@draftlab/auth 0.0.3 → 0.0.4

package/dist/ui/password.d.ts

@@ -1,6 +1,4 @@
-import "../storage-CxKerLlc.js";
-import "../provider-tndlqCzp.js";
-import { PasswordConfig } from "../password-C4KLmO0O.js";
+import { PasswordConfig } from "../provider/password.js";
 
 //#region src/ui/password.d.ts
 

package/dist/ui/password.js

@@ -1,6 +1,5 @@
-import "../theme-CswaLtbW.js";
-import { Layout } from "../base-DRutbxgL.js";
-import { FormAlert } from "../form-6XKM_cOk.js";
+import { Layout } from "./base.js";
+import { FormAlert } from "./form.js";
 
 //#region src/ui/password.ts
 /**

package/dist/ui/select.js

@@ -1,6 +1,280 @@
-import "../theme-CswaLtbW.js";
-import "../base-DRutbxgL.js";
-import "../icon-Ci5uqGB_.js";
-import { Select } from "../select-BjySLL8I.js";
+import { Layout } from "./base.js";
+import { ICON_GITHUB, ICON_GOOGLE } from "./icon.js";
 
+//#region src/ui/select.ts
+/**
+* Default copy text used throughout the select UI.
+* These values are used when no custom copy is provided.
+*/
+const DEFAULT_COPY = { button_provider: "Continue with" };
+/**
+* Default display names for all known provider types.
+* These provide consistent naming across the application and serve as fallbacks
+* when no custom display name is configured.
+*/
+const DEFAULT_DISPLAY = {
+	steam: "Steam",
+	twitch: "Twitch",
+	google: "Google",
+	github: "GitHub",
+	apple: "Apple",
+	code: "Code",
+	x: "X",
+	facebook: "Facebook",
+	microsoft: "Microsoft",
+	slack: "Slack",
+	password: "Password"
+};
+/**
+* Comprehensive icon mapping for all supported authentication providers.
+* Each icon is an optimized SVG component with proper accessibility attributes.
+*
+* Icons are designed to:
+* - Scale properly at different sizes
+* - Inherit text color for theming
+* - Include proper ARIA attributes
+* - Work with screen readers
+*/
+const ICON = {
+	steam: `
+		<svg
+			aria-hidden="true"
+			class="bi bi-steam"
+			fill="currentColor"
+			height="16"
+			viewBox="0 0 16 16"
+			width="16"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path d="M.329 10.333A8.01 8.01 0 0 0 7.99 16C12.414 16 16 12.418 16 8s-3.586-8-8.009-8A8.006 8.006 0 0 0 0 7.468l.003.006 4.304 1.769A2.2 2.2 0 0 1 5.62 8.88l1.96-2.844-.001-.04a3.046 3.046 0 0 1 3.042-3.043 3.046 3.046 0 0 1 3.042 3.043 3.047 3.047 0 0 1-3.111 3.044l-2.804 2a2.223 2.223 0 0 1-3.075 2.11 2.22 2.22 0 0 1-1.312-1.568L.33 10.333Z" />
+			<path d="M4.868 12.683a1.715 1.715 0 0 0 1.318-3.165 1.7 1.7 0 0 0-1.263-.02l1.023.424a1.261 1.261 0 1 1-.97 2.33l-.99-.41a1.7 1.7 0 0 0 .882.84Zm3.726-6.687a2.03 2.03 0 0 0 2.027 2.029 2.03 2.03 0 0 0 2.027-2.029 2.03 2.03 0 0 0-2.027-2.027 2.03 2.03 0 0 0-2.027 2.027m2.03-1.527a1.524 1.524 0 1 1-.002 3.048 1.524 1.524 0 0 1 .002-3.048" />
+		</svg>
+	`,
+	code: `
+		<svg
+			aria-hidden="true"
+			data-name="Layer 1"
+			fill="currentColor"
+			viewBox="0 0 52 52"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path
+				d="M8.55,36.91A6.55,6.55,0,1,1,2,43.45,6.54,6.54,0,0,1,8.55,36.91Zm17.45,0a6.55,6.55,0,1,1-6.55,6.54A6.55,6.55,0,0,1,26,36.91Zm17.45,0a6.55,6.55,0,1,1-6.54,6.54A6.54,6.54,0,0,1,43.45,36.91ZM8.55,19.45A6.55,6.55,0,1,1,2,26,6.55,6.55,0,0,1,8.55,19.45Zm17.45,0A6.55,6.55,0,1,1,19.45,26,6.56,6.56,0,0,1,26,19.45Zm17.45,0A6.55,6.55,0,1,1,36.91,26,6.55,6.55,0,0,1,43.45,19.45ZM8.55,2A6.55,6.55,0,1,1,2,8.55,6.54,6.54,0,0,1,8.55,2ZM26,2a6.55,6.55,0,1,1-6.55,6.55A6.55,6.55,0,0,1,26,2ZM43.45,2a6.55,6.55,0,1,1-6.54,6.55A6.55,6.55,0,0,1,43.45,2Z"
+				fill-rule="evenodd"
+			/>
+		</svg>
+	`,
+	password: `
+		<svg
+			aria-hidden="true"
+			fill="currentColor"
+			viewBox="0 0 24 24"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path
+				clip-rule="evenodd"
