sentri 5.0.0 → 5.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapters/elysia/index.cjs +1 -1
- package/dist/adapters/elysia/index.d.cts +15 -0
- package/dist/adapters/elysia/index.d.ts +15 -0
- package/dist/adapters/elysia/index.js +1 -1
- package/dist/adapters/express/index.cjs +1 -1
- package/dist/adapters/express/index.d.cts +12 -0
- package/dist/adapters/express/index.d.ts +12 -0
- package/dist/adapters/express/index.js +1 -1
- package/dist/adapters/fastify/index.cjs +1 -1
- package/dist/adapters/fastify/index.d.cts +15 -0
- package/dist/adapters/fastify/index.d.ts +15 -0
- package/dist/adapters/fastify/index.js +1 -1
- package/dist/adapters/hono/index.cjs +1 -1
- package/dist/adapters/hono/index.d.cts +15 -0
- package/dist/adapters/hono/index.d.ts +15 -0
- package/dist/adapters/hono/index.js +1 -1
- package/dist/adapters/koa/index.cjs +1 -1
- package/dist/adapters/koa/index.d.cts +15 -0
- package/dist/adapters/koa/index.d.ts +15 -0
- package/dist/adapters/koa/index.js +1 -1
- package/dist/cli.cjs +16 -1
- package/dist/cli.js +16 -1
- package/dist/core/index.d.cts +35 -0
- package/dist/core/index.d.ts +35 -0
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
'use strict';var crypto=require('crypto'),kysely=require('kysely'),Ze=require('bcrypt'),Q=require('jsonwebtoken'),ioredis=require('ioredis'),express=require('express');function _interopDefault(e){return e&&e.__esModule?e:{default:e}}var Ze__default=/*#__PURE__*/_interopDefault(Ze);var Q__default=/*#__PURE__*/_interopDefault(Q);var Kr=Object.defineProperty;var n=(e,r)=>Kr(e,"name",{value:r,configurable:true});var Me=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??Me[r]??500;}};var je=new WeakMap,Ve=32,Be=10,Xe=31;function Je(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Ve)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Ve} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>Xe)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${Xe}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(Je,"validateConfig");function T(e){let r=je.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return je.set(e,t),t}n(T,"resolveServerConfig");var $r=/^(\d+)([smhdw])$/,Hr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},ze=new Map;function V(e){if(typeof e=="number")return e*1e3;let r=ze.get(e);if(r!==void 0)return r;let t=$r.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Hr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let o=parseInt(t[1],10)*s;return ze.set(e,o),o}n(V,"parseExpiry");var U={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function p(e,r,t){return {service:e,event:r,...t}}n(p,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function D(e){let r=We.get(e);return r||(r=new kysely.Kysely({dialect:e}),We.set(e,r)),r}n(D,"getDatabase");async function Y(e,r=12){return Ze__default.default.hash(e,r)}n(Y,"hashPassword");async function q(e,r){return Ze__default.default.compare(e,r)}n(q,"verifyPassword");var Ye=new Map,qe=new Map,Br=3600*1e3;function er(e){let r=Ye.get(e);if(!r){let t=crypto.createPrivateKey(e),s=crypto.createPublicKey(t),o=s.export({format:"jwk"}),l=crypto.createHash("sha256").update(JSON.stringify({e:o.e,kty:o.kty,n:o.n})).digest("base64url"),d={...o,use:"sig",kid:l};r={kid:l,publicKey:s,jwk:d},Ye.set(e,r);}return r}n(er,"getOrBuildKey");function rr(e){let{jwk:r}=er(e);return {keys:[r]}}n(rr,"buildJwks");function tr(e){return er(e).publicKey}n(tr,"getPublicKeyFromPrivate");async function sr(e){let r=Date.now(),t=qe.get(e);if(t&&r-t.fetchedAt<Br)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let o=await s.json();if(!o.keys||o.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let a=o.keys[0],l=crypto.createPublicKey({key:a,format:"jwk"});return qe.set(e,{publicKey:l,fetchedAt:r}),l}n(sr,"fetchPublicKey");var nr=new Map,or=new Map,ir=new Map;function ar(e){return e.startsWith("RS")||e.startsWith("PS")}n(ar,"isRSA");function dr(e){let r=nr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},nr.set(e,r)),r}n(dr,"getHsSecrets");function zr(e){let r=or.get(e);return r||(r=crypto.createPrivateKey(e),or.set(e,r)),r}n(zr,"getRsPrivateKey");function cr(e){let r=T(e);if(ar(r.algorithm)){let o=zr(e.secret);return {accessKey:o,refreshKey:o}}let{access:t,refresh:s}=dr(e.secret);return {accessKey:t,refreshKey:s}}n(cr,"getSigningKeys");function ur(e,r){let t=T(e);if(ar(t.algorithm))return tr(e.secret);let{access:s,refresh:o}=dr(e.secret);return r==="access"?s:o}n(ur,"getVerifyKey");function lr(e,r,t,s){let o=`${t}:${s}`,a=ir.get(o);return a||(a={expiresIn:t,algorithm:s},ir.set(o,a)),Q__default.default.sign(e,r,a)}n(lr,"sign");function fr(e,r,t){try{let s=Q__default.default.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof Q__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verify");function ee(e,r){let t=T(r),{accessKey:s}=cr(r);return lr(e,s,t.accessExpiresIn,t.algorithm)}n(ee,"signAccessToken");function re(e,r){let t=T(r),{refreshKey:s}=cr(r);return lr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(re,"signRefreshToken");function le(e,r){let t=T(r),s=ur(r,"access");return fr(e,s,t.algorithm)}n(le,"verifyAccessToken");function te(e,r){let t=T(r),s=ur(r,"refresh");return fr(e,s,t.algorithm)}n(te,"verifyRefreshToken");function hr(e,r){try{let t=Q__default.default.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof Q__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(hr,"verifyTokenWithPublicKey");function Oe(e){try{return JSON.parse(e)}catch{return []}}n(Oe,"parseRoles");function Jr(e){return JSON.stringify(e)}n(Jr,"serializeRoles");function pr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(pr,"mapIdentifier");async function se(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(se,"findUserByIdentifierValue");async function fe(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(fe,"findUserById");async function wr(e,r,t){let s=t.map(o=>({id:crypto.randomUUID(),user_id:r,type:o.type,value:o.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(o=>({id:o.id,userId:o.user_id,type:o.type,value:o.value,createdAt:new Date}))}n(wr,"createIdentifiers");async function ne(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(pr)}n(ne,"findIdentifiersByUserId");async function Ue(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?pr(s):null}n(Ue,"findIdentifierById");async function yr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(yr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function _r(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(_r,"deleteIdentifiers");async function gr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(gr,"updateUserPassword");async function Rr(e,r,t){await e.updateTable("sentri_users").set({roles:Jr(t)}).where("id","=",r).execute();}n(Rr,"updateUserRoles");async function Le(e,r){let t=crypto.randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(Le,"createSession");async function he(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Oe(t.roles)}}:null}n(he,"findSessionById");async function me(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(me,"deleteSession");async function kr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(kr,"markSessionReplaced");async function pe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(pe,"deleteAllSessionsForUser");async function Ar(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(Ar,"findSessionsByUserId");async function we(e,r,t){let s=T(r),o=D(r.dialect),a=e.roles??[],l=a.filter(k=>!s.validRolesSet.has(k));if(l.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${l.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let d=e.identifiers.map(k=>({type:k.type.trim(),value:k.value.trim()}));if(new Set(d.map(k=>k.value)).size!==d.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let k of d)if(await se(o,k.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${k.value}`)};let m=await Y(e.password,s.saltRounds),{userId:_,identifierRows:b}=await o.transaction().execute(async k=>{let L=crypto.randomUUID();await k.insertInto("sentri_users").values({id:L,password_hash:m,roles:JSON.stringify(a)}).execute();let K=d.map($=>({id:crypto.randomUUID(),user_id:L,type:$.type,value:$.value}));return await k.insertInto("sentri_identifiers").values(K).execute(),{userId:L,identifierRows:K}}),v={success:true,user:{id:_,roles:a,identifiers:b.map(k=>({id:k.id,type:k.type,value:k.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(v.user),v}n(we,"register");async function ye(e,r,t){let s=T(r),o=D(r.dialect),a=await se(o,e.identifier.trim());if(!a){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}if(!await q(e.password,a.passwordHash)){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:a.id,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),m={id:a.id,roles:a.roles},_=ee({id:a.id,roles:a.roles,sessionId:i.id},r),b=re(i.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(m,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:_,refreshToken:b,user:m}}n(ye,"login");async function B(e,r,t){let s=T(r),o=D(r.dialect),a;try{({sessionId:a}=te(e,r));}catch(v){return v instanceof u?{success:false,error:v}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let l=await he(o,a);if(!l)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(l.replacedBy)return await pe(o,l.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(l.expiresAt.getTime()<Date.now())return await me(o,a),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:l.userId,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await kr(o,a,i.id);let m={id:l.user.id,roles:l.user.roles},_=ee({...m,sessionId:i.id},r),b=re(i.id,r);return {success:true,accessToken:_,refreshToken:b,user:m}}n(B,"refresh");async function Ie(e,r){let t=D(r.dialect),s;try{({sessionId:s}=te(e,r));}catch{return}let o=await he(t,s);o&&(await me(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(o.userId));}n(Ie,"logout");async function _e(e,r){let t=D(r.dialect);await pe(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(_e,"logoutAll");async function ge(e,r){let t=D(r.dialect),s=await fe(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let o=await ne(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:o.map(a=>({id:a.id,type:a.type,value:a.value}))}}}n(ge,"getUser");async function Re(e,r,t,s){let o=T(s),a=D(s.dialect),l=await fe(a,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await q(r,l.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let i=await Y(t,o.saltRounds);return await gr(a,e,i),await pe(a,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(Re,"changePassword");async function ke(e,r,t){let s=T(t),o=D(t.dialect),a=r.filter(m=>!s.validRolesSet.has(m));if(a.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let l=await fe(o,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let d=new Set(l.roles);for(let m of r)d.add(m);let i=Array.from(d);return await Rr(o,e,i),{success:true,user:{id:l.id,roles:i}}}n(ke,"assignRoles");async function Ae(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(d=>({type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o)if(await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)};return await wr(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(Ae,"bulkCreateIdentifiers");async function ve(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(d=>({id:d.id,type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o){let i=await Ue(s,d.id,e);if(!i)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d.id}`)};if(i.value!==d.value&&await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)}}return await s.transaction().execute(async d=>{for(let i of o)await Ir(d,i.id,e,{type:i.type,value:i.value});}),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ee(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let o=Array.from(new Set(r));for(let d of o)if(!await Ue(s,d,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d}`)};return await yr(s,e)-o.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await _r(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))})}n(Ee,"bulkDeleteIdentifiers");async function Er(e,r){let t=D(r.dialect);return (await Ar(t,e)).map(o=>({id:o.id,ipAddress:o.ipAddress,userAgent:o.userAgent,createdAt:o.createdAt,expiresAt:o.expiresAt}))}n(Er,"getSessions");async function Tr(e,r,t){let s=D(t.dialect),o=await he(s,r);o&&o.userId===e&&await me(s,r);}n(Tr,"revokeSession");function P(e){return T(e).cookieName}n(P,"getCookieName");function Te(e){return T(e).accessCookieName}n(Te,"getAccessCookieName");function H(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let o=e.indexOf(";",s),a=o===-1?e.length:o;if(e.startsWith(t,s))return e.slice(s+t.length,a);s=a+1;}}n(H,"readCookie");function oe(e,r,t){let s=t.cookie??{},o=V(T(t).refreshExpiresIn);e.cookie(P(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(oe,"setCookieFromConfig");function xe(e,r){let t=r.cookie??{};e.clearCookie(P(r),{path:t.path??"/"});}n(xe,"clearCookieFromConfig");function ie(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,o=V(T(t).accessExpiresIn);e.cookie(Te(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(ie,"setAccessCookieFromConfig");function Fe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Te(r),{path:t.path??"/"});}n(Fe,"clearAccessCookieFromConfig");function Ne(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):H(e.headers.cookie,Te(r))}n(Ne,"getCurrentAccessToken");function C(e){let r=e.logger??U,t=e.loggerService??"sentri";return e.mode==="client"?Gr(e.keyUri,r,t):Wr(e,r,t)}n(C,"protect");function Gr(e,r,t){return async(s,o,a)=>{let l=s.headers.authorization,d=l?.startsWith("Bearer ")?l.slice(7):void 0,i=s.requestId;if(!d)return r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",...i!==void 0&&{requestId:i}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let m=await sr(e),_=hr(d,m);s.user={id:_.id,roles:_.roles},r.info(p(t,"auth.protect.success",{mode:"client",userId:_.id,...i!==void 0&&{requestId:i}})),a();}catch(m){let _=m instanceof u?m.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:_,...i!==void 0&&{requestId:i}})),a(m);}}}n(Gr,"protectClient");function Wr(e,r,t){return async(s,o,a)=>{let l=Ne(s,e),d=s.requestId;if(!l)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let i=le(l,e);if(e.isTokenRevoked&&await e.isTokenRevoked(i.sessionId))return r.warn(p(t,"auth.protect.token_revoked",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token has been revoked"));s.user={id:i.id,roles:i.roles},r.info(p(t,"auth.protect.success",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a();}catch(i){if(i instanceof u&&i.code==="TOKEN_EXPIRED"){let m=H(s.headers.cookie,P(e));if(!m)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token expired. Please login again."));try{let _=await B(m,e);if(!_.success)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:_.error.code,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));oe(o,_.refreshToken,e),ie(o,_.accessToken,e),o.setHeader("X-New-Access-Token",_.accessToken),s.user=_.user,r.info(p(t,"auth.protect.auto_refresh",{mode:"server",userId:_.user.id,...d!==void 0&&{requestId:d}})),a();}catch{r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));}}else {let m=i instanceof u?i.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:m,...d!==void 0&&{requestId:d}})),a(i);}}}}n(Wr,"protectServer");function xr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return (o,a,l)=>{let d=o.requestId;if(!o.user)return r.warn(p(t,"auth.authorize.unauthenticated",{requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("UNAUTHORIZED","Not authenticated"));let i=o.user.roles;if(!e.some(m=>i.includes(m)))return r.warn(p(t,"auth.authorize.denied",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("FORBIDDEN",s));r.info(p(t,"auth.authorize.passed",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l();}}n(xr,"createAuthorizeHandler");function ae(e,r){return n(function(...s){return xr(s,e,r)},"authorize")}n(ae,"createAuthorize");function Zr(...e){return xr(e,U,"sentri")}n(Zr,"authorize");var Yr=new u("FORBIDDEN","You do not have permission to perform this action");function Nr(e,r,t){return async(s,o,a)=>{let l=s.requestId;if(!s.user)return r.warn(p(t,"auth.permit.unauthenticated",{...l!==void 0&&{requestId:l}})),a(new u("UNAUTHORIZED","Not authenticated"));let d=s.user.id;if(e.roles&&e.roles.length>0){let i=s.user.roles;if(e.roles.some(m=>i.includes(m)))return r.info(p(t,"auth.permit.role_bypass",{userId:d,bypassedByRole:true,...l!==void 0&&{requestId:l}})),a()}try{let i=e.check(s);(i instanceof Promise?await i:i)?(r.info(p(t,"auth.permit.passed",{userId:d,...l!