mulguard 1.0.1

package/dist/core/utils/auth-helpers.d.ts

@@ -0,0 +1,136 @@
+import { AuthResult, TwoFactorAuthResult } from '../types/auth';
+import { AuthErrorCode } from '../types/errors';
+/**
+ * Check if an authentication result indicates an error
+ *
+ * @param result - Authentication result to check
+ * @returns True if the result indicates an error
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (isAuthError(result)) {
+ *   console.error('Authentication failed:', result.error)
+ * }
+ * ```
+ */
+export declare function isAuthError(result: AuthResult): boolean;
+/**
+ * Type guard to check if 2FA is required
+ *
+ * This function narrows the type to TwoFactorAuthResult when true,
+ * making it easier to work with 2FA flows in TypeScript.
+ *
+ * @param result - Authentication result to check
+ * @returns True if 2FA is required (type guard)
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (isTwoFactorRequired(result)) {
+ *   // TypeScript knows result is TwoFactorAuthResult here
+ *   console.log('2FA required for:', result.email)
+ *   // Can safely access result.email, result.userId, result.twoFactorMethod
+ * }
+ * ```
+ */
+export declare function isTwoFactorRequired(result: AuthResult): result is TwoFactorAuthResult;
+/**
+ * Get error message from authentication result
+ *
+ * @param result - Authentication result
+ * @param defaultMessage - Default message if no error is present
+ * @returns Error message or default message
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (!result.success) {
+ *   const message = getErrorMessage(result, 'Authentication failed')
+ *   showToast(message)
+ * }
+ * ```
+ */
+export declare function getErrorMessage(result: AuthResult, defaultMessage?: string): string;
+/**
+ * Get error code from authentication result
+ *
+ * @param result - Authentication result
+ * @returns Error code or undefined
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * const errorCode = getErrorCode(result)
+ * if (errorCode === AuthErrorCode.ACCOUNT_LOCKED) {
+ *   showAccountLockedMessage()
+ * }
+ * ```
+ */
+export declare function getErrorCode(result: AuthResult): AuthErrorCode | undefined;
+/**
+ * Check if authentication was successful
+ *
+ * @param result - Authentication result to check
+ * @returns True if authentication was successful
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (isAuthSuccess(result)) {
+ *   console.log('Welcome,', result.user?.name)
+ * }
+ * ```
+ */
+export declare function isAuthSuccess(result: AuthResult): boolean;
+/**
+ * Check if a specific error code matches
+ *
+ * @param result - Authentication result
+ * @param code - Error code to check for
+ * @returns True if the error code matches
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (hasErrorCode(result, AuthErrorCode.ACCOUNT_LOCKED)) {
+ *   showAccountLockedMessage()
+ * }
+ * ```
+ */
+export declare function hasErrorCode(result: AuthResult, code: AuthErrorCode): boolean;
+/**
+ * Check if the error is retryable
+ *
+ * Some errors (like network errors or rate limits) may be retryable,
+ * while others (like invalid credentials) should not be retried.
+ *
+ * @param result - Authentication result
+ * @returns True if the error is retryable
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (isAuthError(result) && isRetryableError(result)) {
+ *   // Show retry button
+ *   showRetryButton()
+ * }
+ * ```
+ */
+export declare function isRetryableError(result: AuthResult): boolean;
+/**
+ * Get user-friendly error message based on error code
+ *
+ * @param result - Authentication result
+ * @returns User-friendly error message
+ *
+ * @example
+ * ```typescript
+ * const result = await auth.signIn.email(credentials)
+ * if (!result.success) {
+ *   const message = getUserFriendlyError(result)
+ *   showToast(message)
+ * }
+ * ```
+ */
+export declare function getUserFriendlyError(result: AuthResult): string;

package/dist/core/utils/logger.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Logging utilities for Mulguard
+ */
+export interface Logger {
+    debug(message: string, data?: unknown): void;
+    info(message: string, data?: unknown): void;
+    warn(message: string, data?: unknown): void;
+    error(message: string, error?: Error | unknown): void;
+}
+/**
+ * Create a logger instance
+ */
+export declare function createLogger(enabled?: boolean): Logger;
+/**
+ * Default logger instance
+ */
+export declare const logger: Logger;

package/dist/handlers/api.d.ts

@@ -0,0 +1,10 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { MulguardInstance } from '../mulguard';
+/**
+ * Create API route handler
+ */
+export declare function createApiHandler(_auth: MulguardInstance): (request: NextRequest) => Promise<NextResponse<any>>;
+/**
+ * OAuth callback handler
+ */
+export declare function createOAuthCallbackHandler(auth: MulguardInstance): (request: NextRequest) => Promise<NextResponse<unknown>>;

package/dist/handlers/route.d.ts

@@ -0,0 +1,22 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { MulguardInstance } from '../mulguard';
+export interface RouteHandlerOptions {
+    auth: MulguardInstance;
+}
+/**
+ * Create Next.js route handlers
+ * This is a simple proxy that forwards requests to Server Actions
+ *
+ * @example
+ * ```typescript
+ * // app/api/auth/[...mulguard]/route.ts
