@_mustachio/openauth 0.6.0

package/dist/types/issuer.d.ts

@@ -0,0 +1,465 @@
+/**
+ * The `issuer` create an OpentAuth server, a [Hono](https://hono.dev) app that's
+ * designed to run anywhere.
+ *
+ * The `issuer` function requires a few things:
+ *
+ * ```ts title="issuer.ts"
+ * import { issuer } from "@openauthjs/openauth"
+ *
+ * const app = issuer({
+ *   providers: { ... },
+ *   storage,
+ *   subjects,
+ *   success: async (ctx, value) => { ... }
+ * })
+ * ```
+ *
+ * #### Add providers
+ *
+ * You start by specifying the auth providers you are going to use. Let's say you want your users
+ * to be able to authenticate with GitHub and with their email and password.
+ *
+ * ```ts title="issuer.ts"
+ * import { GithubProvider } from "@openauthjs/openauth/provider/github"
+ * import { PasswordProvider } from "@openauthjs/openauth/provider/password"
+ *
+ * const app = issuer({
+ *   providers: {
+ *     github: GithubProvider({
+ *       // ...
+ *     }),
+ *     password: PasswordProvider({
+ *       // ...
+ *     }),
+ *   },
+ * })
+ * ```
+ *
+ * #### Handle success
+ *
+ * The `success` callback receives the payload when a user completes a provider's auth flow.
+ *
+ * ```ts title="issuer.ts"
+ * const app = issuer({
+ *   providers: { ... },
+ *   subjects,
+ *   async success(ctx, value) {
+ *     let userID
+ *     if (value.provider === "password") {
+ *       console.log(value.email)
+ *       userID = ... // lookup user or create them
+ *     }
+ *     if (value.provider === "github") {
+ *       console.log(value.tokenset.access)
+ *       userID = ... // lookup user or create them
+ *     }
+ *     return ctx.subject("user", {
+ *       userID
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * Once complete, the `issuer` issues the access tokens that a client can use. The `ctx.subject`
+ * call is what is placed in the access token as a JWT.
+ *
+ * #### Define subjects
+ *
+ * You define the shape of these in the `subjects` field.
+ *
+ * ```ts title="subjects.ts"
+ * import { object, string } from "valibot"
+ * import { createSubjects } from "@openauthjs/openauth/subject"
+ *
+ * const subjects = createSubjects({
+ *   user: object({
+ *     userID: string()
+ *   })
+ * })
+ * ```
+ *
+ * It's good to place this in a separate file since this'll be used in your client apps as well.
+ *
+ * ```ts title="issuer.ts"
+ * import { subjects } from "./subjects.js"
+ *
+ * const app = issuer({
+ *   providers: { ... },
+ *   subjects,
+ *   // ...
+ * })
+ * ```
+ *
+ * #### Deploy
+ *
+ * Since `issuer` is a Hono app, you can deploy it anywhere Hono supports.
+ *
+ * <Tabs>
+ *   <TabItem label="Node">
+ *   ```ts title="issuer.ts"
+ *   import { serve } from "@hono/node-server"
+ *
+ *   serve(app)
+ *   ```
+ *   </TabItem>
+ *   <TabItem label="Lambda">
+ *   ```ts title="issuer.ts"
+ *   import { handle } from "hono/aws-lambda"
+ *
+ *   export const handler = handle(app)
+ *   ```
+ *   </TabItem>
+ *   <TabItem label="Bun">
+ *   ```ts title="issuer.ts"
+ *   export default app
+ *   ```
+ *   </TabItem>
+ *   <TabItem label="Workers">
+ *   ```ts title="issuer.ts"
+ *   export default app
+ *   ```
+ *   </TabItem>
+ * </Tabs>
+ *
+ * @packageDocumentation
+ */
+import { Provider } from "./provider/provider.js";
+import { SubjectPayload, SubjectSchema } from "./subject.js";
+import { Context } from "hono";
+/**
+ * Sets the subject payload in the JWT token and returns the response.
+ *
+ * ```ts
+ * ctx.subject("user", {
+ *   userID
+ * })
+ * ```
+ */
+export interface OnSuccessResponder<T extends {
+    type: string;
+    properties: any;
+}> {
+    /**
+     * The `type` is the type of the subject, that was defined in the `subjects` field.
+     *
+     * The `properties` are the properties of the subject. This is the shape of the subject that
+     * you defined in the `subjects` field.
+     */
+    subject<Type extends T["type"]>(type: Type, properties: Extract<T, {
+        type: Type;
+    }>["properties"], opts?: {
+        ttl?: {
+            access?: number;
+            refresh?: number;
+        };
+        subject?: string;
+    }): Promise<Response>;
+}
+export interface AllowCallbackInput {
+    clientID: string;
+    redirectURI: string;
+    audience?: string;
+}
+/**
+ * @internal
+ */
+export interface AuthorizationState {
+    redirect_uri: string;
+    response_type: string;
+    state: string;
+    client_id: string;
+    audience?: string;
+    pkce?: {
+        challenge: string;
+        method: "S256";
