or3-provider-basic-auth 0.0.1

package/dist/runtime/server/lib/jwt.js

@@ -0,0 +1,77 @@
+import { randomUUID, createHash } from "node:crypto";
+import { getCookie } from "h3";
+import jwt from "jsonwebtoken";
+import { ACCESS_COOKIE_NAME, REFRESH_COOKIE_NAME } from "../../lib/constants.js";
+import { getBasicAuthConfig } from "./config.js";
+export async function signAccessToken(input) {
+  const config = getBasicAuthConfig();
+  return jwt.sign(
+    {
+      sid: input.sid,
+      ver: input.ver,
+      typ: "access",
+      email: input.email,
+      display_name: input.display_name ?? null
+    },
+    config.jwtSecret,
+    {
+      expiresIn: config.accessTtlSeconds,
+      subject: input.sub
+    }
+  );
+}
+export async function signRefreshToken(input) {
+  const config = getBasicAuthConfig();
+  return jwt.sign(
+    {
+      sid: input.sid,
+      ver: input.ver,
+      typ: "refresh",
+      jti: randomUUID()
+    },
+    config.refreshSecret,
+    {
+      expiresIn: config.refreshTtlSeconds,
+      subject: input.sub
+    }
+  );
+}
+function isAccessClaims(payload) {
+  return payload.typ === "access" && typeof payload.sub === "string" && typeof payload.sid === "string" && typeof payload.ver === "number";
+}
+function isRefreshClaims(payload) {
+  return payload.typ === "refresh" && typeof payload.sub === "string" && typeof payload.sid === "string" && typeof payload.ver === "number" && typeof payload.jti === "string";
+}
+export async function verifyAccessToken(token) {
+  try {
+    const config = getBasicAuthConfig();
+    const payload = jwt.verify(token, config.jwtSecret, {
+      algorithms: ["HS256"]
+    });
+    if (!isAccessClaims(payload)) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+export async function verifyRefreshToken(token) {
+  try {
+    const config = getBasicAuthConfig();
+    const payload = jwt.verify(token, config.refreshSecret, {
+      algorithms: ["HS256"]
+    });
+    if (!isRefreshClaims(payload)) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+export function getAccessTokenFromEvent(event) {
+  return getCookie(event, ACCESS_COOKIE_NAME) ?? null;
+}
+export function getRefreshTokenFromEvent(event) {
+  return getCookie(event, REFRESH_COOKIE_NAME) ?? null;
+}
+export function hashRefreshToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}

package/dist/runtime/server/lib/password.d.ts

@@ -0,0 +1,2 @@
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;

package/dist/runtime/server/lib/password.js

@@ -0,0 +1,8 @@
+import bcrypt from "bcryptjs";
+const PASSWORD_COST = 12;
+export async function hashPassword(password) {
+  return await bcrypt.hash(password, PASSWORD_COST);
+}
+export async function verifyPassword(password, hash) {
+  return await bcrypt.compare(password, hash);
+}

package/dist/runtime/server/lib/rate-limit.d.ts

@@ -0,0 +1,6 @@
+import { type H3Event } from 'h3';
+type Operation = 'basic-auth:sign-in' | 'basic-auth:register' | 'basic-auth:refresh' | 'basic-auth:sign-out' | 'basic-auth:change-password';
+export declare function enforceBasicAuthRateLimit(event: H3Event, operation: Operation): void;
+export declare function resetBasicAuthRateLimitStore(): void;
+export declare function getBasicAuthRateLimitStoreSizeForTests(): number;
+export {};

