@aura-stack/auth 0.1.0-rc.9 → 0.2.0-rc.1

package/dist/utils.cjs

@@ -1,154 +1,216 @@
-"use strict"
-var __defProp = Object.defineProperty
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor
-var __getOwnPropNames = Object.getOwnPropertyNames
-var __hasOwnProp = Object.prototype.hasOwnProperty
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
-    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
-}
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
-    if ((from && typeof from === "object") || typeof from === "function") {
-        for (let key of __getOwnPropNames(from))
-            if (!__hasOwnProp.call(to, key) && key !== except)
-                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
-    }
-    return to
-}
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/utils.ts
-var utils_exports = {}
+var utils_exports = {};
 __export(utils_exports, {
-    equals: () => equals,
-    getNormalizedOriginPath: () => getNormalizedOriginPath,
-    isValidRelativePath: () => isValidRelativePath,
-    onErrorHandler: () => onErrorHandler,
-    sanitizeURL: () => sanitizeURL,
-    toCastCase: () => toCastCase,
-    toISOString: () => toISOString,
-    toSnakeCase: () => toSnakeCase,
-    toUpperCase: () => toUpperCase,
-})
-module.exports = __toCommonJS(utils_exports)
-var import_router = require("@aura-stack/router")
+  equals: () => equals,
+  formatZodError: () => formatZodError,
+  getNormalizedOriginPath: () => getNormalizedOriginPath,
+  isValidRelativePath: () => isValidRelativePath,
+  onErrorHandler: () => onErrorHandler,
+  sanitizeURL: () => sanitizeURL,
+  toCastCase: () => toCastCase,
+  toISOString: () => toISOString,
+  toSnakeCase: () => toSnakeCase,
+  toUpperCase: () => toUpperCase,
+  useSecureCookies: () => useSecureCookies
+});
+module.exports = __toCommonJS(utils_exports);
+var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-    constructor(type, message) {
-        super(message)
-        this.type = type
-        this.name = "AuthError"
-    }
-}
-var isAuthError = (error) => {
-    return error instanceof AuthError
-}
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
 
