@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/index-DkaLJFn8.d.ts

@@ -0,0 +1,679 @@
+import { z } from 'zod';
+import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
+import { SerializeOptions } from '@aura-stack/router/cookie';
+import { JWTVerifyOptions, EncryptOptions, JWTDecryptOptions } from '@aura-stack/jose';
+import { JWTPayload } from '@aura-stack/jose/jose';
+import { LiteralUnion, Prettify } from './@types/utility.js';
+
+/**
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
+ */
+interface PinterestProfile {
+    account_type: LiteralUnion<"PINNER">;
+    id: string;
+    profile_image: string;
+    website_url: string;
+    username: string;
+    about: string;
+    business_name: string;
+    board_count: number;
+    pin_count: number;
+    follower_count: number;
+    following_count: number;
+    monthly_views: number;
+}
+/**
+ * @see [Pinterest - Connect App](https://developers.pinterest.com/docs/getting-started/connect-app/)
+ * @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
+ */
+declare const pinterest: OAuthProviderConfig<PinterestProfile>;
+
+interface Login {
+    email: string;
+    avatar: string | null;
+    login_id: number;
+    login_name: string;
+    login_email: string;
+}
+interface MailchimpProfile {
+    dc: string;
+    role: string;
+    accountname: string;
+    user_id: string;
+    login: Login;
+    login_url: string;
+    api_endpoint: string;
+}
+/**
+ * @see [Mailchimp - Access Data on Behalf of Other Users with OAuth 2](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
+ */
+declare const mailchimp: OAuthProviderConfig<MailchimpProfile>;
+
+/**
+ * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
+ */
+interface SummaryClub {
+    id: number;
+    resource_state: number;
+    name: string;
+    profile_medium: string;
+    cover_photo: string;
+    cover_photo_small: string;
+    sport_type: "cycling" | "running" | "triathlon" | "other";
+    activity_types: string[];
+    city: string;
+    state: string;
+    country: string;
+    private: boolean;
+    member_count: number;
+    featured: boolean;
+    verified: boolean;
+    url: string;
+}
+/**
+ * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
+ */
+interface SummaryGear {
+    id: string;
+    resource_state: number;
+    primary: boolean;
+    name: string;
+    distance: number;
+}
+/**
+ * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
+ */
+interface StravaProfile {
+    id: number;
+    resource_state: number;
+    firstname: string;
+    lastname: string;
+    bio: string | null;
+    profile: string;
+    profile_medium: string;
+    city: string;
+    state: string;
+    country: string;
+    sex: string;
+    premium: boolean;
+    summit: boolean;
+    created_at: Date;
+    updated_at: Date;
+    badge_type_id: number;
+    weight: number;
+    friend: null;
+    follower: null;
+    follower_count: number;
+    friend_count: number;
+    measurement_preference: string;
+    ftp: number;
+    clubs: SummaryClub[];
+    bikes: SummaryGear[];
+    shoes: SummaryGear[];
+}
+/**
+ * Strava OAuth Provider
+ * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
+ * @see [Strava - My Applications](https://www.strava.com/settings/api)
+ * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
+ * @see [Strava - API Application](https://www.strava.com/settings/api)
+ * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
+ */
+declare const strava: OAuthProviderConfig<StravaProfile>;
+
+/**
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
+ */
+interface XProfile {
+    data: {
+        id: string;
+        name: string;
+        username: string;
+        profile_image_url: string;
+    };
+}
+/**
+ * X (Twitter) OAuth Provider
+ * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
+ * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
+ * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
+ * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
+ */
+declare const x: OAuthProviderConfig<XProfile>;
+
+interface Image {
+    url: string;
+    height: number;
+    width: number;
+}
+/**
+ * @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
+ */
+interface SpotifyProfile {
+    id: string;
+    display_name: string;
+    email: string;
+    type: string;
+    uri: string;
+    country: string;
+    href: string;
+    images: Image[];
+    product: string;
+    explicit_content: {
+        filter_enabled: boolean;
+        filter_locked: boolean;
+    };
+    external_urls: {
+        spotify: string;
+    };
+    followers: {
+        href: string;
