@aura-stack/auth 0.5.0 → 0.6.0

Files changed (215)
  1. package/README.md +36 -1
  2. package/dist/@types/index.cjs +0 -18
  3. package/dist/@types/index.d.ts +2 -12
  4. package/dist/@types/index.js +0 -1
  5. package/dist/assert-B3iQSYlK.js +3 -0
  6. package/dist/assert-NJGroSJd.cjs +3 -0
  7. package/dist/client/index.cjs +1 -135
  8. package/dist/client/index.d.ts +11 -14
  9. package/dist/client/index.js +1 -10
  10. package/dist/crypto-Bz8nIciY.js +1 -0
  11. package/dist/crypto-CoXA5w_4.cjs +1 -0
  12. package/dist/env-bq387KyP.cjs +1 -0
  13. package/dist/env-nvh8QBNz.js +1 -0
  14. package/dist/errors-CCYPHuBO.cjs +1 -0
  15. package/dist/errors-DFWHOho6.js +1 -0
  16. package/dist/index-BkpwQ0l4.d.cts +2279 -0
  17. package/dist/index-nqLV2t91.d.ts +2279 -0
  18. package/dist/index.cjs +1 -2427
  19. package/dist/index.d.cts +2 -0
  20. package/dist/index.d.ts +2 -14
  21. package/dist/index.js +1 -59
  22. package/dist/logger-C59_CDMk.js +1 -0
  23. package/dist/logger-UnUhYL2V.cjs +1 -0
  24. package/dist/oauth/atlassian.cjs +1 -57
  25. package/dist/oauth/atlassian.d.ts +2 -12
  26. package/dist/oauth/atlassian.js +1 -6
  27. package/dist/oauth/bitbucket.cjs +1 -49
  28. package/dist/oauth/bitbucket.d.ts +2 -12
  29. package/dist/oauth/bitbucket.js +1 -6
  30. package/dist/oauth/discord.cjs +1 -57
  31. package/dist/oauth/discord.d.ts +2 -12
  32. package/dist/oauth/discord.js +1 -6
  33. package/dist/oauth/dropbox.cjs +1 -53
  34. package/dist/oauth/dropbox.d.ts +2 -12
  35. package/dist/oauth/dropbox.js +1 -6
  36. package/dist/oauth/figma.cjs +1 -49
  37. package/dist/oauth/figma.d.ts +2 -12
  38. package/dist/oauth/figma.js +1 -6
  39. package/dist/oauth/github.cjs +1 -49
  40. package/dist/oauth/github.d.ts +2 -12
  41. package/dist/oauth/github.js +1 -6
  42. package/dist/oauth/gitlab.cjs +1 -49
  43. package/dist/oauth/gitlab.d.ts +2 -12
  44. package/dist/oauth/gitlab.js +1 -6
  45. package/dist/oauth/index.cjs +1 -673
  46. package/dist/oauth/index.d.ts +2 -12
  47. package/dist/oauth/index.js +1 -68
  48. package/dist/oauth/mailchimp.cjs +1 -49
  49. package/dist/oauth/mailchimp.d.ts +2 -12
  50. package/dist/oauth/mailchimp.js +1 -6
  51. package/dist/oauth/notion.cjs +1 -131
  52. package/dist/oauth/notion.d.ts +2 -12
  53. package/dist/oauth/notion.js +1 -9
  54. package/dist/oauth/pinterest.cjs +1 -49
  55. package/dist/oauth/pinterest.d.ts +2 -12
  56. package/dist/oauth/pinterest.js +1 -6
  57. package/dist/oauth/spotify.cjs +1 -49
  58. package/dist/oauth/spotify.d.ts +2 -12
  59. package/dist/oauth/spotify.js +1 -6
  60. package/dist/oauth/strava.cjs +1 -49
  61. package/dist/oauth/strava.d.ts +2 -12
  62. package/dist/oauth/strava.js +1 -6
  63. package/dist/oauth/twitch.cjs +1 -95
  64. package/dist/oauth/twitch.d.ts +2 -12
  65. package/dist/oauth/twitch.js +1 -7
  66. package/dist/oauth/x.cjs +1 -49
  67. package/dist/oauth/x.d.ts +2 -12
  68. package/dist/oauth/x.js +1 -6
  69. package/dist/oauth-BntNm6aE.cjs +1 -0
  70. package/dist/oauth-DmHy9VrB.js +1 -0
  71. package/dist/shared/crypto.cjs +1 -0
  72. package/dist/shared/crypto.d.ts +47 -0
  73. package/dist/shared/crypto.js +1 -0
  74. package/dist/shared/identity.cjs +1 -0
  75. package/dist/shared/identity.d.ts +2 -0
  76. package/dist/shared/identity.js +1 -0
  77. package/dist/shared/index.cjs +1 -0
  78. package/dist/shared/index.d.ts +5 -0
  79. package/dist/shared/index.js +1 -0
  80. package/package.json +32 -9
  81. package/dist/@types/router.d.cjs +0 -1
  82. package/dist/@types/router.d.d.ts +0 -16
  83. package/dist/@types/router.d.js +0 -0
  84. package/dist/@types/utility.cjs +0 -18
  85. package/dist/@types/utility.d.ts +0 -6
  86. package/dist/@types/utility.js +0 -1
  87. package/dist/actions/callback/access-token.cjs +0 -250
  88. package/dist/actions/callback/access-token.d.ts +0 -33
  89. package/dist/actions/callback/access-token.js +0 -9
  90. package/dist/actions/callback/callback.cjs +0 -715
  91. package/dist/actions/callback/callback.d.ts +0 -42
  92. package/dist/actions/callback/callback.js +0 -18
  93. package/dist/actions/callback/userinfo.cjs +0 -283
  94. package/dist/actions/callback/userinfo.d.ts +0 -25
  95. package/dist/actions/callback/userinfo.js +0 -13
  96. package/dist/actions/csrfToken/csrfToken.cjs +0 -189
  97. package/dist/actions/csrfToken/csrfToken.d.ts +0 -7
  98. package/dist/actions/csrfToken/csrfToken.js +0 -13
  99. package/dist/actions/index.cjs +0 -1161
  100. package/dist/actions/index.d.ts +0 -17
  101. package/dist/actions/index.js +0 -39
  102. package/dist/actions/session/session.cjs +0 -188
  103. package/dist/actions/session/session.d.ts +0 -7
  104. package/dist/actions/session/session.js +0 -12
  105. package/dist/actions/signIn/authorization-url.cjs +0 -288
  106. package/dist/actions/signIn/authorization-url.d.ts +0 -31
  107. package/dist/actions/signIn/authorization-url.js +0 -16
  108. package/dist/actions/signIn/authorization.cjs +0 -281
  109. package/dist/actions/signIn/authorization.d.ts +0 -54
  110. package/dist/actions/signIn/authorization.js +0 -19
  111. package/dist/actions/signIn/signIn.cjs +0 -595
  112. package/dist/actions/signIn/signIn.d.ts +0 -42
  113. package/dist/actions/signIn/signIn.js +0 -16
  114. package/dist/actions/signOut/signOut.cjs +0 -492
  115. package/dist/actions/signOut/signOut.d.ts +0 -16
  116. package/dist/actions/signOut/signOut.js +0 -15
  117. package/dist/api/createApi.cjs +0 -750
  118. package/dist/api/createApi.d.ts +0 -12
  119. package/dist/api/createApi.js +0 -19
  120. package/dist/api/getSession.cjs +0 -141
  121. package/dist/api/getSession.d.ts +0 -16
  122. package/dist/api/getSession.js +0 -10
  123. package/dist/api/signIn.cjs +0 -549
  124. package/dist/api/signIn.d.ts +0 -26
  125. package/dist/api/signIn.js +0 -15
  126. package/dist/api/signOut.cjs +0 -279
  127. package/dist/api/signOut.d.ts +0 -16
  128. package/dist/api/signOut.js +0 -13
  129. package/dist/assert.cjs +0 -194
  130. package/dist/assert.d.ts +0 -37
  131. package/dist/assert.js +0 -26
  132. package/dist/chunk-2A5B7GWR.js +0 -125
  133. package/dist/chunk-2GQLSIJ2.js +0 -40
  134. package/dist/chunk-2IR674WX.js +0 -44
  135. package/dist/chunk-3J5TUH2I.js +0 -50
  136. package/dist/chunk-4RWSYUKX.js +0 -98
  137. package/dist/chunk-4YHJ4IEQ.js +0 -25
  138. package/dist/chunk-54CZPKR4.js +0 -25
  139. package/dist/chunk-5LZ7TOM3.js +0 -25
  140. package/dist/chunk-5X7JZMEF.js +0 -0
  141. package/dist/chunk-7BE46WWS.js +0 -88
  142. package/dist/chunk-7YYXFKLR.js +0 -35
  143. package/dist/chunk-C3A37LQC.js +0 -33
  144. package/dist/chunk-CITNGXDA.js +0 -31
  145. package/dist/chunk-CWX724AG.js +0 -78
  146. package/dist/chunk-D2CSIUKP.js +0 -74
  147. package/dist/chunk-E6G5YCI6.js +0 -25
  148. package/dist/chunk-EBAMFRB7.js +0 -34
  149. package/dist/chunk-EEE7UM5T.js +0 -25
  150. package/dist/chunk-FPCVZUVG.js +0 -37
  151. package/dist/chunk-FW4W3REU.js +0 -25
  152. package/dist/chunk-GNNBM2WJ.js +0 -83
  153. package/dist/chunk-IPKO6UQN.js +0 -25
  154. package/dist/chunk-ITQ7352M.js +0 -0
  155. package/dist/chunk-JOCGX3RP.js +0 -59
  156. package/dist/chunk-KBXWTD6E.js +0 -94
  157. package/dist/chunk-KMMAZFSJ.js +0 -25
  158. package/dist/chunk-LATR3NIV.js +0 -117
  159. package/dist/chunk-LAYPUDQF.js +0 -39
  160. package/dist/chunk-LDU7A2JE.js +0 -25
  161. package/dist/chunk-LX3TJ2TJ.js +0 -294
  162. package/dist/chunk-NHZBQNRR.js +0 -143
  163. package/dist/chunk-OVHNRULD.js +0 -33
  164. package/dist/chunk-PDP3PHB3.js +0 -127
  165. package/dist/chunk-PG7UYFG5.js +0 -0
  166. package/dist/chunk-PHYNROD4.js +0 -47
  167. package/dist/chunk-QQEKY4XP.js +0 -29
  168. package/dist/chunk-U4RK4LKJ.js +0 -348
  169. package/dist/chunk-U5663F2U.js +0 -70
  170. package/dist/chunk-UN7X6SU5.js +0 -53
  171. package/dist/chunk-UZQJJD6A.js +0 -100
  172. package/dist/chunk-V6LLEAR4.js +0 -80
  173. package/dist/chunk-WHNDRO3N.js +0 -50
  174. package/dist/chunk-XY5R3EHH.js +0 -204
  175. package/dist/chunk-ZNCZVF6U.js +0 -14
  176. package/dist/client/client.cjs +0 -135
  177. package/dist/client/client.d.ts +0 -85
  178. package/dist/client/client.js +0 -9
  179. package/dist/context.cjs +0 -1237
  180. package/dist/context.d.ts +0 -16
  181. package/dist/context.js +0 -28
  182. package/dist/cookie.cjs +0 -277
  183. package/dist/cookie.d.ts +0 -89
  184. package/dist/cookie.js +0 -30
  185. package/dist/createAuth.cjs +0 -2320
  186. package/dist/createAuth.d.ts +0 -12
  187. package/dist/createAuth.js +0 -48
  188. package/dist/env.cjs +0 -78
  189. package/dist/env.d.ts +0 -10
  190. package/dist/env.js +0 -12
  191. package/dist/errors.cjs +0 -102
  192. package/dist/errors.d.ts +0 -60
  193. package/dist/errors.js +0 -22
  194. package/dist/headers.cjs +0 -61
  195. package/dist/headers.d.ts +0 -33
  196. package/dist/headers.js +0 -12
  197. package/dist/index-_aXtxb_s.d.ts +0 -1377
  198. package/dist/jose.cjs +0 -166
  199. package/dist/jose.d.ts +0 -12
  200. package/dist/jose.js +0 -20
  201. package/dist/logger.cjs +0 -424
  202. package/dist/logger.d.ts +0 -12
  203. package/dist/logger.js +0 -17
  204. package/dist/request.cjs +0 -38
  205. package/dist/request.d.ts +0 -13
  206. package/dist/request.js +0 -6
  207. package/dist/schemas.cjs +0 -158
  208. package/dist/schemas.d.ts +0 -229
  209. package/dist/schemas.js +0 -24
  210. package/dist/secure.cjs +0 -170
  211. package/dist/secure.d.ts +0 -41
  212. package/dist/secure.js +0 -20
  213. package/dist/utils.cjs +0 -329
  214. package/dist/utils.d.ts +0 -35
  215. package/dist/utils.js +0 -36
@@ -0,0 +1,2279 @@
1
+ import { ZodObject, ZodRawShape, ZodTypeAny, z } from "zod/v4";
2
+ import { JWTPayload } from "@aura-stack/jose/jose";
3
+ import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
4
+ import * as _$_aura_stack_router0 from "@aura-stack/router";
5
+ import { ClientOptions, GlobalContext } from "@aura-stack/router";
6
+ import { SerializeOptions } from "@aura-stack/router/cookie";
7
+ import * as _$zod from "zod";
8
+ import * as _$zod_v4_core0 from "zod/v4/core";
9
+
10
+ //#region src/schemas.d.ts
11
+ /**
12
+ * Schema used in the callback action to validate the authorization error response when the resource owner
13
+ * has denied the authorization request.
