@aura-stack/auth 0.1.0-rc.7 → 0.1.0-rc.9

package/dist/index.cjs

@@ -1,1089 +1,1125 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
+"use strict"
+var __create = Object.create
+var __defProp = Object.defineProperty
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor
+var __getOwnPropNames = Object.getOwnPropertyNames
+var __getProtoOf = Object.getPrototypeOf
+var __hasOwnProp = Object.prototype.hasOwnProperty
 var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
+    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
+}
 var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+    if ((from && typeof from === "object") || typeof from === "function") {
+        for (let key of __getOwnPropNames(from))
+            if (!__hasOwnProp.call(to, key) && key !== except)
+                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
+    }
+    return to
+}
+var __toESM = (mod, isNodeMode, target) => (
+    (target = mod != null ? __create(__getProtoOf(mod)) : {}),
+    __copyProps(
+        // If the importer is in node compatibility mode or this is not an ESM
+        // file that has been converted to a CommonJS file using a Babel-
+        // compatible transform (i.e. "__esModule" has not been set), then set
+        // "default" to the CommonJS "module.exports" for node compatibility.
+        isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+        mod
+    )
+)
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
 
 // src/index.ts
-var index_exports = {};
+var index_exports = {}
 __export(index_exports, {
-  createAuth: () => createAuth
-});
-module.exports = __toCommonJS(index_exports);
-var import_config2 = require("dotenv/config");
-var import_router7 = require("@aura-stack/router");
+    createAuth: () => createAuth,
+})
+module.exports = __toCommonJS(index_exports)
+var import_config2 = require("dotenv/config")
+var import_router7 = require("@aura-stack/router")
 
 // src/utils.ts
-var import_router = require("@aura-stack/router");
+var import_router = require("@aura-stack/router")
 
 // src/error.ts
 var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
+    constructor(type, message) {
+        super(message)
+        this.type = type
+        this.name = "AuthError"
+    }
+}
 var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
-  }
-};
+    constructor(message = "The provided CSRF token is invalid or has expired") {
+        super("invalid_csrf_token", message)
+        this.name = "InvalidCsrfTokenError"
+    }
+}
 var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
-  }
-};
+    constructor(message = "The redirectTo parameter does not match the hosted origin.") {
+        super("invalid_redirect_to", message)
+        this.name = "InvalidRedirectToError"
+    }
+}
 var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
+    return error instanceof AuthError
+}
 var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
+    if (error instanceof Error) {
+        if (isAuthError(error)) {
+            throw error
+        }
+        throw new AuthError("invalid_request", error.message ?? message)
     }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
-};
+}
 var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
-};
+    AUTHORIZATION: {
+        INVALID_REQUEST: "invalid_request",
+        UNAUTHORIZED_CLIENT: "unauthorized_client",
+        ACCESS_DENIED: "access_denied",
+        UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
+        INVALID_SCOPE: "invalid_scope",
+        SERVER_ERROR: "server_error",
+        TEMPORARILY_UNAVAILABLE: "temporarily_unavailable",
+    },
+    ACCESS_TOKEN: {
+        INVALID_REQUEST: "invalid_request",
+        INVALID_CLIENT: "invalid_client",
+        INVALID_GRANT: "invalid_grant",
+        UNAUTHORIZED_CLIENT: "unauthorized_client",
+        UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
+        INVALID_SCOPE: "invalid_scope",
+    },
+}
 
 // src/utils.ts
 var toSnakeCase = (str) => {
-  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
-};
+    return str
+        .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
+        .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
+        .toLowerCase()
+        .replace(/^_+/, "")
+}
 var toUpperCase = (str) => {
-  return str.toUpperCase();
-};
+    return str.toUpperCase()
+}
 var toCastCase = (obj, type = "snake") => {
-  return Object.entries(obj).reduce((previous, [key, value]) => {
-    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
-    return { ...previous, [newKey]: value };
-  }, {});
-};
+    return Object.entries(obj).reduce((previous, [key, value]) => {
+        const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key)
+        return { ...previous, [newKey]: value }
+    }, {})
+}
 var equals = (a, b) => {
-  if (a === null || b === null || a === void 0 || b === void 0) return false;
-  return a === b;
-};
+    if (a === null || b === null || a === void 0 || b === void 0) return false
+    return a === b
+}
 var sanitizeURL = (url2) => {
-  try {
-    let decodedURL = decodeURIComponent(url2).trim();
-    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
-    let protocol = "";
-    let rest = decodedURL;
-    if (protocolMatch) {
-      protocol = protocolMatch[1];
-      rest = decodedURL.slice(protocol.length);
-      const slashIndex = rest.indexOf("/");
-      if (slashIndex === -1) {
-        return protocol + rest;
-      }
-      const domain = rest.slice(0, slashIndex);
-      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
-      if (path !== "/" && path.endsWith("/")) {
-        path = path.replace(/\/+$/, "/");
-      } else if (path !== "/") {
-        path = path.replace(/\/+$/, "");
-      }
-      return protocol + domain + path;
-    }
-    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
-    if (sanitized !== "/" && sanitized.endsWith("/")) {
-      sanitized = sanitized.replace(/\/+$/, "/");
-    } else if (sanitized !== "/") {
-      sanitized = sanitized.replace(/\/+$/, "");
+    try {
+        let decodedURL = decodeURIComponent(url2).trim()
+        const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/)
+        let protocol = ""
+        let rest = decodedURL
+        if (protocolMatch) {
+            protocol = protocolMatch[1]
+            rest = decodedURL.slice(protocol.length)
+            const slashIndex = rest.indexOf("/")
+            if (slashIndex === -1) {
+                return protocol + rest
+            }
+            const domain = rest.slice(0, slashIndex)
+            let path = rest
+                .slice(slashIndex)
+                .replace(/\/\.\.\//g, "/")
+                .replace(/\/\.\.$/, "")
+                .replace(/\.{2,}/g, "")
+                .replace(/\/{2,}/g, "/")
+            if (path !== "/" && path.endsWith("/")) {
+                path = path.replace(/\/+$/, "/")
+            } else if (path !== "/") {
+                path = path.replace(/\/+$/, "")
+            }
+            return protocol + domain + path
+        }
+        let sanitized = decodedURL
+            .replace(/\/\.\.\//g, "/")
+            .replace(/\/\.\.$/, "")
+            .replace(/\.{2,}/g, "")
+            .replace(/\/{2,}/g, "/")
+        if (sanitized !== "/" && sanitized.endsWith("/")) {
+            sanitized = sanitized.replace(/\/+$/, "/")
+        } else if (sanitized !== "/") {
+            sanitized = sanitized.replace(/\/+$/, "")
+        }
+        return sanitized
+    } catch {
+        return url2.trim()
     }
-    return sanitized;
-  } catch {
-    return url2.trim();
-  }
-};
+}
 var isValidRelativePath = (path) => {
-  if (!path || typeof path !== "string") return false;
-  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
-  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
-  const sanitized = sanitizeURL(path);
-  if (sanitized.includes("..")) return false;
-  return true;
-};
+    if (!path || typeof path !== "string") return false
+    if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false
+    if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false
+    const sanitized = sanitizeURL(path)
+    if (sanitized.includes("..")) return false
+    return true
+}
 var onErrorHandler = (error) => {
-  if ((0, import_router.isRouterError)(error)) {
-    const { message, status, statusText } = error;
-    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
-  }
-  if (isAuthError(error)) {
-    const { type, message } = error;
-    return Response.json({ error: type, error_description: message }, { status: 400 });
-  }
-  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
-};
+    if ((0, import_router.isRouterError)(error)) {
+        const { message, status, statusText } = error
+        return Response.json({ error: "invalid_request", error_description: message }, { status, statusText })
+    }
+    if (isAuthError(error)) {
+        const { type, message } = error
+        return Response.json({ error: type, error_description: message }, { status: 400 })
+    }
+    return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 })
+}
 var getNormalizedOriginPath = (path) => {
-  try {
-    const url2 = new URL(path);
-    url2.hash = "";
-    url2.search = "";
-    return `${url2.origin}${url2.pathname}`;
-  } catch {
-    return sanitizeURL(path);
-  }
-};
+    try {
+        const url2 = new URL(path)
+        url2.hash = ""
+        url2.search = ""
+        return `${url2.origin}${url2.pathname}`
+    } catch {
+        return sanitizeURL(path)
+    }
+}
 var toISOString = (date) => {
-  return new Date(date).toISOString();
-};
+    return new Date(date).toISOString()
+}
 
