@aura-stack/auth 0.4.0-rc.5 → 0.5.0

Files changed (201)
  1. package/dist/@types/index.d.ts +8 -3
  2. package/dist/@types/router.d.cjs +0 -17
  3. package/dist/@types/router.d.d.ts +7 -2
  4. package/dist/@types/router.d.js +0 -1
  5. package/dist/actions/callback/access-token.cjs +130 -71
  6. package/dist/actions/callback/access-token.d.ts +9 -4
  7. package/dist/actions/callback/access-token.js +3 -4
  8. package/dist/actions/callback/callback.cjs +428 -152
  9. package/dist/actions/callback/callback.d.ts +11 -3
  10. package/dist/actions/callback/callback.js +12 -10
  11. package/dist/actions/callback/userinfo.cjs +159 -65
  12. package/dist/actions/callback/userinfo.d.ts +8 -3
  13. package/dist/actions/callback/userinfo.js +7 -6
  14. package/dist/actions/csrfToken/csrfToken.cjs +70 -19
  15. package/dist/actions/csrfToken/csrfToken.js +8 -7
  16. package/dist/actions/index.cjs +780 -348
  17. package/dist/actions/index.d.ts +6 -2
  18. package/dist/actions/index.js +23 -18
  19. package/dist/actions/session/session.cjs +107 -26
  20. package/dist/actions/session/session.js +7 -5
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +209 -211
  25. package/dist/actions/signIn/authorization.d.ts +32 -21
  26. package/dist/actions/signIn/authorization.js +12 -9
  27. package/dist/actions/signIn/signIn.cjs +470 -235
  28. package/dist/actions/signIn/signIn.d.ts +12 -3
  29. package/dist/actions/signIn/signIn.js +11 -8
  30. package/dist/actions/signOut/signOut.cjs +376 -228
  31. package/dist/actions/signOut/signOut.d.ts +1 -1
  32. package/dist/actions/signOut/signOut.js +10 -9
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +150 -5
  46. package/dist/assert.d.ts +26 -3
  47. package/dist/assert.js +17 -3
  48. package/dist/{chunk-YRCB5FLE.js → chunk-2A5B7GWR.js} +52 -6
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-4YHJ4IEQ.js +25 -0
  54. package/dist/chunk-54CZPKR4.js +25 -0
  55. package/dist/chunk-5LZ7TOM3.js +25 -0
  56. package/dist/chunk-7BE46WWS.js +88 -0
  57. package/dist/chunk-7YYXFKLR.js +35 -0
  58. package/dist/chunk-C3A37LQC.js +33 -0
  59. package/dist/chunk-CITNGXDA.js +31 -0
  60. package/dist/chunk-CWX724AG.js +78 -0
  61. package/dist/chunk-D2CSIUKP.js +74 -0
  62. package/dist/chunk-E6G5YCI6.js +25 -0
  63. package/dist/chunk-EBAMFRB7.js +34 -0
  64. package/dist/chunk-EEE7UM5T.js +25 -0
  65. package/dist/{chunk-HT4YLL7N.js → chunk-FPCVZUVG.js} +10 -8
  66. package/dist/chunk-FW4W3REU.js +25 -0
  67. package/dist/chunk-GNNBM2WJ.js +83 -0
  68. package/dist/chunk-IPKO6UQN.js +25 -0
  69. package/dist/chunk-JOCGX3RP.js +59 -0
  70. package/dist/chunk-KBXWTD6E.js +94 -0
  71. package/dist/chunk-KMMAZFSJ.js +25 -0
  72. package/dist/chunk-LATR3NIV.js +117 -0
  73. package/dist/chunk-LAYPUDQF.js +39 -0
  74. package/dist/chunk-LDU7A2JE.js +25 -0
  75. package/dist/chunk-LX3TJ2TJ.js +294 -0
  76. package/dist/chunk-NHZBQNRR.js +143 -0
  77. package/dist/chunk-OVHNRULD.js +33 -0
  78. package/dist/chunk-PDP3PHB3.js +127 -0
  79. package/dist/chunk-PHYNROD4.js +47 -0
  80. package/dist/chunk-QQEKY4XP.js +29 -0
  81. package/dist/chunk-U4RK4LKJ.js +348 -0
  82. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  83. package/dist/chunk-UN7X6SU5.js +53 -0
  84. package/dist/chunk-UZQJJD6A.js +100 -0
  85. package/dist/chunk-V6LLEAR4.js +80 -0
  86. package/dist/chunk-WHNDRO3N.js +50 -0
  87. package/dist/{chunk-W6LG7BFW.js → chunk-XY5R3EHH.js} +30 -23
  88. package/dist/client/client.cjs +135 -0
  89. package/dist/client/client.d.ts +85 -0
  90. package/dist/client/client.js +9 -0
  91. package/dist/client/index.cjs +135 -0
  92. package/dist/client/index.d.ts +14 -0
  93. package/dist/client/index.js +10 -0
  94. package/dist/context.cjs +1237 -0
  95. package/dist/context.d.ts +16 -0
  96. package/dist/context.js +28 -0
  97. package/dist/cookie.cjs +57 -22
  98. package/dist/cookie.d.ts +11 -6
  99. package/dist/cookie.js +3 -2
  100. package/dist/createAuth.cjs +2320 -0
  101. package/dist/createAuth.d.ts +12 -0
  102. package/dist/createAuth.js +48 -0
  103. package/dist/env.cjs +78 -0
  104. package/dist/env.d.ts +10 -0
  105. package/dist/env.js +12 -0
  106. package/dist/errors.cjs +17 -0
  107. package/dist/errors.d.ts +15 -4
  108. package/dist/errors.js +5 -1
  109. package/dist/headers.cjs +28 -2
  110. package/dist/headers.d.ts +25 -1
  111. package/dist/headers.js +9 -3
  112. package/dist/index-_aXtxb_s.d.ts +1377 -0
  113. package/dist/index.cjs +1843 -610
  114. package/dist/index.d.ts +11 -92
  115. package/dist/index.js +53 -85
  116. package/dist/jose.cjs +113 -38
  117. package/dist/jose.d.ts +12 -23
  118. package/dist/jose.js +17 -7
  119. package/dist/logger.cjs +424 -0
  120. package/dist/logger.d.ts +12 -0
  121. package/dist/logger.js +17 -0
  122. package/dist/oauth/atlassian.cjs +57 -0
  123. package/dist/oauth/atlassian.d.ts +12 -0
  124. package/dist/oauth/atlassian.js +6 -0
  125. package/dist/oauth/bitbucket.cjs +19 -15
  126. package/dist/oauth/bitbucket.d.ts +7 -2
  127. package/dist/oauth/bitbucket.js +1 -1
  128. package/dist/oauth/discord.cjs +27 -24
  129. package/dist/oauth/discord.d.ts +7 -2
  130. package/dist/oauth/discord.js +1 -1
  131. package/dist/oauth/dropbox.cjs +53 -0
  132. package/dist/oauth/dropbox.d.ts +12 -0
  133. package/dist/oauth/dropbox.js +6 -0
  134. package/dist/oauth/figma.cjs +19 -16
  135. package/dist/oauth/figma.d.ts +7 -2
  136. package/dist/oauth/figma.js +1 -1
  137. package/dist/oauth/github.cjs +19 -8
  138. package/dist/oauth/github.d.ts +7 -2
  139. package/dist/oauth/github.js +1 -1
  140. package/dist/oauth/gitlab.cjs +19 -16
  141. package/dist/oauth/gitlab.d.ts +7 -2
  142. package/dist/oauth/gitlab.js +1 -1
  143. package/dist/oauth/index.cjs +529 -239
  144. package/dist/oauth/index.d.ts +7 -2
  145. package/dist/oauth/index.js +39 -22
  146. package/dist/oauth/mailchimp.cjs +19 -16
  147. package/dist/oauth/mailchimp.d.ts +7 -2
  148. package/dist/oauth/mailchimp.js +1 -1
  149. package/dist/oauth/notion.cjs +131 -0
  150. package/dist/oauth/notion.d.ts +12 -0
  151. package/dist/oauth/notion.js +9 -0
  152. package/dist/oauth/pinterest.cjs +19 -16
  153. package/dist/oauth/pinterest.d.ts +7 -2
  154. package/dist/oauth/pinterest.js +1 -1
  155. package/dist/oauth/spotify.cjs +19 -16
  156. package/dist/oauth/spotify.d.ts +7 -2
  157. package/dist/oauth/spotify.js +1 -1
  158. package/dist/oauth/strava.cjs +19 -16
  159. package/dist/oauth/strava.d.ts +7 -2
  160. package/dist/oauth/strava.js +1 -1
  161. package/dist/oauth/twitch.cjs +95 -0
  162. package/dist/oauth/twitch.d.ts +12 -0
  163. package/dist/oauth/twitch.js +7 -0
  164. package/dist/oauth/x.cjs +19 -16
  165. package/dist/oauth/x.d.ts +7 -2
  166. package/dist/oauth/x.js +1 -1
  167. package/dist/schemas.cjs +89 -42
  168. package/dist/schemas.d.ts +114 -18
