@aura-stack/auth 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (149) hide show
  1. package/dist/@types/index.d.ts +6 -2
  2. package/dist/@types/router.d.d.ts +6 -2
  3. package/dist/actions/callback/access-token.cjs +103 -59
  4. package/dist/actions/callback/access-token.d.ts +7 -3
  5. package/dist/actions/callback/access-token.js +3 -3
  6. package/dist/actions/callback/callback.cjs +200 -134
  7. package/dist/actions/callback/callback.d.ts +32 -3
  8. package/dist/actions/callback/callback.js +11 -12
  9. package/dist/actions/callback/userinfo.cjs +103 -70
  10. package/dist/actions/callback/userinfo.d.ts +6 -2
  11. package/dist/actions/callback/userinfo.js +7 -8
  12. package/dist/actions/csrfToken/csrfToken.cjs +7 -15
  13. package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
  14. package/dist/actions/csrfToken/csrfToken.js +7 -8
  15. package/dist/actions/index.cjs +502 -295
  16. package/dist/actions/index.d.ts +5 -2
  17. package/dist/actions/index.js +23 -20
  18. package/dist/actions/session/session.cjs +76 -24
  19. package/dist/actions/session/session.d.ts +3 -1
  20. package/dist/actions/session/session.js +6 -4
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +91 -132
  25. package/dist/actions/signIn/authorization.d.ts +17 -16
  26. package/dist/actions/signIn/authorization.js +8 -7
  27. package/dist/actions/signIn/signIn.cjs +319 -191
  28. package/dist/actions/signIn/signIn.d.ts +32 -3
  29. package/dist/actions/signIn/signIn.js +10 -9
  30. package/dist/actions/signOut/signOut.cjs +211 -212
  31. package/dist/actions/signOut/signOut.d.ts +9 -1
  32. package/dist/actions/signOut/signOut.js +9 -10
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +42 -9
  46. package/dist/assert.d.ts +8 -4
  47. package/dist/assert.js +5 -5
  48. package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-5X7JZMEF.js +0 -0
  54. package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
  55. package/dist/chunk-7YYXFKLR.js +35 -0
  56. package/dist/chunk-C3A37LQC.js +33 -0
  57. package/dist/chunk-CITNGXDA.js +31 -0
  58. package/dist/chunk-CWX724AG.js +78 -0
  59. package/dist/chunk-D2CSIUKP.js +74 -0
  60. package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
  61. package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
  62. package/dist/chunk-JOCGX3RP.js +59 -0
  63. package/dist/chunk-KBXWTD6E.js +94 -0
  64. package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
  65. package/dist/chunk-LAYPUDQF.js +39 -0
  66. package/dist/chunk-LX3TJ2TJ.js +294 -0
  67. package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
  68. package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
  69. package/dist/chunk-PHYNROD4.js +47 -0
  70. package/dist/chunk-QQEKY4XP.js +29 -0
  71. package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
  72. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  73. package/dist/chunk-UN7X6SU5.js +53 -0
  74. package/dist/chunk-UZQJJD6A.js +100 -0
  75. package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
  76. package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
  77. package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
  78. package/dist/client/client.cjs +135 -0
  79. package/dist/client/client.d.ts +85 -0
  80. package/dist/client/client.js +9 -0
  81. package/dist/client/index.cjs +135 -0
  82. package/dist/client/index.d.ts +14 -0
  83. package/dist/client/index.js +10 -0
  84. package/dist/context.cjs +1237 -0
  85. package/dist/context.d.ts +16 -0
  86. package/dist/context.js +28 -0
  87. package/dist/cookie.cjs +33 -2
  88. package/dist/cookie.d.ts +9 -5
  89. package/dist/cookie.js +3 -2
  90. package/dist/createAuth.cjs +2320 -0
  91. package/dist/createAuth.d.ts +12 -0
  92. package/dist/createAuth.js +48 -0
