sentri 5.0.1 → 5.0.2

package/dist/adapters/fastify/index.cjs

@@ -1 +1 @@
-'use strict';var crypto=require('crypto'),kysely=require('kysely'),Ze=require('bcrypt'),J=require('jsonwebtoken');require('@fastify/cookie');var stream=require('stream');function _interopDefault(e){return e&&e.__esModule?e:{default:e}}var Ze__default=/*#__PURE__*/_interopDefault(Ze);var J__default=/*#__PURE__*/_interopDefault(J);var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var $e=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??$e[r]??500;}};var Ve=new WeakMap,Me=32,Be=10,je=31;function Xe(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Me)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Me} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>je)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${je}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new u("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(Xe,"validateConfig");function g(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(g,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},ze=new Map;function H(e){if(typeof e=="number")return e*1e3;let r=ze.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return ze.set(e,i),i}n(H,"parseExpiry");var D={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function T(e){let r=We.get(e);return r||(r=new kysely.Kysely({dialect:e}),We.set(e,r)),r}n(T,"getDatabase");async function W(e,r=12){return Ze__default.default.hash(e,r)}n(W,"hashPassword");async function Z(e,r){return Ze__default.default.compare(e,r)}n(Z,"verifyPassword");var Je=new Map,Ye=new Map,Vr=3600*1e3;function Qe(e){let r=Je.get(e);if(!r){let t=crypto.createPrivateKey(e),s=crypto.createPublicKey(t),i=s.export({format:"jwk"}),c=crypto.createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),y={...i,use:"sig",kid:c};r={kid:c,publicKey:s,jwk:y},Je.set(e,r);}return r}n(Qe,"getOrBuildKey");function er(e){let{jwk:r}=Qe(e);return {keys:[r]}}n(er,"buildJwks");function rr(e){return Qe(e).publicKey}n(rr,"getPublicKeyFromPrivate");async function tr(e){let r=Date.now(),t=Ye.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],c=crypto.createPublicKey({key:o,format:"jwk"});return Ye.set(e,{publicKey:c,fetchedAt:r}),c}n(tr,"fetchPublicKey");var sr=new Map,nr=new Map,ir=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ar(e){let r=sr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},sr.set(e,r)),r}n(ar,"getHsSecrets");function Br(e){let r=nr.get(e);return r||(r=crypto.createPrivateKey(e),nr.set(e,r)),r}n(Br,"getRsPrivateKey");function dr(e){let r=g(e);if(or(r.algorithm)){let i=Br(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ar(e.secret);return {accessKey:t,refreshKey:s}}n(dr,"getSigningKeys");function cr(e,r){let t=g(e);if(or(t.algorithm))return rr(e.secret);let{access:s,refresh:i}=ar(e.secret);return r==="access"?s:i}n(cr,"getVerifyKey");function ur(e,r,t,s){let i=`${t}:${s}`,o=ir.get(i);return o||(o={expiresIn:t,algorithm:s},ir.set(i,o)),J__default.default.sign(e,r,o)}n(ur,"sign");function lr(e,r,t){try{let s=J__default.default.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof J__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verify");function Y(e,r){let t=g(r),{accessKey:s}=dr(r);return ur(e,s,t.accessExpiresIn,t.algorithm)}n(Y,"signAccessToken");function q(e,r){let t=g(r),{refreshKey:s}=dr(r);return ur({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(q,"signRefreshToken");function ce(e,r){let t=g(r),s=cr(r,"access");return lr(e,s,t.algorithm)}n(ce,"verifyAccessToken");function Q(e,r){let t=g(r),s=cr(r,"refresh");return lr(e,s,t.algorithm)}n(Q,"verifyRefreshToken");function fr(e,r){try{let t=J__default.default.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof J__default.default.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verifyTokenWithPublicKey");function Ce(e){try{return JSON.parse(e)}catch{return []}}n(Ce,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function mr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(mr,"mapIdentifier");async function ee(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ee,"findUserByIdentifierValue");async function ue(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ue,"findUserById");async function pr(e,r,t){let s=t.map(i=>({id:crypto.randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(pr,"createIdentifiers");async function re(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(mr)}n(re,"findIdentifiersByUserId");async function Oe(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?mr(s):null}n(Oe,"findIdentifierById");async function wr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(wr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function yr(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(yr,"deleteIdentifiers");async function Rr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(Rr,"updateUserPassword");async function _r(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(_r,"updateUserRoles");async function be(e,r){let t=crypto.randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function le(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ce(t.roles)}}:null}n(le,"findSessionById");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(fe,"deleteSession");async function gr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(gr,"markSessionReplaced");async function he(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(he,"deleteAllSessionsForUser");async function vr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(vr,"findSessionsByUserId");async function me(e,r,t){let s=g(r),i=T(r.dialect),o=e.roles??[],c=o.filter(A=>!s.validRolesSet.has(A));if(c.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${c.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let y=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),d=y.filter(A=>!s.validIdentifiersSet.has(A.type));if(d.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${d.map(A=>A.type).join(", ")}`)};if(new Set(y.map(A=>A.value)).size!==y.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of y)if(await ee(i,A.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let v=await W(e.password,s.saltRounds),{userId:C,identifierRows:x}=await i.transaction().execute(async A=>{let P=crypto.randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:v,roles:JSON.stringify(o)}).execute();let j=y.map(de=>({id:crypto.randomUUID(),user_id:P,type:de.type,value:de.value}));return await A.insertInto("sentri_identifiers").values(j).execute(),{userId:P,identifierRows:j}}),O={success:true,user:{id:C,roles:o,identifiers:x.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(O.user),O}n(me,"register");async function pe(e,r,t){let s=g(r),i=T(r.dialect),o=await ee(i,e.identifier.trim());if(!o){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await Z(e.password,o.passwordHash)){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let y=new Date(Date.now()+H(s.refreshExpiresIn)),d=await be(i,{userId:o.id,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),l={id:o.id,roles:o.roles},v=Y({id:o.id,roles:o.roles,sessionId:d.id},r),C=q(d.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(l,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:v,refreshToken:C,user:l}}n(pe,"login");async function $(e,r,t){let s=g(r),i=T(r.dialect),o;try{({sessionId:o}=Q(e,r));}catch(x){return x instanceof u?{success:false,error:x}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let c=await le(i,o);if(!c)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(c.replacedBy)return await he(i,c.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(c.expiresAt.getTime()<Date.now())return await fe(i,o),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let y=new Date(Date.now()+H(s.refreshExpiresIn)),d=await be(i,{userId:c.userId,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await gr(i,o,d.id);let l={id:c.user.id,roles:c.user.roles},v=Y({...l,sessionId:d.id},r),C=q(d.id,r);return {success:true,accessToken:v,refreshToken:C,user:l}}n($,"refresh");async function we(e,r){let t=T(r.dialect),s;try{({sessionId:s}=Q(e,r));}catch{return}let i=await le(t,s);i&&(await fe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(we,"logout");async function Ie(e,r){let t=T(r.dialect);await he(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(Ie,"logoutAll");async function ye(e,r){let t=T(r.dialect),s=await ue(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let i=await re(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ye,"getUser");async function Re(e,r,t,s){let i=g(s),o=T(s.dialect),c=await ue(o,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await Z(r,c.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let d=await W(t,i.saltRounds);return await Rr(o,e,d),await he(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(Re,"changePassword");async function _e(e,r,t){let s=g(t),i=T(t.dialect),o=r.filter(l=>!s.validRolesSet.has(l));if(o.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=await ue(i,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let y=new Set(c.roles);for(let l of r)y.add(l);let d=Array.from(y);return await _r(i,e,d),{success:true,user:{id:c.id,roles:d}}}n(_e,"assignRoles");async function ge(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()})),c=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(c.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${c.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await ee(i,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await pr(i,e,o),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ge,"bulkCreateIdentifiers");async function ve(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()})),c=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(c.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${c.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let v=await Oe(i,l.id,e);if(!v)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(v.value!==l.value&&await ee(i,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await i.transaction().execute(async l=>{for(let v of o)await Ir(l,v.id,e,{type:v.type,value:v.value});}),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ae(e,r,t){let s=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let y of i)if(!await Oe(s,y,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${y}`)};return await wr(s,e)-i.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await yr(s,e,i),{success:true,identifiers:(await re(s,e)).map(y=>({id:y.id,type:y.type,value:y.value}))})}n(Ae,"bulkDeleteIdentifiers");async function kr(e,r){let t=T(r.dialect);return (await vr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(kr,"getSessions");async function Er(e,r,t){let s=T(t.dialect),i=await le(s,r);i&&i.userId===e&&await fe(s,r);}n(Er,"revokeSession");function U(e){return g(e).cookieName}n(U,"getCookieName");function ke(e){return g(e).accessCookieName}n(ke,"getAccessCookieName");function L(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(L,"readCookie");function te(e,r,t){let s=t.cookie??{},i=H(g(t).refreshExpiresIn)/1e3;e.setCookie(U(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(te,"setCookieFromConfig");function Ee(e,r){let t=r.cookie??{};e.clearCookie(U(r),{path:t.path??"/"});}n(Ee,"clearCookieFromConfig");function se(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=H(g(t).accessExpiresIn)/1e3;e.setCookie(ke(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(se,"setAccessCookieFromConfig");function Ue(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(ke(r),{path:t.path??"/"});}n(Ue,"clearAccessCookieFromConfig");function Te(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):L(e.headers.cookie,ke(r))}n(Te,"getCurrentAccessToken");function ne(e){let r=e.logger??D,t=e.loggerService??"sentri";return e.mode==="client"?zr(e.keyUri,r,t):Xr(e,r,t)}n(ne,"protect");function zr(e,r,t){return async s=>{let i=s.headers.authorization,o=i?.startsWith("Bearer ")?i.slice(7):void 0;if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=await tr(e),y=fr(o,c);s.user={id:y.id,roles:y.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:y.id,requestId:s.id}));}catch(c){let y=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:y,requestId:s.id})),c}}}n(zr,"protectClient");function Xr(e,r,t){return async(s,i)=>{let o=Te(s,e);if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=ce(o,e);if(e.isTokenRevoked&&await e.isTokenRevoked(c.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:c.id,requestId:s.id})),new u("UNAUTHORIZED","Token has been revoked");s.user={id:c.id,roles:c.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:c.id,requestId:s.id}));}catch(c){if(c instanceof u&&c.code==="TOKEN_EXPIRED"){let y=L(s.headers.cookie,U(e));if(!y)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Token expired. Please login again.");let d;try{d=await $(y,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.")}if(!d.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:d.error.code,requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.");te(i,d.refreshToken,e),se(i,d.accessToken,e),i.header("X-New-Access-Token",d.accessToken),s.user=d.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:d.user.id,requestId:s.id}));}else {let y=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:y,requestId:s.id})),c}}}}n(Xr,"protectServer");function Tr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async i=>{if(!i.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:i.id})),new u("UNAUTHORIZED","Not authenticated");let o=i.user.roles;if(!e.some(c=>o.includes(c)))throw r.warn(m(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id})),new u("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id}));}}n(Tr,"createAuthorizeHandler");function ie(e,r){return n(function(...s){return Tr(s,e,r)},"authorize")}n(ie,"createAuthorize");function Gr(...e){return Tr(e,D,"sentri")}n(Gr,"authorize");var Wr=new u("FORBIDDEN","You do not have permission to perform this action");function xr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new u("UNAUTHORIZED","Not authenticated");let i=s.user.id;if(e.roles&&e.roles.length>0){let y=s.user.roles;if(e.roles.some(d=>y.includes(d))){r.info(m(t,"auth.permit.role_bypass",{userId:i,bypassedByRole:true,requestId:s.id}));return}}let o=e.check(s);if(o instanceof Promise?await o:o)r.info(m(t,"auth.permit.passed",{userId:i,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:i,requestId:s.id})),Wr}}n(xr,"createPermitHandler");function oe(e,r){return n(function(s){return xr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return xr(typeof e=="function"?{check:e}:e,D,"sentri")}n(Zr,"permit");var Le=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>t){let c=Math.ceil((o.expiresAt-i)/1e3);throw new Error(`Rate limit exceeded. Try again in ${c} seconds.