better-auth

Version:

The most comprehensive authentication framework for TypeScript.

1 lines • 65.8 kB

Source Map (JSON)

{"version":3,"file":"routes.mjs","names":["where: Where[]"],"sources":["../../../src/plugins/admin/routes.ts"],"sourcesContent":["import {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport type { Session } from \"@better-auth/core/db\";\nimport type { Where } from \"@better-auth/core/db/adapter\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport * as z from \"zod\";\nimport { APIError, getSessionFromCtx } from \"../../api\";\nimport { deleteSessionCookie, setSessionCookie } from \"../../cookies\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { getDate } from \"../../utils/date\";\nimport type { AccessControl } from \"../access\";\nimport type { defaultStatements } from \"./access\";\nimport { ADMIN_ERROR_CODES } from \"./error-codes\";\nimport { hasPermission } from \"./has-permission\";\nimport type {\n\tAdminOptions,\n\tInferAdminRolesFromOption,\n\tSessionWithImpersonatedBy,\n\tUserWithRole,\n} from \"./types\";\n\n/**\n * Ensures a valid session, if not will throw.\n * Will also provide additional types on the user to include role types.\n */\nconst adminMiddleware = createAuthMiddleware(async (ctx) => {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\treturn {\n\t\tsession,\n\t} as {\n\t\tsession: {\n\t\t\tuser: UserWithRole;\n\t\t\tsession: Session;\n\t\t};\n\t};\n});\n\nfunction parseRoles(roles: string | string[]): string {\n\treturn Array.isArray(roles) ? roles.join(\",\") : roles;\n}\n\nconst setRoleBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n\trole: z\n\t\t.union([\n\t\t\tz.string().meta({\n\t\t\t\tdescription: \"The role to set. `admin` or `user` by default\",\n\t\t\t}),\n\t\t\tz.array(\n\t\t\t\tz.string().meta({\n\t\t\t\t\tdescription: \"The roles to set. `admin` or `user` by default\",\n\t\t\t\t}),\n\t\t\t),\n\t\t])\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"The role to set, this can be a string or an array of strings. Eg: `admin` or `[admin, user]`\",\n\t\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/set-role`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.setRole`\n *\n * **client:**\n * `authClient.admin.setRole`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-set-role)\n */\nexport const setRole = <O extends AdminOptions>(opts: O) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/set-role\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: setRoleBodySchema,\n\t\t\trequireHeaders: true,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"setUserRole\",\n\t\t\t\t\tsummary: \"Set the role of a user\",\n\t\t\t\t\tdescription: \"Set the role of a user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User role updated\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as {\n\t\t\t\t\t\tuserId: string;\n\t\t\t\t\t\trole: InferAdminRolesFromOption<O> | InferAdminRolesFromOption<O>[];\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst canSetRole = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"set-role\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canSetRole) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst roles = opts.roles;\n\t\t\tif (roles) {\n\t\t\t\tconst inputRoles = Array.isArray(ctx.body.role)\n\t\t\t\t\t? ctx.body.role\n\t\t\t\t\t: [ctx.body.role];\n\t\t\t\tfor (const role of inputRoles) {\n\t\t\t\t\tif (!roles[role as keyof typeof roles]) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage:\n\t\t\t\t\t\t\t\tADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tctx.body.userId,\n\t\t\t\t{\n\t\t\t\t\trole: parseRoles(ctx.body.role),\n\t\t\t\t},\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tuser: updatedUser as UserWithRole,\n\t\t\t});\n\t\t},\n\t);\n\nconst getUserQuerySchema = z.object({\n\tid: z.string().meta({\n\t\tdescription: \"The id of the User\",\n\t}),\n});\n\nexport const getUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/get-user\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tquery: getUserQuerySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"getUser\",\n\t\t\t\t\tsummary: \"Get an existing user\",\n\t\t\t\t\tdescription: \"Get an existing user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { id } = ctx.query;\n\n\t\t\tconst canGetUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"get\"],\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tif (!canGetUser) {\n\t\t\t\tthrow ctx.error(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_GET_USER,\n\t\t\t\t\tcode: \"YOU_ARE_NOT_ALLOWED_TO_GET_USER\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst user = await ctx.context.internalAdapter.findUserById(id);\n\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\treturn