@aura-stack/auth 0.1.0-rc.9 → 0.2.0

package/dist/chunk-RRLIF4PQ.js

@@ -0,0 +1,55 @@
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
+
+export {
+  OAuthProtocolError,
+  AuthInternalError,
+  AuthSecurityError,
+  isNativeError,
+  isOAuthProtocolError,
+  isAuthInternalError,
+  isAuthSecurityError
+};

package/dist/chunk-STHEPPUZ.js

@@ -1,9 +1,11 @@
 // src/headers.ts
 var cacheControl = {
-    "Cache-Control": "no-store",
-    Pragma: "no-cache",
-    Expires: "0",
-    Vary: "Cookie",
-}
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
 
-export { cacheControl }
+export {
+  cacheControl
+};

package/dist/chunk-TLE4PXY3.js

@@ -0,0 +1,39 @@
+import {
+  createDerivedSalt
+} from "./chunk-N2APGLXA.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/jose.ts
+import "dotenv/config";
+import { createJWT, createJWS, createJWE, createDeriveKey } from "@aura-stack/jose";
+var createJoseInstance = (secret) => {
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
+  if (!secret) {
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
+  }
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption");
+  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
+  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
+  };
+};
+
+export {
+  createJoseInstance
+};

package/dist/chunk-UEH3LVON.js

@@ -0,0 +1,97 @@
+import {
+  getUserInfo
+} from "./chunk-ZLR3LI6X.js";
+import {
+  createAccessToken
+} from "./chunk-4V4JNXVF.js";
+import {
+  createSessionCookie,
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  OAuthAuthorizationErrorResponse,
+  OAuthAuthorizationResponse
+} from "./chunk-WD7AUHQ5.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  equals,
+  isValidRelativePath,
+  sanitizeURL
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/callback/callback.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var callbackConfig = (oauth) => {
+  return createEndpointConfig("/callback/:oauth", {
+    schemas: {
+      searchParams: OAuthAuthorizationResponse,
+      params: z.object({
+        oauth: z.enum(Object.keys(oauth), "The OAuth provider is not supported or invalid.")
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
+var callbackAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose }
+      } = ctx;
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirect_to.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirect_uri.name);
+      const codeVerifier = getCookie(request, cookies.code_verifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
+        );
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
+        );
+      }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirect_uri.name, "", expiredCookieAttributes).setCookie(cookies.redirect_to.name, "", expiredCookieAttributes).setCookie(cookies.code_verifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
+    },
+    callbackConfig(oauth)
+  );
+};
+
+export {
+  callbackAction
+};

package/dist/chunk-WD7AUHQ5.js

@@ -0,0 +1,79 @@
+// src/schemas.ts
+import { object, string, enum as options, number, httpUrl, z } from "zod/v4";
+var OAuthProviderConfigSchema = object({
+  authorizeURL: httpUrl(),
+  accessToken: httpUrl(),
+  scope: string().optional(),
+  userInfo: httpUrl(),
+  responseType: options(["code", "token", "id_token"]),
+  clientId: string(),
+  clientSecret: string()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  state: string(),
+  codeChallenge: string(),
+  codeChallengeMethod: options(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = object({
+  state: string("Missing state parameter in the OAuth authorization response."),
+  code: string("Missing code parameter in the OAuth authorization response.")
+});
+var OAuthAuthorizationErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "unauthorized_client",
+    "access_denied",
+    "unsupported_response_type",
+    "invalid_scope",
+    "server_error",
+    "temporarily_unavailable"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional(),
+  state: string()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+  redirectURI: string(),
+  code: string(),
+  codeVerifier: string().min(43).max(128)
+});
+var OAuthAccessTokenResponse = object({
+  access_token: string(),
+  token_type: string(),
+  expires_in: number().optional(),
+  refresh_token: string().optional(),
+  scope: string().optional()
+});
+var OAuthAccessTokenErrorResponse = object({
+  error: options([
+    "invalid_request",
+    "invalid_client",
+    "invalid_grant",
+    "unauthorized_client",
+    "unsupported_grant_type",
+    "invalid_scope"
+  ]),
+  error_description: string().optional(),
+  error_uri: string().optional()
+});
+var OAuthErrorResponse = object({
+  error: string(),
+  error_description: string().optional()
+});
+var OAuthEnvSchema = object({
+  clientId: z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
+
+export {
+  OAuthProviderConfigSchema,
+  OAuthAuthorization,
+  OAuthAuthorizationResponse,
+  OAuthAuthorizationErrorResponse,
+  OAuthAccessToken,
+  OAuthAccessTokenResponse,
+  OAuthAccessTokenErrorResponse,
+  OAuthErrorResponse,
+  OAuthEnvSchema
+};

package/dist/chunk-ZLR3LI6X.js

@@ -0,0 +1,55 @@
+import {
+  OAuthErrorResponse
+} from "./chunk-WD7AUHQ5.js";
+import {
+  generateSecure
+} from "./chunk-N2APGLXA.js";
+import {
+  OAuthProtocolError,
+  isNativeError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/callback/userinfo.ts
+var getDefaultUserInfo = (profile) => {
+  const sub = generateSecure(16);
+  return {
+    sub: profile?.id ?? profile?.sub ?? sub,
+    email: profile?.email,
+    name: profile?.name ?? profile?.username ?? profile?.nickname,
+    image: profile?.image ?? profile?.picture
+  };
+};
+var getUserInfo = async (oauthConfig, accessToken) => {
+  const userinfoEndpoint = oauthConfig.userInfo;
+  try {
+    const response = await fetch(userinfoEndpoint, {
+      method: "GET",
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    const json = await response.json();
+    const { success, data } = OAuthErrorResponse.safeParse(json);
+    if (success) {
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
+    }
+    return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
+  } catch (error) {
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
+  }
+};
+
+export {
+  getUserInfo
+};