@aura-stack/auth 0.1.0-rc.9 → 0.2.0

package/dist/{index-DpfbvTZ_.d.ts → index-EqsoyjrF.d.ts}

@@ -1,136 +1,213 @@
-import { z } from "zod/v4"
-import { JWTPayload } from "@aura-stack/jose/jose"
-import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse } from "./schemas.js"
-import { SerializeOptions } from "cookie"
-import { LiteralUnion, Prettify } from "./@types/utility.js"
+import { z } from 'zod/v4';
+import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
+import { SerializeOptions } from '@aura-stack/router/cookie';
+import { JWTPayload } from '@aura-stack/jose/jose';
+import { LiteralUnion, Prettify } from './@types/utility.js';
+
+/**
+ * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
+ */
+interface SummaryClub {
+    id: number;
+    resource_state: number;
+    name: string;
+    profile_medium: string;
+    cover_photo: string;
+    cover_photo_small: string;
+    sport_type: "cycling" | "running" | "triathlon" | "other";
+    activity_types: string[];
+    city: string;
+    state: string;
+    country: string;
+    private: boolean;
+    member_count: number;
+    featured: boolean;
+    verified: boolean;
+    url: string;
+}
+/**
+ * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
+ */
+interface SummaryGear {
+    id: string;
+    resource_state: number;
+    primary: boolean;
+    name: string;
+    distance: number;
+}
+/**
+ * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
+ */
+interface StravaProfile {
+    id: number;
+    resource_state: number;
+    firstname: string;
+    lastname: string;
+    bio: string | null;
+    profile: string;
+    profile_medium: string;
+    city: string;
+    state: string;
+    country: string;
+    sex: string;
+    premium: boolean;
+    summit: boolean;
+    created_at: Date;
+    updated_at: Date;
+    badge_type_id: number;
+    weight: number;
+    friend: null;
+    follower: null;
+    follower_count: number;
+    friend_count: number;
+    measurement_preference: string;
+    ftp: number;
+    clubs: SummaryClub[];
+    bikes: SummaryGear[];
+    shoes: SummaryGear[];
+}
+/**
+ * Strava OAuth Provider
+ * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
+ * @see [Strava - My Applications](https://www.strava.com/settings/api)
+ * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
+ * @see [Strava - API Application](https://www.strava.com/settings/api)
+ * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
+ */
+declare const strava: OAuthProviderConfig<StravaProfile>;
 
 /**
  * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
  */
 interface XProfile {
     data: {
-        id: string
-        name: string
-        username: string
-        profile_image_url: string
-    }
+        id: string;
+        name: string;
+        username: string;
+        profile_image_url: string;
+    };
 }
 /**
+ * X (Twitter) OAuth Provider
  * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
  * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
  * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
  * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
  * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
  */
-declare const x: OAuthProviderConfig<XProfile>
+declare const x: OAuthProviderConfig<XProfile>;
 
 interface Image {
-    url: string
-    height: number
-    width: number
+    url: string;
+    height: number;
+    width: number;
 }
 /**
  * @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
  */
 interface SpotifyProfile {
-    id: string
-    display_name: string
-    email: string
-    type: string
-    uri: string
-    country: string
-    href: string
-    images: Image[]
-    product: string
+    id: string;
+    display_name: string;
+    email: string;
+    type: string;
+    uri: string;
+    country: string;
+    href: string;
+    images: Image[];
+    product: string;
     explicit_content: {
-        filter_enabled: boolean
-        filter_locked: boolean
-    }
+        filter_enabled: boolean;
+        filter_locked: boolean;
+    };
     external_urls: {
-        spotify: string
-    }
+        spotify: string;
+    };
     followers: {
-        href: string
-        total: number
-    }
+        href: string;
+        total: number;
+    };
 }
 /**
+ * Spotify OAuth Provider
+ *
  * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
  * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
  * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
  * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
  * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
  */
-declare const spotify: OAuthProviderConfig<SpotifyProfile>
+declare const spotify: OAuthProviderConfig<SpotifyProfile>;
 
