@aura-stack/auth 0.1.0 → 0.2.0

package/dist/{index-DpfbvTZ_.d.ts → index-EqsoyjrF.d.ts}

@@ -1,9 +1,81 @@
 import { z } from 'zod/v4';
+import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
+import { SerializeOptions } from '@aura-stack/router/cookie';
 import { JWTPayload } from '@aura-stack/jose/jose';
-import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse } from './schemas.js';
-import { SerializeOptions } from 'cookie';
 import { LiteralUnion, Prettify } from './@types/utility.js';
 
+/**
+ * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
+ */
+interface SummaryClub {
+    id: number;
+    resource_state: number;
+    name: string;
+    profile_medium: string;
+    cover_photo: string;
+    cover_photo_small: string;
+    sport_type: "cycling" | "running" | "triathlon" | "other";
+    activity_types: string[];
+    city: string;
+    state: string;
+    country: string;
+    private: boolean;
+    member_count: number;
+    featured: boolean;
+    verified: boolean;
+    url: string;
+}
+/**
+ * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
+ */
+interface SummaryGear {
+    id: string;
+    resource_state: number;
+    primary: boolean;
+    name: string;
+    distance: number;
+}
+/**
+ * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
+ */
+interface StravaProfile {
+    id: number;
+    resource_state: number;
+    firstname: string;
+    lastname: string;
+    bio: string | null;
+    profile: string;
+    profile_medium: string;
+    city: string;
+    state: string;
+    country: string;
+    sex: string;
+    premium: boolean;
+    summit: boolean;
+    created_at: Date;
+    updated_at: Date;
+    badge_type_id: number;
+    weight: number;
+    friend: null;
+    follower: null;
+    follower_count: number;
+    friend_count: number;
+    measurement_preference: string;
+    ftp: number;
+    clubs: SummaryClub[];
+    bikes: SummaryGear[];
+    shoes: SummaryGear[];
+}
+/**
+ * Strava OAuth Provider
+ * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
+ * @see [Strava - My Applications](https://www.strava.com/settings/api)
+ * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
+ * @see [Strava - API Application](https://www.strava.com/settings/api)
+ * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
+ */
+declare const strava: OAuthProviderConfig<StravaProfile>;
+
 /**
  * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
  */
@@ -16,6 +88,7 @@ interface XProfile {
     };
 }
 /**
+ * X (Twitter) OAuth Provider
  * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
  * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
  * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
@@ -55,6 +128,8 @@ interface SpotifyProfile {
     };
 }
 /**
+ * Spotify OAuth Provider
+ *
  * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
  * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
  * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
@@ -116,6 +191,8 @@ interface GitLabProfile {
     scim_identities: unknown[];
 }
 /**
+ * GitLab OAuth Provider
+ *
  * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
  * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
  * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
@@ -170,12 +247,15 @@ interface DiscordProfile {
     };
 }
 /**
+ * Discord OAuth Provider
+ *
  * @see [Discord - Applications](https://discord.com/developers/applications)
  * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
  * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
  * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
  * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
  * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
+ * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
  */
 declare const discord: OAuthProviderConfig<DiscordProfile>;
 
@@ -189,6 +269,7 @@ interface FigmaProfile {
     email: string;
 }
 /**
+ * Figma OAuth Provider
  * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
  * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
  * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
@@ -281,6 +362,7 @@ interface GitHubProfile {
 }
 /**
  * GitHub OAuth Provider
+ *
  * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
  * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
  * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
@@ -289,13 +371,14 @@ interface GitHubProfile {
 declare const github: OAuthProviderConfig<GitHubProfile>;
 
