mulguard 1.1.6 → 1.1.8

package/dist/core/utils/auth-helpers.d.ts

@@ -1,136 +0,0 @@
-import { AuthResult, TwoFactorAuthResult } from '../types/auth';
-import { AuthErrorCode } from '../types/errors';
-/**
- * Check if an authentication result indicates an error
- *
- * @param result - Authentication result to check
- * @returns True if the result indicates an error
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (isAuthError(result)) {
- *   console.error('Authentication failed:', result.error)
- * }
- * ```
- */
-export declare function isAuthError(result: AuthResult): boolean;
-/**
- * Type guard to check if 2FA is required
- *
- * This function narrows the type to TwoFactorAuthResult when true,
- * making it easier to work with 2FA flows in TypeScript.
- *
- * @param result - Authentication result to check
- * @returns True if 2FA is required (type guard)
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (isTwoFactorRequired(result)) {
- *   // TypeScript knows result is TwoFactorAuthResult here
- *   console.log('2FA required for:', result.email)
- *   // Can safely access result.email, result.userId, result.twoFactorMethod
- * }
- * ```
- */
-export declare function isTwoFactorRequired(result: AuthResult): result is TwoFactorAuthResult;
-/**
- * Get error message from authentication result
- *
- * @param result - Authentication result
- * @param defaultMessage - Default message if no error is present
- * @returns Error message or default message
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (!result.success) {
- *   const message = getErrorMessage(result, 'Authentication failed')
- *   showToast(message)
- * }
- * ```
- */
-export declare function getErrorMessage(result: AuthResult, defaultMessage?: string): string;
-/**
- * Get error code from authentication result
- *
- * @param result - Authentication result
- * @returns Error code or undefined
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * const errorCode = getErrorCode(result)
- * if (errorCode === AuthErrorCode.ACCOUNT_LOCKED) {
- *   showAccountLockedMessage()
- * }
- * ```
- */
-export declare function getErrorCode(result: AuthResult): AuthErrorCode | undefined;
-/**
- * Check if authentication was successful
- *
- * @param result - Authentication result to check
- * @returns True if authentication was successful
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (isAuthSuccess(result)) {
- *   console.log('Welcome,', result.user?.name)
- * }
- * ```
- */
-export declare function isAuthSuccess(result: AuthResult): boolean;
-/**
- * Check if a specific error code matches
- *
- * @param result - Authentication result
- * @param code - Error code to check for
- * @returns True if the error code matches
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (hasErrorCode(result, AuthErrorCode.ACCOUNT_LOCKED)) {
- *   showAccountLockedMessage()
- * }
- * ```
- */
-export declare function hasErrorCode(result: AuthResult, code: AuthErrorCode): boolean;
-/**
- * Check if the error is retryable
- *
- * Some errors (like network errors or rate limits) may be retryable,
- * while others (like invalid credentials) should not be retried.
- *
- * @param result - Authentication result
- * @returns True if the error is retryable
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (isAuthError(result) && isRetryableError(result)) {
- *   // Show retry button
- *   showRetryButton()
- * }
- * ```
- */
-export declare function isRetryableError(result: AuthResult): boolean;
-/**
- * Get user-friendly error message based on error code
- *
- * @param result - Authentication result
- * @returns User-friendly error message
- *
- * @example
- * ```typescript
- * const result = await auth.signIn.email(credentials)
- * if (!result.success) {
- *   const message = getUserFriendlyError(result)
- *   showToast(message)
- * }
- * ```
- */
-export declare function getUserFriendlyError(result: AuthResult): string;

package/dist/core/utils/logger.d.ts

@@ -1,121 +0,0 @@
-/**
- * Structured logging utilities for Mulguard Authentication Library.
- *
- * Provides type-safe, structured logging with context and error handling.
- *
- * @module @mulguard/core/utils/logger
- */
-/**
- * Log level enumeration.
- */
-export declare enum LogLevel {
-    DEBUG = 0,
-    INFO = 1,
-    WARN = 2,
-    ERROR = 3
-}
-/**
- * Log entry structure.
- */
-export interface LogEntry {
-    readonly level: LogLevel;
-    readonly message: string;
-    readonly timestamp: Date;
-    readonly context?: string;
-    readonly data?: Readonly<Record<string, unknown>>;
-    readonly error?: Error;
-}
-/**
- * Logger interface.
- */
-export interface Logger {
-    readonly debug: (message: string, data?: Readonly<Record<string, unknown>>) => void;
-    readonly info: (message: string, data?: Readonly<Record<string, unknown>>) => void;
-    readonly warn: (message: string, data?: Readonly<Record<string, unknown>>) => void;
-    readonly error: (message: string, error?: Error | Readonly<Record<string, unknown>>) => void;
-}
-/**
- * Logger configuration.
- */
-export interface LoggerConfig {
-    readonly enabled?: boolean;
-    readonly level?: LogLevel;
-    readonly prefix?: string;
-    readonly context?: string;
-    readonly formatter?: (entry: LogEntry) => string;
-}
-/**
- * Creates a logger instance with configuration.
- *
- * @param config - Logger configuration
- * @returns Logger instance
- *
- * @example
- * ```typescript
- * const logger = createLogger({
- *   enabled: true,
- *   level: LogLevel.INFO,
- *   context: 'Auth'
- * })
- *
- * logger.info('User signed in', { userId: '123' })
- * ```
- */
-export declare function createLogger(config?: LoggerConfig): Logger;
-/**
- * Default logger instance.
- *
- * Uses development settings by default.
- */
-export declare const logger: Logger;
-/**
- * Type predicate to check if a value is a valid Logger.
- *
- * @param value - Value to check
- * @returns True if value is a Logger
- */
-export declare function isLogger(value: unknown): value is Logger;
-/**
- * TODO: Performance
- * - [ ] Add log batching for high-frequency operations
- * - [ ] Implement async logging for non-blocking operations
- * - [ ] Add log rotation and cleanup
- * - [ ] Consider structured logging libraries (pino, winston)
- *
- * TODO: Features
- * - [ ] Add log levels filtering at runtime
- * - [ ] Implement log transport abstraction (console, file, remote)
- * - [ ] Add log correlation IDs
- * - [ ] Create log aggregation support
- * - [ ] Add performance metrics logging
- * - [ ] Implement log sampling for high-volume scenarios
- *
- * TODO: Type Safety
- * - [ ] Add type-safe log data validation
- * - [ ] Create log schema definitions
- * - [ ] Add compile-time log level checking
- * - [ ] Implement type-safe log context
- *
- * TODO: Security
- * - [ ] Enhance sensitive data detection
- * - [ ] Add PII (Personally Identifiable Information) masking
- * - [ ] Implement log encryption for sensitive logs
- * - [ ] Add audit log support
- *
- * TODO: Testing
- * - [ ] Add logger unit tests
- * - [ ] Test log sanitization
- * - [ ] Test log formatting
- * - [ ] Add performance tests
- *
- * TODO: Documentation
- * - [ ] Document logging best practices
- * - [ ] Add logging configuration guide
- * - [ ] Document log levels and when to use them
- *
- * TODO: Limitations
- * - [ ] Current implementation uses console (consider transport abstraction)
- * - [ ] Log sanitization is basic (may need enhancement)
- * - [ ] No log persistence (consider file/remote logging)
- * - [ ] No log correlation (consider adding request IDs)
- */

package/dist/handlers/api.d.ts

@@ -1,10 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { MulguardInstance } from '../mulguard';
-/**
- * Create API route handler
- */
-export declare function createApiHandler(_auth: MulguardInstance): (request: NextRequest) => Promise<NextResponse<any>>;
-/**
- * OAuth callback handler
- */
-export declare function createOAuthCallbackHandler(auth: MulguardInstance): (request: NextRequest) => Promise<NextResponse<unknown>>;

package/dist/handlers/route.d.ts

@@ -1,76 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { MulguardInstance } from '../mulguard';
-/**
- * Route handler options.
- */
-export interface RouteHandlerOptions {
-    readonly auth: MulguardInstance;
-}
-/**
- * Creates Next.js route handlers for Mulguard authentication.
