@blakearoberts/visage 0.0.1-rc.18 → 0.0.1-rc.20

package/README.md

@@ -27,7 +27,7 @@ Start Vite normally:
 vite
 ```
 
-By default, you can reach the app at [https://localhost:9001/](https://localhost:9001/). You will be redirected to Dex to sign in. The default username and password is `user@example.com` and `pass`.
+By default, you can reach the app at `https://localhost:9001`. You will be redirected to Dex to sign in. The default username and password is `user@example.com` and `pass`.
 
 ## Why Visage
 
@@ -72,17 +72,21 @@ visage({
 });
 ```
 
-Authenticated upstream locations forward the OIDC ID token as the upstream
-`Authorization` bearer value by default. Set `auth.forward` to `'access'` for
-legacy upstreams that explicitly expect the OAuth access token as
-`Authorization: Bearer ...`.
+Authenticated upstream locations do not forward bearer tokens by default. Set
+`auth.forward` to `true` to forward the default bearer token for the upstream
+kind: external upstreams receive the OAuth access token, while local service
+upstreams receive the OIDC ID token.
+
+Hosted backend APIs that validate bearer auth should generally receive the
+access token, provided the token is issued for that API's issuer, audience, and
+scopes. Use `'access'` or `'id'` when you need to force a specific token kind.
 
 ```ts
 visage({
   upstreams: {
     api: {
       locations: {
-        '/api/': { auth: { forward: 'access' } },
+        '/api/': { auth: { forward: true } },
       },
     },
   },
@@ -93,6 +97,20 @@ OAuth2 Proxy identity values can also be mapped explicitly through headers such
 as `$auth_user`, `$auth_email`, `$auth_groups`, and
 `$auth_preferred_username`.
 
+### External IdPs
+
+External OIDC providers use issuer discovery by default:
+
+```ts
+visage({
+  idp: { issuer: 'https://idp.example.test/oauth2/default' },
+});
+```
+
+Configure `authorization`, `token`, or `jwks` only when the provider endpoints
+must be rendered explicitly instead of discovered from the issuer. Configure
+`end_session_endpoint` when the provider supports OIDC end-session redirects.
+
 See [`VisageOptions`](src/types.ts) for the full option surface.
 
 ## Expected Local URLs
@@ -139,11 +157,11 @@ Visage downloads [`mkcert`](https://github.com/FiloSottile/mkcert) from `dl.fili
 
 Visage pulls these as needed based on configuration:
 
-| Service                                                      | Image                                                                                               | Source                    |
-| ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- | ------------------------- |
-| [NGINX](https://nginx.org/)                                  | [`nginx:1.30.0-alpine`](https://hub.docker.com/_/nginx)                                             | Docker Hub                |
-| [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | [`quay.io/oauth2-proxy/oauth2-proxy:v7.15.2`](https://quay.io/repository/oauth2-proxy/oauth2-proxy) | Quay                      |
-| [Dex](https://dexidp.io/)                                    | [`ghcr.io/dexidp/dex:v2.45.1`](https://github.com/dexidp/dex/pkgs/container/dex)                    | GitHub Container Registry |
+| Service                                                      | Image                                                                                       | Pin                                   |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------- | ------------------------------------- |
+| [NGINX](https://nginx.org/)                                  | [`nginx`](https://hub.docker.com/_/nginx)                                                   | [manifest](docker-compose.images.yml) |
+| [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) | [`quay.io/oauth2-proxy/oauth2-proxy`](https://quay.io/repository/oauth2-proxy/oauth2-proxy) | [manifest](docker-compose.images.yml) |
+| [Dex](https://dexidp.io/)                                    | [`ghcr.io/dexidp/dex`](https://github.com/dexidp/dex/pkgs/container/dex)                    | [manifest](docker-compose.images.yml) |
 
 ## Security Notes
 
@@ -160,7 +178,7 @@ Do not treat the managed Dex and OAuth2 Proxy defaults as production auth infras
 
 ## TO-DO
 
-- [ ] Support OIDC auto-discovery with external IdP configuration.
+- [ ] Support CSRF (click-jacking) mitigations/projections.
 - [ ] Support configuring [Dex connectors](https://dexidp.io/docs/connectors/).
 - [ ] Support configuring Dex on a distinct subdomain, such as `auth.localhost`.
 - [ ] Support optional [HTTP mode without local TLS](docs/tls-http-mode.md).

package/dist/certs.d.ts

@@ -1,7 +1,3 @@
-type Options = {
-    certs: string;
-    hostname: string;
-};
-export declare function ensureCerts({ certs, hostname }: Options): Promise<void>;
-export {};
+import type { VisageConfig } from './config';
+export declare function ensureCerts(config: VisageConfig): Promise<void>;
 //# sourceMappingURL=certs.d.ts.map

package/dist/certs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../src/certs.ts"],"names":[],"mappings":"AAcA,KAAK,OAAO,GAAG;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAIF,wBAAsB,WAAW,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CA0C7E"}
+{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../src/certs.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAI7C,wBAAsB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAqCrE"}

package/dist/compose.d.ts

@@ -1,4 +1,5 @@
+import type { VisageConfig } from './config';
 type StopCompose = () => void;
-export declare function startCompose(file: string): StopCompose;
+export declare function startCompose(config: VisageConfig): StopCompose;
 export {};
 //# sourceMappingURL=compose.d.ts.map

package/dist/compose.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAIA,KAAK,WAAW,GAAG,MAAM,IAAI,CAAC;AAI9B,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAwCtD"}
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,KAAK,WAAW,GAAG,MAAM,IAAI,CAAC;AAI9B,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,WAAW,CAmC9D"}

package/dist/config.d.ts

@@ -27,21 +27,33 @@ type ResolvedVisageOptions = {
     readonly services: Readonly<Record<string, VisageService>>;
     readonly upstreams: Record<string, VisageUpstream>;
 };
-type ResolvedBaseIdpConfig = {
-    readonly upstream: string;
+type OIDCEndpointConfig = {
     readonly issuer: string;
+    readonly authorization?: string;
+    readonly token?: string;
+    readonly jwks?: string;
+    readonly end_session_endpoint?: string;
+};
+type ManualOIDCEndpointConfig = OIDCEndpointConfig & {
     readonly authorization: string;
     readonly token: string;
     readonly jwks: string;
 };
-type ResolvedDexIdpConfig = ResolvedBaseIdpConfig & {
+type ResolvedDexIdpConfig = {
     readonly dex: {
         readonly expiry?: VisageDexExpiry;
         readonly users: readonly VisageDexUser[];
     };
+    readonly oidc: ManualOIDCEndpointConfig;
+    readonly upstream: {
+        readonly dex: ResolvedUpstream;
+    };
 };
-type ResolvedExternalIdpConfig = ResolvedBaseIdpConfig & {
-    readonly dex?: never;
+type ResolvedExternalIdpConfig = {
+    readonly oidc: OIDCEndpointConfig;
+    readonly upstream: {
+        readonly idp: ResolvedUpstream;
+    };
 };
 type ResolvedIdpConfig = ResolvedDexIdpConfig | ResolvedExternalIdpConfig;
 type ResolvedService = Omit<VisageService, 'upstream'> & {
@@ -53,8 +65,13 @@ type ResolvedUpstream = {
     readonly port: number;
     readonly locations: Readonly<Record<string, VisageProxyPolicy>>;
 };
+type ResolvedAuthPolicy = {
+    readonly enabled: boolean;
+    readonly forward: false | 'id' | 'access';
+    readonly redirect: boolean;
+};
 type ResolvedProxyPolicy = {
-    readonly auth: Required<VisageProxyPolicy['auth']>;
+    readonly auth: ResolvedAuthPolicy;
     readonly headers: Readonly<Record<string, string>>;
