@aura-stack/auth 0.1.0 → 0.2.0

package/dist/chunk-HGJ4TXY4.js

@@ -1,137 +0,0 @@
-import {
-  getUserInfo
-} from "./chunk-RLT4RFKV.js";
-import {
-  createAccessToken
-} from "./chunk-UJJ7R56J.js";
-import {
-  createSessionCookie,
-  expireCookie,
-  getCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  createCSRF
-} from "./chunk-GZU3RBTB.js";
-import {
-  equals,
-  isValidRelativePath,
-  sanitizeURL
-} from "./chunk-256KIVJL.js";
-import {
-  AuthError,
-  ERROR_RESPONSE,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-import {
-  OAuthAuthorizationErrorResponse,
-  OAuthAuthorizationResponse
-} from "./chunk-HMRKN75I.js";
-
-// src/actions/callback/callback.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var callbackConfig = (oauth) => {
-  return createEndpointConfig("/callback/:oauth", {
-    schemas: {
-      searchParams: OAuthAuthorizationResponse,
-      params: z.object({
-        oauth: z.enum(Object.keys(oauth))
-      })
-    },
-    middlewares: [
-      (ctx) => {
-        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
-        if (response.success) {
-          const { error, error_description } = response.data;
-          throw new AuthError(error, error_description ?? "OAuth Authorization Error");
-        }
-        return ctx;
-      }
-    ]
-  });
-};
-var callbackAction = (oauth) => {
-  return createEndpoint(
-    "GET",
-    "/callback/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2 },
-        searchParams: { code, state },
-        context: { oauth: providers, cookies, jose, trustedProxyHeaders }
-      } = ctx;
-      try {
-        const oauthConfig = providers[oauth2];
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const cookieState = getCookie(request, "state", cookieOptions);
-        const cookieRedirectTo = getCookie(request, "redirect_to", cookieOptions);
-        const cookieRedirectURI = getCookie(request, "redirect_uri", cookieOptions);
-        const codeVerifier = getCookie(request, "code_verifier", cookieOptions);
-        if (!equals(cookieState, state)) {
-          throw new AuthError(ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST, "Mismatching state");
-        }
-        const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
-        const sanitized = sanitizeURL(cookieRedirectTo);
-        if (!isValidRelativePath(sanitized)) {
-          throw new AuthError(
-            ERROR_RESPONSE.ACCESS_TOKEN.INVALID_REQUEST,
-            "Invalid redirect path. Potential open redirect attack detected."
-          );
-        }
-        const headers = new Headers(cacheControl);
-        headers.set("Location", sanitized);
-        const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
-        const sessionCookie = await createSessionCookie(userInfo, cookieOptions, jose);
-        const csrfToken = await createCSRF(jose);
-        const csrfCookie = setCookie(
-          "csrfToken",
-          csrfToken,
-          secureCookieOptions(
-            request,
-            {
-              ...cookies,
-              strategy: "host"
-            },
-            trustedProxyHeaders
-          )
-        );
-        headers.set("Set-Cookie", sessionCookie);
-        headers.append("Set-Cookie", expireCookie("state", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_uri", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("redirect_to", cookieOptions));
-        headers.append("Set-Cookie", expireCookie("code_verifier", cookieOptions));
-        headers.append("Set-Cookie", csrfCookie);
-        return Response.json({ oauth: oauth2 }, { status: 302, headers });
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.ACCESS_TOKEN.INVALID_CLIENT,
-            error_description: "An unexpected error occurred"
-          },
-          { status: statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    callbackConfig(oauth)
-  );
-};
-
-export {
-  callbackAction
-};

package/dist/chunk-JAPMIE6S.js

@@ -1,10 +0,0 @@
-// src/response.ts
-var AuraResponse = class extends Response {
-  static json(body, init) {
-    return Response.json(body, init);
-  }
-};
-
-export {
-  AuraResponse
-};

