@aura-stack/auth 0.4.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (179) hide show
  1. package/README.md +36 -1
  2. package/dist/@types/index.cjs +0 -18
  3. package/dist/@types/index.d.ts +2 -8
  4. package/dist/@types/index.js +0 -1
  5. package/dist/assert-B3iQSYlK.js +3 -0
  6. package/dist/assert-NJGroSJd.cjs +3 -0
  7. package/dist/client/index.cjs +1 -0
  8. package/dist/client/index.d.ts +11 -0
  9. package/dist/client/index.js +1 -0
  10. package/dist/crypto-Bz8nIciY.js +1 -0
  11. package/dist/crypto-CoXA5w_4.cjs +1 -0
  12. package/dist/env-bq387KyP.cjs +1 -0
  13. package/dist/env-nvh8QBNz.js +1 -0
  14. package/dist/errors-CCYPHuBO.cjs +1 -0
  15. package/dist/errors-DFWHOho6.js +1 -0
  16. package/dist/index-BkpwQ0l4.d.cts +2279 -0
  17. package/dist/index-nqLV2t91.d.ts +2279 -0
  18. package/dist/index.cjs +1 -1839
  19. package/dist/index.d.cts +2 -0
  20. package/dist/index.d.ts +2 -35
  21. package/dist/index.js +1 -132
  22. package/dist/logger-C59_CDMk.js +1 -0
  23. package/dist/logger-UnUhYL2V.cjs +1 -0
  24. package/dist/oauth/atlassian.cjs +1 -0
  25. package/dist/oauth/atlassian.d.ts +2 -0
  26. package/dist/oauth/atlassian.js +1 -0
  27. package/dist/oauth/bitbucket.cjs +1 -49
  28. package/dist/oauth/bitbucket.d.ts +2 -8
  29. package/dist/oauth/bitbucket.js +1 -6
  30. package/dist/oauth/discord.cjs +1 -57
  31. package/dist/oauth/discord.d.ts +2 -8
  32. package/dist/oauth/discord.js +1 -6
  33. package/dist/oauth/dropbox.cjs +1 -0
  34. package/dist/oauth/dropbox.d.ts +2 -0
  35. package/dist/oauth/dropbox.js +1 -0
  36. package/dist/oauth/figma.cjs +1 -49
  37. package/dist/oauth/figma.d.ts +2 -8
  38. package/dist/oauth/figma.js +1 -6
  39. package/dist/oauth/github.cjs +1 -49
  40. package/dist/oauth/github.d.ts +2 -8
  41. package/dist/oauth/github.js +1 -6
  42. package/dist/oauth/gitlab.cjs +1 -49
  43. package/dist/oauth/gitlab.d.ts +2 -8
  44. package/dist/oauth/gitlab.js +1 -6
  45. package/dist/oauth/index.cjs +1 -483
  46. package/dist/oauth/index.d.ts +2 -8
  47. package/dist/oauth/index.js +1 -52
  48. package/dist/oauth/mailchimp.cjs +1 -49
  49. package/dist/oauth/mailchimp.d.ts +2 -8
  50. package/dist/oauth/mailchimp.js +1 -6
  51. package/dist/oauth/notion.cjs +1 -0
  52. package/dist/oauth/notion.d.ts +2 -0
  53. package/dist/oauth/notion.js +1 -0
  54. package/dist/oauth/pinterest.cjs +1 -49
  55. package/dist/oauth/pinterest.d.ts +2 -8
  56. package/dist/oauth/pinterest.js +1 -6
  57. package/dist/oauth/spotify.cjs +1 -49
  58. package/dist/oauth/spotify.d.ts +2 -8
  59. package/dist/oauth/spotify.js +1 -6
  60. package/dist/oauth/strava.cjs +1 -49
  61. package/dist/oauth/strava.d.ts +2 -8
  62. package/dist/oauth/strava.js +1 -6
  63. package/dist/oauth/twitch.cjs +1 -0
  64. package/dist/oauth/twitch.d.ts +2 -0
  65. package/dist/oauth/twitch.js +1 -0
  66. package/dist/oauth/x.cjs +1 -49
  67. package/dist/oauth/x.d.ts +2 -8
  68. package/dist/oauth/x.js +1 -6
  69. package/dist/oauth-BntNm6aE.cjs +1 -0
  70. package/dist/oauth-DmHy9VrB.js +1 -0
  71. package/dist/shared/crypto.cjs +1 -0
  72. package/dist/shared/crypto.d.ts +47 -0
  73. package/dist/shared/crypto.js +1 -0
  74. package/dist/shared/identity.cjs +1 -0
  75. package/dist/shared/identity.d.ts +2 -0
  76. package/dist/shared/identity.js +1 -0
  77. package/dist/shared/index.cjs +1 -0
  78. package/dist/shared/index.d.ts +5 -0
  79. package/dist/shared/index.js +1 -0
  80. package/package.json +39 -12
  81. package/dist/@types/router.d.cjs +0 -1
  82. package/dist/@types/router.d.d.ts +0 -12
  83. package/dist/@types/router.d.js +0 -0
  84. package/dist/@types/utility.cjs +0 -18
  85. package/dist/@types/utility.d.ts +0 -6
  86. package/dist/@types/utility.js +0 -1
  87. package/dist/actions/callback/access-token.cjs +0 -206
  88. package/dist/actions/callback/access-token.d.ts +0 -29
  89. package/dist/actions/callback/access-token.js +0 -9
  90. package/dist/actions/callback/callback.cjs +0 -649
  91. package/dist/actions/callback/callback.d.ts +0 -13
  92. package/dist/actions/callback/callback.js +0 -19
  93. package/dist/actions/callback/userinfo.cjs +0 -250
  94. package/dist/actions/callback/userinfo.d.ts +0 -21
  95. package/dist/actions/callback/userinfo.js +0 -14