  93. package/dist/env.cjs +24 -2
  94. package/dist/env.d.ts +4 -1
  95. package/dist/env.js +9 -3
  96. package/dist/errors.cjs +17 -0
  97. package/dist/errors.d.ts +13 -3
  98. package/dist/errors.js +5 -1
  99. package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
  100. package/dist/index.cjs +2135 -1547
  101. package/dist/index.d.ts +9 -30
  102. package/dist/index.js +46 -119
  103. package/dist/jose.cjs +52 -14
  104. package/dist/jose.d.ts +12 -25
  105. package/dist/jose.js +11 -3
  106. package/dist/logger.cjs +132 -0
  107. package/dist/logger.d.ts +6 -2
  108. package/dist/logger.js +10 -1
  109. package/dist/oauth/atlassian.cjs +57 -0
  110. package/dist/oauth/atlassian.d.ts +12 -0
  111. package/dist/oauth/atlassian.js +6 -0
  112. package/dist/oauth/bitbucket.d.ts +6 -2
  113. package/dist/oauth/discord.d.ts +6 -2
  114. package/dist/oauth/dropbox.cjs +53 -0
  115. package/dist/oauth/dropbox.d.ts +12 -0
  116. package/dist/oauth/dropbox.js +6 -0
  117. package/dist/oauth/figma.d.ts +6 -2
  118. package/dist/oauth/github.d.ts +6 -2
  119. package/dist/oauth/gitlab.d.ts +6 -2
  120. package/dist/oauth/index.cjs +278 -88
  121. package/dist/oauth/index.d.ts +6 -2
  122. package/dist/oauth/index.js +27 -11
  123. package/dist/oauth/mailchimp.d.ts +6 -2
  124. package/dist/oauth/notion.cjs +131 -0
  125. package/dist/oauth/notion.d.ts +12 -0
  126. package/dist/oauth/notion.js +9 -0
  127. package/dist/oauth/pinterest.d.ts +6 -2
  128. package/dist/oauth/spotify.d.ts +6 -2
  129. package/dist/oauth/strava.d.ts +6 -2
  130. package/dist/oauth/twitch.cjs +95 -0
  131. package/dist/oauth/twitch.d.ts +12 -0
  132. package/dist/oauth/twitch.js +7 -0
  133. package/dist/oauth/x.d.ts +6 -2
  134. package/dist/schemas.cjs +84 -51
  135. package/dist/schemas.d.ts +103 -23
  136. package/dist/schemas.js +1 -1
  137. package/dist/secure.cjs +36 -36
  138. package/dist/secure.d.ts +10 -4
  139. package/dist/secure.js +7 -6
  140. package/dist/utils.cjs +109 -3
  141. package/dist/utils.d.ts +15 -4
  142. package/dist/utils.js +11 -4
  143. package/package.json +9 -5
  144. package/dist/chunk-4EKY7655.js +0 -123
  145. package/dist/chunk-7QF22LHP.js +0 -67
  146. package/dist/chunk-ALG3GIV4.js +0 -95
  147. package/dist/chunk-FRJFWTOY.js +0 -70
  148. package/dist/chunk-PHFH2MGS.js +0 -36
  149. package/dist/chunk-QQVSRXGX.js +0 -149
@@ -1,9 +1,17 @@
1
+ import * as zod from 'zod';
1
2
  import { z } from 'zod';
2
3
  import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
3
- import { createJoseInstance } from './jose.js';
4
+ import * as _aura_stack_jose from '@aura-stack/jose';
5
+ import { DecodedJWTPayloadOptions, TypedJWTPayload, JWTVerifyOptions } from '@aura-stack/jose';
6
+ import * as _aura_stack_jose_jose from '@aura-stack/jose/jose';
7
+ import { JWTPayload } from '@aura-stack/jose/jose';
8
+ import '@aura-stack/jose/crypto';
4
9
  import { SerializeOptions } from '@aura-stack/router/cookie';
5
10
  import { LiteralUnion, Prettify } from './@types/utility.js';
6
- import { JWTPayload } from '@aura-stack/jose/jose';
11
+ import * as jose from 'jose';
12
+ import * as _aura_stack_router from '@aura-stack/router';
13
+ import { GlobalContext, ClientOptions } from '@aura-stack/router';
14
+ import * as zod_v4_core from 'zod/v4/core';
7
15
 
8
16
  /**
9
17
  * Log message definitions organized by category.
@@ -264,6 +272,169 @@ declare const logMessages: {
264
272
  };
265
273
  };
266
274
  declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
275
+ declare const createSyslogMessage: (options: SyslogOptions) => string;
276
+ declare const createLogger: (logger?: Required<Logger>) => InternalLogger | undefined;
277
+ /**
278
+ * Creates the logger instance based on the provided configuration and environment variables.