 // src/jose.ts
-var import_config = require("dotenv/config");
-var import_jose = require("@aura-stack/jose");
+var import_config = require("dotenv/config")
+var import_jose = require("@aura-stack/jose")
 
 // src/secure.ts
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_node_crypto = __toESM(require("crypto"), 1)
 var generateSecure = (length = 32) => {
-  return import_node_crypto.default.randomBytes(length).toString("base64url");
-};
+    return import_node_crypto.default.randomBytes(length).toString("base64url")
+}
 var createHash = (data, base = "hex") => {
-  return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base);
-};
+    return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base)
+}
 var createPKCE = async (verifier) => {
-  const codeVerifier = verifier ?? generateSecure(86);
-  const codeChallenge = createHash(codeVerifier, "base64url");
-  return { codeVerifier, codeChallenge, method: "S256" };
-};
+    const codeVerifier = verifier ?? generateSecure(86)
+    const codeChallenge = createHash(codeVerifier, "base64url")
+    return { codeVerifier, codeChallenge, method: "S256" }
+}
 var createCSRF = async (jose, csrfCookie) => {
-  try {
-    const token = generateSecure(32);
-    if (csrfCookie) {
-      await jose.verifyJWS(csrfCookie);
-      return csrfCookie;
+    try {
+        const token = generateSecure(32)
+        if (csrfCookie) {
+            await jose.verifyJWS(csrfCookie)
+            return csrfCookie
+        }
+        return jose.signJWS({ token })
+    } catch {
+        const token = generateSecure(32)
+        return jose.signJWS({ token })
     }
-    return jose.signJWS({ token });
-  } catch {
-    const token = generateSecure(32);
-    return jose.signJWS({ token });
-  }
-};
+}
 var verifyCSRF = async (jose, cookie, header) => {
-  try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
-    if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
-    }
-    if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
+    try {
+        const { token: cookieToken } = await jose.verifyJWS(cookie)
+        const { token: headerToken } = await jose.verifyJWS(header)
+        const cookieBuffer = Buffer.from(cookieToken)
+        const headerBuffer = Buffer.from(headerToken)
+        if (!equals(headerBuffer.length, cookieBuffer.length)) {
+            throw new InvalidCsrfTokenError()
+        }
+        if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+            throw new InvalidCsrfTokenError()
+        }
+        return true
+    } catch {
+        throw new InvalidCsrfTokenError()
     }
-    return true;
-  } catch {
-    throw new InvalidCsrfTokenError();
-  }
-};
+}
 var createDerivedSalt = (secret) => {
-  return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
-};
+    return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex")
+}
 
 // src/jose.ts
 var createJoseInstance = (secret) => {
-  secret ?? (secret = process.env.AURA_AUTH_SECRET);
-  const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret);
-  const { derivedKey: derivedSessionKey } = (0, import_jose.createDeriveKey)(secret, salt, "session");
-  const { derivedKey: derivedCsrfTokenKey } = (0, import_jose.createDeriveKey)(secret, salt, "csrfToken");
-  const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)(derivedSessionKey);
-  const { signJWS, verifyJWS } = (0, import_jose.createJWS)(derivedCsrfTokenKey);
-  return {
-    decodeJWT,
-    encodeJWT,
-    signJWS,
-    verifyJWS
-  };
-};
+    secret ?? (secret = process.env.AURA_AUTH_SECRET)
+    if (!secret) {
+        throw new AuthError("JOSE_INIT_ERROR", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.")
+    }
+    const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret)
+    const { derivedKey: derivedSessionKey } = (0, import_jose.createDeriveKey)(secret, salt, "session")
+    const { derivedKey: derivedCsrfTokenKey } = (0, import_jose.createDeriveKey)(secret, salt, "csrfToken")
+    const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)(derivedSessionKey)
+    const { signJWS, verifyJWS } = (0, import_jose.createJWS)(derivedCsrfTokenKey)
+    return {
+        decodeJWT,
+        encodeJWT,
+        signJWS,
+        verifyJWS,
+    }
+}
 
 // src/cookie.ts
-var import_cookie = require("cookie");
+var import_cookie = require("cookie")
 
 // src/assert.ts
 var isRequest = (value) => {
-  return typeof Request !== "undefined" && value instanceof Request;
-};
+    return typeof Request !== "undefined" && value instanceof Request
+}
 var isValidURL = (value) => {
-  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
-  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
-  return regex.test(value);
-};
+    if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false
+    const regex =
+        /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/
+    return regex.test(value)
+}
 
