@aura-stack/auth 0.4.0-rc.5 → 0.4.0

Files changed (143)
  1. package/dist/@types/index.d.ts +4 -3
  2. package/dist/@types/router.d.cjs +0 -17
  3. package/dist/@types/router.d.d.ts +3 -2
  4. package/dist/@types/router.d.js +0 -1
  5. package/dist/actions/callback/access-token.cjs +40 -25
  6. package/dist/actions/callback/access-token.d.ts +4 -3
  7. package/dist/actions/callback/access-token.js +3 -4
  8. package/dist/actions/callback/callback.cjs +287 -77
  9. package/dist/actions/callback/callback.d.ts +5 -26
  10. package/dist/actions/callback/callback.js +13 -10
  11. package/dist/actions/callback/userinfo.cjs +68 -7
  12. package/dist/actions/callback/userinfo.d.ts +4 -3
  13. package/dist/actions/callback/userinfo.js +8 -6
  14. package/dist/actions/csrfToken/csrfToken.cjs +63 -4
  15. package/dist/actions/csrfToken/csrfToken.d.ts +1 -3
  16. package/dist/actions/csrfToken/csrfToken.js +8 -6
  17. package/dist/actions/index.cjs +400 -175
  18. package/dist/actions/index.d.ts +3 -2
  19. package/dist/actions/index.js +21 -19
  20. package/dist/actions/session/session.cjs +40 -11
  21. package/dist/actions/session/session.d.ts +1 -3
  22. package/dist/actions/session/session.js +4 -4
  23. package/dist/actions/signIn/authorization.cjs +171 -132
  24. package/dist/actions/signIn/authorization.d.ts +21 -11
  25. package/dist/actions/signIn/authorization.js +8 -6
  26. package/dist/actions/signIn/signIn.cjs +220 -113
  27. package/dist/actions/signIn/signIn.d.ts +5 -25
  28. package/dist/actions/signIn/signIn.js +9 -7
  29. package/dist/actions/signOut/signOut.cjs +268 -119
  30. package/dist/actions/signOut/signOut.d.ts +1 -9
  31. package/dist/actions/signOut/signOut.js +10 -8
  32. package/dist/assert.cjs +117 -5
  33. package/dist/assert.d.ts +22 -3
  34. package/dist/assert.js +17 -3
  35. package/dist/chunk-4EKY7655.js +123 -0
  36. package/dist/chunk-4MYWAOLG.js +31 -0
  37. package/dist/chunk-4YHJ4IEQ.js +25 -0
  38. package/dist/chunk-54CZPKR4.js +25 -0
  39. package/dist/chunk-5LZ7TOM3.js +25 -0
  40. package/dist/{chunk-W6LG7BFW.js → chunk-5W4BRQYG.js} +24 -20
  41. package/dist/chunk-6MXFPFR3.js +143 -0
  42. package/dist/{chunk-3EUWD5BB.js → chunk-7QF22LHP.js} +13 -9
  43. package/dist/chunk-ALG3GIV4.js +95 -0
  44. package/dist/chunk-E6G5YCI6.js +25 -0
  45. package/dist/chunk-EBAMFRB7.js +34 -0
  46. package/dist/chunk-EEE7UM5T.js +25 -0
  47. package/dist/{chunk-TLE4PXY3.js → chunk-FRJFWTOY.js} +38 -7
  48. package/dist/chunk-FW4W3REU.js +25 -0
  49. package/dist/{chunk-HT4YLL7N.js → chunk-ICAZ4OVS.js} +10 -8
  50. package/dist/chunk-IPKO6UQN.js +25 -0
  51. package/dist/{chunk-YRCB5FLE.js → chunk-KJBAQZX2.js} +13 -0
  52. package/dist/chunk-KMMAZFSJ.js +25 -0
  53. package/dist/chunk-LDU7A2JE.js +25 -0
  54. package/dist/{chunk-N2APGLXA.js → chunk-NUDITUKX.js} +18 -16
  55. package/dist/chunk-OVHNRULD.js +33 -0
  56. package/dist/{chunk-JVFTCTTE.js → chunk-PHFH2MGS.js} +12 -9
  57. package/dist/chunk-QQVSRXGX.js +149 -0
  58. package/dist/chunk-TM5IPSNF.js +113 -0
  59. package/dist/{chunk-GA2SMTJO.js → chunk-TZB6MUXN.js} +33 -13
  60. package/dist/chunk-VNCNJKS2.js +267 -0
  61. package/dist/{chunk-IVET23KF.js → chunk-XGLBNXL4.js} +31 -14
  62. package/dist/chunk-XUP6KKNG.js +106 -0
  63. package/dist/cookie.cjs +24 -20
  64. package/dist/cookie.d.ts +4 -3
  65. package/dist/cookie.js +1 -1
  66. package/dist/env.cjs +56 -0
  67. package/dist/env.d.ts +7 -0
  68. package/dist/env.js +6 -0
  69. package/dist/errors.d.ts +4 -3
  70. package/dist/headers.cjs +28 -2
  71. package/dist/headers.d.ts +25 -1
  72. package/dist/headers.js +9 -3
  73. package/dist/{index-B8jeIElf.d.ts → index-CSyIJmCM.d.ts} +373 -45
  74. package/dist/index.cjs +1128 -483
  75. package/dist/index.d.ts +7 -67
  76. package/dist/index.js +83 -42
  77. package/dist/jose.cjs +62 -25
  78. package/dist/jose.d.ts +7 -5
  79. package/dist/jose.js +8 -6
  80. package/dist/logger.cjs +292 -0
  81. package/dist/logger.d.ts +8 -0
  82. package/dist/logger.js +8 -0
  83. package/dist/oauth/bitbucket.cjs +19 -15
  84. package/dist/oauth/bitbucket.d.ts +3 -2
  85. package/dist/oauth/bitbucket.js +1 -1
  86. package/dist/oauth/discord.cjs +27 -24
  87. package/dist/oauth/discord.d.ts +3 -2
  88. package/dist/oauth/discord.js +1 -1
  89. package/dist/oauth/figma.cjs +19 -16
  90. package/dist/oauth/figma.d.ts +3 -2
  91. package/dist/oauth/figma.js +1 -1
  92. package/dist/oauth/github.cjs +19 -8
  93. package/dist/oauth/github.d.ts +3 -2
  94. package/dist/oauth/github.js +1 -1
  95. package/dist/oauth/gitlab.cjs +19 -16
  96. package/dist/oauth/gitlab.d.ts +3 -2
  97. package/dist/oauth/gitlab.js +1 -1
  98. package/dist/oauth/index.cjs +266 -166
  99. package/dist/oauth/index.d.ts +3 -2
  100. package/dist/oauth/index.js +22 -21
  101. package/dist/oauth/mailchimp.cjs +19 -16
  102. package/dist/oauth/mailchimp.d.ts +3 -2
  103. package/dist/oauth/mailchimp.js +1 -1
  104. package/dist/oauth/pinterest.cjs +19 -16
  105. package/dist/oauth/pinterest.d.ts +3 -2
  106. package/dist/oauth/pinterest.js +1 -1
  107. package/dist/oauth/spotify.cjs +19 -16
  108. package/dist/oauth/spotify.d.ts +3 -2
  109. package/dist/oauth/spotify.js +1 -1
  110. package/dist/oauth/strava.cjs +19 -16
  111. package/dist/oauth/strava.d.ts +3 -2
  112. package/dist/oauth/strava.js +1 -1
  113. package/dist/oauth/x.cjs +19 -16
  114. package/dist/oauth/x.d.ts +3 -2
  115. package/dist/oauth/x.js +1 -1
  116. package/dist/schemas.cjs +16 -2
  117. package/dist/schemas.d.ts +17 -1
  118. package/dist/schemas.js +5 -3
  119. package/dist/secure.cjs +58 -16
  120. package/dist/secure.d.ts +4 -10
  121. package/dist/secure.js +5 -5
  122. package/dist/utils.cjs +94 -87
  123. package/dist/utils.d.ts +9 -39
  124. package/dist/utils.js +11 -9
  125. package/package.json +3 -4
  126. package/dist/chunk-42XB3YCW.js +0 -22
  127. package/dist/chunk-6R2YZ4AC.js +0 -22
  128. package/dist/chunk-A3N4PVAT.js +0 -70
  129. package/dist/chunk-B737EUJV.js +0 -22
  130. package/dist/chunk-CXLATHS5.js +0 -143
  131. package/dist/chunk-DIVDFNAP.js +0 -0
  132. package/dist/chunk-E3OXBRYF.js +0 -22
  133. package/dist/chunk-EIL2FPSS.js +0 -22
  134. package/dist/chunk-EMKJA2GJ.js +0 -89
  135. package/dist/chunk-FIPU4MLT.js +0 -21
  136. package/dist/chunk-FKRDCWBF.js +0 -22
  137. package/dist/chunk-HP34YGGJ.js +0 -22
  138. package/dist/chunk-IKHPGFCW.js +0 -14
  139. package/dist/chunk-IUYZQTJV.js +0 -30
  140. package/dist/chunk-KRNOMBXQ.js +0 -22
  141. package/dist/chunk-KSWLO5ZU.js +0 -102
  142. package/dist/chunk-N4SX7TZT.js +0 -96
  143. package/dist/chunk-STHEPPUZ.js +0 -11
@@ -1,9 +1,269 @@
1
1
  import { z } from 'zod';
2
2
  import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
3
+ import { createJoseInstance } from './jose.js';
3
4
  import { SerializeOptions } from '@aura-stack/router/cookie';
4
- import { JWTVerifyOptions, EncryptOptions, JWTDecryptOptions } from '@aura-stack/jose';
5
- import { JWTPayload } from '@aura-stack/jose/jose';
6
5
  import { LiteralUnion, Prettify } from './@types/utility.js';
6
+ import { JWTPayload } from '@aura-stack/jose/jose';
7
+
8
+ /**
9
+ * Log message definitions organized by category.
10
+ * Each message includes facility, severity, msgId, and default message.
11
+ */
12
+ declare const logMessages: {
13
+ readonly ROUTER_INTERNAL_ERROR: {
14
+ readonly facility: 10;
15
+ readonly severity: "error";
16
+ readonly msgId: "ROUTER_INTERNAL_ERROR";
17
+ readonly message: "Unhandled router error while processing the request";
18
+ };
19
+ readonly INVALID_REQUEST: {
20
+ readonly facility: 10;
21
+ readonly severity: "warning";
22
+ readonly msgId: "INVALID_REQUEST";
23
+ readonly message: "Request validation failed against the expected schema";
24
+ };
25
+ readonly SERVER_ERROR: {
26
+ readonly facility: 10;
27
+ readonly severity: "error";
28
+ readonly msgId: "SERVER_ERROR";
29
+ readonly message: "Unexpected internal server error during authentication";
30
+ };
31
+ readonly OAUTH_PROTOCOL_ERROR: {
32
+ readonly facility: 10;
33
+ readonly severity: "warning";
34
+ readonly msgId: "OAUTH_PROTOCOL_ERROR";
35
+ readonly message: "OAuth provider returned an invalid or unexpected protocol response";
36
+ };
37
+ readonly OAUTH_AUTHORIZATION_ERROR: {
38
+ readonly facility: 10;
39
+ readonly severity: "error";
40
+ readonly msgId: "OAUTH_AUTHORIZATION_ERROR";
41
+ readonly message: "OAuth authorization request was rejected or failed";
42
+ };
43
+ readonly INVALID_OAUTH_CONFIGURATION: {
44
+ readonly facility: 10;
45
+ readonly severity: "error";
46
+ readonly msgId: "INVALID_OAUTH_CONFIGURATION";
47
+ readonly message: "The OAuth provider configuration is invalid or incomplete";
48
+ };
49
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_INITIATED: {
50
+ readonly facility: 10;
51
+ readonly severity: "debug";
52
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_INITIATED";
53
+ readonly message: "Starting OAuth access token request to the provider";
54
+ };
55
+ readonly INVALID_OAUTH_ACCESS_TOKEN_RESPONSE: {
56
+ readonly facility: 10;
57
+ readonly severity: "error";
58
+ readonly msgId: "INVALID_OAUTH_ACCESS_TOKEN_RESPONSE";
59
+ readonly message: "OAuth access token endpoint returned an invalid or malformed response";
60
+ };
61
+ readonly OAUTH_ACCESS_TOKEN_ERROR: {
62
+ readonly facility: 10;
63
+ readonly severity: "error";
64
+ readonly msgId: "OAUTH_ACCESS_TOKEN_ERROR";
65
+ readonly message: "OAuth access token endpoint returned an error response";
66
+ };
67
+ readonly OAUTH_ACCESS_TOKEN_SUCCESS: {
68
+ readonly facility: 10;
69
+ readonly severity: "info";
70
+ readonly msgId: "OAUTH_ACCESS_TOKEN_SUCCESS";
71
+ readonly message: "Successfully retrieved OAuth access token from the provider";
72
+ };
73
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_FAILED: {
74
+ readonly facility: 10;
75
+ readonly severity: "error";
76
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_FAILED";
77
+ readonly message: "Network or server error while requesting OAuth access token";
78
+ };
79
+ readonly OAUTH_USERINFO_REQUEST_INITIATED: {
80
+ readonly facility: 10;
81
+ readonly severity: "debug";
82
+ readonly msgId: "OAUTH_USERINFO_REQUEST_INITIATED";
83
+ readonly message: "Starting OAuth userinfo request to the provider";
84
+ };
85
+ readonly OAUTH_USERINFO_INVALID_RESPONSE: {
86
+ readonly facility: 10;
87
+ readonly severity: "error";
88
+ readonly msgId: "OAUTH_USERINFO_INVALID_RESPONSE";
89
+ readonly message: "OAuth userinfo endpoint returned an invalid or malformed response";
90
+ };
91
+ readonly OAUTH_USERINFO_ERROR: {
92
+ readonly facility: 10;
93
+ readonly severity: "error";
94
+ readonly msgId: "OAUTH_USERINFO_ERROR";
95
+ readonly message: "OAuth userinfo endpoint returned an error response";
96
+ };
97
+ readonly OAUTH_USERINFO_SUCCESS: {
98
+ readonly facility: 10;
99
+ readonly severity: "info";
100
+ readonly msgId: "OAUTH_USERINFO_SUCCESS";
101
+ readonly message: "Successfully retrieved user information from the OAuth provider";
102
+ };
103
+ readonly OAUTH_USERINFO_REQUEST_FAILED: {
104
+ readonly facility: 10;
105
+ readonly severity: "error";
106
+ readonly msgId: "OAUTH_USERINFO_REQUEST_FAILED";
107
+ readonly message: "Network or server error while requesting user information from the OAuth provider";
108
+ };
109
+ readonly OAUTH_CALLBACK_SUCCESS: {
110
+ readonly facility: 4;
111
+ readonly severity: "info";
112
+ readonly msgId: "OAUTH_CALLBACK_SUCCESS";
113
+ readonly message: "OAuth callback completed successfully and session was created";
114
+ };
115
+ readonly MISMATCHING_STATE: {
116
+ readonly facility: 4;
117
+ readonly severity: "critical";
118
+ readonly msgId: "MISMATCHING_STATE";
119
+ readonly message: "OAuth response state parameter does not match the stored state value";
120
+ };
121
+ readonly POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED: {
122
+ readonly facility: 4;
123
+ readonly severity: "critical";
124
+ readonly msgId: "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED";
125
+ readonly message: "Blocked redirect to untrusted or external URL (potential open redirect attack)";
126
+ };
127
+ readonly OPEN_REDIRECT_ATTACK: {
128
+ readonly facility: 4;
129
+ readonly severity: "warning";
130
+ readonly msgId: "OPEN_REDIRECT_ATTACK";
131
+ readonly message: "Detected redirect target that does not match the trusted origin";
132
+ };
133
+ readonly SESSION_TOKEN_MISSING: {
134
+ readonly facility: 4;
135
+ readonly severity: "warning";
136
+ readonly msgId: "SESSION_TOKEN_MISSING";
137
+ readonly message: "Session cookie is missing from the request";
138
+ };
139
+ readonly CSRF_TOKEN_MISSING: {
140
+ readonly facility: 4;
141
+ readonly severity: "warning";
142
+ readonly msgId: "CSRF_TOKEN_MISSING";
143
+ readonly message: "CSRF token cookie is missing from the request";
144
+ };
145
+ readonly CSRF_HEADER_MISSING: {
146
+ readonly facility: 4;
147
+ readonly severity: "warning";
148
+ readonly msgId: "CSRF_HEADER_MISSING";
149
+ readonly message: "CSRF header is missing from the request";
150
+ };
151
+ readonly CSRF_TOKEN_INVALID: {
152
+ readonly facility: 4;
153
+ readonly severity: "error";
154
+ readonly msgId: "CSRF_TOKEN_INVALID";
155
+ readonly message: "CSRF token verification failed or token is invalid";
156
+ };
157
+ readonly SIGN_IN_INITIATED: {
158
+ readonly facility: 4;
159
+ readonly severity: "info";
160
+ readonly msgId: "SIGN_IN_INITIATED";
161
+ readonly message: "Starting OAuth sign-in flow for the selected provider";
162
+ };
163
+ readonly SIGN_OUT_ATTEMPT: {
164
+ readonly facility: 4;
165
+ readonly severity: "debug";
166
+ readonly msgId: "SIGN_OUT_ATTEMPT";
167
+ readonly message: "Received sign-out request from client";
168
+ };
169
+ readonly SIGN_OUT_CSRF_VERIFIED: {
170
+ readonly facility: 4;
171
+ readonly severity: "info";
172
+ readonly msgId: "SIGN_OUT_CSRF_VERIFIED";
173
+ readonly message: "CSRF token was successfully verified during sign-out";
174
+ };
175
+ readonly SIGN_OUT_SUCCESS: {
176
+ readonly facility: 4;
177
+ readonly severity: "info";
178
+ readonly msgId: "SIGN_OUT_SUCCESS";
179
+ readonly message: "User session was cleared and sign-out completed successfully";
180
+ };
181
+ readonly SIGN_OUT_REDIRECT: {
182
+ readonly facility: 4;
183
+ readonly severity: "debug";
184
+ readonly msgId: "SIGN_OUT_REDIRECT";
185
+ readonly message: "Redirecting client after successful sign-out";
186
+ };
187
+ readonly AUTH_SESSION_VALID: {
188
+ readonly facility: 4;
189
+ readonly severity: "info";
190
+ readonly msgId: "AUTH_SESSION_VALID";
191
+ readonly message: "Session token is valid and user session was returned";
192
+ };
193
+ readonly AUTH_SESSION_INVALID: {
194
+ readonly facility: 4;
195
+ readonly severity: "notice";
196
+ readonly msgId: "AUTH_SESSION_INVALID";
197
+ readonly message: "Session token is missing, expired, or invalid";
198
+ };
199
+ readonly INVALID_JWT_TOKEN: {
200
+ readonly facility: 4;
201
+ readonly severity: "warning";
202
+ readonly msgId: "INVALID_JWT_TOKEN";
203
+ readonly message: "JWT session token failed validation during sign-out";
204
+ };
205
+ readonly CSRF_TOKEN_REQUESTED: {
206
+ readonly facility: 4;
207
+ readonly severity: "debug";
208
+ readonly msgId: "CSRF_TOKEN_REQUESTED";
209
+ readonly message: "Client requested a CSRF token";
210
+ };
211
+ readonly CSRF_TOKEN_ISSUED: {
212
+ readonly facility: 4;
213
+ readonly severity: "debug";
214
+ readonly msgId: "CSRF_TOKEN_ISSUED";
215
+ readonly message: "Issued a new CSRF token to the client";
216
+ };
217
+ readonly INVALID_URL: {
218
+ readonly facility: 10;
219
+ readonly severity: "error";
220
+ readonly msgId: "INVALID_URL";
221
+ readonly message: "Derived origin URL is invalid or malformed";
222
+ };
223
+ readonly COOKIE_HTTPONLY_DISABLED: {
224
+ readonly facility: 10;
225
+ readonly severity: "critical";
226
+ readonly msgId: "COOKIE_HTTPONLY_DISABLED";
227
+ readonly message: "Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS exposure.";
228
+ };
229
+ readonly COOKIE_WILDCARD_DOMAIN: {
230
+ readonly facility: 10;
231
+ readonly severity: "critical";
232
+ readonly msgId: "COOKIE_WILDCARD_DOMAIN";
233
+ readonly message: "Cookie 'Domain' is set to a wildcard, which is insecure and should be avoided.";
234
+ };
235
+ readonly COOKIE_SECURE_DISABLED: {
236
+ readonly facility: 10;
237
+ readonly severity: "warning";
238
+ readonly msgId: "COOKIE_SECURE_DISABLED";
239
+ readonly message: "Cookie is configured with 'Secure' but the request is not HTTPS. The 'Secure' attribute will be ignored by the browser.";
240
+ };
241
+ readonly COOKIE_SAMESITE_NONE_WITHOUT_SECURE: {
242
+ readonly facility: 10;
243
+ readonly severity: "warning";
244
+ readonly msgId: "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
245
+ readonly message: "Cookie uses SameSite=None without Secure. Falling back to SameSite=Lax for safer defaults.";
246
+ };
247
+ readonly COOKIE_INSECURE_IN_PRODUCTION: {
248
+ readonly facility: 10;
249
+ readonly severity: "critical";
250
+ readonly msgId: "COOKIE_INSECURE_IN_PRODUCTION";
251
+ readonly message: "Cookies are being served over an insecure connection in production, which is a serious security risk.";
252
+ };
253
+ readonly COOKIE_HOST_STRATEGY_INSECURE: {
254
+ readonly facility: 10;
255
+ readonly severity: "critical";
256
+ readonly msgId: "COOKIE_HOST_STRATEGY_INSECURE";
257
+ readonly message: "__Host- cookies require a secure HTTPS context. Falling back to standard cookie settings.";
258
+ };
259
+ readonly UNTRUSTED_ORIGIN: {
260
+ readonly facility: 10;
261
+ readonly severity: "error";
262
+ readonly msgId: "UNTRUSTED_ORIGIN";
263
+ readonly message: "The constructed origin URL is not trusted.";
264
+ };
265
+ };
266
+ declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
7
267
 
8
268
  /**
9
269
  * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
@@ -27,7 +287,7 @@ interface PinterestProfile {
27
287
  * @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
28
288
  * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
29
289
  */
30
- declare const pinterest: OAuthProviderConfig<PinterestProfile>;
290
+ declare const pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
31
291
 
32
292
  interface Login {
33
293
  email: string;
@@ -36,6 +296,9 @@ interface Login {
36
296
  login_name: string;
37
297
  login_email: string;
38
298
  }
299
+ /**
300
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/authentication/)
301
+ */
39
302
  interface MailchimpProfile {
40
303
  dc: string;
41
304
  role: string;
@@ -46,9 +309,14 @@ interface MailchimpProfile {
46
309
  api_endpoint: string;
47
310
  }
48
311
  /**
49
- * @see [Mailchimp - Access Data on Behalf of Other Users with OAuth 2](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
312
+ * Mailchimp OAuth Provider
313
+ * @see [Mailchimp - Marketing API](https://mailchimp.com/developer/marketing/api/)
314
+ * @see [Mailchimp - Apps](https://us1.admin.mailchimp.com/account/oauth2/)
315
+ * @see [Mailchimp - Create an Application](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/#register-your-app)
316
+ * @see [Mailchimp - OAuth 2.0 Docs](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
317
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/root/)
50
318
  */
51
- declare const mailchimp: OAuthProviderConfig<MailchimpProfile>;
319
+ declare const mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
52
320
 
53
321
  /**
54
322
  * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
@@ -120,7 +388,7 @@ interface StravaProfile {
120
388
  * @see [Strava - API Application](https://www.strava.com/settings/api)
121
389
  * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
122
390
  */
123
- declare const strava: OAuthProviderConfig<StravaProfile>;
391
+ declare const strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
124
392
 
125
393
  /**
126
394
  * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
@@ -141,9 +409,9 @@ interface XProfile {
141
409
  * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
142
410
  * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
143
411
  */
144
- declare const x: OAuthProviderConfig<XProfile>;
412
+ declare const x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
145
413
 
146
- interface Image {
414
+ interface SpotifyImage {
147
415
  url: string;
148
416
  height: number;
149
417
  width: number;
@@ -159,7 +427,7 @@ interface SpotifyProfile {
159
427
  uri: string;
160
428
  country: string;
161
429
  href: string;
162
- images: Image[];
430
+ images: SpotifyImage[];
163
431
  product: string;
164
432
  explicit_content: {
165
433
  filter_enabled: boolean;
@@ -182,10 +450,10 @@ interface SpotifyProfile {
182
450
  * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
183
451
  * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
184
452
  */
185
- declare const spotify: OAuthProviderConfig<SpotifyProfile>;
453
+ declare const spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
186
454
 
187
455
  /**
188
- * @see [GitLab - Get the current user](https://docs.gitlab.com/api/users/#get-the-current-user)
456
+ * @see [GitLab - User Structure](https://docs.gitlab.com/ee/api/users.html#external-user-structure)
189
457
  */
190
458
  interface GitLabProfile {
191
459
  id: number;
@@ -244,7 +512,7 @@ interface GitLabProfile {
244
512
  * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
245
513
  * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
246
514
  */
247
- declare const gitlab: OAuthProviderConfig<GitLabProfile>;
515
+ declare const gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
248
516
 
249
517
  /**
250
518
  * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
@@ -303,7 +571,7 @@ interface DiscordProfile {
303
571
  * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
304
572
  * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
305
573
  */
306
- declare const discord: OAuthProviderConfig<DiscordProfile>;
574
+ declare const discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
307
575
 
308
576
  /**
309
577
  * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
@@ -321,7 +589,7 @@ interface FigmaProfile {
321
589
  * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
322
590
  * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
323
591
  */
324
- declare const figma: OAuthProviderConfig<FigmaProfile>;
592
+ declare const figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
325
593
 
326
594
  /**
327
595
  * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
@@ -353,7 +621,7 @@ interface BitbucketProfile {
353
621
  * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
354
622
  * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
355
623
  */
356
- declare const bitbucket: OAuthProviderConfig<BitbucketProfile>;
624
+ declare const bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
357
625
 
358
626
  /**
359
627
  * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
@@ -414,19 +682,19 @@ interface GitHubProfile {
414
682
  * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
415
683
  * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
416
684
  */
417
- declare const github: OAuthProviderConfig<GitHubProfile>;
685
+ declare const github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
418
686
 
419
687
  declare const builtInOAuthProviders: {
420
- readonly github: OAuthProviderConfig<GitHubProfile>;
421
- readonly bitbucket: OAuthProviderConfig<BitbucketProfile>;
422
- readonly figma: OAuthProviderConfig<FigmaProfile>;
423
- readonly discord: OAuthProviderConfig<DiscordProfile>;
424
- readonly gitlab: OAuthProviderConfig<GitLabProfile>;
425
- readonly spotify: OAuthProviderConfig<SpotifyProfile>;
426
- readonly x: OAuthProviderConfig<XProfile>;
427
- readonly strava: OAuthProviderConfig<StravaProfile>;
428
- readonly mailchimp: OAuthProviderConfig<MailchimpProfile>;
429
- readonly pinterest: OAuthProviderConfig<PinterestProfile>;
688
+ readonly github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
689
+ readonly bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
690
+ readonly figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
691
+ readonly discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
692
+ readonly gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
693
+ readonly spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
694
+ readonly x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
695
+ readonly strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
696
+ readonly mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
697
+ readonly pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
430
698
  };
431
699
  /**
432
700
  * Constructs OAuth provider configurations from an array of provider names or configurations.
@@ -434,8 +702,14 @@ declare const builtInOAuthProviders: {
434
702
  *
435
703
  * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
436
704
  * @returns A record of OAuth provider configurations
705
+ * @example
706
+ * // Using built-in provider with env variables
707
+ * createBuiltInOAuthProviders(["github"])
708
+ *
709
+ * // Using built-in provider with explicit credentials via factory
710
+ * createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
437
711
  */
438
- declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
712
+ declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
439
713
  type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
440
714
 
441
715
  /**
@@ -470,7 +744,7 @@ interface Session {
470
744
  * Configuration for an OAuth provider without credentials.
471
745
  * Use this type when defining provider metadata and endpoints.
472
746
  */
473
- interface OAuthProviderConfig<Profile extends object = {}> {
747
+ interface OAuthProviderConfig<Profile extends object = Record<string, any>> {
474
748
  id: string;
475
749
  name: string;
476
750
  authorizeURL: string;
@@ -484,14 +758,14 @@ interface OAuthProviderConfig<Profile extends object = {}> {
484
758
  * OAuth provider configuration with client credentials.
485
759
  * Extends OAuthProviderConfig with clientId and clientSecret.
486
760
  */
487
- interface OAuthProviderCredentials<Profile extends object = {}> extends OAuthProviderConfig<Profile> {
488
- clientId: string;
489
- clientSecret: string;
761
+ interface OAuthProviderCredentials<Profile extends object = Record<string, any>> extends OAuthProviderConfig<Profile> {
762
+ clientId?: string;
763
+ clientSecret?: string;
490
764
  }
491
765
  /**
492
766
  * Complete OAuth provider type combining configuration and credentials.
493
767
  */
494
- type OAuthProvider<Profile extends object = {}> = OAuthProviderCredentials<Profile>;
768
+ type OAuthProvider<Profile extends object = Record<string, any>> = OAuthProviderCredentials<Profile>;
495
769
  /**
496
770
  * Cookie type with __Secure- prefix, must be Secure.
497
771
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
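Review bot: `clientId?: string;` and `clientSecret?: string;` make both credentials optional on `OAuthProviderCredentials`, yet the doc block directly above still says the interface "Extends OAuthProviderConfig with clientId and clientSecret" and nothing states what a consumer should expect when they are omitted. The `@example` in the `createBuiltInOAuthProviders` hunk and the `OAuthEnvSchema` import suggest missing values are resolved from environment variables at runtime, but the declaration does not say whether that resolution fails before an authorization request is built or only at the token exchange, which is the behaviour a caller holding a provider with an undefined secret needs to know. I would extend the comment with `Both fields are optional so built-in providers can resolve them from environment variables; consumers must not assume either is present until that resolution has run (confirm the failure mode against the runtime loader).` A type-level side effect worth noting: every `OAuthProviderConfig` is now structurally assignable to `OAuthProviderCredentials`, so the "without credentials" distinction drawn in the `OAuthProviderConfig` comment is no longer enforced by the types.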
@@ -555,6 +829,9 @@ interface AuthConfig {
555
829
  * Built-in OAuth providers:
556
830
  * oauth: ["github", "google"]
557
831
  *
832
+ * Custom credentials via factory:
833
+ * oauth: [github({ clientId: "...", clientSecret: "..." })]
834
+ *
558
835
  * Custom OAuth providers:
559
836
  * oauth: [
560
837
  * {
@@ -565,12 +842,12 @@ interface AuthConfig {
565
842
  * scope: "profile email",
566
843
  * responseType: "code",
567
844
  * userInfo: "https://example.com/oauth/userinfo",
568
- * clientId: process.env.AURA_AUTH_OAUTH_PROVIDER_CLIENT_ID!,
569
- * clientSecret: process.env.AURA_AUTH_OAUTH_PROVIDER_CLIENT_SECRET!,
845
+ * clientId: process.env.AURA_AUTH_PROVIDER_CLIENT_ID,
846
+ * clientSecret: process.env.AURA_AUTH_PROVIDER_CLIENT_SECRET,
570
847
  * }
571
848
  * ]
572
849
  */
573
- oauth: (BuiltInOAuthProvider | OAuthProviderCredentials)[];
850
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[];
574
851
  /**
575
852
  * Cookie options defines the configuration for cookies used in Aura Auth.
576
853
  * It includes a prefix for cookie names and flag options to determine
@@ -615,16 +892,37 @@ interface AuthConfig {
615
892
  * @experimental
616
893
  */
617
894
  trustedProxyHeaders?: boolean;
895
+ logger?: Logger;
896
+ /**
897
+ * Defines trusted origins for your application to prevent open redirect attacks.
898
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
899
+ * are validated against this list before redirecting.
900
+ *
901
+ * - **Exact URL**: `https://example.com` matches only that origin.
902
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
903
+ * @example
904
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
905
+ *
906
+ *
907
+ * trustedOrigins: async (request) => {
908
+ * const origin = new URL(request.url).origin
909
+ * return [origin, "https://admin.example.com"]
910
+ * }
911
+ */
912
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
618
913
  }
619
- interface JoseInstance {
620
- decodeJWT: (token: string) => Promise<JWTPayload>;
621
- encodeJWT: (payload: JWTPayload) => Promise<string>;
622
- signJWS: (payload: JWTPayload) => Promise<string>;
623
- verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
624
- encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
625
- decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
626
- }
914
+ /**
915
+ * A trusted origin URL or pattern. Supports:
916
+ * - Exact: `https://example.com`
917
+ * - Subdomain wildcard: `https://*.example.com`
918
+ */
919
+ type TrustedOrigin = string;
920
+ type JoseInstance = ReturnType<typeof createJoseInstance>;
627
921
  type OAuthProviderRecord = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
922
+ type InternalLogger = {
923
+ level: LogLevel;
924
+ log: typeof createLogEntry;
925
+ };
628
926
  interface RouterGlobalContext {
629
927
  oauth: OAuthProviderRecord;
630
928
  cookies: CookieStoreConfig;
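Review bot: The `trustedOrigins` callback example at 907–910 derives the trusted list from `new URL(request.url).origin`, i.e. from the host the incoming request claims; with `trustedProxyHeaders` (line 894 above) enabled that host may come from forwarded headers, so the example as written can end up trusting whatever host reaches the handler, which defeats the open-redirect check it documents. The comment should state that the callback must return origins from configuration, not from the request, or at least warn about this case. The wildcard paragraph at 902 should also say whether `https://*.example.com` matches one label or any depth and whether port and scheme must match exactly, and add `* Wildcards extend trust to every matching subdomain, including ones you do not control; prefer exact origins.` — the matching rules themselves must be confirmed against the implementation. The `@example` block at 903–910 has a stray empty `*` line at 906 and the second sample is not introduced by its own `@example` tag.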
@@ -632,6 +930,8 @@ interface RouterGlobalContext {
632
930
  secret?: string;
633
931
  basePath: string;
634
932
  trustedProxyHeaders: boolean;
933
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
934
+ logger?: InternalLogger;
635
935
  }
636
936
  /**
637
937
  * Internal runtime configuration used within Aura Auth after initialization.
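Review bot: `trustedOrigins?` at 933 is optional on the runtime context but, unlike its `AuthConfig` counterpart above, carries no comment, so a reader of this internal type cannot tell whether an absent value disables the redirect-origin validation or falls back to some default. Add a comment along the lines of `/** Resolved from AuthConfig.trustedOrigins; when undefined, redirect validation <fallback behaviour — TODO confirm>. */` with the real fallback filled in, and give `logger?` at 934 the same treatment (presumably no-op when unset, but that is inferred).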
@@ -668,12 +968,40 @@ type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>
668
968
  */
669
969
  type TokenRevocationError = OAuthError<"invalid_session_token">;
670
970
  type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
671
- type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION";
971
+ type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID";
672
972
  type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
673
973
  type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
674
974
  type APIErrorMap = Record<string, {
675
975
  code: string;
676
976
  message: string;
677
977
  }>;
978
+ /**
979
+ * Log level for logger messages.
980
+ */
981
+ type LogLevel = "warn" | "error" | "debug" | "info";
982
+ /** Defines the Severity between 0 to 7 */
983
+ type Severity = "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug";
984
+ /**
985
+ * @see https://datatracker.ietf.org/doc/html/rfc5424
986
+ */
987
+ type SyslogOptions = {
988
+ facility: 4 | 10;
989
+ severity: Severity;
990
+ timestamp?: string;
991
+ hostname?: string;
992
+ appName?: string;
993
+ procId?: string;
994
+ msgId: string;
995
+ message: string;
996
+ structuredData?: Record<string, string | number | boolean>;
997
+ };
998
+ /**
999
+ * Logger function interface for structured logging.
1000
+ * Called when errors or warnings occur during authentication flows.
1001
+ */
1002
+ type Logger = {
1003
+ level: LogLevel;
1004
+ log: (args: SyslogOptions) => void;
1005
+ };
678
1006
 
679
- export { type AuthorizationError as $, type AuthRuntimeConfig as A, type BitbucketProfile as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, createBuiltInOAuthProviders as H, type Image as I, type JWTPayloadWithToken as J, type BuiltInOAuthProvider as K, type Login as L, type MailchimpProfile as M, type Nameplate as N, type OAuthProvider as O, type PinterestProfile as P, type JWTStandardClaims as Q, type RouterGlobalContext as R, type Session as S, type SecureCookie as T, type User as U, type HostCookie as V, type StandardCookie as W, type XProfile as X, type CookieStrategyAttributes as Y, type CookieName as Z, type OAuthError as _, type CookieStoreConfig as a, type AccessTokenError as a0, type TokenRevocationError as a1, type OAuthEnv as a2, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type JoseInstance as e, type AuthInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type APIErrorMap as i, type OAuthProviderRecord as j, type SummaryClub as k, type SummaryGear as l, mailchimp as m, type StravaProfile as n, type SpotifyProfile as o, pinterest as p, spotify as q, gitlab as r, strava as s, discord as t, figma as u, bitbucket as v, type GitHubProfile as w, x, github as y, builtInOAuthProviders as z };
1007
+ export { type SecureCookie as $, type AuthRuntimeConfig as A, figma as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type BitbucketProfile as H, type InternalLogger as I, type JWTPayloadWithToken as J, bitbucket as K, type Logger as L, type MailchimpProfile as M, type Nameplate as N, type OAuthProvider as O, type PinterestProfile as P, type GitHubProfile as Q, type RouterGlobalContext as R, type Session as S, type TrustedOrigin as T, type User as U, github as V, builtInOAuthProviders as W, type XProfile as X, createBuiltInOAuthProviders as Y, type BuiltInOAuthProvider as Z, type JWTStandardClaims as _, type CookieStoreConfig as a, type HostCookie as a0, type StandardCookie as a1, type CookieStrategyAttributes as a2, type CookieName as a3, type OAuthError as a4, type AuthorizationError as a5, type AccessTokenError as a6, type TokenRevocationError as a7, type OAuthEnv as a8, type Severity as a9, type SyslogOptions as aa, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type LogLevel as i, type APIErrorMap as j, type OAuthProviderRecord as k, logMessages as l, createLogEntry as m, type Login as n, mailchimp as o, pinterest as p, type SummaryClub as q, type SummaryGear as r, type StravaProfile as s, strava as t, type SpotifyImage as u, type SpotifyProfile as v, spotify as w, x, gitlab as y, discord as z };
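Review bot: `LogLevel` at 981 uses `"warn"` while `Severity` at 983 uses `"warning"`, and the `Logger` comment at 999–1000 says it is called for errors and warnings although the union also admits `"debug"` and `"info"`; nothing states how a level maps to an RFC 5424 severity or whether `level` is a minimum threshold that filters entries. A comment on `level` such as `* Minimum level to emit; entries below it are dropped` (confirm against the runtime) and a note on the `warn`→`warning` mapping would remove the ambiguity. On `structuredData` at 996, document who performs the RFC 5424 §6.3.3 escaping of `"`, `\` and `]` in param values, since values such as a rejected redirect target are attacker-controlled and emitting them unescaped corrupts or injects log records. The `facility: 4 | 10` restriction at 988 would also benefit from `// both are the RFC 5424 security/authorization facilities` so consumers know why only these two are allowed.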