279
+ * Priority: config.logger, LOG_LEVEL env, DEBUG env and defaults to undefined if logging is not enabled.
280
+ *
281
+ */
282
+ declare const createProxyLogger: (config?: AuthConfig) => InternalLogger | undefined;
283
+
284
+ /**
285
+ * Creates the JOSE instance used for signing and verifying tokens. It derives keys
286
+ * for session tokens and CSRF tokens. For security and determinism, it's required
287
+ * to set a salt value in `AURA_AUTH_SALT` or `AUTH_SALT` env.
288
+ *
289
+ * @param secret the base secret for key derivation
290
+ * @returns jose instance with methods for encoding/decoding JWTs and signing/verifying JWSs
291
+ */
292
+ declare const createJoseInstance: (secret?: string) => {
293
+ decodeJWT: (token: string, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<User>>;
294
+ encodeJWT: (payload: TypedJWTPayload<Partial<User>>) => Promise<string>;
295
+ signJWS: (payload: TypedJWTPayload<Partial<_aura_stack_jose_jose.JWTPayload>>) => Promise<string>;
296
+ verifyJWS: (payload: string, options?: JWTVerifyOptions | undefined) => Promise<_aura_stack_jose_jose.JWTPayload>;
297
+ encryptJWE: (payload: string, options?: _aura_stack_jose.EncryptOptions | undefined) => Promise<string>;
298
+ decryptJWE: (payload: string, options?: _aura_stack_jose.JWTDecryptOptions | undefined) => Promise<string>;
299
+ };
300
+ declare const jwtVerificationOptions: JWTVerifyOptions;
301
+ declare const decodeJWTOptions: DecodedJWTPayloadOptions;
302
+
303
+ interface ExtendedProfile {
304
+ job_title: string;
305
+ organization: string;
306
+ department: string;
307
+ location: string;
308
+ }
309
+ interface AtlassianProfile {
310
+ account_id: string;
311
+ account_type: string;
312
+ account_status: LiteralUnion<"active">;
313
+ email: string;
314
+ email_verified: boolean;
315
+ name: string;
316
+ picture: string;
317
+ nickname: string;
318
+ zoneinfo: string;
319
+ locale: string;
320
+ extended_profile: ExtendedProfile;
321
+ last_updated: string;
322
+ created_at: string;
323
+ }
324
+ /**
325
+ * @see [Atlassian - OAuth Apps](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/)
326
+ * @see [Atlassian - My Apps](https://developer.atlassian.com/console/myapps/)
327
+ * @see [Atlassian - Retrieve Authenticated User](https://developer.atlassian.com/cloud/jira/software/oauth-2-3lo-apps/#how-do-i-retrieve-the-public-profile-of-the-authenticated-user-)
328
+ */
329
+ declare const atlassian: (options?: Partial<OAuthProviderCredentials<AtlassianProfile>>) => OAuthProviderCredentials<AtlassianProfile>;
330
+
331
+ type AccountType = "basic" | "pro" | "business";
332
+ interface Name {
333
+ given_name: string;
334
+ surname: string;
335
+ familiar_name: string;
336
+ display_name: string;
337
+ abbreviated_name: string;
338
+ }
339
+ interface RootInfo {
340
+ team: RootInfo;
341
+ user: RootInfo;
342
+ }
343
+ interface FullTeam {
344
+ id: string;
345
+ name: string;
346
+ sharing_policies: Record<string, unknown>;
347
+ office_addin_policy: unknown;
348
+ top_level_content_policy: unknown;
349
+ }
350
+ interface DropboxProfile {
351
+ account_id: string;
352
+ name: Name;
353
+ email: string;
354
+ email_verified: boolean;
355
+ disabled: boolean;
356
+ locale: string;
357
+ referral_link: string;
358
+ is_paired: boolean;
359
+ account_type: AccountType;
360
+ root_info: unknown;
361
+ profile_photo_url?: string;
362
+ country: string;
363
+ team?: unknown;
364
+ team_member_id?: string;
365
+ }
366
+ /**
367
+ * @see [Dropbox - OAuth Guide](https://developers.dropbox.com/oauth-guide)
368
+ * @see [Dropbox - API v2](https://www.dropbox.com/developers/documentation/http/documentation)
369
+ * @see [Dropbox - Get Current Account](https://www.dropbox.com/developers/documentation/http/documentation#users-get_current_account)