- *
- * @param auth - Mulguard instance
- * @returns Route handlers for GET and POST requests
- *
- * @example
- * ```typescript
- * // app/api/auth/[...mulguard]/route.ts
- * import { auth } from '@/auth'
- * import { toNextJsHandler } from 'mulguard'
- *
- * export const { GET, POST } = toNextJsHandler(auth)
- * ```
- */
-export declare function toNextJsHandler(auth: MulguardInstance): {
-    GET: (request: NextRequest) => Promise<NextResponse>;
-    POST: (request: NextRequest) => Promise<NextResponse>;
-};
-/**
- * TODO: Performance
- * - [ ] Add request rate limiting middleware
- * - [ ] Implement request caching for GET /session
- * - [ ] Add request body size limits
- * - [ ] Optimize path matching with compiled regex
- *
- * TODO: Features
- * - [ ] Add request logging middleware
- * - [ ] Implement request validation middleware
- * - [ ] Add CORS support configuration
- * - [ ] Create request/response transformation hooks
- * - [ ] Add request timeout handling
- *
- * TODO: Type Safety
- * - [ ] Add runtime validation for request bodies
- * - [ ] Create type-safe route definitions
- * - [ ] Implement compile-time route validation
- * - [ ] Add type guards for all request bodies
- *
- * TODO: Security
- * - [ ] Add CSRF token validation for state-changing operations
- * - [ ] Implement request origin validation
- * - [ ] Add request signing verification
- * - [ ] Create security headers middleware
- *
- * TODO: Error Handling
- * - [ ] Add structured error responses
- * - [ ] Implement error logging
- * - [ ] Create error recovery strategies
- * - [ ] Add error reporting
- *
- * TODO: Testing
- * - [ ] Add comprehensive route handler tests
- * - [ ] Test all error scenarios
- * - [ ] Test path matching logic
- * - [ ] Add integration tests
- *
- * TODO: Documentation
- * - [ ] Document all supported routes
- * - [ ] Add route examples
- * - [ ] Create troubleshooting guide
- *
- * TODO: Limitations
- * - [ ] Path matching is basic (consider route table)
- * - [ ] No request body validation (add schema validation)
- * - [ ] Error messages may expose internal details
- * - [ ] No request timeout configuration
- */

package/dist/index/index.js

@@ -1 +0,0 @@
-"use strict";var Ee=Object.create;var j=Object.defineProperty;var Se=Object.getOwnPropertyDescriptor;var ye=Object.getOwnPropertyNames;var ke=Object.getPrototypeOf,Ae=Object.prototype.hasOwnProperty;var ve=(e,r,t)=>r in e?j(e,r,{enumerable:!0,configurable:!0,writable:!0,value:t}):e[r]=t;var Re=(e,r,t,n)=>{if(r&&typeof r=="object"||typeof r=="function")for(let o of ye(r))!Ae.call(e,o)&&o!==t&&j(e,o,{get:()=>r[o],enumerable:!(n=Se(r,o))||n.enumerable});return e};var $=(e,r,t)=>(t=e!=null?Ee(ke(e)):{},Re(r||!e||!e.__esModule?j(t,"default",{value:e,enumerable:!0}):t,e));var b=(e,r,t)=>ve(e,typeof r!="symbol"?r+"":r,t);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const h=require("../actions-CExpv_dD.js"),C=require("../oauth-state-DlvrCV11.js"),E=require("next/server"),F=typeof globalThis=="object"&&"crypto"in globalThis?globalThis.crypto:void 0;/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function Ce(e=32){if(F&&typeof F.getRandomValues=="function")return F.getRandomValues(new Uint8Array(e));if(F&&typeof F.randomBytes=="function")return Uint8Array.from(F.randomBytes(e));throw new Error("crypto.getRandomValues must be defined")}class Z{constructor(r){b(this,"attempts",new Map);b(this,"config");this.config=r}check(r){const t=Date.now(),n=this.attempts.get(r);return!n||n.resetAt<t?(this.attempts.set(r,{count:1,resetAt:t+this.config.windowMs}),{allowed:!0,remaining:this.config.maxAttempts-1,resetAt:new Date(t+this.config.windowMs)}):n.count>=this.config.maxAttempts?{allowed:!1,remaining:0,resetAt:new Date(n.resetAt)}:(n.count++,{allowed:!0,remaining:this.config.maxAttempts-n.count,resetAt:new Date(n.resetAt)})}reset(r){this.attempts.delete(r)}clear(){this.attempts.clear()}}function Oe(e){return new Z(e)}const ee={"X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","X-XSS-Protection":"1; mode=block","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';","Referrer-Policy":"strict-origin-when-cross-origin","Permissions-Policy":"geolocation=(), microphone=(), camera=()"};function H(e){return{...ee,...e}}function Te(e,r){const t=H(r);for(const[n,o]of Object.entries(t))o&&e.set(n,o)}const Ie=/^[^\s@]+@[^\s@]+\.[^\s@]+$/,_e=254;function q(e){var t;if(typeof e!="string"||!e)return{valid:!1,error:"Email is required"};const r=e.trim().toLowerCase();return Ie.test(r)?r.length>_e?{valid:!1,error:"Email is too long"}:r.includes("..")||r.startsWith(".")||r.endsWith(".")?{valid:!1,error:"Invalid email format"}:(t=r.split("@")[1])!=null&&t.includes("..")?{valid:!1,error:"Invalid email format"}:{valid:!0,sanitized:r}:{valid:!1,error:"Invalid email format"}}function re(e){return e.valid===!0&&e.sanitized!==void 0}const Pe=new Set(["password","12345678","qwerty","abc123","password123","123456789","1234567890","letmein","welcome","monkey","dragon","master","sunshine","princess","football","admin","root","test","guest","user"]),Ne=/012|123|234|345|456|567|678|789|abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz/i,xe=8,Ue=128;function be(e,r=xe){if(typeof e!="string"||!e)return{valid:!1,error:"Password is required"};if(e.length<r)return{valid:!1,error:`Password must be at least ${r} characters`};if(e.length>Ue)return{valid:!1,error:"Password is too long"};const t=e.toLowerCase();if(Pe.has(t))return{valid:!1,error:"Password is too common"};if(/(.)\1{3,}/.test(e))return{valid:!1,error:"Password contains too many repeated characters"};if(Ne.test(e))return{valid:!1,error:"Password contains sequential characters"};const n=Fe(e);return{valid:!0,sanitized:e,strength:n}}function Fe(e){let r=0;return e.length>=12?r+=2:e.length>=8&&(r+=1),/[a-z]/.test(e)&&(r+=1),/[A-Z]/.test(e)&&(r+=1),/[0-9]/.test(e)&&(r+=1),/[^a-zA-Z0-9]/.test(e)&&(r+=1),r>=5?"strong":r>=3?"medium":"weak"}function De(e){return e.valid===!0&&e.sanitized!==void 0}const Le=100;function Me(e){if(typeof e!="string"||!e)return{valid:!1,error:"Name is required"};const r=e.trim();if(r.length<1)return{valid:!1,error:"Name cannot be empty"};if(r.length>Le)return{valid:!1,error:"Name is too long"};const t=r.replace(/[<>"']/g,"");return t.length===0?{valid:!1,error:"Name contains only invalid characters"}:{valid:!0,sanitized:t}}function Ve(e){return e.valid===!0&&e.sanitized!==void 0}const ze=new Set(["http:","https:"]);function je(e){if(typeof e!="string"||!e)return{valid:!1,error:"URL is required"};try{const r=new URL(e);return ze.has(r.protocol)?{valid:!0,sanitized:e}:{valid:!1,error:"URL must use http or https protocol"}}catch{return{valid:!1,error:"Invalid URL format"}}}function $e(e){return e.valid===!0&&e.sanitized!==void 0}const He=16,qe=512,We=/^[A-Za-z0-9_-]+$/;function Be(e,r=He){return typeof e!="string"||!e?{valid:!1,error:"Token is required"}:e.length<r?{valid:!1,error:"Token is too short"}:e.length>qe?{valid:!1,error:"Token is too long"}:We.test(e)?/(.)\1{10,}/.test(e)?{valid:!1,error:"Token contains suspicious pattern"}:{valid:!0,sanitized:e}:{valid:!1,error:"Invalid token format"}}function Ge(e){return e.valid===!0&&e.sanitized!==void 0}const Ke=1e3;function W(e,r){const{maxLength:t=Ke,allowHtml:n=!1,required:o=!0}=r??{};if(o&&(typeof e!="string"||!e||e.trim().length===0))return{valid:!1,error:"Input is required"};if(typeof e!="string"||!e)return{valid:!0,sanitized:""};let s=e.trim();return s.length>t?