  169. package/dist/schemas.js +5 -3
  170. package/dist/secure.cjs +73 -31
  171. package/dist/secure.d.ts +11 -11
  172. package/dist/secure.js +7 -6
  173. package/dist/utils.cjs +203 -90
  174. package/dist/utils.d.ts +21 -40
  175. package/dist/utils.js +21 -12
  176. package/package.json +9 -6
  177. package/dist/chunk-3EUWD5BB.js +0 -63
  178. package/dist/chunk-42XB3YCW.js +0 -22
  179. package/dist/chunk-6R2YZ4AC.js +0 -22
  180. package/dist/chunk-A3N4PVAT.js +0 -70
  181. package/dist/chunk-B737EUJV.js +0 -22
  182. package/dist/chunk-CXLATHS5.js +0 -143
  183. package/dist/chunk-E3OXBRYF.js +0 -22
  184. package/dist/chunk-EIL2FPSS.js +0 -22
  185. package/dist/chunk-EMKJA2GJ.js +0 -89
  186. package/dist/chunk-FIPU4MLT.js +0 -21
  187. package/dist/chunk-FKRDCWBF.js +0 -22
  188. package/dist/chunk-GA2SMTJO.js +0 -58
  189. package/dist/chunk-HP34YGGJ.js +0 -22
  190. package/dist/chunk-IKHPGFCW.js +0 -14
  191. package/dist/chunk-IUYZQTJV.js +0 -30
  192. package/dist/chunk-IVET23KF.js +0 -58
  193. package/dist/chunk-JVFTCTTE.js +0 -33
  194. package/dist/chunk-KRNOMBXQ.js +0 -22
  195. package/dist/chunk-KSWLO5ZU.js +0 -102
  196. package/dist/chunk-N2APGLXA.js +0 -71
  197. package/dist/chunk-N4SX7TZT.js +0 -96
  198. package/dist/chunk-STHEPPUZ.js +0 -11
  199. package/dist/chunk-TLE4PXY3.js +0 -39
  200. package/dist/index-B8jeIElf.d.ts +0 -679
  201. /package/dist/{chunk-DIVDFNAP.js → chunk-5X7JZMEF.js} +0 -0
@@ -0,0 +1,1377 @@
1
+ import * as zod from 'zod';
2
+ import { z } from 'zod';
3
+ import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
4
+ import * as _aura_stack_jose from '@aura-stack/jose';
5
+ import { DecodedJWTPayloadOptions, TypedJWTPayload, JWTVerifyOptions } from '@aura-stack/jose';
6
+ import * as _aura_stack_jose_jose from '@aura-stack/jose/jose';
7
+ import { JWTPayload } from '@aura-stack/jose/jose';
8
+ import '@aura-stack/jose/crypto';
9
+ import { SerializeOptions } from '@aura-stack/router/cookie';
10
+ import { LiteralUnion, Prettify } from './@types/utility.js';
11
+ import * as jose from 'jose';
12
+ import * as _aura_stack_router from '@aura-stack/router';
13
+ import { GlobalContext, ClientOptions } from '@aura-stack/router';
14
+ import * as zod_v4_core from 'zod/v4/core';
15
+
16
+ /**
17
+ * Log message definitions organized by category.
18
+ * Each message includes facility, severity, msgId, and default message.
19
+ */
20
+ declare const logMessages: {
21
+ readonly ROUTER_INTERNAL_ERROR: {
22
+ readonly facility: 10;
23
+ readonly severity: "error";
24
+ readonly msgId: "ROUTER_INTERNAL_ERROR";
25
+ readonly message: "Unhandled router error while processing the request";
26
+ };
27
+ readonly INVALID_REQUEST: {
28
+ readonly facility: 10;
29
+ readonly severity: "warning";
30
+ readonly msgId: "INVALID_REQUEST";
31
+ readonly message: "Request validation failed against the expected schema";
32
+ };
33
+ readonly SERVER_ERROR: {
34
+ readonly facility: 10;
35
+ readonly severity: "error";
36
+ readonly msgId: "SERVER_ERROR";
37
+ readonly message: "Unexpected internal server error during authentication";
38
+ };
39
+ readonly OAUTH_PROTOCOL_ERROR: {
40
+ readonly facility: 10;
41
+ readonly severity: "warning";
42
+ readonly msgId: "OAUTH_PROTOCOL_ERROR";
43
+ readonly message: "OAuth provider returned an invalid or unexpected protocol response";
44
+ };
45
+ readonly OAUTH_AUTHORIZATION_ERROR: {
46
+ readonly facility: 10;
47
+ readonly severity: "error";
48
+ readonly msgId: "OAUTH_AUTHORIZATION_ERROR";
49
+ readonly message: "OAuth authorization request was rejected or failed";
50
+ };
51
+ readonly INVALID_OAUTH_CONFIGURATION: {
52
+ readonly facility: 10;
53
+ readonly severity: "error";
54
+ readonly msgId: "INVALID_OAUTH_CONFIGURATION";
55
+ readonly message: "The OAuth provider configuration is invalid or incomplete";
56
+ };
57
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_INITIATED: {
58
+ readonly facility: 10;
59
+ readonly severity: "debug";
60
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_INITIATED";
61
+ readonly message: "Starting OAuth access token request to the provider";
62
+ };
63
+ readonly INVALID_OAUTH_ACCESS_TOKEN_RESPONSE: {
64
+ readonly facility: 10;
65
+ readonly severity: "error";
66
+ readonly msgId: "INVALID_OAUTH_ACCESS_TOKEN_RESPONSE";
67
+ readonly message: "OAuth access token endpoint returned an invalid or malformed response";
68
+ };
69
+ readonly OAUTH_ACCESS_TOKEN_ERROR: {
70
+ readonly facility: 10;
71
+ readonly severity: "error";
72
+ readonly msgId: "OAUTH_ACCESS_TOKEN_ERROR";
73
+ readonly message: "OAuth access token endpoint returned an error response";
74
+ };
75
+ readonly OAUTH_ACCESS_TOKEN_SUCCESS: {
76
+ readonly facility: 10;
77
+ readonly severity: "info";
78
+ readonly msgId: "OAUTH_ACCESS_TOKEN_SUCCESS";
79
+ readonly message: "Successfully retrieved OAuth access token from the provider";
80
+ };
81
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_FAILED: {
82
+ readonly facility: 10;
83
+ readonly severity: "error";
84
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_FAILED";
85
+ readonly message: "Network or server error while requesting OAuth access token";
86
+ };
87
+ readonly OAUTH_USERINFO_REQUEST_INITIATED: {
88
+ readonly facility: 10;
89
+ readonly severity: "debug";
90
+ readonly msgId: "OAUTH_USERINFO_REQUEST_INITIATED";
91
+ readonly message: "Starting OAuth userinfo request to the provider";
92
+ };
93
+ readonly OAUTH_USERINFO_INVALID_RESPONSE: {
94
+ readonly facility: 10;
95
+ readonly severity: "error";
96
+ readonly msgId: "OAUTH_USERINFO_INVALID_RESPONSE";
97
+ readonly message: "OAuth userinfo endpoint returned an invalid or malformed response";
98
+ };
99
+ readonly OAUTH_USERINFO_ERROR: {
100
+ readonly facility: 10;
101
+ readonly severity: "error";
102
+ readonly msgId: "OAUTH_USERINFO_ERROR";
103
+ readonly message: "OAuth userinfo endpoint returned an error response";
104
+ };
105
+ readonly OAUTH_USERINFO_SUCCESS: {
106
+ readonly facility: 10;
107
+ readonly severity: "info";
108
+ readonly msgId: "OAUTH_USERINFO_SUCCESS";
109
+ readonly message: "Successfully retrieved user information from the OAuth provider";
110
+ };
111
+ readonly OAUTH_USERINFO_REQUEST_FAILED: {
112
+ readonly facility: 10;
113
+ readonly severity: "error";
114
+ readonly msgId: "OAUTH_USERINFO_REQUEST_FAILED";
115
+ readonly message: "Network or server error while requesting user information from the OAuth provider";
116
+ };
117
+ readonly OAUTH_CALLBACK_SUCCESS: {
118
+ readonly facility: 4;
119
+ readonly severity: "info";
120
+ readonly msgId: "OAUTH_CALLBACK_SUCCESS";
121
+ readonly message: "OAuth callback completed successfully and session was created";
122
+ };
123
+ readonly MISMATCHING_STATE: {
124
+ readonly facility: 4;
125
+ readonly severity: "critical";
126
+ readonly msgId: "MISMATCHING_STATE";
127