+				d="M12 1.5a5.25 5.25 0 0 0-5.25 5.25v3a3 3 0 0 0-3 3v6.75a3 3 0 0 0 3 3h10.5a3 3 0 0 0 3-3v-6.75a3 3 0 0 0-3-3v-3c0-2.9-2.35-5.25-5.25-5.25Zm3.75 8.25v-3a3.75 3.75 0 1 0-7.5 0v3h7.5Z"
+				fill-rule="evenodd"
+			/>
+		</svg>
+	`,
+	twitch: `
+		<svg
+			aria-hidden="true"
+			role="img"
+			viewBox="0 0 448 512"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path
+				d="M40.1 32L10 108.9v314.3h107V480h60.2l56.8-56.8h87l117-117V32H40.1zm357.8 254.1L331 353H224l-56.8 56.8V353H76.9V72.1h321v214zM331 149v116.9h-40.1V149H331zm-107 0v116.9h-40.1V149H224z"
+				fill="currentColor"
+			/>
+		</svg>
+	`,
+	google: ICON_GOOGLE,
+	github: ICON_GITHUB,
+	apple: `
+		<svg
+			aria-hidden="true"
+			role="img"
+			viewBox="0 0 814 1000"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path
+				d="M788.1 340.9c-5.8 4.5-108.2 62.2-108.2 190.5 0 148.4 130.3 200.9 134.2 202.2-.6 3.2-20.7 71.9-68.7 141.9-42.8 61.6-87.5 123.1-155.5 123.1s-85.5-39.5-164-39.5c-76.5 0-103.7 40.8-165.9 40.8s-105.6-57-155.5-127C46.7 790.7 0 663 0 541.8c0-194.4 126.4-297.5 250.8-297.5 66.1 0 121.2 43.4 162.7 43.4 39.5 0 101.1-46 176.3-46 28.5 0 130.9 2.6 198.3 99.2zm-234-181.5c31.1-36.9 53.1-88.1 53.1-139.3 0-7.1-.6-14.3-1.9-20.1-50.6 1.9-110.8 33.7-147.1 75.8-28.5 32.4-55.1 83.6-55.1 135.5 0 7.8 1.3 15.6 1.9 18.1 3.2.6 8.4 1.3 13.6 1.3 45.4 0 102.5-30.4 135.5-71.3z "
+				fill="currentColor"
+			/>
+		</svg>
+	`,
+	x: `
+		<svg
+			aria-hidden="true"
+			role="img"
+			viewBox="0 0 1200 1227"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path
+				d="M714.163 519.284 1160.89 0h-105.86L667.137 450.887 357.328 0H0l468.492 681.821L0 1226.37h105.866l409.625-476.152 327.181 476.152H1200L714.137 519.284h.026ZM569.165 687.828l-47.468-67.894-377.686-540.24h162.604l304.797 435.991 47.468 67.894 396.2 566.721H892.476L569.165 687.854v-.026Z"
+				fill="currentColor"
+			/>
+		</svg>
+	`,
+	microsoft: `
+		<svg
+			aria-hidden="true"
+			preserveAspectRatio="xMidYMid"
+			role="img"
+			viewBox="0 0 256 256"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<path d="M121.666 121.666H0V0h121.666z" fill="#F1511B" />
+			<path d="M256 121.666H134.335V0H256z" fill="#80CC28" />
+			<path d="M121.663 256.002H0V134.336h121.663z" fill="#00ADEF" />
+			<path d="M256 256.002H134.335V134.336H256z" fill="#FBBC09" />
+		</svg>
+	`,
+	facebook: `
+		<svg
+			aria-hidden="true"
+			fill="url(#a)"
+			role="img"
+			viewBox="0 0 36 36"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<defs>
+				<linearGradient id="a" x1="50%" x2="50%" y1="97.078%" y2="0%">
+					<stop offset="0%" stop-color="#0062E0" />
+					<stop offset="100%" stop-color="#19AFFF" />
+				</linearGradient>
+			</defs>
+			<path d="M15 35.8C6.5 34.3 0 26.9 0 18 0 8.1 8.1 0 18 0s18 8.1 18 18c0 8.9-6.5 16.3-15 17.8l-1-.8h-4l-1 .8z" />
+			<path
+				d="m25 23 .8-5H21v-3.5c0-1.4.5-2.5 2.7-2.5H26V7.4c-1.3-.2-2.7-.4-4-.4-4.1 0-7 2.5-7 7v4h-4.5v5H15v12.7c1 .2 2 .3 3 .3s2-.1 3-.3V23h4z"
+				fill="#FFF"
+			/>
+		</svg>
+	`,
+	slack: `
+		<svg
+			aria-hidden="true"
+			enable-background="new 0 0 2447.6 2452.5"
+			role="img"
+			viewBox="0 0 2447.6 2452.5"
+			xmlns="http://www.w3.org/2000/svg"
+		>
+			<g clip-rule="evenodd" fill-rule="evenodd">
+				<path
+					d="m897.4 0c-135.3.1-244.8 109.9-244.7 245.2-.1 135.3 109.5 245.1 244.8 245.2h244.8v-245.1c.1-135.3-109.5-245.1-244.9-245.3.1 0 .1 0 0 0m0 654h-652.6c-135.3.1-244.9 109.9-244.8 245.2-.2 135.3 109.4 245.1 244.7 245.3h652.7c135.3-.1 244.9-109.9 244.8-245.2.1-135.4-109.5-245.2-244.8-245.3z"
+					fill="#36c5f0"
+				/>
+				<path
