@draftlab/auth 0.15.0 → 0.16.0

package/dist/provider/magiclink.mjs

@@ -1,143 +0,0 @@
-import { generateUnbiasedDigits, timingSafeCompare } from "../random.mjs";
-
-//#region src/provider/magiclink.ts
-/**
-* Magic Link authentication provider for Draft Auth.
-* Sends clickable links that authenticate users in one click.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { MagicLinkUI } from "@draftlab/auth/ui/magiclink"
-* import { MagicLinkProvider } from "@draftlab/auth/provider/magiclink"
-*
-* export default issuer({
-*   providers: {
-*     magiclink: MagicLinkProvider(
-*       MagicLinkUI({
-*         sendLink: async (claims, magicUrl) => {
-*           await emailService.send({
-*             to: claims.email,
-*             subject: "Sign in to your account",
-*             html: `<a href="${magicUrl}">Sign In</a>`
-*           })
-*         }
-*       })
-*     )
-*   }
-* })
-* ```
-*
-* ## Custom Configuration
-*
-* ```ts
-* const customMagicLink = MagicLinkProvider({
-*   expiry: 600, // 10 minutes instead of default 15
-*
-*   request: async (req, state, form, error) => {
-*     return new Response(renderMagicLinkForm(state, form, error))
-*   },
-*
-*   sendLink: async (claims, magicUrl) => {
-*     try {
-*       if (claims.email) {
-*         await emailService.send(claims.email, {
-*           subject: "Your secure sign-in link",
-*           template: "magic-link",
-*           data: { magicUrl, userEmail: claims.email }
-*         })
-*       } else {
-*         return { type: "invalid_claim", key: "email", value: "Email is required" }
-*       }
-*     } catch {
-*       return { type: "invalid_claim", key: "delivery", value: "Failed to send magic link" }
-*     }
-*   }
-* })
-* ```
-*
-* @packageDocumentation
-*/
-/**
-* Creates a Magic Link authentication provider.
-* Implements a flexible claim-based authentication flow with magic link verification.
-*
-* @template Claims - Type of claims to collect (email, phone, username, etc.)
-* @param config - Magic Link provider configuration
-* @returns Provider instance implementing magic link authentication
-*/
-const MagicLinkProvider = (config) => {
-	/**
-	* Generates a cryptographically secure token.
-	*/
-	const generateToken = () => {
-		return generateUnbiasedDigits(32);
-	};
-	return {
-		type: "magiclink",
-		init(routes, ctx) {
-			/**
-			* Transitions between authentication states and renders the appropriate UI.
-			*/
-			const transition = async (c, nextState, formData, error) => {
-				await ctx.set(c, "provider", 3600 * 24, nextState);
-				const response = await config.request(c.request, nextState, formData, error);
-				return ctx.forward(c, response);
-			};
-			/**
-			* GET /authorize - Display initial claim collection form
-			*/
-			routes.get("/authorize", async (c) => {
-				return transition(c, { type: "start" });
-			});
-			/**
-			* POST /authorize - Handle form submissions and state transitions
-			*/
-			routes.post("/authorize", async (c) => {
-				const formData = await c.formData();
-				const action = formData.get("action")?.toString();
-				if (action === "request" || action === "resend") {
-					const token = generateToken();
-					const { action: _, ...claims } = Object.fromEntries(formData);
-					const baseUrl = new URL(c.request.url).origin;
-					const magicUrl = new URL(`/auth/${ctx.name}/verify`, baseUrl);
-					magicUrl.searchParams.set("token", token);
-					for (const [key, value] of Object.entries(claims)) if (typeof value === "string") magicUrl.searchParams.set(key, value);
-					const sendError = await config.sendLink(claims, magicUrl.toString());
-					if (sendError) return transition(c, { type: "start" }, formData, sendError);
-					return transition(c, {
-						type: "sent",
-						resend: action === "resend",
-						claims,
-						token
-					}, formData);
-				}
-				return transition(c, { type: "start" });
-			});
-			/**
-			* GET /verify - Handle magic link clicks
-			*/
-			routes.get("/verify", async (c) => {
-				const url = new URL(c.request.url);
-				const token = url.searchParams.get("token");
-				const storedState = await ctx.get(c, "provider");
-				if (!token || !storedState || storedState.type !== "sent") return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
-				if (!timingSafeCompare(storedState.token, token)) return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
-				const urlClaims = {};
-				for (const [key, value] of url.searchParams) if (key !== "token" && value) urlClaims[key] = value;
-				if (!Object.keys(storedState.claims).every((key) => {
-					const urlValue = urlClaims[key];
-					const storedValue = storedState.claims[key];
-					if (!urlValue || !storedValue) return false;
-					return timingSafeCompare(storedValue, urlValue);
-				})) return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
-				if (!await ctx.get(c, "authorization")) return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
-				await ctx.unset(c, "provider");
-				return await ctx.success(c, { claims: storedState.claims });
-			});
-		}
-	};
-};
-
-//#endregion
-export { MagicLinkProvider };

