wabe 0.6.8 → 0.6.9

package/dist/index.js

@@ -33,14 +33,14 @@ var require_plugin_crypto = __commonJS((exports) => {
   function _interopDefault(ex) {
     return ex && typeof ex === "object" && "default" in ex ? ex["default"] : ex;
   }
-  var crypto2 = _interopDefault(__require("crypto"));
+  var crypto4 = _interopDefault(__require("crypto"));
   var createDigest = (algorithm, hmacKey, counter) => {
-    const hmac = crypto2.createHmac(algorithm, Buffer.from(hmacKey, "hex"));
+    const hmac = crypto4.createHmac(algorithm, Buffer.from(hmacKey, "hex"));
     const digest = hmac.update(Buffer.from(counter, "hex")).digest();
     return digest.toString("hex");
   };
   var createRandomBytes = (size, encoding) => {
-    return crypto2.randomBytes(size).toString(encoding);
+    return crypto4.randomBytes(size).toString(encoding);
   };
   exports.createDigest = createDigest;
   exports.createRandomBytes = createRandomBytes;
@@ -270,7 +270,7 @@ var require_core = __commonJS((exports) => {
   }
   function keyuri(options) {
     const tmpl = `otpauth://${options.type}/{labelPrefix}:{accountName}?secret={secret}{query}`;
-    const params = [];
+    const params2 = [];
     if (STRATEGY.indexOf(options.type) < 0) {
       throw new Error(`Expecting options.type to be one of ${STRATEGY.join(", ")}. Received ${options.type}.`);
     }
@@ -278,21 +278,21 @@ var require_core = __commonJS((exports) => {
       if (options.counter == null || typeof options.counter !== "number") {
         throw new Error('Expecting options.counter to be a number when options.type is "hotp".');
       }
-      params.push(`&counter=${options.counter}`);
+      params2.push(`&counter=${options.counter}`);
     }
     if (options.type === "totp" && options.step) {
-      params.push(`&period=${options.step}`);
+      params2.push(`&period=${options.step}`);
     }
     if (options.digits) {
-      params.push(`&digits=${options.digits}`);
+      params2.push(`&digits=${options.digits}`);
     }
     if (options.algorithm) {
-      params.push(`&algorithm=${options.algorithm.toUpperCase()}`);
+      params2.push(`&algorithm=${options.algorithm.toUpperCase()}`);
     }
     if (options.issuer) {
-      params.push(`&issuer=${encodeURIComponent(options.issuer)}`);
+      params2.push(`&issuer=${encodeURIComponent(options.issuer)}`);
     }
-    return tmpl.replace("{labelPrefix}", encodeURIComponent(options.issuer || options.accountName)).replace("{accountName}", encodeURIComponent(options.accountName)).replace("{secret}", options.secret).replace("{query}", params.join(""));
+    return tmpl.replace("{labelPrefix}", encodeURIComponent(options.issuer || options.accountName)).replace("{accountName}", encodeURIComponent(options.accountName)).replace("{secret}", options.secret).replace("{query}", params2.join(""));
   }
 
   class OTP {
@@ -1057,7 +1057,7 @@ var require_ecdsa_sig_formatter = __commonJS((exports, module) => {
 var require_jwa = __commonJS((exports, module) => {
   var bufferEqual = require_buffer_equal_constant_time();
   var Buffer2 = require_safe_buffer().Buffer;
-  var crypto2 = __require("crypto");
+  var crypto4 = __require("crypto");
   var formatEcdsa = require_ecdsa_sig_formatter();
   var util = __require("util");
   var MSG_INVALID_ALGORITHM = `"%s" is not a valid algorithm.
@@ -1066,7 +1066,7 @@ var require_jwa = __commonJS((exports, module) => {
   var MSG_INVALID_SECRET = "secret must be a string or buffer";
   var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
   var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-  var supportsKeyObjects = typeof crypto2.createPublicKey === "function";
+  var supportsKeyObjects = typeof crypto4.createPublicKey === "function";
   if (supportsKeyObjects) {
     MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
     MSG_INVALID_SECRET += "or a KeyObject";
@@ -1156,7 +1156,7 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, secret) {
       checkIsSecretKey(secret);
       thing = normalizeInput(thing);
-      var hmac = crypto2.createHmac("sha" + bits, secret);
+      var hmac = crypto4.createHmac("sha" + bits, secret);
       var sig = (hmac.update(thing), hmac.digest("base64"));
       return fromBase64(sig);
     };
@@ -1171,7 +1171,7 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, privateKey) {
       checkIsPrivateKey(privateKey);
       thing = normalizeInput(thing);
-      var signer = crypto2.createSign("RSA-SHA" + bits);
+      var signer = crypto4.createSign("RSA-SHA" + bits);
       var sig = (signer.update(thing), signer.sign(privateKey, "base64"));
       return fromBase64(sig);
     };
@@ -1181,7 +1181,7 @@ var require_jwa = __commonJS((exports, module) => {
       checkIsPublicKey(publicKey);
       thing = normalizeInput(thing);
       signature = toBase64(signature);
-      var verifier = crypto2.createVerify("RSA-SHA" + bits);
+      var verifier = crypto4.createVerify("RSA-SHA" + bits);
       verifier.update(thing);
       return verifier.verify(publicKey, signature, "base64");
     };
@@ -1190,11 +1190,11 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, privateKey) {
       checkIsPrivateKey(privateKey);
       thing = normalizeInput(thing);
-      var signer = crypto2.createSign("RSA-SHA" + bits);
+      var signer = crypto4.createSign("RSA-SHA" + bits);
       var sig = (signer.update(thing), signer.sign({
         key: privateKey,
-        padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+        padding: crypto4.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: crypto4.constants.RSA_PSS_SALTLEN_DIGEST
       }, "base64"));
       return fromBase64(sig);
     };
@@ -1204,12 +1204,12 @@ var require_jwa = __commonJS((exports, module) => {
       checkIsPublicKey(publicKey);
       thing = normalizeInput(thing);
       signature = toBase64(signature);
-      var verifier = crypto2.createVerify("RSA-SHA" + bits);
+      var verifier = crypto4.createVerify("RSA-SHA" + bits);
       verifier.update(thing);
       return verifier.verify({
         key: publicKey,
-        padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+        padding: crypto4.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: crypto4.constants.RSA_PSS_SALTLEN_DIGEST
       }, signature, "base64");
     };
   }
@@ -22825,7 +22825,7 @@ var require_utils2 = __commonJS((exports, module) => {
   function parseContentType(str) {
     if (str.length === 0)
       return;
-    const params = Object.create(null);
+    const params2 = Object.create(null);
     let i = 0;
     for (;i < str.length; ++i) {
       const code = str.charCodeAt(i);
@@ -22844,7 +22844,7 @@ var require_utils2 = __commonJS((exports, module) => {
       if (TOKEN[code] !== 1) {
         if (i === subtypeStart)
           return;
-        if (parseContentTypeParams(str, i, params) === undefined)
+        if (parseContentTypeParams(str, i, params2) === undefined)
           return;
         break;
       }
@@ -22852,9 +22852,9 @@ var require_utils2 = __commonJS((exports, module) => {
     if (i === subtypeStart)
       return;
     const subtype = str.slice(subtypeStart, i).toLowerCase();
-    return { type, subtype, params };
+    return { type, subtype, params: params2 };
   }
-  function parseContentTypeParams(str, i, params) {
+  function parseContentTypeParams(str, i, params2) {
     while (i < str.length) {
       for (;i < str.length; ++i) {
         const code = str.charCodeAt(i);
@@ -22937,28 +22937,28 @@ var require_utils2 = __commonJS((exports, module) => {
         value = str.slice(valueStart, i);
       }
       name = name.toLowerCase();
-      if (params[name] === undefined)
-        params[name] = value;
+      if (params2[name] === undefined)
+        params2[name] = value;
     }
-    return params;
+    return params2;
   }
   function parseDisposition(str, defDecoder) {
     if (str.length === 0)
       return;
-    const params = Object.create(null);
+    const params2 = Object.create(null);
     let i = 0;
     for (;i < str.length; ++i) {
       const code = str.charCodeAt(i);
       if (TOKEN[code] !== 1) {
-        if (parseDispositionParams(str, i, params, defDecoder) === undefined)
+        if (parseDispositionParams(str, i, params2, defDecoder) === undefined)
           return;
         break;
       }
     }
     const type = str.slice(0, i).toLowerCase();
-    return { type, params };
+    return { type, params: params2 };
   }
-  function parseDispositionParams(str, i, params, defDecoder) {
+  function parseDispositionParams(str, i, params2, defDecoder) {
     while (i < str.length) {
       for (;i < str.length; ++i) {
         const code = str.charCodeAt(i);
@@ -23100,10 +23100,10 @@ var require_utils2 = __commonJS((exports, module) => {
           return;
       }
       name = name.toLowerCase();
-      if (params[name] === undefined)
-        params[name] = value;
+      if (params2[name] === undefined)
+        params2[name] = value;
     }
-    return params;
+    return params2;
   }
   function getDecoder(charset) {
     let lc;
@@ -29439,14 +29439,14 @@ var deleteFile = async (hookObject) => {
   const schema = hookObject.context.wabe.config.schema?.classes?.find((currentClass) => currentClass.name === hookObject.className);
   if (!schema)
     return;
-  Object.entries(schema.fields).filter(([_, value]) => value.type === "File").map(async ([fieldName]) => {
+  await Promise.all(Object.entries(schema.fields).filter(([_, value]) => value.type === "File").map(([fieldName]) => {
     const fileName = hookObject.originalObject?.[fieldName]?.name;
     if (!fileName)
       return;
     if (!hookObject.context.wabe.controllers.file)
       throw new Error("No file adapter found");
-    await hookObject.context.wabe.controllers.file?.deleteFile(fileName);
-  });
+    return hookObject.context.wabe.controllers.file?.deleteFile(fileName);
+  }));
 };
 var defaultAfterDeleteFile = (hookObject) => deleteFile(hookObject);
 