`)}o.count++;}},Fe=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let c=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!c||c.length===0)return;if(c[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(c){if(c instanceof Error&&c.message.includes("Rate limit exceeded"))throw c;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:c});}}},V=null;async function Nr(e,r){if(V)return V;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),V=new Fe(s,r??D),V}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return V=new Le,V}n(Nr,"getRateLimiter");function ae(e){return (r,t,s)=>{if(r instanceof u){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ae,"createErrorHandler");var xe=8,M=72,Ne=255,Dr=100,B=50;function _(e){return new u("VALIDATION_ERROR",e)}n(_,"badRequest");function N(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(N,"ok");function b(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(b,"fail");function F(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(F,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Ke(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Ke,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw _(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw _(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Dr)throw _(`identifiers[${r}].type must not exceed ${Dr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw _(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ne)throw _(`identifiers[${r}].value must not exceed ${Ne} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function Sr(e){return async r=>{let t=e,s=g(t),i=e.logger??D,o=e.loggerService??"sentri",c=ne(e),y=ie(i,o),d=oe(i,o),l=Nr(e.redisUrl,i),v=d(a=>!!a.user);r.setErrorHandler(ae()),r.addHook("preParsing",function(a,f,p,h){if(!a.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,stream.Readable.from("{}"));return}let w=[];p.on("data",R=>w.push(R)),p.on("end",()=>{let R=Buffer.concat(w);h(null,R.length===0?stream.Readable.from("{}"):stream.Readable.from(R));}),p.on("error",R=>h(R));});let C=e.router?.register??(a=>me(a,t)),x=e.router?.login??(a=>pe(a,t)),O=e.router?.refresh??(a=>$(a,t)),A=e.router?.logout??(a=>a!==void 0?we(a,t):Promise.resolve()),P=e.router?.logoutAll??(a=>Ie(a,t)),j=e.router?.getUser??(a=>ye(a,t)),de=e.router?.assignRoles??((a,f)=>_e(a,f,t)),Cr=e.router?.changePassword??((a,f,p)=>Re(a,f,p,t)),Or=e.router?.bulkCreateIdentifiers??((a,f)=>ge(a,f,t)),br=e.router?.bulkUpdateIdentifiers??((a,f)=>ve(a,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((a,f)=>Ae(a,f,t));Yr(s.algorithm)&&r.get("/keys",async(a,f)=>{f.header("Cache-Control","public, max-age=3600").send(er(e.secret));}),r.post("/register",async(a,f)=>{let p=Date.now();Jr(a,e);let h=F(a),{identifiers:w,password:R,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let k=w.map((G,De)=>He(G,De));if(typeof R!="string"||R.length<xe)throw _(`password is required and must be at least ${xe} characters`);if(R.length>M)throw _(`password must not exceed ${M} characters`);if(I!==void 0&&!Array.isArray(I))throw _("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(G=>typeof G=="string"))throw _("each role must be a string");let S=Array.isArray(I)?I:void 0,E=S!==void 0?{identifiers:k,password:R,roles:S}:{identifiers:k,password:R},K=a.ip||"127.0.0.1",z=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let G=await l,De=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await G.consume(`register:${K}`,De,900*1e3);}let X=await C(E,{ip:K,userAgent:z});if(!X.success){i.warn(m(o,"auth.register.failure",{errorCode:X.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,X.error);return}i.info(m(o,"auth.register.success",{userId:X.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,201,"User registered successfully",{user:X.user});}),r.post("/login",async(a,f)=>{let p=Date.now(),h=F(a),{identifier:w,password:R}=h;if(typeof w!="string"||w.trim().length===0)throw _("identifier is required and must be a non-empty string");if(w.length>Ne)throw _(`identifier must not exceed ${Ne} characters`);if(typeof R!="string"||R.length===0)throw _("password is required");if(R.length>M)throw _(`password must not exceed ${M} characters`);let I=w.trim(),k=a.ip||"127.0.0.1",S=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let K=await l,z=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await K.consume(`login:${k}`,z,900*1e3);}let E=await x({identifier:I,password:R},{ip:k,userAgent:S});if(!E.success){Ke(()=>e.hooks?.onLoginFailed?.(I,E.error,{ip:k})),i.warn(m(o,"auth.login.failure",{errorCode:E.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,E.error);return}Ke(()=>e.hooks?.onLoginSuccess?.(E.user,{ip:k,userAgent:S})),te(f,E.refreshToken,e),se(f,E.accessToken,e),i.info(m(o,"auth.login.success",{userId:E.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Login successful",{accessToken:E.accessToken,user:E.user});}),r.post("/refresh",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));if(!h)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let w=a.ip||"127.0.0.1",R=a.headers["user-agent"]||"Unknown",I=await O(h,{ip:w,userAgent:R});if(!I.success){Ee(f,e),i.warn(m(o,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}te(f,I.refreshToken,e),se(f,I.accessToken,e),i.info(m(o,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));await A(h),Ee(f,e),Ue(f,e),i.info(m(o,"auth.logout",{duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id;await P(h),Ke(()=>e.hooks?.onLogout?.(h)),Ee(f,e),Ue(f,e),i.info(m(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:c},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:c},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.identifiers.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let R=w.map((k,S)=>He(k,S)),I=await Or(a.user.id,R);if(!I.success){i.warn(m(o,"auth.identifiers.create_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.created",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),N(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let R=w.map((k,S)=>{if(typeof k!="object"||k===null||Array.isArray(k))throw _(`identifiers[${S}] must be an object`);let E=k;if(typeof E.id!="string"||E.id.trim().length===0)throw _(`identifiers[${S}].id is required and must be a non-empty string`);let{type:K,value:z}=He(k,S);return {id:E.id,type:K,value:z}}),I=await br(a.user.id,R);if(!I.success){i.warn(m(o,"auth.identifiers.update_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.updated",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw _("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw _("each id must be a string");let R=await Ur(a.user.id,w);if(!R.success){i.warn(m(o,"auth.identifiers.delete_failure",{userId:a.user.id,errorCode:R.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,R.error);return}i.info(m(o,"auth.identifiers.deleted",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Identifiers deleted successfully",{identifiers:R.identifiers});}),r.patch("/me/password",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{currentPassword:w,newPassword:R}=h;if(typeof w!="string"||w.length===0)throw _("currentPassword is required");if(typeof R!="string"||R.length<xe)throw _(`newPassword must be at least ${xe} characters`);if(R.length>M)throw _(`newPassword must not exceed ${M} characters`);if(w===R)throw _("newPassword must be different from currentPassword");let I=await Cr(a.user.id,w,R);if(!I.success){i.warn(m(o,"auth.password.change_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.password.changed",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[c,y("admin")]},async(a,f)=>{let p=Date.now(),h=F(a),{roles:w}=h,R=a.params.userId;if(!R)throw _("userId is required");if(!Array.isArray(w)||w.length===0)throw _("roles must be a non-empty array of strings");if(!w.every(k=>typeof k=="string"))throw _("each role must be a string");let I=await de(R,w);if(!I.success){i.warn(m(o,"auth.roles.assign_failure",{targetUserId:R,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.roles.assigned",{targetUserId:R,roles:w,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id,R=await(e.router?.getSessions??(I=>kr(I,t)))(h);i.info(m(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",{sessions:R});}),r.delete("/sessions/:id",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id,w=a.params.id;await(e.router?.revokeSession??((I,k)=>Er(I,k,t)))(h,w),i.info(m(o,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Session revoked",null);});}}n(Sr,"createAuthPlugin");function Bs(e){if(e.mode==="client"){let d={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Xe(d);let l=d.logger??D,v=d.loggerService??"sentri",C=ie(l,v),x=oe(l,v);return {protect:n(()=>ne(d),"protect"),authorize:n((...O)=>C(...O),"authorize"),permit:n(O=>x(O),"permit"),errorHandler:n(O=>ae(O),"errorHandler")}}let{privateKey:r}=crypto.generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??D,i=t.loggerService??"sentri",o=g(t),c=ie(s,i),y=oe(s,i);return {protect:n(()=>ne(t),"protect"),authorize:n((...d)=>c(...d),"authorize"),permit:n(d=>y(d),"permit"),plugin:n(()=>Sr(t),"plugin"),errorHandler:n(d=>ae(d),"errorHandler"),migrate:n(()=>Ge(T(t.dialect)),"migrate"),getCurrentAccessToken:n(d=>Te(d,t),"getCurrentAccessToken"),hashPassword:n(d=>W(d,o.saltRounds),"hashPassword"),verifyPassword:n((d,l)=>Z(d,l),"verifyPassword"),signAccessToken:n(d=>Y(d,t),"signAccessToken"),signRefreshToken:n(d=>q(d,t),"signRefreshToken"),verifyAccessToken:n(d=>ce(d,t),"verifyAccessToken"),verifyRefreshToken:n(d=>Q(d,t),"verifyRefreshToken"),register:n(d=>me(d,t),"register"),login:n(d=>pe(d,t),"login"),refresh:n(d=>$(d,t),"refresh"),logout:n(d=>we(d,t),"logout"),logoutAll:n(d=>Ie(d,t),"logoutAll"),getUser:n(d=>ye(d,t),"getUser"),changePassword:n((d,l,v)=>Re(d,l,v,t),"changePassword"),assignRoles:n((d,l)=>_e(d,l,t),"assignRoles"),bulkCreateIdentifiers:n((d,l)=>ge(d,l,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((d,l)=>ve(d,l,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((d,l)=>Ae(d,l,t),"bulkDeleteIdentifiers")}}n(Bs,"createAuthFastify");exports.SENTRI_ERROR_STATUS=$e;exports.SentriError=u;exports.authorize=Gr;exports.createAuthFastify=Bs;exports.createAuthPlugin=Sr;exports.createAuthorize=ie;exports.createErrorHandler=ae;exports.createPermit=oe;exports.getCurrentAccessToken=Te;exports.permit=Zr;exports.protect=ne;
+'use strict';var crypto=require('crypto'),kysely=require('kysely'),Ze=require('bcrypt'),J=require('jsonwebtoken');require('@fastify/cookie');var stream=require('stream');function _interopDefault(e){return e&&e.__esModule?e:{default:e}}var Ze__default=/*#__PURE__*/_interopDefault(Ze);var J__default=/*#__PURE__*/_interopDefault(J);var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var $e=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401,RATE_LIMIT_EXCEEDED:429}),d=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??$e[r]??500;}};var Ve=new WeakMap,Me=32,Be=10,je=31;function ze(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new d("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new d("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Me)throw new d("CONFIGURATION_ERROR",`secret must be at least ${Me} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>je)throw new d("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${je}`);if(!e.validRoles||e.validRoles.length===0)throw new d("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new d("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new d("CONFIGURATION_ERROR","dialect is required in server mode")}n(ze,"validateConfig");function g(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(g,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},Xe=new Map;function H(e){if(typeof e=="number")return e*1e3;let r=Xe.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return Xe.set(e,i),i}n(H,"parseExpiry");var N={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(kysely.sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function T(e){let r=We.get(e);return r||(r=new kysely.Kysely({dialect:e}),We.set(e,r)),r}n(T,"getDatabase");async function W(e,r=12){return Ze__default.default.hash(e,r)}n(W,"hashPassword");async function Z(e,r){return Ze__default.default.compare(e,r)}n(Z,"verifyPassword");var Je=new Map,Ye=new Map,Vr=3600*1e3;function Qe(e){let r=Je.get(e);if(!r){let t=crypto.createPrivateKey(e),s=crypto.createPublicKey(t),i=s.export({format:"jwk"}),u=crypto.createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),y={...i,use:"sig",kid:u};r={kid:u,publicKey:s,jwk:y},Je.set(e,r);}return r}n(Qe,"getOrBuildKey");function er(e){let{jwk:r}=Qe(e);return {keys:[r]}}n(er,"buildJwks");function rr(e){return Qe(e).publicKey}n(rr,"getPublicKeyFromPrivate");async function tr(e){let r=Date.now(),t=Ye.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new d("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new d("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],u=crypto.createPublicKey({key:o,format:"jwk"});return Ye.set(e,{publicKey:u,fetchedAt:r}),u}n(tr,"fetchPublicKey");var sr=new Map,nr=new Map,ir=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ar(e){let r=sr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},sr.set(e,r)),r}n(ar,"getHsSecrets");function Br(e){let r=nr.get(e);return r||(r=crypto.createPrivateKey(e),nr.set(e,r)),r}n(Br,"getRsPrivateKey");function dr(e){let r=g(e);if(or(r.algorithm)){let i=Br(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ar(e.secret);return {accessKey:t,refreshKey:s}}n(dr,"getSigningKeys");function cr(e,r){let t=g(e);if(or(t.algorithm))return rr(e.secret);let{access:s,refresh:i}=ar(e.secret);return r==="access"?s:i}n(cr,"getVerifyKey");function ur(e,r,t,s){let i=`${t}:${s}`,o=ir.get(i);return o||(o={expiresIn:t,algorithm:s},ir.set(i,o)),J__default.default.sign(e,r,o)}n(ur,"sign");function lr(e,r,t){try{let s=J__default.default.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new d("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof d?s:s instanceof J__default.default.TokenExpiredError?new d("TOKEN_EXPIRED","Token has expired"):new d("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verify");function Y(e,r){let t=g(r),{accessKey:s}=dr(r);return ur(e,s,t.accessExpiresIn,t.algorithm)}n(Y,"signAccessToken");function q(e,r){let t=g(r),{refreshKey:s}=dr(r);return ur({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(q,"signRefreshToken");function ce(e,r){let t=g(r),s=cr(r,"access");return lr(e,s,t.algorithm)}n(ce,"verifyAccessToken");function Q(e,r){let t=g(r),s=cr(r,"refresh");return lr(e,s,t.algorithm)}n(Q,"verifyRefreshToken");function fr(e,r){try{let t=J__default.default.