@aura-stack/auth 0.1.0-rc.1

package/dist/chunk-42XB3YCW.js

@@ -0,0 +1,22 @@
+// src/oauth/x.ts
+var x = {
+  id: "x",
+  name: "X",
+  authorizeURL: "https://x.com/i/oauth2/authorize",
+  accessToken: "https://api.x.com/2/oauth2/token",
+  userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
+  scope: "users.read users.email tweet.read offline.access",
+  responseType: "code",
+  profile({ data }) {
+    return {
+      sub: data.id,
+      name: data.name,
+      image: data.profile_image_url,
+      email: ""
+    };
+  }
+};
+
+export {
+  x
+};

package/dist/chunk-6SM22VVJ.js

@@ -0,0 +1,18 @@
+// src/assert.ts
+var isFalsy = (value) => {
+  return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
+};
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+
+export {
+  isFalsy,
+  isRequest,
+  isValidURL
+};

package/dist/chunk-CAKJT3KS.js

@@ -0,0 +1,92 @@
+import {
+  isValidURL
+} from "./chunk-6SM22VVJ.js";
+import {
+  equals,
+  getNormalizedOriginPath,
+  sanitizeURL,
+  toCastCase
+} from "./chunk-256KIVJL.js";
+import {
+  AuthError,
+  ERROR_RESPONSE,
+  InvalidRedirectToError,
+  isAuthError
+} from "./chunk-FJUDBLCP.js";
+import {
+  OAuthAuthorization
+} from "./chunk-HMRKN75I.js";
+
+// src/actions/signIn/authorization.ts
+var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
+  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+  if (!parsed.success) {
+    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+  }
+  const { authorizeURL, ...options } = parsed.data;
+  const { userInfo, accessToken, clientSecret, ...required } = options;
+  const searchParams = new URLSearchParams(toCastCase(required));
+  return `${authorizeURL}?${searchParams}`;
+};
+var getOriginURL = (request, trustedProxyHeaders) => {
+  const headers = request.headers;
+  if (trustedProxyHeaders) {
+    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
+    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
+    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
+  } else {
+    return new URL(getNormalizedOriginPath(request.url));
+  }
+};
+var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
+};
+var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
+  try {
+    const headers = request.headers;
+    const origin = headers.get("Origin");
+    const referer = headers.get("Referer");
+    let hostedURL = getOriginURL(request, trustedProxyHeaders);
+    if (redirectTo) {
+      if (redirectTo.startsWith("/")) {
+        return sanitizeURL(redirectTo);
+      }
+      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
+      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+        throw new InvalidRedirectToError();
+      }
+      return sanitizeURL(redirectToURL.pathname);
+    }
+    if (referer) {
+      const refererURL = new URL(sanitizeURL(referer));
+      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+        throw new AuthError(
+          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+          "The referer of the request does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(refererURL.pathname);
+    }
+    if (origin) {
+      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
+      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+      }
+      return sanitizeURL(originURL.pathname);
+    }
+    return "/";
+  } catch (error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+  }
+};
+
+export {
+  createAuthorizationURL,
+  getOriginURL,
+  createRedirectURI,
+  createRedirectTo
+};

package/dist/chunk-E3OXBRYF.js

@@ -0,0 +1,22 @@
+// src/oauth/spotify.ts
+var spotify = {
+  id: "spotify",
+  name: "Spotify",
+  authorizeURL: "https://accounts.spotify.com/authorize",
+  accessToken: "https://accounts.spotify.com/api/token",
+  userInfo: "https://api.spotify.com/v1/me",
+  scope: "user-read-email user-read-private",
+  responseType: "token",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.display_name,
+      email: profile.email,
+      image: profile.images?.[0]?.url
+    };
+  }
+};
+
+export {
+  spotify
+};

package/dist/chunk-EBPE35JT.js

@@ -0,0 +1,31 @@
+// src/oauth/discord.ts
+var discord = {
+  id: "discord",
+  name: "Discord",
+  authorizeURL: "https://discord.com/oauth2/authorize",
+  accessToken: "https://discord.com/api/oauth2/token",
+  userInfo: "https://discord.com/api/users/@me",
+  scope: "identify email",
+  responseType: "code",
+  profile(profile) {
+    let image = "";
+    if (profile.avatar === null) {
+      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
+      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
+    } else {
+      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+    }
+    return {
+      sub: profile.id,
+      // https://discord.com/developers/docs/change-log#display-names
+      name: profile.global_name ?? profile.username,
+      email: profile.email ?? "",
+      image
+    };
+  }
+};
+
+export {
+  discord
+};

package/dist/chunk-FIPU4MLT.js

@@ -0,0 +1,21 @@
+// src/oauth/bitbucket.ts
+var bitbucket = {
+  id: "bitbucket",
+  name: "Bitbucket",
+  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+  accessToken: "https://bitbucket.org/site/oauth2/access_token",
+  userInfo: "https://api.bitbucket.org/2.0/user",
+  scope: "account email",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.uuid ?? profile.account_id,
+      name: profile.display_name ?? profile.nickname,
+      image: profile.links.avatar.href
+    };
+  }
+};
+
+export {
+  bitbucket
+};