==void 0&&{requestId:l}})),a()):(r.warn(p(t,"auth.permit.denied",{userId:d,...l!==void 0&&{requestId:l}})),a(Yr));}catch(i){a(i);}}}n(Nr,"createPermitHandler");function de(e,r){return n(function(s){return Nr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(de,"createPermit");function qr(e){return Nr(typeof e=="function"?{check:e}:e,U,"sentri")}n(qr,"permit");function ce(e){return (r,t,s,o)=>{if(r instanceof u){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ce,"createErrorHandler");var Dr=new Map;function Cr(e){let r=Dr.get(e);return r||(r=new ioredis.Redis(e,{lazyConnect:true,enableOfflineQueue:false}),r.on("error",t=>{console.error("Sentri Redis Client Error:",t.message);}),Dr.set(e,r)),r}n(Cr,"getRedisClient");function Sr(e){let r=e?.ttl??3e5,t=(e?.header??"X-Idempotency-Key").toLowerCase(),s=new Set((e?.methods??["POST","PUT","PATCH"]).map(a=>a.toUpperCase())),o=e?.redisUrl;return o?et(o,r,t,s):rt(r,t,s,e?.maxSize??1e4)}n(Sr,"createIdempotencyMiddleware");function et(e,r,t,s){let o=Cr(e),a="sentri:idempotency:";return async(l,d,i)=>{let m=l.headers[t];if(!m||typeof m!="string"||!s.has(l.method))return i();l.requestId=m,d.setHeader("X-Request-Id",m);let _=await o.get(`${a}${m}`);if(_){let v=JSON.parse(_);return d.setHeader("X-Idempotent-Replayed","true"),d.status(v.statusCode).json(v.body)}let b=d.json.bind(d);d.json=n(function(k){if(d.statusCode>=200&&d.statusCode<300){let L={statusCode:d.statusCode,body:k,expiresAt:Date.now()+r};o.set(`${a}${m}`,JSON.stringify(L),"PX",r).catch(()=>{});}return b(k)},"idempotentJson"),i();}}n(et,"buildRedisMiddleware");function rt(e,r,t,s){let o=Math.max(e,5e3),a=new Map,l=setInterval(()=>{let d=Date.now();for(let[i,m]of a)m.expiresAt<=d&&a.delete(i);},o);return typeof l=="object"&&l!==null&&"unref"in l&&l.unref(),(d,i,m)=>{let _=d.headers[r];if(!_||typeof _!="string"||!t.has(d.method))return m();d.requestId=_,i.setHeader("X-Request-Id",_);let b=Date.now(),v=a.get(_);if(v&&v.expiresAt>b)return i.setHeader("X-Idempotent-Replayed","true"),i.status(v.statusCode).json(v.body);let k=i.json.bind(i);i.json=n(function(K){if(i.statusCode>=200&&i.statusCode<300){if(a.size>=s){let $=a.keys().next().value;$!==void 0&&a.delete($);}a.set(_,{statusCode:i.statusCode,body:K,expiresAt:Date.now()+e});}return k(K)},"idempotentJson"),m();}}n(rt,"buildMemoryMiddleware");var Pe=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let o=Date.now(),a=this.store.get(r);if((!a||a.expiresAt<o)&&(a={count:0,expiresAt:o+s},this.store.set(r,a)),a.count>t){let l=Math.ceil((a.expiresAt-o)/1e3);throw new Error(`Rate limit exceeded. Try again in ${l} seconds.`)}a.count++;}},Ke=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let o=`sentri:rl:${r}`,a=Math.ceil(s/1e3);try{let l=await this.redis.multi().incr(o).expire(o,a,"NX").exec();if(!l||l.length===0)return;if(l[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(l){if(l instanceof Error&&l.message.includes("Rate limit exceeded"))throw l;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:l});}}},X=null;async function br(e,r){if(X)return X;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),X=new Ke(s,r??U),X}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return X=new Pe,X}n(br,"getRateLimiter");var De=8,z=72,Ce=255,Or=100,J=50;function R(e){return new u("VALIDATION_ERROR",e)}n(R,"badRequest");function S(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}n(S,"ok");function F(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(F,"fail");function M(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}n(M,"parseBody");function st(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(st,"validateApiKey");function $e(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n($e,"fireHook");function nt(e){return e.startsWith("RS")||e.startsWith("PS")}n(nt,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw R(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw R(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Or)throw R(`identifiers[${r}].type must not exceed ${Or} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw R(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ce)throw R(`identifiers[${r}].value must not exceed ${Ce} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function E(e){return e.requestId!==void 0?{requestId:e.requestId}:{}}n(E,"reqId");function Ur(e){let r=express.Router(),t=e,s=T(t),o=e.logger??U,a=e.loggerService??"sentri",l=ae(o,a),d=de(o,a),i=br(e.redisUrl,o),m=e.router?.register??(c=>we(c,t)),_=e.router?.login??(c=>ye(c,t)),b=e.router?.refresh??(c=>B(c,t)),v=e.router?.logout??(c=>c!==void 0?Ie(c,t):Promise.resolve()),k=e.router?.logoutAll??(c=>_e(c,t)),L=e.router?.getUser??(c=>ge(c,t)),K=e.router?.assignRoles??((c,h)=>ke(c,h,t)),$=e.router?.changePassword??((c,h,A)=>Re(c,h,A,t)),Lr=e.router?.bulkCreateIdentifiers??((c,h)=>Ae(c,h,t)),Fr=e.router?.bulkUpdateIdentifiers??((c,h)=>ve(c,h,t)),Pr=e.router?.bulkDeleteIdentifiers??((c,h)=>Ee(c,h,t));nt(s.algorithm)&&r.get("/keys",(c,h)=>{h.setHeader("Cache-Control","public, max-age=3600"),h.json(rr(e.secret));}),r.post("/register",async(c,h,A)=>{let I=Date.now();try{st(c,e);let f=M(c.body),{identifiers:y,password:g,roles:w}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let x=y.map((Z,Se)=>He(Z,Se));if(typeof g!="string"||g.length<De)throw R(`password is required and must be at least ${De} characters`);if(g.length>z)throw R(`password must not exceed ${z} characters`);if(w!==void 0&&!Array.isArray(w))throw R("roles must be an array of strings when provided");if(Array.isArray(w)&&!w.every(Z=>typeof Z=="string"))throw R("each role must be a string");let O=Array.isArray(w)?w:void 0,N=O!==void 0?{identifiers:x,password:g,roles:O}:{identifiers:x,password:g},j=c.ip||"127.0.0.1",G=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let Z=await i,Se=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await Z.consume(`register:${j}`,Se,900*1e3);}let W=await m(N,{ip:j,userAgent:G});if(!W.success){o.warn(p(a,"auth.register.failure",{errorCode:W.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,W.error);return}o.info(p(a,"auth.register.success",{userId:W.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,201,"User registered successfully",{user:W.user});}catch(f){A(f);}}),r.post("/login",async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifier:y,password:g}=f;if(typeof y!="string"||y.trim().length===0)throw R("identifier is required and must be a non-empty string");if(y.length>Ce)throw R(`identifier must not exceed ${Ce} characters`);if(typeof g!="string"||g.length===0)throw R("password is required");if(g.length>z)throw R(`password must not exceed ${z} characters`);let w=y.trim(),x=c.ip||"127.0.0.1",O=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let j=await i,G=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await j.consume(`login:${x}`,G,900*1e3);}let N=await _({identifier:w,password:g},{ip:x,userAgent:O});if(!N.success){$e(()=>e.hooks?.onLoginFailed?.(w,N.error,{ip:x})),o.warn(p(a,"auth.login.failure",{errorCode:N.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,N.error);return}$e(()=>e.hooks?.onLoginSuccess?.(N.user,{ip:x,userAgent:O})),oe(h,N.refreshToken,e),ie(h,N.accessToken,e),o.info(p(a,"auth.login.success",{userId:N.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Login successful",{accessToken:N.accessToken,user:N.user});}catch(f){A(f);}}),r.post("/refresh",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));if(!f)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let y=c.ip||"127.0.0.1",g=c.get("user-agent")||"Unknown",w=await b(f,{ip:y,userAgent:g});if(!w.success){xe(h,e),o.warn(p(a,"auth.refresh.failure",{errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}oe(h,w.refreshToken,e),ie(h,w.accessToken,e),o.info(p(a,"auth.refresh.success",{userId:w.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Token refreshed",{accessToken:w.accessToken});}catch(f){A(f);}}),r.post("/logout",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));await v(f),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout",{duration_ms:Date.now()-I,...E(c)})),S(h,200,"Logged out",null);}catch(f){A(f);}}),r.post("/logout-all",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id;await k(f),$e(()=>e.hooks?.onLogout?.(f)),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout_all",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"All sessions revoked",null);}catch(f){A(f);}}),r.get("/me",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.success",{userId:f.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",f.user);}catch(f){A(f);}}),r.get("/me/identifiers",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.identifiers.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.identifiers.success",{userId:f.user.id,count:f.user.identifiers?.length??0,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{identifiers:f.user.identifiers??[]});}catch(f){A(f);}});let ue=d(c=>!!c.user);return r.post("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>He(x,O)),w=await Lr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.create_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.created",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,201,"Identifiers added successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.put("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>{if(typeof x!="object"||x===null||Array.isArray(x))throw R(`identifiers[${O}] must be an object`);let N=x;if(typeof N.id!="string"||N.id.trim().length===0)throw R(`identifiers[${O}].id is required and must be a non-empty string`);let{type:j,value:G}=He(x,O);return {id:N.id,type:j,value:G}}),w=await Fr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.update_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.updated",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers updated successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.delete("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{ids:y}=f;if(!Array.isArray(y)||y.length===0)throw R("ids is required and must be a non-empty array of strings");if(!y.every(w=>typeof w=="string"))throw R("each id must be a string");let g=await Pr(c.user.id,y);if(!g.success){o.warn(p(a,"auth.identifiers.delete_failure",{userId:c.user.id,errorCode:g.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,g.error);return}o.info(p(a,"auth.identifiers.deleted",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers deleted successfully",{identifiers:g.identifiers});}catch(f){A(f);}}),r.patch("/me/password",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{currentPassword:y,newPassword:g}=f;if(typeof y!="string"||y.length===0)throw R("currentPassword is required");if(typeof g!="string"||g.length<De)throw R(`newPassword must be at least ${De} characters`);if(g.length>z)throw R(`newPassword must not exceed ${z} characters`);if(y===g)throw R("newPassword must be different from currentPassword");let w=await $(c.user.id,y,g);if(!w.success){o.warn(p(a,"auth.password.change_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.password.changed",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Password updated successfully. All sessions have been revoked.",null);}catch(f){A(f);}}),r.post("/users/:userId/roles",C(e),l("admin"),async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{roles:y}=f,g=c.params.userId,w=typeof g=="string"?g:void 0;if(!w)throw R("userId is required");if(!Array.isArray(y)||y.length===0)throw R("roles must be a non-empty array of strings");if(!y.every(O=>typeof O=="string"))throw R("each role must be a string");let x=await K(w,y);if(!x.success){o.warn(p(a,"auth.roles.assign_failure",{targetUserId:w,errorCode:x.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,x.error);return}o.info(p(a,"auth.roles.assigned",{targetUserId:w,roles:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Roles assigned successfully",{user:x.user});}catch(f){A(f);}}),r.use(ce()),r.get("/sessions",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,g=await(e.router?.getSessions??(w=>Er(w,t)))(f);o.info(p(a,"auth.sessions.get",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{sessions:g});}catch(f){A(f);}}),r.delete("/sessions/:id",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,y=c.params.id;await(e.router?.revokeSession??((w,x)=>Tr(w,x,t)))(f,y),o.info(p(a,"auth.sessions.revoke",{userId:f,sessionId:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Session revoked",null);}catch(f){A(f);}}),r}n(Ur,"createAuthRouter");function tn(e){if(e.mode==="client"){let i={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Je(i);let m=i.logger??U,_=i.loggerService??"sentri",b=ae(m,_),v=de(m,_);return {protect:n(()=>C(i),"protect"),authorize:n((...k)=>b(...k),"authorize"),permit:n(k=>v(k),"permit"),errorHandler:n(k=>ce(k),"errorHandler")}}let{privateKey:r}=crypto.generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??U,o=t.loggerService??"sentri",a=T(t),l=ae(s,o),d=de(s,o);return {protect:n(()=>C(t),"protect"),authorize:n((...i)=>l(...i),"authorize"),permit:n(i=>d(i),"permit"),errorHandler:n(i=>ce(i),"errorHandler"),hashPassword:n(i=>Y(i,a.saltRounds),"hashPassword"),verifyPassword:n((i,m)=>q(i,m),"verifyPassword"),signAccessToken:n(i=>ee(i,t),"signAccessToken"),signRefreshToken:n(i=>re(i,t),"signRefreshToken"),verifyAccessToken:n(i=>le(i,t),"verifyAccessToken"),verifyRefreshToken:n(i=>te(i,t),"verifyRefreshToken"),getCurrentAccessToken:n(i=>Ne(i,t),"getCurrentAccessToken"),router:n(()=>Ur(t),"router"),migrate:n(()=>Ge(D(t.dialect)),"migrate"),idempotencyMiddleware:n(i=>Sr({...i,...t.redisUrl!==void 0&&{redisUrl:t.redisUrl}}),"idempotencyMiddleware"),register:n(i=>we(i,t),"register"),login:n(i=>ye(i,t),"login"),refresh:n(i=>B(i,t),"refresh"),logout:n(i=>Ie(i,t),"logout"),logoutAll:n(i=>_e(i,t),"logoutAll"),getUser:n(i=>ge(i,t),"getUser"),changePassword:n((i,m,_)=>Re(i,m,_,t),"changePassword"),assignRoles:n((i,m)=>ke(i,m,t),"assignRoles"),bulkCreateIdentifiers:n((i,m)=>Ae(i,m,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((i,m)=>ve(i,m,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((i,m)=>Ee(i,m,t),"bulkDeleteIdentifiers")}}n(tn,"createAuthExpress");exports.SENTRI_ERROR_STATUS=Me;exports.SentriError=u;exports.authorize=Zr;exports.createAuthExpress=tn;exports.createAuthRouter=Ur;exports.createAuthorize=ae;exports.createErrorHandler=ce;exports.createIdempotencyMiddleware=Sr;exports.createPermit=de;exports.getCurrentAccessToken=Ne;exports.permit=qr;exports.protect=C;
|
|
1
|
+
