@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/chunk-EMKJA2GJ.js

@@ -0,0 +1,89 @@
+import {
+  x
+} from "./chunk-42XB3YCW.js";
+import {
+  figma
+} from "./chunk-FKRDCWBF.js";
+import {
+  github
+} from "./chunk-IKHPGFCW.js";
+import {
+  gitlab
+} from "./chunk-KRNOMBXQ.js";
+import {
+  mailchimp
+} from "./chunk-B737EUJV.js";
+import {
+  pinterest
+} from "./chunk-HP34YGGJ.js";
+import {
+  spotify
+} from "./chunk-E3OXBRYF.js";
+import {
+  strava
+} from "./chunk-6R2YZ4AC.js";
+import {
+  bitbucket
+} from "./chunk-FIPU4MLT.js";
+import {
+  discord
+} from "./chunk-IUYZQTJV.js";
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  OAuthEnvSchema
+} from "./chunk-YRCB5FLE.js";
+
+// src/oauth/index.ts
+var builtInOAuthProviders = {
+  github,
+  bitbucket,
+  figma,
+  discord,
+  gitlab,
+  spotify,
+  x,
+  strava,
+  mailchimp,
+  pinterest
+};
+var defineOAuthEnvironment = (oauth) => {
+  const env = process.env;
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
+};
+var defineOAuthProviderConfig = (config) => {
+  if (typeof config === "string") {
+    const definition = defineOAuthEnvironment(config);
+    const oauthConfig = builtInOAuthProviders[config];
+    return {
+      ...oauthConfig,
+      ...definition
+    };
+  }
+  return config;
+};
+var createBuiltInOAuthProviders = (oauth = []) => {
+  return oauth.reduce((previous, config) => {
+    const oauthConfig = defineOAuthProviderConfig(config);
+    return { ...previous, [oauthConfig.id]: oauthConfig };
+  }, {});
+};
+
+export {
+  builtInOAuthProviders,
+  createBuiltInOAuthProviders
+};

package/dist/chunk-FIPU4MLT.js

@@ -1,19 +1,21 @@
 // src/oauth/bitbucket.ts
 var bitbucket = {
-    id: "bitbucket",
-    name: "Bitbucket",
-    authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
-    accessToken: "https://bitbucket.org/site/oauth2/access_token",
-    userInfo: "https://api.bitbucket.org/2.0/user",
-    scope: "account email",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.uuid ?? profile.account_id,
-            name: profile.display_name ?? profile.nickname,
-            image: profile.links.avatar.href,
-        }
-    },
-}
+  id: "bitbucket",
+  name: "Bitbucket",
+  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+  accessToken: "https://bitbucket.org/site/oauth2/access_token",
+  userInfo: "https://api.bitbucket.org/2.0/user",
+  scope: "account email",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.uuid ?? profile.account_id,
+      name: profile.display_name ?? profile.nickname,
+      image: profile.links.avatar.href
+    };
+  }
+};
 
-export { bitbucket }
+export {
+  bitbucket
+};

package/dist/chunk-FKRDCWBF.js

@@ -1,20 +1,22 @@
 // src/oauth/figma.ts
 var figma = {
-    id: "figma",
-    name: "Figma",
-    authorizeURL: "https://www.figma.com/oauth",
-    accessToken: "https://api.figma.com/v1/oauth/token",
-    userInfo: "https://api.figma.com/v1/me",
-    scope: "current_user:read",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.handle,
-            email: profile.email,
-            image: profile.img_url,
-        }
-    },
-}
+  id: "figma",
+  name: "Figma",
+  authorizeURL: "https://www.figma.com/oauth",
+  accessToken: "https://api.figma.com/v1/oauth/token",
+  userInfo: "https://api.figma.com/v1/me",
+  scope: "current_user:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.handle,
+      email: profile.email,
+      image: profile.img_url
+    };
+  }
+};
 
