@aura-stack/auth 0.1.0 → 0.2.0-rc.1

package/dist/{chunk-GZU3RBTB.js → chunk-N2APGLXA.js}

@@ -1,9 +1,12 @@
 import {
   equals
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 import {
-  InvalidCsrfTokenError
-} from "./chunk-FJUDBLCP.js";
+  isJWTPayloadWithToken
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/secure.ts
 import crypto from "crypto";
@@ -33,19 +36,25 @@ var createCSRF = async (jose, csrfCookie) => {
 };
 var verifyCSRF = async (jose, cookie, header) => {
   try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
     if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     return true;
   } catch {
-    throw new InvalidCsrfTokenError();
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
   }
 };
 var createDerivedSalt = (secret) => {

package/dist/{chunk-CAKJT3KS.js → chunk-N4SX7TZT.js}

@@ -1,27 +1,28 @@
-import {
-  isValidURL
-} from "./chunk-6SM22VVJ.js";
 import {
   equals,
+  formatZodError,
   getNormalizedOriginPath,
   sanitizeURL,
   toCastCase
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 import {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidRedirectToError,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthInternalError,
+  AuthSecurityError,
+  isAuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
 import {
   OAuthAuthorization
-} from "./chunk-HMRKN75I.js";
+} from "./chunk-YRCB5FLE.js";
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
   const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { authorizeURL, ...options } = parsed.data;
   const { userInfo, accessToken, clientSecret, ...required } = options;
@@ -54,15 +55,18 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
       }
       const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
       if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-        throw new InvalidRedirectToError();
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
       }
       return sanitizeURL(redirectToURL.pathname);
     }
     if (referer) {
       const refererURL = new URL(sanitizeURL(referer));
       if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-        throw new AuthError(
-          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
           "The referer of the request does not match the hosted origin."
         );
       }
@@ -71,16 +75,16 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
     if (origin) {
       const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
       if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
       }
       return sanitizeURL(originURL.pathname);
     }
     return "/";
   } catch (error) {
-    if (isAuthError(error)) {
+    if (isAuthSecurityError(error)) {
       throw error;
     }
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
   }
 };
 

package/dist/chunk-RRLIF4PQ.js

@@ -0,0 +1,55 @@
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
+
+export {
+  OAuthProtocolError,
+  AuthInternalError,
+  AuthSecurityError,
+  isNativeError,
+  isOAuthProtocolError,
+  isAuthInternalError,
+  isAuthSecurityError
+};

package/dist/chunk-TLE4PXY3.js

@@ -0,0 +1,39 @@
+import {
+  createDerivedSalt
+} from "./chunk-N2APGLXA.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/jose.ts
+import "dotenv/config";
+import { createJWT, createJWS, createJWE, createDeriveKey } from "@aura-stack/jose";
+var createJoseInstance = (secret) => {
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
+  if (!secret) {
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
+  }
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption");
+  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
+  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
+  };
+};
+
+export {
+  createJoseInstance
+};

package/dist/chunk-W6LG7BFW.js

@@ -0,0 +1,197 @@
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/cookie.ts
+import { parse, parseSetCookie, serialize } from "@aura-stack/router/cookie";
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  httpOnly: true
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  httpOnly: true,
+  path: "/",
+  domain: void 0
+};
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options) => {
+  return serialize(cookieName, value, options);
+};
+var expiredCookieAttributes = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
+  }
+  const value = parse(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
+  }
+  return value;
+};
+var getSetCookie = (response, cookieName) => {
+  const cookies = response.headers.getSetCookie();
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found in response.");
+  }
+  const strCookie = cookies.find((cookie) => cookie.startsWith(`${cookieName}=`));
+  if (!strCookie) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found in response.`);
+  }
+  return parseSetCookie(strCookie).value;
+};
+var createSessionCookie = async (jose, session) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return encoded;
+  } catch (error) {
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
+  }
+};
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!useSecure) {
+    if (attributes.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...attributes,
+      ...defaultStandardCookieConfig
+    };
+  }
+  return strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
+  return {
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "session_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrf_token"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirectTo: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectTo?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectTo?.attributes
+        },
+        overrides?.redirectTo?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirectURI: {
+      name: `${securePrefix}${prefix}.${overrides?.redirectURI?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirectURI?.attributes
+        },
+        overrides?.redirectURI?.attributes?.strategy ?? "secure"
+      )
+    },
+    codeVerifier: {
+      name: `${securePrefix}${prefix}.${overrides?.codeVerifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.codeVerifier?.attributes
+        },
+        overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+      )
+    }
+  };
+};
+
+export {
+  COOKIE_NAME,
+  defaultCookieOptions,
+  defaultStandardCookieConfig,
+  defaultSecureCookieConfig,
+  defaultHostCookieConfig,
+  setCookie,
+  expiredCookieAttributes,
+  getCookie,
+  getSetCookie,
+  createSessionCookie,
+  defineSecureCookieOptions,
+  createCookieStore
+};

package/dist/{chunk-HMRKN75I.js → chunk-YRCB5FLE.js}

@@ -1,10 +1,10 @@
 // src/schemas.ts
-import { object, string, enum as options, number, url } from "zod/v4";
+import { object, string, enum as options, number, z, null as nullable } from "zod";
 var OAuthProviderConfigSchema = object({
-  authorizeURL: url(),
-  accessToken: url(),
+  authorizeURL: string().url(),
+  accessToken: string().url(),
   scope: string().optional(),
-  userInfo: url(),
+  userInfo: string().url(),
   responseType: options(["code", "token", "id_token"]),
   clientId: string(),
   clientSecret: string()
@@ -16,8 +16,8 @@ var OAuthAuthorization = OAuthProviderConfigSchema.extend({
   codeChallengeMethod: options(["plain", "S256"])
 });
 var OAuthAuthorizationResponse = object({
-  state: string(),
-  code: string()
+  state: string({ message: "Missing state parameter in the OAuth authorization response." }),
+  code: string({ message: "Missing code parameter in the OAuth authorization response." })
 });
 var OAuthAuthorizationErrorResponse = object({
   error: options([
@@ -40,10 +40,10 @@ var OAuthAccessToken = OAuthProviderConfigSchema.extend({
 });
 var OAuthAccessTokenResponse = object({
   access_token: string(),
-  token_type: string(),
+  token_type: string().optional(),
   expires_in: number().optional(),
   refresh_token: string().optional(),
-  scope: string().optional()
+  scope: string().optional().or(nullable())
 });
 var OAuthAccessTokenErrorResponse = object({
   error: options([
@@ -61,6 +61,10 @@ var OAuthErrorResponse = object({
   error: string(),
   error_description: string().optional()
 });
+var OAuthEnvSchema = object({
+  clientId: z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
 export {
   OAuthProviderConfigSchema,
@@ -70,5 +74,6 @@ export {
   OAuthAccessToken,
   OAuthAccessTokenResponse,
   OAuthAccessTokenErrorResponse,
-  OAuthErrorResponse
+  OAuthErrorResponse,
+  OAuthEnvSchema
 };

package/dist/chunk-ZNCZVF6U.js

@@ -0,0 +1,14 @@
+// src/request.ts
+var fetchAsync = async (url, options = {}, timeout = 5e3) => {
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  const response = await fetch(url, {
+    ...options,
+    signal: controller.signal
+  }).finally(() => clearTimeout(timeoutId));
+  return response;
+};
+
+export {
+  fetchAsync
+};