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new d("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof d?t:t instanceof J__default.default.TokenExpiredError?new d("TOKEN_EXPIRED","Token has expired"):new d("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verifyTokenWithPublicKey");function Ce(e){try{return JSON.parse(e)}catch{return []}}n(Ce,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function mr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(mr,"mapIdentifier");async function ee(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ee,"findUserByIdentifierValue");async function ue(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ue,"findUserById");async function pr(e,r,t){let s=t.map(i=>({id:crypto.randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(pr,"createIdentifiers");async function re(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(mr)}n(re,"findIdentifiersByUserId");async function Oe(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?mr(s):null}n(Oe,"findIdentifierById");async function wr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(wr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function yr(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(yr,"deleteIdentifiers");async function _r(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(_r,"updateUserPassword");async function Rr(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(Rr,"updateUserRoles");async function be(e,r){let t=crypto.randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function le(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ce(t.roles)}}:null}n(le,"findSessionById");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(fe,"deleteSession");async function gr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(gr,"markSessionReplaced");async function he(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(he,"deleteAllSessionsForUser");async function vr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(vr,"findSessionsByUserId");async function me(e,r,t){let s=g(r),i=T(r.dialect),o=e.roles??[],u=o.filter(A=>!s.validRolesSet.has(A));if(u.length>0)return {success:false,error:new d("INVALID_ROLE",`Invalid roles: ${u.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one identifier is required")};let y=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),c=y.filter(A=>!s.validIdentifiersSet.has(A.type));if(c.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${c.map(A=>A.type).join(", ")}`)};if(new Set(y.map(A=>A.value)).size!==y.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of y)if(await ee(i,A.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let v=await W(e.password,s.saltRounds),{userId:C,identifierRows:x}=await i.transaction().execute(async A=>{let P=crypto.randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:v,roles:JSON.stringify(o)}).execute();let j=y.map(de=>({id:crypto.randomUUID(),user_id:P,type:de.type,value:de.value}));return await A.insertInto("sentri_identifiers").values(j).execute(),{userId:P,identifierRows:j}}),O={success:true,user:{id:C,roles:o,identifiers:x.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(O.user),O}n(me,"register");async function pe(e,r,t){let s=g(r),i=T(r.dialect),o=await ee(i,e.identifier.trim());if(!o){let x=new d("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await Z(e.password,o.passwordHash)){let x=new d("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let y=new Date(Date.now()+H(s.refreshExpiresIn)),c=await be(i,{userId:o.id,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),l={id:o.id,roles:o.roles},v=Y({id:o.id,roles:o.roles,sessionId:c.id},r),C=q(c.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(l,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:v,refreshToken:C,user:l}}n(pe,"login");async function $(e,r,t){let s=g(r),i=T(r.dialect),o;try{({sessionId:o}=Q(e,r));}catch(x){return x instanceof d?{success:false,error:x}:{success:false,error:new d("TOKEN_INVALID","Invalid refresh token")}}let u=await le(i,o);if(!u)return {success:false,error:new d("UNAUTHORIZED","Session not found or revoked")};if(u.replacedBy)return await he(i,u.userId),{success:false,error:new d("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(u.expiresAt.getTime()<Date.now())return await fe(i,o),{success:false,error:new d("TOKEN_EXPIRED","Session has expired")};let y=new Date(Date.now()+H(s.refreshExpiresIn)),c=await be(i,{userId:u.userId,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await gr(i,o,c.id);let l={id:u.user.id,roles:u.user.roles},v=Y({...l,sessionId:c.id},r),C=q(c.id,r);return {success:true,accessToken:v,refreshToken:C,user:l}}n($,"refresh");async function we(e,r){let t=T(r.dialect),s;try{({sessionId:s}=Q(e,r));}catch{return}let i=await le(t,s);i&&(await fe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(we,"logout");async function Ie(e,r){let t=T(r.dialect);await he(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(Ie,"logoutAll");async function ye(e,r){let t=T(r.dialect),s=await ue(t,e);if(!s)return {success:false,error:new d("USER_NOT_FOUND","User not found")};let i=await re(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ye,"getUser");async function _e(e,r,t,s){let i=g(s),o=T(s.dialect),u=await ue(o,e);if(!u)return {success:false,error:new d("USER_NOT_FOUND","User not found")};if(!await Z(r,u.passwordHash))return {success:false,error:new d("INVALID_CREDENTIALS","Invalid credentials")};let c=await W(t,i.saltRounds);return await _r(o,e,c),await he(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(_e,"changePassword");async function Re(e,r,t){let s=g(t),i=T(t.dialect),o=r.filter(l=>!s.validRolesSet.has(l));if(o.length>0)return {success:false,error:new d("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let u=await ue(i,e);if(!u)return {success:false,error:new d("USER_NOT_FOUND","User not found")};let y=new Set(u.roles);for(let l of r)y.add(l);let c=Array.from(y);return await Rr(i,e,c),{success:true,user:{id:u.id,roles:c}}}n(Re,"assignRoles");async function ge(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()})),u=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(u.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${u.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await ee(i,l.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await pr(i,e,o),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ge,"bulkCreateIdentifiers");async function ve(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()})),u=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(u.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${u.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let v=await Oe(i,l.id,e);if(!v)return {success:false,error:new d("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(v.value!==l.value&&await ee(i,l.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await i.transaction().execute(async l=>{for(let v of o)await Ir(l,v.id,e,{type:v.type,value:v.value});}),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ae(e,r,t){let s=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let y of i)if(!await Oe(s,y,e))return {success:false,error:new d("IDENTIFIER_NOT_FOUND",`Identifier not found: ${y}`)};return await wr(s,e)-i.length<1?{success:false,error:new d("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await yr(s,e,i),{success:true,identifiers:(await re(s,e)).map(y=>({id:y.id,type:y.type,value:y.value}))})}n(Ae,"bulkDeleteIdentifiers");async function Er(e,r){let t=T(r.dialect);return (await vr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(Er,"getSessions");async function kr(e,r,t){let s=T(t.dialect),i=await le(s,r);i&&i.userId===e&&await fe(s,r);}n(kr,"revokeSession");function U(e){return g(e).cookieName}n(U,"getCookieName");function Ee(e){return g(e).accessCookieName}n(Ee,"getAccessCookieName");function L(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(L,"readCookie");function te(e,r,t){let s=t.cookie??{},i=H(g(t).refreshExpiresIn)/1e3;e.setCookie(U(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(te,"setCookieFromConfig");function ke(e,r){let t=r.cookie??{};e.clearCookie(U(r),{path:t.path??"/"});}n(ke,"clearCookieFromConfig");function se(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=H(g(t).accessExpiresIn)/1e3;e.setCookie(Ee(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(se,"setAccessCookieFromConfig");function Ue(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Ee(r),{path:t.path??"/"});}n(Ue,"clearAccessCookieFromConfig");function Te(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):L(e.headers.cookie,Ee(r))}n(Te,"getCurrentAccessToken");function ne(e){let r=e.logger??N,t=e.loggerService??"sentri";return e.mode==="client"?Xr(e.keyUri,r,t):zr(e,r,t)}n(ne,"protect");function Xr(e,r,t){return async s=>{let i=s.headers.authorization,o=i?.startsWith("Bearer ")?i.slice(7):void 0;if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new d("UNAUTHORIZED","Missing or malformed Authorization header");try{let u=await tr(e),y=fr(o,u);s.user={id:y.id,roles:y.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:y.id,requestId:s.id}));}catch(u){let y=u instanceof d?u.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:y,requestId:s.id})),u}}}n(Xr,"protectClient");function zr(e,r,t){return async(s,i)=>{let o=Te(s,e);if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new d("UNAUTHORIZED","Missing or malformed Authorization header");try{let u=ce(o,e);if(e.isTokenRevoked&&await e.isTokenRevoked(u.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:u.id,requestId:s.id})),new d("UNAUTHORIZED","Token has been revoked");s.user={id:u.id,roles:u.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:u.id,requestId:s.id}));}catch(u){if(u instanceof d&&u.code==="TOKEN_EXPIRED"){let y=L(s.headers.cookie,U(e));if(!y)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new d("UNAUTHORIZED","Token expired. Please login again.");let c;try{c=await $(y,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new d("UNAUTHORIZED","Session expired. Please login again.")}if(!c.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:c.error.code,requestId:s.id})),new d("UNAUTHORIZED","Session expired. Please login again.");te(i,c.refreshToken,e),se(i,c.accessToken,e),i.header("X-New-Access-Token",c.accessToken),s.user=c.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:c.user.id,requestId:s.id}));}else {let y=u instanceof d?u.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:y,requestId:s.id})),u}}}}n(zr,"protectServer");function Tr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async i=>{if(!i.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:i.id})),new d("UNAUTHORIZED","Not authenticated");let o=i.user.roles;if(!e.some(u=>o.includes(u)))throw r.warn(m(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id})),new d("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id}));}}n(Tr,"createAuthorizeHandler");function ie(e,r){return n(function(...s){return Tr(s,e,r)},"authorize")}n(ie,"createAuthorize");function Gr(...e){return Tr(e,N,"sentri")}n(Gr,"authorize");var Wr=new d("FORBIDDEN","You do not have permission to perform this action");function xr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new d("UNAUTHORIZED","Not authenticated");let i=s.user.id;if(e.roles&&e.roles.length>0){let y=s.user.roles;if(e.roles.some(c=>y.includes(c))){r.info(m(t,"auth.permit.role_bypass",{userId:i,bypassedByRole:true,requestId:s.id}));return}}let o=e.check(s);if(o instanceof Promise?await o:o)r.info(m(t,"auth.permit.passed",{userId:i,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:i,requestId:s.id})),Wr}}n(xr,"createPermitHandler");function oe(e,r){return n(function(s){return xr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return xr(typeof e=="function"?{check:e}:e,N,"sentri")}n(Zr,"permit");var Le=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>=t){let u=Math.ceil((o.expiresAt-i)/1e3);throw new d("RATE_LIMIT_EXCEEDED",`Rate limit exceeded. Try again in ${u} seconds.`)}o.count++;}},Fe=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let u=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!u||u.length===0)return;if(u[0][1]>t)throw new d("RATE_LIMIT_EXCEEDED","Rate limit exceeded. Try again later.")}catch(u){if(u instanceof d&&u.code==="RATE_LIMIT_EXCEEDED")throw u;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:u});}}},V=null;async function Dr(e,r){if(V)return V;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),V=new Fe(s,r??N),V}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return V=new Le,V}n(Dr,"getRateLimiter");function ae(e){return (r,t,s)=>{if(r instanceof d){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ae,"createErrorHandler");var xe=8,M=72,De=255,Nr=100,B=50;function R(e){return new d("VALIDATION_ERROR",e)}n(R,"badRequest");function D(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(D,"ok");function b(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(b,"fail");function F(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new d("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(F,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new d("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Ke(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Ke,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw R(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw R(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Nr)throw R(`identifiers[${r}].type must not exceed ${Nr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw R(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>De)throw R(`identifiers[${r}].value must not exceed ${De} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function Sr(e){return async r=>{let t=e,s=g(t),i=e.logger??N,o=e.loggerService??"sentri",u=ne(e),y=ie(i,o),c=oe(i,o),l=Dr(e.redisUrl,i),v=c(a=>!!a.user);r.setErrorHandler(ae()),r.addHook("preParsing",function(a,f,p,h){if(!a.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,stream.Readable.from("{}"));return}let w=[];p.on("data",_=>w.push(_)),p.on("end",()=>{let _=Buffer.concat(w);h(null,_.length===0?stream.Readable.from("{}"):stream.Readable.from(_));}),p.on("error",_=>h(_));});let C=e.router?.register??(a=>me(a,t)),x=e.router?.login??(a=>pe(a,t)),O=e.router?.refresh??(a=>$(a,t)),A=e.router?.logout??(a=>a!==void 0?we(a,t):Promise.resolve()),P=e.router?.logoutAll??(a=>Ie(a,t)),j=e.router?.getUser??(a=>ye(a,t)),de=e.router?.assignRoles??((a,f)=>Re(a,f,t)),Cr=e.router?.changePassword??((a,f,p)=>_e(a,f,p,t)),Or=e.router?.bulkCreateIdentifiers??((a,f)=>ge(a,f,t)),br=e.router?.bulkUpdateIdentifiers??((a,f)=>ve(a,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((a,f)=>Ae(a,f,t));Yr(s.algorithm)&&r.get("/keys",async(a,f)=>{f.header("Cache-Control","public, max-age=3600").send(er(e.secret));}),r.post("/register",async(a,f)=>{let p=Date.now();Jr(a,e);let h=F(a),{identifiers:w,password:_,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let E=w.map((G,Ne)=>He(G,Ne));if(typeof _!