@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/chunk-N4SX7TZT.js

@@ -0,0 +1,96 @@
+import {
+  equals,
+  formatZodError,
+  getNormalizedOriginPath,
+  sanitizeURL,
+  toCastCase
+} from "./chunk-CXLATHS5.js";
+import {
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthInternalError,
+  AuthSecurityError,
+  isAuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+import {
+  OAuthAuthorization
+} from "./chunk-YRCB5FLE.js";
+
+// src/actions/signIn/authorization.ts
+var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
+  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { authorizeURL, ...options } = parsed.data;
+  const { userInfo, accessToken, clientSecret, ...required } = options;
+  const searchParams = new URLSearchParams(toCastCase(required));
+  return `${authorizeURL}?${searchParams}`;
+};
+var getOriginURL = (request, trustedProxyHeaders) => {
+  const headers = request.headers;
+  if (trustedProxyHeaders) {
+    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
+    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
+    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
+  } else {
+    return new URL(getNormalizedOriginPath(request.url));
+  }
+};
+var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
+};
+var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
+  try {
+    const headers = request.headers;
+    const origin = headers.get("Origin");
+    const referer = headers.get("Referer");
+    let hostedURL = getOriginURL(request, trustedProxyHeaders);
+    if (redirectTo) {
+      if (redirectTo.startsWith("/")) {
+        return sanitizeURL(redirectTo);
+      }
+      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
+      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(redirectToURL.pathname);
+    }
+    if (referer) {
+      const refererURL = new URL(sanitizeURL(referer));
+      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The referer of the request does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(refererURL.pathname);
+    }
+    if (origin) {
+      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
+      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+      }
+      return sanitizeURL(originURL.pathname);
+    }
+    return "/";
+  } catch (error) {
+    if (isAuthSecurityError(error)) {
+      throw error;
+    }
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+  }
+};
+
+export {
+  createAuthorizationURL,
+  getOriginURL,
+  createRedirectURI,
+  createRedirectTo
+};

package/dist/chunk-RRLIF4PQ.js

@@ -0,0 +1,55 @@
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
+
+export {
+  OAuthProtocolError,
+  AuthInternalError,
+  AuthSecurityError,
+  isNativeError,
+  isOAuthProtocolError,
+  isAuthInternalError,
+  isAuthSecurityError
+};

package/dist/chunk-STHEPPUZ.js

@@ -1,9 +1,11 @@
 // src/headers.ts
 var cacheControl = {
-    "Cache-Control": "no-store",
-    Pragma: "no-cache",
-    Expires: "0",
-    Vary: "Cookie",
-}
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
 
-export { cacheControl }
+export {
+  cacheControl
+};

package/dist/chunk-TLE4PXY3.js

@@ -0,0 +1,39 @@
+import {
+  createDerivedSalt
+} from "./chunk-N2APGLXA.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/jose.ts
+import "dotenv/config";
+import { createJWT, createJWS, createJWE, createDeriveKey } from "@aura-stack/jose";
+var createJoseInstance = (secret) => {
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
+  if (!secret) {
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
+  }
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption");
+  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
+  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
+  };
+};
+
+export {
+  createJoseInstance
+};

package/dist/chunk-W6LG7BFW.js

@@ -0,0 +1,197 @@
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/cookie.ts
+import { parse, parseSetCookie, serialize } from "@aura-stack/router/cookie";
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  httpOnly: true
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  httpOnly: true,
+  path: "/",
+  domain: void 0
+};
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options) => {
+  return serialize(cookieName, value, options);
+};
+var expiredCookieAttributes = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
+  }
+  const value = parse(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
+  }
+  return value;
+};
+var getSetCookie = (response, cookieName) => {
+  const cookies = response.headers.getSetCookie();
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found in response.");
+  }
+  const strCookie = cookies.find((cookie) => cookie.startsWith(`${cookieName}=`));
+  if (!strCookie) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found in response.`);
+  }
+  return parseSetCookie(strCookie).value;
+};
+var createSessionCookie = async (jose, session) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return encoded;
+  } catch (error) {
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
+  }
+};
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!useSecure) {
+    if (attributes.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...attributes,
+      ...defaultStandardCookieConfig
+    };
+  }
+  return strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
+  return {
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "session_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrf_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirectTo: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectTo?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectTo?.attributes
+        },
+        overrides?.redirectTo?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirectURI: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectURI?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectURI?.attributes
+        },
+        overrides?.redirectURI?.attributes?.strategy ?? "secure"
+      )
+    },
+    codeVerifier: {
+      name: `${securePrefix}${prefix}.${overrides?.codeVerifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.codeVerifier?.attributes
+        },
+        overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+      )
+    }
+  };
+};
+
+export {
+  COOKIE_NAME,
+  defaultCookieOptions,
+  defaultStandardCookieConfig,
+  defaultSecureCookieConfig,
+  defaultHostCookieConfig,
+  setCookie,
+  expiredCookieAttributes,
+  getCookie,
+  getSetCookie,
+  createSessionCookie,
+  defineSecureCookieOptions,
+  createCookieStore
+};

package/dist/chunk-YRCB5FLE.js

@@ -0,0 +1,79 @@
+// src/schemas.ts
+import { object, string, enum as options, number, z, null as nullable } from "zod";
+var OAuthProviderConfigSchema = object({
+  authorizeURL: string().url(),
+  accessToken: string().url(),
+  scope: string().optional(),
+  userInfo: string().url(),
+  responseType: options(["code", "token", "id_token"]),
+  clientId: string(),
+  clientSecret: string()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  state: string(),
+  codeChallenge: string(),
+  codeChallengeMethod: options(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = object({
+  state: string({ message: "Missing state parameter in the OAuth authorization response." }),
+  code: string({ message: "Missing code parameter in the OAuth authorization response." })
+});
+var OAuthAuthorizationErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional(),
+  state: string()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  code: string(),
+  codeVerifier: string().min(43).max(128)
+});
+var OAuthAccessTokenResponse = object({
+  access_token: string(),
+  token_type: string().optional(),
+  expires_in: number().optional(),
+  refresh_token: string().optional(),
+  scope: string().optional().or(nullable())
+});
+var OAuthAccessTokenErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional()
+});
+var OAuthErrorResponse = object({
+  error: string(),
+  error_description: string().optional()
+});
+var OAuthEnvSchema = object({
+  clientId: z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
+
+export {
+  OAuthProviderConfigSchema,
+  OAuthAuthorization,
+  OAuthAuthorizationResponse,
+  OAuthAuthorizationErrorResponse,
+  OAuthAccessToken,
+  OAuthAccessTokenResponse,
+  OAuthAccessTokenErrorResponse,
+  OAuthErrorResponse,
+  OAuthEnvSchema
+};

package/dist/chunk-ZNCZVF6U.js

@@ -0,0 +1,14 @@
+// src/request.ts
+var fetchAsync = async (url, options = {}, timeout = 5e3) => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  const response = await fetch(url, {
+    ...options,
+    signal: controller.signal
+  }).finally(() => clearTimeout(timeoutId));
+  return response;
+};
+
+export {
+  fetchAsync
+};