{"version":3,"sources":["../src/paths.ts","../src/nextauth.ts"],"names":[],"mappings":";;;AAoBO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,SAAA,EAAW,mCAAA;AAAA;AAAA,EAEX,SAAA,EAAW,yBAAA;AAAA;AAAA,EAEX,KAAA,EAAO,qBAAA;AAAA;AAAA,EAEP,QAAA,EAAU,wBAAA;AAAA;AAAA,EAEV,IAAA,EAAM,0BAAA;AAAA;AAAA,EAEN,MAAA,EAAQ;AACV,CAAA;AA2DO,SAAS,cAAc,SAAA,EAA2B;AACvD,EAAA,OAAO,SAAA,CAAU,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAA;AACrC;AAQO,SAAS,MAAA,CAAO,WAAmB,GAAA,EAA0B;AAClE,EAAA,OAAO,GAAG,aAAA,CAAc,SAAS,CAAC,CAAA,EAAG,UAAA,CAAW,GAAG,CAAC,CAAA,CAAA;AACtD;;;ACnBO,SAAS,iBACd,OAAA,EACyB;AACzB,EAAA,MAAM,MAAA,GAAS,aAAA,CAAc,OAAA,CAAQ,SAAS,CAAA;AAC9C,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,CAAC,SAAS,MAAM,CAAA;AAEjD,EAAA,OAAO;AAAA,IACL,EAAA,EAAI,WAAA;AAAA,IACJ,IAAA,EAAM,WAAA;AAAA,IACN,IAAA,EAAM,OAAA;AAAA,IACN,MAAA;AAAA;AAAA,IAEA,aAAA,EAAe;AAAA,MACb,GAAA,EAAK,MAAA,CAAO,MAAA,EAAQ,WAAW,CAAA;AAAA,MAC/B,MAAA,EAAQ,EAAE,KAAA,EAAO,sBAAA;AAAuB,KAC1C;AAAA,IACA,OAAO,EAAE,GAAA,EAAK,MAAA,CAAO,MAAA,EAAQ,OAAO,CAAA,EAAE;AAAA,IACtC,UAAU,EAAE,GAAA,EAAK,MAAA,CAAO,MAAA,EAAQ,UAAU,CAAA,EAAE;AAAA,IAC5C,aAAA,EAAe,MAAA,CAAO,MAAA,EAAQ,MAAM,CAAA;AAAA,IACpC,OAAA,EAAS,IAAA;AAAA,IACT,MAAA;AAAA,IACA,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,cAAc,OAAA,CAAQ,YAAA;AAAA,IACtB,MAAA,EAAQ,EAAE,0BAAA,EAA4B,qBAAA,EAAsB;AAAA,IAC5D,QAAQ,OAAA,EAAY;AAClB,MAAA,OAAO;AAAA,QACL,IAAI,OAAA,CAAQ,GAAA;AAAA,QACZ,IAAA,EACE,QAAQ,WAAA,IACR,OAAA,CAAQ,QACR,OAAA,CAAQ,kBAAA,IACR,QAAQ,KAAA,IACR,EAAA;AAAA,QACF,OAAO,OAAA,CAAQ,KAAA;AAAA,QACf,KAAA,EAAO,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,OAAA,IAAW;AAAA,OAC9C;AAAA,IACF,CAAA;AAAA,IACA,KAAA,EAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM;AAAA,KACR;AAAA,IACA;AAAA,GACF;AACF;AAQO,IAAM,WAAA,GAAc","file":"nextauth.cjs","sourcesContent":["/**\n * The single source of truth for Hanzo IAM OIDC endpoint paths.\n *\n * Hanzo IAM is a Casdoor-derived OIDC provider served per-brand from a\n * configurable origin (`serverUrl`): hanzo → https://iam.hanzo.ai,\n * lux → https://lux.id, zoo → https://zoo.id, bootnode → https://id.bootno.de.\n *\n * These are the ONLY paths. There is no legacy `/oauth/*` and no\n * `/api/login/*`. Every module in this SDK references `OIDC_PATHS` —\n * no path string is written anywhere else.\n *\n * CRITICAL GOTCHA: IAM serves a 200 `text/html` SPA catch-all for ANY\n * unregistered path. A client that hits a wrong path therefore gets a\n * 200 HTML body, not a 404 — silent breakage. So clients MUST hit these\n * exact paths, and a discovery round-trip must never be allowed to\n * resolve to a different path. The hard-coded fallbacks here are these\n * same values, so a failed discovery degrades to correct paths.\n */\n\n/** OIDC endpoint paths, relative to the brand `serverUrl`. */\nexport const OIDC_PATHS = {\n  /** OIDC discovery document. */\n  discovery: \"/.well-known/openid-configuration\",\n  /** Authorization endpoint (RFC 6749 §3.1). */\n  authorize: \"/v1/iam/oauth/authorize\",\n  /** Token endpoint (RFC 6749 §3.2). */\n  token: \"/v1/iam/oauth/token\",\n  /** UserInfo endpoint (OIDC Core §5.3). */\n  userinfo: \"/v1/iam/oauth/userinfo\",\n  /** JWKS endpoint (RFC 7517). */\n  jwks: \"/v1/iam/.well-known/jwks\",\n  /** RP-initiated logout endpoint (OIDC RP-Initiated Logout). */\n  logout: \"/v1/iam/oauth/logout\",\n} as const;\n\nexport type OidcPathKey = keyof typeof OIDC_PATHS;\n\n/**\n * Hanzo-IAM application paths that are NOT part of the OIDC spec — the\n * auth-method discovery endpoint and the onboarding state machine the\n * embedded views drive. Mounted under the same `/v1/iam` prefix.