package/dist/chunk-FJUDBLCP.js

@@ -0,0 +1,59 @@
+// src/error.ts
+var AuthError = class extends Error {
+  constructor(type, message) {
+    super(message);
+    this.type = type;
+    this.name = "AuthError";
+  }
+};
+var InvalidCsrfTokenError = class extends AuthError {
+  constructor(message = "The provided CSRF token is invalid or has expired") {
+    super("invalid_csrf_token", message);
+    this.name = "InvalidCsrfTokenError";
+  }
+};
+var InvalidRedirectToError = class extends AuthError {
+  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
+    super("invalid_redirect_to", message);
+    this.name = "InvalidRedirectToError";
+  }
+};
+var isAuthError = (error) => {
+  return error instanceof AuthError;
+};
+var throwAuthError = (error, message) => {
+  if (error instanceof Error) {
+    if (isAuthError(error)) {
+      throw error;
+    }
+    throw new AuthError("invalid_request", error.message ?? message);
+  }
+};
+var ERROR_RESPONSE = {
+  AUTHORIZATION: {
+    INVALID_REQUEST: "invalid_request",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    ACCESS_DENIED: "access_denied",
+    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+    INVALID_SCOPE: "invalid_scope",
+    SERVER_ERROR: "server_error",
+    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
+  },
+  ACCESS_TOKEN: {
+    INVALID_REQUEST: "invalid_request",
+    INVALID_CLIENT: "invalid_client",
+    INVALID_GRANT: "invalid_grant",
+    UNAUTHORIZED_CLIENT: "unauthorized_client",
+    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+    INVALID_SCOPE: "invalid_scope"
+  }
+};
+
+export {
+  AuthError,
+  InvalidCsrfTokenError,
+  InvalidRedirectToError,
+  isAuthError,
+  throwAuthError,
+  ERROR_RESPONSE
+};

package/dist/chunk-FKRDCWBF.js

@@ -0,0 +1,22 @@
+// src/oauth/figma.ts
+var figma = {
+  id: "figma",
+  name: "Figma",
+  authorizeURL: "https://www.figma.com/oauth",
+  accessToken: "https://api.figma.com/v1/oauth/token",
+  userInfo: "https://api.figma.com/v1/me",
+  scope: "current_user:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.handle,
+      email: profile.email,
+      image: profile.img_url
+    };
+  }
+};
+
+export {
+  figma
+};

package/dist/chunk-GZU3RBTB.js

@@ -0,0 +1,62 @@
+import {
+  equals
+} from "./chunk-256KIVJL.js";
+import {
+  InvalidCsrfTokenError
+} from "./chunk-FJUDBLCP.js";
+
+// src/secure.ts
+import crypto from "crypto";
+var generateSecure = (length = 32) => {
+  return crypto.randomBytes(length).toString("base64url");
+};
+var createHash = (data, base = "hex") => {
+  return crypto.createHash("sha256").update(data).digest().toString(base);
+};
+var createPKCE = async (verifier) => {
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
+var createCSRF = async (jose, csrfCookie) => {
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
+    }
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
+var verifyCSRF = async (jose, cookie, header) => {
+  try {
+    const { token: cookieToken } = await jose.verifyJWS(cookie);
+    const { token: headerToken } = await jose.verifyJWS(header);
+    const cookieBuffer = Buffer.from(cookieToken);
+    const headerBuffer = Buffer.from(headerToken);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new InvalidCsrfTokenError();
+    }
+    if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new InvalidCsrfTokenError();
+    }
+    return true;
+  } catch {
+    throw new InvalidCsrfTokenError();
+  }
+};
+var createDerivedSalt = (secret) => {
+  return crypto.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
+
+export {
+  generateSecure,
+  createHash,
+  createPKCE,
+  createCSRF,
+  verifyCSRF,
+  createDerivedSalt
+};

