mulguard 1.1.6 → 1.1.7

Files changed (61)
  1. package/README.md +210 -706
  2. package/dist/actions-CMtg7FGv.js +1 -0
  3. package/dist/{actions-DeCfLtHA.mjs → actions-CjQUKaXF.mjs} +54 -38
  4. package/dist/client/index.js +1 -1
  5. package/dist/client/index.mjs +84 -78
  6. package/dist/core/auth/email-password.d.ts +145 -0
  7. package/dist/core/auth/oauth/index.d.ts +14 -0
  8. package/dist/core/auth/oauth/oauth-handler.d.ts +172 -0
  9. package/dist/core/auth/oauth/pkce.d.ts +168 -0
  10. package/dist/core/auth/{oauth-providers.d.ts → oauth/providers.d.ts} +8 -7
  11. package/dist/core/auth/{oauth-state-store-cookie.d.ts → oauth/state-store-cookie.d.ts} +4 -4
  12. package/dist/core/auth/{oauth-state-store-redis.d.ts → oauth/state-store-redis.d.ts} +1 -1
  13. package/dist/core/auth/{oauth-state-store.d.ts → oauth/state-store.d.ts} +4 -1
  14. package/dist/core/auth/otp.d.ts +184 -0
  15. package/dist/core/errors/index.d.ts +269 -0
  16. package/dist/core/index.d.ts +1 -3
  17. package/dist/core/logger/index.d.ts +147 -0
  18. package/dist/core/mulguard/integration.d.ts +104 -0
  19. package/dist/core/mulguard/oauth-handler.d.ts +1 -1
  20. package/dist/core/security/security-manager.d.ts +236 -0
  21. package/dist/core/session/session-manager.d.ts +235 -0
  22. package/dist/core/types/index.d.ts +27 -5
  23. package/dist/index/index.js +1 -1
  24. package/dist/index/index.mjs +1388 -881
  25. package/dist/index.d.ts +3 -6
  26. package/dist/{client → nextjs/client}/hooks.d.ts +2 -2
  27. package/dist/nextjs/client/index.d.ts +13 -0
  28. package/dist/{client → nextjs/client}/provider.d.ts +1 -1
  29. package/dist/{client → nextjs/client}/server-actions-helper.d.ts +2 -2
  30. package/dist/{handlers → nextjs/handlers}/api.d.ts +1 -1
  31. package/dist/nextjs/handlers/index.d.ts +9 -0
  32. package/dist/{handlers → nextjs/handlers}/route.d.ts +1 -1
  33. package/dist/nextjs/index.d.ts +15 -0
  34. package/dist/nextjs/proxy/index.d.ts +149 -0
  35. package/dist/nextjs/server/actions.d.ts +30 -0
  36. package/dist/{server → nextjs/server}/auth.d.ts +6 -6
  37. package/dist/{server → nextjs/server}/cookies.d.ts +5 -6
  38. package/dist/nextjs/server/index.d.ts +18 -0
  39. package/dist/{server → nextjs/server}/oauth-state.d.ts +5 -3
  40. package/dist/{server → nextjs/server}/session-helpers.d.ts +1 -3
  41. package/dist/nextjs/server/session.d.ts +144 -0
  42. package/dist/oauth-state-Drwz6fES.js +1 -0
  43. package/dist/oauth-state-pdypStuS.mjs +210 -0
  44. package/dist/server/index.js +1 -1
  45. package/dist/server/index.mjs +27 -29
  46. package/package.json +64 -11
  47. package/dist/actions-CExpv_dD.js +0 -1
  48. package/dist/client/index.d.ts +0 -5
  49. package/dist/core/auth/index.d.ts +0 -40
  50. package/dist/core/auth/oauth.d.ts +0 -20
  51. package/dist/middleware/index.d.ts +0 -28
  52. package/dist/middleware/proxy.d.ts +0 -53
  53. package/dist/oauth-state-DKle8eCr.mjs +0 -289
  54. package/dist/oauth-state-DlvrCV11.js +0 -1
  55. package/dist/server/actions.d.ts +0 -86
  56. package/dist/server/helpers.d.ts +0 -10
  57. package/dist/server/index.d.ts +0 -14
  58. package/dist/server/middleware.d.ts +0 -39
  59. package/dist/server/session.d.ts +0 -28
  60. package/dist/server/utils.d.ts +0 -10
  61. /package/dist/{middleware → nextjs/proxy}/security.d.ts +0 -0
@@ -1,24 +1,69 @@
1
- var ne = Object.defineProperty;
2
- var se = (e, r, t) => r in e ? ne(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
3
- var b = (e, r, t) => se(e, typeof r != "symbol" ? r + "" : r, t);
4
- import { A as m, d as oe, e as ie, c as ae, g as ce } from "../actions-DeCfLtHA.mjs";
5
- import { a as wt, s as pt, b as mt, v as Et } from "../actions-DeCfLtHA.mjs";
6
- import { v as U } from "../oauth-state-DKle8eCr.mjs";
7
- import { c as kt, p as vt, k as St, n as At, m as Rt, j as Ot, l as Tt, e as It, g as _t, b as Pt, i as Ct, a as Nt, o as bt, f as Ut, h as Ft, r as xt, d as Dt, s as Lt } from "../oauth-state-DKle8eCr.mjs";
8
- import { NextResponse as E } from "next/server";
9
- const x = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
1
+ var ve = Object.defineProperty;
2
+ var Se = (e, r, t) => r in e ? ve(e, r, { enumerable: !0, configurable: !0, writable: !0, value: t }) : e[r] = t;
3
+ var x = (e, r, t) => Se(e, typeof r != "symbol" ? r + "" : r, t);
4
+ import { A as m, d as Ae, e as Re, c as Oe, g as Te } from "../actions-CjQUKaXF.mjs";
5
+ import { a as Gt, s as Kt, b as Xt, v as Jt } from "../actions-CjQUKaXF.mjs";
6
+ import { v as F } from "../oauth-state-pdypStuS.mjs";
7
+ import { S as Qt, e as Zt, d as en, m as rn, g as tn, l as nn, b as sn, c as on, j as an, i as cn, f as un, h as ln, k as fn, r as dn, a as hn, s as gn } from "../oauth-state-pdypStuS.mjs";
8
+ import { NextResponse as A } from "next/server";
9
+ const L = typeof globalThis == "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
10
10
  /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
11
- function ue(e = 32) {
12
- if (x && typeof x.getRandomValues == "function")
13
- return x.getRandomValues(new Uint8Array(e));
14
- if (x && typeof x.randomBytes == "function")
15
- return Uint8Array.from(x.randomBytes(e));
11
+ function _e(e) {
12
+ return e instanceof Uint8Array || ArrayBuffer.isView(e) && e.constructor.name === "Uint8Array";
13
+ }
14
+ function G(e, ...r) {
15
+ if (!_e(e))
16
+ throw new Error("Uint8Array expected");
17
+ if (r.length > 0 && !r.includes(e.length))
18
+ throw new Error("Uint8Array expected of length " + r + ", got length=" + e.length);
19
+ }
20
+ function Q(e, r = !0) {
21
+ if (e.destroyed)
22
+ throw new Error("Hash instance has been destroyed");
23
+ if (r && e.finished)
24
+ throw new Error("Hash#digest() has already been called");
25
+ }
26
+ function be(e, r) {
27
+ G(e);
28
+ const t = r.outputLen;
29
+ if (e.length < t)
30
+ throw new Error("digestInto() expects output buffer of length at least " + t);
31
+ }
32
+ function q(...e) {
33
+ for (let r = 0; r < e.length; r++)
34
+ e[r].fill(0);
35
+ }
36
+ function H(e) {
37
+ return new DataView(e.buffer, e.byteOffset, e.byteLength);
38
+ }
39
+ function P(e, r) {
40
+ return e << 32 - r | e >>> r;
41
+ }
42
+ function Ce(e) {
43
+ if (typeof e != "string")
44
+ throw new Error("string expected");
45
+ return new Uint8Array(new TextEncoder().encode(e));
46
+ }
47
+ function re(e) {
48
+ return typeof e == "string" && (e = Ce(e)), G(e), e;
49
+ }
50
+ class Ie {
51
+ }
52
+ function xe(e) {
53
+ const r = (n) => e().update(re(n)).digest(), t = e();
54
+ return r.outputLen = t.outputLen, r.blockLen = t.blockLen, r.create = () => e(), r;
55
+ }
56
+ function te(e = 32) {
57
+ if (L && typeof L.getRandomValues == "function")
58
+ return L.getRandomValues(new Uint8Array(e));
59
+ if (L && typeof L.randomBytes == "function")
60
+ return Uint8Array.from(L.randomBytes(e));
16
61
  throw new Error("crypto.getRandomValues must be defined");
17
62
  }
18
- class le {
63
+ class Pe {
19
64
  constructor(r) {
20
- b(this, "attempts", /* @__PURE__ */ new Map());
21
- b(this, "config");
65
+ x(this, "attempts", /* @__PURE__ */ new Map());
66
+ x(this, "config");
22
67
  this.config = r;
23
68
  }
24
69
  /**
@@ -56,10 +101,10 @@ class le {
56
101
  this.attempts.clear();
57
102
  }
58
103
  }
59
- function _r(e) {
60
- return new le(e);
104
+ function ut(e) {
105
+ return new Pe(e);
61
106
  }
62
- const fe = {
107
+ const Ne = {
63
108
  "X-Content-Type-Options": "nosniff",
64
109
  "X-Frame-Options": "DENY",
65
110
  "X-XSS-Protection": "1; mode=block",
@@ -68,29 +113,29 @@ const fe = {
68
113
  "Referrer-Policy": "strict-origin-when-cross-origin",
69
114
  "Permissions-Policy": "geolocation=(), microphone=(), camera=()"
70
115
  };
71
- function H(e) {
116
+ function ne(e) {
72
117
  return {
73
- ...fe,
118
+ ...Ne,
74
119
  ...e
75
120
  };
76
121
  }
77
- function Pr(e, r) {
78
- const t = H(r);
122
+ function lt(e, r) {
123
+ const t = ne(r);
79
124
  for (const [n, s] of Object.entries(t))
80
125
  s && e.set(n, s);
81
126
  }
82
- const de = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, he = 254;
83
- function G(e) {
127
+ const Ue = /^[^\s@]+@[^\s@]+\.[^\s@]+$/, De = 254;
128
+ function se(e) {
84
129
  var t;
85
130
  if (typeof e != "string" || !e)
86
131
  return { valid: !1, error: "Email is required" };
87
132
  const r = e.trim().toLowerCase();
88
- return de.test(r) ? r.length > he ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
133
+ return Ue.test(r) ? r.length > De ? { valid: !1, error: "Email is too long" } : r.includes("..") || r.startsWith(".") || r.endsWith(".") ? { valid: !1, error: "Invalid email format" } : (t = r.split("@")[1]) != null && t.includes("..") ? { valid: !1, error: "Invalid email format" } : { valid: !0, sanitized: r } : { valid: !1, error: "Invalid email format" };
89
134
  }
90
- function K(e) {
135
+ function ie(e) {
91
136
  return e.valid === !0 && e.sanitized !== void 0;
92
137
  }
93
- const ge = /* @__PURE__ */ new Set([
138
+ const Fe = /* @__PURE__ */ new Set([
94
139
  "password",
95
140
  "12345678",
96
141
  "qwerty",
@@ -111,83 +156,83 @@ const ge = /* @__PURE__ */ new Set([
111
156
  "test",
112
157
  "guest",
113
158
  "user"
114
- ]), we = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, pe = 8, me = 128;
115
- function Cr(e, r = pe) {
159
+ ]), Le = /012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i, Ve = 8, Me = 128;
160
+ function ft(e, r = Ve) {
116
161
  if (typeof e != "string" || !e)
117
162
  return { valid: !1, error: "Password is required" };
118
163
  if (e.length < r)
119
164
  return { valid: !1, error: `Password must be at least ${r} characters` };
120
- if (e.length > me)
165
+ if (e.length > Me)
121
166
  return { valid: !1, error: "Password is too long" };
122
167
  const t = e.toLowerCase();
123
- if (ge.has(t))
168
+ if (Fe.has(t))
124
169
  return { valid: !1, error: "Password is too common" };
125
170
  if (/(.)\1{3,}/.test(e))
126
171
  return { valid: !1, error: "Password contains too many repeated characters" };
127
- if (we.test(e))
172
+ if (Le.test(e))
128
173
  return { valid: !1, error: "Password contains sequential characters" };
129
- const n = Ee(e);
174
+ const n = je(e);
130
175
  return { valid: !0, sanitized: e, strength: n };
131
176
  }
132
- function Ee(e) {
177
+ function je(e) {
133
178
  let r = 0;
134
179
  return e.length >= 12 ? r += 2 : e.length >= 8 && (r += 1), /[a-z]/.test(e) && (r += 1), /[A-Z]/.test(e) && (r += 1), /[0-9]/.test(e) && (r += 1), /[^a-zA-Z0-9]/.test(e) && (r += 1), r >= 5 ? "strong" : r >= 3 ? "medium" : "weak";
135
180
  }
136
- function Nr(e) {
181
+ function dt(e) {
137
182
  return e.valid === !0 && e.sanitized !== void 0;
138
183
  }
139
- const ye = 100;
140
- function br(e) {
184
+ const ze = 100;
185
+ function ht(e) {
141
186
  if (typeof e != "string" || !e)
142
187
  return { valid: !1, error: "Name is required" };
143
188
  const r = e.trim();
144
189
  if (r.length < 1)
145
190
  return { valid: !1, error: "Name cannot be empty" };
146
- if (r.length > ye)
191
+ if (r.length > ze)
147
192
  return { valid: !1, error: "Name is too long" };
148
193
  const t = r.replace(/[<>"']/g, "");
149
194
  return t.length === 0 ? { valid: !1, error: "Name contains only invalid characters" } : { valid: !0, sanitized: t };
150
195
  }
151
- function Ur(e) {
196
+ function gt(e) {
152
197
  return e.valid === !0 && e.sanitized !== void 0;
153
198
  }
154
- const ke = /* @__PURE__ */ new Set(["http:", "https:"]);
155
- function Fr(e) {
199
+ const Be = /* @__PURE__ */ new Set(["http:", "https:"]);
200
+ function wt(e) {
156
201
  if (typeof e != "string" || !e)
157
202
  return { valid: !1, error: "URL is required" };
158
203
  try {
159
204
  const r = new URL(e);
160
- return ke.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
205
+ return Be.has(r.protocol) ? { valid: !0, sanitized: e } : { valid: !1, error: "URL must use http or https protocol" };
161
206
  } catch {
162
207
  return { valid: !1, error: "Invalid URL format" };
163
208
  }
164
209
  }
165
- function xr(e) {
210
+ function pt(e) {
166
211
  return e.valid === !0 && e.sanitized !== void 0;
167
212
  }
168
- const ve = 16, Se = 512, Ae = /^[A-Za-z0-9_-]+$/;
169
- function Dr(e, r = ve) {
170
- return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > Se ? { valid: !1, error: "Token is too long" } : Ae.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
213
+ const $e = 16, He = 512, qe = /^[A-Za-z0-9_-]+$/;
214
+ function mt(e, r = $e) {
215
+ return typeof e != "string" || !e ? { valid: !1, error: "Token is required" } : e.length < r ? { valid: !1, error: "Token is too short" } : e.length > He ? { valid: !1, error: "Token is too long" } : qe.test(e) ? /(.)\1{10,}/.test(e) ? { valid: !1, error: "Token contains suspicious pattern" } : { valid: !0, sanitized: e } : { valid: !1, error: "Invalid token format" };
171
216
  }
172
- function Lr(e) {
217
+ function Et(e) {
173
218
  return e.valid === !0 && e.sanitized !== void 0;
174
219
  }
175
- const Re = 1e3;
176
- function X(e, r) {
177
- const { maxLength: t = Re, allowHtml: n = !1, required: s = !0 } = r ?? {};
220
+ const We = 1e3;
221
+ function oe(e, r) {
222
+ const { maxLength: t = We, allowHtml: n = !1, required: s = !0 } = r ?? {};
178
223
  if (s && (typeof e != "string" || !e || e.trim().length === 0))
179
224
  return { valid: !1, error: "Input is required" };
180
225
  if (typeof e != "string" || !e)
181
226
  return { valid: !0, sanitized: "" };
182
- let o = e.trim();
183
- return o.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (o = o.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), o = o.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: o });
227
+ let i = e.trim();
228
+ return i.length > t ? { valid: !1, error: `Input must be less than ${t} characters` } : (n || (i = i.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;").replace(/\//g, "&#x2F;")), i = i.replace(/[\x00-\x1F\x7F]/g, ""), { valid: !0, sanitized: i });
184
229
  }
185
- function Mr(e) {
230
+ function yt(e) {
186
231
  return e.valid === !0 && e.sanitized !== void 0;
187
232
  }
188
- class Oe {
233
+ class Ge {
189
234
  constructor() {
190
- b(this, "tokens", /* @__PURE__ */ new Map());
235
+ x(this, "tokens", /* @__PURE__ */ new Map());
191
236
  }
192
237
  get(r) {
193
238
  const t = this.tokens.get(r);
@@ -206,17 +251,17 @@ class Oe {
206
251
  this.tokens.clear();
207
252
  }
208
253
  }
209
- class Te {
254
+ class Ke {
210
255
  constructor(r, t = 32) {
211
- b(this, "store");
212
- b(this, "tokenLength");
213
- this.store = r || new Oe(), this.tokenLength = t;
256
+ x(this, "store");
257
+ x(this, "tokenLength");
258
+ this.store = r || new Ge(), this.tokenLength = t;
214
259
  }
215
260
  /**
216
261
  * Generate CSRF token
217
262
  */
218
263
  generateToken(r, t) {
219
- const n = Y(this.tokenLength);
264
+ const n = ce(this.tokenLength);
220
265
  return this.store.set(r, n, t), n;
221
266
  }
222
267
  /**
@@ -226,7 +271,7 @@ class Te {
226
271
  const n = this.store.get(r);
227
272
  if (!n)
228
273
  return !1;
229
- const s = Q(t, n);
274
+ const s = le(t, n);
230
275
  return s && this.store.delete(r), s;
231
276
  }
232
277
  /**
@@ -242,10 +287,10 @@ class Te {
242
287
  this.store.delete(r);
243
288
  }
244
289
  }
245
- function Vr(e) {
246
- return new Te(e);
290
+ function kt(e) {
291
+ return new Ke(e);
247
292
  }
248
- function Ie(e) {
293
+ function Xe(e) {
249
294
  if (typeof e != "string")
250
295
  return "";
251
296
  const r = {
@@ -257,13 +302,13 @@ function Ie(e) {
257
302
  };
258
303
  return e.replace(/[&<>"']/g, (t) => r[t] || t);
259
304
  }
260
- function jr(e) {
305
+ function vt(e) {
261
306
  return typeof e != "string" ? "" : e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "");
262
307
  }
263
- function zr(e) {
264
- return typeof e != "string" ? "" : Ie(e.trim());
308
+ function St(e) {
309
+ return typeof e != "string" ? "" : Xe(e.trim());
265
310
  }
266
- function $r(e) {
311
+ function At(e) {
267
312
  return typeof e != "string" ? !1 : [
268
313
  /<script/i,
269
314
  /javascript:/i,
@@ -277,17 +322,17 @@ function $r(e) {
277
322
  /vbscript:/i
278
323
  ].some((t) => t.test(e));
279
324
  }
280
- const J = 32;
281
- function Y(e = J) {
325
+ const ae = 32;
326
+ function ce(e = ae) {
282
327
  if (e < 1 || e > 256)
283
328
  throw new Error("Token length must be between 1 and 256 bytes");
284
- const r = ue(e);
329
+ const r = te(e);
285
330
  return Buffer.from(r).toString("base64url");
286
331
  }
287
- function _e() {
288
- return Y(J);
332
+ function ue() {
333
+ return ce(ae);
289
334
  }
290
- function Q(e, r) {
335
+ function le(e, r) {
291
336
  if (typeof e != "string" || typeof r != "string" || !e || !r || e.length !== r.length)
292
337
  return !1;
293
338
  let t = 0;
@@ -295,36 +340,36 @@ function Q(e, r) {
295
340
  t |= e.charCodeAt(n) ^ r.charCodeAt(n);
296
341
  return t === 0;
297
342
  }
298
- function Wr(e, r) {
299
- return Q(e, r);
343
+ function Rt(e, r) {
344
+ return le(e, r);
300
345
  }
301
- function qr(e) {
346
+ function Ot(e) {
302
347
  return typeof e != "string" ? "" : e.trim().replace(/[<>]/g, "");
303
348
  }
304
- const Pe = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
305
- function Br(e) {
306
- return typeof e == "string" && Pe.test(e);
349
+ const Je = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
350
+ function Tt(e) {
351
+ return typeof e == "string" && Je.test(e);
307
352
  }
308
- function Ce(e) {
353
+ function Ye(e) {
309
354
  return !e.success && !!e.error;
310
355
  }
311
- function Hr(e) {
356
+ function _t(e) {
312
357
  return e.requires2FA === !0 || e.errorCode === m.TWO_FA_REQUIRED;
313
358
  }
314
- function Gr(e, r) {
359
+ function bt(e, r) {
315
360
  return e.error ? e.error : r || "Authentication failed";
316
361
  }
317
- function Kr(e) {
362
+ function Ct(e) {
318
363
  return e.errorCode;
319
364
  }
320
- function Xr(e) {
365
+ function It(e) {
321
366
  return e.success === !0 && !!e.user;
322
367
  }
323
- function Jr(e, r) {
368
+ function xt(e, r) {
324
369
  return e.errorCode === r;
325
370
  }
326
- function Yr(e) {
327
- if (!Ce(e)) return !1;
371
+ function Pt(e) {
372
+ if (!Ye(e)) return !1;
328
373
  const r = [
329
374
  m.NETWORK_ERROR,
330
375
  m.RATE_LIMITED,
@@ -332,7 +377,7 @@ function Yr(e) {
332
377
  ];
333
378
  return e.errorCode ? r.includes(e.errorCode) : !1;
334
379
  }
335
- function Qr(e) {
380
+ function Nt(e) {
336
381
  if (e.error) return e.error;
337
382
  switch (e.errorCode) {
338
383
  case m.INVALID_CREDENTIALS:
@@ -360,10 +405,16 @@ function Qr(e) {
360
405
  return "An unexpected error occurred. Please try again.";
361
406
  }
362
407
  }
363
- async function Zr(e, r, t) {
364
- return e.signIn(r, t);
408
+ async function Ut(e, r, t) {
409
+ return r === "credentials" ? !t || !("email" in t) || !("password" in t) ? {
410
+ success: !1,
411
+ error: "Credentials are required"
412
+ } : e.signIn("credentials", t) : r === "otp" ? !t || !("email" in t) ? {
413
+ success: !1,
414
+ error: "Email is required"
415
+ } : e.signIn("otp", t) : r === "passkey" ? e.signIn("passkey", t) : e.signIn(r);
365
416
  }
366
- const Z = {
417
+ const fe = {
367
418
  google: {
368
419
  authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
369
420
  tokenUrl: "https://oauth2.googleapis.com/token",
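Review bot: The new `credentials` and `otp` branches of the sign-in wrapper only test key presence with `"email" in t` and `"password" in t`, so an object such as `{ email: "", password: undefined }` still reaches `e.signIn`. A truthy non-object `t` (for example a string) makes the `in` operator throw a TypeError instead of returning the `{ success: false, error }` result. A type-and-emptiness check such as `typeof t?.email !== "string" || !t.email` (and the same for `password`) would keep the early-return path consistent. The final branch now calls `e.signIn(r)` and drops `t`, where the old code forwarded it with `e.signIn(r, t)`; if any non-credential provider relied on that second argument, this is a silent behaviour change worth documenting. This is bundled output, so the fix belongs in the source of this function.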
@@ -393,36 +444,36 @@ const Z = {
393
444
  defaultScopes: ["email", "public_profile"]
394
445
  }
395
446
  };
396
- function j(e) {
397
- return Z[e] ?? null;
447
+ function K(e) {
448
+ return fe[e] ?? null;
398
449
  }
399
- function et(e) {
400
- return e in Z;
450
+ function Dt(e) {
451
+ return e in fe;
401
452
  }
402
- function Ne(e, r, t, n) {
403
- const s = j(e);
453
+ function de(e, r, t, n) {
454
+ const s = K(e);
404
455
  if (!s)
405
456
  throw new Error(`Unknown OAuth provider: ${e}`);
406
457
  if (!r.clientId)
407
458
  throw new Error(`OAuth provider "${e}" is missing clientId`);
408
- const o = r.redirectUri ?? `${t}/api/auth/callback/${e}`, i = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
459
+ const i = r.redirectUri ?? `${t}/api/auth/callback/${e}`, o = r.scopes ?? s.defaultScopes, a = new URLSearchParams({
409
460
  client_id: r.clientId,
410
- redirect_uri: o,
461
+ redirect_uri: i,
411
462
  response_type: "code",
412
- scope: Array.isArray(i) ? i.join(" ") : String(i),
463
+ scope: Array.isArray(o) ? o.join(" ") : String(o),
413
464
  state: n
414
465
  });
415
466
  if (s.defaultParams)
416
- for (const [u, f] of Object.entries(s.defaultParams))
417
- a.append(u, f);
467
+ for (const [c, u] of Object.entries(s.defaultParams))
468
+ a.append(c, u);
418
469
  if (r.params)
419
- for (const [u, f] of Object.entries(r.params))
420
- a.set(u, f);
470
+ for (const [c, u] of Object.entries(r.params))
471
+ a.set(c, u);
421
472
  return `${s.authorizationUrl}?${a.toString()}`;
422
473
  }
423
- async function be(e, r, t, n) {
424
- const s = j(e);
425
- if (!s)
474
+ async function he(e, r, t, n, s) {
475
+ const i = K(e);
476
+ if (!i)
426
477
  throw new Error(`Unknown OAuth provider: ${e}`);
427
478
  if (!t || typeof t != "string")
428
479
  throw new Error("Authorization code is required");
@@ -434,9 +485,9 @@ async function be(e, r, t, n) {
434
485
  redirect_uri: n,
435
486
  grant_type: "authorization_code"
436
487
  });
437
- r.clientSecret && o.append("client_secret", r.clientSecret);
488
+ s && o.append("code_verifier", s), r.clientSecret && o.append("client_secret", r.clientSecret);
438
489
  try {
439
- const i = await fetch(s.tokenUrl, {
490
+ const a = await fetch(i.tokenUrl, {
440
491
  method: "POST",
441
492
  headers: {
442
493
  "Content-Type": "application/x-www-form-urlencoded",
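Review bot: The added `s && o.append("code_verifier", s)` makes the PKCE verifier optional, so when it is missing (for instance because the stored OAuth state was lost or expired) the token exchange still goes out as a plain authorization-code request instead of failing. If the authorization request was sent with a code challenge, which is not visible in this hunk, the exchange should fail closed when no verifier is available, e.g. `if (pkceExpected && !s) throw new Error("PKCE code verifier is required");`, where `pkceExpected` is a placeholder for however the flow records that a challenge was issued. The function gains its fifth parameter in the previous hunk and its body continues past this one.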
@@ -444,29 +495,29 @@ async function be(e, r, t, n) {
444
495
  },
445
496
  body: o.toString()
446
497
  });
447
- if (!i.ok) {
448
- const u = await i.text();
449
- let f = `Failed to exchange code for tokens: ${u}`;
498
+ if (!a.ok) {
499
+ const u = await a.text();
500
+ let h = `Failed to exchange code for tokens: ${u}`;
450
501
  try {
451
- const g = JSON.parse(u);
452
- f = g.error_description ?? g.error ?? f;
502
+ const f = JSON.parse(u);
503
+ h = f.error_description ?? f.error ?? h;
453
504
  } catch {
454
505
  }
455
- throw new Error(f);
506
+ throw new Error(h);
456
507
  }
457
- const a = await i.json();
458
- if (!Ue(a))
508
+ const c = await a.json();
509
+ if (!Qe(c))
459
510
  throw new Error("Invalid token exchange response format");
460
- return a;
461
- } catch (i) {
462
- throw i instanceof Error ? i : new Error(`OAuth token exchange failed: ${String(i)}`);
511
+ return c;
512
+ } catch (a) {
513
+ throw a instanceof Error ? a : new Error(`OAuth token exchange failed: ${String(a)}`);
463
514
  }
464
515
  }
465
- function Ue(e) {
516
+ function Qe(e) {
466
517
  return typeof e == "object" && e !== null && "access_token" in e && typeof e.access_token == "string";
467
518
  }
468
- async function Fe(e, r) {
469
- const t = j(e);
519
+ async function ge(e, r) {
520
+ const t = K(e);
470
521
  if (!t)
471
522
  throw new Error(`Unknown OAuth provider: ${e}`);
472
523
  if (!r || typeof r != "string")
@@ -479,36 +530,36 @@ async function Fe(e, r) {
479
530
  }
480
531
  });
481
532
  if (!n.ok) {
482
- const o = await n.text();
483
- let i = `Failed to fetch user info: ${o}`;
533
+ const i = await n.text();
534
+ let o = `Failed to fetch user info: ${i}`;
484
535
  try {
485
- const a = JSON.parse(o);
486
- i = a.error_description ?? a.error ?? i;
536
+ const a = JSON.parse(i);
537
+ o = a.error_description ?? a.error ?? o;
487
538
  } catch {
488
539
  }
489
- throw new Error(i);
540
+ throw new Error(o);
490
541
  }
491
542
  const s = await n.json();
492
- return xe(e, s, r);
543
+ return Ze(e, s, r);
493
544
  } catch (n) {
494
545
  throw n instanceof Error ? n : new Error(`OAuth user info retrieval failed: ${String(n)}`);
495
546
  }
496
547
  }
497
- async function xe(e, r, t) {
548
+ async function Ze(e, r, t) {
498
549
  switch (e) {
499
550
  case "google":
500
- return De(r);
551
+ return er(r);
501
552
  case "github":
502
- return await Le(r, t);
553
+ return await rr(r, t);
503
554
  case "apple":
504
- return Me(r);
555
+ return tr(r);
505
556
  case "facebook":
506
- return Ve(r);
557
+ return nr(r);
507
558
  default:
508
- return je(r);
559
+ return sr(r);
509
560
  }
510
561
  }
511
- function De(e) {
562
+ function er(e) {
512
563
  return {
513
564
  id: String(e.sub ?? e.id ?? ""),
514
565
  email: String(e.email ?? ""),
@@ -518,7 +569,7 @@ function De(e) {
518
569
  rawProfile: e
519
570
  };
520
571
  }
521
- async function Le(e, r) {
572
+ async function rr(e, r) {
522
573
  let t = typeof e.email == "string" ? e.email : void 0, n = { ...e };
523
574
  if (!t)
524
575
  try {
@@ -526,8 +577,8 @@ async function Le(e, r) {
526
577
  headers: { Authorization: `Bearer ${r}` }
527
578
  });
528
579
  if (s.ok) {
529
- const o = await s.json(), i = o.find((a) => a.primary) ?? o[0];
530
- t = (i == null ? void 0 : i.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: o };
580
+ const i = await s.json(), o = i.find((a) => a.primary) ?? i[0];
581
+ t = (o == null ? void 0 : o.email) ?? `${String(e.login ?? "user")}@users.noreply.github.com`, n = { ...e, emails: i };
531
582
  } else
532
583
  t = `${String(e.login ?? "user")}@users.noreply.github.com`;
533
584
  } catch {
@@ -542,7 +593,7 @@ async function Le(e, r) {
542
593
  rawProfile: n
543
594
  };
544
595
  }
545
- function Me(e) {
596
+ function tr(e) {
546
597
  const r = e.name, t = r ? `${r.firstName ?? ""} ${r.lastName ?? ""}`.trim() : "";
547
598
  return {
548
599
  id: String(e.sub ?? ""),
@@ -552,7 +603,7 @@ function Me(e) {
552
603
  rawProfile: e
553
604
  };
554
605
  }
555
- function Ve(e) {
606
+ function nr(e) {
556
607
  var t;
557
608
  const r = e.picture;
558
609
  return {
@@ -564,7 +615,7 @@ function Ve(e) {
564
615
  rawProfile: e
565
616
  };
566
617
  }
567
- function je(e) {
618
+ function sr(e) {
568
619
  return {
569
620
  id: String(e.id ?? e.sub ?? ""),
570
621
  email: String(e.email ?? ""),
@@ -574,59 +625,300 @@ function je(e) {
574
625
  rawProfile: e
575
626
  };
576
627
  }
577
- function rt(e) {
628
+ function Ft(e) {
578
629
  return typeof e == "object" && e !== null && "clientId" in e && typeof e.clientId == "string";
579
630
  }
580
- const ze = "__mulguard_oauth_state", $e = 10 * 60 * 1e3;
581
- function We(e) {
582
- const r = e.cookieName || ze, t = e.ttl || $e, n = process.env.NODE_ENV === "production", s = e.secure ?? n, o = e.sameSite || "strict", i = e.cookieHandler, a = (u) => ({
631
+ function ir(e, r, t, n) {
632
+ if (typeof e.setBigUint64 == "function")
633
+ return e.setBigUint64(r, t, n);
634
+ const s = BigInt(32), i = BigInt(4294967295), o = Number(t >> s & i), a = Number(t & i), c = n ? 4 : 0, u = n ? 0 : 4;
635
+ e.setUint32(r + c, o, n), e.setUint32(r + u, a, n);
636
+ }
637
+ function or(e, r, t) {
638
+ return e & r ^ ~e & t;
639
+ }
640
+ function ar(e, r, t) {
641
+ return e & r ^ e & t ^ r & t;
642
+ }
643
+ class cr extends Ie {
644
+ constructor(r, t, n, s) {
645
+ super(), this.finished = !1, this.length = 0, this.pos = 0, this.destroyed = !1, this.blockLen = r, this.outputLen = t, this.padOffset = n, this.isLE = s, this.buffer = new Uint8Array(r), this.view = H(this.buffer);
646
+ }
647
+ update(r) {
648
+ Q(this), r = re(r), G(r);
649
+ const { view: t, buffer: n, blockLen: s } = this, i = r.length;
650
+ for (let o = 0; o < i; ) {
651
+ const a = Math.min(s - this.pos, i - o);
652
+ if (a === s) {
653
+ const c = H(r);
654
+ for (; s <= i - o; o += s)
655
+ this.process(c, o);
656
+ continue;
657
+ }
658
+ n.set(r.subarray(o, o + a), this.pos), this.pos += a, o += a, this.pos === s && (this.process(t, 0), this.pos = 0);
659
+ }
660
+ return this.length += r.length, this.roundClean(), this;
661
+ }
662
+ digestInto(r) {
663
+ Q(this), be(r, this), this.finished = !0;
664
+ const { buffer: t, view: n, blockLen: s, isLE: i } = this;
665
+ let { pos: o } = this;
666
+ t[o++] = 128, q(this.buffer.subarray(o)), this.padOffset > s - o && (this.process(n, 0), o = 0);
667
+ for (let f = o; f < s; f++)
668
+ t[f] = 0;
669
+ ir(n, s - 8, BigInt(this.length * 8), i), this.process(n, 0);
670
+ const a = H(r), c = this.outputLen;
671
+ if (c % 4)
672
+ throw new Error("_sha2: outputLen should be aligned to 32bit");
673
+ const u = c / 4, h = this.get();
674
+ if (u > h.length)
675
+ throw new Error("_sha2: outputLen bigger than state");
676
+ for (let f = 0; f < u; f++)
677
+ a.setUint32(4 * f, h[f], i);
678
+ }
679
+ digest() {
680
+ const { buffer: r, outputLen: t } = this;
681
+ this.digestInto(r);
682
+ const n = r.slice(0, t);
683
+ return this.destroy(), n;
684
+ }
685
+ _cloneInto(r) {
686
+ r || (r = new this.constructor()), r.set(...this.get());
687
+ const { blockLen: t, buffer: n, length: s, finished: i, destroyed: o, pos: a } = this;
688
+ return r.destroyed = o, r.finished = i, r.length = s, r.pos = a, s % t && r.buffer.set(n), r;
689
+ }
690
+ clone() {
691
+ return this._cloneInto();
692
+ }
693
+ }
694
+ const N = /* @__PURE__ */ Uint32Array.from([
695
+ 1779033703,
696
+ 3144134277,
697
+ 1013904242,
698
+ 2773480762,
699
+ 1359893119,
700
+ 2600822924,
701
+ 528734635,
702
+ 1541459225
703
+ ]), ur = /* @__PURE__ */ Uint32Array.from([
704
+ 1116352408,
705
+ 1899447441,
706
+ 3049323471,
707
+ 3921009573,
708
+ 961987163,
709
+ 1508970993,
710
+ 2453635748,
711
+ 2870763221,
712
+ 3624381080,
713
+ 310598401,
714
+ 607225278,
715
+ 1426881987,
716
+ 1925078388,
717
+ 2162078206,
718
+ 2614888103,
719
+ 3248222580,
720
+ 3835390401,
721
+ 4022224774,
722
+ 264347078,
723
+ 604807628,
724
+ 770255983,
725
+ 1249150122,
726
+ 1555081692,
727
+ 1996064986,
728
+ 2554220882,
729
+ 2821834349,
730
+ 2952996808,
731
+ 3210313671,
732
+ 3336571891,
733
+ 3584528711,
734
+ 113926993,
735
+ 338241895,
736
+ 666307205,
737
+ 773529912,
738
+ 1294757372,
739
+ 1396182291,
740
+ 1695183700,
741
+ 1986661051,
742
+ 2177026350,
743
+ 2456956037,
744
+ 2730485921,
745
+ 2820302411,
746
+ 3259730800,
747
+ 3345764771,
748
+ 3516065817,
749
+ 3600352804,
750
+ 4094571909,
751
+ 275423344,
752
+ 430227734,
753
+ 506948616,
754
+ 659060556,
755
+ 883997877,
756
+ 958139571,
757
+ 1322822218,
758
+ 1537002063,
759
+ 1747873779,
760
+ 1955562222,
761
+ 2024104815,
762
+ 2227730452,
763
+ 2361852424,
764
+ 2428436474,
765
+ 2756734187,
766
+ 3204031479,
767
+ 3329325298
768
+ ]), U = /* @__PURE__ */ new Uint32Array(64);
769
+ class lr extends cr {
770
+ constructor(r = 32) {
771
+ super(64, r, 8, !1), this.A = N[0] | 0, this.B = N[1] | 0, this.C = N[2] | 0, this.D = N[3] | 0, this.E = N[4] | 0, this.F = N[5] | 0, this.G = N[6] | 0, this.H = N[7] | 0;
772
+ }
773
+ get() {
774
+ const { A: r, B: t, C: n, D: s, E: i, F: o, G: a, H: c } = this;
775
+ return [r, t, n, s, i, o, a, c];
776
+ }
777
+ // prettier-ignore
778
+ set(r, t, n, s, i, o, a, c) {
779
+ this.A = r | 0, this.B = t | 0, this.C = n | 0, this.D = s | 0, this.E = i | 0, this.F = o | 0, this.G = a | 0, this.H = c | 0;
780
+ }
781
+ process(r, t) {
782
+ for (let f = 0; f < 16; f++, t += 4)
783
+ U[f] = r.getUint32(t, !1);
784
+ for (let f = 16; f < 64; f++) {
785
+ const y = U[f - 15], E = U[f - 2], v = P(y, 7) ^ P(y, 18) ^ y >>> 3, p = P(E, 17) ^ P(E, 19) ^ E >>> 10;
786
+ U[f] = p + U[f - 7] + v + U[f - 16] | 0;
787
+ }
788
+ let { A: n, B: s, C: i, D: o, E: a, F: c, G: u, H: h } = this;
789
+ for (let f = 0; f < 64; f++) {
790
+ const y = P(a, 6) ^ P(a, 11) ^ P(a, 25), E = h + y + or(a, c, u) + ur[f] + U[f] | 0, p = (P(n, 2) ^ P(n, 13) ^ P(n, 22)) + ar(n, s, i) | 0;
791
+ h = u, u = c, c = a, a = o + E | 0, o = i, i = s, s = n, n = E + p | 0;
792
+ }
793
+ n = n + this.A | 0, s = s + this.B | 0, i = i + this.C | 0, o = o + this.D | 0, a = a + this.E | 0, c = c + this.F | 0, u = u + this.G | 0, h = h + this.H | 0, this.set(n, s, i, o, a, c, u, h);
794
+ }
795
+ roundClean() {
796
+ q(U);
797
+ }
798
+ destroy() {
799
+ this.set(0, 0, 0, 0, 0, 0, 0, 0), q(this.buffer);
800
+ }
801
+ }
802
+ const fr = /* @__PURE__ */ xe(() => new lr()), dr = fr, we = 43;
803
+ function hr(e = we) {
804
+ if (e < 43 || e > 128)
805
+ throw new Error("Code verifier length must be between 43 and 128 characters");
806
+ const r = te(Math.ceil(e * 0.75));
807
+ return Buffer.from(r).toString("base64url").substring(0, e);
808
+ }
809
+ function pe(e) {
810
+ if (!e || e.length < 43 || e.length > 128)
811
+ throw new Error("Invalid code verifier");
812
+ const r = dr(e);
813
+ return Buffer.from(r).toString("base64url");
814
+ }
815
+ function gr(e = we, r = "S256") {
816
+ const t = hr(e), n = r === "S256" ? pe(t) : t;
817
+ return {
818
+ codeVerifier: t,
819
+ codeChallenge: n,
820
+ codeChallengeMethod: r
821
+ };
822
+ }
823
+ function Lt(e, r, t = "S256") {
824
+ if (!e || !r)
825
+ return {
826
+ valid: !1,
827
+ error: "Code verifier and challenge are required"
828
+ };
829
+ let n;
830
+ if (t === "S256")
831
+ try {
832
+ n = pe(e);
833
+ } catch (s) {
834
+ return {
835
+ valid: !1,
836
+ error: s instanceof Error ? s.message : "Failed to generate expected challenge"
837
+ };
838
+ }
839
+ else
840
+ n = e;
841
+ return wr(r, n) ? { valid: !0 } : {
842
+ valid: !1,
843
+ error: "Code challenge verification failed"
844
+ };
845
+ }
846
+ function wr(e, r) {
847
+ if (e.length !== r.length)
848
+ return !1;
849
+ let t = 0;
850
+ for (let n = 0; n < e.length; n++)
851
+ t |= e.charCodeAt(n) ^ r.charCodeAt(n);
852
+ return t === 0;
853
+ }
854
+ class pr {
855
+ constructor() {
856
+ x(this, "storage", /* @__PURE__ */ new Map());
857
+ }
858
+ async set(r, t, n) {
859
+ this.storage.set(r, {
860
+ codeVerifier: t,
861
+ expiresAt: Date.now() + n
862
+ });
863
+ }
864
+ async get(r) {
865
+ const t = this.storage.get(r);
866
+ return t ? t.expiresAt < Date.now() ? (this.storage.delete(r), null) : t.codeVerifier : null;
867
+ }
868
+ async delete(r) {
869
+ this.storage.delete(r);
870
+ }
871
+ }
872
+ const mr = "__mulguard_oauth_state", Er = 10 * 60 * 1e3;
873
+ function yr(e) {
874
+ const r = e.cookieName || mr, t = e.ttl || Er, n = process.env.NODE_ENV === "production", s = e.secure ?? n, i = e.sameSite || "strict", o = e.cookieHandler, a = (c) => ({
583
875
  httpOnly: !0,
584
876
  secure: s,
585
- sameSite: o,
586
- maxAge: Math.floor(u / 1e3),
877
+ sameSite: i,
878
+ maxAge: Math.floor(c / 1e3),
587
879
  // Convert to seconds
588
880
  path: "/"
589
881
  });
590
882
  return {
591
- async set(u, f, g) {
592
- const w = JSON.stringify({
593
- state: u,
594
- provider: f.provider,
595
- expiresAt: f.expiresAt
883
+ async set(c, u, h) {
884
+ const f = JSON.stringify({
885
+ state: c,
886
+ provider: u.provider,
887
+ expiresAt: u.expiresAt
596
888
  });
597
889
  await Promise.resolve(
598
- i.setCookie(r, w, a(t))
890
+ o.setCookie(r, f, a(t))
599
891
  );
600
892
  },
601
- async get(u) {
602
- const f = await Promise.resolve(i.getCookie(r));
603
- if (!f)
893
+ async get(c) {
894
+ const u = await Promise.resolve(o.getCookie(r));
895
+ if (!u)
604
896
  return null;
605
897
  try {
606
- const g = JSON.parse(f);
607
- return g.state !== u ? null : g.expiresAt < Date.now() ? (await Promise.resolve(
608
- i.deleteCookie(r, { path: "/" })
898
+ const h = JSON.parse(u);
899
+ return h.state !== c ? null : h.expiresAt < Date.now() ? (await Promise.resolve(
900
+ o.deleteCookie(r, { path: "/" })
609
901
  ), null) : {
610
- provider: g.provider,
611
- expiresAt: g.expiresAt
902
+ provider: h.provider,
903
+ expiresAt: h.expiresAt
612
904
  };
613
905
  } catch {
614
906
  return await Promise.resolve(
615
- i.deleteCookie(r, { path: "/" })
907
+ o.deleteCookie(r, { path: "/" })
616
908
  ), null;
617
909
  }
618
910
  },
619
- async delete(u) {
620
- await this.get(u) && await Promise.resolve(
621
- i.deleteCookie(r, { path: "/" })
911
+ async delete(c) {
912
+ await this.get(c) && await Promise.resolve(
913
+ o.deleteCookie(r, { path: "/" })
622
914
  );
623
915
  },
624
916
  async cleanup() {
625
917
  }
626
918
  };
627
919
  }
628
- function tt() {
629
- return We({
920
+ function Vt() {
921
+ return yr({
630
922
  cookieHandler: {
631
923
  async getCookie(e) {
632
924
  var r;
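Review bot: The in-memory PKCE store `pr` (new lines 854–871) drops an entry only when `get` finds it expired or `delete` is called, so a verifier written by `initiate` for a flow that never reaches the callback stays in the `Map` indefinitely. `initiate` is presumably reachable before authentication, so the map can grow without bound; the in-memory state store on this page sweeps expired entries on every `set`, and this class should do the same, e.g. `for (const [k, v] of this.storage) v.expiresAt < Date.now() && this.storage.delete(k);` at the top of `set`. A per-process `Map` will also presumably miss the verifier when the callback lands on a different instance, so the default is worth documenting as single-process only.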
@@ -665,45 +957,22 @@ function tt() {
665
957
  }
666
958
  });
667
959
  }
668
- class qe {
669
- constructor() {
670
- b(this, "states", /* @__PURE__ */ new Map());
671
- }
672
- set(r, t, n) {
673
- this.states.set(r, t), this.cleanup();
674
- }
675
- get(r) {
676
- const t = this.states.get(r);
677
- return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
678
- }
679
- delete(r) {
680
- this.states.delete(r);
681
- }
682
- cleanup() {
683
- const r = Date.now();
684
- for (const [t, n] of this.states.entries())
685
- n.expiresAt < r && this.states.delete(t);
686
- }
687
- }
688
- function Be() {
689
- return new qe();
690
- }
691
- function nt(e, r = "mulguard:oauth:state:") {
960
+ function Mt(e, r = "mulguard:oauth:state:") {
692
961
  const t = (s) => `${r}${s}`, n = async (s) => {
693
- const o = t(s);
694
- await e.del(o);
962
+ const i = t(s);
963
+ await e.del(i);
695
964
  };
696
965
  return {
697
- async set(s, o, i) {
698
- const a = t(s), u = JSON.stringify(o);
699
- await e.set(a, u, "EX", Math.floor(i / 1e3));
966
+ async set(s, i, o) {
967
+ const a = t(s), c = JSON.stringify(i);
968
+ await e.set(a, c, "EX", Math.floor(o / 1e3));
700
969
  },
701
970
  async get(s) {
702
- const o = t(s), i = await e.get(o);
703
- if (!i)
971
+ const i = t(s), o = await e.get(i);
972
+ if (!o)
704
973
  return null;
705
974
  try {
706
- const a = JSON.parse(i);
975
+ const a = JSON.parse(o);
707
976
  return a.expiresAt < Date.now() ? (await n(s), null) : a;
708
977
  } catch {
709
978
  return await n(s), null;
@@ -714,14 +983,14 @@ function nt(e, r = "mulguard:oauth:state:") {
714
983
  },
715
984
  async cleanup() {
716
985
  try {
717
- const s = await e.keys(`${r}*`), o = Date.now();
718
- for (const i of s) {
719
- const a = await e.get(i);
986
+ const s = await e.keys(`${r}*`), i = Date.now();
987
+ for (const o of s) {
988
+ const a = await e.get(o);
720
989
  if (a)
721
990
  try {
722
- JSON.parse(a).expiresAt < o && await e.del(i);
991
+ JSON.parse(a).expiresAt < i && await e.del(o);
723
992
  } catch {
724
- await e.del(i);
993
+ await e.del(o);
725
994
  }
726
995
  }
727
996
  } catch (s) {
@@ -730,175 +999,458 @@ function nt(e, r = "mulguard:oauth:state:") {
730
999
  }
731
1000
  };
732
1001
  }
733
- function D(e) {
1002
+ class kr {
1003
+ constructor() {
1004
+ x(this, "states", /* @__PURE__ */ new Map());
1005
+ }
1006
+ set(r, t, n) {
1007
+ this.states.set(r, t), this.cleanup();
1008
+ }
1009
+ get(r) {
1010
+ const t = this.states.get(r);
1011
+ return t ? t.expiresAt < Date.now() ? (this.delete(r), null) : t : null;
1012
+ }
1013
+ delete(r) {
1014
+ this.states.delete(r);
1015
+ }
1016
+ cleanup() {
1017
+ const r = Date.now();
1018
+ for (const [t, n] of this.states.entries())
1019
+ n.expiresAt < r && this.states.delete(t);
1020
+ }
1021
+ }
1022
+ function vr() {
1023
+ return new kr();
1024
+ }
1025
+ class Sr {
1026
+ constructor(r) {
1027
+ x(this, "config");
1028
+ x(this, "pkceStorage");
1029
+ var t, n;
1030
+ this.config = {
1031
+ ...r,
1032
+ pkce: {
1033
+ enabled: ((t = r.pkce) == null ? void 0 : t.enabled) ?? !0,
1034
+ // PKCE enabled by default
1035
+ storage: (n = r.pkce) == null ? void 0 : n.storage
1036
+ },
1037
+ stateStore: r.stateStore,
1038
+ logger: r.logger
1039
+ }, this.pkceStorage = this.config.pkce.enabled ? this.config.pkce.storage || new pr() : null;
1040
+ }
1041
+ /**
1042
+ * Initiates OAuth authentication flow.
1043
+ *
1044
+ * Generates authorization URL with PKCE (if enabled) and CSRF state token.
1045
+ *
1046
+ * @param providerId - OAuth provider identifier
1047
+ * @returns OAuth initiation result with authorization URL and state
1048
+ *
1049
+ * @example
1050
+ * ```typescript
1051
+ * const { url, state, codeVerifier } = await handler.initiate('google')
1052
+ * // Store state and codeVerifier securely
1053
+ * // Redirect user to url
1054
+ * ```
1055
+ */
1056
+ async initiate(r) {
1057
+ const t = this.config.providers[r];
1058
+ if (!t)
1059
+ throw new Error(`OAuth provider "${r}" is not configured`);
1060
+ const n = ue();
1061
+ let s, i;
1062
+ if (this.config.pkce.enabled && this.pkceStorage) {
1063
+ const a = gr();
1064
+ s = a.codeVerifier, i = a.codeChallenge, await this.pkceStorage.set(n, s, 10 * 60 * 1e3);
1065
+ }
1066
+ const o = de(
1067
+ r,
1068
+ {
1069
+ ...t,
1070
+ params: {
1071
+ ...t.params,
1072
+ ...i && {
1073
+ code_challenge: i,
1074
+ code_challenge_method: "S256"
1075
+ }
1076
+ }
1077
+ },
1078
+ this.config.baseUrl,
1079
+ n
1080
+ );
1081
+ return this.config.stateStore && await this.config.stateStore.set(n, {
1082
+ provider: r,
1083
+ expiresAt: Date.now() + 10 * 60 * 1e3
1084
+ // 10 minutes
1085
+ }, 10 * 60 * 1e3), {
1086
+ url: o,
1087
+ state: n,
1088
+ ...s && { codeVerifier: s }
1089
+ };
1090
+ }
1091
+ /**
1092
+ * Handles OAuth callback and completes authentication.
1093
+ *
1094
+ * Validates state token, verifies PKCE (if enabled), exchanges code for tokens,
1095
+ * retrieves user profile, and creates session.
1096
+ *
1097
+ * @template TUser - User type
1098
+ * @template TSession - Session type
1099
+ * @param providerId - OAuth provider identifier
1100
+ * @param code - Authorization code from OAuth callback
1101
+ * @param state - CSRF state token
1102
+ * @param codeVerifier - PKCE code verifier (required if PKCE is enabled)
1103
+ * @param userLookup - Function to lookup/create user from OAuth profile
1104
+ * @param createSession - Function to create session (optional)
1105
+ * @returns Authentication result
1106
+ *
1107
+ * @example
1108
+ * ```typescript
1109
+ * const result = await handler.handleCallback(
1110
+ * 'google',
1111
+ * code,
1112
+ * state,
1113
+ * storedCodeVerifier,
1114
+ * async (userInfo) => {
1115
+ * // Lookup or create user
1116
+ * return await db.user.findOrCreate({ email: userInfo.email })
1117
+ * }
1118
+ * )
1119
+ * ```
1120
+ */
1121
+ async handleCallback(r, t, n, s, i, o) {
1122
+ try {
1123
+ if (!t || !n)
1124
+ return {
1125
+ success: !1,
1126
+ error: "Authorization code and state are required",
1127
+ errorCode: m.VALIDATION_ERROR
1128
+ };
1129
+ if (!await this.validateState(n, r))
1130
+ return {
1131
+ success: !1,
1132
+ error: "Invalid or expired state token",
1133
+ errorCode: m.VALIDATION_ERROR
1134
+ };
1135
+ const c = this.config.providers[r];
1136
+ if (!c)
1137
+ return {
1138
+ success: !1,
1139
+ error: `OAuth provider "${r}" is not configured`,
1140
+ errorCode: m.VALIDATION_ERROR
1141
+ };
1142
+ if (this.config.pkce.enabled && this.pkceStorage) {
1143
+ const p = s || await this.pkceStorage.get(n);
1144
+ if (!p)
1145
+ return {
1146
+ success: !1,
1147
+ error: "PKCE code verifier not found",
1148
+ errorCode: m.VALIDATION_ERROR
1149
+ };
1150
+ s = p;
1151
+ }
1152
+ const u = c.redirectUri || `${this.config.baseUrl}/api/auth/callback/${r}`;
1153
+ let h;
1154
+ try {
1155
+ h = await he(r, c, t, u, s);
1156
+ } catch (p) {
1157
+ return this.config.logger && this.config.logger.error("OAuth token exchange failed", p), {
1158
+ success: !1,
1159
+ error: p instanceof Error ? p.message : "Token exchange failed",
1160
+ errorCode: m.NETWORK_ERROR
1161
+ };
1162
+ }
1163
+ let f;
1164
+ try {
1165
+ f = await ge(r, h.access_token);
1166
+ } catch (p) {
1167
+ return this.config.logger && this.config.logger.error("OAuth user profile retrieval failed", p), {
1168
+ success: !1,
1169
+ error: "Failed to retrieve user profile",
1170
+ errorCode: m.NETWORK_ERROR
1171
+ };
1172
+ }
1173
+ const y = {
1174
+ id: f.id,
1175
+ email: f.email,
1176
+ name: f.name,
1177
+ avatar: f.avatar,
1178
+ emailVerified: f.emailVerified,
1179
+ provider: r,
1180
+ accessToken: h.access_token,
1181
+ refreshToken: h.refresh_token,
1182
+ tokens: h,
1183
+ rawProfile: f.rawProfile
1184
+ };
1185
+ let E;
1186
+ i ? E = await i(y) : E = {
1187
+ id: y.id,
1188
+ email: y.email,
1189
+ name: y.name,
1190
+ avatar: y.avatar,
1191
+ emailVerified: y.emailVerified
1192
+ };
1193
+ const v = o ? await o(E, y) : {
1194
+ user: E,
1195
+ expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3),
1196
+ // 7 days
1197
+ accessToken: h.access_token,
1198
+ refreshToken: h.refresh_token,
1199
+ tokenType: h.token_type || "Bearer",
1200
+ expiresIn: h.expires_in
1201
+ };
1202
+ return this.config.pkce.enabled && this.pkceStorage && await this.pkceStorage.delete(n), {
1203
+ success: !0,
1204
+ user: E,
1205
+ session: v
1206
+ };
1207
+ } catch (a) {
1208
+ return this.config.logger && this.config.logger.error("OAuth callback error", a), {
1209
+ success: !1,
1210
+ error: a instanceof Error ? a.message : "OAuth callback failed",
1211
+ errorCode: m.UNKNOWN_ERROR
1212
+ };
1213
+ }
1214
+ }
1215
+ // ============================================================================
1216
+ // State Validation
1217
+ // ============================================================================
1218
+ /**
1219
+ * Validates OAuth state token.
1220
+ *
1221
+ * @param state - State token
1222
+ * @param providerId - Provider identifier
1223
+ * @returns True if state is valid
1224
+ */
1225
+ async validateState(r, t) {
1226
+ if (this.config.stateStore) {
1227
+ const n = await this.config.stateStore.get(r);
1228
+ return n ? n.expiresAt < Date.now() ? (await this.config.stateStore.delete(r), !1) : n.provider !== t ? !1 : (await this.config.stateStore.delete(r), !0) : !1;
1229
+ }
1230
+ return !0;
1231
+ }
1232
+ }
1233
+ function jt(e) {
1234
+ return new Sr(e);
1235
+ }
1236
+ function M(e) {
734
1237
  return e.success === !0 && e.user !== void 0 && e.session !== void 0;
735
1238
  }
736
- var ee = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(ee || {});
737
- const He = process.env.NODE_ENV === "development" ? 0 : 1;
738
- function Ge(e = {}) {
1239
+ var V = /* @__PURE__ */ ((e) => (e[e.DEBUG = 0] = "DEBUG", e[e.INFO = 1] = "INFO", e[e.WARN = 2] = "WARN", e[e.ERROR = 3] = "ERROR", e))(V || {});
1240
+ const Ar = process.env.NODE_ENV === "development" ? 0 : 1;
1241
+ function me(e = {}) {
739
1242
  const {
740
1243
  enabled: r = process.env.NODE_ENV === "development",
741
- level: t = He,
1244
+ level: t = Ar,
742
1245
  context: n,
743
- formatter: s = Ke
744
- } = e, o = (a) => r && a >= t, i = (a, u, f, g) => ({
1246
+ formatter: s = Rr
1247
+ } = e, i = (a) => r && a >= t, o = (a, c, u, h) => ({
745
1248
  level: a,
746
- message: u,
1249
+ message: c,
747
1250
  timestamp: /* @__PURE__ */ new Date(),
748
1251
  context: n,
749
- data: f ? Xe(f) : void 0,
750
- error: g
1252
+ data: u ? Or(u) : void 0,
1253
+ error: h
751
1254
  });
752
1255
  return {
753
- debug: (a, u) => {
754
- if (o(
1256
+ debug: (a, c) => {
1257
+ if (i(
755
1258
  0
756
1259
  /* DEBUG */
757
1260
  )) {
758
- const f = i(0, a, u);
759
- console.debug(s(f));
1261
+ const u = o(0, a, c);
1262
+ console.debug(s(u));
760
1263
  }
761
1264
  },
762
- info: (a, u) => {
763
- if (o(
1265
+ info: (a, c) => {
1266
+ if (i(
764
1267
  1
765
1268
  /* INFO */
766
1269
  )) {
767
- const f = i(1, a, u);
768
- console.info(s(f));
1270
+ const u = o(1, a, c);
1271
+ console.info(s(u));
769
1272
  }
770
1273
  },
771
- warn: (a, u) => {
772
- if (o(
1274
+ warn: (a, c) => {
1275
+ if (i(
773
1276
  2
774
1277
  /* WARN */
775
1278
  )) {
776
- const f = i(2, a, u);
777
- console.warn(s(f));
1279
+ const u = o(2, a, c);
1280
+ console.warn(s(u));
778
1281
  }
779
1282
  },
780
- error: (a, u) => {
781
- if (o(
1283
+ error: (a, c) => {
1284
+ if (i(
782
1285
  3
783
1286
  /* ERROR */
784
1287
  )) {
785
- const f = u instanceof Error ? u : void 0, g = u instanceof Error ? void 0 : u, w = i(3, a, g, f);
786
- console.error(s(w)), f && console.error(f);
1288
+ const u = c instanceof Error ? c : void 0, h = c instanceof Error ? void 0 : c, f = o(3, a, h, u);
1289
+ console.error(s(f)), u && console.error(u);
787
1290
  }
788
1291
  }
789
1292
  };
790
1293
  }
791
- function Ke(e) {
792
- const r = e.timestamp.toISOString(), t = ee[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
1294
+ function Rr(e) {
1295
+ const r = e.timestamp.toISOString(), t = V[e.level], n = e.context ? `[${e.context}]` : "", s = e.data ? ` ${JSON.stringify(e.data)}` : "";
793
1296
  return `${r} [${t}]${n} ${e.message}${s}`;
794
1297
  }
795
- function Xe(e) {
1298
+ function Or(e) {
796
1299
  const r = /* @__PURE__ */ new Set(["password", "token", "secret", "key", "accessToken", "refreshToken"]), t = {};
797
1300
  for (const [n, s] of Object.entries(e))
798
1301
  if (r.has(n.toLowerCase()))
799
1302
  t[n] = "***REDACTED***";
800
1303
  else if (typeof s == "string" && n.toLowerCase().includes("email")) {
801
- const o = s.split("@");
802
- if (o.length === 2 && o[0]) {
803
- const i = o[0].substring(0, 3) + "***@" + o[1];
804
- t[n] = i;
1304
+ const i = s.split("@");
1305
+ if (i.length === 2 && i[0]) {
1306
+ const o = i[0].substring(0, 3) + "***@" + i[1];
1307
+ t[n] = o;
805
1308
  } else
806
1309
  t[n] = s;
807
1310
  } else
808
1311
  t[n] = s;
809
1312
  return t;
810
1313
  }
811
- const I = Ge();
812
- function Je(e, r, t, n = {}) {
1314
+ me();
1315
+ function Ee(e = {}) {
1316
+ return me(e);
1317
+ }
1318
+ function Tr(e = {}) {
1319
+ try {
1320
+ const r = require("pino"), t = {
1321
+ level: e.level !== void 0 ? V[e.level].toLowerCase() : "info",
1322
+ base: e.context ? { context: e.context } : void 0,
1323
+ timestamp: !0
1324
+ }, n = r(t);
1325
+ return {
1326
+ debug: (s, i) => {
1327
+ n.debug(i || {}, s);
1328
+ },
1329
+ info: (s, i) => {
1330
+ n.info(i || {}, s);
1331
+ },
1332
+ warn: (s, i) => {
1333
+ n.warn(i || {}, s);
1334
+ },
1335
+ error: (s, i) => {
1336
+ i instanceof Error ? n.error({ err: i }, s) : n.error(i || {}, s);
1337
+ }
1338
+ };
1339
+ } catch {
1340
+ return Ee(e);
1341
+ }
1342
+ }
1343
+ function _r(e = {}) {
1344
+ const { adapter: r = "console", ...t } = e;
1345
+ let n;
1346
+ if (typeof r == "string")
1347
+ switch (r) {
1348
+ case "pino":
1349
+ n = Tr(t);
1350
+ break;
1351
+ case "console":
1352
+ default:
1353
+ n = Ee(t);
1354
+ break;
1355
+ }
1356
+ else
1357
+ n = r;
1358
+ return n;
1359
+ }
1360
+ const _ = _r({
1361
+ adapter: process.env.MULGUARD_LOGGER_ADAPTER || "console",
1362
+ level: process.env.NODE_ENV === "production" ? V.WARN : V.DEBUG
1363
+ });
1364
+ function br(e, r, t, n = {}) {
813
1365
  const {
814
1366
  enabled: s = !0,
815
- maxRetries: o = 1,
816
- retryDelay: i = 1e3,
1367
+ maxRetries: i = 1,
1368
+ retryDelay: o = 1e3,
817
1369
  rateLimit: a = 3,
818
- autoSignOutOnFailure: u = !0,
819
- redirectToLogin: f = "/login",
820
- autoRedirectOnFailure: g = !0
1370
+ autoSignOutOnFailure: c = !0,
1371
+ redirectToLogin: u = "/login",
1372
+ autoRedirectOnFailure: h = !0
821
1373
  } = n;
822
- let w = null, R = !1;
823
- const A = [], S = [], y = 60 * 1e3;
824
- let h = 0, T = !1, _ = null;
825
- const L = 2, M = 60 * 1e3;
826
- function c() {
827
- const k = Date.now();
828
- if (T && _) {
829
- if (k < _)
1374
+ let f = null, y = !1;
1375
+ const E = [], v = [], p = 60 * 1e3;
1376
+ let w = 0, T = !1, b = null;
1377
+ const j = 2, z = 60 * 1e3;
1378
+ function l() {
1379
+ const S = Date.now();
1380
+ if (T && b) {
1381
+ if (S < b)
830
1382
  return !1;
831
- T = !1, _ = null, h = 0;
1383
+ T = !1, b = null, w = 0;
832
1384
  }
833
- for (; S.length > 0; ) {
834
- const p = S[0];
835
- if (p !== void 0 && p < k - y)
836
- S.shift();
1385
+ for (; v.length > 0; ) {
1386
+ const k = v[0];
1387
+ if (k !== void 0 && k < S - p)
1388
+ v.shift();
837
1389
  else
838
1390
  break;
839
1391
  }
840
- return S.length >= a ? !1 : (S.push(k), !0);
841
- }
842
- function l() {
843
- h++, h >= L && (T = !0, _ = Date.now() + M, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
1392
+ return v.length >= a ? !1 : (v.push(S), !0);
844
1393
  }
845
1394
  function d() {
846
- h = 0, T = !1, _ = null;
1395
+ w++, w >= j && (T = !0, b = Date.now() + z, process.env.NODE_ENV === "development" && console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"));
1396
+ }
1397
+ function g() {
1398
+ w = 0, T = !1, b = null;
847
1399
  }
848
- async function v(k = 1) {
1400
+ async function R(S = 1) {
849
1401
  if (!s)
850
1402
  return null;
851
- if (!c())
1403
+ if (!l())
852
1404
  throw new Error("Rate limit exceeded for token refresh");
853
1405
  try {
854
- const p = await e();
855
- if (p)
856
- return d(), P(p), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(p)), p;
857
- if (l(), k < o)
858
- return await $(i * k), v(k + 1);
1406
+ const k = await e();
1407
+ if (k)
1408
+ return g(), C(k), n.onTokenRefreshed && await Promise.resolve(n.onTokenRefreshed(k)), k;
1409
+ if (d(), S < i)
1410
+ return await J(o * S), R(S + 1);
859
1411
  throw new Error("Token refresh failed: refresh function returned null");
860
- } catch (p) {
861
- if (l(), k < o && C(p))
862
- return await $(i * k), v(k + 1);
863
- throw p;
1412
+ } catch (k) {
1413
+ if (d(), S < i && I(k))
1414
+ return await J(o * S), R(S + 1);
1415
+ throw k;
864
1416
  }
865
1417
  }
866
- function C(k) {
867
- if (k instanceof Error) {
868
- const p = k.message.toLowerCase();
869
- if (p.includes("rate limit") || p.includes("too many requests") || p.includes("429") || p.includes("limit:") || p.includes("requests per minute") || p.includes("token_blacklisted") || p.includes("blacklisted") || p.includes("invalid") || p.includes("401") || p.includes("unauthorized") || p.includes("session has been revoked") || p.includes("session expired"))
1418
+ function I(S) {
1419
+ if (S instanceof Error) {
1420
+ const k = S.message.toLowerCase();
1421
+ if (k.includes("rate limit") || k.includes("too many requests") || k.includes("429") || k.includes("limit:") || k.includes("requests per minute") || k.includes("token_blacklisted") || k.includes("blacklisted") || k.includes("invalid") || k.includes("401") || k.includes("unauthorized") || k.includes("session has been revoked") || k.includes("session expired"))
870
1422
  return !1;
871
- if (p.includes("network") || p.includes("fetch") || p.includes("timeout"))
1423
+ if (k.includes("network") || k.includes("fetch") || k.includes("timeout"))
872
1424
  return !0;
873
1425
  }
874
1426
  return !1;
875
1427
  }
876
- function P(k) {
877
- const p = [...A];
878
- A.length = 0;
879
- for (const { resolve: N } of p)
880
- N(k);
1428
+ function C(S) {
1429
+ const k = [...E];
1430
+ E.length = 0;
1431
+ for (const { resolve: D } of k)
1432
+ D(S);
881
1433
  }
882
- function z(k) {
883
- const p = [...A];
884
- A.length = 0;
885
- for (const { reject: N } of p)
886
- N(k);
1434
+ function X(S) {
1435
+ const k = [...E];
1436
+ E.length = 0;
1437
+ for (const { reject: D } of k)
1438
+ D(S);
887
1439
  }
888
- function $(k) {
889
- return new Promise((p) => setTimeout(p, k));
1440
+ function J(S) {
1441
+ return new Promise((k) => setTimeout(k, S));
890
1442
  }
891
- async function W(k) {
1443
+ async function Y(S) {
892
1444
  try {
893
- if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(k)), u && (await t(), await r(), g && typeof window < "u")) {
894
- let p = !0;
895
- if (n.onBeforeRedirect && (p = await Promise.resolve(n.onBeforeRedirect(k))), p) {
896
- const N = new URL(f, window.location.origin);
897
- N.searchParams.set("reason", "session_expired"), N.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = N.toString();
1445
+ if (n.onTokenRefreshFailed && await Promise.resolve(n.onTokenRefreshFailed(S)), c && (await t(), await r(), h && typeof window < "u")) {
1446
+ let k = !0;
1447
+ if (n.onBeforeRedirect && (k = await Promise.resolve(n.onBeforeRedirect(S))), k) {
1448
+ const D = new URL(u, window.location.origin);
1449
+ D.searchParams.set("reason", "session_expired"), D.searchParams.set("redirect", window.location.pathname + window.location.search), window.location.href = D.toString();
898
1450
  }
899
1451
  }
900
- } catch (p) {
901
- process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", p);
1452
+ } catch (k) {
1453
+ process.env.NODE_ENV === "development" && console.error("[TokenRefreshManager] Error in handleRefreshFailure:", k);
902
1454
  }
903
1455
  }
904
1456
  return {
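Review bot: `validateState` (new lines 1225–1231) ends with `return !0` when `config.stateStore` is unset, and the constructor copies `r.stateStore` without a default, so `handleCallback` accepts any non-empty `state` in that configuration. When the caller also passes `codeVerifier` explicitly, as the JSDoc example does, the `pkceStorage.get(n)` lookup is skipped as well, and nothing ties the callback to the flow that `initiate` started. Fail closed instead: either default the store in the constructor, `stateStore: r.stateStore ?? vr()`, or change the fallthrough to `return !1`. Also in this hunk, the pino adapter `Tr` passes the data object to pino as-is, whereas the console logger runs it through `Or` first, so fields masked on the console path would be logged in clear with `adapter: "pino"`.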
@@ -906,40 +1458,40 @@ function Je(e, r, t, n = {}) {
906
1458
  * Refresh token with single refresh queue
907
1459
  */
908
1460
  async refreshToken() {
909
- return s ? w || (R = !0, w = v().then((k) => (R = !1, w = null, k)).catch((k) => {
910
- throw R = !1, w = null, z(k), W(k).catch(() => {
911
- }), k;
912
- }), w) : null;
1461
+ return s ? f || (y = !0, f = R().then((S) => (y = !1, f = null, S)).catch((S) => {
1462
+ throw y = !1, f = null, X(S), Y(S).catch(() => {
1463
+ }), S;
1464
+ }), f) : null;
913
1465
  },
914
1466
  /**
915
1467
  * Check if refresh is in progress
916
1468
  */
917
1469
  isRefreshing() {
918
- return R;
1470
+ return y;
919
1471
  },
920
1472
  /**
921
1473
  * Wait for current refresh to complete
922
1474
  */
923
1475
  async waitForRefresh() {
924
- return w ? new Promise((k, p) => {
925
- A.push({ resolve: k, reject: p });
1476
+ return f ? new Promise((S, k) => {
1477
+ E.push({ resolve: S, reject: k });
926
1478
  }) : null;
927
1479
  },
928
1480
  /**
929
1481
  * Clear state
930
1482
  */
931
1483
  clear() {
932
- w = null, R = !1, S.length = 0, d(), z(new Error("Token refresh manager cleared"));
1484
+ f = null, y = !1, v.length = 0, g(), X(new Error("Token refresh manager cleared"));
933
1485
  },
934
1486
  /**
935
1487
  * Handle token refresh failure
936
1488
  */
937
- async handleRefreshFailure(k) {
938
- return W(k);
1489
+ async handleRefreshFailure(S) {
1490
+ return Y(S);
939
1491
  }
940
1492
  };
941
1493
  }
942
- function Ye() {
1494
+ function Cr() {
943
1495
  const e = process.env.NODE_ENV === "production";
944
1496
  return {
945
1497
  cookieName: "__mulguard_session",
@@ -952,7 +1504,7 @@ function Ye() {
952
1504
  path: "/"
953
1505
  };
954
1506
  }
955
- function Qe() {
1507
+ function Ir() {
956
1508
  return {
957
1509
  enabled: !0,
958
1510
  refreshThreshold: 300,
@@ -967,90 +1519,90 @@ function Qe() {
967
1519
  autoRedirectOnFailure: !0
968
1520
  };
969
1521
  }
970
- function Ze() {
1522
+ function xr() {
971
1523
  return process.env.NEXT_PUBLIC_URL ?? (process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : "http://localhost:3000");
972
1524
  }
973
- function er(e) {
974
- const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: o } = e, i = r.cookieName ?? "__mulguard_session";
1525
+ function Pr(e) {
1526
+ const { sessionConfig: r, cacheTtl: t, getSessionAction: n, onSessionExpired: s, onError: i } = e, o = r.cookieName ?? "__mulguard_session";
975
1527
  let a = null;
976
- const u = async () => {
977
- const y = Date.now();
978
- if (a && y - a.timestamp < t)
1528
+ const c = async () => {
1529
+ const p = Date.now();
1530
+ if (a && p - a.timestamp < t)
979
1531
  return a.session;
980
1532
  if (n)
981
1533
  try {
982
- const h = await n();
983
- if (h && U(h))
984
- return a = { session: h, timestamp: y }, h;
985
- h && !U(h) && (await g(), a = null);
986
- } catch (h) {
987
- I.debug("getSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "getSession"), a = null;
1534
+ const w = await n();
1535
+ if (w && F(w))
1536
+ return a = { session: w, timestamp: p }, w;
1537
+ w && !F(w) && (await h(), a = null);
1538
+ } catch (w) {
1539
+ _.debug("getSession error", { error: w }), i && await i(w instanceof Error ? w : new Error(String(w)), "getSession"), a = null;
988
1540
  }
989
1541
  try {
990
- const h = await ce(i);
991
- if (h)
1542
+ const w = await Te(o);
1543
+ if (w)
992
1544
  try {
993
- const T = JSON.parse(h);
994
- if (U(T))
995
- return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await g(), a = null, null) : (a = { session: T, timestamp: y }, T);
996
- await g(), a = null;
1545
+ const T = JSON.parse(w);
1546
+ if (F(T))
1547
+ return T.expiresAt && new Date(T.expiresAt) < /* @__PURE__ */ new Date() ? (s && await s(T), await h(), a = null, null) : (a = { session: T, timestamp: p }, T);
1548
+ await h(), a = null;
997
1549
  } catch {
998
- await g(), a = null;
1550
+ await h(), a = null;
999
1551
  }
1000
- } catch (h) {
1001
- const T = h instanceof Error ? h.message : String(h);
1002
- !T.includes("request scope") && !T.includes("cookies") && (I.warn("getSession cookie error", { error: h }), o && await o(
1003
- h instanceof Error ? h : new Error(String(h)),
1552
+ } catch (w) {
1553
+ const T = w instanceof Error ? w.message : String(w);
1554
+ !T.includes("request scope") && !T.includes("cookies") && (_.warn("getSession cookie error", { error: w }), i && await i(
1555
+ w instanceof Error ? w : new Error(String(w)),
1004
1556
  "getSession.cookie"
1005
1557
  ));
1006
1558
  }
1007
1559
  return null;
1008
- }, f = async (y) => {
1009
- if (!U(y))
1560
+ }, u = async (p) => {
1561
+ if (!F(p))
1010
1562
  return {
1011
1563
  success: !1,
1012
1564
  error: "Invalid session structure"
1013
1565
  };
1014
1566
  try {
1015
- const h = typeof y == "object" && "token" in y ? String(y.token) : JSON.stringify(y), T = ie(i, h, r), _ = await ae(T);
1016
- return _.success && (a = { session: y, timestamp: Date.now() }), _;
1017
- } catch (h) {
1018
- const T = h instanceof Error ? h.message : "Failed to set session";
1019
- return I.error("setSession error", { error: h }), o && await o(h instanceof Error ? h : new Error(String(h)), "setSession"), {
1567
+ const w = typeof p == "object" && "token" in p ? String(p.token) : JSON.stringify(p), T = Re(o, w, r), b = await Oe(T);
1568
+ return b.success && (a = { session: p, timestamp: Date.now() }), b;
1569
+ } catch (w) {
1570
+ const T = w instanceof Error ? w.message : "Failed to set session";
1571
+ return _.error("setSession error", { error: w }), i && await i(w instanceof Error ? w : new Error(String(w)), "setSession"), {
1020
1572
  success: !1,
1021
1573
  error: T
1022
1574
  };
1023
1575
  }
1024
- }, g = async () => {
1576
+ }, h = async () => {
1025
1577
  try {
1026
- await oe(i, {
1578
+ await Ae(o, {
1027
1579
  path: r.path,
1028
1580
  domain: r.domain
1029
1581
  }), a = null;
1030
- } catch (y) {
1031
- I.warn("clearSessionCookie error", { error: y });
1582
+ } catch (p) {
1583
+ _.warn("clearSessionCookie error", { error: p });
1032
1584
  }
1033
- }, w = async () => {
1034
- const y = await u();
1035
- return y != null && y.accessToken && typeof y.accessToken == "string" ? y.accessToken : null;
1585
+ }, f = async () => {
1586
+ const p = await c();
1587
+ return p != null && p.accessToken && typeof p.accessToken == "string" ? p.accessToken : null;
1036
1588
  };
1037
1589
  return {
1038
- getSession: u,
1039
- setSession: f,
1040
- clearSessionCookie: g,
1041
- getAccessToken: w,
1590
+ getSession: c,
1591
+ setSession: u,
1592
+ clearSessionCookie: h,
1593
+ getAccessToken: f,
1042
1594
  getRefreshToken: async () => {
1043
- const y = await u();
1044
- return y != null && y.refreshToken && typeof y.refreshToken == "string" ? y.refreshToken : null;
1595
+ const p = await c();
1596
+ return p != null && p.refreshToken && typeof p.refreshToken == "string" ? p.refreshToken : null;
1045
1597
  },
1046
- hasValidTokens: async () => !!await w(),
1598
+ hasValidTokens: async () => !!await f(),
1047
1599
  clearCache: () => {
1048
1600
  a = null;
1049
1601
  },
1050
- getSessionConfig: () => ({ cookieName: i, config: r })
1602
+ getSessionConfig: () => ({ cookieName: o, config: r })
1051
1603
  };
1052
1604
  }
1053
- function rr(e) {
1605
+ function Nr(e) {
1054
1606
  return async (r) => {
1055
1607
  try {
1056
1608
  if (!r || typeof r != "object")
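Review bot: In the session store factory `Pr`, `getSession` accepts whatever `JSON.parse(w)` yields from the cookie once `F(T)` passes, and it reads `expiresAt` from that same client-held value. Unless `Te`/`Re` (defined outside this hunk) sign or encrypt the cookie, the user fields and the expiry are editable by the client. `setSession` also writes `JSON.stringify(p)` when the session has no `token`, which puts any `accessToken`/`refreshToken` it carries into the cookie as readable JSON. I would add a comment at the parse, `// cookie is client-controlled: value must be integrity-checked before this parse`, and confirm the helper does that. Separately, the `String(p.token)` branch writes a bare token that will normally fail `JSON.parse` on the read path, where the bare `catch` then clears the cookie.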
@@ -1065,8 +1617,8 @@ function rr(e) {
1065
1617
  error: "Email is required",
1066
1618
  errorCode: m.VALIDATION_ERROR
1067
1619
  };
1068
- const t = G(r.email);
1069
- if (!K(t))
1620
+ const t = se(r.email);
1621
+ if (!ie(t))
1070
1622
  return {
1071
1623
  success: !1,
1072
1624
  error: t.error ?? "Invalid email format",
@@ -1089,19 +1641,19 @@ function rr(e) {
1089
1641
  password: r.password
1090
1642
  // Don't sanitize password (needed for hashing)
1091
1643
  }, s = await e.actions.signIn.email(n);
1092
- if (D(s)) {
1093
- const o = await e.saveSessionAfterAuth(s);
1094
- !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
1644
+ if (M(s)) {
1645
+ const i = await e.saveSessionAfterAuth(s);
1646
+ !i.success && i.warning && _.warn("Session save warning", { warning: i.warning });
1095
1647
  }
1096
- return s.success ? I.info("Sign in successful", {
1648
+ return s.success ? _.info("Sign in successful", {
1097
1649
  email: n.email.substring(0, 3) + "***"
1098
- }) : I.warn("Sign in failed", {
1650
+ }) : _.warn("Sign in failed", {
1099
1651
  email: n.email.substring(0, 3) + "***",
1100
1652
  errorCode: s.errorCode
1101
1653
  }), s;
1102
1654
  } catch (t) {
1103
1655
  const n = t instanceof Error ? t.message : "Sign in failed";
1104
- return I.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
1656
+ return _.error("Sign in error", { error: n, context: "signIn.email" }), e.onError && await e.onError(
1105
1657
  t instanceof Error ? t : new Error(String(t)),
1106
1658
  "signIn.email"
1107
1659
  ), {
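Review bot: The log mask `n.email.substring(0, 3) + "***"` in both the success and failure branches keeps the first three characters whatever the address length, so a short local part (constructed example: `ab@x.io`) is logged in full, including the `@`. Masking relative to the local part would avoid that, for instance `email: n.email.replace(/^(.)[^@]*/, "$1***")`, or the log could carry a non-reversible identifier instead. The same mask is used on `n.sanitized` in the OTP handler in the `@@ -1161,17` hunk. The sign-in function `Nr` starts before this hunk and continues after it.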
@@ -1112,11 +1664,11 @@ function rr(e) {
1112
1664
  }
1113
1665
  };
1114
1666
  }
1115
- function tr(e, r) {
1667
+ function Ur(e, r) {
1116
1668
  return async (t) => {
1117
1669
  if (!t || typeof t != "string")
1118
1670
  throw new Error("Provider is required");
1119
- const n = X(t, {
1671
+ const n = oe(t, {
1120
1672
  maxLength: 50,
1121
1673
  allowHtml: !1,
1122
1674
  required: !0
@@ -1128,11 +1680,11 @@ function tr(e, r) {
1128
1680
  throw new Error(
1129
1681
  "OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config."
1130
1682
  );
1131
- const o = await e.actions.signIn.oauth(s);
1132
- return await r(o.state, s), I.info("OAuth sign in initiated", { provider: s }), o;
1683
+ const i = await e.actions.signIn.oauth(s);
1684
+ return await r(i.state, s), _.info("OAuth sign in initiated", { provider: s }), i;
1133
1685
  };
1134
1686
  }
1135
- function nr(e) {
1687
+ function Dr(e) {
1136
1688
  return async (r, t) => {
1137
1689
  if (!r || typeof r != "string")
1138
1690
  return {
@@ -1140,8 +1692,8 @@ function nr(e) {
1140
1692
  error: "Email is required",
1141
1693
  errorCode: m.VALIDATION_ERROR
1142
1694
  };
1143
- const n = G(r);
1144
- if (!K(n))
1695
+ const n = se(r);
1696
+ if (!ie(n))
1145
1697
  return {
1146
1698
  success: !1,
1147
1699
  error: n.error ?? "Invalid email format",
@@ -1161,17 +1713,17 @@ function nr(e) {
1161
1713
  };
1162
1714
  try {
1163
1715
  const s = await e.actions.signIn.otp(n.sanitized, t);
1164
- if (D(s)) {
1165
- const o = await e.saveSessionAfterAuth(s);
1166
- !o.success && o.warning && I.warn("Session save warning", { warning: o.warning });
1716
+ if (M(s)) {
1717
+ const i = await e.saveSessionAfterAuth(s);
1718
+ !i.success && i.warning && _.warn("Session save warning", { warning: i.warning });
1167
1719
  }
1168
- return s.success ? I.info("OTP sign in successful", {
1720
+ return s.success ? _.info("OTP sign in successful", {
1169
1721
  email: n.sanitized.substring(0, 3) + "***"
1170
- }) : I.warn("OTP sign in failed", {
1722
+ }) : _.warn("OTP sign in failed", {
1171
1723
  email: n.sanitized.substring(0, 3) + "***"
1172
1724
  }), s;
1173
1725
  } catch (s) {
1174
- return I.error("OTP sign in error", {
1726
+ return _.error("OTP sign in error", {
1175
1727
  error: s instanceof Error ? s.message : "Unknown error",
1176
1728
  context: "signIn.otp"
1177
1729
  }), e.onError && await e.onError(
@@ -1185,15 +1737,15 @@ function nr(e) {
1185
1737
  }
1186
1738
  };
1187
1739
  }
1188
- function sr(e) {
1740
+ function Fr(e) {
1189
1741
  return async (r) => {
1190
1742
  if (!e.actions.signIn.passkey)
1191
1743
  throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");
1192
1744
  try {
1193
1745
  const t = await e.actions.signIn.passkey(r);
1194
- if (D(t)) {
1746
+ if (M(t)) {
1195
1747
  const n = await e.saveSessionAfterAuth(t);
1196
- !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
1748
+ !n.success && n.warning && _.warn("Session save warning", { warning: n.warning });
1197
1749
  }
1198
1750
  return t;
1199
1751
  } catch (t) {
@@ -1207,38 +1759,38 @@ function sr(e) {
1207
1759
  }
1208
1760
  };
1209
1761
  }
1210
- function or(e, r) {
1211
- const t = rr(e), n = tr(e, r), s = nr(e), o = sr(e);
1212
- return Object.assign(async (u, f) => {
1213
- if (!u || typeof u != "string")
1762
+ function Lr(e, r) {
1763
+ const t = Nr(e), n = Ur(e, r), s = Dr(e), i = Fr(e);
1764
+ return Object.assign(async (c, u) => {
1765
+ if (!c || typeof c != "string")
1214
1766
  throw new Error("Provider is required");
1215
- const g = X(u, {
1767
+ const h = oe(c, {
1216
1768
  maxLength: 50,
1217
1769
  allowHtml: !1,
1218
1770
  required: !0
1219
1771
  });
1220
- if (!g.valid || !g.sanitized)
1772
+ if (!h.valid || !h.sanitized)
1221
1773
  throw new Error("Invalid provider");
1222
- const w = g.sanitized.toLowerCase();
1223
- if (w === "google" || w === "github" || w === "apple" || w === "facebook" || typeof w == "string" && !["credentials", "otp", "passkey"].includes(w))
1224
- return n(w);
1225
- if (w === "credentials")
1226
- return !f || !("email" in f) || !("password" in f) ? {
1774
+ const f = h.sanitized.toLowerCase();
1775
+ if (f === "google" || f === "github" || f === "apple" || f === "facebook" || typeof f == "string" && !["credentials", "otp", "passkey"].includes(f))
1776
+ return n(f);
1777
+ if (f === "credentials")
1778
+ return !u || !("email" in u) || !("password" in u) ? {
1227
1779
  success: !1,
1228
1780
  error: "Credentials are required",
1229
1781
  errorCode: m.VALIDATION_ERROR
1230
- } : t(f);
1231
- if (w === "otp") {
1232
- if (!f || !("email" in f))
1782
+ } : t(u);
1783
+ if (f === "otp") {
1784
+ if (!u || !("email" in u))
1233
1785
  return {
1234
1786
  success: !1,
1235
1787
  error: "Email is required",
1236
1788
  errorCode: m.VALIDATION_ERROR
1237
1789
  };
1238
- const R = f;
1239
- return s(R.email, R.code);
1790
+ const y = u;
1791
+ return s(y.email, y.code);
1240
1792
  }
1241
- return w === "passkey" ? o(f) : {
1793
+ return f === "passkey" ? i(u) : {
1242
1794
  success: !1,
1243
1795
  error: "Invalid provider",
1244
1796
  errorCode: m.VALIDATION_ERROR
@@ -1246,19 +1798,19 @@ function or(e, r) {
1246
1798
  }, {
1247
1799
  email: t,
1248
1800
  oauth: e.actions.signIn.oauth ? n : void 0,
1249
- passkey: e.actions.signIn.passkey ? o : void 0,
1801
+ passkey: e.actions.signIn.passkey ? i : void 0,
1250
1802
  otp: e.actions.signIn.otp ? s : void 0
1251
1803
  });
1252
1804
  }
1253
- function ir(e) {
1805
+ function Vr(e) {
1254
1806
  return async (r) => {
1255
1807
  if (!e.actions.signUp)
1256
1808
  throw new Error("Sign up is not configured. Provide signUp action in config.");
1257
1809
  try {
1258
1810
  const t = await e.actions.signUp(r);
1259
- if (D(t)) {
1811
+ if (M(t)) {
1260
1812
  const n = await e.saveSessionAfterAuth(t);
1261
- !n.success && n.warning && I.warn("Session save warning", { warning: n.warning });
1813
+ !n.success && n.warning && _.warn("Session save warning", { warning: n.warning });
1262
1814
  }
1263
1815
  return t;
1264
1816
  } catch (t) {
@@ -1272,22 +1824,22 @@ function ir(e) {
1272
1824
  }
1273
1825
  };
1274
1826
  }
1275
- function ar(e, r) {
1827
+ function Mr(e, r) {
1276
1828
  return async (t, n, s) => {
1277
- const o = e.oauthProviders[t];
1278
- if (!o)
1829
+ const i = e.oauthProviders[t];
1830
+ if (!i)
1279
1831
  return {
1280
1832
  success: !1,
1281
1833
  error: `OAuth provider "${t}" is not configured`,
1282
1834
  errorCode: m.VALIDATION_ERROR
1283
1835
  };
1284
1836
  try {
1285
- const i = o.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await be(t, o, n, i), u = await Fe(t, a.access_token), f = {
1286
- id: u.id,
1287
- email: u.email,
1288
- name: u.name,
1289
- avatar: u.avatar,
1290
- emailVerified: u.emailVerified,
1837
+ const o = i.redirectUri ?? `${e.baseUrl}/api/auth/callback/${t}`, a = await he(t, i, n, o), c = await ge(t, a.access_token), u = {
1838
+ id: c.id,
1839
+ email: c.email,
1840
+ name: c.name,
1841
+ avatar: c.avatar,
1842
+ emailVerified: c.emailVerified,
1291
1843
  provider: t,
1292
1844
  accessToken: a.access_token,
1293
1845
  refreshToken: a.refresh_token,
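Review bot: `e.oauthProviders[t]` in the callback handler `Mr` is a plain property lookup on the provider name passed in, so inherited keys such as `constructor` pass the `if (!i)` guard. Such a key then reaches the `he(t, i, n, o)` call and the `/api/auth/callback/${t}` redirect URI. The guard should test own properties before reading the entry, e.g. `if (!Object.prototype.hasOwnProperty.call(e.oauthProviders, t))`. The public `oauthCallback` wrapper checks state against the provider first, which probably limits how this is reached, but the handler should not depend on that. The `e[s]` lookup in `jr` (hunk `@@ -1344,198`) has the same shape, though its `clientId` check rejects such keys afterwards; `Mr` continues past the end of this hunk.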
@@ -1298,42 +1850,42 @@ function ar(e, r) {
1298
1850
  token_type: a.token_type,
1299
1851
  id_token: a.id_token
1300
1852
  },
1301
- rawProfile: u.rawProfile
1853
+ rawProfile: c.rawProfile
1302
1854
  };
1303
1855
  if (e.callbacks.onOAuthUser) {
1304
- const g = await q(
1856
+ const h = await Z(
1305
1857
  e.callbacks.onOAuthUser,
1306
- [f, t],
1858
+ [u, t],
1307
1859
  e.onError
1308
1860
  );
1309
- if (!g)
1861
+ if (!h)
1310
1862
  return {
1311
1863
  success: !1,
1312
1864
  error: "Failed to create or retrieve user",
1313
1865
  errorCode: m.VALIDATION_ERROR
1314
1866
  };
1315
- const w = e.createSession(g, f, a);
1316
- return await e.saveSession(w), e.callbacks.onSignIn && await q(
1867
+ const f = e.createSession(h, u, a);
1868
+ return await e.saveSession(f), e.callbacks.onSignIn && await Z(
1317
1869
  e.callbacks.onSignIn,
1318
- [w.user, w],
1870
+ [f.user, f],
1319
1871
  e.onError
1320
- ), { success: !0, user: w.user, session: w };
1872
+ ), { success: !0, user: f.user, session: f };
1321
1873
  }
1322
1874
  return {
1323
1875
  success: !1,
1324
1876
  error: "OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",
1325
1877
  errorCode: m.VALIDATION_ERROR
1326
1878
  };
1327
- } catch (i) {
1328
- return I.error("OAuth callback failed", { provider: t, error: i }), {
1879
+ } catch (o) {
1880
+ return _.error("OAuth callback failed", { provider: t, error: o }), {
1329
1881
  success: !1,
1330
- error: i instanceof Error ? i.message : "OAuth callback failed",
1882
+ error: o instanceof Error ? o.message : "OAuth callback failed",
1331
1883
  errorCode: m.NETWORK_ERROR
1332
1884
  };
1333
1885
  }
1334
1886
  };
1335
1887
  }
1336
- async function q(e, r, t) {
1888
+ async function Z(e, r, t) {
1337
1889
  if (e)
1338
1890
  try {
1339
1891
  return await e(...r);
@@ -1344,198 +1896,198 @@ async function q(e, r, t) {
1344
1896
  ), n;
1345
1897
  }
1346
1898
  }
1347
- function cr(e, r, t, n) {
1899
+ function jr(e, r, t, n) {
1348
1900
  if (Object.keys(e).length !== 0)
1349
1901
  return async (s) => {
1350
- const o = e[s];
1351
- if (!o)
1902
+ const i = e[s];
1903
+ if (!i)
1352
1904
  throw new Error(`OAuth provider "${s}" is not configured. Add it to providers.oauth in config.`);
1353
- if (!o.clientId)
1905
+ if (!i.clientId)
1354
1906
  throw new Error(`OAuth provider "${s}" is missing clientId`);
1355
- const i = t();
1356
- return { url: n(s, o, r, i), state: i };
1907
+ const o = t();
1908
+ return { url: n(s, i, r, o), state: o };
1357
1909
  };
1358
1910
  }
1359
- function st(e) {
1360
- var L, M;
1911
+ function zt(e) {
1912
+ var j, z;
1361
1913
  const r = {
1362
- ...Ye(),
1914
+ ...Cr(),
1363
1915
  ...e.session
1364
- }, t = e.actions, n = e.callbacks || {}, s = ((L = e.providers) == null ? void 0 : L.oauth) || {}, o = Ze(), i = {
1365
- ...Qe(),
1916
+ }, t = e.actions, n = e.callbacks || {}, s = ((j = e.providers) == null ? void 0 : j.oauth) || {}, i = xr(), o = {
1917
+ ...Ir(),
1366
1918
  ...e.tokenRefresh
1367
- }, a = ((M = e.session) == null ? void 0 : M.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, u = e.oauthStateStore || Be(), f = { ...t }, g = async (c, l) => {
1368
- const d = {
1369
- provider: l,
1919
+ }, a = ((z = e.session) == null ? void 0 : z.cacheTtl) ?? e.sessionCacheTtl ?? 5e3, c = e.oauthStateStore || vr(), u = { ...t }, h = async (l, d) => {
1920
+ const g = {
1921
+ provider: d,
1370
1922
  expiresAt: Date.now() + 6e5
1371
1923
  // 10 minutes
1372
1924
  };
1373
- await Promise.resolve(u.set(c, d, 10 * 60 * 1e3)), u.cleanup && await Promise.resolve(u.cleanup());
1374
- }, w = async (c, l) => {
1375
- let d = await Promise.resolve(u.get(c));
1376
- if (!d)
1925
+ await Promise.resolve(c.set(l, g, 10 * 60 * 1e3)), c.cleanup && await Promise.resolve(c.cleanup());
1926
+ }, f = async (l, d) => {
1927
+ let g = await Promise.resolve(c.get(l));
1928
+ if (!g)
1377
1929
  try {
1378
- const { getOAuthStateCookie: v } = await import("../oauth-state-DKle8eCr.mjs").then((P) => P.q), C = await v();
1379
- if (C && C.state === c && C.provider === l)
1930
+ const { getOAuthStateCookie: R } = await import("../oauth-state-pdypStuS.mjs").then((C) => C.o), I = await R();
1931
+ if (I && I.state === l && I.provider === d)
1380
1932
  return !0;
1381
1933
  } catch {
1382
1934
  }
1383
- return d ? d.expiresAt < Date.now() ? (await Promise.resolve(u.delete(c)), !1) : d.provider !== l ? !1 : (await Promise.resolve(u.delete(c)), !0) : !1;
1384
- }, R = cr(
1935
+ return g ? g.expiresAt < Date.now() ? (await Promise.resolve(c.delete(l)), !1) : g.provider !== d ? !1 : (await Promise.resolve(c.delete(l)), !0) : !1;
1936
+ }, y = jr(
1385
1937
  s,
1386
- o,
1387
- _e,
1388
- Ne
1938
+ i,
1939
+ ue,
1940
+ de
1389
1941
  );
1390
- if (R && !f.signIn.oauth) {
1391
- const c = f.signIn;
1392
- f.signIn = {
1393
- ...c,
1394
- oauth: async (l) => {
1395
- const d = await R(l);
1396
- return await g(d.state, l), d;
1942
+ if (y && !u.signIn.oauth) {
1943
+ const l = u.signIn;
1944
+ u.signIn = {
1945
+ ...l,
1946
+ oauth: async (d) => {
1947
+ const g = await y(d);
1948
+ return await h(g.state, d), g;
1397
1949
  }
1398
1950
  };
1399
1951
  }
1400
- if (!f.signIn || !f.signIn.email)
1952
+ if (!u.signIn || !u.signIn.email)
1401
1953
  throw new Error("mulguard: signIn.email action is required");
1402
- const A = async (c, ...l) => {
1403
- if (c)
1954
+ const E = async (l, ...d) => {
1955
+ if (l)
1404
1956
  try {
1405
- return await c(...l);
1406
- } catch (d) {
1407
- throw n.onError && await n.onError(d instanceof Error ? d : new Error(String(d)), "callback"), d;
1957
+ return await l(...d);
1958
+ } catch (g) {
1959
+ throw n.onError && await n.onError(g instanceof Error ? g : new Error(String(g)), "callback"), g;
1408
1960
  }
1409
- }, S = er({
1961
+ }, v = Pr({
1410
1962
  sessionConfig: r,
1411
1963
  cacheTtl: a,
1412
1964
  getSessionAction: t.getSession,
1413
1965
  onSessionExpired: n.onSessionExpired,
1414
1966
  onError: n.onError
1415
- }), y = async (c) => {
1416
- if (!D(c) || !c.session)
1967
+ }), p = async (l) => {
1968
+ if (!M(l) || !l.session)
1417
1969
  return { success: !0 };
1418
- const l = await S.setSession(c.session);
1419
- return c.user && n.onSignIn && await A(n.onSignIn, c.user, c.session), l;
1970
+ const d = await v.setSession(l.session);
1971
+ return l.user && n.onSignIn && await E(n.onSignIn, l.user, l.session), d;
1420
1972
  };
1421
- if (Object.keys(s).length > 0 && !f.oauthCallback) {
1422
- const c = ar(
1973
+ if (Object.keys(s).length > 0 && !u.oauthCallback) {
1974
+ const l = Mr(
1423
1975
  {
1424
1976
  oauthProviders: s,
1425
- baseUrl: o,
1977
+ baseUrl: i,
1426
1978
  callbacks: n,
1427
- createSession: (l, d, v) => ({
1979
+ createSession: (d, g, R) => ({
1428
1980
  user: {
1429
- ...l,
1430
- avatar: d.avatar,
1431
- emailVerified: d.emailVerified
1981
+ ...d,
1982
+ avatar: g.avatar,
1983
+ emailVerified: g.emailVerified
1432
1984
  },
1433
1985
  expiresAt: new Date(Date.now() + (r.expiresIn || 604800) * 1e3),
1434
- accessToken: v.access_token,
1435
- refreshToken: v.refresh_token,
1986
+ accessToken: R.access_token,
1987
+ refreshToken: R.refresh_token,
1436
1988
  tokenType: "Bearer",
1437
- expiresIn: v.expires_in
1989
+ expiresIn: R.expires_in
1438
1990
  }),
1439
- saveSession: async (l) => {
1440
- await S.setSession(l);
1991
+ saveSession: async (d) => {
1992
+ await v.setSession(d);
1441
1993
  },
1442
1994
  onError: n.onError
1443
1995
  }
1444
1996
  );
1445
- f.oauthCallback = c;
1997
+ u.oauthCallback = l;
1446
1998
  }
1447
- const h = or(
1999
+ const w = Lr(
1448
2000
  {
1449
- actions: f,
2001
+ actions: u,
1450
2002
  callbacks: n,
1451
- saveSessionAfterAuth: y,
2003
+ saveSessionAfterAuth: p,
1452
2004
  onError: n.onError
1453
2005
  },
1454
- g
1455
- ), T = ir({
1456
- actions: f,
2006
+ h
2007
+ ), T = Vr({
2008
+ actions: u,
1457
2009
  callbacks: n,
1458
- saveSessionAfterAuth: y,
2010
+ saveSessionAfterAuth: p,
1459
2011
  onError: n.onError
1460
- }), _ = {
2012
+ }), b = {
1461
2013
  /**
1462
2014
  * Get current session
1463
2015
  * Uses custom getSession action if provided, otherwise falls back to reading from cookie
1464
2016
  */
1465
2017
  async getSession() {
1466
- return await S.getSession();
2018
+ return await v.getSession();
1467
2019
  },
1468
2020
  /**
1469
2021
  * Get access token from current session
1470
2022
  */
1471
2023
  async getAccessToken() {
1472
- return await S.getAccessToken();
2024
+ return await v.getAccessToken();
1473
2025
  },
1474
2026
  /**
1475
2027
  * Get refresh token from current session
1476
2028
  */
1477
2029
  async getRefreshToken() {
1478
- return await S.getRefreshToken();
2030
+ return await v.getRefreshToken();
1479
2031
  },
1480
2032
  /**
1481
2033
  * Check if session has valid tokens
1482
2034
  */
1483
2035
  async hasValidTokens() {
1484
- return await S.hasValidTokens();
2036
+ return await v.hasValidTokens();
1485
2037
  },
1486
2038
  /**
1487
2039
  * Unified sign in method - supports both unified and direct method calls
1488
2040
  */
1489
- signIn: h,
2041
+ signIn: w,
1490
2042
  /**
1491
2043
  * Sign up new user
1492
2044
  */
1493
- async signUp(c) {
2045
+ async signUp(l) {
1494
2046
  if (!T)
1495
2047
  throw new Error("Sign up is not configured. Provide signUp action in config.");
1496
- return await T(c);
2048
+ return await T(l);
1497
2049
  },
1498
2050
  /**
1499
2051
  * Sign out
1500
2052
  */
1501
2053
  async signOut() {
1502
2054
  try {
1503
- const c = await this.getSession(), l = c == null ? void 0 : c.user;
1504
- return t.signOut && await t.signOut(), await S.clearSessionCookie(), S.clearCache(), l && n.onSignOut && await A(n.onSignOut, l), { success: !0 };
1505
- } catch (c) {
1506
- return await S.clearSessionCookie(), S.clearCache(), n.onError && await A(n.onError, c instanceof Error ? c : new Error(String(c)), "signOut"), {
2055
+ const l = await this.getSession(), d = l == null ? void 0 : l.user;
2056
+ return t.signOut && await t.signOut(), await v.clearSessionCookie(), v.clearCache(), d && n.onSignOut && await E(n.onSignOut, d), { success: !0 };
2057
+ } catch (l) {
2058
+ return await v.clearSessionCookie(), v.clearCache(), n.onError && await E(n.onError, l instanceof Error ? l : new Error(String(l)), "signOut"), {
1507
2059
  success: !1,
1508
- error: c instanceof Error ? c.message : "Sign out failed"
2060
+ error: l instanceof Error ? l.message : "Sign out failed"
1509
2061
  };
1510
2062
  }
1511
2063
  },
1512
2064
  /**
1513
2065
  * Request password reset
1514
2066
  */
1515
- async resetPassword(c) {
2067
+ async resetPassword(l) {
1516
2068
  if (!t.resetPassword)
1517
2069
  throw new Error("Password reset is not configured. Provide resetPassword action in config.");
1518
2070
  try {
1519
- return await t.resetPassword(c);
1520
- } catch (l) {
1521
- return n.onError && await A(n.onError, l instanceof Error ? l : new Error(String(l)), "resetPassword"), {
2071
+ return await t.resetPassword(l);
2072
+ } catch (d) {
2073
+ return n.onError && await E(n.onError, d instanceof Error ? d : new Error(String(d)), "resetPassword"), {
1522
2074
  success: !1,
1523
- error: l instanceof Error ? l.message : "Password reset failed"
2075
+ error: d instanceof Error ? d.message : "Password reset failed"
1524
2076
  };
1525
2077
  }
1526
2078
  },
1527
2079
  /**
1528
2080
  * Verify email address
1529
2081
  */
1530
- async verifyEmail(c) {
2082
+ async verifyEmail(l) {
1531
2083
  if (!t.verifyEmail)
1532
2084
  throw new Error("Email verification is not configured. Provide verifyEmail action in config.");
1533
2085
  try {
1534
- return await t.verifyEmail(c);
1535
- } catch (l) {
1536
- return n.onError && await A(n.onError, l instanceof Error ? l : new Error(String(l)), "verifyEmail"), {
2086
+ return await t.verifyEmail(l);
2087
+ } catch (d) {
2088
+ return n.onError && await E(n.onError, d instanceof Error ? d : new Error(String(d)), "verifyEmail"), {
1537
2089
  success: !1,
1538
- error: l instanceof Error ? l.message : "Email verification failed"
2090
+ error: d instanceof Error ? d.message : "Email verification failed"
1539
2091
  };
1540
2092
  }
1541
2093
  },
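Review bot: The cookie fallback in the state validator `f` (the `if (!g)` branch) returns `!0` as soon as `I.state === l && I.provider === d`. It skips the `expiresAt` comparison and the `c.delete(l)` consume step that the store path applies. A state accepted through the cookie may therefore be reusable unless `getOAuthStateCookie`, which lives in another chunk, enforces expiry and single use itself. The empty `catch {}` around it also hides import and cookie-read failures; I would log there, e.g. `} catch (S) { _.warn("OAuth state cookie check failed", { error: S }); }`, and clear the state cookie on a successful match. The enclosing function `zt` begins in this hunk and runs on past its end.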
@@ -1547,50 +2099,50 @@ function st(e) {
1547
2099
  if (!t.refreshSession)
1548
2100
  return this.getSession();
1549
2101
  try {
1550
- const c = await t.refreshSession();
1551
- if (c && U(c)) {
1552
- if (await S.setSession(c), n.onSessionUpdate) {
1553
- const l = await A(n.onSessionUpdate, c);
1554
- if (l && U(l)) {
1555
- if (await S.setSession(l), n.onTokenRefresh) {
1556
- const d = await this.getSession();
1557
- d && await A(n.onTokenRefresh, d, l);
2102
+ const l = await t.refreshSession();
2103
+ if (l && F(l)) {
2104
+ if (await v.setSession(l), n.onSessionUpdate) {
2105
+ const d = await E(n.onSessionUpdate, l);
2106
+ if (d && F(d)) {
2107
+ if (await v.setSession(d), n.onTokenRefresh) {
2108
+ const g = await this.getSession();
2109
+ g && await E(n.onTokenRefresh, g, d);
1558
2110
  }
1559
- return l;
2111
+ return d;
1560
2112
  }
1561
2113
  }
1562
2114
  if (n.onTokenRefresh) {
1563
- const l = await this.getSession();
1564
- l && await A(n.onTokenRefresh, l, c);
2115
+ const d = await this.getSession();
2116
+ d && await E(n.onTokenRefresh, d, l);
1565
2117
  }
1566
- return c;
1567
- } else if (c && !U(c))
1568
- return await S.clearSessionCookie(), S.clearCache(), null;
2118
+ return l;
2119
+ } else if (l && !F(l))
2120
+ return await v.clearSessionCookie(), v.clearCache(), null;
1569
2121
  return null;
1570
- } catch (c) {
1571
- return await S.clearSessionCookie(), S.clearCache(), n.onError && await A(n.onError, c instanceof Error ? c : new Error(String(c)), "refreshSession"), null;
2122
+ } catch (l) {
2123
+ return await v.clearSessionCookie(), v.clearCache(), n.onError && await E(n.onError, l instanceof Error ? l : new Error(String(l)), "refreshSession"), null;
1572
2124
  }
1573
2125
  },
1574
2126
  /**
1575
2127
  * OAuth callback handler
1576
2128
  * ✅ Auto-generated if providers.oauth is configured in config
1577
2129
  */
1578
- async oauthCallback(c, l, d) {
1579
- if (!f.oauthCallback)
2130
+ async oauthCallback(l, d, g) {
2131
+ if (!u.oauthCallback)
1580
2132
  throw new Error(
1581
2133
  "OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config."
1582
2134
  );
1583
- if (!l || !d)
2135
+ if (!d || !g)
1584
2136
  return {
1585
2137
  success: !1,
1586
2138
  error: "Missing required OAuth parameters (code or state)",
1587
2139
  errorCode: m.VALIDATION_ERROR
1588
2140
  };
1589
- let v = c;
1590
- if (!v) {
1591
- const P = await Promise.resolve(u.get(d));
1592
- if (P && P.provider)
1593
- v = P.provider;
2141
+ let R = l;
2142
+ if (!R) {
2143
+ const C = await Promise.resolve(c.get(g));
2144
+ if (C && C.provider)
2145
+ R = C.provider;
1594
2146
  else
1595
2147
  return {
1596
2148
  success: !1,
@@ -1598,18 +2150,18 @@ function st(e) {
1598
2150
  errorCode: m.VALIDATION_ERROR
1599
2151
  };
1600
2152
  }
1601
- if (!await w(d, v))
2153
+ if (!await f(g, R))
1602
2154
  return {
1603
2155
  success: !1,
1604
2156
  error: "Invalid or expired state parameter",
1605
2157
  errorCode: m.VALIDATION_ERROR
1606
2158
  };
1607
2159
  try {
1608
- return await f.oauthCallback(v, l, d);
1609
- } catch (P) {
1610
- return n.onError && await A(n.onError, P instanceof Error ? P : new Error(String(P)), "oauthCallback"), {
2160
+ return await u.oauthCallback(R, d, g);
2161
+ } catch (C) {
2162
+ return n.onError && await E(n.onError, C instanceof Error ? C : new Error(String(C)), "oauthCallback"), {
1611
2163
  success: !1,
1612
- error: P instanceof Error ? P.message : "OAuth callback failed",
2164
+ error: C instanceof Error ? C.message : "OAuth callback failed",
1613
2165
  errorCode: m.NETWORK_ERROR
1614
2166
  };
1615
2167
  }
@@ -1618,27 +2170,27 @@ function st(e) {
1618
2170
  * Verify 2FA code after initial sign in
1619
2171
  * Used when signIn returns requires2FA: true
1620
2172
  */
1621
- async verify2FA(c, l) {
2173
+ async verify2FA(l, d) {
1622
2174
  if (!t.verify2FA)
1623
2175
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1624
2176
  try {
1625
- const d = await t.verify2FA(c);
1626
- if (d.success && d.session && !(l != null && l.skipCookieSave)) {
1627
- const v = await y(d);
1628
- v.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after verify2FA", {
1629
- error: v.error,
1630
- warning: v.warning
1631
- }), n.onError && await A(
2177
+ const g = await t.verify2FA(l);
2178
+ if (g.success && g.session && !(d != null && d.skipCookieSave)) {
2179
+ const R = await p(g);
2180
+ R.success || (process.env.NODE_ENV === "development" && _.debug("Failed to save session cookie after verify2FA", {
2181
+ error: R.error,
2182
+ warning: R.warning
2183
+ }), n.onError && await E(
1632
2184
  n.onError,
1633
- new Error(v.warning || v.error || "Failed to save session cookie"),
2185
+ new Error(R.warning || R.error || "Failed to save session cookie"),
1634
2186
  "verify2FA.setSession"
1635
2187
  ));
1636
2188
  }
1637
- return d;
1638
- } catch (d) {
1639
- return n.onError && await A(n.onError, d instanceof Error ? d : new Error(String(d)), "verify2FA"), {
2189
+ return g;
2190
+ } catch (g) {
2191
+ return n.onError && await E(n.onError, g instanceof Error ? g : new Error(String(g)), "verify2FA"), {
1640
2192
  success: !1,
1641
- error: d instanceof Error ? d.message : "2FA verification failed",
2193
+ error: g instanceof Error ? g.message : "2FA verification failed",
1642
2194
  errorCode: m.TWO_FA_REQUIRED
1643
2195
  };
1644
2196
  }
@@ -1647,8 +2199,8 @@ function st(e) {
1647
2199
  * Set session directly
1648
2200
  * Useful for Server Actions that need to save session manually
1649
2201
  */
1650
- async setSession(c) {
1651
- return await S.setSession(c);
2202
+ async setSession(l) {
2203
+ return await v.setSession(l);
1652
2204
  },
1653
2205
  /**
1654
2206
  * Internal method to get session config for Server Actions
@@ -1656,7 +2208,7 @@ function st(e) {
1656
2208
  * @internal
1657
2209
  */
1658
2210
  _getSessionConfig() {
1659
- return S.getSessionConfig();
2211
+ return v.getSessionConfig();
1660
2212
  },
1661
2213
  _getCallbacks() {
1662
2214
  return n;
@@ -1668,31 +2220,31 @@ function st(e) {
1668
2220
  * @param state - OAuth state token
1669
2221
  * @param provider - OAuth provider name
1670
2222
  */
1671
- async storeOAuthState(c, l) {
1672
- await g(c, l);
2223
+ async storeOAuthState(l, d) {
2224
+ await h(l, d);
1673
2225
  },
1674
2226
  /**
1675
2227
  * PassKey methods
1676
2228
  */
1677
2229
  passkey: t.passkey ? {
1678
2230
  register: t.passkey.register,
1679
- authenticate: async (c) => {
1680
- var l;
1681
- if (!((l = t.passkey) != null && l.authenticate))
2231
+ authenticate: async (l) => {
2232
+ var d;
2233
+ if (!((d = t.passkey) != null && d.authenticate))
1682
2234
  throw new Error("PassKey authenticate is not configured.");
1683
2235
  try {
1684
- const d = await t.passkey.authenticate(c);
1685
- return d.success && d.session && await y(d), d;
1686
- } catch (d) {
1687
- return n.onError && await A(n.onError, d instanceof Error ? d : new Error(String(d)), "passkey.authenticate"), {
2236
+ const g = await t.passkey.authenticate(l);
2237
+ return g.success && g.session && await p(g), g;
2238
+ } catch (g) {
2239
+ return n.onError && await E(n.onError, g instanceof Error ? g : new Error(String(g)), "passkey.authenticate"), {
1688
2240
  success: !1,
1689
- error: d instanceof Error ? d.message : "PassKey authentication failed"
2241
+ error: g instanceof Error ? g.message : "PassKey authentication failed"
1690
2242
  };
1691
2243
  }
1692
2244
  },
1693
2245
  list: t.passkey.list ? async () => {
1694
- var l;
1695
- if (!((l = t.passkey) != null && l.list))
2246
+ var d;
2247
+ if (!((d = t.passkey) != null && d.list))
1696
2248
  throw new Error("PassKey list is not configured.");
1697
2249
  return [...await t.passkey.list()];
1698
2250
  } : void 0,
@@ -1707,29 +2259,29 @@ function st(e) {
1707
2259
  disable: t.twoFactor.disable,
1708
2260
  generateBackupCodes: t.twoFactor.generateBackupCodes,
1709
2261
  isEnabled: t.twoFactor.isEnabled,
1710
- verify2FA: async (c) => {
1711
- var d;
1712
- const l = ((d = t.twoFactor) == null ? void 0 : d.verify2FA) || t.verify2FA;
1713
- if (!l)
2262
+ verify2FA: async (l) => {
2263
+ var g;
2264
+ const d = ((g = t.twoFactor) == null ? void 0 : g.verify2FA) || t.verify2FA;
2265
+ if (!d)
1714
2266
  throw new Error("2FA verification is not configured. Provide verify2FA action in config.");
1715
2267
  try {
1716
- const v = await l(c);
1717
- if (v.success && v.session) {
1718
- const C = await y(v);
1719
- C.success || (process.env.NODE_ENV === "development" && I.debug("Failed to save session cookie after twoFactor.verify2FA", {
1720
- error: C.error,
1721
- warning: C.warning
1722
- }), n.onError && await A(
2268
+ const R = await d(l);
2269
+ if (R.success && R.session) {
2270
+ const I = await p(R);
2271
+ I.success || (process.env.NODE_ENV === "development" && _.debug("Failed to save session cookie after twoFactor.verify2FA", {
2272
+ error: I.error,
2273
+ warning: I.warning
2274
+ }), n.onError && await E(
1723
2275
  n.onError,
1724
- new Error(C.warning || C.error || "Failed to save session cookie"),
2276
+ new Error(I.warning || I.error || "Failed to save session cookie"),
1725
2277
  "twoFactor.verify2FA.setSession"
1726
2278
  ));
1727
2279
  }
1728
- return v;
1729
- } catch (v) {
1730
- return n.onError && await A(n.onError, v instanceof Error ? v : new Error(String(v)), "twoFactor.verify2FA"), {
2280
+ return R;
2281
+ } catch (R) {
2282
+ return n.onError && await E(n.onError, R instanceof Error ? R : new Error(String(R)), "twoFactor.verify2FA"), {
1731
2283
  success: !1,
1732
- error: v instanceof Error ? v.message : "2FA verification failed",
2284
+ error: R instanceof Error ? R.message : "2FA verification failed",
1733
2285
  errorCode: m.UNKNOWN_ERROR
1734
2286
  };
1735
2287
  }
@@ -1739,159 +2291,165 @@ function st(e) {
1739
2291
  * Sign in methods - alias for signIn (for backward compatibility)
1740
2292
  */
1741
2293
  signInMethods: {
1742
- email: (c) => h.email(c),
1743
- oauth: (c) => {
1744
- var l;
1745
- return ((l = h.oauth) == null ? void 0 : l.call(h, c)) || Promise.reject(new Error("OAuth not configured"));
1746
- },
1747
- passkey: (c) => {
1748
- var l;
1749
- return ((l = h.passkey) == null ? void 0 : l.call(h, c)) || Promise.reject(new Error("Passkey not configured"));
2294
+ email: (l) => w.email(l),
2295
+ oauth: (l) => {
2296
+ var d;
2297
+ return ((d = w.oauth) == null ? void 0 : d.call(w, l)) || Promise.reject(new Error("OAuth not configured"));
1750
2298
  },
1751
- otp: (c, l) => {
2299
+ passkey: (l) => {
1752
2300
  var d;
1753
- return ((d = h.otp) == null ? void 0 : d.call(h, c, l)) || Promise.reject(new Error("OTP not configured"));
2301
+ return ((d = w.passkey) == null ? void 0 : d.call(w, l)) || Promise.reject(new Error("Passkey not configured"));
2302
+ },
2303
+ otp: (l, d) => {
2304
+ var g;
2305
+ return ((g = w.otp) == null ? void 0 : g.call(w, l, d)) || Promise.reject(new Error("OTP not configured"));
1754
2306
  }
1755
2307
  }
1756
2308
  };
1757
2309
  if (t.refreshSession) {
1758
- const c = Je(
1759
- async () => await _.refreshSession(),
1760
- async () => await _.signOut(),
2310
+ const l = br(
2311
+ async () => await b.refreshSession(),
2312
+ async () => await b.signOut(),
1761
2313
  async () => {
1762
- await S.clearSessionCookie(), S.clearCache();
2314
+ await v.clearSessionCookie(), v.clearCache();
1763
2315
  },
1764
2316
  {
1765
- ...i,
1766
- onTokenRefreshed: i.onTokenRefreshed,
1767
- onTokenRefreshFailed: i.onTokenRefreshFailed,
1768
- onBeforeRedirect: i.onBeforeRedirect
2317
+ ...o,
2318
+ onTokenRefreshed: o.onTokenRefreshed,
2319
+ onTokenRefreshFailed: o.onTokenRefreshFailed,
2320
+ onBeforeRedirect: o.onBeforeRedirect
1769
2321
  }
1770
2322
  );
1771
- _._tokenRefreshManager = c, _._getTokenRefreshManager = () => c;
2323
+ b._tokenRefreshManager = l, b._getTokenRefreshManager = () => l;
1772
2324
  }
1773
- return _;
2325
+ return b;
1774
2326
  }
1775
- function ot(e) {
2327
+ function W(e) {
2328
+ if (!e)
2329
+ return e;
2330
+ const { accessToken: r, refreshToken: t, ...n } = e;
2331
+ return n;
2332
+ }
2333
+ function Bt(e) {
1776
2334
  return {
1777
- GET: async (r) => B(r, e, "GET"),
1778
- POST: async (r) => B(r, e, "POST")
2335
+ GET: async (r) => ee(r, e, "GET"),
2336
+ POST: async (r) => ee(r, e, "POST")
1779
2337
  };
1780
2338
  }
1781
- async function B(e, r, t) {
1782
- const n = new URL(e.url), s = ur(n.pathname), o = s.split("/").filter(Boolean);
2339
+ async function ee(e, r, t) {
2340
+ const n = new URL(e.url), s = zr(n.pathname), i = s.split("/").filter(Boolean);
1783
2341
  try {
1784
- return t === "GET" ? await lr(e, r, s, o, n) : t === "POST" ? await fr(e, r, s, o, n) : O("Method not allowed", 405);
1785
- } catch (i) {
2342
+ return t === "GET" ? await Br(e, r, s, i, n) : t === "POST" ? await $r(e, r, s, i, n) : O("Method not allowed", 405);
2343
+ } catch (o) {
1786
2344
  return O(
1787
- i instanceof Error ? i.message : "Request failed",
2345
+ o instanceof Error ? o.message : "Request failed",
1788
2346
  500
1789
2347
  );
1790
2348
  }
1791
2349
  }
1792
- function ur(e) {
2350
+ function zr(e) {
1793
2351
  return e.replace(/^\/api\/auth/, "") || "/session";
1794
2352
  }
1795
- async function lr(e, r, t, n, s) {
2353
+ async function Br(e, r, t, n, s) {
1796
2354
  if (t === "/session" || t === "/") {
1797
- const o = await r.getSession();
1798
- return E.json({ session: o });
2355
+ const i = await r.getSession(), o = W(i);
2356
+ return A.json({ session: o });
1799
2357
  }
1800
- return t === "/providers" ? E.json({
2358
+ return t === "/providers" ? A.json({
1801
2359
  providers: {
1802
2360
  email: !!r.signIn.email,
1803
2361
  oauth: !!r.signIn.oauth,
1804
2362
  passkey: !!r.signIn.passkey
1805
2363
  }
1806
- }) : re(t, n) ? await te(e, r, t, n, s, "GET") : O("Not found", 404);
2364
+ }) : ye(t, n) ? await ke(e, r, t, n, s, "GET") : O("Not found", 404);
1807
2365
  }
1808
- async function fr(e, r, t, n, s) {
1809
- const o = await dr(e);
1810
- return t === "/sign-in" || n[0] === "sign-in" ? await gr(r, o) : t === "/sign-up" || n[0] === "sign-up" ? await wr(r, o) : t === "/sign-out" || n[0] === "sign-out" ? await pr(r) : t === "/reset-password" || n[0] === "reset-password" ? await mr(r, o) : t === "/verify-email" || n[0] === "verify-email" ? await Er(r, o) : t === "/refresh" || n[0] === "refresh" ? await yr(r) : re(t, n) ? await te(e, r, t, n, s, "POST", o) : t.startsWith("/passkey") ? await vr(r, t, n, o) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await kr(r, o) : t.startsWith("/two-factor") ? await Sr(r, n, o) : O("Not found", 404);
2366
+ async function $r(e, r, t, n, s) {
2367
+ const i = await Hr(e);
2368
+ return t === "/sign-in" || n[0] === "sign-in" ? await Wr(r, i) : t === "/sign-up" || n[0] === "sign-up" ? await Gr(r, i) : t === "/sign-out" || n[0] === "sign-out" ? await Kr(r) : t === "/reset-password" || n[0] === "reset-password" ? await Xr(r, i) : t === "/verify-email" || n[0] === "verify-email" ? await Jr(r, i) : t === "/refresh" || n[0] === "refresh" ? await Yr(r) : ye(t, n) ? await ke(e, r, t, n, s, "POST", i) : t.startsWith("/passkey") ? await Zr(r, t, n, i) : t === "/verify-2fa" || n[0] === "verify-2fa" ? await Qr(r, i) : t.startsWith("/two-factor") ? await et(r, n, i) : O("Not found", 404);
1811
2369
  }
1812
- async function dr(e) {
2370
+ async function Hr(e) {
1813
2371
  try {
1814
2372
  return await e.json();
1815
2373
  } catch {
1816
2374
  return {};
1817
2375
  }
1818
2376
  }
1819
- function re(e, r) {
2377
+ function ye(e, r) {
1820
2378
  return e === "/callback" || e.startsWith("/oauth/callback") || r[0] === "oauth" && r[1] === "callback" || r[0] === "callback";
1821
2379
  }
1822
- async function te(e, r, t, n, s, o, i) {
2380
+ async function ke(e, r, t, n, s, i, o) {
1823
2381
  if (!r.oauthCallback)
1824
- return o === "GET" ? V(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
1825
- const a = hr(n, s, i), u = (i == null ? void 0 : i.code) ?? s.searchParams.get("code"), f = (i == null ? void 0 : i.state) ?? s.searchParams.get("state");
1826
- if (!u || !f)
1827
- return o === "GET" ? V(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
2382
+ return i === "GET" ? B(e.url, "oauth_not_configured") : O("OAuth callback is not configured", 400);
2383
+ const a = qr(n, s, o), c = (o == null ? void 0 : o.code) ?? s.searchParams.get("code"), u = (o == null ? void 0 : o.state) ?? s.searchParams.get("state");
2384
+ if (!c || !u)
2385
+ return i === "GET" ? B(e.url, "oauth_missing_params") : O("Missing required OAuth parameters. Code and state are required.", 400);
1828
2386
  try {
1829
- const g = await r.oauthCallback(a ?? "", u, f);
1830
- return o === "GET" ? g.success ? Ar(e.url, s.searchParams.get("callbackUrl")) : V(e.url, g.error ?? "oauth_failed") : E.json(g);
1831
- } catch (g) {
1832
- return o === "GET" ? V(e.url, g instanceof Error ? g.message : "oauth_error") : O(g instanceof Error ? g.message : "OAuth callback failed", 500);
2387
+ const h = await r.oauthCallback(a ?? "", c, u);
2388
+ return i === "GET" ? h.success ? tt(e.url, s.searchParams.get("callbackUrl")) : B(e.url, h.error ?? "oauth_failed") : A.json(h);
2389
+ } catch (h) {
2390
+ return i === "GET" ? B(e.url, h instanceof Error ? h.message : "oauth_error") : O(h instanceof Error ? h.message : "OAuth callback failed", 500);
1833
2391
  }
1834
2392
  }
1835
- function hr(e, r, t) {
2393
+ function qr(e, r, t) {
1836
2394
  return t != null && t.provider ? t.provider : e[0] === "callback" && e[1] ? e[1] : e[0] === "oauth" && e[1] === "callback" && e[2] ? e[2] : r.searchParams.get("provider");
1837
2395
  }
1838
- async function gr(e, r) {
2396
+ async function Wr(e, r) {
1839
2397
  if (r.provider === "email" && r.email && r.password) {
1840
2398
  const t = {
1841
2399
  email: r.email,
1842
2400
  password: r.password
1843
2401
  }, n = await e.signIn.email(t);
1844
- return E.json(n);
2402
+ return A.json(n);
1845
2403
  }
1846
2404
  if (r.provider === "oauth" && r.providerName) {
1847
2405
  if (!e.signIn.oauth)
1848
2406
  return O("OAuth is not configured", 400);
1849
2407
  const t = await e.signIn.oauth(r.providerName);
1850
- return E.json(t);
2408
+ return A.json(t);
1851
2409
  }
1852
2410
  if (r.provider === "passkey") {
1853
2411
  if (!e.signIn.passkey)
1854
2412
  return O("PassKey is not configured", 400);
1855
2413
  const t = await e.signIn.passkey(r.options);
1856
- return E.json(t);
2414
+ return A.json(t);
1857
2415
  }
1858
2416
  return O("Invalid sign in request", 400);
1859
2417
  }
1860
- async function wr(e, r) {
2418
+ async function Gr(e, r) {
1861
2419
  if (!e.signUp)
1862
2420
  return O("Sign up is not configured", 400);
1863
2421
  const t = await e.signUp(r);
1864
- return E.json(t);
2422
+ return A.json(t);
1865
2423
  }
1866
- async function pr(e) {
2424
+ async function Kr(e) {
1867
2425
  const r = await e.signOut();
1868
- return E.json(r);
2426
+ return A.json(r);
1869
2427
  }
1870
- async function mr(e, r) {
2428
+ async function Xr(e, r) {
1871
2429
  if (!e.resetPassword)
1872
2430
  return O("Password reset is not configured", 400);
1873
2431
  if (!r.email || typeof r.email != "string")
1874
2432
  return O("Email is required", 400);
1875
2433
  const t = await e.resetPassword(r.email);
1876
- return E.json(t);
2434
+ return A.json(t);
1877
2435
  }
1878
- async function Er(e, r) {
2436
+ async function Jr(e, r) {
1879
2437
  if (!e.verifyEmail)
1880
2438
  return O("Email verification is not configured", 400);
1881
2439
  if (!r.token || typeof r.token != "string")
1882
2440
  return O("Token is required", 400);
1883
2441
  const t = await e.verifyEmail(r.token);
1884
- return E.json(t);
2442
+ return A.json(t);
1885
2443
  }
1886
- async function yr(e) {
2444
+ async function Yr(e) {
1887
2445
  if (!e.refreshSession) {
1888
- const t = await e.getSession();
1889
- return E.json({ session: t });
2446
+ const n = await e.getSession(), s = W(n);
2447
+ return A.json({ session: s });
1890
2448
  }
1891
- const r = await e.refreshSession();
1892
- return E.json({ session: r });
2449
+ const r = await e.refreshSession(), t = W(r);
2450
+ return A.json({ session: t });
1893
2451
  }
1894
- async function kr(e, r) {
2452
+ async function Qr(e, r) {
1895
2453
  if (!e.verify2FA)
1896
2454
  return O("2FA verification is not configured", 400);
1897
2455
  if (!r.email || !r.userId || !r.code)
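Review bot: The token stripping added with `W` is applied only in `Br` (`/session`) and `Yr` (`/refresh`); `Wr`, `Gr` and the POST branch of `ke` in this same hunk still serialize the raw action result with `A.json(...)`. If those results carry the same session object (the `g.success && g.session` checks in `verify2FA` suggest they do), `accessToken` and `refreshToken` still leave in the JSON body on sign-in and OAuth callback. If the intent is that tokens never appear in a response body, wrap the result the same way, e.g. `return A.json(n.session ? { ...n, session: W(n.session) } : n);`. `W` also removes only the two top-level keys, so anything nested under `user` or named differently passes through. `Qr` begins at the end of this hunk and continues outside it.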
@@ -1901,58 +2459,58 @@ async function kr(e, r) {
1901
2459
  userId: r.userId,
1902
2460
  code: r.code
1903
2461
  }, n = await e.verify2FA(t);
1904
- return E.json(n);
2462
+ return A.json(n);
1905
2463
  }
1906
- async function vr(e, r, t, n) {
2464
+ async function Zr(e, r, t, n) {
1907
2465
  if (!e.passkey)
1908
2466
  return O("PassKey is not configured", 400);
1909
2467
  const s = t[1];
1910
2468
  if (s === "register" && e.passkey.register) {
1911
- const o = await e.passkey.register(n.options);
1912
- return E.json(o);
2469
+ const i = await e.passkey.register(n.options);
2470
+ return A.json(i);
1913
2471
  }
1914
2472
  if (s === "list" && e.passkey.list) {
1915
- const o = await e.passkey.list();
1916
- return E.json(o);
2473
+ const i = await e.passkey.list();
2474
+ return A.json(i);
1917
2475
  }
1918
2476
  if (s === "remove" && e.passkey.remove) {
1919
2477
  if (!n.passkeyId || typeof n.passkeyId != "string")
1920
2478
  return O("Passkey ID is required", 400);
1921
- const o = await e.passkey.remove(n.passkeyId);
1922
- return E.json(o);
2479
+ const i = await e.passkey.remove(n.passkeyId);
2480
+ return A.json(i);
1923
2481
  }
1924
2482
  return O("Invalid Passkey request", 400);
1925
2483
  }
1926
- async function Sr(e, r, t) {
2484
+ async function et(e, r, t) {
1927
2485
  if (!e.twoFactor)
1928
2486
  return O("Two-Factor Authentication is not configured", 400);
1929
2487
  const n = r[1];
1930
2488
  if (n === "enable" && e.twoFactor.enable) {
1931
2489
  const s = await e.twoFactor.enable();
1932
- return E.json(s);
2490
+ return A.json(s);
1933
2491
  }
1934
2492
  if (n === "verify" && e.twoFactor.verify) {
1935
2493
  if (!t.code || typeof t.code != "string")
1936
2494
  return O("Code is required", 400);
1937
2495
  const s = await e.twoFactor.verify(t.code);
1938
- return E.json(s);
2496
+ return A.json(s);
1939
2497
  }
1940
2498
  if (n === "disable" && e.twoFactor.disable) {
1941
2499
  const s = await e.twoFactor.disable();
1942
- return E.json(s);
2500
+ return A.json(s);
1943
2501
  }
1944
2502
  if (n === "backup-codes" && e.twoFactor.generateBackupCodes) {
1945
2503
  const s = await e.twoFactor.generateBackupCodes();
1946
- return E.json(s);
2504
+ return A.json(s);
1947
2505
  }
1948
2506
  if (n === "is-enabled" && e.twoFactor.isEnabled) {
1949
2507
  const s = await e.twoFactor.isEnabled();
1950
- return E.json({ enabled: s });
2508
+ return A.json({ enabled: s });
1951
2509
  }
1952
2510
  return O("Invalid two-factor request", 400);
1953
2511
  }
1954
2512
  function O(e, r) {
1955
- return E.json(
2513
+ return A.json(
1956
2514
  {
1957
2515
  success: !1,
1958
2516
  error: e
@@ -1960,85 +2518,63 @@ function O(e, r) {
1960
2518
  { status: r }
1961
2519
  );
1962
2520
  }
1963
- function V(e, r) {
1964
- return E.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
2521
+ function B(e, r) {
2522
+ return A.redirect(new URL(`/login?error=${encodeURIComponent(r)}`, e));
1965
2523
  }
1966
- function Ar(e, r) {
1967
- const t = r ?? "/";
1968
- return E.redirect(new URL(t, e));
2524
+ function rt(e, r) {
2525
+ if (!e)
2526
+ return null;
2527
+ try {
2528
+ const t = new URL(e, r), n = new URL(r);
2529
+ return t.protocol !== n.protocol || t.hostname !== n.hostname || t.port !== n.port ? (process.env.NODE_ENV === "development" && console.warn("[Mulguard] Blocked redirect to external URL:", e), null) : t.protocol === "javascript:" || t.protocol === "data:" ? (process.env.NODE_ENV === "development" && console.warn("[Mulguard] Blocked dangerous redirect URL:", e), null) : t.pathname + t.search + t.hash;
2530
+ } catch {
2531
+ return null;
2532
+ }
1969
2533
  }
1970
- function it(e) {
2534
+ function tt(e, r) {
2535
+ const n = rt(r, e) ?? "/";
2536
+ return A.redirect(new URL(n, e));
2537
+ }
2538
+ function $t(e) {
1971
2539
  return async (r) => {
1972
- const { method: t, nextUrl: n } = r, o = n.pathname.replace(/^\/api\/auth/, "") || "/";
2540
+ const { method: t, nextUrl: n } = r, i = n.pathname.replace(/^\/api\/auth/, "") || "/";
1973
2541
  try {
1974
- let i;
2542
+ let o;
1975
2543
  if (t !== "GET" && t !== "HEAD")
1976
2544
  try {
1977
- i = await r.json();
2545
+ o = await r.json();
1978
2546
  } catch {
1979
2547
  }
1980
- const a = Object.fromEntries(n.searchParams.entries()), u = await fetch(
1981
- `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${o}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
2548
+ const a = Object.fromEntries(n.searchParams.entries()), c = await fetch(
2549
+ `${process.env.NEXT_PUBLIC_API_URL || ""}/api/auth${i}${Object.keys(a).length > 0 ? `?${new URLSearchParams(a).toString()}` : ""}`,
1982
2550
  {
1983
2551
  method: t,
1984
2552
  headers: {
1985
2553
  "Content-Type": "application/json",
1986
2554
  ...Object.fromEntries(r.headers.entries())
1987
2555
  },
1988
- body: i ? JSON.stringify(i) : void 0
2556
+ body: o ? JSON.stringify(o) : void 0
1989
2557
  }
1990
- ), f = await u.json();
1991
- return E.json(f, {
1992
- status: u.status,
2558
+ ), u = await c.json();
2559
+ return A.json(u, {
2560
+ status: c.status,
1993
2561
  headers: {
1994
- ...Object.fromEntries(u.headers.entries())
2562
+ ...Object.fromEntries(c.headers.entries())
1995
2563
  }
1996
2564
  });
1997
- } catch (i) {
1998
- return console.error("API handler error:", i), E.json(
2565
+ } catch (o) {
2566
+ return console.error("API handler error:", o), A.json(
1999
2567
  {
2000
2568
  success: !1,
2001
- error: i instanceof Error ? i.message : "Internal server error"
2569
+ error: o instanceof Error ? o.message : "Internal server error"
2002
2570
  },
2003
2571
  { status: 500 }
2004
2572
  );
2005
2573
  }
2006
2574
  };
2007
2575
  }
2008
- function at(e) {
2009
- return async (r) => {
2010
- const { searchParams: t } = r.nextUrl, n = t.get("provider"), s = t.get("code"), o = t.get("state");
2011
- if (!n || !s || !o)
2012
- return E.redirect(
2013
- new URL("/login?error=oauth_missing_params", r.url)
2014
- );
2015
- try {
2016
- if (!e.oauthCallback)
2017
- return E.redirect(
2018
- new URL("/login?error=oauth_not_configured", r.url)
2019
- );
2020
- const i = await e.oauthCallback(n, s, o);
2021
- if (i.success) {
2022
- const a = t.get("callbackUrl") || "/";
2023
- return E.redirect(new URL(a, r.url));
2024
- } else {
2025
- const a = i.errorCode ? `${encodeURIComponent(i.error || "oauth_failed")}&code=${i.errorCode}` : encodeURIComponent(i.error || "oauth_failed");
2026
- return E.redirect(
2027
- new URL(`/login?error=${a}`, r.url)
2028
- );
2029
- }
2030
- } catch (i) {
2031
- return process.env.NODE_ENV === "development" && console.error("[Mulguard] OAuth callback error:", i), E.redirect(
2032
- new URL(
2033
- `/login?error=${encodeURIComponent(i instanceof Error ? i.message : "oauth_error")}`,
2034
- r.url
2035
- )
2036
- );
2037
- }
2038
- };
2039
- }
2040
- function F(e, r) {
2041
- const t = H({
2576
+ function $(e, r) {
2577
+ const t = ne({
2042
2578
  // Customize headers if needed
2043
2579
  "X-Frame-Options": "SAMEORIGIN"
2044
2580
  // Allow same-origin framing
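Review bot: `rt` checks the parsed URL `t` against the request origin but then returns `t.pathname + t.search + t.hash`, which `tt` parses a second time with `new URL(n, e)`. The origin check only covers the first parse: a normalised pathname that starts with two slashes would be read as a scheme-relative reference on the second parse and could resolve to a different host. Returning the validated absolute form instead, `return t.href;`, keeps the redirect on the origin that was actually checked. The blocked-redirect warnings are logged only when `NODE_ENV === "development"`, so a production deployment gets no signal that a `callbackUrl` was rejected; a log through the package logger at warn level would help detection. The function `$` at the end of this hunk continues outside it.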
@@ -2047,183 +2583,154 @@ function F(e, r) {
2047
2583
  s && typeof s == "string" && r.headers.set(n, s);
2048
2584
  return r;
2049
2585
  }
2050
- function ct() {
2051
- return async (e) => {
2052
- const r = E.next();
2053
- return F(e, r);
2054
- };
2055
- }
2056
- function ut(e, r = {}) {
2057
- const {
2058
- protectedRoutes: t = [],
2059
- publicRoutes: n = [],
2060
- redirectTo: s = "/login",
2061
- redirectIfAuthenticated: o
2062
- } = r;
2063
- return async (i) => {
2064
- const { pathname: a } = i.nextUrl, u = t.some((w) => a.startsWith(w));
2065
- let f = null;
2066
- try {
2067
- f = await e.getSession();
2068
- } catch (w) {
2069
- console.error("Middleware: Failed to get session:", w);
2070
- }
2071
- if (u && !f) {
2072
- const w = i.nextUrl.clone();
2073
- return w.pathname = s, w.searchParams.set("callbackUrl", a), E.redirect(w);
2074
- }
2075
- if (o && f && (a.startsWith("/login") || a.startsWith("/register"))) {
2076
- const R = i.nextUrl.clone();
2077
- R.pathname = o;
2078
- const A = E.redirect(R);
2079
- return F(i, A);
2080
- }
2081
- const g = E.next();
2082
- return F(i, g);
2083
- };
2084
- }
2085
- async function lt(e, r) {
2086
- var t;
2087
- try {
2088
- const n = await e.getSession();
2089
- return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
2090
- } catch {
2091
- return !1;
2092
- }
2093
- }
2094
- function ft(e) {
2586
+ function nt(e) {
2095
2587
  const {
2096
2588
  auth: r,
2097
2589
  protectedRoutes: t = [],
2098
- publicRoutes: n = [],
2099
- redirectTo: s = "/login",
2100
- redirectIfAuthenticated: o,
2101
- apiPrefix: i = "/api/auth"
2590
+ // publicRoutes is reserved for future use
2591
+ redirectTo: n = "/login",
2592
+ redirectIfAuthenticated: s,
2593
+ apiPrefix: i = "/api/auth",
2594
+ enableSecurityHeaders: o = !0
2102
2595
  } = e;
2103
2596
  return async (a) => {
2104
- const { pathname: u } = a.nextUrl;
2105
- if (u.startsWith(i)) {
2106
- const R = E.next();
2107
- return F(a, R);
2597
+ const { pathname: c } = a.nextUrl;
2598
+ if (c.startsWith(i)) {
2599
+ const y = A.next();
2600
+ return o ? $(a, y) : y;
2108
2601
  }
2109
- const f = t.some((R) => u.startsWith(R));
2110
- let g = null;
2111
- if (f || o)
2602
+ if (c.startsWith("/_next/") || c.startsWith("/api/") || c.match(/\.(ico|png|jpg|jpeg|svg|gif|webp|css|js|woff|woff2|ttf|eot)$/))
2603
+ return A.next();
2604
+ const u = t.length > 0 ? t.some((y) => c.startsWith(y)) : !1;
2605
+ let h = null;
2606
+ if (u || s)
2112
2607
  try {
2113
- g = await r.getSession();
2114
- } catch (R) {
2115
- console.error("Middleware: Failed to get session:", R);
2608
+ h = await r.getSession();
2609
+ } catch (y) {
2610
+ process.env.NODE_ENV === "development" && console.error("Proxy: Failed to get session:", y);
2116
2611
  }
2117
- if (f && !g) {
2118
- const R = a.nextUrl.clone();
2119
- R.pathname = s, R.searchParams.set("callbackUrl", u);
2120
- const A = E.redirect(R);
2121
- return F(a, A);
2612
+ if (u && !h) {
2613
+ const y = a.nextUrl.clone();
2614
+ y.pathname = n, y.searchParams.set("callbackUrl", c);
2615
+ const E = A.redirect(y);
2616
+ return o ? $(a, E) : E;
2122
2617
  }
2123
- if (o && g && (u.startsWith("/login") || u.startsWith("/register"))) {
2124
- const A = a.nextUrl.clone();
2125
- A.pathname = o;
2126
- const S = E.redirect(A);
2127
- return F(a, S);
2618
+ if (s && h && (c.startsWith("/login") || c.startsWith("/register") || c.startsWith("/signup") || c.startsWith("/sign-in"))) {
2619
+ const E = a.nextUrl.clone();
2620
+ E.pathname = s;
2621
+ const v = A.redirect(E);
2622
+ return o ? $(a, v) : v;
2128
2623
  }
2129
- const w = E.next();
2130
- return F(a, w);
2624
+ const f = A.next();
2625
+ return o ? $(a, f) : f;
2131
2626
  };
2132
2627
  }
2133
- async function dt(e, r) {
2134
- var t;
2628
+ async function st(e, r) {
2135
2629
  try {
2136
- const n = await e.getSession();
2137
- return n ? ((t = n.user.roles) == null ? void 0 : t.includes(r)) ?? !1 : !1;
2630
+ const t = await e.getSession();
2631
+ return t ? (t.user.roles || []).includes(r) : !1;
2138
2632
  } catch {
2139
2633
  return !1;
2140
2634
  }
2141
2635
  }
2636
+ function Ht(e, r) {
2637
+ const t = nt(e);
2638
+ return async (n) => {
2639
+ var o;
2640
+ const { pathname: s } = n.nextUrl;
2641
+ return ((o = e.protectedRoutes) == null ? void 0 : o.some(
2642
+ (a) => s.startsWith(a)
2643
+ )) && !await st(e.auth, r) ? A.json({ error: "Forbidden" }, { status: 403 }) : t(n);
2644
+ };
2645
+ }
2142
2646
  export {
2143
- Te as CSRFProtection,
2144
- fe as DEFAULT_SECURITY_HEADERS,
2145
- Oe as MemoryCSRFStore,
2146
- qe as MemoryOAuthStateStore,
2147
- le as RateLimiter,
2148
- Pr as applySecurityHeaders,
2149
- ie as buildCookieOptions,
2150
- Ne as buildOAuthAuthorizationUrl,
2151
- lt as checkRole,
2152
- dt as checkRoleProxy,
2153
- $r as containsXSSPattern,
2154
- it as createApiHandler,
2155
- ut as createAuthMiddleware,
2156
- Vr as createCSRFProtection,
2157
- We as createCookieOAuthStateStore,
2158
- Be as createMemoryOAuthStateStore,
2159
- tt as createNextJsCookieOAuthStateStore,
2160
- at as createOAuthCallbackHandler,
2161
- ft as createProxyMiddleware,
2162
- _r as createRateLimiter,
2163
- nt as createRedisOAuthStateStore,
2164
- ct as createSecurityMiddleware,
2165
- kt as createServerAuthMiddleware,
2166
- vt as createServerHelpers,
2167
- St as createServerUtils,
2168
- At as createSessionManager,
2169
- oe as deleteCookie,
2170
- Rt as deleteOAuthStateCookie,
2171
- Ie as escapeHTML,
2172
- be as exchangeOAuthCode,
2173
- _e as generateCSRFToken,
2174
- Y as generateToken,
2175
- ce as getCookie,
2176
- Ot as getCurrentUser,
2177
- Kr as getErrorCode,
2178
- Gr as getErrorMessage,
2179
- Tt as getOAuthStateCookie,
2180
- Fe as getOAuthUserInfo,
2181
- j as getProviderMetadata,
2182
- H as getSecurityHeaders,
2183
- It as getServerSession,
2184
- _t as getSessionTimeUntilExpiry,
2185
- Qr as getUserFriendlyError,
2186
- Jr as hasErrorCode,
2187
- Ce as isAuthError,
2188
- Xr as isAuthSuccess,
2189
- rt as isOAuthProviderConfig,
2190
- Yr as isRetryableError,
2191
- Pt as isSessionExpiredNullable,
2192
- Ct as isSessionExpiringSoon,
2193
- Nt as isSessionValid,
2194
- et as isSupportedProvider,
2195
- Hr as isTwoFactorRequired,
2196
- Wr as isValidCSRFToken,
2197
- Br as isValidEmail,
2198
- Mr as isValidInput,
2199
- Ur as isValidName,
2200
- Nr as isValidPassword,
2201
- Lr as isValidToken,
2202
- xr as isValidURL,
2203
- st as mulguard,
2204
- bt as refreshSession,
2205
- Ut as requireAuth,
2206
- Ft as requireRole,
2207
- xt as requireServerAuthMiddleware,
2208
- Dt as requireServerRoleMiddleware,
2209
- jr as sanitizeHTML,
2210
- qr as sanitizeInput,
2211
- zr as sanitizeUserInput,
2212
- ae as setCookie,
2213
- Zr as signIn,
2214
- wt as signInEmailAction,
2215
- pt as signOutAction,
2216
- mt as signUpAction,
2217
- Lt as storeOAuthStateCookie,
2218
- ot as toNextJsHandler,
2219
- G as validateAndSanitizeEmail,
2220
- X as validateAndSanitizeInput,
2221
- br as validateAndSanitizeName,
2222
- Cr as validateAndSanitizePassword,
2223
- Q as validateCSRFToken,
2224
- U as validateSessionStructure,
2225
- Dr as validateToken,
2226
- Fr as validateURL,
2227
- Et as verify2FAAction,
2228
- F as withSecurityHeaders
2647
+ Ke as CSRFProtection,
2648
+ Ne as DEFAULT_SECURITY_HEADERS,
2649
+ Ge as MemoryCSRFStore,
2650
+ kr as MemoryOAuthStateStore,
2651
+ pr as MemoryPKCEStorage,
2652
+ Sr as OAuthHandler,
2653
+ Pe as RateLimiter,
2654
+ Qt as SessionExpiredError,
2655
+ lt as applySecurityHeaders,
2656
+ Re as buildCookieOptions,
2657
+ de as buildOAuthAuthorizationUrl,
2658
+ st as checkRole,
2659
+ At as containsXSSPattern,
2660
+ $t as createApiHandler,
2661
+ Zt as createAuthenticatedAction,
2662
+ kt as createCSRFProtection,
2663
+ yr as createCookieOAuthStateStore,
2664
+ vr as createMemoryOAuthStateStore,
2665
+ Vt as createNextJsCookieOAuthStateStore,
2666
+ jt as createOAuthHandler,
2667
+ nt as createProxyMiddleware,
2668
+ ut as createRateLimiter,
2669
+ Mt as createRedisOAuthStateStore,
2670
+ Ht as createRoleBasedProxy,
2671
+ en as createServerAction,
2672
+ Ae as deleteCookie,
2673
+ rn as deleteOAuthStateCookie,
2674
+ Xe as escapeHTML,
2675
+ he as exchangeOAuthCode,
2676
+ ue as generateCSRFToken,
2677
+ pe as generateCodeChallenge,
2678
+ hr as generateCodeVerifier,
2679
+ gr as generatePKCECodePair,
2680
+ ce as generateToken,
2681
+ Te as getCookie,
2682
+ tn as getCurrentUser,
2683
+ Ct as getErrorCode,
2684
+ bt as getErrorMessage,
2685
+ nn as getOAuthStateCookie,
2686
+ ge as getOAuthUserInfo,
2687
+ K as getProviderMetadata,
2688
+ ne as getSecurityHeaders,
2689
+ sn as getServerSession,
2690
+ on as getServerUser,
2691
+ an as getSessionTimeUntilExpiry,
2692
+ Nt as getUserFriendlyError,
2693
+ ge as getUserProfile,
2694
+ xt as hasErrorCode,
2695
+ Ye as isAuthError,
2696
+ It as isAuthSuccess,
2697
+ cn as isAuthenticated,
2698
+ Ft as isOAuthProviderConfig,
2699
+ Pt as isRetryableError,
2700
+ un as isSessionExpiredNullable,
2701
+ ln as isSessionExpiringSoon,
2702
+ fn as isSessionValid,
2703
+ Dt as isSupportedProvider,
2704
+ _t as isTwoFactorRequired,
2705
+ Rt as isValidCSRFToken,
2706
+ Tt as isValidEmail,
2707
+ yt as isValidInput,
2708
+ gt as isValidName,
2709
+ dt as isValidPassword,
2710
+ Et as isValidToken,
2711
+ pt as isValidURL,
2712
+ zt as mulguard,
2713
+ dn as requireAuth,
2714
+ hn as requireRole,
2715
+ vt as sanitizeHTML,
2716
+ Ot as sanitizeInput,
2717
+ St as sanitizeUserInput,
2718
+ Oe as setCookie,
2719
+ Ut as signIn,
2720
+ Gt as signInEmailAction,
2721
+ Kt as signOutAction,
2722
+ Xt as signUpAction,
2723
+ gn as storeOAuthStateCookie,
2724
+ Bt as toNextJsHandler,
2725
+ se as validateAndSanitizeEmail,
2726
+ oe as validateAndSanitizeInput,
2727
+ ht as validateAndSanitizeName,
2728
+ ft as validateAndSanitizePassword,
2729
+ le as validateCSRFToken,
2730
+ F as validateSessionStructure,
2731
+ mt as validateToken,
2732
+ wt as validateURL,
2733
+ Jt as verify2FAAction,
2734
+ Lt as verifyPKCECode,
2735
+ $ as withSecurityHeaders
2229
2736
  };
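Review bot: The new early return in `nt` (`c.startsWith("/_next/") || c.startsWith("/api/") || c.match(/\.(ico|…|js|…)$/)`) runs before `protectedRoutes` is consulted. Any protected prefix under `/api/`, or any protected path ending in one of the listed extensions, is therefore passed through with `A.next()` with no session check and no security headers. Exempt only unprotected paths: move the `const u = …` line above this check and begin the condition with `!u &&`. `Ht` reads the same `protectedRoutes` list but runs its role check before delegating to `t(n)`, so the two functions currently disagree about which paths are enforced. The 403 returned by `Ht` also skips `$`, so it carries no security headers even when `enableSecurityHeaders` is on.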