 // src/utils.ts
 var toSnakeCase = (str) => {
-    return str
-        .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
-        .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
-        .toLowerCase()
-        .replace(/^_+/, "")
-}
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
 var toUpperCase = (str) => {
-    return str.toUpperCase()
-}
+  return str.toUpperCase();
+};
 var toCastCase = (obj, type = "snake") => {
-    return Object.entries(obj).reduce((previous, [key, value]) => {
-        const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key)
-        return { ...previous, [newKey]: value }
-    }, {})
-}
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
 var equals = (a, b) => {
-    if (a === null || b === null || a === void 0 || b === void 0) return false
-    return a === b
-}
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
 var sanitizeURL = (url) => {
-    try {
-        let decodedURL = decodeURIComponent(url).trim()
-        const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/)
-        let protocol = ""
-        let rest = decodedURL
-        if (protocolMatch) {
-            protocol = protocolMatch[1]
-            rest = decodedURL.slice(protocol.length)
-            const slashIndex = rest.indexOf("/")
-            if (slashIndex === -1) {
-                return protocol + rest
-            }
-            const domain = rest.slice(0, slashIndex)
-            let path = rest
-                .slice(slashIndex)
-                .replace(/\/\.\.\//g, "/")
-                .replace(/\/\.\.$/, "")
-                .replace(/\.{2,}/g, "")
-                .replace(/\/{2,}/g, "/")
-            if (path !== "/" && path.endsWith("/")) {
-                path = path.replace(/\/+$/, "/")
-            } else if (path !== "/") {
-                path = path.replace(/\/+$/, "")
-            }
-            return protocol + domain + path
-        }
-        let sanitized = decodedURL
-            .replace(/\/\.\.\//g, "/")
-            .replace(/\/\.\.$/, "")
-            .replace(/\.{2,}/g, "")
-            .replace(/\/{2,}/g, "/")
-        if (sanitized !== "/" && sanitized.endsWith("/")) {
-            sanitized = sanitized.replace(/\/+$/, "/")
-        } else if (sanitized !== "/") {
-            sanitized = sanitized.replace(/\/+$/, "")
-        }
-        return sanitized
-    } catch {
-        return url.trim()
+  try {
+    let decodedURL = decodeURIComponent(url).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
+    }
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
     }
-}
+    return sanitized;
+  } catch {
+    return url.trim();
+  }
+};
 var isValidRelativePath = (path) => {
-    if (!path || typeof path !== "string") return false
-    if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false
-    if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false
-    const sanitized = sanitizeURL(path)
-    if (sanitized.includes("..")) return false
-    return true
-}
+  if (!path || typeof path !== "string") return false;
+  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
+  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
+  const sanitized = sanitizeURL(path);
+  if (sanitized.includes("..")) return false;
+  return true;
+};
 var onErrorHandler = (error) => {
-    if ((0, import_router.isRouterError)(error)) {
-        const { message, status, statusText } = error
-        return Response.json({ error: "invalid_request", error_description: message }, { status, statusText })
-    }
-    if (isAuthError(error)) {
-        const { type, message } = error
-        return Response.json({ error: type, error_description: message }, { status: 400 })
-    }
-    return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 })
-}
+  if ((0, import_router.isRouterError)(error)) {
+    const { message, status, statusText } = error;
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
+  }
+  if ((0, import_router.isInvalidZodSchemaError)(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
+  }
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
+};
 var getNormalizedOriginPath = (path) => {
-    try {
-        const url = new URL(path)
-        url.hash = ""
-        url.search = ""
-        return `${url.origin}${url.pathname}`
-    } catch {
-        return sanitizeURL(path)
-    }
-}
+  try {
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
 var toISOString = (date) => {
-    return new Date(date).toISOString()
-}
+  return new Date(date).toISOString();
+};
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 // Annotate the CommonJS export names for ESM import in node:
-0 &&
-    (module.exports = {
-        equals,
-        getNormalizedOriginPath,
-        isValidRelativePath,
-        onErrorHandler,
-        sanitizeURL,
-        toCastCase,
-        toISOString,
-        toSnakeCase,
-        toUpperCase,
-    })
+0 && (module.exports = {
+  equals,
+  formatZodError,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase,
+  useSecureCookies
+});

package/dist/utils.d.ts

@@ -1,14 +1,16 @@
-import { RouterConfig } from "@aura-stack/router"
+import { RouterConfig } from '@aura-stack/router';
+import { i as APIErrorMap } from './index-DkaLJFn8.js';
+import { ZodError } from 'zod';
+import './schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
+import './@types/utility.js';
 