'use strict';var crypto=require('crypto'),kysely=require('kysely'),Ye=require('bcrypt'),Q=require('jsonwebtoken'),ioredis=require('ioredis'),express=require('express');function _interopDefault(e){return e&&e.__esModule?e:{default:e}}var Ye__default=/*#__PURE__*/_interopDefault(Ye);var Q__default=/*#__PURE__*/_interopDefault(Q);var Kr=Object.defineProperty;var n=(e,r)=>Kr(e,"name",{value:r,configurable:true});var je=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),l=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??je[r]??500;}};var Ve=new WeakMap,Be=32,Xe=10,ze=31;function Ge(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new l("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new l("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Be)throw new l("CONFIGURATION_ERROR",`secret must be at least ${Be} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Xe||s>ze)throw new l("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Xe} and ${ze}`);if(!e.validRoles||e.validRoles.length===0)throw new l("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new l("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new l("CONFIGURATION_ERROR","dialect is required in server mode")}n(Ge,"validateConfig");function k(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(k,"resolveServerConfig");var $r=/^(\d+)([smhdw])$/,Hr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},Je=new Map;function V(e){if(typeof e=="number")return e*1e3;let r=Je.get(e);if(r!==void 0)return r;let t=$r.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Hr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return Je.set(e,i),i}n(V,"parseExpiry");var L={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function p(e,r,t){return {service:e,event:r,...t}}n(p,"buildLogData");async function We(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(We,"runMigrations");var Ze=new Map;function D(e){let r=Ze.get(e);return r||(r=new kysely.Kysely({dialect:e}),Ze.set(e,r)),r}n(D,"getDatabase");async function Y(e,r=12){return Ye__default.default.hash(e,r)}n(Y,"hashPassword");async function q(e,r){return Ye__default.default.compare(e,r)}n(q,"verifyPassword");var qe=new Map,Qe=new Map,Br=3600*1e3;function rr(e){let r=qe.get(e);if(!r){let t=crypto.createPrivateKey(e),s=crypto.createPublicKey(t),i=s.export({format:"jwk"}),f=crypto.createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),c={...i,use:"sig",kid:f};r={kid:f,publicKey:s,jwk:c},qe.set(e,r);}return r}n(rr,"getOrBuildKey");function tr(e){let{jwk:r}=rr(e);return {keys:[r]}}n(tr,"buildJwks");function sr(e){return rr(e).publicKey}n(sr,"getPublicKeyFromPrivate");async function nr(e){let r=Date.now(),t=Qe.get(e);if(t&&r-t.fetchedAt<Br)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new l("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new l("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],f=crypto.createPublicKey({key:o,format:"jwk"});return Qe.set(e,{publicKey:f,fetchedAt:r}),f}n(nr,"fetchPublicKey");var ir=new Map,or=new Map,ar=new Map;function dr(e){return e.startsWith("RS")||e.startsWith("PS")}n(dr,"isRSA");function ur(e){let r=ir.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},ir.set(e,r)),r}n(ur,"getHsSecrets");function zr(e){let r=or.get(e);return r||(r=crypto.createPrivateKey(e),or.set(e,r)),r}n(zr,"getRsPrivateKey");function cr(e){let r=k(e);if(dr(r.algorithm)){let i=zr(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ur(e.secret);return {accessKey:t,refreshKey:s}}n(cr,"getSigningKeys");function lr(e,r){let t=k(e);if(dr(t.algorithm))return sr(e.secret);let{access:s,refresh:i}=ur(e.secret);return r==="access"?s:i}n(lr,"getVerifyKey");function fr(e,r,t,s){let i=`${t}:${s}`,o=ar.get(i);return o||(o={expiresIn:t,algorithm:s},ar.set(i,o)),Q__default.default.sign(e,r,o)}n(fr,"sign");function hr(e,r,t){try{let s=Q__default.default.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new l("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof l?s:s instanceof Q__default.default.TokenExpiredError?new l("TOKEN_EXPIRED","Token has expired"):new l("TOKEN_INVALID","Token is invalid or malformed")}}n(hr,"verify");function ee(e,r){let t=k(r),{accessKey:s}=cr(r);return fr(e,s,t.accessExpiresIn,t.algorithm)}n(ee,"signAccessToken");function re(e,r){let t=k(r),{refreshKey:s}=cr(r);return fr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(re,"signRefreshToken");function fe(e,r){let t=k(r),s=lr(r,"access");return hr(e,s,t.algorithm)}n(fe,"verifyAccessToken");function te(e,r){let t=k(r),s=lr(r,"refresh");return hr(e,s,t.algorithm)}n(te,"verifyRefreshToken");function mr(e,r){try{let t=Q__default.default.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new l("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof l?t:t instanceof Q__default.default.TokenExpiredError?new l("TOKEN_EXPIRED","Token has expired"):new l("TOKEN_INVALID","Token is invalid or malformed")}}n(mr,"verifyTokenWithPublicKey");function Ue(e){try{return JSON.parse(e)}catch{return []}}n(Ue,"parseRoles");function Jr(e){return JSON.stringify(e)}n(Jr,"serializeRoles");function wr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(wr,"mapIdentifier");async function se(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ue(t.roles)}:null}n(se,"findUserByIdentifierValue");async function he(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ue(t.roles)}:null}n(he,"findUserById");async function yr(e,r,t){let s=t.map(i=>({id:crypto.randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(yr,"createIdentifiers");async function ne(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(wr)}n(ne,"findIdentifiersByUserId");async function Le(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?wr(s):null}n(Le,"findIdentifierById");async function Ir(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(Ir,"countIdentifiersByUserId");async function Rr(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Rr,"updateIdentifier");async function _r(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(_r,"deleteIdentifiers");async function gr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(gr,"updateUserPassword");async function vr(e,r,t){await e.updateTable("sentri_users").set({roles:Jr(t)}).where("id","=",r).execute();}n(vr,"updateUserRoles");async function Fe(e,r){let t=crypto.randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(Fe,"createSession");async function me(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ue(t.roles)}}:null}n(me,"findSessionById");async function pe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(pe,"deleteSession");async function Ar(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(Ar,"markSessionReplaced");async function we(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(we,"deleteAllSessionsForUser");async function kr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(kr,"findSessionsByUserId");async function ye(e,r,t){let s=k(r),i=D(r.dialect),o=e.roles??[],f=o.filter(A=>!s.validRolesSet.has(A));if(f.length>0)return {success:false,error:new l("INVALID_ROLE",`Invalid roles: ${f.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one identifier is required")};let c=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),a=c.filter(A=>!s.validIdentifiersSet.has(A.type));if(a.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${a.map(A=>A.type).join(", ")}`)};if(new Set(c.map(A=>A.value)).size!==c.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of c)if(await se(i,A.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let w=await Y(e.password,s.saltRounds),{userId:C,identifierRows:T}=await i.transaction().execute(async A=>{let P=crypto.randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:w,roles:JSON.stringify(o)}).execute();let $=c.map(ce=>({id:crypto.randomUUID(),user_id:P,type:ce.type,value:ce.value}));return await A.insertInto("sentri_identifiers").values($).execute(),{userId:P,identifierRows:$}}),S={success:true,user:{id:C,roles:o,identifiers:T.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(S.user),S}n(ye,"register");async function Ie(e,r,t){let s=k(r),i=D(r.dialect),o=await se(i,e.identifier.trim());if(!o){let T=new l("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,T,{ip:t?.ip??""}),{success:false,error:T}}if(!await q(e.password,o.passwordHash)){let T=new l("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,T,{ip:t?.ip??""}),{success:false,error:T}}let c=new Date(Date.now()+V(s.refreshExpiresIn)),a=await Fe(i,{userId:o.id,expiresAt:c,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),u={id:o.id,roles:o.roles},w=ee({id:o.id,roles:o.roles,sessionId:a.id},r),C=re(a.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(u,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:w,refreshToken:C,user:u}}n(Ie,"login");async function B(e,r,t){let s=k(r),i=D(r.dialect),o;try{({sessionId:o}=te(e,r));}catch(T){return T instanceof l?{success:false,error:T}:{success:false,error:new l("TOKEN_INVALID","Invalid refresh token")}}let f=await me(i,o);if(!f)return {success:false,error:new l("UNAUTHORIZED","Session not found or revoked")};if(f.replacedBy)return await we(i,f.userId),{success:false,error:new l("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(f.expiresAt.getTime()<Date.now())return await pe(i,o),{success:false,error:new l("TOKEN_EXPIRED","Session has expired")};let c=new Date(Date.now()+V(s.refreshExpiresIn)),a=await Fe(i,{userId:f.userId,expiresAt:c,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await Ar(i,o,a.id);let u={id:f.user.id,roles:f.user.roles},w=ee({...u,sessionId:a.id},r),C=re(a.id,r);return {success:true,accessToken:w,refreshToken:C,user:u}}n(B,"refresh");async function Re(e,r){let t=D(r.dialect),s;try{({sessionId:s}=te(e,r));}catch{return}let i=await me(t,s);i&&(await pe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(Re,"logout");async function _e(e,r){let t=D(r.dialect);await we(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(_e,"logoutAll");async function ge(e,r){let t=D(r.dialect),s=await he(t,e);if(!s)return {success:false,error:new l("USER_NOT_FOUND","User not found")};let i=await ne(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ge,"getUser");async function ve(e,r,t,s){let i=k(s),o=D(s.dialect),f=await he(o,e);if(!f)return {success:false,error:new l("USER_NOT_FOUND","User not found")};if(!await q(r,f.passwordHash))return {success:false,error:new l("INVALID_CREDENTIALS","Invalid credentials")};let a=await Y(t,i.saltRounds);return await gr(o,e,a),await we(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(ve,"changePassword");async function Ae(e,r,t){let s=k(t),i=D(t.dialect),o=r.filter(u=>!s.validRolesSet.has(u));if(o.length>0)return {success:false,error:new l("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let f=await he(i,e);if(!f)return {success:false,error:new l("USER_NOT_FOUND","User not found")};let c=new Set(f.roles);for(let u of r)c.add(u);let a=Array.from(c);return await vr(i,e,a),{success:true,user:{id:f.id,roles:a}}}n(Ae,"assignRoles");async function ke(e,r,t){let s=k(t),i=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(u=>({type:u.type.trim(),value:u.value.trim()})),f=o.filter(u=>!s.validIdentifiersSet.has(u.type));if(f.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${f.map(u=>u.type).join(", ")}`)};if(new Set(o.map(u=>u.value)).size!==o.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let u of o)if(await se(i,u.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${u.value}`)};return await yr(i,e,o),{success:true,identifiers:(await ne(i,e)).map(u=>({id:u.id,type:u.type,value:u.value}))}}n(ke,"bulkCreateIdentifiers");async function Ee(e,r,t){let s=k(t),i=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one update is required")};let o=r.map(u=>({id:u.id,type:u.type.trim(),value:u.value.trim()})),f=o.filter(u=>!s.validIdentifiersSet.has(u.type));if(f.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${f.map(u=>u.type).join(", ")}`)};if(new Set(o.map(u=>u.value)).size!==o.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let u of o){let w=await Le(i,u.id,e);if(!w)return {success:false,error:new l("IDENTIFIER_NOT_FOUND",`Identifier not found: ${u.id}`)};if(w.value!==u.value&&await se(i,u.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${u.value}`)}}return await i.transaction().execute(async u=>{for(let w of o)await Rr(u,w.id,e,{type:w.type,value:w.value});}),{success:true,identifiers:(await ne(i,e)).map(u=>({id:u.id,type:u.type,value:u.value}))}}n(Ee,"bulkUpdateIdentifiers");async function Te(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let c of i)if(!await Le(s,c,e))return {success:false,error:new l("IDENTIFIER_NOT_FOUND",`Identifier not found: ${c}`)};return await Ir(s,e)-i.length<1?{success:false,error:new l("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await _r(s,e,i),{success:true,identifiers:(await ne(s,e)).map(c=>({id:c.id,type:c.type,value:c.value}))})}n(Te,"bulkDeleteIdentifiers");async function Tr(e,r){let t=D(r.dialect);return (await kr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(Tr,"getSessions");async function xr(e,r,t){let s=D(t.dialect),i=await me(s,r);i&&i.userId===e&&await pe(s,r);}n(xr,"revokeSession");function K(e){return k(e).cookieName}n(K,"getCookieName");function xe(e){return k(e).accessCookieName}n(xe,"getAccessCookieName");function H(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(H,"readCookie");function ie(e,r,t){let s=t.cookie??{},i=V(k(t).refreshExpiresIn);e.cookie(K(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(ie,"setCookieFromConfig");function Ne(e,r){let t=r.cookie??{};e.clearCookie(K(r),{path:t.path??"/"});}n(Ne,"clearCookieFromConfig");function oe(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=V(k(t).accessExpiresIn);e.cookie(xe(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(oe,"setAccessCookieFromConfig");function Pe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(xe(r),{path:t.path??"/"});}n(Pe,"clearAccessCookieFromConfig");function De(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):H(e.headers.cookie,xe(r))}n(De,"getCurrentAccessToken");function O(e){let r=e.logger??L,t=e.loggerService??"sentri";return e.mode==="client"?Gr(e.keyUri,r,t):Wr(e,r,t)}n(O,"protect");function Gr(e,r,t){return async(s,i,o)=>{let f=s.headers.authorization,c=f?.startsWith("Bearer ")?f.slice(7):void 0,a=s.requestId;if(!c)return r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",...a!==void 0&&{requestId:a}})),o(new l("UNAUTHORIZED","Missing or malformed Authorization header"));try{let u=await nr(e),w=mr(c,u);s.user={id:w.id,roles:w.roles},r.info(p(t,"auth.protect.success",{mode:"client",userId:w.id,...a!==void 0&&{requestId:a}})),o();}catch(u){let w=u instanceof l?u.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:w,...a!==void 0&&{requestId:a}})),o(u);}}}n(Gr,"protectClient");function Wr(e,r,t){return async(s,i,o)=>{let f=De(s,e),c=s.requestId;if(!f)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Missing or malformed Authorization header"));try{let a=fe(f,e);if(e.isTokenRevoked&&await e.isTokenRevoked(a.sessionId))return r.warn(p(t,"auth.protect.token_revoked",{mode:"server",userId:a.id,...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Token has been revoked"));s.user={id:a.id,roles:a.roles},r.info(p(t,"auth.protect.success",{mode:"server",userId:a.id,...c!==void 0&&{requestId:c}})),o();}catch(a){if(a instanceof l&&a.code==="TOKEN_EXPIRED"){let u=H(s.headers.cookie,K(e));if(!u)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Token expired. Please login again."));try{let w=await B(u,e);if(!w.success)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:w.error.code,...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Session expired. Please login again."));ie(i,w.refreshToken,e),oe(i,w.accessToken,e),i.setHeader("X-New-Access-Token",w.accessToken),s.user=w.user,r.info(p(t,"auth.protect.auto_refresh",{mode:"server",userId:w.user.id,...c!==void 0&&{requestId:c}})),o();}catch{r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Session expired. Please login again."));}}else {let u=a instanceof l?a.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:u,...c!==void 0&&{requestId:c}})),o(a);}}}}n(Wr,"protectServer");function Nr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return (i,o,f)=>{let c=i.requestId;if(!i.user)return r.warn(p(t,"auth.authorize.unauthenticated",{requiredRoles:e,...c!==void 0&&{requestId:c}})),f(new l("UNAUTHORIZED","Not authenticated"));let a=i.user.roles;if(!e.some(u=>a.includes(u)))return r.warn(p(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...a],requiredRoles:e,...c!==void 0&&{requestId:c}})),f(new l("FORBIDDEN",s));r.info(p(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...a],requiredRoles:e,...c!==void 0&&{requestId:c}})),f();}}n(Nr,"createAuthorizeHandler");function ae(e,r){return n(function(...s){return Nr(s,e,r)},"authorize")}n(ae,"createAuthorize");function Zr(...e){return Nr(e,L,"sentri")}n(Zr,"authorize");var Yr=new l("FORBIDDEN","You do not have permission to perform this action");function Dr(e,r,t){return async(s,i,o)=>{let f=s.requestId;if(!s.user)return r.warn(p(t,"auth.permit.unauthenticated",{...f!==void 0&&{requestId:f}})),o(new l("UNAUTHORIZED","Not authenticated"));let c=s.user.id;if(e.roles&&e.roles.length>0){let a=s.user.roles;if(e.roles.some(u=>a.includes(u)))return r.info(p(t,"auth.permit.role_bypass",{userId:c,bypassedByRole:true,...f!==void 0&&{requestId:f}})),o()}try{let a=e.check(s);(a instanceof Promise?await a:a)?(r.info(p(t,"auth.permit.passed",{userId:c,...f!==void 0&&{requestId:f}})),o()):(r.warn(p(t,"auth.permit.denied",{userId:c,...f!==void 0&&{requestId:f}})),o(Yr));}catch(a){o(a);}}}n(Dr,"createPermitHandler");function de(e,r){return n(function(s){return Dr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(de,"createPermit");function qr(e){return Dr(typeof e=="function"?{check:e}:e,L,"sentri")}n(qr,"permit");function ue(e){return (r,t,s,i)=>{if(r instanceof l){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ue,"createErrorHandler");var Sr=new Map;function Cr(e){let r=Sr.get(e);return r||(r=new ioredis.Redis(e,{lazyConnect:true,enableOfflineQueue:false}),r.on("error",t=>{console.error("Sentri Redis Client Error:",t.message);}),Sr.set(e,r)),r}n(Cr,"getRedisClient");function Or(e){let r=e?.ttl??3e5,t=(e?.header??"X-Idempotency-Key").toLowerCase(),s=new Set((e?.methods??["POST","PUT","PATCH"]).map(o=>o.toUpperCase())),i=e?.redisUrl;return i?et(i,r,t,s):rt(r,t,s,e?.maxSize??1e4)}n(Or,"createIdempotencyMiddleware");function et(e,r,t,s){let i=Cr(e),o="sentri:idempotency:";return async(f,c,a)=>{let u=f.headers[t];if(!u||typeof u!