@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/chunk-SMQO5WD7.js

@@ -1,30 +0,0 @@
-import {
-  getCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  createCSRF
-} from "./chunk-GZU3RBTB.js";
-
-// src/actions/csrfToken/csrfToken.ts
-import { createEndpoint } from "@aura-stack/router";
-var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
-  const {
-    request,
-    context: { cookies, jose, trustedProxyHeaders }
-  } = ctx;
-  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
-  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
-  const csrfToken = await createCSRF(jose, existingCSRFToken);
-  const headers = new Headers(cacheControl);
-  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
-  return Response.json({ csrfToken }, { headers });
-});
-
-export {
-  csrfTokenAction
-};

package/dist/chunk-UTDLUEEG.js

@@ -1,31 +0,0 @@
-import {
-  createDerivedSalt
-} from "./chunk-GZU3RBTB.js";
-import {
-  AuthError
-} from "./chunk-FJUDBLCP.js";
-
-// src/jose.ts
-import "dotenv/config";
-import { createJWT, createJWS, createDeriveKey } from "@aura-stack/jose";
-var createJoseInstance = (secret) => {
-  secret ?? (secret = process.env.AURA_AUTH_SECRET);
-  if (!secret) {
-    throw new AuthError("JOSE_INIT_ERROR", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.");
-  }
-  const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret);
-  const { derivedKey: derivedSessionKey } = createDeriveKey(secret, salt, "session");
-  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
-  const { decodeJWT, encodeJWT } = createJWT(derivedSessionKey);
-  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
-  return {
-    decodeJWT,
-    encodeJWT,
-    signJWS,
-    verifyJWS
-  };
-};
-
-export {
-  createJoseInstance
-};

package/dist/chunk-ZV4BH47P.js

@@ -1,154 +0,0 @@
-import {
-  isRequest
-} from "./chunk-6SM22VVJ.js";
-import {
-  AuthError
-} from "./chunk-FJUDBLCP.js";
-
-// src/cookie.ts
-import { parse, serialize } from "cookie";
-import { parse as parse2 } from "cookie";
-var COOKIE_NAME = "aura-auth";
-var defaultCookieOptions = {
-  httpOnly: true,
-  sameSite: "lax",
-  path: "/",
-  maxAge: 60 * 60 * 24 * 15
-};
-var defaultCookieConfig = {
-  strategy: "standard",
-  name: COOKIE_NAME,
-  options: defaultCookieOptions
-};
-var defaultStandardCookieConfig = {
-  secure: false,
-  httpOnly: true,
-  prefix: ""
-};
-var defaultSecureCookieConfig = {
-  secure: true,
-  prefix: "__Secure-"
-};
-var defaultHostCookieConfig = {
-  secure: true,
-  prefix: "__Host-",
-  path: "/",
-  domain: void 0
-};
-var expiredCookieOptions = {
-  ...defaultCookieOptions,
-  expires: /* @__PURE__ */ new Date(0),
-  maxAge: 0
-};
-var defineDefaultCookieOptions = (options) => {
-  return {
-    name: options?.name ?? COOKIE_NAME,
-    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options
-  };
-};
-var setCookie = (cookieName, value, options) => {
-  const { prefix, name } = defineDefaultCookieOptions(options);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return serialize(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options
-  });
-};
-var getCookie = (petition, cookie, options, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
-  if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
-  }
-  const { name, prefix } = defineDefaultCookieOptions(options);
-  const parsedCookies = parse(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
-  }
-  return value;
-};
-var createSessionCookie = async (session, cookieOptions, jose) => {
-  try {
-    const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
-  } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
-  }
-};
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
-    console.warn(
-      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-    );
-  }
-  if (cookieOptions.options?.domain === "*") {
-    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
-  }
-  if (!isSecure) {
-    const options = cookieOptions.options;
-    if (options?.secure) {
-      console.warn(
-        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-      );
-    }
-    if (options?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
-    }
-    if (process.env.NODE_ENV === "production") {
-      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
-    }
-    return {
-      ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
-    };
-  }
-  return cookieOptions.strategy === "host" ? {
-    ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options) => {
-  return setCookie(name, "", { ...options, ...expiredCookieOptions });
-};
-var oauthCookie = (options) => {
-  return {
-    ...options,
-    secure: options.secure,
-    httpOnly: options.httpOnly,
-    maxAge: 5 * 60,
-    expires: new Date(Date.now() + 5 * 60 * 1e3)
-  };
-};
-
-export {
-  COOKIE_NAME,
-  defaultCookieOptions,
-  defaultCookieConfig,
-  defaultStandardCookieConfig,
-  defaultSecureCookieConfig,
-  defaultHostCookieConfig,
-  expiredCookieOptions,
-  defineDefaultCookieOptions,
-  setCookie,
-  getCookie,
-  createSessionCookie,
-  secureCookieOptions,
-  expireCookie,
-  oauthCookie,
-  parse2 as parse
-};

