@aura-stack/auth 0.4.0-rc.5 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (143)
  1. package/dist/@types/index.d.ts +4 -3
  2. package/dist/@types/router.d.cjs +0 -17
  3. package/dist/@types/router.d.d.ts +3 -2
  4. package/dist/@types/router.d.js +0 -1
  5. package/dist/actions/callback/access-token.cjs +40 -25
  6. package/dist/actions/callback/access-token.d.ts +4 -3
  7. package/dist/actions/callback/access-token.js +3 -4
  8. package/dist/actions/callback/callback.cjs +287 -77
  9. package/dist/actions/callback/callback.d.ts +5 -26
  10. package/dist/actions/callback/callback.js +13 -10
  11. package/dist/actions/callback/userinfo.cjs +68 -7
  12. package/dist/actions/callback/userinfo.d.ts +4 -3
  13. package/dist/actions/callback/userinfo.js +8 -6
  14. package/dist/actions/csrfToken/csrfToken.cjs +63 -4
  15. package/dist/actions/csrfToken/csrfToken.d.ts +1 -3
  16. package/dist/actions/csrfToken/csrfToken.js +8 -6
  17. package/dist/actions/index.cjs +400 -175
  18. package/dist/actions/index.d.ts +3 -2
  19. package/dist/actions/index.js +21 -19
  20. package/dist/actions/session/session.cjs +40 -11
  21. package/dist/actions/session/session.d.ts +1 -3
  22. package/dist/actions/session/session.js +4 -4
  23. package/dist/actions/signIn/authorization.cjs +171 -132
  24. package/dist/actions/signIn/authorization.d.ts +21 -11
  25. package/dist/actions/signIn/authorization.js +8 -6
  26. package/dist/actions/signIn/signIn.cjs +220 -113
  27. package/dist/actions/signIn/signIn.d.ts +5 -25
  28. package/dist/actions/signIn/signIn.js +9 -7
  29. package/dist/actions/signOut/signOut.cjs +268 -119
  30. package/dist/actions/signOut/signOut.d.ts +1 -9
  31. package/dist/actions/signOut/signOut.js +10 -8
  32. package/dist/assert.cjs +117 -5
  33. package/dist/assert.d.ts +22 -3
  34. package/dist/assert.js +17 -3
  35. package/dist/chunk-4EKY7655.js +123 -0
  36. package/dist/chunk-4MYWAOLG.js +31 -0
  37. package/dist/chunk-4YHJ4IEQ.js +25 -0
  38. package/dist/chunk-54CZPKR4.js +25 -0
  39. package/dist/chunk-5LZ7TOM3.js +25 -0
  40. package/dist/{chunk-W6LG7BFW.js → chunk-5W4BRQYG.js} +24 -20
  41. package/dist/chunk-6MXFPFR3.js +143 -0
  42. package/dist/{chunk-3EUWD5BB.js → chunk-7QF22LHP.js} +13 -9
  43. package/dist/chunk-ALG3GIV4.js +95 -0
  44. package/dist/chunk-E6G5YCI6.js +25 -0
  45. package/dist/chunk-EBAMFRB7.js +34 -0
  46. package/dist/chunk-EEE7UM5T.js +25 -0
  47. package/dist/{chunk-TLE4PXY3.js → chunk-FRJFWTOY.js} +38 -7
  48. package/dist/chunk-FW4W3REU.js +25 -0
  49. package/dist/{chunk-HT4YLL7N.js → chunk-ICAZ4OVS.js} +10 -8
  50. package/dist/chunk-IPKO6UQN.js +25 -0
  51. package/dist/{chunk-YRCB5FLE.js → chunk-KJBAQZX2.js} +13 -0
  52. package/dist/chunk-KMMAZFSJ.js +25 -0
  53. package/dist/chunk-LDU7A2JE.js +25 -0
  54. package/dist/{chunk-N2APGLXA.js → chunk-NUDITUKX.js} +18 -16
  55. package/dist/chunk-OVHNRULD.js +33 -0
  56. package/dist/{chunk-JVFTCTTE.js → chunk-PHFH2MGS.js} +12 -9
  57. package/dist/chunk-QQVSRXGX.js +149 -0
  58. package/dist/chunk-TM5IPSNF.js +113 -0
  59. package/dist/{chunk-GA2SMTJO.js → chunk-TZB6MUXN.js} +33 -13
  60. package/dist/chunk-VNCNJKS2.js +267 -0
  61. package/dist/{chunk-IVET23KF.js → chunk-XGLBNXL4.js} +31 -14
  62. package/dist/chunk-XUP6KKNG.js +106 -0
  63. package/dist/cookie.cjs +24 -20
  64. package/dist/cookie.d.ts +4 -3
  65. package/dist/cookie.js +1 -1
  66. package/dist/env.cjs +56 -0
  67. package/dist/env.d.ts +7 -0
  68. package/dist/env.js +6 -0
  69. package/dist/errors.d.ts +4 -3
  70. package/dist/headers.cjs +28 -2
  71. package/dist/headers.d.ts +25 -1
  72. package/dist/headers.js +9 -3
  73. package/dist/{index-B8jeIElf.d.ts → index-CSyIJmCM.d.ts} +373 -45
  74. package/dist/index.cjs +1128 -483
  75. package/dist/index.d.ts +7 -67
  76. package/dist/index.js +83 -42
  77. package/dist/jose.cjs +62 -25
  78. package/dist/jose.d.ts +7 -5
  79. package/dist/jose.js +8 -6
  80. package/dist/logger.cjs +292 -0
  81. package/dist/logger.d.ts +8 -0
  82. package/dist/logger.js +8 -0
  83. package/dist/oauth/bitbucket.cjs +19 -15
  84. package/dist/oauth/bitbucket.d.ts +3 -2
  85. package/dist/oauth/bitbucket.js +1 -1
  86. package/dist/oauth/discord.cjs +27 -24
  87. package/dist/oauth/discord.d.ts +3 -2
  88. package/dist/oauth/discord.js +1 -1
  89. package/dist/oauth/figma.cjs +19 -16
  90. package/dist/oauth/figma.d.ts +3 -2
  91. package/dist/oauth/figma.js +1 -1
  92. package/dist/oauth/github.cjs +19 -8
  93. package/dist/oauth/github.d.ts +3 -2
  94. package/dist/oauth/github.js +1 -1
  95. package/dist/oauth/gitlab.cjs +19 -16
  96. package/dist/oauth/gitlab.d.ts +3 -2
  97. package/dist/oauth/gitlab.js +1 -1
  98. package/dist/oauth/index.cjs +266 -166
  99. package/dist/oauth/index.d.ts +3 -2
  100. package/dist/oauth/index.js +22 -21
  101. package/dist/oauth/mailchimp.cjs +19 -16
  102. package/dist/oauth/mailchimp.d.ts +3 -2
  103. package/dist/oauth/mailchimp.js +1 -1
  104. package/dist/oauth/pinterest.cjs +19 -16
  105. package/dist/oauth/pinterest.d.ts +3 -2
  106. package/dist/oauth/pinterest.js +1 -1
  107. package/dist/oauth/spotify.cjs +19 -16
  108. package/dist/oauth/spotify.d.ts +3 -2
  109. package/dist/oauth/spotify.js +1 -1
  110. package/dist/oauth/strava.cjs +19 -16
  111. package/dist/oauth/strava.d.ts +3 -2
  112. package/dist/oauth/strava.js +1 -1
  113. package/dist/oauth/x.cjs +19 -16
  114. package/dist/oauth/x.d.ts +3 -2
  115. package/dist/oauth/x.js +1 -1
  116. package/dist/schemas.cjs +16 -2
  117. package/dist/schemas.d.ts +17 -1
  118. package/dist/schemas.js +5 -3
  119. package/dist/secure.cjs +58 -16
  120. package/dist/secure.d.ts +4 -10
  121. package/dist/secure.js +5 -5
  122. package/dist/utils.cjs +94 -87
  123. package/dist/utils.d.ts +9 -39
  124. package/dist/utils.js +11 -9
  125. package/package.json +3 -4
  126. package/dist/chunk-42XB3YCW.js +0 -22
  127. package/dist/chunk-6R2YZ4AC.js +0 -22
  128. package/dist/chunk-A3N4PVAT.js +0 -70
  129. package/dist/chunk-B737EUJV.js +0 -22
  130. package/dist/chunk-CXLATHS5.js +0 -143
  131. package/dist/chunk-DIVDFNAP.js +0 -0
  132. package/dist/chunk-E3OXBRYF.js +0 -22
  133. package/dist/chunk-EIL2FPSS.js +0 -22
  134. package/dist/chunk-EMKJA2GJ.js +0 -89
  135. package/dist/chunk-FIPU4MLT.js +0 -21
  136. package/dist/chunk-FKRDCWBF.js +0 -22
  137. package/dist/chunk-HP34YGGJ.js +0 -22
  138. package/dist/chunk-IKHPGFCW.js +0 -14
  139. package/dist/chunk-IUYZQTJV.js +0 -30
  140. package/dist/chunk-KRNOMBXQ.js +0 -22
  141. package/dist/chunk-KSWLO5ZU.js +0 -102
  142. package/dist/chunk-N4SX7TZT.js +0 -96
  143. package/dist/chunk-STHEPPUZ.js +0 -11
@@ -1,17 +1,17 @@
1
+ import {
2
+ fetchAsync
3
+ } from "./chunk-ZNCZVF6U.js";
4
+ import {
5
+ OAuthErrorResponse
6
+ } from "./chunk-KJBAQZX2.js";
1
7
  import {
2
8
  generateSecure
3
- } from "./chunk-N2APGLXA.js";
9
+ } from "./chunk-NUDITUKX.js";
4
10
  import {
5
11
  OAuthProtocolError,
6
12
  isNativeError,
7
13
  isOAuthProtocolError
8
14
  } from "./chunk-RRLIF4PQ.js";
9
- import {
10
- fetchAsync
11
- } from "./chunk-ZNCZVF6U.js";
12
- import {
13
- OAuthErrorResponse
14
- } from "./chunk-YRCB5FLE.js";
15
15
 
16
16
  // src/actions/callback/userinfo.ts
17
17
  var getDefaultUserInfo = (profile) => {
@@ -23,9 +23,14 @@ var getDefaultUserInfo = (profile) => {
23
23
  image: profile?.image ?? profile?.picture
24
24
  };
25
25
  };
26
- var getUserInfo = async (oauthConfig, accessToken) => {
26
+ var getUserInfo = async (oauthConfig, accessToken, logger) => {
27
27
  const userinfoEndpoint = oauthConfig.userInfo;
28
28
  try {
29
+ logger?.log("OAUTH_USERINFO_REQUEST_INITIATED", {
30
+ structuredData: {
31
+ endpoint: userinfoEndpoint
32
+ }
33
+ });
29
34
  const response = await fetchAsync(userinfoEndpoint, {
30
35
  method: "GET",
31
36
  headers: {
@@ -33,23 +38,35 @@ var getUserInfo = async (oauthConfig, accessToken) => {
33
38
  Authorization: `Bearer ${accessToken}`
34
39
  }
35
40
  });
41
+ if (!response.ok) {
42
+ logger?.log("OAUTH_USERINFO_INVALID_RESPONSE");
43
+ throw new OAuthProtocolError("INVALID_REQUEST", "Invalid userinfo response format");
44
+ }
36
45
  const json = await response.json();
37
46
  const { success, data } = OAuthErrorResponse.safeParse(json);
38
47
  if (success) {
39
- throw new OAuthProtocolError(
40
- data.error,
41
- data?.error_description ?? "An error occurred while fetching user information."
42
- );
48
+ logger?.log("OAUTH_USERINFO_ERROR", {
49
+ message: "Error response received from OAuth userinfo endpoint",
50
+ structuredData: {
51
+ error: data.error,
52
+ error_description: data.error_description ?? ""
53
+ }
54
+ });
55
+ throw new OAuthProtocolError("INVALID_REQUEST", "An error was received from the OAuth userinfo endpoint.");
43
56
  }
57
+ logger?.log("OAUTH_USERINFO_SUCCESS");
44
58
  return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
45
59
  } catch (error) {
46
60
  if (isOAuthProtocolError(error)) {
47
61
  throw error;
48
62
  }
63
+ logger?.log("OAUTH_USERINFO_REQUEST_FAILED");
49
64
  if (isNativeError(error)) {
50
- throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error });
65
+ throw new OAuthProtocolError("SERVER_ERROR", "Failed to fetch user information from OAuth provider", "", {
66
+ cause: error
67
+ });
51
68
  }
52
- throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error });
69
+ throw new OAuthProtocolError("SERVER_ERROR", "Failed to fetch user information", "", { cause: error });
53
70
  }
54
71
  };
55
72
 
@@ -0,0 +1,106 @@
1
+ import {
2
+ OAuthAuthorization
3
+ } from "./chunk-KJBAQZX2.js";
4
+ import {
5
+ isRelativeURL,
6
+ isSameOrigin,
7
+ isTrustedOrigin,
8
+ isValidURL,
9
+ patternToRegex
10
+ } from "./chunk-4EKY7655.js";
11
+ import {
12
+ equals,
13
+ extractPath,
14
+ toCastCase
15
+ } from "./chunk-QQVSRXGX.js";
16
+ import {
17
+ AuthInternalError
18
+ } from "./chunk-RRLIF4PQ.js";
19
+
20
+ // src/actions/signIn/authorization.ts
21
+ var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod, logger) => {
22
+ const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
23
+ if (!parsed.success) {
24
+ logger?.log("INVALID_OAUTH_CONFIGURATION", {
25
+ structuredData: {
26
+ scope: oauthConfig.scope,
27
+ redirect_uri: redirectURI,
28
+ has_state: Boolean(state),
29
+ has_code_challenge: Boolean(codeChallenge),
30
+ code_challenge_method: codeChallengeMethod
31
+ }
32
+ });
33
+ throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
34
+ }
35
+ const { authorizeURL, ...options } = parsed.data;
36
+ const { userInfo, accessToken, clientSecret, ...required } = options;
37
+ const searchParams = new URLSearchParams(toCastCase(required));
38
+ return `${authorizeURL}?${searchParams}`;
39
+ };
40
+ var getTrustedOrigins = async (request, trustedOrigins) => {
41
+ if (!trustedOrigins) return [];
42
+ const raw = typeof trustedOrigins === "function" ? await trustedOrigins(request) : trustedOrigins;
43
+ return Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
44
+ };
45
+ var getOriginURL = async (request, context) => {
46
+ const headers = request.headers;
47
+ let origin = new URL(request.url).origin;
48
+ const trustedOrigins = await getTrustedOrigins(request, context?.trustedOrigins);
49
+ trustedOrigins.push(origin);
50
+ if (context?.trustedProxyHeaders) {
51
+ const protocol = headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Proto") ?? "http";
52
+ const host = headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Host") ?? null;
53
+ origin = `${protocol}://${host}`;
54
+ }
55
+ if (!isTrustedOrigin(origin, trustedOrigins)) {
56
+ context?.logger?.log("UNTRUSTED_ORIGIN", { structuredData: { origin } });
57
+ throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");
58
+ }
59
+ return origin;
60
+ };
61
+ var createRedirectURI = async (request, oauth, context) => {
62
+ const origin = await getOriginURL(request, context);
63
+ return `${origin}${context.basePath}/callback/${oauth}`;
64
+ };
65
+ var createRedirectTo = async (request, redirectTo, context) => {
66
+ try {
67
+ const headers = request.headers;
68
+ const requestOrigin = await getOriginURL(request, context);
69
+ const origins = await getTrustedOrigins(request, context?.trustedOrigins);
70
+ const validateURL = (url) => {
71
+ if (!isRelativeURL(url) && !isValidURL(url)) return "/";
72
+ if (isRelativeURL(url)) return url;
73
+ if (origins.length > 0) {
74
+ if (isTrustedOrigin(url, origins)) {
75
+ const urlOrigin = new URL(url).origin;
76
+ for (const pattern of origins) {
77
+ const regex = patternToRegex(pattern);
78
+ if (regex?.test(urlOrigin)) {
79
+ return isSameOrigin(url, request.url) ? extractPath(url) : url;
80
+ }
81
+ if (isValidURL(pattern) && equals(new URL(pattern).origin, urlOrigin)) return url;
82
+ }
83
+ }
84
+ context?.logger?.log("OPEN_REDIRECT_ATTACK");
85
+ return "/";
86
+ }
87
+ if (isSameOrigin(url, requestOrigin)) {
88
+ return extractPath(url);
89
+ }
90
+ context?.logger?.log("OPEN_REDIRECT_ATTACK");
91
+ return "/";
92
+ };
93
+ return validateURL(redirectTo ?? headers.get("Referer") ?? headers.get("Origin") ?? "/");
94
+ } catch (error) {
95
+ context?.logger?.log("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED");
96
+ return "/";
97
+ }
98
+ };
99
+
100
+ export {
101
+ createAuthorizationURL,
102
+ getTrustedOrigins,
103
+ getOriginURL,
104
+ createRedirectURI,
105
+ createRedirectTo
106
+ };
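Review bot: `getOriginURL` mutates caller-owned configuration: `getTrustedOrigins` returns the configured array itself when `trustedOrigins` is a static array (`return Array.isArray(raw) ? raw : ...`), and `getOriginURL` then does `trustedOrigins.push(origin)`, so every request appends its own origin to the persistent config array. Beyond the unbounded growth, `createRedirectTo` calls `getTrustedOrigins` again and therefore sees the origins pushed by earlier requests as trusted redirect targets; whether a pushed origin can be attacker-influenced depends on how the host runtime derives `request.url`, which is not visible here, but the trust list should not drift at runtime regardless. Replace the push with a local copy: `const trustedOrigins = [...(await getTrustedOrigins(request, context?.trustedOrigins)), origin];`. Separately, when `trustedProxyHeaders` is enabled and none of the host headers is present, `host` is `null` and the template builds the literal string `proto://null`; an explicit `UNTRUSTED_ORIGIN` failure at that point would be clearer than relying on the later `isTrustedOrigin` rejection, and `validateURL` relies on `isRelativeURL` rejecting scheme-relative `//host` forms, which lives in another chunk and should be confirmed.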
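--- a/package/dist/cookie.cjs
+++ b/package/dist/cookie.cjs
@@ -82,7 +82,8 @@ var setCookie = (cookieName, value, options) => {
  var expiredCookieAttributes = {
  ...defaultCookieOptions,
  expires: /* @__PURE__ */ new Date(0),
- maxAge: 0
+ maxAge: 0,
+ secure: true
  };
  var getCookie = (request, cookieName) => {
  const cookies = request.headers.get("Cookie");
@@ -114,31 +115,27 @@ var createSessionCookie = async (jose, session) => {
  throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
  }
  };
- var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+ var defineSecureCookieOptions = (useSecure, attributes, strategy, logger) => {
  if (!attributes.httpOnly) {
- console.warn(
- "[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
- );
+ logger?.log("COOKIE_HTTPONLY_DISABLED");
  }
  if (attributes.domain === "*") {
  attributes.domain = void 0;
- console.warn("[WARNING]: Cookie 'Domain' is set to '*', which is insecure. Avoid wildcard domains.");
+ logger?.log("COOKIE_WILDCARD_DOMAIN");
  }
  if (!useSecure) {
  if (attributes.secure) {
- console.warn(
- "[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
- );
+ logger?.log("COOKIE_SECURE_DISABLED");
  }
  if (attributes.sameSite == "none") {
  attributes.sameSite = "lax";
- console.warn("[WARNING]: SameSite=None requires Secure attribute. Changing SameSite to 'Lax'.");
+ logger?.log("COOKIE_SAMESITE_NONE_WITHOUT_SECURE");
  }
  if (process.env.NODE_ENV === "production") {
- console.warn("[WARNING]: In production, ensure cookies are served over HTTPS to maintain security.");
+ logger?.log("COOKIE_INSECURE_IN_PRODUCTION");
  }
  if (strategy === "host") {
- console.warn("[WARNING]: __Host- cookies require a secure context. Falling back to standard cookie settings.");
+ logger?.log("COOKIE_HOST_STRATEGY_INSECURE");
  }
  return {
  ...defaultCookieOptions,
@@ -152,7 +149,7 @@ var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
  ...defaultHostCookieConfig
  } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
  };
- var createCookieStore = (useSecure, prefix, overrides) => {
+ var createCookieStore = (useSecure, prefix, overrides, logger) => {
  prefix ??= COOKIE_NAME;
  const securePrefix = useSecure ? "__Secure-" : "";
  const hostPrefix = useSecure ? "__Host-" : "";
@@ -165,7 +162,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  ...defaultCookieOptions,
  ...overrides?.sessionToken?.attributes
  },
- overrides?.sessionToken?.attributes?.strategy ?? "secure"
+ overrides?.sessionToken?.attributes?.strategy ?? "secure",
+ logger
  )
  },
  state: {
@@ -176,7 +174,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  ...oauthCookieOptions,
  ...overrides?.state?.attributes
  },
- overrides?.state?.attributes?.strategy ?? "secure"
+ overrides?.state?.attributes?.strategy ?? "secure",
+ logger
  )
  },
  csrfToken: {
@@ -185,9 +184,11 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  useSecure,
  {
  ...overrides?.csrfToken?.attributes,
- ...defaultHostCookieConfig
+ ...defaultHostCookieConfig,
+ sameSite: "strict"
  },
- overrides?.csrfToken?.attributes?.strategy ?? "host"
+ overrides?.csrfToken?.attributes?.strategy ?? "host",
+ logger
  )
  },
  redirectTo: {
@@ -198,7 +199,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  ...oauthCookieOptions,
  ...overrides?.redirectTo?.attributes
  },
- overrides?.redirectTo?.attributes?.strategy ?? "secure"
+ overrides?.redirectTo?.attributes?.strategy ?? "secure",
+ logger
  )
  },
  redirectURI: {
@@ -209,7 +211,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  ...oauthCookieOptions,
  ...overrides?.redirectURI?.attributes
  },
- overrides?.redirectURI?.attributes?.strategy ?? "secure"
+ overrides?.redirectURI?.attributes?.strategy ?? "secure",
+ logger
  )
  },
  codeVerifier: {
@@ -220,7 +223,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
  ...oauthCookieOptions,
  ...overrides?.codeVerifier?.attributes
  },
- overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+ overrides?.codeVerifier?.attributes?.strategy ?? "secure",
+ logger
  )
  }
  };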
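Review bot: `expiredCookieAttributes` now hard-codes `secure: true`, while every other cookie in this file derives the Secure flag from `useSecure` in `defineSecureCookieOptions` (which clears it and logs `COOKIE_SECURE_DISABLED` when the request is not HTTPS). Browsers discard a `Set-Cookie` carrying `Secure` on a plain-http origin (localhost aside), so if these attributes are the ones used to clear cookies on sign-out over http, the original cookie survives; how the constant is consumed is outside this section, so please confirm. Either derive the flag where the expiring cookie is built, e.g. `secure: useSecure`, or document the HTTPS-only assumption on the constant. Separately, `sameSite: "strict"` is placed after `...overrides?.csrfToken?.attributes`, so a caller's `sameSite` override for the CSRF cookie is silently ignored — a sound hardening, but worth a comment such as `// sameSite is pinned to "strict" for the CSRF cookie; overrides cannot relax it`.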
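--- a/package/dist/cookie.d.ts
+++ b/package/dist/cookie.d.ts
@@ -1,8 +1,9 @@
  import { SerializeOptions } from '@aura-stack/router/cookie';
  import { JWTPayload } from '@aura-stack/jose/jose';
- import { A as AuthRuntimeConfig, C as CookieConfig, a as CookieStoreConfig } from './index-B8jeIElf.js';
+ import { A as AuthRuntimeConfig, I as InternalLogger, C as CookieConfig, a as CookieStoreConfig } from './index-CSyIJmCM.js';
  import 'zod';
  import './schemas.js';
+ import './jose.js';
  import '@aura-stack/jose';
  import './@types/utility.js';
 
@@ -72,13 +73,13 @@ declare const createSessionCookie: (jose: AuthRuntimeConfig["jose"], session: JW
  * @param strategy The cookie strategy: "host", "secure", or "standard"
  * @returns The finalized cookie options to be used for setting cookies
  */
- declare const defineSecureCookieOptions: (useSecure: boolean, attributes: SerializeOptions, strategy: "host" | "secure" | "standard") => SerializeOptions;
+ declare const defineSecureCookieOptions: (useSecure: boolean, attributes: SerializeOptions, strategy: "host" | "secure" | "standard", logger?: InternalLogger) => SerializeOptions;
  /**
  * @param useSecure Whether the request is secure (HTTPS)
  * @param prefix Optional prefix added to all cookie names
  * @param overrides Optional overrides for individual cookie configurations
  * @returns The complete cookie store configuration
  */
- declare const createCookieStore: (useSecure: boolean, prefix?: string, overrides?: CookieConfig["overrides"]) => CookieStoreConfig;
+ declare const createCookieStore: (useSecure: boolean, prefix?: string, overrides?: CookieConfig["overrides"], logger?: InternalLogger) => CookieStoreConfig;
 
  export { COOKIE_NAME, createCookieStore, createSessionCookie, defaultCookieOptions, defaultHostCookieConfig, defaultSecureCookieConfig, defaultStandardCookieConfig, defineSecureCookieOptions, expiredCookieAttributes, getCookie, getSetCookie, setCookie };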
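Review bot: Both updated signatures gain an optional `logger?: InternalLogger` parameter, but the TSDoc blocks above them still list only the original parameters. Add `@param logger Optional internal logger that receives the cookie configuration warnings (HttpOnly disabled, wildcard domain, Secure downgrade, SameSite fallback)` to `defineSecureCookieOptions`, and `@param logger Optional internal logger forwarded to each cookie's option resolution` to `createCookieStore`. The `defineSecureCookieOptions` doc block begins above the second hunk.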
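--- a/package/dist/cookie.js
+++ b/package/dist/cookie.js
@@ -11,7 +11,7 @@ import {
  getCookie,
  getSetCookie,
  setCookie
- } from "./chunk-W6LG7BFW.js";
+ } from "./chunk-5W4BRQYG.js";
  import "./chunk-RRLIF4PQ.js";
  export {
  COOKIE_NAME,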
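--- a/package/dist/env.cjs
+++ b/package/dist/env.cjs
@@ -0,0 +1,56 @@
+ "use strict";
+ var __defProp = Object.defineProperty;
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+ var __getOwnPropNames = Object.getOwnPropertyNames;
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
+ var __export = (target, all) => {
+ for (var name in all)
+ __defProp(target, name, { get: all[name], enumerable: true });
+ };
+ var __copyProps = (to, from, except, desc) => {
+ if (from && typeof from === "object" || typeof from === "function") {
+ for (let key of __getOwnPropNames(from))
+ if (!__hasOwnProp.call(to, key) && key !== except)
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+ }
+ return to;
+ };
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+ // src/env.ts
+ var env_exports = {};
+ __export(env_exports, {
+ env: () => env
+ });
+ module.exports = __toCommonJS(env_exports);
+ var import_meta = {};
+ var env = new Proxy({}, {
+ get(_, prop) {
+ if (typeof prop !== "string") return void 0;
+ const hasProperty = (process2) => {
+ return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
+ };
+ try {
+ if (typeof process !== "undefined" && hasProperty(process.env)) {
+ return process.env[prop];
+ }
+ if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
+ return import_meta.env[prop];
+ }
+ if (typeof Deno !== "undefined" && Deno.env?.get) {
+ return Deno.env.get(prop);
+ }
+ if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
+ return Bun.env[prop];
+ }
+ const globalValue = globalThis[prop];
+ return typeof globalValue === "string" ? globalValue : void 0;
+ } catch {
+ return void 0;
+ }
+ }
+ });
+ // Annotate the CommonJS export names for ESM import in node:
+ 0 && (module.exports = {
+ env
+ });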
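Review bot: The final fallback `const globalValue = globalThis[prop]` returns any string-valued global as if it were an environment variable, so a lookup such as `env.AUTH_SECRET` is satisfied by whatever code last assigned a same-named global; in browser-like runtimes `globalThis.name` is `window.name`, which other documents can set. If the fallback exists for edge runtimes that expose bindings as globals, restrict it to an explicit allow-list or a dedicated namespace and document that; otherwise drop it and let the lookup return `undefined`. Two smaller points on the same trap: the surrounding `catch` turns a Deno permission error into a silent `undefined`, which makes a missing `--allow-env` look like an unset variable, and the Proxy defines only `get`, so `"KEY" in env` and `Object.keys(env)` ignore every source consulted here despite the `Record<string, string | undefined>` declaration in env.d.ts — a comment such as `// only property reads are supported; enumeration and 'in' checks are not` on the handler would prevent surprises. Note that `import_meta` is stubbed to `{}` in this CJS build, so the `import_meta.env` branch is unreachable in this artifact.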
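--- a/package/dist/env.d.ts
+++ b/package/dist/env.d.ts
@@ -0,0 +1,7 @@
+ /**
+ * A runtime-agnostic environment variable proxy.
+ * Checks multiple sources to ensure compatibility with Node, Bun, Deno, Vite, and Edge platforms.
+ */
+ declare const env: Record<string, string | undefined>;
+
+ export { env };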
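Review bot: The TSDoc lists the Node, Bun, Deno, Vite and Edge sources but omits two behaviours of the implementation in env.cjs that a consumer of a `Record<string, string | undefined>` would not expect: string-valued `globalThis` properties are consulted as a last resort, and any lookup error (for example a Deno permission denial) is swallowed and reported as `undefined`. Add a sentence such as `Falls back to string-valued globals and returns undefined on any lookup error; only property reads are supported, so enumeration and 'in' checks do not reflect the underlying sources.`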
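--- a/package/dist/env.js
+++ b/package/dist/env.js
@@ -0,0 +1,6 @@
+ import {
+ env
+ } from "./chunk-4MYWAOLG.js";
+ export {
+ env
+ };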
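--- a/package/dist/errors.d.ts
+++ b/package/dist/errors.d.ts
@@ -1,10 +1,11 @@
- import { E as ErrorType, b as AuthInternalErrorCode, c as AuthSecurityErrorCode } from './index-B8jeIElf.js';
+ import { E as ErrorType, b as AuthInternalErrorCode, c as AuthSecurityErrorCode } from './index-CSyIJmCM.js';
  import { LiteralUnion } from './@types/utility.js';
  import 'zod';
  import './schemas.js';
- import '@aura-stack/router/cookie';
+ import './jose.js';
  import '@aura-stack/jose';
  import '@aura-stack/jose/jose';
+ import '@aura-stack/router/cookie';
 
  /**
  * The object returned by the class to users its:
@@ -39,7 +40,7 @@ declare class AuthInternalError extends Error {
  declare class AuthSecurityError extends Error {
  readonly type = "AUTH_SECURITY_ERROR";
  readonly code: string;
- constructor(code: AuthSecurityErrorCode, message?: string, options?: ErrorOptions);
+ constructor(code: LiteralUnion<AuthSecurityErrorCode>, message?: string, options?: ErrorOptions);
  }
  declare const isNativeError: (error: unknown) => error is Error;
  declare const isOAuthProtocolError: (error: unknown) => error is OAuthProtocolError;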
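Review bot: Widening the constructor parameter to `LiteralUnion<AuthSecurityErrorCode>` means any string is now accepted as a security error code, so a misspelled code at a throw site is no longer a compile error and will never match a consumer that switches on `AuthSecurityErrorCode`. If the widening is needed for codes that are not part of the enum-like union, a doc comment on the constructor stating which codes are canonical and that the `code` field is typed `string` would make that explicit; otherwise the narrower type is the safer contract. The `AuthSecurityError` class is fully visible in the hunk, but the preceding `AuthInternalError` declaration is not.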
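--- a/package/dist/headers.cjs
+++ b/package/dist/headers.cjs
@@ -20,7 +20,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
  // src/headers.ts
  var headers_exports = {};
  __export(headers_exports, {
- cacheControl: () => cacheControl
+ cacheControl: () => cacheControl,
+ contentSecurityPolicy: () => contentSecurityPolicy,
+ secureApiHeaders: () => secureApiHeaders,
+ secureHeaders: () => secureHeaders
  });
  module.exports = __toCommonJS(headers_exports);
  var cacheControl = {
@@ -29,7 +32,30 @@ var cacheControl = {
  Expires: "0",
  Vary: "Cookie"
  };
+ var contentSecurityPolicy = {
+ "Content-Security-Policy": [
+ "default-src 'none'",
+ "script-src 'self'",
+ "frame-src 'none'",
+ "object-src 'none'",
+ "frame-ancestors 'none'",
+ "base-uri 'none'"
+ ].join("; ")
+ };
+ var secureHeaders = {
+ "X-Content-Type-Options": "nosniff",
+ "X-Frame-Options": "DENY",
+ "Referrer-Policy": "strict-origin-when-cross-origin"
+ };
+ var secureApiHeaders = {
+ ...cacheControl,
+ ...contentSecurityPolicy,
+ ...secureHeaders
+ };
  // Annotate the CommonJS export names for ESM import in node:
  0 && (module.exports = {
- cacheControl
+ cacheControl,
+ contentSecurityPolicy,
+ secureApiHeaders,
+ secureHeaders
  });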
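Review bot: `contentSecurityPolicy` pairs `default-src 'none'` with `script-src 'self'`, which re-opens same-origin script execution on responses that headers.d.ts describes as JSON API output; a CSP on such a response only takes effect when a browser renders the body as a document (for example a direct navigation to an error page), and there `'none'` is the safer default. Unless a same-origin script is genuinely served from these endpoints, drop the `"script-src 'self'"` entry so the policy collapses to `default-src 'none'` plus the frame, object and base restrictions, and add a one-line comment per directive explaining why it is present. Also worth stating in the d.ts: `secureApiHeaders` is a plain object spread, so a caller that spreads its own headers after it silently overrides `Content-Security-Policy`.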
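--- a/package/dist/headers.d.ts
+++ b/package/dist/headers.d.ts
@@ -5,5 +5,29 @@
  * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary
  */
  declare const cacheControl: HeadersInit;
+ /**
+ * Content Security Policy headers optimized for JSON API endpoints.
+ * Provides protection against XSS, clickjacking, and code injection attacks.
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
+ */
+ declare const contentSecurityPolicy: HeadersInit;
+ /**
+ * X-Frame-Options is overridden by the frame-ancestors directive in CSP.
+ * However, it's included here for compatibility with older browsers that do not support CSP.
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+ * @see https://developer.mozilla.org/es/docs/Web/HTTP/Reference/Headers/Referrer-Policy
+ */
+ declare const secureHeaders: {
+ "X-Content-Type-Options": string;
+ "X-Frame-Options": string;
+ "Referrer-Policy": string;
+ };
+ /**
+ * Combined security headers for JSON API responses.
+ * Includes cache control, CSP, and other security headers.
+ */
+ declare const secureApiHeaders: HeadersInit;
 
- export { cacheControl };
+ export { cacheControl, contentSecurityPolicy, secureApiHeaders, secureHeaders };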
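Review bot: The `secureHeaders` comment explains only `X-Frame-Options`, although the declaration also carries `X-Content-Type-Options` and `Referrer-Policy` and both of their `@see` links are attached to it, and the Referrer-Policy link uses the `es` MDN locale while every other link on the page uses `en-US`. Suggest one line per header, e.g. `X-Content-Type-Options: nosniff prevents MIME sniffing of JSON bodies; Referrer-Policy: strict-origin-when-cross-origin limits what is sent to third-party origins`, and switch the Referrer-Policy link to the en-US URL for consistency.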
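--- a/package/dist/headers.js
+++ b/package/dist/headers.js
@@ -1,6 +1,12 @@
  import {
- cacheControl
- } from "./chunk-STHEPPUZ.js";
+ cacheControl,
+ contentSecurityPolicy,
+ secureApiHeaders,
+ secureHeaders
+ } from "./chunk-EBAMFRB7.js";
  export {
- cacheControl
+ cacheControl,
+ contentSecurityPolicy,
+ secureApiHeaders,
+ secureHeaders
  };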