@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/oauth/pinterest.cjs

@@ -0,0 +1,46 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/oauth/pinterest.ts
+var pinterest_exports = {};
+__export(pinterest_exports, {
+  pinterest: () => pinterest
+});
+module.exports = __toCommonJS(pinterest_exports);
+var pinterest = {
+  id: "pinterest",
+  name: "Pinterest",
+  authorizeURL: "https://api.pinterest.com/oauth/",
+  accessToken: "https://api.pinterest.com/v5/oauth/token",
+  userInfo: "https://api.pinterest.com/v5/user_account",
+  scope: "user_accounts:read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id,
+      name: profile.username,
+      email: null,
+      image: profile.profile_image
+    };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  pinterest
+});

package/dist/oauth/pinterest.d.ts

@@ -0,0 +1,7 @@
+export { P as PinterestProfile, p as pinterest } from '../index-DkaLJFn8.js';
+import '../@types/utility.js';
+import 'zod';
+import '../schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';

package/dist/oauth/pinterest.js

@@ -0,0 +1,6 @@
+import {
+  pinterest
+} from "../chunk-HP34YGGJ.js";
+export {
+  pinterest
+};

package/dist/oauth/spotify.d.ts

@@ -1,7 +1,7 @@
-export { g as SpotifyProfile, s as spotify } from '../index-DpfbvTZ_.js';
-import 'zod/v4';
-import '@aura-stack/jose/jose';
+export { I as Image, o as SpotifyProfile, q as spotify } from '../index-DkaLJFn8.js';
+import 'zod';
 import '../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
 import '../@types/utility.js';

package/dist/oauth/strava.cjs

@@ -0,0 +1,46 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/oauth/strava.ts
+var strava_exports = {};
+__export(strava_exports, {
+  strava: () => strava
+});
+module.exports = __toCommonJS(strava_exports);
+var strava = {
+  id: "strava",
+  name: "Strava",
+  authorizeURL: "https://www.strava.com/oauth/authorize",
+  accessToken: "https://www.strava.com/oauth/token",
+  userInfo: "https://www.strava.com/api/v3/athlete",
+  scope: "read",
+  responseType: "code",
+  profile(profile) {
+    return {
+      sub: profile.id.toString(),
+      name: `${profile.firstname} ${profile.lastname}`,
+      image: profile.profile,
+      email: ""
+    };
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  strava
+});

package/dist/oauth/strava.d.ts

@@ -0,0 +1,7 @@
+export { n as StravaProfile, k as SummaryClub, l as SummaryGear, s as strava } from '../index-DkaLJFn8.js';
+import 'zod';
+import '../schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
+import '../@types/utility.js';

package/dist/oauth/strava.js

@@ -0,0 +1,6 @@
+import {
+  strava
+} from "../chunk-6R2YZ4AC.js";
+export {
+  strava
+};

package/dist/oauth/x.d.ts

@@ -1,7 +1,7 @@
-export { X as XProfile, x } from '../index-DpfbvTZ_.js';
-import 'zod/v4';
-import '@aura-stack/jose/jose';
+export { X as XProfile, x } from '../index-DkaLJFn8.js';
+import 'zod';
 import '../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
 import '../@types/utility.js';

package/dist/{response.cjs → request.cjs}

@@ -17,18 +17,22 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/response.ts
-var response_exports = {};
-__export(response_exports, {
-  AuraResponse: () => AuraResponse
+// src/request.ts
+var request_exports = {};
+__export(request_exports, {
+  fetchAsync: () => fetchAsync
 });
-module.exports = __toCommonJS(response_exports);
-var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
-  }
+module.exports = __toCommonJS(request_exports);
+var fetchAsync = async (url, options = {}, timeout = 5e3) => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  const response = await fetch(url, {
+    ...options,
+    signal: controller.signal
+  }).finally(() => clearTimeout(timeoutId));
+  return response;
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  AuraResponse
+  fetchAsync
 });