package/dist/error.cjs

@@ -1,88 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/error.ts
-var error_exports = {};
-__export(error_exports, {
-  AuthError: () => AuthError,
-  ERROR_RESPONSE: () => ERROR_RESPONSE,
-  InvalidCsrfTokenError: () => InvalidCsrfTokenError,
-  InvalidRedirectToError: () => InvalidRedirectToError,
-  isAuthError: () => isAuthError,
-  throwAuthError: () => throwAuthError
-});
-module.exports = __toCommonJS(error_exports);
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
-var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
-  }
-};
-var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
-  }
-};
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
-};
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError
-});

package/dist/error.d.ts

@@ -1,62 +0,0 @@
-import { E as ErrorType } from './index-DpfbvTZ_.js';
-import { LiteralUnion } from './@types/utility.js';
-import 'zod/v4';
-import '@aura-stack/jose/jose';
-import './schemas.js';
-import 'zod/v4/core';
-import 'cookie';
-
-/**
- * Error class for all Aura Auth errors.
- */
-declare class AuthError extends Error {
-    readonly type: LiteralUnion<ErrorType>;
-    constructor(type: LiteralUnion<ErrorType>, message: string);
-}
-declare class InvalidCsrfTokenError extends AuthError {
-    constructor(message?: string);
-}
-declare class InvalidRedirectToError extends AuthError {
-    constructor(message?: string);
-}
-/**
- * Verifies if the provided error is an instance of AuthError.
- *
- * @param error The error to be checked
- * @returns True if the error is an instance of AuthError, false otherwise
- */
-declare const isAuthError: (error: unknown) => error is AuthError;
-/**
- * Captures and Error and verifies if it's an AuthError, rethrowing it if so.
- * If it's a different type of error, it wraps it in a new AuthError with the provided message.
- *
- * @param error The error to be processed
- * @param message The error message to be used if wrapping the error
- */
-declare const throwAuthError: (error: unknown, message?: string) => void;
-/**
- * Errores responses returned by the OAuth flows including Authorization and Access Token errors.
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
- */
-declare const ERROR_RESPONSE: {
-    AUTHORIZATION: {
-        INVALID_REQUEST: string;
-        UNAUTHORIZED_CLIENT: string;
-        ACCESS_DENIED: string;
-        UNSUPPORTED_RESPONSE_TYPE: string;
-        INVALID_SCOPE: string;
-        SERVER_ERROR: string;
-        TEMPORARILY_UNAVAILABLE: string;
-    };
-    ACCESS_TOKEN: {
-        INVALID_REQUEST: string;
-        INVALID_CLIENT: string;
-        INVALID_GRANT: string;
-        UNAUTHORIZED_CLIENT: string;
-        UNSUPPORTED_GRANT_TYPE: string;
-        INVALID_SCOPE: string;
-    };
-};
-
-export { AuthError, ERROR_RESPONSE, InvalidCsrfTokenError, InvalidRedirectToError, isAuthError, throwAuthError };

package/dist/error.js

@@ -1,16 +0,0 @@
-import {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError
-} from "./chunk-FJUDBLCP.js";
-export {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError
-};

package/dist/response.d.ts

@@ -1,10 +0,0 @@
-/**
- * Custom Response class for Aura Auth.
- *
- * @experimental
- */
-declare class AuraResponse extends Response {
-    static json<T>(body: T, init?: ResponseInit): Response;
-}
-
-export { AuraResponse };

package/dist/response.js

@@ -1,6 +0,0 @@
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-export {
-  AuraResponse
-};