@aura-stack/auth 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (149) hide show
  1. package/dist/@types/index.d.ts +6 -2
  2. package/dist/@types/router.d.d.ts +6 -2
  3. package/dist/actions/callback/access-token.cjs +103 -59
  4. package/dist/actions/callback/access-token.d.ts +7 -3
  5. package/dist/actions/callback/access-token.js +3 -3
  6. package/dist/actions/callback/callback.cjs +200 -134
  7. package/dist/actions/callback/callback.d.ts +32 -3
  8. package/dist/actions/callback/callback.js +11 -12
  9. package/dist/actions/callback/userinfo.cjs +103 -70
  10. package/dist/actions/callback/userinfo.d.ts +6 -2
  11. package/dist/actions/callback/userinfo.js +7 -8
  12. package/dist/actions/csrfToken/csrfToken.cjs +7 -15
  13. package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
  14. package/dist/actions/csrfToken/csrfToken.js +7 -8
  15. package/dist/actions/index.cjs +502 -295
  16. package/dist/actions/index.d.ts +5 -2
  17. package/dist/actions/index.js +23 -20
  18. package/dist/actions/session/session.cjs +76 -24
  19. package/dist/actions/session/session.d.ts +3 -1
  20. package/dist/actions/session/session.js +6 -4
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +91 -132
  25. package/dist/actions/signIn/authorization.d.ts +17 -16
  26. package/dist/actions/signIn/authorization.js +8 -7
  27. package/dist/actions/signIn/signIn.cjs +319 -191
  28. package/dist/actions/signIn/signIn.d.ts +32 -3
  29. package/dist/actions/signIn/signIn.js +10 -9
  30. package/dist/actions/signOut/signOut.cjs +211 -212
  31. package/dist/actions/signOut/signOut.d.ts +9 -1
  32. package/dist/actions/signOut/signOut.js +9 -10
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +42 -9
  46. package/dist/assert.d.ts +8 -4
  47. package/dist/assert.js +5 -5
  48. package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-5X7JZMEF.js +0 -0
  54. package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
  55. package/dist/chunk-7YYXFKLR.js +35 -0
  56. package/dist/chunk-C3A37LQC.js +33 -0
  57. package/dist/chunk-CITNGXDA.js +31 -0
  58. package/dist/chunk-CWX724AG.js +78 -0
  59. package/dist/chunk-D2CSIUKP.js +74 -0
  60. package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
  61. package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
  62. package/dist/chunk-JOCGX3RP.js +59 -0
  63. package/dist/chunk-KBXWTD6E.js +94 -0
  64. package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
  65. package/dist/chunk-LAYPUDQF.js +39 -0
  66. package/dist/chunk-LX3TJ2TJ.js +294 -0
  67. package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
  68. package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
  69. package/dist/chunk-PHYNROD4.js +47 -0
  70. package/dist/chunk-QQEKY4XP.js +29 -0
  71. package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
  72. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  73. package/dist/chunk-UN7X6SU5.js +53 -0
  74. package/dist/chunk-UZQJJD6A.js +100 -0
  75. package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
  76. package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
  77. package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
  78. package/dist/client/client.cjs +135 -0
  79. package/dist/client/client.d.ts +85 -0
  80. package/dist/client/client.js +9 -0
  81. package/dist/client/index.cjs +135 -0
  82. package/dist/client/index.d.ts +14 -0
  83. package/dist/client/index.js +10 -0
  84. package/dist/context.cjs +1237 -0
  85. package/dist/context.d.ts +16 -0
  86. package/dist/context.js +28 -0
  87. package/dist/cookie.cjs +33 -2
  88. package/dist/cookie.d.ts +9 -5
  89. package/dist/cookie.js +3 -2
  90. package/dist/createAuth.cjs +2320 -0
  91. package/dist/createAuth.d.ts +12 -0
  92. package/dist/createAuth.js +48 -0
  93. package/dist/env.cjs +24 -2
  94. package/dist/env.d.ts +4 -1
  95. package/dist/env.js +9 -3
  96. package/dist/errors.cjs +17 -0