parseUserOutput(ctx.context.options, user);\n\t\t},\n\t);\n\nconst createUserBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"The email of the user\",\n\t}),\n\tpassword: z.string().meta({\n\t\tdescription: \"The password of the user\",\n\t}),\n\tname: z.string().meta({\n\t\tdescription: \"The name of the user\",\n\t}),\n\trole: z\n\t\t.union([\n\t\t\tz.string().meta({\n\t\t\t\tdescription: \"The role of the user\",\n\t\t\t}),\n\t\t\tz.array(\n\t\t\t\tz.string().meta({\n\t\t\t\t\tdescription: \"The roles of user\",\n\t\t\t\t}),\n\t\t\t),\n\t\t])\n\t\t.optional()\n\t\t.meta({\n\t\t\tdescription: `A string or array of strings representing the roles to apply to the new user. Eg: \\\"user\\\"`,\n\t\t}),\n\t/**\n\t * extra fields for user\n\t */\n\tdata: z.record(z.string(), z.any()).optional().meta({\n\t\tdescription:\n\t\t\t\"Extra fields for the user. Including custom additional fields.\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/create-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.createUser`\n *\n * **client:**\n * `authClient.admin.createUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-create-user)\n */\nexport const createUser = <O extends AdminOptions>(opts: O) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/create-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: createUserBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"createUser\",\n\t\t\t\t\tsummary: \"Create a new user\",\n\t\t\t\t\tdescription: \"Create a new user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as {\n\t\t\t\t\t\temail: string;\n\t\t\t\t\t\tpassword: string;\n\t\t\t\t\t\tname: string;\n\t\t\t\t\t\trole?:\n\t\t\t\t\t\t\t| (InferAdminRolesFromOption<O> | InferAdminRolesFromOption<O>[])\n\t\t\t\t\t\t\t| undefined;\n\t\t\t\t\t\tdata?: Record<string, any> | undefined;\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = await getSessionFromCtx<{ role: string }>(ctx);\n\t\t\tif (!session && (ctx.request || ctx.headers)) {\n\t\t\t\tthrow ctx.error(\"UNAUTHORIZED\");\n\t\t\t}\n\t\t\tif (session) {\n\t\t\t\tconst canCreateUser = hasPermission({\n\t\t\t\t\tuserId: session.user.id,\n\t\t\t\t\trole: session.user.role,\n\t\t\t\t\toptions: opts,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tuser: [\"create\"],\n\t\t\t\t\t},\n\t\t\t\t});\n\t\t\t\tif (!canCreateUser) {\n\t\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst existUser =\n\t\t\t\tawait ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (existUser) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = await ctx.context.internalAdapter.createUser<UserWithRole>({\n\t\t\t\temail: email,\n\t\t\t\tname: ctx.body.name,\n\t\t\t\trole:\n\t\t\t\t\t(ctx.body.role && parseRoles(ctx.body.role)) ??\n\t\t\t\t\topts?.defaultRole ??\n\t\t\t\t\t\"user\",\n\t\t\t\t...ctx.body.data,\n\t\t\t});\n\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.FAILED_TO_CREATE_USER,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst hashedPassword = await ctx.context.password.hash(ctx.body.password);\n\t\t\tawait ctx.context.internalAdapter.linkAccount({\n\t\t\t\taccountId: user.id,\n\t\t\t\tproviderId: \"credential\",\n\t\t\t\tpassword: hashedPassword,\n\t\t\t\tuserId: user.id,\n\t\t\t});\n\t\t\treturn ctx.json({\n\t\t\t\tuser: user as UserWithRole,\n\t\t\t});\n\t\t},\n\t);\n\nconst adminUpdateUserBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n\tdata: z.record(z.any(), z.any()).meta({\n\t\tdescription: \"The user data to update\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/update-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.adminUpdateUser`\n *\n * **client:**\n * `authClient.admin.updateUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-update-user)\n */\nexport const adminUpdateUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/update-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: adminUpdateUserBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"updateUser\",\n\t\t\t\t\tsummary: \"Update a user\",\n\t\t\t\t\tdescription: \"Update a user's details\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User updated\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst canUpdateUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"update\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canUpdateUser) {\n\t\t\t\tthrow ctx.error(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS,\n\t\t\t\t\tcode: \"YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (Object.keys(ctx.body.data).length === 0) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.NO_DATA_TO_UPDATE,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// Role changes must be guarded by `user:set-role` and validated against the role allow-list.