+					d="m2447.6 899.2c.1-135.3-109.5-245.1-244.8-245.2-135.3.1-244.9 109.9-244.8 245.2v245.3h244.8c135.3-.1 244.9-109.9 244.8-245.3zm-652.7 0v-654c.1-135.2-109.4-245-244.7-245.2-135.3.1-244.9 109.9-244.8 245.2v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.3z"
+					fill="#2eb67d"
+				/>
+				<path
+					d="m1550.1 2452.5c135.3-.1 244.9-109.9 244.8-245.2.1-135.3-109.5-245.1-244.8-245.2h-244.8v245.2c-.1 135.2 109.5 245 244.8 245.2zm0-654.1h652.7c135.3-.1 244.9-109.9 244.8-245.2.2-135.3-109.4-245.1-244.7-245.3h-652.7c-135.3.1-244.9 109.9-244.8 245.2-.1 135.4 109.4 245.2 244.7 245.3z"
+					fill="#ecb22e"
+				/>
+				<path
+					d="m0 1553.2c-.1 135.3 109.5 245.1 244.8 245.2 135.3-.1 244.9-109.9 244.8-245.2v-245.2h-244.8c-135.3.1-244.9 109.9-244.8 245.2zm652.7 0v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.2v-653.9c.2-135.3-109.4-245.1-244.7-245.3-135.4 0-244.9 109.8-244.8 245.1 0 0 0 .1 0 0"
+					fill="#e01e5a"
+				/>
+			</g>
+		</svg>
+	`
+};
+/**
+* Creates a provider selection UI component for OAuth authentication.
+*
+* This component generates a complete authentication provider selection interface that:
+* - Displays available OAuth providers as clickable buttons
+* - Includes appropriate icons for recognized providers
+* - Supports custom theming and internationalization
+* - Provides accessible markup with proper ARIA attributes
+* - Handles provider visibility and custom display names
+*
+* @param props - Configuration options for customizing the select UI
+* @returns An async function that generates the HTML response for the selection interface
+*
+* @example
+* ```ts
+* // Basic usage with defaults
+* const selectUI = Select()
+*
+* // Customized with provider configuration
+* const selectUI = Select({
+*   copy: {
+*     button_provider: "Sign in with"
+*   },
+*   displays: {
+*     github: "GitHub Account",
+*     code: "Email Code"
+*   },
+*   providers: {
+*     facebook: { hide: true },
+*     google: { display: "Google Workspace" }
+*   }
+* })
+*
+* // Use in issuer configuration
+* export default issuer({
+*   select: selectUI,
+*   // ... other configuration
+* })
+* ```
+*
+* ## Provider Resolution Logic
+*
+* Display names are resolved in the following priority order:
+* 1. Provider-specific `display` property
+* 2. Global `displays` type override
+* 3. Default display name from `DEFAULT_DISPLAY`
+* 4. Provider type string as final fallback
+*
+* ## Accessibility Features
+*
+* The generated UI includes:
+* - Semantic HTML structure
+* - Proper button roles and keyboard navigation
+* - Icon accessibility with `aria-hidden="true"`
+* - Screen reader friendly provider names
+*/
+const Select = (props) => {
+	return async (providers, _req) => {
+		const copy = {
+			...DEFAULT_COPY,
+			...props?.copy
+		};
+		const displays = {
+			...DEFAULT_DISPLAY,
+			...props?.displays
+		};
+		const providerButtons = Object.entries(providers).map(([providerKey, providerType]) => {
+			const providerConfig = props?.providers?.[providerKey];
+			if (providerConfig?.hide) return "";
+			const displayName = providerConfig?.display || displays[providerType] || providerType;
+			const icon = ICON[providerKey];
+			return `
+					<a
+						aria-label="${copy.button_provider} ${displayName}"
+						data-color="ghost"
+						data-component="button"
+						href="./${providerKey}/authorize"
+					>
+						${icon ? `<i data-slot="icon">${icon}</i>` : ""}
+						${copy.button_provider} ${displayName}
+					</a>
+				`;
+		}).filter((button) => button !== "").join("");
+		const formContent = `
+			<div data-component="form">
+				${providerButtons}
+			</div>
+		`;
+		const html = Layout({ children: formContent });
+		return new Response(html, { headers: { "Content-Type": "text/html" } });
+	};
+};
+
+//#endregion
 export { Select };

