mulguard 1.1.3 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/core/auth/oauth-state-store-cookie.d.ts +83 -0
  2. package/dist/core/auth/oauth-state-store-redis.d.ts +25 -0
  3. package/dist/core/auth/oauth-state-store.d.ts +1 -0
  4. package/dist/core/index.d.ts +1 -0
  5. package/dist/index/index.js +1 -1
  6. package/dist/index/index.mjs +666 -523
  7. package/dist/mulguard.d.ts +8 -0
  8. package/dist/server/oauth-state.d.ts +6 -0
  9. package/package.json +1 -1
package/dist/index/index.mjs CHANGED
@@ -1,10 +1,10 @@
1
1
  var ne = Object.defineProperty;
2
2
  var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
3
- var U = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
4
- import { A as m, d as ie, e as oe, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
5
- import { a as lt, s as ft, b as dt, v as ht } from "../actions-DeCfLtHA.mjs";
6
- import { v as N } from "../oauth-state-LE-qeq-K.mjs";
7
- import { c as wt, p as pt, k as mt, n as Et, m as yt, j as kt, l as vt, e as St, g as Rt, b as At, i as Tt, a as It, o as Ot, f as _t, h as Pt, r as Ct, d as bt, s as Ut } from "../oauth-state-LE-qeq-K.mjs";
3
+ var b = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
4
+ import { A as m, d as oe, e as ie, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
5
+ import { a as wt, s as pt, b as mt, v as Et } from "../actions-DeCfLtHA.mjs";
6
+ import { v as U } from "../oauth-state-LE-qeq-K.mjs";
7
+ import { c as kt, p as vt, k as St, n as At, m as Rt, j as Ot, l as Tt, e as It, g as _t, b as Pt, i as Ct, a as Nt, o as bt, f as Ut, h as Ft, r as xt, d as Dt, s as Lt } from "../oauth-state-LE-qeq-K.mjs";
8
8
  import { NextResponse as E } from "next/server";
9
9
  const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
10
10
  /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
@@ -17,8 +17,8 @@ function ue(e = 32) {
17
17
  }
18
18
  class le {
19
19
  constructor(r) {
20
- U(this, "attempts", /* @__PURE__ */ new Map());
21
- U(this, "config");
20
+ b(this, "attempts", /* @__PURE__ */ new Map());
21
+ b(this, "config");
22
22
  this.config = r;
23
23
  }
24
24
  /**
@@ -56,7 +56,7 @@ class le {
56
56
  this.attempts.clear();
57
57
  }
58
58
  }
59
- function Tr(e) {
59
+ function _r(e) {
60
60
  return new le(e);
61
61
  }
62
62
  const fe = {
@@ -74,7 +74,7 @@ function H(e) {
74
74
  ...e
75
75
  };
76
76
  }
77
- function Ir(e, r) {
77
+ function Pr(e, r) {
78
78
  const t = H(r);
79
79
  for (const [n, s] of Object.entries(t))
80
80
  s && e.set(n, s);
@@ -112,7 +112,7 @@ const ge = /* @__PURE__ */ new Set([
112
112
  "guest",
113
113
  "user"
114
114
  ]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
115
- function Or(e, r = pe) {
115
+ function Cr(e, r = pe) {
116
116
  if (typeof e != "string" || !e)
117
117
  return { valid: !1, error: "Password is required" };
118
118
  if (e.length < r)
@@ -133,11 +133,11 @@ function Ee(e) {
133
133
  let r = 0;
134
134
  return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
135
135
  }
136
- function _r(e) {
136
+ function Nr(e) {
137
137
  return e.valid === !0 && e.sanitized !== void 0;
138
138
  }
139
139
  const ye = 100;
140
- function Pr(e) {
140
+ function br(e) {
141
141
  if (typeof e != "string" || !e)
142
142
  return { valid: !1, error: "Name is required" };
143
143
  const r = e.trim();
@@ -148,11 +148,11 @@ function Pr(e) {
148
148
  const t = r.replace(/[<>"']/g, "");
149
149
  return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
150
150
  }
151
- function Cr(e) {
151
+ function Ur(e) {
152
152
  return e.valid === !0 && e.sanitized !== void 0;
153
153
  }
154
154
  const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
155
- function br(e) {
155
+ function Fr(e) {
156
156
  if (typeof e != "string" || !e)
157
157
  return { valid: !1, error: "URL is required" };
158
158
  try {
@@ -162,32 +162,32 @@ function br(e) {
162
162
  return { valid: !1, error: "Invalid URL format" };
163
163
  }
164
164
  }
165
- function Ur(e) {
165
+ function xr(e) {
166
166
  return e.valid === !0 && e.sanitized !== void 0;
167
167
  }
168
- const ve = 16, Se = 512, Re = /^[A-Za-z0-9_-]+$/;
169
- function Nr(e, r = ve) {
170
- return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Re.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
168
+ const ve = 16, Se = 512, Ae = /^[A-Za-z0-9_-]+$/;
169
+ function Dr(e, r = ve) {
170
+ return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Ae.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
171
171
  }
172
- function Fr(e) {
172
+ function Lr(e) {
173
173
  return e.valid === !0 && e.sanitized !== void 0;
174
174
  }
175
- const Ae = 1e3;
175
+ const Re = 1e3;
176
176
  function X(e, r) {
177
- const { maxLength: t = Ae, allowHtml: n = !1, required: s = !0 } = r ?? {};
177
+ const { maxLength: t = Re, allowHtml: n = !1, required: s = !0 } = r ?? {};
178
178
  if (s && (typeof e != "string" || !e || e.trim().length === 0))
179
179
  return { valid: !1, error: "Input is required" };
180
180
  if (typeof e != "string" || !e)
181
181
  return { valid: !0, sanitized: "" };
182
- let i = e.trim();
183
- return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
182
+ let o = e.trim();
183
+ return o.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (o = o.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), o = o.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: o });
184
184
  }
185
- function xr(e) {
185
+ function Mr(e) {
186
186
  return e.valid === !0 && e.sanitized !== void 0;
187
187
  }
188
- class Te {
188
+ class Oe {
189
189
  constructor() {
190
- U(this, "tokens", /* @__PURE__ */ new Map());
190
+ b(this, "tokens", /* @__PURE__ */ new Map());
191
191
  }
192
192
  get(r) {
193
193
  const t = this.tokens.get(r);
@@ -206,11 +206,11 @@ class Te {
206
206
  this.tokens.clear();
207
207
  }
208
208
  }
209
- class Ie {
209
+ class Te {
210
210
  constructor(r, t = 32) {
211
- U(this, "store");
212
- U(this, "tokenLength");
213
- this.store = r || new Te(), this.tokenLength = t;
211
+ b(this, "store");
212
+ b(this, "tokenLength");
213
+ this.store = r || new Oe(), this.tokenLength = t;
214
214
  }
215
215
  /**
216
216
  * Generate CSRF token
@@ -242,10 +242,10 @@ class Ie {
242
242
  this.store.delete(r);
243
243
  }
244
244
  }
245
- function Dr(e) {
246
- return new Ie(e);
245
+ function Vr(e) {
246
+ return new Te(e);
247
247
  }
248
- function Oe(e) {
248
+ function Ie(e) {
249
249
  if (typeof e != "string")
250
250
  return "";
251
251
  const r = {
@@ -257,13 +257,13 @@ function Oe(e) {
257
257
  };
258
258
  return e.replace(/[&<>"']/g, (t) => r[t] || t);
259
259
  }
260
- function Lr(e) {
260
+ function jr(e) {
261
261
  return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
262
262
  }
263
- function Vr(e) {
264
- return typeof e != "string" ? "" : Oe(e.trim());
263
+ function zr(e) {
264
+ return typeof e != "string" ? "" : Ie(e.trim());
265
265
  }
266
- function Mr(e) {
266
+ function $r(e) {
267
267
  return typeof e != "string" ? !1 : [
268
268
  /<script/i,
269
269
  /javascript:/i,
@@ -295,35 +295,35 @@ function Q(e, r) {
295
295
  t |= e.charCodeAt(n) ^ r.charCodeAt(n);
296
296
  return t === 0;
297
297
  }
298
- function jr(e, r) {
298
+ function Wr(e, r) {
299
299
  return Q(e, r);
300
300
  }
301
- function zr(e) {
301
+ function qr(e) {
302
302
  return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
303
303
  }
304
304
  const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
305
- function $r(e) {
305
+ function Br(e) {
306
306
  return typeof e == "string" && Pe.test(e);
307
307
  }
308
308
  function Ce(e) {
309
309
  return !e.success && !!e.error;
310
310
  }
311
- function Wr(e) {
311
+ function Hr(e) {
312
312
  return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
313
313
  }
314
- function qr(e, r) {
314
+ function Gr(e, r) {
315
315
  return e.error ? e.error : r || "Authentication failed";
316
316
  }
317
- function Br(e) {
317
+ function Kr(e) {
318
318
  return e.errorCode;
319
319
  }
320
- function Hr(e) {
320
+ function Xr(e) {
321
321
  return e.success === !0 && !!e.user;
322
322
  }
323
- function Gr(e, r) {
323
+ function Jr(e, r) {
324
324
  return e.errorCode === r;
325
325
  }
326
- function Kr(e) {
326
+ function Yr(e) {
327
327
  if (!Ce(e)) return !1;
328
328
  const r = [
329
329
  m.NETWORK_ERROR,
@@ -332,7 +332,7 @@ function Kr(e) {
332
332
  ];
333
333
  return e.errorCode ? r.includes(e.errorCode) : !1;
334
334
  }
335
- function Xr(e) {
335
+ function Qr(e) {
336
336
  if (e.error) return e.error;
337
337
  switch (e.errorCode) {
338
338
  case m.INVALID_CREDENTIALS:
@@ -360,7 +360,7 @@ function Xr(e) {
360
360
  return "An unexpected error occurred. Please try again.";
361
361
  }
362
362
  }
363
- async function Jr(e, r, t) {
363
+ async function Zr(e, r, t) {
364
364
  return e.signIn(r, t);
365
365
  }
366
366
  const Z = {
@@ -396,31 +396,31 @@ const Z = {
396
396
  function j(e) {
397
397
  return Z[e] ?? null;
398
398
  }
399
- function Yr(e) {
399
+ function et(e) {
400
400
  return e in Z;
401
401
  }
402
- function be(e, r, t, n) {
402
+ function Ne(e, r, t, n) {
403
403
  const s = j(e);
404
404
  if (!s)
405
405
  throw new Error(`Unknown OAuth provider: ${e}`);
406
406
  if (!r.clientId)
407
407
  throw new Error(`OAuth provider "${e}" is missing clientId`);
408
- const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
408
+ const o = r.redirectUri ?? `${t}/api/auth/callback/${e}`, i = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
409
409
  client_id: r.clientId,
410
- redirect_uri: i,
410
+ redirect_uri: o,
411
411
  response_type: "code",
412
- scope: Array.isArray(o) ? o.join(" ") : String(o),
412
+ scope: Array.isArray(i) ? i.join(" ") : String(i),
413
413
  state: n
414
414
  });
415
415
  if (s.defaultParams)
416
