@absolutejs/auth 0.27.0-beta.1 → 0.27.0-beta.11

package/dist/oidc/routes.d.ts

@@ -0,0 +1,142 @@
+import { Elysia } from 'elysia';
+import type { AuthSessionStore } from '../session/types';
+import { type OidcProviderConfig } from './config';
+export declare const oidcProviderRoutes: <UserType>(config: OidcProviderConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+}) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: import("..").SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: {
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                nonce?: string | undefined;
+                code_challenge?: string | undefined;
+                code_challenge_method?: string | undefined;
+                redirect_uri?: string | undefined;
+                response_type?: string | undefined;
+                state?: string | undefined;
+            };
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                audience?: string | undefined;
+                resource?: string | undefined;
+                refresh_token?: string | undefined;
+                client_secret?: string | undefined;
+                grant_type?: string | undefined;
+                code?: string | undefined;
+                redirect_uri?: string | undefined;
+                code_verifier?: string | undefined;
+                subject_token?: string | undefined;
+                subject_token_type?: string | undefined;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    keys: {
+                        alg: string;
+                        crv: string | undefined;
+                        kid: string;
+                        kty: string | undefined;
+                        use: string;
+                        x: string | undefined;
+                        y: string | undefined;
+                    }[];
+                };
+            };
+        };
+    };
+} & {
+    ".well-known": {
+        "openid-configuration": {
+            get: {
+                body: unknown;
+                params: {};
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: Record<string, string | string[]>;
+                };
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/oidc/types.d.ts

@@ -0,0 +1,42 @@
+export type OAuthClient = {
+    clientId: string;
+    hashedSecret?: string;
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+};
+export type OAuthClientStore = {
+    findClient: (clientId: string) => Promise<OAuthClient | undefined>;
+};
+export type AuthorizationCode = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    codeChallenge: string;
+    codeHash: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    nonce?: string;
+    redirectUri: string;
+    scopes: string[];
+    userId: string;
+};
+export type AuthorizationCodeStore = {
+    consumeCode: (codeHash: string) => Promise<AuthorizationCode | undefined>;
+    saveCode: (code: AuthorizationCode) => Promise<void>;
+};
+export type OidcRefreshToken = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    scopes: string[];
+    tokenHash: string;
+    userId: string;
+};
+export type OidcRefreshTokenStore = {
+    consumeToken: (tokenHash: string) => Promise<OidcRefreshToken | undefined>;
+    deleteForUser: (userId: string) => Promise<void>;
+    saveToken: (token: OidcRefreshToken) => Promise<void>;
+};

package/dist/organizations/operations.d.ts

@@ -5,6 +5,13 @@ export declare const acceptInvitation: ({ organizationStore, token, userId }: {
     token: string;
     userId: string;
 }) => Promise<OrganizationMembership | undefined>;
+export declare const autoAssignOrgsByEmail: ({ email, getOrgsForDomain, organizationStore, roles, userId }: {
+    email: string;
+    getOrgsForDomain: (domain: string) => Promise<OrganizationId[]> | OrganizationId[];
+    organizationStore: OrganizationStore;
+    roles?: string[];
+    userId: string;
+}) => Promise<string[]>;
 export declare const createOrganization: ({ metadata, name, organizationStore, ownerRoles, ownerUserId }: {
     metadata?: Record<string, unknown>;
     name: string;

package/dist/session/anonymous.d.ts

@@ -0,0 +1,11 @@
+import type { Cookie } from 'elysia';
+import type { SessionData, SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+export declare const createAnonymousSession: <UserType>({ authSessionStore, cookie, guestUser, inMemorySession, sessionDurationMs }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    guestUser: UserType;
+    inMemorySession: SessionRecord<UserType>;
+    sessionDurationMs?: number;
+}) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export declare const isAnonymousSession: <UserType>(session: SessionData<UserType> | undefined) => boolean;

package/dist/session/impersonation.d.ts

@@ -0,0 +1,29 @@
+import type { Cookie } from 'elysia';
+import type { AuditEvent } from '../audit/types';
+import type { SessionData, SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+type Emit = (event: AuditEvent) => Promise<void> | void;
+export declare const endImpersonation: <UserType>({ authSessionStore, cookie, emit, inMemorySession }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    emit?: Emit;
+    inMemorySession: SessionRecord<UserType>;
+}) => Promise<{
+    restored: boolean;
+}>;
+export declare const isImpersonating: <UserType>(session: SessionData<UserType> | undefined) => boolean;
+export declare const startImpersonation: <UserType>({ authSessionStore, cookie, emit, getUserId, impersonator, inMemorySession, sessionDurationMs, user }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    cookie: Cookie<UserSessionId | undefined>;
+    emit?: Emit;
+    getUserId?: (user: UserType) => string;
+    impersonator: {
+        actorEmail?: string;
+        actorId: string;
+        reason: string;
+    };
+    inMemorySession: SessionRecord<UserType>;
+    sessionDurationMs?: number;
+    user: UserType;
+}) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export {};

