palaryn 0.1.0

package/dist/src/auth/providers.js

@@ -0,0 +1,198 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildGoogleAuthUrl = buildGoogleAuthUrl;
+exports.exchangeGoogleCode = exchangeGoogleCode;
+exports.getGoogleUserInfo = getGoogleUserInfo;
+exports.buildGitHubAuthUrl = buildGitHubAuthUrl;
+exports.exchangeGitHubCode = exchangeGitHubCode;
+exports.getGitHubUserInfo = getGitHubUserInfo;
+const https = __importStar(require("https"));
+const http = __importStar(require("http"));
+const url_1 = require("url");
+const pkce_1 = require("./pkce");
+function httpRequest(url, options) {
+    return new Promise((resolve, reject) => {
+        const parsed = new url_1.URL(url);
+        const mod = parsed.protocol === 'https:' ? https : http;
+        const req = mod.request(parsed, {
+            method: options.method || 'GET',
+            headers: options.headers || {},
+        }, (res) => {
+            const chunks = [];
+            res.on('data', (c) => chunks.push(c));
+            res.on('end', () => {
+                resolve({
+                    statusCode: res.statusCode || 0,
+                    body: Buffer.concat(chunks).toString('utf-8'),
+                });
+            });
+        });
+        req.on('error', reject);
+        if (options.body)
+            req.write(options.body);
+        req.end();
+    });
+}
+// ---------------------------------------------------------------------------
+// Google OAuth
+// ---------------------------------------------------------------------------
+function buildGoogleAuthUrl(config, redirectUri, state, codeVerifier) {
+    const codeChallenge = (0, pkce_1.generateCodeChallenge)(codeVerifier);
+    const params = new URLSearchParams({
+        client_id: config.client_id,
+        redirect_uri: redirectUri,
+        response_type: 'code',
+        scope: 'openid email profile',
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        access_type: 'offline',
+        prompt: 'consent',
+    });
+    return {
+        url: `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`,
+        code_verifier: codeVerifier,
+        code_challenge: codeChallenge,
+    };
+}
+async function exchangeGoogleCode(config, redirectUri, code, codeVerifier) {
+    const body = new URLSearchParams({
+        client_id: config.client_id,
+        client_secret: config.client_secret,
+        redirect_uri: redirectUri,
+        code,
+        grant_type: 'authorization_code',
+        code_verifier: codeVerifier,
+    }).toString();
+    const res = await httpRequest('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body,
+    });
+    if (res.statusCode !== 200) {
+        throw new Error(`Google token exchange failed (${res.statusCode}): ${res.body}`);
+    }
+    return JSON.parse(res.body);
+}
+async function getGoogleUserInfo(accessToken) {
+    const res = await httpRequest('https://www.googleapis.com/oauth2/v2/userinfo', {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (res.statusCode !== 200) {
+        throw new Error(`Google userinfo failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    return {
+        provider: 'google',
+        provider_user_id: data.id,
+        email: data.email,
+        display_name: data.name || data.email,
+        avatar_url: data.picture,
+    };
+}
+// ---------------------------------------------------------------------------
+// GitHub OAuth
+// ---------------------------------------------------------------------------
+function buildGitHubAuthUrl(config, redirectUri, state) {
+    const params = new URLSearchParams({
+        client_id: config.client_id,
+        redirect_uri: redirectUri,
+        scope: 'read:user user:email',
+        state,
+    });
+    return `https://github.com/login/oauth/authorize?${params.toString()}`;
+}
+async function exchangeGitHubCode(config, code) {
+    const body = new URLSearchParams({
+        client_id: config.client_id,
+        client_secret: config.client_secret,
+        code,
+    }).toString();
+    const res = await httpRequest('https://github.com/login/oauth/access_token', {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        },
+        body,
+    });
+    if (res.statusCode !== 200) {
+        throw new Error(`GitHub token exchange failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    if (data.error) {
+        throw new Error(`GitHub token error: ${data.error_description || data.error}`);
+    }
+    return data;
+}
+async function getGitHubUserInfo(accessToken) {
+    const res = await httpRequest('https://api.github.com/user', {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'User-Agent': 'Palaryn',
+            'Accept': 'application/json',
+        },
+    });
+    if (res.statusCode !== 200) {
+        throw new Error(`GitHub user API failed (${res.statusCode}): ${res.body}`);
+    }
+    const data = JSON.parse(res.body);
+    // GitHub might not return email in user endpoint, fetch from emails API
+    let email = data.email;
+    if (!email) {