- for (const [f, l] of Object.entries(s.defaultParams))
417
- a.append(f, l);
416
+ for (const [u, l] of Object.entries(s.defaultParams))
417
+ a.append(u, l);
418
418
  if (r.params)
419
- for (const [f, l] of Object.entries(r.params))
420
- a.set(f, l);
419
+ for (const [u, l] of Object.entries(r.params))
420
+ a.set(u, l);
421
421
  return `${s.authorizationUrl}?${a.toString()}`;
422
422
  }
423
- async function Ue(e, r, t, n) {
423
+ async function be(e, r, t, n) {
424
424
  const s = j(e);
425
425
  if (!s)
426
426
  throw new Error(`Unknown OAuth provider: ${e}`);
@@ -428,41 +428,41 @@ async function Ue(e, r, t, n) {
428
428
  throw new Error("Authorization code is required");
429
429
  if (!r.clientId)
430
430
  throw new Error(`OAuth provider "${e}" is missing clientId`);
431
- const i = new URLSearchParams({
431
+ const o = new URLSearchParams({
432
432
  client_id: r.clientId,
433
433
  code: t,
434
434
  redirect_uri: n,
435
435
  grant_type: "authorization_code"
436
436
  });
437
- r.clientSecret && i.append("client_secret", r.clientSecret);
437
+ r.clientSecret && o.append("client_secret", r.clientSecret);
438
438
  try {
439
- const o = await fetch(s.tokenUrl, {
439
+ const i = await fetch(s.tokenUrl, {
440
440
  method: "POST",
441
441
  headers: {
442
442
  "Content-Type": "application/x-www-form-urlencoded",
443
443
  Accept: "application/json"
444
444
  },
445
- body: i.toString()
445
+ body: o.toString()
446
446
  });
447
- if (!o.ok) {
448
- const f = await o.text();
449
- let l = `Failed to exchange code for tokens: ${f}`;
447
+ if (!i.ok) {
448
+ const u = await i.text();
449
+ let l = `Failed to exchange code for tokens: ${u}`;
450
450
  try {
451
- const w = JSON.parse(f);
452
- l = w.error_description ?? w.error ?? l;
451
+ const g = JSON.parse(u);
452
+ l = g.error_description ?? g.error ?? l;
453
453
  } catch {
454
454
  }
455
455
  throw new Error(l);
456
456
  }
457
- const a = await o.json();
458
- if (!Ne(a))
457
+ const a = await i.json();
458
+ if (!Ue(a))
459
459
  throw new Error("Invalid token exchange response format");
460
460
  return a;
461
- } catch (o) {
462
- throw o instanceof Error ? o : new Error(`OAuth token exchange failed: ${String(o)}`);
461
+ } catch (i) {
462
+ throw i instanceof Error ? i : new Error(`OAuth token exchange failed: ${String(i)}`);
463
463
  }
464
464
  }
465
- function Ne(e) {
465
+ function Ue(e) {
466
466
  return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
467
467
  }
468
468
  async function Fe(e, r) {
@@ -479,14 +479,14 @@ async function Fe(e, r) {
479
479
  }
480
480
  });
481
481
  if (!n.ok) {
482
- const i = await n.text();
483
- let o = `Failed to fetch user info: ${i}`;
482
+ const o = await n.text();
483
+ let i = `Failed to fetch user info: ${o}`;
484
484
  try {
485
- const a = JSON.parse(i);
486
- o = a.error_description ?? a.error ?? o;
485
+ const a = JSON.parse(o);
486
+ i = a.error_description ?? a.error ?? i;
487
487
  } catch {
488
488
  }
489
- throw new Error(o);
489
+ throw new Error(i);
490
490
  }
491
491
  const s = await n.json();
492
492
  return xe(e, s, r);
@@ -501,9 +501,9 @@ async function xe(e, r, t) {
501
501
  case "github":
502
502
  return await Le(r, t);
503
503
  case "apple":
504
- return Ve(r);
505
- case "facebook":
506
504
  return Me(r);
505
+ case "facebook":
506
+ return Ve(r);
507
507
  default:
508
508
  return je(r);
509
509
  }
@@ -526,8 +526,8 @@ async function Le(e, r) {
526
526
  headers: { Authorization: `Bearer ${r}` }
527
527
  });
528
528
  if (s.ok) {
529
- const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
530
- t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
529
+ const o = await s.json(), i = o.find((a) => a.primary) ?? o[0];
530
+ t = (i == null ? void 0 : i.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: o };
531
531
  } else
532
532
  t = `${String(e.login ?? "user")}@users.noreply.github.com`;
533
533
  } catch {
@@ -542,7 +542,7 @@ async function Le(e, r) {
542
542
  rawProfile: n
543
543
  };
544
544
  }
545
- function Ve(e) {
545
+ function Me(e) {
546
546
  const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
547
547
  return {
548
548
  id: String(e.sub ?? ""),
@@ -552,7 +552,7 @@ function Ve(e) {
552
552
  rawProfile: e
553
553
  };
554
554
  }
555
- function Me(e) {
555
+ function Ve(e) {
556
556
  var t;
557
557
  const r = e.picture;
558
558
  return {
@@ -574,12 +574,100 @@ function je(e) {
574
574
  rawProfile: e
575
575
  };
576
576
  }
577
- function Qr(e) {
577
+ function rt(e) {
578
578
  return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
579
579
  }
580
- class ze {
580
+ const ze = "__mulguard_oauth_state", $e = 10 * 60 * 1e3;
581
+ function We(e) {
582
+ const r = e.cookieName || ze, t = e.ttl || $e, n = process.env.NODE_ENV === "production", s = e.secure ?? n, o = e.sameSite || "strict", i = e.cookieHandler, a = (u) => ({
583
+ httpOnly: !0,
584
+ secure: s,
585
+ sameSite: o,
586
+ maxAge: Math.floor(u / 1e3),
587
+ // Convert to seconds
588
+ path: "/"
589
+ });
590
+ return {
591
+ async set(u, l, g) {
592
+ const w = JSON.stringify({
593
+ state: u,
594
+ provider: l.provider,
595
+ expiresAt: l.expiresAt
596
+ });
597
+ await Promise.resolve(
598
+ i.setCookie(r, w, a(t))
599
+ );
600
+ },
601
+ async get(u) {
602
+ const l = await Promise.resolve(i.getCookie(r));
603
+ if (!l)
604
+ return null;
605
+ try {
606
+ const g = JSON.parse(l);
607
+ return g.state !== u ? null : g.expiresAt < Date.now() ? (await Promise.resolve(
608
+ i.deleteCookie(r, { path: "/" })
609
+ ), null) : {
610
+ provider: g.provider,
611
+ expiresAt: g.expiresAt
612
+ };
613
+ } catch {
614
+ return await Promise.resolve(
615
+ i.deleteCookie(r, { path: "/" })
616
+ ), null;
617
+ }
618
+ },
619
+ async delete(u) {
620
+ await this.get(u) && await Promise.resolve(
621
+ i.deleteCookie(r, { path: "/" })
622
+ );
623
+ },
624
+ async cleanup() {
625
+ }
626
+ };
627
+ }
628
+ function tt() {
629
+ return We({
630
+ cookieHandler: {
631
+ async getCookie(e) {
632
+ var r;
633
+ try {
634
+ const { cookies: t } = await import("next/headers");
635
+ return ((r = (await t()).get(e)) == null ? void 0 : r.value) || null;
636
+ } catch {
637
+ return null;
638
+ }
639
+ },
640
+ async setCookie(e, r, t) {
641
+ try {
642
+ const { cookies: n } = await import("next/headers");
643
+ (await n()).set(e, r, {
644
+ httpOnly: t.httpOnly ?? !0,
645
+ secure: t.secure ?? process.env.NODE_ENV === "production",
646
+ sameSite: t.sameSite || "strict",
647
+ maxAge: t.maxAge,
648
+ path: t.path || "/"
649
+ });
650
+ } catch (n) {
651
+ console.warn("[Mulguard] Failed to set OAuth state cookie:", n);
652
+ }
653
+ },
654
+ async deleteCookie(e, r) {
655
+ try {
656
+ const { cookies: t } = await import("next/headers");
657
+ (await t()).set(e, "", {
658
+ maxAge: 0,
659
+ expires: /* @__PURE__ */ new Date(0),
660
+ path: (r == null ? void 0 : r.path) || "/"
661
+ });
662
+ } catch {
663
+ }
664
+ }
665
+ }
666
+ });
667
+ }
668
+ class qe {
581
669
  constructor() {
582
- U(this, "states", /* @__PURE__ */ new Map());
670
+ b(this, "states", /* @__PURE__ */ new Map());
583
671
  }
584
672
  set(r, t, n) {
585
673
  this.states.set(r, t), this.cleanup();
@@ -597,108 +685,150 @@ class ze {
597
685
  n.expiresAt < r && this.states.delete(t);
598
686
  }
599
687
  }
600
- function $e() {
601
- return new ze();
688
+ function Be() {
689
+ return new qe();
690
+ }
691
+ function nt(e, r = "mulguard:oauth:state:") {
692
+ const t = (s) => `${r}${s}`, n = async (s) => {
693
+ const o = t(s);
694
+ await e.del(o);
695
+ };
696
+ return {
697
+ async set(s, o, i) {
698
+ const a = t(s), u = JSON.stringify(o);
699
+ await e.set(a, u, "EX", Math.floor(i / 1e3));
700
+ },
701
+ async get(s) {
702
+ const o = t(s), i = await e.get(o);
703
+ if (!i)
704
+ return null;
705
+ try {
706
+ const a = JSON.parse(i);
707
+ return a.expiresAt < Date.now() ? (await n(s), null) : a;
708
+ } catch {
709
+ return await n(s), null;
710
+ }
711
+ },
712
+ async delete(s) {
713
+ await n(s);
714
+ },
715
+ async cleanup() {
716
+ try {
717
+ const s = await e.keys(`${r}*`), o = Date.now();
718
+ for (const i of s) {
719
+ const a = await e.get(i);
720
+ if (a)
721
+ try {
722
+ JSON.parse(a).expiresAt < o && await e.del(i);
723
+ } catch {
724
+ await e.del(i);
725
+ }
726
+ }
727
+ } catch (s) {
728
+ console.warn("[Mulguard] OAuth state cleanup warning:", s);
729
+ }
730
+ }
731
+ };
602
732
  }
603
733
  function D(e) {
604
734
  return e.success === !0 && e.user !== void 0 && e.session !== void 0;
605
735
  }
606
736
  var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
607
- const We = process.env.NODE_ENV === "development" ? 0 : 1;
608
- function qe(e = {}) {
737
+ const He = process.env.NODE_ENV === "development" ? 0 : 1;
738
+ function Ge(e = {}) {
609
739
  const {
610
740
  enabled: r = process.env.NODE_ENV === "development",
611
- level: t = We,
741
+ level: t = He,
612
742
  context: n,
613
- formatter: s = Be
614
- } = e, i = (a) => r && a >= t, o = (a, f, l, w) => ({
743
+ formatter: s = Ke
744
+ } = e, o = (a) => r && a >= t, i = (a, u, l, g) => ({
615
745
  level: a,
616
- message: f,
746
+ message: u,
617
747
  timestamp: /* @__PURE__ */ new Date(),
618
748
  context: n,
619
- data: l ? He(l) : void 0,
620
- error: w
749
+ data: l ? Xe(l) : void 0,
750
+ error: g
621
751
  });
622
752
  return {
623
- debug: (a, f) => {
624
- if (i(
753
+ debug: (a, u) => {
754
+ if (o(
625
755
  0
626
756
  /* DEBUG */
627
757
  )) {
628
- const l = o(0, a, f);
758
+ const l = i(0, a, u);
629
759
  console.debug(s(l));
630
760
  }
631
761
  },
632
- info: (a, f) => {
633
- if (i(
762
+ info: (a, u) => {
763
+ if (o(
634
764
  1
635
765
  /* INFO */
636
766
  )) {
637
- const l = o(1, a, f);
767
+ const l = i(1, a, u);
638
768
  console.info(s(l));
639
769
  }
640
770
  },
641
- warn: (a, f) => {
