@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/actions/signOut/signOut.d.ts

@@ -1,8 +1,8 @@
-import * as _aura_stack_router from "@aura-stack/router"
+import * as _aura_stack_router from '@aura-stack/router';
 
 /**
  * @see https://datatracker.ietf.org/doc/html/rfc7009
  */
-declare const signOutAction: _aura_stack_router.RouteEndpoint<"POST", "/signOut", {}>
+declare const signOutAction: _aura_stack_router.RouteEndpoint<"POST", "/signOut", {}>;
 
-export { signOutAction }
+export { signOutAction };

package/dist/actions/signOut/signOut.js

@@ -1,11 +1,14 @@
-import { signOutAction } from "../../chunk-SJPDVKUS.js"
-import "../../chunk-CAKJT3KS.js"
-import "../../chunk-ZV4BH47P.js"
-import "../../chunk-6SM22VVJ.js"
-import "../../chunk-STHEPPUZ.js"
-import "../../chunk-GZU3RBTB.js"
-import "../../chunk-256KIVJL.js"
-import "../../chunk-FJUDBLCP.js"
-import "../../chunk-JAPMIE6S.js"
-import "../../chunk-HMRKN75I.js"
-export { signOutAction }
+import {
+  signOutAction
+} from "../../chunk-A3N4PVAT.js";
+import "../../chunk-N4SX7TZT.js";
+import "../../chunk-W6LG7BFW.js";
+import "../../chunk-STHEPPUZ.js";
+import "../../chunk-N2APGLXA.js";
+import "../../chunk-CXLATHS5.js";
+import "../../chunk-EIL2FPSS.js";
+import "../../chunk-RRLIF4PQ.js";
+import "../../chunk-YRCB5FLE.js";
+export {
+  signOutAction
+};

package/dist/assert.cjs

@@ -1,45 +1,49 @@
-"use strict"
-var __defProp = Object.defineProperty
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor
-var __getOwnPropNames = Object.getOwnPropertyNames
-var __hasOwnProp = Object.prototype.hasOwnProperty
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
-    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
-}
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
-    if ((from && typeof from === "object") || typeof from === "function") {
-        for (let key of __getOwnPropNames(from))
-            if (!__hasOwnProp.call(to, key) && key !== except)
-                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
-    }
-    return to
-}
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/assert.ts
-var assert_exports = {}
+var assert_exports = {};
 __export(assert_exports, {
-    isFalsy: () => isFalsy,
-    isRequest: () => isRequest,
-    isValidURL: () => isValidURL,
-})
-module.exports = __toCommonJS(assert_exports)
+  isFalsy: () => isFalsy,
+  isJWTPayloadWithToken: () => isJWTPayloadWithToken,
+  isRequest: () => isRequest,
+  isValidURL: () => isValidURL
+});
+module.exports = __toCommonJS(assert_exports);
 var isFalsy = (value) => {
-    return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value)
-}
+  return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
+};
 var isRequest = (value) => {
-    return typeof Request !== "undefined" && value instanceof Request
-}
+  return typeof Request !== "undefined" && value instanceof Request;
+};
 var isValidURL = (value) => {
-    if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false
-    const regex =
-        /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/
-    return regex.test(value)
-}
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 // Annotate the CommonJS export names for ESM import in node:
-0 &&
-    (module.exports = {
-        isFalsy,
-        isRequest,
-        isValidURL,
-    })
+0 && (module.exports = {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+});

package/dist/assert.d.ts

@@ -1,5 +1,14 @@
-declare const isFalsy: (value: unknown) => boolean
-declare const isRequest: (value: unknown) => value is Request
-declare const isValidURL: (value: string) => boolean
+import { J as JWTPayloadWithToken } from './index-DkaLJFn8.js';
+import 'zod';
+import './schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
+import './@types/utility.js';
 
-export { isFalsy, isRequest, isValidURL }
+declare const isFalsy: (value: unknown) => boolean;
+declare const isRequest: (value: unknown) => value is Request;
+declare const isValidURL: (value: string) => boolean;
+declare const isJWTPayloadWithToken: (payload: unknown) => payload is JWTPayloadWithToken;
+
+export { isFalsy, isJWTPayloadWithToken, isRequest, isValidURL };

package/dist/assert.js

@@ -1,2 +1,12 @@
-import { isFalsy, isRequest, isValidURL } from "./chunk-6SM22VVJ.js"
-export { isFalsy, isRequest, isValidURL }
+import {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
+export {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+};

package/dist/chunk-3EUWD5BB.js

@@ -0,0 +1,63 @@
+import {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI
+} from "./chunk-N4SX7TZT.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createPKCE,
+  generateSecure
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/signIn/signIn.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var signInConfig = (oauth) => {
+  return createEndpointConfig("/signIn/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: z.object({
+        redirectTo: z.string().optional()
+      })
+    }
+  });
+};
+var signInAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/signIn/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { redirectTo },
+        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
+      } = ctx;
+      const state = generateSecure();
+      const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+      const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders);
+      const { codeVerifier, codeChallenge, method } = await createPKCE();
+      const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
+      return Response.json(
+        { oauth: oauth2 },
+        {
+          status: 302,
+          headers
+        }
+      );
+    },
+    signInConfig(oauth)
+  );
+};
+
+export {
+  signInAction
+};

