@aura-stack/auth 0.7.2 → 0.8.0

Files changed (70)
  1. package/dist/@types/index.cjs +1 -1
  2. package/dist/@types/index.d.ts +2 -2
  3. package/dist/@types/index.js +1 -1
  4. package/dist/client/index.cjs +1 -1
  5. package/dist/client/index.d.ts +3 -2
  6. package/dist/client/index.js +1 -1
  7. package/dist/crypto-BRrGB5wn.js +3 -0
  8. package/dist/crypto-Da-Q8hsP.cjs +3 -0
  9. package/dist/errors-BWpHquVG.js +1 -0
  10. package/dist/errors-BiBhdux1.cjs +1 -0
  11. package/dist/fetch-async-DL6uySSm.js +1 -0
  12. package/dist/fetch-async-DlbcIcRD.cjs +1 -0
  13. package/dist/{identity-n3aahaEr.cjs → identity-CAygUyH6.cjs} +1 -1
  14. package/dist/{index-1ADcIVGC.d.ts → index-DIcbmH1M.d.ts} +1050 -285
  15. package/dist/index.cjs +1 -1
  16. package/dist/index.d.ts +1 -1
  17. package/dist/index.js +1 -1
  18. package/dist/{logger-BfUjjtxf.js → logger-BleaYLUV.js} +1 -1
  19. package/dist/{logger-CVwkloPj.cjs → logger-DL-kEECn.cjs} +1 -1
  20. package/dist/oauth/atlassian.d.ts +1 -1
  21. package/dist/oauth/authentik.cjs +1 -0
  22. package/dist/oauth/authentik.d.ts +2 -0
  23. package/dist/oauth/authentik.js +1 -0
  24. package/dist/oauth/bitbucket.d.ts +1 -1
  25. package/dist/oauth/click-up.d.ts +1 -1
  26. package/dist/oauth/discord.d.ts +1 -1
  27. package/dist/oauth/dribbble.d.ts +1 -1
  28. package/dist/oauth/dropbox.d.ts +1 -1
  29. package/dist/oauth/figma.d.ts +1 -1
  30. package/dist/oauth/github.d.ts +1 -1
  31. package/dist/oauth/gitlab.d.ts +1 -1
  32. package/dist/oauth/google.cjs +1 -0
  33. package/dist/oauth/google.d.ts +2 -0
  34. package/dist/oauth/google.js +1 -0
  35. package/dist/oauth/hubspot.cjs +1 -0
  36. package/dist/oauth/hubspot.d.ts +2 -0
  37. package/dist/oauth/hubspot.js +1 -0
  38. package/dist/oauth/huggingface.cjs +1 -0
  39. package/dist/oauth/huggingface.d.ts +2 -0
  40. package/dist/oauth/huggingface.js +1 -0
  41. package/dist/oauth/index.cjs +1 -1
  42. package/dist/oauth/index.d.ts +2 -2
  43. package/dist/oauth/index.js +1 -1
  44. package/dist/oauth/mailchimp.d.ts +1 -1
  45. package/dist/oauth/notion.cjs +1 -1
  46. package/dist/oauth/notion.d.ts +1 -1
  47. package/dist/oauth/notion.js +1 -1
  48. package/dist/oauth/pinterest.d.ts +1 -1
  49. package/dist/oauth/spotify.d.ts +1 -1
  50. package/dist/oauth/strava.d.ts +1 -1
  51. package/dist/oauth/twitch.d.ts +1 -1
  52. package/dist/oauth/x.d.ts +1 -1
  53. package/dist/resolve-provider-C_clBCRg.cjs +1 -0
  54. package/dist/resolve-provider-CaDu98x6.js +1 -0
  55. package/dist/shared/crypto.cjs +1 -1
  56. package/dist/shared/crypto.d.ts +2 -2
  57. package/dist/shared/crypto.js +1 -1
  58. package/dist/shared/identity.cjs +1 -1
  59. package/dist/shared/identity.d.ts +1 -1
  60. package/dist/shared/identity.js +1 -1
  61. package/dist/shared/index.cjs +1 -1
  62. package/dist/shared/index.d.ts +16 -2
  63. package/dist/shared/index.js +1 -1
  64. package/package.json +5 -4
  65. package/dist/assert-DaZSf4SH.cjs +0 -3
  66. package/dist/assert-av6s0a6t.js +0 -3
  67. package/dist/crypto-BF4ETYC9.cjs +0 -1
  68. package/dist/crypto-D6aq4c8x.js +0 -1
  69. package/dist/errors-Czt_w1t_.js +0 -1
  70. package/dist/errors-DcK2ELlk.cjs +0 -1
@@ -1,17 +1,22 @@
1
1
  import * as _$_aura_stack_router0 from "@aura-stack/router";
2
- import { ClientOptions, GlobalContext } from "@aura-stack/router";
3
- import { ZodObject, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
2
+ import { ClientOptions, GlobalContext, InferSchema } from "@aura-stack/router";
3
+ import { RateLimiterConfig } from "@aura-stack/rate-limiter";
4
+ import { ZodObject, ZodOptional, ZodRawShape, ZodTypeAny, infer as __Infer, z } from "zod/v4";
5
+ import * as _$arktype from "arktype";
4
6
  import { Type } from "arktype";
5
7
  import { TObject, TProperties, TSchema, Type as Type$1 } from "typebox";
8
+ import { SerializeOptions } from "@aura-stack/router/cookie";
6
9
  import { JWK, JWTPayload } from "@aura-stack/jose/jose";
7
10
  import { DecodeJWTOptions, EncodeJWTOptions, JWEHeaderParameters, JWTDecryptOptions, JWTHeaderParameters, JWTVerifyOptions, TypedJWTPayload, TypedJWTPayload as TypedJWTPayload$1 } from "@aura-stack/jose";
8
- import { SerializeOptions } from "@aura-stack/router/cookie";
9
11
  import * as valibot from "valibot";
10
12
  import { AnySchema, BaseSchema, InferOutput, ObjectEntries, ObjectSchema } from "valibot";
13
+ import * as _$zod from "zod";
14
+ import { ZodObject as ZodObject$1, infer as infer$1 } from "zod";
11
15
  import * as _$arktype_internal_variants_object_ts0 from "arktype/internal/variants/object.ts";
12
16
  import * as _$zod_v4_core0 from "zod/v4/core";
13
- import { infer as infer$1 } from "zod/v4/core";
14
- import * as _$zod from "zod";
17
+ import { infer as infer$2 } from "zod/v4/core";
18
+ import { GetRouteParams } from "@aura-stack/router/types";
19
+ import { InferRules, RateLimiterRule } from "@aura-stack/rate-limiter/types";
15
20
 
16
21
  //#region src/schemas.d.ts
17
22
  /**
@@ -33,6 +38,18 @@ declare const OAuthAuthorizationErrorResponse: z.ZodObject<{
33
38
  error_uri: z.ZodOptional<z.ZodString>;
34
39
  state: z.ZodString;
35
40
  }, z.core.$strip>;
41
+ /**
42
+ * Schema for OAuth Access Token Response
43
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
44
+ * @see https://datatracker.ietf.org/doc/html/rfc7636#section-4
45
+ */
46
+ declare const OAuthAccessTokenResponse: z.ZodObject<{
47
+ access_token: z.ZodString;
48
+ token_type: z.ZodOptional<z.ZodString>;
49
+ expires_in: z.ZodOptional<z.ZodNumber>;
50
+ refresh_token: z.ZodOptional<z.ZodString>;
51
+ scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
52
+ }, z.core.$strip>;
36
53
  /**
37
54
  * Schema for OAuth Access Token Error Response
38
55
  * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
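Review bot: `token_type` is declared `z.ZodOptional<z.ZodString>` in the added `OAuthAccessTokenResponse`, although RFC 6749 §5.1, which the doc comment cites, lists `token_type` as REQUIRED. A response that omits it therefore validates, and nothing in the declaration tells a consumer that the value may be undefined or is not constrained to a bearer type. If the leniency is deliberate for non-conforming providers, the doc comment should say so, e.g. `* Note: token_type is accepted as optional for providers that omit it; callers must not assume "Bearer".` The `scope` union also admits `null` and a string array, which is wider than the RFC's space-delimited string and deserves the same one-line explanation.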
@@ -53,6 +70,14 @@ declare const OAuthEnvSchema: z.ZodObject<{
53
70
  clientId: z.ZodString;
54
71
  clientSecret: z.ZodString;
55
72
  }, z.core.$strip>;
73
+ declare const OIDCAccessTokenResponseSchema: z.ZodObject<{
74
+ access_token: z.ZodString;
75
+ token_type: z.ZodOptional<z.ZodString>;
76
+ expires_in: z.ZodOptional<z.ZodNumber>;
77
+ refresh_token: z.ZodOptional<z.ZodString>;
78
+ scope: z.ZodUnion<readonly [z.ZodUnion<[z.ZodOptional<z.ZodString>, z.ZodNull]>, z.ZodOptional<z.ZodArray<z.ZodString>>]>;
79
+ id_token: z.ZodOptional<z.ZodString>;
80
+ }, z.core.$strip>;
56
81
  //#endregion
57
82
  //#region src/jose.d.ts
58
83
  /**
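Review bot: `OIDCAccessTokenResponseSchema` makes `id_token` optional, so a token response carrying no ID token passes this schema, whereas OpenID Connect Core requires `id_token` in a successful token response for the authorization code flow (the schema may be shared with refresh responses, where it can be absent). Whether the caller rejects a missing `id_token` before deriving the user identity cannot be seen from this declaration file and should be confirmed in the implementation. The declaration also has no doc comment, unlike `OAuthAccessTokenResponse` above it; once confirmed, a line such as `/** OIDC token response; a missing id_token must be rejected by the caller before the profile is read. */` would record where that check lives.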
@@ -78,8 +103,45 @@ declare const createJoseInstance: <DefaultUser extends User = User>(secret?: JWT
78
103
  decodeJWT: (token: string, options?: DecodeJWTOptions) => Promise<TypedJWTPayload<DefaultUser>>;
79
104
  };
80
105
  //#endregion
106
+ //#region src/shared/identity.d.ts
107
+ declare const UserIdentity: z.ZodObject<{
108
+ sub: z.ZodString;
109
+ name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
110
+ image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
111
+ email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
112
+ }, z.core.$strip>;
113
+ declare const UserIdentityValibot: valibot.ObjectSchema<{
114
+ readonly sub: valibot.StringSchema<undefined>;
115
+ readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
116
+ readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
117
+ readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
118
+ }, undefined>;
119
+ declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
120
+ sub: string;
121
+ name?: string | null | undefined;
122
+ image?: string | null | undefined;
123
+ email?: string | null | undefined;
124
+ }, {}>;
125
+ declare const UserIdentityTypeBox: Type$1.TObject<{
126
+ sub: Type$1.TString;
127
+ name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
128
+ image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
129
+ email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
130
+ }>;
131
+ type UserShape = typeof UserIdentity.shape;
132
+ type UserShapeValibot = typeof UserIdentityValibot.entries;
133
+ type UserShapeArkType = typeof UserIdentityArkType;
134
+ type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
135
+ type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
136
+ type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
137
+ type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
138
+ type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
139
+ type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
140
+ type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
141
+ declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
142
+ //#endregion
81
143
  //#region src/api/createApi.d.ts
82
- declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContext) => {
144
+ declare const createAuthAPI: <DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>>(ctx: GlobalContext) => {
83
145
  /**
84
146
  * Retrieves the current session data from the server-side.
85
147
  *
@@ -119,6 +181,26 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
119
181
  * })
120
182
  */
121
183
  signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
184
+ /**
185
+ * Signs up a new user on the server-side. It requires a `payload` with the necessary information for
186
+ * user creation and a callback function configured in `signUp.onCreateUser` to handle the actual user
187
+ * creation logic.
188
+ *
189
+ * @params options - Options for the API call, including the sign-up payload, headers, and redirect behavior.
190
+ * @return The object returned by the API call {@link SignUpAPIReturn}
191
+ * @example
192
+ * const response = await api.signUp({
193
+ * payload: {
194
+ * name: "John",
195
+ * lastName: "Doe",
196
+ * email: "john.doe@example.com",
197
+ * password: "1234567890"
198
+ * },
199
+ * redirectTo: "/dashboard",
200
+ * request: await getRequest()
201
+ * })
202
+ */
203
+ signUp: <Payload extends Record<string, any> = Wrap<RemoveIndexSignature<InferSchema<SignUpSchema, _$_aura_stack_router0.SchemaKind<SignUpSchema>>>>>(options: SignUpAPIOptions<Payload>) => Promise<SignUpAPIReturn>;
122
204
  /**
123
205
  * Updates the current session on the server-side. It allows partial updates to the session object, such as
124
206
  * modifying user fields or extending the session expiry. It implements CSRF Protection by default, for
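Review bot: The added `signUp` doc comment does not say whether `payload` is validated against the configured sign-up schema before `signUp.onCreateUser` runs, and the `Payload` type parameter can be supplied explicitly by the caller, so the static type alone gives no guarantee about the shape that reaches the callback. Since the example passes a plaintext `password`, the comment should also state who is responsible for hashing and storing it, presumably the `onCreateUser` callback. The tags `@params` and `@return` are not TSDoc tags; use `@param options - …` and `@returns …`. The enclosing `createAuthAPI` declaration starts and ends outside this hunk.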
@@ -160,43 +242,6 @@ declare const createAuthAPI: <DefaultUser extends User = User>(ctx: GlobalContex
160
242
  signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
161
243
  };
162
244
  //#endregion
163
- //#region src/shared/identity.d.ts
164
- declare const UserIdentity: z.ZodObject<{
165
- sub: z.ZodString;
166
- name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
167
- image: z.ZodOptional<z.ZodNullable<z.ZodString>>;
168
- email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
169
- }, z.core.$strip>;
170
- declare const UserIdentityValibot: valibot.ObjectSchema<{
171
- readonly sub: valibot.StringSchema<undefined>;
172
- readonly name: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
173
- readonly image: valibot.OptionalSchema<valibot.NullableSchema<valibot.StringSchema<undefined>, undefined>, undefined>;
174
- readonly email: valibot.OptionalSchema<valibot.NullableSchema<valibot.SchemaWithPipe<readonly [valibot.StringSchema<undefined>, valibot.EmailAction<string, undefined>]>, undefined>, undefined>;
175
- }, undefined>;
176
- declare const UserIdentityArkType: _$arktype_internal_variants_object_ts0.ObjectType<{
177
- sub: string;
178
- name?: string | null | undefined;
179
- image?: string | null | undefined;
180
- email?: string | null | undefined;
181
- }, {}>;
182
- declare const UserIdentityTypeBox: Type$1.TObject<{
183
- sub: Type$1.TString;
184
- name: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
185
- image: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
186
- email: Type$1.TOptional<Type$1.TUnion<[Type$1.TString, Type$1.TNull]>>;
187
- }>;
188
- type UserShape = typeof UserIdentity.shape;
189
- type UserShapeValibot = typeof UserIdentityValibot.entries;
190
- type UserShapeArkType = typeof UserIdentityArkType;
191
- type UserShapeTypeBox = typeof UserIdentityTypeBox.properties;
192
- type IsArkType<T extends Identities> = T extends EditableShapeArkType<UserShapeArkType> ? true : false;
193
- type IsZod<T extends Identities> = T extends EditableShape<UserShape> ? true : false;
194
- type IsValibot<T extends Identities> = T extends EditableShapeValibot<UserShapeValibot> ? true : false;
195
- type SchemaTypes = ZodObject<any> | valibot.ObjectSchema<any, undefined> | Type<{}> | Type$1.TObject;
196
- type Identities = EditableShape<UserShape> | EditableShapeValibot<UserShapeValibot> | EditableShapeArkType<UserShapeArkType> | EditableShapeTypebox<UserShapeTypeBox> | EditableUser;
197
- type ReturnShapeType<T> = T extends EditableShape<UserShape> ? z.ZodObject<T> : T extends EditableShapeValibot<UserShapeValibot> ? valibot.ObjectSchema<T, undefined> : T extends EditableShapeArkType<UserShapeArkType> ? T : T extends EditableShapeTypebox<UserShapeTypeBox> ? Type$1.TObject<T> : T extends EditableUser ? z.ZodObject<T> : never;
198
- declare const createIdentity: <S extends Identities>(shape: S) => ReturnShapeType<S>;
199
- //#endregion
200
245
  //#region src/shared/logger.d.ts
201
246
  /**
202
247
  * Log message definitions organized by category.
@@ -503,6 +548,36 @@ declare const logMessages: {
503
548
  readonly msgId: "CREDENTIALS_SIGN_IN_FAILED";
504
549
  readonly message: "An error occurred during credentials sign-in";
505
550
  };
551
+ readonly SIGN_UP_SUCCESS: {
552
+ readonly facility: 4;
553
+ readonly severity: "info";
554
+ readonly msgId: "SIGN_UP_SUCCESS";
555
+ readonly message: "User successfully signed up and authenticated";
556
+ };
557
+ readonly SESSION_NOT_FOUND: {
558
+ readonly facility: 4;
559
+ readonly severity: "error";
560
+ readonly msgId: "SESSION_NOT_FOUND";
561
+ readonly message: "Session token was not found in the request cookies";
562
+ };
563
+ readonly OAUTH_INVALID_CONTENT_TYPE: {
564
+ readonly facility: 10;
565
+ readonly severity: "error";
566
+ readonly msgId: "OAUTH_INVALID_CONTENT_TYPE";
567
+ readonly message: "OAuth endpoint returned an invalid Content-Type header";
568
+ };
569
+ readonly SIGN_IN_PROVIDER_TYPE_DETECTED: {
570
+ readonly facility: 4;
571
+ readonly severity: "info";
572
+ readonly msgId: "SIGN_IN_PROVIDER_TYPE_DETECTED";
573
+ readonly message: "Detected OAuth provider type (OIDC or standard)";
574
+ };
575
+ readonly OIDC_PROVIDER_RESOLVED: {
576
+ readonly facility: 4;
577
+ readonly severity: "info";
578
+ readonly msgId: "OIDC_PROVIDER_RESOLVED";
579
+ readonly message: "OIDC provider configuration resolved successfully";
580
+ };
506
581
  };
507
582
  declare const createLogEntry: <T extends keyof typeof logMessages>(key: T, overrides?: Partial<SyslogOptions>) => SyslogOptions;
508
583
  declare const createSyslogMessage: (options: SyslogOptions) => string;
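Review bot: `SESSION_NOT_FOUND` is registered with `severity: "error"`, yet its message describes a request that simply carries no session cookie, which presumably happens on every unauthenticated request; at error level it can bury real failures such as `OAUTH_INVALID_CONTENT_TYPE`. Consider a lower severity for it (for example `"info"`, which this hunk already uses), or document when it is emitted. The hunk adds `SIGN_UP_SUCCESS` but no failure counterpart is visible here; if none exists elsewhere in `logMessages`, rejected sign-ups leave no audit record comparable to `CREDENTIALS_SIGN_IN_FAILED`. The `logMessages` object starts outside this hunk.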
@@ -1153,6 +1228,661 @@ interface DribbbleProfile extends DribbbleDefault {
1153
1228
  */
1154
1229
  declare const dribbble: <DefaultUser extends User = User>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1155
1230
  //#endregion
1231
+ //#region src/oauth/hubspot.d.ts
1232
+ interface HubSportSignedAccessToken {
1233
+ appId: number;
1234
+ appInstallId: number;
1235
+ audience: string;
1236
+ expiresAt: string;
1237
+ hubId: number;
1238
+ hublet: string;
1239
+ installingUserId: number;
1240
+ isPrivateDistribution: boolean;
1241
+ isServiceAccount: boolean;
1242
+ isUserLevel: boolean;
1243
+ newSignature: string;
1244
+ scopeToScopeGroupPks: string;
1245
+ scopes: string;
1246
+ signature: string;
1247
+ trialScopeToScopeGroupPks: string;
1248
+ trialScopes: string;
1249
+ userId: number;
1250
+ }
1251
+ /**
1252
+ * @see [HubSpot - Retrieve OAuth token metadata](https://developers.hubspot.com/docs/api-reference/legacy/authentication/oauth-tokens/v1/get-oauth-token-metadata)
1253
+ */
1254
+ interface HubSpotProfile {
1255
+ /**
1256
+ * The ID of the application associated with the access token.
1257
+ */
1258
+ app_id: number;
1259
+ /**
1260
+ * The time in seconds until the access token expires.
1261
+ */
1262
+ expires_in: number;
1263
+ /**
1264
+ * The ID of the HubSpot account associated with the access token.
1265
+ */
1266
+ hub_id: number;
1267
+ /**
1268
+ * An array of strings indicating the scopes
1269
+ */
1270
+ scopes: string[];
1271
+ /**
1272
+ * The access token string used to make API calls.
1273
+ */
1274
+ token: string;
1275
+ /**
1276
+ * The type of token, typically indicating the authentication scheme.
1277
+ * @default `bearer`
1278
+ */
1279
+ token_type: string;
1280
+ /**
1281
+ * The ID of the hubspot user for whom the access token was created.
1282
+ */
1283
+ user_id: number;
1284
+ /**
1285
+ * The domain of the HubSpot account associated with the access token.
1286
+ */
1287
+ hub_domain: string;
1288
+ /**
1289
+ * Indicates whether the token is for a privately distributed application. If false, it is marketplace distributed.
1290
+ */
1291
+ is_private_distribution: boolean;
1292
+ signed_access_token: HubSportSignedAccessToken;
1293
+ /**
1294
+ * The email address of the hubspot user for whom the access token was created.
1295
+ */
1296
+ user: string;
1297
+ }
1298
+ /**
1299
+ * HubSpot OAuth provider
1300
+ * Profile Type {@link HubSpotProfile}
1301
+ *
1302
+ * @see [HubSpot - Working with OAuth](https://developers.hubspot.com/docs/apps/legacy-apps/authentication/oauth-quickstart-guide#getting-oauth-tokens)
1303
+ * @see [HubSpot - Scopes](https://developers.hubspot.com/docs/apps/legacy-apps/authentication/scopes)
1304
+ * @see [HubSpot - Retrieve OAuth token metadata](https://developers.hubspot.com/docs/api-reference/legacy/authentication/oauth-tokens/v1/get-oauth-token-metadata)
1305
+ */
1306
+ declare const hubspot: <DefaultUser extends User = User>(options?: OAuthProviderConfig<HubSpotProfile, DefaultUser>) => OAuthProviderConfig<HubSpotProfile, DefaultUser>;
1307
+ //#endregion
1308
+ //#region src/oauth/google.d.ts
1309
+ /**
1310
+ * @see [Google - ID Token (Claims)](https://developers.google.com/identity/openid-connect/reference#id_token_claims)
1311
+ */
1312
+ interface GoogleProfile {
1313
+ /**
1314
+ * The issuer identifier for the issuer of the response.
1315
+ * Typically `https://accounts.google.com` or `accounts.google.com`
1316
+ */
1317
+ iss: string;
1318
+ /**
1319
+ * The subject identifier for the user. This is a unique and immutable
1320
+ * identifier for the user.
1321
+ */
1322
+ sub: string;
1323
+ /**
1324
+ * The audience for which the ID token is intended.
1325
+ */
1326
+ aud: string;
1327
+ /**
1328
+ * The time of the ID token was issued.
1329
+ */
1330
+ iat: number;
1331
+ /**
1332
+ * Expiration time on or after which the ID token must not be accepted.
1333
+ */
1334
+ exp: string;
1335
+ /**
1336
+ * The client Identifier for the authorized presenter, obtained from
1337
+ * the Google Cloud Console.
1338
+ */
1339
+ azp?: string;
1340
+ /**
1341
+ * The value of the `nonce` supplied by the client.
1342
+ */
1343
+ nonce?: string;
1344
+ /**
1345
+ * The time user authentication took placea JSON number representing
1346
+ * the number of seconds.
1347
+ */
1348
+ auth_time?: number;
1349
+ /**
1350
+ * Access token hash. Provides validation that the Access Token is tied
1351
+ * to the identity token.
1352
+ */
1353
+ at_hash?: string;
1354
+ /**
1355
+ * The domain associated with the Google Workspace or Cloud organization of the user.
1356
+ */
1357
+ hd?: string;
1358
+ /**
1359
+ * The user's email address.
1360
+ * > Note: Provided only if you included the `email` scope in your request.
1361
+ *
1362
+ * > Warning: Don't use email address as an identifier because a Google
1363
+ * Account can have multiple email addresses at different points in time.
1364
+ * Always use the `sub` field as the identifier for the user.
1365
+ */
1366
+ email: string;
1367
+ /**
1368
+ * `True` if the user's email address has been verified.
1369
+ */
1370
+ email_verified?: boolean;
1371
+ /**
1372
+ * The user's full name.
1373
+ * > Note: Provided only if you included the `profile` scope in your request.
1374
+ */
1375
+ name: string;
1376
+ /**
1377
+ * The URL of the user's profile picture.
1378
+ * > Note: Provided only if you included the `profile` scope in your request.
1379
+ */
1380
+ picture: string;
1381
+ /**
1382
+ * The user's give name(s) or first name(s).
1383
+ */
1384
+ given_name?: string;
1385
+ /**
1386
+ * The user's family name(s) or last name(s).
1387
+ */
1388
+ family_name?: string;
1389
+ }
1390
+ /**
1391
+ * Google OpenID Connect Provider
1392
+ *
1393
+ * @see [Google - Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/oauth2)
1394
+ * @see [Google - OpenID Connect](https://developers.google.com/identity/openid-connect/openid-connect)
1395
+ * @see [Google - OpenID Connect API Reference](https://developers.google.com/identity/openid-connect/reference)
1396
+ * @see [Google - Client Credentials](https://console.cloud.google.com/auth/clients)
1397
+ */
1398
+ declare const google: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<GoogleProfile, DefaultUser>>) => OpenIDProvider<GoogleProfile, DefaultUser>;
1399
+ //#endregion
1400
+ //#region src/oauth/huggingface.d.ts
1401
+ interface HuggingFaceResourceGroup {
1402
+ sub: string;
1403
+ name: string;
1404
+ role: "admin" | "write" | "contributor" | "read" | "no_access";
1405
+ }
1406
+ interface HuggingFaceOrg {
1407
+ sub: string;
1408
+ name: string;
1409
+ picture: string;
1410
+ preferred_username: string;
1411
+ plan?: "team" | "enterprise" | "plus" | "academia";
1412
+ canPay?: boolean;
1413
+ billingMode?: "prepaid" | "postpaid";
1414
+ roleInOrg?: "admin" | "write" | "contributor" | "read" | "no_access";
1415
+ pendingSSO?: boolean;
1416
+ missingMFA?: boolean;
1417
+ securityRestrictions?: ("mfa" | "token-policy" | "token-revoked" | "sso" | "ip")[];
1418
+ resourceGroups?: HuggingFaceResourceGroup;
1419
+ }
1420
+ /**
1421
+ * @see [Hugging Face - Open API Metadata](https://huggingface.co/.well-known/openapi.json)
1422
+ */
1423
+ interface HuggingFaceProfile {
1424
+ sub: string;
1425
+ isPro: boolean;
1426
+ orgs: HuggingFaceOrg[];
1427
+ name?: string;
1428
+ preferred_username?: string;
1429
+ picture?: string;
1430
+ profile?: string;
1431
+ website?: string;
1432
+ email?: string;
1433
+ email_verified?: boolean;
1434
+ canPay?: boolean;
1435
+ billingMode?: "prepaid" | "postpaid";
1436
+ }
1437
+ /**
1438
+ * Hugging Face OpenID Connect Provider
1439
+ *
1440
+ * @see [Hugging Face - Sign in with Hugging Face](https://huggingface.co/docs/hub/en/oauth)
1441
+ * @see [Hugging Face - Create an OAuth App](https://huggingface.co/settings/applications/new)
1442
+ * @see [Hugging Face - OpenID Metadata](https://huggingface.co/.well-known/openid-configuration)
1443
+ */
1444
+ declare const huggingface: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<HuggingFaceProfile, DefaultUser>>) => OpenIDProvider<HuggingFaceProfile, DefaultUser>;
1445
+ //#endregion
1446
+ //#region src/oauth/authentik.d.ts
1447
+ interface AuthentikProfile {
1448
+ iss: string;
1449
+ sub: string;
1450
+ aud: string;
1451
+ exp: number;
1452
+ iat: number;
1453
+ auth_time: number;
1454
+ acr: string;
1455
+ c_hash: string;
1456
+ nonce: string;
1457
+ at_hash: string;
1458
+ email: string;
1459
+ email_verified: boolean;
1460
+ name: string;
1461
+ given_name: string;
1462
+ family_name: string;
1463
+ preferred_username: string;
1464
+ nickname: string;
1465
+ }
1466
+ /**
1467
+ * Authentik OpenID Connect Provider
1468
+ *
1469
+ * @see [Authentik - OAuth 2.0 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/)
1470
+ * @see [Authentik - Create an OAuth2 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/create-oauth2-provider/)
1471
+ */
1472
+ declare const authentik: <DefaultUser extends User = User>(options?: Partial<OpenIDProvider<AuthentikProfile, DefaultUser>>) => OpenIDProvider<AuthentikProfile, DefaultUser>;
1473
+ //#endregion
1474
+ //#region src/@types/session.d.ts
1475
+ /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1476
+ type User = infer$2<typeof UserIdentity>;
1477
+ /**
1478
+ * Session data returned by the session endpoint.
1479
+ */
1480
+ interface Session<DefaultUser extends User = User> {
1481
+ user: DefaultUser;
1482
+ expires: string;
1483
+ }
1484
+ interface CryptoSecret {
1485
+ sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1486
+ encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1487
+ }
1488
+ interface AsymmetricKeyPairFromEnv {
1489
+ publicKey: string;
1490
+ privateKey: string;
1491
+ }
1492
+ interface AsymmetricKeyPair {
1493
+ publicKey: CryptoKey | JWK;
1494
+ privateKey: CryptoKey | JWK;
1495
+ }
1496
+ /**
1497
+ * A symmetric secret or asymmetric key pair used for JWT operations.
1498
+ *
1499
+ * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1500
+ * - CryptoKey: Web Crypto API key, for environments that support it
1501
+ * - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
1502
+ */
1503
+ type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
1504
+ /**
1505
+ * @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
1506
+ */
1507
+ type JWTKey = SecretKey;
1508
+ /**
1509
+ * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1510
+ * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1511
+ * - "sealed" → JWS nested inside JWE (signed then encrypted).
1512
+ */
1513
+ type JWTMode = "signed" | "encrypted" | "sealed";
1514
+ /**
1515
+ * Signing algorithms for "signed" and "sealed" modes.
1516
+ * Symmetric: HS256 | HS384 | HS512
1517
+ * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1518
+ */
1519
+ type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1520
+ /**
1521
+ * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1522
+ * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1523
+ * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1524
+ * RSA: RSA-OAEP | RSA-OAEP-256
1525
+ */
1526
+ type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1527
+ /** Content-encryption algorithms for JWE. */
1528
+ type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1529
+ /** Signed JWT mode configuration. */
1530
+ type JWTSignedMode = {
1531
+ mode: "signed";
1532
+ signingAlgorithm?: JWTSigningAlgorithm;
1533
+ };
1534
+ /** Encrypted JWT mode configuration. */
1535
+ type JWTEncryptedMode = {
1536
+ mode: "encrypted";
1537
+ keyAlgorithm?: JWTKeyAlgorithm;
1538
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1539
+ };
1540
+ /** Signed and Encrypted JWT mode configuration. */
1541
+ type JWTSealedMode = {
1542
+ mode?: "sealed";
1543
+ signingAlgorithm?: JWTSigningAlgorithm;
1544
+ keyAlgorithm?: JWTKeyAlgorithm;
1545
+ encryptionAlgorithm?: JWTEncryptionAlgorithm;
1546
+ };
1547
+ /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1548
+ type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1549
+ /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1550
+ type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1551
+ type JWTConfig = Prettify<{
1552
+ /**
1553
+ * Token lifetime.
1554
+ */
1555
+ maxAge?: number;
1556
+ /**
1557
+ * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1558
+ * @example "https://auth.example.com"
1559
+ */
1560
+ issuer?: string;
1561
+ /**
1562
+ * JWT `aud` claim. Single value or array for multi-audience tokens.
1563
+ * @example ["https://api.example.com", "https://app.example.com"]
1564
+ */
1565
+ audience?: string | string[];
1566
+ /**
1567
+ * Maximum absolute session duration in seconds.
1568
+ * Required for "absolute" and "sliding" strategies.
1569
+ * Enforced via jose's maxTokenAge against the iat claim.
1570
+ */
1571
+ maxExpiration?: number;
1572
+ /**
1573
+ * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
1574
+ */
1575
+ expirationStrategy?: JWTExpirationStrategy;
1576
+ } & JWTConfigBase>;
1577
+ /**
1578
+ * Stateless JWT strategy.
1579
+ * No database required. Tokens are self-contained and cannot be revoked
1580
+ * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1581
+ *
1582
+ * @example
1583
+ * {
1584
+ * strategy: "jwt",
1585
+ * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1586
+ * refreshToken: { enabled: true, maxAge: "7d" },
1587
+ * }
1588
+ */
1589
+ type StatelessStrategyConfig = {
1590
+ strategy?: "jwt";
1591
+ jwt?: JWTConfig;
1592
+ };
1593
+ /**
1594
+ * The session strategy. Determines which fields below are required.
1595
+ *
1596
+ * - "jwt": stateless. No database needed. JWTs are self-contained.
1597
+ * - "database": stateful. Every request hits the DB to validate the session.
1598
+ * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1599
+ *
1600
+ * @default "jwt"
1601
+ */
1602
+ type SessionConfig = StatelessStrategyConfig;
1603
+ /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1604
+ interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1605
+ session: Session<DefaultUser> | null;
1606
+ headers: Headers;
1607
+ }
1608
+ /**
1609
+ * Abstraction layer for session management.
1610
+ */
1611
+ interface SessionStrategy<DefaultUser extends User = User> {
1612
+ /**
1613
+ * Read and validate the session from an incoming request.
1614
+ * Returns null if absent, invalid, or expired. Never throws on auth failure.
1615
+ */
1616
+ getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
1617
+ /**
1618
+ * Create a session after successful authentication.
1619
+ * Signs the JWT / writes the DB row / sets cookies.
1620
+ */
1621
+ createSession(session: User): Promise<string>;
1622
+ /**
1623
+ * Attempt to refresh using the refresh token cookie.
1624
+ * Returns null session + cookie-clearing response on any failure.
1625
+ */
1626
+ refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1627
+ session: Session<DefaultUser> | null;
1628
+ headers: Headers;
1629
+ }>;
1630
+ /**
1631
+ * Revoke a session by ID.
1632
+ * JWT strategy: best-effort (clears cookies, no server state).
1633
+ * Database / hybrid: marks row inactive.
1634
+ */
1635
+ revokeSession(sessionId: string): Promise<void>;
1636
+ /**
1637
+ * Destroy the session attached to this request (logout).
1638
+ * Returns a response that clears cookies.
1639
+ */
1640
+ destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1641
+ }
1642
+ /** Inputs for constructing a session strategy implementation for a given identity schema. */
1643
+ interface CreateSessionStrategyOptions<Identity extends Identities> {
1644
+ config?: SessionConfig;
1645
+ jose: JoseInstance<FromShapeToObject<Identity> & User>;
1646
+ cookies: () => CookieStoreConfig;
1647
+ logger?: InternalLogger;
1648
+ identity: SchemaRegistryContext;
1649
+ }
1650
+ /** Options specialized for the JWT-backed session strategy. */
1651
+ interface JWTStrategyOptions<DefaultUser extends User = User> {
1652
+ config?: StatelessStrategyConfig;
1653
+ jose: JoseInstance<DefaultUser>;
1654
+ logger?: InternalLogger;
1655
+ cookies: () => CookieStoreConfig;
1656
+ identity: SchemaRegistryContext;
1657
+ }
1658
+ /** Minimal token issue/verify surface used by session code paths. */
1659
+ type JWTManager<DefaultUser extends User = User> = {
1660
+ createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1661
+ verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
1662
+ };
1663
+ //#endregion
1664
+ //#region src/@types/oidc.d.ts
1665
+ /**
1666
+ * @link https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
1667
+ */
1668
+ interface OpenIDMetadata {
1669
+ /**
1670
+ * URL using the https scheme with no query or fragment component that the
1671
+ * OP asserts as its Issuer Identifier.
1672
+ */
1673
+ issuer: string;
1674
+ /**
1675
+ * URL of the OP's OAuth 2.0 Authorization Endpoint
1676
+ */
1677
+ authorization_endpoint: string;
1678
+ /**
1679
+ * URL of the OP's OAuth 2.0 Token Endpoint
1680
+ */
1681
+ token_endpoint: string;
1682
+ /**
1683
+ * URL of the OP's UserInfo Endpoint.
1684
+ */
1685
+ userinfo_endpoint: string;
1686
+ /**
1687
+ * URL of the OP's JSON Web Key Set [JWK] document. This contains the signing keys
1688
+ * used by the OP to sign tokens issued, which may be used by the RP to validate
1689
+ * signatures.
1690
+ */
1691
+ jwks_uri: string;
1692
+ /**
1693
+ * URL of the OP's Dynamic Client Registration Endpoint. This is REQUIRED unless
1694
+ * the OP does not support dynamic client registration, in which case it MUST NOT
1695
+ * be included.
1696
+ */
1697
+ registration_endpoint?: string;
1698
+ /**
1699
+ * JSON arry containing a list of the OP's supported Subject Identifier types.
1700
+ * Valid types include pairwise and public.
1701
+ */
1702
+ scopes_supported?: string[];
1703
+ /**
1704
+ * Json array containing a list of the OP's supported response types. Valid response
1705
+ * types include code, id_token, and token. The OP MUST support the code response type.
1706
+ */
1707
+ response_types_supported?: string[];
1708
+ /**
1709
+ * JSON array containing a list of the OP's supported response modes. Valid response
1710
+ * modes include query, fragment, and form_post. If omitted, the default is that the
1711
+ * OP supports only the query response mode.
1712
+ */
1713
+ response_modes_supported?: string[];
1714
+ /**
1715
+ * JSON array containing a list of the OP's supported grant types. Valid grant types
1716
+ * include authorization_code, implicit, refresh_token, and client_credentials.
1717
+ * If omitted, the default is that the OP supports only the authorization_code
1718
+ * grant type.
1719
+ */
1720
+ grant_types_supported?: string[];
1721
+ /**
1722
+ * JSON array containing a list of the OP's supported ACR values. If omitted, the
1723
+ * default is that the OP does not support any ACR values.
1724
+ */
1725
+ acr_values_supported?: string[];
1726
+ /**
1727
+ * JSON array containing a list of the OP's supported Subject Identifier types.
1728
+ * Valid types include pairwise and public.
1729
+ */
1730
+ subject_types_supported: string[];
1731
+ /**
1732
+ * JSON array containing a list of the OP's supported ID Token signing algorithms.
1733
+ * The only algorithm that MUST be supported is RS256. The OP SHOULD support
1734
+ * additional algorithms, such as ES256.
1735
+ */
1736
+ id_token_signing_alg_values_supported: string[];
1737
+ /**
1738
+ * JSON array containing a list of the OP's supported ID Token encryption algorithms.
1739
+ * The OP MUST support the RSA1_5 algorithm. The OP SHOULD support additional
1740
+ * algorithms, such as A128KW and A256KW.
1741
+ */
1742
+ id_token_encryption_alg_values_supported?: string[];
1743
+ /**
1744
+ * JSON array containing a list of the OP's supported ID Token encryption encodings.
1745
+ * The OP MUST support the A128CBC-HS256 encoding. The OP SHOULD support additional
1746
+ * encodings, such as A256CBC-HS512 and A128GCM.
1747
+ */
1748
+ id_token_encryption_enc_values_supported?: string[];
1749
+ /**
1750
+ * JSON array containing a list of the OP's supported UserInfo signing algorithms.
1751
+ * The OP SHOULD support RS256 or ES256, or both. The OP SHOULD support none, one,
1752
+ * or more additional signing algorithms.
1753
+ */
1754
+ userinfo_signing_alg_values_supported?: string[];
1755
+ /**
1756
+ * JSON array containing a list of the OP's supported UserInfo encryption algorithms.
1757
+ * The OP SHOULD support the RSA1_5 algorithm. The OP SHOULD support additional
1758
+ * algorithms, such as A128KW and A256KW.
1759
+ */
1760
+ userinfo_encryption_alg_values_supported?: string[];
1761
+ /**
1762
+ * JSON array containing a list of the OP's supported UserInfo encryption encodings.
1763
+ * The OP SHOULD support the A128CBC-HS256 encoding. The OP SHOULD support additional
1764
+ * encodings, such as A256CBC-HS512 and A128GCM.
1765
+ */
1766
+ userinfo_encryption_enc_values_supported?: string[];
1767
+ /**
1768
+ * JSON array containing a list of the OP's supported Request Object signing algorithms.
1769
+ * The OP SHOULD support RS256 or ES256, or both. The OP SHOULD support none, one, or
1770
+ * more additional signing algorithms.
1771
+ */
1772
+ request_object_signing_alg_values_supported?: string[];
1773
+ /**
1774
+ * JSON array containing a list of the OP's supported Request Object encryption algorithms.
1775
+ * The OP SHOULD support the RSA1_5 algorithm. The OP SHOULD support additional algorithms,
1776
+ * such as A128KW and A256KW.
1777
+ */
1778
+ request_object_encryption_alg_values_supported?: string[];
1779
+ /**
1780
+ * JSON array containing a list of the OP's supported Request Object encryption encodings.
1781
+ * The OP SHOULD support the A128CBC-HS256 encoding. The OP SHOULD support additional
1782
+ * encodings, such as A256CBC-HS512 and A128GCM.
1783
+ */
1784
+ request_object_encryption_enc_values_supported?: string[];
1785
+ /**
1786
+ * JSON array containing a list of the OP's supported Token Endpoint authentication methods.
1787
+ * Valid methods include client_secret_post, client_secret_basic, client_secret_jwt, and
1788
+ * private_key_jwt. The OP MUST support client_secret_basic and client_secret_post.
1789
+ */
1790
+ token_endpoint_auth_methods_supported?: string[];
1791
+ /**
1792
+ * JSON array containing a list of the OP's supported Token Endpoint authentication signing
1793
+ * algorithms. The OP MUST support RS256. The OP SHOULD support additional algorithms, such
1794
+ * as ES256.
1795
+ */
1796
+ token_endpoint_auth_signing_alg_values_supported?: string[];
1797
+ /**
1798
+ * JSON array containing a list of the OP's supported display parameter values. Valid values
1799
+ * include page, popup, touch, and wap. If omitted, the default is that the OP supports only
1800
+ * the page display parameter value.
1801
+ */
1802
+ display_values_supported?: string[];
1803
+ /**
1804
+ * JSON array containing a list of the OP's supported claim types. Valid types include normal
1805
+ * and aggregated. If omitted, the default is that the OP supports only the normal claim type.
1806
+ */
1807
+ claim_types_supported?: string[];
1808
+ /**
1809
+ * JSON array containing a list of the OP's supported claims. These are the claims that the
1810
+ * OP may be able to supply values for. Note that the individual claims supported by the OP
1811
+ * need not be listed here, and that this element is intended primarily to provide a mechanism
1812
+ * for listing those claims that are typically returned by the OP's UserInfo Endpoint.
1813
+ */
1814
+ claims_supported?: string[];
1815
+ /**
1816
+ * URL of a page containing human-readable information that developers might want or need to
1817
+ * know when using the OP. In particular, if the OP does not support dynamic client registration,
1818
+ * then information on how to register clients needs to be provided in this documentation.
1819
+ */
1820
+ service_documentation?: string;
1821
+ /**
1822
+ * Languages and scripts supported for values in Claims
1823
+ */
1824
+ claims_locales_supported?: string[];
1825
+ /**
1826
+ * Languages and scripts supported for the user interface, represented as a JSON array of
1827
+ * BCP47 [RFC5646] language tag values. If omitted, the default is that the OP supports
1828
+ * only the en-US locale.
1829
+ */
1830
+ ui_locales_supported?: string[];
1831
+ /**
1832
+ * Boolean value specifying whether the OP supports use of the claims parameter, with true
1833
+ * indicating support. If omitted, the default is that the OP does not support use of the
1834
+ * claims parameter.
1835
+ */
1836
+ claims_parameter_supported?: boolean;
1837
+ /**
1838
+ * Boolean value specifying whether the OP supports use of the request parameter, with true
1839
+ * indicating support. If omitted, the default is that the OP does not support use of the
1840
+ * request parameter.
1841
+ */
1842
+ request_parameter_supported?: boolean;
1843
+ /**
1844
+ * Boolean value specifying whether the OP supports use of the request_uri parameter, with
1845
+ * true indicating support. If omitted, the default is that the OP does not support use of
1846
+ * the request_uri parameter.
1847
+ */
1848
+ request_uri_parameter_supported?: boolean;
1849
+ /**
1850
+ * Boolean value specifying whether the OP requires any request_uri values used to be
1851
+ * pre-registered using the request_uris registration parameter, with true indicating
1852
+ * that any such request_uri values need to be pre-registered. If omitted, the default
1853
+ * is that the OP does not require pre-registration of request_uri values.
1854
+ */
1855
+ require_request_uri_registration?: boolean;
1856
+ /**
1857
+ * URL that the OpenID Provider provides to the person registering the Client to read
1858
+ * about the OP's requirements on how the client can use the request_uri parameter. The
1859
+ * registration process SHOULD display this URL to the person registering the Client if
1860
+ * the OP requires pre-registration of request_uri values.
1861
+ */
1862
+ op_policy_uri?: string;
1863
+ /**
1864
+ * URL that the OpenID Provider provides to the person registering the Client to read
1865
+ * about the OP's terms of service. The registration process SHOULD display this URL to
1866
+ * the person registering the Client if the OP provides such a URL.
1867
+ */
1868
+ op_tos_uri?: string;
1869
+ }
1870
+ type OpenIDProvider<Profile extends object = Record<string, any>, DefaultUser = User, Issuer extends string = string> = {
1871
+ id: string;
1872
+ name: string;
1873
+ /**
1874
+ * URL to concatenating the string /.well-known/openid-configuration to the Issuer.
1875
+ */
1876
+ issuer: Issuer;
1877
+ clientId?: string;
1878
+ clientSecret?: string;
1879
+ /**
1880
+ * Override the default OIDC scope (`openid profile email`).
1881
+ */
1882
+ scope?: string;
1883
+ profile?: (profile: Profile) => DefaultUser | Promise<DefaultUser>;
1884
+ } & GetRouteParams<`/${Issuer}`>;
1885
+ //#endregion
1156
1886
  //#region src/oauth/index.d.ts
1157
1887
  declare const builtInOAuthProviders: {
1158
1888
  readonly github: <DefaultUser extends User = {
@@ -1238,20 +1968,46 @@ declare const builtInOAuthProviders: {
1238
1968
  name?: string | null | undefined;
1239
1969
  image?: string | null | undefined;
1240
1970
  email?: string | null | undefined;
1241
- }>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1242
- readonly clickUp: <DefaultUser extends User = {
1971
+ }>(options?: Partial<OAuthProviderCredentials<AtlassianProfile, DefaultUser>>) => OAuthProviderCredentials<AtlassianProfile, DefaultUser>;
1972
+ readonly clickUp: <DefaultUser extends User = {
1973
+ sub: string;
1974
+ name?: string | null | undefined;
1975
+ image?: string | null | undefined;
1976
+ email?: string | null | undefined;
1977
+ }>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1978
+ readonly dribbble: <DefaultUser extends User = {
1979
+ sub: string;
1980
+ name?: string | null | undefined;
1981
+ image?: string | null | undefined;
1982
+ email?: string | null | undefined;
1983
+ }>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
1984
+ readonly hubspot: <DefaultUser extends User = {
1985
+ sub: string;
1986
+ name?: string | null | undefined;
1987
+ image?: string | null | undefined;
1988
+ email?: string | null | undefined;
1989
+ }>(options?: OAuthProviderConfig<HubSpotProfile, DefaultUser>) => OAuthProviderConfig<HubSpotProfile, DefaultUser>;
1990
+ readonly google: <DefaultUser extends User = {
1991
+ sub: string;
1992
+ name?: string | null | undefined;
1993
+ image?: string | null | undefined;
1994
+ email?: string | null | undefined;
1995
+ }>(options?: Partial<OpenIDProvider<GoogleProfile, DefaultUser>>) => OpenIDProvider<GoogleProfile, DefaultUser>;
1996
+ readonly huggingface: <DefaultUser extends User = {
1243
1997
  sub: string;
1244
1998
  name?: string | null | undefined;
1245
1999
  image?: string | null | undefined;
1246
2000
  email?: string | null | undefined;
1247
- }>(options?: Partial<OAuthProviderCredentials<ClickUpProfile, DefaultUser>>) => OAuthProviderCredentials<ClickUpProfile, DefaultUser>;
1248
- readonly dribbble: <DefaultUser extends User = {
2001
+ }>(options?: Partial<OpenIDProvider<HuggingFaceProfile, DefaultUser>>) => OpenIDProvider<HuggingFaceProfile, DefaultUser>;
2002
+ readonly authentik: <DefaultUser extends User = {
1249
2003
  sub: string;
1250
2004
  name?: string | null | undefined;
1251
2005
  image?: string | null | undefined;
1252
2006
  email?: string | null | undefined;
1253
- }>(options?: Partial<OAuthProviderCredentials<DribbbleProfile, DefaultUser>>) => OAuthProviderCredentials<DribbbleProfile, DefaultUser>;
2007
+ }>(options?: Partial<OpenIDProvider<AuthentikProfile, DefaultUser>>) => OpenIDProvider<AuthentikProfile, DefaultUser>;
1254
2008
  };
2009
+ declare const setDynamicParams: <const T extends string, P extends Record<string, unknown>>(template: T, params: P) => string;
2010
+ declare const defineOpenIDProviderConfig: (config: OpenIDProvider) => RuntimeOAuthProvider;
1255
2011
  /**
1256
2012
  * Constructs OAuth provider configurations from an array of provider names or configurations.
1257
2013
  * It loads the client ID and client secret from environment variables if only the provider name is provided.
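Review bot: `setDynamicParams` and `defineOpenIDProviderConfig` are declared without any doc comment, and for `setDynamicParams` the missing contract is security-relevant. It takes `params: P` with `P extends Record<string, unknown>` and returns a plain `string`, so nothing says whether substituted values are URL-encoded or what happens when a placeholder has no matching key. If the template is the provider's issuer URL, as the `GetRouteParams` intersection on `OpenIDProvider` suggests, the comment should state both, for example `/** Fills the placeholders of template from params; values are percent-encoded and a missing key throws. */`, adjusted to what the implementation actually does. Separately, `hubspot` takes `options?: OAuthProviderConfig<HubSpotProfile, DefaultUser>` while the other OAuth factories in this hunk take `Partial<OAuthProviderCredentials<…>>`; if that difference is deliberate it deserves a comment.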
@@ -1265,200 +2021,50 @@ declare const builtInOAuthProviders: {
1265
2021
  * // Using built-in provider with explicit credentials via factory
1266
2022
  * createBuiltInOAuthProviders([github({ clientId: "...", clientSecret: "..." })])
1267
2023
  */
1268
- declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | OAuthProviderCredentials<any>)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any>>;
2024
+ declare const createBuiltInOAuthProviders: (oauth?: (BuiltInOAuthProvider | RuntimeOAuthProvider<any> | OpenIDProvider)[]) => Record<LiteralUnion<BuiltInOAuthProvider>, RuntimeOAuthProvider<any>>;
1269
2025
  type BuiltInOAuthProvider = keyof typeof builtInOAuthProviders;
1270
2026
  //#endregion
1271
- //#region src/@types/session.d.ts
1272
- /** Application user type, inferred from the configured identity schema (defaults to the built-in user shape). */
1273
- type User = infer$1<typeof UserIdentity>;
1274
- /**
1275
- * Session data returned by the session endpoint.
1276
- */
1277
- interface Session<DefaultUser extends User = User> {
1278
- user: DefaultUser;
1279
- expires: string;
1280
- }
1281
- interface CryptoSecret {
1282
- sign: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1283
- encrypt: CryptoKey | CryptoKeyPair | JWK | JsonWebKey | AsymmetricKeyPair;
1284
- }
1285
- interface AsymmetricKeyPairFromEnv {
1286
- publicKey: string;
1287
- privateKey: string;
1288
- }
1289
- interface AsymmetricKeyPair {
1290
- publicKey: CryptoKey | JWK;
1291
- privateKey: CryptoKey | JWK;
1292
- }
1293
- /**
1294
- * A symmetric secret or asymmetric key pair used for JWT operations.
1295
- *
1296
- * - string / Uint8Array: used as-is for HMAC (signed) or AES (encrypted)
1297
- * - CryptoKey: Web Crypto API key, for environments that support it
1298
- * - CryptoKeyPair: asymmetric signing/encryption (RS256, ES256, EdDSA, RSA-OAEP, etc.)
1299
- */
1300
- type SecretKey = string | Uint8Array | CryptoKey | CryptoKeyPair | CryptoSecret | JWK | AsymmetricKeyPair;
1301
- /**
1302
- * @todo: add key rotation support for "SecretKey | CryptoKeyPair | [SecretKey | CryptoKeyPair, ...(SecretKey | CryptoKeyPair)[]]"
1303
- */
1304
- type JWTKey = SecretKey;
1305
- /**
1306
- * - "signed" → standard JWS (e.g. HS256, RS256, ES256).
1307
- * - "encrypted" → JWE only. (e.g. A256GCM with RSA-OAEP key wrapping).
1308
- * - "sealed" → JWS nested inside JWE (signed then encrypted).
1309
- */
1310
- type JWTMode = "signed" | "encrypted" | "sealed";
1311
- /**
1312
- * Signing algorithms for "signed" and "sealed" modes.
1313
- * Symmetric: HS256 | HS384 | HS512
1314
- * Asymmetric: RS256 | RS384 | RS512 | ES256 | ES384 | ES512 | EdDSA | PS256
1315
- */
1316
- type JWTSigningAlgorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "EdDSA" | "PS256";
1317
- /**
1318
- * Key-wrapping algorithms for "encrypted" and "sealed" modes.
1319
- * Symmetric: A128KW | A192KW | A256KW | dir (direct)
1320
- * ECDH: ECDH-ES | ECDH-ES+A128KW | ECDH-ES+A256KW
1321
- * RSA: RSA-OAEP | RSA-OAEP-256
1322
- */
1323
- type JWTKeyAlgorithm = "A128KW" | "A192KW" | "A256KW" | "dir" | "ECDH-ES" | "ECDH-ES+A128KW" | "ECDH-ES+A256KW" | "RSA-OAEP" | "RSA-OAEP-256";
1324
- /** Content-encryption algorithms for JWE. */
1325
- type JWTEncryptionAlgorithm = "A128CBC-HS256" | "A192CBC-HS384" | "A256CBC-HS512" | "A128GCM" | "A192GCM" | "A256GCM";
1326
- /** Signed JWT mode configuration. */
1327
- type JWTSignedMode = {
1328
- mode: "signed";
1329
- signingAlgorithm?: JWTSigningAlgorithm;
1330
- };
1331
- /** Encrypted JWT mode configuration. */
1332
- type JWTEncryptedMode = {
1333
- mode: "encrypted";
1334
- keyAlgorithm?: JWTKeyAlgorithm;
1335
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
2027
+ //#region src/@types/oauth.d.ts
2028
+ type OAuthAccessTokenResponseType = infer$1<typeof OAuthAccessTokenResponse>;
2029
+ type OIDCAccessTokenResponseType = infer$1<typeof OIDCAccessTokenResponseSchema>;
2030
+ type OIDCProviderContext = {
2031
+ issuer: string;
2032
+ jwks_uri?: string;
1336
2033
  };
1337
- /** Signed and Encrypted JWT mode configuration. */
1338
- type JWTSealedMode = {
1339
- mode?: "sealed";
1340
- signingAlgorithm?: JWTSigningAlgorithm;
1341
- keyAlgorithm?: JWTKeyAlgorithm;
1342
- encryptionAlgorithm?: JWTEncryptionAlgorithm;
2034
+ type RuntimeOAuthProvider<Profile extends object = Record<string, any>, DefaultUser extends User = User> = OAuthProviderCredentials<Profile, DefaultUser> & {
2035
+ oidc?: OIDCProviderContext;
1343
2036
  };
1344
- /** Discriminated union of JWT wire format: signed JWS, encrypted JWE, or nested sealed (JWS in JWE). */
1345
- type JWTConfigBase = JWTSignedMode | JWTEncryptedMode | JWTSealedMode;
1346
- /** How session/JWT lifetime is enforced relative to `iat`, absolute caps, and sliding windows. */
1347
- type JWTExpirationStrategy = "fixed" | "rolling" | "absolute" | "sliding";
1348
- type JWTConfig = Prettify<{
1349
- /**
1350
- * Token lifetime.
1351
- */
1352
- maxAge?: number;
1353
- /**
1354
- * JWT `iss` (issuer) claim. Set this to your app's canonical URL.
1355
- * @example "https://auth.example.com"
1356
- */
1357
- issuer?: string;
1358
- /**
1359
- * JWT `aud` claim. Single value or array for multi-audience tokens.
1360
- * @example ["https://api.example.com", "https://app.example.com"]
1361
- */
1362
- audience?: string | string[];
2037
+ type AccessTokenContext = {
1363
2038
  /**
1364
- * Maximum absolute session duration in seconds.
1365
- * Required for "absolute" and "sliding" strategies.
1366
- * Enforced via jose's maxTokenAge against the iat claim.
1367
- */
1368
- maxExpiration?: number;
1369
- /**
1370
- * Policy for renewing or capping token lifetime (pairs with `maxExpiration` where applicable).
2039
+ * Access token string returned by the OAuth provider's token endpoint. The token
2040
+ * must be used to exchange for user information from the provider's userinfo endpoint.
1371
2041
  */
1372
- expirationStrategy?: JWTExpirationStrategy;
1373
- } & JWTConfigBase>;
1374
- /**
1375
- * Stateless JWT strategy.
1376
- * No database required. Tokens are self-contained and cannot be revoked
1377
- * before they expire — keep `jwt.maxAge` short or enable refresh tokens.
1378
- *
1379
- * @example
1380
- * {
1381
- * strategy: "jwt",
1382
- * jwt: { mode: "sealed", maxAge: "15m", issuer: "https://auth.example.com" },
1383
- * refreshToken: { enabled: true, maxAge: "7d" },
1384
- * }
1385
- */
1386
- type StatelessStrategyConfig = {
1387
- strategy?: "jwt";
1388
- jwt?: JWTConfig;
1389
- };
1390
- /**
1391
- * The session strategy. Determines which fields below are required.
1392
- *
1393
- * - "jwt": stateless. No database needed. JWTs are self-contained.
1394
- * - "database": stateful. Every request hits the DB to validate the session.
1395
- * - "hybrid": JWT transport + DB revocation. Best of both for most apps.
1396
- *
1397
- * @default "jwt"
1398
- */
1399
- type SessionConfig = StatelessStrategyConfig;
1400
- /** Result of reading a stateless (JWT) session from a request: session payload and outgoing header mutations. */
1401
- interface GetStatelessSessionReturn<DefaultUser extends User = User> {
1402
- session: Session<DefaultUser> | null;
1403
- headers: Headers;
1404
- }
1405
- /**
1406
- * Abstraction layer for session management.
1407
- */
1408
- interface SessionStrategy<DefaultUser extends User = User> {
2042
+ accessToken: string;
1409
2043
  /**
1410
- * Read and validate the session from an incoming request.
1411
- * Returns null if absent, invalid, or expired. Never throws on auth failure.
2044
+ * The access token type returned by the OAuth provider's token endpoint, typically "Bearer".
1412
2045
  */
1413
- getSession(request: Headers): Promise<GetStatelessSessionReturn<DefaultUser>>;
2046
+ tokenType?: string | undefined;
1414
2047
  /**
1415
- * Create a session after successful authentication.
1416
- * Signs the JWT / writes the DB row / sets cookies.
2048
+ * The number of seconds until the access token expires, as returned by the OAuth provider's
2049
+ * token endpoint.
1417
2050
  */
1418
- createSession(session: User): Promise<string>;
2051
+ expiresIn?: number | undefined;
1419
2052
  /**
1420
- * Attempt to refresh using the refresh token cookie.
1421
- * Returns null session + cookie-clearing response on any failure.
2053
+ * Optional refresh token returned by the OAuth provider's token endpoint, which can be
2054
+ * used to obtain a new access token when the current one expires.
1422
2055
  */
1423
- refreshSession(headers: Headers, session: DeepPartial<Session<DefaultUser>>, skipCSRFCheck?: boolean): Promise<{
1424
- session: Session<DefaultUser> | null;
1425
- headers: Headers;
1426
- }>;
2056
+ refreshToken?: string | undefined;
1427
2057
  /**
1428
- * Revoke a session by ID.
1429
- * JWT strategy: best-effort (clears cookies, no server state).
1430
- * Database / hybrid: marks row inactive.
2058
+ * The scopes granted by the user for the access token, as returned by the OAuth provider's
2059
+ * token endpoint.
1431
2060
  */
1432
- revokeSession(sessionId: string): Promise<void>;
2061
+ scope?: string | string[] | null | undefined;
1433
2062
  /**
1434
- * Destroy the session attached to this request (logout).
1435
- * Returns a response that clears cookies.
2063
+ * The userinfo endpoint URL of the OAuth provider. This is required to fetch user
2064
+ * information using the access token.
1436
2065
  */
1437
- destroySession(request: Headers, skipCSRFCheck?: boolean): Promise<Headers>;
1438
- }
1439
- /** Inputs for constructing a session strategy implementation for a given identity schema. */
1440
- interface CreateSessionStrategyOptions<Identity extends Identities> {
1441
- config?: SessionConfig;
1442
- jose: JoseInstance<FromShapeToObject<Identity> & User>;
1443
- cookies: () => CookieStoreConfig;
1444
- logger?: InternalLogger;
1445
- identity: SchemaRegistryContext;
1446
- }
1447
- /** Options specialized for the JWT-backed session strategy. */
1448
- interface JWTStrategyOptions<DefaultUser extends User = User> {
1449
- config?: StatelessStrategyConfig;
1450
- jose: JoseInstance<DefaultUser>;
1451
- logger?: InternalLogger;
1452
- cookies: () => CookieStoreConfig;
1453
- identity: SchemaRegistryContext;
1454
- }
1455
- /** Minimal token issue/verify surface used by session code paths. */
1456
- type JWTManager<DefaultUser extends User = User> = {
1457
- createToken(user: TypedJWTPayload<Partial<DefaultUser>>): Promise<string>;
1458
- verifyToken(token: string): Promise<TypedJWTPayload<DefaultUser>>;
2066
+ userInfoURL: string;
1459
2067
  };
1460
- //#endregion
1461
- //#region src/@types/oauth.d.ts
1462
2068
  /** Known query parameter names supported when building an OAuth authorization URL. */
1463
2069
  type AuthorizeParams = LiteralUnion<"clientId" | "prompt" | "scope" | "responseMode" | "audience" | "loginHint" | "nonce" | "display">;
1464
2070
  /** OAuth 2.0 `response_type` values used in authorization requests. */
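Review bot: `OIDCProviderContext.jwks_uri` is optional and undocumented, so the types do not say how an ID token's signature is checked when a provider context carries only `issuer`. The implementation is not visible in this file, so this may already be handled through discovery. The field should say so, e.g. `/** JWKS URL used to verify ID token signatures; when absent it is resolved from the issuer's discovery document. */`, or become required if there is no fallback. `AccessTokenContext` also hands `accessToken` and `refreshToken` to provider-supplied code, and its comments could note that both are secrets that must not be logged or returned as part of the profile.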
@@ -1489,6 +2095,9 @@ interface OAuthProviderConfig<Profile extends object = Record<string, any>, Defa
1489
2095
  url: string;
1490
2096
  headers?: Record<string, string>;
1491
2097
  method?: string;
2098
+ } | {
2099
+ url: string;
2100
+ request: (context: AccessTokenContext) => Profile | Promise<Profile>;
1492
2101
  };
1493
2102
  /**
1494
2103
  * @deprecated
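Review bot: The new `{ url; request }` member of the `userInfo` union has no doc comment, and it overlaps with `AccessTokenContext.userInfoURL` in a way the types do not explain. A reader cannot tell whether `url` is what reaches the callback as `userInfoURL`, or whether the library still issues its own userinfo request once `request` is set. A comment such as `/** Custom fetcher: called in place of the built-in userinfo request with the token context; must return the raw provider profile. */` would settle it, once confirmed against the implementation. The enclosing `OAuthProviderConfig` interface starts and ends outside this hunk.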
@@ -1518,14 +2127,17 @@ type OAuthProvider<Profile extends object = Record<string, any>, DefaultUser ext
1518
2127
  * Lookup table of configured OAuth providers keyed by built-in id or custom id.
1519
2128
  * Values are full credential configs used at runtime for authorize/token/userinfo.
1520
2129
  */
1521
- type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>, OAuthProviderCredentials<any, DefaultUser>>;
2130
+ type OAuthProviderRecord<DefaultUser extends User = User> = Record<LiteralUnion<BuiltInOAuthProvider>, RuntimeOAuthProvider<any, DefaultUser>>;
2131
+ type CustomUserInfoFunction = Extract<OAuthProviderConfig["userInfo"], {
2132
+ request: (context: AccessTokenContext) => any;
2133
+ }>;
1522
2134
  //#endregion
1523
2135
  //#region src/@types/config.d.ts
1524
2136
  /**
1525
2137
  * Main configuration interface for Aura Auth.
1526
2138
  * This is the user-facing configuration object passed to `createAuth()`.
1527
2139
  */
1528
- type AuthConfig<Identity extends Identities> = {
2140
+ type AuthConfig<Identity extends Identities, SignUpSchema extends SchemaTypes = ZodObject$1<any>> = {
1529
2141
  /**
1530
2142
  * OAuth providers available in the authentication and authorization flows. It provides a type-inference
1531
2143
  * for the OAuth providers that are supported by Aura Stack Auth; alternatively, you can provide a custom
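Review bot: `CustomUserInfoFunction` resolves to the object member `{ url; request }` of `OAuthProviderConfig["userInfo"]`, not to a function type, so the name misleads wherever it is used for narrowing. A name like `CustomUserInfoConfig` would read correctly; failing that, a one-line comment such as `/** The userInfo variant that supplies its own request callback. */` would help. The `AuthConfig` type opened at the end of this hunk continues outside it.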
@@ -1556,7 +2168,7 @@ type AuthConfig<Identity extends Identities> = {
1556
2168
  * ]
1557
2169
  * ```
1558
2170
  */
1559
- oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>>)[];
2171
+ oauth: (BuiltInOAuthProvider | OAuthProviderCredentials<any, FromShapeToObject<Identity>> | OpenIDProvider<any, FromShapeToObject<Identity>>)[];
1560
2172
  /**
1561
2173
  * Cookie options defines the configuration for cookies used in Aura Auth.
1562
2174
  * It includes a prefix for cookie names and flag options to determine
@@ -1667,6 +2279,15 @@ type AuthConfig<Identity extends Identities> = {
1667
2279
  * Credentials provider for username/password or similar authentication.
1668
2280
  */
1669
2281
  credentials?: CredentialsProvider<Identity>;
2282
+ /**
2283
+ * Configuration for the signUp process, including the schema for validation
2284
+ * and required callback for user creation.
2285
+ */
2286
+ signUp?: SignUpConfig<Identity, SignUpSchema>;
2287
+ /**
2288
+ * Rate limiter configuration to protect authentication endpoints from DoS/DDoS attacks.
2289
+ */
2290
+ rateLimiter?: RateLimiterConfig$1;
1670
2291
  } & TrustedProxyHeadersConfig;
1671
2292
  type TrustedProxyHeadersConfig = {
1672
2293
  /**
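Review bot: The `rateLimiter` comment does not say what happens when the option is omitted, which is the configuration most deployments will run with. A later hunk declares `rateLimiters: InferRules<Required<RateLimiterConfig$1>>` as non-optional on `RouterGlobalContext`, which suggests defaults are filled in, but that should be stated here. The comment should also say how clients are keyed; presumably that is an address taken from the trusted proxy headers configured just below, which would make that setting part of the limiter's security. Suggested wording, to be confirmed against the implementation: `Rate limiter configuration for authentication endpoints (brute-force and credential-stuffing protection as well as request floods). When omitted, built-in defaults apply.`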
@@ -1783,7 +2404,7 @@ type CookieStrategyAttributes = StandardCookie | SecureCookie | HostCookie;
1783
2404
  * - `redirectURI`: OAuth callback URI
1784
2405
  * - `redirectTo`: Post-authentication redirect path
1785
2406
  */
1786
- type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI";
2407
+ type CookieName = "sessionToken" | "csrfToken" | "state" | "codeVerifier" | "redirectTo" | "redirectURI" | "nonce";
1787
2408
  /** Resolved cookie names and serialization attributes for each logical auth cookie. */
1788
2409
  type CookieStoreConfig = Record<CookieName, {
1789
2410
  name: string;
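Review bot: `"nonce"` is added to `CookieName`, but the bullet list in the doc comment above the type gets no matching entry; that list is visible here only from `redirectURI` onward. A line such as `* - nonce: OIDC nonce sent with the authorization request and compared with the ID token's nonce claim on callback` would document it, assuming that is how the cookie is used. Because `CookieStoreConfig` is `Record<CookieName, …>`, any hand-built cookie configuration now needs a `nonce` entry, which is worth calling out in the release notes.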
@@ -1838,7 +2459,7 @@ interface Logger {
1838
2459
  * Programmatic auth API returned with the auth instance: `getSession`, `signIn`, `signInCredentials`, `signOut`, `updateSession`.
1839
2460
  * Each method returns a result object plus `headers` and `toResponse()` for HTTP responses.
1840
2461
  */
1841
- type AuthAPI<DefaultUser extends User = User> = ReturnType<typeof createAuthAPI<DefaultUser>>;
2462
+ type AuthAPI<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> = ReturnType<typeof createAuthAPI<DefaultUser, SignUpSchema>>;
1842
2463
  /** JWT and crypto helpers bound to the configured identity schema (sign, verify, claims). */
1843
2464
  type JoseInstance<DefaultUser extends User = User> = ReturnType<typeof createJoseInstance<DefaultUser>>;
1844
2465
  /** Normalized internal logger with resolved level and structured log function. */
@@ -1895,7 +2516,7 @@ interface CredentialsProvider<Identity extends Identities> {
1895
2516
  * Runtime context passed into auth actions and API handlers: OAuth map, cookies, JWT, session strategy, trusted origins, etc.
1896
2517
  * This is the fully resolved configuration surface after `createAuth` initializes defaults.
1897
2518
  */
1898
- interface RouterGlobalContext<DefaultUser extends User = User> {
2519
+ interface RouterGlobalContext<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> {
1899
2520
  oauth: OAuthProviderRecord;
1900
2521
  credentials?: CredentialsProvider<any>;
1901
2522
  cookies: CookieStoreConfig;
@@ -1908,6 +2529,9 @@ interface RouterGlobalContext<DefaultUser extends User = User> {
1908
2529
  logger?: InternalLogger;
1909
2530
  sessionStrategy: SessionStrategy<DefaultUser>;
1910
2531
  identity: SchemaRegistryContext;
2532
+ signUp?: SignUpConfig<DefaultUser, SignUpSchema>;
2533
+ jwtManager: JWTManager<DefaultUser>;
2534
+ rateLimiters: InferRules<Required<RateLimiterConfig$1>>;
1911
2535
  }
1912
2536
  interface SchemaRegistryContext {
1913
2537
  schemaRegistry: ReturnType<typeof createSchemaRegistry>;
@@ -1922,11 +2546,11 @@ type AuthRuntimeConfig<DefaultUser extends User = User> = RouterGlobalContext<De
1922
2546
  /**
1923
2547
  * Public auth instance: programmatic {@link AuthAPI}, {@link JoseInstance}, and HTTP {@link AuthClient} handlers.
1924
2548
  */
1925
- interface AuthInstance<DefaultUser extends User = User> {
2549
+ interface AuthInstance<DefaultUser extends User = User, SignUpSchema extends SchemaTypes = ZodObject$1<any>> {
1926
2550
  /**
1927
2551
  * Programmatic API for authentication actions (getSession, signIn, signOut, etc.) that can be used in server-side contexts or API routes.
1928
2552
  */
1929
- api: AuthAPI<DefaultUser>;
2553
+ api: AuthAPI<DefaultUser, SignUpSchema>;
1930
2554
  /**
1931
2555
  * JOSE helper functions for signin, encryption and verification of JWTs.
1932
2556
  */
@@ -1944,12 +2568,32 @@ interface AuthInstance<DefaultUser extends User = User> {
1944
2568
  /**
1945
2569
  * Extended context used inside the library with both secure and standard cookie materializations.
1946
2570
  */
1947
- type InternalContext<Identity extends Identities> = RouterGlobalContext<FromShapeToObject<Identity> & User> & {
2571
+ type InternalContext<Identity extends Identities, SignUpSchema extends SchemaTypes> = RouterGlobalContext<FromShapeToObject<Identity>, SignUpSchema> & {
1948
2572
  cookieConfig: {
1949
2573
  secure: CookieStoreConfig;
1950
2574
  standard: CookieStoreConfig;
1951
2575
  };
1952
2576
  };
2577
+ interface OnCreateUserContext<Schema extends SchemaTypes> {
2578
+ payload: InferSchema<Schema>;
2579
+ }
2580
+ /**
2581
+ * Configuration for the signUp process, including the schema for validation
2582
+ * and required callback for user creation.
2583
+ */
2584
+ interface SignUpConfig<Identity extends Identities, SignUpSchema extends SchemaTypes> {
2585
+ /**
2586
+ * Optional schema for validating the sign-up payload. It supports any
2587
+ * Zod, Arktype, Valibot or Typebox schema.
2588
+ */
2589
+ schema?: SignUpSchema;
2590
+ /**
2591
+ * Callback function that is called when a new user signs up. It receives the validated
2592
+ * sign-up payload and must handle the user creation.
2593
+ */
2594
+ onCreateUser: (context: OnCreateUserContext<SignUpSchema>) => Promise<FromShapeToObject<Identity> | null> | FromShapeToObject<Identity> | null;
2595
+ }
2596
+ type RateLimiterConfig$1 = Partial<RateLimiterConfig<Record<"signIn" | "signInCredentials" | "updateSession" | "signUp", RateLimiterRule>>["rules"]>;
1953
2597
  //#endregion
1954
2598
  //#region src/@types/utility.d.ts
1955
2599
  /** Expands intersection types into a single flat object type for readable editor hints. */
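Review bot: `SignUpConfig.schema` is optional, yet the comment on `onCreateUser` promises that the callback "receives the validated sign-up payload"; the `/signUp` route later in this file types its body as `SignUpSchema | undefined`, so with no schema the callback appears to receive the request body as sent. Either make `schema` required or say so in the doc, e.g. `* When schema is omitted the payload is not validated; validate it inside onCreateUser.`. The comment should also state what a `null` return means and that credential handling such as password hashing is left to the callback, since nothing in these types does it. `OnCreateUserContext` and `RateLimiterConfig$1` have no doc comments at all.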
@@ -1981,6 +2625,20 @@ type Merge<A, B> = Omit<A, keyof B> & B;
1981
2625
  */
1982
2626
  type ZodShapeToObject<S extends ZodRawShape = ZodRawShape> = Merge<__Infer<ZodObject<S>>, User>;
1983
2627
  type FromShapeToObject<S> = S extends ZodRawShape ? ZodShapeToObject<S> : S extends ObjectEntries ? ValibotShapeToObject<S> : S extends Type ? ArktypeShapeToObject<S> : S extends TProperties ? TypeboxShapeToObject<S> : S extends User ? S : never;
2628
+ type EditableToSchema<T> = T extends EditableShape<infer S> ? ZodObject<S> : T extends EditableShapeValibot<infer S> ? ObjectSchema<S, undefined> : T extends EditableShapeTypebox<infer S> ? TObject<S> : T extends EditableShapeArkType<any> ? T : never;
2629
+ type ReturnUpdateSessionShape<T> = T extends EditableShape<infer S> ? ZodObject<{
2630
+ user?: ZodObject<S>;
2631
+ expires?: ZodOptional<ZodTypeAny>;
2632
+ }> : T extends EditableShapeValibot<infer S> ? ObjectSchema<{
2633
+ user?: ObjectSchema<S, undefined>;
2634
+ expires?: BaseSchema<any, any, any>;
2635
+ }, undefined> : T extends EditableShapeArkType<any> ? Type<{
2636
+ user?: T;
2637
+ expires?: Type<string>;
2638
+ }> : T extends EditableShapeTypebox<infer S> ? TObject<{
2639
+ user?: TObject<S>;
2640
+ expires?: TSchema;
2641
+ }> : never;
1984
2642
  /** Recursively makes every property required. */
1985
2643
  type DeepRequired<T> = { [K in keyof T]-?: T[K] extends object ? DeepRequired<T[K]> : T[K] };
1986
2644
  /** Recursively makes every property optional. */
@@ -2030,7 +2688,7 @@ type InferZodShape<T extends ZodObject> = T["shape"];
2030
2688
  *
2031
2689
  * type User = UserFrom<typeof schema>
2032
2690
  */
2033
- type UserFrom<T extends ZodObject> = Prettify<ZodShapeToObject<InferZodShape<T>>>;
2691
+ type UserFrom<T extends SchemaTypes> = Prettify<RemoveIndexSignature<InferSchema<T>>>;
2034
2692
  /**
2035
2693
  * Infers the session type from a Zod identity schema.
2036
2694
  * @example
@@ -2042,7 +2700,29 @@ type UserFrom<T extends ZodObject> = Prettify<ZodShapeToObject<InferZodShape<T>>
2042
2700
  *
2043
2701
  * type Session = SessionFrom<typeof schema>
2044
2702
  */
2045
- type SessionFrom<T extends ZodObject> = Wrap<Session<Wrap<UserFrom<T>>>>;
2703
+ type SessionFrom<T extends SchemaTypes> = Wrap<Session<Merge<UserFrom<T>, User>>>;
2704
+ /**
2705
+ * Infers the sign-up data type from an {@link AuthInstance} config's `signUp.schema`. It supports
2706
+ * Zod, Valibot and ArkType schemas.
2707
+ *
2708
+ * > For TypeBox its recommended to use the `Static` utility type directly to infer the schema.
2709
+ *
2710
+ * @example
2711
+ * const auth = createAuth({
2712
+ * oauth: [],
2713
+ * signUp: {
2714
+ * schema: z.object({
2715
+ * username: z.string(),
2716
+ * nickname: z.string(),
2717
+ * password: z.string(),
2718
+ * })
2719
+ * }
2720
+ * })
2721
+ *
2722
+ * type SignUp = InferSignUp<typeof auth>
2723
+ */
2724
+ type InferSignUp<Config extends AuthInstance> = Config extends AuthInstance<infer _, infer SignUpSchema> ? Wrap<RemoveIndexSignature<InferSchema<SignUpSchema>>> : Record<string, any>;
2725
+ type RemoveIndexSignature<T> = { [K in keyof T as string extends K ? never : number extends K ? never : symbol extends K ? never : K]: T[K] };
2046
2726
  /**
2047
2727
  * HTTP `Response` with `json()` typed to resolve to `Body` (defaults to `unknown`).
2048
2728
  */
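Review bot: The `@example` in the `InferSignUp` doc comment passes `signUp: { schema }` without `onCreateUser`, which `SignUpConfig` declares as required, so the snippet would not type-check as written. Add a stub such as `onCreateUser: async ({ payload }) => createUser(payload),` to the example, with `createUser` standing for the application's own function. In the quoted TypeBox note, "its recommended" should read "it is recommended". The fallback branch `Record<string, any>` gives no checking at all, which deserves a sentence in the comment.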
@@ -2052,10 +2732,10 @@ type AuthResponse<Body = unknown> = Prettify<Omit<Response, "json"> & {
2052
2732
  type RequiredKeys<Obj extends object, Keys extends keyof Obj = keyof Obj> = Wrap<{ [K in Keys]-?: Obj[K] } & Omit<Obj, Keys>>;
2053
2733
  //#endregion
2054
2734
  //#region src/createAuth.d.ts
2055
- declare const createAuthInstance: <Identity extends Identities>(authConfig: AuthConfig<Identity>) => {
2056
- handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2735
+ declare const createAuthInstance: <Identity extends Identities, SignUpSchema extends SchemaTypes>(authConfig: AuthConfig<Identity, SignUpSchema>) => {
2736
+ handlers: _$_aura_stack_router0.Router<[_$_aura_stack_router0.RouteEndpoint<"/signIn/:oauth", "GET", {
2057
2737
  schemas?: {
2058
- params: _$zod.ZodObject<{
2738
+ params: ZodObject$1<{
2059
2739
  oauth: _$zod.ZodEnum<{
2060
2740
  [x: string & Record<never, never>]: string & Record<never, never>;
2061
2741
  github: "github";
@@ -2074,15 +2754,19 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2074
2754
  atlassian: "atlassian";
2075
2755
  clickUp: "clickUp";
2076
2756
  dribbble: "dribbble";
2757
+ hubspot: "hubspot";
2758
+ google: "google";
2759
+ huggingface: "huggingface";
2760
+ authentik: "authentik";
2077
2761
  }>;
2078
2762
  }, _$zod_v4_core0.$strip>;
2079
- searchParams: _$zod.ZodObject<{
2763
+ searchParams: ZodObject$1<{
2080
2764
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2081
2765
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2082
2766
  }, _$zod_v4_core0.$strip>;
2083
2767
  } | undefined;
2084
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2085
- params: _$zod.ZodObject<{
2768
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/:oauth", "GET", {
2769
+ params: ZodObject$1<{
2086
2770
  oauth: _$zod.ZodEnum<{
2087
2771
  [x: string & Record<never, never>]: string & Record<never, never>;
2088
2772
  github: "github";
@@ -2101,9 +2785,13 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2101
2785
  atlassian: "atlassian";
2102
2786
  clickUp: "clickUp";
2103
2787
  dribbble: "dribbble";
2788
+ hubspot: "hubspot";
2789
+ google: "google";
2790
+ huggingface: "huggingface";
2791
+ authentik: "authentik";
2104
2792
  }>;
2105
2793
  }, _$zod_v4_core0.$strip>;
2106
- searchParams: _$zod.ZodObject<{
2794
+ searchParams: ZodObject$1<{
2107
2795
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2108
2796
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2109
2797
  }, _$zod_v4_core0.$strip>;
@@ -2119,23 +2807,23 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2119
2807
  redirect: false;
2120
2808
  signInURL: null;
2121
2809
  }>;
2122
- }>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2810
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/signIn/credentials", "POST", {
2123
2811
  schemas?: {
2124
- body: _$zod.ZodObject<{
2812
+ body: ZodObject$1<{
2125
2813
  username: _$zod.ZodString;
2126
2814
  password: _$zod.ZodString;
2127
2815
  }, _$zod_v4_core0.$strip>;
2128
- searchParams: _$zod.ZodObject<{
2816
+ searchParams: ZodObject$1<{
2129
2817
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2130
2818
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2131
2819
  }, _$zod_v4_core0.$strip>;
2132
2820
  } | undefined;
2133
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2134
- body: _$zod.ZodObject<{
2821
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signIn/credentials", "POST", {
2822
+ body: ZodObject$1<{
2135
2823
  username: _$zod.ZodString;
2136
2824
  password: _$zod.ZodString;
2137
2825
  }, _$zod_v4_core0.$strip>;
2138
- searchParams: _$zod.ZodObject<{
2826
+ searchParams: ZodObject$1<{
2139
2827
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2140
2828
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2141
2829
  }, _$zod_v4_core0.$strip>;
@@ -2159,9 +2847,9 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2159
2847
  redirect: false;
2160
2848
  redirectURL: null;
2161
2849
  }>;
2162
- }>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2850
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/callback/:oauth", "GET", {
2163
2851
  schemas?: {
2164
- params: _$zod.ZodObject<{
2852
+ params: ZodObject$1<{
2165
2853
  oauth: _$zod.ZodEnum<{
2166
2854
  [x: string & Record<never, never>]: string & Record<never, never>;
2167
2855
  github: "github";
@@ -2180,15 +2868,19 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2180
2868
  atlassian: "atlassian";
2181
2869
  clickUp: "clickUp";
2182
2870
  dribbble: "dribbble";
2871
+ hubspot: "hubspot";
2872
+ google: "google";
2873
+ huggingface: "huggingface";
2874
+ authentik: "authentik";
2183
2875
  }>;
2184
2876
  }, _$zod_v4_core0.$strip>;
2185
- searchParams: _$zod.ZodObject<{
2877
+ searchParams: ZodObject$1<{
2186
2878
  code: _$zod.ZodString;
2187
2879
  state: _$zod.ZodString;
2188
2880
  }, _$zod_v4_core0.$strip>;
2189
2881
  } | undefined;
2190
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth", _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2191
- params: _$zod.ZodObject<{
2882
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/callback/:oauth", "GET", {
2883
+ params: ZodObject$1<{
2192
2884
  oauth: _$zod.ZodEnum<{
2193
2885
  [x: string & Record<never, never>]: string & Record<never, never>;
2194
2886
  github: "github";
@@ -2207,9 +2899,13 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2207
2899
  atlassian: "atlassian";
2208
2900
  clickUp: "clickUp";
2209
2901
  dribbble: "dribbble";
2902
+ hubspot: "hubspot";
2903
+ google: "google";
2904
+ huggingface: "huggingface";
2905
+ authentik: "authentik";
2210
2906
  }>;
2211
2907
  }, _$zod_v4_core0.$strip>;
2212
- searchParams: _$zod.ZodObject<{
2908
+ searchParams: ZodObject$1<{
2213
2909
  code: _$zod.ZodString;
2214
2910
  state: _$zod.ZodString;
2215
2911
  }, _$zod_v4_core0.$strip>;
@@ -2230,16 +2926,16 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2230
2926
  success: false;
2231
2927
  session: null;
2232
2928
  }>;
2233
- }>>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2929
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/signOut", "POST", {
2234
2930
  schemas?: {
2235
- searchParams: _$zod.ZodObject<{
2931
+ searchParams: ZodObject$1<{
2236
2932
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2237
2933
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2238
2934
  token_type_hint: _$zod.ZodLiteral<"session_token">;
2239
2935
  }, _$zod_v4_core0.$strip>;
2240
2936
  } | undefined;
2241
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2242
- searchParams: _$zod.ZodObject<{
2937
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signOut", "POST", {
2938
+ searchParams: ZodObject$1<{
2243
2939
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2244
2940
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2245
2941
  token_type_hint: _$zod.ZodLiteral<"session_token">;
@@ -2266,17 +2962,33 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2266
2962
  }>;
2267
2963
  }>>>, _$_aura_stack_router0.RouteEndpoint<"/csrfToken", "GET", {
2268
2964
  schemas?: _$_aura_stack_router0.EndpointSchemas | undefined;
2269
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2965
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/csrfToken", "GET", _$_aura_stack_router0.EndpointSchemas>>) => Promise<Response>>, _$_aura_stack_router0.RouteEndpoint<"/session", "PATCH", {
2270
2966
  schemas?: {
2271
- body: any;
2272
- searchParams: _$zod.ZodObject<{
2967
+ body: _$arktype_internal_variants_object_ts0.ObjectType<{
2968
+ user?: _$arktype_internal_variants_object_ts0.ObjectType<{
2969
+ sub: any;
2970
+ name?: any;
2971
+ image?: any;
2972
+ email?: any;
2973
+ }, {}> | undefined;
2974
+ expires?: _$arktype.Type<string>;
2975
+ }, {}>;
2976
+ searchParams: ZodObject$1<{
2273
2977
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2274
2978
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2275
2979
  }, _$zod_v4_core0.$strip>;
2276
2980
  } | undefined;
2277
- }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<`/${string}`, _$_aura_stack_router0.HTTPMethod | _$_aura_stack_router0.HTTPMethod[], {
2278
- body: any;
2279
- searchParams: _$zod.ZodObject<{
2981
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/session", "PATCH", {
2982
+ body: _$arktype_internal_variants_object_ts0.ObjectType<{
2983
+ user?: _$arktype_internal_variants_object_ts0.ObjectType<{
2984
+ sub: any;
2985
+ name?: any;
2986
+ image?: any;
2987
+ email?: any;
2988
+ }, {}> | undefined;
2989
+ expires?: _$arktype.Type<string>;
2990
+ }, {}>;
2991
+ searchParams: ZodObject$1<{
2280
2992
  redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
2281
2993
  redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
2282
2994
  }, _$zod_v4_core0.$strip>;
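Review bot: The `PATCH /session` body type in this hunk now lists `user.sub` (required inside `user`) and `expires` as accepted fields, both in `schemas.body` and in the `EndpointMeta` copy below it. Whether the handler ignores a client-supplied `sub` or caps `expires` cannot be seen in a declaration file, so it is worth confirming that a session update can neither change the subject nor lengthen the session beyond the configured lifetime, and documenting that on the `updateSession` types. The fields are typed `any`, so the declaration gives callers no hint about the expected values. This type appears to be inferred from the default identity schema, and the enclosing `createAuthInstance` declaration starts and ends outside the hunk.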
@@ -2319,28 +3031,48 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2319
3031
  redirect: false;
2320
3032
  redirectURL: null;
2321
3033
  }>;
3034
+ }>>>, _$_aura_stack_router0.RouteEndpoint<"/signUp", "POST", {
3035
+ schemas?: {
3036
+ body: SignUpSchema | undefined;
3037
+ searchParams: ZodObject$1<{
3038
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
3039
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
3040
+ }, _$zod_v4_core0.$strip>;
3041
+ } | undefined;
3042
+ }, (ctx: _$_aura_stack_router0.RequestContext<_$_aura_stack_router0.EndpointMeta<"/signUp", "POST", {
3043
+ body: SignUpSchema | undefined;
3044
+ searchParams: ZodObject$1<{
3045
+ redirect: _$zod.ZodDefault<_$zod.ZodOptional<_$zod.ZodCodec<_$zod.ZodString, _$zod.ZodBoolean>>>;
3046
+ redirectTo: _$zod.ZodOptional<_$zod.ZodString>;
3047
+ }, _$zod_v4_core0.$strip>;
3048
+ }>>) => Promise<Prettify<Omit<Response, "json"> & {
3049
+ json(): Promise<{
3050
+ success: true;
3051
+ redirect: true;
3052
+ redirectURL: null;
3053
+ } | {
3054
+ success: true;
3055
+ redirect: false;
3056
+ redirectURL: string;
3057
+ } | {
3058
+ success: true;
3059
+ redirect: false;
3060
+ redirectURL: null;
3061
+ }>;
3062
+ }> | Prettify<Omit<Response, "json"> & {
3063
+ json(): Promise<{
3064
+ success: false;
3065
+ redirect: false;
3066
+ redirectURL: null;
3067
+ }>;
2322
3068
  }>>>]>;
2323
3069
  jose: any;
2324
3070
  api: {
2325
- getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<{
2326
- sub: string;
2327
- name?: string | null | undefined;
2328
- image?: string | null | undefined;
2329
- email?: string | null | undefined;
2330
- }>>;
3071
+ getSession: (options: GetSessionAPIOptions) => Promise<GetSessionAPIReturn<FromShapeToObject<Identity>>>;
2331
3072
  signIn: (oauth: LiteralUnion<BuiltInOAuthProvider>, options?: SignInAPIOptions) => Promise<SignInAPIReturn>;
2332
3073
  signInCredentials: (options: SignInCredentialsAPIOptions) => Promise<SignInCredentialsAPIReturn>;
2333
- updateSession: (options: UpdateSessionAPIOptions<{
2334
- sub: string;
2335
- name?: string | null | undefined;
2336
- image?: string | null | undefined;
2337
- email?: string | null | undefined;
2338
- }>) => Promise<UpdateSessionAPIReturn<{
2339
- sub: string;
2340
- name?: string | null | undefined;
2341
- image?: string | null | undefined;
2342
- email?: string | null | undefined;
2343
- }>>;
3074
+ signUp: <Payload extends Record<string, any> = Wrap<RemoveIndexSignature<_$_aura_stack_router0.InferSchema<SignUpSchema, _$_aura_stack_router0.SchemaKind<SignUpSchema>>>>>(options: SignUpAPIOptions<Payload>) => Promise<SignUpAPIReturn>;
3075
+ updateSession: (options: UpdateSessionAPIOptions<FromShapeToObject<Identity>>) => Promise<UpdateSessionAPIReturn<FromShapeToObject<Identity>>>;
2344
3076
  signOut: (options: SignOutAPIOptions) => Promise<SignOutAPIReturn>;
2345
3077
  };
2346
3078
  };
@@ -2367,7 +3099,7 @@ declare const createAuthInstance: <Identity extends Identities>(authConfig: Auth
2367
3099
  * }]
2368
3100
  * })
2369
3101
  */
2370
- declare const createAuth: <Identity extends Identities = EditableShape<UserShape>>(config: AuthConfig<Identity>) => AuthInstance<FromShapeToObject<Identity>>;
3102
+ declare const createAuth: <Identity extends Identities = EditableShape<UserShape>, SignUpSchema extends SchemaTypes = ZodObject$1<any>>(config: AuthConfig<Identity, SignUpSchema>) => AuthInstance<FromShapeToObject<Identity>, SignUpSchema>;
2371
3103
  //#endregion
2372
3104
  //#region src/@types/errors.d.ts
2373
3105
  /** Map of field or logical keys to API validation error payloads (code + message). */
@@ -2622,7 +3354,7 @@ type SignInCredentialsReturn<Options extends SignInCredentialsOptions> = Options
2622
3354
  redirect: false;
2623
3355
  }> : void;
2624
3356
  /** Server/programmatic credentials sign-in options. */
2625
- interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest {
3357
+ interface SignInCredentialsAPIOptions extends APIOptionsWithRedirectTo, APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
2626
3358
  /**
2627
3359
  * Credentials payload validated by the configured `credentials.authorize` function.
2628
3360
  * @example
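Review bot: `SignInCredentialsAPIOptions` now extends `APIOptionsWithSkipCSRFCheck`, but the one-line comment above it does not mention that callers can turn the CSRF check off; `SignUpAPIOptions` in the next hunk extends the same interface with no comment at all. The definition of `APIOptionsWithSkipCSRFCheck` is outside this view, so the exact field is not shown, but the doc should say when skipping is acceptable, e.g. `/** Server/programmatic credentials sign-in options. The CSRF check may be skipped only for calls that do not forward a browser request. */`. If the option defaults to skipping, state that explicitly. The interface body continues past the hunk.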
@@ -2716,6 +3448,39 @@ interface UpdateSessionAPIOptions<DefaultUser extends User = User> extends Requi
2716
3448
  }
2717
3449
  /** Programmatic session update result with redirect metadata and `toResponse()`. */
2718
3450
  type UpdateSessionAPIReturn<DefaultUser extends User = User> = AuthActionAPIReturn<UpdateSessionReturnData<DefaultUser>>;
3451
+ interface SignUpAPIOptions<Payload extends Record<string, any> = Record<string, any>> extends APIOptionsWithRedirectTo, APIOptionsWithRequest, APIOptionsWithSkipCSRFCheck {
3452
+ payload: Payload;
3453
+ }
3454
+ type SignUpReturnData = /** redirect: true & redirectTo: string */{
3455
+ success: true;
3456
+ redirect: true;
3457
+ redirectURL: null;
3458
+ } /** redirect: false & redirectTo: string */ | {
3459
+ success: true;
3460
+ redirect: false;
3461
+ redirectURL: string;
3462
+ }
3463
+ /** redirect: false & redirectTo: null | undefined (not set) */
3464
+ /** redirect: true & redirectTo: null | undefined (not set) */
3465
+ | {
3466
+ success: true;
3467
+ redirect: false;
3468
+ redirectURL: null;
3469
+ } /** Failed sign-up */ | {
3470
+ success: false;
3471
+ redirect: false;
3472
+ redirectURL: null;
3473
+ };
3474
+ /** Programmatic sign-up result with redirect metadata and `toResponse()`. */
3475
+ type SignUpAPIReturn = AuthActionAPIReturn<SignUpReturnData>;
3476
+ type SignUpOptions<SignUpSchema extends Record<string, any> = Record<string, any>> = OptionsWithRedirectTo & {
3477
+ payload: SignUpSchema;
3478
+ };
3479
+ type SignUpReturn<Options extends SignUpOptions> = Options extends {
3480
+ redirect: false;
3481
+ } ? Extract<SignUpReturnData, {
3482
+ redirect: false;
3483
+ }> : void;
2719
3484
  //#endregion
2720
3485
  //#region src/@types/index.d.ts
2721
3486
  /**
@@ -2743,4 +3508,4 @@ type AuthClientOptions = Prettify<Omit<ClientOptions, "baseURL"> & {
2743
3508
  baseURL?: string;
2744
3509
  }>;
2745
3510
  //#endregion
2746
- export { FromShapeToObject as $, SpotifyProfile as $n, JWTEncryptionAlgorithm as $t, UpdateSessionOptions as A, Name as An, Logger as At, TokenRevocationError as B, twitch as Bn, OAuthProvider as Bt, SignOutAPIOptions as C, clickUp as Cn, UserShapeArkType as Cr, CredentialsProviderContext as Ct, SignOutReturnData as D, AccountType as Dn, InternalLogger as Dt, SignOutReturn as E, atlassian as En, createIdentity as Er, InternalContext as Et, AuthInternalErrorCode as F, NotionUser as Fn, StandardCookie as Ft, DeepPartial as G, mailchimp as Gn, AsymmetricKeyPair as Gt, ArktypeShapeToObject as H, pinterest as Hn, OAuthProviderCredentials as Ht, AuthSecurityErrorCode as I, Owner as In, SyslogOptions as It, EditableShapeArkType as J, SummaryGear as Jn, CryptoSecret as Jt, DeepRequired as K, StravaProfile as Kn, AsymmetricKeyPairFromEnv as Kt, AuthorizationError as L, Person as Ln, TrustedOrigin as Lt, UpdateSessionReturnData as M, dropbox as Mn, SchemaRegistryContext as Mt, APIErrorMap as N, Bot as Nn, SecureCookie as Nt, UpdateSessionAPIOptions as O, DropboxProfile as On, JoseInstance as Ot, AccessTokenError as P, NotionProfile as Pn, Severity as Pt, EditableUser as Q, SpotifyImage as Qn, JWTEncryptedMode as Qt, ErrorType as R, notion as Rn, TrustedProxyHeadersConfig as Rt, SignInReturn as S, ClickUpProfile as Sn, UserShape as Sr, CredentialsProvider as St, SignOutOptions as T, ExtendedProfile as Tn, UserShapeValibot as Tr, IdentityConfig as Tt, AuthResponse as U, Login as Un, OAuthProviderRecord as Ut, createAuth as V, PinterestProfile as Vn, OAuthProviderConfig as Vt, ConfigSchema as W, MailchimpProfile as Wn, ResponseType as Wt, EditableShapeValibot as X, XProfile as Xn, JWTConfig as Xt, EditableShapeTypebox as Y, strava as Yn, GetStatelessSessionReturn as Yt, EditableShapeZod as Z, x as Zn, JWTConfigBase as Zt, SignInCredentialsAPIReturn as _, createBuiltInOAuthProviders as _n, SchemaTypes as _r, CookieConfig as _t, OAuthEnv as a, JWTSealedMode as an, discord as 
ar, Prettify as at, SignInCredentialsReturnData as b, DribbbleTeams as bn, UserIdentityTypeBox as br, CookieStrategyAttributes as bt, APIOptionsWithRequest as c, JWTStrategyOptions as cn, BitbucketProfile as cr, TypeboxShapeToObject as ct, GetSessionAPIOptions as d, SessionConfig as dn, github as dr, Wrap as dt, JWTExpirationStrategy as en, spotify as er, InferSession as et, GetSessionAPIReturn as f, SessionStrategy as fn, createSyslogMessage as fr, ZodShapeToObject as ft, SignInCredentialsAPIOptions as g, builtInOAuthProviders as gn, IsZod as gr, AuthRuntimeConfig as gt, SignInAPIReturn as h, BuiltInOAuthProvider as hn, IsValibot as hr, AuthInstance as ht, JWTStandardClaims as i, JWTMode as in, Nameplate as ir, Merge as it, UpdateSessionReturn as j, RootInfo as jn, RouterGlobalContext as jt, UpdateSessionAPIReturn as k, FullTeam as kn, LogLevel as kt, APIOptionsWithSkipCSRFCheck as l, SecretKey as ln, bitbucket as lr, UserFrom as lt, SignInAPIOptions as m, User as mn, IsArkType as mr, AuthConfig as mt, AuthClientOptions as n, JWTKeyAlgorithm as nn, gitlab as nr, InferZodShape as nt, TypedJWTPayload$1 as o, JWTSignedMode as on, FigmaProfile as or, RequiredKeys as ot, OptionsWithRedirectTo as p, StatelessStrategyConfig as pn, Identities as pr, AuthAPI as pt, EditableShape as q, SummaryClub as qn, CreateSessionStrategyOptions as qt, JWTPayloadWithToken as r, JWTManager as rn, DiscordProfile as rr, LiteralUnion as rt, APIOptionsWithRedirectTo as s, JWTSigningAlgorithm as sn, figma as sr, SessionFrom as st, AuthClient as t, JWTKey as tn, GitLabProfile as tr, InferUser as tt, FunctionAPIContext as u, Session as un, GitHubProfile as ur, ValibotShapeToObject as ut, SignInCredentialsOptions as v, DribbbleDefault as vn, UserIdentity as vr, CookieName as vt, SignOutAPIReturn as w, AtlassianProfile as wn, UserShapeTypeBox as wr, HostCookie as wt, SignInOptions as x, dribbble as xn, UserIdentityValibot as xr, CredentialsPayload as xt, SignInCredentialsReturn as y, 
DribbbleProfile as yn, UserIdentityArkType as yr, CookieStoreConfig as yt, OAuthError as z, TwitchProfile as zn, AuthorizeParams as zt };
3511
+ export { EditableShapeArkType as $, DribbbleTeams as $n, UserIdentityTypeBox as $r, CustomUserInfoFunction as $t, SignUpOptions as A, JWTSealedMode as An, x as Ar, CredentialsPayload as At, AuthInternalErrorCode as B, AuthentikProfile as Bn, figma as Br, OnCreateUserContext as Bt, SignOutAPIOptions as C, JWTEncryptedMode as Cn, MailchimpProfile as Cr, AuthConfig as Ct, SignOutReturnData as D, JWTKeyAlgorithm as Dn, SummaryGear as Dr, CookieName as Dt, SignOutReturn as E, JWTKey as En, SummaryClub as Er, CookieConfig as Et, UpdateSessionOptions as F, Session as Fn, gitlab as Fr, InternalContext as Ft, TokenRevocationError as G, huggingface as Gn, createSyslogMessage as Gr, Severity as Gt, AuthorizationError as H, HuggingFaceOrg as Hn, bitbucket as Hr, RouterGlobalContext as Ht, UpdateSessionReturn as I, SessionConfig as In, DiscordProfile as Ir, InternalLogger as It, AuthResponse as J, HubSportSignedAccessToken as Jn, IsValibot as Jr, SyslogOptions as Jt, createAuth as K, GoogleProfile as Kn, Identities as Kr, SignUpConfig as Kt, UpdateSessionReturnData as L, SessionStrategy as Ln, Nameplate as Lr, JoseInstance as Lt, SignUpReturnData as M, JWTSigningAlgorithm as Mn, SpotifyProfile as Mr, CredentialsProviderContext as Mt, UpdateSessionAPIOptions as N, JWTStrategyOptions as Nn, spotify as Nr, HostCookie as Nt, SignUpAPIOptions as O, JWTManager as On, strava as Or, CookieStoreConfig as Ot, UpdateSessionAPIReturn as P, SecretKey as Pn, GitLabProfile as Pr, IdentityConfig as Pt, EditableShape as Q, DribbbleProfile as Qn, UserIdentityArkType as Qr, AuthorizeParams as Qt, APIErrorMap as R, StatelessStrategyConfig as Rn, discord as Rr, LogLevel as Rt, SignInReturn as S, JWTConfigBase as Sn, Login as Sr, AuthAPI as St, SignOutOptions as T, JWTExpirationStrategy as Tn, StravaProfile as Tr, AuthRuntimeConfig as Tt, ErrorType as U, HuggingFaceProfile as Un, GitHubProfile as Ur, SchemaRegistryContext as Ut, AuthSecurityErrorCode as V, authentik as Vn, BitbucketProfile as Vr, 
RateLimiterConfig$1 as Vt, OAuthError as W, HuggingFaceResourceGroup as Wn, github as Wr, SecureCookie as Wt, DeepPartial as X, hubspot as Xn, SchemaTypes as Xr, TrustedProxyHeadersConfig as Xt, ConfigSchema as Y, HubSpotProfile as Yn, IsZod as Yr, TrustedOrigin as Yt, DeepRequired as Z, DribbbleDefault as Zn, UserIdentity as Zr, AccessTokenContext as Zt, SignInCredentialsAPIReturn as _, AsymmetricKeyPairFromEnv as _n, notion as _r, TypeboxShapeToObject as _t, OAuthEnv as a, createIdentity as ai, OIDCAccessTokenResponseType as an, atlassian as ar, FromShapeToObject as at, SignInCredentialsReturnData as b, GetStatelessSessionReturn as bn, PinterestProfile as br, Wrap as bt, APIOptionsWithRequest as c, RuntimeOAuthProvider as cn, FullTeam as cr, InferUser as ct, GetSessionAPIOptions as d, createBuiltInOAuthProviders as dn, dropbox as dr, Merge as dt, UserIdentityValibot as ei, OAuthAccessTokenResponseType as en, dribbble as er, EditableShapeTypebox as et, GetSessionAPIReturn as f, defineOpenIDProviderConfig as fn, Bot as fr, Prettify as ft, SignInCredentialsAPIOptions as g, AsymmetricKeyPair as gn, Person as gr, SessionFrom as gt, SignInAPIReturn as h, OpenIDProvider as hn, Owner as hr, ReturnUpdateSessionShape as ht, JWTStandardClaims as i, UserShapeValibot as ii, OAuthProviderRecord as in, ExtendedProfile as ir, EditableUser as it, SignUpReturn as j, JWTSignedMode as jn, SpotifyImage as jr, CredentialsProvider as jt, SignUpAPIReturn as k, JWTMode as kn, XProfile as kr, CookieStrategyAttributes as kt, APIOptionsWithSkipCSRFCheck as l, BuiltInOAuthProvider as ln, Name as lr, InferZodShape as lt, SignInAPIOptions as m, OpenIDMetadata as mn, NotionUser as mr, RequiredKeys as mt, AuthClientOptions as n, UserShapeArkType as ni, OAuthProviderConfig as nn, clickUp as nr, EditableShapeZod as nt, TypedJWTPayload$1 as o, OIDCProviderContext as on, AccountType as or, InferSession as ot, OptionsWithRedirectTo as p, setDynamicParams as pn, NotionProfile as pr, 
RemoveIndexSignature as pt, ArktypeShapeToObject as q, google as qn, IsArkType as qr, StandardCookie as qt, JWTPayloadWithToken as r, UserShapeTypeBox as ri, OAuthProviderCredentials as rn, AtlassianProfile as rr, EditableToSchema as rt, APIOptionsWithRedirectTo as s, ResponseType as sn, DropboxProfile as sr, InferSignUp as st, AuthClient as t, UserShape as ti, OAuthProvider as tn, ClickUpProfile as tr, EditableShapeValibot as tt, FunctionAPIContext as u, builtInOAuthProviders as un, RootInfo as ur, LiteralUnion as ut, SignInCredentialsOptions as v, CreateSessionStrategyOptions as vn, TwitchProfile as vr, UserFrom as vt, SignOutAPIReturn as w, JWTEncryptionAlgorithm as wn, mailchimp as wr, AuthInstance as wt, SignInOptions as x, JWTConfig as xn, pinterest as xr, ZodShapeToObject as xt, SignInCredentialsReturn as y, CryptoSecret as yn, twitch as yr, ValibotShapeToObject as yt, AccessTokenError as z, User as zn, FigmaProfile as zr, Logger as zt };