payload-better-auth 1.0.0

package/README.md

@@ -0,0 +1,225 @@
+# Payload Plugin Template
+
+A template repo to create a [Payload CMS](https://payloadcms.com) plugin.
+
+Payload is built with a robust infrastructure intended to support Plugins with ease. This provides a simple, modular, and reusable way for developers to extend the core capabilities of Payload.
+
+To build your own Payload plugin, all you need is:
+
+- An understanding of the basic Payload concepts
+- And some JavaScript/Typescript experience
+
+## Getting started
+
+1. Install: `pnpm i`
+2. Generate import map for payload: `cd packages/plugins/dev && pnpx payload generate:importmap`
+3. Initialize / migrate the better-auth database: `pnpx @better-auth/cli migrate --yes` (Also from `dev` directory)
+4. Run dev: `pnpm dev`
+
+## Background
+
+Here is a short recap on how to integrate plugins with Payload, to learn more visit the [plugin overview page](https://payloadcms.com/docs/plugins/overview).
+
+### How to install a plugin
+
+To install any plugin, simply add it to your payload.config() in the Plugin array.
+
+```ts
+import myPlugin from 'my-plugin'
+
+export const config = buildConfig({
+  plugins: [
+    // You can pass options to the plugin
+    myPlugin({
+      enabled: true,
+    }),
+  ],
+})
+```
+
+### Initialization
+
+The initialization process goes in the following order:
+
+1. Incoming config is validated
+2. **Plugins execute**
+3. Default options are integrated
+4. Sanitization cleans and validates data
+5. Final config gets initialized
+
+## Building the Plugin
+
+When you build a plugin, you are purely building a feature for your project and then abstracting it outside of the project.
+
+### Template Files
+
+In the Payload [plugin template](https://github.com/payloadcms/payload/tree/main/templates/plugin), you will see a common file structure that is used across all plugins:
+
+1. root folder
+2. /src folder
+3. /dev folder
+
+#### Root
+
+In the root folder, you will see various files that relate to the configuration of the plugin. We set up our environment in a similar manner in Payload core and across other projects, so hopefully these will look familiar:
+
+- **README**.md\* - This contains instructions on how to use the template. When you are ready, update this to contain instructions on how to use your Plugin.
+- **package**.json\* - Contains necessary scripts and dependencies. Overwrite the metadata in this file to describe your Plugin.
+- .**eslint**.config.js - Eslint configuration for reporting on problematic patterns.
+- .**gitignore** - List specific untracked files to omit from Git.
+- .**prettierrc**.json - Configuration for Prettier code formatting.
+- **tsconfig**.json - Configures the compiler options for TypeScript
+- .**swcrc** - Configuration for SWC, a fast compiler that transpiles and bundles TypeScript.
+- **vitest**.config.js - Config file for Vitest, defining how tests are run and how modules are resolved
+
+**IMPORTANT\***: You will need to modify these files.
+
+#### Dev
+
+In the dev folder, you’ll find a basic payload project, created with `npx create-payload-app` and the blank template.
+
+**IMPORTANT**: Make a copy of the `.env.example` file and rename it to `.env`. Update the `DATABASE_URI` to match the database you are using and your plugin name. Update `PAYLOAD_SECRET` to a unique string.
+**You will not be able to run `pnpm/yarn dev` until you have created this `.env` file.**
+
+`myPlugin` has already been added to the `payload.config()` file in this project.
+
+```ts
+plugins: [
+  myPlugin({
+    collections: {
+      posts: true,
+    },
+  }),
+]
+```
+
+Later when you rename the plugin or add additional options, **make sure to update it here**.
+
+You may wish to add collections or expand the test project depending on the purpose of your plugin. Just make sure to keep this dev environment as simplified as possible - users should be able to install your plugin without additional configuration required.
+
+When you’re ready to start development, initiate the project with `pnpm/npm/yarn dev` and pull up [http://localhost:3000](http://localhost:3000) in your browser.
+
+#### Src
+
+Now that we have our environment setup and we have a dev project ready to - it’s time to build the plugin!
+
+**index.ts**
+
+The essence of a Payload plugin is simply to extend the payload config - and that is exactly what we are doing in this file.
+
+```ts
+export const myPlugin =
+  (pluginOptions: MyPluginConfig) =>
+  (config: Config): Config => {
+    // do cool stuff with the config here
+
+    return config
+  }
+```
+
+First, we receive the existing payload config along with any plugin options.
+
+From here, you can extend the config as you wish.
+
+Finally, you return the config and that is it!
+
+##### Spread Syntax
+
+Spread syntax (or the spread operator) is a feature in JavaScript that uses the dot notation **(...)** to spread elements from arrays, strings, or objects into various contexts.
+
+We are going to use spread syntax to allow us to add data to existing arrays without losing the existing data. It is crucial to spread the existing data correctly – else this can cause adverse behavior and conflicts with Payload config and other plugins.
+
+Let’s say you want to build a plugin that adds a new collection:
+
+```ts
+config.collections = [
+  ...(config.collections || []),
+  // Add additional collections here
+]
+```
+
+First we spread the `config.collections` to ensure that we don’t lose the existing collections, then you can add any additional collections just as you would in a regular payload config.
+
+This same logic is applied to other properties like admin, hooks, globals:
+
+```ts
+config.globals = [
+  ...(config.globals || []),
+  // Add additional globals here
+]
+
+config.hooks = {
+  ...(incomingConfig.hooks || {}),
+  // Add additional hooks here
+}
+```
+
+Some properties will be slightly different to extend, for instance the onInit property:
+
+```ts
+import { onInitExtension } from './onInitExtension' // example file
+
+config.onInit = async (payload) => {
+  if (incomingConfig.onInit) await incomingConfig.onInit(payload)
+  // Add additional onInit code by defining an onInitExtension function
+  onInitExtension(pluginOptions, payload)
+}
+```
+
+If you wish to add to the onInit, you must include the **async/await**. We don’t use spread syntax in this case, instead you must await the existing `onInit` before running additional functionality.
+
+In the template, we have stubbed out some addition `onInit` actions that seeds in a document to the `plugin-collection`, you can use this as a base point to add more actions - and if not needed, feel free to delete it.
+
+##### Types.ts
+
+If your plugin has options, you should define and provide types for these options.
+
+```ts
+export type MyPluginConfig = {
+  /**
+   * List of collections to add a custom field
+   */
+  collections?: Partial<Record<CollectionSlug, true>>
+  /**
+   * Disable the plugin
+   */
+  disabled?: boolean
+}
+```
+
+If possible, include JSDoc comments to describe the options and their types. This allows a developer to see details about the options in their editor.
+
+##### Testing
+
+Having a test suite for your plugin is essential to ensure quality and stability. **Vitest** is a fast, modern testing framework that works seamlessly with Vite and supports TypeScript out of the box.
+
+Vitest organizes tests into test suites and cases, similar to other testing frameworks. We recommend creating individual tests based on the expected behavior of your plugin from start to finish.
+
+Writing tests with Vitest is very straightforward, and you can learn more about how it works in the [Vitest documentation.](https://vitest.dev/)
+
+For this template, we stubbed out `int.spec.ts` in the `dev` folder where you can write your tests.
+
+```ts
+describe('Plugin tests', () => {
+  // Create tests to ensure expected behavior from the plugin
+  it('some condition that must be met', () => {
+   // Write your test logic here
+   expect(...)
+  })
+})
+```
+
+## Best practices
+
+With this tutorial and the plugin template, you should have everything you need to start building your own plugin.
+In addition to the setup, here are other best practices aim we follow:
+
+- **Providing an enable / disable option:** For a better user experience, provide a way to disable the plugin without uninstalling it. This is especially important if your plugin adds additional webpack aliases, this will allow you to still let the webpack run to prevent errors.
+- **Include tests in your GitHub CI workflow**: If you’ve configured tests for your package, integrate them into your workflow to run the tests each time you commit to the plugin repository. Learn more about [how to configure tests into your GitHub CI workflow.](https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs)
+- **Publish your finished plugin to NPM**: The best way to share and allow others to use your plugin once it is complete is to publish an NPM package. This process is straightforward and well documented, find out more [creating and publishing a NPM package here.](https://docs.npmjs.com/creating-and-publishing-scoped-public-packages/).
+- **Add payload-plugin topic tag**: Apply the tag **payload-plugin **to your GitHub repository. This will boost the visibility of your plugin and ensure it gets listed with [existing payload plugins](https://github.com/topics/payload-plugin).
+- **Use [Semantic Versioning](https://semver.org/) (SemVar)** - With the SemVar system you release version numbers that reflect the nature of changes (major, minor, patch). Ensure all major versions reference their Payload compatibility.
+
+# Questions
+
+Please contact [Payload](mailto:dev@payloadcms.com) with any questions about using this plugin template.

