npm - mulguard - Versions diffs - 1.1.4 → 1.1.5 - Mend

mulguard 1.1.4 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/core/auth/oauth-state-store-cookie.d.ts +83 -0
package/dist/core/auth/oauth-state-store.d.ts +1 -0
package/dist/index/index.js +1 -1
package/dist/index/index.mjs +604 -504
package/dist/mulguard.d.ts +8 -0
package/dist/server/oauth-state.d.ts +6 -0
package/package.json +1 -1

package/dist/index/index.mjs CHANGED Viewed

@@ -1,10 +1,10 @@
 var ne = Object.defineProperty;
 var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
-var U = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
-import { A as m, d as ie, e as oe, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
-import { a as ft, s as dt, b as ht, v as gt } from "../actions-DeCfLtHA.mjs";
-import { v as N } from "../oauth-state-LE-qeq-K.mjs";
-import { c as pt, p as mt, k as Et, n as yt, m as kt, j as vt, l as St, e as Rt, g as At, b as Ot, i as Tt, a as It, o as _t, f as Pt, h as Ct, r as bt, d as Ut, s as Nt } from "../oauth-state-LE-qeq-K.mjs";
+var b = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
+import { A as m, d as oe, e as ie, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
+import { a as wt, s as pt, b as mt, v as Et } from "../actions-DeCfLtHA.mjs";
+import { v as U } from "../oauth-state-LE-qeq-K.mjs";
+import { c as kt, p as vt, k as St, n as At, m as Rt, j as Ot, l as Tt, e as It, g as _t, b as Pt, i as Ct, a as Nt, o as bt, f as Ut, h as Ft, r as xt, d as Dt, s as Lt } from "../oauth-state-LE-qeq-K.mjs";
 import { NextResponse as E } from "next/server";
 const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
@@ -17,8 +17,8 @@ function ue(e = 32) {
 }
 class le {
   constructor(r) {
-    U(this, "attempts", /* @__PURE__ */ new Map());
-    U(this, "config");
+    b(this, "attempts", /* @__PURE__ */ new Map());
+    b(this, "config");
     this.config = r;
   }
   /**
@@ -56,7 +56,7 @@ class le {
     this.attempts.clear();
   }
 }
-function Or(e) {
+function _r(e) {
   return new le(e);
 }
 const fe = {
@@ -74,7 +74,7 @@ function H(e) {
     ...e
   };
 }
-function Tr(e, r) {
+function Pr(e, r) {
   const t = H(r);
   for (const [n, s] of Object.entries(t))
     s && e.set(n, s);
@@ -112,7 +112,7 @@ const ge = /* @__PURE__ */ new Set([
   "guest",
   "user"
 ]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
-function Ir(e, r = pe) {
+function Cr(e, r = pe) {
   if (typeof e != "string" || !e)
     return { valid: !1, error: "Password is required" };
   if (e.length < r)
@@ -133,11 +133,11 @@ function Ee(e) {
   let r = 0;
   return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
 }
-function _r(e) {
+function Nr(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
 const ye = 100;
-function Pr(e) {
+function br(e) {
   if (typeof e != "string" || !e)
     return { valid: !1, error: "Name is required" };
   const r = e.trim();
@@ -148,11 +148,11 @@ function Pr(e) {
   const t = r.replace(/[<>"']/g, "");
   return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
 }
-function Cr(e) {
+function Ur(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
 const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
-function br(e) {
+function Fr(e) {
   if (typeof e != "string" || !e)
     return { valid: !1, error: "URL is required" };
   try {
@@ -162,32 +162,32 @@ function br(e) {
     return { valid: !1, error: "Invalid URL format" };
   }
 }
-function Ur(e) {
+function xr(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
-const ve = 16, Se = 512, Re = /^[A-Za-z0-9_-]+$/;
-function Nr(e, r = ve) {
-  return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Re.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
+const ve = 16, Se = 512, Ae = /^[A-Za-z0-9_-]+$/;
+function Dr(e, r = ve) {
+  return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Ae.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
 }
-function Fr(e) {
+function Lr(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
-const Ae = 1e3;
+const Re = 1e3;
 function X(e, r) {
-  const { maxLength: t = Ae, allowHtml: n = !1, required: s = !0 } = r ?? {};
+  const { maxLength: t = Re, allowHtml: n = !1, required: s = !0 } = r ?? {};
   if (s && (typeof e != "string" || !e || e.trim().length === 0))
     return { valid: !1, error: "Input is required" };
   if (typeof e != "string" || !e)
     return { valid: !0, sanitized: "" };
-  let i = e.trim();
-  return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
+  let o = e.trim();
+  return o.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (o = o.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), o = o.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: o });
 }
-function xr(e) {
+function Mr(e) {
   return e.valid === !0 && e.sanitized !== void 0;
 }
 class Oe {
   constructor() {
-    U(this, "tokens", /* @__PURE__ */ new Map());
+    b(this, "tokens", /* @__PURE__ */ new Map());
   }
   get(r) {
     const t = this.tokens.get(r);
@@ -208,8 +208,8 @@ class Oe {
 }
 class Te {
   constructor(r, t = 32) {
-    U(this, "store");
-    U(this, "tokenLength");
+    b(this, "store");
+    b(this, "tokenLength");
     this.store = r || new Oe(), this.tokenLength = t;
   }
   /**
@@ -242,7 +242,7 @@ class Te {
     this.store.delete(r);
   }
 }
-function Dr(e) {
+function Vr(e) {
   return new Te(e);
 }
 function Ie(e) {
@@ -257,13 +257,13 @@ function Ie(e) {
   };
   return e.replace(/[&<>"']/g, (t) => r[t] || t);
 }
-function Lr(e) {
+function jr(e) {
   return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
 }
-function Mr(e) {
+function zr(e) {
   return typeof e != "string" ? "" : Ie(e.trim());
 }
-function Vr(e) {
+function $r(e) {
   return typeof e != "string" ? !1 : [
     /<script/i,
     /javascript:/i,
@@ -295,35 +295,35 @@ function Q(e, r) {
     t |= e.charCodeAt(n) ^ r.charCodeAt(n);
   return t === 0;
 }
-function jr(e, r) {
+function Wr(e, r) {
   return Q(e, r);
 }
-function zr(e) {
+function qr(e) {
   return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
 }
 const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-function $r(e) {
+function Br(e) {
   return typeof e == "string" && Pe.test(e);
 }
 function Ce(e) {
   return !e.success && !!e.error;
 }
-function Wr(e) {
+function Hr(e) {
   return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
 }
-function qr(e, r) {
+function Gr(e, r) {
   return e.error ? e.error : r || "Authentication failed";
 }
-function Br(e) {
+function Kr(e) {
   return e.errorCode;
 }
-function Hr(e) {
+function Xr(e) {
   return e.success === !0 && !!e.user;
 }
-function Gr(e, r) {
+function Jr(e, r) {
   return e.errorCode === r;
 }
-function Kr(e) {
+function Yr(e) {
   if (!Ce(e)) return !1;
   const r = [
     m.NETWORK_ERROR,
@@ -332,7 +332,7 @@ function Kr(e) {
   ];
   return e.errorCode ? r.includes(e.errorCode) : !1;
 }
-function Xr(e) {
+function Qr(e) {
   if (e.error) return e.error;
   switch (e.errorCode) {
     case m.INVALID_CREDENTIALS:
@@ -360,7 +360,7 @@ function Xr(e) {
       return "An unexpected error occurred. Please try again.";
   }
 }
-async function Jr(e, r, t) {
+async function Zr(e, r, t) {
   return e.signIn(r, t);
 }
 const Z = {
@@ -396,31 +396,31 @@ const Z = {
 function j(e) {
   return Z[e] ?? null;
 }
-function Yr(e) {
+function et(e) {
   return e in Z;
 }
-function be(e, r, t, n) {
+function Ne(e, r, t, n) {
   const s = j(e);
   if (!s)
     throw new Error(`Unknown OAuth provider: ${e}`);
   if (!r.clientId)
     throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
+  const o = r.redirectUri ?? `${t}/api/auth/callback/${e}`, i = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
     client_id: r.clientId,
-    redirect_uri: i,
+    redirect_uri: o,
     response_type: "code",
-    scope: Array.isArray(o) ? o.join(" ") : String(o),
+    scope: Array.isArray(i) ? i.join(" ") : String(i),
     state: n
   });
   if (s.defaultParams)
-    for (const [l, f] of Object.entries(s.defaultParams))
-      a.append(l, f);
+    for (const [u, l] of Object.entries(s.defaultParams))
+      a.append(u, l);
   if (r.params)
-    for (const [l, f] of Object.entries(r.params))
-      a.set(l, f);
+    for (const [u, l] of Object.entries(r.params))
+      a.set(u, l);
   return `${s.authorizationUrl}?${a.toString()}`;
 }
-async function Ue(e, r, t, n) {
+async function be(e, r, t, n) {
   const s = j(e);
   if (!s)
     throw new Error(`Unknown OAuth provider: ${e}`);
