@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/secure.cjs

@@ -1,123 +1,128 @@
-"use strict"
-var __create = Object.create
-var __defProp = Object.defineProperty
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor
-var __getOwnPropNames = Object.getOwnPropertyNames
-var __getProtoOf = Object.getPrototypeOf
-var __hasOwnProp = Object.prototype.hasOwnProperty
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
-    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
-}
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
-    if ((from && typeof from === "object") || typeof from === "function") {
-        for (let key of __getOwnPropNames(from))
-            if (!__hasOwnProp.call(to, key) && key !== except)
-                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
-    }
-    return to
-}
-var __toESM = (mod, isNodeMode, target) => (
-    (target = mod != null ? __create(__getProtoOf(mod)) : {}),
-    __copyProps(
-        // If the importer is in node compatibility mode or this is not an ESM
-        // file that has been converted to a CommonJS file using a Babel-
-        // compatible transform (i.e. "__esModule" has not been set), then set
-        // "default" to the CommonJS "module.exports" for node compatibility.
-        isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-        mod
-    )
-)
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/secure.ts
-var secure_exports = {}
+var secure_exports = {};
 __export(secure_exports, {
-    createCSRF: () => createCSRF,
-    createDerivedSalt: () => createDerivedSalt,
-    createHash: () => createHash,
-    createPKCE: () => createPKCE,
-    generateSecure: () => generateSecure,
-    verifyCSRF: () => verifyCSRF,
-})
-module.exports = __toCommonJS(secure_exports)
-var import_node_crypto = __toESM(require("crypto"), 1)
+  createCSRF: () => createCSRF,
+  createDerivedSalt: () => createDerivedSalt,
+  createHash: () => createHash,
+  createPKCE: () => createPKCE,
+  generateSecure: () => generateSecure,
+  verifyCSRF: () => verifyCSRF
+});
+module.exports = __toCommonJS(secure_exports);
+var import_crypto = __toESM(require("crypto"), 1);
 
 // src/utils.ts
-var import_router = require("@aura-stack/router")
+var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-    constructor(type, message) {
-        super(message)
-        this.type = type
-        this.name = "AuthError"
-    }
-}
-var InvalidCsrfTokenError = class extends AuthError {
-    constructor(message = "The provided CSRF token is invalid or has expired") {
-        super("invalid_csrf_token", message)
-        this.name = "InvalidCsrfTokenError"
-    }
-}
+// src/errors.ts
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
 
 // src/utils.ts
 var equals = (a, b) => {
-    if (a === null || b === null || a === void 0 || b === void 0) return false
-    return a === b
-}
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+
+// src/assert.ts
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 
 // src/secure.ts
 var generateSecure = (length = 32) => {
-    return import_node_crypto.default.randomBytes(length).toString("base64url")
-}
+  return import_crypto.default.randomBytes(length).toString("base64url");
+};
 var createHash = (data, base = "hex") => {
-    return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base)
-}
+  return import_crypto.default.createHash("sha256").update(data).digest().toString(base);
+};
 var createPKCE = async (verifier) => {
-    const codeVerifier = verifier ?? generateSecure(86)
-    const codeChallenge = createHash(codeVerifier, "base64url")
-    return { codeVerifier, codeChallenge, method: "S256" }
-}
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
 var createCSRF = async (jose, csrfCookie) => {
-    try {
-        const token = generateSecure(32)
-        if (csrfCookie) {
-            await jose.verifyJWS(csrfCookie)
-            return csrfCookie
-        }
-        return jose.signJWS({ token })
-    } catch {
-        const token = generateSecure(32)
-        return jose.signJWS({ token })
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
     }
-}
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
 var verifyCSRF = async (jose, cookie, header) => {
-    try {
-        const { token: cookieToken } = await jose.verifyJWS(cookie)
-        const { token: headerToken } = await jose.verifyJWS(header)
-        const cookieBuffer = Buffer.from(cookieToken)
-        const headerBuffer = Buffer.from(headerToken)
-        if (!equals(headerBuffer.length, cookieBuffer.length)) {
-            throw new InvalidCsrfTokenError()
-        }
-        if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
-            throw new InvalidCsrfTokenError()
-        }
-        return true
-    } catch {
-        throw new InvalidCsrfTokenError()
+  try {
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    if (!import_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
-}
+    return true;
+  } catch {
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+  }
+};
 var createDerivedSalt = (secret) => {
-    return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex")
-}
+  return import_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
 // Annotate the CommonJS export names for ESM import in node:
-0 &&
-    (module.exports = {
-        createCSRF,
-        createDerivedSalt,
-        createHash,
-        createPKCE,
-        generateSecure,
-        verifyCSRF,
-    })
+0 && (module.exports = {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+});

