npm - @draftlab/auth - Versions diffs - 0.15.0 → 0.16.0 - Mend

@draftlab/auth 0.15.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

package/dist/esm/allow.js +26 -0
package/dist/esm/client.js +254 -0
package/dist/esm/core.js +597 -0
package/dist/esm/css.d.js +0 -0
package/dist/esm/error.js +88 -0
package/dist/esm/index.js +5 -0
package/dist/esm/keys.js +126 -0
package/dist/esm/mutex.js +53 -0
package/dist/esm/pkce.js +87 -0
package/dist/esm/provider/apple.js +15 -0
package/dist/esm/provider/code.js +62 -0
package/dist/esm/provider/discord.js +15 -0
package/dist/esm/provider/facebook.js +15 -0
package/dist/esm/provider/github.js +15 -0
package/dist/esm/provider/gitlab.js +15 -0
package/dist/esm/provider/google.js +16 -0
package/dist/esm/provider/linkedin.js +15 -0
package/dist/esm/provider/magiclink.js +83 -0
package/dist/esm/provider/microsoft.js +15 -0
package/dist/esm/provider/oauth2.js +130 -0
package/dist/esm/provider/password.js +331 -0
package/dist/esm/provider/provider.js +18 -0
package/dist/esm/provider/reddit.js +15 -0
package/dist/esm/provider/slack.js +15 -0
package/dist/esm/provider/spotify.js +15 -0
package/dist/esm/provider/twitch.js +15 -0
package/dist/esm/provider/vercel.js +17 -0
package/dist/esm/random.js +40 -0
package/dist/esm/revocation.js +27 -0
package/dist/esm/storage/memory.js +110 -0
package/dist/esm/storage/storage.js +56 -0
package/dist/esm/storage/turso.js +93 -0
package/dist/esm/storage/unstorage.js +78 -0
package/dist/esm/subject.js +7 -0
package/dist/esm/themes/theme.js +115 -0
package/dist/esm/toolkit/client.js +119 -0
package/dist/esm/toolkit/index.js +25 -0
package/dist/esm/toolkit/providers/facebook.js +11 -0
package/dist/esm/toolkit/providers/github.js +11 -0
package/dist/esm/toolkit/providers/google.js +11 -0
package/dist/esm/toolkit/providers/strategy.js +0 -0
package/dist/esm/toolkit/storage.js +81 -0
package/dist/esm/toolkit/utils.js +18 -0
package/dist/esm/types.js +0 -0
package/dist/esm/ui/base.js +478 -0
package/dist/esm/ui/code.js +186 -0
package/dist/esm/ui/form.js +46 -0
package/dist/esm/ui/icon.js +242 -0
package/dist/esm/ui/magiclink.js +158 -0
package/dist/esm/ui/password.js +435 -0
package/dist/esm/ui/select.js +102 -0
package/dist/esm/util.js +59 -0
package/dist/{allow.d.mts → types/allow.d.ts} +9 -11
package/dist/types/allow.d.ts.map +1 -0
package/dist/types/client.d.ts +462 -0
package/dist/types/client.d.ts.map +1 -0
package/dist/types/core.d.ts +113 -0
package/dist/types/core.d.ts.map +1 -0
package/dist/{error.d.mts → types/error.d.ts} +95 -97
package/dist/types/error.d.ts.map +1 -0
package/dist/types/index.d.ts +2 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/{keys.d.mts → types/keys.d.ts} +20 -24
package/dist/types/keys.d.ts.map +1 -0
package/dist/types/mutex.d.ts +42 -0
package/dist/types/mutex.d.ts.map +1 -0
package/dist/{pkce.d.mts → types/pkce.d.ts} +10 -11
package/dist/types/pkce.d.ts.map +1 -0
package/dist/types/provider/apple.d.ts +197 -0
package/dist/types/provider/apple.d.ts.map +1 -0
package/dist/types/provider/code.d.ts +288 -0
package/dist/types/provider/code.d.ts.map +1 -0
package/dist/types/provider/discord.d.ts +206 -0
package/dist/types/provider/discord.d.ts.map +1 -0
package/dist/types/provider/facebook.d.ts +200 -0
package/dist/types/provider/facebook.d.ts.map +1 -0
package/dist/types/provider/github.d.ts +220 -0
package/dist/types/provider/github.d.ts.map +1 -0
package/dist/types/provider/gitlab.d.ts +180 -0
package/dist/types/provider/gitlab.d.ts.map +1 -0
package/dist/types/provider/google.d.ts +158 -0
package/dist/types/provider/google.d.ts.map +1 -0
package/dist/types/provider/linkedin.d.ts +190 -0
package/dist/types/provider/linkedin.d.ts.map +1 -0
package/dist/types/provider/magiclink.d.ts +141 -0
package/dist/types/provider/magiclink.d.ts.map +1 -0