package/dist/provider/microsoft.d.mts

@@ -1,178 +0,0 @@
-import { Provider } from "./provider.mjs";
-import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.mjs";
-
-//#region src/provider/microsoft.d.ts
-
-/**
- * Configuration options for Microsoft OAuth 2.0 provider.
- * Extends the base OAuth 2.0 configuration with Microsoft-specific documentation.
- */
-interface MicrosoftConfig extends Oauth2WrappedConfig {
-  /**
-   * Microsoft Azure AD tenant ID or tenant type.
-   * Determines which types of accounts can sign in.
-   *
-   * @example
-   * ```ts
-   * {
-   *   tenant: "common"        // Personal + work/school accounts
-   *   // or
-   *   tenant: "organizations" // Work/school accounts only
-   *   // or
-   *   tenant: "consumers"     // Personal accounts only
-   *   // or
-   *   tenant: "12345678-1234-1234-1234-123456789012" // Specific tenant
-   * }
-   * ```
-   */
-  readonly tenant: string;
-  /**
-   * Microsoft OAuth 2.0 client ID from Azure App Registration.
-   * Found in your Azure portal app registration.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "12345678-1234-1234-1234-123456789012"
-   * }
-   * ```
-   */
-  readonly clientID: string;
-  /**
-   * Microsoft OAuth 2.0 client secret from Azure App Registration.
-   * Keep this secure and never expose it to client-side code.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
-   * }
-   * ```
-   */
-  readonly clientSecret: string;
-  /**
-   * Microsoft OAuth scopes to request access for.
-   * Determines what data and actions your app can access via Microsoft Graph.
-   *
-   * @example
-   * ```ts
-   * {
-   *   scopes: [
-   *     "openid",           // OpenID Connect sign-in
-   *     "profile",          // Basic profile
-   *     "email",            // Email address
-   *     "User.Read",        // Read user profile
-   *     "Mail.Read",        // Read user mail
-   *     "Calendars.Read"    // Read user calendars
-   *   ]
-   * }
-   * ```
-   */
-  readonly scopes: string[];
-  /**
-   * Additional query parameters for Microsoft OAuth authorization.
-   * Useful for Microsoft-specific options like domain hints.
-   *
-   * @example
-   * ```ts
-   * {
-   *   query: {
-   *     domain_hint: "contoso.com",    // Pre-fill domain
-   *     login_hint: "user@contoso.com", // Pre-fill username
-   *     prompt: "consent"              // Force consent screen
-   *   }
-   * }
-   * ```
-   */
-  readonly query?: Record<string, string>;
-}
-/**
- * Creates a Microsoft OAuth 2.0 authentication provider.
- * Use this when you need access tokens to call Microsoft Graph APIs on behalf of the user.
- *
- * @param config - Microsoft OAuth 2.0 configuration
- * @returns OAuth 2.0 provider configured for Microsoft
- *
- * @example
- * ```ts
- * // Basic Microsoft authentication (all account types)
- * const basicMicrosoft = MicrosoftProvider({
- *   tenant: "common",
- *   clientID: process.env.MICROSOFT_CLIENT_ID,
- *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
- * })
- *
- * // Work/school accounts only
- * const workMicrosoft = MicrosoftProvider({
- *   tenant: "organizations",
- *   clientID: process.env.MICROSOFT_CLIENT_ID,
- *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
- *   scopes: [
- *     "openid",
- *     "profile",
- *     "email",
- *     "User.Read",
- *     "Mail.Read"
- *   ]
- * })
- *
- * // Specific tenant with advanced scopes
- * const enterpriseMicrosoft = MicrosoftProvider({
- *   tenant: "12345678-1234-1234-1234-123456789012",
- *   clientID: process.env.MICROSOFT_CLIENT_ID,
- *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
- *   scopes: [
- *     "openid",
- *     "profile",
- *     "email",
- *     "User.Read",
- *     "Directory.Read.All",
- *     "Sites.Read.All"
- *   ],
- *   query: {
- *     domain_hint: "contoso.com"
- *   }
- * })
- *
- * // Using the access token to fetch data
- * export default issuer({
- *   providers: { microsoft: workMicrosoft },
- *   success: async (ctx, value) => {
- *     if (value.provider === "microsoft") {
- *       const token = value.tokenset.access
- *
- *       // Get user profile from Microsoft Graph
- *       const userRes = await fetch('https://graph.microsoft.com/v1.0/me', {
- *         headers: { Authorization: `Bearer ${token}` }
- *       })
- *       const user = await userRes.json()
- *
- *       // Get user's manager (if available)
- *       const managerRes = await fetch('https://graph.microsoft.com/v1.0/me/manager', {
- *         headers: { Authorization: `Bearer ${token}` }
- *       })
- *       const manager = await managerRes.json()
- *
- *       return ctx.subject("user", {
- *         microsoftId: user.id,
- *         displayName: user.displayName,
- *         email: user.mail || user.userPrincipalName,
- *         jobTitle: user.jobTitle,
- *         department: user.department,
- *         officeLocation: user.officeLocation,
- *         managerName: manager?.displayName
- *       })
- *     }
- *   }
- * })
- * ```
- *
- * **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
- * - Development: `http://localhost:3000/auth/microsoft/callback`
- * - Production: `https://yourapp.com/auth/microsoft/callback`
- *
- * Register this URL in your Azure Portal App Registration.
- */
-declare const MicrosoftProvider: (config: MicrosoftConfig) => Provider<Oauth2UserData>;
-//#endregion
-export { MicrosoftConfig, MicrosoftProvider };

