@aura-stack/auth 0.4.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/@types/index.d.ts +6 -2
- package/dist/@types/router.d.d.ts +6 -2
- package/dist/actions/callback/access-token.cjs +103 -59
- package/dist/actions/callback/access-token.d.ts +7 -3
- package/dist/actions/callback/access-token.js +3 -3
- package/dist/actions/callback/callback.cjs +200 -134
- package/dist/actions/callback/callback.d.ts +32 -3
- package/dist/actions/callback/callback.js +11 -12
- package/dist/actions/callback/userinfo.cjs +103 -70
- package/dist/actions/callback/userinfo.d.ts +6 -2
- package/dist/actions/callback/userinfo.js +7 -8
- package/dist/actions/csrfToken/csrfToken.cjs +7 -15
- package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
- package/dist/actions/csrfToken/csrfToken.js +7 -8
- package/dist/actions/index.cjs +502 -295
- package/dist/actions/index.d.ts +5 -2
- package/dist/actions/index.js +23 -20
- package/dist/actions/session/session.cjs +76 -24
- package/dist/actions/session/session.d.ts +3 -1
- package/dist/actions/session/session.js +6 -4
- package/dist/actions/signIn/authorization-url.cjs +288 -0
- package/dist/actions/signIn/authorization-url.d.ts +31 -0
- package/dist/actions/signIn/authorization-url.js +16 -0
- package/dist/actions/signIn/authorization.cjs +91 -132
- package/dist/actions/signIn/authorization.d.ts +17 -16
- package/dist/actions/signIn/authorization.js +8 -7
- package/dist/actions/signIn/signIn.cjs +319 -191
- package/dist/actions/signIn/signIn.d.ts +32 -3
- package/dist/actions/signIn/signIn.js +10 -9
- package/dist/actions/signOut/signOut.cjs +211 -212
- package/dist/actions/signOut/signOut.d.ts +9 -1
- package/dist/actions/signOut/signOut.js +9 -10
- package/dist/api/createApi.cjs +750 -0
- package/dist/api/createApi.d.ts +12 -0
- package/dist/api/createApi.js +19 -0
- package/dist/api/getSession.cjs +141 -0
- package/dist/api/getSession.d.ts +16 -0
- package/dist/api/getSession.js +10 -0
- package/dist/api/signIn.cjs +549 -0
- package/dist/api/signIn.d.ts +26 -0
- package/dist/api/signIn.js +15 -0
- package/dist/api/signOut.cjs +279 -0
- package/dist/api/signOut.d.ts +16 -0
- package/dist/api/signOut.js +13 -0
- package/dist/assert.cjs +42 -9
- package/dist/assert.d.ts +8 -4
- package/dist/assert.js +5 -5
- package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
- package/dist/chunk-2GQLSIJ2.js +40 -0
- package/dist/chunk-2IR674WX.js +44 -0
- package/dist/chunk-3J5TUH2I.js +50 -0
- package/dist/chunk-4RWSYUKX.js +98 -0
- package/dist/chunk-5X7JZMEF.js +0 -0
- package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
- package/dist/chunk-7YYXFKLR.js +35 -0
- package/dist/chunk-C3A37LQC.js +33 -0
- package/dist/chunk-CITNGXDA.js +31 -0
- package/dist/chunk-CWX724AG.js +78 -0
- package/dist/chunk-D2CSIUKP.js +74 -0
- package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
- package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
- package/dist/chunk-JOCGX3RP.js +59 -0
- package/dist/chunk-KBXWTD6E.js +94 -0
- package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
- package/dist/chunk-LAYPUDQF.js +39 -0
- package/dist/chunk-LX3TJ2TJ.js +294 -0
- package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
- package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