package/dist/request.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Fetches a resource with a timeout mechanism.
+ *
+ * @param url - The URL or Request object to fetch
+ * @param options - Optional RequestInit configuration object
+ * @param timeout - Timeout duration in milliseconds (default: 5000ms)
+ * @returns A promise that resolves to the Response object
+ * @example
+ * const response = await fetchAsync('https://api.example.com/data', {}, 3000);
+ */
+declare const fetchAsync: (url: string | Request, options?: RequestInit, timeout?: number) => Promise<Response>;
+
+export { fetchAsync };

package/dist/request.js

@@ -0,0 +1,6 @@
+import {
+  fetchAsync
+} from "./chunk-ZNCZVF6U.js";
+export {
+  fetchAsync
+};

package/dist/schemas.cjs

@@ -26,32 +26,33 @@ __export(schemas_exports, {
   OAuthAuthorization: () => OAuthAuthorization,
   OAuthAuthorizationErrorResponse: () => OAuthAuthorizationErrorResponse,
   OAuthAuthorizationResponse: () => OAuthAuthorizationResponse,
+  OAuthEnvSchema: () => OAuthEnvSchema,
   OAuthErrorResponse: () => OAuthErrorResponse,
   OAuthProviderConfigSchema: () => OAuthProviderConfigSchema
 });
 module.exports = __toCommonJS(schemas_exports);
-var import_v4 = require("zod/v4");
-var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
-  scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
-  responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
-  clientId: (0, import_v4.string)(),
-  clientSecret: (0, import_v4.string)()
+var import_zod = require("zod");
+var OAuthProviderConfigSchema = (0, import_zod.object)({
+  authorizeURL: (0, import_zod.string)().url(),
+  accessToken: (0, import_zod.string)().url(),
+  scope: (0, import_zod.string)().optional(),
+  userInfo: (0, import_zod.string)().url(),
+  responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
+  clientId: (0, import_zod.string)(),
+  clientSecret: (0, import_zod.string)()
 });
 var OAuthAuthorization = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  state: (0, import_v4.string)(),
-  codeChallenge: (0, import_v4.string)(),
-  codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+  redirectURI: (0, import_zod.string)(),
+  state: (0, import_zod.string)(),
+  codeChallenge: (0, import_zod.string)(),
+  codeChallengeMethod: (0, import_zod.enum)(["plain", "S256"])
 });
-var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
+var OAuthAuthorizationResponse = (0, import_zod.object)({
+  state: (0, import_zod.string)({ message: "Missing state parameter in the OAuth authorization response." }),
+  code: (0, import_zod.string)({ message: "Missing code parameter in the OAuth authorization response." })
 });
-var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
+var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
     "invalid_request",
     "unauthorized_client",
     "access_denied",
@@ -60,24 +61,24 @@ var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
     "server_error",
     "temporarily_unavailable"
   ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional(),
-  state: (0, import_v4.string)()
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional(),
+  state: (0, import_zod.string)()
 });
 var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-  redirectURI: (0, import_v4.string)(),
-  code: (0, import_v4.string)(),
-  codeVerifier: (0, import_v4.string)().min(43).max(128)
+  redirectURI: (0, import_zod.string)(),
+  code: (0, import_zod.string)(),
+  codeVerifier: (0, import_zod.string)().min(43).max(128)
 });
-var OAuthAccessTokenResponse = (0, import_v4.object)({
-  access_token: (0, import_v4.string)(),
-  token_type: (0, import_v4.string)(),
-  expires_in: (0, import_v4.number)().optional(),
-  refresh_token: (0, import_v4.string)().optional(),
-  scope: (0, import_v4.string)().optional()
+var OAuthAccessTokenResponse = (0, import_zod.object)({
+  access_token: (0, import_zod.string)(),
+  token_type: (0, import_zod.string)().optional(),
+  expires_in: (0, import_zod.number)().optional(),
+  refresh_token: (0, import_zod.string)().optional(),
+  scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
 });
-var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.enum)([
+var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.enum)([
     "invalid_request",
     "invalid_client",
     "invalid_grant",
@@ -85,12 +86,16 @@ var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
     "unsupported_grant_type",
     "invalid_scope"
   ]),
-  error_description: (0, import_v4.string)().optional(),
-  error_uri: (0, import_v4.string)().optional()
+  error_description: (0, import_zod.string)().optional(),
+  error_uri: (0, import_zod.string)().optional()
 });
-var OAuthErrorResponse = (0, import_v4.object)({
-  error: (0, import_v4.string)(),
-  error_description: (0, import_v4.string)().optional()
+var OAuthErrorResponse = (0, import_zod.object)({
+  error: (0, import_zod.string)(),
+  error_description: (0, import_zod.string)().optional()
+});
+var OAuthEnvSchema = (0, import_zod.object)({
+  clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
 });
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -100,6 +105,7 @@ var OAuthErrorResponse = (0, import_v4.object)({
   OAuthAuthorization,
   OAuthAuthorizationErrorResponse,
   OAuthAuthorizationResponse,
+  OAuthEnvSchema,
   OAuthErrorResponse,
   OAuthProviderConfigSchema
 });