+        const emailRes = await httpRequest('https://api.github.com/user/emails', {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                'User-Agent': 'Palaryn',
+                'Accept': 'application/json',
+            },
+        });
+        if (emailRes.statusCode === 200) {
+            const emails = JSON.parse(emailRes.body);
+            const primary = emails.find((e) => e.primary) || emails[0];
+            if (primary)
+                email = primary.email;
+        }
+    }
+    return {
+        provider: 'github',
+        provider_user_id: String(data.id),
+        email: email || `${data.login}@github.noreply.com`,
+        display_name: data.name || data.login,
+        avatar_url: data.avatar_url,
+    };
+}
+//# sourceMappingURL=providers.js.map

package/dist/src/auth/providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.js","sourceRoot":"","sources":["../../../src/auth/providers.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8CA,gDAsBC;AAED,gDAyBC;AAED,8CAeC;AAMD,gDAQC;AAED,gDA4BC;AAED,8CAqCC;AAnMD,6CAA+B;AAC/B,2CAA6B;AAC7B,6BAA0B;AAE1B,iCAAqE;AAWrE,SAAS,WAAW,CAAC,GAAW,EAAE,OAIjC;IACC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,IAAI,SAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QACxD,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE;YAC9B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;SAC/B,EAAE,CAAC,GAAG,EAAE,EAAE;YACT,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,OAAO,CAAC;oBACN,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC;oBAC/B,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;iBAC9C,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,IAAI,OAAO,CAAC,IAAI;YAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,SAAgB,kBAAkB,CAAC,MAA2B,EAAE,WAAmB,EAAE,KAAa,EAAE,YAAoB;IAKtH,MAAM,aAAa,GAAG,IAAA,4BAAqB,EAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;QAC7B,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,WAAW,EAAE,SAAS;QACtB,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IACH,OAAO;QACL,GAAG,EAAE,gDAAgD,MAAM,CAAC,QAAQ,EAAE,EAAE;QACxE,aAAa,EAAE,YAAY;QAC3B,cAAc,EAAE,aAAa;KAC9B,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,kBAAkB,CAAC,MAA2B,EAAE,WAAmB,EAAE,IAAY,EAAE,YAAoB;IAM3H,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,YAAY,EAAE,WAAW;QACzB,IAAI;QACJ,UAAU,EAAE,oBAAoB;QAChC,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,qCAAqC,EAAE;QACnE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI;KACL,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,+CAA+C,EAAE;QAC7E,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,gBAAgB,EAAE,IAAI,CAAC,EAAE;QACzB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,YAAY,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK;QACrC,UAAU,EAAE,IAAI,CAAC,OAAO;KACzB,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E,SAAgB,kBAAkB,CAAC,MAA2B,EAAE,WAAmB,EAAE,KAAa;IAChG,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,YAAY,EAAE,WAAW;QACzB,KAAK,EAAE,sBAAsB;QAC7B,KAAK;KACN,CAAC,CAAC;IACH,OAAO,4CAA4C,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AACzE,CAAC;AAEM,KAAK,UAAU,kBAAkB,CAAC,MAA2B,EAAE,IAAY;IAKhF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,IAAI;KACL,CAAC,CAAC,QAAQ,EAAE,CAAC;IAEd,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,6CAA6C,EAAE;QAC3E,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B;QACD,IAAI;KACL,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,6BAA6B,EAAE;QAC3D,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,YAAY,EAAE,SAAS;YACvB,QAAQ,EAAE,kBAAkB;SAC7B;KACF,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAElC,wEAAwE;IACxE,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACvB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,oCAAoC,EAAE;YACvE,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,YAAY,EAAE,SAAS;gBACvB,QAAQ,EAAE,kBAAkB;aAC7B;SACF,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;YAChC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACzC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;YAChE,IAAI,OAAO;gBAAE,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,QAAQ;QAClB,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,KAAK,EAAE,KAAK,IAAI,GAAG,IAAI,CAAC,KAAK,qBAAqB;QAClD,YAAY,EAAE,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK;QACrC,UAAU,EAAE,IAAI,CAAC,UAAU;KAC5B,CAAC;AACJ,CAAC"}

package/dist/src/auth/routes.d.ts

@@ -0,0 +1,14 @@
+import { Router } from 'express';
+import { OAuthConfig } from '../types/user';
+import { UserStore, OAuthAccountStore, SessionStore, WorkspaceStore, WorkspaceMemberStore, UserApiKeyStore } from '../storage/interfaces';
+export interface AuthRouteDeps {
+    config: OAuthConfig;
+    userStore: UserStore;
+    oauthAccountStore: OAuthAccountStore;
+    sessionStore: SessionStore;
+    workspaceStore: WorkspaceStore;
+    workspaceMemberStore: WorkspaceMemberStore;
+    userApiKeyStore?: UserApiKeyStore;
+}
+export declare function createAuthRouter(deps: AuthRouteDeps): Router;
+//# sourceMappingURL=routes.d.ts.map