+ readonly message: "OAuth response state parameter does not match the stored state value";
128
+ };
129
+ readonly POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED: {
130
+ readonly facility: 4;
131
+ readonly severity: "critical";
132
+ readonly msgId: "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED";
133
+ readonly message: "Blocked redirect to untrusted or external URL (potential open redirect attack)";
134
+ };
135
+ readonly OPEN_REDIRECT_ATTACK: {
136
+ readonly facility: 4;
137
+ readonly severity: "warning";
138
+ readonly msgId: "OPEN_REDIRECT_ATTACK";
139
+ readonly message: "Detected redirect target that does not match the trusted origin";
140
+ };
141
+ readonly SESSION_TOKEN_MISSING: {
142
+ readonly facility: 4;
143
+ readonly severity: "warning";
144
+ readonly msgId: "SESSION_TOKEN_MISSING";
145
+ readonly message: "Session cookie is missing from the request";
146
+ };
147
+ readonly CSRF_TOKEN_MISSING: {
148
+ readonly facility: 4;
149
+ readonly severity: "warning";
150
+ readonly msgId: "CSRF_TOKEN_MISSING";
151
+ readonly message: "CSRF token cookie is missing from the request";
152
+ };
153
+ readonly CSRF_HEADER_MISSING: {
154
+ readonly facility: 4;
155
+ readonly severity: "warning";
156
+ readonly msgId: "CSRF_HEADER_MISSING";
157
+ readonly message: "CSRF header is missing from the request";
158
+ };
159
+ readonly CSRF_TOKEN_INVALID: {
160
+ readonly facility: 4;
161
+ readonly severity: "error";
162
+ readonly msgId: "CSRF_TOKEN_INVALID";
163
+ readonly message: "CSRF token verification failed or token is invalid";
164
+ };
165
+ readonly SIGN_IN_INITIATED: {
166
+ readonly facility: 4;
167
+ readonly severity: "info";
168
+ readonly msgId: "SIGN_IN_INITIATED";
169
+ readonly message: "Starting OAuth sign-in flow for the selected provider";
170
+ };
171
+ readonly SIGN_OUT_ATTEMPT: {
172
+ readonly facility: 4;
173
+ readonly severity: "debug";
174
+ readonly msgId: "SIGN_OUT_ATTEMPT";
175
+ readonly message: "Received sign-out request from client";
176
+ };
177
+ readonly SIGN_OUT_CSRF_VERIFIED: {
178
+ readonly facility: 4;
179
+ readonly severity: "info";
180
+ readonly msgId: "SIGN_OUT_CSRF_VERIFIED";
181
+ readonly message: "CSRF token was successfully verified during sign-out";
182
+ };
183
+ readonly SIGN_OUT_SUCCESS: {
184
+ readonly facility: 4;
185
+ readonly severity: "info";
186
+ readonly msgId: "SIGN_OUT_SUCCESS";
187
+ readonly message: "User session was cleared and sign-out completed successfully";
188
+ };
189
+ readonly SIGN_OUT_REDIRECT: {
190
+ readonly facility: 4;
191
+ readonly severity: "debug";
192
+ readonly msgId: "SIGN_OUT_REDIRECT";
193
+ readonly message: "Redirecting client after successful sign-out";
194
+ };
195
+ readonly AUTH_SESSION_VALID: {
196
+ readonly facility: 4;
197
+ readonly severity: "info";
198
+ readonly msgId: "AUTH_SESSION_VALID";
199
+ readonly message: "Session token is valid and user session was returned";
200
+ };
201
+ readonly AUTH_SESSION_INVALID: {
202
+ readonly facility: 4;
203
+ readonly severity: "notice";
204
+ readonly msgId: "AUTH_SESSION_INVALID";
205
+ readonly message: "Session token is missing, expired, or invalid";
206
+ };
207
+ readonly INVALID_JWT_TOKEN: {
208
+ readonly facility: 4;
209
+ readonly severity: "warning";
210
+ readonly msgId: "INVALID_JWT_TOKEN";
211
+ readonly message: "JWT session token failed validation during sign-out";
212
+ };
213
+ readonly CSRF_TOKEN_REQUESTED: {
214
+ readonly facility: 4;
215
+ readonly severity: "debug";
216
+ readonly msgId: "CSRF_TOKEN_REQUESTED";
217
+ readonly message: "Client requested a CSRF token";
218
+ };
219
+ readonly CSRF_TOKEN_ISSUED: {
220
+ readonly facility: 4;
221
+ readonly severity: "debug";
222
+ readonly msgId: "CSRF_TOKEN_ISSUED";
223
+ readonly message: "Issued a new CSRF token to the client";
224
+ };
225
+ readonly INVALID_URL: {
226
+ readonly facility: 10;
227
+ readonly severity: "error";
228
+ readonly msgId: "INVALID_URL";
229
+ readonly message: "Derived origin URL is invalid or malformed";
230
+ };
231
+ readonly COOKIE_HTTPONLY_DISABLED: {
232
+ readonly facility: 10;
233
+ readonly severity: "critical";
234
+ readonly msgId: "COOKIE_HTTPONLY_DISABLED";
235
+ readonly message: "Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS exposure.";
236
+ };
237
+ readonly COOKIE_WILDCARD_DOMAIN: {
238
+ readonly facility: 10;
239
+ readonly severity: "critical";
240
+ readonly msgId: "COOKIE_WILDCARD_DOMAIN";
241
+ readonly message: "Cookie 'Domain' is set to a wildcard, which is insecure and should be avoided.";
242
+ };
243
+ readonly COOKIE_SECURE_DISABLED: {
244
+ readonly facility: 10;
245
+ readonly severity: "warning";
246
+ readonly msgId: "COOKIE_SECURE_DISABLED";
247
+ readonly message: "Cookie is configured with 'Secure' but the request is not HTTPS. The 'Secure' attribute will be ignored by the browser.";
248
+ };
249
+ readonly COOKIE_SAMESITE_NONE_WITHOUT_SECURE: {
250
+ readonly facility: 10;
251
+ readonly severity: "warning";
252
+ readonly msgId: "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
253
+ readonly message: "Cookie uses SameSite=None without Secure. Falling back to SameSite=Lax for safer defaults.";
254
+ };
255
+ readonly COOKIE_INSECURE_IN_PRODUCTION: {
256
+ readonly facility: 10;
257
+ readonly severity: "critical";
258
+ readonly msgId: "COOKIE_INSECURE_IN_PRODUCTION";
259
+ readonly message: "Cookies are being served over an insecure connection in production, which is a serious security risk.";
260
+ };
261
+ readonly COOKIE_HOST_STRATEGY_INSECURE: {
262
+ readonly facility: 10;
263
+ readonly severity: "critical";
264
+ readonly msgId: "COOKIE_HOST_STRATEGY_INSECURE";
265
+ readonly message: "__Host- cookies require a secure HTTPS context. Falling back to standard cookie settings.";
266
+ };
267
+ readonly UNTRUSTED_ORIGIN: {
268
+ readonly facility: 10;
269
+ readonly severity: "error";
270
+ readonly msgId: "UNTRUSTED_ORIGIN";
271
+ readonly message: "The constructed origin URL is not trusted.";
272
+ };
273
+ };
274
+ declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
275
+ declare const createSyslogMessage: (options: SyslogOptions) => string;
276
+ declare const createLogger: (logger?: Required<Logger>) => InternalLogger | undefined;
277
+ /**
278
+ * Creates the logger instance based on the provided configuration and environment variables.
279
+ * Priority: config.logger, LOG_LEVEL env, DEBUG env and defaults to undefined if logging is not enabled.
280
+ *
281
+ */
282
+ declare const createProxyLogger: (config?: AuthConfig) => InternalLogger | undefined;
283
+
284
+ /**
285
+ * Creates the JOSE instance used for signing and verifying tokens. It derives keys
286
+ * for session tokens and CSRF tokens. For security and determinism, it's required
287
+ * to set a salt value in `AURA_AUTH_SALT` or `AUTH_SALT` env.