package/dist/schemas.d.ts

@@ -1,63 +1,62 @@
-import * as zod_v4_core from 'zod/v4/core';
-import * as zod_v4 from 'zod/v4';
+import { z } from 'zod';
 
 /**
  * Schema for OAuth Provider Configuration
  */
-declare const OAuthProviderConfigSchema: zod_v4.ZodObject<{
-    authorizeURL: zod_v4.ZodURL;
-    accessToken: zod_v4.ZodURL;
-    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
-    userInfo: zod_v4.ZodURL;
-    responseType: zod_v4.ZodEnum<{
+declare const OAuthProviderConfigSchema: z.ZodObject<{
+    authorizeURL: z.ZodString;
+    accessToken: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    userInfo: z.ZodString;
+    responseType: z.ZodEnum<{
         token: "token";
         code: "code";
         id_token: "id_token";
     }>;
-    clientId: zod_v4.ZodString;
-    clientSecret: zod_v4.ZodString;
-}, zod_v4_core.$strip>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+}, z.core.$strip>;
 /**
  * Schema used to create the authorization URL for the OAuth flow and verify the
  * OAuth configuration.
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
  */
-declare const OAuthAuthorization: zod_v4.ZodObject<{
-    authorizeURL: zod_v4.ZodURL;
-    accessToken: zod_v4.ZodURL;
-    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
-    userInfo: zod_v4.ZodURL;
-    responseType: zod_v4.ZodEnum<{
+declare const OAuthAuthorization: z.ZodObject<{
+    authorizeURL: z.ZodString;
+    accessToken: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    userInfo: z.ZodString;
+    responseType: z.ZodEnum<{
         token: "token";
         code: "code";
         id_token: "id_token";
     }>;
-    clientId: zod_v4.ZodString;
-    clientSecret: zod_v4.ZodString;
-    redirectURI: zod_v4.ZodString;
-    state: zod_v4.ZodString;
-    codeChallenge: zod_v4.ZodString;
-    codeChallengeMethod: zod_v4.ZodEnum<{
-        S256: "S256";
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    redirectURI: z.ZodString;
+    state: z.ZodString;
+    codeChallenge: z.ZodString;
+    codeChallengeMethod: z.ZodEnum<{
         plain: "plain";
+        S256: "S256";
     }>;
-}, zod_v4_core.$strip>;
+}, z.core.$strip>;
 /**
  * Schema used in the callback action to validate the authorization response when the resource owner
  * has granted.
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
  */
-declare const OAuthAuthorizationResponse: zod_v4.ZodObject<{
-    state: zod_v4.ZodString;
-    code: zod_v4.ZodString;
-}, zod_v4_core.$strip>;
+declare const OAuthAuthorizationResponse: z.ZodObject<{
+    state: z.ZodString;
+    code: z.ZodString;
+}, z.core.$strip>;
 /**
  * Schema used in the callback action to validate the authorization error response when the resource owner
  * has denied the authorization request.
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
  */
-declare const OAuthAuthorizationErrorResponse: zod_v4.ZodObject<{
-    error: zod_v4.ZodEnum<{
+declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
+    error: z.ZodEnum<{
         invalid_request: "invalid_request";
         unauthorized_client: "unauthorized_client";
         access_denied: "access_denied";
@@ -66,48 +65,48 @@ declare const OAuthAuthorizationErrorResponse: zod_v4.ZodObject<{
         server_error: "server_error";
         temporarily_unavailable: "temporarily_unavailable";
     }>;
-    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
-    error_uri: zod_v4.ZodOptional<zod_v4.ZodString>;