14
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
15
+ */
16
+ declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
17
+ error: z.ZodEnum<{
18
+ invalid_request: "invalid_request";
19
+ unauthorized_client: "unauthorized_client";
20
+ access_denied: "access_denied";
21
+ unsupported_response_type: "unsupported_response_type";
22
+ invalid_scope: "invalid_scope";
23
+ server_error: "server_error";
24
+ temporarily_unavailable: "temporarily_unavailable";
25
+ }>;
26
+ error_description: z.ZodOptional<z.ZodString>;
27
+ error_uri: z.ZodOptional<z.ZodString>;
28
+ state: z.ZodString;
29
+ }, z.core.$strip>;
30
+ /**
31
+ * Schema for OAuth Access Token Error Response
32
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
33
+ */
34
+ declare const OAuthAccessTokenErrorResponse: z.ZodObject<{
35
+ error: z.ZodEnum<{
36
+ invalid_request: "invalid_request";
37
+ unauthorized_client: "unauthorized_client";
38
+ invalid_scope: "invalid_scope";
39
+ invalid_client: "invalid_client";
40
+ invalid_grant: "invalid_grant";
41
+ unsupported_grant_type: "unsupported_grant_type";
42
+ }>;
43
+ error_description: z.ZodOptional<z.ZodString>;
44
+ error_uri: z.ZodOptional<z.ZodString>;
45
+ }, z.core.$strip>;
46
+ declare const OAuthEnvSchema: z.ZodObject<{
47
+ clientId: z.ZodString;
48
+ clientSecret: z.ZodString;
49
+ }, z.core.$strip>;
50
+ //#endregion
51
+ //#region src/jose.d.ts
52
+ /**
53
+ * Creates the JOSE instance used for signing and verifying tokens. It derives keys
54
+ * for session tokens and CSRF tokens. For security and determinism, it's required
55
+ * to set a salt value in `AURA_AUTH_SALT` or `AUTH_SALT` env.
56
+ *
57
+ * The instance respects the `SessionConfig` to determine:
58
+ * - **mode**: `signed` (JWS only), `encrypted` (JWE only), or `sealed` (JWS + JWE)
59
+ * - **algorithms**: signing, key-wrapping, and content-encryption algorithms
60
+ * - **claims**: audience, issuer, maxAge
61
+ *
62
+ * @param secret the base secret for key derivation
63
+ * @param session the session configuration that drives algorithm and mode selection
64
+ * @returns jose instance with methods for encoding/decoding JWTs and signing/verifying JWSs
65
+ */
66
+ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWTKey, session?: SessionConfig) => {
67
+ signJWS: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: JWTHeaderParameters) => Promise<string>;
68
+ verifyJWS: (token: string, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<DefaultUser>>;
69
+ encryptJWE: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: JWEHeaderParameters) => Promise<string>;
70
+ decryptJWE: (token: string, options?: JWTDecryptOptions) => Promise<TypedJWTPayload<DefaultUser>>;
71
+ encodeJWT: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: EncodeJWTOptions) => Promise<string>;
72
+ decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
73
+ };
74
+ //#endregion
75
+ //#region src/shared/identity.d.ts
76
+ declare const UserIdentity: z.ZodObject<{
77
+ sub: z.ZodString;
78
+ name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
79
+ image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
80
+ email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
81
+ }, z.core.$strip>;
82
+ type UserShape = (typeof UserIdentity)["shape"];
83
+ type UserIdentityType = z.infer<typeof UserIdentity>;
84
+ declare const createIdentity: <S extends EditableShape<UserShape>>(shape: S) => z.ZodObject<{ -readonly [P in keyof S]: S[P] }, z.core.$strip>;
85
+ //#endregion
86
+ //#region src/api/createApi.d.ts
87
+ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
88
+ /**
89
+ * Retrieves the current session data from the server-side.
90
+ *
91
+ * @param options - Options for the API call, including headers to verify `session_token` cookie.
92
+ * @returns An object containing session data see {@link User}
93
+ */
94
+ getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<DefaultUser>>;
95
+ /**
96
+ * Initiates the sign-in flow on the server-side. By default the redirect is automatic, but it can be
97
+ * disabled by setting the `redirect` option to `false`. When redirect is disabled, the API returns the
98
+ * `signInURL` in the response for the client to handle the redirect manually.
99
+ *
100
+ * @param oauth - The OAuth provider to use for sign-in (e.g., "github", "gitlab", "bitbucket").
101
+ * @param options - Optional parameters for the sign-in process, including headers and redirect behavior.
102
+ * @returns The object returned by the API call {@link SignInAPIReturn}
103
+ * @example
104
+ * const response = await api.signIn("github", {
105
+ * redirectTo: "/dashboard",
106
+ * request: await getRequest(),
107
+ * })
108
+ */
109
+ signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
110
+ /**
111
+ * Signs in a user using credentials (`username` and `password`) on the server-side. The credentials must
112
+ * be verified by the `authorize` function provided in the `credentials` configuration option.
113
+ *
114
+ * @param options - Options for the API call, including the credentials payload, headers, and redirect behavior.
115
+ * @returns The object returned by the API call {@link SignInCredentialsAPIReturn}
116
+ * @example
117
+ * const response = await api.signInCredentials({
118
+ * payload: {
119
+ * username: "johndoe",
120
+ * password: "1234567890"
121
+ * },
122
+ * redirectTo: "/dashboard",
123
+ * request: await getRequest(),
124
+ * })
125
+ */
126
+ signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
127
+ /**
128
+ * Updates the current session on the server-side. It allows partial updates to the session object, such as
129
+ * modifying user fields or extending the session expiry. It implements CSRF Protection by default, for
130
+ * server-side calls it only verifies and validates the CSRF Token, it also provides Double-Submit
131
+ * Cookie protection by requiring the `session_token` cookie to be included in the request headers.
132
+ *
133
+ * @param options - Options for the API call, including the session updates, headers, redirect behavior, and CSRF check bypass.
134
+ * @returns The object returned by the API call {@link UpdateSessionAPIReturn}
135
+ * @example
136
+ * const response = await api.updateSession({
137
+ * session: {
138
+ * user: {
139
+ * name: "John Doe",
140
+ * email: "john.doe@example.com"
141
+ * }
142
+ * },
143
+ * redirectTo: "/dashboard",
144
+ * request: await getRequest()
145
+ * })
146
+ */
147
+ updateSession: (options: UpdateSessionAPIOptions<DefaultUser>) => Promise<UpdateSessionAPIReturn<DefaultUser>>;
148
+ /**
149
+ * Signs out the current session on the server-side. It implements CSRF Protection by default, for
150
+ * server-side calls it only verifies and validates the CSRF Token, it also provides Double-Submit
151
+ * Cookie protection by requiring the `session_token` cookie to be included in the request headers.
152
+ *
153
+ * @param options - Options for the API call, including headers, redirect behavior, and CSRF check bypass.
154
+ * @returns The object returned by the API call {@link SignOutAPIReturn}
155
+ * @example
156
+ * const response = await api.signOut({
157
+ * redirectTo: "/goodbye",
158
+ * headers: {
159
+ * Cookie: "session_token=abc123; csrf_token=def456"
160
+ * },
161
+ * // Only set this to true for trusted server-side calls that have already verified the CSRF token
162
+ * skipCSRFCheck: true
163
+ * })
164
+ */
165
+ signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
166
+ };
167
+ //#endregion
168
+ //#region src/shared/logger.d.ts
169
+ /**
170
+ * Log message definitions organized by category.
171
+ * Each message includes facility, severity, msgId, and default message.
172
+ */
173
+ declare const logMessages: {
174
+ readonly ROUTER_INTERNAL_ERROR: {
175
+ readonly facility: 10;
176
+ readonly severity: "error";
177
+ readonly msgId: "ROUTER_INTERNAL_ERROR";
178
+ readonly message: "Unhandled router error while processing the request";
179
+ };
180
+ readonly INVALID_REQUEST: {
181
+ readonly facility: 10;
182
+ readonly severity: "warning";
183
+ readonly msgId: "INVALID_REQUEST";
184
+ readonly message: "Request validation failed against the expected schema";
185
+ };
186
+ readonly SERVER_ERROR: {
187
+ readonly facility: 10;
188
+ readonly severity: "error";
189
+ readonly msgId: "SERVER_ERROR";
190
+ readonly message: "Unexpected internal server error during authentication";
191
+ };
192
+ readonly OAUTH_PROTOCOL_ERROR: {
193
+ readonly facility: 10;
194
+ readonly severity: "warning";
195
+ readonly msgId: "OAUTH_PROTOCOL_ERROR";
196
+ readonly message: "OAuth provider returned an invalid or unexpected protocol response";
197
+ };
198
+ readonly OAUTH_AUTHORIZATION_ERROR: {
199
+ readonly facility: 10;
200
+ readonly severity: "error";
201
+ readonly msgId: "OAUTH_AUTHORIZATION_ERROR";
202
+ readonly message: "OAuth authorization request was rejected or failed";
203
+ };
204
+ readonly INVALID_OAUTH_CONFIGURATION: {
205
+ readonly facility: 10;
206
+ readonly severity: "error";
207
+ readonly msgId: "INVALID_OAUTH_CONFIGURATION";
208
+ readonly message: "The OAuth provider configuration is invalid or incomplete";
209
+ };
210
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_INITIATED: {
211
+ readonly facility: 10;
212
+ readonly severity: "debug";
213
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_INITIATED";
214
+ readonly message: "Starting OAuth access token request to the provider";
215
+ };
216
+ readonly INVALID_OAUTH_ACCESS_TOKEN_RESPONSE: {
217
+ readonly facility: 10;
218
+ readonly severity: "error";
219
+ readonly msgId: "INVALID_OAUTH_ACCESS_TOKEN_RESPONSE";
220
+ readonly message: "OAuth access token endpoint returned an invalid or malformed response";
221
+ };
222
+ readonly OAUTH_ACCESS_TOKEN_ERROR: {
223
+ readonly facility: 10;
224
+ readonly severity: "error";
225
+ readonly msgId: "OAUTH_ACCESS_TOKEN_ERROR";
226
+ readonly message: "OAuth access token endpoint returned an error response";
227
+ };
228
+ readonly OAUTH_ACCESS_TOKEN_SUCCESS: {
229
+ readonly facility: 10;
230
+ readonly severity: "info";
231
+ readonly msgId: "OAUTH_ACCESS_TOKEN_SUCCESS";
232
+ readonly message: "Successfully retrieved OAuth access token from the provider";
233
+ };
234
+ readonly OAUTH_ACCESS_TOKEN_REQUEST_FAILED: {
235
+ readonly facility: 10;
236
+ readonly severity: "error";
237
+ readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_FAILED";
238
+ readonly message: "Network or server error while requesting OAuth access token";
239
+ };
240
+ readonly OAUTH_USERINFO_REQUEST_INITIATED: {
241
+ readonly facility: 10;
242
+ readonly severity: "debug";
243
+ readonly msgId: "OAUTH_USERINFO_REQUEST_INITIATED";
244
+ readonly message: "Starting OAuth userinfo request to the provider";
245
+ };
246
+ readonly OAUTH_USERINFO_INVALID_RESPONSE: {
247
+ readonly facility: 10;
248
+ readonly severity: "error";
249
+ readonly msgId: "OAUTH_USERINFO_INVALID_RESPONSE";
250
+ readonly message: "OAuth userinfo endpoint returned an invalid or malformed response";
251
+ };
252
+ readonly OAUTH_USERINFO_ERROR: {
253
+ readonly facility: 10;
254
+ readonly severity: "error";
255
+ readonly msgId: "OAUTH_USERINFO_ERROR";
256
+ readonly message: "OAuth userinfo endpoint returned an error response";
257
+ };
258
+ readonly OAUTH_USERINFO_SUCCESS: {
259
+ readonly facility: 10;
260
+ readonly severity: "info";
261
+ readonly msgId: "OAUTH_USERINFO_SUCCESS";
262
+ readonly message: "Successfully retrieved user information from the OAuth provider";
263
+ };
264
+ readonly OAUTH_USERINFO_REQUEST_FAILED: {
265
+ readonly facility: 10;
266
+ readonly severity: "error";
267
+ readonly msgId: "OAUTH_USERINFO_REQUEST_FAILED";
268
+ readonly message: "Network or server error while requesting user information from the OAuth provider";
269
+ };
270
+ readonly OAUTH_CALLBACK_SUCCESS: {
271
+ readonly facility: 4;
272
+ readonly severity: "info";
273
+ readonly msgId: "OAUTH_CALLBACK_SUCCESS";
274
+ readonly message: "OAuth callback completed successfully and session was created";
275
+ };
276
+ readonly MISMATCHING_STATE: {
277
+ readonly facility: 4;
278
+ readonly severity: "critical";
279
+ readonly msgId: "MISMATCHING_STATE";
280
+ readonly message: "OAuth response state parameter does not match the stored state value";
281
+ };
282
+ readonly POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED: {
283
+ readonly facility: 4;
284
+ readonly severity: "critical";
285