@@ -29464,7 +29464,7 @@ var getFile = async (hookObject) => {
     if (!fileName && fileInfo.url)
       return fileInfo.url;
     const fileUrlGeneratedAt = new Date(fileInfo.urlGeneratedAt);
-    if (fileUrlGeneratedAt && fileUrlGeneratedAt.getTime() + urlCacheInSeconds * 1000 > new Date().getTime())
+    if (fileUrlGeneratedAt && fileUrlGeneratedAt.getTime() + urlCacheInSeconds * 1000 > Date.now())
       return;
     if (!hookObject.context.wabe.controllers.file)
       throw new Error("No file adapter found");
@@ -29480,7 +29480,7 @@ var getFile = async (hookObject) => {
           url: fileUrlFromBucket || fileInfo.url
         }
       },
-      skipHooks: true
+      _skipHooks: true
     });
   }));
 };
@@ -29517,6 +29517,52 @@ var handleFile = async (hookObject) => {
 var defaultBeforeCreateUpload = (hookObject) => handleFile(hookObject);
 var defaultBeforeUpdateUpload = (hookObject) => handleFile(hookObject);
 
+// ../wabe/src/utils/crypto.ts
+import { randomBytes } from "node:crypto";
+import { promisify } from "node:util";
+var params = {
+  parallelism: 1,
+  tagLength: 64,
+  memory: 65536,
+  passes: 2
+};
+var hashArgon2 = async (text) => {
+  if (process.versions.bun)
+    return Bun.password.hash(text, { algorithm: "argon2id" });
+  const argon2 = promisify(__require("node:crypto").argon2);
+  const nonce = randomBytes(16);
+  const result = await argon2("argon2id", {
+    message: text,
+    nonce,
+    ...params
+  });
+  return `$argon2id$v=19$m=${params.memory},t=${params.passes},p=${params.parallelism}$${nonce.toString("base64").replace(/=+$/, "")}$${result.toString("base64").replace(/=+$/, "")}`;
+};
+var verifyArgon2 = async (password, hash) => {
+  if (process.versions.bun)
+    return Bun.password.verify(password, hash, "argon2id");
+  const [, algorithm, , paramString, nonceHex, storedHashHex] = hash.split("$");
+  const kvPairs = paramString?.split(",");
+  const parsedParams = Object.fromEntries(kvPairs?.map((pair) => {
+    const [key, value] = pair.split("=");
+    return [key, Number.parseInt(value || "", 10)];
+  }) || []);
+  const memory = parsedParams.m;
+  const passes = parsedParams.t;
+  const parallelism = parsedParams.p;
+  const newDerived = await promisify(__require("node:crypto"))(algorithm, {
+    nonce: Buffer.from(nonceHex || "", "base64"),
+    parallelism,
+    tagLength: 64,
+    memory,
+    passes,
+    message: password
+  });
+  const isMatch = crypto.timingSafeEqual(Buffer.from(newDerived), Buffer.from(storedHashHex || "", "base64"));
+  return isMatch;
+};
+var isArgon2Hash = (value) => typeof value === "string" && value.startsWith("$argon2");
+
 // ../wabe/src/utils/export.ts
 var contextWithRoot = (context) => ({
   ...context,
@@ -29637,13 +29683,51 @@ class HookObject {
 }
 
 // ../wabe/src/utils/index.ts
-var toBase32 = (stringToEncode) => {
-  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+var contextWithoutGraphQLCall = (context) => ({
+  ...context,
+  isGraphQLCall: false
+});
+var RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+var RFC4648_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";
+var CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+var toUint8Array = (data) => {
+  if (data instanceof Uint8Array)
+    return data;
+  if (typeof data === "string") {
+    const encoder = new TextEncoder;
+    return encoder.encode(data);
+  }
+  if (data instanceof ArrayBuffer)
+    return new Uint8Array(data);
+  throw new TypeError("Unsupported data type for base32 encoding");
+};
+var base32Encode = (data, variant, options = {}) => {
+  let alphabet;
+  let defaultPadding;
+  switch (variant) {
+    case "RFC3548":
+    case "RFC4648":
+      alphabet = RFC4648;
+      defaultPadding = true;
+      break;
+    case "RFC4648-HEX":
+      alphabet = RFC4648_HEX;
+      defaultPadding = true;
+      break;
+    case "Crockford":
+      alphabet = CROCKFORD;
+      defaultPadding = false;
+      break;
+    default:
+      throw new Error(`Unknown base32 variant: ${variant}`);
+  }
+  const padding = options.padding !== undefined ? options.padding : defaultPadding;
+  const view = toUint8Array(data);
   let bits = 0;
   let value = 0;
   let output = "";
-  for (let i = 0;i < stringToEncode.length; i++) {
-    value = value << 8 | stringToEncode[i];
+  for (let i = 0;i < view.length; i++) {
+    value = value << 8 | view[i];
     bits += 8;
     while (bits >= 5) {
       output += alphabet[value >>> bits - 5 & 31];
@@ -29653,6 +29737,11 @@ var toBase32 = (stringToEncode) => {
   if (bits > 0) {
     output += alphabet[value << 5 - bits & 31];
   }
+  if (padding) {
+    while (output.length % 8 !== 0) {
+      output += "=";
+    }
+  }
   return output;
 };
 var getNewObjectAfterUpdateNestedProperty = (obj, path, value) => {
@@ -29673,7 +29762,6 @@ var getNewObjectAfterUpdateNestedProperty = (obj, path, value) => {
 var getNestedProperty = (obj, path) => {
   return path.split(".").reduce((acc, part) => acc?.[part], obj);
 };
-var isArgon2Hash = (value) => typeof value === "string" && value.startsWith("$argon2");
 var firstLetterInUpperCase = (str) => {
   const indexOfFirstLetter = str.search(/[a-z]/i);
   return str.slice(0, indexOfFirstLetter) + str[indexOfFirstLetter]?.toUpperCase() + str.slice(indexOfFirstLetter + 1);
@@ -29712,7 +29800,7 @@ var defaultBeforeCreateForCreatedAt = (object) => {
 var defaultBeforeUpdateForUpdatedAt = (object) => {
   object.upsertNewData("updatedAt", new Date);
 };
-var defaultBeforeCreateForDefaultValue = async (object) => {
+var defaultBeforeCreateForDefaultValue = (object) => {
   const schemaClass = getClassFromClassName(object.className, object.context.wabe.config);
   const allFields = Object.keys(schemaClass.fields);
   allFields.map((field) => {
@@ -29749,7 +29837,7 @@ var convertOperationTypeToPermission = (operationType) => {
   };
   return template[operationType];
 };
-var _getPermissionPropertiesOfAClass = async ({
+var _getPermissionPropertiesOfAClass = ({
   className,
   operation,
   context
@@ -29803,6 +29891,8 @@ var _checkProtected = (hookObject, operationType) => {
   if (operationType === "beforeRead" /* BeforeRead */) {
     Object.keys(hookObject.select).map((fieldName) => {
       const protectedForCurrentField = schemaClass.fields[fieldName]?.protected;
+      if (!protectedForCurrentField)
+        return;
       if (protectedForCurrentField?.protectedOperations.includes("read")) {
         if (isRoot && protectedForCurrentField.authorizedRoles.includes("rootOnly"))
           return;
@@ -29979,13 +30069,12 @@ var defaultSetupAclBeforeCreate = async (hookObject) => {
 var defaultSetupAclOnUserAfterCreate = async (hookObject) => setupAcl(hookObject);
 
