mulguard 1.1.2 → 1.1.3

@@ -1,53 +1,53 @@
1
- var H = Object.defineProperty;
2
- var K = (r, e, s) => e in r ? H(r, e, { enumerable: !0, configurable: !0, writable: !0, value: s }) : r[e] = s;
3
- var F = (r, e, s) => K(r, typeof e != "symbol" ? e + "" : e, s);
4
- import { A as y, e as X, c as Y, g as G, d as J } from "../actions-DeCfLtHA.mjs";
5
- import { a as Qe, s as Ze, b as er, v as rr } from "../actions-DeCfLtHA.mjs";
6
- import { v as x } from "../oauth-state-LE-qeq-K.mjs";
7
- import { c as sr, p as nr, k as or, n as ir, m as ar, j as cr, l as lr, e as ur, g as fr, b as dr, i as gr, a as hr, o as wr, f as mr, h as pr, r as yr, d as Er, s as kr } from "../oauth-state-LE-qeq-K.mjs";
8
- import { NextResponse as f } from "next/server";
9
- const j = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
1
+ var ne = Object.defineProperty;
2
+ var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
3
+ var U = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
4
+ import { A as m, d as ie, e as oe, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
5
+ import { a as lt, s as ft, b as dt, v as ht } from "../actions-DeCfLtHA.mjs";
6
+ import { v as N } from "../oauth-state-LE-qeq-K.mjs";
7
+ import { c as wt, p as pt, k as mt, n as Et, m as yt, j as kt, l as vt, e as St, g as Rt, b as At, i as Tt, a as It, o as Ot, f as _t, h as Pt, r as Ct, d as bt, s as Ut } from "../oauth-state-LE-qeq-K.mjs";
8
+ import { NextResponse as E } from "next/server";
9
+ const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
10
10
  /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
11
- function Q(r = 32) {
12
- if (j && typeof j.getRandomValues == "function")
13
- return j.getRandomValues(new Uint8Array(r));
14
- if (j && typeof j.randomBytes == "function")
15
- return Uint8Array.from(j.randomBytes(r));
11
+ function ue(e = 32) {
12
+ if (x && typeof x.getRandomValues == "function")
13
+ return x.getRandomValues(new Uint8Array(e));
14
+ if (x && typeof x.randomBytes == "function")
15
+ return Uint8Array.from(x.randomBytes(e));
16
16
  throw new Error("crypto.getRandomValues must be defined");
17
17
  }
18
- class Z {
19
- constructor(e) {
20
- F(this, "attempts", /* @__PURE__ */ new Map());
21
- F(this, "config");
22
- this.config = e;
18
+ class le {
19
+ constructor(r) {
20
+ U(this, "attempts", /* @__PURE__ */ new Map());
21
+ U(this, "config");
22
+ this.config = r;
23
23
  }
24
24
  /**
25
25
  * Check if request is allowed
26
26
  */
27
- check(e) {
28
- const s = Date.now(), t = this.attempts.get(e);
29
- return !t || t.resetAt < s ? (this.attempts.set(e, {
27
+ check(r) {
28
+ const t = Date.now(), n = this.attempts.get(r);
29
+ return !n || n.resetAt < t ? (this.attempts.set(r, {
30
30
  count: 1,
31
- resetAt: s + this.config.windowMs
31
+ resetAt: t + this.config.windowMs
32
32
  }), {
33
33
  allowed: !0,
34
34
  remaining: this.config.maxAttempts - 1,
35
- resetAt: new Date(s + this.config.windowMs)
36
- }) : t.count >= this.config.maxAttempts ? {
35
+ resetAt: new Date(t + this.config.windowMs)
36
+ }) : n.count >= this.config.maxAttempts ? {
37
37
  allowed: !1,
38
38
  remaining: 0,
39
- resetAt: new Date(t.resetAt)
40
- } : (t.count++, {
39
+ resetAt: new Date(n.resetAt)
40
+ } : (n.count++, {
41
41
  allowed: !0,
42
- remaining: this.config.maxAttempts - t.count,
43
- resetAt: new Date(t.resetAt)
42
+ remaining: this.config.maxAttempts - n.count,
43
+ resetAt: new Date(n.resetAt)
44
44
  });
45
45
  }
46
46
  /**
47
47
  * Reset rate limit for a key
48
48
  */
49
- reset(e) {
50
- this.attempts.delete(e);
49
+ reset(r) {
50
+ this.attempts.delete(r);
51
51
  }
52
52
  /**
53
53
  * Clear all rate limits
@@ -56,10 +56,10 @@ class Z {
56
56
  this.attempts.clear();
57
57
  }
58
58
  }
59
- function ve(r) {
60
- return new Z(r);
59
+ function Tr(e) {
60
+ return new le(e);
61
61
  }
62
- const ee = {
62
+ const fe = {
63
63
  "X-Content-Type-Options": "nosniff",
64
64
  "X-Frame-Options": "DENY",
65
65
  "X-XSS-Protection": "1; mode=block",
@@ -68,163 +68,203 @@ const ee = {
68
68
  "Referrer-Policy": "strict-origin-when-cross-origin",
69
69
  "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
70
70
  };
71
- function q(r) {
71
+ function H(e) {
72
72
  return {
73
- ...ee,
74
- ...r
73
+ ...fe,
74
+ ...e
75
75
  };
76
76
  }
77
- function Re(r, e) {
78
- const s = q(e);
79
- for (const [t, o] of Object.entries(s))
80
- o && r.set(t, o);
77
+ function Ir(e, r) {
78
+ const t = H(r);
79
+ for (const [n, s] of Object.entries(t))
80
+ s && e.set(n, s);
81
81
  }
82
- function M(r) {
83
- if (!r || typeof r != "string")
82
+ const de = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, he = 254;
83
+ function G(e) {
84
+ var t;
85
+ if (typeof e != "string" || !e)
84
86
  return { valid: !1, error: "Email is required" };
85
- const e = r.trim().toLowerCase();
86
- return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e) ? e.length > 254 ? { valid: !1, error: "Email is too long" } : e.includes("..") || e.startsWith(".") || e.endsWith(".") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid email format" };
87
+ const r = e.trim().toLowerCase();
88
+ return de.test(r) ? r.length > he ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
87
89
  }
88
- function Ae(r, e = 8) {
89
- if (!r || typeof r != "string")
90
+ function K(e) {
91
+ return e.valid === !0 && e.sanitized !== void 0;
92
+ }
93
+ const ge = /* @__PURE__ */ new Set([
94
+ "password",
95
+ "12345678",
96
+ "qwerty",
97
+ "abc123",
98
+ "password123",
99
+ "123456789",
100
+ "1234567890",
101
+ "letmein",
102
+ "welcome",
103
+ "monkey",
104
+ "dragon",
105
+ "master",
106
+ "sunshine",
107
+ "princess",
108
+ "football",
109
+ "admin",
110
+ "root",
111
+ "test",
112
+ "guest",
113
+ "user"
114
+ ]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
115
+ function Or(e, r = pe) {
116
+ if (typeof e != "string" || !e)
90
117
  return { valid: !1, error: "Password is required" };
91
- if (r.length < e)
92
- return { valid: !1, error: `Password must be at least ${e} characters` };
93
- if (r.length > 128)
118
+ if (e.length < r)
119
+ return { valid: !1, error: `Password must be at least ${r} characters` };
120
+ if (e.length > me)
94
121
  return { valid: !1, error: "Password is too long" };
95
- if ([
96
- "password",
97
- "12345678",
98
- "qwerty",
99
- "abc123",
100
- "password123",
101
- "123456789",
102
- "1234567890",
103
- "letmein",
104
- "welcome",
105
- "monkey",
106
- "dragon",
107
- "master",
108
- "sunshine",
109
- "princess",
110
- "football"
111
- ].includes(r.toLowerCase()))
122
+ const t = e.toLowerCase();
123
+ if (ge.has(t))
112
124
  return { valid: !1, error: "Password is too common" };
113
- if (/(.)\1{3,}/.test(r))
125
+ if (/(.)\1{3,}/.test(e))
114
126
  return { valid: !1, error: "Password contains too many repeated characters" };
115
- if (/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i.test(r))
127
+ if (we.test(e))
116
128
  return { valid: !1, error: "Password contains sequential characters" };
117
- let t = "weak", o = 0;
118
- return r.length >= 12 ? o += 2 : r.length >= 8 && (o += 1), /[a-z]/.test(r) && (o += 1), /[A-Z]/.test(r) && (o += 1), /[0-9]/.test(r) && (o += 1), /[^a-zA-Z0-9]/.test(r) && (o += 1), o >= 5 ? t = "strong" : o >= 3 && (t = "medium"), { valid: !0, strength: t };
129
+ const n = Ee(e);
130
+ return { valid: !0, sanitized: e, strength: n };
119
131
  }
120
- function Se(r) {
121
- if (!r || typeof r != "string")
132
+ function Ee(e) {
133
+ let r = 0;
134
+ return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
135
+ }
136
+ function _r(e) {
137
+ return e.valid === !0 && e.sanitized !== void 0;
138
+ }
139
+ const ye = 100;
140
+ function Pr(e) {
141
+ if (typeof e != "string" || !e)
122
142
  return { valid: !1, error: "Name is required" };
123
- const e = r.trim();
124
- return e.length < 1 ? { valid: !1, error: "Name cannot be empty" } : e.length > 100 ? { valid: !1, error: "Name is too long" } : { valid: !0, sanitized: e.replace(/[<>\"']/g, "") };
143
+ const r = e.trim();
144
+ if (r.length < 1)
145
+ return { valid: !1, error: "Name cannot be empty" };
146
+ if (r.length > ye)
147
+ return { valid: !1, error: "Name is too long" };
148
+ const t = r.replace(/[<>"']/g, "");
149
+ return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
125
150
  }
126
- function Ie(r) {
127
- if (!r || typeof r != "string")
151
+ function Cr(e) {
152
+ return e.valid === !0 && e.sanitized !== void 0;
153
+ }
154
+ const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
155
+ function br(e) {
156
+ if (typeof e != "string" || !e)
128
157
  return { valid: !1, error: "URL is required" };
129
158
  try {
130
- const e = new URL(r);
131
- return ["http:", "https:"].includes(e.protocol) ? { valid: !0 } : { valid: !1, error: "URL must use http or https protocol" };
159
+ const r = new URL(e);
160
+ return ke.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
132
161
  } catch {
133
162
  return { valid: !1, error: "Invalid URL format" };
134
163
  }
135
164
  }
136
- function _e(r, e = 16) {
137
- return !r || typeof r != "string" ? { valid: !1, error: "Token is required" } : r.length < e ? { valid: !1, error: "Token is too short" } : r.length > 512 ? { valid: !1, error: "Token is too long" } : /^[A-Za-z0-9_-]+$/.test(r) ? /(.)\1{10,}/.test(r) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0 } : { valid: !1, error: "Invalid token format" };
165
+ function Ur(e) {
166
+ return e.valid === !0 && e.sanitized !== void 0;
167
+ }
168
+ const ve = 16, Se = 512, Re = /^[A-Za-z0-9_-]+$/;
169
+ function Nr(e, r = ve) {
170
+ return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Re.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
138
171
  }
139
- function z(r, e) {
140
- const { maxLength: s = 1e3, allowHtml: t = !1, required: o = !0 } = e || {};
141
- if (o && (!r || typeof r != "string" || r.trim().length === 0))
172
+ function Fr(e) {
173
+ return e.valid === !0 && e.sanitized !== void 0;
174
+ }
175
+ const Ae = 1e3;
176
+ function X(e, r) {
177
+ const { maxLength: t = Ae, allowHtml: n = !1, required: s = !0 } = r ?? {};
178
+ if (s && (typeof e != "string" || !e || e.trim().length === 0))
142
179
  return { valid: !1, error: "Input is required" };
143
- if (!r || typeof r != "string")
180
+ if (typeof e != "string" || !e)
144
181
  return { valid: !0, sanitized: "" };
145
- let d = r.trim();
146
- return d.length > s ? { valid: !1, error: `Input must be less than ${s} characters` } : (t || (d = d.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), d = d.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: d });
182
+ let i = e.trim();
183
+ return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
184
+ }
185
+ function xr(e) {
186
+ return e.valid === !0 && e.sanitized !== void 0;
147
187
  }
148
- class re {
188
+ class Te {
149
189
  constructor() {
150
- F(this, "tokens", /* @__PURE__ */ new Map());
190
+ U(this, "tokens", /* @__PURE__ */ new Map());
151
191
  }
152
- get(e) {
153
- const s = this.tokens.get(e);
154
- return s ? s.expiresAt < Date.now() ? (this.delete(e), null) : s.value : null;
192
+ get(r) {
193
+ const t = this.tokens.get(r);
194
+ return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t.value : null;
155
195
  }
156
- set(e, s, t = 36e5) {
157
- this.tokens.set(e, {
158
- value: s,
159
- expiresAt: Date.now() + t
196
+ set(r, t, n = 36e5) {
197
+ this.tokens.set(r, {
198
+ value: t,
199
+ expiresAt: Date.now() + n
160
200
  });
161
201
  }
162
- delete(e) {
163
- this.tokens.delete(e);
202
+ delete(r) {
203
+ this.tokens.delete(r);
164
204
  }
165
205
  clear() {
166
206
  this.tokens.clear();
167
207
  }
168
208
  }
169
- class te {
170
- constructor(e, s = 32) {
171
- F(this, "store");
172
- F(this, "tokenLength");
173
- this.store = e || new re(), this.tokenLength = s;
209
+ class Ie {
210
+ constructor(r, t = 32) {
211
+ U(this, "store");
212
+ U(this, "tokenLength");
213
+ this.store = r || new Te(), this.tokenLength = t;
174
214
  }
175
215
  /**
176
216
  * Generate CSRF token
177
217
  */
178
- generateToken(e, s) {
179
- const t = B(this.tokenLength);
180
- return this.store.set(e, t, s), t;
218
+ generateToken(r, t) {
219
+ const n = Y(this.tokenLength);
220
+ return this.store.set(r, n, t), n;
181
221
  }
182
222
  /**
183
223
  * Validate CSRF token
184
224
  */
185
- validateToken(e, s) {
186
- const t = this.store.get(e);
187
- if (!t)
225
+ validateToken(r, t) {
226
+ const n = this.store.get(r);
227
+ if (!n)
188
228
  return !1;
189
- const o = oe(s, t);
190
- return o && this.store.delete(e), o;
229
+ const s = Q(t, n);
230
+ return s && this.store.delete(r), s;
191
231
  }
192
232
  /**
193
233
  * Get stored token without validating
194
234
  */
195
- getToken(e) {
196
- return this.store.get(e);
235
+ getToken(r) {
236
+ return this.store.get(r);
197
237
  }
198
238
  /**
199
239
  * Delete token
200
240
  */
201
- deleteToken(e) {
202
- this.store.delete(e);
241
+ deleteToken(r) {
242
+ this.store.delete(r);
203
243
  }
204
244
  }
205
- function Oe(r) {
206
- return new te(r);
245
+ function Dr(e) {
246
+ return new Ie(e);
207
247
  }
208
- function se(r) {
209
- if (typeof r != "string")
248
+ function Oe(e) {
249
+ if (typeof e != "string")
210
250
  return "";
211
- const e = {
251
+ const r = {
212
252
  "&": "&amp;",
213
253
  "<": "&lt;",
214
254
  ">": "&gt;",
215
255
  '"': "&quot;",
216
256
  "'": "&#039;"
217
257
  };
218
- return r.replace(/[&<>"']/g, (s) => e[s] || s);
258
+ return e.replace(/[&<>"']/g, (t) => r[t] || t);
219
259
  }
220
- function be(r) {
221
- return typeof r != "string" ? "" : r.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
260
+ function Lr(e) {
261
+ return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
222
262
  }
223
- function Te(r) {
224
- return typeof r != "string" ? "" : se(r.trim());
263
+ function Vr(e) {
264
+ return typeof e != "string" ? "" : Oe(e.trim());
225
265
  }
226
- function Pe(r) {
227
- return typeof r != "string" ? !1 : [
266
+ function Mr(e) {
267
+ return typeof e != "string" ? !1 : [
228
268
  /<script/i,
229
269
  /javascript:/i,
230
270
  /on\w+\s*=/i,
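Review bot: The `sanitized` fields added to the password, URL and token validators (`Or`, `br`, `Nr`) return the caller's input unchanged, so the name promises more than the code does. For `Or` this means the plaintext password now travels in the result object under a key that the name-based redaction helper `He` later in this diff would not mask if such a result were logged; for `br` the returned string is the raw input rather than the parsed form that was actually checked. I would return the parsed value from `br`, `{ valid: !0, sanitized: r.href }`, and put a comment on `Or` such as `// sanitized is the unmodified plaintext password; do not log or persist the result`. The type guards `_r`, `Ur` and `Fr` test `sanitized !== void 0`, so the field cannot simply be dropped without changing them. This file is bundled output, so the change belongs in the package source.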
@@ -235,88 +275,95 @@ function Pe(r) {
235
275
  /<meta/i,
236
276
  /expression\s*\(/i,
237
277
  /vbscript:/i
238
- ].some((s) => s.test(r));
278
+ ].some((t) => t.test(e));
239
279
  }
240
- function B(r = 32) {
241
- const e = Q(r);
242
- return Buffer.from(e).toString("base64url");
280
+ const J = 32;
281
+ function Y(e = J) {
282
+ if (e < 1 || e > 256)
283
+ throw new Error("Token length must be between 1 and 256 bytes");
284
+ const r = ue(e);
285
+ return Buffer.from(r).toString("base64url");
243
286
  }
244
- function ne() {
245
- return B(32);
287
+ function _e() {
288
+ return Y(J);
246
289
  }
247
- function oe(r, e) {
248
- if (!r || !e || r.length !== e.length)
290
+ function Q(e, r) {
291
+ if (typeof e != "string" || typeof r != "string" || !e || !r || e.length !== r.length)
249
292
  return !1;
250
- let s = 0;
251
- for (let t = 0; t < r.length; t++)
252
- s |= r.charCodeAt(t) ^ e.charCodeAt(t);
253
- return s === 0;
293
+ let t = 0;
294
+ for (let n = 0; n < e.length; n++)
295
+ t |= e.charCodeAt(n) ^ r.charCodeAt(n);
296
+ return t === 0;
254
297
  }
255
- function Ce(r) {
256
- return r.trim().replace(/[<>]/g, "");
298
+ function jr(e, r) {
299
+ return Q(e, r);
257
300
  }
258
- function Ue(r) {
259
- return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);
301
+ function zr(e) {
302
+ return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
260
303
  }
261
- function ie(r) {
262
- return !r.success && !!r.error;
304
+ const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
305
+ function $r(e) {
306
+ return typeof e == "string" && Pe.test(e);
263
307
  }
264
- function Ne(r) {
265
- return r.requires2FA === !0 || r.errorCode === y.TWO_FA_REQUIRED;
308
+ function Ce(e) {
309
+ return !e.success && !!e.error;
266
310
  }
267
- function Fe(r, e) {
268
- return r.error ? r.error : e || "Authentication failed";
311
+ function Wr(e) {
312
+ return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
269
313
  }
270
- function xe(r) {
271
- return r.errorCode;
314
+ function qr(e, r) {
315
+ return e.error ? e.error : r || "Authentication failed";
272
316
  }
273
- function Le(r) {
274
- return r.success === !0 && !!r.user;
317
+ function Br(e) {
318
+ return e.errorCode;
275
319
  }
276
- function je(r, e) {
277
- return r.errorCode === e;
320
+ function Hr(e) {
321
+ return e.success === !0 && !!e.user;
278
322
  }
279
- function De(r) {
280
- if (!ie(r)) return !1;
281
- const e = [
282
- y.NETWORK_ERROR,
283
- y.RATE_LIMITED,
284
- y.UNKNOWN_ERROR
323
+ function Gr(e, r) {
324
+ return e.errorCode === r;
325
+ }
326
+ function Kr(e) {
327
+ if (!Ce(e)) return !1;
328
+ const r = [
329
+ m.NETWORK_ERROR,
330
+ m.RATE_LIMITED,
331
+ m.UNKNOWN_ERROR
285
332
  ];
286
- return r.errorCode ? e.includes(r.errorCode) : !1;
333
+ return e.errorCode ? r.includes(e.errorCode) : !1;
287
334
  }
288
- function Ve(r) {
289
- if (r.error) return r.error;
290
- switch (r.errorCode) {
291
- case y.INVALID_CREDENTIALS:
335
+ function Xr(e) {
336
+ if (e.error) return e.error;
337
+ switch (e.errorCode) {
338
+ case m.INVALID_CREDENTIALS:
292
339
  return "Invalid email or password. Please try again.";
293
- case y.ACCOUNT_LOCKED:
340
+ case m.ACCOUNT_LOCKED:
294
341
  return "Your account has been temporarily locked. Please try again later.";
295
- case y.ACCOUNT_INACTIVE:
342
+ case m.ACCOUNT_INACTIVE:
296
343
  return "Your account is inactive. Please contact support.";
297
- case y.TWO_FA_REQUIRED:
344
+ case m.TWO_FA_REQUIRED:
298
345
  return "Two-factor authentication is required. Please enter your code.";
299
- case y.INVALID_TWO_FA_CODE:
346
+ case m.INVALID_TWO_FA_CODE:
300
347
  return "Invalid two-factor authentication code. Please try again.";
301
- case y.SESSION_EXPIRED:
348
+ case m.SESSION_EXPIRED:
302
349
  return "Your session has expired. Please sign in again.";
303
- case y.UNAUTHORIZED:
350
+ case m.UNAUTHORIZED:
304
351
  return "You are not authorized to perform this action.";
305
- case y.NETWORK_ERROR:
352
+ case m.NETWORK_ERROR:
306
353
  return "Network error. Please check your connection and try again.";
307
- case y.VALIDATION_ERROR:
354
+ case m.VALIDATION_ERROR:
308
355
  return "Please check your input and try again.";
309
- case y.RATE_LIMITED:
356
+ case m.RATE_LIMITED:
310
357
  return "Too many attempts. Please try again later.";
311
- case y.UNKNOWN_ERROR:
358
+ case m.UNKNOWN_ERROR:
312
359
  default:
313
360
  return "An unexpected error occurred. Please try again.";
314
361
  }
315
362
  }
316
- async function $e(r, e, s) {
317
- return r.signIn(e, s);
363
+ async function Jr(e, r, t) {
364
+ return e.signIn(r, t);
318
365
  }
319
- const ae = {
366
+ const Z = {
320
367
  google: {
321
368
  authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
322
369
  tokenUrl: "https://oauth2.googleapis.com/token",
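Review bot: The new range check in `Y` (`e < 1 || e > 256`) lets `NaN` through, because both comparisons are false for `NaN`; on the `getRandomValues` path `new Uint8Array(NaN)` is empty, so the function would return an empty string as a token. It also accepts a length of 1 byte, which is 8 bits of entropy for a value the CSRF class in this file stores as its token. Consider `if (!Number.isInteger(e) || e < 16 || e > 256)` with the error message updated to match; the floor of 16 is my suggestion, not something the page specifies. Separately, `Q` returns early on a length mismatch before the XOR loop, so the comparison is length-independent only for equal-length inputs, and a short comment saying so would help callers of the new `jr` export.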
@@ -346,254 +393,382 @@ const ae = {
346
393
  defaultScopes: ["email", "public_profile"]
347
394
  }
348
395
  };
349
- function $(r) {
350
- return ae[r] || null;
351
- }
352
- function ce(r, e, s, t) {
353
- const o = $(r);
354
- if (!o)
355
- throw new Error(`Unknown OAuth provider: ${r}`);
356
- const d = e.redirectUri || `${s}/api/auth/callback/${r}`, c = e.scopes || o.defaultScopes, a = new URLSearchParams({
357
- client_id: e.clientId,
358
- redirect_uri: d,
396
+ function j(e) {
397
+ return Z[e] ?? null;
398
+ }
399
+ function Yr(e) {
400
+ return e in Z;
401
+ }
402
+ function be(e, r, t, n) {
403
+ const s = j(e);
404
+ if (!s)
405
+ throw new Error(`Unknown OAuth provider: ${e}`);
406
+ if (!r.clientId)
407
+ throw new Error(`OAuth provider "${e}" is missing clientId`);
408
+ const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
409
+ client_id: r.clientId,
410
+ redirect_uri: i,
359
411
  response_type: "code",
360
- scope: c.join(" "),
361
- state: t,
362
- ...o.defaultParams,
363
- ...e.params
412
+ scope: Array.isArray(o) ? o.join(" ") : String(o),
413
+ state: n
364
414
  });
365
- return `${o.authorizationUrl}?${a.toString()}`;
366
- }
367
- async function le(r, e, s, t) {
368
- const o = $(r);
369
- if (!o)
370
- throw new Error(`Unknown OAuth provider: ${r}`);
371
- const d = new URLSearchParams({
372
- client_id: e.clientId,
373
- code: s,
374
- redirect_uri: t,
415
+ if (s.defaultParams)
416
+ for (const [f, l] of Object.entries(s.defaultParams))
417
+ a.append(f, l);
418
+ if (r.params)
419
+ for (const [f, l] of Object.entries(r.params))
420
+ a.set(f, l);
421
+ return `${s.authorizationUrl}?${a.toString()}`;
422
+ }
423
+ async function Ue(e, r, t, n) {
424
+ const s = j(e);
425
+ if (!s)
426
+ throw new Error(`Unknown OAuth provider: ${e}`);
427
+ if (!t || typeof t != "string")
428
+ throw new Error("Authorization code is required");
429
+ if (!r.clientId)
430
+ throw new Error(`OAuth provider "${e}" is missing clientId`);
431
+ const i = new URLSearchParams({
432
+ client_id: r.clientId,
433
+ code: t,
434
+ redirect_uri: n,
375
435
  grant_type: "authorization_code"
376
436
  });
377
- e.clientSecret && d.append("client_secret", e.clientSecret);
378
- const c = await fetch(o.tokenUrl, {
379
- method: "POST",
380
- headers: {
381
- "Content-Type": "application/x-www-form-urlencoded",
382
- Accept: "application/json"
383
- },
384
- body: d.toString()
385
- });
386
- if (!c.ok) {
387
- const a = await c.text();
388
- throw new Error(`Failed to exchange code for tokens: ${a}`);
437
+ r.clientSecret && i.append("client_secret", r.clientSecret);
438
+ try {
439
+ const o = await fetch(s.tokenUrl, {
440
+ method: "POST",
441
+ headers: {
442
+ "Content-Type": "application/x-www-form-urlencoded",
443
+ Accept: "application/json"
444
+ },
445
+ body: i.toString()
446
+ });
447
+ if (!o.ok) {
448
+ const f = await o.text();
449
+ let l = `Failed to exchange code for tokens: ${f}`;
450
+ try {
451
+ const w = JSON.parse(f);
452
+ l = w.error_description ?? w.error ?? l;
453
+ } catch {
454
+ }
455
+ throw new Error(l);
456
+ }
457
+ const a = await o.json();
458
+ if (!Ne(a))
459
+ throw new Error("Invalid token exchange response format");
460
+ return a;
461
+ } catch (o) {
462
+ throw o instanceof Error ? o : new Error(`OAuth token exchange failed: ${String(o)}`);
389
463
  }
390
- return await c.json();
391
464
  }
392
- async function ue(r, e) {
393
- var d, c, a, m;
394
- const s = $(r);
395
- if (!s)
396
- throw new Error(`Unknown OAuth provider: ${r}`);
397
- const t = await fetch(s.userInfoUrl, {
398
- headers: {
399
- Authorization: `Bearer ${e}`,
400
- Accept: "application/json"
465
+ function Ne(e) {
466
+ return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
467
+ }
468
+ async function Fe(e, r) {
469
+ const t = j(e);
470
+ if (!t)
471
+ throw new Error(`Unknown OAuth provider: ${e}`);
472
+ if (!r || typeof r != "string")
473
+ throw new Error("Access token is required");
474
+ try {
475
+ const n = await fetch(t.userInfoUrl, {
476
+ headers: {
477
+ Authorization: `Bearer ${r}`,
478
+ Accept: "application/json"
479
+ }
480
+ });
481
+ if (!n.ok) {
482
+ const i = await n.text();
483
+ let o = `Failed to fetch user info: ${i}`;
484
+ try {
485
+ const a = JSON.parse(i);
486
+ o = a.error_description ?? a.error ?? o;
487
+ } catch {
488
+ }
489
+ throw new Error(o);
401
490
  }
402
- });
403
- if (!t.ok) {
404
- const k = await t.text();
405
- throw new Error(`Failed to fetch user info: ${k}`);
491
+ const s = await n.json();
492
+ return xe(e, s, r);
493
+ } catch (n) {
494
+ throw n instanceof Error ? n : new Error(`OAuth user info retrieval failed: ${String(n)}`);
406
495
  }
407
- const o = await t.json();
408
- switch (r) {
496
+ }
497
+ async function xe(e, r, t) {
498
+ switch (e) {
409
499
  case "google":
410
- return {
411
- id: o.sub || o.id,
412
- email: o.email,
413
- name: o.name,
414
- avatar: o.picture,
415
- emailVerified: o.email_verified,
416
- rawProfile: o
417
- };
500
+ return De(r);
418
501
  case "github":
419
- let k = o.email, I = { ...o };
420
- if (!k) {
421
- const A = await (await fetch("https://api.github.com/user/emails", {
422
- headers: { Authorization: `Bearer ${e}` }
423
- })).json();
424
- k = ((d = A.find((_) => _.primary)) == null ? void 0 : d.email) || ((c = A[0]) == null ? void 0 : c.email) || `${o.login}@users.noreply.github.com`, I = { ...o, emails: A };
425
- }
426
- return {
427
- id: String(o.id),
428
- email: k,
429
- name: o.name || o.login,
430
- avatar: o.avatar_url,
431
- emailVerified: !!k,
432
- rawProfile: I
433
- };
502
+ return await Le(r, t);
434
503
  case "apple":
435
- return {
436
- id: o.sub,
437
- email: o.email,
438
- name: o.name ? `${o.name.firstName} ${o.name.lastName}` : "",
439
- emailVerified: o.email_verified,
440
- rawProfile: o
441
- };
504
+ return Ve(r);
442
505
  case "facebook":
443
- return {
444
- id: o.id,
445
- email: o.email,
446
- name: o.name,
447
- avatar: (m = (a = o.picture) == null ? void 0 : a.data) == null ? void 0 : m.url,
448
- emailVerified: !0,
449
- rawProfile: o
450
- };
506
+ return Me(r);
451
507
  default:
452
- return {
453
- id: String(o.id || o.sub),
454
- email: o.email,
455
- name: o.name || o.display_name || o.username,
456
- avatar: o.avatar || o.picture || o.avatar_url,
457
- emailVerified: o.email_verified || o.emailVerified || !1,
458
- rawProfile: o
459
- };
508
+ return je(r);
460
509
  }
461
510
  }
462
- class fe {
511
+ function De(e) {
512
+ return {
513
+ id: String(e.sub ?? e.id ?? ""),
514
+ email: String(e.email ?? ""),
515
+ name: String(e.name ?? ""),
516
+ avatar: typeof e.picture == "string" ? e.picture : void 0,
517
+ emailVerified: !!e.email_verified,
518
+ rawProfile: e
519
+ };
520
+ }
521
+ async function Le(e, r) {
522
+ let t = typeof e.email == "string" ? e.email : void 0, n = { ...e };
523
+ if (!t)
524
+ try {
525
+ const s = await fetch("https://api.github.com/user/emails", {
526
+ headers: { Authorization: `Bearer ${r}` }
527
+ });
528
+ if (s.ok) {
529
+ const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
530
+ t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
531
+ } else
532
+ t = `${String(e.login ?? "user")}@users.noreply.github.com`;
533
+ } catch {
534
+ t = `${String(e.login ?? "user")}@users.noreply.github.com`;
535
+ }
536
+ return {
537
+ id: String(e.id ?? ""),
538
+ email: t ?? "",
539
+ name: String(e.name ?? e.login ?? ""),
540
+ avatar: typeof e.avatar_url == "string" ? e.avatar_url : void 0,
541
+ emailVerified: !!t,
542
+ rawProfile: n
543
+ };
544
+ }
545
+ function Ve(e) {
546
+ const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
547
+ return {
548
+ id: String(e.sub ?? ""),
549
+ email: String(e.email ?? ""),
550
+ name: t,
551
+ emailVerified: !!e.email_verified,
552
+ rawProfile: e
553
+ };
554
+ }
555
+ function Me(e) {
556
+ var t;
557
+ const r = e.picture;
558
+ return {
559
+ id: String(e.id ?? ""),
560
+ email: String(e.email ?? ""),
561
+ name: String(e.name ?? ""),
562
+ avatar: (t = r == null ? void 0 : r.data) == null ? void 0 : t.url,
563
+ emailVerified: !0,
564
+ rawProfile: e
565
+ };
566
+ }
567
+ function je(e) {
568
+ return {
569
+ id: String(e.id ?? e.sub ?? ""),
570
+ email: String(e.email ?? ""),
571
+ name: String(e.name ?? e.display_name ?? e.username ?? ""),
572
+ avatar: typeof e.avatar == "string" ? e.avatar : typeof e.picture == "string" ? e.picture : typeof e.avatar_url == "string" ? e.avatar_url : void 0,
573
+ emailVerified: !!(e.email_verified ?? e.emailVerified ?? !1),
574
+ rawProfile: e
575
+ };
576
+ }
577
+ function Qr(e) {
578
+ return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
579
+ }
580
+ class ze {
463
581
  constructor() {
464
- F(this, "states", /* @__PURE__ */ new Map());
582
+ U(this, "states", /* @__PURE__ */ new Map());
465
583
  }
466
- set(e, s, t) {
467
- this.states.set(e, s), this.cleanup();
584
+ set(r, t, n) {
585
+ this.states.set(r, t), this.cleanup();
468
586
  }
469
- get(e) {
470
- const s = this.states.get(e);
471
- return s ? s.expiresAt < Date.now() ? (this.delete(e), null) : s : null;
587
+ get(r) {
588
+ const t = this.states.get(r);
589
+ return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
472
590
  }
473
- delete(e) {
474
- this.states.delete(e);
591
+ delete(r) {
592
+ this.states.delete(r);
475
593
  }
476
594
  cleanup() {
477
- const e = Date.now();
478
- for (const [s, t] of this.states.entries())
479
- t.expiresAt < e && this.states.delete(s);
595
+ const r = Date.now();
596
+ for (const [t, n] of this.states.entries())
597
+ n.expiresAt < r && this.states.delete(t);
480
598
  }
481
599
  }
482
- function de() {
483
- return new fe();
600
+ function $e() {
601
+ return new ze();
602
+ }
603
+ function D(e) {
604
+ return e.success === !0 && e.user !== void 0 && e.session !== void 0;
484
605
  }
485
- function ge(r = process.env.NODE_ENV === "development") {
486
- const e = "[Mulguard]";
606
+ var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
607
+ const We = process.env.NODE_ENV === "development" ? 0 : 1;
608
+ function qe(e = {}) {
609
+ const {
610
+ enabled: r = process.env.NODE_ENV === "development",
611
+ level: t = We,
612
+ context: n,
613
+ formatter: s = Be
614
+ } = e, i = (a) => r && a >= t, o = (a, f, l, w) => ({
615
+ level: a,
616
+ message: f,
617
+ timestamp: /* @__PURE__ */ new Date(),
618
+ context: n,
619
+ data: l ? He(l) : void 0,
620
+ error: w
621
+ });
487
622
  return {
488
- debug: r ? (s, t) => {
489
- t !== void 0 ? console.debug(`${e} ${s}`, t) : console.debug(`${e} ${s}`);
490
- } : () => {
623
+ debug: (a, f) => {
624
+ if (i(
625
+ 0
626
+ /* DEBUG */
627
+ )) {
628
+ const l = o(0, a, f);
629
+ console.debug(s(l));
630
+ }
491
631
  },
492
- info: r ? (s, t) => {
493
- t !== void 0 ? console.info(`${e} ${s}`, t) : console.info(`${e} ${s}`);
494
- } : () => {
632
+ info: (a, f) => {
633
+ if (i(
634
+ 1
635
+ /* INFO */
636
+ )) {
637
+ const l = o(1, a, f);
638
+ console.info(s(l));
639
+ }
495
640
  },
496
- warn: r ? (s, t) => {
497
- t !== void 0 ? console.warn(`${e} ${s}`, t) : console.warn(`${e} ${s}`);
498
- } : () => {
641
+ warn: (a, f) => {
642
+ if (i(
643
+ 2
644
+ /* WARN */
645
+ )) {
646
+ const l = o(2, a, f);
647
+ console.warn(s(l));
648
+ }
499
649
  },
500
- error: r ? (s, t) => {
501
- t !== void 0 ? console.error(`${e} ${s}`, t) : console.error(`${e} ${s}`);
502
- } : () => {
650
+ error: (a, f) => {
651
+ if (i(
652
+ 3
653
+ /* ERROR */
654
+ )) {
655
+ const l = f instanceof Error ? f : void 0, w = f instanceof Error ? void 0 : f, g = o(3, a, w, l);
656
+ console.error(s(g)), l && console.error(l);
657
+ }
503
658
  }
504
659
  };
505
660
  }
506
- const P = ge();
507
- function he(r, e, s, t = {}) {
661
+ function Be(e) {
662
+ const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
663
+ return `${r} [${t}]${n} ${e.message}${s}`;
664
+ }
665
+ function He(e) {
666
+ const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
667
+ for (const [n, s] of Object.entries(e))
668
+ if (r.has(n.toLowerCase()))
669
+ t[n] = "***REDACTED***";
670
+ else if (typeof s == "string" && n.toLowerCase().includes("email")) {
671
+ const i = s.split("@");
672
+ if (i.length === 2 && i[0]) {
673
+ const o = i[0].substring(0, 3) + "***@" + i[1];
674
+ t[n] = o;
675
+ } else
676
+ t[n] = s;
677
+ } else
678
+ t[n] = s;
679
+ return t;
680
+ }
681
+ const O = qe();
682
+ function Ge(e, r, t, n = {}) {
508
683
  const {
509
- enabled: o = !0,
510
- maxRetries: d = 1,
511
- retryDelay: c = 1e3,
684
+ enabled: s = !0,
685
+ maxRetries: i = 1,
686
+ retryDelay: o = 1e3,
512
687
  rateLimit: a = 3,
513
- autoSignOutOnFailure: m = !0,
514
- redirectToLogin: k = "/login",
515
- autoRedirectOnFailure: I = !0
516
- } = t;
688
+ autoSignOutOnFailure: f = !0,
689
+ redirectToLogin: l = "/login",
690
+ autoRedirectOnFailure: w = !0
691
+ } = n;
517
692
  let g = null, A = !1;
518
- const _ = [], b = [], U = 60 * 1e3;
519
- let T = 0, O = !1, C = null;
520
- const D = 2, V = 60 * 1e3;
521
- function n() {
522
- const l = Date.now();
523
- if (O && C) {
524
- if (l < C)
693
+ const S = [], v = [], y = 60 * 1e3;
694
+ let h = 0, I = !1, _ = null;
695
+ const L = 2, V = 60 * 1e3;
696
+ function c() {
697
+ const k = Date.now();
698
+ if (I && _) {
699
+ if (k < _)
525
700
  return !1;
526
- O = !1, C = null, T = 0;
701
+ I = !1, _ = null, h = 0;
527
702
  }
528
- for (; b.length > 0; ) {
529
- const w = b[0];
530
- if (w !== void 0 && w < l - U)
531
- b.shift();
703
+ for (; v.length > 0; ) {
704
+ const p = v[0];
705
+ if (p !== void 0 && p < k - y)
706
+ v.shift();
532
707
  else
533
708
  break;
534
709
  }
535
- return b.length >= a ? !1 : (b.push(l), !0);
536
- }
537
- function i() {
538
- T++, T >= D && (O = !0, C = Date.now() + V, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
710
+ return v.length >= a ? !1 : (v.push(k), !0);
539
711
  }
540
712
  function u() {
541
- T = 0, O = !1, C = null;
713
+ h++, h >= L && (I = !0, _ = Date.now() + V, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
542
714
  }
543
- async function p(l = 1) {
544
- if (!o)
715
+ function d() {
716
+ h = 0, I = !1, _ = null;
717
+ }
718
+ async function R(k = 1) {
719
+ if (!s)
545
720
  return null;
546
- if (!n())
721
+ if (!c())
547
722
  throw new Error("Rate limit exceeded for token refresh");
548
723
  try {
549
- const w = await r();
550
- if (w)
551
- return u(), S(w), t.onTokenRefreshed && await Promise.resolve(t.onTokenRefreshed(w)), w;
552
- if (i(), l < d)
553
- return await h(c * l), p(l + 1);
724
+ const p = await e();
725
+ if (p)
726
+ return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
727
+ if (u(), k < i)
728
+ return await $(o * k), R(k + 1);
554
729
  throw new Error("Token refresh failed: refresh function returned null");
555
- } catch (w) {
556
- if (i(), l < d && R(w))
557
- return await h(c * l), p(l + 1);
558
- throw w;
730
+ } catch (p) {
731
+ if (u(), k < i && C(p))
732
+ return await $(o * k), R(k + 1);
733
+ throw p;
559
734
  }
560
735
  }
561
- function R(l) {
562
- if (l instanceof Error) {
563
- const w = l.message.toLowerCase();
564
- if (w.includes("rate limit") || w.includes("too many requests") || w.includes("429") || w.includes("limit:") || w.includes("requests per minute") || w.includes("token_blacklisted") || w.includes("blacklisted") || w.includes("invalid") || w.includes("401") || w.includes("unauthorized") || w.includes("session has been revoked") || w.includes("session expired"))
736
+ function C(k) {
737
+ if (k instanceof Error) {
738
+ const p = k.message.toLowerCase();
739
+ if (p.includes("rate limit") || p.includes("too many requests") || p.includes("429") || p.includes("limit:") || p.includes("requests per minute") || p.includes("token_blacklisted") || p.includes("blacklisted") || p.includes("invalid") || p.includes("401") || p.includes("unauthorized") || p.includes("session has been revoked") || p.includes("session expired"))
565
740
  return !1;
566
- if (w.includes("network") || w.includes("fetch") || w.includes("timeout"))
741
+ if (p.includes("network") || p.includes("fetch") || p.includes("timeout"))
567
742
  return !0;
568
743
  }
569
744
  return !1;
570
745
  }
571
- function S(l) {
572
- const w = [..._];
573
- _.length = 0;
574
- for (const { resolve: N } of w)
575
- N(l);
746
+ function P(k) {
747
+ const p = [...S];
748
+ S.length = 0;
749
+ for (const { resolve: b } of p)
750
+ b(k);
576
751
  }
577
- function E(l) {
578
- const w = [..._];
579
- _.length = 0;
580
- for (const { reject: N } of w)
581
- N(l);
752
+ function z(k) {
753
+ const p = [...S];
754
+ S.length = 0;
755
+ for (const { reject: b } of p)
756
+ b(k);
582
757
  }
583
- function h(l) {
584
- return new Promise((w) => setTimeout(w, l));
758
+ function $(k) {
759
+ return new Promise((p) => setTimeout(p, k));
585
760
  }
586
- async function v(l) {
761
+ async function W(k) {
587
762
  try {
588
- if (t.onTokenRefreshFailed && await Promise.resolve(t.onTokenRefreshFailed(l)), m && (await s(), await e(), I && typeof window < "u")) {
589
- let w = !0;
590
- if (t.onBeforeRedirect && (w = await Promise.resolve(t.onBeforeRedirect(l))), w) {
591
- const N = new URL(k, window.location.origin);
592
- N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
763
+ if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), f && (await t(), await r(), w && typeof window < "u")) {
764
+ let p = !0;
765
+ if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
766
+ const b = new URL(l, window.location.origin);
767
+ b.searchParams.set("reason", "session_expired"), b.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = b.toString();
593
768
  }
594
769
  }
595
- } catch (w) {
596
- process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", w);
770
+ } catch (p) {
771
+ process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", p);
597
772
  }
598
773
  }
599
774
  return {
@@ -601,9 +776,9 @@ function he(r, e, s, t = {}) {
601
776
  * Refresh token with single refresh queue
602
777
  */
603
778
  async refreshToken() {
604
- return o ? g || (A = !0, g = p().then((l) => (A = !1, g = null, l)).catch((l) => {
605
- throw A = !1, g = null, E(l), v(l).catch(() => {
606
- }), l;
779
+ return s ? g || (A = !0, g = R().then((k) => (A = !1, g = null, k)).catch((k) => {
780
+ throw A = !1, g = null, z(k), W(k).catch(() => {
781
+ }), k;
607
782
  }), g) : null;
608
783
  },
609
784
  /**
@@ -616,38 +791,38 @@ function he(r, e, s, t = {}) {
616
791
  * Wait for current refresh to complete
617
792
  */
618
793
  async waitForRefresh() {
619
- return g ? new Promise((l, w) => {
620
- _.push({ resolve: l, reject: w });
794
+ return g ? new Promise((k, p) => {
795
+ S.push({ resolve: k, reject: p });
621
796
  }) : null;
622
797
  },
623
798
  /**
624
799
  * Clear state
625
800
  */
626
801
  clear() {
627
- g = null, A = !1, b.length = 0, u(), E(new Error("Token refresh manager cleared"));
802
+ g = null, A = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
628
803
  },
629
804
  /**
630
805
  * Handle token refresh failure
631
806
  */
632
- async handleRefreshFailure(l) {
633
- return v(l);
807
+ async handleRefreshFailure(k) {
808
+ return W(k);
634
809
  }
635
810
  };
636
811
  }
637
- function we() {
638
- const r = process.env.NODE_ENV === "production";
812
+ function Ke() {
813
+ const e = process.env.NODE_ENV === "production";
639
814
  return {
640
815
  cookieName: "__mulguard_session",
641
816
  expiresIn: 60 * 60 * 24 * 7,
642
817
  // 7 days
643
818
  httpOnly: !0,
644
- secure: r,
819
+ secure: e,
645
820
  // HTTPS only in production
646
821
  sameSite: "lax",
647
822
  path: "/"
648
823
  };
649
824
  }
650
- function me() {
825
+ function Xe() {
651
826
  return {
652
827
  enabled: !0,
653
828
  refreshThreshold: 300,
@@ -662,394 +837,568 @@ function me() {
662
837
  autoRedirectOnFailure: !0
663
838
  };
664
839
  }
665
- function Me(r) {
666
- var D, V;
667
- const e = {
668
- ...we(),
669
- ...r.session
670
- }, s = r.actions, t = r.callbacks || {}, o = ((D = r.providers) == null ? void 0 : D.oauth) || {}, d = process.env.NEXT_PUBLIC_URL || (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000"), c = {
671
- ...me(),
672
- ...r.tokenRefresh
673
- }, a = { ...s };
674
- if (Object.keys(o).length > 0 && !a.signIn.oauth && (a.signIn.oauth = async (n) => {
675
- const i = o[n];
840
+ function Je() {
841
+ return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
842
+ }
843
+ function Ye(e) {
844
+ const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
845
+ let a = null;
846
+ const f = async () => {
847
+ const y = Date.now();
848
+ if (a && y - a.timestamp < t)
849
+ return a.session;
850
+ if (n)
851
+ try {
852
+ const h = await n();
853
+ if (h && N(h))
854
+ return a = { session: h, timestamp: y }, h;
855
+ h && !N(h) && (await w(), a = null);
856
+ } catch (h) {
857
+ O.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
858
+ }
859
+ try {
860
+ const h = await ce(o);
861
+ if (h)
862
+ try {
863
+ const I = JSON.parse(h);
864
+ if (N(I))
865
+ return I.expiresAt && new Date(I.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(I), await w(), a = null, null) : (a = { session: I, timestamp: y }, I);
866
+ await w(), a = null;
867
+ } catch {
868
+ await w(), a = null;
869
+ }
870
+ } catch (h) {
871
+ const I = h instanceof Error ? h.message : String(h);
872
+ !I.includes("request scope") && !I.includes("cookies") && (O.warn("getSession cookie error", { error: h }), i && await i(
873
+ h instanceof Error ? h : new Error(String(h)),
874
+ "getSession.cookie"
875
+ ));
876
+ }
877
+ return null;
878
+ }, l = async (y) => {
879
+ if (!N(y))
880
+ return {
881
+ success: !1,
882
+ error: "Invalid session structure"
883
+ };
884
+ try {
885
+ const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), I = oe(o, h, r), _ = await ae(I);
886
+ return _.success && (a = { session: y, timestamp: Date.now() }), _;
887
+ } catch (h) {
888
+ const I = h instanceof Error ? h.message : "Failed to set session";
889
+ return O.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
890
+ success: !1,
891
+ error: I
892
+ };
893
+ }
894
+ }, w = async () => {
895
+ try {
896
+ await ie(o, {
897
+ path: r.path,
898
+ domain: r.domain
899
+ }), a = null;
900
+ } catch (y) {
901
+ O.warn("clearSessionCookie error", { error: y });
902
+ }
903
+ }, g = async () => {
904
+ const y = await f();
905
+ return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
906
+ };
907
+ return {
908
+ getSession: f,
909
+ setSession: l,
910
+ clearSessionCookie: w,
911
+ getAccessToken: g,
912
+ getRefreshToken: async () => {
913
+ const y = await f();
914
+ return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
915
+ },
916
+ hasValidTokens: async () => !!await g(),
917
+ clearCache: () => {
918
+ a = null;
919
+ },
920
+ getSessionConfig: () => ({ cookieName: o, config: r })
921
+ };
922
+ }
923
+ function Qe(e) {
924
+ return async (r) => {
925
+ try {
926
+ if (!r || typeof r != "object")
927
+ return {
928
+ success: !1,
929
+ error: "Invalid credentials",
930
+ errorCode: m.VALIDATION_ERROR
931
+ };
932
+ if (!r.email || typeof r.email != "string")
933
+ return {
934
+ success: !1,
935
+ error: "Email is required",
936
+ errorCode: m.VALIDATION_ERROR
937
+ };
938
+ const t = G(r.email);
939
+ if (!K(t))
940
+ return {
941
+ success: !1,
942
+ error: t.error ?? "Invalid email format",
943
+ errorCode: m.VALIDATION_ERROR
944
+ };
945
+ if (!r.password || typeof r.password != "string")
946
+ return {
947
+ success: !1,
948
+ error: "Password is required",
949
+ errorCode: m.VALIDATION_ERROR
950
+ };
951
+ if (r.password.length > 128)
952
+ return {
953
+ success: !1,
954
+ error: "Invalid credentials",
955
+ errorCode: m.VALIDATION_ERROR
956
+ };
957
+ const n = {
958
+ email: t.sanitized,
959
+ password: r.password
960
+ // Don't sanitize password (needed for hashing)
961
+ }, s = await e.actions.signIn.email(n);
962
+ if (D(s)) {
963
+ const i = await e.saveSessionAfterAuth(s);
964
+ !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
965
+ }
966
+ return s.success ? O.info("Sign in successful", {
967
+ email: n.email.substring(0, 3) + "***"
968
+ }) : O.warn("Sign in failed", {
969
+ email: n.email.substring(0, 3) + "***",
970
+ errorCode: s.errorCode
971
+ }), s;
972
+ } catch (t) {
973
+ const n = t instanceof Error ? t.message : "Sign in failed";
974
+ return O.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
975
+ t instanceof Error ? t : new Error(String(t)),
976
+ "signIn.email"
977
+ ), {
978
+ success: !1,
979
+ error: "Sign in failed. Please try again.",
980
+ errorCode: m.UNKNOWN_ERROR
981
+ };
982
+ }
983
+ };
984
+ }
985
+ function Ze(e, r) {
986
+ return async (t) => {
987
+ if (!t || typeof t != "string")
988
+ throw new Error("Provider is required");
989
+ const n = X(t, {
990
+ maxLength: 50,
991
+ allowHtml: !1,
992
+ required: !0
993
+ });
994
+ if (!n.valid || !n.sanitized)
995
+ throw new Error("Invalid provider");
996
+ const s = n.sanitized.toLowerCase();
997
+ if (!e.actions.signIn.oauth)
998
+ throw new Error(
999
+ "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
1000
+ );
1001
+ const i = await e.actions.signIn.oauth(s);
1002
+ return await r(i.state, s), O.info("OAuth sign in initiated", { provider: s }), i;
1003
+ };
1004
+ }
1005
+ function er(e) {
1006
+ return async (r, t) => {
1007
+ if (!r || typeof r != "string")
1008
+ return {
1009
+ success: !1,
1010
+ error: "Email is required",
1011
+ errorCode: m.VALIDATION_ERROR
1012
+ };
1013
+ const n = G(r);
1014
+ if (!K(n))
1015
+ return {
1016
+ success: !1,
1017
+ error: n.error ?? "Invalid email format",
1018
+ errorCode: m.VALIDATION_ERROR
1019
+ };
1020
+ if (t !== void 0 && (typeof t != "string" || t.length < 4 || t.length > 10))
1021
+ return {
1022
+ success: !1,
1023
+ error: "Invalid OTP code format",
1024
+ errorCode: m.VALIDATION_ERROR
1025
+ };
1026
+ if (!e.actions.signIn.otp)
1027
+ return {
1028
+ success: !1,
1029
+ error: "OTP sign in is not configured",
1030
+ errorCode: m.VALIDATION_ERROR
1031
+ };
1032
+ try {
1033
+ const s = await e.actions.signIn.otp(n.sanitized, t);
1034
+ if (D(s)) {
1035
+ const i = await e.saveSessionAfterAuth(s);
1036
+ !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
1037
+ }
1038
+ return s.success ? O.info("OTP sign in successful", {
1039
+ email: n.sanitized.substring(0, 3) + "***"
1040
+ }) : O.warn("OTP sign in failed", {
1041
+ email: n.sanitized.substring(0, 3) + "***"
1042
+ }), s;
1043
+ } catch (s) {
1044
+ return O.error("OTP sign in error", {
1045
+ error: s instanceof Error ? s.message : "Unknown error",
1046
+ context: "signIn.otp"
1047
+ }), e.onError && await e.onError(
1048
+ s instanceof Error ? s : new Error(String(s)),
1049
+ "signIn.otp"
1050
+ ), {
1051
+ success: !1,
1052
+ error: "OTP sign in failed. Please try again.",
1053
+ errorCode: m.UNKNOWN_ERROR
1054
+ };
1055
+ }
1056
+ };
1057
+ }
1058
+ function rr(e) {
1059
+ return async (r) => {
1060
+ if (!e.actions.signIn.passkey)
1061
+ throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
1062
+ try {
1063
+ const t = await e.actions.signIn.passkey(r);
1064
+ if (D(t)) {
1065
+ const n = await e.saveSessionAfterAuth(t);
1066
+ !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
1067
+ }
1068
+ return t;
1069
+ } catch (t) {
1070
+ return e.onError && await e.onError(
1071
+ t instanceof Error ? t : new Error(String(t)),
1072
+ "signIn.passkey"
1073
+ ), {
1074
+ success: !1,
1075
+ error: t instanceof Error ? t.message : "PassKey sign in failed"
1076
+ };
1077
+ }
1078
+ };
1079
+ }
1080
+ function tr(e, r) {
1081
+ const t = Qe(e), n = Ze(e, r), s = er(e), i = rr(e);
1082
+ return Object.assign(async (f, l) => {
1083
+ if (!f || typeof f != "string")
1084
+ throw new Error("Provider is required");
1085
+ const w = X(f, {
1086
+ maxLength: 50,
1087
+ allowHtml: !1,
1088
+ required: !0
1089
+ });
1090
+ if (!w.valid || !w.sanitized)
1091
+ throw new Error("Invalid provider");
1092
+ const g = w.sanitized.toLowerCase();
1093
+ if (g === "google" || g === "github" || g === "apple" || g === "facebook" || typeof g == "string" && !["credentials", "otp", "passkey"].includes(g))
1094
+ return n(g);
1095
+ if (g === "credentials")
1096
+ return !l || !("email" in l) || !("password" in l) ? {
1097
+ success: !1,
1098
+ error: "Credentials are required",
1099
+ errorCode: m.VALIDATION_ERROR
1100
+ } : t(l);
1101
+ if (g === "otp") {
1102
+ if (!l || !("email" in l))
1103
+ return {
1104
+ success: !1,
1105
+ error: "Email is required",
1106
+ errorCode: m.VALIDATION_ERROR
1107
+ };
1108
+ const A = l;
1109
+ return s(A.email, A.code);
1110
+ }
1111
+ return g === "passkey" ? i(l) : {
1112
+ success: !1,
1113
+ error: "Invalid provider",
1114
+ errorCode: m.VALIDATION_ERROR
1115
+ };
1116
+ }, {
1117
+ email: t,
1118
+ oauth: e.actions.signIn.oauth ? n : void 0,
1119
+ passkey: e.actions.signIn.passkey ? i : void 0,
1120
+ otp: e.actions.signIn.otp ? s : void 0
1121
+ });
1122
+ }
1123
+ function nr(e) {
1124
+ return async (r) => {
1125
+ if (!e.actions.signUp)
1126
+ throw new Error("Sign up is not configured. Provide signUp action in config.");
1127
+ try {
1128
+ const t = await e.actions.signUp(r);
1129
+ if (D(t)) {
1130
+ const n = await e.saveSessionAfterAuth(t);
1131
+ !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
1132
+ }
1133
+ return t;
1134
+ } catch (t) {
1135
+ return e.onError && await e.onError(
1136
+ t instanceof Error ? t : new Error(String(t)),
1137
+ "signUp"
1138
+ ), {
1139
+ success: !1,
1140
+ error: t instanceof Error ? t.message : "Sign up failed"
1141
+ };
1142
+ }
1143
+ };
1144
+ }
1145
+ function sr(e, r) {
1146
+ return async (t, n, s) => {
1147
+ const i = e.oauthProviders[t];
676
1148
  if (!i)
677
- throw new Error(`OAuth provider "${n}" is not configured. Add it to providers.oauth in config.`);
678
- if (!i.clientId)
679
- throw new Error(`OAuth provider "${n}" is missing clientId`);
680
- const u = ne();
681
- return { url: ce(n, i, d, u), state: u };
682
- }), Object.keys(o).length > 0 && !a.oauthCallback && (a.oauthCallback = async (n, i, u) => {
683
- const p = o[n];
684
- if (!p)
685
1149
  return {
686
1150
  success: !1,
687
- error: `OAuth provider "${n}" is not configured`,
688
- errorCode: y.VALIDATION_ERROR
1151
+ error: `OAuth provider "${t}" is not configured`,
1152
+ errorCode: m.VALIDATION_ERROR
689
1153
  };
690
1154
  try {
691
- const R = p.redirectUri || `${d}/api/auth/callback/${n}`, S = await le(n, p, i, R), E = await ue(n, S.access_token), h = {
692
- id: E.id,
693
- email: E.email,
694
- name: E.name,
695
- avatar: E.avatar,
696
- emailVerified: E.emailVerified,
697
- // ✅ NEW: Add provider information
698
- provider: n,
699
- // ✅ NEW: Add access token (required for backend API integration)
700
- accessToken: S.access_token,
701
- // ✅ NEW: Add refresh token (optional, for token refresh)
702
- refreshToken: S.refresh_token,
703
- // ✅ NEW: Add complete tokens object
1155
+ const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), f = await Fe(t, a.access_token), l = {
1156
+ id: f.id,
1157
+ email: f.email,
1158
+ name: f.name,
1159
+ avatar: f.avatar,
1160
+ emailVerified: f.emailVerified,
1161
+ provider: t,
1162
+ accessToken: a.access_token,
1163
+ refreshToken: a.refresh_token,
704
1164
  tokens: {
705
- access_token: S.access_token,
706
- refresh_token: S.refresh_token,
707
- expires_in: S.expires_in,
708
- token_type: S.token_type,
709
- id_token: S.id_token
1165
+ access_token: a.access_token,
1166
+ refresh_token: a.refresh_token,
1167
+ expires_in: a.expires_in,
1168
+ token_type: a.token_type,
1169
+ id_token: a.id_token
710
1170
  },
711
- // ✅ NEW: Add raw profile data (for advanced use cases)
712
- rawProfile: E.rawProfile
1171
+ rawProfile: f.rawProfile
713
1172
  };
714
- if (t.onOAuthUser) {
715
- const v = await g(t.onOAuthUser, h, n);
716
- if (!v)
1173
+ if (e.callbacks.onOAuthUser) {
1174
+ const w = await q(
1175
+ e.callbacks.onOAuthUser,
1176
+ [l, t],
1177
+ e.onError
1178
+ );
1179
+ if (!w)
717
1180
  return {
718
1181
  success: !1,
719
1182
  error: "Failed to create or retrieve user",
720
- errorCode: y.VALIDATION_ERROR
1183
+ errorCode: m.VALIDATION_ERROR
721
1184
  };
722
- const l = {
723
- user: {
724
- id: v.id,
725
- email: v.email,
726
- name: v.name,
727
- avatar: h.avatar,
728
- emailVerified: h.emailVerified
729
- },
730
- expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3),
731
- accessToken: S.access_token,
732
- refreshToken: S.refresh_token,
733
- tokenType: "Bearer",
734
- expiresIn: S.expires_in
735
- };
736
- return await b(l), m = { session: l, timestamp: Date.now() }, t.onSignIn && await g(t.onSignIn, l.user, l), { success: !0, user: l.user, session: l };
1185
+ const g = e.createSession(w, l, a);
1186
+ return await e.saveSession(g), e.callbacks.onSignIn && await q(
1187
+ e.callbacks.onSignIn,
1188
+ [g.user, g],
1189
+ e.onError
1190
+ ), { success: !0, user: g.user, session: g };
737
1191
  }
738
1192
  return {
739
1193
  success: !1,
740
1194
  error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
741
- errorCode: y.VALIDATION_ERROR
1195
+ errorCode: m.VALIDATION_ERROR
742
1196
  };
743
- } catch (R) {
744
- return P.error("OAuth callback failed", { provider: n, error: R }), {
1197
+ } catch (o) {
1198
+ return O.error("OAuth callback failed", { provider: t, error: o }), {
745
1199
  success: !1,
746
- error: R instanceof Error ? R.message : "OAuth callback failed",
747
- errorCode: y.NETWORK_ERROR
1200
+ error: o instanceof Error ? o.message : "OAuth callback failed",
1201
+ errorCode: m.NETWORK_ERROR
748
1202
  };
749
1203
  }
750
- }), !a.signIn || !a.signIn.email)
751
- throw new Error("mulguard: signIn.email action is required");
752
- let m = null;
753
- const k = ((V = r.session) == null ? void 0 : V.cacheTtl) ?? r.sessionCacheTtl ?? 5e3, I = r.oauthStateStore || de(), g = async (n, ...i) => {
754
- if (n)
755
- try {
756
- return await n(...i);
757
- } catch (u) {
758
- throw t.onError && await t.onError(u instanceof Error ? u : new Error(String(u)), "callback"), u;
759
- }
760
- }, A = async (n, i) => {
761
- const u = {
762
- provider: i,
1204
+ };
1205
+ }
1206
+ async function q(e, r, t) {
1207
+ if (e)
1208
+ try {
1209
+ return await e(...r);
1210
+ } catch (n) {
1211
+ throw t && await t(
1212
+ n instanceof Error ? n : new Error(String(n)),
1213
+ "callback"
1214
+ ), n;
1215
+ }
1216
+ }
1217
+ function ir(e, r, t, n) {
1218
+ if (Object.keys(e).length !== 0)
1219
+ return async (s) => {
1220
+ const i = e[s];
1221
+ if (!i)
1222
+ throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
1223
+ if (!i.clientId)
1224
+ throw new Error(`OAuth provider "${s}" is missing clientId`);
1225
+ const o = t();
1226
+ return { url: n(s, i, r, o), state: o };
1227
+ };
1228
+ }
1229
+ function Zr(e) {
1230
+ var L, V;
1231
+ const r = {
1232
+ ...Ke(),
1233
+ ...e.session
1234
+ }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, i = Je(), o = {
1235
+ ...Xe(),
1236
+ ...e.tokenRefresh
1237
+ }, a = ((V = e.session) == null ? void 0 : V.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, f = e.oauthStateStore || $e(), l = { ...t }, w = async (c, u) => {
1238
+ const d = {
1239
+ provider: u,
763
1240
  expiresAt: Date.now() + 6e5
764
1241
  // 10 minutes
765
1242
  };
766
- await Promise.resolve(I.set(n, u, 10 * 60 * 1e3)), I.cleanup && await Promise.resolve(I.cleanup());
767
- }, _ = async (n, i) => {
768
- const u = await Promise.resolve(I.get(n));
769
- return u ? u.expiresAt < Date.now() ? (await Promise.resolve(I.delete(n)), !1) : u.provider !== i ? !1 : (await Promise.resolve(I.delete(n)), !0) : !1;
770
- }, b = async (n) => {
771
- const i = e.cookieName || "__mulguard_session", u = typeof n == "object" && "token" in n ? String(n.token) : JSON.stringify(n), p = X(i, u, e);
772
- return await Y(p);
773
- }, U = async (n) => {
774
- if (!n.success || !n.session)
1243
+ await Promise.resolve(f.set(c, d, 10 * 60 * 1e3)), f.cleanup && await Promise.resolve(f.cleanup());
1244
+ }, g = async (c, u) => {
1245
+ const d = await Promise.resolve(f.get(c));
1246
+ return d ? d.expiresAt < Date.now() ? (await Promise.resolve(f.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(f.delete(c)), !0) : !1;
1247
+ }, A = ir(
1248
+ s,
1249
+ i,
1250
+ _e,
1251
+ be
1252
+ );
1253
+ if (A && !l.signIn.oauth) {
1254
+ const c = l.signIn;
1255
+ l.signIn = {
1256
+ ...c,
1257
+ oauth: async (u) => {
1258
+ const d = await A(u);
1259
+ return await w(d.state, u), d;
1260
+ }
1261
+ };
1262
+ }
1263
+ if (!l.signIn || !l.signIn.email)
1264
+ throw new Error("mulguard: signIn.email action is required");
1265
+ const S = async (c, ...u) => {
1266
+ if (c)
1267
+ try {
1268
+ return await c(...u);
1269
+ } catch (d) {
1270
+ throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
1271
+ }
1272
+ }, v = Ye({
1273
+ sessionConfig: r,
1274
+ cacheTtl: a,
1275
+ getSessionAction: t.getSession,
1276
+ onSessionExpired: n.onSessionExpired,
1277
+ onError: n.onError
1278
+ }), y = async (c) => {
1279
+ if (!D(c) || !c.session)
775
1280
  return { success: !0 };
776
- const i = await b(n.session);
777
- return m = { session: n.session, timestamp: Date.now() }, n.user && t.onSignIn && await g(t.onSignIn, n.user, n.session), i;
778
- }, T = async () => {
779
- const n = e.cookieName || "__mulguard_session";
780
- await J(n, {
781
- path: e.path,
782
- domain: e.domain
783
- });
1281
+ const u = await v.setSession(c.session);
1282
+ return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), u;
784
1283
  };
785
- let O = null;
786
- const C = {
1284
+ if (Object.keys(s).length > 0 && !l.oauthCallback) {
1285
+ const c = sr(
1286
+ {
1287
+ oauthProviders: s,
1288
+ baseUrl: i,
1289
+ callbacks: n,
1290
+ createSession: (u, d, R) => ({
1291
+ user: {
1292
+ ...u,
1293
+ avatar: d.avatar,
1294
+ emailVerified: d.emailVerified
1295
+ },
1296
+ expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
1297
+ accessToken: R.access_token,
1298
+ refreshToken: R.refresh_token,
1299
+ tokenType: "Bearer",
1300
+ expiresIn: R.expires_in
1301
+ }),
1302
+ saveSession: async (u) => {
1303
+ await v.setSession(u);
1304
+ },
1305
+ onError: n.onError
1306
+ }
1307
+ );
1308
+ l.oauthCallback = c;
1309
+ }
1310
+ const h = tr(
1311
+ {
1312
+ actions: l,
1313
+ callbacks: n,
1314
+ saveSessionAfterAuth: y,
1315
+ onError: n.onError
1316
+ },
1317
+ w
1318
+ ), I = nr({
1319
+ actions: l,
1320
+ callbacks: n,
1321
+ saveSessionAfterAuth: y,
1322
+ onError: n.onError
1323
+ }), _ = {
787
1324
  /**
788
1325
  * Get current session
789
1326
  * Uses custom getSession action if provided, otherwise falls back to reading from cookie
790
- * ✅ IMPROVEMENT: Added session caching for better performance
791
1327
  */
792
1328
  async getSession() {
793
- const n = Date.now();
794
- if (m && n - m.timestamp < k)
795
- return m.session;
796
- if (s.getSession)
797
- try {
798
- const i = await s.getSession();
799
- if (i && x(i))
800
- return m = { session: i, timestamp: n }, i;
801
- i && !x(i) && (await T(), m = null);
802
- } catch (i) {
803
- P.debug("getSession error", { error: i }), t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "getSession"), m = null;
804
- }
805
- try {
806
- const i = e.cookieName || "__mulguard_session", u = await G(i);
807
- if (u)
808
- try {
809
- const p = JSON.parse(u);
810
- if (x(p))
811
- return p.expiresAt && new Date(p.expiresAt) < /* @__PURE__ */ new Date() ? (t.onSessionExpired && await g(t.onSessionExpired, p), await T(), m = null, null) : (m = { session: p, timestamp: n }, p);
812
- await T(), m = null;
813
- } catch {
814
- await T(), m = null;
815
- }
816
- } catch (i) {
817
- const u = i instanceof Error ? i.message : String(i);
818
- !u.includes("request scope") && !u.includes("cookies") && (P.warn("getSession cookie error", { error: i }), t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "getSession.cookie"));
819
- }
820
- return null;
1329
+ return await v.getSession();
821
1330
  },
822
1331
  /**
823
1332
  * Get access token from current session
824
1333
  */
825
1334
  async getAccessToken() {
826
- const n = await this.getSession();
827
- return n != null && n.accessToken && typeof n.accessToken == "string" ? n.accessToken : null;
1335
+ return await v.getAccessToken();
828
1336
  },
829
1337
  /**
830
1338
  * Get refresh token from current session
831
1339
  */
832
1340
  async getRefreshToken() {
833
- const n = await this.getSession();
834
- return n != null && n.refreshToken && typeof n.refreshToken == "string" ? n.refreshToken : null;
1341
+ return await v.getRefreshToken();
835
1342
  },
836
1343
  /**
837
1344
  * Check if session has valid tokens
838
1345
  */
839
1346
  async hasValidTokens() {
840
- return !!await this.getAccessToken();
1347
+ return await v.hasValidTokens();
841
1348
  },
842
1349
  /**
843
1350
  * Unified sign in method - supports both unified and direct method calls
844
- * ✅ IMPROVEMENT: Single unified logic for all sign-in methods
845
1351
  */
846
- signIn: (() => {
847
- const n = async (E) => {
848
- try {
849
- if (!E || typeof E != "object")
850
- return {
851
- success: !1,
852
- error: "Invalid credentials",
853
- errorCode: y.VALIDATION_ERROR
854
- };
855
- if (!E.email || typeof E.email != "string")
856
- return {
857
- success: !1,
858
- error: "Email is required",
859
- errorCode: y.VALIDATION_ERROR
860
- };
861
- const h = M(E.email);
862
- if (!h.valid)
863
- return {
864
- success: !1,
865
- error: h.error || "Invalid email format",
866
- errorCode: y.VALIDATION_ERROR
867
- };
868
- if (!E.password || typeof E.password != "string")
869
- return {
870
- success: !1,
871
- error: "Password is required",
872
- errorCode: y.VALIDATION_ERROR
873
- };
874
- if (E.password.length > 128)
875
- return {
876
- success: !1,
877
- error: "Invalid credentials",
878
- errorCode: y.VALIDATION_ERROR
879
- };
880
- const v = {
881
- email: h.sanitized,
882
- password: E.password
883
- // Don't sanitize password (needed for hashing)
884
- }, l = await a.signIn.email(v);
885
- return l.success && l.session && await U(l), l.success ? P.info("Sign in successful", { email: v.email.substring(0, 3) + "***" }) : P.warn("Sign in failed", { email: v.email.substring(0, 3) + "***", errorCode: l.errorCode }), l;
886
- } catch (h) {
887
- const v = h instanceof Error ? h.message : "Sign in failed";
888
- return P.error("Sign in error", { error: v, context: "signIn.email" }), t.onError && await g(t.onError, h instanceof Error ? h : new Error(String(h)), "signIn.email"), {
889
- success: !1,
890
- error: "Sign in failed. Please try again.",
891
- errorCode: y.UNKNOWN_ERROR
892
- };
893
- }
894
- }, i = async (E) => {
895
- if (!E || typeof E != "string")
896
- throw new Error("Provider is required");
897
- const h = z(E, { maxLength: 50, allowHtml: !1, required: !0 });
898
- if (!h.valid || !h.sanitized)
899
- throw new Error("Invalid provider");
900
- const v = h.sanitized.toLowerCase();
901
- if (!a.signIn.oauth)
902
- throw new Error(
903
- "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
904
- );
905
- const l = await a.signIn.oauth(v);
906
- return await A(l.state, v), P.info("OAuth sign in initiated", { provider: v }), l;
907
- }, u = async (E) => {
908
- if (!a.signIn.passkey)
909
- throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
910
- try {
911
- const h = await a.signIn.passkey(E);
912
- return h.success && h.session && await U(h), h;
913
- } catch (h) {
914
- return t.onError && await g(t.onError, h instanceof Error ? h : new Error(String(h)), "signIn.passkey"), {
915
- success: !1,
916
- error: h instanceof Error ? h.message : "PassKey sign in failed"
917
- };
918
- }
919
- }, p = async (E, h) => {
920
- if (!E || typeof E != "string")
921
- return {
922
- success: !1,
923
- error: "Email is required",
924
- errorCode: y.VALIDATION_ERROR
925
- };
926
- const v = M(E);
927
- if (!v.valid)
928
- return {
929
- success: !1,
930
- error: v.error || "Invalid email format",
931
- errorCode: y.VALIDATION_ERROR
932
- };
933
- if (h !== void 0 && (typeof h != "string" || h.length < 4 || h.length > 10))
934
- return {
935
- success: !1,
936
- error: "Invalid OTP code format",
937
- errorCode: y.VALIDATION_ERROR
938
- };
939
- if (!a.signIn.otp)
940
- return {
941
- success: !1,
942
- error: "OTP sign in is not configured",
943
- errorCode: y.VALIDATION_ERROR
944
- };
945
- try {
946
- const l = await a.signIn.otp(v.sanitized, h);
947
- return l.success && l.session && await U(l), l.success ? P.info("OTP sign in successful", { email: v.sanitized.substring(0, 3) + "***" }) : P.warn("OTP sign in failed", { email: v.sanitized.substring(0, 3) + "***" }), l;
948
- } catch (l) {
949
- return P.error("OTP sign in error", { error: l instanceof Error ? l.message : "Unknown error", context: "signIn.otp" }), t.onError && await g(t.onError, l instanceof Error ? l : new Error(String(l)), "signIn.otp"), {
950
- success: !1,
951
- error: "OTP sign in failed. Please try again.",
952
- errorCode: y.UNKNOWN_ERROR
953
- };
954
- }
955
- }, S = Object.assign(
956
- async (E, h) => {
957
- if (!E || typeof E != "string")
958
- throw new Error("Provider is required");
959
- const v = z(E, { maxLength: 50, allowHtml: !1, required: !0 });
960
- if (!v.valid || !v.sanitized)
961
- throw new Error("Invalid provider");
962
- const l = v.sanitized.toLowerCase();
963
- if (l === "google" || l === "github" || l === "apple" || l === "facebook" || typeof l == "string" && !["credentials", "otp", "passkey"].includes(l))
964
- return i(l);
965
- if (l === "credentials")
966
- return !h || !("email" in h) || !("password" in h) ? {
967
- success: !1,
968
- error: "Credentials are required",
969
- errorCode: y.VALIDATION_ERROR
970
- } : n(h);
971
- if (l === "otp") {
972
- if (!h || !("email" in h))
973
- return {
974
- success: !1,
975
- error: "Email is required",
976
- errorCode: y.VALIDATION_ERROR
977
- };
978
- const w = h;
979
- return p(w.email, w.code);
980
- }
981
- return l === "passkey" ? u(h) : {
982
- success: !1,
983
- error: "Invalid provider",
984
- errorCode: y.VALIDATION_ERROR
985
- };
986
- },
987
- {
988
- email: n,
989
- oauth: a.signIn.oauth ? i : void 0,
990
- passkey: a.signIn.passkey ? u : void 0,
991
- otp: a.signIn.otp ? p : void 0
992
- }
993
- );
994
- return O = S, S;
995
- })(),
1352
+ signIn: h,
996
1353
  /**
997
1354
  * Sign up new user
998
1355
  */
999
- async signUp(n) {
1000
- if (!a.signUp)
1356
+ async signUp(c) {
1357
+ if (!I)
1001
1358
  throw new Error("Sign up is not configured. Provide signUp action in config.");
1002
- try {
1003
- const i = await a.signUp(n);
1004
- return i.success && i.session && await U(i), i;
1005
- } catch (i) {
1006
- return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "signUp"), {
1007
- success: !1,
1008
- error: i instanceof Error ? i.message : "Sign up failed"
1009
- };
1010
- }
1359
+ return await I(c);
1011
1360
  },
1012
1361
  /**
1013
1362
  * Sign out
1014
1363
  */
1015
1364
  async signOut() {
1016
1365
  try {
1017
- const n = await this.getSession(), i = n == null ? void 0 : n.user;
1018
- return s.signOut && await s.signOut(), await T(), m = null, i && t.onSignOut && await g(t.onSignOut, i), { success: !0 };
1019
- } catch (n) {
1020
- return await T(), t.onError && await g(t.onError, n instanceof Error ? n : new Error(String(n)), "signOut"), {
1366
+ const c = await this.getSession(), u = c == null ? void 0 : c.user;
1367
+ return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), u && n.onSignOut && await S(n.onSignOut, u), { success: !0 };
1368
+ } catch (c) {
1369
+ return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
1021
1370
  success: !1,
1022
- error: n instanceof Error ? n.message : "Sign out failed"
1371
+ error: c instanceof Error ? c.message : "Sign out failed"
1023
1372
  };
1024
1373
  }
1025
1374
  },
1026
1375
  /**
1027
1376
  * Request password reset
1028
1377
  */
1029
- async resetPassword(n) {
1030
- if (!s.resetPassword)
1378
+ async resetPassword(c) {
1379
+ if (!t.resetPassword)
1031
1380
  throw new Error("Password reset is not configured. Provide resetPassword action in config.");
1032
1381
  try {
1033
- return await s.resetPassword(n);
1034
- } catch (i) {
1035
- return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "resetPassword"), {
1382
+ return await t.resetPassword(c);
1383
+ } catch (u) {
1384
+ return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "resetPassword"), {
1036
1385
  success: !1,
1037
- error: i instanceof Error ? i.message : "Password reset failed"
1386
+ error: u instanceof Error ? u.message : "Password reset failed"
1038
1387
  };
1039
1388
  }
1040
1389
  },
1041
1390
  /**
1042
1391
  * Verify email address
1043
1392
  */
1044
- async verifyEmail(n) {
1045
- if (!s.verifyEmail)
1393
+ async verifyEmail(c) {
1394
+ if (!t.verifyEmail)
1046
1395
  throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
1047
1396
  try {
1048
- return await s.verifyEmail(n);
1049
- } catch (i) {
1050
- return t.onError && await g(t.onError, i instanceof Error ? i : new Error(String(i)), "verifyEmail"), {
1397
+ return await t.verifyEmail(c);
1398
+ } catch (u) {
1399
+ return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "verifyEmail"), {
1051
1400
  success: !1,
1052
- error: i instanceof Error ? i.message : "Email verification failed"
1401
+ error: u instanceof Error ? u.message : "Email verification failed"
1053
1402
  };
1054
1403
  }
1055
1404
  },
@@ -1058,73 +1407,73 @@ function Me(r) {
1058
1407
  * Executes custom refreshSession action with improved error handling and callbacks
1059
1408
  */
1060
1409
  async refreshSession() {
1061
- if (!s.refreshSession)
1410
+ if (!t.refreshSession)
1062
1411
  return this.getSession();
1063
1412
  try {
1064
- const n = await s.refreshSession();
1065
- if (n && x(n)) {
1066
- if (await b(n), m = { session: n, timestamp: Date.now() }, t.onSessionUpdate) {
1067
- const i = await g(t.onSessionUpdate, n);
1068
- if (i && x(i)) {
1069
- if (await b(i), t.onTokenRefresh) {
1070
- const u = await this.getSession();
1071
- u && await g(t.onTokenRefresh, u, i);
1413
+ const c = await t.refreshSession();
1414
+ if (c && N(c)) {
1415
+ if (await v.setSession(c), n.onSessionUpdate) {
1416
+ const u = await S(n.onSessionUpdate, c);
1417
+ if (u && N(u)) {
1418
+ if (await v.setSession(u), n.onTokenRefresh) {
1419
+ const d = await this.getSession();
1420
+ d && await S(n.onTokenRefresh, d, u);
1072
1421
  }
1073
- return i;
1422
+ return u;
1074
1423
  }
1075
1424
  }
1076
- if (t.onTokenRefresh) {
1077
- const i = await this.getSession();
1078
- i && await g(t.onTokenRefresh, i, n);
1425
+ if (n.onTokenRefresh) {
1426
+ const u = await this.getSession();
1427
+ u && await S(n.onTokenRefresh, u, c);
1079
1428
  }
1080
- return n;
1081
- } else if (n && !x(n))
1082
- return await T(), null;
1429
+ return c;
1430
+ } else if (c && !N(c))
1431
+ return await v.clearSessionCookie(), v.clearCache(), null;
1083
1432
  return null;
1084
- } catch (n) {
1085
- return await T(), t.onError && await g(t.onError, n instanceof Error ? n : new Error(String(n)), "refreshSession"), null;
1433
+ } catch (c) {
1434
+ return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "refreshSession"), null;
1086
1435
  }
1087
1436
  },
1088
1437
  /**
1089
1438
  * OAuth callback handler
1090
1439
  * ✅ Auto-generated if providers.oauth is configured in config
1091
1440
  */
1092
- async oauthCallback(n, i, u) {
1093
- if (!a.oauthCallback)
1441
+ async oauthCallback(c, u, d) {
1442
+ if (!l.oauthCallback)
1094
1443
  throw new Error(
1095
1444
  "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
1096
1445
  );
1097
- if (!n || !i || !u)
1446
+ if (!u || !d)
1098
1447
  return {
1099
1448
  success: !1,
1100
- error: "Missing required OAuth parameters (provider, code, or state)",
1101
- errorCode: y.VALIDATION_ERROR
1449
+ error: "Missing required OAuth parameters (code or state)",
1450
+ errorCode: m.VALIDATION_ERROR
1102
1451
  };
1103
- if (!await _(u, n))
1452
+ let R = c;
1453
+ if (!R) {
1454
+ const P = await Promise.resolve(f.get(d));
1455
+ if (P && P.provider)
1456
+ R = P.provider;
1457
+ else
1458
+ return {
1459
+ success: !1,
1460
+ error: "Provider is required and could not be extracted from state",
1461
+ errorCode: m.VALIDATION_ERROR
1462
+ };
1463
+ }
1464
+ if (!await g(d, R))
1104
1465
  return {
1105
1466
  success: !1,
1106
1467
  error: "Invalid or expired state parameter",
1107
- errorCode: y.VALIDATION_ERROR
1468
+ errorCode: m.VALIDATION_ERROR
1108
1469
  };
1109
1470
  try {
1110
- const R = await a.oauthCallback(n, i, u);
1111
- if (R.success && R.session) {
1112
- const S = await U(R);
1113
- S.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after oauthCallback", {
1114
- error: S.error,
1115
- warning: S.warning
1116
- }), t.onError && await g(
1117
- t.onError,
1118
- new Error(S.warning || S.error || "Failed to save session cookie"),
1119
- "oauthCallback.setSession"
1120
- ));
1121
- }
1122
- return R;
1123
- } catch (R) {
1124
- return t.onError && await g(t.onError, R instanceof Error ? R : new Error(String(R)), "oauthCallback"), {
1471
+ return await l.oauthCallback(R, u, d);
1472
+ } catch (P) {
1473
+ return n.onError && await S(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
1125
1474
  success: !1,
1126
- error: R instanceof Error ? R.message : "OAuth callback failed",
1127
- errorCode: y.NETWORK_ERROR
1475
+ error: P instanceof Error ? P.message : "OAuth callback failed",
1476
+ errorCode: m.NETWORK_ERROR
1128
1477
  };
1129
1478
  }
1130
1479
  },
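Review bot: In `oauthCallback`, when no provider is passed the new fallback sets `R = P.provider` from `f.get(d)` and then passes that same value to `g(d, R)`, so on this path any provider comparison inside `g` checks the state record against itself. `g` and `f` are defined outside this hunk, so this is inferred: if `g` is what ties a state to the provider it was issued for, that tie now holds only when the route or body supplies a provider. I would record this above the fallback, e.g. `// provider taken from the state record; g() below can only prove the state exists and is unexpired`, and confirm that `f.get(d)` does not consume the state before `g` runs. The session-cookie save that followed a successful callback in the removed lines (`U(R)`) is also gone from this method; presumably `l.oauthCallback` now does it, which is worth confirming.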
@@ -1132,28 +1481,28 @@ function Me(r) {
1132
1481
  * Verify 2FA code after initial sign in
1133
1482
  * Used when signIn returns requires2FA: true
1134
1483
  */
1135
- async verify2FA(n, i) {
1136
- if (!s.verify2FA)
1484
+ async verify2FA(c, u) {
1485
+ if (!t.verify2FA)
1137
1486
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1138
1487
  try {
1139
- const u = await s.verify2FA(n);
1140
- if (u.success && u.session && !(i != null && i.skipCookieSave)) {
1141
- const p = await U(u);
1142
- p.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after verify2FA", {
1143
- error: p.error,
1144
- warning: p.warning
1145
- }), t.onError && await g(
1146
- t.onError,
1147
- new Error(p.warning || p.error || "Failed to save session cookie"),
1488
+ const d = await t.verify2FA(c);
1489
+ if (d.success && d.session && !(u != null && u.skipCookieSave)) {
1490
+ const R = await y(d);
1491
+ R.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after verify2FA", {
1492
+ error: R.error,
1493
+ warning: R.warning
1494
+ }), n.onError && await S(
1495
+ n.onError,
1496
+ new Error(R.warning || R.error || "Failed to save session cookie"),
1148
1497
  "verify2FA.setSession"
1149
1498
  ));
1150
1499
  }
1151
- return u;
1152
- } catch (u) {
1153
- return t.onError && await g(t.onError, u instanceof Error ? u : new Error(String(u)), "verify2FA"), {
1500
+ return d;
1501
+ } catch (d) {
1502
+ return n.onError && await S(n.onError, d instanceof Error ? d : new Error(String(d)), "verify2FA"), {
1154
1503
  success: !1,
1155
- error: u instanceof Error ? u.message : "2FA verification failed",
1156
- errorCode: y.TWO_FA_REQUIRED
1504
+ error: d instanceof Error ? d.message : "2FA verification failed",
1505
+ errorCode: m.TWO_FA_REQUIRED
1157
1506
  };
1158
1507
  }
1159
1508
  },
@@ -1161,11 +1510,8 @@ function Me(r) {
1161
1510
  * Set session directly
1162
1511
  * Useful for Server Actions that need to save session manually
1163
1512
  */
1164
- async setSession(n) {
1165
- return x(n) ? await b(n) : {
1166
- success: !1,
1167
- error: "Invalid session structure"
1168
- };
1513
+ async setSession(c) {
1514
+ return await v.setSession(c);
1169
1515
  },
1170
1516
  /**
1171
1517
  * Internal method to get session config for Server Actions
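Review bot: `setSession` no longer rejects a malformed session at this public entry point: the removed lines returned `{ success: !1, error: "Invalid session structure" }` unless the validator accepted the object, while the new body forwards `c` straight to `v.setSession(c)`. `v` is defined outside the hunk, so the check may simply have moved, but `refreshSession` in this same file still calls `N(c)` before `v.setSession(c)`, which hints that it has not. If `v.setSession` does not validate, keep the guard here: `return N(c) ? await v.setSession(c) : { success: !1, error: "Invalid session structure" };`. Either way, a one-line comment stating where validation happens would help, since the doc comment invites Server Actions to pass their own objects.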
@@ -1173,584 +1519,561 @@ function Me(r) {
1173
1519
  * @internal
1174
1520
  */
1175
1521
  _getSessionConfig() {
1176
- return {
1177
- cookieName: e.cookieName || "__mulguard_session",
1178
- config: e
1179
- };
1522
+ return v.getSessionConfig();
1180
1523
  },
1181
1524
  _getCallbacks() {
1182
- return t;
1525
+ return n;
1183
1526
  },
1184
1527
  /**
1185
1528
  * PassKey methods
1186
1529
  */
1187
- passkey: s.passkey ? {
1188
- register: s.passkey.register,
1189
- authenticate: async (n) => {
1190
- var i;
1191
- if (!((i = s.passkey) != null && i.authenticate))
1530
+ passkey: t.passkey ? {
1531
+ register: t.passkey.register,
1532
+ authenticate: async (c) => {
1533
+ var u;
1534
+ if (!((u = t.passkey) != null && u.authenticate))
1192
1535
  throw new Error("PassKey authenticate is not configured.");
1193
1536
  try {
1194
- const u = await s.passkey.authenticate(n);
1195
- return u.success && u.session && await U(u), u;
1196
- } catch (u) {
1197
- return t.onError && await g(t.onError, u instanceof Error ? u : new Error(String(u)), "passkey.authenticate"), {
1537
+ const d = await t.passkey.authenticate(c);
1538
+ return d.success && d.session && await y(d), d;
1539
+ } catch (d) {
1540
+ return n.onError && await S(n.onError, d instanceof Error ? d : new Error(String(d)), "passkey.authenticate"), {
1198
1541
  success: !1,
1199
- error: u instanceof Error ? u.message : "PassKey authentication failed"
1542
+ error: d instanceof Error ? d.message : "PassKey authentication failed"
1200
1543
  };
1201
1544
  }
1202
1545
  },
1203
- list: s.passkey.list,
1204
- remove: s.passkey.remove
1546
+ list: t.passkey.list ? async () => {
1547
+ var u;
1548
+ if (!((u = t.passkey) != null && u.list))
1549
+ throw new Error("PassKey list is not configured.");
1550
+ return [...await t.passkey.list()];
1551
+ } : void 0,
1552
+ remove: t.passkey.remove
1205
1553
  } : void 0,
1206
1554
  /**
1207
1555
  * Two-Factor Authentication methods
1208
1556
  */
1209
- twoFactor: s.twoFactor ? {
1210
- enable: s.twoFactor.enable,
1211
- verify: s.twoFactor.verify,
1212
- disable: s.twoFactor.disable,
1213
- generateBackupCodes: s.twoFactor.generateBackupCodes,
1214
- isEnabled: s.twoFactor.isEnabled,
1215
- verify2FA: async (n) => {
1216
- var u;
1217
- const i = ((u = s.twoFactor) == null ? void 0 : u.verify2FA) || s.verify2FA;
1218
- if (!i)
1557
+ twoFactor: t.twoFactor ? {
1558
+ enable: t.twoFactor.enable,
1559
+ verify: t.twoFactor.verify,
1560
+ disable: t.twoFactor.disable,
1561
+ generateBackupCodes: t.twoFactor.generateBackupCodes,
1562
+ isEnabled: t.twoFactor.isEnabled,
1563
+ verify2FA: async (c) => {
1564
+ var d;
1565
+ const u = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
1566
+ if (!u)
1219
1567
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1220
1568
  try {
1221
- const p = await i(n);
1222
- if (p.success && p.session) {
1223
- const R = await U(p);
1224
- R.success || (process.env.NODE_ENV === "development" && P.debug("Failed to save session cookie after twoFactor.verify2FA", {
1225
- error: R.error,
1226
- warning: R.warning
1227
- }), t.onError && await g(
1228
- t.onError,
1229
- new Error(R.warning || R.error || "Failed to save session cookie"),
1569
+ const R = await u(c);
1570
+ if (R.success && R.session) {
1571
+ const C = await y(R);
1572
+ C.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after twoFactor.verify2FA", {
1573
+ error: C.error,
1574
+ warning: C.warning
1575
+ }), n.onError && await S(
1576
+ n.onError,
1577
+ new Error(C.warning || C.error || "Failed to save session cookie"),
1230
1578
  "twoFactor.verify2FA.setSession"
1231
1579
  ));
1232
1580
  }
1233
- return p;
1234
- } catch (p) {
1235
- return t.onError && await g(t.onError, p instanceof Error ? p : new Error(String(p)), "twoFactor.verify2FA"), {
1581
+ return R;
1582
+ } catch (R) {
1583
+ return n.onError && await S(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
1236
1584
  success: !1,
1237
- error: p instanceof Error ? p.message : "2FA verification failed",
1238
- errorCode: y.UNKNOWN_ERROR
1585
+ error: R instanceof Error ? R.message : "2FA verification failed",
1586
+ errorCode: m.UNKNOWN_ERROR
1239
1587
  };
1240
1588
  }
1241
1589
  }
1242
1590
  } : void 0,
1243
1591
  /**
1244
1592
  * Sign in methods - alias for signIn (for backward compatibility)
1245
- * ✅ IMPROVEMENT: Uses unified signIn logic
1246
1593
  */
1247
1594
  signInMethods: {
1248
- email: (n) => O.email(n),
1249
- oauth: (n) => {
1250
- var i;
1251
- return ((i = O.oauth) == null ? void 0 : i.call(O, n)) || Promise.reject(new Error("OAuth not configured"));
1252
- },
1253
- passkey: (n) => {
1254
- var i;
1255
- return ((i = O.passkey) == null ? void 0 : i.call(O, n)) || Promise.reject(new Error("Passkey not configured"));
1595
+ email: (c) => h.email(c),
1596
+ oauth: (c) => {
1597
+ var u;
1598
+ return ((u = h.oauth) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
1256
1599
  },
1257
- otp: (n, i) => {
1600
+ passkey: (c) => {
1258
1601
  var u;
1259
- return ((u = O.otp) == null ? void 0 : u.call(O, n, i)) || Promise.reject(new Error("OTP not configured"));
1602
+ return ((u = h.passkey) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
1603
+ },
1604
+ otp: (c, u) => {
1605
+ var d;
1606
+ return ((d = h.otp) == null ? void 0 : d.call(h, c, u)) || Promise.reject(new Error("OTP not configured"));
1260
1607
  }
1261
1608
  }
1262
1609
  };
1263
- if (s.refreshSession) {
1264
- const n = he(
1265
- async () => await C.refreshSession(),
1266
- async () => await C.signOut(),
1610
+ if (t.refreshSession) {
1611
+ const c = Ge(
1612
+ async () => await _.refreshSession(),
1613
+ async () => await _.signOut(),
1267
1614
  async () => {
1268
- await T();
1615
+ await v.clearSessionCookie(), v.clearCache();
1269
1616
  },
1270
1617
  {
1271
- ...c,
1272
- onTokenRefreshed: c.onTokenRefreshed,
1273
- onTokenRefreshFailed: c.onTokenRefreshFailed,
1274
- onBeforeRedirect: c.onBeforeRedirect
1618
+ ...o,
1619
+ onTokenRefreshed: o.onTokenRefreshed,
1620
+ onTokenRefreshFailed: o.onTokenRefreshFailed,
1621
+ onBeforeRedirect: o.onBeforeRedirect
1275
1622
  }
1276
1623
  );
1277
- C._tokenRefreshManager = n, C._getTokenRefreshManager = () => n;
1624
+ _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
1278
1625
  }
1279
- return C;
1626
+ return _;
1280
1627
  }
1281
- function ze(r) {
1628
+ function et(e) {
1282
1629
  return {
1283
- GET: async (e) => W(e, r, "GET"),
1284
- POST: async (e) => W(e, r, "POST")
1630
+ GET: async (r) => B(r, e, "GET"),
1631
+ POST: async (r) => B(r, e, "POST")
1285
1632
  };
1286
1633
  }
1287
- async function W(r, e, s) {
1288
- const t = new URL(r.url), o = t.pathname.replace(/^\/api\/auth/, "") || "/session", d = o.split("/").filter(Boolean);
1634
+ async function B(e, r, t) {
1635
+ const n = new URL(e.url), s = or(n.pathname), i = s.split("/").filter(Boolean);
1289
1636
  try {
1290
- if (s === "GET") {
1291
- if (o === "/session" || o === "/") {
1292
- const c = await e.getSession();
1293
- return f.json({ session: c });
1294
- }
1295
- if (o === "/providers")
1296
- return f.json({
1297
- providers: {
1298
- email: !!e.signIn.email,
1299
- oauth: !!e.signIn.oauth,
1300
- passkey: !!e.signIn.passkey
1301
- }
1302
- });
1303
- if (o.startsWith("/oauth/callback") || d[0] === "oauth" && d[1] === "callback") {
1304
- if (!e.oauthCallback)
1305
- return f.redirect(new URL("/login?error=oauth_not_configured", r.url));
1306
- const c = d[2] || t.searchParams.get("provider"), a = t.searchParams.get("code"), m = t.searchParams.get("state");
1307
- if (!c || !a || !m)
1308
- return f.redirect(new URL("/login?error=oauth_missing_params", r.url));
1309
- try {
1310
- const k = await e.oauthCallback(c, a, m);
1311
- if (k.success) {
1312
- const I = t.searchParams.get("callbackUrl") || "/";
1313
- return f.redirect(new URL(I, r.url));
1314
- } else
1315
- return f.redirect(
1316
- new URL(`/login?error=${encodeURIComponent(k.error || "oauth_failed")}`, r.url)
1317
- );
1318
- } catch (k) {
1319
- return f.redirect(
1320
- new URL(
1321
- `/login?error=${encodeURIComponent(k instanceof Error ? k.message : "oauth_error")}`,
1322
- r.url
1323
- )
1324
- );
1325
- }
1326
- }
1327
- return f.json(
1328
- { error: "Not found" },
1329
- { status: 404 }
1330
- );
1331
- }
1332
- if (s === "POST") {
1333
- const c = await r.json().catch(() => ({}));
1334
- if (o === "/sign-in" || d[0] === "sign-in") {
1335
- if (c.provider === "email" && c.email && c.password) {
1336
- const a = await e.signIn.email({
1337
- email: c.email,
1338
- password: c.password
1339
- });
1340
- return f.json(a);
1341
- }
1342
- if (c.provider === "oauth" && c.providerName) {
1343
- if (!e.signIn.oauth)
1344
- return f.json(
1345
- { success: !1, error: "OAuth is not configured" },
1346
- { status: 400 }
1347
- );
1348
- const a = await e.signIn.oauth(c.providerName);
1349
- return f.json(a);
1350
- }
1351
- if (c.provider === "passkey") {
1352
- if (!e.signIn.passkey)
1353
- return f.json(
1354
- { success: !1, error: "PassKey is not configured" },
1355
- { status: 400 }
1356
- );
1357
- const a = await e.signIn.passkey(c.options);
1358
- return f.json(a);
1359
- }
1360
- return f.json(
1361
- { success: !1, error: "Invalid sign in request" },
1362
- { status: 400 }
1363
- );
1364
- }
1365
- if (o === "/sign-up" || d[0] === "sign-up") {
1366
- if (!e.signUp)
1367
- return f.json(
1368
- { success: !1, error: "Sign up is not configured" },
1369
- { status: 400 }
1370
- );
1371
- const a = await e.signUp(c);
1372
- return f.json(a);
1373
- }
1374
- if (o === "/sign-out" || d[0] === "sign-out") {
1375
- const a = await e.signOut();
1376
- return f.json(a);
1377
- }
1378
- if (o === "/reset-password" || d[0] === "reset-password") {
1379
- if (!e.resetPassword)
1380
- return f.json(
1381
- { success: !1, error: "Password reset is not configured" },
1382
- { status: 400 }
1383
- );
1384
- const a = await e.resetPassword(c.email);
1385
- return f.json(a);
1386
- }
1387
- if (o === "/verify-email" || d[0] === "verify-email") {
1388
- if (!e.verifyEmail)
1389
- return f.json(
1390
- { success: !1, error: "Email verification is not configured" },
1391
- { status: 400 }
1392
- );
1393
- const a = await e.verifyEmail(c.token);
1394
- return f.json(a);
1395
- }
1396
- if (o === "/refresh" || d[0] === "refresh") {
1397
- if (!e.refreshSession) {
1398
- const m = await e.getSession();
1399
- return f.json({ session: m });
1400
- }
1401
- const a = await e.refreshSession();
1402
- return f.json({ session: a });
1403
- }
1404
- if (o.startsWith("/oauth/callback") || d[0] === "oauth" && d[1] === "callback") {
1405
- if (!e.oauthCallback)
1406
- return f.json(
1407
- { success: !1, error: "OAuth callback is not configured" },
1408
- { status: 400 }
1409
- );
1410
- const a = c.provider || d[2] || t.searchParams.get("provider"), m = c.code || t.searchParams.get("code"), k = c.state || t.searchParams.get("state");
1411
- if (!a || !m || !k)
1412
- return f.json(
1413
- {
1414
- success: !1,
1415
- error: "Missing required OAuth parameters. Provider, code, and state are required."
1416
- },
1417
- { status: 400 }
1418
- );
1419
- const I = await e.oauthCallback(a, m, k);
1420
- return f.json(I);
1421
- }
1422
- if (o.startsWith("/passkey")) {
1423
- if (!e.passkey)
1424
- return f.json(
1425
- { success: !1, error: "PassKey is not configured" },
1426
- { status: 400 }
1427
- );
1428
- if (d[1] === "register" && e.passkey.register) {
1429
- const a = await e.passkey.register(c.options);
1430
- return f.json(a);
1431
- }
1432
- if (d[1] === "list" && e.passkey.list) {
1433
- const a = await e.passkey.list();
1434
- return f.json(a);
1435
- }
1436
- if (d[1] === "remove" && e.passkey.remove) {
1437
- const a = await e.passkey.remove(c.passkeyId);
1438
- return f.json(a);
1439
- }
1440
- }
1441
- if (o === "/verify-2fa" || d[0] === "verify-2fa") {
1442
- if (!e.verify2FA)
1443
- return f.json(
1444
- { success: !1, error: "2FA verification is not configured" },
1445
- { status: 400 }
1446
- );
1447
- if (!c.email || !c.userId || !c.code)
1448
- return f.json(
1449
- {
1450
- success: !1,
1451
- error: "Missing required parameters. Email, userId, and code are required."
1452
- },
1453
- { status: 400 }
1454
- );
1455
- const a = await e.verify2FA({
1456
- email: c.email,
1457
- userId: c.userId,
1458
- code: c.code
1459
- });
1460
- return f.json(a);
1461
- }
1462
- if (o.startsWith("/two-factor")) {
1463
- if (!e.twoFactor)
1464
- return f.json(
1465
- { success: !1, error: "Two-Factor Authentication is not configured" },
1466
- { status: 400 }
1467
- );
1468
- if (d[1] === "enable" && e.twoFactor.enable) {
1469
- const a = await e.twoFactor.enable();
1470
- return f.json(a);
1471
- }
1472
- if (d[1] === "verify" && e.twoFactor.verify) {
1473
- const a = await e.twoFactor.verify(c.code);
1474
- return f.json(a);
1475
- }
1476
- if (d[1] === "disable" && e.twoFactor.disable) {
1477
- const a = await e.twoFactor.disable();
1478
- return f.json(a);
1479
- }
1480
- if (d[1] === "backup-codes" && e.twoFactor.generateBackupCodes) {
1481
- const a = await e.twoFactor.generateBackupCodes();
1482
- return f.json(a);
1483
- }
1484
- if (d[1] === "is-enabled" && e.twoFactor.isEnabled) {
1485
- const a = await e.twoFactor.isEnabled();
1486
- return f.json({ enabled: a });
1487
- }
1488
- }
1489
- return f.json(
1490
- { error: "Not found" },
1491
- { status: 404 }
1492
- );
1493
- }
1494
- return f.json(
1495
- { error: "Method not allowed" },
1496
- { status: 405 }
1497
- );
1498
- } catch (c) {
1499
- return f.json(
1500
- {
1501
- success: !1,
1502
- error: c instanceof Error ? c.message : "Request failed"
1503
- },
1504
- { status: 500 }
1637
+ return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : T("Method not allowed", 405);
1638
+ } catch (o) {
1639
+ return T(
1640
+ o instanceof Error ? o.message : "Request failed",
1641
+ 500
1505
1642
  );
1506
1643
  }
1507
1644
  }
1508
- function We(r) {
1509
- return async (e) => {
1510
- const { method: s, nextUrl: t } = e, d = t.pathname.replace(/^\/api\/auth/, "") || "/";
1645
+ function or(e) {
1646
+ return e.replace(/^\/api\/auth/, "") || "/session";
1647
+ }
1648
+ async function ar(e, r, t, n, s) {
1649
+ if (t === "/session" || t === "/") {
1650
+ const i = await r.getSession();
1651
+ return E.json({ session: i });
1652
+ }
1653
+ return t === "/providers" ? E.json({
1654
+ providers: {
1655
+ email: !!r.signIn.email,
1656
+ oauth: !!r.signIn.oauth,
1657
+ passkey: !!r.signIn.passkey
1658
+ }
1659
+ }) : re(t, n) ? await te(e, r, t, n, s, "GET") : T("Not found", 404);
1660
+ }
1661
+ async function cr(e, r, t, n, s) {
1662
+ const i = await ur(e);
1663
+ return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : T("Not found", 404);
1664
+ }
1665
+ async function ur(e) {
1666
+ try {
1667
+ return await e.json();
1668
+ } catch {
1669
+ return {};
1670
+ }
1671
+ }
1672
+ function re(e, r) {
1673
+ return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
1674
+ }
1675
+ async function te(e, r, t, n, s, i, o) {
1676
+ if (!r.oauthCallback)
1677
+ return i === "GET" ? M(e.url, "oauth_not_configured") : T("OAuth callback is not configured", 400);
1678
+ const a = lr(n, s, o), f = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), l = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
1679
+ if (!f || !l)
1680
+ return i === "GET" ? M(e.url, "oauth_missing_params") : T("Missing required OAuth parameters. Code and state are required.", 400);
1681
+ try {
1682
+ const w = await r.oauthCallback(a ?? "", f, l);
1683
+ return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : M(e.url, w.error ?? "oauth_failed") : E.json(w);
1684
+ } catch (w) {
1685
+ return i === "GET" ? M(e.url, w instanceof Error ? w.message : "oauth_error") : T(w instanceof Error ? w.message : "OAuth callback failed", 500);
1686
+ }
1687
+ }
1688
+ function lr(e, r, t) {
1689
+ return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
1690
+ }
1691
+ async function fr(e, r) {
1692
+ if (r.provider === "email" && r.email && r.password) {
1693
+ const t = {
1694
+ email: r.email,
1695
+ password: r.password
1696
+ }, n = await e.signIn.email(t);
1697
+ return E.json(n);
1698
+ }
1699
+ if (r.provider === "oauth" && r.providerName) {
1700
+ if (!e.signIn.oauth)
1701
+ return T("OAuth is not configured", 400);
1702
+ const t = await e.signIn.oauth(r.providerName);
1703
+ return E.json(t);
1704
+ }
1705
+ if (r.provider === "passkey") {
1706
+ if (!e.signIn.passkey)
1707
+ return T("PassKey is not configured", 400);
1708
+ const t = await e.signIn.passkey(r.options);
1709
+ return E.json(t);
1710
+ }
1711
+ return T("Invalid sign in request", 400);
1712
+ }
1713
+ async function dr(e, r) {
1714
+ if (!e.signUp)
1715
+ return T("Sign up is not configured", 400);
1716
+ const t = await e.signUp(r);
1717
+ return E.json(t);
1718
+ }
1719
+ async function hr(e) {
1720
+ const r = await e.signOut();
1721
+ return E.json(r);
1722
+ }
1723
+ async function gr(e, r) {
1724
+ if (!e.resetPassword)
1725
+ return T("Password reset is not configured", 400);
1726
+ if (!r.email || typeof r.email != "string")
1727
+ return T("Email is required", 400);
1728
+ const t = await e.resetPassword(r.email);
1729
+ return E.json(t);
1730
+ }
1731
+ async function wr(e, r) {
1732
+ if (!e.verifyEmail)
1733
+ return T("Email verification is not configured", 400);
1734
+ if (!r.token || typeof r.token != "string")
1735
+ return T("Token is required", 400);
1736
+ const t = await e.verifyEmail(r.token);
1737
+ return E.json(t);
1738
+ }
1739
+ async function pr(e) {
1740
+ if (!e.refreshSession) {
1741
+ const t = await e.getSession();
1742
+ return E.json({ session: t });
1743
+ }
1744
+ const r = await e.refreshSession();
1745
+ return E.json({ session: r });
1746
+ }
1747
+ async function mr(e, r) {
1748
+ if (!e.verify2FA)
1749
+ return T("2FA verification is not configured", 400);
1750
+ if (!r.email || !r.userId || !r.code)
1751
+ return T("Missing required parameters. Email, userId, and code are required.", 400);
1752
+ const t = {
1753
+ email: r.email,
1754
+ userId: r.userId,
1755
+ code: r.code
1756
+ }, n = await e.verify2FA(t);
1757
+ return E.json(n);
1758
+ }
1759
+ async function Er(e, r, t, n) {
1760
+ if (!e.passkey)
1761
+ return T("PassKey is not configured", 400);
1762
+ const s = t[1];
1763
+ if (s === "register" && e.passkey.register) {
1764
+ const i = await e.passkey.register(n.options);
1765
+ return E.json(i);
1766
+ }
1767
+ if (s === "list" && e.passkey.list) {
1768
+ const i = await e.passkey.list();
1769
+ return E.json(i);
1770
+ }
1771
+ if (s === "remove" && e.passkey.remove) {
1772
+ if (!n.passkeyId || typeof n.passkeyId != "string")
1773
+ return T("Passkey ID is required", 400);
1774
+ const i = await e.passkey.remove(n.passkeyId);
1775
+ return E.json(i);
1776
+ }
1777
+ return T("Invalid Passkey request", 400);
1778
+ }
1779
+ async function yr(e, r, t) {
1780
+ if (!e.twoFactor)
1781
+ return T("Two-Factor Authentication is not configured", 400);
1782
+ const n = r[1];
1783
+ if (n === "enable" && e.twoFactor.enable) {
1784
+ const s = await e.twoFactor.enable();
1785
+ return E.json(s);
1786
+ }
1787
+ if (n === "verify" && e.twoFactor.verify) {
1788
+ if (!t.code || typeof t.code != "string")
1789
+ return T("Code is required", 400);
1790
+ const s = await e.twoFactor.verify(t.code);
1791
+ return E.json(s);
1792
+ }
1793
+ if (n === "disable" && e.twoFactor.disable) {
1794
+ const s = await e.twoFactor.disable();
1795
+ return E.json(s);
1796
+ }
1797
+ if (n === "backup-codes" && e.twoFactor.generateBackupCodes) {
1798
+ const s = await e.twoFactor.generateBackupCodes();
1799
+ return E.json(s);
1800
+ }
1801
+ if (n === "is-enabled" && e.twoFactor.isEnabled) {
1802
+ const s = await e.twoFactor.isEnabled();
1803
+ return E.json({ enabled: s });
1804
+ }
1805
+ return T("Invalid two-factor request", 400);
1806
+ }
1807
+ function T(e, r) {
1808
+ return E.json(
1809
+ {
1810
+ success: !1,
1811
+ error: e
1812
+ },
1813
+ { status: r }
1814
+ );
1815
+ }
1816
+ function M(e, r) {
1817
+ return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
1818
+ }
1819
+ function kr(e, r) {
1820
+ const t = r ?? "/";
1821
+ return E.redirect(new URL(t, e));
1822
+ }
1823
+ function rt(e) {
1824
+ return async (r) => {
1825
+ const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
1511
1826
  try {
1512
- let c;
1513
- if (s !== "GET" && s !== "HEAD")
1827
+ let o;
1828
+ if (t !== "GET" && t !== "HEAD")
1514
1829
  try {
1515
- c = await e.json();
1830
+ o = await r.json();
1516
1831
  } catch {
1517
1832
  }
1518
- const a = Object.fromEntries(t.searchParams.entries()), m = await fetch(
1519
- `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${d}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
1833
+ const a = Object.fromEntries(n.searchParams.entries()), f = await fetch(
1834
+ `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
1520
1835
  {
1521
- method: s,
1836
+ method: t,
1522
1837
  headers: {
1523
1838
  "Content-Type": "application/json",
1524
- ...Object.fromEntries(e.headers.entries())
1839
+ ...Object.fromEntries(r.headers.entries())
1525
1840
  },
1526
- body: c ? JSON.stringify(c) : void 0
1841
+ body: o ? JSON.stringify(o) : void 0
1527
1842
  }
1528
- ), k = await m.json();
1529
- return f.json(k, {
1530
- status: m.status,
1843
+ ), l = await f.json();
1844
+ return E.json(l, {
1845
+ status: f.status,
1531
1846
  headers: {
1532
- ...Object.fromEntries(m.headers.entries())
1847
+ ...Object.fromEntries(f.headers.entries())
1533
1848
  }
1534
1849
  });
1535
- } catch (c) {
1536
- return console.error("API handler error:", c), f.json(
1850
+ } catch (o) {
1851
+ return console.error("API handler error:", o), E.json(
1537
1852
  {
1538
1853
  success: !1,
1539
- error: c instanceof Error ? c.message : "Internal server error"
1854
+ error: o instanceof Error ? o.message : "Internal server error"
1540
1855
  },
1541
1856
  { status: 500 }
1542
1857
  );
1543
1858
  }
1544
1859
  };
1545
1860
  }
1546
- function qe(r) {
1547
- return async (e) => {
1548
- const { searchParams: s } = e.nextUrl, t = s.get("provider"), o = s.get("code"), d = s.get("state");
1549
- if (!t || !o || !d)
1550
- return f.redirect(
1551
- new URL("/login?error=oauth_missing_params", e.url)
1861
+ function tt(e) {
1862
+ return async (r) => {
1863
+ const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), i = t.get("state");
1864
+ if (!n || !s || !i)
1865
+ return E.redirect(
1866
+ new URL("/login?error=oauth_missing_params", r.url)
1552
1867
  );
1553
1868
  try {
1554
- if (!r.oauthCallback)
1555
- return f.redirect(
1556
- new URL("/login?error=oauth_not_configured", e.url)
1869
+ if (!e.oauthCallback)
1870
+ return E.redirect(
1871
+ new URL("/login?error=oauth_not_configured", r.url)
1557
1872
  );
1558
- const c = await r.oauthCallback(t, o, d);
1559
- if (c.success) {
1560
- const a = s.get("callbackUrl") || "/";
1561
- return f.redirect(new URL(a, e.url));
1873
+ const o = await e.oauthCallback(n, s, i);
1874
+ if (o.success) {
1875
+ const a = t.get("callbackUrl") || "/";
1876
+ return E.redirect(new URL(a, r.url));
1562
1877
  } else {
1563
- const a = c.errorCode ? `${encodeURIComponent(c.error || "oauth_failed")}&code=${c.errorCode}` : encodeURIComponent(c.error || "oauth_failed");
1564
- return f.redirect(
1565
- new URL(`/login?error=${a}`, e.url)
1878
+ const a = o.errorCode ? `${encodeURIComponent(o.error || "oauth_failed")}&code=${o.errorCode}` : encodeURIComponent(o.error || "oauth_failed");
1879
+ return E.redirect(
1880
+ new URL(`/login?error=${a}`, r.url)
1566
1881
  );
1567
1882
  }
1568
- } catch (c) {
1569
- return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", c), f.redirect(
1883
+ } catch (o) {
1884
+ return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", o), E.redirect(
1570
1885
  new URL(
1571
- `/login?error=${encodeURIComponent(c instanceof Error ? c.message : "oauth_error")}`,
1572
- e.url
1886
+ `/login?error=${encodeURIComponent(o instanceof Error ? o.message : "oauth_error")}`,
1887
+ r.url
1573
1888
  )
1574
1889
  );
1575
1890
  }
1576
1891
  };
1577
1892
  }
1578
- function L(r, e) {
1579
- const s = q({
1893
+ function F(e, r) {
1894
+ const t = H({
1580
1895
  // Customize headers if needed
1581
1896
  "X-Frame-Options": "SAMEORIGIN"
1582
1897
  // Allow same-origin framing
1583
1898
  });
1584
- for (const [t, o] of Object.entries(s))
1585
- o && typeof o == "string" && e.headers.set(t, o);
1586
- return e;
1899
+ for (const [n, s] of Object.entries(t))
1900
+ s && typeof s == "string" && r.headers.set(n, s);
1901
+ return r;
1587
1902
  }
1588
- function Be() {
1589
- return async (r) => {
1590
- const e = f.next();
1591
- return L(r, e);
1903
+ function nt() {
1904
+ return async (e) => {
1905
+ const r = E.next();
1906
+ return F(e, r);
1592
1907
  };
1593
1908
  }
1594
- function He(r, e = {}) {
1909
+ function st(e, r = {}) {
1595
1910
  const {
1596
- protectedRoutes: s = [],
1597
- publicRoutes: t = [],
1598
- redirectTo: o = "/login",
1599
- redirectIfAuthenticated: d
1600
- } = e;
1601
- return async (c) => {
1602
- const { pathname: a } = c.nextUrl, m = s.some((g) => a.startsWith(g));
1603
- let k = null;
1911
+ protectedRoutes: t = [],
1912
+ publicRoutes: n = [],
1913
+ redirectTo: s = "/login",
1914
+ redirectIfAuthenticated: i
1915
+ } = r;
1916
+ return async (o) => {
1917
+ const { pathname: a } = o.nextUrl, f = t.some((g) => a.startsWith(g));
1918
+ let l = null;
1604
1919
  try {
1605
- k = await r.getSession();
1920
+ l = await e.getSession();
1606
1921
  } catch (g) {
1607
1922
  console.error("Middleware: Failed to get session:", g);
1608
1923
  }
1609
- if (m && !k) {
1610
- const g = c.nextUrl.clone();
1611
- return g.pathname = o, g.searchParams.set("callbackUrl", a), f.redirect(g);
1924
+ if (f && !l) {
1925
+ const g = o.nextUrl.clone();
1926
+ return g.pathname = s, g.searchParams.set("callbackUrl", a), E.redirect(g);
1612
1927
  }
1613
- if (d && k && (a.startsWith("/login") || a.startsWith("/register"))) {
1614
- const A = c.nextUrl.clone();
1615
- A.pathname = d;
1616
- const _ = f.redirect(A);
1617
- return L(c, _);
1928
+ if (i && l && (a.startsWith("/login") || a.startsWith("/register"))) {
1929
+ const A = o.nextUrl.clone();
1930
+ A.pathname = i;
1931
+ const S = E.redirect(A);
1932
+ return F(o, S);
1618
1933
  }
1619
- const I = f.next();
1620
- return L(c, I);
1934
+ const w = E.next();
1935
+ return F(o, w);
1621
1936
  };
1622
1937
  }
1623
- async function Ke(r, e) {
1624
- var s;
1938
+ async function it(e, r) {
1939
+ var t;
1625
1940
  try {
1626
- const t = await r.getSession();
1627
- return t ? ((s = t.user.roles) == null ? void 0 : s.includes(e)) ?? !1 : !1;
1941
+ const n = await e.getSession();
1942
+ return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
1628
1943
  } catch {
1629
1944
  return !1;
1630
1945
  }
1631
1946
  }
1632
- function Xe(r) {
1947
+ function ot(e) {
1633
1948
  const {
1634
- auth: e,
1635
- protectedRoutes: s = [],
1636
- publicRoutes: t = [],
1637
- redirectTo: o = "/login",
1638
- redirectIfAuthenticated: d,
1639
- apiPrefix: c = "/api/auth"
1640
- } = r;
1949
+ auth: r,
1950
+ protectedRoutes: t = [],
1951
+ publicRoutes: n = [],
1952
+ redirectTo: s = "/login",
1953
+ redirectIfAuthenticated: i,
1954
+ apiPrefix: o = "/api/auth"
1955
+ } = e;
1641
1956
  return async (a) => {
1642
- const { pathname: m } = a.nextUrl;
1643
- if (m.startsWith(c)) {
1644
- const A = f.next();
1645
- return L(a, A);
1957
+ const { pathname: f } = a.nextUrl;
1958
+ if (f.startsWith(o)) {
1959
+ const A = E.next();
1960
+ return F(a, A);
1646
1961
  }
1647
- const k = s.some((A) => m.startsWith(A));
1648
- let I = null;
1649
- if (k || d)
1962
+ const l = t.some((A) => f.startsWith(A));
1963
+ let w = null;
1964
+ if (l || i)
1650
1965
  try {
1651
- I = await e.getSession();
1966
+ w = await r.getSession();
1652
1967
  } catch (A) {
1653
1968
  console.error("Middleware: Failed to get session:", A);
1654
1969
  }
1655
- if (k && !I) {
1970
+ if (l && !w) {
1656
1971
  const A = a.nextUrl.clone();
1657
- A.pathname = o, A.searchParams.set("callbackUrl", m);
1658
- const _ = f.redirect(A);
1659
- return L(a, _);
1972
+ A.pathname = s, A.searchParams.set("callbackUrl", f);
1973
+ const S = E.redirect(A);
1974
+ return F(a, S);
1660
1975
  }
1661
- if (d && I && (m.startsWith("/login") || m.startsWith("/register"))) {
1662
- const _ = a.nextUrl.clone();
1663
- _.pathname = d;
1664
- const b = f.redirect(_);
1665
- return L(a, b);
1976
+ if (i && w && (f.startsWith("/login") || f.startsWith("/register"))) {
1977
+ const S = a.nextUrl.clone();
1978
+ S.pathname = i;
1979
+ const v = E.redirect(S);
1980
+ return F(a, v);
1666
1981
  }
1667
- const g = f.next();
1668
- return L(a, g);
1982
+ const g = E.next();
1983
+ return F(a, g);
1669
1984
  };
1670
1985
  }
1671
- async function Ye(r, e) {
1672
- var s;
1986
+ async function at(e, r) {
1987
+ var t;
1673
1988
  try {
1674
- const t = await r.getSession();
1675
- return t ? ((s = t.user.roles) == null ? void 0 : s.includes(e)) ?? !1 : !1;
1989
+ const n = await e.getSession();
1990
+ return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
1676
1991
  } catch {
1677
1992
  return !1;
1678
1993
  }
1679
1994
  }
1680
1995
  export {
1681
- te as CSRFProtection,
1682
- ee as DEFAULT_SECURITY_HEADERS,
1683
- re as MemoryCSRFStore,
1684
- fe as MemoryOAuthStateStore,
1685
- Z as RateLimiter,
1686
- Re as applySecurityHeaders,
1687
- X as buildCookieOptions,
1688
- ce as buildOAuthAuthorizationUrl,
1689
- Ke as checkRole,
1690
- Ye as checkRoleProxy,
1691
- Pe as containsXSSPattern,
1692
- We as createApiHandler,
1693
- He as createAuthMiddleware,
1694
- Oe as createCSRFProtection,
1695
- de as createMemoryOAuthStateStore,
1696
- qe as createOAuthCallbackHandler,
1697
- Xe as createProxyMiddleware,
1698
- ve as createRateLimiter,
1699
- Be as createSecurityMiddleware,
1700
- sr as createServerAuthMiddleware,
1701
- nr as createServerHelpers,
1702
- or as createServerUtils,
1703
- ir as createSessionManager,
1704
- J as deleteCookie,
1705
- ar as deleteOAuthStateCookie,
1706
- se as escapeHTML,
1707
- le as exchangeOAuthCode,
1708
- ne as generateCSRFToken,
1709
- B as generateToken,
1710
- G as getCookie,
1711
- cr as getCurrentUser,
1712
- xe as getErrorCode,
1713
- Fe as getErrorMessage,
1714
- lr as getOAuthStateCookie,
1715
- ue as getOAuthUserInfo,
1716
- $ as getProviderMetadata,
1717
- q as getSecurityHeaders,
1718
- ur as getServerSession,
1719
- fr as getSessionTimeUntilExpiry,
1720
- Ve as getUserFriendlyError,
1721
- je as hasErrorCode,
1722
- ie as isAuthError,
1723
- Le as isAuthSuccess,
1724
- De as isRetryableError,
1725
- dr as isSessionExpiredNullable,
1726
- gr as isSessionExpiringSoon,
1727
- hr as isSessionValid,
1728
- Ne as isTwoFactorRequired,
1729
- Ue as isValidEmail,
1730
- Me as mulguard,
1731
- wr as refreshSession,
1732
- mr as requireAuth,
1733
- pr as requireRole,
1734
- yr as requireServerAuthMiddleware,
1735
- Er as requireServerRoleMiddleware,
1736
- be as sanitizeHTML,
1737
- Ce as sanitizeInput,
1738
- Te as sanitizeUserInput,
1739
- Y as setCookie,
1740
- $e as signIn,
1741
- Qe as signInEmailAction,
1742
- Ze as signOutAction,
1743
- er as signUpAction,
1744
- kr as storeOAuthStateCookie,
1745
- ze as toNextJsHandler,
1746
- M as validateAndSanitizeEmail,
1747
- z as validateAndSanitizeInput,
1748
- Se as validateAndSanitizeName,
1749
- Ae as validateAndSanitizePassword,
1750
- oe as validateCSRFToken,
1751
- x as validateSessionStructure,
1752
- _e as validateToken,
1753
- Ie as validateURL,
1754
- rr as verify2FAAction,
1755
- L as withSecurityHeaders
1996
+ Ie as CSRFProtection,
1997
+ fe as DEFAULT_SECURITY_HEADERS,
1998
+ Te as MemoryCSRFStore,
1999
+ ze as MemoryOAuthStateStore,
2000
+ le as RateLimiter,
2001
+ Ir as applySecurityHeaders,
2002
+ oe as buildCookieOptions,
2003
+ be as buildOAuthAuthorizationUrl,
2004
+ it as checkRole,
2005
+ at as checkRoleProxy,
2006
+ Mr as containsXSSPattern,
2007
+ rt as createApiHandler,
2008
+ st as createAuthMiddleware,
2009
+ Dr as createCSRFProtection,
2010
+ $e as createMemoryOAuthStateStore,
2011
+ tt as createOAuthCallbackHandler,
2012
+ ot as createProxyMiddleware,
2013
+ Tr as createRateLimiter,
2014
+ nt as createSecurityMiddleware,
2015
+ wt as createServerAuthMiddleware,
2016
+ pt as createServerHelpers,
2017
+ mt as createServerUtils,
2018
+ Et as createSessionManager,
2019
+ ie as deleteCookie,
2020
+ yt as deleteOAuthStateCookie,
2021
+ Oe as escapeHTML,
2022
+ Ue as exchangeOAuthCode,
2023
+ _e as generateCSRFToken,
2024
+ Y as generateToken,
2025
+ ce as getCookie,
2026
+ kt as getCurrentUser,
2027
+ Br as getErrorCode,
2028
+ qr as getErrorMessage,
2029
+ vt as getOAuthStateCookie,
2030
+ Fe as getOAuthUserInfo,
2031
+ j as getProviderMetadata,
2032
+ H as getSecurityHeaders,
2033
+ St as getServerSession,
2034
+ Rt as getSessionTimeUntilExpiry,
2035
+ Xr as getUserFriendlyError,
2036
+ Gr as hasErrorCode,
2037
+ Ce as isAuthError,
2038
+ Hr as isAuthSuccess,
2039
+ Qr as isOAuthProviderConfig,
2040
+ Kr as isRetryableError,
2041
+ At as isSessionExpiredNullable,
2042
+ Tt as isSessionExpiringSoon,
2043
+ It as isSessionValid,
2044
+ Yr as isSupportedProvider,
2045
+ Wr as isTwoFactorRequired,
2046
+ jr as isValidCSRFToken,
2047
+ $r as isValidEmail,
2048
+ xr as isValidInput,
2049
+ Cr as isValidName,
2050
+ _r as isValidPassword,
2051
+ Fr as isValidToken,
2052
+ Ur as isValidURL,
2053
+ Zr as mulguard,
2054
+ Ot as refreshSession,
2055
+ _t as requireAuth,
2056
+ Pt as requireRole,
2057
+ Ct as requireServerAuthMiddleware,
2058
+ bt as requireServerRoleMiddleware,
2059
+ Lr as sanitizeHTML,
2060
+ zr as sanitizeInput,
2061
+ Vr as sanitizeUserInput,
2062
+ ae as setCookie,
2063
+ Jr as signIn,
2064
+ lt as signInEmailAction,
2065
+ ft as signOutAction,
2066
+ dt as signUpAction,
2067
+ Ut as storeOAuthStateCookie,
2068
+ et as toNextJsHandler,
2069
+ G as validateAndSanitizeEmail,
2070
+ X as validateAndSanitizeInput,
2071
+ Pr as validateAndSanitizeName,
2072
+ Or as validateAndSanitizePassword,
2073
+ Q as validateCSRFToken,
2074
+ N as validateSessionStructure,
2075
+ Nr as validateToken,
2076
+ br as validateURL,
2077
+ ht as verify2FAAction,
2078
+ F as withSecurityHeaders
1756
2079
  };