="string"||_.length<xe)throw R(`password is required and must be at least ${xe} characters`);if(_.length>M)throw R(`password must not exceed ${M} characters`);if(I!==void 0&&!Array.isArray(I))throw R("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(G=>typeof G=="string"))throw R("each role must be a string");let S=Array.isArray(I)?I:void 0,k=S!==void 0?{identifiers:E,password:_,roles:S}:{identifiers:E,password:_},K=a.ip||"127.0.0.1",X=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let G=await l,Ne=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await G.consume(`register:${K}`,Ne,900*1e3);}let z=await C(k,{ip:K,userAgent:X});if(!z.success){i.warn(m(o,"auth.register.failure",{errorCode:z.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,z.error);return}i.info(m(o,"auth.register.success",{userId:z.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,201,"User registered successfully",{user:z.user});}),r.post("/login",async(a,f)=>{let p=Date.now(),h=F(a),{identifier:w,password:_}=h;if(typeof w!="string"||w.trim().length===0)throw R("identifier is required and must be a non-empty string");if(w.length>De)throw R(`identifier must not exceed ${De} characters`);if(typeof _!="string"||_.length===0)throw R("password is required");if(_.length>M)throw R(`password must not exceed ${M} characters`);let I=w.trim(),E=a.ip||"127.0.0.1",S=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let K=await l,X=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await K.consume(`login:${E}`,X,900*1e3);}let k=await x({identifier:I,password:_},{ip:E,userAgent:S});if(!k.success){Ke(()=>e.hooks?.onLoginFailed?.(I,k.error,{ip:E})),i.warn(m(o,"auth.login.failure",{errorCode:k.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,k.error);return}Ke(()=>e.hooks?.onLoginSuccess?.(k.user,{ip:E,userAgent:S})),te(f,k.refreshToken,e),se(f,k.accessToken,e),i.info(m(o,"auth.login.success",{userId:k.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Login successful",{accessToken:k.accessToken,user:k.user});}),r.post("/refresh",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));if(!h)throw new d("UNAUTHORIZED","Refresh token cookie is missing");let w=a.ip||"127.0.0.1",_=a.headers["user-agent"]||"Unknown",I=await O(h,{ip:w,userAgent:_});if(!I.success){ke(f,e),i.warn(m(o,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}te(f,I.refreshToken,e),se(f,I.accessToken,e),i.info(m(o,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));await A(h),ke(f,e),Ue(f,e),i.info(m(o,"auth.logout",{duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id;await P(h),Ke(()=>e.hooks?.onLogout?.(h)),ke(f,e),Ue(f,e),i.info(m(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:u},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:u},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.identifiers.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let _=w.map((E,S)=>He(E,S)),I=await Or(a.user.id,_);if(!I.success){i.warn(m(o,"auth.identifiers.create_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.created",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),D(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let _=w.map((E,S)=>{if(typeof E!="object"||E===null||Array.isArray(E))throw R(`identifiers[${S}] must be an object`);let k=E;if(typeof k.id!="string"||k.id.trim().length===0)throw R(`identifiers[${S}].id is required and must be a non-empty string`);let{type:K,value:X}=He(E,S);return {id:k.id,type:K,value:X}}),I=await br(a.user.id,_);if(!I.success){i.warn(m(o,"auth.identifiers.update_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.updated",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw R("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw R("each id must be a string");let _=await Ur(a.user.id,w);if(!_.success){i.warn(m(o,"auth.identifiers.delete_failure",{userId:a.user.id,errorCode:_.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,_.error);return}i.info(m(o,"auth.identifiers.deleted",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Identifiers deleted successfully",{identifiers:_.identifiers});}),r.patch("/me/password",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{currentPassword:w,newPassword:_}=h;if(typeof w!="string"||w.length===0)throw R("currentPassword is required");if(typeof _!="string"||_.length<xe)throw R(`newPassword must be at least ${xe} characters`);if(_.length>M)throw R(`newPassword must not exceed ${M} characters`);if(w===_)throw R("newPassword must be different from currentPassword");let I=await Cr(a.user.id,w,_);if(!I.success){i.warn(m(o,"auth.password.change_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.password.changed",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[u,y("admin")]},async(a,f)=>{let p=Date.now(),h=F(a),{roles:w}=h,_=a.params.userId;if(!_)throw R("userId is required");if(!Array.isArray(w)||w.length===0)throw R("roles must be a non-empty array of strings");if(!w.every(E=>typeof E=="string"))throw R("each role must be a string");let I=await de(_,w);if(!I.success){i.warn(m(o,"auth.roles.assign_failure",{targetUserId:_,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.roles.assigned",{targetUserId:_,roles:w,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id,_=await(e.router?.getSessions??(I=>Er(I,t)))(h);i.info(m(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",{sessions:_});}),r.delete("/sessions/:id",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id,w=a.params.id;await(e.router?.revokeSession??((I,E)=>kr(I,E,t)))(h,w),i.info(m(o,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Session revoked",null);});}}n(Sr,"createAuthPlugin");function js(e){if(e.mode==="client"){let c={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};ze(c);let l=c.logger??N,v=c.loggerService??"sentri",C=ie(l,v),x=oe(l,v);return {protect:n(()=>ne(c),"protect"),authorize:n((...O)=>C(...O),"authorize"),permit:n(O=>x(O),"permit"),errorHandler:n(O=>ae(O),"errorHandler")}}let{privateKey:r}=crypto.generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.rateLimit!==void 0&&{rateLimit:e.rateLimit},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??N,i=t.loggerService??"sentri",o=g(t),u=ie(s,i),y=oe(s,i);return {protect:n(()=>ne(t),"protect"),authorize:n((...c)=>u(...c),"authorize"),permit:n(c=>y(c),"permit"),plugin:n(()=>Sr(t),"plugin"),errorHandler:n(c=>ae(c),"errorHandler"),migrate:n(()=>Ge(T(t.dialect)),"migrate"),getCurrentAccessToken:n(c=>Te(c,t),"getCurrentAccessToken"),hashPassword:n(c=>W(c,o.saltRounds),"hashPassword"),verifyPassword:n((c,l)=>Z(c,l),"verifyPassword"),signAccessToken:n(c=>Y(c,t),"signAccessToken"),signRefreshToken:n(c=>q(c,t),"signRefreshToken"),verifyAccessToken:n(c=>ce(c,t),"verifyAccessToken"),verifyRefreshToken:n(c=>Q(c,t),"verifyRefreshToken"),register:n(c=>me(c,t),"register"),login:n(c=>pe(c,t),"login"),refresh:n(c=>$(c,t),"refresh"),logout:n(c=>we(c,t),"logout"),logoutAll:n(c=>Ie(c,t),"logoutAll"),getUser:n(c=>ye(c,t),"getUser"),changePassword:n((c,l,v)=>_e(c,l,v,t),"changePassword"),assignRoles:n((c,l)=>Re(c,l,t),"assignRoles"),bulkCreateIdentifiers:n((c,l)=>ge(c,l,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((c,l)=>ve(c,l,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((c,l)=>Ae(c,l,t),"bulkDeleteIdentifiers")}}n(js,"createAuthFastify");exports.SENTRI_ERROR_STATUS=$e;exports.SentriError=d;exports.authorize=Gr;exports.createAuthFastify=js;exports.createAuthPlugin=Sr;exports.createAuthorize=ie;exports.createErrorHandler=ae;exports.createPermit=oe;exports.getCurrentAccessToken=Te;exports.permit=Zr;exports.protect=ne;

package/dist/adapters/fastify/index.d.cts

@@ -1,7 +1,7 @@
+import { A as AuthUser, a as AuthConfig, S as SentriLogger, b as ServerAuthConfig, C as CookieConfig, c as AccessCookieConfig, d as AuthHooks, R as RouterHandlers, e as RateLimitOptions, f as RegisterInput, g as RegisterResult, L as LoginInput, h as AuthResult, i as RefreshResult, G as GetUserResult, j as ChangePasswordResult, k as AssignRolesResult, I as IdentifierInput, B as BulkIdentifiersResult } from '../../index-CVb3-EnK.cjs';
+export { l as SENTRI_ERROR_STATUS, m as SentriError } from '../../index-CVb3-EnK.cjs';
 import * as kysely from 'kysely';
 import { FastifyRequest, FastifyReply, FastifyPluginAsync, FastifyError } from 'fastify';
-import { AuthUser, AuthConfig, SentriLogger, ServerAuthConfig, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.cjs';
-export { SENTRI_ERROR_STATUS, SentriError } from '../../core/index.cjs';
 
 type SentriFastifyHook = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 declare module 'fastify' {
@@ -46,6 +46,7 @@ interface CreateFastifyServerOptions<TRole extends string = string> {
     hooks?: AuthHooks;
     router?: RouterHandlers;
     isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    rateLimit?: RateLimitOptions | boolean;
     redisUrl?: string;
     logger?: SentriLogger;
     loggerService?: string;

package/dist/adapters/fastify/index.d.ts

@@ -1,7 +1,7 @@
+import { A as AuthUser, a as AuthConfig, S as SentriLogger, b as ServerAuthConfig, C as CookieConfig, c as AccessCookieConfig, d as AuthHooks, R as RouterHandlers, e as RateLimitOptions, f as RegisterInput, g as RegisterResult, L as LoginInput, h as AuthResult, i as RefreshResult, G as GetUserResult, j as ChangePasswordResult, k as AssignRolesResult, I as IdentifierInput, B as BulkIdentifiersResult } from '../../index-CVb3-EnK.js';
+export { l as SENTRI_ERROR_STATUS, m as SentriError } from '../../index-CVb3-EnK.js';
 import * as kysely from 'kysely';
 import { FastifyRequest, FastifyReply, FastifyPluginAsync, FastifyError } from 'fastify';
-import { AuthUser, AuthConfig, SentriLogger, ServerAuthConfig, CookieConfig, AccessCookieConfig, AuthHooks, RouterHandlers, RegisterInput, RegisterResult, LoginInput, AuthResult, RefreshResult, GetUserResult, ChangePasswordResult, AssignRolesResult, IdentifierInput, BulkIdentifiersResult } from '../../core/index.js';
-export { SENTRI_ERROR_STATUS, SentriError } from '../../core/index.js';
 
 type SentriFastifyHook = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 declare module 'fastify' {
@@ -46,6 +46,7 @@ interface CreateFastifyServerOptions<TRole extends string = string> {
     hooks?: AuthHooks;
     router?: RouterHandlers;
     isTokenRevoked?: (sessionId: string) => boolean | Promise<boolean>;
+    rateLimit?: RateLimitOptions | boolean;
     redisUrl?: string;
     logger?: SentriLogger;
     loggerService?: string;

package/dist/adapters/fastify/index.js

@@ -1 +1 @@
-import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import Ze from'bcrypt';import J from'jsonwebtoken';import'@fastify/cookie';import {Readable}from'stream';var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var $e=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401}),u=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??$e[r]??500;}};var Ve=new WeakMap,Me=32,Be=10,je=31;function Xe(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new u("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new u("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Me)throw new u("CONFIGURATION_ERROR",`secret must be at least ${Me} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>je)throw new u("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${je}`);if(!e.validRoles||e.validRoles.length===0)throw new u("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new u("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new u("CONFIGURATION_ERROR","dialect is required in server mode")}n(Xe,"validateConfig");function g(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(g,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},ze=new Map;function H(e){if(typeof e=="number")return e*1e3;let r=ze.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return ze.set(e,i),i}n(H,"parseExpiry");var D={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function T(e){let r=We.get(e);return r||(r=new Kysely({dialect:e}),We.set(e,r)),r}n(T,"getDatabase");async function W(e,r=12){return Ze.hash(e,r)}n(W,"hashPassword");async function Z(e,r){return Ze.compare(e,r)}n(Z,"verifyPassword");var Je=new Map,Ye=new Map,Vr=3600*1e3;function Qe(e){let r=Je.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),i=s.export({format:"jwk"}),c=createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),y={...i,use:"sig",kid:c};r={kid:c,publicKey:s,jwk:y},Je.set(e,r);}return r}n(Qe,"getOrBuildKey");function er(e){let{jwk:r}=Qe(e);return {keys:[r]}}n(er,"buildJwks");function rr(e){return Qe(e).publicKey}n(rr,"getPublicKeyFromPrivate");async function tr(e){let r=Date.now(),t=Ye.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new u("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new u("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],c=createPublicKey({key:o,format:"jwk"});return Ye.set(e,{publicKey:c,fetchedAt:r}),c}n(tr,"fetchPublicKey");var sr=new Map,nr=new Map,ir=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ar(e){let r=sr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},sr.set(e,r)),r}n(ar,"getHsSecrets");function Br(e){let r=nr.get(e);return r||(r=createPrivateKey(e),nr.set(e,r)),r}n(Br,"getRsPrivateKey");function dr(e){let r=g(e);if(or(r.algorithm)){let i=Br(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ar(e.secret);return {accessKey:t,refreshKey:s}}n(dr,"getSigningKeys");function cr(e,r){let t=g(e);if(or(t.algorithm))return rr(e.secret);let{access:s,refresh:i}=ar(e.secret);return r==="access"?s:i}n(cr,"getVerifyKey");function ur(e,r,t,s){let i=`${t}:${s}`,o=ir.get(i);return o||(o={expiresIn:t,algorithm:s},ir.set(i,o)),J.sign(e,r,o)}n(ur,"sign");function lr(e,r,t){try{let s=J.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new u("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof u?s:s instanceof J.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verify");function Y(e,r){let t=g(r),{accessKey:s}=dr(r);return ur(e,s,t.accessExpiresIn,t.algorithm)}n(Y,"signAccessToken");function q(e,r){let t=g(r),{refreshKey:s}=dr(r);return ur({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(q,"signRefreshToken");function ce(e,r){let t=g(r),s=cr(r,"access");return lr(e,s,t.algorithm)}n(ce,"verifyAccessToken");function Q(e,r){let t=g(r),s=cr(r,"refresh");return lr(e,s,t.algorithm)}n(Q,"verifyRefreshToken");function fr(e,r){try{let t=J.