@aura-stack/auth 0.4.0-rc.5 → 0.5.0

Files changed (201) hide show
  1. package/dist/@types/index.d.ts +8 -3
  2. package/dist/@types/router.d.cjs +0 -17
  3. package/dist/@types/router.d.d.ts +7 -2
  4. package/dist/@types/router.d.js +0 -1
  5. package/dist/actions/callback/access-token.cjs +130 -71
  6. package/dist/actions/callback/access-token.d.ts +9 -4
  7. package/dist/actions/callback/access-token.js +3 -4
  8. package/dist/actions/callback/callback.cjs +428 -152
  9. package/dist/actions/callback/callback.d.ts +11 -3
  10. package/dist/actions/callback/callback.js +12 -10
  11. package/dist/actions/callback/userinfo.cjs +159 -65
  12. package/dist/actions/callback/userinfo.d.ts +8 -3
  13. package/dist/actions/callback/userinfo.js +7 -6
  14. package/dist/actions/csrfToken/csrfToken.cjs +70 -19
  15. package/dist/actions/csrfToken/csrfToken.js +8 -7
  16. package/dist/actions/index.cjs +780 -348
  17. package/dist/actions/index.d.ts +6 -2
  18. package/dist/actions/index.js +23 -18
  19. package/dist/actions/session/session.cjs +107 -26
  20. package/dist/actions/session/session.js +7 -5
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +209 -211
  25. package/dist/actions/signIn/authorization.d.ts +32 -21
  26. package/dist/actions/signIn/authorization.js +12 -9
  27. package/dist/actions/signIn/signIn.cjs +470 -235
  28. package/dist/actions/signIn/signIn.d.ts +12 -3
  29. package/dist/actions/signIn/signIn.js +11 -8
  30. package/dist/actions/signOut/signOut.cjs +376 -228
  31. package/dist/actions/signOut/signOut.d.ts +1 -1
  32. package/dist/actions/signOut/signOut.js +10 -9
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +150 -5
  46. package/dist/assert.d.ts +26 -3
  47. package/dist/assert.js +17 -3
  48. package/dist/{chunk-YRCB5FLE.js → chunk-2A5B7GWR.js} +52 -6
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-4YHJ4IEQ.js +25 -0
  54. package/dist/chunk-54CZPKR4.js +25 -0
  55. package/dist/chunk-5LZ7TOM3.js +25 -0
  56. package/dist/chunk-7BE46WWS.js +88 -0
  57. package/dist/chunk-7YYXFKLR.js +35 -0
  58. package/dist/chunk-C3A37LQC.js +33 -0
  59. package/dist/chunk-CITNGXDA.js +31 -0
  60. package/dist/chunk-CWX724AG.js +78 -0
  61. package/dist/chunk-D2CSIUKP.js +74 -0
  62. package/dist/chunk-E6G5YCI6.js +25 -0
  63. package/dist/chunk-EBAMFRB7.js +34 -0
  64. package/dist/chunk-EEE7UM5T.js +25 -0
  65. package/dist/{chunk-HT4YLL7N.js → chunk-FPCVZUVG.js} +10 -8
  66. package/dist/chunk-FW4W3REU.js +25 -0
  67. package/dist/chunk-GNNBM2WJ.js +83 -0
  68. package/dist/chunk-IPKO6UQN.js +25 -0
  69. package/dist/chunk-JOCGX3RP.js +59 -0
  70. package/dist/chunk-KBXWTD6E.js +94 -0
  71. package/dist/chunk-KMMAZFSJ.js +25 -0
  72. package/dist/chunk-LATR3NIV.js +117 -0
  73. package/dist/chunk-LAYPUDQF.js +39 -0
  74. package/dist/chunk-LDU7A2JE.js +25 -0
  75. package/dist/chunk-LX3TJ2TJ.js +294 -0
  76. package/dist/chunk-NHZBQNRR.js +143 -0
  77. package/dist/chunk-OVHNRULD.js +33 -0
  78. package/dist/chunk-PDP3PHB3.js +127 -0
  79. package/dist/chunk-PHYNROD4.js +47 -0
  80. package/dist/chunk-QQEKY4XP.js +29 -0
  81. package/dist/chunk-U4RK4LKJ.js +348 -0
  82. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  83. package/dist/chunk-UN7X6SU5.js +53 -0
  84. package/dist/chunk-UZQJJD6A.js +100 -0
  85. package/dist/chunk-V6LLEAR4.js +80 -0
  86. package/dist/chunk-WHNDRO3N.js +50 -0
  87. package/dist/{chunk-W6LG7BFW.js → chunk-XY5R3EHH.js} +30 -23
  88. package/dist/client/client.cjs +135 -0
  89. package/dist/client/client.d.ts +85 -0
  90. package/dist/client/client.js +9 -0
  91. package/dist/client/index.cjs +135 -0
  92. package/dist/client/index.d.ts +14 -0
  93. package/dist/client/index.js +10 -0
  94. package/dist/context.cjs +1237 -0
  95. package/dist/context.d.ts +16 -0
  96. package/dist/context.js +28 -0
  97. package/dist/cookie.cjs +57 -22
  98. package/dist/cookie.d.ts +11 -6
  99. package/dist/cookie.js +3 -2
  100. package/dist/createAuth.cjs +2320 -0
  101. package/dist/createAuth.d.ts +12 -0
  102. package/dist/createAuth.js +48 -0
  103. package/dist/env.cjs +78 -0
  104. package/dist/env.d.ts +10 -0
  105. package/dist/env.js +12 -0
  106. package/dist/errors.cjs +17 -0
  107. package/dist/errors.d.ts +15 -4
  108. package/dist/errors.js +5 -1
  109. package/dist/headers.cjs +28 -2
  110. package/dist/headers.d.ts +25 -1
  111. package/dist/headers.js +9 -3
  112. package/dist/index-_aXtxb_s.d.ts +1377 -0
  113. package/dist/index.cjs +1843 -610
  114. package/dist/index.d.ts +11 -92
  115. package/dist/index.js +53 -85
  116. package/dist/jose.cjs +113 -38
  117. package/dist/jose.d.ts +12 -23
  118. package/dist/jose.js +17 -7
  119. package/dist/logger.cjs +424 -0
  120. package/dist/logger.d.ts +12 -0
  121. package/dist/logger.js +17 -0
  122. package/dist/oauth/atlassian.cjs +57 -0
  123. package/dist/oauth/atlassian.d.ts +12 -0
  124. package/dist/oauth/atlassian.js +6 -0
  125. package/dist/oauth/bitbucket.cjs +19 -15
  126. package/dist/oauth/bitbucket.d.ts +7 -2
  127. package/dist/oauth/bitbucket.js +1 -1
  128. package/dist/oauth/discord.cjs +27 -24
  129. package/dist/oauth/discord.d.ts +7 -2
  130. package/dist/oauth/discord.js +1 -1
  131. package/dist/oauth/dropbox.cjs +53 -0
  132. package/dist/oauth/dropbox.d.ts +12 -0
  133. package/dist/oauth/dropbox.js +6 -0
  134. package/dist/oauth/figma.cjs +19 -16
  135. package/dist/oauth/figma.d.ts +7 -2
  136. package/dist/oauth/figma.js +1 -1
  137. package/dist/oauth/github.cjs +19 -8
  138. package/dist/oauth/github.d.ts +7 -2
  139. package/dist/oauth/github.js +1 -1
  140. package/dist/oauth/gitlab.cjs +19 -16
  141. package/dist/oauth/gitlab.d.ts +7 -2
  142. package/dist/oauth/gitlab.js +1 -1
  143. package/dist/oauth/index.cjs +529 -239
  144. package/dist/oauth/index.d.ts +7 -2
  145. package/dist/oauth/index.js +39 -22
  146. package/dist/oauth/mailchimp.cjs +19 -16
  147. package/dist/oauth/mailchimp.d.ts +7 -2
  148. package/dist/oauth/mailchimp.js +1 -1
  149. package/dist/oauth/notion.cjs +131 -0
  150. package/dist/oauth/notion.d.ts +12 -0
  151. package/dist/oauth/notion.js +9 -0
  152. package/dist/oauth/pinterest.cjs +19 -16
  153. package/dist/oauth/pinterest.d.ts +7 -2
  154. package/dist/oauth/pinterest.js +1 -1
  155. package/dist/oauth/spotify.cjs +19 -16
  156. package/dist/oauth/spotify.d.ts +7 -2
  157. package/dist/oauth/spotify.js +1 -1
  158. package/dist/oauth/strava.cjs +19 -16
  159. package/dist/oauth/strava.d.ts +7 -2
  160. package/dist/oauth/strava.js +1 -1
  161. package/dist/oauth/twitch.cjs +95 -0
  162. package/dist/oauth/twitch.d.ts +12 -0
  163. package/dist/oauth/twitch.js +7 -0
  164. package/dist/oauth/x.cjs +19 -16
  165. package/dist/oauth/x.d.ts +7 -2
  166. package/dist/oauth/x.js +1 -1
  167. package/dist/schemas.cjs +89 -42
  168. package/dist/schemas.d.ts +114 -18
  169. package/dist/schemas.js +5 -3
  170. package/dist/secure.cjs +73 -31
  171. package/dist/secure.d.ts +11 -11
  172. package/dist/secure.js +7 -6
  173. package/dist/utils.cjs +203 -90
  174. package/dist/utils.d.ts +21 -40
  175. package/dist/utils.js +21 -12
  176. package/package.json +9 -6
  177. package/dist/chunk-3EUWD5BB.js +0 -63
  178. package/dist/chunk-42XB3YCW.js +0 -22
  179. package/dist/chunk-6R2YZ4AC.js +0 -22
  180. package/dist/chunk-A3N4PVAT.js +0 -70
  181. package/dist/chunk-B737EUJV.js +0 -22
  182. package/dist/chunk-CXLATHS5.js +0 -143
  183. package/dist/chunk-E3OXBRYF.js +0 -22
  184. package/dist/chunk-EIL2FPSS.js +0 -22
  185. package/dist/chunk-EMKJA2GJ.js +0 -89
  186. package/dist/chunk-FIPU4MLT.js +0 -21
  187. package/dist/chunk-FKRDCWBF.js +0 -22
  188. package/dist/chunk-GA2SMTJO.js +0 -58
  189. package/dist/chunk-HP34YGGJ.js +0 -22
  190. package/dist/chunk-IKHPGFCW.js +0 -14
  191. package/dist/chunk-IUYZQTJV.js +0 -30
  192. package/dist/chunk-IVET23KF.js +0 -58
  193. package/dist/chunk-JVFTCTTE.js +0 -33
  194. package/dist/chunk-KRNOMBXQ.js +0 -22
  195. package/dist/chunk-KSWLO5ZU.js +0 -102
  196. package/dist/chunk-N2APGLXA.js +0 -71
  197. package/dist/chunk-N4SX7TZT.js +0 -96
  198. package/dist/chunk-STHEPPUZ.js +0 -11
  199. package/dist/chunk-TLE4PXY3.js +0 -39
  200. package/dist/index-B8jeIElf.d.ts +0 -679
  201. /package/dist/{chunk-DIVDFNAP.js → chunk-5X7JZMEF.js} +0 -0
@@ -0,0 +1,44 @@
1
+ import {
2
+ createBuiltInOAuthProviders
3
+ } from "./chunk-PDP3PHB3.js";
4
+ import {
5
+ createProxyLogger
6
+ } from "./chunk-U4RK4LKJ.js";
7
+ import {
8
+ createJoseInstance
9
+ } from "./chunk-UZQJJD6A.js";
10
+ import {
11
+ createCookieStore
12
+ } from "./chunk-XY5R3EHH.js";
13
+ import {
14
+ getEnv,
15
+ getEnvArray,
16
+ getEnvBoolean
17
+ } from "./chunk-WHNDRO3N.js";
18
+
19
+ // src/context.ts
20
+ var createContext = (config) => {
21
+ const trustedProxyHeadersEnv = getEnv("TRUSTED_PROXY_HEADERS");
22
+ const useProxyHeaders = trustedProxyHeadersEnv === void 0 ? config?.trustedProxyHeaders ?? false : getEnvBoolean("TRUSTED_PROXY_HEADERS");
23
+ const logger = createProxyLogger(config);
24
+ const cookiePrefix = config?.cookies?.prefix;
25
+ const cookieOverrides = config?.cookies?.overrides ?? {};
26
+ const secureCookieStore = createCookieStore(true, cookiePrefix, cookieOverrides, logger);
27
+ const standardCookieStore = createCookieStore(false, cookiePrefix, cookieOverrides, logger);
28
+ return {
29
+ oauth: createBuiltInOAuthProviders(config?.oauth),
30
+ cookies: standardCookieStore,
31
+ jose: createJoseInstance(config?.secret),
32
+ secret: config?.secret,
33
+ basePath: config?.basePath ?? "/auth",
34
+ trustedProxyHeaders: useProxyHeaders,
35
+ trustedOrigins: getEnvArray("TRUSTED_ORIGINS").length > 0 ? getEnvArray("TRUSTED_ORIGINS") : config?.trustedOrigins,
36
+ logger,
37
+ cookieConfig: { secure: secureCookieStore, standard: standardCookieStore },
38
+ baseURL: config?.baseURL
39
+ };
40
+ };
41
+
42
+ export {
43
+ createContext
44
+ };
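Review bot: The precedence on the `useProxyHeaders` line is undocumented and security-relevant: whenever `TRUSTED_PROXY_HEADERS` is set in the environment it wins over `config.trustedProxyHeaders`, so an explicit `trustedProxyHeaders: false` in code can be overridden by the deployment environment. The same applies to `trustedOrigins`, where a non-empty `TRUSTED_ORIGINS` replaces the configured list rather than extending it. I would add a comment above both, e.g. `// Env wins over config: TRUSTED_PROXY_HEADERS / TRUSTED_ORIGINS replace the configured value when set`, and read `getEnvArray("TRUSTED_ORIGINS")` once into a local instead of calling it twice. This file is bundler output, so the change belongs in src/context.ts.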
@@ -0,0 +1,50 @@
1
+ import {
2
+ createRedirectTo
3
+ } from "./chunk-LATR3NIV.js";
4
+ import {
5
+ signOut
6
+ } from "./chunk-KBXWTD6E.js";
7
+ import {
8
+ getBaseURL
9
+ } from "./chunk-LX3TJ2TJ.js";
10
+
11
+ // src/actions/signOut/signOut.ts
12
+ import { z } from "zod/v4";
13
+ import { createEndpoint, createEndpointConfig } from "@aura-stack/router";
14
+ var config = createEndpointConfig({
15
+ schemas: {
16
+ searchParams: z.object({
17
+ token_type_hint: z.literal("session_token"),
18
+ redirectTo: z.string().optional()
19
+ })
20
+ }
21
+ });
22
+ var signOutAction = createEndpoint(
23
+ "POST",
24
+ "/signOut",
25
+ async (ctx) => {
26
+ const {
27
+ request,
28
+ searchParams: { redirectTo },
29
+ context
30
+ } = ctx;
31
+ const baseURL = getBaseURL(request);
32
+ const location = await createRedirectTo(
33
+ new Request(baseURL, {
34
+ headers: request.headers
35
+ }),
36
+ redirectTo,
37
+ context
38
+ );
39
+ return await signOut({
40
+ ctx: context,
41
+ headers: request.headers,
42
+ redirectTo: location
43
+ });
44
+ },
45
+ config
46
+ );
47
+
48
+ export {
49
+ signOutAction
50
+ };
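Review bot: `redirectTo` is accepted as an arbitrary string by the schema, so the only restriction on the post-sign-out redirect is whatever `createRedirectTo` enforces, and that function lives in another chunk and is not visible here. The handler also shows no CSRF check of its own, so that presumably happens inside `signOut`. A comment at the call would make both dependencies explicit, e.g. `// redirectTo is caller-controlled: createRedirectTo must reduce it to an allowed target; CSRF is verified in signOut()`. If either assumption is wrong, this handler is where the check is missing.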
@@ -0,0 +1,98 @@
1
+ import {
2
+ AuthClientError,
3
+ isNativeError
4
+ } from "./chunk-U5663F2U.js";
5
+
6
+ // src/client/client.ts
7
+ import { createClient as createClientAPI } from "@aura-stack/router";
8
+ var createClient = createClientAPI;
9
+ var createAuthClient = (options) => {
10
+ if (typeof window === "undefined" && !options.baseURL) {
11
+ throw new AuthClientError("`baseURL` is required when createAuthClient is used outside the browser.");
12
+ }
13
+ const client = createClient({
14
+ cache: "no-store",
15
+ credentials: "include",
16
+ baseURL: options.baseURL ?? window.location.origin,
17
+ ...options
18
+ });
19
+ const getCSRFToken = async () => {
20
+ try {
21
+ const response = await client.get("/csrfToken");
22
+ if (!response.ok) return null;
23
+ const data = await response.json();
24
+ return data.csrfToken;
25
+ } catch (error) {
26
+ console.error("Error fetching CSRF token:", error);
27
+ return null;
28
+ }
29
+ };
30
+ const getSession = async () => {
31
+ try {
32
+ const response = await client.get("/session");
33
+ if (!response.ok) return null;
34
+ const session = await response.json();
35
+ if (!session?.authenticated) return null;
36
+ return session.session;
37
+ } catch (error) {
38
+ console.error("Error fetching session:", error);
39
+ return null;
40
+ }
41
+ };
42
+ const signIn = async (oauth, options2) => {
43
+ try {
44
+ const response = await client.get("/signIn/:oauth", {
45
+ params: {
46
+ oauth
47
+ },
48
+ searchParams: {
49
+ ...options2,
50
+ redirect: false
51
+ }
52
+ });
53
+ const json = await response.json();
54
+ if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.signInURL) {
55
+ window.location.assign(json.signInURL);
56
+ }
57
+ return json;
58
+ } catch (error) {
59
+ console.error("Error during sign-in:", error);
60
+ return { redirect: false, signInURL: "/" };
61
+ }
62
+ };
63
+ const signOut = async (options2) => {
64
+ try {
65
+ const csrfToken = await getCSRFToken();
66
+ if (!csrfToken) {
67
+ throw new AuthClientError("Failed to fetch CSRF token for sign-out.");
68
+ }
69
+ const response = await client.post("/signOut", {
70
+ searchParams: {
71
+ redirectTo: options2?.redirectTo ?? "/",
72
+ token_type_hint: "session_token"
73
+ },
74
+ headers: {
75
+ "X-CSRF-Token": csrfToken
76
+ }
77
+ });
78
+ const json = await response.json();
79
+ if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.url) {
80
+ window.location.assign(json.url);
81
+ }
82
+ return json;
83
+ } catch (error) {
84
+ console.error("Error during sign-out:", error);
85
+ throw isNativeError(error) ? error : new AuthClientError("Sign-out failed.", "The sign-out request failed.", { cause: error });
86
+ }
87
+ };
88
+ return {
89
+ getSession,
90
+ signIn,
91
+ signOut
92
+ };
93
+ };
94
+
95
+ export {
96
+ createClient,
97
+ createAuthClient
98
+ };
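Review bot: `signIn` and `signOut` hand `json.signInURL` and `json.url` to `window.location.assign` without checking `response.ok` or the URL scheme, so an error body or a non-http(s) value in the response is navigated to as-is. The response comes from the configured `baseURL`, so this is defence in depth, but `location.assign` will accept a script-scheme URL and run it in the page's origin. The sketch below gates the `signIn` navigation on `response.ok` and an http(s) check, and the same guard applies to `json.url` in `signOut`. Separately, `...options` is spread after `cache`, `credentials` and `baseURL`, so `{ baseURL: undefined }` overwrites the `window.location.origin` fallback.

```javascript
// helper next to createAuthClient
var isHttpURL = (value) => {
  if (typeof value !== "string") return false;
  try {
    const { protocol } = new URL(value, window.location.origin);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false;
  }
};

// … unchanged: client.get("/signIn/:oauth", …) …
      const json = await response.json();
      const wantsRedirect = (options2?.redirect ?? true) && typeof window !== "undefined";
      if (response.ok && wantsRedirect && isHttpURL(json?.signInURL)) {
        window.location.assign(json.signInURL);
      }
      return json;
```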
@@ -0,0 +1,25 @@
1
+ // src/oauth/bitbucket.ts
2
+ var bitbucket = (options) => {
3
+ return {
4
+ id: "bitbucket",
5
+ name: "Bitbucket",
6
+ authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
7
+ accessToken: "https://bitbucket.org/site/oauth2/access_token",
8
+ userInfo: "https://api.bitbucket.org/2.0/user",
9
+ scope: "account email",
10
+ responseType: "code",
11
+ profile(profile) {
12
+ return {
13
+ sub: profile.uuid ?? profile.account_id,
14
+ name: profile.display_name ?? profile.nickname,
15
+ image: profile.links.avatar?.href,
16
+ email: void 0
17
+ };
18
+ },
19
+ ...options
20
+ };
21
+ };
22
+
23
+ export {
24
+ bitbucket
25
+ };
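Review bot: In `profile`, `profile.links.avatar?.href` guards `avatar` but not `links`, so a userinfo response without a `links` object throws a `TypeError` inside the mapper; `profile.links?.avatar?.href` keeps the image optional as the code appears to intend. `sub` can also end up `undefined` when both `uuid` and `account_id` are missing, and whether a later step rejects a profile without a subject is not visible here. The Strava mapper in the next hunk has the same kind of gap: `${profile.firstname} ${profile.lastname}` yields the literal string "undefined undefined" when the names are absent.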
@@ -0,0 +1,25 @@
1
+ // src/oauth/strava.ts
2
+ var strava = (options) => {
3
+ return {
4
+ id: "strava",
5
+ name: "Strava",
6
+ authorizeURL: "https://www.strava.com/oauth/authorize",
7
+ accessToken: "https://www.strava.com/oauth/token",
8
+ userInfo: "https://www.strava.com/api/v3/athlete",
9
+ scope: "read",
10
+ responseType: "code",
11
+ profile(profile) {
12
+ return {
13
+ sub: profile.id.toString(),
14
+ name: `${profile.firstname} ${profile.lastname}`,
15
+ image: profile.profile,
16
+ email: void 0
17
+ };
18
+ },
19
+ ...options
20
+ };
21
+ };
22
+
23
+ export {
24
+ strava
25
+ };
@@ -0,0 +1,25 @@
1
+ // src/oauth/gitlab.ts
2
+ var gitlab = (options) => {
3
+ return {
4
+ id: "gitlab",
5
+ name: "GitLab",
6
+ authorizeURL: "https://gitlab.com/oauth/authorize",
7
+ accessToken: "https://gitlab.com/oauth/token",
8
+ userInfo: "https://gitlab.com/api/v4/user",
9
+ scope: "read_user",
10
+ responseType: "code",
11
+ profile(profile) {
12
+ return {
13
+ sub: profile.id.toString(),
14
+ name: profile.name ?? profile.username,
15
+ email: profile.email,
16
+ image: profile.avatar_url
17
+ };
18
+ },
19
+ ...options
20
+ };
21
+ };
22
+
23
+ export {
24
+ gitlab
25
+ };
@@ -0,0 +1,88 @@
1
+ import {
2
+ fetchAsync
3
+ } from "./chunk-ZNCZVF6U.js";
4
+ import {
5
+ OAuthAccessTokenErrorResponse,
6
+ OAuthAccessTokenResponse
7
+ } from "./chunk-2A5B7GWR.js";
8
+ import {
9
+ AuthInternalError,
10
+ OAuthProtocolError
11
+ } from "./chunk-U5663F2U.js";
12
+
13
+ // src/actions/callback/access-token.ts
14
+ var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier, logger) => {
15
+ const { accessToken, clientId, clientSecret } = oauthConfig;
16
+ if (!clientId || !clientSecret || !redirectURI || !code || !codeVerifier || !accessToken) {
17
+ logger?.log("INVALID_OAUTH_CONFIGURATION", {
18
+ structuredData: {
19
+ has_client_id: Boolean(clientId),
20
+ has_client_secret: Boolean(clientSecret),
21
+ has_access_token: Boolean(accessToken),
22
+ has_redirect_uri: Boolean(redirectURI),
23
+ has_code: Boolean(code),
24
+ has_code_verifier: Boolean(codeVerifier)
25
+ }
26
+ });
27
+ throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
28
+ }
29
+ const tokenURL = typeof accessToken === "string" ? accessToken : accessToken.url;
30
+ const extraHeaders = typeof accessToken === "string" ? void 0 : accessToken.headers;
31
+ try {
32
+ logger?.log("OAUTH_ACCESS_TOKEN_REQUEST_INITIATED", {
33
+ structuredData: {
34
+ has_client_id: Boolean(clientId),
35
+ redirect_uri: redirectURI,
36
+ grant_type: "authorization_code"
37
+ }
38
+ });
39
+ const response = await fetchAsync(tokenURL, {
40
+ method: "POST",
41
+ headers: {
42
+ ...extraHeaders ?? {},
43
+ Accept: "application/json",
44
+ "Content-Type": "application/x-www-form-urlencoded"
45
+ },
46
+ body: new URLSearchParams({
47
+ client_id: clientId,
48
+ client_secret: clientSecret,
49
+ code,
50
+ redirect_uri: redirectURI,
51
+ grant_type: "authorization_code",
52
+ code_verifier: codeVerifier
53
+ }).toString()
54
+ });
55
+ if (!response.ok) {
56
+ logger?.log("INVALID_OAUTH_ACCESS_TOKEN_RESPONSE");
57
+ throw new OAuthProtocolError("invalid_request", "Invalid access token response");
58
+ }
59
+ const json = await response.json();
60
+ const token = OAuthAccessTokenResponse.safeParse(json);
61
+ if (!token.success) {
62
+ const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
63
+ if (!success) {
64
+ logger?.log("INVALID_OAUTH_ACCESS_TOKEN_RESPONSE");
65
+ throw new OAuthProtocolError("invalid_request", "Invalid access token response format");
66
+ }
67
+ logger?.log("OAUTH_ACCESS_TOKEN_ERROR", {
68
+ structuredData: {
69
+ error: data.error,
70
+ error_description: data.error_description ?? ""
71
+ }
72
+ });
73
+ throw new OAuthProtocolError("INVALID_ACCESS_TOKEN", "Failed to retrieve access token");
74
+ }
75
+ logger?.log("OAUTH_ACCESS_TOKEN_SUCCESS");
76
+ return token.data;
77
+ } catch (error) {
78
+ logger?.log("OAUTH_ACCESS_TOKEN_REQUEST_FAILED");
79
+ if (error instanceof Error) {
80
+ throw new OAuthProtocolError("server_error", "Failed to communicate with OAuth provider", "", { cause: error });
81
+ }
82
+ throw error;
83
+ }
84
+ };
85
+
86
+ export {
87
+ createAccessToken
88
+ };
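Review bot: The `OAuthProtocolError`s thrown inside the `try` (the `!response.ok` branch and both parse-failure branches) are caught by the `catch` at the end of the same function. Assuming `OAuthProtocolError` extends `Error` (its definition is in another chunk), they are rewrapped as `server_error` with "Failed to communicate with OAuth provider" and logged as `OAUTH_ACCESS_TOKEN_REQUEST_FAILED`. That hides the `invalid_request` and `INVALID_ACCESS_TOKEN` codes from callers and records a provider-side rejection as a transport failure, which makes the audit trail misleading. Rethrow protocol errors before wrapping, with `if (error instanceof OAuthProtocolError) throw error;` as the first statement of the `catch`.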
@@ -0,0 +1,35 @@
1
+ import {
2
+ getSession
3
+ } from "./chunk-CITNGXDA.js";
4
+ import {
5
+ expiredCookieAttributes
6
+ } from "./chunk-XY5R3EHH.js";
7
+ import {
8
+ AuthInternalError
9
+ } from "./chunk-U5663F2U.js";
10
+ import {
11
+ secureApiHeaders
12
+ } from "./chunk-EBAMFRB7.js";
13
+
14
+ // src/actions/session/session.ts
15
+ import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
16
+ var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
17
+ const {
18
+ request,
19
+ context: { cookies }
20
+ } = ctx;
21
+ try {
22
+ const session = await getSession({ ctx: ctx.context, headers: request.headers });
23
+ if (!session.authenticated) {
24
+ throw new AuthInternalError("INVALID_JWT_TOKEN", "Session not authenticated");
25
+ }
26
+ return Response.json(session, { headers: secureApiHeaders });
27
+ } catch (error) {
28
+ const headers = new HeadersBuilder(secureApiHeaders).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
29
+ return Response.json({ session: null, authenticated: false }, { status: 401, headers });
30
+ }
31
+ });
32
+
33
+ export {
34
+ sessionAction
35
+ };
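Review bot: The `catch` in `sessionAction` discards `error` without logging it, and `getSession` (src/api/getSession.ts, elsewhere in this diff) already catches its own failures and returns `authenticated: false`. The `AuthInternalError` thrown here therefore only serves as a jump into the `catch`, and any unexpected failure is indistinguishable from an unauthenticated request while also expiring the session cookie. I would return the 401 response directly from the `!session.authenticated` branch and keep the `catch` for genuine errors, logged through `ctx.context.logger`, with a comment such as `// unexpected failure: answer 401 and expire the session cookie`.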
@@ -0,0 +1,33 @@
1
+ // src/oauth/atlassian.ts
2
+ var atlassian = (options) => {
3
+ return {
4
+ id: "atlassian",
5
+ name: "Atlassian",
6
+ authorize: {
7
+ url: "https://auth.atlassian.com/authorize",
8
+ params: {
9
+ audience: "api.atlassian.com",
10
+ scope: "read:me read:account",
11
+ prompt: "consent"
12
+ }
13
+ },
14
+ authorizeURL: "https://auth.atlassian.com/authorize",
15
+ accessToken: "https://auth.atlassian.com/oauth/token",
16
+ userInfo: "https://api.atlassian.com/me",
17
+ scope: "read:me read:account",
18
+ responseType: "code",
19
+ profile(profile) {
20
+ return {
21
+ sub: profile.account_id,
22
+ name: profile.name,
23
+ email: profile.email,
24
+ image: profile.picture
25
+ };
26
+ },
27
+ ...options
28
+ };
29
+ };
30
+
31
+ export {
32
+ atlassian
33
+ };
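Review bot: `scope` is declared twice, in `authorize.params` and at the top level, and `buildAuthorizationURL` (src/actions/signIn/authorization-url.ts, elsewhere in this diff) reads `authorizeParams?.scope ?? oauth.scope`. Because `...options` is a shallow spread, a caller who passes `scope` in `options` changes only the top-level value, so the authorization request still carries `read:me read:account`. A caller who passes their own `authorize` object instead drops `audience` and `prompt` entirely. I would keep the scope in one place, for example by removing `scope` from `authorize.params`, and add a comment above `...options` such as `// shallow merge: a custom authorize object replaces url and params as a whole`.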
@@ -0,0 +1,31 @@
1
+ import {
2
+ getErrorName,
3
+ toISOString
4
+ } from "./chunk-LX3TJ2TJ.js";
5
+ import {
6
+ getCookie
7
+ } from "./chunk-XY5R3EHH.js";
8
+
9
+ // src/api/getSession.ts
10
+ var getSession = async ({ ctx, headers }) => {
11
+ try {
12
+ const session = getCookie(new Headers(headers), ctx.cookies.sessionToken.name);
13
+ const decoded = await ctx.jose.decodeJWT(session);
14
+ ctx?.logger?.log("AUTH_SESSION_VALID");
15
+ const { exp, iat, jti, nbf, aud, iss, ...user } = decoded;
16
+ return {
17
+ session: {
18
+ user,
19
+ expires: toISOString(exp * 1e3)
20
+ },
21
+ authenticated: true
22
+ };
23
+ } catch (error) {
24
+ ctx?.logger?.log("AUTH_SESSION_INVALID", { structuredData: { error_type: getErrorName(error) } });
25
+ return { session: null, authenticated: false };
26
+ }
27
+ };
28
+
29
+ export {
30
+ getSession
31
+ };
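Review bot: `exp` is destructured from the decoded token and multiplied without a presence check, and whether `ctx.jose.decodeJWT` rejects tokens that lack `exp` is not visible in this hunk. If it does not, `exp * 1e3` is `NaN` and the outcome depends on how `toISOString` treats it, so a session without an expiry could be reported as authenticated. An explicit guard keeps that decision local: `if (typeof exp !== "number") return { session: null, authenticated: false };` before building the result. The function also mixes `ctx.cookies…` with `ctx?.logger`, so one of the two should be made consistent.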
@@ -0,0 +1,78 @@
1
+ import {
2
+ callbackAction
3
+ } from "./chunk-NHZBQNRR.js";
4
+ import {
5
+ csrfTokenAction
6
+ } from "./chunk-FPCVZUVG.js";
7
+ import {
8
+ signInAction
9
+ } from "./chunk-UN7X6SU5.js";
10
+ import {
11
+ sessionAction
12
+ } from "./chunk-7YYXFKLR.js";
13
+ import {
14
+ signOutAction
15
+ } from "./chunk-3J5TUH2I.js";
16
+ import {
17
+ createAuthAPI
18
+ } from "./chunk-LAYPUDQF.js";
19
+ import {
20
+ createContext
21
+ } from "./chunk-2IR674WX.js";
22
+ import {
23
+ createErrorHandler,
24
+ useSecureCookies
25
+ } from "./chunk-LX3TJ2TJ.js";
26
+
27
+ // src/createAuth.ts
28
+ import { createRouter } from "@aura-stack/router";
29
+ var createInternalConfig = (authConfig) => {
30
+ const context = createContext(authConfig);
31
+ return {
32
+ basePath: authConfig?.basePath ?? "/auth",
33
+ onError: createErrorHandler(context.logger),
34
+ context,
35
+ use: [
36
+ (ctx) => {
37
+ const useSecure = useSecureCookies(ctx.request, ctx.context.trustedProxyHeaders);
38
+ ctx.context.cookies = useSecure ? context.cookieConfig.secure : context.cookieConfig.standard;
39
+ return ctx;
40
+ }
41
+ ]
42
+ };
43
+ };
44
+ var createAuthInstance = (authConfig) => {
45
+ const config = createInternalConfig(authConfig);
46
+ const router = createRouter(
47
+ [signInAction(config.context.oauth), callbackAction(config.context.oauth), sessionAction, signOutAction, csrfTokenAction],
48
+ config
49
+ );
50
+ return {
51
+ handlers: router,
52
+ jose: config.context.jose,
53
+ api: createAuthAPI(config.context)
54
+ };
55
+ };
56
+ var createAuth = (config) => {
57
+ const authInstance = createAuthInstance(config);
58
+ authInstance.handlers.ALL = async (request) => {
59
+ const method = request.method.toUpperCase();
60
+ const methodHandlers = {
61
+ GET: authInstance.handlers.GET,
62
+ POST: authInstance.handlers.POST
63
+ };
64
+ if (method in methodHandlers) {
65
+ return await methodHandlers[method](request);
66
+ }
67
+ return new Response("Method Not Allowed", {
68
+ status: 405,
69
+ headers: { Allow: Object.keys(methodHandlers).join(", ") }
70
+ });
71
+ };
72
+ return authInstance;
73
+ };
74
+
75
+ export {
76
+ createAuthInstance,
77
+ createAuth
78
+ };
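Review bot: The middleware in `use` writes `ctx.context.cookies` on every request, but `context` is created once in `createInternalConfig`. If the router passes that same object to each request (not visible here), concurrent HTTP and HTTPS requests can overwrite each other's cookie store between awaits. `createAuthAPI(config.context)` receives the same object, whose `cookies` starts as the standard store in src/context.ts, so API calls made outside the router may use the standard store regardless of scheme. A per-request copy avoids the shared write, assuming the router honours the returned ctx: `return { ...ctx, context: { ...ctx.context, cookies: useSecure ? context.cookieConfig.secure : context.cookieConfig.standard } };`.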
@@ -0,0 +1,74 @@
1
+ import {
2
+ createPKCE,
3
+ createSecretValue
4
+ } from "./chunk-V6LLEAR4.js";
5
+ import {
6
+ OAuthAuthorization
7
+ } from "./chunk-2A5B7GWR.js";
8
+ import {
9
+ AuthInternalError
10
+ } from "./chunk-U5663F2U.js";
11
+
12
+ // src/actions/signIn/authorization-url.ts
13
+ var setSearchParams = (url, params) => {
14
+ for (const [key, value] of Object.entries(params)) {
15
+ if (value !== void 0 && value !== "") {
16
+ url.searchParams.set(key, value);
17
+ }
18
+ }
19
+ };
20
+ var buildAuthorizationURL = (oauth, redirect_uri, state, code_challenge, code_challenge_method) => {
21
+ const authorizeConfig = oauth.authorize;
22
+ const baseURL = typeof authorizeConfig === "string" ? authorizeConfig : authorizeConfig?.url ?? oauth.authorizeURL;
23
+ if (!baseURL) {
24
+ throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "Missing authorization URL in OAuth provider configuration.");
25
+ }
26
+ const url = new URL(baseURL);
27
+ const authorizeParams = typeof authorizeConfig === "string" ? void 0 : authorizeConfig?.params;
28
+ setSearchParams(url, {
29
+ response_type: authorizeParams?.responseType ?? oauth.responseType ?? "code",
30
+ client_id: oauth.clientId,
31
+ redirect_uri,
32
+ state,
33
+ code_challenge,
34
+ code_challenge_method,
35
+ scope: authorizeParams?.scope ?? oauth.scope,
36
+ prompt: authorizeParams?.prompt,
37
+ response_mode: authorizeParams?.responseMode,
38
+ login_hint: authorizeParams?.loginHint,
39
+ nonce: authorizeParams?.nonce,
40
+ display: authorizeParams?.display,
41
+ audience: authorizeParams?.audience
42
+ });
43
+ return url.toString();
44
+ };
45
+ var createAuthorizationURL = async (oauth, redirectURI, ctx) => {
46
+ const state = createSecretValue();
47
+ const { codeVerifier, codeChallenge, method } = await createPKCE();
48
+ const authorization = buildAuthorizationURL(oauth, redirectURI, state, codeChallenge, method);
49
+ const parsed = OAuthAuthorization.safeParse({ ...oauth, redirectURI, state, codeChallenge, codeChallengeMethod: method });
50
+ if (!parsed.success) {
51
+ ctx?.logger?.log("INVALID_OAUTH_CONFIGURATION", {
52
+ structuredData: {
53
+ scope: oauth?.scope ?? "",
54
+ redirect_uri: redirectURI,
55
+ has_state: Boolean(state),
56
+ has_code_challenge: Boolean(codeChallenge),
57
+ code_challenge_method: method
58
+ }
59
+ });
60
+ throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
61
+ }
62
+ return {
63
+ authorization,
64
+ state,
65
+ codeVerifier,
66
+ method
67
+ };
68
+ };
69
+
70
+ export {
71
+ setSearchParams,
72
+ buildAuthorizationURL,
73
+ createAuthorizationURL
74
+ };
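Review bot: `createAuthorizationURL` calls `buildAuthorizationURL` before `OAuthAuthorization.safeParse`, so a malformed `authorize` or `authorizeURL` value makes `new URL(baseURL)` throw a raw `TypeError` ahead of the validation branch and its `INVALID_OAUTH_CONFIGURATION` log entry. A missing `clientId` is likewise dropped from the query by `setSearchParams` before anything has checked it. Moving the `safeParse` check above the `buildAuthorizationURL` call keeps every configuration failure on the single logged path. Separately, `nonce` is copied from the static `authorize.params`, so a configured value is identical on every request; a comment such as `// nonce comes from static config and is not generated per request` would flag that.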
@@ -0,0 +1,25 @@
1
+ // src/oauth/pinterest.ts
2
+ var pinterest = (options) => {
3
+ return {
4
+ id: "pinterest",
5
+ name: "Pinterest",
6
+ authorizeURL: "https://www.pinterest.com/oauth",
7
+ accessToken: "https://api.pinterest.com/v5/oauth/token",
8
+ userInfo: "https://api.pinterest.com/v5/user_account",
9
+ scope: "user_accounts:read",
10
+ responseType: "code",
11
+ profile(profile) {
12
+ return {
13
+ sub: profile.id,
14
+ name: profile.username,
15
+ image: profile.profile_image,
16
+ email: void 0
17
+ };
18
+ },
19
+ ...options
20
+ };
21
+ };
22
+
23
+ export {
24
+ pinterest
25
+ };
@@ -0,0 +1,34 @@
1
+ // src/headers.ts
2
+ var cacheControl = {
3
+ "Cache-Control": "no-store",
4
+ Pragma: "no-cache",
5
+ Expires: "0",
6
+ Vary: "Cookie"
7
+ };
8
+ var contentSecurityPolicy = {
9
+ "Content-Security-Policy": [
10
+ "default-src 'none'",
11
+ "script-src 'self'",
12
+ "frame-src 'none'",
13
+ "object-src 'none'",
14
+ "frame-ancestors 'none'",
15
+ "base-uri 'none'"
16
+ ].join("; ")
17
+ };
18
+ var secureHeaders = {
19
+ "X-Content-Type-Options": "nosniff",
20
+ "X-Frame-Options": "DENY",
21
+ "Referrer-Policy": "strict-origin-when-cross-origin"
22
+ };
23
+ var secureApiHeaders = {
24
+ ...cacheControl,
25
+ ...contentSecurityPolicy,
26
+ ...secureHeaders
27
+ };
28
+
29
+ export {
30
+ cacheControl,
31
+ contentSecurityPolicy,
32
+ secureHeaders,
33
+ secureApiHeaders
34
+ };
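Review bot: `contentSecurityPolicy` pairs `default-src 'none'` with `script-src 'self'`, which re-enables same-origin script execution for any response that carries these headers. The usages visible in this diff are JSON responses (`Response.json(…, { headers: secureApiHeaders })`), and for those `default-src 'none'` together with `frame-ancestors 'none'` and `base-uri 'none'` is enough. If no HTML is served with this policy, drop the `"script-src 'self'"` entry; otherwise document which response needs it. The exported header objects are also plain mutable objects shared by every importer, and `Object.freeze` would stop one consumer from altering the headers for all the others.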