@aura-stack/auth 0.4.0-rc.5 → 0.5.0
- package/dist/@types/index.d.ts +8 -3
- package/dist/@types/router.d.cjs +0 -17
- package/dist/@types/router.d.d.ts +7 -2
- package/dist/@types/router.d.js +0 -1
- package/dist/actions/callback/access-token.cjs +130 -71
- package/dist/actions/callback/access-token.d.ts +9 -4
- package/dist/actions/callback/access-token.js +3 -4
- package/dist/actions/callback/callback.cjs +428 -152
- package/dist/actions/callback/callback.d.ts +11 -3
- package/dist/actions/callback/callback.js +12 -10
- package/dist/actions/callback/userinfo.cjs +159 -65
- package/dist/actions/callback/userinfo.d.ts +8 -3
- package/dist/actions/callback/userinfo.js +7 -6
- package/dist/actions/csrfToken/csrfToken.cjs +70 -19
- package/dist/actions/csrfToken/csrfToken.js +8 -7
- package/dist/actions/index.cjs +780 -348
- package/dist/actions/index.d.ts +6 -2
- package/dist/actions/index.js +23 -18
- package/dist/actions/session/session.cjs +107 -26
- package/dist/actions/session/session.js +7 -5
- package/dist/actions/signIn/authorization-url.cjs +288 -0
- package/dist/actions/signIn/authorization-url.d.ts +31 -0
- package/dist/actions/signIn/authorization-url.js +16 -0
- package/dist/actions/signIn/authorization.cjs +209 -211
- package/dist/actions/signIn/authorization.d.ts +32 -21
- package/dist/actions/signIn/authorization.js +12 -9
- package/dist/actions/signIn/signIn.cjs +470 -235
- package/dist/actions/signIn/signIn.d.ts +12 -3
- package/dist/actions/signIn/signIn.js +11 -8
- package/dist/actions/signOut/signOut.cjs +376 -228
- package/dist/actions/signOut/signOut.d.ts +1 -1
- package/dist/actions/signOut/signOut.js +10 -9
- package/dist/api/createApi.cjs +750 -0
- package/dist/api/createApi.d.ts +12 -0
- package/dist/api/createApi.js +19 -0
- package/dist/api/getSession.cjs +141 -0
- package/dist/api/getSession.d.ts +16 -0
- package/dist/api/getSession.js +10 -0
- package/dist/api/signIn.cjs +549 -0
- package/dist/api/signIn.d.ts +26 -0
- package/dist/api/signIn.js +15 -0
- package/dist/api/signOut.cjs +279 -0
- package/dist/api/signOut.d.ts +16 -0
- package/dist/api/signOut.js +13 -0
- package/dist/assert.cjs +150 -5
- package/dist/assert.d.ts +26 -3
- package/dist/assert.js +17 -3
- package/dist/{chunk-YRCB5FLE.js → chunk-2A5B7GWR.js} +52 -6
- package/dist/chunk-2GQLSIJ2.js +40 -0
- package/dist/chunk-2IR674WX.js +44 -0
- package/dist/chunk-3J5TUH2I.js +50 -0
- package/dist/chunk-4RWSYUKX.js +98 -0
- package/dist/chunk-4YHJ4IEQ.js +25 -0
- package/dist/chunk-54CZPKR4.js +25 -0
- package/dist/chunk-5LZ7TOM3.js +25 -0
- package/dist/chunk-7BE46WWS.js +88 -0
- package/dist/chunk-7YYXFKLR.js +35 -0
- package/dist/chunk-C3A37LQC.js +33 -0
- package/dist/chunk-CITNGXDA.js +31 -0
- package/dist/chunk-CWX724AG.js +78 -0
- package/dist/chunk-D2CSIUKP.js +74 -0
- package/dist/chunk-E6G5YCI6.js +25 -0
- package/dist/chunk-EBAMFRB7.js +34 -0
- package/dist/chunk-EEE7UM5T.js +25 -0
- package/dist/{chunk-HT4YLL7N.js → chunk-FPCVZUVG.js} +10 -8
- package/dist/chunk-FW4W3REU.js +25 -0
- package/dist/chunk-GNNBM2WJ.js +83 -0
- package/dist/chunk-IPKO6UQN.js +25 -0
- package/dist/chunk-JOCGX3RP.js +59 -0
- package/dist/chunk-KBXWTD6E.js +94 -0
- package/dist/chunk-KMMAZFSJ.js +25 -0
- package/dist/chunk-LATR3NIV.js +117 -0
- package/dist/chunk-LAYPUDQF.js +39 -0
- package/dist/chunk-LDU7A2JE.js +25 -0
- package/dist/chunk-LX3TJ2TJ.js +294 -0
- package/dist/chunk-NHZBQNRR.js +143 -0
- package/dist/chunk-OVHNRULD.js +33 -0
- package/dist/chunk-PDP3PHB3.js +127 -0
- package/dist/chunk-PHYNROD4.js +47 -0
- package/dist/chunk-QQEKY4XP.js +29 -0
- package/dist/chunk-U4RK4LKJ.js +348 -0
- package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
- package/dist/chunk-UN7X6SU5.js +53 -0
- package/dist/chunk-UZQJJD6A.js +100 -0
- package/dist/chunk-V6LLEAR4.js +80 -0
- package/dist/chunk-WHNDRO3N.js +50 -0
- package/dist/{chunk-W6LG7BFW.js → chunk-XY5R3EHH.js} +30 -23
- package/dist/client/client.cjs +135 -0
- package/dist/client/client.d.ts +85 -0
- package/dist/client/client.js +9 -0
- package/dist/client/index.cjs +135 -0
- package/dist/client/index.d.ts +14 -0
- package/dist/client/index.js +10 -0
- package/dist/context.cjs +1237 -0
- package/dist/context.d.ts +16 -0
- package/dist/context.js +28 -0
- package/dist/cookie.cjs +57 -22
- package/dist/cookie.d.ts +11 -6
- package/dist/cookie.js +3 -2
- package/dist/createAuth.cjs +2320 -0
- package/dist/createAuth.d.ts +12 -0
- package/dist/createAuth.js +48 -0
- package/dist/env.cjs +78 -0
- package/dist/env.d.ts +10 -0
- package/dist/env.js +12 -0
- package/dist/errors.cjs +17 -0
- package/dist/errors.d.ts +15 -4
- package/dist/errors.js +5 -1
- package/dist/headers.cjs +28 -2
- package/dist/headers.d.ts +25 -1
- package/dist/headers.js +9 -3
- package/dist/index-_aXtxb_s.d.ts +1377 -0
- package/dist/index.cjs +1843 -610
- package/dist/index.d.ts +11 -92
- package/dist/index.js +53 -85
- package/dist/jose.cjs +113 -38
- package/dist/jose.d.ts +12 -23
- package/dist/jose.js +17 -7
- package/dist/logger.cjs +424 -0
- package/dist/logger.d.ts +12 -0
- package/dist/logger.js +17 -0
- package/dist/oauth/atlassian.cjs +57 -0
- package/dist/oauth/atlassian.d.ts +12 -0
- package/dist/oauth/atlassian.js +6 -0
- package/dist/oauth/bitbucket.cjs +19 -15
- package/dist/oauth/bitbucket.d.ts +7 -2
- package/dist/oauth/bitbucket.js +1 -1
- package/dist/oauth/discord.cjs +27 -24
- package/dist/oauth/discord.d.ts +7 -2
- package/dist/oauth/discord.js +1 -1
- package/dist/oauth/dropbox.cjs +53 -0
- package/dist/oauth/dropbox.d.ts +12 -0
- package/dist/oauth/dropbox.js +6 -0
- package/dist/oauth/figma.cjs +19 -16
- package/dist/oauth/figma.d.ts +7 -2
- package/dist/oauth/figma.js +1 -1
- package/dist/oauth/github.cjs +19 -8
- package/dist/oauth/github.d.ts +7 -2
- package/dist/oauth/github.js +1 -1
- package/dist/oauth/gitlab.cjs +19 -16
- package/dist/oauth/gitlab.d.ts +7 -2
- package/dist/oauth/gitlab.js +1 -1
- package/dist/oauth/index.cjs +529 -239
- package/dist/oauth/index.d.ts +7 -2
- package/dist/oauth/index.js +39 -22
- package/dist/oauth/mailchimp.cjs +19 -16
- package/dist/oauth/mailchimp.d.ts +7 -2
- package/dist/oauth/mailchimp.js +1 -1
- package/dist/oauth/notion.cjs +131 -0
- package/dist/oauth/notion.d.ts +12 -0
- package/dist/oauth/notion.js +9 -0
- package/dist/oauth/pinterest.cjs +19 -16
- package/dist/oauth/pinterest.d.ts +7 -2
- package/dist/oauth/pinterest.js +1 -1
- package/dist/oauth/spotify.cjs +19 -16
- package/dist/oauth/spotify.d.ts +7 -2
- package/dist/oauth/spotify.js +1 -1
- package/dist/oauth/strava.cjs +19 -16
- package/dist/oauth/strava.d.ts +7 -2
- package/dist/oauth/strava.js +1 -1
- package/dist/oauth/twitch.cjs +95 -0
- package/dist/oauth/twitch.d.ts +12 -0
- package/dist/oauth/twitch.js +7 -0
- package/dist/oauth/x.cjs +19 -16
- package/dist/oauth/x.d.ts +7 -2
- package/dist/oauth/x.js +1 -1
- package/dist/schemas.cjs +89 -42
- package/dist/schemas.d.ts +114 -18
- package/dist/schemas.js +5 -3
- package/dist/secure.cjs +73 -31
- package/dist/secure.d.ts +11 -11
- package/dist/secure.js +7 -6
- package/dist/utils.cjs +203 -90
- package/dist/utils.d.ts +21 -40
- package/dist/utils.js +21 -12
- package/package.json +9 -6
- package/dist/chunk-3EUWD5BB.js +0 -63
- package/dist/chunk-42XB3YCW.js +0 -22
- package/dist/chunk-6R2YZ4AC.js +0 -22
- package/dist/chunk-A3N4PVAT.js +0 -70
- package/dist/chunk-B737EUJV.js +0 -22
- package/dist/chunk-CXLATHS5.js +0 -143
- package/dist/chunk-E3OXBRYF.js +0 -22
- package/dist/chunk-EIL2FPSS.js +0 -22
- package/dist/chunk-EMKJA2GJ.js +0 -89
- package/dist/chunk-FIPU4MLT.js +0 -21
- package/dist/chunk-FKRDCWBF.js +0 -22
- package/dist/chunk-GA2SMTJO.js +0 -58
- package/dist/chunk-HP34YGGJ.js +0 -22
- package/dist/chunk-IKHPGFCW.js +0 -14
- package/dist/chunk-IUYZQTJV.js +0 -30
- package/dist/chunk-IVET23KF.js +0 -58
- package/dist/chunk-JVFTCTTE.js +0 -33
- package/dist/chunk-KRNOMBXQ.js +0 -22
- package/dist/chunk-KSWLO5ZU.js +0 -102
- package/dist/chunk-N2APGLXA.js +0 -71
- package/dist/chunk-N4SX7TZT.js +0 -96
- package/dist/chunk-STHEPPUZ.js +0 -11
- package/dist/chunk-TLE4PXY3.js +0 -39
- package/dist/index-B8jeIElf.d.ts +0 -679
- /package/dist/{chunk-DIVDFNAP.js → chunk-5X7JZMEF.js} +0 -0
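--- a/package/dist/chunk-2IR674WX.js
+++ b/package/dist/chunk-2IR674WX.js
@@ -0,0 +1,44 @@
+import {
+createBuiltInOAuthProviders
+} from "./chunk-PDP3PHB3.js";
+import {
+createProxyLogger
+} from "./chunk-U4RK4LKJ.js";
+import {
+createJoseInstance
+} from "./chunk-UZQJJD6A.js";
+import {
+createCookieStore
+} from "./chunk-XY5R3EHH.js";
+import {
+getEnv,
+getEnvArray,
+getEnvBoolean
+} from "./chunk-WHNDRO3N.js";
+
+// src/context.ts
+var createContext = (config) => {
+const trustedProxyHeadersEnv = getEnv("TRUSTED_PROXY_HEADERS");
+const useProxyHeaders = trustedProxyHeadersEnv === void 0 ? config?.trustedProxyHeaders ?? false : getEnvBoolean("TRUSTED_PROXY_HEADERS");
+const logger = createProxyLogger(config);
+const cookiePrefix = config?.cookies?.prefix;
+const cookieOverrides = config?.cookies?.overrides ?? {};
+const secureCookieStore = createCookieStore(true, cookiePrefix, cookieOverrides, logger);
+const standardCookieStore = createCookieStore(false, cookiePrefix, cookieOverrides, logger);
+return {
+oauth: createBuiltInOAuthProviders(config?.oauth),
+cookies: standardCookieStore,
+jose: createJoseInstance(config?.secret),
+secret: config?.secret,
+basePath: config?.basePath ?? "/auth",
+trustedProxyHeaders: useProxyHeaders,
+trustedOrigins: getEnvArray("TRUSTED_ORIGINS").length > 0 ? getEnvArray("TRUSTED_ORIGINS") : config?.trustedOrigins,
+logger,
+cookieConfig: { secure: secureCookieStore, standard: standardCookieStore },
+baseURL: config?.baseURL
+};
+};
+
+export {
+createContext
+};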
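Review bot: `TRUSTED_PROXY_HEADERS` from the environment takes precedence over an explicit `config.trustedProxyHeaders` in `createContext`, so a deployment variable can switch on proxy-header trust that the application code set to `false`, and nothing is logged when that happens. Since this flag feeds `useSecureCookies` in src/createAuth.ts, I would document the precedence next to the ternary, e.g. `// env TRUSTED_PROXY_HEADERS, when set, overrides config.trustedProxyHeaders`, and log the override through `logger`. The `trustedOrigins` line also calls `getEnvArray("TRUSTED_ORIGINS")` twice; reading it once into a `const` keeps the length check and the returned value in step.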
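--- a/package/dist/chunk-3J5TUH2I.js
+++ b/package/dist/chunk-3J5TUH2I.js
@@ -0,0 +1,50 @@
+import {
+createRedirectTo
+} from "./chunk-LATR3NIV.js";
+import {
+signOut
+} from "./chunk-KBXWTD6E.js";
+import {
+getBaseURL
+} from "./chunk-LX3TJ2TJ.js";
+
+// src/actions/signOut/signOut.ts
+import { z } from "zod/v4";
+import { createEndpoint, createEndpointConfig } from "@aura-stack/router";
+var config = createEndpointConfig({
+schemas: {
+searchParams: z.object({
+token_type_hint: z.literal("session_token"),
+redirectTo: z.string().optional()
+})
+}
+});
+var signOutAction = createEndpoint(
+"POST",
+"/signOut",
+async (ctx) => {
+const {
+request,
+searchParams: { redirectTo },
+context
+} = ctx;
+const baseURL = getBaseURL(request);
+const location = await createRedirectTo(
+new Request(baseURL, {
+headers: request.headers
+}),
+redirectTo,
+context
+);
+return await signOut({
+ctx: context,
+headers: request.headers,
+redirectTo: location
+});
+},
+config
+);
+
+export {
+signOutAction
+};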
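Review bot: `redirectTo` is accepted as an unconstrained `z.string()` and the handler relies entirely on `createRedirectTo` (imported from another chunk, not visible here) to keep the post-sign-out redirect on a trusted origin. A comment on the schema stating that contract would help, e.g. `// untrusted: must only reach the response via createRedirectTo`, and a length bound such as `redirectTo: z.string().max(2048).optional()` keeps oversized values out of the redirect logic. CSRF verification is also not visible in this handler; presumably `signOut` performs it from `request.headers`, which is worth confirming and stating in a comment.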
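--- a/package/dist/chunk-4RWSYUKX.js
+++ b/package/dist/chunk-4RWSYUKX.js
@@ -0,0 +1,98 @@
+import {
+AuthClientError,
+isNativeError
+} from "./chunk-U5663F2U.js";
+
+// src/client/client.ts
+import { createClient as createClientAPI } from "@aura-stack/router";
+var createClient = createClientAPI;
+var createAuthClient = (options) => {
+if (typeof window === "undefined" && !options.baseURL) {
+throw new AuthClientError("`baseURL` is required when createAuthClient is used outside the browser.");
+}
+const client = createClient({
+cache: "no-store",
+credentials: "include",
+baseURL: options.baseURL ?? window.location.origin,
+...options
+});
+const getCSRFToken = async () => {
+try {
+const response = await client.get("/csrfToken");
+if (!response.ok) return null;
+const data = await response.json();
+return data.csrfToken;
+} catch (error) {
+console.error("Error fetching CSRF token:", error);
+return null;
+}
+};
+const getSession = async () => {
+try {
+const response = await client.get("/session");
+if (!response.ok) return null;
+const session = await response.json();
+if (!session?.authenticated) return null;
+return session.session;
+} catch (error) {
+console.error("Error fetching session:", error);
+return null;
+}
+};
+const signIn = async (oauth, options2) => {
+try {
+const response = await client.get("/signIn/:oauth", {
+params: {
+oauth
+},
+searchParams: {
+...options2,
+redirect: false
+}
+});
+const json = await response.json();
+if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.signInURL) {
+window.location.assign(json.signInURL);
+}
+return json;
+} catch (error) {
+console.error("Error during sign-in:", error);
+return { redirect: false, signInURL: "/" };
+}
+};
+const signOut = async (options2) => {
+try {
+const csrfToken = await getCSRFToken();
+if (!csrfToken) {
+throw new AuthClientError("Failed to fetch CSRF token for sign-out.");
+}
+const response = await client.post("/signOut", {
+searchParams: {
+redirectTo: options2?.redirectTo ?? "/",
+token_type_hint: "session_token"
+},
+headers: {
+"X-CSRF-Token": csrfToken
+}
+});
+const json = await response.json();
+if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.url) {
+window.location.assign(json.url);
+}
+return json;
+} catch (error) {
+console.error("Error during sign-out:", error);
+throw isNativeError(error) ? error : new AuthClientError("Sign-out failed.", "The sign-out request failed.", { cause: error });
+}
+};
+return {
+getSession,
+signIn,
+signOut
+};
+};
+
+export {
+createClient,
+createAuthClient
+};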
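Review bot: `signIn` passes `json.signInURL` straight to `window.location.assign` without checking `response.ok` or the URL scheme, and `signOut` does the same with `json.url`. A response carrying a non-HTTP scheme would be navigated to from the page's own origin; parsing first keeps the navigation to web URLs: `const target = new URL(json.signInURL, window.location.origin);` followed by `if (target.protocol === "https:" || target.protocol === "http:") window.location.assign(target.href);`. Separately, `...options` is spread after `baseURL`, so an explicit `baseURL: undefined` replaces the `window.location.origin` fallback, and callers can override `cache: "no-store"` and `credentials: "include"`; moving the spread ahead of those keys would make the defaults binding, if that is the intent.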
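--- a/package/dist/chunk-4YHJ4IEQ.js
+++ b/package/dist/chunk-4YHJ4IEQ.js
@@ -0,0 +1,25 @@
+// src/oauth/bitbucket.ts
+var bitbucket = (options) => {
+return {
+id: "bitbucket",
+name: "Bitbucket",
+authorizeURL: "https://bitbucket.org/site/oauth2/authorize",
+accessToken: "https://bitbucket.org/site/oauth2/access_token",
+userInfo: "https://api.bitbucket.org/2.0/user",
+scope: "account email",
+responseType: "code",
+profile(profile) {
+return {
+sub: profile.uuid ?? profile.account_id,
+name: profile.display_name ?? profile.nickname,
+image: profile.links.avatar?.href,
+email: void 0
+};
+},
+...options
+};
+};
+
+export {
+bitbucket
+};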
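Review bot: The default `scope` requests `account email`, yet `profile()` always returns `email: void 0`, so the provider asks users for an email grant that this mapping never uses. Either drop `email` from the default scope or populate the field; a comment such as `// email is not returned by the userInfo endpoint used here` would explain the `void 0` (that reading is inferred, confirm it against the endpoint). `profile.links.avatar?.href` also guards `avatar` but not `links`, so `image: profile.links?.avatar?.href,` avoids a throw on a sparse response.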
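--- a/package/dist/chunk-54CZPKR4.js
+++ b/package/dist/chunk-54CZPKR4.js
@@ -0,0 +1,25 @@
+// src/oauth/strava.ts
+var strava = (options) => {
+return {
+id: "strava",
+name: "Strava",
+authorizeURL: "https://www.strava.com/oauth/authorize",
+accessToken: "https://www.strava.com/oauth/token",
+userInfo: "https://www.strava.com/api/v3/athlete",
+scope: "read",
+responseType: "code",
+profile(profile) {
+return {
+sub: profile.id.toString(),
+name: `${profile.firstname} ${profile.lastname}`,
+image: profile.profile,
+email: void 0
+};
+},
+...options
+};
+};
+
+export {
+strava
+};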
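--- a/package/dist/chunk-5LZ7TOM3.js
+++ b/package/dist/chunk-5LZ7TOM3.js
@@ -0,0 +1,25 @@
+// src/oauth/gitlab.ts
+var gitlab = (options) => {
+return {
+id: "gitlab",
+name: "GitLab",
+authorizeURL: "https://gitlab.com/oauth/authorize",
+accessToken: "https://gitlab.com/oauth/token",
+userInfo: "https://gitlab.com/api/v4/user",
+scope: "read_user",
+responseType: "code",
+profile(profile) {
+return {
+sub: profile.id.toString(),
+name: profile.name ?? profile.username,
+email: profile.email,
+image: profile.avatar_url
+};
+},
+...options
+};
+};
+
+export {
+gitlab
+};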
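--- a/package/dist/chunk-7BE46WWS.js
+++ b/package/dist/chunk-7BE46WWS.js
@@ -0,0 +1,88 @@
+import {
+fetchAsync
+} from "./chunk-ZNCZVF6U.js";
+import {
+OAuthAccessTokenErrorResponse,
+OAuthAccessTokenResponse
+} from "./chunk-2A5B7GWR.js";
+import {
+AuthInternalError,
+OAuthProtocolError
+} from "./chunk-U5663F2U.js";
+
+// src/actions/callback/access-token.ts
+var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier, logger) => {
+const { accessToken, clientId, clientSecret } = oauthConfig;
+if (!clientId || !clientSecret || !redirectURI || !code || !codeVerifier || !accessToken) {
+logger?.log("INVALID_OAUTH_CONFIGURATION", {
+structuredData: {
+has_client_id: Boolean(clientId),
+has_client_secret: Boolean(clientSecret),
+has_access_token: Boolean(accessToken),
+has_redirect_uri: Boolean(redirectURI),
+has_code: Boolean(code),
+has_code_verifier: Boolean(codeVerifier)
+}
+});
+throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
+}
+const tokenURL = typeof accessToken === "string" ? accessToken : accessToken.url;
+const extraHeaders = typeof accessToken === "string" ? void 0 : accessToken.headers;
+try {
+logger?.log("OAUTH_ACCESS_TOKEN_REQUEST_INITIATED", {
+structuredData: {
+has_client_id: Boolean(clientId),
+redirect_uri: redirectURI,
+grant_type: "authorization_code"
+}
+});
+const response = await fetchAsync(tokenURL, {
+method: "POST",
+headers: {
+...extraHeaders ?? {},
+Accept: "application/json",
+"Content-Type": "application/x-www-form-urlencoded"
+},
+body: new URLSearchParams({
+client_id: clientId,
+client_secret: clientSecret,
+code,
+redirect_uri: redirectURI,
+grant_type: "authorization_code",
+code_verifier: codeVerifier
+}).toString()
+});
+if (!response.ok) {
+logger?.log("INVALID_OAUTH_ACCESS_TOKEN_RESPONSE");
+throw new OAuthProtocolError("invalid_request", "Invalid access token response");
+}
+const json = await response.json();
+const token = OAuthAccessTokenResponse.safeParse(json);
+if (!token.success) {
+const { success, data } = OAuthAccessTokenErrorResponse.safeParse(json);
+if (!success) {
+logger?.log("INVALID_OAUTH_ACCESS_TOKEN_RESPONSE");
+throw new OAuthProtocolError("invalid_request", "Invalid access token response format");
+}
+logger?.log("OAUTH_ACCESS_TOKEN_ERROR", {
+structuredData: {
+error: data.error,
+error_description: data.error_description ?? ""
+}
+});
+throw new OAuthProtocolError("INVALID_ACCESS_TOKEN", "Failed to retrieve access token");
+}
+logger?.log("OAUTH_ACCESS_TOKEN_SUCCESS");
+return token.data;
+} catch (error) {
+logger?.log("OAUTH_ACCESS_TOKEN_REQUEST_FAILED");
+if (error instanceof Error) {
+throw new OAuthProtocolError("server_error", "Failed to communicate with OAuth provider", "", { cause: error });
+}
+throw error;
+}
+};
+
+export {
+createAccessToken
+};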
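Review bot: The `catch` at the end of `createAccessToken` also receives the `OAuthProtocolError`s thrown inside the `try` (`invalid_request`, `INVALID_ACCESS_TOKEN`) and, assuming that class extends `Error`, rewraps each as `server_error` / "Failed to communicate with OAuth provider" while logging `OAUTH_ACCESS_TOKEN_REQUEST_FAILED` on top of the earlier entry. That presents a provider-side rejection as a transport failure to whoever reads the logs or handles the error. Rethrowing known errors first keeps the codes intact: `if (error instanceof OAuthProtocolError) throw error;` as the first statement of the `catch`. The provider-supplied `error_description` is logged verbatim, so the logger should treat it as untrusted text.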
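--- a/package/dist/chunk-7YYXFKLR.js
+++ b/package/dist/chunk-7YYXFKLR.js
@@ -0,0 +1,35 @@
+import {
+getSession
+} from "./chunk-CITNGXDA.js";
+import {
+expiredCookieAttributes
+} from "./chunk-XY5R3EHH.js";
+import {
+AuthInternalError
+} from "./chunk-U5663F2U.js";
+import {
+secureApiHeaders
+} from "./chunk-EBAMFRB7.js";
+
+// src/actions/session/session.ts
+import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
+var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
+const {
+request,
+context: { cookies }
+} = ctx;
+try {
+const session = await getSession({ ctx: ctx.context, headers: request.headers });
+if (!session.authenticated) {
+throw new AuthInternalError("INVALID_JWT_TOKEN", "Session not authenticated");
+}
+return Response.json(session, { headers: secureApiHeaders });
+} catch (error) {
+const headers = new HeadersBuilder(secureApiHeaders).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
+return Response.json({ session: null, authenticated: false }, { status: 401, headers });
+}
+});
+
+export {
+sessionAction
+};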
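Review bot: The `catch` in `sessionAction` turns every failure, not only the deliberate `AuthInternalError`, into a 401 that expires the session cookie, and it records nothing. An unexpected exception from `getSession` or `Response.json` would therefore sign users out with no trace in the logs. Branching directly on `!session.authenticated` instead of throwing, and logging inside the `catch` through `ctx.context.logger`, separates the expected path from real faults. Cookie deletion only takes effect if `expiredCookieAttributes` carries the same path and domain as the cookie that was set; that object is defined outside this hunk.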
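--- a/package/dist/chunk-C3A37LQC.js
+++ b/package/dist/chunk-C3A37LQC.js
@@ -0,0 +1,33 @@
+// src/oauth/atlassian.ts
+var atlassian = (options) => {
+return {
+id: "atlassian",
+name: "Atlassian",
+authorize: {
+url: "https://auth.atlassian.com/authorize",
+params: {
+audience: "api.atlassian.com",
+scope: "read:me read:account",
+prompt: "consent"
+}
+},
+authorizeURL: "https://auth.atlassian.com/authorize",
+accessToken: "https://auth.atlassian.com/oauth/token",
+userInfo: "https://api.atlassian.com/me",
+scope: "read:me read:account",
+responseType: "code",
+profile(profile) {
+return {
+sub: profile.account_id,
+name: profile.name,
+email: profile.email,
+image: profile.picture
+};
+},
+...options
+};
+};
+
+export {
+atlassian
+};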
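Review bot: `scope` and the authorize URL are each declared twice (`authorize.params.scope` / `scope`, `authorize.url` / `authorizeURL`), and `buildAuthorizationURL` in src/actions/signIn/authorization-url.ts prefers the `authorize` values. Because `...options` is a shallow spread, a caller who passes only `scope` or `authorizeURL` appears to have the override ignored in the authorization request, which makes it easy to believe a narrower scope is in force when it is not. Keeping one source of truth (drop the top-level duplicates, or drop `scope` from `authorize.params`) removes the ambiguity. `prompt: "consent"` forces the consent screen on every sign-in; a short comment saying why would help.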
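--- a/package/dist/chunk-CITNGXDA.js
+++ b/package/dist/chunk-CITNGXDA.js
@@ -0,0 +1,31 @@
+import {
+getErrorName,
+toISOString
+} from "./chunk-LX3TJ2TJ.js";
+import {
+getCookie
+} from "./chunk-XY5R3EHH.js";
+
+// src/api/getSession.ts
+var getSession = async ({ ctx, headers }) => {
+try {
+const session = getCookie(new Headers(headers), ctx.cookies.sessionToken.name);
+const decoded = await ctx.jose.decodeJWT(session);
+ctx?.logger?.log("AUTH_SESSION_VALID");
+const { exp, iat, jti, nbf, aud, iss, ...user } = decoded;
+return {
+session: {
+user,
+expires: toISOString(exp * 1e3)
+},
+authenticated: true
+};
+} catch (error) {
+ctx?.logger?.log("AUTH_SESSION_INVALID", { structuredData: { error_type: getErrorName(error) } });
+return { session: null, authenticated: false };
+}
+};
+
+export {
+getSession
+};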
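Review bot: `AUTH_SESSION_VALID` is logged as soon as `ctx.jose.decodeJWT` returns, before `exp` is read, so a token whose payload lacks a numeric `exp` is recorded as valid and then either fails in `toISOString(exp * 1e3)` or yields a meaningless `expires`. Moving the log call after the result object is built and adding `if (typeof exp !== "number") throw new Error("missing exp");` keeps the log truthful. Whether `decodeJWT` verifies the signature and expiry is not visible in this hunk; given the name, a comment stating that it does would reassure readers. `ctx.cookies` is dereferenced unguarded while `ctx?.logger` is optional-chained, which is inconsistent.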
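--- a/package/dist/chunk-CWX724AG.js
+++ b/package/dist/chunk-CWX724AG.js
@@ -0,0 +1,78 @@
+import {
+callbackAction
+} from "./chunk-NHZBQNRR.js";
+import {
+csrfTokenAction
+} from "./chunk-FPCVZUVG.js";
+import {
+signInAction
+} from "./chunk-UN7X6SU5.js";
+import {
+sessionAction
+} from "./chunk-7YYXFKLR.js";
+import {
+signOutAction
+} from "./chunk-3J5TUH2I.js";
+import {
+createAuthAPI
+} from "./chunk-LAYPUDQF.js";
+import {
+createContext
+} from "./chunk-2IR674WX.js";
+import {
+createErrorHandler,
+useSecureCookies
+} from "./chunk-LX3TJ2TJ.js";
+
+// src/createAuth.ts
+import { createRouter } from "@aura-stack/router";
+var createInternalConfig = (authConfig) => {
+const context = createContext(authConfig);
+return {
+basePath: authConfig?.basePath ?? "/auth",
+onError: createErrorHandler(context.logger),
+context,
+use: [
+(ctx) => {
+const useSecure = useSecureCookies(ctx.request, ctx.context.trustedProxyHeaders);
+ctx.context.cookies = useSecure ? context.cookieConfig.secure : context.cookieConfig.standard;
+return ctx;
+}
+]
+};
+};
+var createAuthInstance = (authConfig) => {
+const config = createInternalConfig(authConfig);
+const router = createRouter(
+[signInAction(config.context.oauth), callbackAction(config.context.oauth), sessionAction, signOutAction, csrfTokenAction],
+config
+);
+return {
+handlers: router,
+jose: config.context.jose,
+api: createAuthAPI(config.context)
+};
+};
+var createAuth = (config) => {
+const authInstance = createAuthInstance(config);
+authInstance.handlers.ALL = async (request) => {
+const method = request.method.toUpperCase();
+const methodHandlers = {
+GET: authInstance.handlers.GET,
+POST: authInstance.handlers.POST
+};
+if (method in methodHandlers) {
+return await methodHandlers[method](request);
+}
+return new Response("Method Not Allowed", {
+status: 405,
+headers: { Allow: Object.keys(methodHandlers).join(", ") }
+});
+};
+return authInstance;
+};
+
+export {
+createAuthInstance,
+createAuth
+};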
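Review bot: The middleware in `createInternalConfig` assigns `ctx.context.cookies` on each request; if the router hands every request the same `context` object (it looks that way, since `context` is passed once in the config), two concurrent requests with different schemes can overwrite each other's cookie store across an `await`. Returning a per-request copy avoids the shared write, provided the router uses the returned value: `return { ...ctx, context: { ...ctx.context, cookies: useSecure ? context.cookieConfig.secure : context.cookieConfig.standard } };`. `createAuthAPI(config.context)` receives the context before any middleware runs, so it starts with the standard (non-secure) store set in src/context.ts; worth confirming that is intended for HTTPS deployments. In `ALL`, `Object.hasOwn(methodHandlers, method)` is a stricter test than `method in methodHandlers`, which also consults the prototype chain.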
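--- a/package/dist/chunk-D2CSIUKP.js
+++ b/package/dist/chunk-D2CSIUKP.js
@@ -0,0 +1,74 @@
+import {
+createPKCE,
+createSecretValue
+} from "./chunk-V6LLEAR4.js";
+import {
+OAuthAuthorization
+} from "./chunk-2A5B7GWR.js";
+import {
+AuthInternalError
+} from "./chunk-U5663F2U.js";
+
+// src/actions/signIn/authorization-url.ts
+var setSearchParams = (url, params) => {
+for (const [key, value] of Object.entries(params)) {
+if (value !== void 0 && value !== "") {
+url.searchParams.set(key, value);
+}
+}
+};
+var buildAuthorizationURL = (oauth, redirect_uri, state, code_challenge, code_challenge_method) => {
+const authorizeConfig = oauth.authorize;
+const baseURL = typeof authorizeConfig === "string" ? authorizeConfig : authorizeConfig?.url ?? oauth.authorizeURL;
+if (!baseURL) {
+throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "Missing authorization URL in OAuth provider configuration.");
+}
+const url = new URL(baseURL);
+const authorizeParams = typeof authorizeConfig === "string" ? void 0 : authorizeConfig?.params;
+setSearchParams(url, {
+response_type: authorizeParams?.responseType ?? oauth.responseType ?? "code",
+client_id: oauth.clientId,
+redirect_uri,
+state,
+code_challenge,
+code_challenge_method,
+scope: authorizeParams?.scope ?? oauth.scope,
+prompt: authorizeParams?.prompt,
+response_mode: authorizeParams?.responseMode,
+login_hint: authorizeParams?.loginHint,
+nonce: authorizeParams?.nonce,
+display: authorizeParams?.display,
+audience: authorizeParams?.audience
+});
+return url.toString();
+};
+var createAuthorizationURL = async (oauth, redirectURI, ctx) => {
+const state = createSecretValue();
+const { codeVerifier, codeChallenge, method } = await createPKCE();
+const authorization = buildAuthorizationURL(oauth, redirectURI, state, codeChallenge, method);
+const parsed = OAuthAuthorization.safeParse({ ...oauth, redirectURI, state, codeChallenge, codeChallengeMethod: method });
+if (!parsed.success) {
+ctx?.logger?.log("INVALID_OAUTH_CONFIGURATION", {
+structuredData: {
+scope: oauth?.scope ?? "",
+redirect_uri: redirectURI,
+has_state: Boolean(state),
+has_code_challenge: Boolean(codeChallenge),
+code_challenge_method: method
+}
+});
+throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
+}
+return {
+authorization,
+state,
+codeVerifier,
+method
+};
+};
+
+export {
+setSearchParams,
+buildAuthorizationURL,
+createAuthorizationURL
+};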
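Review bot: `createAuthorizationURL` calls `buildAuthorizationURL` before `OAuthAuthorization.safeParse` runs and then discards `parsed.data`, so a malformed `authorize` URL surfaces as a raw `TypeError` from `new URL(baseURL)` instead of the logged `INVALID_OAUTH_CONFIGURATION` path, and the URL is never built from validated values. Running `safeParse` first and building the URL afterwards fixes the ordering. `nonce: authorizeParams?.nonce` comes from static provider configuration, so the same value would be sent on every authorization request; a nonce should be generated per request next to `state` (for example with `createSecretValue()`) and checked on return, or the parameter left out.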
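--- a/package/dist/chunk-E6G5YCI6.js
+++ b/package/dist/chunk-E6G5YCI6.js
@@ -0,0 +1,25 @@
+// src/oauth/pinterest.ts
+var pinterest = (options) => {
+return {
+id: "pinterest",
+name: "Pinterest",
+authorizeURL: "https://www.pinterest.com/oauth",
+accessToken: "https://api.pinterest.com/v5/oauth/token",
+userInfo: "https://api.pinterest.com/v5/user_account",
+scope: "user_accounts:read",
+responseType: "code",
+profile(profile) {
+return {
+sub: profile.id,
+name: profile.username,
+image: profile.profile_image,
+email: void 0
+};
+},
+...options
+};
+};
+
+export {
+pinterest
+};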
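--- a/package/dist/chunk-EBAMFRB7.js
+++ b/package/dist/chunk-EBAMFRB7.js
@@ -0,0 +1,34 @@
+// src/headers.ts
+var cacheControl = {
+"Cache-Control": "no-store",
+Pragma: "no-cache",
+Expires: "0",
+Vary: "Cookie"
+};
+var contentSecurityPolicy = {
+"Content-Security-Policy": [
+"default-src 'none'",
+"script-src 'self'",
+"frame-src 'none'",
+"object-src 'none'",
+"frame-ancestors 'none'",
+"base-uri 'none'"
+].join("; ")
+};
+var secureHeaders = {
+"X-Content-Type-Options": "nosniff",
+"X-Frame-Options": "DENY",
+"Referrer-Policy": "strict-origin-when-cross-origin"
+};
+var secureApiHeaders = {
+...cacheControl,
+...contentSecurityPolicy,
+...secureHeaders
+};
+
+export {
+cacheControl,
+contentSecurityPolicy,
+secureHeaders,
+secureApiHeaders
+};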
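Review bot: `contentSecurityPolicy` sets `default-src 'none'` and then re-opens `script-src 'self'`; the only use visible in this diff is on the JSON responses from `sessionAction`, which need no script source at all. Dropping the `"script-src 'self'",` entry, or adding a comment naming the HTML response that needs it, keeps the policy at deny-all. `secureHeaders` carries no `Strict-Transport-Security`; if that is left to the hosting layer, a comment saying so would stop readers assuming it is present.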