nterminal 1.2.0

package/dist/server/agent/agentWebSocketProxy.js

@@ -0,0 +1,65 @@
+import WebSocket from 'ws';
+export function proxyAgentWebSocket(browserSocket, agent, terminalId) {
+    const agentUrl = `${agent.url.replace(/^http/, 'ws')}/api/agent/terminals/${encodeURIComponent(terminalId)}/ws`;
+    const agentSocket = new WebSocket(agentUrl, { headers: { Authorization: `Bearer ${agent.token}` } });
+    // Pending entries hold both the raw data and the frame type so the relay
+    // never silently changes a text frame into a binary one — the browser's
+    // ws handler ignores non-string data, which manifests as "agent terminal
+    // pane opens but has no output and no input ever takes effect".
+    const pendingFromBrowser = [];
+    agentSocket.on('open', () => {
+        for (const entry of pendingFromBrowser) {
+            agentSocket.send(entry.data, { binary: entry.binary });
+        }
+        pendingFromBrowser.length = 0;
+    });
+    agentSocket.on('message', (data, isBinary) => {
+        if (browserSocket.readyState === WebSocket.OPEN) {
+            browserSocket.send(data, { binary: isBinary });
+        }
+    });
+    browserSocket.on('message', (data, isBinary) => {
+        if (agentSocket.readyState === WebSocket.OPEN) {
+            agentSocket.send(data, { binary: isBinary });
+        }
+        else if (agentSocket.readyState === WebSocket.CONNECTING) {
+            pendingFromBrowser.push({ data, binary: isBinary });
+        }
+    });
+    agentSocket.on('close', (code, reason) => {
+        if (browserSocket.readyState === WebSocket.OPEN) {
+            // Reserved codes 1005/1006/1015 (and anything <1000) cannot be sent
+            // back over the wire — ws throws synchronously on close() if we try.
+            // Map them to 1011 (internal error) so an agent that goes away
+            // mid-update doesn't bring the main process down.
+            const safeCode = code >= 1000 && code !== 1005 && code !== 1006 && code !== 1015 ? code : 1011;
+            const safeReason = Buffer.isBuffer(reason) && reason.length <= 123 ? reason : undefined;
+            try {
+                browserSocket.close(safeCode, safeReason);
+            }
+            catch {
+                // Last-resort: give up cleanly so a malformed reason can't crash us.
+                try {
+                    browserSocket.terminate();
+                }
+                catch { /* swallow */ }
+            }
+        }
+    });
+    browserSocket.on('close', () => {
+        if (agentSocket.readyState === WebSocket.OPEN || agentSocket.readyState === WebSocket.CONNECTING) {
+            agentSocket.close();
+        }
+    });
+    agentSocket.on('error', () => {
+        if (browserSocket.readyState === WebSocket.OPEN) {
+            browserSocket.close(1011, 'agent error');
+        }
+    });
+    browserSocket.on('error', () => {
+        if (agentSocket.readyState === WebSocket.OPEN || agentSocket.readyState === WebSocket.CONNECTING) {
+            agentSocket.close();
+        }
+    });
+}
+//# sourceMappingURL=agentWebSocketProxy.js.map

package/dist/server/agent/agentWebSocketProxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentWebSocketProxy.js","sourceRoot":"","sources":["../../../src/server/agent/agentWebSocketProxy.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,IAAI,CAAC;AAG3B,MAAM,UAAU,mBAAmB,CACjC,aAAwB,EACxB,KAAkB,EAClB,UAAkB;IAElB,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,wBAAwB,kBAAkB,CAAC,UAAU,CAAC,KAAK,CAAC;IAChH,MAAM,WAAW,GAAG,IAAI,SAAS,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACrG,yEAAyE;IACzE,wEAAwE;IACxE,yEAAyE;IACzE,gEAAgE;IAChE,MAAM,kBAAkB,GAAwD,EAAE,CAAC;IAEnF,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QAC1B,KAAK,MAAM,KAAK,IAAI,kBAAkB,EAAE,CAAC;YACvC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;QAC3C,IAAI,aAAa,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAChD,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,aAAa,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE;QAC7C,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAC9C,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;YAC3D,kBAAkB,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QACvC,IAAI,aAAa,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAChD,oEAAoE;YACpE,qEAAqE;YACrE,+DAA+D;YAC/D,kDAAkD;YAClD,MAAM,QAAQ,GAAG,IAAI,IAAI,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;YAC/F,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;YACxF,IAAI,CAAC;gBACH,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,qEAAqE;gBACrE,IAAI,CAAC;oBAAC,aAAa,CAAC,SAAS,EAAE,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC7B,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;YACjG,WAAW,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC3B,IAAI,aAAa,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YAChD,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC7B,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,IAAI,WAAW,CAAC,UAAU,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;YACjG,WAAW,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/server/auth/authService.d.ts