 /**
  * @see [GitLab - Get the current user](https://docs.gitlab.com/api/users/#get-the-current-user)
  */
 interface GitLabProfile {
-    id: number
-    username: string
-    email: string
-    name: string
-    state: string
-    locked: boolean
-    avatar_url: string
-    web_url: string
-    created_at: string
-    bio: string
-    location: string | null
-    public_email: string
-    linkedin: string
-    twitter: string
-    discord: string
-    github: string
-    website_url: string
-    organization: string
-    job_title: string
-    pronouns: string
-    bot: boolean
-    work_information: string | null
-    followers: number
-    following: number
-    local_time: string
-    last_sign_in_at: string
-    confirmed_at: string
-    theme_id: number
-    last_activity_on: string
-    color_scheme_id: number
-    projects_limit: number
-    current_sign_in_at: string
+    id: number;
+    username: string;
+    email: string;
+    name: string;
+    state: string;
+    locked: boolean;
+    avatar_url: string;
+    web_url: string;
+    created_at: string;
+    bio: string;
+    location: string | null;
+    public_email: string;
+    linkedin: string;
+    twitter: string;
+    discord: string;
+    github: string;
+    website_url: string;
+    organization: string;
+    job_title: string;
+    pronouns: string;
+    bot: boolean;
+    work_information: string | null;
+    followers: number;
+    following: number;
+    local_time: string;
+    last_sign_in_at: string;
+    confirmed_at: string;
+    theme_id: number;
+    last_activity_on: string;
+    color_scheme_id: number;
+    projects_limit: number;
+    current_sign_in_at: string;
     identities: {
-        provider: string
-        extern_uid: string
-        saml_provider_id: number | null
-    }[]
-    can_create_group: boolean
-    can_create_project: boolean
-    two_factor_enabled: boolean
-    external: boolean
-    private_profile: boolean
-    commit_email: string
-    preferred_language: string
-    shared_runners_minutes_limit: number | null
-    extra_shared_runners_minutes_limit: number | null
-    scim_identities: unknown[]
+        provider: string;
+        extern_uid: string;
+        saml_provider_id: number | null;
+    }[];
+    can_create_group: boolean;
+    can_create_project: boolean;
+    two_factor_enabled: boolean;
+    external: boolean;
+    private_profile: boolean;
+    commit_email: string;
+    preferred_language: string;
+    shared_runners_minutes_limit: number | null;
+    extra_shared_runners_minutes_limit: number | null;
+    scim_identities: unknown[];
 }
 /**
+ * GitLab OAuth Provider
+ *
  * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
  * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
  * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
  * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
  */
-declare const gitlab: OAuthProviderConfig<GitLabProfile>
+declare const gitlab: OAuthProviderConfig<GitLabProfile>;
 
 /**
  * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
  */
 interface Nameplate {
-    sku_id: string
-    asset: string
-    label: string
-    palette: string
+    sku_id: string;
+    asset: string;
+    label: string;
+    palette: string;
 }
 /**
  * The `snowflake` type is a string type. The attributes defined with this type are:
@@ -141,82 +218,83 @@ interface Nameplate {
  * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
  */
 interface DiscordProfile {
-    id: string
-    username: string
-    discriminator: string
-    global_name: string | null
-    avatar: string | null
-    bot?: boolean
-    system?: boolean
-    mfa_enabled?: boolean
-    banner?: string | null
-    accent_color?: number | null
-    locale?: string
-    verified?: boolean
-    email?: string | null
-    flags?: number
-    premium_type?: number
-    public_flags?: number
+    id: string;
+    username: string;
+    discriminator: string;
+    global_name: string | null;
+    avatar: string | null;
+    bot?: boolean;
+    system?: boolean;
+    mfa_enabled?: boolean;
+    banner?: string | null;
+    accent_color?: number | null;
+    locale?: string;
+    verified?: boolean;
+    email?: string | null;
+    flags?: number;
+    premium_type?: number;
+    public_flags?: number;
     avatar_decoration_data?: {
-        asset: string
-        sku_id: string
-    }
-    collections?: Record<string, Nameplate>
+        asset: string;
+        sku_id: string;
+    };
+    collections?: Record<string, Nameplate>;
     primary_guild?: {
-        identity_guild_id: string
-        identity_enabled: boolean | null
-        tag: string | null
-        badge: string | null
-    }
+        identity_guild_id: string;
+        identity_enabled: boolean | null;
+        tag: string | null;
+        badge: string | null;
+    };
 }
 /**
+ * Discord OAuth Provider
+ *
  * @see [Discord - Applications](https://discord.com/developers/applications)
  * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
  * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
  * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
  * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
  * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
+ * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
  */
-declare const discord: OAuthProviderConfig<DiscordProfile>
+declare const discord: OAuthProviderConfig<DiscordProfile>;
 
