npm - @_mustachio/openauth - Versions diffs - 0.6.0 → 0.7.0 - Mend

@_mustachio/openauth 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/esm/issuer.js +95 -1
package/dist/esm/provider/m2m.js +1 -2
package/dist/types/issuer.d.ts +46 -1
package/dist/types/issuer.d.ts.map +1 -1
package/package.json +5 -1
package/src/issuer.ts +177 -2

package/dist/esm/issuer.js CHANGED Viewed

@@ -19,6 +19,10 @@ import { DynamoStorage } from "./storage/dynamo.js";
 import { MemoryStorage } from "./storage/memory.js";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
+var TENANT_ID_REGEX = /^[a-zA-Z0-9_-]{1,64}$/;
+function isValidTenantId(tenantId) {
+  return TENANT_ID_REGEX.test(tenantId);
+}
 var aws = awsHandle;
 function issuer(input) {
   const error = input.error ?? function(err) {
@@ -64,9 +68,16 @@ function issuer(input) {
   const encryptionKey = lazy(() => allEncryption().then((all) => all[0]));
   const auth = {
     async success(ctx, properties, successOpts) {
+      const authorization = await getAuthorization(ctx);
+      const tenantIdFromPath = ctx.get("tenantId");
+      if (authorization.tenantId !== tenantIdFromPath) {
+        const url = new URL(authorization.redirect_uri);
+        url.searchParams.set("error", "invalid_request");
+        url.searchParams.set("error_description", "Tenant ID mismatch");
+        return ctx.redirect(url.toString());
+      }
       return await input.success({
         async subject(type, properties2, subjectOpts) {
-          const authorization = await getAuthorization(ctx);
           const subject = subjectOpts?.subject ? subjectOpts.subject : await resolveSubject(type, properties2);
           await successOpts?.invalidate?.(await resolveSubject(type, properties2));
           if (authorization.response_type === "token") {
@@ -113,6 +124,7 @@ function issuer(input) {
         }
       }, {
         provider: ctx.get("provider"),
+        tenantId: authorization.tenantId,
         ...properties
       }, ctx.req.raw);
     },
@@ -478,6 +490,63 @@ function issuer(input) {
       value.type
     ])), c.req.raw));
   });
+  app.get("/tenant/:tenantId/authorize", async (c) => {
+    const tenantId = c.req.param("tenantId");
+    if (!isValidTenantId(tenantId)) {
+      return c.json({ error: "invalid_tenant_id" }, 400);
+    }
+    c.set("tenantId", tenantId);
+    const provider = c.req.query("provider");
+    const response_type = c.req.query("response_type");
+    const redirect_uri = c.req.query("redirect_uri");
+    const state = c.req.query("state");
+    const client_id = c.req.query("client_id");
+    const audience = c.req.query("audience");
+    const code_challenge = c.req.query("code_challenge");
+    const code_challenge_method = c.req.query("code_challenge_method");
+    const authorization = {
+      response_type,
+      redirect_uri,
+      state,
+      client_id,
+      audience,
+      pkce: code_challenge && code_challenge_method ? {
+        challenge: code_challenge,
+        method: code_challenge_method
+      } : undefined,
+      tenantId
+    };
+    if (!redirect_uri) {
+      return c.text("Missing redirect_uri", { status: 400 });
+    }
+    if (!response_type) {
+      throw new MissingParameterError("response_type");
+    }
+    if (!client_id) {
+      throw new MissingParameterError("client_id");
+    }
+    if (input.start) {
+      await input.start(c.req.raw);
+    }
+    if (!await allow()({
+      clientID: client_id,
+      redirectURI: redirect_uri,
+      audience
+    }, c.req.raw))
+      throw new UnauthorizedClientError(client_id, redirect_uri);
+    await auth.set(c, "authorization", 60 * 60 * 24, authorization);
+    c.set("authorization", authorization);
+    if (provider)
+      return c.redirect(`/tenant/${tenantId}/${provider}/authorize`);
+    const resolvedProviders = await getProviders(c);
+    const providerNames = Object.keys(resolvedProviders);
+    if (providerNames.length === 1)
+      return c.redirect(`/tenant/${tenantId}/${providerNames[0]}/authorize`);
+    return auth.forward(c, await select()(Object.fromEntries(Object.entries(resolvedProviders).map(([key, value]) => [
+      key,
+      value.type
+    ])), c.req.raw));
+  });
   app.get("/userinfo", async (c) => {