\n\t\t\tif (Object.prototype.hasOwnProperty.call(ctx.body.data, \"role\")) {\n\t\t\t\tconst canSetRole = hasPermission({\n\t\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\t\toptions: opts,\n\t\t\t\t\tpermissions: {\n\t\t\t\t\t\tuser: [\"set-role\"],\n\t\t\t\t\t},\n\t\t\t\t});\n\t\t\t\tif (!canSetRole) {\n\t\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\tconst roleValue = (ctx.body.data as Record<string, any>).role;\n\t\t\t\tconst inputRoles = Array.isArray(roleValue) ? roleValue : [roleValue];\n\t\t\t\tfor (const role of inputRoles) {\n\t\t\t\t\tif (typeof role !== \"string\") {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: ADMIN_ERROR_CODES.INVALID_ROLE_TYPE,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (opts.roles && !opts.roles[role as keyof typeof opts.roles]) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage:\n\t\t\t\t\t\t\t\tADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t(ctx.body.data as Record<string, any>).role = parseRoles(\n\t\t\t\t\tinputRoles as string[],\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tctx.body.userId,\n\t\t\t\tctx.body.data,\n\t\t\t);\n\n\t\t\treturn ctx.json(updatedUser as UserWithRole);\n\t\t},\n\t);\n\nconst listUsersQuerySchema = z.object({\n\tsearchValue: z.string().optional().meta({\n\t\tdescription: 'The value to search for. Eg: \"some name\"',\n\t}),\n\tsearchField: z\n\t\t.enum([\"email\", \"name\"])\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The field to search in, defaults to email. Can be `email` or `name`. Eg: \"name\"',\n\t\t})\n\t\t.optional(),\n\tsearchOperator: z\n\t\t.enum([\"contains\", \"starts_with\", \"ends_with\"])\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`. Eg: \"contains\"',\n\t\t})\n\t\t.optional(),\n\tlimit: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The number of users to return\",\n\t\t})\n\t\t.or(z.number())\n\t\t.optional(),\n\toffset: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The offset to start from\",\n\t\t})\n\t\t.or(z.number())\n\t\t.optional(),\n\tsortBy: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The field to sort by\",\n\t\t})\n\t\t.optional(),\n\tsortDirection: z\n\t\t.enum([\"asc\", \"desc\"])\n\t\t.meta({\n\t\t\tdescription: \"The direction to sort by\",\n\t\t})\n\t\t.optional(),\n\tfilterField: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The field to filter by\",\n\t\t})\n\t\t.optional(),\n\tfilterValue: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The value to filter by\",\n\t\t})\n\t\t.or(z.number())\n\t\t.or(z.boolean())\n\t\t.optional(),\n\tfilterOperator: z\n\t\t.enum([\"eq\", \"ne\", \"lt\", \"lte\", \"gt\", \"gte\", \"contains\"])\n\t\t.meta({\n\t\t\tdescription: \"The operator to use for the filter\",\n\t\t})\n\t\t.optional(),\n});\n\nexport const listUsers = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/list-users\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tuse: [adminMiddleware],\n\t\t\tquery: listUsersQuerySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"listUsers\",\n\t\t\t\t\tsummary: \"List users\",\n\t\t\t\t\tdescription: \"List users\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"List of users\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tusers: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttotal: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tlimit: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\toffset: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"users\", \"total\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canListUsers = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"list\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canListUsers) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_LIST_USERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst where: Where[] = [];\n\n\t\t\tif (ctx.query?.searchValue) {\n\t\t\t\twhere.push({\n\t\t\t\t\tfield: ctx.query.searchField || \"email\",\n\t\t\t\t\toperator: ctx.query.searchOperator || \"contains\",\n\t\t\t\t\tvalue: ctx.query.searchValue,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.query?.filterValue) {\n\t\t\t\twhere.push({\n\t\t\t\t\tfield: ctx.query.filterField || \"email\",\n\t\t\t\t\toperator: ctx.query.filterOperator || \"eq\",\n\t\t\t\t\tvalue: ctx.query.filterValue,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst users = await ctx.context.internalAdapter.listUsers(\n\t\t\t\t\tNumber(ctx.query?.limit) || undefined,\n\t\t\t\t\tNumber(ctx.query?.offset) || undefined,\n\t\t\t\t\tctx.query?.sortBy\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tfield: ctx.query.sortBy,\n\t\t\t\t\t\t\t\tdirection: ctx.query.sortDirection || \"asc\",\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: undefined,\n\t\t\t\t\twhere.length ? where : undefined,\n\t\t\t\t);\n\t\t\t\tconst total = await ctx.context.internalAdapter.countTotalUsers(\n\t\t\t\t\twhere.length ? where : undefined,\n\t\t\t\t);\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tusers: users as UserWithRole[],\n\t\t\t\t\ttotal: total,\n\t\t\t\t\tlimit: Number(ctx.query?.limit) || undefined,\n\t\t\t\t\toffset: Number(ctx.query?.offset) || undefined,\n\t\t\t\t});\n\t\t\t} catch {\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tusers: [],\n\t\t\t\t\ttotal: 0,\n\t\t\t\t});\n\t\t\t}\n\t\t},\n\t);\n\nconst listUserSessionsBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/list-user-sessions`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.listUserSessions`\n *\n * **client:**\n * `authClient.admin.listUserSessions`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-list-user-sessions)\n */\nexport const listUserSessions = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/list-user-sessions\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [adminMiddleware],\n\t\t\tbody: listUserSessionsBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"listUserSessions\",\n\t\t\t\t\tsummary: \"List user sessions\",\n\t\t\t\t\tdescription: \"List user sessions\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"List of user sessions\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsessions: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canListSessions = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tsession: [\"list\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canListSessions) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_LIST_USERS_SESSIONS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst sessions: SessionWithImpersonatedBy[] =\n\t\t\t\tawait ctx.context.internalAdapter.listSessions(ctx.body.userId);\n\t\t\treturn {\n\t\t\t\tsessions: sessions,\n\t\t\t};\n\t\t},\n\t);\n\nconst unbanUserBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/unban-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.unbanUser`\n *\n * **client:**\n * `authClient.admin.unbanUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-unban-user)\n */\nexport const unbanUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/unban-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: unbanUserBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"unbanUser\",\n\t\t\t\t\tsummary: \"Unban a user\",\n\t\t\t\t\tdescription: \"Unban a user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User unbanned\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canBanUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"ban\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canBanUser) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst user = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tctx.body.userId,\n\t\t\t\t{\n\t\t\t\t\tbanned: false,\n\t\t\t\t\tbanExpires: null,\n\t\t\t\t\tbanReason: null,\n\t\t\t\t\tupdatedAt: new Date(),\n\t\t\t\t},\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tuser: user,\n\t\t\t});\n\t\t},\n\t);\n\nconst banUserBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n\t/**\n\t * Reason for the ban\n\t */\n\tbanReason: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"The reason for the ban\",\n\t\t})\n\t\t.optional(),\n\t/**\n\t * Number of seconds until the ban expires\n\t */\n\tbanExpiresIn: z\n\t\t.number()\n\t\t.meta({\n\t\t\tdescription: \"The number of seconds until the ban expires\",\n\t\t})\n\t\t.optional(),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/ban-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.banUser`\n *\n * **client:**\n * `authClient.admin.banUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-ban-user)\n */\nexport const banUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/ban-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: banUserBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"banUser\",\n\t\t\t\t\tsummary: \"Ban a user\",\n\t\t\t\t\tdescription: \"Ban a user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User banned\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canBanUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"ban\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canBanUser) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_BAN_USERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst foundUser = await ctx.context.internalAdapter.findUserById(\n\t\t\t\tctx.body.userId,\n\t\t\t);\n\n\t\t\tif (!foundUser) {\n\t\t\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.body.userId === ctx.context.session.user.id) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_CANNOT_BAN_YOURSELF,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tctx.body.userId,\n\t\t\t\t{\n\t\t\t\t\tbanned: true,\n\t\t\t\t\tbanReason:\n\t\t\t\t\t\tctx.body.banReason || opts?.defaultBanReason || \"No reason\",\n\t\t\t\t\tbanExpires: ctx.body.banExpiresIn\n\t\t\t\t\t\t? getDate(ctx.body.banExpiresIn, \"sec\")\n\t\t\t\t\t\t: opts?.defaultBanExpiresIn\n\t\t\t\t\t\t\t? getDate(opts.defaultBanExpiresIn, \"sec\")\n\t\t\t\t\t\t\t: undefined,\n\t\t\t\t\tupdatedAt: new Date(),\n\t\t\t\t},\n\t\t\t);\n\t\t\t//revoke all sessions\n\t\t\tawait ctx.context.internalAdapter.deleteSessions(ctx.body.userId);\n\t\t\treturn ctx.json({\n\t\t\t\tuser: user,\n\t\t\t});\n\t\t},\n\t);\n\nconst impersonateUserBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n/**\n * ### Endpoint\n *\n * POST `/admin/impersonate-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.impersonateUser`\n *\n * **client:**\n * `authClient.admin.impersonateUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-impersonate-user)\n */\nexport const impersonateUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/impersonate-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: impersonateUserBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"impersonateUser\",\n\t\t\t\t\tsummary: \"Impersonate a user\",\n\t\t\t\t\tdescription: \"Impersonate a user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Impersonation session created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst canImpersonateUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"impersonate\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canImpersonateUser) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_IMPERSONATE_USERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst targetUser = (await ctx.context.internalAdapter.findUserById(\n\t\t\t\tctx.body.userId,\n\t\t\t)) as UserWithRole | null;\n\n\t\t\tif (!targetUser) {\n\t\t\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\t\t\tmessage: \"User not found\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst adminRoles = (\n\t\t\t\tArray.isArray(opts.adminRoles)\n\t\t\t\t\t? opts.adminRoles\n\t\t\t\t\t: opts.adminRoles?.split(\",\") || []\n\t\t\t).map((role) => role.trim());\n\t\t\tconst targetUserRole = (\n\t\t\t\ttargetUser.role ||\n\t\t\t\topts.defaultRole ||\n\t\t\t\t\"user\"\n\t\t\t).split(\",\");\n\t\t\tif (\n\t\t\t\topts.allowImpersonatingAdmins !== true &&\n\t\t\t\t(targetUserRole.some((role) => adminRoles.includes(role)) ||\n\t\t\t\t\topts.adminUserIds?.includes(targetUser.id))\n\t\t\t) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_CANNOT_IMPERSONATE_ADMINS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\ttargetUser.id,\n\t\t\t\ttrue,\n\t\t\t\t{\n\t\t\t\t\timpersonatedBy: ctx.context.session.user.id,\n\t\t\t\t\texpiresAt: opts?.impersonationSessionDuration\n\t\t\t\t\t\t? getDate(opts.impersonationSessionDuration, \"sec\")\n\t\t\t\t\t\t: getDate(60 * 60, \"sec\"), // 1 hour\n\t\t\t\t},\n\t\t\t\ttrue,\n\t\t\t);\n\t\t\tif (!session) {\n\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.FAILED_TO_CREATE_USER,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst authCookies = ctx.context.authCookies;\n\t\t\tdeleteSessionCookie(ctx);\n\t\t\tconst dontRememberMeCookie = await ctx.getSignedCookie(\n\t\t\t\tctx.context.authCookies.dontRememberToken.name,\n\t\t\t\tctx.context.secret,\n\t\t\t);\n\t\t\tconst adminCookieProp = ctx.context.createAuthCookie(\"admin_session\");\n\t\t\tawait ctx.setSignedCookie(\n\t\t\t\tadminCookieProp.name,\n\t\t\t\t`${ctx.context.session.session.token}:${dontRememberMeCookie || \"\"}`,\n\t\t\t\tctx.context.secret,\n\t\t\t\tauthCookies.sessionToken.options,\n\t\t\t);\n\t\t\tawait setSessionCookie(\n\t\t\t\tctx,\n\t\t\t\t{\n\t\t\t\t\tsession: session,\n\t\t\t\t\tuser: targetUser,\n\t\t\t\t},\n\t\t\t\ttrue,\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsession: session,\n\t\t\t\tuser: targetUser,\n\t\t\t});\n\t\t},\n\t);\n\n/**\n * ### Endpoint\n *\n * POST `/admin/stop-impersonating`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.stopImpersonating`\n *\n * **client:**\n * `authClient.admin.stopImpersonating`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-stop-impersonating)\n */\nexport const stopImpersonating = () =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/stop-impersonating\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\trequireHeaders: true,\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = await getSessionFromCtx<\n\t\t\t\t{},\n\t\t\t\t{\n\t\t\t\t\timpersonatedBy: string;\n\t\t\t\t}\n\t\t\t>(ctx);\n\t\t\tif (!session) {\n\t\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t\t\t}\n\t\t\tif (!session.session.impersonatedBy) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"You