@aura-stack/auth 0.1.0-rc.1

package/dist/actions/callback/userinfo.cjs

@@ -0,0 +1,165 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/actions/callback/userinfo.ts
+var userinfo_exports = {};
+__export(userinfo_exports, {
+  getUserInfo: () => getUserInfo
+});
+module.exports = __toCommonJS(userinfo_exports);
+
+// src/secure.ts
+var import_node_crypto = __toESM(require("crypto"), 1);
+
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+var throwAuthError = (error, message) => {
+  if (error instanceof Error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError("invalid_request", error.message ?? message);
+  }
+};
+
+// src/secure.ts
+var generateSecure = (length = 32) => {
+  return import_node_crypto.default.randomBytes(length).toString("base64url");
+};
+
+// src/schemas.ts
+var import_v4 = require("zod/v4");
+var OAuthProviderConfigSchema = (0, import_v4.object)({
+  authorizeURL: (0, import_v4.url)(),
+  accessToken: (0, import_v4.url)(),
+  scope: (0, import_v4.string)().optional(),
+  userInfo: (0, import_v4.url)(),
+  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_v4.string)(),
+  clientSecret: (0, import_v4.string)()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  state: (0, import_v4.string)(),
+  codeChallenge: (0, import_v4.string)(),
+  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = (0, import_v4.object)({
+  state: (0, import_v4.string)(),
+  code: (0, import_v4.string)()
+});
+var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional(),
+  state: (0, import_v4.string)()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  code: (0, import_v4.string)(),
+  codeVerifier: (0, import_v4.string)().min(43).max(128)
+});
+var OAuthAccessTokenResponse = (0, import_v4.object)({
+  access_token: (0, import_v4.string)(),
+  token_type: (0, import_v4.string)(),
+  expires_in: (0, import_v4.number)().optional(),
+  refresh_token: (0, import_v4.string)().optional(),
+  scope: (0, import_v4.string)().optional()
+});
+var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional()
+});
+var OAuthErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.string)(),
+  error_description: (0, import_v4.string)().optional()
+});
+
+// src/actions/callback/userinfo.ts
+var getDefaultUserInfo = (profile) => {
+  const sub = generateSecure(16);
+  return {
+    sub: profile?.id ?? profile?.sub ?? sub,
+    email: profile?.email,
+    name: profile?.name ?? profile?.username ?? profile?.nickname,
+    image: profile?.image ?? profile?.picture
+  };
+};
+var getUserInfo = async (oauthConfig, accessToken) => {
+  const userinfoEndpoint = oauthConfig.userInfo;
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    const json = await response.json();
+    const { success, data } = OAuthErrorResponse.safeParse(json);
+    if (success) {
+      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+    }
+    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
+  } catch (error) {
+    throw throwAuthError(error, "Failed to retrieve userinfo");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getUserInfo
+});

package/dist/actions/callback/userinfo.d.cts

@@ -0,0 +1,22 @@
+import { O as OAuthProviderCredentials, U as User } from '../../index-B1vDUGwh.cjs';
+import 'zod/v4';
+import '../../jose.cjs';
+import '@aura-stack/jose/jose';
+import '../../schemas.cjs';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.cjs';
+
+/**
+ * Get user information from the OAuth provider's userinfo endpoint using the provided access token.
+ * The response by default is mapped to the standardized `User` format unless a custom
+ * `profile` function is provided in the `oauthConfig`.
+ *
+ * @param oauthConfig - OAuth provider configuration
+ * @param accessToken - Access Token to access the userinfo endpoint
+ * @returns The user information retrieved from the userinfo endpoint
+ */
+declare const getUserInfo: (oauthConfig: OAuthProviderCredentials, accessToken: string) => Promise<User>;
+
+export { getUserInfo };

package/dist/actions/callback/userinfo.d.ts

@@ -0,0 +1,22 @@
+import { O as OAuthProviderCredentials, U as User } from '../../index-CGRZ0wrw.js';
+import 'zod/v4';
+import '../../jose.js';
+import '@aura-stack/jose/jose';
+import '../../schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.js';
+
+/**
+ * Get user information from the OAuth provider's userinfo endpoint using the provided access token.
+ * The response by default is mapped to the standardized `User` format unless a custom
+ * `profile` function is provided in the `oauthConfig`.
+ *
+ * @param oauthConfig - OAuth provider configuration
+ * @param accessToken - Access Token to access the userinfo endpoint
+ * @returns The user information retrieved from the userinfo endpoint
+ */
+declare const getUserInfo: (oauthConfig: OAuthProviderCredentials, accessToken: string) => Promise<User>;
+
+export { getUserInfo };

