@aura-stack/auth 0.1.0 → 0.2.0

package/dist/chunk-RRLIF4PQ.js

@@ -0,0 +1,55 @@
+// src/errors.ts
+var OAuthProtocolError = class extends Error {
+  type = "OAUTH_PROTOCOL_ERROR";
+  error;
+  errorURI;
+  constructor(error, description, errorURI, options) {
+    super(description, options);
+    this.error = error;
+    this.errorURI = errorURI;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var AuthSecurityError = class extends Error {
+  type = "AUTH_SECURITY_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var isNativeError = (error) => {
+  return error instanceof Error;
+};
+var isOAuthProtocolError = (error) => {
+  return error instanceof OAuthProtocolError;
+};
+var isAuthInternalError = (error) => {
+  return error instanceof AuthInternalError;
+};
+var isAuthSecurityError = (error) => {
+  return error instanceof AuthSecurityError;
+};
+
+export {
+  OAuthProtocolError,
+  AuthInternalError,
+  AuthSecurityError,
+  isNativeError,
+  isOAuthProtocolError,
+  isAuthInternalError,
+  isAuthSecurityError
+};

package/dist/chunk-TLE4PXY3.js

@@ -0,0 +1,39 @@
+import {
+  createDerivedSalt
+} from "./chunk-N2APGLXA.js";
+import {
+  AuthInternalError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/jose.ts
+import "dotenv/config";
+import { createJWT, createJWS, createJWE, createDeriveKey } from "@aura-stack/jose";
+var createJoseInstance = (secret) => {
+  const env = process.env;
+  secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
+  if (!secret) {
+    throw new AuthInternalError(
+      "JOSE_INITIALIZATION_FAILED",
+      "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+    );
+  }
+  const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT ?? createDerivedSalt(secret);
+  const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing");
+  const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption");
+  const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
+  const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
+  const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
+  const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey);
+  return {
+    decodeJWT,
+    encodeJWT,
+    signJWS,
+    verifyJWS,
+    encryptJWE,
+    decryptJWE
+  };
+};
+
+export {
+  createJoseInstance
+};

