stellar-drive 1.2.28 → 1.2.30

package/README.md

@@ -52,7 +52,7 @@ Building offline-first sync is notoriously difficult. stellar-drive handles the
 - **Diagnostics** -- Comprehensive runtime diagnostics covering sync, queue, realtime, conflicts, egress, and network state.
 - **Debug utilities** -- Opt-in debug logging and `window` debug utilities for browser console inspection during development.
 - **SvelteKit integration** (optional) -- Layout helpers, server handlers, email confirmation, service worker lifecycle, and auth hydration.
-- **PWA scaffolding CLI** -- `stellar-drive install pwa` generates a complete SvelteKit PWA project (34+ files) with an interactive walkthrough.
+- **PWA scaffolding CLI** -- `stellar-drive install pwa` generates a fully wired SvelteKit PWA skeleton (51 files) with auth, PIN gate, device verification, profile page, demo mode, adaptive navbar, and PWA plumbing pre-connected.
 
 ### Use cases
 
@@ -402,31 +402,156 @@ See [API Reference -- Vite Plugin](./API_REFERENCE.md#vite-plugin-stellarpwa) fo
 
 ### Install PWA
 
-Scaffold a complete offline-first SvelteKit PWA project with an interactive walkthrough:
+Scaffold a complete offline-first SvelteKit PWA skeleton with an interactive walkthrough:
 
 ```bash
 npx stellar-drive install pwa
 ```
 
-The wizard prompts for:
+Run this in an empty directory. The wizard collects four inputs, installs dependencies, and writes 51 files — a fully wired skeleton that passes `npm run validate` and `npm run cleanup` out of the box.
+
+#### Wizard prompts
 