     const header = c.req.header("Authorization");
     if (!header) {
@@ -512,6 +581,31 @@ function issuer(input) {
     });
   });
   if (typeof input.providers === "function") {
+    app.all("/tenant/:tenantId/:provider_name/*", async (c, next) => {
+      const tenantId = c.req.param("tenantId");
+      if (!isValidTenantId(tenantId)) {
+        return c.json({ error: "invalid_tenant_id" }, 400);
+      }
+      c.set("tenantId", tenantId);
+      const name = c.req.param("provider_name");
+      const providers = await getProviders(c);
+      const value = providers[name];
+      if (!value)
+        return next();
+      const route = new Hono;
+      route.use(async (c2, next2) => {
+        c2.set("provider", name);
+        c2.set("tenantId", tenantId);
+        await next2();
+      });
+      value.init(route, {
+        name,
+        ...auth
+      });
+      const sub = new Hono;
+      sub.route(`/tenant/${tenantId}/${name}`, route);
+      return sub.fetch(c.req.raw);
+    });
     app.all("/:provider_name/*", async (c, next) => {
       const name = c.req.param("provider_name");
       const providers = await getProviders(c);

package/dist/esm/provider/m2m.js CHANGED Viewed

@@ -2,8 +2,7 @@
 function M2MProvider(config) {
   return {
     type: "m2m",
-    init() {
-    },
+    init() {},
     async client(input) {
       const result = await config.verify(input.clientID, input.clientSecret, input.params);
       if (!result)

package/dist/types/issuer.d.ts CHANGED Viewed

@@ -91,6 +91,24 @@
  * })
  * ```
  *
+ * #### Multi-tenant routes
+ *
+ * For environments where subdomains or headers can't identify tenants (e.g., Lambda URLs),
+ * use explicit tenant routes: `/tenant/:tenantId/authorize` instead of `/authorize`.
+ *
+ * ```ts title="issuer.ts"
+ * const app = issuer({
+ *   providers: async (ctx) => {
+ *     const tenantId = ctx.get("tenantId") as string
+ *     const config = await db.tenants.findUnique({ where: { id: tenantId } })
+ *     return { github: GithubProvider({ clientID: config.githubClientId, ... }) }
+ *   },
+ *   success: async (ctx, value) => {
+ *     return ctx.subject("user", { userID: value.email, tenantId: value.tenantId })
+ *   }
+ * })
+ * ```
+ *
  * #### Deploy
  *
  * Since `issuer` is a Hono app, you can deploy it anywhere Hono supports.
@@ -174,6 +192,7 @@ export interface AuthorizationState {
         challenge: string;
         method: "S256";
     };
+    tenantId?: string;
 }
 /**
  * @internal
@@ -263,6 +282,25 @@ export interface IssuerInput<Providers extends Record<string, Provider<any>>, Su
      *   }
      * }
      * ```
+     *
+     * For multi-tenant applications, you can provide a function that returns providers dynamically.
+     * When using tenant routes (`/tenant/:tenantId/authorize`), the tenant ID is available via
+     * `ctx.get("tenantId")`:
+     *
+     * ```ts
+     * {
+     *   providers: async (ctx) => {
+     *     const tenantId = ctx.get("tenantId") as string
+     *     const config = await db.tenants.findUnique({ where: { id: tenantId } })
+     *     return {
+     *       github: GithubProvider({
+     *         clientID: config.githubClientId,
+     *         clientSecret: config.githubClientSecret,
+     *       })
+     *     }
+     *   }
+     * }
+     * ```
      */
     providers: Providers | ((ctx: Context) => Promise<Providers>);
     /**
@@ -363,6 +401,9 @@ export interface IssuerInput<Providers extends Record<string, Provider<any>>, Su
      *
      * This is called after the user has been redirected back to your app after the OAuth flow.
      *
+     * The `value` parameter includes `provider` (the provider name) and any provider-specific
+     * data. When using tenant routes (`/tenant/:tenantId/authorize`), it also includes `tenantId`.
+     *
      * @example
      * ```ts
      * {
@@ -377,7 +418,9 @@ export interface IssuerInput<Providers extends Record<string, Provider<any>>, Su
      *       userID = ... // lookup user or create them
      *     }
      *     return ctx.subject("user", {
-     *       userID
+     *       userID,
+     *       // For multi-tenant, store tenantId in subject for refresh access
+     *       tenantId: value.tenantId,
      *     })
      *   },
      *   // ...