288
+ *
289
+ * @param secret the base secret for key derivation
290
+ * @returns jose instance with methods for encoding/decoding JWTs and signing/verifying JWSs
291
+ */
292
+ declare const createJoseInstance: (secret?: string) => {
293
+ decodeJWT: (token: string, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<User>>;
294
+ encodeJWT: (payload: TypedJWTPayload<Partial<User>>) => Promise<string>;
295
+ signJWS: (payload: TypedJWTPayload<Partial<_aura_stack_jose_jose.JWTPayload>>) => Promise<string>;
296
+ verifyJWS: (payload: string, options?: JWTVerifyOptions | undefined) => Promise<_aura_stack_jose_jose.JWTPayload>;
297
+ encryptJWE: (payload: string, options?: _aura_stack_jose.EncryptOptions | undefined) => Promise<string>;
298
+ decryptJWE: (payload: string, options?: _aura_stack_jose.JWTDecryptOptions | undefined) => Promise<string>;
299
+ };
300
+ declare const jwtVerificationOptions: JWTVerifyOptions;
301
+ declare const decodeJWTOptions: DecodedJWTPayloadOptions;
302
+
303
+ interface ExtendedProfile {
304
+ job_title: string;
305
+ organization: string;
306
+ department: string;
307
+ location: string;
308
+ }
309
+ interface AtlassianProfile {
310
+ account_id: string;
311
+ account_type: string;
312
+ account_status: LiteralUnion<"active">;
313
+ email: string;
314
+ email_verified: boolean;
315
+ name: string;
316
+ picture: string;
317
+ nickname: string;
318
+ zoneinfo: string;
319
+ locale: string;
320
+ extended_profile: ExtendedProfile;
321
+ last_updated: string;
322
+ created_at: string;
323
+ }
324
+ /**
325
+ * @see [Atlassian - OAuth Apps](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/)
326
+ * @see [Atlassian - My Apps](https://developer.atlassian.com/console/myapps/)
327
+ * @see [Atlassian - Retrieve Authenticated User](https://developer.atlassian.com/cloud/jira/software/oauth-2-3lo-apps/#how-do-i-retrieve-the-public-profile-of-the-authenticated-user-)
328
+ */
329
+ declare const atlassian: (options?: Partial<OAuthProviderCredentials<AtlassianProfile>>) => OAuthProviderCredentials<AtlassianProfile>;
330
+
331
+ type AccountType = "basic" | "pro" | "business";
332
+ interface Name {
333
+ given_name: string;
334
+ surname: string;
335
+ familiar_name: string;
336
+ display_name: string;
337
+ abbreviated_name: string;
338
+ }
339
+ interface RootInfo {
340
+ team: RootInfo;
341
+ user: RootInfo;
342
+ }
343
+ interface FullTeam {
344
+ id: string;
345
+ name: string;
346
+ sharing_policies: Record<string, unknown>;
347
+ office_addin_policy: unknown;
348
+ top_level_content_policy: unknown;
349
+ }
350
+ interface DropboxProfile {
351
+ account_id: string;
352
+ name: Name;
353
+ email: string;
354
+ email_verified: boolean;
355
+ disabled: boolean;
356
+ locale: string;
357
+ referral_link: string;
358
+ is_paired: boolean;
359
+ account_type: AccountType;
360
+ root_info: unknown;
361
+ profile_photo_url?: string;
362
+ country: string;
363
+ team?: unknown;
364
+ team_member_id?: string;
365
+ }
366
+ /**
367
+ * @see [Dropbox - OAuth Guide](https://developers.dropbox.com/oauth-guide)
368
+ * @see [Dropbox - API v2](https://www.dropbox.com/developers/documentation/http/documentation)
369
+ * @see [Dropbox - Get Current Account](https://www.dropbox.com/developers/documentation/http/documentation#users-get_current_account)
370
+ * @see [Dropbox - My Apps](https://www.dropbox.com/developers/apps)
371
+ * @see [Dropbox - Developer Guide](https://www.dropbox.com/developers/reference/developer-guide)
372
+ */
373
+ declare const dropbox: (options?: Partial<OAuthProviderCredentials<DropboxProfile>>) => OAuthProviderCredentials<DropboxProfile>;
374
+
375
+ interface Person {
376
+ email: string;
377
+ }
378
+ interface User$1 {
379
+ object: "user";
380
+ id: string;
381
+ name: string;
382
+ avatar_url: string | null;
383
+ type: "person";
384
+ person: Person;
385
+ }
386
+ interface Owner {
387
+ type: "user";
388
+ user: User$1;
389
+ }
390
+ interface Bot {
391
+ owner: Owner;
392
+ }
393
+ /**
394
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
395
+ */
396
+ interface NotionProfile {
397
+ object: "user";
398
+ id: string;
399
+ name: string;
400
+ avatar_url: string | null;
401
+ type: "bot";
402
+ bot: Bot;
403
+ }
404
+ /**
405
+ * @see [Notion - Developer Documentation](https://developers.notion.com/)
406
+ * @see [Notion - Authorization](https://developers.notion.com/docs/authorization)
407
+ * @see [Notion - Authentication](https://developers.notion.com/reference/authentication)
408
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
409
+ */
410
+ declare const notion: (options?: Partial<OAuthProviderCredentials<NotionProfile>>) => OAuthProviderCredentials<NotionProfile>;
411
+
412
+ /**
413
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
414
+ */
415
+ interface TwitchProfile {
416
+ id: string;
417
+ login: string;
418
+ display_name: string;
419
+ type: string;
420
+ broadcaster_type: string;
421
+ description: string;
422
+ profile_image_url: string;
423
+ offline_image_url: string;
424
+ view_count: number;
425
+ email?: string;
426
+ created_at: string;
427
+ }
428
+ /**
429
+ * @see [Twitch - Get Started with the Twitch API](https://dev.twitch.tv/docs/api/get-started/)
430
+ * @see [Twitch - Authorization code grant flow](https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#authorization-code-grant-flow)
431
+ * @see [Twitch - Register Your App](https://dev.twitch.tv/docs/authentication/register-app)
432
+ * @see [Twitch - Setting up Two-Factor Authentication (2FA)](https://help.twitch.tv/s/article/two-factor-authentication?language=en_US)
433
+ * @see [Twitch - Security and Privacy](https://www.twitch.tv/settings/security)
434
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
435
+ * @see [Twitch - Scopes](https://dev.twitch.tv/docs/authentication/scopes/)
436
+ */
437
+ declare const twitch: (options?: Partial<OAuthProviderCredentials<TwitchProfile>>) => OAuthProviderCredentials<TwitchProfile>;
438
+
439
+ /**
440
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
441
+ */
442
+ interface PinterestProfile {
443
+ account_type: LiteralUnion<"PINNER">;
444
+ id: string;
445
+ profile_image: string;
446
+ website_url: string;
447
+ username: string;
448
+ about: string;
449
+ business_name: string;
450
+ board_count: number;
451
+ pin_count: number;
452
+ follower_count: number;
453
+ following_count: number;
454
+ monthly_views: number;
455
+ }
456
+ /**
457
+ * @see [Pinterest - Connect App](https://developers.pinterest.com/docs/getting-started/connect-app/)
458
+ * @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
459
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
460
+ */
461
+ declare const pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
462
+
463
+ interface Login {
464
+ email: string;
465
+ avatar: string | null;
466
+ login_id: number;
467
+ login_name: string;
468
+ login_email: string;
469
+ }
470
+ /**
471
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/authentication/)
472
+ */
473
+ interface MailchimpProfile {
474
+ dc: string;
475
+ role: string;
476
+ accountname: string;
477
+ user_id: string;
478
+ login: Login;
479
+ login_url: string;
480
+ api_endpoint: string;
481
+ }
482
+ /**
483
+ * Mailchimp OAuth Provider
484
+ * @see [Mailchimp - Marketing API](https://mailchimp.com/developer/marketing/api/)
485
+ * @see [Mailchimp - Apps](https://us1.admin.mailchimp.com/account/oauth2/)
486
+ * @see [Mailchimp - Create an Application](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/#register-your-app)
487
+ * @see [Mailchimp - OAuth 2.0 Docs](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
488
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/root/)
489
+ */
490
+ declare const mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
491
+
492
+ /**
493
+ * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
494
+ */
495
+ interface SummaryClub {
496
+ id: number;
497
+ resource_state: number;
498
+ name: string;
499
+ profile_medium: string;
500
+ cover_photo: string;
501
+ cover_photo_small: string;
502
+ sport_type: "cycling" | "running" | "triathlon" | "other";
503
+ activity_types: string[];
504
+ city: string;
505
+ state: string;
506
+ country: string;
507
+ private: boolean;
508
+ member_count: number;
509
+ featured: boolean;
510
+ verified: boolean;
511
+ url: string;
512
+ }
513
+ /**
514
+ * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
515
+ */
516
+ interface SummaryGear {
517
+ id: string;
518
+ resource_state: number;
519
+ primary: boolean;
520
+ name: string;
521
+ distance: number;
522
+ }
523
+ /**
524
+ * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
525
+ */
526
+ interface StravaProfile {
527
+ id: number;
528
+ resource_state: number;
529
+ firstname: string;
530
+ lastname: string;
531
+ bio: string | null;
532
+ profile: string;
533
+ profile_medium: string;
534
+ city: string;
535
+ state: string;
536
+ country: string;
537
+ sex: string;
538
+ premium: boolean;
539
+ summit: boolean;
540
+ created_at: Date;
541
+ updated_at: Date;
542
+ badge_type_id: number;
543
+ weight: number;
544
+ friend: null;
545
+ follower: null;
546
+ follower_count: number;
547
+ friend_count: number;
548
+ measurement_preference: string;
549
+ ftp: number;
550
+ clubs: SummaryClub[];
551
+ bikes: SummaryGear[];
552
+ shoes: SummaryGear[];
553
+ }
554
+ /**
555
+ * Strava OAuth Provider
556
+ * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
557
+ * @see [Strava - My Applications](https://www.strava.com/settings/api)
558
+ * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
559
+ * @see [Strava - API Application](https://www.strava.com/settings/api)
560
+ * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
561
+ */
562
+ declare const strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
563
+
564
+ /**
565
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
566
+ */
567
+ interface XProfile {
568
+ data: {
569
+ id: string;
570
+ name: string;
571
+ username: string;
572
+ profile_image_url: string;
573
+ };
574
+ }
575
+ /**
576
+ * X (Twitter) OAuth Provider
577
+ * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
578