package/dist/runtime/server/lib/rate-limit.js

@@ -0,0 +1,163 @@
+import { createError, setResponseHeader } from "h3";
+import {
+  getClientIp as getProxyClientIp,
+  normalizeProxyTrustConfig
+} from "./request-identity.js";
+import { getBasicAuthDb } from "../db/client.js";
+const RULES = {
+  "basic-auth:sign-in": { windowMs: 6e4, maxRequests: 20 },
+  "basic-auth:register": { windowMs: 6e4, maxRequests: 10 },
+  "basic-auth:refresh": { windowMs: 6e4, maxRequests: 120 },
+  "basic-auth:sign-out": { windowMs: 6e4, maxRequests: 60 },
+  "basic-auth:change-password": { windowMs: 6e4, maxRequests: 20 }
+};
+const store = /* @__PURE__ */ new Map();
+const MAX_WINDOW_MS = Math.max(...Object.values(RULES).map((rule) => rule.windowMs));
+const SWEEP_INTERVAL_MS = 6e4;
+let lastSweepAt = 0;
+const RATE_LIMIT_BACKEND_ENV = "OR3_BASIC_AUTH_RATE_LIMIT_BACKEND";
+const DEFAULT_RATE_LIMIT_BACKEND = "sqlite";
+function getClientIp(event) {
+  const runtimeConfig = useRuntimeConfig(event);
+  const proxyConfig = normalizeProxyTrustConfig(runtimeConfig.security?.proxy);
+  return getProxyClientIp(event, proxyConfig) ?? event.node.req.socket.remoteAddress ?? "unknown";
+}
+function getKey(subject, operation) {
+  return `${subject}:${operation}`;
+}
+function getWindowKey(subject, operation, windowStartMs) {
+  return `${subject}:${operation}:${windowStartMs}`;
+}
+function resolveRateLimitBackend() {
+  const raw = (process.env[RATE_LIMIT_BACKEND_ENV] ?? "").trim().toLowerCase();
+  if (raw === "memory") return "memory";
+  return DEFAULT_RATE_LIMIT_BACKEND;
+}
+function pruneRateLimitStore(now) {
+  if (now - lastSweepAt < SWEEP_INTERVAL_MS) {
+    return;
+  }
+  const cutoff = now - MAX_WINDOW_MS;
+  for (const [key, entry] of store) {
+    const recent = entry.timestamps.filter((timestamp) => timestamp > cutoff);
+    if (recent.length === 0) {
+      store.delete(key);
+      continue;
+    }
+    entry.timestamps = recent;
+  }
+  lastSweepAt = now;
+}
+function pruneSqliteRateLimitStore(now) {
+  if (now - lastSweepAt < SWEEP_INTERVAL_MS) {
+    return;
+  }
+  getBasicAuthDb().prepare("DELETE FROM basic_auth_rate_limits WHERE updated_at <= ?").run(now - MAX_WINDOW_MS);
+  lastSweepAt = now;
+}
+function enforceInMemoryRateLimit(event, operation, now) {
+  pruneRateLimitStore(now);
+  const subject = getClientIp(event);
+  const key = getKey(subject, operation);
+  const rule = RULES[operation];
+  const windowStart = now - rule.windowMs;
+  const current = store.get(key) ?? { timestamps: [] };
+  const recent = current.timestamps.filter((timestamp) => timestamp > windowStart);
+  if (recent.length >= rule.maxRequests) {
+    const oldest = recent[0] ?? now;
+    const retryAfterMs = Math.max(0, oldest + rule.windowMs - now);
+    const retryAfterSeconds = Math.ceil(retryAfterMs / 1e3);
+    setResponseHeader(event, "Retry-After", retryAfterSeconds);
+    setResponseHeader(event, "X-RateLimit-Limit", String(rule.maxRequests));
+    setResponseHeader(event, "X-RateLimit-Remaining", "0");
+    throw createError({
+      statusCode: 429,