-declare const toSnakeCase: (str: string) => string
-declare const toUpperCase: (str: string) => string
-declare const toCastCase: <Obj extends Record<string, any>, Type extends "snake" | "upper">(
-    obj: Obj,
-    type?: Type
-) => Type extends "snake"
-    ? { [K in keyof Obj as `${string & K}`]: Obj[K] }
-    : { [K in keyof Obj as Uppercase<string & K>]: Obj[K] }
-declare const equals: (a: string | number | undefined | null, b: string | number | undefined | null) => boolean
+declare const toSnakeCase: (str: string) => string;
+declare const toUpperCase: (str: string) => string;
+declare const toCastCase: <Obj extends Record<string, string>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
+declare const equals: (a: string | number | undefined | null, b: string | number | undefined | null) => boolean;
 /**
  * Sanitizes a URL by removing dangerous patterns that could be used for path traversal
  * or other attacks. This function:
@@ -21,7 +23,7 @@ declare const equals: (a: string | number | undefined | null, b: string | number
  * @param url - The URL or path to sanitize
  * @returns The sanitized URL or path
  */
-declare const sanitizeURL: (url: string) => string
+declare const sanitizeURL: (url: string) => string;
 /**
  * Validates that a path is a safe relative path to prevent open redirect attacks.
  * A safe relative path must:
@@ -34,8 +36,8 @@ declare const sanitizeURL: (url: string) => string
  * @param path - The path to validate
  * @returns true if the path is safe, false otherwise
  */
-declare const isValidRelativePath: (path: string | undefined | null) => boolean
-declare const onErrorHandler: RouterConfig["onError"]
+declare const isValidRelativePath: (path: string | undefined | null) => boolean;
+declare const onErrorHandler: RouterConfig["onError"];
 /**
  * Extracts and normalizes the origin and pathname from a URL string.
  * Removes query parameters and hash fragments for a clean path.
@@ -44,17 +46,9 @@ declare const onErrorHandler: RouterConfig["onError"]
  * @param path - The URL or path string to process
  * @returns The normalized URL with origin and pathname, or the original path
  */
-declare const getNormalizedOriginPath: (path: string) => string
-declare const toISOString: (date: Date | string | number) => string
+declare const getNormalizedOriginPath: (path: string) => string;
+declare const toISOString: (date: Date | string | number) => string;
+declare const useSecureCookies: (request: Request, trustedProxyHeaders: boolean) => boolean;
+declare const formatZodError: <T extends Record<string, unknown> = Record<string, unknown>>(error: ZodError<T>) => APIErrorMap;
 
-export {
-    equals,
-    getNormalizedOriginPath,
-    isValidRelativePath,
-    onErrorHandler,
-    sanitizeURL,
-    toCastCase,
-    toISOString,
-    toSnakeCase,
-    toUpperCase,
-}
+export { equals, formatZodError, getNormalizedOriginPath, isValidRelativePath, onErrorHandler, sanitizeURL, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies };

package/dist/utils.js

@@ -1,23 +1,27 @@
 import {
-    equals,
-    getNormalizedOriginPath,
-    isValidRelativePath,
-    onErrorHandler,
-    sanitizeURL,
-    toCastCase,
-    toISOString,
-    toSnakeCase,
-    toUpperCase,
-} from "./chunk-256KIVJL.js"
-import "./chunk-FJUDBLCP.js"
+  equals,
+  formatZodError,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase,
+  useSecureCookies
+} from "./chunk-CXLATHS5.js";
+import "./chunk-RRLIF4PQ.js";
 export {
-    equals,
-    getNormalizedOriginPath,
-    isValidRelativePath,
-    onErrorHandler,
-    sanitizeURL,
-    toCastCase,
-    toISOString,
-    toSnakeCase,
-    toUpperCase,
-}
+  equals,
+  formatZodError,
+  getNormalizedOriginPath,
+  isValidRelativePath,
+  onErrorHandler,
+  sanitizeURL,
+  toCastCase,
+  toISOString,
+  toSnakeCase,
+  toUpperCase,
+  useSecureCookies
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/auth",
-  "version": "0.1.0-rc.9",
+  "version": "0.2.0-rc.1",
   "private": false,
   "type": "module",
   "description": "Core auth for @aura-stack/auth",
@@ -44,15 +44,16 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@aura-stack/router": "^0.4.0",
-    "cookie": "^1.0.2",
+    "@aura-stack/router": "^0.5.0",
     "dotenv": "^17.2.3",
-    "zod": "^4.1.12",
-    "@aura-stack/jose": "0.1.0-rc.1"
+    "zod": "^4.3.5",
+    "@aura-stack/jose": "0.2.0"
   },
   "devDependencies": {
-    "@aura-stack/tsconfig": "0.0.0",
-    "@aura-stack/tsup-config": "0.0.0"
+    "@types/node": "^24.9.2",
+    "typescript": "^5.9.2",
+    "@aura-stack/tsup-config": "0.0.0",
+    "@aura-stack/tsconfig": "0.0.0"
   },
   "scripts": {
     "dev": "tsup --watch",