\n */\nexport const IAM_PATHS = {\n  /** Live list of enabled auth methods for the embedded login views. */\n  authMethods: \"/v1/iam/auth/methods\",\n  /** Onboarding state-machine base (steps append `/identity`, etc.). */\n  onboarding: \"/v1/iam/onboarding\",\n  /**\n   * Casdoor credential-login endpoint the embedded `<Login>` views POST to.\n   * `type=code` (a client `redirectUri` is present) mints an authorization\n   * code returned in `data`; `type=login` establishes the session cookie.\n   * This is what the deployed IAM actually authenticates against — the OIDC\n   * token endpoint's password/OTP grants are NOT enabled per-client.\n   */\n  login: \"/v1/iam/login\",\n  /** Send an email/SMS verification code (passwordless login). */\n  sendCode: \"/v1/iam/send-verification-code\",\n  /** Account registration. */\n  signup: \"/v1/iam/signup\",\n} as const;\n\nexport type IamPathKey = keyof typeof IAM_PATHS;\n\n/**\n * The canonical `serverUrl` origin for each Hanzo IAM brand. White-label\n * is host-based: one IAM deployment serves every brand and selects the\n * tenant by the origin it is reached on. This is the SINGLE place the\n * brand→origin mapping lives — adapters take a `brand` and resolve here\n * rather than each app hard-coding a hostname.\n */\nexport const BRAND_SERVER_URLS = {\n  hanzo: \"https://iam.hanzo.ai\",\n  lux: \"https://lux.id\",\n  zoo: \"https://zoo.id\",\n  bootnode: \"https://id.bootno.de\",\n  pars: \"https://pars.id\",\n} as const;\n\n/** A known Hanzo IAM brand key. */\nexport type IamBrand = keyof typeof BRAND_SERVER_URLS;\n\n/**\n * Resolve a brand to its canonical IAM `serverUrl`.\n *\n * @example\n * serverUrlForBrand(\"lux\") // → \"https://lux.id\"\n */\nexport function serverUrlForBrand(brand: IamBrand): string {\n  return BRAND_SERVER_URLS[brand];\n}\n\n/** Strip trailing slashes from a server origin so paths concat cleanly. */\nexport function trimServerUrl(serverUrl: string): string {\n  return serverUrl.replace(/\\/+$/, \"\");\n}\n\n/**\n * Build an absolute IAM endpoint URL from a server origin and a path key.\n *\n * @example\n * iamUrl(\"https://iam.hanzo.ai\", \"token\") // → \"https://iam.hanzo.ai/v1/iam/oauth/token\"\n */\nexport function iamUrl(serverUrl: string, key: OidcPathKey): string {\n  return `${trimServerUrl(serverUrl)}${OIDC_PATHS[key]}`;\n}\n","/**\n * NextAuth.js / Auth.js provider for Hanzo IAM (OIDC).\n *\n * One canonical provider so every Next.js / Auth.js app shares a single\n * implementation. NextAuth keeps its NATIVE routes (it hard-mounts\n * `/api/auth/*`); this SDK never moves them. The provider's ONLY job is to\n * point NextAuth's authorize/token/userinfo at our canonical\n * `/v1/iam/oauth/*` endpoints — the one translation, in code, once.\n *\n * Endpoints are EXPLICIT (from {@link OIDC_PATHS}); we do NOT rely on the\n * `wellKnown`/discovery round-trip. IAM serves a 200 `text/html` SPA for\n * any unregistered path, so a discovery fetch that fails or resolves to a\n * wrong path is silent breakage. Pinning the exact endpoints removes that\n * failure mode. `issuer` + `jwks_endpoint` are supplied so openid-client\n * can still verify the id_token signature without discovery.