 | Prompt | Required | Description |
 |--------|----------|-------------|
-| App Name | Yes | Full app name (e.g., "Stellar Planner") |
-| Short Name | Yes | Short name for PWA home screen (under 12 chars) |
-| Prefix | Yes | Lowercase key for localStorage, caches, SW, and Supabase table names (auto-suggested from name) |
-| Description | No | App description (default: "A self-hosted offline-first PWA") |
-
-Generates **34+ files** for a production-ready SvelteKit 2 + Svelte 5 project:
-
-- **Config files (8):** `vite.config.ts`, `tsconfig.json`, `svelte.config.js`, `eslint.config.js`, `.prettierrc`, `.prettierignore`, `knip.json`, `.gitignore`
-- **Documentation (3):** `README.md`, `ARCHITECTURE.md`, `FRAMEWORKS.md`
-- **Static assets (13):** `manifest.json`, `offline.html`, placeholder SVG icons, email template placeholders
-- **Database (1):** `supabase-schema.sql` with helper functions, example tables, and `trusted_devices` table
-- **Source files (2):** `src/app.html` (PWA-ready with iOS meta tags, SW registration), `src/app.d.ts`
-- **Route files (16):** Root layout, login, setup, profile, protected area, API endpoints, catch-all redirect
-- **Library (1):** `src/lib/types.ts` with re-exports and app-specific type stubs
-- **Git hooks (1):** `.husky/pre-commit` with lint + format + validate
+| App Name | Yes | Full app name (e.g., "Stellar Planner"). Used in page titles, manifest, and email templates. |
+| Short Name | Yes | Condensed name for the PWA home-screen icon (12 chars max). |
+| Prefix | Yes | Lowercase key used for localStorage, caches, the service worker scope, and Supabase table prefixes. Auto-suggested from the app name. |
+| Description | No | One-line description shown in the manifest (default: `"A self-hosted offline-first PWA"`). |
+
+#### What gets generated — 51 files
+
+**Project config (10)**
+
+| File | Purpose |
+|------|---------|
+| `package.json` | All deps and scripts pre-configured: `dev`, `build`, `validate`, `cleanup` |
+| `vite.config.ts` | `stellarPWA` plugin wired with your prefix; schema generation enabled |
+| `tsconfig.json` | Extends SvelteKit's generated config with strict mode |
+| `svelte.config.js` | `adapter-auto` + `vitePreprocess` |
+| `eslint.config.js` | TypeScript-aware ESLint with Svelte plugin |
+| `.prettierrc` | Consistent formatting rules |
+| `.prettierignore` | Ignores build artifacts and generated files |
+| `knip.json` | Dead-code detection configured for SvelteKit |
+| `.gitignore` | Node, SvelteKit, and environment file ignores |
+| `.env.example` | Template for `PUBLIC_SUPABASE_URL` and `PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` |
+
+**Documentation (3)**
+
+| File | Purpose |
+|------|---------|
+| `README.md` | Project-level readme linking architecture and framework docs |
+| `ARCHITECTURE.md` | Directory layout, data flow, and module responsibilities |
+| `FRAMEWORKS.md` | Technology choices, rationale, and Svelte 5 rune patterns |
+
+**Git hooks (1)**
+
+| File | Purpose |
+|------|---------|
+| `.husky/pre-commit` | Runs `npm run cleanup && npm run validate && git add -u` before every commit |
+
+**Static assets (12)**
+
+| File | Purpose |
+|------|---------|
+| `static/manifest.json` | PWA manifest with all icon sizes and display settings |
+| `static/offline.html` | Offline fallback shown by the service worker |
+| `static/icons/app.svg` | Green primary app icon (letter placeholder) |
+| `static/icons/app-dark.svg` | Dark variant for light-mode context |
+| `static/icons/maskable.svg` | Maskable icon for Android home screens |
+| `static/icons/favicon.svg` | Browser tab favicon |
+| `static/icons/monochrome.svg` | Monochrome icon for notification badges |
+| `static/icons/splash.svg` | Splash screen icon |
+| `static/icons/apple-touch.svg` | iOS Add-to-Home-Screen icon |
+| `static/signup-email.html` | Signup confirmation email template |
+| `static/change-email.html` | Email change confirmation template |
+| `static/device-verification-email.html` | Device trust OTP email template |
+
+**App core (2)**
+
+| File | Purpose |
+|------|---------|
+| `src/app.html` | PWA shell: iOS meta tags, theme color, service-worker registration script |
+| `src/app.d.ts` | SvelteKit ambient types (`App.Locals`, `App.PageData`) |
+
+**Routes (16)**
+
+| Route | File(s) | What it does |
+|-------|---------|-------------|
+| Root layout | `+layout.ts`, `+layout.svelte` | Engine bootstrap, auth resolution, adaptive navbar (top on desktop / bottom on mobile), sync status, offline toast, demo banner, PWA update prompt |
+| Home | `+page.svelte` | Protected placeholder — add your app content here |
+| Error | `+error.svelte` | SvelteKit error page with retry and home link |
+| Login | `login/+page.svelte` | PIN-based login, device linking, device verification email flow, BroadcastChannel handshake, persistent lockout countdown |
+| Email confirm | `confirm/+page.svelte` | Verifies Supabase email OTP, broadcasts `AUTH_CONFIRMED` to the login tab, then closes or redirects |
+| Setup (initial) | `setup/+page.ts`, `setup/+page.svelte` | Multi-step wizard: Supabase credentials → validate → deploy schema → create account. Guarded by `resolveSetupAccess()` — only accessible before a user account exists. |
+| Reconfigure | `setup/Reconfigure.svelte` | Single-page re-setup form for changing credentials after initial setup. Accessible from the profile settings. |