+ * import { auth } from '@/auth'
+ * import { toNextJsHandler } from 'mulguard'
+ *
+ * export const { GET, POST } = toNextJsHandler(auth)
+ * ```
+ */
+export declare function toNextJsHandler(auth: MulguardInstance): {
+    GET: (request: NextRequest) => Promise<NextResponse<unknown>>;
+    POST: (request: NextRequest) => Promise<NextResponse<unknown>>;
+};

package/dist/index/index.js

@@ -0,0 +1 @@
+"use strict";var se=Object.defineProperty;var ne=(r,e,n)=>e in r?se(r,e,{enumerable:!0,configurable:!0,writable:!0,value:n}):r[e]=n;var U=(r,e,n)=>ne(r,typeof e!="symbol"?e+"":e,n);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const w=require("../actions-CExpv_dD.js"),oe=require("../signin-unified-Cw41EFkc.js"),R=require("../oauth-state-CzIWQq3s.js"),l=require("next/server"),F=typeof globalThis=="object"&&"crypto"in globalThis?globalThis.crypto:void 0;/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function ie(r=32){if(F&&typeof F.getRandomValues=="function")return F.getRandomValues(new Uint8Array(r));if(F&&typeof F.randomBytes=="function")return Uint8Array.from(F.randomBytes(r));throw new Error("crypto.getRandomValues must be defined")}class H{constructor(e){U(this,"attempts",new Map);U(this,"config");this.config=e}check(e){const n=Date.now(),t=this.attempts.get(e);return!t||t.resetAt<n?(this.attempts.set(e,{count:1,resetAt:n+this.config.windowMs}),{allowed:!0,remaining:this.config.maxAttempts-1,resetAt:new Date(n+this.config.windowMs)}):t.count>=this.config.maxAttempts?{allowed:!1,remaining:0,resetAt:new Date(t.resetAt)}:(t.count++,{allowed:!0,remaining:this.config.maxAttempts-t.count,resetAt:new Date(t.resetAt)})}reset(e){this.attempts.delete(e)}clear(){this.attempts.clear()}}function ae(r){return new H(r)}const q={"X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","X-XSS-Protection":"1; mode=block","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';","Referrer-Policy":"strict-origin-when-cross-origin","Permissions-Policy":"geolocation=(), microphone=(), camera=()"};function $(r){return{...q,...r}}function ce(r,e){const n=$(e);for(const[t,i]of Object.entries(n))i&&r.set(t,i)}function ue(r){if(!r||typeof r!="string")return{valid:!1,error:"Email is required"};const e=r.trim().toLowerCase();return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e)?e.length>254?{valid:!1,error:"Email is too long"}:e.includes("..")||e.startsWith(".")||e.endsWith(".")?{valid:!1,error:"Invalid email format"}:{valid:!0,sanitized:e}:{valid:!1,error:"Invalid email format"}}function le(r,e=8){if(!r||typeof r!="string")return{valid:!1,error:"Password is required"};if(r.length<e)return{valid:!1,error:`Password must be at least ${e} characters`};if(r.length>128)return{valid:!1,error:"Password is too long"};if(["password","12345678","qwerty","abc123","password123","123456789","1234567890","letmein","welcome","monkey","dragon","master","sunshine","princess","football"].includes(r.toLowerCase()))return{valid:!1,error:"Password is too common"};if(/(.)\1{3,}/.test(r))return{valid:!1,error:"Password contains too many repeated characters"};if(/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))return{valid:!1,error:"Password contains sequential characters"};let t="weak",i=0;return r.length>=12?i+=2:r.length>=8&&(i+=1),/[a-z]/.test(r)&&(i+=1),/[A-Z]/.test(r)&&(i+=1),/[0-9]/.test(r)&&(i+=1),/[^a-zA-Z0-9]/.test(r)&&(i+=1),i>=5?t="strong":i>=3&&(t="medium"),{valid:!0,strength:t}}function fe(r){if(!r||typeof r!="string")return{valid:!1,error:"Name is required"};const e=r.trim();return e.length<1?{valid:!1,error:"Name cannot be empty"}:e.length>100?{valid:!1,error:"Name is too long"}:{valid:!0,sanitized:e.replace(/[<>\"']/g,"")}}function de(r){if(!r||typeof r!="string")return{valid:!1,error:"URL is required"};try{const e=new URL(r);return["http:","https:"].includes(e.protocol)?{valid:!0}:{valid:!1,error:"URL must use http or https protocol"}}catch{return{valid:!1,error:"Invalid URL format"}}}function he(r,e=16){return!r||typeof r!="string"?{valid:!1,error:"Token is required"}:r.length<e?{valid:!1,error:"Token is too short"}:r.length>512?{valid:!1,error:"Token is too long"}:/^[A-Za-z0-9_-]+$/.test(r)?/(.)\1{10,}/.test(r)?{valid:!1,error:"Token contains suspicious pattern"}:{valid:!0}:{valid:!1,error:"Invalid token format"}}function ge(r,e){const{maxLength:n=1e3,allowHtml:t=!1,required:i=!0}=e||{};if(i&&(!r||typeof r!="string"||r.trim().length===0))return{valid:!1,error:"Input is required"};if(!r||typeof r!="string")return{valid:!0,sanitized:""};let f=r.trim();return f.length>n?{valid:!1,error:`Input must be less than ${n} characters`}:(t||(f=f.replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&#x27;").replace(/\//g,"&#x2F;")),f=f.replace(/[\x00-\x1F\x7F]/g,""),{valid:!0,sanitized:f})}class B{constructor(){U(this,"tokens",new Map)}get(e){const n=this.tokens.get(e);return n?n.expiresAt<Date.now()?(this.delete(e),null):n.value:null}set(e,n,t=36e5){this.tokens.set(e,{value:n,expiresAt:Date.now()+t})}delete(e){this.tokens.delete(e)}clear(){this.tokens.clear()}}class K{constructor(e,n=32){U(this,"store");U(this,"tokenLength");this.store=e||new B,this.tokenLength=n}generateToken(e,n){const t=V(this.tokenLength);return this.store.set(e,t,n),t}validateToken(e,n){const t=this.store.get(e);if(!t)return!1;const i=G(n,t);return i&&this.store.delete(e),i}getToken(e){return this.store.get(e)}deleteToken(e){this.store.delete(e)}}function pe(r){return new K(r)}function X(r){if(typeof r!