="string"||!s.has(f.method))return a();f.requestId=u,c.setHeader("X-Request-Id",u);let w=await i.get(`${o}${u}`);if(w){let T=JSON.parse(w);return c.setHeader("X-Idempotent-Replayed","true"),c.status(T.statusCode).json(T.body)}let C=c.json.bind(c);c.json=n(function(S){if(c.statusCode>=200&&c.statusCode<300){let A={statusCode:c.statusCode,body:S,expiresAt:Date.now()+r};i.set(`${o}${u}`,JSON.stringify(A),"PX",r).catch(()=>{});}return C(S)},"idempotentJson"),a();}}n(et,"buildRedisMiddleware");function rt(e,r,t,s){let i=Math.max(e,5e3),o=new Map,f=setInterval(()=>{let c=Date.now();for(let[a,u]of o)u.expiresAt<=c&&o.delete(a);},i);return typeof f=="object"&&f!==null&&"unref"in f&&f.unref(),(c,a,u)=>{let w=c.headers[r];if(!w||typeof w!="string"||!t.has(c.method))return u();c.requestId=w,a.setHeader("X-Request-Id",w);let C=Date.now(),T=o.get(w);if(T&&T.expiresAt>C)return a.setHeader("X-Idempotent-Replayed","true"),a.status(T.statusCode).json(T.body);let S=a.json.bind(a);a.json=n(function(P){if(a.statusCode>=200&&a.statusCode<300){if(o.size>=s){let $=o.keys().next().value;$!==void 0&&o.delete($);}o.set(w,{statusCode:a.statusCode,body:P,expiresAt:Date.now()+e});}return S(P)},"idempotentJson"),u();}}n(rt,"buildMemoryMiddleware");var Ke=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>t){let f=Math.ceil((o.expiresAt-i)/1e3);throw new Error(`Rate limit exceeded. Try again in ${f} seconds.`)}o.count++;}},$e=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let f=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!f||f.length===0)return;if(f[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(f){if(f instanceof Error&&f.message.includes("Rate limit exceeded"))throw f;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:f});}}},X=null;async function br(e,r){if(X)return X;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),X=new $e(s,r??L),X}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return X=new Ke,X}n(br,"getRateLimiter");var Se=8,z=72,Ce=255,Ur=100,J=50;function g(e){return new l("VALIDATION_ERROR",e)}n(g,"badRequest");function b(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}n(b,"ok");function F(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(F,"fail");function M(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new l("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}n(M,"parseBody");function st(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new l("UNAUTHORIZED","Invalid or missing API key")}n(st,"validateApiKey");function He(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(He,"fireHook");function nt(e){return e.startsWith("RS")||e.startsWith("PS")}n(nt,"isRSA");function Me(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw g(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw g(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Ur)throw g(`identifiers[${r}].type must not exceed ${Ur} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw g(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ce)throw g(`identifiers[${r}].value must not exceed ${Ce} characters`);return {type:t.type,value:t.value}}n(Me,"validateIdentifierInput");function E(e){return e.requestId!==void 0?{requestId:e.requestId}:{}}n(E,"reqId");function Lr(e){let r=express.Router(),t=e,s=k(t),i=e.logger??L,o=e.loggerService??"sentri",f=ae(i,o),c=de(i,o),a=br(e.redisUrl,i),u=e.router?.register??(d=>ye(d,t)),w=e.router?.login??(d=>Ie(d,t)),C=e.router?.refresh??(d=>B(d,t)),T=e.router?.logout??(d=>d!==void 0?Re(d,t):Promise.resolve()),S=e.router?.logoutAll??(d=>_e(d,t)),A=e.router?.getUser??(d=>ge(d,t)),P=e.router?.assignRoles??((d,m)=>Ae(d,m,t)),$=e.router?.changePassword??((d,m,v)=>ve(d,m,v,t)),ce=e.router?.bulkCreateIdentifiers??((d,m)=>ke(d,m,t)),Fr=e.router?.bulkUpdateIdentifiers??((d,m)=>Ee(d,m,t)),Pr=e.router?.bulkDeleteIdentifiers??((d,m)=>Te(d,m,t));nt(s.algorithm)&&r.get("/keys",(d,m)=>{m.setHeader("Cache-Control","public, max-age=3600"),m.json(tr(e.secret));}),r.post("/register",async(d,m,v)=>{let R=Date.now();try{st(d,e);let h=M(d.body),{identifiers:I,password:_,roles:y}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let x=I.map((Z,Oe)=>Me(Z,Oe));if(typeof _!="string"||_.length<Se)throw g(`password is required and must be at least ${Se} characters`);if(_.length>z)throw g(`password must not exceed ${z} characters`);if(y!==void 0&&!Array.isArray(y))throw g("roles must be an array of strings when provided");if(Array.isArray(y)&&!y.every(Z=>typeof Z=="string"))throw g("each role must be a string");let U=Array.isArray(y)?y:void 0,N=U!==void 0?{identifiers:x,password:_,roles:U}:{identifiers:x,password:_},j=d.ip||"127.0.0.1",G=d.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let Z=await a,Oe=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await Z.consume(`register:${j}`,Oe,900*1e3);}let W=await u(N,{ip:j,userAgent:G});if(!W.success){i.warn(p(o,"auth.register.failure",{errorCode:W.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,W.error);return}i.info(p(o,"auth.register.success",{userId:W.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,201,"User registered successfully",{user:W.user});}catch(h){v(h);}}),r.post("/login",async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifier:I,password:_}=h;if(typeof I!="string"||I.trim().length===0)throw g("identifier is required and must be a non-empty string");if(I.length>Ce)throw g(`identifier must not exceed ${Ce} characters`);if(typeof _!="string"||_.length===0)throw g("password is required");if(_.length>z)throw g(`password must not exceed ${z} characters`);let y=I.trim(),x=d.ip||"127.0.0.1",U=d.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let j=await a,G=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await j.consume(`login:${x}`,G,900*1e3);}let N=await w({identifier:y,password:_},{ip:x,userAgent:U});if(!N.success){He(()=>e.hooks?.onLoginFailed?.(y,N.error,{ip:x})),i.warn(p(o,"auth.login.failure",{errorCode:N.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,N.error);return}He(()=>e.hooks?.onLoginSuccess?.(N.user,{ip:x,userAgent:U})),ie(m,N.refreshToken,e),oe(m,N.accessToken,e),i.info(p(o,"auth.login.success",{userId:N.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Login successful",{accessToken:N.accessToken,user:N.user});}catch(h){v(h);}}),r.post("/refresh",async(d,m,v)=>{let R=Date.now();try{let h=H(d.headers.cookie,K(e));if(!h)throw new l("UNAUTHORIZED","Refresh token cookie is missing");let I=d.ip||"127.0.0.1",_=d.get("user-agent")||"Unknown",y=await C(h,{ip:I,userAgent:_});if(!y.success){Ne(m,e),i.warn(p(o,"auth.refresh.failure",{errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}ie(m,y.refreshToken,e),oe(m,y.accessToken,e),i.info(p(o,"auth.refresh.success",{userId:y.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Token refreshed",{accessToken:y.accessToken});}catch(h){v(h);}}),r.post("/logout",async(d,m,v)=>{let R=Date.now();try{let h=H(d.headers.cookie,K(e));await T(h),Ne(m,e),Pe(m,e),i.info(p(o,"auth.logout",{duration_ms:Date.now()-R,...E(d)})),b(m,200,"Logged out",null);}catch(h){v(h);}}),r.post("/logout-all",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id;await S(h),He(()=>e.hooks?.onLogout?.(h)),Ne(m,e),Pe(m,e),i.info(p(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-R,...E(d)})),b(m,200,"All sessions revoked",null);}catch(h){v(h);}}),r.get("/me",O(e),async(d,m,v)=>{let R=Date.now();try{let h=await A(d.user.id);if(!h.success){i.warn(p(o,"auth.me.failure",{userId:d.user.id,errorCode:h.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,h.error);return}i.info(p(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",h.user);}catch(h){v(h);}}),r.get("/me/identifiers",O(e),async(d,m,v)=>{let R=Date.now();try{let h=await A(d.user.id);if(!h.success){i.warn(p(o,"auth.me.identifiers.failure",{userId:d.user.id,errorCode:h.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,h.error);return}i.info(p(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",{identifiers:h.user.identifiers??[]});}catch(h){v(h);}});let le=c(d=>!!d.user);return r.post("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifiers:I}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let _=I.map((x,U)=>Me(x,U)),y=await ce(d.user.id,_);if(!y.success){i.warn(p(o,"auth.identifiers.create_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.identifiers.created",{userId:d.user.id,count:y.identifiers.length,duration_ms:Date.now()-R,...E(d)})),b(m,201,"Identifiers added successfully",{identifiers:y.identifiers});}catch(h){v(h);}}),r.put("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifiers:I}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let _=I.map((x,U)=>{if(typeof x!="object"||x===null||Array.isArray(x))throw g(`identifiers[${U}] must be an object`);let N=x;if(typeof N.id!="string"||N.id.trim().length===0)throw g(`identifiers[${U}].id is required and must be a non-empty string`);let{type:j,value:G}=Me(x,U);return {id:N.id,type:j,value:G}}),y=await Fr(d.user.id,_);if(!y.success){i.warn(p(o,"auth.identifiers.update_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.identifiers.updated",{userId:d.user.id,count:y.identifiers.length,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Identifiers updated successfully",{identifiers:y.identifiers});}catch(h){v(h);}}),r.delete("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{ids:I}=h;if(!Array.isArray(I)||I.length===0)throw g("ids is required and must be a non-empty array of strings");if(!I.every(y=>typeof y=="string"))throw g("each id must be a string");let _=await Pr(d.user.id,I);if(!_.success){i.warn(p(o,"auth.identifiers.delete_failure",{userId:d.user.id,errorCode:_.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,_.error);return}i.info(p(o,"auth.identifiers.deleted",{userId:d.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Identifiers deleted successfully",{identifiers:_.identifiers});}catch(h){v(h);}}),r.patch("/me/password",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{currentPassword:I,newPassword:_}=h;if(typeof I!="string"||I.length===0)throw g("currentPassword is required");if(typeof _!="string"||_.length<Se)throw g(`newPassword must be at least ${Se} characters`);if(_.length>z)throw g(`newPassword must not exceed ${z} characters`);if(I===_)throw g("newPassword must be different from currentPassword");let y=await $(d.user.id,I,_);if(!y.success){i.warn(p(o,"auth.password.change_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.password.changed",{userId:d.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Password updated successfully. All sessions have been revoked.",null);}catch(h){v(h);}}),r.post("/users/:userId/roles",O(e),f("admin"),async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{roles:I}=h,_=d.params.userId,y=typeof _=="string"?_:void 0;if(!y)throw g("userId is required");if(!Array.isArray(I)||I.length===0)throw g("roles must be a non-empty array of strings");if(!I.every(U=>typeof U=="string"))throw g("each role must be a string");let x=await P(y,I);if(!x.success){i.warn(p(o,"auth.roles.assign_failure",{targetUserId:y,errorCode:x.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,x.error);return}i.info(p(o,"auth.roles.assigned",{targetUserId:y,roles:I,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Roles assigned successfully",{user:x.user});}catch(h){v(h);}}),r.use(ue()),r.get("/sessions",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id,_=await(e.router?.getSessions??(y=>Tr(y,t)))(h);i.info(p(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",{sessions:_});}catch(h){v(h);}}),r.delete("/sessions/:id",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id,I=d.params.id;await(e.router?.revokeSession??((y,x)=>xr(y,x,t)))(h,I),i.info(p(o,"auth.sessions.revoke",{userId:h,sessionId:I,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Session revoked",null);}catch(h){v(h);}}),r}n(Lr,"createAuthRouter");function tn(e){if(e.mode==="client"){let a={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Ge(a);let u=a.logger??L,w=a.loggerService??"sentri",C=ae(u,w),T=de(u,w);return {protect:n(()=>O(a),"protect"),authorize:n((...S)=>C(...S),"authorize"),permit:n(S=>T(S),"permit"),errorHandler:n(S=>ue(S),"errorHandler")}}let{privateKey:r}=crypto.generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??L,i=t.loggerService??"sentri",o=k(t),f=ae(s,i),c=de(s,i);return {protect:n(()=>O(t),"protect"),authorize:n((...a)=>f(...a),"authorize"),permit:n(a=>c(a),"permit"),errorHandler:n(a=>ue(a),"errorHandler"),hashPassword:n(a=>Y(a,o.saltRounds),"hashPassword"),verifyPassword:n((a,u)=>q(a,u),"verifyPassword"),signAccessToken:n(a=>ee(a,t),"signAccessToken"),signRefreshToken:n(a=>re(a,t),"signRefreshToken"),verifyAccessToken:n(a=>fe(a,t),"verifyAccessToken"),verifyRefreshToken:n(a=>te(a,t),"verifyRefreshToken"),getCurrentAccessToken:n(a=>De(a,t),"getCurrentAccessToken"),router:n(()=>Lr(t),"router"),migrate:n(()=>We(D(t.dialect)),"migrate"),idempotencyMiddleware:n(a=>Or({...a,...t.redisUrl!==void 0&&{redisUrl:t.redisUrl}}),"idempotencyMiddleware"),register:n(a=>ye(a,t),"register"),login:n(a=>Ie(a,t),"login"),refresh:n(a=>B(a,t),"refresh"),logout:n(a=>Re(a,t),"logout"),logoutAll:n(a=>_e(a,t),"logoutAll"),getUser:n(a=>ge(a,t),"getUser"),changePassword:n((a,u,w)=>ve(a,u,w,t),"changePassword"),assignRoles:n((a,u)=>Ae(a,u,t),"assignRoles"),bulkCreateIdentifiers:n((a,u)=>ke(a,u,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((a,u)=>Ee(a,u,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((a,u)=>Te(a,u,t),"bulkDeleteIdentifiers")}}n(tn,"createAuthExpress");exports.SENTRI_ERROR_STATUS=je;exports.SentriError=l;exports.authorize=Zr;exports.createAuthExpress=tn;exports.createAuthRouter=Lr;exports.createAuthorize=ae;exports.createErrorHandler=ue;exports.createIdempotencyMiddleware=Or;exports.createPermit=de;exports.getCurrentAccessToken=De;exports.permit=qr;exports.protect=O;
|
|
@@ -244,6 +244,7 @@ declare global {
|
|
|
244
244
|
interface CreateExpressServerOptions<TRole extends string = string> {
|
|
245
245
|
mode: 'server';
|
|
246
246
|
validRoles: readonly TRole[];
|
|
247
|
+
validIdentifiers?: readonly string[];
|
|
247
248
|
dialect: kysely.Dialect;
|
|
248
249
|
accessExpiresIn?: string | number;
|
|
249
250
|
refreshExpiresIn?: string | number;
|
|
@@ -266,10 +267,14 @@ interface CreateExpressClientOptions<TRole extends string = string> {
|
|
|
266
267
|
loggerService?: string;
|
|
267
268
|
}
|
|
268
269
|
interface AuthExpressClient<TRole extends string = string> {
|
|
270
|
+
/** Middleware that ensures the request has a valid access token. Attaches `req.user`. */
|
|
269
271
|
protect(): RequestHandler;
|
|
272
|
+
/** Middleware that ensures the user has AT LEAST ONE of the required roles. */
|
|
270
273
|
authorize(...roles: TRole[]): RequestHandler;
|
|
274
|
+
/** Middleware that evaluates a custom authorization condition or ABAC rules. */
|
|
271
275
|
permit(check: PermitCheck): RequestHandler;
|
|
272
276
|
permit(options: PermitOptions<TRole>): RequestHandler;
|
|
277
|
+
/** Express error handler that converts Sentri errors to standardized JSON responses. */
|
|
273
278
|
errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
|
|
274
279
|
}
|
|
275
280
|
interface ServerAuthExpressClient<TRole extends string = string> extends AuthExpressClient<TRole> {
|
|
@@ -282,8 +287,11 @@ interface ServerAuthExpressClient<TRole extends string = string> extends AuthExp
|
|
|
282
287
|
sessionId: string;
|
|
283
288
|
};
|
|
284
289
|
getCurrentAccessToken(request: Request): string | undefined;
|
|
290
|
+
/** Returns an Express Router containing all auth endpoints (e.g. POST /register). */
|
|
285
291
|
router(): Router;
|
|
292
|
+
/** Runs Kysely database migrations for Sentri tables. */
|
|
286
293
|
migrate(): Promise<void>;
|
|
294
|
+
/** Middleware to prevent duplicate requests using idempotency keys. */
|
|
287
295
|
idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
|
|
288
296
|
register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
|
|
289
297
|
login(input: LoginInput): Promise<AuthResult<TRole>>;
|
|
@@ -303,6 +311,10 @@ interface ServerAuthExpressClient<TRole extends string = string> extends AuthExp
|
|
|
303
311
|
}
|
|
304
312
|
type ClientAuthExpressClient<TRole extends string = string> = AuthExpressClient<TRole>;
|
|
305
313
|
declare function createAuthExpress<TRole extends string = string>(options: CreateExpressServerOptions<TRole>): ServerAuthExpressClient<TRole>;
|
|
314
|
+
/**
|
|
315
|
+
* Creates an Express authentication client (Client Mode).
|
|
316
|
+
* Used for microservices that only verify tokens issued by a separate auth server.
