@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/index.cjs

@@ -36,58 +36,60 @@ module.exports = __toCommonJS(index_exports);
 var import_config2 = require("dotenv/config");
 var import_router7 = require("@aura-stack/router");
 
+// src/jose.ts
+var import_config = require("dotenv/config");
+var import_jose = require("@aura-stack/jose");
+
+// src/secure.ts
+var import_crypto = __toESM(require("crypto"), 1);
+
 // src/utils.ts
 var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options2) {
+    super(description, options2);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var isAuthError = (error) => {
-  return error instanceof AuthError;
+var isNativeError = (error) => {
+  return error instanceof Error;
 };
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
 };
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
 };
 
 // src/utils.ts
@@ -107,9 +109,9 @@ var equals = (a, b) => {
   if (a === null || b === null || a === void 0 || b === void 0) return false;
   return a === b;
 };
-var sanitizeURL = (url2) => {
+var sanitizeURL = (url) => {
   try {
-    let decodedURL = decodeURIComponent(url2).trim();
+    let decodedURL = decodeURIComponent(url).trim();
     const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
     let protocol = "";
     let rest = decodedURL;
@@ -137,7 +139,7 @@ var sanitizeURL = (url2) => {
     }
     return sanitized;
   } catch {
-    return url2.trim();
+    return url.trim();
   }
 };
 var isValidRelativePath = (path) => {
@@ -151,20 +153,42 @@ var isValidRelativePath = (path) => {
 var onErrorHandler = (error) => {
   if ((0, import_router.isRouterError)(error)) {
     const { message, status, statusText } = error;
-    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
   }
-  if (isAuthError(error)) {
-    const { type, message } = error;
-    return Response.json({ error: type, error_description: message }, { status: 400 });
+  if ((0, import_router.isInvalidZodSchemaError)(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
+  }
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
   }
-  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
 };
 var getNormalizedOriginPath = (path) => {
   try {
-    const url2 = new URL(path);
-    url2.hash = "";
-    url2.search = "";
-    return `${url2.origin}${url2.pathname}`;
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
   } catch {
     return sanitizeURL(path);
   }
@@ -172,18 +196,41 @@ var getNormalizedOriginPath = (path) => {
 var toISOString = (date) => {
   return new Date(date).toISOString();
 };
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
-// src/jose.ts
-var import_config = require("dotenv/config");
-var import_jose = require("@aura-stack/jose");
+// src/assert.ts
+var isValidURL = (value) => {
+  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
+  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
+  return regex.test(value);
+};
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 
 // src/secure.ts
-var import_node_crypto = __toESM(require("crypto"), 1);
 var generateSecure = (length = 32) => {
-  return import_node_crypto.default.randomBytes(length).toString("base64url");
+  return import_crypto.default.randomBytes(length).toString("base64url");
 };
 var createHash = (data, base = "hex") => {
-  return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base);
+  return import_crypto.default.createHash("sha256").update(data).digest().toString(base);
 };
 var createPKCE = async (verifier) => {
   const codeVerifier = verifier ?? generateSecure(86);
@@ -205,59 +252,60 @@ var createCSRF = async (jose, csrfCookie) => {
 };
 var verifyCSRF = async (jose, cookie, header) => {
   try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
     if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
-    if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
+    if (!import_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     return true;
   } catch {
-    throw new InvalidCsrfTokenError();
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
   }
 };
 var createDerivedSalt = (secret) => {
-  return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+  return import_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
 };
 
 // src/jose.ts
 var createJoseInstance = (secret) => {
-  secret ?? (secret = process.env.AURA_AUTH_SECRET);
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
   if (!secret) {
-    throw new AuthError("JOSE_INIT_ERROR", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.");
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
   }
-  const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret);
-  const { derivedKey: derivedSessionKey } = (0, import_jose.createDeriveKey)(secret, salt, "session");
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = (0, import_jose.createDeriveKey)(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = (0, import_jose.createDeriveKey)(secret, salt, "encryption");
   const { derivedKey: derivedCsrfTokenKey } = (0, import_jose.createDeriveKey)(secret, salt, "csrfToken");
-  const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)(derivedSessionKey);
+  const { decodeJWT, encodeJWT } = (0, import_jose.createJWT)({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
   const { signJWS, verifyJWS } = (0, import_jose.createJWS)(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = (0, import_jose.createJWE)(derivedEncryptionKey);
   return {
     decodeJWT,
     encodeJWT,
     signJWS,
-    verifyJWS
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
   };
 };
 