="string")return"";const e={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#039;"};return r.replace(/[&<>"']/g,n=>e[n]||n)}function we(r){return typeof r!="string"?"":r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,"").replace(/on\w+\s*=\s*["'][^"']*["']/gi,"").replace(/javascript:/gi,"")}function me(r){return typeof r!="string"?"":X(r.trim())}function Ee(r){return typeof r!="string"?!1:[/<script/i,/javascript:/i,/on\w+\s*=/i,/<iframe/i,/<object/i,/<embed/i,/<link/i,/<meta/i,/expression\s*\(/i,/vbscript:/i].some(n=>n.test(r))}function V(r=32){const e=ie(r);return Buffer.from(e).toString("base64url")}function Y(){return V(32)}function G(r,e){if(!r||!e||r.length!==e.length)return!1;let n=0;for(let t=0;t<r.length;t++)n|=r.charCodeAt(t)^e.charCodeAt(t);return n===0}function ye(r){return r.trim().replace(/[<>]/g,"")}function Re(r){return/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r)}function J(r){return!r.success&&!!r.error}function ke(r){return r.requires2FA===!0||r.errorCode===w.AuthErrorCode.TWO_FA_REQUIRED}function ve(r,e){return r.error?r.error:e||"Authentication failed"}function Se(r){return r.errorCode}function Ae(r){return r.success===!0&&!!r.user}function Ce(r,e){return r.errorCode===e}function be(r){if(!J(r))return!1;const e=[w.AuthErrorCode.NETWORK_ERROR,w.AuthErrorCode.RATE_LIMITED,w.AuthErrorCode.UNKNOWN_ERROR];return r.errorCode?e.includes(r.errorCode):!1}function Oe(r){if(r.error)return r.error;switch(r.errorCode){case w.AuthErrorCode.INVALID_CREDENTIALS:return"Invalid email or password. Please try again.";case w.AuthErrorCode.ACCOUNT_LOCKED:return"Your account has been temporarily locked. Please try again later.";case w.AuthErrorCode.ACCOUNT_INACTIVE:return"Your account is inactive. Please contact support.";case w.AuthErrorCode.TWO_FA_REQUIRED:return"Two-factor authentication is required. Please enter your code.";case w.AuthErrorCode.INVALID_TWO_FA_CODE:return"Invalid two-factor authentication code. Please try again.";case w.AuthErrorCode.SESSION_EXPIRED:return"Your session has expired. Please sign in again.";case w.AuthErrorCode.UNAUTHORIZED:return"You are not authorized to perform this action.";case w.AuthErrorCode.NETWORK_ERROR:return"Network error. Please check your connection and try again.";case w.AuthErrorCode.VALIDATION_ERROR:return"Please check your input and try again.";case w.AuthErrorCode.RATE_LIMITED:return"Too many attempts. Please try again later.";case w.AuthErrorCode.UNKNOWN_ERROR:default:return"An unexpected error occurred. Please try again."}}const Ne={google:{authorizationUrl:"https://accounts.google.com/o/oauth2/v2/auth",tokenUrl:"https://oauth2.googleapis.com/token",userInfoUrl:"https://www.googleapis.com/oauth2/v2/userinfo",defaultScopes:["openid","profile","email"]},github:{authorizationUrl:"https://github.com/login/oauth/authorize",tokenUrl:"https://github.com/login/oauth/access_token",userInfoUrl:"https://api.github.com/user",defaultScopes:["user:email"]},apple:{authorizationUrl:"https://appleid.apple.com/auth/authorize",tokenUrl:"https://appleid.apple.com/auth/token",userInfoUrl:"https://appleid.apple.com/auth/userinfo",defaultScopes:["name","email"],defaultParams:{response_mode:"form_post",response_type:"code id_token"}},facebook:{authorizationUrl:"https://www.facebook.com/v18.0/dialog/oauth",tokenUrl:"https://graph.facebook.com/v18.0/oauth/access_token",userInfoUrl:"https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",defaultScopes:["email","public_profile"]}};function M(r){return Ne[r]||null}function Q(r,e,n,t){const i=M(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const f=e.redirectUri||`${n}/api/auth/callback/${r}`,u=e.scopes||i.defaultScopes,a=new URLSearchParams({client_id:e.clientId,redirect_uri:f,response_type:"code",scope:u.join(" "),state:t,...i.defaultParams,...e.params});return`${i.authorizationUrl}?${a.toString()}`}async function Z(r,e,n,t){const i=M(r);if(!i)throw new Error(`Unknown OAuth provider: ${r}`);const f=new URLSearchParams({client_id:e.clientId,code:n,redirect_uri:t,grant_type:"authorization_code"});e.clientSecret&&f.append("client_secret",e.clientSecret);const u=await fetch(i.tokenUrl,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:f.toString()});if(!u.ok){const a=await u.text();throw new Error(`Failed to exchange code for tokens: ${a}`)}return await u.json()}async function ee(r,e){var f,u,a,h;const n=M(r);if(!n)throw new Error(`Unknown OAuth provider: ${r}`);const t=await fetch(n.userInfoUrl,{headers:{Authorization:`Bearer ${e}`,Accept:"application/json"}});if(!t.ok){const E=await t.text();throw new Error(`Failed to fetch user info: ${E}`)}const i=await t.json();switch(r){case"google":return{id:i.sub||i.id,email:i.email,name:i.name,avatar:i.picture,emailVerified:i.email_verified};case"github":let E=i.email;if(!E){const d=await(await fetch("https://api.github.com/user/emails",{headers:{Authorization:`Bearer ${e}`}})).json();E=((f=d.find(k=>k.primary))==null?void 0:f.email)||((u=d[0])==null?void 0:u.email)||`${i.login}@users.noreply.github.com`}return{id:String(i.id),email:E,name:i.name||i.login,avatar:i.avatar_url,emailVerified:!!E};case"apple":return{id:i.sub,email:i.email,name:i.name?