@aura-stack/auth 0.1.0-rc.1

package/dist/chunk-LLR722CL.js

@@ -0,0 +1,96 @@
+import {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI
+} from "./chunk-CAKJT3KS.js";
+import {
+  oauthCookie,
+  secureCookieOptions,
+  setCookie
+} from "./chunk-ZV4BH47P.js";
+import {
+  createPKCE,
+  generateSecure
+} from "./chunk-GZU3RBTB.js";
+import {
+  ERROR_RESPONSE,
+  isAuthError
+} from "./chunk-FJUDBLCP.js";
+import {
+  AuraResponse
+} from "./chunk-JAPMIE6S.js";
+
+// src/actions/signIn/signIn.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
+var signInConfig = (oauth) => {
+  return createEndpointConfig("/signIn/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(Object.keys(oauth)),
+        redirectTo: z.string().optional()
+      })
+    }
+  });
+};
+var signInAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/signIn/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2, redirectTo },
+        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
+      } = ctx;
+      try {
+        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
+        const state = generateSecure();
+        const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+        const stateCookie = setCookie("state", state, oauthCookie(cookieOptions));
+        const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions));
+        const redirectToCookie = setCookie(
+          "redirect_to",
+          createRedirectTo(request, redirectTo, trustedProxyHeaders),
+          oauthCookie(cookieOptions)
+        );
+        const { codeVerifier, codeChallenge, method } = await createPKCE();
+        const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions));
+        const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+        const headers = new Headers();
+        headers.set("Location", authorization);
+        headers.append("Set-Cookie", stateCookie);
+        headers.append("Set-Cookie", redirectURICookie);
+        headers.append("Set-Cookie", redirectToCookie);
+        headers.append("Set-Cookie", codeVerifierCookie);
+        return Response.json(
+          { oauth: oauth2 },
+          {
+            status: 302,
+            headers
+          }
+        );
+      } catch (error) {
+        if (isAuthError(error)) {
+          const { type, message } = error;
+          return AuraResponse.json(
+            { error: type, error_description: message },
+            { status: statusCode.BAD_REQUEST }
+          );
+        }
+        return AuraResponse.json(
+          {
+            error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
+            error_description: "An unexpected error occurred"
+          },
+          { status: statusCode.INTERNAL_SERVER_ERROR }
+        );
+      }
+    },
+    signInConfig(oauth)
+  );
+};
+
+export {
+  signInAction
+};

package/dist/chunk-RLT4RFKV.js

@@ -0,0 +1,45 @@
+import {
+  generateSecure
+} from "./chunk-GZU3RBTB.js";
+import {
+  AuthError,
+  throwAuthError
+} from "./chunk-FJUDBLCP.js";
+import {
+  OAuthErrorResponse
+} from "./chunk-HMRKN75I.js";
+
+// src/actions/callback/userinfo.ts
+var getDefaultUserInfo = (profile) => {
+  const sub = generateSecure(16);
+  return {
+    sub: profile?.id ?? profile?.sub ?? sub,
+    email: profile?.email,
+    name: profile?.name ?? profile?.username ?? profile?.nickname,
+    image: profile?.image ?? profile?.picture
+  };
+};
+var getUserInfo = async (oauthConfig, accessToken) => {
+  const userinfoEndpoint = oauthConfig.userInfo;
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    const json = await response.json();
+    const { success, data } = OAuthErrorResponse.safeParse(json);
+    if (success) {
+      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+    }
+    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
+  } catch (error) {
+    throw throwAuthError(error, "Failed to retrieve userinfo");
+  }
+};
+
+export {
+  getUserInfo
+};