package/dist/util.d.ts

@@ -1,2 +1,72 @@
-import { Prettify, getRelativeUrl, isDomainMatch, lazy } from "./util-DbSKG1Xm.js";
+import { RouterContext } from "@draftlab/auth-router/types";
+
+//#region src/util.d.ts
+
+/**
+ * Utility type that flattens complex types for better IntelliSense display.
+ * Converts intersections and complex mapped types into cleaner object types.
+ *
+ * @template T - The type to prettify
+ *
+ * @example
+ * ```ts
+ * type Complex = { a: string } & { b: number }
+ * type Clean = Prettify<Complex> // { a: string; b: number }
+ * ```
+ */
+type Prettify<T> = { [K in keyof T]: T[K] } & {};
+/**
+ * Constructs a complete URL relative to the current request context.
+ * Handles proxy headers (x-forwarded-*) to ensure correct URL generation
+ * in containerized and load-balanced environments.
+ *
+ * @param ctx - Router context containing request information
+ * @param path - Relative path to append to the base URL
+ * @returns Complete URL string with proper protocol, host, and port
+ *
+ * @example
+ * ```ts
+ * const callbackUrl = getRelativeUrl(ctx, "/callback")
+ * // Returns: "https://myapp.com/auth/callback"
+ * ```
+ */
+declare const getRelativeUrl: (ctx: RouterContext, path: string) => string;
+/**
+ * Determines if two domain names are considered a match for security purposes.
+ * Uses effective TLD+1 matching to allow subdomains while preventing
+ * unauthorized cross-domain requests.
+ *
+ * @param a - First domain name to compare
+ * @param b - Second domain name to compare
+ * @returns True if domains are considered a security match
+ *
+ * @example
+ * ```ts
+ * isDomainMatch("app.example.com", "auth.example.com") // true
+ * isDomainMatch("example.com", "evil.com") // false
+ * isDomainMatch("app.co.uk", "auth.co.uk") // true (handles two-part TLD)
+ * ```
+ */
+declare const isDomainMatch: (a: string, b: string) => boolean;
+/**
+ * Creates a lazy-evaluated function that caches the result of the first execution.
+ * Subsequent calls return the cached value without re-executing the function.
+ *
+ * @template T - The return type of the lazy function
+ * @param fn - Function to execute lazily
+ * @returns Function that returns the cached result
+ *
+ * @example
+ * ```ts
+ * const expensiveOperation = lazy(() => {
+ *   // Computing... (only logs once)
+ *   return heavyComputation()
+ * })
+ *
+ * const result1 = expensiveOperation() // Executes and caches
+ * const result2 = expensiveOperation() // Returns cached value
+ * ```
+ */
+declare const lazy: <T>(fn: () => T) => (() => T);
+//#endregion
 export { Prettify, getRelativeUrl, isDomainMatch, lazy };