  96. package/dist/actions/csrfToken/csrfToken.cjs +0 -197
  97. package/dist/actions/csrfToken/csrfToken.d.ts +0 -5
  98. package/dist/actions/csrfToken/csrfToken.js +0 -14
  99. package/dist/actions/index.cjs +0 -954
  100. package/dist/actions/index.d.ts +0 -14
  101. package/dist/actions/index.js +0 -36
  102. package/dist/actions/session/session.cjs +0 -136
  103. package/dist/actions/session/session.d.ts +0 -5
  104. package/dist/actions/session/session.js +0 -10
  105. package/dist/actions/signIn/authorization.cjs +0 -322
  106. package/dist/actions/signIn/authorization.d.ts +0 -53
  107. package/dist/actions/signIn/authorization.js +0 -18
  108. package/dist/actions/signIn/signIn.cjs +0 -467
  109. package/dist/actions/signIn/signIn.d.ts +0 -13
  110. package/dist/actions/signIn/signIn.js +0 -15
  111. package/dist/actions/signOut/signOut.cjs +0 -493
  112. package/dist/actions/signOut/signOut.d.ts +0 -8
  113. package/dist/actions/signOut/signOut.js +0 -16
  114. package/dist/assert.cjs +0 -161
  115. package/dist/assert.d.ts +0 -33
  116. package/dist/assert.js +0 -26
  117. package/dist/chunk-4EKY7655.js +0 -123
  118. package/dist/chunk-4MYWAOLG.js +0 -31
  119. package/dist/chunk-4YHJ4IEQ.js +0 -25
  120. package/dist/chunk-54CZPKR4.js +0 -25
  121. package/dist/chunk-5LZ7TOM3.js +0 -25
  122. package/dist/chunk-5W4BRQYG.js +0 -201
  123. package/dist/chunk-6MXFPFR3.js +0 -143
  124. package/dist/chunk-7QF22LHP.js +0 -67
  125. package/dist/chunk-ALG3GIV4.js +0 -95
  126. package/dist/chunk-E6G5YCI6.js +0 -25
  127. package/dist/chunk-EBAMFRB7.js +0 -34
  128. package/dist/chunk-EEE7UM5T.js +0 -25
  129. package/dist/chunk-FRJFWTOY.js +0 -70
  130. package/dist/chunk-FW4W3REU.js +0 -25
  131. package/dist/chunk-ICAZ4OVS.js +0 -37
  132. package/dist/chunk-IPKO6UQN.js +0 -25
  133. package/dist/chunk-ITQ7352M.js +0 -0
  134. package/dist/chunk-KJBAQZX2.js +0 -92
  135. package/dist/chunk-KMMAZFSJ.js +0 -25
  136. package/dist/chunk-LDU7A2JE.js +0 -25
  137. package/dist/chunk-NUDITUKX.js +0 -73
  138. package/dist/chunk-OVHNRULD.js +0 -33
  139. package/dist/chunk-PG7UYFG5.js +0 -0
  140. package/dist/chunk-PHFH2MGS.js +0 -36
  141. package/dist/chunk-QQVSRXGX.js +0 -149
  142. package/dist/chunk-RRLIF4PQ.js +0 -55
  143. package/dist/chunk-TM5IPSNF.js +0 -113
  144. package/dist/chunk-TZB6MUXN.js +0 -78
  145. package/dist/chunk-VNCNJKS2.js +0 -267
  146. package/dist/chunk-XGLBNXL4.js +0 -75
  147. package/dist/chunk-XUP6KKNG.js +0 -106
  148. package/dist/chunk-ZNCZVF6U.js +0 -14
  149. package/dist/cookie.cjs +0 -246
  150. package/dist/cookie.d.ts +0 -85
  151. package/dist/cookie.js +0 -29
  152. package/dist/env.cjs +0 -56
  153. package/dist/env.d.ts +0 -7
  154. package/dist/env.js +0 -6
  155. package/dist/errors.cjs +0 -85
  156. package/dist/errors.d.ts +0 -50
  157. package/dist/errors.js +0 -18
  158. package/dist/headers.cjs +0 -61
  159. package/dist/headers.d.ts +0 -33
  160. package/dist/headers.js +0 -12
  161. package/dist/index-CSyIJmCM.d.ts +0 -1007
  162. package/dist/jose.cjs +0 -128
  163. package/dist/jose.d.ts +0 -25
  164. package/dist/jose.js +0 -12
  165. package/dist/logger.cjs +0 -292
  166. package/dist/logger.d.ts +0 -8
  167. package/dist/logger.js +0 -8
  168. package/dist/request.cjs +0 -38
  169. package/dist/request.d.ts +0 -13
  170. package/dist/request.js +0 -6
  171. package/dist/schemas.cjs +0 -125
  172. package/dist/schemas.d.ts +0 -149
  173. package/dist/schemas.js +0 -24
  174. package/dist/secure.cjs +0 -170
  175. package/dist/secure.d.ts +0 -35
  176. package/dist/secure.js +0 -19
  177. package/dist/utils.cjs +0 -223
  178. package/dist/utils.d.ts +0 -24
  179. package/dist/utils.js +0 -29
@@ -1,1007 +0,0 @@
1
- import { z } from 'zod';
2
- import { OAuthAuthorizationErrorResponse, OAuthAccessTokenErrorResponse, OAuthEnvSchema } from './schemas.js';
3
- import { createJoseInstance } from './jose.js';
4
- import { SerializeOptions } from '@aura-stack/router/cookie';
5
- import { LiteralUnion, Prettify } from './@types/utility.js';
6
- import { JWTPayload } from '@aura-stack/jose/jose';
7
-
8
- /**
9
- * Log message definitions organized by category.
10
- * Each message includes facility, severity, msgId, and default message.