+| Profile | `profile/+page.svelte` | Full settings hub: display name, email change (with re-verification), PIN/code change, trusted devices list with revocation, debug mode toggle, diagnostics dashboard (sync, realtime, queue, egress, errors), reset database |
+| Demo | `demo/+page.svelte` | Toggle demo mode on/off with explanation and confirmation; triggers full page reload |
+| Privacy policy | `policy/+page.svelte` | Static placeholder — replace with your actual policy |
+| Config API | `api/config/+server.ts` | Returns `PUBLIC_SUPABASE_URL` and `PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` to the client |
+| Setup deploy | `api/setup/deploy/+server.ts` | Writes `.env` during initial setup, creates Supabase auth user + pushes schema SQL |
+| Setup validate | `api/setup/validate/+server.ts` | Validates Supabase credentials without writing anything |
+| Catch-all | `[...catchall]/+page.server.ts` | 302 redirect to `/` for unknown URLs |
+
+**Library (7)**
+
+| File | Purpose |
+|------|---------|
+| `src/lib/routes.ts` | `ROUTES` constants for all app paths — single source of truth |
+| `src/lib/schema.ts` | Example schema with two tables (`items`, `settings`); replace with your domain schema |
+| `src/lib/types.generated.ts` | Placeholder for Vite-plugin-generated TypeScript interfaces |
+| `src/lib/types.ts` | App-specific type stubs and re-exports |
+| `src/lib/components/UpdatePrompt.svelte` | PWA update prompt that appears when a new service worker is waiting |
+| `src/lib/demo/mockData.ts` | Mock data seeded into the demo database on each page load |
+| `src/lib/demo/config.ts` | Demo configuration wired into `initEngine()` |
+
+#### What's pre-wired
+
+The skeleton is not just file stubs — the entire auth and engine lifecycle is already connected:
+
+- **Engine bootstrap** — `initEngine()` in `+layout.ts` with your prefix, name, and demo config; `initConfig()` pulls Supabase credentials from `/api/config` at runtime
+- **Auth resolution** — `resolveRootLayout()` in the layout load determines `authMode` (`'none'` | `'offline'` | `'demo'`) and redirects unauthenticated users to login
+- **Single-user PIN gate** — login page handles first-time setup detection, `unlockSingleUser`, `setupSingleUser` inside the login flow, device linking, and persistent lockout
+- **Device verification** — email OTP flow fully wired through login → confirm → BroadcastChannel → login tab reaction
+- **Setup wizard** — multi-step Supabase credential entry, live validation, schema deploy, and user account creation; guarded so it only appears before initial setup
+- **Profile page** — change name, email (with re-verification cooldown and resend), PIN, revoke trusted devices, toggle debug mode, full diagnostics panel, and reset database
+- **Demo mode** — sandboxed IndexedDB, zero Supabase calls, mock profile, seeded data; toggle from `/demo` or profile settings
+- **Adaptive navbar** — top bar on ≥768px, fixed bottom bar on mobile; active state driven by SvelteKit's `page` store; Dynamic Island safe area padding
+- **PWA plumbing** — service worker via `stellarPWA` Vite plugin, Web App Manifest, offline fallback, `UpdatePrompt` for background updates, iOS splash/touch icons
+- **Email templates** — Supabase-compatible HTML templates for signup, email change, and device verification; drop-in replacements for the default Supabase emails
+
+#### Design theme
+
+The skeleton uses a minimal green theme derived from the email templates:
+
+| Token | Value | Use |
+|-------|-------|-----|
+| Primary | `#6B9E6B` | Buttons, active nav, focus rings, borders |
+| Card background | `#0f0f1e` | Modal and card surfaces |
+| Page background | `#111116` | App background |
+| Card border | `#3d5a3d` | Card outlines |
+| Text | `#f0f0ff` | Primary text |
+| Text secondary | `#c8c8e0` | Descriptions, labels |
+| Text muted | `#7878a0` | Hints, timestamps |
+
+All colors are CSS custom properties — override `:root` in your app's global CSS to adopt any theme.
+
+#### Building on the skeleton
+
+After scaffolding, the typical customisation path is:
+
+1. **Define your schema** — edit `src/lib/schema.ts` to replace the example tables with your domain entities; the Vite plugin auto-generates TypeScript interfaces and pushes Supabase migrations on `npm run dev`
+2. **Add app pages** — create new routes under `src/routes/`; import stores and CRUD helpers from `stellar-drive`
+3. **Wire stores** — in `+page.svelte`, create collection/detail stores with `createCollectionStore` / `createDetailStore` and refresh them with `onSyncComplete`
+4. **Customise the navbar** — the root layout's navbar lists only the home and profile links; add your app's sections to the `navItems` array in `+layout.svelte`
+5. **Replace placeholder content** — swap the privacy policy text, update icon SVGs with your actual branding, and fill in the demo mock data with representative records
+6. **Set environment variables** — copy `.env.example` to `.env` and add your Supabase project URL and publishable key; run the setup wizard on first launch to push the schema
+
+#### Prerequisites
+
+- Node.js ≥ 18
+- A [Supabase](https://supabase.com) project (free tier is sufficient)
+- `PUBLIC_SUPABASE_URL` and `PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY` from the Supabase dashboard (Settings → API)
 