@@ -456,10 +499,12 @@ export interface IssuerInput<Providers extends Record<string, Provider<any>>, Su
 export declare function issuer<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, Result = {
     [key in keyof Providers]: Prettify<{
         provider: key;
+        tenantId?: string;
     } & (Providers[key] extends Provider<infer T> ? T : {})>;
 }[keyof Providers]>(input: IssuerInput<Providers, Subjects, Result>): import("hono/hono-base").HonoBase<{
     Variables: {
         authorization: AuthorizationState;
+        tenantId: string;
     };
 }, import("hono/types").BlankSchema, "/", "*">;
 //# sourceMappingURL=issuer.d.ts.map

package/dist/types/issuer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../src/issuer.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6HG~~;AACH,OAAO,EAAE,QAAQ,EAAmB,MAAM,wBAAwB,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAG5D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAI9B;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB,CACjC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC,MAAM,CAAC,EAC5B,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,OAAO,CAAC,CAAC,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,YAAY,CAAC,EACpD,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,MAAM,CAAC,EAAE,MAAM,CAAA;YACf,OAAO,CAAC,EAAE,MAAM,CAAA;SACjB,CAAA;QACD,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,QAAQ,CAAC,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;~~CACF~~;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI;KACvB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,EAAE,CAAA;AAEN,OAAO,EAIL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAI9D,OAAO,EAAY,KAAK,EAAE,MAAM,eAAe,CAAA;~~AAO~~/C,gBAAgB;AAChB,eAAO,MAAM,GAAG;;~~gFA9BZ~~,CAAC;;;;;;;;~~IA8BuB~~,CAAA;AAE5B,MAAM,WAAW,WAAW,CAC1B,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;KACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAClB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,cAAc,CAAA;IACxB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG~~;IACH,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,EAAE,KAAK,CAAA;IACb;;;;;;;;;;;;OAYG;IACH,GAAG,CAAC,EAAE;QACJ;;;WAGG;QACH,MAAM,CAAC,EAAE,MAAM,CAAA;QACf;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB;;;;WAIG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd;;;WAGG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3E;;OAEG;IACH,KAAK,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC~~;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG~~;IACH,OAAO,CACL,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,CACN,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,GAAG,CAAA;QACf,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,EACD,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;OAEG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CAClE;AAED;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;~~KACd~~,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC,EAClB,KAAK,EAAE,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC;~~eAoRlC~~;QACT,aAAa,EAAE,kBAAkB,CAAA;~~KAClC~~;+CA+~~gBJ~~"}
1	+ {"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../src/issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+IG;AACH,OAAO,EAAE,QAAQ,EAAmB,MAAM,wBAAwB,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAG5D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAI9B;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB,CACjC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC,MAAM,CAAC,EAC5B,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,OAAO,CAAC,CAAC,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,YAAY,CAAC,EACpD,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,MAAM,CAAC,EAAE,MAAM,CAAA;YACf,OAAO,CAAC,EAAE,MAAM,CAAA;SACjB,CAAA;QACD,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,QAAQ,CAAC,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;IACD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI;KACvB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,EAAE,CAAA;AAEN,OAAO,EAIL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAI9D,OAAO,EAAY,KAAK,EAAE,MAAM,eAAe,CAAA;AAc/C,gBAAgB;AAChB,eAAO,MAAM,GAAG;;gFAvEW,CAAC;;;;;;;;IAuEA,CAAA;AAE5B,MAAM,WAAW,WAAW,CAC1B,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;KACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAClB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,cAAc,CAAA;IACxB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+CG;IACH,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,EAAE,KAAK,CAAA;IACb;;;;;;;;;;;;OAYG;IACH,GAAG,CAAC,EAAE;QACJ;;;WAGG;QACH,MAAM,CAAC,EAAE,MAAM,CAAA;QACf;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB;;;;WAIG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd;;;WAGG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3E;;OAEG;IACH,KAAK,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,OAAO,CACL,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,CACN,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,GAAG,CAAA;QACf,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,EACD,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;OAEG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CAClE;AAED;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;QACb,QAAQ,CAAC,EAAE,MAAM,CAAA;KAClB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC,EAClB,KAAK,EAAE,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC;eA+RlC;QACT,aAAa,EAAE,kBAAkB,CAAA;QACjC,QAAQ,EAAE,MAAM,CAAA;KACjB;+CA+nBJ"}

package/package.json CHANGED Viewed

@@ -1,7 +1,11 @@
 {
   "name": "@_mustachio/openauth",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/the-human-mustachio/openauth.git"
+  },
   "type": "module",
   "scripts": {
     "build": "bun run script/build.ts",

package/src/issuer.ts CHANGED Viewed

@@ -91,6 +91,24 @@
  * })
  * ```
  *
+ * #### Multi-tenant routes
+ *
+ * For environments where subdomains or headers can't identify tenants (e.g., Lambda URLs),
+ * use explicit tenant routes: `/tenant/:tenantId/authorize` instead of `/authorize`.
