@absolutejs/auth 0.27.0-beta.0 → 0.27.0-beta.10

package/dist/oidc/routes.d.ts

@@ -0,0 +1,142 @@
+import { Elysia } from 'elysia';
+import type { AuthSessionStore } from '../session/types';
+import { type OidcProviderConfig } from './config';
+export declare const oidcProviderRoutes: <UserType>(config: OidcProviderConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+}) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: import("..").SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: {
+                nonce?: string | undefined;
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                code_challenge?: string | undefined;
+                code_challenge_method?: string | undefined;
+                redirect_uri?: string | undefined;
+                response_type?: string | undefined;
+                state?: string | undefined;
+            };
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                audience?: string | undefined;
+                resource?: string | undefined;
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                refresh_token?: string | undefined;
+                client_secret?: string | undefined;
+                grant_type?: string | undefined;
+                code?: string | undefined;
+                redirect_uri?: string | undefined;
+                code_verifier?: string | undefined;
+                subject_token?: string | undefined;
+                subject_token_type?: string | undefined;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    keys: {
+                        alg: string;
+                        crv: string | undefined;
+                        kid: string;
+                        kty: string | undefined;
+                        use: string;
+                        x: string | undefined;
+                        y: string | undefined;
+                    }[];
+                };
+            };
+        };
+    };
+} & {
+    ".well-known": {
+        "openid-configuration": {
+            get: {
+                body: unknown;
+                params: {};
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: Record<string, string | string[]>;
+                };
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/oidc/types.d.ts

@@ -0,0 +1,42 @@
+export type OAuthClient = {
+    clientId: string;
+    hashedSecret?: string;
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+};
+export type OAuthClientStore = {
+    findClient: (clientId: string) => Promise<OAuthClient | undefined>;
+};
+export type AuthorizationCode = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    codeChallenge: string;
+    codeHash: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    nonce?: string;
+    redirectUri: string;
+    scopes: string[];
+    userId: string;
+};
+export type AuthorizationCodeStore = {
+    consumeCode: (codeHash: string) => Promise<AuthorizationCode | undefined>;
+    saveCode: (code: AuthorizationCode) => Promise<void>;
+};
+export type OidcRefreshToken = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    scopes: string[];
+    tokenHash: string;
+    userId: string;
+};
+export type OidcRefreshTokenStore = {
+    consumeToken: (tokenHash: string) => Promise<OidcRefreshToken | undefined>;
+    deleteForUser: (userId: string) => Promise<void>;
+    saveToken: (token: OidcRefreshToken) => Promise<void>;
+};

package/dist/portal/routes.d.ts

@@ -91,8 +91,8 @@ export declare const portalRoutes: ({ emit, onScimTokenCreated, onSsoConnectionC
             oidc: {
                 put: {
                     body: {
-                        redirectUri?: string | undefined;
                         scopes?: string[] | undefined;
+                        redirectUri?: string | undefined;
                         issuer: string;
                         clientId: string;
                         clientSecret: string;

package/dist/session/anonymous.d.ts

@@ -0,0 +1,11 @@
+import type { Cookie } from 'elysia';
+import type { SessionData, SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+export declare const createAnonymousSession: <UserType>({ authSessionStore, cookie, guestUser, inMemorySession, sessionDurationMs }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    guestUser: UserType;
+    inMemorySession: SessionRecord<UserType>;
+    sessionDurationMs?: number;
+}) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export declare const isAnonymousSession: <UserType>(session: SessionData<UserType> | undefined) => boolean;

package/dist/session/impersonation.d.ts

@@ -0,0 +1,29 @@
+import type { Cookie } from 'elysia';
+import type { AuditEvent } from '../audit/types';
+import type { SessionData, SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+type Emit = (event: AuditEvent) => Promise<void> | void;
+export declare const endImpersonation: <UserType>({ authSessionStore, cookie, emit, inMemorySession }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    emit?: Emit;
+    inMemorySession: SessionRecord<UserType>;
+}) => Promise<{
+    restored: boolean;
+}>;
+export declare const isImpersonating: <UserType>(session: SessionData<UserType> | undefined) => boolean;
+export declare const startImpersonation: <UserType>({ authSessionStore, cookie, emit, getUserId, impersonator, inMemorySession, sessionDurationMs, user }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    emit?: Emit;
+    getUserId?: (user: UserType) => string;
+    impersonator: {
+        actorEmail?: string;
+        actorId: string;
+        reason: string;
+    };
+    inMemorySession: SessionRecord<UserType>;
+    sessionDurationMs?: number;
+    user: UserType;
+}) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export {};

package/dist/session/multiSession.d.ts

@@ -0,0 +1,25 @@
+import type { Cookie } from 'elysia';
+import type { SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+export declare const addToSessionRing: (ring: Cookie<string | undefined>, sessionId: UserSessionId) => Cookie<string | undefined>;
+export declare const listRingSessions: <UserType>({ authSessionStore, inMemorySession, ring }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    inMemorySession?: SessionRecord<UserType>;
+    ring: Cookie<string | undefined>;
+}) => Promise<{
+    sessionId: UserSessionId;
+    user: UserType;
+}[]>;
+export declare const readSessionRing: (ring: Cookie<string | undefined>) => `${string}-${string}-${string}-${string}-${string}`[];
+export declare const removeFromSessionRing: <UserType>({ activeCookie, authSessionStore, inMemorySession, ring, sessionId }: {
+    activeCookie?: Cookie<UserSessionId | undefined>;
+    authSessionStore?: AuthSessionStore<UserType>;
+    inMemorySession?: SessionRecord<UserType>;
+    ring: Cookie<string | undefined>;
+    sessionId: UserSessionId;
+}) => Promise<void>;
+export declare const switchActiveSession: ({ activeCookie, ring, sessionId }: {
+    activeCookie: Cookie<UserSessionId | undefined>;
+    ring: Cookie<string | undefined>;
+    sessionId: UserSessionId;
+}) => boolean;