11
- */
12
- declare const logMessages: {
13
- readonly ROUTER_INTERNAL_ERROR: {
14
- readonly facility: 10;
15
- readonly severity: "error";
16
- readonly msgId: "ROUTER_INTERNAL_ERROR";
17
- readonly message: "Unhandled router error while processing the request";
18
- };
19
- readonly INVALID_REQUEST: {
20
- readonly facility: 10;
21
- readonly severity: "warning";
22
- readonly msgId: "INVALID_REQUEST";
23
- readonly message: "Request validation failed against the expected schema";
24
- };
25
- readonly SERVER_ERROR: {
26
- readonly facility: 10;
27
- readonly severity: "error";
28
- readonly msgId: "SERVER_ERROR";
29
- readonly message: "Unexpected internal server error during authentication";
30
- };
31
- readonly OAUTH_PROTOCOL_ERROR: {
32
- readonly facility: 10;
33
- readonly severity: "warning";
34
- readonly msgId: "OAUTH_PROTOCOL_ERROR";
35
- readonly message: "OAuth provider returned an invalid or unexpected protocol response";
36
- };
37
- readonly OAUTH_AUTHORIZATION_ERROR: {
38
- readonly facility: 10;
39
- readonly severity: "error";
40
- readonly msgId: "OAUTH_AUTHORIZATION_ERROR";
41
- readonly message: "OAuth authorization request was rejected or failed";
42
- };
43
- readonly INVALID_OAUTH_CONFIGURATION: {
44
- readonly facility: 10;
45
- readonly severity: "error";
46
- readonly msgId: "INVALID_OAUTH_CONFIGURATION";
47
- readonly message: "The OAuth provider configuration is invalid or incomplete";
48
- };
49
- readonly OAUTH_ACCESS_TOKEN_REQUEST_INITIATED: {
50
- readonly facility: 10;
51
- readonly severity: "debug";
52
- readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_INITIATED";
53
- readonly message: "Starting OAuth access token request to the provider";
54
- };
55
- readonly INVALID_OAUTH_ACCESS_TOKEN_RESPONSE: {
56
- readonly facility: 10;
57
- readonly severity: "error";
58
- readonly msgId: "INVALID_OAUTH_ACCESS_TOKEN_RESPONSE";
59
- readonly message: "OAuth access token endpoint returned an invalid or malformed response";
60
- };
61
- readonly OAUTH_ACCESS_TOKEN_ERROR: {
62
- readonly facility: 10;
63
- readonly severity: "error";
64
- readonly msgId: "OAUTH_ACCESS_TOKEN_ERROR";
65
- readonly message: "OAuth access token endpoint returned an error response";
66
- };
67
- readonly OAUTH_ACCESS_TOKEN_SUCCESS: {
68
- readonly facility: 10;
69
- readonly severity: "info";
70
- readonly msgId: "OAUTH_ACCESS_TOKEN_SUCCESS";
71
- readonly message: "Successfully retrieved OAuth access token from the provider";
72
- };
73
- readonly OAUTH_ACCESS_TOKEN_REQUEST_FAILED: {
74
- readonly facility: 10;
75
- readonly severity: "error";
76
- readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_FAILED";
77
- readonly message: "Network or server error while requesting OAuth access token";
78
- };
79
- readonly OAUTH_USERINFO_REQUEST_INITIATED: {
80
- readonly facility: 10;
81
- readonly severity: "debug";
82
- readonly msgId: "OAUTH_USERINFO_REQUEST_INITIATED";
83
- readonly message: "Starting OAuth userinfo request to the provider";
84
- };
85
- readonly OAUTH_USERINFO_INVALID_RESPONSE: {
86
- readonly facility: 10;
87
- readonly severity: "error";
88
- readonly msgId: "OAUTH_USERINFO_INVALID_RESPONSE";
89
- readonly message: "OAuth userinfo endpoint returned an invalid or malformed response";
90
- };
91
- readonly OAUTH_USERINFO_ERROR: {
92
- readonly facility: 10;
93
- readonly severity: "error";
94
- readonly msgId: "OAUTH_USERINFO_ERROR";
95
- readonly message: "OAuth userinfo endpoint returned an error response";
96
- };
97
- readonly OAUTH_USERINFO_SUCCESS: {
98
- readonly facility: 10;
99
- readonly severity: "info";
100
- readonly msgId: "OAUTH_USERINFO_SUCCESS";
101
- readonly message: "Successfully retrieved user information from the OAuth provider";
102
- };
103
- readonly OAUTH_USERINFO_REQUEST_FAILED: {
104
- readonly facility: 10;
105
- readonly severity: "error";
106
- readonly msgId: "OAUTH_USERINFO_REQUEST_FAILED";
107
- readonly message: "Network or server error while requesting user information from the OAuth provider";
108
- };
109
- readonly OAUTH_CALLBACK_SUCCESS: {
110
- readonly facility: 4;
111
- readonly severity: "info";
112
- readonly msgId: "OAUTH_CALLBACK_SUCCESS";
113
- readonly message: "OAuth callback completed successfully and session was created";
114
- };
115
- readonly MISMATCHING_STATE: {
116
- readonly facility: 4;
117
- readonly severity: "critical";
118
- readonly msgId: "MISMATCHING_STATE";
119
- readonly message: "OAuth response state parameter does not match the stored state value";
120
- };
121
- readonly POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED: {
122
- readonly facility: 4;
123
- readonly severity: "critical";
124
- readonly msgId: "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED";
125
- readonly message: "Blocked redirect to untrusted or external URL (potential open redirect attack)";
126
- };
127
- readonly OPEN_REDIRECT_ATTACK: {
128
- readonly facility: 4;
129
- readonly severity: "warning";
130
- readonly msgId: "OPEN_REDIRECT_ATTACK";
131
- readonly message: "Detected redirect target that does not match the trusted origin";
132
- };
133
- readonly SESSION_TOKEN_MISSING: {
134
- readonly facility: 4;
135
- readonly severity: "warning";
136
- readonly msgId: "SESSION_TOKEN_MISSING";
137
- readonly message: "Session cookie is missing from the request";
138
- };
139
- readonly CSRF_TOKEN_MISSING: {
140
- readonly facility: 4;
141
- readonly severity: "warning";
142
- readonly msgId: "CSRF_TOKEN_MISSING";
143
- readonly message: "CSRF token cookie is missing from the request";
144
- };
145
- readonly CSRF_HEADER_MISSING: {
146
- readonly facility: 4;
147
- readonly severity: "warning";
148
- readonly msgId: "CSRF_HEADER_MISSING";
149
- readonly message: "CSRF header is missing from the request";
150
- };
151
- readonly CSRF_TOKEN_INVALID: {
152
- readonly facility: 4;
153
- readonly severity: "error";
154
- readonly msgId: "CSRF_TOKEN_INVALID";
155
- readonly message: "CSRF token verification failed or token is invalid";
156
- };
157
- readonly SIGN_IN_INITIATED: {
158
- readonly facility: 4;
159
- readonly severity: "info";