 declare const builtInOAuthProviders: {
-    github: OAuthProviderConfig<GitHubProfile>;
-    bitbucket: OAuthProviderConfig<BitbucketProfile>;
-    figma: OAuthProviderConfig<FigmaProfile>;
-    discord: OAuthProviderConfig<DiscordProfile>;
-    gitlab: OAuthProviderConfig<GitLabProfile>;
-    spotify: OAuthProviderConfig<SpotifyProfile>;
-    x: OAuthProviderConfig<XProfile>;
+    readonly github: OAuthProviderConfig<GitHubProfile>;
+    readonly bitbucket: OAuthProviderConfig<BitbucketProfile>;
+    readonly figma: OAuthProviderConfig<FigmaProfile>;
+    readonly discord: OAuthProviderConfig<DiscordProfile>;
+    readonly gitlab: OAuthProviderConfig<GitLabProfile>;
+    readonly spotify: OAuthProviderConfig<SpotifyProfile>;
+    readonly x: OAuthProviderConfig<XProfile>;
+    readonly strava: OAuthProviderConfig<StravaProfile>;
 };
 /**
  * Constructs OAuth provider configurations from an array of provider names or configurations.
@@ -312,15 +395,21 @@ type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
  * These fields are typically filtered out before returning user data.
  */
 type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
+/**
+ * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
+ */
+type JWTPayloadWithToken = JWTPayload & {
+    token: string;
+};
 /**
  * Standardized user profile returned by OAuth providers after fetching user information
  * and mapping the response to this format by default or via the `profile` custom function.
  */
 interface User {
     sub: string;
-    name?: string;
-    email?: string;
-    image?: string;
+    name?: string | null;
+    email?: string | null;
+    image?: string | null;
 }
 /**
  * Session data returned by the session endpoint.
@@ -340,70 +429,49 @@ interface OAuthProviderConfig<Profile extends object = {}> {
     accessToken: string;
     userInfo: string;
     scope: string;
-    responseType: string;
+    responseType: "code" | "token" | "refresh_token" | "id_token";
     profile?: (profile: Profile) => User | Promise<User>;
 }
 /**
  * OAuth provider configuration with client credentials.
  * Extends OAuthProviderConfig with clientId and clientSecret.
  */
-interface OAuthProviderCredentials extends OAuthProviderConfig {
+interface OAuthProviderCredentials<Profile extends object = {}> extends OAuthProviderConfig<Profile> {
     clientId: string;
     clientSecret: string;
 }
 /**
  * Complete OAuth provider type combining configuration and credentials.
  */
-type OAuthProvider<Profile extends Record<string, unknown> = {}> = OAuthProviderConfig<Profile> & OAuthProviderCredentials;
+type OAuthProvider<Profile extends object = {}> = OAuthProviderCredentials<Profile>;
 /**
  * Cookie type with __Secure- prefix, must be Secure.
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
  */
 type SecureCookie = {
     strategy: "secure";
-} & {
-    options?: Prettify<Omit<SerializeOptions, "secure" | "encode">>;
-};
+} & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
 /**
  * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
  */
 type HostCookie = {
     strategy: "host";
-} & {
-    options?: Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
-};
+} & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
 /**
  * Standard cookie type without security prefixes.
  * Can be sent over both HTTP and HTTPS connections (default in development).
  */
 type StandardCookie = {
     strategy?: "standard";
-} & {
-    options?: Prettify<Omit<SerializeOptions, "encode">>;
-};
+} & Prettify<Omit<SerializeOptions, "encode">>;
 /**
  * Union type for cookie options based on the specified strategy.
  * - `secure`: Cookies are only sent over HTTPS connections
  * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
  * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
  */
-type CookieStrategyOptions = StandardCookie | SecureCookie | HostCookie;
-/**
- * Configuration options for cookies used in Aura Auth.
- * @see {@link AuthConfig.cookies}
- */
-type CookieConfig = Prettify<{
-    name?: string;
-} & CookieStrategyOptions>;
-/**
- * Internal representation of cookie configuration with all options resolved.
- * @internal
- */
-type CookieConfigInternal = {
-    name?: string;
-    prefix?: string;
-} & SerializeOptions;
+type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
 /**
  * Names of cookies used by Aura Auth for session management and OAuth flows.
  * - `sessionToken`: User session JWT
@@ -414,7 +482,18 @@ type CookieConfigInternal = {
  * - `redirect_to`: Post-authentication redirect path
  * - `nonce`: OpenID Connect nonce parameter
  */
-type CookieName = "sessionToken" | "csrfToken" | "state" | "nonce" | "code_verifier" | "redirect_to" | "redirect_uri";
+type CookieName = "sessionToken" | "csrfToken" | "state" | "code_verifier" | "redirect_to" | "redirect_uri";
+type CookieStoreConfig = Record<CookieName, {
+    name: string;
+    attributes: CookieStrategyAttributes;
+}>;
+interface CookieConfig {
+    /**
+     * Prefix to be added to all cookie names. By default "aura-stack".
+     */
+    prefix?: string;
+    overrides?: Partial<CookieStoreConfig>;
+}
 /**
  * Main configuration interface for Aura Auth.
  * This is the user-facing configuration object passed to `createAuth()`.
@@ -462,7 +541,7 @@ interface AuthConfig {
      * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
      * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
      */
-    cookies?: CookieConfig;
+    cookies?: Partial<CookieConfig>;
     /**
      * Secret used to sign and verify JWT tokens for session and csrf protection.
      * If not provided, it will load from the environment variable `AURA_AUTH_SECRET`, but if it
@@ -494,26 +573,22 @@ interface JoseInstance {
     encodeJWT: (payload: JWTPayload) => Promise<string>;
     signJWS: (payload: JWTPayload) => Promise<string>;
     verifyJWS: (payload: string) => Promise<JWTPayload>;
-}
-/**
- * Internal runtime configuration used within Aura Auth after initialization.
- * All optional fields from AuthConfig are resolved to their default values.
- * @internal
- * @todo: is this needed?
- */
-interface AuthRuntimeConfig {
-    oauth: Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
-    cookies: CookieConfig;
-    secret: string;
-    jose: JoseInstance;
+    encryptJWE: (payload: string) => Promise<string>;
+    decryptJWE: (payload: string) => Promise<string>;
 }
 interface RouterGlobalContext {
     oauth: Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
-    cookies: CookieConfigInternal;
+    cookies: CookieStoreConfig;
     jose: JoseInstance;
+    secret?: string;
     basePath: string;
     trustedProxyHeaders: boolean;
 }
+/**
+ * Internal runtime configuration used within Aura Auth after initialization.
+ * All optional fields from AuthConfig are resolved to their default values.
+ */
+type AuthRuntimeConfig = RouterGlobalContext;
 interface AuthInstance {
     handlers: {
         GET: (request: Request) => Response | Promise<Response>;
@@ -542,7 +617,14 @@ type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>
  * OAuth 2.0 Token Revocation Error Response Types
  * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
  */
-type TokenRevocationError = OAuthError<"invalid_session_token" | "invalid_csrf_token" | "invalid_redirect_to">;
+type TokenRevocationError = OAuthError<"invalid_session_token">;
 type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
+type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION";
+type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
+type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
+type APIErrorMap = Record<string, {
+    code: string;
+    message: string;
+}>;
 
