@aura-stack/auth 0.1.0 → 0.2.0

package/dist/@types/index.d.ts

@@ -1,7 +1,6 @@
 import 'zod/v4';
-import '@aura-stack/jose/jose';
 import '../schemas.js';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
+export { i as APIErrorMap, V as AccessTokenError, d as AuthConfig, e as AuthInstance, b as AuthInternalErrorCode, A as AuthRuntimeConfig, c as AuthSecurityErrorCode, T as AuthorizationError, C as CookieConfig, P as CookieName, a as CookieStoreConfig, M as CookieStrategyAttributes, E as ErrorType, K as HostCookie, J as JWTPayloadWithToken, z as JWTStandardClaims, f as JoseInstance, Y as OAuthEnv, Q as OAuthError, O as OAuthProvider, g as OAuthProviderConfig, h as OAuthProviderCredentials, R as RouterGlobalContext, H as SecureCookie, S as Session, L as StandardCookie, W as TokenRevocationError, U as User } from '../index-EqsoyjrF.js';
 export { LiteralUnion, Prettify } from './utility.js';
-export { y as AccessTokenError, c as AuthConfig, d as AuthInstance, A as AuthRuntimeConfig, w as AuthorizationError, C as CookieConfig, a as CookieConfigInternal, b as CookieName, u as CookieStrategyOptions, E as ErrorType, H as HostCookie, q as JWTStandardClaims, J as JoseInstance, v as OAuthError, O as OAuthProvider, e as OAuthProviderConfig, f as OAuthProviderCredentials, R as RouterGlobalContext, r as SecureCookie, S as Session, t as StandardCookie, T as TokenRevocationError, U as User } from '../index-DpfbvTZ_.js';
-import 'zod/v4/core';

package/dist/@types/router.d.d.ts

@@ -1,9 +1,8 @@
-import { R as RouterGlobalContext } from '../index-DpfbvTZ_.js';
+import { R as RouterGlobalContext } from '../index-EqsoyjrF.js';
 import 'zod/v4';
-import '@aura-stack/jose/jose';
 import '../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
 import './utility.js';
 
 declare module "@aura-stack/router" {

package/dist/@types/utility.d.ts

@@ -1,10 +1,6 @@
 type Prettify<T> = {
     [K in keyof T]: T[K];
-} & {
-    __aura_auth_prettify_brand?: never;
-};
-type LiteralUnion<T extends U, U = string> = (T | (U & Record<never, never>)) & {
-    __aura_auth_literal_union_brand?: never;
 };
+type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
 
 export type { LiteralUnion, Prettify };

package/dist/actions/callback/access-token.cjs

@@ -24,52 +24,57 @@ __export(access_token_exports, {
 });
 module.exports = __toCommonJS(access_token_exports);
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/utils.ts
+var import_router = require("@aura-stack/router");
+
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options2) {
+    super(description, options2);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
+
+// src/utils.ts
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
   }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
 };
 
 // src/schemas.ts
 var import_v4 = require("zod/v4");
 var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
+  authorizeURL: (0, import_v4.httpUrl)(),
+  accessToken: (0, import_v4.httpUrl)(),
   scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
+  userInfo: (0, import_v4.httpUrl)(),
   responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
   clientId: (0, import_v4.string)(),
   clientSecret: (0, import_v4.string)()
@@ -81,8 +86,8 @@ var OAuthAuthorization = OAuthProviderConfigSchema.extend({
   codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
 });
 var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
+  state: (0, import_v4.string)("Missing state parameter in the OAuth authorization response."),
+  code: (0, import_v4.string)("Missing code parameter in the OAuth authorization response.")
 });
 var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.enum)([
@@ -126,12 +131,17 @@ var OAuthErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.string)(),
   error_description: (0, import_v4.string)().optional()
 });
+var OAuthEnvSchema = (0, import_v4.object)({
+  clientId: import_v4.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_v4.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
 // src/actions/callback/access-token.ts
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
   const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
   try {
@@ -155,13 +165,13 @@ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) =>
     if (!token.success) {
       const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
       if (!success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
       }
-      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
     }
     return token.data;
   } catch (error) {
-    throw throwAuthError(error, "Failed to create access token");
+    throw error;
   }
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/actions/callback/access-token.d.ts

