@aura-stack/auth 0.1.0-rc.9 → 0.2.0

package/dist/actions/signOut/signOut.d.ts

@@ -1,8 +1,8 @@
-import * as _aura_stack_router from "@aura-stack/router"
+import * as _aura_stack_router from '@aura-stack/router';
 
 /**
  * @see https://datatracker.ietf.org/doc/html/rfc7009
  */
-declare const signOutAction: _aura_stack_router.RouteEndpoint<"POST", "/signOut", {}>
+declare const signOutAction: _aura_stack_router.RouteEndpoint<"POST", "/signOut", {}>;
 
-export { signOutAction }
+export { signOutAction };

package/dist/actions/signOut/signOut.js

@@ -1,11 +1,14 @@
-import { signOutAction } from "../../chunk-SJPDVKUS.js"
-import "../../chunk-CAKJT3KS.js"
-import "../../chunk-ZV4BH47P.js"
-import "../../chunk-6SM22VVJ.js"
-import "../../chunk-STHEPPUZ.js"
-import "../../chunk-GZU3RBTB.js"
-import "../../chunk-256KIVJL.js"
-import "../../chunk-FJUDBLCP.js"
-import "../../chunk-JAPMIE6S.js"
-import "../../chunk-HMRKN75I.js"
-export { signOutAction }
+import {
+  signOutAction
+} from "../../chunk-NEVKX6K2.js";
+import "../../chunk-QEZL7EYN.js";
+import "../../chunk-IMICRJ5U.js";
+import "../../chunk-STHEPPUZ.js";
+import "../../chunk-WD7AUHQ5.js";
+import "../../chunk-N2APGLXA.js";
+import "../../chunk-CXLATHS5.js";
+import "../../chunk-EIL2FPSS.js";
+import "../../chunk-RRLIF4PQ.js";
+export {
+  signOutAction
+};

package/dist/assert.cjs

@@ -1,45 +1,49 @@
-"use strict"
-var __defProp = Object.defineProperty
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor
-var __getOwnPropNames = Object.getOwnPropertyNames
-var __hasOwnProp = Object.prototype.hasOwnProperty
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
-    for (var name in all) __defProp(target, name, { get: all[name], enumerable: true })
-}
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
-    if ((from && typeof from === "object") || typeof from === "function") {
-        for (let key of __getOwnPropNames(from))
-            if (!__hasOwnProp.call(to, key) && key !== except)
-                __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable })
-    }
-    return to
-}
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod)
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/assert.ts
-var assert_exports = {}
+var assert_exports = {};
 __export(assert_exports, {
-    isFalsy: () => isFalsy,
-    isRequest: () => isRequest,
-    isValidURL: () => isValidURL,
-})
-module.exports = __toCommonJS(assert_exports)
+  isFalsy: () => isFalsy,
+  isJWTPayloadWithToken: () => isJWTPayloadWithToken,
+  isRequest: () => isRequest,
+  isValidURL: () => isValidURL
+});
+module.exports = __toCommonJS(assert_exports);
 var isFalsy = (value) => {
-    return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value)
-}
+  return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
+};
 var isRequest = (value) => {
-    return typeof Request !== "undefined" && value instanceof Request
-}
+  return typeof Request !== "undefined" && value instanceof Request;
+};
 var isValidURL = (value) => {
-    if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false
-    const regex =
-        /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/
-    return regex.test(value)
-}
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 // Annotate the CommonJS export names for ESM import in node:
-0 &&
-    (module.exports = {
-        isFalsy,
-        isRequest,
-        isValidURL,
-    })
+0 && (module.exports = {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+});

package/dist/assert.d.ts

@@ -1,5 +1,13 @@
-declare const isFalsy: (value: unknown) => boolean
-declare const isRequest: (value: unknown) => value is Request
-declare const isValidURL: (value: string) => boolean
+import { J as JWTPayloadWithToken } from './index-EqsoyjrF.js';
+import 'zod/v4';
+import './schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
+import './@types/utility.js';
 