-export { figma }
+export {
+  figma
+};

package/dist/chunk-GA2SMTJO.js

@@ -0,0 +1,58 @@
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  fetchAsync
+} from "./chunk-ZNCZVF6U.js";
+import {
+  OAuthAccessToken,
+  OAuthAccessTokenErrorResponse,
+  OAuthAccessTokenResponse
+} from "./chunk-YRCB5FLE.js";
+
+// src/actions/callback/access-token.ts
+var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
+  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
+  try {
+    const response = await fetchAsync(accessToken, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: codeParsed,
+        redirect_uri: redirectParsed,
+        grant_type: "authorization_code",
+        code_verifier: codeVerifier
+      }).toString()
+    });
+    const json = await response.json();
+    const token = OAuthAccessTokenResponse.safeParse(json);
+    if (!token.success) {
+      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+      if (!success) {
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
+      }
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
+    }
+    return token.data;
+  } catch (error) {
+    throw error;
+  }
+};
+
+export {
+  createAccessToken
+};

package/dist/chunk-HP34YGGJ.js

@@ -0,0 +1,22 @@
+// src/oauth/pinterest.ts
+var pinterest = {
+  id: "pinterest",
+  name: "Pinterest",
+  authorizeURL: "https://api.pinterest.com/oauth/",
+  accessToken: "https://api.pinterest.com/v5/oauth/token",
+  userInfo: "https://api.pinterest.com/v5/user_account",
+  scope: "user_accounts:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.username,
+      email: null,
+      image: profile.profile_image
+    };
+  }
+};
+
+export {
+  pinterest
+};

package/dist/chunk-HT4YLL7N.js

@@ -0,0 +1,35 @@
+import {
+  getCookie,
+  setCookie
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/csrfToken/csrfToken.ts
+import { createEndpoint } from "@aura-stack/router";
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
+var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
+  const headers = new Headers(cacheControl);
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
+  return Response.json({ csrfToken }, { headers });
+});
+
+export {
+  csrfTokenAction
+};

package/dist/chunk-IKHPGFCW.js

@@ -1,12 +1,14 @@
 // src/oauth/github.ts
 var github = {
-    id: "github",
-    name: "GitHub",
-    authorizeURL: "https://github.com/login/oauth/authorize",
-    accessToken: "https://github.com/login/oauth/access_token",
-    userInfo: "https://api.github.com/user",
-    scope: "read:user user:email",
-    responseType: "code",
-}
+  id: "github",
+  name: "GitHub",
+  authorizeURL: "https://github.com/login/oauth/authorize",
+  accessToken: "https://github.com/login/oauth/access_token",
+  userInfo: "https://api.github.com/user",
+  scope: "read:user user:email",
+  responseType: "code"
+};
 
-export { github }
+export {
+  github
+};

package/dist/chunk-IUYZQTJV.js

@@ -0,0 +1,30 @@
+// src/oauth/discord.ts
+var discord = {
+  id: "discord",
+  name: "Discord",
+  authorizeURL: "https://discord.com/oauth2/authorize",
+  accessToken: "https://discord.com/api/oauth2/token",
+  userInfo: "https://discord.com/api/users/@me",
+  scope: "identify email",
+  responseType: "code",
+  profile(profile) {
+    let image = "";
+    if (profile.avatar === null) {
+      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
+      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
+    } else {
+      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+    }
+    return {
+      sub: profile.id,
+      name: profile.global_name ?? profile.username,
+      email: profile.email ?? "",
+      image
+    };
+  }
+};
+
+export {
+  discord
+};

package/dist/chunk-IVET23KF.js

@@ -0,0 +1,58 @@
+import {
+  generateSecure
+} from "./chunk-N2APGLXA.js";
+import {
+  OAuthProtocolError,
+  isNativeError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  fetchAsync
+} from "./chunk-ZNCZVF6U.js";
+import {
+  OAuthErrorResponse
+} from "./chunk-YRCB5FLE.js";
+
+// src/actions/callback/userinfo.ts
+var getDefaultUserInfo = (profile) => {
+  const sub = generateSecure(16);
+  return {
+    sub: profile?.id ?? profile?.sub ?? sub,
+    email: profile?.email,
+    name: profile?.name ?? profile?.username ?? profile?.nickname,
+    image: profile?.image ?? profile?.picture
+  };
+};
+var getUserInfo = async (oauthConfig, accessToken) => {
+  const userinfoEndpoint = oauthConfig.userInfo;
+  try {
+    const response = await fetchAsync(userinfoEndpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    const json = await response.json();
+    const { success, data } = OAuthErrorResponse.safeParse(json);
+    if (success) {
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
+    }
+    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
+  } catch (error) {
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
+  }
+};
+
+export {
+  getUserInfo
+};

