npm - mulguard - Versions diffs - 1.1.3 → 1.1.4 - Mend

mulguard 1.1.3 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/core/auth/oauth-state-store-redis.d.ts +25 -0
package/dist/core/index.d.ts +1 -0
package/dist/index/index.js +1 -1
package/dist/index/index.mjs +254 -211
package/package.json +1 -1

package/dist/index/index.mjs CHANGED Viewed

@@ -2,9 +2,9 @@ var ne = Object.defineProperty;
 var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
 var U = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
 import { A as m, d as ie, e as oe, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
-import { a as lt, s as ft, b as dt, v as ht } from "../actions-DeCfLtHA.mjs";
+import { a as ft, s as dt, b as ht, v as gt } from "../actions-DeCfLtHA.mjs";
 import { v as N } from "../oauth-state-LE-qeq-K.mjs";
-import { c as wt, p as pt, k as mt, n as Et, m as yt, j as kt, l as vt, e as St, g as Rt, b as At, i as Tt, a as It, o as Ot, f as _t, h as Pt, r as Ct, d as bt, s as Ut } from "../oauth-state-LE-qeq-K.mjs";
+import { c as pt, p as mt, k as Et, n as yt, m as kt, j as vt, l as St, e as Rt, g as At, b as Ot, i as Tt, a as It, o as _t, f as Pt, h as Ct, r as bt, d as Ut, s as Nt } from "../oauth-state-LE-qeq-K.mjs";
 import { NextResponse as E } from "next/server";
 const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
@@ -56,7 +56,7 @@ class le {
     this.attempts.clear();
   }
 }
-function Tr(e) {
+function Or(e) {
   return new le(e);
 }
 const fe = {
@@ -74,7 +74,7 @@ function H(e) {
     ...e
   };
 }
-function Ir(e, r) {
+function Tr(e, r) {
   const t = H(r);
   for (const [n, s] of Object.entries(t))
     s && e.set(n, s);
@@ -112,7 +112,7 @@ const ge = /* @__PURE__ */ new Set([
   "guest",
   "user"
 ]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
-function Or(e, r = pe) {
+function Ir(e, r = pe) {
   if (typeof e != "string" || !e)
     return { valid: !1, error: "Password is required" };
   if (e.length < r)
@@ -185,7 +185,7 @@ function X(e, r) {
 function xr(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
-class Te {
+class Oe {
   constructor() {
     U(this, "tokens", /* @__PURE__ */ new Map());
   }
@@ -206,11 +206,11 @@ class Te {
     this.tokens.clear();
   }
 }
-class Ie {
+class Te {
   constructor(r, t = 32) {
     U(this, "store");
     U(this, "tokenLength");
-    this.store = r || new Te(), this.tokenLength = t;
+    this.store = r || new Oe(), this.tokenLength = t;
   }
   /**
    * Generate CSRF token
@@ -243,9 +243,9 @@ class Ie {
   }
 }
 function Dr(e) {
-  return new Ie(e);
+  return new Te(e);
 }
-function Oe(e) {
+function Ie(e) {
   if (typeof e != "string")
     return "";
   const r = {
@@ -260,10 +260,10 @@ function Oe(e) {
 function Lr(e) {
   return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
 }
-function Vr(e) {
-  return typeof e != "string" ? "" : Oe(e.trim());
-}
 function Mr(e) {
+  return typeof e != "string" ? "" : Ie(e.trim());
+}
+function Vr(e) {
   return typeof e != "string" ? !1 : [
     /<script/i,
     /javascript:/i,
@@ -413,11 +413,11 @@ function be(e, r, t, n) {
     state: n
   });
   if (s.defaultParams)
-    for (const [f, l] of Object.entries(s.defaultParams))
-      a.append(f, l);
+    for (const [l, f] of Object.entries(s.defaultParams))
+      a.append(l, f);
   if (r.params)
-    for (const [f, l] of Object.entries(r.params))
-      a.set(f, l);
+    for (const [l, f] of Object.entries(r.params))
+      a.set(l, f);
   return `${s.authorizationUrl}?${a.toString()}`;
 }
 async function Ue(e, r, t, n) {
@@ -445,14 +445,14 @@ async function Ue(e, r, t, n) {
       body: i.toString()
     });
     if (!o.ok) {
-      const f = await o.text();
-      let l = `Failed to exchange code for tokens: ${f}`;
+      const l = await o.text();
+      let f = `Failed to exchange code for tokens: ${l}`;
       try {
-        const w = JSON.parse(f);
-        l = w.error_description ?? w.error ?? l;
+        const w = JSON.parse(l);
+        f = w.error_description ?? w.error ?? f;
       } catch {
       }
-      throw new Error(l);
+      throw new Error(f);
     }
     const a = await o.json();
     if (!Ne(a))
@@ -501,9 +501,9 @@ async function xe(e, r, t) {
     case "github":
       return await Le(r, t);
     case "apple":
-      return Ve(r);
-    case "facebook":
       return Me(r);
+    case "facebook":
+      return Ve(r);
     default:
       return je(r);
   }
@@ -542,7 +542,7 @@ async function Le(e, r) {
     rawProfile: n
   };
 }
-function Ve(e) {
+function Me(e) {
   const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
   return {
     id: String(e.sub ?? ""),
@@ -552,7 +552,7 @@ function Ve(e) {
     rawProfile: e
   };