@@ -0,0 +1,100 @@
+import type { AppConfig } from '../config.js';
+import type { FileStore } from '../storage/fileStore.js';
+import { InMemoryRateLimit } from './rateLimit.js';
+import type { TotpService } from './totpService.js';
+export declare class AuthError extends Error {
+    readonly code: string;
+    readonly statusCode: number;
+    constructor(code: string, message: string, statusCode?: number);
+}
+export interface PasswordSession {
+    sessionId: string;
+    expiresAt: string;
+}
+export interface LoginResult {
+    session: PasswordSession;
+    deviceToken: string;
+}
+export interface AuthContext {
+    ip?: string | null | undefined;
+    userAgent?: string | null | undefined;
+    rememberNetwork?: boolean | undefined;
+    deviceToken?: string | null | undefined;
+    clientKey?: string | undefined;
+}
+export interface TrustedDeviceSummary {
+    id: string;
+    label: string;
+    createdAt: string;
+    lastSeenAt: string;
+    current: boolean;
+}
+export interface IpRuleSummary {
+    id: string;
+    value: string;
+    label: string;
+    createdAt: string;
+}
+export interface AuthServiceOptions {
+    now?: () => number;
+    passwordRateLimit?: InMemoryRateLimit;
+    totpService?: TotpService;
+}
+export declare class AuthService {
+    private readonly config;
+    private readonly store;
+    private readonly now;
+    private readonly passwordRateLimit;
+    private readonly sessions;
+    private readonly totpService;
+    constructor(config: AppConfig, store: FileStore, options?: AuthServiceOptions);
+    setupPassword(password: string, ctx?: AuthContext): Promise<LoginResult>;
+    loginWithPassword(password: string, otp?: string, ctx?: AuthContext): Promise<LoginResult>;
+    reauthWithOtp(otp: string | undefined, ctx?: AuthContext): Promise<PasswordSession>;
+    setupTotp(sessionId: string | undefined, ip?: string | null): Promise<{
+        secret: string;
+        qrDataUrl: string;
+    }>;
+    activateTotp(sessionId: string | undefined, secret: string, otp: string, ip?: string | null): Promise<void>;
+    disableTotp(sessionId: string | undefined, ip?: string | null): Promise<void>;
+    isTotpEnabled(): Promise<boolean>;
+    validateSession(sessionId: string | undefined, ip?: string | null, options?: {
+        destroy?: boolean;
+    }): Promise<boolean>;
+    getSessionStatus(sessionId: string | undefined, ctx?: {
+        ip?: string | null | undefined;
+        deviceToken?: string | null | undefined;
+    }): Promise<{
+        passwordSet: boolean;
+        authenticated: boolean;
+        totpEnabled: boolean;
+        deviceTrusted: boolean;
+        currentIpWhitelisted: boolean;
+        expiresAt: string | null;
+    }>;
+    requireSession(request: {
+        cookies?: Record<string, string | undefined>;
+        headers?: Record<string, string | string[] | undefined>;
+        ip?: string;
+    }): Promise<{
+        sessionId: string;
+    } | null>;
+    logout(sessionId: string | undefined, deviceToken?: string | null): Promise<void>;
+    listTrustedDevices(currentDeviceToken?: string | null): Promise<TrustedDeviceSummary[]>;
+    revokeTrustedDevice(id: string): Promise<void>;
+    listIpRules(): Promise<IpRuleSummary[]>;
+    addIpRule(value: string, label: string): Promise<IpRuleSummary>;
+    removeIpRule(id: string): Promise<void>;
+    private createSession;
+    private buildTrustedDevice;
+    private pruneDevices;
+    private findValidDevice;
+    private deviceMatchesToken;
+    private hashDeviceToken;
+    private maybeAddIp;
+    private validatePassword;
+    private hashPassword;
+    private verifyPassword;
+    private safeEqual;
+    private parseCookieHeader;
+}

package/dist/server/auth/authService.js

@@ -0,0 +1,415 @@
+import crypto from 'node:crypto';
+import { randomUUID } from 'node:crypto';
+import { promisify } from 'node:util';
+import { InMemoryRateLimit } from './rateLimit.js';
+import { normalizeIp, ipMatchesAny, isValidIpRule, isWithinSessionNetwork } from './ipMatch.js';
+const scrypt = promisify(crypto.scrypt);
+const deviceTtlMs = 30 * 24 * 60 * 60 * 1000;
+export class AuthError extends Error {
+    code;
+    statusCode;
+    constructor(code, message, statusCode = 400) {
+        super(message);
+        this.code = code;
+        this.statusCode = statusCode;
+    }
+}
+export class AuthService {
+    config;
+    store;
+    now;
+    passwordRateLimit;
+    sessions = new Map();
+    totpService;
+    constructor(config, store, options = {}) {
+        this.config = config;
+        this.store = store;
+        this.now = options.now ?? Date.now;
+        this.passwordRateLimit =
+            options.passwordRateLimit ??