 // src/cookie.ts
-var import_cookie = require("cookie");
-
-// src/assert.ts
-var isRequest = (value) => {
-  return typeof Request !== "undefined" && value instanceof Request;
-};
-var isValidURL = (value) => {
-  if (value.includes("\r\n") || value.includes("\n") || value.includes("\r")) return false;
-  const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
-  return regex.test(value);
-};
-
-// src/cookie.ts
-var import_cookie2 = require("cookie");
+var import_cookie = require("@aura-stack/router/cookie");
 var COOKIE_NAME = "aura-auth";
 var defaultCookieOptions = {
   httpOnly: true,
@@ -265,123 +313,162 @@ var defaultCookieOptions = {
   path: "/",
   maxAge: 60 * 60 * 24 * 15
 };
-var defaultCookieConfig = {
-  strategy: "standard",
-  name: COOKIE_NAME,
-  options: defaultCookieOptions
-};
 var defaultStandardCookieConfig = {
   secure: false,
-  httpOnly: true,
-  prefix: ""
+  httpOnly: true
 };
 var defaultSecureCookieConfig = {
   secure: true,
-  prefix: "__Secure-"
+  httpOnly: true
 };
 var defaultHostCookieConfig = {
   secure: true,
-  prefix: "__Host-",
+  httpOnly: true,
   path: "/",
   domain: void 0
 };
-var expiredCookieOptions = {
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options2) => {
+  return (0, import_cookie.serialize)(cookieName, value, options2);
+};
+var expiredCookieAttributes = {
   ...defaultCookieOptions,
   expires: /* @__PURE__ */ new Date(0),
   maxAge: 0
 };
-var defineDefaultCookieOptions = (options2) => {
-  return {
-    name: options2?.name ?? COOKIE_NAME,
-    prefix: options2?.prefix ?? (options2?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options2
-  };
-};
-var setCookie = (cookieName, value, options2) => {
-  const { prefix, name } = defineDefaultCookieOptions(options2);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options2
-  });
-};
-var getCookie = (petition, cookie, options2, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
   if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
   }
-  const { name, prefix } = defineDefaultCookieOptions(options2);
-  const parsedCookies = (0, import_cookie.parse)(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  const value = (0, import_cookie.parse)(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
   }
   return value;
 };
-var createSessionCookie = async (session, cookieOptions, jose) => {
+var createSessionCookie = async (jose, session) => {
   try {
     const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
+    return encoded;
   } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
   }
 };
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
     console.warn(
       "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
     );
   }
-  if (cookieOptions.options?.domain === "*") {
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
     console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
   }
-  if (!isSecure) {
-    const options2 = cookieOptions.options;
-    if (options2?.secure) {
+  if (!useSecure) {
+    if (attributes.secure) {
       console.warn(
         "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
       );
     }
-    if (options2?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
     }
     if (process.env.NODE_ENV === "production") {
       console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
     }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
     return {
       ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options2?.sameSite === "none" ? "lax" : options2?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
+      ...attributes,
+      ...defaultStandardCookieConfig
     };
   }
-  return cookieOptions.strategy === "host" ? {
+  return strategy === "host" ? {
     ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options2) => {
-  return setCookie(name, "", { ...options2, ...expiredCookieOptions });
-};
-var oauthCookie = (options2) => {
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
   return {
-    ...options2,
-    secure: options2.secure,
-    httpOnly: options2.httpOnly,
-    maxAge: 5 * 60,
-    expires: new Date(Date.now() + 5 * 60 * 1e3)
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "session_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrf_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirectTo: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectTo?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectTo?.attributes
+        },
+        overrides?.redirectTo?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirectURI: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectURI?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectURI?.attributes
+        },
+        overrides?.redirectURI?.attributes?.strategy ?? "secure"
+      )
+    },
+    codeVerifier: {
+      name: `${securePrefix}${prefix}.${overrides?.codeVerifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.codeVerifier?.attributes
+        },
+        overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+      )
+    }
   };
 };
 
