@aura-stack/auth 0.1.0 → 0.2.0

package/dist/actions/index.d.ts

@@ -4,10 +4,9 @@ export { sessionAction } from './session/session.js';
 export { signOutAction } from './signOut/signOut.js';
 export { csrfTokenAction } from './csrfToken/csrfToken.js';
 import '@aura-stack/router';
-import '../index-DpfbvTZ_.js';
+import '../index-EqsoyjrF.js';
 import 'zod/v4';
-import '@aura-stack/jose/jose';
 import '../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
 import '../@types/utility.js';

package/dist/actions/index.js

@@ -1,30 +1,29 @@
 import "../chunk-ITQ7352M.js";
 import {
   csrfTokenAction
-} from "../chunk-SMQO5WD7.js";
-import {
-  sessionAction
-} from "../chunk-XXJKNKGQ.js";
+} from "../chunk-QDO2KSRJ.js";
 import {
   signInAction
-} from "../chunk-LLR722CL.js";
+} from "../chunk-2RXNXMCZ.js";
+import {
+  sessionAction
+} from "../chunk-PTJUYB33.js";
 import {
   signOutAction
-} from "../chunk-SJPDVKUS.js";
-import "../chunk-CAKJT3KS.js";
+} from "../chunk-NEVKX6K2.js";
+import "../chunk-QEZL7EYN.js";
 import {
   callbackAction
-} from "../chunk-HGJ4TXY4.js";
-import "../chunk-RLT4RFKV.js";
-import "../chunk-UJJ7R56J.js";
-import "../chunk-ZV4BH47P.js";
-import "../chunk-6SM22VVJ.js";
+} from "../chunk-UEH3LVON.js";
+import "../chunk-ZLR3LI6X.js";
+import "../chunk-4V4JNXVF.js";
+import "../chunk-IMICRJ5U.js";
 import "../chunk-STHEPPUZ.js";
-import "../chunk-GZU3RBTB.js";
-import "../chunk-256KIVJL.js";
-import "../chunk-FJUDBLCP.js";
-import "../chunk-JAPMIE6S.js";
-import "../chunk-HMRKN75I.js";
+import "../chunk-WD7AUHQ5.js";
+import "../chunk-N2APGLXA.js";
+import "../chunk-CXLATHS5.js";
+import "../chunk-EIL2FPSS.js";
+import "../chunk-RRLIF4PQ.js";
 export {
   callbackAction,
   csrfTokenAction,

package/dist/actions/session/session.cjs

@@ -28,12 +28,15 @@ var import_router2 = require("@aura-stack/router");
 // src/utils.ts
 var import_router = require("@aura-stack/router");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
 
@@ -51,137 +54,50 @@ var cacheControl = {
 };
 
 // src/cookie.ts
-var import_cookie = require("cookie");
-
-// src/assert.ts
-var isRequest = (value) => {
-  return typeof Request !== "undefined" && value instanceof Request;
-};
-
-// src/cookie.ts
-var import_cookie2 = require("cookie");
-var COOKIE_NAME = "aura-auth";
+var import_cookie = require("@aura-stack/router/cookie");
 var defaultCookieOptions = {
   httpOnly: true,
   sameSite: "lax",
   path: "/",
   maxAge: 60 * 60 * 24 * 15
 };
-var defaultStandardCookieConfig = {
-  secure: false,
+var oauthCookieOptions = {
   httpOnly: true,
-  prefix: ""
-};
-var defaultSecureCookieConfig = {
-  secure: true,
-  prefix: "__Secure-"
-};
-var defaultHostCookieConfig = {
-  secure: true,
-  prefix: "__Host-",
-  path: "/",
-  domain: void 0
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
 };
-var expiredCookieOptions = {
+var expiredCookieAttributes = {
   ...defaultCookieOptions,
   expires: /* @__PURE__ */ new Date(0),
   maxAge: 0
 };
-var defineDefaultCookieOptions = (options) => {
-  return {
-    name: options?.name ?? COOKIE_NAME,
-    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options
-  };
-};
-var setCookie = (cookieName, value, options) => {
-  const { prefix, name } = defineDefaultCookieOptions(options);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options
-  });
-};
-var getCookie = (petition, cookie, options, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
   if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
   }
-  const { name, prefix } = defineDefaultCookieOptions(options);
-  const parsedCookies = (0, import_cookie.parse)(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  const value = (0, import_cookie.parse)(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
   }
   return value;
 };
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
-    console.warn(
-      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-    );
-  }
-  if (cookieOptions.options?.domain === "*") {
-    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
-  }
-  if (!isSecure) {
-    const options = cookieOptions.options;
-    if (options?.secure) {
-      console.warn(
-        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-      );
-    }
-    if (options?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
-    }
-    if (process.env.NODE_ENV === "production") {
-      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
-    }
-    return {
-      ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
-    };
-  }
-  return cookieOptions.strategy === "host" ? {
-    ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options) => {
-  return setCookie(name, "", { ...options, ...expiredCookieOptions });
-};
 
