npm - mulguard - Versions diffs - 1.0.1 - Mend

mulguard 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/README.md +368 -0
package/dist/actions-CExpv_dD.js +1 -0
package/dist/actions-DeCfLtHA.mjs +184 -0
package/dist/client/hooks.d.ts +122 -0
package/dist/client/index.d.ts +5 -0
package/dist/client/index.js +1 -0
package/dist/client/index.mjs +476 -0
package/dist/client/provider.d.ts +25 -0
package/dist/client/server-actions-helper.d.ts +22 -0
package/dist/components/AccountPicker.d.ts +11 -0
package/dist/components/OAuthButton.d.ts +11 -0
package/dist/components/PassKeyButton.d.ts +11 -0
package/dist/components/PassKeyRegister.d.ts +10 -0
package/dist/components/TwoFactorSetup.d.ts +8 -0
package/dist/components/TwoFactorVerify.d.ts +9 -0
package/dist/core/account-picker/encryption.d.ts +22 -0
package/dist/core/account-picker/index.d.ts +22 -0
package/dist/core/auth/index.d.ts +40 -0
package/dist/core/auth/oauth-providers.d.ts +69 -0
package/dist/core/auth/oauth-state-store.d.ts +44 -0
package/dist/core/auth/oauth.d.ts +20 -0
package/dist/core/auth/passkey.d.ts +35 -0
package/dist/core/auth/password.d.ts +22 -0
package/dist/core/auth/signin-unified.d.ts +33 -0
package/dist/core/auth/two-factor.d.ts +28 -0
package/dist/core/client/index.d.ts +132 -0
package/dist/core/client/token-refresh-manager.d.ts +48 -0
package/dist/core/index.d.ts +10 -0
package/dist/core/security/csrf.d.ts +46 -0
package/dist/core/security/headers.d.ts +24 -0
package/dist/core/security/index.d.ts +28 -0
package/dist/core/security/rate-limit.d.ts +39 -0
package/dist/core/security/validation.d.ts +53 -0
package/dist/core/security/xss.d.ts +20 -0
package/dist/core/session/index.d.ts +35 -0
package/dist/core/types/auth.d.ts +131 -0
package/dist/core/types/errors.d.ts +44 -0
package/dist/core/types/index.d.ts +369 -0
package/dist/core/utils/auth-helpers.d.ts +136 -0
package/dist/core/utils/logger.d.ts +17 -0
package/dist/handlers/api.d.ts +10 -0
package/dist/handlers/route.d.ts +22 -0
package/dist/index/index.js +1 -0
package/dist/index/index.mjs +1633 -0
package/dist/index.d.ts +21 -0
package/dist/middleware/index.d.ts +28 -0
package/dist/middleware/proxy.d.ts +53 -0
package/dist/middleware/security.d.ts +9 -0
package/dist/mulguard.d.ts +263 -0
package/dist/oauth-state-CzIWQq3s.js +1 -0
package/dist/oauth-state-LE-qeq-K.mjs +282 -0
package/dist/server/actions.d.ts +86 -0
package/dist/server/auth.d.ts +65 -0
package/dist/server/cookies.d.ts +42 -0
package/dist/server/helpers.d.ts +10 -0
package/dist/server/index.d.ts +14 -0
package/dist/server/index.js +1 -0
package/dist/server/index.mjs +31 -0
package/dist/server/middleware.d.ts +39 -0
package/dist/server/oauth-state.d.ts +24 -0
package/dist/server/session-helpers.d.ts +26 -0
package/dist/server/session.d.ts +28 -0
package/dist/server/utils.d.ts +10 -0
package/dist/signin-unified-BS2gxaG1.mjs +30 -0
package/dist/signin-unified-Cw41EFkc.js +1 -0
package/package.json +73 -0

package/dist/index/index.mjs ADDED Viewed

@@ -0,0 +1,1633 @@
+var B = Object.defineProperty;
+var H = (r, e, n) => e in r ? B(r, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : r[e] = n;
+var C = (r, e, n) => H(r, typeof e != "symbol" ? e + "" : e, n);
+import { A as E, e as q, c as K, g as X, d as Y } from "../actions-DeCfLtHA.mjs";
+import { a as Je, s as Qe, b as Ze, v as er } from "../actions-DeCfLtHA.mjs";
+import { s as tr } from "../signin-unified-BS2gxaG1.mjs";
+import { v as F } from "../oauth-state-LE-qeq-K.mjs";
+import { c as nr, p as or, k as ir, n as ar, m as cr, j as lr, l as ur, e as fr, g as dr, b as hr, i as gr, a as wr, o as pr, f as mr, h as yr, r as Er, d as kr, s as vr } from "../oauth-state-LE-qeq-K.mjs";
+import { NextResponse as u } from "next/server";
+const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+function G(r = 32) {
+  if (x && typeof x.getRandomValues == "function")
+    return x.getRandomValues(new Uint8Array(r));
+  if (x && typeof x.randomBytes == "function")
+    return Uint8Array.from(x.randomBytes(r));
+  throw new Error("crypto.getRandomValues must be defined");
+}
+class J {
+  constructor(e) {
+    C(this, "attempts", /* @__PURE__ */ new Map());
+    C(this, "config");
+    this.config = e;
+  }
+  /**
+   * Check if request is allowed
+   */
+  check(e) {
+    const n = Date.now(), t = this.attempts.get(e);
+    return !t || t.resetAt < n ? (this.attempts.set(e, {
+      count: 1,
+      resetAt: n + this.config.windowMs
+    }), {
+      allowed: !0,
+      remaining: this.config.maxAttempts - 1,
+      resetAt: new Date(n + this.config.windowMs)
+    }) : t.count >= this.config.maxAttempts ? {
+      allowed: !1,
+      remaining: 0,
+      resetAt: new Date(t.resetAt)
+    } : (t.count++, {
+      allowed: !0,
+      remaining: this.config.maxAttempts - t.count,
+      resetAt: new Date(t.resetAt)
+    });
+  }
+  /**
+   * Reset rate limit for a key
+   */
+  reset(e) {
+    this.attempts.delete(e);
+  }
+  /**
+   * Clear all rate limits
+   */
+  clear() {
+    this.attempts.clear();
+  }
+}
+function Ee(r) {
+  return new J(r);
+}
+const Q = {
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "X-XSS-Protection": "1; mode=block",
+  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
+};
+function z(r) {
+  return {
+    ...Q,
+    ...r
+  };
+}
+function ke(r, e) {
+  const n = z(e);
+  for (const [t, i] of Object.entries(n))
+    i && r.set(t, i);
+}
+function ve(r) {
+  if (!r || typeof r != "string")
+    return { valid: !1, error: "Email is required" };
+  const e = r.trim().toLowerCase();
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e) ? e.length > 254 ? { valid: !1, error: "Email is too long" } : e.includes("..") || e.startsWith(".") || e.endsWith(".") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid email format" };
+}
+function Re(r, e = 8) {
+  if (!r || typeof r != "string")
+    return { valid: !1, error: "Password is required" };
+  if (r.length < e)
+    return { valid: !1, error: `Password must be at least ${e} characters` };
+  if (r.length > 128)
+    return { valid: !1, error: "Password is too long" };
+  if ([
+    "password",
+    "12345678",
+    "qwerty",
+    "abc123",
+    "password123",
+    "123456789",
+    "1234567890",
+    "letmein",
+    "welcome",
+    "monkey",
+    "dragon",
+    "master",
+    "sunshine",
+    "princess",
+    "football"
+  ].includes(r.toLowerCase()))
+    return { valid: !1, error: "Password is too common" };
+  if (/(.)\1{3,}/.test(r))
+    return { valid: !1, error: "Password contains too many repeated characters" };
+  if (/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))
+    return { valid: !1, error: "Password contains sequential characters" };
+  let t = "weak", i = 0;