     readonly directives: Readonly<Record<string, readonly string[]>>;
 };
@@ -78,6 +95,10 @@ export type VisageConfig = {
         readonly clientSecret: Volume;
         readonly cookieSecret: Volume;
     };
+    readonly network: {
+        readonly name: string;
+        readonly trustedProxyIps: readonly string[];
+    };
     readonly services: Readonly<Record<string, ResolvedService>>;
     readonly upstreams: Readonly<Record<string, ResolvedConfigUpstream>>;
 };

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAEjB,KAAK,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;AAElD,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;CACrC,CAAC;AAEF,KAAK,iBAAiB,GAClB;IACE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC;CAChC,GACD,wBAAwB,CAAC;AAE7B,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACpD,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,CAAC;AACF,KAAK,oBAAoB,GAAG,qBAAqB,GAAG;IAClD,QAAQ,CAAC,GAAG,EAAE;QACZ,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;QAClC,QAAQ,CAAC,KAAK,EAAE,SAAS,aAAa,EAAE,CAAC;KAC1C,CAAC;CACH,CAAC;AACF,KAAK,yBAAyB,GAAG,qBAAqB,GAAG;IACvD,QAAQ,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC;CACtB,CAAC;AACF,KAAK,iBAAiB,GAAG,oBAAoB,GAAG,yBAAyB,CAAC;AAE1E,KAAK,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,GAAG;IACvD,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;CACzD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;CACjE,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,KAAK,sBAAsB,GAAG,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,GAAG;IAClE,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAClE,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IAEtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC;IAEF,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IAC7D,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC;CACtE,CAAC;AA0FF,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,qBAAqB,CAuC5E;AAwJD,wBAAgB,aAAa,CAC3B,OAAO,EAAE,qBAAqB,EAC9B,KAAK,EAAE,MAAM,GACZ,YAAY,CAmEd;AAqBD,wBAAgB,mBAAmB,CACjC,IAAI,GAAE,cAAkC,GACvC,cAAc,CAwBhB"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,aAAa,EACb,iBAAiB,EACjB,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAEjB,KAAK,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;AAElD,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;CACrC,CAAC;AAEF,KAAK,iBAAiB,GAClB;IAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;CAAE,GAClC,wBAAwB,CAAC;AAE7B,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,YAAY,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;IAC3D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACpD,CAAC;AAEF,KAAK,kBAAkB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC,CAAC;AAEF,KAAK,wBAAwB,GAAG,kBAAkB,GAAG;IACnD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,KAAK,oBAAoB,GAAG;IAC1B,QAAQ,CAAC,GAAG,EAAE;QACZ,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;QAClC,QAAQ,CAAC,KAAK,EAAE,SAAS,aAAa,EAAE,CAAC;KAC1C,CAAC;IACF,QAAQ,CAAC,IAAI,EAAE,wBAAwB,CAAC;IACxC,QAAQ,CAAC,QAAQ,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;KAAE,CAAC;CACvD,CAAC;AACF,KAAK,yBAAyB,GAAG;IAC/B,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,QAAQ,EAAE;QAAE,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAA;KAAE,CAAC;CACvD,CAAC;AACF,KAAK,iBAAiB,GAAG,oBAAoB,GAAG,yBAAyB,CAAC;AAE1E,KAAK,eAAe,GAAG,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,GAAG;IACvD,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;CACzD,CAAC;AAEF,KAAK,gBAAgB,GAAG;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC;CACjE,CAAC;AAEF,KAAK,kBAAkB,GAAG;IACxB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,KAAK,GAAG,IAAI,GAAG,QAAQ,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,KAAK,sBAAsB,GAAG,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,GAAG;IAClE,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAClE,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,GAAG,EAAE,iBAAiB,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IAEtC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE;QACd,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;QACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;QAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC;IACF,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;KAC7C,CAAC;IAEF,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IAC7D,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC;CACtE,CAAC;AAuFF,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,qBAAqB,CA0D5E;AAuED,wBAAgB,aAAa,CAC3B,OAAO,EAAE,qBAAqB,EAC9B,KAAK,EAAE,MAAM,GACZ,YAAY,CAoGd;AAiGD,wBAAgB,mBAAmB,CACjC,IAAI,GAAE,cAAkC,GACvC,cAAc,CAwBhB"}

package/dist/hosts.d.ts

@@ -1,2 +1,3 @@
-export declare function ensureHostEntry(hostname: string): void;
+import type { VisageConfig } from './config';
+export declare function ensureHostEntry({ host }: VisageConfig): void;
 //# sourceMappingURL=hosts.d.ts.map

package/dist/hosts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../src/hosts.ts"],"names":[],"mappings":"AAKA,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAyDtD"}
+{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../src/hosts.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAI7C,wBAAgB,eAAe,CAAC,EAAE,IAAI,EAAE,EAAE,YAAY,GAAG,IAAI,CAyD5D"}

package/dist/index.d.ts

@@ -1,6 +1,4 @@
-import type { Plugin } from 'vite';
-import type { VisageOptions, VisageServer } from './types';
 export type { VisageCookiePolicy, VisageDexExpiry, VisageDexOptions, VisageDexUser, VisageExternalIdpOptions, VisageOAuth2Client, VisageOptions, VisageProxyPolicy, VisageServer, VisageService, VisageUpstream, } from './types';
-export declare function createVisageServer(options: VisageOptions): VisageServer;
-export default function visage(options?: VisageOptions): Plugin;
+export { default, visage } from './plugin';
+export { createVisageServer } from './server';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAOnC,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAC;AAE3E,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC;AAEjB,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,aAAa,GAAG,YAAY,CAgCvE;AAED,MAAM,CAAC,OAAO,UAAU,MAAM,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM,CA4ElE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,wBAAwB,EACxB,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,cAAc,GACf,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -1,111 +1,14 @@
-import { mkdirSync, chmodSync, openSync, rmSync, existsSync, createWriteStream, readFileSync, appendFileSync, writeFileSync } from 'node:fs';
-import { join, dirname } from 'node:path';
+import { join } from 'node:path';
+import { readFileSync, mkdirSync, chmodSync, openSync, rmSync, existsSync, createWriteStream, appendFileSync, writeFileSync } from 'node:fs';
+import { parse, stringify } from 'yaml';
 import { spawnSync, spawn } from 'node:child_process';
 import { homedir } from 'node:os';
 import { Readable } from 'node:stream';
 import { pipeline } from 'node:stream/promises';
-import { stringify } from 'yaml';
 import { hashSync } from 'bcryptjs';
 import { Eta } from 'eta';
 import { randomBytes } from 'node:crypto';
 
-const CACHE_HOME = process.env.XDG_CACHE_HOME || join(homedir(), '.cache');
-async function ensureCerts({ certs, hostname }) {
-    const CAROOT = join(CACHE_HOME, 'visage/ca');
-    mkdirSync(CAROOT, { recursive: true, mode: 0o700 });
-    chmodSync(CAROOT, 0o700);
-    const mkcert = await ensureMkCert();
-    const logs = join(dirname(certs), 'logs');
-    mkdirSync(logs, { recursive: true });
-    const log = join(logs, 'mkcert.log');
-    const output = openSync(log, 'w');
-    const env = { CAROOT, TRUST_STORES: 'system', ...process.env };
-    const tty = process.stdin.isTTY;
-    const stdio = [
-        tty ? 'inherit' : 'ignore',
-        output,
-        output,
-    ];
-    if (process.env.CI !== 'true') {
-        // mkcert -install is idempotent; CA files alone do not prove trust-store state.