642
- if (i(
771
+ warn: (a, u) => {
772
+ if (o(
643
773
  2
644
774
  /* WARN */
645
775
  )) {
646
- const l = o(2, a, f);
776
+ const l = i(2, a, u);
647
777
  console.warn(s(l));
648
778
  }
649
779
  },
650
- error: (a, f) => {
651
- if (i(
780
+ error: (a, u) => {
781
+ if (o(
652
782
  3
653
783
  /* ERROR */
654
784
  )) {
655
- const l = f instanceof Error ? f : void 0, w = f instanceof Error ? void 0 : f, g = o(3, a, w, l);
656
- console.error(s(g)), l && console.error(l);
785
+ const l = u instanceof Error ? u : void 0, g = u instanceof Error ? void 0 : u, w = i(3, a, g, l);
786
+ console.error(s(w)), l && console.error(l);
657
787
  }
658
788
  }
659
789
  };
660
790
  }
661
- function Be(e) {
791
+ function Ke(e) {
662
792
  const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
663
793
  return `${r} [${t}]${n} ${e.message}${s}`;
664
794
  }
665
- function He(e) {
795
+ function Xe(e) {
666
796
  const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
667
797
  for (const [n, s] of Object.entries(e))
668
798
  if (r.has(n.toLowerCase()))
669
799
  t[n] = "***REDACTED***";
670
800
  else if (typeof s == "string" && n.toLowerCase().includes("email")) {
671
- const i = s.split("@");
672
- if (i.length === 2 && i[0]) {
673
- const o = i[0].substring(0, 3) + "***@" + i[1];
674
- t[n] = o;
801
+ const o = s.split("@");
802
+ if (o.length === 2 && o[0]) {
803
+ const i = o[0].substring(0, 3) + "***@" + o[1];
804
+ t[n] = i;
675
805
  } else
676
806
  t[n] = s;
677
807
  } else
678
808
  t[n] = s;
679
809
  return t;
680
810
  }
681
- const O = qe();
682
- function Ge(e, r, t, n = {}) {
811
+ const I = Ge();
812
+ function Je(e, r, t, n = {}) {
683
813
  const {
684
814
  enabled: s = !0,
685
- maxRetries: i = 1,
686
- retryDelay: o = 1e3,
815
+ maxRetries: o = 1,
816
+ retryDelay: i = 1e3,
687
817
  rateLimit: a = 3,
688
- autoSignOutOnFailure: f = !0,
818
+ autoSignOutOnFailure: u = !0,
689
819
  redirectToLogin: l = "/login",
690
- autoRedirectOnFailure: w = !0
820
+ autoRedirectOnFailure: g = !0
691
821
  } = n;
692
- let g = null, A = !1;
822
+ let w = null, R = !1;
693
823
  const S = [], v = [], y = 60 * 1e3;
694
- let h = 0, I = !1, _ = null;
695
- const L = 2, V = 60 * 1e3;
824
+ let h = 0, T = !1, _ = null;
825
+ const L = 2, M = 60 * 1e3;
696
826
  function c() {
697
827
  const k = Date.now();
698
- if (I && _) {
828
+ if (T && _) {
699
829
  if (k < _)
700
830
  return !1;
701
- I = !1, _ = null, h = 0;
831
+ T = !1, _ = null, h = 0;
702
832
  }
703
833
  for (; v.length > 0; ) {
704
834
  const p = v[0];
@@ -709,13 +839,13 @@ function Ge(e, r, t, n = {}) {
709
839
  }
710
840
  return v.length >= a ? !1 : (v.push(k), !0);
711
841
  }
712
- function u() {
713
- h++, h >= L && (I = !0, _ = Date.now() + V, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
842
+ function f() {
843
+ h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
714
844
  }
715
845
  function d() {
716
- h = 0, I = !1, _ = null;
846
+ h = 0, T = !1, _ = null;
717
847
  }
718
- async function R(k = 1) {
848
+ async function A(k = 1) {
719
849
  if (!s)
720
850
  return null;
721
851
  if (!c())
@@ -724,12 +854,12 @@ function Ge(e, r, t, n = {}) {
724
854
  const p = await e();
725
855
  if (p)
726
856
  return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
727
- if (u(), k < i)
728
- return await $(o * k), R(k + 1);
857
+ if (f(), k < o)
858
+ return await $(i * k), A(k + 1);
729
859
  throw new Error("Token refresh failed: refresh function returned null");
730
860
  } catch (p) {
731
- if (u(), k < i && C(p))
732
- return await $(o * k), R(k + 1);
861
+ if (f(), k < o && C(p))
862
+ return await $(i * k), A(k + 1);
733
863
  throw p;
734
864
  }
735
865
  }
@@ -746,25 +876,25 @@ function Ge(e, r, t, n = {}) {
746
876
  function P(k) {
747
877
  const p = [...S];
748
878
  S.length = 0;
749
- for (const { resolve: b } of p)
750
- b(k);
879
+ for (const { resolve: N } of p)
880
+ N(k);
751
881
  }
752
882
  function z(k) {
753
883
  const p = [...S];
754
884
  S.length = 0;
755
- for (const { reject: b } of p)
756
- b(k);
885
+ for (const { reject: N } of p)
886
+ N(k);
757
887
  }
758
888
  function $(k) {
759
889
  return new Promise((p) => setTimeout(p, k));
760
890
  }
761
891
  async function W(k) {
762
892
  try {
763
- if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), f && (await t(), await r(), w && typeof window < "u")) {
893
+ if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), u && (await t(), await r(), g && typeof window < "u")) {
764
894
  let p = !0;
765
895
  if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
766
- const b = new URL(l, window.location.origin);
767
- b.searchParams.set("reason", "session_expired"), b.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = b.toString();
896
+ const N = new URL(l, window.location.origin);
897
+ N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
768
898
  }
769
899
  }
770
900
  } catch (p) {
@@ -776,22 +906,22 @@ function Ge(e, r, t, n = {}) {
776
906
  * Refresh token with single refresh queue
777
907
  */
778
908
  async refreshToken() {
779
- return s ? g || (A = !0, g = R().then((k) => (A = !1, g = null, k)).catch((k) => {
780
- throw A = !1, g = null, z(k), W(k).catch(() => {
909
+ return s ? w || (R = !0, w = A().then((k) => (R = !1, w = null, k)).catch((k) => {
910
+ throw R = !1, w = null, z(k), W(k).catch(() => {
781
911
  }), k;
782
- }), g) : null;
912
+ }), w) : null;
783
913
  },
784
914
  /**
785
915
  * Check if refresh is in progress
786
916
  */
787
917
  isRefreshing() {
788
- return A;
918
+ return R;
789
919
  },
790
920
  /**
791
921
  * Wait for current refresh to complete
792
922
  */
793
923
  async waitForRefresh() {
794
- return g ? new Promise((k, p) => {
924
+ return w ? new Promise((k, p) => {
795
925
  S.push({ resolve: k, reject: p });
796
926
  }) : null;
797
927
  },
@@ -799,7 +929,7 @@ function Ge(e, r, t, n = {}) {
799
929
  * Clear state
800
930
  */
801
931
  clear() {
802
- g = null, A = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
932
+ w = null, R = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
803
933
  },
804
934
  /**
805
935
  * Handle token refresh failure
@@ -809,7 +939,7 @@ function Ge(e, r, t, n = {}) {
809
939
  }
810
940
  };
811
941
  }
812
- function Ke() {
942
+ function Ye() {
813
943
  const e = process.env.NODE_ENV === "production";
814
944
  return {
815
945
  cookieName: "__mulguard_session",
@@ -822,7 +952,7 @@ function Ke() {
822
952
  path: "/"
823
953
  };
824
954
  }
825
- function Xe() {
955
+ function Qe() {
826
956
  return {
827
957
  enabled: !0,
828
958
  refreshThreshold: 300,
@@ -837,90 +967,90 @@ function Xe() {
837
967
  autoRedirectOnFailure: !0
838
968
  };
839
969
  }
840
- function Je() {
970
+ function Ze() {
841
971
  return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
842
972
  }
843
- function Ye(e) {
844
- const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
973
+ function er(e) {
974
+ const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: o } = e, i = r.cookieName ?? "__mulguard_session";
845
975
  let a = null;
846
- const f = async () => {
976
+ const u = async () => {
847
977
  const y = Date.now();
848
978
  if (a && y - a.timestamp < t)
849
979
  return a.session;
850
980
  if (n)
851
981
  try {
852
982
  const h = await n();
853
- if (h && N(h))
983
+ if (h && U(h))
854
984
  return a = { session: h, timestamp: y }, h;
855
- h && !N(h) && (await w(), a = null);
985
+ h && !U(h) && (await g(), a = null);
856
986
  } catch (h) {
857
- O.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
987
+ I.debug("getSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
858
988
  }
859
989
  try {
860
- const h = await ce(o);
990
+ const h = await ce(i);
861
991
  if (h)
862
992
  try {
863
- const I = JSON.parse(h);
864
- if (N(I))
865
- return I.expiresAt && new Date(I.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(I), await w(), a = null, null) : (a = { session: I, timestamp: y }, I);
866
- await w(), a = null;
993
+ const T = JSON.parse(h);
994
+ if (U(T))
995
+ return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await g(), a = null, null) : (a = { session: T, timestamp: y }, T);
996
+ await g(), a = null;
867
997
  } catch {
868
- await w(), a = null;
998
+ await g(), a = null;
869
999
  }
870
1000
  } catch (h) {
871
- const I = h instanceof Error ? h.message : String(h);
872
- !I.includes("request scope") && !I.includes("cookies") && (O.warn("getSession cookie error", { error: h }), i && await i(
1001
+ const T = h instanceof Error ? h.message : String(h);
1002
+ !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), o && await o(
873
1003
  h instanceof Error ? h : new Error(String(h)),
874
1004
  "getSession.cookie"
875
1005
  ));
876
1006
  }
877
1007
  return null;
878
1008
  }, l = async (y) => {
879
- if (!N(y))
1009
+ if (!U(y))
880
1010
  return {
881
1011
  success: !1,
882
1012
  error: "Invalid session structure"
883
1013
  };
884
1014
  try {
885
- const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), I = oe(o, h, r), _ = await ae(I);
1015
+ const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = ie(i, h, r), _ = await ae(T);
886
1016
  return _.success && (a = { session: y, timestamp: Date.now() }), _;
887
1017
  } catch (h) {
888
- const I = h instanceof Error ? h.message : "Failed to set session";
889
- return O.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
1018
+ const T = h instanceof Error ? h.message : "Failed to set session";
1019
+ return I.error("setSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "setSession"), {
890
1020
  success: !1,
891
- error: I
1021
+ error: T
892
1022
  };
893
1023
  }
894
- }, w = async () => {
1024
+ }, g = async () => {
895
1025
  try {
896
- await ie(o, {
1026
+ await oe(i, {
897
1027
  path: r.path,
