]==="sign-in"){if(c.provider==="email"&&c.email&&c.password){const a=await e.signIn.email({email:c.email,password:c.password});return f.NextResponse.json(a)}if(c.provider==="oauth"&&c.providerName){if(!e.signIn.oauth)return f.NextResponse.json({success:!1,error:"OAuth is not configured"},{status:400});const a=await e.signIn.oauth(c.providerName);return f.NextResponse.json(a)}if(c.provider==="passkey"){if(!e.signIn.passkey)return f.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});const a=await e.signIn.passkey(c.options);return f.NextResponse.json(a)}return f.NextResponse.json({success:!1,error:"Invalid sign in request"},{status:400})}if(i==="/sign-up"||d[0]==="sign-up"){if(!e.signUp)return f.NextResponse.json({success:!1,error:"Sign up is not configured"},{status:400});const a=await e.signUp(c);return f.NextResponse.json(a)}if(i==="/sign-out"||d[0]==="sign-out"){const a=await e.signOut();return f.NextResponse.json(a)}if(i==="/reset-password"||d[0]==="reset-password"){if(!e.resetPassword)return f.NextResponse.json({success:!1,error:"Password reset is not configured"},{status:400});const a=await e.resetPassword(c.email);return f.NextResponse.json(a)}if(i==="/verify-email"||d[0]==="verify-email"){if(!e.verifyEmail)return f.NextResponse.json({success:!1,error:"Email verification is not configured"},{status:400});const a=await e.verifyEmail(c.token);return f.NextResponse.json(a)}if(i==="/refresh"||d[0]==="refresh"){if(!e.refreshSession){const m=await e.getSession();return f.NextResponse.json({session:m})}const a=await e.refreshSession();return f.NextResponse.json({session:a})}if(i.startsWith("/oauth/callback")||d[0]==="oauth"&&d[1]==="callback"){if(!e.oauthCallback)return f.NextResponse.json({success:!1,error:"OAuth callback is not configured"},{status:400});const a=c.provider||d[2]||t.searchParams.get("provider"),m=c.code||t.searchParams.get("code"),v=c.state||t.searchParams.get("state");if(!a||!m||!v)return f.NextResponse.json({success:!1,error:"Missing required OAuth parameters. Provider, code, and state are required."},{status:400});const C=await e.oauthCallback(a,m,v);return f.NextResponse.json(C)}if(i.startsWith("/passkey")){if(!e.passkey)return f.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});if(d[1]==="register"&&e.passkey.register){const a=await e.passkey.register(c.options);return f.NextResponse.json(a)}if(d[1]==="list"&&e.passkey.list){const a=await e.passkey.list();return f.NextResponse.json(a)}if(d[1]==="remove"&&e.passkey.remove){const a=await e.passkey.remove(c.passkeyId);return f.NextResponse.json(a)}}if(i==="/verify-2fa"||d[0]==="verify-2fa"){if(!e.verify2FA)return f.NextResponse.json({success:!1,error:"2FA verification is not configured"},{status:400});if(!c.email||!c.userId||!c.code)return f.NextResponse.json({success:!1,error:"Missing required parameters. Email, userId, and code are required."