@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/index.cjs

@@ -1,1125 +1,1192 @@
-"use strict"
-var __create = Object.create
-var __defProp = Object.defineProperty
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor
-var __getOwnPropNames = Object.getOwnPropertyNames
-var __getProtoOf = Object.getPrototypeOf
-var __hasOwnProp = Object.prototype.hasOwnProperty
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
-    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
-}
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
-    if ((from && typeof from === "object") || typeof from === "function") {
-        for (let key of __getOwnPropNames(from))
-            if (!__hasOwnProp.call(to, key) && key !== except)
-                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
-    }
-    return to
-}
-var __toESM = (mod, isNodeMode, target) => (
-    (target = mod != null ? __create(__getProtoOf(mod)) : {}),
-    __copyProps(
-        // If the importer is in node compatibility mode or this is not an ESM
-        // file that has been converted to a CommonJS file using a Babel-
-        // compatible transform (i.e. "__esModule" has not been set), then set
-        // "default" to the CommonJS "module.exports" for node compatibility.
-        isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-        mod
-    )
-)
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var index_exports = {}
+var index_exports = {};
 __export(index_exports, {
-    createAuth: () => createAuth,
-})
-module.exports = __toCommonJS(index_exports)
-var import_config2 = require("dotenv/config")
-var import_router7 = require("@aura-stack/router")
+  createAuth: () => createAuth
+});
+module.exports = __toCommonJS(index_exports);
+var import_config2 = require("dotenv/config");
+var import_router7 = require("@aura-stack/router");
+
+// src/jose.ts
+var import_config = require("dotenv/config");
+var import_jose = require("@aura-stack/jose");
+
+// src/secure.ts
+var import_crypto = __toESM(require("crypto"), 1);
 
 // src/utils.ts
-var import_router = require("@aura-stack/router")
+var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-    constructor(type, message) {
-        super(message)
-        this.type = type
-        this.name = "AuthError"
-    }
-}
-var InvalidCsrfTokenError = class extends AuthError {
-    constructor(message = "The provided CSRF token is invalid or has expired") {
-        super("invalid_csrf_token", message)
-        this.name = "InvalidCsrfTokenError"
-    }
-}
-var InvalidRedirectToError = class extends AuthError {
-    constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-        super("invalid_redirect_to", message)
-        this.name = "InvalidRedirectToError"
-    }
-}
-var isAuthError = (error) => {
-    return error instanceof AuthError
-}
-var throwAuthError = (error, message) => {
-    if (error instanceof Error) {
-        if (isAuthError(error)) {
-            throw error
-        }
-        throw new AuthError("invalid_request", error.message ?? message)
-    }
-}
-var ERROR_RESPONSE = {
-    AUTHORIZATION: {
-        INVALID_REQUEST: "invalid_request",
-        UNAUTHORIZED_CLIENT: "unauthorized_client",
-        ACCESS_DENIED: "access_denied",
-        UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-        INVALID_SCOPE: "invalid_scope",
-        SERVER_ERROR: "server_error",
-        TEMPORARILY_UNAVAILABLE: "temporarily_unavailable",
-    },
-    ACCESS_TOKEN: {
-        INVALID_REQUEST: "invalid_request",
-        INVALID_CLIENT: "invalid_client",
-        INVALID_GRANT: "invalid_grant",
-        UNAUTHORIZED_CLIENT: "unauthorized_client",
-        UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-        INVALID_SCOPE: "invalid_scope",
-    },
-}
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options2) {
+    super(description, options2);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
 