 ---
 
@@ -450,7 +575,8 @@ Import only what you need:
 | `stellar-drive/config` | Runtime config management (`initConfig`, `getConfig`, `setConfig`, `getDexieTableFor`) |
 | `stellar-drive/vite` | Vite plugin (`stellarPWA`) for service worker builds, asset manifests, and schema auto-generation |
 | `stellar-drive/kit` | SvelteKit helpers: server route factories, layout loaders, email confirmation, SW lifecycle, auth hydration |
-| `stellar-drive/components/*` | Svelte components: `SyncStatus`, `DeferredChangesBanner`, `DemoBanner`, `DemoBlockedMessage` |
+| `stellar-drive/toast` | Toast notifications: `addToast`, `dismissToast`, `toastStore`, `ToastVariant` type |
+| `stellar-drive/components/*` | Svelte components: `SyncStatus`, `DeferredChangesBanner`, `DemoBanner`, `DemoBlockedMessage`, `OfflineToast`, `GlobalToast` |
 
 ### Key categories at a glance
 
@@ -460,7 +586,7 @@ Import only what you need:
 
 **CRUD and queries:** `engineCreate`, `engineUpdate`, `engineDelete`, `engineIncrement`, `engineBatchWrite`, `engineGetOrCreate`, `queryAll`, `queryOne`, `engineGet`, `markEntityModified`
 
-**Authentication:** `resolveAuthState`, `signOut`, `getValidSession`, `setupSingleUser`, `unlockSingleUser`, `lockSingleUser`, `resetSingleUser`, device verification functions, display helpers (`resolveFirstName`, `resolveUserId`, `resolveAvatarInitial`)
+**Authentication:** `resolveAuthState`, `signOut`, `getValidSession`, `setupSingleUser`, `unlockSingleUser`, `lockSingleUser` (voluntary soft-lock only — use `signOut` in `onAuthKicked`), `resetSingleUser`, device verification functions, display helpers (`resolveFirstName`, `resolveUserId`, `resolveAvatarInitial`)
 
 **Reactive stores:** `syncStatusStore`, `authState`, `isAuthenticated`, `userDisplayInfo`, `isOnline`, `remoteChangesStore`, `createCollectionStore`, `createDetailStore`, `onSyncComplete`, `onRealtimeDataUpdate`
 