+ readonly msgId: "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED";
286
+ readonly message: "Blocked redirect to untrusted or external URL (potential open redirect attack)";
287
+ };
288
+ readonly OPEN_REDIRECT_ATTACK: {
289
+ readonly facility: 4;
290
+ readonly severity: "warning";
291
+ readonly msgId: "OPEN_REDIRECT_ATTACK";
292
+ readonly message: "Detected redirect target that does not match the trusted origin";
293
+ };
294
+ readonly SESSION_TOKEN_MISSING: {
295
+ readonly facility: 4;
296
+ readonly severity: "warning";
297
+ readonly msgId: "SESSION_TOKEN_MISSING";
298
+ readonly message: "Session cookie is missing from the request";
299
+ };
300
+ readonly CSRF_TOKEN_MISSING: {
301
+ readonly facility: 4;
302
+ readonly severity: "warning";
303
+ readonly msgId: "CSRF_TOKEN_MISSING";
304
+ readonly message: "CSRF token cookie is missing from the request";
305
+ };
306
+ readonly CSRF_HEADER_MISSING: {
307
+ readonly facility: 4;
308
+ readonly severity: "warning";
309
+ readonly msgId: "CSRF_HEADER_MISSING";
310
+ readonly message: "CSRF header is missing from the request";
311
+ };
312
+ readonly CSRF_TOKEN_INVALID: {
313
+ readonly facility: 4;
314
+ readonly severity: "error";
315
+ readonly msgId: "CSRF_TOKEN_INVALID";
316
+ readonly message: "CSRF token verification failed or token is invalid";
317
+ };
318
+ readonly SIGN_IN_INITIATED: {
319
+ readonly facility: 4;
320
+ readonly severity: "info";
321
+ readonly msgId: "SIGN_IN_INITIATED";
322
+ readonly message: "Starting OAuth sign-in flow for the selected provider";
323
+ };
324
+ readonly SIGN_OUT_ATTEMPT: {
325
+ readonly facility: 4;
326
+ readonly severity: "debug";
327
+ readonly msgId: "SIGN_OUT_ATTEMPT";
328
+ readonly message: "Received sign-out request from client";
329
+ };
330
+ readonly SIGN_OUT_CSRF_VERIFIED: {
331
+ readonly facility: 4;
332
+ readonly severity: "info";
333
+ readonly msgId: "SIGN_OUT_CSRF_VERIFIED";
334
+ readonly message: "CSRF token was successfully verified during sign-out";
335
+ };
336
+ readonly SIGN_OUT_SUCCESS: {
337
+ readonly facility: 4;
338
+ readonly severity: "info";
339
+ readonly msgId: "SIGN_OUT_SUCCESS";
340
+ readonly message: "User session was cleared and sign-out completed successfully";
341
+ };
342
+ readonly SIGN_OUT_REDIRECT: {
343
+ readonly facility: 4;
344
+ readonly severity: "debug";
345
+ readonly msgId: "SIGN_OUT_REDIRECT";
346
+ readonly message: "Redirecting client after successful sign-out";
347
+ };
348
+ readonly AUTH_SESSION_VALID: {
349
+ readonly facility: 4;
350
+ readonly severity: "info";
351
+ readonly msgId: "AUTH_SESSION_VALID";
352
+ readonly message: "Session token is valid and user session was returned";
353
+ };
354
+ readonly AUTH_SESSION_INVALID: {
355
+ readonly facility: 4;
356
+ readonly severity: "notice";
357
+ readonly msgId: "AUTH_SESSION_INVALID";
358
+ readonly message: "Session token is missing, expired, or invalid";
359
+ };
360
+ readonly INVALID_JWT_TOKEN: {
361
+ readonly facility: 4;
362
+ readonly severity: "warning";
363
+ readonly msgId: "INVALID_JWT_TOKEN";
364
+ readonly message: "JWT session token failed validation during sign-out";
365
+ };
366
+ readonly CSRF_TOKEN_REQUESTED: {
367
+ readonly facility: 4;
368
+ readonly severity: "debug";
369
+ readonly msgId: "CSRF_TOKEN_REQUESTED";
370
+ readonly message: "Client requested a CSRF token";
371
+ };
372
+ readonly CSRF_TOKEN_ISSUED: {
373
+ readonly facility: 4;
374
+ readonly severity: "debug";
375
+ readonly msgId: "CSRF_TOKEN_ISSUED";
376
+ readonly message: "Issued a new CSRF token to the client";
377
+ };
378
+ readonly INVALID_URL: {
379
+ readonly facility: 10;
380
+ readonly severity: "error";
381
+ readonly msgId: "INVALID_URL";
382
+ readonly message: "Derived origin URL is invalid or malformed";
383
+ };
384
+ readonly COOKIE_HTTPONLY_DISABLED: {
385
+ readonly facility: 10;
386
+ readonly severity: "critical";
387
+ readonly msgId: "COOKIE_HTTPONLY_DISABLED";
388
+ readonly message: "Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS exposure.";
389
+ };
390
+ readonly COOKIE_WILDCARD_DOMAIN: {
391
+ readonly facility: 10;
392
+ readonly severity: "critical";
393
+ readonly msgId: "COOKIE_WILDCARD_DOMAIN";
394
+ readonly message: "Cookie 'Domain' is set to a wildcard, which is insecure and should be avoided.";
395
+ };
396
+ readonly COOKIE_SECURE_DISABLED: {
397
+ readonly facility: 10;
398
+ readonly severity: "warning";
399
+ readonly msgId: "COOKIE_SECURE_DISABLED";
400
+ readonly message: "Cookie is configured with 'Secure' but the request is not HTTPS. The 'Secure' attribute will be ignored by the browser.";
401
+ };
402
+ readonly COOKIE_SAMESITE_NONE_WITHOUT_SECURE: {
403
+ readonly facility: 10;
404
+ readonly severity: "warning";
405
+ readonly msgId: "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
406
+ readonly message: "Cookie uses SameSite=None without Secure. Falling back to SameSite=Lax for safer defaults.";
407
+ };
408
+ readonly COOKIE_INSECURE_IN_PRODUCTION: {
409
+ readonly facility: 10;
410
+ readonly severity: "critical";
411
+ readonly msgId: "COOKIE_INSECURE_IN_PRODUCTION";
412
+ readonly message: "Cookies are being served over an insecure connection in production, which is a serious security risk.";
413
+ };
414
+ readonly COOKIE_HOST_STRATEGY_INSECURE: {
415
+ readonly facility: 10;
416
+ readonly severity: "critical";
417
+ readonly msgId: "COOKIE_HOST_STRATEGY_INSECURE";
418
+ readonly message: "__Host- cookies require a secure HTTPS context. Falling back to standard cookie settings.";
419
+ };
420
+ readonly UNTRUSTED_ORIGIN: {
421
+ readonly facility: 10;
422
+ readonly severity: "error";
423
+ readonly msgId: "UNTRUSTED_ORIGIN";
424
+ readonly message: "The constructed origin URL is not trusted.";
425
+ };
426
+ readonly SESSION_REFRESHED: {
427
+ readonly facility: 4;
428
+ readonly severity: "info";
429
+ readonly msgId: "SESSION_REFRESHED";
430
+ readonly message: "User session was refreshed with a new expiration time";
431
+ };
432
+ readonly AUTH_SECURITY_ERROR: {
433
+ readonly facility: 10;
434
+ readonly severity: "error";
435
+ readonly msgId: "AUTH_SECURITY_ERROR";
436
+ readonly message: "An authentication security error occurred";
437
+ };
438
+ readonly CSRF_TOKEN_VERIFIED: {
439
+ readonly facility: 4;
440
+ readonly severity: "info";
441
+ readonly msgId: "CSRF_TOKEN_VERIFIED";
442
+ readonly message: "CSRF token verification succeeded";
443
+ };
444
+ readonly IDENTITY_VALIDATION_DISABLED: {
445
+ readonly facility: 4;
446
+ readonly severity: "warning";
447
+ readonly msgId: "IDENTITY_VALIDATION_DISABLED";
448
+ readonly message: "Identity validation is disabled. User data will not be validated against a schema.";
449
+ };
450
+ readonly IDENTITY_VALIDATION_FAILED: {
451
+ readonly facility: 4;
452
+ readonly severity: "error";
453
+ readonly msgId: "IDENTITY_VALIDATION_FAILED";
454
+ readonly message: "User identity validation against the schema failed";
455
+ };
456
+ readonly CREDENTIALS_SIGN_IN_SUCCESS: {
457
+ readonly facility: 4;
458
+ readonly severity: "info";
459
+ readonly msgId: "CREDENTIALS_SIGN_IN_SUCCESS";
460
+ readonly message: "User successfully authenticated with credentials";
461
+ };
462
+ readonly INVALID_CREDENTIALS: {
463
+ readonly facility: 4;
464
+ readonly severity: "warning";
465
+ readonly msgId: "INVALID_CREDENTIALS";
466
+ readonly message: "Authentication failed due to invalid credentials";
467
+ };
468
+ readonly CREDENTIALS_SIGN_IN_FAILED: {
469
+ readonly facility: 4;
470
+ readonly severity: "error";
471
+ readonly msgId: "CREDENTIALS_SIGN_IN_FAILED";
472
+ readonly message: "An error occurred during credentials sign-in";
473
+ };
474
+ };
475
+ declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
476
+ declare const createSyslogMessage: (options: SyslogOptions) => string;
477
+ //#endregion
478
+ //#region src/oauth/github.d.ts
479
+ /**
480
+ * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
481
+ */
482
+ interface GitHubProfile {
483
+ login: string;
484
+ id: number;
485
+ user_view_type: string;
486
+ node_id: string;
487
+ avatar_url: string;
488
+ gravatar_id: string | null;
489
+ url: string;
490
+ html_url: string;
491
+ followers_url: string;
492
+ following_url: string;
493
+ gists_url: string;
494
+ starred_url: string;
495
+ subscriptions_url: string;
496
+ organizations_url: string;
497
+ repos_url: string;
498
+ events_url: string;
499
+ received_events_url: string;
500
+ type: string;
501
+ site_admin: boolean;
502
+ name: string | null;
503
+ company: string | null;
504
+ blog: string | null;
505
+ location: string | null;
506
+ email: string | null;
507
+ notification_email: string | null;
508
+ hireable: boolean | null;
509
+ bio: string | null;
510
+ twitter_username?: string | null;
511
+ public_repos: number;
512
+ public_gists: number;
513
+ followers: number;
514
+ following: number;
515
+ created_at: string;
516
+ updated_at: string;
517
+ private_gists?: number;
518
+ total_private_repos?: number;
519
+ owned_private_repos?: number;
520
+ disk_usage?: number;
521
+ collaborators?: number;
522
+ two_factor_authentication: boolean;
523
+ plan?: {
524
+ collaborators: number;
525
+ name: string;
526
+ space: number;
527
+ private_repos: number;
528
+ };
529
+ }
530
+ /**
531
+ * GitHub OAuth Provider
532
+ *
533
+ * @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
534
+ * @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
535
+ * @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
536
+ * @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
537
+ */
538
+ declare const github: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<GitHubProfile, DefaultUser>>) => OAuthProviderCredentials<GitHubProfile, DefaultUser>;
539
+ //#endregion
540
+ //#region src/oauth/bitbucket.d.ts
541
+ /**
542
+ * @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
543
+ */
544
+ interface BitbucketProfile {
545
+ display_name: string;
546
+ links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
547
+ href?: string;
548
+ }>;
549
+ created_on: string;
550
+ type: string;
551
+ uuid: string;
552
+ has_2fa_enabled: boolean;
553
+ username: string;
554
+ nickname: string;
555
+ is_staff: boolean;
556
+ account_id: string;
557
+ account_status: LiteralUnion<"active" | "inactive" | "closed">;
558
+ location: string | null;
559
+ }
560
+ /**
561
+ * Bitbucket OAuth Provider
562
+ *
563
+ * @see [Bitbucket - Official App](https://bitbucket.org/)
564
+ * @see [Bitbucket - Workspaces](https://bitbucket.org/account/workspaces/)
565
+ * @see [Bitbucket - Workspace Settings](https://bitbucket.org/{workspace-name}/workspace/settings/)
566
+ * @see [Bitbucket - OAuth 2.0](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)
567
+ * @see [Bitbucket - Use OAuth on Bitbucket Cloud](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
568
+ * @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
569
+ * @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
570
+ */
571
+ declare const bitbucket: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<BitbucketProfile, DefaultUser>>) => OAuthProviderCredentials<BitbucketProfile, DefaultUser>;
572
+ //#endregion
573
+ //#region src/oauth/figma.d.ts
574
+ /**
575
+ * @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
576
+ */
577
+ interface FigmaProfile {
578
+ id: string;
579
+ handle: string;
580
+ img_url: string;
581
+ email: string;
582
+ }
583
+ /**
584
+ * Figma OAuth Provider
585
+ * @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
586
+ * @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
587
+ * @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
588
+ * @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
589
+ */
590
+ declare const figma: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<FigmaProfile, DefaultUser>>) => OAuthProviderCredentials<FigmaProfile, DefaultUser>;
591
+ //#endregion
592
+ //#region src/oauth/discord.d.ts
593
+ /**
594
+ * @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
595
+ */
596
+ interface Nameplate {
597
+ sku_id: string;
598
+ asset: string;
599
+ label: string;
600
+ palette: string;
601
+ }
602
+ /**
603
+ * The `snowflake` type is a string type. The attributes defined with this type are:
604
+ * - `id`: The unique identifier for the object.
605
+ * - `primary_guild.identity_guild_id`: The unique identifier for the guild.
606
+ * - `avatar_decoration_data.sku_id`: The unique identifier for the SKU.
