@draftlab/auth 0.15.0 → 0.16.0

package/package.json

@@ -1,22 +1,22 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",
-  "main": "dist/index.mjs",
-  "typings": "dist/index.d.mts",
+  "main": "dist/esm/index.js",
+  "typings": "dist/types/index.d.ts",
   "files": [
     "dist"
   ],
   "exports": {
     ".": {
-      "import": "./dist/index.mjs",
-      "types": "./dist/index.d.mts"
+      "import": "./dist/esm/index.js",
+      "types": "./dist/types/index.d.ts"
     },
     "./*": {
-      "import": "./dist/*.mjs",
-      "types": "./dist/*.d.mts"
+      "import": "./dist/esm/*.js",
+      "types": "./dist/types/*.d.ts"
     }
   },
   "sideEffects": false,
@@ -37,14 +37,12 @@
   ],
   "license": "MIT",
   "devDependencies": {
-    "@types/node": "^25.0.3",
-    "@types/qrcode": "^1.5.6",
-    "tsdown": "0.19.0-beta.5",
     "typescript": "^5.9.3",
     "@draftlab/tsconfig": "0.1.0"
   },
   "peerDependencies": {
     "@libsql/client": "^0.15.0",
+    "hono": "^4.0.0",
     "unstorage": "^1.0.0"
   },
   "peerDependenciesMeta": {
@@ -56,13 +54,9 @@
     }
   },
   "dependencies": {
-    "@simplewebauthn/server": "^13.2.2",
     "@standard-schema/spec": "^1.1.0",
     "jose": "^6.1.3",
-    "otpauth": "^9.4.1",
-    "preact": "^10.28.2",
-    "preact-render-to-string": "^6.6.5",
-    "qrcode": "^1.5.4"
+    "zod": "^4.3.6"
   },
   "engines": {
     "node": ">=18"
@@ -71,7 +65,7 @@
     "access": "public"
   },
   "scripts": {
-    "build": "tsdown",
+    "build": "bun run scripts/build.ts",
     "typecheck": "tsc --noEmit --emitDeclarationOnly false",
     "clean": "rm -rf dist .turbo node_modules"
   }

package/dist/adapters/node.d.mts

@@ -1,18 +0,0 @@
-import { IncomingMessage, ServerResponse } from "node:http";
-
-//#region src/adapters/node.d.ts
-
-/**
- * Converts Node.js IncomingMessage to Web Standards Request
- */
-declare const nodeRequestAdapter: (req: IncomingMessage) => Request;
-/**
- * Writes Web Standards Response to Node.js ServerResponse
- */
-declare const nodeResponseAdapter: (response: Response, res: ServerResponse) => Promise<void>;
-/**
- * Creates a Node.js HTTP handler from a Web Standards fetch function
- */
-declare const createNodeHandler: (fetchHandler: (request: Request) => Promise<Response>) => ((req: IncomingMessage, res: ServerResponse) => void);
-//#endregion
-export { createNodeHandler, nodeRequestAdapter, nodeResponseAdapter };

