@_mustachio/openauth 0.7.0 → 0.8.0

package/dist/esm/issuer.js

@@ -66,6 +66,13 @@ function issuer(input) {
   const allEncryption = lazy(() => encryptionKeys(storage));
   const signingKey = lazy(() => allSigning().then((all) => all[0]));
   const encryptionKey = lazy(() => allEncryption().then((all) => all[0]));
+  const getBasePath = (req) => {
+    if (!input.basePath)
+      return "";
+    if (typeof input.basePath === "string")
+      return input.basePath;
+    return input.basePath(req);
+  };
   const auth = {
     async success(ctx, properties, successOpts) {
       const authorization = await getAuthorization(ctx);
@@ -125,6 +132,7 @@ function issuer(input) {
       }, {
         provider: ctx.get("provider"),
         tenantId: authorization.tenantId,
+        context: ctx.get("requestContext"),
         ...properties
       }, ctx.req.raw);
     },
@@ -135,6 +143,7 @@ function issuer(input) {
       setCookie(ctx, key, await encrypt(value), {
         maxAge,
         httpOnly: true,
+        path: input.cookies?.path,
         ...ctx.req.url.startsWith("https://") ? { secure: true, sameSite: "None" } : {}
       });
     },
@@ -147,7 +156,7 @@ function issuer(input) {
       });
     },
     async unset(ctx, key) {
-      deleteCookie(ctx, key);
+      deleteCookie(ctx, key, { path: input.cookies?.path });
     },
     async invalidate(subject) {
       const keys = await Array.fromAsync(Storage.scan(this.storage, ["oauth:refresh", subject]));
@@ -207,9 +216,16 @@ function issuer(input) {
     return JSON.parse(new TextDecoder().decode(await compactDecrypt(value, await encryptionKey().then((v) => v.private)).then((value2) => value2.plaintext)));
   }
   function issuer2(ctx) {
-    return new URL(getRelativeUrl(ctx, "/")).origin;
+    const base = getBasePath(ctx.req.raw);
+    return new URL(getRelativeUrl(ctx, base || "/")).origin + base;
   }
   const app = new Hono().use(logger());
+  app.use(async (c, next) => {
+    if (input.context) {
+      c.set("requestContext", input.context(c.req.raw));
+    }
+    await next();
+  });
   const getProviders = async (c) => {
     if (typeof input.providers === "function") {
       return input.providers(c);
@@ -434,6 +450,7 @@ function issuer(input) {
         }
       }, {
         provider: provider.toString(),
+        context: c.get("requestContext"),
         ...response
       }, c.req.raw);
     }
@@ -480,11 +497,11 @@ function issuer(input) {
     await auth.set(c, "authorization", 60 * 60 * 24, authorization);
     c.set("authorization", authorization);
     if (provider)
-      return c.redirect(`/${provider}/authorize`);
+      return c.redirect(`${getBasePath(c.req.raw)}/${provider}/authorize`);
     const resolvedProviders = await getProviders(c);
     const providerNames = Object.keys(resolvedProviders);
     if (providerNames.length === 1)
-      return c.redirect(`/${providerNames[0]}/authorize`);
+      return c.redirect(`${getBasePath(c.req.raw)}/${providerNames[0]}/authorize`);
     return auth.forward(c, await select()(Object.fromEntries(Object.entries(resolvedProviders).map(([key, value]) => [
       key,
       value.type
@@ -537,11 +554,11 @@ function issuer(input) {
     await auth.set(c, "authorization", 60 * 60 * 24, authorization);
     c.set("authorization", authorization);
     if (provider)
-      return c.redirect(`/tenant/${tenantId}/${provider}/authorize`);
+      return c.redirect(`${getBasePath(c.req.raw)}/tenant/${tenantId}/${provider}/authorize`);
     const resolvedProviders = await getProviders(c);
     const providerNames = Object.keys(resolvedProviders);
     if (providerNames.length === 1)
-      return c.redirect(`/tenant/${tenantId}/${providerNames[0]}/authorize`);