@@ -428,41 +428,41 @@ async function Ue(e, r, t, n) {
     throw new Error("Authorization code is required");
   if (!r.clientId)
     throw new Error(`OAuth provider "${e}" is missing clientId`);
-  const i = new URLSearchParams({
+  const o = new URLSearchParams({
     client_id: r.clientId,
     code: t,
     redirect_uri: n,
     grant_type: "authorization_code"
   });
-  r.clientSecret && i.append("client_secret", r.clientSecret);
+  r.clientSecret && o.append("client_secret", r.clientSecret);
   try {
-    const o = await fetch(s.tokenUrl, {
+    const i = await fetch(s.tokenUrl, {
       method: "POST",
       headers: {
         "Content-Type": "application/x-www-form-urlencoded",
         Accept: "application/json"
       },
-      body: i.toString()
+      body: o.toString()
     });
-    if (!o.ok) {
-      const l = await o.text();
-      let f = `Failed to exchange code for tokens: ${l}`;
+    if (!i.ok) {
+      const u = await i.text();
+      let l = `Failed to exchange code for tokens: ${u}`;
       try {
-        const w = JSON.parse(l);
-        f = w.error_description ?? w.error ?? f;
+        const g = JSON.parse(u);
+        l = g.error_description ?? g.error ?? l;
       } catch {
       }
-      throw new Error(f);
+      throw new Error(l);
     }
-    const a = await o.json();
-    if (!Ne(a))
+    const a = await i.json();
+    if (!Ue(a))
       throw new Error("Invalid token exchange response format");
     return a;
-  } catch (o) {
-    throw o instanceof Error ? o : new Error(`OAuth token exchange failed: ${String(o)}`);
+  } catch (i) {
+    throw i instanceof Error ? i : new Error(`OAuth token exchange failed: ${String(i)}`);
   }
 }
-function Ne(e) {
+function Ue(e) {
   return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
 }
 async function Fe(e, r) {
@@ -479,14 +479,14 @@ async function Fe(e, r) {
       }
     });
     if (!n.ok) {
-      const i = await n.text();
-      let o = `Failed to fetch user info: ${i}`;
+      const o = await n.text();
+      let i = `Failed to fetch user info: ${o}`;
       try {
-        const a = JSON.parse(i);
-        o = a.error_description ?? a.error ?? o;
+        const a = JSON.parse(o);
+        i = a.error_description ?? a.error ?? i;
       } catch {
       }
-      throw new Error(o);
+      throw new Error(i);
     }
     const s = await n.json();
     return xe(e, s, r);
@@ -526,8 +526,8 @@ async function Le(e, r) {
         headers: { Authorization: `Bearer ${r}` }
       });
       if (s.ok) {
-        const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
-        t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
+        const o = await s.json(), i = o.find((a) => a.primary) ?? o[0];
+        t = (i == null ? void 0 : i.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: o };
       } else
         t = `${String(e.login ?? "user")}@users.noreply.github.com`;
     } catch {
@@ -574,12 +574,100 @@ function je(e) {
     rawProfile: e
   };
 }
-function Qr(e) {
+function rt(e) {
   return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
 }
-class ze {
+const ze = "__mulguard_oauth_state", $e = 10 * 60 * 1e3;
+function We(e) {
+  const r = e.cookieName || ze, t = e.ttl || $e, n = process.env.NODE_ENV === "production", s = e.secure ?? n, o = e.sameSite || "strict", i = e.cookieHandler, a = (u) => ({
+    httpOnly: !0,
+    secure: s,
+    sameSite: o,
+    maxAge: Math.floor(u / 1e3),
+    // Convert to seconds
+    path: "/"
+  });
+  return {
+    async set(u, l, g) {
+      const w = JSON.stringify({
+        state: u,
+        provider: l.provider,
+        expiresAt: l.expiresAt
+      });
+      await Promise.resolve(
+        i.setCookie(r, w, a(t))
+      );
+    },
+    async get(u) {
+      const l = await Promise.resolve(i.getCookie(r));
+      if (!l)
+        return null;
+      try {
+        const g = JSON.parse(l);
+        return g.state !== u ? null : g.expiresAt < Date.now() ? (await Promise.resolve(
+          i.deleteCookie(r, { path: "/" })
+        ), null) : {
+          provider: g.provider,
+          expiresAt: g.expiresAt
+        };
+      } catch {
+        return await Promise.resolve(
+          i.deleteCookie(r, { path: "/" })
+        ), null;
+      }
+    },
+    async delete(u) {
+      await this.get(u) && await Promise.resolve(
+        i.deleteCookie(r, { path: "/" })
+      );
+    },
+    async cleanup() {
+    }
+  };
+}
+function tt() {
+  return We({
+    cookieHandler: {
+      async getCookie(e) {
+        var r;
+        try {
+          const { cookies: t } = await import("next/headers");
+          return ((r = (await t()).get(e)) == null ? void 0 : r.value) || null;
+        } catch {
+          return null;
+        }
+      },
+      async setCookie(e, r, t) {
+        try {
+          const { cookies: n } = await import("next/headers");
+          (await n()).set(e, r, {
+            httpOnly: t.httpOnly ?? !0,
+            secure: t.secure ?? process.env.NODE_ENV === "production",
+            sameSite: t.sameSite || "strict",
+            maxAge: t.maxAge,
+            path: t.path || "/"
+          });
+        } catch (n) {
+          console.warn("[Mulguard] Failed to set OAuth state cookie:", n);
+        }
+      },
+      async deleteCookie(e, r) {
+        try {
+          const { cookies: t } = await import("next/headers");
+          (await t()).set(e, "", {
+            maxAge: 0,
+            expires: /* @__PURE__ */ new Date(0),
+            path: (r == null ? void 0 : r.path) || "/"
+          });
+        } catch {
+        }
+      }
+    }
+  });
+}
+class qe {
   constructor() {
-    U(this, "states", /* @__PURE__ */ new Map());
+    b(this, "states", /* @__PURE__ */ new Map());
   }
   set(r, t, n) {
     this.states.set(r, t), this.cleanup();
@@ -597,25 +685,25 @@ class ze {
       n.expiresAt < r && this.states.delete(t);
   }
 }
-function $e() {
-  return new ze();
+function Be() {
+  return new qe();
 }
-function Zr(e, r = "mulguard:oauth:state:") {
+function nt(e, r = "mulguard:oauth:state:") {
   const t = (s) => `${r}${s}`, n = async (s) => {
-    const i = t(s);
-    await e.del(i);
+    const o = t(s);
+    await e.del(o);
   };
   return {
-    async set(s, i, o) {
-      const a = t(s), l = JSON.stringify(i);
-      await e.set(a, l, "EX", Math.floor(o / 1e3));
+    async set(s, o, i) {
+      const a = t(s), u = JSON.stringify(o);
+      await e.set(a, u, "EX", Math.floor(i / 1e3));
     },
     async get(s) {
-      const i = t(s), o = await e.get(i);
-      if (!o)
+      const o = t(s), i = await e.get(o);
+      if (!i)
         return null;
       try {
-        const a = JSON.parse(o);
+        const a = JSON.parse(i);
         return a.expiresAt < Date.now() ? (await n(s), null) : a;
       } catch {
         return await n(s), null;
@@ -626,14 +714,14 @@ function Zr(e, r = "mulguard:oauth:state:") {
     },
     async cleanup() {
       try {
-        const s = await e.keys(`${r}*`), i = Date.now();
-        for (const o of s) {
-          const a = await e.get(o);
+        const s = await e.keys(`${r}*`), o = Date.now();
+        for (const i of s) {
+          const a = await e.get(i);
           if (a)
             try {
-              JSON.parse(a).expiresAt < i && await e.del(o);
+              JSON.parse(a).expiresAt < o && await e.del(i);
             } catch {
-              await e.del(o);
+              await e.del(i);
             }
         }
       } catch (s) {
@@ -646,92 +734,92 @@ function D(e) {
   return e.success === !0 && e.user !== void 0 && e.session !== void 0;
 }
 var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
-const We = process.env.NODE_ENV === "development" ? 0 : 1;
-function qe(e = {}) {
+const He = process.env.NODE_ENV === "development" ? 0 : 1;
+function Ge(e = {}) {
   const {
     enabled: r = process.env.NODE_ENV === "development",
-    level: t = We,
+    level: t = He,
     context: n,
-    formatter: s = Be
-  } = e, i = (a) => r && a >= t, o = (a, l, f, w) => ({
+    formatter: s = Ke
+  } = e, o = (a) => r && a >= t, i = (a, u, l, g) => ({
     level: a,
-    message: l,
+    message: u,
     timestamp: /* @__PURE__ */ new Date(),
     context: n,
-    data: f ? He(f) : void 0,
-    error: w
+    data: l ? Xe(l) : void 0,
+    error: g
   });
   return {
-    debug: (a, l) => {
-      if (i(
+    debug: (a, u) => {
+      if (o(
         0