 }
-function Me(e) {
+function Ve(e) {
   var t;
   const r = e.picture;
   return {
@@ -600,6 +600,48 @@ class ze {
 function $e() {
   return new ze();
 }
+function Zr(e, r = "mulguard:oauth:state:") {
+  const t = (s) => `${r}${s}`, n = async (s) => {
+    const i = t(s);
+    await e.del(i);
+  };
+  return {
+    async set(s, i, o) {
+      const a = t(s), l = JSON.stringify(i);
+      await e.set(a, l, "EX", Math.floor(o / 1e3));
+    },
+    async get(s) {
+      const i = t(s), o = await e.get(i);
+      if (!o)
+        return null;
+      try {
+        const a = JSON.parse(o);
+        return a.expiresAt < Date.now() ? (await n(s), null) : a;
+      } catch {
+        return await n(s), null;
+      }
+    },
+    async delete(s) {
+      await n(s);
+    },
+    async cleanup() {
+      try {
+        const s = await e.keys(`${r}*`), i = Date.now();
+        for (const o of s) {
+          const a = await e.get(o);
+          if (a)
+            try {
+              JSON.parse(a).expiresAt < i && await e.del(o);
+            } catch {
+              await e.del(o);
+            }
+        }
+      } catch (s) {
+        console.warn("[Mulguard] OAuth state cleanup warning:", s);
+      }
+    }
+  };
+}
 function D(e) {
   return e.success === !0 && e.user !== void 0 && e.session !== void 0;
 }
@@ -611,49 +653,49 @@ function qe(e = {}) {
     level: t = We,
     context: n,
     formatter: s = Be
-  } = e, i = (a) => r && a >= t, o = (a, f, l, w) => ({
+  } = e, i = (a) => r && a >= t, o = (a, l, f, w) => ({
     level: a,
-    message: f,
+    message: l,
     timestamp: /* @__PURE__ */ new Date(),
     context: n,
-    data: l ? He(l) : void 0,
+    data: f ? He(f) : void 0,
     error: w
   });
   return {
-    debug: (a, f) => {
+    debug: (a, l) => {
       if (i(
         0
         /* DEBUG */
       )) {
-        const l = o(0, a, f);
-        console.debug(s(l));
+        const f = o(0, a, l);
+        console.debug(s(f));
       }
     },
-    info: (a, f) => {
+    info: (a, l) => {
       if (i(
         1
         /* INFO */
       )) {
-        const l = o(1, a, f);
-        console.info(s(l));
+        const f = o(1, a, l);
+        console.info(s(f));
       }
     },
-    warn: (a, f) => {
+    warn: (a, l) => {
       if (i(
         2
         /* WARN */
       )) {
-        const l = o(2, a, f);
-        console.warn(s(l));
+        const f = o(2, a, l);
+        console.warn(s(f));
       }
     },
-    error: (a, f) => {
+    error: (a, l) => {
       if (i(
         3
         /* ERROR */
       )) {
-        const l = f instanceof Error ? f : void 0, w = f instanceof Error ? void 0 : f, g = o(3, a, w, l);
-        console.error(s(g)), l && console.error(l);
+        const f = l instanceof Error ? l : void 0, w = l instanceof Error ? void 0 : l, g = o(3, a, w, f);
+        console.error(s(g)), f && console.error(f);
       }
     }
   };
@@ -678,27 +720,27 @@ function He(e) {
       t[n] = s;
   return t;
 }
-const O = qe();
+const I = qe();
 function Ge(e, r, t, n = {}) {
   const {
     enabled: s = !0,
     maxRetries: i = 1,
     retryDelay: o = 1e3,
     rateLimit: a = 3,
-    autoSignOutOnFailure: f = !0,
-    redirectToLogin: l = "/login",
+    autoSignOutOnFailure: l = !0,
+    redirectToLogin: f = "/login",
     autoRedirectOnFailure: w = !0
   } = n;
   let g = null, A = !1;
   const S = [], v = [], y = 60 * 1e3;
-  let h = 0, I = !1, _ = null;
-  const L = 2, V = 60 * 1e3;
+  let h = 0, T = !1, _ = null;
+  const L = 2, M = 60 * 1e3;
   function c() {
     const k = Date.now();
-    if (I && _) {
+    if (T && _) {
       if (k < _)
         return !1;
-      I = !1, _ = null, h = 0;
+      T = !1, _ = null, h = 0;
     }
     for (; v.length > 0; ) {
       const p = v[0];
@@ -710,10 +752,10 @@ function Ge(e, r, t, n = {}) {
     return v.length >= a ? !1 : (v.push(k), !0);
   }
   function u() {
-    h++, h >= L && (I = !0, _ = Date.now() + V, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
+    h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
   }
   function d() {
-    h = 0, I = !1, _ = null;
+    h = 0, T = !1, _ = null;
   }
   async function R(k = 1) {
     if (!s)
@@ -760,10 +802,10 @@ function Ge(e, r, t, n = {}) {
   }
   async function W(k) {
     try {
-      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), f && (await t(), await r(), w && typeof window < "u")) {
+      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), l && (await t(), await r(), w && typeof window < "u")) {
         let p = !0;
         if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
-          const b = new URL(l, window.location.origin);