+        total: number;
+    };
+}
+/**
+ * Spotify OAuth Provider
+ *
+ * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
+ * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
+ * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
+ * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
+ * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
+ */
+declare const spotify: OAuthProviderConfig<SpotifyProfile>;
+
+/**
+ * @see [GitLab - Get the current user](https://docs.gitlab.com/api/users/#get-the-current-user)
+ */
+interface GitLabProfile {
+    id: number;
+    username: string;
+    email: string;
+    name: string;
+    state: string;
+    locked: boolean;
+    avatar_url: string;
+    web_url: string;
+    created_at: string;
+    bio: string;
+    location: string | null;
+    public_email: string;
+    linkedin: string;
+    twitter: string;
+    discord: string;
+    github: string;
+    website_url: string;
+    organization: string;
+    job_title: string;
+    pronouns: string;
+    bot: boolean;
+    work_information: string | null;
+    followers: number;
+    following: number;
+    local_time: string;
+    last_sign_in_at: string;
+    confirmed_at: string;
+    theme_id: number;
+    last_activity_on: string;
+    color_scheme_id: number;
+    projects_limit: number;
+    current_sign_in_at: string;
+    identities: {
+        provider: string;
+        extern_uid: string;
+        saml_provider_id: number | null;
+    }[];
+    can_create_group: boolean;
+    can_create_project: boolean;
+    two_factor_enabled: boolean;
+    external: boolean;
+    private_profile: boolean;
+    commit_email: string;
+    preferred_language: string;
+    shared_runners_minutes_limit: number | null;
+    extra_shared_runners_minutes_limit: number | null;
+    scim_identities: unknown[];
+}
+/**
+ * GitLab OAuth Provider
+ *
+ * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
+ * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
+ * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
+ * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
+ */
+declare const gitlab: OAuthProviderConfig<GitLabProfile>;
+
+/**
+ * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
+ */
+interface Nameplate {
+    sku_id: string;
+    asset: string;
+    label: string;
+    palette: string;
+}
+/**
+ * The `snowflake` type is a string type. The attributes defined with this type are:
+ * - `id`: The unique identifier for the object.
+ * - `primary_guild.identity_guild_id`: The unique identifier for the guild.
+ * - `avatar_decoration_data.sku_id`: The unique identifier for the SKU.
+ *
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
+ */
+interface DiscordProfile {
+    id: string;
+    username: string;
+    discriminator: string;
+    global_name: string | null;
+    avatar: string | null;
+    bot?: boolean;
+    system?: boolean;
+    mfa_enabled?: boolean;
+    banner?: string | null;
+    accent_color?: number | null;
+    locale?: string;
+    verified?: boolean;
+    email?: string | null;
+    flags?: number;
+    premium_type?: number;
+    public_flags?: number;
+    avatar_decoration_data?: {
+        asset: string;
+        sku_id: string;
+    };
+    collections?: Record<string, Nameplate>;
+    primary_guild?: {
+        identity_guild_id: string;
+        identity_enabled: boolean | null;
+        tag: string | null;
+        badge: string | null;
+    };
+}
+/**
+ * Discord OAuth Provider
+ *
+ * @see [Discord - Applications](https://discord.com/developers/applications)
+ * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
+ * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
+ * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
+ * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
+ * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
+ */
+declare const discord: OAuthProviderConfig<DiscordProfile>;
+
+/**
+ * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
+ */
+interface FigmaProfile {
+    id: string;
+    handle: string;
+    img_url: string;
+    email: string;
+}
+/**
+ * Figma OAuth Provider
+ * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
+ * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
+ * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
+ * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
+ */
+declare const figma: OAuthProviderConfig<FigmaProfile>;
+
+/**
+ * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
+ */
+interface BitbucketProfile {
+    display_name: string;
+    links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