-export { isFalsy, isRequest, isValidURL }
+declare const isFalsy: (value: unknown) => boolean;
+declare const isRequest: (value: unknown) => value is Request;
+declare const isValidURL: (value: string) => boolean;
+declare const isJWTPayloadWithToken: (payload: unknown) => payload is JWTPayloadWithToken;
+
+export { isFalsy, isJWTPayloadWithToken, isRequest, isValidURL };

package/dist/assert.js

@@ -1,2 +1,12 @@
-import { isFalsy, isRequest, isValidURL } from "./chunk-6SM22VVJ.js"
-export { isFalsy, isRequest, isValidURL }
+import {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
+export {
+  isFalsy,
+  isJWTPayloadWithToken,
+  isRequest,
+  isValidURL
+};

package/dist/chunk-2RXNXMCZ.js

@@ -0,0 +1,55 @@
+import {
+  createAuthorizationURL,
+  createRedirectTo,
+  createRedirectURI
+} from "./chunk-QEZL7EYN.js";
+import {
+  createPKCE,
+  generateSecure
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/signIn/signIn.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig } from "@aura-stack/router";
+var signInConfig = (oauth) => {
+  return createEndpointConfig("/signIn/:oauth", {
+    schemas: {
+      params: z.object({
+        oauth: z.enum(Object.keys(oauth), "The OAuth provider is not supported or invalid."),
+        redirectTo: z.string().optional()
+      })
+    }
+  });
+};
+var signInAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/signIn/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        headers: headersBuilder,
+        params: { oauth: oauth2, redirectTo },
+        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
+      } = ctx;
+      const state = generateSecure();
+      const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+      const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders);
+      const { codeVerifier, codeChallenge, method } = await createPKCE();
+      const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+      const headers = headersBuilder.setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirect_uri.name, redirectURI, cookies.redirect_uri.attributes).setCookie(cookies.redirect_to.name, redirectToValue, cookies.redirect_to.attributes).setCookie(cookies.code_verifier.name, codeVerifier, cookies.code_verifier.attributes).toHeaders();
+      return Response.json(
+        { oauth: oauth2 },
+        {
+          status: 302,
+          headers
+        }
+      );
+    },
+    signInConfig(oauth)
+  );
+};
+
+export {
+  signInAction
+};

package/dist/chunk-42XB3YCW.js

@@ -1,20 +1,22 @@
 // src/oauth/x.ts
 var x = {
-    id: "x",
-    name: "X",
-    authorizeURL: "https://x.com/i/oauth2/authorize",
-    accessToken: "https://api.x.com/2/oauth2/token",
-    userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
-    scope: "users.read users.email tweet.read offline.access",
-    responseType: "code",
-    profile({ data }) {
-        return {
-            sub: data.id,
-            name: data.name,
-            image: data.profile_image_url,
-            email: "",
-        }
-    },
-}
+  id: "x",
+  name: "X",
+  authorizeURL: "https://x.com/i/oauth2/authorize",
+  accessToken: "https://api.x.com/2/oauth2/token",
+  userInfo: "https://api.x.com/2/users/me?user.fields=profile_image_url",
+  scope: "users.read users.email tweet.read offline.access",
+  responseType: "code",
+  profile({ data }) {
+    return {
+      sub: data.id,
+      name: data.name,
+      image: data.profile_image_url,
+      email: ""
+    };
+  }
+};
 