+          const b = new URL(f, window.location.origin);
           b.searchParams.set("reason", "session_expired"), b.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = b.toString();
         }
       }
@@ -843,7 +885,7 @@ function Je() {
 function Ye(e) {
   const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
   let a = null;
-  const f = async () => {
+  const l = async () => {
     const y = Date.now();
     if (a && y - a.timestamp < t)
       return a.session;
@@ -854,41 +896,41 @@ function Ye(e) {
           return a = { session: h, timestamp: y }, h;
         h && !N(h) && (await w(), a = null);
       } catch (h) {
-        O.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
+        I.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
       }
     try {
       const h = await ce(o);
       if (h)
         try {
-          const I = JSON.parse(h);
-          if (N(I))
-            return I.expiresAt && new Date(I.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(I), await w(), a = null, null) : (a = { session: I, timestamp: y }, I);
+          const T = JSON.parse(h);
+          if (N(T))
+            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await w(), a = null, null) : (a = { session: T, timestamp: y }, T);
           await w(), a = null;
         } catch {
           await w(), a = null;
         }
     } catch (h) {
-      const I = h instanceof Error ? h.message : String(h);
-      !I.includes("request scope") && !I.includes("cookies") && (O.warn("getSession cookie error", { error: h }), i && await i(
+      const T = h instanceof Error ? h.message : String(h);
+      !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), i && await i(
         h instanceof Error ? h : new Error(String(h)),
         "getSession.cookie"
       ));
     }
     return null;
-  }, l = async (y) => {
+  }, f = async (y) => {
     if (!N(y))
       return {
         success: !1,
         error: "Invalid session structure"
       };
     try {
-      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), I = oe(o, h, r), _ = await ae(I);
+      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = oe(o, h, r), _ = await ae(T);
       return _.success && (a = { session: y, timestamp: Date.now() }), _;
     } catch (h) {
-      const I = h instanceof Error ? h.message : "Failed to set session";
-      return O.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
+      const T = h instanceof Error ? h.message : "Failed to set session";
+      return I.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
         success: !1,
-        error: I
+        error: T
       };
     }
   }, w = async () => {
@@ -898,19 +940,19 @@ function Ye(e) {
         domain: r.domain
       }), a = null;
     } catch (y) {
-      O.warn("clearSessionCookie error", { error: y });
+      I.warn("clearSessionCookie error", { error: y });
     }
   }, g = async () => {
-    const y = await f();
+    const y = await l();
     return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
   };
   return {
-    getSession: f,
-    setSession: l,
+    getSession: l,
+    setSession: f,
     clearSessionCookie: w,
     getAccessToken: g,
     getRefreshToken: async () => {
-      const y = await f();
+      const y = await l();
       return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
     },
     hasValidTokens: async () => !!await g(),
@@ -961,17 +1003,17 @@ function Qe(e) {
       }, s = await e.actions.signIn.email(n);
       if (D(s)) {
         const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
+        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
       }
-      return s.success ? O.info("Sign in successful", {
+      return s.success ? I.info("Sign in successful", {
         email: n.email.substring(0, 3) + "***"
-      }) : O.warn("Sign in failed", {
+      }) : I.warn("Sign in failed", {
         email: n.email.substring(0, 3) + "***",
         errorCode: s.errorCode
       }), s;
     } catch (t) {
       const n = t instanceof Error ? t.message : "Sign in failed";
-      return O.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
+      return I.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
         t instanceof Error ? t : new Error(String(t)),
         "signIn.email"
       ), {
@@ -999,7 +1041,7 @@ function Ze(e, r) {
         "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
       );
     const i = await e.actions.signIn.oauth(s);
-    return await r(i.state, s), O.info("OAuth sign in initiated", { provider: s }), i;
+    return await r(i.state, s), I.info("OAuth sign in initiated", { provider: s }), i;
   };
 }
 function er(e) {
@@ -1033,15 +1075,15 @@ function er(e) {
