sentri 4.1.1 → 5.0.0

package/dist/adapters/express/index.js

@@ -0,0 +1 @@
+import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import Ze from'bcrypt';import Q from'jsonwebtoken';import {Redis}from'ioredis';import {Router}from'express';var Kr=Object.defineProperty;var n=(e,r)=>Kr(e,"name",{value:r,configurable:true});var Me=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??Me[r]??500;}};var je=new WeakMap,Ve=32,Be=10,Xe=31;function Je(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Ve)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Ve} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>Xe)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${Xe}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(Je,"validateConfig");function T(e){let r=je.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return je.set(e,t),t}n(T,"resolveServerConfig");var $r=/^(\d+)([smhdw])$/,Hr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},ze=new Map;function V(e){if(typeof e=="number")return e*1e3;let r=ze.get(e);if(r!==void 0)return r;let t=$r.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Hr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let o=parseInt(t[1],10)*s;return ze.set(e,o),o}n(V,"parseExpiry");var U={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function p(e,r,t){return {service:e,event:r,...t}}n(p,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function D(e){let r=We.get(e);return r||(r=new Kysely({dialect:e}),We.set(e,r)),r}n(D,"getDatabase");async function Y(e,r=12){return Ze.hash(e,r)}n(Y,"hashPassword");async function q(e,r){return Ze.compare(e,r)}n(q,"verifyPassword");var Ye=new Map,qe=new Map,Br=3600*1e3;function er(e){let r=Ye.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),o=s.export({format:"jwk"}),l=createHash("sha256").update(JSON.stringify({e:o.e,kty:o.kty,n:o.n})).digest("base64url"),d={...o,use:"sig",kid:l};r={kid:l,publicKey:s,jwk:d},Ye.set(e,r);}return r}n(er,"getOrBuildKey");function rr(e){let{jwk:r}=er(e);return {keys:[r]}}n(rr,"buildJwks");function tr(e){return er(e).publicKey}n(tr,"getPublicKeyFromPrivate");async function sr(e){let r=Date.now(),t=qe.get(e);if(t&&r-t.fetchedAt<Br)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let o=await s.json();if(!o.keys||o.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let a=o.keys[0],l=createPublicKey({key:a,format:"jwk"});return qe.set(e,{publicKey:l,fetchedAt:r}),l}n(sr,"fetchPublicKey");var nr=new Map,or=new Map,ir=new Map;function ar(e){return e.startsWith("RS")||e.startsWith("PS")}n(ar,"isRSA");function dr(e){let r=nr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},nr.set(e,r)),r}n(dr,"getHsSecrets");function zr(e){let r=or.get(e);return r||(r=createPrivateKey(e),or.set(e,r)),r}n(zr,"getRsPrivateKey");function cr(e){let r=T(e);if(ar(r.algorithm)){let o=zr(e.secret);return {accessKey:o,refreshKey:o}}let{access:t,refresh:s}=dr(e.secret);return {accessKey:t,refreshKey:s}}n(cr,"getSigningKeys");function ur(e,r){let t=T(e);if(ar(t.algorithm))return tr(e.secret);let{access:s,refresh:o}=dr(e.secret);return r==="access"?s:o}n(ur,"getVerifyKey");function lr(e,r,t,s){let o=`${t}:${s}`,a=ir.get(o);return a||(a={expiresIn:t,algorithm:s},ir.set(o,a)),Q.sign(e,r,a)}n(lr,"sign");function fr(e,r,t){try{let s=Q.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof Q.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verify");function ee(e,r){let t=T(r),{accessKey:s}=cr(r);return lr(e,s,t.accessExpiresIn,t.algorithm)}n(ee,"signAccessToken");function re(e,r){let t=T(r),{refreshKey:s}=cr(r);return lr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(re,"signRefreshToken");function le(e,r){let t=T(r),s=ur(r,"access");return fr(e,s,t.algorithm)}n(le,"verifyAccessToken");function te(e,r){let t=T(r),s=ur(r,"refresh");return fr(e,s,t.algorithm)}n(te,"verifyRefreshToken");function hr(e,r){try{let t=Q.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof Q.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(hr,"verifyTokenWithPublicKey");function Oe(e){try{return JSON.parse(e)}catch{return []}}n(Oe,"parseRoles");function Jr(e){return JSON.stringify(e)}n(Jr,"serializeRoles");function pr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(pr,"mapIdentifier");async function se(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(se,"findUserByIdentifierValue");async function fe(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(fe,"findUserById");async function wr(e,r,t){let s=t.map(o=>({id:randomUUID(),user_id:r,type:o.type,value:o.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(o=>({id:o.id,userId:o.user_id,type:o.type,value:o.value,createdAt:new Date}))}n(wr,"createIdentifiers");async function ne(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(pr)}n(ne,"findIdentifiersByUserId");async function Ue(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?pr(s):null}n(Ue,"findIdentifierById");async function yr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(yr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function _r(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(_r,"deleteIdentifiers");async function gr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(gr,"updateUserPassword");async function Rr(e,r,t){await e.updateTable("sentri_users").set({roles:Jr(t)}).where("id","=",r).execute();}n(Rr,"updateUserRoles");async function Le(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(Le,"createSession");async function he(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Oe(t.roles)}}:null}n(he,"findSessionById");async function me(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(me,"deleteSession");async function kr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(kr,"markSessionReplaced");async function pe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(pe,"deleteAllSessionsForUser");async function Ar(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(Ar,"findSessionsByUserId");async function we(e,r,t){let s=T(r),o=D(r.dialect),a=e.roles??[],l=a.filter(k=>!s.validRolesSet.has(k));if(l.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${l.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let d=e.identifiers.map(k=>({type:k.type.trim(),value:k.value.trim()}));if(new Set(d.map(k=>k.value)).size!==d.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let k of d)if(await se(o,k.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${k.value}`)};let m=await Y(e.password,s.saltRounds),{userId:_,identifierRows:b}=await o.transaction().execute(async k=>{let L=randomUUID();await k.insertInto("sentri_users").values({id:L,password_hash:m,roles:JSON.stringify(a)}).execute();let K=d.map($=>({id:randomUUID(),user_id:L,type:$.type,value:$.value}));return await k.insertInto("sentri_identifiers").values(K).execute(),{userId:L,identifierRows:K}}),v={success:true,user:{id:_,roles:a,identifiers:b.map(k=>({id:k.id,type:k.type,value:k.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(v.user),v}n(we,"register");async function ye(e,r,t){let s=T(r),o=D(r.dialect),a=await se(o,e.identifier.trim());if(!a){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}if(!await q(e.password,a.passwordHash)){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:a.id,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),m={id:a.id,roles:a.roles},_=ee({id:a.id,roles:a.roles,sessionId:i.id},r),b=re(i.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(m,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:_,refreshToken:b,user:m}}n(ye,"login");async function B(e,r,t){let s=T(r),o=D(r.dialect),a;try{({sessionId:a}=te(e,r));}catch(v){return v instanceof u?{success:false,error:v}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let l=await he(o,a);if(!l)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(l.replacedBy)return await pe(o,l.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(l.expiresAt.getTime()<Date.now())return await me(o,a),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:l.userId,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await kr(o,a,i.id);let m={id:l.user.id,roles:l.user.roles},_=ee({...m,sessionId:i.id},r),b=re(i.id,r);return {success:true,accessToken:_,refreshToken:b,user:m}}n(B,"refresh");async function Ie(e,r){let t=D(r.dialect),s;try{({sessionId:s}=te(e,r));}catch{return}let o=await he(t,s);o&&(await me(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(o.userId));}n(Ie,"logout");async function _e(e,r){let t=D(r.dialect);await pe(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(_e,"logoutAll");async function ge(e,r){let t=D(r.dialect),s=await fe(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let o=await ne(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:o.map(a=>({id:a.id,type:a.type,value:a.value}))}}}n(ge,"getUser");async function Re(e,r,t,s){let o=T(s),a=D(s.dialect),l=await fe(a,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await q(r,l.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let i=await Y(t,o.saltRounds);return await gr(a,e,i),await pe(a,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(Re,"changePassword");async function ke(e,r,t){let s=T(t),o=D(t.dialect),a=r.filter(m=>!s.validRolesSet.has(m));if(a.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let l=await fe(o,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let d=new Set(l.roles);for(let m of r)d.add(m);let i=Array.from(d);return await Rr(o,e,i),{success:true,user:{id:l.id,roles:i}}}n(ke,"assignRoles");async function Ae(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(d=>({type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o)if(await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)};return await wr(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(Ae,"bulkCreateIdentifiers");async function ve(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(d=>({id:d.id,type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o){let i=await Ue(s,d.id,e);if(!i)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d.id}`)};if(i.value!==d.value&&await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)}}return await s.transaction().execute(async d=>{for(let i of o)await Ir(d,i.id,e,{type:i.type,value:i.value});}),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ee(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let o=Array.from(new Set(r));for(let d of o)if(!await Ue(s,d,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d}`)};return await yr(s,e)-o.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await _r(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))})}n(Ee,"bulkDeleteIdentifiers");async function Er(e,r){let t=D(r.dialect);return (await Ar(t,e)).map(o=>({id:o.id,ipAddress:o.ipAddress,userAgent:o.userAgent,createdAt:o.createdAt,expiresAt:o.expiresAt}))}n(Er,"getSessions");async function Tr(e,r,t){let s=D(t.dialect),o=await he(s,r);o&&o.userId===e&&await me(s,r);}n(Tr,"revokeSession");function P(e){return T(e).cookieName}n(P,"getCookieName");function Te(e){return T(e).accessCookieName}n(Te,"getAccessCookieName");function H(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let o=e.indexOf(";",s),a=o===-1?e.length:o;if(e.startsWith(t,s))return e.slice(s+t.length,a);s=a+1;}}n(H,"readCookie");function oe(e,r,t){let s=t.cookie??{},o=V(T(t).refreshExpiresIn);e.cookie(P(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(oe,"setCookieFromConfig");function xe(e,r){let t=r.cookie??{};e.clearCookie(P(r),{path:t.path??"