@aura-stack/auth 0.4.0 → 0.5.0
- package/dist/@types/index.d.ts +6 -2
- package/dist/@types/router.d.d.ts +6 -2
- package/dist/actions/callback/access-token.cjs +103 -59
- package/dist/actions/callback/access-token.d.ts +7 -3
- package/dist/actions/callback/access-token.js +3 -3
- package/dist/actions/callback/callback.cjs +200 -134
- package/dist/actions/callback/callback.d.ts +32 -3
- package/dist/actions/callback/callback.js +11 -12
- package/dist/actions/callback/userinfo.cjs +103 -70
- package/dist/actions/callback/userinfo.d.ts +6 -2
- package/dist/actions/callback/userinfo.js +7 -8
- package/dist/actions/csrfToken/csrfToken.cjs +7 -15
- package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
- package/dist/actions/csrfToken/csrfToken.js +7 -8
- package/dist/actions/index.cjs +502 -295
- package/dist/actions/index.d.ts +5 -2
- package/dist/actions/index.js +23 -20
- package/dist/actions/session/session.cjs +76 -24
- package/dist/actions/session/session.d.ts +3 -1
- package/dist/actions/session/session.js +6 -4
- package/dist/actions/signIn/authorization-url.cjs +288 -0
- package/dist/actions/signIn/authorization-url.d.ts +31 -0
- package/dist/actions/signIn/authorization-url.js +16 -0
- package/dist/actions/signIn/authorization.cjs +91 -132
- package/dist/actions/signIn/authorization.d.ts +17 -16
- package/dist/actions/signIn/authorization.js +8 -7
- package/dist/actions/signIn/signIn.cjs +319 -191
- package/dist/actions/signIn/signIn.d.ts +32 -3
- package/dist/actions/signIn/signIn.js +10 -9
- package/dist/actions/signOut/signOut.cjs +211 -212
- package/dist/actions/signOut/signOut.d.ts +9 -1
- package/dist/actions/signOut/signOut.js +9 -10
- package/dist/api/createApi.cjs +750 -0
- package/dist/api/createApi.d.ts +12 -0
- package/dist/api/createApi.js +19 -0
- package/dist/api/getSession.cjs +141 -0
- package/dist/api/getSession.d.ts +16 -0
- package/dist/api/getSession.js +10 -0
- package/dist/api/signIn.cjs +549 -0
- package/dist/api/signIn.d.ts +26 -0
- package/dist/api/signIn.js +15 -0
- package/dist/api/signOut.cjs +279 -0
- package/dist/api/signOut.d.ts +16 -0
- package/dist/api/signOut.js +13 -0
- package/dist/assert.cjs +42 -9
- package/dist/assert.d.ts +8 -4
- package/dist/assert.js +5 -5
- package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
- package/dist/chunk-2GQLSIJ2.js +40 -0
- package/dist/chunk-2IR674WX.js +44 -0
- package/dist/chunk-3J5TUH2I.js +50 -0
- package/dist/chunk-4RWSYUKX.js +98 -0
- package/dist/chunk-5X7JZMEF.js +0 -0
- package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
- package/dist/chunk-7YYXFKLR.js +35 -0
- package/dist/chunk-C3A37LQC.js +33 -0
- package/dist/chunk-CITNGXDA.js +31 -0
- package/dist/chunk-CWX724AG.js +78 -0
- package/dist/chunk-D2CSIUKP.js +74 -0
- package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
- package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
- package/dist/chunk-JOCGX3RP.js +59 -0
- package/dist/chunk-KBXWTD6E.js +94 -0
- package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
- package/dist/chunk-LAYPUDQF.js +39 -0
- package/dist/chunk-LX3TJ2TJ.js +294 -0
- package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
- package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
- package/dist/chunk-PHYNROD4.js +47 -0
- package/dist/chunk-QQEKY4XP.js +29 -0
- package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
- package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
- package/dist/chunk-UN7X6SU5.js +53 -0
- package/dist/chunk-UZQJJD6A.js +100 -0
- package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
- package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
- package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
- package/dist/client/client.cjs +135 -0
- package/dist/client/client.d.ts +85 -0
- package/dist/client/client.js +9 -0
- package/dist/client/index.cjs +135 -0
- package/dist/client/index.d.ts +14 -0
- package/dist/client/index.js +10 -0
- package/dist/context.cjs +1237 -0
- package/dist/context.d.ts +16 -0
- package/dist/context.js +28 -0
- package/dist/cookie.cjs +33 -2
- package/dist/cookie.d.ts +9 -5
- package/dist/cookie.js +3 -2
- package/dist/createAuth.cjs +2320 -0
- package/dist/createAuth.d.ts +12 -0
- package/dist/createAuth.js +48 -0
- package/dist/env.cjs +24 -2
- package/dist/env.d.ts +4 -1
- package/dist/env.js +9 -3
- package/dist/errors.cjs +17 -0
- package/dist/errors.d.ts +13 -3
- package/dist/errors.js +5 -1
- package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
- package/dist/index.cjs +2135 -1547
- package/dist/index.d.ts +9 -30
- package/dist/index.js +46 -119
- package/dist/jose.cjs +52 -14
- package/dist/jose.d.ts +12 -25
- package/dist/jose.js +11 -3
- package/dist/logger.cjs +132 -0
- package/dist/logger.d.ts +6 -2
- package/dist/logger.js +10 -1
- package/dist/oauth/atlassian.cjs +57 -0
- package/dist/oauth/atlassian.d.ts +12 -0
- package/dist/oauth/atlassian.js +6 -0
- package/dist/oauth/bitbucket.d.ts +6 -2
- package/dist/oauth/discord.d.ts +6 -2
- package/dist/oauth/dropbox.cjs +53 -0
- package/dist/oauth/dropbox.d.ts +12 -0
- package/dist/oauth/dropbox.js +6 -0
- package/dist/oauth/figma.d.ts +6 -2
- package/dist/oauth/github.d.ts +6 -2
- package/dist/oauth/gitlab.d.ts +6 -2
- package/dist/oauth/index.cjs +278 -88
- package/dist/oauth/index.d.ts +6 -2
- package/dist/oauth/index.js +27 -11
- package/dist/oauth/mailchimp.d.ts +6 -2
- package/dist/oauth/notion.cjs +131 -0
- package/dist/oauth/notion.d.ts +12 -0
- package/dist/oauth/notion.js +9 -0
- package/dist/oauth/pinterest.d.ts +6 -2
- package/dist/oauth/spotify.d.ts +6 -2
- package/dist/oauth/strava.d.ts +6 -2
- package/dist/oauth/twitch.cjs +95 -0
- package/dist/oauth/twitch.d.ts +12 -0
- package/dist/oauth/twitch.js +7 -0
- package/dist/oauth/x.d.ts +6 -2
- package/dist/schemas.cjs +84 -51
- package/dist/schemas.d.ts +103 -23
- package/dist/schemas.js +1 -1
- package/dist/secure.cjs +36 -36
- package/dist/secure.d.ts +10 -4
- package/dist/secure.js +7 -6
- package/dist/utils.cjs +109 -3
- package/dist/utils.d.ts +15 -4
- package/dist/utils.js +11 -4
- package/package.json +9 -5
- package/dist/chunk-4EKY7655.js +0 -123
- package/dist/chunk-7QF22LHP.js +0 -67
- package/dist/chunk-ALG3GIV4.js +0 -95
- package/dist/chunk-FRJFWTOY.js +0 -70
- package/dist/chunk-PHFH2MGS.js +0 -36
- package/dist/chunk-QQVSRXGX.js +0 -149
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
// src/oauth/dropbox.ts
|
|
2
|
+
var dropbox = (options) => {
|
|
3
|
+
return {
|
|
4
|
+
id: "dropbox",
|
|
5
|
+
name: "Dropbox",
|
|
6
|
+
authorize: {
|
|
7
|
+
url: "https://www.dropbox.com/oauth2/authorize",
|
|
8
|
+
params: { scope: "account_info.read" }
|
|
9
|
+
},
|
|
10
|
+
accessToken: "https://api.dropboxapi.com/oauth2/token",
|
|
11
|
+
userInfo: {
|
|
12
|
+
method: "POST",
|
|
13
|
+
url: "https://api.dropboxapi.com/2/users/get_current_account"
|
|
14
|
+
},
|
|
15
|
+
profile(profile) {
|
|
16
|
+
return {
|
|
17
|
+
sub: profile.account_id,
|
|
18
|
+
name: profile.name.display_name,
|
|
19
|
+
email: profile.email,
|
|
20
|
+
image: profile.profile_photo_url
|
|
21
|
+
};
|
|
22
|
+
},
|
|
23
|
+
...options
|
|
24
|
+
};
|
|
25
|
+
};
|
|
26
|
+
|
|
27
|
+
export {
|
|
28
|
+
dropbox
|
|
29
|
+
};
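Review bot: `profile()` maps `profile.email` straight into the returned identity without consulting the `email_verified` flag that Dropbox returns next to it from `get_current_account`, so an unverified address is presented as the user's email. If any consumer matches or links accounts by email, gate it (for example `email: profile.email_verified ? profile.email : undefined`) or carry the flag through as its own field. `profile.name.display_name` also dereferences `name` unguarded and throws on a malformed response; `profile.name?.display_name` avoids a failed callback. Because `...options` is spread last and shallowly, a caller-supplied `authorize` replaces both `url` and `params` rather than merging, which deserves a one-line comment.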
|
|
@@ -1,3 +1,11 @@
|
|
|
1
|
+
import {
|
|
2
|
+
createStructuredData
|
|
3
|
+
} from "./chunk-LX3TJ2TJ.js";
|
|
4
|
+
import {
|
|
5
|
+
getEnv,
|
|
6
|
+
getEnvBoolean
|
|
7
|
+
} from "./chunk-WHNDRO3N.js";
|
|
8
|
+
|
|
1
9
|
// src/logger.ts
|
|
2
10
|
var logMessages = {
|
|
3
11
|
ROUTER_INTERNAL_ERROR: {
|
|
@@ -257,11 +265,84 @@ var createLogEntry = (key, overrides) => {
|
|
|
257
265
|
const message = logMessages[key];
|
|
258
266
|
return {
|
|
259
267
|
...message,
|
|
268
|
+
timestamp: (/* @__PURE__ */ new Date()).toISOString(),
|
|
269
|
+
hostname: "aura-auth",
|
|
270
|
+
procId: typeof process !== "undefined" && process.pid ? process.pid.toString() : "-",
|
|
260
271
|
...overrides
|
|
261
272
|
};
|
|
262
273
|
};
|
|
274
|
+
var logLevelToSeverity = {
|
|
275
|
+
debug: ["debug", "info", "notice", "warning", "error", "critical", "alert", "emergency"],
|
|
276
|
+
info: ["info", "notice", "warning", "error", "critical", "alert", "emergency"],
|
|
277
|
+
warn: ["warning", "error", "critical", "alert", "emergency"],
|
|
278
|
+
error: ["error", "critical", "alert", "emergency"]
|
|
279
|
+
};
|
|
280
|
+
var isValidLogLevel = (value) => {
|
|
281
|
+
return value === "debug" || value === "info" || value === "warn" || value === "error";
|
|
282
|
+
};
|
|
283
|
+
var getSeverityLevel = (severity) => {
|
|
284
|
+
const severities = {
|
|
285
|
+
emergency: 0,
|
|
286
|
+
alert: 1,
|
|
287
|
+
critical: 2,
|
|
288
|
+
error: 3,
|
|
289
|
+
warning: 4,
|
|
290
|
+
notice: 5,
|
|
291
|
+
info: 6,
|
|
292
|
+
debug: 7
|
|
293
|
+
};
|
|
294
|
+
return severities[severity] ?? 6;
|
|
295
|
+
};
|
|
296
|
+
var createSyslogMessage = (options) => {
|
|
297
|
+
const { timestamp, hostname, appName = "aura-auth", procId = "-", msgId, structuredData, message } = options;
|
|
298
|
+
const pri = (options.facility ?? 16) * 8 + getSeverityLevel(options.severity);
|
|
299
|
+
const structuredDataStr = createStructuredData(structuredData ?? {});
|
|
300
|
+
return `<${pri}>1 ${timestamp} ${hostname} ${appName} ${procId} ${msgId} ${structuredDataStr} ${message}`;
|
|
301
|
+
};
|
|
302
|
+
var createLogger = (logger) => {
|
|
303
|
+
if (!logger) return void 0;
|
|
304
|
+
const level = logger.level;
|
|
305
|
+
const allowedSeverities = logLevelToSeverity[level] ?? [];
|
|
306
|
+
return {
|
|
307
|
+
level,
|
|
308
|
+
log(key, overrides) {
|
|
309
|
+
const entry = createLogEntry(key, overrides);
|
|
310
|
+
if (!allowedSeverities.includes(entry.severity)) return entry;
|
|
311
|
+
logger.log({
|
|
312
|
+
timestamp: entry.timestamp,
|
|
313
|
+
appName: entry.appName ?? "aura-auth",
|
|
314
|
+
hostname: entry.hostname ?? "aura-auth",
|
|
315
|
+
...entry
|
|
316
|
+
});
|
|
317
|
+
return entry;
|
|
318
|
+
}
|
|
319
|
+
};
|
|
320
|
+
};
|
|
321
|
+
var createProxyLogger = (config) => {
|
|
322
|
+
const level = getEnv("LOG_LEVEL");
|
|
323
|
+
const debug = getEnvBoolean("DEBUG");
|
|
324
|
+
if (typeof config?.logger === "object") {
|
|
325
|
+
return createLogger({
|
|
326
|
+
log: config.logger?.log || createSyslogMessage,
|
|
327
|
+
level: isValidLogLevel(config.logger?.level) ? config.logger?.level : isValidLogLevel(level) ? level : "error"
|
|
328
|
+
});
|
|
329
|
+
}
|
|
330
|
+
if (debug || config?.logger === true || level) {
|
|
331
|
+
return createLogger({
|
|
332
|
+
level: isValidLogLevel(level) ? level : "debug",
|
|
333
|
+
log: (options) => {
|
|
334
|
+
const message = createSyslogMessage(options);
|
|
335
|
+
console.log(message);
|
|
336
|
+
}
|
|
337
|
+
});
|
|
338
|
+
}
|
|
339
|
+
return void 0;
|
|
340
|
+
};
|
|
263
341
|
|
|
264
342
|
export {
|
|
265
343
|
logMessages,
|
|
266
|
-
createLogEntry
|
|
344
|
+
createLogEntry,
|
|
345
|
+
createSyslogMessage,
|
|
346
|
+
createLogger,
|
|
347
|
+
createProxyLogger
|
|
267
348
|
};
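Review bot: In `createProxyLogger`, the fallback `log: config.logger?.log || createSyslogMessage` silently discards every entry, because `createSyslogMessage` only returns the formatted string and `createLogger` ignores the return value of `logger.log(...)`; an object config without a `log` function therefore emits nothing. Reusing the console sink from the second branch keeps security events visible: `log: config.logger?.log ?? ((o) => console.log(createSyslogMessage(o)))`. Separately, `isValidLogLevel(level) ? level : "debug"` turns a mistyped `LOG_LEVEL` into the most verbose level, whereas the first branch defaults to `"error"`; the same conservative default would be safer here. `createSyslogMessage` also interpolates `hostname`, `msgId` and `message` without stripping CR/LF, so if any override can carry request-derived text (not visible in this hunk) one entry could be split into forged lines.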
|
|
@@ -31,6 +31,16 @@ var AuthSecurityError = class extends Error {
|
|
|
31
31
|
Error.captureStackTrace(this, new.target);
|
|
32
32
|
}
|
|
33
33
|
};
|
|
34
|
+
var AuthClientError = class extends Error {
|
|
35
|
+
type = "AUTH_CLIENT_ERROR";
|
|
36
|
+
code;
|
|
37
|
+
constructor(code, message, options) {
|
|
38
|
+
super(message, options);
|
|
39
|
+
this.code = code;
|
|
40
|
+
this.name = new.target.name;
|
|
41
|
+
Error.captureStackTrace(this, new.target);
|
|
42
|
+
}
|
|
43
|
+
};
|
|
34
44
|
var isNativeError = (error) => {
|
|
35
45
|
return error instanceof Error;
|
|
36
46
|
};
|
|
@@ -43,13 +53,18 @@ var isAuthInternalError = (error) => {
|
|
|
43
53
|
var isAuthSecurityError = (error) => {
|
|
44
54
|
return error instanceof AuthSecurityError;
|
|
45
55
|
};
|
|
56
|
+
var isAuthClientError = (error) => {
|
|
57
|
+
return error instanceof AuthClientError;
|
|
58
|
+
};
|
|
46
59
|
|
|
47
60
|
export {
|
|
48
61
|
OAuthProtocolError,
|
|
49
62
|
AuthInternalError,
|
|
50
63
|
AuthSecurityError,
|
|
64
|
+
AuthClientError,
|
|
51
65
|
isNativeError,
|
|
52
66
|
isOAuthProtocolError,
|
|
53
67
|
isAuthInternalError,
|
|
54
|
-
isAuthSecurityError
|
|
68
|
+
isAuthSecurityError,
|
|
69
|
+
isAuthClientError
|
|
55
70
|
};
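Review bot: `AuthClientError` calls `Error.captureStackTrace(this, new.target)` unconditionally, but that function is a V8 extension and this class is also bundled into the client build (the `src/client/client.ts` section of this diff), so on an engine that lacks it, constructing the error throws a `TypeError` that masks the real failure. Guard the call: `if (typeof Error.captureStackTrace === "function") Error.captureStackTrace(this, new.target);`. A short comment on the class stating that `code` is a machine-readable identifier and `message` the human-readable text would also help, since the constructor takes them positionally and they are easy to swap.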
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
import {
|
|
2
|
+
signIn
|
|
3
|
+
} from "./chunk-JOCGX3RP.js";
|
|
4
|
+
|
|
5
|
+
// src/actions/signIn/signIn.ts
|
|
6
|
+
import { z } from "zod/v4";
|
|
7
|
+
import { createEndpoint, createEndpointConfig } from "@aura-stack/router";
|
|
8
|
+
var signInConfig = (oauth) => {
|
|
9
|
+
return createEndpointConfig("/signIn/:oauth", {
|
|
10
|
+
schemas: {
|
|
11
|
+
params: z.object({
|
|
12
|
+
oauth: z.enum(
|
|
13
|
+
Object.keys(oauth),
|
|
14
|
+
"The OAuth provider is not supported or invalid."
|
|
15
|
+
)
|
|
16
|
+
}),
|
|
17
|
+
searchParams: z.object({
|
|
18
|
+
redirect: z.stringbool().optional().default(true),
|
|
19
|
+
redirectTo: z.string().optional()
|
|
20
|
+
})
|
|
21
|
+
}
|
|
22
|
+
});
|
|
23
|
+
};
|
|
24
|
+
var signInAction = (oauth) => {
|
|
25
|
+
return createEndpoint(
|
|
26
|
+
"GET",
|
|
27
|
+
"/signIn/:oauth",
|
|
28
|
+
async (ctx) => {
|
|
29
|
+
const {
|
|
30
|
+
request,
|
|
31
|
+
params: { oauth: oauth2 },
|
|
32
|
+
searchParams: { redirectTo, redirect },
|
|
33
|
+
context
|
|
34
|
+
} = ctx;
|
|
35
|
+
const signInResult = await signIn(oauth2, {
|
|
36
|
+
ctx: context,
|
|
37
|
+
headers: request.headers,
|
|
38
|
+
redirect,
|
|
39
|
+
redirectTo,
|
|
40
|
+
request
|
|
41
|
+
});
|
|
42
|
+
if (!redirect) {
|
|
43
|
+
return Response.json(signInResult, { status: 200 });
|
|
44
|
+
}
|
|
45
|
+
return signInResult;
|
|
46
|
+
},
|
|
47
|
+
signInConfig(oauth)
|
|
48
|
+
);
|
|
49
|
+
};
|
|
50
|
+
|
|
51
|
+
export {
|
|
52
|
+
signInAction
|
|
53
|
+
};
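Review bot: `redirectTo: z.string().optional()` accepts any string from the query and the handler forwards it untouched to `signIn(...)`, so the schema gives no protection against an open redirect; whether `signIn` (imported from another chunk, not shown) restricts it to same-origin or allow-listed targets cannot be confirmed from this section. If it does, say so in a comment next to the schema; if not, constrain the value at this boundary, for example to relative paths only. The `redirect=false` branch returns `Response.json(signInResult, { status: 200 })` from a GET, and since that body appears to hold a per-request authorization URL it is worth confirming the response is not cacheable.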
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
import {
|
|
2
|
+
getEnv
|
|
3
|
+
} from "./chunk-WHNDRO3N.js";
|
|
4
|
+
import {
|
|
5
|
+
AuthInternalError
|
|
6
|
+
} from "./chunk-U5663F2U.js";
|
|
7
|
+
|
|
8
|
+
// src/jose.ts
|
|
9
|
+
import {
|
|
10
|
+
createJWT,
|
|
11
|
+
createJWS,
|
|
12
|
+
createJWE,
|
|
13
|
+
createDeriveKey,
|
|
14
|
+
createSecret
|
|
15
|
+
} from "@aura-stack/jose";
|
|
16
|
+
import { base64url } from "@aura-stack/jose/jose";
|
|
17
|
+
import { encoder, getRandomBytes, getSubtleCrypto } from "@aura-stack/jose/crypto";
|
|
18
|
+
var createJoseInstance = (secret) => {
|
|
19
|
+
secret ??= getEnv("SECRET");
|
|
20
|
+
if (!secret) {
|
|
21
|
+
throw new AuthInternalError(
|
|
22
|
+
"JOSE_INITIALIZATION_FAILED",
|
|
23
|
+
"AURA_AUTH_SECRET environment variable is not set and no secret was provided."
|
|
24
|
+
);
|
|
25
|
+
}
|
|
26
|
+
const salt = getEnv("SALT");
|
|
27
|
+
if (!salt) {
|
|
28
|
+
throw new AuthInternalError(
|
|
29
|
+
"JOSE_INITIALIZATION_FAILED",
|
|
30
|
+
"AURA_AUTH_SALT or AUTH_SALT environment variable is not set. A salt value is required for key derivation."
|
|
31
|
+
);
|
|
32
|
+
}
|
|
33
|
+
try {
|
|
34
|
+
createSecret(salt);
|
|
35
|
+
} catch (error) {
|
|
36
|
+
throw new AuthInternalError(
|
|
37
|
+
"INVALID_SALT_SECRET_VALUE",
|
|
38
|
+
"AURA_AUTH_SALT/AUTH_SALT is invalid. It must be at least 32 bytes long and meet entropy requirements.",
|
|
39
|
+
{ cause: error }
|
|
40
|
+
);
|
|
41
|
+
}
|
|
42
|
+
const jose = (async () => {
|
|
43
|
+
const derivedSigningKey = await createDeriveKey(secret, salt, "signing");
|
|
44
|
+
const derivedEncryptionKey = await createDeriveKey(secret, salt, "encryption");
|
|
45
|
+
const derivedCsrfTokenKey = await createDeriveKey(secret, salt, "csrfToken");
|
|
46
|
+
return {
|
|
47
|
+
jwt: createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey }),
|
|
48
|
+
jws: createJWS(derivedCsrfTokenKey),
|
|
49
|
+
jwe: createJWE(derivedEncryptionKey)
|
|
50
|
+
};
|
|
51
|
+
})();
|
|
52
|
+
jose.catch(() => {
|
|
53
|
+
});
|
|
54
|
+
return {
|
|
55
|
+
decodeJWT: async (token, options) => {
|
|
56
|
+
const { jwt } = await jose;
|
|
57
|
+
return jwt.decodeJWT(token, options);
|
|
58
|
+
},
|
|
59
|
+
encodeJWT: async (payload) => {
|
|
60
|
+
const { jwt } = await jose;
|
|
61
|
+
return jwt.encodeJWT(payload);
|
|
62
|
+
},
|
|
63
|
+
signJWS: async (...args) => {
|
|
64
|
+
const { jws } = await jose;
|
|
65
|
+
return jws.signJWS(...args);
|
|
66
|
+
},
|
|
67
|
+
verifyJWS: async (...args) => {
|
|
68
|
+
const { jws } = await jose;
|
|
69
|
+
return jws.verifyJWS(...args);
|
|
70
|
+
},
|
|
71
|
+
encryptJWE: async (...args) => {
|
|
72
|
+
const { jwe } = await jose;
|
|
73
|
+
return jwe.encryptJWE(...args);
|
|
74
|
+
},
|
|
75
|
+
decryptJWE: async (...args) => {
|
|
76
|
+
const { jwe } = await jose;
|
|
77
|
+
return jwe.decryptJWE(...args);
|
|
78
|
+
}
|
|
79
|
+
};
|
|
80
|
+
};
|
|
81
|
+
var jwtVerificationOptions = {
|
|
82
|
+
algorithms: ["HS256"],
|
|
83
|
+
typ: "JWT"
|
|
84
|
+
};
|
|
85
|
+
var decodeJWTOptions = {
|
|
86
|
+
jws: jwtVerificationOptions,
|
|
87
|
+
jwt: {
|
|
88
|
+
typ: "JWT"
|
|
89
|
+
}
|
|
90
|
+
};
|
|
91
|
+
|
|
92
|
+
export {
|
|
93
|
+
createJoseInstance,
|
|
94
|
+
jwtVerificationOptions,
|
|
95
|
+
decodeJWTOptions,
|
|
96
|
+
base64url,
|
|
97
|
+
encoder,
|
|
98
|
+
getRandomBytes,
|
|
99
|
+
getSubtleCrypto
|
|
100
|
+
};
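Review bot: Only the salt is passed through `createSecret(...)` for length and entropy validation in `createJoseInstance`; `secret` is checked for truthiness and then handed directly to `createDeriveKey(secret, salt, ...)`, so a short or low-entropy secret is accepted unless `createDeriveKey` rejects it itself (not visible here). Validating the secret alongside the salt, with its own error code, would keep that guarantee local to this function. The first error text names only `AURA_AUTH_SECRET` and the second only `AURA_AUTH_SALT or AUTH_SALT`, although `getEnv` consults four candidate names for each key, which makes a misconfiguration harder to diagnose. The empty `jose.catch(() => {})` needs a comment explaining that it only suppresses the unhandled-rejection warning and that each method still rejects through its own `await jose`.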
|
|
@@ -1,24 +1,30 @@
|
|
|
1
1
|
import {
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
equals
|
|
7
|
-
} from "./chunk-QQVSRXGX.js";
|
|
8
|
-
import {
|
|
2
|
+
base64url,
|
|
3
|
+
encoder,
|
|
4
|
+
getRandomBytes,
|
|
5
|
+
getSubtleCrypto,
|
|
9
6
|
jwtVerificationOptions
|
|
10
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-UZQJJD6A.js";
|
|
8
|
+
import {
|
|
9
|
+
equals,
|
|
10
|
+
isJWTPayloadWithToken,
|
|
11
|
+
timingSafeEqual
|
|
12
|
+
} from "./chunk-LX3TJ2TJ.js";
|
|
11
13
|
import {
|
|
12
14
|
AuthSecurityError
|
|
13
|
-
} from "./chunk-
|
|
15
|
+
} from "./chunk-U5663F2U.js";
|
|
14
16
|
|
|
15
17
|
// src/secure.ts
|
|
16
|
-
import crypto from "crypto";
|
|
17
18
|
var generateSecure = (length = 32) => {
|
|
18
|
-
return
|
|
19
|
+
return base64url.encode(getRandomBytes(length));
|
|
20
|
+
};
|
|
21
|
+
var createSecretValue = (length = 32) => {
|
|
22
|
+
return base64url.encode(getRandomBytes(length));
|
|
19
23
|
};
|
|
20
|
-
var createHash = (data
|
|
21
|
-
|
|
24
|
+
var createHash = async (data) => {
|
|
25
|
+
const subtle = getSubtleCrypto();
|
|
26
|
+
const digest = await subtle.digest("SHA-256", encoder.encode(data));
|
|
27
|
+
return base64url.encode(new Uint8Array(digest));
|
|
22
28
|
};
|
|
23
29
|
var createPKCE = async (verifier) => {
|
|
24
30
|
const byteLength = verifier ? void 0 : Math.floor(Math.random() * (96 - 32 + 1) + 32);
|
|
@@ -26,7 +32,7 @@ var createPKCE = async (verifier) => {
|
|
|
26
32
|
if (codeVerifier.length < 43 || codeVerifier.length > 128) {
|
|
27
33
|
throw new AuthSecurityError("PKCE_VERIFIER_INVALID", "The code verifier must be between 43 and 128 characters in length.");
|
|
28
34
|
}
|
|
29
|
-
const codeChallenge = createHash(codeVerifier
|
|
35
|
+
const codeChallenge = await createHash(codeVerifier);
|
|
30
36
|
return { codeVerifier, codeChallenge, method: "S256" };
|
|
31
37
|
};
|
|
32
38
|
var createCSRF = async (jose, csrfCookie) => {
|
|
@@ -55,7 +61,7 @@ var verifyCSRF = async (jose, cookie, header) => {
|
|
|
55
61
|
if (!equals(cookiePayload.token.length, headerPayload.token.length)) {
|
|
56
62
|
throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
|
|
57
63
|
}
|
|
58
|
-
if (!
|
|
64
|
+
if (!timingSafeEqual(cookiePayload.token, headerPayload.token)) {
|
|
59
65
|
throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
|
|
60
66
|
}
|
|
61
67
|
return true;
|
|
@@ -66,6 +72,7 @@ var verifyCSRF = async (jose, cookie, header) => {
|
|
|
66
72
|
|
|
67
73
|
export {
|
|
68
74
|
generateSecure,
|
|
75
|
+
createSecretValue,
|
|
69
76
|
createHash,
|
|
70
77
|
createPKCE,
|
|
71
78
|
createCSRF,
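Review bot: `createHash` appears to change from a synchronous function to `async` while staying in the export list, so any caller that was not updated now receives a Promise and would embed `[object Promise]` where a digest is expected; only the `createPKCE` call site is visibly converted to `await createHash(codeVerifier)` in this diff. A comment on the function stating the new `Promise<string>` contract, plus a check of the remaining callers, would prevent a silently broken challenge or hash comparison. `createSecretValue` has exactly the same body as `generateSecure`; `var createSecretValue = generateSecure;` with a comment on the intended use keeps the two from drifting apart.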
|
|
@@ -25,7 +25,26 @@ var env = new Proxy({}, {
|
|
|
25
25
|
}
|
|
26
26
|
}
|
|
27
27
|
});
|
|
28
|
+
var getEnv = (key) => {
|
|
29
|
+
const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
|
|
30
|
+
return env[keys.find((k) => env[k]) ?? ""];
|
|
31
|
+
};
|
|
32
|
+
var getEnvBoolean = (key) => {
|
|
33
|
+
const value = getEnv(key);
|
|
34
|
+
if (value === void 0) return false;
|
|
35
|
+
const normalized = value.trim().toLowerCase();
|
|
36
|
+
if (["1", "true", "yes", "on", "debug"].includes(normalized)) return true;
|
|
37
|
+
return false;
|
|
38
|
+
};
|
|
39
|
+
var getEnvArray = (key, defaultValue = []) => {
|
|
40
|
+
const value = getEnv(key);
|
|
41
|
+
if (!value) return defaultValue;
|
|
42
|
+
return value.split(/[,;\n]+/).map((v) => v.trim()).filter(Boolean);
|
|
43
|
+
};
|
|
28
44
|
|
|
29
45
|
export {
|
|
30
|
-
env
|
|
46
|
+
env,
|
|
47
|
+
getEnv,
|
|
48
|
+
getEnvBoolean,
|
|
49
|
+
getEnvArray
|
|
31
50
|
};
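Review bot: `getEnv` uses the bare upper-cased key as its last candidate, so the `getEnv("SECRET")`, `getEnv("SALT")`, `getEnvBoolean("DEBUG")` and `getEnv("LOG_LEVEL")` calls elsewhere in this release will pick up generic variables such as `SECRET` or `LOG_LEVEL` that were set for an unrelated component. For key material that means an unintended value can become the input to key derivation; consider dropping the unprefixed fallback or limiting it to non-sensitive keys. When nothing matches, the lookup becomes `env[""]`, which relies on the proxy's `get` handler (outside this hunk) returning `undefined` for an empty name; `const hit = keys.find((k) => env[k]); return hit ? env[hit] : undefined;` states the intent directly. `getEnvBoolean` treating the value `"debug"` as true is unusual enough to merit a comment.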
|
|
@@ -1,6 +1,9 @@
|
|
|
1
|
+
import {
|
|
2
|
+
env
|
|
3
|
+
} from "./chunk-WHNDRO3N.js";
|
|
1
4
|
import {
|
|
2
5
|
AuthInternalError
|
|
3
|
-
} from "./chunk-
|
|
6
|
+
} from "./chunk-U5663F2U.js";
|
|
4
7
|
|
|
5
8
|
// src/cookie.ts
|
|
6
9
|
import { parse, parseSetCookie, serialize } from "@aura-stack/router/cookie";
|
|
@@ -41,7 +44,7 @@ var expiredCookieAttributes = {
|
|
|
41
44
|
secure: true
|
|
42
45
|
};
|
|
43
46
|
var getCookie = (request, cookieName) => {
|
|
44
|
-
const cookies = request.headers.get("Cookie");
|
|
47
|
+
const cookies = request instanceof Request ? request.headers.get("Cookie") : request.get("Cookie");
|
|
45
48
|
if (!cookies) {
|
|
46
49
|
throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
|
|
47
50
|
}
|
|
@@ -86,7 +89,7 @@ var defineSecureCookieOptions = (useSecure, attributes, strategy, logger) => {
|
|
|
86
89
|
attributes.sameSite = "lax";
|
|
87
90
|
logger?.log("COOKIE_SAMESITE_NONE_WITHOUT_SECURE");
|
|
88
91
|
}
|
|
89
|
-
if (
|
|
92
|
+
if (env.NODE_ENV === "production") {
|
|
90
93
|
logger?.log("COOKIE_INSECURE_IN_PRODUCTION");
|
|
91
94
|
}
|
|
92
95
|
if (strategy === "host") {
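Review bot: `request instanceof Request` in `getCookie` depends on the realm and on which `Request` implementation built the object: one created by a polyfill or a different `Request` constructor fails the test and falls into `request.get("Cookie")`, which throws a `TypeError` instead of the intended `COOKIE_NOT_FOUND`. Testing the shape is sturdier, e.g. `const headers = "headers" in request ? request.headers : request;` followed by `const cookies = headers.get("Cookie");`. The parameter now accepts either a request or a headers-like object and nothing in the function says so; a one-line comment would help. The function body continues outside the hunk.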
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __defProp = Object.defineProperty;
|
|
3
|
+
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
4
|
+
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
5
|
+
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
6
|
+
var __export = (target, all) => {
|
|
7
|
+
for (var name in all)
|
|
8
|
+
__defProp(target, name, { get: all[name], enumerable: true });
|
|
9
|
+
};
|
|
10
|
+
var __copyProps = (to, from, except, desc) => {
|
|
11
|
+
if (from && typeof from === "object" || typeof from === "function") {
|
|
12
|
+
for (let key of __getOwnPropNames(from))
|
|
13
|
+
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
14
|
+
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
17
|
+
};
|
|
18
|
+
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
19
|
+
|
|
20
|
+
// src/client/client.ts
|
|
21
|
+
var client_exports = {};
|
|
22
|
+
__export(client_exports, {
|
|
23
|
+
createAuthClient: () => createAuthClient,
|
|
24
|
+
createClient: () => createClient
|
|
25
|
+
});
|
|
26
|
+
module.exports = __toCommonJS(client_exports);
|
|
27
|
+
|
|
28
|
+
// src/errors.ts
|
|
29
|
+
var AuthClientError = class extends Error {
|
|
30
|
+
type = "AUTH_CLIENT_ERROR";
|
|
31
|
+
code;
|
|
32
|
+
constructor(code, message, options) {
|
|
33
|
+
super(message, options);
|
|
34
|
+
this.code = code;
|
|
35
|
+
this.name = new.target.name;
|
|
36
|
+
Error.captureStackTrace(this, new.target);
|
|
37
|
+
}
|
|
38
|
+
};
|
|
39
|
+
var isNativeError = (error) => {
|
|
40
|
+
return error instanceof Error;
|
|
41
|
+
};
|
|
42
|
+
|
|
43
|
+
// src/client/client.ts
|
|
44
|
+
var import_router = require("@aura-stack/router");
|
|
45
|
+
var createClient = import_router.createClient;
|
|
46
|
+
var createAuthClient = (options) => {
|
|
47
|
+
if (typeof window === "undefined" && !options.baseURL) {
|
|
48
|
+
throw new AuthClientError("`baseURL` is required when createAuthClient is used outside the browser.");
|
|
49
|
+
}
|
|
50
|
+
const client = createClient({
|
|
51
|
+
cache: "no-store",
|
|
52
|
+
credentials: "include",
|
|
53
|
+
baseURL: options.baseURL ?? window.location.origin,
|
|
54
|
+
...options
|
|
55
|
+
});
|
|
56
|
+
const getCSRFToken = async () => {
|
|
57
|
+
try {
|
|
58
|
+
const response = await client.get("/csrfToken");
|
|
59
|
+
if (!response.ok) return null;
|
|
60
|
+
const data = await response.json();
|
|
61
|
+
return data.csrfToken;
|
|
62
|
+
} catch (error) {
|
|
63
|
+
console.error("Error fetching CSRF token:", error);
|
|
64
|
+
return null;
|
|
65
|
+
}
|
|
66
|
+
};
|
|
67
|
+
const getSession = async () => {
|
|
68
|
+
try {
|
|
69
|
+
const response = await client.get("/session");
|
|
70
|
+
if (!response.ok) return null;
|
|
71
|
+
const session = await response.json();
|
|
72
|
+
if (!session?.authenticated) return null;
|
|
73
|
+
return session.session;
|
|
74
|
+
} catch (error) {
|
|
75
|
+
console.error("Error fetching session:", error);
|
|
76
|
+
return null;
|
|
77
|
+
}
|
|
78
|
+
};
|
|
79
|
+
const signIn = async (oauth, options2) => {
|
|
80
|
+
try {
|
|
81
|
+
const response = await client.get("/signIn/:oauth", {
|
|
82
|
+
params: {
|
|
83
|
+
oauth
|
|
84
|
+
},
|
|
85
|
+
searchParams: {
|
|
86
|
+
...options2,
|
|
87
|
+
redirect: false
|
|
88
|
+
}
|
|
89
|
+
});
|
|
90
|
+
const json = await response.json();
|
|
91
|
+
if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.signInURL) {
|
|
92
|
+
window.location.assign(json.signInURL);
|
|
93
|
+
}
|
|
94
|
+
return json;
|
|
95
|
+
} catch (error) {
|
|
96
|
+
console.error("Error during sign-in:", error);
|
|
97
|
+
return { redirect: false, signInURL: "/" };
|
|
98
|
+
}
|
|
99
|
+
};
|
|
100
|
+
const signOut = async (options2) => {
|
|
101
|
+
try {
|
|
102
|
+
const csrfToken = await getCSRFToken();
|
|
103
|
+
if (!csrfToken) {
|
|
104
|
+
throw new AuthClientError("Failed to fetch CSRF token for sign-out.");
|
|
105
|
+
}
|
|
106
|
+
const response = await client.post("/signOut", {
|
|
107
|
+
searchParams: {
|
|
108
|
+
redirectTo: options2?.redirectTo ?? "/",
|
|
109
|
+
token_type_hint: "session_token"
|
|
110
|
+
},
|
|
111
|
+
headers: {
|
|
112
|
+
"X-CSRF-Token": csrfToken
|
|
113
|
+
}
|
|
114
|
+
});
|
|
115
|
+
const json = await response.json();
|
|
116
|
+
if ((options2?.redirect ?? true) && typeof window !== "undefined" && json?.url) {
|
|
117
|
+
window.location.assign(json.url);
|
|
118
|
+
}
|
|
119
|
+
return json;
|
|
120
|
+
} catch (error) {
|
|
121
|
+
console.error("Error during sign-out:", error);
|
|
122
|
+
throw isNativeError(error) ? error : new AuthClientError("Sign-out failed.", "The sign-out request failed.", { cause: error });
|
|
123
|
+
}
|
|
124
|
+
};
|
|
125
|
+
return {
|
|
126
|
+
getSession,
|
|
127
|
+
signIn,
|
|
128
|
+
signOut
|
|
129
|
+
};
|
|
130
|
+
};
|
|
131
|
+
// Annotate the CommonJS export names for ESM import in node:
|
|
132
|
+
0 && (module.exports = {
|
|
133
|
+
createAuthClient,
|
|
134
|
+
createClient
|
|
135
|
+
});
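Review bot: Every `new AuthClientError(...)` in `createAuthClient` is called with the wrong shape for the `(code, message, options)` constructor defined above it: the `baseURL` check and the CSRF failure pass a single prose string, which lands in `code` and leaves `message` empty, and the catch block in `signOut` passes `"Sign-out failed."` as the code. Put a stable identifier first, e.g. `new AuthClientError("CSRF_TOKEN_FETCH_FAILED", "Failed to fetch CSRF token for sign-out.")` (identifier is a constructed example). `signIn` and `signOut` also hand `json.signInURL` / `json.url` to `window.location.assign` without checking `response.ok` or that the value is an `http(s)` URL, so the navigation target is whatever the server produced from `redirectTo`; parsing it with `new URL(value, window.location.origin)` and checking `protocol` before assigning would bound that. `getCSRFToken` and `getSession` return `null` on any error, which makes a network failure indistinguishable from a signed-out state for callers.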
|
|
@@ -0,0 +1,85 @@
|
|
|
1
|
+
import { l as AuthClientOptions, m as Session, B as BuiltInOAuthProvider, n as SignInOptions, o as SignOutOptions } from '../index-_aXtxb_s.js';
|
|
2
|
+
import '@aura-stack/router/types';
|
|
3
|
+
import * as zod_v4_core from 'zod/v4/core';
|
|
4
|
+
import * as zod from 'zod';
|
|
5
|
+
import * as _aura_stack_router from '@aura-stack/router';
|
|
6
|
+
import { LiteralUnion } from '../@types/utility.js';
|
|
7
|
+
import '../schemas.js';
|
|
8
|
+
import 'zod/v4';
|
|
9
|
+
import '@aura-stack/jose';
|
|
10
|
+
import '@aura-stack/jose/jose';
|
|
11
|
+
import '@aura-stack/jose/crypto';
|
|
12
|
+
import '@aura-stack/router/cookie';
|
|
13
|
+
import 'jose';
|
|
14
|
+
|
|
15
|
+
declare const createClient: (options: _aura_stack_router.ClientOptions) => _aura_stack_router.Client<[_aura_stack_router.RouteEndpoint<"GET", "/signIn/:oauth", {
|
|
16
|
+
schemas?: {
|
|
17
|
+
params: zod.ZodObject<{
|
|
18
|
+
oauth: zod.ZodEnum<{
|
|
19
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
20
|
+
github: "github";
|
|
21
|
+
bitbucket: "bitbucket";
|
|
22
|
+
figma: "figma";
|
|
23
|
+
discord: "discord";
|
|
24
|
+
gitlab: "gitlab";
|
|
25
|
+
spotify: "spotify";
|
|
26
|
+
x: "x";
|
|
27
|
+
strava: "strava";
|
|
28
|
+
mailchimp: "mailchimp";
|
|
29
|
+
pinterest: "pinterest";
|
|
30
|
+
twitch: "twitch";
|
|
31
|
+
notion: "notion";
|
|
32
|
+
dropbox: "dropbox";
|
|
33
|
+
atlassian: "atlassian";
|
|
34
|
+
}>;
|
|
35
|
+
}, zod_v4_core.$strip>;
|
|
36
|
+
searchParams: zod.ZodObject<{
|
|
37
|
+
redirect: zod.ZodDefault<zod.ZodOptional<zod.ZodCodec<zod.ZodString, zod.ZodBoolean>>>;
|
|
38
|
+
redirectTo: zod.ZodOptional<zod.ZodString>;
|
|
39
|
+
}, zod_v4_core.$strip>;
|
|
40
|
+
} | undefined;
|
|
41
|
+
}>, _aura_stack_router.RouteEndpoint<"GET", "/callback/:oauth", {
|
|
42
|
+
schemas?: {
|
|
43
|
+
params: zod.ZodObject<{
|
|
44
|
+
oauth: zod.ZodEnum<{
|
|
45
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
46
|
+
github: "github";
|
|
47
|
+
bitbucket: "bitbucket";
|
|
48
|
+
figma: "figma";
|
|
49
|
+
discord: "discord";
|
|
50
|
+
gitlab: "gitlab";
|
|
51
|
+
spotify: "spotify";
|
|
52
|
+
x: "x";
|
|
53
|
+
strava: "strava";
|
|
54
|
+
mailchimp: "mailchimp";
|
|
55
|
+
pinterest: "pinterest";
|
|
56
|
+
twitch: "twitch";
|
|
57
|
+
notion: "notion";
|
|
58
|
+
dropbox: "dropbox";
|
|
59
|
+
atlassian: "atlassian";
|
|
60
|
+
}>;
|
|
61
|
+
}, zod_v4_core.$strip>;
|
|
62
|
+
searchParams: zod.ZodObject<{
|
|
63
|
+
code: zod.ZodString;
|
|
64
|
+
state: zod.ZodString;
|
|
65
|
+
}, zod_v4_core.$strip>;
|
|
66
|
+
} | undefined;
|
|
67
|
+
}>, _aura_stack_router.RouteEndpoint<"GET", "/session", {
|
|
68
|
+
schemas?: _aura_stack_router.EndpointSchemas | undefined;
|
|
69
|
+
}>, _aura_stack_router.RouteEndpoint<"POST", "/signOut", {
|
|
70
|
+
schemas?: {
|
|
71
|
+
searchParams: zod.ZodObject<{
|
|
72
|
+
token_type_hint: zod.ZodLiteral<"session_token">;
|
|
73
|
+
redirectTo: zod.ZodOptional<zod.ZodString>;
|
|
74
|
+
}, zod_v4_core.$strip>;
|
|
75
|
+
} | undefined;
|
|
76
|
+
}>, _aura_stack_router.RouteEndpoint<"GET", "/csrfToken", {
|
|
77
|
+
schemas?: _aura_stack_router.EndpointSchemas | undefined;
|
|
78
|
+
}>]>;
|
|
79
|
+
declare const createAuthClient: (options: AuthClientOptions) => {
|
|
80
|
+
getSession: () => Promise<Session | null>;
|
|
81
|
+
signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInOptions) => Promise<any>;
|
|
82
|
+
signOut: (options?: SignOutOptions) => Promise<any>;
|
|
83
|
+
};
|
|
84
|
+
|
|
85
|
+
export { createAuthClient, createClient };
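Review bot: `signIn` and `signOut` are declared as returning `Promise<any>`, which switches off type checking for every consumer of the result even though the implementation returns a small object (for example `{ redirect, signInURL }` on the sign-in fallback path). Declaring result types in the source, or `Promise<unknown>` until they exist, would stop callers from dereferencing fields that are not there. The `[x: string & Record<never, never>]` index signature inside both `ZodEnum` types also means the `oauth` param type admits any string, so the listed provider literals act only as documentation at the type level.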
|