package/dist/adapters/node.mjs

@@ -1,69 +0,0 @@
-import { Readable } from "node:stream";
-
-//#region src/adapters/node.ts
-/**
-* Converts Node.js IncomingMessage to Web Standards Request
-*/
-const nodeRequestAdapter = (req) => {
-	const sanitizedHost = (req.headers.host || "localhost").split(",")[0]?.trim();
-	const url = new URL(req.url || "/", `http://${sanitizedHost}`);
-	const headers = new Headers();
-	for (const [key, value] of Object.entries(req.headers)) if (value !== void 0) if (Array.isArray(value)) for (const v of value) headers.append(key, v);
-	else headers.set(key, value);
-	let body;
-	if (req.method !== "GET" && req.method !== "HEAD") body = Readable.toWeb(req);
-	return new Request(url.toString(), {
-		method: req.method || "GET",
-		headers,
-		body,
-		duplex: "half"
-	});
-};
-/**
-* Writes Web Standards Response to Node.js ServerResponse
-*/
-const nodeResponseAdapter = async (response, res) => {
-	res.statusCode = response.status;
-	res.statusMessage = response.statusText;
-	response.headers.forEach((value, key) => {
-		res.setHeader(key, value);
-	});
-	if (response.body) {
-		const reader = response.body.getReader();
-		try {
-			while (true) {
-				const { done, value } = await reader.read();
-				if (done) break;
-				if (!res.write(value)) await new Promise((resolve) => res.once("drain", resolve));
-			}
-		} finally {
-			reader.releaseLock();
-		}
-	}
-	res.end();
-};
-/**
-* Creates a Node.js HTTP handler from a Web Standards fetch function
-*/
-const createNodeHandler = (fetchHandler) => {
-	return (req, res) => {
-		try {
-			fetchHandler(nodeRequestAdapter(req)).then((response) => nodeResponseAdapter(response, res)).catch((error) => {
-				console.error("Handler error:", error instanceof Error ? error.message : "Unknown error");
-				if (!res.headersSent) {
-					res.statusCode = 500;
-					res.end("Internal Server Error");
-				}
-			});
-		} catch (error) {
-			console.error("Request adapter error:", error instanceof Error ? error.message : "Unknown error");
-			if (!res.headersSent) {
-				res.statusCode = 400;
-				res.end("Bad Request");
-			}
-		}
-	};
-};
-
-//#endregion
-export { createNodeHandler, nodeRequestAdapter, nodeResponseAdapter };

package/dist/allow.mjs

@@ -1,63 +0,0 @@
-import { isDomainMatch } from "./util.mjs";
-
-//#region src/allow.ts
-/**
-* Default authorization check that validates client requests based on redirect URI security.
-*
-* ## Security Policy
-* - **Localhost**: Always allowed (for development)
-* - **Same domain**: Redirect URI must match request origin at TLD+1 level
-* - **Cross-domain**: Rejected for security
-*
-* This prevents unauthorized applications from hijacking authorization codes by using
-* malicious redirect URIs that don't belong to the legitimate client application.
-*
-* @param input - Client request details including ID and redirect URI
-* @param req - The original HTTP request for domain comparison
-* @returns Promise resolving to true if the request should be allowed
-*
-* @example
-* ```ts
-* // Allowed: localhost development
-* await defaultAllowCheck({
-*   clientID: "dev-app",
-*   redirectURI: "http://localhost:3000/callback"
-* }, request) // → true
-*
-* // Allowed: same domain
-* // Request from: https://myapp.com
-* await defaultAllowCheck({
-*   clientID: "web-app",
-*   redirectURI: "https://auth.myapp.com/callback"
-* }, request) // → true
-*
-* // Rejected: different domain
-* // Request from: https://myapp.com
-* await defaultAllowCheck({
-*   clientID: "malicious-app",
-*   redirectURI: "https://evil.com/steal-codes"
-* }, request) // → false
-* ```
-*/
-const defaultAllowCheck = (input, req) => {
-	return Promise.resolve((() => {
-		let redirectHostname;
-		try {
-			redirectHostname = new URL(input.redirectURI).hostname;
-		} catch {
-			return false;
-		}
-		if (redirectHostname === "localhost" || redirectHostname === "127.0.0.1") return true;
-		let currentHostname;
-		try {
-			const forwardedHost = req.headers.get("x-forwarded-host");
-			currentHostname = forwardedHost ? new URL(`https://${forwardedHost}`).hostname : new URL(req.url).hostname;
-		} catch {
-			return false;
-		}
-		return isDomainMatch(redirectHostname, currentHostname);
-	})());
-};
-
-//#endregion
-export { defaultAllowCheck };

