@aura-stack/auth 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/@types/index.d.ts +6 -2
- package/dist/@types/router.d.d.ts +6 -2
- package/dist/actions/callback/access-token.cjs +103 -59
- package/dist/actions/callback/access-token.d.ts +7 -3
- package/dist/actions/callback/access-token.js +3 -3
- package/dist/actions/callback/callback.cjs +200 -134
- package/dist/actions/callback/callback.d.ts +32 -3
- package/dist/actions/callback/callback.js +11 -12
- package/dist/actions/callback/userinfo.cjs +103 -70
- package/dist/actions/callback/userinfo.d.ts +6 -2
- package/dist/actions/callback/userinfo.js +7 -8
- package/dist/actions/csrfToken/csrfToken.cjs +7 -15
- package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
- package/dist/actions/csrfToken/csrfToken.js +7 -8
- package/dist/actions/index.cjs +502 -295
- package/dist/actions/index.d.ts +5 -2
- package/dist/actions/index.js +23 -20
- package/dist/actions/session/session.cjs +76 -24
- package/dist/actions/session/session.d.ts +3 -1
- package/dist/actions/session/session.js +6 -4
- package/dist/actions/signIn/authorization-url.cjs +288 -0
- package/dist/actions/signIn/authorization-url.d.ts +31 -0
- package/dist/actions/signIn/authorization-url.js +16 -0
- package/dist/actions/signIn/authorization.cjs +91 -132
- package/dist/actions/signIn/authorization.d.ts +17 -16
- package/dist/actions/signIn/authorization.js +8 -7
- package/dist/actions/signIn/signIn.cjs +319 -191
- package/dist/actions/signIn/signIn.d.ts +32 -3
- package/dist/actions/signIn/signIn.js +10 -9
- package/dist/actions/signOut/signOut.cjs +211 -212
- package/dist/actions/signOut/signOut.d.ts +9 -1
- package/dist/actions/signOut/signOut.js +9 -10
- package/dist/api/createApi.cjs +750 -0
- package/dist/api/createApi.d.ts +12 -0
- package/dist/api/createApi.js +19 -0
- package/dist/api/getSession.cjs +141 -0
- package/dist/api/getSession.d.ts +16 -0
- package/dist/api/getSession.js +10 -0
- package/dist/api/signIn.cjs +549 -0
- package/dist/api/signIn.d.ts +26 -0
- package/dist/api/signIn.js +15 -0
- package/dist/api/signOut.cjs +279 -0
- package/dist/api/signOut.d.ts +16 -0
- package/dist/api/signOut.js +13 -0
- package/dist/assert.cjs +42 -9
- package/dist/assert.d.ts +8 -4
- package/dist/assert.js +5 -5
- package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
- package/dist/chunk-2GQLSIJ2.js +40 -0
- package/dist/chunk-2IR674WX.js +44 -0
- package/dist/chunk-3J5TUH2I.js +50 -0
- package/dist/chunk-4RWSYUKX.js +98 -0
- package/dist/chunk-5X7JZMEF.js +0 -0
- package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
- package/dist/chunk-7YYXFKLR.js +35 -0
- package/dist/chunk-C3A37LQC.js +33 -0
- package/dist/chunk-CITNGXDA.js +31 -0
- package/dist/chunk-CWX724AG.js +78 -0
- package/dist/chunk-D2CSIUKP.js +74 -0
- package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
- package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
- package/dist/chunk-JOCGX3RP.js +59 -0
- package/dist/chunk-KBXWTD6E.js +94 -0
- package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
- package/dist/chunk-LAYPUDQF.js +39 -0
- package/dist/chunk-LX3TJ2TJ.js +294 -0
- package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
- package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
- package/dist/chunk-PHYNROD4.js +47 -0
- package/dist/chunk-QQEKY4XP.js +29 -0
- package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
- package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
- package/dist/chunk-UN7X6SU5.js +53 -0
- package/dist/chunk-UZQJJD6A.js +100 -0
- package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
- package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
- package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
- package/dist/client/client.cjs +135 -0
- package/dist/client/client.d.ts +85 -0
- package/dist/client/client.js +9 -0
- package/dist/client/index.cjs +135 -0
- package/dist/client/index.d.ts +14 -0
- package/dist/client/index.js +10 -0
- package/dist/context.cjs +1237 -0
- package/dist/context.d.ts +16 -0
- package/dist/context.js +28 -0
- package/dist/cookie.cjs +33 -2
- package/dist/cookie.d.ts +9 -5
- package/dist/cookie.js +3 -2
- package/dist/createAuth.cjs +2320 -0
- package/dist/createAuth.d.ts +12 -0
- package/dist/createAuth.js +48 -0
- package/dist/env.cjs +24 -2
- package/dist/env.d.ts +4 -1
- package/dist/env.js +9 -3
- package/dist/errors.cjs +17 -0
- package/dist/errors.d.ts +13 -3
- package/dist/errors.js +5 -1
- package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
- package/dist/index.cjs +2135 -1547
- package/dist/index.d.ts +9 -30
- package/dist/index.js +46 -119
- package/dist/jose.cjs +52 -14
- package/dist/jose.d.ts +12 -25
- package/dist/jose.js +11 -3
