@aura-stack/auth 0.7.2 → 0.8.0

Files changed (70) hide show
  1. package/dist/@types/index.cjs +1 -1
  2. package/dist/@types/index.d.ts +2 -2
  3. package/dist/@types/index.js +1 -1
  4. package/dist/client/index.cjs +1 -1
  5. package/dist/client/index.d.ts +3 -2
  6. package/dist/client/index.js +1 -1
  7. package/dist/crypto-BRrGB5wn.js +3 -0
  8. package/dist/crypto-Da-Q8hsP.cjs +3 -0
  9. package/dist/errors-BWpHquVG.js +1 -0
  10. package/dist/errors-BiBhdux1.cjs +1 -0
  11. package/dist/fetch-async-DL6uySSm.js +1 -0
  12. package/dist/fetch-async-DlbcIcRD.cjs +1 -0
  13. package/dist/{identity-n3aahaEr.cjs → identity-CAygUyH6.cjs} +1 -1
  14. package/dist/{index-1ADcIVGC.d.ts → index-DIcbmH1M.d.ts} +1050 -285
  15. package/dist/index.cjs +1 -1
  16. package/dist/index.d.ts +1 -1
  17. package/dist/index.js +1 -1
  18. package/dist/{logger-BfUjjtxf.js → logger-BleaYLUV.js} +1 -1
  19. package/dist/{logger-CVwkloPj.cjs → logger-DL-kEECn.cjs} +1 -1
  20. package/dist/oauth/atlassian.d.ts +1 -1
  21. package/dist/oauth/authentik.cjs +1 -0
  22. package/dist/oauth/authentik.d.ts +2 -0
  23. package/dist/oauth/authentik.js +1 -0
  24. package/dist/oauth/bitbucket.d.ts +1 -1
  25. package/dist/oauth/click-up.d.ts +1 -1
  26. package/dist/oauth/discord.d.ts +1 -1
  27. package/dist/oauth/dribbble.d.ts +1 -1
  28. package/dist/oauth/dropbox.d.ts +1 -1
  29. package/dist/oauth/figma.d.ts +1 -1
  30. package/dist/oauth/github.d.ts +1 -1
  31. package/dist/oauth/gitlab.d.ts +1 -1
  32. package/dist/oauth/google.cjs +1 -0
  33. package/dist/oauth/google.d.ts +2 -0
  34. package/dist/oauth/google.js +1 -0
  35. package/dist/oauth/hubspot.cjs +1 -0
  36. package/dist/oauth/hubspot.d.ts +2 -0
  37. package/dist/oauth/hubspot.js +1 -0
  38. package/dist/oauth/huggingface.cjs +1 -0
  39. package/dist/oauth/huggingface.d.ts +2 -0
  40. package/dist/oauth/huggingface.js +1 -0
  41. package/dist/oauth/index.cjs +1 -1
  42. package/dist/oauth/index.d.ts +2 -2
  43. package/dist/oauth/index.js +1 -1
  44. package/dist/oauth/mailchimp.d.ts +1 -1
  45. package/dist/oauth/notion.cjs +1 -1
  46. package/dist/oauth/notion.d.ts +1 -1
  47. package/dist/oauth/notion.js +1 -1
  48. package/dist/oauth/pinterest.d.ts +1 -1
  49. package/dist/oauth/spotify.d.ts +1 -1
  50. package/dist/oauth/strava.d.ts +1 -1
  51. package/dist/oauth/twitch.d.ts +1 -1
  52. package/dist/oauth/x.d.ts +1 -1
  53. package/dist/resolve-provider-C_clBCRg.cjs +1 -0
  54. package/dist/resolve-provider-CaDu98x6.js +1 -0
  55. package/dist/shared/crypto.cjs +1 -1
  56. package/dist/shared/crypto.d.ts +2 -2
  57. package/dist/shared/crypto.js +1 -1
  58. package/dist/shared/identity.cjs +1 -1
  59. package/dist/shared/identity.d.ts +1 -1
  60. package/dist/shared/identity.js +1 -1
  61. package/dist/shared/index.cjs +1 -1
  62. package/dist/shared/index.d.ts +16 -2
  63. package/dist/shared/index.js +1 -1
  64. package/package.json +5 -4
  65. package/dist/assert-DaZSf4SH.cjs +0 -3
  66. package/dist/assert-av6s0a6t.js +0 -3
  67. package/dist/crypto-BF4ETYC9.cjs +0 -1
  68. package/dist/crypto-D6aq4c8x.js +0 -1
  69. package/dist/errors-Czt_w1t_.js +0 -1
  70. package/dist/errors-DcK2ELlk.cjs +0 -1
@@ -1,2 +1,2 @@
1
- import { Jn as SummaryGear, Kn as StravaProfile, Yn as strava, qn as SummaryClub } from "../index-1ADcIVGC.js";
1
+ import { Dr as SummaryGear, Er as SummaryClub, Or as strava, Tr as StravaProfile } from "../index-DIcbmH1M.js";
2
2
  export { StravaProfile, SummaryClub, SummaryGear, strava };
@@ -1,2 +1,2 @@
1
- import { Bn as twitch, zn as TwitchProfile } from "../index-1ADcIVGC.js";
1
+ import { vr as TwitchProfile, yr as twitch } from "../index-DIcbmH1M.js";
2
2
  export { TwitchProfile, twitch };
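--- a/package/dist/oauth/x.d.ts
+++ b/package/dist/oauth/x.d.ts
@@ -1,2 +1,2 @@
-import { Xn as XProfile, Zn as x } from "../index-1ADcIVGC.js";
+import { Ar as x, kr as XProfile } from "../index-DIcbmH1M.js";
 export { XProfile, x };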
@@ -0,0 +1 @@
1
+ const e=require(`./errors-BiBhdux1.cjs`),t=require(`./env-BhQ2k7jj.cjs`),n=require(`./crypto-Da-Q8hsP.cjs`),r=require(`./fetch-async-DlbcIcRD.cjs`),i=require(`./@types/index.cjs`),a=require(`./oauth/github.cjs`),o=require(`./oauth/bitbucket.cjs`),s=require(`./oauth/figma.cjs`),c=require(`./oauth/discord.cjs`),l=require(`./oauth/gitlab.cjs`),u=require(`./oauth/spotify.cjs`),d=require(`./oauth/x.cjs`),f=require(`./oauth/strava.cjs`),p=require(`./oauth/mailchimp.cjs`),m=require(`./oauth/pinterest.cjs`),h=require(`./oauth/twitch.cjs`),g=require(`./oauth/notion.cjs`),_=require(`./oauth/dropbox.cjs`),v=require(`./oauth/atlassian.cjs`),y=require(`./oauth/click-up.cjs`),b=require(`./oauth/dribbble.cjs`),x=require(`./oauth/hubspot.cjs`),S=require(`./oauth/google.cjs`),C=require(`./oauth/huggingface.cjs`),w=require(`./oauth/authentik.cjs`),T=e=>e.replace(/\/$/,``),E=async t=>{let a;try{a=await r.t(`${T(t)}/.well-known/openid-configuration`,{headers:{Accept:`application/json`}}),n.d(a)}catch(t){throw new e.t({code:`OIDC_DISCOVERY_NETWORK_FAILED`,cause:t})}if(!a.ok)throw new e.t({code:`OIDC_DISCOVERY_INVALID_RESPONSE`});let o;try{o=await a.json()}catch(t){throw new e.t({code:`OIDC_DISCOVERY_INVALID_FORMAT_RESPONSE`,cause:t})}let s=i.f.safeParse(o);if(!s.success)throw new e.t({code:`OIDC_DISCOVERY_INVALID_SCHEMA`,cause:s.error});let c=s.data;if(T(c.issuer)!==T(t))throw new e.t({code:`OIDC_DISCOVERY_ISSUER_MISMATCH`});return c},D={github:a.github,bitbucket:o.bitbucket,figma:s.figma,discord:c.discord,gitlab:l.gitlab,spotify:u.spotify,x:d.x,strava:f.strava,mailchimp:p.mailchimp,pinterest:m.pinterest,twitch:h.twitch,notion:g.notion,dropbox:_.dropbox,atlassian:v.atlassian,clickUp:y.clickUp,dribbble:b.dribbble,hubspot:x.hubspot,google:S.google,huggingface:C.huggingface,authentik:w.authentik},O=n=>{let r=i.s.safeParse({clientId:t.n(`${n.replace(`-`,`_`).toUpperCase()}_CLIENT_ID`),clientSecret:t.n(`${n.replace(`-`,`_`).toUpperCase()}_CLIENT_SECRET`)});if(!r.success)throw new 
e.t({code:`INVALID_ENVIRONMENT_CONFIGURATION`,cause:r.error});return r.data},k=e=>typeof e==`object`&&`issuer`in e&&!(`accessToken`in e),A=(t,n)=>t.replace(/(^|\/):([A-Za-z_][A-Za-z0-9_]*)/g,(t,r,i)=>{let a=n[i];if(a==null)throw new e.t({code:`OIDC_INVALID_ISSUER_PARAMS`});return`${r}${encodeURIComponent(String(a))}`}),j=t=>{let n=i.p.safeParse(t);if(!n.success)throw new e.t({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:n.error});let r=!t.clientId||!t.clientSecret?O(t.id):void 0;return t.issuer=A(t.issuer,t),R(t,{clientId:t.clientId||r.clientId,clientSecret:t.clientSecret||r.clientSecret})},M=t=>{if(typeof t==`string`){let n=O(t),r=D[t](),a=i.l.safeParse({...r,...n});if(!a.success){let t=i.p.safeParse({...r,...n});if(t.success)return j(t.data);throw new e.t({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:a.error})}return a.data}if(k(t))return j(t);let n=t.clientId&&t.clientSecret?{}:O(t.id),r=i.l.safeParse({...n,...t});if(!r.success)throw new e.t({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:r.error});return r.data},N=(t=[])=>t.reduce((t,n)=>{let r=M(n);if(r.id in t)throw new e.t({code:`DUPLICATED_OAUTH_PROVIDER_ID`,cause:Error(`Duplicate OAuth provider id "${r.id}" found. 
Each provider must have a unique id.`)});return{...t,[r.id]:r}},{}),P=`openid profile email`,F=new Map,I=e=>e.oidc!==void 0,L=async e=>{let t=F.get(e.id);if(t)return t;let n=e.oidc?.issuer;if(!n)throw Error(`OIDC provider is missing issuer configuration: `+e.id);n=A(n,e);let r=await E(n),i=typeof e.authorize==`object`&&e.authorize.params?.scope?e.authorize.params.scope:P,a={...e,clientId:e.clientId,clientSecret:e.clientSecret,authorize:{url:r.authorization_endpoint,params:{responseType:`code`,scope:i}},accessToken:r.token_endpoint,userInfo:r.userinfo_endpoint,oidc:{issuer:r.issuer,jwks_uri:r.jwks_uri}};return F.set(e.id,a),a},R=(e,t)=>{let n=e.scope??P;return{id:e.id,name:e.name,clientId:t.clientId,clientSecret:t.clientSecret,profile:e.profile,authorize:{url:``,params:{responseType:`code`,scope:n}},accessToken:``,userInfo:``,oidc:{issuer:A(e.issuer,e)}}};Object.defineProperty(exports,`a`,{enumerable:!0,get:function(){return j}}),Object.defineProperty(exports,`i`,{enumerable:!0,get:function(){return N}}),Object.defineProperty(exports,`n`,{enumerable:!0,get:function(){return L}}),Object.defineProperty(exports,`o`,{enumerable:!0,get:function(){return A}}),Object.defineProperty(exports,`r`,{enumerable:!0,get:function(){return D}}),Object.defineProperty(exports,`s`,{enumerable:!0,get:function(){return T}}),Object.defineProperty(exports,`t`,{enumerable:!0,get:function(){return I}});
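Review bot: The discovery cache `F` used by `L` is a module-level `Map` keyed only by `e.id`, so a second provider config that reuses an id with a different resolved issuer (for example other values for the `:param` placeholders that `A` fills in) would be handed the first config's endpoints and `jwks_uri`; move the lookup after `n=A(n,e)` and key on both, e.g. `F.get(e.id+'|'+n)` with the matching `F.set`. Entries also never expire, so a rotated `jwks_uri` or endpoint is only picked up after a process restart. Separately, `O` builds the environment variable name with a string-pattern `.replace()`, which rewrites only the first hyphen; `n.replaceAll('-','_')` would cover ids with several. The same code appears in the ESM twin in the next hunk (there as `R`, `B`, `N` and `j`). This appears to be the new resolve-provider bundle from the file list, and because it is minified build output the fix belongs in the source it was generated from.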
@@ -0,0 +1 @@
1
+ import{t as e}from"./errors-BWpHquVG.js";import{n as t}from"./env-BG1x-kSX.js";import{f as n}from"./crypto-BRrGB5wn.js";import{t as r}from"./fetch-async-DL6uySSm.js";import{f as i,l as a,p as o,s}from"./@types/index.js";import{github as c}from"./oauth/github.js";import{bitbucket as l}from"./oauth/bitbucket.js";import{figma as u}from"./oauth/figma.js";import{discord as d}from"./oauth/discord.js";import{gitlab as f}from"./oauth/gitlab.js";import{spotify as p}from"./oauth/spotify.js";import{x as m}from"./oauth/x.js";import{strava as h}from"./oauth/strava.js";import{mailchimp as g}from"./oauth/mailchimp.js";import{pinterest as _}from"./oauth/pinterest.js";import{twitch as v}from"./oauth/twitch.js";import{notion as y}from"./oauth/notion.js";import{dropbox as b}from"./oauth/dropbox.js";import{atlassian as x}from"./oauth/atlassian.js";import{clickUp as S}from"./oauth/click-up.js";import{dribbble as C}from"./oauth/dribbble.js";import{hubspot as w}from"./oauth/hubspot.js";import{google as T}from"./oauth/google.js";import{huggingface as E}from"./oauth/huggingface.js";import{authentik as D}from"./oauth/authentik.js";const O=e=>e.replace(/\/$/,``),k=async t=>{let a;try{a=await r(`${O(t)}/.well-known/openid-configuration`,{headers:{Accept:`application/json`}}),n(a)}catch(t){throw new e({code:`OIDC_DISCOVERY_NETWORK_FAILED`,cause:t})}if(!a.ok)throw new e({code:`OIDC_DISCOVERY_INVALID_RESPONSE`});let o;try{o=await a.json()}catch(t){throw new e({code:`OIDC_DISCOVERY_INVALID_FORMAT_RESPONSE`,cause:t})}let s=i.safeParse(o);if(!s.success)throw new e({code:`OIDC_DISCOVERY_INVALID_SCHEMA`,cause:s.error});let c=s.data;if(O(c.issuer)!==O(t))throw new e({code:`OIDC_DISCOVERY_ISSUER_MISMATCH`});return c},A={github:c,bitbucket:l,figma:u,discord:d,gitlab:f,spotify:p,x:m,strava:h,mailchimp:g,pinterest:_,twitch:v,notion:y,dropbox:b,atlassian:x,clickUp:S,dribbble:C,hubspot:w,google:T,huggingface:E,authentik:D},j=n=>{let 
r=s.safeParse({clientId:t(`${n.replace(`-`,`_`).toUpperCase()}_CLIENT_ID`),clientSecret:t(`${n.replace(`-`,`_`).toUpperCase()}_CLIENT_SECRET`)});if(!r.success)throw new e({code:`INVALID_ENVIRONMENT_CONFIGURATION`,cause:r.error});return r.data},M=e=>typeof e==`object`&&`issuer`in e&&!(`accessToken`in e),N=(t,n)=>t.replace(/(^|\/):([A-Za-z_][A-Za-z0-9_]*)/g,(t,r,i)=>{let a=n[i];if(a==null)throw new e({code:`OIDC_INVALID_ISSUER_PARAMS`});return`${r}${encodeURIComponent(String(a))}`}),P=t=>{let n=o.safeParse(t);if(!n.success)throw new e({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:n.error});let r=!t.clientId||!t.clientSecret?j(t.id):void 0;return t.issuer=N(t.issuer,t),V(t,{clientId:t.clientId||r.clientId,clientSecret:t.clientSecret||r.clientSecret})},F=t=>{if(typeof t==`string`){let n=j(t),r=A[t](),i=a.safeParse({...r,...n});if(!i.success){let t=o.safeParse({...r,...n});if(t.success)return P(t.data);throw new e({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:i.error})}return i.data}if(M(t))return P(t);let n=t.clientId&&t.clientSecret?{}:j(t.id),r=a.safeParse({...n,...t});if(!r.success)throw new e({code:`INVALID_OAUTH_PROVIDER_SCHEMA_CONFIG`,cause:r.error});return r.data},I=(t=[])=>t.reduce((t,n)=>{let r=F(n);if(r.id in t)throw new e({code:`DUPLICATED_OAUTH_PROVIDER_ID`,cause:Error(`Duplicate OAuth provider id "${r.id}" found. 
Each provider must have a unique id.`)});return{...t,[r.id]:r}},{}),L=`openid profile email`,R=new Map,z=e=>e.oidc!==void 0,B=async e=>{let t=R.get(e.id);if(t)return t;let n=e.oidc?.issuer;if(!n)throw Error(`OIDC provider is missing issuer configuration: `+e.id);n=N(n,e);let r=await k(n),i=typeof e.authorize==`object`&&e.authorize.params?.scope?e.authorize.params.scope:L,a={...e,clientId:e.clientId,clientSecret:e.clientSecret,authorize:{url:r.authorization_endpoint,params:{responseType:`code`,scope:i}},accessToken:r.token_endpoint,userInfo:r.userinfo_endpoint,oidc:{issuer:r.issuer,jwks_uri:r.jwks_uri}};return R.set(e.id,a),a},V=(e,t)=>{let n=e.scope??L;return{id:e.id,name:e.name,clientId:t.clientId,clientSecret:t.clientSecret,profile:e.profile,authorize:{url:``,params:{responseType:`code`,scope:n}},accessToken:``,userInfo:``,oidc:{issuer:N(e.issuer,e)}}};export{P as a,I as i,B as n,N as o,A as r,O as s,z as t};
@@ -1 +1 @@
1
- Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`}),require(`../identity-n3aahaEr.cjs`);const e=require(`../crypto-BF4ETYC9.cjs`);let t=require(`@aura-stack/jose/jose`);exports.createCSRF=e.t,exports.createHash=e.n,Object.defineProperty(exports,`createKeyPair`,{enumerable:!0,get:function(){return t.generateKeyPair}}),exports.createPKCE=e.r,exports.createSecretValue=e.i,exports.exportJWKKeyPair=e.a,exports.hashPassword=e.o,exports.importPEMKeyPair=e.s,exports.verifyCSRF=e.c,exports.verifyPassword=e.l;
1
+ Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`}),require(`../identity-CAygUyH6.cjs`);const e=require(`../crypto-Da-Q8hsP.cjs`);let t=require(`@aura-stack/jose/jose`);exports.createCSRF=e.t,exports.createHash=e.n,Object.defineProperty(exports,`createKeyPair`,{enumerable:!0,get:function(){return t.generateKeyPair}}),exports.createPKCE=e.r,exports.createSecretValue=e.i,exports.exportJWKKeyPair=e.a,exports.hashPassword=e.o,exports.importPEMKeyPair=e.s,exports.verifyCSRF=e.c,exports.verifyPassword=e.l;
@@ -1,4 +1,4 @@
1
- import { Kt as AsymmetricKeyPairFromEnv, Ot as JoseInstance, gt as AuthRuntimeConfig, mn as User } from "../index-1ADcIVGC.js";
1
+ import { Lt as JoseInstance, Tt as AuthRuntimeConfig, _n as AsymmetricKeyPairFromEnv, zn as User } from "../index-DIcbmH1M.js";
2
2
  import * as _$_aura_stack_jose_jose0 from "@aura-stack/jose/jose";
3
3
  import { GenerateKeyPairOptions, generateKeyPair as createKeyPair } from "@aura-stack/jose/jose";
4
4
 
@@ -33,7 +33,7 @@ declare const verifyCSRF: <DefaultUser extends User = User>(jose: JoseInstance<D
33
33
  *
34
34
  * @param password - The password to hash.
35
35
  * @param salt - Optional salt (base64url encoded). If not provided, a random salt will be generated.
36
- * @param iterations - The number of PBKDF2 iterations. Default is 100,000.
36
+ * @param iterations - The number of PBKDF2 iterations. Default is 600,000.
37
37
  * @returns The hashed password in the format `iterations:salt:hash` (all segments base64url encoded).
38
38
  */
39
39
  declare const hashPassword: (password: string, salt?: string, iterations?: number) => Promise<string>;
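Review bot: The `@param iterations` line now documents a default of 600,000 but the comment still does not name the hash PBKDF2 runs over, and the figure only means something relative to that; 600,000 is the value commonly cited for PBKDF2-HMAC-SHA256, so state the PRF here if that is what the implementation uses. Because the output format `iterations:salt:hash` carries the count, hashes created under the previous 100,000 default presumably keep verifying at the old cost, and the docstring should say so, e.g. `* Hashes created with an earlier default keep their stored iteration count; rehash after a successful verify to upgrade them.` The bodies of `hashPassword` and `verifyPassword` are not in this hunk, so confirm both statements against them before adding the text.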
@@ -1 +1 @@
1
- import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"../crypto-D6aq4c8x.js";export{c as createCSRF,i as createHash,o as createKeyPair,n as createPKCE,e as createSecretValue,a as exportJWKKeyPair,s as hashPassword,t as importPEMKeyPair,r as verifyCSRF,l as verifyPassword};
1
+ import{a as e,c as t,i as n,l as r,n as i,o as a,r as o,s,t as c,u as l}from"../crypto-BRrGB5wn.js";export{c as createCSRF,i as createHash,o as createKeyPair,n as createPKCE,e as createSecretValue,a as exportJWKKeyPair,s as hashPassword,t as importPEMKeyPair,r as verifyCSRF,l as verifyPassword};
@@ -1 +1 @@
1
- Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});const e=require(`../identity-n3aahaEr.cjs`);exports.UserIdentity=e.t,exports.UserIdentityArkType=e.n,exports.UserIdentityTypeBox=e.r,exports.UserIdentityValibot=e.i,exports.createIdentity=e.a;
1
+ Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});const e=require(`../identity-CAygUyH6.cjs`);exports.UserIdentity=e.t,exports.UserIdentityArkType=e.n,exports.UserIdentityTypeBox=e.r,exports.UserIdentityValibot=e.i,exports.createIdentity=e.a;
@@ -1,2 +1,2 @@
1
- import { $ as FromShapeToObject, Cr as UserShapeArkType, Er as createIdentity, H as ArktypeShapeToObject, Sr as UserShape, Tr as UserShapeValibot, _r as SchemaTypes, br as UserIdentityTypeBox, ct as TypeboxShapeToObject, et as InferSession, ft as ZodShapeToObject, gr as IsZod, hr as IsValibot, lt as UserFrom, mr as IsArkType, nt as InferZodShape, pr as Identities, q as EditableShape, st as SessionFrom, tt as InferUser, ut as ValibotShapeToObject, vr as UserIdentity, wr as UserShapeTypeBox, xr as UserIdentityValibot, yr as UserIdentityArkType } from "../index-1ADcIVGC.js";
1
+ import { $r as UserIdentityTypeBox, Jr as IsValibot, Kr as Identities, Q as EditableShape, Qr as UserIdentityArkType, Xr as SchemaTypes, Yr as IsZod, Zr as UserIdentity, _t as TypeboxShapeToObject, ai as createIdentity, at as FromShapeToObject, ct as InferUser, ei as UserIdentityValibot, gt as SessionFrom, ii as UserShapeValibot, lt as InferZodShape, ni as UserShapeArkType, ot as InferSession, q as ArktypeShapeToObject, qr as IsArkType, ri as UserShapeTypeBox, ti as UserShape, vt as UserFrom, xt as ZodShapeToObject, yt as ValibotShapeToObject } from "../index-DIcbmH1M.js";
2
2
  export { ArktypeShapeToObject, EditableShape, FromShapeToObject, Identities, InferSession, InferUser, InferZodShape, IsArkType, IsValibot, IsZod, SchemaTypes, SessionFrom, TypeboxShapeToObject, UserFrom, UserIdentity, UserIdentityArkType, UserIdentityTypeBox, UserIdentityValibot, UserShape, UserShapeArkType, UserShapeTypeBox, UserShapeValibot, ValibotShapeToObject, ZodShapeToObject, createIdentity };
@@ -1 +1 @@
1
- import{g as e,h as t,t as n,y as r}from"../assert-av6s0a6t.js";import{z as i}from"zod/v4";import{type as a}from"arktype";import{Type as o}from"typebox";import*as s from"valibot";const c=i.object({sub:i.string(),name:i.string().nullable().optional(),image:i.string().nullable().optional(),email:i.email().nullable().optional()}),l=s.object({sub:s.string(),name:s.optional(s.nullable(s.string())),image:s.optional(s.nullable(s.string())),email:s.optional(s.nullable(s.pipe(s.string(),s.email())))}),u=a({sub:`string`,name:`string | null?`,image:`string | null?`,email:`string.email | null?`}),d=o.Object({sub:o.String(),name:o.Optional(o.Union([o.String(),o.Null()])),image:o.Optional(o.Union([o.String(),o.Null()])),email:o.Optional(o.Union([o.String({format:`email`}),o.Null()]))}),f=a=>n(a)?a:e(a)?s.object(a):r(a)?i.object(a):t(a)?o.Object(a):i.object(a);export{c as UserIdentity,u as UserIdentityArkType,d as UserIdentityTypeBox,l as UserIdentityValibot,f as createIdentity};
1
+ import{S as e,p as t,v as n,y as r}from"../crypto-BRrGB5wn.js";import{z as i}from"zod/v4";import{type as a}from"arktype";import{Type as o}from"typebox";import*as s from"valibot";const c=i.object({sub:i.string(),name:i.string().nullable().optional(),image:i.string().nullable().optional(),email:i.email().nullable().optional()}),l=s.object({sub:s.string(),name:s.optional(s.nullable(s.string())),image:s.optional(s.nullable(s.string())),email:s.optional(s.nullable(s.pipe(s.string(),s.email())))}),u=a({sub:`string`,name:`string | null?`,image:`string | null?`,email:`string.email | null?`}),d=o.Object({sub:o.String(),name:o.Optional(o.Union([o.String(),o.Null()])),image:o.Optional(o.Union([o.String(),o.Null()])),email:o.Optional(o.Union([o.String({format:`email`}),o.Null()]))}),f=a=>t(a)?a:r(a)?s.object(a):e(a)?i.object(a):n(a)?o.Object(a):i.object(a);export{c as UserIdentity,u as UserIdentityArkType,d as UserIdentityTypeBox,l as UserIdentityValibot,f as createIdentity};
@@ -1 +1 @@
1
- Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});const e=require(`../assert-DaZSf4SH.cjs`),t=require(`../logger-CVwkloPj.cjs`);exports.createBasicAuthHeader=e.S,exports.createSyslogMessage=t.n;
1
+ Object.defineProperty(exports,Symbol.toStringTag,{value:`Module`});const e=require(`../crypto-Da-Q8hsP.cjs`),t=require(`../fetch-async-DlbcIcRD.cjs`),n=require(`../logger-DL-kEECn.cjs`);exports.createBasicAuthHeader=e.w,exports.createSyslogMessage=n.n,exports.fetchAsync=t.t;
@@ -1,5 +1,19 @@
1
- import { fr as createSyslogMessage } from "../index-1ADcIVGC.js";
1
+ import { Gr as createSyslogMessage } from "../index-DIcbmH1M.js";
2
+
2
3
  //#region src/shared/utils.d.ts
3
4
  declare const createBasicAuthHeader: (username: string, password: string) => string;
4
5
  //#endregion
5
- export { createBasicAuthHeader, createSyslogMessage };
6
+ //#region src/shared/fetch-async.d.ts
7
+ /**
8
+ * Fetches a resource with a timeout mechanism.
9
+ *
10
+ * @param url - The URL or Request object to fetch
11
+ * @param options - Optional RequestInit configuration object
12
+ * @param timeout - Timeout duration in milliseconds (default: 5000ms)
13
+ * @returns A promise that resolves to the Response object
14
+ * @example
15
+ * const response = await fetchAsync('https://api.example.com/data', {}, 3000);
16
+ */
17
+ declare const fetchAsync: (url: string | Request, options?: RequestInit, timeout?: number) => Promise<Response>;
18
+ //#endregion
19
+ export { createBasicAuthHeader, createSyslogMessage, fetchAsync };
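Review bot: The new `fetchAsync` docstring does not say what the returned promise rejects with when the timeout fires, nor what happens to a caller-supplied `options.signal`, and callers need both to tell a timeout apart from a network failure or their own cancellation. Add a `@throws` line and one sentence on signal handling, e.g. `* @throws when the request does not complete within the timeout`, worded to match the actual error type. The implementation lives in the fetch-async bundle, which is not part of this hunk, so the wording has to be checked against it.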
@@ -1 +1 @@
1
- import{S as e}from"../assert-av6s0a6t.js";import{n as t}from"../logger-BfUjjtxf.js";export{e as createBasicAuthHeader,t as createSyslogMessage};
1
+ import{T as e}from"../crypto-BRrGB5wn.js";import{t}from"../fetch-async-DL6uySSm.js";import{n}from"../logger-BleaYLUV.js";export{e as createBasicAuthHeader,n as createSyslogMessage,t as fetchAsync};
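--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@aura-stack/auth",
-"version": "0.7.2",
+"version": "0.8.0",
 "private": false,
 "type": "module",
 "description": "Open-source authentication and authorization library for modern TypeScript and JavaScript applications. Framework-agnostic, runtime-agnostic and built on web standards.",
@@ -89,15 +89,16 @@
 },
 "license": "MIT",
 "dependencies": {
-"@aura-stack/router": "^0.7.2",
+"@aura-stack/router": "^0.9.0",
 "arktype": "^2.2.0",
 "typebox": "^1.1.38",
 "valibot": "^1.4.0",
 "zod": "4.3.5",
-"@aura-stack/jose": "0.6.0"
+"@aura-stack/jose": "0.6.0",
+"@aura-stack/rate-limiter": "0.0.0"
 },
 "devDependencies": {
-"typescript": "^5.9.2",
+"typescript": "^5.9.3",
 "vitest": "4.1.4",
 "@aura-stack/tsdown-config": "0.0.0",
 "@aura-stack/tsconfig": "0.0.0"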
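Review bot: The added runtime dependency `"@aura-stack/rate-limiter": "0.0.0"` carries the same `0.0.0` value as the devDependencies `@aura-stack/tsdown-config` and `@aura-stack/tsconfig` a few lines further down, which suggests a workspace placeholder reached the published manifest. An exact pin on `0.0.0` resolves only if that exact version exists on the registry, so consumers either fail to install or receive whatever was published under that version; confirm the package and version are published by the same maintainers and pin the intended release. `@aura-stack/router` also moves from `^0.7.2` to `^0.9.0`, and a minor jump on a 0.x range can carry breaking changes, so its changelog is worth reading alongside this diff.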
@@ -1,3 +0,0 @@
1
- require(`./identity-n3aahaEr.cjs`);const e=require(`./errors-DcK2ELlk.cjs`),t=require(`./env-BhQ2k7jj.cjs`);require(`arktype`),require(`typebox`);let n=require(`@aura-stack/jose/crypto`);const r=(e,t)=>e===null||t===null||e===void 0||t===void 0?!1:e===t,i=(e,t)=>{let n=e instanceof Headers?e:e.headers,r=e instanceof Headers?null:e.url;return t?r?.startsWith(`https://`)||n.get(`X-Forwarded-Proto`)===`https`||(n.get(`Forwarded`)?.includes(`proto=https`)??!1):r?.startsWith(`https://`)??!1},a=e=>!e.issues||e.issues.length===0?{}:e.issues.reduce((e,t)=>{let n=t.path.join(`.`);return{...e,[n]:{code:t.code,message:t.message}}},{}),o=e=>{let t=e.match(/^https?:\/\/[a-zA-Z0-9_\-.]+(:\d+)?(\/.*)$/);return t&&t[2]?t[2]:`/`},s=e=>e instanceof Error?e.name:typeof e==`string`?e:`UnknownError`,c=e=>{try{if(e.length>2048)return null;e=e.replace(/\\/g,``);let t=e.match(/^(https?):\/\/([a-zA-Z0-9.*-]{1,253})(?::(\d{1,5}|\*))?(?:\/.*)?$/);if(!t)return null;let[,n,r,i]=t,a=r.includes(`*`);if(a&&!r.startsWith(`*.`)||a&&!r.startsWith(`*.`)||a&&r.slice(2).includes(`*`))return null;let o=(a?r.slice(2):r).replace(/[.*+?^${}()|[\]\\]/g,`\\$&`),s=a?`[^.]+\\.${o}`:o,c=i===`*`?`:\\d{1,5}`:i?`:${i}`:``;return RegExp(`^${n}:\\/\\/${s}${c}$`)}catch{return null}},l=(e,t)=>{let r=n.encoder.encode(e),i=n.encoder.encode(t),a=Math.max(r.length,i.length),o=0;for(let e=0;e<a;e++)o|=(r[e]??0)^(i[e]??0);return o===0&&r.length===i.length},u=(r,i)=>{let a=t.n(r)??r,o=t.n(i)??i;if(!a||!o)throw new e.n(`INVALID_OAUTH_CONFIGURATION`,`Missing client credentials for OAuth provider configuration.`);let s=`${a}:${o}`,c=String.fromCharCode.apply(null,Array.from(n.encoder.encode(s)));return`Basic ${btoa(c)}`},d=(e,t)=>(new Headers(t).forEach((t,n)=>{e.has(n)||(n.toLowerCase()===`set-cookie`?e.append(n,t):e.set(n,t))}),e),f=[`<`,`>`,`"`,"`",` `,`\r`,`
2
- `,` `,`\\`,`%2F`,`%5C`,`%2f`,`%5c`,`\r
3
- `,`%0A`,`%0D`,`%0a`,`%0d`,`..`,`//`,`///`,`...`,`%20`,`\0`],p=e=>{if(!new RegExp(/^https?:\/\/[^/]/).test(e))return!1;let t=e.match(/^(https?:\/\/)(.*)$/);if(!t)return!1;let n=t[2];for(let e of f)if(n.includes(e))return!1;return/^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/.test(t[0])},m=e=>typeof e==`object`&&!!e&&`token`in e&&typeof e?.token==`string`,h=e=>{if(e.length>100)return!1;for(let t of f)if(e.includes(t))return!1;return/^\/[a-zA-Z0-9\-_/.?&=#]*\/?$/.test(e)},g=(e,t)=>{let n=new URL(e),i=new URL(t);return r(n.origin,i.origin)},_=(e,t)=>{if(!p(e)||t.length===0)return!1;try{let n=new URL(e).origin;for(let e of t){if(c(e)?.test(n))return!0;try{if(p(e)&&r(new URL(e).origin,n))return!0}catch{}}}catch{}return!1},v=e=>e?.jwt?.mode??`sealed`,y=e=>v(e)===`signed`,b=e=>v(e)===`encrypted`,x=e=>v(e)===`sealed`,S=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e,C=e=>typeof e==`object`&&!!e&&`algorithm`in e&&`extractable`in e,w=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e,T=e=>typeof e==`object`&&!!e&&`sign`in e&&`encrypt`in e&&(C(e.sign)||S(e.sign))&&(C(e.encrypt)||S(e.encrypt)),E=e=>typeof e==`string`&&/-----BEGIN (PUBLIC|PRIVATE) KEY-----/.test(e),D=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e&&E(e.publicKey)&&E(e.privateKey),O=e=>typeof e==`object`&&!!e&&`sign`in e&&`encrypt`in e&&D(e.sign)&&D(e.encrypt),k=e=>typeof e==`object`&&!!e&&`~run`in e&&typeof e[`~run`]==`function`,A=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).length>0&&Object.values(e).every(k),j=e=>typeof e==`object`&&!!e&&`_def`in e,M=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).every(j),N=e=>typeof e==`function`&&e!==null&&`allows`in e&&`assert`in e,P=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).every(e=>typeof e==`object`&&`type`in e);Object.defineProperty(exports,`A`,{enumerable:!0,get:function(){return 
d}}),Object.defineProperty(exports,`C`,{enumerable:!0,get:function(){return r}}),Object.defineProperty(exports,`D`,{enumerable:!0,get:function(){return i}}),Object.defineProperty(exports,`E`,{enumerable:!0,get:function(){return s}}),Object.defineProperty(exports,`O`,{enumerable:!0,get:function(){return c}}),Object.defineProperty(exports,`S`,{enumerable:!0,get:function(){return u}}),Object.defineProperty(exports,`T`,{enumerable:!0,get:function(){return a}}),Object.defineProperty(exports,`_`,{enumerable:!0,get:function(){return k}}),Object.defineProperty(exports,`a`,{enumerable:!0,get:function(){return b}}),Object.defineProperty(exports,`b`,{enumerable:!0,get:function(){return j}}),Object.defineProperty(exports,`c`,{enumerable:!0,get:function(){return w}}),Object.defineProperty(exports,`d`,{enumerable:!0,get:function(){return g}}),Object.defineProperty(exports,`f`,{enumerable:!0,get:function(){return x}}),Object.defineProperty(exports,`g`,{enumerable:!0,get:function(){return A}}),Object.defineProperty(exports,`h`,{enumerable:!0,get:function(){return P}}),Object.defineProperty(exports,`i`,{enumerable:!0,get:function(){return T}}),Object.defineProperty(exports,`k`,{enumerable:!0,get:function(){return l}}),Object.defineProperty(exports,`l`,{enumerable:!0,get:function(){return D}}),Object.defineProperty(exports,`m`,{enumerable:!0,get:function(){return _}}),Object.defineProperty(exports,`n`,{enumerable:!0,get:function(){return C}}),Object.defineProperty(exports,`o`,{enumerable:!0,get:function(){return O}}),Object.defineProperty(exports,`p`,{enumerable:!0,get:function(){return y}}),Object.defineProperty(exports,`r`,{enumerable:!0,get:function(){return S}}),Object.defineProperty(exports,`s`,{enumerable:!0,get:function(){return m}}),Object.defineProperty(exports,`t`,{enumerable:!0,get:function(){return N}}),Object.defineProperty(exports,`u`,{enumerable:!0,get:function(){return h}}),Object.defineProperty(exports,`v`,{enumerable:!0,get:function(){return 
p}}),Object.defineProperty(exports,`w`,{enumerable:!0,get:function(){return o}}),Object.defineProperty(exports,`x`,{enumerable:!0,get:function(){return`0.5.0`}}),Object.defineProperty(exports,`y`,{enumerable:!0,get:function(){return M}});
@@ -1,3 +0,0 @@
1
- import{n as e}from"./errors-Czt_w1t_.js";import{n as t}from"./env-BG1x-kSX.js";import"arktype";import"typebox";import{encoder as n}from"@aura-stack/jose/crypto";const r=`0.5.0`,i=(e,t)=>e===null||t===null||e===void 0||t===void 0?!1:e===t,a=(e,t)=>{let n=e instanceof Headers?e:e.headers,r=e instanceof Headers?null:e.url;return t?r?.startsWith(`https://`)||n.get(`X-Forwarded-Proto`)===`https`||(n.get(`Forwarded`)?.includes(`proto=https`)??!1):r?.startsWith(`https://`)??!1},o=e=>!e.issues||e.issues.length===0?{}:e.issues.reduce((e,t)=>{let n=t.path.join(`.`);return{...e,[n]:{code:t.code,message:t.message}}},{}),s=e=>{let t=e.match(/^https?:\/\/[a-zA-Z0-9_\-.]+(:\d+)?(\/.*)$/);return t&&t[2]?t[2]:`/`},c=e=>e instanceof Error?e.name:typeof e==`string`?e:`UnknownError`,l=e=>{try{if(e.length>2048)return null;e=e.replace(/\\/g,``);let t=e.match(/^(https?):\/\/([a-zA-Z0-9.*-]{1,253})(?::(\d{1,5}|\*))?(?:\/.*)?$/);if(!t)return null;let[,n,r,i]=t,a=r.includes(`*`);if(a&&!r.startsWith(`*.`)||a&&!r.startsWith(`*.`)||a&&r.slice(2).includes(`*`))return null;let o=(a?r.slice(2):r).replace(/[.*+?^${}()|[\]\\]/g,`\\$&`),s=a?`[^.]+\\.${o}`:o,c=i===`*`?`:\\d{1,5}`:i?`:${i}`:``;return RegExp(`^${n}:\\/\\/${s}${c}$`)}catch{return null}},u=(e,t)=>{let r=n.encode(e),i=n.encode(t),a=Math.max(r.length,i.length),o=0;for(let e=0;e<a;e++)o|=(r[e]??0)^(i[e]??0);return o===0&&r.length===i.length},d=(r,i)=>{let a=t(r)??r,o=t(i)??i;if(!a||!o)throw new e(`INVALID_OAUTH_CONFIGURATION`,`Missing client credentials for OAuth provider configuration.`);let s=`${a}:${o}`,c=String.fromCharCode.apply(null,Array.from(n.encode(s)));return`Basic ${btoa(c)}`},f=(e,t)=>(new Headers(t).forEach((t,n)=>{e.has(n)||(n.toLowerCase()===`set-cookie`?e.append(n,t):e.set(n,t))}),e),p=[`<`,`>`,`"`,"`",` `,`\r`,`
2
- `,` `,`\\`,`%2F`,`%5C`,`%2f`,`%5c`,`\r
3
- `,`%0A`,`%0D`,`%0a`,`%0d`,`..`,`//`,`///`,`...`,`%20`,`\0`],m=e=>{if(!new RegExp(/^https?:\/\/[^/]/).test(e))return!1;let t=e.match(/^(https?:\/\/)(.*)$/);if(!t)return!1;let n=t[2];for(let e of p)if(n.includes(e))return!1;return/^https?:\/\/(?:[a-zA-Z0-9._-]+|localhost|\[[0-9a-fA-F:]+\])(?::\d{1,5})?(?:\/[a-zA-Z0-9._~!$&'()?#*+,;=:@-]*)*\/?$/.test(t[0])},h=e=>typeof e==`object`&&!!e&&`token`in e&&typeof e?.token==`string`,g=e=>{if(e.length>100)return!1;for(let t of p)if(e.includes(t))return!1;return/^\/[a-zA-Z0-9\-_/.?&=#]*\/?$/.test(e)},_=(e,t)=>{let n=new URL(e),r=new URL(t);return i(n.origin,r.origin)},v=(e,t)=>{if(!m(e)||t.length===0)return!1;try{let n=new URL(e).origin;for(let e of t){if(l(e)?.test(n))return!0;try{if(m(e)&&i(new URL(e).origin,n))return!0}catch{}}}catch{}return!1},y=e=>e?.jwt?.mode??`sealed`,b=e=>y(e)===`signed`,x=e=>y(e)===`encrypted`,S=e=>y(e)===`sealed`,C=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e,w=e=>typeof e==`object`&&!!e&&`algorithm`in e&&`extractable`in e,T=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e,E=e=>typeof e==`object`&&!!e&&`sign`in e&&`encrypt`in e&&(w(e.sign)||C(e.sign))&&(w(e.encrypt)||C(e.encrypt)),D=e=>typeof e==`string`&&/-----BEGIN (PUBLIC|PRIVATE) KEY-----/.test(e),O=e=>typeof e==`object`&&!!e&&`publicKey`in e&&`privateKey`in e&&D(e.publicKey)&&D(e.privateKey),k=e=>typeof e==`object`&&!!e&&`sign`in e&&`encrypt`in e&&O(e.sign)&&O(e.encrypt),A=e=>typeof e==`object`&&!!e&&`~run`in e&&typeof e[`~run`]==`function`,j=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).length>0&&Object.values(e).every(A),M=e=>typeof e==`object`&&!!e&&`_def`in e,N=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).every(M),P=e=>typeof e==`function`&&e!==null&&`allows`in e&&`assert`in e,F=e=>typeof e==`object`&&!!e&&!Array.isArray(e)&&Object.values(e).every(e=>typeof e==`object`&&`type`in e);export{f as A,i as C,a as D,c as E,l as O,d as S,o as T,A as _,x as a,M as b,T as c,_ as d,S 
as f,j as g,F as h,E as i,u as k,O as l,v as m,w as n,k as o,b as p,C as r,h as s,P as t,g as u,m as v,s as w,r as x,N as y};
@@ -1 +0,0 @@
1
- require(`./identity-n3aahaEr.cjs`);const e=require(`./errors-DcK2ELlk.cjs`),t=require(`./env-BhQ2k7jj.cjs`),n=require(`./assert-DaZSf4SH.cjs`);let r=require(`@aura-stack/jose/crypto`),i=require(`@aura-stack/jose/jose`),a=require(`@aura-stack/jose`);const o=e=>e?.jwt,s=e=>{let t=o(e),n={};t?.audience&&(n.aud=t.audience),t?.issuer&&(n.iss=t.issuer);let r=Math.floor(Date.now()/1e3);return t?.maxAge&&(n.exp=r+t.maxAge),t?.maxExpiration&&(n.mexp=r+t.maxExpiration),n},c=(e,t)=>({...s(t),...e}),l=(e,t)=>{let r={};return(n.p(e)||n.f(e))&&e?.jwt?.signingAlgorithm&&(r.alg=e.jwt.signingAlgorithm),{...r,...t}},u=(e,t)=>{let r={};return(n.a(e)||n.f(e))&&(e?.jwt?.keyAlgorithm&&(r.alg=e.jwt.keyAlgorithm),e?.jwt?.encryptionAlgorithm&&(r.enc=e.jwt.encryptionAlgorithm)),{...r,...t}},d=(e,t)=>{let r={};return(n.p(e)||n.f(e))&&(e?.jwt?.signingAlgorithm&&(r.algorithms=[e.jwt.signingAlgorithm]),r.issuer=e?.jwt?.issuer,r.audience=e?.jwt?.audience),{...r,...t}},f=(e,t)=>{let r={};return(n.a(e)||n.f(e))&&(e?.jwt?.keyAlgorithm&&(r.keyManagementAlgorithms=[e.jwt.keyAlgorithm]),e?.jwt?.encryptionAlgorithm&&(r.contentEncryptionAlgorithms=[e.jwt.encryptionAlgorithm]),r.issuer=e?.jwt?.issuer,r.audience=e?.jwt?.audience),{...r,...t}},p=t=>{let n=Math.floor(Date.now()/1e3);if(t.mexp&&typeof t.mexp==`number`&&n>t.mexp)throw new e.a(`TOKEN_EXPIRED`,`The token has expired based on its maxExpiration (mexp) claim.`)},m=async(r,i,o)=>{if(n.o(r)){if(!n.f(o))throw new e.i(`INVALID_PEM_KEY_PAIR`,`Multiples PEM Key Pairs from environment variables require 'sealed' JWT mode. 
For 'signed' or 'encrypted' modes, provide a single PEM key pair or a combined key object.`);let{sign:i,encrypt:a}=r,s=t.n(`SIGNING_ALG`)||t.n(`SIGNING_ALGORITHM`)||o?.jwt.signingAlgorithm||`RS256`,c=t.n(`ENCRYPTION_ALG`)||t.n(`ENCRYPTION_ALGORITHM`)||o?.jwt.keyAlgorithm||`RSA-OAEP-256`,l=await T(i,s),u=await T(a,c);return{jwsSecret:l,jweSecret:u,jwtSecret:{sign:l,encrypt:u}}}if(n.l(r)){if(n.f(o))throw new e.i(`INVALID_PEM_KEY_PAIR`,`Single PEM key pairs from environment variables require 'signed' or 'encrypted' JWT mode. For 'sealed' mode, provide separate signing and encryption keys or a combined key object.`);let{publicKey:i,privateKey:a}=await T(r,t.n(`ALGORITHM`)||t.n(`ALG`)||(n.p(o)?o?.jwt?.signingAlgorithm:void 0)||(n.a(o)?o?.jwt?.keyAlgorithm:void 0)||`RS256`);return{jwsSecret:{publicKey:i,privateKey:a},jweSecret:{publicKey:i,privateKey:a},jwtSecret:{sign:{publicKey:i,privateKey:a},encrypt:{publicKey:i,privateKey:a}}}}if(n.i(r))return{jwsSecret:r.sign,jweSecret:r.encrypt,jwtSecret:{sign:r.sign,encrypt:r.encrypt}};if(n.n(r)||n.r(r)||n.c(r))return{jwsSecret:r,jweSecret:r,jwtSecret:{sign:r,encrypt:r}};let[s,c]=await Promise.all([(0,a.createDeriveKey)(r,i,`aura:signing`),(0,a.createDeriveKey)(r,i,`aura:encryption`)]);return{jwsSecret:s,jweSecret:c,jwtSecret:{sign:s,encrypt:c}}},h=e=>{let n=t.n(`${e}${e&&`_`}PUBLIC_KEY`),r=t.n(`${e}${e&&`_`}PRIVATE_KEY`);return n&&r?{publicKey:n,privateKey:r}:null},g=n=>{if(n??=t.n(`SECRET`),n)return n;let r=h(``);if(r)return r;let i=h(`SIGNING`),a=h(`ENCRYPTION`);if(i&&a)return{sign:i,encrypt:a};throw new e.n(`JOSE_INITIALIZATION_FAILED`,`AURA_AUTH_SECRET environment variable is not set and no secret was provided.`)},_=(n,r)=>{let i=g(n),o=t.n(`SALT`);if(!o)throw new e.n(`JOSE_INITIALIZATION_FAILED`,`AURA_AUTH_SALT or AUTH_SALT environment variable is not set. A salt value is required for key derivation.`);try{(0,a.createSecret)(o)}catch(t){throw new e.n(`INVALID_SALT_SECRET_VALUE`,`AURA_AUTH_SALT/AUTH_SALT is invalid. 
It must be at least 32 bytes long and meet entropy requirements.`,{cause:t})}let s=(async()=>{let{jwsSecret:e,jweSecret:t,jwtSecret:n}=await m(i,o,r);return{jwt:(0,a.createJWT)(n),jws:(0,a.createJWS)(e),jwe:(0,a.createJWE)(t)}})();return{signJWS:async(e,t)=>{let{jws:n}=await s;return n.signJWS(c(e,r),l(r,t))},verifyJWS:async(e,t)=>{let{jws:n}=await s,i=await n.verifyJWS(e,d(r,t));return p(i),i},encryptJWE:async(e,t)=>{let{jwe:n}=await s;return n.encryptJWE(c(e,r),u(r,t))},decryptJWE:async(e,t)=>{let{jwe:n}=await s,i=await n.decryptJWE(e,f(r,t));return p(i),i},encodeJWT:async(e,t)=>{let{jwt:n}=await s;return await n.encodeJWT(c(e,r),{sign:l(r,t?.sign),encrypt:u(r,t?.encrypt)})},decodeJWT:async(e,t)=>{let{jwt:n}=await s,i=await n.decodeJWT(e,{verify:d(r,t?.verify),decrypt:f(r,t?.decrypt)});return p(i),i}}},v=(e=32)=>i.base64url.encode((0,r.getRandomBytes)(e)),y=async e=>{let t=await(0,r.getSubtleCrypto)().digest(`SHA-256`,r.encoder.encode(e));return i.base64url.encode(new Uint8Array(t))},b=async t=>{let n=t?void 0:Math.floor(Math.random()*65+32),r=t??v(n??64);if(r.length<43||r.length>128)throw new e.a(`PKCE_VERIFIER_INVALID`,`The code verifier must be between 43 and 128 characters in length.`);return{codeVerifier:r,codeChallenge:await y(r),method:`S256`}},x=async(e,t)=>{try{if(t)return await e.verifyJWS(t),t;let n=v(32);return e.signJWS({token:n})}catch{let t=v(32);return e.signJWS({token:t})}},S=async(t,r,i)=>{try{let a=await t.verifyJWS(r),o=await t.verifyJWS(i);if(!n.s(a))throw new e.a(`CSRF_TOKEN_INVALID`,`Cookie payload missing token field.`);if(!n.s(o))throw new e.a(`CSRF_TOKEN_INVALID`,`Header payload missing token field.`);if(!n.C(a.token.length,o.token.length)||!n.k(a.token,o.token))throw new e.a(`CSRF_TOKEN_INVALID`,`The CSRF tokens do not match.`);return!0}catch{throw new e.a(`CSRF_TOKEN_INVALID`,`The CSRF tokens do not match.`)}},C=async(e,t,n=1e5)=>{let a=(0,r.getSubtleCrypto)(),o=t?i.base64url.decode(t):(0,r.getRandomBytes)(16),s=await 
a.importKey(`raw`,r.encoder.encode(e),`PBKDF2`,!1,[`deriveBits`]),c=await a.deriveBits({name:`PBKDF2`,salt:o,iterations:n,hash:`SHA-256`},s,256),l=new Uint8Array(c),u=i.base64url.encode(l);return`pbkdf2-sha256:${n}:${i.base64url.encode(o)}:${u}`},w=async(e,t)=>{try{let r=t.split(`:`);if(r.length!==4)return!1;let[i,a,o]=r;if(i!==`pbkdf2-sha256`)return!1;let s=parseInt(a,10);if(isNaN(s))return!1;let[,,,c]=(await C(e,o,s)).split(`:`),[,,,l]=t.split(`:`);return!c||!l?!1:n.k(c,l)}catch{return!1}},T=async(e,t)=>{let n=await(0,i.importPKCS8)(e.privateKey,t,{extractable:!0});return{publicKey:await(0,i.importSPKI)(e.publicKey,t,{extractable:!0}),privateKey:n}},E=async(e,t)=>{let{publicKey:n,privateKey:r}=await(0,i.generateKeyPair)(e,t);return{publicKey:await(0,i.exportJWK)(n),privateKey:await(0,i.exportJWK)(r)}};Object.defineProperty(exports,`a`,{enumerable:!0,get:function(){return E}}),Object.defineProperty(exports,`c`,{enumerable:!0,get:function(){return S}}),Object.defineProperty(exports,`i`,{enumerable:!0,get:function(){return v}}),Object.defineProperty(exports,`l`,{enumerable:!0,get:function(){return w}}),Object.defineProperty(exports,`n`,{enumerable:!0,get:function(){return y}}),Object.defineProperty(exports,`o`,{enumerable:!0,get:function(){return C}}),Object.defineProperty(exports,`r`,{enumerable:!0,get:function(){return b}}),Object.defineProperty(exports,`s`,{enumerable:!0,get:function(){return T}}),Object.defineProperty(exports,`t`,{enumerable:!0,get:function(){return x}}),Object.defineProperty(exports,`u`,{enumerable:!0,get:function(){return _}});
@@ -1 +0,0 @@
1
- import{a as e,i as t,n}from"./errors-Czt_w1t_.js";import{n as r}from"./env-BG1x-kSX.js";import{C as i,a,c as o,f as s,i as c,k as l,l as u,n as d,o as f,p,r as m,s as h}from"./assert-av6s0a6t.js";import{encoder as g,getRandomBytes as _,getSubtleCrypto as v}from"@aura-stack/jose/crypto";import{base64url as y,exportJWK as b,generateKeyPair as x,generateKeyPair as S,importPKCS8 as C,importSPKI as w}from"@aura-stack/jose/jose";import{createDeriveKey as T,createJWE as E,createJWS as D,createJWT as O,createSecret as k}from"@aura-stack/jose";const A=e=>e?.jwt,j=e=>{let t=A(e),n={};t?.audience&&(n.aud=t.audience),t?.issuer&&(n.iss=t.issuer);let r=Math.floor(Date.now()/1e3);return t?.maxAge&&(n.exp=r+t.maxAge),t?.maxExpiration&&(n.mexp=r+t.maxExpiration),n},M=(e,t)=>({...j(t),...e}),N=(e,t)=>{let n={};return(p(e)||s(e))&&e?.jwt?.signingAlgorithm&&(n.alg=e.jwt.signingAlgorithm),{...n,...t}},P=(e,t)=>{let n={};return(a(e)||s(e))&&(e?.jwt?.keyAlgorithm&&(n.alg=e.jwt.keyAlgorithm),e?.jwt?.encryptionAlgorithm&&(n.enc=e.jwt.encryptionAlgorithm)),{...n,...t}},F=(e,t)=>{let n={};return(p(e)||s(e))&&(e?.jwt?.signingAlgorithm&&(n.algorithms=[e.jwt.signingAlgorithm]),n.issuer=e?.jwt?.issuer,n.audience=e?.jwt?.audience),{...n,...t}},I=(e,t)=>{let n={};return(a(e)||s(e))&&(e?.jwt?.keyAlgorithm&&(n.keyManagementAlgorithms=[e.jwt.keyAlgorithm]),e?.jwt?.encryptionAlgorithm&&(n.contentEncryptionAlgorithms=[e.jwt.encryptionAlgorithm]),n.issuer=e?.jwt?.issuer,n.audience=e?.jwt?.audience),{...n,...t}},L=t=>{let n=Math.floor(Date.now()/1e3);if(t.mexp&&typeof t.mexp==`number`&&n>t.mexp)throw new e(`TOKEN_EXPIRED`,`The token has expired based on its maxExpiration (mexp) claim.`)},R=async(e,n,i)=>{if(f(e)){if(!s(i))throw new t(`INVALID_PEM_KEY_PAIR`,`Multiples PEM Key Pairs from environment variables require 'sealed' JWT mode. 
For 'signed' or 'encrypted' modes, provide a single PEM key pair or a combined key object.`);let{sign:n,encrypt:a}=e,o=r(`SIGNING_ALG`)||r(`SIGNING_ALGORITHM`)||i?.jwt.signingAlgorithm||`RS256`,c=r(`ENCRYPTION_ALG`)||r(`ENCRYPTION_ALGORITHM`)||i?.jwt.keyAlgorithm||`RSA-OAEP-256`,l=await Y(n,o),u=await Y(a,c);return{jwsSecret:l,jweSecret:u,jwtSecret:{sign:l,encrypt:u}}}if(u(e)){if(s(i))throw new t(`INVALID_PEM_KEY_PAIR`,`Single PEM key pairs from environment variables require 'signed' or 'encrypted' JWT mode. For 'sealed' mode, provide separate signing and encryption keys or a combined key object.`);let{publicKey:n,privateKey:o}=await Y(e,r(`ALGORITHM`)||r(`ALG`)||(p(i)?i?.jwt?.signingAlgorithm:void 0)||(a(i)?i?.jwt?.keyAlgorithm:void 0)||`RS256`);return{jwsSecret:{publicKey:n,privateKey:o},jweSecret:{publicKey:n,privateKey:o},jwtSecret:{sign:{publicKey:n,privateKey:o},encrypt:{publicKey:n,privateKey:o}}}}if(c(e))return{jwsSecret:e.sign,jweSecret:e.encrypt,jwtSecret:{sign:e.sign,encrypt:e.encrypt}};if(d(e)||m(e)||o(e))return{jwsSecret:e,jweSecret:e,jwtSecret:{sign:e,encrypt:e}};let[l,h]=await Promise.all([T(e,n,`aura:signing`),T(e,n,`aura:encryption`)]);return{jwsSecret:l,jweSecret:h,jwtSecret:{sign:l,encrypt:h}}},z=e=>{let t=r(`${e}${e&&`_`}PUBLIC_KEY`),n=r(`${e}${e&&`_`}PRIVATE_KEY`);return t&&n?{publicKey:t,privateKey:n}:null},B=e=>{if(e??=r(`SECRET`),e)return e;let t=z(``);if(t)return t;let i=z(`SIGNING`),a=z(`ENCRYPTION`);if(i&&a)return{sign:i,encrypt:a};throw new n(`JOSE_INITIALIZATION_FAILED`,`AURA_AUTH_SECRET environment variable is not set and no secret was provided.`)},V=(e,t)=>{let i=B(e),a=r(`SALT`);if(!a)throw new n(`JOSE_INITIALIZATION_FAILED`,`AURA_AUTH_SALT or AUTH_SALT environment variable is not set. A salt value is required for key derivation.`);try{k(a)}catch(e){throw new n(`INVALID_SALT_SECRET_VALUE`,`AURA_AUTH_SALT/AUTH_SALT is invalid. 
It must be at least 32 bytes long and meet entropy requirements.`,{cause:e})}let o=(async()=>{let{jwsSecret:e,jweSecret:n,jwtSecret:r}=await R(i,a,t);return{jwt:O(r),jws:D(e),jwe:E(n)}})();return{signJWS:async(e,n)=>{let{jws:r}=await o;return r.signJWS(M(e,t),N(t,n))},verifyJWS:async(e,n)=>{let{jws:r}=await o,i=await r.verifyJWS(e,F(t,n));return L(i),i},encryptJWE:async(e,n)=>{let{jwe:r}=await o;return r.encryptJWE(M(e,t),P(t,n))},decryptJWE:async(e,n)=>{let{jwe:r}=await o,i=await r.decryptJWE(e,I(t,n));return L(i),i},encodeJWT:async(e,n)=>{let{jwt:r}=await o;return await r.encodeJWT(M(e,t),{sign:N(t,n?.sign),encrypt:P(t,n?.encrypt)})},decodeJWT:async(e,n)=>{let{jwt:r}=await o,i=await r.decodeJWT(e,{verify:F(t,n?.verify),decrypt:I(t,n?.decrypt)});return L(i),i}}},H=(e=32)=>y.encode(_(e)),U=async e=>{let t=await v().digest(`SHA-256`,g.encode(e));return y.encode(new Uint8Array(t))},W=async t=>{let n=t?void 0:Math.floor(Math.random()*65+32),r=t??H(n??64);if(r.length<43||r.length>128)throw new e(`PKCE_VERIFIER_INVALID`,`The code verifier must be between 43 and 128 characters in length.`);return{codeVerifier:r,codeChallenge:await U(r),method:`S256`}},G=async(e,t)=>{try{if(t)return await e.verifyJWS(t),t;let n=H(32);return e.signJWS({token:n})}catch{let t=H(32);return e.signJWS({token:t})}},K=async(t,n,r)=>{try{let a=await t.verifyJWS(n),o=await t.verifyJWS(r);if(!h(a))throw new e(`CSRF_TOKEN_INVALID`,`Cookie payload missing token field.`);if(!h(o))throw new e(`CSRF_TOKEN_INVALID`,`Header payload missing token field.`);if(!i(a.token.length,o.token.length)||!l(a.token,o.token))throw new e(`CSRF_TOKEN_INVALID`,`The CSRF tokens do not match.`);return!0}catch{throw new e(`CSRF_TOKEN_INVALID`,`The CSRF tokens do not match.`)}},q=async(e,t,n=1e5)=>{let r=v(),i=t?y.decode(t):_(16),a=await r.importKey(`raw`,g.encode(e),`PBKDF2`,!1,[`deriveBits`]),o=await r.deriveBits({name:`PBKDF2`,salt:i,iterations:n,hash:`SHA-256`},a,256),s=new 
Uint8Array(o),c=y.encode(s);return`pbkdf2-sha256:${n}:${y.encode(i)}:${c}`},J=async(e,t)=>{try{let n=t.split(`:`);if(n.length!==4)return!1;let[r,i,a]=n;if(r!==`pbkdf2-sha256`)return!1;let o=parseInt(i,10);if(isNaN(o))return!1;let[,,,s]=(await q(e,a,o)).split(`:`),[,,,c]=t.split(`:`);return!s||!c?!1:l(s,c)}catch{return!1}},Y=async(e,t)=>{let n=await C(e.privateKey,t,{extractable:!0});return{publicKey:await w(e.publicKey,t,{extractable:!0}),privateKey:n}},X=async(e,t)=>{let{publicKey:n,privateKey:r}=await x(e,t);return{publicKey:await b(n),privateKey:await b(r)}};export{H as a,Y as c,V as d,W as i,K as l,U as n,X as o,S as r,q as s,G as t,J as u};
@@ -1 +0,0 @@
1
- const e=e=>`captureStackTrace`in e&&typeof e.captureStackTrace==`function`;var t=class extends Error{type=`OAUTH_PROTOCOL_ERROR`;error;errorURI;constructor(t,n,r,i){super(n,i),this.error=t,this.errorURI=r,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},n=class extends Error{type=`AUTH_INTERNAL_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},r=class extends Error{type=`AUTH_SECURITY_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},i=class extends Error{type=`AUTH_CLIENT_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},a=class extends Error{type=`AUTH_INVALID_CONFIGURATION_ERROR`;constructor(t,n){super(t,n),this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},o=class extends Error{type=`AUTH_VALIDATION_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},s=class extends Error{type=`JOSE_INITIALIZATION_FAILED`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}};const c=e=>e instanceof Error,l=e=>e instanceof t,u=e=>e instanceof n,d=e=>e instanceof r,f=e=>e instanceof i,p=e=>e instanceof o,m=e=>u(e)||d(e)||f(e)||p(e);export{r as a,m as c,p as d,c as f,s as i,u as l,n,o,l as p,a as r,t as s,i as t,d as u};
@@ -1 +0,0 @@
1
- const e=e=>`captureStackTrace`in e&&typeof e.captureStackTrace==`function`;var t=class extends Error{type=`OAUTH_PROTOCOL_ERROR`;error;errorURI;constructor(t,n,r,i){super(n,i),this.error=t,this.errorURI=r,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},n=class extends Error{type=`AUTH_INTERNAL_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},r=class extends Error{type=`AUTH_SECURITY_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},i=class extends Error{type=`AUTH_CLIENT_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},a=class extends Error{type=`AUTH_INVALID_CONFIGURATION_ERROR`;constructor(t,n){super(t,n),this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},o=class extends Error{type=`AUTH_VALIDATION_ERROR`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}},s=class extends Error{type=`JOSE_INITIALIZATION_FAILED`;code;constructor(t,n,r){super(n,r),this.code=t,this.name=new.target.name,e(Error)&&Error.captureStackTrace(this,new.target)}};const c=e=>e instanceof Error,l=e=>e instanceof t,u=e=>e instanceof n,d=e=>e instanceof r,f=e=>e instanceof i,p=e=>e instanceof o,m=e=>u(e)||d(e)||f(e)||p(e);Object.defineProperty(exports,`a`,{enumerable:!0,get:function(){return r}}),Object.defineProperty(exports,`c`,{enumerable:!0,get:function(){return m}}),Object.defineProperty(exports,`d`,{enumerable:!0,get:function(){return p}}),Object.defineProperty(exports,`f`,{enumerable:!0,get:function(){return c}}),Object.defineProperty(exports,`i`,{enumerable:!0,get:function(){return s}}),Object.defineProperty(exports,`l`,{enumerable:!0,get:function(){return 
u}}),Object.defineProperty(exports,`n`,{enumerable:!0,get:function(){return n}}),Object.defineProperty(exports,`o`,{enumerable:!0,get:function(){return o}}),Object.defineProperty(exports,`p`,{enumerable:!0,get:function(){return l}}),Object.defineProperty(exports,`r`,{enumerable:!0,get:function(){return a}}),Object.defineProperty(exports,`s`,{enumerable:!0,get:function(){return t}}),Object.defineProperty(exports,`t`,{enumerable:!0,get:function(){return i}}),Object.defineProperty(exports,`u`,{enumerable:!0,get:function(){return d}});