package/dist/auth/deviceVerification.d.ts

@@ -16,11 +16,13 @@
  *   days (default: 90). The `last_used_at` column is refreshed on each
  *   successful login via {@link touchTrustedDevice}.
  * - **OTP flow**: Uses Supabase `signInWithOtp()` with `shouldCreateUser: false`
- *   to send a magic link email. The confirm page verifies the token and trusts
- *   both the originating device and the confirming device.
- * - **Cross-device verification**: The originating device's ID is stored in
- *   `user_metadata` as `pending_{prefix}_device_id` so the confirm page can trust it
- *   even when opened on a different device (e.g., phone).
+ *   to send a magic link email. The originating device's ID and label are
+ *   embedded directly in the `emailRedirectTo` URL as query params
+ *   (`pending_device_id`, `pending_device_label`). The confirm page reads them
+ *   from the URL and trusts exactly that device — no shared mutable state.
+ * - **Cross-device verification**: Because the device ID travels inside the
+ *   email link itself, each OTP is 1:1 with its originating device. Concurrent
+ *   OTPs from multiple devices are fully isolated with no race condition.
  *
  * ## Database Schema
  *
@@ -48,6 +50,12 @@
  *   and security. Reduce this for higher-security applications.
  * - **RLS**: The `trusted_devices` table should have Row Level Security
  *   policies ensuring users can only read/write their own device records.
+ * - **URL param trust**: `pending_device_id` travels in the email link URL.
+ *   It controls only which device is trusted after a valid `token_hash`
+ *   verification — not whether trust is granted at all. Tampering with this
+ *   param requires intercepting the email delivery chain, which already gives
+ *   full account compromise via the token itself. `pending_device_label` is
+ *   capped at 100 characters before storage to prevent oversized DB writes.
  *
  * @module deviceVerification
  * @see {@link singleUser} for how device verification integrates into the auth flow
@@ -130,7 +138,7 @@ export declare function isDeviceTrusted(userId: string): Promise<boolean>;
  * await trustCurrentDevice(user.id);
  * ```
  *
- * @see {@link trustPendingDevice} for trusting a remote device via user_metadata
+ * @see {@link trustPendingDevice} for trusting the originating device after OTP confirmation
  */
 export declare function trustCurrentDevice(userId: string): Promise<void>;
 /**
@@ -185,12 +193,13 @@ export declare function removeTrustedDevice(id: string): Promise<void>;
 /**
  * Send a device verification OTP email to the user.
  *
- * This function performs two actions:
- * 1. **Stores pending device info** in Supabase `user_metadata` so that the
- *    confirm page can trust the originating device even if the link is opened
- *    on a different device.
- * 2. **Sends an OTP email** via `signInWithOtp()` with `shouldCreateUser: false`
- *    to prevent account creation through this endpoint.
+ * Builds an `emailRedirectTo` URL containing the originating device's ID and
+ * label as query params (`pending_device_id`, `pending_device_label`), then
+ * sends an OTP email via `signInWithOtp()` with `shouldCreateUser: false` to
+ * prevent account creation through this endpoint.
+ *
+ * Each email is 1:1 with the device that sent it — no shared `user_metadata`
+ * field, so concurrent OTPs from multiple devices cannot interfere.
  *
  * The existing session is intentionally kept alive so that
  * {@link pollDeviceVerification} can continue checking trust status.
@@ -211,35 +220,36 @@ export declare function sendDeviceVerification(email: string): Promise<{
     error: string | null;
 }>;
 /**
- * Trust the pending device stored in `user_metadata`.
+ * Trust the device that originated a verification OTP.
  *
- * Called from the confirm page after a device OTP is verified. This function
- * trusts the ORIGINATING device (the one that entered the PIN and triggered
- * verification), not necessarily the device opening the confirmation link.
+ * Called from the confirm page after a device OTP is verified. Accepts the
+ * originating device ID and label directly from the email redirect URL — no
+ * shared `user_metadata` field, so concurrent OTPs from multiple devices
+ * each trust only their own originating device.
  *
  * ## Cross-Device Flow
  *
- * 1. Device A enters the PIN -> untrusted -> OTP sent, device A's ID stored
- *    in `user_metadata.pending_{prefix}_device_id`.
- * 2. User opens the OTP link on Device B (or Device A).
- * 3. This function reads `pending_{prefix}_device_id` from metadata and trusts Device A.
- * 4. Device A polls via {@link pollDeviceVerification} and discovers it's now trusted.
- * 5. Only Device A is trusted — the confirming device (B) is NOT added, since
- *    the user never signed into the app on that device.
+ * 1. Device A sends OTP → redirect URL contains Device A's ID as query params.
+ * 2. User opens the link (on Device A or Device B).
+ * 3. Confirm page passes `pendingDeviceId` / `pendingDeviceLabel` here.
+ * 4. This function upserts only Device A into `trusted_devices`.
+ * 5. Device A polls via {@link pollDeviceVerification} and discovers it's now trusted.
+ *
+ * If `pendingDeviceId` is not provided (edge case: old-format links), falls
+ * back to trusting the current device.
  *
- * If no `pending_{prefix}_device_id` is found in metadata (same-browser case where the
- * link was opened in the same browser), falls back to trusting the current
- * device only.
+ * @param pendingDeviceId    - Device ID from the email redirect URL query param.
+ * @param pendingDeviceLabel - Device label from the email redirect URL query param.
  *
  * @example
  * ```ts
  * // Called from the /confirm page after OTP verification:
- * await trustPendingDevice();
+ * await trustPendingDevice(pendingDeviceId, pendingDeviceLabel);
  * ```
  *
- * @see {@link sendDeviceVerification} which stores the pending device ID
+ * @see {@link sendDeviceVerification} which embeds the device ID in the redirect URL
  */
-export declare function trustPendingDevice(): Promise<void>;
+export declare function trustPendingDevice(pendingDeviceId?: string, pendingDeviceLabel?: string): Promise<void>;
 /**
  * Verify a device verification OTP token hash from an email link.
  *

package/dist/auth/deviceVerification.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deviceVerification.d.ts","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAuE9C;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAyBvC;AAMD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAS/C;AAMD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAiCtE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BtE;AAED;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBtE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAoBhF;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAanE;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAoC7F;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC,CA6DxD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAmB3F;AAMD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C"}