{valid:!1,error:`Input must be less than ${t} characters`}:(n||(s=s.replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&#x27;").replace(/\//g,"&#x2F;")),s=s.replace(/[\x00-\x1F\x7F]/g,""),{valid:!0,sanitized:s})}function Xe(e){return e.valid===!0&&e.sanitized!==void 0}class te{constructor(){b(this,"tokens",new Map)}get(r){const t=this.tokens.get(r);return t?t.expiresAt<Date.now()?(this.delete(r),null):t.value:null}set(r,t,n=36e5){this.tokens.set(r,{value:t,expiresAt:Date.now()+n})}delete(r){this.tokens.delete(r)}clear(){this.tokens.clear()}}class ne{constructor(r,t=32){b(this,"store");b(this,"tokenLength");this.store=r||new te,this.tokenLength=t}generateToken(r,t){const n=B(this.tokenLength);return this.store.set(r,n,t),n}validateToken(r,t){const n=this.store.get(r);if(!n)return!1;const o=G(t,n);return o&&this.store.delete(r),o}getToken(r){return this.store.get(r)}deleteToken(r){this.store.delete(r)}}function Je(e){return new ne(e)}function oe(e){if(typeof e!="string")return"";const r={"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#039;"};return e.replace(/[&<>"']/g,t=>r[t]||t)}function Ye(e){return typeof e!="string"?"":e.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,"").replace(/on\w+\s*=\s*["'][^"']*["']/gi,"").replace(/javascript:/gi,"")}function Qe(e){return typeof e!="string"?"":oe(e.trim())}function Ze(e){return typeof e!="string"?!1:[/<script/i,/javascript:/i,/on\w+\s*=/i,/<iframe/i,/<object/i,/<embed/i,/<link/i,/<meta/i,/expression\s*\(/i,/vbscript:/i].some(t=>t.test(e))}const se=32;function B(e=se){if(e<1||e>256)throw new Error("Token length must be between 1 and 256 bytes");const r=Ce(e);return Buffer.from(r).toString("base64url")}function ie(){return B(se)}function G(e,r){if(typeof e!="string"||typeof r!="string"||!e||!r||e.length!==r.length)return!1;let t=0;for(let n=0;n<e.length;n++)t|=e.charCodeAt(n)^r.charCodeAt(n);return t===0}function er(e,r){return G(e,r)}function rr(e){return typeof e!="string"?"":e.trim().replace(/[<>]/g,"")}const tr=/^[^\s@]+@[^\s@]+\.[^\s@]+$/;function nr(e){return typeof e=="string"&&tr.test(e)}function ae(e){return!e.success&&!!e.error}function or(e){return e.requires2FA===!0||e.errorCode===h.AuthErrorCode.TWO_FA_REQUIRED}function sr(e,r){return e.error?e.error:r||"Authentication failed"}function ir(e){return e.errorCode}function ar(e){return e.success===!0&&!!e.user}function cr(e,r){return e.errorCode===r}function ur(e){if(!ae(e))return!1;const r=[h.AuthErrorCode.NETWORK_ERROR,h.AuthErrorCode.RATE_LIMITED,h.AuthErrorCode.UNKNOWN_ERROR];return e.errorCode?r.includes(e.errorCode):!1}function lr(e){if(e.error)return e.error;switch(e.errorCode){case h.AuthErrorCode.INVALID_CREDENTIALS:return"Invalid email or password. Please try again.";case h.AuthErrorCode.ACCOUNT_LOCKED:return"Your account has been temporarily locked. Please try again later.";case h.AuthErrorCode.ACCOUNT_INACTIVE:return"Your account is inactive. Please contact support.";case h.AuthErrorCode.TWO_FA_REQUIRED:return"Two-factor authentication is required. Please enter your code.";case h.AuthErrorCode.INVALID_TWO_FA_CODE:return"Invalid two-factor authentication code. Please try again.";case h.AuthErrorCode.SESSION_EXPIRED:return"Your session has expired. Please sign in again.";case h.AuthErrorCode.UNAUTHORIZED:return"You are not authorized to perform this action.";case h.AuthErrorCode.NETWORK_ERROR:return"Network error. Please check your connection and try again.";case h.AuthErrorCode.VALIDATION_ERROR:return"Please check your input and try again.";case h.AuthErrorCode.RATE_LIMITED:return"Too many attempts. Please try again later.";case h.AuthErrorCode.UNKNOWN_ERROR:default:return"An unexpected error occurred. Please try again."}}async function fr(e,r,t){return e.signIn(r,t)}const ce={google:{authorizationUrl:"https://accounts.google.com/o/oauth2/v2/auth",tokenUrl:"https://oauth2.googleapis.com/token",userInfoUrl:"https://www.googleapis.com/oauth2/v2/userinfo",defaultScopes:["openid","profile","email"]},github:{authorizationUrl:"https://github.com/login/oauth/authorize",tokenUrl:"https://github.com/login/oauth/access_token",userInfoUrl:"https://api.github.com/user",defaultScopes:["user:email"]},apple:{authorizationUrl:"https://appleid.apple.com/auth/authorize",tokenUrl:"https://appleid.apple.com/auth/token",userInfoUrl:"https://appleid.apple.com/auth/userinfo",defaultScopes:["name","email"],defaultParams:{response_mode:"form_post",response_type:"code id_token"}},facebook:{authorizationUrl:"https://www.facebook.com/v18.0/dialog/oauth",tokenUrl:"https://graph.facebook.com/v18.0/oauth/access_token",userInfoUrl:"https://graph.facebook.com/v18.0/me?fields=id,name,email,picture",defaultScopes:["email","public_profile"]}};function z(e){return ce[e]??null}function dr(e){return e in ce}function ue(e,r,t,n){const o=z(e);if(!o)throw new Error(`Unknown OAuth provider: ${e}`);if(!r.clientId)throw new Error(`OAuth provider "${e}" is missing clientId`);const s=r.redirectUri??`${t}/api/auth/callback/${e}`,i=r.scopes??o.defaultScopes,a=new URLSearchParams({client_id:r.clientId,redirect_uri:s,response_type:"code",scope:Array.isArray(i)?i.join(" "):String(i),state:n});if(o.defaultParams)for(const[u,f]of Object.entries(o.defaultParams))a.append(u,f);if(r.params)for(const[u,f]of Object.entries(r.params))a.set(u,f);return`${o.authorizationUrl}?${a.toString()}`}async function le(e,r,t,n){const o=z(e);if(!o)throw new Error(`Unknown OAuth provider: ${e}`);if(!t||typeof t!="string")throw new Error("Authorization code is required");if(!r.clientId)throw new Error(`OAuth provider "${e}" is missing clientId`);const s=new URLSearchParams({client_id:r.clientId,code:t,redirect_uri:n,grant_type:"authorization_code"});r.clientSecret&&s.append("client_secret",r.clientSecret);try{const i=await fetch(o.tokenUrl,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"},body:s.toString()});if(!i.ok){const u=await i.text();let f=`Failed to exchange code for tokens: ${u}`;try{const w=JSON.parse(u);f=w.error_description??w.error??f}catch{}throw new Error(f)}const a=await i.json();if(!hr(a))throw new Error("Invalid token exchange response format");return a}catch(i){throw i instanceof Error?i:new Error(`OAuth token exchange failed: ${String(i)}`)}}function hr(e){return typeof e=="object"&&e!==null&&"access_token"in e&&typeof e.access_token=="string"}async function fe(e,r){const t=z(e);if(!t)throw new Error(`Unknown OAuth provider: ${e}`);if(!r||typeof r!="string")throw new Error("Access token is required");try{const n=await fetch(t.userInfoUrl,{headers:{Authorization:`Bearer ${r}`,Accept:"application/json"}});if(!n.ok){const s=await n.text();let i=`Failed to fetch user info: ${s}`;try{const a=JSON.parse(s);i=a.error_description??a.error??i}catch{}throw new Error(i)}const o=await n.json();return gr(e,o,r)}catch(n){throw n instanceof Error?n:new Error(`OAuth user info retrieval failed: ${String(n)}`)}}async function gr(e,r,t){switch(e){case"google":return wr(r);case"github":return await pr(r,t);case"apple":return mr(r);case"facebook":return Er(r);default:return Sr(r)}}function wr(e){return{id:String(e.sub??e.id??""),email:String(e.email??""),name:String(e.name??""),avatar:typeof e.picture=="string"?e.picture:void 0,emailVerified:!!e.email_verified,rawProfile:e}}async function pr(e,r){let t=typeof e.email=="string"?e.email:void 0,n={...e};if(!t)try{const o=await fetch("https://api.github.com/user/emails",{headers:{Authorization:`Bearer ${r}`}});if(o.ok){const s=await o.json(),i=s.find(a=>a.primary)??s[0];t=(i==null?void 0:i.email)??