898
1028
  domain: r.domain
899
1029
  }), a = null;
900
1030
  } catch (y) {
901
- O.warn("clearSessionCookie error", { error: y });
1031
+ I.warn("clearSessionCookie error", { error: y });
902
1032
  }
903
- }, g = async () => {
904
- const y = await f();
1033
+ }, w = async () => {
1034
+ const y = await u();
905
1035
  return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
906
1036
  };
907
1037
  return {
908
- getSession: f,
1038
+ getSession: u,
909
1039
  setSession: l,
910
- clearSessionCookie: w,
911
- getAccessToken: g,
1040
+ clearSessionCookie: g,
1041
+ getAccessToken: w,
912
1042
  getRefreshToken: async () => {
913
- const y = await f();
1043
+ const y = await u();
914
1044
  return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
915
1045
  },
916
- hasValidTokens: async () => !!await g(),
1046
+ hasValidTokens: async () => !!await w(),
917
1047
  clearCache: () => {
918
1048
  a = null;
919
1049
  },
920
- getSessionConfig: () => ({ cookieName: o, config: r })
1050
+ getSessionConfig: () => ({ cookieName: i, config: r })
921
1051
  };
922
1052
  }
923
- function Qe(e) {
1053
+ function rr(e) {
924
1054
  return async (r) => {
925
1055
  try {
926
1056
  if (!r || typeof r != "object")
@@ -960,18 +1090,18 @@ function Qe(e) {
960
1090
  // Don't sanitize password (needed for hashing)
961
1091
  }, s = await e.actions.signIn.email(n);
962
1092
  if (D(s)) {
963
- const i = await e.saveSessionAfterAuth(s);
964
- !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
1093
+ const o = await e.saveSessionAfterAuth(s);
1094
+ !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
965
1095
  }
966
- return s.success ? O.info("Sign in successful", {
1096
+ return s.success ? I.info("Sign in successful", {
967
1097
  email: n.email.substring(0, 3) + "***"
968
- }) : O.warn("Sign in failed", {
1098
+ }) : I.warn("Sign in failed", {
969
1099
  email: n.email.substring(0, 3) + "***",
970
1100
  errorCode: s.errorCode
971
1101
  }), s;
972
1102
  } catch (t) {
973
1103
  const n = t instanceof Error ? t.message : "Sign in failed";
974
- return O.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
1104
+ return I.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
975
1105
  t instanceof Error ? t : new Error(String(t)),
976
1106
  "signIn.email"
977
1107
  ), {
@@ -982,7 +1112,7 @@ function Qe(e) {
982
1112
  }
983
1113
  };
984
1114
  }
985
- function Ze(e, r) {
1115
+ function tr(e, r) {
986
1116
  return async (t) => {
987
1117
  if (!t || typeof t != "string")
988
1118
  throw new Error("Provider is required");
@@ -998,11 +1128,11 @@ function Ze(e, r) {
998
1128
  throw new Error(
999
1129
  "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
1000
1130
  );
1001
- const i = await e.actions.signIn.oauth(s);
1002
- return await r(i.state, s), O.info("OAuth sign in initiated", { provider: s }), i;
1131
+ const o = await e.actions.signIn.oauth(s);
1132
+ return await r(o.state, s), I.info("OAuth sign in initiated", { provider: s }), o;
1003
1133
  };
1004
1134
  }
1005
- function er(e) {
1135
+ function nr(e) {
1006
1136
  return async (r, t) => {
1007
1137
  if (!r || typeof r != "string")
1008
1138
  return {
@@ -1032,16 +1162,16 @@ function er(e) {
1032
1162
  try {
1033
1163
  const s = await e.actions.signIn.otp(n.sanitized, t);
1034
1164
  if (D(s)) {
1035
- const i = await e.saveSessionAfterAuth(s);
1036
- !i.success && i.warning && O.warn("Session save warning", { warning: i.warning });
1165
+ const o = await e.saveSessionAfterAuth(s);
1166
+ !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
1037
1167
  }
1038
- return s.success ? O.info("OTP sign in successful", {
1168
+ return s.success ? I.info("OTP sign in successful", {
1039
1169
  email: n.sanitized.substring(0, 3) + "***"
1040
- }) : O.warn("OTP sign in failed", {
1170
+ }) : I.warn("OTP sign in failed", {
1041
1171
  email: n.sanitized.substring(0, 3) + "***"
1042
1172
  }), s;
1043
1173
  } catch (s) {
1044
- return O.error("OTP sign in error", {
1174
+ return I.error("OTP sign in error", {
1045
1175
  error: s instanceof Error ? s.message : "Unknown error",
1046
1176
  context: "signIn.otp"
1047
1177
  }), e.onError && await e.onError(
@@ -1055,7 +1185,7 @@ function er(e) {
1055
1185
  }
1056
1186
  };
1057
1187
  }
1058
- function rr(e) {
1188
+ function sr(e) {
1059
1189
  return async (r) => {
1060
1190
  if (!e.actions.signIn.passkey)
1061
1191
  throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
@@ -1063,7 +1193,7 @@ function rr(e) {
1063
1193
  const t = await e.actions.signIn.passkey(r);
1064
1194
  if (D(t)) {
1065
1195
  const n = await e.saveSessionAfterAuth(t);
1066
- !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
1196
+ !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
1067
1197
  }
1068
1198
  return t;
1069
1199
  } catch (t) {
@@ -1077,38 +1207,38 @@ function rr(e) {
1077
1207
  }
1078
1208
  };
1079
1209
  }
1080
- function tr(e, r) {
1081
- const t = Qe(e), n = Ze(e, r), s = er(e), i = rr(e);
1082
- return Object.assign(async (f, l) => {
1083
- if (!f || typeof f != "string")
1210
+ function or(e, r) {
1211
+ const t = rr(e), n = tr(e, r), s = nr(e), o = sr(e);
1212
+ return Object.assign(async (u, l) => {
1213
+ if (!u || typeof u != "string")
1084
1214
  throw new Error("Provider is required");
1085
- const w = X(f, {
1215
+ const g = X(u, {
1086
1216
  maxLength: 50,
1087
1217
  allowHtml: !1,
1088
1218
  required: !0
1089
1219
  });
1090
- if (!w.valid || !w.sanitized)
1220
+ if (!g.valid || !g.sanitized)
1091
1221
  throw new Error("Invalid provider");
1092
- const g = w.sanitized.toLowerCase();
1093
- if (g === "google" || g === "github" || g === "apple" || g === "facebook" || typeof g == "string" && !["credentials", "otp", "passkey"].includes(g))
1094
- return n(g);
1095
- if (g === "credentials")
1222
+ const w = g.sanitized.toLowerCase();
1223
+ if (w === "google" || w === "github" || w === "apple" || w === "facebook" || typeof w == "string" && !["credentials", "otp", "passkey"].includes(w))
1224
+ return n(w);
1225
+ if (w === "credentials")
1096
1226
  return !l || !("email" in l) || !("password" in l) ? {
1097
1227
  success: !1,
1098
1228
  error: "Credentials are required",
1099
1229
  errorCode: m.VALIDATION_ERROR
1100
1230
  } : t(l);
1101
- if (g === "otp") {
1231
+ if (w === "otp") {
1102
1232
  if (!l || !("email" in l))
1103
1233
  return {
1104
1234
  success: !1,
1105
1235
  error: "Email is required",
1106
1236
  errorCode: m.VALIDATION_ERROR
1107
1237
  };
1108
- const A = l;
1109
- return s(A.email, A.code);
1238
+ const R = l;
1239
+ return s(R.email, R.code);
1110
1240
  }
1111
- return g === "passkey" ? i(l) : {
1241
+ return w === "passkey" ? o(l) : {
1112
1242
  success: !1,
1113
1243
  error: "Invalid provider",
1114
1244
  errorCode: m.VALIDATION_ERROR
@@ -1116,11 +1246,11 @@ function tr(e, r) {
1116
1246
  }, {
1117
1247
  email: t,
1118
1248
  oauth: e.actions.signIn.oauth ? n : void 0,
1119
- passkey: e.actions.signIn.passkey ? i : void 0,
1249
+ passkey: e.actions.signIn.passkey ? o : void 0,
1120
1250
  otp: e.actions.signIn.otp ? s : void 0
1121
1251
  });
1122
1252
  }
1123
- function nr(e) {
1253
+ function ir(e) {
1124
1254
  return async (r) => {
1125
1255
  if (!e.actions.signUp)
1126
1256
  throw new Error("Sign up is not configured. Provide signUp action in config.");
@@ -1128,7 +1258,7 @@ function nr(e) {
1128
1258
  const t = await e.actions.signUp(r);
1129
1259
  if (D(t)) {
1130
1260
  const n = await e.saveSessionAfterAuth(t);
1131
- !n.success && n.warning && O.warn("Session save warning", { warning: n.warning });
1261
+ !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
1132
1262
  }
1133
1263
  return t;
1134
1264
  } catch (t) {
@@ -1142,22 +1272,22 @@ function nr(e) {
1142
1272
  }
1143
1273
  };
1144
1274
  }
1145
- function sr(e, r) {
1275
+ function ar(e, r) {
1146
1276
  return async (t, n, s) => {
1147
- const i = e.oauthProviders[t];
1148
- if (!i)
1277
+ const o = e.oauthProviders[t];
1278
+ if (!o)
1149
1279
  return {
1150
1280
  success: !1,
1151
1281
  error: `OAuth provider "${t}" is not configured`,
1152
1282
  errorCode: m.VALIDATION_ERROR
1153
1283
  };
1154
1284
  try {
1155
- const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), f = await Fe(t, a.access_token), l = {
1156
- id: f.id,
1157
- email: f.email,
1158
- name: f.name,
1159
- avatar: f.avatar,
1160
- emailVerified: f.emailVerified,
1285
+ const i = o.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await be(t, o, n, i), u = await Fe(t, a.access_token), l = {
1286
+ id: u.id,
1287
+ email: u.email,
1288
+ name: u.name,
1289
+ avatar: u.avatar,
1290
+ emailVerified: u.emailVerified,
1161
1291
  provider: t,
1162
1292
  accessToken: a.access_token,
1163
1293
  refreshToken: a.refresh_token,
@@ -1168,36 +1298,36 @@ function sr(e, r) {
1168
1298
  token_type: a.token_type,
1169
1299
  id_token: a.id_token
1170
1300
  },
1171
- rawProfile: f.rawProfile
1301
+ rawProfile: u.rawProfile
1172
1302
  };
1173
1303
  if (e.callbacks.onOAuthUser) {
1174
- const w = await q(
1304
+ const g = await q(
1175
1305
  e.callbacks.onOAuthUser,
1176
1306
  [l, t],
1177
1307
  e.onError
1178
1308
  );
1179
- if (!w)
1309
+ if (!g)
1180
1310
  return {
1181
1311
  success: !1,
1182
1312
  error: "Failed to create or retrieve user",
1183
1313
  errorCode: m.VALIDATION_ERROR
1184
1314
  };
1185
- const g = e.createSession(w, l, a);
1186
- return await e.saveSession(g), e.callbacks.onSignIn && await q(
1315
+ const w = e.createSession(g, l, a);
1316
+ return await e.saveSession(w), e.callbacks.onSignIn && await q(
1187
1317
  e.callbacks.onSignIn,
1188
- [g.user, g],
1318
+ [w.user, w],
1189
1319
  e.onError
1190
- ), { success: !0, user: g.user, session: g };
1320
+ ), { success: !0, user: w.user, session: w };
1191
1321
  }
1192
1322
  return {
