@aura-stack/auth 0.5.0 → 0.7.0
- package/README.md +36 -1
- package/dist/@types/index.cjs +0 -18
- package/dist/@types/index.d.ts +2 -12
- package/dist/@types/index.js +0 -1
- package/dist/assert-_fBNnaOk.js +3 -0
- package/dist/assert-hDwQ_SPO.cjs +3 -0
- package/dist/client/index.cjs +1 -135
- package/dist/client/index.d.ts +11 -14
- package/dist/client/index.js +1 -10
- package/dist/crypto-D6_SoGMH.cjs +1 -0
- package/dist/crypto-DyrRzBSQ.js +1 -0
- package/dist/env-7as-tgzO.cjs +1 -0
- package/dist/env-CJtSi1eX.js +1 -0
- package/dist/errors-Czt_w1t_.js +1 -0
- package/dist/errors-DcK2ELlk.cjs +1 -0
- package/dist/identity-b8FCr0Oa.cjs +1 -0
- package/dist/index-C9U6ICDT.d.ts +2796 -0
- package/dist/index.cjs +1 -2427
- package/dist/index.d.ts +2 -14
- package/dist/index.js +1 -59
- package/dist/logger-DjXkgSn5.js +1 -0
- package/dist/logger-G5PinyEc.cjs +1 -0
- package/dist/oauth/atlassian.cjs +1 -57
- package/dist/oauth/atlassian.d.ts +2 -12
- package/dist/oauth/atlassian.js +1 -6
- package/dist/oauth/bitbucket.cjs +1 -49
- package/dist/oauth/bitbucket.d.ts +2 -12
- package/dist/oauth/bitbucket.js +1 -6
- package/dist/oauth/click-up.cjs +1 -0
- package/dist/oauth/click-up.d.ts +2 -0
- package/dist/oauth/click-up.js +1 -0
- package/dist/oauth/discord.cjs +1 -57
- package/dist/oauth/discord.d.ts +2 -12
- package/dist/oauth/discord.js +1 -6
- package/dist/oauth/dribbble.cjs +1 -0
- package/dist/oauth/dribbble.d.ts +2 -0
- package/dist/oauth/dribbble.js +1 -0
- package/dist/oauth/dropbox.cjs +1 -53
- package/dist/oauth/dropbox.d.ts +2 -12
- package/dist/oauth/dropbox.js +1 -6
- package/dist/oauth/figma.cjs +1 -49
- package/dist/oauth/figma.d.ts +2 -12
- package/dist/oauth/figma.js +1 -6
- package/dist/oauth/github.cjs +1 -49
- package/dist/oauth/github.d.ts +2 -12
- package/dist/oauth/github.js +1 -6
- package/dist/oauth/gitlab.cjs +1 -49
- package/dist/oauth/gitlab.d.ts +2 -12
- package/dist/oauth/gitlab.js +1 -6
- package/dist/oauth/index.cjs +1 -673
- package/dist/oauth/index.d.ts +2 -12
- package/dist/oauth/index.js +1 -68
- package/dist/oauth/mailchimp.cjs +1 -49
- package/dist/oauth/mailchimp.d.ts +2 -12
- package/dist/oauth/mailchimp.js +1 -6
- package/dist/oauth/notion.cjs +1 -131
- package/dist/oauth/notion.d.ts +2 -12
- package/dist/oauth/notion.js +1 -9
- package/dist/oauth/pinterest.cjs +1 -49
- package/dist/oauth/pinterest.d.ts +2 -12
- package/dist/oauth/pinterest.js +1 -6
- package/dist/oauth/spotify.cjs +1 -49
- package/dist/oauth/spotify.d.ts +2 -12
- package/dist/oauth/spotify.js +1 -6
- package/dist/oauth/strava.cjs +1 -49
- package/dist/oauth/strava.d.ts +2 -12
- package/dist/oauth/strava.js +1 -6
- package/dist/oauth/twitch.cjs +1 -95
- package/dist/oauth/twitch.d.ts +2 -12
- package/dist/oauth/twitch.js +1 -7
- package/dist/oauth/x.cjs +1 -49
- package/dist/oauth/x.d.ts +2 -12
- package/dist/oauth/x.js +1 -6
- package/dist/oauth-D3_mnBOx.js +1 -0
- package/dist/oauth-gPiWxjBd.cjs +1 -0
- package/dist/shared/crypto.cjs +1 -0
- package/dist/shared/crypto.d.ts +71 -0
- package/dist/shared/crypto.js +1 -0
- package/dist/shared/identity.cjs +1 -0
- package/dist/shared/identity.d.ts +2 -0
- package/dist/shared/identity.js +1 -0
- package/dist/shared/index.cjs +1 -0
- package/dist/shared/index.d.ts +5 -0
- package/dist/shared/index.js +1 -0
- package/package.json +37 -11
- package/dist/@types/router.d.cjs +0 -1
- package/dist/@types/router.d.d.ts +0 -16
- package/dist/@types/router.d.js +0 -0
- package/dist/@types/utility.cjs +0 -18
- package/dist/@types/utility.d.ts +0 -6
- package/dist/@types/utility.js +0 -1
- package/dist/actions/callback/access-token.cjs +0 -250
- package/dist/actions/callback/access-token.d.ts +0 -33
- package/dist/actions/callback/access-token.js +0 -9
- package/dist/actions/callback/callback.cjs +0 -715
- package/dist/actions/callback/callback.d.ts +0 -42
- package/dist/actions/callback/callback.js +0 -18
- package/dist/actions/callback/userinfo.cjs +0 -283
- package/dist/actions/callback/userinfo.d.ts +0 -25
- package/dist/actions/callback/userinfo.js +0 -13
- package/dist/actions/csrfToken/csrfToken.cjs +0 -189
- package/dist/actions/csrfToken/csrfToken.d.ts +0 -7
- package/dist/actions/csrfToken/csrfToken.js +0 -13
- package/dist/actions/index.cjs +0 -1161
- package/dist/actions/index.d.ts +0 -17
- package/dist/actions/index.js +0 -39
- package/dist/actions/session/session.cjs +0 -188
- package/dist/actions/session/session.d.ts +0 -7
- package/dist/actions/session/session.js +0 -12
- package/dist/actions/signIn/authorization-url.cjs +0 -288
- package/dist/actions/signIn/authorization-url.d.ts +0 -31
- package/dist/actions/signIn/authorization-url.js +0 -16
- package/dist/actions/signIn/authorization.cjs +0 -281
- package/dist/actions/signIn/authorization.d.ts +0 -54
- package/dist/actions/signIn/authorization.js +0 -19
- package/dist/actions/signIn/signIn.cjs +0 -595
- package/dist/actions/signIn/signIn.d.ts +0 -42
- package/dist/actions/signIn/signIn.js +0 -16
- package/dist/actions/signOut/signOut.cjs +0 -492
- package/dist/actions/signOut/signOut.d.ts +0 -16
- package/dist/actions/signOut/signOut.js +0 -15
- package/dist/api/createApi.cjs +0 -750
- package/dist/api/createApi.d.ts +0 -12
- package/dist/api/createApi.js +0 -19
- package/dist/api/getSession.cjs +0 -141
- package/dist/api/getSession.d.ts +0 -16
- package/dist/api/getSession.js +0 -10
- package/dist/api/signIn.cjs +0 -549
- package/dist/api/signIn.d.ts +0 -26
- package/dist/api/signIn.js +0 -15
- package/dist/api/signOut.cjs +0 -279
- package/dist/api/signOut.d.ts +0 -16
- package/dist/api/signOut.js +0 -13
- package/dist/assert.cjs +0 -194
- package/dist/assert.d.ts +0 -37
- package/dist/assert.js +0 -26
- package/dist/chunk-2A5B7GWR.js +0 -125
- package/dist/chunk-2GQLSIJ2.js +0 -40
- package/dist/chunk-2IR674WX.js +0 -44
- package/dist/chunk-3J5TUH2I.js +0 -50
- package/dist/chunk-4RWSYUKX.js +0 -98
- package/dist/chunk-4YHJ4IEQ.js +0 -25
- package/dist/chunk-54CZPKR4.js +0 -25
- package/dist/chunk-5LZ7TOM3.js +0 -25
- package/dist/chunk-5X7JZMEF.js +0 -0
- package/dist/chunk-7BE46WWS.js +0 -88
- package/dist/chunk-7YYXFKLR.js +0 -35
- package/dist/chunk-C3A37LQC.js +0 -33
- package/dist/chunk-CITNGXDA.js +0 -31
- package/dist/chunk-CWX724AG.js +0 -78
- package/dist/chunk-D2CSIUKP.js +0 -74
- package/dist/chunk-E6G5YCI6.js +0 -25
- package/dist/chunk-EBAMFRB7.js +0 -34
- package/dist/chunk-EEE7UM5T.js +0 -25
- package/dist/chunk-FPCVZUVG.js +0 -37
- package/dist/chunk-FW4W3REU.js +0 -25
- package/dist/chunk-GNNBM2WJ.js +0 -83
- package/dist/chunk-IPKO6UQN.js +0 -25
- package/dist/chunk-ITQ7352M.js +0 -0
- package/dist/chunk-JOCGX3RP.js +0 -59
- package/dist/chunk-KBXWTD6E.js +0 -94
- package/dist/chunk-KMMAZFSJ.js +0 -25
- package/dist/chunk-LATR3NIV.js +0 -117
- package/dist/chunk-LAYPUDQF.js +0 -39
- package/dist/chunk-LDU7A2JE.js +0 -25
- package/dist/chunk-LX3TJ2TJ.js +0 -294
- package/dist/chunk-NHZBQNRR.js +0 -143
- package/dist/chunk-OVHNRULD.js +0 -33
- package/dist/chunk-PDP3PHB3.js +0 -127
- package/dist/chunk-PG7UYFG5.js +0 -0
- package/dist/chunk-PHYNROD4.js +0 -47
- package/dist/chunk-QQEKY4XP.js +0 -29
- package/dist/chunk-U4RK4LKJ.js +0 -348
- package/dist/chunk-U5663F2U.js +0 -70
- package/dist/chunk-UN7X6SU5.js +0 -53
- package/dist/chunk-UZQJJD6A.js +0 -100
- package/dist/chunk-V6LLEAR4.js +0 -80
- package/dist/chunk-WHNDRO3N.js +0 -50
- package/dist/chunk-XY5R3EHH.js +0 -204
- package/dist/chunk-ZNCZVF6U.js +0 -14
- package/dist/client/client.cjs +0 -135
- package/dist/client/client.d.ts +0 -85
- package/dist/client/client.js +0 -9
- package/dist/context.cjs +0 -1237
- package/dist/context.d.ts +0 -16
- package/dist/context.js +0 -28
- package/dist/cookie.cjs +0 -277
- package/dist/cookie.d.ts +0 -89
- package/dist/cookie.js +0 -30
- package/dist/createAuth.cjs +0 -2320
- package/dist/createAuth.d.ts +0 -12
- package/dist/createAuth.js +0 -48
- package/dist/env.cjs +0 -78
- package/dist/env.d.ts +0 -10
- package/dist/env.js +0 -12
- package/dist/errors.cjs +0 -102
- package/dist/errors.d.ts +0 -60
- package/dist/errors.js +0 -22
- package/dist/headers.cjs +0 -61
- package/dist/headers.d.ts +0 -33
- package/dist/headers.js +0 -12
- package/dist/index-_aXtxb_s.d.ts +0 -1377
- package/dist/jose.cjs +0 -166
- package/dist/jose.d.ts +0 -12
- package/dist/jose.js +0 -20
- package/dist/logger.cjs +0 -424
- package/dist/logger.d.ts +0 -12
- package/dist/logger.js +0 -17
- package/dist/request.cjs +0 -38
- package/dist/request.d.ts +0 -13
- package/dist/request.js +0 -6
- package/dist/schemas.cjs +0 -158
- package/dist/schemas.d.ts +0 -229
- package/dist/schemas.js +0 -24
- package/dist/secure.cjs +0 -170
- package/dist/secure.d.ts +0 -41
- package/dist/secure.js +0 -20
- package/dist/utils.cjs +0 -329
- package/dist/utils.d.ts +0 -35
- package/dist/utils.js +0 -36
|
@@ -0,0 +1,2796 @@
|
|
|
1
|
+
import * as _$_aura_stack_router0 from "@aura-stack/router";
|
|
2
|
+
import { ClientOptions, GlobalContext } from "@aura-stack/router";
|
|
3
|
+
import { ZodObject, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
|
|
4
|
+
import { JWK, JWTPayload } from "@aura-stack/jose/jose";
|
|
5
|
+
import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
|
|
6
|
+
import { SerializeOptions } from "@aura-stack/router/cookie";
|
|
7
|
+
import * as valibot from "valibot";
|
|
8
|
+
import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
|
|
9
|
+
import { Type } from "arktype";
|
|
10
|
+
import { Static, TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
|
|
11
|
+
import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
|
|
12
|
+
import * as _$zod_v4_core0 from "zod/v4/core";
|
|
13
|
+
import { infer as infer$1 } from "zod/v4/core";
|
|
14
|
+
import * as _$zod from "zod";
|
|
15
|
+
|
|
16
|
+
//#region src/schemas.d.ts
|
|
17
|
+
/**
|
|
18
|
+
* Schema used in the callback action to validate the authorization error response when the resource owner
|
|
19
|
+
* has denied the authorization request.
|
|
20
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
|
|
21
|
+
*/
|
|
22
|
+
declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
|
|
23
|
+
error: z.ZodEnum<{
|
|
24
|
+
invalid_request: "invalid_request";
|
|
25
|
+
unauthorized_client: "unauthorized_client";
|
|
26
|
+
access_denied: "access_denied";
|
|
27
|
+
unsupported_response_type: "unsupported_response_type";
|
|
28
|
+
invalid_scope: "invalid_scope";
|
|
29
|
+
server_error: "server_error";
|
|
30
|
+
temporarily_unavailable: "temporarily_unavailable";
|
|
31
|
+
}>;
|
|
32
|
+
error_description: z.ZodOptional<z.ZodString>;
|
|
33
|
+
error_uri: z.ZodOptional<z.ZodString>;
|
|
34
|
+
state: z.ZodString;
|
|
35
|
+
}, z.core.$strip>;
|
|
36
|
+
/**
|
|
37
|
+
* Schema for OAuth Access Token Error Response
|
|
38
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
|
39
|
+
*/
|
|
40
|
+
declare const OAuthAccessTokenErrorResponse: z.ZodObject<{
|
|
41
|
+
error: z.ZodEnum<{
|
|
42
|
+
invalid_request: "invalid_request";
|
|
43
|
+
unauthorized_client: "unauthorized_client";
|
|
44
|
+
invalid_scope: "invalid_scope";
|
|
45
|
+
invalid_client: "invalid_client";
|
|
46
|
+
invalid_grant: "invalid_grant";
|
|
47
|
+
unsupported_grant_type: "unsupported_grant_type";
|
|
48
|
+
}>;
|
|
49
|
+
error_description: z.ZodOptional<z.ZodString>;
|
|
50
|
+
error_uri: z.ZodOptional<z.ZodString>;
|
|
51
|
+
}, z.core.$strip>;
|
|
52
|
+
declare const OAuthEnvSchema: z.ZodObject<{
|
|
53
|
+
clientId: z.ZodString;
|
|
54
|
+
clientSecret: z.ZodString;
|
|
55
|
+
}, z.core.$strip>;
|
|
56
|
+
//#endregion
|
|
57
|
+
//#region src/jose.d.ts
|
|
58
|
+
/**
|
|
59
|
+
* Creates the JOSE instance used for signing and verifying tokens. It derives keys
|
|
60
|
+
* for session tokens and CSRF tokens. For security and determinism, it's required
|
|
61
|
+
* to set a salt value in `AURA_AUTH_SALT` or `AUTH_SALT` env.
|
|
62
|
+
*
|
|
63
|
+
* The instance respects the `SessionConfig` to determine:
|
|
64
|
+
* - **mode**: `signed` (JWS only), `encrypted` (JWE only), or `sealed` (JWS + JWE)
|
|
65
|
+
* - **algorithms**: signing, key-wrapping, and content-encryption algorithms
|
|
66
|
+
* - **claims**: audience, issuer, maxAge
|
|
67
|
+
*
|
|
68
|
+
* @param secret the base secret for key derivation
|
|
69
|
+
* @param session the session configuration that drives algorithm and mode selection
|
|
70
|
+
* @returns jose instance with methods for encoding/decoding JWTs and signing/verifying JWSs
|
|
71
|
+
*/
|
|
72
|
+
declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWTKey, session?: SessionConfig) => {
|
|
73
|
+
signJWS: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: JWTHeaderParameters) => Promise<string>;
|
|
74
|
+
verifyJWS: (token: string, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<DefaultUser>>;
|
|
75
|
+
encryptJWE: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: JWEHeaderParameters) => Promise<string>;
|
|
76
|
+
decryptJWE: (token: string, options?: JWTDecryptOptions) => Promise<TypedJWTPayload<DefaultUser>>;
|
|
77
|
+
encodeJWT: (payload: TypedJWTPayload<Partial<DefaultUser>>, options?: EncodeJWTOptions) => Promise<string>;
|
|
78
|
+
decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
|
|
79
|
+
};
|
|
80
|
+
//#endregion
|
|
81
|
+
//#region src/api/createApi.d.ts
|
|
82
|
+
declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
|
|
83
|
+
/**
|
|
84
|
+
* Retrieves the current session data from the server-side.
|
|
85
|
+
*
|
|
86
|
+
* @param options - Options for the API call, including headers to verify `session_token` cookie.
|
|
87
|
+
* @returns An object containing session data see {@link User}
|
|
88
|
+
*/
|
|
89
|
+
getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<DefaultUser>>;
|
|
90
|
+
/**
|
|
91
|
+
* Initiates the sign-in flow on the server-side. By default the redirect is automatic, but it can be
|
|
92
|
+
* disabled by setting the `redirect` option to `false`. When redirect is disabled, the API returns the
|
|
93
|
+
* `signInURL` in the response for the client to handle the redirect manually.
|
|
94
|
+
*
|
|
95
|
+
* @param oauth - The OAuth provider to use for sign-in (e.g., "github", "gitlab", "bitbucket").
|
|
96
|
+
* @param options - Optional parameters for the sign-in process, including headers and redirect behavior.
|
|
97
|
+
* @returns The object returned by the API call {@link SignInAPIReturn}
|
|
98
|
+
* @example
|
|
99
|
+
* const response = await api.signIn("github", {
|
|
100
|
+
* redirectTo: "/dashboard",
|
|
101
|
+
* request: await getRequest(),
|
|
102
|
+
* })
|
|
103
|
+
*/
|
|
104
|
+
signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
|
|
105
|
+
/**
|
|
106
|
+
* Signs in a user using credentials (`username` and `password`) on the server-side. The credentials must
|
|
107
|
+
* be verified by the `authorize` function provided in the `credentials` configuration option.
|
|
108
|
+
*
|
|
109
|
+
* @param options - Options for the API call, including the credentials payload, headers, and redirect behavior.
|
|
110
|
+
* @returns The object returned by the API call {@link SignInCredentialsAPIReturn}
|
|
111
|
+
* @example
|
|
112
|
+
* const response = await api.signInCredentials({
|
|
113
|
+
* payload: {
|
|
114
|
+
* username: "johndoe",
|
|
115
|
+
* password: "1234567890"
|
|
116
|
+
* },
|
|
117
|
+
* redirectTo: "/dashboard",
|
|
118
|
+
* request: await getRequest(),
|
|
119
|
+
* })
|
|
120
|
+
*/
|
|
121
|
+
signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
|
|
122
|
+
/**
|
|
123
|
+
* Updates the current session on the server-side. It allows partial updates to the session object, such as
|
|
124
|
+
* modifying user fields or extending the session expiry. It implements CSRF Protection by default, for
|
|
125
|
+
* server-side calls it only verifies and validates the CSRF Token, it also provides Double-Submit
|
|
126
|
+
* Cookie protection by requiring the `session_token` cookie to be included in the request headers.
|
|
127
|
+
*
|
|
128
|
+
* @param options - Options for the API call, including the session updates, headers, redirect behavior, and CSRF check bypass.
|
|
129
|
+
* @returns The object returned by the API call {@link UpdateSessionAPIReturn}
|
|
130
|
+
* @example
|
|
131
|
+
* const response = await api.updateSession({
|
|
132
|
+
* session: {
|
|
133
|
+
* user: {
|
|
134
|
+
* name: "John Doe",
|
|
135
|
+
* email: "john.doe@example.com"
|
|
136
|
+
* }
|
|
137
|
+
* },
|
|
138
|
+
* redirectTo: "/dashboard",
|
|
139
|
+
* request: await getRequest()
|
|
140
|
+
* })
|
|
141
|
+
*/
|
|
142
|
+
updateSession: (options: UpdateSessionAPIOptions<DefaultUser>) => Promise<UpdateSessionAPIReturn<DefaultUser>>;
|
|
143
|
+
/**
|
|
144
|
+
* Signs out the current session on the server-side. It implements CSRF Protection by default, for
|
|
145
|
+
* server-side calls it only verifies and validates the CSRF Token, it also provides Double-Submit
|
|
146
|
+
* Cookie protection by requiring the `session_token` cookie to be included in the request headers.
|
|
147
|
+
*
|
|
148
|
+
* @param options - Options for the API call, including headers, redirect behavior, and CSRF check bypass.