package/dist/src/auth/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../../../src/auth/routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAqB,MAAM,SAAS,CAAC;AAEpD,OAAO,EAAE,WAAW,EAA+B,MAAM,eAAe,CAAC;AACzE,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,eAAe,EAChB,MAAM,uBAAuB,CAAC;AAa/B,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,WAAW,CAAC;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,YAAY,EAAE,YAAY,CAAC;IAC3B,cAAc,EAAE,cAAc,CAAC;IAC/B,oBAAoB,EAAE,oBAAoB,CAAC;IAC3C,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAue5D"}

package/dist/src/auth/routes.js

@@ -0,0 +1,431 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthRouter = createAuthRouter;
+const express_1 = require("express");
+const crypto_1 = require("crypto");
+const pkce_1 = require("./pkce");
+const pkce_2 = require("./pkce");
+const providers_1 = require("./providers");
+const session_1 = require("./session");
+const password_1 = require("./password");
+function createAuthRouter(deps) {
+    const router = (0, express_1.Router)();
+    const { config, userStore, oauthAccountStore, sessionStore, workspaceStore, workspaceMemberStore, userApiKeyStore } = deps;
+    const isProduction = process.env.NODE_ENV === 'production';
+    // ---------------------------------------------------------------------------
+    // GET /auth/:provider/authorize — redirect to OAuth provider
+    // ---------------------------------------------------------------------------
+    router.get('/:provider/authorize', (req, res) => {
+        const provider = req.params.provider;
+        const baseUrl = `${req.protocol}://${req.get('host')}`;
+        if (provider === 'google' && config.google) {
+            const redirectUri = config.google.redirect_uri || `${baseUrl}/auth/google/callback`;
+            const nonce = (0, pkce_2.generateNonce)();
+            const codeVerifier = (0, pkce_1.generateCodeVerifier)();
+            const state = (0, session_1.encryptState)({
+                provider: 'google',
+                code_verifier: codeVerifier,
+                nonce,
+                redirect_uri: redirectUri,
+                created_at: Date.now(),
+            }, config.session_secret);
+            const { url } = (0, providers_1.buildGoogleAuthUrl)(config.google, redirectUri, state, codeVerifier);
+            res.cookie(session_1.STATE_COOKIE_NAME, state, {
+                httpOnly: true,
+                secure: isProduction,
+                sameSite: 'lax',
+                maxAge: 600000, // 10 min
+                path: '/',
+            });
+            res.redirect(url);
+        }
+        else if (provider === 'github' && config.github) {
+            const redirectUri = config.github.redirect_uri || `${baseUrl}/auth/github/callback`;
+            const nonce = (0, pkce_2.generateNonce)();
+            const state = (0, session_1.encryptState)({
+                provider: 'github',
+                nonce,
+                redirect_uri: redirectUri,
+                created_at: Date.now(),
+            }, config.session_secret);
+            const url = (0, providers_1.buildGitHubAuthUrl)(config.github, redirectUri, state);
+            res.cookie(session_1.STATE_COOKIE_NAME, state, {
+                httpOnly: true,
+                secure: isProduction,
+                sameSite: 'lax',
+                maxAge: 600000,
+                path: '/',
+            });
+            res.redirect(url);
+        }
+        else {
+            res.status(400).json({ error: `Unsupported or unconfigured provider: ${provider}` });
+        }
+    });
+    // ---------------------------------------------------------------------------
+    // GET /auth/:provider/callback — handle OAuth callback
+    // ---------------------------------------------------------------------------
+    router.get('/:provider/callback', async (req, res) => {
+        const provider = req.params.provider;
+        const { code, state: stateParam, error } = req.query;
+        if (error) {
+            return res.redirect(`/login?error=${encodeURIComponent(error)}`);
+        }
+        if (!code || !stateParam) {
+            return res.redirect('/login?error=missing_params');
+        }
+        // Validate state cookie
+        const stateCookie = req.cookies?.[session_1.STATE_COOKIE_NAME];
+        if (!stateCookie || stateCookie !== stateParam) {
+            return res.redirect('/login?error=invalid_state');
+        }
+        // Clear state cookie
+        res.clearCookie(session_1.STATE_COOKIE_NAME, { path: '/' });
+        let flowState;
+        try {
+            flowState = (0, session_1.decryptState)(stateCookie, config.session_secret);
+        }
+        catch {
+            return res.redirect('/login?error=invalid_state');
+        }
+        // Check state expiry (10 min max)
+        if (Date.now() - flowState.created_at > 600000) {
+            return res.redirect('/login?error=state_expired');
+        }
+        try {
+            let profile;
+            let accessToken;
+            let refreshToken;