package/dist/session/multiSession.d.ts

@@ -0,0 +1,25 @@
+import type { Cookie } from 'elysia';
+import type { SessionRecord, UserSessionId } from '../types';
+import type { AuthSessionStore } from './types';
+export declare const addToSessionRing: (ring: Cookie<string | undefined>, sessionId: UserSessionId) => Cookie<string | undefined>;
+export declare const listRingSessions: <UserType>({ authSessionStore, inMemorySession, ring }: {
+    authSessionStore?: AuthSessionStore<UserType>;
+    inMemorySession?: SessionRecord<UserType>;
+    ring: Cookie<string | undefined>;
+}) => Promise<{
+    sessionId: UserSessionId;
+    user: UserType;
+}[]>;
+export declare const readSessionRing: (ring: Cookie<string | undefined>) => `${string}-${string}-${string}-${string}-${string}`[];
+export declare const removeFromSessionRing: <UserType>({ activeCookie, authSessionStore, inMemorySession, ring, sessionId }: {
+    activeCookie?: Cookie<UserSessionId | undefined>;
+    authSessionStore?: AuthSessionStore<UserType>;
+    inMemorySession?: SessionRecord<UserType>;
+    ring: Cookie<string | undefined>;
+    sessionId: UserSessionId;
+}) => Promise<void>;
+export declare const switchActiveSession: ({ activeCookie, ring, sessionId }: {
+    activeCookie: Cookie<UserSessionId | undefined>;
+    ring: Cookie<string | undefined>;
+    sessionId: UserSessionId;
+}) => boolean;

package/dist/session/promote.d.ts

@@ -9,12 +9,14 @@ type ClearSessionProps<UserType> = {
 export declare const clearSession: <UserType>({ authSessionStore, cookie, inMemorySession }: ClearSessionProps<UserType>) => Promise<void>;
 export declare const persistWhen: (shouldPersist: boolean, persist: () => Promise<void>) => Promise<void>;
 type PromoteToSessionProps<UserType> = {
+    anonymous?: boolean;
     authSessionStore?: AuthSessionStore<UserType>;
     cookie: Cookie<UserSessionId | undefined>;
+    impersonator?: SessionData<UserType>['impersonator'];
     inMemorySession: SessionRecord<UserType>;
     samlLogout?: SessionData<UserType>['samlLogout'];
     sessionDurationMs: number;
     user: UserType;
 };
-export declare const promoteToSession: <UserType>({ authSessionStore, cookie, inMemorySession, samlLogout, sessionDurationMs, user }: PromoteToSessionProps<UserType>) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
+export declare const promoteToSession: <UserType>({ anonymous, authSessionStore, cookie, impersonator, inMemorySession, samlLogout, sessionDurationMs, user }: PromoteToSessionProps<UserType>) => Promise<`${string}-${string}-${string}-${string}-${string}`>;
 export {};

package/dist/types.d.ts

@@ -10,6 +10,7 @@ import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { OidcProviderConfig } from './oidc/config';
 import type { OrganizationsConfig } from './organizations/config';
 import type { PasswordlessConfig } from './passwordless/config';
 import type { PortalConfig } from './portal/config';
@@ -34,6 +35,17 @@ export type OAuth2ConfigurationOptions = {
     [Provider in ProviderOption]?: OAuth2ProviderConfiguration<Provider>;
 };
 export type UserSessionId = `${string}-${string}-${string}-${string}-${string}`;
+/** Stamped on a session created via admin impersonation (`startImpersonation`). RFC 8693
+ *  actor semantics: `actorId`/`actorEmail` are the admin acting as the user, `reason` is
+ *  required and audited, `returnToSessionId` is the admin's own session to restore on exit.
+ *  Surfaced by userStatus so your UI can show an "impersonating" banner. */
+export type Impersonator = {
+    actorEmail?: string;
+    actorId: string;
+    reason: string;
+    returnToSessionId?: UserSessionId;
+    startedAt: number;
+};
 export type SessionData<UserType> = {
     user: UserType;
     /** OAuth provider access token. Optional: credential / SSO sessions are not backed
@@ -53,6 +65,11 @@ export type SessionData<UserType> = {
         nameId: string;
         sessionIndex?: string;
     };
+    /** Present only when this session was created via admin impersonation. */
+    impersonator?: Impersonator;
+    /** True for a guest/anonymous session (createAnonymousSession) that can later be
+     *  upgraded by a real login. */
+    anonymous?: boolean;
 };
 export type SessionRecord<UserType> = Record<UserSessionId, SessionData<UserType>>;
 export type UnregisteredSessionData = {
@@ -221,6 +238,13 @@ export type AuthConfig<UserType> = {
      *  Pair with the exported `createApiKey` / `resolveApiPrincipal` / `hasScopes`
      *  helpers to issue and guard with static keys. */
     apikeys?: ApiKeysConfig;
+    /** OAuth2 / OIDC provider — makes your app an identity provider ("Sign in with
+     *  <yourapp>"). Mounts `{oidcRoute}/authorize` + `/token` + `/jwks` and
+     *  `/.well-known/openid-configuration`: authorization_code + mandatory PKCE, ES256
+     *  JWTs signed by a key you own (self-hosted JWKS), refresh-token rotation, and
+     *  optional DPoP (RFC 9449) sender-constrained tokens. The authorize endpoint reuses
+     *  the package session, so the IdP login gets passkeys / MFA / SSO for free. */
+    oidc?: OidcProviderConfig<UserType>;
     /** First-class multi-tenancy (the WorkOS model). When present, mounts organization +
      *  membership + invitation routes under `{organizationsRoute}`: list the caller's orgs, create
      *  one (caller becomes owner), invite/accept/revoke by email, and list/remove members. Ties the

