npm - @absolutejs/auth - Versions diffs - 0.23.0 → 0.24.0 - Mend

@absolutejs/auth 0.23.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -2124,7 +2124,7 @@ var createOAuth2Client = async (providerName, config) => {
 };
 // src/index.ts
-import { Elysia as Elysia11 } from "elysia";
+import { Elysia as Elysia12 } from "elysia";
 // src/authorize.ts
 import { Elysia, t as t2 } from "elysia";
@@ -2698,14 +2698,201 @@ var callback = ({
   })
 });
-// src/profile.ts
+// src/htmxRoutes.ts
+import { Elysia as Elysia5 } from "elysia";
+// src/protectRoute.ts
 import { Elysia as Elysia4, t as t4 } from "elysia";
+var protectRoutePlugin = ({
+  authSessionStore
+} = {}) => new Elysia4().use(sessionStore()).guard({ cookie: t4.Cookie({ user_session_id: userSessionIdTypebox }) }).derive(({ store: { session }, cookie: { user_session_id }, status }) => ({
+  protectRoute: (handleAuth, handleAuthFail) => getStatusFromSource({
+    authSessionStore,
+    session,
+    user_session_id
+  }).then(async ({ user, error }) => {
+    if (error) {
+      return handleAuthFail?.(error) ?? status(error.code, error.message);
+    }
+    if (!user) {
+      return handleAuthFail?.({
+        code: "Unauthorized",
+        message: "User is not authenticated"
+      }) ?? status("Unauthorized", "User is not authenticated");
+    }
+    return await handleAuth(user);
+  })
+})).as("global");
+// src/ui/renderers.ts
+var escapeHtml = (value) => value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;");
+var defaultAuthorizationHref = (provider, client) => client ? `/oauth2/${provider}/authorization?client=${client}` : `/oauth2/${provider}/authorization`;
+var resolveAuthHtmxRenderers = (config) => {
+  const { connectorTargets, featuredLoginProviders, providerData } = config;
+  const authorizationHref = config.authorizationHref ?? defaultAuthorizationHref;
+  const overrides = config.render ?? {};
+  const providerLabel = (key) => isValidProviderOption(key) ? providerData[key]?.name ?? key : key;
+  const providerLogo = (key) => isValidProviderOption(key) ? providerData[key]?.logoUrl ?? "" : "";
+  const account = (user) => {
+    const fullName = [user.first_name, user.last_name].filter((part) => typeof part === "string" && part.length > 0).join(" ");
+    return `<div class="grid-2">
+    <div class="card"><h2 class="card__title">Canonical account</h2><p class="muted">Absolute Auth keeps one canonical user and links every OAuth identity to it. Conflicting identities raise a merge request.</p></div>
+    <div class="card text-left"><h2 class="card__title">Profile fields</h2>
+      <div class="spread"><span class="muted">Subject</span><span>${escapeHtml(user.sub)}</span></div>
+      <div class="spread"><span class="muted">Name</span><span>${escapeHtml(fullName || "\u2014")}</span></div>
+      <div class="spread"><span class="muted">Email</span><span>${escapeHtml(user.email ?? "\u2014")}</span></div>
+      <div class="spread"><span class="muted">Primary identity</span><span>${escapeHtml(user.primary_auth_identity_id ?? "\u2014")}</span></div>
+    </div>
+  </div>`;
+  };
+  const authMenu = (user) => {
+    if (!user) {
+      return `<a class="btn btn--primary btn--sm" href="/htmx">Sign in</a>`;
+    }
+    const label = user.email ?? user.first_name ?? "Account";
+    return `<span class="muted">${escapeHtml(label)}</span><a class="btn btn--ghost btn--sm" href="/htmx/signout">Sign out</a>`;
+  };
+  const connectorLinks = () => connectorTargets.map((target) => `<div class="card text-left"><h2 class="card__title row"><img class="entity__logo" alt="" src="${providerLogo(target.provider)}" />${escapeHtml(target.label)}</h2><p class="muted">${escapeHtml(target.description)}</p><a class="btn btn--primary" href="${authorizationHref(target.provider, "connector")}">Link ${escapeHtml(target.label)}</a></div>`).join("");
+  const connectors = (payload) => {
+    const scopeList = (scopes) => scopes.map((scope) => `<span class="scope">${escapeHtml(scope)}</span>`).join("");