 // src/cookie.ts
-var import_cookie2 = require("cookie");
-var COOKIE_NAME = "aura-auth";
+var import_cookie2 = require("cookie")
+var COOKIE_NAME = "aura-auth"
 var defaultCookieOptions = {
-  httpOnly: true,
-  sameSite: "lax",
-  path: "/",
-  maxAge: 60 * 60 * 24 * 15
-};
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    maxAge: 60 * 60 * 24 * 15,
+}
 var defaultCookieConfig = {
-  strategy: "standard",
-  name: COOKIE_NAME,
-  options: defaultCookieOptions
-};
+    strategy: "standard",
+    name: COOKIE_NAME,
+    options: defaultCookieOptions,
+}
 var defaultStandardCookieConfig = {
-  secure: false,
-  httpOnly: true,
-  prefix: ""
-};
+    secure: false,
+    httpOnly: true,
+    prefix: "",
+}
 var defaultSecureCookieConfig = {
-  secure: true,
-  prefix: "__Secure-"
-};
+    secure: true,
+    prefix: "__Secure-",
+}
 var defaultHostCookieConfig = {
-  secure: true,
-  prefix: "__Host-",
-  path: "/",
-  domain: void 0
-};
+    secure: true,
+    prefix: "__Host-",
+    path: "/",
+    domain: void 0,
+}
 var expiredCookieOptions = {
-  ...defaultCookieOptions,
-  expires: /* @__PURE__ */ new Date(0),
-  maxAge: 0
-};
-var defineDefaultCookieOptions = (options2) => {
-  return {
-    name: options2?.name ?? COOKIE_NAME,
-    prefix: options2?.prefix ?? (options2?.secure ? "__Secure-" : ""),
     ...defaultCookieOptions,
-    ...options2
-  };
-};
+    expires: /* @__PURE__ */ new Date(0),
+    maxAge: 0,
+}
+var defineDefaultCookieOptions = (options2) => {
+    return {
+        name: options2?.name ?? COOKIE_NAME,
+        prefix: options2?.prefix ?? (options2?.secure ? "__Secure-" : ""),
+        ...defaultCookieOptions,
+        ...options2,
+    }
+}
 var setCookie = (cookieName, value, options2) => {
-  const { prefix, name } = defineDefaultCookieOptions(options2);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options2
-  });
-};
+    const { prefix, name } = defineDefaultCookieOptions(options2)
+    const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`
+    return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
+        ...defaultCookieOptions,
+        ...options2,
+    })
+}
 var getCookie = (petition, cookie, options2, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
-  if (!cookies) {
-    if (optional) {
-      return "";
+    const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ")
+    if (!cookies) {
+        if (optional) {
+            return ""
+        }
+        throw new AuthError("invalid_request", "No cookies found. There is no active session")
     }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
-  }
-  const { name, prefix } = defineDefaultCookieOptions(options2);
-  const parsedCookies = (0, import_cookie.parse)(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
+    const { name, prefix } = defineDefaultCookieOptions(options2)
+    const parsedCookies = (0, import_cookie.parse)(cookies)
+    const value = parsedCookies[`${prefix}${name}.${cookie}`]
+    if (value === void 0) {
+        if (optional) {
+            return ""
+        }
+        throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`)
     }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
-  }
-  return value;
-};
+    return value
+}
 var createSessionCookie = async (session, cookieOptions, jose) => {
-  try {
-    const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
-  } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
-  }
-};
+    try {
+        const encoded = await jose.encodeJWT(session)
+        return setCookie("sessionToken", encoded, cookieOptions)
+    } catch (error) {
+        throw new AuthError("server_error", "Failed to create session cookie", { cause: error })
+    }
+}
 var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
-    console.warn(
-      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-    );
-  }
-  if (cookieOptions.options?.domain === "*") {
-    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
-  }
-  if (!isSecure) {
-    const options2 = cookieOptions.options;
-    if (options2?.secure) {
-      console.warn(
-        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-      );
+    const name = cookieOptions.name ?? COOKIE_NAME
+    const isSecure = trustedProxyHeaders
+        ? request.url.startsWith("https://") ||
+          request.headers.get("X-Forwarded-Proto") === "https" ||
+          request.headers.get("Forwarded")?.includes("proto=https")
+        : request.url.startsWith("https://")
+    if (!cookieOptions.options?.httpOnly) {
+        console.warn(
+            "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+        )
     }
-    if (options2?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    if (cookieOptions.options?.domain === "*") {
+        console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.")
     }
-    if (process.env.NODE_ENV === "production") {
-      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    if (!isSecure) {
+        const options2 = cookieOptions.options
+        if (options2?.secure) {
+            console.warn(
+                "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+            )
+        }
+        if (options2?.sameSite == "none") {
+            console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.")
+        }
+        if (process.env.NODE_ENV === "production") {
+            console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.")
+        }
+        return {
+            ...defaultCookieOptions,
+            ...cookieOptions.options,
+            sameSite: options2?.sameSite === "none" ? "lax" : (options2?.sameSite ?? "lax"),
+            ...defaultStandardCookieConfig,
+            name,
+        }
     }
-    return {
-      ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options2?.sameSite === "none" ? "lax" : options2?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
-    };
-  }
-  return cookieOptions.strategy === "host" ? {
-    ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
+    return cookieOptions.strategy === "host"
+        ? {
+              ...defaultCookieOptions,
+              ...cookieOptions.options,
+              ...defaultHostCookieConfig,
+              name,
+          }
+        : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name }
+}
 var expireCookie = (name, options2) => {
-  return setCookie(name, "", { ...options2, ...expiredCookieOptions });
-};
+    return setCookie(name, "", { ...options2, ...expiredCookieOptions })
+}
 var oauthCookie = (options2) => {
-  return {
-    ...options2,
-    secure: options2.secure,
-    httpOnly: options2.httpOnly,
-    maxAge: 5 * 60,
-    expires: new Date(Date.now() + 5 * 60 * 1e3)
-  };
-};
+    return {
+        ...options2,
+        secure: options2.secure,
+        httpOnly: options2.httpOnly,
+        maxAge: 5 * 60,
+        expires: new Date(Date.now() + 5 * 60 * 1e3),
+    }
+}
 
 // src/oauth/github.ts
 var github = {
-  id: "github",
-  name: "GitHub",
-  authorizeURL: "https://github.com/login/oauth/authorize",
-  accessToken: "https://github.com/login/oauth/access_token",
-  userInfo: "https://api.github.com/user",
-  scope: "read:user user:email",
-  responseType: "code"
-};
+    id: "github",
+    name: "GitHub",
+    authorizeURL: "https://github.com/login/oauth/authorize",
+    accessToken: "https://github.com/login/oauth/access_token",
+    userInfo: "https://api.github.com/user",
+    scope: "read:user user:email",
+    responseType: "code",
+}
 
 // src/oauth/bitbucket.ts
 var bitbucket = {
-  id: "bitbucket",
-  name: "Bitbucket",
-  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
-  accessToken: "https://bitbucket.org/site/oauth2/access_token",
-  userInfo: "https://api.bitbucket.org/2.0/user",
-  scope: "account email",
-  responseType: "code",
-  profile(profile) {
-    return {
-      sub: profile.uuid ?? profile.account_id,
-      name: profile.display_name ?? profile.nickname,
-      image: profile.links.avatar.href
-    };
-  }
-};
+    id: "bitbucket",
+    name: "Bitbucket",
+    authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+    accessToken: "https://bitbucket.org/site/oauth2/access_token",
+    userInfo: "https://api.bitbucket.org/2.0/user",
+    scope: "account email",
+    responseType: "code",
+    profile(profile) {
+        return {
+            sub: profile.uuid ?? profile.account_id,
+            name: profile.display_name ?? profile.nickname,
+            image: profile.links.avatar.href,
+        }
+    },
+}
 