-        const result = spawnSync(mkcert, ['-install'], { env, stdio });
-        if (result.error)
-            throw result.error;
-        if (result.status !== 0) {
-            throw new Error('Failed to install CA');
-        }
-    }
-    const cert = join(certs, 'tls.crt');
-    const key = join(certs, 'tls.key');
-    mkdirSync(certs, { recursive: true });
-    rmSync(cert, { force: true });
-    rmSync(key, { force: true });
-    const names = [...new Set([hostname, 'localhost', '127.0.0.1', '::1'])];
-    const args = ['-cert-file', cert, '-key-file', key, ...names];
-    const result = spawnSync(mkcert, args, { env, stdio });
-    if (result.error)
-        throw result.error;
-    if (result.status !== 0) {
-        throw new Error('Failed to generate TLS certificates');
-    }
-}
-async function ensureMkCert() {
-    const bin = join(CACHE_HOME, 'visage/bin');
-    const file = join(bin, `mkcert-${process.platform}-${process.arch}`);
-    if (existsSync(file))
-        return file;
-    mkdirSync(bin, { recursive: true });
-    const base = 'https://dl.filippo.io/mkcert/latest';
-    const arch = process.arch === 'x64' ? 'amd64' : process.arch;
-    const params = `?for=${process.platform}/${arch}`;
-    const url = new URL(params, base);
-    const response = await fetch(url);
-    if (!response.ok || !response.body) {
-        throw new Error('Failed to download mkcert');
-    }
-    await pipeline(Readable.fromWeb(response.body), createWriteStream(file));
-    chmodSync(file, 0o755);
-    return file;
-}
-
-let stopRef;
-function startCompose(file) {
-    stopRef?.();
-    stopRef = undefined;
-    const logs = join(dirname(file), 'logs');
-    mkdirSync(logs, { recursive: true });
-    const output = openSync(join(logs, 'compose.log'), 'w');
-    const compose = [
-        'compose',
-        '--ansi=never',
-        `--file=${file}`,
-        `--project-name=${process.env.COMPOSE_PROJECT_NAME ?? 'visage'}`,
-    ];
-    const env = { ...process.env, COMPOSE_MENU: 'false' };
-    const opts = {
-        cwd: dirname(file),
-        stdio: ['ignore', output, output],
-        env,
-    };
-    const up = [
-        ...compose,
-        'up',
-        '--abort-on-container-failure',
-        '--remove-orphans',
-    ];
-    const child = spawn('docker', up, opts);
-    const stop = () => {
-        if (stopRef !== stop)
-            return;
-        stopRef = undefined;
-        child.kill();
-        const down = [...compose, 'down', '--remove-orphans'];
-        spawnSync('docker', down, opts);
-    };
-    stopRef = stop;
-    return stop;
-}
-
 const BaseFiles = {
     certs: ['./certs', '/etc/nginx/certs'],
     compose: './compose.yaml',
@@ -115,29 +18,24 @@ const BaseFiles = {
     clientSecret: ['./oauth2-client-secret', '/etc/oauth2-proxy/client-secret'],
     cookieSecret: ['./oauth2-cookie-secret', '/etc/oauth2-proxy/cookie-secret'],
 };
+const DockerImages = parse(readFileSync(new URL('../docker-compose.images.yml', import.meta.url), 'utf8')).services;
 const BaseServiceDex = {
-    image: 'ghcr.io/dexidp/dex:v2.45.1',
+    image: DockerImages.dex.image,
     command: ['dex', 'serve', '/etc/dex/dex.yml'],
     restart: 'always',
 };
 const BaseServiceNginx = {
-    image: 'nginx:1.30.0-alpine',
+    image: DockerImages.nginx.image,
     depends_on: ['oauth2_proxy'],
     extra_hosts: ['host.docker.internal:host-gateway'],
     restart: 'always',
 };
 const BaseServiceOAuth2Proxy = {
-    image: 'quay.io/oauth2-proxy/oauth2-proxy:v7.15.2',
+    image: DockerImages.oauth2_proxy.image,
     command: ['--config', '/etc/oauth2-proxy/config.yml'],
     extra_hosts: ['host.docker.internal:host-gateway'],
     restart: 'always',
 };
-const BaseUpstreamDex = {
-    host: 'dex',
-    scheme: 'http',
-    port: 5556,
-    locations: { '/dex/': { auth: { enabled: false } } },
-};
 const BaseUpstreamOauth2Proxy = {
     host: 'oauth2_proxy',
     scheme: 'http',
@@ -159,10 +57,7 @@ const DefaultCookiePolicy = {
     cookie_secret_file: BaseFiles.cookieSecret[1],
 };
 const DefaultDexUsers = [
-    {
-        email: 'user@example.com',
-        password: 'pass',
-    },
+    { email: 'user@example.com', password: 'pass' },
 ];
 const DefaultOAuth2Client = {
     id: 'visage',
@@ -170,7 +65,6 @@ const DefaultOAuth2Client = {
     scopes: ['openid', 'email', 'profile', 'offline_access'],
     emailDomains: ['example.com']};
 const DefaultProxyPolicy = {
-    auth: { enabled: true, forward: 'id', redirect: false },
     headers: {
         Cookie: '""', // Don't forward session cookie.