  97. package/dist/errors.d.ts +13 -3
  98. package/dist/errors.js +5 -1
  99. package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
  100. package/dist/index.cjs +2135 -1547
  101. package/dist/index.d.ts +9 -30
  102. package/dist/index.js +46 -119
  103. package/dist/jose.cjs +52 -14
  104. package/dist/jose.d.ts +12 -25
  105. package/dist/jose.js +11 -3
  106. package/dist/logger.cjs +132 -0
  107. package/dist/logger.d.ts +6 -2
  108. package/dist/logger.js +10 -1
  109. package/dist/oauth/atlassian.cjs +57 -0
  110. package/dist/oauth/atlassian.d.ts +12 -0
  111. package/dist/oauth/atlassian.js +6 -0
  112. package/dist/oauth/bitbucket.d.ts +6 -2
  113. package/dist/oauth/discord.d.ts +6 -2
  114. package/dist/oauth/dropbox.cjs +53 -0
  115. package/dist/oauth/dropbox.d.ts +12 -0
  116. package/dist/oauth/dropbox.js +6 -0
  117. package/dist/oauth/figma.d.ts +6 -2
  118. package/dist/oauth/github.d.ts +6 -2
  119. package/dist/oauth/gitlab.d.ts +6 -2
  120. package/dist/oauth/index.cjs +278 -88
  121. package/dist/oauth/index.d.ts +6 -2
  122. package/dist/oauth/index.js +27 -11
  123. package/dist/oauth/mailchimp.d.ts +6 -2
  124. package/dist/oauth/notion.cjs +131 -0
  125. package/dist/oauth/notion.d.ts +12 -0
  126. package/dist/oauth/notion.js +9 -0
  127. package/dist/oauth/pinterest.d.ts +6 -2
  128. package/dist/oauth/spotify.d.ts +6 -2
  129. package/dist/oauth/strava.d.ts +6 -2
  130. package/dist/oauth/twitch.cjs +95 -0
  131. package/dist/oauth/twitch.d.ts +12 -0
  132. package/dist/oauth/twitch.js +7 -0
  133. package/dist/oauth/x.d.ts +6 -2
  134. package/dist/schemas.cjs +84 -51
  135. package/dist/schemas.d.ts +103 -23
  136. package/dist/schemas.js +1 -1
  137. package/dist/secure.cjs +36 -36
  138. package/dist/secure.d.ts +10 -4
  139. package/dist/secure.js +7 -6
  140. package/dist/utils.cjs +109 -3
  141. package/dist/utils.d.ts +15 -4
  142. package/dist/utils.js +11 -4
  143. package/package.json +9 -5
  144. package/dist/chunk-4EKY7655.js +0 -123
  145. package/dist/chunk-7QF22LHP.js +0 -67
  146. package/dist/chunk-ALG3GIV4.js +0 -95
  147. package/dist/chunk-FRJFWTOY.js +0 -70
  148. package/dist/chunk-PHFH2MGS.js +0 -36
  149. package/dist/chunk-QQVSRXGX.js +0 -149
package/dist/schemas.d.ts CHANGED
@@ -1,17 +1,37 @@
1
- import { z } from 'zod';
1
+ import { z } from 'zod/v4';
2
2
 
3
3
  declare const OAuthProviderCredentialsSchema: z.ZodObject<{
4
4
  id: z.ZodString;
5
5
  name: z.ZodString;
6
- authorizeURL: z.ZodString;
7
- accessToken: z.ZodString;
8
- scope: z.ZodString;
9
- userInfo: z.ZodString;
10
- responseType: z.ZodEnum<{
6
+ authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
7
+ url: z.ZodString;
8
+ params: z.ZodObject<{
9
+ responseType: z.ZodOptional<z.ZodEnum<{
10
+ token: "token";
11
+ code: "code";
12
+ id_token: "id_token";
13
+ refresh_token: "refresh_token";
14
+ }>>;
15
+ scope: z.ZodOptional<z.ZodString>;
16
+ }, z.core.$strip>;
17
+ }, z.core.$strip>]>>;
18
+ authorizeURL: z.ZodOptional<z.ZodString>;
19
+ accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
20
+ url: z.ZodString;
21
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
22
+ }, z.core.$strip>]>;
23
+ scope: z.ZodOptional<z.ZodString>;
24
+ userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
25
+ url: z.ZodString;
26
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
27
+ method: z.ZodOptional<z.ZodString>;
28
+ }, z.core.$strip>]>;
29
+ responseType: z.ZodOptional<z.ZodEnum<{
11
30
  token: "token";
12
31
  code: "code";
13
32
  id_token: "id_token";
14
- }>;
33
+ refresh_token: "refresh_token";
34
+ }>>;
15
35
  clientId: z.ZodString;
16
36
  clientSecret: z.ZodString;
17
37
  profile: z.ZodOptional<z.ZodFunction<z.core.$ZodFunctionArgs, z.core.$ZodFunctionOut>>;
@@ -20,15 +40,35 @@ declare const OAuthProviderCredentialsSchema: z.ZodObject<{
20
40
  * Schema for OAuth Provider Configuration
21
41