package/dist/util.js

@@ -1,3 +1,108 @@
-import { getRelativeUrl, isDomainMatch, lazy } from "./util-CSdHUFOo.js";
+//#region src/util.ts
+/**
+* Constructs a complete URL relative to the current request context.
+* Handles proxy headers (x-forwarded-*) to ensure correct URL generation
+* in containerized and load-balanced environments.
+*
+* @param ctx - Router context containing request information
+* @param path - Relative path to append to the base URL
+* @returns Complete URL string with proper protocol, host, and port
+*
+* @example
+* ```ts
+* const callbackUrl = getRelativeUrl(ctx, "/callback")
+* // Returns: "https://myapp.com/auth/callback"
+* ```
+*/
+const getRelativeUrl = (ctx, path) => {
+	const result = new URL(path, ctx.request.url);
+	result.host = ctx.header("x-forwarded-host") || result.host;
+	result.protocol = ctx.header("x-forwarded-proto") || result.protocol;
+	result.port = ctx.header("x-forwarded-port") || result.port;
+	return result.toString();
+};
+/**
+* List of known two-part top-level domains that require special handling
+* for domain matching. These domains have an additional level that should
+* be considered when determining effective domain boundaries.
+*/
+const twoPartTlds = [
+	"co.uk",
+	"co.jp",
+	"co.kr",
+	"co.nz",
+	"co.za",
+	"co.in",
+	"com.au",
+	"com.br",
+	"com.cn",
+	"com.mx",
+	"com.tw",
+	"net.au",
+	"org.uk",
+	"ne.jp",
+	"ac.uk",
+	"gov.uk",
+	"edu.au",
+	"gov.au"
+];
+/**
+* Determines if two domain names are considered a match for security purposes.
+* Uses effective TLD+1 matching to allow subdomains while preventing
+* unauthorized cross-domain requests.
+*
+* @param a - First domain name to compare
+* @param b - Second domain name to compare
+* @returns True if domains are considered a security match
+*
+* @example
+* ```ts
+* isDomainMatch("app.example.com", "auth.example.com") // true
+* isDomainMatch("example.com", "evil.com") // false
+* isDomainMatch("app.co.uk", "auth.co.uk") // true (handles two-part TLD)
+* ```
+*/
+const isDomainMatch = (a, b) => {
+	if (a === b) return true;
+	const partsA = a.split(".");
+	const partsB = b.split(".");
+	const hasTwoPartTld = twoPartTlds.some((tld) => a.endsWith(`.${tld}`) || b.endsWith(`.${tld}`));
+	const numParts = hasTwoPartTld ? -3 : -2;
+	const min = Math.min(partsA.length, partsB.length, numParts);
+	const tailA = partsA.slice(min).join(".");
+	const tailB = partsB.slice(min).join(".");
+	return tailA === tailB;
+};
+/**
+* Creates a lazy-evaluated function that caches the result of the first execution.
+* Subsequent calls return the cached value without re-executing the function.
+*
+* @template T - The return type of the lazy function
+* @param fn - Function to execute lazily
+* @returns Function that returns the cached result
+*
+* @example
+* ```ts
+* const expensiveOperation = lazy(() => {
+*   // Computing... (only logs once)
+*   return heavyComputation()
+* })
+*
+* const result1 = expensiveOperation() // Executes and caches
+* const result2 = expensiveOperation() // Returns cached value
+* ```
+*/
+const lazy = (fn) => {
+	let value;
+	let hasValue = false;
+	return () => {
+		if (!hasValue) {
+			value = fn();
+			hasValue = true;
+		}
+		return value;
+	};
+};
 
