@aura-stack/auth 0.1.0-rc.1

package/dist/actions/index.d.cts

@@ -0,0 +1,14 @@
+export { signInAction } from './signIn/signIn.cjs';
+export { callbackAction } from './callback/callback.cjs';
+export { sessionAction } from './session/session.cjs';
+export { signOutAction } from './signOut/signOut.cjs';
+export { csrfTokenAction } from './csrfToken/csrfToken.cjs';
+import '@aura-stack/router';
+import '../index-B1vDUGwh.cjs';
+import 'zod/v4';
+import '../jose.cjs';
+import '@aura-stack/jose/jose';
+import '../schemas.cjs';
+import 'zod/v4/core';
+import 'cookie';
+import '../@types/utility.cjs';

package/dist/actions/index.d.ts

@@ -0,0 +1,14 @@
+export { signInAction } from './signIn/signIn.js';
+export { callbackAction } from './callback/callback.js';
+export { sessionAction } from './session/session.js';
+export { signOutAction } from './signOut/signOut.js';
+export { csrfTokenAction } from './csrfToken/csrfToken.js';
+import '@aura-stack/router';
+import '../index-CGRZ0wrw.js';
+import 'zod/v4';
+import '../jose.js';
+import '@aura-stack/jose/jose';
+import '../schemas.js';
+import 'zod/v4/core';
+import 'cookie';
+import '../@types/utility.js';

package/dist/actions/index.js

@@ -0,0 +1,34 @@
+import "../chunk-ITQ7352M.js";
+import {
+  csrfTokenAction
+} from "../chunk-SMQO5WD7.js";
+import {
+  sessionAction
+} from "../chunk-XXJKNKGQ.js";
+import {
+  signInAction
+} from "../chunk-LLR722CL.js";
+import {
+  signOutAction
+} from "../chunk-SJPDVKUS.js";
+import "../chunk-CAKJT3KS.js";
+import {
+  callbackAction
+} from "../chunk-HGJ4TXY4.js";
+import "../chunk-RLT4RFKV.js";
+import "../chunk-UJJ7R56J.js";
+import "../chunk-ZV4BH47P.js";
+import "../chunk-6SM22VVJ.js";
+import "../chunk-STHEPPUZ.js";
+import "../chunk-GZU3RBTB.js";
+import "../chunk-256KIVJL.js";
+import "../chunk-FJUDBLCP.js";
+import "../chunk-JAPMIE6S.js";
+import "../chunk-HMRKN75I.js";
+export {
+  callbackAction,
+  csrfTokenAction,
+  sessionAction,
+  signInAction,
+  signOutAction
+};

package/dist/actions/session/session.cjs

@@ -0,0 +1,191 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/actions/session/session.ts
+var session_exports = {};
+__export(session_exports, {
+  sessionAction: () => sessionAction
+});
+module.exports = __toCommonJS(session_exports);
+var import_router2 = require("@aura-stack/router");
+
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+
+// src/utils.ts
+var toISOString = (date) => {
+  return new Date(date).toISOString();
+};
+
+// src/headers.ts
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
+
+// src/cookie.ts
+var import_cookie = require("cookie");
+
+// src/assert.ts
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+
+// src/cookie.ts
+var import_cookie2 = require("cookie");
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true,
+  prefix: ""
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  prefix: "__Secure-"
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  prefix: "__Host-",
+  path: "/",
+  domain: void 0
+};
+var expiredCookieOptions = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var defineDefaultCookieOptions = (options) => {
+  return {
+    name: options?.name ?? COOKIE_NAME,
+    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
+    ...defaultCookieOptions,
+    ...options
+  };
+};
+var setCookie = (cookieName, value, options) => {
+  const { prefix, name } = defineDefaultCookieOptions(options);
+  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
+  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
+    ...defaultCookieOptions,
+    ...options
+  });
+};
+var getCookie = (petition, cookie, options, optional = false) => {
+  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+  if (!cookies) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+  }
+  const { name, prefix } = defineDefaultCookieOptions(options);
+  const parsedCookies = (0, import_cookie.parse)(cookies);
+  const value = parsedCookies[`${prefix}${name}.${cookie}`];
+  if (value === void 0) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  }
+  return value;
+};
+var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
+  const name = cookieOptions.name ?? COOKIE_NAME;
+  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
+  if (!cookieOptions.options?.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (cookieOptions.options?.domain === "*") {
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!isSecure) {
+    const options = cookieOptions.options;
+    if (options?.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (options?.sameSite == "none") {
+      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...cookieOptions.options,
+      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
+      ...defaultStandardCookieConfig,
+      name
+    };
+  }
+  return cookieOptions.strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...cookieOptions.options,
+    ...defaultHostCookieConfig,
+    name
+  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
+};
+var expireCookie = (name, options) => {
+  return setCookie(name, "", { ...options, ...expiredCookieOptions });
+};
+
+// src/actions/session/session.ts
+var sessionAction = (0, import_router2.createEndpoint)("GET", "/session", async (ctx) => {
+  const {
+    request,
+    context: { cookies, jose, trustedProxyHeaders }
+  } = ctx;
+  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
+  try {
+    const session = getCookie(request, "sessionToken", cookieOptions);
+    const decoded = await jose.decodeJWT(session);
+    const { exp, iat, jti, nbf, ...user } = decoded;
+    const headers = new Headers(cacheControl);
+    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
+  } catch {
+    const headers = new Headers(cacheControl);
+    const sessionCookie = expireCookie("sessionToken", cookieOptions);
+    headers.set("Set-Cookie", sessionCookie);
+    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
+  }
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  sessionAction
+});