 // src/actions/session/session.ts
 var sessionAction = (0, import_router2.createEndpoint)("GET", "/session", async (ctx) => {
   const {
     request,
-    context: { cookies, jose, trustedProxyHeaders }
+    context: { jose, cookies }
   } = ctx;
-  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
   try {
-    const session = getCookie(request, "sessionToken", cookieOptions);
+    const session = getCookie(request, cookies.sessionToken.name);
     const decoded = await jose.decodeJWT(session);
     const { exp, iat, jti, nbf, ...user } = decoded;
     const headers = new Headers(cacheControl);
     return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
-  } catch {
-    const headers = new Headers(cacheControl);
-    const sessionCookie = expireCookie("sessionToken", cookieOptions);
-    headers.set("Set-Cookie", sessionCookie);
+  } catch (error) {
+    const headers = new import_router2.HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
     return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
   }
 });

package/dist/actions/session/session.js

@@ -1,11 +1,10 @@
 import {
   sessionAction
-} from "../../chunk-XXJKNKGQ.js";
-import "../../chunk-ZV4BH47P.js";
-import "../../chunk-6SM22VVJ.js";
+} from "../../chunk-PTJUYB33.js";
+import "../../chunk-IMICRJ5U.js";
 import "../../chunk-STHEPPUZ.js";
-import "../../chunk-256KIVJL.js";
-import "../../chunk-FJUDBLCP.js";
+import "../../chunk-CXLATHS5.js";
+import "../../chunk-RRLIF4PQ.js";
 export {
   sessionAction
 };

package/dist/actions/signIn/authorization.cjs

@@ -37,10 +37,10 @@ var isValidURL = (value) => {
 // src/schemas.ts
 var import_v4 = require("zod/v4");
 var OAuthProviderConfigSchema = (0, import_v4.object)({
-  authorizeURL: (0, import_v4.url)(),
-  accessToken: (0, import_v4.url)(),
+  authorizeURL: (0, import_v4.httpUrl)(),
+  accessToken: (0, import_v4.httpUrl)(),
   scope: (0, import_v4.string)().optional(),
-  userInfo: (0, import_v4.url)(),
+  userInfo: (0, import_v4.httpUrl)(),
   responseType: (0, import_v4.enum)(["code", "token", "id_token"]),
   clientId: (0, import_v4.string)(),
   clientSecret: (0, import_v4.string)()
@@ -52,8 +52,8 @@ var OAuthAuthorization = OAuthProviderConfigSchema.extend({
   codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
 });
 var OAuthAuthorizationResponse = (0, import_v4.object)({
-  state: (0, import_v4.string)(),
-  code: (0, import_v4.string)()
+  state: (0, import_v4.string)("Missing state parameter in the OAuth authorization response."),
+  code: (0, import_v4.string)("Missing code parameter in the OAuth authorization response.")
 });
 var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.enum)([
@@ -97,48 +97,38 @@ var OAuthErrorResponse = (0, import_v4.object)({
   error: (0, import_v4.string)(),
   error_description: (0, import_v4.string)().optional()
 });
+var OAuthEnvSchema = (0, import_v4.object)({
+  clientId: import_v4.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: import_v4.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
-// src/utils.ts
-var import_router = require("@aura-stack/router");
-
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var InvalidRedirectToError = class extends AuthError {
-  constructor(message = "The redirectTo parameter does not match the hosted origin.") {
-    super("invalid_redirect_to", message);
-    this.name = "InvalidRedirectToError";
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options2) {
+    super(message, options2);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
-var isAuthError = (error) => {
-  return error instanceof AuthError;
-};
-var ERROR_RESPONSE = {
-  AUTHORIZATION: {
-    INVALID_REQUEST: "invalid_request",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    ACCESS_DENIED: "access_denied",
-    UNSUPPORTED_RESPONSE_TYPE: "unsupported_response_type",
-    INVALID_SCOPE: "invalid_scope",
-    SERVER_ERROR: "server_error",
-    TEMPORARILY_UNAVAILABLE: "temporarily_unavailable"
-  },
-  ACCESS_TOKEN: {
-    INVALID_REQUEST: "invalid_request",
-    INVALID_CLIENT: "invalid_client",
-    INVALID_GRANT: "invalid_grant",
-    UNAUTHORIZED_CLIENT: "unauthorized_client",
-    UNSUPPORTED_GRANT_TYPE: "unsupported_grant_type",
-    INVALID_SCOPE: "invalid_scope"
-  }
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
 };
 