160
- readonly msgId: "SIGN_IN_INITIATED";
161
- readonly message: "Starting OAuth sign-in flow for the selected provider";
162
- };
163
- readonly SIGN_OUT_ATTEMPT: {
164
- readonly facility: 4;
165
- readonly severity: "debug";
166
- readonly msgId: "SIGN_OUT_ATTEMPT";
167
- readonly message: "Received sign-out request from client";
168
- };
169
- readonly SIGN_OUT_CSRF_VERIFIED: {
170
- readonly facility: 4;
171
- readonly severity: "info";
172
- readonly msgId: "SIGN_OUT_CSRF_VERIFIED";
173
- readonly message: "CSRF token was successfully verified during sign-out";
174
- };
175
- readonly SIGN_OUT_SUCCESS: {
176
- readonly facility: 4;
177
- readonly severity: "info";
178
- readonly msgId: "SIGN_OUT_SUCCESS";
179
- readonly message: "User session was cleared and sign-out completed successfully";
180
- };
181
- readonly SIGN_OUT_REDIRECT: {
182
- readonly facility: 4;
183
- readonly severity: "debug";
184
- readonly msgId: "SIGN_OUT_REDIRECT";
185
- readonly message: "Redirecting client after successful sign-out";
186
- };
187
- readonly AUTH_SESSION_VALID: {
188
- readonly facility: 4;
189
- readonly severity: "info";
190
- readonly msgId: "AUTH_SESSION_VALID";
191
- readonly message: "Session token is valid and user session was returned";
192
- };
193
- readonly AUTH_SESSION_INVALID: {
194
- readonly facility: 4;
195
- readonly severity: "notice";
196
- readonly msgId: "AUTH_SESSION_INVALID";
197
- readonly message: "Session token is missing, expired, or invalid";
198
- };
199
- readonly INVALID_JWT_TOKEN: {
200
- readonly facility: 4;
201
- readonly severity: "warning";
202
- readonly msgId: "INVALID_JWT_TOKEN";
203
- readonly message: "JWT session token failed validation during sign-out";
204
- };
205
- readonly CSRF_TOKEN_REQUESTED: {
206
- readonly facility: 4;
207
- readonly severity: "debug";
208
- readonly msgId: "CSRF_TOKEN_REQUESTED";
209
- readonly message: "Client requested a CSRF token";
210
- };
211
- readonly CSRF_TOKEN_ISSUED: {
212
- readonly facility: 4;
213
- readonly severity: "debug";
214
- readonly msgId: "CSRF_TOKEN_ISSUED";
215
- readonly message: "Issued a new CSRF token to the client";
216
- };
217
- readonly INVALID_URL: {
218
- readonly facility: 10;
219
- readonly severity: "error";
220
- readonly msgId: "INVALID_URL";
221
- readonly message: "Derived origin URL is invalid or malformed";
222
- };
223
- readonly COOKIE_HTTPONLY_DISABLED: {
224
- readonly facility: 10;
225
- readonly severity: "critical";
226
- readonly msgId: "COOKIE_HTTPONLY_DISABLED";
227
- readonly message: "Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS exposure.";
228
- };
229
- readonly COOKIE_WILDCARD_DOMAIN: {
230
- readonly facility: 10;
231
- readonly severity: "critical";
232
- readonly msgId: "COOKIE_WILDCARD_DOMAIN";
233
- readonly message: "Cookie 'Domain' is set to a wildcard, which is insecure and should be avoided.";
234
- };
235
- readonly COOKIE_SECURE_DISABLED: {
236
- readonly facility: 10;
237
- readonly severity: "warning";
238
- readonly msgId: "COOKIE_SECURE_DISABLED";
239
- readonly message: "Cookie is configured with 'Secure' but the request is not HTTPS. The 'Secure' attribute will be ignored by the browser.";
240
- };
241
- readonly COOKIE_SAMESITE_NONE_WITHOUT_SECURE: {
242
- readonly facility: 10;
243
- readonly severity: "warning";
244
- readonly msgId: "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
245
- readonly message: "Cookie uses SameSite=None without Secure. Falling back to SameSite=Lax for safer defaults.";
246
- };
247
- readonly COOKIE_INSECURE_IN_PRODUCTION: {
248
- readonly facility: 10;
249
- readonly severity: "critical";
250
- readonly msgId: "COOKIE_INSECURE_IN_PRODUCTION";
251
- readonly message: "Cookies are being served over an insecure connection in production, which is a serious security risk.";
252
- };
253
- readonly COOKIE_HOST_STRATEGY_INSECURE: {
254
- readonly facility: 10;
255
- readonly severity: "critical";
256
- readonly msgId: "COOKIE_HOST_STRATEGY_INSECURE";
257
- readonly message: "__Host- cookies require a secure HTTPS context. Falling back to standard cookie settings.";
258
- };
259
- readonly UNTRUSTED_ORIGIN: {
260
- readonly facility: 10;
261
- readonly severity: "error";
262
- readonly msgId: "UNTRUSTED_ORIGIN";
263
- readonly message: "The constructed origin URL is not trusted.";
264
- };
265
- };
266
- declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
267
-
268
- /**
269
- * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
270
- */
271
- interface PinterestProfile {
272
- account_type: LiteralUnion<"PINNER">;
273
- id: string;
274
- profile_image: string;
275
- website_url: string;
276
- username: string;
277
- about: string;
278
- business_name: string;
279
- board_count: number;
280
- pin_count: number;
281
- follower_count: number;
282
- following_count: number;
283
- monthly_views: number;
284
- }
285
- /**
286
- * @see [Pinterest - Connect App](https://developers.pinterest.com/docs/getting-started/connect-app/)
287
- * @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
288
- * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
289
- */
290
- declare const pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
291
-
292
- interface Login {
293
- email: string;
294
- avatar: string | null;
295
- login_id: number;
296
- login_name: string;
297
- login_email: string;
298
- }
299
- /**
300
- * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/authentication/)
301
- */
302
- interface MailchimpProfile {
303
- dc: string;
304
- role: string;
305
- accountname: string;
306
- user_id: string;
307
- login: Login;
308
- login_url: string;
309
- api_endpoint: string;
310
- }
311
- /**
312
- * Mailchimp OAuth Provider
313
- * @see [Mailchimp - Marketing API](https://mailchimp.com/developer/marketing/api/)
314
- * @see [Mailchimp - Apps](https://us1.admin.mailchimp.com/account/oauth2/)
315
- * @see [Mailchimp - Create an Application](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/#register-your-app)
316
- * @see [Mailchimp - OAuth 2.0 Docs](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
317
- * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/root/)
318
- */
319
- declare const mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
320
-
321
- /**
322
- * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
323
- */
324
- interface SummaryClub {
325
- id: number;
326
- resource_state: number;
327
- name: string;
328
- profile_medium: string;
329
- cover_photo: string;
330
- cover_photo_small: string;
331
- sport_type: "cycling" | "running" | "triathlon" | "other";
332
- activity_types: string[];
333
- city: string;
334
- state: string;
335
- country: string;
336
- private: boolean;
337
- member_count: number;
338
- featured: boolean;
339
- verified: boolean;
340
- url: string;
341
- }
342
- /**
343
- * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
344
- */
345
- interface SummaryGear {
346
- id: string;
347
- resource_state: number;
348
- primary: boolean;
349
- name: string;
350
- distance: number;
351
- }
352
- /**
353
- * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
354
- */
355
- interface StravaProfile {
356
- id: number;
357
- resource_state: number;
358
- firstname: string;
359
- lastname: string;
360
- bio: string | null;
361
- profile: string;
362
- profile_medium: string;
363
- city: string;
364
- state: string;
365
- country: string;
366
- sex: string;
367
- premium: boolean;
368
- summit: boolean;
369
- created_at: Date;
370
- updated_at: Date;
371
- badge_type_id: number;
372
- weight: number;
373
- friend: null;
374
- follower: null;
375
- follower_count: number;
376
- friend_count: number;
377
- measurement_preference: string;
378
- ftp: number;
379
- clubs: SummaryClub[];
380
- bikes: SummaryGear[];
381
- shoes: SummaryGear[];
382
- }
383
- /**
384
- * Strava OAuth Provider
385
- * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
386
- * @see [Strava - My Applications](https://www.strava.com/settings/api)
387
- * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
388
- * @see [Strava - API Application](https://www.strava.com/settings/api)
389
- * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
390
- */
391
- declare const strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
392
-
393
- /**
394
- * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
395
- */
396
- interface XProfile {
397
- data: {
398
- id: string;
399
- name: string;
400
- username: string;
401
- profile_image_url: string;
402
- };
403
- }
404
- /**
405
- * X (Twitter) OAuth Provider
406
- * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
407
- * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
408
- * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
409
- * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
410
- * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
411
- */
412
- declare const x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
413
-
414
- interface SpotifyImage {
415
- url: string;
416
- height: number;
417
- width: number;
418
- }
419
- /**
420
- * @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
421
- */
422
- interface SpotifyProfile {
423
- id: string;
424
- display_name: string;
425
- email: string;
426
- type: string;
427
- uri: string;
428
- country: string;
429
- href: string;
430
- images: SpotifyImage[];
431
- product: string;
432
- explicit_content: {
433
- filter_enabled: boolean;
434
- filter_locked: boolean;
435
- };
436
- external_urls: {
437
- spotify: string;
438
- };
439
- followers: {
440
- href: string;
441
- total: number;
442
- };
443
- }
444
- /**
445
- * Spotify OAuth Provider
446
- *
447
- * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
448
- * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
449
- * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
450
- * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
451
- * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
452
- */
453
- declare const spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
454
-
455
- /**
456
- * @see [GitLab - User Structure](https://docs.gitlab.com/ee/api/users.html#external-user-structure)
457
- */
458
- interface GitLabProfile {
459
- id: number;
460
- username: string;
461
- email: string;
462
- name: string;
463
- state: string;
464
- locked: boolean;
465
- avatar_url: string;
466
- web_url: string;
467
- created_at: string;
468
- bio: string;
469
- location: string | null;
470
- public_email: string;
471
- linkedin: string;
472
- twitter: string;
473
- discord: string;
474
- github: string;
475
- website_url: string;
476
- organization: string;
477
- job_title: string;
478
- pronouns: string;
479
- bot: boolean;
480
- work_information: string | null;
481
- followers: number;
482
- following: number;
483
- local_time: string;
484
- last_sign_in_at: string;
485
- confirmed_at: string;
486
- theme_id: number;
487
- last_activity_on: string;
488
- color_scheme_id: number;
489
- projects_limit: number;
490
- current_sign_in_at: string;
491
- identities: {
492
- provider: string;
493
- extern_uid: string;
494
- saml_provider_id: number | null;
495
- }[];
496
- can_create_group: boolean;
497
- can_create_project: boolean;
498
- two_factor_enabled: boolean;
499
- external: boolean;
500
- private_profile: boolean;
501
- commit_email: string;
502
- preferred_language: string;
503
- shared_runners_minutes_limit: number | null;
504
- extra_shared_runners_minutes_limit: number | null;
505
- scim_identities: unknown[];
506
- }
507
- /**
508
- * GitLab OAuth Provider
509
- *
510
- * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
511
- * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
512
- * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
513
- * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
514
- */
515
- declare const gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
516
-
517
- /**
518
- * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
519
- */
520
- interface Nameplate {
521
- sku_id: string;
522
- asset: string;
523
- label: string;
524
- palette: string;
525
- }
526
- /**
527
- * The `snowflake` type is a string type. The attributes defined with this type are:
528
- * - `id`: The unique identifier for the object.