+{"version":3,"file":"deviceVerification.d.ts","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAwE9C;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAyBvC;AAMD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAS/C;AAMD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAiCtE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BtE;AAED;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAkBtE;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAoBhF;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAanE;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAkD7F;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,kBAAkB,CACtC,eAAe,CAAC,EAAE,MAAM,EACxB,kBAAkB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,IAAI,CAAC,CA0Df;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAmB3F;AAMD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C"}

package/dist/auth/deviceVerification.js

@@ -16,11 +16,13 @@
  *   days (default: 90). The `last_used_at` column is refreshed on each
  *   successful login via {@link touchTrustedDevice}.
  * - **OTP flow**: Uses Supabase `signInWithOtp()` with `shouldCreateUser: false`
- *   to send a magic link email. The confirm page verifies the token and trusts
- *   both the originating device and the confirming device.
- * - **Cross-device verification**: The originating device's ID is stored in
- *   `user_metadata` as `pending_{prefix}_device_id` so the confirm page can trust it
- *   even when opened on a different device (e.g., phone).
+ *   to send a magic link email. The originating device's ID and label are
+ *   embedded directly in the `emailRedirectTo` URL as query params
+ *   (`pending_device_id`, `pending_device_label`). The confirm page reads them
+ *   from the URL and trusts exactly that device — no shared mutable state.
+ * - **Cross-device verification**: Because the device ID travels inside the
+ *   email link itself, each OTP is 1:1 with its originating device. Concurrent
+ *   OTPs from multiple devices are fully isolated with no race condition.
  *
  * ## Database Schema
  *
@@ -48,6 +50,12 @@
  *   and security. Reduce this for higher-security applications.
  * - **RLS**: The `trusted_devices` table should have Row Level Security
  *   policies ensuring users can only read/write their own device records.
+ * - **URL param trust**: `pending_device_id` travels in the email link URL.
+ *   It controls only which device is trusted after a valid `token_hash`
+ *   verification — not whether trust is granted at all. Tampering with this
+ *   param requires intercepting the email delivery chain, which already gives
+ *   full account compromise via the token itself. `pending_device_label` is
+ *   capped at 100 characters before storage to prevent oversized DB writes.
  *
  * @module deviceVerification
  * @see {@link singleUser} for how device verification integrates into the auth flow
@@ -57,6 +65,7 @@ import { supabase } from '../supabase/client';
 import { getDeviceId, waitForDeviceId } from '../deviceId';
 import { debugLog, debugWarn, debugError } from '../debug';
 import { isDemoMode } from '../demo';
+import { getDb, TABLE } from '../database';
 /** Default number of days a device remains trusted before requiring re-verification. */
 const DEFAULT_TRUST_DURATION_DAYS = 90;
 // =============================================================================
@@ -268,7 +277,7 @@ export async function isDeviceTrusted(userId) {
  * await trustCurrentDevice(user.id);
  * ```
  *
- * @see {@link trustPendingDevice} for trusting a remote device via user_metadata
+ * @see {@link trustPendingDevice} for trusting the originating device after OTP confirmation
  */
 export async function trustCurrentDevice(userId) {
     if (isDemoMode())
@@ -404,12 +413,13 @@ export async function removeTrustedDevice(id) {
 /**
  * Send a device verification OTP email to the user.
  *
- * This function performs two actions:
- * 1. **Stores pending device info** in Supabase `user_metadata` so that the
- *    confirm page can trust the originating device even if the link is opened
- *    on a different device.
- * 2. **Sends an OTP email** via `signInWithOtp()` with `shouldCreateUser: false`
- *    to prevent account creation through this endpoint.
+ * Builds an `emailRedirectTo` URL containing the originating device's ID and
+ * label as query params (`pending_device_id`, `pending_device_label`), then
+ * sends an OTP email via `signInWithOtp()` with `shouldCreateUser: false` to
+ * prevent account creation through this endpoint.
+ *
+ * Each email is 1:1 with the device that sent it — no shared `user_metadata`
+ * field, so concurrent OTPs from multiple devices cannot interfere.
  *
  * The existing session is intentionally kept alive so that
  * {@link pollDeviceVerification} can continue checking trust status.
@@ -431,23 +441,35 @@ export async function sendDeviceVerification(email) {
         return { error: null };
     try {
         /* Ensure the IDB recovery attempt has completed so the device ID we
-           embed in user_metadata is the recovered UUID, not a fresh one. */
+           embed in the redirect URL is the recovered UUID, not a fresh one. */
         await waitForDeviceId();
-        /* Store the pending device info in user_metadata so the confirm page
-           can trust THIS device even if the link is opened on a different one.
-           This enables the cross-device verification pattern. */
         const deviceId = getDeviceId();
         const deviceLabel = getDeviceLabel();
-        const prefix = getEngineConfig().prefix;
-        await supabase.auth.updateUser({
-            data: {
-                [`pending_${prefix}_device_id`]: deviceId,
-                [`pending_${prefix}_device_label`]: deviceLabel
-            }
+        /* Build a redirect URL with the originating device's ID baked in as
+           query params. Each OTP email is 1:1 with the device that sent it —
+           no shared user_metadata field, no race condition possible. */
+        const path = getEngineConfig().auth?.confirmRedirectPath || '/confirm';
+        const base = typeof window !== 'undefined' ? `${window.location.origin}${path}` : path;
+        const redirectUrl = new URL(base);
+        redirectUrl.searchParams.set('pending_device_id', deviceId);
+        redirectUrl.searchParams.set('pending_device_label', deviceLabel);
+        /* Write app_name and app_domain just before sending the OTP so that
+           email templates ({{ .Data.app_name }}, {{ .Data.app_domain }}) resolve
+           to the correct app. This is the only safe place to write these fields —
+           doing it at unlock time would clobber them with whichever app ran last,