`${i.name.firstName} ${i.name.lastName}`:"",emailVerified:i.email_verified};case"facebook":return{id:i.id,email:i.email,name:i.name,avatar:(h=(a=i.picture)==null?void 0:a.data)==null?void 0:h.url,emailVerified:!0};default:return{id:String(i.id||i.sub),email:i.email,name:i.name||i.display_name||i.username,avatar:i.avatar||i.picture||i.avatar_url,emailVerified:i.email_verified||i.emailVerified||!1}}}class re{constructor(){U(this,"states",new Map)}set(e,n,t){this.states.set(e,n),this.cleanup()}get(e){const n=this.states.get(e);return n?n.expiresAt<Date.now()?(this.delete(e),null):n:null}delete(e){this.states.delete(e)}cleanup(){const e=Date.now();for(const[n,t]of this.states.entries())t.expiresAt<e&&this.states.delete(n)}}function te(){return new re}function xe(r=process.env.NODE_ENV==="development"){const e="[Mulguard]";return{debug:r?(n,t)=>{t!==void 0?console.debug(`${e} ${n}`,t):console.debug(`${e} ${n}`)}:()=>{},info:r?(n,t)=>{t!==void 0?console.info(`${e} ${n}`,t):console.info(`${e} ${n}`)}:()=>{},warn:r?(n,t)=>{t!==void 0?console.warn(`${e} ${n}`,t):console.warn(`${e} ${n}`)}:()=>{},error:r?(n,t)=>{t!==void 0?console.error(`${e} ${n}`,t):console.error(`${e} ${n}`)}:()=>{}}}const j=xe();function Te(r,e,n,t={}){const{enabled:i=!0,maxRetries:f=1,retryDelay:u=1e3,rateLimit:a=3,autoSignOutOnFailure:h=!0,redirectToLogin:E="/login",autoRedirectOnFailure:v=!0}=t;let d=null,k=!1;const S=[],A=[],N=60*1e3;let C=0,b=!1,T=null;const D=2,o=60*1e3;function s(){const m=Date.now();if(b&&T){if(m<T)return!1;b=!1,T=null,C=0}for(;A.length>0;){const g=A[0];if(g!==void 0&&g<m-N)A.shift();else break}return A.length>=a?!1:(A.push(m),!0)}function c(){C++,C>=D&&(b=!0,T=Date.now()+o,process.env.NODE_ENV==="development"&&console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"))}function p(){C=0,b=!1,T=null}async function y(m=1){if(!i)return null;if(!s())throw new Error("Rate limit exceeded for token refresh");try{const g=await r();if(g)return p(),L(g),t.onTokenRefreshed&&await Promise.resolve(t.onTokenRefreshed(g)),g;if(c(),m<f)return await x(u*m),y(m+1);throw new Error("Token refresh failed: refresh function returned null")}catch(g){if(c(),m<f&&O(g))return await x(u*m),y(m+1);throw g}}function O(m){if(m instanceof Error){const g=m.message.toLowerCase();if(g.includes("rate limit")||g.includes("too many requests")||g.includes("429")||g.includes("limit:")||g.includes("requests per minute")||g.includes("token_blacklisted")||g.includes("blacklisted")||g.includes("invalid")||g.includes("401")||g.includes("unauthorized")||g.includes("session has been revoked")||g.includes("session expired"))return!1;if(g.includes("network")||g.includes("fetch")||g.includes("timeout"))return!0}return!1}function L(m){const g=[...S];S.length=0;for(const{resolve:_}of g)_(m)}function P(m){const g=[...S];S.length=0;for(const{reject:_}of g)_(m)}function x(m){return new Promise(g=>setTimeout(g,m))}async function z(m){try{if(t.onTokenRefreshFailed&&await Promise.resolve(t.onTokenRefreshFailed(m)),h&&(await n(),await e(),v&&typeof window<"u")){let g=!0;if(t.onBeforeRedirect&&(g=await Promise.resolve(t.onBeforeRedirect(m))),g){const _=new URL(E,window.location.origin);_.searchParams.set("reason","session_expired"),_.searchParams.set("redirect",window.location.pathname+window.location.search),window.location.href=_.toString()}}}catch(g){process.env.NODE_ENV==="development"&&console.error("[TokenRefreshManager] Error in handleRefreshFailure:",g)}}return{async refreshToken(){return i?d||(k=!0,d=y().then(m=>(k=!1,d=null,m)).catch(m=>{throw k=!1,d=null,P(m),z(m).catch(()=>{}),m}),d):null},isRefreshing(){return k},async waitForRefresh(){return d?new Promise((m,g)=>{S.push({resolve:m,reject:g})}):null},clear(){d=null,k=!1,A.length=0,p(),P(new Error("Token refresh manager cleared"))},async handleRefreshFailure(m){return z(m)}}}function Ie(){const r=process.env.NODE_ENV==="production";return{cookieName:"__mulguard_session",expiresIn:60*60*24*7,httpOnly:!0,secure:r,sameSite:"lax",path:"/"}}function Pe(){return{enabled:!0,refreshThreshold:300,maxRetries:0,retryDelay:1e3,rateLimit:1,autoSignOutOnFailure:!0,redirectToLogin:"/login",autoRedirectOnFailure:!0}}function _e(r){var T,D;const e={...Ie(),...r.session},n=r.actions,t=r.callbacks||{},i=((T=r.providers)==null?void 0:T.oauth)||{},f=process.env.NEXT_PUBLIC_URL||(process.env.VERCEL_URL?`https://${process.env.VERCEL_URL}`:"http://localhost:3000"),u={...Pe(),...r.tokenRefresh},a={...n};if(Object.keys(i).length>0&&!a.signIn.oauth&&(a.signIn.oauth=async o=>{const s=i[o];if(!s)throw new Error(`OAuth provider "${o}" is not configured. Add it to providers.oauth in config.