package/dist/better-auth/crypto-shared.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Signature object containing timestamp, nonce, and MAC
+ */
+export interface CryptoSignature {
+    /** HMAC-SHA256 signature */
+    mac: string;
+    /** Unique nonce for this signature */
+    nonce: string;
+    /** Unix timestamp as string */
+    ts: string;
+}
+/**
+ * Input parameters for signature verification
+ */
+export interface VerifySignatureInput {
+    /** The data that was signed */
+    body: unknown;
+    /** Maximum allowed time skew in seconds (default: 300) */
+    maxSkewSec?: number;
+    /** Secret key for verification */
+    secret: string;
+    /** The signature to verify */
+    signature: CryptoSignature;
+}
+/**
+ * Input parameters for signature creation
+ */
+export interface SignCanonicalInput {
+    /** The data to sign */
+    body: unknown;
+    /** Secret key for signing */
+    secret: string;
+}
+/**
+ * Creates a cryptographic signature for the given data
+ * @param body - The data to sign
+ * @param secret - Secret key for signing
+ * @returns Signature object with timestamp, nonce, and MAC
+ */
+export declare function signCanonical(body: unknown, secret: string): CryptoSignature;
+/**
+ * Verifies a cryptographic signature
+ * @param body - The original data that was signed
+ * @param sig - The signature to verify
+ * @param secret - Secret key for verification
+ * @param maxSkewSec - Maximum allowed time skew in seconds (default: 300)
+ * @returns true if signature is valid, false otherwise
+ */
+export declare function verifyCanonical(body: unknown, sig: CryptoSignature, secret: string, maxSkewSec?: number): boolean;
+/**
+ * Convenience function for verifying signatures with input object
+ * @param input - Verification parameters
+ * @returns true if signature is valid, false otherwise
+ */
+export declare function verifySignature(input: VerifySignatureInput): boolean;
+/**
+ * Convenience function for creating signatures with input object
+ * @param input - Signing parameters
+ * @returns Signature object
+ */
+export declare function createSignature(input: SignCanonicalInput): CryptoSignature;

