@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/secure.js

@@ -5,9 +5,10 @@ import {
   createPKCE,
   generateSecure,
   verifyCSRF
-} from "./chunk-GZU3RBTB.js";
-import "./chunk-256KIVJL.js";
-import "./chunk-FJUDBLCP.js";
+} from "./chunk-N2APGLXA.js";
+import "./chunk-CXLATHS5.js";
+import "./chunk-EIL2FPSS.js";
+import "./chunk-RRLIF4PQ.js";
 export {
   createCSRF,
   createDerivedSalt,

package/dist/utils.cjs

@@ -21,6 +21,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var utils_exports = {};
 __export(utils_exports, {
   equals: () => equals,
+  formatZodError: () => formatZodError,
   getNormalizedOriginPath: () => getNormalizedOriginPath,
   isValidRelativePath: () => isValidRelativePath,
   onErrorHandler: () => onErrorHandler,
@@ -28,21 +29,53 @@ __export(utils_exports, {
   toCastCase: () => toCastCase,
   toISOString: () => toISOString,
   toSnakeCase: () => toSnakeCase,
-  toUpperCase: () => toUpperCase
+  toUpperCase: () => toUpperCase,
+  useSecureCookies: () => useSecureCookies
 });
 module.exports = __toCommonJS(utils_exports);
 var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var isAuthError = (error) => {
-  return error instanceof AuthError;
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
 };
 
 // src/utils.ts
@@ -106,13 +139,35 @@ var isValidRelativePath = (path) => {
 var onErrorHandler = (error) => {
   if ((0, import_router.isRouterError)(error)) {
     const { message, status, statusText } = error;
-    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
+  }
+  if ((0, import_router.isInvalidZodSchemaError)(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
   }
-  if (isAuthError(error)) {
-    const { type, message } = error;
-    return Response.json({ error: type, error_description: message }, { status: 400 });
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
   }
-  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
 };
 var getNormalizedOriginPath = (path) => {
   try {
@@ -127,9 +182,28 @@ var getNormalizedOriginPath = (path) => {
 var toISOString = (date) => {
   return new Date(date).toISOString();
 };
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   equals,
+  formatZodError,
   getNormalizedOriginPath,
   isValidRelativePath,
   onErrorHandler,
@@ -137,5 +211,6 @@ var toISOString = (date) => {
   toCastCase,
   toISOString,
   toSnakeCase,
-  toUpperCase
+  toUpperCase,
+  useSecureCookies
 });

package/dist/utils.d.ts

@@ -1,8 +1,15 @@
 import { RouterConfig } from '@aura-stack/router';
+import { i as APIErrorMap } from './index-DkaLJFn8.js';
+import { ZodError } from 'zod';
+import './schemas.js';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose';
+import '@aura-stack/jose/jose';
+import './@types/utility.js';
 
 declare const toSnakeCase: (str: string) => string;
 declare const toUpperCase: (str: string) => string;
-declare const toCastCase: <Obj extends Record<string, any>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
+declare const toCastCase: <Obj extends Record<string, string>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
 declare const equals: (a: string | number | undefined | null, b: string | number | undefined | null) => boolean;
 /**
  * Sanitizes a URL by removing dangerous patterns that could be used for path traversal
@@ -41,5 +48,7 @@ declare const onErrorHandler: RouterConfig["onError"];
  */
 declare const getNormalizedOriginPath: (path: string) => string;
 declare const toISOString: (date: Date | string | number) => string;
+declare const useSecureCookies: (request: Request, trustedProxyHeaders: boolean) => boolean;
+declare const formatZodError: <T extends Record<string, unknown> = Record<string, unknown>>(error: ZodError<T>) => APIErrorMap;
 