+            if (provider === 'google' && config.google) {
+                const tokens = await (0, providers_1.exchangeGoogleCode)(config.google, flowState.redirect_uri, code, flowState.code_verifier || '');
+                accessToken = tokens.access_token;
+                refreshToken = tokens.refresh_token;
+                profile = await (0, providers_1.getGoogleUserInfo)(tokens.access_token);
+            }
+            else if (provider === 'github' && config.github) {
+                const tokens = await (0, providers_1.exchangeGitHubCode)(config.github, code);
+                accessToken = tokens.access_token;
+                profile = await (0, providers_1.getGitHubUserInfo)(tokens.access_token);
+            }
+            else {
+                return res.redirect('/login?error=unsupported_provider');
+            }
+            // Find or create user + link OAuth account
+            const { user, isNewUser, needsLinking } = findOrCreateUser(profile, accessToken, refreshToken);
+            // If an existing account with the same email was found but OAuth is not
+            // linked, redirect to login with a message instead of auto-linking.
+            if (needsLinking) {
+                return res.redirect('/login?error=account_exists&message=' +
+                    encodeURIComponent('An account with this email already exists. Please sign in with your password first, then link your OAuth provider from settings.'));
+            }
+            // Create session
+            const sessionId = (0, session_1.generateSessionId)();
+            const now = new Date().toISOString();
+            // Find user's first workspace
+            const memberships = workspaceMemberStore.getByUser(user.id);
+            const workspaceId = memberships.length > 0 ? memberships[0].workspace_id : undefined;
+            sessionStore.create({
+                id: sessionId,
+                user_id: user.id,
+                workspace_id: workspaceId,
+                ip_address: req.ip || req.socket.remoteAddress,
+                user_agent: req.get('user-agent'),
+                expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+                last_active_at: now,
+                created_at: now,
+            });
+            // Set session cookie
+            res.cookie(session_1.SESSION_COOKIE_NAME, sessionId, {
+                httpOnly: true,
+                secure: isProduction,
+                sameSite: 'lax',
+                maxAge: config.session_ttl_seconds * 1000,
+                path: '/',
+            });
+            // Redirect based on user state
+            if (isNewUser || !user.onboarding_completed) {
+                return res.redirect('/onboarding');
+            }
+            return res.redirect('/dashboard');
+        }
+        catch (err) {
+            console.error(`[auth] OAuth callback error (${provider}):`, err);
+            return res.redirect('/login?error=auth_failed');
+        }
+    });
+    // ---------------------------------------------------------------------------
+    // POST /auth/register — create account with email + password
+    // ---------------------------------------------------------------------------
+    router.post('/register', async (req, res) => {
+        const { email, password, display_name } = req.body || {};
+        if (!email || !password) {
+            res.status(400).json({ error: 'email and password are required' });
+            return;
+        }
+        const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+        if (!emailRegex.test(email)) {
+            res.status(400).json({ error: 'Invalid email format' });
+            return;
+        }
+        if (password.length < 6) {
+            res.status(400).json({ error: 'Password must be at least 6 characters' });
+            return;
+        }
+        const existing = userStore.getByEmail(email);
+        if (existing) {
+            // Return identical response to prevent account enumeration
+            res.status(201).json({
+                user: { id: (0, crypto_1.randomUUID)(), email, display_name: display_name || email.split('@')[0] },
+            });
+            return;
+        }
+        const now = new Date().toISOString();
+        const userId = (0, crypto_1.randomUUID)();
+        const displayName = display_name || email.split('@')[0];
+        userStore.create({
+            id: userId,
+            email,
+            display_name: displayName,
+            password_hash: await (0, password_1.hashPassword)(password),
+            status: 'active',
+            onboarding_completed: false,
+            created_at: now,
+            updated_at: now,
+        });
+        // Auto-login: create session
+        const sessionId = (0, session_1.generateSessionId)();
+        sessionStore.create({
+            id: sessionId,
+            user_id: userId,
+            ip_address: req.ip || req.socket.remoteAddress,
+            user_agent: req.get('user-agent'),