package/dist/better-auth/crypto-shared.js

@@ -0,0 +1,90 @@
+// crypto-shared.ts
+import crypto from 'crypto';
+/**
+ * Converts an object to a canonical string representation
+ * Handles circular references and ensures consistent ordering
+ */ function canonicalStringify(obj) {
+    const seen = new WeakSet();
+    const walk = (v)=>{
+        if (v && typeof v === 'object') {
+            if (seen.has(v)) {
+                throw new Error('Circular reference detected in object');
+            }
+            seen.add(v);
+            if (Array.isArray(v)) {
+                const result = `[${v.map(walk).join(',')}]`;
+                seen.delete(v);
+                return result;
+            }
+            const keys = Object.keys(v).sort();
+            const result = `{${keys.map((k)=>`"${k}":${walk(v[k])}`).join(',')}}`;
+            seen.delete(v);
+            return result;
+        }
+        return JSON.stringify(v);
+    };
+    return walk(obj);
+}
+/**
+ * Creates a cryptographic signature for the given data
+ * @param body - The data to sign
+ * @param secret - Secret key for signing
+ * @returns Signature object with timestamp, nonce, and MAC
+ */ export function signCanonical(body, secret) {
+    if (!secret || typeof secret !== 'string') {
+        throw new Error('Secret must be a non-empty string');
+    }
+    const ts = Math.floor(Date.now() / 1000).toString();
+    const nonce = crypto.randomUUID();
+    const payload = canonicalStringify(body);
+    const mac = crypto.createHmac('sha256', secret).update(`${ts}.${nonce}.${payload}`).digest('hex');
+    return {
+        mac,
+        nonce,
+        ts
+    };
+}
+/**
+ * Verifies a cryptographic signature
+ * @param body - The original data that was signed
+ * @param sig - The signature to verify
+ * @param secret - Secret key for verification
+ * @param maxSkewSec - Maximum allowed time skew in seconds (default: 300)
+ * @returns true if signature is valid, false otherwise
+ */ export function verifyCanonical(body, sig, secret, maxSkewSec = 300) {
+    if (!secret || typeof secret !== 'string') {
+        return false;
+    }
+    if (!sig || typeof sig !== 'object' || !sig.ts || !sig.nonce || !sig.mac) {
+        return false;
+    }
+    // Validate timestamp
+    const now = Math.floor(Date.now() / 1000);
+    const t = Number(sig.ts);
+    if (!Number.isFinite(t) || Math.abs(now - t) > maxSkewSec) {
+        return false;
+    }
+    try {
+        const payload = canonicalStringify(body);
+        const expected = crypto.createHmac('sha256', secret).update(`${sig.ts}.${sig.nonce}.${payload}`).digest('hex');
+        return crypto.timingSafeEqual(new Uint8Array(Buffer.from(sig.mac, 'hex')), new Uint8Array(Buffer.from(expected, 'hex')));
+    } catch  {
+        return false;
+    }
+}
+/**
+ * Convenience function for verifying signatures with input object
+ * @param input - Verification parameters
+ * @returns true if signature is valid, false otherwise
+ */ export function verifySignature(input) {
+    return verifyCanonical(input.body, input.signature, input.secret, input.maxSkewSec);
+}
+/**
+ * Convenience function for creating signatures with input object
+ * @param input - Signing parameters
+ * @returns Signature object
+ */ export function createSignature(input) {
+    return signCanonical(input.body, input.secret);
+}
+
+//# sourceMappingURL=crypto-shared.js.map