+  return r.length >= 12 ? i += 2 : r.length >= 8 && (i += 1), /[a-z]/.test(r) && (i += 1), /[A-Z]/.test(r) && (i += 1), /[0-9]/.test(r) && (i += 1), /[^a-zA-Z0-9]/.test(r) && (i += 1), i >= 5 ? t = "strong" : i >= 3 && (t = "medium"), { valid: !0, strength: t };
+}
+function Se(r) {
+  if (!r || typeof r != "string")
+    return { valid: !1, error: "Name is required" };
+  const e = r.trim();
+  return e.length < 1 ? { valid: !1, error: "Name cannot be empty" } : e.length > 100 ? { valid: !1, error: "Name is too long" } : { valid: !0, sanitized: e.replace(/[<>\"']/g, "") };
+}
+function Ae(r) {
+  if (!r || typeof r != "string")
+    return { valid: !1, error: "URL is required" };
+  try {
+    const e = new URL(r);
+    return ["http:", "https:"].includes(e.protocol) ? { valid: !0 } : { valid: !1, error: "URL must use http or https protocol" };
+  } catch {
+    return { valid: !1, error: "Invalid URL format" };
+  }
+}
+function be(r, e = 16) {
+  return !r || typeof r != "string" ? { valid: !1, error: "Token is required" } : r.length < e ? { valid: !1, error: "Token is too short" } : r.length > 512 ? { valid: !1, error: "Token is too long" } : /^[A-Za-z0-9_-]+$/.test(r) ? /(.)\1{10,}/.test(r) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0 } : { valid: !1, error: "Invalid token format" };
+}
+function Oe(r, e) {
+  const { maxLength: n = 1e3, allowHtml: t = !1, required: i = !0 } = e || {};
+  if (i && (!r || typeof r != "string" || r.trim().length === 0))
+    return { valid: !1, error: "Input is required" };
+  if (!r || typeof r != "string")
+    return { valid: !0, sanitized: "" };
+  let f = r.trim();
+  return f.length > n ? { valid: !1, error: `Input must be less than ${n} characters` } : (t || (f = f.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), f = f.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: f });
+}
+class Z {
+  constructor() {
+    C(this, "tokens", /* @__PURE__ */ new Map());
+  }
+  get(e) {
+    const n = this.tokens.get(e);
+    return n ? n.expiresAt < Date.now() ? (this.delete(e), null) : n.value : null;
+  }
+  set(e, n, t = 36e5) {
+    this.tokens.set(e, {
+      value: n,
+      expiresAt: Date.now() + t
+    });
+  }
+  delete(e) {
+    this.tokens.delete(e);
+  }
+  clear() {
+    this.tokens.clear();
+  }
+}
+class ee {
+  constructor(e, n = 32) {
+    C(this, "store");
+    C(this, "tokenLength");
+    this.store = e || new Z(), this.tokenLength = n;
+  }
+  /**
+   * Generate CSRF token
+   */
+  generateToken(e, n) {
+    const t = W(this.tokenLength);
+    return this.store.set(e, t, n), t;
+  }
+  /**
+   * Validate CSRF token
+   */
+  validateToken(e, n) {
+    const t = this.store.get(e);
+    if (!t)
+      return !1;
+    const i = se(n, t);
+    return i && this.store.delete(e), i;
+  }
+  /**
+   * Get stored token without validating
+   */
+  getToken(e) {
+    return this.store.get(e);
+  }
+  /**
+   * Delete token
+   */
+  deleteToken(e) {
+    this.store.delete(e);
+  }
+}
+function _e(r) {
+  return new ee(r);
+}
+function re(r) {
+  if (typeof r != "string")
+    return "";
+  const e = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#039;"
+  };
+  return r.replace(/[&<>"']/g, (n) => e[n] || n);
+}
+function Ie(r) {
+  return typeof r != "string" ? "" : r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
+}
+function Te(r) {
+  return typeof r != "string" ? "" : re(r.trim());
+}
+function Pe(r) {
+  return typeof r != "string" ? !1 : [
+    /<script/i,
+    /javascript:/i,
+    /on\w+\s*=/i,
+    /<iframe/i,
+    /<object/i,
+    /<embed/i,
+    /<link/i,
+    /<meta/i,
+    /expression\s*\(/i,
+    /vbscript:/i
+  ].some((n) => n.test(r));
+}
+function W(r = 32) {
+  const e = G(r);
+  return Buffer.from(e).toString("base64url");
+}
+function te() {
+  return W(32);
+}
+function se(r, e) {
+  if (!r || !e || r.length !== e.length)
+    return !1;
+  let n = 0;
+  for (let t = 0; t < r.length; t++)
+    n |= r.charCodeAt(t) ^ e.charCodeAt(t);
+  return n === 0;
+}
+function Ue(r) {
+  return r.trim().replace(/[<>]/g, "");
+}
+function Ce(r) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);
+}
+function ne(r) {
+  return !r.success && !!r.error;
+}
+function Fe(r) {
+  return r.requires2FA === !0 || r.errorCode === E.TWO_FA_REQUIRED;
+}
+function Ne(r, e) {
+  return r.error ? r.error : e || "Authentication failed";
+}
+function xe(r) {
+  return r.errorCode;
+}
+function je(r) {
+  return r.success === !0 && !!r.user;
+}
+function De(r, e) {
+  return r.errorCode === e;
+}
+function Le(r) {
+  if (!ne(r)) return !1;
+  const e = [
+    E.NETWORK_ERROR,
+    E.RATE_LIMITED,
+    E.UNKNOWN_ERROR
+  ];
+  return r.errorCode ? e.includes(r.errorCode) : !1;
+}
+function $e(r) {
+  if (r.error) return r.error;
+  switch (r.errorCode) {
+    case E.INVALID_CREDENTIALS:
+      return "Invalid email or password. Please try again.";
+    case E.ACCOUNT_LOCKED:
+      return "Your account has been temporarily locked. Please try again later.";
+    case E.ACCOUNT_INACTIVE:
+      return "Your account is inactive. Please contact support.";
+    case E.TWO_FA_REQUIRED:
+      return "Two-factor authentication is required. Please enter your code.";
+    case E.INVALID_TWO_FA_CODE:
+      return "Invalid two-factor authentication code. Please try again.";
+    case E.SESSION_EXPIRED:
+      return "Your session has expired. Please sign in again.";
+    case E.UNAUTHORIZED:
+      return "You are not authorized to perform this action.";
+    case E.NETWORK_ERROR:
+      return "Network error. Please check your connection and try again.";
+    case E.VALIDATION_ERROR:
+      return "Please check your input and try again.";
+    case E.RATE_LIMITED:
+      return "Too many attempts. Please try again later.";
+    case E.UNKNOWN_ERROR:
+    default:
+      return "An unexpected error occurred. Please try again.";
+  }
+}
+const oe = {
+  google: {
+    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+    defaultScopes: ["openid", "profile", "email"]
+  },
+  github: {
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    userInfoUrl: "https://api.github.com/user",
+    defaultScopes: ["user:email"]
+  },
+  apple: {
+    authorizationUrl: "https://appleid.apple.com/auth/authorize",
+    tokenUrl: "https://appleid.apple.com/auth/token",
+    userInfoUrl: "https://appleid.apple.com/auth/userinfo",
+    defaultScopes: ["name", "email"],
+    defaultParams: {
+      response_mode: "form_post",
+      response_type: "code id_token"
+    }
+  },
+  facebook: {
+    authorizationUrl: "https://www.facebook.com/v18.0/dialog/oauth",
+    tokenUrl: "https://graph.facebook.com/v18.0/oauth/access_token",
+    userInfoUrl: "https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",
+    defaultScopes: ["email", "public_profile"]
+  }
+};
+function $(r) {
+  return oe[r] || null;
+}
+function ie(r, e, n, t) {
+  const i = $(r);
+  if (!i)
+    throw new Error(`Unknown OAuth provider: ${r}`);
