@aura-stack/auth 0.4.0 → 0.5.0

Files changed (149) hide show
  1. package/dist/@types/index.d.ts +6 -2
  2. package/dist/@types/router.d.d.ts +6 -2
  3. package/dist/actions/callback/access-token.cjs +103 -59
  4. package/dist/actions/callback/access-token.d.ts +7 -3
  5. package/dist/actions/callback/access-token.js +3 -3
  6. package/dist/actions/callback/callback.cjs +200 -134
  7. package/dist/actions/callback/callback.d.ts +32 -3
  8. package/dist/actions/callback/callback.js +11 -12
  9. package/dist/actions/callback/userinfo.cjs +103 -70
  10. package/dist/actions/callback/userinfo.d.ts +6 -2
  11. package/dist/actions/callback/userinfo.js +7 -8
  12. package/dist/actions/csrfToken/csrfToken.cjs +7 -15
  13. package/dist/actions/csrfToken/csrfToken.d.ts +3 -1
  14. package/dist/actions/csrfToken/csrfToken.js +7 -8
  15. package/dist/actions/index.cjs +502 -295
  16. package/dist/actions/index.d.ts +5 -2
  17. package/dist/actions/index.js +23 -20
  18. package/dist/actions/session/session.cjs +76 -24
  19. package/dist/actions/session/session.d.ts +3 -1
  20. package/dist/actions/session/session.js +6 -4
  21. package/dist/actions/signIn/authorization-url.cjs +288 -0
  22. package/dist/actions/signIn/authorization-url.d.ts +31 -0
  23. package/dist/actions/signIn/authorization-url.js +16 -0
  24. package/dist/actions/signIn/authorization.cjs +91 -132
  25. package/dist/actions/signIn/authorization.d.ts +17 -16
  26. package/dist/actions/signIn/authorization.js +8 -7
  27. package/dist/actions/signIn/signIn.cjs +319 -191
  28. package/dist/actions/signIn/signIn.d.ts +32 -3
  29. package/dist/actions/signIn/signIn.js +10 -9
  30. package/dist/actions/signOut/signOut.cjs +211 -212
  31. package/dist/actions/signOut/signOut.d.ts +9 -1
  32. package/dist/actions/signOut/signOut.js +9 -10
  33. package/dist/api/createApi.cjs +750 -0
  34. package/dist/api/createApi.d.ts +12 -0
  35. package/dist/api/createApi.js +19 -0
  36. package/dist/api/getSession.cjs +141 -0
  37. package/dist/api/getSession.d.ts +16 -0
  38. package/dist/api/getSession.js +10 -0
  39. package/dist/api/signIn.cjs +549 -0
  40. package/dist/api/signIn.d.ts +26 -0
  41. package/dist/api/signIn.js +15 -0
  42. package/dist/api/signOut.cjs +279 -0
  43. package/dist/api/signOut.d.ts +16 -0
  44. package/dist/api/signOut.js +13 -0
  45. package/dist/assert.cjs +42 -9
  46. package/dist/assert.d.ts +8 -4
  47. package/dist/assert.js +5 -5
  48. package/dist/{chunk-KJBAQZX2.js → chunk-2A5B7GWR.js} +44 -11
  49. package/dist/chunk-2GQLSIJ2.js +40 -0
  50. package/dist/chunk-2IR674WX.js +44 -0
  51. package/dist/chunk-3J5TUH2I.js +50 -0
  52. package/dist/chunk-4RWSYUKX.js +98 -0
  53. package/dist/chunk-5X7JZMEF.js +0 -0
  54. package/dist/{chunk-TZB6MUXN.js → chunk-7BE46WWS.js} +21 -11
  55. package/dist/chunk-7YYXFKLR.js +35 -0
  56. package/dist/chunk-C3A37LQC.js +33 -0
  57. package/dist/chunk-CITNGXDA.js +31 -0
  58. package/dist/chunk-CWX724AG.js +78 -0
  59. package/dist/chunk-D2CSIUKP.js +74 -0
  60. package/dist/{chunk-ICAZ4OVS.js → chunk-FPCVZUVG.js} +2 -2
  61. package/dist/{chunk-XGLBNXL4.js → chunk-GNNBM2WJ.js} +17 -9
  62. package/dist/chunk-JOCGX3RP.js +59 -0
  63. package/dist/chunk-KBXWTD6E.js +94 -0
  64. package/dist/{chunk-XUP6KKNG.js → chunk-LATR3NIV.js} +48 -37
  65. package/dist/chunk-LAYPUDQF.js +39 -0
  66. package/dist/chunk-LX3TJ2TJ.js +294 -0
  67. package/dist/{chunk-6MXFPFR3.js → chunk-NHZBQNRR.js} +19 -19
  68. package/dist/{chunk-TM5IPSNF.js → chunk-PDP3PHB3.js} +33 -19
  69. package/dist/chunk-PHYNROD4.js +47 -0
  70. package/dist/chunk-QQEKY4XP.js +29 -0
  71. package/dist/{chunk-VNCNJKS2.js → chunk-U4RK4LKJ.js} +82 -1
  72. package/dist/{chunk-RRLIF4PQ.js → chunk-U5663F2U.js} +16 -1
  73. package/dist/chunk-UN7X6SU5.js +53 -0
  74. package/dist/chunk-UZQJJD6A.js +100 -0
  75. package/dist/{chunk-NUDITUKX.js → chunk-V6LLEAR4.js} +22 -15
  76. package/dist/{chunk-4MYWAOLG.js → chunk-WHNDRO3N.js} +20 -1
  77. package/dist/{chunk-5W4BRQYG.js → chunk-XY5R3EHH.js} +6 -3
  78. package/dist/client/client.cjs +135 -0
  79. package/dist/client/client.d.ts +85 -0
  80. package/dist/client/client.js +9 -0
  81. package/dist/client/index.cjs +135 -0
  82. package/dist/client/index.d.ts +14 -0
  83. package/dist/client/index.js +10 -0
  84. package/dist/context.cjs +1237 -0
  85. package/dist/context.d.ts +16 -0
  86. package/dist/context.js +28 -0
  87. package/dist/cookie.cjs +33 -2
  88. package/dist/cookie.d.ts +9 -5
  89. package/dist/cookie.js +3 -2
  90. package/dist/createAuth.cjs +2320 -0
  91. package/dist/createAuth.d.ts +12 -0
  92. package/dist/createAuth.js +48 -0
  93. package/dist/env.cjs +24 -2
  94. package/dist/env.d.ts +4 -1
  95. package/dist/env.js +9 -3
  96. package/dist/errors.cjs +17 -0
  97. package/dist/errors.d.ts +13 -3
  98. package/dist/errors.js +5 -1
  99. package/dist/{index-CSyIJmCM.d.ts → index-_aXtxb_s.d.ts} +383 -13
  100. package/dist/index.cjs +2135 -1547
  101. package/dist/index.d.ts +9 -30
  102. package/dist/index.js +46 -119
  103. package/dist/jose.cjs +52 -14
  104. package/dist/jose.d.ts +12 -25
  105. package/dist/jose.js +11 -3
  106. package/dist/logger.cjs +132 -0
  107. package/dist/logger.d.ts +6 -2
  108. package/dist/logger.js +10 -1
  109. package/dist/oauth/atlassian.cjs +57 -0
  110. package/dist/oauth/atlassian.d.ts +12 -0
  111. package/dist/oauth/atlassian.js +6 -0
  112. package/dist/oauth/bitbucket.d.ts +6 -2
  113. package/dist/oauth/discord.d.ts +6 -2
  114. package/dist/oauth/dropbox.cjs +53 -0
  115. package/dist/oauth/dropbox.d.ts +12 -0
  116. package/dist/oauth/dropbox.js +6 -0
  117. package/dist/oauth/figma.d.ts +6 -2
  118. package/dist/oauth/github.d.ts +6 -2
  119. package/dist/oauth/gitlab.d.ts +6 -2
  120. package/dist/oauth/index.cjs +278 -88
  121. package/dist/oauth/index.d.ts +6 -2
  122. package/dist/oauth/index.js +27 -11
  123. package/dist/oauth/mailchimp.d.ts +6 -2
  124. package/dist/oauth/notion.cjs +131 -0
  125. package/dist/oauth/notion.d.ts +12 -0
  126. package/dist/oauth/notion.js +9 -0
  127. package/dist/oauth/pinterest.d.ts +6 -2
  128. package/dist/oauth/spotify.d.ts +6 -2
  129. package/dist/oauth/strava.d.ts +6 -2
  130. package/dist/oauth/twitch.cjs +95 -0
  131. package/dist/oauth/twitch.d.ts +12 -0
  132. package/dist/oauth/twitch.js +7 -0
  133. package/dist/oauth/x.d.ts +6 -2
  134. package/dist/schemas.cjs +84 -51
  135. package/dist/schemas.d.ts +103 -23
  136. package/dist/schemas.js +1 -1
  137. package/dist/secure.cjs +36 -36
  138. package/dist/secure.d.ts +10 -4
  139. package/dist/secure.js +7 -6
  140. package/dist/utils.cjs +109 -3
  141. package/dist/utils.d.ts +15 -4
  142. package/dist/utils.js +11 -4
  143. package/package.json +9 -5
  144. package/dist/chunk-4EKY7655.js +0 -123
  145. package/dist/chunk-7QF22LHP.js +0 -67
  146. package/dist/chunk-ALG3GIV4.js +0 -95
  147. package/dist/chunk-FRJFWTOY.js +0 -70
  148. package/dist/chunk-PHFH2MGS.js +0 -36
  149. package/dist/chunk-QQVSRXGX.js +0 -149
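--- a/package/dist/actions/signIn/signIn.cjs
+++ b/package/dist/actions/signIn/signIn.cjs
@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
 for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
 }
 return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-// If the importer is in node compatibility mode or this is not an ESM
-// file that has been converted to a CommonJS file using a Babel-
-// compatible transform (i.e. "__esModule" has not been set), then set
-// "default" to the CommonJS "module.exports" for node compatibility.
-isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/actions/signIn/signIn.ts
@@ -33,8 +23,7 @@ __export(signIn_exports, {
 signInAction: () => signInAction
 });
 module.exports = __toCommonJS(signIn_exports);
-var import_zod2 = require("zod");
-var import_router2 = require("@aura-stack/router");
+var import_v42 = require("zod/v4");
 
 // src/headers.ts
 var cacheControl = {
@@ -64,12 +53,6 @@ var secureApiHeaders = {
 ...secureHeaders
 };
 
-// src/secure.ts
-var import_crypto = __toESM(require("crypto"), 1);
-
-// src/utils.ts
-var import_router = require("@aura-stack/router");
-
 // src/errors.ts
 var AuthInternalError = class extends Error {
 type = "AUTH_INTERNAL_ERROR";
@@ -92,30 +75,160 @@ var AuthSecurityError = class extends Error {
 }
 };
 
+// src/api/signIn.ts
+var import_router2 = require("@aura-stack/router");
+
+// src/schemas.ts
+var import_v4 = require("zod/v4");
+var AuthorizeConfigSchema = import_v4.z.union([
+(0, import_v4.string)().url(),
+(0, import_v4.object)({
+url: (0, import_v4.string)().url(),
+params: (0, import_v4.object)({
+responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
+scope: (0, import_v4.string)().optional()
+})
+})
+]);
+var AccessTokenConfigSchema = import_v4.z.union([
+(0, import_v4.string)().url(),
+(0, import_v4.object)({
+url: (0, import_v4.string)().url(),
+headers: import_v4.z.record((0, import_v4.string)(), (0, import_v4.string)()).optional()
+})
+]);
+var UserInfoConfigSchema = import_v4.z.union([
+(0, import_v4.string)().url(),
+(0, import_v4.object)({
+url: (0, import_v4.string)().url(),
+headers: import_v4.z.record((0, import_v4.string)(), (0, import_v4.string)()).optional(),
+method: (0, import_v4.string)().optional()
+})
+]);
+var OAuthProviderCredentialsSchema = (0, import_v4.object)({
+id: (0, import_v4.string)(),
+name: (0, import_v4.string)(),
+authorize: AuthorizeConfigSchema.optional(),
+/** @deprecated */
+authorizeURL: (0, import_v4.string)().url().optional(),
+accessToken: AccessTokenConfigSchema,
+/** @deprecated */
+scope: (0, import_v4.string)().optional(),
+userInfo: UserInfoConfigSchema,
+/** @deprecated */
+responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
+clientId: (0, import_v4.string)(),
+clientSecret: (0, import_v4.string)(),
+profile: import_v4.z.function().optional()
+});
+var OAuthProviderConfigSchema = (0, import_v4.object)({
+authorize: AuthorizeConfigSchema.optional(),
+/** @deprecated */
+authorizeURL: (0, import_v4.string)().url().optional(),
+accessToken: AccessTokenConfigSchema,
+/** @deprecated */
+scope: (0, import_v4.string)().optional(),
+userInfo: UserInfoConfigSchema,
+/** @deprecated */
+responseType: (0, import_v4.enum)(["code", "token", "id_token", "refresh_token"]).optional(),
+clientId: (0, import_v4.string)(),
+clientSecret: (0, import_v4.string)()
+});
+var OAuthAuthorization = OAuthProviderConfigSchema.extend({
+redirectURI: (0, import_v4.string)(),
+state: (0, import_v4.string)(),
+codeChallenge: (0, import_v4.string)(),
+codeChallengeMethod: (0, import_v4.enum)(["plain", "S256"])
+});
+var OAuthAuthorizationResponse = (0, import_v4.object)({
+state: (0, import_v4.string)({ message: "Missing state parameter in the OAuth authorization response." }),
+code: (0, import_v4.string)({ message: "Missing code parameter in the OAuth authorization response." })
+});
+var OAuthAuthorizationErrorResponse = (0, import_v4.object)({
+error: (0, import_v4.enum)([
+"invalid_request",
+"unauthorized_client",
+"access_denied",
+"unsupported_response_type",
+"invalid_scope",
+"server_error",
+"temporarily_unavailable"
+]),
+error_description: (0, import_v4.string)().optional(),
+error_uri: (0, import_v4.string)().optional(),
+state: (0, import_v4.string)()
+});
+var OAuthAccessToken = OAuthProviderConfigSchema.extend({
+redirectURI: (0, import_v4.string)(),
+code: (0, import_v4.string)(),
+codeVerifier: (0, import_v4.string)().min(43).max(128)
+});
+var OAuthAccessTokenResponse = (0, import_v4.object)({
+access_token: (0, import_v4.string)(),
+token_type: (0, import_v4.string)().optional(),
+expires_in: (0, import_v4.number)().optional(),
+refresh_token: (0, import_v4.string)().optional(),
+scope: (0, import_v4.union)([(0, import_v4.string)().optional().or((0, import_v4.null)()), (0, import_v4.array)((0, import_v4.string)()).optional()])
+});
+var OAuthAccessTokenErrorResponse = (0, import_v4.object)({
+error: (0, import_v4.enum)([
+"invalid_request",
+"invalid_client",
+"invalid_grant",
+"unauthorized_client",
+"unsupported_grant_type",
+"invalid_scope"
+]),
+error_description: (0, import_v4.string)().optional(),
+error_uri: (0, import_v4.string)().optional()
+});
+var OAuthErrorResponse = (0, import_v4.object)({
+error: (0, import_v4.string)(),
+error_description: (0, import_v4.string)().optional()
+});
+var OAuthEnvSchema = (0, import_v4.object)({
+clientId: import_v4.z.string().min(1, "OAuth Client ID is required in the environment variables."),
+clientSecret: import_v4.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
+});
+
 // src/utils.ts
-var toSnakeCase = (str) => {
-return str.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2").toLowerCase().replace(/^_+/, "");
-};
-var toUpperCase = (str) => {
-return str.toUpperCase();
-};
-var toCastCase = (obj, type = "snake") => {
-return Object.entries(obj).reduce((previous, [key, value]) => {
-const newKey = type === "snake" ? toSnakeCase(key) : toUpperCase(key);
-return { ...previous, [newKey]: value };
-}, {});
-};
-var equals = (a, b) => {
-if (a === null || b === null || a === void 0 || b === void 0) return false;
-return a === b;
-};
-var extractPath = (url) => {
-const pathRegex = /^https?:\/\/[a-zA-Z0-9_\-\.]+(:\d+)?(\/.*)$/;
-const match = url.match(pathRegex);
-return match && match[2] ? match[2] : "/";
+var import_router = require("@aura-stack/router");
+
+// src/env.ts
+var import_meta = {};
+var env = new Proxy({}, {
+get(_, prop) {
+if (typeof prop !== "string") return void 0;
+const hasProperty = (process2) => {
+return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
+};
+try {
+if (typeof process !== "undefined" && hasProperty(process.env)) {
+return process.env[prop];
+}
+if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
+return import_meta.env[prop];
+}
+if (typeof Deno !== "undefined" && Deno.env?.get) {
+return Deno.env.get(prop);
+}
+if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
+return Bun.env[prop];
+}
+const globalValue = globalThis[prop];
+return typeof globalValue === "string" ? globalValue : void 0;
+} catch {
+return void 0;
+}
+}
+});
+var getEnv = (key) => {
+const keys = [`AURA_AUTH_${key.toUpperCase()}`, `AURA_${key.toUpperCase()}`, `AUTH_${key.toUpperCase()}`, key.toUpperCase()];
+return env[keys.find((k) => env[k]) ?? ""];
 };
 
 // src/assert.ts
+var import_crypto = require("@aura-stack/jose/crypto");
 var unsafeChars = [
 "<",
 ">",
@@ -204,44 +317,33 @@ var isTrustedOrigin = (url, trustedOrigins) => {
 return false;
 };
 
-// src/env.ts
-var import_meta = {};
-var env = new Proxy({}, {
-get(_, prop) {
-if (typeof prop !== "string") return void 0;
-const hasProperty = (process2) => {
-return process2 && Object.prototype.hasOwnProperty.call(process2, prop);
-};
-try {
-if (typeof process !== "undefined" && hasProperty(process.env)) {
-return process.env[prop];
-}
-if (typeof import_meta !== "undefined" && hasProperty(import_meta.env)) {
-return import_meta.env[prop];
-}
-if (typeof Deno !== "undefined" && Deno.env?.get) {
-return Deno.env.get(prop);
-}
-if (typeof Bun !== "undefined" && hasProperty(Bun.env)) {
-return Bun.env[prop];
-}
-const globalValue = globalThis[prop];
-return typeof globalValue === "string" ? globalValue : void 0;
-} catch {
-return void 0;
-}
-}
-});
+// src/utils.ts
+var equals = (a, b) => {
+if (a === null || b === null || a === void 0 || b === void 0) return false;
+return a === b;
+};
+var extractPath = (url) => {
+const pathRegex = /^https?:\/\/[a-zA-Z0-9_\-\.]+(:\d+)?(\/.*)$/;
+const match = url.match(pathRegex);
+return match && match[2] ? match[2] : "/";
+};
 
 // src/jose.ts
 var import_jose = require("@aura-stack/jose");
+var import_jose2 = require("@aura-stack/jose/jose");
+var import_crypto2 = require("@aura-stack/jose/crypto");
 
 // src/secure.ts
 var generateSecure = (length = 32) => {
-return import_crypto.default.randomBytes(length).toString("base64url");
+return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
+};
+var createSecretValue = (length = 32) => {
+return import_jose2.base64url.encode((0, import_crypto2.getRandomBytes)(length));
 };
-var createHash = (data, base = "hex") => {
-return import_crypto.default.createHash("sha256").update(data).digest().toString(base);
+var createHash = async (data) => {
+const subtle = (0, import_crypto2.getSubtleCrypto)();
+const digest = await subtle.digest("SHA-256", import_crypto2.encoder.encode(data));
+return import_jose2.base64url.encode(new Uint8Array(digest));
 };
 var createPKCE = async (verifier) => {
 const byteLength = verifier ? void 0 : Math.floor(Math.random() * (96 - 32 + 1) + 32);
@@ -249,125 +351,105 @@ var createPKCE = async (verifier) => {
 if (codeVerifier.length < 43 || codeVerifier.length > 128) {
 throw new AuthSecurityError("PKCE_VERIFIER_INVALID", "The code verifier must be between 43 and 128 characters in length.");
 }
-const codeChallenge = createHash(codeVerifier, "base64url");
+const codeChallenge = await createHash(codeVerifier);
 return { codeVerifier, codeChallenge, method: "S256" };
 };
 
-// src/schemas.ts
-var import_zod = require("zod");
-var OAuthProviderCredentialsSchema = (0, import_zod.object)({
-id: (0, import_zod.string)(),
-name: (0, import_zod.string)(),
-authorizeURL: (0, import_zod.string)().url(),
-accessToken: (0, import_zod.string)().url(),
-scope: (0, import_zod.string)(),
-userInfo: (0, import_zod.string)().url(),
-responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
-clientId: (0, import_zod.string)(),
-clientSecret: (0, import_zod.string)(),
-profile: import_zod.z.function().optional()
-});
-var OAuthProviderConfigSchema = (0, import_zod.object)({
-authorizeURL: (0, import_zod.string)().url(),
-accessToken: (0, import_zod.string)().url(),
-scope: (0, import_zod.string)().optional(),
-userInfo: (0, import_zod.string)().url(),
-responseType: (0, import_zod.enum)(["code", "token", "id_token"]),
-clientId: (0, import_zod.string)(),
-clientSecret: (0, import_zod.string)()
-});
-var OAuthAuthorization = OAuthProviderConfigSchema.extend({
-redirectURI: (0, import_zod.string)(),
-state: (0, import_zod.string)(),
-codeChallenge: (0, import_zod.string)(),
-codeChallengeMethod: (0, import_zod.enum)(["plain", "S256"])
-});
-var OAuthAuthorizationResponse = (0, import_zod.object)({
-state: (0, import_zod.string)({ message: "Missing state parameter in the OAuth authorization response." }),
-code: (0, import_zod.string)({ message: "Missing code parameter in the OAuth authorization response." })
-});
-var OAuthAuthorizationErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.enum)([
-"invalid_request",
-"unauthorized_client",
-"access_denied",
-"unsupported_response_type",
-"invalid_scope",
-"server_error",
-"temporarily_unavailable"
-]),
-error_description: (0, import_zod.string)().optional(),
-error_uri: (0, import_zod.string)().optional(),
-state: (0, import_zod.string)()
-});
-var OAuthAccessToken = OAuthProviderConfigSchema.extend({
-redirectURI: (0, import_zod.string)(),
-code: (0, import_zod.string)(),
-codeVerifier: (0, import_zod.string)().min(43).max(128)
-});
-var OAuthAccessTokenResponse = (0, import_zod.object)({
-access_token: (0, import_zod.string)(),
-token_type: (0, import_zod.string)().optional(),
-expires_in: (0, import_zod.number)().optional(),
-refresh_token: (0, import_zod.string)().optional(),
-scope: (0, import_zod.string)().optional().or((0, import_zod.null)())
-});
-var OAuthAccessTokenErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.enum)([
-"invalid_request",
-"invalid_client",
-"invalid_grant",
-"unauthorized_client",
-"unsupported_grant_type",
-"invalid_scope"
-]),
-error_description: (0, import_zod.string)().optional(),
-error_uri: (0, import_zod.string)().optional()
-});
-var OAuthErrorResponse = (0, import_zod.object)({
-error: (0, import_zod.string)(),
-error_description: (0, import_zod.string)().optional()
-});
-var OAuthEnvSchema = (0, import_zod.object)({
-clientId: import_zod.z.string().min(1, "OAuth Client ID is required in the environment variables."),
-clientSecret: import_zod.z.string().min(1, "OAuth Client Secret is required in the environment variables.")
-});
-
-// src/actions/signIn/authorization.ts
-var createAuthorizationURL = (oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod, logger) => {
-const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod });
+// src/actions/signIn/authorization-url.ts
+var setSearchParams = (url, params) => {
+for (const [key, value] of Object.entries(params)) {
+if (value !== void 0 && value !== "") {
+url.searchParams.set(key, value);
+}
+}
+};
+var buildAuthorizationURL = (oauth, redirect_uri, state, code_challenge, code_challenge_method) => {
+const authorizeConfig = oauth.authorize;
+const baseURL = typeof authorizeConfig === "string" ? authorizeConfig : authorizeConfig?.url ?? oauth.authorizeURL;
+if (!baseURL) {
+throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "Missing authorization URL in OAuth provider configuration.");
+}
+const url = new URL(baseURL);
+const authorizeParams = typeof authorizeConfig === "string" ? void 0 : authorizeConfig?.params;
+setSearchParams(url, {
+response_type: authorizeParams?.responseType ?? oauth.responseType ?? "code",
+client_id: oauth.clientId,
+redirect_uri,
+state,
+code_challenge,
+code_challenge_method,
+scope: authorizeParams?.scope ?? oauth.scope,
+prompt: authorizeParams?.prompt,
+response_mode: authorizeParams?.responseMode,
+login_hint: authorizeParams?.loginHint,
+nonce: authorizeParams?.nonce,
+display: authorizeParams?.display,
+audience: authorizeParams?.audience
+});
+return url.toString();
+};
+var createAuthorizationURL = async (oauth, redirectURI, ctx) => {
+const state = createSecretValue();
+const { codeVerifier, codeChallenge, method } = await createPKCE();
+const authorization = buildAuthorizationURL(oauth, redirectURI, state, codeChallenge, method);
+const parsed = OAuthAuthorization.safeParse({ ...oauth, redirectURI, state, codeChallenge, codeChallengeMethod: method });
 if (!parsed.success) {
-logger?.log("INVALID_OAUTH_CONFIGURATION", {
+ctx?.logger?.log("INVALID_OAUTH_CONFIGURATION", {
 structuredData: {
-scope: oauthConfig.scope,
+scope: oauth?.scope ?? "",
 redirect_uri: redirectURI,
 has_state: Boolean(state),
 has_code_challenge: Boolean(codeChallenge),
-code_challenge_method: codeChallengeMethod
+code_challenge_method: method
 }
 });
 throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", "The OAuth provider configuration is invalid.");
 }
-const { authorizeURL, ...options2 } = parsed.data;
-const { userInfo, accessToken, clientSecret, ...required } = options2;
-const searchParams = new URLSearchParams(toCastCase(required));
-return `${authorizeURL}?${searchParams}`;
+return {
+authorization,
+state,
+codeVerifier,
+method
+};
 };
+
+// src/actions/signIn/authorization.ts
 var getTrustedOrigins = async (request, trustedOrigins) => {
 if (!trustedOrigins) return [];
 const raw = typeof trustedOrigins === "function" ? await trustedOrigins(request) : trustedOrigins;
 return Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
 };
+var getBaseURL = async ({
+ctx,
+request,
+headers: headersInit
+}) => {
+const origin = getEnv("BASE_URL") || ctx?.baseURL;
+if (origin && origin !== "/") return origin;
+if (ctx?.trustedProxyHeaders) {
+const headers = headersInit && new Headers(headersInit) || request?.headers;
+const protocol = headers?.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Proto") ?? "http";
+const host = headers?.get("Host") ?? headers?.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers?.get("X-Forwarded-Host") ?? null;
+if (host) return `${protocol}://${host}`;
+throw new AuthInternalError(
+"INVALID_OAUTH_CONFIGURATION",
+"The URL cannot be constructed. Please set the BASE_URL environment variable or provide trusted proxy host headers."
+);
+}
+try {
+return new URL(request?.url ?? "not-found").origin;
+} catch (error) {
+throw new AuthInternalError(
+"INVALID_OAUTH_CONFIGURATION",
+"The URL cannot be constructed. Please set the BASE_URL environment variable or enable trustedProxyHeaders.",
+{ cause: error }
+);
+}
+};
 var getOriginURL = async (request, context) => {
-const headers = request.headers;
-let origin = new URL(request.url).origin;
 const trustedOrigins = await getTrustedOrigins(request, context?.trustedOrigins);
-trustedOrigins.push(origin);
-if (context?.trustedProxyHeaders) {
-const protocol = headers.get("Forwarded")?.match(/proto=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Proto") ?? "http";
-const host = headers.get("Host") ?? headers.get("Forwarded")?.match(/host=([^;]+)/i)?.[1] ?? headers.get("X-Forwarded-Host") ?? null;
-origin = `${protocol}://${host}`;
-}
+trustedOrigins.push(new URL(request.url).origin);
+const origin = await getBaseURL({ request, ctx: context });
 if (!isTrustedOrigin(origin, trustedOrigins)) {
 context?.logger?.log("UNTRUSTED_ORIGIN", { structuredData: { origin } });
 throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");
@@ -378,6 +460,17 @@ var createRedirectURI = async (request, oauth, context) => {
 const origin = await getOriginURL(request, context);
 return `${origin}${context.basePath}/callback/${oauth}`;
 };
+var createSignInURL = async ({
+request,
+oauth,
+ctx,
+redirectTo
+}) => {
+const origin = await getOriginURL(request, ctx);
+const searchParams = new URLSearchParams();
+if (redirectTo !== void 0) searchParams.set("redirectTo", String(redirectTo));
+return `${origin}${ctx.basePath}/signIn/${oauth}?${searchParams.toString()}`;
+};
 var createRedirectTo = async (request, redirectTo, context) => {
 try {
 const headers = request.headers;
@@ -413,50 +506,85 @@ var createRedirectTo = async (request, redirectTo, context) => {
 }
 };
 
+// src/api/signIn.ts
+var signIn = async (oauth, {
+ctx,
+headers: headersInit,
+redirectTo = "/",
+redirect,
+request: requestInit
+}) => {
+const headers = new Headers(headersInit);
+const provider = ctx.oauth[oauth];
+if (!provider) {
+throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", `The OAuth provider "${oauth}" is not configured.`);
+}
+let request = requestInit;
+if (!request) {
+const origin = await getBaseURL({ ctx, headers });
+const url = `${origin}${ctx.basePath}/signIn/${oauth}`;
+request = new Request(url, { headers });
+}
+if (redirect === false) {
+const signInURL = await createSignInURL({ request, oauth, ctx, redirectTo });
+return { redirect: false, signInURL };
+}
+const redirectURI = await createRedirectURI(request, oauth, ctx);
+const redirectToValue = await createRedirectTo(request, redirectTo, ctx);
+const { authorization, state, codeVerifier } = await createAuthorizationURL(provider, redirectURI, ctx);
+ctx?.logger?.log("SIGN_IN_INITIATED", {
+structuredData: { oauth_provider: oauth }
+});
+const headersList = new import_router2.HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(ctx.cookies.state.name, state, ctx.cookies.state.attributes).setCookie(ctx.cookies.redirectURI.name, redirectURI, ctx.cookies.redirectURI.attributes).setCookie(ctx.cookies.redirectTo.name, redirectToValue, ctx.cookies.redirectTo.attributes).setCookie(ctx.cookies.codeVerifier.name, codeVerifier, ctx.cookies.codeVerifier.attributes).toHeaders();
+return Response.json(
+{ redirect: redirect ?? true, signInURL: authorization },
+{
+status: redirect ?? true ? 302 : 200,
+headers: headersList
+}
+);
+};
+
 // src/actions/signIn/signIn.ts
+var import_router3 = require("@aura-stack/router");
 var signInConfig = (oauth) => {
-return (0, import_router2.createEndpointConfig)("/signIn/:oauth", {
+return (0, import_router3.createEndpointConfig)("/signIn/:oauth", {
 schemas: {
-params: import_zod2.z.object({
-oauth: import_zod2.z.enum(
+params: import_v42.z.object({
+oauth: import_v42.z.enum(
 Object.keys(oauth),
 "The OAuth provider is not supported or invalid."
 )
 }),
-searchParams: import_zod2.z.object({
-redirectTo: import_zod2.z.string().optional()
+searchParams: import_v42.z.object({
+redirect: import_v42.z.stringbool().optional().default(true),
+redirectTo: import_v42.z.string().optional()
 })
 }
 });
 };
 var signInAction = (oauth) => {
-return (0, import_router2.createEndpoint)(
+return (0, import_router3.createEndpoint)(
 "GET",
 "/signIn/:oauth",
 async (ctx) => {
 const {
 request,
 params: { oauth: oauth2 },
-searchParams: { redirectTo },
+searchParams: { redirectTo, redirect },
 context
 } = ctx;
-const { oauth: providers, cookies, logger } = context;
-const state = generateSecure();
-const redirectURI = await createRedirectURI(request, oauth2, context);
-const redirectToValue = await createRedirectTo(request, redirectTo, context);
-const { codeVerifier, codeChallenge, method } = await createPKCE();
-const authorization = createAuthorizationURL(providers[oauth2], redirectURI, state, codeChallenge, method, logger);
-logger?.log("SIGN_IN_INITIATED", {
-structuredData: { oauth_provider: oauth2, code_challenge_method: method }
+const signInResult = await signIn(oauth2, {
+ctx: context,
+headers: request.headers,
+redirect,
+redirectTo,
+request
 });
-const headers = new import_router2.HeadersBuilder(cacheControl).setHeader("Location", authorization).setCookie(cookies.state.name, state, cookies.state.attributes).setCookie(cookies.redirectURI.name, redirectURI, cookies.redirectURI.attributes).setCookie(cookies.redirectTo.name, redirectToValue, cookies.redirectTo.attributes).setCookie(cookies.codeVerifier.name, codeVerifier, cookies.codeVerifier.attributes).toHeaders();
-return Response.json(
-{ oauth: oauth2 },
-{
-status: 302,
-headers
-}
-);
+if (!redirect) {
+return Response.json(signInResult, { status: 200 });
+}
+return signInResult;
 },
 signInConfig(oauth)
 );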
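Review bot: In the new `signIn` helper (`// src/api/signIn.ts`), the `UNTRUSTED_ORIGIN` check looks circular when no `request` is passed: the Request is synthesized from `getBaseURL({ ctx, headers })`, and `getOriginURL` then pushes `new URL(request.url).origin` into `trustedOrigins` before comparing it with the origin that `getBaseURL` derives from those same headers. With `trustedProxyHeaders` enabled and no `BASE_URL`, the `redirect_uri` and the redirectURI cookie would then follow whatever `Host`/`Forwarded`/`X-Forwarded-*` values the caller forwards (the body of `isTrustedOrigin` is outside these hunks, so this is inferred from the call sites). I would check the header-derived origin against the configured list only, before `new Request(url, { headers })`, e.g. `if (!isTrustedOrigin(origin, await getTrustedOrigins(undefined, ctx.trustedOrigins))) throw new AuthInternalError("UNTRUSTED_ORIGIN", "The constructed origin URL is not trusted.");`, adjusted for a function-valued `trustedOrigins`. Separately, `getBaseURL` still falls back to `"http"` when no proxy header names a scheme; that deserves a comment or an explicit failure. This file is bundler output, so the change belongs in the source modules named in the `// src/...` markers.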
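--- a/package/dist/actions/signIn/signIn.d.ts
+++ b/package/dist/actions/signIn/signIn.d.ts
@@ -1,13 +1,42 @@
 import * as _aura_stack_router from '@aura-stack/router';
-import { k as OAuthProviderRecord } from '../../index-CSyIJmCM.js';
+import { z } from 'zod/v4';
+import { O as OAuthProviderRecord } from '../../index-_aXtxb_s.js';
 import 'zod';
 import '../../schemas.js';
-import '../../jose.js';
 import '@aura-stack/jose';
 import '@aura-stack/jose/jose';
+import '@aura-stack/jose/crypto';
 import '@aura-stack/router/cookie';
 import '../../@types/utility.js';
+import 'jose';
+import 'zod/v4/core';
 
-declare const signInAction: (oauth: OAuthProviderRecord) => _aura_stack_router.RouteEndpoint<"GET", "/signIn/:oauth", {}>;
+declare const signInAction: (oauth: OAuthProviderRecord) => _aura_stack_router.RouteEndpoint<"GET", "/signIn/:oauth", {
+schemas?: {
+params: z.ZodObject<{
+oauth: z.ZodEnum<{
+[x: string & Record<never, never>]: string & Record<never, never>;
+github: "github";
+bitbucket: "bitbucket";
+figma: "figma";
+discord: "discord";
+gitlab: "gitlab";
+spotify: "spotify";
+x: "x";
+strava: "strava";
+mailchimp: "mailchimp";
+pinterest: "pinterest";
+twitch: "twitch";
+notion: "notion";
+dropbox: "dropbox";
+atlassian: "atlassian";
+}>;
+}, z.core.$strip>;
+searchParams: z.ZodObject<{
+redirect: z.ZodDefault<z.ZodOptional<z.ZodCodec<z.ZodString, z.ZodBoolean>>>;
+redirectTo: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+} | undefined;
+}>;
 
 export { signInAction };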