-export { x }
+export {
+  x
+};

package/dist/chunk-4V4JNXVF.js

@@ -0,0 +1,55 @@
+import {
+  OAuthAccessToken,
+  OAuthAccessTokenErrorResponse,
+  OAuthAccessTokenResponse
+} from "./chunk-WD7AUHQ5.js";
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/callback/access-token.ts
+var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
+  const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
+  try {
+    const response = await fetch(accessToken, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: clientId,
+        client_secret: clientSecret,
+        code: codeParsed,
+        redirect_uri: redirectParsed,
+        grant_type: "authorization_code",
+        code_verifier: codeVerifier
+      }).toString()
+    });
+    const json = await response.json();
+    const token = OAuthAccessTokenResponse.safeParse(json);
+    if (!token.success) {
+      const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+      if (!success) {
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
+      }
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
+    }
+    return token.data;
+  } catch (error) {
+    throw error;
+  }
+};
+
+export {
+  createAccessToken
+};

package/dist/chunk-6R2YZ4AC.js

@@ -0,0 +1,22 @@
+// src/oauth/strava.ts
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
+    };
+  }
+};
+
+export {
+  strava
+};

package/dist/chunk-7H3OR6UU.js

@@ -0,0 +1,81 @@
+import {
+  github
+} from "./chunk-IKHPGFCW.js";
+import {
+  gitlab
+} from "./chunk-KRNOMBXQ.js";
+import {
+  spotify
+} from "./chunk-E3OXBRYF.js";
+import {
+  strava
+} from "./chunk-6R2YZ4AC.js";
+import {
+  x
+} from "./chunk-42XB3YCW.js";
+import {
+  bitbucket
+} from "./chunk-FIPU4MLT.js";
+import {
+  discord
+} from "./chunk-IUYZQTJV.js";
+import {
+  figma
+} from "./chunk-FKRDCWBF.js";
+import {
+  OAuthEnvSchema
+} from "./chunk-WD7AUHQ5.js";
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/oauth/index.ts
+var builtInOAuthProviders = {
+  github,
+  bitbucket,
+  figma,
+  discord,
+  gitlab,
+  spotify,
+  x,
+  strava
+};
+var defineOAuthEnvironment = (oauth) => {
+  const env = process.env;
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
+};
+var defineOAuthProviderConfig = (config) => {
+  if (typeof config === "string") {
+    const definition = defineOAuthEnvironment(config);
+    const oauthConfig = builtInOAuthProviders[config];
+    return {
+      ...oauthConfig,
+      ...definition
+    };
+  }
+  return config;
+};
+var createBuiltInOAuthProviders = (oauth = []) => {
+  return oauth.reduce((previous, config) => {
+    const oauthConfig = defineOAuthProviderConfig(config);
+    return { ...previous, [oauthConfig.id]: oauthConfig };
+  }, {});
+};
+
+export {
+  builtInOAuthProviders,
+  createBuiltInOAuthProviders
+};

package/dist/chunk-CXLATHS5.js

@@ -0,0 +1,143 @@
+import {
+  isAuthInternalError,
+  isAuthSecurityError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/utils.ts
+import { isInvalidZodSchemaError, isRouterError } from "@aura-stack/router";
+var toSnakeCase = (str) => {
+  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
+};
+var toUpperCase = (str) => {
+  return str.toUpperCase();
+};
+var toCastCase = (obj, type = "snake") => {
+  return Object.entries(obj).reduce((previous, [key, value]) => {
+    const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
+    return { ...previous, [newKey]: value };
+  }, {});
+};
+var equals = (a, b) => {
+  if (a === null || b === null || a === void 0 || b === void 0) return false;
+  return a === b;
+};
+var sanitizeURL = (url) => {
+  try {
+    let decodedURL = decodeURIComponent(url).trim();
+    const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
+    let protocol = "";
+    let rest = decodedURL;
+    if (protocolMatch) {
+      protocol = protocolMatch[1];
+      rest = decodedURL.slice(protocol.length);
+      const slashIndex = rest.indexOf("/");
+      if (slashIndex === -1) {
+        return protocol + rest;
+      }
+      const domain = rest.slice(0, slashIndex);
+      let path = rest.slice(slashIndex).replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+      if (path !== "/" && path.endsWith("/")) {
+        path = path.replace(/\/+$/, "/");
+      } else if (path !== "/") {
+        path = path.replace(/\/+$/, "");
+      }
+      return protocol + domain + path;
+    }
+    let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
+    if (sanitized !== "/" && sanitized.endsWith("/")) {
+      sanitized = sanitized.replace(/\/+$/, "/");
+    } else if (sanitized !== "/") {
+      sanitized = sanitized.replace(/\/+$/, "");
+    }
+    return sanitized;
+  } catch {
+    return url.trim();
+  }
+};
+var isValidRelativePath = (path) => {
+  if (!path || typeof path !== "string") return false;
+  if (!path.startsWith("/") || path.includes("://") || path.includes("\r") || path.includes("\n")) return false;
+  if (/[\x00-\x1F\x7F]/.test(path) || path.includes("\0")) return false;
+  const sanitized = sanitizeURL(path);
+  if (sanitized.includes("..")) return false;
+  return true;
+};
+var onErrorHandler = (error) => {
+  if (isRouterError(error)) {
+    const { message, status, statusText } = error;
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
+  }
+  if (isInvalidZodSchemaError(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
+  }
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
+};
+var getNormalizedOriginPath = (path) => {
+  try {
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return sanitizeURL(path);
+  }
+};
+var toISOString = (date) => {
+  return new Date(date).toISOString();
+};
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
+
+export {
+  toSnakeCase,
+  toUpperCase,
+  toCastCase,
+  equals,
+  sanitizeURL,
+  isValidRelativePath,
+  onErrorHandler,
+  getNormalizedOriginPath,
+  toISOString,
+  useSecureCookies,
+  formatZodError
+};