package/dist/secure.d.ts

@@ -1,13 +1,13 @@
-import { A as AuthRuntimeConfig } from "./index-DpfbvTZ_.js"
-import "zod/v4"
-import "@aura-stack/jose/jose"
-import "./schemas.js"
-import "zod/v4/core"
-import "cookie"
-import "./@types/utility.js"
+import { A as AuthRuntimeConfig } from './index-DkaLJFn8.js';
+import 'zod';
+import './schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
+import './@types/utility.js';
 
-declare const generateSecure: (length?: number) => string
-declare const createHash: (data: string, base?: "hex" | "base64" | "base64url") => string
+declare const generateSecure: (length?: number) => string;
+declare const createHash: (data: string, base?: "hex" | "base64" | "base64url") => string;
 /**
  * Creates the code challenge flow for PKCE OAuth flow. It generates a code verifier and its corresponding
  * code challenge using SHA-256 hashing.
@@ -18,24 +18,24 @@ declare const createHash: (data: string, base?: "hex" | "base64" | "base64url")
  * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
  */
 declare const createPKCE: (verifier?: string) => Promise<{
-    codeVerifier: string
-    codeChallenge: string
-    method: string
-}>
+    codeVerifier: string;
+    codeChallenge: string;
+    method: string;
+}>;
 /**
  * Creates a CSRF token to be used in OAuth flows to prevent cross-site request forgery attacks.
  *
  * @param csrfCookie - Optional existing CSRF cookie to verify and reuse
  * @returns Signed CSRF token
  */
-declare const createCSRF: (jose: AuthRuntimeConfig["jose"], csrfCookie?: string) => Promise<string>
-declare const verifyCSRF: (jose: AuthRuntimeConfig["jose"], cookie: string, header: string) => Promise<boolean>
+declare const createCSRF: (jose: AuthRuntimeConfig["jose"], csrfCookie?: string) => Promise<string>;
+declare const verifyCSRF: (jose: AuthRuntimeConfig["jose"], cookie: string, header: string) => Promise<boolean>;
 /**
  * Creates a deterministic derived salt from the provided secret.
  *
  * @param secret the base secret to derive the salt from
  * @returns the derived salt as a hexadecimal string
  */
-declare const createDerivedSalt: (secret: string) => string
+declare const createDerivedSalt: (secret: string) => string;
 
-export { createCSRF, createDerivedSalt, createHash, createPKCE, generateSecure, verifyCSRF }
+export { createCSRF, createDerivedSalt, createHash, createPKCE, generateSecure, verifyCSRF };

package/dist/secure.js

@@ -1,4 +1,19 @@
-import { createCSRF, createDerivedSalt, createHash, createPKCE, generateSecure, verifyCSRF } from "./chunk-GZU3RBTB.js"
-import "./chunk-256KIVJL.js"
-import "./chunk-FJUDBLCP.js"
-export { createCSRF, createDerivedSalt, createHash, createPKCE, generateSecure, verifyCSRF }
+import {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+} from "./chunk-N2APGLXA.js";
+import "./chunk-CXLATHS5.js";
+import "./chunk-EIL2FPSS.js";
+import "./chunk-RRLIF4PQ.js";
+export {
+  createCSRF,
+  createDerivedSalt,
+  createHash,
+  createPKCE,
+  generateSecure,
+  verifyCSRF
+};