package/dist/chunk-UEH3LVON.js

@@ -0,0 +1,97 @@
+import {
+  getUserInfo
+} from "./chunk-ZLR3LI6X.js";
+import {
+  createAccessToken
+} from "./chunk-4V4JNXVF.js";
+import {
+  createSessionCookie,
+  expiredCookieAttributes,
+  getCookie
+} from "./chunk-IMICRJ5U.js";
+import {
+  cacheControl
+} from "./chunk-STHEPPUZ.js";
+import {
+  OAuthAuthorizationErrorResponse,
+  OAuthAuthorizationResponse
+} from "./chunk-WD7AUHQ5.js";
+import {
+  createCSRF
+} from "./chunk-N2APGLXA.js";
+import {
+  equals,
+  isValidRelativePath,
+  sanitizeURL
+} from "./chunk-CXLATHS5.js";
+import {
+  AuthSecurityError,
+  OAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
+
+// src/actions/callback/callback.ts
+import z from "zod";
+import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
+var callbackConfig = (oauth) => {
+  return createEndpointConfig("/callback/:oauth", {
+    schemas: {
+      searchParams: OAuthAuthorizationResponse,
+      params: z.object({
+        oauth: z.enum(Object.keys(oauth), "The OAuth provider is not supported or invalid.")
+      })
+    },
+    middlewares: [
+      (ctx) => {
+        const response = OAuthAuthorizationErrorResponse.safeParse(ctx.searchParams);
+        if (response.success) {
+          const { error, error_description } = response.data;
+          throw new OAuthProtocolError(error, error_description ?? "OAuth Authorization Error");
+        }
+        return ctx;
+      }
+    ]
+  });
+};
+var callbackAction = (oauth) => {
+  return createEndpoint(
+    "GET",
+    "/callback/:oauth",
+    async (ctx) => {
+      const {
+        request,
+        params: { oauth: oauth2 },
+        searchParams: { code, state },
+        context: { oauth: providers, cookies, jose }
+      } = ctx;
+      const oauthConfig = providers[oauth2];
+      const cookieState = getCookie(request, cookies.state.name);
+      const cookieRedirectTo = getCookie(request, cookies.redirect_to.name);
+      const cookieRedirectURI = getCookie(request, cookies.redirect_uri.name);
+      const codeVerifier = getCookie(request, cookies.code_verifier.name);
+      if (!equals(cookieState, state)) {
+        throw new AuthSecurityError(
+          "MISMATCHING_STATE",
+          "The provided state passed in the OAuth response does not match the stored state."
+        );
+      }
+      const accessToken = await createAccessToken(oauthConfig, cookieRedirectURI, code, codeVerifier);
+      const sanitized = sanitizeURL(cookieRedirectTo);
+      if (!isValidRelativePath(sanitized)) {
+        throw new AuthSecurityError(
+          "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
+          "Invalid redirect path. Potential open redirect attack detected."
+        );
+      }
+      const userInfo = await getUserInfo(oauthConfig, accessToken.access_token);
+      const sessionCookie = await createSessionCookie(jose, userInfo);
+      const csrfToken = await createCSRF(jose);
+      const headers = new HeadersBuilder(cacheControl).setHeader("Location", sanitized).setCookie(cookies.sessionToken.name, sessionCookie, cookies.sessionToken.attributes).setCookie(cookies.csrfToken.name, csrfToken, cookies.csrfToken.attributes).setCookie(cookies.state.name, "", expiredCookieAttributes).setCookie(cookies.redirect_uri.name, "", expiredCookieAttributes).setCookie(cookies.redirect_to.name, "", expiredCookieAttributes).setCookie(cookies.code_verifier.name, "", expiredCookieAttributes).toHeaders();
+      return Response.json({ oauth: oauth2 }, { status: 302, headers });
+    },
+    callbackConfig(oauth)
+  );
+};
+
+export {
+  callbackAction
+};

package/dist/{chunk-HMRKN75I.js → chunk-WD7AUHQ5.js}

@@ -1,10 +1,10 @@
 // src/schemas.ts
-import { object, string, enum as options, number, url } from "zod/v4";
+import { object, string, enum as options, number, httpUrl, z } from "zod/v4";
 var OAuthProviderConfigSchema = object({
-  authorizeURL: url(),
-  accessToken: url(),
+  authorizeURL: httpUrl(),
+  accessToken: httpUrl(),
   scope: string().optional(),
-  userInfo: url(),
+  userInfo: httpUrl(),
   responseType: options(["code", "token", "id_token"]),
   clientId: string(),
   clientSecret: string()
@@ -16,8 +16,8 @@ var OAuthAuthorization = OAuthProviderConfigSchema.extend({
   codeChallengeMethod: options(["plain", "S256"])
 });
 var OAuthAuthorizationResponse = object({
-  state: string(),
-  code: string()
+  state: string("Missing state parameter in the OAuth authorization response."),
+  code: string("Missing code parameter in the OAuth authorization response.")
 });
 var OAuthAuthorizationErrorResponse = object({
   error: options([
@@ -61,6 +61,10 @@ var OAuthErrorResponse = object({
   error: string(),
   error_description: string().optional()
 });
+var OAuthEnvSchema = object({
+  clientId: z.string().min(1, "OAuth Client ID is required in the environment variables."),
+  clientSecret: z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
 
 export {
   OAuthProviderConfigSchema,
@@ -70,5 +74,6 @@ export {
   OAuthAccessToken,
   OAuthAccessTokenResponse,
   OAuthAccessTokenErrorResponse,
-  OAuthErrorResponse
+  OAuthErrorResponse,
+  OAuthEnvSchema
 };

package/dist/{chunk-RLT4RFKV.js → chunk-ZLR3LI6X.js}

@@ -1,13 +1,14 @@
 import {
-  generateSecure
-} from "./chunk-GZU3RBTB.js";
+  OAuthErrorResponse
+} from "./chunk-WD7AUHQ5.js";
 import {
-  AuthError,
-  throwAuthError
-} from "./chunk-FJUDBLCP.js";
+  generateSecure
+} from "./chunk-N2APGLXA.js";
 import {
-  OAuthErrorResponse
-} from "./chunk-HMRKN75I.js";
+  OAuthProtocolError,
+  isNativeError,
+  isOAuthProtocolError
+} from "./chunk-RRLIF4PQ.js";
 