/"});}n(xe,"clearCookieFromConfig");function ie(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,o=V(T(t).accessExpiresIn);e.cookie(Te(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(ie,"setAccessCookieFromConfig");function Fe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Te(r),{path:t.path??"/"});}n(Fe,"clearAccessCookieFromConfig");function Ne(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):H(e.headers.cookie,Te(r))}n(Ne,"getCurrentAccessToken");function C(e){let r=e.logger??U,t=e.loggerService??"sentri";return e.mode==="client"?Gr(e.keyUri,r,t):Wr(e,r,t)}n(C,"protect");function Gr(e,r,t){return async(s,o,a)=>{let l=s.headers.authorization,d=l?.startsWith("Bearer ")?l.slice(7):void 0,i=s.requestId;if(!d)return r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",...i!==void 0&&{requestId:i}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let m=await sr(e),_=hr(d,m);s.user={id:_.id,roles:_.roles},r.info(p(t,"auth.protect.success",{mode:"client",userId:_.id,...i!==void 0&&{requestId:i}})),a();}catch(m){let _=m instanceof u?m.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:_,...i!==void 0&&{requestId:i}})),a(m);}}}n(Gr,"protectClient");function Wr(e,r,t){return async(s,o,a)=>{let l=Ne(s,e),d=s.requestId;if(!l)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let i=le(l,e);if(e.isTokenRevoked&&await e.isTokenRevoked(i.sessionId))return r.warn(p(t,"auth.protect.token_revoked",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token has been revoked"));s.user={id:i.id,roles:i.roles},r.info(p(t,"auth.protect.success",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a();}catch(i){if(i instanceof u&&i.code==="TOKEN_EXPIRED"){let m=H(s.headers.cookie,P(e));if(!m)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token expired. Please login again."));try{let _=await B(m,e);if(!_.success)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:_.error.code,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));oe(o,_.refreshToken,e),ie(o,_.accessToken,e),o.setHeader("X-New-Access-Token",_.accessToken),s.user=_.user,r.info(p(t,"auth.protect.auto_refresh",{mode:"server",userId:_.user.id,...d!==void 0&&{requestId:d}})),a();}catch{r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));}}else {let m=i instanceof u?i.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:m,...d!==void 0&&{requestId:d}})),a(i);}}}}n(Wr,"protectServer");function xr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return (o,a,l)=>{let d=o.requestId;if(!o.user)return r.warn(p(t,"auth.authorize.unauthenticated",{requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("UNAUTHORIZED","Not authenticated"));let i=o.user.roles;if(!e.some(m=>i.includes(m)))return r.warn(p(t,"auth.authorize.denied",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("FORBIDDEN",s));r.info(p(t,"auth.authorize.passed",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l();}}n(xr,"createAuthorizeHandler");function ae(e,r){return n(function(...s){return xr(s,e,r)},"authorize")}n(ae,"createAuthorize");function Zr(...e){return xr(e,U,"sentri")}n(Zr,"authorize");var Yr=new u("FORBIDDEN","You do not have permission to perform this action");function Nr(e,r,t){return async(s,o,a)=>{let l=s.requestId;if(!s.user)return r.warn(p(t,"auth.permit.unauthenticated",{...l!==void 0&&{requestId:l}})),a(new u("UNAUTHORIZED","Not authenticated"));let d=s.user.id;if(e.roles&&e.roles.length>0){let i=s.user.roles;if(e.roles.some(m=>i.includes(m)))return r.info(p(t,"auth.permit.role_bypass",{userId:d,bypassedByRole:true,...l!==void 0&&{requestId:l}})),a()}try{let i=e.check(s);(i instanceof Promise?await i:i)?(r.info(p(t,"auth.permit.passed",{userId:d,...l!==void 0&&{requestId:l}})),a()):(r.warn(p(t,"auth.permit.denied",{userId:d,...l!==void 0&&{requestId:l}})),a(Yr));}catch(i){a(i);}}}n(Nr,"createPermitHandler");function de(e,r){return n(function(s){return Nr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(de,"createPermit");function qr(e){return Nr(typeof e=="function"?{check:e}:e,U,"sentri")}n(qr,"permit");function ce(e){return (r,t,s,o)=>{if(r instanceof u){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ce,"createErrorHandler");var Dr=new Map;function Cr(e){let r=Dr.get(e);return r||(r=new Redis(e,{lazyConnect:true,enableOfflineQueue:false}),r.on("error",t=>{console.error("Sentri Redis Client Error:",t.message);}),Dr.set(e,r)),r}n(Cr,"getRedisClient");function Sr(e){let r=e?.ttl??3e5,t=(e?.header??"X-Idempotency-Key").toLowerCase(),s=new Set((e?.methods??["POST","PUT","PATCH"]).map(a=>a.toUpperCase())),o=e?.redisUrl;return o?et(o,r,t,s):rt(r,t,s,e?.maxSize??1e4)}n(Sr,"createIdempotencyMiddleware");function et(e,r,t,s){let o=Cr(e),a="sentri:idempotency:";return async(l,d,i)=>{let m=l.headers[t];if(!m||typeof m!="string"||!s.has(l.method))return i();l.requestId=m,d.setHeader("X-Request-Id",m);let _=await o.get(`${a}${m}`);if(_){let v=JSON.parse(_);return d.setHeader("X-Idempotent-Replayed","true"),d.status(v.statusCode).json(v.body)}let b=d.json.bind(d);d.json=n(function(k){if(d.statusCode>=200&&d.statusCode<300){let L={statusCode:d.statusCode,body:k,expiresAt:Date.now()+r};o.set(`${a}${m}`,JSON.stringify(L),"PX",r).catch(()=>{});}return b(k)},"idempotentJson"),i();}}n(et,"buildRedisMiddleware");function rt(e,r,t,s){let o=Math.max(e,5e3),a=new Map,l=setInterval(()=>{let d=Date.now();for(let[i,m]of a)m.expiresAt<=d&&a.delete(i);},o);return typeof l=="object"&&l!==null&&"unref"in l&&l.unref(),(d,i,m)=>{let _=d.headers[r];if(!_||typeof _!="string"||!t.has(d.method))return m();d.requestId=_,i.setHeader("X-Request-Id",_);let b=Date.now(),v=a.get(_);if(v&&v.expiresAt>b)return i.setHeader("X-Idempotent-Replayed","true"),i.status(v.statusCode).json(v.body);let k=i.json.bind(i);i.json=n(function(K){if(i.statusCode>=200&&i.statusCode<300){if(a.size>=s){let $=a.keys().next().value;$!==void 0&&a.delete($);}a.set(_,{statusCode:i.statusCode,body:K,expiresAt:Date.now()+e});}return k(K)},"idempotentJson"),m();}}n(rt,"buildMemoryMiddleware");var Pe=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let o=Date.now(),a=this.store.get(r);if((!a||a.expiresAt<o)&&(a={count:0,expiresAt:o+s},this.store.set(r,a)),a.count>t){let l=Math.ceil((a.expiresAt-o)/1e3);throw new Error(`Rate limit exceeded. Try again in ${l} seconds.`)}a.count++;}},Ke=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let o=`sentri:rl:${r}`,a=Math.ceil(s/1e3);try{let l=await this.redis.multi().incr(o).expire(o,a,"NX").exec();if(!l||l.length===0)return;if(l[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(l){if(l instanceof Error&&l.message.includes("Rate limit exceeded"))throw l;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:l});}}},X=null;async function br(e,r){if(X)return X;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),X=new Ke(s,r??U),X}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return X=new Pe,X}n(br,"getRateLimiter");var De=8,z=72,Ce=255,Or=100,J=50;function R(e){return new u("VALIDATION_ERROR",e)}n(R,"badRequest");function S(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}n(S,"ok");function F(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(F,"fail");function M(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}n(M,"parseBody");function st(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(st,"validateApiKey");function $e(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n($e,"fireHook");function nt(e){return e.startsWith("RS")||e.startsWith("PS")}n(nt,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw R(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw R(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Or)throw R(`identifiers[${r}].type must not exceed ${Or} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw R(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ce)throw R(`identifiers[${r}].value must not exceed ${Ce} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function E(e){return e.requestId!==void 0?{requestId:e.requestId}:{}}n(E,"reqId");function Ur(e){let r=Router(),t=e,s=T(t),o=e.logger??U,a=e.loggerService??"sentri",l=ae(o,a),d=de(o,a),i=br(e.redisUrl,o),m=e.router?.register??(c=>we(c,t)),_=e.router?.login??(c=>ye(c,t)),b=e.router?.refresh??(c=>B(c,t)),v=e.router?.logout??(c=>c!==void 0?Ie(c,t):Promise.resolve()),k=e.router?.logoutAll??(c=>_e(c,t)),L=e.router?.getUser??(c=>ge(c,t)),K=e.router?.assignRoles??((c,h)=>ke(c,h,t)),$=e.router?.changePassword??((c,h,A)=>Re(c,h,A,t)),Lr=e.router?.bulkCreateIdentifiers??((c,h)=>Ae(c,h,t)),Fr=e.router?.bulkUpdateIdentifiers??((c,h)=>ve(c,h,t)),Pr=e.router?.bulkDeleteIdentifiers??((c,h)=>Ee(c,h,t));nt(s.algorithm)&&r.get("/keys",(c,h)=>{h.setHeader("Cache-Control","public, max-age=3600"),h.json(rr(e.secret));}),r.post("/register",async(c,h,A)=>{let I=Date.now();try{st(c,e);let f=M(c.body),{identifiers:y,password:g,roles:w}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let x=y.map((Z,Se)=>He(Z,Se));if(typeof g!="string"||g.length<De)throw R(`password is required and must be at least ${De} characters`);if(g.length>z)throw R(`password must not exceed ${z} characters`);if(w!==void 0&&!Array.isArray(w))throw R("roles must be an array of strings when provided");if(Array.isArray(w)&&!w.every(Z=>typeof Z=="string"))throw R("each role must be a string");let O=Array.isArray(w)?w:void 0,N=O!==void 0?{identifiers:x,password:g,roles:O}:{identifiers:x,password:g},j=c.ip||"127.0.0.1",G=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let Z=await i,Se=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await Z.consume(`register:${j}`,Se,900*1e3);}let W=await m(N,{ip:j,userAgent:G});if(!W.success){o.warn(p(a,"auth.register.failure",{errorCode:W.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,W.error);return}o.info(p(a,"auth.register.success",{userId:W.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,201,"User registered successfully",{user:W.user});}catch(f){A(f);}}),r.post("/login",async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifier:y,password:g}=f;if(typeof y!="string"||y.trim().length===0)throw R("identifier is required and must be a non-empty string");if(y.length>Ce)throw R(`identifier must not exceed ${Ce} characters`);if(typeof g!="string"||g.length===0)throw R("password is required");if(g.length>z)throw R(`password must not exceed ${z} characters`);let w=y.trim(),x=c.ip||"127.0.0.1",O=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let j=await i,G=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await j.consume(`login:${x}`,G,900*1e3);}let N=await _({identifier:w,password:g},{ip:x,userAgent:O});if(!N.success){$e(()=>e.hooks?.onLoginFailed?.(w,N.error,{ip:x})),o.warn(p(a,"auth.login.failure",{errorCode:N.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,N.error);return}$e(()=>e.hooks?.onLoginSuccess?.(N.user,{ip:x,userAgent:O})),oe(h,N.refreshToken,e),ie(h,N.accessToken,e),o.info(p(a,"auth.login.success",{userId:N.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Login successful",{accessToken:N.accessToken,user:N.user});}catch(f){A(f);}}),r.post("/refresh",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));if(!f)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let y=c.ip||"127.0.0.1",g=c.get("user-agent")||"Unknown",w=await b(f,{ip:y,userAgent:g});if(!w.success){xe(h,e),o.warn(p(a,"auth.refresh.failure",{errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}oe(h,w.refreshToken,e),ie(h,w.accessToken,e),o.info(p(a,"auth.refresh.success",{userId:w.