- package/dist/logger.cjs +132 -0
- package/dist/logger.d.ts +6 -2
- package/dist/logger.js +10 -1
- package/dist/oauth/atlassian.cjs +57 -0
- package/dist/oauth/atlassian.d.ts +12 -0
- package/dist/oauth/atlassian.js +6 -0
- package/dist/oauth/bitbucket.d.ts +6 -2
- package/dist/oauth/discord.d.ts +6 -2
- package/dist/oauth/dropbox.cjs +53 -0
- package/dist/oauth/dropbox.d.ts +12 -0
- package/dist/oauth/dropbox.js +6 -0
- package/dist/oauth/figma.d.ts +6 -2
- package/dist/oauth/github.d.ts +6 -2
- package/dist/oauth/gitlab.d.ts +6 -2
- package/dist/oauth/index.cjs +278 -88
- package/dist/oauth/index.d.ts +6 -2
- package/dist/oauth/index.js +27 -11
- package/dist/oauth/mailchimp.d.ts +6 -2
- package/dist/oauth/notion.cjs +131 -0
- package/dist/oauth/notion.d.ts +12 -0
- package/dist/oauth/notion.js +9 -0
- package/dist/oauth/pinterest.d.ts +6 -2
- package/dist/oauth/spotify.d.ts +6 -2
- package/dist/oauth/strava.d.ts +6 -2
- package/dist/oauth/twitch.cjs +95 -0
- package/dist/oauth/twitch.d.ts +12 -0
- package/dist/oauth/twitch.js +7 -0
- package/dist/oauth/x.d.ts +6 -2
- package/dist/schemas.cjs +84 -51
- package/dist/schemas.d.ts +103 -23
- package/dist/schemas.js +1 -1
- package/dist/secure.cjs +36 -36
- package/dist/secure.d.ts +10 -4
- package/dist/secure.js +7 -6
- package/dist/utils.cjs +109 -3
- package/dist/utils.d.ts +15 -4
- package/dist/utils.js +11 -4
- package/package.json +9 -5
- package/dist/chunk-4EKY7655.js +0 -123
- package/dist/chunk-7QF22LHP.js +0 -67
- package/dist/chunk-ALG3GIV4.js +0 -95
- package/dist/chunk-FRJFWTOY.js +0 -70
- package/dist/chunk-PHFH2MGS.js +0 -36
- package/dist/chunk-QQVSRXGX.js +0 -149
package/dist/schemas.d.ts
CHANGED
|
@@ -1,17 +1,37 @@
|
|
|
1
|
-
import { z } from 'zod';
|
|
1
|
+
import { z } from 'zod/v4';
|
|
2
2
|
|
|
3
3
|
declare const OAuthProviderCredentialsSchema: z.ZodObject<{
|
|
4
4
|
id: z.ZodString;
|
|
5
5
|
name: z.ZodString;
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
6
|
+
authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
7
|
+
url: z.ZodString;
|
|
8
|
+
params: z.ZodObject<{
|
|
9
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
10
|
+
token: "token";
|
|
11
|
+
code: "code";
|
|
12
|
+
id_token: "id_token";
|
|
13
|
+
refresh_token: "refresh_token";
|
|
14
|
+
}>>;
|
|
15
|
+
scope: z.ZodOptional<z.ZodString>;
|
|
16
|
+
}, z.core.$strip>;
|
|
17
|
+
}, z.core.$strip>]>>;
|
|
18
|
+
authorizeURL: z.ZodOptional<z.ZodString>;
|
|
19
|
+
accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
20
|
+
url: z.ZodString;
|
|
21
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
22
|
+
}, z.core.$strip>]>;
|
|
23
|
+
scope: z.ZodOptional<z.ZodString>;
|
|
24
|
+
userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
25
|
+
url: z.ZodString;
|
|
26
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
27
|
+
method: z.ZodOptional<z.ZodString>;
|
|
28
|
+
}, z.core.$strip>]>;
|
|
29
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
11
30
|
token: "token";
|
|
12
31
|
code: "code";
|
|
13
32
|
id_token: "id_token";
|
|
14
|
-
|
|
33
|
+
refresh_token: "refresh_token";
|
|
34
|
+
}>>;
|
|
15
35
|
clientId: z.ZodString;
|
|
16
36
|
clientSecret: z.ZodString;
|
|
17
37
|
profile: z.ZodOptional<z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>>;
|
|
@@ -20,15 +40,35 @@ declare const OAuthProviderCredentialsSchema: z.ZodObject<{
|
|
|
20
40
|
* Schema for OAuth Provider Configuration
|
|
21
41
|
*/
|
|
22
42
|
declare const OAuthProviderConfigSchema: z.ZodObject<{
|
|
23
|
-
|
|
24
|
-
|
|
43
|
+
authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
44
|
+
url: z.ZodString;
|
|
45
|
+
params: z.ZodObject<{
|
|
46
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
47
|
+
token: "token";
|
|
48
|
+
code: "code";
|
|
49
|
+
id_token: "id_token";
|
|
50
|
+
refresh_token: "refresh_token";
|
|
51
|
+
}>>;
|
|
52
|
+
scope: z.ZodOptional<z.ZodString>;
|
|
53
|
+
}, z.core.$strip>;
|
|
54
|
+
}, z.core.$strip>]>>;
|
|
55
|
+
authorizeURL: z.ZodOptional<z.ZodString>;
|
|
56
|
+
accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
57
|
+
url: z.ZodString;
|
|
58
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
59
|
+
}, z.core.$strip>]>;
|
|
25
60
|
scope: z.ZodOptional<z.ZodString>;
|
|
26
|
-
userInfo: z.ZodString
|
|
27
|
-
|
|
61
|
+
userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
62
|
+
url: z.ZodString;
|
|
63
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
64
|
+
method: z.ZodOptional<z.ZodString>;
|
|
65
|
+
}, z.core.$strip>]>;
|
|
66
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
28
67
|
token: "token";
|
|
29
68
|
code: "code";
|
|
30
69
|
id_token: "id_token";
|
|
31
|
-
|
|
70
|
+
refresh_token: "refresh_token";
|
|
71
|
+
}>>;
|
|
32
72
|
clientId: z.ZodString;