+                new InMemoryRateLimit({
+                    limit: 5,
+                    windowMs: 60_000,
+                    now: this.now
+                });
+        this.totpService = options.totpService ?? null;
+    }
+    async setupPassword(password, ctx = {}) {
+        this.validatePassword(password);
+        const state = await this.store.read();
+        if (state.passwordCredential) {
+            throw new AuthError('PASSWORD_ALREADY_SET', 'Password is already set', 409);
+        }
+        const timestamp = new Date(this.now()).toISOString();
+        const salt = crypto.randomBytes(16).toString('base64url');
+        const credential = {
+            algorithm: 'scrypt',
+            hash: await this.hashPassword(password, salt),
+            salt,
+            createdAt: timestamp,
+            updatedAt: timestamp
+        };
+        const { token: deviceToken, record: device } = this.buildTrustedDevice(ctx);
+        const ip = normalizeIp(ctx.ip);
+        await this.store.update((current) => {
+            if (current.passwordCredential) {
+                throw new AuthError('PASSWORD_ALREADY_SET', 'Password is already set', 409);
+            }
+            return {
+                ...current,
+                passwordCredential: credential,
+                trustedDevices: [device],
+                ipWhitelist: this.maybeAddIp(current.ipWhitelist, ip, ctx.rememberNetwork)
+            };
+        }, { flush: 'immediate' });
+        const session = this.createSession(ip, device.id);
+        return { session, deviceToken };
+    }
+    async loginWithPassword(password, otp, ctx = {}) {
+        const state = await this.store.read();
+        const credential = state.passwordCredential;
+        if (!credential) {
+            throw new AuthError('PASSWORD_NOT_SET', 'Password is not set', 409);
+        }
+        const rateLimitKey = `password:${ctx.clientKey ?? 'default'}`;
+        const rate = this.passwordRateLimit.consume(rateLimitKey);
+        if (!rate.allowed) {
+            throw new AuthError('RATE_LIMITED', 'Too many password attempts', 429);
+        }
+        if (!(await this.verifyPassword(password, credential))) {
+            throw new AuthError('INVALID_PASSWORD', 'Invalid password', 401);
+        }
+        const totpCredential = state.totpCredential;
+        if (totpCredential) {
+            if (!otp) {
+                throw new AuthError('OTP_REQUIRED', 'OTP code is required', 401);
+            }
+            if (!this.totpService?.verify(totpCredential.secret, otp)) {
+                throw new AuthError('INVALID_OTP', 'Invalid OTP code', 401);
+            }
+        }
+        this.passwordRateLimit.reset(rateLimitKey);
+        const { token: deviceToken, record: device } = this.buildTrustedDevice(ctx);
+        const ip = normalizeIp(ctx.ip);
+        await this.store.update((current) => {
+            const devices = this.pruneDevices(current.trustedDevices).filter((d) => !this.deviceMatchesToken(ctx.deviceToken, d));
+            return {
+                ...current,
+                trustedDevices: [...devices, device],
+                ipWhitelist: this.maybeAddIp(current.ipWhitelist, ip, ctx.rememberNetwork)
+            };
+        }, { flush: 'immediate' });
+        const session = this.createSession(ip, device.id);
+        return { session, deviceToken };
+    }
+    async reauthWithOtp(otp, ctx = {}) {
+        const state = await this.store.read();
+        const device = this.findValidDevice(ctx.deviceToken, state.trustedDevices);
+        if (!device) {
+            throw new AuthError('DEVICE_NOT_TRUSTED', 'This device is not trusted', 401);
+        }
+        const ip = normalizeIp(ctx.ip);
+        const totpCredential = state.totpCredential;
+        const ipTrusted = ipMatchesAny(ip, state.ipWhitelist);
+        // OTP-only reauth is only meaningful once TOTP is enabled. Without it, a leftover device
+        // cookie (e.g. between password setup and TOTP activation, or after disabling 2FA) could mint
+        // a session with no second factor — force a full password login instead.