are not impersonating anyone\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\t\t\tsession.session.impersonatedBy,\n\t\t\t);\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\tmessage: \"Failed to find user\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst adminCookieName =\n\t\t\t\tctx.context.createAuthCookie(\"admin_session\").name;\n\t\t\tconst adminCookie = await ctx.getSignedCookie(\n\t\t\t\tadminCookieName,\n\t\t\t\tctx.context.secret,\n\t\t\t);\n\n\t\t\tif (!adminCookie) {\n\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\tmessage: \"Failed to find admin session\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst [adminSessionToken, dontRememberMeCookie] = adminCookie?.split(\":\");\n\t\t\tconst adminSession = await ctx.context.internalAdapter.findSession(\n\t\t\t\tadminSessionToken!,\n\t\t\t);\n\t\t\tif (!adminSession || adminSession.session.userId !== user.id) {\n\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\tmessage: \"Failed to find admin session\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteSession(session.session.token);\n\t\t\tawait setSessionCookie(ctx, adminSession, !!dontRememberMeCookie);\n\t\t\tawait ctx.setSignedCookie(adminCookieName, \"\", ctx.context.secret, {\n\t\t\t\t...ctx.context.authCookies.sessionToken.options,\n\t\t\t\tmaxAge: 0,\n\t\t\t});\n\t\t\treturn ctx.json(adminSession);\n\t\t},\n\t);\n\nconst revokeUserSessionBodySchema = z.object({\n\tsessionToken: z.string().meta({\n\t\tdescription: \"The session token\",\n\t}),\n});\n/**\n * ### Endpoint\n *\n * POST `/admin/revoke-user-session`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.revokeUserSession`\n *\n * **client:**\n * `authClient.admin.revokeUserSession`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-revoke-user-session)\n */\nexport const revokeUserSession = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/revoke-user-session\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: revokeUserSessionBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"revokeUserSession\",\n\t\t\t\t\tsummary: \"Revoke a user session\",\n\t\t\t\t\tdescription: \"Revoke a user session\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Session revoked\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canRevokeSession = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tsession: [\"revoke\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canRevokeSession) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tawait ctx.context.internalAdapter.deleteSession(ctx.body.sessionToken);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst revokeUserSessionsBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n/**\n * ### Endpoint\n *\n * POST `/admin/revoke-user-sessions`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.revokeUserSessions`\n *\n * **client:**\n * `authClient.admin.revokeUserSessions`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-revoke-user-sessions)\n */\nexport const revokeUserSessions = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/revoke-user-sessions\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: revokeUserSessionsBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"revokeUserSessions\",\n\t\t\t\t\tsummary: \"Revoke all user sessions\",\n\t\t\t\t\tdescription: \"Revoke all user sessions\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Sessions revoked\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canRevokeSession = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tsession: [\"revoke\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canRevokeSession) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage:\n\t\t\t\t\t\tADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tawait ctx.context.internalAdapter.deleteSessions(ctx.body.userId);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst removeUserBodySchema = z.object({\n\tuserId: z.coerce.string().meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/remove-user`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.removeUser`\n *\n * **client:**\n * `authClient.admin.removeUser`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-remove-user)\n */\nexport const removeUser = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/remove-user\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: removeUserBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"removeUser\",\n\t\t\t\t\tsummary: \"Remove a user\",\n\t\t\t\t\tdescription:\n\t\t\t\t\t\t\"Delete a user and all their sessions and accounts. Cannot be undone.