|
|
33
73
|
clientSecret: z.ZodString;
|
|
34
74
|
}, z.core.$strip>;
|
|
@@ -38,15 +78,35 @@ declare const OAuthProviderConfigSchema: z.ZodObject<{
|
|
|
38
78
|
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
|
|
39
79
|
*/
|
|
40
80
|
declare const OAuthAuthorization: z.ZodObject<{
|
|
41
|
-
|
|
42
|
-
|
|
81
|
+
authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
82
|
+
url: z.ZodString;
|
|
83
|
+
params: z.ZodObject<{
|
|
84
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
85
|
+
token: "token";
|
|
86
|
+
code: "code";
|
|
87
|
+
id_token: "id_token";
|
|
88
|
+
refresh_token: "refresh_token";
|
|
89
|
+
}>>;
|
|
90
|
+
scope: z.ZodOptional<z.ZodString>;
|
|
91
|
+
}, z.core.$strip>;
|
|
92
|
+
}, z.core.$strip>]>>;
|
|
93
|
+
authorizeURL: z.ZodOptional<z.ZodString>;
|
|
94
|
+
accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
95
|
+
url: z.ZodString;
|
|
96
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
97
|
+
}, z.core.$strip>]>;
|
|
43
98
|
scope: z.ZodOptional<z.ZodString>;
|
|
44
|
-
userInfo: z.ZodString
|
|
45
|
-
|
|
99
|
+
userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
100
|
+
url: z.ZodString;
|
|
101
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
102
|
+
method: z.ZodOptional<z.ZodString>;
|
|
103
|
+
}, z.core.$strip>]>;
|
|
104
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
46
105
|
token: "token";
|
|
47
106
|
code: "code";
|
|
48
107
|
id_token: "id_token";
|
|
49
|
-
|
|
108
|
+
refresh_token: "refresh_token";
|
|
109
|
+
}>>;
|
|
50
110
|
clientId: z.ZodString;
|
|
51
111
|
clientSecret: z.ZodString;
|
|
52
112
|
redirectURI: z.ZodString;
|
|
@@ -90,15 +150,35 @@ declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
|
|
|
90
150
|
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
|
|
91
151
|
*/
|
|
92
152
|
declare const OAuthAccessToken: z.ZodObject<{
|
|
93
|
-
|
|
94
|
-
|
|
153
|
+
authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
154
|
+
url: z.ZodString;
|
|
155
|
+
params: z.ZodObject<{
|
|
156
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
157
|
+
token: "token";
|
|
158
|
+
code: "code";
|
|
159
|
+
id_token: "id_token";
|
|
160
|
+
refresh_token: "refresh_token";
|
|
161
|
+
}>>;
|
|
162
|
+
scope: z.ZodOptional<z.ZodString>;
|
|
163
|
+
}, z.core.$strip>;
|
|
164
|
+
}, z.core.$strip>]>>;
|
|
165
|
+
authorizeURL: z.ZodOptional<z.ZodString>;
|
|
166
|
+
accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
167
|
+
url: z.ZodString;
|
|
168
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
169
|
+
}, z.core.$strip>]>;
|
|
95
170
|
scope: z.ZodOptional<z.ZodString>;
|
|
96
|
-
userInfo: z.ZodString
|
|
97
|
-
|
|
171
|
+
userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
|
|
172
|
+
url: z.ZodString;
|
|
173
|
+
headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
174
|
+
method: z.ZodOptional<z.ZodString>;
|
|
175
|
+
}, z.core.$strip>]>;
|
|
176
|
+
responseType: z.ZodOptional<z.ZodEnum<{
|
|
98
177
|
token: "token";
|
|
99
178
|
code: "code";
|
|
100
179
|
id_token: "id_token";
|
|
101
|
-
|
|
180
|
+
refresh_token: "refresh_token";
|
|
181
|
+
}>>;
|
|
102
182
|
clientId: z.ZodString;
|
|
103
183
|
clientSecret: z.ZodString;
|
|
104
184
|
redirectURI: z.ZodString;
|
|
@@ -115,7 +195,7 @@ declare const OAuthAccessTokenResponse: z.ZodObject<{
|
|
|
115
195
|
token_type: z.ZodOptional<z.ZodString>;
|
|
116
196
|
expires_in: z.ZodOptional<z.ZodNumber>;
|
|
117
197
|
refresh_token: z.ZodOptional<z.ZodString>;
|
|
118
|
-
scope: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>;
|
|
198
|
+
scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
|
|
119
199
|
}, z.core.$strip>;
|
|
120
200
|
/**
|
|
121
201
|
* Schema for OAuth Access Token Error Response
|
package/dist/schemas.js
CHANGED
package/dist/secure.cjs
CHANGED
|
@@ -1,9 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __create = Object.create;
|
|
3
2
|
var __defProp = Object.defineProperty;
|
|
4
3
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
4
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
6
|
-
var __getProtoOf = Object.getPrototypeOf;
|
|
7
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
8
6
|
var __export = (target, all) => {
|
|
9
7
|
for (var name in all)
|
|
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
17
15
|
}
|
|
18
16
|
return to;
|
|
19
17
|
};
|
|
20
|
-
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
|
|
21
|
-
// If the importer is in node compatibility mode or this is not an ESM
|
|
22
|
-
// file that has been converted to a CommonJS file using a Babel-
|
|
23
|
-
// compatible transform (i.e. "__esModule" has not been set), then set
|
|
24
|
-
// "default" to the CommonJS "module.exports" for node compatibility.
