@absolutejs/auth 0.26.0-beta.2 → 0.26.0-beta.4

package/dist/sso/postgresSsoConnectionStore.d.ts

@@ -0,0 +1,139 @@
+import { type AnyPgDatabase } from '../stores/postgres';
+import type { OidcConnectionConfig, SamlConnectionConfig, SSOConnectionStore, SSOConnectionType } from './types';
+export declare const ssoConnectionsTable: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "auth_sso_connections";
+    schema: undefined;
+    columns: {
+        config: import("drizzle-orm/pg-core").PgColumn<{
+            name: "config";
+            tableName: "auth_sso_connections";
+            dataType: "json";
+            columnType: "PgJsonb";
+            data: OidcConnectionConfig | SamlConnectionConfig;
+            driverParam: unknown;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            $type: OidcConnectionConfig | SamlConnectionConfig;
+        }>;
+        connection_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "connection_id";
+            tableName: "auth_sso_connections";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        created_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at_ms";
+            tableName: "auth_sso_connections";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        enabled: import("drizzle-orm/pg-core").PgColumn<{
+            name: "enabled";
+            tableName: "auth_sso_connections";
+            dataType: "boolean";
+            columnType: "PgBoolean";
+            data: boolean;
+            driverParam: boolean;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        organization_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "organization_id";
+            tableName: "auth_sso_connections";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        type: import("drizzle-orm/pg-core").PgColumn<{
+            name: "type";
+            tableName: "auth_sso_connections";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: SSOConnectionType;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 16;
+            $type: SSOConnectionType;
+        }>;
+        updated_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "updated_at_ms";
+            tableName: "auth_sso_connections";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+export declare const createNeonSsoConnectionStore: (databaseUrl: string) => SSOConnectionStore;
+export declare const createPostgresSsoConnectionStore: (db: AnyPgDatabase) => SSOConnectionStore;

package/dist/sso/samlRoutes.d.ts

@@ -0,0 +1,176 @@
+import { Elysia } from 'elysia';
+import type { AuthSessionStore } from '../session/types';
+import type { SessionRecord } from '../types';
+import { type SamlAdapter, type SSOConfig } from './config';
+type SamlRoutesProps<UserType> = SSOConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+    samlAdapter: SamlAdapter;
+};
+export declare const samlSsoRoutes: <UserType>({ authSessionStore, getSsoUser, onSsoCallbackError, onSsoCallbackSuccess, samlAdapter, sessionDurationMs, ssoConnectionStore, ssoRoute }: SamlRoutesProps<UserType>) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {
+                organizationId: string;
+            };
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                404: "No SAML connection is configured for this organization";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                RelayState?: string | undefined;
+                SAMLResponse: string;
+            };
+            params: {
+                organizationId: string;
+            };
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                404: "No SAML connection is configured for this organization";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+                500: "SAML sign-in failed";
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {
+                organizationId: string;
+            };
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                404: "No SAML connection is configured for this organization";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {
+                organizationId: string;
+            };
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {
+                organizationId: string;
+            };
+            query: {
+                RelayState?: string | undefined;
+                SAMLResponse?: string | undefined;
+                SAMLRequest?: string | undefined;
+            };
+            headers: unknown;
+            response: {
+                200: Response;
+                400: "Missing SAMLRequest or SAMLResponse" | "Invalid SAML LogoutRequest";
+                404: "No SAML connection is configured for this organization";
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+                500: "SAML logout failed";
+                501: "SAML Single Logout is not configured";
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;
+export {};

package/dist/sso/types.d.ts

@@ -0,0 +1,39 @@
+import type { OrganizationId } from '../tenancy';
+export type SSOConnectionType = 'oidc' | 'saml';
+export type OidcConnectionConfig = {
+    clientId: string;
+    clientSecret: string;
+    issuer: string;
+    redirectUri: string;
+    scopes: string[];
+};
+export type SamlConnectionConfig = {
+    idpEntityId: string;
+    idpSloUrl?: string;
+    idpSsoUrl: string;
+    idpX509Cert: string;
+};
+type SSOConnectionBase = {
+    connectionId: string;
+    createdAt: number;
+    enabled: boolean;
+    organizationId: OrganizationId;
+    updatedAt: number;
+};
+export type OidcConnection = SSOConnectionBase & {
+    config: OidcConnectionConfig;
+    type: 'oidc';
+};
+export type SamlConnection = SSOConnectionBase & {
+    config: SamlConnectionConfig;
+    type: 'saml';
+};
+export type SSOConnection = OidcConnection | SamlConnection;
+export type SSOConnectionStore = {
+    deleteConnection: (connectionId: string) => Promise<void>;
+    getConnection: (connectionId: string) => Promise<SSOConnection | undefined>;
+    getConnectionByOrganization: (organizationId: OrganizationId, type?: SSOConnectionType) => Promise<SSOConnection | undefined>;
+    listConnectionsByOrganization: (organizationId: OrganizationId) => Promise<SSOConnection[]>;
+    saveConnection: (connection: SSOConnection) => Promise<void>;
+};
+export {};