607
+ *
608
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
609
+ */
610
+ interface DiscordProfile {
611
+ id: string;
612
+ username: string;
613
+ discriminator: string;
614
+ global_name: string | null;
615
+ avatar: string | null;
616
+ bot?: boolean;
617
+ system?: boolean;
618
+ mfa_enabled?: boolean;
619
+ banner?: string | null;
620
+ accent_color?: number | null;
621
+ locale?: string;
622
+ verified?: boolean;
623
+ email?: string | null;
624
+ flags?: number;
625
+ premium_type?: number;
626
+ public_flags?: number;
627
+ avatar_decoration_data?: {
628
+ asset: string;
629
+ sku_id: string;
630
+ };
631
+ collections?: Record<string, Nameplate>;
632
+ primary_guild?: {
633
+ identity_guild_id: string;
634
+ identity_enabled: boolean | null;
635
+ tag: string | null;
636
+ badge: string | null;
637
+ };
638
+ }
639
+ /**
640
+ * Discord OAuth Provider
641
+ *
642
+ * @see [Discord - Applications](https://discord.com/developers/applications)
643
+ * @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
644
+ * @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
645
+ * @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
646
+ * @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
647
+ * @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
648
+ * @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
649
+ */
650
+ declare const discord: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DiscordProfile, DefaultUser>>) => OAuthProviderCredentials<DiscordProfile, DefaultUser>;
651
+ //#endregion
652
+ //#region src/oauth/gitlab.d.ts
653
+ /**
654
+ * @see [GitLab - User Structure](https://docs.gitlab.com/ee/api/users.html#external-user-structure)
655
+ */
656
+ interface GitLabProfile {
657
+ id: number;
658
+ username: string;
659
+ email: string;
660
+ name: string;
661
+ state: string;
662
+ locked: boolean;
663
+ avatar_url: string;
664
+ web_url: string;
665
+ created_at: string;
666
+ bio: string;
667
+ location: string | null;
668
+ public_email: string;
669
+ linkedin: string;
670
+ twitter: string;
671
+ discord: string;
672
+ github: string;
673
+ website_url: string;
674
+ organization: string;
675
+ job_title: string;
676
+ pronouns: string;
677
+ bot: boolean;
678
+ work_information: string | null;
679
+ followers: number;
680
+ following: number;
681
+ local_time: string;
682
+ last_sign_in_at: string;
683
+ confirmed_at: string;
684
+ theme_id: number;
685
+ last_activity_on: string;
686
+ color_scheme_id: number;
687
+ projects_limit: number;
688
+ current_sign_in_at: string;
689
+ identities: {
690
+ provider: string;
691
+ extern_uid: string;
692
+ saml_provider_id: number | null;
693
+ }[];
694
+ can_create_group: boolean;
695
+ can_create_project: boolean;
696
+ two_factor_enabled: boolean;
697
+ external: boolean;
698
+ private_profile: boolean;
699
+ commit_email: string;
700
+ preferred_language: string;
701
+ shared_runners_minutes_limit: number | null;
702
+ extra_shared_runners_minutes_limit: number | null;
703
+ scim_identities: unknown[];
704
+ }
705
+ /**
706
+ * GitLab OAuth Provider
707
+ *
708
+ * @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
709
+ * @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
710
+ * @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
711
+ * @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
712
+ */
713
+ declare const gitlab: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<GitLabProfile, DefaultUser>>) => OAuthProviderCredentials<GitLabProfile, DefaultUser>;
714
+ //#endregion
715
+ //#region src/oauth/spotify.d.ts
716
+ interface SpotifyImage {
717
+ url: string;
718
+ height: number;
719
+ width: number;
720
+ }
721
+ /**
722
+ * @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
723
+ */
724
+ interface SpotifyProfile {
725
+ id: string;
726
+ display_name: string;
727
+ email: string;
728
+ type: string;
729
+ uri: string;
730
+ country: string;
731
+ href: string;
732
+ images: SpotifyImage[];
733
+ product: string;
734
+ explicit_content: {
735
+ filter_enabled: boolean;
736
+ filter_locked: boolean;
737
+ };
738
+ external_urls: {
739
+ spotify: string;
740
+ };
741
+ followers: {
742
+ href: string;
743
+ total: number;
744
+ };
745
+ }
746
+ /**
747
+ * Spotify OAuth Provider
748
+ *
749
+ * @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
750
+ * @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
751
+ * @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
752
+ * @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
753
+ * @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
754
+ */
755
+ declare const spotify: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<SpotifyProfile, DefaultUser>>) => OAuthProviderCredentials<SpotifyProfile, DefaultUser>;
756
+ //#endregion
757
+ //#region src/oauth/x.d.ts
758
+ /**
759
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
760
+ */
761
+ interface XProfile {
762
+ data: {
763
+ id: string;
764
+ name: string;
765
+ username: string;
766
+ profile_image_url: string;
767
+ };
768
+ }
769
+ /**
770
+ * X (Twitter) OAuth Provider
771
+ * @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
772
+ * @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
773
+ * @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
774
+ * @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
775
+ * @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
776
+ */
777
+ declare const x: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<XProfile, DefaultUser>>) => OAuthProviderCredentials<XProfile, DefaultUser>;
778
+ //#endregion
779
+ //#region src/oauth/strava.d.ts
780
+ /**
781
+ * @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
782
+ */
783
+ interface SummaryClub {
784
+ id: number;
785
+ resource_state: number;
786
+ name: string;
787
+ profile_medium: string;
788
+ cover_photo: string;
789
+ cover_photo_small: string;
790
+ sport_type: "cycling" | "running" | "triathlon" | "other";
791
+ activity_types: string[];
792
+ city: string;
793
+ state: string;
794
+ country: string;
795
+ private: boolean;
796
+ member_count: number;
797
+ featured: boolean;
798
+ verified: boolean;
799
+ url: string;
800
+ }
801
+ /**
802
+ * @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
803
+ */
804
+ interface SummaryGear {
805
+ id: string;
806
+ resource_state: number;
807
+ primary: boolean;
808
+ name: string;
809
+ distance: number;
810
+ }
811
+ /**
812
+ * @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
813
+ */
814
+ interface StravaProfile {
815
+ id: number;
816
+ resource_state: number;
817
+ firstname: string;
818
+ lastname: string;
819
+ bio: string | null;
820
+ profile: string;
821
+ profile_medium: string;
822
+ city: string;
823
+ state: string;
824
+ country: string;
825
+ sex: string;
826
+ premium: boolean;
827
+ summit: boolean;
828
+ created_at: Date;
829
+ updated_at: Date;
830
+ badge_type_id: number;
831
+ weight: number;
832
+ friend: null;
833
+ follower: null;
834
+ follower_count: number;
835
+ friend_count: number;
836
+ measurement_preference: string;
837
+ ftp: number;
838
+ clubs: SummaryClub[];
839
+ bikes: SummaryGear[];
840
+ shoes: SummaryGear[];
841
+ }
842
+ /**
843
+ * Strava OAuth Provider
844
+ * @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
845
+ * @see [Strava - My Applications](https://www.strava.com/settings/api)
846
+ * @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
847
+ * @see [Strava - API Application](https://www.strava.com/settings/api)
848
+ * @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
849
+ */
850
+ declare const strava: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<StravaProfile, DefaultUser>>) => OAuthProviderCredentials<StravaProfile, DefaultUser>;
851
+ //#endregion
852
+ //#region src/oauth/mailchimp.d.ts
853
+ interface Login {
854
+ email: string;
855
+ avatar: string | null;
856
+ login_id: number;
857
+ login_name: string;
858
+ login_email: string;
859
+ }
860
+ /**
861
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/authentication/)
862
+ */
863
+ interface MailchimpProfile {
864
+ dc: string;
865
+ role: string;
866
+ accountname: string;
867
+ user_id: string;
868
+ login: Login;
869
+ login_url: string;
870
+ api_endpoint: string;
871
+ }
872
+ /**
873
+ * Mailchimp OAuth Provider
874
+ * @see [Mailchimp - Marketing API](https://mailchimp.com/developer/marketing/api/)
875
+ * @see [Mailchimp - Apps](https://us1.admin.mailchimp.com/account/oauth2/)
876
+ * @see [Mailchimp - Create an Application](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/#register-your-app)
877
+ * @see [Mailchimp - OAuth 2.0 Docs](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
878
+ * @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/root/)
879
+ */
880
+ declare const mailchimp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<MailchimpProfile, DefaultUser>>) => OAuthProviderCredentials<MailchimpProfile, DefaultUser>;
881
+ //#endregion
882
+ //#region src/oauth/pinterest.d.ts
883
+ /**
884
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
885
+ */
886
+ interface PinterestProfile {
887
+ account_type: LiteralUnion<"PINNER">;
888
+ id: string;
889
+ profile_image: string;
890
+ website_url: string;
891
+ username: string;
892
+ about: string;
893
+ business_name: string;
894
+ board_count: number;
895
+ pin_count: number;
896
+ follower_count: number;
897
+ following_count: number;
898
+ monthly_views: number;
899
+ }
900
+ /**
901
+ * @see [Pinterest - Connect App](https://developers.pinterest.com/docs/getting-started/connect-app/)
902
+ * @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
903
+ * @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
904
+ */
905
+ declare const pinterest: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<PinterestProfile, DefaultUser>>) => OAuthProviderCredentials<PinterestProfile, DefaultUser>;
906
+ //#endregion
907
+ //#region src/oauth/twitch.d.ts
908
+ /**
909
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
910
+ */
911
+ interface TwitchProfile {
912
+ id: string;
913
+ login: string;
914
+ display_name: string;
915
+ type: string;
916
+ broadcaster_type: string;
917
+ description: string;
918
+ profile_image_url: string;
919
+ offline_image_url: string;
920
+ view_count: number;
921
+ email?: string;
922
+ created_at: string;
923
+ }
924
+ /**
925
+ * @see [Twitch - Get Started with the Twitch API](https://dev.twitch.tv/docs/api/get-started/)
926
+ * @see [Twitch - Authorization code grant flow](https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#authorization-code-grant-flow)
927
+ * @see [Twitch - Register Your App](https://dev.twitch.tv/docs/authentication/register-app)
928
+ * @see [Twitch - Setting up Two-Factor Authentication (2FA)](https://help.twitch.tv/s/article/two-factor-authentication?language=en_US)
929
+ * @see [Twitch - Security and Privacy](https://www.twitch.tv/settings/security)
930
+ * @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
931
+ * @see [Twitch - Scopes](https://dev.twitch.tv/docs/authentication/scopes/)
932
+ */
933
+ declare const twitch: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<TwitchProfile, DefaultUser>>) => OAuthProviderCredentials<TwitchProfile, DefaultUser>;
934
+ //#endregion
935
+ //#region src/oauth/notion.d.ts
936
+ interface Person {
937
+ email: string;
938
+ }
939
+ interface NotionUser {
940
+ object: "user";
941
+ id: string;
942
+ name: string;
943
+ avatar_url: string | null;
944
+ type: "person";
945
+ person: Person;
946
+ }
947
+ interface Owner {
948
+ type: "user";
949
+ user: NotionUser;
950
+ }
951
+ interface Bot {
952
+ owner: Owner;
953
+ }
954
+ /**
955
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
956
+ */
957
+ interface NotionProfile {
958
+ object: "user";
959
+ id: string;
960
+ name: string;
961
+ avatar_url: string | null;
962
+ type: "bot";
963
+ bot: Bot;
964
+ }
965
+ /**
966
+ * @see [Notion - Developer Documentation](https://developers.notion.com/)
967
+ * @see [Notion - Authorization](https://developers.notion.com/docs/authorization)
968
+ * @see [Notion - Authentication](https://developers.notion.com/reference/authentication)
969
+ * @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
970
+ */
971
+ declare const notion: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<NotionProfile, DefaultUser>>) => OAuthProviderCredentials<NotionProfile, DefaultUser>;
972
+ //#endregion
973
+ //#region src/oauth/dropbox.d.ts
974
+ type AccountType = "basic" | "pro" | "business";
975
+ interface Name {
976
+ given_name: string;
977
+ surname: string;
978
+ familiar_name: string;
979
+ display_name: string;
980
+ abbreviated_name: string;
981
+ }
982
+ interface RootInfo {
983
+ team: RootInfo;
984
+ user: RootInfo;
985
+ }
986
+ interface FullTeam {
987
+ id: string;
988
+ name: string;
989
+ sharing_policies: Record<string, unknown>;
990
+ office_addin_policy: unknown;
991
+ top_level_content_policy: unknown;
992
+ }
993
+ interface DropboxProfile {
994
+ account_id: string;
995
+ name: Name;
996
+ email: string;
997
+ email_verified: boolean;
998
+ disabled: boolean;
999
+ locale: string;
1000
+ referral_link: string;
1001
+ is_paired: boolean;
1002
+ account_type: AccountType;
1003
+ root_info: unknown;
1004
+ profile_photo_url?: string;
1005
+ country: string;
1006
+ team?: unknown;
1007
+ team_member_id?: string;
1008
+ }
1009
+ /**
1010
+ * @see [Dropbox - OAuth Guide](https://developers.dropbox.com/oauth-guide)
1011
+ * @see [Dropbox - API v2](https://www.dropbox.com/developers/documentation/http/documentation)
1012
+ * @see [Dropbox - Get Current Account](https://www.dropbox.com/developers/documentation/http/documentation#users-get_current_account)
1013
+ * @see [Dropbox - My Apps](https://www.dropbox.com/developers/apps)
1014
+ * @see [Dropbox - Developer Guide](https://www.dropbox.com/developers/reference/developer-guide)
1015
+ */
1016
+ declare const dropbox: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DropboxProfile, DefaultUser>>) => OAuthProviderCredentials<DropboxProfile, DefaultUser>;
1017
+ //#endregion
1018
+ //#region src/oauth/atlassian.d.ts
1019
+ interface ExtendedProfile {
1020
+ job_title: string;
1021
+ organization: string;
1022
+ department: string;
1023
+ location: string;
1024
+ }
1025
+ interface AtlassianProfile {
1026
+ account_id: string;
1027
+ account_type: string;
1028
+ account_status: LiteralUnion<"active">;
1029
+ email: string;
1030
+ email_verified: boolean;
1031
+ name: string;
1032
+ picture: string;
1033
+ nickname: string;
1034
+ zoneinfo: string;
1035
+ locale: string;