package/dist/chunk-HGJ4TXY4.js

@@ -0,0 +1,137 @@
+import {
+  getUserInfo
+} from "./chunk-RLT4RFKV.js";
+import {
+  createAccessToken
+} from "./chunk-UJJ7R56J.js";
+import {
+  createSessionCookie,
+  expireCookie,
+  getCookie,
+  secureCookieOptions,
+  setCookie
+} from "./chunk-ZV4BH47P.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-GZU3RBTB.js";
+import {
+  equals,
+  isValidRelativePath,
+  sanitizeURL
+} from "./chunk-256KIVJL.js";
+import {
+  AuthError,
+  ERROR_RESPONSE,
+  isAuthError
+} from "./chunk-FJUDBLCP.js";
+import {
+  AuraResponse
+} from "./chunk-JAPMIE6S.js";
+import {
+  OAuthAuthorizationErrorResponse,
+  OAuthAuthorizationResponse
+} from "./chunk-HMRKN75I.js";
+
+// src/actions/callback/callback.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
+var callbackConfig = (oauth) => {
+  return createEndpointConfig("/callback/:oauth", {
+    schemas: {
+      searchParams: OAuthAuthorizationResponse,
+      params: z.object({
+        oauth: z.enum(Object.keys(oauth))
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
+var callbackAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
+      } = ctx;
+      try {
+        const oauthConfig = providers[oauth2];
+        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
+        const cookieState = getCookie(request, "state", cookieOptions);
+        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
+        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
+        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
+        if (!equals(cookieState, state)) {
+          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
+        }
+        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+        const sanitized = sanitizeURL(cookieRedirectTo);
+        if (!isValidRelativePath(sanitized)) {
+          throw new AuthError(
+            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
+            "Invalid redirect path. Potential open redirect attack detected."
+          );
+        }
+        const headers = new Headers(cacheControl);
+        headers.set("Location", sanitized);
+        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
+        const csrfToken = await createCSRF(jose);
+        const csrfCookie = setCookie(
+          "csrfToken",
+          csrfToken,
+          secureCookieOptions(
+            request,
+            {
+              ...cookies,
+              strategy: "host"
+            },
+            trustedProxyHeaders
+          )
+        );
+        headers.set("Set-Cookie", sessionCookie);
+        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
+        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
+        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
+        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
+        headers.append("Set-Cookie", csrfCookie);
+        return Response.json({ oauth: oauth2 }, { status: 302, headers });
+      } catch (error) {
+        if (isAuthError(error)) {
+          const { type, message } = error;
+          return AuraResponse.json(
+            { error: type, error_description: message },
+            { status: statusCode.BAD_REQUEST }
+          );
+        }
+        return AuraResponse.json(
+          {
+            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
+            error_description: "An unexpected error occurred"
+          },
+          { status: statusCode.INTERNAL_SERVER_ERROR }
+        );
+      }
+    },
+    callbackConfig(oauth)
+  );
+};
+
+export {
+  callbackAction
+};

package/dist/chunk-HMRKN75I.js

@@ -0,0 +1,74 @@
+// src/schemas.ts
+import { object, string, enum as options, number, url } from "zod/v4";
+var OAuthProviderConfigSchema = object({
+  authorizeURL: url(),
+  accessToken: url(),
+  scope: string().optional(),
+  userInfo: url(),
+  responseType: options(["code", "token", "id_token"]),
+  clientId: string(),
+  clientSecret: string()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  state: string(),
+  codeChallenge: string(),
+  codeChallengeMethod: options(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = object({
+  state: string(),
+  code: string()
+});
+var OAuthAuthorizationErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional(),
+  state: string()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  code: string(),
+  codeVerifier: string().min(43).max(128)
+});
+var OAuthAccessTokenResponse = object({
+  access_token: string(),
+  token_type: string(),
+  expires_in: number().optional(),
+  refresh_token: string().optional(),
+  scope: string().optional()
+});
+var OAuthAccessTokenErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional()
+});
+var OAuthErrorResponse = object({
+  error: string(),
+  error_description: string().optional()
+});
+
+export {
+  OAuthProviderConfigSchema,
+  OAuthAuthorization,
+  OAuthAuthorizationResponse,
+  OAuthAuthorizationErrorResponse,
+  OAuthAccessToken,
+  OAuthAccessTokenResponse,
+  OAuthAccessTokenErrorResponse,
+  OAuthErrorResponse
+};

package/dist/chunk-IKHPGFCW.js

@@ -0,0 +1,14 @@
+// src/oauth/github.ts
+var github = {
+  id: "github",
+  name: "GitHub",
+  authorizeURL: "https://github.com/login/oauth/authorize",
+  accessToken: "https://github.com/login/oauth/access_token",
+  userInfo: "https://api.github.com/user",
+  scope: "read:user user:email",
+  responseType: "code"
+};
+
+export {
+  github
+};

package/dist/chunk-JAPMIE6S.js

@@ -0,0 +1,10 @@
+// src/response.ts
+var AuraResponse = class extends Response {
+  static json(body, init) {
+    return Response.json(body, init);
+  }
+};
+
+export {
+  AuraResponse
+};

package/dist/chunk-KRNOMBXQ.js

@@ -0,0 +1,22 @@
+// src/oauth/gitlab.ts
+var gitlab = {
+  id: "gitlab",
+  name: "GitLab",
+  authorizeURL: "https://gitlab.com/oauth/authorize",
+  accessToken: "https://gitlab.com/oauth/token",
+  userInfo: "https://gitlab.com/api/v4/user",
+  scope: "read_user",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: profile.name ?? profile.username,
+      email: profile.email,
+      avatar: profile.avatar_url
+    };
+  }
+};
+
+export {
+  gitlab
+};