+  const f = e.redirectUri || `${n}/api/auth/callback/${r}`, l = e.scopes || i.defaultScopes, a = new URLSearchParams({
+    client_id: e.clientId,
+    redirect_uri: f,
+    response_type: "code",
+    scope: l.join(" "),
+    state: t,
+    ...i.defaultParams,
+    ...e.params
+  });
+  return `${i.authorizationUrl}?${a.toString()}`;
+}
+async function ae(r, e, n, t) {
+  const i = $(r);
+  if (!i)
+    throw new Error(`Unknown OAuth provider: ${r}`);
+  const f = new URLSearchParams({
+    client_id: e.clientId,
+    code: n,
+    redirect_uri: t,
+    grant_type: "authorization_code"
+  });
+  e.clientSecret && f.append("client_secret", e.clientSecret);
+  const l = await fetch(i.tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: f.toString()
+  });
+  if (!l.ok) {
+    const a = await l.text();
+    throw new Error(`Failed to exchange code for tokens: ${a}`);
+  }
+  return await l.json();
+}
+async function ce(r, e) {
+  var f, l, a, h;
+  const n = $(r);
+  if (!n)
+    throw new Error(`Unknown OAuth provider: ${r}`);
+  const t = await fetch(n.userInfoUrl, {
+    headers: {
+      Authorization: `Bearer ${e}`,
+      Accept: "application/json"
+    }
+  });
+  if (!t.ok) {
+    const m = await t.text();
+    throw new Error(`Failed to fetch user info: ${m}`);
+  }
+  const i = await t.json();
+  switch (r) {
+    case "google":
+      return {
+        id: i.sub || i.id,
+        email: i.email,
+        name: i.name,
+        avatar: i.picture,
+        emailVerified: i.email_verified
+      };
+    case "github":
+      let m = i.email;
+      if (!m) {
+        const d = await (await fetch("https://api.github.com/user/emails", {
+          headers: { Authorization: `Bearer ${e}` }
+        })).json();
+        m = ((f = d.find((k) => k.primary)) == null ? void 0 : f.email) || ((l = d[0]) == null ? void 0 : l.email) || `${i.login}@users.noreply.github.com`;
+      }
+      return {
+        id: String(i.id),
+        email: m,
+        name: i.name || i.login,
+        avatar: i.avatar_url,
+        emailVerified: !!m
+      };
+    case "apple":
+      return {
+        id: i.sub,
+        email: i.email,
+        name: i.name ? `${i.name.firstName} ${i.name.lastName}` : "",
+        emailVerified: i.email_verified
+      };
+    case "facebook":
+      return {
+        id: i.id,
+        email: i.email,
+        name: i.name,
+        avatar: (h = (a = i.picture) == null ? void 0 : a.data) == null ? void 0 : h.url,
+        emailVerified: !0
+      };
+    default:
+      return {
+        id: String(i.id || i.sub),
+        email: i.email,
+        name: i.name || i.display_name || i.username,
+        avatar: i.avatar || i.picture || i.avatar_url,
+        emailVerified: i.email_verified || i.emailVerified || !1
+      };
+  }
+}
+class le {
+  constructor() {
+    C(this, "states", /* @__PURE__ */ new Map());
+  }
+  set(e, n, t) {
+    this.states.set(e, n), this.cleanup();
+  }
+  get(e) {
+    const n = this.states.get(e);
+    return n ? n.expiresAt < Date.now() ? (this.delete(e), null) : n : null;
+  }
+  delete(e) {
+    this.states.delete(e);
+  }
+  cleanup() {
+    const e = Date.now();
+    for (const [n, t] of this.states.entries())
+      t.expiresAt < e && this.states.delete(n);
+  }
+}
+function ue() {
+  return new le();
+}
+function fe(r = process.env.NODE_ENV === "development") {
+  const e = "[Mulguard]";
+  return {
+    debug: r ? (n, t) => {
+      t !== void 0 ? console.debug(`${e} ${n}`, t) : console.debug(`${e} ${n}`);
+    } : () => {
+    },
+    info: r ? (n, t) => {
+      t !== void 0 ? console.info(`${e} ${n}`, t) : console.info(`${e} ${n}`);
+    } : () => {
+    },
+    warn: r ? (n, t) => {
+      t !== void 0 ? console.warn(`${e} ${n}`, t) : console.warn(`${e} ${n}`);
+    } : () => {
+    },
+    error: r ? (n, t) => {
+      t !== void 0 ? console.error(`${e} ${n}`, t) : console.error(`${e} ${n}`);
+    } : () => {
+    }
+  };
+}
+const j = fe();
+function de(r, e, n, t = {}) {
+  const {
+    enabled: i = !0,
+    maxRetries: f = 1,
+    retryDelay: l = 1e3,
+    rateLimit: a = 3,
+    autoSignOutOnFailure: h = !0,
+    redirectToLogin: m = "/login",
+    autoRedirectOnFailure: v = !0
+  } = t;
+  let d = null, k = !1;
+  const R = [], S = [], _ = 60 * 1e3;
+  let A = 0, b = !1, T = null;
+  const L = 2, o = 60 * 1e3;
+  function s() {
+    const p = Date.now();
+    if (b && T) {
+      if (p < T)
+        return !1;
+      b = !1, T = null, A = 0;
+    }
+    for (; S.length > 0; ) {
+      const g = S[0];
+      if (g !== void 0 && g < p - _)
+        S.shift();
+      else
+        break;
+    }
+    return S.length >= a ? !1 : (S.push(p), !0);
+  }
+  function c() {
+    A++, A >= L && (b = !0, T = Date.now() + o, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
+  }
+  function w() {
+    A = 0, b = !1, T = null;
+  }
+  async function y(p = 1) {
+    if (!i)
+      return null;
+    if (!s())
+      throw new Error("Rate limit exceeded for token refresh");
+    try {
+      const g = await r();
+      if (g)
+        return w(), D(g), t.onTokenRefreshed && await Promise.resolve(t.onTokenRefreshed(g)), g;
+      if (c(), p < f)
+        return await I(l * p), y(p + 1);
+      throw new Error("Token refresh failed: refresh function returned null");
+    } catch (g) {
+      if (c(), p < f && O(g))
+        return await I(l * p), y(p + 1);
+      throw g;
+    }
+  }
+  function O(p) {
+    if (p instanceof Error) {
+      const g = p.message.toLowerCase();
+      if (g.includes("rate limit") || g.includes("too many requests") || g.includes("429") || g.includes("limit:") || g.includes("requests per minute") || g.includes("token_blacklisted") || g.includes("blacklisted") || g.includes("invalid") || g.includes("401") || g.includes("unauthorized") || g.includes("session has been revoked") || g.includes("session expired"))
+        return !1;
+      if (g.includes("network") || g.includes("fetch") || g.includes("timeout"))
+        return !0;
+    }
+    return !1;
+  }
+  function D(p) {
+    const g = [...R];
+    R.length = 0;
+    for (const { resolve: U } of g)
+      U(p);
+  }
+  function P(p) {
+    const g = [...R];
+    R.length = 0;
+    for (const { reject: U } of g)
+      U(p);
+  }
+  function I(p) {
+    return new Promise((g) => setTimeout(g, p));
+  }
+  async function M(p) {
+    try {
+      if (t.onTokenRefreshFailed && await Promise.resolve(t.onTokenRefreshFailed(p)), h && (await n(), await e(), v && typeof window < "u")) {
+        let g = !0;
+        if (t.onBeforeRedirect && (g = await Promise.resolve(t.onBeforeRedirect(p))), g) {
+          const U = new URL(m, window.location.origin);
+          U.searchParams.set("reason", "session_expired"), U.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = U.toString();
+        }
+      }
+    } catch (g) {