+           since both apps share the same Supabase user. */
+        const { name: appName, domain: appDomain } = getEngineConfig();
+        await supabase.auth
+            .updateUser({ data: { app_name: appName, app_domain: appDomain } })
+            .catch((e) => {
+            debugWarn('[DeviceVerification] Failed to set app metadata before OTP:', e);
         });
         const { error } = await supabase.auth.signInWithOtp({
             email,
-            options: { shouldCreateUser: false }
+            options: {
+                shouldCreateUser: false,
+                emailRedirectTo: redirectUrl.toString()
+            }
         });
         if (error) {
             debugError('[DeviceVerification] Send OTP failed:', error.message);
@@ -462,35 +484,36 @@ export async function sendDeviceVerification(email) {
     }
 }
 /**
- * Trust the pending device stored in `user_metadata`.
+ * Trust the device that originated a verification OTP.
  *
- * Called from the confirm page after a device OTP is verified. This function
- * trusts the ORIGINATING device (the one that entered the PIN and triggered
- * verification), not necessarily the device opening the confirmation link.
+ * Called from the confirm page after a device OTP is verified. Accepts the
+ * originating device ID and label directly from the email redirect URL — no
+ * shared `user_metadata` field, so concurrent OTPs from multiple devices
+ * each trust only their own originating device.
  *
  * ## Cross-Device Flow
  *
- * 1. Device A enters the PIN -> untrusted -> OTP sent, device A's ID stored
- *    in `user_metadata.pending_{prefix}_device_id`.
- * 2. User opens the OTP link on Device B (or Device A).
- * 3. This function reads `pending_{prefix}_device_id` from metadata and trusts Device A.
- * 4. Device A polls via {@link pollDeviceVerification} and discovers it's now trusted.
- * 5. Only Device A is trusted — the confirming device (B) is NOT added, since
- *    the user never signed into the app on that device.
+ * 1. Device A sends OTP → redirect URL contains Device A's ID as query params.
+ * 2. User opens the link (on Device A or Device B).
+ * 3. Confirm page passes `pendingDeviceId` / `pendingDeviceLabel` here.
+ * 4. This function upserts only Device A into `trusted_devices`.
+ * 5. Device A polls via {@link pollDeviceVerification} and discovers it's now trusted.
  *
- * If no `pending_{prefix}_device_id` is found in metadata (same-browser case where the
- * link was opened in the same browser), falls back to trusting the current
- * device only.
+ * If `pendingDeviceId` is not provided (edge case: old-format links), falls
+ * back to trusting the current device.
+ *
+ * @param pendingDeviceId    - Device ID from the email redirect URL query param.
+ * @param pendingDeviceLabel - Device label from the email redirect URL query param.
  *
  * @example
  * ```ts
  * // Called from the /confirm page after OTP verification:
- * await trustPendingDevice();
+ * await trustPendingDevice(pendingDeviceId, pendingDeviceLabel);
  * ```
  *
- * @see {@link sendDeviceVerification} which stores the pending device ID
+ * @see {@link sendDeviceVerification} which embeds the device ID in the redirect URL
  */
-export async function trustPendingDevice() {
+export async function trustPendingDevice(pendingDeviceId, pendingDeviceLabel) {
     if (isDemoMode())
         return;
     try {
@@ -499,45 +522,43 @@ export async function trustPendingDevice() {
             debugWarn('[DeviceVerification] trustPendingDevice: no user');
             return;
         }
-        const prefix = getEngineConfig().prefix;
-        const pendingDeviceId = user.user_metadata?.[`pending_${prefix}_device_id`];
-        const pendingDeviceLabel = user.user_metadata?.[`pending_${prefix}_device_label`];
         if (!pendingDeviceId) {
-            /* No pending device — fall back to trusting the current device.
-               This handles the same-browser case where the OTP link is opened
-               in the same browser that initiated verification. */
+            /* No pending device ID in URL — fall back to trusting the current device.
+               Covers same-browser flows and any old-format links. */
             await trustCurrentDevice(user.id);
+            try {
+                await getDb().table(TABLE.SINGLE_USER_CONFIG).delete('device_revoked');
+            }
+            catch (e) {
+                debugWarn('[DeviceVerification] Failed to clear revocation flag:', e);
+            }
             return;
         }
         const now = new Date().toISOString();
-        /* Trust the originating device (the one that entered the PIN) by
-           upserting its device ID into the trusted_devices table.
-           We intentionally do NOT trust the confirming device here — the device
-           opening the email link is just a messenger (e.g. Firefox on desktop
-           confirming for a mobile PWA). Only devices the user actually signs
-           into should appear as trusted. */
+        /* Cap label length — it comes from a URL param and should not be stored
+           verbatim at arbitrary length. getDeviceLabel() produces ~20 chars in
+           practice; 100 is generous while preventing oversized DB writes. */
+        const safeLabel = (pendingDeviceLabel || 'Unknown device').slice(0, 100);
         const { error: upsertError } = await supabase.from('trusted_devices').upsert({
             user_id: user.id,
             device_id: pendingDeviceId,
-            device_label: pendingDeviceLabel || 'Unknown device',
+            device_label: safeLabel,
             app_prefix: getAppPrefix(),
             trusted_at: now,
             last_used_at: now
         }, { onConflict: 'user_id,device_id,app_prefix' });
         if (upsertError) {
             debugError('[DeviceVerification] trustPendingDevice upsert failed:', upsertError.message);
+            return;
         }
-        else {
-            debugLog('[DeviceVerification] Pending device trusted:', pendingDeviceLabel);
+        debugLog('[DeviceVerification] Device trusted:', pendingDeviceLabel || pendingDeviceId);
+        // Clear any stale revocation flag now that this device is trusted
+        try {
+            await getDb().table(TABLE.SINGLE_USER_CONFIG).delete('device_revoked');
+        }
+        catch (e) {
+            debugWarn('[DeviceVerification] Failed to clear revocation flag:', e);
         }
-        /* Clear pending device from metadata to prevent stale references.
-           Setting to null removes the keys from user_metadata. */
-        await supabase.auth.updateUser({
-            data: {
-                [`pending_${prefix}_device_id`]: null,
-                [`pending_${prefix}_device_label`]: null
-            }
-        });
     }
     catch (e) {
         debugError('[DeviceVerification] trustPendingDevice error:', e);