       const s = await e.actions.signIn.otp(n.sanitized, t);
       if (D(s)) {
         const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
+        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
       }
-      return s.success ? O.info("OTP sign in successful", {
+      return s.success ? I.info("OTP sign in successful", {
         email: n.sanitized.substring(0, 3) + "***"
-      }) : O.warn("OTP sign in failed", {
+      }) : I.warn("OTP sign in failed", {
         email: n.sanitized.substring(0, 3) + "***"
       }), s;
     } catch (s) {
-      return O.error("OTP sign in error", {
+      return I.error("OTP sign in error", {
         error: s instanceof Error ? s.message : "Unknown error",
         context: "signIn.otp"
       }), e.onError && await e.onError(
@@ -1063,7 +1105,7 @@ function rr(e) {
       const t = await e.actions.signIn.passkey(r);
       if (D(t)) {
         const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
+        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
       }
       return t;
     } catch (t) {
@@ -1079,10 +1121,10 @@ function rr(e) {
 }
 function tr(e, r) {
   const t = Qe(e), n = Ze(e, r), s = er(e), i = rr(e);
-  return Object.assign(async (f, l) => {
-    if (!f || typeof f != "string")
+  return Object.assign(async (l, f) => {
+    if (!l || typeof l != "string")
       throw new Error("Provider is required");
-    const w = X(f, {
+    const w = X(l, {
       maxLength: 50,
       allowHtml: !1,
       required: !0
@@ -1093,22 +1135,22 @@ function tr(e, r) {
     if (g === "google" || g === "github" || g === "apple" || g === "facebook" || typeof g == "string" && !["credentials", "otp", "passkey"].includes(g))
       return n(g);
     if (g === "credentials")
-      return !l || !("email" in l) || !("password" in l) ? {
+      return !f || !("email" in f) || !("password" in f) ? {
         success: !1,
         error: "Credentials are required",
         errorCode: m.VALIDATION_ERROR
-      } : t(l);
+      } : t(f);
     if (g === "otp") {
-      if (!l || !("email" in l))
+      if (!f || !("email" in f))
         return {
           success: !1,
           error: "Email is required",
           errorCode: m.VALIDATION_ERROR
         };
-      const A = l;
+      const A = f;
       return s(A.email, A.code);
     }
-    return g === "passkey" ? i(l) : {
+    return g === "passkey" ? i(f) : {
       success: !1,
       error: "Invalid provider",
       errorCode: m.VALIDATION_ERROR
@@ -1128,7 +1170,7 @@ function nr(e) {
       const t = await e.actions.signUp(r);
       if (D(t)) {
         const n = await e.saveSessionAfterAuth(t);
-        !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
+        !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
       }
       return t;
     } catch (t) {
@@ -1152,12 +1194,12 @@ function sr(e, r) {
         errorCode: m.VALIDATION_ERROR
       };
     try {
-      const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), f = await Fe(t, a.access_token), l = {
-        id: f.id,
-        email: f.email,
-        name: f.name,
-        avatar: f.avatar,
-        emailVerified: f.emailVerified,
+      const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), l = await Fe(t, a.access_token), f = {
+        id: l.id,
+        email: l.email,
+        name: l.name,
+        avatar: l.avatar,
+        emailVerified: l.emailVerified,
         provider: t,
         accessToken: a.access_token,
         refreshToken: a.refresh_token,
@@ -1168,12 +1210,12 @@ function sr(e, r) {
           token_type: a.token_type,
           id_token: a.id_token
         },
-        rawProfile: f.rawProfile
+        rawProfile: l.rawProfile
       };
       if (e.callbacks.onOAuthUser) {
         const w = await q(
           e.callbacks.onOAuthUser,
-          [l, t],
+          [f, t],
           e.onError
         );
         if (!w)
@@ -1182,7 +1224,7 @@ function sr(e, r) {
             error: "Failed to create or retrieve user",
             errorCode: m.VALIDATION_ERROR
           };
-        const g = e.createSession(w, l, a);
+        const g = e.createSession(w, f, a);
         return await e.saveSession(g), e.callbacks.onSignIn && await q(
           e.callbacks.onSignIn,
           [g.user, g],
@@ -1195,7 +1237,7 @@ function sr(e, r) {
         errorCode: m.VALIDATION_ERROR
       };
     } catch (o) {
-      return O.error("OAuth callback failed", { provider: t, error: o }), {
+      return I.error("OAuth callback failed", { provider: t, error: o }), {
         success: !1,
         error: o instanceof Error ? o.message : "OAuth callback failed",
         errorCode: m.NETWORK_ERROR
@@ -1226,33 +1268,33 @@ function ir(e, r, t, n) {