         Host: '$host',
@@ -183,7 +77,7 @@ const DefaultProxyPolicy = {
     },
 };
 function resolveOptions(options) {
-    const { host = 'localhost', port = 9001, cookie = {}, oauth2 = {} } = options;
+    const { host = 'localhost', port = 9001, cookie = {}, idp = {}, oauth2 = {}, } = options;
     const cookieName = cookie.name ?? 'sess';
     const publicClient = oauth2.clientSecret === null;
     const services = resolveServicesOptions(options.services);
@@ -207,7 +101,19 @@ function resolveOptions(options) {
                 : { cookie_domains: cookie.domains }),
             ...(cookie.path === undefined ? {} : { cookie_path: cookie.path }),
         },
-        idp: resolveIdpOption(options.idp),
+        idp: 'issuer' in idp
+            ? idp
+            : {
+                dex: {
+                    ...(idp.expiry ? { expiry: idp.expiry } : {}),
+                    users: (idp.users ?? DefaultDexUsers).map((user) => ({
+                        email: user.email,
+                        password: user.password,
+                        username: user.username ?? user.email.split('@', 1)[0],
+                        userID: user.userID ?? user.email,
+                    })),
+                },
+            },
         oauth2: {
             id: oauth2.clientId ?? DefaultOAuth2Client.id,
             ...(publicClient
@@ -274,78 +180,28 @@ function resolveUpstreamsOptions(services, upstreams = {}) {
         ])),
     };
 }
-function resolveIdpOption(idp) {
-    if (idp && 'issuer' in idp) {
-        return {
-            issuer: idp.issuer,
-            authorization: idp.authorization ?? '/auth',
-            token: idp.token ?? '/token',
-            jwks: idp.jwks ?? '/keys',
-        };
-    }
-    return {
-        dex: {
-            ...(idp?.expiry ? { expiry: idp.expiry } : {}),
-            users: (idp?.users ?? DefaultDexUsers).map((user) => ({
-                email: user.email,
-                password: user.password,
-                username: user.username ?? user.email.split('@', 1)[0],
-                userID: user.userID ?? user.email,
-            })),
-        },
-    };
-}
-function resolveDirectives(directives = {}) {
-    return Object.fromEntries(Object.entries(directives).map(([name, value]) => [
-        name,
-        Array.isArray(value) ? value : [value],
-    ]));
-}
-function resolveIdpConfig({ host, port, idp, }) {
-    if ('dex' in idp) {
-        const issuer = `https://${host}:${port}/dex`;
-        const upstream = `http://dex:5556/dex`;
-        return {
-            upstream: 'dex',
-            issuer,
-            authorization: `${issuer}/auth`,
-            token: `${upstream}/token`,
-            jwks: `${upstream}/keys`,
-            dex: {
-                expiry: idp.dex.expiry,
-                users: (idp.dex?.users ?? DefaultDexUsers).map((user) => ({
-                    email: user.email,
-                    password: user.password,
-                    username: user.username ?? user.email.split('@', 1)[0],
-                    userID: user.userID ?? user.email,
-                })),
-            },
-        };
-    }
-    return {
-        upstream: 'idp',
-        issuer: idp.issuer,
-        authorization: idp.issuer + (idp.authorization ?? '/auth'),
-        token: idp.issuer + (idp.token ?? '/token'),
-        jwks: idp.issuer + (idp.jwks ?? '/keys'),
-    };
-}
-function resolveExternalIdpUpstream(idp) {
-    const issuer = new URL(idp.issuer);
-    return {
-        host: issuer.hostname,
-        locations: {},
-        scheme: issuer.protocol === 'https:' ? 'https' : 'http',
-        port: Number(issuer.port) || (issuer.protocol === 'https:' ? 443 : 80),
-    };
-}
 function resolveConfig(options, cache) {
     const idp = resolveIdpConfig(options);
     const upstreams = {
-        oauth2_proxy: BaseUpstreamOauth2Proxy,
-        ...(idp.dex === undefined
-            ? { idp: resolveExternalIdpUpstream(idp) }
-            : { dex: BaseUpstreamDex }),
+        oauth2_proxy: {
+            ...BaseUpstreamOauth2Proxy,
+            locations: {
+                ...BaseUpstreamOauth2Proxy.locations,
+                '/oauth2/sign_out': {
+                    auth: { enabled: false },
+                    headers: {
+                        Cookie: '$http_cookie', // Forward session cookie.
+                        'X-Auth-Request-Redirect': idp.oidc.end_session_endpoint
+                            ? JSON.stringify(idp.oidc.end_session_endpoint +
+                                (idp.oidc.end_session_endpoint.includes('?') ? '&' : '?') +
+                                'id_token_hint={id_token}&post_logout_redirect_uri=' +
+                                encodeURIComponent(`https://${options.host}:${options.port}/`))
+                            : '/',
+                    },
+                },
+            },
+        },
+        ...idp.upstream,
         ...options.upstreams,
     };
     return {
@@ -355,15 +211,19 @@ function resolveConfig(options, cache) {
         idp,
         oauth2: options.oauth2,
         cache,
-        files: { ...BaseFiles },
+        files: BaseFiles,
+        network: {
+            name: `${process.env.COMPOSE_PROJECT_NAME ?? 'visage'}_nginx`,
+            trustedProxyIps: [],
+        },
         services: {
-            ...(idp.dex === undefined
-                ? { nginx: BaseServiceNginx, oauth2_proxy: BaseServiceOAuth2Proxy }
-                : {
+            ...('dex' in idp
+                ? {
                     dex: BaseServiceDex,
                     nginx: { ...BaseServiceNginx, depends_on: ['dex', 'oauth2_proxy'] },
                     oauth2_proxy: { ...BaseServiceOAuth2Proxy, depends_on: ['dex'] },
-                }),
+                }
+                : { nginx: BaseServiceNginx, oauth2_proxy: BaseServiceOAuth2Proxy }),
             ...Object.fromEntries(Object.entries(options.services).map(([name, { upstream: _upstream, ...service }]) => [
                 name,
                 { restart: 'on-failure', ...service },
@@ -380,7 +240,7 @@ function resolveConfig(options, cache) {
                     locations: Object.fromEntries(Object.entries(upstream.locations ?? {}).map(([path, policy]) => [
                         path,
                         {
-                            auth: { ...DefaultProxyPolicy.auth, ...policy.auth },
+                            auth: resolveAuthPolicy(policy.auth, external && name !== 'vite'),
                             headers: {
                                 ...(external
                                     ? { ...DefaultProxyPolicy.headers, Host: upstream.host }
@@ -389,7 +249,10 @@ function resolveConfig(options, cache) {
                             },
                             directives: {
                                 ...DefaultProxyPolicy.directives,
-                                ...resolveDirectives(policy.directives),
+                                ...Object.fromEntries(Object.entries(policy.directives ?? {}).map(([name, value]) => [
