@absolutejs/auth 0.27.0-beta.4 → 0.27.0-beta.6

package/dist/credentials/emailValidation.d.ts

@@ -0,0 +1,9 @@
+export type EmailValidationResult = {
+    ok: boolean;
+    reason?: 'disposable' | 'invalid_format' | 'no_mx';
+};
+export declare const isDisposableEmail: (email: string, extraDomains?: Iterable<string>) => boolean;
+export declare const validateEmailDeliverability: (email: string, options?: {
+    checkMx?: boolean;
+    disposableDomains?: Iterable<string>;
+}) => Promise<EmailValidationResult>;

package/dist/credentials/passwordPolicy.d.ts

@@ -12,3 +12,4 @@ export type PasswordPolicyResult = {
     violations: PasswordPolicyViolation[];
 };
 export declare const evaluatePassword: (password: string, policy?: PasswordPolicy) => Promise<PasswordPolicyResult>;
+export declare const isPasswordCompromised: (password: string) => Promise<boolean>;

package/dist/index.d.ts

@@ -13477,6 +13477,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
     [x: string]: {
         post: {
             body: {
+                audience?: string | undefined;
+                resource?: string | undefined;
                 client_id?: string | undefined;
                 scope?: string | undefined;
                 refresh_token?: string | undefined;
@@ -13485,6 +13487,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 code?: string | undefined;
                 redirect_uri?: string | undefined;
                 code_verifier?: string | undefined;
+                subject_token?: string | undefined;
+                subject_token_type?: string | undefined;
             };
             params: {};
             query: unknown;
@@ -14648,6 +14652,8 @@ export { sessionRoutes } from './routes/sessions';
 export { stepUpPlugin } from './routes/stepUp';
 export * from './session/sessionsConfig';
 export { endImpersonation, isImpersonating, startImpersonation } from './session/impersonation';
+export { createAnonymousSession, isAnonymousSession } from './session/anonymous';
+export { addToSessionRing, listRingSessions, readSessionRing, removeFromSessionRing, switchActiveSession } from './session/multiSession';
 export { listUserSessions, revokeUserSessions } from './session/userSessions';
 export type { UserSession } from './session/userSessions';
 export { sessionCleanup } from './session/cleanup';
@@ -14662,6 +14668,7 @@ export * from './crypto';
 export * from './tenancy';
 export * from './credentials/config';
 export * from './credentials/passwordPolicy';
+export * from './credentials/emailValidation';
 export * from './credentials/types';
 export { credentialRoutes } from './credentials/routes';
 export { credentialsEmailVerification } from './credentials/emailVerification';

package/dist/index.js

@@ -3213,6 +3213,7 @@ var persistWhen = async (shouldPersist, persist) => {
     await persist();
 };
 var promoteToSession = async ({
+  anonymous,
   authSessionStore,
   cookie,
   impersonator,
@@ -3236,6 +3237,8 @@ var promoteToSession = async ({
     data.samlLogout = samlLogout;
   if (impersonator !== undefined)
     data.impersonator = impersonator;
+  if (anonymous === true)
+    data.anonymous = true;
   targetSession[userSessionId] = data;
   cookie.set({
     httpOnly: true,
@@ -3512,6 +3515,7 @@ var evaluatePassword = async (password, policy = {}) => {
   }
   return { ok: violations.length === 0, violations };
 };
+var isPasswordCompromised = (password) => isPasswordBreached(password);
 