-export { type AuthRuntimeConfig as A, type BitbucketProfile as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type HostCookie as H, type JoseInstance as J, type Nameplate as N, type OAuthProvider as O, type RouterGlobalContext as R, type Session as S, type TokenRevocationError as T, type User as U, type XProfile as X, type CookieConfigInternal as a, type CookieName as b, type AuthConfig as c, type AuthInstance as d, type OAuthProviderConfig as e, type OAuthProviderCredentials as f, type SpotifyProfile as g, gitlab as h, discord as i, figma as j, bitbucket as k, type GitHubProfile as l, github as m, builtInOAuthProviders as n, createBuiltInOAuthProviders as o, type BuiltInOAuthProvider as p, type JWTStandardClaims as q, type SecureCookie as r, spotify as s, type StandardCookie as t, type CookieStrategyOptions as u, type OAuthError as v, type AuthorizationError as w, x, type AccessTokenError as y };
+export { type AuthRuntimeConfig as A, type BitbucketProfile as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type SecureCookie as H, type Image as I, type JWTPayloadWithToken as J, type HostCookie as K, type StandardCookie as L, type CookieStrategyAttributes as M, type Nameplate as N, type OAuthProvider as O, type CookieName as P, type OAuthError as Q, type RouterGlobalContext as R, type Session as S, type AuthorizationError as T, type User as U, type AccessTokenError as V, type TokenRevocationError as W, type XProfile as X, type OAuthEnv as Y, type CookieStoreConfig as a, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type APIErrorMap as i, type SummaryClub as j, type SummaryGear as k, type StravaProfile as l, type SpotifyProfile as m, spotify as n, gitlab as o, discord as p, figma as q, bitbucket as r, strava as s, type GitHubProfile as t, github as u, builtInOAuthProviders as v, createBuiltInOAuthProviders as w, x, type BuiltInOAuthProvider as y, type JWTStandardClaims as z };