`${String(e.login??"user")}@users.noreply.github.com`,n={...e,emails:s}}else t=`${String(e.login??"user")}@users.noreply.github.com`}catch{t=`${String(e.login??"user")}@users.noreply.github.com`}return{id:String(e.id??""),email:t??"",name:String(e.name??e.login??""),avatar:typeof e.avatar_url=="string"?e.avatar_url:void 0,emailVerified:!!t,rawProfile:n}}function mr(e){const r=e.name,t=r?`${r.firstName??""} ${r.lastName??""}`.trim():"";return{id:String(e.sub??""),email:String(e.email??""),name:t,emailVerified:!!e.email_verified,rawProfile:e}}function Er(e){var t;const r=e.picture;return{id:String(e.id??""),email:String(e.email??""),name:String(e.name??""),avatar:(t=r==null?void 0:r.data)==null?void 0:t.url,emailVerified:!0,rawProfile:e}}function Sr(e){return{id:String(e.id??e.sub??""),email:String(e.email??""),name:String(e.name??e.display_name??e.username??""),avatar:typeof e.avatar=="string"?e.avatar:typeof e.picture=="string"?e.picture:typeof e.avatar_url=="string"?e.avatar_url:void 0,emailVerified:!!(e.email_verified??e.emailVerified??!1),rawProfile:e}}function yr(e){return typeof e=="object"&&e!==null&&"clientId"in e&&typeof e.clientId=="string"}const kr="__mulguard_oauth_state",Ar=10*60*1e3;function de(e){const r=e.cookieName||kr,t=e.ttl||Ar,n=process.env.NODE_ENV==="production",o=e.secure??n,s=e.sameSite||"strict",i=e.cookieHandler,a=u=>({httpOnly:!0,secure:o,sameSite:s,maxAge:Math.floor(u/1e3),path:"/"});return{async set(u,f,w){const p=JSON.stringify({state:u,provider:f.provider,expiresAt:f.expiresAt});await Promise.resolve(i.setCookie(r,p,a(t)))},async get(u){const f=await Promise.resolve(i.getCookie(r));if(!f)return null;try{const w=JSON.parse(f);return w.state!==u?null:w.expiresAt<Date.now()?(await Promise.resolve(i.deleteCookie(r,{path:"/"})),null):{provider:w.provider,expiresAt:w.expiresAt}}catch{return await Promise.resolve(i.deleteCookie(r,{path:"/"})),null}},async delete(u){await this.get(u)&&await Promise.resolve(i.deleteCookie(r,{path:"/"}))},async cleanup(){}}}function vr(){return de({cookieHandler:{async getCookie(e){var r;try{const{cookies:t}=await import("next/headers");return((r=(await t()).get(e))==null?void 0:r.value)||null}catch{return null}},async setCookie(e,r,t){try{const{cookies:n}=await import("next/headers");(await n()).set(e,r,{httpOnly:t.httpOnly??!0,secure:t.secure??process.env.NODE_ENV==="production",sameSite:t.sameSite||"strict",maxAge:t.maxAge,path:t.path||"/"})}catch(n){console.warn("[Mulguard] Failed to set OAuth state cookie:",n)}},async deleteCookie(e,r){try{const{cookies:t}=await import("next/headers");(await t()).set(e,"",{maxAge:0,expires:new Date(0),path:(r==null?void 0:r.path)||"/"})}catch{}}}})}class he{constructor(){b(this,"states",new Map)}set(r,t,n){this.states.set(r,t),this.cleanup()}get(r){const t=this.states.get(r);return t?t.expiresAt<Date.now()?(this.delete(r),null):t:null}delete(r){this.states.delete(r)}cleanup(){const r=Date.now();for(const[t,n]of this.states.entries())n.expiresAt<r&&this.states.delete(t)}}function ge(){return new he}function Rr(e,r="mulguard:oauth:state:"){const t=o=>`${r}${o}`,n=async o=>{const s=t(o);await e.del(s)};return{async set(o,s,i){const a=t(o),u=JSON.stringify(s);await e.set(a,u,"EX",Math.floor(i/1e3))},async get(o){const s=t(o),i=await e.get(s);if(!i)return null;try{const a=JSON.parse(i);return a.expiresAt<Date.now()?(await n(o),null):a}catch{return await n(o),null}},async delete(o){await n(o)},async cleanup(){try{const o=await e.keys(`${r}*`),s=Date.now();for(const i of o){const a=await e.get(i);if(a)try{JSON.parse(a).expiresAt<s&&await e.del(i)}catch{await e.del(i)}}}catch(o){console.warn("[Mulguard] OAuth state cleanup warning:",o)}}}}function D(e){return e.success===!0&&e.user!==void 0&&e.session!==void 0}var we=(e=>(e[e.DEBUG=0]="DEBUG",e[e.INFO=1]="INFO",e[e.WARN=2]="WARN",e[e.ERROR=3]="ERROR",e))(we||{});const Cr=process.env.NODE_ENV==="development"?0:1;function Or(e={}){const{enabled:r=process.env.NODE_ENV==="development",level:t=Cr,context:n,formatter:o=Tr}=e,s=a=>r&&a>=t,i=(a,u,f,w)=>({level:a,message:u,timestamp:new Date,context:n,data:f?Ir(f):void 0,error:w});return{debug:(a,u)=>{if(s(0)){const f=i(0,a,u);console.debug(o(f))}},info:(a,u)=>{if(s(1)){const f=i(1,a,u);console.info(o(f))}},warn:(a,u)=>{if(s(2)){const f=i(2,a,u);console.warn(o(f))}},error:(a,u)=>{if(s(3)){const f=u instanceof Error?u:void 0,w=u instanceof Error?void 0:u,p=i(3,a,w,f);console.error(o(p)),f&&console.error(f)}}}}function Tr(e){const r=e.timestamp.toISOString(),t=we[e.level],n=e.context?`[${e.context}]`:"",o=e.data?` ${JSON.stringify(e.data)}`:"";return`${r} [${t}]${n} ${e.message}${o}`}function Ir(e){const r=new Set(["password","token","secret","key","accessToken","refreshToken"]),t={};for(const[n,o]of Object.entries(e))if(r.has(n.toLowerCase()))t[n]="***REDACTED***";else if(typeof o=="string"&&n.toLowerCase().includes("email")){const s=o.split("@");if(s.length===2&&s[0]){const i=s[0].substring(0,3)+"***@"+s[1];t[n]=i}else t[n]=o}else t[n]=o;return t}const I=Or();function _r(e,r,t,n={}){const{enabled:o=!0,maxRetries:s=1,retryDelay:i=1e3,rateLimit:a=3,autoSignOutOnFailure:u=!0,redirectToLogin:f="/login",autoRedirectOnFailure:w=!0}=n;let p=null,R=!1;const v=[],A=[],S=60*1e3;let g=0,T=!1,_=null;const L=2,M=60*1e3;function c(){const y=Date.now();if(T&&_){if(y<_)return!1;T=!1,_=null,g=0}for(;A.length>0;){const m=A[0];if(m!==void 0&&m<y-S)A.shift();else break}return A.length>=a?!1:(A.push(y),!0)}function l(){g++,g>=L&&(T=!0,_=Date.now()+M,process.env.NODE_ENV==="development"&&console.warn("[TokenRefreshManager] Circuit breaker opened - too many consecutive failures"))}function d(){g=0,T=!1,_=null}async function k(y=1){if(!o)return null;if(!c())throw new Error("Rate limit exceeded for token refresh");try{const m=await e();if(m)return d(),P(m),n.onTokenRefreshed&&await Promise.resolve(n.onTokenRefreshed(m)),m;if(l(),y<s)return await X(i*y),k(y+1);throw new Error("Token refresh failed: refresh function returned null")}catch(m){if(l(),y<s&&N(m))return await X(i*y),k(y+1);throw m}}function N(y){if(y instanceof Error){const m=y.message.toLowerCase();if(m.includes("rate limit")||m.includes("too many requests")||m.includes("429")||m.includes("limit:")||m.includes("requests per minute")||m.includes("token_blacklisted")||m.includes("blacklisted")||m.includes("invalid")||m.includes("401")||m.includes("unauthorized")||m.includes("session has been revoked")||m.includes("session expired"))return!1;if(m.includes("network")||m.includes("fetch")||m.includes("timeout"))return!0}return!1}function P(y){const m=[...v];v.length=0;for(const{resolve:U}of m)U(y)}function K(y){const m=[...v];v.length=0;for(const{reject:U}of m)U(y)}function X(y){return new Promise(m=>setTimeout(m,y))}async function J(y){try{if(n.onTokenRefreshFailed&&await Promise.resolve(n.onTokenRefreshFailed(y)),u&&(await t(),await r(),w&&typeof window<"u")){let m=!0;if(n.onBeforeRedirect&&(m=await Promise.resolve(n.onBeforeRedirect(y))),m){const U=new URL(f,window.location.origin);U.searchParams.set("reason","session_expired"),U.searchParams.set("redirect",window.location.pathname+window.location.search),window.location.href=U.toString()}}}catch(m){process.env.NODE_ENV==="development"&&console.error("[TokenRefreshManager] Error in handleRefreshFailure:",m)}}return{async refreshToken(){return o?p||(R=!0,p=k().then(y=>(R=!1,p=null,y)).catch(y=>{throw R=!1,p=null,K(y),J(y).catch(()=>{}),y}),p):null},isRefreshing(){return R},async waitForRefresh(){return p?new Promise((y,m)=>{v.push({resolve:y,reject:m})}):null},clear(){p=null,R=!1,A.length=0,d(),K(new Error("Token refresh manager cleared"))},async handleRefreshFailure(y){return J(y)}}}function Pr(){const e=process.env.NODE_ENV==="production";return{cookieName:"__mulguard_session",expiresIn:60*60*24*7,httpOnly:!0,secure:e,sameSite:"lax",path:"/"}}function Nr(){return{enabled:!0,refreshThreshold:300,maxRetries:0,retryDelay:1e3,rateLimit:1,autoSignOutOnFailure:!0,redirectToLogin:"/login",autoRedirectOnFailure:!0}}function xr(){return process.env.NEXT_PUBLIC_URL??