+            expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+            last_active_at: now,
+            created_at: now,
+        });
+        res.cookie(session_1.SESSION_COOKIE_NAME, sessionId, {
+            httpOnly: true,
+            secure: isProduction,
+            sameSite: 'lax',
+            maxAge: config.session_ttl_seconds * 1000,
+            path: '/',
+        });
+        res.status(201).json({
+            user: { id: userId, email, display_name: displayName },
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // POST /auth/login — sign in with email + password
+    // ---------------------------------------------------------------------------
+    router.post('/login', async (req, res) => {
+        const { email, password } = req.body || {};
+        if (!email || !password) {
+            res.status(400).json({ error: 'email and password are required' });
+            return;
+        }
+        const user = userStore.getByEmail(email);
+        if (!user || !user.password_hash) {
+            res.status(401).json({ error: 'Invalid email or password' });
+            return;
+        }
+        if (!(await (0, password_1.verifyPassword)(password, user.password_hash))) {
+            res.status(401).json({ error: 'Invalid email or password' });
+            return;
+        }
+        if (user.status !== 'active') {
+            res.status(403).json({ error: 'Account is suspended' });
+            return;
+        }
+        const now = new Date().toISOString();
+        const sessionId = (0, session_1.generateSessionId)();
+        const memberships = workspaceMemberStore.getByUser(user.id);
+        const workspaceId = memberships.length > 0 ? memberships[0].workspace_id : undefined;
+        sessionStore.create({
+            id: sessionId,
+            user_id: user.id,
+            workspace_id: workspaceId,
+            ip_address: req.ip || req.socket.remoteAddress,
+            user_agent: req.get('user-agent'),
+            expires_at: new Date(Date.now() + config.session_ttl_seconds * 1000).toISOString(),
+            last_active_at: now,
+            created_at: now,
+        });
+        res.cookie(session_1.SESSION_COOKIE_NAME, sessionId, {
+            httpOnly: true,
+            secure: isProduction,
+            sameSite: 'lax',
+            maxAge: config.session_ttl_seconds * 1000,
+            path: '/',
+        });
+        res.json({
+            user: {
+                id: user.id,
+                email: user.email,
+                display_name: user.display_name,
+                onboarding_completed: user.onboarding_completed,
+                default_workspace_id: workspaceId,
+            },
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // GET /auth/me — return current user + session info
+    // ---------------------------------------------------------------------------
+    router.get('/me', (req, res) => {
+        const sessionUser = req.sessionUser;
+        if (!sessionUser) {
+            res.status(401).json({ error: 'Not authenticated' });
+            return;
+        }
+        const oauthAccounts = oauthAccountStore.getByUserId(sessionUser.id);
+        const memberships = workspaceMemberStore.getByUser(sessionUser.id);
+        const workspaces = memberships.map(m => {
+            const ws = workspaceStore.getById(m.workspace_id);
+            return ws ? { ...ws, role: m.role } : null;
+        }).filter(Boolean);
+        // Pick the first workspace as default
+        const defaultWorkspaceId = workspaces.length > 0 ? workspaces[0].id : undefined;
+        res.json({
+            user: {
+                id: sessionUser.id,
+                email: sessionUser.email,
+                display_name: sessionUser.display_name,
+                avatar_url: sessionUser.avatar_url,
+                status: sessionUser.status,
+                onboarding_completed: sessionUser.onboarding_completed,
+                default_workspace_id: defaultWorkspaceId,
+                created_at: sessionUser.created_at,
+            },
+            providers: oauthAccounts.map(a => ({
+                provider: a.provider,
+                email: a.provider_email,
+            })),
+            workspaces,
+            session: {
+                workspace_id: req.sessionData?.workspace_id,
+                expires_at: req.sessionData?.expires_at,
+            },
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // DELETE /auth/users/:id — delete a user and all related data (self only)
+    // ---------------------------------------------------------------------------
+    router.delete('/users/:id', (req, res) => {
+        const sessionUser = req.sessionUser;
+        if (!sessionUser) {
+            res.status(401).json({ error: 'Not authenticated' });
+            return;
+        }
+        const targetId = Array.isArray(req.params.id) ? req.params.id[0] : req.params.id;
+        // Only allow deleting yourself (no admin role needed)
+        if (sessionUser.id !== targetId) {