-export { equals, getNormalizedOriginPath, isValidRelativePath, onErrorHandler, sanitizeURL, toCastCase, toISOString, toSnakeCase, toUpperCase };
+export { equals, formatZodError, getNormalizedOriginPath, isValidRelativePath, onErrorHandler, sanitizeURL, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies };

package/dist/utils.js

@@ -1,5 +1,6 @@
 import {
   equals,
+  formatZodError,
   getNormalizedOriginPath,
   isValidRelativePath,
   onErrorHandler,
@@ -7,11 +8,13 @@ import {
   toCastCase,
   toISOString,
   toSnakeCase,
-  toUpperCase
-} from "./chunk-256KIVJL.js";
-import "./chunk-FJUDBLCP.js";
+  toUpperCase,
+  useSecureCookies
+} from "./chunk-CXLATHS5.js";
+import "./chunk-RRLIF4PQ.js";
 export {
   equals,
+  formatZodError,
   getNormalizedOriginPath,
   isValidRelativePath,
   onErrorHandler,
@@ -19,5 +22,6 @@ export {
   toCastCase,
   toISOString,
   toSnakeCase,
-  toUpperCase
+  toUpperCase,
+  useSecureCookies
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/auth",
-  "version": "0.1.0",
+  "version": "0.2.0-rc.1",
   "private": false,
   "type": "module",
   "description": "Core auth for @aura-stack/auth",
@@ -44,15 +44,16 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@aura-stack/router": "^0.4.0",
-    "cookie": "^1.0.2",
+    "@aura-stack/router": "^0.5.0",
     "dotenv": "^17.2.3",
-    "zod": "^4.1.12",
-    "@aura-stack/jose": "0.1.0"
+    "zod": "^4.3.5",
+    "@aura-stack/jose": "0.2.0"
   },
   "devDependencies": {
-    "@aura-stack/tsconfig": "0.0.0",
-    "@aura-stack/tsup-config": "0.0.0"
+    "@types/node": "^24.9.2",
+    "typescript": "^5.9.2",
+    "@aura-stack/tsup-config": "0.0.0",
+    "@aura-stack/tsconfig": "0.0.0"
   },
   "scripts": {
     "dev": "tsup --watch",

package/dist/chunk-FJUDBLCP.js

@@ -1,59 +0,0 @@
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
-var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
-  }
-};
-var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
-  }
-};
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
-};
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
-};
-
-export {
-  AuthError,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError,
-  ERROR_RESPONSE
-};

package/dist/chunk-HGJ4TXY4.js

@@ -1,137 +0,0 @@
-import {
-  getUserInfo
-} from "./chunk-RLT4RFKV.js";
-import {
-  createAccessToken
-} from "./chunk-UJJ7R56J.js";
-import {
-  createSessionCookie,
-  expireCookie,
-  getCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  createCSRF
-} from "./chunk-GZU3RBTB.js";
-import {
-  equals,
-  isValidRelativePath,
-  sanitizeURL
-} from "./chunk-256KIVJL.js";
-import {
-  AuthError,
-  ERROR_RESPONSE,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-import {
-  OAuthAuthorizationErrorResponse,
-  OAuthAuthorizationResponse
-} from "./chunk-HMRKN75I.js";
-
-// src/actions/callback/callback.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var callbackConfig = (oauth) => {
-  return createEndpointConfig("/callback/:oauth", {
-    schemas: {
-      searchParams: OAuthAuthorizationResponse,
-      params: z.object({
-        oauth: z.enum(Object.keys(oauth))
-      })
-    },
-    middlewares: [
-      (ctx) => {
-        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
-        if (response.success) {
-          const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
-        }
-        return ctx;
-      }
-    ]
-  });
-};
-var callbackAction = (oauth) => {
-  return createEndpoint(
-    "GET",
-    "/callback/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2 },
-        searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
-      } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
-            },
-            trustedProxyHeaders
-          )
-        );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    callbackConfig(oauth)
-  );
-};
-
-export {
-  callbackAction
-};

package/dist/chunk-JAPMIE6S.js

@@ -1,10 +0,0 @@
-// src/response.ts
-var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
-  }
-};
-
-export {
-  AuraResponse
-};