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Token refreshed",{accessToken:w.accessToken});}catch(f){A(f);}}),r.post("/logout",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));await v(f),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout",{duration_ms:Date.now()-I,...E(c)})),S(h,200,"Logged out",null);}catch(f){A(f);}}),r.post("/logout-all",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id;await k(f),$e(()=>e.hooks?.onLogout?.(f)),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout_all",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"All sessions revoked",null);}catch(f){A(f);}}),r.get("/me",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.success",{userId:f.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",f.user);}catch(f){A(f);}}),r.get("/me/identifiers",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.identifiers.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.identifiers.success",{userId:f.user.id,count:f.user.identifiers?.length??0,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{identifiers:f.user.identifiers??[]});}catch(f){A(f);}});let ue=d(c=>!!c.user);return r.post("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>He(x,O)),w=await Lr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.create_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.created",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,201,"Identifiers added successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.put("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>{if(typeof x!="object"||x===null||Array.isArray(x))throw R(`identifiers[${O}] must be an object`);let N=x;if(typeof N.id!="string"||N.id.trim().length===0)throw R(`identifiers[${O}].id is required and must be a non-empty string`);let{type:j,value:G}=He(x,O);return {id:N.id,type:j,value:G}}),w=await Fr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.update_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.updated",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers updated successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.delete("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{ids:y}=f;if(!Array.isArray(y)||y.length===0)throw R("ids is required and must be a non-empty array of strings");if(!y.every(w=>typeof w=="string"))throw R("each id must be a string");let g=await Pr(c.user.id,y);if(!g.success){o.warn(p(a,"auth.identifiers.delete_failure",{userId:c.user.id,errorCode:g.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,g.error);return}o.info(p(a,"auth.identifiers.deleted",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers deleted successfully",{identifiers:g.identifiers});}catch(f){A(f);}}),r.patch("/me/password",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{currentPassword:y,newPassword:g}=f;if(typeof y!="string"||y.length===0)throw R("currentPassword is required");if(typeof g!="string"||g.length<De)throw R(`newPassword must be at least ${De} characters`);if(g.length>z)throw R(`newPassword must not exceed ${z} characters`);if(y===g)throw R("newPassword must be different from currentPassword");let w=await $(c.user.id,y,g);if(!w.success){o.warn(p(a,"auth.password.change_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.password.changed",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Password updated successfully. All sessions have been revoked.",null);}catch(f){A(f);}}),r.post("/users/:userId/roles",C(e),l("admin"),async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{roles:y}=f,g=c.params.userId,w=typeof g=="string"?g:void 0;if(!w)throw R("userId is required");if(!Array.isArray(y)||y.length===0)throw R("roles must be a non-empty array of strings");if(!y.every(O=>typeof O=="string"))throw R("each role must be a string");let x=await K(w,y);if(!x.success){o.warn(p(a,"auth.roles.assign_failure",{targetUserId:w,errorCode:x.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,x.error);return}o.info(p(a,"auth.roles.assigned",{targetUserId:w,roles:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Roles assigned successfully",{user:x.user});}catch(f){A(f);}}),r.use(ce()),r.get("/sessions",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,g=await(e.router?.getSessions??(w=>Er(w,t)))(f);o.info(p(a,"auth.sessions.get",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{sessions:g});}catch(f){A(f);}}),r.delete("/sessions/:id",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,y=c.params.id;await(e.router?.revokeSession??((w,x)=>Tr(w,x,t)))(f,y),o.info(p(a,"auth.sessions.revoke",{userId:f,sessionId:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Session revoked",null);}catch(f){A(f);}}),r}n(Ur,"createAuthRouter");function tn(e){if(e.mode==="client"){let i={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Je(i);let m=i.logger??U,_=i.loggerService??"sentri",b=ae(m,_),v=de(m,_);return {protect:n(()=>C(i),"protect"),authorize:n((...k)=>b(...k),"authorize"),permit:n(k=>v(k),"permit"),errorHandler:n(k=>ce(k),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??U,o=t.loggerService??"sentri",a=T(t),l=ae(s,o),d=de(s,o);return {protect:n(()=>C(t),"protect"),authorize:n((...i)=>l(...i),"authorize"),permit:n(i=>d(i),"permit"),errorHandler:n(i=>ce(i),"errorHandler"),hashPassword:n(i=>Y(i,a.saltRounds),"hashPassword"),verifyPassword:n((i,m)=>q(i,m),"verifyPassword"),signAccessToken:n(i=>ee(i,t),"signAccessToken"),signRefreshToken:n(i=>re(i,t),"signRefreshToken"),verifyAccessToken:n(i=>le(i,t),"verifyAccessToken"),verifyRefreshToken:n(i=>te(i,t),"verifyRefreshToken"),getCurrentAccessToken:n(i=>Ne(i,t),"getCurrentAccessToken"),router:n(()=>Ur(t),"router"),migrate:n(()=>Ge(D(t.dialect)),"migrate"),idempotencyMiddleware:n(i=>Sr({...i,...t.redisUrl!==void 0&&{redisUrl:t.redisUrl}}),"idempotencyMiddleware"),register:n(i=>we(i,t),"register"),login:n(i=>ye(i,t),"login"),refresh:n(i=>B(i,t),"refresh"),logout:n(i=>Ie(i,t),"logout"),logoutAll:n(i=>_e(i,t),"logoutAll"),getUser:n(i=>ge(i,t),"getUser"),changePassword:n((i,m,_)=>Re(i,m,_,t),"changePassword"),assignRoles:n((i,m)=>ke(i,m,t),"assignRoles"),bulkCreateIdentifiers:n((i,m)=>Ae(i,m,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((i,m)=>ve(i,m,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((i,m)=>Ee(i,m,t),"bulkDeleteIdentifiers")}}n(tn,"createAuthExpress");export{Me as SENTRI_ERROR_STATUS,u as SentriError,Zr as authorize,tn as createAuthExpress,Ur as createAuthRouter,ae as createAuthorize,ce as createErrorHandler,Sr as createIdempotencyMiddleware,de as createPermit,Ne as getCurrentAccessToken,qr as permit,C as protect};

package/dist/adapters/fastify/index.cjs

@@ -0,0 +1 @@
+'use strict';var crypto=require('crypto'),kysely=require('kysely'),We=require('bcrypt'),Z=require('jsonwebtoken');require('@fastify/cookie');var stream=require('stream');function _interopDefault(e){return e&&e.__esModule?e:{default:e}}var We__default=/*#__PURE__*/_interopDefault(We);var Z__default=/*#__PURE__*/_interopDefault(Z);var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var He=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??He[r]??500;}};var $e=new WeakMap,Ve=32,Me=10,Be=31;function ze(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Ve)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Ve} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Me||s>Be)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Me} and ${Be}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(ze,"validateConfig");function k(e){let r=$e.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return $e.set(e,t),t}n(k,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},je=new Map;function K(e){if(typeof e=="number")return e*1e3;let r=je.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let o=parseInt(t[1],10)*s;return je.set(e,o),o}n(K,"parseExpiry");var D={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Xe(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Xe,"runMigrations");var Ge=new Map;function E(e){let r=Ge.get(e);return r||(r=new kysely.Kysely({dialect:e}),Ge.set(e,r)),r}n(E,"getDatabase");async function G(e,r=12){return We__default.default.hash(e,r)}n(G,"hashPassword");async function W(e,r){return We__default.default.compare(e,r)}n(W,"verifyPassword");var Ze=new Map,Je=new Map,Vr=3600*1e3;function qe(e){let r=Ze.get(e);if(!r){let t=crypto.createPrivateKey(e),s=crypto.createPublicKey(t),o=s.export({format:"jwk"}),c=crypto.createHash("sha256").update(JSON.stringify({e:o.e,kty:o.kty,n:o.n})).digest("base64url"),l={...o,use:"sig",kid:c};r={kid:c,publicKey:s,jwk:l},Ze.set(e,r);}return r}n(qe,"getOrBuildKey");function Qe(e){let{jwk:r}=qe(e);return {keys:[r]}}n(Qe,"buildJwks");function er(e){return qe(e).publicKey}n(er,"getPublicKeyFromPrivate");async function rr(e){let r=Date.now(),t=Je.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let o=await s.json();if(!o.keys||o.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let a=o.keys[0],c=crypto.createPublicKey({key:a,format:"jwk"});return Je.set(e,{publicKey:c,fetchedAt:r}),c}n(rr,"fetchPublicKey");var tr=new Map,sr=new Map,nr=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ir(e){let r=tr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},tr.set(e,r)),r}n(ir,"getHsSecrets");function Br(e){let r=sr.get(e);return r||(r=crypto.createPrivateKey(e),sr.set(e,r)),r}n(Br,"getRsPrivateKey");function ar(e){let r=k(e);if(or(r.algorithm)){let o=Br(e.secret);return {accessKey:o,refreshKey:o}}let{access:t,refresh:s}=ir(e.secret);return {accessKey:t,refreshKey:s}}n(ar,"getSigningKeys");function dr(e,r){let t=k(e);if(or(t.algorithm))return er(e.secret);let{access:s,refresh:o}=ir(e.secret);return r==="access"?s:o}n(dr,"getVerifyKey");function cr(e,r,t,s){let o=`${t}:${s}`,a=nr.get(o);return a||(a={expiresIn:t,algorithm:s},nr.set(o,a)),Z__default.default.sign(e,r,a)}n(cr,"sign");function ur(e,r,t){try{let s=Z__default.default.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof Z__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(ur,"verify");function J(e,r){let t=k(r),{accessKey:s}=ar(r);return cr(e,s,t.accessExpiresIn,t.algorithm)}n(J,"signAccessToken");function Y(e,r){let t=k(r),{refreshKey:s}=ar(r);return cr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(Y,"signRefreshToken");function de(e,r){let t=k(r),s=dr(r,"access");return ur(e,s,t.algorithm)}n(de,"verifyAccessToken");function q(e,r){let t=k(r),s=dr(r,"refresh");return ur(e,s,t.algorithm)}n(q,"verifyRefreshToken");function lr(e,r){try{let t=Z__default.default.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof Z__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verifyTokenWithPublicKey");function Se(e){try{return JSON.parse(e)}catch{return []}}n(Se,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function hr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(hr,"mapIdentifier");async function Q(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Se(t.roles)}:null}n(Q,"findUserByIdentifierValue");async function ce(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Se(t.roles)}:null}n(ce,"findUserById");async function mr(e,r,t){let s=t.map(o=>({id:crypto.randomUUID(),user_id:r,type:o.type,value:o.