370
+ * @see [Dropbox - My Apps](https://www.dropbox.com/developers/apps)
371
+ * @see [Dropbox - Developer Guide](https://www.dropbox.com/developers/reference/developer-guide)
372
+ */
373
+ declare const dropbox: (options?: Partial<OAuthProviderCredentials<DropboxProfile>>) => OAuthProviderCredentials<DropboxProfile>;
374
+
375
+ interface Person {
376
+ email: string;
377
+ }
378
+ interface User$1 {
379
+ object: "user";
380
+ id: string;
381
+ name: string;
382
+ avatar_url: string | null;
383
+ type: "person";
384
+ person: Person;
385
+ }
386
+ interface Owner {
387
+ type: "user";
388
+ user: User$1;
389
+ }
390
+ interface Bot {
391
+ owner: Owner;
392
+ }
393
+ /**
394
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
395
+ */
396
+ interface NotionProfile {
397
+ object: "user";
398
+ id: string;
399
+ name: string;
400
+ avatar_url: string | null;
401
+ type: "bot";
402
+ bot: Bot;
403
+ }
404
+ /**
405
+ * @see [Notion - Developer Documentation](https://developers.notion.com/)
406
+ * @see [Notion - Authorization](https://developers.notion.com/docs/authorization)
407
+ * @see [Notion - Authentication](https://developers.notion.com/reference/authentication)
408
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
409
+ */
410
+ declare const notion: (options?: Partial<OAuthProviderCredentials<NotionProfile>>) => OAuthProviderCredentials<NotionProfile>;
411
+
412
+ /**
413
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
414
+ */
415
+ interface TwitchProfile {
416
+ id: string;
417
+ login: string;
418
+ display_name: string;
419
+ type: string;
420
+ broadcaster_type: string;
421
+ description: string;
422
+ profile_image_url: string;
423
+ offline_image_url: string;
424
+ view_count: number;
425
+ email?: string;
426
+ created_at: string;
427
+ }
428
+ /**
429
+ * @see [Twitch - Get Started with the Twitch API](https://dev.twitch.tv/docs/api/get-started/)
430
+ * @see [Twitch - Authorization code grant flow](https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#authorization-code-grant-flow)
431
+ * @see [Twitch - Register Your App](https://dev.twitch.tv/docs/authentication/register-app)
432
+ * @see [Twitch - Setting up Two-Factor Authentication (2FA)](https://help.twitch.tv/s/article/two-factor-authentication?language=en_US)
433
+ * @see [Twitch - Security and Privacy](https://www.twitch.tv/settings/security)
434
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
435
+ * @see [Twitch - Scopes](https://dev.twitch.tv/docs/authentication/scopes/)
436
+ */
437
+ declare const twitch: (options?: Partial<OAuthProviderCredentials<TwitchProfile>>) => OAuthProviderCredentials<TwitchProfile>;
267
438
 
268
439
  /**
269
440
  * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
@@ -695,6 +866,10 @@ declare const builtInOAuthProviders: {
695
866
  readonly strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
696
867
  readonly mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
697
868
  readonly pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
869
+ readonly twitch: (options?: Partial<OAuthProviderCredentials<TwitchProfile>>) => OAuthProviderCredentials<TwitchProfile>;
870
+ readonly notion: (options?: Partial<OAuthProviderCredentials<NotionProfile>>) => OAuthProviderCredentials<NotionProfile>;
871
+ readonly dropbox: (options?: Partial<OAuthProviderCredentials<DropboxProfile>>) => OAuthProviderCredentials<DropboxProfile>;
872
+ readonly atlassian: (options?: Partial<OAuthProviderCredentials<AtlassianProfile>>) => OAuthProviderCredentials<AtlassianProfile>;
698
873
  };
699
874
  /**
700
875
  * Constructs OAuth provider configurations from an array of provider names or configurations.
