@aura-stack/auth 0.4.0 → 0.5.0

Files changed (149) hide show
  1. package/dist/@types/index.d.ts +6 -2
  2. package/dist/@types/router.d.d.ts +6 -2
  3. package/dist/actions/callback/access-token.cjs +103 -59
  4. package/dist/actions/callback/access-token.d.ts +7 -3
  5. package/dist/actions/callback/access-token.js +3 -3
  6. package/dist/actions/callback/callback.cjs +200 -134
  7. package/dist/actions/callback/callback.d.ts +32 -3
  8. package/dist/actions/callback/callback.js +11 -12
  9. package/dist/actions/callback/userinfo.cjs +103 -70
  10. package/dist/actions/callback/userinfo.d.ts +6 -2
  11. package/dist/actions/callback/userinfo.js +7 -8
  12. package/dist/actions/csrfToken/csrfToken.cjs +7 -15
  13. package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
  14. package/dist/actions/csrfToken/csrfToken.js +7 -8
  15. package/dist/actions/index.cjs +502 -295
  16. package/dist/actions/index.d.ts +5 -2
  17. package/dist/actions/index.js +23 -20
  18. package/dist/actions/session/session.cjs +76 -24
  19. package/dist/actions/session/session.d.ts +3 -1
  20. package/dist/actions/session/session.js +6 -4
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +91 -132
  25. package/dist/actions/signIn/authorization.d.ts +17 -16
  26. package/dist/actions/signIn/authorization.js +8 -7
  27. package/dist/actions/signIn/signIn.cjs +319 -191
  28. package/dist/actions/signIn/signIn.d.ts +32 -3
  29. package/dist/actions/signIn/signIn.js +10 -9
  30. package/dist/actions/signOut/signOut.cjs +211 -212
  31. package/dist/actions/signOut/signOut.d.ts +9 -1
  32. package/dist/actions/signOut/signOut.js +9 -10
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +42 -9
  46. package/dist/assert.d.ts +8 -4
  47. package/dist/assert.js +5 -5
  48. package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-5X7JZMEF.js +0 -0
  54. package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
  55. package/dist/chunk-7YYXFKLR.js +35 -0
  56. package/dist/chunk-C3A37LQC.js +33 -0
  57. package/dist/chunk-CITNGXDA.js +31 -0
  58. package/dist/chunk-CWX724AG.js +78 -0
  59. package/dist/chunk-D2CSIUKP.js +74 -0
  60. package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
  61. package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
  62. package/dist/chunk-JOCGX3RP.js +59 -0
  63. package/dist/chunk-KBXWTD6E.js +94 -0
  64. package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
  65. package/dist/chunk-LAYPUDQF.js +39 -0
  66. package/dist/chunk-LX3TJ2TJ.js +294 -0
  67. package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
  68. package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
  69. package/dist/chunk-PHYNROD4.js +47 -0
  70. package/dist/chunk-QQEKY4XP.js +29 -0
  71. package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
  72. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  73. package/dist/chunk-UN7X6SU5.js +53 -0
  74. package/dist/chunk-UZQJJD6A.js +100 -0
  75. package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
  76. package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
  77. package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
  78. package/dist/client/client.cjs +135 -0
  79. package/dist/client/client.d.ts +85 -0
  80. package/dist/client/client.js +9 -0
  81. package/dist/client/index.cjs +135 -0
  82. package/dist/client/index.d.ts +14 -0
  83. package/dist/client/index.js +10 -0
  84. package/dist/context.cjs +1237 -0
  85. package/dist/context.d.ts +16 -0
  86. package/dist/context.js +28 -0
  87. package/dist/cookie.cjs +33 -2
  88. package/dist/cookie.d.ts +9 -5
  89. package/dist/cookie.js +3 -2
  90. package/dist/createAuth.cjs +2320 -0
  91. package/dist/createAuth.d.ts +12 -0
  92. package/dist/createAuth.js +48 -0
  93. package/dist/env.cjs +24 -2
  94. package/dist/env.d.ts +4 -1
  95. package/dist/env.js +9 -3
  96. package/dist/errors.cjs +17 -0
  97. package/dist/errors.d.ts +13 -3
  98. package/dist/errors.js +5 -1
  99. package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
  100. package/dist/index.cjs +2135 -1547
  101. package/dist/index.d.ts +9 -30
  102. package/dist/index.js +46 -119
  103. package/dist/jose.cjs +52 -14
  104. package/dist/jose.d.ts +12 -25
  105. package/dist/jose.js +11 -3
  106. package/dist/logger.cjs +132 -0
  107. package/dist/logger.d.ts +6 -2
  108. package/dist/logger.js +10 -1
  109. package/dist/oauth/atlassian.cjs +57 -0
  110. package/dist/oauth/atlassian.d.ts +12 -0
  111. package/dist/oauth/atlassian.js +6 -0
  112. package/dist/oauth/bitbucket.d.ts +6 -2
  113. package/dist/oauth/discord.d.ts +6 -2
  114. package/dist/oauth/dropbox.cjs +53 -0
  115. package/dist/oauth/dropbox.d.ts +12 -0
  116. package/dist/oauth/dropbox.js +6 -0
  117. package/dist/oauth/figma.d.ts +6 -2
  118. package/dist/oauth/github.d.ts +6 -2
  119. package/dist/oauth/gitlab.d.ts +6 -2
  120. package/dist/oauth/index.cjs +278 -88
  121. package/dist/oauth/index.d.ts +6 -2
  122. package/dist/oauth/index.js +27 -11
  123. package/dist/oauth/mailchimp.d.ts +6 -2
  124. package/dist/oauth/notion.cjs +131 -0
  125. package/dist/oauth/notion.d.ts +12 -0
  126. package/dist/oauth/notion.js +9 -0
  127. package/dist/oauth/pinterest.d.ts +6 -2
  128. package/dist/oauth/spotify.d.ts +6 -2
  129. package/dist/oauth/strava.d.ts +6 -2
  130. package/dist/oauth/twitch.cjs +95 -0
  131. package/dist/oauth/twitch.d.ts +12 -0
  132. package/dist/oauth/twitch.js +7 -0
  133. package/dist/oauth/x.d.ts +6 -2
  134. package/dist/schemas.cjs +84 -51
  135. package/dist/schemas.d.ts +103 -23
  136. package/dist/schemas.js +1 -1
  137. package/dist/secure.cjs +36 -36
  138. package/dist/secure.d.ts +10 -4
  139. package/dist/secure.js +7 -6
  140. package/dist/utils.cjs +109 -3
  141. package/dist/utils.d.ts +15 -4
  142. package/dist/utils.js +11 -4
  143. package/package.json +9 -5
  144. package/dist/chunk-4EKY7655.js +0 -123
  145. package/dist/chunk-7QF22LHP.js +0 -67
  146. package/dist/chunk-ALG3GIV4.js +0 -95
  147. package/dist/chunk-FRJFWTOY.js +0 -70
  148. package/dist/chunk-PHFH2MGS.js +0 -36
  149. package/dist/chunk-QQVSRXGX.js +0 -149
@@ -1,9 +1,7 @@
1
1
  "use strict";
2
- var __create = Object.create;
3
2
  var __defProp = Object.defineProperty;
4
3
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
4
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
- var __getProtoOf = Object.getPrototypeOf;
7
5
  var __hasOwnProp = Object.prototype.hasOwnProperty;
8
6
  var __export = (target, all) => {
9
7
  for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
17
15
  }
18
16
  return to;
19
17
  };
20
- var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
- // If the importer is in node compatibility mode or this is not an ESM
22
- // file that has been converted to a CommonJS file using a Babel-
23
- // compatible transform (i.e. "__esModule" has not been set), then set
24
- // "default" to the CommonJS "module.exports" for node compatibility.
25
- isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
- mod
27
- ));
28
18
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
19
 
30
20
  // src/actions/callback/callback.ts
@@ -33,12 +23,9 @@ __export(callback_exports, {
33
23
  callbackAction: () => callbackAction
34
24
  });
35
25
  module.exports = __toCommonJS(callback_exports);
36
- var import_zod2 = require("zod");
26
+ var import_v42 = require("zod/v4");
37
27
  var import_router2 = require("@aura-stack/router");
38
28
 
39
- // src/secure.ts
40
- var import_crypto2 = __toESM(require("crypto"), 1);
41
-
42
29
  // src/utils.ts
43
30
  var import_router = require("@aura-stack/router");
44
31
 
@@ -82,14 +69,41 @@ var isOAuthProtocolError = (error) => {
82
69
  return error instanceof OAuthProtocolError;
83
70
  };
84
71
 
85
- // src/utils.ts
86
- var equals = (a, b) => {
87
- if (a === null || b === null || a === void 0 || b === void 0) return false;
88
- return a === b;
72
+ // src/env.ts
73
+ var import_meta = {};
74
+ var env = new Proxy({}, {
75
+ get(_, prop) {
76
+ if (typeof prop !== "string") return void 0;
77
+ const hasProperty = (process2) => {
78
+ return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
79
+ };
80
+ try {
81
+ if (typeof process !== "undefined" && hasProperty(process.env)) {
82
+ return process.env[prop];
83
+ }
84
+ if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
85
+ return import_meta.env[prop];
86
+ }
87
+ if (typeof Deno !== "undefined" && Deno.env?.get) {
88
+ return Deno.env.get(prop);
89
+ }
90
+ if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
91
+ return Bun.env[prop];
92
+ }
93
+ const globalValue = globalThis[prop];
94
+ return typeof globalValue === "string" ? globalValue : void 0;
95
+ } catch {
96
+ return void 0;
97
+ }
98
+ }
99
+ });
100
+ var getEnv = (key) => {
101
+ const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
102
+ return env[keys.find((k) => env[k]) ?? ""];
89
103
  };
90
104
 
91
105
  // src/assert.ts
92
- var import_crypto = require("crypto");
106
+ var import_crypto = require("@aura-stack/jose/crypto");
93
107
  var unsafeChars = [
94
108
  "<",
95
109
  ">",
@@ -177,46 +191,28 @@ var isTrustedOrigin = (url, trustedOrigins) => {
177
191
  }
178
192
  return false;
179
193
  };
180
- var safeEquals = (a, b) => {
181
- const bufferA = Buffer.from(a);
182
- const bufferB = Buffer.from(b);
183
- if (bufferA.length !== bufferB.length) {
184
- return false;
194
+ var timingSafeEqual = (a, b) => {
195
+ const bufferA = import_crypto.encoder.encode(a);
196
+ const bufferB = import_crypto.encoder.encode(b);
197
+ const len = Math.max(bufferA.length, bufferB.length);
198
+ let diff = 0;
199
+ for (let i = 0; i < len; i++) {
200
+ diff |= (bufferA[i] ?? 0) ^ (bufferB[i] ?? 0);
185
201
  }
186
- return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
202
+ return diff === 0 && bufferA.length === bufferB.length;
187
203
  };
188
204
 
189
- // src/env.ts
190
- var import_meta = {};
191
- var env = new Proxy({}, {
192
- get(_, prop) {
193
- if (typeof prop !== "string") return void 0;
194
- const hasProperty = (process2) => {
195
- return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
196
- };
197
- try {
198
- if (typeof process !== "undefined" && hasProperty(process.env)) {
199
- return process.env[prop];
200
- }
201
- if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
202
- return import_meta.env[prop];
203
- }
204
- if (typeof Deno !== "undefined" && Deno.env?.get) {
205
- return Deno.env.get(prop);
206
- }
207
- if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
208
- return Bun.env[prop];
209
- }
210
- const globalValue = globalThis[prop];
211
- return typeof globalValue === "string" ? globalValue : void 0;
212
- } catch {
213
- return void 0;
214
- }
215
- }
216
- });
205
+ // src/utils.ts
206
+ var AURA_AUTH_VERSION = "0.4.0";
207
+ var equals = (a, b) => {
208
+ if (a === null || b === null || a === void 0 || b === void 0) return false;
209
+ return a === b;
210
+ };
217
211
 
218
212
  // src/jose.ts
219
213
  var import_jose = require("@aura-stack/jose");
214
+ var import_jose2 = require("@aura-stack/jose/jose");
215
+ var import_crypto2 = require("@aura-stack/jose/crypto");
220
216
  var jwtVerificationOptions = {
221
217
  algorithms: ["HS256"],
222
218
  typ: "JWT"
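Review bot: The new `timingSafeEqual` is a hand-written XOR loop over `import_crypto.encoder.encode(...)` output that replaces Node's `crypto.timingSafeEqual`, and a plain JavaScript loop has no constant-time guarantee from the engine. The helper should carry a comment saying the comparison is best-effort and why the native primitive was dropped (presumably to run on non-Node runtimes). If `encoder` is a standard `TextEncoder`, `encode(undefined)` yields an empty array, so two missing values would compare equal where the old `Buffer.from` call threw. A guard as the first statement closes that: `if (typeof a !== "string" || typeof b !== "string") return false;`.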
@@ -224,7 +220,7 @@ var jwtVerificationOptions = {
224
220
 
225
221
  // src/secure.ts
226
222
  var generateSecure = (length = 32) => {
227
- return import_crypto2.default.randomBytes(length).toString("base64url");
223
+ return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
228
224
  };
229
225
  var createCSRF = async (jose, csrfCookie) => {
230
226
  try {
@@ -280,40 +276,73 @@ var fetchAsync = async (url, options2 = {}, timeout = 5e3) => {
280
276
  };
281
277
 
282
278
  // src/schemas.ts
283
- var import_zod = require("zod");
284
- var OAuthProviderCredentialsSchema = (0, import_zod.object)({
285
- id: (0, import_zod.string)(),
286
- name: (0, import_zod.string)(),
287
- authorizeURL: (0, import_zod.string)().url(),
288
- accessToken: (0, import_zod.string)().url(),
289
- scope: (0, import_zod.string)(),
290
- userInfo: (0, import_zod.string)().url(),
291
- responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
292
- clientId: (0, import_zod.string)(),
293
- clientSecret: (0, import_zod.string)(),
294
- profile: import_zod.z.function().optional()
279
+ var import_v4 = require("zod/v4");
280
+ var AuthorizeConfigSchema = import_v4.z.union([
281
+ (0, import_v4.string)().url(),
282
+ (0, import_v4.object)({
283
+ url: (0, import_v4.string)().url(),
284
+ params: (0, import_v4.object)({
285
+ responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
286
+ scope: (0, import_v4.string)().optional()
287
+ })
288
+ })
289
+ ]);
290
+ var AccessTokenConfigSchema = import_v4.z.union([
291
+ (0, import_v4.string)().url(),
292
+ (0, import_v4.object)({
293
+ url: (0, import_v4.string)().url(),
294
+ headers: import_v4.z.record((0, import_v4.string)(), (0, import_v4.string)()).optional()
295
+ })
296
+ ]);
297
+ var UserInfoConfigSchema = import_v4.z.union([
298
+ (0, import_v4.string)().url(),
299
+ (0, import_v4.object)({
300
+ url: (0, import_v4.string)().url(),
301
+ headers: import_v4.z.record((0, import_v4.string)(), (0, import_v4.string)()).optional(),
302
+ method: (0, import_v4.string)().optional()
303
+ })
304
+ ]);
305
+ var OAuthProviderCredentialsSchema = (0, import_v4.object)({
306
+ id: (0, import_v4.string)(),
307
+ name: (0, import_v4.string)(),
308
+ authorize: AuthorizeConfigSchema.optional(),
309
+ /** @deprecated */
310
+ authorizeURL: (0, import_v4.string)().url().optional(),
311
+ accessToken: AccessTokenConfigSchema,
312
+ /** @deprecated */
313
+ scope: (0, import_v4.string)().optional(),
314
+ userInfo: UserInfoConfigSchema,
315
+ /** @deprecated */
316
+ responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
317
+ clientId: (0, import_v4.string)(),
318
+ clientSecret: (0, import_v4.string)(),
319
+ profile: import_v4.z.function().optional()
295
320
  });
296
- var OAuthProviderConfigSchema = (0, import_zod.object)({
297
- authorizeURL: (0, import_zod.string)().url(),
298
- accessToken: (0, import_zod.string)().url(),
299
- scope: (0, import_zod.string)().optional(),
300
- userInfo: (0, import_zod.string)().url(),
301
- responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
302
- clientId: (0, import_zod.string)(),
303
- clientSecret: (0, import_zod.string)()
321
+ var OAuthProviderConfigSchema = (0, import_v4.object)({
322
+ authorize: AuthorizeConfigSchema.optional(),
323
+ /** @deprecated */
324
+ authorizeURL: (0, import_v4.string)().url().optional(),
325
+ accessToken: AccessTokenConfigSchema,
326
+ /** @deprecated */
327
+ scope: (0, import_v4.string)().optional(),
328
+ userInfo: UserInfoConfigSchema,
329
+ /** @deprecated */
330
+ responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
331
+ clientId: (0, import_v4.string)(),
332
+ clientSecret: (0, import_v4.string)()
304
333
  });
305
334
  var OAuthAuthorization = OAuthProviderConfigSchema.extend({
306
- redirectURI: (0, import_zod.string)(),
307
- state: (0, import_zod.string)(),
308
- codeChallenge: (0, import_zod.string)(),
309
- codeChallengeMethod: (0, import_zod.enum)(["plain", "S256"])
335
+ redirectURI: (0, import_v4.string)(),
336
+ state: (0, import_v4.string)(),
337
+ codeChallenge: (0, import_v4.string)(),
338
+ codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
310
339
  });
311
- var OAuthAuthorizationResponse = (0, import_zod.object)({
312
- state: (0, import_zod.string)({ message: "Missing state parameter in the OAuth authorization response." }),
313
- code: (0, import_zod.string)({ message: "Missing code parameter in the OAuth authorization response." })
340
+ var OAuthAuthorizationResponse = (0, import_v4.object)({
341
+ state: (0, import_v4.string)({ message: "Missing state parameter in the OAuth authorization response." }),
342
+ code: (0, import_v4.string)({ message: "Missing code parameter in the OAuth authorization response." })
314
343
  });
315
- var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
316
- error: (0, import_zod.enum)([
344
+ var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
345
+ error: (0, import_v4.enum)([
317
346
  "invalid_request",
318
347
  "unauthorized_client",
319
348
  "access_denied",
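Review bot: `OAuthProviderCredentialsSchema` and `OAuthProviderConfigSchema` now mark both `authorize` and the deprecated `authorizeURL` as optional, so a provider with no authorization endpoint at all passes validation and the failure surfaces only where the URL is first used. A cross-field check at parse time keeps the error at configuration, for example `.refine((c) => c.authorize !== undefined || c.authorizeURL !== undefined, "authorize or authorizeURL is required")`. Because `OAuthProviderConfigSchema` is extended further down, the check may have to sit on the derived schemas or at the place where the config is parsed. Separately, `"refresh_token"` is added to the `responseType` enums although it is a grant type rather than an OAuth `response_type` value, so a comment naming the provider that needs it would help.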
@@ -322,24 +351,24 @@ var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
322
351
  "server_error",
323
352
  "temporarily_unavailable"
324
353
  ]),
325
- error_description: (0, import_zod.string)().optional(),
326
- error_uri: (0, import_zod.string)().optional(),
327
- state: (0, import_zod.string)()
354
+ error_description: (0, import_v4.string)().optional(),
355
+ error_uri: (0, import_v4.string)().optional(),
356
+ state: (0, import_v4.string)()
328
357
  });
329
358
  var OAuthAccessToken = OAuthProviderConfigSchema.extend({
330
- redirectURI: (0, import_zod.string)(),
331
- code: (0, import_zod.string)(),
332
- codeVerifier: (0, import_zod.string)().min(43).max(128)
359
+ redirectURI: (0, import_v4.string)(),
360
+ code: (0, import_v4.string)(),
361
+ codeVerifier: (0, import_v4.string)().min(43).max(128)
333
362
  });
334
- var OAuthAccessTokenResponse = (0, import_zod.object)({
335
- access_token: (0, import_zod.string)(),
336
- token_type: (0, import_zod.string)().optional(),
337
- expires_in: (0, import_zod.number)().optional(),
338
- refresh_token: (0, import_zod.string)().optional(),
339
- scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
363
+ var OAuthAccessTokenResponse = (0, import_v4.object)({
364
+ access_token: (0, import_v4.string)(),
365
+ token_type: (0, import_v4.string)().optional(),
366
+ expires_in: (0, import_v4.number)().optional(),
367
+ refresh_token: (0, import_v4.string)().optional(),
368
+ scope: (0, import_v4.union)([(0, import_v4.string)().optional().or((0, import_v4.null)()), (0, import_v4.array)((0, import_v4.string)()).optional()])
340
369
  });
341
- var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
342
- error: (0, import_zod.enum)([
370
+ var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
371
+ error: (0, import_v4.enum)([
343
372
  "invalid_request",
344
373
  "invalid_client",
345
374
  "invalid_grant",
@@ -347,16 +376,16 @@ var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
347
376
  "unsupported_grant_type",
348
377
  "invalid_scope"
349
378
  ]),
350
- error_description: (0, import_zod.string)().optional(),
351
- error_uri: (0, import_zod.string)().optional()
379
+ error_description: (0, import_v4.string)().optional(),
380
+ error_uri: (0, import_v4.string)().optional()
352
381
  });
353
- var OAuthErrorResponse = (0, import_zod.object)({
354
- error: (0, import_zod.string)(),
355
- error_description: (0, import_zod.string)().optional()
382
+ var OAuthErrorResponse = (0, import_v4.object)({
383
+ error: (0, import_v4.string)(),
384
+ error_description: (0, import_v4.string)().optional()
356
385
  });
357
- var OAuthEnvSchema = (0, import_zod.object)({
358
- clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
359
- clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
386
+ var OAuthEnvSchema = (0, import_v4.object)({
387
+ clientId: import_v4.z.string().min(1, "OAuth Client ID is required in the environment variables."),
388
+ clientSecret: import_v4.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
360
389
  });
361
390
 
362
391
  // src/actions/callback/userinfo.ts
@@ -370,18 +399,23 @@ var getDefaultUserInfo = (profile) => {
370
399
  };
371
400
  };
372
401
  var getUserInfo = async (oauthConfig, accessToken, logger) => {
373
- const userinfoEndpoint = oauthConfig.userInfo;
402
+ const userInfoConfig = oauthConfig.userInfo;
403
+ const userinfoURL = typeof userInfoConfig === "string" ? userInfoConfig : userInfoConfig.url;
404
+ const extraHeaders = typeof userInfoConfig === "string" ? void 0 : userInfoConfig.headers;
405
+ const method = typeof userInfoConfig === "string" ? "GET" : (userInfoConfig.method ?? "GET").toUpperCase();
374
406
  try {
375
407
  logger?.log("OAUTH_USERINFO_REQUEST_INITIATED", {
376
408
  structuredData: {
377
- endpoint: userinfoEndpoint
409
+ endpoint: userinfoURL
378
410
  }
379
411
  });
380
- const response = await fetchAsync(userinfoEndpoint, {
381
- method: "GET",
412
+ const response = await fetchAsync(userinfoURL, {
413
+ method,
382
414
  headers: {
415
+ "User-Agent": `Aura Auth/${AURA_AUTH_VERSION}`,
383
416
  Accept: "application/json",
384
- Authorization: `Bearer ${accessToken}`
417
+ Authorization: `Bearer ${accessToken}`,
418
+ ...extraHeaders ?? {}
385
419
  }
386
420
  });
387
421
  if (!response.ok) {
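Review bot: In `getUserInfo` the configured headers are spread last (`...extraHeaders ?? {}` after `Authorization`), so a provider config key named `Authorization`, `Accept` or `User-Agent` silently replaces the library's value. `createAccessToken` in this same file spreads `extraHeaders` first and lets the fixed headers win. Pick one order and document it; if replacing the bearer token is not intended, move `...extraHeaders ?? {},` to be the first entry of the `headers` object. `method` is also taken from config as any string and only upper-cased, so restricting it to the verbs the providers need (for example `GET` and `POST`) would be safer. The `User-Agent` value reads `AURA_AUTH_VERSION`, which this file defines as `"0.4.0"` although the page is the 0.5.0 release; the function body continues past the hunk.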
@@ -422,16 +456,37 @@ var getTrustedOrigins = async (request, trustedOrigins) => {
422
456
  const raw = typeof trustedOrigins === "function" ? await trustedOrigins(request) : trustedOrigins;
423
457
  return Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
424
458
  };
459
+ var getBaseURL = async ({
460
+ ctx,
461
+ request,
462
+ headers: headersInit
463
+ }) => {
464
+ const origin = getEnv("BASE_URL") || ctx?.baseURL;
465
+ if (origin && origin !== "/") return origin;
466
+ if (ctx?.trustedProxyHeaders) {
467
+ const headers = headersInit && new Headers(headersInit) || request?.headers;
468
+ const protocol = headers?.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Proto") ?? "http";
469
+ const host = headers?.get("Host") ?? headers?.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Host") ?? null;
470
+ if (host) return `${protocol}://${host}`;
471
+ throw new AuthInternalError(
472
+ "INVALID_OAUTH_CONFIGURATION",
473
+ "The URL cannot be constructed. Please set the BASE_URL environment variable or provide trusted proxy host headers."
474
+ );
475
+ }
476
+ try {
477
+ return new URL(request?.url ?? "not-found").origin;
478
+ } catch (error) {
479
+ throw new AuthInternalError(
480
+ "INVALID_OAUTH_CONFIGURATION",
481
+ "The URL cannot be constructed. Please set the BASE_URL environment variable or enable trustedProxyHeaders.",
482
+ { cause: error }
483
+ );
484
+ }
485
+ };
425
486
  var getOriginURL = async (request, context) => {
426
- const headers = request.headers;
427
- let origin = new URL(request.url).origin;
428
487
  const trustedOrigins = await getTrustedOrigins(request, context?.trustedOrigins);
429
- trustedOrigins.push(origin);
430
- if (context?.trustedProxyHeaders) {
431
- const protocol = headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Proto") ?? "http";
432
- const host = headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Host") ?? null;
433
- origin = `${protocol}://${host}`;
434
- }
488
+ trustedOrigins.push(new URL(request.url).origin);
489
+ const origin = await getBaseURL({ request, ctx: context });
435
490
  if (!isTrustedOrigin(origin, trustedOrigins)) {
436
491
  context?.logger?.log("UNTRUSTED_ORIGIN", { structuredData: { origin } });
437
492
  throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");
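Review bot: `getBaseURL` returns an origin built from `Host`, `Forwarded` and `X-Forwarded-*` whenever `ctx.trustedProxyHeaders` is set, and only `getOriginURL` passes that value through `isTrustedOrigin`. Any other caller of `getBaseURL` (none is visible in this hunk) would receive a request-supplied origin unchecked, so either move the trust check inside `getBaseURL` or add a doc comment stating that the result is unvalidated. The `Forwarded` patterns `/proto=([^;]+)/i` and `/host=([^;]+)/i` stop only at `;`, so a comma-separated multi-hop value or a quoted value is captured whole; `/proto="?([^;,"\s]+)/i` (and the same for `host=`) bounds the match. The silent fallback to `"http"` when no protocol header is present deserves a comment too, since the value presumably feeds redirect URIs. `getOriginURL` continues past the end of the hunk.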
@@ -441,31 +496,42 @@ var getOriginURL = async (request, context) => {
441
496
 
442
497
  // src/actions/callback/access-token.ts
443
498
  var createAccessToken = async (oauthConfig, redirectURI, code, codeVerifier, logger) => {
444
- const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier });
445
- if (!parsed.success) {
446
- logger?.log("INVALID_OAUTH_CONFIGURATION");
499
+ const { accessToken, clientId, clientSecret } = oauthConfig;
500
+ if (!clientId || !clientSecret || !redirectURI || !code || !codeVerifier || !accessToken) {
501
+ logger?.log("INVALID_OAUTH_CONFIGURATION", {
502
+ structuredData: {
503
+ has_client_id: Boolean(clientId),
504
+ has_client_secret: Boolean(clientSecret),
505
+ has_access_token: Boolean(accessToken),
506
+ has_redirect_uri: Boolean(redirectURI),
507
+ has_code: Boolean(code),
508
+ has_code_verifier: Boolean(codeVerifier)
509
+ }
510
+ });
447
511
  throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
448
512
  }
449
- const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data;
513
+ const tokenURL = typeof accessToken === "string" ? accessToken : accessToken.url;
514
+ const extraHeaders = typeof accessToken === "string" ? void 0 : accessToken.headers;
450
515
  try {
451
516
  logger?.log("OAUTH_ACCESS_TOKEN_REQUEST_INITIATED", {
452
517
  structuredData: {
453
518
  has_client_id: Boolean(clientId),
454
- redirect_uri: redirectParsed,
519
+ redirect_uri: redirectURI,
455
520
  grant_type: "authorization_code"
456
521
  }
457
522
  });
458
- const response = await fetchAsync(accessToken, {
523
+ const response = await fetchAsync(tokenURL, {
459
524
  method: "POST",
460
525
  headers: {
526
+ ...extraHeaders ?? {},
461
527
  Accept: "application/json",
462
528
  "Content-Type": "application/x-www-form-urlencoded"
463
529
  },
464
530
  body: new URLSearchParams({
465
531
  client_id: clientId,
466
532
  client_secret: clientSecret,
467
- code: codeParsed,
468
- redirect_uri: redirectParsed,
533
+ code,
534
+ redirect_uri: redirectURI,
469
535
  grant_type: "authorization_code",
470
536
  code_verifier: codeVerifier
471
537
  }).toString()
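Review bot: `createAccessToken` no longer runs `OAuthAccessToken.safeParse`, and the truthiness test that replaces it drops two checks the schema made: the PKCE `codeVerifier` length bound (`min(43).max(128)`) and URL validation of the token endpoint. With an object-form `accessToken` that has no `url`, `tokenURL` is `undefined` and still reaches `fetchAsync` inside the `try`. Either keep the schema parse next to the new structured log, or add an explicit guard before the request such as `if (!tokenURL || codeVerifier.length < 43 || codeVerifier.length > 128)` that throws the same `INVALID_OAUTH_CONFIGURATION` error. The function body continues outside the hunk.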
@@ -522,7 +588,7 @@ var expiredCookieAttributes = {
522
588
  secure: true
523
589
  };
524
590
  var getCookie = (request, cookieName) => {
525
- const cookies = request.headers.get("Cookie");
591
+ const cookies = request instanceof Request ? request.headers.get("Cookie") : request.get("Cookie");
526
592
  if (!cookies) {
527
593
  throw new AuthInternalError("COOKIE_NOT_FOUND", "No cookies found. There is no active session");
528
594
  }
@@ -545,18 +611,18 @@ var createSessionCookie = async (jose, session) => {
545
611
  var callbackConfig = (oauth) => {
546
612
  return (0, import_router2.createEndpointConfig)("/callback/:oauth", {
547
613
  schemas: {
548
- params: import_zod2.z.object({
549
- oauth: import_zod2.z.enum(
614
+ params: import_v42.z.object({
615
+ oauth: import_v42.z.enum(
550
616
  Object.keys(oauth),
551
617
  "The OAuth provider is not supported or invalid."
552
618
  )
553
619
  }),
554
- searchParams: import_zod2.z.object({
555
- code: import_zod2.z.string("Missing code parameter in the OAuth authorization response."),
556
- state: import_zod2.z.string("Missing state parameter in the OAuth authorization response.")
620
+ searchParams: import_v42.z.object({
621
+ code: import_v42.z.string("Missing code parameter in the OAuth authorization response."),
622
+ state: import_v42.z.string("Missing state parameter in the OAuth authorization response.")
557
623
  })
558
624
  },
559
- middlewares: [
625
+ use: [
560
626
  (ctx) => {
561
627
  const {
562
628
  searchParams,
@@ -598,7 +664,7 @@ var callbackAction = (oauth) => {
598
664
  const codeVerifier = getCookie(request, cookies.codeVerifier.name);
599
665
  const cookieRedirectTo = getCookie(request, cookies.redirectTo.name);
600
666
  const cookieRedirectURI = getCookie(request, cookies.redirectURI.name);
601
- if (!safeEquals(cookieState, state)) {
667
+ if (!timingSafeEqual(cookieState, state)) {
602
668
  logger?.log("MISMATCHING_STATE", {
603
669
  structuredData: {
604
670
  oauth_provider: oauth2
@@ -1,13 +1,42 @@
1
1
  import * as _aura_stack_router from '@aura-stack/router';
2
- import { k as OAuthProviderRecord } from '../../index-CSyIJmCM.js';
2
+ import { z } from 'zod/v4';
3
+ import { O as OAuthProviderRecord } from '../../index-_aXtxb_s.js';
3
4
  import 'zod';
4
5
  import '../../schemas.js';
5
- import '../../jose.js';
6
6
  import '@aura-stack/jose';
7
7
  import '@aura-stack/jose/jose';
8
+ import '@aura-stack/jose/crypto';
8
9
  import '@aura-stack/router/cookie';
9
10
  import '../../@types/utility.js';
11
+ import 'jose';
12
+ import 'zod/v4/core';
10
13
 
11
- declare const callbackAction: (oauth: OAuthProviderRecord) => _aura_stack_router.RouteEndpoint<"GET", "/callback/:oauth", {}>;
14
+ declare const callbackAction: (oauth: OAuthProviderRecord) => _aura_stack_router.RouteEndpoint<"GET", "/callback/:oauth", {
15
+ schemas?: {
16
+ params: z.ZodObject<{
17
+ oauth: z.ZodEnum<{
18
+ [x: string & Record<never, never>]: string & Record<never, never>;
19
+ github: "github";
20
+ bitbucket: "bitbucket";
21
+ figma: "figma";
22
+ discord: "discord";
23
+ gitlab: "gitlab";
24
+ spotify: "spotify";
25
+ x: "x";
26
+ strava: "strava";
27
+ mailchimp: "mailchimp";
28
+ pinterest: "pinterest";
29
+ twitch: "twitch";
30
+ notion: "notion";
31
+ dropbox: "dropbox";
32
+ atlassian: "atlassian";
33
+ }>;
34
+ }, z.core.$strip>;
35
+ searchParams: z.ZodObject<{
36
+ code: z.ZodString;
37
+ state: z.ZodString;
38
+ }, z.core.$strip>;
39
+ } | undefined;
40
+ }>;
12
41
 
13
42
  export { callbackAction };
@@ -1,19 +1,18 @@
1
1
  import {
2
2
  callbackAction
3
- } from "../../chunk-6MXFPFR3.js";
4
- import "../../chunk-TZB6MUXN.js";
5
- import "../../chunk-XGLBNXL4.js";
6
- import "../../chunk-XUP6KKNG.js";
3
+ } from "../../chunk-NHZBQNRR.js";
4
+ import "../../chunk-GNNBM2WJ.js";
5
+ import "../../chunk-7BE46WWS.js";
6
+ import "../../chunk-LATR3NIV.js";
7
7
  import "../../chunk-ZNCZVF6U.js";
8
- import "../../chunk-KJBAQZX2.js";
9
- import "../../chunk-NUDITUKX.js";
10
- import "../../chunk-4EKY7655.js";
11
- import "../../chunk-QQVSRXGX.js";
12
- import "../../chunk-5W4BRQYG.js";
8
+ import "../../chunk-V6LLEAR4.js";
9
+ import "../../chunk-2A5B7GWR.js";
10
+ import "../../chunk-UZQJJD6A.js";
11
+ import "../../chunk-LX3TJ2TJ.js";
12
+ import "../../chunk-XY5R3EHH.js";
13
+ import "../../chunk-WHNDRO3N.js";
14
+ import "../../chunk-U5663F2U.js";
13
15
  import "../../chunk-EBAMFRB7.js";
14
- import "../../chunk-FRJFWTOY.js";
15
- import "../../chunk-4MYWAOLG.js";
16
- import "../../chunk-RRLIF4PQ.js";
17
16
  export {
18
17
  callbackAction
19
18
  };