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(o=>({id:o.id,userId:o.user_id,type:o.type,value:o.value,createdAt:new Date}))}n(mr,"createIdentifiers");async function ee(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(hr)}n(ee,"findIdentifiersByUserId");async function Ce(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?hr(s):null}n(Ce,"findIdentifierById");async function pr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(pr,"countIdentifiersByUserId");async function wr(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(wr,"updateIdentifier");async function Ir(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(Ir,"deleteIdentifiers");async function yr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(yr,"updateUserPassword");async function gr(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(gr,"updateUserRoles");async function be(e,r){let t=crypto.randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function ue(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Se(t.roles)}}:null}n(ue,"findSessionById");async function le(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(le,"deleteSession");async function _r(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(_r,"markSessionReplaced");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(fe,"deleteAllSessionsForUser");async function Rr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(Rr,"findSessionsByUserId");async function he(e,r,t){let s=k(r),o=E(r.dialect),a=e.roles??[],c=a.filter(R=>!s.validRolesSet.has(R));if(c.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${c.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let l=e.identifiers.map(R=>({type:R.type.trim(),value:R.value.trim()}));if(new Set(l.map(R=>R.value)).size!==l.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let R of l)if(await Q(o,R.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${R.value}`)};let g=await G(e.password,s.saltRounds),{userId:T,identifierRows:b}=await o.transaction().execute(async R=>{let F=crypto.randomUUID();await R.insertInto("sentri_users").values({id:F,password_hash:g,roles:JSON.stringify(a)}).execute();let ae=l.map(B=>({id:crypto.randomUUID(),user_id:F,type:B.type,value:B.value}));return await R.insertInto("sentri_identifiers").values(ae).execute(),{userId:F,identifierRows:ae}}),x={success:true,user:{id:T,roles:a,identifiers:b.map(R=>({id:R.id,type:R.type,value:R.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(x.user),x}n(he,"register");async function me(e,r,t){let s=k(r),o=E(r.dialect),a=await Q(o,e.identifier.trim());if(!a){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await W(e.password,a.passwordHash)){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let l=new Date(Date.now()+K(s.refreshExpiresIn)),d=await be(o,{userId:a.id,expiresAt:l,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),g={id:a.id,roles:a.roles},T=J({id:a.id,roles:a.roles,sessionId:d.id},r),b=Y(d.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(g,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:T,refreshToken:b,user:g}}n(me,"login");async function H(e,r,t){let s=k(r),o=E(r.dialect),a;try{({sessionId:a}=q(e,r));}catch(x){return x instanceof u?{success:false,error:x}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let c=await ue(o,a);if(!c)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(c.replacedBy)return await fe(o,c.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(c.expiresAt.getTime()<Date.now())return await le(o,a),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let l=new Date(Date.now()+K(s.refreshExpiresIn)),d=await be(o,{userId:c.userId,expiresAt:l,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await _r(o,a,d.id);let g={id:c.user.id,roles:c.user.roles},T=J({...g,sessionId:d.id},r),b=Y(d.id,r);return {success:true,accessToken:T,refreshToken:b,user:g}}n(H,"refresh");async function pe(e,r){let t=E(r.dialect),s;try{({sessionId:s}=q(e,r));}catch{return}let o=await ue(t,s);o&&(await le(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(o.userId));}n(pe,"logout");async function we(e,r){let t=E(r.dialect);await fe(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(we,"logoutAll");async function Ie(e,r){let t=E(r.dialect),s=await ce(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let o=await ee(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:o.map(a=>({id:a.id,type:a.type,value:a.value}))}}}n(Ie,"getUser");async function ye(e,r,t,s){let o=k(s),a=E(s.dialect),c=await ce(a,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await W(r,c.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let d=await G(t,o.saltRounds);return await yr(a,e,d),await fe(a,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(ye,"changePassword");async function ge(e,r,t){let s=k(t),o=E(t.dialect),a=r.filter(g=>!s.validRolesSet.has(g));if(a.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let c=await ce(o,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let l=new Set(c.roles);for(let g of r)l.add(g);let d=Array.from(l);return await gr(o,e,d),{success:true,user:{id:c.id,roles:d}}}n(ge,"assignRoles");async function _e(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()}));if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await Q(s,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await mr(s,e,o),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(_e,"bulkCreateIdentifiers");async function Re(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()}));if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let d=await Ce(s,l.id,e);if(!d)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(d.value!==l.value&&await Q(s,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await s.transaction().execute(async l=>{for(let d of o)await wr(l,d.id,e,{type:d.type,value:d.value});}),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(Re,"bulkUpdateIdentifiers");async function ke(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let o=Array.from(new Set(r));for(let l of o)if(!await Ce(s,l,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l}`)};return await pr(s,e)-o.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await Ir(s,e,o),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))})}n(ke,"bulkDeleteIdentifiers");async function Ar(e,r){let t=E(r.dialect);return (await Rr(t,e)).map(o=>({id:o.id,ipAddress:o.ipAddress,userAgent:o.userAgent,createdAt:o.createdAt,expiresAt:o.expiresAt}))}n(Ar,"getSessions");async function vr(e,r,t){let s=E(t.dialect),o=await ue(s,r);o&&o.userId===e&&await le(s,r);}n(vr,"revokeSession");function O(e){return k(e).cookieName}n(O,"getCookieName");function Ae(e){return k(e).accessCookieName}n(Ae,"getAccessCookieName");function U(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let o=e.indexOf(";",s),a=o===-1?e.length:o;if(e.startsWith(t,s))return e.slice(s+t.length,a);s=a+1;}}n(U,"readCookie");function re(e,r,t){let s=t.cookie??{},o=K(k(t).refreshExpiresIn)/1e3;e.setCookie(O(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(re,"setCookieFromConfig");function ve(e,r){let t=r.cookie??{};e.clearCookie(O(r),{path:t.path??"/"});}n(ve,"clearCookieFromConfig");function te(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,o=K(k(t).accessExpiresIn)/1e3;e.setCookie(Ae(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(te,"setAccessCookieFromConfig");function Oe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Ae(r),{path:t.path??"/"});}n(Oe,"clearAccessCookieFromConfig");function Ee(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):U(e.headers.cookie,Ae(r))}n(Ee,"getCurrentAccessToken");function se(e){let r=e.logger??D,t=e.loggerService??"sentri";return e.mode==="client"?zr(e.keyUri,r,t):Xr(e,r,t)}n(se,"protect");function zr(e,r,t){return async s=>{let o=s.headers.authorization,a=o?.startsWith("Bearer ")?o.slice(7):void 0;if(!a)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=await rr(e),l=lr(a,c);s.user={id:l.id,roles:l.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:l.id,requestId:s.id}));}catch(c){let l=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:l,requestId:s.id})),c}}}n(zr,"protectClient");function Xr(e,r,t){return async(s,o)=>{let a=Ee(s,e);if(!a)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=de(a,e);if(e.isTokenRevoked&&await e.isTokenRevoked(c.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:c.id,requestId:s.id})),new u("UNAUTHORIZED","Token has been revoked");s.user={id:c.id,roles:c.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:c.id,requestId:s.id}));}catch(c){if(c instanceof u&&c.code==="TOKEN_EXPIRED"){let l=U(s.headers.cookie,O(e));if(!l)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Token expired. Please login again.");let d;try{d=await H(l,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.")}if(!d.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:d.error.code,requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.");re(o,d.refreshToken,e),te(o,d.accessToken,e),o.header("X-New-Access-Token",d.accessToken),s.user=d.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:d.user.id,requestId:s.id}));}else {let l=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:l,requestId:s.id})),c}}}}n(Xr,"protectServer");function Er(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async o=>{if(!o.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:o.id})),new u("UNAUTHORIZED","Not authenticated");let a=o.user.roles;if(!e.some(c=>a.includes(c)))throw r.warn(m(t,"auth.authorize.denied",{userId:o.user.id,userRoles:[...a],requiredRoles:e,requestId:o.id})),new u("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:o.user.id,userRoles:[...a],requiredRoles:e,requestId:o.id}));}}n(Er,"createAuthorizeHandler");function ne(e,r){return n(function(...s){return Er(s,e,r)},"authorize")}n(ne,"createAuthorize");function Gr(...e){return Er(e,D,"sentri")}n(Gr,"authorize");var Wr=new u("FORBIDDEN","You do not have permission to perform this action");function Tr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new u("UNAUTHORIZED","Not authenticated");let o=s.user.id;if(e.roles&&e.roles.length>0){let l=s.user.roles;if(e.roles.some(d=>l.includes(d))){r.info(m(t,"auth.permit.role_bypass",{userId:o,bypassedByRole:true,requestId:s.id}));return}}let a=e.check(s);if(a instanceof Promise?await a:a)r.info(m(t,"auth.permit.passed",{userId:o,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:o,requestId:s.id})),Wr}}n(Tr,"createPermitHandler");function oe(e,r){return n(function(s){return Tr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return Tr(typeof e=="function"?{check:e}:e,D,"sentri")}n(Zr,"permit");var Ue=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let o=Date.now(),a=this.store.get(r);if((!a||a.expiresAt<o)&&(a={count:0,expiresAt:o+s},this.store.set(r,a)),a.count>t){let c=Math.ceil((a.expiresAt-o)/1e3);throw new Error(`Rate limit exceeded. Try again in ${c} seconds.`)}a.count++;}},Le=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let o=`sentri:rl:${r}`,a=Math.ceil(s/1e3);try{let c=await this.redis.multi().incr(o).expire(o,a,"NX").exec();if(!c||c.length===0)return;if(c[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(c){if(c instanceof Error&&c.message.includes("Rate limit exceeded"))throw c;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:c});}}},$=null;async function xr(e,r){if($)return $;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),$=new Le(s,r??D),$}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return $=new Ue,$}n(xr,"getRateLimiter");function ie(e){return (r,t,s)=>{if(r instanceof u){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ie,"createErrorHandler");var Te=8,V=72,xe=255,Nr=100,M=50;function _(e){return new u("VALIDATION_ERROR",e)}n(_,"badRequest");function N(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(N,"ok");function C(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(C,"fail");function L(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(L,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Pe(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Pe,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function Ke(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw _(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw _(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Nr)throw _(`identifiers[${r}].type must not exceed ${Nr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw _(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>xe)throw _(`identifiers[${r}].value must not exceed ${xe} characters`);return {type:t.type,value:t.value}}n(Ke,"validateIdentifierInput");function Dr(e){return async r=>{let t=e,s=k(t),o=e.logger??D,a=e.loggerService??"sentri",c=se(e),l=ne(o,a),d=oe(o,a),g=xr(e.redisUrl,o),T=d(i=>!!i.user);r.setErrorHandler(ie()),r.addHook("preParsing",function(i,f,p,h){if(!i.