+    const bindings = payload.bindings.length === 0 ? `<div class="empty-state">No external accounts linked.</div>` : `<div class="entity-list">${payload.bindings.map((binding) => `<div class="entity"><div class="entity__meta"><span class="entity__title">${escapeHtml(binding.label ?? binding.externalAccountId)}<span class="pill">${escapeHtml(binding.connectorProvider)}</span></span><span class="entity__sub">${escapeHtml(binding.externalAccountType)} \xB7 ${escapeHtml(binding.status)}</span><div class="scope-list">${scopeList(binding.availableScopes)}</div></div><div class="entity__actions"><form hx-delete="/htmx/connectors/bindings/${binding.id}" hx-target="#connector-list" hx-swap="innerHTML"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form></div></div>`).join("")}</div>`;
+    const grants = payload.grants.length === 0 ? `<div class="empty-state">No connector grants yet.</div>` : `<div class="entity-list">${payload.grants.map((grant) => `<div class="entity"><div class="entity__meta"><span class="entity__title">${escapeHtml(grant.authProviderKey)}<span class="pill pill--indigo">${escapeHtml(grant.status)}</span></span><span class="entity__sub">Subject ${escapeHtml(grant.providerSubject)}</span><div class="scope-list">${scopeList(grant.grantedScopes)}</div></div><div class="entity__actions"><form hx-delete="/htmx/connectors/grants/${grant.id}" hx-target="#connector-list" hx-swap="innerHTML"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form></div></div>`).join("")}</div>`;
+    return `<h3 class="provider-heading">External accounts</h3>${bindings}<h3 class="provider-heading">Grants</h3>${grants}`;
+  };
+  const identities = (payload, query) => {
+    const pending = payload.mergeRequests.filter((req) => req.status === "pending");
+    const mergesHtml = pending.length === 0 ? "" : `<div class="stack"><h3 class="provider-heading">Merge requests</h3><div class="entity-list">${pending.map((req) => `<div class="entity card--danger"><div class="entity__meta"><span class="entity__title">${escapeHtml(providerLabel(req.conflicting_auth_provider))} conflict</span><span class="entity__sub">Subject ${escapeHtml(req.conflicting_provider_subject)}</span></div><div class="entity__actions">
+                <form hx-post="/htmx/merge/${req.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--primary btn--sm" type="submit">Merge</button></form>
+                <form hx-delete="/htmx/merge/${req.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--ghost btn--sm" type="submit">Dismiss</button></form>
+              </div></div>`).join("")}</div></div>`;
+    const term = query.trim().toLowerCase();
+    const groups = Object.entries(payload.identities).map(([provider, list]) => ({
+      identities: list.filter((identity) => term === "" || providerLabel(provider).toLowerCase().includes(term) || identity.id.toLowerCase().includes(term) || identity.provider_subject.toLowerCase().includes(term)),
+      provider
+    })).filter((group) => group.identities.length > 0);
+    const groupsHtml = groups.length === 0 ? `<div class="empty-state">No identities match your search.</div>` : groups.map((group) => `<div class="provider-group"><h3 class="provider-heading">${providerLogo(group.provider) ? `<img class="entity__logo" alt="" src="${providerLogo(group.provider)}" />` : ""}${escapeHtml(providerLabel(group.provider))}</h3><div class="entity-list">${group.identities.map((identity) => `<div class="entity"><div class="entity__main"><div class="entity__meta"><span class="entity__title">${escapeHtml(identity.provider_subject)}${identity.isPrimary ? `<span class="pill pill--primary">Primary</span>` : ""}</span><span class="entity__sub">${escapeHtml(identity.id)}</span></div></div><div class="entity__actions">
+                      ${identity.isPrimary ? "" : `<form hx-post="/htmx/identities/${identity.id}/primary" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--neutral btn--sm" type="submit">Set primary</button></form>`}
+                      <form hx-delete="/htmx/identities/${identity.id}" hx-target="#identities-list" hx-swap="innerHTML" hx-include="#identity-query"><button class="btn btn--danger btn--sm" type="submit">Remove</button></form>
+                    </div></div>`).join("")}</div></div>`).join("");
+    return `${mergesHtml}${groupsHtml}`;
+  };