@@ -712,6 +887,115 @@ declare const builtInOAuthProviders: {
712
887
  declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
713
888
  type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
714
889
 
890
+ /**
891
+ * Creates the authentication instance with the configuration provided for OAuth provider.
892
+ * > NOTE: The handlers returned by this function should be used in the server to handle the authentication routes
893
+ * and within the `/auth` base path
894
+ *
895
+ * @param authConfig - Authentication configuration including OAuth provider
896
+ * @returns Authentication instance with handlers to be used in the server
897
+ * @example
898
+ * const auth = createAuth({
899
+ * oauth: ["github", {
900
+ * id: "custom-oauth",
901
+ * name: "custom-oauth",
902
+ * authorizationURL: "https://custom-oauth.com/oauth/authorize",
903
+ * accessToken: "https://custom-oauth.com/oauth/token",
904
+ * scope: "profile email",
905
+ * responseType: "code",
906
+ * userInfo: "https://custom-oauth.com/api/userinfo",
907
+ * clientId: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_ID!,
908
+ * clientSecret: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_SECRET!,
909
+ * }]
910
+ * })
911
+ */
912
+ declare const createAuthInstance: (authConfig: AuthConfig) => {
913
+ handlers: _aura_stack_router.Router<[_aura_stack_router.RouteEndpoint<"GET", "/signIn/:oauth", {
914
+ schemas?: {
915
+ params: zod.ZodObject<{
916
+ oauth: zod.ZodEnum<{
917
+ [x: string & Record<never, never>]: string & Record<never, never>;
918
+ github: "github";
919
+ bitbucket: "bitbucket";
920
+ figma: "figma";
921
+ discord: "discord";
922
+ gitlab: "gitlab";
923
+ spotify: "spotify";
924
+ x: "x";
925
+ strava: "strava";
926
+ mailchimp: "mailchimp";
927
+ pinterest: "pinterest";
928
+ twitch: "twitch";
929
+ notion: "notion";
930
+ dropbox: "dropbox";
931
+ atlassian: "atlassian";
932
+ }>;
933
+ }, zod_v4_core.$strip>;
934
+ searchParams: zod.ZodObject<{
935
+ redirect: zod.ZodDefault<zod.ZodOptional<zod.ZodCodec<zod.ZodString, zod.ZodBoolean>>>;
936
+ redirectTo: zod.ZodOptional<zod.ZodString>;
937
+ }, zod_v4_core.$strip>;
938
+ } | undefined;
939
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/callback/:oauth", {
940
+ schemas?: {
941
+ params: zod.ZodObject<{
942
+ oauth: zod.ZodEnum<{
943
+ [x: string & Record<never, never>]: string & Record<never, never>;
944
+ github: "github";
945
+ bitbucket: "bitbucket";
946
+ figma: "figma";
947
+ discord: "discord";
948
+ gitlab: "gitlab";
949
+ spotify: "spotify";
950
+ x: "x";
951
+ strava: "strava";
952
+ mailchimp: "mailchimp";
953
+ pinterest: "pinterest";
954
+ twitch: "twitch";
955
+ notion: "notion";
956
+ dropbox: "dropbox";
957
+ atlassian: "atlassian";
958
+ }>;
959
+ }, zod_v4_core.$strip>;
960
+ searchParams: zod.ZodObject<{
961
+ code: zod.ZodString;
962
+ state: zod.ZodString;
963
+ }, zod_v4_core.$strip>;
964
+ } | undefined;
965
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/session", {
966
+ schemas?: _aura_stack_router.EndpointSchemas | undefined;
967
+ }>, _aura_stack_router.RouteEndpoint<"POST", "/signOut", {
968
+ schemas?: {
969
+ searchParams: zod.ZodObject<{
970
+ token_type_hint: zod.ZodLiteral<"session_token">;
971
+ redirectTo: zod.ZodOptional<zod.ZodString>;
972
+ }, zod_v4_core.$strip>;
973
+ } | undefined;
974
+ }>, _aura_stack_router.RouteEndpoint<"GET", "/csrfToken", {
975
+ schemas?: _aura_stack_router.EndpointSchemas | undefined;
976
+ }>]>;
977
+ jose: {
978
+ decodeJWT: (token: string, options?: _aura_stack_jose.DecodedJWTPayloadOptions) => Promise<_aura_stack_jose.TypedJWTPayload<User>>;
979
