@aura-stack/auth 0.1.0 → 0.2.0

package/dist/{chunk-VFTYH33W.js → chunk-7H3OR6UU.js}

@@ -1,6 +1,3 @@
-import {
-  figma
-} from "./chunk-FKRDCWBF.js";
 import {
   github
 } from "./chunk-IKHPGFCW.js";
@@ -10,6 +7,9 @@ import {
 import {
   spotify
 } from "./chunk-E3OXBRYF.js";
+import {
+  strava
+} from "./chunk-6R2YZ4AC.js";
 import {
   x
 } from "./chunk-42XB3YCW.js";
@@ -18,7 +18,19 @@ import {
 } from "./chunk-FIPU4MLT.js";
 import {
   discord
-} from "./chunk-EBPE35JT.js";
+} from "./chunk-IUYZQTJV.js";
+import {
+  figma
+} from "./chunk-FKRDCWBF.js";
+import {
+  OAuthEnvSchema
+} from "./chunk-WD7AUHQ5.js";
+import {
+  formatZodError
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/oauth/index.ts
 var builtInOAuthProviders = {
@@ -28,14 +40,22 @@ var builtInOAuthProviders = {
   discord,
   gitlab,
   spotify,
-  x
+  x,
+  strava
 };
 var defineOAuthEnvironment = (oauth) => {
   const env = process.env;
-  return {
-    clientId: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_ID`],
-    clientSecret: env[`AURA_AUTH_${oauth.toUpperCase()}_CLIENT_SECRET`]
-  };
+  const clientIdSuffix = `${oauth.toUpperCase()}_CLIENT_ID`;
+  const clientSecretSuffix = `${oauth.toUpperCase()}_CLIENT_SECRET`;
+  const loadEnvs = OAuthEnvSchema.safeParse({
+    clientId: env[`AURA_AUTH_${clientIdSuffix}`] ?? env[`AUTH_${clientIdSuffix}`] ?? env[`${clientIdSuffix}`],
+    clientSecret: env[`AURA_AUTH_${clientSecretSuffix}`] ?? env[`AUTH_${clientSecretSuffix}`] ?? env[`${clientSecretSuffix}`]
+  });
+  if (!loadEnvs.success) {
+    const msg = JSON.stringify(formatZodError(loadEnvs.error), null, 2);
+    throw new AuthInternalError("INVALID_ENVIRONMENT_CONFIGURATION", msg);
+  }
+  return loadEnvs.data;
 };
 var defineOAuthProviderConfig = (config) => {
   if (typeof config === "string") {

package/dist/{chunk-256KIVJL.js → chunk-CXLATHS5.js}

@@ -1,9 +1,11 @@
 import {
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
+  isAuthInternalError,
+  isAuthSecurityError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/utils.ts
-import { isRouterError } from "@aura-stack/router";
+import { isInvalidZodSchemaError, isRouterError } from "@aura-stack/router";
 var toSnakeCase = (str) => {
   return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
 };
@@ -64,13 +66,35 @@ var isValidRelativePath = (path) => {
 var onErrorHandler = (error) => {
   if (isRouterError(error)) {
     const { message, status, statusText } = error;
-    return Response.json({ error: "invalid_request", error_description: message }, { status, statusText });
+    return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
   }
-  if (isAuthError(error)) {
-    const { type, message } = error;
-    return Response.json({ error: type, error_description: message }, { status: 400 });
+  if (isInvalidZodSchemaError(error)) {
+    return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
   }
-  return Response.json({ error: "server_error", error_description: "An unexpected error occurred" }, { status: 500 });
+  if (isOAuthProtocolError(error)) {
+    const { error: errorCode, message, type, errorURI } = error;
+    return Response.json(
+      {
+        type,
+        error: errorCode,
+        error_description: message,
+        error_uri: errorURI
+      },
+      { status: 400 }
+    );
+  }
+  if (isAuthInternalError(error) || isAuthSecurityError(error)) {
+    const { type, code, message } = error;
+    return Response.json(
+      {
+        type,
+        code,
+        message
+      },
+      { status: 400 }
+    );
+  }
+  return Response.json({ type: "SERVER_ERROR", code: "server_error", message: "An unexpected error occurred" }, { status: 500 });
 };
 var getNormalizedOriginPath = (path) => {
   try {
@@ -85,6 +109,24 @@ var getNormalizedOriginPath = (path) => {
 var toISOString = (date) => {
   return new Date(date).toISOString();
 };
+var useSecureCookies = (request, trustedProxyHeaders) => {
+  return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
+};
+var formatZodError = (error) => {
+  if (!error.issues || error.issues.length === 0) {
+    return {};
+  }
+  return error.issues.reduce((previous, issue) => {
+    const key = issue.path.join(".");
+    return {
+      ...previous,
+      [key]: {
+        code: issue.code,
+        message: issue.message
+      }
+    };
+  }, {});
+};
 
