@aura-stack/auth 0.1.0-rc.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Auth Stack Js
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,42 @@
+<div align="center">
+
+<h1><b>@aura-stack/auth</b></h1>
+
+**Core authentication library for the Aura Stack ecosystem**
+
+[![npm version](https://img.shields.io/npm/v/@aura-stack/auth.svg)](https://www.npmjs.com/package/@aura-stack/auth)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+[Official Docs](https://aura-stack-auth.vercel.app/docs) · [Core Package Docs](https://aura-stack-auth.vercel.app/docs/packages/core)
+
+</div>
+
+## Overview
+
+`@aura-stack/auth` provides the **core logic and building blocks** for authentication and authorization within the **Aura Stack** ecosystem.
+
+It offers a **framework-agnostic**, **type-safe**, and **secure** solution to handle authentication flows such as OAuth 2.0 and OpenID Connect.  
+Inspired by [Auth.js](https://authjs.dev/), Aura Auth focuses on simplicity, developer experience, and strong security practices.
+
+## Features
+
+- **OAuth 2.0** — Native support for multiple OAuth providers.
+- **Type-safe by design** — First-class TypeScript support with complete type inference.
+- **Secure sessions** — Built-in JWT-based session management with encryption and signing.
+- **Cookie handling** — Secure, configurable cookies for session persistence.
+- **Extensible architecture** — Easily integrate with `@aura-stack/router` or custom routing layers.
+- **Framework-agnostic** — Works seamlessly in any environment that supports the Web Request/Response APIs.
+
+## Documentation
+
+Visit the [**official documentation website**](https://aura-stack-auth.vercel.app).
+
+## License
+
+Licensed under the [MIT License](LICENSE). © [Aura Stack](https://github.com/aura-stack-ts)
+
+---
+
+<p align="center">
+  Made with ❤️ by <a href="https://github.com/aura-stack-ts">Aura Stack team</a>
+</p>

package/dist/@types/index.cjs

@@ -0,0 +1,18 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/@types/index.ts
+var types_exports = {};
+module.exports = __toCommonJS(types_exports);

package/dist/@types/index.d.cts

@@ -0,0 +1,9 @@
+import 'zod/v4';
+import '../jose.cjs';
+import '../schemas.cjs';
+import '@aura-stack/router';
+import 'cookie';
+export { LiteralUnion, Prettify } from './utility.cjs';
+export { w as AccessTokenError, c as AuthConfig, A as AuthRuntimeConfig, v as AuthorizationError, C as CookieConfig, a as CookieConfigInternal, b as CookieName, t as CookieStrategyOptions, E as ErrorType, H as HostCookie, m as JWTStandardClaims, J as JoseInstance, u as OAuthError, p as OAuthProvider, o as OAuthProviderConfig, O as OAuthProviderCredentials, q as SecureCookie, n as Session, r as StandardCookie, T as TokenRevocationError, U as User } from '../index-B1vDUGwh.cjs';
+import '@aura-stack/jose/jose';
+import 'zod/v4/core';

package/dist/@types/index.d.ts

@@ -0,0 +1,9 @@
+import 'zod/v4';
+import '../jose.js';
+import '../schemas.js';
+import '@aura-stack/router';
+import 'cookie';
+export { LiteralUnion, Prettify } from './utility.js';
+export { w as AccessTokenError, c as AuthConfig, A as AuthRuntimeConfig, v as AuthorizationError, C as CookieConfig, a as CookieConfigInternal, b as CookieName, t as CookieStrategyOptions, E as ErrorType, H as HostCookie, m as JWTStandardClaims, J as JoseInstance, u as OAuthError, p as OAuthProvider, o as OAuthProviderConfig, O as OAuthProviderCredentials, q as SecureCookie, n as Session, r as StandardCookie, T as TokenRevocationError, U as User } from '../index-CGRZ0wrw.js';
+import '@aura-stack/jose/jose';
+import 'zod/v4/core';

package/dist/@types/index.js

@@ -0,0 +1 @@
+import "../chunk-PG7UYFG5.js";

package/dist/@types/router.d.cjs

@@ -0,0 +1 @@
+"use strict";

package/dist/@types/router.d.d.cts

@@ -0,0 +1,16 @@
+import { c as AuthConfig, d as createBuiltInOAuthProviders, J as JoseInstance } from '../index-B1vDUGwh.cjs';
+import 'zod/v4';
+import '../jose.cjs';
+import '@aura-stack/jose/jose';
+import '../schemas.cjs';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import './utility.cjs';
+
+declare module "@aura-stack/router" {
+    interface GlobalContext extends Required<Omit<AuthConfig, "secret" | "oauth">> {
+        oauth: ReturnType<typeof createBuiltInOAuthProviders>
+        jose: JoseInstance
+    }
+}

package/dist/@types/router.d.d.ts

@@ -0,0 +1,16 @@
+import { c as AuthConfig, d as createBuiltInOAuthProviders, J as JoseInstance } from '../index-CGRZ0wrw.js';
+import 'zod/v4';
+import '../jose.js';
+import '@aura-stack/jose/jose';
+import '../schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import './utility.js';
+
+declare module "@aura-stack/router" {
+    interface GlobalContext extends Required<Omit<AuthConfig, "secret" | "oauth">> {
+        oauth: ReturnType<typeof createBuiltInOAuthProviders>
+        jose: JoseInstance
+    }
+}

package/dist/@types/utility.cjs

@@ -0,0 +1,18 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/@types/utility.ts
+var utility_exports = {};
+module.exports = __toCommonJS(utility_exports);

package/dist/@types/utility.d.cts

@@ -0,0 +1,6 @@
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
+
+export type { LiteralUnion, Prettify };