package/dist/client.d.mts

@@ -1,456 +0,0 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.mjs";
-import { SubjectSchema } from "./subject.mjs";
-import { StandardSchemaV1 } from "@standard-schema/spec";
-
-//#region src/client.d.ts
-
-/**
- * Result type for operations that can succeed or fail.
- *
- * @template T - The success data type
- * @template E - The error type
- *
- * @example
- * ```ts
- * const result = await client.exchange(code, redirectUri)
- * if (result.success) {
- *   // Access token available: result.data.access
- * } else {
- *   // Handle error: result.error.message
- * }
- * ```
- */
-type Result<T, E = Error> = {
-  success: true;
-  data: T;
-} | {
-  success: false;
-  error: E;
-};
-interface FetchResponse {
-  ok: boolean;
-  text(): Promise<string>;
-  json(): Promise<unknown>;
-}
-type FetchLike = (url: string, init?: RequestInit) => Promise<FetchResponse>;
-/**
- * Authorization server metadata from well-known endpoints.
- */
-interface WellKnown {
-  /**
-   * URI to the JWKS endpoint for token verification.
-   */
-  jwks_uri: string;
-  /**
-   * URI to the token endpoint for authorization code exchange.
-   */
-  token_endpoint: string;
-  /**
-   * URI to the authorization endpoint for starting flows.
-   */
-  authorization_endpoint: string;
-}
-/**
- * Tokens returned by the authorization server.
- */
-interface Tokens {
-  /**
-   * Access token for making authenticated API requests.
-   */
-  access: string;
-  /**
-   * Refresh token for obtaining new access tokens.
-   */
-  refresh: string;
-  /**
-   * Number of seconds until the access token expires.
-   */
-  expiresIn: number;
-}
-/**
- * Challenge data for PKCE flows.
- */
-type Challenge = {
-  /**
-   * State parameter for CSRF protection.
-   */
-  state: string;
-  /**
-   * PKCE code verifier for token exchange.
-   */
-  verifier?: string;
-};
-/**
- * Client configuration options.
- */
-interface ClientInput {
-  /**
-   * Client ID that identifies your application.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "my-web-app"
-   * }
-   * ```
-   */
-  clientID: string;
-  /**
-   * Base URL of your Draft Auth server.
-   *
-   * @example
-   * ```ts
-   * {
-   *   issuer: "https://auth.myserver.com"
-   * }
-   * ```
-   */
-  issuer: string;
-  /**
-   * Optionally, override the internally used fetch function.
-   *
-   * @example
-   * ```ts
-   * {
-   *   fetch: customFetch
-   * }
-   * ```
-   */
-  fetch?: FetchLike;
-}
-/**
- * Options for starting an authorization flow.
- */
-interface AuthorizeOptions {
-  /**
-   * Enable PKCE flow for enhanced security.
-   *
-   * Recommended for single-page applications and mobile apps.
-   *
-   * @default false
-   * @example
-   * ```ts
-   * {
-   *   pkce: true
-   * }
-   * ```
-   */
-  pkce?: boolean;
-  /**
-   * Specific authentication provider to use.
-   *
-   * If not specified, users see a provider selection screen
-   * or are redirected to the single configured provider.
-   *
-   * @example
-   * ```ts
-   * {
-   *   provider: "google"
-   * }
-   * ```
-   */
-  provider?: string;
-}
-/**
- * Result of starting an authorization flow.
- */
-interface AuthorizeResult {
-  /**
-   * Challenge data needed for PKCE flows.
-   *
-   * Store this securely and use when exchanging the code.
-   *
-   * @example
-   * ```ts
-   * sessionStorage.setItem("challenge", JSON.stringify(challenge))
-   * ```
-   */
-  challenge: Challenge;
-  /**
-   * Authorization URL to redirect the user to.
-   *
-   * @example
-   * ```ts
-   * window.location.href = url
-   * ```
-   */
-  url: string;
-}
-/**
- * Options for token refresh operations.
- */
-interface RefreshOptions {
-  /**
-   * Current access token to check before refreshing.
-   *
-   * Helps avoid unnecessary refresh requests.
-   *
-   * @example
-   * ```ts