 /**
  * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
  */
 interface FigmaProfile {
-    id: string
-    handle: string
-    img_url: string
-    email: string
+    id: string;
+    handle: string;
+    img_url: string;
+    email: string;
 }
 /**
+ * Figma OAuth Provider
  * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
  * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
  * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
  * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
  */
-declare const figma: OAuthProviderConfig<FigmaProfile>
+declare const figma: OAuthProviderConfig<FigmaProfile>;
 
 /**
  * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
  */
 interface BitbucketProfile {
-    display_name: string
-    links: Record<
-        LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">,
-        {
-            href?: string
-        }
-    >
-    created_on: string
-    type: string
-    uuid: string
-    has_2fa_enabled: boolean
-    username: string
-    nickname: string
-    is_staff: boolean
-    account_id: string
-    account_status: LiteralUnion<"active" | "inactive" | "closed">
-    location: string | null
+    display_name: string;
+    links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
+        href?: string;
+    }>;
+    created_on: string;
+    type: string;
+    uuid: string;
+    has_2fa_enabled: boolean;
+    username: string;
+    nickname: string;
+    is_staff: boolean;
+    account_id: string;
+    account_status: LiteralUnion<"active" | "inactive" | "closed">;
+    location: string | null;
 }
 /**
  * Bitbucket OAuth Provider
@@ -229,77 +307,79 @@ interface BitbucketProfile {
  * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
  * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
  */
-declare const bitbucket: OAuthProviderConfig<BitbucketProfile>
+declare const bitbucket: OAuthProviderConfig<BitbucketProfile>;
 
 /**
  * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
  */
 interface GitHubProfile {
-    login: string
-    id: number
-    user_view_type: string
-    node_id: string
-    avatar_url: string
-    gravatar_id: string | null
-    url: string
-    html_url: string
-    followers_url: string
-    following_url: string
-    gists_url: string
-    starred_url: string
-    subscriptions_url: string
-    organizations_url: string
-    repos_url: string
-    events_url: string
-    received_events_url: string
-    type: string
-    site_admin: boolean
-    name: string | null
-    company: string | null
-    blog: string | null
-    location: string | null
-    email: string | null
-    notification_email: string | null
-    hireable: boolean | null
-    bio: string | null
-    twitter_username?: string | null
-    public_repos: number
-    public_gists: number
-    followers: number
-    following: number
-    created_at: string
-    updated_at: string
-    private_gists?: number
-    total_private_repos?: number
-    owned_private_repos?: number
-    disk_usage?: number
-    collaborators?: number
-    two_factor_authentication: boolean
+    login: string;
+    id: number;
+    user_view_type: string;
+    node_id: string;
+    avatar_url: string;
+    gravatar_id: string | null;
+    url: string;
+    html_url: string;
+    followers_url: string;
+    following_url: string;
+    gists_url: string;
+    starred_url: string;
+    subscriptions_url: string;
+    organizations_url: string;
+    repos_url: string;
+    events_url: string;
+    received_events_url: string;
+    type: string;
+    site_admin: boolean;
+    name: string | null;
+    company: string | null;
+    blog: string | null;
+    location: string | null;
+    email: string | null;
+    notification_email: string | null;
+    hireable: boolean | null;
+    bio: string | null;
+    twitter_username?: string | null;
+    public_repos: number;
+    public_gists: number;
+    followers: number;
+    following: number;
+    created_at: string;
+    updated_at: string;
+    private_gists?: number;
+    total_private_repos?: number;
+    owned_private_repos?: number;
+    disk_usage?: number;
+    collaborators?: number;
+    two_factor_authentication: boolean;
     plan?: {
-        collaborators: number
-        name: string
-        space: number
-        private_repos: number
-    }
+        collaborators: number;
+        name: string;
+        space: number;
+        private_repos: number;
+    };
 }
 /**
  * GitHub OAuth Provider
+ *
  * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
  * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
  * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
  * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
  */
-declare const github: OAuthProviderConfig<GitHubProfile>
+declare const github: OAuthProviderConfig<GitHubProfile>;
 