@@ -453,7 +540,6 @@ var discord = {
     }
     return {
       sub: profile.id,
-      // https://discord.com/developers/docs/change-log#display-names
       name: profile.global_name ?? profile.username,
       email: profile.email ?? "",
       image
@@ -518,75 +604,86 @@ var x = {
   }
 };
 
-// src/oauth/index.ts
-var builtInOAuthProviders = {
-  github,
-  bitbucket,
-  figma,
-  discord,
-  gitlab,
-  spotify,
-  x
-};
-var defineOAuthEnvironment = (oauth) => {
-  const env = process.env;
-  return {
-    clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
-    clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`]
-  };
-};
-var defineOAuthProviderConfig = (config2) => {
-  if (typeof config2 === "string") {
-    const definition = defineOAuthEnvironment(config2);
-    const oauthConfig = builtInOAuthProviders[config2];
+// src/oauth/strava.ts
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
     return {
-      ...oauthConfig,
-      ...definition
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
     };
   }
-  return config2;
-};
-var createBuiltInOAuthProviders = (oauth = []) => {
-  return oauth.reduce((previous, config2) => {
-    const oauthConfig = defineOAuthProviderConfig(config2);
-    return { ...previous, [oauthConfig.id]: oauthConfig };
-  }, {});
 };
 
-// src/actions/signIn/signIn.ts
-var import_zod = __toESM(require("zod"), 1);
-var import_router2 = require("@aura-stack/router");
+// src/oauth/mailchimp.ts
+var mailchimp = {
+  id: "mailchimp",
+  name: "Mailchimp",
+  authorizeURL: "https://login.mailchimp.com/oauth2/authorize",
+  accessToken: "https://login.mailchimp.com/oauth2/token",
+  userInfo: "https://login.mailchimp.com/oauth2/metadata",
+  scope: "",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.user_id,
+      name: profile.accountname,
+      email: profile.login.login_email,
+      image: null
+    };
+  }
+};
 
-// src/response.ts
-var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
+// src/oauth/pinterest.ts
+var pinterest = {
+  id: "pinterest",
+  name: "Pinterest",
+  authorizeURL: "https://api.pinterest.com/oauth/",
+  accessToken: "https://api.pinterest.com/v5/oauth/token",
+  userInfo: "https://api.pinterest.com/v5/user_account",
+  scope: "user_accounts:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.username,
+      email: null,
+      image: profile.profile_image
+    };
   }
 };
 