1036
+ extended_profile: ExtendedProfile;
1037
+ last_updated: string;
1038
+ created_at: string;
1039
+ }
1040
+ /**
1041
+ * @see [Atlassian - OAuth Apps](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/)
1042
+ * @see [Atlassian - My Apps](https://developer.atlassian.com/console/myapps/)
1043
+ * @see [Atlassian - Retrieve Authenticated User](https://developer.atlassian.com/cloud/jira/software/oauth-2-3lo-apps/#how-do-i-retrieve-the-public-profile-of-the-authenticated-user-)
1044
+ */
1045
+ declare const atlassian: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1046
+ //#endregion
1047
+ //#region src/oauth/index.d.ts
1048
+ declare const builtInOAuthProviders: {
1049
+ readonly github: <DefaultUser extends User = {
1050
+ sub: string;
1051
+ name?: string | null | undefined;
1052
+ image?: string | null | undefined;
1053
+ email?: string | null | undefined;
1054
+ }>(options?: Partial<OAuthProviderCredentials<GitHubProfile, DefaultUser>>) => OAuthProviderCredentials<GitHubProfile, DefaultUser>;
1055
+ readonly bitbucket: <DefaultUser extends User = {
1056
+ sub: string;
1057
+ name?: string | null | undefined;
1058
+ image?: string | null | undefined;
1059
+ email?: string | null | undefined;
1060
+ }>(options?: Partial<OAuthProviderCredentials<BitbucketProfile, DefaultUser>>) => OAuthProviderCredentials<BitbucketProfile, DefaultUser>;
1061
+ readonly figma: <DefaultUser extends User = {
1062
+ sub: string;
1063
+ name?: string | null | undefined;
1064
+ image?: string | null | undefined;
1065
+ email?: string | null | undefined;
1066
+ }>(options?: Partial<OAuthProviderCredentials<FigmaProfile, DefaultUser>>) => OAuthProviderCredentials<FigmaProfile, DefaultUser>;
1067
+ readonly discord: <DefaultUser extends User = {
1068
+ sub: string;
1069
+ name?: string | null | undefined;
1070
+ image?: string | null | undefined;
1071
+ email?: string | null | undefined;
1072
+ }>(options?: Partial<OAuthProviderCredentials<DiscordProfile, DefaultUser>>) => OAuthProviderCredentials<DiscordProfile, DefaultUser>;
1073
+ readonly gitlab: <DefaultUser extends User = {
1074
+ sub: string;
1075
+ name?: string | null | undefined;
1076
+ image?: string | null | undefined;
1077
+ email?: string | null | undefined;
1078
+ }>(options?: Partial<OAuthProviderCredentials<GitLabProfile, DefaultUser>>) => OAuthProviderCredentials<GitLabProfile, DefaultUser>;
1079
+ readonly spotify: <DefaultUser extends User = {
1080
+ sub: string;
1081
+ name?: string | null | undefined;
1082
+ image?: string | null | undefined;
1083
+ email?: string | null | undefined;
1084
+ }>(options?: Partial<OAuthProviderCredentials<SpotifyProfile, DefaultUser>>) => OAuthProviderCredentials<SpotifyProfile, DefaultUser>;
1085
+ readonly x: <DefaultUser extends User = {
1086
+ sub: string;
1087
+ name?: string | null | undefined;
1088
+ image?: string | null | undefined;
1089
+ email?: string | null | undefined;
1090
+ }>(options?: Partial<OAuthProviderCredentials<XProfile, DefaultUser>>) => OAuthProviderCredentials<XProfile, DefaultUser>;
1091
+ readonly strava: <DefaultUser extends User = {
1092
+ sub: string;
1093
+ name?: string | null | undefined;
1094
+ image?: string | null | undefined;
1095
+ email?: string | null | undefined;
1096
+ }>(options?: Partial<OAuthProviderCredentials<StravaProfile, DefaultUser>>) => OAuthProviderCredentials<StravaProfile, DefaultUser>;
1097
+ readonly mailchimp: <DefaultUser extends User = {
1098
+ sub: string;
1099
+ name?: string | null | undefined;
1100
+ image?: string | null | undefined;
1101
+ email?: string | null | undefined;
1102
+ }>(options?: Partial<OAuthProviderCredentials<MailchimpProfile, DefaultUser>>) => OAuthProviderCredentials<MailchimpProfile, DefaultUser>;
1103
+ readonly pinterest: <DefaultUser extends User = {
1104
+ sub: string;
1105
+ name?: string | null | undefined;
1106
+ image?: string | null | undefined;
1107
+ email?: string | null | undefined;
1108
+ }>(options?: Partial<OAuthProviderCredentials<PinterestProfile, DefaultUser>>) => OAuthProviderCredentials<PinterestProfile, DefaultUser>;
1109
+ readonly twitch: <DefaultUser extends User = {
1110
+ sub: string;
1111
+ name?: string | null | undefined;
1112
+ image?: string | null | undefined;
1113
+ email?: string | null | undefined;
1114
+ }>(options?: Partial<OAuthProviderCredentials<TwitchProfile, DefaultUser>>) => OAuthProviderCredentials<TwitchProfile, DefaultUser>;
1115
+ readonly notion: <DefaultUser extends User = {
1116
+ sub: string;
1117
+ name?: string | null | undefined;
1118
+ image?: string | null | undefined;
1119
+ email?: string | null | undefined;
1120
+ }>(options?: Partial<OAuthProviderCredentials<NotionProfile, DefaultUser>>) => OAuthProviderCredentials<NotionProfile, DefaultUser>;
1121
+ readonly dropbox: <DefaultUser extends User = {
1122
+ sub: string;
1123
+ name?: string | null | undefined;
1124
+ image?: string | null | undefined;
1125
+ email?: string | null | undefined;
1126
+ }>(options?: Partial<OAuthProviderCredentials<DropboxProfile, DefaultUser>>) => OAuthProviderCredentials<DropboxProfile, DefaultUser>;
1127
+ readonly atlassian: <DefaultUser extends User = {
1128
+ sub: string;
1129
+ name?: string | null | undefined;
1130
+ image?: string | null | undefined;
1131
+ email?: string | null | undefined;
1132
+ }>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1133
+ };
1134
+ /**
1135
+ * Constructs OAuth provider configurations from an array of provider names or configurations.
1136
+ * It loads the client ID and client secret from environment variables if only the provider name is provided.
1137
+ *
1138
+ * @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
1139
+ * @returns A record of OAuth provider configurations
1140
+ * @example
1141
+ * // Using built-in provider with env variables
1142
+ * createBuiltInOAuthProviders(["github"])
1143
+ *
1144
+ * // Using built-in provider with explicit credentials via factory
1145
+ * createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
1146
+ */
1147
+ declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
1148
+ type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
1149
+ //#endregion
1150
+ //#region src/@types/oauth.d.ts
1151
+ /** Known query parameter names supported when building an OAuth authorization URL. */
1152
+ type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
1153
+ /** OAuth 2.0 `response_type` values used in authorization requests. */
1154
+ type ResponseType = LiteralUnion<"code" | "token" | "refresh_token" | "id_token">;
1155
+ /**
1156
+ * Configuration for an OAuth provider without credentials.
1157
+ * Use this type when defining provider metadata and endpoints.
1158
+ */
1159
+ interface OAuthProviderConfig<Profile extends object = Record<string, any>, DefaultUser = User> {
1160
+ id: string;
1161
+ name: string;
1162
+ /**
1163
+ * @deprecated
1164
+ * use `authorize` instead of `authorizeURL`
1165
+ */
1166
+ authorizeURL?: string;
1167
+ authorize: string | {
1168
+ url: string;
1169
+ params?: Partial<Record<AuthorizeParams, string> & {
1170
+ responseType: ResponseType;
1171
+ }>;
1172
+ };
1173
+ accessToken: string | {
1174
+ url: string;
1175
+ headers?: Record<string, string>;
1176
+ };
1177
+ userInfo: string | {
1178
+ url: string;
1179
+ headers?: Record<string, string>;
1180
+ method?: string;
1181
+ };
1182
+ /**
1183
+ * @deprecated
1184
+ * use `authorize.params.scope` instead of `scope`
1185
+ */
1186
+ scope?: string;
1187
+ /**
1188
+ * @deprecated
1189
+ * use `authorize.params.responseType` instead of `responseType`
1190
+ */
1191
+ responseType?: ResponseType;
1192
+ profile?: (profile: Profile) => DefaultUser | Promise<DefaultUser>;
1193
+ }
1194
+ /**
1195
+ * OAuth provider configuration with client credentials.
1196
+ * Extends OAuthProviderConfig with clientId and clientSecret.
1197
+ */
1198
+ interface OAuthProviderCredentials<Profile extends object = Record<string, any>, DefaultUser extends User = User> extends OAuthProviderConfig<Profile, DefaultUser> {
1199
+ clientId?: string;
1200
+ clientSecret?: string;
1201
+ }
1202
+ /**
1203
+ * Complete OAuth provider type combining configuration and credentials.
1204
+ */
1205
+ type OAuthProvider<Profile extends object = Record<string, any>, DefaultUser extends User = User> = OAuthProviderCredentials<Profile, DefaultUser>;
1206
+ /**
1207
+ * Lookup table of configured OAuth providers keyed by built-in id or custom id.
1208
+ * Values are full credential configs used at runtime for authorize/token/userinfo.
1209
+ */
1210
+ type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any, DefaultUser>>;
1211
+ //#endregion
1212
+ //#region src/@types/config.d.ts
1213
+ /**
1214
+ * Main configuration interface for Aura Auth.
1215
+ * This is the user-facing configuration object passed to `createAuth()`.
1216
+ */
1217
+ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1218
+ /**
1219
+ * OAuth providers available in the authentication and authorization flows. It provides a type-inference
1220
+ * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
1221
+ * OAuth third-party authorization service by implementing the `OAuthProviderCredentials` interface.
1222
+ *
1223
+ * Built-in OAuth providers:
1224
+ * ```ts
1225
+ * oauth: ["github", "google"]
1226
+ * ```
1227
+ * Custom credentials via factory:
1228
+ * ```ts
1229
+ * oauth: [github({ clientId: "...", clientSecret: "..." })]
1230
+ * ```
1231
+ * Custom OAuth providers:
1232
+ * ```ts
1233
+ * oauth: [
1234
+ * {
1235
+ * id: "oauth-providers",
1236
+ * name: "OAuth",
1237
+ * authorizeURL: "https://example.com/oauth/authorize",
1238
+ * accessToken: "https://example.com/oauth/token",
1239
+ * scope: "profile email",
1240
+ * responseType: "code",
1241
+ * userInfo: "https://example.com/oauth/userinfo",
1242
+ * clientId: process.env.AURA_AUTH_PROVIDER_CLIENT_ID,
1243
+ * clientSecret: process.env.AURA_AUTH_PROVIDER_CLIENT_SECRET,
1244
+ * }
1245
+ * ]
1246
+ * ```
1247
+ */
1248
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, ShapeToObject<Identity>>)[];
1249
+ /**
1250
+ * Cookie options defines the configuration for cookies used in Aura Auth.
1251
+ * It includes a prefix for cookie names and flag options to determine
1252
+ * the security and scope of the cookies.
1253
+ *
1254
+ * **⚠️ WARNING:** Ensure that the cookie options are configured correctly to
1255
+ * maintain the security and integrity of the authentication process. `Aura Auth`
1256
+ * is not responsible for misconfigured cookies that may lead to security vulnerabilities.
1257
+ *
1258
+ * - prefix: A string prefix to be added to all cookie names, by default "aura-stack".
1259
+ * - flag options (This attributes help to define the security level of the cookies):
1260
+ * - secure: Cookies use the __Secure- prefix and are only sent over HTTPS connections.
1261
+ * - host: Cookies use the __Host- prefix and are only sent over HTTPS connections.
1262
+ * - standard: Cookies can be sent over both HTTP and HTTPS connections. (default in development)
1263
+ *
1264
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
1265
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
1266
+ */
1267
+ cookies?: Partial<CookieConfig>;
1268
+ /**
1269
+ * Secret used to sign and verify JWT tokens for session and csrf protection.
1270
+ * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
1271
+ * doesn't exist, it will throw an error during the initialization of the Auth module.
1272
+ */
1273
+ secret?: JWTKey;
1274
+ /**
1275
+ * Base URL of the application, used to construct the incoming request's origin.
1276
+ */
1277
+ baseURL?: string;
1278
+ /**
1279
+ * Base path for all authentication routes. Default is `/auth`.
1280
+ */
1281
+ basePath?: `/${string}`;
1282
+ /**
1283
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1284
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1285
+ * to determine the original client IP address and protocol.
1286
+ *
1287
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1288
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1289
+ * inaccurate client IP logging.
1290
+ *
1291
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1292
+ *
1293
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1294
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1295
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1296
+ * @experimental
1297
+ */
1298
+ trustedProxyHeaders?: boolean;
1299
+ /**
1300
+ * Logger configuration for handling authentication-related logs and errors. It can be set to `true`,
1301
+ * `DEBUG=true`, `LOG_LEVEL=debug`, or a custom logger. It implements the syslog format.
1302
+ */
1303
+ logger?: boolean | Logger;
1304
+ /**
1305
+ * Defines trusted origins for your application to prevent open redirect attacks.
1306
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1307
+ * are validated against this list before redirecting.
1308
+ *
1309
+ * - **Exact URL**: `https://example.com` matches only that origin.
1310
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1311
+ * @example
1312
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1313
+ *
1314
+ *
1315
+ * trustedOrigins: async (request) => {
1316
+ * const origin = new URL(request.url).origin
1317
+ * return [origin, "https://admin.example.com"]
1318
+ * }
1319
+ */
1320
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1321
+ /**
1322
+ * Defines the session management strategy for Aura Auth. It determines how sessions are created, stored, and validated.
1323
+ */
1324
+ session?: SessionConfig;
1325
+ /**
1326
+ * Identity schema configuration for user data validation.
1327
+ * Allows you to define a custom Zod schema that will be used to validate:
1328
+ * - OAuth provider profile data
1329
+ * - Session user data
1330
+ * - JWT payload data
1331
+ *
1332
+ * If not provided, the default `UserIdentity` schema will be used.
1333
+ *
1334
+ * @example
1335
+ * identity: {
1336
+ * schema: z.object({
1337
+ * sub: z.string(),
1338
+ * email: z.string().email(),
1339
+ * name: z.string().optional(),
1340
+ * custom_field: z.string().optional(),
1341
+ * }),
1342
+ * skipValidation: false,
1343
+ * unknownKeys: "strip",
1344
+ * }
1345
+ */
1346
+ identity?: Partial<{
1347
+ skipValidation: boolean;
1348
+ schema: ZodObject<Identity>;
1349
+ unknownKeys: "passthrough" | "strict" | "strip";
1350
+ }>;
1351
+ /**
1352
+ * Credentials provider for username/password or similar authentication.
1353
+ */
1354
+ credentials?: CredentialsProvider<Identity>;
1355
+ }
1356
+ /**
1357
+ * Cookie type with __Secure- prefix, must be Secure.