 declare const builtInOAuthProviders: {
-    github: OAuthProviderConfig<GitHubProfile>
-    bitbucket: OAuthProviderConfig<BitbucketProfile>
-    figma: OAuthProviderConfig<FigmaProfile>
-    discord: OAuthProviderConfig<DiscordProfile>
-    gitlab: OAuthProviderConfig<GitLabProfile>
-    spotify: OAuthProviderConfig<SpotifyProfile>
-    x: OAuthProviderConfig<XProfile>
-}
+    readonly github: OAuthProviderConfig<GitHubProfile>;
+    readonly bitbucket: OAuthProviderConfig<BitbucketProfile>;
+    readonly figma: OAuthProviderConfig<FigmaProfile>;
+    readonly discord: OAuthProviderConfig<DiscordProfile>;
+    readonly gitlab: OAuthProviderConfig<GitLabProfile>;
+    readonly spotify: OAuthProviderConfig<SpotifyProfile>;
+    readonly x: OAuthProviderConfig<XProfile>;
+    readonly strava: OAuthProviderConfig<StravaProfile>;
+};
 /**
  * Constructs OAuth provider configurations from an array of provider names or configurations.
  * It loads the client ID and client secret from environment variables if only the provider name is provided.
@@ -307,110 +387,91 @@ declare const builtInOAuthProviders: {
  * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
  * @returns A record of OAuth provider configurations
  */
-declare const createBuiltInOAuthProviders: (
-    oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials)[]
-) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>
-type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders
+declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
+type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
 