 // src/actions/callback/userinfo.ts
 var getDefaultUserInfo = (profile) => {
@@ -32,11 +33,20 @@ var getUserInfo = async (oauthConfig, accessToken) => {
     const json = await response.json();
     const { success, data } = OAuthErrorResponse.safeParse(json);
     if (success) {
-      throw new AuthError(data.error, data?.error_description ?? "An error occurred while fetching user information.");
+      throw new OAuthProtocolError(
+        data.error,
+        data?.error_description ?? "An error occurred while fetching user information."
+      );
     }
     return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
   } catch (error) {
-    throw throwAuthError(error, "Failed to retrieve userinfo");
+    if (isOAuthProtocolError(error)) {
+      throw error;
+    }
+    if (isNativeError(error)) {
+      throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
+    }
+    throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
   }
 };
 

package/dist/cookie.cjs

@@ -21,40 +21,34 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var cookie_exports = {};
 __export(cookie_exports, {
   COOKIE_NAME: () => COOKIE_NAME,
+  createCookieStore: () => createCookieStore,
   createSessionCookie: () => createSessionCookie,
-  defaultCookieConfig: () => defaultCookieConfig,
   defaultCookieOptions: () => defaultCookieOptions,
   defaultHostCookieConfig: () => defaultHostCookieConfig,
   defaultSecureCookieConfig: () => defaultSecureCookieConfig,
   defaultStandardCookieConfig: () => defaultStandardCookieConfig,
-  defineDefaultCookieOptions: () => defineDefaultCookieOptions,
-  expireCookie: () => expireCookie,
-  expiredCookieOptions: () => expiredCookieOptions,
+  defineSecureCookieOptions: () => defineSecureCookieOptions,
+  expiredCookieAttributes: () => expiredCookieAttributes,
   getCookie: () => getCookie,
-  oauthCookie: () => oauthCookie,
-  parse: () => import_cookie2.parse,
-  secureCookieOptions: () => secureCookieOptions,
+  getSetCookie: () => getSetCookie,
   setCookie: () => setCookie
 });
 module.exports = __toCommonJS(cookie_exports);
-var import_cookie = require("cookie");
+var import_cookie = require("@aura-stack/router/cookie");
 
-// src/error.ts
-var AuthError = class extends Error {
-  constructor(type, message) {
-    super(message);
-    this.type = type;
-    this.name = "AuthError";
+// src/errors.ts
+var AuthInternalError = class extends Error {
+  type = "AUTH_INTERNAL_ERROR";
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.code = code;
+    this.name = new.target.name;
+    Error.captureStackTrace(this, new.target);
   }
 };
 