+            res.status(403).json({ error: 'Can only delete your own account' });
+            return;
+        }
+        // Delete workspace memberships and owned workspaces
+        const memberships = workspaceMemberStore.getByUser(targetId);
+        for (const m of memberships) {
+            // If sole owner of workspace, delete the workspace too
+            const wsMembers = workspaceMemberStore.getByWorkspace(m.workspace_id);
+            const otherOwners = wsMembers.filter(wm => wm.user_id !== targetId && wm.role === 'owner');
+            if (otherOwners.length === 0) {
+                // Delete all members of this workspace
+                for (const wm of wsMembers) {
+                    workspaceMemberStore.delete(wm.id);
+                }
+                // Delete workspace API keys
+                if (userApiKeyStore) {
+                    const keys = userApiKeyStore.getByWorkspace(m.workspace_id);
+                    for (const k of keys) {
+                        userApiKeyStore.delete(k.id);
+                    }
+                }
+                workspaceStore.delete(m.workspace_id);
+            }
+            else {
+                workspaceMemberStore.delete(m.id);
+            }
+        }
+        // Delete OAuth accounts
+        const oauthAccounts = oauthAccountStore.getByUserId(targetId);
+        for (const oa of oauthAccounts) {
+            oauthAccountStore.delete(oa.id);
+        }
+        // Delete user API keys
+        if (userApiKeyStore) {
+            const keys = userApiKeyStore.getByUser(targetId);
+            for (const k of keys) {
+                userApiKeyStore.delete(k.id);
+            }
+        }
+        // Clear session
+        const sessionId = req.cookies?.[session_1.SESSION_COOKIE_NAME];
+        if (sessionId) {
+            sessionStore.delete(sessionId);
+        }
+        // Delete user
+        userStore.delete(targetId);
+        res.clearCookie(session_1.SESSION_COOKIE_NAME, { path: '/' });
+        res.json({ status: 'ok', deleted_user_id: targetId });
+    });
+    // ---------------------------------------------------------------------------
+    // POST /auth/logout — clear session
+    // ---------------------------------------------------------------------------
+    router.post('/logout', (req, res) => {
+        const sessionId = req.cookies?.[session_1.SESSION_COOKIE_NAME];
+        if (sessionId) {
+            sessionStore.delete(sessionId);
+        }
+        res.clearCookie(session_1.SESSION_COOKIE_NAME, { path: '/' });
+        res.json({ status: 'ok' });
+    });
+    // ---------------------------------------------------------------------------
+    // Helper: find or create user from OAuth profile
+    // ---------------------------------------------------------------------------
+    function findOrCreateUser(profile, accessToken, refreshToken) {
+        const now = new Date().toISOString();
+        // Check if OAuth account already exists
+        const existingOAuth = oauthAccountStore.getByProvider(profile.provider, profile.provider_user_id);
+        if (existingOAuth) {
+            // Update tokens
+            oauthAccountStore.update(existingOAuth.id, {
+                access_token_encrypted: (0, session_1.encryptToken)(accessToken, config.session_secret),
+                refresh_token_encrypted: refreshToken ? (0, session_1.encryptToken)(refreshToken, config.session_secret) : undefined,
+                updated_at: now,
+            });
+            const user = userStore.getById(existingOAuth.user_id);
+            return { user, isNewUser: false };
+        }
+        // Check if user exists with same email — do NOT auto-link
+        const existingUser = userStore.getByEmail(profile.email);
+        if (existingUser) {
+            return { user: existingUser, isNewUser: false, needsLinking: true };
+        }
+        // Create new user
+        const user = {
+            id: (0, crypto_1.randomUUID)(),
+            email: profile.email,
+            display_name: profile.display_name,
+            avatar_url: profile.avatar_url,
+            status: 'active',
+            onboarding_completed: false,
+            created_at: now,
+            updated_at: now,
+        };
+        userStore.create(user);
+        // Create OAuth account link for new users only
+        oauthAccountStore.create({
+            id: (0, crypto_1.randomUUID)(),
+            user_id: user.id,
+            provider: profile.provider,
+            provider_user_id: profile.provider_user_id,
+            provider_email: profile.email,
+            access_token_encrypted: (0, session_1.encryptToken)(accessToken, config.session_secret),
+            refresh_token_encrypted: refreshToken ? (0, session_1.encryptToken)(refreshToken, config.session_secret) : undefined,
+            created_at: now,
+            updated_at: now,
+        });
+        return { user, isNewUser: true };
+    }
+    return router;
+}
+//# sourceMappingURL=routes.js.map