 export {
   toSnakeCase,
@@ -95,5 +137,7 @@ export {
   isValidRelativePath,
   onErrorHandler,
   getNormalizedOriginPath,
-  toISOString
+  toISOString,
+  useSecureCookies,
+  formatZodError
 };

package/dist/{chunk-6SM22VVJ.js → chunk-EIL2FPSS.js}

@@ -10,9 +10,13 @@ var isValidURL = (value) => {
   const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()*+,;=:@-]*)*\/?$/;
   return regex.test(value);
 };
+var isJWTPayloadWithToken = (payload) => {
+  return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
+};
 
 export {
   isFalsy,
   isRequest,
-  isValidURL
+  isValidURL,
+  isJWTPayloadWithToken
 };

package/dist/chunk-IMICRJ5U.js

@@ -0,0 +1,197 @@
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/cookie.ts
+import { parse, parseSetCookie, serialize } from "@aura-stack/router/cookie";
+var COOKIE_NAME = "aura-auth";
+var defaultCookieOptions = {
+  httpOnly: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 15
+};
+var defaultStandardCookieConfig = {
+  secure: false,
+  httpOnly: true
+};
+var defaultSecureCookieConfig = {
+  secure: true,
+  httpOnly: true
+};
+var defaultHostCookieConfig = {
+  secure: true,
+  httpOnly: true,
+  path: "/",
+  domain: void 0
+};
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options) => {
+  return serialize(cookieName, value, options);
+};
+var expiredCookieAttributes = {
+  ...defaultCookieOptions,
+  expires: /* @__PURE__ */ new Date(0),
+  maxAge: 0
+};
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
+  }
+  const value = parse(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
+  }
+  return value;
+};
+var getSetCookie = (response, cookieName) => {
+  const cookies = response.headers.getSetCookie();
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found in response.");
+  }
+  const strCookie = cookies.find((cookie) => cookie.startsWith(`${cookieName}=`));
+  if (!strCookie) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found in response.`);
+  }
+  return parseSetCookie(strCookie).value;
+};
+var createSessionCookie = async (jose, session) => {
+  try {
+    const encoded = await jose.encodeJWT(session);
+    return encoded;
+  } catch (error) {
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
+  }
+};
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
+    console.warn(
+      "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
+    );
+  }
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
+    console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+  }
+  if (!useSecure) {
+    if (attributes.secure) {
+      console.warn(
+        "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
+      );
+    }
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
+    }
+    if (process.env.NODE_ENV === "production") {
+      console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+    }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
+    return {
+      ...defaultCookieOptions,
+      ...attributes,
+      ...defaultStandardCookieConfig
+    };
+  }
+  return strategy === "host" ? {
+    ...defaultCookieOptions,
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
+  return {
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "sessionToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrfToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirect_to: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_to?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_to?.attributes
+        },
+        overrides?.redirect_to?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirect_uri: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_uri?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_uri?.attributes
+        },
+        overrides?.redirect_uri?.attributes?.strategy ?? "secure"
+      )
+    },
+    code_verifier: {
+      name: `${securePrefix}${prefix}.${overrides?.code_verifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.code_verifier?.attributes
+        },
+        overrides?.code_verifier?.attributes?.strategy ?? "secure"
+      )
+    }
+  };
+};
+
+export {
+  COOKIE_NAME,
+  defaultCookieOptions,
+  defaultStandardCookieConfig,
+  defaultSecureCookieConfig,
+  defaultHostCookieConfig,
+  setCookie,
+  expiredCookieAttributes,
+  getCookie,
+  getSetCookie,
+  createSessionCookie,
+  defineSecureCookieOptions,
+  createCookieStore
+};