+                                    name,
+                                    Array.isArray(value) ? value : [value],
+                                ])),
                             },
                         },
                     ])),
@@ -398,12 +261,77 @@ function resolveConfig(options, cache) {
         })),
     };
 }
+function resolveIdpConfig({ host, port, idp, }) {
+    if ('dex' in idp) {
+        return {
+            dex: {
+                expiry: idp.dex.expiry,
+                users: (idp.dex?.users ?? DefaultDexUsers).map((user) => ({
+                    email: user.email,
+                    password: user.password,
+                    username: user.username ?? user.email.split('@', 1)[0],
+                    userID: user.userID ?? user.email,
+                })),
+            },
+            oidc: {
+                issuer: `https://${host}:${port}/dex`,
+                authorization: `https://${host}:${port}/dex/auth`,
+                token: 'http://dex:5556/dex/token',
+                jwks: 'http://dex:5556/dex/keys',
+            },
+            upstream: {
+                dex: {
+                    host: 'dex',
+                    scheme: 'http',
+                    port: 5556,
+                    locations: { '/dex/': { auth: { enabled: false } } },
+                },
+            },
+        };
+    }
+    const issuer = new URL(idp.issuer);
+    const oidc = {
+        issuer: idp.issuer,
+        ...(idp.end_session_endpoint === undefined
+            ? {}
+            : { end_session_endpoint: idp.end_session_endpoint }),
+    };
+    return {
+        oidc: !idp.authorization && !idp.token && !idp.jwks
+            ? oidc
+            : {
+                ...oidc,
+                authorization: idp.issuer + (idp.authorization ?? '/auth'),
+                token: idp.issuer + (idp.token ?? '/token'),
+                jwks: idp.issuer + (idp.jwks ?? '/keys'),
+            },
+        upstream: {
+            idp: {
+                scheme: issuer.protocol === 'https:' ? 'https' : 'http',
+                host: issuer.hostname,
+                port: Number(issuer.port) || (issuer.protocol === 'https:' ? 443 : 80),
+                locations: {},
+            },
+        },
+    };
+}
+function resolveAuthPolicy(auth = {}, external) {
+    return {
+        enabled: auth.enabled ?? true,
+        forward: auth.forward === true
+            ? external
+                ? 'access'
+                : 'id'
+            : (auth.forward ?? false),
+        redirect: auth.redirect ?? false,
+    };
+}
 const BaseViteUpstream = {
     host: 'host.docker.internal',
     scheme: 'http',
     locations: {
         '/': {
-            auth: { forward: undefined, redirect: true },
+            auth: { redirect: true },
             headers: {
                 Host: '$host',
                 Upgrade: '$http_upgrade',
@@ -441,12 +369,99 @@ function resolveViteUpstream(vite = { locations: {} }) {
     };
 }
 
+const CACHE_HOME = process.env.XDG_CACHE_HOME || join(homedir(), '.cache');
+async function ensureCerts(config) {
+    const CAROOT = join(CACHE_HOME, 'visage/ca');
+    mkdirSync(CAROOT, { recursive: true, mode: 0o700 });
+    chmodSync(CAROOT, 0o700);
+    const mkcert = await ensureMkCert();
+    mkdirSync(join(config.cache, 'logs'), { recursive: true });
+    const out = openSync(join(config.cache, 'logs', 'mkcert.log'), 'w');
+    const env = { CAROOT, TRUST_STORES: 'system', ...process.env };
+    const tty = process.stdin.isTTY;
+    const stdio = [tty ? 'inherit' : 'ignore', out, out];
+    if (process.env.CI !== 'true') {
+        // mkcert -install is idempotent; CA files alone do not prove trust-store state.
+        const result = spawnSync(mkcert, ['-install'], { env, stdio });
+        if (result.error)
+            throw result.error;
+        if (result.status !== 0) {
+            throw new Error('Failed to install CA');
+        }
+    }
+    const certs = join(config.cache, config.files.certs[0]);
+    const cert = join(certs, 'tls.crt');
+    const key = join(certs, 'tls.key');
+    mkdirSync(certs, { recursive: true });
+    rmSync(cert, { force: true });
+    rmSync(key, { force: true });
+    const names = [...new Set([config.host, 'localhost', '127.0.0.1', '::1'])];
+    const args = ['-cert-file', cert, '-key-file', key, ...names];
+    const result = spawnSync(mkcert, args, { env, stdio });
+    if (result.error)
+        throw result.error;
+    if (result.status !== 0) {
+        throw new Error('Failed to generate TLS certificates');
+    }
+}
+async function ensureMkCert() {
+    const bin = join(CACHE_HOME, 'visage/bin');
+    const file = join(bin, `mkcert-${process.platform}-${process.arch}`);
+    if (existsSync(file))
+        return file;
+    mkdirSync(bin, { recursive: true });
+    const base = 'https://dl.filippo.io/mkcert/latest';
+    const arch = process.arch === 'x64' ? 'amd64' : process.arch;
+    const params = `?for=${process.platform}/${arch}`;
+    const url = new URL(params, base);
+    const response = await fetch(url);
+    if (!response.ok || !response.body) {
+        throw new Error('Failed to download mkcert');
+    }
+    await pipeline(Readable.fromWeb(response.body), createWriteStream(file));
+    chmodSync(file, 0o755);
+    return file;
+}
+
+let stopRef;
+function startCompose(config) {
+    stopRef?.();
+    stopRef = undefined;
+    const file = join(config.cache, config.files.compose);
+    const logs = join(config.cache, 'logs');
+    const output = openSync(join(logs, 'compose.log'), 'w');
+    const compose = [
+        'compose',
+        '--ansi=never',
+        `--file=${file}`,
+        `--project-name=${process.env.COMPOSE_PROJECT_NAME ?? 'visage'}`,
+    ];
+    const env = { ...process.env, COMPOSE_MENU: 'false' };
+    const opts = {
+        cwd: config.cache,
+        stdio: ['ignore', output, output],
+        env,
+    };
+    const up = [...compose, 'up', '--remove-orphans'];
+    const child = spawn('docker', up, opts);
+    const stop = () => {
+        if (stopRef !== stop)
+            return;
+        stopRef = undefined;
+        child.kill();
+        const down = [...compose, 'down', '--remove-orphans'];
+        spawnSync('docker', down, opts);
+    };
+    stopRef = stop;
+    return stop;
+}
+
 const HOSTS_FILE = '/etc/hosts';
-function ensureHostEntry(hostname) {
-    if (!hostname ||
-        hostname.trim() !== hostname ||
-        hostname.includes('/') ||
-        hostname.includes(':')) {
+function ensureHostEntry({ host }) {
+    if (!host ||
+        host.trim() !== host ||
+        host.includes('/') ||
+        host.includes(':')) {
         throw new Error('Invalid hostname');
     }
     const contents = readFileSync(HOSTS_FILE, 'utf8');
@@ -456,7 +471,7 @@ function ensureHostEntry(hostname) {
             continue;
         }
         const [address, ...names] = uncommented.split(/\s+/);
-        if (!names.includes(hostname)) {
+        if (!names.includes(host)) {
             continue;
         }