(process.env.VERCEL_URL?`https://${process.env.VERCEL_URL}`:"http://localhost:3000")}function Ur(e){const{sessionConfig:r,cacheTtl:t,getSessionAction:n,onSessionExpired:o,onError:s}=e,i=r.cookieName??"__mulguard_session";let a=null;const u=async()=>{const S=Date.now();if(a&&S-a.timestamp<t)return a.session;if(n)try{const g=await n();if(g&&C.validateSessionStructure(g))return a={session:g,timestamp:S},g;g&&!C.validateSessionStructure(g)&&(await w(),a=null)}catch(g){I.debug("getSession error",{error:g}),s&&await s(g instanceof Error?g:new Error(String(g)),"getSession"),a=null}try{const g=await h.getCookie(i);if(g)try{const T=JSON.parse(g);if(C.validateSessionStructure(T))return T.expiresAt&&new Date(T.expiresAt)<new Date?(o&&await o(T),await w(),a=null,null):(a={session:T,timestamp:S},T);await w(),a=null}catch{await w(),a=null}}catch(g){const T=g instanceof Error?g.message:String(g);!T.includes("request scope")&&!T.includes("cookies")&&(I.warn("getSession cookie error",{error:g}),s&&await s(g instanceof Error?g:new Error(String(g)),"getSession.cookie"))}return null},f=async S=>{if(!C.validateSessionStructure(S))return{success:!1,error:"Invalid session structure"};try{const g=typeof S=="object"&&"token"in S?String(S.token):JSON.stringify(S),T=h.buildCookieOptions(i,g,r),_=await h.setCookie(T);return _.success&&(a={session:S,timestamp:Date.now()}),_}catch(g){const T=g instanceof Error?g.message:"Failed to set session";return I.error("setSession error",{error:g}),s&&await s(g instanceof Error?g:new Error(String(g)),"setSession"),{success:!1,error:T}}},w=async()=>{try{await h.deleteCookie(i,{path:r.path,domain:r.domain}),a=null}catch(S){I.warn("clearSessionCookie error",{error:S})}},p=async()=>{const S=await u();return S!=null&&S.accessToken&&typeof S.accessToken=="string"?S.accessToken:null};return{getSession:u,setSession:f,clearSessionCookie:w,getAccessToken:p,getRefreshToken:async()=>{const S=await u();return S!=null&&S.refreshToken&&typeof S.refreshToken=="string"?S.refreshToken:null},hasValidTokens:async()=>!!await p(),clearCache:()=>{a=null},getSessionConfig:()=>({cookieName:i,config:r})}}function br(e){return async r=>{try{if(!r||typeof r!="object")return{success:!1,error:"Invalid credentials",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!r.email||typeof r.email!="string")return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const t=q(r.email);if(!re(t))return{success:!1,error:t.error??"Invalid email format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!r.password||typeof r.password!="string")return{success:!1,error:"Password is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(r.password.length>128)return{success:!1,error:"Invalid credentials",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const n={email:t.sanitized,password:r.password},o=await e.actions.signIn.email(n);if(D(o)){const s=await e.saveSessionAfterAuth(o);!s.success&&s.warning&&I.warn("Session save warning",{warning:s.warning})}return o.success?I.info("Sign in successful",{email:n.email.substring(0,3)+"***"}):I.warn("Sign in failed",{email:n.email.substring(0,3)+"***",errorCode:o.errorCode}),o}catch(t){const n=t instanceof Error?t.message:"Sign in failed";return I.error("Sign in error",{error:n,context:"signIn.email"}),e.onError&&await e.onError(t instanceof Error?t:new Error(String(t)),"signIn.email"),{success:!1,error:"Sign in failed. Please try again.",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}}}function Fr(e,r){return async t=>{if(!t||typeof t!="string")throw new Error("Provider is required");const n=W(t,{maxLength:50,allowHtml:!1,required:!0});if(!n.valid||!n.sanitized)throw new Error("Invalid provider");const o=n.sanitized.toLowerCase();if(!e.actions.signIn.oauth)throw new Error("OAuth sign in is not configured. Either provide oauth action in signIn, or configure providers.oauth in config.");const s=await e.actions.signIn.oauth(o);return await r(s.state,o),I.info("OAuth sign in initiated",{provider:o}),s}}function Dr(e){return async(r,t)=>{if(!r||typeof r!="string")return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const n=q(r);if(!re(n))return{success:!1,error:n.error??"Invalid email format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(t!==void 0&&(typeof t!="string"||t.length<4||t.length>10))return{success:!1,error:"Invalid OTP code format",errorCode:h.AuthErrorCode.VALIDATION_ERROR};if(!e.actions.signIn.otp)return{success:!1,error:"OTP sign in is not configured",errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{const o=await e.actions.signIn.otp(n.sanitized,t);if(D(o)){const s=await e.saveSessionAfterAuth(o);!s.success&&s.warning&&I.warn("Session save warning",{warning:s.warning})}return o.success?I.info("OTP sign in successful",{email:n.sanitized.substring(0,3)+"***"}):I.warn("OTP sign in failed",{email:n.sanitized.substring(0,3)+"***"}),o}catch(o){return I.error("OTP sign in error",{error:o instanceof Error?o.message:"Unknown error",context:"signIn.otp"}),e.onError&&await e.onError(o instanceof Error?o:new Error(String(o)),"signIn.otp"),{success:!1,error:"OTP sign in failed. Please try again.",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}}}function Lr(e){return async r=>{if(!e.actions.signIn.passkey)throw new Error("PassKey sign in is not configured. Provide passkey action in signIn.");try{const t=await e.actions.signIn.passkey(r);if(D(t)){const n=await e.saveSessionAfterAuth(t);!n.success&&n.warning&&I.warn("Session save warning",{warning:n.warning})}return t}catch(t){return e.onError&&await e.onError(t instanceof Error?t:new Error(String(t)),"signIn.passkey"),{success:!1,error:t instanceof Error?t.message:"PassKey sign in failed"}}}}function Mr(e,r){const t=br(e),n=Fr(e,r),o=Dr(e),s=Lr(e);return Object.assign(async(u,f)=>{if(!u||typeof u!="string")throw new Error("Provider is required");const w=W(u,{maxLength:50,allowHtml:!1,required:!0});if(!w.valid||!w.sanitized)throw new Error("Invalid provider");const p=w.sanitized.toLowerCase();if(p==="google"||p==="github"||p==="apple"||p==="facebook"||typeof p=="string"&&!["credentials","otp","passkey"].includes(p))return n(p);if(p==="credentials")return!f||!("email"in f)||!("password"in f)?{success:!1,error:"Credentials are required",errorCode:h.AuthErrorCode.VALIDATION_ERROR}:t(f);if(p==="otp"){if(!f||!("email"in f))return{success:!1,error:"Email is required",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const R=f;return o(R.email,R.code)}return p==="passkey"?s(f):{success:!1,error:"Invalid provider",errorCode:h.AuthErrorCode.VALIDATION_ERROR}},{email:t,oauth:e.actions.signIn.oauth?n:void 0,passkey:e.actions.signIn.passkey?s:void 0,otp:e.actions.signIn.otp?o:void 0})}function Vr(e){return async r=>{if(!e.actions.signUp)throw new Error("Sign up is not configured. Provide signUp action in config.");try{const t=await e.actions.signUp(r);if(D(t)){const n=await e.saveSessionAfterAuth(t);!n.success&&n.warning&&I.warn("Session save warning",{warning:n.warning})}return t}catch(t){return e.onError&&await e.onError(t instanceof Error?t:new Error(String(t)),"signUp"),{success:!1,error:t instanceof Error?t.message:"Sign up failed"}}}}function zr(e,r){return async(t,n,o)=>{const s=e.oauthProviders[t];if(!s)return{success:!1,error:`OAuth provider "${t}" is not configured`,errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{const i=s.redirectUri??