@absolutejs/auth 0.27.0-beta.3 → 0.27.0-beta.4

package/dist/oidc/routes.d.ts

@@ -0,0 +1,138 @@
+import { Elysia } from 'elysia';
+import type { AuthSessionStore } from '../session/types';
+import { type OidcProviderConfig } from './config';
+export declare const oidcProviderRoutes: <UserType>(config: OidcProviderConfig<UserType> & {
+    authSessionStore?: AuthSessionStore<UserType>;
+}) => Elysia<"", {
+    decorator: {};
+    store: {
+        session: import("..").SessionRecord<UserType>;
+        unregisteredSession: import("..").UnregisteredSessionRecord;
+    };
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: {
+                nonce?: string | undefined;
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                code_challenge?: string | undefined;
+                code_challenge_method?: string | undefined;
+                redirect_uri?: string | undefined;
+                response_type?: string | undefined;
+                state?: string | undefined;
+            };
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        post: {
+            body: {
+                client_id?: string | undefined;
+                scope?: string | undefined;
+                refresh_token?: string | undefined;
+                client_secret?: string | undefined;
+                grant_type?: string | undefined;
+                code?: string | undefined;
+                redirect_uri?: string | undefined;
+                code_verifier?: string | undefined;
+            };
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: Response;
+                422: {
+                    type: "validation";
+                    on: string;
+                    summary?: string;
+                    message?: string;
+                    found?: unknown;
+                    property?: string;
+                    expected?: string;
+                };
+            };
+        };
+    };
+} & {
+    [x: string]: {
+        get: {
+            body: unknown;
+            params: {};
+            query: unknown;
+            headers: unknown;
+            response: {
+                200: {
+                    keys: {
+                        alg: string;
+                        crv: string | undefined;
+                        kid: string;
+                        kty: string | undefined;
+                        use: string;
+                        x: string | undefined;
+                        y: string | undefined;
+                    }[];
+                };
+            };
+        };
+    };
+} & {
+    ".well-known": {
+        "openid-configuration": {
+            get: {
+                body: unknown;
+                params: {};
+                query: unknown;
+                headers: unknown;
+                response: {
+                    200: Record<string, string | string[]>;
+                };
+            };
+        };
+    };
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+} & {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/oidc/types.d.ts

@@ -0,0 +1,42 @@
+export type OAuthClient = {
+    clientId: string;
+    hashedSecret?: string;
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+};
+export type OAuthClientStore = {
+    findClient: (clientId: string) => Promise<OAuthClient | undefined>;
+};
+export type AuthorizationCode = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    codeChallenge: string;
+    codeHash: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    nonce?: string;
+    redirectUri: string;
+    scopes: string[];
+    userId: string;
+};
+export type AuthorizationCodeStore = {
+    consumeCode: (codeHash: string) => Promise<AuthorizationCode | undefined>;
+    saveCode: (code: AuthorizationCode) => Promise<void>;
+};
+export type OidcRefreshToken = {
+    claims?: Record<string, unknown>;
+    clientId: string;
+    createdAt: number;
+    dpopJkt?: string;
+    expiresAt: number;
+    scopes: string[];
+    tokenHash: string;
+    userId: string;
+};
+export type OidcRefreshTokenStore = {
+    consumeToken: (tokenHash: string) => Promise<OidcRefreshToken | undefined>;
+    deleteForUser: (userId: string) => Promise<void>;
+    saveToken: (token: OidcRefreshToken) => Promise<void>;
+};

package/dist/types.d.ts

@@ -10,6 +10,7 @@ import type { AuthIdentityConflict } from './errors';
 import type { AuthHtmxConfig, AuthHtmxUser } from './htmx/types';
 import type { LockoutConfig } from './lockout/config';
 import type { MfaConfig } from './mfa/config';
+import type { OidcProviderConfig } from './oidc/config';
 import type { OrganizationsConfig } from './organizations/config';
 import type { PasswordlessConfig } from './passwordless/config';
 import type { PortalConfig } from './portal/config';
@@ -234,6 +235,13 @@ export type AuthConfig<UserType> = {
      *  Pair with the exported `createApiKey` / `resolveApiPrincipal` / `hasScopes`
      *  helpers to issue and guard with static keys. */
     apikeys?: ApiKeysConfig;
+    /** OAuth2 / OIDC provider — makes your app an identity provider ("Sign in with
+     *  <yourapp>"). Mounts `{oidcRoute}/authorize` + `/token` + `/jwks` and
+     *  `/.well-known/openid-configuration`: authorization_code + mandatory PKCE, ES256
+     *  JWTs signed by a key you own (self-hosted JWKS), refresh-token rotation, and
+     *  optional DPoP (RFC 9449) sender-constrained tokens. The authorize endpoint reuses
+     *  the package session, so the IdP login gets passkeys / MFA / SSO for free. */
+    oidc?: OidcProviderConfig<UserType>;
     /** First-class multi-tenancy (the WorkOS model). When present, mounts organization +
      *  membership + invitation routes under `{organizationsRoute}`: list the caller's orgs, create
      *  one (caller becomes owner), invite/accept/revoke by email, and list/remove members. Ties the

package/package.json

@@ -1,5 +1,5 @@
 {
-	"version": "0.27.0-beta.3",
+	"version": "0.27.0-beta.4",
 	"name": "@absolutejs/auth",
 	"description": "An authorization library for absolutejs",
 	"repository": {