+      return c.redirect(`${getBasePath(c.req.raw)}/tenant/${tenantId}/${providerNames[0]}/authorize`);
     return auth.forward(c, await select()(Object.fromEntries(Object.entries(resolvedProviders).map(([key, value]) => [
       key,
       value.type

package/dist/types/issuer.d.ts

@@ -109,6 +109,51 @@
  * })
  * ```
  *
+ * #### Advanced multi-tenant configuration
+ *
+ * For complex multi-tenant scenarios, OpenAuth provides three additional configuration options:
+ *
+ * - **`basePath`** - Dynamic URL prefix when the issuer is mounted at a variable path
+ * - **`cookies.path`** - Set to `"/"` so cookies work across all paths
+ * - **`context`** - Extract custom data from requests, available in providers and callbacks
+ *
+ * ```ts title="issuer.ts"
+ * const app = issuer({
+ *   storage,
+ *   subjects,
+ *   // Dynamic base path based on request headers
+ *   basePath: (req) => `/auth/${req.headers.get("x-org-slug")}`,
+ *   // Root-level cookies that work across all paths
+ *   cookies: { path: "/" },
+ *   // Extract org/app context from each request
+ *   context: (req) => ({
+ *     orgSlug: req.headers.get("x-org-slug")!,
+ *     appSlug: req.headers.get("x-app-slug")!,
+ *   }),
+ *   providers: async (ctx) => {
+ *     const { orgSlug, appSlug } = ctx.get("requestContext") as { orgSlug: string; appSlug: string }
+ *     const config = await db.getAppConfig(orgSlug, appSlug)
+ *     return {
+ *       github: GithubProvider({
+ *         clientID: config.githubClientId,
+ *         clientSecret: config.githubClientSecret,
+ *       })
+ *     }
+ *   },
+ *   success: async (ctx, value) => {
+ *     const { orgSlug, appSlug } = value.context
+ *     return ctx.subject("user", {
+ *       userID: value.email,
+ *       orgSlug,
+ *       appSlug,
+ *     })
+ *   },
+ * })
+ *
+ * // Mount the issuer at a dynamic route
+ * honoApp.route("/auth/:orgSlug/:appSlug", app)
+ * ```
+ *
  * #### Deploy
  *
  * Since `issuer` is a Hono app, you can deploy it anywhere Hono supports.
@@ -215,9 +260,11 @@ export declare const aws: <E extends import("hono").Env = import("hono").Env, S
     headers: Record<string, string>;
     multiValueHeaders?: undefined;
 })>);
-export interface IssuerInput<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, Result = {
+export interface IssuerInput<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, RequestContext = undefined, Result = {
     [key in keyof Providers]: Prettify<{
         provider: key;
+        tenantId?: string;
+        context: RequestContext;
     } & (Providers[key] extends Provider<infer T> ? T : {})>;
 }[keyof Providers]> {
     /**
@@ -492,19 +539,56 @@ export interface IssuerInput<Providers extends Record<string, Provider<any>>, Su
      * ```
      */
     allow?(input: AllowCallbackInput, req: Request): Promise<boolean>;
+    /**
+     * Cookie configuration options.
+     */
+    cookies?: {
+        /**
+         * Path for cookies. Defaults to the current path.
+         * Set to "/" for root-level cookies that work across all paths.
+         */
+        path?: string;
+    };
+    /**
+     * Extract custom context from the request. This context is available
+     * in providers via `ctx.get("requestContext")` and in callbacks via `input.context`.
+     *
+     * @example
+     * ```ts
+     * context: (req) => ({
+     *   orgSlug: req.header("x-org-slug")!,
+     *   appSlug: req.header("x-app-slug")!,
+     * }),
+     * ```
+     */
+    context?: (req: Request) => RequestContext;
+    /**
+     * Base path for all routes. Can be a static string or a function that
+     * receives the request and returns the path.
