@aura-stack/auth 0.6.0 → 0.7.0

Files changed (70)
  1. package/dist/@types/index.d.ts +2 -2
  2. package/dist/assert-_fBNnaOk.js +3 -0
  3. package/dist/assert-hDwQ_SPO.cjs +3 -0
  4. package/dist/client/index.cjs +1 -1
  5. package/dist/client/index.d.ts +1 -1
  6. package/dist/client/index.js +1 -1
  7. package/dist/crypto-D6_SoGMH.cjs +1 -0
  8. package/dist/crypto-DyrRzBSQ.js +1 -0
  9. package/dist/env-7as-tgzO.cjs +1 -0
  10. package/dist/env-CJtSi1eX.js +1 -0
  11. package/dist/errors-Czt_w1t_.js +1 -0
  12. package/dist/errors-DcK2ELlk.cjs +1 -0
  13. package/dist/identity-b8FCr0Oa.cjs +1 -0
  14. package/dist/{index-BkpwQ0l4.d.cts → index-C9U6ICDT.d.ts} +792 -275
  15. package/dist/index.cjs +1 -1
  16. package/dist/index.d.ts +1 -1
  17. package/dist/index.js +1 -1
  18. package/dist/{logger-C59_CDMk.js → logger-DjXkgSn5.js} +1 -1
  19. package/dist/{logger-UnUhYL2V.cjs → logger-G5PinyEc.cjs} +1 -1
  20. package/dist/oauth/atlassian.d.ts +1 -1
  21. package/dist/oauth/bitbucket.d.ts +1 -1
  22. package/dist/oauth/click-up.cjs +1 -0
  23. package/dist/oauth/click-up.d.ts +2 -0
  24. package/dist/oauth/click-up.js +1 -0
  25. package/dist/oauth/discord.d.ts +1 -1
  26. package/dist/oauth/dribbble.cjs +1 -0
  27. package/dist/oauth/dribbble.d.ts +2 -0
  28. package/dist/oauth/dribbble.js +1 -0
  29. package/dist/oauth/dropbox.d.ts +1 -1
  30. package/dist/oauth/figma.d.ts +1 -1
  31. package/dist/oauth/github.d.ts +1 -1
  32. package/dist/oauth/gitlab.d.ts +1 -1
  33. package/dist/oauth/index.cjs +1 -1
  34. package/dist/oauth/index.d.ts +2 -2
  35. package/dist/oauth/index.js +1 -1
  36. package/dist/oauth/mailchimp.d.ts +1 -1
  37. package/dist/oauth/notion.cjs +1 -1
  38. package/dist/oauth/notion.d.ts +1 -1
  39. package/dist/oauth/notion.js +1 -1
  40. package/dist/oauth/pinterest.d.ts +1 -1
  41. package/dist/oauth/spotify.d.ts +1 -1
  42. package/dist/oauth/strava.d.ts +1 -1
  43. package/dist/oauth/twitch.cjs +1 -1
  44. package/dist/oauth/twitch.d.ts +1 -1
  45. package/dist/oauth/twitch.js +1 -1
  46. package/dist/oauth/x.d.ts +1 -1
  47. package/dist/oauth-D3_mnBOx.js +1 -0
  48. package/dist/oauth-gPiWxjBd.cjs +1 -0
  49. package/dist/shared/crypto.cjs +1 -1
  50. package/dist/shared/crypto.d.ts +26 -2
  51. package/dist/shared/crypto.js +1 -1
  52. package/dist/shared/identity.cjs +1 -1
  53. package/dist/shared/identity.d.ts +2 -2
  54. package/dist/shared/identity.js +1 -1
  55. package/dist/shared/index.cjs +1 -1
  56. package/dist/shared/index.d.ts +1 -1
  57. package/dist/shared/index.js +1 -1
  58. package/package.json +9 -6
  59. package/dist/assert-B3iQSYlK.js +0 -3
  60. package/dist/assert-NJGroSJd.cjs +0 -3
  61. package/dist/crypto-Bz8nIciY.js +0 -1
  62. package/dist/crypto-CoXA5w_4.cjs +0 -1
  63. package/dist/env-bq387KyP.cjs +0 -1
  64. package/dist/env-nvh8QBNz.js +0 -1
  65. package/dist/errors-CCYPHuBO.cjs +0 -1
  66. package/dist/errors-DFWHOho6.js +0 -1
  67. package/dist/index-nqLV2t91.d.ts +0 -2279
  68. package/dist/index.d.cts +0 -2
  69. package/dist/oauth-BntNm6aE.cjs +0 -1
  70. package/dist/oauth-DmHy9VrB.js +0 -1
@@ -1,11 +1,17 @@
1
- import { ZodObject, ZodRawShape, ZodTypeAny, z } from "zod/v4";
2
- import { JWTPayload } from "@aura-stack/jose/jose";
3
- import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
4
1
  import * as _$_aura_stack_router0 from "@aura-stack/router";
5
2
  import { ClientOptions, GlobalContext } from "@aura-stack/router";
3
+ import { ZodObject, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
4
+ import { JWK, JWTPayload } from "@aura-stack/jose/jose";
5
+ import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, Prettify, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
6
6
  import { SerializeOptions } from "@aura-stack/router/cookie";
7
- import * as _$zod from "zod";
7
+ import * as valibot from "valibot";
8
+ import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
9
+ import { Type } from "arktype";
10
+ import { Static, TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
11
+ import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
8
12
  import * as _$zod_v4_core0 from "zod/v4/core";
13
+ import { infer as infer$1 } from "zod/v4/core";
14
+ import * as _$zod from "zod";
9
15
 
10
16
  //#region src/schemas.d.ts
11
17
  /**
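Review bot: The added `import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts"` ties the published declarations to an internal module path of arktype, which can stop resolving on any arktype release that moves or renames it. Together with the unconditional `valibot`, `arktype` and `typebox` imports, every consumer now needs all four validator packages resolvable to type-check this file, even when only Zod is used; whether package.json declares them as optional peers is not visible here. Giving the ArkType-typed export an explicit annotation built from the public `Type` export of `arktype` in the source would likely stop the bundler from emitting the internal path.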
@@ -72,17 +78,6 @@ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWT
72
78
  decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
73
79
  };
74
80
  //#endregion
75
- //#region src/shared/identity.d.ts
76
- declare const UserIdentity: z.ZodObject<{
77
- sub: z.ZodString;
78
- name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
79
- image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
80
- email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
81
- }, z.core.$strip>;
82
- type UserShape = (typeof UserIdentity)["shape"];
83
- type UserIdentityType = z.infer<typeof UserIdentity>;
84
- declare const createIdentity: <S extends EditableShape<UserShape>>(shape: S) => z.ZodObject<{ -readonly [P in keyof S]: S[P] }, z.core.$strip>;
85
- //#endregion
86
81
  //#region src/api/createApi.d.ts
87
82
  declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
88
83
  /**
@@ -165,6 +160,43 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
165
160
  signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
166
161
  };
167
162
  //#endregion
163
+ //#region src/shared/identity.d.ts
164
+ declare const UserIdentity: z.ZodObject<{
165
+ sub: z.ZodString;
166
+ name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
167
+ image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
168
+ email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
169
+ }, z.core.$strip>;
170
+ declare const UserIdentityValibot: valibot.ObjectSchema<{
171
+ readonly sub: valibot.StringSchema<undefined>;
172
+ readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
173
+ readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
174
+ readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
175
+ }, undefined>;
176
+ declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
177
+ sub: string;
178
+ name?: string | null | undefined;
179
+ image?: string | null | undefined;
180
+ email?: string | null | undefined;
181
+ }, {}>;
182
+ declare const UserIdentityTypeBox: Type$1.TObject<{
183
+ sub: Type$1.TString;
184
+ name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
185
+ image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
186
+ email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
187
+ }>;
188
+ type UserShape = typeof UserIdentity.shape;
189
+ type UserShapeValibot = typeof UserIdentityValibot.entries;
190
+ type UserShapeArkType = typeof UserIdentityArkType;
191
+ type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
192
+ type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
193
+ type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
194
+ type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
195
+ type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
196
+ type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox>;
197
+ type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : never;
198
+ declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
199
+ //#endregion
168
200
  //#region src/shared/logger.d.ts
169
201
  /**
170
202
  * Log message definitions organized by category.
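Review bot: `UserIdentityArkType` and `UserIdentityTypeBox` declare `email` as a plain nullable string, while `UserIdentity` (`z.ZodEmail`) and `UserIdentityValibot` (`valibot.EmailAction`) show an e-mail format check in their types. The declarations alone cannot show whether the ArkType and TypeBox defaults apply an equivalent runtime constraint, so this should be confirmed in `src/shared/identity` and stated in a TSDoc comment on each constant, e.g. `/** Default identity schema; email is format-validated. */` where that holds. `createIdentity` also has no comment explaining how the validator library is detected from the shape, and `ReturnShapeType` resolves silently to `never` for a shape that matches none of the four branches.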
@@ -475,6 +507,16 @@ declare const logMessages: {
475
507
  declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
476
508
  declare const createSyslogMessage: (options: SyslogOptions) => string;
477
509
  //#endregion
510
+ //#region src/validator/registry.d.ts
511
+ declare const createSchemaRegistry: <Identity extends SchemaTypes>(config: IdentityConfig<Identity>) => {
512
+ parse: (data?: unknown) => Promise<any>;
513
+ parseAsPartial: (data?: unknown) => Promise<any>;
514
+ parseWithJWT: (data?: unknown) => Promise<any>;
515
+ schema: any;
516
+ schemaAsPartial: any;
517
+ schemaWithJWT: any;
518
+ };
519
+ //#endregion
478
520
  //#region src/oauth/github.d.ts
479
521
  /**
480
522
  * @see [Get the authenticated user](https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user)
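Review bot: `parse`, `parseAsPartial` and `parseWithJWT` all return `Promise<any>`, and the three `schema*` members are `any`, so whatever this registry validates leaves it untyped. Callers can then read fields off the result without the compiler noticing a mismatch with the configured identity, which weakens the value of validating at all. Prefer `parse: (data?: unknown) => Promise<unknown>` (and the same for the other two), or a return type inferred from `Identity`, by annotating the function in `src/validator/registry` instead of relying on inference. A TSDoc line per method saying which input each one is meant for (session data, partial updates, JWT payloads) is also missing.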
@@ -1044,6 +1086,73 @@ interface AtlassianProfile {
1044
1086
  */
1045
1087
  declare const atlassian: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1046
1088
  //#endregion
1089
+ //#region src/oauth/click-up.d.ts
1090
+ /**
1091
+ * @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
1092
+ */
1093
+ interface ClickUpProfile {
1094
+ user: {
1095
+ id: number;
1096
+ username: string;
1097
+ email: string;
1098
+ color: string;
1099
+ profilePicture: string;
1100
+ initials: string;
1101
+ week_start_day: number;
1102
+ global_font_support: boolean;
1103
+ timezone: string;
1104
+ };
1105
+ }
1106
+ /**
1107
+ * ClickUp OAuth Provider
1108
+ *
1109
+ * @see [Click Up - Create your own app](https://help.clickup.com/hc/en-us/articles/6303422883095-Create-your-own-app-with-the-ClickUp-API)
1110
+ * @see [Click Up - Authentication](https://developer.clickup.com/docs/authentication)
1111
+ * @see [Click UP - Get Access Token](https://developer.clickup.com/reference/getaccesstoken)
1112
+ * @see [Click Up - Get Authorized User](https://developer.clickup.com/reference/getauthorizeduser)
1113
+ */
1114
+ declare const clickUp: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1115
+ //#endregion
1116
+ //#region src/oauth/dribbble.d.ts
1117
+ /**
1118
+ * @see [Dribble - User](https://developer.dribbble.com/v2/user/)
1119
+ */
1120
+ interface DribbbleDefault {
1121
+ id: number;
1122
+ name: string;
1123
+ login: string;
1124
+ html_url: string;
1125
+ avatar_url: string;
1126
+ bio: string;
1127
+ location: string;
1128
+ links?: {
1129
+ web?: string;
1130
+ twitter?: string;
1131
+ };
1132
+ created_at: string;
1133
+ }
1134
+ interface DribbbleTeams extends DribbbleDefault {
1135
+ type: "Team";
1136
+ updated_at: string;
1137
+ }
1138
+ interface DribbbleProfile extends DribbbleDefault {
1139
+ type: "User";
1140
+ /** Not documented but available in the API response */
1141
+ email: string | null;
1142
+ can_upload_shot: boolean;
1143
+ pro: boolean;
1144
+ followers_count: number;
1145
+ teams: DribbbleTeams[];
1146
+ }
1147
+ /**
1148
+ * Dribbble OAuth provider
1149
+ *
1150
+ * @see [Dribbble - Register Application](https://dribbble.com/account/applications/new)
1151
+ * @see [Dribbble - OAuth](https://developer.dribbble.com/v2/oauth/)
1152
+ * @see [Dribbble - User](https://developer.dribbble.com/v2/user/)
1153
+ */
1154
+ declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1155
+ //#endregion
1047
1156
  //#region src/oauth/index.d.ts
1048
1157
  declare const builtInOAuthProviders: {
1049
1158
  readonly github: <DefaultUser extends User = {
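Review bot: Neither `ClickUpProfile` nor `DribbbleProfile` carries a field saying the e-mail was verified by the provider, and `DribbbleProfile.email` is marked in its own comment as undocumented in the API. If the default profile mapping (not visible in this hunk) copies `email` into the user identity, applications should not treat it as proof of address ownership, for example when linking accounts. I would add that caveat to the TSDoc of `clickUp` and `dribbble`, e.g. `* Note: the provider e-mail is not marked as verified; do not use it on its own to link accounts.` The link labels "Click UP" and "Dribble" are also misspelled.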
@@ -1130,6 +1239,18 @@ declare const builtInOAuthProviders: {
1130
1239
  image?: string | null | undefined;
1131
1240
  email?: string | null | undefined;
1132
1241
  }>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1242
+ readonly clickUp: <DefaultUser extends User = {
1243
+ sub: string;
1244
+ name?: string | null | undefined;
1245
+ image?: string | null | undefined;
1246
+ email?: string | null | undefined;
1247
+ }>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1248
+ readonly dribbble: <DefaultUser extends User = {
1249
+ sub: string;
1250
+ name?: string | null | undefined;
1251
+ image?: string | null | undefined;
1252
+ email?: string | null | undefined;
1253
+ }>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1133
1254
  };
1134
1255
  /**
1135
1256
  * Constructs OAuth provider configurations from an array of provider names or configurations.
@@ -1147,6 +1268,196 @@ declare const builtInOAuthProviders: {
1147
1268
  declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
1148
1269
  type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
1149
1270
  //#endregion
1271
+ //#region src/@types/session.d.ts
1272
+ /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1273
+ type User = infer$1<typeof UserIdentity>;
1274
+ /**
1275
+ * Session data returned by the session endpoint.
1276
+ */
1277
+ interface Session<DefaultUser extends User = User> {
1278
+ user: DefaultUser;
1279
+ expires: string;
1280
+ }
1281
+ interface CryptoSecret {
1282
+ sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1283
+ encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1284
+ }
1285
+ interface AsymmetricKeyPairFromEnv {
1286
+ publicKey: string;
1287
+ privateKey: string;
1288
+ }
1289
+ interface AsymmetricKeyPair {
1290
+ publicKey: CryptoKey | JWK;
1291
+ privateKey: CryptoKey | JWK;
1292
+ }
1293
+ /**
1294
+ * A symmetric secret or asymmetric key pair used for JWT operations.
1295
+ *
1296
+ * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1297
+ * - CryptoKey: Web Crypto API key, for environments that support it
1298
+ * - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
1299
+ */
1300
+ type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
1301
+ /**
1302
+ * @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
1303
+ */
1304
+ type JWTKey = SecretKey;
1305
+ /**
1306
+ * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1307
+ * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1308
+ * - "sealed" → JWS nested inside JWE (signed then encrypted).
1309
+ */
1310
+ type JWTMode = "signed" | "encrypted" | "sealed";
1311
+ /**
1312
+ * Signing algorithms for "signed" and "sealed" modes.
1313
+ * Symmetric: HS256 | HS384 | HS512
1314
+ * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1315
+ */
1316
+ type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1317
+ /**
1318
+ * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1319
+ * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1320
+ * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1321
+ * RSA: RSA-OAEP | RSA-OAEP-256
1322
+ */
1323
+ type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1324
+ /** Content-encryption algorithms for JWE. */
1325
+ type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1326
+ /** Signed JWT mode configuration. */
1327
+ type JWTSignedMode = {
1328
+ mode: "signed";
1329
+ signingAlgorithm?: JWTSigningAlgorithm;
1330
+ };
1331
+ /** Encrypted JWT mode configuration. */
1332
+ type JWTEncryptedMode = {
1333
+ mode: "encrypted";
1334
+ keyAlgorithm?: JWTKeyAlgorithm;
1335
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1336
+ };
1337
+ /** Signed and Encrypted JWT mode configuration. */
1338
+ type JWTSealedMode = {
1339
+ mode?: "sealed";
1340
+ signingAlgorithm?: JWTSigningAlgorithm;
1341
+ keyAlgorithm?: JWTKeyAlgorithm;
1342
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1343
+ };
1344
+ /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1345
+ type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1346
+ /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1347
+ type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1348
+ type JWTConfig = Prettify$1<{
1349
+ /**
1350
+ * Token lifetime.
1351
+ */
1352
+ maxAge?: number;
1353
+ /**
1354
+ * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1355
+ * @example "https://auth.example.com"
1356
+ */
1357
+ issuer?: string;
1358
+ /**
1359
+ * JWT `aud` claim. Single value or array for multi-audience tokens.
1360
+ * @example ["https://api.example.com", "https://app.example.com"]
1361
+ */
1362
+ audience?: string | string[];
1363
+ /**
1364
+ * Maximum absolute session duration in seconds.
1365
+ * Required for "absolute" and "sliding" strategies.
1366
+ * Enforced via jose's maxTokenAge against the iat claim.
1367
+ */
1368
+ maxExpiration?: number;
1369
+ /**
1370
+ * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1371
+ */
1372
+ expirationStrategy?: JWTExpirationStrategy;
1373
+ } & JWTConfigBase>;
1374
+ /**
1375
+ * Stateless JWT strategy.
1376
+ * No database required. Tokens are self-contained and cannot be revoked
1377
+ * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1378
+ *
1379
+ * @example
1380
+ * {
1381
+ * strategy: "jwt",
1382
+ * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1383
+ * refreshToken: { enabled: true, maxAge: "7d" },
1384
+ * }
1385
+ */
1386
+ type StatelessStrategyConfig = {
1387
+ strategy?: "jwt";
1388
+ jwt?: JWTConfig;
1389
+ };
1390
+ /**
1391
+ * The session strategy. Determines which fields below are required.
1392
+ *
1393
+ * - "jwt": stateless. No database needed. JWTs are self-contained.
1394
+ * - "database": stateful. Every request hits the DB to validate the session.
1395
+ * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1396
+ *
1397
+ * @default "jwt"
1398
+ */
1399
+ type SessionConfig = StatelessStrategyConfig;
1400
+ /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1401
+ interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1402
+ session: Session<DefaultUser> | null;
1403
+ headers: Headers;
1404
+ }
1405
+ /**
1406
+ * Abstraction layer for session management.
1407
+ */
1408
+ interface SessionStrategy<DefaultUser extends User = User> {
1409
+ /**
1410
+ * Read and validate the session from an incoming request.
1411
+ * Returns null if absent, invalid, or expired. Never throws on auth failure.
1412
+ */
1413
+ getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1414
+ /**
1415
+ * Create a session after successful authentication.
1416
+ * Signs the JWT / writes the DB row / sets cookies.
1417
+ */
1418
+ createSession(session: User): Promise<string>;
1419
+ /**
1420
+ * Attempt to refresh using the refresh token cookie.
1421
+ * Returns null session + cookie-clearing response on any failure.
1422
+ */
1423
+ refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1424
+ session: Session<DefaultUser> | null;
1425
+ headers: Headers;
1426
+ }>;
1427
+ /**
1428
+ * Revoke a session by ID.
1429
+ * JWT strategy: best-effort (clears cookies, no server state).
1430
+ * Database / hybrid: marks row inactive.
1431
+ */
1432
+ revokeSession(sessionId: string): Promise<void>;
1433
+ /**
1434
+ * Destroy the session attached to this request (logout).
1435
+ * Returns a response that clears cookies.
1436
+ */
1437
+ destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1438
+ }
1439
+ /** Inputs for constructing a session strategy implementation for a given identity schema. */
1440
+ interface CreateSessionStrategyOptions<Identity extends Identities> {
1441
+ config?: SessionConfig;
1442
+ jose: JoseInstance<FromShapeToObject<Identity> & User>;
1443
+ cookies: () => CookieStoreConfig;
1444
+ logger?: InternalLogger;
1445
+ identity: SchemaRegistryContext;
1446
+ }
1447
+ /** Options specialized for the JWT-backed session strategy. */
1448
+ interface JWTStrategyOptions<DefaultUser extends User = User> {
1449
+ config?: StatelessStrategyConfig;
1450
+ jose: JoseInstance<DefaultUser>;
1451
+ logger?: InternalLogger;
1452
+ cookies: () => CookieStoreConfig;
1453
+ identity: SchemaRegistryContext;
1454
+ }
1455
+ /** Minimal token issue/verify surface used by session code paths. */
1456
+ type JWTManager<DefaultUser extends User = User> = {
1457
+ createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1458
+ verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1459
+ };
1460
+ //#endregion
1150
1461
  //#region src/@types/oauth.d.ts
1151
1462
  /** Known query parameter names supported when building an OAuth authorization URL. */
1152
1463
  type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
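Review bot: The `StatelessStrategyConfig` example sets `maxAge: "15m"` and a `refreshToken` block, but `JWTConfig.maxAge` is declared as `number` with no unit in its comment and `StatelessStrategyConfig` has no `refreshToken` member. A wrong unit on a token lifetime directly lengthens how long a non-revocable JWT stays valid, so the comment should state it, e.g. `/** Token lifetime in seconds. */` if that matches the implementation, and the example should use values the type accepts. The `SessionConfig` comment likewise describes "database" and "hybrid" strategies that the alias does not admit. The `skipCSRFCheck` parameters on `refreshSession` and `destroySession` have no note on when skipping the check is acceptable, which is worth one sentence each.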
@@ -1214,7 +1525,7 @@ type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<
1214
1525
  * Main configuration interface for Aura Auth.
1215
1526
  * This is the user-facing configuration object passed to `createAuth()`.
1216
1527
  */
1217
- interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1528
+ type AuthConfig<Identity extends Identities> = {
1218
1529
  /**
1219
1530
  * OAuth providers available in the authentication and authorization flows. It provides a type-inference
1220
1531
  * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
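Review bot: `AuthConfig` lost its generic default when it became a type alias, so existing code that writes `AuthConfig` without a type argument stops compiling after this upgrade. Keeping the default preserves compatibility: `type AuthConfig<Identity extends Identities = EditableShape<UserShape>> = {`. The alias body continues past this hunk.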
@@ -1245,7 +1556,7 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1245
1556
  * ]
1246
1557
  * ```
1247
1558
  */
1248
- oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, ShapeToObject<Identity>>)[];
1559
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
1249
1560
  /**
1250
1561
  * Cookie options defines the configuration for cookies used in Aura Auth.
1251
1562
  * It includes a prefix for cookie names and flag options to determine
@@ -1269,6 +1580,27 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1269
1580
  * Secret used to sign and verify JWT tokens for session and csrf protection.
1270
1581
  * If not provided, it will load from the environment variable `AURA_AUTH_SECRET` or `AUTH_SECRET`, but if it
1271
1582
  * doesn't exist, it will throw an error during the initialization of the Auth module.
1583
+ *
1584
+ * > It can be a string, a Uint8Array, a CryptoKey, a CryptoKeyPair, or an object containing separate keys for
1585
+ * signing and encryption. It depends on the JWT mode and algorithms you choose in the session configuration.
1586
+ * The default mode is "sealed" (signing + encryption), so if the secret is a string or Uint8Array, it will derive
1587
+ * separate keys for signing and encryption using HKDF, but if you provide a CryptoKeyPair, it will required to
1588
+ * pass separate keys for signing and encryption in the `CryptoSecret` format.
1589
+ * @example
1590
+ * import { createSecretValue } from "@aura-stack/auth/crypto"
1591
+ *
1592
+ * secret: createSecretValue(32)
1593
+ *
1594
+ * // For asymmetric keys, generate a key pair and pass the private
1595
+ * import { createKeyPair } from "@aura-stack/auth/crypto"
1596
+ *
1597
+ * const signing = await createKeyPair("RS256", { extractable: true })
1598
+ * const encryption = await createKeyPair("RSA-OAEP-256", { extractable: true })
1599
+ *
1600
+ * secret: {
1601
+ * sign: signing,
1602
+ * encrypt: encryption,
1603
+ * }
1272
1604
  */
1273
1605
  secret?: JWTKey;
1274
1606
  /**
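Review bot: The asymmetric example calls `createKeyPair(..., { extractable: true })` for both the signing and the encryption pair, and readers will copy that as the default. Extractable private keys can be exported from the runtime, so the example should either drop the option or say that it is needed only when the keys must be serialized; whether the option is optional cannot be seen from this hunk. The comment line `// For asymmetric keys, generate a key pair and pass the private` is cut off mid-sentence, and "it will required to" should read "you are required to". It is also unclear from the example whether `createSecretValue(32)` returns a fresh random value on each call; if it does, the comment should say the value must be generated once and persisted rather than created at startup.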
@@ -1279,45 +1611,11 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1279
1611
  * Base path for all authentication routes. Default is `/auth`.
1280
1612
  */
1281
1613
  basePath?: `/${string}`;
1282
- /**
1283
- * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1284
- * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1285
- * to determine the original client IP address and protocol.
1286
- *
1287
- * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1288
- * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1289
- * inaccurate client IP logging.
1290
- *
1291
- * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1292
- *
1293
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1294
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1295
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1296
- * @experimental
1297
- */
1298
- trustedProxyHeaders?: boolean;
1299
1614
  /**
1300
1615
  * Logger configuration for handling authentication-related logs and errors. It can be set to `true`,
1301
1616
  * `DEBUG=true`, `LOG_LEVEL=debug`, or a custom logger. It implements the syslog format.
1302
1617
  */
1303
1618
  logger?: boolean | Logger;
1304
- /**
1305
- * Defines trusted origins for your application to prevent open redirect attacks.
1306
- * URLs from the Referer header, Origin header, request URL, and redirectTo option
1307
- * are validated against this list before redirecting.
1308
- *
1309
- * - **Exact URL**: `https://example.com` matches only that origin.
1310
- * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1311
- * @example
1312
- * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1313
- *
1314
- *
1315
- * trustedOrigins: async (request) => {
1316
- * const origin = new URL(request.url).origin
1317
- * return [origin, "https://admin.example.com"]
1318
- * }
1319
- */
1320
- trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1321
1619
  /**
1322
1620
  * Defines the session management strategy for Aura Auth. It determines how sessions are created, stored, and validated.
1323
1621
  */
@@ -1344,15 +1642,110 @@ interface AuthConfig<Identity extends EditableShape<UserShape> = EditableShape<U
1344
1642
  * }
1345
1643
  */
1346
1644
  identity?: Partial<{
1645
+ /**
1646
+ * Skip schema validation for session data, JWT payloads, and OAuth profiles.
1647
+ * This can be useful for performance optimization if you are certain that the
1648
+ * data is valid, but it can lead to security vulnerabilities if misused.
1649
+ * > ⚠️ WARNING: Use this option with caution.
1650
+ */
1347
1651
  skipValidation: boolean;
1348
- schema: ZodObject<Identity>;
1652
+ /**
1653
+ * Custom schema validation for user identity data. It supports any Zod, Arktype,
1654
+ * Valibot or Typebox schema. Use `createIdentity` helper function to create a schema
1655
+ * with the correct shape and inference.
1656
+ */
1657
+ schema: ConfigSchema<Identity>;
1658
+ /**
1659
+ * Defines how unknown keys are handled during schema validation. It can be set to:
1660
+ * - `passthrough`: Unknown keys are allowed and included in the validated data.
1661
+ * - `strict`: Unknown keys will cause validation to fail with an error.
1662
+ * - `strip`: Unknown keys are removed from the validated data.
1663
+ */
1349
1664
  unknownKeys: "passthrough" | "strict" | "strip";
1350
1665
  }>;
1351
1666
  /**
1352
1667
  * Credentials provider for username/password or similar authentication.
1353
1668
  */
1354
1669
  credentials?: CredentialsProvider<Identity>;
1355
- }
1670
+ } & TrustedProxyHeadersConfig;
1671
+ type TrustedProxyHeadersConfig = {
1672
+ /**
1673
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1674
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1675
+ * to determine the original client IP address and protocol.
1676
+ *
1677
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1678
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1679
+ * inaccurate client IP logging.
1680
+ *
1681
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1682
+ *
1683
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1684
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1685
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1686
+ * @experimental
1687
+ */
1688
+ trustedProxyHeaders: true;
1689
+ /**
1690
+ * Defines trusted origins for your application to prevent open redirect attacks.
1691
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1692
+ * are validated against this list before redirecting.
1693
+ *
1694
+ * - **Exact URL**: `https://example.com` matches only that origin.
1695
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1696
+ *
1697
+ * > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
1698
+ * Only include origins that you control and trust.
1699
+ *
1700
+ * @example
1701
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1702
+ *
1703
+ * trustedOrigins: async (request) => {
1704
+ * const origin = new URL(request.url).origin
1705
+ * return [origin, "https://admin.example.com"]
1706
+ * }
1707
+ */
1708
+ trustedOrigins: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1709
+ } | {
1710
+ /**
1711
+ * Enable trusted proxy headers for scenarios where the application is behind a reverse proxy or load balancer.
1712
+ * This setting allows Aura Auth to correctly interpret headers like `X-Forwarded-For` and `X-Forwarded-Proto`
1713
+ * to determine the original client IP address and protocol.
1714
+ *
1715
+ * Default is `false`. Enable this option only if you are certain that your application is behind a trusted proxy.
1716
+ * Misconfiguration can lead to security vulnerabilities, such as incorrect handling of secure cookies or
1717
+ * inaccurate client IP logging.
1718
+ *
1719
+ * This value can also be set via environment variable as `AURA_AUTH_TRUSTED_PROXY_HEADERS`
1720
+ *
1721
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
1722
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
1723
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
1724
+ * @experimental
1725
+ */
1726
+ trustedProxyHeaders?: false;
1727
+ /**
1728
+ * Defines trusted origins for your application to prevent open redirect attacks.
1729
+ * URLs from the Referer header, Origin header, request URL, and redirectTo option
1730
+ * are validated against this list before redirecting.
1731
+ *
1732
+ * - **Exact URL**: `https://example.com` matches only that origin.
1733
+ * - **Subdomain wildcard**: `https://*.example.com` matches `https://app.example.com`, `https://api.example.com`, etc.
1734
+ *
1735
+ * > **⚠️ WARNING:** Ensure that the trusted origins are configured correctly to prevent open redirect vulnerabilities.
1736
+ * Only include origins that you control and trust.
1737
+ *
1738
+ * @example
1739
+ * trustedOrigins: ["https://example.com", "https://*.example.com", "http://localhost:3000"]
1740
+ *
1741
+ * trustedOrigins: async (request) => {
1742
+ * const origin = new URL(request.url).origin
1743
+ * return [origin, "https://admin.example.com"]
1744
+ * }
1745
+ *
1746
+ */
1747
+ trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1748
+ };
1356
1749
  /**
1357
1750
  * Cookie type with __Secure- prefix, must be Secure.
1358
1751
  * @see https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-__secure-prefix
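Review bot: The union makes `trustedOrigins` mandatory only when `trustedProxyHeaders: true` appears in the config object, yet the comment says the flag can also be enabled through `AURA_AUTH_TRUSTED_PROXY_HEADERS`, a path the type checker cannot see. Unless the runtime rejects that combination (not visible here), proxy headers can end up trusted with no origin allow-list; the comment should state what happens, and initialization should fail when the env flag is set and `trustedOrigins` is missing. The callback example returns `new URL(request.url).origin` as trusted, which would echo a request-derived origin into the allow-list if the URL is built from forwarded headers, so a fixed list is a safer example for the `trustedProxyHeaders: true` branch. The two branches repeat the same TSDoc blocks verbatim; sharing them through a base type in the source would keep them from drifting apart. The `skipValidation` warning could also name the consequence, for instance that unvalidated JWT payloads and OAuth profiles reach the session as-is.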
@@ -1386,10 +1779,9 @@ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
1386
1779
  * - `sessionToken`: User session JWT
1387
1780
  * - `csrfToken`: CSRF protection token
1388
1781
  * - `state`: OAuth state parameter for CSRF protection
1389
- * - `code_verifier`: PKCE code verifier for authorization code flow
1390
- * - `redirect_uri`: OAuth callback URI
1391
- * - `redirect_to`: Post-authentication redirect path
1392
- * - `nonce`: OpenID Connect nonce parameter
1782
+ * - `codeVerifier`: PKCE code verifier for authorization code flow
1783
+ * - `redirectURI`: OAuth callback URI
1784
+ * - `redirectTo`: Post-authentication redirect path
1393
1785
  */
1394
1786
  type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
1395
1787
  /** Resolved cookie names and serialization attributes for each logical auth cookie. */
@@ -1402,6 +1794,10 @@ interface CookieConfig {
1402
1794
  * Prefix to be added to all cookie names. By default "aura-stack".
1403
1795
  */
1404
1796
  prefix?: string;
1797
+ /**
1798
+ * Overrides for individual cookie configurations.
1799
+ * @see {@link CookieStoreConfig} for the structure of each cookie configuration.
1800
+ */
1405
1801
  overrides?: Partial<CookieStoreConfig>;
1406
1802
  }
1407
1803
  /**
@@ -1454,8 +1850,9 @@ interface InternalLogger {
1454
1850
  * Identity validation settings used when building session strategy and OAuth profile mapping.
1455
1851
  * Controls the Zod schema and how unknown keys are handled on user objects.
1456
1852
  */
1457
- interface IdentityConfig<Schema extends ZodObject<any> = typeof UserIdentity> {
1853
+ interface IdentityConfig<Schema extends SchemaTypes = typeof UserIdentity> {
1458
1854
  schema?: Schema;
1855
+ schemaAsPartial?: Schema;
1459
1856
  skipValidation?: boolean;
1460
1857
  unknownKeys?: "passthrough" | "strict" | "strip";
1461
1858
  }
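Review bot: The added `schemaAsPartial?: Schema` has no doc comment and uses the same type parameter as `schema`, so the declaration does not say which of the two validates what, or what happens when only one is supplied. `skipValidation` and `unknownKeys` in the same interface are also undocumented, although the interface comment says these settings control how user objects are validated. A line per field in the source type would help, for example `/** Partial form of the identity schema; presumably used for partial user updates — confirm. */` on the new field, plus a note on `skipValidation` stating exactly which checks it turns off.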
@@ -1485,14 +1882,14 @@ interface CredentialsProviderContext<T> {
1485
1882
  /**
1486
1883
  * Interface for the credentials provider.
1487
1884
  */
1488
- interface CredentialsProvider<Identity extends EditableShape<UserShape> = EditableShape<UserShape>> {
1885
+ interface CredentialsProvider<Identity extends Identities> {
1489
1886
  hash?: (password: string, salt?: string, iterations?: number) => Promise<string>;
1490
1887
  verify?: (password: string, hashedPassword: string) => Promise<boolean>;
1491
1888
  /**
1492
1889
  * Authenticates a user using credentials.
1493
1890
  * Must return a User object or the identity type if the identity schema is provided.
1494
1891
  */
1495
- authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<ShapeToObject<Identity> | null> | ShapeToObject<Identity> | null;
1892
+ authorize: (ctx: CredentialsProviderContext<CredentialsPayload>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
1496
1893
  }
1497
1894
  /**
1498
1895
  * Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
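Review bot: `CredentialsProvider<Identity extends Identities>` drops the default type argument the previous declaration had, so a consumer that annotated with a bare `CredentialsProvider` no longer compiles after the upgrade. `createAuth` later in this file keeps `= EditableShape<UserShape>` as its default, so restoring it here would be consistent: `interface CredentialsProvider<Identity extends Identities = EditableShape<UserShape>> {`. The `hash` and `verify` hooks are still undocumented; a line on each stating the expected hash format and the meaning of the `salt` and `iterations` arguments would help anyone supplying their own implementation.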
@@ -1510,11 +1907,12 @@ interface RouterGlobalContext<DefaultUser extends User = User> {
1510
1907
  trustedOrigins?: TrustedOrigin[] | ((request: Request) => Promise<TrustedOrigin[]> | TrustedOrigin[]);
1511
1908
  logger?: InternalLogger;
1512
1909
  sessionStrategy: SessionStrategy<DefaultUser>;
1513
- identity: {
1514
- unknownKeys: "passthrough" | "strict" | "strip";
1515
- schema: ZodObject<any>;
1516
- skipValidation?: boolean;
1517
- };
1910
+ identity: SchemaRegistryContext;
1911
+ }
1912
+ interface SchemaRegistryContext {
1913
+ schemaRegistry: ReturnType<typeof createSchemaRegistry>;
1914
+ skipValidation?: boolean;
1915
+ unknownKeys: "passthrough" | "strict" | "strip";
1518
1916
  }
1519
1917
  /**
1520
1918
  * Internal runtime configuration used within Aura Auth after initialization.
@@ -1525,8 +1923,17 @@ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<De
1525
1923
  * Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
1526
1924
  */
1527
1925
  interface AuthInstance<DefaultUser extends User = User> {
1926
+ /**
1927
+ * Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
1928
+ */
1528
1929
  api: AuthAPI<DefaultUser>;
1930
+ /**
1931
+ * JOSE helper functions for signin, encryption and verification of JWTs.
1932
+ */
1529
1933
  jose: JoseInstance<DefaultUser>;
1934
+ /**
1935
+ * HTTP handlers for mounting on a router or server.
1936
+ */
1530
1937
  handlers: {
1531
1938
  GET: (request: Request) => Response | Promise<Response>;
1532
1939
  POST: (request: Request) => Response | Promise<Response>;
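Review bot: The new comment on `jose` says "JOSE helper functions for signin, encryption and verification of JWTs"; "signin" looks like a typo for "signing", and in an auth library it reads as sign-in. Suggested wording: `* JOSE helper functions for signing, encrypting and verifying JWTs.` The `handlers` member continues past the end of this hunk.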
@@ -1537,196 +1944,13 @@ interface AuthInstance<DefaultUser extends User = User> {
1537
1944
  /**
1538
1945
  * Extended context used inside the library with both secure and standard cookie materializations.
1539
1946
  */
1540
- type InternalContext<Identity extends EditableShape<UserShape>> = RouterGlobalContext<ShapeToObject<Identity> & User> & {
1947
+ type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity> & User> & {
1541
1948
  cookieConfig: {
1542
1949
  secure: CookieStoreConfig;
1543
1950
  standard: CookieStoreConfig;
1544
1951
  };
1545
1952
  };
1546
1953
  //#endregion
1547
- //#region src/@types/session.d.ts
1548
- /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1549
- type User = UserIdentityType;
1550
- /**
1551
- * Session data returned by the session endpoint.
1552
- */
1553
- interface Session<DefaultUser extends User = User> {
1554
- user: DefaultUser;
1555
- expires: string;
1556
- }
1557
- /**
1558
- * A symmetric secret or asymmetric key pair used for JWT operations.
1559
- *
1560
- * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1561
- * - CryptoKey: Web Crypto API key, for environments that support it
1562
- * - KeyPair: asymmetric signing (RS256, ES256, EdDSA, etc.)
1563
- */
1564
- type SecretKey = string | Uint8Array | CryptoKey;
1565
- /** Asymmetric key pair for signing or key agreement (Web Crypto `CryptoKey` pair). */
1566
- interface KeyPair {
1567
- privateKey: CryptoKey;
1568
- publicKey: CryptoKey;
1569
- }
1570
- /**
1571
- * @todo: add key rotation support for "SecretKey | KeyPair | [SecretKey | KeyPair, ...(SecretKey | KeyPair)[]]"
1572
- */
1573
- type JWTKey = SecretKey;
1574
- /**
1575
- * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1576
- * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1577
- * - "sealed" → JWS nested inside JWE (signed then encrypted).
1578
- */
1579
- type JWTMode = "signed" | "encrypted" | "sealed";
1580
- /**
1581
- * Signing algorithms for "signed" and "sealed" modes.
1582
- * Symmetric: HS256 | HS384 | HS512
1583
- * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1584
- */
1585
- type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1586
- /**
1587
- * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1588
- * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1589
- * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1590
- * RSA: RSA-OAEP | RSA-OAEP-256
1591
- */
1592
- type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1593
- /** Content-encryption algorithms for JWE. */
1594
- type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1595
- /** Signed JWT mode configuration. */
1596
- type JWTSignedMode = {
1597
- mode: "signed";
1598
- signingAlgorithm?: JWTSigningAlgorithm;
1599
- };
1600
- /** Encrypted JWT mode configuration. */
1601
- type JWTEncryptedMode = {
1602
- mode: "encrypted";
1603
- keyAlgorithm?: JWTKeyAlgorithm;
1604
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
1605
- };
1606
- /** Signed and Encrypted JWT mode configuration. */
1607
- type JWTSealedMode = {
1608
- mode?: "sealed";
1609
- signingAlgorithm?: JWTSigningAlgorithm;
1610
- keyAlgorithm?: JWTKeyAlgorithm;
1611
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
1612
- };
1613
- /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1614
- type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1615
- /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1616
- type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1617
- type JWTConfig = {
1618
- /**
1619
- * Token lifetime.
1620
- */
1621
- maxAge?: number;
1622
- /**
1623
- * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1624
- * @example "https://auth.example.com"
1625
- */
1626
- issuer?: string;
1627
- /**
1628
- * JWT `aud` claim. Single value or array for multi-audience tokens.
1629
- * @example ["https://api.example.com", "https://app.example.com"]
1630
- */
1631
- audience?: string | string[];
1632
- /**
1633
- * Maximum absolute session duration in seconds.
1634
- * Required for "absolute" and "sliding" strategies.
1635
- * Enforced via jose's maxTokenAge against the iat claim.
1636
- */
1637
- maxExpiration?: number;
1638
- /**
1639
- * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1640
- */
1641
- expirationStrategy?: JWTExpirationStrategy;
1642
- } & JWTConfigBase;
1643
- /**
1644
- * Stateless JWT strategy.
1645
- * No database required. Tokens are self-contained and cannot be revoked
1646
- * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1647
- *
1648
- * @example
1649
- * {
1650
- * strategy: "jwt",
1651
- * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1652
- * refreshToken: { enabled: true, maxAge: "7d" },
1653
- * }
1654
- */
1655
- type StatelessStrategyConfig = {
1656
- strategy?: "jwt";
1657
- jwt?: JWTConfig;
1658
- };
1659
- /**
1660
- * The session strategy. Determines which fields below are required.
1661
- *
1662
- * - "jwt": stateless. No database needed. JWTs are self-contained.
1663
- * - "database": stateful. Every request hits the DB to validate the session.
1664
- * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1665
- *
1666
- * @default "jwt"
1667
- */
1668
- type SessionConfig = StatelessStrategyConfig;
1669
- /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1670
- interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1671
- session: Session<DefaultUser> | null;
1672
- headers: Headers;
1673
- }
1674
- /**
1675
- * Abstraction layer for session management.
1676
- */
1677
- interface SessionStrategy<DefaultUser extends User = User> {
1678
- /**
1679
- * Read and validate the session from an incoming request.
1680
- * Returns null if absent, invalid, or expired. Never throws on auth failure.
1681
- */
1682
- getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1683
- /**
1684
- * Create a session after successful authentication.
1685
- * Signs the JWT / writes the DB row / sets cookies.
1686
- */
1687
- createSession(session: User): Promise<string>;
1688
- /**
1689
- * Attempt to refresh using the refresh token cookie.
1690
- * Returns null session + cookie-clearing response on any failure.
1691
- */
1692
- refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1693
- session: Session<DefaultUser> | null;
1694
- headers: Headers;
1695
- }>;
1696
- /**
1697
- * Revoke a session by ID.
1698
- * JWT strategy: best-effort (clears cookies, no server state).
1699
- * Database / hybrid: marks row inactive.
1700
- */
1701
- revokeSession(sessionId: string): Promise<void>;
1702
- /**
1703
- * Destroy the session attached to this request (logout).
1704
- * Returns a response that clears cookies.
1705
- */
1706
- destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1707
- }
1708
- /** Inputs for constructing a session strategy implementation for a given identity schema. */
1709
- interface CreateSessionStrategyOptions<Identity extends EditableShape<UserShape>> {
1710
- config?: SessionConfig;
1711
- jose: JoseInstance<ShapeToObject<Identity> & User>;
1712
- cookies: () => CookieStoreConfig;
1713
- logger?: InternalLogger;
1714
- identity: IdentityConfig;
1715
- }
1716
- /** Options specialized for the JWT-backed session strategy. */
1717
- interface JWTStrategyOptions<DefaultUser extends User = User> {
1718
- config?: StatelessStrategyConfig;
1719
- jose: JoseInstance<DefaultUser>;
1720
- logger?: InternalLogger;
1721
- cookies: () => CookieStoreConfig;
1722
- identity: IdentityConfig;
1723
- }
1724
- /** Minimal token issue/verify surface used by session code paths. */
1725
- type JWTManager<DefaultUser extends User = User> = {
1726
- createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1727
- verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1728
- };
1729
- //#endregion
1730
1954
  //#region src/@types/utility.d.ts
1731
1955
  /** Expands intersection types into a single flat object type for readable editor hints. */
1732
1956
  type Prettify$1<T> = { [K in keyof T]: T[K] };
@@ -1739,23 +1963,85 @@ type LiteralUnion<T extends U, U = string> = T | (U & Record<never, never>);
1739
1963
  * Transforms a Zod raw shape so nested `ZodObject` fields become editable (same structure, for config authoring).
1740
1964
  */
1741
1965
  type EditableShape<T extends ZodRawShape> = { [K in keyof T]: T[K] extends ZodObject<infer Inner extends ZodRawShape> ? ZodObject<EditableShape<Inner>> : ZodTypeAny };
1966
+ type EditableShapeZod<T extends ZodRawShape> = EditableShape<T>;
1967
+ type AnyShape = Record<string, AnySchema>;
1968
+ type EditableShapeValibot<T extends ObjectEntries> = { [K in keyof T]: T[K] extends ObjectSchema<infer Inner extends AnyShape, undefined> ? ObjectSchema<EditableShapeValibot<Inner>, undefined> : BaseSchema<any, any, any> };
1969
+ type EditableShapeTypebox<T extends TProperties> = { [K in keyof T]: T[K] extends TObject ? Wrap<EditableShapeTypebox<T[K]["properties"]>> : TSchema };
1970
+ type ConfigSchema<T extends Identities> = IsZod<T> extends true ? ZodObject<T & ZodRawShape> : T extends EditableShapeValibot<UserShapeValibot> ? ObjectSchema<T & ObjectEntries, undefined> : IsArkType<T> extends true ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? TObject<T & TProperties> : never;
1971
+ type ValibotShapeToObject<S extends ObjectEntries> = Merge<InferOutput<ObjectSchema<S, undefined>>, User>;
1972
+ type ArktypeShapeToObject<S extends Type> = S extends Type<infer Shape> ? Wrap<Merge<Shape, User>> : never;
1973
+ type TypeboxShapeToObject<S extends TProperties> = S extends TProperties ? Wrap<Merge<Static<TObject<S>>, User>> : never;
1974
+ type EditableShapeArkType<T extends Type> = T extends Type<infer Shape> ? Type<{ [K in keyof Shape]: any }> : never;
1742
1975
  /** Merges type `B` over `A`, replacing overlapping keys with `B`. */
1743
1976
  type Merge<A, B> = Omit<A, keyof B> & B;
1744
1977
  /**
1745
1978
  * Infers the runtime object type from a Zod `shape` and intersects it with {@link User}
1746
1979
  * so identity fields always include the base user contract.
1747
1980
  */
1748
- type ShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<{ [K in keyof S]: z.infer<S[K]> }, User>;
1981
+ type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
1982
+ type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : never;
1749
1983
  /** Recursively makes every property required. */
1750
1984
  type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
1751
1985
  /** Recursively makes every property optional. */
1752
1986
  type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
1753
- /** Resolves the user identity type from an {@link AuthInstance} config, or falls back to {@link User}. */
1754
- type InferAuthIdentity<Config> = Config extends AuthInstance<infer Identity> ? Prettify$1<Identity> : User;
1755
- /** Shorthand for a Zod object’s `.shape` property. */
1756
- type InferShape<T extends ZodObject> = T["shape"];
1757
- /** Runtime user object type inferred from a Zod identity schema. */
1758
- type InferIdentity<T extends ZodObject> = ShapeToObject<InferShape<T>>;
1987
+ /** Wraps a type in an object with the same keys. */
1988
+ type Wrap<T> = T extends any ? { [K in keyof T]: T[K] } : never;
1989
+ /**
1990
+ * Infers the user type from an {@link AuthInstance} config, or falls back to {@link User}.
1991
+ * @example
1992
+ * const auth = createAuth({
1993
+ * oauth: [],
1994
+ * identity: UserIdentity.extend({
1995
+ * role: z.string().nullable().optional(),
1996
+ * username: z.string().optional(),
1997
+ * })
1998
+ * })
1999
+ *
2000
+ * type User = InferUser<typeof auth>
2001
+ */
2002
+ type InferUser<Config extends AuthInstance> = Config extends AuthInstance<infer Identity> ? Prettify$1<Identity> : User;
2003
+ /**
2004
+ * Infers the session type from an {@link AuthInstance} config.
2005
+ * @example
2006
+ * const auth = createAuth({
2007
+ * oauth: [],
2008
+ * identity: UserIdentity.extend({
2009
+ * role: z.string().nullable().optional(),
2010
+ * username: z.string().optional(),
2011
+ * })
2012
+ * })
2013
+ *
2014
+ * type Session = InferSession<typeof auth>
2015
+ */
2016
+ type InferSession<Config extends AuthInstance> = Prettify$1<Session<Wrap<InferUser<Config>>>>;
2017
+ /**
2018
+ * Shorthand for a Zod object’s `.shape` property.
2019
+ */
2020
+ type InferZodShape<T extends ZodObject> = T["shape"];
2021
+ /**
2022
+ * Infers the user type from a Zod identity schema, or falls back to {@link User}.
2023
+ * @example
2024
+ * const schema = z.object({
2025
+ * sub: z.string(),
2026
+ * role: z.string().nullable().optional(),
2027
+ * username: z.string().optional(),
2028
+ * })
2029
+ *
2030
+ * type User = UserFrom<typeof schema>
2031
+ */
2032
+ type UserFrom<T extends ZodObject> = Prettify$1<ZodShapeToObject<InferZodShape<T>>>;
2033
+ /**
2034
+ * Infers the session type from a Zod identity schema.
2035
+ * @example
2036
+ * const schema = z.object({
2037
+ * sub: z.string(),
2038
+ * role: z.string().nullable().optional(),
2039
+ * username: z.string().optional(),
2040
+ * })
2041
+ *
2042
+ * type Session = SessionFrom<typeof schema>
2043
+ */
2044
+ type SessionFrom<T extends ZodObject> = Wrap<Session<Wrap<UserFrom<T>>>>;
1759
2045
  /**
1760
2046
  * HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
1761
2047
  */
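Review bot: `InferAuthIdentity`, `InferShape`, `InferIdentity` and `ShapeToObject` are removed here and replaced by `InferUser`, `InferZodShape`, `UserFrom` and `ZodShapeToObject`, with no deprecated alias left behind. The old export list at the end of the file shows the first four as public names, so consumers importing them would break on upgrade unless the new export list (not visible here) still carries them. Keeping thin aliases for one release would avoid that, e.g. `/** @deprecated Use InferUser. */ type InferAuthIdentity<Config extends AuthInstance> = InferUser<Config>;`. Separately, the new `Wrap`, `FromShapeToObject` and `EditableShape*` helpers have either a vague comment or none; one sentence each on which schema library they serve would make the conditional chain easier to audit.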
@@ -1764,7 +2050,7 @@ type AuthResponse<Body = unknown> = Prettify$1<Omit<Response, "json"> & {
1764
2050
  }>;
1765
2051
  //#endregion
1766
2052
  //#region src/createAuth.d.ts
1767
- declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(authConfig: AuthConfig<Identity>) => {
2053
+ declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
1768
2054
  handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"GET", "/signIn/:oauth", {
1769
2055
  schemas?: {
1770
2056
  params: _$zod.ZodObject<{
@@ -1784,6 +2070,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1784
2070
  notion: "notion";
1785
2071
  dropbox: "dropbox";
1786
2072
  atlassian: "atlassian";
2073
+ clickUp: "clickUp";
2074
+ dribbble: "dribbble";
1787
2075
  }>;
1788
2076
  }, _$zod_v4_core0.$strip>;
1789
2077
  searchParams: _$zod.ZodObject<{
@@ -1791,7 +2079,62 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1791
2079
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1792
2080
  }, _$zod_v4_core0.$strip>;
1793
2081
  } | undefined;
1794
- }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signIn/credentials", {
2082
+ use?: _$_aura_stack_router0.MiddlewareFunction<"/signIn/:oauth", {
2083
+ params: _$zod.ZodObject<{
2084
+ oauth: _$zod.ZodEnum<{
2085
+ [x: string & Record<never, never>]: string & Record<never, never>;
2086
+ github: "github";
2087
+ bitbucket: "bitbucket";
2088
+ figma: "figma";
2089
+ discord: "discord";
2090
+ gitlab: "gitlab";
2091
+ spotify: "spotify";
2092
+ x: "x";
2093
+ strava: "strava";
2094
+ mailchimp: "mailchimp";
2095
+ pinterest: "pinterest";
2096
+ twitch: "twitch";
2097
+ notion: "notion";
2098
+ dropbox: "dropbox";
2099
+ atlassian: "atlassian";
2100
+ clickUp: "clickUp";
2101
+ dribbble: "dribbble";
2102
+ }>;
2103
+ }, _$zod_v4_core0.$strip>;
2104
+ searchParams: _$zod.ZodObject<{
2105
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2106
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2107
+ }, _$zod_v4_core0.$strip>;
2108
+ }>[] | undefined;
2109
+ }, (ctx: {
2110
+ params: {
2111
+ oauth: "github" | "bitbucket" | "figma" | "discord" | "gitlab" | "spotify" | "x" | "strava" | "mailchimp" | "pinterest" | "twitch" | "notion" | "dropbox" | "atlassian" | "clickUp" | "dribbble" | (string & Record<never, never>);
2112
+ };
2113
+ body: undefined;
2114
+ searchParams: {
2115
+ redirect: boolean;
2116
+ redirectTo?: string | undefined;
2117
+ };
2118
+ headers: _$_aura_stack_router0.HeadersBuilder;
2119
+ request: Request;
2120
+ url: URL;
2121
+ method: "GET";
2122
+ route: "/signIn/:oauth";
2123
+ context: _$_aura_stack_router0.GlobalContext;
2124
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2125
+ }) => Promise<Prettify$1<Omit<Response, "json"> & {
2126
+ json(): Promise<{
2127
+ success: true;
2128
+ redirect: boolean;
2129
+ signInURL: string;
2130
+ }>;
2131
+ }> | Prettify$1<Omit<Response, "json"> & {
2132
+ json(): Promise<{
2133
+ success: false;
2134
+ redirect: false;
2135
+ signInURL: null;
2136
+ }>;
2137
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"POST", `/${string}`, {
1795
2138
  schemas?: {
1796
2139
  body: _$zod.ZodObject<{
1797
2140
  username: _$zod.ZodString;
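Review bot: At the end of this hunk the credentials endpoint's route type widens from the literal `"/signIn/credentials"` to the template-literal type `/${string}`, and the sign-out and session-update endpoints are widened the same way in the `-1827,30 +2207,167` hunk. Three endpoints now carry an identical route type, so typed clients and per-route middleware cannot tell them apart at compile time, and the declaration no longer records where credentials are posted. If the paths are still fixed at runtime, keeping the literal in the source route definition (presumably an `as const` on the path — confirm) would restore `RouteEndpoint<"POST", "/signIn/credentials", {`. If the paths are now configurable, that should be documented next to the option that configures them.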
@@ -1801,7 +2144,42 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1801
2144
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1802
2145
  }, _$zod_v4_core0.$strip>;
1803
2146
  } | undefined;
1804
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/callback/:oauth", {
2147
+ use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
2148
+ body: _$zod.ZodObject<{
2149
+ username: _$zod.ZodString;
2150
+ password: _$zod.ZodString;
2151
+ }, _$zod_v4_core0.$strip>;
2152
+ searchParams: _$zod.ZodObject<{
2153
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2154
+ }, _$zod_v4_core0.$strip>;
2155
+ }>[] | undefined;
2156
+ }, (ctx: {
2157
+ params: {};
2158
+ body: {
2159
+ username: string;
2160
+ password: string;
2161
+ };
2162
+ searchParams: {
2163
+ redirectTo?: string | undefined;
2164
+ };
2165
+ headers: _$_aura_stack_router0.HeadersBuilder;
2166
+ request: Request;
2167
+ url: URL;
2168
+ method: "POST";
2169
+ route: `/${string}`;
2170
+ context: _$_aura_stack_router0.GlobalContext;
2171
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2172
+ }) => Promise<Prettify$1<Omit<Response, "json"> & {
2173
+ json(): Promise<{
2174
+ success: true;
2175
+ redirectURL: string;
2176
+ }>;
2177
+ }> | Prettify$1<Omit<Response, "json"> & {
2178
+ json(): Promise<{
2179
+ success: false;
2180
+ redirectURL: null;
2181
+ }>;
2182
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/callback/:oauth", {
1805
2183
  schemas?: {
1806
2184
  params: _$zod.ZodObject<{
1807
2185
  oauth: _$zod.ZodEnum<{
@@ -1820,6 +2198,8 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1820
2198
  notion: "notion";
1821
2199
  dropbox: "dropbox";
1822
2200
  atlassian: "atlassian";
2201
+ clickUp: "clickUp";
2202
+ dribbble: "dribbble";
1823
2203
  }>;
1824
2204
  }, _$zod_v4_core0.$strip>;
1825
2205
  searchParams: _$zod.ZodObject<{
@@ -1827,30 +2207,167 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1827
2207
  state: _$zod.ZodString;
1828
2208
  }, _$zod_v4_core0.$strip>;
1829
2209
  } | undefined;
1830
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/session", {
2210
+ use?: _$_aura_stack_router0.MiddlewareFunction<"/callback/:oauth", {
2211
+ params: _$zod.ZodObject<{
2212
+ oauth: _$zod.ZodEnum<{
2213
+ [x: string & Record<never, never>]: string & Record<never, never>;
2214
+ github: "github";
2215
+ bitbucket: "bitbucket";
2216
+ figma: "figma";
2217
+ discord: "discord";
2218
+ gitlab: "gitlab";
2219
+ spotify: "spotify";
2220
+ x: "x";
2221
+ strava: "strava";
2222
+ mailchimp: "mailchimp";
2223
+ pinterest: "pinterest";
2224
+ twitch: "twitch";
2225
+ notion: "notion";
2226
+ dropbox: "dropbox";
2227
+ atlassian: "atlassian";
2228
+ clickUp: "clickUp";
2229
+ dribbble: "dribbble";
2230
+ }>;
2231
+ }, _$zod_v4_core0.$strip>;
2232
+ searchParams: _$zod.ZodObject<{
2233
+ code: _$zod.ZodString;
2234
+ state: _$zod.ZodString;
2235
+ }, _$zod_v4_core0.$strip>;
2236
+ }>[] | undefined;
2237
+ }, (ctx: {
2238
+ params: {
2239
+ oauth: "github" | "bitbucket" | "figma" | "discord" | "gitlab" | "spotify" | "x" | "strava" | "mailchimp" | "pinterest" | "twitch" | "notion" | "dropbox" | "atlassian" | "clickUp" | "dribbble" | (string & Record<never, never>);
2240
+ };
2241
+ body: undefined;
2242
+ searchParams: {
2243
+ code: string;
2244
+ state: string;
2245
+ };
2246
+ headers: _$_aura_stack_router0.HeadersBuilder;
2247
+ request: Request;
2248
+ url: URL;
2249
+ method: "GET";
2250
+ route: "/callback/:oauth";
2251
+ context: _$_aura_stack_router0.GlobalContext;
2252
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2253
+ }) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/session", {
1831
2254
  schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1832
- }>, _$_aura_stack_router0.RouteEndpoint<"POST", "/signOut", {
2255
+ use?: _$_aura_stack_router0.MiddlewareFunction<"/session", _$_aura_stack_router0.EndpointSchemas>[] | undefined;
2256
+ }, (ctx: {
2257
+ params: {};
2258
+ body: undefined;
2259
+ searchParams: URLSearchParams;
2260
+ headers: _$_aura_stack_router0.HeadersBuilder;
2261
+ request: Request;
2262
+ url: URL;
2263
+ method: "GET";
2264
+ route: "/session";
2265
+ context: _$_aura_stack_router0.GlobalContext;
2266
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2267
+ }) => Promise<Prettify$1<Omit<Response, "json"> & {
2268
+ json(): Promise<{
2269
+ success: true;
2270
+ session: Session<{
2271
+ sub: string;
2272
+ name?: string | null | undefined;
2273
+ image?: string | null | undefined;
2274
+ email?: string | null | undefined;
2275
+ }>;
2276
+ }>;
2277
+ }> | Prettify$1<Omit<Response, "json"> & {
2278
+ json(): Promise<{
2279
+ success: false;
2280
+ session: null;
2281
+ }>;
2282
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"POST", `/${string}`, {
1833
2283
  schemas?: {
1834
2284
  searchParams: _$zod.ZodObject<{
1835
2285
  token_type_hint: _$zod.ZodLiteral<"session_token">;
1836
2286
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
1837
2287
  }, _$zod_v4_core0.$strip>;
1838
2288
  } | undefined;
1839
- }>, _$_aura_stack_router0.RouteEndpoint<"GET", "/csrfToken", {
2289
+ use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
2290
+ searchParams: _$zod.ZodObject<{
2291
+ token_type_hint: _$zod.ZodLiteral<"session_token">;
2292
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2293
+ }, _$zod_v4_core0.$strip>;
2294
+ }>[] | undefined;
2295
+ }, (ctx: {
2296
+ params: {};
2297
+ body: undefined;
2298
+ searchParams: {
2299
+ token_type_hint: "session_token";
2300
+ redirectTo?: string | undefined;
2301
+ };
2302
+ headers: _$_aura_stack_router0.HeadersBuilder;
2303
+ request: Request;
2304
+ url: URL;
2305
+ method: "POST";
2306
+ route: `/${string}`;
2307
+ context: _$_aura_stack_router0.GlobalContext;
2308
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2309
+ }) => Promise<Prettify$1<Omit<Response, "json"> & {
2310
+ json(): Promise<{
2311
+ success: true;
2312
+ redirect: boolean;
2313
+ redirectURL: string;
2314
+ }>;
2315
+ }> | Prettify$1<Omit<Response, "json"> & {
2316
+ json(): Promise<{
2317
+ success: false;
2318
+ redirect: boolean;
2319
+ redirectURL: null;
2320
+ }>;
2321
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"GET", "/csrfToken", {
1840
2322
  schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
1841
- }>, _$_aura_stack_router0.RouteEndpoint<"PATCH", "/session", {
2323
+ use?: _$_aura_stack_router0.MiddlewareFunction<"/csrfToken", _$_aura_stack_router0.EndpointSchemas>[] | undefined;
2324
+ }, (ctx: {
2325
+ params: {};
2326
+ body: undefined;
2327
+ searchParams: URLSearchParams;
2328
+ headers: _$_aura_stack_router0.HeadersBuilder;
2329
+ request: Request;
2330
+ url: URL;
2331
+ method: "GET";
2332
+ route: "/csrfToken";
2333
+ context: _$_aura_stack_router0.GlobalContext;
2334
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2335
+ }) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"PATCH", `/${string}`, {
1842
2336
  schemas?: {
1843
- body: _$zod.ZodObject<{
1844
- user: _$zod.ZodOptional<_$zod.ZodObject<{
1845
- sub: _$zod.ZodOptional<_$zod.ZodString>;
1846
- name: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1847
- image: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodString>>>;
1848
- email: _$zod.ZodOptional<_$zod.ZodOptional<_$zod.ZodNullable<_$zod.ZodEmail>>>;
1849
- }, _$zod_v4_core0.$strip>> | undefined;
1850
- expires: _$zod.ZodOptional<_$zod.ZodCoercedDate<unknown>>;
1851
- }, _$zod_v4_core0.$strip>;
2337
+ body: any;
1852
2338
  } | undefined;
1853
- }>]>;
2339
+ use?: _$_aura_stack_router0.MiddlewareFunction<`/${string}`, {
2340
+ body: any;
2341
+ }>[] | undefined;
2342
+ }, (ctx: {
2343
+ params: {};
2344
+ body: any;
2345
+ searchParams: URLSearchParams;
2346
+ headers: _$_aura_stack_router0.HeadersBuilder;
2347
+ request: Request;
2348
+ url: URL;
2349
+ method: "PATCH";
2350
+ route: `/${string}`;
2351
+ context: _$_aura_stack_router0.GlobalContext;
2352
+ json: <T>(data: T, init?: ResponseInit) => _$_aura_stack_router0.JsonResponse<T>;
2353
+ }) => Promise<Prettify$1<Omit<Response, "json"> & {
2354
+ json(): Promise<{
2355
+ success: true;
2356
+ session: Session<{
2357
+ sub: string;
2358
+ name?: string | null | undefined;
2359
+ image?: string | null | undefined;
2360
+ email?: string | null | undefined;
2361
+ }>;
2362
+ redirectURL: string;
2363
+ }>;
2364
+ }> | Prettify$1<Omit<Response, "json"> & {
2365
+ json(): Promise<{
2366
+ success: false;
2367
+ session: null;
2368
+ redirectURL: null;
2369
+ }>;
2370
+ }>>>]>;
1854
2371
  jose: any;
1855
2372
  api: {
1856
2373
  getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
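Review bot: The PATCH session endpoint's `schemas.body` changes from a concrete Zod object (optional `user` fields plus a coerced `expires`) to `body: any`, and `ctx.body` and the middleware schema slot follow. From the declaration alone it is no longer possible to tell whether a session-update body is validated before use, and any handler or middleware reading `ctx.body` is unchecked. If the schema is now resolved at runtime from the identity registry, typing the handler input as `body: unknown;` (or as the registry's partial schema type) would force narrowing before fields are read. The success branches here and on GET `/session` also hard-code `sub`/`name`/`image`/`email` instead of using the `Identity` parameter, which is worth confirming as intended.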
@@ -1898,7 +2415,7 @@ declare const createAuthInstance: <Identity extends EditableShape<UserShape>>(au
1898
2415
  * }]
1899
2416
  * })
1900
2417
  */
1901
- declare const createAuth: <Identity extends EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<ShapeToObject<Identity>>;
2418
+ declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity>>;
1902
2419
  //#endregion
1903
2420
  //#region src/@types/errors.d.ts
1904
2421
  /** Map of field or logical keys to API validation error payloads (code + message). */
@@ -2276,4 +2793,4 @@ type AuthClientOptions = Prettify$1<Omit<ClientOptions, "baseURL"> & {
2276
2793
  baseURL?: string;
2277
2794
  }>;
2278
2795
  //#endregion
2279
- export { JWTConfigBase as $, atlassian as $t, APIErrorMap as A, DiscordProfile as An, IdentityConfig as At, DeepPartial as B, UserIdentity as Bn, SyslogOptions as Bt, SignOutAPIReturn as C, XProfile as Cn, CookieName as Ct, UpdateSessionAPIReturn as D, spotify as Dn, CredentialsProvider as Dt, UpdateSessionAPIOptions as E, SpotifyProfile as En, CredentialsPayload as Et, ErrorType as F, BitbucketProfile as Fn, Logger as Ft, InferShape as G, OAuthProviderCredentials as Gt, EditableShape as H, UserShape as Hn, AuthorizeParams as Ht, OAuthError as I, bitbucket as In, RouterGlobalContext as It, Prettify$1 as J, BuiltInOAuthProvider as Jt, LiteralUnion as K, OAuthProviderRecord as Kt, TokenRevocationError as L, GitHubProfile as Ln, SecureCookie as Lt, AuthInternalErrorCode as M, discord as Mn, InternalLogger as Mt, AuthSecurityErrorCode as N, FigmaProfile as Nn, JoseInstance as Nt, UpdateSessionOptions as O, GitLabProfile as On, CredentialsProviderContext as Ot, AuthorizationError as P, figma as Pn, LogLevel as Pt, JWTConfig as Q, ExtendedProfile as Qt, createAuth as R, github as Rn, Severity as Rt, SignOutAPIOptions as S, strava as Sn, CookieConfig as St, SignOutReturn as T, SpotifyImage as Tn, CookieStrategyAttributes as Tt, InferAuthIdentity as U, createIdentity as Un, OAuthProvider as Ut, DeepRequired as V, UserIdentityType as Vn, TrustedOrigin as Vt, InferIdentity as W, OAuthProviderConfig as Wt, CreateSessionStrategyOptions as X, createBuiltInOAuthProviders as Xt, ShapeToObject as Y, builtInOAuthProviders as Yt, GetStatelessSessionReturn as Z, AtlassianProfile as Zt, SignInCredentialsAPIReturn as _, MailchimpProfile as _n, User as _t, OAuthEnv as a, dropbox as an, JWTManager as at, SignInOptions as b, SummaryClub as bn, AuthInstance as bt, APIOptionsWithRequest as c, NotionUser as cn, JWTSignedMode as ct, GetSessionAPIOptions as d, notion as dn, KeyPair as dt, AccountType as en, JWTEncryptedMode as et, GetSessionAPIReturn as f, TwitchProfile as fn, SecretKey as 
ft, SignInCredentialsAPIOptions as g, Login as gn, StatelessStrategyConfig as gt, SignInAPIReturn as h, pinterest as hn, SessionStrategy as ht, JWTStandardClaims as i, RootInfo as in, JWTKeyAlgorithm as it, AccessTokenError as j, Nameplate as jn, InternalContext as jt, UpdateSessionReturn as k, gitlab as kn, HostCookie as kt, APIOptionsWithSkipCSRFCheck as l, Owner as ln, JWTSigningAlgorithm as lt, SignInAPIOptions as m, PinterestProfile as mn, SessionConfig as mt, AuthClientOptions as n, FullTeam as nn, JWTExpirationStrategy as nt, TypedJWTPayload$1 as o, Bot as on, JWTMode as ot, OptionsWithRedirectTo as p, twitch as pn, Session as pt, Merge as q, ResponseType as qt, JWTPayloadWithToken as r, Name as rn, JWTKey as rt, APIOptionsWithRedirectTo as s, NotionProfile as sn, JWTSealedMode as st, AuthClient as t, DropboxProfile as tn, JWTEncryptionAlgorithm as tt, FunctionAPIContext as u, Person as un, JWTStrategyOptions as ut, SignInCredentialsOptions as v, mailchimp as vn, AuthAPI as vt, SignOutOptions as w, x as wn, CookieStoreConfig as wt, SignInReturn as x, SummaryGear as xn, AuthRuntimeConfig as xt, SignInCredentialsReturn as y, StravaProfile as yn, AuthConfig as yt, AuthResponse as z, createSyslogMessage as zn, StandardCookie as zt };
2796
+ export { LiteralUnion as $, Nameplate as $n, JWTMode as $t, APIErrorMap as A, NotionUser as An, StandardCookie as At, AuthResponse as B, mailchimp as Bn, AsymmetricKeyPair as Bt, SignOutAPIReturn as C, DropboxProfile as Cn, JoseInstance as Ct, UpdateSessionAPIReturn as D, dropbox as Dn, SchemaRegistryContext as Dt, UpdateSessionAPIOptions as E, RootInfo as En, RouterGlobalContext as Et, ErrorType as F, twitch as Fn, OAuthProvider as Ft, EditableShapeArkType as G, XProfile as Gn, JWTConfig as Gt, DeepPartial as H, SummaryClub as Hn, CreateSessionStrategyOptions as Ht, OAuthError as I, PinterestProfile as In, OAuthProviderConfig as It, EditableShapeZod as J, SpotifyProfile as Jn, JWTEncryptionAlgorithm as Jt, EditableShapeTypebox as K, x as Kn, JWTConfigBase as Kt, TokenRevocationError as L, pinterest as Ln, OAuthProviderCredentials as Lt, AuthInternalErrorCode as M, Person as Mn, TrustedOrigin as Mt, AuthSecurityErrorCode as N, notion as Nn, TrustedProxyHeadersConfig as Nt, UpdateSessionOptions as O, Bot as On, SecureCookie as Ot, AuthorizationError as P, TwitchProfile as Pn, AuthorizeParams as Pt, InferZodShape as Q, DiscordProfile as Qn, JWTManager as Qt, createAuth as R, Login as Rn, OAuthProviderRecord as Rt, SignOutAPIOptions as S, AccountType as Sn, InternalLogger as St, SignOutReturn as T, Name as Tn, Logger as Tt, DeepRequired as U, SummaryGear as Un, CryptoSecret as Ut, ConfigSchema as V, StravaProfile as Vn, AsymmetricKeyPairFromEnv as Vt, EditableShape as W, strava as Wn, GetStatelessSessionReturn as Wt, InferSession as X, GitLabProfile as Xn, JWTKey as Xt, FromShapeToObject as Y, spotify as Yn, JWTExpirationStrategy as Yt, InferUser as Z, gitlab as Zn, JWTKeyAlgorithm as Zt, SignInCredentialsAPIReturn as _, ClickUpProfile as _n, UserShape as _r, CredentialsProvider as _t, OAuthEnv as a, Session as an, GitHubProfile as ar, ValibotShapeToObject as at, SignInOptions as b, ExtendedProfile as bn, UserShapeValibot as br, IdentityConfig as bt, 
APIOptionsWithRequest as c, StatelessStrategyConfig as cn, Identities as cr, AuthAPI as ct, GetSessionAPIOptions as d, builtInOAuthProviders as dn, IsZod as dr, AuthRuntimeConfig as dt, JWTSealedMode as en, discord as er, Merge as et, GetSessionAPIReturn as f, createBuiltInOAuthProviders as fn, SchemaTypes as fr, CookieConfig as ft, SignInCredentialsAPIOptions as g, dribbble as gn, UserIdentityValibot as gr, CredentialsPayload as gt, SignInAPIReturn as h, DribbbleTeams as hn, UserIdentityTypeBox as hr, CookieStrategyAttributes as ht, JWTStandardClaims as i, SecretKey as in, bitbucket as ir, UserFrom as it, AccessTokenError as j, Owner as jn, SyslogOptions as jt, UpdateSessionReturn as k, NotionProfile as kn, Severity as kt, APIOptionsWithSkipCSRFCheck as l, User as ln, IsArkType as lr, AuthConfig as lt, SignInAPIOptions as m, DribbbleProfile as mn, UserIdentityArkType as mr, CookieStoreConfig as mt, AuthClientOptions as n, JWTSigningAlgorithm as nn, figma as nr, SessionFrom as nt, TypedJWTPayload$1 as o, SessionConfig as on, github as or, Wrap as ot, OptionsWithRedirectTo as p, DribbbleDefault as pn, UserIdentity as pr, CookieName as pt, EditableShapeValibot as q, SpotifyImage as qn, JWTEncryptedMode as qt, JWTPayloadWithToken as r, JWTStrategyOptions as rn, BitbucketProfile as rr, TypeboxShapeToObject as rt, APIOptionsWithRedirectTo as s, SessionStrategy as sn, createSyslogMessage as sr, ZodShapeToObject as st, AuthClient as t, JWTSignedMode as tn, FigmaProfile as tr, Prettify$1 as tt, FunctionAPIContext as u, BuiltInOAuthProvider as un, IsValibot as ur, AuthInstance as ut, SignInCredentialsOptions as v, clickUp as vn, UserShapeArkType as vr, CredentialsProviderContext as vt, SignOutOptions as w, FullTeam as wn, LogLevel as wt, SignInReturn as x, atlassian as xn, createIdentity as xr, InternalContext as xt, SignInCredentialsReturn as y, AtlassianProfile as yn, UserShapeTypeBox as yr, HostCookie as yt, ArktypeShapeToObject as z, MailchimpProfile as zn, ResponseType 
as zt };