+        if (!totpCredential) {
+            throw new AuthError('PASSWORD_REQUIRED', 'Full login required', 401);
+        }
+        if (!ipTrusted) {
+            const rateLimitKey = `otp:${ctx.clientKey ?? 'default'}`;
+            const rate = this.passwordRateLimit.consume(rateLimitKey);
+            if (!rate.allowed) {
+                throw new AuthError('RATE_LIMITED', 'Too many attempts', 429);
+            }
+            if (!otp) {
+                throw new AuthError('OTP_REQUIRED', 'OTP code is required', 401);
+            }
+            if (!this.totpService?.verify(totpCredential.secret, otp)) {
+                throw new AuthError('INVALID_OTP', 'Invalid OTP code', 401);
+            }
+            this.passwordRateLimit.reset(rateLimitKey);
+        }
+        const seenAt = new Date(this.now()).toISOString();
+        await this.store.update((current) => ({
+            ...current,
+            trustedDevices: current.trustedDevices.map((d) => (d.id === device.id ? { ...d, lastSeenAt: seenAt } : d)),
+            ipWhitelist: this.maybeAddIp(current.ipWhitelist, ip, ctx.rememberNetwork)
+        }));
+        return this.createSession(ip, device.id);
+    }
+    async setupTotp(sessionId, ip) {
+        if (!(await this.validateSession(sessionId, ip))) {
+            throw new AuthError('UNAUTHORIZED', 'Not authenticated', 401);
+        }
+        if (!this.totpService) {
+            throw new AuthError('TOTP_NOT_AVAILABLE', 'TOTP service is not configured', 500);
+        }
+        const state = await this.store.read();
+        if (state.totpCredential) {
+            throw new AuthError('TOTP_ALREADY_SET', 'TOTP is already enabled', 409);
+        }
+        return this.totpService.generateSetup('nterminal');
+    }
+    async activateTotp(sessionId, secret, otp, ip) {
+        if (!(await this.validateSession(sessionId, ip))) {
+            throw new AuthError('UNAUTHORIZED', 'Not authenticated', 401);
+        }
+        if (!this.totpService) {
+            throw new AuthError('TOTP_NOT_AVAILABLE', 'TOTP service is not configured', 500);
+        }
+        if (!this.totpService.verify(secret, otp)) {
+            throw new AuthError('INVALID_OTP', 'Invalid OTP code', 401);
+        }
+        const credential = {
+            secret,
+            algorithm: 'SHA1',
+            digits: 6,
+            period: 30,
+            createdAt: new Date(this.now()).toISOString()
+        };
+        await this.store.update((current) => {
+            if (current.totpCredential) {
+                throw new AuthError('TOTP_ALREADY_SET', 'TOTP is already enabled', 409);
+            }
+            return { ...current, totpCredential: credential };
+        }, { flush: 'immediate' });
+    }
+    async disableTotp(sessionId, ip) {
+        if (!(await this.validateSession(sessionId, ip))) {
+            throw new AuthError('UNAUTHORIZED', 'Not authenticated', 401);
+        }
+        await this.store.update((current) => ({ ...current, totpCredential: null }), { flush: 'immediate' });
+    }
+    async isTotpEnabled() {
+        return Boolean((await this.store.read()).totpCredential);
+    }
+    async validateSession(sessionId, ip, options = {}) {
+        const destroy = options.destroy ?? true;
+        if (!sessionId) {
+            return false;
+        }
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return false;
+        }
+        if (session.expiresAtMs <= this.now()) {
+            this.sessions.delete(sessionId);
+            return false;
+        }
+        // IP binding: enforced when an IP is supplied for an IP-bound session.
+        if (ip !== undefined && session.ip && ip) {
+            const normalized = normalizeIp(ip);
+            // Accept the originally bound /24 (IPv4) or /48 (IPv6) — strict /32
+            // binding broke residential/CGNAT users whose ISP rotates inside the
+            // same /24 every few minutes (each rotation destroyed the session,
+            // forcing a reauth dance on every WebSocket reconnect or split). The
+            // /24 still excludes unrelated networks, and ANY whitelisted CIDR
+            // (broader roaming) keeps working through ipMatchesAny below. An
+            // unparseable IP fails closed.
+            if (normalized && isWithinSessionNetwork(normalized, session.ip)) {
+                return true;
+            }
+            const { ipWhitelist } = await this.store.read();
+            if (normalized && ipMatchesAny(normalized, ipWhitelist)) {
+                return true;
+            }
+            if (destroy) {
+                this.sessions.delete(sessionId);
+            }
+            return false;
+        }
+        return true;
+    }
+    async getSessionStatus(sessionId, ctx = {}) {
+        const state = await this.store.read();
+        // Status reads must not revoke: an IP-mismatched poll reports unauthenticated but leaves the
+        // session for the protected routes (requireSession) to revoke on an actual mutating request.