529
- * - `primary_guild.identity_guild_id`: The unique identifier for the guild.
530
- * - `avatar_decoration_data.sku_id`: The unique identifier for the SKU.
531
- *
532
- * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
533
- */
534
- interface DiscordProfile {
535
- id: string;
536
- username: string;
537
- discriminator: string;
538
- global_name: string | null;
539
- avatar: string | null;
540
- bot?: boolean;
541
- system?: boolean;
542
- mfa_enabled?: boolean;
543
- banner?: string | null;
544
- accent_color?: number | null;
545
- locale?: string;
546
- verified?: boolean;
547
- email?: string | null;
548
- flags?: number;
549
- premium_type?: number;
550
- public_flags?: number;
551
- avatar_decoration_data?: {
552
- asset: string;
553
- sku_id: string;
554
- };
555
- collections?: Record<string, Nameplate>;
556
- primary_guild?: {
557
- identity_guild_id: string;
558
- identity_enabled: boolean | null;
559
- tag: string | null;
560
- badge: string | null;
561
- };
562
- }
563
- /**
564
- * Discord OAuth Provider
565
- *
566
- * @see [Discord - Applications](https://discord.com/developers/applications)
567
- * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
568
- * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
569
- * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
570
- * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
571
- * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
572
- * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
573
- */
574
- declare const discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
575
-
576
- /**
577
- * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
578
- */
579
- interface FigmaProfile {
580
- id: string;
581
- handle: string;
582
- img_url: string;
583
- email: string;
584
- }
585
- /**
586
- * Figma OAuth Provider
587
- * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
588
- * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
589
- * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
590
- * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
591
- */
592
- declare const figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
593
-
594
- /**
595
- * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
596
- */
597
- interface BitbucketProfile {
598
- display_name: string;
599
- links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
600
- href?: string;
601
- }>;
602
- created_on: string;
603
- type: string;
604
- uuid: string;
605
- has_2fa_enabled: boolean;
606
- username: string;
607
- nickname: string;
608
- is_staff: boolean;
609
- account_id: string;
610
- account_status: LiteralUnion<"active" | "inactive" | "closed">;
611
- location: string | null;
612
- }
613
- /**
614
- * Bitbucket OAuth Provider
615
- *
616
- * @see [Bitbucket - Official App](https://bitbucket.org/)
617
- * @see [Bitbucket - Workspaces](https://bitbucket.org/account/workspaces/)
618
- * @see [Bitbucket - Workspace Settings](https://bitbucket.org/{workspace-name}/workspace/settings/)
619
- * @see [Bitbucket - OAuth 2.0](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)
620
- * @see [Bitbucket - Use OAuth on Bitbucket Cloud](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
621
- * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
622
- * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
623
- */
624
- declare const bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
625
-
626
- /**
627
- * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
628
- */
629
- interface GitHubProfile {
630
- login: string;
631
- id: number;
632
- user_view_type: string;
633
- node_id: string;
634
- avatar_url: string;
635
- gravatar_id: string | null;
636
- url: string;
637
- html_url: string;
638
- followers_url: string;
639
- following_url: string;
640
- gists_url: string;
641
- starred_url: string;
642
- subscriptions_url: string;
643
- organizations_url: string;
644
- repos_url: string;
645
- events_url: string;
646
- received_events_url: string;
647
- type: string;
648
- site_admin: boolean;
649
- name: string | null;
650
- company: string | null;
651
- blog: string | null;
652
- location: string | null;
653
- email: string | null;
654
- notification_email: string | null;
655
- hireable: boolean | null;
656
- bio: string | null;
657
- twitter_username?: string | null;
658
- public_repos: number;
659
- public_gists: number;
660
- followers: number;
661
- following: number;
662
- created_at: string;
663
- updated_at: string;
664
- private_gists?: number;
665
- total_private_repos?: number;
666
- owned_private_repos?: number;
667
- disk_usage?: number;
668
- collaborators?: number;
669
- two_factor_authentication: boolean;
670
- plan?: {
671
- collaborators: number;
672
- name: string;
673
- space: number;
674
- private_repos: number;
675
- };
676
- }
677
- /**
678
- * GitHub OAuth Provider
679
- *
680
- * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
681
- * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
682
- * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
683
- * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
684
- */
685
- declare const github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
686
-
687
- declare const builtInOAuthProviders: {
688
- readonly github: (options?: Partial<OAuthProviderCredentials<GitHubProfile>>) => OAuthProviderCredentials<GitHubProfile>;
689
- readonly bitbucket: (options?: Partial<OAuthProviderCredentials<BitbucketProfile>>) => OAuthProviderCredentials<BitbucketProfile>;
690
- readonly figma: (options?: Partial<OAuthProviderCredentials<FigmaProfile>>) => OAuthProviderCredentials<FigmaProfile>;
691
- readonly discord: (options?: Partial<OAuthProviderCredentials<DiscordProfile>>) => OAuthProviderCredentials<DiscordProfile>;
692
- readonly gitlab: (options?: Partial<OAuthProviderCredentials<GitLabProfile>>) => OAuthProviderCredentials<GitLabProfile>;
693
- readonly spotify: (options?: Partial<OAuthProviderCredentials<SpotifyProfile>>) => OAuthProviderCredentials<SpotifyProfile>;
694
- readonly x: (options?: Partial<OAuthProviderCredentials<XProfile>>) => OAuthProviderCredentials<XProfile>;
695
- readonly strava: (options?: Partial<OAuthProviderCredentials<StravaProfile>>) => OAuthProviderCredentials<StravaProfile>;
696
- readonly mailchimp: (options?: Partial<OAuthProviderCredentials<MailchimpProfile>>) => OAuthProviderCredentials<MailchimpProfile>;
697
- readonly pinterest: (options?: Partial<OAuthProviderCredentials<PinterestProfile>>) => OAuthProviderCredentials<PinterestProfile>;
698
- };
699
- /**
700
- * Constructs OAuth provider configurations from an array of provider names or configurations.
701
- * It loads the client ID and client secret from environment variables if only the provider name is provided.