package/dist/chunk-42XB3YCW.js

@@ -1,20 +1,22 @@
 // src/oauth/x.ts
 var x = {
-    id: "x",
-    name: "X",
-    authorizeURL: "https://x.com/i/oauth2/authorize",
-    accessToken: "https://api.x.com/2/oauth2/token",
-    userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
-    scope: "users.read users.email tweet.read offline.access",
-    responseType: "code",
-    profile({ data }) {
-        return {
-            sub: data.id,
-            name: data.name,
-            image: data.profile_image_url,
-            email: "",
-        }
-    },
-}
+  id: "x",
+  name: "X",
+  authorizeURL: "https://x.com/i/oauth2/authorize",
+  accessToken: "https://api.x.com/2/oauth2/token",
+  userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
+  scope: "users.read users.email tweet.read offline.access",
+  responseType: "code",
+  profile({ data }) {
+    return {
+      sub: data.id,
+      name: data.name,
+      image: data.profile_image_url,
+      email: ""
+    };
+  }
+};
 
-export { x }
+export {
+  x
+};

package/dist/chunk-6R2YZ4AC.js

@@ -0,0 +1,22 @@
+// src/oauth/strava.ts
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
+    };
+  }
+};
+
+export {
+  strava
+};

package/dist/chunk-A3N4PVAT.js

@@ -0,0 +1,70 @@
+import {
+  createRedirectTo
+} from "./chunk-N4SX7TZT.js";
+import {
+  expiredCookieAttributes
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  verifyCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  getNormalizedOriginPath
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/signOut/signOut.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router";
+var config = createEndpointConfig({
+  schemas: {
+    searchParams: z.object({
+      token_type_hint: z.literal("session_token"),
+      redirectTo: z.string().optional()
+    })
+  }
+});
+var signOutAction = createEndpoint(
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { jose, cookies }
+    } = ctx;
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
+    }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: statusCode.ACCEPTED, headers: headersList });
+  },
+  config
+);
+
+export {
+  signOutAction
+};

package/dist/chunk-B737EUJV.js

@@ -0,0 +1,22 @@
+// src/oauth/mailchimp.ts
+var mailchimp = {
+  id: "mailchimp",
+  name: "Mailchimp",
+  authorizeURL: "https://login.mailchimp.com/oauth2/authorize",
+  accessToken: "https://login.mailchimp.com/oauth2/token",
+  userInfo: "https://login.mailchimp.com/oauth2/metadata",
+  scope: "",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.user_id,
+      name: profile.accountname,
+      email: profile.login.login_email,
+      image: null
+    };
+  }
+};
+
+export {
+  mailchimp
+};

package/dist/chunk-CXLATHS5.js

@@ -0,0 +1,143 @@
+import {
+  isAuthInternalError,
+  isAuthSecurityError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/utils.ts
+import { isInvalidZodSchemaError, isRouterError } from "@aura-stack/router";
+var toSnakeCase = (str) => {
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
+var toUpperCase = (str) => {
+  return str.toUpperCase();
+};
+var toCastCase = (obj, type = "snake") => {
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
+var equals = (a, b) => {
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+var sanitizeURL = (url) => {
+  try {
+    let decodedURL = decodeURIComponent(url).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
+    }
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
+    }
+    return sanitized;
+  } catch {
+    return url.trim();
+  }
+};
+var isValidRelativePath = (path) => {
+  if (!path || typeof path !== "string") return false;
+  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
+  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
+  const sanitized = sanitizeURL(path);
+  if (sanitized.includes("..")) return false;
+  return true;
+};
+var onErrorHandler = (error) => {
+  if (isRouterError(error)) {
+    const { message, status, statusText } = error;
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
+  }
+  if (isInvalidZodSchemaError(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
+  }
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
+};
+var getNormalizedOriginPath = (path) => {
+  try {
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
+var toISOString = (date) => {
+  return new Date(date).toISOString();
+};
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
+
+export {
+  toSnakeCase,
+  toUpperCase,
+  toCastCase,
+  equals,
+  sanitizeURL,
+  isValidRelativePath,
+  onErrorHandler,
+  getNormalizedOriginPath,
+  toISOString,
+  useSecureCookies,
+  formatZodError
+};

package/dist/chunk-E3OXBRYF.js

@@ -1,20 +1,22 @@
 // src/oauth/spotify.ts
 var spotify = {
-    id: "spotify",
-    name: "Spotify",
-    authorizeURL: "https://accounts.spotify.com/authorize",
-    accessToken: "https://accounts.spotify.com/api/token",
-    userInfo: "https://api.spotify.com/v1/me",
-    scope: "user-read-email user-read-private",
-    responseType: "token",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.display_name,
-            email: profile.email,
-            image: profile.images?.[0]?.url,
-        }
-    },
-}
+  id: "spotify",
+  name: "Spotify",
+  authorizeURL: "https://accounts.spotify.com/authorize",
+  accessToken: "https://accounts.spotify.com/api/token",
+  userInfo: "https://api.spotify.com/v1/me",
+  scope: "user-read-email user-read-private",
+  responseType: "token",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.display_name,
+      email: profile.email,
+      image: profile.images?.[0]?.url
+    };
+  }
+};
 
-export { spotify }
+export {
+  spotify
+};

package/dist/chunk-EIL2FPSS.js

@@ -0,0 +1,22 @@
+// src/assert.ts
+var isFalsy = (value) => {
+  return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
+};
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
+
+export {
+  isFalsy,
+  isRequest,
+  isValidURL,
+  isJWTPayloadWithToken
+};