         if (address === '127.0.0.1' || address === '::1') {
@@ -466,7 +481,7 @@ function ensureHostEntry(hostname) {
         throw new Error('Hosts file contains a conflicting entry');
     }
     const prefix = contents.endsWith('\n') ? '' : '\n';
-    const entry = `${prefix}127.0.0.1\t${hostname} # visage\n`;
+    const entry = `${prefix}127.0.0.1\t${host} # visage\n`;
     try {
         appendFileSync(HOSTS_FILE, entry);
         return;
@@ -486,6 +501,65 @@ function ensureHostEntry(hostname) {
     }
 }
 
+function ensureNginxNetwork(config) {
+    const exists = spawnSync('docker', [
+        'network',
+        'ls',
+        '--filter',
+        `name=${config.network.name}`,
+        '--format',
+        '{{ .Name }}',
+    ], { encoding: 'utf-8' });
+    if (exists.error)
+        throw exists.error;
+    if (exists.status !== 0) {
+        console.error(exists.stderr);
+        throw new Error('Failed to list Docker network');
+    }
+    if (exists.stdout) {
+        return {
+            ...config,
+            network: {
+                ...config.network,
+                trustedProxyIps: inspectNetwork(config.network.name),
+            },
+        };
+    }
+    const create = spawnSync('docker', ['network', 'create', '--driver', 'bridge', config.network.name], { encoding: 'utf-8' });
+    if (create.error)
+        throw create.error;
+    if (create.status !== 0) {
+        console.error(create.stderr);
+        throw new Error('Failed to create Docker network');
+    }
+    return {
+        ...config,
+        network: {
+            ...config.network,
+            trustedProxyIps: inspectNetwork(config.network.name),
+        },
+    };
+}
+function inspectNetwork(name) {
+    const result = spawnSync('docker', [
+        'network',
+        'inspect',
+        '--format',
+        '{{range .IPAM.Config}}{{println .Subnet}}{{end}}',
+        name,
+    ], { encoding: 'utf-8' });
+    if (result.error)
+        throw result.error;
+    if (result.status !== 0) {
+        console.error(result.stderr);
+        throw new Error('Failed to inspect Docker network');
+    }
+    return result.stdout
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean);
+}
+
 function writeComposeConfig(config) {
     const file = join(config.cache, config.files.compose);
     const render = renderComposeConfig(config);
@@ -494,8 +568,9 @@ function writeComposeConfig(config) {
 function renderComposeConfig(config) {
     const { dex, nginx, oauth2_proxy, ...services } = config.services;
     return stringify({
+        networks: { default: { external: true, name: config.network.name } },
         services: {
-            ...(config.idp.dex !== undefined
+            ...('dex' in config.idp
                 ? {
                     dex: {
                         ...config.services.dex,
@@ -526,38 +601,34 @@ function renderComposeConfig(config) {
 }
 
 function writeDexConfig(config) {
-    const file = join(config.cache, config.files.dex[0]);
     const render = renderDexConfig(config);
+    const file = join(config.cache, config.files.dex[0]);
     writeFileSync(file, render, 'utf-8');
 }
 function renderDexConfig(config) {
-    const { idp } = config;
-    if (idp.dex === undefined) {
-        throw new Error('Dex config is required to render Dex');
-    }
-    const origin = `https://${config.host}:${config.port}`;
-    const redirect = `${origin}/oauth2/callback`;
-    const upstream = config.upstreams[idp.upstream];
+    if (!('dex' in config.idp))
+        throw new Error('Dex config missing');
+    const { host, port, oauth2, idp: { dex: { expiry, users }, oidc, upstream, }, } = config;
     return stringify({
-        issuer: idp.issuer,
+        issuer: oidc.issuer,
         storage: { type: 'memory' },
-        web: { http: `0.0.0.0:${upstream.port}` },
+        web: { http: `0.0.0.0:${upstream.dex.port}` },
         oauth2: { skipApprovalScreen: true },
         staticClients: [
             {
-                id: config.oauth2.id,
+                id: oauth2.id,
                 name: 'Visage',
-                ...(config.oauth2.secret === undefined
+                ...(oauth2.secret === undefined
                     ? { public: true }
-                    : { secret: config.oauth2.secret }),
-                redirectURIs: [redirect],
+                    : { secret: oauth2.secret }),
+                redirectURIs: [`https://${host}:${port}/oauth2/callback`],
             },
         ],
         enablePasswordDB: true,
-        ...(idp.dex.expiry === undefined ? {} : { expiry: idp.dex.expiry }),
-        staticPasswords: idp.dex.users.map(({ password, ...user }) => ({
+        ...(expiry === undefined ? {} : { expiry }),
+        staticPasswords: users.map(({ password, ...user }) => ({
             ...user,
-            hash: hashSync(password, 10),
+            hash: hashSync(password),
         })),
     });
 }
@@ -703,11 +774,15 @@ function renderOauth2ProxyConfig(config) {
     const data = {
         http_address: `0.0.0.0:${config.upstreams.oauth2_proxy.port}`,
         provider: 'oidc',
-        oidc_issuer_url: config.idp.issuer,
-        skip_oidc_discovery: true,
-        login_url: config.idp.authorization,
-        redeem_url: config.idp.token,
-        oidc_jwks_url: config.idp.jwks,
+        oidc_issuer_url: config.idp.oidc.issuer,
+        ...('authorization' in config.idp.oidc
+            ? {
+                skip_oidc_discovery: true,
+                login_url: config.idp.oidc.authorization,
+                redeem_url: config.idp.oidc.token,
+                oidc_jwks_url: config.idp.oidc.jwks,
+            }
+            : {}),
         redirect_url: `https://${config.host}:${config.port}/oauth2/callback`,
         client_id: config.oauth2.id,
         ...(config.oauth2.secret === undefined
@@ -723,9 +798,16 @@ function renderOauth2ProxyConfig(config) {
         cookie_csrf_per_request: true,
         cookie_csrf_per_request_limit: 16,
         email_domains: config.oauth2.emailDomains,
-        whitelist_domains: [config.host, `${config.host}:${config.port}`],
+        whitelist_domains: [
+            config.host,
+            `${config.host}:${config.port}`,
+            ...(!('dex' in config.idp) && config.idp.oidc.end_session_endpoint
+                ? [new URL(config.idp.oidc.end_session_endpoint).host]
+                : []),
+        ],
         scope: config.oauth2.scopes.join(' '),
         reverse_proxy: true,
+        trusted_proxy_ips: config.network.trustedProxyIps,
         set_xauthrequest: true,
         set_authorization_header: true,
         pass_access_token: true,
@@ -746,36 +828,19 @@ function renderOauth2ProxyConfig(config) {
         .join('\n')}\n`;
 }
 
-function render(config) {
-    writeComposeConfig(config);
-    if (config.idp.dex !== undefined) {
-        writeDexConfig(config);
-    }
-    writeNginxConfig(config);
-    writeOauth2ProxyConfig(config);
-}
-
 function createVisageServer(options) {
+    const cache = join(process.cwd(), '.visage');
     const config = resolveConfig(resolveOptions({