+      statusMessage: "Too many requests"
+    });
+  }
+  recent.push(now);
+  store.set(key, { timestamps: recent });
+  setResponseHeader(event, "X-RateLimit-Limit", String(rule.maxRequests));
+  setResponseHeader(
+    event,
+    "X-RateLimit-Remaining",
+    String(Math.max(0, rule.maxRequests - recent.length))
+  );
+}
+function enforceSqliteRateLimit(event, operation, now) {
+  pruneSqliteRateLimitStore(now);
+  const subject = getClientIp(event);
+  const rule = RULES[operation];
+  const windowStart = Math.floor(now / rule.windowMs) * rule.windowMs;
+  const windowKey = getWindowKey(subject, operation, windowStart);
+  const db = getBasicAuthDb();
+  const loadCount = db.prepare(
+    "SELECT request_count FROM basic_auth_rate_limits WHERE key = ?"
+  );
+  const insertCount = db.prepare(`
+    INSERT INTO basic_auth_rate_limits (key, subject, operation, window_started_at, request_count, updated_at)
+    VALUES (?, ?, ?, ?, 1, ?)
+  `);
+  const incrementCount = db.prepare(`
+    UPDATE basic_auth_rate_limits
+    SET request_count = request_count + 1, updated_at = ?
+    WHERE key = ?
+  `);
+  const evaluate = db.transaction(() => {
+    const existing = loadCount.get(windowKey);
+    if (!existing) {
+      insertCount.run(windowKey, subject, operation, windowStart, now);
+      return { blocked: false, requestCount: 1 };
+    }
+    if (existing.request_count >= rule.maxRequests) {
+      return { blocked: true, requestCount: existing.request_count };
+    }
+    incrementCount.run(now, windowKey);
+    return { blocked: false, requestCount: existing.request_count + 1 };
+  });
+  const result = evaluate.immediate();
+  if (result.blocked) {
+    const retryAfterMs = Math.max(0, windowStart + rule.windowMs - now);
+    const retryAfterSeconds = Math.ceil(retryAfterMs / 1e3);
+    setResponseHeader(event, "Retry-After", retryAfterSeconds);
+    setResponseHeader(event, "X-RateLimit-Limit", String(rule.maxRequests));
+    setResponseHeader(event, "X-RateLimit-Remaining", "0");
+    throw createError({
+      statusCode: 429,
+      statusMessage: "Too many requests"
+    });
+  }
+  setResponseHeader(event, "X-RateLimit-Limit", String(rule.maxRequests));
+  setResponseHeader(
+    event,
+    "X-RateLimit-Remaining",
+    String(Math.max(0, rule.maxRequests - result.requestCount))
+  );
+}
+export function enforceBasicAuthRateLimit(event, operation) {
+  const now = Date.now();
+  if (resolveRateLimitBackend() === "memory") {
+    enforceInMemoryRateLimit(event, operation, now);
+    return;
+  }
+  enforceSqliteRateLimit(event, operation, now);
+}
+export function resetBasicAuthRateLimitStore() {
+  store.clear();
+  lastSweepAt = 0;
+  try {
+    getBasicAuthDb().prepare("DELETE FROM basic_auth_rate_limits").run();
+  } catch {
+  }
+}
+export function getBasicAuthRateLimitStoreSizeForTests() {
+  if (resolveRateLimitBackend() === "memory") {
+    return store.size;
+  }
+  try {
+    const row = getBasicAuthDb().prepare("SELECT COUNT(*) as count FROM basic_auth_rate_limits").get();
+    return row?.count ?? 0;
+  } catch {
+    return 0;
+  }
+}