package/dist/{chunk-EBPE35JT.js → chunk-IUYZQTJV.js}

@@ -18,7 +18,6 @@ var discord = {
     }
     return {
       sub: profile.id,
-      // https://discord.com/developers/docs/change-log#display-names
       name: profile.global_name ?? profile.username,
       email: profile.email ?? "",
       image

package/dist/{chunk-GZU3RBTB.js → chunk-N2APGLXA.js}

@@ -1,9 +1,12 @@
 import {
   equals
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 import {
-  InvalidCsrfTokenError
-} from "./chunk-FJUDBLCP.js";
+  isJWTPayloadWithToken
+} from "./chunk-EIL2FPSS.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/secure.ts
 import crypto from "crypto";
@@ -33,19 +36,25 @@ var createCSRF = async (jose, csrfCookie) => {
 };
 var verifyCSRF = async (jose, cookie, header) => {
   try {
-    const { token: cookieToken } = await jose.verifyJWS(cookie);
-    const { token: headerToken } = await jose.verifyJWS(header);
-    const cookieBuffer = Buffer.from(cookieToken);
-    const headerBuffer = Buffer.from(headerToken);
+    const cookiePayload = await jose.verifyJWS(cookie);
+    const headerPayload = await jose.verifyJWS(header);
+    if (!isJWTPayloadWithToken(cookiePayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Cookie payload missing token field.");
+    }
+    if (!isJWTPayloadWithToken(headerPayload)) {
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "Header payload missing token field.");
+    }
+    const cookieBuffer = Buffer.from(cookiePayload.token);
+    const headerBuffer = Buffer.from(headerPayload.token);
     if (!equals(headerBuffer.length, cookieBuffer.length)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     if (!crypto.timingSafeEqual(cookieBuffer, headerBuffer)) {
-      throw new InvalidCsrfTokenError();
+      throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
     }
     return true;
   } catch {
-    throw new InvalidCsrfTokenError();
+    throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
   }
 };
 var createDerivedSalt = (secret) => {

package/dist/chunk-NEVKX6K2.js

@@ -0,0 +1,70 @@
+import {
+  createRedirectTo
+} from "./chunk-QEZL7EYN.js";
+import {
+  expiredCookieAttributes
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  verifyCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  getNormalizedOriginPath
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/signOut/signOut.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router";
+var config = createEndpointConfig({
+  schemas: {
+    searchParams: z.object({
+      token_type_hint: z.literal("session_token"),
+      redirectTo: z.string().optional()
+    })
+  }
+});
+var signOutAction = createEndpoint(
+  "POST",
+  "/signOut",
+  async (ctx) => {
+    const {
+      request,
+      headers,
+      searchParams: { redirectTo },
+      context: { jose, cookies }
+    } = ctx;
+    const session = headers.getCookie(cookies.sessionToken.name);
+    const csrfToken = headers.getCookie(cookies.csrfToken.name);
+    const header = headers.getHeader("X-CSRF-Token");
+    if (!session) {
+      throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
+    }
+    if (!csrfToken) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
+    }
+    if (!header) {
+      throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF header is missing.");
+    }
+    await verifyCSRF(jose, csrfToken, header);
+    await jose.decodeJWT(session);
+    const normalizedOriginPath = getNormalizedOriginPath(request.url);
+    const location = createRedirectTo(
+      new Request(normalizedOriginPath, {
+        headers: headers.toHeaders()
+      }),
+      redirectTo
+    );
+    const headersList = new HeadersBuilder(cacheControl).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+    return Response.json({ message: "Signed out successfully" }, { status: statusCode.ACCEPTED, headers: headersList });
+  },
+  config
+);
+
+export {
+  signOutAction
+};