+    };
+}
+/**
+ * @internal
+ */
+export type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+import { UnknownStateError } from "./error.js";
+import { StorageAdapter } from "./storage/storage.js";
+import { Theme } from "./ui/theme.js";
+/** @internal */
+export declare const aws: <E extends import("hono").Env = import("hono").Env, S extends import("hono").Schema = {}, BasePath extends string = "/">(app: import("hono").Hono<E, S, BasePath>, { isContentTypeBinary }?: {
+    isContentTypeBinary: ((contentType: string) => boolean) | undefined;
+}) => (<L extends import("hono/aws-lambda").LambdaEvent>(event: L, lambdaContext?: import("hono/aws-lambda").LambdaContext) => Promise<import("hono/aws-lambda").APIGatewayProxyResult & (L extends {
+    multiValueHeaders: Record<string, string[]>;
+} ? {
+    headers?: undefined;
+    multiValueHeaders: Record<string, string[]>;
+} : {
+    headers: Record<string, string>;
+    multiValueHeaders?: undefined;
+})>);
+export interface IssuerInput<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, Result = {
+    [key in keyof Providers]: Prettify<{
+        provider: key;
+    } & (Providers[key] extends Provider<infer T> ? T : {})>;
+}[keyof Providers]> {
+    /**
+     * The shape of the subjects that you want to return.
+     *
+     * @example
+     *
+     * ```ts title="issuer.ts"
+     * import { object, string } from "valibot"
+     * import { createSubjects } from "@openauthjs/openauth/subject"
+     *
+     * issuer({
+     *   subjects: createSubjects({
+     *     user: object({
+     *       userID: string()
+     *     })
+     *   })
+     *   // ...
+     * })
+     * ```
+     */
+    subjects: Subjects;
+    /**
+     * The storage adapter that you want to use.
+     *
+     * @example
+     * ```ts title="issuer.ts"
+     * import { DynamoStorage } from "@openauthjs/openauth/storage/dynamo"
+     *
+     * issuer({
+     *   storage: DynamoStorage()
+     *   // ...
+     * })
+     * ```
+     */
+    storage?: StorageAdapter;
+    /**
+     * The providers that you want your OpenAuth server to support.
+     *
+     * @example
+     *
+     * ```ts title="issuer.ts"
+     * import { GithubProvider } from "@openauthjs/openauth/provider/github"
+     *
+     * issuer({
+     *   providers: {
+     *     github: GithubProvider()
+     *   }
+     * })
+     * ```
+     *
+     * The key is just a string that you can use to identify the provider. It's passed back to
+     * the `success` callback.
+     *
+     * You can also specify multiple providers.
+     *
+     * ```ts
+     * {
+     *   providers: {
+     *     github: GithubProvider(),
+     *     google: GoogleProvider()
+     *   }
+     * }
+     * ```
+     */
+    providers: Providers | ((ctx: Context) => Promise<Providers>);
+    /**
+     * The theme you want to use for the UI.
+     *
+     * This includes the UI the user sees when selecting a provider. And the `PasswordUI` and
+     * `CodeUI` that are used by the `PasswordProvider` and `CodeProvider`.
+     *
+     * @example
+     * ```ts title="issuer.ts"
+     * import { THEME_SST } from "@openauthjs/openauth/ui/theme"
+     *
+     * issuer({
+     *   theme: THEME_SST
+     *   // ...
+     * })
+     * ```
+     *
+     * Or define your own.
+     *
+     * ```ts title="issuer.ts"
+     * import type { Theme } from "@openauthjs/openauth/ui/theme"
+     *
+     * const MY_THEME: Theme = {
+     *   // ...
+     * }
+     *
+     * issuer({
+     *   theme: MY_THEME
+     *   // ...
+     * })
+     * ```
+     */
+    theme?: Theme;
+    /**
+     * Set the TTL, in seconds, for access and refresh tokens.
+     *
+     * @example
+     * ```ts
+     * {
+     *   ttl: {
+     *     access: 60 * 60 * 24 * 30,
+     *     refresh: 60 * 60 * 24 * 365
+     *   }
+     * }
+     * ```
+     */
+    ttl?: {
+        /**
+         * Interval in seconds where the access token is valid.
+         * @default 30d
+         */
+        access?: number;
+        /**
+         * Interval in seconds where the refresh token is valid.
+         * @default 1y
+         */
+        refresh?: number;
+        /**
+         * Interval in seconds where refresh token reuse is allowed. This helps mitigrate
+         * concurrency issues.
+         * @default 60s
+         */
+        reuse?: number;
+        /**
+         * Interval in seconds to retain refresh tokens for reuse detection.
+         * @default 0s
+         */
+        retention?: number;
+    };
+    /**