         /* DEBUG */
       )) {
-        const f = o(0, a, l);
-        console.debug(s(f));
+        const l = i(0, a, u);
+        console.debug(s(l));
       }
     },
-    info: (a, l) => {
-      if (i(
+    info: (a, u) => {
+      if (o(
         1
         /* INFO */
       )) {
-        const f = o(1, a, l);
-        console.info(s(f));
+        const l = i(1, a, u);
+        console.info(s(l));
       }
     },
-    warn: (a, l) => {
-      if (i(
+    warn: (a, u) => {
+      if (o(
         2
         /* WARN */
       )) {
-        const f = o(2, a, l);
-        console.warn(s(f));
+        const l = i(2, a, u);
+        console.warn(s(l));
       }
     },
-    error: (a, l) => {
-      if (i(
+    error: (a, u) => {
+      if (o(
         3
         /* ERROR */
       )) {
-        const f = l instanceof Error ? l : void 0, w = l instanceof Error ? void 0 : l, g = o(3, a, w, f);
-        console.error(s(g)), f && console.error(f);
+        const l = u instanceof Error ? u : void 0, g = u instanceof Error ? void 0 : u, w = i(3, a, g, l);
+        console.error(s(w)), l && console.error(l);
       }
     }
   };
 }
-function Be(e) {
+function Ke(e) {
   const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
   return `${r} [${t}]${n} ${e.message}${s}`;
 }
-function He(e) {
+function Xe(e) {
   const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
   for (const [n, s] of Object.entries(e))
     if (r.has(n.toLowerCase()))
       t[n] = "***REDACTED***";
     else if (typeof s == "string" && n.toLowerCase().includes("email")) {
-      const i = s.split("@");
-      if (i.length === 2 && i[0]) {
-        const o = i[0].substring(0, 3) + "***@" + i[1];
-        t[n] = o;
+      const o = s.split("@");
+      if (o.length === 2 && o[0]) {
+        const i = o[0].substring(0, 3) + "***@" + o[1];
+        t[n] = i;
       } else
         t[n] = s;
     } else
       t[n] = s;
   return t;
 }
-const I = qe();
-function Ge(e, r, t, n = {}) {
+const I = Ge();
+function Je(e, r, t, n = {}) {
   const {
     enabled: s = !0,
-    maxRetries: i = 1,
-    retryDelay: o = 1e3,
+    maxRetries: o = 1,
+    retryDelay: i = 1e3,
     rateLimit: a = 3,
-    autoSignOutOnFailure: l = !0,
-    redirectToLogin: f = "/login",
-    autoRedirectOnFailure: w = !0
+    autoSignOutOnFailure: u = !0,
+    redirectToLogin: l = "/login",
+    autoRedirectOnFailure: g = !0
   } = n;
-  let g = null, A = !1;
+  let w = null, R = !1;
   const S = [], v = [], y = 60 * 1e3;
   let h = 0, T = !1, _ = null;
   const L = 2, M = 60 * 1e3;
@@ -751,13 +839,13 @@ function Ge(e, r, t, n = {}) {
     }
     return v.length >= a ? !1 : (v.push(k), !0);
   }
-  function u() {
+  function f() {
     h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
   }
   function d() {
     h = 0, T = !1, _ = null;
   }
-  async function R(k = 1) {
+  async function A(k = 1) {
     if (!s)
       return null;
     if (!c())
@@ -766,12 +854,12 @@ function Ge(e, r, t, n = {}) {
       const p = await e();
       if (p)
         return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
-      if (u(), k < i)
-        return await $(o * k), R(k + 1);
+      if (f(), k < o)
+        return await $(i * k), A(k + 1);
       throw new Error("Token refresh failed: refresh function returned null");
     } catch (p) {
-      if (u(), k < i && C(p))
-        return await $(o * k), R(k + 1);
+      if (f(), k < o && C(p))
+        return await $(i * k), A(k + 1);
       throw p;
     }
   }
@@ -788,25 +876,25 @@ function Ge(e, r, t, n = {}) {
   function P(k) {
     const p = [...S];
     S.length = 0;
-    for (const { resolve: b } of p)
-      b(k);
+    for (const { resolve: N } of p)
+      N(k);
   }
   function z(k) {
     const p = [...S];
     S.length = 0;
-    for (const { reject: b } of p)
-      b(k);
+    for (const { reject: N } of p)
+      N(k);
   }
   function $(k) {
     return new Promise((p) => setTimeout(p, k));
   }
   async function W(k) {
     try {
-      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), l && (await t(), await r(), w && typeof window < "u")) {
+      if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), u && (await t(), await r(), g && typeof window < "u")) {
         let p = !0;
         if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
-          const b = new URL(f, window.location.origin);
-          b.searchParams.set("reason", "session_expired"), b.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = b.toString();
+          const N = new URL(l, window.location.origin);
+          N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
         }
       }
     } catch (p) {
@@ -818,22 +906,22 @@ function Ge(e, r, t, n = {}) {
      * Refresh token with single refresh queue
      */
     async refreshToken() {
-      return s ? g || (A = !0, g = R().then((k) => (A = !1, g = null, k)).catch((k) => {
-        throw A = !1, g = null, z(k), W(k).catch(() => {
+      return s ? w || (R = !0, w = A().then((k) => (R = !1, w = null, k)).catch((k) => {
+        throw R = !1, w = null, z(k), W(k).catch(() => {
         }), k;
-      }), g) : null;
+      }), w) : null;
     },
     /**
      * Check if refresh is in progress
      */
     isRefreshing() {
-      return A;
+      return R;
     },
     /**
      * Wait for current refresh to complete
      */
     async waitForRefresh() {
-      return g ? new Promise((k, p) => {
+      return w ? new Promise((k, p) => {
         S.push({ resolve: k, reject: p });
       }) : null;
     },
@@ -841,7 +929,7 @@ function Ge(e, r, t, n = {}) {
      * Clear state
      */
     clear() {
-      g = null, A = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
+      w = null, R = !1, v.length = 0, d(), z(new Error("Token refresh manager cleared"));
     },
     /**
      * Handle token refresh failure
@@ -851,7 +939,7 @@ function Ge(e, r, t, n = {}) {
     }
   };
 }
-function Ke() {
+function Ye() {
   const e = process.env.NODE_ENV === "production";
   return {
     cookieName: "__mulguard_session",
@@ -864,7 +952,7 @@ function Ke() {
     path: "/"
   };
 }
-function Xe() {
+function Qe() {
   return {
     enabled: !0,
     refreshThreshold: 300,
@@ -879,90 +967,90 @@ function Xe() {
     autoRedirectOnFailure: !0
   };
 }
-function Je() {
+function Ze() {
   return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
 }
-function Ye(e) {
-  const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
+function er(e) {
+  const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: o } = e, i = r.cookieName ?? "__mulguard_session";
   let a = null;
-  const l = async () => {
+  const u = async () => {
     const y = Date.now();
     if (a && y - a.timestamp < t)
       return a.session;
     if (n)
       try {
         const h = await n();
-        if (h && N(h))
+        if (h && U(h))
           return a = { session: h, timestamp: y }, h;
-        h && !N(h) && (await w(), a = null);
+        h && !U(h) && (await g(), a = null);
       } catch (h) {
-        I.debug("getSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
+        I.debug("getSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
       }
     try {
-      const h = await ce(o);
+      const h = await ce(i);
       if (h)
         try {
           const T = JSON.parse(h);
-          if (N(T))
-            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await w(), a = null, null) : (a = { session: T, timestamp: y }, T);
-          await w(), a = null;
+          if (U(T))
+            return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await g(), a = null, null) : (a = { session: T, timestamp: y }, T);
+          await g(), a = null;
         } catch {
-          await w(), a = null;
+          await g(), a = null;
         }
     } catch (h) {
       const T = h instanceof Error ? h.message : String(h);
-      !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), i && await i(
+      !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), o && await o(
         h instanceof Error ? h : new Error(String(h)),
         "getSession.cookie"
       ));
     }
     return null;
-  }, f = async (y) => {
-    if (!N(y))
+  }, l = async (y) => {
+    if (!U(y))
       return {
         success: !1,
         error: "Invalid session structure"
       };
     try {
-      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = oe(o, h, r), _ = await ae(T);