+     *
+     * @example
+     * ```ts
+     * basePath: "/auth/acme"
+     * // or
+     * basePath: (req) => `/auth/${req.headers.get("x-org-slug")}`
+     * ```
+     */
+    basePath?: string | ((req: Request) => string);
 }
 /**
  * Create an OpenAuth server, a Hono app.
  */
-export declare function issuer<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, Result = {
+export declare function issuer<Providers extends Record<string, Provider<any>>, Subjects extends SubjectSchema, RequestContext = undefined, Result = {
     [key in keyof Providers]: Prettify<{
         provider: key;
         tenantId?: string;
+        context: RequestContext;
     } & (Providers[key] extends Provider<infer T> ? T : {})>;
-}[keyof Providers]>(input: IssuerInput<Providers, Subjects, Result>): import("hono/hono-base").HonoBase<{
+}[keyof Providers]>(input: IssuerInput<Providers, Subjects, RequestContext, Result>): import("hono/hono-base").HonoBase<{
     Variables: {
         authorization: AuthorizationState;
         tenantId: string;
+        requestContext: RequestContext;
     };
 }, import("hono/types").BlankSchema, "/", "*">;
 //# sourceMappingURL=issuer.d.ts.map

package/dist/types/issuer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../src/issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+IG;AACH,OAAO,EAAE,QAAQ,EAAmB,MAAM,wBAAwB,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAG5D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAI9B;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB,CACjC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC,MAAM,CAAC,EAC5B,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,OAAO,CAAC,CAAC,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,YAAY,CAAC,EACpD,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,MAAM,CAAC,EAAE,MAAM,CAAA;YACf,OAAO,CAAC,EAAE,MAAM,CAAA;SACjB,CAAA;QACD,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,QAAQ,CAAC,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;IACD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI;KACvB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,EAAE,CAAA;AAEN,OAAO,EAIL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAI9D,OAAO,EAAY,KAAK,EAAE,MAAM,eAAe,CAAA;AAc/C,gBAAgB;AAChB,eAAO,MAAM,GAAG;;gFAvEW,CAAC;;;;;;;;IAuEA,CAAA;AAE5B,MAAM,WAAW,WAAW,CAC1B,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;KACd,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAClB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,cAAc,CAAA;IACxB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+CG;IACH,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,EAAE,KAAK,CAAA;IACb;;;;;;;;;;;;OAYG;IACH,GAAG,CAAC,EAAE;QACJ;;;WAGG;QACH,MAAM,CAAC,EAAE,MAAM,CAAA;QACf;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB;;;;WAIG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd;;;WAGG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3E;;OAEG;IACH,KAAK,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,OAAO,CACL,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,CACN,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,GAAG,CAAA;QACf,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,EACD,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;OAEG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CAClE;AAED;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;QACb,QAAQ,CAAC,EAAE,MAAM,CAAA;KAClB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC,EAClB,KAAK,EAAE,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC;eA+RlC;QACT,aAAa,EAAE,kBAAkB,CAAA;QACjC,QAAQ,EAAE,MAAM,CAAA;KACjB;+CA+nBJ"}