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,stream.Readable.from("{}"));return}let w=[];p.on("data",y=>w.push(y)),p.on("end",()=>{let y=Buffer.concat(w);h(null,y.length===0?stream.Readable.from("{}"):stream.Readable.from(y));}),p.on("error",y=>h(y));});let b=e.router?.register??(i=>he(i,t)),x=e.router?.login??(i=>me(i,t)),R=e.router?.refresh??(i=>H(i,t)),F=e.router?.logout??(i=>i!==void 0?pe(i,t):Promise.resolve()),ae=e.router?.logoutAll??(i=>we(i,t)),B=e.router?.getUser??(i=>Ie(i,t)),Sr=e.router?.assignRoles??((i,f)=>ge(i,f,t)),Cr=e.router?.changePassword??((i,f,p)=>ye(i,f,p,t)),br=e.router?.bulkCreateIdentifiers??((i,f)=>_e(i,f,t)),Or=e.router?.bulkUpdateIdentifiers??((i,f)=>Re(i,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((i,f)=>ke(i,f,t));Yr(s.algorithm)&&r.get("/keys",async(i,f)=>{f.header("Cache-Control","public, max-age=3600").send(Qe(e.secret));}),r.post("/register",async(i,f)=>{let p=Date.now();Jr(i,e);let h=L(i),{identifiers:w,password:y,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let A=w.map((X,Ne)=>Ke(X,Ne));if(typeof y!="string"||y.length<Te)throw _(`password is required and must be at least ${Te} characters`);if(y.length>V)throw _(`password must not exceed ${V} characters`);if(I!==void 0&&!Array.isArray(I))throw _("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(X=>typeof X=="string"))throw _("each role must be a string");let S=Array.isArray(I)?I:void 0,v=S!==void 0?{identifiers:A,password:y,roles:S}:{identifiers:A,password:y},P=i.ip||"127.0.0.1",j=i.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let X=await g,Ne=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await X.consume(`register:${P}`,Ne,900*1e3);}let z=await b(v,{ip:P,userAgent:j});if(!z.success){o.warn(m(a,"auth.register.failure",{errorCode:z.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,z.error);return}o.info(m(a,"auth.register.success",{userId:z.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,201,"User registered successfully",{user:z.user});}),r.post("/login",async(i,f)=>{let p=Date.now(),h=L(i),{identifier:w,password:y}=h;if(typeof w!="string"||w.trim().length===0)throw _("identifier is required and must be a non-empty string");if(w.length>xe)throw _(`identifier must not exceed ${xe} characters`);if(typeof y!="string"||y.length===0)throw _("password is required");if(y.length>V)throw _(`password must not exceed ${V} characters`);let I=w.trim(),A=i.ip||"127.0.0.1",S=i.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let P=await g,j=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await P.consume(`login:${A}`,j,900*1e3);}let v=await x({identifier:I,password:y},{ip:A,userAgent:S});if(!v.success){Pe(()=>e.hooks?.onLoginFailed?.(I,v.error,{ip:A})),o.warn(m(a,"auth.login.failure",{errorCode:v.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,v.error);return}Pe(()=>e.hooks?.onLoginSuccess?.(v.user,{ip:A,userAgent:S})),re(f,v.refreshToken,e),te(f,v.accessToken,e),o.info(m(a,"auth.login.success",{userId:v.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Login successful",{accessToken:v.accessToken,user:v.user});}),r.post("/refresh",async(i,f)=>{let p=Date.now(),h=U(i.headers.cookie,O(e));if(!h)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let w=i.ip||"127.0.0.1",y=i.headers["user-agent"]||"Unknown",I=await R(h,{ip:w,userAgent:y});if(!I.success){ve(f,e),o.warn(m(a,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}re(f,I.refreshToken,e),te(f,I.accessToken,e),o.info(m(a,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(i,f)=>{let p=Date.now(),h=U(i.headers.cookie,O(e));await F(h),ve(f,e),Oe(f,e),o.info(m(a,"auth.logout",{duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id;await ae(h),Pe(()=>e.hooks?.onLogout?.(h)),ve(f,e),Oe(f,e),o.info(m(a,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:c},async(i,f)=>{let p=Date.now(),h=await B(i.user.id);if(!h.success){o.warn(m(a,"auth.me.failure",{userId:i.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,h.error);return}o.info(m(a,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:c},async(i,f)=>{let p=Date.now(),h=await B(i.user.id);if(!h.success){o.warn(m(a,"auth.me.identifiers.failure",{userId:i.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,h.error);return}o.info(m(a,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let y=w.map((A,S)=>Ke(A,S)),I=await br(i.user.id,y);if(!I.success){o.warn(m(a,"auth.identifiers.create_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.identifiers.created",{userId:i.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:i.id})),N(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let y=w.map((A,S)=>{if(typeof A!="object"||A===null||Array.isArray(A))throw _(`identifiers[${S}] must be an object`);let v=A;if(typeof v.id!="string"||v.id.trim().length===0)throw _(`identifiers[${S}].id is required and must be a non-empty string`);let{type:P,value:j}=Ke(A,S);return {id:v.id,type:P,value:j}}),I=await Or(i.user.id,y);if(!I.success){o.warn(m(a,"auth.identifiers.update_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.identifiers.updated",{userId:i.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw _("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw _("each id must be a string");let y=await Ur(i.user.id,w);if(!y.success){o.warn(m(a,"auth.identifiers.delete_failure",{userId:i.user.id,errorCode:y.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,y.error);return}o.info(m(a,"auth.identifiers.deleted",{userId:i.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Identifiers deleted successfully",{identifiers:y.identifiers});}),r.patch("/me/password",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{currentPassword:w,newPassword:y}=h;if(typeof w!="string"||w.length===0)throw _("currentPassword is required");if(typeof y!="string"||y.length<Te)throw _(`newPassword must be at least ${Te} characters`);if(y.length>V)throw _(`newPassword must not exceed ${V} characters`);if(w===y)throw _("newPassword must be different from currentPassword");let I=await Cr(i.user.id,w,y);if(!I.success){o.warn(m(a,"auth.password.change_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.password.changed",{userId:i.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[c,l("admin")]},async(i,f)=>{let p=Date.now(),h=L(i),{roles:w}=h,y=i.params.userId;if(!y)throw _("userId is required");if(!Array.isArray(w)||w.length===0)throw _("roles must be a non-empty array of strings");if(!w.every(A=>typeof A=="string"))throw _("each role must be a string");let I=await Sr(y,w);if(!I.success){o.warn(m(a,"auth.roles.assign_failure",{targetUserId:y,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.roles.assigned",{targetUserId:y,roles:w,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id,y=await(e.router?.getSessions??(I=>Ar(I,t)))(h);o.info(m(a,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",{sessions:y});}),r.delete("/sessions/:id",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id,w=i.params.id;await(e.router?.revokeSession??((I,A)=>vr(I,A,t)))(h,w),o.info(m(a,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Session revoked",null);});}}n(Dr,"createAuthPlugin");function Bs(e){if(e.mode==="client"){let d={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};ze(d);let g=d.logger??D,T=d.loggerService??"sentri",b=ne(g,T),x=oe(g,T);return {protect:n(()=>se(d),"protect"),authorize:n((...R)=>b(...R),"authorize"),permit:n(R=>x(R),"permit"),errorHandler:n(R=>ie(R),"errorHandler")}}let{privateKey:r}=crypto.generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??D,o=t.loggerService??"sentri",a=k(t),c=ne(s,o),l=oe(s,o);return {protect:n(()=>se(t),"protect"),authorize:n((...d)=>c(...d),"authorize"),permit:n(d=>l(d),"permit"),plugin:n(()=>Dr(t),"plugin"),errorHandler:n(d=>ie(d),"errorHandler"),migrate:n(()=>Xe(E(t.dialect)),"migrate"),getCurrentAccessToken:n(d=>Ee(d,t),"getCurrentAccessToken"),hashPassword:n(d=>G(d,a.saltRounds),"hashPassword"),verifyPassword:n((d,g)=>W(d,g),"verifyPassword"),signAccessToken:n(d=>J(d,t),"signAccessToken"),signRefreshToken:n(d=>Y(d,t),"signRefreshToken"),verifyAccessToken:n(d=>de(d,t),"verifyAccessToken"),verifyRefreshToken:n(d=>q(d,t),"verifyRefreshToken"),register:n(d=>he(d,t),"register"),login:n(d=>me(d,t),"login"),refresh:n(d=>H(d,t),"refresh"),logout:n(d=>pe(d,t),"logout"),logoutAll:n(d=>we(d,t),"logoutAll"),getUser:n(d=>Ie(d,t),"getUser"),changePassword:n((d,g,T)=>ye(d,g,T,t),"changePassword"),assignRoles:n((d,g)=>ge(d,g,t),"assignRoles"),bulkCreateIdentifiers:n((d,g)=>_e(d,g,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((d,g)=>Re(d,g,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((d,g)=>ke(d,g,t),"bulkDeleteIdentifiers")}}n(Bs,"createAuthFastify");exports.SENTRI_ERROR_STATUS=He;exports.SentriError=u;exports.authorize=Gr;exports.createAuthFastify=Bs;exports.createAuthPlugin=Dr;exports.createAuthorize=ne;exports.createErrorHandler=ie;exports.createPermit=oe;exports.getCurrentAccessToken=Ee;exports.permit=Zr;exports.protect=se;

package/dist/adapters/fastify/index.d.cts

@@ -0,0 +1,98 @@
+import * as kysely from 'kysely';
+import { FastifyRequest, FastifyReply, FastifyPluginAsync, FastifyError } from 'fastify';
+import { AuthUser, AuthConfig, SentriLogger, ServerAuthConfig, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.cjs';
+export { SENTRI_ERROR_STATUS, SentriError } from '../../core/index.cjs';
+
+type SentriFastifyHook = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+declare module 'fastify' {
+    interface FastifyRequest {
+        user?: AuthUser;
+    }
+}
+declare function protect(config: AuthConfig): SentriFastifyHook;
+
+declare function createAuthorize(logger: SentriLogger, service: string): <TRole extends string>(...allowedRoles: TRole[]) => SentriFastifyHook;
+declare function authorize<TRole extends string>(...allowedRoles: TRole[]): SentriFastifyHook;
+
+type FastifyPermitCheck = (request: FastifyRequest) => boolean | Promise<boolean>;
+interface FastifyPermitOptions<TRole extends string> {
+    roles?: TRole[];
+    check: FastifyPermitCheck;
+}
+declare function createPermit(logger: SentriLogger, service: string): <TRole extends string>(optionsOrCheck: FastifyPermitOptions<TRole> | FastifyPermitCheck) => SentriFastifyHook;
+declare function permit<TRole extends string>(optionsOrCheck: FastifyPermitOptions<TRole> | FastifyPermitCheck): SentriFastifyHook;
+
+declare function createAuthPlugin<TRole extends string>(config: ServerAuthConfig<TRole>): FastifyPluginAsync;
+
+interface FastifyErrorHandlerOptions {
+    onUnhandled?: (error: unknown) => void;
+}
+type FastifyErrorHandler = (error: FastifyError | Error, request: FastifyRequest, reply: FastifyReply) => void;