package/dist/better-auth/crypto-shared.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/better-auth/crypto-shared.ts"],"sourcesContent":["// crypto-shared.ts\nimport crypto from 'crypto'\n\n/**\n * Type for serializable values that can be canonically stringified\n */\ntype SerializableValue =\n  | boolean\n  | null\n  | number\n  | SerializableArray\n  | SerializableObject\n  | string\n  | undefined\n\ninterface SerializableObject {\n  [key: string]: SerializableValue\n}\n\ninterface SerializableArray extends Array<SerializableValue> {}\n\n/**\n * Signature object containing timestamp, nonce, and MAC\n */\nexport interface CryptoSignature {\n  /** HMAC-SHA256 signature */\n  mac: string\n  /** Unique nonce for this signature */\n  nonce: string\n  /** Unix timestamp as string */\n  ts: string\n}\n\n/**\n * Input parameters for signature verification\n */\nexport interface VerifySignatureInput {\n  /** The data that was signed */\n  body: unknown\n  /** Maximum allowed time skew in seconds (default: 300) */\n  maxSkewSec?: number\n  /** Secret key for verification */\n  secret: string\n  /** The signature to verify */\n  signature: CryptoSignature\n}\n\n/**\n * Input parameters for signature creation\n */\nexport interface SignCanonicalInput {\n  /** The data to sign */\n  body: unknown\n  /** Secret key for signing */\n  secret: string\n}\n\n/**\n * Converts an object to a canonical string representation\n * Handles circular references and ensures consistent ordering\n */\nfunction canonicalStringify(obj: unknown): string {\n  const seen = new WeakSet<object>()\n\n  const walk = (v: unknown): string => {\n    if (v && typeof v === 'object') {\n      if (seen.has(v)) {\n        throw new Error('Circular reference detected in object')\n      }\n      seen.add(v)\n\n      if (Array.isArray(v)) {\n        const result = `[${v.map(walk).join(',')}]`\n        seen.delete(v)\n        return result\n      }\n\n      const keys = Object.keys(v).sort()\n      const result = `{${keys.map((k) => `\"${k}\":${walk((v as Record<string, unknown>)[k])}`).join(',')}}`\n      seen.delete(v)\n      return result\n    }\n    return JSON.stringify(v)\n  }\n\n  return walk(obj)\n}\n\n/**\n * Creates a cryptographic signature for the given data\n * @param body - The data to sign\n * @param secret - Secret key for signing\n * @returns Signature object with timestamp, nonce, and MAC\n */\nexport function signCanonical(body: unknown, secret: string): CryptoSignature {\n  if (!secret || typeof secret !== 'string') {\n    throw new Error('Secret must be a non-empty string')\n  }\n\n  const ts = Math.floor(Date.now() / 1000).toString()\n  const nonce = crypto.randomUUID()\n  const payload = canonicalStringify(body)\n  const mac = crypto.createHmac('sha256', secret).update(`${ts}.${nonce}.${payload}`).digest('hex')\n\n  return { mac, nonce, ts }\n}\n\n/**\n * Verifies a cryptographic signature\n * @param body - The original data that was signed\n * @param sig - The signature to verify\n * @param secret - Secret key for verification\n * @param maxSkewSec - Maximum allowed time skew in seconds (default: 300)\n * @returns true if signature is valid, false otherwise\n */\nexport function verifyCanonical(\n  body: unknown,\n  sig: CryptoSignature,\n  secret: string,\n  maxSkewSec: number = 300,\n) {\n  if (!secret || typeof secret !== 'string') {\n    return false\n  }\n\n  if (!sig || typeof sig !== 'object' || !sig.ts || !sig.nonce || !sig.mac) {\n    return false\n  }\n\n  // Validate timestamp\n  const now = Math.floor(Date.now() / 1000)\n  const t = Number(sig.ts)\n  if (!Number.isFinite(t) || Math.abs(now - t) > maxSkewSec) {\n    return false\n  }\n\n  try {\n    const payload = canonicalStringify(body)\n    const expected = crypto\n      .createHmac('sha256', secret)\n      .update(`${sig.ts}.${sig.nonce}.${payload}`)\n      .digest('hex')\n\n    return crypto.timingSafeEqual(\n      new Uint8Array(Buffer.from(sig.mac, 'hex')),\n      new Uint8Array(Buffer.from(expected, 'hex')),\n    )\n  } catch {\n    return false\n  }\n}\n\n/**\n * Convenience function for verifying signatures with input object\n * @param input - Verification parameters\n * @returns true if signature is valid, false otherwise\n */\nexport function verifySignature(input: VerifySignatureInput) {\n  return verifyCanonical(input.body, input.signature, input.secret, input.maxSkewSec)\n}\n\n/**\n * Convenience function for creating signatures with input object\n * @param input - Signing parameters\n * @returns Signature object\n */\nexport function createSignature(input: SignCanonicalInput) {\n  return signCanonical(input.body, input.secret)\n}\n"],"names":["crypto","canonicalStringify","obj","seen","WeakSet","walk","v","has","Error","add","Array","isArray","result","map","join","delete","keys","Object","sort","k","JSON","stringify","signCanonical","body","secret","ts","Math","floor","Date","now","toString","nonce","randomUUID","payload","mac","createHmac","update","digest","verifyCanonical","sig","maxSkewSec","t","Number","isFinite","abs","expected","timingSafeEqual","Uint8Array","Buffer","from","verifySignature","input","signature","createSignature"],"mappings":"AAAA,mBAAmB;AACnB,OAAOA,YAAY,SAAQ;AAwD3B;;;CAGC,GACD,SAASC,mBAAmBC,GAAY;IACtC,MAAMC,OAAO,IAAIC;IAEjB,MAAMC,OAAO,CAACC;QACZ,IAAIA,KAAK,OAAOA,MAAM,UAAU;YAC9B,IAAIH,KAAKI,GAAG,CAACD,IAAI;gBACf,MAAM,IAAIE,MAAM;YAClB;YACAL,KAAKM,GAAG,CAACH;YAET,IAAII,MAAMC,OAAO,CAACL,IAAI;gBACpB,MAAMM,SAAS,CAAC,CAAC,EAAEN,EAAEO,GAAG,CAACR,MAAMS,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC3CX,KAAKY,MAAM,CAACT;gBACZ,OAAOM;YACT;YAEA,MAAMI,OAAOC,OAAOD,IAAI,CAACV,GAAGY,IAAI;YAChC,MAAMN,SAAS,CAAC,CAAC,EAAEI,KAAKH,GAAG,CAAC,CAACM,IAAM,CAAC,CAAC,EAAEA,EAAE,EAAE,EAAEd,KAAK,AAACC,CAA6B,CAACa,EAAE,GAAG,EAAEL,IAAI,CAAC,KAAK,CAAC,CAAC;YACpGX,KAAKY,MAAM,CAACT;YACZ,OAAOM;QACT;QACA,OAAOQ,KAAKC,SAAS,CAACf;IACxB;IAEA,OAAOD,KAAKH;AACd;AAEA;;;;;CAKC,GACD,OAAO,SAASoB,cAAcC,IAAa,EAAEC,MAAc;IACzD,IAAI,CAACA,UAAU,OAAOA,WAAW,UAAU;QACzC,MAAM,IAAIhB,MAAM;IAClB;IAEA,MAAMiB,KAAKC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK,MAAMC,QAAQ;IACjD,MAAMC,QAAQ/B,OAAOgC,UAAU;IAC/B,MAAMC,UAAUhC,mBAAmBsB;IACnC,MAAMW,MAAMlC,OAAOmC,UAAU,CAAC,UAAUX,QAAQY,MAAM,CAAC,GAAGX,GAAG,CAAC,EAAEM,MAAM,CAAC,EAAEE,SAAS,EAAEI,MAAM,CAAC;IAE3F,OAAO;QAAEH;QAAKH;QAAON;IAAG;AAC1B;AAEA;;;;;;;CAOC,GACD,OAAO,SAASa,gBACdf,IAAa,EACbgB,GAAoB,EACpBf,MAAc,EACdgB,aAAqB,GAAG;IAExB,IAAI,CAAChB,UAAU,OAAOA,WAAW,UAAU;QACzC,OAAO;IACT;IAEA,IAAI,CAACe,OAAO,OAAOA,QAAQ,YAAY,CAACA,IAAId,EAAE,IAAI,CAACc,IAAIR,KAAK,IAAI,CAACQ,IAAIL,GAAG,EAAE;QACxE,OAAO;IACT;IAEA,qBAAqB;IACrB,MAAML,MAAMH,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;IACpC,MAAMY,IAAIC,OAAOH,IAAId,EAAE;IACvB,IAAI,CAACiB,OAAOC,QAAQ,CAACF,MAAMf,KAAKkB,GAAG,CAACf,MAAMY,KAAKD,YAAY;QACzD,OAAO;IACT;IAEA,IAAI;QACF,MAAMP,UAAUhC,mBAAmBsB;QACnC,MAAMsB,WAAW7C,OACdmC,UAAU,CAAC,UAAUX,QACrBY,MAAM,CAAC,GAAGG,IAAId,EAAE,CAAC,CAAC,EAAEc,IAAIR,KAAK,CAAC,CAAC,EAAEE,SAAS,EAC1CI,MAAM,CAAC;QAEV,OAAOrC,OAAO8C,eAAe,CAC3B,IAAIC,WAAWC,OAAOC,IAAI,CAACV,IAAIL,GAAG,EAAE,SACpC,IAAIa,WAAWC,OAAOC,IAAI,CAACJ,UAAU;IAEzC,EAAE,OAAM;QACN,OAAO;IACT;AACF;AAEA;;;;CAIC,GACD,OAAO,SAASK,gBAAgBC,KAA2B;IACzD,OAAOb,gBAAgBa,MAAM5B,IAAI,EAAE4B,MAAMC,SAAS,EAAED,MAAM3B,MAAM,EAAE2B,MAAMX,UAAU;AACpF;AAEA;;;;CAIC,GACD,OAAO,SAASa,gBAAgBF,KAAyB;IACvD,OAAO7B,cAAc6B,MAAM5B,IAAI,EAAE4B,MAAM3B,MAAM;AAC/C"}

package/dist/better-auth/databaseHooks.d.ts

@@ -0,0 +1,5 @@
+import type { betterAuth } from 'better-auth';
+import type { SanitizedConfig } from 'payload';
+export declare function createDatabaseHooks({ config, }: {
+    config: Promise<SanitizedConfig>;
+}): Parameters<typeof betterAuth>['0']['databaseHooks'];