|
|
149
|
+
* @returns The object returned by the API call {@link SignOutAPIReturn}
|
|
150
|
+
* @example
|
|
151
|
+
* const response = await api.signOut({
|
|
152
|
+
* redirectTo: "/goodbye",
|
|
153
|
+
* headers: {
|
|
154
|
+
* Cookie: "session_token=abc123; csrf_token=def456"
|
|
155
|
+
* },
|
|
156
|
+
* // Only set this to true for trusted server-side calls that have already verified the CSRF token
|
|
157
|
+
* skipCSRFCheck: true
|
|
158
|
+
* })
|
|
159
|
+
*/
|
|
160
|
+
signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
|
|
161
|
+
};
|
|
162
|
+
//#endregion
|
|
163
|
+
//#region src/shared/identity.d.ts
|
|
164
|
+
declare const UserIdentity: z.ZodObject<{
|
|
165
|
+
sub: z.ZodString;
|
|
166
|
+
name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
167
|
+
image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
168
|
+
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
169
|
+
}, z.core.$strip>;
|
|
170
|
+
declare const UserIdentityValibot: valibot.ObjectSchema<{
|
|
171
|
+
readonly sub: valibot.StringSchema<undefined>;
|
|
172
|
+
readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
173
|
+
readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
174
|
+
readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
|
|
175
|
+
}, undefined>;
|
|
176
|
+
declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
177
|
+
sub: string;
|
|
178
|
+
name?: string | null | undefined;
|
|
179
|
+
image?: string | null | undefined;
|
|
180
|
+
email?: string | null | undefined;
|
|
181
|
+
}, {}>;
|
|
182
|
+
declare const UserIdentityTypeBox: Type$1.TObject<{
|
|
183
|
+
sub: Type$1.TString;
|
|
184
|
+
name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
185
|
+
image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
186
|
+
email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
187
|
+
}>;
|
|
188
|
+
type UserShape = typeof UserIdentity.shape;
|
|
189
|
+
type UserShapeValibot = typeof UserIdentityValibot.entries;
|
|
190
|
+
type UserShapeArkType = typeof UserIdentityArkType;
|
|
191
|
+
type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
|
|
192
|
+
type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
|
|
193
|
+
type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
|
|
194
|
+
type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
|
|
195
|
+
type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
|
|
196
|
+
type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox>;
|
|
197
|
+
type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : never;
|
|
198
|
+
declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
|
|
199
|
+
//#endregion
|
|
200
|
+
//#region src/shared/logger.d.ts
|
|
201
|
+
/**
|
|
202
|
+
* Log message definitions organized by category.
|
|
203
|
+
* Each message includes facility, severity, msgId, and default message.
|
|
204
|
+
*/
|
|
205
|
+
declare const logMessages: {
|
|
206
|
+
readonly ROUTER_INTERNAL_ERROR: {
|
|
207
|
+
readonly facility: 10;
|
|
208
|
+
readonly severity: "error";
|
|
209
|
+
readonly msgId: "ROUTER_INTERNAL_ERROR";
|
|
210
|
+
readonly message: "Unhandled router error while processing the request";
|
|
211
|
+
};
|
|
212
|
+
readonly INVALID_REQUEST: {
|
|
213
|
+
readonly facility: 10;
|
|
214
|
+
readonly severity: "warning";
|
|
215
|
+
readonly msgId: "INVALID_REQUEST";
|
|
216
|
+
readonly message: "Request validation failed against the expected schema";
|
|
217
|
+
};
|
|
218
|
+
readonly SERVER_ERROR: {
|
|
219
|
+
readonly facility: 10;
|
|
220
|
+
readonly severity: "error";
|
|
221
|
+
readonly msgId: "SERVER_ERROR";
|
|
222
|
+
readonly message: "Unexpected internal server error during authentication";
|
|
223
|
+
};
|
|
224
|
+
readonly OAUTH_PROTOCOL_ERROR: {
|
|
225
|
+
readonly facility: 10;
|
|
226
|
+
readonly severity: "warning";
|
|
227
|
+
readonly msgId: "OAUTH_PROTOCOL_ERROR";
|
|
228
|
+
readonly message: "OAuth provider returned an invalid or unexpected protocol response";
|
|
229
|
+
};
|
|
230
|
+
readonly OAUTH_AUTHORIZATION_ERROR: {
|
|
231
|
+
readonly facility: 10;
|
|
232
|
+
readonly severity: "error";
|
|
233
|
+
readonly msgId: "OAUTH_AUTHORIZATION_ERROR";
|
|
234
|
+
readonly message: "OAuth authorization request was rejected or failed";
|
|
235
|
+
};
|
|
236
|
+
readonly INVALID_OAUTH_CONFIGURATION: {
|
|
237
|
+
readonly facility: 10;
|
|
238
|
+
readonly severity: "error";
|
|
239
|
+
readonly msgId: "INVALID_OAUTH_CONFIGURATION";
|
|
240
|
+
readonly message: "The OAuth provider configuration is invalid or incomplete";
|
|
241
|
+
};
|
|
242
|
+
readonly OAUTH_ACCESS_TOKEN_REQUEST_INITIATED: {
|
|
243
|
+
readonly facility: 10;
|
|
244
|
+
readonly severity: "debug";
|
|
245
|
+
readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_INITIATED";
|
|
246
|
+
readonly message: "Starting OAuth access token request to the provider";
|
|
247
|
+
};
|
|
248
|
+
readonly INVALID_OAUTH_ACCESS_TOKEN_RESPONSE: {
|
|
249
|
+
readonly facility: 10;
|
|
250
|
+
readonly severity: "error";
|
|
251
|
+
readonly msgId: "INVALID_OAUTH_ACCESS_TOKEN_RESPONSE";
|
|
252
|
+
readonly message: "OAuth access token endpoint returned an invalid or malformed response";
|
|
253
|
+
};
|
|
254
|
+
readonly OAUTH_ACCESS_TOKEN_ERROR: {
|
|
255
|
+
readonly facility: 10;
|
|
256
|
+
readonly severity: "error";
|
|
257
|
+
readonly msgId: "OAUTH_ACCESS_TOKEN_ERROR";
|
|
258
|
+
readonly message: "OAuth access token endpoint returned an error response";
|
|
259
|
+
};
|
|
260
|
+
readonly OAUTH_ACCESS_TOKEN_SUCCESS: {
|
|
261
|
+
readonly facility: 10;
|
|
262
|
+
readonly severity: "info";
|
|
263
|
+
readonly msgId: "OAUTH_ACCESS_TOKEN_SUCCESS";
|
|
264
|
+
readonly message: "Successfully retrieved OAuth access token from the provider";
|
|
265
|
+
};
|
|
266
|
+
readonly OAUTH_ACCESS_TOKEN_REQUEST_FAILED: {
|
|
267
|
+
readonly facility: 10;
|
|
268
|
+
readonly severity: "error";
|
|
269
|
+
readonly msgId: "OAUTH_ACCESS_TOKEN_REQUEST_FAILED";
|
|
270
|
+
readonly message: "Network or server error while requesting OAuth access token";
|
|
271
|
+
};
|
|
272
|
+
readonly OAUTH_USERINFO_REQUEST_INITIATED: {
|
|
273
|
+
readonly facility: 10;
|
|
274
|
+
readonly severity: "debug";
|
|
275
|
+
readonly msgId: "OAUTH_USERINFO_REQUEST_INITIATED";
|
|
276
|
+
readonly message: "Starting OAuth userinfo request to the provider";
|
|
277
|
+
};
|
|
278
|
+
readonly OAUTH_USERINFO_INVALID_RESPONSE: {
|
|
279
|
+
readonly facility: 10;
|
|
280
|
+
readonly severity: "error";
|
|
281
|
+
readonly msgId: "OAUTH_USERINFO_INVALID_RESPONSE";
|
|
282
|
+
readonly message: "OAuth userinfo endpoint returned an invalid or malformed response";
|
|
283
|
+
};
|
|
284
|
+
readonly OAUTH_USERINFO_ERROR: {
|
|
285
|
+
readonly facility: 10;
|
|
286
|
+
readonly severity: "error";
|
|
287
|
+
readonly msgId: "OAUTH_USERINFO_ERROR";
|
|
288
|
+
readonly message: "OAuth userinfo endpoint returned an error response";
|
|
289
|
+
};
|
|
290
|
+
readonly OAUTH_USERINFO_SUCCESS: {
|
|
291
|
+
readonly facility: 10;
|
|
292
|
+
readonly severity: "info";
|
|
293
|
+
readonly msgId: "OAUTH_USERINFO_SUCCESS";
|
|
294
|
+
readonly message: "Successfully retrieved user information from the OAuth provider";
|
|
295
|
+
};
|
|
296
|
+
readonly OAUTH_USERINFO_REQUEST_FAILED: {
|
|
297
|
+
readonly facility: 10;
|
|
298
|
+
readonly severity: "error";
|
|
299
|
+
readonly msgId: "OAUTH_USERINFO_REQUEST_FAILED";
|
|
300
|
+
readonly message: "Network or server error while requesting user information from the OAuth provider";
|
|
301
|
+
};
|
|
302
|
+
readonly OAUTH_CALLBACK_SUCCESS: {
|
|
303
|
+
readonly facility: 4;
|
|
304
|
+
readonly severity: "info";
|
|
305
|
+
readonly msgId: "OAUTH_CALLBACK_SUCCESS";
|
|
306
|
+
readonly message: "OAuth callback completed successfully and session was created";
|
|
307
|
+
};
|
|
308
|
+
readonly MISMATCHING_STATE: {
|
|
309
|
+
readonly facility: 4;
|
|
310
|
+
readonly severity: "critical";
|
|
311
|
+
readonly msgId: "MISMATCHING_STATE";
|
|
312
|
+
readonly message: "OAuth response state parameter does not match the stored state value";
|
|
313
|
+
};
|
|
314
|
+
readonly POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED: {
|
|
315
|
+
readonly facility: 4;
|
|
316
|
+
readonly severity: "critical";
|
|
317
|
+
readonly msgId: "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED";
|
|
318
|
+
readonly message: "Blocked redirect to untrusted or external URL (potential open redirect attack)";
|
|
319
|
+
};
|
|
320
|
+
readonly OPEN_REDIRECT_ATTACK: {
|
|
321
|
+
readonly facility: 4;
|
|
322
|
+
readonly severity: "warning";
|
|
323
|
+
readonly msgId: "OPEN_REDIRECT_ATTACK";
|
|
324
|
+
readonly message: "Detected redirect target that does not match the trusted origin";
|
|
325
|
+
};
|
|
326
|
+
readonly SESSION_TOKEN_MISSING: {
|
|
327
|
+
readonly facility: 4;
|
|
328
|
+
readonly severity: "warning";
|
|
329
|
+
readonly msgId: "SESSION_TOKEN_MISSING";
|
|
330
|
+
readonly message: "Session cookie is missing from the request";
|
|
331
|
+
};
|
|
332
|
+
readonly CSRF_TOKEN_MISSING: {
|
|
333
|
+
readonly facility: 4;
|
|
334
|
+
readonly severity: "warning";
|
|
335
|
+
readonly msgId: "CSRF_TOKEN_MISSING";
|
|
336
|
+
readonly message: "CSRF token cookie is missing from the request";
|
|
337
|
+
};
|
|
338
|
+
readonly CSRF_HEADER_MISSING: {
|
|
339
|
+
readonly facility: 4;
|
|
340
|
+
readonly severity: "warning";
|
|
341
|
+
readonly msgId: "CSRF_HEADER_MISSING";
|
|
342
|
+
readonly message: "CSRF header is missing from the request";
|
|
343
|
+
};
|
|
344
|
+
readonly CSRF_TOKEN_INVALID: {
|
|
345
|
+
readonly facility: 4;
|
|
346
|
+
readonly severity: "error";
|
|
347
|
+
readonly msgId: "CSRF_TOKEN_INVALID";
|
|
348
|
+
readonly message: "CSRF token verification failed or token is invalid";
|
|
349
|
+
};
|
|
350
|
+
readonly SIGN_IN_INITIATED: {
|
|
351
|
+
readonly facility: 4;
|
|
352
|
+
readonly severity: "info";
|
|
353
|
+
readonly msgId: "SIGN_IN_INITIATED";
|
|
354
|
+
readonly message: "Starting OAuth sign-in flow for the selected provider";
|
|
355
|
+
};
|
|
356
|
+
readonly SIGN_OUT_ATTEMPT: {
|
|
357
|
+
readonly facility: 4;
|
|
358
|
+
readonly severity: "debug";
|
|
359
|
+
readonly msgId: "SIGN_OUT_ATTEMPT";
|
|
360
|
+
readonly message: "Received sign-out request from client";
|
|
361
|
+
};
|
|
362
|
+
readonly SIGN_OUT_CSRF_VERIFIED: {
|
|
363
|
+
readonly facility: 4;
|
|
364
|
+
readonly severity: "info";
|
|
365
|
+
readonly msgId: "SIGN_OUT_CSRF_VERIFIED";
|
|
366
|
+
readonly message: "CSRF token was successfully verified during sign-out";
|
|
367
|
+
};
|
|
368
|
+
readonly SIGN_OUT_SUCCESS: {
|
|
369
|
+
readonly facility: 4;
|
|
370
|
+
readonly severity: "info";
|
|
371
|
+
readonly msgId: "SIGN_OUT_SUCCESS";
|
|
372
|
+
readonly message: "User session was cleared and sign-out completed successfully";
|
|
373
|
+
};
|
|
374
|
+
readonly SIGN_OUT_REDIRECT: {
|
|
375
|
+
readonly facility: 4;
|
|
376
|
+
readonly severity: "debug";
|
|
377
|
+
readonly msgId: "SIGN_OUT_REDIRECT";
|
|
378
|
+
readonly message: "Redirecting client after successful sign-out";
|
|
379
|
+
};
|
|
380
|
+
readonly AUTH_SESSION_VALID: {
|
|
381
|
+
readonly facility: 4;
|
|
382
|
+
readonly severity: "info";
|
|
383
|
+
readonly msgId: "AUTH_SESSION_VALID";
|
|
384
|
+
readonly message: "Session token is valid and user session was returned";
|
|
385
|
+
};
|
|
386
|
+
readonly AUTH_SESSION_INVALID: {
|
|
387
|
+
readonly facility: 4;
|
|
388
|
+
readonly severity: "notice";
|
|
389
|
+
readonly msgId: "AUTH_SESSION_INVALID";
|
|
390
|
+
readonly message: "Session token is missing, expired, or invalid";
|
|
391
|
+
};
|
|
392
|
+
readonly INVALID_JWT_TOKEN: {
|
|
393
|
+
readonly facility: 4;
|
|
394
|
+
readonly severity: "warning";
|
|
395
|
+
readonly msgId: "INVALID_JWT_TOKEN";
|
|
396
|
+
readonly message: "JWT session token failed validation during sign-out";
|
|
397
|
+
};
|
|
398
|
+
readonly CSRF_TOKEN_REQUESTED: {
|
|
399
|
+
readonly facility: 4;
|
|
400
|
+
readonly severity: "debug";
|
|
401
|
+
readonly msgId: "CSRF_TOKEN_REQUESTED";
|
|
402
|
+
readonly message: "Client requested a CSRF token";
|
|
403
|
+
};
|
|
404
|
+
readonly CSRF_TOKEN_ISSUED: {
|
|
405
|
+
readonly facility: 4;
|
|
406
|
+
readonly severity: "debug";
|
|
407
|
+
readonly msgId: "CSRF_TOKEN_ISSUED";
|
|
408
|
+
readonly message: "Issued a new CSRF token to the client";
|
|
409
|
+
};
|
|
410
|
+
readonly INVALID_URL: {
|
|
411
|
+
readonly facility: 10;
|
|
412
|
+
readonly severity: "error";
|
|
413
|
+
readonly msgId: "INVALID_URL";
|
|
414
|
+
readonly message: "Derived origin URL is invalid or malformed";
|
|
415
|
+
};
|
|
416
|
+
readonly COOKIE_HTTPONLY_DISABLED: {
|
|
417
|
+
readonly facility: 10;
|
|
418
|
+
readonly severity: "critical";
|
|
419
|
+
readonly msgId: "COOKIE_HTTPONLY_DISABLED";
|
|
420
|
+
readonly message: "Cookie is configured without HttpOnly. This allows JavaScript access via document.cookie and increases XSS exposure.";
|
|
421
|
+
};
|
|
422
|
+
readonly COOKIE_WILDCARD_DOMAIN: {
|
|
423
|
+
readonly facility: 10;
|
|
424
|
+
readonly severity: "critical";
|
|
425
|
+
readonly msgId: "COOKIE_WILDCARD_DOMAIN";
|
|
426
|
+
readonly message: "Cookie 'Domain' is set to a wildcard, which is insecure and should be avoided.";
|
|
427
|
+
};
|
|
428
|
+
readonly COOKIE_SECURE_DISABLED: {
|
|
429
|
+
readonly facility: 10;
|
|
430
|
+
readonly severity: "warning";
|
|
431
|
+
readonly msgId: "COOKIE_SECURE_DISABLED";
|
|
432
|
+
readonly message: "Cookie is configured with 'Secure' but the request is not HTTPS. The 'Secure' attribute will be ignored by the browser.";
|
|
433
|
+
};
|
|
434
|
+
readonly COOKIE_SAMESITE_NONE_WITHOUT_SECURE: {
|
|
435
|
+
readonly facility: 10;
|
|
436
|
+
readonly severity: "warning";
|
|
437
|
+
readonly msgId: "COOKIE_SAMESITE_NONE_WITHOUT_SECURE";
|
|
438
|
+
readonly message: "Cookie uses SameSite=None without Secure. Falling back to SameSite=Lax for safer defaults.";
|
|
439
|
+
};
|
|
440
|
+
readonly COOKIE_INSECURE_IN_PRODUCTION: {
|
|
441
|
+
readonly facility: 10;
|
|
442
|
+
readonly severity: "critical";
|
|
443
|
+
readonly msgId: "COOKIE_INSECURE_IN_PRODUCTION";
|
|
444
|
+
readonly message: "Cookies are being served over an insecure connection in production, which is a serious security risk.";
|
|
445
|
+
};
|
|
446
|
+
readonly COOKIE_HOST_STRATEGY_INSECURE: {
|
|
447
|
+
readonly facility: 10;
|
|
448
|
+
readonly severity: "critical";
|
|
449
|
+
readonly msgId: "COOKIE_HOST_STRATEGY_INSECURE";
|
|
450
|
+
readonly message: "__Host- cookies require a secure HTTPS context. Falling back to standard cookie settings.";
|
|
451
|
+
};
|
|
452
|
+
readonly UNTRUSTED_ORIGIN: {
|
|
453
|
+
readonly facility: 10;
|
|
454
|
+
readonly severity: "error";
|
|
455
|
+
readonly msgId: "UNTRUSTED_ORIGIN";
|
|
456
|
+
readonly message: "The constructed origin URL is not trusted.";
|
|
457
|
+
};
|
|
458
|
+
readonly SESSION_REFRESHED: {
|
|
459
|
+
readonly facility: 4;
|
|
460
|
+
readonly severity: "info";
|
|
461
|
+
readonly msgId: "SESSION_REFRESHED";
|
|
462
|
+
readonly message: "User session was refreshed with a new expiration time";
|
|
463
|
+
};
|
|
464
|
+
readonly AUTH_SECURITY_ERROR: {
|
|
465
|
+
readonly facility: 10;
|
|
466
|
+
readonly severity: "error";
|
|
467
|
+
readonly msgId: "AUTH_SECURITY_ERROR";
|
|
468
|
+
readonly message: "An authentication security error occurred";
|
|
469
|
+
};
|
|
470
|
+
readonly CSRF_TOKEN_VERIFIED: {
|
|
471
|
+
readonly facility: 4;
|
|
472
|
+
readonly severity: "info";
|
|
473
|
+
readonly msgId: "CSRF_TOKEN_VERIFIED";
|
|
474
|
+
readonly message: "CSRF token verification succeeded";
|
|
475
|
+
};
|
|
476
|
+
readonly IDENTITY_VALIDATION_DISABLED: {
|
|
477
|
+
readonly facility: 4;
|
|
478
|
+
readonly severity: "warning";
|
|
479
|
+
readonly msgId: "IDENTITY_VALIDATION_DISABLED";
|
|
480
|
+
readonly message: "Identity validation is disabled. User data will not be validated against a schema.";
|
|
481
|
+
};
|
|
482
|
+
readonly IDENTITY_VALIDATION_FAILED: {
|
|
483
|
+
readonly facility: 4;
|
|
484
|
+
readonly severity: "error";
|
|
485
|
+
readonly msgId: "IDENTITY_VALIDATION_FAILED";
|
|
486
|
+
readonly message: "User identity validation against the schema failed";
|
|
487
|
+
};
|
|
488
|
+
readonly CREDENTIALS_SIGN_IN_SUCCESS: {
|
|
489
|
+
readonly facility: 4;
|
|
490
|
+
readonly severity: "info";
|
|
491
|
+
readonly msgId: "CREDENTIALS_SIGN_IN_SUCCESS";
|
|
492
|
+
readonly message: "User successfully authenticated with credentials";
|
|
493
|
+
};
|
|
494
|
+
readonly INVALID_CREDENTIALS: {
|
|
495
|
+
readonly facility: 4;
|
|
496
|
+
readonly severity: "warning";
|
|
497
|
+
readonly msgId: "INVALID_CREDENTIALS";
|
|
498
|
+
readonly message: "Authentication failed due to invalid credentials";
|
|
499
|
+
};
|
|
500
|
+
readonly CREDENTIALS_SIGN_IN_FAILED: {
|
|
501
|
+
readonly facility: 4;
|
|
502
|
+
readonly severity: "error";
|
|
503
|
+
readonly msgId: "CREDENTIALS_SIGN_IN_FAILED";
|
|
504
|
+
readonly message: "An error occurred during credentials sign-in";
|
|
505
|
+
};
|
|
506
|
+
};
|
|
507
|
+
declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
|
|
508
|
+
declare const createSyslogMessage: (options: SyslogOptions) => string;
|
|
509
|
+
//#endregion
|
|
510
|
+
//#region src/validator/registry.d.ts
|
|
511
|
+
declare const createSchemaRegistry: <Identity extends SchemaTypes>(config: IdentityConfig<Identity>) => {
|
|
512
|
+
parse: (data?: unknown) => Promise<any>;
|
|
513
|
+
parseAsPartial: (data?: unknown) => Promise<any>;
|
|
514
|
+
parseWithJWT: (data?: unknown) => Promise<any>;
|
|
515
|
+
schema: any;
|
|
516
|
+
schemaAsPartial: any;
|
|
517
|
+
schemaWithJWT: any;
|
|
518
|
+
};
|
|
519
|
+
//#endregion
|
|
520
|
+
//#region src/oauth/github.d.ts
|
|
521
|
+
/**
|
|
522
|
+
* @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
|
|
523
|
+