@@ -1,9 +1,8 @@
-import { f as OAuthProviderCredentials } from '../../index-DpfbvTZ_.js';
+import { h as OAuthProviderCredentials } from '../../index-EqsoyjrF.js';
 import 'zod/v4';
-import '@aura-stack/jose/jose';
 import '../../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
 import '../../@types/utility.js';
 
 /**

package/dist/actions/callback/access-token.js

@@ -1,8 +1,9 @@
 import {
   createAccessToken
-} from "../../chunk-UJJ7R56J.js";
-import "../../chunk-FJUDBLCP.js";
-import "../../chunk-HMRKN75I.js";
+} from "../../chunk-4V4JNXVF.js";
+import "../../chunk-WD7AUHQ5.js";
+import "../../chunk-CXLATHS5.js";
+import "../../chunk-RRLIF4PQ.js";
 export {
   createAccessToken
 };

package/dist/actions/callback/callback.cjs

@@ -42,53 +42,54 @@ var import_node_crypto = __toESM(require("crypto"), 1);
 // src/utils.ts
 var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options2) {
+    super(description, options2);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
 
 // src/utils.ts
 var equals = (a, b) => {
   if (a === null || b === null || a === void 0 || b === void 0) return false;
   return a === b;
 };
-var sanitizeURL = (url2) => {
+var sanitizeURL = (url) => {
   try {
-    let decodedURL = decodeURIComponent(url2).trim();
+    let decodedURL = decodeURIComponent(url).trim();
     const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
     let protocol = "";
     let rest = decodedURL;
@@ -116,7 +117,7 @@ var sanitizeURL = (url2) => {
     }
     return sanitized;
   } catch {
-    return url2.trim();
+    return url.trim();
   }
 };
 var isValidRelativePath = (path) => {
@@ -127,6 +128,21 @@ var isValidRelativePath = (path) => {
   if (sanitized.includes("..")) return false;
   return true;
 };
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
 // src/secure.ts
 var generateSecure = (length = 32) => {
@@ -157,10 +173,10 @@ var cacheControl = {
 // src/schemas.ts
 var import_v4 = require("zod/v4");
 var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
+  authorizeURL: (0, import_v4.httpUrl)(),
+  accessToken: (0, import_v4.httpUrl)(),
   scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
+  userInfo: (0, import_v4.httpUrl)(),
   responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
   clientId: (0, import_v4.string)(),
   clientSecret: (0, import_v4.string)()
@@ -172,8 +188,8 @@ var OAuthAuthorization = OAuthProviderConfigSchema.extend({
   codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
 });
 var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
+  state: (0, import_v4.string)("Missing state parameter in the OAuth authorization response."),
+  code: (0, import_v4.string)("Missing code parameter in the OAuth authorization response.")
 });
 var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.enum)([
@@ -217,6 +233,10 @@ var OAuthErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.string)(),
   error_description: (0, import_v4.string)().optional()
 });
+var OAuthEnvSchema = (0, import_v4.object)({
+  clientId: import_v4.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_v4.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
 // src/actions/callback/userinfo.ts
 var getDefaultUserInfo = (profile) => {
@@ -241,18 +261,20 @@ var getUserInfo = async (oauthConfig, accessToken) => {
     const json = await response.json();
     const { success, data } = OAuthErrorResponse.safeParse(json);
     if (success) {
-      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
     }
     return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
   } catch (error) {
-    throw throwAuthError(error, "Failed to retrieve userinfo");
-  }
-};
-
-// src/response.ts
-var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
   }
 };
 
@@ -260,7 +282,8 @@ var AuraResponse = class extends Response {
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
   const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
   try {
@@ -284,137 +307,53 @@ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) =>
     if (!token.success) {
       const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
       if (!success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
       }
-      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
     }
     return token.data;
   } catch (error) {
-    throw throwAuthError(error, "Failed to create access token");
+    throw error;
   }
 };
 