+        const authenticated = await this.validateSession(sessionId, ctx.ip, { destroy: false });
+        const session = sessionId ? this.sessions.get(sessionId) : undefined;
+        const ip = normalizeIp(ctx.ip);
+        return {
+            passwordSet: Boolean(state.passwordCredential),
+            authenticated,
+            totpEnabled: Boolean(state.totpCredential),
+            deviceTrusted: this.findValidDevice(ctx.deviceToken, state.trustedDevices) !== null,
+            currentIpWhitelisted: ipMatchesAny(ip, state.ipWhitelist),
+            expiresAt: authenticated && session ? new Date(session.expiresAtMs).toISOString() : null
+        };
+    }
+    async requireSession(request) {
+        const cookies = request.cookies ?? this.parseCookieHeader(request.headers?.cookie);
+        const sessionId = cookies.nterminal_session;
+        const ok = await this.validateSession(sessionId, request.ip ?? null);
+        return ok && sessionId ? { sessionId } : null;
+    }
+    async logout(sessionId, deviceToken) {
+        if (sessionId) {
+            this.sessions.delete(sessionId);
+        }
+        if (deviceToken) {
+            await this.store.update((current) => ({
+                ...current,
+                trustedDevices: current.trustedDevices.filter((d) => !this.deviceMatchesToken(deviceToken, d))
+            }), { flush: 'immediate' });
+        }
+    }
+    async listTrustedDevices(currentDeviceToken) {
+        const { trustedDevices } = await this.store.read();
+        const currentHash = currentDeviceToken ? this.hashDeviceToken(currentDeviceToken) : null;
+        return this.pruneDevices(trustedDevices).map((d) => ({
+            id: d.id,
+            label: d.label,
+            createdAt: d.createdAt,
+            lastSeenAt: d.lastSeenAt,
+            current: currentHash !== null && this.safeEqual(currentHash, d.tokenHash)
+        }));
+    }
+    async revokeTrustedDevice(id) {
+        await this.store.update((current) => ({
+            ...current,
+            trustedDevices: current.trustedDevices.filter((d) => d.id !== id)
+        }), { flush: 'immediate' });
+    }
+    async listIpRules() {
+        return (await this.store.read()).ipWhitelist.map((r) => ({ id: r.id, value: r.value, label: r.label, createdAt: r.createdAt }));
+    }
+    async addIpRule(value, label) {
+        const trimmed = value.trim();
+        if (!isValidIpRule(trimmed)) {
+            throw new AuthError('INVALID_IP_RULE', 'Invalid IP or CIDR', 400);
+        }
+        const rule = {
+            id: randomUUID(),
+            value: trimmed,
+            label: label.trim() || trimmed,
+            createdAt: new Date(this.now()).toISOString()
+        };
+        await this.store.update((current) => ({ ...current, ipWhitelist: [...current.ipWhitelist, rule] }), { flush: 'immediate' });
+        return { id: rule.id, value: rule.value, label: rule.label, createdAt: rule.createdAt };
+    }
+    async removeIpRule(id) {
+        await this.store.update((current) => ({ ...current, ipWhitelist: current.ipWhitelist.filter((r) => r.id !== id) }), { flush: 'immediate' });
+    }
+    createSession(ip = null, deviceId = null) {
+        // Single active session: any new session supersedes existing ones.
+        this.sessions.clear();
+        const sessionId = `sess_${crypto.randomBytes(32).toString('base64url')}`;
+        const expiresAtMs = this.now() + this.config.sessionTtlMs;
+        this.sessions.set(sessionId, { expiresAtMs, ip, deviceId });
+        return { sessionId, expiresAt: new Date(expiresAtMs).toISOString() };
+    }
+    buildTrustedDevice(ctx) {
+        const token = `dev_${crypto.randomBytes(32).toString('base64url')}`;
+        const timestamp = new Date(this.now()).toISOString();
+        const record = {
+            id: randomUUID(),
+            tokenHash: this.hashDeviceToken(token),
+            label: deviceLabel(ctx.userAgent),
+            createdAt: timestamp,
+            lastSeenAt: timestamp,
+            expiresAt: new Date(this.now() + deviceTtlMs).toISOString()
+        };
+        return { token, record };
+    }
+    pruneDevices(devices) {
+        const nowMs = this.now();
+        return devices.filter((d) => Date.parse(d.expiresAt) > nowMs);
+    }
+    findValidDevice(token, devices) {
+        if (!token) {
+            return null;
+        }
+        const hash = this.hashDeviceToken(token);
+        const nowMs = this.now();
+        for (const device of devices) {
+            if (Date.parse(device.expiresAt) > nowMs && this.safeEqual(hash, device.tokenHash)) {
+                return device;
+            }
+        }
+        return null;
+    }
+    deviceMatchesToken(token, device) {
+        if (!token) {
+            return false;
+        }
+        return this.safeEqual(this.hashDeviceToken(token), device.tokenHash);
+    }
+    hashDeviceToken(token) {
+        return crypto.createHmac('sha256', this.config.sessionSecret).update(token).digest('base64url');