- package/dist/chunk-PHYNROD4.js +47 -0
- package/dist/chunk-QQEKY4XP.js +29 -0
- package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
- package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
- package/dist/chunk-UN7X6SU5.js +53 -0
- package/dist/chunk-UZQJJD6A.js +100 -0
- package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
- package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
- package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
- package/dist/client/client.cjs +135 -0
- package/dist/client/client.d.ts +85 -0
- package/dist/client/client.js +9 -0
- package/dist/client/index.cjs +135 -0
- package/dist/client/index.d.ts +14 -0
- package/dist/client/index.js +10 -0
- package/dist/context.cjs +1237 -0
- package/dist/context.d.ts +16 -0
- package/dist/context.js +28 -0
- package/dist/cookie.cjs +33 -2
- package/dist/cookie.d.ts +9 -5
- package/dist/cookie.js +3 -2
- package/dist/createAuth.cjs +2320 -0
- package/dist/createAuth.d.ts +12 -0
- package/dist/createAuth.js +48 -0
- package/dist/env.cjs +24 -2
- package/dist/env.d.ts +4 -1
- package/dist/env.js +9 -3
- package/dist/errors.cjs +17 -0
- package/dist/errors.d.ts +13 -3
- package/dist/errors.js +5 -1
- package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
- package/dist/index.cjs +2135 -1547
- package/dist/index.d.ts +9 -30
- package/dist/index.js +46 -119
- package/dist/jose.cjs +52 -14
- package/dist/jose.d.ts +12 -25
- package/dist/jose.js +11 -3
- package/dist/logger.cjs +132 -0
- package/dist/logger.d.ts +6 -2
- package/dist/logger.js +10 -1
- package/dist/oauth/atlassian.cjs +57 -0
- package/dist/oauth/atlassian.d.ts +12 -0
- package/dist/oauth/atlassian.js +6 -0
- package/dist/oauth/bitbucket.d.ts +6 -2
- package/dist/oauth/discord.d.ts +6 -2
- package/dist/oauth/dropbox.cjs +53 -0
- package/dist/oauth/dropbox.d.ts +12 -0
- package/dist/oauth/dropbox.js +6 -0
- package/dist/oauth/figma.d.ts +6 -2
- package/dist/oauth/github.d.ts +6 -2
- package/dist/oauth/gitlab.d.ts +6 -2
- package/dist/oauth/index.cjs +278 -88
- package/dist/oauth/index.d.ts +6 -2
- package/dist/oauth/index.js +27 -11
- package/dist/oauth/mailchimp.d.ts +6 -2
- package/dist/oauth/notion.cjs +131 -0
- package/dist/oauth/notion.d.ts +12 -0
- package/dist/oauth/notion.js +9 -0
- package/dist/oauth/pinterest.d.ts +6 -2
- package/dist/oauth/spotify.d.ts +6 -2
- package/dist/oauth/strava.d.ts +6 -2
- package/dist/oauth/twitch.cjs +95 -0
- package/dist/oauth/twitch.d.ts +12 -0
- package/dist/oauth/twitch.js +7 -0
- package/dist/oauth/x.d.ts +6 -2
- package/dist/schemas.cjs +84 -51
- package/dist/schemas.d.ts +103 -23
- package/dist/schemas.js +1 -1
- package/dist/secure.cjs +36 -36
- package/dist/secure.d.ts +10 -4
- package/dist/secure.js +7 -6
- package/dist/utils.cjs +109 -3
- package/dist/utils.d.ts +15 -4
- package/dist/utils.js +11 -4
- package/package.json +9 -5
- package/dist/chunk-4EKY7655.js +0 -123
- package/dist/chunk-7QF22LHP.js +0 -67
- package/dist/chunk-ALG3GIV4.js +0 -95
- package/dist/chunk-FRJFWTOY.js +0 -70
- package/dist/chunk-PHFH2MGS.js +0 -36
- package/dist/chunk-QQVSRXGX.js +0 -149
package/dist/chunk-4EKY7655.js
DELETED
|
@@ -1,123 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
equals
|
|
3
|
-
} from "./chunk-QQVSRXGX.js";
|
|