package/dist/actions/session/session.d.cts

@@ -0,0 +1,5 @@
+import * as _aura_stack_router from '@aura-stack/router';
+
+declare const sessionAction: _aura_stack_router.RouteEndpoint<"GET", "/session", {}>;
+
+export { sessionAction };

package/dist/actions/session/session.d.ts

@@ -0,0 +1,5 @@
+import * as _aura_stack_router from '@aura-stack/router';
+
+declare const sessionAction: _aura_stack_router.RouteEndpoint<"GET", "/session", {}>;
+
+export { sessionAction };

package/dist/actions/session/session.js

@@ -0,0 +1,11 @@
+import {
+  sessionAction
+} from "../../chunk-XXJKNKGQ.js";
+import "../../chunk-ZV4BH47P.js";
+import "../../chunk-6SM22VVJ.js";
+import "../../chunk-STHEPPUZ.js";
+import "../../chunk-256KIVJL.js";
+import "../../chunk-FJUDBLCP.js";
+export {
+  sessionAction
+};

package/dist/actions/signIn/authorization.cjs

@@ -0,0 +1,274 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/actions/signIn/authorization.ts
+var authorization_exports = {};
+__export(authorization_exports, {
+  createAuthorizationURL: () => createAuthorizationURL,
+  createRedirectTo: () => createRedirectTo,
+  createRedirectURI: () => createRedirectURI,
+  getOriginURL: () => getOriginURL
+});
+module.exports = __toCommonJS(authorization_exports);
+
+// src/assert.ts
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+
+// src/schemas.ts
+var import_v4 = require("zod/v4");
+var OAuthProviderConfigSchema = (0, import_v4.object)({
+  authorizeURL: (0, import_v4.url)(),
+  accessToken: (0, import_v4.url)(),
+  scope: (0, import_v4.string)().optional(),
+  userInfo: (0, import_v4.url)(),
+  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_v4.string)(),
+  clientSecret: (0, import_v4.string)()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  state: (0, import_v4.string)(),
+  codeChallenge: (0, import_v4.string)(),
+  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = (0, import_v4.object)({
+  state: (0, import_v4.string)(),
+  code: (0, import_v4.string)()
+});
+var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional(),
+  state: (0, import_v4.string)()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_v4.string)(),
+  code: (0, import_v4.string)(),
+  codeVerifier: (0, import_v4.string)().min(43).max(128)
+});
+var OAuthAccessTokenResponse = (0, import_v4.object)({
+  access_token: (0, import_v4.string)(),
+  token_type: (0, import_v4.string)(),
+  expires_in: (0, import_v4.number)().optional(),
+  refresh_token: (0, import_v4.string)().optional(),
+  scope: (0, import_v4.string)().optional()
+});
+var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.enum)([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: (0, import_v4.string)().optional(),
+  error_uri: (0, import_v4.string)().optional()
+});
+var OAuthErrorResponse = (0, import_v4.object)({
+  error: (0, import_v4.string)(),
+  error_description: (0, import_v4.string)().optional()
+});
+
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var InvalidRedirectToError = class extends AuthError {
+  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
+    super("invalid_redirect_to", message);
+    this.name = "InvalidRedirectToError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+var ERROR_RESPONSE = {
+  AUTHORIZATION: {
+    INVALID_REQUEST: "invalid_request",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    ACCESS_DENIED: "access_denied",
+    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+    INVALID_SCOPE: "invalid_scope",