`${e.baseUrl}/api/auth/callback/${t}`,a=await le(t,s,n,i),u=await fe(t,a.access_token),f={id:u.id,email:u.email,name:u.name,avatar:u.avatar,emailVerified:u.emailVerified,provider:t,accessToken:a.access_token,refreshToken:a.refresh_token,tokens:{access_token:a.access_token,refresh_token:a.refresh_token,expires_in:a.expires_in,token_type:a.token_type,id_token:a.id_token},rawProfile:u.rawProfile};if(e.callbacks.onOAuthUser){const w=await Y(e.callbacks.onOAuthUser,[f,t],e.onError);if(!w)return{success:!1,error:"Failed to create or retrieve user",errorCode:h.AuthErrorCode.VALIDATION_ERROR};const p=e.createSession(w,f,a);return await e.saveSession(p),e.callbacks.onSignIn&&await Y(e.callbacks.onSignIn,[p.user,p],e.onError),{success:!0,user:p.user,session:p}}return{success:!1,error:"OAuth user callback not implemented. Provide onOAuthUser callback or implement oauthCallback action.",errorCode:h.AuthErrorCode.VALIDATION_ERROR}}catch(i){return I.error("OAuth callback failed",{provider:t,error:i}),{success:!1,error:i instanceof Error?i.message:"OAuth callback failed",errorCode:h.AuthErrorCode.NETWORK_ERROR}}}}async function Y(e,r,t){if(e)try{return await e(...r)}catch(n){throw t&&await t(n instanceof Error?n:new Error(String(n)),"callback"),n}}function jr(e,r,t,n){if(Object.keys(e).length!==0)return async o=>{const s=e[o];if(!s)throw new Error(`OAuth provider "${o}" is not configured. Add it to providers.oauth in config.`);if(!s.clientId)throw new Error(`OAuth provider "${o}" is missing clientId`);const i=t();return{url:n(o,s,r,i),state:i}}}function $r(e){var L,M;const r={...Pr(),...e.session},t=e.actions,n=e.callbacks||{},o=((L=e.providers)==null?void 0:L.oauth)||{},s=xr(),i={...Nr(),...e.tokenRefresh},a=((M=e.session)==null?void 0:M.cacheTtl)??e.sessionCacheTtl??5e3,u=e.oauthStateStore||ge(),f={...t},w=async(c,l)=>{const d={provider:l,expiresAt:Date.now()+6e5};await Promise.resolve(u.set(c,d,10*60*1e3)),u.cleanup&&await Promise.resolve(u.cleanup())},p=async(c,l)=>{let d=await Promise.resolve(u.get(c));if(!d)try{const{getOAuthStateCookie:k}=await Promise.resolve().then(()=>require("../oauth-state-DlvrCV11.js")).then(P=>P.oauthState),N=await k();if(N&&N.state===c&&N.provider===l)return!0}catch{}return d?d.expiresAt<Date.now()?(await Promise.resolve(u.delete(c)),!1):d.provider!==l?!1:(await Promise.resolve(u.delete(c)),!0):!1},R=jr(o,s,ie,ue);if(R&&!f.signIn.oauth){const c=f.signIn;f.signIn={...c,oauth:async l=>{const d=await R(l);return await w(d.state,l),d}}}if(!f.signIn||!f.signIn.email)throw new Error("mulguard: signIn.email action is required");const v=async(c,...l)=>{if(c)try{return await c(...l)}catch(d){throw n.onError&&await n.onError(d instanceof Error?d:new Error(String(d)),"callback"),d}},A=Ur({sessionConfig:r,cacheTtl:a,getSessionAction:t.getSession,onSessionExpired:n.onSessionExpired,onError:n.onError}),S=async c=>{if(!D(c)||!c.session)return{success:!0};const l=await A.setSession(c.session);return c.user&&n.onSignIn&&await v(n.onSignIn,c.user,c.session),l};if(Object.keys(o).length>0&&!f.oauthCallback){const c=zr({oauthProviders:o,baseUrl:s,callbacks:n,createSession:(l,d,k)=>({user:{...l,avatar:d.avatar,emailVerified:d.emailVerified},expiresAt:new Date(Date.now()+(r.expiresIn||604800)*1e3),accessToken:k.access_token,refreshToken:k.refresh_token,tokenType:"Bearer",expiresIn:k.expires_in}),saveSession:async l=>{await A.setSession(l)},onError:n.onError});f.oauthCallback=c}const g=Mr({actions:f,callbacks:n,saveSessionAfterAuth:S,onError:n.onError},w),T=Vr({actions:f,callbacks:n,saveSessionAfterAuth:S,onError:n.onError}),_={async getSession(){return await A.getSession()},async getAccessToken(){return await A.getAccessToken()},async getRefreshToken(){return await A.getRefreshToken()},async hasValidTokens(){return await A.hasValidTokens()},signIn:g,async signUp(c){if(!T)throw new Error("Sign up is not configured. Provide signUp action in config.");return await T(c)},async signOut(){try{const c=await this.getSession(),l=c==null?void 0:c.user;return t.signOut&&await t.signOut(),await A.clearSessionCookie(),A.clearCache(),l&&n.onSignOut&&await v(n.onSignOut,l),{success:!0}}catch(c){return await A.clearSessionCookie(),A.clearCache(),n.onError&&await v(n.onError,c instanceof Error?c:new Error(String(c)),"signOut"),{success:!1,error:c instanceof Error?c.message:"Sign out failed"}}},async resetPassword(c){if(!t.resetPassword)throw new Error("Password reset is not configured. Provide resetPassword action in config.");try{return await t.resetPassword(c)}catch(l){return n.onError&&await v(n.onError,l instanceof Error?l:new Error(String(l)),"resetPassword"),{success:!1,error:l instanceof Error?l.message:"Password reset failed"}}},async verifyEmail(c){if(!t.verifyEmail)throw new Error("Email verification is not configured. Provide verifyEmail action in config.");try{return await t.verifyEmail(c)}catch(l){return n.onError&&await v(n.onError,l instanceof Error?l:new Error(String(l)),"verifyEmail"),{success:!1,error:l instanceof Error?l.message:"Email verification failed"}}},async refreshSession(){if(!t.refreshSession)return this.getSession();try{const c=await t.refreshSession();if(c&&C.validateSessionStructure(c)){if(await A.setSession(c),n.onSessionUpdate){const l=await v(n.onSessionUpdate,c);if(l&&C.validateSessionStructure(l)){if(await A.setSession(l),n.onTokenRefresh){const d=await this.getSession();d&&await v(n.onTokenRefresh,d,l)}return l}}if(n.onTokenRefresh){const l=await this.getSession();l&&await v(n.onTokenRefresh,l,c)}return c}else if(c&&!C.validateSessionStructure(c))return await A.clearSessionCookie(),A.clearCache(),null;return null}catch(c){return await A.clearSessionCookie(),A.clearCache(),n.onError&&await v(n.onError,c instanceof Error?c:new Error(String(c)),"refreshSession"),null}},async oauthCallback(c,l,d){if(!f.oauthCallback)throw new Error("OAuth callback is not configured. Either provide oauthCallback action, or configure providers.oauth in config.");if(!l||!d)return{success:!1,error:"Missing required OAuth parameters (code or state)",errorCode:h.AuthErrorCode.VALIDATION_ERROR};let k=c;if(!k){const P=await Promise.resolve(u.get(d));if(P&&P.provider)k=P.provider;else return{success:!1,error:"Provider is required and could not be extracted from state",errorCode:h.AuthErrorCode.VALIDATION_ERROR}}if(!await p(d,k))return{success:!1,error:"Invalid or expired state parameter",errorCode:h.AuthErrorCode.VALIDATION_ERROR};try{return await f.oauthCallback(k,l,d)}catch(P){return n.onError&&await v(n.onError,P instanceof Error?P:new Error(String(P)),"oauthCallback"),{success:!1,error:P instanceof Error?P.message:"OAuth callback failed",errorCode:h.AuthErrorCode.NETWORK_ERROR}}},async verify2FA(c,l){if(!t.verify2FA)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const d=await t.verify2FA(c);if(d.success&&d.session&&!(l!