4
|
-
|
|
5
|
-
// src/assert.ts
|
|
6
|
-
import { timingSafeEqual } from "crypto";
|
|
7
|
-
var isFalsy = (value) => {
|
|
8
|
-
return value === false || value === 0 || value === "" || value === null || value === void 0 || Number.isNaN(value);
|
|
9
|
-
};
|
|
10
|
-
var isRequest = (value) => {
|
|
11
|
-
return typeof Request !== "undefined" && value instanceof Request;
|
|
12
|
-
};
|
|
13
|
-
var unsafeChars = [
|
|
14
|
-
"<",
|
|
15
|
-
">",
|
|
16
|
-
'"',
|
|
17
|
-
"`",
|
|
18
|
-
" ",
|
|
19
|
-
"\r",
|
|
20
|
-
"\n",
|
|
21
|
-
" ",
|
|
22
|
-
"\\",
|
|
23
|
-
"%2F",
|
|
24
|
-
"%5C",
|
|
25
|
-
"%2f",
|
|
26
|
-
"%5c",
|
|
27
|
-
"\r\n",
|
|
28
|
-
"%0A",
|
|
29
|
-
"%0D",
|
|
30
|
-
"%0a",
|
|
31
|
-
"%0d",
|
|
32
|
-
"..",
|
|
33
|
-
"//",
|
|
34
|
-
"///",
|
|
35
|
-
"...",
|
|
36
|
-
"%20",
|
|
37
|
-
"\0"
|
|
38
|
-
];
|
|
39
|
-
var isValidURL = (value) => {
|
|
40
|
-
if (!new RegExp(/^https?:\/\/[^/]/).test(value)) {
|
|
41
|
-
return false;
|
|
42
|
-
}
|
|
43
|
-
const match = value.match(/^(https?:\/\/)(.*)$/);
|
|
44
|
-
if (!match) return false;
|
|
45
|
-
const rest = match[2];
|
|
46
|
-
for (const char of unsafeChars) {
|
|
47
|
-
if (rest.includes(char)) return false;
|
|
48
|
-
}
|
|
49
|
-
const regex = /^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/;
|
|
50
|
-
return regex.test(match[0]);
|
|
51
|
-
};
|
|
52
|
-
var isJWTPayloadWithToken = (payload) => {
|
|
53
|
-
return typeof payload === "object" && payload !== null && "token" in payload && typeof payload?.token === "string";
|
|
54
|
-
};
|
|
55
|
-
var isRelativeURL = (value) => {
|
|
56
|
-
if (value.length > 100) return false;
|
|
57
|
-
for (const char of unsafeChars) {
|
|
58
|
-
if (value.includes(char)) return false;
|
|
59
|
-
}
|
|
60
|
-
const regex = /^\/[a-zA-Z0-9\-_\/.?&=#]*\/?$/;
|
|
61
|
-
return regex.test(value);
|
|
62
|
-
};
|
|
63
|
-
var isSameOrigin = (origin, expected) => {
|
|
64
|
-
const originURL = new URL(origin);
|
|
65
|
-
const expectedURL = new URL(expected);
|
|
66
|
-
return equals(originURL.origin, expectedURL.origin);
|
|
67
|
-
};
|
|
68
|
-
var patternToRegex = (pattern) => {
|
|
69
|
-
try {
|
|
70
|
-
if (pattern.length > 2048) return null;
|
|
71
|
-
pattern = pattern.replace(/\\/g, "");
|
|
72
|
-
const match = pattern.match(/^(https?):\/\/([a-zA-Z0-9.*-]{1,253})(?::(\d{1,5}|\*))?(?:\/.*)?$/);
|
|
73
|
-
if (!match) return null;
|
|
74
|
-
const [, protocol, host, port] = match;
|
|
75
|
-
const hasWildcard = host.includes("*");
|
|
76
|
-
if (hasWildcard && !host.startsWith("*.")) return null;
|
|
77
|
-
if (hasWildcard && host.slice(2).includes("*")) return null;
|
|
78
|
-
const domain = hasWildcard ? host.slice(2) : host;
|
|
79
|
-
const escapedDomain = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
|
|
80
|
-
const hostRegex = hasWildcard ? `[^.]+\\.${escapedDomain}` : escapedDomain;
|
|
81
|
-
const portRegex = port === "*" ? ":\\d{1,5}" : port ? `:${port}` : "";
|
|
82
|
-
return new RegExp(`^${protocol}:\\/\\/${hostRegex}${portRegex}$`);
|
|
83
|
-
} catch {
|
|
84
|
-
return null;
|
|
85
|
-
}
|
|
86
|
-
};
|
|
87
|
-
var isTrustedOrigin = (url, trustedOrigins) => {
|
|
88
|
-
if (!isValidURL(url) || trustedOrigins.length === 0) return false;
|
|
89
|
-
try {
|
|
90
|