+      process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", g);
+    }
+  }
+  return {
+    /**
+     * Refresh token with single refresh queue
+     */
+    async refreshToken() {
+      return i ? d || (k = !0, d = y().then((p) => (k = !1, d = null, p)).catch((p) => {
+        throw k = !1, d = null, P(p), M(p).catch(() => {
+        }), p;
+      }), d) : null;
+    },
+    /**
+     * Check if refresh is in progress
+     */
+    isRefreshing() {
+      return k;
+    },
+    /**
+     * Wait for current refresh to complete
+     */
+    async waitForRefresh() {
+      return d ? new Promise((p, g) => {
+        R.push({ resolve: p, reject: g });
+      }) : null;
+    },
+    /**
+     * Clear state
+     */
+    clear() {
+      d = null, k = !1, S.length = 0, w(), P(new Error("Token refresh manager cleared"));
+    },
+    /**
+     * Handle token refresh failure
+     */
+    async handleRefreshFailure(p) {
+      return M(p);
+    }
+  };
+}
+function he() {
+  const r = process.env.NODE_ENV === "production";
+  return {
+    cookieName: "__mulguard_session",
+    expiresIn: 60 * 60 * 24 * 7,
+    // 7 days
+    httpOnly: !0,
+    secure: r,
+    // HTTPS only in production
+    sameSite: "lax",
+    path: "/"
+  };
+}
+function ge() {
+  return {
+    enabled: !0,
+    refreshThreshold: 300,
+    // 5 minutes before expiration
+    maxRetries: 0,
+    // No retries for blacklisted tokens
+    retryDelay: 1e3,
+    rateLimit: 1,
+    // 1 attempt per minute to prevent loops
+    autoSignOutOnFailure: !0,
+    redirectToLogin: "/login",
+    autoRedirectOnFailure: !0
+  };
+}
+function Me(r) {
+  var T, L;
+  const e = {
+    ...he(),
+    ...r.session
+  }, n = r.actions, t = r.callbacks || {}, i = ((T = r.providers) == null ? void 0 : T.oauth) || {}, f = process.env.NEXT_PUBLIC_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000"), l = {
+    ...ge(),
+    ...r.tokenRefresh
+  }, a = { ...n };
+  if (Object.keys(i).length > 0 && !a.signIn.oauth && (a.signIn.oauth = async (o) => {
+    const s = i[o];
+    if (!s)
+      throw new Error(`OAuth provider "${o}" is not configured. Add it to providers.oauth in config.`);
+    if (!s.clientId)
+      throw new Error(`OAuth provider "${o}" is missing clientId`);
+    const c = te();
+    return { url: ie(o, s, f, c), state: c };
+  }), Object.keys(i).length > 0 && !a.oauthCallback && (a.oauthCallback = async (o, s, c) => {
+    const w = i[o];
+    if (!w)
+      return {
+        success: !1,
+        error: `OAuth provider "${o}" is not configured`,
+        errorCode: E.VALIDATION_ERROR
+      };
+    try {
+      const y = w.redirectUri || `${f}/api/auth/callback/${o}`, O = await ae(o, w, s, y), D = await ce(o, O.access_token);
+      if (t.onOAuthUser) {
+        const P = await d(t.onOAuthUser, D, o);
+        if (!P)
+          return {
+            success: !1,
+            error: "Failed to create or retrieve user",
+            errorCode: E.VALIDATION_ERROR
+          };
+        const I = {
+          user: {
+            id: P.id,
+            email: P.email,
+            name: P.name,
+            avatar: D.avatar,
+            emailVerified: D.emailVerified
+          },
+          expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3),
+          accessToken: O.access_token,
+          refreshToken: O.refresh_token,
+          tokenType: "Bearer",
+          expiresIn: O.expires_in
+        };
+        return await S(I), h = { session: I, timestamp: Date.now() }, t.onSignIn && await d(t.onSignIn, I.user, I), { success: !0, user: I.user, session: I };
+      }
+      return {
+        success: !1,
+        error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
+        errorCode: E.VALIDATION_ERROR
+      };
+    } catch (y) {
+      return j.error("OAuth callback failed", { provider: o, error: y }), {
+        success: !1,
+        error: y instanceof Error ? y.message : "OAuth callback failed",
+        errorCode: E.NETWORK_ERROR
+      };
+    }
+  }), !a.signIn || !a.signIn.email)
+    throw new Error("mulguard: signIn.email action is required");
+  let h = null;
+  const m = ((L = r.session) == null ? void 0 : L.cacheTtl) ?? r.sessionCacheTtl ?? 5e3, v = r.oauthStateStore || ue(), d = async (o, ...s) => {
+    if (o)
+      try {
+        return await o(...s);
+      } catch (c) {
+        throw t.onError && await t.onError(c instanceof Error ? c : new Error(String(c)), "callback"), c;
+      }
+  }, k = async (o, s) => {
+    const c = {
+      provider: s,
+      expiresAt: Date.now() + 6e5
+      // 10 minutes
+    };
+    await Promise.resolve(v.set(o, c, 10 * 60 * 1e3)), v.cleanup && await Promise.resolve(v.cleanup());
+  }, R = async (o, s) => {
+    const c = await Promise.resolve(v.get(o));
+    return c ? c.expiresAt < Date.now() ? (await Promise.resolve(v.delete(o)), !1) : c.provider !== s ? !1 : (await Promise.resolve(v.delete(o)), !0) : !1;
+  }, S = async (o) => {
+    const s = e.cookieName || "__mulguard_session", c = typeof o == "object" && "token" in o ? String(o.token) : JSON.stringify(o), w = q(s, c, e);
+    return await K(w);
+  }, _ = async (o) => {
+    if (!o.success || !o.session)
+      return { success: !0 };
+    const s = await S(o.session);
+    return h = { session: o.session, timestamp: Date.now() }, o.user && t.onSignIn && await d(t.onSignIn, o.user, o.session), s;
+  }, A = async () => {
+    const o = e.cookieName || "__mulguard_session";
+    await Y(o, {
+      path: e.path,
+      domain: e.domain
+    });
+  }, b = {
+    /**
+     * Get current session
+     * Uses custom getSession action if provided, otherwise falls back to reading from cookie
+     * ✅ IMPROVEMENT: Added session caching for better performance
+     */
+    async getSession() {
+      const o = Date.now();
+      if (h && o - h.timestamp < m)
+        return h.session;
+      if (n.getSession)
+        try {
+          const s = await n.getSession();
+          if (s && F(s))
+            return h = { session: s, timestamp: o }, s;
+          s && !F(s) && (await A(), h = null);
+        } catch (s) {
+          j.debug("getSession error", { error: s }), t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "getSession"), h = null;
+        }
+      try {
+        const s = e.cookieName || "__mulguard_session", c = await X(s);
+        if (c)
+          try {
+            const w = JSON.parse(c);
+            if (F(w))
+              return w.expiresAt && new Date(w.expiresAt) < /* @__PURE__ */ new Date() ? (t.onSessionExpired && await d(t.onSessionExpired, w), await A(), h = null, null) : (h = { session: w, timestamp: o }, w);
+            await A(), h = null;
+          } catch {
+            await A(), h = null;
+          }
+      } catch (s) {
+        const c = s instanceof Error ? s.message : String(s);