 // src/utils.ts
 var toSnakeCase = (str) => {
-    return str
-        .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
-        .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
-        .toLowerCase()
-        .replace(/^_+/, "")
-}
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
 var toUpperCase = (str) => {
-    return str.toUpperCase()
-}
+  return str.toUpperCase();
+};
 var toCastCase = (obj, type = "snake") => {
-    return Object.entries(obj).reduce((previous, [key, value]) => {
-        const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key)
-        return { ...previous, [newKey]: value }
-    }, {})
-}
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
 var equals = (a, b) => {
-    if (a === null || b === null || a === void 0 || b === void 0) return false
-    return a === b
-}
-var sanitizeURL = (url2) => {
-    try {
-        let decodedURL = decodeURIComponent(url2).trim()
-        const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/)
-        let protocol = ""
-        let rest = decodedURL
-        if (protocolMatch) {
-            protocol = protocolMatch[1]
-            rest = decodedURL.slice(protocol.length)
-            const slashIndex = rest.indexOf("/")
-            if (slashIndex === -1) {
-                return protocol + rest
-            }
-            const domain = rest.slice(0, slashIndex)
-            let path = rest
-                .slice(slashIndex)
-                .replace(/\/\.\.\//g, "/")
-                .replace(/\/\.\.$/, "")
-                .replace(/\.{2,}/g, "")
-                .replace(/\/{2,}/g, "/")
-            if (path !== "/" && path.endsWith("/")) {
-                path = path.replace(/\/+$/, "/")
-            } else if (path !== "/") {
-                path = path.replace(/\/+$/, "")
-            }
-            return protocol + domain + path
-        }
-        let sanitized = decodedURL
-            .replace(/\/\.\.\//g, "/")
-            .replace(/\/\.\.$/, "")
-            .replace(/\.{2,}/g, "")
-            .replace(/\/{2,}/g, "/")
-        if (sanitized !== "/" && sanitized.endsWith("/")) {
-            sanitized = sanitized.replace(/\/+$/, "/")
-        } else if (sanitized !== "/") {
-            sanitized = sanitized.replace(/\/+$/, "")
-        }
-        return sanitized
-    } catch {
-        return url2.trim()
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+var sanitizeURL = (url) => {
+  try {
+    let decodedURL = decodeURIComponent(url).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
     }
-}
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
+    }
+    return sanitized;
+  } catch {
+    return url.trim();
+  }
+};
 var isValidRelativePath = (path) => {
-    if (!path || typeof path !== "string") return false
-    if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false
-    if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false
-    const sanitized = sanitizeURL(path)
-    if (sanitized.includes("..")) return false
-    return true
-}
+  if (!path || typeof path !== "string") return false;
+  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
+  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
+  const sanitized = sanitizeURL(path);
+  if (sanitized.includes("..")) return false;
+  return true;
+};
 var onErrorHandler = (error) => {
-    if ((0, import_router.isRouterError)(error)) {
-        const { message, status, statusText } = error
-        return Response.json({ error: "invalid_request", error_description: message }, { status, statusText })
-    }
-    if (isAuthError(error)) {
-        const { type, message } = error
-        return Response.json({ error: type, error_description: message }, { status: 400 })
-    }
-    return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 })
-}
+  if ((0, import_router.isRouterError)(error)) {
+    const { message, status, statusText } = error;
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
+  }
+  if ((0, import_router.isInvalidZodSchemaError)(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
+  }
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
+};
 var getNormalizedOriginPath = (path) => {
-    try {
-        const url2 = new URL(path)
-        url2.hash = ""
-        url2.search = ""
-        return `${url2.origin}${url2.pathname}`
-    } catch {
-        return sanitizeURL(path)
-    }
-}
+  try {
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
 var toISOString = (date) => {
-    return new Date(date).toISOString()
-}
+  return new Date(date).toISOString();
+};
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
-// src/jose.ts
-var import_config = require("dotenv/config")
-var import_jose = require("@aura-stack/jose")
+// src/assert.ts
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 
 // src/secure.ts
-var import_node_crypto = __toESM(require("crypto"), 1)
 var generateSecure = (length = 32) => {
-    return import_node_crypto.default.randomBytes(length).toString("base64url")
-}
+  return import_crypto.default.randomBytes(length).toString("base64url");
+};
 var createHash = (data, base = "hex") => {
-    return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base)
-}
+  return import_crypto.default.createHash("sha256").update(data).digest().toString(base);
+};
 var createPKCE = async (verifier) => {
-    const codeVerifier = verifier ?? generateSecure(86)
-    const codeChallenge = createHash(codeVerifier, "base64url")
-    return { codeVerifier, codeChallenge, method: "S256" }
-}
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
 var createCSRF = async (jose, csrfCookie) => {
-    try {
-        const token = generateSecure(32)
-        if (csrfCookie) {
-            await jose.verifyJWS(csrfCookie)
-            return csrfCookie
-        }
-        return jose.signJWS({ token })
-    } catch {
-        const token = generateSecure(32)
-        return jose.signJWS({ token })
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
     }
-}
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
 var verifyCSRF = async (jose, cookie, header) => {
-    try {
-        const { token: cookieToken } = await jose.verifyJWS(cookie)
-        const { token: headerToken } = await jose.verifyJWS(header)
-        const cookieBuffer = Buffer.from(cookieToken)
-        const headerBuffer = Buffer.from(headerToken)
-        if (!equals(headerBuffer.length, cookieBuffer.length)) {
-            throw new InvalidCsrfTokenError()
-        }
-        if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
-            throw new InvalidCsrfTokenError()
-        }
-        return true
-    } catch {
-        throw new InvalidCsrfTokenError()
+  try {
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
-}
+    if (!import_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    return true;
+  } catch {
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+  }
+};
 var createDerivedSalt = (secret) => {
-    return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex")
-}
+  return import_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
 
 // src/jose.ts
 var createJoseInstance = (secret) => {
-    secret ?? (secret = process.env.AURA_AUTH_SECRET)
-    if (!secret) {
-        throw new AuthError("JOSE_INIT_ERROR", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.")
-    }
-    const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret)
-    const { derivedKey: derivedSessionKey } = (0, import_jose.createDeriveKey)(secret, salt, "session")
-    const { derivedKey: derivedCsrfTokenKey } = (0, import_jose.createDeriveKey)(secret, salt, "csrfToken")
-    const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)(derivedSessionKey)
-    const { signJWS, verifyJWS } = (0, import_jose.createJWS)(derivedCsrfTokenKey)
-    return {
-        decodeJWT,
-        encodeJWT,
-        signJWS,
-        verifyJWS,
-    }
-}
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
+  if (!secret) {
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
+  }
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = (0, import_jose.createDeriveKey)(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = (0, import_jose.createDeriveKey)(secret, salt, "encryption");
+  const { derivedKey: derivedCsrfTokenKey } = (0, import_jose.createDeriveKey)(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
+  const { signJWS, verifyJWS } = (0, import_jose.createJWS)(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = (0, import_jose.createJWE)(derivedEncryptionKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
+  };
+};
 