         ...options,
         upstreams: {
             ...options.upstreams,
             vite: resolveViteUpstream(options.upstreams?.vite),
         },
-    }), join(process.cwd(), '.visage'));
+    }), cache);
     let stop;
     return {
         async listen() {
-            if (stop)
-                return;
-            rmSync(join(config.cache, 'logs'), { recursive: true, force: true });
-            await ensureCerts({
-                certs: join(config.cache, config.files.certs[0]),
-                hostname: config.host,
-            });
-            ensureHostEntry(config.host);
-            render(config);
-            stop = await startCompose(join(config.cache, config.files.compose));
+            stop ??= await startVisageServer(config);
         },
         close() {
             stop?.();
@@ -783,6 +848,22 @@ function createVisageServer(options) {
         },
     };
 }
+async function startVisageServer(config) {
+    const logs = join(config.cache, 'logs');
+    rmSync(logs, { recursive: true, force: true });
+    mkdirSync(logs, { recursive: true });
+    await ensureCerts(config);
+    ensureHostEntry(config);
+    const renderConfig = ensureNginxNetwork(config);
+    writeComposeConfig(renderConfig);
+    if ('dex' in renderConfig.idp) {
+        writeDexConfig(renderConfig);
+    }
+    writeNginxConfig(renderConfig);
+    writeOauth2ProxyConfig(renderConfig);
+    return startCompose(renderConfig);
+}
+
 function visage(options = {}) {
     const resolvedOptions = resolveOptions(options);
     let stop;
@@ -813,21 +894,6 @@ function visage(options = {}) {
                 printUrls();
                 viteDevServer.config.logger.info(visageUrl ?? 'Visage failed to start');
             };
-            async function startVisage(vite) {
-                const config = resolveConfig(resolveOptions({
-                    ...options,
-                    upstreams: { ...options.upstreams, vite },
-                }), join(viteDevServer.config.cacheDir, 'visage'));
-                visageUrl = formatVisageUrlLog(config.host, config.port);
-                rmSync(join(config.cache, 'logs'), { recursive: true, force: true });
-                await ensureCerts({
-                    certs: join(config.cache, config.files.certs[0]),
-                    hostname: config.host,
-                });
-                ensureHostEntry(config.host);
-                render(config);
-                return startCompose(join(config.cache, config.files.compose));
-            }
             // monkey patch vite's listen to get vite's auto-resolved port
             const listen = viteDevServer.listen.bind(viteDevServer);
             viteDevServer.listen = async (port, isRestart) => {
@@ -836,11 +902,19 @@ function visage(options = {}) {
                 if (!address || typeof address === 'string') {
                     throw new Error('Failed to resolve port for Visage');
                 }
-                const vite = resolveViteUpstream({
-                    port: address.port,
-                    ...options.upstreams?.vite,
-                });
-                stop = await startVisage(vite);
+                const cache = join(viteDevServer.config.cacheDir, 'visage');
+                const config = resolveConfig(resolveOptions({
+                    ...options,
+                    upstreams: {
+                        ...options.upstreams,
+                        vite: resolveViteUpstream({
+                            port: address.port,
+                            ...options.upstreams?.vite,
+                        }),
+                    },
+                }), cache);
+                visageUrl = formatVisageUrlLog(config.host, config.port);
+                stop = await startVisageServer(config);
                 viteDevServer.httpServer?.once('close', closeBundle);
                 return result;
             };
@@ -856,4 +930,4 @@ function formatVisageUrlLog(host, port) {
     return `  ${AnsiGreen}➜${AnsiReset}  ${AnsiBold}Visage${AnsiReset}:  ${AnsiCyan}https://${host}:${AnsiBold}${port}${AnsiReset}${AnsiCyan}/${AnsiReset}`;
 }
 
-export { createVisageServer, visage as default };
+export { createVisageServer, visage as default, visage };

package/dist/network.d.ts

@@ -0,0 +1,3 @@
+import type { VisageConfig } from './config';
+export declare function ensureNginxNetwork(config: VisageConfig): VisageConfig;
+//# sourceMappingURL=network.d.ts.map

package/dist/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../src/network.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,GAAG,YAAY,CA6CrE"}

package/dist/plugin.d.ts

@@ -0,0 +1,5 @@
+import type { Plugin } from 'vite';
+import type { VisageOptions } from './types';
+export declare function visage(options?: VisageOptions): Plugin;
+export default visage;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAInC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,wBAAgB,MAAM,CAAC,OAAO,GAAE,aAAkB,GAAG,MAAM,CAoE1D;AAED,eAAe,MAAM,CAAC"}

package/dist/render/index.d.ts

@@ -1,3 +1,5 @@
-import type { VisageConfig } from '../config';
-export declare function render(config: VisageConfig): void;
+export { writeComposeConfig } from './compose';
+export { writeDexConfig } from './dex';
+export { writeNginxConfig } from './nginx';
+export { writeOauth2ProxyConfig } from './oauth2-proxy';
 //# sourceMappingURL=index.d.ts.map

package/dist/render/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/render/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAM9C,wBAAgB,MAAM,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAOjD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/render/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,5 @@
+import { type VisageConfig } from './config';
+import type { VisageOptions, VisageServer } from './types';
+export declare function createVisageServer(options: VisageOptions): VisageServer;
+export declare function startVisageServer(config: VisageConfig): Promise<() => void>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAKA,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,UAAU,CAAC;AASlB,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE3D,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,aAAa,GAAG,YAAY,CAsBvE;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,MAAM,IAAI,CAAC,CAkBrB"}

package/dist/types.d.ts

@@ -100,11 +100,14 @@ export type VisageCookiePolicy = {
     readonly path?: string;
 };
 /**
- * Managed Dex identity provider options.
+ * Managed Dex identity provider options. Dex is the default identity provider
+ * for Visage.
  */
 export type VisageDexOptions = {
     /**
      * Token expiration and rotation settings rendered into the Dex config.
+     *
+     * @see {@link https://dexidp.io/docs/configuration/tokens/#expiration-and-rotation-settings}
      */
     readonly expiry?: VisageDexExpiry;
     /**
@@ -190,30 +193,36 @@ export type VisageDexUser = {
  */
 export type VisageExternalIdpOptions = {
     /**
-     * OIDC issuer URL used by OAuth2 Proxy.