+    SERVER_ERROR: "server_error",
+    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
+  },
+  ACCESS_TOKEN: {
+    INVALID_REQUEST: "invalid_request",
+    INVALID_CLIENT: "invalid_client",
+    INVALID_GRANT: "invalid_grant",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+    INVALID_SCOPE: "invalid_scope"
+  }
+};
+
+// src/utils.ts
+var toSnakeCase = (str) => {
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
+var toUpperCase = (str) => {
+  return str.toUpperCase();
+};
+var toCastCase = (obj, type = "snake") => {
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
+var equals = (a, b) => {
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+var sanitizeURL = (url2) => {
+  try {
+    let decodedURL = decodeURIComponent(url2).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
+    }
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
+    }
+    return sanitized;
+  } catch {
+    return url2.trim();
+  }
+};
+var getNormalizedOriginPath = (path) => {
+  try {
+    const url2 = new URL(path);
+    url2.hash = "";
+    url2.search = "";
+    return `${url2.origin}${url2.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
+
+// src/actions/signIn/authorization.ts
+var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
+  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+  if (!parsed.success) {
+    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+  }
+  const { authorizeURL, ...options2 } = parsed.data;
+  const { userInfo, accessToken, clientSecret, ...required } = options2;
+  const searchParams = new URLSearchParams(toCastCase(required));
+  return `${authorizeURL}?${searchParams}`;
+};
+var getOriginURL = (request, trustedProxyHeaders) => {
+  const headers = request.headers;
+  if (trustedProxyHeaders) {
+    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
+    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
+    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
+  } else {
+    return new URL(getNormalizedOriginPath(request.url));
+  }
+};
+var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
+  const url2 = getOriginURL(request, trustedProxyHeaders);
+  return `${url2.origin}${basePath}/callback/${oauth}`;
+};
+var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
+  try {
+    const headers = request.headers;
+    const origin = headers.get("Origin");
+    const referer = headers.get("Referer");
+    let hostedURL = getOriginURL(request, trustedProxyHeaders);
+    if (redirectTo) {
+      if (redirectTo.startsWith("/")) {
+        return sanitizeURL(redirectTo);
+      }
+      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
+      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+        throw new InvalidRedirectToError();
+      }
+      return sanitizeURL(redirectToURL.pathname);
+    }
+    if (referer) {
+      const refererURL = new URL(sanitizeURL(referer));
+      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+        throw new AuthError(
+          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+          "The referer of the request does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(refererURL.pathname);
+    }
+    if (origin) {
+      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
+      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+      }
+      return sanitizeURL(originURL.pathname);
+    }
+    return "/";
+  } catch (error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI,
+  getOriginURL
+});

