@aura-stack/auth 0.1.0-rc.7 → 0.1.0-rc.9

package/dist/chunk-EBPE35JT.js

@@ -1,31 +1,29 @@
 // src/oauth/discord.ts
 var discord = {
-  id: "discord",
-  name: "Discord",
-  authorizeURL: "https://discord.com/oauth2/authorize",
-  accessToken: "https://discord.com/api/oauth2/token",
-  userInfo: "https://discord.com/api/users/@me",
-  scope: "identify email",
-  responseType: "code",
-  profile(profile) {
-    let image = "";
-    if (profile.avatar === null) {
-      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
-      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
-    } else {
-      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
-      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
-    }
-    return {
-      sub: profile.id,
-      // https://discord.com/developers/docs/change-log#display-names
-      name: profile.global_name ?? profile.username,
-      email: profile.email ?? "",
-      image
-    };
-  }
-};
+    id: "discord",
+    name: "Discord",
+    authorizeURL: "https://discord.com/oauth2/authorize",
+    accessToken: "https://discord.com/api/oauth2/token",
+    userInfo: "https://discord.com/api/users/@me",
+    scope: "identify email",
+    responseType: "code",
+    profile(profile) {
+        let image = ""
+        if (profile.avatar === null) {
+            const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5
+            image = `https://cdn.discordapp.com/embed/avatars/${index}.png`
+        } else {
+            const format = profile.avatar.startsWith("a_") ? "gif" : "png"
+            image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`
+        }
+        return {
+            sub: profile.id,
+            // https://discord.com/developers/docs/change-log#display-names
+            name: profile.global_name ?? profile.username,
+            email: profile.email ?? "",
+            image,
+        }
+    },
+}
 
-export {
-  discord
-};
+export { discord }

package/dist/chunk-FIPU4MLT.js

@@ -1,21 +1,19 @@
 // src/oauth/bitbucket.ts
 var bitbucket = {
-  id: "bitbucket",
-  name: "Bitbucket",
-  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
-  accessToken: "https://bitbucket.org/site/oauth2/access_token",
-  userInfo: "https://api.bitbucket.org/2.0/user",
-  scope: "account email",
-  responseType: "code",
-  profile(profile) {
-    return {
-      sub: profile.uuid ?? profile.account_id,
-      name: profile.display_name ?? profile.nickname,
-      image: profile.links.avatar.href
-    };
-  }
-};
+    id: "bitbucket",
+    name: "Bitbucket",
+    authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+    accessToken: "https://bitbucket.org/site/oauth2/access_token",
+    userInfo: "https://api.bitbucket.org/2.0/user",
+    scope: "account email",
+    responseType: "code",
+    profile(profile) {
+        return {
+            sub: profile.uuid ?? profile.account_id,
+            name: profile.display_name ?? profile.nickname,
+            image: profile.links.avatar.href,
+        }
+    },
+}
 
-export {
-  bitbucket
-};
+export { bitbucket }

package/dist/chunk-FJUDBLCP.js

@@ -1,59 +1,52 @@
 // src/error.ts
 var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
+    constructor(type, message) {
+        super(message)
+        this.type = type
+        this.name = "AuthError"
+    }
+}
 var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
-  }
-};
+    constructor(message = "The provided CSRF token is invalid or has expired") {
+        super("invalid_csrf_token", message)
+        this.name = "InvalidCsrfTokenError"
+    }
+}
 var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
-  }
-};
+    constructor(message = "The redirectTo parameter does not match the hosted origin.") {
+        super("invalid_redirect_to", message)
+        this.name = "InvalidRedirectToError"
+    }
+}
 var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
+    return error instanceof AuthError
+}
 var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
+    if (error instanceof Error) {
+        if (isAuthError(error)) {
+            throw error
+        }
+        throw new AuthError("invalid_request", error.message ?? message)
     }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
-};
+}
 var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
-};
+    AUTHORIZATION: {
+        INVALID_REQUEST: "invalid_request",
+        UNAUTHORIZED_CLIENT: "unauthorized_client",
+        ACCESS_DENIED: "access_denied",
+        UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+        INVALID_SCOPE: "invalid_scope",
+        SERVER_ERROR: "server_error",
+        TEMPORARILY_UNAVAILABLE: "temporarily_unavailable",
+    },
+    ACCESS_TOKEN: {
+        INVALID_REQUEST: "invalid_request",
+        INVALID_CLIENT: "invalid_client",
+        INVALID_GRANT: "invalid_grant",
+        UNAUTHORIZED_CLIENT: "unauthorized_client",
+        UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+        INVALID_SCOPE: "invalid_scope",
+    },
+}
 