+     * Optionally, configure the UI that's displayed when the user visits the root URL of the
+     * of the OpenAuth server.
+     *
+     * ```ts title="issuer.ts"
+     * import { Select } from "@openauthjs/openauth/ui/select"
+     *
+     * issuer({
+     *   select: Select({
+     *     providers: {
+     *       github: { hide: true },
+     *       google: { display: "Google" }
+     *     }
+     *   })
+     *   // ...
+     * })
+     * ```
+     *
+     * @default Select()
+     */
+    select?(providers: Record<string, string>, req: Request): Promise<Response>;
+    /**
+     * @internal
+     */
+    start?(req: Request): Promise<void>;
+    /**
+     * The success callback that's called when the user completes the flow.
+     *
+     * This is called after the user has been redirected back to your app after the OAuth flow.
+     *
+     * @example
+     * ```ts
+     * {
+     *   success: async (ctx, value) => {
+     *     let userID
+     *     if (value.provider === "password") {
+     *       console.log(value.email)
+     *       userID = ... // lookup user or create them
+     *     }
+     *     if (value.provider === "github") {
+     *       console.log(value.tokenset.access)
+     *       userID = ... // lookup user or create them
+     *     }
+     *     return ctx.subject("user", {
+     *       userID
+     *     })
+     *   },
+     *   // ...
+     * }
+     * ```
+     */
+    success(response: OnSuccessResponder<SubjectPayload<Subjects>>, input: Result, req: Request): Promise<Response>;
+    /**
+     * Optional callback that's called when a refresh token is used to get new access tokens.
+     *
+     * This allows you to update dynamic user attributes (permissions, roles, etc.) during
+     * token refresh without requiring the user to re-authenticate.
+     *
+     * If not provided, the original properties from the initial authentication will be reused.
+     *
+     * @example
+     * ```ts
+     * {
+     *   refresh: async (ctx, value) => {
+     *     // Fetch updated permissions from database
+     *     const permissions = await db.getPermissions(value.properties.userId)
+     *     return ctx.subject("user", {
+     *       ...value.properties,
+     *       permissions // Updated value
+     *     })
+     *   }
+     * }
+     * ```
+     */
+    refresh?(response: OnSuccessResponder<SubjectPayload<Subjects>>, input: {
+        type: string;
+        properties: any;
+        subject: string;
+        clientID: string;
+    }, req: Request): Promise<Response>;
+    /**
+     * @internal
+     */
+    error?(error: UnknownStateError, req: Request): Promise<Response>;
+    /**
+     * Override the logic for whether a client request is allowed to call the issuer.
+     *
+     * By default, it uses the following:
+     *
+     * - Allow if the `redirectURI` is localhost.
+     * - Compare `redirectURI` to the request's hostname or the `x-forwarded-host` header. If they
+     *   share the same apex domain, then allow.
+     *
+     * :::caution[Security Notice]
+     * The default implementation allows ANY `redirect_uri` on the same apex domain with no per-client isolation.
+     * Consider implementing a custom `allow` function with strict per-client validation if your deployment has:
+     * - Untrusted content on subdomains (user-generated content, third-party scripts)
+     * - Potential XSS attack vectors
+     * - Multiple client applications requiring isolation
+     * :::
+     *
+     * @example
+     * Recommended for production (per-client allowlist):
+     * ```ts
+     * {
+     *   allow: async (input, req) => {
+     *     const allowedRedirects = {
+     *       'web-client': ['https://app.example.com/callback'],
+     *       'mobile-client': ['https://admin.example.com/oauth'],
+     *     }
+     *     return allowedRedirects[input.clientID]?.includes(input.redirectURI) ?? false
+     *   }
+     * }
+     * ```
+     */
+    allow?(input: AllowCallbackInput, req: Request): Promise<boolean>;
+}
+/**
+ * Create an OpenAuth server, a Hono app.
+ */
+export declare function issuer<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, Result = {
+    [key in keyof Providers]: Prettify<{
+        provider: key;
+    } & (Providers[key] extends Provider<infer T> ? T : {})>;
+}[keyof Providers]>(input: IssuerInput<Providers, Subjects, Result>): import("hono/hono-base").HonoBase<{
+    Variables: {
+        authorization: AuthorizationState;
+    };
+}, import("hono/types").BlankSchema, "/", "*">;
+//# sourceMappingURL=issuer.d.ts.map

