@aura-stack/auth 0.1.0-rc.1

package/dist/cookie.cjs

@@ -0,0 +1,201 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/cookie.ts
+var cookie_exports = {};
+__export(cookie_exports, {
+  COOKIE_NAME: () => COOKIE_NAME,
+  createSessionCookie: () => createSessionCookie,
+  defaultCookieConfig: () => defaultCookieConfig,
+  defaultCookieOptions: () => defaultCookieOptions,
+  defaultHostCookieConfig: () => defaultHostCookieConfig,
+  defaultSecureCookieConfig: () => defaultSecureCookieConfig,
+  defaultStandardCookieConfig: () => defaultStandardCookieConfig,
+  defineDefaultCookieOptions: () => defineDefaultCookieOptions,
+  expireCookie: () => expireCookie,
+  expiredCookieOptions: () => expiredCookieOptions,
+  getCookie: () => getCookie,
+  oauthCookie: () => oauthCookie,
+  parse: () => import_cookie2.parse,
+  secureCookieOptions: () => secureCookieOptions,
+  setCookie: () => setCookie
+});
+module.exports = __toCommonJS(cookie_exports);
+var import_cookie = require("cookie");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+
+// src/assert.ts
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+
+// src/cookie.ts
+var import_cookie2 = require("cookie");
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultCookieConfig = {
+  strategy: "standard",
+  name: COOKIE_NAME,
+  options: defaultCookieOptions
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true,
+  prefix: ""
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  prefix: "__Secure-"
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  prefix: "__Host-",
+  path: "/",
+  domain: void 0
+};
+var expiredCookieOptions = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var defineDefaultCookieOptions = (options) => {
+  return {
+    name: options?.name ?? COOKIE_NAME,
+    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
+    ...defaultCookieOptions,
+    ...options
+  };
+};
+var setCookie = (cookieName, value, options) => {
+  const { prefix, name } = defineDefaultCookieOptions(options);
+  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
+  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
+    ...defaultCookieOptions,
+    ...options
+  });
+};
+var getCookie = (petition, cookie, options, optional = false) => {
+  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+  if (!cookies) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+  }
+  const { name, prefix } = defineDefaultCookieOptions(options);
+  const parsedCookies = (0, import_cookie.parse)(cookies);
+  const value = parsedCookies[`${prefix}${name}.${cookie}`];
+  if (value === void 0) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  }
+  return value;
+};
+var createSessionCookie = async (session, cookieOptions, jose) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return setCookie("sessionToken", encoded, cookieOptions);
+  } catch (error) {
+    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
+  }
+};
+var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
+  const name = cookieOptions.name ?? COOKIE_NAME;
+  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
+  if (!cookieOptions.options?.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (cookieOptions.options?.domain === "*") {
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!isSecure) {
+    const options = cookieOptions.options;
+    if (options?.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (options?.sameSite == "none") {
+      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...cookieOptions.options,
+      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
+      ...defaultStandardCookieConfig,
+      name
+    };
+  }
+  return cookieOptions.strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...cookieOptions.options,
+    ...defaultHostCookieConfig,
+    name
+  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
+};
+var expireCookie = (name, options) => {
+  return setCookie(name, "", { ...options, ...expiredCookieOptions });
+};
+var oauthCookie = (options) => {
+  return {
+    ...options,
+    secure: options.secure,
+    httpOnly: options.httpOnly,
+    maxAge: 5 * 60,
+    expires: new Date(Date.now() + 5 * 60 * 1e3)
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  COOKIE_NAME,
+  createSessionCookie,
+  defaultCookieConfig,
+  defaultCookieOptions,
+  defaultHostCookieConfig,
+  defaultSecureCookieConfig,
+  defaultStandardCookieConfig,
+  defineDefaultCookieOptions,
+  expireCookie,
+  expiredCookieOptions,
+  getCookie,
+  oauthCookie,
+  parse,
+  secureCookieOptions,
+  setCookie
+});