package/dist/{chunk-XXJKNKGQ.js → chunk-PTJUYB33.js}

@@ -1,33 +1,29 @@
 import {
-  expireCookie,
-  getCookie,
-  secureCookieOptions
-} from "./chunk-ZV4BH47P.js";
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-IMICRJ5U.js";
 import {
   cacheControl
 } from "./chunk-STHEPPUZ.js";
 import {
   toISOString
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 
 // src/actions/session/session.ts
-import { createEndpoint } from "@aura-stack/router";
+import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
 var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
   const {
     request,
-    context: { cookies, jose, trustedProxyHeaders }
+    context: { jose, cookies }
   } = ctx;
-  const cookieOptions = secureCookieOptions(request, cookies, trustedProxyHeaders);
   try {
-    const session = getCookie(request, "sessionToken", cookieOptions);
+    const session = getCookie(request, cookies.sessionToken.name);
     const decoded = await jose.decodeJWT(session);
     const { exp, iat, jti, nbf, ...user } = decoded;
     const headers = new Headers(cacheControl);
     return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
-  } catch {
-    const headers = new Headers(cacheControl);
-    const sessionCookie = expireCookie("sessionToken", cookieOptions);
-    headers.set("Set-Cookie", sessionCookie);
+  } catch (error) {
+    const headers = new HeadersBuilder(cacheControl).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
     return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
   }
 });

package/dist/chunk-QDO2KSRJ.js

@@ -0,0 +1,35 @@
+import {
+  getCookie,
+  setCookie
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+
+// src/actions/csrfToken/csrfToken.ts
+import { createEndpoint } from "@aura-stack/router";
+var getCSRFToken = (request, cookieName) => {
+  try {
+    return getCookie(request, cookieName);
+  } catch {
+    return void 0;
+  }
+};
+var csrfTokenAction = createEndpoint("GET", "/csrfToken", async (ctx) => {
+  const {
+    request,
+    context: { jose, cookies }
+  } = ctx;
+  const token = getCSRFToken(request, cookies.csrfToken.name);
+  const csrfToken = await createCSRF(jose, token);
+  const headers = new Headers(cacheControl);
+  headers.append("Set-Cookie", setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes));
+  return Response.json({ csrfToken }, { headers });
+});
+
+export {
+  csrfTokenAction
+};

package/dist/{chunk-CAKJT3KS.js → chunk-QEZL7EYN.js}

@@ -1,27 +1,28 @@
 import {
-  isValidURL
-} from "./chunk-6SM22VVJ.js";
+  OAuthAuthorization
+} from "./chunk-WD7AUHQ5.js";
 import {
   equals,
+  formatZodError,
   getNormalizedOriginPath,
   sanitizeURL,
   toCastCase
-} from "./chunk-256KIVJL.js";
+} from "./chunk-CXLATHS5.js";
 import {
-  AuthError,
-  ERROR_RESPONSE,
-  InvalidRedirectToError,
-  isAuthError
-} from "./chunk-FJUDBLCP.js";
+  isValidURL
+} from "./chunk-EIL2FPSS.js";
 import {
-  OAuthAuthorization
-} from "./chunk-HMRKN75I.js";
+  AuthInternalError,
+  AuthSecurityError,
+  isAuthSecurityError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/actions/signIn/authorization.ts
 var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod) => {
   const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
   if (!parsed.success) {
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.SERVER_ERROR, "Invalid OAuth configuration");
+    const msg = JSON.stringify(formatZodError(parsed.error), null, 2);
+    throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg);
   }
   const { authorizeURL, ...options } = parsed.data;
   const { userInfo, accessToken, clientSecret, ...required } = options;
@@ -54,15 +55,18 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
       }
       const redirectToURL = new URL(sanitizeURL(getNormalizedOriginPath(redirectTo)));
       if (!isValidURL(redirectTo) || !equals(redirectToURL.origin, hostedURL.origin)) {
-        throw new InvalidRedirectToError();
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "The redirectTo parameter does not match the hosted origin."
+        );
       }
       return sanitizeURL(redirectToURL.pathname);
     }
     if (referer) {
       const refererURL = new URL(sanitizeURL(referer));
       if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-        throw new AuthError(
-          ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST,
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
           "The referer of the request does not match the hosted origin."
         );
       }
@@ -71,16 +75,16 @@ var createRedirectTo = (request, redirectTo, trustedProxyHeaders) => {
     if (origin) {
       const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
       if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-        throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+        throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
       }
       return sanitizeURL(originURL.pathname);
     }
     return "/";
   } catch (error) {
-    if (isAuthError(error)) {
+    if (isAuthSecurityError(error)) {
       throw error;
     }
-    throw new AuthError(ERROR_RESPONSE.AUTHORIZATION.INVALID_REQUEST, "Invalid origin (potential CSRF).");
+    throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
   }
 };