`);if(!s.clientId)throw new Error(`OAuth provider "${o}" is missing clientId`);const c=Y();return{url:Q(o,s,f,c),state:c}}),Object.keys(i).length>0&&!a.oauthCallback&&(a.oauthCallback=async(o,s,c)=>{const p=i[o];if(!p)return{success:!1,error:`OAuth provider "${o}" is not configured`,errorCode:w.AuthErrorCode.VALIDATION_ERROR};try{const y=p.redirectUri||`${f}/api/auth/callback/${o}`,O=await Z(o,p,s,y),L=await ee(o,O.access_token);if(t.onOAuthUser){const P=await d(t.onOAuthUser,L,o);if(!P)return{success:!1,error:"Failed to create or retrieve user",errorCode:w.AuthErrorCode.VALIDATION_ERROR};const x={user:{id:P.id,email:P.email,name:P.name,avatar:L.avatar,emailVerified:L.emailVerified},expiresAt:new Date(Date.now()+7*24*60*60*1e3),accessToken:O.access_token,refreshToken:O.refresh_token,tokenType:"Bearer",expiresIn:O.expires_in};return await A(x),h={session:x,timestamp:Date.now()},t.onSignIn&&await d(t.onSignIn,x.user,x),{success:!0,user:x.user,session:x}}return{success:!1,error:"OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",errorCode:w.AuthErrorCode.VALIDATION_ERROR}}catch(y){return j.error("OAuth callback failed",{provider:o,error:y}),{success:!1,error:y instanceof Error?y.message:"OAuth callback failed",errorCode:w.AuthErrorCode.NETWORK_ERROR}}}),!a.signIn||!a.signIn.email)throw new Error("mulguard: signIn.email action is required");let h=null;const E=((D=r.session)==null?void 0:D.cacheTtl)??r.sessionCacheTtl??5e3,v=r.oauthStateStore||te(),d=async(o,...s)=>{if(o)try{return await o(...s)}catch(c){throw t.onError&&await t.onError(c instanceof Error?c:new Error(String(c)),"callback"),c}},k=async(o,s)=>{const c={provider:s,expiresAt:Date.now()+6e5};await Promise.resolve(v.set(o,c,10*60*1e3)),v.cleanup&&await Promise.resolve(v.cleanup())},S=async(o,s)=>{const c=await Promise.resolve(v.get(o));return c?c.expiresAt<Date.now()?(await Promise.resolve(v.delete(o)),!1):c.provider!==s?!1:(await Promise.resolve(v.delete(o)),!0):!1},A=async o=>{const s=e.cookieName||"__mulguard_session",c=typeof o=="object"&&"token"in o?String(o.token):JSON.stringify(o),p=w.buildCookieOptions(s,c,e);return await w.setCookie(p)},N=async o=>{if(!o.success||!o.session)return{success:!0};const s=await A(o.session);return h={session:o.session,timestamp:Date.now()},o.user&&t.onSignIn&&await d(t.onSignIn,o.user,o.session),s},C=async()=>{const o=e.cookieName||"__mulguard_session";await w.deleteCookie(o,{path:e.path,domain:e.domain})},b={async getSession(){const o=Date.now();if(h&&o-h.timestamp<E)return h.session;if(n.getSession)try{const s=await n.getSession();if(s&&R.validateSessionStructure(s))return h={session:s,timestamp:o},s;s&&!R.validateSessionStructure(s)&&(await C(),h=null)}catch(s){j.debug("getSession error",{error:s}),t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"getSession"),h=null}try{const s=e.cookieName||"__mulguard_session",c=await w.getCookie(s);if(c)try{const p=JSON.parse(c);if(R.validateSessionStructure(p))return p.expiresAt&&new Date(p.expiresAt)<new Date?(t.onSessionExpired&&await d(t.onSessionExpired,p),await C(),h=null,null):(h={session:p,timestamp:o},p);await C(),h=null}catch{await C(),h=null}}catch(s){const c=s instanceof Error?s.message:String(s);!c.includes("request scope")&&!c.includes("cookies")&&(j.warn("getSession cookie error",{error:s}),t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"getSession.cookie"))}return null},async getAccessToken(){const o=await this.getSession();return o!=null&&o.accessToken&&typeof o.accessToken=="string"?o.accessToken:null},async getRefreshToken(){const o=await this.getSession();return o!=null&&o.refreshToken&&typeof o.refreshToken=="string"?o.refreshToken:null},async hasValidTokens(){return!!await this.getAccessToken()},signIn:{async email(o){try{const s=await a.signIn.email(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signIn.email"),{success:!1,error:s instanceof Error?s.message:"Sign in failed"}}},async oauth(o){if(!a.signIn.oauth)throw new Error("OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config.");const s=await a.signIn.oauth(o);return await k(s.state,o),s},async passkey(o){if(!a.signIn.passkey)throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");try{const s=await a.signIn.passkey(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signIn.passkey"),{success:!1,error:s instanceof Error?s.message:"PassKey sign in failed"}}},async otp(o,s){if(!a.signIn.otp)throw new Error("OTP sign in is not configured. Provide otp action in signIn.");try{const c=await a.signIn.otp(o,s);return c.success&&c.session&&await N(c),c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"signIn.otp"),{success:!1,error:c instanceof Error?c.message:"OTP sign in failed"}}}},signInMethods:{email:o=>b.signIn.email(o),oauth:o=>{var s,c;return((c=(s=b.signIn).oauth)==null?void 0:c.call(s,o))||Promise.reject(new Error("OAuth not configured"))},passkey:o=>{var s,c;return((c=(s=b.signIn).passkey)==null?void 0:c.call(s,o))||Promise.reject(new Error("Passkey not configured"))},otp:(o,s)=>{var c,p;return((p=(c=b.signIn).otp)==null?void 0:p.call(c,o,s))||Promise.reject(new Error("OTP not configured"))}},async signUp(o){if(!a.signUp)throw new Error("Sign up is not configured. Provide signUp action in config.");try{const s=await a.signUp(o);return s.success&&s.session&&await N(s),s}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"signUp"),{success:!1,error:s instanceof Error?s.message:"Sign up failed"}}},async signOut(){try{const o=await this.getSession(),s=o==null?void 0:o.user;return n.signOut&&await n.signOut(),await C(),h=null,s&&t.onSignOut&&await d(t.onSignOut,s),{success:!0}}catch(o){return await C(),t.onError&&await d(t.onError,o instanceof Error?o:new Error(String(o)),"signOut"),{success:!1,error:o instanceof Error?o.message:"Sign out failed"}}},async resetPassword(o){if(!n.resetPassword)throw new Error("Password reset is not configured. Provide resetPassword action in config.");try{return await n.resetPassword(o)}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"resetPassword"),{success:!1,error:s instanceof