package/dist/better-auth/databaseHooks.js

@@ -0,0 +1,24 @@
+import { createDeleteUserFromPayload, createSyncUserToPayload } from './sources.js';
+export function createDatabaseHooks({ config }) {
+    const syncUserToPayload = createSyncUserToPayload(config);
+    const deleteUserFromPayload = createDeleteUserFromPayload(config);
+    return {
+        user: {
+            create: {
+                // After the BA user exists, sync to Payload. On failure, enqueue in memory.
+                after: async (user)=>{
+                    // push BA-induced ensure to the **front** of the queue
+                    await syncUserToPayload(user);
+                }
+            },
+            // TODO: possibly offer "update"
+            delete: {
+                after: async (user)=>{
+                    await deleteUserFromPayload(user.id);
+                }
+            }
+        }
+    };
+}
+
+//# sourceMappingURL=databaseHooks.js.map

package/dist/better-auth/databaseHooks.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/better-auth/databaseHooks.ts"],"sourcesContent":["import type { betterAuth } from 'better-auth'\nimport type { SanitizedConfig } from 'payload'\n\nimport { createDeleteUserFromPayload, createSyncUserToPayload } from './sources.js'\n\nexport function createDatabaseHooks({\n  config,\n}: {\n  config: Promise<SanitizedConfig>\n}): Parameters<typeof betterAuth>['0']['databaseHooks'] {\n  const syncUserToPayload = createSyncUserToPayload(config)\n  const deleteUserFromPayload = createDeleteUserFromPayload(config)\n  return {\n    user: {\n      create: {\n        // After the BA user exists, sync to Payload. On failure, enqueue in memory.\n        after: async (user) => {\n          // push BA-induced ensure to the **front** of the queue\n          await syncUserToPayload(user)\n        },\n      },\n      // TODO: possibly offer \"update\"\n      delete: {\n        after: async (user) => {\n          await deleteUserFromPayload(user.id)\n        },\n      },\n    },\n  }\n}\n"],"names":["createDeleteUserFromPayload","createSyncUserToPayload","createDatabaseHooks","config","syncUserToPayload","deleteUserFromPayload","user","create","after","delete","id"],"mappings":"AAGA,SAASA,2BAA2B,EAAEC,uBAAuB,QAAQ,eAAc;AAEnF,OAAO,SAASC,oBAAoB,EAClCC,MAAM,EAGP;IACC,MAAMC,oBAAoBH,wBAAwBE;IAClD,MAAME,wBAAwBL,4BAA4BG;IAC1D,OAAO;QACLG,MAAM;YACJC,QAAQ;gBACN,4EAA4E;gBAC5EC,OAAO,OAAOF;oBACZ,uDAAuD;oBACvD,MAAMF,kBAAkBE;gBAC1B;YACF;YACA,gCAAgC;YAChCG,QAAQ;gBACND,OAAO,OAAOF;oBACZ,MAAMD,sBAAsBC,KAAKI,EAAE;gBACrC;YACF;QACF;IACF;AACF"}

package/dist/better-auth/plugin.d.ts

@@ -0,0 +1,13 @@
+import type { AuthContext, BetterAuthPlugin } from 'better-auth';
+import type { SanitizedConfig } from 'payload';
+import { type InitOptions } from './reconcile-queue.js';
+type CreateAdminsUser = Parameters<AuthContext['internalAdapter']['createUser']>['0'];
+export declare const payloadBetterAuthPlugin: (opts: {
+    createAdmins?: {
+        overwrite?: boolean;
+        user: CreateAdminsUser;
+    }[];
+    payloadConfig: Promise<SanitizedConfig>;
+    token: string;
+} & InitOptions) => BetterAuthPlugin;
+export {};