1193
1323
  success: !1,
1194
1324
  error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
1195
1325
  errorCode: m.VALIDATION_ERROR
1196
1326
  };
1197
- } catch (o) {
1198
- return O.error("OAuth callback failed", { provider: t, error: o }), {
1327
+ } catch (i) {
1328
+ return I.error("OAuth callback failed", { provider: t, error: i }), {
1199
1329
  success: !1,
1200
- error: o instanceof Error ? o.message : "OAuth callback failed",
1330
+ error: i instanceof Error ? i.message : "OAuth callback failed",
1201
1331
  errorCode: m.NETWORK_ERROR
1202
1332
  };
1203
1333
  }
@@ -1214,62 +1344,62 @@ async function q(e, r, t) {
1214
1344
  ), n;
1215
1345
  }
1216
1346
  }
1217
- function ir(e, r, t, n) {
1347
+ function cr(e, r, t, n) {
1218
1348
  if (Object.keys(e).length !== 0)
1219
1349
  return async (s) => {
1220
- const i = e[s];
1221
- if (!i)
1350
+ const o = e[s];
1351
+ if (!o)
1222
1352
  throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
1223
- if (!i.clientId)
1353
+ if (!o.clientId)
1224
1354
  throw new Error(`OAuth provider "${s}" is missing clientId`);
1225
- const o = t();
1226
- return { url: n(s, i, r, o), state: o };
1355
+ const i = t();
1356
+ return { url: n(s, o, r, i), state: i };
1227
1357
  };
1228
1358
  }
1229
- function Zr(e) {
1230
- var L, V;
1359
+ function st(e) {
1360
+ var L, M;
1231
1361
  const r = {
1232
- ...Ke(),
1362
+ ...Ye(),
1233
1363
  ...e.session
1234
- }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, i = Je(), o = {
1235
- ...Xe(),
1364
+ }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, o = Ze(), i = {
1365
+ ...Qe(),
1236
1366
  ...e.tokenRefresh
1237
- }, a = ((V = e.session) == null ? void 0 : V.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, f = e.oauthStateStore || $e(), l = { ...t }, w = async (c, u) => {
1367
+ }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, u = e.oauthStateStore || Be(), l = { ...t }, g = async (c, f) => {
1238
1368
  const d = {
1239
- provider: u,
1369
+ provider: f,
1240
1370
  expiresAt: Date.now() + 6e5
1241
1371
  // 10 minutes
1242
1372
  };
1243
- await Promise.resolve(f.set(c, d, 10 * 60 * 1e3)), f.cleanup && await Promise.resolve(f.cleanup());
1244
- }, g = async (c, u) => {
1245
- const d = await Promise.resolve(f.get(c));
1246
- return d ? d.expiresAt < Date.now() ? (await Promise.resolve(f.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(f.delete(c)), !0) : !1;
1247
- }, A = ir(
1373
+ await Promise.resolve(u.set(c, d, 10 * 60 * 1e3)), u.cleanup && await Promise.resolve(u.cleanup());
1374
+ }, w = async (c, f) => {
1375
+ const d = await Promise.resolve(u.get(c));
1376
+ return d ? d.expiresAt < Date.now() ? (await Promise.resolve(u.delete(c)), !1) : d.provider !== f ? !1 : (await Promise.resolve(u.delete(c)), !0) : !1;
1377
+ }, R = cr(
1248
1378
  s,
1249
- i,
1379
+ o,
1250
1380
  _e,
1251
- be
1381
+ Ne
1252
1382
  );
1253
- if (A && !l.signIn.oauth) {
1383
+ if (R && !l.signIn.oauth) {
1254
1384
  const c = l.signIn;
1255
1385
  l.signIn = {
1256
1386
  ...c,
1257
- oauth: async (u) => {
1258
- const d = await A(u);
1259
- return await w(d.state, u), d;
1387
+ oauth: async (f) => {
1388
+ const d = await R(f);
1389
+ return await g(d.state, f), d;
1260
1390
  }
1261
1391
  };
1262
1392
  }
1263
1393
  if (!l.signIn || !l.signIn.email)
1264
1394
  throw new Error("mulguard: signIn.email action is required");
1265
- const S = async (c, ...u) => {
1395
+ const S = async (c, ...f) => {
1266
1396
  if (c)
1267
1397
  try {
1268
- return await c(...u);
1398
+ return await c(...f);
1269
1399
  } catch (d) {
1270
1400
  throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
1271
1401
  }
1272
- }, v = Ye({
1402
+ }, v = er({
1273
1403
  sessionConfig: r,
1274
1404
  cacheTtl: a,
1275
1405
  getSessionAction: t.getSession,
@@ -1278,44 +1408,44 @@ function Zr(e) {
1278
1408
  }), y = async (c) => {
1279
1409
  if (!D(c) || !c.session)
1280
1410
  return { success: !0 };
1281
- const u = await v.setSession(c.session);
1282
- return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), u;
1411
+ const f = await v.setSession(c.session);
1412
+ return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), f;
1283
1413
  };
1284
1414
  if (Object.keys(s).length > 0 && !l.oauthCallback) {
1285
- const c = sr(
1415
+ const c = ar(
1286
1416
  {
1287
1417
  oauthProviders: s,
1288
- baseUrl: i,
1418
+ baseUrl: o,
1289
1419
  callbacks: n,
1290
- createSession: (u, d, R) => ({
1420
+ createSession: (f, d, A) => ({
1291
1421
  user: {
1292
- ...u,
1422
+ ...f,
1293
1423
  avatar: d.avatar,
1294
1424
  emailVerified: d.emailVerified
1295
1425
  },
1296
1426
  expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
1297
- accessToken: R.access_token,
1298
- refreshToken: R.refresh_token,
1427
+ accessToken: A.access_token,
1428
+ refreshToken: A.refresh_token,
1299
1429
  tokenType: "Bearer",
1300
- expiresIn: R.expires_in
1430
+ expiresIn: A.expires_in
1301
1431
  }),
1302
- saveSession: async (u) => {
1303
- await v.setSession(u);
1432
+ saveSession: async (f) => {
1433
+ await v.setSession(f);
1304
1434
  },
1305
1435
  onError: n.onError
1306
1436
  }
1307
1437
  );
1308
1438
  l.oauthCallback = c;
1309
1439
  }
1310
- const h = tr(
1440
+ const h = or(
1311
1441
  {
1312
1442
  actions: l,
1313
1443
  callbacks: n,
1314
1444
  saveSessionAfterAuth: y,
1315
1445
  onError: n.onError
1316
1446
  },
1317
- w
1318
- ), I = nr({
1447
+ g
1448
+ ), T = ir({
1319
1449
  actions: l,
1320
1450
  callbacks: n,
1321
1451
  saveSessionAfterAuth: y,
@@ -1354,17 +1484,17 @@ function Zr(e) {
1354
1484
  * Sign up new user
1355
1485
  */
1356
1486
  async signUp(c) {
1357
- if (!I)
1487
+ if (!T)
1358
1488
  throw new Error("Sign up is not configured. Provide signUp action in config.");
1359
- return await I(c);
1489
+ return await T(c);
1360
1490
  },
1361
1491
  /**
1362
1492
  * Sign out
1363
1493
  */
1364
1494
  async signOut() {
1365
1495
  try {
1366
- const c = await this.getSession(), u = c == null ? void 0 : c.user;
1367
- return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), u && n.onSignOut && await S(n.onSignOut, u), { success: !0 };
1496
+ const c = await this.getSession(), f = c == null ? void 0 : c.user;
1497
+ return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), f && n.onSignOut && await S(n.onSignOut, f), { success: !0 };
1368
1498
  } catch (c) {
1369
1499
  return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
1370
1500
  success: !1,
@@ -1380,10 +1510,10 @@ function Zr(e) {
1380
1510
  throw new Error("Password reset is not configured. Provide resetPassword action in config.");
1381
1511
  try {
1382
1512
  return await t.resetPassword(c);
1383
- } catch (u) {
1384
- return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "resetPassword"), {
1513
+ } catch (f) {
1514
+ return n.onError && await S(n.onError, f instanceof Error ? f : new Error(String(f)), "resetPassword"), {
1385
1515
  success: !1,
1386
- error: u instanceof Error ? u.message : "Password reset failed"
1516
+ error: f instanceof Error ? f.message : "Password reset failed"
1387
1517
  };
1388
1518
  }
1389
1519
  },
@@ -1395,10 +1525,10 @@ function Zr(e) {
1395
1525
  throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
1396
1526
  try {
1397
1527
  return await t.verifyEmail(c);
1398
- } catch (u) {
1399
- return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "verifyEmail"), {
1528
+ } catch (f) {
1529
+ return n.onError && await S(n.onError, f instanceof Error ? f : new Error(String(f)), "verifyEmail"), {
1400
1530
  success: !1,
1401
- error: u instanceof Error ? u.message : "Email verification failed"
1531
+ error: f instanceof Error ? f.message : "Email verification failed"
1402
1532
  };
1403
1533
  }
1404
1534
  },
@@ -1411,23 +1541,23 @@ function Zr(e) {
1411
1541
  return this.getSession();
1412
1542
  try {
1413
1543
  const c = await t.refreshSession();
1414
- if (c && N(c)) {
1544
+ if (c && U(c)) {
1415
1545
  if (await v.setSession(c), n.onSessionUpdate) {
1416
- const u = await S(n.onSessionUpdate, c);
1417
- if (u && N(u)) {
1418
- if (await v.setSession(u), n.onTokenRefresh) {
1546
+ const f = await S(n.onSessionUpdate, c);
1547
+ if (f && U(f)) {
1548
+ if (await v.setSession(f), n.onTokenRefresh) {
1419
1549
  const d = await this.getSession();
1420
- d && await S(n.onTokenRefresh, d, u);
1550
+ d && await S(n.onTokenRefresh, d, f);
1421
1551
  }
1422
- return u;
1552
+ return f;
1423
1553
  }
1424
1554
  }
1425
1555
  if (n.onTokenRefresh) {
1426
- const u = await this.getSession();
1427
- u && await S(n.onTokenRefresh, u, c);
1556
+ const f = await this.getSession();
1557
+ f && await S(n.onTokenRefresh, f, c);
1428
1558
  }
1429
1559
  return c;
1430
- } else if (c && !N(c))
1560
+ } else if (c && !U(c))
1431
1561
  return await v.clearSessionCookie(), v.clearCache(), null;
1432
1562
  return null;
1433
1563
  } catch (c) {
@@ -1438,22 +1568,22 @@ function Zr(e) {
1438
1568
  * OAuth callback handler
1439
1569
  * ✅ Auto-generated if providers.oauth is configured in config
1440
1570
  */
1441
- async oauthCallback(c, u, d) {
1571
+ async oauthCallback(c, f, d) {
1442
1572
  if (!l.oauthCallback)
1443
1573
  throw new Error(
1444
1574
  "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
1445
1575
  );
1446
- if (!u || !d)
1576
+ if (!f || !d)
1447
1577
  return {
1448
1578
  success: !1,
1449
1579
  error: "Missing required OAuth parameters (code or state)",
1450
1580
  errorCode: m.VALIDATION_ERROR
1451
1581
  };
1452
- let R = c;
1453
- if (!R) {
1454
- const P = await Promise.resolve(f.get(d));
1582
+ let A = c;
1583
+ if (!A) {
1584
+ const P = await Promise.resolve(u.get(d));
1455
1585
  if (P && P.provider)
1456
- R = P.provider;
1586
+ A = P.provider;
1457
1587
  else
1458
1588
  return {
1459
1589
  success: !1,
@@ -1461,14 +1591,14 @@ function Zr(e) {