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
579
+ * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
580
+ * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
581
+ * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
582
+ */
583
+ declare const x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
584
+
585
+ interface SpotifyImage {
586
+ url: string;
587
+ height: number;
588
+ width: number;
589
+ }
590
+ /**
591
+ * @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
592
+ */
593
+ interface SpotifyProfile {
594
+ id: string;
595
+ display_name: string;
596
+ email: string;
597
+ type: string;
598
+ uri: string;
599
+ country: string;
600
+ href: string;
601
+ images: SpotifyImage[];
602
+ product: string;
603
+ explicit_content: {
604
+ filter_enabled: boolean;
605
+ filter_locked: boolean;
606
+ };
607
+ external_urls: {
608
+ spotify: string;
609
+ };
610
+ followers: {
611
+ href: string;
612
+ total: number;
613
+ };
614
+ }
615
+ /**
616
+ * Spotify OAuth Provider
617
+ *
618
+ * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
619
+ * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
620
+ * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
621
+ * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
622
+ * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
623
+ */
624
+ declare const spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
625
+
626
+ /**
627
+ * @see [GitLab - User Structure](https://docs.gitlab.com/ee/api/users.html#external-user-structure)
628
+ */
629
+ interface GitLabProfile {
630
+ id: number;
631
+ username: string;
632
+ email: string;
633
+ name: string;
634
+ state: string;
635
+ locked: boolean;
636
+ avatar_url: string;
637
+ web_url: string;
638
+ created_at: string;
639
+ bio: string;
640
+ location: string | null;
641
+ public_email: string;
642
+ linkedin: string;
643
+ twitter: string;
644
+ discord: string;
645
+ github: string;
646
+ website_url: string;
647
+ organization: string;
648
+ job_title: string;
649
+ pronouns: string;
650
+ bot: boolean;
651
+ work_information: string | null;
652
+ followers: number;
653
+ following: number;
654
+ local_time: string;
655
+ last_sign_in_at: string;
656
+ confirmed_at: string;
657
+ theme_id: number;
658
+ last_activity_on: string;
659
+ color_scheme_id: number;
660
+ projects_limit: number;
661
+ current_sign_in_at: string;
662
+ identities: {
663
+ provider: string;
664
+ extern_uid: string;
665
+ saml_provider_id: number | null;
666
+ }[];
667
+ can_create_group: boolean;
668
+ can_create_project: boolean;
669
+ two_factor_enabled: boolean;
670
+ external: boolean;
671
+ private_profile: boolean;
672
+ commit_email: string;
673
+ preferred_language: string;
674
+ shared_runners_minutes_limit: number | null;
675
+ extra_shared_runners_minutes_limit: number | null;
676
+ scim_identities: unknown[];
677
+ }
678
+ /**
679
+ * GitLab OAuth Provider
680
+ *
681
+ * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
682
+ * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
683
+ * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
684
+ * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
685
+ */
686
+ declare const gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
687
+
688
+ /**
689
+ * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
690
+ */
691
+ interface Nameplate {
692
+ sku_id: string;
693
+ asset: string;
694
+ label: string;
695
+ palette: string;
696
+ }
697
+ /**
698
+ * The `snowflake` type is a string type. The attributes defined with this type are:
699
+ * - `id`: The unique identifier for the object.
700
+ * - `primary_guild.identity_guild_id`: The unique identifier for the guild.
701
+ * - `avatar_decoration_data.sku_id`: The unique identifier for the SKU.
702
+ *
703
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
704
+ */
705
+ interface DiscordProfile {
706
+ id: string;
707
+ username: string;
708
+ discriminator: string;
709
+ global_name: string | null;
710
+ avatar: string | null;
711
+ bot?: boolean;
712
+ system?: boolean;
713
+ mfa_enabled?: boolean;
714
+ banner?: string | null;
715
+ accent_color?: number | null;
716
+ locale?: string;
717
+ verified?: boolean;
718
+ email?: string | null;
719
+ flags?: number;
720
+ premium_type?: number;
721
+ public_flags?: number;
722
+ avatar_decoration_data?: {
723
+ asset: string;
724
+ sku_id: string;
725
+ };
726
+ collections?: Record<string, Nameplate>;
727
+ primary_guild?: {
728
+ identity_guild_id: string;
729
+ identity_enabled: boolean | null;
730
+ tag: string | null;
731
+ badge: string | null;
732
+ };
733
+ }
734
+ /**
735
+ * Discord OAuth Provider
736
+ *
737
+ * @see [Discord - Applications](https://discord.com/developers/applications)
738
+ * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
739
+ * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
740
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
741
+ * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
742
+ * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
743
+ * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
744
+ */
745
+ declare const discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
746
+
747
+ /**
748
+ * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
749
+ */
750
+ interface FigmaProfile {
751
+ id: string;
752
+ handle: string;
753
+ img_url: string;
754
+ email: string;
755
+ }
756
+ /**
757
+ * Figma OAuth Provider
758
+ * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
759
+ * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
760
+ * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
761
+ * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
762
+ */
763
+ declare const figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
764
+
765
+ /**
766
+ * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
767
+ */
768
+ interface BitbucketProfile {
769
+ display_name: string;
770
+ links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
771
+ href?: string;
772
+ }>;
773
+ created_on: string;
774
+ type: string;
775
+ uuid: string;
776
+ has_2fa_enabled: boolean;
777
+ username: string;
778
+ nickname: string;
779
+ is_staff: boolean;
780
+ account_id: string;
781
+ account_status: LiteralUnion<"active" | "inactive" | "closed">;
782
+ location: string | null;
783
+ }
784
+ /**
785
+ * Bitbucket OAuth Provider
786
+ *
787
+ * @see [Bitbucket - Official App](https://bitbucket.org/)
788
+ * @see [Bitbucket - Workspaces](https://bitbucket.org/account/workspaces/)
789
+ * @see [Bitbucket - Workspace Settings](https://bitbucket.org/{workspace-name}/workspace/settings/)
790
+ * @see [Bitbucket - OAuth 2.0](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)
791
+ * @see [Bitbucket - Use OAuth on Bitbucket Cloud](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
792
+ * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
793
+ * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
794
+ */
795
+ declare const bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
796
+
797
+ /**
798
+ * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
799
+ */
800
+ interface GitHubProfile {
801
+ login: string;
802
+ id: number;
803
+ user_view_type: string;
804
+ node_id: string;
805
+ avatar_url: string;
806
+ gravatar_id: string | null;
807
+ url: string;
808
+ html_url: string;
809
+ followers_url: string;
810
+ following_url: string;
811
+ gists_url: string;
812
+ starred_url: string;
813
+ subscriptions_url: string;
814
+ organizations_url: string;
815
+ repos_url: string;
816
+ events_url: string;
817
+ received_events_url: string;
818
+ type: string;
819
+ site_admin: boolean;
820
+ name: string | null;
821
+ company: string | null;
822
+ blog: string | null;
823
+ location: string | null;
824
+ email: string | null;
825
+ notification_email: string | null;
826
+ hireable: boolean | null;
827
+ bio: string | null;
828
+ twitter_username?: string | null;
829
+ public_repos: number;
830
+ public_gists: number;
831
+ followers: number;
832
+ following: number;
833
+ created_at: string;
834
+ updated_at: string;
835
+ private_gists?: number;
836
+ total_private_repos?: number;
837
+ owned_private_repos?: number;
838
+ disk_usage?: number;
839
+ collaborators?: number;
840
+ two_factor_authentication: boolean;
841
+ plan?: {
842
+ collaborators: number;
843
+ name: string;
844
+ space: number;
845
+ private_repos: number;
846
+ };
847
+ }
848
+ /**
849
+ * GitHub OAuth Provider
850
+ *
851
+ * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
852
+ * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
853
+ * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
854
+ * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
855
+ */
856
+ declare const github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
857
+
858
+ declare const builtInOAuthProviders: {
859
+ readonly github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
860
+ readonly bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
861
+ readonly figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
862
+ readonly discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
863
+ readonly gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
864
+ readonly spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
865
+ readonly x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
866
+ readonly strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
867
+ readonly mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
868
+ readonly pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
869
+ readonly twitch: (options?: Partial<OAuthProviderCredentials<TwitchProfile>>) => OAuthProviderCredentials<TwitchProfile>;
870
+ readonly notion: (options?: Partial<OAuthProviderCredentials<NotionProfile>>) => OAuthProviderCredentials<NotionProfile>;
871
+ readonly dropbox: (options?: Partial<OAuthProviderCredentials<DropboxProfile>>) => OAuthProviderCredentials<DropboxProfile>;
872
+ readonly atlassian: (options?: Partial<OAuthProviderCredentials<AtlassianProfile>>) => OAuthProviderCredentials<AtlassianProfile>;
873
+ };
874
+ /**
875
+ * Constructs OAuth provider configurations from an array of provider names or configurations.