+declare function createErrorHandler(options?: FastifyErrorHandlerOptions): FastifyErrorHandler;
+
+declare function getCurrentAccessToken(request: FastifyRequest, config: ServerAuthConfig): string | undefined;
+
+interface CreateFastifyServerOptions<TRole extends string = string> {
+    mode: 'server';
+    validRoles: readonly TRole[];
+    dialect: kysely.Dialect;
+    accessExpiresIn?: string | number;
+    refreshExpiresIn?: string | number;
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    redisUrl?: string;
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface CreateFastifyClientOptions<TRole extends string = string> {
+    mode: 'client';
+    keyUri: string;
+    validRoles?: readonly TRole[];
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface FastifyAuthClient<TRole extends string = string> {
+    protect(): SentriFastifyHook;
+    authorize(...roles: TRole[]): SentriFastifyHook;
+    permit(check: FastifyPermitCheck): SentriFastifyHook;
+    permit(options: FastifyPermitOptions<TRole>): SentriFastifyHook;
+    errorHandler(options?: FastifyErrorHandlerOptions): FastifyErrorHandler;
+}
+interface FastifyServerAuthClient<TRole extends string = string> extends FastifyAuthClient<TRole> {
+    plugin(): FastifyPluginAsync;
+    migrate(): Promise<void>;
+    getCurrentAccessToken(request: FastifyRequest): string | undefined;
+    hashPassword(plain: string): Promise<string>;
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    signAccessToken(payload: AuthUser<TRole>): string;
+    signRefreshToken(sessionId: string): string;
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    logout(refreshToken: string): Promise<void>;
+    logoutAll(userId: string): Promise<void>;
+    getUser(userId: string): Promise<GetUserResult<TRole>>;
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
+    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
+    bulkCreateIdentifiers(userId: string, identifiers: IdentifierInput[]): Promise<BulkIdentifiersResult>;
+    bulkUpdateIdentifiers(userId: string, updates: Array<{
+        id: string;
+        type: string;
+        value: string;
+    }>): Promise<BulkIdentifiersResult>;
+    bulkDeleteIdentifiers(userId: string, ids: string[]): Promise<BulkIdentifiersResult>;
+}
+type FastifyClientAuthClient<TRole extends string = string> = FastifyAuthClient<TRole>;
+declare function createAuthFastify<TRole extends string = string>(options: CreateFastifyServerOptions<TRole>): FastifyServerAuthClient<TRole>;
+declare function createAuthFastify<TRole extends string = string>(options: CreateFastifyClientOptions<TRole>): FastifyClientAuthClient<TRole>;
+
+export { type CreateFastifyClientOptions, type CreateFastifyServerOptions, type FastifyAuthClient, type FastifyClientAuthClient, type FastifyErrorHandler, type FastifyErrorHandlerOptions, type FastifyPermitCheck, type FastifyPermitOptions, type FastifyServerAuthClient, type SentriFastifyHook, SentriLogger, authorize, createAuthFastify, createAuthPlugin, createAuthorize, createErrorHandler, createPermit, getCurrentAccessToken, permit, protect };

package/dist/adapters/fastify/index.d.ts

@@ -0,0 +1,98 @@
+import * as kysely from 'kysely';
+import { FastifyRequest, FastifyReply, FastifyPluginAsync, FastifyError } from 'fastify';
+import { AuthUser, AuthConfig, SentriLogger, ServerAuthConfig, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.js';
+export { SENTRI_ERROR_STATUS, SentriError } from '../../core/index.js';
+
+type SentriFastifyHook = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+declare module 'fastify' {
+    interface FastifyRequest {
+        user?: AuthUser;
+    }
+}
+declare function protect(config: AuthConfig): SentriFastifyHook;
+
+declare function createAuthorize(logger: SentriLogger, service: string): <TRole extends string>(...allowedRoles: TRole[]) => SentriFastifyHook;
+declare function authorize<TRole extends string>(...allowedRoles: TRole[]): SentriFastifyHook;
+
+type FastifyPermitCheck = (request: FastifyRequest) => boolean | Promise<boolean>;
+interface FastifyPermitOptions<TRole extends string> {
+    roles?: TRole[];
+    check: FastifyPermitCheck;
+}
+declare function createPermit(logger: SentriLogger, service: string): <TRole extends string>(optionsOrCheck: FastifyPermitOptions<TRole> | FastifyPermitCheck) => SentriFastifyHook;
+declare function permit<TRole extends string>(optionsOrCheck: FastifyPermitOptions<TRole> | FastifyPermitCheck): SentriFastifyHook;
+
+declare function createAuthPlugin<TRole extends string>(config: ServerAuthConfig<TRole>): FastifyPluginAsync;
+
+interface FastifyErrorHandlerOptions {
+    onUnhandled?: (error: unknown) => void;
+}
+type FastifyErrorHandler = (error: FastifyError | Error, request: FastifyRequest, reply: FastifyReply) => void;
+declare function createErrorHandler(options?: FastifyErrorHandlerOptions): FastifyErrorHandler;
+
+declare function getCurrentAccessToken(request: FastifyRequest, config: ServerAuthConfig): string | undefined;
+
+interface CreateFastifyServerOptions<TRole extends string = string> {
+    mode: 'server';
+    validRoles: readonly TRole[];
+    dialect: kysely.Dialect;
+    accessExpiresIn?: string | number;
+    refreshExpiresIn?: string | number;
+    saltRounds?: number;
+    apiKey?: string;
+    cookie?: CookieConfig;
+    accessCookie?: AccessCookieConfig;
+    hooks?: AuthHooks;
+    router?: RouterHandlers;
+    isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    redisUrl?: string;
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface CreateFastifyClientOptions<TRole extends string = string> {
+    mode: 'client';
+    keyUri: string;
+    validRoles?: readonly TRole[];
+    logger?: SentriLogger;
+    loggerService?: string;
+}
+interface FastifyAuthClient<TRole extends string = string> {
+    protect(): SentriFastifyHook;
+    authorize(...roles: TRole[]): SentriFastifyHook;
+    permit(check: FastifyPermitCheck): SentriFastifyHook;
+    permit(options: FastifyPermitOptions<TRole>): SentriFastifyHook;
+    errorHandler(options?: FastifyErrorHandlerOptions): FastifyErrorHandler;
+}
+interface FastifyServerAuthClient<TRole extends string = string> extends FastifyAuthClient<TRole> {
+    plugin(): FastifyPluginAsync;
+    migrate(): Promise<void>;
+    getCurrentAccessToken(request: FastifyRequest): string | undefined;
+    hashPassword(plain: string): Promise<string>;
+    verifyPassword(plain: string, hash: string): Promise<boolean>;
+    signAccessToken(payload: AuthUser<TRole>): string;
+    signRefreshToken(sessionId: string): string;
+    verifyAccessToken(token: string): AuthUser<TRole>;
+    verifyRefreshToken(token: string): {
+        sessionId: string;
+    };
+    register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
+    login(input: LoginInput): Promise<AuthResult<TRole>>;
+    refresh(refreshToken: string): Promise<RefreshResult<TRole>>;
+    logout(refreshToken: string): Promise<void>;
+    logoutAll(userId: string): Promise<void>;
+    getUser(userId: string): Promise<GetUserResult<TRole>>;
+    changePassword(userId: string, currentPassword: string, newPassword: string): Promise<ChangePasswordResult>;
+    assignRoles(userId: string, roles: TRole[]): Promise<AssignRolesResult<TRole>>;
+    bulkCreateIdentifiers(userId: string, identifiers: IdentifierInput[]): Promise<BulkIdentifiersResult>;
+    bulkUpdateIdentifiers(userId: string, updates: Array<{
+        id: string;
+        type: string;
+        value: string;
+    }>): Promise<BulkIdentifiersResult>;
+    bulkDeleteIdentifiers(userId: string, ids: string[]): Promise<BulkIdentifiersResult>;
+}
+type FastifyClientAuthClient<TRole extends string = string> = FastifyAuthClient<TRole>;
+declare function createAuthFastify<TRole extends string = string>(options: CreateFastifyServerOptions<TRole>): FastifyServerAuthClient<TRole>;
+declare function createAuthFastify<TRole extends string = string>(options: CreateFastifyClientOptions<TRole>): FastifyClientAuthClient<TRole>;
+
+export { type CreateFastifyClientOptions, type CreateFastifyServerOptions, type FastifyAuthClient, type FastifyClientAuthClient, type FastifyErrorHandler, type FastifyErrorHandlerOptions, type FastifyPermitCheck, type FastifyPermitOptions, type FastifyServerAuthClient, type SentriFastifyHook, SentriLogger, authorize, createAuthFastify, createAuthPlugin, createAuthorize, createErrorHandler, createPermit, getCurrentAccessToken, permit, protect };

package/dist/adapters/fastify/index.js

@@ -0,0 +1 @@
+import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import We from'bcrypt';import Z from'jsonwebtoken';import'@fastify/cookie';import {Readable}from'stream';var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var He=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??He[r]??500;}};var $e=new WeakMap,Ve=32,Me=10,Be=31;function ze(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Ve)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Ve} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Me||s>Be)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Me} and ${Be}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(ze,"validateConfig");function k(e){let r=$e.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return $e.set(e,t),t}n(k,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},je=new Map;function K(e){if(typeof e=="number")return e*1e3;let r=je.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let o=parseInt(t[1],10)*s;return je.set(e,o),o}n(K,"parseExpiry");var D={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Xe(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Xe,"runMigrations");var Ge=new Map;function E(e){let r=Ge.get(e);return r||(r=new Kysely({dialect:e}),Ge.set(e,r)),r}n(E,"getDatabase");async function G(e,r=12){return We.hash(e,r)}n(G,"hashPassword");async function W(e,r){return We.compare(e,r)}n(W,"verifyPassword");var Ze=new Map,Je=new Map,Vr=3600*1e3;function qe(e){let r=Ze.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),o=s.export({format:"jwk"}),c=createHash("sha256").update(JSON.stringify({e:o.e,kty:o.kty,n:o.n})).digest("base64url"),l={...o,use:"sig",kid:c};r={kid:c,publicKey:s,jwk:l},Ze.set(e,r);}return r}n(qe,"getOrBuildKey");function Qe(e){let{jwk:r}=qe(e);return {keys:[r]}}n(Qe,"buildJwks");function er(e){return qe(e).publicKey}n(er,"getPublicKeyFromPrivate");async function rr(e){let r=Date.now(),t=Je.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let o=await s.json();if(!o.keys||o.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let a=o.keys[0],c=createPublicKey({key:a,format:"jwk"});return Je.set(e,{publicKey:c,fetchedAt:r}),c}n(rr,"fetchPublicKey");var tr=new Map,sr=new Map,nr=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ir(e){let r=tr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},tr.set(e,r)),r}n(ir,"getHsSecrets");function Br(e){let r=sr.get(e);return r||(r=createPrivateKey(e),sr.set(e,r)),r}n(Br,"getRsPrivateKey");function ar(e){let r=k(e);if(or(r.algorithm)){let o=Br(e.secret);return {accessKey:o,refreshKey:o}}let{access:t,refresh:s}=ir(e.secret);return {accessKey:t,refreshKey:s}}n(ar,"getSigningKeys");function dr(e,r){let t=k(e);if(or(t.algorithm))return er(e.secret);let{access:s,refresh:o}=ir(e.secret);return r==="access"?s:o}n(dr,"getVerifyKey");function cr(e,r,t,s){let o=`${t}:${s}`,a=nr.get(o);return a||(a={expiresIn:t,algorithm:s},nr.set(o,a)),Z.sign(e,r,a)}n(cr,"sign");function ur(e,r,t){try{let s=Z.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof Z.