@draftlab/auth 0.0.3 → 0.0.4

package/dist/allow.d.ts

@@ -1,2 +1,59 @@
-import { AllowCheckInput, defaultAllowCheck } from "./allow-CixonwTW.js";
+//#region src/allow.d.ts
+/**
+ * Client authorization validation utilities.
+ * Provides security checks to determine if OAuth authorization requests should be permitted
+ * based on redirect URI validation and domain matching policies.
+ */
+/**
+ * Input parameters for authorization allow checks.
+ * Contains all necessary information to validate if a client request should be permitted.
+ */
+interface AllowCheckInput {
+  /** The client ID of the application requesting authorization */
+  readonly clientID: string;
+  /** The redirect URI where the user will be sent after authorization */
+  readonly redirectURI: string;
+  /** Optional audience parameter for the authorization request */
+  readonly audience?: string;
+}
+/**
+ * Default authorization check that validates client requests based on redirect URI security.
+ *
+ * ## Security Policy
+ * - **Localhost**: Always allowed (for development)
+ * - **Same domain**: Redirect URI must match request origin at TLD+1 level
+ * - **Cross-domain**: Rejected for security
+ *
+ * This prevents unauthorized applications from hijacking authorization codes by using
+ * malicious redirect URIs that don't belong to the legitimate client application.
+ *
+ * @param input - Client request details including ID and redirect URI
+ * @param req - The original HTTP request for domain comparison
+ * @returns Promise resolving to true if the request should be allowed
+ *
+ * @example
+ * ```ts
+ * // Allowed: localhost development
+ * await defaultAllowCheck({
+ *   clientID: "dev-app",
+ *   redirectURI: "http://localhost:3000/callback"
+ * }, request) // → true
+ *
+ * // Allowed: same domain
+ * // Request from: https://myapp.com
+ * await defaultAllowCheck({
+ *   clientID: "web-app",
+ *   redirectURI: "https://auth.myapp.com/callback"
+ * }, request) // → true
+ *
+ * // Rejected: different domain
+ * // Request from: https://myapp.com
+ * await defaultAllowCheck({
+ *   clientID: "malicious-app",
+ *   redirectURI: "https://evil.com/steal-codes"
+ * }, request) // → false
+ * ```
+ */
+declare const defaultAllowCheck: (input: AllowCheckInput, req: Request) => Promise<boolean>;
+//#endregion
 export { AllowCheckInput, defaultAllowCheck };

package/dist/allow.js

@@ -1,4 +1,63 @@
-import "./util-CSdHUFOo.js";
-import { defaultAllowCheck } from "./allow-DX5cehSc.js";
+import { isDomainMatch } from "./util.js";
 
+//#region src/allow.ts
+/**
+* Default authorization check that validates client requests based on redirect URI security.
+*
+* ## Security Policy
+* - **Localhost**: Always allowed (for development)
+* - **Same domain**: Redirect URI must match request origin at TLD+1 level
+* - **Cross-domain**: Rejected for security
+*
+* This prevents unauthorized applications from hijacking authorization codes by using
+* malicious redirect URIs that don't belong to the legitimate client application.
+*
+* @param input - Client request details including ID and redirect URI
+* @param req - The original HTTP request for domain comparison
+* @returns Promise resolving to true if the request should be allowed
+*
+* @example
+* ```ts
+* // Allowed: localhost development
+* await defaultAllowCheck({
+*   clientID: "dev-app",
+*   redirectURI: "http://localhost:3000/callback"
+* }, request) // → true
+*
+* // Allowed: same domain
+* // Request from: https://myapp.com
+* await defaultAllowCheck({
+*   clientID: "web-app",
+*   redirectURI: "https://auth.myapp.com/callback"
+* }, request) // → true
+*
+* // Rejected: different domain
+* // Request from: https://myapp.com
+* await defaultAllowCheck({
+*   clientID: "malicious-app",
+*   redirectURI: "https://evil.com/steal-codes"
+* }, request) // → false
+* ```
+*/
+const defaultAllowCheck = (input, req) => {
+	return Promise.resolve((() => {
+		let redirectHostname;
+		try {
+			redirectHostname = new URL(input.redirectURI).hostname;
+		} catch {
+			return false;
+		}
+		if (redirectHostname === "localhost" || redirectHostname === "127.0.0.1") return true;
+		let currentHostname;
+		try {
+			const forwardedHost = req.headers.get("x-forwarded-host");
+			currentHostname = forwardedHost ? new URL(`https://${forwardedHost}`).hostname : new URL(req.url).hostname;
+		} catch {
+			return false;
+		}
+		return isDomainMatch(redirectHostname, currentHostname);
+	})());
+};
+
+//#endregion
 export { defaultAllowCheck };

package/dist/client.d.ts

@@ -1,6 +1,5 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error-CWAdNAzm.js";
-import "./util-DbSKG1Xm.js";
-import { SubjectSchema } from "./subject-DMIMVtaT.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
+import { SubjectSchema } from "./subject.js";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/client.d.ts

package/dist/client.js

@@ -1,5 +1,5 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error-DgAKK7b2.js";
-import { generatePKCE } from "./pkce-276Za_rZ.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
+import { generatePKCE } from "./pkce.js";
 import { createLocalJWKSet, errors, jwtVerify } from "jose";
 