 // src/schemas.ts
-var import_v4 = require("zod/v4");
-var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
-  scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
-  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
-  clientId: (0, import_v4.string)(),
-  clientSecret: (0, import_v4.string)()
+var import_zod = require("zod");
+var OAuthProviderConfigSchema = (0, import_zod.object)({
+  authorizeURL: (0, import_zod.string)().url(),
+  accessToken: (0, import_zod.string)().url(),
+  scope: (0, import_zod.string)().optional(),
+  userInfo: (0, import_zod.string)().url(),
+  responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_zod.string)(),
+  clientSecret: (0, import_zod.string)()
 });
 var OAuthAuthorization = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  state: (0, import_v4.string)(),
-  codeChallenge: (0, import_v4.string)(),
-  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+  redirectURI: (0, import_zod.string)(),
+  state: (0, import_zod.string)(),
+  codeChallenge: (0, import_zod.string)(),
+  codeChallengeMethod: (0, import_zod.enum)(["plain", "S256"])
 });
-var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
+var OAuthAuthorizationResponse = (0, import_zod.object)({
+  state: (0, import_zod.string)({ message: "Missing state parameter in the OAuth authorization response." }),
+  code: (0, import_zod.string)({ message: "Missing code parameter in the OAuth authorization response." })
 });
-var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
+var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
     "invalid_request",
     "unauthorized_client",
     "access_denied",
@@ -595,24 +692,24 @@ var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
     "server_error",
     "temporarily_unavailable"
   ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional(),
-  state: (0, import_v4.string)()
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional(),
+  state: (0, import_zod.string)()
 });
 var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  code: (0, import_v4.string)(),
-  codeVerifier: (0, import_v4.string)().min(43).max(128)
+  redirectURI: (0, import_zod.string)(),
+  code: (0, import_zod.string)(),
+  codeVerifier: (0, import_zod.string)().min(43).max(128)
 });
-var OAuthAccessTokenResponse = (0, import_v4.object)({
-  access_token: (0, import_v4.string)(),
-  token_type: (0, import_v4.string)(),
-  expires_in: (0, import_v4.number)().optional(),
-  refresh_token: (0, import_v4.string)().optional(),
-  scope: (0, import_v4.string)().optional()
+var OAuthAccessTokenResponse = (0, import_zod.object)({
+  access_token: (0, import_zod.string)(),
+  token_type: (0, import_zod.string)().optional(),
+  expires_in: (0, import_zod.number)().optional(),
+  refresh_token: (0, import_zod.string)().optional(),
+  scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
 });
-var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
+var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
     "invalid_request",
     "invalid_client",
     "invalid_grant",
@@ -620,19 +717,81 @@ var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
     "unsupported_grant_type",
     "invalid_scope"
   ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional()
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional()
 });
-var OAuthErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.string)(),
-  error_description: (0, import_v4.string)().optional()
+var OAuthErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.string)(),
+  error_description: (0, import_zod.string)().optional()
 });
+var OAuthEnvSchema = (0, import_zod.object)({
+  clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
+
+// src/oauth/index.ts
+var builtInOAuthProviders = {
+  github,
+  bitbucket,
+  figma,
+  discord,
+  gitlab,
+  spotify,
+  x,
+  strava,
+  mailchimp,
+  pinterest
+};
+var defineOAuthEnvironment = (oauth) => {
+  const env = process.env;
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
+};
+var defineOAuthProviderConfig = (config2) => {
+  if (typeof config2 === "string") {
+    const definition = defineOAuthEnvironment(config2);
+    const oauthConfig = builtInOAuthProviders[config2];
+    return {
+      ...oauthConfig,
+      ...definition
+    };
+  }
+  return config2;
+};
+var createBuiltInOAuthProviders = (oauth = []) => {
+  return oauth.reduce((previous, config2) => {
+    const oauthConfig = defineOAuthProviderConfig(config2);
+    return { ...previous, [oauthConfig.id]: oauthConfig };
+  }, {});
+};
+
+// src/actions/signIn/signIn.ts
+var import_zod2 = require("zod");
+var import_router2 = require("@aura-stack/router");
+
+// src/headers.ts
+var cacheControl = {
+  "Cache-Control": "no-store",
+  Pragma: "no-cache",
+  Expires: "0",
+  Vary: "Cookie"
+};
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
   const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { authorizeURL, ...options2 } = parsed.data;
   const { userInfo, accessToken, clientSecret, ...required } = options2;
@@ -650,8 +809,8 @@ var getOriginURL = (request, trustedProxyHeaders) => {
   }
 };
 var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
-  const url2 = getOriginURL(request, trustedProxyHeaders);
-  return `${url2.origin}${basePath}/callback/${oauth}`;
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
 };
 var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
   try {
@@ -665,15 +824,18 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
       }
       const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
       if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-        throw new InvalidRedirectToError();
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
       }
       return sanitizeURL(redirectToURL.pathname);
     }
     if (referer) {
       const refererURL = new URL(sanitizeURL(referer));
       if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-        throw new AuthError(
-          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
           "The referer of the request does not match the hosted origin."
         );
       }
@@ -682,16 +844,16 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
     if (origin) {
       const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
       if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
       }
       return sanitizeURL(originURL.pathname);
     }
     return "/";
   } catch (error) {
-    if (isAuthError(error)) {
+    if (isAuthSecurityError(error)) {
       throw error;
     }
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
   }
 };
 