+      const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = ie(i, h, r), _ = await ae(T);
       return _.success && (a = { session: y, timestamp: Date.now() }), _;
     } catch (h) {
       const T = h instanceof Error ? h.message : "Failed to set session";
-      return I.error("setSession error", { error: h }), i && await i(h instanceof Error ? h : new Error(String(h)), "setSession"), {
+      return I.error("setSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "setSession"), {
         success: !1,
         error: T
       };
     }
-  }, w = async () => {
+  }, g = async () => {
     try {
-      await ie(o, {
+      await oe(i, {
         path: r.path,
         domain: r.domain
       }), a = null;
     } catch (y) {
       I.warn("clearSessionCookie error", { error: y });
     }
-  }, g = async () => {
-    const y = await l();
+  }, w = async () => {
+    const y = await u();
     return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
   };
   return {
-    getSession: l,
-    setSession: f,
-    clearSessionCookie: w,
-    getAccessToken: g,
+    getSession: u,
+    setSession: l,
+    clearSessionCookie: g,
+    getAccessToken: w,
     getRefreshToken: async () => {
-      const y = await l();
+      const y = await u();
       return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
     },
-    hasValidTokens: async () => !!await g(),
+    hasValidTokens: async () => !!await w(),
     clearCache: () => {
       a = null;
     },
-    getSessionConfig: () => ({ cookieName: o, config: r })
+    getSessionConfig: () => ({ cookieName: i, config: r })
   };
 }
-function Qe(e) {
+function rr(e) {
   return async (r) => {
     try {
       if (!r || typeof r != "object")
@@ -1002,8 +1090,8 @@ function Qe(e) {
         // Don't sanitize password (needed for hashing)
       }, s = await e.actions.signIn.email(n);
       if (D(s)) {
-        const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
+        const o = await e.saveSessionAfterAuth(s);
+        !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
       }
       return s.success ? I.info("Sign in successful", {
         email: n.email.substring(0, 3) + "***"
@@ -1024,7 +1112,7 @@ function Qe(e) {
     }
   };
 }
-function Ze(e, r) {
+function tr(e, r) {
   return async (t) => {
     if (!t || typeof t != "string")
       throw new Error("Provider is required");
@@ -1040,11 +1128,11 @@ function Ze(e, r) {
       throw new Error(
         "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
       );
-    const i = await e.actions.signIn.oauth(s);
-    return await r(i.state, s), I.info("OAuth sign in initiated", { provider: s }), i;
+    const o = await e.actions.signIn.oauth(s);
+    return await r(o.state, s), I.info("OAuth sign in initiated", { provider: s }), o;
   };
 }
-function er(e) {
+function nr(e) {
   return async (r, t) => {
     if (!r || typeof r != "string")
       return {
@@ -1074,8 +1162,8 @@ function er(e) {
     try {
       const s = await e.actions.signIn.otp(n.sanitized, t);
       if (D(s)) {
-        const i = await e.saveSessionAfterAuth(s);
-        !i.success && i.warning && I.warn("Session save warning", { warning: i.warning });
+        const o = await e.saveSessionAfterAuth(s);
+        !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
       }
       return s.success ? I.info("OTP sign in successful", {
         email: n.sanitized.substring(0, 3) + "***"
@@ -1097,7 +1185,7 @@ function er(e) {
     }
   };
 }
-function rr(e) {
+function sr(e) {
   return async (r) => {
     if (!e.actions.signIn.passkey)
       throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
@@ -1119,38 +1207,38 @@ function rr(e) {
     }
   };
 }
-function tr(e, r) {
-  const t = Qe(e), n = Ze(e, r), s = er(e), i = rr(e);
-  return Object.assign(async (l, f) => {
-    if (!l || typeof l != "string")
+function or(e, r) {
+  const t = rr(e), n = tr(e, r), s = nr(e), o = sr(e);
+  return Object.assign(async (u, l) => {
+    if (!u || typeof u != "string")
       throw new Error("Provider is required");
-    const w = X(l, {
+    const g = X(u, {
       maxLength: 50,
       allowHtml: !1,
       required: !0
     });
-    if (!w.valid || !w.sanitized)
+    if (!g.valid || !g.sanitized)
       throw new Error("Invalid provider");
-    const g = w.sanitized.toLowerCase();
-    if (g === "google" || g === "github" || g === "apple" || g === "facebook" || typeof g == "string" && !["credentials", "otp", "passkey"].includes(g))
-      return n(g);
-    if (g === "credentials")
-      return !f || !("email" in f) || !("password" in f) ? {
+    const w = g.sanitized.toLowerCase();
+    if (w === "google" || w === "github" || w === "apple" || w === "facebook" || typeof w == "string" && !["credentials", "otp", "passkey"].includes(w))
+      return n(w);
+    if (w === "credentials")
+      return !l || !("email" in l) || !("password" in l) ? {
         success: !1,
         error: "Credentials are required",
         errorCode: m.VALIDATION_ERROR
-      } : t(f);
-    if (g === "otp") {
-      if (!f || !("email" in f))
+      } : t(l);
+    if (w === "otp") {
+      if (!l || !("email" in l))
         return {
           success: !1,
           error: "Email is required",
           errorCode: m.VALIDATION_ERROR
         };
-      const A = f;
-      return s(A.email, A.code);
+      const R = l;
+      return s(R.email, R.code);
     }
-    return g === "passkey" ? i(f) : {
+    return w === "passkey" ? o(l) : {
       success: !1,
       error: "Invalid provider",
       errorCode: m.VALIDATION_ERROR
@@ -1158,11 +1246,11 @@ function tr(e, r) {
   }, {
     email: t,
     oauth: e.actions.signIn.oauth ? n : void 0,
-    passkey: e.actions.signIn.passkey ? i : void 0,
+    passkey: e.actions.signIn.passkey ? o : void 0,
     otp: e.actions.signIn.otp ? s : void 0
   });
 }
-function nr(e) {
+function ir(e) {
   return async (r) => {
     if (!e.actions.signUp)
       throw new Error("Sign up is not configured. Provide signUp action in config.");
@@ -1184,22 +1272,22 @@ function nr(e) {
     }
   };
 }
-function sr(e, r) {
+function ar(e, r) {
   return async (t, n, s) => {
-    const i = e.oauthProviders[t];
-    if (!i)
+    const o = e.oauthProviders[t];
+    if (!o)
       return {
         success: !1,
         error: `OAuth provider "${t}" is not configured`,
         errorCode: m.VALIDATION_ERROR
       };
     try {
-      const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await Ue(t, i, n, o), l = await Fe(t, a.access_token), f = {
-        id: l.id,
-        email: l.email,
-        name: l.name,
-        avatar: l.avatar,
-        emailVerified: l.emailVerified,
+      const i = o.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await be(t, o, n, i), u = await Fe(t, a.access_token), l = {
+        id: u.id,
+        email: u.email,
+        name: u.name,
+        avatar: u.avatar,
+        emailVerified: u.emailVerified,
         provider: t,
         accessToken: a.access_token,
         refreshToken: a.refresh_token,
@@ -1210,36 +1298,36 @@ function sr(e, r) {
           token_type: a.token_type,
           id_token: a.id_token
         },
-        rawProfile: l.rawProfile
+        rawProfile: u.rawProfile
       };
       if (e.callbacks.onOAuthUser) {
-        const w = await q(
+        const g = await q(
           e.callbacks.onOAuthUser,
-          [f, t],
+          [l, t],
           e.onError
         );
-        if (!w)
+        if (!g)
           return {
             success: !1,
             error: "Failed to create or retrieve user",
             errorCode: m.VALIDATION_ERROR
           };
-        const g = e.createSession(w, f, a);
-        return await e.saveSession(g), e.callbacks.onSignIn && await q(
+        const w = e.createSession(g, l, a);
+        return await e.saveSession(w), e.callbacks.onSignIn && await q(
           e.callbacks.onSignIn,
-          [g.user, g],
+          [w.user, w],
           e.onError
-        ), { success: !0, user: g.user, session: g };
+        ), { success: !0, user: w.user, session: w };
       }
       return {
         success: !1,
         error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
         errorCode: m.VALIDATION_ERROR
       };
-    } catch (o) {
-      return I.error("OAuth callback failed", { provider: t, error: o }), {
+    } catch (i) {
+      return I.error("OAuth callback failed", { provider: t, error: i }), {
         success: !1,