+ encodeJWT: (payload: _aura_stack_jose.TypedJWTPayload<Partial<User>>) => Promise<string>;
980
+ signJWS: (payload: _aura_stack_jose.TypedJWTPayload<Partial<jose.JWTPayload>>) => Promise<string>;
981
+ verifyJWS: (payload: string, options?: jose.JWTVerifyOptions | undefined) => Promise<jose.JWTPayload>;
982
+ encryptJWE: (payload: string, options?: _aura_stack_jose.EncryptOptions | undefined) => Promise<string>;
983
+ decryptJWE: (payload: string, options?: jose.JWTDecryptOptions | undefined) => Promise<string>;
984
+ };
985
+ api: {
986
+ getSession: (options: GetSessionAPIOptions) => Promise<SessionResponse>;
987
+ signIn: <Redirect extends boolean = true>(oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions<Redirect>) => Promise<SignInReturn<Redirect>>;
988
+ signOut: (options: SignOutAPIOptions) => Promise<Response>;
989
+ };
990
+ };
991
+ declare const createAuth: (config: AuthConfig) => AuthInstance;
992
+
993
+ declare const createAuthAPI: (ctx: GlobalContext) => {
994
+ getSession: (options: GetSessionAPIOptions) => Promise<SessionResponse>;
995
+ signIn: <Redirect extends boolean = true>(oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions<Redirect>) => Promise<SignInReturn<Redirect>>;
996
+ signOut: (options: SignOutAPIOptions) => Promise<Response>;
997
+ };
998
+
715
999
  /**
716
1000
  * Standard JWT claims that are managed internally by the token system.
717
1001
  * These fields are typically filtered out before returning user data.
@@ -727,7 +1011,7 @@ type JWTPayloadWithToken = JWTPayload & {
727
1011
  * Standardized user profile returned by OAuth providers after fetching user information
728
1012
  * and mapping the response to this format by default or via the `profile` custom function.
729
1013
  */
730
- interface User {
1014
+ interface User extends Record<string, unknown> {
731
1015
  sub: string;
732
1016
  name?: string | null;
733
1017
  email?: string | null;
@@ -740,6 +1024,8 @@ interface Session {
740
1024
  user: User;
741
1025
  expires: string;
742
1026
  }
1027
+ type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
1028
+ type ResponseType = LiteralUnion<"code" | "token" | "refresh_token" | "id_token">;
743
1029
  /**
744
1030
  * Configuration for an OAuth provider without credentials.
745
1031
  * Use this type when defining provider metadata and endpoints.
@@ -747,11 +1033,36 @@ interface Session {
747
1033
  interface OAuthProviderConfig<Profile extends object = Record<string, any>> {
748
1034
  id: string;
749
1035
  name: string;
750
- authorizeURL: string;
751
- accessToken: string;
752
- userInfo: string;
753
- scope: string;
754
- responseType: "code" | "token" | "refresh_token" | "id_token";
1036
+ /**
1037
+ * @deprecated
1038
+ * use `authorize` instead of `authorizeURL`
1039
+ */
1040
+ authorizeURL?: string;
1041
+ authorize: string | {
1042
+ url: string;
1043
+ params?: Partial<Record<AuthorizeParams, string> & {
1044
+ responseType: ResponseType;
1045
+ }>;
1046
+ };
1047
+ accessToken: string | {
1048
+ url: string;
1049
+ headers?: Record<string, string>;
1050
+ };
1051
+ userInfo: string | {
1052
+ url: string;
1053
+ headers?: Record<string, string>;
1054
+ method?: string;
1055
+ };
1056
+ /**
1057
+ * @deprecated
1058
+ * use `authorize.params.scope` instead of `scope`
1059
+ */
1060
+ scope?: string;
1061
+ /**
1062
+ * @deprecated
1063
+ * use `authorize.params.response_type` instead of `responseType`
1064
+ */
1065
+ responseType?: ResponseType;
755
1066
  profile?: (profile: Profile) => User | Promise<User>;
756
1067
  }
757
1068
  /**
@@ -873,6 +1184,10 @@ interface AuthConfig {
873
1184
  * doesn't exist, it will throw an error during the initialization of the Auth module.