+        !c.includes("request scope") && !c.includes("cookies") && (j.warn("getSession cookie error", { error: s }), t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "getSession.cookie"));
+      }
+      return null;
+    },
+    /**
+     * Get access token from current session
+     */
+    async getAccessToken() {
+      const o = await this.getSession();
+      return o != null && o.accessToken && typeof o.accessToken == "string" ? o.accessToken : null;
+    },
+    /**
+     * Get refresh token from current session
+     */
+    async getRefreshToken() {
+      const o = await this.getSession();
+      return o != null && o.refreshToken && typeof o.refreshToken == "string" ? o.refreshToken : null;
+    },
+    /**
+     * Check if session has valid tokens
+     */
+    async hasValidTokens() {
+      return !!await this.getAccessToken();
+    },
+    /**
+     * Sign in methods - uses custom actions from config
+     */
+    signIn: {
+      /**
+       * Sign in with email/password
+       */
+      async email(o) {
+        try {
+          const s = await a.signIn.email(o);
+          return s.success && s.session && await _(s), s;
+        } catch (s) {
+          return t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "signIn.email"), {
+            success: !1,
+            error: s instanceof Error ? s.message : "Sign in failed"
+          };
+        }
+      },
+      /**
+       * Initiate OAuth sign in
+       * ✅ Auto-generated if providers.oauth is configured in config
+       */
+      async oauth(o) {
+        if (!a.signIn.oauth)
+          throw new Error(
+            "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
+          );
+        const s = await a.signIn.oauth(o);
+        return await k(s.state, o), s;
+      },
+      /**
+       * Sign in with PassKey
+       */
+      async passkey(o) {
+        if (!a.signIn.passkey)
+          throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
+        try {
+          const s = await a.signIn.passkey(o);
+          return s.success && s.session && await _(s), s;
+        } catch (s) {
+          return t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "signIn.passkey"), {
+            success: !1,
+            error: s instanceof Error ? s.message : "PassKey sign in failed"
+          };
+        }
+      },
+      /**
+       * Sign in with OTP
+       */
+      async otp(o, s) {
+        if (!a.signIn.otp)
+          throw new Error("OTP sign in is not configured. Provide otp action in signIn.");
+        try {
+          const c = await a.signIn.otp(o, s);
+          return c.success && c.session && await _(c), c;
+        } catch (c) {
+          return t.onError && await d(t.onError, c instanceof Error ? c : new Error(String(c)), "signIn.otp"), {
+            success: !1,
+            error: c instanceof Error ? c.message : "OTP sign in failed"
+          };
+        }
+      }
+    },
+    /**
+     * Sign in methods - alias for signIn (for backward compatibility)
+     */
+    signInMethods: {
+      email: (o) => b.signIn.email(o),
+      oauth: (o) => {
+        var s, c;
+        return ((c = (s = b.signIn).oauth) == null ? void 0 : c.call(s, o)) || Promise.reject(new Error("OAuth not configured"));
+      },
+      passkey: (o) => {
+        var s, c;
+        return ((c = (s = b.signIn).passkey) == null ? void 0 : c.call(s, o)) || Promise.reject(new Error("Passkey not configured"));
+      },
+      otp: (o, s) => {
+        var c, w;
+        return ((w = (c = b.signIn).otp) == null ? void 0 : w.call(c, o, s)) || Promise.reject(new Error("OTP not configured"));
+      }
+    },
+    /**
+     * Sign up new user
+     */
+    async signUp(o) {
+      if (!a.signUp)
+        throw new Error("Sign up is not configured. Provide signUp action in config.");
+      try {
+        const s = await a.signUp(o);
+        return s.success && s.session && await _(s), s;
+      } catch (s) {
+        return t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "signUp"), {
+          success: !1,
+          error: s instanceof Error ? s.message : "Sign up failed"
+        };
+      }
+    },
+    /**
+     * Sign out
+     */
+    async signOut() {
+      try {
+        const o = await this.getSession(), s = o == null ? void 0 : o.user;
+        return n.signOut && await n.signOut(), await A(), h = null, s && t.onSignOut && await d(t.onSignOut, s), { success: !0 };
+      } catch (o) {
+        return await A(), t.onError && await d(t.onError, o instanceof Error ? o : new Error(String(o)), "signOut"), {
+          success: !1,
+          error: o instanceof Error ? o.message : "Sign out failed"
+        };
+      }
+    },
+    /**
+     * Request password reset
+     */
+    async resetPassword(o) {
+      if (!n.resetPassword)
+        throw new Error("Password reset is not configured. Provide resetPassword action in config.");
+      try {
+        return await n.resetPassword(o);
+      } catch (s) {
+        return t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "resetPassword"), {
+          success: !1,
+          error: s instanceof Error ? s.message : "Password reset failed"
+        };
+      }
+    },
+    /**
+     * Verify email address
+     */
+    async verifyEmail(o) {
+      if (!n.verifyEmail)
+        throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
+      try {
+        return await n.verifyEmail(o);
+      } catch (s) {
+        return t.onError && await d(t.onError, s instanceof Error ? s : new Error(String(s)), "verifyEmail"), {
+          success: !1,
+          error: s instanceof Error ? s.message : "Email verification failed"
+        };
+      }
+    },
+    /**
+     * Refresh session
+     * Executes custom refreshSession action with improved error handling and callbacks
+     */
+    async refreshSession() {
+      if (!n.refreshSession)
+        return this.getSession();
+      try {
+        const o = await n.refreshSession();
+        if (o && F(o)) {
+          if (await S(o), h = { session: o, timestamp: Date.now() }, t.onSessionUpdate) {
+            const s = await d(t.onSessionUpdate, o);
+            if (s && F(s)) {
+              if (await S(s), t.onTokenRefresh) {
+                const c = await this.getSession();
+                c && await d(t.onTokenRefresh, c, s);
+              }
+              return s;
+            }
+          }
+          if (t.onTokenRefresh) {
+            const s = await this.getSession();
+            s && await d(t.onTokenRefresh, s, o);
+          }
+          return o;
+        } else if (o && !F(o))
+          return await A(), null;
+        return null;
+      } catch (o) {
+        return await A(), t.onError && await d(t.onError, o instanceof Error ? o : new Error(String(o)), "refreshSession"), null;
+      }
+    },
+    /**
+     * OAuth callback handler