package/dist/better-auth/plugin.js

@@ -0,0 +1,159 @@
+// src/plugins/reconcile-queue-plugin.ts
+import { APIError, createAuthEndpoint } from 'better-auth/api';
+import { createDatabaseHooks } from './databaseHooks.js';
+import { Queue } from './reconcile-queue.js';
+import { createDeleteUserFromPayload, createListPayloadUsersPage, createSyncUserToPayload } from './sources.js';
+const defaultLog = (msg, extra)=>{
+    console.log(`[reconcile] ${msg}`, extra ? JSON.stringify(extra, null, 2) : '');
+};
+export const payloadBetterAuthPlugin = (opts)=>{
+    return {
+        id: 'reconcile-queue-plugin',
+        endpoints: {
+            run: createAuthEndpoint('/reconcile/run', {
+                method: 'POST'
+            }, async ({ context, json, request })=>{
+                if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {
+                    throw new APIError('UNAUTHORIZED', {
+                        message: 'invalid token'
+                    });
+                }
+                await context.payloadSyncPlugin.queue.seedFullReconcile();
+                return json({
+                    ok: true
+                });
+            }),
+            status: createAuthEndpoint('/reconcile/status', {
+                method: 'GET'
+            }, async ({ context, json, request })=>{
+                if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {
+                    return Promise.reject(new APIError('UNAUTHORIZED', {
+                        message: 'invalid token'
+                    }));
+                }
+                return json(context.payloadSyncPlugin.queue.status());
+            }),
+            // convenience for tests/admin tools (optional)
+            authMethods: createAuthEndpoint('/auth/methods', {
+                method: 'GET'
+            }, async ({ context, json })=>{
+                const authMethods = [];
+                // Check if emailAndPassword is enabled, or if present at all (not present defaults to false)
+                if (context.options.emailAndPassword?.enabled) {
+                    authMethods.push('emailAndPassword');
+                }
+                return await json({
+                    authMethods
+                });
+            }),
+            deleteNow: createAuthEndpoint('/reconcile/delete', {
+                method: 'POST'
+            }, async ({ context, json, request })=>{
+                if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {
+                    throw new APIError('UNAUTHORIZED', {
+                        message: 'invalid token'
+                    });
+                }
+                const body = await request?.json().catch(()=>({}));
+                const baId = body?.baId;
+                if (!baId) {
+                    throw new APIError('BAD_REQUEST', {
+                        message: 'missing baId'
+                    });
+                }
+                ;
+                context.payloadSyncPlugin.queue.enqueueDelete(baId, true, 'user-operation');
+                return json({
+                    ok: true
+                });
+            }),
+            ensureNow: createAuthEndpoint('/reconcile/ensure', {
+                method: 'POST'
+            }, async ({ context, json, request })=>{
+                if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {
+                    throw new APIError('UNAUTHORIZED', {
+                        message: 'invalid token'
+                    });
+                }
+                const body = await request?.json().catch(()=>({}));
+                const user = body?.user;
+                if (!user?.id) {
+                    throw new APIError('BAD_REQUEST', {
+                        message: 'missing user'
+                    });
+                }
+                ;
+                context.payloadSyncPlugin.queue.enqueueEnsure(user, true, 'user-operation');
+                return json({
+                    ok: true
+                });
+            })
+        },
+        // TODO: the queue must be destroyed on better auth instance destruction, as it utilizes timers.
+        async init ({ internalAdapter, password }) {
+            if (opts.createAdmins) {
+                try {
+                    await Promise.all(opts.createAdmins.map(async ({ overwrite, user })=>{
+                        const alreadyExistingUser = await internalAdapter.findUserByEmail(user.email);
+                        if (alreadyExistingUser) {
+                            if (overwrite) {
+                                // clear accounts
+                                await internalAdapter.deleteAccounts(alreadyExistingUser.user.id);
+                                const createdUser = await internalAdapter.updateUser(alreadyExistingUser.user.id, {
+                                    ...user,
+                                    role: 'admin'
+                                });
+                                // assuming this creates an account?
+                                await internalAdapter.linkAccount({
+                                    accountId: createdUser.id,
+                                    password: await password.hash(user.password),
+                                    providerId: 'credential',
+                                    userId: createdUser.id
+                                });
+                            }
+                        } else {
+                            const createdUser = await internalAdapter.createUser({
+                                ...user,
+                                role: 'admin'
+                            });
+                            await internalAdapter.linkAccount({
+                                accountId: createdUser.id,
+                                password: await password.hash(user.password),
+                                providerId: 'credential',
+                                userId: createdUser.id
+                            });
+                        }
+                    }));
+                } catch (error) {
+                    defaultLog('Failed to create Admin user', error);
+                }
+            }
+            const queue = new Queue({
+                deleteUserFromPayload: createDeleteUserFromPayload(opts.payloadConfig),
+                internalAdapter,
+                listPayloadUsersPage: createListPayloadUsersPage(opts.payloadConfig),
+                log: defaultLog,
+                syncUserToPayload: createSyncUserToPayload(opts.payloadConfig)
+            }, opts);
+            return {
+                context: {
+                    payloadSyncPlugin: {
+                        queue
+                    }
+                },
+                options: {
+                    databaseHooks: createDatabaseHooks({
+                        config: opts.payloadConfig
+                    }),
+                    user: {
+                        deleteUser: {
+                            enabled: true
+                        }
+                    }
+                }
+            };
+        }
+    };
+};
+
+//# sourceMappingURL=plugin.js.map