package/dist/auth/deviceVerification.js.map

@@ -1 +1 @@
-{"version":3,"file":"deviceVerification.js","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,wFAAwF;AACxF,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAEvC,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;;;;GAMG;AACH,SAAS,oBAAoB;IAC3B,OAAO,CACL,eAAe,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,iBAAiB,IAAI,2BAA2B,CAC7F,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,YAAY;IACnB,OAAO,eAAe,EAAE,CAAC,MAAM,IAAI,SAAS,CAAC;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,GAA4B;IACtD,OAAO;QACL,0BAA0B;QAC1B,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,yDAAyD;QACzD,MAAM,EAAE,GAAG,CAAC,OAAiB;QAC7B,0DAA0D;QAC1D,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,sDAAsD;QACtD,WAAW,EAAE,GAAG,CAAC,YAAkC;QACnD,6CAA6C;QAC7C,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,0DAA0D;QAC1D,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,0EAA0E;QAC1E,UAAU,EAAE,GAAG,CAAC,YAAsB;KACvC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO,gBAAgB,CAAC;IAE9D,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC;IAC/B,IAAI,OAAO,GAAG,SAAS,CAAC;IACxB,IAAI,EAAE,GAAG,EAAE,CAAC;IAEZ;+CAC2C;IAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,MAAM,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;SACtE,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;IAE7E;;iFAE6E;IAC7E,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,KAAK,CAAC;SAC/E,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,UAAU,CAAC;SACzC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;IAE5C,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B;uCACmC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAC9F,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc;IAClD,IAAI,UAAU,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH;oFAC4E;QAC5E,MAAM,eAAe,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;QAEzC;uDAC+C;QAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC;aAChC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;aACzC,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D;YACE,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,QAAQ;YACnB,YAAY,EAAE,KAAK;YACnB,UAAU,EAAE,YAAY,EAAE;YAC1B,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,8BAA8B,EAAE,CAC/C,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAE/B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aAC7B,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,CAAC;aAClF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC;QAEpC,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc;IACpD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,4EAA4E,CAAC;aACpF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC;aAChC,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EAAU;IAClD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAE/E,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,4CAA4C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC;QACH;4EACoE;QACpE,MAAM,eAAe,EAAE,CAAC;QAExB;;iEAEyD;QACzD,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC,MAAM,CAAC;QACxC,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE;gBACJ,CAAC,WAAW,MAAM,YAAY,CAAC,EAAE,QAAQ;gBACzC,CAAC,WAAW,MAAM,eAAe,CAAC,EAAE,WAAW;aAChD;SACF,CAAC,CAAC;QAEH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;YAClD,KAAK;YACL,OAAO,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE;SACrC,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,mCAAmC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EACJ,IAAI,EAAE,EAAE,IAAI,EAAE,EACd,KAAK,EACN,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACnB,SAAS,CAAC,kDAAkD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC,MAAM,CAAC;QACxC,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,WAAW,MAAM,YAAY,CAAC,CAAC;QAC5E,MAAM,kBAAkB,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,WAAW,MAAM,eAAe,CAAC,CAAC;QAElF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB;;kEAEsD;YACtD,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC;;;;;4CAKoC;QACpC,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC1E;YACE,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,eAAe;YAC1B,YAAY,EAAE,kBAAkB,IAAI,gBAAgB;YACpD,UAAU,EAAE,YAAY,EAAE;YAC1B,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,8BAA8B,EAAE,CAC/C,CAAC;QAEF,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,wDAAwD,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;QAC5F,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,8CAA8C,EAAE,kBAAkB,CAAC,CAAC;QAC/E,CAAC;QAED;kEAC0D;QAC1D,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;YAC7B,IAAI,EAAE;gBACJ,CAAC,WAAW,MAAM,YAAY,CAAC,EAAE,IAAI;gBACrC,CAAC,WAAW,MAAM,eAAe,CAAC,EAAE,IAAI;aACzC;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YAC9C,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,yCAAyC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC;IAC3E,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC"}
+{"version":3,"file":"deviceVerification.js","sourceRoot":"","sources":["../../src/auth/deviceVerification.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAE3C,wFAAwF;AACxF,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAEvC,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;;;;GAMG;AACH,SAAS,oBAAoB;IAC3B,OAAO,CACL,eAAe,EAAE,CAAC,IAAI,EAAE,kBAAkB,EAAE,iBAAiB,IAAI,2BAA2B,CAC7F,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,YAAY;IACnB,OAAO,eAAe,EAAE,CAAC,MAAM,IAAI,SAAS,CAAC;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,GAA4B;IACtD,OAAO;QACL,0BAA0B;QAC1B,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,yDAAyD;QACzD,MAAM,EAAE,GAAG,CAAC,OAAiB;QAC7B,0DAA0D;QAC1D,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,sDAAsD;QACtD,WAAW,EAAE,GAAG,CAAC,YAAkC;QACnD,6CAA6C;QAC7C,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,0DAA0D;QAC1D,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,0EAA0E;QAC1E,UAAU,EAAE,GAAG,CAAC,YAAsB;KACvC,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,OAAO,SAAS,KAAK,WAAW;QAAE,OAAO,gBAAgB,CAAC;IAE9D,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC;IAC/B,IAAI,OAAO,GAAG,SAAS,CAAC;IACxB,IAAI,EAAE,GAAG,EAAE,CAAC;IAEZ;+CAC2C;IAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,MAAM,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;SACtE,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,QAAQ,CAAC;IAE7E;;iFAE6E;IAC7E,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,KAAK,CAAC;SAC/E,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;SAC1C,IAAI,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,EAAE,GAAG,SAAS,CAAC;SAC3C,IAAI,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,EAAE,GAAG,UAAU,CAAC;SACzC,IAAI,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,EAAE,GAAG,OAAO,CAAC;IAE5C,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AAC9C,CAAC;AAED,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B;uCACmC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAC9F,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc;IAClD,IAAI,UAAU,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH;oFAC4E;QAC5E,MAAM,eAAe,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;QAEzC;uDAC+C;QAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QAC1B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC;QAE7C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,kBAAkB,CAAC;aAC1B,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC;aAChC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;aACzC,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAErC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC7D;YACE,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,QAAQ;YACnB,YAAY,EAAE,KAAK;YACnB,UAAU,EAAE,YAAY,EAAE;YAC1B,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,8BAA8B,EAAE,CAC/C,CAAC;QAEF,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAE/B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aAC7B,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,EAAE,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,cAAc,EAAE,EAAE,CAAC;aAClF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC;aACzB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC;QAEpC,IAAI,KAAK,EAAE,CAAC;YACV,SAAS,CAAC,2CAA2C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,SAAS,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc;IACpD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ;aACnC,IAAI,CAAC,iBAAiB,CAAC;aACvB,MAAM,CAAC,4EAA4E,CAAC;aACpF,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;aACrB,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,CAAC;aAChC,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QAE/C,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,0CAA0C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EAAU;IAClD,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAE/E,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,4CAA4C,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAC1E,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,sCAAsC,EAAE,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa;IACxD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC;QACH;+EACuE;QACvE,MAAM,eAAe,EAAE,CAAC;QAExB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QAErC;;wEAEgE;QAChE,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC,IAAI,EAAE,mBAAmB,IAAI,UAAU,CAAC;QACvE,MAAM,IAAI,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACvF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;QAC5D,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,sBAAsB,EAAE,WAAW,CAAC,CAAC;QAElE;;;;2DAImD;QACnD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,EAAE,CAAC;QAC/D,MAAM,QAAQ,CAAC,IAAI;aAChB,UAAU,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,CAAC;aAClE,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YACX,SAAS,CAAC,6DAA6D,EAAE,CAAC,CAAC,CAAC;QAC9E,CAAC,CAAC,CAAC;QAEL,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;YAClD,KAAK;YACL,OAAO,EAAE;gBACP,gBAAgB,EAAE,KAAK;gBACvB,eAAe,EAAE,WAAW,CAAC,QAAQ,EAAE;aACxC;SACF,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,uCAAuC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACnE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,mCAAmC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAAC;IACzF,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,eAAwB,EACxB,kBAA2B;IAE3B,IAAI,UAAU,EAAE;QAAE,OAAO;IACzB,IAAI,CAAC;QACH,MAAM,EACJ,IAAI,EAAE,EAAE,IAAI,EAAE,EACd,KAAK,EACN,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACnB,SAAS,CAAC,kDAAkD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB;qEACyD;YACzD,MAAM,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,KAAK,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACzE,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,SAAS,CAAC,uDAAuD,EAAE,CAAC,CAAC,CAAC;YACxE,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC;;6EAEqE;QACrE,MAAM,SAAS,GAAG,CAAC,kBAAkB,IAAI,gBAAgB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAEzE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,CAC1E;YACE,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,eAAe;YAC1B,YAAY,EAAE,SAAS;YACvB,UAAU,EAAE,YAAY,EAAE;YAC1B,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,GAAG;SAClB,EACD,EAAE,UAAU,EAAE,8BAA8B,EAAE,CAC/C,CAAC;QAEF,IAAI,WAAW,EAAE,CAAC;YAChB,UAAU,CAAC,wDAAwD,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;YAC1F,OAAO;QACT,CAAC;QAED,QAAQ,CAAC,sCAAsC,EAAE,kBAAkB,IAAI,eAAe,CAAC,CAAC;QAExF,kEAAkE;QAClE,IAAI,CAAC;YACH,MAAM,KAAK,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACzE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,CAAC,uDAAuD,EAAE,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,gDAAgD,EAAE,CAAC,CAAC,CAAC;IAClE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACtD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YAC9C,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,yCAAyC,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,CAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC;IAC3E,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,WAAW,EAAE,CAAC;AACvB,CAAC"}

package/dist/auth/resolveAuthState.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolveAuthState.d.ts","sourceRoot":"","sources":["../../src/auth/resolveAuthState.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,kBAAkB,EAAoB,MAAM,UAAU,CAAC;AAerE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0FAA0F;IAC1F,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IAExB;;;;;;OAMG;IACH,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,GAAG,MAAM,CAAC;IAEnD,sFAAsF;IACtF,cAAc,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAE1C;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,eAAe,CAAC,CAiCjE"}
+{"version":3,"file":"resolveAuthState.d.ts","sourceRoot":"","sources":["../../src/auth/resolveAuthState.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,kBAAkB,EAAoB,MAAM,UAAU,CAAC;AAgBrE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0FAA0F;IAC1F,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;IAExB;;;;;;OAMG;IACH,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,GAAG,MAAM,CAAC;IAEnD,sFAAsF;IACtF,cAAc,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAE1C;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,eAAe,CAAC,CAiCjE"}