=null&&l.skipCookieSave)){const k=await S(d);k.success||(process.env.NODE_ENV==="development"&&I.debug("Failed to save session cookie after verify2FA",{error:k.error,warning:k.warning}),n.onError&&await v(n.onError,new Error(k.warning||k.error||"Failed to save session cookie"),"verify2FA.setSession"))}return d}catch(d){return n.onError&&await v(n.onError,d instanceof Error?d:new Error(String(d)),"verify2FA"),{success:!1,error:d instanceof Error?d.message:"2FA verification failed",errorCode:h.AuthErrorCode.TWO_FA_REQUIRED}}},async setSession(c){return await A.setSession(c)},_getSessionConfig(){return A.getSessionConfig()},_getCallbacks(){return n},async storeOAuthState(c,l){await w(c,l)},passkey:t.passkey?{register:t.passkey.register,authenticate:async c=>{var l;if(!((l=t.passkey)!=null&&l.authenticate))throw new Error("PassKey authenticate is not configured.");try{const d=await t.passkey.authenticate(c);return d.success&&d.session&&await S(d),d}catch(d){return n.onError&&await v(n.onError,d instanceof Error?d:new Error(String(d)),"passkey.authenticate"),{success:!1,error:d instanceof Error?d.message:"PassKey authentication failed"}}},list:t.passkey.list?async()=>{var l;if(!((l=t.passkey)!=null&&l.list))throw new Error("PassKey list is not configured.");return[...await t.passkey.list()]}:void 0,remove:t.passkey.remove}:void 0,twoFactor:t.twoFactor?{enable:t.twoFactor.enable,verify:t.twoFactor.verify,disable:t.twoFactor.disable,generateBackupCodes:t.twoFactor.generateBackupCodes,isEnabled:t.twoFactor.isEnabled,verify2FA:async c=>{var d;const l=((d=t.twoFactor)==null?void 0:d.verify2FA)||t.verify2FA;if(!l)throw new Error("2FA verification is not configured. Provide verify2FA action in config.");try{const k=await l(c);if(k.success&&k.session){const N=await S(k);N.success||(process.env.NODE_ENV==="development"&&I.debug("Failed to save session cookie after twoFactor.verify2FA",{error:N.error,warning:N.warning}),n.onError&&await v(n.onError,new Error(N.warning||N.error||"Failed to save session cookie"),"twoFactor.verify2FA.setSession"))}return k}catch(k){return n.onError&&await v(n.onError,k instanceof Error?k:new Error(String(k)),"twoFactor.verify2FA"),{success:!1,error:k instanceof Error?k.message:"2FA verification failed",errorCode:h.AuthErrorCode.UNKNOWN_ERROR}}}}:void 0,signInMethods:{email:c=>g.email(c),oauth:c=>{var l;return((l=g.oauth)==null?void 0:l.call(g,c))||Promise.reject(new Error("OAuth not configured"))},passkey:c=>{var l;return((l=g.passkey)==null?void 0:l.call(g,c))||Promise.reject(new Error("Passkey not configured"))},otp:(c,l)=>{var d;return((d=g.otp)==null?void 0:d.call(g,c,l))||Promise.reject(new Error("OTP not configured"))}}};if(t.refreshSession){const c=_r(async()=>await _.refreshSession(),async()=>await _.signOut(),async()=>{await A.clearSessionCookie(),A.clearCache()},{...i,onTokenRefreshed:i.onTokenRefreshed,onTokenRefreshFailed:i.onTokenRefreshFailed,onBeforeRedirect:i.onBeforeRedirect});_._tokenRefreshManager=c,_._getTokenRefreshManager=()=>c}return _}function Hr(e){return{GET:async r=>Q(r,e,"GET"),POST:async r=>Q(r,e,"POST")}}async function Q(e,r,t){const n=new URL(e.url),o=qr(n.pathname),s=o.split("/").filter(Boolean);try{return t==="GET"?await Wr(e,r,o,s,n):t==="POST"?await Br(e,r,o,s,n):O("Method not allowed",405)}catch(i){return O(i instanceof Error?i.message:"Request failed",500)}}function qr(e){return e.replace(/^\/api\/auth/,"")||"/session"}async function Wr(e,r,t,n,o){if(t==="/session"||t==="/"){const s=await r.getSession();return E.NextResponse.json({session:s})}return t==="/providers"?E.NextResponse.json({providers:{email:!!r.signIn.email,oauth:!!r.signIn.oauth,passkey:!!r.signIn.passkey}}):pe(t,n)?await me(e,r,t,n,o,"GET"):O("Not found",404)}async function Br(e,r,t,n,o){const s=await Gr(e);return t==="/sign-in"||n[0]==="sign-in"?await Xr(r,s):t==="/sign-up"||n[0]==="sign-up"?await Jr(r,s):t==="/sign-out"||n[0]==="sign-out"?await Yr(r):t==="/reset-password"||n[0]==="reset-password"?await Qr(r,s):t==="/verify-email"||n[0]==="verify-email"?await Zr(r,s):t==="/refresh"||n[0]==="refresh"?await et(r):pe(t,n)?await me(e,r,t,n,o,"POST",s):t.startsWith("/passkey")?await tt(r,t,n,s):t==="/verify-2fa"||n[0]==="verify-2fa"?await rt(r,s):t.startsWith("/two-factor")?await nt(r,n,s):O("Not found",404)}async function Gr(e){try{return await e.json()}catch{return{}}}function pe(e,r){return e==="/callback"||e.startsWith("/oauth/callback")||r[0]==="oauth"&&r[1]==="callback"||r[0]==="callback"}async function me(e,r,t,n,o,s,i){if(!r.oauthCallback)return s==="GET"?V(e.url,"oauth_not_configured"):O("OAuth callback is not configured",400);const a=Kr(n,o,i),u=(i==null?void 0:i.code)??o.searchParams.get("code"),f=(i==null?void 0:i.state)??o.searchParams.get("state");if(!u||!f)return s==="GET"?V(e.url,"oauth_missing_params"):O("Missing required OAuth parameters. Code and state are required.",400);try{const w=await r.oauthCallback(a??"",u,f);return s==="GET"?w.success?ot(e.url,o.searchParams.get("callbackUrl")):V(e.url,w.error??"oauth_failed"):E.NextResponse.json(w)}catch(w){return s==="GET"?V(e.url,w instanceof Error?w.message:"oauth_error"):O(w instanceof Error?w.message:"OAuth callback failed",500)}}function Kr(e,r,t){return t!=null&&t.provider?t.provider:e[0]==="callback"&&e[1]?e[1]:e[0]==="oauth"&&e[1]==="callback"&&e[2]?e[2]:r.searchParams.get("provider")}async function Xr(e,r){if(r.provider==="email"&&r.email&&r.password){const t={email:r.email,password:r.password},n=await e.signIn.email(t);return E.NextResponse.json(n)}if(r.provider==="oauth"&&r.providerName){if(!e.signIn.oauth)return O("OAuth is not configured",400);const t=await e.signIn.oauth(r.providerName);return E.NextResponse.json(t)}if(r.provider==="passkey"){if(!e.signIn.passkey)return O("PassKey is not configured",400);const t=await e.signIn.passkey(r.options);return E.NextResponse.json(t)}return O("Invalid sign in request",400)}async function Jr(e,r){if(!e.signUp)return O("Sign up is not configured",400);const t=await e.signUp(r);return E.NextResponse.json(t)}async function Yr(e){const r=await e.signOut();return E.NextResponse.json(r)}async function Qr(e,r){if(!e.resetPassword)return O("Password reset is not configured",400);if(!r.email||typeof r.email!="string")return O("Email is required",400);const t=await e.resetPassword(r.email);return E.NextResponse.json(t)}async function Zr(e,r){if(!e.verifyEmail)return O("Email verification is not configured",400);if(!r.token||typeof r.token!="string")return O("Token is required",400);const t=await e.verifyEmail(r.token);return E.NextResponse.json(t)}async function et(e){if(!e.refreshSession){const t=await e.getSession();return E.NextResponse.json({session:t})}const r=await e.refreshSession();return E.NextResponse.json({session:r})}async function rt(e,r){if(!e.verify2FA)return O("2FA verification is not configured",400);if(!r.email||!r.userId||!r.code)return O("Missing required parameters. Email, userId, and code are required.",400);const t={email:r.email,userId:r.userId,code:r.code},n=await e.verify2FA(t);return E.NextResponse.json(n)}async function tt(e,r,t,n){if(!e.passkey)return O("PassKey is not configured",400);const o=t[1];if(o==="register"&&e.passkey.register){const s=await e.passkey.register(n.options);return E.NextResponse.json(s)}if(o==="list"&&e.passkey.list){const s=await e.passkey.list();return E.NextResponse.json(s)}if(o==="remove"&&e.passkey.remove){if(!n.passkeyId||typeof n.passkeyId!