 // src/utils.ts
+var import_router = require("@aura-stack/router");
 var toSnakeCase = (str) => {
   return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
 };
@@ -155,9 +145,9 @@ var equals = (a, b) => {
   if (a === null || b === null || a === void 0 || b === void 0) return false;
   return a === b;
 };
-var sanitizeURL = (url2) => {
+var sanitizeURL = (url) => {
   try {
-    let decodedURL = decodeURIComponent(url2).trim();
+    let decodedURL = decodeURIComponent(url).trim();
     const protocolMatch = decodedURL.match(/^([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)/);
     let protocol = "";
     let rest = decodedURL;
@@ -185,25 +175,41 @@ var sanitizeURL = (url2) => {
     }
     return sanitized;
   } catch {
-    return url2.trim();
+    return url.trim();
   }
 };
 var getNormalizedOriginPath = (path) => {
   try {
-    const url2 = new URL(path);
-    url2.hash = "";
-    url2.search = "";
-    return `${url2.origin}${url2.pathname}`;
+    const url = new URL(path);
+    url.hash = "";
+    url.search = "";
+    return `${url.origin}${url.pathname}`;
   } catch {
     return sanitizeURL(path);
   }
 };
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
   const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { authorizeURL, ...options2 } = parsed.data;
   const { userInfo, accessToken, clientSecret, ...required } = options2;
@@ -221,8 +227,8 @@ var getOriginURL = (request, trustedProxyHeaders) => {
   }
 };
 var createRedirectURI = (request, oauth, basePath, trustedProxyHeaders) => {
-  const url2 = getOriginURL(request, trustedProxyHeaders);
-  return `${url2.origin}${basePath}/callback/${oauth}`;
+  const url = getOriginURL(request, trustedProxyHeaders);
+  return `${url.origin}${basePath}/callback/${oauth}`;
 };
 var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
   try {
@@ -236,15 +242,18 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
       }
       const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
       if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-        throw new InvalidRedirectToError();
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
       }
       return sanitizeURL(redirectToURL.pathname);
     }
     if (referer) {
       const refererURL = new URL(sanitizeURL(referer));
       if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-        throw new AuthError(
-          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
           "The referer of the request does not match the hosted origin."
         );
       }
@@ -253,16 +262,16 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
     if (origin) {
       const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
       if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
       }
       return sanitizeURL(originURL.pathname);
     }
     return "/";
   } catch (error) {
-    if (isAuthError(error)) {
+    if (isAuthSecurityError(error)) {
       throw error;
     }
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
   }
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/actions/signIn/authorization.d.ts

@@ -1,9 +1,8 @@
-import { f as OAuthProviderCredentials } from '../../index-DpfbvTZ_.js';
+import { h as OAuthProviderCredentials } from '../../index-EqsoyjrF.js';
 import 'zod/v4';
-import '@aura-stack/jose/jose';
 import '../../schemas.js';
-import 'zod/v4/core';
-import 'cookie';
+import '@aura-stack/router/cookie';
+import '@aura-stack/jose/jose';
 import '../../@types/utility.js';
 
 /**

package/dist/actions/signIn/authorization.js

@@ -3,11 +3,11 @@ import {
   createRedirectTo,
   createRedirectURI,
   getOriginURL
-} from "../../chunk-CAKJT3KS.js";
-import "../../chunk-6SM22VVJ.js";
-import "../../chunk-256KIVJL.js";
-import "../../chunk-FJUDBLCP.js";
-import "../../chunk-HMRKN75I.js";
+} from "../../chunk-QEZL7EYN.js";
+import "../../chunk-WD7AUHQ5.js";
+import "../../chunk-CXLATHS5.js";
+import "../../chunk-EIL2FPSS.js";
+import "../../chunk-RRLIF4PQ.js";
 export {
   createAuthorizationURL,
   createRedirectTo,