-   * {
-   *   access: currentAccessToken
-   * }
-   * ```
-   */
-  access?: string;
-}
-/**
- * Options for token verification.
- */
-interface VerifyOptions {
-  /**
-   * Refresh token for automatic refresh if access token is expired.
-   *
-   * If passed in, this will automatically refresh the access token if it has expired.
-   *
-   * @example
-   * ```ts
-   * {
-   *   refresh: refreshToken
-   * }
-   * ```
-   */
-  refresh?: string;
-  /**
-   * Expected issuer for validation.
-   * @internal
-   */
-  issuer?: string;
-  /**
-   * Expected audience for validation.
-   * Defaults to clientID for security. Override only if you know what you're doing.
-   * @internal
-   */
-  audience?: string;
-  /**
-   * Custom fetch for HTTP requests.
-   *
-   * Optionally, override the internally used fetch function.
-   */
-  fetch?: FetchLike;
-}
-/**
- * Result of successful token verification.
- */
-interface VerifyResult<T extends SubjectSchema> {
-  /**
-   * New tokens if access token was refreshed during verification.
-   */
-  tokens?: Tokens;
-  /**
-   * Audience (client ID) the token was issued for.
-   * @internal
-   */
-  aud: string;
-  /**
-   * Decoded subject information from the access token.
-   *
-   * Contains user data that was encoded when the token was issued.
-   */
-  subject: { [K in keyof T]: {
-    type: K;
-    properties: StandardSchemaV1.InferOutput<T[K]>;
-  } }[keyof T];
-}
-/**
- * Options for token revocation.
- */
-interface RevokeOptions {
-  /**
-   * Optional hint about the token type.
-   * Can be "access_token" or "refresh_token".
-   *
-   * Helps the server optimize token lookup.
-   *
-   * @example
-   * ```ts
-   * {
-   *   tokenTypeHint: "refresh_token"
-   * }
-   * ```
-   */
-  tokenTypeHint?: "access_token" | "refresh_token";
-}
-/**
- * Draft Auth client with OAuth 2.0 operations.
- */
-interface Client {
-  /**
-   * Start an OAuth authorization flow.
-   *
-   * @param redirectURI - Where users will be sent after authorization
-   * @param response - Response type ("code" or "token")
-   * @param opts - Additional authorization options
-   * @returns Authorization URL and challenge data
-   *
-   * @example Basic flow
-   * ```ts
-   * const result = await client.authorize(
-   *   "https://myapp.com/callback",
-   *   "code"
-   * )
-   * if (result.success) {
-   *   window.location.href = result.data.url
-   * }
-   * ```
-   *
-   * @example PKCE flow
-   * ```ts
-   * const result = await client.authorize(
-   *   "https://spa.example.com/callback",
-   *   "code",
-   *   { pkce: true, scopes: ["read", "write"] }
-   * )
-   * if (result.success) {
-   *   sessionStorage.setItem("challenge", JSON.stringify(result.data.challenge))
-   *   window.location.href = result.data.url
-   * }
-   * ```
-   */
-  authorize(redirectURI: string, response: "code" | "token", opts?: AuthorizeOptions): Promise<Result<AuthorizeResult>>;
-  /**
-   * Exchange authorization code for tokens.
-   *
-   * @param code - Authorization code from the callback
-   * @param redirectURI - Same redirect URI used in authorization
-   * @param verifier - PKCE code verifier (required for PKCE flows)
-   * @returns Access tokens and metadata
-   *
-   * @example Basic exchange
-   * ```ts
-   * const urlParams = new URLSearchParams(window.location.search)
-   * const code = urlParams.get('code')
-   *
-   * if (code) {
-   *   const result = await client.exchange(code, "https://myapp.com/callback")
-   *   if (result.success) {
-   *     const { access, refresh } = result.data
-   *     // Store tokens securely
-   *   }
-   * }
-   * ```
-   *
-   * @example PKCE exchange
-   * ```ts
-   * const challenge = JSON.parse(sessionStorage.getItem("challenge") || "{}")
-   * const code = new URLSearchParams(window.location.search).get('code')
-   *