       return { url: n(s, i, r, o), state: o };
     };
 }
-function Zr(e) {
-  var L, V;
+function et(e) {
+  var L, M;
   const r = {
     ...Ke(),
     ...e.session
   }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, i = Je(), o = {
     ...Xe(),
     ...e.tokenRefresh
-  }, a = ((V = e.session) == null ? void 0 : V.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, f = e.oauthStateStore || $e(), l = { ...t }, w = async (c, u) => {
+  }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, l = e.oauthStateStore || $e(), f = { ...t }, w = async (c, u) => {
     const d = {
       provider: u,
       expiresAt: Date.now() + 6e5
       // 10 minutes
     };
-    await Promise.resolve(f.set(c, d, 10 * 60 * 1e3)), f.cleanup && await Promise.resolve(f.cleanup());
+    await Promise.resolve(l.set(c, d, 10 * 60 * 1e3)), l.cleanup && await Promise.resolve(l.cleanup());
   }, g = async (c, u) => {
-    const d = await Promise.resolve(f.get(c));
-    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(f.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(f.delete(c)), !0) : !1;
+    const d = await Promise.resolve(l.get(c));
+    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(l.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(l.delete(c)), !0) : !1;
   }, A = ir(
     s,
     i,
     _e,
     be
   );
-  if (A && !l.signIn.oauth) {
-    const c = l.signIn;
-    l.signIn = {
+  if (A && !f.signIn.oauth) {
+    const c = f.signIn;
+    f.signIn = {
       ...c,
       oauth: async (u) => {
         const d = await A(u);
@@ -1260,7 +1302,7 @@ function Zr(e) {
       }
     };
   }
-  if (!l.signIn || !l.signIn.email)
+  if (!f.signIn || !f.signIn.email)
     throw new Error("mulguard: signIn.email action is required");
   const S = async (c, ...u) => {
     if (c)
@@ -1281,7 +1323,7 @@ function Zr(e) {
     const u = await v.setSession(c.session);
     return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), u;
   };
-  if (Object.keys(s).length > 0 && !l.oauthCallback) {
+  if (Object.keys(s).length > 0 && !f.oauthCallback) {
     const c = sr(
       {
         oauthProviders: s,
@@ -1305,18 +1347,18 @@ function Zr(e) {
         onError: n.onError
       }
     );
-    l.oauthCallback = c;
+    f.oauthCallback = c;
   }
   const h = tr(
     {
-      actions: l,
+      actions: f,
       callbacks: n,
       saveSessionAfterAuth: y,
       onError: n.onError
     },
     w
-  ), I = nr({
-    actions: l,
+  ), T = nr({
+    actions: f,
     callbacks: n,
     saveSessionAfterAuth: y,
     onError: n.onError
@@ -1354,9 +1396,9 @@ function Zr(e) {
      * Sign up new user
      */
     async signUp(c) {
-      if (!I)
+      if (!T)
         throw new Error("Sign up is not configured. Provide signUp action in config.");
-      return await I(c);
+      return await T(c);
     },
     /**
      * Sign out
@@ -1439,7 +1481,7 @@ function Zr(e) {
      * ✅ Auto-generated if providers.oauth is configured in config
      */
     async oauthCallback(c, u, d) {
-      if (!l.oauthCallback)
+      if (!f.oauthCallback)
         throw new Error(
           "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
         );
@@ -1451,7 +1493,7 @@ function Zr(e) {
         };
       let R = c;
       if (!R) {
-        const P = await Promise.resolve(f.get(d));
+        const P = await Promise.resolve(l.get(d));
         if (P && P.provider)
           R = P.provider;
         else
@@ -1468,7 +1510,7 @@ function Zr(e) {
           errorCode: m.VALIDATION_ERROR
         };
       try {
-        return await l.oauthCallback(R, u, d);
+        return await f.oauthCallback(R, u, d);
       } catch (P) {
         return n.onError && await S(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
           success: !1,
@@ -1488,7 +1530,7 @@ function Zr(e) {
         const d = await t.verify2FA(c);
         if (d.success && d.session && !(u != null && u.skipCookieSave)) {
           const R = await y(d);
-          R.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after verify2FA", {
+          R.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
             error: R.error,
             warning: R.warning
           }), n.onError && await S(
@@ -1569,7 +1611,7 @@ function Zr(e) {
           const R = await u(c);
           if (R.success && R.session) {
             const C = await y(R);
-            C.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after twoFactor.verify2FA", {
+            C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
               error: C.error,
               warning: C.warning
             }), n.onError && await S(
@@ -1625,7 +1667,7 @@ function Zr(e) {
   }
   return _;