  */
22
42
  declare const OAuthProviderConfigSchema: z.ZodObject<{
23
- authorizeURL: z.ZodString;
24
- accessToken: z.ZodString;
43
+ authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
44
+ url: z.ZodString;
45
+ params: z.ZodObject<{
46
+ responseType: z.ZodOptional<z.ZodEnum<{
47
+ token: "token";
48
+ code: "code";
49
+ id_token: "id_token";
50
+ refresh_token: "refresh_token";
51
+ }>>;
52
+ scope: z.ZodOptional<z.ZodString>;
53
+ }, z.core.$strip>;
54
+ }, z.core.$strip>]>>;
55
+ authorizeURL: z.ZodOptional<z.ZodString>;
56
+ accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
57
+ url: z.ZodString;
58
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
59
+ }, z.core.$strip>]>;
25
60
  scope: z.ZodOptional<z.ZodString>;
26
- userInfo: z.ZodString;
27
- responseType: z.ZodEnum<{
61
+ userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
62
+ url: z.ZodString;
63
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
64
+ method: z.ZodOptional<z.ZodString>;
65
+ }, z.core.$strip>]>;
66
+ responseType: z.ZodOptional<z.ZodEnum<{
28
67
  token: "token";
29
68
  code: "code";
30
69
  id_token: "id_token";
31
- }>;
70
+ refresh_token: "refresh_token";
71
+ }>>;
32
72
  clientId: z.ZodString;
33
73
  clientSecret: z.ZodString;
34
74
  }, z.core.$strip>;
@@ -38,15 +78,35 @@ declare const OAuthProviderConfigSchema: z.ZodObject<{
38
78
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
39
79
  */
40
80
  declare const OAuthAuthorization: z.ZodObject<{
41
- authorizeURL: z.ZodString;
42
- accessToken: z.ZodString;
81
+ authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
82
+ url: z.ZodString;
83
+ params: z.ZodObject<{
84
+ responseType: z.ZodOptional<z.ZodEnum<{
85
+ token: "token";
86
+ code: "code";
87
+ id_token: "id_token";
88
+ refresh_token: "refresh_token";
89
+ }>>;
90
+ scope: z.ZodOptional<z.ZodString>;
91
+ }, z.core.$strip>;
92
+ }, z.core.$strip>]>>;
93
+ authorizeURL: z.ZodOptional<z.ZodString>;
94
+ accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
95
+ url: z.ZodString;
96
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
97
+ }, z.core.$strip>]>;
43
98
  scope: z.ZodOptional<z.ZodString>;
44
- userInfo: z.ZodString;
45
- responseType: z.ZodEnum<{
99
+ userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
100
+ url: z.ZodString;
101
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
102
+ method: z.ZodOptional<z.ZodString>;
103
+ }, z.core.$strip>]>;
104
+ responseType: z.ZodOptional<z.ZodEnum<{
46
105
  token: "token";
47
106
  code: "code";
48
107
  id_token: "id_token";
49
- }>;
108
+ refresh_token: "refresh_token";
109
+ }>>;
50
110
  clientId: z.ZodString;
51
111
  clientSecret: z.ZodString;
52
112
  redirectURI: z.ZodString;
@@ -90,15 +150,35 @@ declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
90
150
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
91
151
  */
92
152
  declare const OAuthAccessToken: z.ZodObject<{
93
- authorizeURL: z.ZodString;
94
- accessToken: z.ZodString;
153
+ authorize: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
154
+ url: z.ZodString;
155
+ params: z.ZodObject<{
156
+ responseType: z.ZodOptional<z.ZodEnum<{
157
+ token: "token";
158
+ code: "code";
159
+ id_token: "id_token";
160
+ refresh_token: "refresh_token";
161
+ }>>;
162
+ scope: z.ZodOptional<z.ZodString>;
163
+ }, z.core.$strip>;
164
+ }, z.core.$strip>]>>;
165
+ authorizeURL: z.ZodOptional<z.ZodString>;
166
+ accessToken: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
167
+ url: z.ZodString;
168
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
169
+ }, z.core.$strip>]>;
95
170
  scope: z.ZodOptional<z.ZodString>;
96
- userInfo: z.ZodString;
97
- responseType: z.ZodEnum<{
171
+ userInfo: z.ZodUnion<readonly [z.ZodString, z.ZodObject<{
172
+ url: z.ZodString;
173
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
174
+ method: z.ZodOptional<z.ZodString>;
175
+ }, z.core.$strip>]>;
