@absolutejs/auth 0.26.0-beta.1 → 0.26.0-beta.3

package/dist/types.d.ts

@@ -2,13 +2,18 @@ import { CredentialsFor, NonEmptyArray, OAuth2Client, OAuth2TokenResponse, Provi
 import { Cookie, status as statusType, redirect as redirectType } from 'elysia';
 import { ElysiaCustomStatusResponse } from 'elysia/error';
 import type { AuditConfig } from './audit/config';
+import type { AuthorizationConfig } from './authorization/config';
+import type { ComplianceConfig } from './compliance/config';
 import type { CredentialsConfig } from './credentials/config';
 import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { ScimConfig } from './scim/config';
 import type { SessionsConfig } from './session/sessionsConfig';
 import type { AuthSessionStore } from './session/types';
+import type { SSOConfig } from './sso/config';
+import type { WebAuthnConfig } from './webauthn/config';
 export type AuthIntent = 'login' | 'link_identity' | 'link_connector';
 export type OAuth2ProviderClientConfiguration<Provider extends ProviderOption> = {
     credentials: CredentialsFor<Provider>;
@@ -34,6 +39,14 @@ export type SessionData<UserType> = {
     /** When the session was last established by an actual authentication (login, OAuth
      *  callback, or MFA challenge — NOT a token refresh). Drives step-up `requireRecentAuth`. */
     authenticatedAt?: number;
+    /** SAML SP-initiated Single Logout context, captured at the SAML ACS. Lets
+     *  `{ssoRoute}/saml/:org/logout` build a signed LogoutRequest (the IdP needs the original
+     *  NameID + SessionIndex) for the connection the session was created from. */
+    samlLogout?: {
+        connectionId: string;
+        nameId: string;
+        sessionIndex?: string;
+    };
 };
 export type SessionRecord<UserType> = Record<UserSessionId, SessionData<UserType>>;
 export type UnregisteredSessionData = {
@@ -181,6 +194,29 @@ export type AuthConfig<UserType> = {
      *  sessions) and `DELETE /auth/sessions/:id` (remote revoke). Requires an
      *  `authSessionStore` that can enumerate sessions. */
     sessions?: SessionsConfig<UserType>;
+    /** Per-organization enterprise SSO (the WorkOS-style model). When present, mounts
+     *  `GET {ssoRoute}/oidc/:organizationId/authorize` + `.../callback`, resolves the org's
+     *  OIDC connection from `ssoConnectionStore`, verifies the id_token in-house against the
+     *  issuer's JWKS, and mints the same `SessionData<UserType>` as every other flow. */
+    sso?: SSOConfig<UserType>;
+    /** SCIM 2.0 auto-provisioning for enterprise directory sync (Okta / Azure AD). When present,
+     *  mounts `{scimRoute}/Users` (+ `/ServiceProviderConfig`) with per-org bearer-token auth via
+     *  `scimTokenStore`, and maps SCIM resources to the consumer's user store through hooks. */
+    scim?: ScimConfig;
+    /** Role-based / attribute-based access control (E4). When present, `auth()` exposes a
+     *  `protectPermission(check, handler)` derive (alongside `protectRoute`) that delegates the
+     *  decision to your `hasPermission` hook — the package stays schema-agnostic about roles. */
+    authorization?: AuthorizationConfig<UserType>;
+    /** GDPR/CCPA self-service compliance (E5). When present, mounts `GET {complianceRoute}/export`
+     *  (right to access) and `DELETE {complianceRoute}` (right to erasure — runs your delete hook,
+     *  revokes the user's sessions, clears the cookie). Pair with `audit.redact` for PII redaction. */
+    compliance?: ComplianceConfig<UserType>;
+    /** Passwordless / passkey auth (WebAuthn). When present, mounts the registration ceremony
+     *  (`{webauthnRoute}/register/options` + `/verify`, adds a passkey to the authenticated caller)
+     *  and the authentication ceremony (`.../authenticate/options` + `/verify`, passwordless sign-in
+     *  → mints the same `SessionData<UserType>`). A `webauthnAdapter` wraps a vetted library (e.g.
+     *  `@simplewebauthn/server`); the package never bundles the WebAuthn crypto. */
+    webauthn?: WebAuthnConfig<UserType>;
     /** Enable the built-in HTMX fragment routes (login, identities, connectors,
      *  account, signout, delete-account). Supply provider display data + the
      *  identity/connector data actions; the package owns the route wiring and