-// src/assert.ts
-var isRequest = (value) => {
-  return typeof Request !== "undefined" && value instanceof Request;
-};
-
 // src/cookie.ts
-var import_cookie2 = require("cookie");
 var COOKIE_NAME = "aura-auth";
 var defaultCookieOptions = {
   httpOnly: true,
@@ -62,140 +56,187 @@ var defaultCookieOptions = {
   path: "/",
   maxAge: 60 * 60 * 24 * 15
 };
-var defaultCookieConfig = {
-  strategy: "standard",
-  name: COOKIE_NAME,
-  options: defaultCookieOptions
-};
 var defaultStandardCookieConfig = {
   secure: false,
-  httpOnly: true,
-  prefix: ""
+  httpOnly: true
 };
 var defaultSecureCookieConfig = {
   secure: true,
-  prefix: "__Secure-"
+  httpOnly: true
 };
 var defaultHostCookieConfig = {
   secure: true,
-  prefix: "__Host-",
+  httpOnly: true,
   path: "/",
   domain: void 0
 };
-var expiredCookieOptions = {
+var oauthCookieOptions = {
+  httpOnly: true,
+  maxAge: 5 * 60,
+  sameSite: "lax",
+  expires: new Date(Date.now() + 5 * 60 * 1e3)
+};
+var setCookie = (cookieName, value, options) => {
+  return (0, import_cookie.serialize)(cookieName, value, options);
+};
+var expiredCookieAttributes = {
   ...defaultCookieOptions,
   expires: /* @__PURE__ */ new Date(0),
   maxAge: 0
 };
-var defineDefaultCookieOptions = (options) => {
-  return {
-    name: options?.name ?? COOKIE_NAME,
-    prefix: options?.prefix ?? (options?.secure ? "__Secure-" : ""),
-    ...defaultCookieOptions,
-    ...options
-  };
-};
-var setCookie = (cookieName, value, options) => {
-  const { prefix, name } = defineDefaultCookieOptions(options);
-  const cookieNameWithPrefix = `${prefix}${name}.${cookieName}`;
-  return (0, import_cookie.serialize)(cookieNameWithPrefix, value, {
-    ...defaultCookieOptions,
-    ...options
-  });
-};
-var getCookie = (petition, cookie, options, optional = false) => {
-  const cookies = isRequest(petition) ? petition.headers.get("Cookie") : petition.headers.getSetCookie().join("; ");
+var getCookie = (request, cookieName) => {
+  const cookies = request.headers.get("Cookie");
   if (!cookies) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", "No cookies found. There is no active session");
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
   }
-  const { name, prefix } = defineDefaultCookieOptions(options);
-  const parsedCookies = (0, import_cookie.parse)(cookies);
-  const value = parsedCookies[`${prefix}${name}.${cookie}`];
-  if (value === void 0) {
-    if (optional) {
-      return "";
-    }
-    throw new AuthError("invalid_request", `Cookie "${cookie}" not found. There is no active session`);
+  const value = (0, import_cookie.parse)(cookies)[cookieName];
+  if (!value) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found. There is no active session`);
   }
   return value;
 };
-var createSessionCookie = async (session, cookieOptions, jose) => {
+var getSetCookie = (response, cookieName) => {
+  const cookies = response.headers.getSetCookie();
+  if (!cookies) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found in response.");
+  }
+  const strCookie = cookies.find((cookie) => cookie.startsWith(`${cookieName}=`));
+  if (!strCookie) {
+    throw new AuthInternalError("COOKIE_NOT_FOUND", `Cookie "${cookieName}" not found in response.`);
+  }
+  return (0, import_cookie.parseSetCookie)(strCookie).value;
+};
+var createSessionCookie = async (jose, session) => {
   try {
     const encoded = await jose.encodeJWT(session);
-    return setCookie("sessionToken", encoded, cookieOptions);
+    return encoded;
   } catch (error) {
-    throw new AuthError("server_error", "Failed to create session cookie", { cause: error });
+    throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
   }
 };
-var secureCookieOptions = (request, cookieOptions, trustedProxyHeaders) => {
-  const name = cookieOptions.name ?? COOKIE_NAME;
-  const isSecure = trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || request.headers.get("Forwarded")?.includes("proto=https") : request.url.startsWith("https://");
-  if (!cookieOptions.options?.httpOnly) {
+var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+  if (!attributes.httpOnly) {
     console.warn(
       "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
     );
   }
-  if (cookieOptions.options?.domain === "*") {
+  if (attributes.domain === "*") {
+    attributes.domain = void 0;
