@aura-stack/auth 0.1.0-rc.9 → 0.2.0

package/dist/chunk-FKRDCWBF.js

@@ -1,20 +1,22 @@
 // src/oauth/figma.ts
 var figma = {
-    id: "figma",
-    name: "Figma",
-    authorizeURL: "https://www.figma.com/oauth",
-    accessToken: "https://api.figma.com/v1/oauth/token",
-    userInfo: "https://api.figma.com/v1/me",
-    scope: "current_user:read",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id,
-            name: profile.handle,
-            email: profile.email,
-            image: profile.img_url,
-        }
-    },
-}
+  id: "figma",
+  name: "Figma",
+  authorizeURL: "https://www.figma.com/oauth",
+  accessToken: "https://api.figma.com/v1/oauth/token",
+  userInfo: "https://api.figma.com/v1/me",
+  scope: "current_user:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.handle,
+      email: profile.email,
+      image: profile.img_url
+    };
+  }
+};
 
-export { figma }
+export {
+  figma
+};

package/dist/chunk-IKHPGFCW.js

@@ -1,12 +1,14 @@
 // src/oauth/github.ts
 var github = {
-    id: "github",
-    name: "GitHub",
-    authorizeURL: "https://github.com/login/oauth/authorize",
-    accessToken: "https://github.com/login/oauth/access_token",
-    userInfo: "https://api.github.com/user",
-    scope: "read:user user:email",
-    responseType: "code",
-}
+  id: "github",
+  name: "GitHub",
+  authorizeURL: "https://github.com/login/oauth/authorize",
+  accessToken: "https://github.com/login/oauth/access_token",
+  userInfo: "https://api.github.com/user",
+  scope: "read:user user:email",
+  responseType: "code"
+};
 
-export { github }
+export {
+  github
+};

package/dist/chunk-IMICRJ5U.js

@@ -0,0 +1,197 @@
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/cookie.ts
+import { parse, parseSetCookie, serialize } from "@aura-stack/router/cookie";
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  httpOnly: true
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  httpOnly: true,
+  path: "/",
+  domain: void 0
+};
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options) => {
+  return serialize(cookieName, value, options);
+};
+var expiredCookieAttributes = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
+  }
+  const value = parse(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
+  }
+  return value;
+};
+var getSetCookie = (response, cookieName) => {
+  const cookies = response.headers.getSetCookie();
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found in response.");
+  }
+  const strCookie = cookies.find((cookie) => cookie.startsWith(`${cookieName}=`));
+  if (!strCookie) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found in response.`);
+  }
+  return parseSetCookie(strCookie).value;
+};
+var createSessionCookie = async (jose, session) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return encoded;
+  } catch (error) {
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
+  }
+};
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!useSecure) {
+    if (attributes.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...attributes,
+      ...defaultStandardCookieConfig
+    };
+  }
+  return strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
+  return {
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "sessionToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrfToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirect_to: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_to?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_to?.attributes
+        },
+        overrides?.redirect_to?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirect_uri: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_uri?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_uri?.attributes
+        },
+        overrides?.redirect_uri?.attributes?.strategy ?? "secure"
+      )
+    },
+    code_verifier: {
+      name: `${securePrefix}${prefix}.${overrides?.code_verifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.code_verifier?.attributes
+        },
+        overrides?.code_verifier?.attributes?.strategy ?? "secure"
+      )
+    }
+  };
+};
+
+export {
+  COOKIE_NAME,
+  defaultCookieOptions,
+  defaultStandardCookieConfig,
+  defaultSecureCookieConfig,
+  defaultHostCookieConfig,
+  setCookie,
+  expiredCookieAttributes,
+  getCookie,
+  getSetCookie,
+  createSessionCookie,
+  defineSecureCookieOptions,
+  createCookieStore
+};

package/dist/chunk-IUYZQTJV.js

@@ -0,0 +1,30 @@
+// src/oauth/discord.ts
+var discord = {
+  id: "discord",
+  name: "Discord",
+  authorizeURL: "https://discord.com/oauth2/authorize",
+  accessToken: "https://discord.com/api/oauth2/token",
+  userInfo: "https://discord.com/api/users/@me",
+  scope: "identify email",
+  responseType: "code",
+  profile(profile) {
+    let image = "";
+    if (profile.avatar === null) {
+      const index = profile.discriminator === "0" ? (BigInt(profile.id) >> 22n) % 6n : Number(profile.discriminator) % 5;
+      image = `https://cdn.discordapp.com/embed/avatars/${index}.png`;
+    } else {
+      const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+      image = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+    }
+    return {
+      sub: profile.id,
+      name: profile.global_name ?? profile.username,
+      email: profile.email ?? "",
+      image
+    };
+  }
+};
+
+export {
+  discord
+};

package/dist/chunk-KRNOMBXQ.js

@@ -1,20 +1,22 @@
 // src/oauth/gitlab.ts
 var gitlab = {
-    id: "gitlab",
-    name: "GitLab",
-    authorizeURL: "https://gitlab.com/oauth/authorize",
-    accessToken: "https://gitlab.com/oauth/token",
-    userInfo: "https://gitlab.com/api/v4/user",
-    scope: "read_user",
-    responseType: "code",
-    profile(profile) {
-        return {
-            sub: profile.id.toString(),
-            name: profile.name ?? profile.username,
-            email: profile.email,
-            avatar: profile.avatar_url,
-        }
-    },
-}
+  id: "gitlab",
+  name: "GitLab",
+  authorizeURL: "https://gitlab.com/oauth/authorize",
+  accessToken: "https://gitlab.com/oauth/token",
+  userInfo: "https://gitlab.com/api/v4/user",
+  scope: "read_user",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: profile.name ?? profile.username,
+      email: profile.email,
+      avatar: profile.avatar_url
+    };
+  }
+};
 