\n *\n * @example\n * ```ts\n * import NextAuth from \"next-auth\";\n * import { HanzoIamProvider } from \"@hanzo/iam/nextauth\";\n *\n * export default NextAuth({\n *   providers: [\n *     HanzoIamProvider({\n *       serverUrl: process.env.IAM_SERVER_URL!,   // e.g. https://iam.hanzo.ai\n *       clientId: process.env.IAM_CLIENT_ID!,\n *       clientSecret: process.env.IAM_CLIENT_SECRET,\n *     }),\n *   ],\n * });\n * ```\n *\n * @packageDocumentation\n */\n\nimport { OIDC_PATHS, iamUrl, trimServerUrl } from \"./paths.js\";\n\n/**\n * The OIDC userinfo / id_token profile shape Hanzo IAM returns. Carries\n * the raw OIDC claims so a consumer's own `profile()` mapper can read\n * `sub`, `email`, `name`, `picture`, etc.\n */\nexport interface HanzoIamProfile extends Record<string, unknown> {\n  sub: string;\n  name: string;\n  email: string;\n  preferred_username?: string;\n  picture?: string;\n  avatar?: string;\n  displayName?: string;\n  email_verified?: boolean;\n}\n\n/** @deprecated Use {@link HanzoIamProfile}. Kept as an in-SDK alias. */\nexport type IamProfile = HanzoIamProfile;\n\n/** Options for {@link HanzoIamProvider}. */\nexport interface HanzoIamProviderOptions {\n  /** IAM origin (`serverUrl`), e.g. \"https://iam.hanzo.ai\". */\n  serverUrl: string;\n  /** OAuth2 client id (`<org>-<app>`). */\n  clientId: string;\n  /** OAuth2 client secret (confidential client). */\n  clientSecret?: string;\n  /** Organization name (owner context); passed through on `options`. */\n  orgName?: string;\n  /** Application name; passed through on `options`. */\n  appName?: string;\n  /** OAuth state/PKCE checks. Default: [\"state\", \"pkce\"]. */\n  checks?: (\"state\" | \"pkce\" | \"nonce\" | \"none\")[];\n  [key: string]: unknown;\n}\n\n/**\n * NextAuth.js / Auth.js compatible OAuth provider config for Hanzo IAM.\n *\n * Returns a plain `OAuthConfig`-shaped object. The caller spreads it into\n * `providers: [...]` and may override `id`/`name`/`profile` (console does:\n * it pins `id: \"hanzo-iam\"` and supplies its own `profile()` that upserts\n * the user). The default `id` is already `\"hanzo-iam\"`, so apps that don't\n * override it get the canonical id.\n *\n * PKCE (S256) is on by default (`checks: [\"state\", \"pkce\"]`). All endpoints\n * are explicit — no discovery round-trip.\n */\nexport function HanzoIamProvider<P extends HanzoIamProfile>(\n  options: HanzoIamProviderOptions,\n): Record<string, unknown> {\n  const issuer = trimServerUrl(options.serverUrl);\n  const checks = options.checks ?? [\"state\", \"pkce\"];\n\n  return {\n    id: \"hanzo-iam\",\n    name: \"Hanzo IAM\",\n    type: \"oauth\",\n    issuer,\n    // Explicit endpoints from the single source of truth — never discovery.\n    authorization: {\n      url: iamUrl(issuer, \"authorize\"),\n      params: { scope: \"openid profile email\" },\n    },\n    token: { url: iamUrl(issuer, \"token\") },\n    userinfo: { url: iamUrl(issuer, \"userinfo\") },\n    jwks_endpoint: iamUrl(issuer, \"jwks\"),\n    idToken: true,\n    checks,\n    clientId: options.clientId,\n    clientSecret: options.clientSecret,\n    client: { token_endpoint_auth_method: \"client_secret_basic\" },\n    profile(profile: P) {\n      return {\n        id: profile.sub,\n        name:\n          profile.displayName ||\n          profile.name ||\n          profile.preferred_username ||\n          profile.email ||\n          \"\",\n        email: profile.email,\n        image: profile.avatar || profile.picture || null,\n      };\n    },\n    style: {\n      bg: \"#050508\",\n      text: \"#fff\",\n      logo: \"\",\n    },\n    options,\n  };\n}\n\n/**\n * Canonical alias for {@link HanzoIamProvider}.\n *\n * `@hanzo/iam` is the namespace, so `IamProvider` reads cleanly in app code.\n * Both names are stable exports; they are the same function.\n */\nexport const IamProvider = HanzoIamProvider;\n"]}