package/dist/chunk-LLR722CL.js

@@ -1,96 +0,0 @@
-import {
-  createAuthorizationURL,
-  createRedirectTo,
-  createRedirectURI
-} from "./chunk-CAKJT3KS.js";
-import {
-  oauthCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  createPKCE,
-  generateSecure
-} from "./chunk-GZU3RBTB.js";
-import {
-  ERROR_RESPONSE,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-
-// src/actions/signIn/signIn.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var signInConfig = (oauth) => {
-  return createEndpointConfig("/signIn/:oauth", {
-    schemas: {
-      params: z.object({
-        oauth: z.enum(Object.keys(oauth)),
-        redirectTo: z.string().optional()
-      })
-    }
-  });
-};
-var signInAction = (oauth) => {
-  return createEndpoint(
-    "GET",
-    "/signIn/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2, redirectTo },
-        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
-      } = ctx;
-      try {
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const state = generateSecure();
-        const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
-        const stateCookie = setCookie("state", state, oauthCookie(cookieOptions));
-        const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions));
-        const redirectToCookie = setCookie(
-          "redirect_to",
-          createRedirectTo(request, redirectTo, trustedProxyHeaders),
-          oauthCookie(cookieOptions)
-        );
-        const { codeVerifier, codeChallenge, method } = await createPKCE();
-        const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions));
-        const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
-        const headers = new Headers();
-        headers.set("Location", authorization);
-        headers.append("Set-Cookie", stateCookie);
-        headers.append("Set-Cookie", redirectURICookie);
-        headers.append("Set-Cookie", redirectToCookie);
-        headers.append("Set-Cookie", codeVerifierCookie);
-        return Response.json(
-          { oauth: oauth2 },
-          {
-            status: 302,
-            headers
-          }
-        );
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
-            error_description: "An unexpected error occurred"
-          },
-          { status: statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    signInConfig(oauth)
-  );
-};
-
-export {
-  signInAction
-};

package/dist/chunk-SJPDVKUS.js

@@ -1,112 +0,0 @@
-import {
-  createRedirectTo
-} from "./chunk-CAKJT3KS.js";
-import {
-  expireCookie,
-  getCookie,
-  secureCookieOptions
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  verifyCSRF
-} from "./chunk-GZU3RBTB.js";
-import {
-  getNormalizedOriginPath
-} from "./chunk-256KIVJL.js";
-import {
-  InvalidCsrfTokenError,
-  InvalidRedirectToError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-
-// src/actions/signOut/signOut.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var config = createEndpointConfig({
-  schemas: {
-    searchParams: z.object({
-      token_type_hint: z.literal("session_token"),
-      redirectTo: z.string().optional()
-    })
-  }
-});
-var signOutAction = createEndpoint(
-  "POST",
-  "/signOut",
-  async (ctx) => {
-    const {
-      request,
-      headers,
-      searchParams: { redirectTo },
-      context: { cookies, jose, trustedProxyHeaders }
-    } = ctx;
-    try {
-      const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-      const session = getCookie(request, "sessionToken", cookiesOptions);
-      const csrfToken = getCookie(request, "csrfToken", {
-        ...cookiesOptions,
-        prefix: cookiesOptions.secure ? "__Host-" : ""
-      });
-      const header = headers.get("X-CSRF-Token");
-      if (!header || !session || !csrfToken) {
-        throw new Error("Missing CSRF token or session token");
-      }
-      await verifyCSRF(jose, csrfToken, header);
-      await jose.decodeJWT(session);
-      const normalizedOriginPath = getNormalizedOriginPath(request.url);
-      const location = createRedirectTo(
-        new Request(normalizedOriginPath, {
-          headers
-        }),
-        redirectTo
-      );
-      const responseHeaders = new Headers(cacheControl);
-      responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions));
-      responseHeaders.append(
-        "Set-Cookie",
-        expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
-      );
-      responseHeaders.append("Location", location);
-      return Response.json(
-        { message: "Signed out successfully" },
-        { status: statusCode.ACCEPTED, headers: responseHeaders }
-      );
-    } catch (error) {
-      if (error instanceof InvalidCsrfTokenError) {
-        return AuraResponse.json(
-          {
-            error: "invalid_csrf_token",
-            error_description: "The provided CSRF token is invalid or has expired"
-          },
-          { status: statusCode.UNAUTHORIZED }
-        );
-      }
-      if (error instanceof InvalidRedirectToError) {
-        const { type, message } = error;
-        return AuraResponse.json(
-          {
-            error: type,
-            error_description: message
-          },
-          { status: statusCode.BAD_REQUEST }
-        );
-      }
-      return AuraResponse.json(
-        {
-          error: "invalid_session_token",
-          error_description: "The provided sessionToken is invalid or has already expired"
-        },
-        { status: statusCode.UNAUTHORIZED }
-      );
-    }
-  },
-  config
-);
-
-export {
-  signOutAction
-};