-
const urlOrigin = new URL(url).origin;
|
|
91
|
-
for (const pattern of trustedOrigins) {
|
|
92
|
-
const regex = patternToRegex(pattern);
|
|
93
|
-
if (regex?.test(urlOrigin)) return true;
|
|
94
|
-
try {
|
|
95
|
-
if (isValidURL(pattern) && equals(new URL(pattern).origin, urlOrigin)) return true;
|
|
96
|
-
} catch {
|
|
97
|
-
}
|
|
98
|
-
}
|
|
99
|
-
} catch {
|
|
100
|
-
}
|
|
101
|
-
return false;
|
|
102
|
-
};
|
|
103
|
-
var safeEquals = (a, b) => {
|
|
104
|
-
const bufferA = Buffer.from(a);
|
|
105
|
-
const bufferB = Buffer.from(b);
|
|
106
|
-
if (bufferA.length !== bufferB.length) {
|
|
107
|
-
return false;
|
|
108
|
-
}
|
|
109
|
-
return timingSafeEqual(bufferA, bufferB);
|
|
110
|
-
};
|
|
111
|
-
|
|
112
|
-
export {
|
|
113
|
-
isFalsy,
|
|
114
|
-
isRequest,
|
|
115
|
-
unsafeChars,
|
|
116
|
-
isValidURL,
|
|
117
|
-
isJWTPayloadWithToken,
|
|
118
|
-
isRelativeURL,
|
|
119
|
-
isSameOrigin,
|
|
120
|
-
patternToRegex,
|
|
121
|
-
isTrustedOrigin,
|
|
122
|
-
safeEquals
|
|
123
|
-
};
|
package/dist/chunk-7QF22LHP.js
DELETED
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
createAuthorizationURL,
|
|
3
|
-
createRedirectTo,
|
|
4
|
-
createRedirectURI
|
|
5
|
-
} from "./chunk-XUP6KKNG.js";
|
|
6
|
-
import {
|
|
7
|
-
createPKCE,
|
|
8
|
-
generateSecure
|
|
9
|
-
} from "./chunk-NUDITUKX.js";
|
|
10
|
-
import {
|
|
11
|
-
cacheControl
|
|
12
|
-
} from "./chunk-EBAMFRB7.js";
|
|
13
|
-
|
|
14
|
-
// src/actions/signIn/signIn.ts
|
|
15
|
-
import { z } from "zod";
|
|
16
|
-
import { createEndpoint, createEndpointConfig, HeadersBuilder } from "@aura-stack/router";
|
|
17
|
-
var signInConfig = (oauth) => {
|
|
18
|
-
return createEndpointConfig("/signIn/:oauth", {
|
|
19
|
-
schemas: {
|
|
20
|
-
params: z.object({
|
|
21
|
-
oauth: z.enum(
|
|
22
|
-
Object.keys(oauth),
|
|
23
|
-
"The OAuth provider is not supported or invalid."
|
|
24
|
-
)
|
|
25
|
-
}),
|
|
26
|
-
searchParams: z.object({
|
|
27
|
-
redirectTo: z.string().optional()
|
|
28
|
-
})
|
|
29
|
-
}
|
|
30
|
-
});
|
|
31
|
-
};
|
|
32
|
-
var signInAction = (oauth) => {
|
|
33
|
-
return createEndpoint(
|
|
34
|
-
"GET",
|
|
35
|
-
"/signIn/:oauth",
|
|
36
|
-
async (ctx) => {
|
|
37
|
-
const {
|
|
38
|
-
request,
|
|
39
|
-
params: { oauth: oauth2 },
|
|
40
|
-
searchParams: { redirectTo },
|
|
41
|
-
context
|
|
42
|
-
} = ctx;
|
|
43
|
-
const { oauth: providers, cookies, logger } = context;
|
|
44
|
-
const state = generateSecure();
|
|
45
|
-
const redirectURI = await createRedirectURI(request, oauth2, context);
|
|
46
|
-
const redirectToValue = await createRedirectTo(request, redirectTo, context);
|
|
47
|
-
const { codeVerifier, codeChallenge, method } = await createPKCE();
|
|
48
|
-
const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method, logger);
|
|
49
|
-
logger?.log("SIGN_IN_INITIATED", {
|
|
50
|
-
structuredData: { oauth_provider: oauth2, code_challenge_method: method }
|
|
51
|
-
});
|
|
52
|
-
const headers = new HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
|
|
53
|
-
return Response.json(
|
|
54
|
-
{ oauth: oauth2 },
|
|
55
|
-
{
|
|
56
|
-
status: 302,
|
|
57
|
-
headers
|
|
58
|
-
}
|
|
59
|
-
);
|
|
60
|
-
},
|
|
61
|
-
signInConfig(oauth)
|
|
62
|
-
);
|
|
63
|
-
};
|
|
64
|
-
|
|