-   * if (code && challenge.verifier) {
-   *   const result = await client.exchange(
-   *     code,
-   *     "https://spa.example.com/callback",
-   *     challenge.verifier
-   *   )
-   *   if (result.success) {
-   *     sessionStorage.removeItem("challenge")
-   *     // Handle tokens
-   *   }
-   * }
-   * ```
-   */
-  exchange(code: string, redirectURI: string, verifier?: string): Promise<Result<Tokens, InvalidAuthorizationCodeError>>;
-  /**
-   * Refresh an access token using a refresh token.
-   *
-   * @param refresh - Refresh token to use
-   * @param opts - Additional refresh options
-   * @returns New tokens if refresh was needed
-   *
-   * @example Basic refresh
-   * ```ts
-   * const result = await client.refresh(storedRefreshToken)
-   *
-   * if (result.success && result.data.tokens) {
-   *   const { access, refresh: newRefresh } = result.data.tokens
-   *   updateStoredTokens(access, newRefresh)
-   * } else if (result.success) {
-   *   // Token still valid
-   * } else {
-   *   redirectToLogin()
-   * }
-   * ```
-   */
-  refresh(refresh: string, opts?: RefreshOptions): Promise<Result<{
-    tokens?: Tokens;
-  }, InvalidRefreshTokenError | InvalidAccessTokenError>>;
-  /**
-   * Verify and decode an access token.
-   *
-   * @param subjects - Subject schema used when creating the issuer
-   * @param token - Access token to verify
-   * @param options - Additional verification options
-   * @returns Decoded token data and user information
-   *
-   * @example Basic verification
-   * ```ts
-   * const result = await client.verify(subjects, accessToken)
-   *
-   * if (result.success) {
-   *   const { subject, scopes } = result.data
-   *   // Access user ID: subject.properties.userID
-   *   // Access scopes: scopes?.join(', ')
-   * }
-   * ```
-   *
-   * @example With automatic refresh
-   * ```ts
-   * const result = await client.verify(subjects, accessToken, {
-   *   refresh: refreshToken
-   * })
-   *
-   * if (result.success) {
-   *   if (result.data.tokens) {
-   *     // Tokens were refreshed
-   *     updateStoredTokens(result.data.tokens.access, result.data.tokens.refresh)
-   *   }
-   *   // Use verified subject data
-   *   const user = result.data.subject.properties
-   * }
-   * ```
-   */
-  verify<T extends SubjectSchema>(subjects: T, token: string, options?: VerifyOptions): Promise<Result<VerifyResult<T>, InvalidRefreshTokenError | InvalidAccessTokenError | InvalidSubjectError>>;
-  /**
-   * Revoke a token (access or refresh token).
-   *
-   * Once revoked, the token cannot be used to access resources or refresh.
-   * Useful for implementing logout functionality.
-   *
-   * @param token - The token to revoke
-   * @param opts - Additional revocation options
-   * @returns Empty result on success
-   *
-   * @example Logout with refresh token revocation
-   * ```ts
-   * const result = await client.revoke(refreshToken, {
-   *   tokenTypeHint: "refresh_token"
-   * })
-   *
-   * if (result.success) {
-   *   // Token revoked successfully, user is logged out
-   *   clearStoredTokens()
-   *   redirectToHome()
-   * } else {
-   *   // Revocation failed, but still clear tokens on client
-   *   clearStoredTokens()
-   * }
-   * ```
-   */
-  revoke(token: string, opts?: RevokeOptions): Promise<Result<void>>;
-}
-/**
- * Create a Draft Auth client.
- *
- * @param input - Client configuration
- * @returns Configured client instance
- *
- * @example Basic setup
- * ```ts
- * const client = createClient({
- *   clientID: "my-web-app",
- *   issuer: "https://auth.mycompany.com"
- * })
- * ```
- */
-declare const createClient: (input: ClientInput) => Client;
-//#endregion
-export { AuthorizeOptions, AuthorizeResult, Challenge, Client, ClientInput, RefreshOptions, Result, RevokeOptions, Tokens, VerifyOptions, VerifyResult, WellKnown, createClient };