176
+ responseType: z.ZodOptional<z.ZodEnum<{
98
177
  token: "token";
99
178
  code: "code";
100
179
  id_token: "id_token";
101
- }>;
180
+ refresh_token: "refresh_token";
181
+ }>>;
102
182
  clientId: z.ZodString;
103
183
  clientSecret: z.ZodString;
104
184
  redirectURI: z.ZodString;
@@ -115,7 +195,7 @@ declare const OAuthAccessTokenResponse: z.ZodObject<{
115
195
  token_type: z.ZodOptional<z.ZodString>;
116
196
  expires_in: z.ZodOptional<z.ZodNumber>;
117
197
  refresh_token: z.ZodOptional<z.ZodString>;
118
- scope: z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>;
198
+ scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
119
199
  }, z.core.$strip>;
120
200
  /**
121
201
  * Schema for OAuth Access Token Error Response
package/dist/schemas.js CHANGED
@@ -9,7 +9,7 @@ import {
9
9
  OAuthErrorResponse,
10
10
  OAuthProviderConfigSchema,
11
11
  OAuthProviderCredentialsSchema
12
- } from "./chunk-KJBAQZX2.js";
12
+ } from "./chunk-2A5B7GWR.js";
13
13
  export {
14
14
  OAuthAccessToken,
15
15
  OAuthAccessTokenErrorResponse,
package/dist/secure.cjs CHANGED
@@ -1,9 +1,7 @@
1
1
  "use strict";
2
- var __create = Object.create;
3
2
  var __defProp = Object.defineProperty;
4
3
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
4
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
- var __getProtoOf = Object.getPrototypeOf;
7
5
  var __hasOwnProp = Object.prototype.hasOwnProperty;
8
6
  var __export = (target, all) => {
9
7
  for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
17
15
  }
18
16
  return to;
19
17
  };
20
- var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
- // If the importer is in node compatibility mode or this is not an ESM
22
- // file that has been converted to a CommonJS file using a Babel-
23
- // compatible transform (i.e. "__esModule" has not been set), then set
24
- // "default" to the CommonJS "module.exports" for node compatibility.
25
- isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
- mod
27
- ));
28
18
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
19
 
30
20
  // src/secure.ts
@@ -33,11 +23,11 @@ __export(secure_exports, {
33
23
  createCSRF: () => createCSRF,
34
24
  createHash: () => createHash,
35
25
  createPKCE: () => createPKCE,
26
+ createSecretValue: () => createSecretValue,
36
27
  generateSecure: () => generateSecure,
37
28
  verifyCSRF: () => verifyCSRF
38
29
  });
39
30
  module.exports = __toCommonJS(secure_exports);
40
- var import_crypto2 = __toESM(require("crypto"), 1);
41
31
 
42
32
  // src/utils.ts
43
33
  var import_router = require("@aura-stack/router");
@@ -54,26 +44,6 @@ var AuthSecurityError = class extends Error {
54
44
  }
55
45
  };
56
46
 
57
- // src/utils.ts
58
- var equals = (a, b) => {
59
- if (a === null || b === null || a === void 0 || b === void 0) return false;
60
- return a === b;
61
- };
62
-
63
- // src/assert.ts
64
- var import_crypto = require("crypto");
65
- var isJWTPayloadWithToken = (payload) => {
66
- return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
67
- };
68
- var safeEquals = (a, b) => {
69
- const bufferA = Buffer.from(a);
70
- const bufferB = Buffer.from(b);
71
- if (bufferA.length !== bufferB.length) {
72
- return false;
73
- }
74
- return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
75
- };
76
-
77
47
  // src/env.ts
78
48
  var import_meta = {};
79
49
  var env = new Proxy({}, {
@@ -103,8 +73,32 @@ var env = new Proxy({}, {
103
73
  }
104
74
  });
105
75
 
76
+ // src/assert.ts
77
+ var import_crypto = require("@aura-stack/jose/crypto");
78
+ var isJWTPayloadWithToken = (payload) => {
79
+ return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
80
+ };
81
+ var timingSafeEqual = (a, b) => {
82
+ const bufferA = import_crypto.encoder.encode(a);
83
+ const bufferB = import_crypto.encoder.encode(b);
84
+ const len = Math.max(bufferA.length, bufferB.length);
85
+ let diff = 0;
86
+ for (let i = 0; i < len; i++) {