|
|
25
|
-
isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
|
|
26
|
-
mod
|
|
27
|
-
));
|
|
28
18
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
29
19
|
|
|
30
20
|
// src/secure.ts
|
|
@@ -33,11 +23,11 @@ __export(secure_exports, {
|
|
|
33
23
|
createCSRF: () => createCSRF,
|
|
34
24
|
createHash: () => createHash,
|
|
35
25
|
createPKCE: () => createPKCE,
|
|
26
|
+
createSecretValue: () => createSecretValue,
|
|
36
27
|
generateSecure: () => generateSecure,
|
|
37
28
|
verifyCSRF: () => verifyCSRF
|
|
38
29
|
});
|
|
39
30
|
module.exports = __toCommonJS(secure_exports);
|
|
40
|
-
var import_crypto2 = __toESM(require("crypto"), 1);
|
|
41
31
|
|
|
42
32
|
// src/utils.ts
|
|
43
33
|
var import_router = require("@aura-stack/router");
|
|
@@ -54,26 +44,6 @@ var AuthSecurityError = class extends Error {
|
|
|
54
44
|
}
|
|
55
45
|
};
|
|
56
46
|
|
|
57
|
-
// src/utils.ts
|
|
58
|
-
var equals = (a, b) => {
|
|
59
|
-
if (a === null || b === null || a === void 0 || b === void 0) return false;
|
|
60
|
-
return a === b;
|
|
61
|
-
};
|
|
62
|
-
|
|
63
|
-
// src/assert.ts
|
|
64
|
-
var import_crypto = require("crypto");
|
|
65
|
-
var isJWTPayloadWithToken = (payload) => {
|
|
66
|
-
return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
|
|
67
|
-
};
|
|
68
|
-
var safeEquals = (a, b) => {
|
|
69
|
-
const bufferA = Buffer.from(a);
|
|
70
|
-
const bufferB = Buffer.from(b);
|
|
71
|
-
if (bufferA.length !== bufferB.length) {
|
|
72
|
-
return false;
|
|
73
|
-
}
|
|
74
|
-
return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
|
|
75
|
-
};
|
|
76
|
-
|
|
77
47
|
// src/env.ts
|
|
78
48
|
var import_meta = {};
|
|
79
49
|
var env = new Proxy({}, {
|
|
@@ -103,8 +73,32 @@ var env = new Proxy({}, {
|
|
|
103
73
|
}
|
|
104
74
|
});
|
|
105
75
|
|
|
76
|
+
// src/assert.ts
|
|
77
|
+
var import_crypto = require("@aura-stack/jose/crypto");
|
|
78
|
+
var isJWTPayloadWithToken = (payload) => {
|
|
79
|
+
return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
|
|
80
|
+
};
|
|
81
|
+
var timingSafeEqual = (a, b) => {
|
|
82
|
+
const bufferA = import_crypto.encoder.encode(a);
|
|
83
|
+
const bufferB = import_crypto.encoder.encode(b);
|
|
84
|
+
const len = Math.max(bufferA.length, bufferB.length);
|
|
85
|
+
let diff = 0;
|
|
86
|
+
for (let i = 0; i < len; i++) {
|
|
87
|
+
diff |= (bufferA[i] ?? 0) ^ (bufferB[i] ?? 0);
|
|
88
|
+
}
|
|
89
|
+
return diff === 0 && bufferA.length === bufferB.length;
|
|
90
|
+
};
|
|
91
|
+
|
|
92
|
+
// src/utils.ts
|
|
93
|
+
var equals = (a, b) => {
|
|
94
|
+
if (a === null || b === null || a === void 0 || b === void 0) return false;
|
|
95
|
+
return a === b;
|
|
96
|
+
};
|
|
97
|
+
|
|
106
98
|
// src/jose.ts
|
|
107
99
|
var import_jose = require("@aura-stack/jose");
|
|
100
|
+
var import_jose2 = require("@aura-stack/jose/jose");
|
|
101
|
+
var import_crypto2 = require("@aura-stack/jose/crypto");
|
|
108
102
|
var jwtVerificationOptions = {
|
|
109
103
|
algorithms: ["HS256"],
|
|
110
104
|
typ: "JWT"
|
|
@@ -112,10 +106,15 @@ var jwtVerificationOptions = {
|
|
|
112
106
|
|
|
113
107
|
// src/secure.ts
|
|
114
108
|