 // src/cookie.ts
-var import_cookie = require("cookie");
-
-// src/assert.ts
-var isRequest = (value) => {
-  return typeof Request !== "undefined" && value instanceof Request;
-};
-
-// src/cookie.ts
-var import_cookie2 = require("cookie");
-var COOKIE_NAME = "aura-auth";
+var import_cookie = require("@aura-stack/router/cookie");
 var defaultCookieOptions = {
   httpOnly: true,
   sameSite: "lax",
   path: "/",
   maxAge: 60 * 60 * 24 * 15
 };
-var defaultStandardCookieConfig = {
-  secure: false,
+var oauthCookieOptions = {
   httpOnly: true,
-  prefix: ""
-};
-var defaultSecureCookieConfig = {
-  secure: true,
-  prefix: "__Secure-"
-};
-var defaultHostCookieConfig = {
-  secure: true,
-  prefix: "__Host-",
-  path: "/",
-  domain: void 0
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
 };
-var expiredCookieOptions = {
+var expiredCookieAttributes = {
   ...defaultCookieOptions,
   expires: /* @__PURE__ */ new Date(0),
   maxAge: 0
 };
-var defineDefaultCookieOptions = (options2) => {
-  return {
-    name: options2?.name ?? COOKIE_NAME,
-    prefix: options2?.prefix ?? (options2?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options2
-  };
-};
-var setCookie = (cookieName, value, options2) => {
-  const { prefix, name } = defineDefaultCookieOptions(options2);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options2
-  });
-};
-var getCookie = (petition, cookie, options2, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
   if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
   }
-  const { name, prefix } = defineDefaultCookieOptions(options2);
-  const parsedCookies = (0, import_cookie.parse)(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  const value = (0, import_cookie.parse)(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
   }
   return value;
 };
-var createSessionCookie = async (session, cookieOptions, jose) => {
+var createSessionCookie = async (jose, session) => {
   try {
     const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
+    return encoded;
   } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
-  }
-};
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
-    console.warn(
-      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-    );
-  }
-  if (cookieOptions.options?.domain === "*") {
-    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
   }
-  if (!isSecure) {
-    const options2 = cookieOptions.options;
-    if (options2?.secure) {
-      console.warn(
-        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-      );
-    }
-    if (options2?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
-    }
-    if (process.env.NODE_ENV === "production") {
-      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
-    }
-    return {
-      ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options2?.sameSite === "none" ? "lax" : options2?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
-    };
-  }
-  return cookieOptions.strategy === "host" ? {
-    ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options2) => {
-  return setCookie(name, "", { ...options2, ...expiredCookieOptions });
 };
 
 // src/actions/callback/callback.ts
@@ -423,7 +362,7 @@ var callbackConfig = (oauth) => {
     schemas: {
       searchParams: OAuthAuthorizationResponse,
       params: import_zod.default.object({
-        oauth: import_zod.default.enum(Object.keys(oauth))
+        oauth: import_zod.default.enum(Object.keys(oauth), "The OAuth provider is not supported or invalid.")
       })
     },
     middlewares: [
@@ -431,7 +370,7 @@ var callbackConfig = (oauth) => {
         const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
         if (response.success) {
           const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
         }
         return ctx;
       }
@@ -447,66 +386,32 @@ var callbackAction = (oauth) => {
         request,
         params: { oauth: oauth2 },
         searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
+        context: { oauth: providers, cookies, jose }
       } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
-            },
-            trustedProxyHeaders
-          )
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirect_to.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirect_uri.name);
+      const codeVerifier = getCookie(request, cookies.code_verifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
         );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: import_router2.statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: import_router2.statusCode.INTERNAL_SERVER_ERROR }
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
         );
       }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new import_router2.HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirect_uri.name, "", expiredCookieAttributes).setCookie(cookies.redirect_to.name, "", expiredCookieAttributes).setCookie(cookies.code_verifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
     },
     callbackConfig(oauth)
   );