*/
|
|
524
|
+
interface GitHubProfile {
|
|
525
|
+
login: string;
|
|
526
|
+
id: number;
|
|
527
|
+
user_view_type: string;
|
|
528
|
+
node_id: string;
|
|
529
|
+
avatar_url: string;
|
|
530
|
+
gravatar_id: string | null;
|
|
531
|
+
url: string;
|
|
532
|
+
html_url: string;
|
|
533
|
+
followers_url: string;
|
|
534
|
+
following_url: string;
|
|
535
|
+
gists_url: string;
|
|
536
|
+
starred_url: string;
|
|
537
|
+
subscriptions_url: string;
|
|
538
|
+
organizations_url: string;
|
|
539
|
+
repos_url: string;
|
|
540
|
+
events_url: string;
|
|
541
|
+
received_events_url: string;
|
|
542
|
+
type: string;
|
|
543
|
+
site_admin: boolean;
|
|
544
|
+
name: string | null;
|
|
545
|
+
company: string | null;
|
|
546
|
+
blog: string | null;
|
|
547
|
+
location: string | null;
|
|
548
|
+
email: string | null;
|
|
549
|
+
notification_email: string | null;
|
|
550
|
+
hireable: boolean | null;
|
|
551
|
+
bio: string | null;
|
|
552
|
+
twitter_username?: string | null;
|
|
553
|
+
public_repos: number;
|
|
554
|
+
public_gists: number;
|
|
555
|
+
followers: number;
|
|
556
|
+
following: number;
|
|
557
|
+
created_at: string;
|
|
558
|
+
updated_at: string;
|
|
559
|
+
private_gists?: number;
|
|
560
|
+
total_private_repos?: number;
|
|
561
|
+
owned_private_repos?: number;
|
|
562
|
+
disk_usage?: number;
|
|
563
|
+
collaborators?: number;
|
|
564
|
+
two_factor_authentication: boolean;
|
|
565
|
+
plan?: {
|
|
566
|
+
collaborators: number;
|
|
567
|
+
name: string;
|
|
568
|
+
space: number;
|
|
569
|
+
private_repos: number;
|
|
570
|
+
};
|
|
571
|
+
}
|
|
572
|
+
/**
|
|
573
|
+
* GitHub OAuth Provider
|
|
574
|
+
*
|
|
575
|
+
* @see [GitHub - Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
|
|
576
|
+
* @see [GitHub - Authorizing OAuth Apps](https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps)
|
|
577
|
+
* @see [GitHub - Configure your GitHub OAuth Apps](https://github.com/settings/developers)
|
|
578
|
+
* @see [Github - Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
|
|
579
|
+
*/
|
|
580
|
+
declare const github: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<GitHubProfile, DefaultUser>>) => OAuthProviderCredentials<GitHubProfile, DefaultUser>;
|
|
581
|
+
//#endregion
|
|
582
|
+
//#region src/oauth/bitbucket.d.ts
|
|
583
|
+
/**
|
|
584
|
+
* @see [Get current user](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-user-get)
|
|
585
|
+
*/
|
|
586
|
+
interface BitbucketProfile {
|
|
587
|
+
display_name: string;
|
|
588
|
+
links: Record<LiteralUnion<"self" | "avatar" | "repositories" | "snippets" | "html" | "hooks">, {
|
|
589
|
+
href?: string;
|
|
590
|
+
}>;
|
|
591
|
+
created_on: string;
|
|
592
|
+
type: string;
|
|
593
|
+
uuid: string;
|
|
594
|
+
has_2fa_enabled: boolean;
|
|
595
|
+
username: string;
|
|
596
|
+
nickname: string;
|
|
597
|
+
is_staff: boolean;
|
|
598
|
+
account_id: string;
|
|
599
|
+
account_status: LiteralUnion<"active" | "inactive" | "closed">;
|
|
600
|
+
location: string | null;
|
|
601
|
+
}
|
|
602
|
+
/**
|
|
603
|
+
* Bitbucket OAuth Provider
|
|
604
|
+
*
|
|
605
|
+
* @see [Bitbucket - Official App](https://bitbucket.org/)
|
|
606
|
+
* @see [Bitbucket - Workspaces](https://bitbucket.org/account/workspaces/)
|
|
607
|
+
* @see [Bitbucket - Workspace Settings](https://bitbucket.org/{workspace-name}/workspace/settings/)
|
|
608
|
+
* @see [Bitbucket - OAuth 2.0](https://developer.atlassian.com/cloud/bitbucket/oauth-2/)
|
|
609
|
+
* @see [Bitbucket - Use OAuth on Bitbucket Cloud](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/)
|
|
610
|
+
* @see [Bitbucket - Cloud REST API](https://developer.atlassian.com/cloud/bitbucket/rest/intro/)
|
|
611
|
+
* @see [Bitbucket - User Endpoint](https://developer.atlassian.com/cloud/bitbucket/rest/api-group-users/#api-users-endpoint)
|
|
612
|
+
*/
|
|
613
|
+
declare const bitbucket: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<BitbucketProfile, DefaultUser>>) => OAuthProviderCredentials<BitbucketProfile, DefaultUser>;
|
|
614
|
+
//#endregion
|
|
615
|
+
//#region src/oauth/figma.d.ts
|
|
616
|
+
/**
|
|
617
|
+
* @see [Figma API - Users](https://developers.figma.com/docs/rest-api/users-types/)
|
|
618
|
+
*/
|
|
619
|
+
interface FigmaProfile {
|
|
620
|
+
id: string;
|
|
621
|
+
handle: string;
|
|
622
|
+
img_url: string;
|
|
623
|
+
email: string;
|
|
624
|
+
}
|
|
625
|
+
/**
|
|
626
|
+
* Figma OAuth Provider
|
|
627
|
+
* @see [Figma - REST API Introduction](https://developers.figma.com/docs/rest-api/)
|
|
628
|
+
* @see [Figma - OAuth App](https://www.figma.com/developers/apps/)
|
|
629
|
+
* @see [Figma - Create an OAuth App](https://developers.figma.com/docs/rest-api/authentication/#create-an-oauth-app)
|
|
630
|
+
* @see [Figma - OAuth Scopes](https://developers.figma.com/docs/rest-api/scopes/)
|
|
631
|
+
*/
|
|
632
|
+
declare const figma: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<FigmaProfile, DefaultUser>>) => OAuthProviderCredentials<FigmaProfile, DefaultUser>;
|
|
633
|
+
//#endregion
|
|
634
|
+
//#region src/oauth/discord.d.ts
|
|
635
|
+
/**
|
|
636
|
+
* @see [Discord - Nameplate Object](https://discord.com/developers/docs/resources/user#nameplate-nameplate-structure)
|
|
637
|
+
*/
|
|
638
|
+
interface Nameplate {
|
|
639
|
+
sku_id: string;
|
|
640
|
+
asset: string;
|
|
641
|
+
label: string;
|
|
642
|
+
palette: string;
|
|
643
|
+
}
|
|
644
|
+
/**
|
|
645
|
+
* The `snowflake` type is a string type. The attributes defined with this type are:
|
|
646
|
+
* - `id`: The unique identifier for the object.
|
|
647
|
+
* - `primary_guild.identity_guild_id`: The unique identifier for the guild.
|
|
648
|
+
* - `avatar_decoration_data.sku_id`: The unique identifier for the SKU.
|
|
649
|
+
*
|
|
650
|
+
* @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
|
|
651
|
+
*/
|
|
652
|
+
interface DiscordProfile {
|
|
653
|
+
id: string;
|
|
654
|
+
username: string;
|
|
655
|
+
discriminator: string;
|
|
656
|
+
global_name: string | null;
|
|
657
|
+
avatar: string | null;
|
|
658
|
+
bot?: boolean;
|
|
659
|
+
system?: boolean;
|
|
660
|
+
mfa_enabled?: boolean;
|
|
661
|
+
banner?: string | null;
|
|
662
|
+
accent_color?: number | null;
|
|
663
|
+
locale?: string;
|
|
664
|
+
verified?: boolean;
|
|
665
|
+
email?: string | null;
|
|
666
|
+
flags?: number;
|
|
667
|
+
premium_type?: number;
|
|
668
|
+
public_flags?: number;
|
|
669
|
+
avatar_decoration_data?: {
|
|
670
|
+
asset: string;
|
|
671
|
+
sku_id: string;
|
|
672
|
+
};
|
|
673
|
+
collections?: Record<string, Nameplate>;
|
|
674
|
+
primary_guild?: {
|
|
675
|
+
identity_guild_id: string;
|
|
676
|
+
identity_enabled: boolean | null;
|
|
677
|
+
tag: string | null;
|
|
678
|
+
badge: string | null;
|
|
679
|
+
};
|
|
680
|
+
}
|
|
681
|
+
/**
|
|
682
|
+
* Discord OAuth Provider
|
|
683
|
+
*
|
|
684
|
+
* @see [Discord - Applications](https://discord.com/developers/applications)
|
|
685
|
+
* @see [Discord - OAuth2](https://discord.com/developers/docs/topics/oauth2)
|
|
686
|
+
* @see [Discord - Get Current User](https://discord.com/developers/docs/resources/user#get-current-user)
|
|
687
|
+
* @see [Discord - User Object](https://discord.com/developers/docs/resources/user#user-object)
|
|
688
|
+
* @see [Discord - OAuth2 Scopes](https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-scopes)
|
|
689
|
+
* @see [Discord - Image Formatting](https://discord.com/developers/docs/reference#image-formatting)
|
|
690
|
+
* @see [Discord - Display Names](https://discord.com/developers/docs/change-log#display-names)
|
|
691
|
+
*/
|
|
692
|
+
declare const discord: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DiscordProfile, DefaultUser>>) => OAuthProviderCredentials<DiscordProfile, DefaultUser>;
|
|
693
|
+
//#endregion
|
|
694
|
+
//#region src/oauth/gitlab.d.ts
|
|
695
|
+
/**
|
|
696
|
+
* @see [GitLab - User Structure](https://docs.gitlab.com/ee/api/users.html#external-user-structure)
|
|
697
|
+
*/
|
|
698
|
+
interface GitLabProfile {
|
|
699
|
+
id: number;
|
|
700
|
+
username: string;
|
|
701
|
+
email: string;
|
|
702
|
+
name: string;
|
|
703
|
+
state: string;
|
|
704
|
+
locked: boolean;
|
|
705
|
+
avatar_url: string;
|
|
706
|
+
web_url: string;
|
|
707
|
+
created_at: string;
|
|
708
|
+
bio: string;
|
|
709
|
+
location: string | null;
|
|
710
|
+
public_email: string;
|
|
711
|
+
linkedin: string;
|
|
712
|
+
twitter: string;
|
|
713
|
+
discord: string;
|
|
714
|
+
github: string;
|
|
715
|
+
website_url: string;
|
|
716
|
+
organization: string;
|
|
717
|
+
job_title: string;
|
|
718
|
+
pronouns: string;
|
|
719
|
+
bot: boolean;
|
|
720
|
+
work_information: string | null;
|
|
721
|
+
followers: number;
|
|
722
|
+
following: number;
|
|
723
|
+
local_time: string;
|
|
724
|
+
last_sign_in_at: string;
|
|
725
|
+
confirmed_at: string;
|
|
726
|
+
theme_id: number;
|
|
727
|
+
last_activity_on: string;
|
|
728
|
+
color_scheme_id: number;
|
|
729
|
+
projects_limit: number;
|
|
730
|
+
current_sign_in_at: string;
|
|
731
|
+
identities: {
|
|
732
|
+
provider: string;
|
|
733
|
+
extern_uid: string;
|
|
734
|
+
saml_provider_id: number | null;
|
|
735
|
+
}[];
|
|
736
|
+
can_create_group: boolean;
|
|
737
|
+
can_create_project: boolean;
|
|
738
|
+
two_factor_enabled: boolean;
|
|
739
|
+
external: boolean;
|
|
740
|
+
private_profile: boolean;
|
|
741
|
+
commit_email: string;
|
|
742
|
+
preferred_language: string;
|
|
743
|
+
shared_runners_minutes_limit: number | null;
|
|
744
|
+
extra_shared_runners_minutes_limit: number | null;
|
|
745
|
+
scim_identities: unknown[];
|
|
746
|
+
}
|
|
747
|
+
/**
|
|
748
|
+
* GitLab OAuth Provider
|
|
749
|
+
*
|
|
750
|
+
* @see [GitLab - Applications](https://gitlab.com/-/user_settings/applications)
|
|
751
|
+
* @see [GitLab - OAuth 2.0 identify provider API](https://docs.gitlab.com/api/oauth2/)
|
|
752
|
+
* @see [GitLab - Scopes](https://docs.gitlab.com/integration/oauth_provider/#view-all-authorized-applications)
|
|
753
|
+
* @see [GitLab - Get current user](https://docs.gitlab.com/api/users/#get-the-current-user)
|
|
754
|
+
*/
|
|
755
|
+
declare const gitlab: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<GitLabProfile, DefaultUser>>) => OAuthProviderCredentials<GitLabProfile, DefaultUser>;
|
|
756
|
+
//#endregion
|
|
757
|
+
//#region src/oauth/spotify.d.ts
|
|
758
|
+
interface SpotifyImage {
|
|
759
|
+
url: string;
|
|
760
|
+
height: number;
|
|
761
|
+
width: number;
|
|
762
|
+
}
|
|
763
|
+
/**
|
|
764
|
+
* @see [Spotify - User Object](https://developer.spotify.com/documentation/web-api/reference/object-model/#user-object-private)
|
|
765
|
+
*/
|
|
766
|
+
interface SpotifyProfile {
|
|
767
|
+
id: string;
|
|
768
|
+
display_name: string;
|
|
769
|
+
email: string;
|
|
770
|
+
type: string;
|
|
771
|
+
uri: string;
|
|
772
|
+
country: string;
|
|
773
|
+
href: string;
|
|
774
|
+
images: SpotifyImage[];
|
|
775
|
+
product: string;
|
|
776
|
+
explicit_content: {
|
|
777
|
+
filter_enabled: boolean;
|
|
778
|
+
filter_locked: boolean;
|
|
779
|
+
};
|
|
780
|
+
external_urls: {
|
|
781
|
+
spotify: string;
|
|
782
|
+
};
|
|
783
|
+
followers: {
|
|
784
|
+
href: string;
|
|
785
|
+
total: number;
|
|
786
|
+
};
|
|
787
|
+
}
|
|
788
|
+
/**
|
|
789
|
+
* Spotify OAuth Provider
|
|
790
|
+
*
|
|
791
|
+
* @see [Spotify - Spotify Developer Dashboard](https://developer.spotify.com/dashboard)
|
|
792
|
+
* @see [Spotify - Getting started with Web API](https://developer.spotify.com/documentation/web-api/tutorials/getting-started)
|
|
793
|
+
* @see [Spotify - Get Current User's Profile](https://developer.spotify.com/documentation/web-api/reference/get-current-users-profile)
|
|
794
|
+
* @see [Spotify - Scopes](https://developer.spotify.com/documentation/web-api/concepts/scopes)
|
|
795
|
+
* @see [Spotify - Redirect URIs](https://developer.spotify.com/documentation/web-api/concepts/redirect_uri)
|
|
796
|
+
*/
|
|
797
|
+
declare const spotify: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<SpotifyProfile, DefaultUser>>) => OAuthProviderCredentials<SpotifyProfile, DefaultUser>;
|
|
798
|
+
//#endregion
|
|
799
|
+
//#region src/oauth/x.d.ts
|
|
800
|
+
/**
|
|
801
|
+
* @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
|
|
802
|
+
*/
|
|
803
|
+
interface XProfile {
|
|
804
|
+
data: {
|
|
805
|
+
id: string;
|
|
806
|
+
name: string;
|
|
807
|
+
username: string;
|
|
808
|
+
profile_image_url: string;
|
|
809
|
+
};
|
|
810
|
+
}
|
|
811
|
+
/**
|
|
812
|
+
* X (Twitter) OAuth Provider
|
|
813
|
+
* @see [X - Developer Portal](https://developer.x.com/en/portal/projects-and-apps)
|
|
814
|
+
* @see [X - Get my User](https://docs.x.com/x-api/users/get-my-user)
|
|
815
|
+
* @see [X - OAuth 2.0 Authorization Code Flow with PKCE](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code)
|
|
816
|
+
* @see [X - OAuth 2.0 Scopes](https://docs.x.com/fundamentals/authentication/oauth-2-0/authorization-code#scopes)
|
|
817
|
+
* @see [X - OAuth 2.0 Bearer Token](https://docs.x.com/fundamentals/authentication/oauth-2-0/application-only)
|
|
818
|
+
*/
|
|
819
|
+
declare const x: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<XProfile, DefaultUser>>) => OAuthProviderCredentials<XProfile, DefaultUser>;
|
|
820
|
+
//#endregion
|
|
821
|
+
//#region src/oauth/strava.d.ts
|
|
822
|
+
/**
|
|
823
|
+
* @see [Strava - SummaryClub](https://developers.strava.com/docs/reference/#api-models-SummaryClub)
|
|
824
|
+
*/
|
|
825
|
+
interface SummaryClub {
|
|
826
|
+
id: number;
|
|
827
|
+
resource_state: number;
|
|
828
|
+
name: string;
|
|
829
|
+
profile_medium: string;
|
|
830
|
+
cover_photo: string;
|
|
831
|
+
cover_photo_small: string;
|
|
832
|
+
sport_type: "cycling" | "running" | "triathlon" | "other";
|
|
833
|
+
activity_types: string[];
|
|
834
|
+
city: string;
|
|
835
|
+
state: string;
|
|
836
|
+
country: string;
|
|
837
|
+
private: boolean;
|
|
838
|
+
member_count: number;
|
|
839
|
+
featured: boolean;
|
|
840
|
+
verified: boolean;
|
|
841
|
+
url: string;
|
|
842
|
+
}
|
|
843
|
+
/**
|
|
844
|
+
* @see [Strava - SummaryGear](https://developers.strava.com/docs/reference/#api-models-SummaryGear)
|
|
845
|
+
*/
|
|
846
|
+
interface SummaryGear {
|
|
847
|
+
id: string;
|
|
848
|
+
resource_state: number;
|
|
849
|
+
primary: boolean;
|
|
850
|
+
name: string;
|
|
851
|
+
distance: number;
|
|
852
|
+
}
|
|
853
|
+
/**
|
|
854
|
+
* @see [Strava - DetailedAthlete](https://developers.strava.com/docs/reference/#api-models-DetailedAthlete)
|
|
855
|
+
*/
|
|
856
|
+
interface StravaProfile {
|
|
857
|
+
id: number;
|
|
858
|
+
resource_state: number;
|
|
859
|
+
firstname: string;
|
|
860
|
+
lastname: string;
|
|
861
|
+
bio: string | null;
|
|
862
|
+
profile: string;
|
|
863
|
+
profile_medium: string;
|
|
864
|
+
city: string;
|
|
865
|
+
state: string;
|
|
866
|
+
country: string;
|
|
867
|
+
sex: string;
|
|
868
|
+
premium: boolean;
|
|
869
|
+
summit: boolean;
|
|
870
|
+
created_at: Date;
|
|
871
|
+
updated_at: Date;
|
|
872
|
+
badge_type_id: number;
|
|
873
|
+
weight: number;
|
|
874
|
+
friend: null;
|
|
875
|
+
follower: null;
|
|
876
|
+
follower_count: number;
|
|
877
|
+
friend_count: number;
|
|
878
|
+
measurement_preference: string;
|
|
879
|
+
ftp: number;
|
|
880
|
+
clubs: SummaryClub[];
|
|
881
|
+
bikes: SummaryGear[];
|
|
882
|
+
shoes: SummaryGear[];
|
|
883
|
+
}
|
|
884
|
+
/**
|
|
885
|
+
* Strava OAuth Provider
|
|
886
|
+
* @see [Strava - Getting Started with the Strava API](https://developers.strava.com/docs/getting-started/)
|
|
887
|
+
* @see [Strava - My Applications](https://www.strava.com/settings/api)
|
|
888
|
+
* @see [Strava - Authentication](https://developers.strava.com/docs/authentication/)
|
|
889
|
+
* @see [Strava - API Application](https://www.strava.com/settings/api)
|
|
890
|
+
* @see [Strava - API Reference](https://developers.strava.com/docs/reference/)
|
|
891
|
+
*/
|
|
892
|
+
declare const strava: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<StravaProfile, DefaultUser>>) => OAuthProviderCredentials<StravaProfile, DefaultUser>;
|
|
893
|
+
//#endregion
|
|
894
|
+
//#region src/oauth/mailchimp.d.ts
|
|
895
|
+
interface Login {
|
|
896
|
+
email: string;
|
|
897
|
+
avatar: string | null;
|
|
898
|
+
login_id: number;
|
|
899
|
+
login_name: string;
|
|
900
|
+
login_email: string;
|
|
901
|
+
}
|
|
902
|
+
/**
|
|
903
|
+
* @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/authentication/)
|
|
904
|
+
*/
|
|
905
|
+
interface MailchimpProfile {
|
|
906
|
+
dc: string;
|
|
907
|
+
role: string;
|
|
908
|
+
accountname: string;
|
|
909
|
+
user_id: string;
|
|
910
|
+
login: Login;
|
|
911
|
+
login_url: string;
|
|
912
|
+
api_endpoint: string;
|
|
913
|
+
}
|
|
914
|
+
/**
|
|
915
|
+
* Mailchimp OAuth Provider
|
|
916
|
+
* @see [Mailchimp - Marketing API](https://mailchimp.com/developer/marketing/api/)
|
|
917
|
+
* @see [Mailchimp - Apps](https://us1.admin.mailchimp.com/account/oauth2/)
|
|
918
|
+
* @see [Mailchimp - Create an Application](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/#register-your-app)
|
|
919
|
+
* @see [Mailchimp - OAuth 2.0 Docs](https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/)
|
|
920
|
+
* @see [Mailchimp - API Root](https://mailchimp.com/developer/marketing/api/root/)
|
|
921
|
+
*/
|
|
922
|
+
declare const mailchimp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<MailchimpProfile, DefaultUser>>) => OAuthProviderCredentials<MailchimpProfile, DefaultUser>;
|
|
923
|
+
//#endregion
|
|
924
|
+
//#region src/oauth/pinterest.d.ts
|
|
925
|
+
/**
|
|
926
|
+
* @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
|
|
927
|
+
*/
|
|
928
|
+
interface PinterestProfile {
|
|
929
|
+
account_type: LiteralUnion<"PINNER">;
|
|
930
|
+
id: string;
|
|
931
|
+
profile_image: string;
|
|
932
|
+
website_url: string;
|
|
933
|
+
username: string;
|
|
934
|
+
about: string;
|
|
935
|
+