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new u("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof u?t:t instanceof J.TokenExpiredError?new u("TOKEN_EXPIRED","Token has expired"):new u("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verifyTokenWithPublicKey");function Ce(e){try{return JSON.parse(e)}catch{return []}}n(Ce,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function mr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(mr,"mapIdentifier");async function ee(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ee,"findUserByIdentifierValue");async function ue(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ue,"findUserById");async function pr(e,r,t){let s=t.map(i=>({id:randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(pr,"createIdentifiers");async function re(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(mr)}n(re,"findIdentifiersByUserId");async function Oe(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?mr(s):null}n(Oe,"findIdentifierById");async function wr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(wr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function yr(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(yr,"deleteIdentifiers");async function Rr(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(Rr,"updateUserPassword");async function _r(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(_r,"updateUserRoles");async function be(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function le(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ce(t.roles)}}:null}n(le,"findSessionById");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(fe,"deleteSession");async function gr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(gr,"markSessionReplaced");async function he(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(he,"deleteAllSessionsForUser");async function vr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(vr,"findSessionsByUserId");async function me(e,r,t){let s=g(r),i=T(r.dialect),o=e.roles??[],c=o.filter(A=>!s.validRolesSet.has(A));if(c.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${c.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let y=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),d=y.filter(A=>!s.validIdentifiersSet.has(A.type));if(d.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${d.map(A=>A.type).join(", ")}`)};if(new Set(y.map(A=>A.value)).size!==y.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of y)if(await ee(i,A.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let v=await W(e.password,s.saltRounds),{userId:C,identifierRows:x}=await i.transaction().execute(async A=>{let P=randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:v,roles:JSON.stringify(o)}).execute();let j=y.map(de=>({id:randomUUID(),user_id:P,type:de.type,value:de.value}));return await A.insertInto("sentri_identifiers").values(j).execute(),{userId:P,identifierRows:j}}),O={success:true,user:{id:C,roles:o,identifiers:x.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(O.user),O}n(me,"register");async function pe(e,r,t){let s=g(r),i=T(r.dialect),o=await ee(i,e.identifier.trim());if(!o){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await Z(e.password,o.passwordHash)){let x=new u("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let y=new Date(Date.now()+H(s.refreshExpiresIn)),d=await be(i,{userId:o.id,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),l={id:o.id,roles:o.roles},v=Y({id:o.id,roles:o.roles,sessionId:d.id},r),C=q(d.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(l,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:v,refreshToken:C,user:l}}n(pe,"login");async function $(e,r,t){let s=g(r),i=T(r.dialect),o;try{({sessionId:o}=Q(e,r));}catch(x){return x instanceof u?{success:false,error:x}:{success:false,error:new u("TOKEN_INVALID","Invalid refresh token")}}let c=await le(i,o);if(!c)return {success:false,error:new u("UNAUTHORIZED","Session not found or revoked")};if(c.replacedBy)return await he(i,c.userId),{success:false,error:new u("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(c.expiresAt.getTime()<Date.now())return await fe(i,o),{success:false,error:new u("TOKEN_EXPIRED","Session has expired")};let y=new Date(Date.now()+H(s.refreshExpiresIn)),d=await be(i,{userId:c.userId,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await gr(i,o,d.id);let l={id:c.user.id,roles:c.user.roles},v=Y({...l,sessionId:d.id},r),C=q(d.id,r);return {success:true,accessToken:v,refreshToken:C,user:l}}n($,"refresh");async function we(e,r){let t=T(r.dialect),s;try{({sessionId:s}=Q(e,r));}catch{return}let i=await le(t,s);i&&(await fe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(we,"logout");async function Ie(e,r){let t=T(r.dialect);await he(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(Ie,"logoutAll");async function ye(e,r){let t=T(r.dialect),s=await ue(t,e);if(!s)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let i=await re(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ye,"getUser");async function Re(e,r,t,s){let i=g(s),o=T(s.dialect),c=await ue(o,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};if(!await Z(r,c.passwordHash))return {success:false,error:new u("INVALID_CREDENTIALS","Invalid credentials")};let d=await W(t,i.saltRounds);return await Rr(o,e,d),await he(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(Re,"changePassword");async function _e(e,r,t){let s=g(t),i=T(t.dialect),o=r.filter(l=>!s.validRolesSet.has(l));if(o.length>0)return {success:false,error:new u("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let c=await ue(i,e);if(!c)return {success:false,error:new u("USER_NOT_FOUND","User not found")};let y=new Set(c.roles);for(let l of r)y.add(l);let d=Array.from(y);return await _r(i,e,d),{success:true,user:{id:c.id,roles:d}}}n(_e,"assignRoles");async function ge(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()})),c=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(c.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${c.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await ee(i,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await pr(i,e,o),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ge,"bulkCreateIdentifiers");async function ve(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()})),c=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(c.length>0)return {success:false,error:new u("VALIDATION_ERROR",`Invalid identifier types: ${c.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new u("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let v=await Oe(i,l.id,e);if(!v)return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(v.value!==l.value&&await ee(i,l.value))return {success:false,error:new u("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await i.transaction().execute(async l=>{for(let v of o)await Ir(l,v.id,e,{type:v.type,value:v.value});}),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ae(e,r,t){let s=T(t.dialect);if(r.length===0)return {success:false,error:new u("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let y of i)if(!await Oe(s,y,e))return {success:false,error:new u("IDENTIFIER_NOT_FOUND",`Identifier not found: ${y}`)};return await wr(s,e)-i.length<1?{success:false,error:new u("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await yr(s,e,i),{success:true,identifiers:(await re(s,e)).map(y=>({id:y.id,type:y.type,value:y.value}))})}n(Ae,"bulkDeleteIdentifiers");async function kr(e,r){let t=T(r.dialect);return (await vr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(kr,"getSessions");async function Er(e,r,t){let s=T(t.dialect),i=await le(s,r);i&&i.userId===e&&await fe(s,r);}n(Er,"revokeSession");function U(e){return g(e).cookieName}n(U,"getCookieName");function ke(e){return g(e).accessCookieName}n(ke,"getAccessCookieName");function L(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(L,"readCookie");function te(e,r,t){let s=t.cookie??{},i=H(g(t).refreshExpiresIn)/1e3;e.setCookie(U(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(te,"setCookieFromConfig");function Ee(e,r){let t=r.cookie??{};e.clearCookie(U(r),{path:t.path??"/"});}n(Ee,"clearCookieFromConfig");function se(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=H(g(t).accessExpiresIn)/1e3;e.setCookie(ke(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(se,"setAccessCookieFromConfig");function Ue(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(ke(r),{path:t.path??"/"});}n(Ue,"clearAccessCookieFromConfig");function Te(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):L(e.headers.cookie,ke(r))}n(Te,"getCurrentAccessToken");function ne(e){let r=e.logger??D,t=e.loggerService??"sentri";return e.mode==="client"?zr(e.keyUri,r,t):Xr(e,r,t)}n(ne,"protect");function zr(e,r,t){return async s=>{let i=s.headers.authorization,o=i?.startsWith("Bearer ")?i.slice(7):void 0;if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=await tr(e),y=fr(o,c);s.user={id:y.id,roles:y.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:y.id,requestId:s.id}));}catch(c){let y=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:y,requestId:s.id})),c}}}n(zr,"protectClient");function Xr(e,r,t){return async(s,i)=>{let o=Te(s,e);if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new u("UNAUTHORIZED","Missing or malformed Authorization header");try{let c=ce(o,e);if(e.isTokenRevoked&&await e.isTokenRevoked(c.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:c.id,requestId:s.id})),new u("UNAUTHORIZED","Token has been revoked");s.user={id:c.id,roles:c.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:c.id,requestId:s.id}));}catch(c){if(c instanceof u&&c.code==="TOKEN_EXPIRED"){let y=L(s.headers.cookie,U(e));if(!y)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Token expired. Please login again.");let d;try{d=await $(y,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.")}if(!d.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:d.error.code,requestId:s.id})),new u("UNAUTHORIZED","Session expired. Please login again.");te(i,d.refreshToken,e),se(i,d.accessToken,e),i.header("X-New-Access-Token",d.accessToken),s.user=d.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:d.user.id,requestId:s.id}));}else {let y=c instanceof u?c.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:y,requestId:s.id})),c}}}}n(Xr,"protectServer");function Tr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async i=>{if(!i.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:i.id})),new u("UNAUTHORIZED","Not authenticated");let o=i.user.roles;if(!e.some(c=>o.includes(c)))throw r.warn(m(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id})),new u("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id}));}}n(Tr,"createAuthorizeHandler");function ie(e,r){return n(function(...s){return Tr(s,e,r)},"authorize")}n(ie,"createAuthorize");function Gr(...e){return Tr(e,D,"sentri")}n(Gr,"authorize");var Wr=new u("FORBIDDEN","You do not have permission to perform this action");function xr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new u("UNAUTHORIZED","Not authenticated");let i=s.user.id;if(e.roles&&e.roles.length>0){let y=s.user.roles;if(e.roles.some(d=>y.includes(d))){r.info(m(t,"auth.permit.role_bypass",{userId:i,bypassedByRole:true,requestId:s.id}));return}}let o=e.check(s);if(o instanceof Promise?await o:o)r.info(m(t,"auth.permit.passed",{userId:i,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:i,requestId:s.id})),Wr}}n(xr,"createPermitHandler");function oe(e,r){return n(function(s){return xr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return xr(typeof e=="function"?{check:e}:e,D,"sentri")}n(Zr,"permit");var Le=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>t){let c=Math.ceil((o.expiresAt-i)/1e3);throw new Error(`Rate limit exceeded. Try again in ${c} seconds.`)}o.count++;}},Fe=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let c=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!c||c.length===0)return;if(c[0][1]>t)throw new Error("Rate limit exceeded. Try again later.")}catch(c){if(c instanceof Error&&c.message.includes("Rate limit exceeded"))throw c;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:c});}}},V=null;async function Nr(e,r){if(V)return V;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),V=new Fe(s,r??D),V}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return V=new Le,V}n(Nr,"getRateLimiter");function ae(e){return (r,t,s)=>{if(r instanceof u){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ae,"createErrorHandler");var xe=8,M=72,Ne=255,Dr=100,B=50;function _(e){return new u("VALIDATION_ERROR",e)}n(_,"badRequest");function N(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(N,"ok");function b(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(b,"fail");function F(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new u("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(F,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new u("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Ke(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Ke,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw _(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw _(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Dr)throw _(`identifiers[${r}].type must not exceed ${Dr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw _(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>Ne)throw _(`identifiers[${r}].value must not exceed ${Ne} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function Sr(e){return async r=>{let t=e,s=g(t),i=e.logger??D,o=e.loggerService??"sentri",c=ne(e),y=ie(i,o),d=oe(i,o),l=Nr(e.redisUrl,i),v=d(a=>!!a.user);r.setErrorHandler(ae()),r.addHook("preParsing",function(a,f,p,h){if(!a.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,Readable.from("{}"));return}let w=[];p.on("data",R=>w.push(R)),p.on("end",()=>{let R=Buffer.concat(w);h(null,R.length===0?Readable.from("{}"):Readable.from(R));}),p.on("error",R=>h(R));});let C=e.router?.register??(a=>me(a,t)),x=e.router?.login??(a=>pe(a,t)),O=e.router?.refresh??(a=>$(a,t)),A=e.router?.logout??(a=>a!==void 0?we(a,t):Promise.resolve()),P=e.router?.logoutAll??(a=>Ie(a,t)),j=e.router?.getUser??(a=>ye(a,t)),de=e.router?.assignRoles??((a,f)=>_e(a,f,t)),Cr=e.router?.changePassword??((a,f,p)=>Re(a,f,p,t)),Or=e.router?.bulkCreateIdentifiers??((a,f)=>ge(a,f,t)),br=e.router?.bulkUpdateIdentifiers??((a,f)=>ve(a,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((a,f)=>Ae(a,f,t));Yr(s.algorithm)&&r.get("/keys",async(a,f)=>{f.header("Cache-Control","public, max-age=3600").send(er(e.secret));}),r.post("/register",async(a,f)=>{let p=Date.now();Jr(a,e);let h=F(a),{identifiers:w,password:R,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let k=w.map((G,De)=>He(G,De));if(typeof R!="string"||R.length<xe)throw _(`password is required and must be at least ${xe} characters`);if(R.length>M)throw _(`password must not exceed ${M} characters`);if(I!==void 0&&!Array.isArray(I))throw _("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(G=>typeof G=="string"))throw _("each role must be a string");let S=Array.isArray(I)?I:void 0,E=S!==void 0?{identifiers:k,password:R,roles:S}:{identifiers:k,password:R},K=a.ip||"127.0.0.1",z=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let G=await l,De=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await G.consume(`register:${K}`,De,900*1e3);}let X=await C(E,{ip:K,userAgent:z});if(!X.success){i.warn(m(o,"auth.register.failure",{errorCode:X.