-export {
-  AuthError,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError,
-  ERROR_RESPONSE
-};
+export { AuthError, InvalidCsrfTokenError, InvalidRedirectToError, isAuthError, throwAuthError, ERROR_RESPONSE }

package/dist/chunk-FKRDCWBF.js

@@ -1,22 +1,20 @@
 // src/oauth/figma.ts
 var figma = {
-  id: "figma",
-  name: "Figma",
-  authorizeURL: "https://www.figma.com/oauth",
-  accessToken: "https://api.figma.com/v1/oauth/token",
-  userInfo: "https://api.figma.com/v1/me",
-  scope: "current_user:read",
-  responseType: "code",
-  profile(profile) {
-    return {
-      sub: profile.id,
-      name: profile.handle,
-      email: profile.email,
-      image: profile.img_url
-    };
-  }
-};
+    id: "figma",
+    name: "Figma",
+    authorizeURL: "https://www.figma.com/oauth",
+    accessToken: "https://api.figma.com/v1/oauth/token",
+    userInfo: "https://api.figma.com/v1/me",
+    scope: "current_user:read",
+    responseType: "code",
+    profile(profile) {
+        return {
+            sub: profile.id,
+            name: profile.handle,
+            email: profile.email,
+            image: profile.img_url,
+        }
+    },
+}
 
-export {
-  figma
-};
+export { figma }

package/dist/chunk-GZU3RBTB.js

@@ -1,62 +1,51 @@
-import {
-  equals
-} from "./chunk-256KIVJL.js";
-import {
-  InvalidCsrfTokenError
-} from "./chunk-FJUDBLCP.js";
+import { equals } from "./chunk-256KIVJL.js"
+import { InvalidCsrfTokenError } from "./chunk-FJUDBLCP.js"
 
 // src/secure.ts
-import crypto from "crypto";
+import crypto from "crypto"
 var generateSecure = (length = 32) => {
-  return crypto.randomBytes(length).toString("base64url");
-};
+    return crypto.randomBytes(length).toString("base64url")
+}
 var createHash = (data, base = "hex") => {
-  return crypto.createHash("sha256").update(data).digest().toString(base);
-};
+    return crypto.createHash("sha256").update(data).digest().toString(base)
+}
 var createPKCE = async (verifier) => {
-  const codeVerifier = verifier ?? generateSecure(86);
-  const codeChallenge = createHash(codeVerifier, "base64url");
-  return { codeVerifier, codeChallenge, method: "S256" };
-};
+    const codeVerifier = verifier ?? generateSecure(86)
+    const codeChallenge = createHash(codeVerifier, "base64url")
+    return { codeVerifier, codeChallenge, method: "S256" }
+}
 var createCSRF = async (jose, csrfCookie) => {
-  try {
-    const token = generateSecure(32);
-    if (csrfCookie) {
-      await jose.verifyJWS(csrfCookie);
-      return csrfCookie;
+    try {
+        const token = generateSecure(32)
+        if (csrfCookie) {
+            await jose.verifyJWS(csrfCookie)
+            return csrfCookie
+        }
+        return jose.signJWS({ token })
+    } catch {
+        const token = generateSecure(32)
+        return jose.signJWS({ token })
     }
-    return jose.signJWS({ token });
-  } catch {
-    const token = generateSecure(32);
-    return jose.signJWS({ token });
-  }
-};
+}
 var verifyCSRF = async (jose, cookie, header) => {
-  try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
-    if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
+    try {
+        const { token: cookieToken } = await jose.verifyJWS(cookie)
+        const { token: headerToken } = await jose.verifyJWS(header)
+        const cookieBuffer = Buffer.from(cookieToken)
+        const headerBuffer = Buffer.from(headerToken)
+        if (!equals(headerBuffer.length, cookieBuffer.length)) {
+            throw new InvalidCsrfTokenError()
+        }
+        if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
+            throw new InvalidCsrfTokenError()
+        }
+        return true
+    } catch {
+        throw new InvalidCsrfTokenError()
     }
-    if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
-    }
-    return true;
-  } catch {
-    throw new InvalidCsrfTokenError();
-  }
-};
+}
 var createDerivedSalt = (secret) => {
-  return crypto.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
-};
+    return crypto.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex")
+}
 