+//#endregion
 export { getRelativeUrl, isDomainMatch, lazy };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",
@@ -57,7 +57,7 @@
   "dependencies": {
     "@standard-schema/spec": "^1.0.0",
     "jose": "^6.0.11",
-    "@draftlab/auth-router": "0.0.1"
+    "@draftlab/auth-router": "0.0.2"
   },
   "engines": {
     "node": ">=18"

package/dist/allow-CixonwTW.d.ts

@@ -1,59 +0,0 @@
-//#region src/allow.d.ts
-/**
- * Client authorization validation utilities.
- * Provides security checks to determine if OAuth authorization requests should be permitted
- * based on redirect URI validation and domain matching policies.
- */
-/**
- * Input parameters for authorization allow checks.
- * Contains all necessary information to validate if a client request should be permitted.
- */
-interface AllowCheckInput {
-  /** The client ID of the application requesting authorization */
-  readonly clientID: string;
-  /** The redirect URI where the user will be sent after authorization */
-  readonly redirectURI: string;
-  /** Optional audience parameter for the authorization request */
-  readonly audience?: string;
-}
-/**
- * Default authorization check that validates client requests based on redirect URI security.
- *
- * ## Security Policy
- * - **Localhost**: Always allowed (for development)
- * - **Same domain**: Redirect URI must match request origin at TLD+1 level
- * - **Cross-domain**: Rejected for security
- *
- * This prevents unauthorized applications from hijacking authorization codes by using
- * malicious redirect URIs that don't belong to the legitimate client application.
- *
- * @param input - Client request details including ID and redirect URI
- * @param req - The original HTTP request for domain comparison
- * @returns Promise resolving to true if the request should be allowed
- *
- * @example
- * ```ts
- * // Allowed: localhost development
- * await defaultAllowCheck({
- *   clientID: "dev-app",
- *   redirectURI: "http://localhost:3000/callback"
- * }, request) // → true
- *
- * // Allowed: same domain
- * // Request from: https://myapp.com
- * await defaultAllowCheck({
- *   clientID: "web-app",
- *   redirectURI: "https://auth.myapp.com/callback"
- * }, request) // → true
- *
- * // Rejected: different domain
- * // Request from: https://myapp.com
- * await defaultAllowCheck({
- *   clientID: "malicious-app",
- *   redirectURI: "https://evil.com/steal-codes"
- * }, request) // → false
- * ```
- */
-declare const defaultAllowCheck: (input: AllowCheckInput, req: Request) => Promise<boolean>;
-//#endregion
-export { AllowCheckInput, defaultAllowCheck };

package/dist/allow-DX5cehSc.js

@@ -1,63 +0,0 @@
-import { isDomainMatch } from "./util-CSdHUFOo.js";
-
-//#region src/allow.ts
-/**
-* Default authorization check that validates client requests based on redirect URI security.
-*
-* ## Security Policy
-* - **Localhost**: Always allowed (for development)
-* - **Same domain**: Redirect URI must match request origin at TLD+1 level
-* - **Cross-domain**: Rejected for security
-*
-* This prevents unauthorized applications from hijacking authorization codes by using
-* malicious redirect URIs that don't belong to the legitimate client application.
-*
-* @param input - Client request details including ID and redirect URI
-* @param req - The original HTTP request for domain comparison
-* @returns Promise resolving to true if the request should be allowed
-*
-* @example
-* ```ts
-* // Allowed: localhost development
-* await defaultAllowCheck({
-*   clientID: "dev-app",
-*   redirectURI: "http://localhost:3000/callback"
-* }, request) // → true
-*
-* // Allowed: same domain
-* // Request from: https://myapp.com
-* await defaultAllowCheck({
-*   clientID: "web-app",
-*   redirectURI: "https://auth.myapp.com/callback"
-* }, request) // → true
-*
-* // Rejected: different domain
-* // Request from: https://myapp.com
-* await defaultAllowCheck({
-*   clientID: "malicious-app",
-*   redirectURI: "https://evil.com/steal-codes"
-* }, request) // → false
-* ```
-*/
-const defaultAllowCheck = (input, req) => {
-	return Promise.resolve((() => {
-		let redirectHostname;
-		try {
-			redirectHostname = new URL(input.redirectURI).hostname;
-		} catch {
-			return false;
-		}
-		if (redirectHostname === "localhost" || redirectHostname === "127.0.0.1") return true;
-		let currentHostname;
-		try {
-			const forwardedHost = req.headers.get("x-forwarded-host");
-			currentHostname = forwardedHost ? new URL(`https://${forwardedHost}`).hostname : new URL(req.url).hostname;
-		} catch {
-			return false;
-		}
-		return isDomainMatch(redirectHostname, currentHostname);
-	})());
-};
-
-//#endregion
-export { defaultAllowCheck };