var generateSecure = (length = 32) => {
|
|
115
|
-
return
|
|
109
|
+
return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
|
|
110
|
+
};
|
|
111
|
+
var createSecretValue = (length = 32) => {
|
|
112
|
+
return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
|
|
116
113
|
};
|
|
117
|
-
var createHash = (data
|
|
118
|
-
|
|
114
|
+
var createHash = async (data) => {
|
|
115
|
+
const subtle = (0, import_crypto2.getSubtleCrypto)();
|
|
116
|
+
const digest = await subtle.digest("SHA-256", import_crypto2.encoder.encode(data));
|
|
117
|
+
return import_jose2.base64url.encode(new Uint8Array(digest));
|
|
119
118
|
};
|
|
120
119
|
var createPKCE = async (verifier) => {
|
|
121
120
|
const byteLength = verifier ? void 0 : Math.floor(Math.random() * (96 - 32 + 1) + 32);
|
|
@@ -123,7 +122,7 @@ var createPKCE = async (verifier) => {
|
|
|
123
122
|
if (codeVerifier.length < 43 || codeVerifier.length > 128) {
|
|
124
123
|
throw new AuthSecurityError("PKCE_VERIFIER_INVALID", "The code verifier must be between 43 and 128 characters in length.");
|
|
125
124
|
}
|
|
126
|
-
const codeChallenge = createHash(codeVerifier
|
|
125
|
+
const codeChallenge = await createHash(codeVerifier);
|
|
127
126
|
return { codeVerifier, codeChallenge, method: "S256" };
|
|
128
127
|
};
|
|
129
128
|
var createCSRF = async (jose, csrfCookie) => {
|
|
@@ -152,7 +151,7 @@ var verifyCSRF = async (jose, cookie, header) => {
|
|
|
152
151
|
if (!equals(cookiePayload.token.length, headerPayload.token.length)) {
|
|
153
152
|
throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
|
|
154
153
|
}
|
|
155
|
-
if (!
|
|
154
|
+
if (!timingSafeEqual(cookiePayload.token, headerPayload.token)) {
|
|
156
155
|
throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
|
|
157
156
|
}
|
|
158
157
|
return true;
|
|
@@ -165,6 +164,7 @@ var verifyCSRF = async (jose, cookie, header) => {
|
|
|
165
164
|
createCSRF,
|
|
166
165
|
createHash,
|
|
167
166
|
createPKCE,
|
|
167
|
+
createSecretValue,
|
|
168
168
|
generateSecure,
|
|
169
169
|
verifyCSRF
|
|
170
170
|
});
|
package/dist/secure.d.ts
CHANGED
|
@@ -1,14 +1,20 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { c as AuthRuntimeConfig } from './index-_aXtxb_s.js';
|
|
2
2
|
import 'zod';
|
|
3
3
|
import './schemas.js';
|
|
4
|
-
import '
|
|
4
|
+
import 'zod/v4';
|
|
5
5
|
import '@aura-stack/jose';
|
|
6
6
|
import '@aura-stack/jose/jose';
|
|
7
|
+
import '@aura-stack/jose/crypto';
|
|
7
8
|
import '@aura-stack/router/cookie';
|
|
8
9
|
import './@types/utility.js';
|
|
10
|
+
import 'jose';
|
|
11
|
+
import '@aura-stack/router';
|
|
12
|
+
import 'zod/v4/core';
|
|
9
13
|
|
|
14
|
+
/** @deprecated use `createSecretValue` instead */
|
|
10
15
|
declare const generateSecure: (length?: number) => string;
|
|
11
|
-
declare const
|
|
16
|
+
declare const createSecretValue: (length?: number) => string;
|
|
17
|
+
declare const createHash: (data: string) => Promise<string>;
|
|
12
18
|
/**
|
|
13
19
|
* Creates the code challenge flow for PKCE OAuth flow. It generates a code verifier and its corresponding
|
|
14
20
|
* code challenge using SHA-256 hashing.