 // src/cookie.ts
-var import_cookie = require("cookie")
-
-// src/assert.ts
-var isRequest = (value) => {
-    return typeof Request !== "undefined" && value instanceof Request
-}
-var isValidURL = (value) => {
-    if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false
-    const regex =
-        /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/
-    return regex.test(value)
-}
-
-// src/cookie.ts
-var import_cookie2 = require("cookie")
-var COOKIE_NAME = "aura-auth"
+var import_cookie = require("@aura-stack/router/cookie");
+var COOKIE_NAME = "aura-auth";
 var defaultCookieOptions = {
-    httpOnly: true,
-    sameSite: "lax",
-    path: "/",
-    maxAge: 60 * 60 * 24 * 15,
-}
-var defaultCookieConfig = {
-    strategy: "standard",
-    name: COOKIE_NAME,
-    options: defaultCookieOptions,
-}
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
 var defaultStandardCookieConfig = {
-    secure: false,
-    httpOnly: true,
-    prefix: "",
-}
+  secure: false,
+  httpOnly: true
+};
 var defaultSecureCookieConfig = {
-    secure: true,
-    prefix: "__Secure-",
-}
+  secure: true,
+  httpOnly: true
+};
 var defaultHostCookieConfig = {
-    secure: true,
-    prefix: "__Host-",
-    path: "/",
-    domain: void 0,
-}
-var expiredCookieOptions = {
-    ...defaultCookieOptions,
-    expires: /* @__PURE__ */ new Date(0),
-    maxAge: 0,
-}
-var defineDefaultCookieOptions = (options2) => {
-    return {
-        name: options2?.name ?? COOKIE_NAME,
-        prefix: options2?.prefix ?? (options2?.secure ? "__Secure-" : ""),
-        ...defaultCookieOptions,
-        ...options2,
-    }
-}
+  secure: true,
+  httpOnly: true,
+  path: "/",
+  domain: void 0
+};
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
 var setCookie = (cookieName, value, options2) => {
-    const { prefix, name } = defineDefaultCookieOptions(options2)
-    const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`
-    return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-        ...defaultCookieOptions,
-        ...options2,
-    })
-}
-var getCookie = (petition, cookie, options2, optional = false) => {
-    const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ")
-    if (!cookies) {
-        if (optional) {
-            return ""
-        }
-        throw new AuthError("invalid_request", "No cookies found. There is no active session")
+  return (0, import_cookie.serialize)(cookieName, value, options2);
+};
+var expiredCookieAttributes = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
+  }
+  const value = (0, import_cookie.parse)(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
+  }
+  return value;
+};
+var createSessionCookie = async (jose, session) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return encoded;
+  } catch (error) {
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
+  }
+};
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!useSecure) {
+    if (attributes.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
     }
-    const { name, prefix } = defineDefaultCookieOptions(options2)
-    const parsedCookies = (0, import_cookie.parse)(cookies)
-    const value = parsedCookies[`${prefix}${name}.${cookie}`]
-    if (value === void 0) {
-        if (optional) {
-            return ""
-        }
-        throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`)
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
     }
-    return value
-}
-var createSessionCookie = async (session, cookieOptions, jose) => {
-    try {
-        const encoded = await jose.encodeJWT(session)
-        return setCookie("sessionToken", encoded, cookieOptions)
-    } catch (error) {
-        throw new AuthError("server_error", "Failed to create session cookie", { cause: error })
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
     }
-}
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-    const name = cookieOptions.name ?? COOKIE_NAME
-    const isSecure = trustedProxyHeaders
-        ? request.url.startsWith("https://") ||
-          request.headers.get("X-Forwarded-Proto") === "https" ||
-          request.headers.get("Forwarded")?.includes("proto=https")
-        : request.url.startsWith("https://")
-    if (!cookieOptions.options?.httpOnly) {
-        console.warn(
-            "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-        )
-    }
-    if (cookieOptions.options?.domain === "*") {
-        console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.")
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
     }
-    if (!isSecure) {
-        const options2 = cookieOptions.options
-        if (options2?.secure) {
-            console.warn(
-                "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-            )
-        }
-        if (options2?.sameSite == "none") {
-            console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.")
-        }
-        if (process.env.NODE_ENV === "production") {
-            console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.")
-        }
-        return {
-            ...defaultCookieOptions,
-            ...cookieOptions.options,
-            sameSite: options2?.sameSite === "none" ? "lax" : (options2?.sameSite ?? "lax"),
-            ...defaultStandardCookieConfig,
-            name,
-        }
-    }
-    return cookieOptions.strategy === "host"
-        ? {
-              ...defaultCookieOptions,
-              ...cookieOptions.options,
-              ...defaultHostCookieConfig,
-              name,
-          }
-        : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name }
-}
-var expireCookie = (name, options2) => {
-    return setCookie(name, "", { ...options2, ...expiredCookieOptions })
-}
-var oauthCookie = (options2) => {
     return {
-        ...options2,
-        secure: options2.secure,
-        httpOnly: options2.httpOnly,
-        maxAge: 5 * 60,
-        expires: new Date(Date.now() + 5 * 60 * 1e3),
+      ...defaultCookieOptions,
+      ...attributes,
+      ...defaultStandardCookieConfig
+    };
+  }
+  return strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
+  return {
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "session_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrf_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirectTo: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectTo?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectTo?.attributes
+        },
+        overrides?.redirectTo?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirectURI: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectURI?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectURI?.attributes
+        },
+        overrides?.redirectURI?.attributes?.strategy ?? "secure"
+      )
+    },
+    codeVerifier: {
+      name: `${securePrefix}${prefix}.${overrides?.codeVerifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.codeVerifier?.attributes
+        },
+        overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+      )
     }
-}
+  };
+};
 
 // src/oauth/github.ts
 var github = {
-    id: "github",
-    name: "GitHub",
-    authorizeURL: "https://github.com/login/oauth/authorize",
-    accessToken: "https://github.com/login/oauth/access_token",
-    userInfo: "https://api.github.com/user",
-    scope: "read:user user:email",
-    responseType: "code",
-}
+  id: "github",
+  name: "GitHub",
+  authorizeURL: "https://github.com/login/oauth/authorize",
+  accessToken: "https://github.com/login/oauth/access_token",
+  userInfo: "https://api.github.com/user",
+  scope: "read:user user:email",
+  responseType: "code"
+};
 
 // src/oauth/bitbucket.ts
 var bitbucket = {
-    id: "bitbucket",
-    name: "Bitbucket",
-    authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
-    accessToken: "https://bitbucket.org/site/oauth2/access_token",
-    userInfo: "https://api.bitbucket.org/2.0/user",
-    scope: "account email",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.uuid ?? profile.account_id,
-            name: profile.display_name ?? profile.nickname,
-            image: profile.links.avatar.href,
-        }
-    },
-}
+  id: "bitbucket",
+  name: "Bitbucket",
+  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+  accessToken: "https://bitbucket.org/site/oauth2/access_token",
+  userInfo: "https://api.bitbucket.org/2.0/user",
+  scope: "account email",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.uuid ?? profile.account_id,
+      name: profile.display_name ?? profile.nickname,
+      image: profile.links.avatar.href
+    };
+  }
+};
 
 // src/oauth/figma.ts
 var figma = {
-    id: "figma",
-    name: "Figma",
-    authorizeURL: "https://www.figma.com/oauth",
-    accessToken: "https://api.figma.com/v1/oauth/token",
-    userInfo: "https://api.figma.com/v1/me",
-    scope: "current_user:read",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.handle,
-            email: profile.email,
-            image: profile.img_url,
-        }
-    },
-}
+  id: "figma",
+  name: "Figma",
+  authorizeURL: "https://www.figma.com/oauth",
+  accessToken: "https://api.figma.com/v1/oauth/token",
+  userInfo: "https://api.figma.com/v1/me",
+  scope: "current_user:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.handle,
+      email: profile.email,
+      image: profile.img_url
+    };
+  }
+};
 
