@aura-stack/auth 0.4.0-rc.5 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/@types/index.d.ts +4 -3
- package/dist/@types/router.d.cjs +0 -17
- package/dist/@types/router.d.d.ts +3 -2
- package/dist/@types/router.d.js +0 -1
- package/dist/actions/callback/access-token.cjs +40 -25
- package/dist/actions/callback/access-token.d.ts +4 -3
- package/dist/actions/callback/access-token.js +3 -4
- package/dist/actions/callback/callback.cjs +287 -77
- package/dist/actions/callback/callback.d.ts +5 -26
- package/dist/actions/callback/callback.js +13 -10
- package/dist/actions/callback/userinfo.cjs +68 -7
- package/dist/actions/callback/userinfo.d.ts +4 -3
- package/dist/actions/callback/userinfo.js +8 -6
- package/dist/actions/csrfToken/csrfToken.cjs +63 -4
- package/dist/actions/csrfToken/csrfToken.d.ts +1 -3
- package/dist/actions/csrfToken/csrfToken.js +8 -6
- package/dist/actions/index.cjs +400 -175
- package/dist/actions/index.d.ts +3 -2
- package/dist/actions/index.js +21 -19
- package/dist/actions/session/session.cjs +40 -11
- package/dist/actions/session/session.d.ts +1 -3
- package/dist/actions/session/session.js +4 -4
- package/dist/actions/signIn/authorization.cjs +171 -132
- package/dist/actions/signIn/authorization.d.ts +21 -11
- package/dist/actions/signIn/authorization.js +8 -6
- package/dist/actions/signIn/signIn.cjs +220 -113
- package/dist/actions/signIn/signIn.d.ts +5 -25
- package/dist/actions/signIn/signIn.js +9 -7
- package/dist/actions/signOut/signOut.cjs +268 -119
- package/dist/actions/signOut/signOut.d.ts +1 -9
- package/dist/actions/signOut/signOut.js +10 -8
- package/dist/assert.cjs +117 -5
- package/dist/assert.d.ts +22 -3
- package/dist/assert.js +17 -3
- package/dist/chunk-4EKY7655.js +123 -0
- package/dist/chunk-4MYWAOLG.js +31 -0
- package/dist/chunk-4YHJ4IEQ.js +25 -0
- package/dist/chunk-54CZPKR4.js +25 -0
- package/dist/chunk-5LZ7TOM3.js +25 -0
- package/dist/{chunk-W6LG7BFW.js → chunk-5W4BRQYG.js} +24 -20
- package/dist/chunk-6MXFPFR3.js +143 -0
- package/dist/{chunk-3EUWD5BB.js → chunk-7QF22LHP.js} +13 -9
- package/dist/chunk-ALG3GIV4.js +95 -0
- package/dist/chunk-E6G5YCI6.js +25 -0
- package/dist/chunk-EBAMFRB7.js +34 -0
- package/dist/chunk-EEE7UM5T.js +25 -0
- package/dist/{chunk-TLE4PXY3.js → chunk-FRJFWTOY.js} +38 -7
- package/dist/chunk-FW4W3REU.js +25 -0
- package/dist/{chunk-HT4YLL7N.js → chunk-ICAZ4OVS.js} +10 -8
- package/dist/chunk-IPKO6UQN.js +25 -0
- package/dist/{chunk-YRCB5FLE.js → chunk-KJBAQZX2.js} +13 -0
- package/dist/chunk-KMMAZFSJ.js +25 -0
- package/dist/chunk-LDU7A2JE.js +25 -0
- package/dist/{chunk-N2APGLXA.js → chunk-NUDITUKX.js} +18 -16
- package/dist/chunk-OVHNRULD.js +33 -0
- package/dist/{chunk-JVFTCTTE.js → chunk-PHFH2MGS.js} +12 -9
- package/dist/chunk-QQVSRXGX.js +149 -0
- package/dist/chunk-TM5IPSNF.js +113 -0
- package/dist/{chunk-GA2SMTJO.js → chunk-TZB6MUXN.js} +33 -13
- package/dist/chunk-VNCNJKS2.js +267 -0
- package/dist/{chunk-IVET23KF.js → chunk-XGLBNXL4.js} +31 -14
- package/dist/chunk-XUP6KKNG.js +106 -0
- package/dist/cookie.cjs +24 -20
- package/dist/cookie.d.ts +4 -3
- package/dist/cookie.js +1 -1
- package/dist/env.cjs +56 -0
- package/dist/env.d.ts +7 -0
- package/dist/env.js +6 -0
- package/dist/errors.d.ts +4 -3
- package/dist/headers.cjs +28 -2
- package/dist/headers.d.ts +25 -1
- package/dist/headers.js +9 -3
- package/dist/{index-B8jeIElf.d.ts → index-CSyIJmCM.d.ts} +373 -45
- package/dist/index.cjs +1128 -483
- package/dist/index.d.ts +7 -67
- package/dist/index.js +83 -42
- package/dist/jose.cjs +62 -25
- package/dist/jose.d.ts +7 -5
- package/dist/jose.js +8 -6
- package/dist/logger.cjs +292 -0
- package/dist/logger.d.ts +8 -0
- package/dist/logger.js +8 -0
- package/dist/oauth/bitbucket.cjs +19 -15
- package/dist/oauth/bitbucket.d.ts +3 -2
- package/dist/oauth/bitbucket.js +1 -1
- package/dist/oauth/discord.cjs +27 -24
- package/dist/oauth/discord.d.ts +3 -2
- package/dist/oauth/discord.js +1 -1
- package/dist/oauth/figma.cjs +19 -16
- package/dist/oauth/figma.d.ts +3 -2
- package/dist/oauth/figma.js +1 -1
- package/dist/oauth/github.cjs +19 -8
- package/dist/oauth/github.d.ts +3 -2
- package/dist/oauth/github.js +1 -1
- package/dist/oauth/gitlab.cjs +19 -16
- package/dist/oauth/gitlab.d.ts +3 -2
- package/dist/oauth/gitlab.js +1 -1
- package/dist/oauth/index.cjs +266 -166
- package/dist/oauth/index.d.ts +3 -2
- package/dist/oauth/index.js +22 -21
- package/dist/oauth/mailchimp.cjs +19 -16
- package/dist/oauth/mailchimp.d.ts +3 -2
- package/dist/oauth/mailchimp.js +1 -1
- package/dist/oauth/pinterest.cjs +19 -16
- package/dist/oauth/pinterest.d.ts +3 -2
- package/dist/oauth/pinterest.js +1 -1
- package/dist/oauth/spotify.cjs +19 -16
- package/dist/oauth/spotify.d.ts +3 -2
- package/dist/oauth/spotify.js +1 -1
- package/dist/oauth/strava.cjs +19 -16
- package/dist/oauth/strava.d.ts +3 -2
- package/dist/oauth/strava.js +1 -1
- package/dist/oauth/x.cjs +19 -16
- package/dist/oauth/x.d.ts +3 -2
- package/dist/oauth/x.js +1 -1
- package/dist/schemas.cjs +16 -2
- package/dist/schemas.d.ts +17 -1
- package/dist/schemas.js +5 -3
- package/dist/secure.cjs +58 -16
- package/dist/secure.d.ts +4 -10
- package/dist/secure.js +5 -5
- package/dist/utils.cjs +94 -87
- package/dist/utils.d.ts +9 -39
- package/dist/utils.js +11 -9
- package/package.json +3 -4
- package/dist/chunk-42XB3YCW.js +0 -22
- package/dist/chunk-6R2YZ4AC.js +0 -22
- package/dist/chunk-A3N4PVAT.js +0 -70
- package/dist/chunk-B737EUJV.js +0 -22
- package/dist/chunk-CXLATHS5.js +0 -143
- package/dist/chunk-DIVDFNAP.js +0 -0
- package/dist/chunk-E3OXBRYF.js +0 -22
- package/dist/chunk-EIL2FPSS.js +0 -22
- package/dist/chunk-EMKJA2GJ.js +0 -89
- package/dist/chunk-FIPU4MLT.js +0 -21
- package/dist/chunk-FKRDCWBF.js +0 -22
- package/dist/chunk-HP34YGGJ.js +0 -22
- package/dist/chunk-IKHPGFCW.js +0 -14
- package/dist/chunk-IUYZQTJV.js +0 -30
- package/dist/chunk-KRNOMBXQ.js +0 -22
- package/dist/chunk-KSWLO5ZU.js +0 -102
- package/dist/chunk-N4SX7TZT.js +0 -96
- package/dist/chunk-STHEPPUZ.js +0 -11
|
@@ -1,17 +1,17 @@
|
|
|
1
|
+
import {
|
|
2
|
+
fetchAsync
|
|
3
|
+
} from "./chunk-ZNCZVF6U.js";
|
|
4
|
+
import {
|
|
5
|
+
OAuthErrorResponse
|
|
6
|
+
} from "./chunk-KJBAQZX2.js";
|
|
1
7
|
import {
|
|
2
8
|
generateSecure
|
|
3
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-NUDITUKX.js";
|
|
4
10
|
import {
|
|
5
11
|
OAuthProtocolError,
|
|
6
12
|
isNativeError,
|
|
7
13
|
isOAuthProtocolError
|
|
8
14
|
} from "./chunk-RRLIF4PQ.js";
|
|
9
|
-
import {
|
|
10
|
-
fetchAsync
|
|
11
|
-
} from "./chunk-ZNCZVF6U.js";
|
|
12
|
-
import {
|
|
13
|
-
OAuthErrorResponse
|
|
14
|
-
} from "./chunk-YRCB5FLE.js";
|
|
15
15
|
|
|
16
16
|
// src/actions/callback/userinfo.ts
|
|
17
17
|
var getDefaultUserInfo = (profile) => {
|
|
@@ -23,9 +23,14 @@ var getDefaultUserInfo = (profile) => {
|
|
|
23
23
|
image: profile?.image ?? profile?.picture
|
|
24
24
|
};
|
|
25
25
|
};
|
|
26
|
-
var getUserInfo = async (oauthConfig, accessToken) => {
|
|
26
|
+
var getUserInfo = async (oauthConfig, accessToken, logger) => {
|
|
27
27
|
const userinfoEndpoint = oauthConfig.userInfo;
|
|
28
28
|
try {
|
|
29
|
+
logger?.log("OAUTH_USERINFO_REQUEST_INITIATED", {
|
|
30
|
+
structuredData: {
|
|
31
|
+
endpoint: userinfoEndpoint
|
|
32
|
+
}
|
|
33
|
+
});
|
|
29
34
|
const response = await fetchAsync(userinfoEndpoint, {
|
|
30
35
|
method: "GET",
|
|
31
36
|
headers: {
|
|
@@ -33,23 +38,35 @@ var getUserInfo = async (oauthConfig, accessToken) => {
|
|
|
33
38
|
Authorization: `Bearer ${accessToken}`
|
|
34
39
|
}
|
|
35
40
|
});
|
|
41
|
+
if (!response.ok) {
|
|
42
|
+
logger?.log("OAUTH_USERINFO_INVALID_RESPONSE");
|
|
43
|
+
throw new OAuthProtocolError("INVALID_REQUEST", "Invalid userinfo response format");
|
|
44
|
+
}
|
|
36
45
|
const json = await response.json();
|
|
37
46
|
const { success, data } = OAuthErrorResponse.safeParse(json);
|
|
38
47
|
if (success) {
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
48
|
+
logger?.log("OAUTH_USERINFO_ERROR", {
|
|
49
|
+
message: "Error response received from OAuth userinfo endpoint",
|
|
50
|
+
structuredData: {
|
|
51
|
+
error: data.error,
|
|
52
|
+
error_description: data.error_description ?? ""
|
|
53
|
+
}
|
|
54
|
+
});
|
|
55
|
+
throw new OAuthProtocolError("INVALID_REQUEST", "An error was received from the OAuth userinfo endpoint.");
|
|
43
56
|
}
|
|
57
|
+
logger?.log("OAUTH_USERINFO_SUCCESS");
|
|
44
58
|
return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json);
|
|
45
59
|
} catch (error) {
|
|
46
60
|
if (isOAuthProtocolError(error)) {
|
|
47
61
|
throw error;
|
|
48
62
|
}
|
|
63
|
+
logger?.log("OAUTH_USERINFO_REQUEST_FAILED");
|
|
49
64
|
if (isNativeError(error)) {
|
|
50
|
-
throw new OAuthProtocolError("
|
|
65
|
+
throw new OAuthProtocolError("SERVER_ERROR", "Failed to fetch user information from OAuth provider", "", {
|
|
66
|
+
cause: error
|
|
67
|
+
});
|
|
51
68
|
}
|
|
52
|
-
throw new OAuthProtocolError("
|
|
69
|
+
throw new OAuthProtocolError("SERVER_ERROR", "Failed to fetch user information", "", { cause: error });
|
|
53
70
|
}
|
|
54
71
|
};
|
|
55
72
|
|
|
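Review bot: The `if (!response.ok)` guard added at new lines 41-44 throws before the body is read, so the `OAuthErrorResponse.safeParse` branch and its OAUTH_USERINFO_ERROR log at new lines 46-55 can only fire when a provider returns an error document with a 2xx status; for the more typical non-2xx answer that still carries `error`/`error_description`, the provider's reason is discarded and the thrown message "Invalid userinfo response format" misdescribes what happened (the format was never inspected). The status code is also not recorded, which makes the new OAUTH_USERINFO_INVALID_RESPONSE event hard to act on; consider `logger?.log("OAUTH_USERINFO_INVALID_RESPONSE", { structuredData: { status: response.status } });` and, if the body should still be parsed on non-2xx, moving the `safeParse` ahead of the `ok` check. `data.error_description` is provider-controlled text that now lands in structured log data, which is acceptable only if the logger never splices structuredData into a free-text line. This section's file header is not on the page, so the chunk file this hunk belongs to is inferred from the `// src/actions/callback/userinfo.ts` marker.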
@@ -0,0 +1,106 @@
|
|
|
1
|
+
import {
|
|
2
|
+
OAuthAuthorization
|
|
3
|
+
} from "./chunk-KJBAQZX2.js";
|
|
4
|
+
import {
|
|
5
|
+
isRelativeURL,
|
|
6
|
+
isSameOrigin,
|
|
7
|
+
isTrustedOrigin,
|
|
8
|
+
isValidURL,
|
|
9
|
+
patternToRegex
|
|
10
|
+
} from "./chunk-4EKY7655.js";
|
|
11
|
+
import {
|
|
12
|
+
equals,
|
|
13
|
+
extractPath,
|
|
14
|
+
toCastCase
|
|
15
|
+
} from "./chunk-QQVSRXGX.js";
|
|
16
|
+
import {
|
|
17
|
+
AuthInternalError
|
|
18
|
+
} from "./chunk-RRLIF4PQ.js";
|
|
19
|
+
|
|
20
|
+
// src/actions/signIn/authorization.ts
|
|
21
|
+
var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod, logger) => {
|
|
22
|
+
const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
|
|
23
|
+
if (!parsed.success) {
|
|
24
|
+
logger?.log("INVALID_OAUTH_CONFIGURATION", {
|
|
25
|
+
structuredData: {
|
|
26
|
+
scope: oauthConfig.scope,
|
|
27
|
+
redirect_uri: redirectURI,
|
|
28
|
+
has_state: Boolean(state),
|
|
29
|
+
has_code_challenge: Boolean(codeChallenge),
|
|
30
|
+
code_challenge_method: codeChallengeMethod
|
|
31
|
+
}
|
|
32
|
+
});
|
|
33
|
+
throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
|
|
34
|
+
}
|
|
35
|
+
const { authorizeURL, ...options } = parsed.data;
|
|
36
|
+
const { userInfo, accessToken, clientSecret, ...required } = options;
|
|
37
|
+
const searchParams = new URLSearchParams(toCastCase(required));
|
|
38
|
+
return `${authorizeURL}?${searchParams}`;
|
|
39
|
+
};
|
|
40
|
+
var getTrustedOrigins = async (request, trustedOrigins) => {
|
|
41
|
+
if (!trustedOrigins) return [];
|
|
42
|
+
const raw = typeof trustedOrigins === "function" ? await trustedOrigins(request) : trustedOrigins;
|
|
43
|
+
return Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
|
|
44
|
+
};
|
|
45
|
+
var getOriginURL = async (request, context) => {
|
|
46
|
+
const headers = request.headers;
|
|
47
|
+
let origin = new URL(request.url).origin;
|
|
48
|
+
const trustedOrigins = await getTrustedOrigins(request, context?.trustedOrigins);
|
|
49
|
+
trustedOrigins.push(origin);
|
|
50
|
+
if (context?.trustedProxyHeaders) {
|
|
51
|
+
const protocol = headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Proto") ?? "http";
|
|
52
|
+
const host = headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Host") ?? null;
|
|
53
|
+
origin = `${protocol}://${host}`;
|
|
54
|
+
}
|
|
55
|
+
if (!isTrustedOrigin(origin, trustedOrigins)) {
|
|
56
|
+
context?.logger?.log("UNTRUSTED_ORIGIN", { structuredData: { origin } });
|
|
57
|
+
throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");
|
|
58
|
+
}
|
|
59
|
+
return origin;
|
|
60
|
+
};
|
|
61
|
+
var createRedirectURI = async (request, oauth, context) => {
|
|
62
|
+
const origin = await getOriginURL(request, context);
|
|
63
|
+
return `${origin}${context.basePath}/callback/${oauth}`;
|
|
64
|
+
};
|
|
65
|
+
var createRedirectTo = async (request, redirectTo, context) => {
|
|
66
|
+
try {
|
|
67
|
+
const headers = request.headers;
|
|
68
|
+
const requestOrigin = await getOriginURL(request, context);
|
|
69
|
+
const origins = await getTrustedOrigins(request, context?.trustedOrigins);
|
|
70
|
+
const validateURL = (url) => {
|
|
71
|
+
if (!isRelativeURL(url) && !isValidURL(url)) return "/";
|
|
72
|
+
if (isRelativeURL(url)) return url;
|
|
73
|
+
if (origins.length > 0) {
|
|
74
|
+
if (isTrustedOrigin(url, origins)) {
|
|
75
|
+
const urlOrigin = new URL(url).origin;
|
|
76
|
+
for (const pattern of origins) {
|
|
77
|
+
const regex = patternToRegex(pattern);
|
|
78
|
+
if (regex?.test(urlOrigin)) {
|
|
79
|
+
return isSameOrigin(url, request.url) ? extractPath(url) : url;
|
|
80
|
+
}
|
|
81
|
+
if (isValidURL(pattern) && equals(new URL(pattern).origin, urlOrigin)) return url;
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
context?.logger?.log("OPEN_REDIRECT_ATTACK");
|
|
85
|
+
return "/";
|
|
86
|
+
}
|
|
87
|
+
if (isSameOrigin(url, requestOrigin)) {
|
|
88
|
+
return extractPath(url);
|
|
89
|
+
}
|
|
90
|
+
context?.logger?.log("OPEN_REDIRECT_ATTACK");
|
|
91
|
+
return "/";
|
|
92
|
+
};
|
|
93
|
+
return validateURL(redirectTo ?? headers.get("Referer") ?? headers.get("Origin") ?? "/");
|
|
94
|
+
} catch (error) {
|
|
95
|
+
context?.logger?.log("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED");
|
|
96
|
+
return "/";
|
|
97
|
+
}
|
|
98
|
+
};
|
|
99
|
+
|
|
100
|
+
export {
|
|
101
|
+
createAuthorizationURL,
|
|
102
|
+
getTrustedOrigins,
|
|
103
|
+
getOriginURL,
|
|
104
|
+
createRedirectURI,
|
|
105
|
+
createRedirectTo
|
|
106
|
+
};
|
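Review bot: In `getOriginURL` (new lines 45-60) the proxy-header branch at lines 51-53 can produce the string `http://null`, because `host` falls back to `null` and is interpolated unchecked; the later `isTrustedOrigin` check will presumably reject it, but the resulting UNTRUSTED_ORIGIN log hides the real cause (missing host header). The precedence also looks inverted for a branch gated by `trustedProxyHeaders`: `headers.get("Host")` wins over `Forwarded`/`X-Forwarded-Host`, so the proxy-supplied host is only used when `Host` is absent, and neither the `proto=` match nor `X-Forwarded-Proto` handles quoted values or comma-separated lists from chained proxies. A minimal hardening is `if (!host) throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");` before the interpolation, plus trimming to the first element of a comma-separated `X-Forwarded-*` value. `createRedirectTo` looks sound in that every unparseable or untrusted target collapses to `/`, though it relies on `patternToRegex` producing an anchored pattern, which is not visible here; the file this hunk belongs to is inferred from the diffstat (chunk-XUP6KKNG.js, +106) since the section header is not on the page.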
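--- a/package/dist/cookie.cjs
+++ b/package/dist/cookie.cjs
@@ -82,7 +82,8 @@ var setCookie = (cookieName, value, options) => {
 var expiredCookieAttributes = {
 ...defaultCookieOptions,
 expires: /* @__PURE__ */ new Date(0),
-maxAge: 0
+maxAge: 0,
+secure: true
 };
 var getCookie = (request, cookieName) => {
 const cookies = request.headers.get("Cookie");
@@ -114,31 +115,27 @@ var createSessionCookie = async (jose, session) => {
 throw new AuthInternalError("INVALID_JWT_TOKEN", "Failed to create session cookie", { cause: error });
 }
 };
-var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
+var defineSecureCookieOptions = (useSecure, attributes, strategy, logger) => {
 if (!attributes.httpOnly) {
-
-"[WARNING]: Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS risk."
-);
+logger?.log("COOKIE_HTTPONLY_DISABLED");
 }
 if (attributes.domain === "*") {
 attributes.domain = void 0;
-
+logger?.log("COOKIE_WILDCARD_DOMAIN");
 }
 if (!useSecure) {
 if (attributes.secure) {
-
-"[WARNING]: The 'Secure' attribute will be disabled for this cookie. Serve over HTTPS to enforce Secure cookies."
-);
+logger?.log("COOKIE_SECURE_DISABLED");
 }
 if (attributes.sameSite == "none") {
 attributes.sameSite = "lax";
-
+logger?.log("COOKIE_SAMESITE_NONE_WITHOUT_SECURE");
 }
 if (process.env.NODE_ENV === "production") {
-
+logger?.log("COOKIE_INSECURE_IN_PRODUCTION");
 }
 if (strategy === "host") {
-
+logger?.log("COOKIE_HOST_STRATEGY_INSECURE");
 }
 return {
 ...defaultCookieOptions,
@@ -152,7 +149,7 @@ var defineSecureCookieOptions = (useSecure, attributes, strategy) => {
 ...defaultHostCookieConfig
 } : { ...defaultCookieOptions, ...attributes, ...defaultSecureCookieConfig };
 };
-var createCookieStore = (useSecure, prefix, overrides) => {
+var createCookieStore = (useSecure, prefix, overrides, logger) => {
 prefix ??= COOKIE_NAME;
 const securePrefix = useSecure ? "__Secure-" : "";
 const hostPrefix = useSecure ? "__Host-" : "";
@@ -165,7 +162,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 ...defaultCookieOptions,
 ...overrides?.sessionToken?.attributes
 },
-overrides?.sessionToken?.attributes?.strategy ?? "secure"
+overrides?.sessionToken?.attributes?.strategy ?? "secure",
+logger
 )
 },
 state: {
@@ -176,7 +174,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 ...oauthCookieOptions,
 ...overrides?.state?.attributes
 },
-overrides?.state?.attributes?.strategy ?? "secure"
+overrides?.state?.attributes?.strategy ?? "secure",
+logger
 )
 },
 csrfToken: {
@@ -185,9 +184,11 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 useSecure,
 {
 ...overrides?.csrfToken?.attributes,
-...defaultHostCookieConfig
+...defaultHostCookieConfig,
+sameSite: "strict"
 },
-overrides?.csrfToken?.attributes?.strategy ?? "host"
+overrides?.csrfToken?.attributes?.strategy ?? "host",
+logger
 )
 },
 redirectTo: {
@@ -198,7 +199,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 ...oauthCookieOptions,
 ...overrides?.redirectTo?.attributes
 },
-overrides?.redirectTo?.attributes?.strategy ?? "secure"
+overrides?.redirectTo?.attributes?.strategy ?? "secure",
+logger
 )
 },
 redirectURI: {
@@ -209,7 +211,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 ...oauthCookieOptions,
 ...overrides?.redirectURI?.attributes
 },
-overrides?.redirectURI?.attributes?.strategy ?? "secure"
+overrides?.redirectURI?.attributes?.strategy ?? "secure",
+logger
 )
 },
 codeVerifier: {
@@ -220,7 +223,8 @@ var createCookieStore = (useSecure, prefix, overrides) => {
 ...oauthCookieOptions,
 ...overrides?.codeVerifier?.attributes
 },
-overrides?.codeVerifier?.attributes?.strategy ?? "secure"
+overrides?.codeVerifier?.attributes?.strategy ?? "secure",
+logger
 )
 }
 };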
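Review bot: `secure: true` added to `expiredCookieAttributes` at new line 86 is unconditional, whereas every cookie produced by `defineSecureCookieOptions` derives its Secure flag from `useSecure`; most browsers ignore a `Set-Cookie` carrying `Secure` when it arrives over plain http (localhost aside), so whatever sign-out or clearing path reuses these attributes would presumably leave the cookie in place on the very deployments that already trigger COOKIE_SECURE_DISABLED. If the constant must stay a plain object, the writer should spread the runtime flag over it, e.g. `{ ...expiredCookieAttributes, secure: useSecure }`. Separately, in the csrfToken entry (new lines 186-188) `sameSite: "strict"` is spread after `...overrides?.csrfToken?.attributes`, so a user-supplied `sameSite` override is silently discarded; if that is the intended hard floor, say so in the `CookieConfig["overrides"]` docs rather than letting the override appear to work. The pre-existing `attributes.domain = void 0` and `attributes.sameSite = "lax"` assignments still mutate the caller's object, which the new logging makes more visible but does not fix.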
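--- a/package/dist/cookie.d.ts
+++ b/package/dist/cookie.d.ts
@@ -1,8 +1,9 @@
 import { SerializeOptions } from '@aura-stack/router/cookie';
 import { JWTPayload } from '@aura-stack/jose/jose';
-import { A as AuthRuntimeConfig, C as CookieConfig, a as CookieStoreConfig } from './index-
+import { A as AuthRuntimeConfig, I as InternalLogger, C as CookieConfig, a as CookieStoreConfig } from './index-CSyIJmCM.js';
 import 'zod';
 import './schemas.js';
+import './jose.js';
 import '@aura-stack/jose';
 import './@types/utility.js';
 
@@ -72,13 +73,13 @@ declare const createSessionCookie: (jose: AuthRuntimeConfig["jose"], session: JW
 * @param strategy The cookie strategy: "host", "secure", or "standard"
 * @returns The finalized cookie options to be used for setting cookies
 */
-declare const defineSecureCookieOptions: (useSecure: boolean, attributes: SerializeOptions, strategy: "host" | "secure" | "standard") => SerializeOptions;
+declare const defineSecureCookieOptions: (useSecure: boolean, attributes: SerializeOptions, strategy: "host" | "secure" | "standard", logger?: InternalLogger) => SerializeOptions;
 /**
 * @param useSecure Whether the request is secure (HTTPS)
 * @param prefix Optional prefix added to all cookie names
 * @param overrides Optional overrides for individual cookie configurations
 * @returns The complete cookie store configuration
 */
-declare const createCookieStore: (useSecure: boolean, prefix?: string, overrides?: CookieConfig["overrides"]) => CookieStoreConfig;
+declare const createCookieStore: (useSecure: boolean, prefix?: string, overrides?: CookieConfig["overrides"], logger?: InternalLogger) => CookieStoreConfig;
 
 export { COOKIE_NAME, createCookieStore, createSessionCookie, defaultCookieOptions, defaultHostCookieConfig, defaultSecureCookieConfig, defaultStandardCookieConfig, defineSecureCookieOptions, expiredCookieAttributes, getCookie, getSetCookie, setCookie };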
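Review bot: Both TSDoc blocks in this section keep their old `@param` lists and do not mention the `logger?: InternalLogger` parameter added to `defineSecureCookieOptions` (new line 76) and `createCookieStore` (new line 83), so the public declaration leaves callers guessing what the logger receives. Add to each block a line such as `* @param logger Optional internal logger that receives the cookie-hardening events (COOKIE_HTTPONLY_DISABLED, COOKIE_SECURE_DISABLED, ...) instead of console warnings`, with the event names taken from the cookie.cjs implementation on this page. It is also worth stating in the `createCookieStore` docs that the same logger is forwarded to every per-cookie `defineSecureCookieOptions` call.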
package/dist/cookie.js
CHANGED
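--- a/package/dist/env.cjs
+++ b/package/dist/env.cjs
@@ -0,0 +1,56 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+for (var name in all)
+__defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+if (from && typeof from === "object" || typeof from === "function") {
+for (let key of __getOwnPropNames(from))
+if (!__hasOwnProp.call(to, key) && key !== except)
+__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+}
+return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/env.ts
+var env_exports = {};
+__export(env_exports, {
+env: () => env
+});
+module.exports = __toCommonJS(env_exports);
+var import_meta = {};
+var env = new Proxy({}, {
+get(_, prop) {
+if (typeof prop !== "string") return void 0;
+const hasProperty = (process2) => {
+return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
+};
+try {
+if (typeof process !== "undefined" && hasProperty(process.env)) {
+return process.env[prop];
+}
+if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
+return import_meta.env[prop];
+}
+if (typeof Deno !== "undefined" && Deno.env?.get) {
+return Deno.env.get(prop);
+}
+if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
+return Bun.env[prop];
+}
+const globalValue = globalThis[prop];
+return typeof globalValue === "string" ? globalValue : void 0;
+} catch {
+return void 0;
+}
+}
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+env
+});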
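Review bot: The last-resort lookup `globalThis[prop]` at new lines 46-47 turns any string-valued global into a configuration source, and unlike the `process.env`/`import_meta.env`/`Bun.env` branches it performs no own-property check, so in a shared or browser-like runtime any other script that assigns a global with the expected name can supply what this module will treat as an environment value (including whatever secrets are read through `env`). If the fallback is needed, restrict it to own properties, `const globalValue = Object.prototype.hasOwnProperty.call(globalThis, prop) ? globalThis[prop] : void 0;`, and document in `env.d.ts` that globals are consulted; otherwise drop it. Note also that `import_meta` is the empty object at new line 26, so the `import_meta.env` branch is dead in this CJS build, and the proxy defines only a `get` trap, so `"X" in env` and `Object.keys(env)` presumably report nothing, which is worth a comment if only property reads are intended.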
package/dist/env.d.ts
ADDED
package/dist/env.js
ADDED
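--- a/package/dist/errors.d.ts
+++ b/package/dist/errors.d.ts
@@ -1,10 +1,11 @@
-import { E as ErrorType, b as AuthInternalErrorCode, c as AuthSecurityErrorCode } from './index-
+import { E as ErrorType, b as AuthInternalErrorCode, c as AuthSecurityErrorCode } from './index-CSyIJmCM.js';
 import { LiteralUnion } from './@types/utility.js';
 import 'zod';
 import './schemas.js';
-import '
+import './jose.js';
 import '@aura-stack/jose';
 import '@aura-stack/jose/jose';
+import '@aura-stack/router/cookie';
 
 /**
 * The object returned by the class to users its:
@@ -39,7 +40,7 @@ declare class AuthInternalError extends Error {
 declare class AuthSecurityError extends Error {
 readonly type = "AUTH_SECURITY_ERROR";
 readonly code: string;
-constructor(code: AuthSecurityErrorCode
+constructor(code: LiteralUnion<AuthSecurityErrorCode>, message?: string, options?: ErrorOptions);
 }
 declare const isNativeError: (error: unknown) => error is Error;
 declare const isOAuthProtocolError: (error: unknown) => error is OAuthProtocolError;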
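Review bot: Widening the `AuthSecurityError` constructor to `LiteralUnion<AuthSecurityErrorCode>` at new line 43 means any string now type-checks as a security error code, so a misspelled built-in code compiles silently and consumers that switch on the known `AuthSecurityErrorCode` values may miss it; the old signature at removed line 42 is truncated on the page, so whether this is a new widening cannot be confirmed here. If custom codes are an intended extension point, the declaration should say so, e.g. `/** @param code A built-in AuthSecurityErrorCode or a custom string code; custom codes are not validated. */` above the constructor, and the same wording should appear on `AuthInternalError` if it was widened the same way.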
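--- a/package/dist/headers.cjs
+++ b/package/dist/headers.cjs
@@ -20,7 +20,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/headers.ts
 var headers_exports = {};
 __export(headers_exports, {
-cacheControl: () => cacheControl
+cacheControl: () => cacheControl,
+contentSecurityPolicy: () => contentSecurityPolicy,
+secureApiHeaders: () => secureApiHeaders,
+secureHeaders: () => secureHeaders
 });
 module.exports = __toCommonJS(headers_exports);
 var cacheControl = {
@@ -29,7 +32,30 @@ var cacheControl = {
 Expires: "0",
 Vary: "Cookie"
 };
+var contentSecurityPolicy = {
+"Content-Security-Policy": [
+"default-src 'none'",
+"script-src 'self'",
+"frame-src 'none'",
+"object-src 'none'",
+"frame-ancestors 'none'",
+"base-uri 'none'"
+].join("; ")
+};
+var secureHeaders = {
+"X-Content-Type-Options": "nosniff",
+"X-Frame-Options": "DENY",
+"Referrer-Policy": "strict-origin-when-cross-origin"
+};
+var secureApiHeaders = {
+...cacheControl,
+...contentSecurityPolicy,
+...secureHeaders
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-cacheControl
+cacheControl,
+contentSecurityPolicy,
+secureApiHeaders,
+secureHeaders
 });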
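Review bot: `"script-src 'self'"` at new line 38 is the one directive in `contentSecurityPolicy` that loosens the `default-src 'none'` baseline, and for responses the declaration file describes as JSON API output there is nothing to execute, so it only widens what a browser would run if a response were ever rendered as a document; dropping that line leaves `default-src 'none'` covering scripts as well (`frame-src`/`object-src 'none'` are likewise redundant with it but harmless). If any endpoint behind `secureApiHeaders` does serve HTML, that endpoint should carry its own policy rather than this one being relaxed. A `sandbox` directive is a common extra for pure API responses and would fit the same list. The `Referrer-Policy` and `X-Frame-Options` choices look consistent with the CSP; note that `frame-ancestors` is the one enforced by CSP-aware browsers, as the .d.ts comment already says.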
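--- a/package/dist/headers.d.ts
+++ b/package/dist/headers.d.ts
@@ -5,5 +5,29 @@
 * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary
 */
 declare const cacheControl: HeadersInit;
+/**
+* Content Security Policy headers optimized for JSON API endpoints.
+* Provides protection against XSS, clickjacking, and code injection attacks.
+* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
+*/
+declare const contentSecurityPolicy: HeadersInit;
+/**
+* X-Frame-Options is overridden by the frame-ancestors directive in CSP.
+* However, it's included here for compatibility with older browsers that do not support CSP.
+* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
+* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+* @see https://developer.mozilla.org/es/docs/Web/HTTP/Reference/Headers/Referrer-Policy
+*/
+declare const secureHeaders: {
+"X-Content-Type-Options": string;
+"X-Frame-Options": string;
+"Referrer-Policy": string;
+};
+/**
+* Combined security headers for JSON API responses.
+* Includes cache control, CSP, and other security headers.
+*/
+declare const secureApiHeaders: HeadersInit;
 
-export { cacheControl };
+export { cacheControl, contentSecurityPolicy, secureApiHeaders, secureHeaders };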
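Review bot: `secureHeaders` (new lines 22-26) is declared with an inline object type while its siblings `contentSecurityPolicy` and `secureApiHeaders` are typed `HeadersInit`, and its TSDoc opens with the X-Frame-Options caveat instead of saying what the constant is. For consistency either declare it as `declare const secureHeaders: HeadersInit;` or keep the literal shape and lead the doc block with a summary such as `* Baseline hardening headers (MIME sniffing, framing, referrer) applied alongside the CSP.` before the existing caveat. The third `@see` link uses the `/es/` locale while every other link on the page uses `/en-US/`, which reads as a copy-paste slip.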
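--- a/package/dist/headers.js
+++ b/package/dist/headers.js
@@ -1,6 +1,12 @@
 import {
-cacheControl
-
+cacheControl,
+contentSecurityPolicy,
+secureApiHeaders,
+secureHeaders
+} from "./chunk-EBAMFRB7.js";
 export {
-cacheControl
+cacheControl,
+contentSecurityPolicy,
+secureApiHeaders,
+secureHeaders
 };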