1358
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
1359
+ */
1360
+ type SecureCookie = {
1361
+ strategy: "secure";
1362
+ } & Prettify$1<Omit<SerializeOptions, "secure" | "encode">>;
1363
+ /**
1364
+ * Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
1365
+ * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
1366
+ */
1367
+ type HostCookie = {
1368
+ strategy: "host";
1369
+ } & Prettify$1<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
1370
+ /**
1371
+ * Standard cookie type without security prefixes.
1372
+ * Can be sent over both HTTP and HTTPS connections (default in development).
1373
+ */
1374
+ type StandardCookie = {
1375
+ strategy?: "standard";
1376
+ } & Prettify$1<Omit<SerializeOptions, "encode">>;
1377
+ /**
1378
+ * Union type for cookie options based on the specified strategy.
1379
+ * - `secure`: Cookies are only sent over HTTPS connections
1380
+ * - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
1381
+ * - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
1382
+ */
1383
+ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
1384
+ /**
1385
+ * Names of cookies used by Aura Auth for session management and OAuth flows.
1386
+ * - `sessionToken`: User session JWT
1387
+ * - `csrfToken`: CSRF protection token
1388
+ * - `state`: OAuth state parameter for CSRF protection
1389
+ * - `code_verifier`: PKCE code verifier for authorization code flow
1390
+ * - `redirect_uri`: OAuth callback URI
1391
+ * - `redirect_to`: Post-authentication redirect path
1392
+ * - `nonce`: OpenID Connect nonce parameter
1393
+ */
1394
+ type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
1395
+ /** Resolved cookie names and serialization attributes for each logical auth cookie. */
1396
+ type CookieStoreConfig = Record<CookieName, {
1397
+ name: string;
1398
+ attributes: CookieStrategyAttributes;
1399
+ }>;
1400
+ interface CookieConfig {
1401
+ /**
1402
+ * Prefix to be added to all cookie names. By default "aura-stack".
1403
+ */
1404
+ prefix?: string;
1405
+ overrides?: Partial<CookieStoreConfig>;
1406
+ }
1407
+ /**
1408
+ * A trusted origin URL or pattern. Supports:
1409
+ * - Exact: `https://example.com`
1410
+ * - Subdomain wildcard: `https://*.example.com`
1411
+ */
1412
+ type TrustedOrigin = string;
1413
+ /**
1414
+ * Log level for logger messages.
1415
+ */
1416
+ type LogLevel = "warn" | "error" | "debug" | "info";
1417
+ /** Defines the Severity between 0 to 7 */
1418
+ type Severity = "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug";
1419
+ /**
1420
+ * @see https://datatracker.ietf.org/doc/html/rfc5424
1421
+ */
1422
+ type SyslogOptions = {
1423
+ facility: 4 | 10;
1424
+ severity: Severity;
1425
+ timestamp?: string;
1426
+ hostname?: string;
1427
+ appName?: string;
1428
+ procId?: string;
1429
+ msgId: string;
1430
+ message: string;
1431
+ structuredData?: Record<string, string | number | boolean>;
1432
+ };
1433
+ /**
1434
+ * Logger function interface for structured logging.
1435
+ * Called when errors or warnings occur during authentication flows.
1436
+ */
1437
+ interface Logger {
1438
+ level?: LogLevel;
1439
+ log?: (args: SyslogOptions) => void;
1440
+ }
1441
+ /**
1442
+ * Programmatic auth API returned with the auth instance: `getSession`, `signIn`, `signInCredentials`, `signOut`, `updateSession`.
1443
+ * Each method returns a result object plus `headers` and `toResponse()` for HTTP responses.
1444
+ */
1445
+ type AuthAPI<DefaultUser extends User = User> = ReturnType<typeof createAuthAPI<DefaultUser>>;
1446
+ /** JWT and crypto helpers bound to the configured identity schema (sign, verify, claims). */
1447
+ type JoseInstance<DefaultUser extends User = User> = ReturnType<typeof createJoseInstance<DefaultUser>>;
1448
+ /** Normalized internal logger with resolved level and structured log function. */
1449
+ interface InternalLogger {
1450
+ level: LogLevel;
1451
+ log: typeof createLogEntry;
1452
+ }
1453
+ /**
1454
+ * Identity validation settings used when building session strategy and OAuth profile mapping.
1455
+ * Controls the Zod schema and how unknown keys are handled on user objects.
1456
+ */
1457
+ interface IdentityConfig<Schema extends ZodObject<any> = typeof UserIdentity> {
1458
+ schema?: Schema;
1459
+ skipValidation?: boolean;
1460
+ unknownKeys?: "passthrough" | "strict" | "strip";
1461
+ }
1462
+ /** Payload sent to the credentials sign-in endpoint (username/password flow). */
1463
+ interface CredentialsPayload {
1464
+ username: string;
1465
+ password: string;
1466
+ }
1467
+ /**
1468
+ * Context provided to the credentials provider's authorize function.
1469
+ * It includes the credentials sent by the user and hashing utilities.
1470
+ */
1471
+ interface CredentialsProviderContext<T> {
1472
+ /**
1473
+ * User-provided credentials (e.g., email, password).
1474
+ */
1475
+ credentials: T;
1476
+ /**
1477
+ * Hashes a password using the internal hashing algorithm (PBKDF2).
1478
+ */
1479
+ deriveSecret: (password: string, salt?: string, iterations?: number) => Promise<string>;
1480
+ /**
1481
+ * Verifies a password against a hashed value.
1482
+ */
1483
+ verifySecret: (password: string, hashedPassword: string) => Promise<boolean>;
1484
+ }
1485
+ /**
1486
+ * Interface for the credentials provider.
1487
+ */
1488
+ interface CredentialsProvider<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1489
+ hash?: (password: string, salt?: string, iterations?: number) => Promise<string>;
1490
+ verify?: (password: string, hashedPassword: string) => Promise<boolean>;
1491
+ /**
1492
+ * Authenticates a user using credentials.
1493
+ * Must return a User object or the identity type if the identity schema is provided.
1494
+ */
1495
+ authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<ShapeToObject<Identity> | null> | ShapeToObject<Identity> | null;
1496
+ }
1497
+ /**
1498
+ * Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
1499
+ * This is the fully resolved configuration surface after `createAuth` initializes defaults.
1500
+ */
1501
+ interface RouterGlobalContext<DefaultUser extends User = User> {
1502
+ oauth: OAuthProviderRecord;
1503
+ credentials?: CredentialsProvider<any>;
1504
+ cookies: CookieStoreConfig;
1505
+ jose: JoseInstance<DefaultUser>;
1506
+ secret?: JWTKey;
1507
+ baseURL?: string;
1508
+ basePath: string;
1509
+ trustedProxyHeaders: boolean;
1510
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1511
+ logger?: InternalLogger;
1512
+ sessionStrategy: SessionStrategy<DefaultUser>;
1513
+ identity: {
1514
+ unknownKeys: "passthrough" | "strict" | "strip";
1515
+ schema: ZodObject<any>;
1516
+ skipValidation?: boolean;
1517
+ };
1518
+ }
1519
+ /**
1520
+ * Internal runtime configuration used within Aura Auth after initialization.
1521
+ * All optional fields from AuthConfig are resolved to their default values.
1522
+ */
1523
+ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<DefaultUser>;
1524
+ /**
1525
+ * Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
1526
+ */
1527
+ interface AuthInstance<DefaultUser extends User = User> {
1528
+ api: AuthAPI<DefaultUser>;
1529
+ jose: JoseInstance<DefaultUser>;
1530
+ handlers: {
1531
+ GET: (request: Request) => Response | Promise<Response>;
1532
+ POST: (request: Request) => Response | Promise<Response>;
1533
+ PATCH: (request: Request) => Response | Promise<Response>;
1534
+ ALL: (request: Request) => Response | Promise<Response>;
1535
+ };
1536
+ }
1537
+ /**
1538
+ * Extended context used inside the library with both secure and standard cookie materializations.
1539
+ */
1540
+ type InternalContext<Identity extends EditableShape<UserShape>> = RouterGlobalContext<ShapeToObject<Identity> & User> & {
1541
+ cookieConfig: {
1542
+ secure: CookieStoreConfig;
1543
+ standard: CookieStoreConfig;
1544
+ };
1545
+ };
1546
+ //#endregion
1547
+ //#region src/@types/session.d.ts
1548
+ /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1549
+ type User = UserIdentityType;
1550
+ /**
1551
+ * Session data returned by the session endpoint.
1552
+ */
1553
+ interface Session<DefaultUser extends User = User> {
1554
+ user: DefaultUser;
1555
+ expires: string;
1556
+ }
1557
+ /**
1558
+ * A symmetric secret or asymmetric key pair used for JWT operations.
1559
+ *
1560
+ * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1561
+ * - CryptoKey: Web Crypto API key, for environments that support it
1562
+ * - KeyPair: asymmetric signing (RS256, ES256, EdDSA, etc.)
1563
+ */
1564
+ type SecretKey = string | Uint8Array | CryptoKey;
1565
+ /** Asymmetric key pair for signing or key agreement (Web Crypto `CryptoKey` pair). */
1566
+ interface KeyPair {
1567
+ privateKey: CryptoKey;
1568
+ publicKey: CryptoKey;
1569
+ }
1570
+ /**
1571
+ * @todo: add key rotation support for "SecretKey | KeyPair | [SecretKey | KeyPair, ...(SecretKey | KeyPair)[]]"
1572
+ */
1573
+ type JWTKey = SecretKey;
1574
+ /**
1575
+ * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1576
+ * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1577
+ * - "sealed" → JWS nested inside JWE (signed then encrypted).
1578
+ */
1579
+ type JWTMode = "signed" | "encrypted" | "sealed";
1580
+ /**
1581
+ * Signing algorithms for "signed" and "sealed" modes.
1582
+ * Symmetric: HS256 | HS384 | HS512
1583
+ * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1584
+ */
1585
+ type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1586
+ /**
1587
+ * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1588
+ * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1589
+ * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1590
+ * RSA: RSA-OAEP | RSA-OAEP-256
1591
+ */
1592
+ type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1593
+ /** Content-encryption algorithms for JWE. */
1594
+ type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1595
+ /** Signed JWT mode configuration. */
1596
+ type JWTSignedMode = {
1597
+ mode: "signed";
1598
+ signingAlgorithm?: JWTSigningAlgorithm;
1599
+ };
1600
+ /** Encrypted JWT mode configuration. */
1601
+ type JWTEncryptedMode = {
1602
+ mode: "encrypted";
1603
+ keyAlgorithm?: JWTKeyAlgorithm;
1604
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1605
+ };
1606
+ /** Signed and Encrypted JWT mode configuration. */
1607
+ type JWTSealedMode = {
1608
+ mode?: "sealed";
1609
+ signingAlgorithm?: JWTSigningAlgorithm;
1610
+ keyAlgorithm?: JWTKeyAlgorithm;
1611
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1612
+ };
1613
+ /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1614
+ type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1615
+ /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1616
+ type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1617
+ type JWTConfig = {
1618
+ /**
1619
+ * Token lifetime.
1620
+ */
1621
+ maxAge?: number;
1622
+ /**
1623
+ * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1624
+ * @example "https://auth.example.com"
1625
+ */
1626
+ issuer?: string;
1627
+ /**
1628
+ * JWT `aud` claim. Single value or array for multi-audience tokens.
1629
+ * @example ["https://api.example.com", "https://app.example.com"]
1630
+ */
1631
+ audience?: string | string[];
1632
+ /**
1633
+ * Maximum absolute session duration in seconds.
1634
+ * Required for "absolute" and "sliding" strategies.
1635
+ * Enforced via jose's maxTokenAge against the iat claim.
1636
+ */
1637
+ maxExpiration?: number;
1638
+ /**
1639
+ * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1640
+ */
1641
+ expirationStrategy?: JWTExpirationStrategy;
1642
+ } & JWTConfigBase;
1643
+ /**
1644
+ * Stateless JWT strategy.
1645
+ * No database required. Tokens are self-contained and cannot be revoked
1646
+ * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1647
+ *
1648
+ * @example
1649
+ * {
1650
+ * strategy: "jwt",
1651
+ * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1652
+ * refreshToken: { enabled: true, maxAge: "7d" },
1653
+ * }
1654
+ */
1655
+ type StatelessStrategyConfig = {
1656
+ strategy?: "jwt";
1657
+ jwt?: JWTConfig;
1658
+ };
1659
+ /**
1660
+ * The session strategy. Determines which fields below are required.
1661
+ *
1662
+ * - "jwt": stateless. No database needed. JWTs are self-contained.
1663
+ * - "database": stateful. Every request hits the DB to validate the session.
1664
+ * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1665
+ *
1666
+ * @default "jwt"
1667
+ */
1668
+ type SessionConfig = StatelessStrategyConfig;
1669
+ /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1670
+ interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1671
+ session: Session<DefaultUser> | null;
1672
+ headers: Headers;
1673
+ }
1674
+ /**
1675
+ * Abstraction layer for session management.
1676
+ */
1677
+ interface SessionStrategy<DefaultUser extends User = User> {
1678
+ /**
1679
+ * Read and validate the session from an incoming request.
1680
+ * Returns null if absent, invalid, or expired. Never throws on auth failure.
1681
+ */
1682
+ getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1683
+ /**
1684
+ * Create a session after successful authentication.
1685
+ * Signs the JWT / writes the DB row / sets cookies.
1686
+ */
1687
+ createSession(session: User): Promise<string>;
1688
+ /**
1689
+ * Attempt to refresh using the refresh token cookie.
1690
+ * Returns null session + cookie-clearing response on any failure.
1691
+ */
1692
+ refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1693
+ session: Session<DefaultUser> | null;
1694
+ headers: Headers;
1695
+ }>;
1696
+ /**
1697
+ * Revoke a session by ID.
1698
+ * JWT strategy: best-effort (clears cookies, no server state).
1699
+ * Database / hybrid: marks row inactive.
1700
+ */
1701
+ revokeSession(sessionId: string): Promise<void>;
1702
+ /**
1703
+ * Destroy the session attached to this request (logout).
1704
+ * Returns a response that clears cookies.