package/dist/chunk-256KIVJL.js

@@ -1,110 +0,0 @@
-import { isAuthError } from "./chunk-FJUDBLCP.js"
-
-// src/utils.ts
-import { isRouterError } from "@aura-stack/router"
-var toSnakeCase = (str) => {
-    return str
-        .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
-        .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
-        .toLowerCase()
-        .replace(/^_+/, "")
-}
-var toUpperCase = (str) => {
-    return str.toUpperCase()
-}
-var toCastCase = (obj, type = "snake") => {
-    return Object.entries(obj).reduce((previous, [key, value]) => {
-        const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key)
-        return { ...previous, [newKey]: value }
-    }, {})
-}
-var equals = (a, b) => {
-    if (a === null || b === null || a === void 0 || b === void 0) return false
-    return a === b
-}
-var sanitizeURL = (url) => {
-    try {
-        let decodedURL = decodeURIComponent(url).trim()
-        const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/)
-        let protocol = ""
-        let rest = decodedURL
-        if (protocolMatch) {
-            protocol = protocolMatch[1]
-            rest = decodedURL.slice(protocol.length)
-            const slashIndex = rest.indexOf("/")
-            if (slashIndex === -1) {
-                return protocol + rest
-            }
-            const domain = rest.slice(0, slashIndex)
-            let path = rest
-                .slice(slashIndex)
-                .replace(/\/\.\.\//g, "/")
-                .replace(/\/\.\.$/, "")
-                .replace(/\.{2,}/g, "")
-                .replace(/\/{2,}/g, "/")
-            if (path !== "/" && path.endsWith("/")) {
-                path = path.replace(/\/+$/, "/")
-            } else if (path !== "/") {
-                path = path.replace(/\/+$/, "")
-            }
-            return protocol + domain + path
-        }
-        let sanitized = decodedURL
-            .replace(/\/\.\.\//g, "/")
-            .replace(/\/\.\.$/, "")
-            .replace(/\.{2,}/g, "")
-            .replace(/\/{2,}/g, "/")
-        if (sanitized !== "/" && sanitized.endsWith("/")) {
-            sanitized = sanitized.replace(/\/+$/, "/")
-        } else if (sanitized !== "/") {
-            sanitized = sanitized.replace(/\/+$/, "")
-        }
-        return sanitized
-    } catch {
-        return url.trim()
-    }
-}
-var isValidRelativePath = (path) => {
-    if (!path || typeof path !== "string") return false
-    if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false
-    if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false
-    const sanitized = sanitizeURL(path)
-    if (sanitized.includes("..")) return false
-    return true
-}
-var onErrorHandler = (error) => {
-    if (isRouterError(error)) {
-        const { message, status, statusText } = error
-        return Response.json({ error: "invalid_request", error_description: message }, { status, statusText })
-    }
-    if (isAuthError(error)) {
-        const { type, message } = error
-        return Response.json({ error: type, error_description: message }, { status: 400 })
-    }
-    return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 })
-}
-var getNormalizedOriginPath = (path) => {
-    try {
-        const url = new URL(path)
-        url.hash = ""
-        url.search = ""
-        return `${url.origin}${url.pathname}`
-    } catch {
-        return sanitizeURL(path)
-    }
-}
-var toISOString = (date) => {
-    return new Date(date).toISOString()
-}
-
-export {
-    toSnakeCase,
-    toUpperCase,
-    toCastCase,
-    equals,
-    sanitizeURL,
-    isValidRelativePath,
-    onErrorHandler,
-    getNormalizedOriginPath,
-    toISOString,
-}

package/dist/chunk-6SM22VVJ.js

@@ -1,15 +0,0 @@
-// src/assert.ts
-var isFalsy = (value) => {
-    return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value)
-}
-var isRequest = (value) => {
-    return typeof Request !== "undefined" && value instanceof Request
-}
-var isValidURL = (value) => {
-    if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false
-    const regex =
-        /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/
-    return regex.test(value)
-}
-
-export { isFalsy, isRequest, isValidURL }