package/dist/chunk-E3OXBRYF.js

@@ -1,20 +1,22 @@
 // src/oauth/spotify.ts
 var spotify = {
-    id: "spotify",
-    name: "Spotify",
-    authorizeURL: "https://accounts.spotify.com/authorize",
-    accessToken: "https://accounts.spotify.com/api/token",
-    userInfo: "https://api.spotify.com/v1/me",
-    scope: "user-read-email user-read-private",
-    responseType: "token",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.display_name,
-            email: profile.email,
-            image: profile.images?.[0]?.url,
-        }
-    },
-}
+  id: "spotify",
+  name: "Spotify",
+  authorizeURL: "https://accounts.spotify.com/authorize",
+  accessToken: "https://accounts.spotify.com/api/token",
+  userInfo: "https://api.spotify.com/v1/me",
+  scope: "user-read-email user-read-private",
+  responseType: "token",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.display_name,
+      email: profile.email,
+      image: profile.images?.[0]?.url
+    };
+  }
+};
 
-export { spotify }
+export {
+  spotify
+};

package/dist/chunk-EIL2FPSS.js

@@ -0,0 +1,22 @@
+// src/assert.ts
+var isFalsy = (value) => {
+  return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
+};
+var isRequest = (value) => {
+  return typeof Request !== "undefined" && value instanceof Request;
+};
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
+
+export {
+  isFalsy,
+  isRequest,
+  isValidURL,
+  isJWTPayloadWithToken
+};

package/dist/chunk-FIPU4MLT.js

@@ -1,19 +1,21 @@
 // src/oauth/bitbucket.ts
 var bitbucket = {
-    id: "bitbucket",
-    name: "Bitbucket",
-    authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
-    accessToken: "https://bitbucket.org/site/oauth2/access_token",
-    userInfo: "https://api.bitbucket.org/2.0/user",
-    scope: "account email",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.uuid ?? profile.account_id,
-            name: profile.display_name ?? profile.nickname,
-            image: profile.links.avatar.href,
-        }
-    },
-}
+  id: "bitbucket",
+  name: "Bitbucket",
+  authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+  accessToken: "https://bitbucket.org/site/oauth2/access_token",
+  userInfo: "https://api.bitbucket.org/2.0/user",
+  scope: "account email",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.uuid ?? profile.account_id,
+      name: profile.display_name ?? profile.nickname,
+      image: profile.links.avatar.href
+    };
+  }
+};
 
-export { bitbucket }
+export {
+  bitbucket
+};