+  const protectedView = (user) => `<section class="auth-section stack"><div><h1 class="page-heading">Protected page</h1><p class="muted">Your authenticated session resolves to this user record.</p></div><pre class="json">${escapeHtml(JSON.stringify(user, null, 2))}</pre></section>`;
+  const providerLogin = (verb, includeDropdown) => {
+    const featured = featuredLoginProviders.map((provider) => `<a class="oauth-button" href="${authorizationHref(provider)}"><img class="oauth-button__icon" alt="" src="${providerLogo(provider)}" /><span class="oauth-button__text">${escapeHtml(verb)} ${escapeHtml(providerLabel(provider))}</span></a>`).join("");
+    if (!includeDropdown) {
+      return `<div class="oauth-grid">${featured}</div>`;
+    }
+    const options = providerOptions.map((provider) => `<option value="${provider}">${escapeHtml(providerLabel(provider))}</option>`).join("");
+    return `<div class="oauth-grid">${featured}
+    <div class="separator"><span class="separator__line"></span><span class="separator__text">or any provider</span><span class="separator__line"></span></div>
+    <form class="oauth-grid" action="/htmx/login-redirect" method="get">
+      <select class="provider-select" name="provider" required>
+        <option value="">Select a provider\u2026</option>${options}
+      </select>
+      <button class="btn btn--primary" type="submit">Continue</button>
+    </form>
+  </div>`;
+  };
+  return {
+    account: overrides.account ?? account,
+    authMenu: overrides.authMenu ?? authMenu,
+    connectorLinks: overrides.connectorLinks ?? connectorLinks,
+    connectors: overrides.connectors ?? connectors,
+    escapeHtml,
+    identities: overrides.identities ?? identities,
+    protected: overrides.protected ?? protectedView,
+    providerLogin: overrides.providerLogin ?? providerLogin
+  };
+};
+// src/htmxRoutes.ts
+var SEE_OTHER = 303;
+var html = (markup) => new Response(markup, {
+  headers: { "content-type": "text/html; charset=utf-8" }
+});
+var signInPrompt = `<section class="auth-content"><h1 class="page-heading">Not authorized</h1><p class="muted">You need to sign in to view this page.</p><a class="btn btn--primary" href="/htmx">Go to sign in</a></section>`;
+var createAuthHtmxRoutes = (config) => {
+  const renderers = resolveAuthHtmxRenderers(config);
+  const authorizationHref = config.authorizationHref ?? ((provider) => `/oauth2/${provider}/authorization`);
+  return new Elysia5().use(protectRoutePlugin({
+    authSessionStore: config.authSessionStore
+  })).get("/htmx/login", () => html(renderers.providerLogin("Sign in with", true))).get("/htmx/link", () => html(renderers.providerLogin("Link", false))).get("/htmx/connector-links", () => html(renderers.connectorLinks())).get("/htmx/auth-menu", ({ protectRoute }) => protectRoute((user) => html(renderers.authMenu(user)), () => html(renderers.authMenu(null)))).get("/htmx/me", ({ protectRoute }) => protectRoute((user) => html(renderers.protected(user)), () => html(signInPrompt))).get("/htmx/account", ({ protectRoute }) => protectRoute((user) => html(renderers.account(user)), () => html(signInPrompt))).get("/htmx/identities", ({ protectRoute, query }) => protectRoute(async (user) => {
+    const search = typeof query.query === "string" ? query.query : "";
+    return html(renderers.identities(await config.loadAuthIdentities(user.sub), search));
+  })).post("/htmx/identities/:id/primary", ({ params, protectRoute }) => protectRoute(async (user) => {
+    try {
+      await config.setPrimaryIdentity({
+        identityId: params.id,
+        userSub: user.sub
+      });
+    } catch {}
+    return html(renderers.identities(await config.loadAuthIdentities(user.sub), ""));
+  })).delete("/htmx/identities/:id", ({ params, protectRoute }) => protectRoute(async (user) => {
+    const payload = await config.loadAuthIdentities(user.sub);
+    const identities = Object.values(payload.identities).flat();
+    const identity = identities.find((candidate) => candidate.id === params.id);
+    if (identity && identities.length > 1 && identity.isPrimary !== true) {
+      await config.removeIdentity({
+        identityId: identity.id,
+        userSub: user.sub
+      });
+    }
+    return html(renderers.identities(await config.loadAuthIdentities(user.sub), ""));
+  })).post("/htmx/merge/:id", ({ params, protectRoute }) => protectRoute(async (user) => {
