@aura-stack/auth 0.7.1 → 0.8.0
- package/dist/@types/index.cjs +1 -1
- package/dist/@types/index.d.ts +2 -2
- package/dist/@types/index.js +1 -1
- package/dist/client/index.cjs +1 -1
- package/dist/client/index.d.ts +3 -2
- package/dist/client/index.js +1 -1
- package/dist/crypto-BRrGB5wn.js +3 -0
- package/dist/crypto-Da-Q8hsP.cjs +3 -0
- package/dist/errors-BWpHquVG.js +1 -0
- package/dist/errors-BiBhdux1.cjs +1 -0
- package/dist/fetch-async-DL6uySSm.js +1 -0
- package/dist/fetch-async-DlbcIcRD.cjs +1 -0
- package/dist/{identity-n3aahaEr.cjs → identity-CAygUyH6.cjs} +1 -1
- package/dist/{index-1ADcIVGC.d.ts → index-DIcbmH1M.d.ts} +1050 -285
- package/dist/index.cjs +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/dist/{logger-BfUjjtxf.js → logger-BleaYLUV.js} +1 -1
- package/dist/{logger-CVwkloPj.cjs → logger-DL-kEECn.cjs} +1 -1
- package/dist/oauth/atlassian.d.ts +1 -1
- package/dist/oauth/authentik.cjs +1 -0
- package/dist/oauth/authentik.d.ts +2 -0
- package/dist/oauth/authentik.js +1 -0
- package/dist/oauth/bitbucket.d.ts +1 -1
- package/dist/oauth/click-up.d.ts +1 -1
- package/dist/oauth/discord.d.ts +1 -1
- package/dist/oauth/dribbble.d.ts +1 -1
- package/dist/oauth/dropbox.d.ts +1 -1
- package/dist/oauth/figma.d.ts +1 -1
- package/dist/oauth/github.d.ts +1 -1
- package/dist/oauth/gitlab.d.ts +1 -1
- package/dist/oauth/google.cjs +1 -0
- package/dist/oauth/google.d.ts +2 -0
- package/dist/oauth/google.js +1 -0
- package/dist/oauth/hubspot.cjs +1 -0
- package/dist/oauth/hubspot.d.ts +2 -0
- package/dist/oauth/hubspot.js +1 -0
- package/dist/oauth/huggingface.cjs +1 -0
- package/dist/oauth/huggingface.d.ts +2 -0
- package/dist/oauth/huggingface.js +1 -0
- package/dist/oauth/index.cjs +1 -1
- package/dist/oauth/index.d.ts +2 -2
- package/dist/oauth/index.js +1 -1
- package/dist/oauth/mailchimp.d.ts +1 -1
- package/dist/oauth/notion.cjs +1 -1
- package/dist/oauth/notion.d.ts +1 -1
- package/dist/oauth/notion.js +1 -1
- package/dist/oauth/pinterest.d.ts +1 -1
- package/dist/oauth/spotify.d.ts +1 -1
- package/dist/oauth/strava.d.ts +1 -1
- package/dist/oauth/twitch.d.ts +1 -1
- package/dist/oauth/x.d.ts +1 -1
- package/dist/resolve-provider-C_clBCRg.cjs +1 -0
- package/dist/resolve-provider-CaDu98x6.js +1 -0
- package/dist/shared/crypto.cjs +1 -1
- package/dist/shared/crypto.d.ts +2 -2
- package/dist/shared/crypto.js +1 -1
- package/dist/shared/identity.cjs +1 -1
- package/dist/shared/identity.d.ts +1 -1
- package/dist/shared/identity.js +1 -1
- package/dist/shared/index.cjs +1 -1
- package/dist/shared/index.d.ts +16 -2
- package/dist/shared/index.js +1 -1
- package/package.json +7 -6
- package/dist/assert-DaZSf4SH.cjs +0 -3
- package/dist/assert-av6s0a6t.js +0 -3
- package/dist/crypto-BF4ETYC9.cjs +0 -1
- package/dist/crypto-D6aq4c8x.js +0 -1
- package/dist/errors-Czt_w1t_.js +0 -1
- package/dist/errors-DcK2ELlk.cjs +0 -1
|
@@ -1,17 +1,22 @@
|
|
|
1
1
|
import * as _$_aura_stack_router0 from "@aura-stack/router";
|
|
2
|
-
import { ClientOptions, GlobalContext } from "@aura-stack/router";
|
|
3
|
-
import {
|
|
2
|
+
import { ClientOptions, GlobalContext, InferSchema } from "@aura-stack/router";
|
|
3
|
+
import { RateLimiterConfig } from "@aura-stack/rate-limiter";
|
|
4
|
+
import { ZodObject, ZodOptional, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
|
|
5
|
+
import * as _$arktype from "arktype";
|
|
4
6
|
import { Type } from "arktype";
|
|
5
7
|
import { TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
|
|
8
|
+
import { SerializeOptions } from "@aura-stack/router/cookie";
|
|
6
9
|
import { JWK, JWTPayload } from "@aura-stack/jose/jose";
|
|
7
10
|
import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
|
|
8
|
-
import { SerializeOptions } from "@aura-stack/router/cookie";
|
|
9
11
|
import * as valibot from "valibot";
|
|
10
12
|
import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
|
|
13
|
+
import * as _$zod from "zod";
|
|
14
|
+
import { ZodObject as ZodObject$1, infer as infer$1 } from "zod";
|
|
11
15
|
import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
|
|
12
16
|
import * as _$zod_v4_core0 from "zod/v4/core";
|
|
13
|
-
import { infer as infer$
|
|
14
|
-
import
|
|
17
|
+
import { infer as infer$2 } from "zod/v4/core";
|
|
18
|
+
import { GetRouteParams } from "@aura-stack/router/types";
|
|
19
|
+
import { InferRules, RateLimiterRule } from "@aura-stack/rate-limiter/types";
|
|
15
20
|
|
|
16
21
|
//#region src/schemas.d.ts
|
|
17
22
|
/**
|
|
@@ -33,6 +38,18 @@ declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
|
|
|
33
38
|
error_uri: z.ZodOptional<z.ZodString>;
|
|
34
39
|
state: z.ZodString;
|
|
35
40
|
}, z.core.$strip>;
|
|
41
|
+
/**
|
|
42
|
+
* Schema for OAuth Access Token Response
|
|
43
|
+
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
|
|
44
|
+
* @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
|
|
45
|
+
*/
|
|
46
|
+
declare const OAuthAccessTokenResponse: z.ZodObject<{
|
|
47
|
+
access_token: z.ZodString;
|
|
48
|
+
token_type: z.ZodOptional<z.ZodString>;
|
|
49
|
+
expires_in: z.ZodOptional<z.ZodNumber>;
|
|
50
|
+
refresh_token: z.ZodOptional<z.ZodString>;
|
|
51
|
+
scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
|
|
52
|
+
}, z.core.$strip>;
|
|
36
53
|
/**
|
|
37
54
|
* Schema for OAuth Access Token Error Response
|
|
38
55
|
* @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
|
@@ -53,6 +70,14 @@ declare const OAuthEnvSchema: z.ZodObject<{
|
|
|
53
70
|
clientId: z.ZodString;
|
|
54
71
|
clientSecret: z.ZodString;
|
|
55
72
|
}, z.core.$strip>;
|
|
73
|
+
declare const OIDCAccessTokenResponseSchema: z.ZodObject<{
|
|
74
|
+
access_token: z.ZodString;
|
|
75
|
+
token_type: z.ZodOptional<z.ZodString>;
|
|
76
|
+
expires_in: z.ZodOptional<z.ZodNumber>;
|
|
77
|
+
refresh_token: z.ZodOptional<z.ZodString>;
|
|
78
|
+
scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
|
|
79
|
+
id_token: z.ZodOptional<z.ZodString>;
|
|
80
|
+
}, z.core.$strip>;
|
|
56
81
|
//#endregion
|
|
57
82
|
//#region src/jose.d.ts
|
|
58
83
|
/**
|
|
@@ -78,8 +103,45 @@ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWT
|
|
|
78
103
|
decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
|
|
79
104
|
};
|
|
80
105
|
//#endregion
|
|
106
|
+
//#region src/shared/identity.d.ts
|
|
107
|
+
declare const UserIdentity: z.ZodObject<{
|
|
108
|
+
sub: z.ZodString;
|
|
109
|
+
name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
110
|
+
image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
111
|
+
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
112
|
+
}, z.core.$strip>;
|
|
113
|
+
declare const UserIdentityValibot: valibot.ObjectSchema<{
|
|
114
|
+
readonly sub: valibot.StringSchema<undefined>;
|
|
115
|
+
readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
116
|
+
readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
117
|
+
readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
|
|
118
|
+
}, undefined>;
|
|
119
|
+
declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
120
|
+
sub: string;
|
|
121
|
+
name?: string | null | undefined;
|
|
122
|
+
image?: string | null | undefined;
|
|
123
|
+
email?: string | null | undefined;
|
|
124
|
+
}, {}>;
|
|
125
|
+
declare const UserIdentityTypeBox: Type$1.TObject<{
|
|
126
|
+
sub: Type$1.TString;
|
|
127
|
+
name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
128
|
+
image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
129
|
+
email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
130
|
+
}>;
|
|
131
|
+
type UserShape = typeof UserIdentity.shape;
|
|
132
|
+
type UserShapeValibot = typeof UserIdentityValibot.entries;
|
|
133
|
+
type UserShapeArkType = typeof UserIdentityArkType;
|
|
134
|
+
type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
|
|
135
|
+
type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
|
|
136
|
+
type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
|
|
137
|
+
type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
|
|
138
|
+
type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
|
|
139
|
+
type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
|
|
140
|
+
type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
|
|
141
|
+
declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
|
|
142
|
+
//#endregion
|
|
81
143
|
//#region src/api/createApi.d.ts
|
|
82
|
-
declare const createAuthAPI: <DefaultUser extends User = User
|
|
144
|
+
declare const createAuthAPI: <DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>>(ctx: GlobalContext) => {
|
|
83
145
|
/**
|
|
84
146
|
* Retrieves the current session data from the server-side.
|
|
85
147
|
*
|
|
@@ -119,6 +181,26 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
|
|
|
119
181
|
* })
|
|
120
182
|
*/
|
|
121
183
|
signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
|
|
184
|
+
/**
|
|
185
|
+
* Signs up a new user on the server-side. It requires a `payload` with the necessary information for
|
|
186
|
+
* user creation and a callback function configured in `signUp.onCreateUser` to handle the actual user
|
|
187
|
+
* creation logic.
|
|
188
|
+
*
|
|
189
|
+
* @params options - Options for the API call, including the sign-up payload, headers, and redirect behavior.
|
|
190
|
+
* @return The object returned by the API call {@link SignUpAPIReturn}
|
|
191
|
+
* @example
|
|
192
|
+
* const response = await api.signUp({
|
|
193
|
+
* payload: {
|
|
194
|
+
* name: "John",
|
|
195
|
+
* lastName: "Doe",
|
|
196
|
+
* email: "john.doe@example.com",
|
|
197
|
+
* password: "1234567890"
|
|
198
|
+
* },
|
|
199
|
+
* redirectTo: "/dashboard",
|
|
200
|
+
* request: await getRequest()
|
|
201
|
+
* })
|
|
202
|
+
*/
|
|
203
|
+
signUp: <Payload extends Record<string, any> = Wrap<RemoveIndexSignature<InferSchema<SignUpSchema, _$_aura_stack_router0.SchemaKind<SignUpSchema>>>>>(options: SignUpAPIOptions<Payload>) => Promise<SignUpAPIReturn>;
|
|
122
204
|
/**
|
|
123
205
|
* Updates the current session on the server-side. It allows partial updates to the session object, such as
|
|
124
206
|
* modifying user fields or extending the session expiry. It implements CSRF Protection by default, for
|
|
@@ -160,43 +242,6 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
|
|
|
160
242
|
signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
|
|
161
243
|
};
|
|
162
244
|
//#endregion
|
|
163
|
-
//#region src/shared/identity.d.ts
|
|
164
|
-
declare const UserIdentity: z.ZodObject<{
|
|
165
|
-
sub: z.ZodString;
|
|
166
|
-
name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
167
|
-
image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
168
|
-
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
169
|
-
}, z.core.$strip>;
|
|
170
|
-
declare const UserIdentityValibot: valibot.ObjectSchema<{
|
|
171
|
-
readonly sub: valibot.StringSchema<undefined>;
|
|
172
|
-
readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
173
|
-
readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
|
|
174
|
-
readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
|
|
175
|
-
}, undefined>;
|
|
176
|
-
declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
177
|
-
sub: string;
|
|
178
|
-
name?: string | null | undefined;
|
|
179
|
-
image?: string | null | undefined;
|
|
180
|
-
email?: string | null | undefined;
|
|
181
|
-
}, {}>;
|
|
182
|
-
declare const UserIdentityTypeBox: Type$1.TObject<{
|
|
183
|
-
sub: Type$1.TString;
|
|
184
|
-
name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
185
|
-
image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
186
|
-
email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
|
|
187
|
-
}>;
|
|
188
|
-
type UserShape = typeof UserIdentity.shape;
|
|
189
|
-
type UserShapeValibot = typeof UserIdentityValibot.entries;
|
|
190
|
-
type UserShapeArkType = typeof UserIdentityArkType;
|
|
191
|
-
type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
|
|
192
|
-
type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
|
|
193
|
-
type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
|
|
194
|
-
type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
|
|
195
|
-
type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
|
|
196
|
-
type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
|
|
197
|
-
type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
|
|
198
|
-
declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
|
|
199
|
-
//#endregion
|
|
200
245
|
//#region src/shared/logger.d.ts
|
|
201
246
|
/**
|
|
202
247
|
* Log message definitions organized by category.
|
|
@@ -503,6 +548,36 @@ declare const logMessages: {
|
|
|
503
548
|
readonly msgId: "CREDENTIALS_SIGN_IN_FAILED";
|
|
504
549
|
readonly message: "An error occurred during credentials sign-in";
|
|
505
550
|
};
|
|
551
|
+
readonly SIGN_UP_SUCCESS: {
|
|
552
|
+
readonly facility: 4;
|
|
553
|
+
readonly severity: "info";
|
|
554
|
+
readonly msgId: "SIGN_UP_SUCCESS";
|
|
555
|
+
readonly message: "User successfully signed up and authenticated";
|
|
556
|
+
};
|
|
557
|
+
readonly SESSION_NOT_FOUND: {
|
|
558
|
+
readonly facility: 4;
|
|
559
|
+
readonly severity: "error";
|
|
560
|
+
readonly msgId: "SESSION_NOT_FOUND";
|
|
561
|
+
readonly message: "Session token was not found in the request cookies";
|
|
562
|
+
};
|
|
563
|
+
readonly OAUTH_INVALID_CONTENT_TYPE: {
|
|
564
|
+
readonly facility: 10;
|
|
565
|
+
readonly severity: "error";
|
|
566
|
+
readonly msgId: "OAUTH_INVALID_CONTENT_TYPE";
|
|
567
|
+
readonly message: "OAuth endpoint returned an invalid Content-Type header";
|
|
568
|
+
};
|
|
569
|
+
readonly SIGN_IN_PROVIDER_TYPE_DETECTED: {
|
|
570
|
+
readonly facility: 4;
|
|
571
|
+
readonly severity: "info";
|
|
572
|
+
readonly msgId: "SIGN_IN_PROVIDER_TYPE_DETECTED";
|
|
573
|
+
readonly message: "Detected OAuth provider type (OIDC or standard)";
|
|
574
|
+
};
|
|
575
|
+
readonly OIDC_PROVIDER_RESOLVED: {
|
|
576
|
+
readonly facility: 4;
|
|
577
|
+
readonly severity: "info";
|
|
578
|
+
readonly msgId: "OIDC_PROVIDER_RESOLVED";
|
|
579
|
+
readonly message: "OIDC provider configuration resolved successfully";
|
|
580
|
+
};
|
|
506
581
|
};
|
|
507
582
|
declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
|
|
508
583
|
declare const createSyslogMessage: (options: SyslogOptions) => string;
|
|
@@ -1153,6 +1228,661 @@ interface DribbbleProfile extends DribbbleDefault {
|
|
|
1153
1228
|
*/
|
|
1154
1229
|
declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1155
1230
|
//#endregion
|
|
1231
|
+
//#region src/oauth/hubspot.d.ts
|
|
1232
|
+
interface HubSportSignedAccessToken {
|
|
1233
|
+
appId: number;
|
|
1234
|
+
appInstallId: number;
|
|
1235
|
+
audience: string;
|
|
1236
|
+
expiresAt: string;
|
|
1237
|
+
hubId: number;
|
|
1238
|
+
hublet: string;
|
|
1239
|
+
installingUserId: number;
|
|
1240
|
+
isPrivateDistribution: boolean;
|
|
1241
|
+
isServiceAccount: boolean;
|
|
1242
|
+
isUserLevel: boolean;
|
|
1243
|
+
newSignature: string;
|
|
1244
|
+
scopeToScopeGroupPks: string;
|
|
1245
|
+
scopes: string;
|
|
1246
|
+
signature: string;
|
|
1247
|
+
trialScopeToScopeGroupPks: string;
|
|
1248
|
+
trialScopes: string;
|
|
1249
|
+
userId: number;
|
|
1250
|
+
}
|
|
1251
|
+
/**
|
|
1252
|
+
* @see [HubSpot - Retrieve OAuth token metadata](https://developers.hubspot.com/docs/api-reference/legacy/authentication/oauth-tokens/v1/get-oauth-token-metadata)
|
|
1253
|
+
*/
|
|
1254
|
+
interface HubSpotProfile {
|
|
1255
|
+
/**
|
|
1256
|
+
* The ID of the application associated with the access token.
|
|
1257
|
+
*/
|
|
1258
|
+
app_id: number;
|
|
1259
|
+
/**
|
|
1260
|
+
* The time in seconds until the access token expires.
|
|
1261
|
+
*/
|
|
1262
|
+
expires_in: number;
|
|
1263
|
+
/**
|
|
1264
|
+
* The ID of the HubSpot account associated with the access token.
|
|
1265
|
+
*/
|
|
1266
|
+
hub_id: number;
|
|
1267
|
+
/**
|
|
1268
|
+
* An array of strings indicating the scopes
|
|
1269
|
+
*/
|
|
1270
|
+
scopes: string[];
|
|
1271
|
+
/**
|
|
1272
|
+
* The access token string used to make API calls.
|
|
1273
|
+
*/
|
|
1274
|
+
token: string;
|
|
1275
|
+
/**
|
|
1276
|
+
* The type of token, typically indicating the authentication scheme.
|
|
1277
|
+
* @default `bearer`
|
|
1278
|
+
*/
|
|
1279
|
+
token_type: string;
|
|
1280
|
+
/**
|
|
1281
|
+
* The ID of the hubspot user for whom the access token was created.
|
|
1282
|
+
*/
|
|
1283
|
+
user_id: number;
|
|
1284
|
+
/**
|
|
1285
|
+
* The domain of the HubSpot account associated with the access token.
|
|
1286
|
+
*/
|
|
1287
|
+
hub_domain: string;
|
|
1288
|
+
/**
|
|
1289
|
+
* Indicates whether the token is for a privately distributed application. If false, it is marketplace distributed.
|
|
1290
|
+
*/
|
|
1291
|
+
is_private_distribution: boolean;
|
|
1292
|
+
signed_access_token: HubSportSignedAccessToken;
|
|
1293
|
+
/**
|
|
1294
|
+
* The email address of the hubspot user for whom the access token was created.
|
|
1295
|
+
*/
|
|
1296
|
+
user: string;
|
|
1297
|
+
}
|
|
1298
|
+
/**
|
|
1299
|
+
* HubSpot OAuth provider
|
|
1300
|
+
* Profile Type {@link HubSpotProfile}
|
|
1301
|
+
*
|
|
1302
|
+
* @see [HubSpot - Working with OAuth](https://developers.hubspot.com/docs/apps/legacy-apps/authentication/oauth-quickstart-guide#getting-oauth-tokens)
|
|
1303
|
+
* @see [HubSpot - Scopes](https://developers.hubspot.com/docs/apps/legacy-apps/authentication/scopes)
|
|
1304
|
+
* @see [HubSpot - Retrieve OAuth token metadata](https://developers.hubspot.com/docs/api-reference/legacy/authentication/oauth-tokens/v1/get-oauth-token-metadata)
|
|
1305
|
+
*/
|
|
1306
|
+
declare const hubspot: <DefaultUser extends User = User>(options?: OAuthProviderConfig<HubSpotProfile, DefaultUser>) => OAuthProviderConfig<HubSpotProfile, DefaultUser>;
|
|
1307
|
+
//#endregion
|
|
1308
|
+
//#region src/oauth/google.d.ts
|
|
1309
|
+
/**
|
|
1310
|
+
* @see [Google - ID Token (Claims)](https://developers.google.com/identity/openid-connect/reference#id_token_claims)
|
|
1311
|
+
*/
|
|
1312
|
+
interface GoogleProfile {
|
|
1313
|
+
/**
|
|
1314
|
+
* The issuer identifier for the issuer of the response.
|
|
1315
|
+
* Typically `https://accounts.google.com` or `accounts.google.com`
|
|
1316
|
+
*/
|
|
1317
|
+
iss: string;
|
|
1318
|
+
/**
|
|
1319
|
+
* The subject identifier for the user. This is a unique and immutable
|
|
1320
|
+
* identifier for the user.
|
|
1321
|
+
*/
|
|
1322
|
+
sub: string;
|
|
1323
|
+
/**
|
|
1324
|
+
* The audience for which the ID token is intended.
|
|
1325
|
+
*/
|
|
1326
|
+
aud: string;
|
|
1327
|
+
/**
|
|
1328
|
+
* The time of the ID token was issued.
|
|
1329
|
+
*/
|
|
1330
|
+
iat: number;
|
|
1331
|
+
/**
|
|
1332
|
+
* Expiration time on or after which the ID token must not be accepted.
|
|
1333
|
+
*/
|
|
1334
|
+
exp: string;
|
|
1335
|
+
/**
|
|
1336
|
+
* The client Identifier for the authorized presenter, obtained from
|
|
1337
|
+
* the Google Cloud Console.
|
|
1338
|
+
*/
|
|
1339
|
+
azp?: string;
|
|
1340
|
+
/**
|
|
1341
|
+
* The value of the `nonce` supplied by the client.
|
|
1342
|
+
*/
|
|
1343
|
+
nonce?: string;
|
|
1344
|
+
/**
|
|
1345
|
+
* The time user authentication took placea JSON number representing
|
|
1346
|
+
* the number of seconds.
|
|
1347
|
+
*/
|
|
1348
|
+
auth_time?: number;
|
|
1349
|
+
/**
|
|
1350
|
+
* Access token hash. Provides validation that the Access Token is tied
|
|
1351
|
+
* to the identity token.
|
|
1352
|
+
*/
|
|
1353
|
+
at_hash?: string;
|
|
1354
|
+
/**
|
|
1355
|
+
* The domain associated with the Google Workspace or Cloud organization of the user.
|
|
1356
|
+
*/
|
|
1357
|
+
hd?: string;
|
|
1358
|
+
/**
|
|
1359
|
+
* The user's email address.
|
|
1360
|
+
* > Note: Provided only if you included the `email` scope in your request.
|
|
1361
|
+
*
|
|
1362
|
+
* > Warning: Don't use email address as an identifier because a Google
|
|
1363
|
+
* Account can have multiple email addresses at different points in time.
|
|
1364
|
+
* Always use the `sub` field as the identifier for the user.
|
|
1365
|
+
*/
|
|
1366
|
+
email: string;
|
|
1367
|
+
/**
|
|
1368
|
+
* `True` if the user's email address has been verified.
|
|
1369
|
+
*/
|
|
1370
|
+
email_verified?: boolean;
|
|
1371
|
+
/**
|
|
1372
|
+
* The user's full name.
|
|
1373
|
+
* > Note: Provided only if you included the `profile` scope in your request.
|
|
1374
|
+
*/
|
|
1375
|
+
name: string;
|
|
1376
|
+
/**
|
|
1377
|
+
* The URL of the user's profile picture.
|
|
1378
|
+
* > Note: Provided only if you included the `profile` scope in your request.
|
|
1379
|
+
*/
|
|
1380
|
+
picture: string;
|
|
1381
|
+
/**
|
|
1382
|
+
* The user's give name(s) or first name(s).
|
|
1383
|
+
*/
|
|
1384
|
+
given_name?: string;
|
|
1385
|
+
/**
|
|
1386
|
+
* The user's family name(s) or last name(s).
|
|
1387
|
+
*/
|
|
1388
|
+
family_name?: string;
|
|
1389
|
+
}
|
|
1390
|
+
/**
|
|
1391
|
+
* Google OpenID Connect Provider
|
|
1392
|
+
*
|
|
1393
|
+
* @see [Google - Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/oauth2)
|
|
1394
|
+
* @see [Google - OpenID Connect](https://developers.google.com/identity/openid-connect/openid-connect)
|
|
1395
|
+
* @see [Google - OpenID Connect API Reference](https://developers.google.com/identity/openid-connect/reference)
|
|
1396
|
+
* @see [Google - Client Credentials](https://console.cloud.google.com/auth/clients)
|
|
1397
|
+
*/
|
|
1398
|
+
declare const google: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<GoogleProfile, DefaultUser>>) => OpenIDProvider<GoogleProfile, DefaultUser>;
|
|
1399
|
+
//#endregion
|
|
1400
|
+
//#region src/oauth/huggingface.d.ts
|
|
1401
|
+
interface HuggingFaceResourceGroup {
|
|
1402
|
+
sub: string;
|
|
1403
|
+
name: string;
|
|
1404
|
+
role: "admin" | "write" | "contributor" | "read" | "no_access";
|
|
1405
|
+
}
|
|
1406
|
+
interface HuggingFaceOrg {
|
|
1407
|
+
sub: string;
|
|
1408
|
+
name: string;
|
|
1409
|
+
picture: string;
|
|
1410
|
+
preferred_username: string;
|
|
1411
|
+
plan?: "team" | "enterprise" | "plus" | "academia";
|
|
1412
|
+
canPay?: boolean;
|
|
1413
|
+
billingMode?: "prepaid" | "postpaid";
|
|
1414
|
+
roleInOrg?: "admin" | "write" | "contributor" | "read" | "no_access";
|
|
1415
|
+
pendingSSO?: boolean;
|
|
1416
|
+
missingMFA?: boolean;
|
|
1417
|
+
securityRestrictions?: ("mfa" | "token-policy" | "token-revoked" | "sso" | "ip")[];
|
|
1418
|
+
resourceGroups?: HuggingFaceResourceGroup;
|
|
1419
|
+
}
|
|
1420
|
+
/**
|
|
1421
|
+
* @see [Hugging Face - Open API Metadata](https://huggingface.co/.well-known/openapi.json)
|
|
1422
|
+
*/
|
|
1423
|
+
interface HuggingFaceProfile {
|
|
1424
|
+
sub: string;
|
|
1425
|
+
isPro: boolean;
|
|
1426
|
+
orgs: HuggingFaceOrg[];
|
|
1427
|
+
name?: string;
|
|
1428
|
+
preferred_username?: string;
|
|
1429
|
+
picture?: string;
|
|
1430
|
+
profile?: string;
|
|
1431
|
+
website?: string;
|
|
1432
|
+
email?: string;
|
|
1433
|
+
email_verified?: boolean;
|
|
1434
|
+
canPay?: boolean;
|
|
1435
|
+
billingMode?: "prepaid" | "postpaid";
|
|
1436
|
+
}
|
|
1437
|
+
/**
|
|
1438
|
+
* Hugging Face OpenID Connect Provider
|
|
1439
|
+
*
|
|
1440
|
+
* @see [Hugging Face - Sign in with Hugging Face](https://huggingface.co/docs/hub/en/oauth)
|
|
1441
|
+
* @see [Hugging Face - Create an OAuth App](https://huggingface.co/settings/applications/new)
|
|
1442
|
+
* @see [Hugging Face - OpenID Metadata](https://huggingface.co/.well-known/openid-configuration)
|
|
1443
|
+
*/
|
|
1444
|
+
declare const huggingface: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<HuggingFaceProfile, DefaultUser>>) => OpenIDProvider<HuggingFaceProfile, DefaultUser>;
|
|
1445
|
+
//#endregion
|
|
1446
|
+
//#region src/oauth/authentik.d.ts
|
|
1447
|
+
interface AuthentikProfile {
|
|
1448
|
+
iss: string;
|
|
1449
|
+
sub: string;
|
|
1450
|
+
aud: string;
|
|
1451
|
+
exp: number;
|
|
1452
|
+
iat: number;
|
|
1453
|
+
auth_time: number;
|
|
1454
|
+
acr: string;
|
|
1455
|
+
c_hash: string;
|
|
1456
|
+
nonce: string;
|
|
1457
|
+
at_hash: string;
|
|
1458
|
+
email: string;
|
|
1459
|
+
email_verified: boolean;
|
|
1460
|
+
name: string;
|
|
1461
|
+
given_name: string;
|
|
1462
|
+
family_name: string;
|
|
1463
|
+
preferred_username: string;
|
|
1464
|
+
nickname: string;
|
|
1465
|
+
}
|
|
1466
|
+
/**
|
|
1467
|
+
* Authentik OpenID Connect Provider
|
|
1468
|
+
*
|
|
1469
|
+
* @see [Authentik - OAuth 2.0 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/)
|
|
1470
|
+
* @see [Authentik - Create an OAuth2 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/create-oauth2-provider/)
|
|
1471
|
+
*/
|
|
1472
|
+
declare const authentik: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<AuthentikProfile, DefaultUser>>) => OpenIDProvider<AuthentikProfile, DefaultUser>;
|
|
1473
|
+
//#endregion
|
|
1474
|
+
//#region src/@types/session.d.ts
|
|
1475
|
+
/** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
|
|
1476
|
+
type User = infer$2<typeof UserIdentity>;
|
|
1477
|
+
/**
|
|
1478
|
+
* Session data returned by the session endpoint.
|
|
1479
|
+
*/
|
|
1480
|
+
interface Session<DefaultUser extends User = User> {
|
|
1481
|
+
user: DefaultUser;
|
|
1482
|
+
expires: string;
|
|
1483
|
+
}
|
|
1484
|
+
interface CryptoSecret {
|
|
1485
|
+
sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1486
|
+
encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1487
|
+
}
|
|
1488
|
+
interface AsymmetricKeyPairFromEnv {
|
|
1489
|
+
publicKey: string;
|
|
1490
|
+
privateKey: string;
|
|
1491
|
+
}
|
|
1492
|
+
interface AsymmetricKeyPair {
|
|
1493
|
+
publicKey: CryptoKey | JWK;
|
|
1494
|
+
privateKey: CryptoKey | JWK;
|
|
1495
|
+
}
|
|
1496
|
+
/**
|
|
1497
|
+
* A symmetric secret or asymmetric key pair used for JWT operations.
|
|
1498
|
+
*
|
|
1499
|
+
* - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
|
|
1500
|
+
* - CryptoKey: Web Crypto API key, for environments that support it
|
|
1501
|
+
* - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
|
|
1502
|
+
*/
|
|
1503
|
+
type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
|
|
1504
|
+
/**
|
|
1505
|
+
* @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
|
|
1506
|
+
*/
|
|
1507
|
+
type JWTKey = SecretKey;
|
|
1508
|
+
/**
|
|
1509
|
+
* - "signed" → standard JWS (e.g. HS256, RS256, ES256).
|
|
1510
|
+
* - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
|
|
1511
|
+
* - "sealed" → JWS nested inside JWE (signed then encrypted).
|
|
1512
|
+
*/
|
|
1513
|
+
type JWTMode = "signed" | "encrypted" | "sealed";
|
|
1514
|
+
/**
|
|
1515
|
+
* Signing algorithms for "signed" and "sealed" modes.
|
|
1516
|
+
* Symmetric: HS256 | HS384 | HS512
|
|
1517
|
+
* Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
|
|
1518
|
+
*/
|
|
1519
|
+
type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
|
|
1520
|
+
/**
|
|
1521
|
+
* Key-wrapping algorithms for "encrypted" and "sealed" modes.
|
|
1522
|
+
* Symmetric: A128KW | A192KW | A256KW | dir (direct)
|
|
1523
|
+
* ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
|
|
1524
|
+
* RSA: RSA-OAEP | RSA-OAEP-256
|
|
1525
|
+
*/
|
|
1526
|
+
type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
|
|
1527
|
+
/** Content-encryption algorithms for JWE. */
|
|
1528
|
+
type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
|
|
1529
|
+
/** Signed JWT mode configuration. */
|
|
1530
|
+
type JWTSignedMode = {
|
|
1531
|
+
mode: "signed";
|
|
1532
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1533
|
+
};
|
|
1534
|
+
/** Encrypted JWT mode configuration. */
|
|
1535
|
+
type JWTEncryptedMode = {
|
|
1536
|
+
mode: "encrypted";
|
|
1537
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1538
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1539
|
+
};
|
|
1540
|
+
/** Signed and Encrypted JWT mode configuration. */
|
|
1541
|
+
type JWTSealedMode = {
|
|
1542
|
+
mode?: "sealed";
|
|
1543
|
+
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1544
|
+
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1545
|
+
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
1546
|
+
};
|
|
1547
|
+
/** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
|
|
1548
|
+
type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
|
|
1549
|
+
/** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
|
|
1550
|
+
type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
|
|
1551
|
+
type JWTConfig = Prettify<{
|
|
1552
|
+
/**
|
|
1553
|
+
* Token lifetime.
|
|
1554
|
+
*/
|
|
1555
|
+
maxAge?: number;
|
|
1556
|
+
/**
|
|
1557
|
+
* JWT `iss` (issuer) claim. Set this to your app's canonical URL.
|
|
1558
|
+
* @example "https://auth.example.com"
|
|
1559
|
+
*/
|
|
1560
|
+
issuer?: string;
|
|
1561
|
+
/**
|
|
1562
|
+
* JWT `aud` claim. Single value or array for multi-audience tokens.
|
|
1563
|
+
* @example ["https://api.example.com", "https://app.example.com"]
|
|
1564
|
+
*/
|
|
1565
|
+
audience?: string | string[];
|
|
1566
|
+
/**
|
|
1567
|
+
* Maximum absolute session duration in seconds.
|
|
1568
|
+
* Required for "absolute" and "sliding" strategies.
|
|
1569
|
+
* Enforced via jose's maxTokenAge against the iat claim.
|
|
1570
|
+
*/
|
|
1571
|
+
maxExpiration?: number;
|
|
1572
|
+
/**
|
|
1573
|
+
* Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
|
|
1574
|
+
*/
|
|
1575
|
+
expirationStrategy?: JWTExpirationStrategy;
|
|
1576
|
+
} & JWTConfigBase>;
|
|
1577
|
+
/**
|
|
1578
|
+
* Stateless JWT strategy.
|
|
1579
|
+
* No database required. Tokens are self-contained and cannot be revoked
|
|
1580
|
+
* before they expire — keep `jwt.maxAge` short or enable refresh tokens.
|
|
1581
|
+
*
|
|
1582
|
+
* @example
|
|
1583
|
+
* {
|
|
1584
|
+
* strategy: "jwt",
|
|
1585
|
+
* jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
|
|
1586
|
+
* refreshToken: { enabled: true, maxAge: "7d" },
|
|
1587
|
+
* }
|
|
1588
|
+
*/
|
|
1589
|
+
type StatelessStrategyConfig = {
|
|
1590
|
+
strategy?: "jwt";
|
|
1591
|
+
jwt?: JWTConfig;
|
|
1592
|
+
};
|
|
1593
|
+
/**
|
|
1594
|
+
* The session strategy. Determines which fields below are required.
|
|
1595
|
+
*
|
|
1596
|
+
* - "jwt": stateless. No database needed. JWTs are self-contained.
|
|
1597
|
+
* - "database": stateful. Every request hits the DB to validate the session.
|
|
1598
|
+
* - "hybrid": JWT transport + DB revocation. Best of both for most apps.
|
|
1599
|
+
*
|
|
1600
|
+
* @default "jwt"
|
|
1601
|
+
*/
|
|
1602
|
+
type SessionConfig = StatelessStrategyConfig;
|
|
1603
|
+
/** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
|
|
1604
|
+
interface GetStatelessSessionReturn<DefaultUser extends User = User> {
|
|
1605
|
+
session: Session<DefaultUser> | null;
|
|
1606
|
+
headers: Headers;
|
|
1607
|
+
}
|
|
1608
|
+
/**
|
|
1609
|
+
* Abstraction layer for session management.
|
|
1610
|
+
*/
|
|
1611
|
+
interface SessionStrategy<DefaultUser extends User = User> {
|
|
1612
|
+
/**
|
|
1613
|
+
* Read and validate the session from an incoming request.
|
|
1614
|
+
* Returns null if absent, invalid, or expired. Never throws on auth failure.
|
|
1615
|
+
*/
|
|
1616
|
+
getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
|
|
1617
|
+
/**
|
|
1618
|
+
* Create a session after successful authentication.
|
|
1619
|
+
* Signs the JWT / writes the DB row / sets cookies.
|
|
1620
|
+
*/
|
|
1621
|
+
createSession(session: User): Promise<string>;
|
|
1622
|
+
/**
|
|
1623
|
+
* Attempt to refresh using the refresh token cookie.
|
|
1624
|
+
* Returns null session + cookie-clearing response on any failure.
|
|
1625
|
+
*/
|
|
1626
|
+
refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
|
|
1627
|
+
session: Session<DefaultUser> | null;
|
|
1628
|
+
headers: Headers;
|
|
1629
|
+
}>;
|
|
1630
|
+
/**
|
|
1631
|
+
* Revoke a session by ID.
|
|
1632
|
+
* JWT strategy: best-effort (clears cookies, no server state).
|
|
1633
|
+
* Database / hybrid: marks row inactive.
|
|
1634
|
+
*/
|
|
1635
|
+
revokeSession(sessionId: string): Promise<void>;
|
|
1636
|
+
/**
|
|
1637
|
+
* Destroy the session attached to this request (logout).
|
|
1638
|
+
* Returns a response that clears cookies.
|
|
1639
|
+
*/
|
|
1640
|
+
destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
|
|
1641
|
+
}
|
|
1642
|
+
/** Inputs for constructing a session strategy implementation for a given identity schema. */
|
|
1643
|
+
interface CreateSessionStrategyOptions<Identity extends Identities> {
|
|
1644
|
+
config?: SessionConfig;
|
|
1645
|
+
jose: JoseInstance<FromShapeToObject<Identity> & User>;
|
|
1646
|
+
cookies: () => CookieStoreConfig;
|
|
1647
|
+
logger?: InternalLogger;
|
|
1648
|
+
identity: SchemaRegistryContext;
|
|
1649
|
+
}
|
|
1650
|
+
/** Options specialized for the JWT-backed session strategy. */
|
|
1651
|
+
interface JWTStrategyOptions<DefaultUser extends User = User> {
|
|
1652
|
+
config?: StatelessStrategyConfig;
|
|
1653
|
+
jose: JoseInstance<DefaultUser>;
|
|
1654
|
+
logger?: InternalLogger;
|
|
1655
|
+
cookies: () => CookieStoreConfig;
|
|
1656
|
+
identity: SchemaRegistryContext;
|
|
1657
|
+
}
|
|
1658
|
+
/** Minimal token issue/verify surface used by session code paths. */
|
|
1659
|
+
type JWTManager<DefaultUser extends User = User> = {
|
|
1660
|
+
createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
|
|
1661
|
+
verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
|
|
1662
|
+
};
|
|
1663
|
+
//#endregion
|
|
1664
|
+
//#region src/@types/oidc.d.ts
|
|
1665
|
+
/**
|
|
1666
|
+
* @link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
|
1667
|
+
*/
|
|
1668
|
+
interface OpenIDMetadata {
|
|
1669
|
+
/**
|
|
1670
|
+
* URL using the https scheme with no query or fragment component that the
|
|
1671
|
+
* OP asserts as its Issuer Identifier.
|
|
1672
|
+
*/
|
|
1673
|
+
issuer: string;
|
|
1674
|
+
/**
|
|
1675
|
+
* URL of the OP's OAuth 2.0 Authorization Endpoint
|
|
1676
|
+
*/
|
|
1677
|
+
authorization_endpoint: string;
|
|
1678
|
+
/**
|
|
1679
|
+
* URL of the OP's OAuth 2.0 Token Endpoint
|
|
1680
|
+
*/
|
|
1681
|
+
token_endpoint: string;
|
|
1682
|
+
/**
|
|
1683
|
+
* URL of the OP's UserInfo Endpoint.
|
|
1684
|
+
*/
|
|
1685
|
+
userinfo_endpoint: string;
|
|
1686
|
+
/**
|
|
1687
|
+
* URL of the OP's JSON Web Key Set [JWK] document. This contains the signing keys
|
|
1688
|
+
* used by the OP to sign tokens issued, which may be used by the RP to validate
|
|
1689
|
+
* signatures.
|
|
1690
|
+
*/
|
|
1691
|
+
jwks_uri: string;
|
|
1692
|
+
/**
|
|
1693
|
+
* URL of the OP's Dynamic Client Registration Endpoint. This is REQUIRED unless
|
|
1694
|
+
* the OP does not support dynamic client registration, in which case it MUST NOT
|
|
1695
|
+
* be included.
|
|
1696
|
+
*/
|
|
1697
|
+
registration_endpoint?: string;
|
|
1698
|
+
/**
|
|
1699
|
+
* JSON arry containing a list of the OP's supported Subject Identifier types.
|
|
1700
|
+
* Valid types include pairwise and public.
|
|
1701
|
+
*/
|
|
1702
|
+
scopes_supported?: string[];
|
|
1703
|
+
/**
|
|
1704
|
+
* Json array containing a list of the OP's supported response types. Valid response
|
|
1705
|
+
* types include code, id_token, and token. The OP MUST support the code response type.
|
|
1706
|
+
*/
|
|
1707
|
+
response_types_supported?: string[];
|
|
1708
|
+
/**
|
|
1709
|
+
* JSON array containing a list of the OP's supported response modes. Valid response
|
|
1710
|
+
* modes include query, fragment, and form_post. If omitted, the default is that the
|
|
1711
|
+
* OP supports only the query response mode.
|
|
1712
|
+
*/
|
|
1713
|
+
response_modes_supported?: string[];
|
|
1714
|
+
/**
|
|
1715
|
+
* JSON array containing a list of the OP's supported grant types. Valid grant types
|
|
1716
|
+
* include authorization_code, implicit, refresh_token, and client_credentials.
|
|
1717
|
+
* If omitted, the default is that the OP supports only the authorization_code
|
|
1718
|
+
* grant type.
|
|
1719
|
+
*/
|
|
1720
|
+
grant_types_supported?: string[];
|
|
1721
|
+
/**
|
|
1722
|
+
* JSON array containing a list of the OP's supported ACR values. If omitted, the
|
|
1723
|
+
* default is that the OP does not support any ACR values.
|
|
1724
|
+
*/
|
|
1725
|
+
acr_values_supported?: string[];
|
|
1726
|
+
/**
|
|
1727
|
+
* JSON array containing a list of the OP's supported Subject Identifier types.
|
|
1728
|
+
* Valid types include pairwise and public.
|
|
1729
|
+
*/
|
|
1730
|
+
subject_types_supported: string[];
|
|
1731
|
+
/**
|
|
1732
|
+
* JSON array containing a list of the OP's supported ID Token signing algorithms.
|
|
1733
|
+
* The only algorithm that MUST be supported is RS256. The OP SHOULD support
|
|
1734
|
+
* additional algorithms, such as ES256.
|
|
1735
|
+
*/
|
|
1736
|
+
id_token_signing_alg_values_supported: string[];
|
|
1737
|
+
/**
|
|
1738
|
+
* JSON array containing a list of the OP's supported ID Token encryption algorithms.
|
|
1739
|
+
* The OP MUST support the RSA1_5 algorithm. The OP SHOULD support additional
|
|
1740
|
+
* algorithms, such as A128KW and A256KW.
|
|
1741
|
+
*/
|
|
1742
|
+
id_token_encryption_alg_values_supported?: string[];
|
|
1743
|
+
/**
|
|
1744
|
+
* JSON array containing a list of the OP's supported ID Token encryption encodings.
|
|
1745
|
+
* The OP MUST support the A128CBC-HS256 encoding. The OP SHOULD support additional
|
|
1746
|
+
* encodings, such as A256CBC-HS512 and A128GCM.
|
|
1747
|
+
*/
|
|
1748
|
+
id_token_encryption_enc_values_supported?: string[];
|
|
1749
|
+
/**
|
|
1750
|
+
* JSON array containing a list of the OP's supported UserInfo signing algorithms.
|
|
1751
|
+
* The OP SHOULD support RS256 or ES256, or both. The OP SHOULD support none, one,
|
|
1752
|
+
* or more additional signing algorithms.
|
|
1753
|
+
*/
|
|
1754
|
+
userinfo_signing_alg_values_supported?: string[];
|
|
1755
|
+
/**
|
|
1756
|
+
* JSON array containing a list of the OP's supported UserInfo encryption algorithms.
|
|
1757
|
+
* The OP SHOULD support the RSA1_5 algorithm. The OP SHOULD support additional
|
|
1758
|
+
* algorithms, such as A128KW and A256KW.
|
|
1759
|
+
*/
|
|
1760
|
+
userinfo_encryption_alg_values_supported?: string[];
|
|
1761
|
+
/**
|
|
1762
|
+
* JSON array containing a list of the OP's supported UserInfo encryption encodings.
|
|
1763
|
+
* The OP SHOULD support the A128CBC-HS256 encoding. The OP SHOULD support additional
|
|
1764
|
+
* encodings, such as A256CBC-HS512 and A128GCM.
|
|
1765
|
+
*/
|
|
1766
|
+
userinfo_encryption_enc_values_supported?: string[];
|
|
1767
|
+
/**
|
|
1768
|
+
* JSON array containing a list of the OP's supported Request Object signing algorithms.
|
|
1769
|
+
* The OP SHOULD support RS256 or ES256, or both. The OP SHOULD support none, one, or
|
|
1770
|
+
* more additional signing algorithms.
|
|
1771
|
+
*/
|
|
1772
|
+
request_object_signing_alg_values_supported?: string[];
|
|
1773
|
+
/**
|
|
1774
|
+
* JSON array containing a list of the OP's supported Request Object encryption algorithms.
|
|
1775
|
+
* The OP SHOULD support the RSA1_5 algorithm. The OP SHOULD support additional algorithms,
|
|
1776
|
+
* such as A128KW and A256KW.
|
|
1777
|
+
*/
|
|
1778
|
+
request_object_encryption_alg_values_supported?: string[];
|
|
1779
|
+
/**
|
|
1780
|
+
* JSON array containing a list of the OP's supported Request Object encryption encodings.
|
|
1781
|
+
* The OP SHOULD support the A128CBC-HS256 encoding. The OP SHOULD support additional
|
|
1782
|
+
* encodings, such as A256CBC-HS512 and A128GCM.
|
|
1783
|
+
*/
|
|
1784
|
+
request_object_encryption_enc_values_supported?: string[];
|
|
1785
|
+
/**
|
|
1786
|
+
* JSON array containing a list of the OP's supported Token Endpoint authentication methods.
|
|
1787
|
+
* Valid methods include client_secret_post, client_secret_basic, client_secret_jwt, and
|
|
1788
|
+
* private_key_jwt. The OP MUST support client_secret_basic and client_secret_post.
|
|
1789
|
+
*/
|
|
1790
|
+
token_endpoint_auth_methods_supported?: string[];
|
|
1791
|
+
/**
|
|
1792
|
+
* JSON array containing a list of the OP's supported Token Endpoint authentication signing
|
|
1793
|
+
* algorithms. The OP MUST support RS256. The OP SHOULD support additional algorithms, such
|
|
1794
|
+
* as ES256.
|
|
1795
|
+
*/
|
|
1796
|
+
token_endpoint_auth_signing_alg_values_supported?: string[];
|
|
1797
|
+
/**
|
|
1798
|
+
* JSON array containing a list of the OP's supported display parameter values. Valid values
|
|
1799
|
+
* include page, popup, touch, and wap. If omitted, the default is that the OP supports only
|
|
1800
|
+
* the page display parameter value.
|
|
1801
|
+
*/
|
|
1802
|
+
display_values_supported?: string[];
|
|
1803
|
+
/**
|
|
1804
|
+
* JSON array containing a list of the OP's supported claim types. Valid types include normal
|
|
1805
|
+
* and aggregated. If omitted, the default is that the OP supports only the normal claim type.
|
|
1806
|
+
*/
|
|
1807
|
+
claim_types_supported?: string[];
|
|
1808
|
+
/**
|
|
1809
|
+
* JSON array containing a list of the OP's supported claims. These are the claims that the
|
|
1810
|
+
* OP may be able to supply values for. Note that the individual claims supported by the OP
|
|
1811
|
+
* need not be listed here, and that this element is intended primarily to provide a mechanism
|
|
1812
|
+
* for listing those claims that are typically returned by the OP's UserInfo Endpoint.
|
|
1813
|
+
*/
|
|
1814
|
+
claims_supported?: string[];
|
|
1815
|
+
/**
|
|
1816
|
+
* URL of a page containing human-readable information that developers might want or need to
|
|
1817
|
+
* know when using the OP. In particular, if the OP does not support dynamic client registration,
|
|
1818
|
+
* then information on how to register clients needs to be provided in this documentation.
|
|
1819
|
+
*/
|
|
1820
|
+
service_documentation?: string;
|
|
1821
|
+
/**
|
|
1822
|
+
* Languages and scripts supported for values in Claims
|
|
1823
|
+
*/
|
|
1824
|
+
claims_locales_supported?: string[];
|
|
1825
|
+
/**
|
|
1826
|
+
* Languages and scripts supported for the user interface, represented as a JSON array of
|
|
1827
|
+
* BCP47 [RFC5646] language tag values. If omitted, the default is that the OP supports
|
|
1828
|
+
* only the en-US locale.
|
|
1829
|
+
*/
|
|
1830
|
+
ui_locales_supported?: string[];
|
|
1831
|
+
/**
|
|
1832
|
+
* Boolean value specifying whether the OP supports use of the claims parameter, with true
|
|
1833
|
+
* indicating support. If omitted, the default is that the OP does not support use of the
|
|
1834
|
+
* claims parameter.
|
|
1835
|
+
*/
|
|
1836
|
+
claims_parameter_supported?: boolean;
|
|
1837
|
+
/**
|
|
1838
|
+
* Boolean value specifying whether the OP supports use of the request parameter, with true
|
|
1839
|
+
* indicating support. If omitted, the default is that the OP does not support use of the
|
|
1840
|
+
* request parameter.
|
|
1841
|
+
*/
|
|
1842
|
+
request_parameter_supported?: boolean;
|
|
1843
|
+
/**
|
|
1844
|
+
* Boolean value specifying whether the OP supports use of the request_uri parameter, with
|
|
1845
|
+
* true indicating support. If omitted, the default is that the OP does not support use of
|
|
1846
|
+
* the request_uri parameter.
|
|
1847
|
+
*/
|
|
1848
|
+
request_uri_parameter_supported?: boolean;
|
|
1849
|
+
/**
|
|
1850
|
+
* Boolean value specifying whether the OP requires any request_uri values used to be
|
|
1851
|
+
* pre-registered using the request_uris registration parameter, with true indicating
|
|
1852
|
+
* that any such request_uri values need to be pre-registered. If omitted, the default
|
|
1853
|
+
* is that the OP does not require pre-registration of request_uri values.
|
|
1854
|
+
*/
|
|
1855
|
+
require_request_uri_registration?: boolean;
|
|
1856
|
+
/**
|
|
1857
|
+
* URL that the OpenID Provider provides to the person registering the Client to read
|
|
1858
|
+
* about the OP's requirements on how the client can use the request_uri parameter. The
|
|
1859
|
+
* registration process SHOULD display this URL to the person registering the Client if
|
|
1860
|
+
* the OP requires pre-registration of request_uri values.
|
|
1861
|
+
*/
|
|
1862
|
+
op_policy_uri?: string;
|
|
1863
|
+
/**
|
|
1864
|
+
* URL that the OpenID Provider provides to the person registering the Client to read
|
|
1865
|
+
* about the OP's terms of service. The registration process SHOULD display this URL to
|
|
1866
|
+
* the person registering the Client if the OP provides such a URL.
|
|
1867
|
+
*/
|
|
1868
|
+
op_tos_uri?: string;
|
|
1869
|
+
}
|
|
1870
|
+
type OpenIDProvider<Profile extends object = Record<string, any>, DefaultUser = User, Issuer extends string = string> = {
|
|
1871
|
+
id: string;
|
|
1872
|
+
name: string;
|
|
1873
|
+
/**
|
|
1874
|
+
* URL to concatenating the string /.well-known/openid-configuration to the Issuer.
|
|
1875
|
+
*/
|
|
1876
|
+
issuer: Issuer;
|
|
1877
|
+
clientId?: string;
|
|
1878
|
+
clientSecret?: string;
|
|
1879
|
+
/**
|
|
1880
|
+
* Override the default OIDC scope (`openid profile email`).
|
|
1881
|
+
*/
|
|
1882
|
+
scope?: string;
|
|
1883
|
+
profile?: (profile: Profile) => DefaultUser | Promise<DefaultUser>;
|
|
1884
|
+
} & GetRouteParams<`/${Issuer}`>;
|
|
1885
|
+
//#endregion
|
|
1156
1886
|
//#region src/oauth/index.d.ts
|
|
1157
1887
|
declare const builtInOAuthProviders: {
|
|
1158
1888
|
readonly github: <DefaultUser extends User = {
|
|
@@ -1238,20 +1968,46 @@ declare const builtInOAuthProviders: {
|
|
|
1238
1968
|
name?: string | null | undefined;
|
|
1239
1969
|
image?: string | null | undefined;
|
|
1240
1970
|
email?: string | null | undefined;
|
|
1241
|
-
}>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1242
|
-
readonly clickUp: <DefaultUser extends User = {
|
|
1971
|
+
}>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
|
|
1972
|
+
readonly clickUp: <DefaultUser extends User = {
|
|
1973
|
+
sub: string;
|
|
1974
|
+
name?: string | null | undefined;
|
|
1975
|
+
image?: string | null | undefined;
|
|
1976
|
+
email?: string | null | undefined;
|
|
1977
|
+
}>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
|
|
1978
|
+
readonly dribbble: <DefaultUser extends User = {
|
|
1979
|
+
sub: string;
|
|
1980
|
+
name?: string | null | undefined;
|
|
1981
|
+
image?: string | null | undefined;
|
|
1982
|
+
email?: string | null | undefined;
|
|
1983
|
+
}>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
|
|
1984
|
+
readonly hubspot: <DefaultUser extends User = {
|
|
1985
|
+
sub: string;
|
|
1986
|
+
name?: string | null | undefined;
|
|
1987
|
+
image?: string | null | undefined;
|
|
1988
|
+
email?: string | null | undefined;
|
|
1989
|
+
}>(options?: OAuthProviderConfig<HubSpotProfile, DefaultUser>) => OAuthProviderConfig<HubSpotProfile, DefaultUser>;
|
|
1990
|
+
readonly google: <DefaultUser extends User = {
|
|
1991
|
+
sub: string;
|
|
1992
|
+
name?: string | null | undefined;
|
|
1993
|
+
image?: string | null | undefined;
|
|
1994
|
+
email?: string | null | undefined;
|
|
1995
|
+
}>(options?: Partial<OpenIDProvider<GoogleProfile, DefaultUser>>) => OpenIDProvider<GoogleProfile, DefaultUser>;
|
|
1996
|
+
readonly huggingface: <DefaultUser extends User = {
|
|
1243
1997
|
sub: string;
|
|
1244
1998
|
name?: string | null | undefined;
|
|
1245
1999
|
image?: string | null | undefined;
|
|
1246
2000
|
email?: string | null | undefined;
|
|
1247
|
-
}>(options?: Partial<
|
|
1248
|
-
readonly
|
|
2001
|
+
}>(options?: Partial<OpenIDProvider<HuggingFaceProfile, DefaultUser>>) => OpenIDProvider<HuggingFaceProfile, DefaultUser>;
|
|
2002
|
+
readonly authentik: <DefaultUser extends User = {
|
|
1249
2003
|
sub: string;
|
|
1250
2004
|
name?: string | null | undefined;
|
|
1251
2005
|
image?: string | null | undefined;
|
|
1252
2006
|
email?: string | null | undefined;
|
|
1253
|
-
}>(options?: Partial<
|
|
2007
|
+
}>(options?: Partial<OpenIDProvider<AuthentikProfile, DefaultUser>>) => OpenIDProvider<AuthentikProfile, DefaultUser>;
|
|
1254
2008
|
};
|
|
2009
|
+
declare const setDynamicParams: <const T extends string, P extends Record<string, unknown>>(template: T, params: P) => string;
|
|
2010
|
+
declare const defineOpenIDProviderConfig: (config: OpenIDProvider) => RuntimeOAuthProvider;
|
|
1255
2011
|
/**
|
|
1256
2012
|
* Constructs OAuth provider configurations from an array of provider names or configurations.
|
|
1257
2013
|
* It loads the client ID and client secret from environment variables if only the provider name is provided.
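Review bot: `setDynamicParams` and `defineOpenIDProviderConfig` are exported at new lines 2009–2010 with no TSDoc, and `setDynamicParams` takes `params` values typed `unknown` and returns a plain `string`. If this helper fills placeholders in an issuer or endpoint URL (the `GetRouteParams` intersection on `OpenIDProvider` suggests so, but the declaration does not show it), callers need to know whether values are percent-encoded and what happens when a key is missing or a value is not a string. I would add a TSDoc block on each export stating those contracts. Consider also narrowing the constraint to `P extends Record<string, string | number>` so an object cannot be interpolated as `[object Object]`.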
|
|
@@ -1265,200 +2021,50 @@ declare const builtInOAuthProviders: {
|
|
|
1265
2021
|
* // Using built-in provider with explicit credentials via factory
|
|
1266
2022
|
* createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
|
|
1267
2023
|
*/
|
|
1268
|
-
declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider |
|
|
2024
|
+
declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | RuntimeOAuthProvider<any> | OpenIDProvider)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, RuntimeOAuthProvider<any>>;
|
|
1269
2025
|
type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
|
|
1270
2026
|
//#endregion
|
|
1271
|
-
//#region src/@types/
|
|
1272
|
-
|
|
1273
|
-
type
|
|
1274
|
-
|
|
1275
|
-
|
|
1276
|
-
|
|
1277
|
-
interface Session<DefaultUser extends User = User> {
|
|
1278
|
-
user: DefaultUser;
|
|
1279
|
-
expires: string;
|
|
1280
|
-
}
|
|
1281
|
-
interface CryptoSecret {
|
|
1282
|
-
sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1283
|
-
encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
|
|
1284
|
-
}
|
|
1285
|
-
interface AsymmetricKeyPairFromEnv {
|
|
1286
|
-
publicKey: string;
|
|
1287
|
-
privateKey: string;
|
|
1288
|
-
}
|
|
1289
|
-
interface AsymmetricKeyPair {
|
|
1290
|
-
publicKey: CryptoKey | JWK;
|
|
1291
|
-
privateKey: CryptoKey | JWK;
|
|
1292
|
-
}
|
|
1293
|
-
/**
|
|
1294
|
-
* A symmetric secret or asymmetric key pair used for JWT operations.
|
|
1295
|
-
*
|
|
1296
|
-
* - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
|
|
1297
|
-
* - CryptoKey: Web Crypto API key, for environments that support it
|
|
1298
|
-
* - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
|
|
1299
|
-
*/
|
|
1300
|
-
type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
|
|
1301
|
-
/**
|
|
1302
|
-
* @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
|
|
1303
|
-
*/
|
|
1304
|
-
type JWTKey = SecretKey;
|
|
1305
|
-
/**
|
|
1306
|
-
* - "signed" → standard JWS (e.g. HS256, RS256, ES256).
|
|
1307
|
-
* - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
|
|
1308
|
-
* - "sealed" → JWS nested inside JWE (signed then encrypted).
|
|
1309
|
-
*/
|
|
1310
|
-
type JWTMode = "signed" | "encrypted" | "sealed";
|
|
1311
|
-
/**
|
|
1312
|
-
* Signing algorithms for "signed" and "sealed" modes.
|
|
1313
|
-
* Symmetric: HS256 | HS384 | HS512
|
|
1314
|
-
* Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
|
|
1315
|
-
*/
|
|
1316
|
-
type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
|
|
1317
|
-
/**
|
|
1318
|
-
* Key-wrapping algorithms for "encrypted" and "sealed" modes.
|
|
1319
|
-
* Symmetric: A128KW | A192KW | A256KW | dir (direct)
|
|
1320
|
-
* ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
|
|
1321
|
-
* RSA: RSA-OAEP | RSA-OAEP-256
|
|
1322
|
-
*/
|
|
1323
|
-
type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
|
|
1324
|
-
/** Content-encryption algorithms for JWE. */
|
|
1325
|
-
type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
|
|
1326
|
-
/** Signed JWT mode configuration. */
|
|
1327
|
-
type JWTSignedMode = {
|
|
1328
|
-
mode: "signed";
|
|
1329
|
-
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1330
|
-
};
|
|
1331
|
-
/** Encrypted JWT mode configuration. */
|
|
1332
|
-
type JWTEncryptedMode = {
|
|
1333
|
-
mode: "encrypted";
|
|
1334
|
-
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1335
|
-
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
2027
|
+
//#region src/@types/oauth.d.ts
|
|
2028
|
+
type OAuthAccessTokenResponseType = infer$1<typeof OAuthAccessTokenResponse>;
|
|
2029
|
+
type OIDCAccessTokenResponseType = infer$1<typeof OIDCAccessTokenResponseSchema>;
|
|
2030
|
+
type OIDCProviderContext = {
|
|
2031
|
+
issuer: string;
|
|
2032
|
+
jwks_uri?: string;
|
|
1336
2033
|
};
|
|
1337
|
-
|
|
1338
|
-
|
|
1339
|
-
mode?: "sealed";
|
|
1340
|
-
signingAlgorithm?: JWTSigningAlgorithm;
|
|
1341
|
-
keyAlgorithm?: JWTKeyAlgorithm;
|
|
1342
|
-
encryptionAlgorithm?: JWTEncryptionAlgorithm;
|
|
2034
|
+
type RuntimeOAuthProvider<Profile extends object = Record<string, any>, DefaultUser extends User = User> = OAuthProviderCredentials<Profile, DefaultUser> & {
|
|
2035
|
+
oidc?: OIDCProviderContext;
|
|
1343
2036
|
};
|
|
1344
|
-
|
|
1345
|
-
type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
|
|
1346
|
-
/** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
|
|
1347
|
-
type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
|
|
1348
|
-
type JWTConfig = Prettify<{
|
|
1349
|
-
/**
|
|
1350
|
-
* Token lifetime.
|
|
1351
|
-
*/
|
|
1352
|
-
maxAge?: number;
|
|
1353
|
-
/**
|
|
1354
|
-
* JWT `iss` (issuer) claim. Set this to your app's canonical URL.
|
|
1355
|
-
* @example "https://auth.example.com"
|
|
1356
|
-
*/
|
|
1357
|
-
issuer?: string;
|
|
1358
|
-
/**
|
|
1359
|
-
* JWT `aud` claim. Single value or array for multi-audience tokens.
|
|
1360
|
-
* @example ["https://api.example.com", "https://app.example.com"]
|
|
1361
|
-
*/
|
|
1362
|
-
audience?: string | string[];
|
|
2037
|
+
type AccessTokenContext = {
|
|
1363
2038
|
/**
|
|
1364
|
-
*
|
|
1365
|
-
*
|
|
1366
|
-
* Enforced via jose's maxTokenAge against the iat claim.
|
|
1367
|
-
*/
|
|
1368
|
-
maxExpiration?: number;
|
|
1369
|
-
/**
|
|
1370
|
-
* Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
|
|
2039
|
+
* Access token string returned by the OAuth provider's token endpoint. The token
|
|
2040
|
+
* must be used to exchange for user information from the provider's userinfo endpoint.
|
|
1371
2041
|
*/
|
|
1372
|
-
|
|
1373
|
-
} & JWTConfigBase>;
|
|
1374
|
-
/**
|
|
1375
|
-
* Stateless JWT strategy.
|
|
1376
|
-
* No database required. Tokens are self-contained and cannot be revoked
|
|
1377
|
-
* before they expire — keep `jwt.maxAge` short or enable refresh tokens.
|
|
1378
|
-
*
|
|
1379
|
-
* @example
|
|
1380
|
-
* {
|
|
1381
|
-
* strategy: "jwt",
|
|
1382
|
-
* jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
|
|
1383
|
-
* refreshToken: { enabled: true, maxAge: "7d" },
|
|
1384
|
-
* }
|
|
1385
|
-
*/
|
|
1386
|
-
type StatelessStrategyConfig = {
|
|
1387
|
-
strategy?: "jwt";
|
|
1388
|
-
jwt?: JWTConfig;
|
|
1389
|
-
};
|
|
1390
|
-
/**
|
|
1391
|
-
* The session strategy. Determines which fields below are required.
|
|
1392
|
-
*
|
|
1393
|
-
* - "jwt": stateless. No database needed. JWTs are self-contained.
|
|
1394
|
-
* - "database": stateful. Every request hits the DB to validate the session.
|
|
1395
|
-
* - "hybrid": JWT transport + DB revocation. Best of both for most apps.
|
|
1396
|
-
*
|
|
1397
|
-
* @default "jwt"
|
|
1398
|
-
*/
|
|
1399
|
-
type SessionConfig = StatelessStrategyConfig;
|
|
1400
|
-
/** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
|
|
1401
|
-
interface GetStatelessSessionReturn<DefaultUser extends User = User> {
|
|
1402
|
-
session: Session<DefaultUser> | null;
|
|
1403
|
-
headers: Headers;
|
|
1404
|
-
}
|
|
1405
|
-
/**
|
|
1406
|
-
* Abstraction layer for session management.
|
|
1407
|
-
*/
|
|
1408
|
-
interface SessionStrategy<DefaultUser extends User = User> {
|
|
2042
|
+
accessToken: string;
|
|
1409
2043
|
/**
|
|
1410
|
-
*
|
|
1411
|
-
* Returns null if absent, invalid, or expired. Never throws on auth failure.
|
|
2044
|
+
* The access token type returned by the OAuth provider's token endpoint, typically "Bearer".
|
|
1412
2045
|
*/
|
|
1413
|
-
|
|
2046
|
+
tokenType?: string | undefined;
|
|
1414
2047
|
/**
|
|
1415
|
-
*
|
|
1416
|
-
*
|
|
2048
|
+
* The number of seconds until the access token expires, as returned by the OAuth provider's
|
|
2049
|
+
* token endpoint.
|
|
1417
2050
|
*/
|
|
1418
|
-
|
|
2051
|
+
expiresIn?: number | undefined;
|
|
1419
2052
|
/**
|
|
1420
|
-
*
|
|
1421
|
-
*
|
|
2053
|
+
* Optional refresh token returned by the OAuth provider's token endpoint, which can be
|
|
2054
|
+
* used to obtain a new access token when the current one expires.
|
|
1422
2055
|
*/
|
|
1423
|
-
|
|
1424
|
-
session: Session<DefaultUser> | null;
|
|
1425
|
-
headers: Headers;
|
|
1426
|
-
}>;
|
|
2056
|
+
refreshToken?: string | undefined;
|
|
1427
2057
|
/**
|
|
1428
|
-
*
|
|
1429
|
-
*
|
|
1430
|
-
* Database / hybrid: marks row inactive.
|
|
2058
|
+
* The scopes granted by the user for the access token, as returned by the OAuth provider's
|
|
2059
|
+
* token endpoint.
|
|
1431
2060
|
*/
|
|
1432
|
-
|
|
2061
|
+
scope?: string | string[] | null | undefined;
|
|
1433
2062
|
/**
|
|
1434
|
-
*
|
|
1435
|
-
*
|
|
2063
|
+
* The userinfo endpoint URL of the OAuth provider. This is required to fetch user
|
|
2064
|
+
* information using the access token.
|
|
1436
2065
|
*/
|
|
1437
|
-
|
|
1438
|
-
}
|
|
1439
|
-
/** Inputs for constructing a session strategy implementation for a given identity schema. */
|
|
1440
|
-
interface CreateSessionStrategyOptions<Identity extends Identities> {
|
|
1441
|
-
config?: SessionConfig;
|
|
1442
|
-
jose: JoseInstance<FromShapeToObject<Identity> & User>;
|
|
1443
|
-
cookies: () => CookieStoreConfig;
|
|
1444
|
-
logger?: InternalLogger;
|
|
1445
|
-
identity: SchemaRegistryContext;
|
|
1446
|
-
}
|
|
1447
|
-
/** Options specialized for the JWT-backed session strategy. */
|
|
1448
|
-
interface JWTStrategyOptions<DefaultUser extends User = User> {
|
|
1449
|
-
config?: StatelessStrategyConfig;
|
|
1450
|
-
jose: JoseInstance<DefaultUser>;
|
|
1451
|
-
logger?: InternalLogger;
|
|
1452
|
-
cookies: () => CookieStoreConfig;
|
|
1453
|
-
identity: SchemaRegistryContext;
|
|
1454
|
-
}
|
|
1455
|
-
/** Minimal token issue/verify surface used by session code paths. */
|
|
1456
|
-
type JWTManager<DefaultUser extends User = User> = {
|
|
1457
|
-
createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
|
|
1458
|
-
verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
|
|
2066
|
+
userInfoURL: string;
|
|
1459
2067
|
};
|
|
1460
|
-
//#endregion
|
|
1461
|
-
//#region src/@types/oauth.d.ts
|
|
1462
2068
|
/** Known query parameter names supported when building an OAuth authorization URL. */
|
|
1463
2069
|
type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
|
|
1464
2070
|
/** OAuth 2.0 `response_type` values used in authorization requests. */
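Review bot: `jwks_uri` is optional on the new `OIDCProviderContext` (new line 2032) and the type has no documentation, so the declaration does not show how an ID token is checked when the provider context has no key-set URL. The `OpenIDMetadata` comment in this same file describes `jwks_uri` as the document holding the keys used to validate signatures, so a missing value is security-relevant rather than cosmetic. I would document the field, e.g. `/** JWKS document URL used to verify ID token signatures. */`, and state on the type whether a missing value makes the flow fail closed. `RuntimeOAuthProvider.oidc` (new line 2035) is optional and undocumented in the same way.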
|
|
@@ -1489,6 +2095,9 @@ interface OAuthProviderConfig<Profile extends object = Record<string, any>, Defa
|
|
|
1489
2095
|
url: string;
|
|
1490
2096
|
headers?: Record<string, string>;
|
|
1491
2097
|
method?: string;
|
|
2098
|
+
} | {
|
|
2099
|
+
url: string;
|
|
2100
|
+
request: (context: AccessTokenContext) => Profile | Promise<Profile>;
|
|
1492
2101
|
};
|
|
1493
2102
|
/**
|
|
1494
2103
|
* @deprecated
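Review bot: The new `userInfo` variant at new lines 2098–2100 has no doc comment, so nothing tells an integrator that the object returned by `request` is provider-controlled data the type system cannot check. `url` also stays required next to `request`, and the declaration does not say whether the library still calls it when a custom fetcher is supplied. I would document the member above `request`, for example `/** Custom userinfo fetcher. The returned profile is untrusted provider data; validate it before mapping it to a user. */`. The enclosing `userInfo` type starts outside this hunk.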
|
|
@@ -1518,14 +2127,17 @@ type OAuthProvider<Profile extends object = Record<string, any>, DefaultUser ext
|
|
|
1518
2127
|
* Lookup table of configured OAuth providers keyed by built-in id or custom id.
|
|
1519
2128
|
* Values are full credential configs used at runtime for authorize/token/userinfo.
|
|
1520
2129
|
*/
|
|
1521
|
-
type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>,
|
|
2130
|
+
type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>, RuntimeOAuthProvider<any, DefaultUser>>;
|
|
2131
|
+
type CustomUserInfoFunction = Extract<OAuthProviderConfig["userInfo"], {
|
|
2132
|
+
request: (context: AccessTokenContext) => any;
|
|
2133
|
+
}>;
|
|
1522
2134
|
//#endregion
|
|
1523
2135
|
//#region src/@types/config.d.ts
|
|
1524
2136
|
/**
|
|
1525
2137
|
* Main configuration interface for Aura Auth.
|
|
1526
2138
|
* This is the user-facing configuration object passed to `createAuth()`.
|
|
1527
2139
|
*/
|
|
1528
|
-
type AuthConfig<Identity extends Identities
|
|
2140
|
+
type AuthConfig<Identity extends Identities, SignUpSchema extends SchemaTypes = ZodObject$1<any>> = {
|
|
1529
2141
|
/**
|
|
1530
2142
|
* OAuth providers available in the authentication and authorization flows. It provides a type-inference
|
|
1531
2143
|
* for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
|
|
@@ -1556,7 +2168,7 @@ type AuthConfig<Identity extends Identities> = {
|
|
|
1556
2168
|
* ]
|
|
1557
2169
|
* ```
|
|
1558
2170
|
*/
|
|
1559
|
-
oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
|
|
2171
|
+
oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>> | OpenIDProvider<any, FromShapeToObject<Identity>>)[];
|
|
1560
2172
|
/**
|
|
1561
2173
|
* Cookie options defines the configuration for cookies used in Aura Auth.
|
|
1562
2174
|
* It includes a prefix for cookie names and flag options to determine
|
|
@@ -1667,6 +2279,15 @@ type AuthConfig<Identity extends Identities> = {
|
|
|
1667
2279
|
* Credentials provider for username/password or similar authentication.
|
|
1668
2280
|
*/
|
|
1669
2281
|
credentials?: CredentialsProvider<Identity>;
|
|
2282
|
+
/**
|
|
2283
|
+
* Configuration for the signUp process, including the schema for validation
|
|
2284
|
+
* and required callback for user creation.
|
|
2285
|
+
*/
|
|
2286
|
+
signUp?: SignUpConfig<Identity, SignUpSchema>;
|
|
2287
|
+
/**
|
|
2288
|
+
* Rate limiter configuration to protect authentication endpoints from DoS/DDoS attacks.
|
|
2289
|
+
*/
|
|
2290
|
+
rateLimiter?: RateLimiterConfig$1;
|
|
1670
2291
|
} & TrustedProxyHeadersConfig;
|
|
1671
2292
|
type TrustedProxyHeadersConfig = {
|
|
1672
2293
|
/**
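Review bot: The comment on `rateLimiter` (new lines 2287–2290) names only DoS/DDoS and does not say what applies when the option is omitted or how a client is identified. For sign-in and sign-up routes the more common concern is password guessing and account-creation abuse. A per-client limit is only as reliable as the address it is keyed on, which presumably depends on the `TrustedProxyHeadersConfig` intersected on the next line. A later hunk types `RouterGlobalContext.rateLimiters` from `Required<RateLimiterConfig$1>`, which suggests defaults are filled in, so the comment should state them. Suggested wording: `* Rate limits for signIn, signInCredentials, updateSession and signUp. States the defaults used when omitted and which request attribute identifies the client.`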
|
|
@@ -1783,7 +2404,7 @@ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
|
|
|
1783
2404
|
* - `redirectURI`: OAuth callback URI
|
|
1784
2405
|
* - `redirectTo`: Post-authentication redirect path
|
|
1785
2406
|
*/
|
|
1786
|
-
type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
|
|
2407
|
+
type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI" | "nonce";
|
|
1787
2408
|
/** Resolved cookie names and serialization attributes for each logical auth cookie. */
|
|
1788
2409
|
type CookieStoreConfig = Record<CookieName, {
|
|
1789
2410
|
name: string;
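Review bot: `"nonce"` is added to `CookieName` at new line 2407, but the bullet list in the comment directly above still ends at `redirectTo`, so the new cookie is undocumented. The list begins outside this hunk, so its earlier entries cannot be checked from here. I would add `* - nonce: OpenID Connect nonce tied to the authorization request` (wording to be confirmed against the OIDC flow). The entry should also say that the cookie is expected to be short-lived and cleared after the callback, as one would expect for `state` and `codeVerifier`.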
|
|
@@ -1838,7 +2459,7 @@ interface Logger {
|
|
|
1838
2459
|
* Programmatic auth API returned with the auth instance: `getSession`, `signIn`, `signInCredentials`, `signOut`, `updateSession`.
|
|
1839
2460
|
* Each method returns a result object plus `headers` and `toResponse()` for HTTP responses.
|
|
1840
2461
|
*/
|
|
1841
|
-
type AuthAPI<DefaultUser extends User = User
|
|
2462
|
+
type AuthAPI<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> = ReturnType<typeof createAuthAPI<DefaultUser, SignUpSchema>>;
|
|
1842
2463
|
/** JWT and crypto helpers bound to the configured identity schema (sign, verify, claims). */
|
|
1843
2464
|
type JoseInstance<DefaultUser extends User = User> = ReturnType<typeof createJoseInstance<DefaultUser>>;
|
|
1844
2465
|
/** Normalized internal logger with resolved level and structured log function. */
|
|
@@ -1895,7 +2516,7 @@ interface CredentialsProvider<Identity extends Identities> {
|
|
|
1895
2516
|
* Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
|
|
1896
2517
|
* This is the fully resolved configuration surface after `createAuth` initializes defaults.
|
|
1897
2518
|
*/
|
|
1898
|
-
interface RouterGlobalContext<DefaultUser extends User = User
|
|
2519
|
+
interface RouterGlobalContext<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> {
|
|
1899
2520
|
oauth: OAuthProviderRecord;
|
|
1900
2521
|
credentials?: CredentialsProvider<any>;
|
|
1901
2522
|
cookies: CookieStoreConfig;
|
|
@@ -1908,6 +2529,9 @@ interface RouterGlobalContext<DefaultUser extends User = User> {
|
|
|
1908
2529
|
logger?: InternalLogger;
|
|
1909
2530
|
sessionStrategy: SessionStrategy<DefaultUser>;
|
|
1910
2531
|
identity: SchemaRegistryContext;
|
|
2532
|
+
signUp?: SignUpConfig<DefaultUser, SignUpSchema>;
|
|
2533
|
+
jwtManager: JWTManager<DefaultUser>;
|
|
2534
|
+
rateLimiters: InferRules<Required<RateLimiterConfig$1>>;
|
|
1911
2535
|
}
|
|
1912
2536
|
interface SchemaRegistryContext {
|
|
1913
2537
|
schemaRegistry: ReturnType<typeof createSchemaRegistry>;
|
|
@@ -1922,11 +2546,11 @@ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<De
|
|
|
1922
2546
|
/**
|
|
1923
2547
|
* Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
|
|
1924
2548
|
*/
|
|
1925
|
-
interface AuthInstance<DefaultUser extends User = User
|
|
2549
|
+
interface AuthInstance<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> {
|
|
1926
2550
|
/**
|
|
1927
2551
|
* Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
|
|
1928
2552
|
*/
|
|
1929
|
-
api: AuthAPI<DefaultUser>;
|
|
2553
|
+
api: AuthAPI<DefaultUser, SignUpSchema>;
|
|
1930
2554
|
/**
|
|
1931
2555
|
* JOSE helper functions for signin, encryption and verification of JWTs.
|
|
1932
2556
|
*/
|
|
@@ -1944,12 +2568,32 @@ interface AuthInstance<DefaultUser extends User = User> {
|
|
|
1944
2568
|
/**
|
|
1945
2569
|
* Extended context used inside the library with both secure and standard cookie materializations.
|
|
1946
2570
|
*/
|
|
1947
|
-
type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity
|
|
2571
|
+
type InternalContext<Identity extends Identities, SignUpSchema extends SchemaTypes> = RouterGlobalContext<FromShapeToObject<Identity>, SignUpSchema> & {
|
|
1948
2572
|
cookieConfig: {
|
|
1949
2573
|
secure: CookieStoreConfig;
|
|
1950
2574
|
standard: CookieStoreConfig;
|
|
1951
2575
|
};
|
|
1952
2576
|
};
|
|
2577
|
+
interface OnCreateUserContext<Schema extends SchemaTypes> {
|
|
2578
|
+
payload: InferSchema<Schema>;
|
|
2579
|
+
}
|
|
2580
|
+
/**
|
|
2581
|
+
* Configuration for the signUp process, including the schema for validation
|
|
2582
|
+
* and required callback for user creation.
|
|
2583
|
+
*/
|
|
2584
|
+
interface SignUpConfig<Identity extends Identities, SignUpSchema extends SchemaTypes> {
|
|
2585
|
+
/**
|
|
2586
|
+
* Optional schema for validating the sign-up payload. It supports any
|
|
2587
|
+
* Zod, Arktype, Valibot or Typebox schema.
|
|
2588
|
+
*/
|
|
2589
|
+
schema?: SignUpSchema;
|
|
2590
|
+
/**
|
|
2591
|
+
* Callback function that is called when a new user signs up. It receives the validated
|
|
2592
|
+
* sign-up payload and must handle the user creation.
|
|
2593
|
+
*/
|
|
2594
|
+
onCreateUser: (context: OnCreateUserContext<SignUpSchema>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
|
|
2595
|
+
}
|
|
2596
|
+
type RateLimiterConfig$1 = Partial<RateLimiterConfig<Record<"signIn" | "signInCredentials" | "updateSession" | "signUp", RateLimiterRule>>["rules"]>;
|
|
1953
2597
|
//#endregion
|
|
1954
2598
|
//#region src/@types/utility.d.ts
|
|
1955
2599
|
/** Expands intersection types into a single flat object type for readable editor hints. */
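Review bot: `schema` is optional in `SignUpConfig` (new line 2589), yet the comment on `onCreateUser` (new lines 2591–2592) promises a "validated sign-up payload". With no schema, and with the `ZodObject$1<any>` default that `AuthConfig` uses, the callback would presumably receive the request body as sent. The comments also do not say whether the library or the callback hashes a submitted password, or what returning `null` means to the caller. I would reword to `* Receives the sign-up payload, validated only when schema is set. The callback is responsible for hashing any password before storing it.` (to be confirmed against the implementation) and add a sentence on the `null` return.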
|
|
@@ -1981,6 +2625,20 @@ type Merge<A, B> = Omit<A, keyof B> & B;
|
|
|
1981
2625
|
*/
|
|
1982
2626
|
type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
|
|
1983
2627
|
type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : S extends User ? S : never;
|
|
2628
|
+
type EditableToSchema<T> = T extends EditableShape<infer S> ? ZodObject<S> : T extends EditableShapeValibot<infer S> ? ObjectSchema<S, undefined> : T extends EditableShapeTypebox<infer S> ? TObject<S> : T extends EditableShapeArkType<any> ? T : never;
|
|
2629
|
+
type ReturnUpdateSessionShape<T> = T extends EditableShape<infer S> ? ZodObject<{
|
|
2630
|
+
user?: ZodObject<S>;
|
|
2631
|
+
expires?: ZodOptional<ZodTypeAny>;
|
|
2632
|
+
}> : T extends EditableShapeValibot<infer S> ? ObjectSchema<{
|
|
2633
|
+
user?: ObjectSchema<S, undefined>;
|
|
2634
|
+
expires?: BaseSchema<any, any, any>;
|
|
2635
|
+
}, undefined> : T extends EditableShapeArkType<any> ? Type<{
|
|
2636
|
+
user?: T;
|
|
2637
|
+
expires?: Type<string>;
|
|
2638
|
+
}> : T extends EditableShapeTypebox<infer S> ? TObject<{
|
|
2639
|
+
user?: TObject<S>;
|
|
2640
|
+
expires?: TSchema;
|
|
2641
|
+
}> : never;
|
|
1984
2642
|
/** Recursively makes every property required. */
|
|
1985
2643
|
type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
|
|
1986
2644
|
/** Recursively makes every property optional. */
|
|
@@ -2030,7 +2688,7 @@ type InferZodShape<T extends ZodObject> = T["shape"];
|
|
|
2030
2688
|
*
|
|
2031
2689
|
* type User = UserFrom<typeof schema>
|
|
2032
2690
|
*/
|
|
2033
|
-
type UserFrom<T extends
|
|
2691
|
+
type UserFrom<T extends SchemaTypes> = Prettify<RemoveIndexSignature<InferSchema<T>>>;
|
|
2034
2692
|
/**
|
|
2035
2693
|
* Infers the session type from a Zod identity schema.
|
|
2036
2694
|
* @example
|
|
@@ -2042,7 +2700,29 @@ type UserFrom<T extends ZodObject> = Prettify<ZodShapeToObject<InferZodShape<T>>
|
|
|
2042
2700
|
*
|
|
2043
2701
|
* type Session = SessionFrom<typeof schema>
|
|
2044
2702
|
*/
|
|
2045
|
-
type SessionFrom<T extends
|
|
2703
|
+
type SessionFrom<T extends SchemaTypes> = Wrap<Session<Merge<UserFrom<T>, User>>>;
|
|
2704
|
+
/**
|
|
2705
|
+
* Infers the sign-up data type from an {@link AuthInstance} config's `signUp.schema`. It supports
|
|
2706
|
+
* Zod, Valibot and ArkType schemas.
|
|
2707
|
+
*
|
|
2708
|
+
* > For TypeBox its recommended to use the `Static` utility type directly to infer the schema.
|
|
2709
|
+
*
|
|
2710
|
+
* @example
|
|
2711
|
+
* const auth = createAuth({
|
|
2712
|
+
* oauth: [],
|
|
2713
|
+
* signUp: {
|
|
2714
|
+
* schema: z.object({
|
|
2715
|
+
* username: z.string(),
|
|
2716
|
+
* nickname: z.string(),
|
|
2717
|
+
* password: z.string(),
|
|
2718
|
+
* })
|
|
2719
|
+
* }
|
|
2720
|
+
* })
|
|
2721
|
+
*
|
|
2722
|
+
* type SignUp = InferSignUp<typeof auth>
|
|
2723
|
+
*/
|
|
2724
|
+
type InferSignUp<Config extends AuthInstance> = Config extends AuthInstance<infer _, infer SignUpSchema> ? Wrap<RemoveIndexSignature<InferSchema<SignUpSchema>>> : Record<string, any>;
|
|
2725
|
+
type RemoveIndexSignature<T> = { [K in keyof T as string extends K ? never : number extends K ? never : symbol extends K ? never : K]: T[K] };
|
|
2046
2726
|
/**
|
|
2047
2727
|
* HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
|
|
2048
2728
|
*/
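Review bot: The `@example` for `InferSignUp` (new lines 2710–2722) builds `signUp` with only `schema`, while `SignUpConfig` declares `onCreateUser` as a required member, so the snippet would not type-check as written. Because the sample schema carries a `password` field, this example is also where a reader would look for how the callback is expected to treat it. I would add a line such as `*     onCreateUser: async ({ payload }) => createUser(payload),` to the example, with `createUser` standing for the application's own function.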
|
|
@@ -2052,10 +2732,10 @@ type AuthResponse<Body = unknown> = Prettify<Omit<Response, "json"> & {
|
|
|
2052
2732
|
type RequiredKeys<Obj extends object, Keys extends keyof Obj = keyof Obj> = Wrap<{ [K in Keys]-?: Obj[K] } & Omit<Obj, Keys>>;
|
|
2053
2733
|
//#endregion
|
|
2054
2734
|
//#region src/createAuth.d.ts
|
|
2055
|
-
declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
|
|
2056
|
-
handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth",
|
|
2735
|
+
declare const createAuthInstance: <Identity extends Identities, SignUpSchema extends SchemaTypes>(authConfig: AuthConfig<Identity, SignUpSchema>) => {
|
|
2736
|
+
handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth", "GET", {
|
|
2057
2737
|
schemas?: {
|
|
2058
|
-
params:
|
|
2738
|
+
params: ZodObject$1<{
|
|
2059
2739
|
oauth: _$zod.ZodEnum<{
|
|
2060
2740
|
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2061
2741
|
github: "github";
|
|
@@ -2074,15 +2754,19 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2074
2754
|
atlassian: "atlassian";
|
|
2075
2755
|
clickUp: "clickUp";
|
|
2076
2756
|
dribbble: "dribbble";
|
|
2757
|
+
hubspot: "hubspot";
|
|
2758
|
+
google: "google";
|
|
2759
|
+
huggingface: "huggingface";
|
|
2760
|
+
authentik: "authentik";
|
|
2077
2761
|
}>;
|
|
2078
2762
|
}, _$zod_v4_core0.$strip>;
|
|
2079
|
-
searchParams:
|
|
2763
|
+
searchParams: ZodObject$1<{
|
|
2080
2764
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2081
2765
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2082
2766
|
}, _$zod_v4_core0.$strip>;
|
|
2083
2767
|
} | undefined;
|
|
2084
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth",
|
|
2085
|
-
params:
|
|
2768
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth", "GET", {
|
|
2769
|
+
params: ZodObject$1<{
|
|
2086
2770
|
oauth: _$zod.ZodEnum<{
|
|
2087
2771
|
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2088
2772
|
github: "github";
|
|
@@ -2101,9 +2785,13 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2101
2785
|
atlassian: "atlassian";
|
|
2102
2786
|
clickUp: "clickUp";
|
|
2103
2787
|
dribbble: "dribbble";
|
|
2788
|
+
hubspot: "hubspot";
|
|
2789
|
+
google: "google";
|
|
2790
|
+
huggingface: "huggingface";
|
|
2791
|
+
authentik: "authentik";
|
|
2104
2792
|
}>;
|
|
2105
2793
|
}, _$zod_v4_core0.$strip>;
|
|
2106
|
-
searchParams:
|
|
2794
|
+
searchParams: ZodObject$1<{
|
|
2107
2795
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2108
2796
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2109
2797
|
}, _$zod_v4_core0.$strip>;
|
|
@@ -2119,23 +2807,23 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2119
2807
|
redirect: false;
|
|
2120
2808
|
signInURL: null;
|
|
2121
2809
|
}>;
|
|
2122
|
-
}>>>, _$_aura_stack_router0.RouteEndpoint
|
|
2810
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/signIn/credentials", "POST", {
|
|
2123
2811
|
schemas?: {
|
|
2124
|
-
body:
|
|
2812
|
+
body: ZodObject$1<{
|
|
2125
2813
|
username: _$zod.ZodString;
|
|
2126
2814
|
password: _$zod.ZodString;
|
|
2127
2815
|
}, _$zod_v4_core0.$strip>;
|
|
2128
|
-
searchParams:
|
|
2816
|
+
searchParams: ZodObject$1<{
|
|
2129
2817
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2130
2818
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2131
2819
|
}, _$zod_v4_core0.$strip>;
|
|
2132
2820
|
} | undefined;
|
|
2133
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta
|
|
2134
|
-
body:
|
|
2821
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/credentials", "POST", {
|
|
2822
|
+
body: ZodObject$1<{
|
|
2135
2823
|
username: _$zod.ZodString;
|
|
2136
2824
|
password: _$zod.ZodString;
|
|
2137
2825
|
}, _$zod_v4_core0.$strip>;
|
|
2138
|
-
searchParams:
|
|
2826
|
+
searchParams: ZodObject$1<{
|
|
2139
2827
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2140
2828
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2141
2829
|
}, _$zod_v4_core0.$strip>;
|
|
@@ -2159,9 +2847,9 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2159
2847
|
redirect: false;
|
|
2160
2848
|
redirectURL: null;
|
|
2161
2849
|
}>;
|
|
2162
|
-
}>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth",
|
|
2850
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth", "GET", {
|
|
2163
2851
|
schemas?: {
|
|
2164
|
-
params:
|
|
2852
|
+
params: ZodObject$1<{
|
|
2165
2853
|
oauth: _$zod.ZodEnum<{
|
|
2166
2854
|
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2167
2855
|
github: "github";
|
|
@@ -2180,15 +2868,19 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2180
2868
|
atlassian: "atlassian";
|
|
2181
2869
|
clickUp: "clickUp";
|
|
2182
2870
|
dribbble: "dribbble";
|
|
2871
|
+
hubspot: "hubspot";
|
|
2872
|
+
google: "google";
|
|
2873
|
+
huggingface: "huggingface";
|
|
2874
|
+
authentik: "authentik";
|
|
2183
2875
|
}>;
|
|
2184
2876
|
}, _$zod_v4_core0.$strip>;
|
|
2185
|
-
searchParams:
|
|
2877
|
+
searchParams: ZodObject$1<{
|
|
2186
2878
|
code: _$zod.ZodString;
|
|
2187
2879
|
state: _$zod.ZodString;
|
|
2188
2880
|
}, _$zod_v4_core0.$strip>;
|
|
2189
2881
|
} | undefined;
|
|
2190
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth",
|
|
2191
|
-
params:
|
|
2882
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth", "GET", {
|
|
2883
|
+
params: ZodObject$1<{
|
|
2192
2884
|
oauth: _$zod.ZodEnum<{
|
|
2193
2885
|
[x: string & Record<never, never>]: string & Record<never, never>;
|
|
2194
2886
|
github: "github";
|
|
@@ -2207,9 +2899,13 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2207
2899
|
atlassian: "atlassian";
|
|
2208
2900
|
clickUp: "clickUp";
|
|
2209
2901
|
dribbble: "dribbble";
|
|
2902
|
+
hubspot: "hubspot";
|
|
2903
|
+
google: "google";
|
|
2904
|
+
huggingface: "huggingface";
|
|
2905
|
+
authentik: "authentik";
|
|
2210
2906
|
}>;
|
|
2211
2907
|
}, _$zod_v4_core0.$strip>;
|
|
2212
|
-
searchParams:
|
|
2908
|
+
searchParams: ZodObject$1<{
|
|
2213
2909
|
code: _$zod.ZodString;
|
|
2214
2910
|
state: _$zod.ZodString;
|
|
2215
2911
|
}, _$zod_v4_core0.$strip>;
|
|
@@ -2230,16 +2926,16 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2230
2926
|
success: false;
|
|
2231
2927
|
session: null;
|
|
2232
2928
|
}>;
|
|
2233
|
-
}>>>, _$_aura_stack_router0.RouteEndpoint
|
|
2929
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/signOut", "POST", {
|
|
2234
2930
|
schemas?: {
|
|
2235
|
-
searchParams:
|
|
2931
|
+
searchParams: ZodObject$1<{
|
|
2236
2932
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2237
2933
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2238
2934
|
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
2239
2935
|
}, _$zod_v4_core0.$strip>;
|
|
2240
2936
|
} | undefined;
|
|
2241
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta
|
|
2242
|
-
searchParams:
|
|
2937
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signOut", "POST", {
|
|
2938
|
+
searchParams: ZodObject$1<{
|
|
2243
2939
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2244
2940
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2245
2941
|
token_type_hint: _$zod.ZodLiteral<"session_token">;
|
|
@@ -2266,17 +2962,33 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2266
2962
|
}>;
|
|
2267
2963
|
}>>>, _$_aura_stack_router0.RouteEndpoint<"/csrfToken", "GET", {
|
|
2268
2964
|
schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
|
|
2269
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint
|
|
2965
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"/session", "PATCH", {
|
|
2270
2966
|
schemas?: {
|
|
2271
|
-
body:
|
|
2272
|
-
|
|
2967
|
+
body: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
2968
|
+
user?: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
2969
|
+
sub: any;
|
|
2970
|
+
name?: any;
|
|
2971
|
+
image?: any;
|
|
2972
|
+
email?: any;
|
|
2973
|
+
}, {}> | undefined;
|
|
2974
|
+
expires?: _$arktype.Type<string>;
|
|
2975
|
+
}, {}>;
|
|
2976
|
+
searchParams: ZodObject$1<{
|
|
2273
2977
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2274
2978
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2275
2979
|
}, _$zod_v4_core0.$strip>;
|
|
2276
2980
|
} | undefined;
|
|
2277
|
-
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta
|
|
2278
|
-
body:
|
|
2279
|
-
|
|
2981
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/session", "PATCH", {
|
|
2982
|
+
body: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
2983
|
+
user?: _$arktype_internal_variants_object_ts0.ObjectType<{
|
|
2984
|
+
sub: any;
|
|
2985
|
+
name?: any;
|
|
2986
|
+
image?: any;
|
|
2987
|
+
email?: any;
|
|
2988
|
+
}, {}> | undefined;
|
|
2989
|
+
expires?: _$arktype.Type<string>;
|
|
2990
|
+
}, {}>;
|
|
2991
|
+
searchParams: ZodObject$1<{
|
|
2280
2992
|
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
2281
2993
|
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
2282
2994
|
}, _$zod_v4_core0.$strip>;
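Review bot: The declared body of `PATCH /session` (new lines 2967–2975, repeated at 2982–2990) types every `user` field as `any` and lists `sub` as a required key. The declaration therefore no longer tells a caller what the route accepts, and `sub` is the field that identifies the account. The handler is not part of this declaration, so whether a client-supplied `sub` is ignored or applied cannot be seen here; if it is ignored, it would be clearer to drop it from the body schema. Typing the fields, e.g. `name?: string | null`, would make the contract checkable again.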
|
|
@@ -2319,28 +3031,48 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2319
3031
|
redirect: false;
|
|
2320
3032
|
redirectURL: null;
|
|
2321
3033
|
}>;
|
|
3034
|
+
}>>>, _$_aura_stack_router0.RouteEndpoint<"/signUp", "POST", {
|
|
3035
|
+
schemas?: {
|
|
3036
|
+
body: SignUpSchema | undefined;
|
|
3037
|
+
searchParams: ZodObject$1<{
|
|
3038
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
3039
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
3040
|
+
}, _$zod_v4_core0.$strip>;
|
|
3041
|
+
} | undefined;
|
|
3042
|
+
}, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signUp", "POST", {
|
|
3043
|
+
body: SignUpSchema | undefined;
|
|
3044
|
+
searchParams: ZodObject$1<{
|
|
3045
|
+
redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
|
|
3046
|
+
redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
|
|
3047
|
+
}, _$zod_v4_core0.$strip>;
|
|
3048
|
+
}>>) => Promise<Prettify<Omit<Response, "json"> & {
|
|
3049
|
+
json(): Promise<{
|
|
3050
|
+
success: true;
|
|
3051
|
+
redirect: true;
|
|
3052
|
+
redirectURL: null;
|
|
3053
|
+
} | {
|
|
3054
|
+
success: true;
|
|
3055
|
+
redirect: false;
|
|
3056
|
+
redirectURL: string;
|
|
3057
|
+
} | {
|
|
3058
|
+
success: true;
|
|
3059
|
+
redirect: false;
|
|
3060
|
+
redirectURL: null;
|
|
3061
|
+
}>;
|
|
3062
|
+
}> | Prettify<Omit<Response, "json"> & {
|
|
3063
|
+
json(): Promise<{
|
|
3064
|
+
success: false;
|
|
3065
|
+
redirect: false;
|
|
3066
|
+
redirectURL: null;
|
|
3067
|
+
}>;
|
|
2322
3068
|
}>>>]>;
|
|
2323
3069
|
jose: any;
|
|
2324
3070
|
api: {
|
|
2325
|
-
getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<
|
|
2326
|
-
sub: string;
|
|
2327
|
-
name?: string | null | undefined;
|
|
2328
|
-
image?: string | null | undefined;
|
|
2329
|
-
email?: string | null | undefined;
|
|
2330
|
-
}>>;
|
|
3071
|
+
getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<FromShapeToObject<Identity>>>;
|
|
2331
3072
|
signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
|
|
2332
3073
|
signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
|
|
2333
|
-
|
|
2334
|
-
|
|
2335
|
-
name?: string | null | undefined;
|
|
2336
|
-
image?: string | null | undefined;
|
|
2337
|
-
email?: string | null | undefined;
|
|
2338
|
-
}>) => Promise<UpdateSessionAPIReturn<{
|
|
2339
|
-
sub: string;
|
|
2340
|
-
name?: string | null | undefined;
|
|
2341
|
-
image?: string | null | undefined;
|
|
2342
|
-
email?: string | null | undefined;
|
|
2343
|
-
}>>;
|
|
3074
|
+
signUp: <Payload extends Record<string, any> = Wrap<RemoveIndexSignature<_$_aura_stack_router0.InferSchema<SignUpSchema, _$_aura_stack_router0.SchemaKind<SignUpSchema>>>>>(options: SignUpAPIOptions<Payload>) => Promise<SignUpAPIReturn>;
|
|
3075
|
+
updateSession: (options: UpdateSessionAPIOptions<FromShapeToObject<Identity>>) => Promise<UpdateSessionAPIReturn<FromShapeToObject<Identity>>>;
|
|
2344
3076
|
signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
|
|
2345
3077
|
};
|
|
2346
3078
|
};
|
|
@@ -2367,7 +3099,7 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
|
|
|
2367
3099
|
* }]
|
|
2368
3100
|
* })
|
|
2369
3101
|
*/
|
|
2370
|
-
declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity
|
|
3102
|
+
declare const createAuth: <Identity extends Identities = EditableShape<UserShape>, SignUpSchema extends SchemaTypes = ZodObject$1<any>>(config: AuthConfig<Identity, SignUpSchema>) => AuthInstance<FromShapeToObject<Identity>, SignUpSchema>;
|
|
2371
3103
|
//#endregion
|
|
2372
3104
|
//#region src/@types/errors.d.ts
|
|
2373
3105
|
/** Map of field or logical keys to API validation error payloads (code + message). */
|
|
@@ -2622,7 +3354,7 @@ type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options
|
|
|
2622
3354
|
redirect: false;
|
|
2623
3355
|
}> : void;
|
|
2624
3356
|
/** Server/programmatic credentials sign-in options. */
|
|
2625
|
-
interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
|
|
3357
|
+
interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
|
|
2626
3358
|
/**
|
|
2627
3359
|
* Credentials payload validated by the configured `credentials.authorize` function.
|
|
2628
3360
|
* @example
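Review bot: `SignInCredentialsAPIOptions` now extends `APIOptionsWithSkipCSRFCheck` (new line 3357), and `SignUpAPIOptions` does the same in the next hunk (new line 3451), but neither interface comment mentions that CSRF verification can be turned off. `APIOptionsWithSkipCSRFCheck` is declared outside this hunk, so its own documentation is not visible here. I would extend the comment to `/** Server/programmatic credentials sign-in options. The CSRF check may be skipped only for trusted server-side calls, never for requests forwarded from a browser. */` and give `SignUpAPIOptions` an equivalent comment. The interface body continues outside this hunk.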
|
|
@@ -2716,6 +3448,39 @@ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends Requi
|
|
|
2716
3448
|
}
|
|
2717
3449
|
/** Programmatic session update result with redirect metadata and `toResponse()`. */
|
|
2718
3450
|
type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<UpdateSessionReturnData<DefaultUser>>;
|
|
3451
|
+
interface SignUpAPIOptions<Payload extends Record<string, any> = Record<string, any>> extends APIOptionsWithRedirectTo, APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
|
|
3452
|
+
payload: Payload;
|
|
3453
|
+
}
|
|
3454
|
+
type SignUpReturnData = /** redirect: true & redirectTo: string */{
|
|
3455
|
+
success: true;
|
|
3456
|
+
redirect: true;
|
|
3457
|
+
redirectURL: null;
|
|
3458
|
+
} /** redirect: false & redirectTo: string */ | {
|
|
3459
|
+
success: true;
|
|
3460
|
+
redirect: false;
|
|
3461
|
+
redirectURL: string;
|
|
3462
|
+
}
|
|
3463
|
+
/** redirect: false & redirectTo: null | undefined (not set) */
|
|
3464
|
+
/** redirect: true & redirectTo: null | undefined (not set) */
|
|
3465
|
+
| {
|
|
3466
|
+
success: true;
|
|
3467
|
+
redirect: false;
|
|
3468
|
+
redirectURL: null;
|
|
3469
|
+
} /** Failed sign-up */ | {
|
|
3470
|
+
success: false;
|
|
3471
|
+
redirect: false;
|
|
3472
|
+
redirectURL: null;
|
|
3473
|
+
};
|
|
3474
|
+
/** Programmatic sign-up result with redirect metadata and `toResponse()`. */
|
|
3475
|
+
type SignUpAPIReturn = AuthActionAPIReturn<SignUpReturnData>;
|
|
3476
|
+
type SignUpOptions<SignUpSchema extends Record<string, any> = Record<string, any>> = OptionsWithRedirectTo & {
|
|
3477
|
+
payload: SignUpSchema;
|
|
3478
|
+
};
|
|
3479
|
+
type SignUpReturn<Options extends SignUpOptions> = Options extends {
|
|
3480
|
+
redirect: false;
|
|
3481
|
+
} ? Extract<SignUpReturnData, {
|
|
3482
|
+
redirect: false;
|
|
3483
|
+
}> : void;
|
|
2719
3484
|
//#endregion
|
|
2720
3485
|
//#region src/@types/index.d.ts
|
|
2721
3486
|
/**
|
|
@@ -2743,4 +3508,4 @@ type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
|
|
|
2743
3508
|
baseURL?: string;
|
|
2744
3509
|
}>;
|
|
2745
3510
|
//#endregion
|
|
2746
|
-
export {
|
|
3511
|
+
export { EditableShapeArkType as $, DribbbleTeams as $n, UserIdentityTypeBox as $r, CustomUserInfoFunction as $t, SignUpOptions as A, JWTSealedMode as An, x as Ar, CredentialsPayload as At, AuthInternalErrorCode as B, AuthentikProfile as Bn, figma as Br, OnCreateUserContext as Bt, SignOutAPIOptions as C, JWTEncryptedMode as Cn, MailchimpProfile as Cr, AuthConfig as Ct, SignOutReturnData as D, JWTKeyAlgorithm as Dn, SummaryGear as Dr, CookieName as Dt, SignOutReturn as E, JWTKey as En, SummaryClub as Er, CookieConfig as Et, UpdateSessionOptions as F, Session as Fn, gitlab as Fr, InternalContext as Ft, TokenRevocationError as G, huggingface as Gn, createSyslogMessage as Gr, Severity as Gt, AuthorizationError as H, HuggingFaceOrg as Hn, bitbucket as Hr, RouterGlobalContext as Ht, UpdateSessionReturn as I, SessionConfig as In, DiscordProfile as Ir, InternalLogger as It, AuthResponse as J, HubSportSignedAccessToken as Jn, IsValibot as Jr, SyslogOptions as Jt, createAuth as K, GoogleProfile as Kn, Identities as Kr, SignUpConfig as Kt, UpdateSessionReturnData as L, SessionStrategy as Ln, Nameplate as Lr, JoseInstance as Lt, SignUpReturnData as M, JWTSigningAlgorithm as Mn, SpotifyProfile as Mr, CredentialsProviderContext as Mt, UpdateSessionAPIOptions as N, JWTStrategyOptions as Nn, spotify as Nr, HostCookie as Nt, SignUpAPIOptions as O, JWTManager as On, strava as Or, CookieStoreConfig as Ot, UpdateSessionAPIReturn as P, SecretKey as Pn, GitLabProfile as Pr, IdentityConfig as Pt, EditableShape as Q, DribbbleProfile as Qn, UserIdentityArkType as Qr, AuthorizeParams as Qt, APIErrorMap as R, StatelessStrategyConfig as Rn, discord as Rr, LogLevel as Rt, SignInReturn as S, JWTConfigBase as Sn, Login as Sr, AuthAPI as St, SignOutOptions as T, JWTExpirationStrategy as Tn, StravaProfile as Tr, AuthRuntimeConfig as Tt, ErrorType as U, HuggingFaceProfile as Un, GitHubProfile as Ur, SchemaRegistryContext as Ut, AuthSecurityErrorCode as V, authentik as Vn, BitbucketProfile as Vr, 
RateLimiterConfig$1 as Vt, OAuthError as W, HuggingFaceResourceGroup as Wn, github as Wr, SecureCookie as Wt, DeepPartial as X, hubspot as Xn, SchemaTypes as Xr, TrustedProxyHeadersConfig as Xt, ConfigSchema as Y, HubSpotProfile as Yn, IsZod as Yr, TrustedOrigin as Yt, DeepRequired as Z, DribbbleDefault as Zn, UserIdentity as Zr, AccessTokenContext as Zt, SignInCredentialsAPIReturn as _, AsymmetricKeyPairFromEnv as _n, notion as _r, TypeboxShapeToObject as _t, OAuthEnv as a, createIdentity as ai, OIDCAccessTokenResponseType as an, atlassian as ar, FromShapeToObject as at, SignInCredentialsReturnData as b, GetStatelessSessionReturn as bn, PinterestProfile as br, Wrap as bt, APIOptionsWithRequest as c, RuntimeOAuthProvider as cn, FullTeam as cr, InferUser as ct, GetSessionAPIOptions as d, createBuiltInOAuthProviders as dn, dropbox as dr, Merge as dt, UserIdentityValibot as ei, OAuthAccessTokenResponseType as en, dribbble as er, EditableShapeTypebox as et, GetSessionAPIReturn as f, defineOpenIDProviderConfig as fn, Bot as fr, Prettify as ft, SignInCredentialsAPIOptions as g, AsymmetricKeyPair as gn, Person as gr, SessionFrom as gt, SignInAPIReturn as h, OpenIDProvider as hn, Owner as hr, ReturnUpdateSessionShape as ht, JWTStandardClaims as i, UserShapeValibot as ii, OAuthProviderRecord as in, ExtendedProfile as ir, EditableUser as it, SignUpReturn as j, JWTSignedMode as jn, SpotifyImage as jr, CredentialsProvider as jt, SignUpAPIReturn as k, JWTMode as kn, XProfile as kr, CookieStrategyAttributes as kt, APIOptionsWithSkipCSRFCheck as l, BuiltInOAuthProvider as ln, Name as lr, InferZodShape as lt, SignInAPIOptions as m, OpenIDMetadata as mn, NotionUser as mr, RequiredKeys as mt, AuthClientOptions as n, UserShapeArkType as ni, OAuthProviderConfig as nn, clickUp as nr, EditableShapeZod as nt, TypedJWTPayload$1 as o, OIDCProviderContext as on, AccountType as or, InferSession as ot, OptionsWithRedirectTo as p, setDynamicParams as pn, NotionProfile as pr, 
RemoveIndexSignature as pt, ArktypeShapeToObject as q, google as qn, IsArkType as qr, StandardCookie as qt, JWTPayloadWithToken as r, UserShapeTypeBox as ri, OAuthProviderCredentials as rn, AtlassianProfile as rr, EditableToSchema as rt, APIOptionsWithRedirectTo as s, ResponseType as sn, DropboxProfile as sr, InferSignUp as st, AuthClient as t, UserShape as ti, OAuthProvider as tn, ClickUpProfile as tr, EditableShapeValibot as tt, FunctionAPIContext as u, builtInOAuthProviders as un, RootInfo as ur, LiteralUnion as ut, SignInCredentialsOptions as v, CreateSessionStrategyOptions as vn, TwitchProfile as vr, UserFrom as vt, SignOutAPIReturn as w, JWTEncryptionAlgorithm as wn, mailchimp as wr, AuthInstance as wt, SignInOptions as x, JWTConfig as xn, pinterest as xr, ZodShapeToObject as xt, SignInCredentialsReturn as y, CryptoSecret as yn, twitch as yr, ValibotShapeToObject as yt, AccessTokenError as z, User as zn, FigmaProfile as zr, Logger as zt };
|