 // src/credentials/passwordReset.ts
 var credentialsPasswordReset = ({
@@ -4134,6 +4138,72 @@ var DEFAULT_ACCESS_TOKEN_TTL_MS2 = MILLISECONDS_IN_AN_HOUR;
 var DEFAULT_ID_TOKEN_TTL_MS = MILLISECONDS_IN_AN_HOUR;
 var DEFAULT_REFRESH_TOKEN_TTL_MS = MILLISECONDS_IN_A_DAY * REFRESH_TTL_DAYS;
 var nowSeconds = (milliseconds) => Math.floor(milliseconds / MS_PER_SECOND);
+var narrowScopes = (available, requested) => requested === undefined || requested.length === 0 ? available : requested.filter((scope) => available.includes(scope));
+var buildAccessClaims = ({
+  act,
+  audience,
+  clientId,
+  dpopJkt,
+  issuer,
+  now,
+  scopes,
+  sub,
+  ttl
+}) => {
+  const claims = {
+    aud: audience ?? clientId,
+    client_id: clientId,
+    exp: nowSeconds(now + ttl),
+    iat: nowSeconds(now),
+    iss: issuer,
+    jti: crypto.randomUUID(),
+    scope: scopes.join(" "),
+    sub,
+    token_use: "access"
+  };
+  if (act !== undefined)
+    claims.act = act;
+  if (dpopJkt !== undefined)
+    claims.cnf = { jkt: dpopJkt };
+  return claims;
+};
+var exchangeToken = async ({
+  actorClientId,
+  audience,
+  config,
+  dpopJkt,
+  now = Date.now(),
+  requestedScopes,
+  subjectToken
+}) => {
+  const verified = await verifyJwt(subjectToken, config.signingKey.publicJwk);
+  const payload = verified?.payload;
+  if (payload === undefined || typeof payload.sub !== "string" || typeof payload.exp !== "number" || payload.exp <= nowSeconds(now)) {
+    return { error: "invalid_grant", ok: false };
+  }
+  const available = typeof payload.scope === "string" ? payload.scope.split(" ") : [];
+  if (requestedScopes?.some((scope) => !available.includes(scope)) === true) {
+    return { error: "invalid_scope", ok: false };
+  }
+  const scopes = narrowScopes(available, requestedScopes);
+  const ttl = config.accessTokenTtlMs ?? DEFAULT_ACCESS_TOKEN_TTL_MS2;
+  return {
+    accessToken: await signJwt(buildAccessClaims({
+      act: { sub: actorClientId },
+      audience,
+      clientId: actorClientId,
+      dpopJkt,
+      issuer: config.issuer,
+      now,
+      scopes,
+      sub: payload.sub,
+      ttl
+    }), config.signingKey),
+    expiresIn: Math.floor(ttl / MS_PER_SECOND),
+    ok: true,
+    scope: scopes.join(" ")
+  };
+};
 var issueTokenSet = async ({
   claims,
   clientId,
@@ -4147,19 +4217,15 @@ var issueTokenSet = async ({
   const accessTtl = config.accessTokenTtlMs ?? DEFAULT_ACCESS_TOKEN_TTL_MS2;
   const idTtl = config.idTokenTtlMs ?? DEFAULT_ID_TOKEN_TTL_MS;
   const refreshTtl = config.refreshTokenTtlMs ?? DEFAULT_REFRESH_TOKEN_TTL_MS;
-  const accessPayload = {
-    aud: clientId,
-    client_id: clientId,
-    exp: nowSeconds(now + accessTtl),
-    iat: nowSeconds(now),
-    iss: config.issuer,
-    jti: crypto.randomUUID(),
-    scope: scopes.join(" "),
+  const accessPayload = buildAccessClaims({
+    clientId,
+    dpopJkt,
+    issuer: config.issuer,
+    now,
+    scopes,
     sub,
-    token_use: "access"
-  };
-  if (dpopJkt !== undefined)
-    accessPayload.cnf = { jkt: dpopJkt };
+    ttl: accessTtl
+  });
   const idPayload = {
     ...claims,
     aud: clientId,
@@ -4190,6 +4256,15 @@ var issueTokenSet = async ({
     token_type: dpopJkt === undefined ? "Bearer" : "DPoP"
   };
 };
+var mcpProtectedResourceMetadata = ({
+  issuer,
+  resource,
+  scopes
+}) => ({
+  authorization_servers: [issuer],
+  resource,
+  scopes_supported: scopes ?? []
+});
 var verifyPkce = async (codeVerifier, codeChallenge) => await hashToken(codeVerifier) === codeChallenge;
 