1705
+ */
1706
+ destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1707
+ }
1708
+ /** Inputs for constructing a session strategy implementation for a given identity schema. */
1709
+ interface CreateSessionStrategyOptions<Identity extends EditableShape<UserShape>> {
1710
+ config?: SessionConfig;
1711
+ jose: JoseInstance<ShapeToObject<Identity> & User>;
1712
+ cookies: () => CookieStoreConfig;
1713
+ logger?: InternalLogger;
1714
+ identity: IdentityConfig;
1715
+ }
1716
+ /** Options specialized for the JWT-backed session strategy. */
1717
+ interface JWTStrategyOptions<DefaultUser extends User = User> {
1718
+ config?: StatelessStrategyConfig;
1719
+ jose: JoseInstance<DefaultUser>;
1720
+ logger?: InternalLogger;
1721
+ cookies: () => CookieStoreConfig;
1722
+ identity: IdentityConfig;
1723
+ }
1724
+ /** Minimal token issue/verify surface used by session code paths. */
1725
+ type JWTManager<DefaultUser extends User = User> = {
1726
+ createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1727
+ verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1728
+ };
1729
+ //#endregion
1730
+ //#region src/@types/utility.d.ts
1731
+ /** Expands intersection types into a single flat object type for readable editor hints. */
1732
+ type Prettify$1<T> = { [K in keyof T]: T[K] };
1733
+ /**
1734
+ * A string that must be one of the literals in `T`, or any other string (`U`).
1735
+ * Useful for autocomplete on known keys while still allowing custom values.
1736
+ */
1737
+ type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
1738
+ /**
1739
+ * Transforms a Zod raw shape so nested `ZodObject` fields become editable (same structure, for config authoring).
1740
+ */
1741
+ type EditableShape<T extends ZodRawShape> = { [K in keyof T]: T[K] extends ZodObject<infer Inner extends ZodRawShape> ? ZodObject<EditableShape<Inner>> : ZodTypeAny };
1742
+ /** Merges type `B` over `A`, replacing overlapping keys with `B`. */
1743
+ type Merge<A, B> = Omit<A, keyof B> & B;
1744
+ /**
1745
+ * Infers the runtime object type from a Zod `shape` and intersects it with {@link User}
1746
+ * so identity fields always include the base user contract.
1747
+ */
1748
+ type ShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<{ [K in keyof S]: z.infer<S[K]> }, User>;
1749
+ /** Recursively makes every property required. */
1750
+ type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
1751
+ /** Recursively makes every property optional. */
1752
+ type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
1753
+ /** Resolves the user identity type from an {@link AuthInstance} config, or falls back to {@link User}. */
1754
+ type InferAuthIdentity<Config> = Config extends AuthInstance<infer Identity> ? Prettify$1<Identity> : User;
1755
+ /** Shorthand for a Zod object’s `.shape` property. */
1756
+ type InferShape<T extends ZodObject> = T["shape"];
1757
+ /** Runtime user object type inferred from a Zod identity schema. */
1758
+ type InferIdentity<T extends ZodObject> = ShapeToObject<InferShape<T>>;
1759
+ /**
1760
+ * HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
1761
+ */
1762
+ type AuthResponse<Body = unknown> = Prettify$1<Omit<Response, "json"> & {
1763
+ json(): Promise<Body>;
1764
+ }>;
1765
+ //#endregion
1766
+ //#region src/createAuth.d.ts
1767
+ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(authConfig: AuthConfig<Identity>) => {
1768
+ handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"GET", "/signIn/:oauth", {
1769
+ schemas?: {
1770
+ params: _$zod.ZodObject<{
1771
+ oauth: _$zod.ZodEnum<{
1772
+ [x: string & Record<never, never>]: string & Record<never, never>;
1773
+ github: "github";
1774
+ bitbucket: "bitbucket";
1775
+ figma: "figma";
1776
+ discord: "discord";
1777
+ gitlab: "gitlab";
1778
+ spotify: "spotify";
1779
+ x: "x";
1780
+ strava: "strava";
1781
+ mailchimp: "mailchimp";
1782
+ pinterest: "pinterest";
1783
+ twitch: "twitch";
1784
+ notion: "notion";
1785
+ dropbox: "dropbox";
1786
+ atlassian: "atlassian";
1787
+ }>;
1788
+ }, _$zod_v4_core0.$strip>;
1789
+ searchParams: _$zod.ZodObject<{
1790
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
1791
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1792
+ }, _$zod_v4_core0.$strip>;
1793
+ } | undefined;
1794
+ }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signIn/credentials", {
1795
+ schemas?: {
1796
+ body: _$zod.ZodObject<{
1797
+ username: _$zod.ZodString;
1798
+ password: _$zod.ZodString;
1799
+ }, _$zod_v4_core0.$strip>;
1800
+ searchParams: _$zod.ZodObject<{
1801
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1802
+ }, _$zod_v4_core0.$strip>;
1803
+ } | undefined;
1804
+ }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/callback/:oauth", {
1805
+ schemas?: {
1806
+ params: _$zod.ZodObject<{
1807
+ oauth: _$zod.ZodEnum<{
1808
+ [x: string & Record<never, never>]: string & Record<never, never>;
1809
+ github: "github";
1810
+ bitbucket: "bitbucket";
1811
+ figma: "figma";
1812
+ discord: "discord";
1813
+ gitlab: "gitlab";
1814
+ spotify: "spotify";
1815
+ x: "x";
1816
+ strava: "strava";
1817
+ mailchimp: "mailchimp";
1818
+ pinterest: "pinterest";
1819
+ twitch: "twitch";
1820
+ notion: "notion";
1821
+ dropbox: "dropbox";
1822
+ atlassian: "atlassian";
1823
+ }>;
1824
+ }, _$zod_v4_core0.$strip>;
1825
+ searchParams: _$zod.ZodObject<{
1826
+ code: _$zod.ZodString;
1827
+ state: _$zod.ZodString;
1828
+ }, _$zod_v4_core0.$strip>;
1829
+ } | undefined;
1830
+ }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/session", {
1831
+ schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1832
+ }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signOut", {
1833
+ schemas?: {
1834
+ searchParams: _$zod.ZodObject<{
1835
+ token_type_hint: _$zod.ZodLiteral<"session_token">;
1836
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1837
+ }, _$zod_v4_core0.$strip>;
1838
+ } | undefined;
1839
+ }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/csrfToken", {
1840
+ schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1841
+ }>, _$_aura_stack_router0.RouteEndpoint<"PATCH", "/session", {
1842
+ schemas?: {
1843
+ body: _$zod.ZodObject<{
1844
+ user: _$zod.ZodOptional<_$zod.ZodObject<{
1845
+ sub: _$zod.ZodOptional<_$zod.ZodString>;
1846
+ name: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1847
+ image: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1848
+ email: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodEmail>>>;
1849
+ }, _$zod_v4_core0.$strip>> | undefined;
1850
+ expires: _$zod.ZodOptional<_$zod.ZodCoercedDate<unknown>>;
1851
+ }, _$zod_v4_core0.$strip>;
1852
+ } | undefined;
1853
+ }>]>;
1854
+ jose: any;
1855
+ api: {
1856
+ getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
1857
+ sub: string;
1858
+ name?: string | null | undefined;
1859
+ image?: string | null | undefined;
1860
+ email?: string | null | undefined;
1861
+ }>>;
1862
+ signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
1863
+ signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
1864
+ updateSession: (options: UpdateSessionAPIOptions<{
1865
+ sub: string;
1866
+ name?: string | null | undefined;
1867
+ image?: string | null | undefined;
1868
+ email?: string | null | undefined;
1869
+ }>) => Promise<UpdateSessionAPIReturn<{
1870
+ sub: string;
1871
+ name?: string | null | undefined;
1872
+ image?: string | null | undefined;
1873
+ email?: string | null | undefined;
1874
+ }>>;
1875
+ signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
1876
+ };
1877
+ };
1878
+ /**
1879
+ * Creates the authentication instance with the configuration provided for OAuth provider.
1880
+ * > NOTE: The handlers returned by this function should be used in the server to handle the authentication routes
1881
+ * and within the `/auth` base path
1882
+ *
1883
+ * @param authConfig - Authentication configuration including OAuth provider
1884
+ * @returns Authentication instance with handlers to be used in the server
1885
+ * @example
1886
+ * const auth = createAuth({
1887
+ * oauth: ["github", {
1888
+ * id: "custom-oauth",
1889
+ * name: "custom-oauth",
1890
+ * authorize: {
1891
+ * url: "https://custom-oauth.com/oauth/authorize",
1892
+ * params: { responseType: "code", scope: "profile email" },
1893
+ * },
1894
+ * accessToken: "https://custom-oauth.com/oauth/token",
1895
+ * userInfo: "https://custom-oauth.com/api/userinfo",
1896
+ * clientId: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_ID!,
1897
+ * clientSecret: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_SECRET!,
1898
+ * }]
1899
+ * })
1900
+ */
1901
+ declare const createAuth: <Identity extends EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<ShapeToObject<Identity>>;
1902
+ //#endregion
1903
+ //#region src/@types/errors.d.ts
1904
+ /** Map of field or logical keys to API validation error payloads (code + message). */
1905
+ type APIErrorMap = Record<string, {
1906
+ code: string;
1907
+ message: string;
1908
+ }>;
1909
+ /**
1910
+ * Base OAuth error response structure.
1911
+ */
1912
+ interface OAuthError<T extends string> {
1913
+ error: T;
1914
+ error_description?: string;
1915
+ }
1916
+ /**
1917
+ * OAuth 2.0 Authorization Error Response Types
1918
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
1919
+ */
1920
+ type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
1921
+ /**
1922
+ * OAuth 2.0 Access Token Error Response Types
1923
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
1924
+ */
1925
+ type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
1926
+ /**
1927
+ * OAuth 2.0 Token Revocation Error Response Types
1928
+ * @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
1929
+ */
1930
+ type TokenRevocationError = OAuthError<"invalid_session_token">;
1931
+ /** Union of all OAuth-related `error` string values exposed by this package. */
1932
+ type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
1933
+ /**
1934
+ * Machine-readable codes for internal auth failures (configuration, crypto, environment, etc.).
1935
+ * Used with {@link AuthInternalError} and logging.
1936
+ */
1937
+ type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED";
1938
+ /**
1939
+ * Machine-readable codes for security-sensitive failures (CSRF, session, open redirect, OAuth state).
1940
+ */
1941
+ type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
1942
+ //#endregion
1943
+ //#region src/@types/api.d.ts
1944
+ /**
1945
+ * Canonical return shape for server/programmatic API functions.
1946
+ *
1947
+ * - Success branch includes the payload fields from `Body` plus response metadata.
1948
+ * - Failure branch includes `error` metadata and `toResponse()` for framework adapters.
1949
+ * - Both branches expose `headers` so callers can forward cookies and auth-related headers.
1950
+ *
1951
+ * @typeParam Body - Union of success/failure payload variants.
1952
+ * @typeParam ErrorCodes - Error code union for the failure branch (`error.code`).
1953
+ */
1954
+ type AuthActionAPIReturn<Body extends object, ErrorCodes = any> = (Extract<Body, {
1955
+ success: true;
1956
+ }> & {
1957
+ headers: Headers;
1958
+ toResponse: () => AuthResponse<Exclude<Body, {
1959
+ success: false;
1960
+ }>>;
1961
+ }) | (Extract<Body, {
1962
+ success: false;
1963
+ }> & {
1964
+ success: false;
1965
+ headers: Headers; /** @todo: Add `docs` property */
1966
+ error: {
1967
+ code: ErrorCodes;
1968
+ message: string;
1969
+ };
1970
+ toResponse: () => AuthResponse<Exclude<Body, {
1971
+ success: true;
1972
+ }>>;
1973
+ });
1974
+ /**
1975
+ * Utility to merge the internal router global context (`ctx`) with per-function options.
1976
+ * Used by implementation-level API functions in `src/api/*`.
1977
+ */
1978
+ type FunctionAPIContext<Options extends object> = Prettify<{
1979
+ ctx: RouterGlobalContext;
1980
+ } & Options>;
1981
+ interface OptionsWithRedirectTo {
1982
+ /**
1983
+ * Optional `redirect` flag used by `createAuthClient` to control client-side navigation behavior.
1984
+ *
1985
+ * By default, navigation is performed with `location.assign()`.
1986
+ * When set to `false`, the API returns `redirectURL` so the caller can handle navigation manually.
1987
+ * @default `true`
1988
+ * @example
1989
+ * redirect: true
1990
+ */
1991
+ redirect?: boolean;
1992
+ /**
1993
+ * Optional destination after a successful action.
1994
+ *
1995
+ * Supports relative paths and absolute URLs. The value is validated against `trustedOrigins`
1996
+ * to ensure redirects are allowed.
1997
+ * @example
1998
+ * redirectTo: "/dashboard"
1999
+ * redirectTo: "https://example.com/dashboard"
2000
+ */
2001
+ redirectTo?: string;
2002
+ }
2003
+ interface APIOptionsWithRedirectTo {
2004
+ /**
2005
+ * Optional redirect strategy for server/programmatic API functions.
2006
+ *
2007
+ * - `true`: the generated response is a redirect response.
2008
+ * - `false`: the API returns redirect data (`signInURL` or `redirectURL`) for custom handling.
2009
+ *
2010
+ * Defaults are action-specific; see each API option type.
2011
+ * @experimental
2012
+ */
2013
+ redirect?: boolean;
2014
+ /**
2015
+ * Optional destination after a successful action.