package/dist/provider/microsoft.mjs

@@ -1,177 +0,0 @@
-import { Oauth2Provider } from "./oauth2.mjs";
-
-//#region src/provider/microsoft.ts
-/**
-* Microsoft OAuth 2.0 authentication provider for Draft Auth.
-* Supports Microsoft personal accounts, work accounts, and Azure AD.
-* Provides access tokens for calling Microsoft Graph APIs on behalf of users.
-*
-* ## Quick Setup
-*
-* ```ts
-* import { MicrosoftProvider } from "@draftlab/auth/provider/microsoft"
-*
-* export default issuer({
-*   basePath: "/auth", // Important for callback URL
-*   providers: {
-*     microsoft: MicrosoftProvider({
-*       tenant: "common", // or specific tenant ID
-*       clientID: process.env.MICROSOFT_CLIENT_ID,
-*       clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
-*       scopes: ["openid", "profile", "email", "User.Read"]
-*     })
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/microsoft/callback`
-* - Production: `https://yourapp.com/auth/microsoft/callback`
-*
-* Register this URL in your Azure Portal App Registration.
-*
-* ## Tenant Configuration
-*
-* - `common` - Both personal and work/school accounts
-* - `organizations` - Work/school accounts only
-* - `consumers` - Personal Microsoft accounts only
-* - `{tenant-id}` - Specific Azure AD tenant only
-*
-* ## Common Scopes
-*
-* - `openid` - Basic OpenID Connect sign-in
-* - `profile` - User's basic profile information
-* - `email` - User's email address
-* - `User.Read` - Read user's profile via Microsoft Graph
-* - `Mail.Read` - Read user's mail
-* - `Calendars.Read` - Read user's calendars
-* - `Files.Read` - Read user's files in OneDrive
-* - `Sites.Read.All` - Read SharePoint sites
-* - `Directory.Read.All` - Read directory data (requires admin consent)
-*
-* ## User Data Access
-*
-* ```ts
-* success: async (ctx, value) => {
-*   if (value.provider === "microsoft") {
-*     const accessToken = value.tokenset.access
-*
-*     // Fetch user profile via Microsoft Graph
-*     const userResponse = await fetch('https://graph.microsoft.com/v1.0/me', {
-*       headers: { Authorization: `Bearer ${accessToken}` }
-*     })
-*     const user = await userResponse.json()
-*
-*     // Fetch user photo (requires User.Read scope)
-*     const photoResponse = await fetch('https://graph.microsoft.com/v1.0/me/photo/$value', {
-*       headers: { Authorization: `Bearer ${accessToken}` }
-*     })
-*     const photoBlob = await photoResponse.blob()
-*
-*     // User info: user.displayName, user.mail, user.userPrincipalName
-*   }
-* }
-* ```
-*
-* @packageDocumentation
-*/
-/**
-* Creates a Microsoft OAuth 2.0 authentication provider.
-* Use this when you need access tokens to call Microsoft Graph APIs on behalf of the user.
-*
-* @param config - Microsoft OAuth 2.0 configuration
-* @returns OAuth 2.0 provider configured for Microsoft
-*
-* @example
-* ```ts
-* // Basic Microsoft authentication (all account types)
-* const basicMicrosoft = MicrosoftProvider({
-*   tenant: "common",
-*   clientID: process.env.MICROSOFT_CLIENT_ID,
-*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
-* })
-*
-* // Work/school accounts only
-* const workMicrosoft = MicrosoftProvider({
-*   tenant: "organizations",
-*   clientID: process.env.MICROSOFT_CLIENT_ID,