business_name: string;
|
|
936
|
+
board_count: number;
|
|
937
|
+
pin_count: number;
|
|
938
|
+
follower_count: number;
|
|
939
|
+
following_count: number;
|
|
940
|
+
monthly_views: number;
|
|
941
|
+
}
|
|
942
|
+
/**
|
|
943
|
+
* @see [Pinterest - Connect App](https://developers.pinterest.com/docs/getting-started/connect-app/)
|
|
944
|
+
* @see [Pinterest - My Apps](https://developers.pinterest.com/apps/)
|
|
945
|
+
* @see [Pinterest - Get User Account](https://developers.pinterest.com/docs/api/v5/user_account-get)
|
|
946
|
+
*/
|
|
947
|
+
declare const pinterest: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<PinterestProfile, DefaultUser>>) => OAuthProviderCredentials<PinterestProfile, DefaultUser>;
|
|
948
|
+
//#endregion
|
|
949
|
+
//#region src/oauth/twitch.d.ts
|
|
950
|
+
/**
|
|
951
|
+
* @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
|
|
952
|
+
*/
|
|
953
|
+
interface TwitchProfile {
|
|
954
|
+
id: string;
|
|
955
|
+
login: string;
|
|
956
|
+
display_name: string;
|
|
957
|
+
type: string;
|
|
958
|
+
broadcaster_type: string;
|
|
959
|
+
description: string;
|
|
960
|
+
profile_image_url: string;
|
|
961
|
+
offline_image_url: string;
|
|
962
|
+
view_count: number;
|
|
963
|
+
email?: string;
|
|
964
|
+
created_at: string;
|
|
965
|
+
}
|
|
966
|
+
/**
|
|
967
|
+
* @see [Twitch - Get Started with the Twitch API](https://dev.twitch.tv/docs/api/get-started/)
|
|
968
|
+
* @see [Twitch - Authorization code grant flow](https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#authorization-code-grant-flow)
|
|
969
|
+
* @see [Twitch - Register Your App](https://dev.twitch.tv/docs/authentication/register-app)
|
|
970
|
+
* @see [Twitch - Setting up Two-Factor Authentication (2FA)](https://help.twitch.tv/s/article/two-factor-authentication?language=en_US)
|
|
971
|
+
* @see [Twitch - Security and Privacy](https://www.twitch.tv/settings/security)
|
|
972
|
+
* @see [Twitch - Get Users](https://dev.twitch.tv/docs/api/reference#get-users)
|
|
973
|
+
* @see [Twitch - Scopes](https://dev.twitch.tv/docs/authentication/scopes/)
|
|
974
|
+
*/
|
|
975
|
+
declare const twitch: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<TwitchProfile, DefaultUser>>) => OAuthProviderCredentials<TwitchProfile, DefaultUser>;
|
|
976
|
+
//#endregion
|
|
977
|
+
//#region src/oauth/notion.d.ts
|
|
978
|
+
interface Person {
|
|
979
|
+
email: string;
|
|
980
|
+
}
|
|
981
|
+
interface NotionUser {
|
|
982
|
+
object: "user";
|
|
983
|
+
id: string;
|
|
984
|
+
name: string;
|
|
985
|
+
avatar_url: string | null;
|
|
986
|
+
type: "person";
|
|
987
|
+
person: Person;
|
|
988
|
+
}
|
|
989
|
+
interface Owner {
|
|
990
|
+
type: "user";
|
|
991
|
+
user: NotionUser;
|
|
992
|
+
}
|
|
993
|
+
interface Bot {
|
|
994
|
+
owner: Owner;
|
|
995
|
+
}
|
|
996
|
+
/**
|
|
997
|
+
* @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
|
|
998
|
+
*/
|
|
999
|
+
interface NotionProfile {
|
|
1000
|
+
object: "user";
|
|
1001
|
+
id: string;
|
|
1002
|
+
name: string;
|
|
1003
|
+
avatar_url: string | null;
|
|
1004
|
+
type: "bot";
|
|
1005
|
+
bot: Bot;
|
|
1006
|
+
}
|
|
1007
|
+
/**
|
|
1008
|
+
* @see [Notion - Developer Documentation](https://developers.notion.com/)
|
|
1009
|
+
* @see [Notion - Authorization](https://developers.notion.com/docs/authorization)
|
|
1010
|
+
* @see [Notion - Authentication](https://developers.notion.com/reference/authentication)
|
|
1011
|
+
* @see [Notion - Retrieve your token's bot user](https://developers.notion.com/reference/get-self)
|
|
1012
|
+
*/
|
|
1013
|
+
declare const notion: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<NotionProfile, DefaultUser>>) => OAuthProviderCredentials<NotionProfile, DefaultUser>;
|
|
1014
|
+
//#endregion
|
|
1015
|
+
//#region src/oauth/dropbox.d.ts
|
|
1016
|
+
type AccountType = "basic" | "pro" | "business";
|
|
1017
|
+
interface Name {
|
|
1018
|
+
given_name: string;
|
|
1019
|
+
surname: string;
|
|
1020
|
+
familiar_name: string;
|
|
1021
|
+
display_name: string;
|
|
1022
|
+
abbreviated_name: string;
|
|
1023
|
+
}
|
|
1024
|
+
interface RootInfo {
|
|
1025
|
+
team: RootInfo;
|
|
1026
|
+
user: RootInfo;
|
|
1027
|
+
}
|
|
1028
|
+
interface FullTeam {
|
|
1029
|
+
id: string;
|
|
1030
|
+
name: string;
|
|
1031
|
+
sharing_policies: Record<string, unknown>;
|
|
1032
|
+
office_addin_policy: unknown;
|
|
1033
|
+
top_level_content_policy: unknown;
|
|
1034
|
+
}
|
|
1035
|
+
interface DropboxProfile {
|
|
1036
|
+
account_id: string;
|
|
1037
|
+
name: Name;
|
|
1038
|
+
email: string;
|
|
1039
|
+
email_verified: boolean;
|
|
1040
|
+
disabled: boolean;
|
|
1041
|
+
locale: string;
|
|
1042
|
+
referral_link: string;
|
|
1043
|
+
is_paired: boolean;
|
|
1044
|
+
account_type: AccountType;
|
|
1045
|
+
root_info: unknown;
|
|
1046
|
+
profile_photo_url?: string;
|
|
1047
|
+
country: string;
|
|
1048
|
+
team?: unknown;
|
|
1049
|
+
team_member_id?: string;
|
|
1050
|
+
}
|
|
1051
|
+
/**
|
|
1052
|
+
* @see [Dropbox - OAuth Guide](https://developers.dropbox.com/oauth-guide)
|
|
1053
|
+
* @see [Dropbox - API v2](https://www.dropbox.com/developers/documentation/http/documentation)
|
|
1054
|
+
* @see [Dropbox - Get Current Account](https://www.dropbox.com/developers/documentation/http/documentation#users-get_current_account)
|
|
1055
|
+
* @see [Dropbox - My Apps](https://www.dropbox.com/developers/apps)
|
|
1056
|
+
* @see [Dropbox - Developer Guide](https://www.dropbox.com/developers/reference/developer-guide)
|
|
1057
|
+
*/
|
|
1058
|
+
declare const dropbox: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DropboxProfile, DefaultUser>>) => OAuthProviderCredentials<DropboxProfile, DefaultUser>;
|
|
1059
|
+
//#endregion
|
|
1060
|
+
//#region src/oauth/atlassian.d.ts
|
|
1061
|
+
interface ExtendedProfile {
|
|
1062
|
+
job_title: string;
|
|
1063
|
+
organization: string;
|
|
1064
|
+
department: string;
|
|
1065
|
+
location: string;
|
|
1066
|
+
}
|
|
1067
|
+
interface AtlassianProfile {
|
|
1068
|
+
account_id: string;
|
|
1069
|
+
account_type: string;
|
|
1070
|
+
account_status: LiteralUnion<"active">;
|
|
1071
|
+
email: string;
|
|
1072
|
+
email_verified: boolean;
|
|
1073
|
+
name: string;
|
|
1074
|
+
picture: string;
|
|
1075
|
+
nickname: string;
|
|
1076
|
+
zoneinfo: string;
|
|
1077
|
+
locale: string;
|
|
1078
|
+
extended_profile: ExtendedProfile;
|
|
1079
|
+
last_updated: string;
|
|
1080
|
+
created_at: string;
|
|
1081
|
+
}
|
|
1082
|
+
/**
|
|
1083
|
+
* @see [Atlassian - OAuth Apps](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/)
|
|
1084
|
+
* @see [Atlassian - My Apps](https://developer.atlassian.com/console/myapps/)
|
|
1085
|
+
* @see [Atlassian - Retrieve Authenticated User](https://developer.atlassian.com/cloud/jira/software/oauth-2-3lo-apps/#how-do-i-retrieve-the-public-profile-of-the-authenticated-user-)
|
|
1086
|
+
*/
|
|
1087
|
+
declare const atlassian: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1088
|
+
//#endregion
|
|
1089
|
+
//#region src/oauth/click-up.d.ts
|
|
1090
|
+
/**
|
|
1091
|
+
* @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
|
|
1092
|
+
*/
|
|
1093
|
+
interface ClickUpProfile {
|
|
1094
|
+
user: {
|
|
1095
|
+
id: number;
|
|
1096
|
+
username: string;
|
|
1097
|
+
email: string;
|
|
1098
|
+
color: string;
|
|
1099
|
+
profilePicture: string;
|
|
1100
|
+
initials: string;
|
|
1101
|
+
week_start_day: number;
|
|
1102
|
+
global_font_support: boolean;
|
|
1103
|
+
timezone: string;
|
|
1104
|
+
};
|
|
1105
|
+
}
|
|
1106
|
+
/**
|
|
1107
|
+
* ClickUp OAuth Provider
|
|
1108
|
+
*
|
|
1109
|
+
* @see [Click Up - Create your own app](https://help.clickup.com/hc/en-us/articles/6303422883095-Create-your-own-app-with-the-ClickUp-API)
|
|
1110
|
+
* @see [Click Up - Authentication](https://developer.clickup.com/docs/authentication)
|
|
1111
|
+
* @see [Click UP - Get Access Token](https://developer.clickup.com/reference/getaccesstoken)
|
|
1112
|
+
* @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
|
|
1113
|
+
*/
|
|
1114
|
+
declare const clickUp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
|
|
1115
|
+
//#endregion
|
|
1116
|
+
//#region src/oauth/dribbble.d.ts
|
|
1117
|
+
/**
|
|
1118
|
+
* @see [Dribble - User](https://developer.dribbble.com/v2/user/)
|
|
1119
|
+
*/
|
|
1120
|
+
interface DribbbleDefault {
|
|
1121
|
+
id: number;
|
|
1122
|
+
name: string;
|
|
1123
|
+
login: string;
|
|
1124
|
+
html_url: string;
|
|
1125
|
+
avatar_url: string;
|
|
1126
|
+
bio: string;
|
|
1127
|
+
location: string;
|
|
1128
|
+
links?: {
|
|
1129
|
+
web?: string;
|
|
1130
|
+
twitter?: string;
|
|
1131
|
+
};
|
|
1132
|
+
created_at: string;
|
|
1133
|
+
}
|
|
1134
|
+
interface DribbbleTeams extends DribbbleDefault {
|
|
1135
|
+
type: "Team";
|
|
1136
|
+
updated_at: string;
|
|
1137
|
+
}
|
|
1138
|
+
interface DribbbleProfile extends DribbbleDefault {
|
|
1139
|
+
type: "User";
|
|
1140
|
+
/** Not documented but available in the API response */
|
|
1141
|
+
email: string | null;
|
|
1142
|
+
can_upload_shot: boolean;
|
|
1143
|
+
pro: boolean;
|
|
1144
|
+
followers_count: number;
|
|
1145
|
+
teams: DribbbleTeams[];
|
|
1146
|
+
}
|
|
1147
|
+
/**
|
|
1148
|
+
* Dribbble OAuth provider
|
|
1149
|
+
*
|
|
1150
|
+
* @see [Dribbble - Register Application](https://dribbble.com/account/applications/new)
|
|
1151
|
+
* @see [Dribbble - OAuth](https://developer.dribbble.com/v2/oauth/)
|
|
1152
|
+
* @see [Dribbble - User](https://developer.dribbble.com/v2/user/)
|
|
1153
|
+
*/
|
|
1154
|
+
declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1155
|
+
//#endregion
|
|
1156
|
+
//#region src/oauth/index.d.ts
|
|
1157
|
+
declare const builtInOAuthProviders: {
|
|
1158
|
+
readonly github: <DefaultUser extends User = {
|
|
1159
|
+
sub: string;
|
|
1160
|
+
name?: string | null | undefined;
|
|
1161
|
+
image?: string | null | undefined;
|
|
1162
|
+
email?: string | null | undefined;
|
|
1163
|
+
}>(options?: Partial<OAuthProviderCredentials<GitHubProfile, DefaultUser>>) => OAuthProviderCredentials<GitHubProfile, DefaultUser>;
|
|
1164
|
+
readonly bitbucket: <DefaultUser extends User = {
|
|
1165
|
+
sub: string;
|
|
1166
|
+
name?: string | null | undefined;
|
|
1167
|
+
image?: string | null | undefined;
|
|
1168
|
+
email?: string | null | undefined;
|
|
1169
|
+
}>(options?: Partial<OAuthProviderCredentials<BitbucketProfile, DefaultUser>>) => OAuthProviderCredentials<BitbucketProfile, DefaultUser>;
|
|
1170
|
+
readonly figma: <DefaultUser extends User = {
|
|
1171
|
+
sub: string;
|
|
1172
|
+
name?: string | null | undefined;
|
|
1173
|
+
image?: string | null | undefined;
|
|
1174
|
+
email?: string | null | undefined;
|
|
1175
|
+
}>(options?: Partial<OAuthProviderCredentials<FigmaProfile, DefaultUser>>) => OAuthProviderCredentials<FigmaProfile, DefaultUser>;
|
|
1176
|
+
readonly discord: <DefaultUser extends User = {
|
|
1177
|
+
sub: string;
|
|
1178
|
+
name?: string | null | undefined;
|
|
1179
|
+
image?: string | null | undefined;
|
|
1180
|
+
email?: string | null | undefined;
|
|
1181
|
+
}>(options?: Partial<OAuthProviderCredentials<DiscordProfile, DefaultUser>>) => OAuthProviderCredentials<DiscordProfile, DefaultUser>;
|
|
1182
|
+
readonly gitlab: <DefaultUser extends User = {
|
|
1183
|
+
sub: string;
|
|
1184
|
+
name?: string | null | undefined;
|
|
1185
|
+
image?: string | null | undefined;
|
|
1186
|
+
email?: string | null | undefined;
|
|
1187
|
+
}>(options?: Partial<OAuthProviderCredentials<GitLabProfile, DefaultUser>>) => OAuthProviderCredentials<GitLabProfile, DefaultUser>;
|
|
1188
|
+
readonly spotify: <DefaultUser extends User = {
|
|
1189
|
+
sub: string;
|
|
1190
|
+
name?: string | null | undefined;
|
|
1191
|
+
image?: string | null | undefined;
|
|
1192
|
+
email?: string | null | undefined;
|
|
1193
|
+
}>(options?: Partial<OAuthProviderCredentials<SpotifyProfile, DefaultUser>>) => OAuthProviderCredentials<SpotifyProfile, DefaultUser>;
|
|
1194
|
+
readonly x: <DefaultUser extends User = {
|
|
1195
|
+
sub: string;
|
|
1196
|
+
name?: string | null | undefined;
|
|
1197
|
+
image?: string | null | undefined;
|
|
1198
|
+
email?: string | null | undefined;
|
|
1199
|
+
}>(options?: Partial<OAuthProviderCredentials<XProfile, DefaultUser>>) => OAuthProviderCredentials<XProfile, DefaultUser>;
|
|
1200
|
+
readonly strava: <DefaultUser extends User = {
|
|
1201
|
+
sub: string;
|
|
1202
|
+
name?: string | null | undefined;
|
|
1203
|
+
image?: string | null | undefined;
|
|
1204
|
+
email?: string | null | undefined;
|
|
1205
|
+
}>(options?: Partial<OAuthProviderCredentials<StravaProfile, DefaultUser>>) => OAuthProviderCredentials<StravaProfile, DefaultUser>;
|
|
1206
|
+
readonly mailchimp: <DefaultUser extends User = {
|
|
1207
|
+
sub: string;
|
|
1208
|
+
name?: string | null | undefined;
|
|
1209
|
+
image?: string | null | undefined;
|
|
1210
|
+
email?: string | null | undefined;
|
|
1211
|
+
}>(options?: Partial<OAuthProviderCredentials<MailchimpProfile, DefaultUser>>) => OAuthProviderCredentials<MailchimpProfile, DefaultUser>;
|
|
1212
|
+
readonly pinterest: <DefaultUser extends User = {
|
|
1213
|
+
sub: string;
|
|
1214
|
+
name?: string | null | undefined;
|
|
1215
|
+
image?: string | null | undefined;
|
|
1216
|
+
email?: string | null | undefined;
|
|
1217
|
+
}>(options?: Partial<OAuthProviderCredentials<PinterestProfile, DefaultUser>>) => OAuthProviderCredentials<PinterestProfile, DefaultUser>;
|
|
1218
|
+
readonly twitch: <DefaultUser extends User = {
|
|
1219
|
+
sub: string;
|
|
1220
|
+
name?: string | null | undefined;
|
|
1221
|
+
image?: string | null | undefined;
|
|
1222
|
+
email?: string | null | undefined;
|
|
1223
|
+
}>(options?: Partial<OAuthProviderCredentials<TwitchProfile, DefaultUser>>) => OAuthProviderCredentials<TwitchProfile, DefaultUser>;
|
|
1224
|
+
readonly notion: <DefaultUser extends User = {
|
|
1225
|
+
sub: string;
|
|
1226
|
+
name?: string | null | undefined;
|
|
1227
|
+
image?: string | null | undefined;
|
|
1228
|
+
email?: string | null | undefined;
|
|
1229
|
+
}>(options?: Partial<OAuthProviderCredentials<NotionProfile, DefaultUser>>) => OAuthProviderCredentials<NotionProfile, DefaultUser>;
|
|
1230
|
+
readonly dropbox: <DefaultUser extends User = {
|
|
1231
|
+
sub: string;
|
|
1232
|
+
name?: string | null | undefined;
|
|
1233
|
+
image?: string | null | undefined;
|
|
1234
|
+
email?: string | null | undefined;
|
|
1235
|
+
}>(options?: Partial<OAuthProviderCredentials<DropboxProfile, DefaultUser>>) => OAuthProviderCredentials<DropboxProfile, DefaultUser>;
|
|
1236
|
+
readonly atlassian: <DefaultUser extends User = {
|
|
1237
|
+
sub: string;
|
|
1238
|
+
name?: string | null | undefined;
|
|
1239
|
+
image?: string | null | undefined;
|
|
1240
|
+
email?: string | null | undefined;
|
|
1241
|
+
}>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1242
|
+
readonly clickUp: <DefaultUser extends User = {
|
|
1243
|
+
sub: string;
|
|
1244
|
+
name?: string | null | undefined;
|
|
1245
|
+
image?: string | null | undefined;
|
|
1246
|
+
email?: string | null | undefined;
|
|
1247
|
+
}>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
|
|
1248
|
+
readonly dribbble: <DefaultUser extends User = {
|
|
1249
|
+
sub: string;
|
|
1250
|
+
name?: string | null | undefined;
|
|
1251
|
+
image?: string | null | undefined;
|
|
1252
|
+
email?: string | null | undefined;
|
|
1253
|
+
}>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1254
|
+
};
|
|
1255
|
+
/**
|
|
1256
|
+
* Constructs OAuth provider configurations from an array of provider names or configurations.
|
|
1257
|
+
* It loads the client ID and client secret from environment variables if only the provider name is provided.
|
|
1258
|
+
*
|
|
1259
|
+
* @param oauth - Array of OAuth provider configurations or provider names to be defined from environment variables
|
|
1260
|
+
* @returns A record of OAuth provider configurations
|
|
1261
|
+
* @example
|
|
1262
|
+
* // Using built-in provider with env variables
|
|
1263
|
+
* createBuiltInOAuthProviders(["github"])
|
|
1264
|
+
*
|
|
1265
|
+
* // Using built-in provider with explicit credentials via factory
|
|
1266
|
+
* createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
|
|
1267
|
+
*/
|
|
1268
|
+
declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
|
|
1269
|
+
type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
|
|
1270
|
+
//#endregion
|
|
1271
|
+
//#region src/@types/session.d.ts
|
|
1272
|
+
/** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
|
|
1273
|
+
type User = infer$1<typeof UserIdentity>;
|
|
1274
|
+
/**
|
|
1275
|
+
* Session data returned by the session endpoint.
|
|
1276
|
+
*/
|
|
1277
|
+
interface Session<DefaultUser extends User = User> {
|
|
1278
|
+
user: DefaultUser;
|
|
1279
|
+
expires: string;
|
|
1280
|
+
}
|
|
1281
|
+
interface CryptoSecret {
|
|
1282
|
+
sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1283
|
+
encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1284
|
+
}
|
|
1285
|
+
interface AsymmetricKeyPairFromEnv {
|
|
1286
|
+
publicKey: string;
|
|
1287
|
+
privateKey: string;
|
|
1288
|
+
}
|
|
1289
|
+
interface AsymmetricKeyPair {
|
|
1290
|
+
publicKey: CryptoKey | JWK;
|
|
1291
|
+
privateKey: CryptoKey | JWK;
|
|
1292
|
+
}
|
|
1293
|
+
/**
|
|
1294
|
+
* A symmetric secret or asymmetric key pair used for JWT operations.
|
|
1295
|
+
*
|
|
1296
|
+
* - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
|
|
1297
|
+
* - CryptoKey: Web Crypto API key, for environments that support it
|
|
1298
|
+
* - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
|
|
1299
|
+
*/
|
|
1300
|
+
type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
|
|
1301
|
+
/**
|
|
1302
|
+
* @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
|
|
1303
|
+
*/
|
|
1304
|
+
type JWTKey = SecretKey;
|
|
1305
|
+
/**
|
|
1306
|
+
* - "signed" → standard JWS (e.g. HS256, RS256, ES256).