package/dist/types/provider/microsoft.d.ts +247 -0
package/dist/types/provider/microsoft.d.ts.map +1 -0
package/dist/types/provider/oauth2.d.ts +229 -0
package/dist/types/provider/oauth2.d.ts.map +1 -0
package/dist/types/provider/password.d.ts +408 -0
package/dist/types/provider/password.d.ts.map +1 -0
package/dist/types/provider/provider.d.ts +226 -0
package/dist/types/provider/provider.d.ts.map +1 -0
package/dist/types/provider/reddit.d.ts +159 -0
package/dist/types/provider/reddit.d.ts.map +1 -0
package/dist/types/provider/slack.d.ts +171 -0
package/dist/types/provider/slack.d.ts.map +1 -0
package/dist/types/provider/spotify.d.ts +168 -0
package/dist/types/provider/spotify.d.ts.map +1 -0
package/dist/types/provider/twitch.d.ts +163 -0
package/dist/types/provider/twitch.d.ts.map +1 -0
package/dist/types/provider/vercel.d.ts +294 -0
package/dist/types/provider/vercel.d.ts.map +1 -0
package/dist/{random.d.mts → types/random.d.ts} +4 -6
package/dist/types/random.d.ts.map +1 -0
package/dist/types/revocation.d.ts +76 -0
package/dist/types/revocation.d.ts.map +1 -0
package/dist/{storage/memory.d.mts → types/storage/memory.d.ts} +17 -21
package/dist/types/storage/memory.d.ts.map +1 -0
package/dist/types/storage/storage.d.ts +177 -0
package/dist/types/storage/storage.d.ts.map +1 -0
package/dist/{storage/turso.d.mts → types/storage/turso.d.ts} +4 -8
package/dist/types/storage/turso.d.ts.map +1 -0
package/dist/{storage/unstorage.d.mts → types/storage/unstorage.d.ts} +12 -11
package/dist/types/storage/unstorage.d.ts.map +1 -0
package/dist/types/subject.d.ts +115 -0
package/dist/types/subject.d.ts.map +1 -0
package/dist/types/themes/theme.d.ts +207 -0
package/dist/types/themes/theme.d.ts.map +1 -0
package/dist/types/toolkit/client.d.ts +235 -0
package/dist/types/toolkit/client.d.ts.map +1 -0
package/dist/types/toolkit/index.d.ts +45 -0
package/dist/types/toolkit/index.d.ts.map +1 -0
package/dist/types/toolkit/providers/facebook.d.ts +8 -0
package/dist/types/toolkit/providers/facebook.d.ts.map +1 -0
package/dist/types/toolkit/providers/github.d.ts +8 -0
package/dist/types/toolkit/providers/github.d.ts.map +1 -0
package/dist/types/toolkit/providers/google.d.ts +8 -0
package/dist/types/toolkit/providers/google.d.ts.map +1 -0
package/dist/types/toolkit/providers/strategy.d.ts +38 -0
package/dist/types/toolkit/providers/strategy.d.ts.map +1 -0
package/dist/{toolkit/storage.d.mts → types/toolkit/storage.d.ts} +37 -39
package/dist/types/toolkit/storage.d.ts.map +1 -0
package/dist/{toolkit/utils.d.mts → types/toolkit/utils.d.ts} +2 -4
package/dist/types/toolkit/utils.d.ts.map +1 -0
package/dist/types/types.d.ts +92 -0
package/dist/types/types.d.ts.map +1 -0
package/dist/types/ui/base.d.ts +18 -0
package/dist/types/ui/base.d.ts.map +1 -0
package/dist/types/ui/code.d.ts +43 -0
package/dist/types/ui/code.d.ts.map +1 -0
package/dist/types/ui/form.d.ts +24 -0
package/dist/types/ui/form.d.ts.map +1 -0
package/dist/types/ui/icon.d.ts +60 -0
package/dist/types/ui/icon.d.ts.map +1 -0
package/dist/types/ui/magiclink.d.ts +41 -0
package/dist/types/ui/magiclink.d.ts.map +1 -0
package/dist/types/ui/password.d.ts +43 -0
package/dist/types/ui/password.d.ts.map +1 -0
package/dist/types/ui/select.d.ts +33 -0
package/dist/types/ui/select.d.ts.map +1 -0
package/dist/{util.d.mts → types/util.d.ts} +11 -13
package/dist/types/util.d.ts.map +1 -0
package/package.json +10 -16
package/dist/adapters/node.d.mts +0 -18
package/dist/adapters/node.mjs +0 -69
package/dist/allow.mjs +0 -63
package/dist/client.d.mts +0 -456
package/dist/client.mjs +0 -283
package/dist/core.d.mts +0 -110
package/dist/core.mjs +0 -595
package/dist/error.mjs +0 -237
package/dist/index.d.mts +0 -2
package/dist/index.mjs +0 -3
package/dist/keys.mjs +0 -146
package/dist/mutex.d.mts +0 -44
package/dist/mutex.mjs +0 -110
package/dist/pkce.mjs +0 -157