@@ -699,9 +861,14 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
 var signInConfig = (oauth) => {
   return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
     schemas: {
-      params: import_zod.default.object({
-        oauth: import_zod.default.enum(Object.keys(oauth)),
-        redirectTo: import_zod.default.string().optional()
+      params: import_zod2.z.object({
+        oauth: import_zod2.z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: import_zod2.z.object({
+        redirectTo: import_zod2.z.string().optional()
       })
     }
   });
@@ -713,67 +880,41 @@ var signInAction = (oauth) => {
     async (ctx) => {
       const {
         request,
-        params: { oauth: oauth2, redirectTo },
+        params: { oauth: oauth2 },
+        searchParams: { redirectTo },
         context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
       } = ctx;
-      try {
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const state = generateSecure();
-        const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
-        const stateCookie = setCookie("state", state, oauthCookie(cookieOptions));
-        const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions));
-        const redirectToCookie = setCookie(
-          "redirect_to",
-          createRedirectTo(request, redirectTo, trustedProxyHeaders),
-          oauthCookie(cookieOptions)
-        );
-        const { codeVerifier, codeChallenge, method } = await createPKCE();
-        const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions));
-        const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
-        const headers = new Headers();
-        headers.set("Location", authorization);
-        headers.append("Set-Cookie", stateCookie);
-        headers.append("Set-Cookie", redirectURICookie);
-        headers.append("Set-Cookie", redirectToCookie);
-        headers.append("Set-Cookie", codeVerifierCookie);
-        return Response.json(
-          { oauth: oauth2 },
-          {
-            status: 302,
-            headers
-          }
-        );
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: import_router2.statusCode.BAD_REQUEST }
-          );
+      const state = generateSecure();
+      const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
+      const redirectToValue = createRedirectTo(request, redirectTo, trustedProxyHeaders);
+      const { codeVerifier, codeChallenge, method } = await createPKCE();
+      const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
+      const headers = new import_router2.HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
+      return Response.json(
+        { oauth: oauth2 },
+        {
+          status: 302,
+          headers
         }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
-            error_description: "An unexpected error occurred"
-          },
-          { status: import_router2.statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
+      );
     },
     signInConfig(oauth)
   );
 };
 
 // src/actions/callback/callback.ts
-var import_zod2 = __toESM(require("zod"), 1);
+var import_zod3 = require("zod");
 var import_router3 = require("@aura-stack/router");
 
-// src/headers.ts
-var cacheControl = {
-  "Cache-Control": "no-store",
-  Pragma: "no-cache",
-  Expires: "0",
-  Vary: "Cookie"
+// src/request.ts
+var fetchAsync = async (url, options2 = {}, timeout = 5e3) => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  const response = await fetch(url, {
+    ...options2,
+    signal: controller.signal
+  }).finally(() => clearTimeout(timeoutId));
+  return response;
 };
 
 // src/actions/callback/userinfo.ts
@@ -789,7 +930,7 @@ var getDefaultUserInfo = (profile) => {
 var getUserInfo = async (oauthConfig, accessToken) => {
   const userinfoEndpoint = oauthConfig.userInfo;
   try {
-    const response = await fetch(userinfoEndpoint, {
+    const response = await fetchAsync(userinfoEndpoint, {
       method: "GET",
       headers: {
         Accept: "application/json",
@@ -799,11 +940,20 @@ var getUserInfo = async (oauthConfig, accessToken) => {
     const json = await response.json();
     const { success, data } = OAuthErrorResponse.safeParse(json);
     if (success) {
-      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
     }
     return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
   } catch (error) {
-    throw throwAuthError(error, "Failed to retrieve userinfo");
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
   }
 };
 