|
|
1307
|
+
* - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
|
|
1308
|
+
* - "sealed" → JWS nested inside JWE (signed then encrypted).
|
|
1309
|
+
*/
|
|
1310
|
+
type JWTMode = "signed" | "encrypted" | "sealed";
|
|
1311
|
+
/**
|
|
1312
|
+
* Signing algorithms for "signed" and "sealed" modes.
|
|
1313
|
+
* Symmetric: HS256 | HS384 | HS512
|
|
1314
|
+
* Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
|
|
1315
|
+
*/
|
|
1316
|
+
type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
|
|
1317
|
+
/**
|
|
1318
|
+
* Key-wrapping algorithms for "encrypted" and "sealed" modes.
|
|
1319
|
+
* Symmetric: A128KW | A192KW | A256KW | dir (direct)
|
|
1320
|
+
* ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
|
|
1321
|
+
* RSA: RSA-OAEP | RSA-OAEP-256
|
|
1322
|
+
*/
|
|
1323
|
+
type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
|
|
1324
|
+
/** Content-encryption algorithms for JWE. */
|
|
1325
|
+
type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
|
|
1326
|
+
/** Signed JWT mode configuration. */
|
|
1327
|
+
type JWTSignedMode = {
|
|
1328
|
+
mode: "signed";
|
|
1329
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1330
|
+
};
|
|
1331
|
+
/** Encrypted JWT mode configuration. */
|
|
1332
|
+
type JWTEncryptedMode = {
|
|
1333
|
+
mode: "encrypted";
|
|
1334
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1335
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1336
|
+
};
|
|
1337
|
+
/** Signed and Encrypted JWT mode configuration. */
|
|
1338
|
+
type JWTSealedMode = {
|
|
1339
|
+
mode?: "sealed";
|
|
1340
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1341
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1342
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1343
|
+
};
|
|
1344
|
+
/** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
|
|
1345
|
+
type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
|
|
1346
|
+
/** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
|
|
1347
|
+
type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
|
|
1348
|
+
type JWTConfig = Prettify$1<{
|
|
1349
|
+
/**
|
|
1350
|
+
* Token lifetime.
|
|
1351
|
+
*/
|
|
1352
|
+
maxAge?: number;
|
|
1353
|
+
/**
|
|
1354
|
+
* JWT `iss` (issuer) claim. Set this to your app's canonical URL.
|
|
1355
|
+
* @example "https://auth.example.com"
|
|
1356
|
+
*/
|
|
1357
|
+
issuer?: string;
|
|
1358
|
+
/**
|
|
1359
|
+
* JWT `aud` claim. Single value or array for multi-audience tokens.
|
|
1360
|
+
* @example ["https://api.example.com", "https://app.example.com"]
|
|
1361
|
+
*/
|
|
1362
|
+
audience?: string | string[];
|
|
1363
|
+
/**
|
|
1364
|
+
* Maximum absolute session duration in seconds.
|
|
1365
|
+
* Required for "absolute" and "sliding" strategies.
|
|
1366
|
+
* Enforced via jose's maxTokenAge against the iat claim.
|
|
1367
|
+
*/
|
|
1368
|
+
maxExpiration?: number;
|
|
1369
|
+
/**
|
|
1370
|
+
* Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
|
|
1371
|
+
*/
|
|
1372
|
+
expirationStrategy?: JWTExpirationStrategy;
|
|
1373
|
+
} & JWTConfigBase>;
|
|
1374
|
+
/**
|
|
1375
|
+
* Stateless JWT strategy.
|
|
1376
|
+
* No database required. Tokens are self-contained and cannot be revoked
|
|
1377
|
+
* before they expire — keep `jwt.maxAge` short or enable refresh tokens.
|
|
1378
|
+
*
|
|
1379
|
+
* @example
|
|
1380
|
+
* {
|
|
1381
|
+
* strategy: "jwt",
|
|
1382
|
+
* jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
|
|
1383
|
+
* refreshToken: { enabled: true, maxAge: "7d" },
|
|
1384
|
+
* }
|
|
1385
|
+
*/
|
|
1386
|
+
type StatelessStrategyConfig = {
|
|
1387
|
+
strategy?: "jwt";
|
|
1388
|
+
jwt?: JWTConfig;
|
|
1389
|
+
};
|
|
1390
|
+
/**
|
|
1391
|
+
* The session strategy. Determines which fields below are required.
|
|
1392
|
+
*
|
|
1393
|
+
* - "jwt": stateless. No database needed. JWTs are self-contained.
|
|
1394
|
+
* - "database": stateful. Every request hits the DB to validate the session.
|
|
1395
|
+
* - "hybrid": JWT transport + DB revocation. Best of both for most apps.
|
|
1396
|
+
*
|
|
1397
|
+
* @default "jwt"
|
|
1398
|
+
*/
|
|
1399
|
+
type SessionConfig = StatelessStrategyConfig;
|
|
1400
|
+
/** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
|
|
1401
|
+
interface GetStatelessSessionReturn<DefaultUser extends User = User> {
|
|
1402
|
+
session: Session<DefaultUser> | null;
|
|
1403
|
+
headers: Headers;
|
|
1404
|
+
}
|
|
1405
|
+
/**
|
|
1406
|
+
* Abstraction layer for session management.
|
|
1407
|
+
*/
|
|
1408
|
+
interface SessionStrategy<DefaultUser extends User = User> {
|
|
1409
|
+
/**
|
|
1410
|
+
* Read and validate the session from an incoming request.
|
|
1411
|
+
* Returns null if absent, invalid, or expired. Never throws on auth failure.
|
|
1412
|
+
*/
|
|
1413
|
+
getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
|
|
1414
|
+
/**
|
|
1415
|
+
* Create a session after successful authentication.
|
|
1416
|
+
* Signs the JWT / writes the DB row / sets cookies.
|
|
1417
|
+
*/
|
|
1418
|
+
createSession(session: User): Promise<string>;
|
|
1419
|
+
/**
|
|
1420
|
+
* Attempt to refresh using the refresh token cookie.
|
|
1421
|
+
* Returns null session + cookie-clearing response on any failure.
|
|
1422
|
+
*/
|
|
1423
|
+
refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
|
|
1424
|
+
session: Session<DefaultUser> | null;
|
|
1425
|
+
headers: Headers;
|
|
1426
|
+
}>;
|
|
1427
|
+
/**
|
|
1428
|
+
* Revoke a session by ID.
|
|
1429
|
+
* JWT strategy: best-effort (clears cookies, no server state).
|
|
1430
|
+
* Database / hybrid: marks row inactive.
|
|
1431
|
+
*/
|
|
1432
|
+
revokeSession(sessionId: string): Promise<void>;
|
|
1433
|
+
/**
|
|
1434
|
+
* Destroy the session attached to this request (logout).
|
|
1435
|
+
* Returns a response that clears cookies.
|
|
1436
|
+
*/
|
|
1437
|
+
destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
|
|
1438
|
+
}
|
|
1439
|
+
/** Inputs for constructing a session strategy implementation for a given identity schema. */
|
|
1440
|
+
interface CreateSessionStrategyOptions<Identity extends Identities> {
|
|
1441
|
+
config?: SessionConfig;
|
|
1442
|
+
jose: JoseInstance<FromShapeToObject<Identity> & User>;
|
|
1443
|
+
cookies: () => CookieStoreConfig;
|
|
1444
|
+
logger?: InternalLogger;
|
|
1445
|
+
identity: SchemaRegistryContext;
|
|
1446
|
+
}
|
|
1447
|
+
/** Options specialized for the JWT-backed session strategy. */
|
|
1448
|
+
interface JWTStrategyOptions<DefaultUser extends User = User> {
|
|
1449
|
+
config?: StatelessStrategyConfig;
|
|
1450
|
+
jose: JoseInstance<DefaultUser>;
|
|
1451
|
+
logger?: InternalLogger;
|
|
1452
|
+
cookies: () => CookieStoreConfig;
|
|
1453
|
+
identity: SchemaRegistryContext;
|
|
1454
|
+
}
|
|
1455
|
+
/** Minimal token issue/verify surface used by session code paths. */
|
|
1456
|
+
type JWTManager<DefaultUser extends User = User> = {
|
|
1457
|
+
createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
|
|
1458
|
+
verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
|
|
1459
|
+
};
|
|
1460
|
+
//#endregion
|
|
1461
|
+
//#region src/@types/oauth.d.ts
|
|
1462
|
+
/** Known query parameter names supported when building an OAuth authorization URL. */
|
|
1463
|
+
type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
|
|
1464
|
+
/** OAuth 2.0 `response_type` values used in authorization requests. */
|
|
1465
|
+
type ResponseType = LiteralUnion<"code" | "token" | "refresh_token" | "id_token">;
|
|
1466
|
+
/**
|
|
1467
|
+
* Configuration for an OAuth provider without credentials.
|
|
1468
|
+
* Use this type when defining provider metadata and endpoints.
|
|
1469
|
+
*/
|
|
1470
|
+
interface OAuthProviderConfig<Profile extends object = Record<string, any>, DefaultUser = User> {
|
|
1471
|
+
id: string;
|
|
1472
|
+
name: string;
|
|
1473
|
+
/**
|
|
1474
|
+
* @deprecated
|
|
1475
|
+
* use `authorize` instead of `authorizeURL`
|
|
1476
|
+
*/
|
|
1477
|
+
authorizeURL?: string;
|
|
1478
|
+
authorize: string | {
|
|
1479
|
+
url: string;
|
|
1480
|
+
params?: Partial<Record<AuthorizeParams, string> & {
|
|
1481
|
+
responseType: ResponseType;
|
|
1482
|
+
}>;
|
|
1483
|
+
};
|
|
1484
|
+
accessToken: string | {
|
|
1485
|
+
url: string;
|
|
1486
|
+
headers?: Record<string, string>;
|
|
1487
|
+
};
|
|
1488
|
+
userInfo: string | {
|
|
1489
|
+
url: string;
|
|
1490
|
+
headers?: Record<string, string>;
|
|
1491
|
+
method?: string;
|
|
1492
|
+
};
|
|
1493
|
+
/**
|
|
1494
|
+
* @deprecated
|
|
1495
|
+
* use `authorize.params.scope` instead of `scope`
|
|
1496
|
+
*/
|
|
1497
|
+
scope?: string;
|
|
1498
|
+
/**
|
|
1499
|
+
* @deprecated
|
|
1500
|
+
* use `authorize.params.responseType` instead of `responseType`
|
|
1501
|
+
*/
|
|
1502
|
+
responseType?: ResponseType;
|
|
1503
|
+
profile?: (profile: Profile) => DefaultUser | Promise<DefaultUser>;
|
|
1504
|
+
}
|
|
1505
|
+
/**
|
|
1506
|
+
* OAuth provider configuration with client credentials.
|
|
1507
|
+
* Extends OAuthProviderConfig with clientId and clientSecret.
|
|
1508
|
+
*/
|
|
1509
|
+
interface OAuthProviderCredentials<Profile extends object = Record<string, any>, DefaultUser extends User = User> extends OAuthProviderConfig<Profile, DefaultUser> {
|
|
1510
|
+
clientId?: string;
|
|
1511
|
+
clientSecret?: string;
|
|
1512
|
+
}
|
|
1513
|
+
/**
|
|
1514
|
+
* Complete OAuth provider type combining configuration and credentials.
|
|
1515
|
+
*/
|
|
1516
|
+
type OAuthProvider<Profile extends object = Record<string, any>, DefaultUser extends User = User> = OAuthProviderCredentials<Profile, DefaultUser>;
|
|
1517
|
+
/**
|
|
1518
|
+
* Lookup table of configured OAuth providers keyed by built-in id or custom id.
|
|
1519
|
+
* Values are full credential configs used at runtime for authorize/token/userinfo.
|
|
1520
|
+
*/
|
|
1521
|
+
type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any, DefaultUser>>;
|
|
1522
|
+
//#endregion
|
|
1523
|
+
//#region src/@types/config.d.ts
|
|
1524
|
+
/**
|
|
1525
|
+
* Main configuration interface for Aura Auth.
|
|
1526
|
+
* This is the user-facing configuration object passed to `createAuth()`.
|
|
1527
|
+
*/
|
|
1528
|
+
type AuthConfig<Identity extends Identities> = {
|
|
1529
|
+
/**
|
|
1530
|
+
* OAuth providers available in the authentication and authorization flows. It provides a type-inference
|
|
1531
|
+
* for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
|
|
1532
|
+
* OAuth third-party authorization service by implementing the `OAuthProviderCredentials` interface.
|
|
1533
|
+
*
|
|
1534
|
+
* Built-in OAuth providers:
|
|
1535
|
+
* ```ts
|
|
1536
|
+
* oauth: ["github", "google"]
|
|
1537
|
+
* ```
|
|
1538
|
+
* Custom credentials via factory:
|
|
1539
|
+
* ```ts
|
|
1540
|
+
* oauth: [github({ clientId: "...", clientSecret: "..." })]
|
|
1541
|
+
* ```
|
|
1542
|
+
* Custom OAuth providers:
|
|
1543
|
+
* ```ts
|
|
1544
|
+
* oauth: [
|
|
1545
|
+
* {
|
|
1546
|
+
* id: "oauth-providers",
|
|
1547
|
+
* name: "OAuth",
|
|
1548
|
+
* authorizeURL: "https://example.com/oauth/authorize",
|
|
1549
|
+
* accessToken: "https://example.com/oauth/token",
|
|
1550
|
+
* scope: "profile email",
|
|
1551
|
+
* responseType: "code",
|
|
1552
|
+
* userInfo: "https://example.com/oauth/userinfo",
|
|
1553
|
+
* clientId: process.env.AURA_AUTH_PROVIDER_CLIENT_ID,
|
|
1554
|
+
* clientSecret: process.env.AURA_AUTH_PROVIDER_CLIENT_SECRET,
|
|
1555
|
+
* }
|
|
1556
|
+
* ]
|
|
1557
|
+
* ```
|
|
1558
|
+
*/
|
|
1559
|
+
oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
|
|
1560
|
+
/**
|
|
1561
|
+
* Cookie options defines the configuration for cookies used in Aura Auth.
|
|
1562
|
+
* It includes a prefix for cookie names and flag options to determine
|
|
1563
|
+
* the security and scope of the cookies.
|
|
1564
|
+
*
|
|
1565
|
+
* **⚠️ WARNING:** Ensure that the cookie options are configured correctly to
|
|
1566
|
+
* maintain the security and integrity of the authentication process. `Aura Auth`
|
|
1567
|
+
* is not responsible for misconfigured cookies that may lead to security vulnerabilities.
|
|
1568
|
+
*
|
|
1569
|
+
* - prefix: A string prefix to be added to all cookie names, by default "aura-stack".
|
|
1570
|
+
* - flag options (This attributes help to define the security level of the cookies):
|
|
1571
|
+
* - secure: Cookies use the __Secure- prefix and are only sent over HTTPS connections.
|
|
1572
|
+
* - host: Cookies use the __Host- prefix and are only sent over HTTPS connections.
|
|
1573
|
+
* - standard: Cookies can be sent over both HTTP and HTTPS connections. (default in development)
|
|
1574
|
+
*
|
|
1575
|
+
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
|
|
1576
|
+
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
|
|
1577
|
+
*/
|
|
1578
|
+
cookies?: Partial<CookieConfig>;
|
|
1579
|
+
/**
|
|
1580
|
+
* Secret used to sign and verify JWT tokens for session and csrf protection.
|
|
1581
|
+
* If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
|
|
1582
|
+
* doesn't exist, it will throw an error during the initialization of the Auth module.
|
|
1583
|
+
*
|
|
1584
|
+
* > It can be a string, a Uint8Array, a CryptoKey, a CryptoKeyPair, or an object containing separate keys for
|
|
1585
|
+
* signing and encryption. It depends on the JWT mode and algorithms you choose in the session configuration.
|
|
1586
|
+
* The default mode is "sealed" (signing + encryption), so if the secret is a string or Uint8Array, it will derive
|
|
1587
|
+
* separate keys for signing and encryption using HKDF, but if you provide a CryptoKeyPair, it will required to
|
|
1588
|
+
* pass separate keys for signing and encryption in the `CryptoSecret` format.
|
|
1589
|
+
* @example
|
|
1590
|
+
* import { createSecretValue } from "@aura-stack/auth/crypto"
|
|
1591
|
+
*
|
|
1592
|
+
* secret: createSecretValue(32)
|
|
1593
|
+
*
|
|
1594
|
+
* // For asymmetric keys, generate a key pair and pass the private
|
|
1595
|
+
* import { createKeyPair } from "@aura-stack/auth/crypto"
|
|
1596
|
+
*
|
|
1597
|
+
* const signing = await createKeyPair("RS256", { extractable: true })
|
|
1598
|
+
* const encryption = await createKeyPair("RSA-OAEP-256", { extractable: true })
|
|
1599
|
+
*
|
|
1600
|
+
* secret: {
|
|
1601
|
+
* sign: signing,
|
|
1602
|
+
* encrypt: encryption,
|
|
1603
|
+
* }
|
|
1604
|
+
*/
|
|
1605
|
+
secret?: JWTKey;
|
|
1606
|
+
/**
|
|
1607
|
+
* Base URL of the application, used to construct the incoming request's origin.
|
|
1608
|
+
*/
|
|
1609
|
+
baseURL?: string;
|
|
1610
|
+
/**
|
|
1611
|
+
* Base path for all authentication routes. Default is `/auth`.
|
|
1612
|
+
*/
|
|
1613
|
+
basePath?: `/${string}`;
|
|
1614
|
+
/**
|
|
1615
|
+
* Logger configuration for handling authentication-related logs and errors. It can be set to `true`,
|
|
1616
|
+
* `DEBUG=true`, `LOG_LEVEL=debug`, or a custom logger. It implements the syslog format.
|
|
1617
|
+
*/
|
|
1618
|
+
logger?: boolean | Logger;
|
|
1619
|
+
/**
|
|
1620
|
+
* Defines the session management strategy for Aura Auth. It determines how sessions are created, stored, and validated.
|
|
1621
|
+
*/
|
|
1622
|
+
session?: SessionConfig;
|
|
1623
|
+
/**
|
|
1624
|
+
* Identity schema configuration for user data validation.
|
|
1625
|
+
* Allows you to define a custom Zod schema that will be used to validate:
|
|
1626
|
+
* - OAuth provider profile data
|
|
1627
|
+
* - Session user data
|
|
1628
|
+
* - JWT payload data
|
|
1629
|
+
*
|
|
1630
|
+
* If not provided, the default `UserIdentity` schema will be used.
|
|
1631
|
+
*
|
|
1632
|
+
* @example
|
|
1633
|
+
* identity: {
|
|
1634
|
+
* schema: z.object({
|
|
1635
|
+
* sub: z.string(),
|
|
1636
|
+
* email: z.string().email(),
|
|
1637
|
+
* name: z.string().optional(),
|
|
1638
|
+
* custom_field: z.string().optional(),
|
|
1639
|
+
* }),
|
|
1640
|
+
* skipValidation: false,
|
|
1641
|
+
* unknownKeys: "strip",
|
|
1642
|
+
* }
|
|
1643
|
+
*/
|
|
1644
|
+
identity?: Partial<{
|
|
1645
|
+
/**
|
|
1646
|
+
* Skip schema validation for session data, JWT payloads, and OAuth profiles.
|
|
1647
|
+
* This can be useful for performance optimization if you are certain that the
|
|
1648
|
+
* data is valid, but it can lead to security vulnerabilities if misused.
|
|
1649
|
+
* > ⚠️ WARNING: Use this option with caution.
|
|
1650
|
+
*/
|
|
1651
|
+
skipValidation: boolean;
|
|
1652
|
+
/**
|
|
1653
|
+
* Custom schema validation for user identity data. It supports any Zod, Arktype,
|
|
1654
|
+
* Valibot or Typebox schema. Use `createIdentity` helper function to create a schema
|
|
1655
|
+
* with the correct shape and inference.
|
|
1656
|
+
*/
|
|
1657
|
+
schema: ConfigSchema<Identity>;
|
|
1658
|
+
/**
|
|
1659
|
+
* Defines how unknown keys are handled during schema validation. It can be set to:
|
|
1660
|
+
* - `passthrough`: Unknown keys are allowed and included in the validated data.
|
|
1661
|
+
* - `strict`: Unknown keys will cause validation to fail with an error.
|
|
1662
|
+
* - `strip`: Unknown keys are removed from the validated data.
|
|
1663
|
+
*/
|
|
1664
|
+
unknownKeys: "passthrough" | "strict" | "strip";
|
|
1665
|
+
}>;
|
|
1666
|
+
/**
|
|
1667
|
+
* Credentials provider for username/password or similar authentication.
|
|
1668
|
+
*/
|
|
1669
|
+
credentials?: CredentialsProvider<Identity>;
|
|
1670
|
+
} & TrustedProxyHeadersConfig;
|
|
1671
|
+
type TrustedProxyHeadersConfig = {
|
|
1672
|
+
/**
|
|
1673
|
+
* Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
|
|
1674
|
+
* This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
|
|
1675
|
+
* to determine the original client IP address and protocol.
|
|
1676
|
+
*
|
|
1677
|
+
* Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
|
|
1678
|
+
* Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
|
|
1679
|
+
* inaccurate client IP logging.
|
|
1680
|
+
*
|
|
1681
|
+
* This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
|
|
1682
|
+
*
|
|
1683
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
|
|
1684
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
|
1685
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
|
1686
|
+
* @experimental
|
|
1687
|
+
*/
|
|
1688
|
+
trustedProxyHeaders: true;
|
|
1689
|
+
/**
|
|
1690
|
+
* Defines trusted origins for your application to prevent open redirect attacks.
|
|
1691
|
+
* URLs from the Referer header, Origin header, request URL, and redirectTo option
|
|
1692
|
+
* are validated against this list before redirecting.
|
|
1693
|
+
*
|
|
1694
|
+
* - **Exact URL**: `https://example.com` matches only that origin.
|
|
1695
|
+
* - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
|
|
1696
|
+
*
|
|
1697
|
+
* > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
|
|
1698
|
+
* Only include origins that you control and trust.