package/dist/provider/apple.d.mts +0 -111
package/dist/provider/apple.mjs +0 -164
package/dist/provider/code.d.mts +0 -228
package/dist/provider/code.mjs +0 -246
package/dist/provider/discord.d.mts +0 -146
package/dist/provider/discord.mjs +0 -156
package/dist/provider/facebook.d.mts +0 -142
package/dist/provider/facebook.mjs +0 -150
package/dist/provider/github.d.mts +0 -140
package/dist/provider/github.mjs +0 -169
package/dist/provider/gitlab.d.mts +0 -106
package/dist/provider/gitlab.mjs +0 -147
package/dist/provider/google.d.mts +0 -112
package/dist/provider/google.mjs +0 -109
package/dist/provider/linkedin.d.mts +0 -132
package/dist/provider/linkedin.mjs +0 -142
package/dist/provider/magiclink.d.mts +0 -89
package/dist/provider/magiclink.mjs +0 -143
package/dist/provider/microsoft.d.mts +0 -178
package/dist/provider/microsoft.mjs +0 -177
package/dist/provider/oauth2.d.mts +0 -176
package/dist/provider/oauth2.mjs +0 -222
package/dist/provider/passkey.d.mts +0 -104
package/dist/provider/passkey.mjs +0 -320
package/dist/provider/password.d.mts +0 -412
package/dist/provider/password.mjs +0 -363
package/dist/provider/provider.d.mts +0 -227
package/dist/provider/provider.mjs +0 -44
package/dist/provider/reddit.d.mts +0 -107
package/dist/provider/reddit.mjs +0 -127
package/dist/provider/slack.d.mts +0 -114
package/dist/provider/slack.mjs +0 -138
package/dist/provider/spotify.d.mts +0 -113
package/dist/provider/spotify.mjs +0 -135
package/dist/provider/totp.d.mts +0 -112
package/dist/provider/totp.mjs +0 -191
package/dist/provider/twitch.d.mts +0 -108
package/dist/provider/twitch.mjs +0 -131
package/dist/provider/vercel.d.mts +0 -177
package/dist/provider/vercel.mjs +0 -230
package/dist/random.mjs +0 -86
package/dist/revocation.d.mts +0 -55
package/dist/revocation.mjs +0 -63
package/dist/router/context.d.mts +0 -21
package/dist/router/context.mjs +0 -193
package/dist/router/cookies.d.mts +0 -8
package/dist/router/cookies.mjs +0 -13
package/dist/router/index.d.mts +0 -21
package/dist/router/index.mjs +0 -107
package/dist/router/matcher.d.mts +0 -15
package/dist/router/matcher.mjs +0 -76
package/dist/router/middleware/cors.d.mts +0 -15
package/dist/router/middleware/cors.mjs +0 -114
package/dist/router/safe-request.d.mts +0 -52
package/dist/router/safe-request.mjs +0 -160
package/dist/router/types.d.mts +0 -67
package/dist/router/types.mjs +0 -1
package/dist/router/variables.d.mts +0 -12
package/dist/router/variables.mjs +0 -20
package/dist/storage/memory.mjs +0 -125
package/dist/storage/storage.d.mts +0 -179
package/dist/storage/storage.mjs +0 -104
package/dist/storage/turso.mjs +0 -117
package/dist/storage/unstorage.mjs +0 -103
package/dist/subject.d.mts +0 -62
package/dist/subject.mjs +0 -36
package/dist/themes/theme.d.mts +0 -209
package/dist/themes/theme.mjs +0 -120
package/dist/toolkit/client.d.mts +0 -169
package/dist/toolkit/client.mjs +0 -209
package/dist/toolkit/index.d.mts +0 -9
package/dist/toolkit/index.mjs +0 -9
package/dist/toolkit/providers/facebook.d.mts +0 -12
package/dist/toolkit/providers/facebook.mjs +0 -16
package/dist/toolkit/providers/github.d.mts +0 -12
package/dist/toolkit/providers/github.mjs +0 -16
package/dist/toolkit/providers/google.d.mts +0 -12
package/dist/toolkit/providers/google.mjs +0 -20
package/dist/toolkit/providers/strategy.d.mts +0 -40
package/dist/toolkit/providers/strategy.mjs +0 -1
package/dist/toolkit/storage.mjs +0 -157
package/dist/toolkit/utils.mjs +0 -30
package/dist/types.d.mts +0 -94
package/dist/types.mjs +0 -1
package/dist/ui/base.d.mts +0 -30
package/dist/ui/base.mjs +0 -407
package/dist/ui/code.d.mts +0 -43
package/dist/ui/code.mjs +0 -173
package/dist/ui/form.d.mts +0 -32
package/dist/ui/form.mjs +0 -49
package/dist/ui/icon.d.mts +0 -58
package/dist/ui/icon.mjs +0 -247
package/dist/ui/magiclink.d.mts +0 -41
