@aura-stack/auth 0.4.0-rc.5 → 0.5.0
- package/dist/@types/index.d.ts +8 -3
- package/dist/@types/router.d.cjs +0 -17
- package/dist/@types/router.d.d.ts +7 -2
- package/dist/@types/router.d.js +0 -1
- package/dist/actions/callback/access-token.cjs +130 -71
- package/dist/actions/callback/access-token.d.ts +9 -4
- package/dist/actions/callback/access-token.js +3 -4
- package/dist/actions/callback/callback.cjs +428 -152
- package/dist/actions/callback/callback.d.ts +11 -3
- package/dist/actions/callback/callback.js +12 -10
- package/dist/actions/callback/userinfo.cjs +159 -65
- package/dist/actions/callback/userinfo.d.ts +8 -3
- package/dist/actions/callback/userinfo.js +7 -6
- package/dist/actions/csrfToken/csrfToken.cjs +70 -19
- package/dist/actions/csrfToken/csrfToken.js +8 -7
- package/dist/actions/index.cjs +780 -348
- package/dist/actions/index.d.ts +6 -2
- package/dist/actions/index.js +23 -18
- package/dist/actions/session/session.cjs +107 -26
- package/dist/actions/session/session.js +7 -5
- package/dist/actions/signIn/authorization-url.cjs +288 -0
- package/dist/actions/signIn/authorization-url.d.ts +31 -0
- package/dist/actions/signIn/authorization-url.js +16 -0
- package/dist/actions/signIn/authorization.cjs +209 -211
- package/dist/actions/signIn/authorization.d.ts +32 -21
- package/dist/actions/signIn/authorization.js +12 -9
- package/dist/actions/signIn/signIn.cjs +470 -235
- package/dist/actions/signIn/signIn.d.ts +12 -3
- package/dist/actions/signIn/signIn.js +11 -8
- package/dist/actions/signOut/signOut.cjs +376 -228
- package/dist/actions/signOut/signOut.d.ts +1 -1
- package/dist/actions/signOut/signOut.js +10 -9
- package/dist/api/createApi.cjs +750 -0
- package/dist/api/createApi.d.ts +12 -0
- package/dist/api/createApi.js +19 -0
- package/dist/api/getSession.cjs +141 -0
- package/dist/api/getSession.d.ts +16 -0
- package/dist/api/getSession.js +10 -0
- package/dist/api/signIn.cjs +549 -0
- package/dist/api/signIn.d.ts +26 -0
- package/dist/api/signIn.js +15 -0
- package/dist/api/signOut.cjs +279 -0
- package/dist/api/signOut.d.ts +16 -0
- package/dist/api/signOut.js +13 -0
- package/dist/assert.cjs +150 -5
- package/dist/assert.d.ts +26 -3
- package/dist/assert.js +17 -3
- package/dist/{chunk-YRCB5FLE.js → chunk-2A5B7GWR.js} +52 -6
- package/dist/chunk-2GQLSIJ2.js +40 -0
- package/dist/chunk-2IR674WX.js +44 -0
- package/dist/chunk-3J5TUH2I.js +50 -0
- package/dist/chunk-4RWSYUKX.js +98 -0
- package/dist/chunk-4YHJ4IEQ.js +25 -0
- package/dist/chunk-54CZPKR4.js +25 -0
- package/dist/chunk-5LZ7TOM3.js +25 -0
- package/dist/chunk-7BE46WWS.js +88 -0
- package/dist/chunk-7YYXFKLR.js +35 -0
- package/dist/chunk-C3A37LQC.js +33 -0
- package/dist/chunk-CITNGXDA.js +31 -0
- package/dist/chunk-CWX724AG.js +78 -0
- package/dist/chunk-D2CSIUKP.js +74 -0
- package/dist/chunk-E6G5YCI6.js +25 -0
- package/dist/chunk-EBAMFRB7.js +34 -0
- package/dist/chunk-EEE7UM5T.js +25 -0
- package/dist/{chunk-HT4YLL7N.js → chunk-FPCVZUVG.js} +10 -8
- package/dist/chunk-FW4W3REU.js +25 -0
- package/dist/chunk-GNNBM2WJ.js +83 -0
- package/dist/chunk-IPKO6UQN.js +25 -0
- package/dist/chunk-JOCGX3RP.js +59 -0
- package/dist/chunk-KBXWTD6E.js +94 -0
- package/dist/chunk-KMMAZFSJ.js +25 -0
- package/dist/chunk-LATR3NIV.js +117 -0
- package/dist/chunk-LAYPUDQF.js +39 -0
- package/dist/chunk-LDU7A2JE.js +25 -0
- package/dist/chunk-LX3TJ2TJ.js +294 -0
- package/dist/chunk-NHZBQNRR.js +143 -0
- package/dist/chunk-OVHNRULD.js +33 -0
- package/dist/chunk-PDP3PHB3.js +127 -0
- package/dist/chunk-PHYNROD4.js +47 -0
- package/dist/chunk-QQEKY4XP.js +29 -0
- package/dist/chunk-U4RK4LKJ.js +348 -0
- package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
- package/dist/chunk-UN7X6SU5.js +53 -0
- package/dist/chunk-UZQJJD6A.js +100 -0
- package/dist/chunk-V6LLEAR4.js +80 -0
- package/dist/chunk-WHNDRO3N.js +50 -0
- package/dist/{chunk-W6LG7BFW.js → chunk-XY5R3EHH.js} +30 -23
- package/dist/client/client.cjs +135 -0
- package/dist/client/client.d.ts +85 -0
- package/dist/client/client.js +9 -0
- package/dist/client/index.cjs +135 -0
- package/dist/client/index.d.ts +14 -0
- package/dist/client/index.js +10 -0
- package/dist/context.cjs +1237 -0
- package/dist/context.d.ts +16 -0
- package/dist/context.js +28 -0
- package/dist/cookie.cjs +57 -22
- package/dist/cookie.d.ts +11 -6
- package/dist/cookie.js +3 -2
- package/dist/createAuth.cjs +2320 -0
- package/dist/createAuth.d.ts +12 -0
- package/dist/createAuth.js +48 -0
- package/dist/env.cjs +78 -0
- package/dist/env.d.ts +10 -0
- package/dist/env.js +12 -0
- package/dist/errors.cjs +17 -0
- package/dist/errors.d.ts +15 -4
- package/dist/errors.js +5 -1
- package/dist/headers.cjs +28 -2
- package/dist/headers.d.ts +25 -1
- package/dist/headers.js +9 -3
- package/dist/index-_aXtxb_s.d.ts +1377 -0
- package/dist/index.cjs +1843 -610
- package/dist/index.d.ts +11 -92
- package/dist/index.js +53 -85
- package/dist/jose.cjs +113 -38
- package/dist/jose.d.ts +12 -23
- package/dist/jose.js +17 -7
- package/dist/logger.cjs +424 -0
- package/dist/logger.d.ts +12 -0
- package/dist/logger.js +17 -0
- package/dist/oauth/atlassian.cjs +57 -0
- package/dist/oauth/atlassian.d.ts +12 -0
- package/dist/oauth/atlassian.js +6 -0
- package/dist/oauth/bitbucket.cjs +19 -15
- package/dist/oauth/bitbucket.d.ts +7 -2
- package/dist/oauth/bitbucket.js +1 -1
- package/dist/oauth/discord.cjs +27 -24
- package/dist/oauth/discord.d.ts +7 -2
- package/dist/oauth/discord.js +1 -1
- package/dist/oauth/dropbox.cjs +53 -0
- package/dist/oauth/dropbox.d.ts +12 -0
- package/dist/oauth/dropbox.js +6 -0
- package/dist/oauth/figma.cjs +19 -16
- package/dist/oauth/figma.d.ts +7 -2
- package/dist/oauth/figma.js +1 -1
- package/dist/oauth/github.cjs +19 -8
- package/dist/oauth/github.d.ts +7 -2
- package/dist/oauth/github.js +1 -1
- package/dist/oauth/gitlab.cjs +19 -16
- package/dist/oauth/gitlab.d.ts +7 -2
- package/dist/oauth/gitlab.js +1 -1
- package/dist/oauth/index.cjs +529 -239
- package/dist/oauth/index.d.ts +7 -2
- package/dist/oauth/index.js +39 -22
- package/dist/oauth/mailchimp.cjs +19 -16
- package/dist/oauth/mailchimp.d.ts +7 -2
- package/dist/oauth/mailchimp.js +1 -1
- package/dist/oauth/notion.cjs +131 -0
- package/dist/oauth/notion.d.ts +12 -0
- package/dist/oauth/notion.js +9 -0
- package/dist/oauth/pinterest.cjs +19 -16
- package/dist/oauth/pinterest.d.ts +7 -2
- package/dist/oauth/pinterest.js +1 -1
- package/dist/oauth/spotify.cjs +19 -16
- package/dist/oauth/spotify.d.ts +7 -2
- package/dist/oauth/spotify.js +1 -1
- package/dist/oauth/strava.cjs +19 -16
- package/dist/oauth/strava.d.ts +7 -2
- package/dist/oauth/strava.js +1 -1
- package/dist/oauth/twitch.cjs +95 -0
- package/dist/oauth/twitch.d.ts +12 -0
- package/dist/oauth/twitch.js +7 -0
- package/dist/oauth/x.cjs +19 -16
- package/dist/oauth/x.d.ts +7 -2
- package/dist/oauth/x.js +1 -1
- package/dist/schemas.cjs +89 -42
- package/dist/schemas.d.ts +114 -18
- package/dist/schemas.js +5 -3
- package/dist/secure.cjs +73 -31
- package/dist/secure.d.ts +11 -11
- package/dist/secure.js +7 -6
- package/dist/utils.cjs +203 -90
- package/dist/utils.d.ts +21 -40
- package/dist/utils.js +21 -12
- package/package.json +9 -6
- package/dist/chunk-3EUWD5BB.js +0 -63
- package/dist/chunk-42XB3YCW.js +0 -22
- package/dist/chunk-6R2YZ4AC.js +0 -22
- package/dist/chunk-A3N4PVAT.js +0 -70
- package/dist/chunk-B737EUJV.js +0 -22
- package/dist/chunk-CXLATHS5.js +0 -143
- package/dist/chunk-E3OXBRYF.js +0 -22
- package/dist/chunk-EIL2FPSS.js +0 -22
- package/dist/chunk-EMKJA2GJ.js +0 -89
- package/dist/chunk-FIPU4MLT.js +0 -21
- package/dist/chunk-FKRDCWBF.js +0 -22
- package/dist/chunk-GA2SMTJO.js +0 -58
- package/dist/chunk-HP34YGGJ.js +0 -22
- package/dist/chunk-IKHPGFCW.js +0 -14
- package/dist/chunk-IUYZQTJV.js +0 -30
- package/dist/chunk-IVET23KF.js +0 -58
- package/dist/chunk-JVFTCTTE.js +0 -33
- package/dist/chunk-KRNOMBXQ.js +0 -22
- package/dist/chunk-KSWLO5ZU.js +0 -102
- package/dist/chunk-N2APGLXA.js +0 -71
- package/dist/chunk-N4SX7TZT.js +0 -96
- package/dist/chunk-STHEPPUZ.js +0 -11
- package/dist/chunk-TLE4PXY3.js +0 -39
- package/dist/index-B8jeIElf.d.ts +0 -679
- /package/dist/{chunk-DIVDFNAP.js → chunk-5X7JZMEF.js} +0 -0
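--- a/package/dist/actions/signIn/authorization.cjs
+++ b/package/dist/actions/signIn/authorization.cjs
@@ -20,264 +20,262 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/actions/signIn/authorization.ts
 var authorization_exports = {};
 __export(authorization_exports, {
-createAuthorizationURL: () => createAuthorizationURL,
 createRedirectTo: () => createRedirectTo,
 createRedirectURI: () => createRedirectURI,
-
+createSignInURL: () => createSignInURL,
+getBaseURL: () => getBaseURL,
+getOriginURL: () => getOriginURL,
+getTrustedOrigins: () => getTrustedOrigins
 });
 module.exports = __toCommonJS(authorization_exports);
 
-// src/
-var
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-}
-
-
-
-
-
-}
-
-
-
-});
-var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.enum)([
-"invalid_request",
-"unauthorized_client",
-"access_denied",
-"unsupported_response_type",
-"invalid_scope",
-"server_error",
-"temporarily_unavailable"
-]),
-error_description: (0, import_zod.string)().optional(),
-error_uri: (0, import_zod.string)().optional(),
-state: (0, import_zod.string)()
-});
-var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-redirectURI: (0, import_zod.string)(),
-code: (0, import_zod.string)(),
-codeVerifier: (0, import_zod.string)().min(43).max(128)
-});
-var OAuthAccessTokenResponse = (0, import_zod.object)({
-access_token: (0, import_zod.string)(),
-token_type: (0, import_zod.string)().optional(),
-expires_in: (0, import_zod.number)().optional(),
-refresh_token: (0, import_zod.string)().optional(),
-scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
-});
-var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.enum)([
-"invalid_request",
-"invalid_client",
-"invalid_grant",
-"unauthorized_client",
-"unsupported_grant_type",
-"invalid_scope"
-]),
-error_description: (0, import_zod.string)().optional(),
-error_uri: (0, import_zod.string)().optional()
-});
-var OAuthErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.string)(),
-error_description: (0, import_zod.string)().optional()
-});
-var OAuthEnvSchema = (0, import_zod.object)({
-clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
-clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+// src/env.ts
+var import_meta = {};
+var env = new Proxy({}, {
+get(_, prop) {
+if (typeof prop !== "string") return void 0;
+const hasProperty = (process2) => {
+return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
+};
+try {
+if (typeof process !== "undefined" && hasProperty(process.env)) {
+return process.env[prop];
+}
+if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
+return import_meta.env[prop];
+}
+if (typeof Deno !== "undefined" && Deno.env?.get) {
+return Deno.env.get(prop);
+}
+if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
+return Bun.env[prop];
+}
+const globalValue = globalThis[prop];
+return typeof globalValue === "string" ? globalValue : void 0;
+} catch {
+return void 0;
+}
+}
 });
+var getEnv = (key) => {
+const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
+return env[keys.find((k) => env[k]) ?? ""];
+};
 
 // src/errors.ts
 var AuthInternalError = class extends Error {
 type = "AUTH_INTERNAL_ERROR";
 code;
-constructor(code, message,
-super(message,
+constructor(code, message, options) {
+super(message, options);
 this.code = code;
 this.name = new.target.name;
 Error.captureStackTrace(this, new.target);
 }
 };
-var AuthSecurityError = class extends Error {
-type = "AUTH_SECURITY_ERROR";
-code;
-constructor(code, message, options2) {
-super(message, options2);
-this.code = code;
-this.name = new.target.name;
-Error.captureStackTrace(this, new.target);
-}
-};
-var isAuthSecurityError = (error) => {
-return error instanceof AuthSecurityError;
-};
 
 // src/utils.ts
 var import_router = require("@aura-stack/router");
-
-
-
-var
-
+
+// src/assert.ts
+var import_crypto = require("@aura-stack/jose/crypto");
+var unsafeChars = [
+"<",
+">",
+'"',
+"`",
+" ",
+"\r",
+"\n",
+" ",
+"\\",
+"%2F",
+"%5C",
+"%2f",
+"%5c",
+"\r\n",
+"%0A",
+"%0D",
+"%0a",
+"%0d",
+"..",
+"//",
+"///",
+"...",
+"%20",
+"\0"
+];
+var isValidURL = (value) => {
+if (!new RegExp(/^https?:\/\/[^/]/).test(value)) {
+return false;
+}
+const match = value.match(/^(https?:\/\/)(.*)$/);
+if (!match) return false;
+const rest = match[2];
+for (const char of unsafeChars) {
+if (rest.includes(char)) return false;
+}
+const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/;
+return regex.test(match[0]);
 };
-var
-
-
-
-}
+var isRelativeURL = (value) => {
+if (value.length > 100) return false;
+for (const char of unsafeChars) {
+if (value.includes(char)) return false;
+}
+const regex = /^\/[a-zA-Z0-9\-_\/.?&=#]*\/?$/;
+return regex.test(value);
 };
-var
-
-
+var isSameOrigin = (origin, expected) => {
+const originURL = new URL(origin);
+const expectedURL = new URL(expected);
+return equals(originURL.origin, expectedURL.origin);
 };
-var
+var patternToRegex = (pattern) => {
 try {
-
-
-
-
-
-
-
-
-
-
-
-
-
-if (path !== "/" && path.endsWith("/")) {
-path = path.replace(/\/+$/, "/");
-} else if (path !== "/") {
-path = path.replace(/\/+$/, "");
-}
-return protocol + domain + path;
-}
-let sanitized = decodedURL.replace(/\/\.\.\//g, "/").replace(/\/\.\.$/, "").replace(/\.{2,}/g, "").replace(/\/{2,}/g, "/");
-if (sanitized !== "/" && sanitized.endsWith("/")) {
-sanitized = sanitized.replace(/\/+$/, "/");
-} else if (sanitized !== "/") {
-sanitized = sanitized.replace(/\/+$/, "");
-}
-return sanitized;
+if (pattern.length > 2048) return null;
+pattern = pattern.replace(/\\/g, "");
+const match = pattern.match(/^(https?):\/\/([a-zA-Z0-9.*-]{1,253})(?::(\d{1,5}|\*))?(?:\/.*)?$/);
+if (!match) return null;
+const [, protocol, host, port] = match;
+const hasWildcard = host.includes("*");
+if (hasWildcard && !host.startsWith("*.")) return null;
+if (hasWildcard && host.slice(2).includes("*")) return null;
+const domain = hasWildcard ? host.slice(2) : host;
+const escapedDomain = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const hostRegex = hasWildcard ? `[^.]+\\.${escapedDomain}` : escapedDomain;
+const portRegex = port === "*" ? ":\\d{1,5}" : port ? `:${port}` : "";
+return new RegExp(`^${protocol}:\\/\\/${hostRegex}${portRegex}$`);
 } catch {
-return
+return null;
 }
 };
-var
+var isTrustedOrigin = (url, trustedOrigins) => {
+if (!isValidURL(url) || trustedOrigins.length === 0) return false;
 try {
-const
-
-
-
+const urlOrigin = new URL(url).origin;
+for (const pattern of trustedOrigins) {
+const regex = patternToRegex(pattern);
+if (regex?.test(urlOrigin)) return true;
+try {
+if (isValidURL(pattern) && equals(new URL(pattern).origin, urlOrigin)) return true;
+} catch {
+}
+}
 } catch {
-return sanitizeURL(path);
 }
+return false;
 };
-
-
-
-
-return
-
-
-
-
-
-message: issue.message
-}
-};
-}, {});
+
+// src/utils.ts
+var equals = (a, b) => {
+if (a === null || b === null || a === void 0 || b === void 0) return false;
+return a === b;
+};
+var extractPath = (url) => {
+const pathRegex = /^https?:\/\/[a-zA-Z0-9_\-\.]+(:\d+)?(\/.*)$/;
+const match = url.match(pathRegex);
+return match && match[2] ? match[2] : "/";
 };
 
 // src/actions/signIn/authorization.ts
-var
-
-
-
-
+var getTrustedOrigins = async (request, trustedOrigins) => {
+if (!trustedOrigins) return [];
+const raw = typeof trustedOrigins === "function" ? await trustedOrigins(request) : trustedOrigins;
+return Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
+};
+var getBaseURL = async ({
+ctx,
+request,
+headers: headersInit
+}) => {
+const origin = getEnv("BASE_URL") || ctx?.baseURL;
+if (origin && origin !== "/") return origin;
+if (ctx?.trustedProxyHeaders) {
+const headers = headersInit && new Headers(headersInit) || request?.headers;
+const protocol = headers?.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Proto") ?? "http";
+const host = headers?.get("Host") ?? headers?.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Host") ?? null;
+if (host) return `${protocol}://${host}`;
+throw new AuthInternalError(
+"INVALID_OAUTH_CONFIGURATION",
+"The URL cannot be constructed. Please set the BASE_URL environment variable or provide trusted proxy host headers."
+);
+}
+try {
+return new URL(request?.url ?? "not-found").origin;
+} catch (error) {
+throw new AuthInternalError(
+"INVALID_OAUTH_CONFIGURATION",
+"The URL cannot be constructed. Please set the BASE_URL environment variable or enable trustedProxyHeaders.",
+{ cause: error }
+);
 }
-const { authorizeURL, ...options2 } = parsed.data;
-const { userInfo, accessToken, clientSecret, ...required } = options2;
-const searchParams = new URLSearchParams(toCastCase(required));
-return `${authorizeURL}?${searchParams}`;
 };
-var getOriginURL = (request,
-const
-
-
-
-
-
-return new URL(getNormalizedOriginPath(request.url));
+var getOriginURL = async (request, context) => {
+const trustedOrigins = await getTrustedOrigins(request, context?.trustedOrigins);
+trustedOrigins.push(new URL(request.url).origin);
+const origin = await getBaseURL({ request, ctx: context });
+if (!isTrustedOrigin(origin, trustedOrigins)) {
+context?.logger?.log("UNTRUSTED_ORIGIN", { structuredData: { origin } });
+throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");
 }
+return origin;
 };
-var createRedirectURI = (request, oauth,
-const
-return `${
+var createRedirectURI = async (request, oauth, context) => {
+const origin = await getOriginURL(request, context);
+return `${origin}${context.basePath}/callback/${oauth}`;
 };
-var
+var createSignInURL = async ({
+request,
+oauth,
+ctx,
+redirectTo
+}) => {
+const origin = await getOriginURL(request, ctx);
+const searchParams = new URLSearchParams();
+if (redirectTo !== void 0) searchParams.set("redirectTo", String(redirectTo));
+return `${origin}${ctx.basePath}/signIn/${oauth}?${searchParams.toString()}`;
+};
+var createRedirectTo = async (request, redirectTo, context) => {
 try {
 const headers = request.headers;
-const
-const
-
-
-if (
-
+const requestOrigin = await getOriginURL(request, context);
+const origins = await getTrustedOrigins(request, context?.trustedOrigins);
+const validateURL = (url) => {
+if (!isRelativeURL(url) && !isValidURL(url)) return "/";
+if (isRelativeURL(url)) return url;
+if (origins.length > 0) {
+if (isTrustedOrigin(url, origins)) {
+const urlOrigin = new URL(url).origin;
+for (const pattern of origins) {
+const regex = patternToRegex(pattern);
+if (regex?.test(urlOrigin)) {
+return isSameOrigin(url, request.url) ? extractPath(url) : url;
+}
+if (isValidURL(pattern) && equals(new URL(pattern).origin, urlOrigin)) return url;
+}
+}
+context?.logger?.log("OPEN_REDIRECT_ATTACK");
+return "/";
 }
-
-
-throw new AuthSecurityError(
-"POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
-"The redirectTo parameter does not match the hosted origin."
-);
+if (isSameOrigin(url, requestOrigin)) {
+return extractPath(url);
 }
-
-
-
-
-if (!isValidURL(referer) || !equals(refererURL.origin, hostedURL.origin)) {
-throw new AuthSecurityError(
-"POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED",
-"The referer of the request does not match the hosted origin."
-);
-}
-return sanitizeURL(refererURL.pathname);
-}
-if (origin) {
-const originURL = new URL(sanitizeURL(getNormalizedOriginPath(origin)));
-if (!isValidURL(origin) || !equals(originURL.origin, hostedURL.origin)) {
-throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
-}
-return sanitizeURL(originURL.pathname);
-}
-return "/";
+context?.logger?.log("OPEN_REDIRECT_ATTACK");
+return "/";
+};
+return validateURL(redirectTo ?? headers.get("Referer") ?? headers.get("Origin") ?? "/");
 } catch (error) {
-
-
-}
-throw new AuthSecurityError("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED", "Invalid origin (potential CSRF).");
+context?.logger?.log("POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED");
+return "/";
 }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-createAuthorizationURL,
 createRedirectTo,
 createRedirectURI,
-
+createSignInURL,
+getBaseURL,
+getOriginURL,
+getTrustedOrigins
 });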
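Review bot: `getOriginURL` (new lines 215–216) mutates the caller's configuration: `getTrustedOrigins` hands back the configured array itself when `context.trustedOrigins` is an array (new line 185), so `trustedOrigins.push(new URL(request.url).origin)` appends to that shared array on every request, growing it without bound and accumulating every origin the service has been reached at into the trusted set. Because `createRedirectTo` calls `getOriginURL` (new line 242) before re-reading the same array (new line 243), a deployment configured with an empty `trustedOrigins` array would, if I read it right, take the `origins.length > 0` branch at new line 247 rather than the same-origin fallback. Building a local list avoids both effects: `const trustedOrigins = [...(await getTrustedOrigins(request, context?.trustedOrigins)), new URL(request.url).origin];`. Separately, in `getBaseURL` (new line 197) the `Forwarded` regex `host=([^;]+)` keeps the quotes of a quoted value and runs past a comma into the next forwarded element, which would make legitimate proxied origins fail `isTrustedOrigin`; this is inferred from the regex, not exercised. This is bundled dist output, so the fix belongs in `src/actions/signIn/authorization.ts`.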
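--- a/package/dist/actions/signIn/authorization.d.ts
+++ b/package/dist/actions/signIn/authorization.d.ts
@@ -1,43 +1,54 @@
-import {
+import { A as AuthConfig } from '../../index-_aXtxb_s.js';
+import { GlobalContext } from '@aura-stack/router';
 import 'zod';
 import '../../schemas.js';
-import '
+import 'zod/v4';
 import '@aura-stack/jose';
 import '@aura-stack/jose/jose';
+import '@aura-stack/jose/crypto';
+import '@aura-stack/router/cookie';
 import '../../@types/utility.js';
+import 'jose';
+import 'zod/v4/core';
 
 /**
-*
-* the necessary query parameters such as `client_id`, `redirect_uri`, `response_type`, `scope`, `state`,
-* `code_challenge`, and `code_challenge_method`.
-*
-* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
-* @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
-*
-* @param oauthConfig - The OAuth configuration for the third-party service.
-* @param redirectURI - The redirect URI where the OAuth service will send the user after authorization.
-* @param state - A unique string used to maintain state between the request and callback.
+* Resolves trusted origins from config (array or function).
 */
-declare const
-declare const
+declare const getTrustedOrigins: (request: Request, trustedOrigins: AuthConfig["trustedOrigins"]) => Promise<string[]>;
+declare const getBaseURL: ({ ctx, request, headers: headersInit, }: {
+ctx?: GlobalContext;
+request?: Request;
+headers?: HeadersInit;
+}) => Promise<string>;
+declare const getOriginURL: (request: Request, context?: GlobalContext) => Promise<string>;
 /**
 * Creates the redirect URI for the OAuth callback based on the original request URL and the OAuth provider.
 *
 * @param requestURL - the original request URL
 * @param oauth - OAuth provider name
+* @param context - Global context containing configuration and utilities
 * @returns The redirect URI for the OAuth callback.
 */
-declare const createRedirectURI: (request: Request, oauth: string,
+declare const createRedirectURI: (request: Request, oauth: string, context: GlobalContext) => Promise<string>;
+declare const createSignInURL: ({ request, oauth, ctx, redirectTo, }: {
+request: Request;
+oauth: string;
+ctx: GlobalContext;
+redirectTo?: string;
+}) => Promise<string>;
 /**
 * Verifies if the request's origin matches the expected origin. It accepts the redirectTo search
-* parameter for redirection. It checks the
-* the
-*
+* parameter for redirection. It checks the Referer and Origin headers and the request URL against
+* the trusted origins list. If they do not match, it returns "/" to avoid potential open redirect attacks.
+*
+* When `trustedOrigins` is provided, URLs are validated against that list. When not provided,
+* the request's derived origin (from request.url or proxy headers) is used as the only trusted origin.
 *
 * @param request The incoming request object
 * @param redirectTo Optional redirectTo parameter to override the referer
-* @
+* @param context Global context containing configuration and utilities
+* @returns A safe URL to redirect to after authentication, or "/" if the URL is not considered safe.
 */
-declare const createRedirectTo: (request: Request, redirectTo?: string,
+declare const createRedirectTo: (request: Request, redirectTo?: string, context?: GlobalContext) => Promise<string>;
 
-export {
+export { createRedirectTo, createRedirectURI, createSignInURL, getBaseURL, getOriginURL, getTrustedOrigins };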
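--- a/package/dist/actions/signIn/authorization.js
+++ b/package/dist/actions/signIn/authorization.js
@@ -1,16 +1,19 @@
 import {
-createAuthorizationURL,
 createRedirectTo,
 createRedirectURI,
-
-
-
-
-
-import "../../chunk-
+createSignInURL,
+getBaseURL,
+getOriginURL,
+getTrustedOrigins
+} from "../../chunk-LATR3NIV.js";
+import "../../chunk-LX3TJ2TJ.js";
+import "../../chunk-WHNDRO3N.js";
+import "../../chunk-U5663F2U.js";
 export {
-createAuthorizationURL,
 createRedirectTo,
 createRedirectURI,
-
+createSignInURL,
+getBaseURL,
+getOriginURL,
+getTrustedOrigins
 };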