 // ../wabe/src/hooks/hashFieldHook.ts
-import { hash, Algorithm } from "@node-rs/argon2";
 var hashField = ({
   value
 }) => {
   if (!value || typeof value !== "string" || isArgon2Hash(value))
     return value;
-  return hash(value, { algorithm: Algorithm.Argon2id });
+  return hashArgon2(value);
 };
 async function hashFieldHook(hookObject) {
   if (hookObject.operationType !== "beforeCreate" /* BeforeCreate */ && hookObject.operationType !== "beforeUpdate" /* BeforeUpdate */)
@@ -30037,6 +30126,62 @@ var defaultBeforeCreateUser = (object) => {
     throw new Error("Sign up is disabled");
 };
 
+// ../wabe/src/authentication/utils.ts
+var getAuthenticationMethod = (listOfMethods, context) => {
+  const customAuthenticationConfig = context.wabe.config?.authentication?.customAuthenticationMethods;
+  if (!customAuthenticationConfig)
+    throw new Error("No custom authentication methods found");
+  const authenticationMethods = listOfMethods.filter((method) => method !== "secondaryFactor");
+  if (authenticationMethods.length > 1 || authenticationMethods.length === 0)
+    throw new Error("One authentication method is required at the time");
+  const authenticationMethod = authenticationMethods[0];
+  const validAuthenticationMethod = customAuthenticationConfig.find((method) => method.name.toLowerCase() === authenticationMethod?.toLowerCase());
+  if (!validAuthenticationMethod)
+    throw new Error("No available custom authentication methods found");
+  return validAuthenticationMethod;
+};
+
+// ../wabe/src/hooks/authentication.ts
+var defaultCallAuthenticationProviderOnBeforeCreateUser = async (hookObject) => {
+  if (!hookObject.isFieldUpdated("authentication") || hookObject.getNewData().isOauth)
+    return;
+  const context = hookObject.context;
+  const authentication = hookObject.getNewData().authentication;
+  if (authentication.emailPasswordSRP)
+    return;
+  const { provider, name } = getAuthenticationMethod(Object.keys(authentication), context);
+  const inputOfTheGoodAuthenticationMethod = authentication[name];
+  const { authenticationDataToSave } = await provider.onSignUp({
+    input: inputOfTheGoodAuthenticationMethod,
+    context
+  });
+  hookObject.upsertNewData("authentication", {
+    [name]: authenticationDataToSave
+  });
+};
+var defaultCallAuthenticationProviderOnBeforeUpdateUser = async (hookObject) => {
+  if (!hookObject.isFieldUpdated("authentication") || hookObject.getNewData().isOauth)
+    return;
+  const context = hookObject.context;
+  const authentication = hookObject.getNewData().authentication;
+  if (authentication.emailPasswordSRP)
+    return;
+  const { provider, name } = getAuthenticationMethod(Object.keys(authentication), context);
+  if (!provider.onUpdateAuthenticationData)
+    return;
+  const inputOfTheGoodAuthenticationMethod = authentication[name];
+  if (!hookObject.object?.id)
+    return;
+  const { authenticationDataToSave } = await provider.onUpdateAuthenticationData({
+    context,
+    input: inputOfTheGoodAuthenticationMethod,
+    userId: hookObject.object.id
+  });
+  hookObject.upsertNewData("authentication", {
+    [name]: authenticationDataToSave
+  });
+};
+
 // ../wabe/src/hooks/index.ts
 var OperationType;
 ((OperationType2) => {
@@ -30073,9 +30218,9 @@ var initializeHook = ({
       return {};
     return context.wabe.controllers.database.getObject({
       className,
-      context: contextWithRoot(context),
+      context: contextWithoutGraphQLCall(contextWithRoot(context)),
       id,
-      skipHooks: true
+      _skipHooks: true
     });
   };
   const computeObjects = async ({
@@ -30086,9 +30231,9 @@ var initializeHook = ({
       return [{}];
     const res = await context.wabe.controllers.database.getObjects({
       className,
-      context: contextWithRoot(context),
+      context: contextWithoutGraphQLCall(contextWithRoot(context)),
       where: where ? where : { id: { in: ids } },
-      skipHooks: true
+      _skipHooks: true
     });
     if (res.length === 0)
       return [{}];
@@ -30106,7 +30251,7 @@ var initializeHook = ({
         className,
         newData,
         operationType: options.operationType,
-        context,
+        context: contextWithoutGraphQLCall(context),
         object,
         originalObject: options.originalObject,
         select
@@ -30137,7 +30282,7 @@ var initializeHook = ({
           className,
           newData,
           operationType: options.operationType,
-          context,
+          context: contextWithoutGraphQLCall(context),
           object,
           originalObject: originalObjectToUse,
           select
@@ -30301,6 +30446,18 @@ var getDefaultHooks = () => [
     operationType: "beforeCreate" /* BeforeCreate */,
     priority: 1,
     callback: defaultBeforeCreateUser
+  },
+  {
+    className: "User",
+    operationType: "beforeCreate" /* BeforeCreate */,
+    priority: 1,
+    callback: defaultCallAuthenticationProviderOnBeforeCreateUser
+  },
+  {
+    className: "User",
+    operationType: "beforeUpdate" /* BeforeUpdate */,
+    priority: 1,
+    callback: defaultCallAuthenticationProviderOnBeforeUpdateUser
   }
 ];
 