package/dist/chunk-JVFTCTTE.js

@@ -0,0 +1,33 @@
+import {
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  toISOString
+} from "./chunk-CXLATHS5.js";
+
+// src/actions/session/session.ts
+import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
+var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  try {
+    const session = getCookie(request, cookies.sessionToken.name);
+    const decoded = await jose.decodeJWT(session);
+    const { exp, iat, jti, nbf, ...user } = decoded;
+    const headers = new Headers(cacheControl);
+    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
+  } catch (error) {
+    const headers = new HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
+  }
+});
+
+export {
+  sessionAction
+};

package/dist/chunk-KRNOMBXQ.js

@@ -1,20 +1,22 @@
 // src/oauth/gitlab.ts
 var gitlab = {
-    id: "gitlab",
-    name: "GitLab",
-    authorizeURL: "https://gitlab.com/oauth/authorize",
-    accessToken: "https://gitlab.com/oauth/token",
-    userInfo: "https://gitlab.com/api/v4/user",
-    scope: "read_user",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id.toString(),
-            name: profile.name ?? profile.username,
-            email: profile.email,
-            avatar: profile.avatar_url,
-        }
-    },
-}
+  id: "gitlab",
+  name: "GitLab",
+  authorizeURL: "https://gitlab.com/oauth/authorize",
+  accessToken: "https://gitlab.com/oauth/token",
+  userInfo: "https://gitlab.com/api/v4/user",
+  scope: "read_user",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: profile.name ?? profile.username,
+      email: profile.email,
+      avatar: profile.avatar_url
+    };
+  }
+};
 
-export { gitlab }
+export {
+  gitlab
+};

package/dist/chunk-KSWLO5ZU.js

@@ -0,0 +1,102 @@
+import {
+  createAccessToken
+} from "./chunk-GA2SMTJO.js";
+import {
+  getUserInfo
+} from "./chunk-IVET23KF.js";
+import {
+  createSessionCookie,
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-W6LG7BFW.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  equals,
+  isValidRelativePath,
+  sanitizeURL
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  OAuthAuthorizationErrorResponse
+} from "./chunk-YRCB5FLE.js";
+
+// src/actions/callback/callback.ts
+import { z } from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var callbackConfig = (oauth) => {
+  return createEndpointConfig("/callback/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: z.object({
+        code: z.string("Missing code parameter in the OAuth authorization response."),
+        state: z.string("Missing state parameter in the OAuth authorization response.")
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
+var callbackAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose }
+      } = ctx;
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirectTo.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirectURI.name);
+      const codeVerifier = getCookie(request, cookies.codeVerifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
+        );
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
+        );
+      }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirectURI.name, "", expiredCookieAttributes).setCookie(cookies.redirectTo.name, "", expiredCookieAttributes).setCookie(cookies.codeVerifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
+    },
+    callbackConfig(oauth)
+  );
+};
+
+export {
+  callbackAction
+};

package/dist/chunk-N2APGLXA.js

@@ -0,0 +1,71 @@
+import {
+  equals
+} from "./chunk-CXLATHS5.js";
+import {
+  isJWTPayloadWithToken
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/secure.ts
+import crypto from "crypto";
+var generateSecure = (length = 32) => {
+  return crypto.randomBytes(length).toString("base64url");
+};
+var createHash = (data, base = "hex") => {
+  return crypto.createHash("sha256").update(data).digest().toString(base);
+};
+var createPKCE = async (verifier) => {
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
+var createCSRF = async (jose, csrfCookie) => {
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
+    }
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
+var verifyCSRF = async (jose, cookie, header) => {
+  try {
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    return true;
+  } catch {
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+  }
+};
+var createDerivedSalt = (secret) => {
+  return crypto.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
+
+export {
+  generateSecure,
+  createHash,
+  createPKCE,
+  createCSRF,
+  verifyCSRF,
+  createDerivedSalt
+};