|
|
@@ -32,4 +38,4 @@ declare const createPKCE: (verifier?: string) => Promise<{
|
|
|
32
38
|
declare const createCSRF: (jose: AuthRuntimeConfig["jose"], csrfCookie?: string) => Promise<string>;
|
|
33
39
|
declare const verifyCSRF: (jose: AuthRuntimeConfig["jose"], cookie: string, header: string) => Promise<boolean>;
|
|
34
40
|
|
|
35
|
-
export { createCSRF, createHash, createPKCE, generateSecure, verifyCSRF };
|
|
41
|
+
export { createCSRF, createHash, createPKCE, createSecretValue, generateSecure, verifyCSRF };
|
package/dist/secure.js
CHANGED
|
@@ -2,18 +2,19 @@ import {
|
|
|
2
2
|
createCSRF,
|
|
3
3
|
createHash,
|
|
4
4
|
createPKCE,
|
|
5
|
+
createSecretValue,
|
|
5
6
|
generateSecure,
|
|
6
7
|
verifyCSRF
|
|
7
|
-
} from "./chunk-
|
|
8
|
-
import "./chunk-
|
|
9
|
-
import "./chunk-
|
|
10
|
-
import "./chunk-
|
|
11
|
-
import "./chunk-
|
|
12
|
-
import "./chunk-RRLIF4PQ.js";
|
|
8
|
+
} from "./chunk-V6LLEAR4.js";
|
|
9
|
+
import "./chunk-UZQJJD6A.js";
|
|
10
|
+
import "./chunk-LX3TJ2TJ.js";
|
|
11
|
+
import "./chunk-WHNDRO3N.js";
|
|
12
|
+
import "./chunk-U5663F2U.js";
|
|
13
13
|
export {
|
|
14
14
|
createCSRF,
|
|
15
15
|
createHash,
|
|
16
16
|
createPKCE,
|
|
17
|
+
createSecretValue,
|
|
17
18
|
generateSecure,
|
|
18
19
|
verifyCSRF
|
|
19
20
|
};
|
package/dist/utils.cjs
CHANGED
|
@@ -20,6 +20,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
|
|
|
20
20
|
// src/utils.ts
|
|
21
21
|
var utils_exports = {};
|
|
22
22
|
__export(utils_exports, {
|
|
23
|
+
AURA_AUTH_VERSION: () => AURA_AUTH_VERSION,
|
|
24
|
+
createBasicAuthHeader: () => createBasicAuthHeader,
|
|
23
25
|
createErrorHandler: () => createErrorHandler,
|
|
24
26
|
createStructuredData: () => createStructuredData,
|
|
25
27
|
equals: () => equals,
|
|
@@ -31,7 +33,8 @@ __export(utils_exports, {
|
|
|
31
33
|
toISOString: () => toISOString,
|
|
32
34
|
toSnakeCase: () => toSnakeCase,
|
|
33
35
|
toUpperCase: () => toUpperCase,
|
|
34
|
-
useSecureCookies: () => useSecureCookies
|
|
36
|
+
useSecureCookies: () => useSecureCookies,
|
|
37
|
+
validateRedirectTo: () => validateRedirectTo
|
|
35
38
|
});
|
|
36
39
|
module.exports = __toCommonJS(utils_exports);
|
|
37
40
|
var import_router = require("@aura-stack/router");
|
|
@@ -79,7 +82,91 @@ var isAuthSecurityError = (error) => {
|
|
|
79
82
|
return error instanceof AuthSecurityError;
|
|
80
83
|
};
|
|
81
84
|
|
|
85
|
+
// src/env.ts
|
|
86
|
+
var import_meta = {};
|
|
87
|
+
var env = new Proxy({}, {
|
|
88
|
+
get(_, prop) {
|
|
89
|
+
if (typeof prop !== "string") return void 0;
|
|
90
|
+
const hasProperty = (process2) => {
|
|
91
|
+
return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
|
|
92
|
+
};
|
|
93
|
+
try {
|
|
94
|
+
if (typeof process !== "undefined" && hasProperty(process.env)) {
|
|
95
|
+
return process.env[prop];
|
|
96
|
+
}
|
|
97
|
+
if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
|
|
98
|
+
return import_meta.env[prop];
|
|
99
|
+
}
|
|
100
|
+
if (typeof Deno !== "undefined" && Deno.env?.get) {
|
|
101
|
+
return Deno.env.get(prop);
|
|
102
|
+
}
|
|
103
|
+
if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
|
|
104
|
+
return Bun.env[prop];
|
|
105
|
+
}
|
|
106
|
+
const globalValue = globalThis[prop];
|
|
107
|
+
return typeof globalValue === "string" ? globalValue : void 0;
|
|
108
|
+
} catch {
|
|
109
|
+
return void 0;
|
|
110
|
+
}
|
|
111
|
+
}
|
|
112
|
+
});
|
|
113
|
+
var getEnv = (key) => {
|
|
114
|
+
const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
|
|
115
|
+
return env[keys.find((k) => env[k]) ?? ""];
|
|
116
|
+
};
|
|
117
|
+
|
|
118
|
+
// src/assert.ts
|
|
119
|
+
var import_crypto = require("@aura-stack/jose/crypto");
|
|
120
|
+
var unsafeChars = [
|
|
121
|
+
"<",
|
|
122
|
+
">",
|
|
123
|
+
'"',
|
|
124
|
+
"`",
|
|
125
|
+
" ",
|
|
126
|
+
"\r",
|
|
127
|
+
"\n",
|
|
128
|
+
" ",
|
|
129
|
+
"\\",
|
|
130
|
+
"%2F",
|
|
131
|
+
"%5C",
|
|
132
|
+
"%2f",
|
|
133
|
+
"%5c",
|
|
134
|
+
"\r\n",
|
|
135
|
+
"%0A",
|
|
136
|
+
"%0D",
|
|
137
|
+
"%0a",
|
|
138
|
+
"%0d",
|
|
139
|
+
"..",
|
|
140
|
+
"//",
|
|
141
|
+
"///",
|
|
142
|
+
"...",
|
|
143
|
+
"%20",
|
|
144
|
+
"\0"
|
|
145
|
+
];
|
|
146
|
+
var isValidURL = (value) => {
|
|
147
|
+
if (!new RegExp(/^https?:\/\/[^/]/).test(value)) {
|
|
148
|
+
return false;
|
|
149
|
+
}
|
|
150
|
+
const match = value.match(/^(https?:\/\/)(.*)$/);
|
|
151
|
+
if (!match) return false;
|
|
152
|
+
const rest = match[2];
|
|
153
|
+
for (const char of unsafeChars) {
|
|
154
|
+
if (rest.includes(char)) return false;
|
|
155
|
+
}
|
|
156
|
+
const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/;
|
|
157
|
+
return regex.test(match[0]);
|
|
158
|
+
};
|
|
159
|
+
var isRelativeURL = (value) => {