874
1185
  */
875
1186
  secret?: string;
1187
+ /**
1188
+ * Base URL of the application, used to construct the incoming request's origin.
1189
+ */
1190
+ baseURL?: string;
876
1191
  /**
877
1192
  * Base path for all authentication routes. Default is `/auth`.
878
1193
  */
@@ -886,13 +1201,15 @@ interface AuthConfig {
886
1201
  * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
887
1202
  * inaccurate client IP logging.
888
1203
  *
1204
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1205
+ *
889
1206
  * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
890
1207
  * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
891
1208
  * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
892
1209
  * @experimental
893
1210
  */
894
1211
  trustedProxyHeaders?: boolean;
895
- logger?: Logger;
1212
+ logger?: boolean | Logger;
896
1213
  /**
897
1214
  * Defines trusted origins for your application to prevent open redirect attacks.
898
1215
  * URLs from the Referer header, Origin header, request URL, and redirectTo option
@@ -923,11 +1240,23 @@ type InternalLogger = {
923
1240
  level: LogLevel;
924
1241
  log: typeof createLogEntry;
925
1242
  };
1243
+ type SessionResponse = {
1244
+ session: Session;
1245
+ authenticated: true;
1246
+ } | {
1247
+ session: null;
1248
+ authenticated: false;
1249
+ };
1250
+ type GetSessionAPI = (options: {
1251
+ headers: HeadersInit;
1252
+ }) => Promise<SessionResponse>;
1253
+ type AuthAPI = ReturnType<typeof createAuthAPI>;
926
1254
  interface RouterGlobalContext {
927
1255
  oauth: OAuthProviderRecord;
928
1256
  cookies: CookieStoreConfig;
929
1257
  jose: JoseInstance;
930
1258
  secret?: string;
1259
+ baseURL?: string;
931
1260
  basePath: string;
932
1261
  trustedProxyHeaders: boolean;
933
1262
  trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
@@ -942,8 +1271,10 @@ interface AuthInstance {
942
1271
  handlers: {
943
1272
  GET: (request: Request) => Response | Promise<Response>;
944
1273
  POST: (request: Request) => Response | Promise<Response>;
1274
+ ALL: (request: Request) => Response | Promise<Response>;
945
1275
  };
946
1276
  jose: JoseInstance;
1277
+ api: AuthAPI;
947
1278
  }
948
1279
  /**
949
1280
  * Base OAuth error response structure.
@@ -999,9 +1330,48 @@ type SyslogOptions = {
999
1330
  * Logger function interface for structured logging.
1000
1331
  * Called when errors or warnings occur during authentication flows.
1001
1332
  */
1002
- type Logger = {
1003
- level: LogLevel;
1004
- log: (args: SyslogOptions) => void;
1333
+ interface Logger {
1334
+ level?: LogLevel;
1335
+ log?: (args: SyslogOptions) => void;
1336
+ }
1337
+ type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
1338
+ type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
1339
+ baseURL?: string;
1340
+ }>;
1341
+ interface SignInOptions {
1342
+ redirect?: boolean;
1343
+ redirectTo?: string;
1344
+ }
1345
+ interface SignOutOptions {
1346
+ redirect?: boolean;
1347
+ redirectTo?: string;
1348
+ }
1349
+ interface GetSessionAPIOptions {
1350
+ headers: HeadersInit;
1351
+ }
1352
+ interface SignOutAPIOptions {
1353
+ headers: HeadersInit;
1354
+ redirectTo?: string;
1355
+ skipCSRFCheck?: boolean;
1356
+ }
1357
+ interface SignInAPIOptions<Redirect extends boolean = boolean> {
1358
+ headers?: HeadersInit;
1359
+ redirect?: Redirect;
1360
+ redirectTo?: string;
1361
+ request?: Request;
1362
+ }
1363
+ type FunctionAPIContext<Options extends object> = {
1364
+ ctx: RouterGlobalContext;
1365
+ } & Options;
1366
+ type SignInReturn<Redirect extends boolean = boolean> = Redirect extends true ? Response : {
1367
+ redirect: false;
1368
+ signInURL: string;
1369
+ };
1370
+ type InternalContext = RouterGlobalContext & {
1371
+ cookieConfig: {
1372
+ secure: CookieStoreConfig;
1373
+ standard: CookieStoreConfig;
1374
+ };
1005
1375
  };
1006
1376
 