 // src/oauth/discord.ts
 var discord = {
-    id: "discord",
-    name: "Discord",
-    authorizeURL: "https://discord.com/oauth2/authorize",
-    accessToken: "https://discord.com/api/oauth2/token",
-    userInfo: "https://discord.com/api/users/@me",
-    scope: "identify email",
-    responseType: "code",
-    profile(profile) {
-        let image = ""
-        if (profile.avatar === null) {
-            const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5
-            image = `https://cdn.discordapp.com/embed/avatars/${index}.png`
-        } else {
-            const format = profile.avatar.startsWith("a_") ? "gif" : "png"
-            image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`
-        }
-        return {
-            sub: profile.id,
-            // https://discord.com/developers/docs/change-log#display-names
-            name: profile.global_name ?? profile.username,
-            email: profile.email ?? "",
-            image,
-        }
-    },
-}
+  id: "discord",
+  name: "Discord",
+  authorizeURL: "https://discord.com/oauth2/authorize",
+  accessToken: "https://discord.com/api/oauth2/token",
+  userInfo: "https://discord.com/api/users/@me",
+  scope: "identify email",
+  responseType: "code",
+  profile(profile) {
+    let image = "";
+    if (profile.avatar === null) {
+      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
+      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
+    } else {
+      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+    }
+    return {
+      sub: profile.id,
+      name: profile.global_name ?? profile.username,
+      email: profile.email ?? "",
+      image
+    };
+  }
+};
 
 // src/oauth/gitlab.ts
 var gitlab = {
-    id: "gitlab",
-    name: "GitLab",
-    authorizeURL: "https://gitlab.com/oauth/authorize",
-    accessToken: "https://gitlab.com/oauth/token",
-    userInfo: "https://gitlab.com/api/v4/user",
-    scope: "read_user",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id.toString(),
-            name: profile.name ?? profile.username,
-            email: profile.email,
-            avatar: profile.avatar_url,
-        }
-    },
-}
+  id: "gitlab",
+  name: "GitLab",
+  authorizeURL: "https://gitlab.com/oauth/authorize",
+  accessToken: "https://gitlab.com/oauth/token",
+  userInfo: "https://gitlab.com/api/v4/user",
+  scope: "read_user",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: profile.name ?? profile.username,
+      email: profile.email,
+      avatar: profile.avatar_url
+    };
+  }
+};
 
 // src/oauth/spotify.ts
 var spotify = {
-    id: "spotify",
-    name: "Spotify",
-    authorizeURL: "https://accounts.spotify.com/authorize",
-    accessToken: "https://accounts.spotify.com/api/token",
-    userInfo: "https://api.spotify.com/v1/me",
-    scope: "user-read-email user-read-private",
-    responseType: "token",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.display_name,
-            email: profile.email,
-            image: profile.images?.[0]?.url,
-        }
-    },
-}
+  id: "spotify",
+  name: "Spotify",
+  authorizeURL: "https://accounts.spotify.com/authorize",
+  accessToken: "https://accounts.spotify.com/api/token",
+  userInfo: "https://api.spotify.com/v1/me",
+  scope: "user-read-email user-read-private",
+  responseType: "token",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.display_name,
+      email: profile.email,
+      image: profile.images?.[0]?.url
+    };
+  }
+};
 
 // src/oauth/x.ts
 var x = {
-    id: "x",
-    name: "X",
-    authorizeURL: "https://x.com/i/oauth2/authorize",
-    accessToken: "https://api.x.com/2/oauth2/token",
-    userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
-    scope: "users.read users.email tweet.read offline.access",
-    responseType: "code",
-    profile({ data }) {
-        return {
-            sub: data.id,
-            name: data.name,
-            image: data.profile_image_url,
-            email: "",
-        }
-    },
-}
+  id: "x",
+  name: "X",
+  authorizeURL: "https://x.com/i/oauth2/authorize",
+  accessToken: "https://api.x.com/2/oauth2/token",
+  userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
+  scope: "users.read users.email tweet.read offline.access",
+  responseType: "code",
+  profile({ data }) {
+    return {
+      sub: data.id,
+      name: data.name,
+      image: data.profile_image_url,
+      email: ""
+    };
+  }
+};
+
+// src/oauth/strava.ts
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
+    };
+  }
+};
+
+// src/oauth/mailchimp.ts
+var mailchimp = {
+  id: "mailchimp",
+  name: "Mailchimp",
+  authorizeURL: "https://login.mailchimp.com/oauth2/authorize",
+  accessToken: "https://login.mailchimp.com/oauth2/token",
+  userInfo: "https://login.mailchimp.com/oauth2/metadata",
+  scope: "",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.user_id,
+      name: profile.accountname,
+      email: profile.login.login_email,
+      image: null
+    };
+  }
+};
+
+// src/oauth/pinterest.ts
+var pinterest = {
+  id: "pinterest",
+  name: "Pinterest",
+  authorizeURL: "https://api.pinterest.com/oauth/",
+  accessToken: "https://api.pinterest.com/v5/oauth/token",
+  userInfo: "https://api.pinterest.com/v5/user_account",
+  scope: "user_accounts:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.username,
+      email: null,
+      image: profile.profile_image
+    };
+  }
+};
+
+// src/schemas.ts
+var import_zod = require("zod");
+var OAuthProviderConfigSchema = (0, import_zod.object)({
+  authorizeURL: (0, import_zod.string)().url(),
+  accessToken: (0, import_zod.string)().url(),
+  scope: (0, import_zod.string)().optional(),
+  userInfo: (0, import_zod.string)().url(),
+  responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_zod.string)(),
+  clientSecret: (0, import_zod.string)()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_zod.string)(),
+  state: (0, import_zod.string)(),
+  codeChallenge: (0, import_zod.string)(),
+  codeChallengeMethod: (0, import_zod.enum)(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = (0, import_zod.object)({
+  state: (0, import_zod.string)({ message: "Missing state parameter in the OAuth authorization response." }),
+  code: (0, import_zod.string)({ message: "Missing code parameter in the OAuth authorization response." })
+});
+var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional(),
+  state: (0, import_zod.string)()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: (0, import_zod.string)(),
+  code: (0, import_zod.string)(),
+  codeVerifier: (0, import_zod.string)().min(43).max(128)
+});
+var OAuthAccessTokenResponse = (0, import_zod.object)({
+  access_token: (0, import_zod.string)(),
+  token_type: (0, import_zod.string)().optional(),
+  expires_in: (0, import_zod.number)().optional(),
+  refresh_token: (0, import_zod.string)().optional(),
+  scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
+});
+var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional()
+});
+var OAuthErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.string)(),
+  error_description: (0, import_zod.string)().optional()
+});
+var OAuthEnvSchema = (0, import_zod.object)({
+  clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
 // src/oauth/index.ts
 var builtInOAuthProviders = {
-    github,
-    bitbucket,
-    figma,
-    discord,
-    gitlab,
-    spotify,
-    x,
-}
+  github,
+  bitbucket,
+  figma,
+  discord,
+  gitlab,
+  spotify,
+  x,
+  strava,
+  mailchimp,
+  pinterest
+};
 var defineOAuthEnvironment = (oauth) => {
-    const env = process.env
-    return {
-        clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
-        clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`],
-    }
-}
+  const env = process.env;
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
+};
 var defineOAuthProviderConfig = (config2) => {
-    if (typeof config2 === "string") {
-        const definition = defineOAuthEnvironment(config2)
-        const oauthConfig = builtInOAuthProviders[config2]
-        return {
-            ...oauthConfig,
-            ...definition,
-        }
-    }
-    return config2
-}
+  if (typeof config2 === "string") {
+    const definition = defineOAuthEnvironment(config2);
+    const oauthConfig = builtInOAuthProviders[config2];
+    return {
+      ...oauthConfig,
+      ...definition
+    };
+  }
+  return config2;
+};
 var createBuiltInOAuthProviders = (oauth = []) => {
-    return oauth.reduce((previous, config2) => {
-        const oauthConfig = defineOAuthProviderConfig(config2)
-        return { ...previous, [oauthConfig.id]: oauthConfig }
-    }, {})
-}
+  return oauth.reduce((previous, config2) => {
+    const oauthConfig = defineOAuthProviderConfig(config2);
+    return { ...previous, [oauthConfig.id]: oauthConfig };
+  }, {});
+};
 