+    }
+    maybeAddIp(rules, ip, remember) {
+        if (!remember || !ip || ipMatchesAny(ip, rules)) {
+            return rules;
+        }
+        return [
+            ...rules,
+            { id: randomUUID(), value: ip, label: ip, createdAt: new Date(this.now()).toISOString() }
+        ];
+    }
+    validatePassword(password) {
+        if (password.length < 8) {
+            throw new AuthError('PASSWORD_TOO_SHORT', 'Password must be at least 8 characters', 400);
+        }
+    }
+    async hashPassword(password, salt) {
+        const hash = (await scrypt(`${password}:${this.config.sessionSecret}`, salt, 64));
+        return hash.toString('base64url');
+    }
+    async verifyPassword(password, credential) {
+        const candidate = await this.hashPassword(password, credential.salt);
+        return this.safeEqual(candidate, credential.hash);
+    }
+    safeEqual(left, right) {
+        const leftBuffer = Buffer.from(left);
+        const rightBuffer = Buffer.from(right);
+        return leftBuffer.length === rightBuffer.length && crypto.timingSafeEqual(leftBuffer, rightBuffer);
+    }
+    parseCookieHeader(header) {
+        const raw = Array.isArray(header) ? header.join('; ') : header;
+        if (!raw) {
+            return {};
+        }
+        return Object.fromEntries(raw
+            .split(';')
+            .map((part) => part.trim())
+            .filter(Boolean)
+            .map((part) => {
+            const separator = part.indexOf('=');
+            if (separator === -1) {
+                return [part, ''];
+            }
+            return [part.slice(0, separator), decodeURIComponent(part.slice(separator + 1))];
+        }));
+    }
+}
+function deviceLabel(userAgent) {
+    if (!userAgent) {
+        return 'Unknown device';
+    }
+    const os = /Windows/i.test(userAgent)
+        ? 'Windows'
+        : /Mac OS X|Macintosh/i.test(userAgent)
+            ? 'macOS'
+            : /iPhone|iPad|iOS/i.test(userAgent)
+                ? 'iOS'
+                : /Android/i.test(userAgent)
+                    ? 'Android'
+                    : /Linux/i.test(userAgent)
+                        ? 'Linux'
+                        : 'Unknown OS';
+    const browser = /Edg/i.test(userAgent)
+        ? 'Edge'
+        : /OPR|Opera/i.test(userAgent)
+            ? 'Opera'
+            : /Chrome/i.test(userAgent)
+                ? 'Chrome'
+                : /Firefox/i.test(userAgent)
+                    ? 'Firefox'
+                    : /Safari/i.test(userAgent)
+                        ? 'Safari'
+                        : 'Browser';
+    return `${browser} / ${os}`;
+}
+//# sourceMappingURL=authService.js.map

package/dist/server/auth/authService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authService.js","sourceRoot":"","sources":["../../../src/server/auth/authService.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAEnD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAEhG,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AACxC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7C,MAAM,OAAO,SAAU,SAAQ,KAAK;IAEhB;IAEA;IAHlB,YACkB,IAAY,EAC5B,OAAe,EACC,aAAa,GAAG;QAEhC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,SAAI,GAAJ,IAAI,CAAQ;QAEZ,eAAU,GAAV,UAAU,CAAM;IAGlC,CAAC;CACF;AA+CD,MAAM,OAAO,WAAW;IAOH;IACA;IAPF,GAAG,CAAe;IAClB,iBAAiB,CAAoB;IACrC,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC5C,WAAW,CAAqB;IAEjD,YACmB,MAAiB,EACjB,KAAgB,EACjC,UAA8B,EAAE;QAFf,WAAM,GAAN,MAAM,CAAW;QACjB,UAAK,GAAL,KAAK,CAAW;QAGjC,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;QACnC,IAAI,CAAC,iBAAiB;YACpB,OAAO,CAAC,iBAAiB;gBACzB,IAAI,iBAAiB,CAAC;oBACpB,KAAK,EAAE,CAAC;oBACR,QAAQ,EAAE,MAAM;oBAChB,GAAG,EAAE,IAAI,CAAC,GAAG;iBACd,CAAC,CAAC;QACL,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,MAAmB,EAAE;QACzD,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,KAAK,CAAC,kBAAkB,EAAE,CAAC;YAC7B,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,yBAAyB,EAAE,GAAG,CAAC,CAAC;QAC9E,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,UAAU,GAA6B;YAC3C,SAAS,EAAE,QAAQ;YACnB,IAAI,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC;YAC7C,IAAI;YACJ,SAAS,EAAE,SAAS;YACpB,SAAS,EAAE,SAAS;SACrB,CAAC;QACF,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC5E,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE;YACV,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAC/B,MAAM,IAAI,SAAS,CAAC,sBAAsB,EAAE,yBAAyB,EAAE,GAAG,CAAC,CAAC;YAC9E,CAAC;YACD,OAAO;gBACL,GAAG,OAAO;gBACV,kBAAkB,EAAE,UAAU;gBAC9B,cAAc,EAAE,CAAC,MAAM,CAAC;gBACxB,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,EAAE,GAAG,CAAC,eAAe,CAAC;aAC3E,CAAC;QACJ,CAAC,EACD,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,QAAgB,EAAE,GAAY,EAAE,MAAmB,EAAE;QAC3E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,KAAK,CAAC,kBAAkB,CAAC;QAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAAG,YAAY,GAAG,CAAC,SAAS,IAAI,SAAS,EAAE,CAAC;QAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,4BAA4B,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