 }
-function et(e) {
+function rt(e) {
   return {
     GET: async (r) => B(r, e, "GET"),
     POST: async (r) => B(r, e, "POST")
@@ -1634,9 +1676,9 @@ function et(e) {
 async function B(e, r, t) {
   const n = new URL(e.url), s = or(n.pathname), i = s.split("/").filter(Boolean);
   try {
-    return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : T("Method not allowed", 405);
+    return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : O("Method not allowed", 405);
   } catch (o) {
-    return T(
+    return O(
       o instanceof Error ? o.message : "Request failed",
       500
     );
@@ -1656,11 +1698,11 @@ async function ar(e, r, t, n, s) {
       oauth: !!r.signIn.oauth,
       passkey: !!r.signIn.passkey
     }
-  }) : re(t, n) ? await te(e, r, t, n, s, "GET") : T("Not found", 404);
+  }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
 }
 async function cr(e, r, t, n, s) {
   const i = await ur(e);
-  return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : T("Not found", 404);
+  return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : O("Not found", 404);
 }
 async function ur(e) {
   try {
@@ -1674,15 +1716,15 @@ function re(e, r) {
 }
 async function te(e, r, t, n, s, i, o) {
   if (!r.oauthCallback)
-    return i === "GET" ? M(e.url, "oauth_not_configured") : T("OAuth callback is not configured", 400);
-  const a = lr(n, s, o), f = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), l = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
-  if (!f || !l)
-    return i === "GET" ? M(e.url, "oauth_missing_params") : T("Missing required OAuth parameters. Code and state are required.", 400);
+    return i === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
+  const a = lr(n, s, o), l = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), f = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
+  if (!l || !f)
+    return i === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
   try {
-    const w = await r.oauthCallback(a ?? "", f, l);
-    return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : M(e.url, w.error ?? "oauth_failed") : E.json(w);
+    const w = await r.oauthCallback(a ?? "", l, f);
+    return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : V(e.url, w.error ?? "oauth_failed") : E.json(w);
   } catch (w) {
-    return i === "GET" ? M(e.url, w instanceof Error ? w.message : "oauth_error") : T(w instanceof Error ? w.message : "OAuth callback failed", 500);
+    return i === "GET" ? V(e.url, w instanceof Error ? w.message : "oauth_error") : O(w instanceof Error ? w.message : "OAuth callback failed", 500);
   }
 }
 function lr(e, r, t) {
@@ -1698,21 +1740,21 @@ async function fr(e, r) {
   }
   if (r.provider === "oauth" && r.providerName) {
     if (!e.signIn.oauth)
-      return T("OAuth is not configured", 400);
+      return O("OAuth is not configured", 400);
     const t = await e.signIn.oauth(r.providerName);
     return E.json(t);
   }
   if (r.provider === "passkey") {
     if (!e.signIn.passkey)
-      return T("PassKey is not configured", 400);
+      return O("PassKey is not configured", 400);
     const t = await e.signIn.passkey(r.options);
     return E.json(t);
   }
-  return T("Invalid sign in request", 400);
+  return O("Invalid sign in request", 400);
 }
 async function dr(e, r) {
   if (!e.signUp)
-    return T("Sign up is not configured", 400);
+    return O("Sign up is not configured", 400);
   const t = await e.signUp(r);
   return E.json(t);
 }
@@ -1722,17 +1764,17 @@ async function hr(e) {
 }
 async function gr(e, r) {
   if (!e.resetPassword)
-    return T("Password reset is not configured", 400);
+    return O("Password reset is not configured", 400);
   if (!r.email || typeof r.email != "string")
-    return T("Email is required", 400);
+    return O("Email is required", 400);
   const t = await e.resetPassword(r.email);
   return E.json(t);
 }
 async function wr(e, r) {
   if (!e.verifyEmail)
-    return T("Email verification is not configured", 400);
+    return O("Email verification is not configured", 400);
   if (!r.token || typeof r.token != "string")
-    return T("Token is required", 400);
+    return O("Token is required", 400);
   const t = await e.verifyEmail(r.token);
   return E.json(t);
 }
@@ -1746,9 +1788,9 @@ async function pr(e) {
 }
 async function mr(e, r) {
   if (!e.verify2FA)
-    return T("2FA verification is not configured", 400);
+    return O("2FA verification is not configured", 400);
   if (!r.email || !r.userId || !r.code)
-    return T("Missing required parameters. Email, userId, and code are required.", 400);
+    return O("Missing required parameters. Email, userId, and code are required.", 400);