Error?s.message:"Password reset failed"}}},async verifyEmail(o){if(!n.verifyEmail)throw new Error("Email verification is not configured. Provide verifyEmail action in config.");try{return await n.verifyEmail(o)}catch(s){return t.onError&&await d(t.onError,s instanceof Error?s:new Error(String(s)),"verifyEmail"),{success:!1,error:s instanceof Error?s.message:"Email verification failed"}}},async refreshSession(){if(!n.refreshSession)return this.getSession();try{const o=await n.refreshSession();if(o&&R.validateSessionStructure(o)){if(await A(o),h={session:o,timestamp:Date.now()},t.onSessionUpdate){const s=await d(t.onSessionUpdate,o);if(s&&R.validateSessionStructure(s)){if(await A(s),t.onTokenRefresh){const c=await this.getSession();c&&await d(t.onTokenRefresh,c,s)}return s}}if(t.onTokenRefresh){const s=await this.getSession();s&&await d(t.onTokenRefresh,s,o)}return o}else if(o&&!R.validateSessionStructure(o))return await C(),null;return null}catch(o){return await C(),t.onError&&await d(t.onError,o instanceof Error?o:new Error(String(o)),"refreshSession"),null}},async oauthCallback(o,s,c){if(!a.oauthCallback)throw new Error("OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config.");if(!o||!s||!c)return{success:!1,error:"Missing required OAuth parameters (provider, code, or state)",errorCode:w.AuthErrorCode.VALIDATION_ERROR};if(!await S(c,o))return{success:!1,error:"Invalid or expired state parameter",errorCode:w.AuthErrorCode.VALIDATION_ERROR};try{const y=await a.oauthCallback(o,s,c);if(y.success&&y.session){const O=await N(y);O.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after oauthCallback",{error:O.error,warning:O.warning}),t.onError&&await d(t.onError,new Error(O.warning||O.error||"Failed to save session cookie"),"oauthCallback.setSession"))}return y}catch(y){return t.onError&&await d(t.onError,y instanceof Error?y:new Error(String(y)),"oauthCallback"),{success:!1,error:y instanceof Error?y.message:"OAuth callback failed",errorCode:w.AuthErrorCode.NETWORK_ERROR}}},async verify2FA(o,s){if(!n.verify2FA)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const c=await n.verify2FA(o);if(c.success&&c.session&&!(s!=null&&s.skipCookieSave)){const p=await N(c);p.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after verify2FA",{error:p.error,warning:p.warning}),t.onError&&await d(t.onError,new Error(p.warning||p.error||"Failed to save session cookie"),"verify2FA.setSession"))}return c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"verify2FA"),{success:!1,error:c instanceof Error?c.message:"2FA verification failed",errorCode:w.AuthErrorCode.TWO_FA_REQUIRED}}},async setSession(o){return R.validateSessionStructure(o)?await A(o):{success:!1,error:"Invalid session structure"}},_getSessionConfig(){return{cookieName:e.cookieName||"__mulguard_session",config:e}},_getCallbacks(){return t},passkey:n.passkey?{register:n.passkey.register,authenticate:async o=>{var s;if(!((s=n.passkey)!=null&&s.authenticate))throw new Error("PassKey authenticate is not configured.");try{const c=await n.passkey.authenticate(o);return c.success&&c.session&&await N(c),c}catch(c){return t.onError&&await d(t.onError,c instanceof Error?c:new Error(String(c)),"passkey.authenticate"),{success:!1,error:c instanceof Error?c.message:"PassKey authentication failed"}}},list:n.passkey.list,remove:n.passkey.remove}:void 0,twoFactor:n.twoFactor?{enable:n.twoFactor.enable,verify:n.twoFactor.verify,disable:n.twoFactor.disable,generateBackupCodes:n.twoFactor.generateBackupCodes,isEnabled:n.twoFactor.isEnabled,verify2FA:async o=>{var c;const s=((c=n.twoFactor)==null?void 0:c.verify2FA)||n.verify2FA;if(!s)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const p=await s(o);if(p.success&&p.session){const y=await N(p);y.success||(process.env.NODE_ENV==="development"&&j.debug("Failed to save session cookie after twoFactor.verify2FA",{error:y.error,warning:y.warning}),t.onError&&await d(t.onError,new Error(y.warning||y.error||"Failed to save session cookie"),"twoFactor.verify2FA.setSession"))}return p}catch(p){return t.onError&&await d(t.onError,p instanceof Error?p:new Error(String(p)),"twoFactor.verify2FA"),{success:!1,error:p instanceof Error?p.message:"2FA verification failed",errorCode:w.AuthErrorCode.UNKNOWN_ERROR}}}}:void 0};if(n.refreshSession){const o=Te(async()=>await b.refreshSession(),async()=>await b.signOut(),async()=>{await C()},{...u,onTokenRefreshed:u.onTokenRefreshed,onTokenRefreshFailed:u.onTokenRefreshFailed,onBeforeRedirect:u.onBeforeRedirect});b._tokenRefreshManager=o,b._getTokenRefreshManager=()=>o}return b}function Ue(r){return{GET:async e=>W(e,r,"GET"),POST:async e=>W(e,r,"POST")}}async function W(r,e,n){const t=new URL(r.url),i=t.pathname.replace(/^\/api\/auth/,"")||"/session",f=i.split("/").filter(Boolean);try{if(n==="GET"){if(i==="/session"||i==="/"){const u=await e.getSession();return l.NextResponse.json({session:u})}if(i==="/providers")return l.NextResponse.json({providers:{email:!!e.signIn.email,oauth:!!e.signIn.oauth,passkey:!!e.signIn.passkey}});if(i.startsWith("/oauth/callback")||f[0]==="oauth"&&f[1]==="callback"){if(!e.oauthCallback)return l.NextResponse.redirect(new URL("/login?error=oauth_not_configured",r.url));const u=f[2]||t.searchParams.get("provider"),a=t.searchParams.get("code"),h=t.searchParams.get("state");if(!u||!a||!h)return