package/dist/chunk-SJPDVKUS.js

@@ -0,0 +1,112 @@
+import {
+  createRedirectTo
+} from "./chunk-CAKJT3KS.js";
+import {
+  expireCookie,
+  getCookie,
+  secureCookieOptions
+} from "./chunk-ZV4BH47P.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  verifyCSRF
+} from "./chunk-GZU3RBTB.js";
+import {
+  getNormalizedOriginPath
+} from "./chunk-256KIVJL.js";
+import {
+  InvalidCsrfTokenError,
+  InvalidRedirectToError
+} from "./chunk-FJUDBLCP.js";
+import {
+  AuraResponse
+} from "./chunk-JAPMIE6S.js";
+
+// src/actions/signOut/signOut.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
+var config = createEndpointConfig({
+  schemas: {
+    searchParams: z.object({
+      token_type_hint: z.literal("session_token"),
+      redirectTo: z.string().optional()
+    })
+  }
+});
+var signOutAction = createEndpoint(
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { cookies, jose, trustedProxyHeaders }
+    } = ctx;
+    try {
+      const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
+      const session = getCookie(request, "sessionToken", cookiesOptions);
+      const csrfToken = getCookie(request, "csrfToken", {
+        ...cookiesOptions,
+        prefix: cookiesOptions.secure ? "__Host-" : ""
+      });
+      const header = headers.get("X-CSRF-Token");
+      if (!header || !session || !csrfToken) {
+        throw new Error("Missing CSRF token or session token");
+      }
+      await verifyCSRF(jose, csrfToken, header);
+      await jose.decodeJWT(session);
+      const normalizedOriginPath = getNormalizedOriginPath(request.url);
+      const location = createRedirectTo(
+        new Request(normalizedOriginPath, {
+          headers
+        }),
+        redirectTo
+      );
+      const responseHeaders = new Headers(cacheControl);
+      responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions));
+      responseHeaders.append(
+        "Set-Cookie",
+        expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
+      );
+      responseHeaders.append("Location", location);
+      return Response.json(
+        { message: "Signed out successfully" },
+        { status: statusCode.ACCEPTED, headers: responseHeaders }
+      );
+    } catch (error) {
+      if (error instanceof InvalidCsrfTokenError) {
+        return AuraResponse.json(
+          {
+            error: "invalid_csrf_token",
+            error_description: "The provided CSRF token is invalid or has expired"
+          },
+          { status: statusCode.UNAUTHORIZED }
+        );
+      }
+      if (error instanceof InvalidRedirectToError) {
+        const { type, message } = error;
+        return AuraResponse.json(
+          {
+            error: type,
+            error_description: message
+          },
+          { status: statusCode.BAD_REQUEST }
+        );
+      }
+      return AuraResponse.json(
+        {
+          error: "invalid_session_token",
+          error_description: "The provided sessionToken is invalid or has already expired"
+        },
+        { status: statusCode.UNAUTHORIZED }
+      );
+    }
+  },
+  config
+);
+
+export {
+  signOutAction
+};

package/dist/chunk-SMQO5WD7.js

@@ -0,0 +1,30 @@
+import {
+  getCookie,
+  secureCookieOptions,
+  setCookie
+} from "./chunk-ZV4BH47P.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-GZU3RBTB.js";
+
+// src/actions/csrfToken/csrfToken.ts
+import { createEndpoint } from "@aura-stack/router";
+var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { cookies, jose, trustedProxyHeaders }
+  } = ctx;
+  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
+  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
+  const csrfToken = await createCSRF(jose, existingCSRFToken);
+  const headers = new Headers(cacheControl);
+  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
+  return Response.json({ csrfToken }, { headers });
+});
+
+export {
+  csrfTokenAction
+};

package/dist/chunk-STHEPPUZ.js

@@ -0,0 +1,11 @@
+// src/headers.ts
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
+
+export {
+  cacheControl
+};

package/dist/chunk-UJJ7R56J.js

@@ -0,0 +1,52 @@
+import {
+  AuthError,
+  ERROR_RESPONSE,
+  throwAuthError
+} from "./chunk-FJUDBLCP.js";
+import {
+  OAuthAccessToken,
+  OAuthAccessTokenErrorResponse,
+  OAuthAccessTokenResponse
+} from "./chunk-HMRKN75I.js";
+
+// src/actions/callback/access-token.ts
+var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
+  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
+  if (!parsed.success) {
+    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+  }
+  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
+  try {
+    const response = await fetch(accessToken, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: codeParsed,
+        redirect_uri: redirectParsed,
+        grant_type: "authorization_code",
+        code_verifier: codeVerifier
+      }).toString()
+    });
+    const json = await response.json();
+    const token = OAuthAccessTokenResponse.safeParse(json);
+    if (!token.success) {
+      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+      if (!success) {
+        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+      }
+      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+    }
+    return token.data;
+  } catch (error) {
+    throw throwAuthError(error, "Failed to create access token");
+  }
+};
+
+export {
+  createAccessToken
+};

package/dist/chunk-VFTYH33W.js

@@ -0,0 +1,61 @@
+import {
+  figma
+} from "./chunk-FKRDCWBF.js";
+import {
+  github
+} from "./chunk-IKHPGFCW.js";
+import {
+  gitlab
+} from "./chunk-KRNOMBXQ.js";
+import {
+  spotify
+} from "./chunk-E3OXBRYF.js";
+import {
+  x
+} from "./chunk-42XB3YCW.js";
+import {
+  bitbucket
+} from "./chunk-FIPU4MLT.js";
+import {
+  discord
+} from "./chunk-EBPE35JT.js";
+
+// src/oauth/index.ts
+var builtInOAuthProviders = {
+  github,
+  bitbucket,
+  figma,
+  discord,
+  gitlab,
+  spotify,
+  x
+};
+var defineOAuthEnvironment = (oauth) => {
+  const env = process.env;
+  return {
+    clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
+    clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`]
+  };
+};
+var defineOAuthProviderConfig = (config) => {
+  if (typeof config === "string") {
+    const definition = defineOAuthEnvironment(config);
+    const oauthConfig = builtInOAuthProviders[config];
+    return {
+      ...oauthConfig,
+      ...definition
+    };
+  }
+  return config;
+};
+var createBuiltInOAuthProviders = (oauth = []) => {
+  return oauth.reduce((previous, config) => {
+    const oauthConfig = defineOAuthProviderConfig(config);
+    return { ...previous, [oauthConfig.id]: oauthConfig };
+  }, {});
+};
+
+export {
+  builtInOAuthProviders,
+  createBuiltInOAuthProviders
+};