+{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../../src/issuer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4LG;AACH,OAAO,EAAE,QAAQ,EAAmB,MAAM,wBAAwB,CAAA;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAG5D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAI9B;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB,CACjC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,GAAG,CAAA;CAAE;IAE3C;;;;;OAKG;IACH,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC,MAAM,CAAC,EAC5B,IAAI,EAAE,IAAI,EACV,UAAU,EAAE,OAAO,CAAC,CAAC,EAAE;QAAE,IAAI,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC,YAAY,CAAC,EACpD,IAAI,CAAC,EAAE;QACL,GAAG,CAAC,EAAE;YACJ,MAAM,CAAC,EAAE,MAAM,CAAA;YACf,OAAO,CAAC,EAAE,MAAM,CAAA;SACjB,CAAA;QACD,OAAO,CAAC,EAAE,MAAM,CAAA;KACjB,GACA,OAAO,CAAC,QAAQ,CAAC,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;IACD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI;KACvB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,EAAE,CAAA;AAEN,OAAO,EAIL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAW,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAI9D,OAAO,EAAY,KAAK,EAAE,MAAM,eAAe,CAAA;AAc/C,gBAAgB;AAChB,eAAO,MAAM,GAAG;;gFAzIP,CAAA;;;;;;;;IAyImB,CAAA;AAE5B,MAAM,WAAW,WAAW,CAC1B,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,cAAc,GAAG,SAAS,EAC1B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;QACb,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,OAAO,EAAE,cAAc,CAAA;KACxB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,EAAE,QAAQ,CAAA;IAClB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,cAAc,CAAA;IACxB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+CG;IACH,SAAS,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC,CAAA;IAC7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,EAAE,KAAK,CAAA;IACb;;;;;;;;;;;;OAYG;IACH,GAAG,CAAC,EAAE;QACJ;;;WAGG;QACH,MAAM,CAAC,EAAE,MAAM,CAAA;QACf;;;WAGG;QACH,OAAO,CAAC,EAAE,MAAM,CAAA;QAChB;;;;WAIG;QACH,KAAK,CAAC,EAAE,MAAM,CAAA;QACd;;;WAGG;QACH,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3E;;OAEG;IACH,KAAK,CAAC,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACnC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,OAAO,CACL,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,CACN,QAAQ,EAAE,kBAAkB,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,EACtD,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,GAAG,CAAA;QACf,OAAO,EAAE,MAAM,CAAA;QACf,QAAQ,EAAE,MAAM,CAAA;KACjB,EACD,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,QAAQ,CAAC,CAAA;IACpB;;OAEG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;IACjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACH,KAAK,CAAC,CAAC,KAAK,EAAE,kBAAkB,EAAE,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACjE;;OAEG;IACH,OAAO,CAAC,EAAE;QACR;;;WAGG;QACH,IAAI,CAAC,EAAE,MAAM,CAAA;KACd,CAAA;IACD;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,cAAc,CAAA;IAC1C;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC,CAAA;CAC/C;AAED;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC/C,QAAQ,SAAS,aAAa,EAC9B,cAAc,GAAG,SAAS,EAC1B,MAAM,GAAG;KACN,GAAG,IAAI,MAAM,SAAS,GAAG,QAAQ,CAChC;QACE,QAAQ,EAAE,GAAG,CAAA;QACb,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,OAAO,EAAE,cAAc,CAAA;KACxB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CACxD;CACF,CAAC,MAAM,SAAS,CAAC,EAClB,KAAK,EAAE,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,CAAC;eAwSlD;QACT,aAAa,EAAE,kBAAkB,CAAA;QACjC,QAAQ,EAAE,MAAM,CAAA;QAChB,cAAc,EAAE,cAAc,CAAA;KAC/B;+CAgpBJ"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@_mustachio/openauth",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "license": "MIT",
   "repository": {
     "type": "git",

package/src/issuer.ts

@@ -109,6 +109,51 @@
  * })
  * ```
  *
+ * #### Advanced multi-tenant configuration
+ *
+ * For complex multi-tenant scenarios, OpenAuth provides three additional configuration options:
+ *
+ * - **`basePath`** - Dynamic URL prefix when the issuer is mounted at a variable path
+ * - **`cookies.path`** - Set to `"/"` so cookies work across all paths
+ * - **`context`** - Extract custom data from requests, available in providers and callbacks
+ *
+ * ```ts title="issuer.ts"
+ * const app = issuer({
+ *   storage,
+ *   subjects,
+ *   // Dynamic base path based on request headers
+ *   basePath: (req) => `/auth/${req.headers.get("x-org-slug")}`,
+ *   // Root-level cookies that work across all paths
+ *   cookies: { path: "/" },
+ *   // Extract org/app context from each request
+ *   context: (req) => ({
+ *     orgSlug: req.headers.get("x-org-slug")!,
+ *     appSlug: req.headers.get("x-app-slug")!,
+ *   }),
+ *   providers: async (ctx) => {
+ *     const { orgSlug, appSlug } = ctx.get("requestContext") as { orgSlug: string; appSlug: string }
+ *     const config = await db.getAppConfig(orgSlug, appSlug)
+ *     return {
+ *       github: GithubProvider({
+ *         clientID: config.githubClientId,
+ *         clientSecret: config.githubClientSecret,
+ *       })
+ *     }
+ *   },
+ *   success: async (ctx, value) => {
+ *     const { orgSlug, appSlug } = value.context
+ *     return ctx.subject("user", {
+ *       userID: value.email,
+ *       orgSlug,
+ *       appSlug,
+ *     })
+ *   },
+ * })
+ *
+ * // Mount the issuer at a dynamic route
+ * honoApp.route("/auth/:orgSlug/:appSlug", app)
+ * ```
+ *
  * #### Deploy
  *
  * Since `issuer` is a Hono app, you can deploy it anywhere Hono supports.
@@ -241,10 +286,13 @@ export const aws = awsHandle
 export interface IssuerInput<
   Providers extends Record<string, Provider<any>>,
   Subjects extends SubjectSchema,
+  RequestContext = undefined,
   Result = {
     [key in keyof Providers]: Prettify<
       {
         provider: key
+        tenantId?: string
+        context: RequestContext
       } & (Providers[key] extends Provider<infer T> ? T : {})
     >
   }[keyof Providers],
@@ -529,6 +577,41 @@ export interface IssuerInput<
    * ```
    */
   allow?(input: AllowCallbackInput, req: Request): Promise<boolean>
+  /**
+   * Cookie configuration options.
+   */
+  cookies?: {
+    /**
+     * Path for cookies. Defaults to the current path.
+     * Set to "/" for root-level cookies that work across all paths.
+     */
+    path?: string
+  }
+  /**
+   * Extract custom context from the request. This context is available
+   * in providers via `ctx.get("requestContext")` and in callbacks via `input.context`.
+   *
+   * @example
+   * ```ts
+   * context: (req) => ({
+   *   orgSlug: req.header("x-org-slug")!,
+   *   appSlug: req.header("x-app-slug")!,
+   * }),
+   * ```
+   */
+  context?: (req: Request) => RequestContext
+  /**
+   * Base path for all routes. Can be a static string or a function that
+   * receives the request and returns the path.
+   *
+   * @example
+   * ```ts
+   * basePath: "/auth/acme"
+   * // or
+   * basePath: (req) => `/auth/${req.headers.get("x-org-slug")}`
+   * ```
+   */
+  basePath?: string | ((req: Request) => string)
 }
 
 /**
@@ -537,15 +620,17 @@ export interface IssuerInput<
 export function issuer<
   Providers extends Record<string, Provider<any>>,
   Subjects extends SubjectSchema,
+  RequestContext = undefined,
   Result = {
     [key in keyof Providers]: Prettify<
       {
         provider: key
         tenantId?: string
+        context: RequestContext
       } & (Providers[key] extends Provider<infer T> ? T : {})
     >
   }[keyof Providers],
->(input: IssuerInput<Providers, Subjects, Result>) {
+>(input: IssuerInput<Providers, Subjects, RequestContext, Result>) {
   const error =
     input.error ??