package/dist/ui/magiclink.mjs +0 -152
package/dist/ui/passkey.d.mts +0 -27
package/dist/ui/passkey.mjs +0 -323
package/dist/ui/password.d.mts +0 -42
package/dist/ui/password.mjs +0 -402
package/dist/ui/select.d.mts +0 -34
package/dist/ui/select.mjs +0 -98
package/dist/ui/totp.d.mts +0 -34
package/dist/ui/totp.mjs +0 -270
package/dist/util.mjs +0 -128

package/dist/core.mjs DELETED Viewed

@@ -1,595 +0,0 @@
-import { getRelativeUrl, lazy } from "./util.mjs";
-import { defaultAllowCheck } from "./allow.mjs";
-import { MissingParameterError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error.mjs";
-import { validatePKCE } from "./pkce.mjs";
-import { generateSecureToken } from "./random.mjs";
-import { Storage } from "./storage/storage.mjs";
-import { encryptionKeys, signingKeys } from "./keys.mjs";
-import { Revocation } from "./revocation.mjs";
-import { Router } from "./router/index.mjs";
-import { deleteCookie, getCookie, setCookie } from "./router/cookies.mjs";
-import { cors } from "./router/middleware/cors.mjs";
-import { setTheme } from "./themes/theme.mjs";
-import { Select } from "./ui/select.mjs";
-import { CompactEncrypt, SignJWT, compactDecrypt } from "jose";
-//#region src/core.ts
-/**
-* Core issuer implementation.
-*/
-/**
-* Performs an operation with guaranteed minimum execution time.
-* Adds random jitter to prevent timing-based attacks even if operation completes quickly.
-*
-* Used for validating sensitive data where timing differences could leak information
-* (e.g., authorization codes, refresh tokens).
-*
-* @param fn - Async function to execute
-* @param minTimeMs - Minimum execution time in milliseconds (default: 100ms)
-* @returns Result of the function, guaranteed to take at least minTimeMs
-*/
-const normalizeTimingAsync = async (fn, minTimeMs = 100) => {
-	const startTime = performance.now();
-	const result = await fn();
-	const elapsed = performance.now() - startTime;
-	const remainingTime = Math.max(0, minTimeMs - elapsed);
-	if (remainingTime > 0) {
-		const jitterBuffer = new Uint32Array(1);
-		crypto.getRandomValues(jitterBuffer);
-		const totalDelay = remainingTime + (jitterBuffer[0] ?? 0) / 4294967295 * 20;
-		await new Promise((resolve) => setTimeout(resolve, totalDelay));
-	}
-	return result;
-};
-/**
-* Determines if the incoming request is using HTTPS protocol.
-* Checks multiple proxy headers to handle load balancers and reverse proxies.
-*
-* @param ctx - Router context containing request headers and URL
-* @returns True if request is HTTPS, false otherwise
-*
-* @example
-* ```ts
-* if (isHttpsRequest(ctx)) {
-*   setCookie(ctx, 'secure-cookie', value, { secure: true })
-* }
-* ```
-*/
-const isHttpsRequest = (ctx) => {
-	return ctx.header("x-forwarded-proto") === "https" || ctx.header("x-forwarded-ssl") === "on" || ctx.request.url.startsWith("https://");
-};
-/**
-* Create an Draft Auth server, a Router app that handles OAuth 2.0 flows.
-*/
-const issuer = (input) => {
-	const error = input.error ?? ((err) => {
-		return new Response(err.message, {
-			status: 400,
-			headers: { "Content-Type": "text/plain" }
-		});
-	});
-	const ttlAccess = input.ttl?.access ?? 3600 * 24 * 30;
-	const ttlRefresh = input.ttl?.refresh ?? 3600 * 24 * 365;
-	const ttlRefreshReuse = input.ttl?.reuse ?? 60;
-	const ttlRefreshRetention = input.ttl?.retention ?? 0;
-	if (input.theme) setTheme(input.theme);
-	const storage = input.storage;
-	const select = lazy(() => input.select ?? Select());
-	const allSigning = lazy(() => signingKeys(storage));
-	const allEncryption = lazy(() => encryptionKeys(storage));
-	const allow = lazy(() => input.allow ?? defaultAllowCheck);
-	const signingKey = lazy(() => allSigning().then((all) => all[0]));
-	const encryptionKey = lazy(() => allEncryption().then((all) => all[0]));
-	/**
-	* Resolves issuer URL from context.