65
|
-
export {
|
|
66
|
-
signInAction
|
|
67
|
-
};
|
package/dist/chunk-ALG3GIV4.js
DELETED
|
@@ -1,95 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
createRedirectTo
|
|
3
|
-
} from "./chunk-XUP6KKNG.js";
|
|
4
|
-
import {
|
|
5
|
-
verifyCSRF
|
|
6
|
-
} from "./chunk-NUDITUKX.js";
|
|
7
|
-
import {
|
|
8
|
-
getBaseURL,
|
|
9
|
-
getErrorName
|
|
10
|
-
} from "./chunk-QQVSRXGX.js";
|
|
11
|
-
import {
|
|
12
|
-
expiredCookieAttributes
|
|
13
|
-
} from "./chunk-5W4BRQYG.js";
|
|
14
|
-
import {
|
|
15
|
-
secureApiHeaders
|
|
16
|
-
} from "./chunk-EBAMFRB7.js";
|
|
17
|
-
import {
|
|
18
|
-
AuthSecurityError
|
|
19
|
-
} from "./chunk-RRLIF4PQ.js";
|
|
20
|
-
|
|
21
|
-
// src/actions/signOut/signOut.ts
|
|
22
|
-
import { z } from "zod";
|
|
23
|
-
import { createEndpoint, createEndpointConfig, HeadersBuilder, statusCode } from "@aura-stack/router";
|
|
24
|
-
var config = createEndpointConfig({
|
|
25
|
-
schemas: {
|
|
26
|
-
searchParams: z.object({
|
|
27
|
-
token_type_hint: z.literal("session_token"),
|
|
28
|
-
redirectTo: z.string().optional()
|
|
29
|
-
})
|
|
30
|
-
}
|
|
31
|
-
});
|
|
32
|
-
var signOutAction = createEndpoint(
|
|
33
|
-
"POST",
|
|
34
|
-
"/signOut",
|
|
35
|
-
async (ctx) => {
|
|
36
|
-
const {
|
|
37
|
-
request,
|
|
38
|
-
headers,
|
|
39
|
-
searchParams: { redirectTo },
|
|
40
|
-
context
|
|
41
|
-
} = ctx;
|
|
42
|
-
const { jose, cookies, logger } = context;
|
|
43
|
-
const session = headers.getCookie(cookies.sessionToken.name);
|
|
44
|
-
const csrfToken = headers.getCookie(cookies.csrfToken.name);
|
|
45
|
-
const header = headers.getHeader("X-CSRF-Token");
|
|
46
|
-
logger?.log("SIGN_OUT_ATTEMPT", {
|
|
47
|
-
structuredData: {
|
|
48
|
-
has_session: Boolean(session),
|
|
49
|
-
has_csrf_token: Boolean(csrfToken),
|
|
50
|
-
has_csrf_header: Boolean(header)
|
|
51
|
-
}
|
|
52
|
-
});
|
|
53
|
-
if (!session) {
|
|
54
|
-
logger?.log("SESSION_TOKEN_MISSING");
|
|
55
|
-
throw new AuthSecurityError("SESSION_TOKEN_MISSING", "The sessionToken is missing.");
|
|
56
|
-
}
|
|
57
|
-
if (!csrfToken) {
|
|
58
|
-
logger?.log("CSRF_TOKEN_MISSING");
|
|
59
|
-
throw new AuthSecurityError("CSRF_TOKEN_MISSING", "The CSRF token is missing.");
|
|
60
|
-
}
|
|
61
|
-
if (!header) {
|
|
62
|
-
logger?.log("CSRF_HEADER_MISSING");
|
|
63
|
-
throw new AuthSecurityError("CSRF_HEADER_MISSING", "The CSRF header is missing.");
|
|
64
|
-
}
|
|
65
|
-
try {
|
|
66
|
-
await verifyCSRF(jose, csrfToken, header);
|
|
67
|
-
} catch (error) {
|
|
68
|
-
logger?.log("CSRF_TOKEN_INVALID", { structuredData: { error_type: getErrorName(error) } });
|
|
69
|
-
throw new AuthSecurityError("CSRF_TOKEN_INVALID", "CSRF token verification failed");
|
|
70
|
-
}
|
|
71
|
-
logger?.log("SIGN_OUT_CSRF_VERIFIED");
|
|
72
|
-
try {
|
|
73
|
-
await jose.decodeJWT(session);
|
|
74
|
-
logger?.log("SIGN_OUT_SUCCESS");
|
|
75
|
-
} catch (error) {
|
|
76
|
-
logger?.log("INVALID_JWT_TOKEN", { structuredData: { error_type: getErrorName(error) } });
|
|
77
|
-
}
|
|
78
|
-
const baseURL = getBaseURL(request);
|
|
79
|
-
const location = await createRedirectTo(
|
|
80
|
-
new Request(baseURL, {
|
|
81
|
-
headers: headers.toHeaders()
|
|
82
|
-
}),
|
|
83
|
-
redirectTo,
|
|
84
|
-
context
|
|
85
|
-
);
|