+        href?: string;
+    }>;
+    created_on: string;
+    type: string;
+    uuid: string;
+    has_2fa_enabled: boolean;
+    username: string;
+    nickname: string;
+    is_staff: boolean;
+    account_id: string;
+    account_status: LiteralUnion<"active" | "inactive" | "closed">;
+    location: string | null;
+}
+/**
+ * Bitbucket OAuth Provider
+ *
+ * @see [Bitbucket - Official App](https://bitbucket.org/)
+ * @see [Bitbucket - Workspaces](https://bitbucket.org/account/workspaces/)
+ * @see [Bitbucket - Workspace Settings](https://bitbucket.org/{workspace-name}/workspace/settings/)
+ * @see [Bitbucket - OAuth 2.0](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)
+ * @see [Bitbucket - Use OAuth on Bitbucket Cloud](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
+ * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
+ * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
+ */
+declare const bitbucket: OAuthProviderConfig<BitbucketProfile>;
+
+/**
+ * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
+ */
+interface GitHubProfile {
+    login: string;
+    id: number;
+    user_view_type: string;
+    node_id: string;
+    avatar_url: string;
+    gravatar_id: string | null;
+    url: string;
+    html_url: string;
+    followers_url: string;
+    following_url: string;
+    gists_url: string;
+    starred_url: string;
+    subscriptions_url: string;
+    organizations_url: string;
+    repos_url: string;
+    events_url: string;
+    received_events_url: string;
+    type: string;
+    site_admin: boolean;
+    name: string | null;
+    company: string | null;
+    blog: string | null;
+    location: string | null;
+    email: string | null;
+    notification_email: string | null;
+    hireable: boolean | null;
+    bio: string | null;
+    twitter_username?: string | null;
+    public_repos: number;
+    public_gists: number;
+    followers: number;
+    following: number;
+    created_at: string;
+    updated_at: string;
+    private_gists?: number;
+    total_private_repos?: number;
+    owned_private_repos?: number;
+    disk_usage?: number;
+    collaborators?: number;
+    two_factor_authentication: boolean;
+    plan?: {
+        collaborators: number;
+        name: string;
+        space: number;
+        private_repos: number;
+    };
+}
+/**
+ * GitHub OAuth Provider
+ *
+ * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
+ * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
+ * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
+ * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
+ */
+declare const github: OAuthProviderConfig<GitHubProfile>;
+
+declare const builtInOAuthProviders: {
+    readonly github: OAuthProviderConfig<GitHubProfile>;
+    readonly bitbucket: OAuthProviderConfig<BitbucketProfile>;
+    readonly figma: OAuthProviderConfig<FigmaProfile>;
+    readonly discord: OAuthProviderConfig<DiscordProfile>;
+    readonly gitlab: OAuthProviderConfig<GitLabProfile>;
+    readonly spotify: OAuthProviderConfig<SpotifyProfile>;
+    readonly x: OAuthProviderConfig<XProfile>;
+    readonly strava: OAuthProviderConfig<StravaProfile>;
+    readonly mailchimp: OAuthProviderConfig<MailchimpProfile>;
+    readonly pinterest: OAuthProviderConfig<PinterestProfile>;
+};
+/**
+ * Constructs OAuth provider configurations from an array of provider names or configurations.
+ * It loads the client ID and client secret from environment variables if only the provider name is provided.
+ *
+ * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
+ * @returns A record of OAuth provider configurations
+ */
+declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
+type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
+
+/**
+ * Standard JWT claims that are managed internally by the token system.
+ * These fields are typically filtered out before returning user data.
+ */
+type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
+/**
+ * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
+ */
+type JWTPayloadWithToken = JWTPayload & {
+    token: string;
+};
+/**
+ * Standardized user profile returned by OAuth providers after fetching user information
+ * and mapping the response to this format by default or via the `profile` custom function.
+ */
+interface User {
+    sub: string;
+    name?: string | null;
+    email?: string | null;
+    image?: string | null;
+}
+/**
+ * Session data returned by the session endpoint.
+ */
+interface Session {
+    user: User;
+    expires: string;
+}
+/**
+ * Configuration for an OAuth provider without credentials.