package/dist/webauthn/adapter.d.ts

@@ -0,0 +1,59 @@
+export type WebAuthnCredentialDescriptor = {
+    id: string;
+    transports?: string[];
+};
+export type WebAuthnRegistrationOptions = {
+    challenge: string;
+    options: Record<string, unknown>;
+};
+export type WebAuthnAuthenticationOptions = {
+    challenge: string;
+    options: Record<string, unknown>;
+};
+export type WebAuthnRegistrationResult = {
+    credential?: {
+        backedUp?: boolean;
+        counter: number;
+        credentialId: string;
+        deviceType?: string;
+        publicKey: string;
+        transports?: string[];
+    };
+    verified: boolean;
+};
+export type WebAuthnAuthenticationResult = {
+    newCounter?: number;
+    verified: boolean;
+};
+export type WebAuthnAdapter = {
+    createAuthenticationOptions: (request: {
+        allowCredentials: WebAuthnCredentialDescriptor[];
+        rpId: string;
+    }) => Promise<WebAuthnAuthenticationOptions> | WebAuthnAuthenticationOptions;
+    createRegistrationOptions: (request: {
+        excludeCredentials: WebAuthnCredentialDescriptor[];
+        rpId: string;
+        rpName: string;
+        userDisplayName: string;
+        userId: string;
+        userName: string;
+    }) => Promise<WebAuthnRegistrationOptions> | WebAuthnRegistrationOptions;
+    verifyAuthentication: (request: {
+        credential: {
+            counter: number;
+            credentialId: string;
+            publicKey: string;
+            transports?: string[];
+        };
+        expectedChallenge: string;
+        expectedOrigin: string;
+        expectedRPID: string;
+        response: unknown;
+    }) => Promise<WebAuthnAuthenticationResult>;
+    verifyRegistration: (request: {
+        expectedChallenge: string;
+        expectedOrigin: string;
+        expectedRPID: string;
+        response: unknown;
+    }) => Promise<WebAuthnRegistrationResult>;
+};

package/dist/webauthn/config.d.ts

@@ -0,0 +1,35 @@
+import type { AuditEmitter } from '../audit/config';
+import type { AuthSessionStore } from '../session/types';
+import type { RouteString, UserSessionId } from '../types';
+import type { WebAuthnAdapter } from './adapter';
+import type { WebAuthnCredentialStore } from './types';
+export declare const DEFAULT_WEBAUTHN_CHALLENGE_TTL_MS = 300000;
+export declare const DEFAULT_WEBAUTHN_ROUTE: RouteString;
+export declare const DEFAULT_WEBAUTHN_SESSION_TTL_MS: number;
+export declare const WEBAUTHN_CHALLENGE_COOKIE = "webauthn_challenge";
+export type WebAuthnConfig<UserType> = {
+    credentialStore: WebAuthnCredentialStore;
+    getUserId: (user: UserType) => string;
+    getWebAuthnUser: (userId: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
+    origin: string;
+    rpId: string;
+    rpName: string;
+    webauthnAdapter: WebAuthnAdapter;
+    challengeDurationMs?: number;
+    getUserDisplayName?: (user: UserType) => string;
+    getUserName?: (user: UserType) => string;
+    onWebAuthnAuthenticated?: (context: {
+        user: UserType;
+        userSessionId: UserSessionId;
+    }) => void | Promise<void>;
+    onWebAuthnRegistered?: (context: {
+        credentialId: string;
+        userId: string;
+    }) => void | Promise<void>;
+    sessionDurationMs?: number;
+    webauthnRoute?: RouteString;
+};
+export type WebAuthnRouteProps<UserType> = WebAuthnConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+    emit?: AuditEmitter;
+};

package/dist/webauthn/inMemoryWebAuthnCredentialStore.d.ts

@@ -0,0 +1,2 @@
+import type { WebAuthnCredentialStore } from './types';
+export declare const createInMemoryWebAuthnCredentialStore: () => WebAuthnCredentialStore;

package/dist/webauthn/postgresWebAuthnCredentialStore.d.ts

@@ -0,0 +1,172 @@
+import { type AnyPgDatabase } from '../stores/postgres';
+import type { WebAuthnCredentialStore } from './types';
+export declare const webauthnCredentialsTable: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "auth_webauthn_credentials";
+    schema: undefined;
+    columns: {
+        backed_up: import("drizzle-orm/pg-core").PgColumn<{
+            name: "backed_up";
+            tableName: "auth_webauthn_credentials";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        counter: import("drizzle-orm/pg-core").PgColumn<{
+            name: "counter";
+            tableName: "auth_webauthn_credentials";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        created_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at_ms";
+            tableName: "auth_webauthn_credentials";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        credential_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "credential_id";
+            tableName: "auth_webauthn_credentials";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        device_type: import("drizzle-orm/pg-core").PgColumn<{
+            name: "device_type";
+            tableName: "auth_webauthn_credentials";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 32;
+        }>;
+        last_used_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "last_used_at_ms";
+            tableName: "auth_webauthn_credentials";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        public_key: import("drizzle-orm/pg-core").PgColumn<{
+            name: "public_key";
+            tableName: "auth_webauthn_credentials";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        transports: import("drizzle-orm/pg-core").PgColumn<{
+            name: "transports";
+            tableName: "auth_webauthn_credentials";
+            dataType: "json";
+            columnType: "PgJsonb";
+            data: string[];
+            driverParam: unknown;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            $type: string[];
+        }>;
+        user_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "user_id";
+            tableName: "auth_webauthn_credentials";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+    };
+    dialect: "pg";
+}>;
+export declare const createNeonWebAuthnCredentialStore: (databaseUrl: string) => WebAuthnCredentialStore;
+export declare const createPostgresWebAuthnCredentialStore: (db: AnyPgDatabase) => WebAuthnCredentialStore;