 // src/actions/signIn/signIn.ts
-var import_zod = __toESM(require("zod"), 1)
-var import_router2 = require("@aura-stack/router")
-
-// src/response.ts
-var AuraResponse = class extends Response {
-    static json(body, init) {
-        return Response.json(body, init)
-    }
-}
+var import_zod2 = require("zod");
+var import_router2 = require("@aura-stack/router");
 
-// src/schemas.ts
-var import_v4 = require("zod/v4")
-var OAuthProviderConfigSchema = (0, import_v4.object)({
-    authorizeURL: (0, import_v4.url)(),
-    accessToken: (0, import_v4.url)(),
-    scope: (0, import_v4.string)().optional(),
-    userInfo: (0, import_v4.url)(),
-    responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
-    clientId: (0, import_v4.string)(),
-    clientSecret: (0, import_v4.string)(),
-})
-var OAuthAuthorization = OAuthProviderConfigSchema.extend({
-    redirectURI: (0, import_v4.string)(),
-    state: (0, import_v4.string)(),
-    codeChallenge: (0, import_v4.string)(),
-    codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"]),
-})
-var OAuthAuthorizationResponse = (0, import_v4.object)({
-    state: (0, import_v4.string)(),
-    code: (0, import_v4.string)(),
-})
-var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
-    error: (0, import_v4.enum)([
-        "invalid_request",
-        "unauthorized_client",
-        "access_denied",
-        "unsupported_response_type",
-        "invalid_scope",
-        "server_error",
-        "temporarily_unavailable",
-    ]),
-    error_description: (0, import_v4.string)().optional(),
-    error_uri: (0, import_v4.string)().optional(),
-    state: (0, import_v4.string)(),
-})
-var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-    redirectURI: (0, import_v4.string)(),
-    code: (0, import_v4.string)(),
-    codeVerifier: (0, import_v4.string)().min(43).max(128),
-})
-var OAuthAccessTokenResponse = (0, import_v4.object)({
-    access_token: (0, import_v4.string)(),
-    token_type: (0, import_v4.string)(),
-    expires_in: (0, import_v4.number)().optional(),
-    refresh_token: (0, import_v4.string)().optional(),
-    scope: (0, import_v4.string)().optional(),
-})
-var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
-    error: (0, import_v4.enum)([
-        "invalid_request",
-        "invalid_client",
-        "invalid_grant",
-        "unauthorized_client",
-        "unsupported_grant_type",
-        "invalid_scope",
-    ]),
-    error_description: (0, import_v4.string)().optional(),
-    error_uri: (0, import_v4.string)().optional(),
-})
-var OAuthErrorResponse = (0, import_v4.object)({
-    error: (0, import_v4.string)(),
-    error_description: (0, import_v4.string)().optional(),
-})
+// src/headers.ts
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
-    const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod })
-    if (!parsed.success) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration")
-    }
-    const { authorizeURL, ...options2 } = parsed.data
-    const { userInfo, accessToken, clientSecret, ...required } = options2
-    const searchParams = new URLSearchParams(toCastCase(required))
-    return `${authorizeURL}?${searchParams}`
-}
+  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { authorizeURL, ...options2 } = parsed.data;
+  const { userInfo, accessToken, clientSecret, ...required } = options2;
+  const searchParams = new URLSearchParams(toCastCase(required));
+  return `${authorizeURL}?${searchParams}`;
+};
 var getOriginURL = (request, trustedProxyHeaders) => {
-    const headers = request.headers
-    if (trustedProxyHeaders) {
-        const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http"
-        const host =
-            headers.get("X-Forwarded-Host") ??
-            headers.get("Host") ??
-            headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ??
-            null
-        return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`)
-    } else {
-        return new URL(getNormalizedOriginPath(request.url))
-    }
-}
+  const headers = request.headers;
+  if (trustedProxyHeaders) {
+    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
+    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
+    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
+  } else {
+    return new URL(getNormalizedOriginPath(request.url));
+  }
+};
 var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
-    const url2 = getOriginURL(request, trustedProxyHeaders)
-    return `${url2.origin}${basePath}/callback/${oauth}`
-}
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
+};
 var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
-    try {
-        const headers = request.headers
-        const origin = headers.get("Origin")
-        const referer = headers.get("Referer")
-        let hostedURL = getOriginURL(request, trustedProxyHeaders)
-        if (redirectTo) {
-            if (redirectTo.startsWith("/")) {
-                return sanitizeURL(redirectTo)
-            }
-            const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)))
-            if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-                throw new InvalidRedirectToError()
-            }
-            return sanitizeURL(redirectToURL.pathname)
-        }
-        if (referer) {
-            const refererURL = new URL(sanitizeURL(referer))
-            if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-                throw new AuthError(
-                    ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
-                    "The referer of the request does not match the hosted origin."
-                )
-            }
-            return sanitizeURL(refererURL.pathname)
-        }
-        if (origin) {
-            const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)))
-            if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-                throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
-            }
-            return sanitizeURL(originURL.pathname)
-        }
-        return "/"
-    } catch (error) {
-        if (isAuthError(error)) {
-            throw error
-        }
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).")
+  try {
+    const headers = request.headers;
+    const origin = headers.get("Origin");
+    const referer = headers.get("Referer");
+    let hostedURL = getOriginURL(request, trustedProxyHeaders);
+    if (redirectTo) {
+      if (redirectTo.startsWith("/")) {
+        return sanitizeURL(redirectTo);
+      }
+      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
+      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(redirectToURL.pathname);
+    }
+    if (referer) {
+      const refererURL = new URL(sanitizeURL(referer));
+      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The referer of the request does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(refererURL.pathname);
+    }
+    if (origin) {
+      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
+      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+      }
+      return sanitizeURL(originURL.pathname);
+    }
+    return "/";
+  } catch (error) {
+    if (isAuthSecurityError(error)) {
+      throw error;
     }
-}
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+  }
+};
 