|
|
1699
|
+
*
|
|
1700
|
+
* @example
|
|
1701
|
+
* trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
|
|
1702
|
+
*
|
|
1703
|
+
* trustedOrigins: async (request) => {
|
|
1704
|
+
* const origin = new URL(request.url).origin
|
|
1705
|
+
* return [origin, "https://admin.example.com"]
|
|
1706
|
+
* }
|
|
1707
|
+
*/
|
|
1708
|
+
trustedOrigins: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1709
|
+
} | {
|
|
1710
|
+
/**
|
|
1711
|
+
* Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
|
|
1712
|
+
* This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
|
|
1713
|
+
* to determine the original client IP address and protocol.
|
|
1714
|
+
*
|
|
1715
|
+
* Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
|
|
1716
|
+
* Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
|
|
1717
|
+
* inaccurate client IP logging.
|
|
1718
|
+
*
|
|
1719
|
+
* This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
|
|
1720
|
+
*
|
|
1721
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
|
|
1722
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
|
1723
|
+
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
|
1724
|
+
* @experimental
|
|
1725
|
+
*/
|
|
1726
|
+
trustedProxyHeaders?: false;
|
|
1727
|
+
/**
|
|
1728
|
+
* Defines trusted origins for your application to prevent open redirect attacks.
|
|
1729
|
+
* URLs from the Referer header, Origin header, request URL, and redirectTo option
|
|
1730
|
+
* are validated against this list before redirecting.
|
|
1731
|
+
*
|
|
1732
|
+
* - **Exact URL**: `https://example.com` matches only that origin.
|
|
1733
|
+
* - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
|
|
1734
|
+
*
|
|
1735
|
+
* > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
|
|
1736
|
+
* Only include origins that you control and trust.
|
|
1737
|
+
*
|
|
1738
|
+
* @example
|
|
1739
|
+
* trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
|
|
1740
|
+
*
|
|
1741
|
+
* trustedOrigins: async (request) => {
|
|
1742
|
+
* const origin = new URL(request.url).origin
|
|
1743
|
+
* return [origin, "https://admin.example.com"]
|
|
1744
|
+
* }
|
|
1745
|
+
*
|
|
1746
|
+
*/
|
|
1747
|
+
trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1748
|
+
};
|
|
1749
|
+
/**
|
|
1750
|
+
* Cookie type with __Secure- prefix, must be Secure.
|
|
1751
|
+
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
|
|
1752
|
+
*/
|
|
1753
|
+
type SecureCookie = {
|
|
1754
|
+
strategy: "secure";
|
|
1755
|
+
} & Prettify$1<Omit<SerializeOptions, "secure" | "encode">>;
|
|
1756
|
+
/**
|
|
1757
|
+
* Cookie type with __Host- prefix, must be Secure, Path=/, no Domain attribute.
|
|
1758
|
+
* @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__host-prefix
|
|
1759
|
+
*/
|
|
1760
|
+
type HostCookie = {
|
|
1761
|
+
strategy: "host";
|
|
1762
|
+
} & Prettify$1<Omit<SerializeOptions, "secure" | "path" | "domain" | "encode">>;
|
|
1763
|
+
/**
|
|
1764
|
+
* Standard cookie type without security prefixes.
|
|
1765
|
+
* Can be sent over both HTTP and HTTPS connections (default in development).
|
|
1766
|
+
*/
|
|
1767
|
+
type StandardCookie = {
|
|
1768
|
+
strategy?: "standard";
|
|
1769
|
+
} & Prettify$1<Omit<SerializeOptions, "encode">>;
|
|
1770
|
+
/**
|
|
1771
|
+
* Union type for cookie options based on the specified strategy.
|
|
1772
|
+
* - `secure`: Cookies are only sent over HTTPS connections
|
|
1773
|
+
* - `host`: Cookies use the __Host- prefix and are only sent over HTTPS connections
|
|
1774
|
+
* - `standard`: Cookies can be sent over both HTTP and HTTPS connections (default in development)
|
|
1775
|
+
*/
|
|
1776
|
+
type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
|
|
1777
|
+
/**
|
|
1778
|
+
* Names of cookies used by Aura Auth for session management and OAuth flows.
|
|
1779
|
+
* - `sessionToken`: User session JWT
|
|
1780
|
+
* - `csrfToken`: CSRF protection token
|
|
1781
|
+
* - `state`: OAuth state parameter for CSRF protection
|
|
1782
|
+
* - `codeVerifier`: PKCE code verifier for authorization code flow
|
|
1783
|
+
* - `redirectURI`: OAuth callback URI
|
|
1784
|
+
* - `redirectTo`: Post-authentication redirect path
|
|
1785
|
+
*/
|
|
1786
|
+
type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
|
|
1787
|
+
/** Resolved cookie names and serialization attributes for each logical auth cookie. */
|
|
1788
|
+
type CookieStoreConfig = Record<CookieName, {
|
|
1789
|
+
name: string;
|
|
1790
|
+
attributes: CookieStrategyAttributes;
|
|
1791
|
+
}>;
|
|
1792
|
+
interface CookieConfig {
|
|
1793
|
+
/**
|
|
1794
|
+
* Prefix to be added to all cookie names. By default "aura-stack".
|
|
1795
|
+
*/
|
|
1796
|
+
prefix?: string;
|
|
1797
|
+
/**
|
|
1798
|
+
* Overrides for individual cookie configurations.
|
|
1799
|
+
* @see {@link CookieStoreConfig} for the structure of each cookie configuration.
|
|
1800
|
+
*/
|
|
1801
|
+
overrides?: Partial<CookieStoreConfig>;
|
|
1802
|
+
}
|
|
1803
|
+
/**
|
|
1804
|
+
* A trusted origin URL or pattern. Supports:
|
|
1805
|
+
* - Exact: `https://example.com`
|
|
1806
|
+
* - Subdomain wildcard: `https://*.example.com`
|
|
1807
|
+
*/
|
|
1808
|
+
type TrustedOrigin = string;
|
|
1809
|
+
/**
|
|
1810
|
+
* Log level for logger messages.
|
|
1811
|
+
*/
|
|
1812
|
+
type LogLevel = "warn" | "error" | "debug" | "info";
|
|
1813
|
+
/** Defines the Severity between 0 to 7 */
|
|
1814
|
+
type Severity = "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug";
|
|
1815
|
+
/**
|
|
1816
|
+
* @see https://datatracker.ietf.org/doc/html/rfc5424
|
|
1817
|
+
*/
|
|
1818
|
+
type SyslogOptions = {
|
|
1819
|
+
facility: 4 | 10;
|
|
1820
|
+
severity: Severity;
|
|
1821
|
+
timestamp?: string;
|
|
1822
|
+
hostname?: string;
|
|
1823
|
+
appName?: string;
|
|
1824
|
+
procId?: string;
|
|
1825
|
+
msgId: string;
|
|
1826
|
+
message: string;
|
|
1827
|
+
structuredData?: Record<string, string | number | boolean>;
|
|
1828
|
+
};
|
|
1829
|
+
/**
|
|
1830
|
+
* Logger function interface for structured logging.
|
|
1831
|
+
* Called when errors or warnings occur during authentication flows.
|
|
1832
|
+
*/
|
|
1833
|
+
interface Logger {
|
|
1834
|
+
level?: LogLevel;
|
|
1835
|
+
log?: (args: SyslogOptions) => void;
|
|
1836
|
+
}
|
|
1837
|
+
/**
|
|
1838
|
+
* Programmatic auth API returned with the auth instance: `getSession`, `signIn`, `signInCredentials`, `signOut`, `updateSession`.
|
|
1839
|
+
* Each method returns a result object plus `headers` and `toResponse()` for HTTP responses.
|
|
1840
|
+
*/
|
|
1841
|
+
type AuthAPI<DefaultUser extends User = User> = ReturnType<typeof createAuthAPI<DefaultUser>>;
|
|
1842
|
+
/** JWT and crypto helpers bound to the configured identity schema (sign, verify, claims). */
|
|
1843
|
+
type JoseInstance<DefaultUser extends User = User> = ReturnType<typeof createJoseInstance<DefaultUser>>;
|
|
1844
|
+
/** Normalized internal logger with resolved level and structured log function. */
|
|
1845
|
+
interface InternalLogger {
|
|
1846
|
+
level: LogLevel;
|
|
1847
|
+
log: typeof createLogEntry;
|
|
1848
|
+
}
|
|
1849
|
+
/**
|
|
1850
|
+
* Identity validation settings used when building session strategy and OAuth profile mapping.
|
|
1851
|
+
* Controls the Zod schema and how unknown keys are handled on user objects.
|
|
1852
|
+
*/
|
|
1853
|
+
interface IdentityConfig<Schema extends SchemaTypes = typeof UserIdentity> {
|
|
1854
|
+
schema?: Schema;
|
|
1855
|
+
schemaAsPartial?: Schema;
|
|
1856
|
+
skipValidation?: boolean;
|
|
1857
|
+
unknownKeys?: "passthrough" | "strict" | "strip";
|
|
1858
|
+
}
|
|
1859
|
+
/** Payload sent to the credentials sign-in endpoint (username/password flow). */
|
|
1860
|
+
interface CredentialsPayload {
|
|
1861
|
+
username: string;
|
|
1862
|
+
password: string;
|
|
1863
|
+
}
|
|
1864
|
+
/**
|
|
1865
|
+
* Context provided to the credentials provider's authorize function.
|
|
1866
|
+
* It includes the credentials sent by the user and hashing utilities.
|
|
1867
|
+
*/
|
|
1868
|
+
interface CredentialsProviderContext<T> {
|
|
1869
|
+
/**
|
|
1870
|
+
* User-provided credentials (e.g., email, password).
|
|
1871
|
+
*/
|
|
1872
|
+
credentials: T;
|
|
1873
|
+
/**
|
|
1874
|
+
* Hashes a password using the internal hashing algorithm (PBKDF2).
|
|
1875
|
+
*/
|
|
1876
|
+
deriveSecret: (password: string, salt?: string, iterations?: number) => Promise<string>;
|
|
1877
|
+
/**
|
|
1878
|
+
* Verifies a password against a hashed value.
|
|
1879
|
+
*/
|
|
1880
|
+
verifySecret: (password: string, hashedPassword: string) => Promise<boolean>;
|
|
1881
|
+
}
|
|
1882
|
+
/**
|
|
1883
|
+
* Interface for the credentials provider.
|
|
1884
|
+
*/
|
|
1885
|
+
interface CredentialsProvider<Identity extends Identities> {
|
|
1886
|
+
hash?: (password: string, salt?: string, iterations?: number) => Promise<string>;
|
|
1887
|
+
verify?: (password: string, hashedPassword: string) => Promise<boolean>;
|
|
1888
|
+
/**
|
|
1889
|
+
* Authenticates a user using credentials.
|
|
1890
|
+
* Must return a User object or the identity type if the identity schema is provided.
|
|
1891
|
+
*/
|
|
1892
|
+
authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
|
|
1893
|
+
}
|
|
1894
|
+
/**
|
|
1895
|
+
* Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
|
|
1896
|
+
* This is the fully resolved configuration surface after `createAuth` initializes defaults.
|
|
1897
|
+
*/
|
|
1898
|
+
interface RouterGlobalContext<DefaultUser extends User = User> {
|
|
1899
|
+
oauth: OAuthProviderRecord;
|
|
1900
|
+
credentials?: CredentialsProvider<any>;
|
|
1901
|
+
cookies: CookieStoreConfig;
|
|
1902
|
+
jose: JoseInstance<DefaultUser>;
|
|
1903
|
+
secret?: JWTKey;
|
|
1904
|
+
baseURL?: string;
|
|
1905
|
+
basePath: string;
|
|
1906
|
+
trustedProxyHeaders: boolean;
|
|
1907
|
+
trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
|
|
1908
|
+
logger?: InternalLogger;
|
|
1909
|
+
sessionStrategy: SessionStrategy<DefaultUser>;
|
|
1910
|
+
identity: SchemaRegistryContext;
|
|
1911
|
+
}
|
|
1912
|
+
interface SchemaRegistryContext {
|
|
1913
|
+
schemaRegistry: ReturnType<typeof createSchemaRegistry>;
|
|
1914
|
+
skipValidation?: boolean;
|
|
1915
|
+
unknownKeys: "passthrough" | "strict" | "strip";
|
|
1916
|
+
}
|
|
1917
|
+
/**
|
|
1918
|
+
* Internal runtime configuration used within Aura Auth after initialization.
|
|
1919
|
+
* All optional fields from AuthConfig are resolved to their default values.
|
|
1920
|
+
*/
|
|
1921
|
+
type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<DefaultUser>;
|
|
1922
|
+
/**
|
|
1923
|
+
* Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
|
|
1924
|
+
*/
|
|
1925
|
+
interface AuthInstance<DefaultUser extends User = User> {
|
|
1926
|
+
/**
|
|
1927
|
+
* Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
|
|
1928
|
+
*/
|
|
1929
|
+
api: AuthAPI<DefaultUser>;
|
|
1930
|
+
/**
|
|
1931
|
+
* JOSE helper functions for signin, encryption and verification of JWTs.
|
|
1932
|
+
*/
|
|
1933
|
+
jose: JoseInstance<DefaultUser>;
|
|
1934
|
+
/**
|
|
1935
|
+
* HTTP handlers for mounting on a router or server.
|
|
1936
|
+
*/
|
|
1937
|
+
handlers: {
|
|
1938
|
+
GET: (request: Request) => Response | Promise<Response>;
|
|
1939
|
+
POST: (request: Request) => Response | Promise<Response>;
|
|
1940
|
+
PATCH: (request: Request) => Response | Promise<Response>;
|
|
1941
|
+
ALL: (request: Request) => Response | Promise<Response>;
|
|
1942
|
+
};
|
|
1943
|
+
}
|
|
1944
|
+
/**
|
|
1945
|
+
* Extended context used inside the library with both secure and standard cookie materializations.
|
|
1946
|
+
*/
|
|
1947
|
+
type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity> & User> & {
|
|
1948
|
+
cookieConfig: {
|
|
1949
|
+
secure: CookieStoreConfig;
|
|
1950
|
+
standard: CookieStoreConfig;
|
|
1951
|
+
};
|
|
1952
|
+
};
|
|
1953
|
+
//#endregion
|
|
1954
|
+
//#region src/@types/utility.d.ts
|
|
1955
|
+
/** Expands intersection types into a single flat object type for readable editor hints. */
|
|
1956
|
+
type Prettify$1<T> = { [K in keyof T]: T[K] };
|
|
1957
|
+
/**
|
|
1958
|
+
* A string that must be one of the literals in `T`, or any other string (`U`).
|
|
1959
|
+
* Useful for autocomplete on known keys while still allowing custom values.
|
|
1960
|
+
*/
|
|
1961
|
+
type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
|
|
1962
|
+
/**
|
|
1963
|
+
* Transforms a Zod raw shape so nested `ZodObject` fields become editable (same structure, for config authoring).
|
|
1964
|
+
*/
|
|
1965
|
+
type EditableShape<T extends ZodRawShape> = { [K in keyof T]: T[K] extends ZodObject<infer Inner extends ZodRawShape> ? ZodObject<EditableShape<Inner>> : ZodTypeAny };
|
|
1966
|
+
type EditableShapeZod<T extends ZodRawShape> = EditableShape<T>;
|
|
1967
|
+
type AnyShape = Record<string, AnySchema>;
|
|
1968
|
+
type EditableShapeValibot<T extends ObjectEntries> = { [K in keyof T]: T[K] extends ObjectSchema<infer Inner extends AnyShape, undefined> ? ObjectSchema<EditableShapeValibot<Inner>, undefined> : BaseSchema<any, any, any> };
|
|
1969
|
+
type EditableShapeTypebox<T extends TProperties> = { [K in keyof T]: T[K] extends TObject ? Wrap<EditableShapeTypebox<T[K]["properties"]>> : TSchema };
|
|
1970
|
+
type ConfigSchema<T extends Identities> = IsZod<T> extends true ? ZodObject<T & ZodRawShape> : T extends EditableShapeValibot<UserShapeValibot> ? ObjectSchema<T & ObjectEntries, undefined> : IsArkType<T> extends true ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? TObject<T & TProperties> : never;
|
|
1971
|
+
type ValibotShapeToObject<S extends ObjectEntries> = Merge<InferOutput<ObjectSchema<S, undefined>>, User>;
|
|
1972
|
+
type ArktypeShapeToObject<S extends Type> = S extends Type<infer Shape> ? Wrap<Merge<Shape, User>> : never;
|
|
1973
|
+
type TypeboxShapeToObject<S extends TProperties> = S extends TProperties ? Wrap<Merge<Static<TObject<S>>, User>> : never;
|
|
1974
|
+
type EditableShapeArkType<T extends Type> = T extends Type<infer Shape> ? Type<{ [K in keyof Shape]: any }> : never;
|
|
1975
|
+
/** Merges type `B` over `A`, replacing overlapping keys with `B`. */
|
|
1976
|
+
type Merge<A, B> = Omit<A, keyof B> & B;
|
|
1977
|
+
/**
|
|
1978
|
+
* Infers the runtime object type from a Zod `shape` and intersects it with {@link User}
|
|
1979
|
+
* so identity fields always include the base user contract.
|
|
1980
|
+
*/
|
|
1981
|
+
type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
|
|
1982
|
+
type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : never;
|
|
1983
|
+
/** Recursively makes every property required. */
|
|
1984
|
+
type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
|
|
1985
|
+
/** Recursively makes every property optional. */
|
|
1986
|
+
type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
|
|
1987
|
+
/** Wraps a type in an object with the same keys. */
|
|
1988
|
+
type Wrap<T> = T extends any ? { [K in keyof T]: T[K] } : never;
|
|
1989
|
+
/**
|
|
1990
|
+
* Infers the user type from an {@link AuthInstance} config, or falls back to {@link User}.
|
|
1991
|
+
* @example
|
|
1992
|
+
* const auth = createAuth({
|
|
1993
|
+
* oauth: [],
|
|
1994
|
+
* identity: UserIdentity.extend({
|
|
1995
|
+
* role: z.string().nullable().optional(),
|
|
1996
|
+
* username: z.string().optional(),
|
|
1997
|
+
* })
|
|
1998
|
+
* })
|
|
1999
|
+
*
|
|
2000
|
+
* type User = InferUser<typeof auth>
|
|
2001
|
+
*/
|
|
2002
|
+
type InferUser<Config extends AuthInstance> = Config extends AuthInstance<infer Identity> ? Prettify$1<Identity> : User;
|
|
2003
|
+
/**
|
|
2004
|
+
* Infers the session type from an {@link AuthInstance} config.
|
|
2005
|
+
* @example
|
|
2006
|
+
* const auth = createAuth({
|
|
2007
|
+
* oauth: [],
|
|
2008
|
+
* identity: UserIdentity.extend({
|
|
2009
|
+
* role: z.string().nullable().optional(),
|
|
2010
|
+
* username: z.string().optional(),
|
|
2011
|
+
* })
|
|
2012
|
+
* })
|
|
2013
|
+
*
|
|
2014
|
+
* type Session = InferSession<typeof auth>
|
|
2015
|
+
*/
|
|
2016
|
+
type InferSession<Config extends AuthInstance> = Prettify$1<Session<Wrap<InferUser<Config>>>>;
|
|
2017
|
+
/**
|
|
2018
|
+
* Shorthand for a Zod object’s `.shape` property.
|
|
2019
|
+
*/
|
|
2020
|
+
type InferZodShape<T extends ZodObject> = T["shape"];
|
|
2021
|
+
/**
|
|
2022
|
+
* Infers the user type from a Zod identity schema, or falls back to {@link User}.
|
|
2023
|
+
* @example
|
|
2024
|
+
* const schema = z.object({
|
|
2025
|
+
* sub: z.string(),
|
|
2026
|
+
* role: z.string().nullable().optional(),
|
|
2027
|
+
* username: z.string().optional(),
|
|
2028
|
+
* })
|
|
2029
|
+
*
|
|
2030
|
+
* type User = UserFrom<typeof schema>
|
|
2031
|
+
*/
|
|
2032
|
+
type UserFrom<T extends ZodObject> = Prettify$1<ZodShapeToObject<InferZodShape<T>>>;
|
|
2033
|
+
/**
|
|
2034
|
+
* Infers the session type from a Zod identity schema.