@@ -30453,7 +30610,7 @@ class DatabaseController {
     context,
     originClassName,
     object,
-    isGraphQLCall
+    _skipHooks
   }) {
     return Object.entries(pointers).reduce(async (acc, [pointerField, { className: currentClassName, select: currentSelect }]) => {
       const accObject = await acc;
@@ -30473,7 +30630,8 @@ class DatabaseController {
           className: currentClassName,
           id: object[pointerField],
           context,
-          select: currentSelect
+          select: currentSelect,
+          _skipHooks
         });
         return {
           ...accObject,
@@ -30499,11 +30657,12 @@ class DatabaseController {
           className: currentClassName,
           select: selectWithoutTotalCount,
           where: { id: { in: object[pointerField] } },
-          context
+          context,
+          _skipHooks
         });
         return {
-          ...acc,
-          [pointerField]: isGraphQLCall ? {
+          ...accObject,
+          [pointerField]: context.isGraphQLCall ? {
             totalCount: relationObjects.length,
             edges: relationObjects.map((object2) => ({
               node: object2
@@ -30549,17 +30708,16 @@ class DatabaseController {
     select,
     className,
     context,
-    skipHooks,
+    _skipHooks,
     id,
-    where,
-    isGraphQLCall = false
+    where
   }) {
     const { pointers, selectWithoutPointers } = this._getSelectMinusPointersAndRelations({
       className,
       context,
       select
     });
-    const hook = !skipHooks ? initializeHook({
+    const hook = !_skipHooks ? initializeHook({
       className,
       context,
       select: selectWithoutPointers
@@ -30591,7 +30749,7 @@ class DatabaseController {
         originClassName: className,
         pointers,
         object: objectToReturn,
-        isGraphQLCall
+        _skipHooks
       })
     };
   }
@@ -30600,11 +30758,10 @@ class DatabaseController {
     select,
     context,
     where,
-    skipHooks,
+    _skipHooks,
     first,
     offset,
-    order,
-    isGraphQLCall = false
+    order
   }) {
     const { pointers, selectWithoutPointers } = this._getSelectMinusPointersAndRelations({
       className,
@@ -30617,7 +30774,7 @@ class DatabaseController {
       acc[fieldName] = true;
       return acc;
     }, selectWithoutPointers);
-    const hook = !skipHooks ? initializeHook({
+    const hook = !_skipHooks ? initializeHook({
       className,
       select: selectWithoutPointers,
       context
@@ -30639,23 +30796,24 @@ class DatabaseController {
       select: !select ? undefined : selectWithPointersAndRelationsToGetId,
       order
     });
-    return Promise.all(objectsToReturn.map(async (object) => ({
-      ...object,
-      ...await this._getFinalObjectWithPointerAndRelation({
-        object,
-        context,
-        originClassName: className,
-        pointers,
-        isGraphQLCall
-      })
-    })));
+    return Promise.all(objectsToReturn.map(async (object) => {
+      return {
+        ...object,
+        ...await this._getFinalObjectWithPointerAndRelation({
+          object,
+          context,
+          originClassName: className,
+          pointers,
+          _skipHooks
+        })
+      };
+    }));
   }
   async createObject({
     className,
     context,
     data,
-    select,
-    isGraphQLCall = false
+    select
   }) {
     const hook = initializeHook({
       className,
@@ -30683,8 +30841,7 @@ class DatabaseController {
       context: contextWithRoot(context),
       select,
       id,
-      skipHooks: true,
-      isGraphQLCall
+      _skipHooks: true
     });
   }
   async createObjects({
@@ -30694,8 +30851,7 @@ class DatabaseController {
     context,
     first,
     offset,
-    order,
-    isGraphQLCall = false
+    order
   }) {
     if (data.length === 0)
       return [];
@@ -30729,11 +30885,10 @@ class DatabaseController {
       context,
       select,
       where: { id: { in: ids } },
-      skipHooks: true,
+      _skipHooks: true,
       first,
       offset,
-      order,
-      isGraphQLCall
+      order
     });
   }
   async updateObject({
@@ -30742,10 +30897,9 @@ class DatabaseController {
     context,
     data,
     select,
-    skipHooks,
-    isGraphQLCall = false
+    _skipHooks
   }) {
-    const hook = !skipHooks ? initializeHook({
+    const hook = !_skipHooks ? initializeHook({
       className,
       context,
       newData: data,
@@ -30775,8 +30929,7 @@ class DatabaseController {
       className,
       context,
       select,
-      id,
-      isGraphQLCall
+      id
     });
   }
   async updateObjects({
@@ -30788,11 +30941,10 @@ class DatabaseController {
     first,
     offset,
     order,
-    skipHooks,
-    isGraphQLCall = false
+    _skipHooks
   }) {
     const whereObject = await this._getWhereObjectWithPointerOrRelation(className, where || {}, context);
-    const hook = !skipHooks ? initializeHook({
+    const hook = !_skipHooks ? initializeHook({
       className,
       context,
       newData: data,
@@ -30828,16 +30980,14 @@ class DatabaseController {
       where: { id: { in: objectsId } },
       first,
       offset,
-      order,
-      isGraphQLCall
+      order
     });
   }
   async deleteObject({
     context,
     className,
     id,
-    select,
-    isGraphQLCall = false
+    select
   }) {
     const hook = initializeHook({
       className,
@@ -30851,8 +31001,7 @@ class DatabaseController {
         className,
         select,
         id,
-        context,
-        isGraphQLCall
+        context
       });
     const resultOfBeforeDelete = await hook.runOnSingleObject({
       operationType: "beforeDelete" /* BeforeDelete */,
@@ -30878,8 +31027,7 @@ class DatabaseController {
     where,
     first,
     offset,
-    order,
-    isGraphQLCall = false
+    order
   }) {
     const whereObject = await this._getWhereObjectWithPointerOrRelation(className, where || {}, context);
     const hook = initializeHook({
@@ -30897,8 +31045,7 @@ class DatabaseController {
         context,
         first,
         offset,
-        order,
-        isGraphQLCall
+        order
       });
     const resultOfBeforeDelete = await hook.runOnMultipleObjects({
       operationType: "beforeDelete" /* BeforeDelete */,
@@ -30937,15 +31084,16 @@ var AuthenticationProvider;
 var SecondaryFactor;
 ((SecondaryFactor2) => {
   SecondaryFactor2["EmailOTP"] = "emailOTP";
+  SecondaryFactor2["QRCodeOTP"] = "qrcodeOTP";
 })(SecondaryFactor ||= {});
 // ../wabe/src/authentication/oauth/utils.ts
-import crypto from "node:crypto";
+import crypto3 from "node:crypto";
 var base64URLencode = (content) => {
-  const hasher = crypto.createHash("sha256").update(content);
+  const hasher = crypto3.createHash("sha256").update(content);
   const result = hasher.digest("base64");
   return result.split("=")[0].replaceAll("+", "-").replaceAll("/", "_");
 };
-var generateRandomValues = () => crypto.randomBytes(60).toString("base64url");
+var generateRandomValues = () => crypto3.randomBytes(60).toString("base64url");
 
 // ../wabe/src/authentication/oauth/Oauth2Client.ts
 class OAuth2Client {
@@ -31083,7 +31231,7 @@ class Google {
 // ../wabe/src/authentication/OTP.ts
 var import_otplib = __toESM(require_otplib(), 1);
 import { createHash } from "node:crypto";
-var FIVE_MINUTES = 5;
+var TWO_MINUTES = 5;
 