 // src/actions/signIn/signIn.ts
 var signInConfig = (oauth) => {
-    return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
-        schemas: {
-            params: import_zod.default.object({
-                oauth: import_zod.default.enum(Object.keys(oauth)),
-                redirectTo: import_zod.default.string().optional(),
-            }),
-        },
-    })
-}
+  return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
+    schemas: {
+      params: import_zod2.z.object({
+        oauth: import_zod2.z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: import_zod2.z.object({
+        redirectTo: import_zod2.z.string().optional()
+      })
+    }
+  });
+};
 var signInAction = (oauth) => {
-    return (0, import_router2.createEndpoint)(
-        "GET",
-        "/signIn/:oauth",
-        async (ctx) => {
-            const {
-                request,
-                params: { oauth: oauth2, redirectTo },
-                context: { oauth: providers, cookies, trustedProxyHeaders, basePath },
-            } = ctx
-            try {
-                const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
-                const state = generateSecure()
-                const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders)
-                const stateCookie = setCookie("state", state, oauthCookie(cookieOptions))
-                const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions))
-                const redirectToCookie = setCookie(
-                    "redirect_to",
-                    createRedirectTo(request, redirectTo, trustedProxyHeaders),
-                    oauthCookie(cookieOptions)
-                )
-                const { codeVerifier, codeChallenge, method } = await createPKCE()
-                const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions))
-                const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method)
-                const headers = new Headers()
-                headers.set("Location", authorization)
-                headers.append("Set-Cookie", stateCookie)
-                headers.append("Set-Cookie", redirectURICookie)
-                headers.append("Set-Cookie", redirectToCookie)
-                headers.append("Set-Cookie", codeVerifierCookie)
-                return Response.json(
-                    { oauth: oauth2 },
-                    {
-                        status: 302,
-                        headers,
-                    }
-                )
-            } catch (error) {
-                if (isAuthError(error)) {
-                    const { type, message } = error
-                    return AuraResponse.json(
-                        { error: type, error_description: message },
-                        { status: import_router2.statusCode.BAD_REQUEST }
-                    )
-                }
-                return AuraResponse.json(
-                    {
-                        error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
-                        error_description: "An unexpected error occurred",
-                    },
-                    { status: import_router2.statusCode.INTERNAL_SERVER_ERROR }
-                )
-            }
-        },
-        signInConfig(oauth)
-    )
-}
+  return (0, import_router2.createEndpoint)(
+    "GET",
+    "/signIn/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { redirectTo },
+        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
+      } = ctx;
+      const state = generateSecure();
+      const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+      const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders);
+      const { codeVerifier, codeChallenge, method } = await createPKCE();
+      const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+      const headers = new import_router2.HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
+      return Response.json(
+        { oauth: oauth2 },
+        {
+          status: 302,
+          headers
+        }
+      );
+    },
+    signInConfig(oauth)
+  );
+};
 
 // src/actions/callback/callback.ts
-var import_zod2 = __toESM(require("zod"), 1)
-var import_router3 = require("@aura-stack/router")
+var import_zod3 = require("zod");
+var import_router3 = require("@aura-stack/router");
 
-// src/headers.ts
-var cacheControl = {
-    "Cache-Control": "no-store",
-    Pragma: "no-cache",
-    Expires: "0",
-    Vary: "Cookie",
-}
+// src/request.ts
+var fetchAsync = async (url, options2 = {}, timeout = 5e3) => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  const response = await fetch(url, {
+    ...options2,
+    signal: controller.signal
+  }).finally(() => clearTimeout(timeoutId));
+  return response;
+};
 
 // src/actions/callback/userinfo.ts
 var getDefaultUserInfo = (profile) => {
-    const sub = generateSecure(16)
-    return {
-        sub: profile?.id ?? profile?.sub ?? sub,
-        email: profile?.email,
-        name: profile?.name ?? profile?.username ?? profile?.nickname,
-        image: profile?.image ?? profile?.picture,
-    }
-}
+  const sub = generateSecure(16);
+  return {
+    sub: profile?.id ?? profile?.sub ?? sub,
+    email: profile?.email,
+    name: profile?.name ?? profile?.username ?? profile?.nickname,
+    image: profile?.image ?? profile?.picture
+  };
+};
 var getUserInfo = async (oauthConfig, accessToken) => {
-    const userinfoEndpoint = oauthConfig.userInfo
-    try {
-        const response = await fetch(userinfoEndpoint, {
-            method: "GET",
-            headers: {
-                Accept: "application/json",
-                Authorization: `Bearer ${accessToken}`,
-            },
-        })
-        const json = await response.json()
-        const { success, data } = OAuthErrorResponse.safeParse(json)
-        if (success) {
-            throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.")
-        }
-        return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json)
-    } catch (error) {
-        throw throwAuthError(error, "Failed to retrieve userinfo")
+  const userinfoEndpoint = oauthConfig.userInfo;
+  try {
+    const response = await fetchAsync(userinfoEndpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    const json = await response.json();
+    const { success, data } = OAuthErrorResponse.safeParse(json);
+    if (success) {
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
+    }
+    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
+  } catch (error) {
+    if (isOAuthProtocolError(error)) {
+      throw error;
     }
-}
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
+  }
+};
 