|
|
160
|
+
if (value.length > 100) return false;
|
|
161
|
+
for (const char of unsafeChars) {
|
|
162
|
+
if (value.includes(char)) return false;
|
|
163
|
+
}
|
|
164
|
+
const regex = /^\/[a-zA-Z0-9\-_\/.?&=#]*\/?$/;
|
|
165
|
+
return regex.test(value);
|
|
166
|
+
};
|
|
167
|
+
|
|
82
168
|
// src/utils.ts
|
|
169
|
+
var AURA_AUTH_VERSION = "0.4.0";
|
|
83
170
|
var toSnakeCase = (str) => {
|
|
84
171
|
return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
|
|
85
172
|
};
|
|
@@ -172,7 +259,9 @@ var toISOString = (date) => {
|
|
|
172
259
|
return new Date(date).toISOString();
|
|
173
260
|
};
|
|
174
261
|
var useSecureCookies = (request, trustedProxyHeaders) => {
|
|
175
|
-
|
|
262
|
+
const headers = request instanceof Headers ? request : request.headers;
|
|
263
|
+
const url = request instanceof Headers ? null : request.url;
|
|
264
|
+
return trustedProxyHeaders ? url?.startsWith("https://") || headers.get("X-Forwarded-Proto") === "https" || (headers.get("Forwarded")?.includes("proto=https") ?? false) : url?.startsWith("https://") ?? false;
|
|
176
265
|
};
|
|
177
266
|
var formatZodError = (error) => {
|
|
178
267
|
if (!error.issues || error.issues.length === 0) {
|
|
@@ -206,8 +295,24 @@ var getErrorName = (error) => {
|
|
|
206
295
|
}
|
|
207
296
|
return typeof error === "string" ? error : "UnknownError";
|
|
208
297
|
};
|
|
298
|
+
var createBasicAuthHeader = (username, password) => {
|
|
299
|
+
const getUsername = getEnv(username.toUpperCase()) ?? username;
|
|
300
|
+
const getPassword = getEnv(password.toUpperCase()) ?? password;
|
|
301
|
+
if (!getUsername || !getPassword) {
|
|
302
|
+
throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "Missing client credentials for OAuth provider configuration.");
|
|
303
|
+
}
|
|
304
|
+
const credentials = `${getUsername}:${getPassword}`;
|
|
305
|
+
return `Basic ${btoa(credentials)}`;
|
|
306
|
+
};
|
|
307
|
+
var validateRedirectTo = (url) => {
|
|
308
|
+
if (!isRelativeURL(url) && !isValidURL(url)) return "/";
|
|
309
|
+
if (isRelativeURL(url)) return url;
|
|
310
|
+
return "/";
|
|
311
|
+
};
|
|
209
312
|
// Annotate the CommonJS export names for ESM import in node:
|
|
210
313
|
0 && (module.exports = {
|
|
314
|
+
AURA_AUTH_VERSION,
|
|
315
|
+
createBasicAuthHeader,
|
|
211
316
|
createErrorHandler,
|
|
212
317
|
createStructuredData,
|
|
213
318
|
equals,
|
|
@@ -219,5 +324,6 @@ var getErrorName = (error) => {
|
|
|
219
324
|
toISOString,
|
|
220
325
|
toSnakeCase,
|
|
221
326
|
toUpperCase,
|
|
222
|
-
useSecureCookies
|
|
327
|
+
useSecureCookies,
|
|
328
|
+
validateRedirectTo
|
|
223
329
|
});
|
package/dist/utils.d.ts
CHANGED
|
@@ -1,13 +1,17 @@
|
|
|
1
1
|
import { RouterConfig } from '@aura-stack/router';
|
|
2
2
|
import { ZodError } from 'zod';
|
|
3
|
-
import {
|
|
3
|
+
import { a as InternalLogger, f as APIErrorMap } from './index-_aXtxb_s.js';
|
|
4
4
|
import './schemas.js';
|
|
5
|
-
import '
|
|
5
|
+
import 'zod/v4';
|
|
6
6
|
import '@aura-stack/jose';
|
|
7
7
|
import '@aura-stack/jose/jose';
|
|
8
|
+
import '@aura-stack/jose/crypto';
|
|
8
9
|
import '@aura-stack/router/cookie';
|
|
9
10
|
import './@types/utility.js';
|
|
11
|
+
import 'jose';
|
|
12
|
+
import 'zod/v4/core';
|
|
10
13
|
|
|
14
|
+
declare const AURA_AUTH_VERSION = "0.4.0";
|
|
11
15
|
declare const toSnakeCase: (str: string) => string;
|
|
12
16
|
declare const toUpperCase: (str: string) => string;
|
|
13
17
|
declare const toCastCase: <Obj extends Record<string, string>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
|
|
@@ -15,10 +19,17 @@ declare const equals: (a: string | number | undefined | null, b: string | number
|
|
|
15
19
|
declare const createErrorHandler: (logger?: InternalLogger) => RouterConfig["onError"];
|
|
16
20
|
declare const getBaseURL: (request: Request) => string;
|
|
17
21
|
declare const toISOString: (date: Date | string | number) => string;
|
|
18
|
-
declare const useSecureCookies: (request: Request, trustedProxyHeaders: boolean) => boolean;
|
|
22
|
+
declare const useSecureCookies: (request: Request | Headers, trustedProxyHeaders: boolean) => boolean;
|
|
19
23
|
declare const formatZodError: <T extends Record<string, unknown> = Record<string, unknown>>(error: ZodError<T>) => APIErrorMap;
|
|
20
24
|
declare const extractPath: (url: string) => string;
|
|
21
25
|
declare const createStructuredData: (data: Record<string, string | number | boolean>, sdID?: string) => string;
|
|
22
26
|
declare const getErrorName: (error: unknown) => string;
|
|
27
|
+
declare const createBasicAuthHeader: (username: string, password: string) => string;
|
|
28
|
+
/**
|
|
29
|
+
* Validates and sanitizes redirect URLs to prevent open redirect attacks.