-	* Returns the base URL for the OAuth issuer, considering basePath configuration.
-	*/
-	const issuer$1 = (ctx) => {
-		const baseUrl = new URL(getRelativeUrl(ctx, "/"));
-		if (input.basePath) {
-			baseUrl.pathname = (input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`).replace(/\/$/, "");
-			return baseUrl.href;
-		}
-		return baseUrl.origin;
-	};
-	/**
-	* Encrypts value for secure cookie storage.
-	*/
-	const encrypt = async (value) => {
-		const key = await encryptionKey();
-		if (!key) throw new Error("Encryption key not available");
-		return await new CompactEncrypt(new TextEncoder().encode(JSON.stringify(value))).setProtectedHeader({
-			alg: "RSA-OAEP-512",
-			enc: "A256GCM"
-		}).encrypt(key.public);
-	};
-	/**
-	* Decrypts value from secure cookie storage.
-	*/
-	const decrypt = async (value) => {
-		const key = await encryptionKey();
-		if (!key) throw new Error("Encryption key not available");
-		return JSON.parse(new TextDecoder().decode(await compactDecrypt(value, key.private).then((result) => result.plaintext)));
-	};
-	/**
-	* Resolves unique subject identifier from type and properties.
-	*/
-	const resolveSubject = async (type, properties) => {
-		const jsonString = JSON.stringify(properties);
-		const data = new TextEncoder().encode(jsonString);
-		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-		return `${type}:${Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 16)}`;
-	};
-	/**
-	* Generates access and refresh tokens for OAuth 2.0.
-	*/
-	const generateTokens = async (ctx, value, opts) => {
-		const refreshToken = value.nextToken ?? generateSecureToken();
-		if (opts?.generateRefreshToken ?? true) {
-			/**
-			* Generate and store the next refresh token after the one we are currently returning.
-			* Reserving these in advance avoids concurrency issues with multiple refreshes.
-			* Similar treatment should be given to any other values that may have race conditions,
-			* for example if a jti claim was added to the access token.
-			*/
-			const refreshPayload = {
-				type: value.type,
-				properties: value.properties,
-				clientID: value.clientID,
-				subject: value.subject,
-				ttl: value.ttl,
-				nextToken: generateSecureToken(),
-				timeUsed: value.timeUsed
-			};
-			const refreshKey = [
-				"oauth:refresh",
-				value.subject,
-				refreshToken
-			];
-			await Storage.set(storage, refreshKey, refreshPayload, value.ttl.refresh);
-		}
-		const signingKeyData = await signingKey();
-		if (!signingKeyData) throw new Error("Signing key not available");
-		const now = Math.floor(Date.now() / 1e3);
-		if (!value.clientID.trim()) throw new Error("Invalid audience: client ID cannot be empty");
-		return {
-			access: await new SignJWT({
-				type: value.type,
-				properties: value.properties,
-				sub: value.subject,
-				aud: value.clientID,
-				iss: issuer$1(ctx),
-				exp: now + value.ttl.access,
-				iat: now,
-				mode: "access"
-			}).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
-				alg: signingKeyData.alg,
-				kid: signingKeyData.id,
-				typ: "JWT"
-			}).sign(signingKeyData.private),
-			refresh: [value.subject, refreshToken].join(":"),
-			expiresIn: Math.floor(now + value.ttl.access - Date.now() / 1e3)
-		};
-	};
-	/**
-	* Gets authorization state from context.
-	*/
-	const getAuthorization = async (ctx) => {
-		const match = await auth.get(ctx, "authorization") || ctx.get("authorization");
-		if (!match) throw new UnknownStateError();
-		return match;
-	};
-	/**
-	* Authentication utilities for providers.