 /**
  * Standard JWT claims that are managed internally by the token system.
  * These fields are typically filtered out before returning user data.
  */
-type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">
+type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
+/**
+ * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
+ */
+type JWTPayloadWithToken = JWTPayload & {
+    token: string;
+};
 /**
  * Standardized user profile returned by OAuth providers after fetching user information
  * and mapping the response to this format by default or via the `profile` custom function.
  */
 interface User {
-    sub: string
-    name?: string
-    email?: string
-    image?: string
+    sub: string;
+    name?: string | null;
+    email?: string | null;
+    image?: string | null;
 }
 /**
  * Session data returned by the session endpoint.
  */
 interface Session {
-    user: User
-    expires: string
+    user: User;
+    expires: string;
 }
 /**
  * Configuration for an OAuth provider without credentials.
  * Use this type when defining provider metadata and endpoints.
  */
 interface OAuthProviderConfig<Profile extends object = {}> {
-    id: string
-    name: string
-    authorizeURL: string
-    accessToken: string
-    userInfo: string
-    scope: string
-    responseType: string
-    profile?: (profile: Profile) => User | Promise<User>
+    id: string;
+    name: string;
+    authorizeURL: string;
+    accessToken: string;
+    userInfo: string;
+    scope: string;
+    responseType: "code" | "token" | "refresh_token" | "id_token";
+    profile?: (profile: Profile) => User | Promise<User>;
 }
 /**
  * OAuth provider configuration with client credentials.
  * Extends OAuthProviderConfig with clientId and clientSecret.
  */
-interface OAuthProviderCredentials extends OAuthProviderConfig {
-    clientId: string
-    clientSecret: string
+interface OAuthProviderCredentials<Profile extends object = {}> extends OAuthProviderConfig<Profile> {
+    clientId: string;
+    clientSecret: string;
 }
 /**
  * Complete OAuth provider type combining configuration and credentials.
  */
-type OAuthProvider<Profile extends Record<string, unknown> = {}> = OAuthProviderConfig<Profile> & OAuthProviderCredentials
+type OAuthProvider<Profile extends object = {}> = OAuthProviderCredentials<Profile>;
 /**
  * Cookie type with __Secure- prefix, must be Secure.
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
  */
 type SecureCookie = {
-    strategy: "secure"
-} & {
-    options?: Prettify<Omit<SerializeOptions, "secure" | "encode">>
-}
+    strategy: "secure";
+} & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
 /**
  * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
  */
 type HostCookie = {
-    strategy: "host"
-} & {
-    options?: Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>
-}
+    strategy: "host";
+} & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
 /**
  * Standard cookie type without security prefixes.
  * Can be sent over both HTTP and HTTPS connections (default in development).
  */
 type StandardCookie = {
-    strategy?: "standard"
-} & {
-    options?: Prettify<Omit<SerializeOptions, "encode">>
-}
+    strategy?: "standard";
+} & Prettify<Omit<SerializeOptions, "encode">>;
 /**
  * Union type for cookie options based on the specified strategy.
  * - `secure`: Cookies are only sent over HTTPS connections
  * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
  * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
  */
-type CookieStrategyOptions = StandardCookie | SecureCookie | HostCookie
-/**
- * Configuration options for cookies used in Aura Auth.
- * @see {@link AuthConfig.cookies}
- */
-type CookieConfig = Prettify<
-    {
-        name?: string
-    } & CookieStrategyOptions
->
-/**
- * Internal representation of cookie configuration with all options resolved.
- * @internal
- */
-type CookieConfigInternal = {
-    name?: string
-    prefix?: string
-} & SerializeOptions
+type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
 /**
  * Names of cookies used by Aura Auth for session management and OAuth flows.
  * - `sessionToken`: User session JWT
@@ -421,7 +482,18 @@ type CookieConfigInternal = {
  * - `redirect_to`: Post-authentication redirect path
  * - `nonce`: OpenID Connect nonce parameter
  */
-type CookieName = "sessionToken" | "csrfToken" | "state" | "nonce" | "code_verifier" | "redirect_to" | "redirect_uri"
+type CookieName = "sessionToken" | "csrfToken" | "state" | "code_verifier" | "redirect_to" | "redirect_uri";
+type CookieStoreConfig = Record<CookieName, {
+    name: string;
+    attributes: CookieStrategyAttributes;
+}>;
+interface CookieConfig {
+    /**
+     * Prefix to be added to all cookie names. By default "aura-stack".
+     */
+    prefix?: string;
+    overrides?: Partial<CookieStoreConfig>;
+}
 /**
  * Main configuration interface for Aura Auth.
  * This is the user-facing configuration object passed to `createAuth()`.
@@ -450,7 +522,7 @@ interface AuthConfig {
      *   }
      * ]
      */
-    oauth: (BuiltInOAuthProvider | OAuthProviderCredentials)[]
+    oauth: (BuiltInOAuthProvider | OAuthProviderCredentials)[];
     /**
      * Cookie options defines the configuration for cookies used in Aura Auth.
      * It includes a prefix for cookie names and flag options to determine
@@ -469,17 +541,17 @@ interface AuthConfig {
      * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
      * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
      */
-    cookies?: CookieConfig
+    cookies?: Partial<CookieConfig>;
     /**
      * Secret used to sign and verify JWT tokens for session and csrf protection.
      * If not provided, it will load from the environment variable `AURA_AUTH_SECRET`, but if it
      * doesn't exist, it will throw an error during the initialization of the Auth module.
      */
-    secret?: string
+    secret?: string;
     /**
      * Base path for all authentication routes. Default is `/auth`.
      */
-    basePath?: `/${string}`
+    basePath?: `/${string}`;
     /**
      * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
      * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
@@ -494,104 +566,65 @@ interface AuthConfig {
      * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
      * @experimental
      */
-    trustedProxyHeaders?: boolean
+    trustedProxyHeaders?: boolean;
 }
 interface JoseInstance {
-    decodeJWT: (token: string) => Promise<JWTPayload>
-    encodeJWT: (payload: JWTPayload) => Promise<string>
-    signJWS: (payload: JWTPayload) => Promise<string>
-    verifyJWS: (payload: string) => Promise<JWTPayload>
+    decodeJWT: (token: string) => Promise<JWTPayload>;
+    encodeJWT: (payload: JWTPayload) => Promise<string>;
+    signJWS: (payload: JWTPayload) => Promise<string>;
+    verifyJWS: (payload: string) => Promise<JWTPayload>;
+    encryptJWE: (payload: string) => Promise<string>;
+    decryptJWE: (payload: string) => Promise<string>;
+}
+interface RouterGlobalContext {
+    oauth: Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
+    cookies: CookieStoreConfig;
+    jose: JoseInstance;
+    secret?: string;
+    basePath: string;
+    trustedProxyHeaders: boolean;
 }
 /**
  * Internal runtime configuration used within Aura Auth after initialization.
  * All optional fields from AuthConfig are resolved to their default values.
- * @internal
- * @todo: is this needed?
- */
-interface AuthRuntimeConfig {
-    oauth: Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>
-    cookies: CookieConfig
-    secret: string
-    jose: JoseInstance
-}
-interface RouterGlobalContext {
-    oauth: Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>
-    cookies: CookieConfigInternal
-    jose: JoseInstance
-    basePath: string
-    trustedProxyHeaders: boolean
-}
+ */
+type AuthRuntimeConfig = RouterGlobalContext;
 interface AuthInstance {
     handlers: {
-        GET: (request: Request) => Response | Promise<Response>
-        POST: (request: Request) => Response | Promise<Response>
-    }
-    jose: JoseInstance
+        GET: (request: Request) => Response | Promise<Response>;
+        POST: (request: Request) => Response | Promise<Response>;
+    };
+    jose: JoseInstance;
 }
 /**
  * Base OAuth error response structure.
  */
 interface OAuthError<T extends string> {
-    error: T
-    error_description?: string
+    error: T;
+    error_description?: string;
 }
 /**
  * OAuth 2.0 Authorization Error Response Types
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
  */
-type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>
+type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
 /**
  * OAuth 2.0 Access Token Error Response Types
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
  */
-type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>
+type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
 /**
  * OAuth 2.0 Token Revocation Error Response Types
  * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
  */
-type TokenRevocationError = OAuthError<"invalid_session_token" | "invalid_csrf_token" | "invalid_redirect_to">
-type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"]
+type TokenRevocationError = OAuthError<"invalid_session_token">;
+type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
+type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION";
+type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
+type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
+type APIErrorMap = Record<string, {
+    code: string;
+    message: string;
+}>;
 