+ * Use this type when defining provider metadata and endpoints.
+ */
+interface OAuthProviderConfig<Profile extends object = {}> {
+    id: string;
+    name: string;
+    authorizeURL: string;
+    accessToken: string;
+    userInfo: string;
+    scope: string;
+    responseType: "code" | "token" | "refresh_token" | "id_token";
+    profile?: (profile: Profile) => User | Promise<User>;
+}
+/**
+ * OAuth provider configuration with client credentials.
+ * Extends OAuthProviderConfig with clientId and clientSecret.
+ */
+interface OAuthProviderCredentials<Profile extends object = {}> extends OAuthProviderConfig<Profile> {
+    clientId: string;
+    clientSecret: string;
+}
+/**
+ * Complete OAuth provider type combining configuration and credentials.
+ */
+type OAuthProvider<Profile extends object = {}> = OAuthProviderCredentials<Profile>;
+/**
+ * Cookie type with __Secure- prefix, must be Secure.
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
+ */
+type SecureCookie = {
+    strategy: "secure";
+} & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
+/**
+ * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
+ */
+type HostCookie = {
+    strategy: "host";
+} & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
+/**
+ * Standard cookie type without security prefixes.
+ * Can be sent over both HTTP and HTTPS connections (default in development).
+ */
+type StandardCookie = {
+    strategy?: "standard";
+} & Prettify<Omit<SerializeOptions, "encode">>;
+/**
+ * Union type for cookie options based on the specified strategy.
+ * - `secure`: Cookies are only sent over HTTPS connections
+ * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
+ * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
+ */
+type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
+/**
+ * Names of cookies used by Aura Auth for session management and OAuth flows.
+ * - `sessionToken`: User session JWT
+ * - `csrfToken`: CSRF protection token
+ * - `state`: OAuth state parameter for CSRF protection
+ * - `code_verifier`: PKCE code verifier for authorization code flow
+ * - `redirect_uri`: OAuth callback URI
+ * - `redirect_to`: Post-authentication redirect path
+ * - `nonce`: OpenID Connect nonce parameter
+ */
+type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
+type CookieStoreConfig = Record<CookieName, {
+    name: string;
+    attributes: CookieStrategyAttributes;
+}>;
+interface CookieConfig {
+    /**
+     * Prefix to be added to all cookie names. By default "aura-stack".
+     */
+    prefix?: string;
+    overrides?: Partial<CookieStoreConfig>;
+}
+/**
+ * Main configuration interface for Aura Auth.
+ * This is the user-facing configuration object passed to `createAuth()`.
+ */
+interface AuthConfig {
+    /**
+     * OAuth providers available in the authentication and authorization flows. It provides a type-inference
+     * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
+     * OAuth third-party authorization service by implementing the `OAuthProviderCredentials` interface.
+     *
+     * Built-in OAuth providers:
+     * oauth: ["github", "google"]
+     *
+     * Custom OAuth providers:
+     * oauth: [
+     *   {
+     *     id: "oauth-providers",
+     *     name: "OAuth",
+     *     authorizeURL: "https://example.com/oauth/authorize",
+     *     accessToken: "https://example.com/oauth/token",
+     *     scope: "profile email",
+     *     responseType: "code",
+     *     userInfo: "https://example.com/oauth/userinfo",
+     *     clientId: process.env.AURA_AUTH_OAUTH_PROVIDER_CLIENT_ID!,
+     *     clientSecret: process.env.AURA_AUTH_OAUTH_PROVIDER_CLIENT_SECRET!,
+     *   }
+     * ]
+     */
+    oauth: (BuiltInOAuthProvider | OAuthProviderCredentials)[];
+    /**
+     * Cookie options defines the configuration for cookies used in Aura Auth.
+     * It includes a prefix for cookie names and flag options to determine
+     * the security and scope of the cookies.
+     *
+     * **⚠️ WARNING:** Ensure that the cookie options are configured correctly to
+     * maintain the security and integrity of the authentication process. `Aura Auth`
+     * is not responsible for misconfigured cookies that may lead to security vulnerabilities.