|
|
2035
|
+
* @example
|
|
2036
|
+
* const schema = z.object({
|
|
2037
|
+
* sub: z.string(),
|
|
2038
|
+
* role: z.string().nullable().optional(),
|
|
2039
|
+
* username: z.string().optional(),
|
|
2040
|
+
* })
|
|
2041
|
+
*
|
|
2042
|
+
* type Session = SessionFrom<typeof schema>
|
|
2043
|
+
*/
|
|
2044
|
+
type SessionFrom<T extends ZodObject> = Wrap<Session<Wrap<UserFrom<T>>>>;
|
|
2045
|
+
/**
|
|
2046
|
+
* HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
|
|
2047
|
+
*/
|
|
2048
|
+
type AuthResponse<Body = unknown> = Prettify$1<Omit<Response, "json"> & {
|
|
2049
|
+
json(): Promise<Body>;
|
|
2050
|
+
}>;
|
|
2051
|
+
//#endregion
|
|
2052
|
+
//#region src/createAuth.d.ts
|
|
2053
|
+
declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
|
|
2054
|
+
handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"GET", "/signIn/:oauth", {
|
|
2055
|
+
schemas?: {
|
|
2056
|
+
params: _$zod.ZodObject<{
|
|
2057
|
+
oauth: _$zod.ZodEnum<{
|
|
2058
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2059
|
+
github: "github";
|
|
2060
|
+
bitbucket: "bitbucket";
|
|
2061
|
+
figma: "figma";
|
|
2062
|
+
discord: "discord";
|
|
2063
|
+
gitlab: "gitlab";
|
|
2064
|
+
spotify: "spotify";
|
|
2065
|
+
x: "x";
|
|
2066
|
+
strava: "strava";
|
|
2067
|
+
mailchimp: "mailchimp";
|
|
2068
|
+
pinterest: "pinterest";
|
|
2069
|
+
twitch: "twitch";
|
|
2070
|
+
notion: "notion";
|
|
2071
|
+
dropbox: "dropbox";
|
|
2072
|
+
atlassian: "atlassian";
|
|
2073
|
+
clickUp: "clickUp";
|
|
2074
|
+
dribbble: "dribbble";
|
|
2075
|
+
}>;
|
|
2076
|
+
}, _$zod_v4_core0.$strip>;
|
|
2077
|
+
searchParams: _$zod.ZodObject<{
|
|
2078
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2079
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2080
|
+
}, _$zod_v4_core0.$strip>;
|
|
2081
|
+
} | undefined;
|
|
2082
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<"/signIn/:oauth", {
|
|
2083
|
+
params: _$zod.ZodObject<{
|
|
2084
|
+
oauth: _$zod.ZodEnum<{
|
|
2085
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2086
|
+
github: "github";
|
|
2087
|
+
bitbucket: "bitbucket";
|
|
2088
|
+
figma: "figma";
|
|
2089
|
+
discord: "discord";
|
|
2090
|
+
gitlab: "gitlab";
|
|
2091
|
+
spotify: "spotify";
|
|
2092
|
+
x: "x";
|
|
2093
|
+
strava: "strava";
|
|
2094
|
+
mailchimp: "mailchimp";
|
|
2095
|
+
pinterest: "pinterest";
|
|
2096
|
+
twitch: "twitch";
|
|
2097
|
+
notion: "notion";
|
|
2098
|
+
dropbox: "dropbox";
|
|
2099
|
+
atlassian: "atlassian";
|
|
2100
|
+
clickUp: "clickUp";
|
|
2101
|
+
dribbble: "dribbble";
|
|
2102
|
+
}>;
|
|
2103
|
+
}, _$zod_v4_core0.$strip>;
|
|
2104
|
+
searchParams: _$zod.ZodObject<{
|
|
2105
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2106
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2107
|
+
}, _$zod_v4_core0.$strip>;
|
|
2108
|
+
}>[] | undefined;
|
|
2109
|
+
}, (ctx: {
|
|
2110
|
+
params: {
|
|
2111
|
+
oauth: "github" | "bitbucket" | "figma" | "discord" | "gitlab" | "spotify" | "x" | "strava" | "mailchimp" | "pinterest" | "twitch" | "notion" | "dropbox" | "atlassian" | "clickUp" | "dribbble" | (string & Record<never, never>);
|
|
2112
|
+
};
|
|
2113
|
+
body: undefined;
|
|
2114
|
+
searchParams: {
|
|
2115
|
+
redirect: boolean;
|
|
2116
|
+
redirectTo?: string | undefined;
|
|
2117
|
+
};
|
|
2118
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2119
|
+
request: Request;
|
|
2120
|
+
url: URL;
|
|
2121
|
+
method: "GET";
|
|
2122
|
+
route: "/signIn/:oauth";
|
|
2123
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2124
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2125
|
+
}) => Promise<Prettify$1<Omit<Response, "json"> & {
|
|
2126
|
+
json(): Promise<{
|
|
2127
|
+
success: true;
|
|
2128
|
+
redirect: boolean;
|
|
2129
|
+
signInURL: string;
|
|
2130
|
+
}>;
|
|
2131
|
+
}> | Prettify$1<Omit<Response, "json"> & {
|
|
2132
|
+
json(): Promise<{
|
|
2133
|
+
success: false;
|
|
2134
|
+
redirect: false;
|
|
2135
|
+
signInURL: null;
|
|
2136
|
+
}>;
|
|
2137
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"POST", `/${string}`, {
|
|
2138
|
+
schemas?: {
|
|
2139
|
+
body: _$zod.ZodObject<{
|
|
2140
|
+
username: _$zod.ZodString;
|
|
2141
|
+
password: _$zod.ZodString;
|
|
2142
|
+
}, _$zod_v4_core0.$strip>;
|
|
2143
|
+
searchParams: _$zod.ZodObject<{
|
|
2144
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2145
|
+
}, _$zod_v4_core0.$strip>;
|
|
2146
|
+
} | undefined;
|
|
2147
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
|
|
2148
|
+
body: _$zod.ZodObject<{
|
|
2149
|
+
username: _$zod.ZodString;
|
|
2150
|
+
password: _$zod.ZodString;
|
|
2151
|
+
}, _$zod_v4_core0.$strip>;
|
|
2152
|
+
searchParams: _$zod.ZodObject<{
|
|
2153
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2154
|
+
}, _$zod_v4_core0.$strip>;
|
|
2155
|
+
}>[] | undefined;
|
|
2156
|
+
}, (ctx: {
|
|
2157
|
+
params: {};
|
|
2158
|
+
body: {
|
|
2159
|
+
username: string;
|
|
2160
|
+
password: string;
|
|
2161
|
+
};
|
|
2162
|
+
searchParams: {
|
|
2163
|
+
redirectTo?: string | undefined;
|
|
2164
|
+
};
|
|
2165
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2166
|
+
request: Request;
|
|
2167
|
+
url: URL;
|
|
2168
|
+
method: "POST";
|
|
2169
|
+
route: `/${string}`;
|
|
2170
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2171
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2172
|
+
}) => Promise<Prettify$1<Omit<Response, "json"> & {
|
|
2173
|
+
json(): Promise<{
|
|
2174
|
+
success: true;
|
|
2175
|
+
redirectURL: string;
|
|
2176
|
+
}>;
|
|
2177
|
+
}> | Prettify$1<Omit<Response, "json"> & {
|
|
2178
|
+
json(): Promise<{
|
|
2179
|
+
success: false;
|
|
2180
|
+
redirectURL: null;
|
|
2181
|
+
}>;
|
|
2182
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/callback/:oauth", {
|
|
2183
|
+
schemas?: {
|
|
2184
|
+
params: _$zod.ZodObject<{
|
|
2185
|
+
oauth: _$zod.ZodEnum<{
|
|
2186
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2187
|
+
github: "github";
|
|
2188
|
+
bitbucket: "bitbucket";
|
|
2189
|
+
figma: "figma";
|
|
2190
|
+
discord: "discord";
|
|
2191
|
+
gitlab: "gitlab";
|
|
2192
|
+
spotify: "spotify";
|
|
2193
|
+
x: "x";
|
|
2194
|
+
strava: "strava";
|
|
2195
|
+
mailchimp: "mailchimp";
|
|
2196
|
+
pinterest: "pinterest";
|
|
2197
|
+
twitch: "twitch";
|
|
2198
|
+
notion: "notion";
|
|
2199
|
+
dropbox: "dropbox";
|
|
2200
|
+
atlassian: "atlassian";
|
|
2201
|
+
clickUp: "clickUp";
|
|
2202
|
+
dribbble: "dribbble";
|
|
2203
|
+
}>;
|
|
2204
|
+
}, _$zod_v4_core0.$strip>;
|
|
2205
|
+
searchParams: _$zod.ZodObject<{
|
|
2206
|
+
code: _$zod.ZodString;
|
|
2207
|
+
state: _$zod.ZodString;
|
|
2208
|
+
}, _$zod_v4_core0.$strip>;
|
|
2209
|
+
} | undefined;
|
|
2210
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<"/callback/:oauth", {
|
|
2211
|
+
params: _$zod.ZodObject<{
|
|
2212
|
+
oauth: _$zod.ZodEnum<{
|
|
2213
|
+
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2214
|
+
github: "github";
|
|
2215
|
+
bitbucket: "bitbucket";
|
|
2216
|
+
figma: "figma";
|
|
2217
|
+
discord: "discord";
|
|
2218
|
+
gitlab: "gitlab";
|
|
2219
|
+
spotify: "spotify";
|
|
2220
|
+
x: "x";
|
|
2221
|
+
strava: "strava";
|
|
2222
|
+
mailchimp: "mailchimp";
|
|
2223
|
+
pinterest: "pinterest";
|
|
2224
|
+
twitch: "twitch";
|
|
2225
|
+
notion: "notion";
|
|
2226
|
+
dropbox: "dropbox";
|
|
2227
|
+
atlassian: "atlassian";
|
|
2228
|
+
clickUp: "clickUp";
|
|
2229
|
+
dribbble: "dribbble";
|
|
2230
|
+
}>;
|
|
2231
|
+
}, _$zod_v4_core0.$strip>;
|
|
2232
|
+
searchParams: _$zod.ZodObject<{
|
|
2233
|
+
code: _$zod.ZodString;
|
|
2234
|
+
state: _$zod.ZodString;
|
|
2235
|
+
}, _$zod_v4_core0.$strip>;
|
|
2236
|
+
}>[] | undefined;
|
|
2237
|
+
}, (ctx: {
|
|
2238
|
+
params: {
|
|
2239
|
+
oauth: "github" | "bitbucket" | "figma" | "discord" | "gitlab" | "spotify" | "x" | "strava" | "mailchimp" | "pinterest" | "twitch" | "notion" | "dropbox" | "atlassian" | "clickUp" | "dribbble" | (string & Record<never, never>);
|
|
2240
|
+
};
|
|
2241
|
+
body: undefined;
|
|
2242
|
+
searchParams: {
|
|
2243
|
+
code: string;
|
|
2244
|
+
state: string;
|
|
2245
|
+
};
|
|
2246
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2247
|
+
request: Request;
|
|
2248
|
+
url: URL;
|
|
2249
|
+
method: "GET";
|
|
2250
|
+
route: "/callback/:oauth";
|
|
2251
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2252
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2253
|
+
}) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/session", {
|
|
2254
|
+
schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
|
|
2255
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<"/session", _$_aura_stack_router0.EndpointSchemas>[] | undefined;
|
|
2256
|
+
}, (ctx: {
|
|
2257
|
+
params: {};
|
|
2258
|
+
body: undefined;
|
|
2259
|
+
searchParams: URLSearchParams;
|
|
2260
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2261
|
+
request: Request;
|
|
2262
|
+
url: URL;
|
|
2263
|
+
method: "GET";
|
|
2264
|
+
route: "/session";
|
|
2265
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2266
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2267
|
+
}) => Promise<Prettify$1<Omit<Response, "json"> & {
|
|
2268
|
+
json(): Promise<{
|
|
2269
|
+
success: true;
|
|
2270
|
+
session: Session<{
|
|
2271
|
+
sub: string;
|
|
2272
|
+
name?: string | null | undefined;
|
|
2273
|
+
image?: string | null | undefined;
|
|
2274
|
+
email?: string | null | undefined;
|
|
2275
|
+
}>;
|
|
2276
|
+
}>;
|
|
2277
|
+
}> | Prettify$1<Omit<Response, "json"> & {
|
|
2278
|
+
json(): Promise<{
|
|
2279
|
+
success: false;
|
|
2280
|
+
session: null;
|
|
2281
|
+
}>;
|
|
2282
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"POST", `/${string}`, {
|
|
2283
|
+
schemas?: {
|
|
2284
|
+
searchParams: _$zod.ZodObject<{
|
|
2285
|
+
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
2286
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2287
|
+
}, _$zod_v4_core0.$strip>;
|
|
2288
|
+
} | undefined;
|
|
2289
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
|
|
2290
|
+
searchParams: _$zod.ZodObject<{
|
|
2291
|
+
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
2292
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2293
|
+
}, _$zod_v4_core0.$strip>;
|
|
2294
|
+
}>[] | undefined;
|
|
2295
|
+
}, (ctx: {
|
|
2296
|
+
params: {};
|
|
2297
|
+
body: undefined;
|
|
2298
|
+
searchParams: {
|
|
2299
|
+
token_type_hint: "session_token";
|
|
2300
|
+
redirectTo?: string | undefined;
|
|
2301
|
+
};
|
|
2302
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2303
|
+
request: Request;
|
|
2304
|
+
url: URL;
|
|
2305
|
+
method: "POST";
|
|
2306
|
+
route: `/${string}`;
|
|
2307
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2308
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2309
|
+
}) => Promise<Prettify$1<Omit<Response, "json"> & {
|
|
2310
|
+
json(): Promise<{
|
|
2311
|
+
success: true;
|
|
2312
|
+
redirect: boolean;
|
|
2313
|
+
redirectURL: string;
|
|
2314
|
+
}>;
|
|
2315
|
+
}> | Prettify$1<Omit<Response, "json"> & {
|
|
2316
|
+
json(): Promise<{
|
|
2317
|
+
success: false;
|
|
2318
|
+
redirect: boolean;
|
|
2319
|
+
redirectURL: null;
|
|
2320
|
+
}>;
|
|
2321
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/csrfToken", {
|
|
2322
|
+
schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
|
|
2323
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<"/csrfToken", _$_aura_stack_router0.EndpointSchemas>[] | undefined;
|
|
2324
|
+
}, (ctx: {
|
|
2325
|
+
params: {};
|
|
2326
|
+
body: undefined;
|
|
2327
|
+
searchParams: URLSearchParams;
|
|
2328
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2329
|
+
request: Request;
|
|
2330
|
+
url: URL;
|
|
2331
|
+
method: "GET";
|
|
2332
|
+
route: "/csrfToken";
|
|
2333
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2334
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2335
|
+
}) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"PATCH", `/${string}`, {
|
|
2336
|
+
schemas?: {
|
|
2337
|
+
body: any;
|
|
2338
|
+
} | undefined;
|
|
2339
|
+
use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
|
|
2340
|
+
body: any;
|
|
2341
|
+
}>[] | undefined;
|
|
2342
|
+
}, (ctx: {
|
|
2343
|
+
params: {};
|
|
2344
|
+
body: any;
|
|
2345
|
+
searchParams: URLSearchParams;
|
|
2346
|
+
headers: _$_aura_stack_router0.HeadersBuilder;
|
|
2347
|
+
request: Request;
|
|
2348
|
+
url: URL;
|
|
2349
|
+
method: "PATCH";
|
|
2350
|
+
route: `/${string}`;
|
|
2351
|
+
context: _$_aura_stack_router0.GlobalContext;
|
|
2352
|
+
json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
|
|
2353
|
+
}) => Promise<Prettify$1<Omit<Response, "json"> & {
|
|
2354
|
+
json(): Promise<{
|
|
2355
|
+
success: true;
|
|
2356
|
+
session: Session<{
|
|
2357
|
+
sub: string;
|
|
2358
|
+
name?: string | null | undefined;
|
|
2359
|
+
image?: string | null | undefined;
|
|
2360
|
+
email?: string | null | undefined;
|
|
2361
|
+
}>;
|
|
2362
|
+
redirectURL: string;
|
|
2363
|
+
}>;
|
|
2364
|
+
}> | Prettify$1<Omit<Response, "json"> & {
|
|
2365
|
+
json(): Promise<{
|
|
2366
|
+
success: false;
|
|
2367
|
+
session: null;
|
|
2368
|
+
redirectURL: null;
|
|
2369
|
+
}>;
|
|
2370
|
+
}>>>]>;
|
|
2371
|
+
jose: any;
|
|
2372
|
+
api: {
|
|
2373
|
+
getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
|
|
2374
|
+
sub: string;
|
|
2375
|
+
name?: string | null | undefined;
|
|
2376
|
+
image?: string | null | undefined;
|
|
2377
|
+
email?: string | null | undefined;
|
|
2378
|
+
}>>;
|
|
2379
|
+
signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
|
|
2380
|
+
signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
|
|
2381
|
+
updateSession: (options: UpdateSessionAPIOptions<{
|
|
2382
|
+
sub: string;
|
|
2383
|
+
name?: string | null | undefined;
|
|
2384
|
+
image?: string | null | undefined;
|
|
2385
|
+
email?: string | null | undefined;
|
|
2386
|
+
}>) => Promise<UpdateSessionAPIReturn<{
|
|
2387
|
+
sub: string;
|
|
2388
|
+
name?: string | null | undefined;
|
|
2389
|
+
image?: string | null | undefined;
|
|
2390
|
+
email?: string | null | undefined;
|
|
2391
|
+
}>>;
|
|
2392
|
+
signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
|
|
2393
|
+
};
|
|
2394
|
+
};
|
|
2395
|
+
/**
|
|
2396
|
+
* Creates the authentication instance with the configuration provided for OAuth provider.
|
|
2397
|
+
* > NOTE: The handlers returned by this function should be used in the server to handle the authentication routes
|
|
2398
|
+
* and within the `/auth` base path
|
|
2399
|
+
*
|
|
2400
|
+
* @param authConfig - Authentication configuration including OAuth provider
|
|
2401
|
+
* @returns Authentication instance with handlers to be used in the server
|
|
2402
|
+
* @example
|
|
2403
|
+
* const auth = createAuth({
|
|
2404
|
+
* oauth: ["github", {
|
|
2405
|
+
* id: "custom-oauth",
|
|
2406
|
+
* name: "custom-oauth",
|
|
2407
|
+
* authorize: {
|
|
2408
|
+
* url: "https://custom-oauth.com/oauth/authorize",
|
|
2409
|
+
* params: { responseType: "code", scope: "profile email" },
|
|
2410
|
+
* },
|
|
2411
|
+
* accessToken: "https://custom-oauth.com/oauth/token",
|
|
2412
|
+
* userInfo: "https://custom-oauth.com/api/userinfo",
|
|
2413
|
+
* clientId: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_ID!,
|
|
2414
|
+
* clientSecret: process.env.AURA_AUTH_CUSTOM_OAUTH_CLIENT_SECRET!,
|
|
2415
|
+
* }]
|
|
2416
|
+
* })
|
|
2417
|
+
*/
|
|
2418
|
+
declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity>>;
|
|
2419
|
+
//#endregion
|
|
2420
|
+
//#region src/@types/errors.d.ts
|
|
2421
|
+
/** Map of field or logical keys to API validation error payloads (code + message). */
|
|
2422
|
+
type APIErrorMap = Record<string, {
|
|
2423
|
+
code: string;
|
|
2424
|
+
message: string;
|
|
2425
|
+
}>;
|
|
2426
|
+
/**
|
|
2427
|
+
* Base OAuth error response structure.
|
|
2428
|
+
*/
|
|
2429
|
+
interface OAuthError<T extends string> {
|
|
2430
|
+
error: T;
|
|
2431
|
+
error_description?: string;
|
|
2432
|
+
}
|
|
2433
|
+
/**
|
|
2434
|
+
* OAuth 2.0 Authorization Error Response Types
|
|
2435
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
|
|
2436
|
+
*/
|
|
2437
|
+
type AuthorizationError = OAuthError<z.infer<typeof OAuthAuthorizationErrorResponse>["error"]>;
|
|
2438
|
+
/**
|
|
2439
|
+
* OAuth 2.0 Access Token Error Response Types
|
|
2440
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
|
2441
|
+
*/
|
|
2442
|
+
type AccessTokenError = OAuthError<z.infer<typeof OAuthAccessTokenErrorResponse>["error"]>;
|
|
2443
|
+
/**
|
|
2444
|
+
* OAuth 2.0 Token Revocation Error Response Types
|
|
2445
|
+
* @see https://datatracker.ietf.org/doc/html/rfc7009#section-2.2.1
|
|
2446
|
+
*/
|
|
2447
|
+
type TokenRevocationError = OAuthError<"invalid_session_token">;
|
|
2448
|
+
/** Union of all OAuth-related `error` string values exposed by this package. */
|
|
2449
|
+
type ErrorType = AuthorizationError["error"] | AccessTokenError["error"] | TokenRevocationError["error"];
|
|
2450
|
+
/**
|
|
2451
|
+
* Machine-readable codes for internal auth failures (configuration, crypto, environment, etc.).
|
|
2452
|
+
* Used with {@link AuthInternalError} and logging.
|
|
2453
|
+
*/
|
|
2454
|
+
type AuthInternalErrorCode = "INVALID_OAUTH_CONFIGURATION" | "INVALID_JWT_TOKEN" | "JOSE_INITIALIZATION_FAILED" | "SESSION_STORE_NOT_INITIALIZED" | "COOKIE_STORE_NOT_INITIALIZED" | "COOKIE_PARSING_FAILED" | "COOKIE_NOT_FOUND" | "INVALID_ENVIRONMENT_CONFIGURATION" | "INVALID_URL" | "INVALID_SALT_SECRET_VALUE" | "UNTRUSTED_ORIGIN" | "INVALID_OAUTH_PROVIDER_CONFIGURATION" | "DUPLICATED_OAUTH_PROVIDER_ID" | "CREDENTIALS_PROVIDER_NOT_CONFIGURED" | "IDENTITY_VALIDATION_FAILED";
|
|
2455
|
+
/**
|
|
2456
|
+
* Machine-readable codes for security-sensitive failures (CSRF, session, open redirect, OAuth state).
|
|
2457
|
+
*/
|
|
2458
|
+
type AuthSecurityErrorCode = "INVALID_STATE" | "MISMATCHING_STATE" | "POTENTIAL_OPEN_REDIRECT_ATTACK_DETECTED" | "CSRF_TOKEN_INVALID" | "CSRF_TOKEN_MISSING" | "SESSION_TOKEN_MISSING";
|
|
2459
|
+
//#endregion
|
|
2460
|
+
//#region src/@types/api.d.ts
|
|
2461
|
+
/**
|
|
2462
|
+
* Canonical return shape for server/programmatic API functions.
|
|
2463
|
+
*
|
|
2464
|
+
* - Success branch includes the payload fields from `Body` plus response metadata.
|
|
2465
|
+
* - Failure branch includes `error` metadata and `toResponse()` for framework adapters.
|
|
2466
|
+
* - Both branches expose `headers` so callers can forward cookies and auth-related headers.
|
|
2467
|
+
*
|
|
2468
|
+
* @typeParam Body - Union of success/failure payload variants.
|
|
2469
|
+
* @typeParam ErrorCodes - Error code union for the failure branch (`error.code`).
|
|
2470
|
+
*/
|
|
2471
|
+
type AuthActionAPIReturn<Body extends object, ErrorCodes = any> = (Extract<Body, {
|
|
2472
|
+
success: true;
|
|
2473
|
+
}> & {
|
|
2474
|
+
headers: Headers;
|
|
2475
|
+
toResponse: () => AuthResponse<Exclude<Body, {
|
|
2476
|
+
success: false;
|
|
2477
|
+
}>>;
|
|
2478
|
+
}) | (Extract<Body, {
|
|
2479
|
+
success: false;
|
|
2480
|
+
}> & {
|
|
2481
|
+
success: false;
|
|
2482
|
+
headers: Headers; /** @todo: Add `docs` property */
|
|
2483
|
+
error: {
|
|
2484
|
+
code: ErrorCodes;
|
|
2485
|
+
message: string;
|
|
2486
|
+
};
|
|
2487
|
+
toResponse: () => AuthResponse<Exclude<Body, {
|
|
2488
|
+
success: true;
|
|
2489
|
+
}>>;
|
|
2490
|
+
});
|
|
2491
|
+
/**
|
|
2492
|
+
* Utility to merge the internal router global context (`ctx`) with per-function options.