l.NextResponse.redirect(new URL("/login?error=oauth_missing_params",r.url));try{const E=await e.oauthCallback(u,a,h);if(E.success){const v=t.searchParams.get("callbackUrl")||"/";return l.NextResponse.redirect(new URL(v,r.url))}else return l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(E.error||"oauth_failed")}`,r.url))}catch(E){return l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(E instanceof Error?E.message:"oauth_error")}`,r.url))}}return l.NextResponse.json({error:"Not found"},{status:404})}if(n==="POST"){const u=await r.json().catch(()=>({}));if(i==="/sign-in"||f[0]==="sign-in"){if(u.provider==="email"&&u.email&&u.password){const a=await e.signIn.email({email:u.email,password:u.password});return l.NextResponse.json(a)}if(u.provider==="oauth"&&u.providerName){if(!e.signIn.oauth)return l.NextResponse.json({success:!1,error:"OAuth is not configured"},{status:400});const a=await e.signIn.oauth(u.providerName);return l.NextResponse.json(a)}if(u.provider==="passkey"){if(!e.signIn.passkey)return l.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});const a=await e.signIn.passkey(u.options);return l.NextResponse.json(a)}return l.NextResponse.json({success:!1,error:"Invalid sign in request"},{status:400})}if(i==="/sign-up"||f[0]==="sign-up"){if(!e.signUp)return l.NextResponse.json({success:!1,error:"Sign up is not configured"},{status:400});const a=await e.signUp(u);return l.NextResponse.json(a)}if(i==="/sign-out"||f[0]==="sign-out"){const a=await e.signOut();return l.NextResponse.json(a)}if(i==="/reset-password"||f[0]==="reset-password"){if(!e.resetPassword)return l.NextResponse.json({success:!1,error:"Password reset is not configured"},{status:400});const a=await e.resetPassword(u.email);return l.NextResponse.json(a)}if(i==="/verify-email"||f[0]==="verify-email"){if(!e.verifyEmail)return l.NextResponse.json({success:!1,error:"Email verification is not configured"},{status:400});const a=await e.verifyEmail(u.token);return l.NextResponse.json(a)}if(i==="/refresh"||f[0]==="refresh"){if(!e.refreshSession){const h=await e.getSession();return l.NextResponse.json({session:h})}const a=await e.refreshSession();return l.NextResponse.json({session:a})}if(i.startsWith("/oauth/callback")||f[0]==="oauth"&&f[1]==="callback"){if(!e.oauthCallback)return l.NextResponse.json({success:!1,error:"OAuth callback is not configured"},{status:400});const a=u.provider||f[2]||t.searchParams.get("provider"),h=u.code||t.searchParams.get("code"),E=u.state||t.searchParams.get("state");if(!a||!h||!E)return l.NextResponse.json({success:!1,error:"Missing required OAuth parameters. Provider, code, and state are required."},{status:400});const v=await e.oauthCallback(a,h,E);return l.NextResponse.json(v)}if(i.startsWith("/passkey")){if(!e.passkey)return l.NextResponse.json({success:!1,error:"PassKey is not configured"},{status:400});if(f[1]==="register"&&e.passkey.register){const a=await e.passkey.register(u.options);return l.NextResponse.json(a)}if(f[1]==="list"&&e.passkey.list){const a=await e.passkey.list();return l.NextResponse.json(a)}if(f[1]==="remove"&&e.passkey.remove){const a=await e.passkey.remove(u.passkeyId);return l.NextResponse.json(a)}}if(i==="/verify-2fa"||f[0]==="verify-2fa"){if(!e.verify2FA)return l.NextResponse.json({success:!1,error:"2FA verification is not configured"},{status:400});if(!u.email||!u.userId||!u.code)return l.NextResponse.json({success:!1,error:"Missing required parameters. Email, userId, and code are required."},{status:400});const a=await e.verify2FA({email:u.email,userId:u.userId,code:u.code});return l.NextResponse.json(a)}if(i.startsWith("/two-factor")){if(!e.twoFactor)return l.NextResponse.json({success:!1,error:"Two-Factor Authentication is not configured"},{status:400});if(f[1]==="enable"&&e.twoFactor.enable){const a=await e.twoFactor.enable();return l.NextResponse.json(a)}if(f[1]==="verify"&&e.twoFactor.verify){const a=await e.twoFactor.verify(u.code);return l.NextResponse.json(a)}if(f[1]==="disable"&&e.twoFactor.disable){const a=await e.twoFactor.disable();return l.NextResponse.json(a)}if(f[1]==="backup-codes"&&e.twoFactor.generateBackupCodes){const a=await e.twoFactor.generateBackupCodes();return l.NextResponse.json(a)}if(f[1]==="is-enabled"&&e.twoFactor.isEnabled){const a=await e.twoFactor.isEnabled();return l.NextResponse.json({enabled:a})}}return l.NextResponse.json({error:"Not found"},{status:404})}return l.NextResponse.json({error:"Method not allowed"},{status:405})}catch(u){return l.NextResponse.json({success:!1,error:u instanceof Error?u.message:"Request failed"},{status:500})}}function Fe(r){return async e=>{const{method:n,nextUrl:t}=e,f=t.pathname.replace(/^\/api\/auth/,"")||"/";try{let u;if(n!=="GET"&&n!=="HEAD")try{u=await e.json()}catch{}const a=Object.fromEntries(t.searchParams.entries()),h=await fetch(`${process.env.NEXT_PUBLIC_API_URL||""}/api/auth${f}${Object.keys(a).length>0?`?