 //#region src/client.ts

package/dist/core.d.ts

@@ -1,9 +1,129 @@
-import "./allow-CixonwTW.js";
-import "./error-CWAdNAzm.js";
-import "./util-DbSKG1Xm.js";
-import "./subject-DMIMVtaT.js";
-import "./storage-CxKerLlc.js";
-import "./provider-tndlqCzp.js";
-import "./theme-C9by7VXf.js";
-import { AuthorizationState, OnSuccessResponder, issuer } from "./core-BZHEAefX.js";
+import { AllowCheckInput } from "./allow.js";
+import { UnknownStateError } from "./error.js";
+import { Prettify } from "./util.js";
+import { SubjectPayload, SubjectSchema } from "./subject.js";
+import { StorageAdapter } from "./storage/storage.js";
+import { Provider } from "./provider/provider.js";
+import { Theme } from "./themes/theme.js";
+import { Router } from "@draftlab/auth-router";
+
+//#region src/core.d.ts
+
+/**
+ * Sets the subject payload in the JWT token and returns the response.
+ */
+interface OnSuccessResponder<T extends {
+  type: string;
+  properties: unknown;
+}> {
+  subject<Type extends T["type"]>(type: Type, properties: Extract<T, {
+    type: Type;
+  }>["properties"], opts?: {
+    ttl?: {
+      access?: number;
+      refresh?: number;
+    };
+    subject?: string;
+  }): Promise<Response>;
+}
+/**
+ * Authorization state for OAuth 2.0 flows.
+ */
+interface AuthorizationState {
+  /** OAuth redirect URI */
+  redirect_uri: string;
+  /** OAuth response type */
+  response_type: string;
+  /** OAuth state parameter for CSRF protection */
+  state: string;
+  /** OAuth client identifier */
+  client_id: string;
+  /** OAuth audience parameter */
+  audience: string;
+  /** PKCE challenge data for code verification */
+  pkce?: {
+    challenge: string;
+    method: "S256";
+  };
+}
+/**
+ * Main issuer input configuration interface.
+ */
+interface IssuerInput<Providers extends Record<string, Provider<unknown>>, Subjects extends SubjectSchema, Result = { [Key in keyof Providers]: Prettify<{
+  provider: Key;
+} & (Providers[Key] extends Provider<infer T> ? T : Record<string, unknown>)> }[keyof Providers]> {
+  /** The storage adapter for persisting tokens and sessions */
+  storage: StorageAdapter;
+  /** Auth providers configuration */
+  providers: Providers;
+  /** Subject schemas for token validation */
+  subjects: Subjects;
+  /** Base path for embedded scenarios */
+  basePath?: string;
+  /** Success callback for completed authentication */
+  success(response: OnSuccessResponder<SubjectPayload<Subjects>>, input: Result, req: Request, clientID: string): Promise<Response>;
+  /** Theme configuration for UI */
+  theme?: Theme;
+  /** TTL configuration for tokens and sessions */
+  ttl?: {
+    access?: number;
+    refresh?: number;
+    reuse?: number;
+    retention?: number;
+  };
+  /** Provider selection UI function */
+  select?(providers: Record<string, string>, req: Request): Promise<Response>;
+  /** Optional start callback */
+  start?(req: Request): Promise<void>;
+  /** Error handling callback */
+  error?(error: UnknownStateError, req: Request): Promise<Response>;
+  /** Client authorization check function */
+  allow?(input: AllowCheckInput, req: Request): Promise<boolean>;
+  /**
+   * Refresh callback for updating user claims.
+   *
+   * @example
+   * ```typescript
+   * refresh: async (payload, req) => {
+   *   const user = await getUserBySubject(payload.subject)
+   *   if (!user || !user.active) {
+   *     return undefined // Revoke the token
+   *   }
+   *
+   *   return {
+   *     type: payload.type,
+   *     properties: {
+   *       userID: user.id,
+   *       role: user.role,
+   *       permissions: user.permissions,
+   *       lastLogin: new Date().toISOString()
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  refresh?(payload: {
+    type: SubjectPayload<Subjects>["type"];
+    properties: SubjectPayload<Subjects>["properties"];
+    subject: string;
+    clientID: string;
+    scopes?: string[];
+  }, req: Request): Promise<{
+    type: SubjectPayload<Subjects>["type"];
+    properties: SubjectPayload<Subjects>["properties"];
+    subject?: string;
+    scopes?: string[];
+  } | undefined>;
+}
+/**
+ * Create an Draft Auth server, a Router app that handles OAuth 2.0 flows.
+ */
+declare const issuer: <Providers extends Record<string, Provider<unknown>>, Subjects extends SubjectSchema, Result = { [key in keyof Providers]: {
+  provider: key;
+} & (Providers[key] extends Provider<infer T> ? T : Record<string, unknown>) }[keyof Providers]>(input: IssuerInput<Providers, Subjects, Result>) => Router<{
+  Variables: {
+    authorization: AuthorizationState;
+  };
+}>;
+//#endregion
 export { AuthorizationState, OnSuccessResponder, issuer };