-        error: o instanceof Error ? o.message : "OAuth callback failed",
+        error: i instanceof Error ? i.message : "OAuth callback failed",
         errorCode: m.NETWORK_ERROR
       };
     }
@@ -1256,62 +1344,62 @@ async function q(e, r, t) {
       ), n;
     }
 }
-function ir(e, r, t, n) {
+function cr(e, r, t, n) {
   if (Object.keys(e).length !== 0)
     return async (s) => {
-      const i = e[s];
-      if (!i)
+      const o = e[s];
+      if (!o)
         throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
-      if (!i.clientId)
+      if (!o.clientId)
         throw new Error(`OAuth provider "${s}" is missing clientId`);
-      const o = t();
-      return { url: n(s, i, r, o), state: o };
+      const i = t();
+      return { url: n(s, o, r, i), state: i };
     };
 }
-function et(e) {
+function st(e) {
   var L, M;
   const r = {
-    ...Ke(),
+    ...Ye(),
     ...e.session
-  }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, i = Je(), o = {
-    ...Xe(),
+  }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, o = Ze(), i = {
+    ...Qe(),
     ...e.tokenRefresh
-  }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, l = e.oauthStateStore || $e(), f = { ...t }, w = async (c, u) => {
+  }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, u = e.oauthStateStore || Be(), l = { ...t }, g = async (c, f) => {
     const d = {
-      provider: u,
+      provider: f,
       expiresAt: Date.now() + 6e5
       // 10 minutes
     };
-    await Promise.resolve(l.set(c, d, 10 * 60 * 1e3)), l.cleanup && await Promise.resolve(l.cleanup());
-  }, g = async (c, u) => {
-    const d = await Promise.resolve(l.get(c));
-    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(l.delete(c)), !1) : d.provider !== u ? !1 : (await Promise.resolve(l.delete(c)), !0) : !1;
-  }, A = ir(
+    await Promise.resolve(u.set(c, d, 10 * 60 * 1e3)), u.cleanup && await Promise.resolve(u.cleanup());
+  }, w = async (c, f) => {
+    const d = await Promise.resolve(u.get(c));
+    return d ? d.expiresAt < Date.now() ? (await Promise.resolve(u.delete(c)), !1) : d.provider !== f ? !1 : (await Promise.resolve(u.delete(c)), !0) : !1;
+  }, R = cr(
     s,
-    i,
+    o,
     _e,
-    be
+    Ne
   );
-  if (A && !f.signIn.oauth) {
-    const c = f.signIn;
-    f.signIn = {
+  if (R && !l.signIn.oauth) {
+    const c = l.signIn;
+    l.signIn = {
       ...c,
-      oauth: async (u) => {
-        const d = await A(u);
-        return await w(d.state, u), d;
+      oauth: async (f) => {
+        const d = await R(f);
+        return await g(d.state, f), d;
       }
     };
   }
-  if (!f.signIn || !f.signIn.email)
+  if (!l.signIn || !l.signIn.email)
     throw new Error("mulguard: signIn.email action is required");
-  const S = async (c, ...u) => {
+  const S = async (c, ...f) => {
     if (c)
       try {
-        return await c(...u);
+        return await c(...f);
       } catch (d) {
         throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
       }
-  }, v = Ye({
+  }, v = er({
     sessionConfig: r,
     cacheTtl: a,
     getSessionAction: t.getSession,
@@ -1320,45 +1408,45 @@ function et(e) {
   }), y = async (c) => {
     if (!D(c) || !c.session)
       return { success: !0 };
-    const u = await v.setSession(c.session);
-    return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), u;
+    const f = await v.setSession(c.session);
+    return c.user && n.onSignIn && await S(n.onSignIn, c.user, c.session), f;
   };
-  if (Object.keys(s).length > 0 && !f.oauthCallback) {
-    const c = sr(
+  if (Object.keys(s).length > 0 && !l.oauthCallback) {
+    const c = ar(
       {
         oauthProviders: s,
-        baseUrl: i,
+        baseUrl: o,
         callbacks: n,
-        createSession: (u, d, R) => ({
+        createSession: (f, d, A) => ({
           user: {
-            ...u,
+            ...f,
             avatar: d.avatar,
             emailVerified: d.emailVerified
           },
           expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
-          accessToken: R.access_token,
-          refreshToken: R.refresh_token,
+          accessToken: A.access_token,
+          refreshToken: A.refresh_token,
           tokenType: "Bearer",
-          expiresIn: R.expires_in
+          expiresIn: A.expires_in
         }),
-        saveSession: async (u) => {
-          await v.setSession(u);
+        saveSession: async (f) => {
+          await v.setSession(f);
         },
         onError: n.onError
       }
     );
-    f.oauthCallback = c;
+    l.oauthCallback = c;
   }
-  const h = tr(
+  const h = or(
     {
-      actions: f,
+      actions: l,
       callbacks: n,
       saveSessionAfterAuth: y,
       onError: n.onError
     },
-    w
-  ), T = nr({
-    actions: f,
+    g
+  ), T = ir({
+    actions: l,
     callbacks: n,
     saveSessionAfterAuth: y,
     onError: n.onError
@@ -1405,8 +1493,8 @@ function et(e) {
      */
     async signOut() {
       try {
-        const c = await this.getSession(), u = c == null ? void 0 : c.user;
-        return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), u && n.onSignOut && await S(n.onSignOut, u), { success: !0 };
+        const c = await this.getSession(), f = c == null ? void 0 : c.user;
+        return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), f && n.onSignOut && await S(n.onSignOut, f), { success: !0 };
       } catch (c) {
         return await v.clearSessionCookie(), v.clearCache(), n.onError && await S(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
           success: !1,
@@ -1422,10 +1510,10 @@ function et(e) {
         throw new Error("Password reset is not configured. Provide resetPassword action in config.");
       try {
         return await t.resetPassword(c);
-      } catch (u) {
-        return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "resetPassword"), {
+      } catch (f) {
+        return n.onError && await S(n.onError, f instanceof Error ? f : new Error(String(f)), "resetPassword"), {
           success: !1,
-          error: u instanceof Error ? u.message : "Password reset failed"
+          error: f instanceof Error ? f.message : "Password reset failed"
         };
       }
     },
@@ -1437,10 +1525,10 @@ function et(e) {
         throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
       try {
         return await t.verifyEmail(c);
-      } catch (u) {
-        return n.onError && await S(n.onError, u instanceof Error ? u : new Error(String(u)), "verifyEmail"), {
+      } catch (f) {
+        return n.onError && await S(n.onError, f instanceof Error ? f : new Error(String(f)), "verifyEmail"), {
           success: !1,
-          error: u instanceof Error ? u.message : "Email verification failed"
+          error: f instanceof Error ? f.message : "Email verification failed"
         };
       }
     },
@@ -1453,23 +1541,23 @@ function et(e) {
         return this.getSession();
       try {
         const c = await t.refreshSession();
-        if (c && N(c)) {
+        if (c && U(c)) {
           if (await v.setSession(c), n.onSessionUpdate) {
-            const u = await S(n.onSessionUpdate, c);
-            if (u && N(u)) {
-              if (await v.setSession(u), n.onTokenRefresh) {
+            const f = await S(n.onSessionUpdate, c);
+            if (f && U(f)) {
+              if (await v.setSession(f), n.onTokenRefresh) {
                 const d = await this.getSession();
-                d && await S(n.onTokenRefresh, d, u);
+                d && await S(n.onTokenRefresh, d, f);
               }
-              return u;
+              return f;
             }
           }
           if (n.onTokenRefresh) {
-            const u = await this.getSession();
-            u && await S(n.onTokenRefresh, u, c);
+            const f = await this.getSession();
+            f && await S(n.onTokenRefresh, f, c);
           }
           return c;
-        } else if (c && !N(c))
+        } else if (c && !U(c))
           return await v.clearSessionCookie(), v.clearCache(), null;
         return null;
       } catch (c) {
@@ -1480,22 +1568,22 @@ function et(e) {
      * OAuth callback handler
      * ✅ Auto-generated if providers.oauth is configured in config
      */
-    async oauthCallback(c, u, d) {
-      if (!f.oauthCallback)
+    async oauthCallback(c, f, d) {
+      if (!l.oauthCallback)
         throw new Error(
           "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