|
|
317
|
+
*/
|
|
306
318
|
declare function createAuthExpress<TRole extends string = string>(options: CreateExpressClientOptions<TRole>): ClientAuthExpressClient<TRole>;
|
|
307
319
|
|
|
308
320
|
export { AccessCookieConfig, AssignRolesResult, AuthConfig, type AuthExpressClient, AuthHooks, AuthResult, AuthUser, BulkIdentifiersResult, ChangePasswordResult, type ClientAuthExpressClient, CookieConfig, type CreateExpressClientOptions, type CreateExpressServerOptions, type ErrorHandlerOptions, GetUserResult, type IdempotencyOptions, IdentifierInput, LoginInput, type PermitCheck, type PermitOptions, RefreshResult, RegisterInput, RegisterResult, RouterHandlers, SentriLogger, ServerAuthConfig, type ServerAuthExpressClient, authorize, createAuthExpress, createAuthRouter, createAuthorize, createErrorHandler, createIdempotencyMiddleware, createPermit, getCurrentAccessToken, permit, protect };
|
|
@@ -244,6 +244,7 @@ declare global {
|
|
|
244
244
|
interface CreateExpressServerOptions<TRole extends string = string> {
|
|
245
245
|
mode: 'server';
|
|
246
246
|
validRoles: readonly TRole[];
|
|
247
|
+
validIdentifiers?: readonly string[];
|
|
247
248
|
dialect: kysely.Dialect;
|
|
248
249
|
accessExpiresIn?: string | number;
|
|
249
250
|
refreshExpiresIn?: string | number;
|
|
@@ -266,10 +267,14 @@ interface CreateExpressClientOptions<TRole extends string = string> {
|
|
|
266
267
|
loggerService?: string;
|
|
267
268
|
}
|
|
268
269
|
interface AuthExpressClient<TRole extends string = string> {
|
|
270
|
+
/** Middleware that ensures the request has a valid access token. Attaches `req.user`. */
|
|
269
271
|
protect(): RequestHandler;
|
|
272
|
+
/** Middleware that ensures the user has AT LEAST ONE of the required roles. */
|
|
270
273
|
authorize(...roles: TRole[]): RequestHandler;
|
|
274
|
+
/** Middleware that evaluates a custom authorization condition or ABAC rules. */
|
|
271
275
|
permit(check: PermitCheck): RequestHandler;
|
|
272
276
|
permit(options: PermitOptions<TRole>): RequestHandler;
|
|
277
|
+
/** Express error handler that converts Sentri errors to standardized JSON responses. */
|
|
273
278
|
errorHandler(options?: ErrorHandlerOptions): ErrorRequestHandler;
|
|
274
279
|
}
|
|
275
280
|
interface ServerAuthExpressClient<TRole extends string = string> extends AuthExpressClient<TRole> {
|
|
@@ -282,8 +287,11 @@ interface ServerAuthExpressClient<TRole extends string = string> extends AuthExp
|
|
|
282
287
|
sessionId: string;
|
|
283
288
|
};
|
|
284
289
|
getCurrentAccessToken(request: Request): string | undefined;
|
|
290
|
+
/** Returns an Express Router containing all auth endpoints (e.g. POST /register). */
|
|
285
291
|
router(): Router;
|
|
292
|
+
/** Runs Kysely database migrations for Sentri tables. */
|
|
286
293
|
migrate(): Promise<void>;
|
|
294
|
+
/** Middleware to prevent duplicate requests using idempotency keys. */
|
|
287
295
|
idempotencyMiddleware(options?: IdempotencyOptions): RequestHandler;
|
|
288
296
|
register(input: RegisterInput<TRole>): Promise<RegisterResult<TRole>>;
|
|
289
297
|
login(input: LoginInput): Promise<AuthResult<TRole>>;
|
|
@@ -303,6 +311,10 @@ interface ServerAuthExpressClient<TRole extends string = string> extends AuthExp
|
|
|
303
311
|
}
|
|
304
312
|
type ClientAuthExpressClient<TRole extends string = string> = AuthExpressClient<TRole>;
|
|
305
313
|
declare function createAuthExpress<TRole extends string = string>(options: CreateExpressServerOptions<TRole>): ServerAuthExpressClient<TRole>;
|
|
314
|
+
/**
|
|
315
|
+
* Creates an Express authentication client (Client Mode).
|
|
316
|
+
* Used for microservices that only verify tokens issued by a separate auth server.
|
|
317
|
+
*/
|
|
306
318
|
declare function createAuthExpress<TRole extends string = string>(options: CreateExpressClientOptions<TRole>): ClientAuthExpressClient<TRole>;
|
|
307
319
|
|
|
308
320
|
export { AccessCookieConfig, AssignRolesResult, AuthConfig, type AuthExpressClient, AuthHooks, AuthResult, AuthUser, BulkIdentifiersResult, ChangePasswordResult, type ClientAuthExpressClient, CookieConfig, type CreateExpressClientOptions, type CreateExpressServerOptions, type ErrorHandlerOptions, GetUserResult, type IdempotencyOptions, IdentifierInput, LoginInput, type PermitCheck, type PermitOptions, RefreshResult, RegisterInput, RegisterResult, RouterHandlers, SentriLogger, ServerAuthConfig, type ServerAuthExpressClient, authorize, createAuthExpress, createAuthRouter, createAuthorize, createErrorHandler, createIdempotencyMiddleware, createPermit, getCurrentAccessToken, permit, protect };
|
|
@@ -1 +1 @@
|
|
|
1
|
-
import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import Ze from'bcrypt';import Q from'jsonwebtoken';import {Redis}from'ioredis';import {Router}from'express';var Kr=Object.defineProperty;var n=(e,r)=>Kr(e,"name",{value:r,configurable:true});var Me=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??Me[r]??500;}};var je=new WeakMap,Ve=32,Be=10,Xe=31;function Je(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Ve)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Ve} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>Xe)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${Xe}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(Je,"validateConfig");function T(e){let r=je.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return je.set(e,t),t}n(T,"resolveServerConfig");var $r=/^(\d+)([smhdw])$/,Hr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},ze=new Map;function V(e){if(typeof e=="number")return e*1e3;let r=ze.get(e);if(r!==void 0)return r;let t=$r.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Hr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let o=parseInt(t[1],10)*s;return ze.set(e,o),o}n(V,"parseExpiry");var U={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function p(e,r,t){return {service:e,event:r,...t}}n(p,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function D(e){let r=We.get(e);return r||(r=new Kysely({dialect:e}),We.set(e,r)),r}n(D,"getDatabase");async function Y(e,r=12){return Ze.hash(e,r)}n(Y,"hashPassword");async function q(e,r){return Ze.compare(e,r)}n(q,"verifyPassword");var Ye=new Map,qe=new Map,Br=3600*1e3;function er(e){let r=Ye.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),o=s.export({format:"jwk"}),l=createHash("sha256").update(JSON.stringify({e:o.e,kty:o.kty,n:o.n})).digest("base64url"),d={...o,use:"sig",kid:l};r={kid:l,publicKey:s,jwk:d},Ye.set(e,r);}return r}n(er,"getOrBuildKey");function rr(e){let{jwk:r}=er(e);return {keys:[r]}}n(rr,"buildJwks");function tr(e){return er(e).publicKey}n(tr,"getPublicKeyFromPrivate");async function sr(e){let r=Date.now(),t=qe.get(e);if(t&&r-t.fetchedAt<Br)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let o=await s.json();if(!o.keys||o.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let a=o.keys[0],l=createPublicKey({key:a,format:"jwk"});return qe.set(e,{publicKey:l,fetchedAt:r}),l}n(sr,"fetchPublicKey");var nr=new Map,or=new Map,ir=new Map;function ar(e){return e.startsWith("RS")||e.startsWith("PS")}n(ar,"isRSA");function dr(e){let r=nr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},nr.set(e,r)),r}n(dr,"getHsSecrets");function zr(e){let r=or.get(e);return r||(r=createPrivateKey(e),or.set(e,r)),r}n(zr,"getRsPrivateKey");function cr(e){let r=T(e);if(ar(r.algorithm)){let o=zr(e.secret);return {accessKey:o,refreshKey:o}}let{access:t,refresh:s}=dr(e.secret);return {accessKey:t,refreshKey:s}}n(cr,"getSigningKeys");function ur(e,r){let t=T(e);if(ar(t.algorithm))return tr(e.secret);let{access:s,refresh:o}=dr(e.secret);return r==="access"?s:o}n(ur,"getVerifyKey");function lr(e,r,t,s){let o=`${t}:${s}`,a=ir.get(o);return a||(a={expiresIn:t,algorithm:s},ir.set(o,a)),Q.sign(e,r,a)}n(lr,"sign");function fr(e,r,t){try{let s=Q.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof Q.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verify");function ee(e,r){let t=T(r),{accessKey:s}=cr(r);return lr(e,s,t.accessExpiresIn,t.algorithm)}n(ee,"signAccessToken");function re(e,r){let t=T(r),{refreshKey:s}=cr(r);return lr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(re,"signRefreshToken");function le(e,r){let t=T(r),s=ur(r,"access");return fr(e,s,t.algorithm)}n(le,"verifyAccessToken");function te(e,r){let t=T(r),s=ur(r,"refresh");return fr(e,s,t.algorithm)}n(te,"verifyRefreshToken");function hr(e,r){try{let t=Q.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof Q.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(hr,"verifyTokenWithPublicKey");function Oe(e){try{return JSON.parse(e)}catch{return []}}n(Oe,"parseRoles");function Jr(e){return JSON.stringify(e)}n(Jr,"serializeRoles");function pr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(pr,"mapIdentifier");async function se(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(se,"findUserByIdentifierValue");async function fe(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Oe(t.roles)}:null}n(fe,"findUserById");async function wr(e,r,t){let s=t.map(o=>({id:randomUUID(),user_id:r,type:o.type,value:o.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(o=>({id:o.id,userId:o.user_id,type:o.type,value:o.value,createdAt:new Date}))}n(wr,"createIdentifiers");async function ne(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(pr)}n(ne,"findIdentifiersByUserId");async function Ue(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?pr(s):null}n(Ue,"findIdentifierById");async function yr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(yr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function _r(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(_r,"deleteIdentifiers");async function gr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(gr,"updateUserPassword");async function Rr(e,r,t){await e.updateTable("sentri_users").set({roles:Jr(t)}).where("id","=",r).execute();}n(Rr,"updateUserRoles");async function Le(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(Le,"createSession");async function he(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Oe(t.roles)}}:null}n(he,"findSessionById");async function me(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(me,"deleteSession");async function kr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(kr,"markSessionReplaced");async function pe(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(pe,"deleteAllSessionsForUser");async function Ar(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(Ar,"findSessionsByUserId");async function we(e,r,t){let s=T(r),o=D(r.dialect),a=e.roles??[],l=a.filter(k=>!s.validRolesSet.has(k));if(l.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${l.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let d=e.identifiers.map(k=>({type:k.type.trim(),value:k.value.trim()}));if(new Set(d.map(k=>k.value)).size!==d.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let k of d)if(await se(o,k.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${k.value}`)};let m=await Y(e.password,s.saltRounds),{userId:_,identifierRows:b}=await o.transaction().execute(async k=>{let L=randomUUID();await k.insertInto("sentri_users").values({id:L,password_hash:m,roles:JSON.stringify(a)}).execute();let K=d.map($=>({id:randomUUID(),user_id:L,type:$.type,value:$.value}));return await k.insertInto("sentri_identifiers").values(K).execute(),{userId:L,identifierRows:K}}),v={success:true,user:{id:_,roles:a,identifiers:b.map(k=>({id:k.id,type:k.type,value:k.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(v.user),v}n(we,"register");async function ye(e,r,t){let s=T(r),o=D(r.dialect),a=await se(o,e.identifier.trim());if(!a){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}if(!await q(e.password,a.passwordHash)){let v=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,v,{ip:t?.ip??""}),{success:false,error:v}}let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:a.id,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),m={id:a.id,roles:a.roles},_=ee({id:a.id,roles:a.roles,sessionId:i.id},r),b=re(i.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(m,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:_,refreshToken:b,user:m}}n(ye,"login");async function B(e,r,t){let s=T(r),o=D(r.dialect),a;try{({sessionId:a}=te(e,r));}catch(v){return v instanceof u?{success:false,error:v}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let l=await he(o,a);if(!l)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(l.replacedBy)return await pe(o,l.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(l.expiresAt.getTime()<Date.now())return await me(o,a),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let d=new Date(Date.now()+V(s.refreshExpiresIn)),i=await Le(o,{userId:l.userId,expiresAt:d,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await kr(o,a,i.id);let m={id:l.user.id,roles:l.user.roles},_=ee({...m,sessionId:i.id},r),b=re(i.id,r);return {success:true,accessToken:_,refreshToken:b,user:m}}n(B,"refresh");async function Ie(e,r){let t=D(r.dialect),s;try{({sessionId:s}=te(e,r));}catch{return}let o=await he(t,s);o&&(await me(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(o.userId));}n(Ie,"logout");async function _e(e,r){let t=D(r.dialect);await pe(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(_e,"logoutAll");async function ge(e,r){let t=D(r.dialect),s=await fe(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let o=await ne(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:o.map(a=>({id:a.id,type:a.type,value:a.value}))}}}n(ge,"getUser");async function Re(e,r,t,s){let o=T(s),a=D(s.dialect),l=await fe(a,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await q(r,l.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let i=await Y(t,o.saltRounds);return await gr(a,e,i),await pe(a,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(Re,"changePassword");async function ke(e,r,t){let s=T(t),o=D(t.dialect),a=r.filter(m=>!s.validRolesSet.has(m));if(a.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${a.join(", ")}`)};let l=await fe(o,e);if(!l)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let d=new Set(l.roles);for(let m of r)d.add(m);let i=Array.from(d);return await Rr(o,e,i),{success:true,user:{id:l.id,roles:i}}}n(ke,"assignRoles");async function Ae(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(d=>({type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o)if(await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)};return await wr(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(Ae,"bulkCreateIdentifiers");async function ve(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(d=>({id:d.id,type:d.type.trim(),value:d.value.trim()}));if(new Set(o.map(d=>d.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let d of o){let i=await Ue(s,d.id,e);if(!i)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d.id}`)};if(i.value!==d.value&&await se(s,d.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${d.value}`)}}return await s.transaction().execute(async d=>{for(let i of o)await Ir(d,i.id,e,{type:i.type,value:i.value});}),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ee(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let o=Array.from(new Set(r));for(let d of o)if(!await Ue(s,d,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${d}`)};return await yr(s,e)-o.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await _r(s,e,o),{success:true,identifiers:(await ne(s,e)).map(d=>({id:d.id,type:d.type,value:d.value}))})}n(Ee,"bulkDeleteIdentifiers");async function Er(e,r){let t=D(r.dialect);return (await Ar(t,e)).map(o=>({id:o.id,ipAddress:o.ipAddress,userAgent:o.userAgent,createdAt:o.createdAt,expiresAt:o.expiresAt}))}n(Er,"getSessions");async function Tr(e,r,t){let s=D(t.dialect),o=await he(s,r);o&&o.userId===e&&await me(s,r);}n(Tr,"revokeSession");function P(e){return T(e).cookieName}n(P,"getCookieName");function Te(e){return T(e).accessCookieName}n(Te,"getAccessCookieName");function H(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let o=e.indexOf(";",s),a=o===-1?e.length:o;if(e.startsWith(t,s))return e.slice(s+t.length,a);s=a+1;}}n(H,"readCookie");function oe(e,r,t){let s=t.cookie??{},o=V(T(t).refreshExpiresIn);e.cookie(P(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(oe,"setCookieFromConfig");function xe(e,r){let t=r.cookie??{};e.clearCookie(P(r),{path:t.path??"/"});}n(xe,"clearCookieFromConfig");function ie(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,o=V(T(t).accessExpiresIn);e.cookie(Te(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:o});}n(ie,"setAccessCookieFromConfig");function Fe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Te(r),{path:t.path??"/"});}n(Fe,"clearAccessCookieFromConfig");function Ne(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):H(e.headers.cookie,Te(r))}n(Ne,"getCurrentAccessToken");function C(e){let r=e.logger??U,t=e.loggerService??"sentri";return e.mode==="client"?Gr(e.keyUri,r,t):Wr(e,r,t)}n(C,"protect");function Gr(e,r,t){return async(s,o,a)=>{let l=s.headers.authorization,d=l?.startsWith("Bearer ")?l.slice(7):void 0,i=s.requestId;if(!d)return r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",...i!