package/dist/typebox.d.ts

@@ -1,6 +1,6 @@
 export declare const authClientOption: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TString>;
 export declare const authIntentOption: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnion<[import("@sinclair/typebox").TLiteral<"login">, import("@sinclair/typebox").TLiteral<"link_identity">, import("@sinclair/typebox").TLiteral<"link_connector">]>>;
 export declare const authProviderOption: import("@sinclair/typebox").TEnum<{
-    [k: string]: "42" | "amazoncognito" | "anilist" | "apple" | "atlassian" | "auth0" | "authentik" | "autodesk" | "battlenet" | "bitbucket" | "box" | "bungie" | "coinbase" | "discord" | "donationalerts" | "dribbble" | "dropbox" | "epicgames" | "etsy" | "facebook" | "figma" | "gitea" | "github" | "gitlab" | "google" | "intuit" | "kakao" | "keycloak" | "kick" | "lichess" | "line" | "linear" | "linkedin" | "mastodon" | "mercadolibre" | "mercadopago" | "microsoftentraid" | "myanimelist" | "naver" | "notion" | "okta" | "osu" | "patreon" | "polar" | "polaraccesslink" | "polarteampro" | "reddit" | "roblox" | "salesforce" | "shikimori" | "slack" | "spotify" | "startgg" | "strava" | "synology" | "tiktok" | "tiltify" | "tumblr" | "twitch" | "twitter" | "vk" | "withings" | "workos" | "yahoo" | "yandex" | "zoom";
+    [k: string]: "42" | "amazoncognito" | "anilist" | "apple" | "atlassian" | "attio" | "auth0" | "authentik" | "autodesk" | "battlenet" | "bitbucket" | "box" | "bungie" | "close" | "coinbase" | "discord" | "donationalerts" | "dribbble" | "dropbox" | "epicgames" | "etsy" | "facebook" | "figma" | "gitea" | "github" | "gitlab" | "gohighlevel" | "google" | "hubspot" | "intuit" | "kakao" | "keycloak" | "kick" | "lichess" | "line" | "linear" | "linkedin" | "mastodon" | "mercadolibre" | "mercadopago" | "microsoftentraid" | "monday" | "myanimelist" | "naver" | "notion" | "okta" | "osu" | "patreon" | "pipedrive" | "polar" | "polaraccesslink" | "polarteampro" | "reddit" | "roblox" | "salesforce" | "shikimori" | "slack" | "spotify" | "startgg" | "strava" | "synology" | "tiktok" | "tiltify" | "tumblr" | "twitch" | "twitter" | "vk" | "withings" | "workos" | "yahoo" | "yandex" | "zoho" | "zoom";
 }>;
 export declare const userSessionIdTypebox: import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TTemplateLiteralSyntax<"${string}-${string}-${string}-${string}-${string}">>;