87
+ diff |= (bufferA[i] ?? 0) ^ (bufferB[i] ?? 0);
88
+ }
89
+ return diff === 0 && bufferA.length === bufferB.length;
90
+ };
91
+
92
+ // src/utils.ts
93
+ var equals = (a, b) => {
94
+ if (a === null || b === null || a === void 0 || b === void 0) return false;
95
+ return a === b;
96
+ };
97
+
106
98
  // src/jose.ts
107
99
  var import_jose = require("@aura-stack/jose");
100
+ var import_jose2 = require("@aura-stack/jose/jose");
101
+ var import_crypto2 = require("@aura-stack/jose/crypto");
108
102
  var jwtVerificationOptions = {
109
103
  algorithms: ["HS256"],
110
104
  typ: "JWT"
@@ -112,10 +106,15 @@ var jwtVerificationOptions = {
112
106
 
113
107
  // src/secure.ts
114
108
  var generateSecure = (length = 32) => {
115
- return import_crypto2.default.randomBytes(length).toString("base64url");
109
+ return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
110
+ };
111
+ var createSecretValue = (length = 32) => {
112
+ return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
116
113
  };
117
- var createHash = (data, base = "hex") => {
118
- return import_crypto2.default.createHash("sha256").update(data).digest().toString(base);
114
+ var createHash = async (data) => {
115
+ const subtle = (0, import_crypto2.getSubtleCrypto)();
116
+ const digest = await subtle.digest("SHA-256", import_crypto2.encoder.encode(data));
117
+ return import_jose2.base64url.encode(new Uint8Array(digest));
119
118
  };
120
119
  var createPKCE = async (verifier) => {
121
120
  const byteLength = verifier ? void 0 : Math.floor(Math.random() * (96 - 32 + 1) + 32);
@@ -123,7 +122,7 @@ var createPKCE = async (verifier) => {
123
122
  if (codeVerifier.length < 43 || codeVerifier.length > 128) {
124
123
  throw new AuthSecurityError("PKCE_VERIFIER_INVALID", "The code verifier must be between 43 and 128 characters in length.");
125
124
  }
126
- const codeChallenge = createHash(codeVerifier, "base64url");
125
+ const codeChallenge = await createHash(codeVerifier);
127
126
  return { codeVerifier, codeChallenge, method: "S256" };
128
127
  };
129
128
  var createCSRF = async (jose, csrfCookie) => {
@@ -152,7 +151,7 @@ var verifyCSRF = async (jose, cookie, header) => {
152
151
  if (!equals(cookiePayload.token.length, headerPayload.token.length)) {
153
152
  throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
154
153
  }
155
- if (!safeEquals(cookiePayload.token, headerPayload.token)) {
154
+ if (!timingSafeEqual(cookiePayload.token, headerPayload.token)) {
156
155
  throw new AuthSecurityError("CSRF_TOKEN_INVALID", "The CSRF tokens do not match.");
157
156
  }
158
157
  return true;
@@ -165,6 +164,7 @@ var verifyCSRF = async (jose, cookie, header) => {
165
164
  createCSRF,
166
165
  createHash,
167
166
  createPKCE,
167
+ createSecretValue,
168
168
  generateSecure,
169
169
  verifyCSRF
170
170
  });
package/dist/secure.d.ts CHANGED
@@ -1,14 +1,20 @@
1
- import { A as AuthRuntimeConfig } from './index-CSyIJmCM.js';
1
+ import { c as AuthRuntimeConfig } from './index-_aXtxb_s.js';
2
2
  import 'zod';
3
3
  import './schemas.js';
4
- import './jose.js';
4
+ import 'zod/v4';
5
5
  import '@aura-stack/jose';
6
6
  import '@aura-stack/jose/jose';
7
+ import '@aura-stack/jose/crypto';
7
8
  import '@aura-stack/router/cookie';
8
9
  import './@types/utility.js';
10
+ import 'jose';
11
+ import '@aura-stack/router';
12
+ import 'zod/v4/core';
9
13
 
14
+ /** @deprecated use `createSecretValue` instead */
10
15
  declare const generateSecure: (length?: number) => string;
11
- declare const createHash: (data: string, base?: "hex" | "base64" | "base64url") => string;
16
+ declare const createSecretValue: (length?: number) => string;
17
+ declare const createHash: (data: string) => Promise<string>;
12
18
  /**
13
19
  * Creates the code challenge flow for PKCE OAuth flow. It generates a code verifier and its corresponding
14
20
  * code challenge using SHA-256 hashing.