 // src/oidc/dpop.ts
@@ -4356,11 +4431,45 @@ var oidcProviderRoutes = (config) => {
       sub: record.userId
     }));
   };
+  const grantTokenExchange = async (client, body, dpop) => {
+    if (body.subject_token === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_request");
+    }
+    const dpopResult = dpop === undefined ? undefined : await verifyDpopProof({
+      htm: "POST",
+      htu: tokenUrl,
+      proof: dpop
+    });
+    if (dpop !== undefined && dpopResult === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_dpop_proof");
+    }
+    const result = await exchangeToken({
+      actorClientId: client.clientId,
+      audience: body.resource ?? body.audience,
+      config,
+      dpopJkt: dpopResult?.jkt,
+      requestedScopes: body.scope === undefined || body.scope.length === 0 ? undefined : body.scope.split(" "),
+      subjectToken: body.subject_token
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({
+      access_token: result.accessToken,
+      expires_in: result.expiresIn,
+      issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
+      scope: result.scope,
+      token_type: dpopResult === undefined ? "Bearer" : "DPoP"
+    }, HTTP_OK2);
+  };
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
-    grant_types_supported: ["authorization_code", "refresh_token"],
+    grant_types_supported: [
+      "authorization_code",
+      "refresh_token",
+      "urn:ietf:params:oauth:grant-type:token-exchange"
+    ],
     id_token_signing_alg_values_supported: ["ES256"],
     issuer,
     jwks_uri: `${issuer}${jwksRoute}`,
@@ -4467,9 +4576,13 @@ var oidcProviderRoutes = (config) => {
     if (body.grant_type === "refresh_token") {
       return grantRefreshToken(client, body, headers.dpop);
     }
+    if (body.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange") {
+      return grantTokenExchange(client, body, headers.dpop);
+    }
     return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
   }, {
     body: t12.Object({
+      audience: t12.Optional(t12.String()),
       client_id: t12.Optional(t12.String()),
       client_secret: t12.Optional(t12.String()),
       code: t12.Optional(t12.String()),
@@ -4477,7 +4590,10 @@ var oidcProviderRoutes = (config) => {
       grant_type: t12.Optional(t12.String()),
       redirect_uri: t12.Optional(t12.String()),
       refresh_token: t12.Optional(t12.String()),
-      scope: t12.Optional(t12.String())
+      resource: t12.Optional(t12.String()),
+      scope: t12.Optional(t12.String()),
+      subject_token: t12.Optional(t12.String()),
+      subject_token_type: t12.Optional(t12.String())
     })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
@@ -18029,6 +18145,90 @@ var startImpersonation = async ({
   });
   return sessionId;
 };
+// src/session/anonymous.ts
+var DEFAULT_GUEST_TTL_MS = MILLISECONDS_IN_A_DAY;
+var createAnonymousSession = async ({
+  authSessionStore,
+  cookie,
+  guestUser,
+  inMemorySession,
+  sessionDurationMs = DEFAULT_GUEST_TTL_MS
+}) => promoteToSession({
+  anonymous: true,
+  authSessionStore,
+  cookie,
+  inMemorySession,
+  sessionDurationMs,
+  user: guestUser
+});
+var isAnonymousSession = (session) => session?.anonymous === true;
+// src/session/multiSession.ts
+var SEPARATOR = " ";
+var writeRing = (ring, ids) => ring.set({
+  httpOnly: true,
+  sameSite: "lax",
+  secure: true,
+  value: ids.join(SEPARATOR)
+});
+var readRing = (ring) => (ring.value ?? "").split(SEPARATOR).filter((entry) => isUserSessionId(entry));
+var addToSessionRing = (ring, sessionId) => writeRing(ring, [...new Set([...readRing(ring), sessionId])]);
+var listRingSessions = async ({
+  authSessionStore,
+  inMemorySession,
+  ring
+}) => {
+  const resolved = await Promise.all(readRing(ring).map(async (sessionId) => {
+    const session = await loadSessionFromSource({
+      authSessionStore,
+      session: inMemorySession,
+      userSessionId: sessionId
+    });
+    return session === undefined ? undefined : { sessionId, user: session.user };
+  }));
+  return resolved.filter((entry) => entry !== undefined);
+};
+var readSessionRing = (ring) => readRing(ring);
+var removeFromSessionRing = async ({
+  activeCookie,
+  authSessionStore,
+  inMemorySession,
+  ring,
+  sessionId
+}) => {
+  const remaining = readRing(ring).filter((id) => id !== sessionId);
+  writeRing(ring, remaining);
+  if (authSessionStore)