1461
1591
  errorCode: m.VALIDATION_ERROR
1462
1592
  };
1463
1593
  }
1464
- if (!await g(d, R))
1594
+ if (!await w(d, A))
1465
1595
  return {
1466
1596
  success: !1,
1467
1597
  error: "Invalid or expired state parameter",
1468
1598
  errorCode: m.VALIDATION_ERROR
1469
1599
  };
1470
1600
  try {
1471
- return await l.oauthCallback(R, u, d);
1601
+ return await l.oauthCallback(A, f, d);
1472
1602
  } catch (P) {
1473
1603
  return n.onError && await S(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
1474
1604
  success: !1,
@@ -1481,19 +1611,19 @@ function Zr(e) {
1481
1611
  * Verify 2FA code after initial sign in
1482
1612
  * Used when signIn returns requires2FA: true
1483
1613
  */
1484
- async verify2FA(c, u) {
1614
+ async verify2FA(c, f) {
1485
1615
  if (!t.verify2FA)
1486
1616
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1487
1617
  try {
1488
1618
  const d = await t.verify2FA(c);
1489
- if (d.success && d.session && !(u != null && u.skipCookieSave)) {
1490
- const R = await y(d);
1491
- R.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after verify2FA", {
1492
- error: R.error,
1493
- warning: R.warning
1619
+ if (d.success && d.session && !(f != null && f.skipCookieSave)) {
1620
+ const A = await y(d);
1621
+ A.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
1622
+ error: A.error,
1623
+ warning: A.warning
1494
1624
  }), n.onError && await S(
1495
1625
  n.onError,
1496
- new Error(R.warning || R.error || "Failed to save session cookie"),
1626
+ new Error(A.warning || A.error || "Failed to save session cookie"),
1497
1627
  "verify2FA.setSession"
1498
1628
  ));
1499
1629
  }
@@ -1524,14 +1654,24 @@ function Zr(e) {
1524
1654
  _getCallbacks() {
1525
1655
  return n;
1526
1656
  },
1657
+ /**
1658
+ * Store OAuth state for validation (useful when using external backend API)
1659
+ * This allows storing state generated by backend APIs in mulguard's state store
1660
+ *
1661
+ * @param state - OAuth state token
1662
+ * @param provider - OAuth provider name
1663
+ */
1664
+ async storeOAuthState(c, f) {
1665
+ await g(c, f);
1666
+ },
1527
1667
  /**
1528
1668
  * PassKey methods
1529
1669
  */
1530
1670
  passkey: t.passkey ? {
1531
1671
  register: t.passkey.register,
1532
1672
  authenticate: async (c) => {
1533
- var u;
1534
- if (!((u = t.passkey) != null && u.authenticate))
1673
+ var f;
1674
+ if (!((f = t.passkey) != null && f.authenticate))
1535
1675
  throw new Error("PassKey authenticate is not configured.");
1536
1676
  try {
1537
1677
  const d = await t.passkey.authenticate(c);
@@ -1544,8 +1684,8 @@ function Zr(e) {
1544
1684
  }
1545
1685
  },
1546
1686
  list: t.passkey.list ? async () => {
1547
- var u;
1548
- if (!((u = t.passkey) != null && u.list))
1687
+ var f;
1688
+ if (!((f = t.passkey) != null && f.list))
1549
1689
  throw new Error("PassKey list is not configured.");
1550
1690
  return [...await t.passkey.list()];
1551
1691
  } : void 0,
@@ -1562,14 +1702,14 @@ function Zr(e) {
1562
1702
  isEnabled: t.twoFactor.isEnabled,
1563
1703
  verify2FA: async (c) => {
1564
1704
  var d;
1565
- const u = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
1566
- if (!u)
1705
+ const f = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
1706
+ if (!f)
1567
1707
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1568
1708
  try {
1569
- const R = await u(c);
1570
- if (R.success && R.session) {
1571
- const C = await y(R);
1572
- C.success || (process.env.NODE_ENV === "development" && O.debug("Failed to save session cookie after twoFactor.verify2FA", {
1709
+ const A = await f(c);
1710
+ if (A.success && A.session) {
1711
+ const C = await y(A);
1712
+ C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
1573
1713
  error: C.error,
1574
1714
  warning: C.warning
1575
1715
  }), n.onError && await S(
@@ -1578,11 +1718,11 @@ function Zr(e) {
1578
1718
  "twoFactor.verify2FA.setSession"
1579
1719
  ));
1580
1720
  }
1581
- return R;
1582
- } catch (R) {
1583
- return n.onError && await S(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
1721
+ return A;
1722
+ } catch (A) {
1723
+ return n.onError && await S(n.onError, A instanceof Error ? A : new Error(String(A)), "twoFactor.verify2FA"), {
1584
1724
  success: !1,
1585
- error: R instanceof Error ? R.message : "2FA verification failed",
1725
+ error: A instanceof Error ? A.message : "2FA verification failed",
1586
1726
  errorCode: m.UNKNOWN_ERROR
1587
1727
  };
1588
1728
  }
@@ -1594,61 +1734,61 @@ function Zr(e) {
1594
1734
  signInMethods: {
1595
1735
  email: (c) => h.email(c),
1596
1736
  oauth: (c) => {
1597
- var u;
1598
- return ((u = h.oauth) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
1737
+ var f;
1738
+ return ((f = h.oauth) == null ? void 0 : f.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
1599
1739
  },
1600
1740
  passkey: (c) => {
1601
- var u;
1602
- return ((u = h.passkey) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
1741
+ var f;
1742
+ return ((f = h.passkey) == null ? void 0 : f.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
1603
1743
  },
1604
- otp: (c, u) => {
1744
+ otp: (c, f) => {
1605
1745
  var d;
1606
- return ((d = h.otp) == null ? void 0 : d.call(h, c, u)) || Promise.reject(new Error("OTP not configured"));
1746
+ return ((d = h.otp) == null ? void 0 : d.call(h, c, f)) || Promise.reject(new Error("OTP not configured"));
1607
1747
  }
1608
1748
  }
1609
1749
  };
1610
1750
  if (t.refreshSession) {
1611
- const c = Ge(
1751
+ const c = Je(
1612
1752
  async () => await _.refreshSession(),
1613
1753
  async () => await _.signOut(),
1614
1754
  async () => {
1615
1755
  await v.clearSessionCookie(), v.clearCache();
1616
1756
  },
1617
1757
  {
1618
- ...o,
1619
- onTokenRefreshed: o.onTokenRefreshed,
1620
- onTokenRefreshFailed: o.onTokenRefreshFailed,
1621
- onBeforeRedirect: o.onBeforeRedirect
1758
+ ...i,
1759
+ onTokenRefreshed: i.onTokenRefreshed,
1760
+ onTokenRefreshFailed: i.onTokenRefreshFailed,
1761
+ onBeforeRedirect: i.onBeforeRedirect
1622
1762
  }
1623
1763
  );
1624
1764
  _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
1625
1765
  }
1626
1766
  return _;
1627
1767
  }
1628
- function et(e) {
1768
+ function ot(e) {
1629
1769
  return {
1630
1770
  GET: async (r) => B(r, e, "GET"),
1631
1771
  POST: async (r) => B(r, e, "POST")
1632
1772
  };
1633
1773
  }
1634
1774
  async function B(e, r, t) {
1635
- const n = new URL(e.url), s = or(n.pathname), i = s.split("/").filter(Boolean);
1775
+ const n = new URL(e.url), s = ur(n.pathname), o = s.split("/").filter(Boolean);
1636
1776
  try {
1637
- return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : T("Method not allowed", 405);
1638
- } catch (o) {
1639
- return T(
1640
- o instanceof Error ? o.message : "Request failed",
1777
+ return t === "GET" ? await lr(e, r, s, o, n) : t === "POST" ? await fr(e, r, s, o, n) : O("Method not allowed", 405);
1778
+ } catch (i) {
1779
+ return O(
1780
+ i instanceof Error ? i.message : "Request failed",
1641
1781
  500
1642
1782
  );
1643
1783
  }
1644
1784
  }
1645
- function or(e) {
1785
+ function ur(e) {
1646
1786
  return e.replace(/^\/api\/auth/, "") || "/session";
1647
1787
  }
1648
- async function ar(e, r, t, n, s) {
1788
+ async function lr(e, r, t, n, s) {
1649
1789
  if (t === "/session" || t === "/") {
1650
- const i = await r.getSession();
1651
- return E.json({ session: i });
1790
+ const o = await r.getSession();
1791
+ return E.json({ session: o });
1652
1792
  }
1653
1793
  return t === "/providers" ? E.json({
1654
1794
  providers: {
@@ -1656,13 +1796,13 @@ async function ar(e, r, t, n, s) {
1656
1796
  oauth: !!r.signIn.oauth,
1657
1797
  passkey: !!r.signIn.passkey
1658
1798
  }
1659
- }) : re(t, n) ? await te(e, r, t, n, s, "GET") : T("Not found", 404);
1799
+ }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
1660
1800
  }
1661
- async function cr(e, r, t, n, s) {
1662
- const i = await ur(e);
1663
- return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : T("Not found", 404);
1801
+ async function fr(e, r, t, n, s) {
1802
+ const o = await dr(e);
1803
+ return t === "/sign-in" || n[0] === "sign-in" ? await gr(r, o) : t === "/sign-up" || n[0] === "sign-up" ? await wr(r, o) : t === "/sign-out" || n[0] === "sign-out" ? await pr(r) : t === "/reset-password" || n[0] === "reset-password" ? await mr(r, o) : t === "/verify-email" || n[0] === "verify-email" ? await Er(r, o) : t === "/refresh" || n[0] === "refresh" ? await yr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", o) : t.startsWith("/passkey") ? await vr(r, t, n, o) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await kr(r, o) : t.startsWith("/two-factor") ? await Sr(r, n, o) : O("Not found", 404);
1664
1804
  }
1665
- async function ur(e) {
1805
+ async function dr(e) {
1666
1806
  try {
1667
1807
  return await e.json();
1668
1808
  } catch {
@@ -1672,23 +1812,23 @@ async function ur(e) {
1672
1812
  function re(e, r) {
1673
1813
  return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
1674
1814
  }
1675
- async function te(e, r, t, n, s, i, o) {
1815
+ async function te(e, r, t, n, s, o, i) {
1676
1816
  if (!r.oauthCallback)
1677
- return i === "GET" ? M(e.url, "oauth_not_configured") : T("OAuth callback is not configured", 400);
1678
- const a = lr(n, s, o), f = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), l = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
1679
- if (!f || !l)
1680
- return i === "GET" ? M(e.url, "oauth_missing_params") : T("Missing required OAuth parameters. Code and state are required.", 400);
1817
+ return o === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
1818
+ const a = hr(n, s, i), u = (i == null ? void 0 : i.code) ?? s.searchParams.get("code"), l = (i == null ? void 0 : i.state) ?? s.searchParams.get("state");
1819
+ if (!u || !l)
1820