|
86
|
-
logger?.log("SIGN_OUT_REDIRECT", { structuredData: { location } });
|
|
87
|
-
const headersList = new HeadersBuilder(secureApiHeaders).setHeader("Location", location).setCookie(cookies.csrfToken.name, "", expiredCookieAttributes).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
|
|
88
|
-
return Response.json({ message: "Signed out successfully" }, { status: statusCode.ACCEPTED, headers: headersList });
|
|
89
|
-
},
|
|
90
|
-
config
|
|
91
|
-
);
|
|
92
|
-
|
|
93
|
-
export {
|
|
94
|
-
signOutAction
|
|
95
|
-
};
|
package/dist/chunk-FRJFWTOY.js
DELETED
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
env
|
|
3
|
-
} from "./chunk-4MYWAOLG.js";
|
|
4
|
-
import {
|
|
5
|
-
AuthInternalError
|
|
6
|
-
} from "./chunk-RRLIF4PQ.js";
|
|
7
|
-
|
|
8
|
-
// src/jose.ts
|
|
9
|
-
import {
|
|
10
|
-
createJWT,
|
|
11
|
-
createJWS,
|
|
12
|
-
createJWE,
|
|
13
|
-
createDeriveKey,
|
|
14
|
-
createSecret
|
|
15
|
-
} from "@aura-stack/jose";
|
|
16
|
-
var createJoseInstance = (secret) => {
|
|
17
|
-
secret ??= env.AURA_AUTH_SECRET ?? env.AUTH_SECRET;
|
|
18
|
-
if (!secret) {
|
|
19
|
-
throw new AuthInternalError(
|
|
20
|
-
"JOSE_INITIALIZATION_FAILED",
|
|
21
|
-
"AURA_AUTH_SECRET environment variable is not set and no secret was provided."
|
|
22
|
-
);
|
|
23
|
-
}
|
|
24
|
-
const salt = env.AURA_AUTH_SALT ?? env.AUTH_SALT;
|
|
25
|
-
if (!salt) {
|
|
26
|
-
throw new AuthInternalError(
|
|
27
|
-
"JOSE_INITIALIZATION_FAILED",
|
|
28
|
-
"AURA_AUTH_SALT or AUTH_SALT environment variable is not set. A salt value is required for key derivation."
|
|
29
|
-
);
|
|
30
|
-
}
|
|
31
|
-
try {
|
|
32
|
-
createSecret(salt);
|
|
33
|
-
} catch (error) {
|
|
34
|
-
throw new AuthInternalError(
|
|
35
|
-
"INVALID_SALT_SECRET_VALUE",
|
|
36
|
-
"AURA_AUTH_SALT/AUTH_SALT is invalid. It must be at least 32 bytes long and meet entropy requirements.",
|
|
37
|
-
{ cause: error }
|
|
38
|
-
);
|
|
39
|
-
}
|
|
40
|
-
const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing");
|
|
41
|
-
const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption");
|
|
42
|
-
const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken");
|
|
43
|
-
const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey });
|
|
44
|
-
const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey);
|
|
45
|
-
const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey);
|
|
46
|
-
return {
|
|
47
|
-
decodeJWT,
|
|
48
|
-
encodeJWT,
|
|
49
|
-
signJWS,
|
|
50
|
-
verifyJWS,
|
|
51
|
-
encryptJWE,
|
|
52
|
-
decryptJWE
|
|
53
|
-
};
|
|
54
|
-
};
|
|
55
|
-
var jwtVerificationOptions = {
|
|
56
|
-
algorithms: ["HS256"],
|
|
57
|
-
typ: "JWT"
|
|
58
|
-
};
|
|
59
|
-
var decodeJWTOptions = {
|
|
60
|
-
jws: jwtVerificationOptions,
|
|
61
|
-
jwt: {
|
|
62
|
-
typ: "JWT"
|
|
63
|
-
}
|
|
64
|
-
};
|
|
65
|
-
|
|
66
|
-
export {
|
|
67
|
-
createJoseInstance,
|
|
68
|
-
jwtVerificationOptions,
|
|
69
|
-
decodeJWTOptions
|
|
70
|
-
};
|
package/dist/chunk-PHFH2MGS.js
DELETED
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
getErrorName,
|
|
3
|
-
toISOString
|
|
4
|
-
} from "./chunk-QQVSRXGX.js";
|
|
5
|
-
import {
|
|
6
|
-
expiredCookieAttributes,
|
|
7
|
-
getCookie
|
|
8
|
-
} from "./chunk-5W4BRQYG.js";
|
|
9
|
-
import {
|