package/dist/vault/config.d.ts

@@ -0,0 +1,20 @@
+import { type SecretCipher } from '../compliance/cipher';
+import type { VaultStore } from './types';
+export type Vault = {
+    delete: (ownerId: string, name: string) => Promise<void>;
+    get: (ownerId: string, name: string) => Promise<string | undefined>;
+    list: (ownerId: string) => Promise<string[]>;
+    put: (ownerId: string, name: string, value: string) => Promise<void>;
+};
+export declare const createVault: ({ cipher, store }: {
+    cipher: SecretCipher;
+    store: VaultStore;
+}) => Vault;
+export type VaultKeyRotationResult = {
+    rotated: number;
+};
+export declare const rotateVaultKey: ({ newKey, oldKey, store }: {
+    newKey: string;
+    oldKey: string;
+    store: VaultStore;
+}) => Promise<VaultKeyRotationResult>;

package/dist/vault/inMemoryVaultStore.d.ts

@@ -0,0 +1,2 @@
+import type { VaultStore } from './types';
+export declare const createInMemoryVaultStore: () => VaultStore;

package/dist/vault/postgresVaultStore.d.ts

@@ -0,0 +1,100 @@
+import { type AnyPgDatabase } from '../stores/postgres';
+import type { VaultStore } from './types';
+export declare const vaultEntriesTable: import("drizzle-orm/pg-core").PgTableWithColumns<{
+    name: "auth_vault_entries";
+    schema: undefined;
+    columns: {
+        created_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "created_at_ms";
+            tableName: "auth_vault_entries";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        encrypted_value: import("drizzle-orm/pg-core").PgColumn<{
+            name: "encrypted_value";
+            tableName: "auth_vault_entries";
+            dataType: "string";
+            columnType: "PgText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        name: import("drizzle-orm/pg-core").PgColumn<{
+            name: "name";
+            tableName: "auth_vault_entries";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        owner_id: import("drizzle-orm/pg-core").PgColumn<{
+            name: "owner_id";
+            tableName: "auth_vault_entries";
+            dataType: "string";
+            columnType: "PgVarchar";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: 255;
+        }>;
+        updated_at_ms: import("drizzle-orm/pg-core").PgColumn<{
+            name: "updated_at_ms";
+            tableName: "auth_vault_entries";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "pg";
+}>;
+export declare const createNeonVaultStore: (databaseUrl: string) => VaultStore;
+export declare const createPostgresVaultStore: (db: AnyPgDatabase) => VaultStore;

package/dist/vault/types.d.ts

@@ -0,0 +1,14 @@
+export type VaultEntry = {
+    createdAt: number;
+    encryptedValue: string;
+    name: string;
+    ownerId: string;
+    updatedAt: number;
+};
+export type VaultStore = {
+    deleteEntry: (ownerId: string, name: string) => Promise<void>;
+    getEntry: (ownerId: string, name: string) => Promise<VaultEntry | undefined>;
+    listAllEntries: () => Promise<VaultEntry[]>;
+    listEntries: (ownerId: string) => Promise<VaultEntry[]>;
+    saveEntry: (entry: VaultEntry) => Promise<void>;
+};

package/package.json

@@ -1,5 +1,5 @@
 {
-	"version": "0.27.0-beta.1",
+	"version": "0.27.0-beta.11",
 	"name": "@absolutejs/auth",
 	"description": "An authorization library for absolutejs",
 	"repository": {