 // src/oauth/figma.ts
 var figma = {
-  id: "figma",
-  name: "Figma",
-  authorizeURL: "https://www.figma.com/oauth",
-  accessToken: "https://api.figma.com/v1/oauth/token",
-  userInfo: "https://api.figma.com/v1/me",
-  scope: "current_user:read",
-  responseType: "code",
-  profile(profile) {
-    return {
-      sub: profile.id,
-      name: profile.handle,
-      email: profile.email,
-      image: profile.img_url
-    };
-  }
-};
+    id: "figma",
+    name: "Figma",
+    authorizeURL: "https://www.figma.com/oauth",
+    accessToken: "https://api.figma.com/v1/oauth/token",
+    userInfo: "https://api.figma.com/v1/me",
+    scope: "current_user:read",
+    responseType: "code",
+    profile(profile) {
+        return {
+            sub: profile.id,
+            name: profile.handle,
+            email: profile.email,
+            image: profile.img_url,
+        }
+    },
+}
 
 // src/oauth/discord.ts
 var discord = {
-  id: "discord",
-  name: "Discord",
-  authorizeURL: "https://discord.com/oauth2/authorize",
-  accessToken: "https://discord.com/api/oauth2/token",
-  userInfo: "https://discord.com/api/users/@me",
-  scope: "identify email",
-  responseType: "code",
-  profile(profile) {
-    let image = "";
-    if (profile.avatar === null) {
-      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
-      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
-    } else {
-      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
-      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
-    }
-    return {
-      sub: profile.id,
-      // https://discord.com/developers/docs/change-log#display-names
-      name: profile.global_name ?? profile.username,
-      email: profile.email ?? "",
-      image
-    };
-  }
-};
+    id: "discord",
+    name: "Discord",
+    authorizeURL: "https://discord.com/oauth2/authorize",
+    accessToken: "https://discord.com/api/oauth2/token",
+    userInfo: "https://discord.com/api/users/@me",
+    scope: "identify email",
+    responseType: "code",
+    profile(profile) {
+        let image = ""
+        if (profile.avatar === null) {
+            const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5
+            image = `https://cdn.discordapp.com/embed/avatars/${index}.png`
+        } else {
+            const format = profile.avatar.startsWith("a_") ? "gif" : "png"
+            image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`
+        }
+        return {
+            sub: profile.id,
+            // https://discord.com/developers/docs/change-log#display-names
+            name: profile.global_name ?? profile.username,
+            email: profile.email ?? "",
+            image,
+        }
+    },
+}
 
 // src/oauth/gitlab.ts
 var gitlab = {
-  id: "gitlab",
-  name: "GitLab",
-  authorizeURL: "https://gitlab.com/oauth/authorize",
-  accessToken: "https://gitlab.com/oauth/token",
-  userInfo: "https://gitlab.com/api/v4/user",
-  scope: "read_user",
-  responseType: "code",
-  profile(profile) {
-    return {
-      sub: profile.id.toString(),
-      name: profile.name ?? profile.username,
-      email: profile.email,
-      avatar: profile.avatar_url
-    };
-  }
-};
+    id: "gitlab",
+    name: "GitLab",
+    authorizeURL: "https://gitlab.com/oauth/authorize",
+    accessToken: "https://gitlab.com/oauth/token",
+    userInfo: "https://gitlab.com/api/v4/user",
+    scope: "read_user",
+    responseType: "code",
+    profile(profile) {
+        return {
+            sub: profile.id.toString(),
+            name: profile.name ?? profile.username,
+            email: profile.email,
+            avatar: profile.avatar_url,
+        }
+    },
+}
 
 // src/oauth/spotify.ts
 var spotify = {
-  id: "spotify",
-  name: "Spotify",
-  authorizeURL: "https://accounts.spotify.com/authorize",
-  accessToken: "https://accounts.spotify.com/api/token",
-  userInfo: "https://api.spotify.com/v1/me",
-  scope: "user-read-email user-read-private",
-  responseType: "token",
-  profile(profile) {
-    return {
-      sub: profile.id,
-      name: profile.display_name,
-      email: profile.email,
-      image: profile.images?.[0]?.url
-    };
-  }
-};
+    id: "spotify",
+    name: "Spotify",
+    authorizeURL: "https://accounts.spotify.com/authorize",
+    accessToken: "https://accounts.spotify.com/api/token",
+    userInfo: "https://api.spotify.com/v1/me",
+    scope: "user-read-email user-read-private",
+    responseType: "token",
+    profile(profile) {
+        return {
+            sub: profile.id,
+            name: profile.display_name,
+            email: profile.email,
+            image: profile.images?.[0]?.url,
+        }
+    },
+}
 
 // src/oauth/x.ts
 var x = {
-  id: "x",
-  name: "X",
-  authorizeURL: "https://x.com/i/oauth2/authorize",
-  accessToken: "https://api.x.com/2/oauth2/token",
-  userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
-  scope: "users.read users.email tweet.read offline.access",
-  responseType: "code",
-  profile({ data }) {
-    return {
-      sub: data.id,
-      name: data.name,
-      image: data.profile_image_url,
-      email: ""
-    };
-  }
-};
+    id: "x",
+    name: "X",
+    authorizeURL: "https://x.com/i/oauth2/authorize",
+    accessToken: "https://api.x.com/2/oauth2/token",
+    userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
+    scope: "users.read users.email tweet.read offline.access",
+    responseType: "code",
+    profile({ data }) {
+        return {
+            sub: data.id,
+            name: data.name,
+            image: data.profile_image_url,
+            email: "",
+        }
+    },
+}
 
 // src/oauth/index.ts
 var builtInOAuthProviders = {
-  github,
-  bitbucket,
-  figma,
-  discord,
-  gitlab,
-  spotify,
-  x
-};
+    github,
+    bitbucket,
+    figma,
+    discord,
+    gitlab,
+    spotify,
+    x,
+}
 var defineOAuthEnvironment = (oauth) => {
-  const env = process.env;
-  return {
-    clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
-    clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`]
-  };
-};
-var defineOAuthProviderConfig = (config2) => {
-  if (typeof config2 === "string") {
-    const definition = defineOAuthEnvironment(config2);
-    const oauthConfig = builtInOAuthProviders[config2];
+    const env = process.env
     return {
-      ...oauthConfig,
-      ...definition
-    };
-  }
-  return config2;
-};
+        clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
+        clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`],
+    }
+}
+var defineOAuthProviderConfig = (config2) => {
+    if (typeof config2 === "string") {
+        const definition = defineOAuthEnvironment(config2)
+        const oauthConfig = builtInOAuthProviders[config2]
+        return {
+            ...oauthConfig,
+            ...definition,
+        }
+    }
+    return config2
+}
 var createBuiltInOAuthProviders = (oauth = []) => {
-  return oauth.reduce((previous, config2) => {
-    const oauthConfig = defineOAuthProviderConfig(config2);
-    return { ...previous, [oauthConfig.id]: oauthConfig };
-  }, {});
-};
+    return oauth.reduce((previous, config2) => {
+        const oauthConfig = defineOAuthProviderConfig(config2)
+        return { ...previous, [oauthConfig.id]: oauthConfig }
+    }, {})
+}
 