 class OTP {
   secret;
@@ -31091,24 +31239,39 @@ class OTP {
   constructor(rootKey) {
     this.secret = rootKey;
     this.internalTotp = import_otplib.totp.clone({
-      window: [FIVE_MINUTES, 0]
+      window: [TWO_MINUTES, 0]
     });
   }
+  deriveSecret(userId) {
+    const hash = createHash("sha256").update(`${this.secret}:${userId}`).digest();
+    return base32Encode(hash, "RFC4648", { padding: false });
+  }
   generate(userId) {
-    const hashedSecret = createHash("sha256").update(`${this.secret}:${userId}`).digest("hex");
-    return this.internalTotp.generate(hashedSecret);
+    const secret = this.deriveSecret(userId);
+    return this.internalTotp.generate(secret);
   }
   verify(otp, userId) {
-    const hashedSecret = createHash("sha256").update(`${this.secret}:${userId}`).digest("hex");
-    return this.internalTotp.verify({ secret: hashedSecret, token: otp });
+    const secret = this.deriveSecret(userId);
+    return this.internalTotp.verify({ secret, token: otp });
+  }
+  authenticatorGenerate(userId) {
+    const secret = this.deriveSecret(userId);
+    return import_otplib.authenticator.generate(secret);
+  }
+  authenticatorVerify(otp, userId) {
+    const secret = this.deriveSecret(userId);
+    return import_otplib.authenticator.verify({
+      secret,
+      token: otp
+    });
   }
   generateKeyuri({
     userId,
     emailOrUsername,
     applicationName
   }) {
-    const hashedSecret = createHash("sha256").update(`${this.secret}:${userId}`).digest("hex");
-    return this.internalTotp.keyuri(emailOrUsername, applicationName, toBase32(hashedSecret));
+    const secret = this.deriveSecret(userId);
+    return import_otplib.authenticator.keyuri(emailOrUsername, applicationName, secret);
   }
 }
 // ../wabe/src/authentication/Session.ts
@@ -31133,6 +31296,14 @@ class Session {
     return new Date(Date.now() + expiresInMs);
   }
   async meFromAccessToken(accessToken, context) {
+    if (!import_jsonwebtoken.verify(accessToken, context.wabe.config.authentication?.session?.jwtSecret || "dev", {})) {
+      return {
+        sessionId: null,
+        user: null,
+        accessToken: null,
+        refreshToken: null
+      };
+    }
     const sessions = await context.wabe.controllers.database.getObjects({
       className: "_Session",
       where: {
@@ -31203,13 +31374,22 @@ class Session {
     };
   }
   async create(userId, context) {
+    const jwtTokenFields = context.wabe.config.authentication?.session?.jwtTokenFields;
+    const result = jwtTokenFields ? await context.wabe.controllers.database.getObject({
+      className: "User",
+      select: jwtTokenFields,
+      context,
+      id: userId
+    }) : undefined;
     this.accessToken = import_jsonwebtoken.default.sign({
       userId,
+      user: result,
       iat: Date.now(),
       exp: this.getAccessTokenExpireAt(context.wabe.config).getTime()
     }, context.wabe.config.authentication?.session?.jwtSecret || "dev");
     this.refreshToken = import_jsonwebtoken.default.sign({
       userId,
+      user: result,
       iat: Date.now(),
       exp: this.getRefreshTokenExpireAt(context.wabe.config).getTime()
     }, context.wabe.config.authentication?.session?.jwtSecret || "dev");
@@ -31233,22 +31413,17 @@ class Session {
       sessionId: res.id
     };
   }
-  async delete(context) {
-    if (!context.sessionId)
-      return;
-    await context.wabe.controllers.database.deleteObject({
-      className: "_Session",
-      context: contextWithRoot(context),
-      id: context.sessionId,
-      select: {}
-    });
-  }
-  _isRefreshTokenExpired(userRefreshTokenExpiresAt, refreshTokenAgeInMs) {
-    const refreshTokenEmittedAt = userRefreshTokenExpiresAt.getTime() - refreshTokenAgeInMs;
-    const numberOfMsSinceRefreshTokenEmitted = Date.now() - refreshTokenEmittedAt;
-    return numberOfMsSinceRefreshTokenEmitted >= 0.75 * refreshTokenAgeInMs;
-  }
   async refresh(accessToken, refreshToken, context) {
+    if (!import_jsonwebtoken.verify(accessToken, context.wabe.config.authentication?.session?.jwtSecret || "dev", {}))
+      return {
+        accessToken: null,
+        refreshToken: null
+      };
+    if (!import_jsonwebtoken.verify(refreshToken, context.wabe.config.authentication?.session?.jwtSecret || "dev", {}))
+      return {
+        accessToken: null,
+        refreshToken: null
+      };
     const session = await context.wabe.controllers.database.getObjects({
       className: "_Session",
       where: {
@@ -31297,13 +31472,22 @@ class Session {
         accessToken: null,
         refreshToken: null
       };
+    const jwtTokenFields = context.wabe.config.authentication?.session?.jwtTokenFields;
+    const result = jwtTokenFields ? await context.wabe.controllers.database.getObject({
+      className: "User",
+      select: jwtTokenFields,
+      context,
+      id: userId
+    }) : undefined;
     const newAccessToken = import_jsonwebtoken.default.sign({
       userId,
+      user: result,
       iat: Date.now(),
       exp: this.getAccessTokenExpireAt(context.wabe.config).getTime()
     }, context.wabe.config.authentication?.session?.jwtSecret || "dev");
     const newRefreshToken = import_jsonwebtoken.default.sign({
       userId,
+      user: result,
       iat: Date.now(),
       exp: this.getRefreshTokenExpireAt(context.wabe.config).getTime()
     }, context.wabe.config.authentication?.session?.jwtSecret || "dev");
@@ -31324,6 +31508,21 @@ class Session {
       refreshToken: newRefreshToken
     };
   }
+  async delete(context) {
+    if (!context.sessionId)
+      return;
+    await context.wabe.controllers.database.deleteObject({
+      className: "_Session",
+      context: contextWithRoot(context),
+      id: context.sessionId,
+      select: {}
+    });
+  }
+  _isRefreshTokenExpired(userRefreshTokenExpiresAt, refreshTokenAgeInMs) {
+    const refreshTokenEmittedAt = userRefreshTokenExpiresAt.getTime() - refreshTokenAgeInMs;
+    const numberOfMsSinceRefreshTokenEmitted = Date.now() - refreshTokenEmittedAt;
+    return numberOfMsSinceRefreshTokenEmitted >= 0.75 * refreshTokenAgeInMs;
+  }
 }
 
 // ../wabe/src/authentication/resolvers/refreshResolver.ts
@@ -31347,25 +31546,6 @@ var signOutResolver = async (_, __, context) => {
   return true;
 };
 
-// ../wabe/src/authentication/utils.ts
-import { Algorithm as Algorithm2, hash as hash2 } from "@node-rs/argon2";
-var getAuthenticationMethod = (listOfMethods, context) => {
-  const customAuthenticationConfig = context.wabe.config?.authentication?.customAuthenticationMethods;
-  if (!customAuthenticationConfig)
-    throw new Error("No custom authentication methods found");
-  const authenticationMethods = listOfMethods.filter((method) => method !== "secondaryFactor");
-  if (authenticationMethods.length > 1 || authenticationMethods.length === 0)
-    throw new Error("One authentication method is required at the time");
-  const authenticationMethod = authenticationMethods[0];
-  const validAuthenticationMethod = customAuthenticationConfig.find((method) => method.name.toLowerCase() === authenticationMethod?.toLowerCase());
-  if (!validAuthenticationMethod)
-    throw new Error("No available custom authentication methods found");
-  return validAuthenticationMethod;
-};
-var hashPassword = (password) => hash2(password, {
-  algorithm: Algorithm2.Argon2id
-});
-
 // ../wabe/src/authentication/resolvers/verifyChallenge.ts
 var verifyChallengeResolver = async (_, {
   input
@@ -31774,7 +31954,7 @@ var signInWithResolver = async (_, {
       context,
       user
     });
-    return { accessToken: null, refreshToken: null, id: userId };
+    return { accessToken: null, refreshToken: null, user };
   }
   const session = new Session;
   const { refreshToken, accessToken } = await session.create(userId, context);
@@ -31796,7 +31976,7 @@ var signInWithResolver = async (_, {
       expires: accessTokenExpiresAt
     });
   }
-  return { accessToken, refreshToken, id: userId, srp };
+  return { accessToken, refreshToken, user, srp };
 };
 