         );
-      if (!u || !d)
+      if (!f || !d)
         return {
           success: !1,
           error: "Missing required OAuth parameters (code or state)",
           errorCode: m.VALIDATION_ERROR
         };
-      let R = c;
-      if (!R) {
-        const P = await Promise.resolve(l.get(d));
+      let A = c;
+      if (!A) {
+        const P = await Promise.resolve(u.get(d));
         if (P && P.provider)
-          R = P.provider;
+          A = P.provider;
         else
           return {
             success: !1,
@@ -1503,14 +1591,14 @@ function et(e) {
             errorCode: m.VALIDATION_ERROR
           };
       }
-      if (!await g(d, R))
+      if (!await w(d, A))
         return {
           success: !1,
           error: "Invalid or expired state parameter",
           errorCode: m.VALIDATION_ERROR
         };
       try {
-        return await f.oauthCallback(R, u, d);
+        return await l.oauthCallback(A, f, d);
       } catch (P) {
         return n.onError && await S(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
           success: !1,
@@ -1523,19 +1611,19 @@ function et(e) {
      * Verify 2FA code after initial sign in
      * Used when signIn returns requires2FA: true
      */
-    async verify2FA(c, u) {
+    async verify2FA(c, f) {
       if (!t.verify2FA)
         throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
       try {
         const d = await t.verify2FA(c);
-        if (d.success && d.session && !(u != null && u.skipCookieSave)) {
-          const R = await y(d);
-          R.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
-            error: R.error,
-            warning: R.warning
+        if (d.success && d.session && !(f != null && f.skipCookieSave)) {
+          const A = await y(d);
+          A.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
+            error: A.error,
+            warning: A.warning
           }), n.onError && await S(
             n.onError,
-            new Error(R.warning || R.error || "Failed to save session cookie"),
+            new Error(A.warning || A.error || "Failed to save session cookie"),
             "verify2FA.setSession"
           ));
         }
@@ -1566,14 +1654,24 @@ function et(e) {
     _getCallbacks() {
       return n;
     },
+    /**
+     * Store OAuth state for validation (useful when using external backend API)
+     * This allows storing state generated by backend APIs in mulguard's state store
+     *
+     * @param state - OAuth state token
+     * @param provider - OAuth provider name
+     */
+    async storeOAuthState(c, f) {
+      await g(c, f);
+    },
     /**
      * PassKey methods
      */
     passkey: t.passkey ? {
       register: t.passkey.register,
       authenticate: async (c) => {
-        var u;
-        if (!((u = t.passkey) != null && u.authenticate))
+        var f;
+        if (!((f = t.passkey) != null && f.authenticate))
           throw new Error("PassKey authenticate is not configured.");
         try {
           const d = await t.passkey.authenticate(c);
@@ -1586,8 +1684,8 @@ function et(e) {
         }
       },
       list: t.passkey.list ? async () => {
-        var u;
-        if (!((u = t.passkey) != null && u.list))
+        var f;
+        if (!((f = t.passkey) != null && f.list))
           throw new Error("PassKey list is not configured.");
         return [...await t.passkey.list()];
       } : void 0,
@@ -1604,13 +1702,13 @@ function et(e) {
       isEnabled: t.twoFactor.isEnabled,
       verify2FA: async (c) => {
         var d;
-        const u = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
-        if (!u)
+        const f = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
+        if (!f)
           throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
         try {
-          const R = await u(c);
-          if (R.success && R.session) {
-            const C = await y(R);
+          const A = await f(c);
+          if (A.success && A.session) {
+            const C = await y(A);
             C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
               error: C.error,
               warning: C.warning
@@ -1620,11 +1718,11 @@ function et(e) {
               "twoFactor.verify2FA.setSession"
             ));
           }
-          return R;
-        } catch (R) {
-          return n.onError && await S(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
+          return A;
+        } catch (A) {
+          return n.onError && await S(n.onError, A instanceof Error ? A : new Error(String(A)), "twoFactor.verify2FA"), {
             success: !1,
-            error: R instanceof Error ? R.message : "2FA verification failed",
+            error: A instanceof Error ? A.message : "2FA verification failed",
             errorCode: m.UNKNOWN_ERROR
           };
         }
@@ -1636,61 +1734,61 @@ function et(e) {
     signInMethods: {
       email: (c) => h.email(c),
       oauth: (c) => {
-        var u;
-        return ((u = h.oauth) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
+        var f;
+        return ((f = h.oauth) == null ? void 0 : f.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
       },
       passkey: (c) => {
-        var u;
-        return ((u = h.passkey) == null ? void 0 : u.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
+        var f;
+        return ((f = h.passkey) == null ? void 0 : f.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
       },
-      otp: (c, u) => {
+      otp: (c, f) => {
         var d;
-        return ((d = h.otp) == null ? void 0 : d.call(h, c, u)) || Promise.reject(new Error("OTP not configured"));
+        return ((d = h.otp) == null ? void 0 : d.call(h, c, f)) || Promise.reject(new Error("OTP not configured"));
       }
     }
   };
   if (t.refreshSession) {
-    const c = Ge(
+    const c = Je(
       async () => await _.refreshSession(),
       async () => await _.signOut(),
       async () => {
         await v.clearSessionCookie(), v.clearCache();
       },
       {
-        ...o,
-        onTokenRefreshed: o.onTokenRefreshed,
-        onTokenRefreshFailed: o.onTokenRefreshFailed,
-        onBeforeRedirect: o.onBeforeRedirect
+        ...i,
+        onTokenRefreshed: i.onTokenRefreshed,
+        onTokenRefreshFailed: i.onTokenRefreshFailed,
+        onBeforeRedirect: i.onBeforeRedirect
       }
     );
     _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
   }
   return _;
 }
-function rt(e) {
+function ot(e) {
   return {
     GET: async (r) => B(r, e, "GET"),
     POST: async (r) => B(r, e, "POST")
   };
 }
 async function B(e, r, t) {
-  const n = new URL(e.url), s = or(n.pathname), i = s.split("/").filter(Boolean);
+  const n = new URL(e.url), s = ur(n.pathname), o = s.split("/").filter(Boolean);
   try {
-    return t === "GET" ? await ar(e, r, s, i, n) : t === "POST" ? await cr(e, r, s, i, n) : O("Method not allowed", 405);
-  } catch (o) {
+    return t === "GET" ? await lr(e, r, s, o, n) : t === "POST" ? await fr(e, r, s, o, n) : O("Method not allowed", 405);
+  } catch (i) {
     return O(
-      o instanceof Error ? o.message : "Request failed",
+      i instanceof Error ? i.message : "Request failed",
       500
     );
   }
 }
-function or(e) {
+function ur(e) {
   return e.replace(/^\/api\/auth/, "") || "/session";
 }
-async function ar(e, r, t, n, s) {
+async function lr(e, r, t, n, s) {
   if (t === "/session" || t === "/") {
-    const i = await r.getSession();
-    return E.json({ session: i });
+    const o = await r.getSession();
+    return E.json({ session: o });
   }
   return t === "/providers" ? E.json({
     providers: {
@@ -1700,11 +1798,11 @@ async function ar(e, r, t, n, s) {
     }
   }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
 }
-async function cr(e, r, t, n, s) {
-  const i = await ur(e);
-  return t === "/sign-in" || n[0] === "sign-in" ? await fr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await dr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await hr(r) : t === "/reset-password" || n[0] === "reset-password" ? await gr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await wr(r, i) : t === "/refresh" || n[0] === "refresh" ? await pr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Er(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await mr(r, i) : t.startsWith("/two-factor") ? await yr(r, n, i) : O("Not found", 404);