+ *
+ * ```ts title="issuer.ts"
+ * const app = issuer({
+ *   providers: async (ctx) => {
+ *     const tenantId = ctx.get("tenantId") as string
+ *     const config = await db.tenants.findUnique({ where: { id: tenantId } })
+ *     return { github: GithubProvider({ clientID: config.githubClientId, ... }) }
+ *   },
+ *   success: async (ctx, value) => {
+ *     return ctx.subject("user", { userID: value.email, tenantId: value.tenantId })
+ *   }
+ * })
+ * ```
+ *
  * #### Deploy
  *
  * Since `issuer` is a Hono app, you can deploy it anywhere Hono supports.
@@ -182,6 +200,7 @@ export interface AuthorizationState {
     challenge: string
     method: "S256"
   }
+  tenantId?: string
 }
 /**
@@ -209,6 +228,13 @@ import { MemoryStorage } from "./storage/memory.js"
 import { cors } from "hono/cors"
 import { logger } from "hono/logger"
+// Tenant ID validation: alphanumeric, underscore, hyphen, 1-64 chars
+const TENANT_ID_REGEX = /^[a-zA-Z0-9_-]{1,64}$/
+function isValidTenantId(tenantId: string): boolean {
+  return TENANT_ID_REGEX.test(tenantId)
+}
 /** @internal */
 export const aws = awsHandle
@@ -285,6 +311,25 @@ export interface IssuerInput<
    *   }
    * }
    * ```
+   *
+   * For multi-tenant applications, you can provide a function that returns providers dynamically.
+   * When using tenant routes (`/tenant/:tenantId/authorize`), the tenant ID is available via
+   * `ctx.get("tenantId")`:
+   *
+   * ```ts
+   * {
+   *   providers: async (ctx) => {
+   *     const tenantId = ctx.get("tenantId") as string
+   *     const config = await db.tenants.findUnique({ where: { id: tenantId } })
+   *     return {
+   *       github: GithubProvider({
+   *         clientID: config.githubClientId,
+   *         clientSecret: config.githubClientSecret,
+   *       })
+   *     }
+   *   }
+   * }
+   * ```
    */
   providers: Providers | ((ctx: Context) => Promise<Providers>)
   /**
@@ -385,6 +430,9 @@ export interface IssuerInput<
    *
    * This is called after the user has been redirected back to your app after the OAuth flow.
    *
+   * The `value` parameter includes `provider` (the provider name) and any provider-specific
+   * data. When using tenant routes (`/tenant/:tenantId/authorize`), it also includes `tenantId`.
+   *
    * @example
    * ```ts
    * {
@@ -399,7 +447,9 @@ export interface IssuerInput<
    *       userID = ... // lookup user or create them
    *     }
    *     return ctx.subject("user", {
-   *       userID
+   *       userID,
+   *       // For multi-tenant, store tenantId in subject for refresh access
+   *       tenantId: value.tenantId,
    *     })
    *   },
    *   // ...