   const t = {
     email: r.email,
     userId: r.userId,
@@ -1758,7 +1800,7 @@ async function mr(e, r) {
 }
 async function Er(e, r, t, n) {
   if (!e.passkey)
-    return T("PassKey is not configured", 400);
+    return O("PassKey is not configured", 400);
   const s = t[1];
   if (s === "register" && e.passkey.register) {
     const i = await e.passkey.register(n.options);
@@ -1770,15 +1812,15 @@ async function Er(e, r, t, n) {
   }
   if (s === "remove" && e.passkey.remove) {
     if (!n.passkeyId || typeof n.passkeyId != "string")
-      return T("Passkey ID is required", 400);
+      return O("Passkey ID is required", 400);
     const i = await e.passkey.remove(n.passkeyId);
     return E.json(i);
   }
-  return T("Invalid Passkey request", 400);
+  return O("Invalid Passkey request", 400);
 }
 async function yr(e, r, t) {
   if (!e.twoFactor)
-    return T("Two-Factor Authentication is not configured", 400);
+    return O("Two-Factor Authentication is not configured", 400);
   const n = r[1];
   if (n === "enable" && e.twoFactor.enable) {
     const s = await e.twoFactor.enable();
@@ -1786,7 +1828,7 @@ async function yr(e, r, t) {
   }
   if (n === "verify" && e.twoFactor.verify) {
     if (!t.code || typeof t.code != "string")
-      return T("Code is required", 400);
+      return O("Code is required", 400);
     const s = await e.twoFactor.verify(t.code);
     return E.json(s);
   }
@@ -1802,9 +1844,9 @@ async function yr(e, r, t) {
     const s = await e.twoFactor.isEnabled();
     return E.json({ enabled: s });
   }
-  return T("Invalid two-factor request", 400);
+  return O("Invalid two-factor request", 400);
 }
-function T(e, r) {
+function O(e, r) {
   return E.json(
     {
       success: !1,
@@ -1813,14 +1855,14 @@ function T(e, r) {
     { status: r }
   );
 }
-function M(e, r) {
+function V(e, r) {
   return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
 }
 function kr(e, r) {
   const t = r ?? "/";
   return E.redirect(new URL(t, e));
 }
-function rt(e) {
+function tt(e) {
   return async (r) => {
     const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
     try {
@@ -1830,7 +1872,7 @@ function rt(e) {
           o = await r.json();
         } catch {
         }
-      const a = Object.fromEntries(n.searchParams.entries()), f = await fetch(
+      const a = Object.fromEntries(n.searchParams.entries()), l = await fetch(
         `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
         {
           method: t,
@@ -1840,11 +1882,11 @@ function rt(e) {
           },
           body: o ? JSON.stringify(o) : void 0
         }
-      ), l = await f.json();
-      return E.json(l, {
-        status: f.status,
+      ), f = await l.json();
+      return E.json(f, {
+        status: l.status,
         headers: {
-          ...Object.fromEntries(f.headers.entries())
+          ...Object.fromEntries(l.headers.entries())
         }
       });
     } catch (o) {
@@ -1858,7 +1900,7 @@ function rt(e) {
     }
   };
 }
-function tt(e) {
+function nt(e) {
   return async (r) => {
     const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), i = t.get("state");
     if (!n || !s || !i)
@@ -1900,13 +1942,13 @@ function F(e, r) {
     s && typeof s == "string" && r.headers.set(n, s);
   return r;
 }
-function nt() {
+function st() {
   return async (e) => {
     const r = E.next();
     return F(e, r);
   };
 }
-function st(e, r = {}) {
+function it(e, r = {}) {
   const {
     protectedRoutes: t = [],
     publicRoutes: n = [],
@@ -1914,18 +1956,18 @@ function st(e, r = {}) {
     redirectIfAuthenticated: i
   } = r;
   return async (o) => {
-    const { pathname: a } = o.nextUrl, f = t.some((g) => a.startsWith(g));
-    let l = null;
+    const { pathname: a } = o.nextUrl, l = t.some((g) => a.startsWith(g));
+    let f = null;
     try {
-      l = await e.getSession();
+      f = await e.getSession();
     } catch (g) {
       console.error("Middleware: Failed to get session:", g);
     }
-    if (f && !l) {
+    if (l && !f) {
       const g = o.nextUrl.clone();
       return g.pathname = s, g.searchParams.set("callbackUrl", a), E.redirect(g);
     }
-    if (i && l && (a.startsWith("/login") || a.startsWith("/register"))) {
+    if (i && f && (a.startsWith("/login") || a.startsWith("/register"))) {
       const A = o.nextUrl.clone();
       A.pathname = i;
       const S = E.redirect(A);
@@ -1935,7 +1977,7 @@ function st(e, r = {}) {
     return F(o, w);
   };
 }
-async function it(e, r) {
+async function ot(e, r) {
   var t;
   try {
     const n = await e.getSession();
@@ -1944,7 +1986,7 @@ async function it(e, r) {
     return !1;
   }
 }
-function ot(e) {
+function at(e) {
   const {