 // ../wabe/src/schema/Schema.ts
@@ -31891,7 +32071,10 @@ class Schema {
             outputObject: {
               name: "SignInWithOutput",
               fields: {
-                id: { type: "String" },
+                user: {
+                  type: "Pointer",
+                  class: "User"
+                },
                 accessToken: {
                   type: "String"
                 },
@@ -32153,7 +32336,7 @@ class Schema {
         class: "_Session",
         protected: {
           authorizedRoles: ["rootOnly"],
-          protectedOperations: ["update", "read"]
+          protectedOperations: ["create", "update"]
         }
       },
       secondFA: {
@@ -32248,7 +32431,7 @@ class Schema {
         },
         protected: {
           authorizedRoles: ["rootOnly"],
-          protectedOperations: ["update", "read"]
+          protectedOperations: ["create", "update"]
         }
       },
       createdAt: {
@@ -35329,7 +35512,7 @@ var executeRelationOnFields = ({
       newAcc[fieldName] = await createAndLink({
         createAndLink: value.createAndLink,
         fieldName,
-        context,
+        context: contextWithoutGraphQLCall(context),
         className
       });
     } else if (typeof value === "object" && value?.link) {
@@ -35340,13 +35523,13 @@ var executeRelationOnFields = ({
       newAcc[fieldName] = await createAndAdd({
         createAndAdd: value.createAndAdd,
         fieldName,
-        context,
+        context: contextWithoutGraphQLCall(context),
         className
       });
     } else if (typeof value === "object" && value?.add) {
       const addValue = await add({
         add: value.add,
-        context,
+        context: contextWithoutGraphQLCall(context),
         fieldName,
         typeOfExecution: typeOfExecution || "create",
         id,
@@ -35358,7 +35541,7 @@ var executeRelationOnFields = ({
     } else if (typeof value === "object" && value?.remove) {
       const removeValue = await remove({
         remove: value.remove,
-        context,
+        context: contextWithoutGraphQLCall(context),
         fieldName,
         typeOfExecution: typeOfExecution || "create",
         id,
@@ -35386,8 +35569,7 @@ var queryForOneObject = (_, { id }, context, info, className) => {
     className,
     id,
     select,
-    context,
-    isGraphQLCall: true
+    context
   });
 };
 var queryForMultipleObject = async (_, { where, offset, first, order }, context, info, className) => {
@@ -35400,8 +35582,7 @@ var queryForMultipleObject = async (_, { where, offset, first, order }, context,
     offset,
     first,
     context,
-    order: transformOrder(order),
-    isGraphQLCall: true
+    order: transformOrder(order)
   });
   return {
     totalCount: totalCount ? await context.wabe.controllers.database.count({
@@ -35426,8 +35607,7 @@ var mutationToCreateObject = async (_, args, context, info, className) => {
       className,
       data: updatedFieldsToCreate,
       select,
-      context,
-      isGraphQLCall: true
+      context
     }),
     ok: true
   };
@@ -35447,8 +35627,7 @@ var mutationToCreateMultipleObjects = async (_, { input: { fields, offset, first
     offset,
     first,
     context,
-    order: transformOrder(order),
-    isGraphQLCall: true
+    order: transformOrder(order)
   });
   return {
     edges: objects.map((object) => ({ node: object }))
@@ -35469,8 +35648,7 @@ var mutationToUpdateObject = async (_, args, context, info, className) => {
       id: args.input?.id,
       data: updatedFields,
       select,
-      context,
-      isGraphQLCall: true
+      context
     }),
     ok: true
   };
@@ -35492,8 +35670,7 @@ var mutationToUpdateMultipleObjects = async (_, { input: { fields, where, offset
     offset,
     first,
     context,
-    order,
-    isGraphQLCall: true
+    order
   });
   return {
     edges: objects.map((object) => ({ node: object }))
@@ -35506,8 +35683,7 @@ var mutationToDeleteObject = async (_, args, context, info, className) => {
       className,
       id: args.input?.id,
       select,
-      context,
-      isGraphQLCall: true
+      context
     }),
     ok: true
   };
@@ -35521,8 +35697,7 @@ var mutationToDeleteMultipleObjects = async (_, { input: { where, offset, first,
     offset,
     first,
     context,
-    order,
-    isGraphQLCall: true
+    order
   });
   return {
     edges: objects.map((object) => ({ node: object }))
@@ -36234,7 +36409,7 @@ class RadixTree {
     if (pathLength === 1 && localPath === "/")
       return this.root;
     let nextIndexToEnd = 0;
-    let params = undefined;
+    let params2 = undefined;
     const isNodeMatch = (node, indexToBegin, indexToEnd) => {
       const nextIndexToBegin = indexToBegin + (indexToEnd - indexToBegin);
       for (let i = 0;i < node.children.length; i++) {
@@ -36249,10 +36424,10 @@ class RadixTree {
         if (!isChildWildcardOrParameterNode && nextIndexToEnd - nextIndexToBegin !== childName.length)
           continue;
         if (child.isParameterNode) {
-          if (!params)
-            params = {};
+          if (!params2)
+            params2 = {};
           const indexToAddIfFirstNode = indexToBegin === 0 ? 0 : 1;
-          params[childName.slice(1 + indexToAddIfFirstNode)] = localPath.slice(nextIndexToBegin + indexToAddIfFirstNode, nextIndexToEnd);
+          params2[childName.slice(1 + indexToAddIfFirstNode)] = localPath.slice(nextIndexToBegin + indexToAddIfFirstNode, nextIndexToEnd);
         }
         if (isChildWildcardOrParameterNode && child.children.length === 0 && child.method === method)
           return child;
@@ -36270,8 +36445,8 @@ class RadixTree {
       return null;
     };
     const route = isNodeMatch(this.root, 0, this.root.name.length);
-    if (params && route)
-      route.params = params;
+    if (params2 && route)
+      route.params = params2;
     return route;
   }
   optimizeTree() {
@@ -37223,11 +37398,11 @@ var resolveHeaders = (headers) => {
   return oHeaders;
 };
 var cleanQuery = (str) => str.replace(/([\s,]|#[^\n\r]+)+/g, ` `).trim();
-var buildRequestConfig = (params) => {
-  if (!Array.isArray(params.query)) {
-    const params_2 = params;
+var buildRequestConfig = (params2) => {
+  if (!Array.isArray(params2.query)) {
+    const params_2 = params2;
     const search = [`query=${encodeURIComponent(cleanQuery(params_2.query))}`];
-    if (params.variables) {
+    if (params2.variables) {
       search.push(`variables=${encodeURIComponent(params_2.jsonSerializer.stringify(params_2.variables))}`);
     }
     if (params_2.operationName) {
@@ -37235,11 +37410,11 @@ var buildRequestConfig = (params) => {
     }
     return search.join(`&`);
   }
-  if (typeof params.variables !== `undefined` && !Array.isArray(params.variables)) {
+  if (typeof params2.variables !== `undefined` && !Array.isArray(params2.variables)) {
     throw new Error(`Cannot create query with given variable type, array expected`);
   }
-  const params_ = params;
-  const payload = params.query.reduce((acc, currentQuery, index) => {
+  const params_ = params2;
+  const payload = params2.query.reduce((acc, currentQuery, index) => {
     acc.push({
       query: cleanQuery(currentQuery),
       variables: params_.variables ? params_.jsonSerializer.stringify(params_.variables[index]) : undefined
@@ -37248,9 +37423,9 @@ var buildRequestConfig = (params) => {
   }, []);
   return `query=${encodeURIComponent(params_.jsonSerializer.stringify(payload))}`;
 };
-var createHttpMethodFetcher = (method) => async (params) => {
-  const { url, query, variables, operationName, fetch: fetch2, fetchOptions, middleware } = params;
-  const headers = { ...params.headers };
+var createHttpMethodFetcher = (method) => async (params2) => {
+  const { url, query, variables, operationName, fetch: fetch2, fetchOptions, middleware } = params2;
+  const headers = { ...params2.headers };
   let queryParams = ``;
   let body = undefined;
   if (method === `POST`) {
@@ -37410,11 +37585,11 @@ class GraphQLClient {
     return this;
   }
 }
-var makeRequest = async (params) => {
-  const { query, variables, fetchOptions } = params;
-  const fetcher = createHttpMethodFetcher(uppercase(params.method ?? `post`));
-  const isBatchingQuery = Array.isArray(params.query);
-  const response = await fetcher(params);
+var makeRequest = async (params2) => {
+  const { query, variables, fetchOptions } = params2;
+  const fetcher = createHttpMethodFetcher(uppercase(params2.method ?? `post`));
+  const isBatchingQuery = Array.isArray(params2.query);
+  const response = await fetcher(params2);
   const result2 = await getResult(response, fetchOptions.jsonSerializer ?? defaultJsonSerializer);
   const successfullyReceivedData = Array.isArray(result2) ? !result2.some(({ data }) => !data) : Boolean(result2.data);
   const successfullyPassedErrorPolicy = Array.isArray(result2) || !result2.errors || Array.isArray(result2.errors) && !result2.errors.length || fetchOptions.errorPolicy === `all` || fetchOptions.errorPolicy === `ignore`;
@@ -38005,8 +38180,7 @@ var generateCodegen = async ({
 };
 