package/dist/cookie.d.ts

@@ -0,0 +1,95 @@
+import { SerializeOptions } from 'cookie';
+export { parse } from 'cookie';
+import { JWTPayload } from '@aura-stack/jose/jose';
+import { C as CookieConfig, a as CookieConfigInternal, b as CookieName, A as AuthRuntimeConfig } from './index-CGRZ0wrw.js';
+import { LiteralUnion } from './@types/utility.js';
+import 'zod/v4';
+import './jose.js';
+import './schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+
+/**
+ * Prefix for all cookies set by Aura Auth.
+ */
+declare const COOKIE_NAME = "aura-auth";
+/**
+ * Default cookie options used by Aura Auth.
+ */
+declare const defaultCookieOptions: SerializeOptions;
+/**
+ * Default cookie options for "standard" cookies.
+ */
+declare const defaultCookieConfig: CookieConfig;
+declare const defaultStandardCookieConfig: CookieConfigInternal;
+/**
+ * Default cookie options for "secure" cookies.
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
+ */
+declare const defaultSecureCookieConfig: CookieConfigInternal;
+/**
+ * Default cookie options for "host" cookies.
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
+ */
+declare const defaultHostCookieConfig: CookieConfigInternal;
+/**
+ * Cookie options for expired cookies.
+ */
+declare const expiredCookieOptions: SerializeOptions;
+declare const defineDefaultCookieOptions: (options?: CookieConfigInternal) => CookieConfigInternal;
+/**
+ * Set a cookie with the given name, value and `CookieOptionsInternal`; supports secure
+ * cookies with the `__Secure-` and `__Host-` prefixes.
+ *
+ * Cookie attributes are serialized in the following order:
+ * Expires, Max-Age, Domain, Path, Secure, HttpOnly, SameSite, Partitioned, Priority.
+ */
+declare const setCookie: (cookieName: LiteralUnion<CookieName>, value: string, options?: CookieConfigInternal) => string;
+/**
+ * Get a cookie by name from the request.
+ *
+ * @param request The incoming request object
+ * @param cookie Cookie name to retrieve
+ * @param options Cookie options to define the prefix and other attributes
+ * @param optional If true, returns an empty string instead of throwing an error when the cookie is not found
+ * @returns The value of the cookie or undefined if not found
+ */
+declare const getCookie: (petition: Request | Response, cookie: LiteralUnion<CookieName>, options?: CookieConfigInternal, optional?: boolean) => string;
+/**
+ * Create a session cookie containing a signed and encrypted JWT, using the
+ * `@aura-stack/jose` package for the encoding.
+ *
+ * @param session - The JWT payload to be encoded in the session cookie
+ * @returns The serialized session cookie string
+ */
+declare const createSessionCookie: (session: JWTPayload, cookieOptions: CookieConfigInternal, jose: AuthRuntimeConfig["jose"]) => Promise<string>;
+/**
+ * Defines the cookie configuration based on the request security and cookie options passed
+ * in the Aura Auth configuration (`createAuth` function). This function ensures the correct
+ * cookie prefixes and security attributes are applied based on whether the request is secure
+ * (HTTPS) or not.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded
+ * @param request The incoming request object
+ * @param cookieOptions Cookie options from the Aura Auth configuration
+ * @returns The finalized cookie options to be used for setting cookies
+ */
+declare const secureCookieOptions: (request: Request, cookieOptions: CookieConfig, trustedProxyHeaders?: boolean) => CookieConfigInternal;
+/**
+ * Expire a cookie by setting its value to an empty string and applying expired cookie options.
+ *
+ * @param name The name of the cookie to expire
+ * @param options cookie options obtained from secureCookieOptions
+ * @returns formatted cookie options for an expired cookie
+ */
+declare const expireCookie: (name: LiteralUnion<CookieName>, options: CookieConfigInternal) => string;
+/**
+ * Set OAuth-specific cookie options, including a short maxAge of 5 minutes.
+ *
+ * @param options cookie options obtained from secureCookieOptions
+ * @returns formatted cookie options for OAuth cookies
+ */
+declare const oauthCookie: (options: CookieConfigInternal) => CookieConfigInternal;
+
+export { COOKIE_NAME, createSessionCookie, defaultCookieConfig, defaultCookieOptions, defaultHostCookieConfig, defaultSecureCookieConfig, defaultStandardCookieConfig, defineDefaultCookieOptions, expireCookie, expiredCookieOptions, getCookie, oauthCookie, secureCookieOptions, setCookie };

package/dist/cookie.js

@@ -0,0 +1,36 @@
+import {
+  COOKIE_NAME,
+  createSessionCookie,
+  defaultCookieConfig,
+  defaultCookieOptions,
+  defaultHostCookieConfig,
+  defaultSecureCookieConfig,
+  defaultStandardCookieConfig,
+  defineDefaultCookieOptions,
+  expireCookie,
+  expiredCookieOptions,
+  getCookie,
+  oauthCookie,
+  parse,
+  secureCookieOptions,
+  setCookie
+} from "./chunk-ZV4BH47P.js";
+import "./chunk-6SM22VVJ.js";
+import "./chunk-FJUDBLCP.js";
+export {
+  COOKIE_NAME,
+  createSessionCookie,
+  defaultCookieConfig,
+  defaultCookieOptions,
+  defaultHostCookieConfig,
+  defaultSecureCookieConfig,
+  defaultStandardCookieConfig,
+  defineDefaultCookieOptions,
+  expireCookie,
+  expiredCookieOptions,
+  getCookie,
+  oauthCookie,
+  parse,
+  secureCookieOptions,
+  setCookie
+};