package/dist/chunk-LLR722CL.js

@@ -1,96 +0,0 @@
-import {
-  createAuthorizationURL,
-  createRedirectTo,
-  createRedirectURI
-} from "./chunk-CAKJT3KS.js";
-import {
-  oauthCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  createPKCE,
-  generateSecure
-} from "./chunk-GZU3RBTB.js";
-import {
-  ERROR_RESPONSE,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-
-// src/actions/signIn/signIn.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var signInConfig = (oauth) => {
-  return createEndpointConfig("/signIn/:oauth", {
-    schemas: {
-      params: z.object({
-        oauth: z.enum(Object.keys(oauth)),
-        redirectTo: z.string().optional()
-      })
-    }
-  });
-};
-var signInAction = (oauth) => {
-  return createEndpoint(
-    "GET",
-    "/signIn/:oauth",
-    async (ctx) => {
-      const {
-        request,
-        params: { oauth: oauth2, redirectTo },
-        context: { oauth: providers, cookies, trustedProxyHeaders, basePath }
-      } = ctx;
-      try {
-        const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-        const state = generateSecure();
-        const redirectURI = createRedirectURI(request, oauth2, basePath, trustedProxyHeaders);
-        const stateCookie = setCookie("state", state, oauthCookie(cookieOptions));
-        const redirectURICookie = setCookie("redirect_uri", redirectURI, oauthCookie(cookieOptions));
-        const redirectToCookie = setCookie(
-          "redirect_to",
-          createRedirectTo(request, redirectTo, trustedProxyHeaders),
-          oauthCookie(cookieOptions)
-        );
-        const { codeVerifier, codeChallenge, method } = await createPKCE();
-        const codeVerifierCookie = setCookie("code_verifier", codeVerifier, oauthCookie(cookieOptions));
-        const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method);
-        const headers = new Headers();
-        headers.set("Location", authorization);
-        headers.append("Set-Cookie", stateCookie);
-        headers.append("Set-Cookie", redirectURICookie);
-        headers.append("Set-Cookie", redirectToCookie);
-        headers.append("Set-Cookie", codeVerifierCookie);
-        return Response.json(
-          { oauth: oauth2 },
-          {
-            status: 302,
-            headers
-          }
-        );
-      } catch (error) {
-        if (isAuthError(error)) {
-          const { type, message } = error;
-          return AuraResponse.json(
-            { error: type, error_description: message },
-            { status: statusCode.BAD_REQUEST }
-          );
-        }
-        return AuraResponse.json(
-          {
-            error: ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR,
-            error_description: "An unexpected error occurred"
-          },
-          { status: statusCode.INTERNAL_SERVER_ERROR }
-        );
-      }
-    },
-    signInConfig(oauth)
-  );
-};
-
-export {
-  signInAction
-};