+ return o === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
1681
1821
  try {
1682
- const w = await r.oauthCallback(a ?? "", f, l);
1683
- return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : M(e.url, w.error ?? "oauth_failed") : E.json(w);
1684
- } catch (w) {
1685
- return i === "GET" ? M(e.url, w instanceof Error ? w.message : "oauth_error") : T(w instanceof Error ? w.message : "OAuth callback failed", 500);
1822
+ const g = await r.oauthCallback(a ?? "", u, l);
1823
+ return o === "GET" ? g.success ? Ar(e.url, s.searchParams.get("callbackUrl")) : V(e.url, g.error ?? "oauth_failed") : E.json(g);
1824
+ } catch (g) {
1825
+ return o === "GET" ? V(e.url, g instanceof Error ? g.message : "oauth_error") : O(g instanceof Error ? g.message : "OAuth callback failed", 500);
1686
1826
  }
1687
1827
  }
1688
- function lr(e, r, t) {
1828
+ function hr(e, r, t) {
1689
1829
  return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
1690
1830
  }
1691
- async function fr(e, r) {
1831
+ async function gr(e, r) {
1692
1832
  if (r.provider === "email" && r.email && r.password) {
1693
1833
  const t = {
1694
1834
  email: r.email,
@@ -1698,45 +1838,45 @@ async function fr(e, r) {
1698
1838
  }
1699
1839
  if (r.provider === "oauth" && r.providerName) {
1700
1840
  if (!e.signIn.oauth)
1701
- return T("OAuth is not configured", 400);
1841
+ return O("OAuth is not configured", 400);
1702
1842
  const t = await e.signIn.oauth(r.providerName);
1703
1843
  return E.json(t);
1704
1844
  }
1705
1845
  if (r.provider === "passkey") {
1706
1846
  if (!e.signIn.passkey)
1707
- return T("PassKey is not configured", 400);
1847
+ return O("PassKey is not configured", 400);
1708
1848
  const t = await e.signIn.passkey(r.options);
1709
1849
  return E.json(t);
1710
1850
  }
1711
- return T("Invalid sign in request", 400);
1851
+ return O("Invalid sign in request", 400);
1712
1852
  }
1713
- async function dr(e, r) {
1853
+ async function wr(e, r) {
1714
1854
  if (!e.signUp)
1715
- return T("Sign up is not configured", 400);
1855
+ return O("Sign up is not configured", 400);
1716
1856
  const t = await e.signUp(r);
1717
1857
  return E.json(t);
1718
1858
  }
1719
- async function hr(e) {
1859
+ async function pr(e) {
1720
1860
  const r = await e.signOut();
1721
1861
  return E.json(r);
1722
1862
  }
1723
- async function gr(e, r) {
1863
+ async function mr(e, r) {
1724
1864
  if (!e.resetPassword)
1725
- return T("Password reset is not configured", 400);
1865
+ return O("Password reset is not configured", 400);
1726
1866
  if (!r.email || typeof r.email != "string")
1727
- return T("Email is required", 400);
1867
+ return O("Email is required", 400);
1728
1868
  const t = await e.resetPassword(r.email);
1729
1869
  return E.json(t);
1730
1870
  }
1731
- async function wr(e, r) {
1871
+ async function Er(e, r) {
1732
1872
  if (!e.verifyEmail)
1733
- return T("Email verification is not configured", 400);
1873
+ return O("Email verification is not configured", 400);
1734
1874
  if (!r.token || typeof r.token != "string")
1735
- return T("Token is required", 400);
1875
+ return O("Token is required", 400);
1736
1876
  const t = await e.verifyEmail(r.token);
1737
1877
  return E.json(t);
1738
1878
  }
1739
- async function pr(e) {
1879
+ async function yr(e) {
1740
1880
  if (!e.refreshSession) {
1741
1881
  const t = await e.getSession();
1742
1882
  return E.json({ session: t });
@@ -1744,11 +1884,11 @@ async function pr(e) {
1744
1884
  const r = await e.refreshSession();
1745
1885
  return E.json({ session: r });
1746
1886
  }
1747
- async function mr(e, r) {
1887
+ async function kr(e, r) {
1748
1888
  if (!e.verify2FA)
1749
- return T("2FA verification is not configured", 400);
1889
+ return O("2FA verification is not configured", 400);
1750
1890
  if (!r.email || !r.userId || !r.code)
1751
- return T("Missing required parameters. Email, userId, and code are required.", 400);
1891
+ return O("Missing required parameters. Email, userId, and code are required.", 400);
1752
1892
  const t = {
1753
1893
  email: r.email,
1754
1894
  userId: r.userId,
@@ -1756,29 +1896,29 @@ async function mr(e, r) {
1756
1896
  }, n = await e.verify2FA(t);
1757
1897
  return E.json(n);
1758
1898
  }
1759
- async function Er(e, r, t, n) {
1899
+ async function vr(e, r, t, n) {
1760
1900
  if (!e.passkey)
1761
- return T("PassKey is not configured", 400);
1901
+ return O("PassKey is not configured", 400);
1762
1902
  const s = t[1];
1763
1903
  if (s === "register" && e.passkey.register) {
1764
- const i = await e.passkey.register(n.options);
1765
- return E.json(i);
1904
+ const o = await e.passkey.register(n.options);
1905
+ return E.json(o);
1766
1906
  }
1767
1907
  if (s === "list" && e.passkey.list) {
1768
- const i = await e.passkey.list();
1769
- return E.json(i);
1908
+ const o = await e.passkey.list();
1909
+ return E.json(o);
1770
1910
  }
1771
1911
  if (s === "remove" && e.passkey.remove) {
1772
1912
  if (!n.passkeyId || typeof n.passkeyId != "string")
1773
- return T("Passkey ID is required", 400);
1774
- const i = await e.passkey.remove(n.passkeyId);
1775
- return E.json(i);
1913
+ return O("Passkey ID is required", 400);
1914
+ const o = await e.passkey.remove(n.passkeyId);
1915
+ return E.json(o);
1776
1916
  }
1777
- return T("Invalid Passkey request", 400);
1917
+ return O("Invalid Passkey request", 400);
1778
1918
  }
1779
- async function yr(e, r, t) {
1919
+ async function Sr(e, r, t) {
1780
1920
  if (!e.twoFactor)
1781
- return T("Two-Factor Authentication is not configured", 400);
1921
+ return O("Two-Factor Authentication is not configured", 400);
1782
1922
  const n = r[1];
1783
1923
  if (n === "enable" && e.twoFactor.enable) {
1784
1924
  const s = await e.twoFactor.enable();
@@ -1786,7 +1926,7 @@ async function yr(e, r, t) {
1786
1926
  }
1787
1927
  if (n === "verify" && e.twoFactor.verify) {
1788
1928
  if (!t.code || typeof t.code != "string")
1789
- return T("Code is required", 400);
1929
+ return O("Code is required", 400);
1790
1930
  const s = await e.twoFactor.verify(t.code);
1791
1931
  return E.json(s);
1792
1932
  }
@@ -1802,9 +1942,9 @@ async function yr(e, r, t) {
1802
1942
  const s = await e.twoFactor.isEnabled();
1803
1943
  return E.json({ enabled: s });
1804
1944
  }
1805
- return T("Invalid two-factor request", 400);
1945
+ return O("Invalid two-factor request", 400);
1806
1946
  }
1807
- function T(e, r) {
1947
+ function O(e, r) {
1808
1948
  return E.json(
1809
1949
  {
1810
1950
  success: !1,
@@ -1813,55 +1953,55 @@ function T(e, r) {
1813
1953
  { status: r }
1814
1954
  );
1815
1955
  }
1816
- function M(e, r) {
1956
+ function V(e, r) {
1817
1957
  return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
1818
1958
  }
1819
- function kr(e, r) {
1959
+ function Ar(e, r) {
1820
1960
  const t = r ?? "/";
1821
1961
  return E.redirect(new URL(t, e));
1822
1962
  }
1823
- function rt(e) {
1963
+ function it(e) {
1824
1964
  return async (r) => {
1825
- const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
1965
+ const { method: t, nextUrl: n } = r, o = n.pathname.replace(/^\/api\/auth/, "") || "/";
1826
1966
  try {
1827
- let o;
1967
+ let i;
1828
1968
  if (t !== "GET" && t !== "HEAD")
1829
1969
  try {
1830
- o = await r.json();
1970
+ i = await r.json();
1831
1971
  } catch {
1832
1972
  }
1833
- const a = Object.fromEntries(n.searchParams.entries()), f = await fetch(
1834
- `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
1973
+ const a = Object.fromEntries(n.searchParams.entries()), u = await fetch(
1974
+ `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${o}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
1835
1975
  {
1836
1976
  method: t,
1837
1977
  headers: {
1838
1978
  "Content-Type": "application/json",
1839
1979
  ...Object.fromEntries(r.headers.entries())
1840
1980
  },
1841
- body: o ? JSON.stringify(o) : void 0
1981
+ body: i ? JSON.stringify(i) : void 0
1842
1982
  }
1843
- ), l = await f.json();
1983
+ ), l = await u.json();
1844
1984
  return E.json(l, {
1845
- status: f.status,
1985
+ status: u.status,
1846
1986
  headers: {
1847
- ...Object.fromEntries(f.headers.entries())
1987
+ ...Object.fromEntries(u.headers.entries())
1848
1988
  }
1849
1989
  });
1850
- } catch (o) {
1851
- return console.error("API handler error:", o), E.json(
1990
+ } catch (i) {
1991
+ return console.error("API handler error:", i), E.json(
1852
1992
  {
1853
1993
  success: !1,
1854
- error: o instanceof Error ? o.message : "Internal server error"
1994
+ error: i instanceof Error ? i.message : "Internal server error"
1855
1995
  },
1856
1996
  { status: 500 }
1857
1997
  );
1858
1998
  }
1859
1999
  };
1860
2000
  }
1861
- function tt(e) {
2001
+ function at(e) {
1862
2002
  return async (r) => {
1863
- const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), i = t.get("state");
1864
- if (!n || !s || !i)
2003
+ const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), o = t.get("state");
2004
+ if (!n || !s || !o)
1865
2005
  return E.redirect(
1866
2006
  new URL("/login?error=oauth_missing_params", r.url)
1867
2007
  );
@@ -1870,20 +2010,20 @@ function tt(e) {
1870
2010
  return E.redirect(
1871
2011
  new URL("/login?error=oauth_not_configured", r.url)
1872
2012
  );
1873
- const o = await e.oauthCallback(n, s, i);
1874
- if (o.success) {
2013
+ const i = await e.oauthCallback(n, s, o);
2014
+ if (i.success) {
1875
2015
  const a = t.get("callbackUrl") || "/";
1876
2016
  return E.redirect(new URL(a, r.url));
1877
2017
  } else {
1878
- const a = o.errorCode ? `${encodeURIComponent(o.error || "oauth_failed")}&code=${o.errorCode}` : encodeURIComponent(o.error || "oauth_failed");
2018
+ const a = i.errorCode ? `${encodeURIComponent(i.error || "oauth_failed")}&code=${i.errorCode}` : encodeURIComponent(i.error || "oauth_failed");
1879
2019
  return E.redirect(