==void 0&&{requestId:i}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let m=await sr(e),_=hr(d,m);s.user={id:_.id,roles:_.roles},r.info(p(t,"auth.protect.success",{mode:"client",userId:_.id,...i!==void 0&&{requestId:i}})),a();}catch(m){let _=m instanceof u?m.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:_,...i!==void 0&&{requestId:i}})),a(m);}}}n(Gr,"protectClient");function Wr(e,r,t){return async(s,o,a)=>{let l=Ne(s,e),d=s.requestId;if(!l)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Missing or malformed Authorization header"));try{let i=le(l,e);if(e.isTokenRevoked&&await e.isTokenRevoked(i.sessionId))return r.warn(p(t,"auth.protect.token_revoked",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token has been revoked"));s.user={id:i.id,roles:i.roles},r.info(p(t,"auth.protect.success",{mode:"server",userId:i.id,...d!==void 0&&{requestId:d}})),a();}catch(i){if(i instanceof u&&i.code==="TOKEN_EXPIRED"){let m=H(s.headers.cookie,P(e));if(!m)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Token expired. Please login again."));try{let _=await B(m,e);if(!_.success)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:_.error.code,...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));oe(o,_.refreshToken,e),ie(o,_.accessToken,e),o.setHeader("X-New-Access-Token",_.accessToken),s.user=_.user,r.info(p(t,"auth.protect.auto_refresh",{mode:"server",userId:_.user.id,...d!==void 0&&{requestId:d}})),a();}catch{r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...d!==void 0&&{requestId:d}})),a(new u("UNAUTHORIZED","Session expired. Please login again."));}}else {let m=i instanceof u?i.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:m,...d!==void 0&&{requestId:d}})),a(i);}}}}n(Wr,"protectServer");function xr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return (o,a,l)=>{let d=o.requestId;if(!o.user)return r.warn(p(t,"auth.authorize.unauthenticated",{requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("UNAUTHORIZED","Not authenticated"));let i=o.user.roles;if(!e.some(m=>i.includes(m)))return r.warn(p(t,"auth.authorize.denied",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l(new u("FORBIDDEN",s));r.info(p(t,"auth.authorize.passed",{userId:o.user.id,userRoles:[...i],requiredRoles:e,...d!==void 0&&{requestId:d}})),l();}}n(xr,"createAuthorizeHandler");function ae(e,r){return n(function(...s){return xr(s,e,r)},"authorize")}n(ae,"createAuthorize");function Zr(...e){return xr(e,U,"sentri")}n(Zr,"authorize");var Yr=new u("FORBIDDEN","You do not have permission to perform this action");function Nr(e,r,t){return async(s,o,a)=>{let l=s.requestId;if(!s.user)return r.warn(p(t,"auth.permit.unauthenticated",{...l!==void 0&&{requestId:l}})),a(new u("UNAUTHORIZED","Not authenticated"));let d=s.user.id;if(e.roles&&e.roles.length>0){let i=s.user.roles;if(e.roles.some(m=>i.includes(m)))return r.info(p(t,"auth.permit.role_bypass",{userId:d,bypassedByRole:true,...l!==void 0&&{requestId:l}})),a()}try{let i=e.check(s);(i instanceof Promise?await i:i)?(r.info(p(t,"auth.permit.passed",{userId:d,...l!==void 0&&{requestId:l}})),a()):(r.warn(p(t,"auth.permit.denied",{userId:d,...l!==void 0&&{requestId:l}})),a(Yr));}catch(i){a(i);}}}n(Nr,"createPermitHandler");function de(e,r){return n(function(s){return Nr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(de,"createPermit");function qr(e){return Nr(typeof e=="function"?{check:e}:e,U,"sentri")}n(qr,"permit");function ce(e){return (r,t,s,o)=>{if(r instanceof u){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ce,"createErrorHandler");var Dr=new Map;function Cr(e){let r=Dr.get(e);return r||(r=new Redis(e,{lazyConnect:true,enableOfflineQueue:false}),r.on("error",t=>{console.error("Sentri Redis Client Error:",t.message);}),Dr.set(e,r)),r}n(Cr,"getRedisClient");function Sr(e){let r=e?.ttl??3e5,t=(e?.header??"X-Idempotency-Key").toLowerCase(),s=new Set((e?.methods??["POST","PUT","PATCH"]).map(a=>a.toUpperCase())),o=e?.redisUrl;return o?et(o,r,t,s):rt(r,t,s,e?.maxSize??1e4)}n(Sr,"createIdempotencyMiddleware");function et(e,r,t,s){let o=Cr(e),a="sentri:idempotency:";return async(l,d,i)=>{let m=l.headers[t];if(!m||typeof m!="string"||!s.has(l.method))return i();l.requestId=m,d.setHeader("X-Request-Id",m);let _=await o.get(`${a}${m}`);if(_){let v=JSON.parse(_);return d.setHeader("X-Idempotent-Replayed","true"),d.status(v.statusCode).json(v.body)}let b=d.json.bind(d);d.json=n(function(k){if(d.statusCode>=200&&d.statusCode<300){let L={statusCode:d.statusCode,body:k,expiresAt:Date.now()+r};o.set(`${a}${m}`,JSON.stringify(L),"PX",r).catch(()=>{});}return b(k)},"idempotentJson"),i();}}n(et,"buildRedisMiddleware");function rt(e,r,t,s){let o=Math.max(e,5e3),a=new Map,l=setInterval(()=>{let d=Date.now();for(let[i,m]of a)m.expiresAt<=d&&a.delete(i);},o);return typeof l=="object"&&l!==null&&"unref"in l&&l.unref(),(d,i,m)=>{let _=d.headers[r];if(!_||typeof _!="string"||!t.has(d.method))return m();d.requestId=_,i.setHeader("X-Request-Id",_);let b=Date.now(),v=a.get(_);if(v&&v.expiresAt>b)return i.setHeader("X-Idempotent-Replayed","true"),i.status(v.statusCode).json(v.body);let k=i.json.bind(i);i.json=n(function(K){if(i.statusCode>=200&&i.statusCode<300){if(a.size>=s){let $=a.keys().next().value;$!==void 0&&a.delete($);}a.set(_,{statusCode:i.statusCode,body:K,expiresAt:Date.now()+e});}return k(K)},"idempotentJson"),m();}}n(rt,"buildMemoryMiddleware");var Pe=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let o=Date.now(),a=this.store.get(r);if((!a||a.expiresAt<o)&&(a={count:0,expiresAt:o+s},this.store.set(r,a)),a.count>t){let l=Math.ceil((a.expiresAt-o)/1e3);throw new Error(`Rate limit exceeded. Try again in ${l} seconds.`)}a.count++;}},Ke=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let o=`sentri:rl:${r}`,a=Math.ceil(s/1e3);try{let l=await this.redis.multi().incr(o).expire(o,a,"NX").exec();if(!l||l.length===0)return;if(l[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(l){if(l instanceof Error&&l.message.includes("Rate limit exceeded"))throw l;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:l});}}},X=null;async function br(e,r){if(X)return X;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),X=new Ke(s,r??U),X}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return X=new Pe,X}n(br,"getRateLimiter");var De=8,z=72,Ce=255,Or=100,J=50;function R(e){return new u("VALIDATION_ERROR",e)}n(R,"badRequest");function S(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}n(S,"ok");function F(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(F,"fail");function M(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}n(M,"parseBody");function st(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(st,"validateApiKey");function $e(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n($e,"fireHook");function nt(e){return e.startsWith("RS")||e.startsWith("PS")}n(nt,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw R(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw R(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Or)throw R(`identifiers[${r}].type must not exceed ${Or} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw R(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ce)throw R(`identifiers[${r}].value must not exceed ${Ce} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function E(e){return e.requestId!==void 0?{requestId:e.requestId}:{}}n(E,"reqId");function Ur(e){let r=Router(),t=e,s=T(t),o=e.logger??U,a=e.loggerService??"sentri",l=ae(o,a),d=de(o,a),i=br(e.redisUrl,o),m=e.router?.register??(c=>we(c,t)),_=e.router?.login??(c=>ye(c,t)),b=e.router?.refresh??(c=>B(c,t)),v=e.router?.logout??(c=>c!==void 0?Ie(c,t):Promise.resolve()),k=e.router?.logoutAll??(c=>_e(c,t)),L=e.router?.getUser??(c=>ge(c,t)),K=e.router?.assignRoles??((c,h)=>ke(c,h,t)),$=e.router?.changePassword??((c,h,A)=>Re(c,h,A,t)),Lr=e.router?.bulkCreateIdentifiers??((c,h)=>Ae(c,h,t)),Fr=e.router?.bulkUpdateIdentifiers??((c,h)=>ve(c,h,t)),Pr=e.router?.bulkDeleteIdentifiers??((c,h)=>Ee(c,h,t));nt(s.algorithm)&&r.get("/keys",(c,h)=>{h.setHeader("Cache-Control","public, max-age=3600"),h.json(rr(e.secret));}),r.post("/register",async(c,h,A)=>{let I=Date.now();try{st(c,e);let f=M(c.body),{identifiers:y,password:g,roles:w}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let x=y.map((Z,Se)=>He(Z,Se));if(typeof g!="string"||g.length<De)throw R(`password is required and must be at least ${De} characters`);if(g.length>z)throw R(`password must not exceed ${z} characters`);if(w!==void 0&&!Array.isArray(w))throw R("roles must be an array of strings when provided");if(Array.isArray(w)&&!w.every(Z=>typeof Z=="string"))throw R("each role must be a string");let O=Array.isArray(w)?w:void 0,N=O!==void 0?{identifiers:x,password:g,roles:O}:{identifiers:x,password:g},j=c.ip||"127.0.0.1",G=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let Z=await i,Se=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await Z.consume(`register:${j}`,Se,900*1e3);}let W=await m(N,{ip:j,userAgent:G});if(!W.success){o.warn(p(a,"auth.register.failure",{errorCode:W.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,W.error);return}o.info(p(a,"auth.register.success",{userId:W.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,201,"User registered successfully",{user:W.user});}catch(f){A(f);}}),r.post("/login",async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifier:y,password:g}=f;if(typeof y!="string"||y.trim().length===0)throw R("identifier is required and must be a non-empty string");if(y.length>Ce)throw R(`identifier must not exceed ${Ce} characters`);if(typeof g!="string"||g.length===0)throw R("password is required");if(g.length>z)throw R(`password must not exceed ${z} characters`);let w=y.trim(),x=c.ip||"127.0.0.1",O=c.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let j=await i,G=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await j.consume(`login:${x}`,G,900*1e3);}let N=await _({identifier:w,password:g},{ip:x,userAgent:O});if(!N.success){$e(()=>e.hooks?.onLoginFailed?.(w,N.error,{ip:x})),o.warn(p(a,"auth.login.failure",{errorCode:N.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,N.error);return}$e(()=>e.hooks?.onLoginSuccess?.(N.user,{ip:x,userAgent:O})),oe(h,N.refreshToken,e),ie(h,N.accessToken,e),o.info(p(a,"auth.login.success",{userId:N.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Login successful",{accessToken:N.accessToken,user:N.user});}catch(f){A(f);}}),r.post("/refresh",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));if(!f)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let y=c.ip||"127.0.0.1",g=c.get("user-agent")||"Unknown",w=await b(f,{ip:y,userAgent:g});if(!w.success){xe(h,e),o.warn(p(a,"auth.refresh.failure",{errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}oe(h,w.refreshToken,e),ie(h,w.accessToken,e),o.info(p(a,"auth.refresh.success",{userId:w.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Token refreshed",{accessToken:w.accessToken});}catch(f){A(f);}}),r.post("/logout",async(c,h,A)=>{let I=Date.now();try{let f=H(c.headers.cookie,P(e));await v(f),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout",{duration_ms:Date.now()-I,...E(c)})),S(h,200,"Logged out",null);}catch(f){A(f);}}),r.post("/logout-all",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id;await k(f),$e(()=>e.hooks?.onLogout?.(f)),xe(h,e),Fe(h,e),o.info(p(a,"auth.logout_all",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"All sessions revoked",null);}catch(f){A(f);}}),r.get("/me",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.success",{userId:f.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",f.user);}catch(f){A(f);}}),r.get("/me/identifiers",C(e),async(c,h,A)=>{let I=Date.now();try{let f=await L(c.user.id);if(!f.success){o.warn(p(a,"auth.me.identifiers.failure",{userId:c.user.id,errorCode:f.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,f.error);return}o.info(p(a,"auth.me.identifiers.success",{userId:f.user.id,count:f.user.identifiers?.length??0,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{identifiers:f.user.identifiers??[]});}catch(f){A(f);}});let ue=d(c=>!!c.user);return r.post("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>He(x,O)),w=await Lr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.create_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.created",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,201,"Identifiers added successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.put("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{identifiers:y}=f;if(!Array.isArray(y)||y.length===0)throw R("identifiers is required and must be a non-empty array");if(y.length>J)throw R(`identifiers must not exceed ${J} entries`);let g=y.map((x,O)=>{if(typeof x!="object"||x===null||Array.isArray(x))throw R(`identifiers[${O}] must be an object`);let N=x;if(typeof N.id!="string"||N.id.trim().length===0)throw R(`identifiers[${O}].id is required and must be a non-empty string`);let{type:j,value:G}=He(x,O);return {id:N.id,type:j,value:G}}),w=await Fr(c.user.id,g);if(!w.success){o.warn(p(a,"auth.identifiers.update_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.identifiers.updated",{userId:c.user.id,count:w.identifiers.length,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers updated successfully",{identifiers:w.identifiers});}catch(f){A(f);}}),r.delete("/me/identifiers",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{ids:y}=f;if(!Array.isArray(y)||y.length===0)throw R("ids is required and must be a non-empty array of strings");if(!y.every(w=>typeof w=="string"))throw R("each id must be a string");let g=await Pr(c.user.id,y);if(!g.success){o.warn(p(a,"auth.identifiers.delete_failure",{userId:c.user.id,errorCode:g.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,g.error);return}o.info(p(a,"auth.identifiers.deleted",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Identifiers deleted successfully",{identifiers:g.identifiers});}catch(f){A(f);}}),r.patch("/me/password",C(e),ue,async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{currentPassword:y,newPassword:g}=f;if(typeof y!="string"||y.length===0)throw R("currentPassword is required");if(typeof g!="string"||g.length<De)throw R(`newPassword must be at least ${De} characters`);if(g.length>z)throw R(`newPassword must not exceed ${z} characters`);if(y===g)throw R("newPassword must be different from currentPassword");let w=await $(c.user.id,y,g);if(!w.success){o.warn(p(a,"auth.password.change_failure",{userId:c.user.id,errorCode:w.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,w.error);return}o.info(p(a,"auth.password.changed",{userId:c.user.id,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Password updated successfully. All sessions have been revoked.",null);}catch(f){A(f);}}),r.post("/users/:userId/roles",C(e),l("admin"),async(c,h,A)=>{let I=Date.now();try{let f=M(c.body),{roles:y}=f,g=c.params.userId,w=typeof g=="string"?g:void 0;if(!w)throw R("userId is required");if(!Array.isArray(y)||y.length===0)throw R("roles must be a non-empty array of strings");if(!y.every(O=>typeof O=="string"))throw R("each role must be a string");let x=await K(w,y);if(!x.success){o.warn(p(a,"auth.roles.assign_failure",{targetUserId:w,errorCode:x.error.code,duration_ms:Date.now()-I,...E(c)})),F(h,x.error);return}o.info(p(a,"auth.roles.assigned",{targetUserId:w,roles:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Roles assigned successfully",{user:x.user});}catch(f){A(f);}}),r.use(ce()),r.get("/sessions",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,g=await(e.router?.getSessions??(w=>Er(w,t)))(f);o.info(p(a,"auth.sessions.get",{userId:f,duration_ms:Date.now()-I,...E(c)})),S(h,200,"OK",{sessions:g});}catch(f){A(f);}}),r.delete("/sessions/:id",C(e),async(c,h,A)=>{let I=Date.now();try{let f=c.user.id,y=c.params.id;await(e.router?.revokeSession??((w,x)=>Tr(w,x,t)))(f,y),o.info(p(a,"auth.sessions.revoke",{userId:f,sessionId:y,duration_ms:Date.now()-I,...E(c)})),S(h,200,"Session revoked",null);}catch(f){A(f);}}),r}n(Ur,"createAuthRouter");function tn(e){if(e.mode==="client"){let i={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Je(i);let m=i.logger??U,_=i.loggerService??"sentri",b=ae(m,_),v=de(m,_);return {protect:n(()=>C(i),"protect"),authorize:n((...k)=>b(...k),"authorize"),permit:n(k=>v(k),"permit"),errorHandler:n(k=>ce(k),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??U,o=t.loggerService??"sentri",a=T(t),l=ae(s,o),d=de(s,o);return {protect:n(()=>C(t),"protect"),authorize:n((...i)=>l(...i),"authorize"),permit:n(i=>d(i),"permit"),errorHandler:n(i=>ce(i),"errorHandler"),hashPassword:n(i=>Y(i,a.saltRounds),"hashPassword"),verifyPassword:n((i,m)=>q(i,m),"verifyPassword"),signAccessToken:n(i=>ee(i,t),"signAccessToken"),signRefreshToken:n(i=>re(i,t),"signRefreshToken"),verifyAccessToken:n(i=>le(i,t),"verifyAccessToken"),verifyRefreshToken:n(i=>te(i,t),"verifyRefreshToken"),getCurrentAccessToken:n(i=>Ne(i,t),"getCurrentAccessToken"),router:n(()=>Ur(t),"router"),migrate:n(()=>Ge(D(t.dialect)),"migrate"),idempotencyMiddleware:n(i=>Sr({...i,...t.redisUrl!==void 0&&{redisUrl:t.redisUrl}}),"idempotencyMiddleware"),register:n(i=>we(i,t),"register"),login:n(i=>ye(i,t),"login"),refresh:n(i=>B(i,t),"refresh"),logout:n(i=>Ie(i,t),"logout"),logoutAll:n(i=>_e(i,t),"logoutAll"),getUser:n(i=>ge(i,t),"getUser"),changePassword:n((i,m,_)=>Re(i,m,_,t),"changePassword"),assignRoles:n((i,m)=>ke(i,m,t),"assignRoles"),bulkCreateIdentifiers:n((i,m)=>Ae(i,m,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((i,m)=>ve(i,m,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((i,m)=>Ee(i,m,t),"bulkDeleteIdentifiers")}}n(tn,"createAuthExpress");export{Me as SENTRI_ERROR_STATUS,u as SentriError,Zr as authorize,tn as createAuthExpress,Ur as createAuthRouter,ae as createAuthorize,ce as createErrorHandler,Sr as createIdempotencyMiddleware,de as createPermit,Ne as getCurrentAccessToken,qr as permit,C as protect};