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(ur,"verify");function J(e,r){let t=k(r),{accessKey:s}=ar(r);return cr(e,s,t.accessExpiresIn,t.algorithm)}n(J,"signAccessToken");function Y(e,r){let t=k(r),{refreshKey:s}=ar(r);return cr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(Y,"signRefreshToken");function de(e,r){let t=k(r),s=dr(r,"access");return ur(e,s,t.algorithm)}n(de,"verifyAccessToken");function q(e,r){let t=k(r),s=dr(r,"refresh");return ur(e,s,t.algorithm)}n(q,"verifyRefreshToken");function lr(e,r){try{let t=Z.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof Z.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verifyTokenWithPublicKey");function Se(e){try{return JSON.parse(e)}catch{return []}}n(Se,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function hr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(hr,"mapIdentifier");async function Q(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Se(t.roles)}:null}n(Q,"findUserByIdentifierValue");async function ce(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Se(t.roles)}:null}n(ce,"findUserById");async function mr(e,r,t){let s=t.map(o=>({id:randomUUID(),user_id:r,type:o.type,value:o.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(o=>({id:o.id,userId:o.user_id,type:o.type,value:o.value,createdAt:new Date}))}n(mr,"createIdentifiers");async function ee(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(hr)}n(ee,"findIdentifiersByUserId");async function Ce(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?hr(s):null}n(Ce,"findIdentifierById");async function pr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(pr,"countIdentifiersByUserId");async function wr(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(wr,"updateIdentifier");async function Ir(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(Ir,"deleteIdentifiers");async function yr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(yr,"updateUserPassword");async function gr(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(gr,"updateUserRoles");async function be(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function ue(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Se(t.roles)}}:null}n(ue,"findSessionById");async function le(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(le,"deleteSession");async function _r(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(_r,"markSessionReplaced");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(fe,"deleteAllSessionsForUser");async function Rr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(Rr,"findSessionsByUserId");async function he(e,r,t){let s=k(r),o=E(r.dialect),a=e.roles??[],c=a.filter(R=>!s.validRolesSet.has(R));if(c.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${c.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let l=e.identifiers.map(R=>({type:R.type.trim(),value:R.value.trim()}));if(new Set(l.map(R=>R.value)).size!==l.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let R of l)if(await Q(o,R.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${R.value}`)};let g=await G(e.password,s.saltRounds),{userId:T,identifierRows:b}=await o.transaction().execute(async R=>{let F=randomUUID();await R.insertInto("sentri_users").values({id:F,password_hash:g,roles:JSON.stringify(a)}).execute();let ae=l.map(B=>({id:randomUUID(),user_id:F,type:B.type,value:B.value}));return await R.insertInto("sentri_identifiers").values(ae).execute(),{userId:F,identifierRows:ae}}),x={success:true,user:{id:T,roles:a,identifiers:b.map(R=>({id:R.id,type:R.type,value:R.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(x.user),x}n(he,"register");async function me(e,r,t){let s=k(r),o=E(r.dialect),a=await Q(o,e.identifier.trim());if(!a){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await W(e.password,a.passwordHash)){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let l=new Date(Date.now()+K(s.refreshExpiresIn)),d=await be(o,{userId:a.id,expiresAt:l,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),g={id:a.id,roles:a.roles},T=J({id:a.id,roles:a.roles,sessionId:d.id},r),b=Y(d.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(g,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:T,refreshToken:b,user:g}}n(me,"login");async function H(e,r,t){let s=k(r),o=E(r.dialect),a;try{({sessionId:a}=q(e,r));}catch(x){return x instanceof u?{success:false,error:x}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let c=await ue(o,a);if(!c)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(c.replacedBy)return await fe(o,c.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(c.expiresAt.getTime()<Date.now())return await le(o,a),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let l=new Date(Date.now()+K(s.refreshExpiresIn)),d=await be(o,{userId:c.userId,expiresAt:l,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await _r(o,a,d.id);let g={id:c.user.id,roles:c.user.roles},T=J({...g,sessionId:d.id},r),b=Y(d.id,r);return {success:true,accessToken:T,refreshToken:b,user:g}}n(H,"refresh");async function pe(e,r){let t=E(r.dialect),s;try{({sessionId:s}=q(e,r));}catch{return}let o=await ue(t,s);o&&(await le(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(o.userId));}n(pe,"logout");async function we(e,r){let t=E(r.dialect);await fe(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(we,"logoutAll");async function Ie(e,r){let t=E(r.dialect),s=await ce(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let o=await ee(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:o.map(a=>({id:a.id,type:a.type,value:a.value}))}}}n(Ie,"getUser");async function ye(e,r,t,s){let o=k(s),a=E(s.dialect),c=await ce(a,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await W(r,c.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let d=await G(t,o.saltRounds);return await yr(a,e,d),await fe(a,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(ye,"changePassword");async function ge(e,r,t){let s=k(t),o=E(t.dialect),a=r.filter(g=>!s.validRolesSet.has(g));if(a.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let c=await ce(o,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let l=new Set(c.roles);for(let g of r)l.add(g);let d=Array.from(l);return await gr(o,e,d),{success:true,user:{id:c.id,roles:d}}}n(ge,"assignRoles");async function _e(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()}));if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await Q(s,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await mr(s,e,o),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(_e,"bulkCreateIdentifiers");async function Re(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()}));if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let d=await Ce(s,l.id,e);if(!d)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(d.value!==l.value&&await Q(s,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await s.transaction().execute(async l=>{for(let d of o)await wr(l,d.id,e,{type:d.type,value:d.value});}),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(Re,"bulkUpdateIdentifiers");async function ke(e,r,t){let s=E(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let o=Array.from(new Set(r));for(let l of o)if(!await Ce(s,l,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l}`)};return await pr(s,e)-o.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await Ir(s,e,o),{success:true,identifiers:(await ee(s,e)).map(l=>({id:l.id,type:l.type,value:l.value}))})}n(ke,"bulkDeleteIdentifiers");async function Ar(e,r){let t=E(r.dialect);return (await Rr(t,e)).map(o=>({id:o.id,ipAddress:o.ipAddress,userAgent:o.userAgent,createdAt:o.createdAt,expiresAt:o.expiresAt}))}n(Ar,"getSessions");async function vr(e,r,t){let s=E(t.dialect),o=await ue(s,r);o&&o.userId===e&&await le(s,r);}n(vr,"revokeSession");function O(e){return k(e).cookieName}n(O,"getCookieName");function Ae(e){return k(e).accessCookieName}n(Ae,"getAccessCookieName");function U(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let o=e.indexOf(";",s),a=o===-1?e.length:o;if(e.startsWith(t,s))return e.slice(s+t.length,a);s=a+1;}}n(U,"readCookie");function re(e,r,t){let s=t.cookie??{},o=K(k(t).refreshExpiresIn)/1e3;e.setCookie(O(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(re,"setCookieFromConfig");function ve(e,r){let t=r.cookie??{};e.clearCookie(O(r),{path:t.path??"/"});}n(ve,"clearCookieFromConfig");function te(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,o=K(k(t).accessExpiresIn)/1e3;e.setCookie(Ae(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(te,"setAccessCookieFromConfig");function Oe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Ae(r),{path:t.path??"/"});}n(Oe,"clearAccessCookieFromConfig");function Ee(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):U(e.headers.cookie,Ae(r))}n(Ee,"getCurrentAccessToken");function se(e){let r=e.logger??D,t=e.loggerService??"sentri";return e.mode==="client"?zr(e.keyUri,r,t):Xr(e,r,t)}n(se,"protect");function zr(e,r,t){return async s=>{let o=s.headers.authorization,a=o?.startsWith("Bearer ")?o.slice(7):void 0;if(!a)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=await rr(e),l=lr(a,c);s.user={id:l.id,roles:l.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:l.id,requestId:s.id}));}catch(c){let l=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:l,requestId:s.id})),c}}}n(zr,"protectClient");function Xr(e,r,t){return async(s,o)=>{let a=Ee(s,e);if(!a)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=de(a,e);if(e.isTokenRevoked&&await e.isTokenRevoked(c.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:c.id,requestId:s.id})),new u("UNAUTHORIZED","Token has been revoked");s.user={id:c.id,roles:c.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:c.id,requestId:s.id}));}catch(c){if(c instanceof u&&c.code==="TOKEN_EXPIRED"){let l=U(s.headers.cookie,O(e));if(!l)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Token expired. Please login again.");let d;try{d=await H(l,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.")}if(!d.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:d.error.code,requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.");re(o,d.refreshToken,e),te(o,d.accessToken,e),o.header("X-New-Access-Token",d.accessToken),s.user=d.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:d.user.id,requestId:s.id}));}else {let l=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:l,requestId:s.id})),c}}}}n(Xr,"protectServer");function Er(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async o=>{if(!o.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:o.id})),new u("UNAUTHORIZED","Not authenticated");let a=o.user.roles;if(!e.some(c=>a.includes(c)))throw r.warn(m(t,"auth.authorize.denied",{userId:o.user.id,userRoles:[...a],requiredRoles:e,requestId:o.id})),new u("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:o.user.id,userRoles:[...a],requiredRoles:e,requestId:o.id}));}}n(Er,"createAuthorizeHandler");function ne(e,r){return n(function(...s){return Er(s,e,r)},"authorize")}n(ne,"createAuthorize");function Gr(...e){return Er(e,D,"sentri")}n(Gr,"authorize");var Wr=new u("FORBIDDEN","You do not have permission to perform this action");function Tr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new u("UNAUTHORIZED","Not authenticated");let o=s.user.id;if(e.roles&&e.roles.length>0){let l=s.user.roles;if(e.roles.some(d=>l.includes(d))){r.info(m(t,"auth.permit.role_bypass",{userId:o,bypassedByRole:true,requestId:s.id}));return}}let a=e.check(s);if(a instanceof Promise?await a:a)r.info(m(t,"auth.permit.passed",{userId:o,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:o,requestId:s.id})),Wr}}n(Tr,"createPermitHandler");function oe(e,r){return n(function(s){return Tr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return Tr(typeof e=="function"?