+     * OIDC issuer URL used by OAuth2 Proxy. When no endpoint paths are
+     * configured, OAuth2 Proxy discovers provider endpoints from this issuer.
      */
     readonly issuer: string;
     /**
      * OIDC authorization path appended to
-     * {@link VisageExternalIdpOptions.issuer}.
-     *
-     * @defaultValue '/auth'
+     * {@link VisageExternalIdpOptions.issuer}. Configure this, `token`, or `jwks`
+     * to disable OIDC discovery and render explicit provider endpoints.
      */
     readonly authorization?: string;
     /**
      * OIDC token endpoint path appended to
-     * {@link VisageExternalIdpOptions.issuer}.
-     *
-     * @defaultValue '/token'
+     * {@link VisageExternalIdpOptions.issuer}. Configure this, `authorization`,
+     * or `jwks` to disable OIDC discovery and render explicit provider
+     * endpoints.
      */
     readonly token?: string;
     /**
      * OIDC JWKS endpoint path appended to
-     * {@link VisageExternalIdpOptions.issuer}.
-     *
-     * @defaultValue '/keys'
+     * {@link VisageExternalIdpOptions.issuer}. Configure this, `authorization`,
+     * or `token` to disable OIDC discovery and render explicit provider
+     * endpoints.
      */
     readonly jwks?: string;
+    /**
+     * OIDC end-session endpoint URL. When configured, Visage routes OAuth2 Proxy
+     * sign-out redirects through this endpoint so the provider session can be
+     * ended as part of the sign-out flow.
+     */
+    readonly end_session_endpoint?: string;
 };
 /**
  * OAuth2 client configuration used by OAuth2 Proxy and, for managed Dex, the
@@ -333,15 +342,16 @@ export type VisageProxyPolicy = {
          */
         readonly redirect?: boolean;
         /**
-         * Token forwarding behavior for the upstream `Authorization` header.
+         * Token forwarding behavior for the upstream `Authorization` header. Set
+         * to `false` to omit a bearer token. Set to `true` to forward the
+         * default bearer token for the upstream kind: an OAuth access token for
+         * external upstreams, or an OIDC ID token for local service upstreams.
          *
-         * `'id'` forwards the authenticated OIDC ID token. `'access'` forwards the
-         * OAuth access token for legacy/resource-server integrations that
-         * explicitly require it.
+         * Use `'id'` or `'access'` to force a specific token kind.
          *
-         * @defaultValue `'id'`
+         * @defaultValue `false`
          */
-        readonly forward?: 'id' | 'access';
+        readonly forward?: boolean | 'id' | 'access';
     };
     /**
      * Request headers to set when proxying to the upstream. Values may include

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB;;OAEG;IACH,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB;;OAEG;IACH,KAAK,IAAI,IAAI,CAAC;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC;;;OAGG;IACH,QAAQ,CAAC,GAAG,CAAC,EAAE,gBAAgB,GAAG,wBAAwB,CAAC;IAC3D;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAClD;;OAEG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,aAAa,EAAE,CAAC;CAC3C,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;OAEG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;OAEG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC;;OAEG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B;;OAEG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE;QACvB;;WAEG;QACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;QACpC;;WAEG;QACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QACnC;;WAEG;QACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;QACnC;;WAEG;QACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;KACjC,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAAG;IACrC;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;;OAOG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC3C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC;;OAEG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC;;OAEG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,GAAG,IAAI,GAAG,YAAY,GAAG,gBAAgB,CAAC;IACrE;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,cAAc,CAAC;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE;QAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAAA;KAAE,CAAC;CACrE,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;OAEG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE;QACd;;;;WAIG;QACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;QAC3B;;;;WAIG;QACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;QAC5B;;;;;;;;WAQG;QACH,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,GAAG,QAAQ,CAAC;KACpC,CAAC;IACF;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE;QAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACtD;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE;QACpB,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;KACrD,CAAC;CACH,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB;;OAEG;IACH,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACxB;;OAEG;IACH,KAAK,IAAI,IAAI,CAAC;CACf,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC;;;OAGG;IACH,QAAQ,CAAC,GAAG,CAAC,EAAE,gBAAgB,GAAG,wBAAwB,CAAC;IAC3D;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IACrC;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAClD;;OAEG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;;;OAMG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;;;OAOG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,aAAa,EAAE,CAAC;CAC3C,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG;IAC5B;;OAEG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;OAEG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC;;OAEG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B;;OAEG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE;QACvB;;WAEG;QACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;QACpC;;WAEG;QACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;QACnC;;WAEG;QACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;QACnC;;WAEG;QACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;KACjC,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAAG;IACrC;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;;OAOG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC3C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC;;OAEG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC;;OAEG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,GAAG,IAAI,GAAG,YAAY,GAAG,gBAAgB,CAAC;IACrE;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,cAAc,CAAC;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE;QAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAAA;KAAE,CAAC;CACrE,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B;;OAEG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE;QACd;;;;WAIG;QACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;QAC3B;;;;WAIG;QACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;QAC5B;;;;;;;;;WASG;QACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,QAAQ,CAAC;KAC9C,CAAC;IACF;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE;QAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACtD;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE;QACpB,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;KACrD,CAAC;CACH,CAAC"}

package/docker-compose.images.yml

@@ -0,0 +1,7 @@
+services:
+  dex:
+    image: ghcr.io/dexidp/dex:v2.45.1
+  nginx:
+    image: nginx:1.30.0-alpine
+  oauth2_proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blakearoberts/visage",
-  "version": "0.0.1-rc.18",
+  "version": "0.0.1-rc.20",
   "description": "Vite plugin for local development with HMR and OIDC session cookie lifecycle semantics.",
   "type": "module",
   "author": "Blake Roberts",
@@ -33,7 +33,8 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "docker-compose.images.yml"
   ],
   "engines": {
     "node": ">=20"
@@ -45,7 +46,8 @@
   "scripts": {
     "build": "npm run clean && rollup -c",
     "clean": "node -e \"require('node:fs').rmSync('dist', { recursive: true, force: true })\"",
-    "dev:example": "cd examples/simple && npm run dev",
+    "example": "npm run example:simple",
+    "example:simple": "cd examples/simple && npm run dev",
     "format": "prettier --write \"{docs,examples,src,test}/**/*.{ts,tsx,js,jsx,json,css,html,md}\" \"*.{json,md}\"",
     "format:check": "prettier --check \"{docs,examples,src,test}/**/*.{ts,tsx,js,jsx,json,css,html,md}\" \"*.{json,md}\"",
     "promote:codex": "scripts/promote-codex.sh",
@@ -63,7 +65,7 @@
     "rollup": "^4.60.4",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",
-    "vite": "^6.3.5"
+    "vite": "^8.0.13"
   },
   "dependencies": {
     "bcryptjs": "^3.0.3",