package/dist/actions/callback/userinfo.js

@@ -0,0 +1,10 @@
+import {
+  getUserInfo
+} from "../../chunk-RLT4RFKV.js";
+import "../../chunk-GZU3RBTB.js";
+import "../../chunk-256KIVJL.js";
+import "../../chunk-FJUDBLCP.js";
+import "../../chunk-HMRKN75I.js";
+export {
+  getUserInfo
+};

package/dist/actions/csrfToken/csrfToken.cjs

@@ -0,0 +1,207 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/actions/csrfToken/csrfToken.ts
+var csrfToken_exports = {};
+__export(csrfToken_exports, {
+  csrfTokenAction: () => csrfTokenAction
+});
+module.exports = __toCommonJS(csrfToken_exports);
+var import_router2 = require("@aura-stack/router");
+
+// src/secure.ts
+var import_node_crypto = __toESM(require("crypto"), 1);
+
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+
+// src/secure.ts
+var generateSecure = (length = 32) => {
+  return import_node_crypto.default.randomBytes(length).toString("base64url");
+};
+var createCSRF = async (jose, csrfCookie) => {
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
+    }
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
+
+// src/headers.ts
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
+
+// src/cookie.ts
+var import_cookie = require("cookie");
+
+// src/assert.ts
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+
+// src/cookie.ts
+var import_cookie2 = require("cookie");
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true,
+  prefix: ""
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  prefix: "__Secure-"
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  prefix: "__Host-",
+  path: "/",
+  domain: void 0
+};
+var expiredCookieOptions = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var defineDefaultCookieOptions = (options) => {
+  return {
+    name: options?.name ?? COOKIE_NAME,
+    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
+    ...defaultCookieOptions,
+    ...options
+  };
+};
+var setCookie = (cookieName, value, options) => {
+  const { prefix, name } = defineDefaultCookieOptions(options);
+  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
+  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
+    ...defaultCookieOptions,
+    ...options
+  });
+};
+var getCookie = (petition, cookie, options, optional = false) => {
+  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+  if (!cookies) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+  }
+  const { name, prefix } = defineDefaultCookieOptions(options);
+  const parsedCookies = (0, import_cookie.parse)(cookies);
+  const value = parsedCookies[`${prefix}${name}.${cookie}`];
+  if (value === void 0) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  }
+  return value;
+};
+var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
+  const name = cookieOptions.name ?? COOKIE_NAME;
+  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
+  if (!cookieOptions.options?.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (cookieOptions.options?.domain === "*") {
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!isSecure) {
+    const options = cookieOptions.options;
+    if (options?.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (options?.sameSite == "none") {
+      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...cookieOptions.options,
+      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
+      ...defaultStandardCookieConfig,
+      name
+    };
+  }
+  return cookieOptions.strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...cookieOptions.options,
+    ...defaultHostCookieConfig,
+    name
+  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
+};
+
+// src/actions/csrfToken/csrfToken.ts
+var csrfTokenAction = (0, import_router2.createEndpoint)("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { cookies, jose, trustedProxyHeaders }
+  } = ctx;
+  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
+  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
+  const csrfToken = await createCSRF(jose, existingCSRFToken);
+  const headers = new Headers(cacheControl);
+  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
+  return Response.json({ csrfToken }, { headers });
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  csrfTokenAction
+});

package/dist/actions/csrfToken/csrfToken.d.cts

@@ -0,0 +1,5 @@
+import * as _aura_stack_router from '@aura-stack/router';
+
+declare const csrfTokenAction: _aura_stack_router.RouteEndpoint<"GET", "/csrfToken", {}>;
+
+export { csrfTokenAction };

package/dist/actions/csrfToken/csrfToken.d.ts

@@ -0,0 +1,5 @@
+import * as _aura_stack_router from '@aura-stack/router';
+
+declare const csrfTokenAction: _aura_stack_router.RouteEndpoint<"GET", "/csrfToken", {}>;
+
+export { csrfTokenAction };

package/dist/actions/csrfToken/csrfToken.js

@@ -0,0 +1,12 @@
+import {
+  csrfTokenAction
+} from "../../chunk-SMQO5WD7.js";
+import "../../chunk-ZV4BH47P.js";
+import "../../chunk-6SM22VVJ.js";
+import "../../chunk-STHEPPUZ.js";
+import "../../chunk-GZU3RBTB.js";
+import "../../chunk-256KIVJL.js";
+import "../../chunk-FJUDBLCP.js";
+export {
+  csrfTokenAction
+};