|
|
2493
|
+
* Used by implementation-level API functions in `src/api/*`.
|
|
2494
|
+
*/
|
|
2495
|
+
type FunctionAPIContext<Options extends object> = Prettify<{
|
|
2496
|
+
ctx: RouterGlobalContext;
|
|
2497
|
+
} & Options>;
|
|
2498
|
+
interface OptionsWithRedirectTo {
|
|
2499
|
+
/**
|
|
2500
|
+
* Optional `redirect` flag used by `createAuthClient` to control client-side navigation behavior.
|
|
2501
|
+
*
|
|
2502
|
+
* By default, navigation is performed with `location.assign()`.
|
|
2503
|
+
* When set to `false`, the API returns `redirectURL` so the caller can handle navigation manually.
|
|
2504
|
+
* @default `true`
|
|
2505
|
+
* @example
|
|
2506
|
+
* redirect: true
|
|
2507
|
+
*/
|
|
2508
|
+
redirect?: boolean;
|
|
2509
|
+
/**
|
|
2510
|
+
* Optional destination after a successful action.
|
|
2511
|
+
*
|
|
2512
|
+
* Supports relative paths and absolute URLs. The value is validated against `trustedOrigins`
|
|
2513
|
+
* to ensure redirects are allowed.
|
|
2514
|
+
* @example
|
|
2515
|
+
* redirectTo: "/dashboard"
|
|
2516
|
+
* redirectTo: "https://example.com/dashboard"
|
|
2517
|
+
*/
|
|
2518
|
+
redirectTo?: string;
|
|
2519
|
+
}
|
|
2520
|
+
interface APIOptionsWithRedirectTo {
|
|
2521
|
+
/**
|
|
2522
|
+
* Optional redirect strategy for server/programmatic API functions.
|
|
2523
|
+
*
|
|
2524
|
+
* - `true`: the generated response is a redirect response.
|
|
2525
|
+
* - `false`: the API returns redirect data (`signInURL` or `redirectURL`) for custom handling.
|
|
2526
|
+
*
|
|
2527
|
+
* Defaults are action-specific; see each API option type.
|
|
2528
|
+
* @experimental
|
|
2529
|
+
*/
|
|
2530
|
+
redirect?: boolean;
|
|
2531
|
+
/**
|
|
2532
|
+
* Optional destination after a successful action.
|
|
2533
|
+
*
|
|
2534
|
+
* Validation includes:
|
|
2535
|
+
* - same-origin checks using the URL derived from `request`/`headers` and configured base URL
|
|
2536
|
+
* - `trustedOrigins` checks from auth configuration
|
|
2537
|
+
* @experimental
|
|
2538
|
+
* @example
|
|
2539
|
+
* // with `request`
|
|
2540
|
+
* const response = await api.signIn("github", {
|
|
2541
|
+
* redirectTo: "/dashboard",
|
|
2542
|
+
* request: await getRequest(),
|
|
2543
|
+
* })
|
|
2544
|
+
*
|
|
2545
|
+
* // with `baseURL`
|
|
2546
|
+
* const { api: { signIn } } = await createAuth({
|
|
2547
|
+
* oauth: ["github"],
|
|
2548
|
+
* baseURL: "https://example.com"
|
|
2549
|
+
* })
|
|
2550
|
+
*
|
|
2551
|
+
* const response = await signIn("github", {
|
|
2552
|
+
* redirectTo: "https://example.com/dashboard",
|
|
2553
|
+
* })
|
|
2554
|
+
*/
|
|
2555
|
+
redirectTo?: string;
|
|
2556
|
+
}
|
|
2557
|
+
interface APIOptionsWithRequest extends APIOptionsWithRedirectTo {
|
|
2558
|
+
/**
|
|
2559
|
+
* Optional `Request` object, useful for constructing the incoming URL on the server side.
|
|
2560
|
+
* This option is required when the `redirectTo` option is defined, to ensure the `redirectTo`
|
|
2561
|
+
* URL is same-origin or included in the `trustedOrigins` configuration option.
|
|
2562
|
+
*/
|
|
2563
|
+
request?: Request;
|
|
2564
|
+
/**
|
|
2565
|
+
* Optional `HeadersInit` object, useful for constructing the incoming URL from proxy headers
|
|
2566
|
+
* such as `X-Forwarded-Host` and `X-Forwarded-Proto` when the auth instance is behind a proxy
|
|
2567
|
+
* or load balancer, or when the URL is built from headers instead of the `Request` object.
|
|
2568
|
+
* This option requires enabling the `trustedProxyHeaders` option in the global configuration.
|
|
2569
|
+
*/
|
|
2570
|
+
headers?: HeadersInit;
|
|
2571
|
+
}
|
|
2572
|
+
interface APIOptionsWithSkipCSRFCheck {
|
|
2573
|
+
/**
|
|
2574
|
+
* Optional `skipCSRFCheck` flag to bypass the Double-Submit Cookie validation.
|
|
2575
|
+
*
|
|
2576
|
+
* The CSRF token is still required and validated to preserve request integrity.
|
|
2577
|
+
* Use this only for trusted server-side flows.
|
|
2578
|
+
* @default `false`
|
|
2579
|
+
*/
|
|
2580
|
+
skipCSRFCheck?: boolean;
|
|
2581
|
+
}
|
|
2582
|
+
/** Options to get the current session. */
|
|
2583
|
+
interface GetSessionAPIOptions {
|
|
2584
|
+
/** The headers containing the `session_token` cookie */
|
|
2585
|
+
headers: HeadersInit;
|
|
2586
|
+
}
|
|
2587
|
+
/** Programmatic `getSession` result with session payload and `toResponse()` metadata. */
|
|
2588
|
+
type GetSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<{
|
|
2589
|
+
success: true;
|
|
2590
|
+
session: Session<DefaultUser>;
|
|
2591
|
+
} | {
|
|
2592
|
+
success: false;
|
|
2593
|
+
session: null;
|
|
2594
|
+
}>;
|
|
2595
|
+
/**
|
|
2596
|
+
* Client-side options for `createAuthClient().signIn(...)`.
|
|
2597
|
+
*/
|
|
2598
|
+
interface SignInOptions extends OptionsWithRedirectTo {}
|
|
2599
|
+
/**
|
|
2600
|
+
* Client-side `signIn` return type.
|
|
2601
|
+
*
|
|
2602
|
+
* - Redirect mode (`redirect: true`): returns `void` because navigation is handled by the client.
|
|
2603
|
+
* - Manual mode (`redirect: false`): returns `signInURL` for caller-controlled navigation.
|
|
2604
|
+
*/
|
|
2605
|
+
type SignInReturn<Options extends SignInOptions> = Options extends {
|
|
2606
|
+
redirect: false;
|
|
2607
|
+
} ? {
|
|
2608
|
+
success: true;
|
|
2609
|
+
redirect: false;
|
|
2610
|
+
signInURL: string;
|
|
2611
|
+
} | {
|
|
2612
|
+
success: false;
|
|
2613
|
+
redirect: false;
|
|
2614
|
+
signInURL: null;
|
|
2615
|
+
} : void;
|
|
2616
|
+
/**
|
|
2617
|
+
* Server/programmatic options for `signIn` API.
|
|
2618
|
+
*/
|
|
2619
|
+
interface SignInAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {}
|
|
2620
|
+
/**
|
|
2621
|
+
* Server/programmatic `signIn` result.
|
|
2622
|
+
*
|
|
2623
|
+
* Includes `signInURL` and response metadata to support both framework-managed redirects
|
|
2624
|
+
* and custom response handling through `toResponse()`.
|
|
2625
|
+
*/
|
|
2626
|
+
type SignInAPIReturn = AuthActionAPIReturn<{
|
|
2627
|
+
success: true;
|
|
2628
|
+
redirect: boolean;
|
|
2629
|
+
signInURL: string;
|
|
2630
|
+
} | {
|
|
2631
|
+
success: false;
|
|
2632
|
+
redirect: false;
|
|
2633
|
+
signInURL: null;
|
|
2634
|
+
}>;
|
|
2635
|
+
interface SignInCredentialsOptions extends OptionsWithRedirectTo {
|
|
2636
|
+
/**
|
|
2637
|
+
* Credentials payload validated by the configured `credentials.authorize` function.
|
|
2638
|
+
* @example
|
|
2639
|
+
* {
|
|
2640
|
+
* username: "johndoe",
|
|
2641
|
+
* password: "1234567890"
|
|
2642
|
+
* }
|
|
2643
|
+
*/
|
|
2644
|
+
payload: CredentialsPayload;
|
|
2645
|
+
}
|
|
2646
|
+
/** Client-side credentials sign-in return type (redirect mode or manual redirect data). */
|
|
2647
|
+
type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options extends {
|
|
2648
|
+
redirect: false;
|
|
2649
|
+
} ? {
|
|
2650
|
+
success: true;
|
|
2651
|
+
redirectURL: string;
|
|
2652
|
+
} | {
|
|
2653
|
+
success: false;
|
|
2654
|
+
redirectURL: null;
|
|
2655
|
+
} : void;
|
|
2656
|
+
/** Server/programmatic credentials sign-in options. */
|
|
2657
|
+
interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
|
|
2658
|
+
/**
|
|
2659
|
+
* Credentials payload validated by the configured `credentials.authorize` function.
|
|
2660
|
+
* @example
|
|
2661
|
+
* {
|
|
2662
|
+
* username: "johndoe",
|
|
2663
|
+
* password: "1234567890"
|
|
2664
|
+
* }
|
|
2665
|
+
*/
|
|
2666
|
+
payload: CredentialsPayload;
|
|
2667
|
+
}
|
|
2668
|
+
/** Programmatic credentials sign-in result with response metadata and `toResponse()`. */
|
|
2669
|
+
type SignInCredentialsAPIReturn = AuthActionAPIReturn<{
|
|
2670
|
+
success: true;
|
|
2671
|
+
redirectURL: string;
|
|
2672
|
+
} | {
|
|
2673
|
+
success: false;
|
|
2674
|
+
redirectURL: null;
|
|
2675
|
+
}>;
|
|
2676
|
+
/** Client-side sign-out options. */
|
|
2677
|
+
interface SignOutOptions extends OptionsWithRedirectTo {}
|
|
2678
|
+
/** Client-side sign-out return type (redirect mode or manual redirect data). */
|
|
2679
|
+
type SignOutReturn<Options extends SignOutOptions> = Options extends {
|
|
2680
|
+
redirect: false;
|
|
2681
|
+
} ? {
|
|
2682
|
+
success: true;
|
|
2683
|
+
redirect: false;
|
|
2684
|
+
redirectURL: string;
|
|
2685
|
+
} | {
|
|
2686
|
+
success: false;
|
|
2687
|
+
redirect: false;
|
|
2688
|
+
redirectURL: null;
|
|
2689
|
+
} : void;
|
|
2690
|
+
/** Server/programmatic options for `signOut` API. */
|
|
2691
|
+
interface SignOutAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithSkipCSRFCheck {
|
|
2692
|
+
/**
|
|
2693
|
+
* Required headers used to execute sign-out.
|
|
2694
|
+
* Must include `session_token` and `csrf_token` cookies for CSRF validation.
|
|
2695
|
+
* @example
|
|
2696
|
+
* {
|
|
2697
|
+
* Cookie: "session_token=abc123; csrf_token=def456"
|
|
2698
|
+
* }
|
|
2699
|
+
*/
|
|
2700
|
+
headers: HeadersInit;
|
|
2701
|
+
/**
|
|
2702
|
+
* Optional `Request` object as an alternative to manually providing `headers`.
|
|
2703
|
+
*/
|
|
2704
|
+
request?: Request;
|
|
2705
|
+
}
|
|
2706
|
+
/** Programmatic sign-out result with redirect metadata and `toResponse()`. */
|
|
2707
|
+
type SignOutAPIReturn = AuthActionAPIReturn<{
|
|
2708
|
+
success: true;
|
|
2709
|
+
redirect: boolean;
|
|
2710
|
+
redirectURL: string;
|
|
2711
|
+
} | {
|
|
2712
|
+
success: false;
|
|
2713
|
+
redirect: boolean;
|
|
2714
|
+
redirectURL: null;
|
|
2715
|
+
}>;
|
|
2716
|
+
/** Client-side `updateSession` options: partial session payload plus optional redirect behavior. */
|
|
2717
|
+
interface UpdateSessionOptions<DefaultUser extends User = User> extends OptionsWithRedirectTo {
|
|
2718
|
+
/** Partial session data to merge into the current session. */
|
|
2719
|
+
session: DeepPartial<Session<DefaultUser>>;
|
|
2720
|
+
}
|
|
2721
|
+
/** Client-side `updateSession` return type. */
|
|
2722
|
+
type UpdateSessionReturn<Options extends UpdateSessionOptions, DefaultUser extends User = User> = Options extends {
|
|
2723
|
+
redirect: false;
|
|
2724
|
+
} ? {
|
|
2725
|
+
success: true;
|
|
2726
|
+
session: Session<DefaultUser>;
|
|
2727
|
+
} | {
|
|
2728
|
+
success: false;
|
|
2729
|
+
session: null;
|
|
2730
|
+
} : void;
|
|
2731
|
+
/** Server/programmatic options for `updateSession` API. */
|
|
2732
|
+
interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
|
|
2733
|
+
/**
|
|
2734
|
+
* Required headers used to execute session update.
|
|
2735
|
+
* Must include `session_token` and `csrf_token` cookies for CSRF validation.
|
|
2736
|
+
* @example
|
|
2737
|
+
* {
|
|
2738
|
+
* Cookie: "session_token=abc123; csrf_token=def456"
|
|
2739
|
+
* }
|
|
2740
|
+
*/
|
|
2741
|
+
headers: HeadersInit;
|
|
2742
|
+
/**
|
|
2743
|
+
* Optional `Request` object as an alternative to manually providing `headers`.
|
|
2744
|
+
*/
|
|
2745
|
+
request?: Request;
|
|
2746
|
+
/**
|
|
2747
|
+
* Partial session payload used to update the current session.
|
|
2748
|
+
* @see Session
|
|
2749
|
+
* @example
|
|
2750
|
+
* session: {
|
|
2751
|
+
* user: {
|
|
2752
|
+
* name: "John Doe",
|
|
2753
|
+
* email: "john.doe@example.com"
|
|
2754
|
+
* }
|
|
2755
|
+
* }
|
|
2756
|
+
*/
|
|
2757
|
+
session: DeepPartial<Session<DefaultUser>>;
|
|
2758
|
+
}
|
|
2759
|
+
/** Programmatic session update result with redirect metadata and `toResponse()`. */
|
|
2760
|
+
type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<{
|
|
2761
|
+
success: true;
|
|
2762
|
+
session: Session<DefaultUser>;
|
|
2763
|
+
redirectURL: string;
|
|
2764
|
+
} | {
|
|
2765
|
+
success: false;
|
|
2766
|
+
session: null;
|
|
2767
|
+
redirectURL: null;
|
|
2768
|
+
}>;
|
|
2769
|
+
//#endregion
|
|
2770
|
+
//#region src/@types/index.d.ts
|
|
2771
|
+
/**
|
|
2772
|
+
* Standard JWT claims that are managed internally by the token system.
|
|
2773
|
+
* These fields are typically filtered out before returning user data.
|
|
2774
|
+
*/
|
|
2775
|
+
type JWTStandardClaims = Pick<JWTPayload, "exp" | "iat" | "jti" | "nbf" | "sub" | "aud" | "iss">;
|
|
2776
|
+
/**
|
|
2777
|
+
* JWT payload structure that includes a mandatory `token` field used to verify CSRF Tokens
|
|
2778
|
+
*/
|
|
2779
|
+
type JWTPayloadWithToken = JWTPayload & {
|
|
2780
|
+
token: string;
|
|
2781
|
+
};
|
|
2782
|
+
/** Environment variables for OAuth client credentials, inferred from `OAuthEnvSchema`. */
|
|
2783
|
+
type OAuthEnv = z.infer<typeof OAuthEnvSchema>;
|
|
2784
|
+
/**
|
|
2785
|
+
* HTTP route handlers exposed by the auth instance (`GET`, `POST`, `PATCH`, `ALL`) for mounting on your app router.
|
|
2786
|
+
*/
|
|
2787
|
+
type AuthClient = ReturnType<typeof createAuthInstance>["handlers"];
|
|
2788
|
+
/**
|
|
2789
|
+
* Options for {@link createAuthClient} (browser HTTP client). Extends the router client with an optional `baseURL`
|
|
2790
|
+
* when the client runs outside the browser (e.g. server-side fetch to your app origin).
|
|
2791
|
+
*/
|
|
2792
|
+
type AuthClientOptions = Prettify$1<Omit<ClientOptions, "baseURL"> & {
|
|
2793
|
+
baseURL?: string;
|
|
2794
|
+
}>;
|
|
2795
|
+
//#endregion
|
|
2796
|
+
export { LiteralUnion as $, Nameplate as $n, JWTMode as $t, APIErrorMap as A, NotionUser as An, StandardCookie as At, AuthResponse as B, mailchimp as Bn, AsymmetricKeyPair as Bt, SignOutAPIReturn as C, DropboxProfile as Cn, JoseInstance as Ct, UpdateSessionAPIReturn as D, dropbox as Dn, SchemaRegistryContext as Dt, UpdateSessionAPIOptions as E, RootInfo as En, RouterGlobalContext as Et, ErrorType as F, twitch as Fn, OAuthProvider as Ft, EditableShapeArkType as G, XProfile as Gn, JWTConfig as Gt, DeepPartial as H, SummaryClub as Hn, CreateSessionStrategyOptions as Ht, OAuthError as I, PinterestProfile as In, OAuthProviderConfig as It, EditableShapeZod as J, SpotifyProfile as Jn, JWTEncryptionAlgorithm as Jt, EditableShapeTypebox as K, x as Kn, JWTConfigBase as Kt, TokenRevocationError as L, pinterest as Ln, OAuthProviderCredentials as Lt, AuthInternalErrorCode as M, Person as Mn, TrustedOrigin as Mt, AuthSecurityErrorCode as N, notion as Nn, TrustedProxyHeadersConfig as Nt, UpdateSessionOptions as O, Bot as On, SecureCookie as Ot, AuthorizationError as P, TwitchProfile as Pn, AuthorizeParams as Pt, InferZodShape as Q, DiscordProfile as Qn, JWTManager as Qt, createAuth as R, Login as Rn, OAuthProviderRecord as Rt, SignOutAPIOptions as S, AccountType as Sn, InternalLogger as St, SignOutReturn as T, Name as Tn, Logger as Tt, DeepRequired as U, SummaryGear as Un, CryptoSecret as Ut, ConfigSchema as V, StravaProfile as Vn, AsymmetricKeyPairFromEnv as Vt, EditableShape as W, strava as Wn, GetStatelessSessionReturn as Wt, InferSession as X, GitLabProfile as Xn, JWTKey as Xt, FromShapeToObject as Y, spotify as Yn, JWTExpirationStrategy as Yt, InferUser as Z, gitlab as Zn, JWTKeyAlgorithm as Zt, SignInCredentialsAPIReturn as _, ClickUpProfile as _n, UserShape as _r, CredentialsProvider as _t, OAuthEnv as a, Session as an, GitHubProfile as ar, ValibotShapeToObject as at, SignInOptions as b, ExtendedProfile as bn, UserShapeValibot as br, IdentityConfig as bt, 
APIOptionsWithRequest as c, StatelessStrategyConfig as cn, Identities as cr, AuthAPI as ct, GetSessionAPIOptions as d, builtInOAuthProviders as dn, IsZod as dr, AuthRuntimeConfig as dt, JWTSealedMode as en, discord as er, Merge as et, GetSessionAPIReturn as f, createBuiltInOAuthProviders as fn, SchemaTypes as fr, CookieConfig as ft, SignInCredentialsAPIOptions as g, dribbble as gn, UserIdentityValibot as gr, CredentialsPayload as gt, SignInAPIReturn as h, DribbbleTeams as hn, UserIdentityTypeBox as hr, CookieStrategyAttributes as ht, JWTStandardClaims as i, SecretKey as in, bitbucket as ir, UserFrom as it, AccessTokenError as j, Owner as jn, SyslogOptions as jt, UpdateSessionReturn as k, NotionProfile as kn, Severity as kt, APIOptionsWithSkipCSRFCheck as l, User as ln, IsArkType as lr, AuthConfig as lt, SignInAPIOptions as m, DribbbleProfile as mn, UserIdentityArkType as mr, CookieStoreConfig as mt, AuthClientOptions as n, JWTSigningAlgorithm as nn, figma as nr, SessionFrom as nt, TypedJWTPayload$1 as o, SessionConfig as on, github as or, Wrap as ot, OptionsWithRedirectTo as p, DribbbleDefault as pn, UserIdentity as pr, CookieName as pt, EditableShapeValibot as q, SpotifyImage as qn, JWTEncryptedMode as qt, JWTPayloadWithToken as r, JWTStrategyOptions as rn, BitbucketProfile as rr, TypeboxShapeToObject as rt, APIOptionsWithRedirectTo as s, SessionStrategy as sn, createSyslogMessage as sr, ZodShapeToObject as st, AuthClient as t, JWTSignedMode as tn, FigmaProfile as tr, Prettify$1 as tt, FunctionAPIContext as u, BuiltInOAuthProvider as un, IsValibot as ur, AuthInstance as ut, SignInCredentialsOptions as v, clickUp as vn, UserShapeArkType as vr, CredentialsProviderContext as vt, SignOutOptions as w, FullTeam as wn, LogLevel as wt, SignInReturn as x, atlassian as xn, createIdentity as xr, InternalContext as xt, SignInCredentialsReturn as y, AtlassianProfile as yn, UserShapeTypeBox as yr, HostCookie as yt, ArktypeShapeToObject as z, MailchimpProfile as zn, ResponseType 
as zt };
|