 // src/actions/callback/access-token.ts
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
-    const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier })
-    if (!parsed.success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration")
-    }
-    const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data
-    try {
-        const response = await fetch(accessToken, {
-            method: "POST",
-            headers: {
-                Accept: "application/json",
-                "Content-Type": "application/x-www-form-urlencoded",
-            },
-            body: new URLSearchParams({
-                client_id: clientId,
-                client_secret: clientSecret,
-                code: codeParsed,
-                redirect_uri: redirectParsed,
-                grant_type: "authorization_code",
-                code_verifier: codeVerifier,
-            }).toString(),
-        })
-        const json = await response.json()
-        const token = OAuthAccessTokenResponse.safeParse(json)
-        if (!token.success) {
-            const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json)
-            if (!success) {
-                throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format")
-            }
-            throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token")
-        }
-        return token.data
-    } catch (error) {
-        throw throwAuthError(error, "Failed to create access token")
+  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
+  try {
+    const response = await fetchAsync(accessToken, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: codeParsed,
+        redirect_uri: redirectParsed,
+        grant_type: "authorization_code",
+        code_verifier: codeVerifier
+      }).toString()
+    });
+    const json = await response.json();
+    const token = OAuthAccessTokenResponse.safeParse(json);
+    if (!token.success) {
+      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+      if (!success) {
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
+      }
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
     }
-}
+    return token.data;
+  } catch (error) {
+    throw error;
+  }
+};
 
 // src/actions/callback/callback.ts
 var callbackConfig = (oauth) => {
-    return (0, import_router3.createEndpointConfig)("/callback/:oauth", {
-        schemas: {
-            searchParams: OAuthAuthorizationResponse,
-            params: import_zod2.default.object({
-                oauth: import_zod2.default.enum(Object.keys(oauth)),
-            }),
-        },
-        middlewares: [
-            (ctx) => {
-                const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams)
-                if (response.success) {
-                    const { error, error_description } = response.data
-                    throw new AuthError(error, error_description ?? "OAuth Authorization Error")
-                }
-                return ctx
-            },
-        ],
-    })
-}
+  return (0, import_router3.createEndpointConfig)("/callback/:oauth", {
+    schemas: {
+      params: import_zod3.z.object({
+        oauth: import_zod3.z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: import_zod3.z.object({
+        code: import_zod3.z.string("Missing code parameter in the OAuth authorization response."),
+        state: import_zod3.z.string("Missing state parameter in the OAuth authorization response.")
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
 var callbackAction = (oauth) => {
-    return (0, import_router3.createEndpoint)(
-        "GET",
-        "/callback/:oauth",
-        async (ctx) => {
-            const {
-                request,
-                params: { oauth: oauth2 },
-                searchParams: { code, state },
-                context: { oauth: providers, cookies, jose, trustedProxyHeaders },
-            } = ctx
-            try {
-                const oauthConfig = providers[oauth2]
-                const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
-                const cookieState = getCookie(request, "state", cookieOptions)
-                const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions)
-                const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions)
-                const codeVerifier = getCookie(request, "code_verifier", cookieOptions)
-                if (!equals(cookieState, state)) {
-                    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state")
-                }
-                const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier)
-                const sanitized = sanitizeURL(cookieRedirectTo)
-                if (!isValidRelativePath(sanitized)) {
-                    throw new AuthError(
-                        ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-                        "Invalid redirect path. Potential open redirect attack detected."
-                    )
-                }
-                const headers = new Headers(cacheControl)
-                headers.set("Location", sanitized)
-                const userInfo = await getUserInfo(oauthConfig, accessToken.access_token)
-                const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose)
-                const csrfToken = await createCSRF(jose)
-                const csrfCookie = setCookie(
-                    "csrfToken",
-                    csrfToken,
-                    secureCookieOptions(
-                        request,
-                        {
-                            ...cookies,
-                            strategy: "host",
-                        },
-                        trustedProxyHeaders
-                    )
-                )
-                headers.set("Set-Cookie", sessionCookie)
-                headers.append("Set-Cookie", expireCookie("state", cookieOptions))
-                headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions))
-                headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions))
-                headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions))
-                headers.append("Set-Cookie", csrfCookie)
-                return Response.json({ oauth: oauth2 }, { status: 302, headers })
-            } catch (error) {
-                if (isAuthError(error)) {
-                    const { type, message } = error
-                    return AuraResponse.json(
-                        { error: type, error_description: message },
-                        { status: import_router3.statusCode.BAD_REQUEST }
-                    )
-                }
-                return AuraResponse.json(
-                    {
-                        error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-                        error_description: "An unexpected error occurred",
-                    },
-                    { status: import_router3.statusCode.INTERNAL_SERVER_ERROR }
-                )
-            }
-        },
-        callbackConfig(oauth)
-    )
-}
+  return (0, import_router3.createEndpoint)(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose }
+      } = ctx;
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirectTo.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirectURI.name);
+      const codeVerifier = getCookie(request, cookies.codeVerifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
+        );
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
+        );
+      }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new import_router3.HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirectURI.name, "", expiredCookieAttributes).setCookie(cookies.redirectTo.name, "", expiredCookieAttributes).setCookie(cookies.codeVerifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
+    },
+    callbackConfig(oauth)
+  );
+};
 
 // src/actions/session/session.ts
-var import_router4 = require("@aura-stack/router")
+var import_router4 = require("@aura-stack/router");
 var sessionAction = (0, import_router4.createEndpoint)("GET", "/session", async (ctx) => {
-    const {
-        request,
-        context: { cookies, jose, trustedProxyHeaders },
-    } = ctx
-    const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
-    try {
-        const session = getCookie(request, "sessionToken", cookieOptions)
-        const decoded = await jose.decodeJWT(session)
-        const { exp, iat, jti, nbf, ...user } = decoded
-        const headers = new Headers(cacheControl)
-        return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers })
-    } catch {
-        const headers = new Headers(cacheControl)
-        const sessionCookie = expireCookie("sessionToken", cookieOptions)
-        headers.set("Set-Cookie", sessionCookie)
-        return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers })
-    }
-})
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  try {
+    const session = getCookie(request, cookies.sessionToken.name);
+    const decoded = await jose.decodeJWT(session);
+    const { exp, iat, jti, nbf, ...user } = decoded;
+    const headers = new Headers(cacheControl);
+    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
+  } catch (error) {
+    const headers = new import_router4.HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
+  }
+});
 