package/dist/better-auth/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/better-auth/plugin.ts"],"sourcesContent":["// src/plugins/reconcile-queue-plugin.ts\nimport type { AuthContext, BetterAuthPlugin, DeepPartial } from 'better-auth'\nimport type { SanitizedConfig } from 'payload'\n\nimport { APIError, createAuthEndpoint } from 'better-auth/api'\n\nimport { createDatabaseHooks } from './databaseHooks.js'\nimport { type InitOptions, Queue } from './reconcile-queue.js'\nimport {\n  type BAUser,\n  createDeleteUserFromPayload,\n  createListPayloadUsersPage,\n  createSyncUserToPayload,\n} from './sources.js'\n\ntype PayloadSyncPluginContext = { payloadSyncPlugin: { queue: Queue } } & AuthContext\n\ntype CreateAdminsUser = Parameters<AuthContext['internalAdapter']['createUser']>['0']\n\nconst defaultLog = (msg: string, extra?: any) => {\n  console.log(`[reconcile] ${msg}`, extra ? JSON.stringify(extra, null, 2) : '')\n}\n\nexport const payloadBetterAuthPlugin = (\n  opts: {\n    createAdmins?: { overwrite?: boolean; user: CreateAdminsUser }[]\n    payloadConfig: Promise<SanitizedConfig>\n    token: string // simple header token for admin endpoints\n  } & InitOptions,\n): BetterAuthPlugin => {\n  return {\n    id: 'reconcile-queue-plugin',\n    endpoints: {\n      run: createAuthEndpoint(\n        '/reconcile/run',\n        { method: 'POST' },\n        async ({ context, json, request }) => {\n          if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {\n            throw new APIError('UNAUTHORIZED', { message: 'invalid token' })\n          }\n          await (context as PayloadSyncPluginContext).payloadSyncPlugin.queue.seedFullReconcile()\n          return json({ ok: true })\n        },\n      ),\n      status: createAuthEndpoint(\n        '/reconcile/status',\n        { method: 'GET' },\n        async ({ context, json, request }) => {\n          if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {\n            return Promise.reject(\n              new APIError('UNAUTHORIZED', { message: 'invalid token' }) as Error,\n            )\n          }\n          return json((context as PayloadSyncPluginContext).payloadSyncPlugin.queue.status())\n        },\n      ),\n      // convenience for tests/admin tools (optional)\n      authMethods: createAuthEndpoint(\n        '/auth/methods',\n        { method: 'GET' },\n        async ({ context, json }) => {\n          const authMethods: string[] = []\n\n          // Check if emailAndPassword is enabled, or if present at all (not present defaults to false)\n          if (context.options.emailAndPassword?.enabled) {\n            authMethods.push('emailAndPassword')\n          }\n\n          return await json({ authMethods })\n        },\n      ),\n      deleteNow: createAuthEndpoint(\n        '/reconcile/delete',\n        { method: 'POST' },\n        async ({ context, json, request }) => {\n          if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {\n            throw new APIError('UNAUTHORIZED', { message: 'invalid token' })\n          }\n          const body = (await request?.json().catch(() => ({}))) as { baId?: string } | undefined\n          const baId = body?.baId\n          if (!baId) {\n            throw new APIError('BAD_REQUEST', { message: 'missing baId' })\n          }\n          ;(context as PayloadSyncPluginContext).payloadSyncPlugin.queue.enqueueDelete(\n            baId,\n            true,\n            'user-operation',\n          )\n          return json({ ok: true })\n        },\n      ),\n      ensureNow: createAuthEndpoint(\n        '/reconcile/ensure',\n        { method: 'POST' },\n        async ({ context, json, request }) => {\n          if (opts.token && request?.headers.get('x-reconcile-token') !== opts.token) {\n            throw new APIError('UNAUTHORIZED', { message: 'invalid token' })\n          }\n          const body = (await request?.json().catch(() => ({}))) as { user?: BAUser } | undefined\n          const user = body?.user\n          if (!user?.id) {\n            throw new APIError('BAD_REQUEST', { message: 'missing user' })\n          }\n          ;(context as PayloadSyncPluginContext).payloadSyncPlugin.queue.enqueueEnsure(\n            user,\n            true,\n            'user-operation',\n          )\n          return json({ ok: true })\n        },\n      ),\n    },\n    // TODO: the queue must be destroyed on better auth instance destruction, as it utilizes timers.\n    async init({ internalAdapter, password }) {\n      if (opts.createAdmins) {\n        try {\n          await Promise.all(\n            opts.createAdmins.map(async ({ overwrite, user }) => {\n              const alreadyExistingUser = await internalAdapter.findUserByEmail(user.email)\n              if (alreadyExistingUser) {\n                if (overwrite) {\n                  // clear accounts\n                  await internalAdapter.deleteAccounts(alreadyExistingUser.user.id)\n                  const createdUser = await internalAdapter.updateUser(\n                    alreadyExistingUser.user.id,\n                    {\n                      ...user,\n                      role: 'admin',\n                    },\n                  )\n                  // assuming this creates an account?