package/dist/error.cjs

@@ -0,0 +1,88 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/error.ts
+var error_exports = {};
+__export(error_exports, {
+  AuthError: () => AuthError,
+  ERROR_RESPONSE: () => ERROR_RESPONSE,
+  InvalidCsrfTokenError: () => InvalidCsrfTokenError,
+  InvalidRedirectToError: () => InvalidRedirectToError,
+  isAuthError: () => isAuthError,
+  throwAuthError: () => throwAuthError
+});
+module.exports = __toCommonJS(error_exports);
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var InvalidCsrfTokenError = class extends AuthError {
+  constructor(message = "The provided CSRF token is invalid or has expired") {
+    super("invalid_csrf_token", message);
+    this.name = "InvalidCsrfTokenError";
+  }
+};
+var InvalidRedirectToError = class extends AuthError {
+  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
+    super("invalid_redirect_to", message);
+    this.name = "InvalidRedirectToError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+var throwAuthError = (error, message) => {
+  if (error instanceof Error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError("invalid_request", error.message ?? message);
+  }
+};
+var ERROR_RESPONSE = {
+  AUTHORIZATION: {
+    INVALID_REQUEST: "invalid_request",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    ACCESS_DENIED: "access_denied",
+    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+    INVALID_SCOPE: "invalid_scope",
+    SERVER_ERROR: "server_error",
+    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
+  },
+  ACCESS_TOKEN: {
+    INVALID_REQUEST: "invalid_request",
+    INVALID_CLIENT: "invalid_client",
+    INVALID_GRANT: "invalid_grant",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+    INVALID_SCOPE: "invalid_scope"
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthError,
+  ERROR_RESPONSE,
+  InvalidCsrfTokenError,
+  InvalidRedirectToError,
+  isAuthError,
+  throwAuthError
+});

package/dist/error.d.ts

@@ -0,0 +1,64 @@
+import { E as ErrorType } from './index-CGRZ0wrw.js';
+import { LiteralUnion } from './@types/utility.js';
+import 'zod/v4';
+import './jose.js';
+import '@aura-stack/jose/jose';
+import './schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+
+/**
+ * Error class for all Aura Auth errors.
+ */
+declare class AuthError extends Error {
+    readonly type: LiteralUnion<ErrorType>;
+    constructor(type: LiteralUnion<ErrorType>, message: string);
+}
+declare class InvalidCsrfTokenError extends AuthError {
+    constructor(message?: string);
+}
+declare class InvalidRedirectToError extends AuthError {
+    constructor(message?: string);
+}
+/**
+ * Verifies if the provided error is an instance of AuthError.
+ *
+ * @param error The error to be checked
+ * @returns True if the error is an instance of AuthError, false otherwise
+ */
+declare const isAuthError: (error: unknown) => error is AuthError;
+/**
+ * Captures and Error and verifies if it's an AuthError, rethrowing it if so.
+ * If it's a different type of error, it wraps it in a new AuthError with the provided message.
+ *
+ * @param error The error to be processed
+ * @param message The error message to be used if wrapping the error
+ */
+declare const throwAuthError: (error: unknown, message?: string) => void;
+/**
+ * Errores responses returned by the OAuth flows including Authorization and Access Token errors.
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ */
+declare const ERROR_RESPONSE: {
+    AUTHORIZATION: {
+        INVALID_REQUEST: string;
+        UNAUTHORIZED_CLIENT: string;
+        ACCESS_DENIED: string;
+        UNSUPPORTED_RESPONSE_TYPE: string;
+        INVALID_SCOPE: string;
+        SERVER_ERROR: string;
+        TEMPORARILY_UNAVAILABLE: string;
+    };
+    ACCESS_TOKEN: {
+        INVALID_REQUEST: string;
+        INVALID_CLIENT: string;
+        INVALID_GRANT: string;
+        UNAUTHORIZED_CLIENT: string;
+        UNSUPPORTED_GRANT_TYPE: string;
+        INVALID_SCOPE: string;
+    };
+};
+
+export { AuthError, ERROR_RESPONSE, InvalidCsrfTokenError, InvalidRedirectToError, isAuthError, throwAuthError };

package/dist/error.js

@@ -0,0 +1,16 @@
+import {
+  AuthError,
+  ERROR_RESPONSE,
+  InvalidCsrfTokenError,
+  InvalidRedirectToError,
+  isAuthError,
+  throwAuthError
+} from "./chunk-FJUDBLCP.js";
+export {
+  AuthError,
+  ERROR_RESPONSE,
+  InvalidCsrfTokenError,
+  InvalidRedirectToError,
+  isAuthError,
+  throwAuthError
+};

package/dist/headers.cjs

@@ -0,0 +1,35 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/headers.ts
+var headers_exports = {};
+__export(headers_exports, {
+  cacheControl: () => cacheControl
+});
+module.exports = __toCommonJS(headers_exports);
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  cacheControl
+});

package/dist/headers.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Headers to prevent caching of responses. It includes Pragma header for HTTP/1.0 compatibility.
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Pragma
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary
+ */
+declare const cacheControl: HeadersInit;
+
+export { cacheControl };

package/dist/headers.js

@@ -0,0 +1,6 @@
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+export {
+  cacheControl
+};