+     *
+     * - prefix: A string prefix to be added to all cookie names, by default "aura-stack".
+     * - flag options (This attributes help to define the security level of the cookies):
+     *   - secure: Cookies use the __Secure- prefix and are only sent over HTTPS connections.
+     *   - host: Cookies use the __Host- prefix and are only sent over HTTPS connections.
+     *   - standard: Cookies can be sent over both HTTP and HTTPS connections. (default in development)
+     *
+     * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
+     * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
+     */
+    cookies?: Partial<CookieConfig>;
+    /**
+     * Secret used to sign and verify JWT tokens for session and csrf protection.
+     * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
+     * doesn't exist, it will throw an error during the initialization of the Auth module.
+     */
+    secret?: string;
+    /**
+     * Base path for all authentication routes. Default is `/auth`.
+     */
+    basePath?: `/${string}`;
+    /**
+     * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
+     * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
+     * to determine the original client IP address and protocol.
+     *
+     * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
+     * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
+     * inaccurate client IP logging.
+     *
+     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
+     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+     * @experimental
+     */
+    trustedProxyHeaders?: boolean;
+}
+interface JoseInstance {
+    decodeJWT: (token: string) => Promise<JWTPayload>;
+    encodeJWT: (payload: JWTPayload) => Promise<string>;
+    signJWS: (payload: JWTPayload) => Promise<string>;
+    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
+    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
+}
+type OAuthProviderRecord = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
+interface RouterGlobalContext {
+    oauth: OAuthProviderRecord;
+    cookies: CookieStoreConfig;
+    jose: JoseInstance;
+    secret?: string;
+    basePath: string;
+    trustedProxyHeaders: boolean;
+}
+/**
+ * Internal runtime configuration used within Aura Auth after initialization.
+ * All optional fields from AuthConfig are resolved to their default values.
+ */
+type AuthRuntimeConfig = RouterGlobalContext;
+interface AuthInstance {
+    handlers: {
+        GET: (request: Request) => Response | Promise<Response>;
+        POST: (request: Request) => Response | Promise<Response>;
+    };
+    jose: JoseInstance;
+}
+/**
+ * Base OAuth error response structure.
+ */
+interface OAuthError<T extends string> {
+    error: T;
+    error_description?: string;
+}
+/**
+ * OAuth 2.0 Authorization Error Response Types
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+ */
+type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
+/**
+ * OAuth 2.0 Access Token Error Response Types
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ */
+type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
+/**
+ * OAuth 2.0 Token Revocation Error Response Types
+ * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
+ */
+type TokenRevocationError = OAuthError<"invalid_session_token">;
+type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
+type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION";
+type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
+type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
+type APIErrorMap = Record<string, {
+    code: string;
+    message: string;
+}>;
+
+export { type AuthorizationError as $, type AuthRuntimeConfig as A, type BitbucketProfile as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, createBuiltInOAuthProviders as H, type Image as I, type JWTPayloadWithToken as J, type BuiltInOAuthProvider as K, type Login as L, type MailchimpProfile as M, type Nameplate as N, type OAuthProvider as O, type PinterestProfile as P, type JWTStandardClaims as Q, type RouterGlobalContext as R, type Session as S, type SecureCookie as T, type User as U, type HostCookie as V, type StandardCookie as W, type XProfile as X, type CookieStrategyAttributes as Y, type CookieName as Z, type OAuthError as _, type CookieStoreConfig as a, type AccessTokenError as a0, type TokenRevocationError as a1, type OAuthEnv as a2, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type APIErrorMap as i, type OAuthProviderRecord as j, type SummaryClub as k, type SummaryGear as l, mailchimp as m, type StravaProfile as n, type SpotifyProfile as o, pinterest as p, spotify as q, gitlab as r, strava as s, discord as t, figma as u, bitbucket as v, type GitHubProfile as w, x, github as y, builtInOAuthProviders as z };