@@ -811,11 +961,12 @@ var getUserInfo = async (oauthConfig, accessToken) => {
 var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) => {
   const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
   try {
-    const response = await fetch(accessToken, {
+    const response = await fetchAsync(accessToken, {
       method: "POST",
       headers: {
         Accept: "application/json",
@@ -835,13 +986,13 @@ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) =>
     if (!token.success) {
       const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
       if (!success) {
-        throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_GRANT, "Invalid access token response format");
+        throw new OAuthProtocolError("INVALID_REQUEST", "Invalid access token response format");
       }
-      throw new AuthError(data.error, data?.error_description ?? "Failed to retrieve access token");
+      throw new OAuthProtocolError(data.error, data?.error_description ?? "Failed to retrieve access token");
     }
     return token.data;
   } catch (error) {
-    throw throwAuthError(error, "Failed to create access token");
+    throw error;
   }
 };
 
@@ -849,9 +1000,15 @@ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier) =>
 var callbackConfig = (oauth) => {
   return (0, import_router3.createEndpointConfig)("/callback/:oauth", {
     schemas: {
-      searchParams: OAuthAuthorizationResponse,
-      params: import_zod2.default.object({
-        oauth: import_zod2.default.enum(Object.keys(oauth))
+      params: import_zod3.z.object({
+        oauth: import_zod3.z.enum(
+          Object.keys(oauth),
+          "The OAuth provider is not supported or invalid."
+        )
+      }),
+      searchParams: import_zod3.z.object({
+        code: import_zod3.z.string("Missing code parameter in the OAuth authorization response."),
+        state: import_zod3.z.string("Missing state parameter in the OAuth authorization response.")
       })
     },
     middlewares: [
@@ -859,7 +1016,7 @@ var callbackConfig = (oauth) => {
         const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
         if (response.success) {
           const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
         }
         return ctx;
       }
@@ -875,66 +1032,32 @@ var callbackAction = (oauth) => {
         request,
         params: { oauth: oauth2 },
         searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
+        context: { oauth: providers, cookies, jose }
       } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
-            },
-            trustedProxyHeaders
-          )
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirectTo.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirectURI.name);
+      const codeVerifier = getCookie(request, cookies.codeVerifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
         );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: import_router3.statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: import_router3.statusCode.INTERNAL_SERVER_ERROR }
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
         );
       }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new import_router3.HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirectURI.name, "", expiredCookieAttributes).setCookie(cookies.redirectTo.name, "", expiredCookieAttributes).setCookie(cookies.codeVerifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
     },
     callbackConfig(oauth)
   );
@@ -945,31 +1068,28 @@ var import_router4 = require("@aura-stack/router");
 var sessionAction = (0, import_router4.createEndpoint)("GET", "/session", async (ctx) => {
   const {
     request,
-    context: { cookies, jose, trustedProxyHeaders }
+    context: { jose, cookies }
   } = ctx;
-  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
   try {
-    const session = getCookie(request, "sessionToken", cookieOptions);
+    const session = getCookie(request, cookies.sessionToken.name);
     const decoded = await jose.decodeJWT(session);
     const { exp, iat, jti, nbf, ...user } = decoded;
     const headers = new Headers(cacheControl);
     return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
-  } catch {
-    const headers = new Headers(cacheControl);
-    const sessionCookie = expireCookie("sessionToken", cookieOptions);
-    headers.set("Set-Cookie", sessionCookie);
+  } catch (error) {
+    const headers = new import_router4.HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
     return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
   }
 });
 