+     * ✅ Auto-generated if providers.oauth is configured in config
+     */
+    async oauthCallback(o, s, c) {
+      if (!a.oauthCallback)
+        throw new Error(
+          "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
+        );
+      if (!o || !s || !c)
+        return {
+          success: !1,
+          error: "Missing required OAuth parameters (provider, code, or state)",
+          errorCode: E.VALIDATION_ERROR
+        };
+      if (!await R(c, o))
+        return {
+          success: !1,
+          error: "Invalid or expired state parameter",
+          errorCode: E.VALIDATION_ERROR
+        };
+      try {
+        const y = await a.oauthCallback(o, s, c);
+        if (y.success && y.session) {
+          const O = await _(y);
+          O.success || (process.env.NODE_ENV === "development" && j.debug("Failed to save session cookie after oauthCallback", {
+            error: O.error,
+            warning: O.warning
+          }), t.onError && await d(
+            t.onError,
+            new Error(O.warning || O.error || "Failed to save session cookie"),
+            "oauthCallback.setSession"
+          ));
+        }
+        return y;
+      } catch (y) {
+        return t.onError && await d(t.onError, y instanceof Error ? y : new Error(String(y)), "oauthCallback"), {
+          success: !1,
+          error: y instanceof Error ? y.message : "OAuth callback failed",
+          errorCode: E.NETWORK_ERROR
+        };
+      }
+    },
+    /**
+     * Verify 2FA code after initial sign in
+     * Used when signIn returns requires2FA: true
+     */
+    async verify2FA(o, s) {
+      if (!n.verify2FA)
+        throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
+      try {
+        const c = await n.verify2FA(o);
+        if (c.success && c.session && !(s != null && s.skipCookieSave)) {
+          const w = await _(c);
+          w.success || (process.env.NODE_ENV === "development" && j.debug("Failed to save session cookie after verify2FA", {
+            error: w.error,
+            warning: w.warning
+          }), t.onError && await d(
+            t.onError,
+            new Error(w.warning || w.error || "Failed to save session cookie"),
+            "verify2FA.setSession"
+          ));
+        }
+        return c;
+      } catch (c) {
+        return t.onError && await d(t.onError, c instanceof Error ? c : new Error(String(c)), "verify2FA"), {
+          success: !1,
+          error: c instanceof Error ? c.message : "2FA verification failed",
+          errorCode: E.TWO_FA_REQUIRED
+        };
+      }
+    },
+    /**
+     * Set session directly
+     * Useful for Server Actions that need to save session manually
+     */
+    async setSession(o) {
+      return F(o) ? await S(o) : {
+        success: !1,
+        error: "Invalid session structure"
+      };
+    },
+    /**
+     * Internal method to get session config for Server Actions
+     * Used by verify2FAAction to save session cookie directly
+     * @internal
+     */
+    _getSessionConfig() {
+      return {
+        cookieName: e.cookieName || "__mulguard_session",
+        config: e
+      };
+    },
+    _getCallbacks() {
+      return t;
+    },
+    /**
+     * PassKey methods
+     */
+    passkey: n.passkey ? {
+      register: n.passkey.register,
+      authenticate: async (o) => {
+        var s;
+        if (!((s = n.passkey) != null && s.authenticate))
+          throw new Error("PassKey authenticate is not configured.");
+        try {
+          const c = await n.passkey.authenticate(o);
+          return c.success && c.session && await _(c), c;
+        } catch (c) {
+          return t.onError && await d(t.onError, c instanceof Error ? c : new Error(String(c)), "passkey.authenticate"), {
+            success: !1,
+            error: c instanceof Error ? c.message : "PassKey authentication failed"
+          };
+        }
+      },
+      list: n.passkey.list,
+      remove: n.passkey.remove
+    } : void 0,
+    /**
+     * Two-Factor Authentication methods
+     */
+    twoFactor: n.twoFactor ? {
+      enable: n.twoFactor.enable,
+      verify: n.twoFactor.verify,
+      disable: n.twoFactor.disable,
+      generateBackupCodes: n.twoFactor.generateBackupCodes,
+      isEnabled: n.twoFactor.isEnabled,
+      verify2FA: async (o) => {
+        var c;
+        const s = ((c = n.twoFactor) == null ? void 0 : c.verify2FA) || n.verify2FA;
+        if (!s)
+          throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
+        try {
+          const w = await s(o);
+          if (w.success && w.session) {
+            const y = await _(w);
+            y.success || (process.env.NODE_ENV === "development" && j.debug("Failed to save session cookie after twoFactor.verify2FA", {
+              error: y.error,
+              warning: y.warning
+            }), t.onError && await d(
+              t.onError,
+              new Error(y.warning || y.error || "Failed to save session cookie"),
+              "twoFactor.verify2FA.setSession"
+            ));
+          }
+          return w;
+        } catch (w) {
+          return t.onError && await d(t.onError, w instanceof Error ? w : new Error(String(w)), "twoFactor.verify2FA"), {
+            success: !1,
+            error: w instanceof Error ? w.message : "2FA verification failed",
+            errorCode: E.UNKNOWN_ERROR
+          };
+        }
+      }
+    } : void 0
+  };
+  if (n.refreshSession) {
+    const o = de(
+      async () => await b.refreshSession(),
+      async () => await b.signOut(),
+      async () => {
+        await A();
+      },
+      {
+        ...l,
+        onTokenRefreshed: l.onTokenRefreshed,
+        onTokenRefreshFailed: l.onTokenRefreshFailed,
+        onBeforeRedirect: l.onBeforeRedirect
+      }
+    );
+    b._tokenRefreshManager = o, b._getTokenRefreshManager = () => o;
+  }
+  return b;
+}
+function Ve(r) {
+  return {
+    GET: async (e) => V(e, r, "GET"),
+    POST: async (e) => V(e, r, "POST")
+  };
+}
+async function V(r, e, n) {
+  const t = new URL(r.url), i = t.pathname.replace(/^\/api\/auth/, "") || "/session", f = i.split("/").filter(Boolean);
+  try {
+    if (n === "GET") {
+      if (i === "/session" || i === "/") {
+        const l = await e.getSession();
+        return u.json({ session: l });
+      }
+      if (i === "/providers")
+        return u.json({
+          providers: {
+            email: !!e.signIn.email,
+            oauth: !!e.signIn.oauth,
+            passkey: !!e.signIn.passkey
+          }
+        });
+      if (i.startsWith("/oauth/callback") || f[0] === "oauth" && f[1] === "callback") {
+        if (!e.oauthCallback)
+          return u.redirect(new URL("/login?error=oauth_not_configured", r.url));
+        const l = f[2] || t.searchParams.get("provider"), a = t.searchParams.get("code"), h = t.searchParams.get("state");