${new URLSearchParams(a).toString()}`:""}`,{method:n,headers:{"Content-Type":"application/json",...Object.fromEntries(e.headers.entries())},body:u?JSON.stringify(u):void 0}),E=await h.json();return l.NextResponse.json(E,{status:h.status,headers:{...Object.fromEntries(h.headers.entries())}})}catch(u){return console.error("API handler error:",u),l.NextResponse.json({success:!1,error:u instanceof Error?u.message:"Internal server error"},{status:500})}}}function je(r){return async e=>{const{searchParams:n}=e.nextUrl,t=n.get("provider"),i=n.get("code"),f=n.get("state");if(!t||!i||!f)return l.NextResponse.redirect(new URL("/login?error=oauth_missing_params",e.url));try{if(!r.oauthCallback)return l.NextResponse.redirect(new URL("/login?error=oauth_not_configured",e.url));const u=await r.oauthCallback(t,i,f);if(u.success){const a=n.get("callbackUrl")||"/";return l.NextResponse.redirect(new URL(a,e.url))}else{const a=u.errorCode?`${encodeURIComponent(u.error||"oauth_failed")}&code=${u.errorCode}`:encodeURIComponent(u.error||"oauth_failed");return l.NextResponse.redirect(new URL(`/login?error=${a}`,e.url))}}catch(u){return process.env.NODE_ENV==="development"&&console.error("[Mulguard] OAuth callback error:",u),l.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(u instanceof Error?u.message:"oauth_error")}`,e.url))}}}function I(r,e){const n=$({"X-Frame-Options":"SAMEORIGIN"});for(const[t,i]of Object.entries(n))i&&typeof i=="string"&&e.headers.set(t,i);return e}function Le(){return async r=>{const e=l.NextResponse.next();return I(r,e)}}function De(r,e={}){const{protectedRoutes:n=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:f}=e;return async u=>{const{pathname:a}=u.nextUrl,h=n.some(d=>a.startsWith(d));let E=null;try{E=await r.getSession()}catch(d){console.error("Middleware: Failed to get session:",d)}if(h&&!E){const d=u.nextUrl.clone();return d.pathname=i,d.searchParams.set("callbackUrl",a),l.NextResponse.redirect(d)}if(f&&E&&(a.startsWith("/login")||a.startsWith("/register"))){const k=u.nextUrl.clone();k.pathname=f;const S=l.NextResponse.redirect(k);return I(u,S)}const v=l.NextResponse.next();return I(u,v)}}async function Me(r,e){var n;try{const t=await r.getSession();return t?((n=t.user.roles)==null?void 0:n.includes(e))??!1:!1}catch{return!1}}function $e(r){const{auth:e,protectedRoutes:n=[],publicRoutes:t=[],redirectTo:i="/login",redirectIfAuthenticated:f,apiPrefix:u="/api/auth"}=r;return async a=>{const{pathname:h}=a.nextUrl;if(h.startsWith(u)){const k=l.NextResponse.next();return I(a,k)}const E=n.some(k=>h.startsWith(k));let v=null;if(E||f)try{v=await e.getSession()}catch(k){console.error("Middleware: Failed to get session:",k)}if(E&&!v){const k=a.nextUrl.clone();k.pathname=i,k.searchParams.set("callbackUrl",h);const S=l.NextResponse.redirect(k);return I(a,S)}if(f&&v&&(h.startsWith("/login")||h.startsWith("/register"))){const S=a.nextUrl.clone();S.pathname=f;const A=l.NextResponse.redirect(S);return I(a,A)}const d=l.NextResponse.next();return I(a,d)}}async function Ve(r,e){var n;try{const t=await r.getSession();return t?((n=t.user.roles)==null?void 0:n.includes(e))??!1:!1}catch{return!1}}exports.buildCookieOptions=w.buildCookieOptions;exports.deleteCookie=w.deleteCookie;exports.getCookie=w.getCookie;exports.setCookie=w.setCookie;exports.signInEmailAction=w.signInEmailAction;exports.signOutAction=w.signOutAction;exports.signUpAction=w.signUpAction;exports.verify2FAAction=w.verify2FAAction;exports.signIn=oe.signIn;exports.createServerAuthMiddleware=R.createAuthMiddleware;exports.createServerHelpers=R.createServerHelpers;exports.createServerUtils=R.createServerUtils;exports.createSessionManager=R.createSessionManager;exports.deleteOAuthStateCookie=R.deleteOAuthStateCookie;exports.getCurrentUser=R.getCurrentUser;exports.getOAuthStateCookie=R.getOAuthStateCookie;exports.getServerSession=R.getServerSession;exports.getSessionTimeUntilExpiry=R.getSessionTimeUntilExpiry;exports.isSessionExpiredNullable=R.isSessionExpiredNullable;exports.isSessionExpiringSoon=R.isSessionExpiringSoon;exports.isSessionValid=R.isSessionValid;exports.refreshSession=R.refreshSession;exports.requireAuth=R.requireAuth;exports.requireRole=R.requireRole;exports.requireServerAuthMiddleware=R.requireAuthMiddleware;exports.requireServerRoleMiddleware=R.requireRoleMiddleware;exports.storeOAuthStateCookie=R.storeOAuthStateCookie;exports.validateSessionStructure=R.validateSessionStructure;exports.CSRFProtection=K;exports.DEFAULT_SECURITY_HEADERS=q;exports.MemoryCSRFStore=B;exports.MemoryOAuthStateStore=re;exports.RateLimiter=H;exports.applySecurityHeaders=ce;exports.buildOAuthAuthorizationUrl=Q;exports.checkRole=Me;exports.checkRoleProxy=Ve;exports.containsXSSPattern=Ee;exports.createApiHandler=Fe;exports.createAuthMiddleware=De;exports.createCSRFProtection=pe;exports.createMemoryOAuthStateStore=te;exports.createOAuthCallbackHandler=je;exports.createProxyMiddleware=$e;exports.createRateLimiter=ae;exports.createSecurityMiddleware=Le;exports.escapeHTML=X;exports.exchangeOAuthCode=Z;exports.generateCSRFToken=Y;exports.generateToken=V;exports.getErrorCode=Se;exports.getErrorMessage=ve;exports.getOAuthUserInfo=ee;exports.getProviderMetadata=M;exports.getSecurityHeaders=$;exports.getUserFriendlyError=Oe;exports.hasErrorCode=Ce;exports.isAuthError=J;exports.isAuthSuccess=Ae;exports.isRetryableError=be;exports.isTwoFactorRequired=ke;exports.isValidEmail=Re;exports.mulguard=_e;exports.sanitizeHTML=we;exports.sanitizeInput=ye;exports.sanitizeUserInput=me;exports.toNextJsHandler=Ue;exports.validateAndSanitizeEmail=ue;exports.validateAndSanitizeInput=ge;exports.validateAndSanitizeName=fe;exports.validateAndSanitizePassword=le;exports.validateCSRFToken=G;exports.validateToken=he;exports.validateURL=de;exports.withSecurityHeaders=I;