package/dist/types/issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../src/issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6HG;AACH,OAAO,EAAE,QAAQ,EAAmB,MAAM,wBAAwB,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAG5D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAI9B;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB,CACjC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC,MAAM,CAAC,EAC5B,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,OAAO,CAAC,CAAC,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,YAAY,CAAC,EACpD,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,MAAM,CAAC,EAAE,MAAM,CAAA;YACf,OAAO,CAAC,EAAE,MAAM,CAAA;SACjB,CAAA;QACD,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,QAAQ,CAAC,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;CACF;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI;KACvB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,EAAE,CAAA;AAEN,OAAO,EAIL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAI9D,OAAO,EAAY,KAAK,EAAE,MAAM,eAAe,CAAA;AAO/C,gBAAgB;AAChB,eAAO,MAAM,GAAG;;gFA9BZ,CAAC;;;;;;;;IA8BuB,CAAA;AAE5B,MAAM,WAAW,WAAW,CAC1B,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;KACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAClB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,cAAc,CAAA;IACxB;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,EAAE,KAAK,CAAA;IACb;;;;;;;;;;;;OAYG;IACH,GAAG,CAAC,EAAE;QACJ;;;WAGG;QACH,MAAM,CAAC,EAAE,MAAM,CAAA;QACf;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB;;;;WAIG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd;;;WAGG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3E;;OAEG;IACH,KAAK,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,OAAO,CACL,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,CACN,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,GAAG,CAAA;QACf,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,EACD,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;OAEG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CAClE;AAED;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;KACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC,EAClB,KAAK,EAAE,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC;eAoRlC;QACT,aAAa,EAAE,kBAAkB,CAAA;KAClC;+CA+gBJ"}