|
|
30
|
+
* Only relative URLs (starting with /) are allowed; absolute URLs are
|
|
31
|
+
* rejected and replaced with "/" to enforce same-origin redirects.
|
|
32
|
+
*/
|
|
33
|
+
declare const validateRedirectTo: (url: string) => string;
|
|
23
34
|
|
|
24
|
-
export { createErrorHandler, createStructuredData, equals, extractPath, formatZodError, getBaseURL, getErrorName, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies };
|
|
35
|
+
export { AURA_AUTH_VERSION, createBasicAuthHeader, createErrorHandler, createStructuredData, equals, extractPath, formatZodError, getBaseURL, getErrorName, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies, validateRedirectTo };
|
package/dist/utils.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
|
+
AURA_AUTH_VERSION,
|
|
3
|
+
createBasicAuthHeader,
|
|
2
4
|
createErrorHandler,
|
|
3
5
|
createStructuredData,
|
|
4
6
|
equals,
|
|
@@ -10,10 +12,14 @@ import {
|
|
|
10
12
|
toISOString,
|
|
11
13
|
toSnakeCase,
|
|
12
14
|
toUpperCase,
|
|
13
|
-
useSecureCookies
|
|
14
|
-
|
|
15
|
-
|
|
15
|
+
useSecureCookies,
|
|
16
|
+
validateRedirectTo
|
|
17
|
+
} from "./chunk-LX3TJ2TJ.js";
|
|
18
|
+
import "./chunk-WHNDRO3N.js";
|
|
19
|
+
import "./chunk-U5663F2U.js";
|
|
16
20
|
export {
|
|
21
|
+
AURA_AUTH_VERSION,
|
|
22
|
+
createBasicAuthHeader,
|
|
17
23
|
createErrorHandler,
|
|
18
24
|
createStructuredData,
|
|
19
25
|
equals,
|
|
@@ -25,5 +31,6 @@ export {
|
|
|
25
31
|
toISOString,
|
|
26
32
|
toSnakeCase,
|
|
27
33
|
toUpperCase,
|
|
28
|
-
useSecureCookies
|
|
34
|
+
useSecureCookies,
|
|
35
|
+
validateRedirectTo
|
|
29
36
|
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@aura-stack/auth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"private": false,
|
|
5
5
|
"type": "module",
|
|
6
6
|
"description": "Core auth for @aura-stack/auth",
|
|
@@ -30,6 +30,11 @@
|
|
|
30
30
|
"types": "./dist/@types/index.d.ts",
|
|
31
31
|
"import": "./dist/@types/index.js",
|
|
32
32
|
"require": "./dist/@types/index.cjs"
|
|
33
|
+
},
|
|
34
|
+
"./client": {
|
|
35
|
+
"types": "./dist/client/index.d.ts",
|
|
36
|
+
"import": "./dist/client/index.js",
|
|
37
|
+
"require": "./dist/client/index.cjs"
|
|
33
38
|
}
|
|
34
39
|
},
|
|
35
40
|
"keywords": [
|
|
@@ -44,12 +49,11 @@
|
|
|
44
49
|
},
|
|
45
50
|
"license": "MIT",
|
|
46
51
|
"dependencies": {
|
|
47
|
-
"@aura-stack/router": "^0.
|
|
48
|
-
"zod": "
|
|
49
|
-
"@aura-stack/jose": "0.
|
|
52
|
+
"@aura-stack/router": "^0.6.0",
|
|
53
|
+
"zod": "4.3.5",
|
|
54
|
+
"@aura-stack/jose": "0.4.0"
|
|
50
55
|
},
|
|
51
56
|
"devDependencies": {
|
|
52
|
-
"@types/node": "^24.9.2",
|
|
53
57
|
"typescript": "^5.9.2",
|
|
54
58
|
"@aura-stack/tsconfig": "0.0.0",
|
|
55
59
|
"@aura-stack/tsup-config": "0.0.0"
|