@@ -32,4 +38,4 @@ declare const createPKCE: (verifier?: string) => Promise<{
32
38
  declare const createCSRF: (jose: AuthRuntimeConfig["jose"], csrfCookie?: string) => Promise<string>;
33
39
  declare const verifyCSRF: (jose: AuthRuntimeConfig["jose"], cookie: string, header: string) => Promise<boolean>;
34
40
 
35
- export { createCSRF, createHash, createPKCE, generateSecure, verifyCSRF };
41
+ export { createCSRF, createHash, createPKCE, createSecretValue, generateSecure, verifyCSRF };
package/dist/secure.js CHANGED
@@ -2,18 +2,19 @@ import {
2
2
  createCSRF,
3
3
  createHash,
4
4
  createPKCE,
5
+ createSecretValue,
5
6
  generateSecure,
6
7
  verifyCSRF
7
- } from "./chunk-NUDITUKX.js";
8
- import "./chunk-4EKY7655.js";
9
- import "./chunk-QQVSRXGX.js";
10
- import "./chunk-FRJFWTOY.js";
11
- import "./chunk-4MYWAOLG.js";
12
- import "./chunk-RRLIF4PQ.js";
8
+ } from "./chunk-V6LLEAR4.js";
9
+ import "./chunk-UZQJJD6A.js";
10
+ import "./chunk-LX3TJ2TJ.js";
11
+ import "./chunk-WHNDRO3N.js";
12
+ import "./chunk-U5663F2U.js";
13
13
  export {
14
14
  createCSRF,
15
15
  createHash,
16
16
  createPKCE,
17
+ createSecretValue,
17
18
  generateSecure,
18
19
  verifyCSRF
19
20
  };
package/dist/utils.cjs CHANGED
@@ -20,6 +20,8 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
20
20
  // src/utils.ts
21
21
  var utils_exports = {};
22
22
  __export(utils_exports, {
23
+ AURA_AUTH_VERSION: () => AURA_AUTH_VERSION,
24
+ createBasicAuthHeader: () => createBasicAuthHeader,
23
25
  createErrorHandler: () => createErrorHandler,
24
26
  createStructuredData: () => createStructuredData,
25
27
  equals: () => equals,
@@ -31,7 +33,8 @@ __export(utils_exports, {
31
33
  toISOString: () => toISOString,
32
34
  toSnakeCase: () => toSnakeCase,
33
35
  toUpperCase: () => toUpperCase,
34
- useSecureCookies: () => useSecureCookies
36
+ useSecureCookies: () => useSecureCookies,
37
+ validateRedirectTo: () => validateRedirectTo
35
38
  });
36
39
  module.exports = __toCommonJS(utils_exports);
37
40
  var import_router = require("@aura-stack/router");
@@ -79,7 +82,91 @@ var isAuthSecurityError = (error) => {
79
82
  return error instanceof AuthSecurityError;
80
83
  };
81
84
 
85
+ // src/env.ts
86
+ var import_meta = {};
87
+ var env = new Proxy({}, {
88
+ get(_, prop) {
89
+ if (typeof prop !== "string") return void 0;
90
+ const hasProperty = (process2) => {
91
+ return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
92
+ };
93
+ try {
94
+ if (typeof process !== "undefined" && hasProperty(process.env)) {
95
+ return process.env[prop];
96
+ }
97
+ if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
98
+ return import_meta.env[prop];
99
+ }
100
+ if (typeof Deno !== "undefined" && Deno.env?.get) {
101
+ return Deno.env.get(prop);
102
+ }
103
+ if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
104
+ return Bun.env[prop];
105
+ }
106
+ const globalValue = globalThis[prop];
107
+ return typeof globalValue === "string" ? globalValue : void 0;
108
+ } catch {
109
+ return void 0;
110
+ }
111
+ }
112
+ });
113
+ var getEnv = (key) => {
114
+ const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
115
+ return env[keys.find((k) => env[k]) ?? ""];
116
+ };
117
+
118
+ // src/assert.ts
119
+ var import_crypto = require("@aura-stack/jose/crypto");
120
+ var unsafeChars = [
121
+ "<",
122
+ ">",
123
+ '"',
124
+ "`",
125
+ " ",
126
+ "\r",
127
+ "\n",
128
+ " ",
129
+ "\\",
130
+ "%2F",
131
+ "%5C",
132
+ "%2f",
133
+ "%5c",
134
+ "\r\n",
135
+ "%0A",
136
+ "%0D",
137
+ "%0a",
138
+ "%0d",
139
+ "..",
140
+ "//",
141
+ "///",
142
+ "...",
143
+ "%20",
144
+ "\0"
145
+ ];
146
+ var isValidURL = (value) => {
147
+ if (!new RegExp(/^https?:\/\/[^/]/).test(value)) {
148
+ return false;
149
+ }
150
+ const match = value.match(/^(https?:\/\/)(.*)$/);
151
+ if (!match) return false;
152
+ const rest = match[2];
153
+ for (const char of unsafeChars) {
154
+ if (rest.includes(char)) return false;
155
+ }
156
+ const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/;
157
+ return regex.test(match[0]);
158
+ };
159
+ var isRelativeURL = (value) => {
160
+ if (value.length > 100) return false;
161
+ for (const char of unsafeChars) {
162
+ if (value.includes(char)) return false;
163
+ }
164
+ const regex = /^\/[a-zA-Z0-9\-_\/.?&=#]*\/?$/;
165
+ return regex.test(value);