;QAC5C,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,sBAAsB,EAAE,GAAG,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBAC1D,MAAM,IAAI,SAAS,CAAC,aAAa,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAE3C,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAC5E,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE;YACV,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;YACtH,OAAO;gBACL,GAAG,OAAO;gBACV,cAAc,EAAE,CAAC,GAAG,OAAO,EAAE,MAAM,CAAC;gBACpC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,EAAE,GAAG,CAAC,eAAe,CAAC;aAC3E,CAAC;QACJ,CAAC,EACD,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;QACF,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAClD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAuB,EAAE,MAAmB,EAAE;QAChE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;QAC3E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,4BAA4B,EAAE,GAAG,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;QAC5C,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAEtD,yFAAyF;QACzF,8FAA8F;QAC9F,yEAAyE;QACzE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,SAAS,CAAC,mBAAmB,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,OAAO,GAAG,CAAC,SAAS,IAAI,SAAS,EAAE,CAAC;YACzD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,sBAAsB,EAAE,GAAG,CAAC,CAAC;YACnE,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;gBAC1D,MAAM,IAAI,SAAS,CAAC,aAAa,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACpC,GAAG,OAAO;YACV,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1G,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,EAAE,GAAG,CAAC,eAAe,CAAC;SAC3E,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,SAA6B,EAAE,EAAkB;QAC/D,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,gCAAgC,EAAE,GAAG,CAAC,CAAC;QACnF,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtC,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,yBAAyB,EAAE,GAAG,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAA6B,EAAE,MAAc,EAAE,GAAW,EAAE,EAAkB;QAC/F,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,gCAAgC,EAAE,GAAG,CAAC,CAAC;QACnF,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,SAAS,CAAC,aAAa,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,UAAU,GAAyB;YACvC,MAAM;YACN,SAAS,EAAE,MAAM;YACjB,MAAM,EAAE,CAAC;YACT,MAAM,EAAE,EAAE;YACV,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;SAC9C,CAAC;QACF,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE;YACV,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC3B,MAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,yBAAyB,EAAE,GAAG,CAAC,CAAC;YAC1E,CAAC;YACD,OAAO,EAAE,GAAG,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;QACpD,CAAC,EACD,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,SAA6B,EAAE,EAAkB;QACjE,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,SAAS,CAAC,cAAc,EAAE,mBAAmB,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACvG,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,OAAO,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,cAAc,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAA6B,EAAE,EAAkB,EAAE,UAAiC,EAAE;QAC1G,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;QACxC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,uEAAuE;QACvE,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;YACnC,oEAAoE;YACpE,qEAAqE;YACrE,mEAAmE;YACnE,qEAAqE;YACrE,kEAAkE;YAClE,iEAAiE;YACjE,+BAA+B;YAC/B,IAAI,UAAU,IAAI,sBAAsB,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAChD,IAAI,UAAU,IAAI,YAAY,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC;gBACxD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,SAA6B,EAC7B,MAAmF,EAAE;QAErF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtC,6FAA6F;QAC7F,6FAA6F;QAC7F,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACrE,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO;YACL,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC;YAC9C,aAAa;YACb,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;YAC1C,aAAa,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,IAAI;YACnF,oBAAoB,EAAE,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC;YACzD,SAAS,EAAE,aAAa,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;SACzF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAIpB;QACC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACnF,MAAM,SAAS,GAAG,OAAO,CAAC,iBAAiB,CAAC;QAC5C,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC;QACrE,OAAO,EAAE,IAAI,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAA6B,EAAE,WAA2B;QACrE,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACZ,GAAG,OAAO;gBACV,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;aAC/F,CAAC,EACF,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,kBAAkC;QACzD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACzF,OAAO,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACnD,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,OAAO,EAAE,WAAW,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,SAAS,CAAC;SAC1E,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,EAAU;QAClC,