\n                  await internalAdapter.linkAccount({\n                    accountId: createdUser.id,\n                    password: await password.hash(user.password),\n                    providerId: 'credential',\n                    userId: createdUser.id,\n                  })\n                }\n              }\n              // if the user doesnt exist there can't be an account\n              else {\n                const createdUser = await internalAdapter.createUser({ ...user, role: 'admin' })\n                await internalAdapter.linkAccount({\n                  accountId: createdUser.id,\n                  password: await password.hash(user.password),\n                  providerId: 'credential',\n                  userId: createdUser.id,\n                })\n              }\n            }),\n          )\n        } catch (error) {\n          defaultLog('Failed to create Admin user', error)\n        }\n      }\n\n      const queue = new Queue(\n        {\n          deleteUserFromPayload: createDeleteUserFromPayload(opts.payloadConfig),\n          internalAdapter,\n          listPayloadUsersPage: createListPayloadUsersPage(opts.payloadConfig),\n          log: defaultLog,\n          syncUserToPayload: createSyncUserToPayload(opts.payloadConfig),\n        },\n        opts,\n      )\n      return {\n        context: { payloadSyncPlugin: { queue } } as DeepPartial<Omit<AuthContext, 'options'>>,\n        options: {\n          databaseHooks: createDatabaseHooks({ config: opts.payloadConfig }),\n          user: { deleteUser: { enabled: true } },\n        },\n      }\n    },\n  }\n}\n"],"names":["APIError","createAuthEndpoint","createDatabaseHooks","Queue","createDeleteUserFromPayload","createListPayloadUsersPage","createSyncUserToPayload","defaultLog","msg","extra","console","log","JSON","stringify","payloadBetterAuthPlugin","opts","id","endpoints","run","method","context","json","request","token","headers","get","message","payloadSyncPlugin","queue","seedFullReconcile","ok","status","Promise","reject","authMethods","options","emailAndPassword","enabled","push","deleteNow","body","catch","baId","enqueueDelete","ensureNow","user","enqueueEnsure","init","internalAdapter","password","createAdmins","all","map","overwrite","alreadyExistingUser","findUserByEmail","email","deleteAccounts","createdUser","updateUser","role","linkAccount","accountId","hash","providerId","userId","createUser","error","deleteUserFromPayload","payloadConfig","listPayloadUsersPage","syncUserToPayload","databaseHooks","config","deleteUser"],"mappings":"AAAA,wCAAwC;AAIxC,SAASA,QAAQ,EAAEC,kBAAkB,QAAQ,kBAAiB;AAE9D,SAASC,mBAAmB,QAAQ,qBAAoB;AACxD,SAA2BC,KAAK,QAAQ,uBAAsB;AAC9D,SAEEC,2BAA2B,EAC3BC,0BAA0B,EAC1BC,uBAAuB,QAClB,eAAc;AAMrB,MAAMC,aAAa,CAACC,KAAaC;IAC/BC,QAAQC,GAAG,CAAC,CAAC,YAAY,EAAEH,KAAK,EAAEC,QAAQG,KAAKC,SAAS,CAACJ,OAAO,MAAM,KAAK;AAC7E;AAEA,OAAO,MAAMK,0BAA0B,CACrCC;IAMA,OAAO;QACLC,IAAI;QACJC,WAAW;YACTC,KAAKjB,mBACH,kBACA;gBAAEkB,QAAQ;YAAO,GACjB,OAAO,EAAEC,OAAO,EAAEC,IAAI,EAAEC,OAAO,EAAE;gBAC/B,IAAIP,KAAKQ,KAAK,IAAID,SAASE,QAAQC,IAAI,yBAAyBV,KAAKQ,KAAK,EAAE;oBAC1E,MAAM,IAAIvB,SAAS,gBAAgB;wBAAE0B,SAAS;oBAAgB;gBAChE;gBACA,MAAM,AAACN,QAAqCO,iBAAiB,CAACC,KAAK,CAACC,iBAAiB;gBACrF,OAAOR,KAAK;oBAAES,IAAI;gBAAK;YACzB;YAEFC,QAAQ9B,mBACN,qBACA;gBAAEkB,QAAQ;YAAM,GAChB,OAAO,EAAEC,OAAO,EAAEC,IAAI,EAAEC,OAAO,EAAE;gBAC/B,IAAIP,KAAKQ,KAAK,IAAID,SAASE,QAAQC,IAAI,yBAAyBV,KAAKQ,KAAK,EAAE;oBAC1E,OAAOS,QAAQC,MAAM,CACnB,IAAIjC,SAAS,gBAAgB;wBAAE0B,SAAS;oBAAgB;gBAE5D;gBACA,OAAOL,KAAK,AAACD,QAAqCO,iBAAiB,CAACC,KAAK,CAACG,MAAM;YAClF;YAEF,+CAA+C;YAC/CG,aAAajC,mBACX,iBACA;gBAAEkB,QAAQ;YAAM,GAChB,OAAO,EAAEC,OAAO,EAAEC,IAAI,EAAE;gBACtB,MAAMa,cAAwB,EAAE;gBAEhC,6FAA6F;gBAC7F,IAAId,QAAQe,OAAO,CAACC,gBAAgB,EAAEC,SAAS;oBAC7CH,YAAYI,IAAI,CAAC;gBACnB;gBAEA,OAAO,MAAMjB,KAAK;oBAAEa;gBAAY;YAClC;YAEFK,WAAWtC,mBACT,qBACA;gBAAEkB,QAAQ;YAAO,GACjB,OAAO,EAAEC,OAAO,EAAEC,IAAI,EAAEC,OAAO,EAAE;gBAC/B,IAAIP,KAAKQ,KAAK,IAAID,SAASE,QAAQC,IAAI,yBAAyBV,KAAKQ,KAAK,EAAE;oBAC1E,MAAM,IAAIvB,SAAS,gBAAgB;wBAAE0B,SAAS;oBAAgB;gBAChE;gBACA,MAAMc,OAAQ,MAAMlB,SAASD,OAAOoB,MAAM,IAAO,CAAA,CAAC,CAAA;gBAClD,MAAMC,OAAOF,MAAME;gBACnB,IAAI,CAACA,MAAM;oBACT,MAAM,IAAI1C,SAAS,eAAe;wBAAE0B,SAAS;oBAAe;gBAC9D;;gBACEN,QAAqCO,iBAAiB,CAACC,KAAK,CAACe,aAAa,CAC1ED,MACA,MACA;gBAEF,OAAOrB,KAAK;oBAAES,IAAI;gBAAK;YACzB;YAEFc,WAAW3C,mBACT,qBACA;gBAAEkB,QAAQ;YAAO,GACjB,OAAO,EAAEC,OAAO,EAAEC,IAAI,EAAEC,OAAO,EAAE;gBAC/B,IAAIP,KAAKQ,KAAK,IAAID,SAASE,QAAQC,IAAI,yBAAyBV,KAAKQ,KAAK,EAAE;oBAC1E,MAAM,IAAIvB,SAAS,gBAAgB;wBAAE0B,SAAS;oBAAgB;gBAChE;gBACA,MAAMc,OAAQ,MAAMlB,SAASD,OAAOoB,MAAM,IAAO,CAAA,CAAC,CAAA;gBAClD,MAAMI,OAAOL,MAAMK;gBACnB,IAAI,CAACA,MAAM7B,IAAI;oBACb,MAAM,IAAIhB,SAAS,eAAe;wBAAE0B,SAAS;oBAAe;gBAC9D;;gBACEN,QAAqCO,iBAAiB,CAACC,KAAK,CAACkB,aAAa,CAC1ED,MACA,MACA;gBAEF,OAAOxB,KAAK;oBAAES,IAAI;gBAAK;YACzB;QAEJ;QACA,gGAAgG;QAChG,MAAMiB,MAAK,EAAEC,eAAe,EAAEC,QAAQ,EAAE;YACtC,IAAIlC,KAAKmC,YAAY,EAAE;gBACrB,IAAI;oBACF,MAAMlB,QAAQmB,GAAG,CACfpC,KAAKmC,YAAY,CAACE,GAAG,CAAC,OAAO,EAAEC,SAAS,EAAER,IAAI,EAAE;wBAC9C,MAAMS,sBAAsB,MAAMN,gBAAgBO,eAAe,CAACV,KAAKW,KAAK;wBAC5E,IAAIF,qBAAqB;4BACvB,IAAID,WAAW;gCACb,iBAAiB;gCACjB,MAAML,gBAAgBS,cAAc,CAACH,oBAAoBT,IAAI,CAAC7B,EAAE;gCAChE,MAAM0C,cAAc,MAAMV,gBAAgBW,UAAU,CAClDL,oBAAoBT,IAAI,CAAC7B,EAAE,EAC3B;oCACE,GAAG6B,IAAI;oCACPe,MAAM;gCACR;gCAEF,oCAAoC;gCACpC,MAAMZ,gBAAgBa,WAAW,CAAC;oCAChCC,WAAWJ,YAAY1C,EAAE;oCACzBiC,UAAU,MAAMA,SAASc,IAAI,CAAClB,KAAKI,QAAQ;oCAC3Ce,YAAY;oCACZC,QAAQP,YAAY1C,EAAE;gCACxB;4BACF;wBACF,OAEK;4BACH,MAAM0C,cAAc,MAAMV,gBAAgBkB,UAAU,CAAC;gCAAE,GAAGrB,IAAI;gCAAEe,MAAM;4BAAQ;4BAC9E,MAAMZ,gBAAgBa,WAAW,CAAC;gCAChCC,WAAWJ,YAAY1C,EAAE;gCACzBiC,UAAU,MAAMA,SAASc,IAAI,CAAClB,KAAKI,QAAQ;gCAC3Ce,YAAY;gCACZC,QAAQP,YAAY1C,EAAE;4BACxB;wBACF;oBACF;gBAEJ,EAAE,OAAOmD,OAAO;oBACd5D,WAAW,+BAA+B4D;gBAC5C;YACF;YAEA,MAAMvC,QAAQ,IAAIzB,MAChB;gBACEiE,uBAAuBhE,4BAA4BW,KAAKsD,aAAa;gBACrErB;gBACAsB,sBAAsBjE,2BAA2BU,KAAKsD,aAAa;gBACnE1D,KAAKJ;gBACLgE,mBAAmBjE,wBAAwBS,KAAKsD,aAAa;YAC/D,GACAtD;YAEF,OAAO;gBACLK,SAAS;oBAAEO,mBAAmB;wBAAEC;oBAAM;gBAAE;gBACxCO,SAAS;oBACPqC,eAAetE,oBAAoB;wBAAEuE,QAAQ1D,KAAKsD,aAAa;oBAAC;oBAChExB,MAAM;wBAAE6B,YAAY;4BAAErC,SAAS;wBAAK;oBAAE;gBACxC;YACF;QACF;IACF;AACF,EAAC"}