},{status:400});const a=await e.verify2FA({email:c.email,userId:c.userId,code:c.code});return f.NextResponse.json(a)}if(i.startsWith("/two-factor")){if(!e.twoFactor)return f.NextResponse.json({success:!1,error:"Two-Factor Authentication is not configured"},{status:400});if(d[1]==="enable"&&e.twoFactor.enable){const a=await e.twoFactor.enable();return f.NextResponse.json(a)}if(d[1]==="verify"&&e.twoFactor.verify){const a=await e.twoFactor.verify(c.code);return f.NextResponse.json(a)}if(d[1]==="disable"&&e.twoFactor.disable){const a=await e.twoFactor.disable();return f.NextResponse.json(a)}if(d[1]==="backup-codes"&&e.twoFactor.generateBackupCodes){const a=await e.twoFactor.generateBackupCodes();return f.NextResponse.json(a)}if(d[1]==="is-enabled"&&e.twoFactor.isEnabled){const a=await e.twoFactor.isEnabled();return f.NextResponse.json({enabled:a})}}return f.NextResponse.json({error:"Not found"},{status:404})}return f.NextResponse.json({error:"Method not allowed"},{status:405})}catch(c){return f.NextResponse.json({success:!1,error:c instanceof Error?c.message:"Request failed"},{status:500})}}function Fe(r){return async e=>{const{method:s,nextUrl:t}=e,d=t.pathname.replace(/^\/api\/auth/,"")||"/";try{let c;if(s!=="GET"&&s!=="HEAD")try{c=await e.json()}catch{}const a=Object.fromEntries(t.searchParams.entries()),m=await fetch(`${process.env.NEXT_PUBLIC_API_URL||""}/api/auth${d}${Object.keys(a).length>0?`?${new URLSearchParams(a).toString()}`:""}`,{method:s,headers:{"Content-Type":"application/json",...Object.fromEntries(e.headers.entries())},body:c?JSON.stringify(c):void 0}),v=await m.json();return f.NextResponse.json(v,{status:m.status,headers:{...Object.fromEntries(m.headers.entries())}})}catch(c){return console.error("API handler error:",c),f.NextResponse.json({success:!1,error:c instanceof Error?c.message:"Internal server error"},{status:500})}}}function Le(r){return async e=>{const{searchParams:s}=e.nextUrl,t=s.get("provider"),i=s.get("code"),d=s.get("state");if(!t||!i||!d)return f.NextResponse.redirect(new URL("/login?error=oauth_missing_params",e.url));try{if(!r.oauthCallback)return f.NextResponse.redirect(new URL("/login?error=oauth_not_configured",e.url));const c=await r.oauthCallback(t,i,d);if(c.success){const a=s.get("callbackUrl")||"/";return f.NextResponse.redirect(new URL(a,e.url))}else{const a=c.errorCode?`${encodeURIComponent(c.error||"oauth_failed")}&code=${c.errorCode}`:encodeURIComponent(c.error||"oauth_failed");return f.NextResponse.redirect(new URL(`/login?error=${a}`,e.url))}}catch(c){return process.env.NODE_ENV==="development"&&console.error("[Mulguard] OAuth callback error:",c),f.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(c instanceof Error?c.message:"oauth_error")}`,e.url))}}}function U(r,e){const s=q({"X-Frame-Options":"SAMEORIGIN"});for(const[t,i]of Object.entries(s))i&&typeof i=="string"&&e.headers.set(t,i);return e}function je(){return async r=>{const e=f.NextResponse.next();return U(r,e)}}function De(r,e={}){const{protectedRoutes:s=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:d}=e;return async c=>{const{pathname:a}=c.nextUrl,m=s.some(g=>a.startsWith(g));let v=null;try{v=await r.getSession()}catch(g){console.error("Middleware: Failed to get session:",g)}if(m&&!v){const g=c.nextUrl.clone();return g.pathname=i,g.searchParams.set("callbackUrl",a),f.NextResponse.redirect(g)}if(d&&v&&(a.startsWith("/login")||a.startsWith("/register"))){const S=c.nextUrl.clone();S.pathname=d;const N=f.NextResponse.redirect(S);return U(c,N)}const C=f.NextResponse.next();return U(c,C)}}async function Me(r,e){var s;try{const t=await r.getSession();return t?