package/dist/actions/signIn/authorization.d.cts

@@ -0,0 +1,45 @@
+import { O as OAuthProviderCredentials } from '../../index-B1vDUGwh.cjs';
+import 'zod/v4';
+import '../../jose.cjs';
+import '@aura-stack/jose/jose';
+import '../../schemas.cjs';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.cjs';
+
+/**
+ * Constructs the request URI for the Authorization Request to the third-party OAuth service. It includes
+ * the necessary query parameters such as `client_id`, `redirect_uri`, `response_type`, `scope`, `state`,
+ * `code_challenge`, and `code_challenge_method`.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
+ *
+ * @param oauthConfig - The OAuth configuration for the third-party service.
+ * @param redirectURI - The redirect URI where the OAuth service will send the user after authorization.
+ * @param state - A unique string used to maintain state between the request and callback.
+ */
+declare const createAuthorizationURL: (oauthConfig: OAuthProviderCredentials, redirectURI: string, state: string, codeChallenge: string, codeChallengeMethod: string) => string;
+declare const getOriginURL: (request: Request, trustedProxyHeaders?: boolean) => URL;
+/**
+ * Creates the redirect URI for the OAuth callback based on the original request URL and the OAuth provider.
+ *
+ * @param requestURL - the original request URL
+ * @param oauth - OAuth provider name
+ * @returns The redirect URI for the OAuth callback.
+ */
+declare const createRedirectURI: (request: Request, oauth: string, basePath: string, trustedProxyHeaders?: boolean) => string;
+/**
+ * Verifies if the request's origin matches the expected origin. It accepts the redirectTo search
+ * parameter for redirection. It checks the 'Referer' header of the request with the origin where
+ * the authentication flow is hosted. If they do not match, it throws an AuthError to avoid
+ * potential `Open URL Redirection` attacks.
+ *
+ * @param request The incoming request object
+ * @param redirectTo Optional redirectTo parameter to override the referer
+ * @returns The pathname of the referer URL if origins match
+ */
+declare const createRedirectTo: (request: Request, redirectTo?: string, trustedProxyHeaders?: boolean) => string;
+
+export { createAuthorizationURL, createRedirectTo, createRedirectURI, getOriginURL };

package/dist/actions/signIn/authorization.d.ts

@@ -0,0 +1,45 @@
+import { O as OAuthProviderCredentials } from '../../index-CGRZ0wrw.js';
+import 'zod/v4';
+import '../../jose.js';
+import '@aura-stack/jose/jose';
+import '../../schemas.js';
+import 'zod/v4/core';
+import '@aura-stack/router';
+import 'cookie';
+import '../../@types/utility.js';
+
+/**
+ * Constructs the request URI for the Authorization Request to the third-party OAuth service. It includes
+ * the necessary query parameters such as `client_id`, `redirect_uri`, `response_type`, `scope`, `state`,
+ * `code_challenge`, and `code_challenge_method`.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
+ *
+ * @param oauthConfig - The OAuth configuration for the third-party service.
+ * @param redirectURI - The redirect URI where the OAuth service will send the user after authorization.
+ * @param state - A unique string used to maintain state between the request and callback.
+ */
+declare const createAuthorizationURL: (oauthConfig: OAuthProviderCredentials, redirectURI: string, state: string, codeChallenge: string, codeChallengeMethod: string) => string;
+declare const getOriginURL: (request: Request, trustedProxyHeaders?: boolean) => URL;
+/**
+ * Creates the redirect URI for the OAuth callback based on the original request URL and the OAuth provider.
+ *
+ * @param requestURL - the original request URL
+ * @param oauth - OAuth provider name
+ * @returns The redirect URI for the OAuth callback.
+ */
+declare const createRedirectURI: (request: Request, oauth: string, basePath: string, trustedProxyHeaders?: boolean) => string;
+/**
+ * Verifies if the request's origin matches the expected origin. It accepts the redirectTo search
+ * parameter for redirection. It checks the 'Referer' header of the request with the origin where
+ * the authentication flow is hosted. If they do not match, it throws an AuthError to avoid
+ * potential `Open URL Redirection` attacks.
+ *
+ * @param request The incoming request object
+ * @param redirectTo Optional redirectTo parameter to override the referer
+ * @returns The pathname of the referer URL if origins match
+ */
+declare const createRedirectTo: (request: Request, redirectTo?: string, trustedProxyHeaders?: boolean) => string;
+
+export { createAuthorizationURL, createRedirectTo, createRedirectURI, getOriginURL };

package/dist/actions/signIn/authorization.js

@@ -0,0 +1,16 @@
+import {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI,
+  getOriginURL
+} from "../../chunk-CAKJT3KS.js";
+import "../../chunk-6SM22VVJ.js";
+import "../../chunk-256KIVJL.js";
+import "../../chunk-FJUDBLCP.js";
+import "../../chunk-HMRKN75I.js";
+export {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI,
+  getOriginURL
+};