 // src/actions/signIn/signIn.ts
-var import_zod = __toESM(require("zod"), 1);
-var import_router2 = require("@aura-stack/router");
+var import_zod = __toESM(require("zod"), 1)
+var import_router2 = require("@aura-stack/router")
 
 // src/response.ts
 var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
-  }
-};
+    static json(body, init) {
+        return Response.json(body, init)
+    }
+}
 
 // src/schemas.ts
-var import_v4 = require("zod/v4");
+var import_v4 = require("zod/v4")
 var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
-  scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
-  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
-  clientId: (0, import_v4.string)(),
-  clientSecret: (0, import_v4.string)()
-});
+    authorizeURL: (0, import_v4.url)(),
+    accessToken: (0, import_v4.url)(),
+    scope: (0, import_v4.string)().optional(),
+    userInfo: (0, import_v4.url)(),
+    responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
+    clientId: (0, import_v4.string)(),
+    clientSecret: (0, import_v4.string)(),
+})
 var OAuthAuthorization = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  state: (0, import_v4.string)(),
-  codeChallenge: (0, import_v4.string)(),
-  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
-});
+    redirectURI: (0, import_v4.string)(),
+    state: (0, import_v4.string)(),
+    codeChallenge: (0, import_v4.string)(),
+    codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"]),
+})
 var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
-});
+    state: (0, import_v4.string)(),
+    code: (0, import_v4.string)(),
+})
 var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
-    "invalid_request",
-    "unauthorized_client",
-    "access_denied",
-    "unsupported_response_type",
-    "invalid_scope",
-    "server_error",
-    "temporarily_unavailable"
-  ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional(),
-  state: (0, import_v4.string)()
-});
+    error: (0, import_v4.enum)([
+        "invalid_request",
+        "unauthorized_client",
+        "access_denied",
+        "unsupported_response_type",
+        "invalid_scope",
+        "server_error",
+        "temporarily_unavailable",
+    ]),
+    error_description: (0, import_v4.string)().optional(),
+    error_uri: (0, import_v4.string)().optional(),
+    state: (0, import_v4.string)(),
+})
 var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  code: (0, import_v4.string)(),
-  codeVerifier: (0, import_v4.string)().min(43).max(128)
-});
+    redirectURI: (0, import_v4.string)(),
+    code: (0, import_v4.string)(),
+    codeVerifier: (0, import_v4.string)().min(43).max(128),
+})
 var OAuthAccessTokenResponse = (0, import_v4.object)({
-  access_token: (0, import_v4.string)(),
-  token_type: (0, import_v4.string)(),
-  expires_in: (0, import_v4.number)().optional(),
-  refresh_token: (0, import_v4.string)().optional(),
-  scope: (0, import_v4.string)().optional()
-});
+    access_token: (0, import_v4.string)(),
+    token_type: (0, import_v4.string)(),
+    expires_in: (0, import_v4.number)().optional(),
+    refresh_token: (0, import_v4.string)().optional(),
+    scope: (0, import_v4.string)().optional(),
+})
 var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
-    "invalid_request",
-    "invalid_client",
-    "invalid_grant",
-    "unauthorized_client",
-    "unsupported_grant_type",
-    "invalid_scope"
-  ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional()
-});
+    error: (0, import_v4.enum)([
+        "invalid_request",
+        "invalid_client",
+        "invalid_grant",
+        "unauthorized_client",
+        "unsupported_grant_type",
+        "invalid_scope",
+    ]),
+    error_description: (0, import_v4.string)().optional(),
+    error_uri: (0, import_v4.string)().optional(),
+})
 var OAuthErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.string)(),
-  error_description: (0, import_v4.string)().optional()
-});
+    error: (0, import_v4.string)(),
+    error_description: (0, import_v4.string)().optional(),
+})
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
-  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
-  if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
-  }
-  const { authorizeURL, ...options2 } = parsed.data;
-  const { userInfo, accessToken, clientSecret, ...required } = options2;
-  const searchParams = new URLSearchParams(toCastCase(required));
-  return `${authorizeURL}?${searchParams}`;
-};
+    const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod })
+    if (!parsed.success) {
+        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration")
+    }
+    const { authorizeURL, ...options2 } = parsed.data
+    const { userInfo, accessToken, clientSecret, ...required } = options2
+    const searchParams = new URLSearchParams(toCastCase(required))
+    return `${authorizeURL}?${searchParams}`
+}
 var getOriginURL = (request, trustedProxyHeaders) => {
-  const headers = request.headers;
-  if (trustedProxyHeaders) {
-    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
-    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
-    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
-  } else {
-    return new URL(getNormalizedOriginPath(request.url));
-  }
-};
+    const headers = request.headers
+    if (trustedProxyHeaders) {
+        const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http"
+        const host =
+            headers.get("X-Forwarded-Host") ??
+            headers.get("Host") ??
+            headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ??
+            null
+        return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`)
+    } else {
+        return new URL(getNormalizedOriginPath(request.url))
+    }
+}
 var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
-  const url2 = getOriginURL(request, trustedProxyHeaders);
-  return `${url2.origin}${basePath}/callback/${oauth}`;
-};
+    const url2 = getOriginURL(request, trustedProxyHeaders)
+    return `${url2.origin}${basePath}/callback/${oauth}`
+}
 var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
-  try {
-    const headers = request.headers;
-    const origin = headers.get("Origin");
-    const referer = headers.get("Referer");
-    let hostedURL = getOriginURL(request, trustedProxyHeaders);
-    if (redirectTo) {
-      if (redirectTo.startsWith("/")) {
-        return sanitizeURL(redirectTo);
-      }
-      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
-      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-        throw new InvalidRedirectToError();
-      }
-      return sanitizeURL(redirectToURL.pathname);
-    }
-    if (referer) {
-      const refererURL = new URL(sanitizeURL(referer));
-      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-        throw new AuthError(
-          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
-          "The referer of the request does not match the hosted origin."
-        );
-      }
-      return sanitizeURL(refererURL.pathname);
-    }
-    if (origin) {
-      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
-      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
-      }
-      return sanitizeURL(originURL.pathname);
-    }
-    return "/";
-  } catch (error) {
-    if (isAuthError(error)) {
-      throw error;
+    try {
+        const headers = request.headers
+        const origin = headers.get("Origin")
+        const referer = headers.get("Referer")
+        let hostedURL = getOriginURL(request, trustedProxyHeaders)
+        if (redirectTo) {
+            if (redirectTo.startsWith("/")) {
+                return sanitizeURL(redirectTo)
+            }
+            const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)))
+            if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+                throw new InvalidRedirectToError()
+            }
+            return sanitizeURL(redirectToURL.pathname)
+        }
+        if (referer) {
+            const refererURL = new URL(sanitizeURL(referer))
+            if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+                throw new AuthError(
+                    ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+                    "The referer of the request does not match the hosted origin."
+                )
+            }
+            return sanitizeURL(refererURL.pathname)
+        }
+        if (origin) {
+            const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)))
+            if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+                throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
+            }
+            return sanitizeURL(originURL.pathname)
+        }
+        return "/"
+    } catch (error) {
+        if (isAuthError(error)) {
+            throw error
+        }
+        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
     }
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
-  }
-};
+}
 