@@ -491,6 +541,7 @@ export function issuer<
     [key in keyof Providers]: Prettify<
       {
         provider: key
+        tenantId?: string
       } & (Providers[key] extends Provider<infer T> ? T : {})
     >
   }[keyof Providers],
@@ -556,10 +607,20 @@ export function issuer<
   const auth: Omit<ProviderOptions<any>, "name"> = {
     async success(ctx: Context, properties: any, successOpts) {
+      const authorization = await getAuthorization(ctx)
+      const tenantIdFromPath = ctx.get("tenantId") as string | undefined
+      // Security: Verify tenantId matches what was stored at authorize time
+      if (authorization.tenantId !== tenantIdFromPath) {
+        const url = new URL(authorization.redirect_uri)
+        url.searchParams.set("error", "invalid_request")
+        url.searchParams.set("error_description", "Tenant ID mismatch")
+        return ctx.redirect(url.toString())
+      }
       return await input.success(
         {
           async subject(type, properties, subjectOpts) {
-            const authorization = await getAuthorization(ctx)
             const subject = subjectOpts?.subject
               ? subjectOpts.subject
               : await resolveSubject(type, properties)
@@ -619,6 +680,7 @@ export function issuer<
         },
         {
           provider: ctx.get("provider"),
+          tenantId: authorization.tenantId,
           ...properties,
         },
         ctx.req.raw,
@@ -772,6 +834,7 @@ export function issuer<
   const app = new Hono<{
     Variables: {
       authorization: AuthorizationState
+      tenantId: string
     }
   }>().use(logger())
@@ -1188,6 +1251,87 @@ export function issuer<
     )
   })
+  app.get("/tenant/:tenantId/authorize", async (c) => {
+    const tenantId = c.req.param("tenantId")
+    // Validate tenantId to prevent path traversal/injection attacks
+    if (!isValidTenantId(tenantId)) {
+      return c.json({ error: "invalid_tenant_id" }, 400)
+    }
+    c.set("tenantId", tenantId)
+    const provider = c.req.query("provider")
+    const response_type = c.req.query("response_type")
+    const redirect_uri = c.req.query("redirect_uri")
+    const state = c.req.query("state")
+    const client_id = c.req.query("client_id")
+    const audience = c.req.query("audience")
+    const code_challenge = c.req.query("code_challenge")
+    const code_challenge_method = c.req.query("code_challenge_method")
+    const authorization: AuthorizationState = {
+      response_type,
+      redirect_uri,
+      state,
+      client_id,
+      audience,
+      pkce:
+        code_challenge && code_challenge_method
+          ? {
+              challenge: code_challenge,
+              method: code_challenge_method,
+            }
+          : undefined,
+      tenantId,
+    } as AuthorizationState
+    if (!redirect_uri) {
+      return c.text("Missing redirect_uri", { status: 400 })
+    }
+    if (!response_type) {
+      throw new MissingParameterError("response_type")
+    }
+    if (!client_id) {
+      throw new MissingParameterError("client_id")
+    }
+    if (input.start) {
+      await input.start(c.req.raw)
+    }
+    if (
+      !(await allow()(
+        {
+          clientID: client_id,
+          redirectURI: redirect_uri,
+          audience,
+        },
+        c.req.raw,
+      ))
+    )
+      throw new UnauthorizedClientError(client_id, redirect_uri)
+    await auth.set(c, "authorization", 60 * 60 * 24, authorization)
+    c.set("authorization", authorization)
+    if (provider) return c.redirect(`/tenant/${tenantId}/${provider}/authorize`)
+    const resolvedProviders = await getProviders(c)
+    const providerNames = Object.keys(resolvedProviders)
+    if (providerNames.length === 1)
+      return c.redirect(`/tenant/${tenantId}/${providerNames[0]}/authorize`)
+    return auth.forward(
+      c,
+      await select()(
+        Object.fromEntries(
+          Object.entries(resolvedProviders).map(([key, value]) => [
+            key,
+            value.type,
+          ]),
+        ),
+        c.req.raw,
+      ),
+    )
+  })
   app.get("/userinfo", async (c) => {
     const header = c.req.header("Authorization")
@@ -1246,6 +1390,37 @@ export function issuer<
   })
   if (typeof input.providers === "function") {
+    // Tenant-specific provider routes (must be before generic /:provider_name/*)
+    app.all("/tenant/:tenantId/:provider_name/*", async (c, next) => {
+      const tenantId = c.req.param("tenantId")
+      // Validate tenantId to prevent path traversal/injection attacks
+      if (!isValidTenantId(tenantId)) {
+        return c.json({ error: "invalid_tenant_id" }, 400)
+      }
+      c.set("tenantId", tenantId)
+      const name = c.req.param("provider_name")
+      const providers = await getProviders(c)
+      const value = providers[name]
+      if (!value) return next()
+      const route = new Hono<any>()
+      route.use(async (c, next) => {
+        c.set("provider", name)
+        c.set("tenantId", tenantId)
+        await next()
+      })
+      value.init(route, {
+        name,
+        ...auth,
+      })
+      const sub = new Hono()
+      sub.route(`/tenant/${tenantId}/${name}`, route)
+      return sub.fetch(c.req.raw)
+    })
+    // Generic provider routes (for non-tenant flows)
     app.all("/:provider_name/*", async (c, next) => {
       const name = c.req.param("provider_name")
       const providers = await getProviders(c)