166
+ };
167
+
82
168
  // src/utils.ts
169
+ var AURA_AUTH_VERSION = "0.4.0";
83
170
  var toSnakeCase = (str) => {
84
171
  return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
85
172
  };
@@ -172,7 +259,9 @@ var toISOString = (date) => {
172
259
  return new Date(date).toISOString();
173
260
  };
174
261
  var useSecureCookies = (request, trustedProxyHeaders) => {
175
- return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
262
+ const headers = request instanceof Headers ? request : request.headers;
263
+ const url = request instanceof Headers ? null : request.url;
264
+ return trustedProxyHeaders ? url?.startsWith("https://") || headers.get("X-Forwarded-Proto") === "https" || (headers.get("Forwarded")?.includes("proto=https") ?? false) : url?.startsWith("https://") ?? false;
176
265
  };
177
266
  var formatZodError = (error) => {
178
267
  if (!error.issues || error.issues.length === 0) {
@@ -206,8 +295,24 @@ var getErrorName = (error) => {
206
295
  }
207
296
  return typeof error === "string" ? error : "UnknownError";
208
297
  };
298
+ var createBasicAuthHeader = (username, password) => {
299
+ const getUsername = getEnv(username.toUpperCase()) ?? username;
300
+ const getPassword = getEnv(password.toUpperCase()) ?? password;
301
+ if (!getUsername || !getPassword) {
302
+ throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "Missing client credentials for OAuth provider configuration.");
303
+ }
304
+ const credentials = `${getUsername}:${getPassword}`;
305
+ return `Basic ${btoa(credentials)}`;
306
+ };
307
+ var validateRedirectTo = (url) => {
308
+ if (!isRelativeURL(url) && !isValidURL(url)) return "/";
309
+ if (isRelativeURL(url)) return url;
310
+ return "/";
311
+ };
209
312
  // Annotate the CommonJS export names for ESM import in node:
210
313
  0 && (module.exports = {
314
+ AURA_AUTH_VERSION,
315
+ createBasicAuthHeader,
211
316
  createErrorHandler,
212
317
  createStructuredData,
213
318
  equals,
@@ -219,5 +324,6 @@ var getErrorName = (error) => {
219
324
  toISOString,
220
325
  toSnakeCase,
221
326
  toUpperCase,
222
- useSecureCookies
327
+ useSecureCookies,
328
+ validateRedirectTo
223
329
  });
package/dist/utils.d.ts CHANGED
@@ -1,13 +1,17 @@
1
1
  import { RouterConfig } from '@aura-stack/router';
2
2
  import { ZodError } from 'zod';
3
- import { I as InternalLogger, j as APIErrorMap } from './index-CSyIJmCM.js';
3
+ import { a as InternalLogger, f as APIErrorMap } from './index-_aXtxb_s.js';
4
4
  import './schemas.js';
5
- import './jose.js';
5
+ import 'zod/v4';
6
6
  import '@aura-stack/jose';
7
7
  import '@aura-stack/jose/jose';
8
+ import '@aura-stack/jose/crypto';
8
9
  import '@aura-stack/router/cookie';
9
10
  import './@types/utility.js';
11
+ import 'jose';
12
+ import 'zod/v4/core';
10
13
 
14
+ declare const AURA_AUTH_VERSION = "0.4.0";
11
15
  declare const toSnakeCase: (str: string) => string;
12
16
  declare const toUpperCase: (str: string) => string;
13
17
  declare const toCastCase: <Obj extends Record<string, string>, Type extends "snake" | "upper">(obj: Obj, type?: Type) => Type extends "snake" ? { [K in keyof Obj as `${string & K}`]: Obj[K]; } : { [K in keyof Obj as Uppercase<string & K>]: Obj[K]; };
@@ -15,10 +19,17 @@ declare const equals: (a: string | number | undefined | null, b: string | number
15
19
  declare const createErrorHandler: (logger?: InternalLogger) => RouterConfig["onError"];
16
20
  declare const getBaseURL: (request: Request) => string;
17
21
  declare const toISOString: (date: Date | string | number) => string;
18
- declare const useSecureCookies: (request: Request, trustedProxyHeaders: boolean) => boolean;
22
+ declare const useSecureCookies: (request: Request | Headers, trustedProxyHeaders: boolean) => boolean;
19
23
  declare const formatZodError: <T extends Record<string, unknown> = Record<string, unknown>>(error: ZodError<T>) => APIErrorMap;
20
24
  declare const extractPath: (url: string) => string;
21
25
  declare const createStructuredData: (data: Record<string, string | number | boolean>, sdID?: string) => string;
22
26
  declare const getErrorName: (error: unknown) => string;
27
+ declare const createBasicAuthHeader: (username: string, password: string) => string;
28
+ /**
29
+ * Validates and sanitizes redirect URLs to prevent open redirect attacks.