 // ../wabe/src/authentication/providers/EmailPassword.ts
-import { Algorithm as Algorithm3, verify } from "@node-rs/argon2";
-var DUMMY_PASSWORD_HASH = "$argon2id$v=19$m=65536,t=2,p=1$YWJjZGVmZw$YzBhRkNiSEZlY3hzUVYxZg";
+var DUMMY_PASSWORD_HASH = "$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U";
 
 class EmailPassword {
   async onSignIn({
@@ -38023,15 +38197,23 @@ class EmailPassword {
         }
       },
       context: contextWithRoot(context),
-      select: { id: true, authentication: true, secondFA: true, email: true },
+      select: {
+        authentication: true,
+        role: true,
+        secondFA: true,
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
+      },
       first: 1
     });
     const user = users[0];
     const userDatabasePassword = user?.authentication?.emailPassword?.password;
     const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH;
-    const isPasswordEquals = await verify(passwordHashToCheck, input.password, {
-      algorithm: Algorithm3.Argon2id
-    });
+    const isPasswordEquals = await verifyArgon2(input.password, passwordHashToCheck);
     if (!user || !isPasswordEquals || input.email !== user.authentication?.emailPassword?.email)
       throw new Error("Invalid authentication credentials");
     return {
@@ -38058,7 +38240,7 @@ class EmailPassword {
     return {
       authenticationDataToSave: {
         email: input.email,
-        password: await hashPassword(input.password)
+        password: input.password
       }
     };
   }
@@ -38083,7 +38265,7 @@ class EmailPassword {
     return {
       authenticationDataToSave: {
         email: input.email ?? user?.authentication?.emailPassword?.email,
-        password: input.password ? await hashPassword(input.password) : user?.authentication?.emailPassword?.password
+        password: input.password ? input.password : user?.authentication?.emailPassword?.password
       }
     };
   }
@@ -38119,7 +38301,17 @@ var oAuthAuthentication = (oAuthProvider) => async ({
     },
     context: contextWithRoot(context),
     first: 1,
-    select: { id: true }
+    select: {
+      authentication: true,
+      role: true,
+      secondFA: true,
+      email: true,
+      id: true,
+      provider: true,
+      isOauth: true,
+      createdAt: true,
+      updatedAt: true
+    }
   });
   if (user.length === 0) {
     const createdUser = await context.wabe.controllers.database.createObject({
@@ -38131,7 +38323,18 @@ var oAuthAuthentication = (oAuthProvider) => async ({
           [oAuthProvider]: userInfoToSave
         }
       },
-      context: contextWithRoot(context)
+      context: contextWithRoot(context),
+      select: {
+        authentication: true,
+        role: true,
+        secondFA: true,
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
+      }
     });
     if (!createdUser)
       throw new Error("User not found");
@@ -38167,8 +38370,7 @@ class GitHub2 {
   }
 }
 // ../wabe/src/authentication/providers/PhonePassword.ts
-import { Algorithm as Algorithm4, verify as verify2 } from "@node-rs/argon2";
-var DUMMY_PASSWORD_HASH2 = "$argon2id$v=19$m=65536,t=2,p=1$YWJjZGVmZw$YzBhRkNiSEZlY3hzUVYxZg";
+var DUMMY_PASSWORD_HASH2 = "$argon2id$v=19$m=65536,t=2,p=1$wHZB9xRS/Mbo7L3SL9e935Ag5K+T2EuT/XgB8akwZgo$SPf8EZ4T1HYkuIll4v2hSzNCH7woX3VrZJo3yWg5u8U";
 
 class PhonePassword {
   async onSignIn({
@@ -38185,15 +38387,23 @@ class PhonePassword {
         }
       },
       context: contextWithRoot(context),
-      select: { id: true, authentication: true },
+      select: {
+        authentication: true,
+        role: true,
+        secondFA: true,
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
+      },
       first: 1
     });
     const user = users[0];
     const userDatabasePassword = user?.authentication?.phonePassword?.password;
     const passwordHashToCheck = userDatabasePassword ?? DUMMY_PASSWORD_HASH2;
-    const isPasswordEquals = await verify2(passwordHashToCheck, input.password, {
-      algorithm: Algorithm4.Argon2id
-    });
+    const isPasswordEquals = await verifyArgon2(input.password, passwordHashToCheck);
     if (!user || !isPasswordEquals || input.phone !== user.authentication?.phonePassword?.phone)
       throw new Error("Invalid authentication credentials");
     return {
@@ -38220,7 +38430,7 @@ class PhonePassword {
     return {
       authenticationDataToSave: {
         phone: input.phone,
-        password: await hashPassword(input.password)
+        password: input.password
       }
     };
   }
@@ -38245,7 +38455,7 @@ class PhonePassword {
     return {
       authenticationDataToSave: {
         phone: input.phone ?? user?.authentication?.phonePassword?.phone,
-        password: input.password ? await hashPassword(input.password) : user?.authentication?.phonePassword?.password
+        password: input.password ? input.password : user?.authentication?.phonePassword?.password
       }
     };
   }
@@ -38287,7 +38497,17 @@ class EmailOTP {
           equalTo: input.email
         }
       },
-      select: { id: true, secondFA: true },
+      select: {
+        authentication: true,
+        role: true,
+        secondFA: true,
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
+      },
       first: 1,
       context: contextWithRoot(context)
     });
@@ -38317,7 +38537,17 @@ class QRCodeOTP {
           equalTo: input.email
         }
       },
-      select: { id: true, secondFA: true },
+      select: {
+        authentication: true,
+        role: true,
+        secondFA: true,
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
+      },
       first: 1,
       context: contextWithRoot(context)
     });
@@ -38325,7 +38555,7 @@ class QRCodeOTP {
     const userId = realUser?.id ?? DUMMY_USER_ID3;
     const isDevBypass = !context.wabe.config.isProduction && input.otp === "000000" && realUser !== null;
     const otpClass = new OTP(context.wabe.config.rootKey);
-    const isOtpValid = otpClass.verify(input.otp, userId);
+    const isOtpValid = otpClass.authenticatorVerify(input.otp, userId);
     if (realUser && (isOtpValid || isDevBypass))
       return { userId: realUser.id };
     return null;
@@ -39869,7 +40099,7 @@ class SRPInt {
     return new SRPInt(this[bi].xor(value[bi]), this.hexLength);
   }
 }
-var hash3 = async (hashAlgorithm, ...input) => {
+var hash = async (hashAlgorithm, ...input) => {
   const buffers = input.map((item) => typeof item === "string" ? encodeUtf8(item) : hexToBuffer(item.toHex()));
   const combined = new Uint8Array(buffers.reduce((offset, item) => offset + item.byteLength, 0));
   buffers.reduce((offset, item) => {
@@ -40033,7 +40263,7 @@ var getParams = (hashAlgorithm, primeGroup) => {
   const N = SRPInt.fromHex(group.N);
   const g = SRPInt.fromHex(group.g);
   const paddedHexLength = N.hexLength ?? 0;
-  const H = (...input) => hash3(hashAlgorithm, ...input);
+  const H = (...input) => hash(hashAlgorithm, ...input);
   const PAD = (integer) => integer.pad(paddedHexLength);
   const k = () => H(N, PAD(g));
   return {
@@ -40102,10 +40332,15 @@ class EmailPasswordSRP {
         email: { equalTo: input.email }
       },
       select: {
-        id: true,
         authentication: true,
+        role: true,
         secondFA: true,
-        email: true
+        email: true,
+        id: true,
+        provider: true,
+        isOauth: true,
+        createdAt: true,
+        updatedAt: true
       },
       first: 1
     });
@@ -47745,8 +47980,8 @@ async function parsePOSTMultipartRequest(request) {
 