|
10
|
-
secureApiHeaders
|
|
11
|
-
} from "./chunk-EBAMFRB7.js";
|
|
12
|
-
|
|
13
|
-
// src/actions/session/session.ts
|
|
14
|
-
import { createEndpoint, HeadersBuilder } from "@aura-stack/router";
|
|
15
|
-
var sessionAction = createEndpoint("GET", "/session", async (ctx) => {
|
|
16
|
-
const {
|
|
17
|
-
request,
|
|
18
|
-
context: { jose, cookies, logger }
|
|
19
|
-
} = ctx;
|
|
20
|
-
try {
|
|
21
|
-
const session = getCookie(request, cookies.sessionToken.name);
|
|
22
|
-
const decoded = await jose.decodeJWT(session);
|
|
23
|
-
logger?.log("AUTH_SESSION_VALID");
|
|
24
|
-
const { exp, iat, jti, nbf, ...user } = decoded;
|
|
25
|
-
const headers = new Headers(secureApiHeaders);
|
|
26
|
-
return Response.json({ user, expires: toISOString(exp * 1e3) }, { headers });
|
|
27
|
-
} catch (error) {
|
|
28
|
-
logger?.log("AUTH_SESSION_INVALID", { structuredData: { error_type: getErrorName(error) } });
|
|
29
|
-
const headers = new HeadersBuilder(secureApiHeaders).setCookie(cookies.sessionToken.name, "", expiredCookieAttributes).toHeaders();
|
|
30
|
-
return Response.json({ authenticated: false, message: "Unauthorized" }, { status: 401, headers });
|
|
31
|
-
}
|
|
32
|
-
});
|
|
33
|
-
|
|
34
|
-
export {
|
|
35
|
-
sessionAction
|
|
36
|
-
};
|
package/dist/chunk-QQVSRXGX.js
DELETED
|
@@ -1,149 +0,0 @@
|
|
|
1
|
-
import {
|
|
2
|
-
isAuthInternalError,
|
|
3
|
-
isAuthSecurityError,
|
|
4
|
-
isOAuthProtocolError
|
|
5
|
-
} from "./chunk-RRLIF4PQ.js";
|
|
6
|
-
|
|
7
|
-
// src/utils.ts
|
|
8
|
-
import { isInvalidZodSchemaError, isRouterError } from "@aura-stack/router";
|
|
9
|
-
var toSnakeCase = (str) => {
|
|
10
|
-
return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
|
|
11
|
-
};
|
|
12
|
-
var toUpperCase = (str) => {
|
|
13
|
-
return str.toUpperCase();
|
|
14
|
-
};
|
|
15
|
-
var toCastCase = (obj, type = "snake") => {
|
|
16
|
-
return Object.entries(obj).reduce((previous, [key, value]) => {
|
|
17
|
-
const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
|
|
18
|
-
return { ...previous, [newKey]: value };
|
|
19
|
-
}, {});
|
|
20
|
-
};
|
|
21
|
-
var equals = (a, b) => {
|
|
22
|
-
if (a === null || b === null || a === void 0 || b === void 0) return false;
|
|
23
|
-
return a === b;
|
|
24
|
-
};
|
|
25
|
-
var createErrorHandler = (logger) => {
|
|
26
|
-
return (error) => {
|
|
27
|
-
if (isRouterError(error)) {
|
|
28
|
-
const { message, status, statusText } = error;
|
|
29
|
-
logger?.log("ROUTER_INTERNAL_ERROR");
|
|
30
|
-
return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText });
|
|
31
|
-
}
|
|
32
|
-
if (isInvalidZodSchemaError(error)) {
|
|
33
|
-
logger?.log("INVALID_REQUEST");
|
|
34
|
-
return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 });
|
|
35
|
-
}
|
|
36
|
-
if (isOAuthProtocolError(error)) {
|
|
37
|
-
const { error: errorCode, message, type, errorURI } = error;
|
|
38
|
-
logger?.log("OAUTH_PROTOCOL_ERROR", {
|
|
39
|
-
structuredData: {
|
|
40
|
-
error: errorCode,
|
|
41
|
-
error_description: message,
|
|
42
|
-
error_uri: errorURI ?? ""
|
|
43
|
-
}
|
|
44
|
-
});
|
|
45
|
-
return Response.json(
|
|
46
|
-
{
|
|
47
|
-
type,
|
|
48
|
-
message
|
|
49
|
-
},
|
|
50
|
-
{ status: 400 }
|
|
51
|
-
);
|
|
52
|
-
}
|
|
53
|
-