package/dist/chunk-SJPDVKUS.js

@@ -1,112 +0,0 @@
-import {
-  createRedirectTo
-} from "./chunk-CAKJT3KS.js";
-import {
-  expireCookie,
-  getCookie,
-  secureCookieOptions
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  verifyCSRF
-} from "./chunk-GZU3RBTB.js";
-import {
-  getNormalizedOriginPath
-} from "./chunk-256KIVJL.js";
-import {
-  InvalidCsrfTokenError,
-  InvalidRedirectToError
-} from "./chunk-FJUDBLCP.js";
-import {
-  AuraResponse
-} from "./chunk-JAPMIE6S.js";
-
-// src/actions/signOut/signOut.ts
-import z from "zod";
-import { createEndpoint, createEndpointConfig, statusCode } from "@aura-stack/router";
-var config = createEndpointConfig({
-  schemas: {
-    searchParams: z.object({
-      token_type_hint: z.literal("session_token"),
-      redirectTo: z.string().optional()
-    })
-  }
-});
-var signOutAction = createEndpoint(
-  "POST",
-  "/signOut",
-  async (ctx) => {
-    const {
-      request,
-      headers,
-      searchParams: { redirectTo },
-      context: { cookies, jose, trustedProxyHeaders }
-    } = ctx;
-    try {
-      const cookiesOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
-      const session = getCookie(request, "sessionToken", cookiesOptions);
-      const csrfToken = getCookie(request, "csrfToken", {
-        ...cookiesOptions,
-        prefix: cookiesOptions.secure ? "__Host-" : ""
-      });
-      const header = headers.get("X-CSRF-Token");
-      if (!header || !session || !csrfToken) {
-        throw new Error("Missing CSRF token or session token");
-      }
-      await verifyCSRF(jose, csrfToken, header);
-      await jose.decodeJWT(session);
-      const normalizedOriginPath = getNormalizedOriginPath(request.url);
-      const location = createRedirectTo(
-        new Request(normalizedOriginPath, {
-          headers
-        }),
-        redirectTo
-      );
-      const responseHeaders = new Headers(cacheControl);
-      responseHeaders.append("Set-Cookie", expireCookie("sessionToken", cookiesOptions));
-      responseHeaders.append(
-        "Set-Cookie",
-        expireCookie("csrfToken", { ...cookiesOptions, prefix: cookiesOptions.secure ? "__Host-" : "" })
-      );
-      responseHeaders.append("Location", location);
-      return Response.json(
-        { message: "Signed out successfully" },
-        { status: statusCode.ACCEPTED, headers: responseHeaders }
-      );
-    } catch (error) {
-      if (error instanceof InvalidCsrfTokenError) {
-        return AuraResponse.json(
-          {
-            error: "invalid_csrf_token",
-            error_description: "The provided CSRF token is invalid or has expired"
-          },
-          { status: statusCode.UNAUTHORIZED }
-        );
-      }
-      if (error instanceof InvalidRedirectToError) {
-        const { type, message } = error;
-        return AuraResponse.json(
-          {
-            error: type,
-            error_description: message
-          },
-          { status: statusCode.BAD_REQUEST }
-        );
-      }
-      return AuraResponse.json(
-        {
-          error: "invalid_session_token",
-          error_description: "The provided sessionToken is invalid or has already expired"
-        },
-        { status: statusCode.UNAUTHORIZED }
-      );
-    }
-  },
-  config
-);
-
-export {
-  signOutAction
-};

package/dist/chunk-SMQO5WD7.js

@@ -1,30 +0,0 @@
-import {
-  getCookie,
-  secureCookieOptions,
-  setCookie
-} from "./chunk-ZV4BH47P.js";
-import {
-  cacheControl
-} from "./chunk-STHEPPUZ.js";
-import {
-  createCSRF
-} from "./chunk-GZU3RBTB.js";
-
-// src/actions/csrfToken/csrfToken.ts
-import { createEndpoint } from "@aura-stack/router";
-var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
-  const {
-    request,
-    context: { cookies, jose, trustedProxyHeaders }
-  } = ctx;
-  const cookieOptions = secureCookieOptions(request, { ...cookies, strategy: "host" }, trustedProxyHeaders);
-  const existingCSRFToken = getCookie(request, "csrfToken", cookieOptions, true);
-  const csrfToken = await createCSRF(jose, existingCSRFToken);
-  const headers = new Headers(cacheControl);
-  headers.set("Set-Cookie", setCookie("csrfToken", csrfToken, cookieOptions));
-  return Response.json({ csrfToken }, { headers });
-});
-
-export {
-  csrfTokenAction
-};

package/dist/chunk-UTDLUEEG.js

@@ -1,31 +0,0 @@
-import {
-  createDerivedSalt
-} from "./chunk-GZU3RBTB.js";
-import {
-  AuthError
-} from "./chunk-FJUDBLCP.js";
-
-// src/jose.ts
-import "dotenv/config";
-import { createJWT, createJWS, createDeriveKey } from "@aura-stack/jose";
-var createJoseInstance = (secret) => {
-  secret ?? (secret = process.env.AURA_AUTH_SECRET);
-  if (!secret) {
-    throw new AuthError("JOSE_INIT_ERROR", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.");
-  }
-  const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret);
-  const { derivedKey: derivedSessionKey } = createDeriveKey(secret, salt, "session");
-  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
-  const { decodeJWT, encodeJWT } = createJWT(derivedSessionKey);
-  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
-  return {
-    decodeJWT,
-    encodeJWT,
-    signJWS,
-    verifyJWS
-  };
-};
-
-export {
-  createJoseInstance
-};