|
|
1
|
+
import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import Ye from'bcrypt';import Q from'jsonwebtoken';import {Redis}from'ioredis';import {Router}from'express';var Kr=Object.defineProperty;var n=(e,r)=>Kr(e,"name",{value:r,configurable:true});var je=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),l=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??je[r]??500;}};var Ve=new WeakMap,Be=32,Xe=10,ze=31;function Ge(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new l("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new l("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Be)throw new l("CONFIGURATION_ERROR",`secret must be at least ${Be} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Xe||s>ze)throw new l("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Xe} and ${ze}`);if(!e.validRoles||e.validRoles.length===0)throw new l("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new l("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new l("CONFIGURATION_ERROR","dialect is required in server mode")}n(Ge,"validateConfig");function k(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(k,"resolveServerConfig");var $r=/^(\d+)([smhdw])$/,Hr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},Je=new Map;function V(e){if(typeof e=="number")return e*1e3;let r=Je.get(e);if(r!==void 0)return r;let t=$r.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Hr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return Je.set(e,i),i}n(V,"parseExpiry");var L={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function p(e,r,t){return {service:e,event:r,...t}}n(p,"buildLogData");async function We(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(We,"runMigrations");var Ze=new Map;function D(e){let r=Ze.get(e);return r||(r=new Kysely({dialect:e}),Ze.set(e,r)),r}n(D,"getDatabase");async function Y(e,r=12){return Ye.hash(e,r)}n(Y,"hashPassword");async function q(e,r){return Ye.compare(e,r)}n(q,"verifyPassword");var qe=new Map,Qe=new Map,Br=3600*1e3;function rr(e){let r=qe.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),i=s.export({format:"jwk"}),f=createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),c={...i,use:"sig",kid:f};r={kid:f,publicKey:s,jwk:c},qe.set(e,r);}return r}n(rr,"getOrBuildKey");function tr(e){let{jwk:r}=rr(e);return {keys:[r]}}n(tr,"buildJwks");function sr(e){return rr(e).publicKey}n(sr,"getPublicKeyFromPrivate");async function nr(e){let r=Date.now(),t=Qe.get(e);if(t&&r-t.fetchedAt<Br)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new l("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new l("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],f=createPublicKey({key:o,format:"jwk"});return Qe.set(e,{publicKey:f,fetchedAt:r}),f}n(nr,"fetchPublicKey");var ir=new Map,or=new Map,ar=new Map;function dr(e){return e.startsWith("RS")||e.startsWith("PS")}n(dr,"isRSA");function ur(e){let r=ir.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},ir.set(e,r)),r}n(ur,"getHsSecrets");function zr(e){let r=or.get(e);return r||(r=createPrivateKey(e),or.set(e,r)),r}n(zr,"getRsPrivateKey");function cr(e){let r=k(e);if(dr(r.algorithm)){let i=zr(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ur(e.secret);return {accessKey:t,refreshKey:s}}n(cr,"getSigningKeys");function lr(e,r){let t=k(e);if(dr(t.algorithm))return sr(e.secret);let{access:s,refresh:i}=ur(e.secret);return r==="access"?s:i}n(lr,"getVerifyKey");function fr(e,r,t,s){let i=`${t}:${s}`,o=ar.get(i);return o||(o={expiresIn:t,algorithm:s},ar.set(i,o)),Q.sign(e,r,o)}n(fr,"sign");function hr(e,r,t){try{let s=Q.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new l("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof l?s:s instanceof Q.TokenExpiredError?new l("TOKEN_EXPIRED","Token has expired"):new l("TOKEN_INVALID","Token is invalid or malformed")}}n(hr,"verify");function ee(e,r){let t=k(r),{accessKey:s}=cr(r);return fr(e,s,t.accessExpiresIn,t.algorithm)}n(ee,"signAccessToken");function re(e,r){let t=k(r),{refreshKey:s}=cr(r);return fr({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(re,"signRefreshToken");function fe(e,r){let t=k(r),s=lr(r,"access");return hr(e,s,t.algorithm)}n(fe,"verifyAccessToken");function te(e,r){let t=k(r),s=lr(r,"refresh");return hr(e,s,t.algorithm)}n(te,"verifyRefreshToken");function mr(e,r){try{let t=Q.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new l("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof l?t:t instanceof Q.TokenExpiredError?new l("TOKEN_EXPIRED","Token has expired"):new l("TOKEN_INVALID","Token is invalid or malformed")}}n(mr,"verifyTokenWithPublicKey");function Ue(e){try{return JSON.parse(e)}catch{return []}}n(Ue,"parseRoles");function Jr(e){return JSON.stringify(e)}n(Jr,"serializeRoles");function wr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(wr,"mapIdentifier");async function se(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ue(t.roles)}:null}n(se,"findUserByIdentifierValue");async function he(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ue(t.roles)}:null}n(he,"findUserById");async function yr(e,r,t){let s=t.map(i=>({id:randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(yr,"createIdentifiers");async function ne(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(wr)}n(ne,"findIdentifiersByUserId");async function Le(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?wr(s):null}n(Le,"findIdentifierById");async function Ir(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(Ir,"countIdentifiersByUserId");async function Rr(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Rr,"updateIdentifier");async function _r(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(_r,"deleteIdentifiers");async function gr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(gr,"updateUserPassword");async function vr(e,r,t){await e.updateTable("sentri_users").set({roles:Jr(t)}).where("id","=",r).execute();}n(vr,"updateUserRoles");async function Fe(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(Fe,"createSession");async function me(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ue(t.roles)}}:null}n(me,"findSessionById");async function pe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(pe,"deleteSession");async function Ar(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(Ar,"markSessionReplaced");async function we(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(we,"deleteAllSessionsForUser");async function kr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(kr,"findSessionsByUserId");async function ye(e,r,t){let s=k(r),i=D(r.dialect),o=e.roles??[],f=o.filter(A=>!s.validRolesSet.has(A));if(f.length>0)return {success:false,error:new l("INVALID_ROLE",`Invalid roles: ${f.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one identifier is required")};let c=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),a=c.filter(A=>!s.validIdentifiersSet.has(A.type));if(a.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${a.map(A=>A.type).join(", ")}`)};if(new Set(c.map(A=>A.value)).size!==c.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of c)if(await se(i,A.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let w=await Y(e.password,s.saltRounds),{userId:C,identifierRows:T}=await i.transaction().execute(async A=>{let P=randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:w,roles:JSON.stringify(o)}).execute();let $=c.map(ce=>({id:randomUUID(),user_id:P,type:ce.type,value:ce.value}));return await A.insertInto("sentri_identifiers").values($).execute(),{userId:P,identifierRows:$}}),S={success:true,user:{id:C,roles:o,identifiers:T.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(S.user),S}n(ye,"register");async function Ie(e,r,t){let s=k(r),i=D(r.dialect),o=await se(i,e.identifier.trim());if(!o){let T=new l("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,T,{ip:t?.ip??""}),{success:false,error:T}}if(!await q(e.password,o.passwordHash)){let T=new l("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,T,{ip:t?.ip??""}),{success:false,error:T}}let c=new Date(Date.now()+V(s.refreshExpiresIn)),a=await Fe(i,{userId:o.id,expiresAt:c,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),u={id:o.id,roles:o.roles},w=ee({id:o.id,roles:o.roles,sessionId:a.id},r),C=re(a.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(u,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:w,refreshToken:C,user:u}}n(Ie,"login");async function B(e,r,t){let s=k(r),i=D(r.dialect),o;try{({sessionId:o}=te(e,r));}catch(T){return T instanceof l?{success:false,error:T}:{success:false,error:new l("TOKEN_INVALID","Invalid refresh token")}}let f=await me(i,o);if(!f)return {success:false,error:new l("UNAUTHORIZED","Session not found or revoked")};if(f.replacedBy)return await we(i,f.userId),{success:false,error:new l("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(f.expiresAt.getTime()<Date.now())return await pe(i,o),{success:false,error:new l("TOKEN_EXPIRED","Session has expired")};let c=new Date(Date.now()+V(s.refreshExpiresIn)),a=await Fe(i,{userId:f.userId,expiresAt:c,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await Ar(i,o,a.id);let u={id:f.user.id,roles:f.user.roles},w=ee({...u,sessionId:a.id},r),C=re(a.id,r);return {success:true,accessToken:w,refreshToken:C,user:u}}n(B,"refresh");async function Re(e,r){let t=D(r.dialect),s;try{({sessionId:s}=te(e,r));}catch{return}let i=await me(t,s);i&&(await pe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(Re,"logout");async function _e(e,r){let t=D(r.dialect);await we(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(_e,"logoutAll");async function ge(e,r){let t=D(r.dialect),s=await he(t,e);if(!s)return {success:false,error:new l("USER_NOT_FOUND","User not found")};let i=await ne(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ge,"getUser");async function ve(e,r,t,s){let i=k(s),o=D(s.dialect),f=await he(o,e);if(!f)return {success:false,error:new l("USER_NOT_FOUND","User not found")};if(!await q(r,f.passwordHash))return {success:false,error:new l("INVALID_CREDENTIALS","Invalid credentials")};let a=await Y(t,i.saltRounds);return await gr(o,e,a),await we(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(ve,"changePassword");async function Ae(e,r,t){let s=k(t),i=D(t.dialect),o=r.filter(u=>!s.validRolesSet.has(u));if(o.length>0)return {success:false,error:new l("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let f=await he(i,e);if(!f)return {success:false,error:new l("USER_NOT_FOUND","User not found")};let c=new Set(f.roles);for(let u of r)c.add(u);let a=Array.from(c);return await vr(i,e,a),{success:true,user:{id:f.id,roles:a}}}n(Ae,"assignRoles");async function ke(e,r,t){let s=k(t),i=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(u=>({type:u.type.trim(),value:u.value.trim()})),f=o.filter(u=>!s.validIdentifiersSet.has(u.type));if(f.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${f.map(u=>u.type).join(", ")}`)};if(new Set(o.map(u=>u.value)).size!==o.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let u of o)if(await se(i,u.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${u.value}`)};return await yr(i,e,o),{success:true,identifiers:(await ne(i,e)).map(u=>({id:u.id,type:u.type,value:u.value}))}}n(ke,"bulkCreateIdentifiers");async function Ee(e,r,t){let s=k(t),i=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one update is required")};let o=r.map(u=>({id:u.id,type:u.type.trim(),value:u.value.trim()})),f=o.filter(u=>!s.validIdentifiersSet.has(u.type));if(f.length>0)return {success:false,error:new l("VALIDATION_ERROR",`Invalid identifier types: ${f.map(u=>u.type).join(", ")}`)};if(new Set(o.map(u=>u.value)).size!==o.length)return {success:false,error:new l("VALIDATION_ERROR","Duplicate identifier values in request")};for(let u of o){let w=await Le(i,u.id,e);if(!w)return {success:false,error:new l("IDENTIFIER_NOT_FOUND",`Identifier not found: ${u.id}`)};if(w.value!==u.value&&await se(i,u.value))return {success:false,error:new l("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${u.value}`)}}return await i.transaction().execute(async u=>{for(let w of o)await Rr(u,w.id,e,{type:w.type,value:w.value});}),{success:true,identifiers:(await ne(i,e)).map(u=>({id:u.id,type:u.type,value:u.value}))}}n(Ee,"bulkUpdateIdentifiers");async function Te(e,r,t){let s=D(t.dialect);if(r.length===0)return {success:false,error:new l("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let c of i)if(!await Le(s,c,e))return {success:false,error:new l("IDENTIFIER_NOT_FOUND",`Identifier not found: ${c}`)};return await Ir(s,e)-i.length<1?{success:false,error:new l("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await _r(s,e,i),{success:true,identifiers:(await ne(s,e)).map(c=>({id:c.id,type:c.type,value:c.value}))})}n(Te,"bulkDeleteIdentifiers");async function Tr(e,r){let t=D(r.dialect);return (await kr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(Tr,"getSessions");async function xr(e,r,t){let s=D(t.dialect),i=await me(s,r);i&&i.userId===e&&await pe(s,r);}n(xr,"revokeSession");function K(e){return k(e).cookieName}n(K,"getCookieName");function xe(e){return k(e).accessCookieName}n(xe,"getAccessCookieName");function H(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(H,"readCookie");function ie(e,r,t){let s=t.cookie??{},i=V(k(t).refreshExpiresIn);e.cookie(K(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(ie,"setCookieFromConfig");function Ne(e,r){let t=r.cookie??{};e.clearCookie(K(r),{path:t.path??"/"});}n(Ne,"clearCookieFromConfig");function oe(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=V(k(t).accessExpiresIn);e.cookie(xe(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(oe,"setAccessCookieFromConfig");function Pe(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(xe(r),{path:t.path??"/"});}n(Pe,"clearAccessCookieFromConfig");function De(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):H(e.headers.cookie,xe(r))}n(De,"getCurrentAccessToken");function O(e){let r=e.logger??L,t=e.loggerService??"sentri";return e.mode==="client"?Gr(e.keyUri,r,t):Wr(e,r,t)}n(O,"protect");function Gr(e,r,t){return async(s,i,o)=>{let f=s.headers.authorization,c=f?.startsWith("Bearer ")?f.slice(7):void 0,a=s.requestId;if(!c)return r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",...a!==void 0&&{requestId:a}})),o(new l("UNAUTHORIZED","Missing or malformed Authorization header"));try{let u=await nr(e),w=mr(c,u);s.user={id:w.id,roles:w.roles},r.info(p(t,"auth.protect.success",{mode:"client",userId:w.id,...a!==void 0&&{requestId:a}})),o();}catch(u){let w=u instanceof l?u.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"client",errorCode:w,...a!==void 0&&{requestId:a}})),o(u);}}}n(Gr,"protectClient");function Wr(e,r,t){return async(s,i,o)=>{let f=De(s,e),c=s.requestId;if(!f)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Missing or malformed Authorization header"));try{let a=fe(f,e);if(e.isTokenRevoked&&await e.isTokenRevoked(a.sessionId))return r.warn(p(t,"auth.protect.token_revoked",{mode:"server",userId:a.id,...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Token has been revoked"));s.user={id:a.id,roles:a.roles},r.info(p(t,"auth.protect.success",{mode:"server",userId:a.id,...c!==void 0&&{requestId:c}})),o();}catch(a){if(a instanceof l&&a.code==="TOKEN_EXPIRED"){let u=H(s.headers.cookie,K(e));if(!u)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Token expired. Please login again."));try{let w=await B(u,e);if(!w.success)return r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:w.error.code,...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Session expired. Please login again."));ie(i,w.refreshToken,e),oe(i,w.accessToken,e),i.setHeader("X-New-Access-Token",w.accessToken),s.user=w.user,r.info(p(t,"auth.protect.auto_refresh",{mode:"server",userId:w.user.id,...c!