package/dist/types.d.ts

@@ -2,13 +2,22 @@ import { CredentialsFor, NonEmptyArray, OAuth2Client, OAuth2TokenResponse, Provi
 import { Cookie, status as statusType, redirect as redirectType } from 'elysia';
 import { ElysiaCustomStatusResponse } from 'elysia/error';
 import type { AuditConfig } from './audit/config';
+import type { AuthorizationConfig } from './authorization/config';
+import type { ComplianceConfig } from './compliance/config';
 import type { CredentialsConfig } from './credentials/config';
 import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { OrganizationsConfig } from './organizations/config';
+import type { PasswordlessConfig } from './passwordless/config';
+import type { RolesConfig } from './roles/config';
+import type { ScimConfig } from './scim/config';
 import type { SessionsConfig } from './session/sessionsConfig';
 import type { AuthSessionStore } from './session/types';
+import type { SSOConfig } from './sso/config';
+import type { WebAuthnConfig } from './webauthn/config';
+import type { WebhooksConfig } from './webhooks/config';
 export type AuthIntent = 'login' | 'link_identity' | 'link_connector';
 export type OAuth2ProviderClientConfiguration<Provider extends ProviderOption> = {
     credentials: CredentialsFor<Provider>;
@@ -34,6 +43,14 @@ export type SessionData<UserType> = {
     /** When the session was last established by an actual authentication (login, OAuth
      *  callback, or MFA challenge — NOT a token refresh). Drives step-up `requireRecentAuth`. */
     authenticatedAt?: number;
+    /** SAML SP-initiated Single Logout context, captured at the SAML ACS. Lets
+     *  `{ssoRoute}/saml/:org/logout` build a signed LogoutRequest (the IdP needs the original
+     *  NameID + SessionIndex) for the connection the session was created from. */
+    samlLogout?: {
+        connectionId: string;
+        nameId: string;
+        sessionIndex?: string;
+    };
 };
 export type SessionRecord<UserType> = Record<UserSessionId, SessionData<UserType>>;
 export type UnregisteredSessionData = {
@@ -170,6 +187,11 @@ export type AuthConfig<UserType> = {
      *  mounts register / verify-email / login / reset-password routes that produce the
      *  same `SessionData<UserType>` as OAuth, transparent to `protectRoute`. */
     credentials?: CredentialsConfig<UserType>;
+    /** Passwordless login: magic links + email/SMS OTP. When present, mounts the magic-link flow
+     *  (if `onSendMagicLink` is set) and/or the OTP flow (if `onSendOtp` is set) under
+     *  `{passwordlessRoute}`; each verify route resolves the email to a user and mints the same
+     *  `SessionData<UserType>` as every other flow. */
+    passwordless?: PasswordlessConfig<UserType>;
     /** Multi-factor auth (TOTP + backup codes). When present alongside `credentials`,
      *  `auth()` auto-wires the login MFA gate, mounts the enroll/challenge routes, and
      *  promotes the parked session once a factor is verified. */
@@ -181,6 +203,43 @@ export type AuthConfig<UserType> = {
      *  sessions) and `DELETE /auth/sessions/:id` (remote revoke). Requires an
      *  `authSessionStore` that can enumerate sessions. */
     sessions?: SessionsConfig<UserType>;
+    /** Per-organization enterprise SSO (the WorkOS-style model). When present, mounts
+     *  `GET {ssoRoute}/oidc/:organizationId/authorize` + `.../callback`, resolves the org's
+     *  OIDC connection from `ssoConnectionStore`, verifies the id_token in-house against the
+     *  issuer's JWKS, and mints the same `SessionData<UserType>` as every other flow. */
+    sso?: SSOConfig<UserType>;
+    /** SCIM 2.0 auto-provisioning for enterprise directory sync (Okta / Azure AD). When present,
+     *  mounts `{scimRoute}/Users` (+ `/ServiceProviderConfig`) with per-org bearer-token auth via
+     *  `scimTokenStore`, and maps SCIM resources to the consumer's user store through hooks. */
+    scim?: ScimConfig;
+    /** First-class multi-tenancy (the WorkOS model). When present, mounts organization +
+     *  membership + invitation routes under `{organizationsRoute}`: list the caller's orgs, create
+     *  one (caller becomes owner), invite/accept/revoke by email, and list/remove members. Ties the
+     *  bare `organizationId` used by SSO/SCIM/RBAC into a real tenant model with org-scoped roles. */
+    organizations?: OrganizationsConfig<UserType>;
+    /** Org-scoped roles & permissions (builds on `organizations`). When present, mounts routes to
+     *  list an org's role definitions and set a member's roles. Pair with
+     *  `createMembershipPermissionResolver` to make `authorization.hasPermission` turnkey. */
+    roles?: RolesConfig<UserType>;
+    /** Role-based / attribute-based access control (E4). When present, `auth()` exposes a
+     *  `protectPermission(check, handler)` derive (alongside `protectRoute`) that delegates the
+     *  decision to your `hasPermission` hook — the package stays schema-agnostic about roles. */
+    authorization?: AuthorizationConfig<UserType>;
+    /** GDPR/CCPA self-service compliance (E5). When present, mounts `GET {complianceRoute}/export`
+     *  (right to access) and `DELETE {complianceRoute}` (right to erasure — runs your delete hook,
+     *  revokes the user's sessions, clears the cookie). Pair with `audit.redact` for PII redaction. */
+    compliance?: ComplianceConfig<UserType>;
+    /** Passwordless / passkey auth (WebAuthn). When present, mounts the registration ceremony
+     *  (`{webauthnRoute}/register/options` + `/verify`, adds a passkey to the authenticated caller)
+     *  and the authentication ceremony (`.../authenticate/options` + `/verify`, passwordless sign-in
+     *  → mints the same `SessionData<UserType>`). A `webauthnAdapter` wraps a vetted library (e.g.
+     *  `@simplewebauthn/server`); the package never bundles the WebAuthn crypto. */
+    webauthn?: WebAuthnConfig<UserType>;
+    /** Signed outbound webhooks. When present, every emitted auth event (the audit taxonomy) is
+     *  HMAC-signed (Standard Webhooks scheme) and POSTed to each endpoint. Delivery is best-effort
+     *  and isolated per endpoint; configuring this alone (without `audit`) is enough to turn on
+     *  event emission. PII redaction (`audit.redact`) applies before delivery. */
+    webhooks?: WebhooksConfig;
     /** Enable the built-in HTMX fragment routes (login, identities, connectors,
      *  account, signout, delete-account). Supply provider display data + the
      *  identity/connector data actions; the package owns the route wiring and