((s=t.user.roles)==null?void 0:s.includes(e))??!1:!1}catch{return!1}}function Ve(r){const{auth:e,protectedRoutes:s=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:d,apiPrefix:c="/api/auth"}=r;return async a=>{const{pathname:m}=a.nextUrl;if(m.startsWith(c)){const S=f.NextResponse.next();return U(a,S)}const v=s.some(S=>m.startsWith(S));let C=null;if(v||d)try{C=await e.getSession()}catch(S){console.error("Middleware: Failed to get session:",S)}if(v&&!C){const S=a.nextUrl.clone();S.pathname=i,S.searchParams.set("callbackUrl",m);const N=f.NextResponse.redirect(S);return U(a,N)}if(d&&C&&(m.startsWith("/login")||m.startsWith("/register"))){const N=a.nextUrl.clone();N.pathname=d;const b=f.NextResponse.redirect(N);return U(a,b)}const g=f.NextResponse.next();return U(a,g)}}async function $e(r,e){var s;try{const t=await r.getSession();return t?((s=t.user.roles)==null?void 0:s.includes(e))??!1:!1}catch{return!1}}exports.buildCookieOptions=h.buildCookieOptions;exports.deleteCookie=h.deleteCookie;exports.getCookie=h.getCookie;exports.setCookie=h.setCookie;exports.signInEmailAction=h.signInEmailAction;exports.signOutAction=h.signOutAction;exports.signUpAction=h.signUpAction;exports.verify2FAAction=h.verify2FAAction;exports.createServerAuthMiddleware=k.createAuthMiddleware;exports.createServerHelpers=k.createServerHelpers;exports.createServerUtils=k.createServerUtils;exports.createSessionManager=k.createSessionManager;exports.deleteOAuthStateCookie=k.deleteOAuthStateCookie;exports.getCurrentUser=k.getCurrentUser;exports.getOAuthStateCookie=k.getOAuthStateCookie;exports.getServerSession=k.getServerSession;exports.getSessionTimeUntilExpiry=k.getSessionTimeUntilExpiry;exports.isSessionExpiredNullable=k.isSessionExpiredNullable;exports.isSessionExpiringSoon=k.isSessionExpiringSoon;exports.isSessionValid=k.isSessionValid;exports.refreshSession=k.refreshSession;exports.requireAuth=k.requireAuth;exports.requireRole=k.requireRole;exports.requireServerAuthMiddleware=k.requireAuthMiddleware;exports.requireServerRoleMiddleware=k.requireRoleMiddleware;exports.storeOAuthStateCookie=k.storeOAuthStateCookie;exports.validateSessionStructure=k.validateSessionStructure;exports.CSRFProtection=Y;exports.DEFAULT_SECURITY_HEADERS=K;exports.MemoryCSRFStore=X;exports.MemoryOAuthStateStore=se;exports.RateLimiter=B;exports.applySecurityHeaders=ue;exports.buildOAuthAuthorizationUrl=ee;exports.checkRole=Me;exports.checkRoleProxy=$e;exports.containsXSSPattern=me;exports.createApiHandler=Fe;exports.createAuthMiddleware=De;exports.createCSRFProtection=ge;exports.createMemoryOAuthStateStore=oe;exports.createOAuthCallbackHandler=Le;exports.createProxyMiddleware=Ve;exports.createRateLimiter=ce;exports.createSecurityMiddleware=je;exports.escapeHTML=G;exports.exchangeOAuthCode=re;exports.generateCSRFToken=J;exports.generateToken=W;exports.getErrorCode=Ae;exports.getErrorMessage=ve;exports.getOAuthUserInfo=te;exports.getProviderMetadata=V;exports.getSecurityHeaders=q;exports.getUserFriendlyError=Ie;exports.hasErrorCode=Se;exports.isAuthError=Z;exports.isAuthSuccess=ke;exports.isRetryableError=Ce;exports.isTwoFactorRequired=ye;exports.isValidEmail=Re;exports.mulguard=Pe;exports.sanitizeHTML=pe;exports.sanitizeInput=Ee;exports.sanitizeUserInput=we;exports.signIn=Oe;exports.toNextJsHandler=Ue;exports.validateAndSanitizeEmail=$;exports.validateAndSanitizeInput=z;exports.validateAndSanitizeName=fe;exports.validateAndSanitizePassword=le;exports.validateCSRFToken=Q;exports.validateToken=he;exports.validateURL=de;exports.withSecurityHeaders=U;
|