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACZ,GAAG,OAAO;YACV,cAAc,EAAE,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC;SAClE,CAAC,EACF,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IAClI,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,KAAa;QAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,iBAAiB,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,IAAI,GAAiB;YACzB,EAAE,EAAE,UAAU,EAAE;YAChB,KAAK,EAAE,OAAO;YACd,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,OAAO;YAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;SAC9C,CAAC;QACF,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,WAAW,EAAE,CAAC,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,EAC1E,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1F,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAC1F,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;IACJ,CAAC;IAEO,aAAa,CAAC,KAAoB,IAAI,EAAE,WAA0B,IAAI;QAC5E,mEAAmE;QACnE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,QAAQ,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACzE,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC5D,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;IACvE,CAAC;IAEO,kBAAkB,CAAC,GAAgB;QACzC,MAAM,KAAK,GAAG,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACpE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACrD,MAAM,MAAM,GAAwB;YAClC,EAAE,EAAE,UAAU,EAAE;YAChB,SAAS,EAAE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC;YACtC,KAAK,EAAE,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC;YACjC,SAAS,EAAE,SAAS;YACpB,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,CAAC,WAAW,EAAE;SAC5D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC3B,CAAC;IAEO,YAAY,CAAC,OAA8B;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,CAAC;IAChE,CAAC;IAEO,eAAe,CAAC,KAAgC,EAAE,OAA8B;QACtF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnF,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,kBAAkB,CAAC,KAAgC,EAAE,MAA2B;QACtF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACvE,CAAC;IAEO,eAAe,CAAC,KAAa;QACnC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAClG,CAAC;IAEO,UAAU,CAAC,KAAqB,EAAE,EAAiB,EAAE,QAA6B;QACxF,IAAI,CAAC,QAAQ,IAAI,CAAC,EAAE,IAAI,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;YAChD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO;YACL,GAAG,KAAK;YACR,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE;SAC1F,CAAC;IACJ,CAAC;IAEO,gBAAgB,CAAC,QAAgB;QACvC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,SAAS,CAAC,oBAAoB,EAAE,wCAAwC,EAAE,GAAG,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,IAAY;QACvD,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,GAAG,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAW,CAAC;QAC5F,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,UAAoC;QACjF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;IACpD,CAAC;IAEO,SAAS,CAAC,IAAY,EAAE,KAAa;QAC3C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACrG,CAAC;IAEO,iBAAiB,CAAC,MAAqC;QAC7D,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,OAAO,MAAM,CAAC,WAAW,CACvB,GAAG;aACA,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;aAC1B,MAAM,CAAC,OAAO,CAAC;aACf,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;YACZ,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACpB,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,CAAC,CAAC,CACL,CAAC;IACJ,CAAC;CACF;AAED,SAAS,WAAW,CAAC,SAAoC;IACvD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IACD,MAAM,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;QACnC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC;YACrC,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC;gBAClC,CAAC,CAAC,KAAK;gBACP,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;oBAC1B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;wBACxB,CAAC,CAAC,OAAO;wBACT,CAAC,CAAC,YAAY,CAAC;IACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC;QACpC,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC;YAC5B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;gBACzB,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;oBAC1B,CAAC,CAAC,SAAS;oBACX,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;wBACzB,CAAC,CAAC,QAAQ;wBACV,CAAC,CAAC,SAAS,CAAC;IACtB,OAAO,GAAG,OAAO,MAAM,EAAE,EAAE,CAAC;AAC9B,CAAC"}

package/dist/server/auth/cookies.d.ts

@@ -0,0 +1,11 @@
+import type { FastifyReply } from 'fastify';
+import type { AppConfig } from '../config.js';
+export declare const cookieNames: {
+    readonly session: "nterminal_session";
+    readonly device: "nterminal_device";
+};
+export declare function authCookieOptions(config: AppConfig, maxAgeSeconds?: number): import("@fastify/cookie").CookieSerializeOptions;
+export declare function setSessionCookie(reply: FastifyReply, config: AppConfig, sessionId: string): void;
+export declare function setDeviceCookie(reply: FastifyReply, config: AppConfig, token: string): void;
+export declare function clearSessionCookie(reply: FastifyReply, config: AppConfig): void;
+export declare function clearAuthCookies(reply: FastifyReply, config: AppConfig): void;