package/dist/runtime/server/lib/request-identity.d.ts

@@ -0,0 +1,16 @@
+import { type H3Event } from 'h3';
+export type ForwardedForHeader = 'x-forwarded-for' | 'x-real-ip';
+export type ForwardedHostHeader = 'x-forwarded-host';
+export interface ProxyTrustConfig {
+    trustProxy: boolean;
+    forwardedForHeader: ForwardedForHeader;
+    forwardedHostHeader: ForwardedHostHeader;
+}
+export interface ProxyTrustConfigInput {
+    trustProxy?: boolean;
+    forwardedForHeader?: string;
+    forwardedHostHeader?: string;
+}
+export declare function normalizeProxyTrustConfig(input?: ProxyTrustConfigInput): ProxyTrustConfig;
+export declare function getClientIp(event: H3Event, config: ProxyTrustConfig): string | null;
+export declare function getProxyRequestHost(event: H3Event, config: ProxyTrustConfig): string | null;

package/dist/runtime/server/lib/request-identity.js

@@ -0,0 +1,32 @@
+import { getRequestHeader } from "h3";
+const IP_REGEX = /^(\d{1,3}\.){3}\d{1,3}$|^[0-9a-fA-F:.]+$/;
+export function normalizeProxyTrustConfig(input) {
+  return {
+    trustProxy: input?.trustProxy === true,
+    forwardedForHeader: input?.forwardedForHeader === "x-real-ip" ? "x-real-ip" : "x-forwarded-for",
+    forwardedHostHeader: "x-forwarded-host"
+  };
+}
+function parseForwardedFor(value) {
+  const firstIp = value.split(",")[0]?.trim();
+  if (!firstIp) return null;
+  if (!IP_REGEX.test(firstIp)) return null;
+  return firstIp;
+}
+export function getClientIp(event, config) {
+  if (config.trustProxy) {
+    const forwarded = getRequestHeader(event, config.forwardedForHeader);
+    if (!forwarded) return null;
+    return parseForwardedFor(forwarded);
+  }
+  return event.node.req.socket.remoteAddress ?? null;
+}
+export function getProxyRequestHost(event, config) {
+  if (config.trustProxy) {
+    const forwardedHost = getRequestHeader(event, config.forwardedHostHeader);
+    const firstHost = forwardedHost?.split(",")[0]?.trim().toLowerCase();
+    return firstHost && firstHost.length > 0 ? firstHost : null;
+  }
+  const host = getRequestHeader(event, "host");
+  return host ? host.trim().toLowerCase() : null;
+}

package/dist/runtime/server/lib/request-security.d.ts

@@ -0,0 +1,2 @@
+import { type H3Event } from 'h3';
+export declare function enforceMutationOriginPolicy(event: H3Event): void;

package/dist/runtime/server/lib/request-security.js

@@ -0,0 +1,37 @@
+import { createError, getRequestHeader } from "h3";
+import { getProxyRequestHost, normalizeProxyTrustConfig } from "./request-identity.js";
+function getOriginHost(originOrReferer) {
+  try {
+    return new URL(originOrReferer).host.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function normalizeHost(host) {
+  return host.trim().toLowerCase();
+}
+function getRequestHost(event) {
+  const runtimeConfig = useRuntimeConfig(event);
+  const proxyConfig = normalizeProxyTrustConfig(runtimeConfig.security?.proxy);
+  return getProxyRequestHost(event, proxyConfig);
+}
+function isSafeMethod(method) {
+  const normalized = (method ?? "GET").toUpperCase();
+  return normalized === "GET" || normalized === "HEAD" || normalized === "OPTIONS";
+}
+export function enforceMutationOriginPolicy(event) {
+  if (isSafeMethod(event.method)) return;
+  const originHeader = getRequestHeader(event, "origin") ?? getRequestHeader(event, "referer");
+  if (!originHeader) return;
+  const originHost = getOriginHost(originHeader);
+  if (!originHost) {
+    throw createError({ statusCode: 403, statusMessage: "Forbidden" });
+  }
+  const requestHost = getRequestHost(event);
+  if (!requestHost) {
+    throw createError({ statusCode: 403, statusMessage: "Forbidden" });
+  }
+  if (normalizeHost(originHost) !== normalizeHost(requestHost)) {
+    throw createError({ statusCode: 403, statusMessage: "Forbidden" });
+  }
+}

package/dist/runtime/server/lib/session-store.d.ts

@@ -0,0 +1,46 @@
+import { type H3Event } from 'h3';
+import type { BasicAuthAccount, BasicAuthSession } from '../db/schema.js';
+export interface CreateAccountInput {
+    email: string;
+    passwordHash: string;
+    displayName?: string | null;
+}
+export interface SessionMetadata {
+    ipAddress?: string | null;
+    userAgent?: string | null;
+}
+export interface CreateSessionInput {
+    accountId: string;
+    sessionId: string;
+    refreshTokenHash: string;
+    expiresAtMs: number;
+    rotatedFromSessionId?: string | null;
+    metadata?: SessionMetadata;
+}
+export interface RotationInput {
+    currentSessionId: string;
+    currentRefreshHash: string;
+    newSessionId: string;
+    newRefreshHash: string;
+    newExpiresAtMs: number;
+    metadata?: SessionMetadata;
+}
+export interface RotationResult {
+    ok: boolean;
+    reason?: 'not_found' | 'expired' | 'revoked' | 'replayed';
+    accountId?: string;
+    sessionId?: string;
+}
+export declare function normalizeEmail(email: string): string;
+export declare function getSessionMetadataFromEvent(event: H3Event): SessionMetadata;
+export declare function findAccountByEmail(email: string): BasicAuthAccount | null;
+export declare function findAccountById(id: string): BasicAuthAccount | null;
+export declare function createAccount(input: CreateAccountInput): BasicAuthAccount;
+export declare function ensureBootstrapAccount(input: CreateAccountInput): BasicAuthAccount;
+export declare function createAuthSession(input: CreateSessionInput): BasicAuthSession;
+export declare function findSessionById(sessionId: string): BasicAuthSession | null;
+export declare function revokeSessionById(sessionId: string, revokedAtMs?: number): void;
+export declare function revokeAllSessionsForAccount(accountId: string, revokedAtMs?: number): void;
+export declare function rotateSession(input: RotationInput): RotationResult;
+export declare function updatePasswordAndRevokeSessions(accountId: string, newPasswordHash: string): void;
+export declare function isSessionUsable(session: BasicAuthSession | null): boolean;