if (isAuthInternalError(error)) {
|
|
54
|
-
const { type, code, message } = error;
|
|
55
|
-
logger?.log("INVALID_OAUTH_CONFIGURATION", {
|
|
56
|
-
structuredData: {
|
|
57
|
-
error: code,
|
|
58
|
-
error_description: message
|
|
59
|
-
}
|
|
60
|
-
});
|
|
61
|
-
return Response.json(
|
|
62
|
-
{
|
|
63
|
-
type,
|
|
64
|
-
message
|
|
65
|
-
},
|
|
66
|
-
{ status: 400 }
|
|
67
|
-
);
|
|
68
|
-
}
|
|
69
|
-
if (isAuthSecurityError(error)) {
|
|
70
|
-
const { type, code, message } = error;
|
|
71
|
-
logger?.log("INVALID_OAUTH_CONFIGURATION", {
|
|
72
|
-
structuredData: {
|
|
73
|
-
error: code,
|
|
74
|
-
error_description: message
|
|
75
|
-
}
|
|
76
|
-
});
|
|
77
|
-
return Response.json(
|
|
78
|
-
{
|
|
79
|
-
type,
|
|
80
|
-
code,
|
|
81
|
-
message
|
|
82
|
-
},
|
|
83
|
-
{ status: 400 }
|
|
84
|
-
);
|
|
85
|
-
}
|
|
86
|
-
logger?.log("SERVER_ERROR");
|
|
87
|
-
return Response.json(
|
|
88
|
-
{ type: "SERVER_ERROR", code: "SERVER_ERROR", message: "An unexpected error occurred" },
|
|
89
|
-
{ status: 500 }
|
|
90
|
-
);
|
|
91
|
-
};
|
|
92
|
-
};
|
|
93
|
-
var getBaseURL = (request) => {
|
|
94
|
-
const url = new URL(request.url);
|
|
95
|
-
return `${url.origin}${url.pathname}`;
|
|
96
|
-
};
|
|
97
|
-
var toISOString = (date) => {
|
|
98
|
-
return new Date(date).toISOString();
|
|
99
|
-
};
|
|
100
|
-
var useSecureCookies = (request, trustedProxyHeaders) => {
|
|
101
|
-
return trustedProxyHeaders ? request.url.startsWith("https://") || request.headers.get("X-Forwarded-Proto") === "https" || (request.headers.get("Forwarded")?.includes("proto=https") ?? false) : request.url.startsWith("https://");
|
|
102
|
-
};
|
|
103
|
-
var formatZodError = (error) => {
|
|
104
|
-
if (!error.issues || error.issues.length === 0) {
|
|
105
|
-
return {};
|
|
106
|
-
}
|
|
107
|
-
return error.issues.reduce((previous, issue) => {
|
|
108
|
-
const key = issue.path.join(".");
|
|
109
|
-
return {
|
|
110
|
-
...previous,
|
|
111
|
-
[key]: {
|
|
112
|
-
code: issue.code,
|
|
113
|
-
message: issue.message
|
|
114
|
-
}
|
|
115
|
-
};
|
|
116
|
-
}, {});
|
|
117
|
-
};
|
|
118
|
-
var extractPath = (url) => {
|
|
119
|
-
const pathRegex = /^https?:\/\/[a-zA-Z0-9_\-\.]+(:\d+)?(\/.*)$/;
|
|
120
|
-
const match = url.match(pathRegex);
|
|
121
|
-
return match && match[2] ? match[2] : "/";
|
|
122
|
-
};
|
|
123
|
-
var createStructuredData = (data, sdID = "metadata") => {
|
|
124
|
-
const entries = Object.entries(data);
|
|
125
|
-
if (entries.length === 0) return `[${sdID}]`;
|
|
126
|
-
const values = entries.map(([key, value]) => `${key}="${String(value).replace(/(["\\\]])/g, "\\$1")}"`).join(" ");
|
|
127
|
-
return `[${sdID} ${values}]`;
|
|
128
|
-
};
|
|
129
|
-
var getErrorName = (error) => {
|
|
130
|
-
if (error instanceof Error) {
|
|
131
|
-
return error.name;
|
|
132
|
-
}
|
|
133
|
-
return typeof error === "string" ? error : "UnknownError";
|
|
134
|
-
};
|
|
135
|
-
|
|
136
|
-
export {
|
|
137
|
-
toSnakeCase,
|
|
138
|
-
toUpperCase,
|
|
139
|
-
toCastCase,
|
|
140
|
-
equals,
|
|
141
|
-
createErrorHandler,
|
|
142
|
-
getBaseURL,
|
|
143
|
-
toISOString,
|
|
144
|
-
useSecureCookies,
|
|
145
|
-
formatZodError,
|
|
146
|
-
extractPath,
|
|
147
|
-
createStructuredData,
|
|
148
|
-
getErrorName
|
|
149
|
-
};
|