+    try {
+      await config.mergeIdentity({
+        mergeRequestId: params.id,
+        userSub: user.sub
+      });
+    } catch {}
+    return html(renderers.identities(await config.loadAuthIdentities(user.sub), ""));
+  })).delete("/htmx/merge/:id", ({ params, protectRoute }) => protectRoute(async (user) => {
+    await config.dismissMergeRequest({
+      mergeRequestId: params.id,
+      userSub: user.sub
+    });
+    return html(renderers.identities(await config.loadAuthIdentities(user.sub), ""));
+  })).get("/htmx/connector-list", ({ protectRoute }) => protectRoute(async (user) => html(renderers.connectors(await config.loadLinkedProviders(user.sub))), () => html(signInPrompt))).delete("/htmx/connectors/grants/:id", ({ params, protectRoute }) => protectRoute(async (user) => {
+    await config.removeGrant({
+      grantId: params.id,
+      userSub: user.sub
+    });
+    return html(renderers.connectors(await config.loadLinkedProviders(user.sub)));
+  })).delete("/htmx/connectors/bindings/:id", ({ params, protectRoute }) => protectRoute(async (user) => {
+    await config.removeBinding({
+      bindingId: params.id,
+      userSub: user.sub
+    });
+    return html(renderers.connectors(await config.loadLinkedProviders(user.sub)));
+  })).get("/htmx/login-redirect", ({ query, redirect }) => {
+    const provider = typeof query.provider === "string" ? query.provider : "";
+    return redirect(isValidProviderOption(provider) ? authorizationHref(provider) : "/htmx");
+  }).post("/htmx/delete-account", (context) => context.protectRoute(async (user) => {
+    const confirm = typeof context.body === "object" && context.body !== null && "confirm" in context.body ? String(context.body.confirm) : "";
+    if (confirm !== "DELETE") {
+      return html(`<div class="error-banner">Type DELETE to confirm.</div>`);
+    }
+    await config.deleteAccount({ userSub: user.sub });
+    context.set.headers["HX-Redirect"] = "/htmx";
+    return html("");
+  })).get("/htmx/signout", async ({ cookie: { user_session_id }, redirect }) => {
+    const sessionId = user_session_id.value;
+    if (sessionId !== undefined && isUserSessionId(sessionId)) {
+      await config.authSessionStore?.removeSession(sessionId);
+    }
+    user_session_id.remove();
+    return redirect("/htmx", SEE_OTHER);
+  });
+};
+// src/profile.ts
+import { Elysia as Elysia6, t as t5 } from "elysia";
 var profile = ({
   clientProviders,
   profileRoute = "/oauth2/profile",
   onProfileSuccess,
   onProfileError
-}) => new Elysia4().use(sessionStore()).get(profileRoute, async ({
+}) => new Elysia6().use(sessionStore()).get(profileRoute, async ({
   status,
   store: { session },
   cookie: { user_session_id, auth_provider, auth_client }
@@ -2752,38 +2939,15 @@ var profile = ({
     return err instanceof Error ? status("Internal Server Error", `${err.message} - ${err.stack ?? ""}`) : status("Internal Server Error", `Failed to validate authorization code: Unknown status: ${err}`);
   }
 }, {
-  cookie: t4.Cookie({
+  cookie: t5.Cookie({
     auth_client: authClientOption,
     auth_provider: authProviderOption,
     user_session_id: userSessionIdTypebox
   })
 });
-// src/protectRoute.ts
-import { Elysia as Elysia5, t as t5 } from "elysia";
-var protectRoutePlugin = ({
-  authSessionStore
-} = {}) => new Elysia5().use(sessionStore()).guard({ cookie: t5.Cookie({ user_session_id: userSessionIdTypebox }) }).derive(({ store: { session }, cookie: { user_session_id }, status }) => ({
-  protectRoute: (handleAuth, handleAuthFail) => getStatusFromSource({
-    authSessionStore,
-    session,
-    user_session_id
-  }).then(async ({ user, error }) => {
-    if (error) {
-      return handleAuthFail?.(error) ?? status(error.code, error.message);
-    }
-    if (!user) {
-      return handleAuthFail?.({
-        code: "Unauthorized",
-        message: "User is not authenticated"
-      }) ?? status("Unauthorized", "User is not authenticated");
-    }
-    return await handleAuth(user);
-  })
-})).as("global");
 // src/refresh.ts
-import { Elysia as Elysia6, t as t6 } from "elysia";
+import { Elysia as Elysia7, t as t6 } from "elysia";
 var refresh = ({
   authSessionStore,
   clientProviders,