package/dist/runtime/server/lib/session-store.js

@@ -0,0 +1,190 @@
+import { randomUUID, timingSafeEqual } from "node:crypto";
+import { getRequestHeader } from "h3";
+import { getBasicAuthDb } from "../db/client.js";
+import {
+  getClientIp as getProxyClientIp,
+  normalizeProxyTrustConfig
+} from "./request-identity.js";
+export function normalizeEmail(email) {
+  return email.trim().toLowerCase();
+}
+function toHexBuffer(value) {
+  return Buffer.from(value, "hex");
+}
+function safeHexEquals(left, right) {
+  if (left.length !== right.length) return false;
+  const leftBuffer = toHexBuffer(left);
+  const rightBuffer = toHexBuffer(right);
+  if (leftBuffer.length !== rightBuffer.length) return false;
+  return timingSafeEqual(leftBuffer, rightBuffer);
+}
+export function getSessionMetadataFromEvent(event) {
+  const proxyConfig = normalizeProxyTrustConfig(useRuntimeConfig(event).security?.proxy);
+  return {
+    ipAddress: getProxyClientIp(event, proxyConfig) ?? event.node.req.socket.remoteAddress ?? null,
+    userAgent: getRequestHeader(event, "user-agent") ?? null
+  };
+}
+export function findAccountByEmail(email) {
+  const db = getBasicAuthDb();
+  const row = db.prepare("SELECT * FROM basic_auth_accounts WHERE email = ? LIMIT 1").get(normalizeEmail(email));
+  return row ?? null;
+}
+export function findAccountById(id) {
+  const db = getBasicAuthDb();
+  const row = db.prepare("SELECT * FROM basic_auth_accounts WHERE id = ? LIMIT 1").get(id);
+  return row ?? null;
+}
+export function createAccount(input) {
+  const db = getBasicAuthDb();
+  const now = Date.now();
+  const account = {
+    id: randomUUID(),
+    email: normalizeEmail(input.email),
+    password_hash: input.passwordHash,
+    display_name: input.displayName ?? null,
+    token_version: 0,
+    created_at: now,
+    updated_at: now
+  };
+  db.prepare(
+    `INSERT INTO basic_auth_accounts (
+      id, email, password_hash, display_name, token_version, created_at, updated_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    account.id,
+    account.email,
+    account.password_hash,
+    account.display_name,
+    account.token_version,
+    account.created_at,
+    account.updated_at
+  );
+  return account;
+}
+export function ensureBootstrapAccount(input) {
+  const existing = findAccountByEmail(input.email);
+  if (existing) return existing;
+  return createAccount(input);
+}
+export function createAuthSession(input) {
+  const db = getBasicAuthDb();
+  const createdAt = Date.now();
+  const row = {
+    id: input.sessionId,
+    account_id: input.accountId,
+    refresh_token_hash: input.refreshTokenHash,
+    expires_at: input.expiresAtMs,
+    revoked_at: null,
+    created_at: createdAt,
+    rotated_from_session_id: input.rotatedFromSessionId ?? null,
+    replaced_by_session_id: null,
+    ip_address: input.metadata?.ipAddress ?? null,
+    user_agent: input.metadata?.userAgent ?? null
+  };
+  db.prepare(
+    `INSERT INTO basic_auth_sessions (
+      id, account_id, refresh_token_hash, expires_at, revoked_at, created_at,
+      rotated_from_session_id, replaced_by_session_id, ip_address, user_agent
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+  ).run(
+    row.id,
+    row.account_id,
+    row.refresh_token_hash,
+    row.expires_at,