 // ../../node_modules/graphql-yoga/esm/plugins/request-validation/use-check-graphql-query-params.js
 var expectedParameters = new Set(["query", "variables", "operationName", "extensions"]);
-function assertInvalidParams(params, extraParamNames) {
-  if (params == null || typeof params !== "object") {
+function assertInvalidParams(params2, extraParamNames) {
+  if (params2 == null || typeof params2 !== "object") {
     throw createGraphQLError('Invalid "params" in the request body', {
       extensions: {
         http: {
@@ -47756,8 +47991,8 @@ function assertInvalidParams(params, extraParamNames) {
       }
     });
   }
-  for (const paramKey in params) {
-    if (params[paramKey] == null) {
+  for (const paramKey in params2) {
+    if (params2[paramKey] == null) {
       continue;
     }
     if (!expectedParameters.has(paramKey)) {
@@ -47774,9 +48009,9 @@ function assertInvalidParams(params, extraParamNames) {
     }
   }
 }
-function checkGraphQLQueryParams(params, extraParamNames) {
-  if (!isObject3(params)) {
-    throw createGraphQLError(`Expected params to be an object but given ${extendedTypeof(params)}.`, {
+function checkGraphQLQueryParams(params2, extraParamNames) {
+  if (!isObject3(params2)) {
+    throw createGraphQLError(`Expected params to be an object but given ${extendedTypeof(params2)}.`, {
       extensions: {
         http: {
           status: 400,
@@ -47787,8 +48022,8 @@ function checkGraphQLQueryParams(params, extraParamNames) {
       }
     });
   }
-  assertInvalidParams(params, extraParamNames);
-  if (params["query"] == null) {
+  assertInvalidParams(params2, extraParamNames);
+  if (params2["query"] == null) {
     throw createGraphQLError("Must provide query string.", {
       extensions: {
         http: {
@@ -47801,7 +48036,7 @@ function checkGraphQLQueryParams(params, extraParamNames) {
       }
     });
   }
-  const queryType = extendedTypeof(params["query"]);
+  const queryType = extendedTypeof(params2["query"]);
   if (queryType !== "string") {
     throw createGraphQLError(`Expected "query" param to be a string, but given ${queryType}.`, {
       extensions: {
@@ -47814,7 +48049,7 @@ function checkGraphQLQueryParams(params, extraParamNames) {
       }
     });
   }
-  const variablesParamType = extendedTypeof(params["variables"]);
+  const variablesParamType = extendedTypeof(params2["variables"]);
   if (!["object", "null", "undefined"].includes(variablesParamType)) {
     throw createGraphQLError(`Expected "variables" param to be empty or an object, but given ${variablesParamType}.`, {
       extensions: {
@@ -47827,7 +48062,7 @@ function checkGraphQLQueryParams(params, extraParamNames) {
       }
     });
   }
-  const extensionsParamType = extendedTypeof(params["extensions"]);
+  const extensionsParamType = extendedTypeof(params2["extensions"]);
   if (!["object", "null", "undefined"].includes(extensionsParamType)) {
     throw createGraphQLError(`Expected "extensions" param to be empty or an object, but given ${extensionsParamType}.`, {
       extensions: {
@@ -47840,12 +48075,12 @@ function checkGraphQLQueryParams(params, extraParamNames) {
       }
     });
   }
-  return params;
+  return params2;
 }
 function useCheckGraphQLQueryParams(extraParamNames) {
   return {
-    onParams({ params }) {
-      checkGraphQLQueryParams(params, extraParamNames);
+    onParams({ params: params2 }) {
+      checkGraphQLQueryParams(params2, extraParamNames);
     }
   };
 }
@@ -49126,8 +49361,8 @@ function _createLRUCache({ max = DEFAULT_MAX, ttl = DEFAULT_TTL } = {}) {
 function useParserAndValidationCache({ documentCache = _createLRUCache(), errorCache = _createLRUCache(), validationCache = true }) {
   const validationCacheByRules = _createLRUCache();
   return {
-    onParse({ params, setParsedDocument }) {
-      const strDocument = params.source.toString();
+    onParse({ params: params2, setParsedDocument }) {
+      const strDocument = params2.source.toString();
       const document = documentCache.get(strDocument);
       if (document) {
         setParsedDocument(document);
@@ -49199,10 +49434,10 @@ function getMediaTypesForRequestInOrder(request) {
   const accepts = (request.headers.get("accept") || "*/*").replace(/\s/g, "").toLowerCase().split(",");
   const mediaTypes = [];
   for (const accept of accepts) {
-    const [mediaType, ...params] = accept.split(";");
+    const [mediaType, ...params2] = accept.split(";");
     if (mediaType === undefined)
       continue;
-    const charset = params?.find((param) => param.includes("charset=")) || "charset=utf-8";
+    const charset = params2?.find((param) => param.includes("charset=")) || "charset=utf-8";
     if (charset !== "charset=utf-8") {
       continue;
     }
@@ -49559,8 +49794,8 @@ async function processResult({ request, result: result2, fetchAPI, onResultProce
   }
   return resultProcessor(result2, fetchAPI, acceptedMediaType);
 }
-async function processRequest({ params, enveloped }) {
-  const document = enveloped.parse(params.query);
+async function processRequest({ params: params2, enveloped }) {
+  const document = enveloped.parse(params2.query);
   const errors2 = enveloped.validate(enveloped.schema, document);
   if (errors2.length > 0) {
     return { errors: errors2 };
@@ -49570,10 +49805,10 @@ async function processRequest({ params, enveloped }) {
     schema: enveloped.schema,
     document,
     contextValue,
-    variableValues: params.variables,
-    operationName: params.operationName
+    variableValues: params2.variables,
+    operationName: params2.operationName
   };
-  const operation = import_graphql46.getOperationAST(document, params.operationName);
+  const operation = import_graphql46.getOperationAST(document, params2.operationName);
   const executeFn = operation?.operation === "subscription" ? enveloped.subscribe : enveloped.execute;
   return executeFn(executionArgs);
 }
@@ -49800,20 +50035,20 @@ class YogaServer {
       }
     }
   }
-  handleParams = async ({ request, context, params }) => {
+  handleParams = async ({ request, context, params: params2 }) => {
     let result2;
     try {
       const additionalContext = context["request"] === request ? {
-        params
+        params: params2
       } : {
         request,
-        params
+        params: params2
       };
       Object.assign(context, additionalContext);
       const enveloped = this.getEnveloped(context);
       this.logger.debug(`Processing GraphQL Parameters`);
       result2 = await processRequest({
-        params,
+        params: params2,
         enveloped
       });
       this.logger.debug(`Processing GraphQL Parameters done.`);
@@ -49837,15 +50072,15 @@ class YogaServer {
     }
     return result2;
   };
-  async getResultForParams({ params, request }, context) {
+  async getResultForParams({ params: params2, request }, context) {
     let result2;
     let paramsHandler = this.handleParams;
     for (const onParamsHook of this.onParamsHooks) {
       await onParamsHook({
-        params,
+        params: params2,
         request,
         setParams(newParams) {
-          params = newParams;
+          params2 = newParams;
         },
         paramsHandler,
         setParamsHandler(newHandler) {
@@ -49860,7 +50095,7 @@ class YogaServer {
     }
     result2 ??= await paramsHandler({
       request,
-      params,
+      params: params2,
       context
     });
     for (const onExecutionResult of this.onExecutionResultHooks) {
@@ -49914,8 +50149,8 @@ class YogaServer {
         }
       });
     }
-    const result2 = await (Array.isArray(requestParserResult) ? Promise.all(requestParserResult.map((params) => this.getResultForParams({
-      params,
+    const result2 = await (Array.isArray(requestParserResult) ? Promise.all(requestParserResult.map((params2) => this.getResultForParams({
+      params: params2,
       request
     }, Object.create(serverContext)))) : this.getResultForParams({
       params: requestParserResult,
@@ -50048,13 +50283,15 @@ class FileController {
 import { timingSafeEqual } from "node:crypto";
 var defaultSessionHandler = (wabe) => async (ctx) => {
   const headers = ctx.request.headers;
+  const isGraphQLCall = ctx.request.url.includes("/graphql");
   const headerRootKey = Buffer.from(headers.get("Wabe-Root-Key") || "");
   const rootKey = Buffer.from(wabe.config.rootKey);
   if (headerRootKey.length === rootKey.length && timingSafeEqual(rootKey, headerRootKey)) {
     ctx.wabe = {
       isRoot: true,
       wabe,
-      response: ctx.res
+      response: ctx.res,
+      isGraphQLCall
     };
     return;
   }
@@ -50073,7 +50310,8 @@ var defaultSessionHandler = (wabe) => async (ctx) => {
     ctx.wabe = {
       isRoot: false,
       wabe,
-      response: ctx.res
+      response: ctx.res,
+      isGraphQLCall
     };
     return;
   }
@@ -50085,14 +50323,16 @@ var defaultSessionHandler = (wabe) => async (ctx) => {
     refreshToken: newRefreshToken
   } = await session.meFromAccessToken(accessToken, {
     wabe,
-    isRoot: true
+    isRoot: true,
+    isGraphQLCall
   });
   ctx.wabe = {
     isRoot: false,
     sessionId,
     user,
     wabe,
-    response: ctx.res
+    response: ctx.res,
+    isGraphQLCall
   };
   if (wabe.config.authentication?.session?.cookieSession && newAccessToken && newRefreshToken && newAccessToken !== accessToken) {
     ctx.res.setCookie("accessToken", newAccessToken, {
@@ -50806,8 +51046,11 @@ var CronExpressions;
   CronExpressions2["EVERY_12_HOURS"] = "0 0 */12 * * *";
 })(CronExpressions ||= {});
 export {
+  verifyArgon2,
   notEmpty,
+  isArgon2Hash,
   initializeHook,
+  hashArgon2,
   getDefaultHooks,
   generateCodegen,
   defaultRoutes,