-    state: zod_v4.ZodString;
-}, zod_v4_core.$strip>;
+    error_description: z.ZodOptional<z.ZodString>;
+    error_uri: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
+}, z.core.$strip>;
 /**
  * Schema for OAuth Access Token Request and OAuth Configuration
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
  */
-declare const OAuthAccessToken: zod_v4.ZodObject<{
-    authorizeURL: zod_v4.ZodURL;
-    accessToken: zod_v4.ZodURL;
-    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
-    userInfo: zod_v4.ZodURL;
-    responseType: zod_v4.ZodEnum<{
+declare const OAuthAccessToken: z.ZodObject<{
+    authorizeURL: z.ZodString;
+    accessToken: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    userInfo: z.ZodString;
+    responseType: z.ZodEnum<{
         token: "token";
         code: "code";
         id_token: "id_token";
     }>;
-    clientId: zod_v4.ZodString;
-    clientSecret: zod_v4.ZodString;
-    redirectURI: zod_v4.ZodString;
-    code: zod_v4.ZodString;
-    codeVerifier: zod_v4.ZodString;
-}, zod_v4_core.$strip>;
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+    redirectURI: z.ZodString;
+    code: z.ZodString;
+    codeVerifier: z.ZodString;
+}, z.core.$strip>;
 /**
  * Schema for OAuth Access Token Response
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
  * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
  */
-declare const OAuthAccessTokenResponse: zod_v4.ZodObject<{
-    access_token: zod_v4.ZodString;
-    token_type: zod_v4.ZodString;
-    expires_in: zod_v4.ZodOptional<zod_v4.ZodNumber>;
-    refresh_token: zod_v4.ZodOptional<zod_v4.ZodString>;
-    scope: zod_v4.ZodOptional<zod_v4.ZodString>;
-}, zod_v4_core.$strip>;
+declare const OAuthAccessTokenResponse: z.ZodObject<{
+    access_token: z.ZodString;
+    token_type: z.ZodOptional<z.ZodString>;
+    expires_in: z.ZodOptional<z.ZodNumber>;
+    refresh_token: z.ZodOptional<z.ZodString>;
+    scope: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>;
+}, z.core.$strip>;
 /**
  * Schema for OAuth Access Token Error Response
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
  */
-declare const OAuthAccessTokenErrorResponse: zod_v4.ZodObject<{
-    error: zod_v4.ZodEnum<{
+declare const OAuthAccessTokenErrorResponse: z.ZodObject<{
+    error: z.ZodEnum<{
         invalid_request: "invalid_request";
         unauthorized_client: "unauthorized_client";
         invalid_scope: "invalid_scope";
@@ -115,16 +114,20 @@ declare const OAuthAccessTokenErrorResponse: zod_v4.ZodObject<{
         invalid_grant: "invalid_grant";
         unsupported_grant_type: "unsupported_grant_type";
     }>;
-    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
-    error_uri: zod_v4.ZodOptional<zod_v4.ZodString>;
-}, zod_v4_core.$strip>;
+    error_description: z.ZodOptional<z.ZodString>;
+    error_uri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
 /**
  * @todo: verify if this schema is still needed
  * @deprecated
  */
-declare const OAuthErrorResponse: zod_v4.ZodObject<{
-    error: zod_v4.ZodString;
-    error_description: zod_v4.ZodOptional<zod_v4.ZodString>;
-}, zod_v4_core.$strip>;
+declare const OAuthErrorResponse: z.ZodObject<{
+    error: z.ZodString;
+    error_description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+declare const OAuthEnvSchema: z.ZodObject<{
+    clientId: z.ZodString;
+    clientSecret: z.ZodString;
+}, z.core.$strip>;
 