+    row.revoked_at,
+    row.created_at,
+    row.rotated_from_session_id,
+    row.replaced_by_session_id,
+    row.ip_address,
+    row.user_agent
+  );
+  return row;
+}
+export function findSessionById(sessionId) {
+  const db = getBasicAuthDb();
+  const row = db.prepare("SELECT * FROM basic_auth_sessions WHERE id = ? LIMIT 1").get(sessionId);
+  return row ?? null;
+}
+export function revokeSessionById(sessionId, revokedAtMs = Date.now()) {
+  const db = getBasicAuthDb();
+  db.prepare(
+    "UPDATE basic_auth_sessions SET revoked_at = COALESCE(revoked_at, ?) WHERE id = ?"
+  ).run(revokedAtMs, sessionId);
+}
+export function revokeAllSessionsForAccount(accountId, revokedAtMs = Date.now()) {
+  const db = getBasicAuthDb();
+  db.prepare(
+    "UPDATE basic_auth_sessions SET revoked_at = COALESCE(revoked_at, ?) WHERE account_id = ?"
+  ).run(revokedAtMs, accountId);
+}
+export function rotateSession(input) {
+  const db = getBasicAuthDb();
+  const now = Date.now();
+  const currentSession = findSessionById(input.currentSessionId);
+  if (!currentSession) {
+    return { ok: false, reason: "not_found" };
+  }
+  if (currentSession.expires_at <= now) {
+    revokeSessionById(currentSession.id, now);
+    return { ok: false, reason: "expired" };
+  }
+  const isSameTokenHash = safeHexEquals(
+    currentSession.refresh_token_hash,
+    input.currentRefreshHash
+  );
+  if (currentSession.revoked_at !== null) {
+    const replayedRotatedToken = currentSession.replaced_by_session_id !== null && isSameTokenHash;
+    if (replayedRotatedToken) {
+      revokeAllSessionsForAccount(currentSession.account_id, now);
+      return {
+        ok: false,
+        reason: "replayed"
+      };
+    }
+    return { ok: false, reason: "revoked" };
+  }
+  if (!isSameTokenHash) {
+    revokeAllSessionsForAccount(currentSession.account_id, now);
+    return {
+      ok: false,
+      reason: "replayed"
+    };
+  }
+  db.transaction(() => {
+    createAuthSession({
+      accountId: currentSession.account_id,
+      sessionId: input.newSessionId,
+      refreshTokenHash: input.newRefreshHash,
+      expiresAtMs: input.newExpiresAtMs,
+      rotatedFromSessionId: currentSession.id,
+      metadata: input.metadata
+    });
+    db.prepare(
+      "UPDATE basic_auth_sessions SET revoked_at = ?, replaced_by_session_id = ? WHERE id = ?"
+    ).run(now, input.newSessionId, currentSession.id);
+  })();
+  return {
+    ok: true,
+    accountId: currentSession.account_id,
+    sessionId: input.newSessionId
+  };
+}
+export function updatePasswordAndRevokeSessions(accountId, newPasswordHash) {
+  const db = getBasicAuthDb();
+  const now = Date.now();
+  db.transaction(() => {
+    db.prepare(
+      `UPDATE basic_auth_accounts
+       SET password_hash = ?, token_version = token_version + 1, updated_at = ?
+       WHERE id = ?`
+    ).run(newPasswordHash, now, accountId);
+    revokeAllSessionsForAccount(accountId, now);
+  })();
+}
+export function isSessionUsable(session) {
+  if (!session) return false;
+  if (session.revoked_at !== null) return false;
+  if (session.expires_at <= Date.now()) return false;
+  return true;
+}

package/dist/runtime/server/plugins/register.d.ts

@@ -0,0 +1,2 @@
+declare const _default: any;
+export default _default;