+        if (!l || !a || !h)
+          return u.redirect(new URL("/login?error=oauth_missing_params", r.url));
+        try {
+          const m = await e.oauthCallback(l, a, h);
+          if (m.success) {
+            const v = t.searchParams.get("callbackUrl") || "/";
+            return u.redirect(new URL(v, r.url));
+          } else
+            return u.redirect(
+              new URL(`/login?error=${encodeURIComponent(m.error || "oauth_failed")}`, r.url)
+            );
+        } catch (m) {
+          return u.redirect(
+            new URL(
+              `/login?error=${encodeURIComponent(m instanceof Error ? m.message : "oauth_error")}`,
+              r.url
+            )
+          );
+        }
+      }
+      return u.json(
+        { error: "Not found" },
+        { status: 404 }
+      );
+    }
+    if (n === "POST") {
+      const l = await r.json().catch(() => ({}));
+      if (i === "/sign-in" || f[0] === "sign-in") {
+        if (l.provider === "email" && l.email && l.password) {
+          const a = await e.signIn.email({
+            email: l.email,
+            password: l.password
+          });
+          return u.json(a);
+        }
+        if (l.provider === "oauth" && l.providerName) {
+          if (!e.signIn.oauth)
+            return u.json(
+              { success: !1, error: "OAuth is not configured" },
+              { status: 400 }
+            );
+          const a = await e.signIn.oauth(l.providerName);
+          return u.json(a);
+        }
+        if (l.provider === "passkey") {
+          if (!e.signIn.passkey)
+            return u.json(
+              { success: !1, error: "PassKey is not configured" },
+              { status: 400 }
+            );
+          const a = await e.signIn.passkey(l.options);
+          return u.json(a);
+        }
+        return u.json(
+          { success: !1, error: "Invalid sign in request" },
+          { status: 400 }
+        );
+      }
+      if (i === "/sign-up" || f[0] === "sign-up") {
+        if (!e.signUp)
+          return u.json(
+            { success: !1, error: "Sign up is not configured" },
+            { status: 400 }
+          );
+        const a = await e.signUp(l);
+        return u.json(a);
+      }
+      if (i === "/sign-out" || f[0] === "sign-out") {
+        const a = await e.signOut();
+        return u.json(a);
+      }
+      if (i === "/reset-password" || f[0] === "reset-password") {
+        if (!e.resetPassword)
+          return u.json(
+            { success: !1, error: "Password reset is not configured" },
+            { status: 400 }
+          );
+        const a = await e.resetPassword(l.email);
+        return u.json(a);
+      }
+      if (i === "/verify-email" || f[0] === "verify-email") {
+        if (!e.verifyEmail)
+          return u.json(
+            { success: !1, error: "Email verification is not configured" },
+            { status: 400 }
+          );
+        const a = await e.verifyEmail(l.token);
+        return u.json(a);
+      }
+      if (i === "/refresh" || f[0] === "refresh") {
+        if (!e.refreshSession) {
+          const h = await e.getSession();
+          return u.json({ session: h });
+        }
+        const a = await e.refreshSession();
+        return u.json({ session: a });
+      }
+      if (i.startsWith("/oauth/callback") || f[0] === "oauth" && f[1] === "callback") {
+        if (!e.oauthCallback)
+          return u.json(
+            { success: !1, error: "OAuth callback is not configured" },
+            { status: 400 }
+          );
+        const a = l.provider || f[2] || t.searchParams.get("provider"), h = l.code || t.searchParams.get("code"), m = l.state || t.searchParams.get("state");
+        if (!a || !h || !m)
+          return u.json(
+            {
+              success: !1,
+              error: "Missing required OAuth parameters. Provider, code, and state are required."
+            },
+            { status: 400 }
+          );
+        const v = await e.oauthCallback(a, h, m);
+        return u.json(v);
+      }
+      if (i.startsWith("/passkey")) {
+        if (!e.passkey)
+          return u.json(
+            { success: !1, error: "PassKey is not configured" },
+            { status: 400 }
+          );
+        if (f[1] === "register" && e.passkey.register) {
+          const a = await e.passkey.register(l.options);
+          return u.json(a);
+        }
+        if (f[1] === "list" && e.passkey.list) {
+          const a = await e.passkey.list();
+          return u.json(a);
+        }
+        if (f[1] === "remove" && e.passkey.remove) {
+          const a = await e.passkey.remove(l.passkeyId);
+          return u.json(a);
+        }
+      }
+      if (i === "/verify-2fa" || f[0] === "verify-2fa") {
+        if (!e.verify2FA)
+          return u.json(
+            { success: !1, error: "2FA verification is not configured" },
+            { status: 400 }
+          );
+        if (!l.email || !l.userId || !l.code)
+          return u.json(
+            {
+              success: !1,
+              error: "Missing required parameters. Email, userId, and code are required."
+            },
+            { status: 400 }
+          );
+        const a = await e.verify2FA({
+          email: l.email,
+          userId: l.userId,
+          code: l.code
+        });
+        return u.json(a);
+      }
+      if (i.startsWith("/two-factor")) {
+        if (!e.twoFactor)
+          return u.json(
+            { success: !1, error: "Two-Factor Authentication is not configured" },
+            { status: 400 }
+          );
+        if (f[1] === "enable" && e.twoFactor.enable) {
+          const a = await e.twoFactor.enable();
+          return u.json(a);
+        }
+        if (f[1] === "verify" && e.twoFactor.verify) {
+          const a = await e.twoFactor.verify(l.code);
+          return u.json(a);
+        }
+        if (f[1] === "disable" && e.twoFactor.disable) {
+          const a = await e.twoFactor.disable();
+          return u.json(a);
+        }
+        if (f[1] === "backup-codes" && e.twoFactor.generateBackupCodes) {
+          const a = await e.twoFactor.generateBackupCodes();
+          return u.json(a);
+        }
+        if (f[1] === "is-enabled" && e.twoFactor.isEnabled) {
+          const a = await e.twoFactor.isEnabled();
+          return u.json({ enabled: a });
+        }
+      }
+      return u.json(
+        { error: "Not found" },
+        { status: 404 }
+      );
+    }
+    return u.json(
+      { error: "Method not allowed" },
+      { status: 405 }
+    );
+  } catch (l) {
+    return u.json(
+      {
+        success: !1,
+        error: l instanceof Error ? l.message : "Request failed"
+      },
+      { status: 500 }
+    );
+  }
+}
+function ze(r) {
+  return async (e) => {
+    const { method: n, nextUrl: t } = e, f = t.pathname.replace(/^\/api\/auth/, "") || "/";