     auth: r,
     protectedRoutes: t = [],
@@ -1954,26 +1996,26 @@ function ot(e) {
     apiPrefix: o = "/api/auth"
   } = e;
   return async (a) => {
-    const { pathname: f } = a.nextUrl;
-    if (f.startsWith(o)) {
+    const { pathname: l } = a.nextUrl;
+    if (l.startsWith(o)) {
       const A = E.next();
       return F(a, A);
     }
-    const l = t.some((A) => f.startsWith(A));
+    const f = t.some((A) => l.startsWith(A));
     let w = null;
-    if (l || i)
+    if (f || i)
       try {
         w = await r.getSession();
       } catch (A) {
         console.error("Middleware: Failed to get session:", A);
       }
-    if (l && !w) {
+    if (f && !w) {
       const A = a.nextUrl.clone();
-      A.pathname = s, A.searchParams.set("callbackUrl", f);
+      A.pathname = s, A.searchParams.set("callbackUrl", l);
       const S = E.redirect(A);
       return F(a, S);
     }
-    if (i && w && (f.startsWith("/login") || f.startsWith("/register"))) {
+    if (i && w && (l.startsWith("/login") || l.startsWith("/register"))) {
       const S = a.nextUrl.clone();
       S.pathname = i;
       const v = E.redirect(S);
@@ -1983,7 +2025,7 @@ function ot(e) {
     return F(a, g);
   };
 }
-async function at(e, r) {
+async function ct(e, r) {
   var t;
   try {
     const n = await e.getSession();
@@ -1993,52 +2035,53 @@ async function at(e, r) {
   }
 }
 export {
-  Ie as CSRFProtection,
+  Te as CSRFProtection,
   fe as DEFAULT_SECURITY_HEADERS,
-  Te as MemoryCSRFStore,
+  Oe as MemoryCSRFStore,
   ze as MemoryOAuthStateStore,
   le as RateLimiter,
-  Ir as applySecurityHeaders,
+  Tr as applySecurityHeaders,
   oe as buildCookieOptions,
   be as buildOAuthAuthorizationUrl,
-  it as checkRole,
-  at as checkRoleProxy,
-  Mr as containsXSSPattern,
-  rt as createApiHandler,
-  st as createAuthMiddleware,
+  ot as checkRole,
+  ct as checkRoleProxy,
+  Vr as containsXSSPattern,
+  tt as createApiHandler,
+  it as createAuthMiddleware,
   Dr as createCSRFProtection,
   $e as createMemoryOAuthStateStore,
-  tt as createOAuthCallbackHandler,
-  ot as createProxyMiddleware,
-  Tr as createRateLimiter,
-  nt as createSecurityMiddleware,
-  wt as createServerAuthMiddleware,
-  pt as createServerHelpers,
-  mt as createServerUtils,
-  Et as createSessionManager,
+  nt as createOAuthCallbackHandler,
+  at as createProxyMiddleware,
+  Or as createRateLimiter,
+  Zr as createRedisOAuthStateStore,
+  st as createSecurityMiddleware,
+  pt as createServerAuthMiddleware,
+  mt as createServerHelpers,
+  Et as createServerUtils,
+  yt as createSessionManager,
   ie as deleteCookie,
-  yt as deleteOAuthStateCookie,
-  Oe as escapeHTML,
+  kt as deleteOAuthStateCookie,
+  Ie as escapeHTML,
   Ue as exchangeOAuthCode,
   _e as generateCSRFToken,
   Y as generateToken,
   ce as getCookie,
-  kt as getCurrentUser,
+  vt as getCurrentUser,
   Br as getErrorCode,
   qr as getErrorMessage,
-  vt as getOAuthStateCookie,
+  St as getOAuthStateCookie,
   Fe as getOAuthUserInfo,
   j as getProviderMetadata,
   H as getSecurityHeaders,
-  St as getServerSession,
-  Rt as getSessionTimeUntilExpiry,
+  Rt as getServerSession,
+  At as getSessionTimeUntilExpiry,
   Xr as getUserFriendlyError,
   Gr as hasErrorCode,
   Ce as isAuthError,
   Hr as isAuthSuccess,
   Qr as isOAuthProviderConfig,
   Kr as isRetryableError,
-  At as isSessionExpiredNullable,
+  Ot as isSessionExpiredNullable,
   Tt as isSessionExpiringSoon,
   It as isSessionValid,
   Yr as isSupportedProvider,
@@ -2050,30 +2093,30 @@ export {
   _r as isValidPassword,
   Fr as isValidToken,
   Ur as isValidURL,
-  Zr as mulguard,
-  Ot as refreshSession,
-  _t as requireAuth,
-  Pt as requireRole,
-  Ct as requireServerAuthMiddleware,
-  bt as requireServerRoleMiddleware,
+  et as mulguard,
+  _t as refreshSession,
+  Pt as requireAuth,
+  Ct as requireRole,
+  bt as requireServerAuthMiddleware,
+  Ut as requireServerRoleMiddleware,
   Lr as sanitizeHTML,
   zr as sanitizeInput,
-  Vr as sanitizeUserInput,
+  Mr as sanitizeUserInput,
   ae as setCookie,
   Jr as signIn,
-  lt as signInEmailAction,
-  ft as signOutAction,
-  dt as signUpAction,
-  Ut as storeOAuthStateCookie,
-  et as toNextJsHandler,
+  ft as signInEmailAction,
+  dt as signOutAction,
+  ht as signUpAction,
+  Nt as storeOAuthStateCookie,
+  rt as toNextJsHandler,
   G as validateAndSanitizeEmail,
   X as validateAndSanitizeInput,
   Pr as validateAndSanitizeName,
-  Or as validateAndSanitizePassword,
+  Ir as validateAndSanitizePassword,
   Q as validateCSRFToken,
   N as validateSessionStructure,
   Nr as validateToken,
   br as validateURL,
-  ht as verify2FAAction,
+  gt as verify2FAAction,
   F as withSecurityHeaders
 };