@@ -2791,7 +2955,7 @@ var refresh = ({
   onRefreshSuccess,
   onRefreshError,
   sessionDurationMs = MILLISECONDS_IN_A_DAY
-}) => new Elysia6().use(sessionStore()).post(refreshRoute, async ({
+}) => new Elysia7().use(sessionStore()).post(refreshRoute, async ({
   status,
   store: { session },
   cookie: { user_session_id, auth_provider, auth_client }
@@ -2870,14 +3034,14 @@ var refresh = ({
 });
 // src/revoke.ts
-import { Elysia as Elysia7, t as t7 } from "elysia";
+import { Elysia as Elysia8, t as t7 } from "elysia";
 var revoke = ({
   authSessionStore,
   clientProviders,
   revokeRoute = "/oauth2/revocation",
   onRevocationSuccess,
   onRevocationError
-}) => new Elysia7().use(sessionStore()).post(revokeRoute, async ({
+}) => new Elysia8().use(sessionStore()).post(revokeRoute, async ({
   status,
   store: { session },
   cookie: { user_session_id, auth_provider, auth_client }
@@ -2947,7 +3111,7 @@ var revoke = ({
 });
 // src/sessionCleanup.ts
-import { Elysia as Elysia8 } from "elysia";
+import { Elysia as Elysia9 } from "elysia";
 var sessionCleanup = ({
   authSessionStore,
   cleanupIntervalMs = MILLISECONDS_IN_AN_HOUR,
@@ -2955,7 +3119,7 @@ var sessionCleanup = ({
   onSessionCleanup
 }) => {
   let intervalId = null;
-  return new Elysia8({ name: "sessionCleanup" }).use(sessionStore()).onStart(({ store: { session, unregisteredSession } }) => {
+  return new Elysia9({ name: "sessionCleanup" }).use(sessionStore()).onStart(({ store: { session, unregisteredSession } }) => {
     intervalId = setInterval(async () => {
       await performCleanup({
         authSessionStore,
@@ -3168,12 +3332,12 @@ var performCleanup = async ({
 };
 // src/signout.ts
-import { Elysia as Elysia9, t as t8 } from "elysia";
+import { Elysia as Elysia10, t as t8 } from "elysia";
 var signout = ({
   authSessionStore,
   signoutRoute = "/oauth2/signout",
   onSignOut
-}) => new Elysia9().use(sessionStore()).delete(signoutRoute, async ({
+}) => new Elysia10().use(sessionStore()).delete(signoutRoute, async ({
   status,
   store: { session },
   cookie: { user_session_id, auth_provider }
@@ -3228,12 +3392,12 @@ var signout = ({
 });
 // src/userStatus.ts
-import { Elysia as Elysia10, t as t9 } from "elysia";
+import { Elysia as Elysia11, t as t9 } from "elysia";
 var userStatus = ({
   authSessionStore,
   statusRoute = "/oauth2/status",
   onStatus
-}) => new Elysia10().use(sessionStore()).get(statusRoute, async ({ status, cookie: { user_session_id }, store: { session } }) => {
+}) => new Elysia11().use(sessionStore()).get(statusRoute, async ({ status, cookie: { user_session_id }, store: { session } }) => {
   const { user, error } = await getStatusFromSource({
     authSessionStore,
     session,
@@ -13774,6 +13938,7 @@ var absoluteAuth = async ({
   maxSessions,
   sessionDurationMs,
   authSessionStore,
+  htmx,
   resolveAuthIntent,
   onAuthorizeSuccess,
   onAuthorizeError,
@@ -13793,7 +13958,7 @@ var absoluteAuth = async ({
   onSessionCleanup
 }) => {
   const clientProviders = await buildClientProviders(providersConfiguration, createOAuth2Client);
-  return new Elysia11().use(sessionCleanup({
+  return new Elysia12().use(sessionCleanup({
     authSessionStore,
     cleanupIntervalMs,
     maxSessions,
@@ -13831,7 +13996,7 @@ var absoluteAuth = async ({
     onProfileError,
     onProfileSuccess,
     profileRoute
-  })).use(protectRoutePlugin({ authSessionStore }));
+  })).use(protectRoutePlugin({ authSessionStore })).use(htmx ? createAuthHtmxRoutes({ ...htmx, authSessionStore }) : new Elysia12);
 };
 export {
   validateSession,
@@ -13844,6 +14009,7 @@ export {
   resolveOAuthTokenExpiresAt,
   resolveOAuthAuthorization,
   resolveClientProviderEntry,
+  resolveAuthHtmxRenderers,
   refreshableProviderOptions,
   providers,
   providerOptions,
@@ -13873,6 +14039,7 @@ export {
   createLinkedProviderCredentialResolver,
   createInMemoryLinkedProviderStores,
   createInMemoryAuthSessionStore,
+  createAuthHtmxRoutes,
   createAuthConfiguration,
   buildClientProviders,
   authProviderOption,
@@ -13882,5 +14049,5 @@ export {
   AbsoluteAuthIdentityConflictError
 };
-//# debugId=7F98E858A24BE38A64756E2164756E21
+//# debugId=D6887201B1B4B2A864756E2164756E21
 //# sourceMappingURL=index.js.map