package/dist/chunk-X7M4CQTN.js

@@ -0,0 +1,25 @@
+import {
+  createDerivedSalt
+} from "./chunk-GZU3RBTB.js";
+
+// src/jose.ts
+import "dotenv/config";
+import { createJWT, createJWS, createDeriveKey } from "@aura-stack/jose";
+var createJoseInstance = (secret) => {
+  secret ?? (secret = process.env.AURA_AUTH_SECRET);
+  const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSessionKey } = createDeriveKey(secret, salt, "session");
+  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = createJWT(derivedSessionKey);
+  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS
+  };
+};
+
+export {
+  createJoseInstance
+};

package/dist/chunk-XXJKNKGQ.js

@@ -0,0 +1,37 @@
+import {
+  expireCookie,
+  getCookie,
+  secureCookieOptions
+} from "./chunk-ZV4BH47P.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  toISOString
+} from "./chunk-256KIVJL.js";
+
+// src/actions/session/session.ts
+import { createEndpoint } from "@aura-stack/router";
+var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
+  const {
+    request,
+    context: { cookies, jose, trustedProxyHeaders }
+  } = ctx;
+  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
+  try {
+    const session = getCookie(request, "sessionToken", cookieOptions);
+    const decoded = await jose.decodeJWT(session);
+    const { exp, iat, jti, nbf, ...user } = decoded;
+    const headers = new Headers(cacheControl);
+    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
+  } catch {
+    const headers = new Headers(cacheControl);
+    const sessionCookie = expireCookie("sessionToken", cookieOptions);
+    headers.set("Set-Cookie", sessionCookie);
+    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
+  }
+});
+
+export {
+  sessionAction
+};

package/dist/chunk-ZV4BH47P.js

@@ -0,0 +1,154 @@
+import {
+  isRequest
+} from "./chunk-6SM22VVJ.js";
+import {
+  AuthError
+} from "./chunk-FJUDBLCP.js";
+
+// src/cookie.ts
+import { parse, serialize } from "cookie";
+import { parse as parse2 } from "cookie";
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultCookieConfig = {
+  strategy: "standard",
+  name: COOKIE_NAME,
+  options: defaultCookieOptions
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true,
+  prefix: ""
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  prefix: "__Secure-"
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  prefix: "__Host-",
+  path: "/",
+  domain: void 0
+};
+var expiredCookieOptions = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var defineDefaultCookieOptions = (options) => {
+  return {
+    name: options?.name ?? COOKIE_NAME,
+    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
+    ...defaultCookieOptions,
+    ...options
+  };
+};
+var setCookie = (cookieName, value, options) => {
+  const { prefix, name } = defineDefaultCookieOptions(options);
+  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
+  return serialize(cookieNameWithPrefix, value, {
+    ...defaultCookieOptions,
+    ...options
+  });
+};
+var getCookie = (petition, cookie, options, optional = false) => {
+  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+  if (!cookies) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+  }
+  const { name, prefix } = defineDefaultCookieOptions(options);
+  const parsedCookies = parse(cookies);
+  const value = parsedCookies[`${prefix}${name}.${cookie}`];
+  if (value === void 0) {
+    if (optional) {
+      return "";
+    }
+    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  }
+  return value;
+};
+var createSessionCookie = async (session, cookieOptions, jose) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return setCookie("sessionToken", encoded, cookieOptions);
+  } catch (error) {
+    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
+  }
+};
+var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
+  const name = cookieOptions.name ?? COOKIE_NAME;
+  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
+  if (!cookieOptions.options?.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (cookieOptions.options?.domain === "*") {
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!isSecure) {
+    const options = cookieOptions.options;
+    if (options?.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (options?.sameSite == "none") {
+      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...cookieOptions.options,
+      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
+      ...defaultStandardCookieConfig,
+      name
+    };
+  }
+  return cookieOptions.strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...cookieOptions.options,
+    ...defaultHostCookieConfig,
+    name
+  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
+};
+var expireCookie = (name, options) => {
+  return setCookie(name, "", { ...options, ...expiredCookieOptions });
+};
+var oauthCookie = (options) => {
+  return {
+    ...options,
+    secure: options.secure,
+    httpOnly: options.httpOnly,
+    maxAge: 5 * 60,
+    expires: new Date(Date.now() + 5 * 60 * 1e3)
+  };
+};
+
+export {
+  COOKIE_NAME,
+  defaultCookieOptions,
+  defaultCookieConfig,
+  defaultStandardCookieConfig,
+  defaultSecureCookieConfig,
+  defaultHostCookieConfig,
+  expiredCookieOptions,
+  defineDefaultCookieOptions,
+  setCookie,
+  getCookie,
+  createSessionCookie,
+  secureCookieOptions,
+  expireCookie,
+  oauthCookie,
+  parse2 as parse
+};