{check:e}:e,D,"sentri")}n(Zr,"permit");var Ue=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let o=Date.now(),a=this.store.get(r);if((!a||a.expiresAt<o)&&(a={count:0,expiresAt:o+s},this.store.set(r,a)),a.count>t){let c=Math.ceil((a.expiresAt-o)/1e3);throw new Error(`Rate limit exceeded. Try again in ${c} seconds.`)}a.count++;}},Le=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let o=`sentri:rl:${r}`,a=Math.ceil(s/1e3);try{let c=await this.redis.multi().incr(o).expire(o,a,"NX").exec();if(!c||c.length===0)return;if(c[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(c){if(c instanceof Error&&c.message.includes("Rate limit exceeded"))throw c;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:c});}}},$=null;async function xr(e,r){if($)return $;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),$=new Le(s,r??D),$}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return $=new Ue,$}n(xr,"getRateLimiter");function ie(e){return (r,t,s)=>{if(r instanceof u){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ie,"createErrorHandler");var Te=8,V=72,xe=255,Nr=100,M=50;function _(e){return new u("VALIDATION_ERROR",e)}n(_,"badRequest");function N(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(N,"ok");function C(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(C,"fail");function L(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(L,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Pe(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Pe,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function Ke(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw _(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw _(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Nr)throw _(`identifiers[${r}].type must not exceed ${Nr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw _(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>xe)throw _(`identifiers[${r}].value must not exceed ${xe} characters`);return {type:t.type,value:t.value}}n(Ke,"validateIdentifierInput");function Dr(e){return async r=>{let t=e,s=k(t),o=e.logger??D,a=e.loggerService??"sentri",c=se(e),l=ne(o,a),d=oe(o,a),g=xr(e.redisUrl,o),T=d(i=>!!i.user);r.setErrorHandler(ie()),r.addHook("preParsing",function(i,f,p,h){if(!i.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,Readable.from("{}"));return}let w=[];p.on("data",y=>w.push(y)),p.on("end",()=>{let y=Buffer.concat(w);h(null,y.length===0?Readable.from("{}"):Readable.from(y));}),p.on("error",y=>h(y));});let b=e.router?.register??(i=>he(i,t)),x=e.router?.login??(i=>me(i,t)),R=e.router?.refresh??(i=>H(i,t)),F=e.router?.logout??(i=>i!==void 0?pe(i,t):Promise.resolve()),ae=e.router?.logoutAll??(i=>we(i,t)),B=e.router?.getUser??(i=>Ie(i,t)),Sr=e.router?.assignRoles??((i,f)=>ge(i,f,t)),Cr=e.router?.changePassword??((i,f,p)=>ye(i,f,p,t)),br=e.router?.bulkCreateIdentifiers??((i,f)=>_e(i,f,t)),Or=e.router?.bulkUpdateIdentifiers??((i,f)=>Re(i,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((i,f)=>ke(i,f,t));Yr(s.algorithm)&&r.get("/keys",async(i,f)=>{f.header("Cache-Control","public, max-age=3600").send(Qe(e.secret));}),r.post("/register",async(i,f)=>{let p=Date.now();Jr(i,e);let h=L(i),{identifiers:w,password:y,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let A=w.map((X,Ne)=>Ke(X,Ne));if(typeof y!="string"||y.length<Te)throw _(`password is required and must be at least ${Te} characters`);if(y.length>V)throw _(`password must not exceed ${V} characters`);if(I!==void 0&&!Array.isArray(I))throw _("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(X=>typeof X=="string"))throw _("each role must be a string");let S=Array.isArray(I)?I:void 0,v=S!==void 0?{identifiers:A,password:y,roles:S}:{identifiers:A,password:y},P=i.ip||"127.0.0.1",j=i.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let X=await g,Ne=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await X.consume(`register:${P}`,Ne,900*1e3);}let z=await b(v,{ip:P,userAgent:j});if(!z.success){o.warn(m(a,"auth.register.failure",{errorCode:z.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,z.error);return}o.info(m(a,"auth.register.success",{userId:z.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,201,"User registered successfully",{user:z.user});}),r.post("/login",async(i,f)=>{let p=Date.now(),h=L(i),{identifier:w,password:y}=h;if(typeof w!="string"||w.trim().length===0)throw _("identifier is required and must be a non-empty string");if(w.length>xe)throw _(`identifier must not exceed ${xe} characters`);if(typeof y!="string"||y.length===0)throw _("password is required");if(y.length>V)throw _(`password must not exceed ${V} characters`);let I=w.trim(),A=i.ip||"127.0.0.1",S=i.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let P=await g,j=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await P.consume(`login:${A}`,j,900*1e3);}let v=await x({identifier:I,password:y},{ip:A,userAgent:S});if(!v.success){Pe(()=>e.hooks?.onLoginFailed?.(I,v.error,{ip:A})),o.warn(m(a,"auth.login.failure",{errorCode:v.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,v.error);return}Pe(()=>e.hooks?.onLoginSuccess?.(v.user,{ip:A,userAgent:S})),re(f,v.refreshToken,e),te(f,v.accessToken,e),o.info(m(a,"auth.login.success",{userId:v.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Login successful",{accessToken:v.accessToken,user:v.user});}),r.post("/refresh",async(i,f)=>{let p=Date.now(),h=U(i.headers.cookie,O(e));if(!h)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let w=i.ip||"127.0.0.1",y=i.headers["user-agent"]||"Unknown",I=await R(h,{ip:w,userAgent:y});if(!I.success){ve(f,e),o.warn(m(a,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}re(f,I.refreshToken,e),te(f,I.accessToken,e),o.info(m(a,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(i,f)=>{let p=Date.now(),h=U(i.headers.cookie,O(e));await F(h),ve(f,e),Oe(f,e),o.info(m(a,"auth.logout",{duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id;await ae(h),Pe(()=>e.hooks?.onLogout?.(h)),ve(f,e),Oe(f,e),o.info(m(a,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:c},async(i,f)=>{let p=Date.now(),h=await B(i.user.id);if(!h.success){o.warn(m(a,"auth.me.failure",{userId:i.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,h.error);return}o.info(m(a,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:c},async(i,f)=>{let p=Date.now(),h=await B(i.user.id);if(!h.success){o.warn(m(a,"auth.me.identifiers.failure",{userId:i.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,h.error);return}o.info(m(a,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let y=w.map((A,S)=>Ke(A,S)),I=await br(i.user.id,y);if(!I.success){o.warn(m(a,"auth.identifiers.create_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.identifiers.created",{userId:i.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:i.id})),N(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>M)throw _(`identifiers must not exceed ${M} entries`);let y=w.map((A,S)=>{if(typeof A!="object"||A===null||Array.isArray(A))throw _(`identifiers[${S}] must be an object`);let v=A;if(typeof v.id!="string"||v.id.trim().length===0)throw _(`identifiers[${S}].id is required and must be a non-empty string`);let{type:P,value:j}=Ke(A,S);return {id:v.id,type:P,value:j}}),I=await Or(i.user.id,y);if(!I.success){o.warn(m(a,"auth.identifiers.update_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.identifiers.updated",{userId:i.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw _("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw _("each id must be a string");let y=await Ur(i.user.id,w);if(!y.success){o.warn(m(a,"auth.identifiers.delete_failure",{userId:i.user.id,errorCode:y.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,y.error);return}o.info(m(a,"auth.identifiers.deleted",{userId:i.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Identifiers deleted successfully",{identifiers:y.identifiers});}),r.patch("/me/password",{preHandler:[c,T]},async(i,f)=>{let p=Date.now(),h=L(i),{currentPassword:w,newPassword:y}=h;if(typeof w!="string"||w.length===0)throw _("currentPassword is required");if(typeof y!="string"||y.length<Te)throw _(`newPassword must be at least ${Te} characters`);if(y.length>V)throw _(`newPassword must not exceed ${V} characters`);if(w===y)throw _("newPassword must be different from currentPassword");let I=await Cr(i.user.id,w,y);if(!I.success){o.warn(m(a,"auth.password.change_failure",{userId:i.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.password.changed",{userId:i.user.id,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[c,l("admin")]},async(i,f)=>{let p=Date.now(),h=L(i),{roles:w}=h,y=i.params.userId;if(!y)throw _("userId is required");if(!Array.isArray(w)||w.length===0)throw _("roles must be a non-empty array of strings");if(!w.every(A=>typeof A=="string"))throw _("each role must be a string");let I=await Sr(y,w);if(!I.success){o.warn(m(a,"auth.roles.assign_failure",{targetUserId:y,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:i.id})),C(f,I.error);return}o.info(m(a,"auth.roles.assigned",{targetUserId:y,roles:w,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id,y=await(e.router?.getSessions??(I=>Ar(I,t)))(h);o.info(m(a,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"OK",{sessions:y});}),r.delete("/sessions/:id",{preHandler:c},async(i,f)=>{let p=Date.now(),h=i.user.id,w=i.params.id;await(e.router?.revokeSession??((I,A)=>vr(I,A,t)))(h,w),o.info(m(a,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:i.id})),N(f,200,"Session revoked",null);});}}n(Dr,"createAuthPlugin");function Bs(e){if(e.mode==="client"){let d={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};ze(d);let g=d.logger??D,T=d.loggerService??"sentri",b=ne(g,T),x=oe(g,T);return {protect:n(()=>se(d),"protect"),authorize:n((...R)=>b(...R),"authorize"),permit:n(R=>x(R),"permit"),errorHandler:n(R=>ie(R),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??D,o=t.loggerService??"sentri",a=k(t),c=ne(s,o),l=oe(s,o);return {protect:n(()=>se(t),"protect"),authorize:n((...d)=>c(...d),"authorize"),permit:n(d=>l(d),"permit"),plugin:n(()=>Dr(t),"plugin"),errorHandler:n(d=>ie(d),"errorHandler"),migrate:n(()=>Xe(E(t.dialect)),"migrate"),getCurrentAccessToken:n(d=>Ee(d,t),"getCurrentAccessToken"),hashPassword:n(d=>G(d,a.saltRounds),"hashPassword"),verifyPassword:n((d,g)=>W(d,g),"verifyPassword"),signAccessToken:n(d=>J(d,t),"signAccessToken"),signRefreshToken:n(d=>Y(d,t),"signRefreshToken"),verifyAccessToken:n(d=>de(d,t),"verifyAccessToken"),verifyRefreshToken:n(d=>q(d,t),"verifyRefreshToken"),register:n(d=>he(d,t),"register"),login:n(d=>me(d,t),"login"),refresh:n(d=>H(d,t),"refresh"),logout:n(d=>pe(d,t),"logout"),logoutAll:n(d=>we(d,t),"logoutAll"),getUser:n(d=>Ie(d,t),"getUser"),changePassword:n((d,g,T)=>ye(d,g,T,t),"changePassword"),assignRoles:n((d,g)=>ge(d,g,t),"assignRoles"),bulkCreateIdentifiers:n((d,g)=>_e(d,g,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((d,g)=>Re(d,g,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((d,g)=>ke(d,g,t),"bulkDeleteIdentifiers")}}n(Bs,"createAuthFastify");export{He as SENTRI_ERROR_STATUS,u as SentriError,Gr as authorize,Bs as createAuthFastify,Dr as createAuthPlugin,ne as createAuthorize,ie as createErrorHandler,oe as createPermit,Ee as getCurrentAccessToken,Zr as permit,se as protect};