==void 0&&{requestId:c}})),o();}catch{r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",...c!==void 0&&{requestId:c}})),o(new l("UNAUTHORIZED","Session expired. Please login again."));}}else {let u=a instanceof l?a.code:"TOKEN_INVALID";r.warn(p(t,"auth.protect.failure",{mode:"server",errorCode:u,...c!==void 0&&{requestId:c}})),o(a);}}}}n(Wr,"protectServer");function Nr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return (i,o,f)=>{let c=i.requestId;if(!i.user)return r.warn(p(t,"auth.authorize.unauthenticated",{requiredRoles:e,...c!==void 0&&{requestId:c}})),f(new l("UNAUTHORIZED","Not authenticated"));let a=i.user.roles;if(!e.some(u=>a.includes(u)))return r.warn(p(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...a],requiredRoles:e,...c!==void 0&&{requestId:c}})),f(new l("FORBIDDEN",s));r.info(p(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...a],requiredRoles:e,...c!==void 0&&{requestId:c}})),f();}}n(Nr,"createAuthorizeHandler");function ae(e,r){return n(function(...s){return Nr(s,e,r)},"authorize")}n(ae,"createAuthorize");function Zr(...e){return Nr(e,L,"sentri")}n(Zr,"authorize");var Yr=new l("FORBIDDEN","You do not have permission to perform this action");function Dr(e,r,t){return async(s,i,o)=>{let f=s.requestId;if(!s.user)return r.warn(p(t,"auth.permit.unauthenticated",{...f!==void 0&&{requestId:f}})),o(new l("UNAUTHORIZED","Not authenticated"));let c=s.user.id;if(e.roles&&e.roles.length>0){let a=s.user.roles;if(e.roles.some(u=>a.includes(u)))return r.info(p(t,"auth.permit.role_bypass",{userId:c,bypassedByRole:true,...f!==void 0&&{requestId:f}})),o()}try{let a=e.check(s);(a instanceof Promise?await a:a)?(r.info(p(t,"auth.permit.passed",{userId:c,...f!==void 0&&{requestId:f}})),o()):(r.warn(p(t,"auth.permit.denied",{userId:c,...f!==void 0&&{requestId:f}})),o(Yr));}catch(a){o(a);}}}n(Dr,"createPermitHandler");function de(e,r){return n(function(s){return Dr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(de,"createPermit");function qr(e){return Dr(typeof e=="function"?{check:e}:e,L,"sentri")}n(qr,"permit");function ue(e){return (r,t,s,i)=>{if(r instanceof l){s.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.status(500).json({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ue,"createErrorHandler");var Sr=new Map;function Cr(e){let r=Sr.get(e);return r||(r=new Redis(e,{lazyConnect:true,enableOfflineQueue:false}),r.on("error",t=>{console.error("Sentri Redis Client Error:",t.message);}),Sr.set(e,r)),r}n(Cr,"getRedisClient");function Or(e){let r=e?.ttl??3e5,t=(e?.header??"X-Idempotency-Key").toLowerCase(),s=new Set((e?.methods??["POST","PUT","PATCH"]).map(o=>o.toUpperCase())),i=e?.redisUrl;return i?et(i,r,t,s):rt(r,t,s,e?.maxSize??1e4)}n(Or,"createIdempotencyMiddleware");function et(e,r,t,s){let i=Cr(e),o="sentri:idempotency:";return async(f,c,a)=>{let u=f.headers[t];if(!u||typeof u!="string"||!s.has(f.method))return a();f.requestId=u,c.setHeader("X-Request-Id",u);let w=await i.get(`${o}${u}`);if(w){let T=JSON.parse(w);return c.setHeader("X-Idempotent-Replayed","true"),c.status(T.statusCode).json(T.body)}let C=c.json.bind(c);c.json=n(function(S){if(c.statusCode>=200&&c.statusCode<300){let A={statusCode:c.statusCode,body:S,expiresAt:Date.now()+r};i.set(`${o}${u}`,JSON.stringify(A),"PX",r).catch(()=>{});}return C(S)},"idempotentJson"),a();}}n(et,"buildRedisMiddleware");function rt(e,r,t,s){let i=Math.max(e,5e3),o=new Map,f=setInterval(()=>{let c=Date.now();for(let[a,u]of o)u.expiresAt<=c&&o.delete(a);},i);return typeof f=="object"&&f!==null&&"unref"in f&&f.unref(),(c,a,u)=>{let w=c.headers[r];if(!w||typeof w!="string"||!t.has(c.method))return u();c.requestId=w,a.setHeader("X-Request-Id",w);let C=Date.now(),T=o.get(w);if(T&&T.expiresAt>C)return a.setHeader("X-Idempotent-Replayed","true"),a.status(T.statusCode).json(T.body);let S=a.json.bind(a);a.json=n(function(P){if(a.statusCode>=200&&a.statusCode<300){if(o.size>=s){let $=o.keys().next().value;$!==void 0&&o.delete($);}o.set(w,{statusCode:a.statusCode,body:P,expiresAt:Date.now()+e});}return S(P)},"idempotentJson"),u();}}n(rt,"buildMemoryMiddleware");var Ke=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>t){let f=Math.ceil((o.expiresAt-i)/1e3);throw new Error(`Rate limit exceeded. Try again in ${f} seconds.`)}o.count++;}},$e=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let f=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!f||f.length===0)return;if(f[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(f){if(f instanceof Error&&f.message.includes("Rate limit exceeded"))throw f;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:f});}}},X=null;async function br(e,r){if(X)return X;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),X=new $e(s,r??L),X}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return X=new Ke,X}n(br,"getRateLimiter");var Se=8,z=72,Ce=255,Ur=100,J=50;function g(e){return new l("VALIDATION_ERROR",e)}n(g,"badRequest");function b(e,r,t,s){e.status(r).json({error:false,statusCode:r,message:t,data:s});}n(b,"ok");function F(e,r){e.status(r.statusCode).json({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(F,"fail");function M(e){if(e==null||typeof e!="object"||Array.isArray(e))throw new l("VALIDATION_ERROR","Request body is missing or not a JSON object. Did you apply express.json()?");return e}n(M,"parseBody");function st(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new l("UNAUTHORIZED","Invalid or missing API key")}n(st,"validateApiKey");function He(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(He,"fireHook");function nt(e){return e.startsWith("RS")||e.startsWith("PS")}n(nt,"isRSA");function Me(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw g(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw g(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Ur)throw g(`identifiers[${r}].type must not exceed ${Ur} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw g(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ce)throw g(`identifiers[${r}].value must not exceed ${Ce} characters`);return {type:t.type,value:t.value}}n(Me,"validateIdentifierInput");function E(e){return e.requestId!==void 0?{requestId:e.requestId}:{}}n(E,"reqId");function Lr(e){let r=Router(),t=e,s=k(t),i=e.logger??L,o=e.loggerService??"sentri",f=ae(i,o),c=de(i,o),a=br(e.redisUrl,i),u=e.router?.register??(d=>ye(d,t)),w=e.router?.login??(d=>Ie(d,t)),C=e.router?.refresh??(d=>B(d,t)),T=e.router?.logout??(d=>d!==void 0?Re(d,t):Promise.resolve()),S=e.router?.logoutAll??(d=>_e(d,t)),A=e.router?.getUser??(d=>ge(d,t)),P=e.router?.assignRoles??((d,m)=>Ae(d,m,t)),$=e.router?.changePassword??((d,m,v)=>ve(d,m,v,t)),ce=e.router?.bulkCreateIdentifiers??((d,m)=>ke(d,m,t)),Fr=e.router?.bulkUpdateIdentifiers??((d,m)=>Ee(d,m,t)),Pr=e.router?.bulkDeleteIdentifiers??((d,m)=>Te(d,m,t));nt(s.algorithm)&&r.get("/keys",(d,m)=>{m.setHeader("Cache-Control","public, max-age=3600"),m.json(tr(e.secret));}),r.post("/register",async(d,m,v)=>{let R=Date.now();try{st(d,e);let h=M(d.body),{identifiers:I,password:_,roles:y}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let x=I.map((Z,Oe)=>Me(Z,Oe));if(typeof _!="string"||_.length<Se)throw g(`password is required and must be at least ${Se} characters`);if(_.length>z)throw g(`password must not exceed ${z} characters`);if(y!==void 0&&!Array.isArray(y))throw g("roles must be an array of strings when provided");if(Array.isArray(y)&&!y.every(Z=>typeof Z=="string"))throw g("each role must be a string");let U=Array.isArray(y)?y:void 0,N=U!==void 0?{identifiers:x,password:_,roles:U}:{identifiers:x,password:_},j=d.ip||"127.0.0.1",G=d.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let Z=await a,Oe=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await Z.consume(`register:${j}`,Oe,900*1e3);}let W=await u(N,{ip:j,userAgent:G});if(!W.success){i.warn(p(o,"auth.register.failure",{errorCode:W.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,W.error);return}i.info(p(o,"auth.register.success",{userId:W.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,201,"User registered successfully",{user:W.user});}catch(h){v(h);}}),r.post("/login",async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifier:I,password:_}=h;if(typeof I!="string"||I.trim().length===0)throw g("identifier is required and must be a non-empty string");if(I.length>Ce)throw g(`identifier must not exceed ${Ce} characters`);if(typeof _!="string"||_.length===0)throw g("password is required");if(_.length>z)throw g(`password must not exceed ${z} characters`);let y=I.trim(),x=d.ip||"127.0.0.1",U=d.get("user-agent")||"Unknown";if(e.rateLimit!==!1){let j=await a,G=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await j.consume(`login:${x}`,G,900*1e3);}let N=await w({identifier:y,password:_},{ip:x,userAgent:U});if(!N.success){He(()=>e.hooks?.onLoginFailed?.(y,N.error,{ip:x})),i.warn(p(o,"auth.login.failure",{errorCode:N.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,N.error);return}He(()=>e.hooks?.onLoginSuccess?.(N.user,{ip:x,userAgent:U})),ie(m,N.refreshToken,e),oe(m,N.accessToken,e),i.info(p(o,"auth.login.success",{userId:N.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Login successful",{accessToken:N.accessToken,user:N.user});}catch(h){v(h);}}),r.post("/refresh",async(d,m,v)=>{let R=Date.now();try{let h=H(d.headers.cookie,K(e));if(!h)throw new l("UNAUTHORIZED","Refresh token cookie is missing");let I=d.ip||"127.0.0.1",_=d.get("user-agent")||"Unknown",y=await C(h,{ip:I,userAgent:_});if(!y.success){Ne(m,e),i.warn(p(o,"auth.refresh.failure",{errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}ie(m,y.refreshToken,e),oe(m,y.accessToken,e),i.info(p(o,"auth.refresh.success",{userId:y.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Token refreshed",{accessToken:y.accessToken});}catch(h){v(h);}}),r.post("/logout",async(d,m,v)=>{let R=Date.now();try{let h=H(d.headers.cookie,K(e));await T(h),Ne(m,e),Pe(m,e),i.info(p(o,"auth.logout",{duration_ms:Date.now()-R,...E(d)})),b(m,200,"Logged out",null);}catch(h){v(h);}}),r.post("/logout-all",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id;await S(h),He(()=>e.hooks?.onLogout?.(h)),Ne(m,e),Pe(m,e),i.info(p(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-R,...E(d)})),b(m,200,"All sessions revoked",null);}catch(h){v(h);}}),r.get("/me",O(e),async(d,m,v)=>{let R=Date.now();try{let h=await A(d.user.id);if(!h.success){i.warn(p(o,"auth.me.failure",{userId:d.user.id,errorCode:h.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,h.error);return}i.info(p(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",h.user);}catch(h){v(h);}}),r.get("/me/identifiers",O(e),async(d,m,v)=>{let R=Date.now();try{let h=await A(d.user.id);if(!h.success){i.warn(p(o,"auth.me.identifiers.failure",{userId:d.user.id,errorCode:h.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,h.error);return}i.info(p(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",{identifiers:h.user.identifiers??[]});}catch(h){v(h);}});let le=c(d=>!!d.user);return r.post("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifiers:I}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let _=I.map((x,U)=>Me(x,U)),y=await ce(d.user.id,_);if(!y.success){i.warn(p(o,"auth.identifiers.create_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.identifiers.created",{userId:d.user.id,count:y.identifiers.length,duration_ms:Date.now()-R,...E(d)})),b(m,201,"Identifiers added successfully",{identifiers:y.identifiers});}catch(h){v(h);}}),r.put("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{identifiers:I}=h;if(!Array.isArray(I)||I.length===0)throw g("identifiers is required and must be a non-empty array");if(I.length>J)throw g(`identifiers must not exceed ${J} entries`);let _=I.map((x,U)=>{if(typeof x!="object"||x===null||Array.isArray(x))throw g(`identifiers[${U}] must be an object`);let N=x;if(typeof N.id!="string"||N.id.trim().length===0)throw g(`identifiers[${U}].id is required and must be a non-empty string`);let{type:j,value:G}=Me(x,U);return {id:N.id,type:j,value:G}}),y=await Fr(d.user.id,_);if(!y.success){i.warn(p(o,"auth.identifiers.update_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.identifiers.updated",{userId:d.user.id,count:y.identifiers.length,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Identifiers updated successfully",{identifiers:y.identifiers});}catch(h){v(h);}}),r.delete("/me/identifiers",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{ids:I}=h;if(!Array.isArray(I)||I.length===0)throw g("ids is required and must be a non-empty array of strings");if(!I.every(y=>typeof y=="string"))throw g("each id must be a string");let _=await Pr(d.user.id,I);if(!_.success){i.warn(p(o,"auth.identifiers.delete_failure",{userId:d.user.id,errorCode:_.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,_.error);return}i.info(p(o,"auth.identifiers.deleted",{userId:d.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Identifiers deleted successfully",{identifiers:_.identifiers});}catch(h){v(h);}}),r.patch("/me/password",O(e),le,async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{currentPassword:I,newPassword:_}=h;if(typeof I!="string"||I.length===0)throw g("currentPassword is required");if(typeof _!="string"||_.length<Se)throw g(`newPassword must be at least ${Se} characters`);if(_.length>z)throw g(`newPassword must not exceed ${z} characters`);if(I===_)throw g("newPassword must be different from currentPassword");let y=await $(d.user.id,I,_);if(!y.success){i.warn(p(o,"auth.password.change_failure",{userId:d.user.id,errorCode:y.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,y.error);return}i.info(p(o,"auth.password.changed",{userId:d.user.id,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Password updated successfully. All sessions have been revoked.",null);}catch(h){v(h);}}),r.post("/users/:userId/roles",O(e),f("admin"),async(d,m,v)=>{let R=Date.now();try{let h=M(d.body),{roles:I}=h,_=d.params.userId,y=typeof _=="string"?_:void 0;if(!y)throw g("userId is required");if(!Array.isArray(I)||I.length===0)throw g("roles must be a non-empty array of strings");if(!I.every(U=>typeof U=="string"))throw g("each role must be a string");let x=await P(y,I);if(!x.success){i.warn(p(o,"auth.roles.assign_failure",{targetUserId:y,errorCode:x.error.code,duration_ms:Date.now()-R,...E(d)})),F(m,x.error);return}i.info(p(o,"auth.roles.assigned",{targetUserId:y,roles:I,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Roles assigned successfully",{user:x.user});}catch(h){v(h);}}),r.use(ue()),r.get("/sessions",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id,_=await(e.router?.getSessions??(y=>Tr(y,t)))(h);i.info(p(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-R,...E(d)})),b(m,200,"OK",{sessions:_});}catch(h){v(h);}}),r.delete("/sessions/:id",O(e),async(d,m,v)=>{let R=Date.now();try{let h=d.user.id,I=d.params.id;await(e.router?.revokeSession??((y,x)=>xr(y,x,t)))(h,I),i.info(p(o,"auth.sessions.revoke",{userId:h,sessionId:I,duration_ms:Date.now()-R,...E(d)})),b(m,200,"Session revoked",null);}catch(h){v(h);}}),r}n(Lr,"createAuthRouter");function tn(e){if(e.mode==="client"){let a={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Ge(a);let u=a.logger??L,w=a.loggerService??"sentri",C=ae(u,w),T=de(u,w);return {protect:n(()=>O(a),"protect"),authorize:n((...S)=>C(...S),"authorize"),permit:n(S=>T(S),"permit"),errorHandler:n(S=>ue(S),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??L,i=t.loggerService??"sentri",o=k(t),f=ae(s,i),c=de(s,i);return {protect:n(()=>O(t),"protect"),authorize:n((...a)=>f(...a),"authorize"),permit:n(a=>c(a),"permit"),errorHandler:n(a=>ue(a),"errorHandler"),hashPassword:n(a=>Y(a,o.saltRounds),"hashPassword"),verifyPassword:n((a,u)=>q(a,u),"verifyPassword"),signAccessToken:n(a=>ee(a,t),"signAccessToken"),signRefreshToken:n(a=>re(a,t),"signRefreshToken"),verifyAccessToken:n(a=>fe(a,t),"verifyAccessToken"),verifyRefreshToken:n(a=>te(a,t),"verifyRefreshToken"),getCurrentAccessToken:n(a=>De(a,t),"getCurrentAccessToken"),router:n(()=>Lr(t),"router"),migrate:n(()=>We(D(t.dialect)),"migrate"),idempotencyMiddleware:n(a=>Or({...a,...t.redisUrl!==void 0&&{redisUrl:t.redisUrl}}),"idempotencyMiddleware"),register:n(a=>ye(a,t),"register"),login:n(a=>Ie(a,t),"login"),refresh:n(a=>B(a,t),"refresh"),logout:n(a=>Re(a,t),"logout"),logoutAll:n(a=>_e(a,t),"logoutAll"),getUser:n(a=>ge(a,t),"getUser"),changePassword:n((a,u,w)=>ve(a,u,w,t),"changePassword"),assignRoles:n((a,u)=>Ae(a,u,t),"assignRoles"),bulkCreateIdentifiers:n((a,u)=>ke(a,u,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((a,u)=>Ee(a,u,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((a,u)=>Te(a,u,t),"bulkDeleteIdentifiers")}}n(tn,"createAuthExpress");export{je as SENTRI_ERROR_STATUS,l as SentriError,Zr as authorize,tn as createAuthExpress,Lr as createAuthRouter,ae as createAuthorize,ue as createErrorHandler,Or as createIdempotencyMiddleware,de as createPermit,De as getCurrentAccessToken,qr as permit,O as protect};
|