+async function fr(e, r, t, n, s) {
+  const o = await dr(e);
+  return t === "/sign-in" || n[0] === "sign-in" ? await gr(r, o) : t === "/sign-up" || n[0] === "sign-up" ? await wr(r, o) : t === "/sign-out" || n[0] === "sign-out" ? await pr(r) : t === "/reset-password" || n[0] === "reset-password" ? await mr(r, o) : t === "/verify-email" || n[0] === "verify-email" ? await Er(r, o) : t === "/refresh" || n[0] === "refresh" ? await yr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", o) : t.startsWith("/passkey") ? await vr(r, t, n, o) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await kr(r, o) : t.startsWith("/two-factor") ? await Sr(r, n, o) : O("Not found", 404);
 }
-async function ur(e) {
+async function dr(e) {
   try {
     return await e.json();
   } catch {
@@ -1714,23 +1812,23 @@ async function ur(e) {
 function re(e, r) {
   return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
 }
-async function te(e, r, t, n, s, i, o) {
+async function te(e, r, t, n, s, o, i) {
   if (!r.oauthCallback)
-    return i === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
-  const a = lr(n, s, o), l = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), f = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
-  if (!l || !f)
-    return i === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
+    return o === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
+  const a = hr(n, s, i), u = (i == null ? void 0 : i.code) ?? s.searchParams.get("code"), l = (i == null ? void 0 : i.state) ?? s.searchParams.get("state");
+  if (!u || !l)
+    return o === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
   try {
-    const w = await r.oauthCallback(a ?? "", l, f);
-    return i === "GET" ? w.success ? kr(e.url, s.searchParams.get("callbackUrl")) : V(e.url, w.error ?? "oauth_failed") : E.json(w);
-  } catch (w) {
-    return i === "GET" ? V(e.url, w instanceof Error ? w.message : "oauth_error") : O(w instanceof Error ? w.message : "OAuth callback failed", 500);
+    const g = await r.oauthCallback(a ?? "", u, l);
+    return o === "GET" ? g.success ? Ar(e.url, s.searchParams.get("callbackUrl")) : V(e.url, g.error ?? "oauth_failed") : E.json(g);
+  } catch (g) {
+    return o === "GET" ? V(e.url, g instanceof Error ? g.message : "oauth_error") : O(g instanceof Error ? g.message : "OAuth callback failed", 500);
   }
 }
-function lr(e, r, t) {
+function hr(e, r, t) {
   return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
 }
-async function fr(e, r) {
+async function gr(e, r) {
   if (r.provider === "email" && r.email && r.password) {
     const t = {
       email: r.email,
@@ -1752,17 +1850,17 @@ async function fr(e, r) {
   }
   return O("Invalid sign in request", 400);
 }
-async function dr(e, r) {
+async function wr(e, r) {
   if (!e.signUp)
     return O("Sign up is not configured", 400);
   const t = await e.signUp(r);
   return E.json(t);
 }
-async function hr(e) {
+async function pr(e) {
   const r = await e.signOut();
   return E.json(r);
 }
-async function gr(e, r) {
+async function mr(e, r) {
   if (!e.resetPassword)
     return O("Password reset is not configured", 400);
   if (!r.email || typeof r.email != "string")
@@ -1770,7 +1868,7 @@ async function gr(e, r) {
   const t = await e.resetPassword(r.email);
   return E.json(t);
 }
-async function wr(e, r) {
+async function Er(e, r) {
   if (!e.verifyEmail)
     return O("Email verification is not configured", 400);
   if (!r.token || typeof r.token != "string")
@@ -1778,7 +1876,7 @@ async function wr(e, r) {
   const t = await e.verifyEmail(r.token);
   return E.json(t);
 }
-async function pr(e) {
+async function yr(e) {
   if (!e.refreshSession) {
     const t = await e.getSession();
     return E.json({ session: t });
@@ -1786,7 +1884,7 @@ async function pr(e) {
   const r = await e.refreshSession();
   return E.json({ session: r });
 }
-async function mr(e, r) {
+async function kr(e, r) {
   if (!e.verify2FA)
     return O("2FA verification is not configured", 400);
   if (!r.email || !r.userId || !r.code)
@@ -1798,27 +1896,27 @@ async function mr(e, r) {
   }, n = await e.verify2FA(t);
   return E.json(n);
 }
-async function Er(e, r, t, n) {
+async function vr(e, r, t, n) {
   if (!e.passkey)
     return O("PassKey is not configured", 400);
   const s = t[1];
   if (s === "register" && e.passkey.register) {
-    const i = await e.passkey.register(n.options);
-    return E.json(i);
+    const o = await e.passkey.register(n.options);
+    return E.json(o);
   }
   if (s === "list" && e.passkey.list) {
-    const i = await e.passkey.list();
-    return E.json(i);
+    const o = await e.passkey.list();
+    return E.json(o);
   }
   if (s === "remove" && e.passkey.remove) {
     if (!n.passkeyId || typeof n.passkeyId != "string")
       return O("Passkey ID is required", 400);
-    const i = await e.passkey.remove(n.passkeyId);
-    return E.json(i);
+    const o = await e.passkey.remove(n.passkeyId);
+    return E.json(o);
   }
   return O("Invalid Passkey request", 400);
 }
-async function yr(e, r, t) {
+async function Sr(e, r, t) {
   if (!e.twoFactor)
     return O("Two-Factor Authentication is not configured", 400);
   const n = r[1];
@@ -1858,52 +1956,52 @@ function O(e, r) {
 function V(e, r) {
   return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
 }
-function kr(e, r) {
+function Ar(e, r) {
   const t = r ?? "/";
   return E.redirect(new URL(t, e));
 }
-function tt(e) {
+function it(e) {
   return async (r) => {
-    const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
+    const { method: t, nextUrl: n } = r, o = n.pathname.replace(/^\/api\/auth/, "") || "/";
     try {
-      let o;
+      let i;
       if (t !== "GET" && t !== "HEAD")
         try {
-          o = await r.json();
+          i = await r.json();
         } catch {
         }
-      const a = Object.fromEntries(n.searchParams.entries()), l = await fetch(
-        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
+      const a = Object.fromEntries(n.searchParams.entries()), u = await fetch(
+        `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${o}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
         {
           method: t,
           headers: {
             "Content-Type": "application/json",
             ...Object.fromEntries(r.headers.entries())
           },
-          body: o ? JSON.stringify(o) : void 0
+          body: i ? JSON.stringify(i) : void 0
         }
-      ), f = await l.json();
-      return E.json(f, {
-        status: l.status,
+      ), l = await u.json();
+      return E.json(l, {
+        status: u.status,
         headers: {
-          ...Object.fromEntries(l.headers.entries())
+          ...Object.fromEntries(u.headers.entries())
         }
       });
-    } catch (o) {
-      return console.error("API handler error:", o), E.json(
+    } catch (i) {
+      return console.error("API handler error:", i), E.json(
         {
           success: !1,
-          error: o instanceof Error ? o.message : "Internal server error"
+          error: i instanceof Error ? i.message : "Internal server error"
         },
         { status: 500 }
       );
     }
   };
 }
-function nt(e) {
+function at(e) {
   return async (r) => {
-    const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), i = t.get("state");
-    if (!n || !s || !i)
+    const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), o = t.get("state");
+    if (!n || !s || !o)
       return E.redirect(
         new URL("/login?error=oauth_missing_params", r.url)
       );
@@ -1912,20 +2010,20 @@ function nt(e) {
         return E.redirect(
           new URL("/login?error=oauth_not_configured", r.url)
         );
-      const o = await e.oauthCallback(n, s, i);
-      if (o.success) {
+      const i = await e.oauthCallback(n, s, o);
+      if (i.success) {
         const a = t.get("callbackUrl") || "/";
         return E.redirect(new URL(a, r.url));
       } else {
-        const a = o.errorCode ? `${encodeURIComponent(o.error || "oauth_failed")}&code=${o.errorCode}` : encodeURIComponent(o.error || "oauth_failed");
+        const a = i.errorCode ? `${encodeURIComponent(i.error || "oauth_failed")}&code=${i.errorCode}` : encodeURIComponent(i.error || "oauth_failed");
         return E.redirect(
           new URL(`/login?error=${a}`, r.url)
         );
       }
-    } catch (o) {
-      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", o), E.redirect(