2016
+ *
2017
+ * Validation includes:
2018
+ * - same-origin checks using the URL derived from `request`/`headers` and configured base URL
2019
+ * - `trustedOrigins` checks from auth configuration
2020
+ * @experimental
2021
+ * @example
2022
+ * // with `request`
2023
+ * const response = await api.signIn("github", {
2024
+ * redirectTo: "/dashboard",
2025
+ * request: await getRequest(),
2026
+ * })
2027
+ *
2028
+ * // with `baseURL`
2029
+ * const { api: { signIn } } = await createAuth({
2030
+ * oauth: ["github"],
2031
+ * baseURL: "https://example.com"
2032
+ * })
2033
+ *
2034
+ * const response = await signIn("github", {
2035
+ * redirectTo: "https://example.com/dashboard",
2036
+ * })
2037
+ */
2038
+ redirectTo?: string;
2039
+ }
2040
+ interface APIOptionsWithRequest extends APIOptionsWithRedirectTo {
2041
+ /**
2042
+ * Optional `Request` object, useful for constructing the incoming URL on the server side.
2043
+ * This option is required when the `redirectTo` option is defined, to ensure the `redirectTo`
2044
+ * URL is same-origin or included in the `trustedOrigins` configuration option.
2045
+ */
2046
+ request?: Request;
2047
+ /**
2048
+ * Optional `HeadersInit` object, useful for constructing the incoming URL from proxy headers
2049
+ * such as `X-Forwarded-Host` and `X-Forwarded-Proto` when the auth instance is behind a proxy
2050
+ * or load balancer, or when the URL is built from headers instead of the `Request` object.
2051
+ * This option requires enabling the `trustedProxyHeaders` option in the global configuration.
2052
+ */
2053
+ headers?: HeadersInit;
2054
+ }
2055
+ interface APIOptionsWithSkipCSRFCheck {
2056
+ /**
2057
+ * Optional `skipCSRFCheck` flag to bypass the Double-Submit Cookie validation.
2058
+ *
2059
+ * The CSRF token is still required and validated to preserve request integrity.
2060
+ * Use this only for trusted server-side flows.
2061
+ * @default `false`
2062
+ */
2063
+ skipCSRFCheck?: boolean;
2064
+ }
2065
+ /** Options to get the current session. */
2066
+ interface GetSessionAPIOptions {
2067
+ /** The headers containing the `session_token` cookie */
2068
+ headers: HeadersInit;
2069
+ }
2070
+ /** Programmatic `getSession` result with session payload and `toResponse()` metadata. */
2071
+ type GetSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<{
2072
+ success: true;
2073
+ session: Session<DefaultUser>;
2074
+ } | {
2075
+ success: false;
2076
+ session: null;
2077
+ }>;
2078
+ /**
2079
+ * Client-side options for `createAuthClient().signIn(...)`.
2080
+ */
2081
+ interface SignInOptions extends OptionsWithRedirectTo {}
2082
+ /**
2083
+ * Client-side `signIn` return type.
2084
+ *
2085
+ * - Redirect mode (`redirect: true`): returns `void` because navigation is handled by the client.
2086
+ * - Manual mode (`redirect: false`): returns `signInURL` for caller-controlled navigation.
2087
+ */
2088
+ type SignInReturn<Options extends SignInOptions> = Options extends {
2089
+ redirect: false;
2090
+ } ? {
2091
+ success: true;
2092
+ redirect: false;
2093
+ signInURL: string;
2094
+ } | {
2095
+ success: false;
2096
+ redirect: false;
2097
+ signInURL: null;
2098
+ } : void;
2099
+ /**
2100
+ * Server/programmatic options for `signIn` API.
2101
+ */
2102
+ interface SignInAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {}
2103
+ /**
2104
+ * Server/programmatic `signIn` result.
2105
+ *
2106
+ * Includes `signInURL` and response metadata to support both framework-managed redirects
2107
+ * and custom response handling through `toResponse()`.
2108
+ */
2109
+ type SignInAPIReturn = AuthActionAPIReturn<{
2110
+ success: true;
2111
+ redirect: boolean;
2112
+ signInURL: string;
2113
+ } | {
2114
+ success: false;
2115
+ redirect: false;
2116
+ signInURL: null;
2117
+ }>;
2118
+ interface SignInCredentialsOptions extends OptionsWithRedirectTo {
2119
+ /**
2120
+ * Credentials payload validated by the configured `credentials.authorize` function.
2121
+ * @example
2122
+ * {
2123
+ * username: "johndoe",
2124
+ * password: "1234567890"
2125
+ * }
2126
+ */
2127
+ payload: CredentialsPayload;
2128
+ }
2129
+ /** Client-side credentials sign-in return type (redirect mode or manual redirect data). */
2130
+ type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options extends {
2131
+ redirect: false;
2132
+ } ? {
2133
+ success: true;
2134
+ redirectURL: string;
2135
+ } | {
2136
+ success: false;
2137
+ redirectURL: null;
2138
+ } : void;
2139
+ /** Server/programmatic credentials sign-in options. */
2140
+ interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
2141
+ /**
2142
+ * Credentials payload validated by the configured `credentials.authorize` function.
2143
+ * @example
2144
+ * {
2145
+ * username: "johndoe",
2146
+ * password: "1234567890"
2147
+ * }
2148
+ */
2149
+ payload: CredentialsPayload;
2150
+ }
2151
+ /** Programmatic credentials sign-in result with response metadata and `toResponse()`. */
2152
+ type SignInCredentialsAPIReturn = AuthActionAPIReturn<{
2153
+ success: true;
2154
+ redirectURL: string;
2155
+ } | {
2156
+ success: false;
2157
+ redirectURL: null;
2158
+ }>;
2159
+ /** Client-side sign-out options. */
2160
+ interface SignOutOptions extends OptionsWithRedirectTo {}
2161
+ /** Client-side sign-out return type (redirect mode or manual redirect data). */
2162
+ type SignOutReturn<Options extends SignOutOptions> = Options extends {
2163
+ redirect: false;
2164
+ } ? {
2165
+ success: true;
2166
+ redirect: false;
2167
+ redirectURL: string;
2168
+ } | {
2169
+ success: false;
2170
+ redirect: false;
2171
+ redirectURL: null;
2172
+ } : void;
2173
+ /** Server/programmatic options for `signOut` API. */
2174
+ interface SignOutAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithSkipCSRFCheck {
2175
+ /**
2176
+ * Required headers used to execute sign-out.
2177
+ * Must include `session_token` and `csrf_token` cookies for CSRF validation.
2178
+ * @example
2179
+ * {
2180
+ * Cookie: "session_token=abc123; csrf_token=def456"
2181
+ * }
2182
+ */
2183
+ headers: HeadersInit;
2184
+ /**
2185
+ * Optional `Request` object as an alternative to manually providing `headers`.
2186
+ */
2187
+ request?: Request;
2188
+ }
2189
+ /** Programmatic sign-out result with redirect metadata and `toResponse()`. */
2190
+ type SignOutAPIReturn = AuthActionAPIReturn<{
2191
+ success: true;
2192
+ redirect: boolean;
2193
+ redirectURL: string;
2194
+ } | {
2195
+ success: false;
2196
+ redirect: boolean;
2197
+ redirectURL: null;
2198
+ }>;
2199
+ /** Client-side `updateSession` options: partial session payload plus optional redirect behavior. */
2200
+ interface UpdateSessionOptions<DefaultUser extends User = User> extends OptionsWithRedirectTo {
2201
+ /** Partial session data to merge into the current session. */
2202
+ session: DeepPartial<Session<DefaultUser>>;
2203
+ }
2204
+ /** Client-side `updateSession` return type. */
2205
+ type UpdateSessionReturn<Options extends UpdateSessionOptions, DefaultUser extends User = User> = Options extends {
2206
+ redirect: false;
2207
+ } ? {
2208
+ success: true;
2209
+ session: Session<DefaultUser>;
2210
+ } | {
2211
+ success: false;
2212
+ session: null;
2213
+ } : void;
2214
+ /** Server/programmatic options for `updateSession` API. */
2215
+ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
2216
+ /**
2217
+ * Required headers used to execute session update.
2218
+ * Must include `session_token` and `csrf_token` cookies for CSRF validation.
2219
+ * @example
2220
+ * {
2221
+ * Cookie: "session_token=abc123; csrf_token=def456"
2222
+ * }
2223
+ */
2224
+ headers: HeadersInit;
2225
+ /**
2226
+ * Optional `Request` object as an alternative to manually providing `headers`.
2227
+ */
2228
+ request?: Request;
2229
+ /**
2230
+ * Partial session payload used to update the current session.
2231
+ * @see Session
2232
+ * @example
2233
+ * session: {
2234
+ * user: {
2235
+ * name: "John Doe",
2236
+ * email: "john.doe@example.com"
2237
+ * }
2238
+ * }
2239
+ */
2240
+ session: DeepPartial<Session<DefaultUser>>;
2241
+ }
2242
+ /** Programmatic session update result with redirect metadata and `toResponse()`. */
2243
+ type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<{
2244
+ success: true;
2245
+ session: Session<DefaultUser>;
2246
+ redirectURL: string;
2247
+ } | {
2248
+ success: false;
2249
+ session: null;
2250
+ redirectURL: null;
2251
+ }>;
2252
+ //#endregion
2253
+ //#region src/@types/index.d.ts
2254
+ /**
2255
+ * Standard JWT claims that are managed internally by the token system.
2256
+ * These fields are typically filtered out before returning user data.
2257
+ */
2258
+ type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
2259
+ /**
2260
+ * JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
2261
+ */
2262
+ type JWTPayloadWithToken = JWTPayload & {
2263
+ token: string;
2264
+ };
2265
+ /** Environment variables for OAuth client credentials, inferred from `OAuthEnvSchema`. */
2266
+ type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
2267
+ /**
2268
+ * HTTP route handlers exposed by the auth instance (`GET`, `POST`, `PATCH`, `ALL`) for mounting on your app router.
2269
+ */
2270
+ type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
2271
+ /**
2272
+ * Options for {@link createAuthClient} (browser HTTP client). Extends the router client with an optional `baseURL`
2273
+ * when the client runs outside the browser (e.g. server-side fetch to your app origin).
2274
+ */
2275
+ type AuthClientOptions = Prettify$1<Omit<ClientOptions, "baseURL"> & {
2276
+ baseURL?: string;
2277
+ }>;
2278
+ //#endregion
2279
+ export { JWTConfigBase as $, atlassian as $t, APIErrorMap as A, DiscordProfile as An, IdentityConfig as At, DeepPartial as B, UserIdentity as Bn, SyslogOptions as Bt, SignOutAPIReturn as C, XProfile as Cn, CookieName as Ct, UpdateSessionAPIReturn as D, spotify as Dn, CredentialsProvider as Dt, UpdateSessionAPIOptions as E, SpotifyProfile as En, CredentialsPayload as Et, ErrorType as F, BitbucketProfile as Fn, Logger as Ft, InferShape as G, OAuthProviderCredentials as Gt, EditableShape as H, UserShape as Hn, AuthorizeParams as Ht, OAuthError as I, bitbucket as In, RouterGlobalContext as It, Prettify$1 as J, BuiltInOAuthProvider as Jt, LiteralUnion as K, OAuthProviderRecord as Kt, TokenRevocationError as L, GitHubProfile as Ln, SecureCookie as Lt, AuthInternalErrorCode as M, discord as Mn, InternalLogger as Mt, AuthSecurityErrorCode as N, FigmaProfile as Nn, JoseInstance as Nt, UpdateSessionOptions as O, GitLabProfile as On, CredentialsProviderContext as Ot, AuthorizationError as P, figma as Pn, LogLevel as Pt, JWTConfig as Q, ExtendedProfile as Qt, createAuth as R, github as Rn, Severity as Rt, SignOutAPIOptions as S, strava as Sn, CookieConfig as St, SignOutReturn as T, SpotifyImage as Tn, CookieStrategyAttributes as Tt, InferAuthIdentity as U, createIdentity as Un, OAuthProvider as Ut, DeepRequired as V, UserIdentityType as Vn, TrustedOrigin as Vt, InferIdentity as W, OAuthProviderConfig as Wt, CreateSessionStrategyOptions as X, createBuiltInOAuthProviders as Xt, ShapeToObject as Y, builtInOAuthProviders as Yt, GetStatelessSessionReturn as Z, AtlassianProfile as Zt, SignInCredentialsAPIReturn as _, MailchimpProfile as _n, User as _t, OAuthEnv as a, dropbox as an, JWTManager as at, SignInOptions as b, SummaryClub as bn, AuthInstance as bt, APIOptionsWithRequest as c, NotionUser as cn, JWTSignedMode as ct, GetSessionAPIOptions as d, notion as dn, KeyPair as dt, AccountType as en, JWTEncryptedMode as et, GetSessionAPIReturn as f, TwitchProfile as fn, SecretKey as 
ft, SignInCredentialsAPIOptions as g, Login as gn, StatelessStrategyConfig as gt, SignInAPIReturn as h, pinterest as hn, SessionStrategy as ht, JWTStandardClaims as i, RootInfo as in, JWTKeyAlgorithm as it, AccessTokenError as j, Nameplate as jn, InternalContext as jt, UpdateSessionReturn as k, gitlab as kn, HostCookie as kt, APIOptionsWithSkipCSRFCheck as l, Owner as ln, JWTSigningAlgorithm as lt, SignInAPIOptions as m, PinterestProfile as mn, SessionConfig as mt, AuthClientOptions as n, FullTeam as nn, JWTExpirationStrategy as nt, TypedJWTPayload$1 as o, Bot as on, JWTMode as ot, OptionsWithRedirectTo as p, twitch as pn, Session as pt, Merge as q, ResponseType as qt, JWTPayloadWithToken as r, Name as rn, JWTKey as rt, APIOptionsWithRedirectTo as s, NotionProfile as sn, JWTSealedMode as st, AuthClient as t, DropboxProfile as tn, JWTEncryptionAlgorithm as tt, FunctionAPIContext as u, Person as un, JWTStrategyOptions as ut, SignInCredentialsOptions as v, mailchimp as vn, AuthAPI as vt, SignOutOptions as w, x as wn, CookieStoreConfig as wt, SignInReturn as x, SummaryGear as xn, AuthRuntimeConfig as xt, SignInCredentialsReturn as y, StravaProfile as yn, AuthConfig as yt, AuthResponse as z, createSyslogMessage as zn, StandardCookie as zt };