 // src/actions/signOut/signOut.ts
-var import_zod3 = __toESM(require("zod"), 1);
+var import_zod4 = require("zod");
 var import_router5 = require("@aura-stack/router");
 var config = (0, import_router5.createEndpointConfig)({
   schemas: {
-    searchParams: import_zod3.default.object({
-      token_type_hint: import_zod3.default.literal("session_token"),
-      redirectTo: import_zod3.default.string().optional()
+    searchParams: import_zod4.z.object({
+      token_type_hint: import_zod4.z.literal("session_token"),
+      redirectTo: import_zod4.z.string().optional()
     })
   }
 });
@@ -981,98 +1101,78 @@ var signOutAction = (0, import_router5.createEndpoint)(
       request,
       headers,
       searchParams: { redirectTo },
-      context: { cookies, jose, trustedProxyHeaders }
+      context: { jose, cookies }
     } = ctx;
-    try {
-      const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-      const session = getCookie(request, "sessionToken", cookiesOptions);
-      const csrfToken = getCookie(request, "csrfToken", {
-        ...cookiesOptions,
-        prefix: cookiesOptions.secure ? "__Host-" : ""
-      });
-      const header = headers.get("X-CSRF-Token");
-      if (!header || !session || !csrfToken) {
-        throw new Error("Missing CSRF token or session token");
-      }
-      await verifyCSRF(jose, csrfToken, header);
-      await jose.decodeJWT(session);
-      const normalizedOriginPath = getNormalizedOriginPath(request.url);
-      const location = createRedirectTo(
-        new Request(normalizedOriginPath, {
-          headers
-        }),
-        redirectTo
-      );
-      const responseHeaders = new Headers(cacheControl);
-      responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions));
-      responseHeaders.append(
-        "Set-Cookie",
-        expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
-      );
-      responseHeaders.append("Location", location);
-      return Response.json(
-        { message: "Signed out successfully" },
-        { status: import_router5.statusCode.ACCEPTED, headers: responseHeaders }
-      );
-    } catch (error) {
-      if (error instanceof InvalidCsrfTokenError) {
-        return AuraResponse.json(
-          {
-            error: "invalid_csrf_token",
-            error_description: "The provided CSRF token is invalid or has expired"
-          },
-          { status: import_router5.statusCode.UNAUTHORIZED }
-        );
-      }
-      if (error instanceof InvalidRedirectToError) {
-        const { type, message } = error;
-        return AuraResponse.json(
-          {
-            error: type,
-            error_description: message
-          },
-          { status: import_router5.statusCode.BAD_REQUEST }
-        );
-      }
-      return AuraResponse.json(
-        {
-          error: "invalid_session_token",
-          error_description: "The provided sessionToken is invalid or has already expired"
-        },
-        { status: import_router5.statusCode.UNAUTHORIZED }
-      );
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
     }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new import_router5.HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: import_router5.statusCode.ACCEPTED, headers: headersList });
   },
   config
 );
 
 // src/actions/csrfToken/csrfToken.ts
 var import_router6 = require("@aura-stack/router");
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
 var csrfTokenAction = (0, import_router6.createEndpoint)("GET", "/csrfToken", async (ctx) => {
   const {
     request,
-    context: { cookies, jose, trustedProxyHeaders }
+    context: { jose, cookies }
   } = ctx;
-  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
-  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
-  const csrfToken = await createCSRF(jose, existingCSRFToken);
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
   const headers = new Headers(cacheControl);
-  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
   return Response.json({ csrfToken }, { headers });
 });
 
 // src/index.ts
 var createInternalConfig = (authConfig) => {
+  const useSecure = authConfig?.trustedProxyHeaders ?? false;
   return {
     basePath: authConfig?.basePath ?? "/auth",
     onError: onErrorHandler,
     context: {
       oauth: createBuiltInOAuthProviders(authConfig?.oauth),
-      cookies: authConfig?.cookies ?? defaultCookieConfig,
+      cookies: createCookieStore(useSecure, authConfig?.cookies?.prefix, authConfig?.cookies?.overrides ?? {}),
       jose: createJoseInstance(authConfig?.secret),
+      secret: authConfig?.secret,
       basePath: authConfig?.basePath ?? "/auth",
-      trustedProxyHeaders: !!authConfig?.trustedProxyHeaders
-    }
+      trustedProxyHeaders: useSecure
+    },
+    middlewares: [
+      (ctx) => {
+        const useSecure2 = useSecureCookies(ctx.request, ctx.context.trustedProxyHeaders);
+        const cookies = createCookieStore(useSecure2, authConfig?.cookies?.prefix, authConfig?.cookies?.overrides ?? {});
+        ctx.context.cookies = cookies;
+        return ctx;
+      }
+    ]
   };
 };
 var createAuth = (authConfig) => {