 // src/actions/signOut/signOut.ts
-var import_zod3 = __toESM(require("zod"), 1)
-var import_router5 = require("@aura-stack/router")
+var import_zod4 = require("zod");
+var import_router5 = require("@aura-stack/router");
 var config = (0, import_router5.createEndpointConfig)({
-    schemas: {
-        searchParams: import_zod3.default.object({
-            token_type_hint: import_zod3.default.literal("session_token"),
-            redirectTo: import_zod3.default.string().optional(),
-        }),
-    },
-})
+  schemas: {
+    searchParams: import_zod4.z.object({
+      token_type_hint: import_zod4.z.literal("session_token"),
+      redirectTo: import_zod4.z.string().optional()
+    })
+  }
+});
 var signOutAction = (0, import_router5.createEndpoint)(
-    "POST",
-    "/signOut",
-    async (ctx) => {
-        const {
-            request,
-            headers,
-            searchParams: { redirectTo },
-            context: { cookies, jose, trustedProxyHeaders },
-        } = ctx
-        try {
-            const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders)
-            const session = getCookie(request, "sessionToken", cookiesOptions)
-            const csrfToken = getCookie(request, "csrfToken", {
-                ...cookiesOptions,
-                prefix: cookiesOptions.secure ? "__Host-" : "",
-            })
-            const header = headers.get("X-CSRF-Token")
-            if (!header || !session || !csrfToken) {
-                throw new Error("Missing CSRF token or session token")
-            }
-            await verifyCSRF(jose, csrfToken, header)
-            await jose.decodeJWT(session)
-            const normalizedOriginPath = getNormalizedOriginPath(request.url)
-            const location = createRedirectTo(
-                new Request(normalizedOriginPath, {
-                    headers,
-                }),
-                redirectTo
-            )
-            const responseHeaders = new Headers(cacheControl)
-            responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions))
-            responseHeaders.append(
-                "Set-Cookie",
-                expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
-            )
-            responseHeaders.append("Location", location)
-            return Response.json(
-                { message: "Signed out successfully" },
-                { status: import_router5.statusCode.ACCEPTED, headers: responseHeaders }
-            )
-        } catch (error) {
-            if (error instanceof InvalidCsrfTokenError) {
-                return AuraResponse.json(
-                    {
-                        error: "invalid_csrf_token",
-                        error_description: "The provided CSRF token is invalid or has expired",
-                    },
-                    { status: import_router5.statusCode.UNAUTHORIZED }
-                )
-            }
-            if (error instanceof InvalidRedirectToError) {
-                const { type, message } = error
-                return AuraResponse.json(
-                    {
-                        error: type,
-                        error_description: message,
-                    },
-                    { status: import_router5.statusCode.BAD_REQUEST }
-                )
-            }
-            return AuraResponse.json(
-                {
-                    error: "invalid_session_token",
-                    error_description: "The provided sessionToken is invalid or has already expired",
-                },
-                { status: import_router5.statusCode.UNAUTHORIZED }
-            )
-        }
-    },
-    config
-)
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { jose, cookies }
+    } = ctx;
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
+    }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new import_router5.HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: import_router5.statusCode.ACCEPTED, headers: headersList });
+  },
+  config
+);
 
 // src/actions/csrfToken/csrfToken.ts
-var import_router6 = require("@aura-stack/router")
+var import_router6 = require("@aura-stack/router");
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
 var csrfTokenAction = (0, import_router6.createEndpoint)("GET", "/csrfToken", async (ctx) => {
-    const {
-        request,
-        context: { cookies, jose, trustedProxyHeaders },
-    } = ctx
-    const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders)
-    const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true)
-    const csrfToken = await createCSRF(jose, existingCSRFToken)
-    const headers = new Headers(cacheControl)
-    headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions))
-    return Response.json({ csrfToken }, { headers })
-})
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
+  const headers = new Headers(cacheControl);
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
+  return Response.json({ csrfToken }, { headers });
+});
 
 // src/index.ts
 var createInternalConfig = (authConfig) => {
-    return {
-        basePath: authConfig?.basePath ?? "/auth",
-        onError: onErrorHandler,
-        context: {
-            oauth: createBuiltInOAuthProviders(authConfig?.oauth),
-            cookies: authConfig?.cookies ?? defaultCookieConfig,
-            jose: createJoseInstance(authConfig?.secret),
-            basePath: authConfig?.basePath ?? "/auth",
-            trustedProxyHeaders: !!authConfig?.trustedProxyHeaders,
-        },
-    }
-}
+  const useSecure = authConfig?.trustedProxyHeaders ?? false;
+  return {
+    basePath: authConfig?.basePath ?? "/auth",
+    onError: onErrorHandler,
+    context: {
+      oauth: createBuiltInOAuthProviders(authConfig?.oauth),
+      cookies: createCookieStore(useSecure, authConfig?.cookies?.prefix, authConfig?.cookies?.overrides ?? {}),
+      jose: createJoseInstance(authConfig?.secret),
+      secret: authConfig?.secret,
+      basePath: authConfig?.basePath ?? "/auth",
+      trustedProxyHeaders: useSecure
+    },
+    middlewares: [
+      (ctx) => {
+        const useSecure2 = useSecureCookies(ctx.request, ctx.context.trustedProxyHeaders);
+        const cookies = createCookieStore(useSecure2, authConfig?.cookies?.prefix, authConfig?.cookies?.overrides ?? {});
+        ctx.context.cookies = cookies;
+        return ctx;
+      }
+    ]
+  };
+};
 var createAuth = (authConfig) => {
-    const config2 = createInternalConfig(authConfig)
-    const router = (0, import_router7.createRouter)(
-        [
-            signInAction(config2.context.oauth),
-            callbackAction(config2.context.oauth),
-            sessionAction,
-            signOutAction,
-            csrfTokenAction,
-        ],
-        config2
-    )
-    return {
-        handlers: router,
-        jose: config2.context.jose,
-    }
-}
+  const config2 = createInternalConfig(authConfig);
+  const router = (0, import_router7.createRouter)(
+    [signInAction(config2.context.oauth), callbackAction(config2.context.oauth), sessionAction, signOutAction, csrfTokenAction],
+    config2
+  );
+  return {
+    handlers: router,
+    jose: config2.context.jose
+  };
+};
 // Annotate the CommonJS export names for ESM import in node:
-0 &&
-    (module.exports = {
-        createAuth,
-    })
+0 && (module.exports = {
+  createAuth
+});