\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"User removed\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst session = ctx.context.session;\n\t\t\tconst canDeleteUser = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"delete\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canDeleteUser) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.body.userId === ctx.context.session.user.id) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_CANNOT_REMOVE_YOURSELF,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\t\t\tctx.body.userId,\n\t\t\t);\n\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\t\t\tmessage: \"User not found\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tawait ctx.context.internalAdapter.deleteUser(ctx.body.userId);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst setUserPasswordBodySchema = z.object({\n\tnewPassword: z.string().nonempty(\"newPassword cannot be empty\").meta({\n\t\tdescription: \"The new password\",\n\t}),\n\tuserId: z.coerce.string().nonempty(\"userId cannot be empty\").meta({\n\t\tdescription: \"The user id\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/admin/set-user-password`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.setUserPassword`\n *\n * **client:**\n * `authClient.admin.setUserPassword`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-set-user-password)\n */\nexport const setUserPassword = (opts: AdminOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/set-user-password\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: setUserPasswordBodySchema,\n\t\t\tuse: [adminMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"setUserPassword\",\n\t\t\t\t\tsummary: \"Set a user's password\",\n\t\t\t\t\tdescription: \"Set a user's password\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Password set\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst canSetUserPassword = hasPermission({\n\t\t\t\tuserId: ctx.context.session.user.id,\n\t\t\t\trole: ctx.context.session.user.role,\n\t\t\t\toptions: opts,\n\t\t\t\tpermissions: {\n\t\t\t\t\tuser: [\"set-password\"],\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!canSetUserPassword) {\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_SET_USERS_PASSWORD,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst { newPassword, userId } = ctx.body;\n\t\t\tconst minPasswordLength = ctx.context.password.config.minPasswordLength;\n\t\t\tif (newPassword.length < minPasswordLength) {\n\t\t\t\tctx.context.logger.error(\"Password is too short\");\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_SHORT,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst maxPasswordLength = ctx.context.password.config.maxPasswordLength;\n\t\t\tif (newPassword.length > maxPasswordLength) {\n\t\t\t\tctx.context.logger.error(\"Password is too long\");\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_LONG,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst hashedPassword = await ctx.context.password.hash(newPassword);\n\t\t\tawait ctx.context.internalAdapter.updatePassword(userId, hashedPassword);\n\t\t\treturn ctx.json({\n\t\t\t\tstatus: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst userHasPermissionBodySchema = z\n\t.object({\n\t\tuserId: z.coerce.string().optional().meta({\n\t\t\tdescription: `The user id. Eg: \"user-id\"`,\n\t\t}),\n\t\trole: z.string().optional().meta({\n\t\t\tdescription: `The role to check permission for. Eg: \"admin\"`,\n\t\t}),\n\t})\n\t.and(\n\t\tz.union([\n\t\t\tz.object({\n\t\t\t\tpermission: z.record(z.string(), z.array(z.string())),\n\t\t\t\tpermissions: z.undefined(),\n\t\t\t}),\n\t\t\tz.object({\n\t\t\t\tpermission: z.undefined(),\n\t\t\t\tpermissions: z.record(z.string(), z.array(z.string())),\n\t\t\t}),\n\t\t]),\n\t);\n\n/**\n * ### Endpoint\n *\n * POST `/admin/has-permission`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.userHasPermission`\n *\n * **client:**\n * `authClient.admin.hasPermission`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/admin#api-method-admin-has-permission)\n */\nexport const userHasPermission = <O extends AdminOptions>(opts: O) => {\n\ttype DefaultStatements = typeof defaultStatements;\n\ttype Statements =\n\t\tO[\"ac\"] extends AccessControl<infer S> ? S : DefaultStatements;\n\n\ttype PermissionType = {\n\t\t[key in keyof Statements]?: Array<\n\t\t\tStatements[key] extends readonly unknown[]\n\t\t\t\t? Statements[key][number]\n\t\t\t\t: never\n\t\t>;\n\t};\n\ttype PermissionExclusive =\n\t\t| {\n\t\t\t\t/**\n\t\t\t\t * @deprecated Use `permissions` instead\n\t\t\t\t */\n\t\t\t\tpermission: PermissionType;\n\t\t\t\tpermissions?: never | undefined;\n\t\t }\n\t\t| {\n\t\t\t\tpermissions: PermissionType;\n\t\t\t\tpermission?: never | undefined;\n\t\t };\n\n\treturn createAuthEndpoint(\n\t\t\"/admin/has-permission\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: userHasPermissionBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Check if the user has permission\",\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\tpermission: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tdescription: \"The permission to check\",\n\t\t\t\t\t\t\t\t\t\t\tdeprecated: true,\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\tpermissions: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tdescription: \"The permission to check\",\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\trequired: [\"permissions\"],\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\terror: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"success\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t$Infer: {\n\t\t\t\t\tbody: {} as PermissionExclusive & {\n\t\t\t\t\t\tuserId?: string | undefined;\n\t\t\t\t\t\trole?: InferAdminRolesFromOption<O> | undefined;\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!ctx.body?.permission && !ctx.body?.permissions) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"invalid permission check. no permission(s) were passed.\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst session = await getSessionFromCtx(ctx);\n\n\t\t\tif (!session && (ctx.request || ctx.headers)) {\n\t\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t\t\t}\n\t\t\tif (!session && !ctx.body.userId && !ctx.body.role) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"user id or role is required\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user =\n\t\t\t\tsession?.user ||\n\t\t\t\t(ctx.body.role\n\t\t\t\t\t? { id: ctx.body.userId || \"\", role: ctx.body.role }\n\t\t\t\t\t: null) ||\n\t\t\t\t((await ctx.context.internalAdapter.findUserById(\n\t\t\t\t\tctx.body.userId as string,\n\t\t\t\t)) as { role?: string | undefined; id: string });\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"user not found\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst result = hasPermission({\n\t\t\t\tuserId: user.id,\n\t\t\t\trole: user.role,\n\t\t\t\toptions: opts as AdminOptions,\n\t\t\t\tpermissions: (ctx.body.permissions ?? ctx.body.permission) as any,\n\t\t\t});\n\t\t\treturn ctx.json({\n\t\t\t\terror: null,\n\t\t\t\tsuccess: result,\n\t\t\t});\n\t\t},\n\t);\n};\n"],"mappings":";;;;;;;;;;;;;;;;AA2BA,MAAM,kBAAkB,qBAAqB,OAAO,QAAQ;CAC3D,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QACJ,OAAM,IAAI,SAAS,eAAe;AAEnC,QAAO,EACN,SACA;EAMA;AAEF,SAAS,WAAW,OAAkC;AACrD,QAAO,MAAM,QAAQ,MAAM,GAAG,MAAM,KAAK,IAAI,GAAG;;AAGjD,MAAM,oBAAoB,EAAE,OAAO;CAClC,QAAQ,EAAE,OAAO,QAAQ,CAAC,KAAK,EAC9B,aAAa,eACb,CAAC;CACF,MAAM,EACJ,MAAM,CACN,EAAE,QAAQ,CAAC,KAAK,EACf,aAAa,iDACb,CAAC,EACF,EAAE,MACD,EAAE,QAAQ,CAAC,KAAK,EACf,aAAa,kDACb,CAAC,CACF,CACD,CAAC,CACD,KAAK,EACL,aACC,gGACD,CAAC;CACH,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,WAAmC,SAC/C,mBACC,mBACA;CACC,QAAQ;CACR,MAAM;CACN,gBAAgB;CAChB,KAAK,CAAC,gBAAgB;CACtB,UAAU;EACT,SAAS;GACR,aAAa;GACb,SAAS;GACT,aAAa;GACb,WAAW,EACV,KAAK;IACJ,aAAa;IACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;KACP,MAAM;KACN,YAAY,EACX,MAAM,EACL,MAAM,6BACN,EACD;KACD,EACD,EACD;IACD,EACD;GACD;EACD,QAAQ,EACP,MAAM,EAAE,EAIR;EACD;CACD,EACD,OAAO,QAAQ;AASd,KAAI,CARe,cAAc;EAChC,QAAQ,IAAI,QAAQ,QAAQ,KAAK;EACjC,MAAM,IAAI,QAAQ,QAAQ,KAAK;EAC/B,SAAS;EACT,aAAa,EACZ,MAAM,CAAC,WAAW,EAClB;EACD,CAAC,CAED,OAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,kBAAkB,0CAC3B,CAAC;CAEH,MAAM,QAAQ,KAAK;AACnB,KAAI,OAAO;EACV,MAAM,aAAa,MAAM,QAAQ,IAAI,KAAK,KAAK,GAC5C,IAAI,KAAK,OACT,CAAC,IAAI,KAAK,KAAK;AAClB,OAAK,MAAM,QAAQ,WAClB,KAAI,CAAC,MAAM,MACV,OAAM,IAAI,SAAS,eAAe,EACjC,SACC,kBAAkB,+CACnB,CAAC;;CAIL,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,IAAI,KAAK,QACT,EACC,MAAM,WAAW,IAAI,KAAK,KAAK,EAC/B,CACD;AACD,QAAO,IAAI,KAAK,EACf,MAAM,aACN,CAAC;EAEH;AAEF,MAAM,qBAAqB,EAAE,OAAO,EACnC,IAAI,EAAE,QAAQ,CAAC,KAAK,EACnB,aAAa,sBACb,CAAC,EACF,CAAC;AAEF,MAAa,WAAW,SACvB,mBACC,mBACA;CACC,QAAQ;CACR,OAAO;CACP,KAAK,CAAC,gBAAgB;CACtB,UAAU,EACT,SAAS;EACR,aAAa;EACb,SAAS;EACT,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,MAAM,EACL,MAAM,6BACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,EAAE,OAAO,IAAI;AAWnB,KAAI,CATe,cAAc;EAChC,QAAQ,IAAI,QAAQ,QAAQ,KAAK;EACjC,MAAM,IAAI,QAAQ,QAAQ,KAAK;EAC/B,SAAS;EACT,aAAa,EACZ,MAAM,CAAC,MAAM,EACb;EACD,CAAC,CAGD,OAAM,IAAI,MAAM,aAAa;EAC5B,SAAS,kBAAkB;EAC3B,MAAM;EACN,CAAC;CAGH,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAAa,GAAG;AAE/D,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,iBAAiB,gBAC1B,CAAC;AAGH,QAAO,gBAAgB,IAAI,QAAQ,SAAS,KAAK;EAElD;AAEF,MAAM,uBAAuB,EAAE,OAAO;CACrC,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,yBACb,CAAC;CACF,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,4BACb,CAAC;CACF,MAAM,EAAE,QAAQ,CAAC