-export { gitlab }
+export {
+  gitlab
+};

package/dist/chunk-N2APGLXA.js

@@ -0,0 +1,71 @@
+import {
+  equals
+} from "./chunk-CXLATHS5.js";
+import {
+  isJWTPayloadWithToken
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/secure.ts
+import crypto from "crypto";
+var generateSecure = (length = 32) => {
+  return crypto.randomBytes(length).toString("base64url");
+};
+var createHash = (data, base = "hex") => {
+  return crypto.createHash("sha256").update(data).digest().toString(base);
+};
+var createPKCE = async (verifier) => {
+  const codeVerifier = verifier ?? generateSecure(86);
+  const codeChallenge = createHash(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge, method: "S256" };
+};
+var createCSRF = async (jose, csrfCookie) => {
+  try {
+    const token = generateSecure(32);
+    if (csrfCookie) {
+      await jose.verifyJWS(csrfCookie);
+      return csrfCookie;
+    }
+    return jose.signJWS({ token });
+  } catch {
+    const token = generateSecure(32);
+    return jose.signJWS({ token });
+  }
+};
+var verifyCSRF = async (jose, cookie, header) => {
+  try {
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
+    if (!equals(headerBuffer.length, cookieBuffer.length)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+    }
+    return true;
+  } catch {
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
+  }
+};
+var createDerivedSalt = (secret) => {
+  return crypto.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+};
+
+export {
+  generateSecure,
+  createHash,
+  createPKCE,
+  createCSRF,
+  verifyCSRF,
+  createDerivedSalt
+};

package/dist/chunk-NEVKX6K2.js

@@ -0,0 +1,70 @@
+import {
+  createRedirectTo
+} from "./chunk-QEZL7EYN.js";
+import {
+  expiredCookieAttributes
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  verifyCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  getNormalizedOriginPath
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/signOut/signOut.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router";
+var config = createEndpointConfig({
+  schemas: {
+    searchParams: z.object({
+      token_type_hint: z.literal("session_token"),
+      redirectTo: z.string().optional()
+    })
+  }
+});
+var signOutAction = createEndpoint(
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { jose, cookies }
+    } = ctx;
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
+    }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: statusCode.ACCEPTED, headers: headersList });
+  },
+  config
+);
+
+export {
+  signOutAction
+};

package/dist/chunk-PTJUYB33.js

@@ -0,0 +1,33 @@
+import {
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  toISOString
+} from "./chunk-CXLATHS5.js";
+
+// src/actions/session/session.ts
+import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
+var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  try {
+    const session = getCookie(request, cookies.sessionToken.name);
+    const decoded = await jose.decodeJWT(session);
+    const { exp, iat, jti, nbf, ...user } = decoded;
+    const headers = new Headers(cacheControl);
+    return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
+  } catch (error) {
+    const headers = new HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
+  }
+});
+
+export {
+  sessionAction
+};

package/dist/chunk-QDO2KSRJ.js

@@ -0,0 +1,35 @@
+import {
+  getCookie,
+  setCookie
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/csrfToken/csrfToken.ts
+import { createEndpoint } from "@aura-stack/router";
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
+var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
+  const headers = new Headers(cacheControl);
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
+  return Response.json({ csrfToken }, { headers });
+});
+
+export {
+  csrfTokenAction
+};

package/dist/chunk-QEZL7EYN.js

@@ -0,0 +1,96 @@
+import {
+  OAuthAuthorization
+} from "./chunk-WD7AUHQ5.js";
+import {
+  equals,
+  formatZodError,
+  getNormalizedOriginPath,
+  sanitizeURL,
+  toCastCase
+} from "./chunk-CXLATHS5.js";
+import {
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthInternalError,
+  AuthSecurityError,
+  isAuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/signIn/authorization.ts
+var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
+  const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+  if (!parsed.success) {
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
+  }
+  const { authorizeURL, ...options } = parsed.data;
+  const { userInfo, accessToken, clientSecret, ...required } = options;
+  const searchParams = new URLSearchParams(toCastCase(required));
+  return `${authorizeURL}?${searchParams}`;
+};
+var getOriginURL = (request, trustedProxyHeaders) => {
+  const headers = request.headers;
+  if (trustedProxyHeaders) {
+    const protocol = headers.get("X-Forwarded-Proto") ?? headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? "http";
+    const host = headers.get("X-Forwarded-Host") ?? headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? null;
+    return new URL(`${protocol}://${host}${getNormalizedOriginPath(new URL(request.url).pathname)}`);
+  } else {
+    return new URL(getNormalizedOriginPath(request.url));
+  }
+};
+var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
+};
+var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
+  try {
+    const headers = request.headers;
+    const origin = headers.get("Origin");
+    const referer = headers.get("Referer");
+    let hostedURL = getOriginURL(request, trustedProxyHeaders);
+    if (redirectTo) {
+      if (redirectTo.startsWith("/")) {
+        return sanitizeURL(redirectTo);
+      }
+      const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
+      if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(redirectToURL.pathname);
+    }
+    if (referer) {
+      const refererURL = new URL(sanitizeURL(referer));
+      if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The referer of the request does not match the hosted origin."
+        );
+      }
+      return sanitizeURL(refererURL.pathname);
+    }
+    if (origin) {
+      const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
+      if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+      }
+      return sanitizeURL(originURL.pathname);
+    }
+    return "/";
+  } catch (error) {
+    if (isAuthSecurityError(error)) {
+      throw error;
+    }
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+  }
+};
+
+export {
+  createAuthorizationURL,
+  getOriginURL,
+  createRedirectURI,
+  createRedirectTo
+};