+    } catch (i) {
+      return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", i), E.redirect(
         new URL(
-          `/login?error=${encodeURIComponent(o instanceof Error ? o.message : "oauth_error")}`,
+          `/login?error=${encodeURIComponent(i instanceof Error ? i.message : "oauth_error")}`,
           r.url
         )
       );
@@ -1942,42 +2040,42 @@ function F(e, r) {
     s && typeof s == "string" && r.headers.set(n, s);
   return r;
 }
-function st() {
+function ct() {
   return async (e) => {
     const r = E.next();
     return F(e, r);
   };
 }
-function it(e, r = {}) {
+function ut(e, r = {}) {
   const {
     protectedRoutes: t = [],
     publicRoutes: n = [],
     redirectTo: s = "/login",
-    redirectIfAuthenticated: i
+    redirectIfAuthenticated: o
   } = r;
-  return async (o) => {
-    const { pathname: a } = o.nextUrl, l = t.some((g) => a.startsWith(g));
-    let f = null;
+  return async (i) => {
+    const { pathname: a } = i.nextUrl, u = t.some((w) => a.startsWith(w));
+    let l = null;
     try {
-      f = await e.getSession();
-    } catch (g) {
-      console.error("Middleware: Failed to get session:", g);
+      l = await e.getSession();
+    } catch (w) {
+      console.error("Middleware: Failed to get session:", w);
     }
-    if (l && !f) {
-      const g = o.nextUrl.clone();
-      return g.pathname = s, g.searchParams.set("callbackUrl", a), E.redirect(g);
+    if (u && !l) {
+      const w = i.nextUrl.clone();
+      return w.pathname = s, w.searchParams.set("callbackUrl", a), E.redirect(w);
     }
-    if (i && f && (a.startsWith("/login") || a.startsWith("/register"))) {
-      const A = o.nextUrl.clone();
-      A.pathname = i;
-      const S = E.redirect(A);
-      return F(o, S);
+    if (o && l && (a.startsWith("/login") || a.startsWith("/register"))) {
+      const R = i.nextUrl.clone();
+      R.pathname = o;
+      const S = E.redirect(R);
+      return F(i, S);
     }
-    const w = E.next();
-    return F(o, w);
+    const g = E.next();
+    return F(i, g);
   };
 }
-async function ot(e, r) {
+async function lt(e, r) {
   var t;
   try {
     const n = await e.getSession();
@@ -1986,46 +2084,46 @@ async function ot(e, r) {
     return !1;
   }
 }
-function at(e) {
+function ft(e) {
   const {
     auth: r,
     protectedRoutes: t = [],
     publicRoutes: n = [],
     redirectTo: s = "/login",
-    redirectIfAuthenticated: i,
-    apiPrefix: o = "/api/auth"
+    redirectIfAuthenticated: o,
+    apiPrefix: i = "/api/auth"
   } = e;
   return async (a) => {
-    const { pathname: l } = a.nextUrl;
-    if (l.startsWith(o)) {
-      const A = E.next();
-      return F(a, A);
+    const { pathname: u } = a.nextUrl;
+    if (u.startsWith(i)) {
+      const R = E.next();
+      return F(a, R);
     }
-    const f = t.some((A) => l.startsWith(A));
-    let w = null;
-    if (f || i)
+    const l = t.some((R) => u.startsWith(R));
+    let g = null;
+    if (l || o)
       try {
-        w = await r.getSession();
-      } catch (A) {
-        console.error("Middleware: Failed to get session:", A);
+        g = await r.getSession();
+      } catch (R) {
+        console.error("Middleware: Failed to get session:", R);
       }
-    if (f && !w) {
-      const A = a.nextUrl.clone();
-      A.pathname = s, A.searchParams.set("callbackUrl", l);
-      const S = E.redirect(A);
+    if (l && !g) {
+      const R = a.nextUrl.clone();
+      R.pathname = s, R.searchParams.set("callbackUrl", u);
+      const S = E.redirect(R);
       return F(a, S);
     }
-    if (i && w && (l.startsWith("/login") || l.startsWith("/register"))) {
+    if (o && g && (u.startsWith("/login") || u.startsWith("/register"))) {
       const S = a.nextUrl.clone();
-      S.pathname = i;
+      S.pathname = o;
       const v = E.redirect(S);
       return F(a, v);
     }
-    const g = E.next();
-    return F(a, g);
+    const w = E.next();
+    return F(a, w);
   };
 }
-async function ct(e, r) {
+async function dt(e, r) {
   var t;
   try {
     const n = await e.getSession();
@@ -2038,85 +2136,87 @@ export {
   Te as CSRFProtection,
   fe as DEFAULT_SECURITY_HEADERS,
   Oe as MemoryCSRFStore,
-  ze as MemoryOAuthStateStore,
+  qe as MemoryOAuthStateStore,
   le as RateLimiter,
-  Tr as applySecurityHeaders,
-  oe as buildCookieOptions,
-  be as buildOAuthAuthorizationUrl,
-  ot as checkRole,
-  ct as checkRoleProxy,
-  Vr as containsXSSPattern,
-  tt as createApiHandler,
-  it as createAuthMiddleware,
-  Dr as createCSRFProtection,
-  $e as createMemoryOAuthStateStore,
-  nt as createOAuthCallbackHandler,
-  at as createProxyMiddleware,
-  Or as createRateLimiter,
-  Zr as createRedisOAuthStateStore,
-  st as createSecurityMiddleware,
-  pt as createServerAuthMiddleware,
-  mt as createServerHelpers,
-  Et as createServerUtils,
-  yt as createSessionManager,
-  ie as deleteCookie,
-  kt as deleteOAuthStateCookie,
+  Pr as applySecurityHeaders,
+  ie as buildCookieOptions,
+  Ne as buildOAuthAuthorizationUrl,
+  lt as checkRole,
+  dt as checkRoleProxy,
+  $r as containsXSSPattern,
+  it as createApiHandler,
+  ut as createAuthMiddleware,
+  Vr as createCSRFProtection,
+  We as createCookieOAuthStateStore,
+  Be as createMemoryOAuthStateStore,
+  tt as createNextJsCookieOAuthStateStore,
+  at as createOAuthCallbackHandler,
+  ft as createProxyMiddleware,
+  _r as createRateLimiter,
+  nt as createRedisOAuthStateStore,
+  ct as createSecurityMiddleware,
+  kt as createServerAuthMiddleware,
+  vt as createServerHelpers,
+  St as createServerUtils,
+  At as createSessionManager,
+  oe as deleteCookie,
+  Rt as deleteOAuthStateCookie,
   Ie as escapeHTML,
-  Ue as exchangeOAuthCode,
+  be as exchangeOAuthCode,
   _e as generateCSRFToken,
   Y as generateToken,
   ce as getCookie,
-  vt as getCurrentUser,
-  Br as getErrorCode,
-  qr as getErrorMessage,
-  St as getOAuthStateCookie,
+  Ot as getCurrentUser,
+  Kr as getErrorCode,
+  Gr as getErrorMessage,
+  Tt as getOAuthStateCookie,
   Fe as getOAuthUserInfo,
   j as getProviderMetadata,
   H as getSecurityHeaders,
-  Rt as getServerSession,
-  At as getSessionTimeUntilExpiry,
-  Xr as getUserFriendlyError,
-  Gr as hasErrorCode,
+  It as getServerSession,
+  _t as getSessionTimeUntilExpiry,
+  Qr as getUserFriendlyError,
+  Jr as hasErrorCode,
   Ce as isAuthError,
-  Hr as isAuthSuccess,
-  Qr as isOAuthProviderConfig,
-  Kr as isRetryableError,
-  Ot as isSessionExpiredNullable,
-  Tt as isSessionExpiringSoon,
-  It as isSessionValid,
-  Yr as isSupportedProvider,
-  Wr as isTwoFactorRequired,
-  jr as isValidCSRFToken,
-  $r as isValidEmail,
-  xr as isValidInput,
-  Cr as isValidName,
-  _r as isValidPassword,
-  Fr as isValidToken,
-  Ur as isValidURL,
-  et as mulguard,
-  _t as refreshSession,
-  Pt as requireAuth,
-  Ct as requireRole,
-  bt as requireServerAuthMiddleware,
-  Ut as requireServerRoleMiddleware,
-  Lr as sanitizeHTML,
-  zr as sanitizeInput,
-  Mr as sanitizeUserInput,
+  Xr as isAuthSuccess,
+  rt as isOAuthProviderConfig,
+  Yr as isRetryableError,
+  Pt as isSessionExpiredNullable,
+  Ct as isSessionExpiringSoon,
+  Nt as isSessionValid,
+  et as isSupportedProvider,
+  Hr as isTwoFactorRequired,
+  Wr as isValidCSRFToken,
+  Br as isValidEmail,
+  Mr as isValidInput,
+  Ur as isValidName,
+  Nr as isValidPassword,
+  Lr as isValidToken,
+  xr as isValidURL,
+  st as mulguard,
+  bt as refreshSession,
+  Ut as requireAuth,
+  Ft as requireRole,
+  xt as requireServerAuthMiddleware,
+  Dt as requireServerRoleMiddleware,
+  jr as sanitizeHTML,
+  qr as sanitizeInput,
+  zr as sanitizeUserInput,
   ae as setCookie,
-  Jr as signIn,
-  ft as signInEmailAction,
-  dt as signOutAction,
-  ht as signUpAction,
-  Nt as storeOAuthStateCookie,
-  rt as toNextJsHandler,
+  Zr as signIn,
+  wt as signInEmailAction,
+  pt as signOutAction,
+  mt as signUpAction,
+  Lt as storeOAuthStateCookie,
+  ot as toNextJsHandler,
   G as validateAndSanitizeEmail,
   X as validateAndSanitizeInput,
-  Pr as validateAndSanitizeName,
-  Ir as validateAndSanitizePassword,
+  br as validateAndSanitizeName,
+  Cr as validateAndSanitizePassword,
   Q as validateCSRFToken,
-  N as validateSessionStructure,
-  Nr as validateToken,
-  br as validateURL,
-  gt as verify2FAAction,
+  U as validateSessionStructure,
+  Dr as validateToken,
+  Fr as validateURL,
+  Et as verify2FAAction,
   F as withSecurityHeaders
 };