     console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
   }
-  if (!isSecure) {
-    const options = cookieOptions.options;
-    if (options?.secure) {
+  if (!useSecure) {
+    if (attributes.secure) {
       console.warn(
         "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
       );
     }
-    if (options?.sameSite == "none") {
-      console.warn("[WARNING]: SameSite=None without a secure connection can be blocked by browsers.");
+    if (attributes.sameSite == "none") {
+      attributes.sameSite = "lax";
+      console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
     }
     if (process.env.NODE_ENV === "production") {
       console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
     }
+    if (strategy === "host") {
+      console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+    }
     return {
       ...defaultCookieOptions,
-      ...cookieOptions.options,
-      sameSite: options?.sameSite === "none" ? "lax" : options?.sameSite ?? "lax",
-      ...defaultStandardCookieConfig,
-      name
+      ...attributes,
+      ...defaultStandardCookieConfig
     };
   }
-  return cookieOptions.strategy === "host" ? {
+  return strategy === "host" ? {
     ...defaultCookieOptions,
-    ...cookieOptions.options,
-    ...defaultHostCookieConfig,
-    name
-  } : { ...defaultCookieOptions, ...cookieOptions.options, ...defaultSecureCookieConfig, name };
-};
-var expireCookie = (name, options) => {
-  return setCookie(name, "", { ...options, ...expiredCookieOptions });
-};
-var oauthCookie = (options) => {
+    ...attributes,
+    ...defaultHostCookieConfig
+  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
+};
+var createCookieStore = (useSecure, prefix, overrides) => {
+  prefix ??= COOKIE_NAME;
+  const securePrefix = useSecure ? "__Secure-" : "";
+  const hostPrefix = useSecure ? "__Host-" : "";
   return {
-    ...options,
-    secure: options.secure,
-    httpOnly: options.httpOnly,
-    maxAge: 5 * 60,
-    expires: new Date(Date.now() + 5 * 60 * 1e3)
+    sessionToken: {
+      name: `${securePrefix}${prefix}.${overrides?.sessionToken?.name ?? "sessionToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...defaultCookieOptions,
+          ...overrides?.sessionToken?.attributes
+        },
+        overrides?.sessionToken?.attributes?.strategy ?? "secure"
+      )
+    },
+    state: {
+      name: `${securePrefix}${prefix}.${overrides?.state?.name ?? "state"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.state?.attributes
+        },
+        overrides?.state?.attributes?.strategy ?? "secure"
+      )
+    },
+    csrfToken: {
+      name: `${hostPrefix}${prefix}.${overrides?.csrfToken?.name ?? "csrfToken"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...overrides?.csrfToken?.attributes,
+          ...defaultHostCookieConfig
+        },
+        overrides?.csrfToken?.attributes?.strategy ?? "host"
+      )
+    },
+    redirect_to: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_to?.name ?? "redirect_to"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_to?.attributes
+        },
+        overrides?.redirect_to?.attributes?.strategy ?? "secure"
+      )
+    },
+    redirect_uri: {
+      name: `${securePrefix}${prefix}.${overrides?.redirect_uri?.name ?? "redirect_uri"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.redirect_uri?.attributes
+        },
+        overrides?.redirect_uri?.attributes?.strategy ?? "secure"
+      )
+    },
+    code_verifier: {
+      name: `${securePrefix}${prefix}.${overrides?.code_verifier?.name ?? "code_verifier"}`,
+      attributes: defineSecureCookieOptions(
+        useSecure,
+        {
+          ...oauthCookieOptions,
+          ...overrides?.code_verifier?.attributes
+        },
+        overrides?.code_verifier?.attributes?.strategy ?? "secure"
+      )
+    }
   };
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   COOKIE_NAME,
+  createCookieStore,
   createSessionCookie,
-  defaultCookieConfig,
   defaultCookieOptions,
   defaultHostCookieConfig,
   defaultSecureCookieConfig,
   defaultStandardCookieConfig,
-  defineDefaultCookieOptions,
-  expireCookie,
-  expiredCookieOptions,
+  defineSecureCookieOptions,
+  expiredCookieAttributes,
   getCookie,
-  oauthCookie,
-  parse,
-  secureCookieOptions,
+  getSetCookie,
   setCookie
 });