-export {
-    type AuthRuntimeConfig as A,
-    type BitbucketProfile as B,
-    type CookieConfig as C,
-    type DiscordProfile as D,
-    type ErrorType as E,
-    type FigmaProfile as F,
-    type GitLabProfile as G,
-    type HostCookie as H,
-    type JoseInstance as J,
-    type Nameplate as N,
-    type OAuthProvider as O,
-    type RouterGlobalContext as R,
-    type Session as S,
-    type TokenRevocationError as T,
-    type User as U,
-    type XProfile as X,
-    type CookieConfigInternal as a,
-    type CookieName as b,
-    type AuthConfig as c,
-    type AuthInstance as d,
-    type OAuthProviderConfig as e,
-    type OAuthProviderCredentials as f,
-    type SpotifyProfile as g,
-    gitlab as h,
-    discord as i,
-    figma as j,
-    bitbucket as k,
-    type GitHubProfile as l,
-    github as m,
-    builtInOAuthProviders as n,
-    createBuiltInOAuthProviders as o,
-    type BuiltInOAuthProvider as p,
-    type JWTStandardClaims as q,
-    type SecureCookie as r,
-    spotify as s,
-    type StandardCookie as t,
-    type CookieStrategyOptions as u,
-    type OAuthError as v,
-    type AuthorizationError as w,
-    x,
-    type AccessTokenError as y,
-}
+export { type AuthRuntimeConfig as A, type BitbucketProfile as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type SecureCookie as H, type Image as I, type JWTPayloadWithToken as J, type HostCookie as K, type StandardCookie as L, type CookieStrategyAttributes as M, type Nameplate as N, type OAuthProvider as O, type CookieName as P, type OAuthError as Q, type RouterGlobalContext as R, type Session as S, type AuthorizationError as T, type User as U, type AccessTokenError as V, type TokenRevocationError as W, type XProfile as X, type OAuthEnv as Y, type CookieStoreConfig as a, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type APIErrorMap as i, type SummaryClub as j, type SummaryGear as k, type StravaProfile as l, type SpotifyProfile as m, spotify as n, gitlab as o, discord as p, figma as q, bitbucket as r, strava as s, type GitHubProfile as t, github as u, builtInOAuthProviders as v, createBuiltInOAuthProviders as w, x, type BuiltInOAuthProvider as y, type JWTStandardClaims as z };