package/dist/types/jwt.d.ts

@@ -0,0 +1,6 @@
+import { JWTPayload, KeyLike } from "jose";
+export declare namespace jwt {
+    function create(payload: JWTPayload, algorithm: string, privateKey: KeyLike): Promise<string>;
+    function verify<T>(token: string, publicKey: KeyLike): Promise<import("jose").JWTVerifyResult<T>>;
+}
+//# sourceMappingURL=jwt.d.ts.map

package/dist/types/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAa,OAAO,EAAW,MAAM,MAAM,CAAA;AAE9D,yBAAiB,GAAG,CAAC;IACnB,SAAgB,MAAM,CACpB,OAAO,EAAE,UAAU,EACnB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,OAAO,mBAKpB;IAED,SAAgB,MAAM,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,8CAE1D;CACF"}

package/dist/types/keys.d.ts

@@ -0,0 +1,18 @@
+import { JWK, KeyLike } from "jose";
+import { StorageAdapter } from "./storage/storage.js";
+export interface KeyPair {
+    id: string;
+    alg: string;
+    public: KeyLike;
+    private: KeyLike;
+    created: Date;
+    expired?: Date;
+    jwk: JWK;
+}
+/**
+ * @deprecated use `signingKeys` instead
+ */
+export declare function legacySigningKeys(storage: StorageAdapter): Promise<KeyPair[]>;
+export declare function signingKeys(storage: StorageAdapter): Promise<KeyPair[]>;
+export declare function encryptionKeys(storage: StorageAdapter): Promise<KeyPair[]>;
+//# sourceMappingURL=keys.d.ts.map

package/dist/types/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAOL,GAAG,EACH,OAAO,EACR,MAAM,MAAM,CAAA;AACb,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAc9D,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,OAAO,CAAA;IACf,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,IAAI,CAAA;IACb,OAAO,CAAC,EAAE,IAAI,CAAA;IACd,GAAG,EAAE,GAAG,CAAA;CACT;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,OAAO,EAAE,CAAC,CAsBpB;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAoC7E;AAED,wBAAsB,cAAc,CAClC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,OAAO,EAAE,CAAC,CAmCpB"}

package/dist/types/pkce.d.ts

@@ -0,0 +1,7 @@
+export declare function generatePKCE(length?: number): Promise<{
+    verifier: string;
+    challenge: string;
+    method: string;
+}>;
+export declare function validatePKCE(verifier: string, challenge: string, method?: "S256" | "plain"): Promise<boolean>;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/types/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAgBA,wBAAsB,YAAY,CAAC,MAAM,GAAE,MAAW;;;;GAarD;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,GAAE,MAAM,GAAG,OAAgB,oBAKlC"}