-export {
-  generateSecure,
-  createHash,
-  createPKCE,
-  createCSRF,
-  verifyCSRF,
-  createDerivedSalt
-};
+export { generateSecure, createHash, createPKCE, createCSRF, verifyCSRF, createDerivedSalt }

package/dist/chunk-HGJ4TXY4.js

@@ -1,137 +1,105 @@
-import {
-  getUserInfo
-} from "./chunk-RLT4RFKV.js";
-import {
-  createAccessToken
-} from "./chunk-UJJ7R56J.js";
-import {
-  createSessionCookie,
-  expireCookie,
-  getCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  createCSRF
-} from "./chunk-GZU3RBTB.js";
-import {
-  equals,
-  isValidRelativePath,
-  sanitizeURL
-} from "./chunk-256KIVJL.js";
-import {
-  AuthError,
-  ERROR_RESPONSE,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-import {
-  OAuthAuthorizationErrorResponse,
-  OAuthAuthorizationResponse
-} from "./chunk-HMRKN75I.js";
+import { getUserInfo } from "./chunk-RLT4RFKV.js"
+import { createAccessToken } from "./chunk-UJJ7R56J.js"
+import { createSessionCookie, expireCookie, getCookie, secureCookieOptions, setCookie } from "./chunk-ZV4BH47P.js"
+import { cacheControl } from "./chunk-STHEPPUZ.js"
+import { createCSRF } from "./chunk-GZU3RBTB.js"
+import { equals, isValidRelativePath, sanitizeURL } from "./chunk-256KIVJL.js"
+import { AuthError, ERROR_RESPONSE, isAuthError } from "./chunk-FJUDBLCP.js"
+import { AuraResponse } from "./chunk-JAPMIE6S.js"
+import { OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse } from "./chunk-HMRKN75I.js"
 
 // src/actions/callback/callback.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
+import z from "zod"
+import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router"
 var callbackConfig = (oauth) => {
-  return createEndpointConfig("/callback/:oauth", {
-    schemas: {
-      searchParams: OAuthAuthorizationResponse,
-      params: z.object({
-        oauth: z.enum(Object.keys(oauth))
-      })
-    },
-    middlewares: [
-      (ctx) => {
-        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
-        if (response.success) {
-          const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
-        }
-        return ctx;
-      }
-    ]
-  });
-};
-var callbackAction = (oauth) => {
-  return createEndpoint(
-    "GET",
-    "/callback/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2 },
-        searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
-      } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
+    return createEndpointConfig("/callback/:oauth", {
+        schemas: {
+            searchParams: OAuthAuthorizationResponse,
+            params: z.object({
+                oauth: z.enum(Object.keys(oauth)),
+            }),
+        },
+        middlewares: [
+            (ctx) => {
+                const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams)
+                if (response.success) {
+                    const { error, error_description } = response.data
+                    throw new AuthError(error, error_description ?? "OAuth Authorization Error")
+                }
+                return ctx
             },
-            trustedProxyHeaders
-          )
-        );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    callbackConfig(oauth)
-  );
-};
+        ],
+    })
+}
+var callbackAction = (oauth) => {
+    return createEndpoint(
+        "GET",
+        "/callback/:oauth",
+        async (ctx) => {
+            const {
+                request,
+                params: { oauth: oauth2 },
+                searchParams: { code, state },
+                context: { oauth: providers, cookies, jose, trustedProxyHeaders },
+            } = ctx
+            try {
+                const oauthConfig = providers[oauth2]
+                const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
+                const cookieState = getCookie(request, "state", cookieOptions)
+                const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions)
+                const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions)
+                const codeVerifier = getCookie(request, "code_verifier", cookieOptions)
+                if (!equals(cookieState, state)) {
+                    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state")
+                }
+                const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier)
+                const sanitized = sanitizeURL(cookieRedirectTo)
+                if (!isValidRelativePath(sanitized)) {
+                    throw new AuthError(
+                        ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
+                        "Invalid redirect path. Potential open redirect attack detected."
+                    )
+                }
+                const headers = new Headers(cacheControl)
+                headers.set("Location", sanitized)
+                const userInfo = await getUserInfo(oauthConfig, accessToken.access_token)
+                const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose)
+                const csrfToken = await createCSRF(jose)
+                const csrfCookie = setCookie(
+                    "csrfToken",
+                    csrfToken,
+                    secureCookieOptions(
+                        request,
+                        {
+                            ...cookies,
+                            strategy: "host",
+                        },
+                        trustedProxyHeaders
+                    )
+                )
+                headers.set("Set-Cookie", sessionCookie)
+                headers.append("Set-Cookie", expireCookie("state", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions))
+                headers.append("Set-Cookie", csrfCookie)
+                return Response.json({ oauth: oauth2 }, { status: 302, headers })
+            } catch (error) {
+                if (isAuthError(error)) {
+                    const { type, message } = error
+                    return AuraResponse.json({ error: type, error_description: message }, { status: statusCode.BAD_REQUEST })
+                }
+                return AuraResponse.json(
+                    {
+                        error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
+                        error_description: "An unexpected error occurred",
+                    },
+                    { status: statusCode.INTERNAL_SERVER_ERROR }
+                )
+            }
+        },
+        callbackConfig(oauth)
+    )
+}
 
-export {
-  callbackAction
-};
+export { callbackAction }