 // src/actions/signIn/signIn.ts
 var signInConfig = (oauth) => {
-  return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
-    schemas: {
-      params: import_zod.default.object({
-        oauth: import_zod.default.enum(Object.keys(oauth)),
-        redirectTo: import_zod.default.string().optional()
-      })
-    }
-  });
-};
+    return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
+        schemas: {
+            params: import_zod.default.object({
+                oauth: import_zod.default.enum(Object.keys(oauth)),
+                redirectTo: import_zod.default.string().optional(),
+            }),
+        },
+    })
+}
 var signInAction = (oauth) => {
-  return (0, import_router2.createEndpoint)(
-    "GET",
-    "/signIn/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2, redirectTo },
-        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
-      } = ctx;
-      try {
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const state = generateSecure();
-        const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
-        const stateCookie = setCookie("state", state, oauthCookie(cookieOptions));
-        const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions));
-        const redirectToCookie = setCookie(
-          "redirect_to",
-          createRedirectTo(request, redirectTo, trustedProxyHeaders),
-          oauthCookie(cookieOptions)
-        );
-        const { codeVerifier, codeChallenge, method } = await createPKCE();
-        const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions));
-        const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
-        const headers = new Headers();
-        headers.set("Location", authorization);
-        headers.append("Set-Cookie", stateCookie);
-        headers.append("Set-Cookie", redirectURICookie);
-        headers.append("Set-Cookie", redirectToCookie);
-        headers.append("Set-Cookie", codeVerifierCookie);
-        return Response.json(
-          { oauth: oauth2 },
-          {
-            status: 302,
-            headers
-          }
-        );
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: import_router2.statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
-            error_description: "An unexpected error occurred"
-          },
-          { status: import_router2.statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    signInConfig(oauth)
-  );
-};
+    return (0, import_router2.createEndpoint)(
+        "GET",
+        "/signIn/:oauth",
+        async (ctx) => {
+            const {
+                request,
+                params: { oauth: oauth2, redirectTo },
+                context: { oauth: providers, cookies, trustedProxyHeaders, basePath },
+            } = ctx
+            try {
+                const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
+                const state = generateSecure()
+                const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders)
+                const stateCookie = setCookie("state", state, oauthCookie(cookieOptions))
+                const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions))
+                const redirectToCookie = setCookie(
+                    "redirect_to",
+                    createRedirectTo(request, redirectTo, trustedProxyHeaders),
+                    oauthCookie(cookieOptions)
+                )
+                const { codeVerifier, codeChallenge, method } = await createPKCE()
+                const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions))
+                const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method)
+                const headers = new Headers()
+                headers.set("Location", authorization)
+                headers.append("Set-Cookie", stateCookie)
+                headers.append("Set-Cookie", redirectURICookie)
+                headers.append("Set-Cookie", redirectToCookie)
+                headers.append("Set-Cookie", codeVerifierCookie)
+                return Response.json(
+                    { oauth: oauth2 },
+                    {
+                        status: 302,
+                        headers,
+                    }
+                )
+            } catch (error) {
+                if (isAuthError(error)) {
+                    const { type, message } = error
+                    return AuraResponse.json(
+                        { error: type, error_description: message },
+                        { status: import_router2.statusCode.BAD_REQUEST }
+                    )
+                }
+                return AuraResponse.json(
+                    {
+                        error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
+                        error_description: "An unexpected error occurred",
+                    },
+                    { status: import_router2.statusCode.INTERNAL_SERVER_ERROR }
+                )
+            }
+        },
+        signInConfig(oauth)
+    )
+}
 
 // src/actions/callback/callback.ts
-var import_zod2 = __toESM(require("zod"), 1);
-var import_router3 = require("@aura-stack/router");
+var import_zod2 = __toESM(require("zod"), 1)
+var import_router3 = require("@aura-stack/router")
 
 // src/headers.ts
 var cacheControl = {
-  "Cache-Control": "no-store",
-  Pragma: "no-cache",
-  Expires: "0",
-  Vary: "Cookie"
-};
+    "Cache-Control": "no-store",
+    Pragma: "no-cache",
+    Expires: "0",
+    Vary: "Cookie",
+}
 
 // src/actions/callback/userinfo.ts
 var getDefaultUserInfo = (profile) => {
-  const sub = generateSecure(16);
-  return {
-    sub: profile?.id ?? profile?.sub ?? sub,
-    email: profile?.email,
-    name: profile?.name ?? profile?.username ?? profile?.nickname,
-    image: profile?.image ?? profile?.picture
-  };
-};
+    const sub = generateSecure(16)
+    return {
+        sub: profile?.id ?? profile?.sub ?? sub,
+        email: profile?.email,
+        name: profile?.name ?? profile?.username ?? profile?.nickname,
+        image: profile?.image ?? profile?.picture,
+    }
+}
 var getUserInfo = async (oauthConfig, accessToken) => {
-  const userinfoEndpoint = oauthConfig.userInfo;
-  try {
-    const response = await fetch(userinfoEndpoint, {
-      method: "GET",
-      headers: {
-        Accept: "application/json",
-        Authorization: `Bearer ${accessToken}`
-      }
-    });
-    const json = await response.json();
-    const { success, data } = OAuthErrorResponse.safeParse(json);
-    if (success) {
-      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+    const userinfoEndpoint = oauthConfig.userInfo
+    try {
+        const response = await fetch(userinfoEndpoint, {
+            method: "GET",
+            headers: {
+                Accept: "application/json",
+                Authorization: `Bearer ${accessToken}`,
+            },
+        })
+        const json = await response.json()
+        const { success, data } = OAuthErrorResponse.safeParse(json)
+        if (success) {
+            throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.")
+        }
+        return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json)
+    } catch (error) {
+        throw throwAuthError(error, "Failed to retrieve userinfo")
     }
-    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
-  } catch (error) {
-    throw throwAuthError(error, "Failed to retrieve userinfo");
-  }
-};
+}
 
 // src/actions/callback/access-token.ts
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
-  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
-  if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
-  }
-  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
-  try {
-    const response = await fetch(accessToken, {
-      method: "POST",
-      headers: {
-        Accept: "application/json",
-        "Content-Type": "application/x-www-form-urlencoded"
-      },
-      body: new URLSearchParams({
-        client_id: clientId,
-        client_secret: clientSecret,
-        code: codeParsed,
-        redirect_uri: redirectParsed,
-        grant_type: "authorization_code",
-        code_verifier: codeVerifier
-      }).toString()
-    });
-    const json = await response.json();
-    const token = OAuthAccessTokenResponse.safeParse(json);
-    if (!token.success) {
-      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
-      if (!success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
-      }
-      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+    const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier })
+    if (!parsed.success) {
+        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration")
     }
-    return token.data;
-  } catch (error) {
-    throw throwAuthError(error, "Failed to create access token");
-  }
-};
+    const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data
+    try {
+        const response = await fetch(accessToken, {
+            method: "POST",
+            headers: {
+                Accept: "application/json",
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            body: new URLSearchParams({
+                client_id: clientId,
+                client_secret: clientSecret,
+                code: codeParsed,
+                redirect_uri: redirectParsed,
+                grant_type: "authorization_code",
+                code_verifier: codeVerifier,
+            }).toString(),
+        })
+        const json = await response.json()
+        const token = OAuthAccessTokenResponse.safeParse(json)
+        if (!token.success) {
+            const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json)
+            if (!success) {
+                throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format")
+            }
+            throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token")
+        }
+        return token.data
+    } catch (error) {
+        throw throwAuthError(error, "Failed to create access token")
+    }
+}
 