="string")return O("Passkey ID is required",400);const s=await e.passkey.remove(n.passkeyId);return E.NextResponse.json(s)}return O("Invalid Passkey request",400)}async function nt(e,r,t){if(!e.twoFactor)return O("Two-Factor Authentication is not configured",400);const n=r[1];if(n==="enable"&&e.twoFactor.enable){const o=await e.twoFactor.enable();return E.NextResponse.json(o)}if(n==="verify"&&e.twoFactor.verify){if(!t.code||typeof t.code!="string")return O("Code is required",400);const o=await e.twoFactor.verify(t.code);return E.NextResponse.json(o)}if(n==="disable"&&e.twoFactor.disable){const o=await e.twoFactor.disable();return E.NextResponse.json(o)}if(n==="backup-codes"&&e.twoFactor.generateBackupCodes){const o=await e.twoFactor.generateBackupCodes();return E.NextResponse.json(o)}if(n==="is-enabled"&&e.twoFactor.isEnabled){const o=await e.twoFactor.isEnabled();return E.NextResponse.json({enabled:o})}return O("Invalid two-factor request",400)}function O(e,r){return E.NextResponse.json({success:!1,error:e},{status:r})}function V(e,r){return E.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(r)}`,e))}function ot(e,r){const t=r??"/";return E.NextResponse.redirect(new URL(t,e))}function st(e){return async r=>{const{method:t,nextUrl:n}=r,s=n.pathname.replace(/^\/api\/auth/,"")||"/";try{let i;if(t!=="GET"&&t!=="HEAD")try{i=await r.json()}catch{}const a=Object.fromEntries(n.searchParams.entries()),u=await fetch(`${process.env.NEXT_PUBLIC_API_URL||""}/api/auth${s}${Object.keys(a).length>0?`?${new URLSearchParams(a).toString()}`:""}`,{method:t,headers:{"Content-Type":"application/json",...Object.fromEntries(r.headers.entries())},body:i?JSON.stringify(i):void 0}),f=await u.json();return E.NextResponse.json(f,{status:u.status,headers:{...Object.fromEntries(u.headers.entries())}})}catch(i){return console.error("API handler error:",i),E.NextResponse.json({success:!1,error:i instanceof Error?i.message:"Internal server error"},{status:500})}}}function it(e){return async r=>{const{searchParams:t}=r.nextUrl,n=t.get("provider"),o=t.get("code"),s=t.get("state");if(!n||!o||!s)return E.NextResponse.redirect(new URL("/login?error=oauth_missing_params",r.url));try{if(!e.oauthCallback)return E.NextResponse.redirect(new URL("/login?error=oauth_not_configured",r.url));const i=await e.oauthCallback(n,o,s);if(i.success){const a=t.get("callbackUrl")||"/";return E.NextResponse.redirect(new URL(a,r.url))}else{const a=i.errorCode?`${encodeURIComponent(i.error||"oauth_failed")}&code=${i.errorCode}`:encodeURIComponent(i.error||"oauth_failed");return E.NextResponse.redirect(new URL(`/login?error=${a}`,r.url))}}catch(i){return process.env.NODE_ENV==="development"&&console.error("[Mulguard] OAuth callback error:",i),E.NextResponse.redirect(new URL(`/login?error=${encodeURIComponent(i instanceof Error?i.message:"oauth_error")}`,r.url))}}}function x(e,r){const t=H({"X-Frame-Options":"SAMEORIGIN"});for(const[n,o]of Object.entries(t))o&&typeof o=="string"&&r.headers.set(n,o);return r}function at(){return async e=>{const r=E.NextResponse.next();return x(e,r)}}function ct(e,r={}){const{protectedRoutes:t=[],publicRoutes:n=[],redirectTo:o="/login",redirectIfAuthenticated:s}=r;return async i=>{const{pathname:a}=i.nextUrl,u=t.some(p=>a.startsWith(p));let f=null;try{f=await e.getSession()}catch(p){console.error("Middleware: Failed to get session:",p)}if(u&&!f){const p=i.nextUrl.clone();return p.pathname=o,p.searchParams.set("callbackUrl",a),E.NextResponse.redirect(p)}if(s&&f&&(a.startsWith("/login")||a.startsWith("/register"))){const R=i.nextUrl.clone();R.pathname=s;const v=E.NextResponse.redirect(R);return x(i,v)}const w=E.NextResponse.next();return x(i,w)}}async function ut(e,r){var t;try{const n=await e.getSession();return n?((t=n.user.roles)==null?void 0:t.includes(r))??!1:!1}catch{return!1}}function lt(e){const{auth:r,protectedRoutes:t=[],publicRoutes:n=[],redirectTo:o="/login",redirectIfAuthenticated:s,apiPrefix:i="/api/auth"}=e;return async a=>{const{pathname:u}=a.nextUrl;if(u.startsWith(i)){const R=E.NextResponse.next();return x(a,R)}const f=t.some(R=>u.startsWith(R));let w=null;if(f||s)try{w=await r.getSession()}catch(R){console.error("Middleware: Failed to get session:",R)}if(f&&!w){const R=a.nextUrl.clone();R.pathname=o,R.searchParams.set("callbackUrl",u);const v=E.NextResponse.redirect(R);return x(a,v)}if(s&&w&&(u.startsWith("/login")||u.startsWith("/register"))){const v=a.nextUrl.clone();v.pathname=s;const A=E.NextResponse.redirect(v);return x(a,A)}const p=E.NextResponse.next();return x(a,p)}}async function ft(e,r){var t;try{const n=await e.getSession();return n?((t=n.user.roles)==null?void 0:t.includes(r))??!1:!1}catch{return!1}}exports.buildCookieOptions=h.buildCookieOptions;exports.deleteCookie=h.deleteCookie;exports.getCookie=h.getCookie;exports.setCookie=h.setCookie;exports.signInEmailAction=h.signInEmailAction;exports.signOutAction=h.signOutAction;exports.signUpAction=h.signUpAction;exports.verify2FAAction=h.verify2FAAction;exports.createServerAuthMiddleware=C.createAuthMiddleware;exports.createServerHelpers=C.createServerHelpers;exports.createServerUtils=C.createServerUtils;exports.createSessionManager=C.createSessionManager;exports.deleteOAuthStateCookie=C.deleteOAuthStateCookie;exports.getCurrentUser=C.getCurrentUser;exports.getOAuthStateCookie=C.getOAuthStateCookie;exports.getServerSession=C.getServerSession;exports.getSessionTimeUntilExpiry=C.getSessionTimeUntilExpiry;exports.isSessionExpiredNullable=C.isSessionExpiredNullable;exports.isSessionExpiringSoon=C.isSessionExpiringSoon;exports.isSessionValid=C.isSessionValid;exports.refreshSession=C.refreshSession;exports.requireAuth=C.requireAuth;exports.requireRole=C.requireRole;exports.requireServerAuthMiddleware=C.requireAuthMiddleware;exports.requireServerRoleMiddleware=C.requireRoleMiddleware;exports.storeOAuthStateCookie=C.storeOAuthStateCookie;exports.validateSessionStructure=C.validateSessionStructure;exports.CSRFProtection=ne;exports.DEFAULT_SECURITY_HEADERS=ee;exports.MemoryCSRFStore=te;exports.MemoryOAuthStateStore=he;exports.RateLimiter=Z;exports.applySecurityHeaders=Te;exports.buildOAuthAuthorizationUrl=ue;exports.checkRole=ut;exports.checkRoleProxy=ft;exports.containsXSSPattern=Ze;exports.createApiHandler=st;exports.createAuthMiddleware=ct;exports.createCSRFProtection=Je;exports.createCookieOAuthStateStore=de;exports.createMemoryOAuthStateStore=ge;exports.createNextJsCookieOAuthStateStore=vr;exports.createOAuthCallbackHandler=it;exports.createProxyMiddleware=lt;exports.createRateLimiter=Oe;exports.createRedisOAuthStateStore=Rr;exports.createSecurityMiddleware=at;exports.escapeHTML=oe;exports.exchangeOAuthCode=le;exports.generateCSRFToken=ie;exports.generateToken=B;exports.getErrorCode=ir;exports.getErrorMessage=sr;exports.getOAuthUserInfo=fe;exports.getProviderMetadata=z;exports.getSecurityHeaders=H;exports.getUserFriendlyError=lr;exports.hasErrorCode=cr;exports.isAuthError=ae;exports.isAuthSuccess=ar;exports.isOAuthProviderConfig=yr;exports.isRetryableError=ur;exports.isSupportedProvider=dr;exports.isTwoFactorRequired=or;exports.isValidCSRFToken=er;exports.isValidEmail=nr;exports.isValidInput=Xe;exports.isValidName=Ve;exports.isValidPassword=De;exports.isValidToken=Ge;exports.isValidURL=$e;exports.mulguard=$r;exports.sanitizeHTML=Ye;exports.sanitizeInput=rr;exports.sanitizeUserInput=Qe;exports.signIn=fr;exports.toNextJsHandler=Hr;exports.validateAndSanitizeEmail=q;exports.validateAndSanitizeInput=W;exports.validateAndSanitizeName=Me;exports.validateAndSanitizePassword=be;exports.validateCSRFToken=G;exports.validateToken=Be;exports.validateURL=je;exports.withSecurityHeaders=x;