package/dist/types/provider/apple.d.ts

@@ -0,0 +1,108 @@
+/**
+ * Use this provider to authenticate with Apple. Supports both OAuth2 and OIDC.
+ *
+ * #### Using OAuth
+ *
+ * ```ts {5-8}
+ * import { AppleProvider } from "@openauthjs/openauth/provider/apple"
+ *
+ * export default issuer({
+ *   providers: {
+ *     apple: AppleProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * #### Using OAuth with form_post response mode
+ *
+ * When requesting name or email scopes from Apple, you must use form_post response mode:
+ *
+ * ```ts {5-9}
+ * import { AppleProvider } from "@openauthjs/openauth/provider/apple"
+ *
+ * export default issuer({
+ *   providers: {
+ *     apple: AppleProvider({
+ *       clientID: "1234567890",
+ *       clientSecret: "0987654321",
+ *       responseMode: "form_post"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * #### Using OIDC
+ *
+ * ```ts {5-7}
+ * import { AppleOidcProvider } from "@openauthjs/openauth/provider/apple"
+ *
+ * export default issuer({
+ *   providers: {
+ *     apple: AppleOidcProvider({
+ *       clientID: "1234567890"
+ *     })
+ *   }
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { Oauth2WrappedConfig } from "./oauth2.js";
+import { OidcWrappedConfig } from "./oidc.js";
+export interface AppleConfig extends Oauth2WrappedConfig {
+    /**
+     * The response mode to use for the authorization request.
+     * Apple requires 'form_post' response mode when requesting name or email scopes.
+     * @default "query"
+     */
+    responseMode?: "query" | "form_post";
+}
+export interface AppleOidcConfig extends OidcWrappedConfig {
+}
+/**
+ * Create an Apple OAuth2 provider.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * // Using default query response mode (GET callback)
+ * AppleProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321"
+ * })
+ *
+ * // Using form_post response mode (POST callback)
+ * // Required when requesting name or email scope
+ * AppleProvider({
+ *   clientID: "1234567890",
+ *   clientSecret: "0987654321",
+ *   responseMode: "form_post",
+ *   scopes: ["name", "email"]
+ * })
+ * ```
+ */
+export declare function AppleProvider(config: AppleConfig): import("./provider.js").Provider<{
+    tokenset: import("./oauth2.js").Oauth2Token;
+    clientID: string;
+}>;
+/**
+ * Create an Apple OIDC provider.
+ *
+ * This is useful if you just want to verify the user's email address.
+ *
+ * @param config - The config for the provider.
+ * @example
+ * ```ts
+ * AppleOidcProvider({
+ *   clientID: "1234567890"
+ * })
+ * ```
+ */
+export declare function AppleOidcProvider(config: AppleOidcConfig): import("./provider.js").Provider<{
+    id: import("hono/utils/jwt/types").JWTPayload;
+    clientID: string;
+}>;
+//# sourceMappingURL=apple.d.ts.map

package/dist/types/provider/apple.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apple.d.ts","sourceRoot":"","sources":["../../../src/provider/apple.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH,OAAO,EAAkB,mBAAmB,EAAE,MAAM,aAAa,CAAA;AACjE,OAAO,EAAgB,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAE3D,MAAM,WAAW,WAAY,SAAQ,mBAAmB;IACtD;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,GAAG,WAAW,CAAA;CACrC;AACD,MAAM,WAAW,eAAgB,SAAQ,iBAAiB;CAAG;AAE7D;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW;;;GAiBhD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe;;;GAMxD"}

package/dist/types/provider/arctic.d.ts

@@ -0,0 +1,16 @@
+import type { OAuth2Tokens } from "arctic";
+import { Provider } from "./provider.js";
+export interface ArcticProviderOptions {
+    scopes: string[];
+    clientID: string;
+    clientSecret: string;
+    query?: Record<string, string>;
+}
+export declare function ArcticProvider(provider: new (clientID: string, clientSecret: string, callback: string) => {
+    createAuthorizationURL(state: string, scopes: string[]): URL;
+    validateAuthorizationCode(code: string): Promise<OAuth2Tokens>;
+    refreshAccessToken(refreshToken: string): Promise<OAuth2Tokens>;
+}, config: ArcticProviderOptions): Provider<{
+    tokenset: OAuth2Tokens;
+}>;
+//# sourceMappingURL=arctic.d.ts.map

package/dist/types/provider/arctic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"arctic.d.ts","sourceRoot":"","sources":["../../../src/provider/arctic.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAA;AAE1C,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAIxC,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAC/B;AAMD,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,KACR,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,KACb;IACH,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAA;IAC5D,yBAAyB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;IAC9D,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;CAChE,EACD,MAAM,EAAE,qBAAqB,GAC5B,QAAQ,CAAC;IACV,QAAQ,EAAE,YAAY,CAAA;CACvB,CAAC,CAmCD"}