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,X.error);return}i.info(m(o,"auth.register.success",{userId:X.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,201,"User registered successfully",{user:X.user});}),r.post("/login",async(a,f)=>{let p=Date.now(),h=F(a),{identifier:w,password:R}=h;if(typeof w!="string"||w.trim().length===0)throw _("identifier is required and must be a non-empty string");if(w.length>Ne)throw _(`identifier must not exceed ${Ne} characters`);if(typeof R!="string"||R.length===0)throw _("password is required");if(R.length>M)throw _(`password must not exceed ${M} characters`);let I=w.trim(),k=a.ip||"127.0.0.1",S=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let K=await l,z=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await K.consume(`login:${k}`,z,900*1e3);}let E=await x({identifier:I,password:R},{ip:k,userAgent:S});if(!E.success){Ke(()=>e.hooks?.onLoginFailed?.(I,E.error,{ip:k})),i.warn(m(o,"auth.login.failure",{errorCode:E.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,E.error);return}Ke(()=>e.hooks?.onLoginSuccess?.(E.user,{ip:k,userAgent:S})),te(f,E.refreshToken,e),se(f,E.accessToken,e),i.info(m(o,"auth.login.success",{userId:E.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Login successful",{accessToken:E.accessToken,user:E.user});}),r.post("/refresh",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));if(!h)throw new u("UNAUTHORIZED","Refresh token cookie is missing");let w=a.ip||"127.0.0.1",R=a.headers["user-agent"]||"Unknown",I=await O(h,{ip:w,userAgent:R});if(!I.success){Ee(f,e),i.warn(m(o,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}te(f,I.refreshToken,e),se(f,I.accessToken,e),i.info(m(o,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));await A(h),Ee(f,e),Ue(f,e),i.info(m(o,"auth.logout",{duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id;await P(h),Ke(()=>e.hooks?.onLogout?.(h)),Ee(f,e),Ue(f,e),i.info(m(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:c},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:c},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.identifiers.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let R=w.map((k,S)=>He(k,S)),I=await Or(a.user.id,R);if(!I.success){i.warn(m(o,"auth.identifiers.create_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.created",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),N(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw _("identifiers is required and must be a non-empty array");if(w.length>B)throw _(`identifiers must not exceed ${B} entries`);let R=w.map((k,S)=>{if(typeof k!="object"||k===null||Array.isArray(k))throw _(`identifiers[${S}] must be an object`);let E=k;if(typeof E.id!="string"||E.id.trim().length===0)throw _(`identifiers[${S}].id is required and must be a non-empty string`);let{type:K,value:z}=He(k,S);return {id:E.id,type:K,value:z}}),I=await br(a.user.id,R);if(!I.success){i.warn(m(o,"auth.identifiers.update_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.updated",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw _("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw _("each id must be a string");let R=await Ur(a.user.id,w);if(!R.success){i.warn(m(o,"auth.identifiers.delete_failure",{userId:a.user.id,errorCode:R.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,R.error);return}i.info(m(o,"auth.identifiers.deleted",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Identifiers deleted successfully",{identifiers:R.identifiers});}),r.patch("/me/password",{preHandler:[c,v]},async(a,f)=>{let p=Date.now(),h=F(a),{currentPassword:w,newPassword:R}=h;if(typeof w!="string"||w.length===0)throw _("currentPassword is required");if(typeof R!="string"||R.length<xe)throw _(`newPassword must be at least ${xe} characters`);if(R.length>M)throw _(`newPassword must not exceed ${M} characters`);if(w===R)throw _("newPassword must be different from currentPassword");let I=await Cr(a.user.id,w,R);if(!I.success){i.warn(m(o,"auth.password.change_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.password.changed",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[c,y("admin")]},async(a,f)=>{let p=Date.now(),h=F(a),{roles:w}=h,R=a.params.userId;if(!R)throw _("userId is required");if(!Array.isArray(w)||w.length===0)throw _("roles must be a non-empty array of strings");if(!w.every(k=>typeof k=="string"))throw _("each role must be a string");let I=await de(R,w);if(!I.success){i.warn(m(o,"auth.roles.assign_failure",{targetUserId:R,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.roles.assigned",{targetUserId:R,roles:w,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id,R=await(e.router?.getSessions??(I=>kr(I,t)))(h);i.info(m(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"OK",{sessions:R});}),r.delete("/sessions/:id",{preHandler:c},async(a,f)=>{let p=Date.now(),h=a.user.id,w=a.params.id;await(e.router?.revokeSession??((I,k)=>Er(I,k,t)))(h,w),i.info(m(o,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:a.id})),N(f,200,"Session revoked",null);});}}n(Sr,"createAuthPlugin");function Bs(e){if(e.mode==="client"){let d={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};Xe(d);let l=d.logger??D,v=d.loggerService??"sentri",C=ie(l,v),x=oe(l,v);return {protect:n(()=>ne(d),"protect"),authorize:n((...O)=>C(...O),"authorize"),permit:n(O=>x(O),"permit"),errorHandler:n(O=>ae(O),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??D,i=t.loggerService??"sentri",o=g(t),c=ie(s,i),y=oe(s,i);return {protect:n(()=>ne(t),"protect"),authorize:n((...d)=>c(...d),"authorize"),permit:n(d=>y(d),"permit"),plugin:n(()=>Sr(t),"plugin"),errorHandler:n(d=>ae(d),"errorHandler"),migrate:n(()=>Ge(T(t.dialect)),"migrate"),getCurrentAccessToken:n(d=>Te(d,t),"getCurrentAccessToken"),hashPassword:n(d=>W(d,o.saltRounds),"hashPassword"),verifyPassword:n((d,l)=>Z(d,l),"verifyPassword"),signAccessToken:n(d=>Y(d,t),"signAccessToken"),signRefreshToken:n(d=>q(d,t),"signRefreshToken"),verifyAccessToken:n(d=>ce(d,t),"verifyAccessToken"),verifyRefreshToken:n(d=>Q(d,t),"verifyRefreshToken"),register:n(d=>me(d,t),"register"),login:n(d=>pe(d,t),"login"),refresh:n(d=>$(d,t),"refresh"),logout:n(d=>we(d,t),"logout"),logoutAll:n(d=>Ie(d,t),"logoutAll"),getUser:n(d=>ye(d,t),"getUser"),changePassword:n((d,l,v)=>Re(d,l,v,t),"changePassword"),assignRoles:n((d,l)=>_e(d,l,t),"assignRoles"),bulkCreateIdentifiers:n((d,l)=>ge(d,l,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((d,l)=>ve(d,l,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((d,l)=>Ae(d,l,t),"bulkDeleteIdentifiers")}}n(Bs,"createAuthFastify");export{$e as SENTRI_ERROR_STATUS,u as SentriError,Gr as authorize,Bs as createAuthFastify,Sr as createAuthPlugin,ie as createAuthorize,ae as createErrorHandler,oe as createPermit,Te as getCurrentAccessToken,Zr as permit,ne as protect};
+import {generateKeyPairSync,createPrivateKey,createPublicKey,createHash,randomUUID}from'crypto';import {sql,Kysely}from'kysely';import Ze from'bcrypt';import J from'jsonwebtoken';import'@fastify/cookie';import {Readable}from'stream';var Lr=Object.defineProperty;var n=(e,r)=>Lr(e,"name",{value:r,configurable:true});var $e=Object.assign(Object.create(null),{UNAUTHORIZED:401,TOKEN_EXPIRED:401,TOKEN_INVALID:401,INVALID_CREDENTIALS:401,FORBIDDEN:403,USER_NOT_FOUND:404,IDENTIFIER_NOT_FOUND:404,USER_ALREADY_EXISTS:409,IDENTIFIER_ALREADY_EXISTS:409,INVALID_ROLE:400,VALIDATION_ERROR:400,CONFIGURATION_ERROR:500,TOKEN_REUSE:401,RATE_LIMIT_EXCEEDED:429}),d=class extends Error{static{n(this,"SentriError");}code;statusCode;constructor(r,t,s){super(t),this.name="SentriError",this.code=r,this.statusCode=s??$e[r]??500;}};var Ve=new WeakMap,Me=32,Be=10,je=31;function ze(e){if(e.mode==="client"){if(!e.keyUri||e.keyUri.trim().length===0)throw new d("CONFIGURATION_ERROR","keyUri must not be empty");return}if(!e.secret||e.secret.trim().length===0)throw new d("CONFIGURATION_ERROR","secret must not be empty");if((e.algorithm??"HS256").startsWith("HS")&&e.secret.length<Me)throw new d("CONFIGURATION_ERROR",`secret must be at least ${Me} characters for HMAC algorithms`);let s=e.saltRounds??12;if(!Number.isInteger(s)||s<Be||s>je)throw new d("CONFIGURATION_ERROR",`saltRounds must be an integer between ${Be} and ${je}`);if(!e.validRoles||e.validRoles.length===0)throw new d("CONFIGURATION_ERROR","validRoles must contain at least one role");if(e.validIdentifiers!==void 0&&e.validIdentifiers.length===0)throw new d("CONFIGURATION_ERROR","validIdentifiers must contain at least one identifier type");if(!e.dialect)throw new d("CONFIGURATION_ERROR","dialect is required in server mode")}n(ze,"validateConfig");function g(e){let r=Ve.get(e);if(r)return r;let t={algorithm:e.algorithm??"HS256",accessExpiresIn:e.accessExpiresIn??"15m",refreshExpiresIn:e.refreshExpiresIn??"7d",saltRounds:e.saltRounds??12,validRoles:e.validRoles,validRolesSet:new Set(e.validRoles),validIdentifiers:e.validIdentifiers??["email","username"],validIdentifiersSet:new Set(e.validIdentifiers??["email","username"]),cookieName:e.cookie?.name??"refresh_token",accessCookieName:e.accessCookie?.name??"access_token"};return Ve.set(e,t),t}n(g,"resolveServerConfig");var Fr=/^(\d+)([smhdw])$/,Pr={s:1e3,m:6e4,h:36e5,d:864e5,w:6048e5},Xe=new Map;function H(e){if(typeof e=="number")return e*1e3;let r=Xe.get(e);if(r!==void 0)return r;let t=Fr.exec(e);if(!t?.[1]||!t?.[2])throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let s=Pr[t[2]];if(s===void 0)throw new Error(`Invalid expiresIn: "${e}". Use e.g. "15m", "7d", "1h".`);let i=parseInt(t[1],10)*s;return Xe.set(e,i),i}n(H,"parseExpiry");var N={info:n(()=>{},"info"),warn:n(()=>{},"warn"),error:n(()=>{},"error")};function m(e,r,t){return {service:e,event:r,...t}}n(m,"buildLogData");async function Ge(e){await e.schema.createTable("sentri_users").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("password_hash","varchar(255)",r=>r.notNull()).addColumn("roles","text",r=>r.notNull().defaultTo("[]")).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_sessions").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("expires_at","timestamp",r=>r.notNull()).addColumn("ip_address","varchar(45)").addColumn("user_agent","text").addColumn("replaced_by","varchar(36)").addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createTable("sentri_identifiers").ifNotExists().addColumn("id","varchar(36)",r=>r.primaryKey().notNull()).addColumn("user_id","varchar(36)",r=>r.notNull().references("sentri_users.id").onDelete("cascade")).addColumn("type","varchar(100)",r=>r.notNull()).addColumn("value","varchar(255)",r=>r.notNull().unique()).addColumn("created_at","timestamp",r=>r.notNull().defaultTo(sql`CURRENT_TIMESTAMP`)).execute(),await e.schema.createIndex("idx_sentri_sessions_user_id").ifNotExists().on("sentri_sessions").column("user_id").execute(),await e.schema.createIndex("idx_sentri_identifiers_user_id").ifNotExists().on("sentri_identifiers").column("user_id").execute();}n(Ge,"runMigrations");var We=new Map;function T(e){let r=We.get(e);return r||(r=new Kysely({dialect:e}),We.set(e,r)),r}n(T,"getDatabase");async function W(e,r=12){return Ze.hash(e,r)}n(W,"hashPassword");async function Z(e,r){return Ze.compare(e,r)}n(Z,"verifyPassword");var Je=new Map,Ye=new Map,Vr=3600*1e3;function Qe(e){let r=Je.get(e);if(!r){let t=createPrivateKey(e),s=createPublicKey(t),i=s.export({format:"jwk"}),u=createHash("sha256").update(JSON.stringify({e:i.e,kty:i.kty,n:i.n})).digest("base64url"),y={...i,use:"sig",kid:u};r={kid:u,publicKey:s,jwk:y},Je.set(e,r);}return r}n(Qe,"getOrBuildKey");function er(e){let{jwk:r}=Qe(e);return {keys:[r]}}n(er,"buildJwks");function rr(e){return Qe(e).publicKey}n(rr,"getPublicKeyFromPrivate");async function tr(e){let r=Date.now(),t=Ye.get(e);if(t&&r-t.fetchedAt<Vr)return t.publicKey;let s=await fetch(e);if(!s.ok)throw new d("CONFIGURATION_ERROR",`Failed to fetch public key from ${e}: HTTP ${s.status}`);let i=await s.json();if(!i.keys||i.keys.length===0)throw new d("CONFIGURATION_ERROR",`No keys found in JWKS response from ${e}`);let o=i.keys[0],u=createPublicKey({key:o,format:"jwk"});return Ye.set(e,{publicKey:u,fetchedAt:r}),u}n(tr,"fetchPublicKey");var sr=new Map,nr=new Map,ir=new Map;function or(e){return e.startsWith("RS")||e.startsWith("PS")}n(or,"isRSA");function ar(e){let r=sr.get(e);return r||(r={access:`${e}:access`,refresh:`${e}:refresh`},sr.set(e,r)),r}n(ar,"getHsSecrets");function Br(e){let r=nr.get(e);return r||(r=createPrivateKey(e),nr.set(e,r)),r}n(Br,"getRsPrivateKey");function dr(e){let r=g(e);if(or(r.algorithm)){let i=Br(e.secret);return {accessKey:i,refreshKey:i}}let{access:t,refresh:s}=ar(e.secret);return {accessKey:t,refreshKey:s}}n(dr,"getSigningKeys");function cr(e,r){let t=g(e);if(or(t.algorithm))return rr(e.secret);let{access:s,refresh:i}=ar(e.secret);return r==="access"?s:i}n(cr,"getVerifyKey");function ur(e,r,t,s){let i=`${t}:${s}`,o=ir.get(i);return o||(o={expiresIn:t,algorithm:s},ir.set(i,o)),J.sign(e,r,o)}n(ur,"sign");function lr(e,r,t){try{let s=J.verify(e,r,{algorithms:[t]});if(typeof s=="string"||s===null)throw new d("TOKEN_INVALID","Token payload is not an object");return s}catch(s){throw s instanceof d?s:s instanceof J.TokenExpiredError?new d("TOKEN_EXPIRED","Token has expired"):new d("TOKEN_INVALID","Token is invalid or malformed")}}n(lr,"verify");function Y(e,r){let t=g(r),{accessKey:s}=dr(r);return ur(e,s,t.accessExpiresIn,t.algorithm)}n(Y,"signAccessToken");function q(e,r){let t=g(r),{refreshKey:s}=dr(r);return ur({sessionId:e},s,t.refreshExpiresIn,t.algorithm)}n(q,"signRefreshToken");function ce(e,r){let t=g(r),s=cr(r,"access");return lr(e,s,t.algorithm)}n(ce,"verifyAccessToken");function Q(e,r){let t=g(r),s=cr(r,"refresh");return lr(e,s,t.algorithm)}n(Q,"verifyRefreshToken");function fr(e,r){try{let t=J.verify(e,r,{algorithms:["RS256","RS384","RS512","PS256","PS384","PS512"]});if(typeof t=="string"||t===null)throw new d("TOKEN_INVALID","Token payload is not an object");return t}catch(t){throw t instanceof d?t:t instanceof J.TokenExpiredError?new d("TOKEN_EXPIRED","Token has expired"):new d("TOKEN_INVALID","Token is invalid or malformed")}}n(fr,"verifyTokenWithPublicKey");function Ce(e){try{return JSON.parse(e)}catch{return []}}n(Ce,"parseRoles");function jr(e){return JSON.stringify(e)}n(jr,"serializeRoles");function mr(e){return {id:e.id,userId:e.user_id,type:e.type,value:e.value,createdAt:new Date(e.created_at)}}n(mr,"mapIdentifier");async function ee(e,r){let t=await e.selectFrom("sentri_identifiers as i").innerJoin("sentri_users as u","u.id","i.user_id").select(["u.id","u.password_hash","u.roles"]).where("i.value","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ee,"findUserByIdentifierValue");async function ue(e,r){let t=await e.selectFrom("sentri_users").select(["id","password_hash","roles"]).where("id","=",r).executeTakeFirst();return t?