876
+ * It loads the client ID and client secret from environment variables if only the provider name is provided.
877
+ *
878
+ * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
879
+ * @returns A record of OAuth provider configurations
880
+ * @example
881
+ * // Using built-in provider with env variables
882
+ * createBuiltInOAuthProviders(["github"])
883
+ *
884
+ * // Using built-in provider with explicit credentials via factory
885
+ * createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
886
+ */
887
+ declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
888
+ type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
889
+
890
+ /**
891
+ * Creates the authentication instance with the configuration provided for OAuth provider.
892
+ * > NOTE: The handlers returned by this function should be used in the server to handle the authentication routes
893
+ * and within the `/auth` base path
894
+ *
895
+ * @param authConfig - Authentication configuration including OAuth provider
896
+ * @returns Authentication instance with handlers to be used in the server
897
+ * @example
898
+ * const auth = createAuth({
899
+ * oauth: ["github", {
900
+ * id: "custom-oauth",
901
+ * name: "custom-oauth",
902
+ * authorizationURL: "https://custom-oauth.com/oauth/authorize",
903
+ * accessToken: "https://custom-oauth.com/oauth/token",
904
+ * scope: "profile email",
905
+ * responseType: "code",
906
+ * userInfo: "https://custom-oauth.com/api/userinfo",
907
+ * clientId: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_ID!,
908
+ * clientSecret: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_SECRET!,
909
+ * }]
910
+ * })
911
+ */
912
+ declare const createAuthInstance: (authConfig: AuthConfig) => {
913
+ handlers: _aura_stack_router.Router<[_aura_stack_router.RouteEndpoint<"GET", "/signIn/:oauth", {
914
+ schemas?: {
915
+ params: zod.ZodObject<{
916
+ oauth: zod.ZodEnum<{
917
+ [x: string & Record<never, never>]: string & Record<never, never>;
918
+ github: "github";
919
+ bitbucket: "bitbucket";
920
+ figma: "figma";
921
+ discord: "discord";
922
+ gitlab: "gitlab";
923
+ spotify: "spotify";
924
+ x: "x";
925
+ strava: "strava";
926
+ mailchimp: "mailchimp";
927
+ pinterest: "pinterest";
928
+ twitch: "twitch";
929
+ notion: "notion";
930
+ dropbox: "dropbox";
931
+ atlassian: "atlassian";
932
+ }>;
933
+ }, zod_v4_core.$strip>;
934
+ searchParams: zod.ZodObject<{
935
+ redirect: zod.ZodDefault<zod.ZodOptional<zod.ZodCodec<zod.ZodString, zod.ZodBoolean>>>;
936
+ redirectTo: zod.ZodOptional<zod.ZodString>;
937
+ }, zod_v4_core.$strip>;
938
+ } | undefined;
939
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/callback/:oauth", {
940
+ schemas?: {
941
+ params: zod.ZodObject<{
942
+ oauth: zod.ZodEnum<{
943
+ [x: string & Record<never, never>]: string & Record<never, never>;
944
+ github: "github";
945
+ bitbucket: "bitbucket";
946
+ figma: "figma";
947
+ discord: "discord";
948
+ gitlab: "gitlab";
949
+ spotify: "spotify";
950
+ x: "x";
951
+ strava: "strava";
952
+ mailchimp: "mailchimp";
953
+ pinterest: "pinterest";
954
+ twitch: "twitch";
955
+ notion: "notion";
956
+ dropbox: "dropbox";
957
+ atlassian: "atlassian";
958
+ }>;
959
+ }, zod_v4_core.$strip>;
960
+ searchParams: zod.ZodObject<{
961
+ code: zod.ZodString;
962
+ state: zod.ZodString;
963
+ }, zod_v4_core.$strip>;
964
+ } | undefined;
965
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/session", {
966
+ schemas?: _aura_stack_router.EndpointSchemas | undefined;
967
+ }>, _aura_stack_router.RouteEndpoint<"POST", "/signOut", {
968
+ schemas?: {
969
+ searchParams: zod.ZodObject<{
970
+ token_type_hint: zod.ZodLiteral<"session_token">;
971
+ redirectTo: zod.ZodOptional<zod.ZodString>;
972
+ }, zod_v4_core.$strip>;
973
+ } | undefined;
974
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/csrfToken", {
975
+ schemas?: _aura_stack_router.EndpointSchemas | undefined;
976
+ }>]>;
977
+ jose: {
978
+ decodeJWT: (token: string, options?: _aura_stack_jose.DecodedJWTPayloadOptions) => Promise<_aura_stack_jose.TypedJWTPayload<User>>;
979
+ encodeJWT: (payload: _aura_stack_jose.TypedJWTPayload<Partial<User>>) => Promise<string>;
980
+ signJWS: (payload: _aura_stack_jose.TypedJWTPayload<Partial<jose.JWTPayload>>) => Promise<string>;
981
+ verifyJWS: (payload: string, options?: jose.JWTVerifyOptions | undefined) => Promise<jose.JWTPayload>;
982
+ encryptJWE: (payload: string, options?: _aura_stack_jose.EncryptOptions | undefined) => Promise<string>;
983
+ decryptJWE: (payload: string, options?: jose.JWTDecryptOptions | undefined) => Promise<string>;
984
+ };
985
+ api: {
986
+ getSession: (options: GetSessionAPIOptions) => Promise<SessionResponse>;
987
+ signIn: <Redirect extends boolean = true>(oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions<Redirect>) => Promise<SignInReturn<Redirect>>;
988
+ signOut: (options: SignOutAPIOptions) => Promise<Response>;
989
+ };
990
+ };
991
+ declare const createAuth: (config: AuthConfig) => AuthInstance;
992
+
993
+ declare const createAuthAPI: (ctx: GlobalContext) => {
994
+ getSession: (options: GetSessionAPIOptions) => Promise<SessionResponse>;
995
+ signIn: <Redirect extends boolean = true>(oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions<Redirect>) => Promise<SignInReturn<Redirect>>;
996
+ signOut: (options: SignOutAPIOptions) => Promise<Response>;
997
+ };
998
+
999
+ /**
1000
+ * Standard JWT claims that are managed internally by the token system.