package/dist/session/promote.d.ts

@@ -9,12 +9,14 @@ type ClearSessionProps<UserType> = {
 export declare const clearSession: <UserType>({ authSessionStore, cookie, inMemorySession }: ClearSessionProps<UserType>) => Promise<void>;
 export declare const persistWhen: (shouldPersist: boolean, persist: () => Promise<void>) => Promise<void>;
 type PromoteToSessionProps<UserType> = {
+    anonymous?: boolean;
     authSessionStore?: AuthSessionStore<UserType>;
     cookie: Cookie<UserSessionId | undefined>;
+    impersonator?: SessionData<UserType>['impersonator'];
     inMemorySession: SessionRecord<UserType>;
     samlLogout?: SessionData<UserType>['samlLogout'];
     sessionDurationMs: number;
     user: UserType;
 };
-export declare const promoteToSession: <UserType>({ authSessionStore, cookie, inMemorySession, samlLogout, sessionDurationMs, user }: PromoteToSessionProps<UserType>) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export declare const promoteToSession: <UserType>({ anonymous, authSessionStore, cookie, impersonator, inMemorySession, samlLogout, sessionDurationMs, user }: PromoteToSessionProps<UserType>) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
 export {};

package/dist/types.d.ts

@@ -1,6 +1,7 @@
 import { CredentialsFor, NonEmptyArray, OAuth2Client, OAuth2TokenResponse, ProviderOption, ProvidersMap } from 'citra';
 import { Cookie, status as statusType, redirect as redirectType } from 'elysia';
 import { ElysiaCustomStatusResponse } from 'elysia/error';
+import type { ApiKeysConfig } from './apikeys/config';
 import type { AuditConfig } from './audit/config';
 import type { AuthorizationConfig } from './authorization/config';
 import type { ComplianceConfig } from './compliance/config';
@@ -9,6 +10,7 @@ import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { OidcProviderConfig } from './oidc/config';
 import type { OrganizationsConfig } from './organizations/config';
 import type { PasswordlessConfig } from './passwordless/config';
 import type { PortalConfig } from './portal/config';
@@ -33,6 +35,17 @@ export type OAuth2ConfigurationOptions = {
     [Provider in ProviderOption]?: OAuth2ProviderConfiguration<Provider>;
 };
 export type UserSessionId = `${string}-${string}-${string}-${string}-${string}`;
+/** Stamped on a session created via admin impersonation (`startImpersonation`). RFC 8693
+ *  actor semantics: `actorId`/`actorEmail` are the admin acting as the user, `reason` is
+ *  required and audited, `returnToSessionId` is the admin's own session to restore on exit.
+ *  Surfaced by userStatus so your UI can show an "impersonating" banner. */
+export type Impersonator = {
+    actorEmail?: string;
+    actorId: string;
+    reason: string;
+    returnToSessionId?: UserSessionId;
+    startedAt: number;
+};
 export type SessionData<UserType> = {
     user: UserType;
     /** OAuth provider access token. Optional: credential / SSO sessions are not backed
@@ -52,6 +65,11 @@ export type SessionData<UserType> = {
         nameId: string;
         sessionIndex?: string;
     };
+    /** Present only when this session was created via admin impersonation. */
+    impersonator?: Impersonator;
+    /** True for a guest/anonymous session (createAnonymousSession) that can later be
+     *  upgraded by a real login. */
+    anonymous?: boolean;
 };
 export type SessionRecord<UserType> = Record<UserSessionId, SessionData<UserType>>;
 export type UnregisteredSessionData = {
@@ -213,6 +231,20 @@ export type AuthConfig<UserType> = {
      *  mounts `{scimRoute}/Users` (+ `/ServiceProviderConfig`) with per-org bearer-token auth via
      *  `scimTokenStore`, and maps SCIM resources to the consumer's user store through hooks. */
     scim?: ScimConfig;
+    /** Machine-to-machine authentication: static API keys (`sk_…`) + the OAuth2
+     *  client_credentials grant. When `apiClientStore` + `accessTokenStore` are set,
+     *  mounts `{tokenRoute}` (defaults `/oauth2/token`) so registered clients can
+     *  exchange `client_id`/`client_secret` for short-lived `at_…` access tokens.
+     *  Pair with the exported `createApiKey` / `resolveApiPrincipal` / `hasScopes`
+     *  helpers to issue and guard with static keys. */
+    apikeys?: ApiKeysConfig;
+    /** OAuth2 / OIDC provider — makes your app an identity provider ("Sign in with
+     *  <yourapp>"). Mounts `{oidcRoute}/authorize` + `/token` + `/jwks` and
+     *  `/.well-known/openid-configuration`: authorization_code + mandatory PKCE, ES256
+     *  JWTs signed by a key you own (self-hosted JWKS), refresh-token rotation, and
+     *  optional DPoP (RFC 9449) sender-constrained tokens. The authorize endpoint reuses
+     *  the package session, so the IdP login gets passkeys / MFA / SSO for free. */
+    oidc?: OidcProviderConfig<UserType>;
     /** First-class multi-tenancy (the WorkOS model). When present, mounts organization +
      *  membership + invitation routes under `{organizationsRoute}`: list the caller's orgs, create
      *  one (caller becomes owner), invite/accept/revoke by email, and list/remove members. Ties the

package/package.json

@@ -1,5 +1,5 @@
 {
-	"version": "0.27.0-beta.0",
+	"version": "0.27.0-beta.10",
 	"name": "@absolutejs/auth",
 	"description": "An authorization library for absolutejs",
 	"repository": {