package/dist/webauthn/adapter.d.ts

@@ -0,0 +1,59 @@
+export type WebAuthnCredentialDescriptor = {
+    id: string;
+    transports?: string[];
+};
+export type WebAuthnRegistrationOptions = {
+    challenge: string;
+    options: Record<string, unknown>;
+};
+export type WebAuthnAuthenticationOptions = {
+    challenge: string;
+    options: Record<string, unknown>;
+};
+export type WebAuthnRegistrationResult = {
+    credential?: {
+        backedUp?: boolean;
+        counter: number;
+        credentialId: string;
+        deviceType?: string;
+        publicKey: string;
+        transports?: string[];
+    };
+    verified: boolean;
+};
+export type WebAuthnAuthenticationResult = {
+    newCounter?: number;
+    verified: boolean;
+};
+export type WebAuthnAdapter = {
+    createAuthenticationOptions: (request: {
+        allowCredentials: WebAuthnCredentialDescriptor[];
+        rpId: string;
+    }) => Promise<WebAuthnAuthenticationOptions> | WebAuthnAuthenticationOptions;
+    createRegistrationOptions: (request: {
+        excludeCredentials: WebAuthnCredentialDescriptor[];
+        rpId: string;
+        rpName: string;
+        userDisplayName: string;
+        userId: string;
+        userName: string;
+    }) => Promise<WebAuthnRegistrationOptions> | WebAuthnRegistrationOptions;
+    verifyAuthentication: (request: {
+        credential: {
+            counter: number;
+            credentialId: string;
+            publicKey: string;
+            transports?: string[];
+        };
+        expectedChallenge: string;
+        expectedOrigin: string;
+        expectedRPID: string;
+        response: unknown;
+    }) => Promise<WebAuthnAuthenticationResult>;
+    verifyRegistration: (request: {
+        expectedChallenge: string;
+        expectedOrigin: string;
+        expectedRPID: string;
+        response: unknown;
+    }) => Promise<WebAuthnRegistrationResult>;
+};

package/dist/webauthn/config.d.ts

@@ -0,0 +1,35 @@
+import type { AuditEmitter } from '../audit/config';
+import type { AuthSessionStore } from '../session/types';
+import type { RouteString, UserSessionId } from '../types';
+import type { WebAuthnAdapter } from './adapter';
+import type { WebAuthnCredentialStore } from './types';
+export declare const DEFAULT_WEBAUTHN_CHALLENGE_TTL_MS = 300000;
+export declare const DEFAULT_WEBAUTHN_ROUTE: RouteString;
+export declare const DEFAULT_WEBAUTHN_SESSION_TTL_MS: number;
+export declare const WEBAUTHN_CHALLENGE_COOKIE = "webauthn_challenge";
+export type WebAuthnConfig<UserType> = {
+    credentialStore: WebAuthnCredentialStore;
+    getUserId: (user: UserType) => string;
+    getWebAuthnUser: (userId: string) => Promise<UserType | null | undefined> | UserType | null | undefined;
+    origin: string;
+    rpId: string;
+    rpName: string;
+    webauthnAdapter: WebAuthnAdapter;
+    challengeDurationMs?: number;
+    getUserDisplayName?: (user: UserType) => string;
+    getUserName?: (user: UserType) => string;
+    onWebAuthnAuthenticated?: (context: {
+        user: UserType;
+        userSessionId: UserSessionId;
+    }) => void | Promise<void>;
+    onWebAuthnRegistered?: (context: {
+        credentialId: string;
+        userId: string;
+    }) => void | Promise<void>;
+    sessionDurationMs?: number;
+    webauthnRoute?: RouteString;
+};
+export type WebAuthnRouteProps<UserType> = WebAuthnConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+    emit?: AuditEmitter;
+};

package/dist/webauthn/inMemoryWebAuthnCredentialStore.d.ts

@@ -0,0 +1,2 @@
+import type { WebAuthnCredentialStore } from './types';
+export declare const createInMemoryWebAuthnCredentialStore: () => WebAuthnCredentialStore;