-export { OAuthAccessToken, OAuthAccessTokenErrorResponse, OAuthAccessTokenResponse, OAuthAuthorization, OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse, OAuthErrorResponse, OAuthProviderConfigSchema };
+export { OAuthAccessToken, OAuthAccessTokenErrorResponse, OAuthAccessTokenResponse, OAuthAuthorization, OAuthAuthorizationErrorResponse, OAuthAuthorizationResponse, OAuthEnvSchema, OAuthErrorResponse, OAuthProviderConfigSchema };

package/dist/schemas.js

@@ -5,9 +5,10 @@ import {
   OAuthAuthorization,
   OAuthAuthorizationErrorResponse,
   OAuthAuthorizationResponse,
+  OAuthEnvSchema,
   OAuthErrorResponse,
   OAuthProviderConfigSchema
-} from "./chunk-HMRKN75I.js";
+} from "./chunk-YRCB5FLE.js";
 export {
   OAuthAccessToken,
   OAuthAccessTokenErrorResponse,
@@ -15,6 +16,7 @@ export {
   OAuthAuthorization,
   OAuthAuthorizationErrorResponse,
   OAuthAuthorizationResponse,
+  OAuthEnvSchema,
   OAuthErrorResponse,
   OAuthProviderConfigSchema
 };

package/dist/secure.cjs

@@ -38,23 +38,20 @@ __export(secure_exports, {
   verifyCSRF: () => verifyCSRF
 });
 module.exports = __toCommonJS(secure_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 
 // src/utils.ts
 var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
-var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
+// src/errors.ts
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
 
@@ -64,12 +61,17 @@ var equals = (a, b) => {
   return a === b;
 };
 
+// src/assert.ts
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
+
 // src/secure.ts
 var generateSecure = (length = 32) => {
-  return import_node_crypto.default.randomBytes(length).toString("base64url");
+  return import_crypto.default.randomBytes(length).toString("base64url");
 };
 var createHash = (data, base = "hex") => {
-  return import_node_crypto.default.createHash("sha256").update(data).digest().toString(base);
+  return import_crypto.default.createHash("sha256").update(data).digest().toString(base);
 };
 var createPKCE = async (verifier) => {
   const codeVerifier = verifier ?? generateSecure(86);
@@ -91,23 +93,29 @@ var createCSRF = async (jose, csrfCookie) => {
 };
 var verifyCSRF = async (jose, cookie, header) => {
   try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
     if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
-    if (!import_node_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
+    if (!import_crypto.default.timingSafeEqual(cookieBuffer, headerBuffer)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     return true;
   } catch {
-    throw new InvalidCsrfTokenError();
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
   }
 };
 var createDerivedSalt = (secret) => {
-  return import_node_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
+  return import_crypto.default.createHash("sha256").update(secret).update("aura-auth-salt").digest("hex");
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/secure.d.ts

@@ -1,9 +1,9 @@
-import { A as AuthRuntimeConfig } from './index-DpfbvTZ_.js';
-import 'zod/v4';
-import '@aura-stack/jose/jose';
+import { A as AuthRuntimeConfig } from './index-DkaLJFn8.js';
+import 'zod';
 import './schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
 import './@types/utility.js';
 
 declare const generateSecure: (length?: number) => string;