30
+ * Only relative URLs (starting with /) are allowed; absolute URLs are
31
+ * rejected and replaced with "/" to enforce same-origin redirects.
32
+ */
33
+ declare const validateRedirectTo: (url: string) => string;
23
34
 
24
- export { createErrorHandler, createStructuredData, equals, extractPath, formatZodError, getBaseURL, getErrorName, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies };
35
+ export { AURA_AUTH_VERSION, createBasicAuthHeader, createErrorHandler, createStructuredData, equals, extractPath, formatZodError, getBaseURL, getErrorName, toCastCase, toISOString, toSnakeCase, toUpperCase, useSecureCookies, validateRedirectTo };
package/dist/utils.js CHANGED
@@ -1,4 +1,6 @@
1
1
  import {
2
+ AURA_AUTH_VERSION,
3
+ createBasicAuthHeader,
2
4
  createErrorHandler,
3
5
  createStructuredData,
4
6
  equals,
@@ -10,10 +12,14 @@ import {
10
12
  toISOString,
11
13
  toSnakeCase,
12
14
  toUpperCase,
13
- useSecureCookies
14
- } from "./chunk-QQVSRXGX.js";
15
- import "./chunk-RRLIF4PQ.js";
15
+ useSecureCookies,
16
+ validateRedirectTo
17
+ } from "./chunk-LX3TJ2TJ.js";
18
+ import "./chunk-WHNDRO3N.js";
19
+ import "./chunk-U5663F2U.js";
16
20
  export {
21
+ AURA_AUTH_VERSION,
22
+ createBasicAuthHeader,
17
23
  createErrorHandler,
18
24
  createStructuredData,
19
25
  equals,
@@ -25,5 +31,6 @@ export {
25
31
  toISOString,
26
32
  toSnakeCase,
27
33
  toUpperCase,
28
- useSecureCookies
34
+ useSecureCookies,
35
+ validateRedirectTo
29
36
  };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aura-stack/auth",
3
- "version": "0.4.0",
3
+ "version": "0.5.0",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "description": "Core auth for @aura-stack/auth",
@@ -30,6 +30,11 @@
30
30
  "types": "./dist/@types/index.d.ts",
31
31
  "import": "./dist/@types/index.js",
32
32
  "require": "./dist/@types/index.cjs"
33
+ },
34
+ "./client": {
35
+ "types": "./dist/client/index.d.ts",
36
+ "import": "./dist/client/index.js",
37
+ "require": "./dist/client/index.cjs"
33
38
  }
34
39
  },
35
40
  "keywords": [
@@ -44,12 +49,11 @@
44
49
  },
45
50
  "license": "MIT",
46
51
  "dependencies": {
47
- "@aura-stack/router": "^0.5.0",
48
- "zod": "^4.3.5",
49
- "@aura-stack/jose": "0.3.0"
52
+ "@aura-stack/router": "^0.6.0",
53
+ "zod": "4.3.5",
54
+ "@aura-stack/jose": "0.4.0"
50
55
  },
51
56
  "devDependencies": {
52
- "@types/node": "^24.9.2",
53
57
  "typescript": "^5.9.2",
54
58
  "@aura-stack/tsconfig": "0.0.0",
55
59
  "@aura-stack/tsup-config": "0.0.0"