+    try {
+      let l;
+      if (n !== "GET" && n !== "HEAD")
+        try {
+          l = await e.json();
+        } catch {
+        }
+      const a = Object.fromEntries(t.searchParams.entries()), h = await fetch(
+        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${f}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
+        {
+          method: n,
+          headers: {
+            "Content-Type": "application/json",
+            ...Object.fromEntries(e.headers.entries())
+          },
+          body: l ? JSON.stringify(l) : void 0
+        }
+      ), m = await h.json();
+      return u.json(m, {
+        status: h.status,
+        headers: {
+          ...Object.fromEntries(h.headers.entries())
+        }
+      });
+    } catch (l) {
+      return console.error("API handler error:", l), u.json(
+        {
+          success: !1,
+          error: l instanceof Error ? l.message : "Internal server error"
+        },
+        { status: 500 }
+      );
+    }
+  };
+}
+function We(r) {
+  return async (e) => {
+    const { searchParams: n } = e.nextUrl, t = n.get("provider"), i = n.get("code"), f = n.get("state");
+    if (!t || !i || !f)
+      return u.redirect(
+        new URL("/login?error=oauth_missing_params", e.url)
+      );
+    try {
+      if (!r.oauthCallback)
+        return u.redirect(
+          new URL("/login?error=oauth_not_configured", e.url)
+        );
+      const l = await r.oauthCallback(t, i, f);
+      if (l.success) {
+        const a = n.get("callbackUrl") || "/";
+        return u.redirect(new URL(a, e.url));
+      } else {
+        const a = l.errorCode ? `${encodeURIComponent(l.error || "oauth_failed")}&code=${l.errorCode}` : encodeURIComponent(l.error || "oauth_failed");
+        return u.redirect(
+          new URL(`/login?error=${a}`, e.url)
+        );
+      }
+    } catch (l) {
+      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", l), u.redirect(
+        new URL(
+          `/login?error=${encodeURIComponent(l instanceof Error ? l.message : "oauth_error")}`,
+          e.url
+        )
+      );
+    }
+  };
+}
+function N(r, e) {
+  const n = z({
+    // Customize headers if needed
+    "X-Frame-Options": "SAMEORIGIN"
+    // Allow same-origin framing
+  });
+  for (const [t, i] of Object.entries(n))
+    i && typeof i == "string" && e.headers.set(t, i);
+  return e;
+}
+function Be() {
+  return async (r) => {
+    const e = u.next();
+    return N(r, e);
+  };
+}
+function He(r, e = {}) {
+  const {
+    protectedRoutes: n = [],
+    publicRoutes: t = [],
+    redirectTo: i = "/login",
+    redirectIfAuthenticated: f
+  } = e;
+  return async (l) => {
+    const { pathname: a } = l.nextUrl, h = n.some((d) => a.startsWith(d));
+    let m = null;
+    try {
+      m = await r.getSession();
+    } catch (d) {
+      console.error("Middleware: Failed to get session:", d);
+    }
+    if (h && !m) {
+      const d = l.nextUrl.clone();
+      return d.pathname = i, d.searchParams.set("callbackUrl", a), u.redirect(d);
+    }
+    if (f && m && (a.startsWith("/login") || a.startsWith("/register"))) {
+      const k = l.nextUrl.clone();
+      k.pathname = f;
+      const R = u.redirect(k);
+      return N(l, R);
+    }
+    const v = u.next();
+    return N(l, v);
+  };
+}
+async function qe(r, e) {
+  var n;
+  try {
+    const t = await r.getSession();
+    return t ? ((n = t.user.roles) == null ? void 0 : n.includes(e)) ?? !1 : !1;
+  } catch {
+    return !1;
+  }
+}
+function Ke(r) {
+  const {
+    auth: e,
+    protectedRoutes: n = [],
+    publicRoutes: t = [],
+    redirectTo: i = "/login",
+    redirectIfAuthenticated: f,
+    apiPrefix: l = "/api/auth"
+  } = r;
+  return async (a) => {
+    const { pathname: h } = a.nextUrl;
+    if (h.startsWith(l)) {
+      const k = u.next();
+      return N(a, k);
+    }
+    const m = n.some((k) => h.startsWith(k));
+    let v = null;
+    if (m || f)
+      try {
+        v = await e.getSession();
+      } catch (k) {
+        console.error("Middleware: Failed to get session:", k);
+      }
+    if (m && !v) {
+      const k = a.nextUrl.clone();
+      k.pathname = i, k.searchParams.set("callbackUrl", h);
+      const R = u.redirect(k);
+      return N(a, R);
+    }
+    if (f && v && (h.startsWith("/login") || h.startsWith("/register"))) {
+      const R = a.nextUrl.clone();
+      R.pathname = f;
+      const S = u.redirect(R);
+      return N(a, S);
+    }
+    const d = u.next();
+    return N(a, d);
+  };
+}
+async function Xe(r, e) {
+  var n;
+  try {
+    const t = await r.getSession();
+    return t ? ((n = t.user.roles) == null ? void 0 : n.includes(e)) ?? !1 : !1;
+  } catch {
+    return !1;
+  }
+}
+export {
+  ee as CSRFProtection,
+  Q as DEFAULT_SECURITY_HEADERS,
+  Z as MemoryCSRFStore,
+  le as MemoryOAuthStateStore,
+  J as RateLimiter,
+  ke as applySecurityHeaders,
+  q as buildCookieOptions,
+  ie as buildOAuthAuthorizationUrl,
+  qe as checkRole,
+  Xe as checkRoleProxy,
+  Pe as containsXSSPattern,
+  ze as createApiHandler,
+  He as createAuthMiddleware,
+  _e as createCSRFProtection,
+  ue as createMemoryOAuthStateStore,
+  We as createOAuthCallbackHandler,
+  Ke as createProxyMiddleware,
+  Ee as createRateLimiter,
+  Be as createSecurityMiddleware,
+  nr as createServerAuthMiddleware,
+  or as createServerHelpers,
+  ir as createServerUtils,
+  ar as createSessionManager,
+  Y as deleteCookie,
+  cr as deleteOAuthStateCookie,
+  re as escapeHTML,
+  ae as exchangeOAuthCode,
+  te as generateCSRFToken,
+  W as generateToken,
+  X as getCookie,
+  lr as getCurrentUser,
+  xe as getErrorCode,
+  Ne as getErrorMessage,
+  ur as getOAuthStateCookie,
+  ce as getOAuthUserInfo,
+  $ as getProviderMetadata,
+  z as getSecurityHeaders,
+  fr as getServerSession,
+  dr as getSessionTimeUntilExpiry,
+  $e as getUserFriendlyError,
+  De as hasErrorCode,
+  ne as isAuthError,
+  je as isAuthSuccess,
+  Le as isRetryableError,
+  hr as isSessionExpiredNullable,
+  gr as isSessionExpiringSoon,
+  wr as isSessionValid,
+  Fe as isTwoFactorRequired,
+  Ce as isValidEmail,
+  Me as mulguard,
+  pr as refreshSession,
+  mr as requireAuth,
+  yr as requireRole,
+  Er as requireServerAuthMiddleware,
+  kr as requireServerRoleMiddleware,
+  Ie as sanitizeHTML,
+  Ue as sanitizeInput,
+  Te as sanitizeUserInput,
+  K as setCookie,
+  tr as signIn,
+  Je as signInEmailAction,
+  Qe as signOutAction,
+  Ze as signUpAction,
+  vr as storeOAuthStateCookie,
+  Ve as toNextJsHandler,
+  ve as validateAndSanitizeEmail,
+  Oe as validateAndSanitizeInput,
+  Se as validateAndSanitizeName,
+  Re as validateAndSanitizePassword,
+  se as validateCSRFToken,
+  F as validateSessionStructure,
+  be as validateToken,
+  Ae as validateURL,
+  er as verify2FAAction,
+  N as withSecurityHeaders
+};