702
- *
703
- * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
704
- * @returns A record of OAuth provider configurations
705
- * @example
706
- * // Using built-in provider with env variables
707
- * createBuiltInOAuthProviders(["github"])
708
- *
709
- * // Using built-in provider with explicit credentials via factory
710
- * createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
711
- */
712
- declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
713
- type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
714
-
715
- /**
716
- * Standard JWT claims that are managed internally by the token system.
717
- * These fields are typically filtered out before returning user data.
718
- */
719
- type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
720
- /**
721
- * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
722
- */
723
- type JWTPayloadWithToken = JWTPayload & {
724
- token: string;
725
- };
726
- /**
727
- * Standardized user profile returned by OAuth providers after fetching user information
728
- * and mapping the response to this format by default or via the `profile` custom function.
729
- */
730
- interface User {
731
- sub: string;
732
- name?: string | null;
733
- email?: string | null;
734
- image?: string | null;
735
- }
736
- /**
737
- * Session data returned by the session endpoint.
738
- */
739
- interface Session {
740
- user: User;
741
- expires: string;
742
- }
743
- /**
744
- * Configuration for an OAuth provider without credentials.
745
- * Use this type when defining provider metadata and endpoints.
746
- */
747
- interface OAuthProviderConfig<Profile extends object = Record<string, any>> {
748
- id: string;
749
- name: string;
750
- authorizeURL: string;
751
- accessToken: string;
752
- userInfo: string;
753
- scope: string;
754
- responseType: "code" | "token" | "refresh_token" | "id_token";
755
- profile?: (profile: Profile) => User | Promise<User>;
756
- }
757
- /**
758
- * OAuth provider configuration with client credentials.
759
- * Extends OAuthProviderConfig with clientId and clientSecret.
760
- */
761
- interface OAuthProviderCredentials<Profile extends object = Record<string, any>> extends OAuthProviderConfig<Profile> {
762
- clientId?: string;
763
- clientSecret?: string;
764
- }
765
- /**
766
- * Complete OAuth provider type combining configuration and credentials.
767
- */
768
- type OAuthProvider<Profile extends object = Record<string, any>> = OAuthProviderCredentials<Profile>;
769
- /**
770
- * Cookie type with __Secure- prefix, must be Secure.
771
- * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
772
- */
773
- type SecureCookie = {
774
- strategy: "secure";
775
- } & Prettify<Omit<SerializeOptions, "secure" | "encode">>;
776
- /**
777
- * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
778
- * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
779
- */
780
- type HostCookie = {
781
- strategy: "host";
782
- } & Prettify<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
783
- /**
784
- * Standard cookie type without security prefixes.
785
- * Can be sent over both HTTP and HTTPS connections (default in development).
786
- */
787
- type StandardCookie = {
788
- strategy?: "standard";
789
- } & Prettify<Omit<SerializeOptions, "encode">>;
790
- /**
791
- * Union type for cookie options based on the specified strategy.
792
- * - `secure`: Cookies are only sent over HTTPS connections
793
- * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
794
- * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
795
- */
796
- type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
797
- /**
798
- * Names of cookies used by Aura Auth for session management and OAuth flows.
799
- * - `sessionToken`: User session JWT
800
- * - `csrfToken`: CSRF protection token
801
- * - `state`: OAuth state parameter for CSRF protection
802
- * - `code_verifier`: PKCE code verifier for authorization code flow
803
- * - `redirect_uri`: OAuth callback URI
804
- * - `redirect_to`: Post-authentication redirect path
805
- * - `nonce`: OpenID Connect nonce parameter
806
- */
807
- type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
808
- type CookieStoreConfig = Record<CookieName, {
809
- name: string;
810
- attributes: CookieStrategyAttributes;
811
- }>;
812
- interface CookieConfig {
813
- /**
814
- * Prefix to be added to all cookie names. By default "aura-stack".
815
- */
816
- prefix?: string;
817
- overrides?: Partial<CookieStoreConfig>;
818
- }
819
- /**
820
- * Main configuration interface for Aura Auth.
821
- * This is the user-facing configuration object passed to `createAuth()`.
822
- */
823
- interface AuthConfig {
824
- /**
825
- * OAuth providers available in the authentication and authorization flows. It provides a type-inference
826
- * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
827
- * OAuth third-party authorization service by implementing the `OAuthProviderCredentials` interface.
828
- *
829
- * Built-in OAuth providers:
830
- * oauth: ["github", "google"]
831
- *
832
- * Custom credentials via factory:
833
- * oauth: [github({ clientId: "...", clientSecret: "..." })]
834
- *
835
- * Custom OAuth providers:
836
- * oauth: [
837
- * {
838
- * id: "oauth-providers",
839
- * name: "OAuth",
840
- * authorizeURL: "https://example.com/oauth/authorize",
841
- * accessToken: "https://example.com/oauth/token",
842
- * scope: "profile email",
843
- * responseType: "code",
844
- * userInfo: "https://example.com/oauth/userinfo",
845
- * clientId: process.env.AURA_AUTH_PROVIDER_CLIENT_ID,
846
- * clientSecret: process.env.AURA_AUTH_PROVIDER_CLIENT_SECRET,
847
- * }
848
- * ]
849
- */
850
- oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[];
851
- /**
852
- * Cookie options defines the configuration for cookies used in Aura Auth.
853
- * It includes a prefix for cookie names and flag options to determine
854
- * the security and scope of the cookies.
855
- *
856
- * **⚠️ WARNING:** Ensure that the cookie options are configured correctly to
857
- * maintain the security and integrity of the authentication process. `Aura Auth`
858
- * is not responsible for misconfigured cookies that may lead to security vulnerabilities.
859
- *
860
- * - prefix: A string prefix to be added to all cookie names, by default "aura-stack".
861
- * - flag options (This attributes help to define the security level of the cookies):
862
- * - secure: Cookies use the __Secure- prefix and are only sent over HTTPS connections.
863
- * - host: Cookies use the __Host- prefix and are only sent over HTTPS connections.