-	*/
-	const auth = {
-		async success(ctx, properties, successOpts) {
-			const authorization = await getAuthorization(ctx);
-			const currentProvider = ctx.get("provider") || "unknown";
-			if (!authorization.client_id) throw new Error("client_id is required");
-			return await input.success({ async subject(type, properties$1, subjectOpts) {
-				const subject = subjectOpts?.subject ?? await resolveSubject(type, properties$1);
-				await successOpts?.invalidate?.(await resolveSubject(type, properties$1));
-				if (authorization.response_type === "token") {
-					if (!authorization.redirect_uri) throw new Error("redirect_uri is required");
-					const location$1 = new URL(authorization.redirect_uri);
-					if (!authorization.client_id) throw new Error("client_id is required");
-					const tokens = await generateTokens(ctx, {
-						type,
-						subject,
-						properties: properties$1,
-						clientID: authorization.client_id,
-						ttl: {
-							access: subjectOpts?.ttl?.access ?? ttlAccess,
-							refresh: subjectOpts?.ttl?.refresh ?? ttlRefresh
-						}
-					});
-					location$1.hash = new URLSearchParams({
-						access_token: tokens.access,
-						token_type: "Bearer",
-						expires_in: tokens.expiresIn.toString(),
-						...authorization.state && { state: authorization.state }
-					}).toString();
-					await auth.unset(ctx, "authorization");
-					return ctx.redirect(location$1.toString(), 302);
-				}
-				if (!authorization.redirect_uri) throw new Error("redirect_uri is required");
-				if (!authorization.client_id) throw new Error("client_id is required");
-				const code = generateSecureToken();
-				const codePayload = {
-					type,
-					properties: properties$1,
-					subject,
-					redirectURI: authorization.redirect_uri,
-					clientID: authorization.client_id,
-					scopes: authorization.scopes,
-					pkce: authorization.pkce,
-					ttl: {
-						access: subjectOpts?.ttl?.access ?? ttlAccess,
-						refresh: subjectOpts?.ttl?.refresh ?? ttlRefresh
-					}
-				};
-				await Storage.set(storage, ["oauth:code", code], codePayload, 60);
-				if (!authorization.redirect_uri) throw new Error("redirect_uri is required");
-				const location = new URL(authorization.redirect_uri);
-				location.searchParams.set("code", code);
-				if (authorization.state) location.searchParams.set("state", authorization.state);
-				await auth.unset(ctx, "authorization");
-				return ctx.redirect(location.toString(), 302);
-			} }, {
-				provider: currentProvider,
-				...properties && typeof properties === "object" ? properties : {}
-			}, ctx.request, authorization.client_id);
-		},
-		forward(ctx, response) {
-			return ctx.newResponse(response.body ?? void 0, {
-				status: response.status,
-				statusText: response.statusText,
-				headers: response.headers
-			});
-		},
-		async set(ctx, key, maxAge, value) {
-			const isHttps = isHttpsRequest(ctx);
-			setCookie(ctx, key, await encrypt(value), {
-				maxAge,
-				httpOnly: true,
-				secure: isHttps,
-				sameSite: isHttps ? "None" : "Lax",
-				path: input.basePath || "/"
-			});
-		},
-		async get(ctx, key) {
-			const raw = getCookie(ctx, key);
-			if (!raw) return;
-			try {
-				return await decrypt(raw);
-			} catch {
-				deleteCookie(ctx, key, { path: input.basePath || "/" });
-				return;
-			}
-		},
-		async unset(ctx, key) {
-			deleteCookie(ctx, key, { path: input.basePath || "/" });
-		},
-		async invalidate(subject) {
-			for await (const [key] of Storage.scan(storage, ["oauth:refresh", subject])) await Storage.remove(storage, key);
-		},
-		storage
-	};
-	const app = new Router({ basePath: input.basePath });
-	for (const [name, value] of Object.entries(input.providers)) {
-		const route = new Router();
-		route.use(async (c, next) => {
-			c.set("provider", name);
-			return await next();
-		});
-		value.init(route, {
-			name,
-			...auth
-		});
-		app.mount(`/${name}`, route);
-	}
-	app.get("/.well-known/jwks.json", {
-		middleware: [cors({
-			origin: "*",
-			allowHeaders: ["*"],
-			allowMethods: ["GET"],
-			credentials: false
-		})],
-		handler: async (c) => {
-			const jwksDocument = { keys: (await allSigning()).map((keyInfo) => ({
-				...keyInfo.jwk,
-				alg: keyInfo.alg,
-				exp: keyInfo.expired ? Math.floor(keyInfo.expired.getTime() / 1e3) : void 0
-			})) };
-			return c.json(jwksDocument);
-		}
-	});
-	app.get("/.well-known/oauth-authorization-server", {
-		middleware: [cors({
-			origin: "*",
-			allowHeaders: ["*"],
-			allowMethods: ["GET"],
-			credentials: false
-		})],
-		handler: (c) => {
-			const iss = issuer$1(c);
-			const oauth2Document = {
-				issuer: iss,
-				authorization_endpoint: `${iss}/authorize`,
-				token_endpoint: `${iss}/token`,
-				jwks_uri: `${iss}/.well-known/jwks.json`,
-				response_types_supported: ["code", "token"]
-			};
-			return c.json(oauth2Document);
-		}
-	});
-	app.post("/token", {