1001
+ * These fields are typically filtered out before returning user data.
1002
+ */
1003
+ type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
1004
+ /**
1005
+ * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
1006
+ */
1007
+ type JWTPayloadWithToken = JWTPayload & {
1008
+ token: string;
1009
+ };
1010
+ /**
1011
+ * Standardized user profile returned by OAuth providers after fetching user information
1012
+ * and mapping the response to this format by default or via the `profile` custom function.
1013
+ */
1014
+ interface User extends Record<string, unknown> {
1015
+ sub: string;
1016
+ name?: string | null;
1017
+ email?: string | null;
1018
+ image?: string | null;
1019
+ }
1020
+ /**
1021
+ * Session data returned by the session endpoint.
1022
+ */
1023
+ interface Session {
1024
+ user: User;
1025
+ expires: string;
1026
+ }
1027
+ type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
1028
+ type ResponseType = LiteralUnion<"code" | "token" | "refresh_token" | "id_token">;
1029
+ /**
1030
+ * Configuration for an OAuth provider without credentials.
1031
+ * Use this type when defining provider metadata and endpoints.
1032
+ */
1033
+ interface OAuthProviderConfig<Profile extends object = Record<string, any>> {
1034
+ id: string;
1035
+ name: string;
1036
+ /**
1037
+ * @deprecated
1038
+ * use `authorize` instead of `authorizeURL`
1039
+ */
1040
+ authorizeURL?: string;
1041
+ authorize: string | {
1042
+ url: string;
1043
+ params?: Partial<Record<AuthorizeParams, string> & {
1044
+ responseType: ResponseType;
1045
+ }>;
1046
+ };
1047
+ accessToken: string | {
1048
+ url: string;
1049
+ headers?: Record<string, string>;
1050
+ };
1051
+ userInfo: string | {
1052
+ url: string;
1053
+ headers?: Record<string, string>;
1054
+ method?: string;
1055
+ };
1056
+ /**
1057
+ * @deprecated
1058
+ * use `authorize.params.scope` instead of `scope`
1059
+ */
1060
+ scope?: string;
1061
+ /**
1062
+ * @deprecated
1063
+ * use `authorize.params.response_type` instead of `responseType`
1064
+ */
1065
+ responseType?: ResponseType;
1066
+ profile?: (profile: Profile) => User | Promise<User>;
1067
+ }
1068
+ /**
1069
+ * OAuth provider configuration with client credentials.
1070
+ * Extends OAuthProviderConfig with clientId and clientSecret.
1071
+ */
1072
+ interface OAuthProviderCredentials<Profile extends object = Record<string, any>> extends OAuthProviderConfig<Profile> {
1073
+ clientId?: string;
1074
+ clientSecret?: string;
1075
+ }
1076
+ /**
1077
+ * Complete OAuth provider type combining configuration and credentials.
1078
+ */
1079
+ type OAuthProvider<Profile extends object = Record<string, any>> = OAuthProviderCredentials<Profile>;
1080
+ /**
1081
+ * Cookie type with __Secure- prefix, must be Secure.
1082
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
1083
+ */
1084
+ type SecureCookie = {
1085
+ strategy: "secure";
1086
+ } & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
1087
+ /**
1088
+ * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
1089
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
1090
+ */
1091
+ type HostCookie = {
1092
+ strategy: "host";
1093
+ } & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
1094
+ /**
1095
+ * Standard cookie type without security prefixes.
1096
+ * Can be sent over both HTTP and HTTPS connections (default in development).
1097
+ */
1098
+ type StandardCookie = {
1099
+ strategy?: "standard";
1100
+ } & Prettify<Omit<SerializeOptions, "encode">>;
1101
+ /**
1102
+ * Union type for cookie options based on the specified strategy.
1103
+ * - `secure`: Cookies are only sent over HTTPS connections
1104
+ * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
1105
+ * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
1106
+ */
1107
+ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
1108
+ /**
1109
+ * Names of cookies used by Aura Auth for session management and OAuth flows.
1110
+ * - `sessionToken`: User session JWT
1111
+ * - `csrfToken`: CSRF protection token
1112
+ * - `state`: OAuth state parameter for CSRF protection
1113
+ * - `code_verifier`: PKCE code verifier for authorization code flow
1114
+ * - `redirect_uri`: OAuth callback URI
1115
+ * - `redirect_to`: Post-authentication redirect path
1116
+ * - `nonce`: OpenID Connect nonce parameter
1117
+ */
1118
+ type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
1119
+ type CookieStoreConfig = Record<CookieName, {
1120
+ name: string;
1121
+ attributes: CookieStrategyAttributes;
1122
+ }>;
1123
+ interface CookieConfig {
1124
+ /**
1125
+ * Prefix to be added to all cookie names. By default "aura-stack".
1126
+ */
1127
+ prefix?: string;
1128
+ overrides?: Partial<CookieStoreConfig>;
1129
+ }
1130
+ /**
1131
+ * Main configuration interface for Aura Auth.
1132
+ * This is the user-facing configuration object passed to `createAuth()`.
1133
+ */
1134
+ interface AuthConfig {
1135
+ /**
1136
+ * OAuth providers available in the authentication and authorization flows. It provides a type-inference
1137
+ * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
1138
+ * OAuth third-party authorization service by implementing the `OAuthProviderCredentials` interface.
1139
+ *
1140
+ * Built-in OAuth providers:
1141
+ * oauth: ["github", "google"]
1142
+ *
1143
+ * Custom credentials via factory:
1144
+ * oauth: [github({ clientId: "...", clientSecret: "..." })]
1145
+ *
1146
+ * Custom OAuth providers:
1147
+ * oauth: [
1148
+ * {
1149
+ * id: "oauth-providers",
1150
+ * name: "OAuth",
1151
+ * authorizeURL: "https://example.com/oauth/authorize",
1152
+ * accessToken: "https://example.com/oauth/token",
1153
+ * scope: "profile email",
1154
+ * responseType: "code",
1155
+ * userInfo: "https://example.com/oauth/userinfo",
1156
+ * clientId: process.env.AURA_AUTH_PROVIDER_CLIENT_ID,
1157
+ * clientSecret: process.env.AURA_AUTH_PROVIDER_CLIENT_SECRET,
1158
+ * }
1159
+ * ]
1160
+ */
1161
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[];
1162
+ /**
1163
+ * Cookie options defines the configuration for cookies used in Aura Auth.
1164
+ * It includes a prefix for cookie names and flag options to determine
1165
+ * the security and scope of the cookies.
1166
+ *
1167
+ * **⚠️ WARNING:** Ensure that the cookie options are configured correctly to
1168
+ * maintain the security and integrity of the authentication process. `Aura Auth`
1169
+ * is not responsible for misconfigured cookies that may lead to security vulnerabilities.
1170
+ *
1171
+ * - prefix: A string prefix to be added to all cookie names, by default "aura-stack".
1172
+ * - flag options (This attributes help to define the security level of the cookies):
1173
+ * - secure: Cookies use the __Secure- prefix and are only sent over HTTPS connections.
1174
+ * - host: Cookies use the __Host- prefix and are only sent over HTTPS connections.
1175
+ * - standard: Cookies can be sent over both HTTP and HTTPS connections. (default in development)
1176
+ *
1177
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
1178
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
1179
+ */
1180
+ cookies?: Partial<CookieConfig>;
1181
+ /**
1182
+ * Secret used to sign and verify JWT tokens for session and csrf protection.
1183
+ * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
1184
+ * doesn't exist, it will throw an error during the initialization of the Auth module.
1185
+ */
1186
+ secret?: string;
1187
+ /**
1188
+ * Base URL of the application, used to construct the incoming request's origin.
1189
+ */
1190
+ baseURL?: string;
1191
+ /**
1192
+ * Base path for all authentication routes. Default is `/auth`.
1193
+ */
1194
+ basePath?: `/${string}`;
1195
+ /**
1196
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1197
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1198
+ * to determine the original client IP address and protocol.
1199
+ *
1200
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1201
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1202
+ * inaccurate client IP logging.
1203
+ *
1204
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1205
+ *
1206
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1207
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1208
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1209
+ * @experimental
1210
+ */
1211
+ trustedProxyHeaders?: boolean;
1212
+ logger?: boolean | Logger;
1213
+ /**
1214
+ * Defines trusted origins for your application to prevent open redirect attacks.
1215
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1216
+ * are validated against this list before redirecting.