package/dist/webauthn/routes.d.ts

@@ -0,0 +1,155 @@
+import { Elysia } from 'elysia';
+import { type WebAuthnRouteProps } from './config';
+export declare const webauthnRoutes: <UserType>({ authSessionStore, challengeDurationMs, credentialStore, emit, getUserDisplayName, getUserId, getUserName, getWebAuthnUser, onWebAuthnAuthenticated, onWebAuthnRegistered, origin, rpId, rpName, sessionDurationMs, webauthnAdapter, webauthnRoute }: WebAuthnRouteProps<UserType>) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: import("..").SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        register: {
+            options: {
+                post: {
+                    body: unknown;
+                    params: {};
+                    query: unknown;
+                    headers: unknown;
+                    response: {
+                        200: {
+                            [x: string]: unknown;
+                        };
+                        401: "Authentication required";
+                        422: {
+                            type: "validation";
+                            on: string;
+                            summary?: string;
+                            message?: string;
+                            found?: unknown;
+                            property?: string;
+                            expected?: string;
+                        };
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        register: {
+            verify: {
+                post: {
+                    body: {};
+                    params: {};
+                    query: unknown;
+                    headers: unknown;
+                    response: {
+                        200: {
+                            readonly credentialId: string;
+                            readonly verified: true;
+                        };
+                        400: "No registration challenge in progress" | "WebAuthn registration failed";
+                        401: "Authentication required";
+                        422: {
+                            type: "validation";
+                            on: string;
+                            summary?: string;
+                            message?: string;
+                            found?: unknown;
+                            property?: string;
+                            expected?: string;
+                        };
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        authenticate: {
+            options: {
+                post: {
+                    body: unknown;
+                    params: {};
+                    query: unknown;
+                    headers: unknown;
+                    response: {
+                        200: {
+                            [x: string]: unknown;
+                        };
+                        422: {
+                            type: "validation";
+                            on: string;
+                            summary?: string;
+                            message?: string;
+                            found?: unknown;
+                            property?: string;
+                            expected?: string;
+                        };
+                    };
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        authenticate: {
+            verify: {
+                post: {
+                    body: {
+                        id: string;
+                    };
+                    params: {};
+                    query: unknown;
+                    headers: unknown;
+                    response: {
+                        200: {
+                            readonly status: "authenticated";
+                        };
+                        400: "No authentication challenge in progress";
+                        401: "Unknown credential" | "WebAuthn authentication failed";
+                        422: {
+                            type: "validation";
+                            on: string;
+                            summary?: string;
+                            message?: string;
+                            found?: unknown;
+                            property?: string;
+                            expected?: string;
+                        };
+                    };
+                };
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/webauthn/types.d.ts

@@ -0,0 +1,17 @@
+export type WebAuthnCredential = {
+    backedUp?: boolean;
+    counter: number;
+    createdAt: number;
+    credentialId: string;
+    deviceType?: string;
+    lastUsedAt?: number;
+    publicKey: string;
+    transports?: string[];
+    userId: string;
+};
+export type WebAuthnCredentialStore = {
+    getCredential: (credentialId: string) => Promise<WebAuthnCredential | undefined>;
+    listCredentialsByUser: (userId: string) => Promise<WebAuthnCredential[]>;
+    removeCredential: (credentialId: string) => Promise<void>;
+    saveCredential: (credential: WebAuthnCredential) => Promise<void>;
+};

package/package.json

@@ -1,5 +1,5 @@
 {
-	"version": "0.26.0-beta.1",
+	"version": "0.26.0-beta.3",
 	"name": "@absolutejs/auth",
 	"description": "An authorization library for absolutejs",
 	"repository": {
@@ -30,8 +30,8 @@
 	},
 	"dependencies": {
 		"@absolutejs/linked-providers": "0.0.2",
-		"citra": "0.25.11",
 		"@neondatabase/serverless": "1.0.0",
+		"citra": "^0.28.0",
 		"drizzle-orm": "0.41.0"
 	},
 	"devDependencies": {