-		middleware: [cors({
-			origin: "*",
-			allowHeaders: ["*"],
-			allowMethods: ["POST"],
-			credentials: false
-		})],
-		handler: async (c) => {
-			const form = await c.formData();
-			const grantType = form.get("grant_type");
-			if (grantType === "authorization_code") {
-				const code = form.get("code");
-				if (!code) {
-					const error$1 = new OauthError("invalid_request", "Missing code");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				const key = ["oauth:code", code.toString()];
-				const { isValid, payload } = await normalizeTimingAsync(async () => {
-					const data = await Storage.get(storage, key);
-					const redirectUri = form.get("redirect_uri");
-					const clientId = form.get("client_id");
-					const valid = !!(data && data.redirectURI === redirectUri && data.clientID === clientId);
-					return {
-						isValid: valid,
-						payload: valid ? data : void 0
-					};
-				});
-				if (!isValid || !payload) {
-					const error$1 = new OauthError("invalid_grant", "Authorization code has been used or expired");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				if (payload.pkce) {
-					const codeVerifier = form.get("code_verifier")?.toString();
-					if (!codeVerifier) {
-						const error$1 = new OauthError("invalid_grant", "Missing code_verifier");
-						return c.json(error$1.toJSON(), { status: 400 });
-					}
-					if (!await validatePKCE(codeVerifier, payload.pkce.challenge, payload.pkce.method)) {
-						const error$1 = new OauthError("invalid_grant", "Code verifier does not match");
-						return c.json(error$1.toJSON(), { status: 400 });
-					}
-				}
-				const tokens = await generateTokens(c, payload);
-				await Storage.remove(storage, key);
-				const response = {
-					access_token: tokens.access,
-					token_type: "Bearer",
-					expires_in: tokens.expiresIn,
-					refresh_token: tokens.refresh
-				};
-				return c.json(response);
-			}
-			if (grantType === "refresh_token") {
-				const refreshToken = form.get("refresh_token");
-				if (!refreshToken) {
-					const error$1 = new OauthError("invalid_request", "Missing refresh_token");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				const refreshTokenStr = refreshToken.toString();
-				if (await Revocation.isRevoked(storage, refreshTokenStr)) {
-					const error$1 = new OauthError("invalid_grant", "Refresh token has been revoked");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				const splits = refreshTokenStr.split(":");
-				const token = splits.pop();
-				if (!token) throw new Error("Invalid refresh token format");
-				const subject = splits.join(":");
-				const key = [
-					"oauth:refresh",
-					subject,
-					token
-				];
-				const payload = await Storage.get(storage, key);
-				if (!payload) {
-					const error$1 = new OauthError("invalid_grant", "Refresh token has been used or expired");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				if (input.refresh) try {
-					const refreshResult = await input.refresh({
-						type: payload.type,
-						properties: payload.properties,
-						subject: payload.subject,
-						clientID: payload.clientID,
-						scopes: payload.scopes
-					}, c.request);
-					if (!refreshResult) {
-						await auth.invalidate(subject);
-						return c.json({
-							error: "invalid_grant",
-							error_description: "Refresh token is no longer valid"
-						}, { status: 400 });
-					}
-					payload.type = refreshResult.type;
-					payload.properties = refreshResult.properties;
-					if (refreshResult.subject) payload.subject = refreshResult.subject;
-					if (refreshResult.scopes) payload.scopes = refreshResult.scopes;
-				} catch {
-					return c.json({
-						error: "server_error",
-						error_description: "Internal server error during token refresh"
-					}, { status: 500 });
-				}
-				const generateRefreshToken = !payload.timeUsed;
-				if (ttlRefreshReuse <= 0) await Storage.remove(storage, key);
-				else if (!payload.timeUsed) {
-					payload.timeUsed = Date.now();
-					await Storage.set(storage, key, payload, ttlRefreshReuse + ttlRefreshRetention);
-				} else if (Date.now() > payload.timeUsed + ttlRefreshReuse * 1e3) {
-					await auth.invalidate(subject);
-					return c.json({
-						error: "invalid_grant",
-						error_description: "Refresh token has been used or expired"
-					}, { status: 400 });
-				}
-				const tokens = await generateTokens(c, {
-					type: payload.type,
-					properties: payload.properties,
-					subject: payload.subject,
-					clientID: payload.clientID,
-					ttl: {
-						access: ttlAccess,
-						refresh: ttlRefresh
-					}
-				}, { generateRefreshToken });
-				const response = {
-					access_token: tokens.access,
-					token_type: "Bearer",
-					refresh_token: tokens.refresh,
-					expires_in: tokens.expiresIn
-				};
-				return c.json(response);
-			}
-			return c.json({
-				error: "unsupported_grant_type",