package/dist/runtime/server/plugins/register.js

@@ -0,0 +1,63 @@
+import { BASIC_AUTH_PROVIDER_ID } from "../../lib/constants.js";
+import { registerAuthProvider } from "~~/server/auth/registry";
+import { registerProviderAdminAdapter } from "~~/server/admin/providers/registry";
+import { registerProviderTokenBroker } from "~~/server/auth/token-broker/registry";
+import { basicAuthProvider } from "../auth/basic-auth-provider.js";
+import { createBasicAuthTokenBroker } from "../token-broker/basic-auth-token-broker.js";
+import {
+  BASIC_AUTH_INSECURE_DEV_ESCAPE_HATCH_ENV,
+  getBasicAuthConfig,
+  isBasicAuthInsecureDevEscapeHatchEnabled,
+  validateBasicAuthConfig
+} from "../lib/config.js";
+import { hashPassword } from "../lib/password.js";
+import { ensureBootstrapAccount, findAccountByEmail } from "../lib/session-store.js";
+import { basicAuthAdminAdapter } from "../admin/adapters/auth-basic-auth.js";
+async function ensureBootstrapUserIfConfigured() {
+  const config = getBasicAuthConfig();
+  const email = config.bootstrapEmail?.trim();
+  const password = config.bootstrapPassword;
+  if (!email || !password) {
+    return;
+  }
+  if (findAccountByEmail(email)) {
+    return;
+  }
+  const passwordHash = await hashPassword(password);
+  ensureBootstrapAccount({
+    email,
+    passwordHash,
+    displayName: email
+  });
+}
+export default defineNitroPlugin(async () => {
+  const runtimeConfig = useRuntimeConfig();
+  const diagnostics = validateBasicAuthConfig(runtimeConfig);
+  for (const warning of diagnostics.warnings) {
+    console.warn(`[basic-auth] ${warning}`);
+  }
+  if (!diagnostics.config.enabled) {
+    return;
+  }
+  if (diagnostics.config.providerId !== BASIC_AUTH_PROVIDER_ID) {
+    return;
+  }
+  if (!diagnostics.isValid) {
+    const message = `${diagnostics.errors.join(" ")} Install/configure basic-auth provider env values and restart.`;
+    if (isBasicAuthInsecureDevEscapeHatchEnabled() && !diagnostics.config.strict) {
+      console.warn(
+        `[basic-auth] ${message} Startup continues because ${BASIC_AUTH_INSECURE_DEV_ESCAPE_HATCH_ENV}=true (development only).`
+      );
+      return;
+    }
+    throw new Error(message);
+  }
+  await ensureBootstrapUserIfConfigured();
+  registerAuthProvider({
+    id: BASIC_AUTH_PROVIDER_ID,
+    order: 100,
+    create: () => basicAuthProvider
+  });
+  registerProviderTokenBroker(BASIC_AUTH_PROVIDER_ID, createBasicAuthTokenBroker);
+  registerProviderAdminAdapter(basicAuthAdminAdapter);
+});

package/dist/runtime/server/token-broker/basic-auth-token-broker.d.ts

@@ -0,0 +1,6 @@
+import type { H3Event } from 'h3';
+import type { ProviderTokenBroker, ProviderTokenRequest } from '~~/server/auth/token-broker/types';
+export declare class BasicAuthTokenBroker implements ProviderTokenBroker {
+    getProviderToken(_event: H3Event, _req: ProviderTokenRequest): Promise<string | null>;
+}
+export declare function createBasicAuthTokenBroker(): ProviderTokenBroker;

package/dist/runtime/server/token-broker/basic-auth-token-broker.js

@@ -0,0 +1,8 @@
+export class BasicAuthTokenBroker {
+  async getProviderToken(_event, _req) {
+    return null;
+  }
+}
+export function createBasicAuthTokenBroker() {
+  return new BasicAuthTokenBroker();
+}

package/dist/runtime/server/token-broker/index.d.ts

@@ -0,0 +1 @@
+export { BasicAuthTokenBroker, createBasicAuthTokenBroker } from './basic-auth-token-broker.js';

package/dist/runtime/server/token-broker/index.js

@@ -0,0 +1 @@
+export { BasicAuthTokenBroker, createBasicAuthTokenBroker } from "./basic-auth-token-broker.js";