     function (err) {
@@ -605,6 +690,12 @@ export function issuer<
   const signingKey = lazy(() => allSigning().then((all) => all[0]))
   const encryptionKey = lazy(() => allEncryption().then((all) => all[0]))
 
+  const getBasePath = (req: Request) => {
+    if (!input.basePath) return ""
+    if (typeof input.basePath === "string") return input.basePath
+    return input.basePath(req)
+  }
+
   const auth: Omit<ProviderOptions<any>, "name"> = {
     async success(ctx: Context, properties: any, successOpts) {
       const authorization = await getAuthorization(ctx)
@@ -681,6 +772,7 @@ export function issuer<
         {
           provider: ctx.get("provider"),
           tenantId: authorization.tenantId,
+          context: ctx.get("requestContext"),
           ...properties,
         },
         ctx.req.raw,
@@ -697,6 +789,7 @@ export function issuer<
       setCookie(ctx, key, await encrypt(value), {
         maxAge,
         httpOnly: true,
+        path: input.cookies?.path,
         ...(ctx.req.url.startsWith("https://")
           ? { secure: true, sameSite: "None" }
           : {}),
@@ -710,7 +803,7 @@ export function issuer<
       })
     },
     async unset(ctx: Context, key: string) {
-      deleteCookie(ctx, key)
+      deleteCookie(ctx, key, { path: input.cookies?.path })
     },
     async invalidate(subject: string) {
       // Resolve the scan in case modifications interfere with iteration
@@ -828,16 +921,26 @@ export function issuer<
   }
 
   function issuer(ctx: Context) {
-    return new URL(getRelativeUrl(ctx, "/")).origin
+    const base = getBasePath(ctx.req.raw)
+    return new URL(getRelativeUrl(ctx, base || "/")).origin + base
   }
 
   const app = new Hono<{
     Variables: {
       authorization: AuthorizationState
       tenantId: string
+      requestContext: RequestContext
     }
   }>().use(logger())
 
+  // Extract custom context from request if configured
+  app.use(async (c, next) => {
+    if (input.context) {
+      c.set("requestContext", input.context(c.req.raw))
+    }
+    await next()
+  })
+
   const getProviders = async (c: Context): Promise<Providers> => {
     if (typeof input.providers === "function") {
       return input.providers(c)
@@ -1169,6 +1272,7 @@ export function issuer<
           },
           {
             provider: provider.toString(),
+            context: c.get("requestContext"),
             ...response,
           },
           c.req.raw,
@@ -1232,11 +1336,14 @@ export function issuer<
       throw new UnauthorizedClientError(client_id, redirect_uri)
     await auth.set(c, "authorization", 60 * 60 * 24, authorization)
     c.set("authorization", authorization)
-    if (provider) return c.redirect(`/${provider}/authorize`)
+    if (provider)
+      return c.redirect(`${getBasePath(c.req.raw)}/${provider}/authorize`)
     const resolvedProviders = await getProviders(c)
     const providerNames = Object.keys(resolvedProviders)
     if (providerNames.length === 1)
-      return c.redirect(`/${providerNames[0]}/authorize`)
+      return c.redirect(
+        `${getBasePath(c.req.raw)}/${providerNames[0]}/authorize`,
+      )
     return auth.forward(
       c,
       await select()(
@@ -1313,11 +1420,16 @@ export function issuer<
       throw new UnauthorizedClientError(client_id, redirect_uri)
     await auth.set(c, "authorization", 60 * 60 * 24, authorization)
     c.set("authorization", authorization)
-    if (provider) return c.redirect(`/tenant/${tenantId}/${provider}/authorize`)
+    if (provider)
+      return c.redirect(
+        `${getBasePath(c.req.raw)}/tenant/${tenantId}/${provider}/authorize`,
+      )
     const resolvedProviders = await getProviders(c)
     const providerNames = Object.keys(resolvedProviders)
     if (providerNames.length === 1)
-      return c.redirect(`/tenant/${tenantId}/${providerNames[0]}/authorize`)
+      return c.redirect(
+        `${getBasePath(c.req.raw)}/tenant/${tenantId}/${providerNames[0]}/authorize`,
+      )
     return auth.forward(
       c,
       await select()(