 // src/actions/callback/callback.ts
 var callbackConfig = (oauth) => {
-  return (0, import_router3.createEndpointConfig)("/callback/:oauth", {
-    schemas: {
-      searchParams: OAuthAuthorizationResponse,
-      params: import_zod2.default.object({
-        oauth: import_zod2.default.enum(Object.keys(oauth))
-      })
-    },
-    middlewares: [
-      (ctx) => {
-        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
-        if (response.success) {
-          const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
-        }
-        return ctx;
-      }
-    ]
-  });
-};
-var callbackAction = (oauth) => {
-  return (0, import_router3.createEndpoint)(
-    "GET",
-    "/callback/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2 },
-        searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
-      } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
+    return (0, import_router3.createEndpointConfig)("/callback/:oauth", {
+        schemas: {
+            searchParams: OAuthAuthorizationResponse,
+            params: import_zod2.default.object({
+                oauth: import_zod2.default.enum(Object.keys(oauth)),
+            }),
+        },
+        middlewares: [
+            (ctx) => {
+                const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams)
+                if (response.success) {
+                    const { error, error_description } = response.data
+                    throw new AuthError(error, error_description ?? "OAuth Authorization Error")
+                }
+                return ctx
             },
-            trustedProxyHeaders
-          )
-        );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: import_router3.statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: import_router3.statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    callbackConfig(oauth)
-  );
-};
+        ],
+    })
+}
+var callbackAction = (oauth) => {
+    return (0, import_router3.createEndpoint)(
+        "GET",
+        "/callback/:oauth",
+        async (ctx) => {
+            const {
+                request,
+                params: { oauth: oauth2 },
+                searchParams: { code, state },
+                context: { oauth: providers, cookies, jose, trustedProxyHeaders },
+            } = ctx
+            try {
+                const oauthConfig = providers[oauth2]
+                const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
+                const cookieState = getCookie(request, "state", cookieOptions)
+                const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions)
+                const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions)
+                const codeVerifier = getCookie(request, "code_verifier", cookieOptions)
+                if (!equals(cookieState, state)) {
+                    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state")
+                }
+                const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier)
+                const sanitized = sanitizeURL(cookieRedirectTo)
+                if (!isValidRelativePath(sanitized)) {
+                    throw new AuthError(
+                        ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
+                        "Invalid redirect path. Potential open redirect attack detected."
+                    )
+                }
+                const headers = new Headers(cacheControl)
+                headers.set("Location", sanitized)
+                const userInfo = await getUserInfo(oauthConfig, accessToken.access_token)
+                const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose)
+                const csrfToken = await createCSRF(jose)
+                const csrfCookie = setCookie(
+                    "csrfToken",
+                    csrfToken,
+                    secureCookieOptions(
+                        request,
+                        {
+                            ...cookies,
+                            strategy: "host",
+                        },
+                        trustedProxyHeaders
+                    )
+                )
+                headers.set("Set-Cookie", sessionCookie)
+                headers.append("Set-Cookie", expireCookie("state", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions))
+                headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions))
+                headers.append("Set-Cookie", csrfCookie)
+                return Response.json({ oauth: oauth2 }, { status: 302, headers })
+            } catch (error) {
+                if (isAuthError(error)) {
+                    const { type, message } = error
+                    return AuraResponse.json(
+                        { error: type, error_description: message },
+                        { status: import_router3.statusCode.BAD_REQUEST }
+                    )
+                }
+                return AuraResponse.json(
+                    {
+                        error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
+                        error_description: "An unexpected error occurred",
+                    },
+                    { status: import_router3.statusCode.INTERNAL_SERVER_ERROR }
+                )
+            }
+        },
+        callbackConfig(oauth)
+    )
+}
 
 // src/actions/session/session.ts
-var import_router4 = require("@aura-stack/router");
+var import_router4 = require("@aura-stack/router")
 var sessionAction = (0, import_router4.createEndpoint)("GET", "/session", async (ctx) => {
-  const {
-    request,
-    context: { cookies, jose, trustedProxyHeaders }
-  } = ctx;
-  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-  try {
-    const session = getCookie(request, "sessionToken", cookieOptions);
-    const decoded = await jose.decodeJWT(session);
-    const { exp, iat, jti, nbf, ...user } = decoded;
-    const headers = new Headers(cacheControl);
-    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
-  } catch {
-    const headers = new Headers(cacheControl);
-    const sessionCookie = expireCookie("sessionToken", cookieOptions);
-    headers.set("Set-Cookie", sessionCookie);
-    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
-  }
-});
+    const {
+        request,
+        context: { cookies, jose, trustedProxyHeaders },
+    } = ctx
+    const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
+    try {
+        const session = getCookie(request, "sessionToken", cookieOptions)
+        const decoded = await jose.decodeJWT(session)
+        const { exp, iat, jti, nbf, ...user } = decoded
+        const headers = new Headers(cacheControl)
+        return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers })
+    } catch {
+        const headers = new Headers(cacheControl)
+        const sessionCookie = expireCookie("sessionToken", cookieOptions)
+        headers.set("Set-Cookie", sessionCookie)
+        return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers })
+    }
+})
 