864
- * - standard: Cookies can be sent over both HTTP and HTTPS connections. (default in development)
865
- *
866
- * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
867
- * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
868
- */
869
- cookies?: Partial<CookieConfig>;
870
- /**
871
- * Secret used to sign and verify JWT tokens for session and csrf protection.
872
- * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
873
- * doesn't exist, it will throw an error during the initialization of the Auth module.
874
- */
875
- secret?: string;
876
- /**
877
- * Base path for all authentication routes. Default is `/auth`.
878
- */
879
- basePath?: `/${string}`;
880
- /**
881
- * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
882
- * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
883
- * to determine the original client IP address and protocol.
884
- *
885
- * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
886
- * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
887
- * inaccurate client IP logging.
888
- *
889
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
890
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
891
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
892
- * @experimental
893
- */
894
- trustedProxyHeaders?: boolean;
895
- logger?: Logger;
896
- /**
897
- * Defines trusted origins for your application to prevent open redirect attacks.
898
- * URLs from the Referer header, Origin header, request URL, and redirectTo option
899
- * are validated against this list before redirecting.
900
- *
901
- * - **Exact URL**: `https://example.com` matches only that origin.
902
- * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
903
- * @example
904
- * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
905
- *
906
- *
907
- * trustedOrigins: async (request) => {
908
- * const origin = new URL(request.url).origin
909
- * return [origin, "https://admin.example.com"]
910
- * }
911
- */
912
- trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
913
- }
914
- /**
915
- * A trusted origin URL or pattern. Supports:
916
- * - Exact: `https://example.com`
917
- * - Subdomain wildcard: `https://*.example.com`
918
- */
919
- type TrustedOrigin = string;
920
- type JoseInstance = ReturnType<typeof createJoseInstance>;
921
- type OAuthProviderRecord = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials>;
922
- type InternalLogger = {
923
- level: LogLevel;
924
- log: typeof createLogEntry;
925
- };
926
- interface RouterGlobalContext {
927
- oauth: OAuthProviderRecord;
928
- cookies: CookieStoreConfig;
929
- jose: JoseInstance;
930
- secret?: string;
931
- basePath: string;
932
- trustedProxyHeaders: boolean;
933
- trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
934
- logger?: InternalLogger;
935
- }
936
- /**
937
- * Internal runtime configuration used within Aura Auth after initialization.
938
- * All optional fields from AuthConfig are resolved to their default values.
939
- */
940
- type AuthRuntimeConfig = RouterGlobalContext;
941
- interface AuthInstance {
942
- handlers: {
943
- GET: (request: Request) => Response | Promise<Response>;
944
- POST: (request: Request) => Response | Promise<Response>;
945
- };
946
- jose: JoseInstance;
947
- }
948
- /**
949
- * Base OAuth error response structure.
950
- */
951
- interface OAuthError<T extends string> {
952
- error: T;
953
- error_description?: string;
954
- }
955
- /**
956
- * OAuth 2.0 Authorization Error Response Types
957
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
958
- */
959
- type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
960
- /**
961
- * OAuth 2.0 Access Token Error Response Types
962
- * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
963
- */
964
- type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
965
- /**
966
- * OAuth 2.0 Token Revocation Error Response Types
967
- * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
968
- */
969
- type TokenRevocationError = OAuthError<"invalid_session_token">;
970
- type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
971
- type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID";
972
- type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
973
- type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
974
- type APIErrorMap = Record<string, {
975
- code: string;
976
- message: string;
977
- }>;
978
- /**
979
- * Log level for logger messages.
980
- */
981
- type LogLevel = "warn" | "error" | "debug" | "info";
982
- /** Defines the Severity between 0 to 7 */
983
- type Severity = "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug";
984
- /**
985
- * @see https://datatracker.ietf.org/doc/html/rfc5424
986
- */
987
- type SyslogOptions = {
988
- facility: 4 | 10;
989
- severity: Severity;
990
- timestamp?: string;
991
- hostname?: string;
992
- appName?: string;
993
- procId?: string;
994
- msgId: string;
995
- message: string;
996
- structuredData?: Record<string, string | number | boolean>;
997
- };
998
- /**
999
- * Logger function interface for structured logging.
1000
- * Called when errors or warnings occur during authentication flows.
1001
- */
1002
- type Logger = {
1003
- level: LogLevel;
1004
- log: (args: SyslogOptions) => void;
1005
- };
1006
-
1007
- export { type SecureCookie as $, type AuthRuntimeConfig as A, figma as B, type CookieConfig as C, type DiscordProfile as D, type ErrorType as E, type FigmaProfile as F, type GitLabProfile as G, type BitbucketProfile as H, type InternalLogger as I, type JWTPayloadWithToken as J, bitbucket as K, type Logger as L, type MailchimpProfile as M, type Nameplate as N, type OAuthProvider as O, type PinterestProfile as P, type GitHubProfile as Q, type RouterGlobalContext as R, type Session as S, type TrustedOrigin as T, type User as U, github as V, builtInOAuthProviders as W, type XProfile as X, createBuiltInOAuthProviders as Y, type BuiltInOAuthProvider as Z, type JWTStandardClaims as _, type CookieStoreConfig as a, type HostCookie as a0, type StandardCookie as a1, type CookieStrategyAttributes as a2, type CookieName as a3, type OAuthError as a4, type AuthorizationError as a5, type AccessTokenError as a6, type TokenRevocationError as a7, type OAuthEnv as a8, type Severity as a9, type SyslogOptions as aa, type AuthInternalErrorCode as b, type AuthSecurityErrorCode as c, type AuthConfig as d, type AuthInstance as e, type JoseInstance as f, type OAuthProviderConfig as g, type OAuthProviderCredentials as h, type LogLevel as i, type APIErrorMap as j, type OAuthProviderRecord as k, logMessages as l, createLogEntry as m, type Login as n, mailchimp as o, pinterest as p, type SummaryClub as q, type SummaryGear as r, type StravaProfile as s, strava as t, type SpotifyImage as u, type SpotifyProfile as v, spotify as w, x, gitlab as y, discord as z };