1007
- export { type SecureCookie as $, type AuthRuntimeConfig as A, figma as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type BitbucketProfile as H, type InternalLogger as I, type JWTPayloadWithToken as J, bitbucket as K, type Logger as L, type MailchimpProfile as M, type Nameplate as N, type OAuthProvider as O, type PinterestProfile as P, type GitHubProfile as Q, type RouterGlobalContext as R, type Session as S, type TrustedOrigin as T, type User as U, github as V, builtInOAuthProviders as W, type XProfile as X, createBuiltInOAuthProviders as Y, type BuiltInOAuthProvider as Z, type JWTStandardClaims as _, type CookieStoreConfig as a, type HostCookie as a0, type StandardCookie as a1, type CookieStrategyAttributes as a2, type CookieName as a3, type OAuthError as a4, type AuthorizationError as a5, type AccessTokenError as a6, type TokenRevocationError as a7, type OAuthEnv as a8, type Severity as a9, type SyslogOptions as aa, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type LogLevel as i, type APIErrorMap as j, type OAuthProviderRecord as k, logMessages as l, createLogEntry as m, type Login as n, mailchimp as o, pinterest as p, type SummaryClub as q, type SummaryGear as r, type StravaProfile as s, strava as t, type SpotifyImage as u, type SpotifyProfile as v, spotify as w, x, gitlab as y, discord as z };
1377
+ export { dropbox as $, type AuthConfig as A, type BuiltInOAuthProvider as B, type CookieConfig as C, createProxyLogger as D, type ErrorType as E, type FunctionAPIContext as F, type GetSessionAPIOptions as G, logMessages as H, type InternalContext as I, type JWTPayloadWithToken as J, createJoseInstance as K, type LogLevel as L, decodeJWTOptions as M, jwtVerificationOptions as N, type OAuthProviderRecord as O, type AtlassianProfile as P, type ExtendedProfile as Q, type RouterGlobalContext as R, type SessionResponse as S, type TrustedOrigin as T, type User as U, atlassian as V, type AccountType as W, type DropboxProfile as X, type FullTeam as Y, type Name as Z, type RootInfo as _, type InternalLogger as a, type Bot as a0, type NotionProfile as a1, type Owner as a2, type Person as a3, type User$1 as a4, notion as a5, type TwitchProfile as a6, twitch as a7, type PinterestProfile as a8, pinterest as a9, type AccessTokenError as aA, type AuthorizationError as aB, type AuthorizeParams as aC, type CookieName as aD, type CookieStrategyAttributes as aE, type GetSessionAPI as aF, type HostCookie as aG, type JWTStandardClaims as aH, type OAuthEnv as aI, type OAuthError as aJ, type ResponseType as aK, type SecureCookie as aL, type Severity as aM, type StandardCookie as aN, type SyslogOptions as aO, type TokenRevocationError as aP, type Login as aa, type MailchimpProfile as ab, mailchimp as ac, type StravaProfile as ad, type SummaryClub as ae, type SummaryGear as af, strava as ag, type XProfile as ah, x as ai, type SpotifyImage as aj, type SpotifyProfile as ak, spotify as al, type GitLabProfile as am, gitlab as an, type DiscordProfile as ao, type Nameplate as ap, discord as aq, type FigmaProfile as ar, figma as as, type BitbucketProfile as at, bitbucket as au, type GitHubProfile as av, github as aw, createBuiltInOAuthProviders as ax, createAuthInstance as ay, createAuthAPI as az, type CookieStoreConfig as b, type AuthRuntimeConfig as c, type AuthInternalErrorCode as d, type AuthSecurityErrorCode as e, type APIErrorMap as f, type SignInAPIOptions as g, type SignInReturn as h, type SignOutAPIOptions as i, type OAuthProviderCredentials as j, type OAuthProvider as k, type AuthClientOptions as l, type Session as m, type SignInOptions as n, type SignOutOptions as o, type AuthClient as p, type AuthAPI as q, type AuthInstance as r, type JoseInstance as s, type Logger as t, type OAuthProviderConfig as u, builtInOAuthProviders as v, createAuth as w, createSyslogMessage as x, createLogEntry as y, createLogger as z };