1217
+ *
1218
+ * - **Exact URL**: `https://example.com` matches only that origin.
1219
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1220
+ * @example
1221
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1222
+ *
1223
+ *
1224
+ * trustedOrigins: async (request) => {
1225
+ * const origin = new URL(request.url).origin
1226
+ * return [origin, "https://admin.example.com"]
1227
+ * }
1228
+ */
1229
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1230
+ }
1231
+ /**
1232
+ * A trusted origin URL or pattern. Supports:
1233
+ * - Exact: `https://example.com`
1234
+ * - Subdomain wildcard: `https://*.example.com`
1235
+ */
1236
+ type TrustedOrigin = string;
1237
+ type JoseInstance = ReturnType<typeof createJoseInstance>;
1238
+ type OAuthProviderRecord = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
1239
+ type InternalLogger = {
1240
+ level: LogLevel;
1241
+ log: typeof createLogEntry;
1242
+ };
1243
+ type SessionResponse = {
1244
+ session: Session;
1245
+ authenticated: true;
1246
+ } | {
1247
+ session: null;
1248
+ authenticated: false;
1249
+ };
1250
+ type GetSessionAPI = (options: {
1251
+ headers: HeadersInit;
1252
+ }) => Promise<SessionResponse>;
1253
+ type AuthAPI = ReturnType<typeof createAuthAPI>;
1254
+ interface RouterGlobalContext {
1255
+ oauth: OAuthProviderRecord;
1256
+ cookies: CookieStoreConfig;
1257
+ jose: JoseInstance;
1258
+ secret?: string;
1259
+ baseURL?: string;
1260
+ basePath: string;
1261
+ trustedProxyHeaders: boolean;
1262
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1263
+ logger?: InternalLogger;
1264
+ }
1265
+ /**
1266
+ * Internal runtime configuration used within Aura Auth after initialization.
1267
+ * All optional fields from AuthConfig are resolved to their default values.
1268
+ */
1269
+ type AuthRuntimeConfig = RouterGlobalContext;
1270
+ interface AuthInstance {
1271
+ handlers: {
1272
+ GET: (request: Request) => Response | Promise<Response>;
1273
+ POST: (request: Request) => Response | Promise<Response>;
1274
+ ALL: (request: Request) => Response | Promise<Response>;
1275
+ };
1276
+ jose: JoseInstance;
1277
+ api: AuthAPI;
1278
+ }
1279
+ /**
1280
+ * Base OAuth error response structure.
1281
+ */
1282
+ interface OAuthError<T extends string> {
1283
+ error: T;
1284
+ error_description?: string;
1285
+ }
1286
+ /**
1287
+ * OAuth 2.0 Authorization Error Response Types
1288
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
1289
+ */
1290
+ type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
1291
+ /**
1292
+ * OAuth 2.0 Access Token Error Response Types
1293
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
1294
+ */
1295
+ type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
1296
+ /**
1297
+ * OAuth 2.0 Token Revocation Error Response Types
1298
+ * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
1299
+ */
1300
+ type TokenRevocationError = OAuthError<"invalid_session_token">;
1301
+ type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
1302
+ type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID";
1303
+ type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
1304
+ type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
1305
+ type APIErrorMap = Record<string, {
1306
+ code: string;
1307
+ message: string;
1308
+ }>;
1309
+ /**
1310
+ * Log level for logger messages.
1311
+ */
1312
+ type LogLevel = "warn" | "error" | "debug" | "info";
1313
+ /** Defines the Severity between 0 to 7 */
1314
+ type Severity = "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug";
1315
+ /**
1316
+ * @see https://datatracker.ietf.org/doc/html/rfc5424
1317
+ */
1318
+ type SyslogOptions = {
1319
+ facility: 4 | 10;
1320
+ severity: Severity;
1321
+ timestamp?: string;
1322
+ hostname?: string;
1323
+ appName?: string;
1324
+ procId?: string;
1325
+ msgId: string;
1326
+ message: string;
1327
+ structuredData?: Record<string, string | number | boolean>;
1328
+ };
1329
+ /**
1330
+ * Logger function interface for structured logging.
1331
+ * Called when errors or warnings occur during authentication flows.
1332
+ */
1333
+ interface Logger {
1334
+ level?: LogLevel;
1335
+ log?: (args: SyslogOptions) => void;
1336
+ }
1337
+ type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
1338
+ type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
1339
+ baseURL?: string;
1340
+ }>;
1341
+ interface SignInOptions {
1342
+ redirect?: boolean;
1343
+ redirectTo?: string;
1344
+ }
1345
+ interface SignOutOptions {
1346
+ redirect?: boolean;
1347
+ redirectTo?: string;
1348
+ }
1349
+ interface GetSessionAPIOptions {
1350
+ headers: HeadersInit;
1351
+ }
1352
+ interface SignOutAPIOptions {
1353
+ headers: HeadersInit;
1354
+ redirectTo?: string;
1355
+ skipCSRFCheck?: boolean;
1356
+ }
1357
+ interface SignInAPIOptions<Redirect extends boolean = boolean> {
1358
+ headers?: HeadersInit;
1359
+ redirect?: Redirect;
1360
+ redirectTo?: string;
1361
+ request?: Request;
1362
+ }
1363
+ type FunctionAPIContext<Options extends object> = {
1364
+ ctx: RouterGlobalContext;
1365
+ } & Options;
1366
+ type SignInReturn<Redirect extends boolean = boolean> = Redirect extends true ? Response : {
1367
+ redirect: false;
1368
+ signInURL: string;
1369
+ };
1370
+ type InternalContext = RouterGlobalContext & {
1371
+ cookieConfig: {
1372
+ secure: CookieStoreConfig;
1373
+ standard: CookieStoreConfig;
1374
+ };
1375
+ };
1376
+
1377
+ export { dropbox as $, type AuthConfig as A, type BuiltInOAuthProvider as B, type CookieConfig as C, createProxyLogger as D, type ErrorType as E, type FunctionAPIContext as F, type GetSessionAPIOptions as G, logMessages as H, type InternalContext as I, type JWTPayloadWithToken as J, createJoseInstance as K, type LogLevel as L, decodeJWTOptions as M, jwtVerificationOptions as N, type OAuthProviderRecord as O, type AtlassianProfile as P, type ExtendedProfile as Q, type RouterGlobalContext as R, type SessionResponse as S, type TrustedOrigin as T, type User as U, atlassian as V, type AccountType as W, type DropboxProfile as X, type FullTeam as Y, type Name as Z, type RootInfo as _, type InternalLogger as a, type Bot as a0, type NotionProfile as a1, type Owner as a2, type Person as a3, type User$1 as a4, notion as a5, type TwitchProfile as a6, twitch as a7, type PinterestProfile as a8, pinterest as a9, type AccessTokenError as aA, type AuthorizationError as aB, type AuthorizeParams as aC, type CookieName as aD, type CookieStrategyAttributes as aE, type GetSessionAPI as aF, type HostCookie as aG, type JWTStandardClaims as aH, type OAuthEnv as aI, type OAuthError as aJ, type ResponseType as aK, type SecureCookie as aL, type Severity as aM, type StandardCookie as aN, type SyslogOptions as aO, type TokenRevocationError as aP, type Login as aa, type MailchimpProfile as ab, mailchimp as ac, type StravaProfile as ad, type SummaryClub as ae, type SummaryGear as af, strava as ag, type XProfile as ah, x as ai, type SpotifyImage as aj, type SpotifyProfile as ak, spotify as al, type GitLabProfile as am, gitlab as an, type DiscordProfile as ao, type Nameplate as ap, discord as aq, type FigmaProfile as ar, figma as as, type BitbucketProfile as at, bitbucket as au, type GitHubProfile as av, github as aw, createBuiltInOAuthProviders as ax, createAuthInstance as ay, createAuthAPI as az, type CookieStoreConfig as b, type AuthRuntimeConfig as c, type AuthInternalErrorCode as d, type 
AuthSecurityErrorCode as e, type APIErrorMap as f, type SignInAPIOptions as g, type SignInReturn as h, type SignOutAPIOptions as i, type OAuthProviderCredentials as j, type OAuthProvider as k, type AuthClientOptions as l, type Session as m, type SignInOptions as n, type SignOutOptions as o, type AuthClient as p, type AuthAPI as q, type AuthInstance as r, type JoseInstance as s, type Logger as t, type OAuthProviderConfig as u, builtInOAuthProviders as v, createAuth as w, createSyslogMessage as x, createLogEntry as y, createLogger as z };