+    await authSessionStore.removeSession(sessionId);
+  else if (inMemorySession)
+    delete inMemorySession[sessionId];
+  if (activeCookie?.value !== sessionId)
+    return;
+  const [fallback] = remaining;
+  if (fallback === undefined)
+    activeCookie.remove();
+  else
+    activeCookie.set({
+      httpOnly: true,
+      sameSite: "lax",
+      secure: true,
+      value: fallback
+    });
+};
+var switchActiveSession = ({
+  activeCookie,
+  ring,
+  sessionId
+}) => {
+  if (!readRing(ring).includes(sessionId))
+    return false;
+  activeCookie.set({
+    httpOnly: true,
+    sameSite: "lax",
+    secure: true,
+    value: sessionId
+  });
+  return true;
+};
 // src/utils.ts
 var defineAuthConfig = (configuration) => configuration;
 var defineAuthHtmxConfig = (htmxConfig) => htmxConfig;
@@ -18204,6 +18404,48 @@ var getUserSessionId = ({
 };
 // src/tenancy.ts
 var hasOrganizationScope = (value) => typeof value.organizationId === "string" && value.organizationId.length > 0;
+// src/credentials/emailValidation.ts
+import { resolveMx } from "dns/promises";
+var EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/u;
+var DISPOSABLE_DOMAINS = new Set([
+  "10minutemail.com",
+  "fakeinbox.com",
+  "getnada.com",
+  "guerrillamail.com",
+  "mailinator.com",
+  "maildrop.cc",
+  "sharklasers.com",
+  "temp-mail.org",
+  "tempmail.com",
+  "throwaway.email",
+  "trashmail.com",
+  "yopmail.com"
+]);
+var domainOf = (email) => email.slice(email.lastIndexOf("@") + 1).toLowerCase();
+var hasMxRecord = async (domain) => {
+  try {
+    return (await resolveMx(domain)).length > 0;
+  } catch {
+    return false;
+  }
+};
+var isDisposableEmail = (email, extraDomains) => {
+  const domain = domainOf(email);
+  return DISPOSABLE_DOMAINS.has(domain) || extraDomains !== undefined && new Set(extraDomains).has(domain);
+};
+var validateEmailDeliverability = async (email, options) => {
+  const normalized = email.trim().toLowerCase();
+  if (!EMAIL_PATTERN.test(normalized)) {
+    return { ok: false, reason: "invalid_format" };
+  }
+  if (isDisposableEmail(normalized, options?.disposableDomains)) {
+    return { ok: false, reason: "disposable" };
+  }
+  if (options?.checkMx === true && !await hasMxRecord(domainOf(normalized))) {
+    return { ok: false, reason: "no_mx" };
+  }
+  return { ok: true };
+};
 // src/credentials/inMemoryCredentialStore.ts
 var cloneCredential = (value) => ({
   ...value
@@ -20468,9 +20710,11 @@ export {
   verifyApiKey,
   verifyAccessToken,
   validateSession,
+  validateEmailDeliverability,
   userSessionIdTypebox,
   trustDevice,
   toPublicJwk,
+  switchActiveSession,
   stepUpPlugin,
   startImpersonation,
   ssoDiscoveryRoute,
@@ -20500,8 +20744,10 @@ export {
   resolveClientProviderEntry,
   resolveAuthHtmxRenderers,
   resolveApiPrincipal,
+  removeFromSessionRing,
   refreshableProviderOptions,
   recordLoginAttempt,
+  readSessionRing,
   providers,
   providerOptions,
   protectRoutePlugin,
@@ -20524,11 +20770,13 @@ export {
   mfaRoutes,
   mfaEnrollmentsTable,
   mfaChallenge,
+  mcpProtectedResourceMetadata,
   loginHistoryTable,
   lockoutsTable,
   listUserSessions,
   listUserOrganizations,
   listSubjects,
+  listRingSessions,
   knownDevicesTable,
   jwkThumbprint,
   issueTokenSet,
@@ -20539,11 +20787,14 @@ export {
   isRevocableOAuth2Client,
   isRefreshableProviderOption,
   isRefreshableOAuth2Client,
+  isPasswordCompromised,
   isPKCEProviderOption,
   isOIDCProviderOption,
   isMfaEnrolled,
   isImpersonating,
+  isDisposableEmail,
   isAuthIntent,
+  isAnonymousSession,
   inviteToOrganization,
   instantiateUserSession,
   hashToken,
@@ -20560,6 +20811,7 @@ export {
   generateEncryptionKey,
   generateBackupCodes,
   extractPropFromIdentity,
+  exchangeToken,
   exchangeClientCredentials,
   evaluatePassword,
   endImpersonation,
@@ -20670,6 +20922,7 @@ export {
   createAuditEmitter,
   createApiKey,
   createApiClient,
+  createAnonymousSession,
   createAbuseGuard,
   consumeBackupCode,
   constantTimeEqual,
@@ -20688,6 +20941,7 @@ export {
   apiKeysTable,
   apiKeysRoutes,
   apiClientsTable,
+  addToSessionRing,
   accessTokensTable,
   acceptInvitation,
   WEBAUTHN_CHALLENGE_COOKIE,
@@ -20720,5 +20974,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=C4383EA08F57C5E064756E2164756E21
+//# debugId=D6A51261327D341C64756E2164756E21
 //# sourceMappingURL=index.js.map