-				error_description: "The authorization grant type is not supported by the authorization server"
-			}, { status: 400 });
-		}
-	});
-	app.post("/revoke", {
-		middleware: [cors({
-			origin: "*",
-			allowHeaders: ["Content-Type"],
-			allowMethods: ["POST"],
-			credentials: false
-		})],
-		handler: async (c) => {
-			const form = await c.formData();
-			const token = form.get("token")?.toString();
-			const tokenTypeHint = form.get("token_type_hint")?.toString();
-			if (!token) {
-				const error$1 = new OauthError("invalid_request", "Missing token parameter");
-				return c.json(error$1.toJSON(), { status: 400 });
-			}
-			try {
-				if (tokenTypeHint === "refresh_token") {
-					const splits$1 = token.split(":");
-					const tokenPart$1 = splits$1.pop();
-					if (tokenPart$1 && splits$1.length > 0) {
-						const key = [
-							"oauth:refresh",
-							splits$1.join(":"),
-							tokenPart$1
-						];
-						if (await Storage.get(storage, key)) {
-							await Storage.remove(storage, key);
-							const expiresAt$1 = Date.now() + ttlRefreshRetention * 1e3;
-							await Revocation.revoke(storage, token, expiresAt$1);
-							return c.json({});
-						}
-					}
-				} else if (tokenTypeHint === "access_token") {
-					const expiresAt$1 = Date.now() + ttlAccess * 1e3;
-					await Revocation.revoke(storage, token, expiresAt$1);
-					return c.json({});
-				}
-				const splits = token.split(":");
-				const tokenPart = splits.pop();
-				if (tokenPart && splits.length > 0) {
-					const key = [
-						"oauth:refresh",
-						splits.join(":"),
-						tokenPart
-					];
-					if (await Storage.get(storage, key)) {
-						await Storage.remove(storage, key);
-						const expiresAt$1 = Date.now() + ttlRefreshRetention * 1e3;
-						await Revocation.revoke(storage, token, expiresAt$1);
-						return c.json({});
-					}
-				}
-				const expiresAt = Date.now() + ttlAccess * 1e3;
-				await Revocation.revoke(storage, token, expiresAt);
-				return c.json({});
-			} catch (_err) {
-				return c.json({
-					error: "server_error",
-					error_description: "Token revocation failed"
-				}, { status: 500 });
-			}
-		}
-	});
-	app.get("/authorize", async (c) => {
-		const provider = c.query("provider");
-		const response_type = c.query("response_type");
-		const redirect_uri = c.query("redirect_uri");
-		const state = c.query("state");
-		const client_id = c.query("client_id");
-		const audience = c.query("audience");
-		const code_challenge = c.query("code_challenge");
-		const code_challenge_method = c.query("code_challenge_method");
-		const scope = c.query("scope");
-		const authorization = {
-			response_type,
-			redirect_uri,
-			state,
-			client_id,
-			audience,
-			scope,
-			scopes: scope ? scope.split(" ").filter(Boolean) : void 0,
-			...code_challenge && code_challenge_method && { pkce: {
-				challenge: code_challenge,
-				method: code_challenge_method
-			} }
-		};
-		c.set("authorization", authorization);
-		if (!redirect_uri) return c.text("Missing redirect_uri", { status: 400 });
-		try {
-			const uri = new URL(redirect_uri);
-			if (!uri.protocol || !uri.host) return c.text("Invalid redirect_uri format", { status: 400 });
-		} catch {
-			return c.text("Invalid redirect_uri format", { status: 400 });
-		}
-		if (!response_type) throw new MissingParameterError("response_type");
-		if (!client_id) throw new MissingParameterError("client_id");
-		if (input.start) await input.start(c.request);
-		if (!await allow()({
-			clientID: client_id,
-			redirectURI: redirect_uri,
-			audience
-		}, c.request)) throw new UnauthorizedClientError(client_id, redirect_uri);
-		await auth.set(c, "authorization", 900, authorization);
-		if (provider) return c.redirect(`${provider}/authorize`);
-		const availableProviders = Object.keys(input.providers);
-		if (availableProviders.length === 1) return c.redirect(`${availableProviders[0]}/authorize`);
-		return auth.forward(c, await select()(Object.fromEntries(Object.entries(input.providers).map(([key, value]) => [key, value.type])), c.request));
-	});
-	app.onError(async (err, c) => {
-		if (err instanceof UnknownStateError) return auth.forward(c, await error(err, c.request));
-		try {
-			const authorization = await getAuthorization(c);
-			if (!authorization.redirect_uri) throw new Error("redirect_uri is required");
-			const url = new URL(authorization.redirect_uri);
-			const oauth = err instanceof OauthError ? err : new OauthError("server_error", err.message);
-			url.searchParams.set("error", oauth.error);
-			url.searchParams.set("error_description", oauth.description);
-			if (authorization.state) url.searchParams.set("state", authorization.state);
-			return c.redirect(url.toString());
-		} catch {
-			return c.json({
-				error: "server_error",
-				error_description: err.message
-			}, { status: 500 });
-		}
-	});
-	return app;
-};
-//#endregion
-export { issuer };