 // src/actions/signOut/signOut.ts
-var import_zod3 = __toESM(require("zod"), 1);
-var import_router5 = require("@aura-stack/router");
+var import_zod3 = __toESM(require("zod"), 1)
+var import_router5 = require("@aura-stack/router")
 var config = (0, import_router5.createEndpointConfig)({
-  schemas: {
-    searchParams: import_zod3.default.object({
-      token_type_hint: import_zod3.default.literal("session_token"),
-      redirectTo: import_zod3.default.string().optional()
-    })
-  }
-});
-var signOutAction = (0, import_router5.createEndpoint)(
-  "POST",
-  "/signOut",
-  async (ctx) => {
-    const {
-      request,
-      headers,
-      searchParams: { redirectTo },
-      context: { cookies, jose, trustedProxyHeaders }
-    } = ctx;
-    try {
-      const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-      const session = getCookie(request, "sessionToken", cookiesOptions);
-      const csrfToken = getCookie(request, "csrfToken", {
-        ...cookiesOptions,
-        prefix: cookiesOptions.secure ? "__Host-" : ""
-      });
-      const header = headers.get("X-CSRF-Token");
-      if (!header || !session || !csrfToken) {
-        throw new Error("Missing CSRF token or session token");
-      }
-      await verifyCSRF(jose, csrfToken, header);
-      await jose.decodeJWT(session);
-      const normalizedOriginPath = getNormalizedOriginPath(request.url);
-      const location = createRedirectTo(
-        new Request(normalizedOriginPath, {
-          headers
+    schemas: {
+        searchParams: import_zod3.default.object({
+            token_type_hint: import_zod3.default.literal("session_token"),
+            redirectTo: import_zod3.default.string().optional(),
         }),
-        redirectTo
-      );
-      const responseHeaders = new Headers(cacheControl);
-      responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions));
-      responseHeaders.append(
-        "Set-Cookie",
-        expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
-      );
-      responseHeaders.append("Location", location);
-      return Response.json(
-        { message: "Signed out successfully" },
-        { status: import_router5.statusCode.ACCEPTED, headers: responseHeaders }
-      );
-    } catch (error) {
-      if (error instanceof InvalidCsrfTokenError) {
-        return AuraResponse.json(
-          {
-            error: "invalid_csrf_token",
-            error_description: "The provided CSRF token is invalid or has expired"
-          },
-          { status: import_router5.statusCode.UNAUTHORIZED }
-        );
-      }
-      if (error instanceof InvalidRedirectToError) {
-        const { type, message } = error;
-        return AuraResponse.json(
-          {
-            error: type,
-            error_description: message
-          },
-          { status: import_router5.statusCode.BAD_REQUEST }
-        );
-      }
-      return AuraResponse.json(
-        {
-          error: "invalid_session_token",
-          error_description: "The provided sessionToken is invalid or has already expired"
-        },
-        { status: import_router5.statusCode.UNAUTHORIZED }
-      );
-    }
-  },
-  config
-);
+    },
+})
+var signOutAction = (0, import_router5.createEndpoint)(
+    "POST",
+    "/signOut",
+    async (ctx) => {
+        const {
+            request,
+            headers,
+            searchParams: { redirectTo },
+            context: { cookies, jose, trustedProxyHeaders },
+        } = ctx
+        try {
+            const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
+            const session = getCookie(request, "sessionToken", cookiesOptions)
+            const csrfToken = getCookie(request, "csrfToken", {
+                ...cookiesOptions,
+                prefix: cookiesOptions.secure ? "__Host-" : "",
+            })
+            const header = headers.get("X-CSRF-Token")
+            if (!header || !session || !csrfToken) {
+                throw new Error("Missing CSRF token or session token")
+            }
+            await verifyCSRF(jose, csrfToken, header)
+            await jose.decodeJWT(session)
+            const normalizedOriginPath = getNormalizedOriginPath(request.url)
+            const location = createRedirectTo(
+                new Request(normalizedOriginPath, {
+                    headers,
+                }),
+                redirectTo
+            )
+            const responseHeaders = new Headers(cacheControl)
+            responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions))
+            responseHeaders.append(
+                "Set-Cookie",
+                expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
+            )
+            responseHeaders.append("Location", location)
+            return Response.json(
+                { message: "Signed out successfully" },
+                { status: import_router5.statusCode.ACCEPTED, headers: responseHeaders }
+            )
+        } catch (error) {
+            if (error instanceof InvalidCsrfTokenError) {
+                return AuraResponse.json(
+                    {
+                        error: "invalid_csrf_token",
+                        error_description: "The provided CSRF token is invalid or has expired",
+                    },
+                    { status: import_router5.statusCode.UNAUTHORIZED }
+                )
+            }
+            if (error instanceof InvalidRedirectToError) {
+                const { type, message } = error
+                return AuraResponse.json(
+                    {
+                        error: type,
+                        error_description: message,
+                    },
+                    { status: import_router5.statusCode.BAD_REQUEST }
+                )
+            }
+            return AuraResponse.json(
+                {
+                    error: "invalid_session_token",
+                    error_description: "The provided sessionToken is invalid or has already expired",
+                },
+                { status: import_router5.statusCode.UNAUTHORIZED }
+            )
+        }
+    },
+    config
+)
 
 // src/actions/csrfToken/csrfToken.ts
-var import_router6 = require("@aura-stack/router");
+var import_router6 = require("@aura-stack/router")
 var csrfTokenAction = (0, import_router6.createEndpoint)("GET", "/csrfToken", async (ctx) => {
-  const {
-    request,
-    context: { cookies, jose, trustedProxyHeaders }
-  } = ctx;
-  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
-  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
-  const csrfToken = await createCSRF(jose, existingCSRFToken);
-  const headers = new Headers(cacheControl);
-  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
-  return Response.json({ csrfToken }, { headers });
-});
+    const {
+        request,
+        context: { cookies, jose, trustedProxyHeaders },
+    } = ctx
+    const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders)
+    const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true)
+    const csrfToken = await createCSRF(jose, existingCSRFToken)
+    const headers = new Headers(cacheControl)
+    headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions))
+    return Response.json({ csrfToken }, { headers })
+})
 
 // src/index.ts
 var createInternalConfig = (authConfig) => {
-  return {
-    basePath: authConfig?.basePath ?? "/auth",
-    onError: onErrorHandler,
-    context: {
-      oauth: createBuiltInOAuthProviders(authConfig?.oauth),
-      cookies: authConfig?.cookies ?? defaultCookieConfig,
-      jose: createJoseInstance(authConfig?.secret),
-      basePath: authConfig?.basePath ?? "/auth",
-      trustedProxyHeaders: !!authConfig?.trustedProxyHeaders
+    return {
+        basePath: authConfig?.basePath ?? "/auth",
+        onError: onErrorHandler,
+        context: {
+            oauth: createBuiltInOAuthProviders(authConfig?.oauth),
+            cookies: authConfig?.cookies ?? defaultCookieConfig,
+            jose: createJoseInstance(authConfig?.secret),
+            basePath: authConfig?.basePath ?? "/auth",
+            trustedProxyHeaders: !!authConfig?.trustedProxyHeaders,
+        },
     }
-  };
-};
+}
 var createAuth = (authConfig) => {
-  const config2 = createInternalConfig(authConfig);
-  const router = (0, import_router7.createRouter)(
-    [signInAction(config2.context.oauth), callbackAction(config2.context.oauth), sessionAction, signOutAction, csrfTokenAction],
-    config2
-  );
-  return {
-    handlers: router,
-    jose: config2.context.jose
-  };
-};
+    const config2 = createInternalConfig(authConfig)
+    const router = (0, import_router7.createRouter)(
+        [
+            signInAction(config2.context.oauth),
+            callbackAction(config2.context.oauth),
+            sessionAction,
+            signOutAction,
+            csrfTokenAction,
+        ],
+        config2
+    )
+    return {
+        handlers: router,
+        jose: config2.context.jose,
+    }
+}
 // Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  createAuth
-});
+0 &&
+    (module.exports = {
+        createAuth,
+    })