package/dist/@types/utility.d.ts

@@ -0,0 +1,6 @@
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
+
+export type { LiteralUnion, Prettify };

package/dist/@types/utility.js

@@ -0,0 +1 @@
+import "../chunk-PG7UYFG5.js";

package/dist/actions/callback/access-token.cjs

@@ -0,0 +1,170 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/actions/callback/access-token.ts
+var access_token_exports = {};
+__export(access_token_exports, {
+  createAccessToken: () => createAccessToken
+});
+module.exports = __toCommonJS(access_token_exports);
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+var throwAuthError = (error, message) => {
+  if (error instanceof Error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError("invalid_request", error.message ?? message);
+  }
+};
+var ERROR_RESPONSE = {
+  AUTHORIZATION: {
+    INVALID_REQUEST: "invalid_request",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    ACCESS_DENIED: "access_denied",
+    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+    INVALID_SCOPE: "invalid_scope",
+    SERVER_ERROR: "server_error",
+    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
+  },
+  ACCESS_TOKEN: {
+    INVALID_REQUEST: "invalid_request",
+    INVALID_CLIENT: "invalid_client",
+    INVALID_GRANT: "invalid_grant",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+    INVALID_SCOPE: "invalid_scope"
+  }
+};
+
+// src/schemas.ts
+var import_v4 = require("zod/v4");
+var OAuthProviderConfigSchema = (0, import_v4.object)({
+  authorizeURL: (0, import_v4.url)(),
+  accessToken: (0, import_v4.url)(),
+  scope: (0, import_v4.string)().optional(),
+  userInfo: (0, import_v4.url)(),
+  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_v4.string)(),
+  clientSecret: (0, import_v4.string)()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  state: (0, import_v4.string)(),
+  codeChallenge: (0, import_v4.string)(),
+  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = (0, import_v4.object)({
+  state: (0, import_v4.string)(),
+  code: (0, import_v4.string)()
+});
+var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional(),
+  state: (0, import_v4.string)()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  code: (0, import_v4.string)(),
+  codeVerifier: (0, import_v4.string)().min(43).max(128)
+});
+var OAuthAccessTokenResponse = (0, import_v4.object)({
+  access_token: (0, import_v4.string)(),
+  token_type: (0, import_v4.string)(),
+  expires_in: (0, import_v4.number)().optional(),
+  refresh_token: (0, import_v4.string)().optional(),
+  scope: (0, import_v4.string)().optional()
+});
+var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional()
+});
+var OAuthErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.string)(),
+  error_description: (0, import_v4.string)().optional()
+});
+
+// src/actions/callback/access-token.ts
+var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
+  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
+  if (!parsed.success) {
+    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+  }
+  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
+  try {
+    const response = await fetch(accessToken, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: codeParsed,
+        redirect_uri: redirectParsed,
+        grant_type: "authorization_code",
+        code_verifier: codeVerifier
+      }).toString()
+    });
+    const json = await response.json();
+    const token = OAuthAccessTokenResponse.safeParse(json);
+    if (!token.success) {
+      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+      if (!success) {
+        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+      }
+      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+    }
+    return token.data;
+  } catch (error) {
+    throw throwAuthError(error, "Failed to create access token");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAccessToken
+});

package/dist/actions/callback/access-token.d.cts

@@ -0,0 +1,30 @@
+import { O as OAuthProviderCredentials } from '../../index-B1vDUGwh.cjs';
+import 'zod/v4';
+import '../../jose.cjs';
+import '@aura-stack/jose/jose';
+import '../../schemas.cjs';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.cjs';
+
+/**
+ * Make a request to the OAuth provider to the token endpoint to exchange the authorization code provided
+ * by the authorization server.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5
+ * @param oauthConfig - OAuth provider configuration
+ * @param redirectURI - The redirect URI registered in the Resource Owner's authorization request and sent in the authorization code exchange
+ * @param code - The authorization code received from the OAuth server
+ * @returns The access token response from the OAuth server
+ */
+declare const createAccessToken: (oauthConfig: OAuthProviderCredentials, redirectURI: string, code: string, codeVerifier: string) => Promise<{
+    access_token: string;
+    token_type: string;
+    expires_in?: number | undefined;
+    refresh_token?: string | undefined;
+    scope?: string | undefined;
+}>;
+
+export { createAccessToken };

package/dist/actions/callback/access-token.d.ts

@@ -0,0 +1,30 @@
+import { O as OAuthProviderCredentials } from '../../index-CGRZ0wrw.js';
+import 'zod/v4';
+import '../../jose.js';
+import '@aura-stack/jose/jose';
+import '../../schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.js';
+
+/**
+ * Make a request to the OAuth provider to the token endpoint to exchange the authorization code provided
+ * by the authorization server.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5
+ * @param oauthConfig - OAuth provider configuration
+ * @param redirectURI - The redirect URI registered in the Resource Owner's authorization request and sent in the authorization code exchange
+ * @param code - The authorization code received from the OAuth server
+ * @returns The access token response from the OAuth server
+ */
+declare const createAccessToken: (oauthConfig: OAuthProviderCredentials, redirectURI: string, code: string, codeVerifier: string) => Promise<{
+    access_token: string;
+    token_type: string;
+    expires_in?: number | undefined;
+    refresh_token?: string | undefined;
+    scope?: string | undefined;
+}>;
+
+export { createAccessToken };

package/dist/actions/callback/access-token.js

@@ -0,0 +1,8 @@
+import {
+  createAccessToken
+} from "../../chunk-UJJ7R56J.js";
+import "../../chunk-FJUDBLCP.js";
+import "../../chunk-HMRKN75I.js";
+export {
+  createAccessToken
+};