{id:t.id,passwordHash:t.password_hash,roles:Ce(t.roles)}:null}n(ue,"findUserById");async function pr(e,r,t){let s=t.map(i=>({id:randomUUID(),user_id:r,type:i.type,value:i.value}));return await e.insertInto("sentri_identifiers").values(s).execute(),s.map(i=>({id:i.id,userId:i.user_id,type:i.type,value:i.value,createdAt:new Date}))}n(pr,"createIdentifiers");async function re(e,r){return (await e.selectFrom("sentri_identifiers").selectAll().where("user_id","=",r).orderBy("created_at","asc").execute()).map(mr)}n(re,"findIdentifiersByUserId");async function Oe(e,r,t){let s=await e.selectFrom("sentri_identifiers").selectAll().where("id","=",r).where("user_id","=",t).executeTakeFirst();return s?mr(s):null}n(Oe,"findIdentifierById");async function wr(e,r){let t=await e.selectFrom("sentri_identifiers").select(s=>s.fn.countAll().as("count")).where("user_id","=",r).executeTakeFirst();return Number(t?.count??0)}n(wr,"countIdentifiersByUserId");async function Ir(e,r,t,s){await e.updateTable("sentri_identifiers").set({type:s.type,value:s.value}).where("id","=",r).where("user_id","=",t).execute();}n(Ir,"updateIdentifier");async function yr(e,r,t){await e.deleteFrom("sentri_identifiers").where("user_id","=",r).where("id","in",t).execute();}n(yr,"deleteIdentifiers");async function _r(e,r,t){await e.updateTable("sentri_users").set({password_hash:t}).where("id","=",r).execute();}n(_r,"updateUserPassword");async function Rr(e,r,t){await e.updateTable("sentri_users").set({roles:jr(t)}).where("id","=",r).execute();}n(Rr,"updateUserRoles");async function be(e,r){let t=randomUUID();return await e.insertInto("sentri_sessions").values({id:t,user_id:r.userId,expires_at:r.expiresAt.toISOString(),ip_address:r.ipAddress??null,user_agent:r.userAgent??null}).execute(),{id:t}}n(be,"createSession");async function le(e,r){let t=await e.selectFrom("sentri_sessions as s").innerJoin("sentri_users as u","u.id","s.user_id").select(["s.id as session_id","s.user_id","s.expires_at","s.ip_address","s.user_agent","s.replaced_by","s.created_at as session_created_at","u.id as user_id_col","u.password_hash","u.roles"]).where("s.id","=",r).executeTakeFirst();return t?{id:t.session_id,userId:t.user_id,expiresAt:new Date(t.expires_at),ipAddress:t.ip_address,userAgent:t.user_agent,replacedBy:t.replaced_by,createdAt:new Date(t.session_created_at),user:{id:t.user_id_col,passwordHash:t.password_hash,roles:Ce(t.roles)}}:null}n(le,"findSessionById");async function fe(e,r){await e.deleteFrom("sentri_sessions").where("id","=",r).execute();}n(fe,"deleteSession");async function gr(e,r,t){await e.updateTable("sentri_sessions").set({replaced_by:t}).where("id","=",r).execute();}n(gr,"markSessionReplaced");async function he(e,r){await e.deleteFrom("sentri_sessions").where("user_id","=",r).execute();}n(he,"deleteAllSessionsForUser");async function vr(e,r){return (await e.selectFrom("sentri_sessions").selectAll().where("user_id","=",r).where("replaced_by","is",null).where("expires_at",">",new Date).execute()).map(s=>({id:s.id,userId:s.user_id,expiresAt:new Date(s.expires_at),ipAddress:s.ip_address,userAgent:s.user_agent,replacedBy:s.replaced_by,createdAt:new Date(s.created_at)}))}n(vr,"findSessionsByUserId");async function me(e,r,t){let s=g(r),i=T(r.dialect),o=e.roles??[],u=o.filter(A=>!s.validRolesSet.has(A));if(u.length>0)return {success:false,error:new d("INVALID_ROLE",`Invalid roles: ${u.join(", ")}`)};if(!e.identifiers||e.identifiers.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one identifier is required")};let y=e.identifiers.map(A=>({type:A.type.trim(),value:A.value.trim()})),c=y.filter(A=>!s.validIdentifiersSet.has(A.type));if(c.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${c.map(A=>A.type).join(", ")}`)};if(new Set(y.map(A=>A.value)).size!==y.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let A of y)if(await ee(i,A.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${A.value}`)};let v=await W(e.password,s.saltRounds),{userId:C,identifierRows:x}=await i.transaction().execute(async A=>{let P=randomUUID();await A.insertInto("sentri_users").values({id:P,password_hash:v,roles:JSON.stringify(o)}).execute();let j=y.map(de=>({id:randomUUID(),user_id:P,type:de.type,value:de.value}));return await A.insertInto("sentri_identifiers").values(j).execute(),{userId:P,identifierRows:j}}),O={success:true,user:{id:C,roles:o,identifiers:x.map(A=>({id:A.id,type:A.type,value:A.value}))}};return r.hooks?.onRegister&&await r.hooks.onRegister(O.user),O}n(me,"register");async function pe(e,r,t){let s=g(r),i=T(r.dialect),o=await ee(i,e.identifier.trim());if(!o){let x=new d("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}if(!await Z(e.password,o.passwordHash)){let x=new d("INVALID_CREDENTIALS","Invalid credentials");return r.hooks?.onLoginFailed&&await r.hooks.onLoginFailed(e.identifier,x,{ip:t?.ip??""}),{success:false,error:x}}let y=new Date(Date.now()+H(s.refreshExpiresIn)),c=await be(i,{userId:o.id,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null}),l={id:o.id,roles:o.roles},v=Y({id:o.id,roles:o.roles,sessionId:c.id},r),C=q(c.id,r);return r.hooks?.onLoginSuccess&&await r.hooks.onLoginSuccess(l,{ip:t?.ip??"",userAgent:t?.userAgent??""}),{success:true,accessToken:v,refreshToken:C,user:l}}n(pe,"login");async function $(e,r,t){let s=g(r),i=T(r.dialect),o;try{({sessionId:o}=Q(e,r));}catch(x){return x instanceof d?{success:false,error:x}:{success:false,error:new d("TOKEN_INVALID","Invalid refresh token")}}let u=await le(i,o);if(!u)return {success:false,error:new d("UNAUTHORIZED","Session not found or revoked")};if(u.replacedBy)return await he(i,u.userId),{success:false,error:new d("TOKEN_REUSE","Token reuse detected. All sessions revoked.")};if(u.expiresAt.getTime()<Date.now())return await fe(i,o),{success:false,error:new d("TOKEN_EXPIRED","Session has expired")};let y=new Date(Date.now()+H(s.refreshExpiresIn)),c=await be(i,{userId:u.userId,expiresAt:y,ipAddress:t?.ip??null,userAgent:t?.userAgent??null});await gr(i,o,c.id);let l={id:u.user.id,roles:u.user.roles},v=Y({...l,sessionId:c.id},r),C=q(c.id,r);return {success:true,accessToken:v,refreshToken:C,user:l}}n($,"refresh");async function we(e,r){let t=T(r.dialect),s;try{({sessionId:s}=Q(e,r));}catch{return}let i=await le(t,s);i&&(await fe(t,s),r.hooks?.onLogout&&await r.hooks.onLogout(i.userId));}n(we,"logout");async function Ie(e,r){let t=T(r.dialect);await he(t,e),r.hooks?.onLogout&&await r.hooks.onLogout(e);}n(Ie,"logoutAll");async function ye(e,r){let t=T(r.dialect),s=await ue(t,e);if(!s)return {success:false,error:new d("USER_NOT_FOUND","User not found")};let i=await re(t,e);return {success:true,user:{id:s.id,roles:s.roles,identifiers:i.map(o=>({id:o.id,type:o.type,value:o.value}))}}}n(ye,"getUser");async function _e(e,r,t,s){let i=g(s),o=T(s.dialect),u=await ue(o,e);if(!u)return {success:false,error:new d("USER_NOT_FOUND","User not found")};if(!await Z(r,u.passwordHash))return {success:false,error:new d("INVALID_CREDENTIALS","Invalid credentials")};let c=await W(t,i.saltRounds);return await _r(o,e,c),await he(o,e),s.hooks?.onPasswordChanged&&await s.hooks.onPasswordChanged(e),{success:true}}n(_e,"changePassword");async function Re(e,r,t){let s=g(t),i=T(t.dialect),o=r.filter(l=>!s.validRolesSet.has(l));if(o.length>0)return {success:false,error:new d("INVALID_ROLE",`Invalid roles: ${o.join(", ")}`)};let u=await ue(i,e);if(!u)return {success:false,error:new d("USER_NOT_FOUND","User not found")};let y=new Set(u.roles);for(let l of r)y.add(l);let c=Array.from(y);return await Rr(i,e,c),{success:true,user:{id:u.id,roles:c}}}n(Re,"assignRoles");async function ge(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one identifier is required")};let o=r.map(l=>({type:l.type.trim(),value:l.value.trim()})),u=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(u.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${u.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o)if(await ee(i,l.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)};return await pr(i,e,o),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ge,"bulkCreateIdentifiers");async function ve(e,r,t){let s=g(t),i=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one update is required")};let o=r.map(l=>({id:l.id,type:l.type.trim(),value:l.value.trim()})),u=o.filter(l=>!s.validIdentifiersSet.has(l.type));if(u.length>0)return {success:false,error:new d("VALIDATION_ERROR",`Invalid identifier types: ${u.map(l=>l.type).join(", ")}`)};if(new Set(o.map(l=>l.value)).size!==o.length)return {success:false,error:new d("VALIDATION_ERROR","Duplicate identifier values in request")};for(let l of o){let v=await Oe(i,l.id,e);if(!v)return {success:false,error:new d("IDENTIFIER_NOT_FOUND",`Identifier not found: ${l.id}`)};if(v.value!==l.value&&await ee(i,l.value))return {success:false,error:new d("IDENTIFIER_ALREADY_EXISTS",`Identifier already taken: ${l.value}`)}}return await i.transaction().execute(async l=>{for(let v of o)await Ir(l,v.id,e,{type:v.type,value:v.value});}),{success:true,identifiers:(await re(i,e)).map(l=>({id:l.id,type:l.type,value:l.value}))}}n(ve,"bulkUpdateIdentifiers");async function Ae(e,r,t){let s=T(t.dialect);if(r.length===0)return {success:false,error:new d("VALIDATION_ERROR","At least one ID is required")};let i=Array.from(new Set(r));for(let y of i)if(!await Oe(s,y,e))return {success:false,error:new d("IDENTIFIER_NOT_FOUND",`Identifier not found: ${y}`)};return await wr(s,e)-i.length<1?{success:false,error:new d("VALIDATION_ERROR","Cannot delete all identifiers \u2014 at least one must remain")}:(await yr(s,e,i),{success:true,identifiers:(await re(s,e)).map(y=>({id:y.id,type:y.type,value:y.value}))})}n(Ae,"bulkDeleteIdentifiers");async function Er(e,r){let t=T(r.dialect);return (await vr(t,e)).map(i=>({id:i.id,ipAddress:i.ipAddress,userAgent:i.userAgent,createdAt:i.createdAt,expiresAt:i.expiresAt}))}n(Er,"getSessions");async function kr(e,r,t){let s=T(t.dialect),i=await le(s,r);i&&i.userId===e&&await fe(s,r);}n(kr,"revokeSession");function U(e){return g(e).cookieName}n(U,"getCookieName");function Ee(e){return g(e).accessCookieName}n(Ee,"getAccessCookieName");function L(e,r){if(!e)return;let t=`${r}=`,s=0;for(;s<e.length;){for(;s<e.length&&e[s]===" ";)s++;let i=e.indexOf(";",s),o=i===-1?e.length:i;if(e.startsWith(t,s))return e.slice(s+t.length,o);s=o+1;}}n(L,"readCookie");function te(e,r,t){let s=t.cookie??{},i=H(g(t).refreshExpiresIn)/1e3;e.setCookie(U(t),r,{httpOnly:s.httpOnly??true,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(te,"setCookieFromConfig");function ke(e,r){let t=r.cookie??{};e.clearCookie(U(r),{path:t.path??"/"});}n(ke,"clearCookieFromConfig");function se(e,r,t){if(!t.accessCookie)return;let s=t.accessCookie,i=H(g(t).accessExpiresIn)/1e3;e.setCookie(Ee(t),r,{httpOnly:false,secure:s.secure??false,sameSite:s.sameSite??"strict",path:s.path??"/",maxAge:i});}n(se,"setAccessCookieFromConfig");function Ue(e,r){if(!r.accessCookie)return;let t=r.accessCookie;e.clearCookie(Ee(r),{path:t.path??"/"});}n(Ue,"clearAccessCookieFromConfig");function Te(e,r){let t=e.headers.authorization;return t?.startsWith("Bearer ")?t.slice(7):L(e.headers.cookie,Ee(r))}n(Te,"getCurrentAccessToken");function ne(e){let r=e.logger??N,t=e.loggerService??"sentri";return e.mode==="client"?Xr(e.keyUri,r,t):zr(e,r,t)}n(ne,"protect");function Xr(e,r,t){return async s=>{let i=s.headers.authorization,o=i?.startsWith("Bearer ")?i.slice(7):void 0;if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:"UNAUTHORIZED",requestId:s.id})),new d("UNAUTHORIZED","Missing or malformed Authorization header");try{let u=await tr(e),y=fr(o,u);s.user={id:y.id,roles:y.roles},r.info(m(t,"auth.protect.success",{mode:"client",userId:y.id,requestId:s.id}));}catch(u){let y=u instanceof d?u.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"client",errorCode:y,requestId:s.id})),u}}}n(Xr,"protectClient");function zr(e,r,t){return async(s,i)=>{let o=Te(s,e);if(!o)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"UNAUTHORIZED",requestId:s.id})),new d("UNAUTHORIZED","Missing or malformed Authorization header");try{let u=ce(o,e);if(e.isTokenRevoked&&await e.isTokenRevoked(u.sessionId))throw r.warn(m(t,"auth.protect.token_revoked",{mode:"server",userId:u.id,requestId:s.id})),new d("UNAUTHORIZED","Token has been revoked");s.user={id:u.id,roles:u.roles},r.info(m(t,"auth.protect.success",{mode:"server",userId:u.id,requestId:s.id}));}catch(u){if(u instanceof d&&u.code==="TOKEN_EXPIRED"){let y=L(s.headers.cookie,U(e));if(!y)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new d("UNAUTHORIZED","Token expired. Please login again.");let c;try{c=await $(y,e);}catch{throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:"TOKEN_EXPIRED",requestId:s.id})),new d("UNAUTHORIZED","Session expired. Please login again.")}if(!c.success)throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:c.error.code,requestId:s.id})),new d("UNAUTHORIZED","Session expired. Please login again.");te(i,c.refreshToken,e),se(i,c.accessToken,e),i.header("X-New-Access-Token",c.accessToken),s.user=c.user,r.info(m(t,"auth.protect.auto_refresh",{mode:"server",userId:c.user.id,requestId:s.id}));}else {let y=u instanceof d?u.code:"TOKEN_INVALID";throw r.warn(m(t,"auth.protect.failure",{mode:"server",errorCode:y,requestId:s.id})),u}}}}n(zr,"protectServer");function Tr(e,r,t){let s=`Requires one of roles: ${e.join(", ")}`;return async i=>{if(!i.user)throw r.warn(m(t,"auth.authorize.unauthenticated",{requiredRoles:e,requestId:i.id})),new d("UNAUTHORIZED","Not authenticated");let o=i.user.roles;if(!e.some(u=>o.includes(u)))throw r.warn(m(t,"auth.authorize.denied",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id})),new d("FORBIDDEN",s);r.info(m(t,"auth.authorize.passed",{userId:i.user.id,userRoles:[...o],requiredRoles:e,requestId:i.id}));}}n(Tr,"createAuthorizeHandler");function ie(e,r){return n(function(...s){return Tr(s,e,r)},"authorize")}n(ie,"createAuthorize");function Gr(...e){return Tr(e,N,"sentri")}n(Gr,"authorize");var Wr=new d("FORBIDDEN","You do not have permission to perform this action");function xr(e,r,t){return async s=>{if(!s.user)throw r.warn(m(t,"auth.permit.unauthenticated",{requestId:s.id})),new d("UNAUTHORIZED","Not authenticated");let i=s.user.id;if(e.roles&&e.roles.length>0){let y=s.user.roles;if(e.roles.some(c=>y.includes(c))){r.info(m(t,"auth.permit.role_bypass",{userId:i,bypassedByRole:true,requestId:s.id}));return}}let o=e.check(s);if(o instanceof Promise?await o:o)r.info(m(t,"auth.permit.passed",{userId:i,requestId:s.id}));else throw r.warn(m(t,"auth.permit.denied",{userId:i,requestId:s.id})),Wr}}n(xr,"createPermitHandler");function oe(e,r){return n(function(s){return xr(typeof s=="function"?