1880
2020
  new URL(`/login?error=${a}`, r.url)
1881
2021
  );
1882
2022
  }
1883
- } catch (o) {
1884
- return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", o), E.redirect(
2023
+ } catch (i) {
2024
+ return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", i), E.redirect(
1885
2025
  new URL(
1886
- `/login?error=${encodeURIComponent(o instanceof Error ? o.message : "oauth_error")}`,
2026
+ `/login?error=${encodeURIComponent(i instanceof Error ? i.message : "oauth_error")}`,
1887
2027
  r.url
1888
2028
  )
1889
2029
  );
@@ -1900,42 +2040,42 @@ function F(e, r) {
1900
2040
  s && typeof s == "string" && r.headers.set(n, s);
1901
2041
  return r;
1902
2042
  }
1903
- function nt() {
2043
+ function ct() {
1904
2044
  return async (e) => {
1905
2045
  const r = E.next();
1906
2046
  return F(e, r);
1907
2047
  };
1908
2048
  }
1909
- function st(e, r = {}) {
2049
+ function ut(e, r = {}) {
1910
2050
  const {
1911
2051
  protectedRoutes: t = [],
1912
2052
  publicRoutes: n = [],
1913
2053
  redirectTo: s = "/login",
1914
- redirectIfAuthenticated: i
2054
+ redirectIfAuthenticated: o
1915
2055
  } = r;
1916
- return async (o) => {
1917
- const { pathname: a } = o.nextUrl, f = t.some((g) => a.startsWith(g));
2056
+ return async (i) => {
2057
+ const { pathname: a } = i.nextUrl, u = t.some((w) => a.startsWith(w));
1918
2058
  let l = null;
1919
2059
  try {
1920
2060
  l = await e.getSession();
1921
- } catch (g) {
1922
- console.error("Middleware: Failed to get session:", g);
2061
+ } catch (w) {
2062
+ console.error("Middleware: Failed to get session:", w);
1923
2063
  }
1924
- if (f && !l) {
1925
- const g = o.nextUrl.clone();
1926
- return g.pathname = s, g.searchParams.set("callbackUrl", a), E.redirect(g);
2064
+ if (u && !l) {
2065
+ const w = i.nextUrl.clone();
2066
+ return w.pathname = s, w.searchParams.set("callbackUrl", a), E.redirect(w);
1927
2067
  }
1928
- if (i && l && (a.startsWith("/login") || a.startsWith("/register"))) {
1929
- const A = o.nextUrl.clone();
1930
- A.pathname = i;
1931
- const S = E.redirect(A);
1932
- return F(o, S);
2068
+ if (o && l && (a.startsWith("/login") || a.startsWith("/register"))) {
2069
+ const R = i.nextUrl.clone();
2070
+ R.pathname = o;
2071
+ const S = E.redirect(R);
2072
+ return F(i, S);
1933
2073
  }
1934
- const w = E.next();
1935
- return F(o, w);
2074
+ const g = E.next();
2075
+ return F(i, g);
1936
2076
  };
1937
2077
  }
1938
- async function it(e, r) {
2078
+ async function lt(e, r) {
1939
2079
  var t;
1940
2080
  try {
1941
2081
  const n = await e.getSession();
@@ -1944,46 +2084,46 @@ async function it(e, r) {
1944
2084
  return !1;
1945
2085
  }
1946
2086
  }
1947
- function ot(e) {
2087
+ function ft(e) {
1948
2088
  const {
1949
2089
  auth: r,
1950
2090
  protectedRoutes: t = [],
1951
2091
  publicRoutes: n = [],
1952
2092
  redirectTo: s = "/login",
1953
- redirectIfAuthenticated: i,
1954
- apiPrefix: o = "/api/auth"
2093
+ redirectIfAuthenticated: o,
2094
+ apiPrefix: i = "/api/auth"
1955
2095
  } = e;
1956
2096
  return async (a) => {
1957
- const { pathname: f } = a.nextUrl;
1958
- if (f.startsWith(o)) {
1959
- const A = E.next();
1960
- return F(a, A);
2097
+ const { pathname: u } = a.nextUrl;
2098
+ if (u.startsWith(i)) {
2099
+ const R = E.next();
2100
+ return F(a, R);
1961
2101
  }
1962
- const l = t.some((A) => f.startsWith(A));
1963
- let w = null;
1964
- if (l || i)
2102
+ const l = t.some((R) => u.startsWith(R));
2103
+ let g = null;
2104
+ if (l || o)
1965
2105
  try {
1966
- w = await r.getSession();
1967
- } catch (A) {
1968
- console.error("Middleware: Failed to get session:", A);
2106
+ g = await r.getSession();
2107
+ } catch (R) {
2108
+ console.error("Middleware: Failed to get session:", R);
1969
2109
  }
1970
- if (l && !w) {
1971
- const A = a.nextUrl.clone();
1972
- A.pathname = s, A.searchParams.set("callbackUrl", f);
1973
- const S = E.redirect(A);
2110
+ if (l && !g) {
2111
+ const R = a.nextUrl.clone();
2112
+ R.pathname = s, R.searchParams.set("callbackUrl", u);
2113
+ const S = E.redirect(R);
1974
2114
  return F(a, S);
1975
2115
  }
1976
- if (i && w && (f.startsWith("/login") || f.startsWith("/register"))) {
2116
+ if (o && g && (u.startsWith("/login") || u.startsWith("/register"))) {
1977
2117
  const S = a.nextUrl.clone();
1978
- S.pathname = i;
2118
+ S.pathname = o;
1979
2119
  const v = E.redirect(S);
1980
2120
  return F(a, v);
1981
2121
  }
1982
- const g = E.next();
1983
- return F(a, g);
2122
+ const w = E.next();
2123
+ return F(a, w);
1984
2124
  };
1985
2125
  }
1986
- async function at(e, r) {
2126
+ async function dt(e, r) {
1987
2127
  var t;
1988
2128
  try {
1989
2129
  const n = await e.getSession();
@@ -1993,87 +2133,90 @@ async function at(e, r) {
1993
2133
  }
1994
2134
  }
1995
2135
  export {
1996
- Ie as CSRFProtection,
2136
+ Te as CSRFProtection,
1997
2137
  fe as DEFAULT_SECURITY_HEADERS,
1998
- Te as MemoryCSRFStore,
1999
- ze as MemoryOAuthStateStore,
2138
+ Oe as MemoryCSRFStore,
2139
+ qe as MemoryOAuthStateStore,
2000
2140
  le as RateLimiter,
2001
- Ir as applySecurityHeaders,
2002
- oe as buildCookieOptions,
2003
- be as buildOAuthAuthorizationUrl,
2004
- it as checkRole,
2005
- at as checkRoleProxy,
2006
- Mr as containsXSSPattern,
2007
- rt as createApiHandler,
2008
- st as createAuthMiddleware,
2009
- Dr as createCSRFProtection,
2010
- $e as createMemoryOAuthStateStore,
2011
- tt as createOAuthCallbackHandler,
2012
- ot as createProxyMiddleware,
2013
- Tr as createRateLimiter,
2014
- nt as createSecurityMiddleware,
2015
- wt as createServerAuthMiddleware,
2016
- pt as createServerHelpers,
2017
- mt as createServerUtils,
2018
- Et as createSessionManager,
2019
- ie as deleteCookie,
2020
- yt as deleteOAuthStateCookie,
2021
- Oe as escapeHTML,
2022
- Ue as exchangeOAuthCode,
2141
+ Pr as applySecurityHeaders,
2142
+ ie as buildCookieOptions,
2143
+ Ne as buildOAuthAuthorizationUrl,
2144
+ lt as checkRole,
2145
+ dt as checkRoleProxy,
2146
+ $r as containsXSSPattern,
2147
+ it as createApiHandler,
2148
+ ut as createAuthMiddleware,
2149
+ Vr as createCSRFProtection,
2150
+ We as createCookieOAuthStateStore,
2151
+ Be as createMemoryOAuthStateStore,
2152
+ tt as createNextJsCookieOAuthStateStore,
2153
+ at as createOAuthCallbackHandler,
2154
+ ft as createProxyMiddleware,
2155
+ _r as createRateLimiter,
2156
+ nt as createRedisOAuthStateStore,
2157
+ ct as createSecurityMiddleware,
2158
+ kt as createServerAuthMiddleware,
2159
+ vt as createServerHelpers,
2160
+ St as createServerUtils,
2161
+ At as createSessionManager,
2162
+ oe as deleteCookie,
2163
+ Rt as deleteOAuthStateCookie,
2164
+ Ie as escapeHTML,
2165
+ be as exchangeOAuthCode,
2023
2166
  _e as generateCSRFToken,
2024
2167
  Y as generateToken,
2025
2168
  ce as getCookie,
2026
- kt as getCurrentUser,
2027
- Br as getErrorCode,
2028
- qr as getErrorMessage,
2029
- vt as getOAuthStateCookie,
2169
+ Ot as getCurrentUser,
2170
+ Kr as getErrorCode,
2171
+ Gr as getErrorMessage,
2172
+ Tt as getOAuthStateCookie,
2030
2173
  Fe as getOAuthUserInfo,
2031
2174
  j as getProviderMetadata,
2032
2175
  H as getSecurityHeaders,
2033
- St as getServerSession,
2034
- Rt as getSessionTimeUntilExpiry,
2035
- Xr as getUserFriendlyError,
2036
- Gr as hasErrorCode,
2176
+ It as getServerSession,
2177
+ _t as getSessionTimeUntilExpiry,
2178
+ Qr as getUserFriendlyError,
2179
+ Jr as hasErrorCode,
2037
2180
  Ce as isAuthError,
2038
- Hr as isAuthSuccess,
2039
- Qr as isOAuthProviderConfig,
2040
- Kr as isRetryableError,
2041
- At as isSessionExpiredNullable,
2042
- Tt as isSessionExpiringSoon,
2043
- It as isSessionValid,
2044
- Yr as isSupportedProvider,
2045
- Wr as isTwoFactorRequired,
2046
- jr as isValidCSRFToken,
2047
- $r as isValidEmail,
2048
- xr as isValidInput,
2049
- Cr as isValidName,
2050
- _r as isValidPassword,
2051
- Fr as isValidToken,
2052
- Ur as isValidURL,
2053
- Zr as mulguard,
2054
- Ot as refreshSession,
2055
- _t as requireAuth,
2056
- Pt as requireRole,
2057
- Ct as requireServerAuthMiddleware,
2058
- bt as requireServerRoleMiddleware,
2059
- Lr as sanitizeHTML,
2060
- zr as sanitizeInput,
2061
- Vr as sanitizeUserInput,
2181
+ Xr as isAuthSuccess,
2182
+ rt as isOAuthProviderConfig,
2183
+ Yr as isRetryableError,
2184
+ Pt as isSessionExpiredNullable,
2185
+ Ct as isSessionExpiringSoon,
2186
+ Nt as isSessionValid,
2187
+ et as isSupportedProvider,
2188
+ Hr as isTwoFactorRequired,
2189
+ Wr as isValidCSRFToken,
2190
+ Br as isValidEmail,
2191
+ Mr as isValidInput,
2192
+ Ur as isValidName,
2193
+ Nr as isValidPassword,
2194
+ Lr as isValidToken,
2195
+ xr as isValidURL,
2196
+ st as mulguard,
2197
+ bt as refreshSession,
2198
+ Ut as requireAuth,
2199
+ Ft as requireRole,
2200
+ xt as requireServerAuthMiddleware,
2201
+ Dt as requireServerRoleMiddleware,
2202
+ jr as sanitizeHTML,
2203
+ qr as sanitizeInput,
2204
+ zr as sanitizeUserInput,
2062
2205
  ae as setCookie,
2063
- Jr as signIn,
2064
- lt as signInEmailAction,
2065
- ft as signOutAction,
2066
- dt as signUpAction,
2067
- Ut as storeOAuthStateCookie,
2068
- et as toNextJsHandler,
2206
+ Zr as signIn,
2207
+ wt as signInEmailAction,
2208
+ pt as signOutAction,
2209
+ mt as signUpAction,
2210
+ Lt as storeOAuthStateCookie,
2211
+ ot as toNextJsHandler,
2069
2212
  G as validateAndSanitizeEmail,
2070
2213
  X as validateAndSanitizeInput,
2071
- Pr as validateAndSanitizeName,
2072
- Or as validateAndSanitizePassword,
2214
+ br as validateAndSanitizeName,
2215
+ Cr as validateAndSanitizePassword,
2073
2216
  Q as validateCSRFToken,
2074
- N as validateSessionStructure,
2075
- Nr as validateToken,
2076
- br as validateURL,
2077
- ht as verify2FAAction,
2217
+ U as validateSessionStructure,
2218
+ Dr as validateToken,
2219
+ Fr as validateURL,
2220
+ Et as verify2FAAction,
2078
2221
  F as withSecurityHeaders
2079
2222
  };