package/dist/chunk-ZV4BH47P.js

@@ -1,154 +0,0 @@
-import {
-  isRequest
-} from "./chunk-6SM22VVJ.js";
-import {
-  AuthError
-} from "./chunk-FJUDBLCP.js";
-
-// src/cookie.ts
-import { parse, serialize } from "cookie";
-import { parse as parse2 } from "cookie";
-var COOKIE_NAME = "aura-auth";
-var defaultCookieOptions = {
-  httpOnly: true,
-  sameSite: "lax",
-  path: "/",
-  maxAge: 60 * 60 * 24 * 15
-};
-var defaultCookieConfig = {
-  strategy: "standard",
-  name: COOKIE_NAME,
-  options: defaultCookieOptions
-};
-var defaultStandardCookieConfig = {
-  secure: false,
-  httpOnly: true,
-  prefix: ""
-};
-var defaultSecureCookieConfig = {
-  secure: true,
-  prefix: "__Secure-"
-};
-var defaultHostCookieConfig = {
-  secure: true,
-  prefix: "__Host-",
-  path: "/",
-  domain: void 0
-};
-var expiredCookieOptions = {
-  ...defaultCookieOptions,
-  expires: /* @__PURE__ */ new Date(0),
-  maxAge: 0
-};
-var defineDefaultCookieOptions = (options) => {
-  return {
-    name: options?.name ?? COOKIE_NAME,
-    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options
-  };
-};
-var setCookie = (cookieName, value, options) => {
-  const { prefix, name } = defineDefaultCookieOptions(options);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return serialize(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options
-  });
-};
-var getCookie = (petition, cookie, options, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
-  if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
-  }
-  const { name, prefix } = defineDefaultCookieOptions(options);
-  const parsedCookies = parse(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
-  }
-  return value;
-};
-var createSessionCookie = async (session, cookieOptions, jose) => {
-  try {
-    const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
-  } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
-  }
-};
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
-    console.warn(
-      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-    );
-  }
-  if (cookieOptions.options?.domain === "*") {
-    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
-  }
-  if (!isSecure) {
-    const options = cookieOptions.options;
-    if (options?.secure) {
-      console.warn(
-        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-      );
-    }
-    if (options?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
-    }
-    if (process.env.NODE_ENV === "production") {
-      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
-    }
-    return {
-      ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
-    };
-  }
-  return cookieOptions.strategy === "host" ? {
-    ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options) => {
-  return setCookie(name, "", { ...options, ...expiredCookieOptions });
-};
-var oauthCookie = (options) => {
-  return {
-    ...options,
-    secure: options.secure,
-    httpOnly: options.httpOnly,
-    maxAge: 5 * 60,
-    expires: new Date(Date.now() + 5 * 60 * 1e3)
-  };
-};
-
-export {
-  COOKIE_NAME,
-  defaultCookieOptions,
-  defaultCookieConfig,
-  defaultStandardCookieConfig,
-  defaultSecureCookieConfig,
-  defaultHostCookieConfig,
-  expiredCookieOptions,
-  defineDefaultCookieOptions,
-  setCookie,
-  getCookie,
-  createSessionCookie,
-  secureCookieOptions,
-  expireCookie,
-  oauthCookie,
-  parse2 as parse
-};

package/dist/error.cjs

@@ -1,88 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/error.ts
-var error_exports = {};
-__export(error_exports, {
-  AuthError: () => AuthError,
-  ERROR_RESPONSE: () => ERROR_RESPONSE,
-  InvalidCsrfTokenError: () => InvalidCsrfTokenError,
-  InvalidRedirectToError: () => InvalidRedirectToError,
-  isAuthError: () => isAuthError,
-  throwAuthError: () => throwAuthError
-});
-module.exports = __toCommonJS(error_exports);
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
-  }
-};
-var InvalidCsrfTokenError = class extends AuthError {
-  constructor(message = "The provided CSRF token is invalid or has expired") {
-    super("invalid_csrf_token", message);
-    this.name = "InvalidCsrfTokenError";
-  }
-};
-var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
-  }
-};
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var throwAuthError = (error, message) => {
-  if (error instanceof Error) {
-    if (isAuthError(error)) {
-      throw error;
-    }
-    throw new AuthError("invalid_request", error.message ?? message);
-  }
-};
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidCsrfTokenError,
-  InvalidRedirectToError,
-  isAuthError,
-  throwAuthError
-});