{check:s}:s,e,r)},"permit")}n(oe,"createPermit");function Zr(e){return xr(typeof e=="function"?{check:e}:e,N,"sentri")}n(Zr,"permit");var Le=class{static{n(this,"InMemoryRateLimiter");}store=new Map;constructor(){setInterval(()=>{let r=Date.now();for(let[t,s]of this.store.entries())s.expiresAt<r&&this.store.delete(t);},6e4).unref();}async consume(r,t,s){let i=Date.now(),o=this.store.get(r);if((!o||o.expiresAt<i)&&(o={count:0,expiresAt:i+s},this.store.set(r,o)),o.count>=t){let u=Math.ceil((o.expiresAt-i)/1e3);throw new d("RATE_LIMIT_EXCEEDED",`Rate limit exceeded. Try again in ${u} seconds.`)}o.count++;}},Fe=class{static{n(this,"RedisRateLimiter");}redis;logger;constructor(r,t){this.redis=r,this.logger=t;}async consume(r,t,s){let i=`sentri:rl:${r}`,o=Math.ceil(s/1e3);try{let u=await this.redis.multi().incr(i).expire(i,o,"NX").exec();if(!u||u.length===0)return;if(u[0][1]>t)throw new d("RATE_LIMIT_EXCEEDED","Rate limit exceeded. Try again later.")}catch(u){if(u instanceof d&&u.code==="RATE_LIMIT_EXCEEDED")throw u;this.logger.error({msg:"Redis RateLimiter failed, bypassing limit",error:u});}}},V=null;async function Dr(e,r){if(V)return V;if(e)try{let{Redis:t}=await import('ioredis'),s=new t(e,{lazyConnect:!0,maxRetriesPerRequest:1});return await s.connect(),r?.info({msg:"Connected to Redis for Rate Limiting"}),V=new Fe(s,r??N),V}catch(t){r?.warn({msg:"Failed to connect to Redis for Rate Limiting, falling back to InMemoryRateLimiter",error:t});}return V=new Le,V}n(Dr,"getRateLimiter");function ae(e){return (r,t,s)=>{if(r instanceof d){s.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});return}e?.onUnhandled?.(r),s.code(500).send({error:true,statusCode:500,code:"INTERNAL_SERVER_ERROR",message:"Internal server error",data:null});}}n(ae,"createErrorHandler");var xe=8,M=72,De=255,Nr=100,B=50;function R(e){return new d("VALIDATION_ERROR",e)}n(R,"badRequest");function D(e,r,t,s){e.code(r).send({error:false,statusCode:r,message:t,data:s});}n(D,"ok");function b(e,r){e.code(r.statusCode).send({error:true,statusCode:r.statusCode,code:r.code,message:r.message,data:null});}n(b,"fail");function F(e){let r=e.body;if(r==null||typeof r!="object"||Array.isArray(r))throw new d("VALIDATION_ERROR","Request body is missing or not a JSON object.");return r}n(F,"parseBody");function Jr(e,r){if(!r.apiKey)return;let t=e.headers["x-api-key"];if(typeof t!="string"||t!==r.apiKey)throw new d("UNAUTHORIZED","Invalid or missing API key")}n(Jr,"validateApiKey");function Ke(e){if(e)try{let r=e();r instanceof Promise&&r.catch(()=>{});}catch{}}n(Ke,"fireHook");function Yr(e){return e.startsWith("RS")||e.startsWith("PS")}n(Yr,"isRSA");function He(e,r){if(typeof e!="object"||e===null||Array.isArray(e))throw R(`identifiers[${r}] must be an object`);let t=e;if(typeof t.type!="string"||t.type.trim().length===0)throw R(`identifiers[${r}].type is required and must be a non-empty string`);if(t.type.length>Nr)throw R(`identifiers[${r}].type must not exceed ${Nr} characters`);if(typeof t.value!="string"||t.value.trim().length===0)throw R(`identifiers[${r}].value is required and must be a non-empty string`);if(t.value.length>De)throw R(`identifiers[${r}].value must not exceed ${De} characters`);return {type:t.type,value:t.value}}n(He,"validateIdentifierInput");function Sr(e){return async r=>{let t=e,s=g(t),i=e.logger??N,o=e.loggerService??"sentri",u=ne(e),y=ie(i,o),c=oe(i,o),l=Dr(e.redisUrl,i),v=c(a=>!!a.user);r.setErrorHandler(ae()),r.addHook("preParsing",function(a,f,p,h){if(!a.headers["content-type"]?.includes("application/json")){h(null,p);return}if(p==null){h(null,Readable.from("{}"));return}let w=[];p.on("data",_=>w.push(_)),p.on("end",()=>{let _=Buffer.concat(w);h(null,_.length===0?Readable.from("{}"):Readable.from(_));}),p.on("error",_=>h(_));});let C=e.router?.register??(a=>me(a,t)),x=e.router?.login??(a=>pe(a,t)),O=e.router?.refresh??(a=>$(a,t)),A=e.router?.logout??(a=>a!==void 0?we(a,t):Promise.resolve()),P=e.router?.logoutAll??(a=>Ie(a,t)),j=e.router?.getUser??(a=>ye(a,t)),de=e.router?.assignRoles??((a,f)=>Re(a,f,t)),Cr=e.router?.changePassword??((a,f,p)=>_e(a,f,p,t)),Or=e.router?.bulkCreateIdentifiers??((a,f)=>ge(a,f,t)),br=e.router?.bulkUpdateIdentifiers??((a,f)=>ve(a,f,t)),Ur=e.router?.bulkDeleteIdentifiers??((a,f)=>Ae(a,f,t));Yr(s.algorithm)&&r.get("/keys",async(a,f)=>{f.header("Cache-Control","public, max-age=3600").send(er(e.secret));}),r.post("/register",async(a,f)=>{let p=Date.now();Jr(a,e);let h=F(a),{identifiers:w,password:_,roles:I}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let E=w.map((G,Ne)=>He(G,Ne));if(typeof _!="string"||_.length<xe)throw R(`password is required and must be at least ${xe} characters`);if(_.length>M)throw R(`password must not exceed ${M} characters`);if(I!==void 0&&!Array.isArray(I))throw R("roles must be an array of strings when provided");if(Array.isArray(I)&&!I.every(G=>typeof G=="string"))throw R("each role must be a string");let S=Array.isArray(I)?I:void 0,k=S!==void 0?{identifiers:E,password:_,roles:S}:{identifiers:E,password:_},K=a.ip||"127.0.0.1",X=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let G=await l,Ne=typeof e.rateLimit=="object"?e.rateLimit.maxRegisterAttempts??5:5;await G.consume(`register:${K}`,Ne,900*1e3);}let z=await C(k,{ip:K,userAgent:X});if(!z.success){i.warn(m(o,"auth.register.failure",{errorCode:z.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,z.error);return}i.info(m(o,"auth.register.success",{userId:z.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,201,"User registered successfully",{user:z.user});}),r.post("/login",async(a,f)=>{let p=Date.now(),h=F(a),{identifier:w,password:_}=h;if(typeof w!="string"||w.trim().length===0)throw R("identifier is required and must be a non-empty string");if(w.length>De)throw R(`identifier must not exceed ${De} characters`);if(typeof _!="string"||_.length===0)throw R("password is required");if(_.length>M)throw R(`password must not exceed ${M} characters`);let I=w.trim(),E=a.ip||"127.0.0.1",S=a.headers["user-agent"]||"Unknown";if(e.rateLimit!==false){let K=await l,X=typeof e.rateLimit=="object"?e.rateLimit.maxLoginAttempts??5:5;await K.consume(`login:${E}`,X,900*1e3);}let k=await x({identifier:I,password:_},{ip:E,userAgent:S});if(!k.success){Ke(()=>e.hooks?.onLoginFailed?.(I,k.error,{ip:E})),i.warn(m(o,"auth.login.failure",{errorCode:k.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,k.error);return}Ke(()=>e.hooks?.onLoginSuccess?.(k.user,{ip:E,userAgent:S})),te(f,k.refreshToken,e),se(f,k.accessToken,e),i.info(m(o,"auth.login.success",{userId:k.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Login successful",{accessToken:k.accessToken,user:k.user});}),r.post("/refresh",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));if(!h)throw new d("UNAUTHORIZED","Refresh token cookie is missing");let w=a.ip||"127.0.0.1",_=a.headers["user-agent"]||"Unknown",I=await O(h,{ip:w,userAgent:_});if(!I.success){ke(f,e),i.warn(m(o,"auth.refresh.failure",{errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}te(f,I.refreshToken,e),se(f,I.accessToken,e),i.info(m(o,"auth.refresh.success",{userId:I.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Token refreshed",{accessToken:I.accessToken});}),r.post("/logout",async(a,f)=>{let p=Date.now(),h=L(a.headers.cookie,U(e));await A(h),ke(f,e),Ue(f,e),i.info(m(o,"auth.logout",{duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Logged out",null);}),r.post("/logout-all",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id;await P(h),Ke(()=>e.hooks?.onLogout?.(h)),ke(f,e),Ue(f,e),i.info(m(o,"auth.logout_all",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"All sessions revoked",null);}),r.get("/me",{preHandler:u},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.success",{userId:h.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",h.user);}),r.get("/me/identifiers",{preHandler:u},async(a,f)=>{let p=Date.now(),h=await j(a.user.id);if(!h.success){i.warn(m(o,"auth.me.identifiers.failure",{userId:a.user.id,errorCode:h.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,h.error);return}i.info(m(o,"auth.me.identifiers.success",{userId:h.user.id,count:h.user.identifiers?.length??0,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",{identifiers:h.user.identifiers??[]});}),r.post("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let _=w.map((E,S)=>He(E,S)),I=await Or(a.user.id,_);if(!I.success){i.warn(m(o,"auth.identifiers.create_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.created",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),D(f,201,"Identifiers added successfully",{identifiers:I.identifiers});}),r.put("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{identifiers:w}=h;if(!Array.isArray(w)||w.length===0)throw R("identifiers is required and must be a non-empty array");if(w.length>B)throw R(`identifiers must not exceed ${B} entries`);let _=w.map((E,S)=>{if(typeof E!="object"||E===null||Array.isArray(E))throw R(`identifiers[${S}] must be an object`);let k=E;if(typeof k.id!="string"||k.id.trim().length===0)throw R(`identifiers[${S}].id is required and must be a non-empty string`);let{type:K,value:X}=He(E,S);return {id:k.id,type:K,value:X}}),I=await br(a.user.id,_);if(!I.success){i.warn(m(o,"auth.identifiers.update_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.identifiers.updated",{userId:a.user.id,count:I.identifiers.length,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Identifiers updated successfully",{identifiers:I.identifiers});}),r.delete("/me/identifiers",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{ids:w}=h;if(!Array.isArray(w)||w.length===0)throw R("ids is required and must be a non-empty array of strings");if(!w.every(I=>typeof I=="string"))throw R("each id must be a string");let _=await Ur(a.user.id,w);if(!_.success){i.warn(m(o,"auth.identifiers.delete_failure",{userId:a.user.id,errorCode:_.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,_.error);return}i.info(m(o,"auth.identifiers.deleted",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Identifiers deleted successfully",{identifiers:_.identifiers});}),r.patch("/me/password",{preHandler:[u,v]},async(a,f)=>{let p=Date.now(),h=F(a),{currentPassword:w,newPassword:_}=h;if(typeof w!="string"||w.length===0)throw R("currentPassword is required");if(typeof _!="string"||_.length<xe)throw R(`newPassword must be at least ${xe} characters`);if(_.length>M)throw R(`newPassword must not exceed ${M} characters`);if(w===_)throw R("newPassword must be different from currentPassword");let I=await Cr(a.user.id,w,_);if(!I.success){i.warn(m(o,"auth.password.change_failure",{userId:a.user.id,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.password.changed",{userId:a.user.id,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Password updated successfully. All sessions have been revoked.",null);}),r.post("/users/:userId/roles",{preHandler:[u,y("admin")]},async(a,f)=>{let p=Date.now(),h=F(a),{roles:w}=h,_=a.params.userId;if(!_)throw R("userId is required");if(!Array.isArray(w)||w.length===0)throw R("roles must be a non-empty array of strings");if(!w.every(E=>typeof E=="string"))throw R("each role must be a string");let I=await de(_,w);if(!I.success){i.warn(m(o,"auth.roles.assign_failure",{targetUserId:_,errorCode:I.error.code,duration_ms:Date.now()-p,requestId:a.id})),b(f,I.error);return}i.info(m(o,"auth.roles.assigned",{targetUserId:_,roles:w,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Roles assigned successfully",{user:I.user});}),r.get("/sessions",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id,_=await(e.router?.getSessions??(I=>Er(I,t)))(h);i.info(m(o,"auth.sessions.get",{userId:h,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"OK",{sessions:_});}),r.delete("/sessions/:id",{preHandler:u},async(a,f)=>{let p=Date.now(),h=a.user.id,w=a.params.id;await(e.router?.revokeSession??((I,E)=>kr(I,E,t)))(h,w),i.info(m(o,"auth.sessions.revoke",{userId:h,sessionId:w,duration_ms:Date.now()-p,requestId:a.id})),D(f,200,"Session revoked",null);});}}n(Sr,"createAuthPlugin");function js(e){if(e.mode==="client"){let c={mode:"client",keyUri:e.keyUri,...e.validRoles!==void 0&&{validRoles:e.validRoles},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}};ze(c);let l=c.logger??N,v=c.loggerService??"sentri",C=ie(l,v),x=oe(l,v);return {protect:n(()=>ne(c),"protect"),authorize:n((...O)=>C(...O),"authorize"),permit:n(O=>x(O),"permit"),errorHandler:n(O=>ae(O),"errorHandler")}}let{privateKey:r}=generateKeyPairSync("rsa",{modulusLength:2048,privateKeyEncoding:{type:"pkcs8",format:"pem"},publicKeyEncoding:{type:"spki",format:"pem"}}),t={mode:"server",dialect:e.dialect,secret:r,algorithm:"RS256",validRoles:e.validRoles,...e.validIdentifiers!==void 0&&{validIdentifiers:e.validIdentifiers},...e.accessExpiresIn!==void 0&&{accessExpiresIn:e.accessExpiresIn},...e.refreshExpiresIn!==void 0&&{refreshExpiresIn:e.refreshExpiresIn},...e.saltRounds!==void 0&&{saltRounds:e.saltRounds},...e.apiKey!==void 0&&{apiKey:e.apiKey},...e.cookie!==void 0&&{cookie:e.cookie},...e.accessCookie!==void 0&&{accessCookie:e.accessCookie},...e.hooks!==void 0&&{hooks:e.hooks},...e.router!==void 0&&{router:e.router},...e.isTokenRevoked!==void 0&&{isTokenRevoked:e.isTokenRevoked},...e.rateLimit!==void 0&&{rateLimit:e.rateLimit},...e.redisUrl!==void 0&&{redisUrl:e.redisUrl},...e.logger!==void 0&&{logger:e.logger},...e.loggerService!==void 0&&{loggerService:e.loggerService}},s=t.logger??N,i=t.loggerService??"sentri",o=g(t),u=ie(s,i),y=oe(s,i);return {protect:n(()=>ne(t),"protect"),authorize:n((...c)=>u(...c),"authorize"),permit:n(c=>y(c),"permit"),plugin:n(()=>Sr(t),"plugin"),errorHandler:n(c=>ae(c),"errorHandler"),migrate:n(()=>Ge(T(t.dialect)),"migrate"),getCurrentAccessToken:n(c=>Te(c,t),"getCurrentAccessToken"),hashPassword:n(c=>W(c,o.saltRounds),"hashPassword"),verifyPassword:n((c,l)=>Z(c,l),"verifyPassword"),signAccessToken:n(c=>Y(c,t),"signAccessToken"),signRefreshToken:n(c=>q(c,t),"signRefreshToken"),verifyAccessToken:n(c=>ce(c,t),"verifyAccessToken"),verifyRefreshToken:n(c=>Q(c,t),"verifyRefreshToken"),register:n(c=>me(c,t),"register"),login:n(c=>pe(c,t),"login"),refresh:n(c=>$(c,t),"refresh"),logout:n(c=>we(c,t),"logout"),logoutAll:n(c=>Ie(c,t),"logoutAll"),getUser:n(c=>ye(c,t),"getUser"),changePassword:n((c,l,v)=>_e(c,l,v,t),"changePassword"),assignRoles:n((c,l)=>Re(c,l,t),"assignRoles"),bulkCreateIdentifiers:n((c,l)=>ge(c,l,t),"bulkCreateIdentifiers"),bulkUpdateIdentifiers:n((c,l)=>ve(c,l,t),"bulkUpdateIdentifiers"),bulkDeleteIdentifiers:n((c,l)=>Ae(c,l,t),"bulkDeleteIdentifiers")}}n(js,"createAuthFastify");export{$e as SENTRI_ERROR_STATUS,d as SentriError,Gr as authorize,js as createAuthFastify,Sr as createAuthPlugin,ie as createAuthorize,ae as createErrorHandler,oe as createPermit,Te as getCurrentAccessToken,Zr as permit,ne as protect};