-*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
-*   scopes: [
-*     "openid",
-*     "profile",
-*     "email",
-*     "User.Read",
-*     "Mail.Read"
-*   ]
-* })
-*
-* // Specific tenant with advanced scopes
-* const enterpriseMicrosoft = MicrosoftProvider({
-*   tenant: "12345678-1234-1234-1234-123456789012",
-*   clientID: process.env.MICROSOFT_CLIENT_ID,
-*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
-*   scopes: [
-*     "openid",
-*     "profile",
-*     "email",
-*     "User.Read",
-*     "Directory.Read.All",
-*     "Sites.Read.All"
-*   ],
-*   query: {
-*     domain_hint: "contoso.com"
-*   }
-* })
-*
-* // Using the access token to fetch data
-* export default issuer({
-*   providers: { microsoft: workMicrosoft },
-*   success: async (ctx, value) => {
-*     if (value.provider === "microsoft") {
-*       const token = value.tokenset.access
-*
-*       // Get user profile from Microsoft Graph
-*       const userRes = await fetch('https://graph.microsoft.com/v1.0/me', {
-*         headers: { Authorization: `Bearer ${token}` }
-*       })
-*       const user = await userRes.json()
-*
-*       // Get user's manager (if available)
-*       const managerRes = await fetch('https://graph.microsoft.com/v1.0/me/manager', {
-*         headers: { Authorization: `Bearer ${token}` }
-*       })
-*       const manager = await managerRes.json()
-*
-*       return ctx.subject("user", {
-*         microsoftId: user.id,
-*         displayName: user.displayName,
-*         email: user.mail || user.userPrincipalName,
-*         jobTitle: user.jobTitle,
-*         department: user.department,
-*         officeLocation: user.officeLocation,
-*         managerName: manager?.displayName
-*       })
-*     }
-*   }
-* })
-* ```
-*
-* **Callback URL Pattern**: `{baseURL}{basePath}/{provider}/callback`
-* - Development: `http://localhost:3000/auth/microsoft/callback`
-* - Production: `https://yourapp.com/auth/microsoft/callback`
-*
-* Register this URL in your Azure Portal App Registration.
-*/
-const MicrosoftProvider = (config) => {
-	return Oauth2Provider({
-		...config,
-		type: "microsoft",
-		endpoint: {
-			authorization: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/authorize`,
-			token: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/token`
-		}
-	});
-};
-
-//#endregion
-export { MicrosoftProvider };

package/dist/provider/oauth2.d.mts

@@ -1,176 +0,0 @@
-import { Provider } from "./provider.mjs";
-
-//#region src/provider/oauth2.d.ts
-
-/**
- * Configuration options for the OAuth 2.0 provider.
- */
-interface Oauth2Config {
-  /**
-   * Provider type identifier for internal use.
-   * @internal
-   * @default "oauth2"
-   */
-  readonly type?: string;
-  /**
-   * The client ID registered with the OAuth 2.0 provider.
-   * This public identifier is used in authorization requests.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientID: "github-app-12345"
-   * }
-   * ```
-   */
-  readonly clientID: string;
-  /**
-   * The client secret for authenticating with the OAuth 2.0 provider.
-   * This private credential must be kept secure and not exposed to clients.
-   *
-   * @example
-   * ```ts
-   * {
-   *   clientSecret: process.env.OAUTH_CLIENT_SECRET
-   * }
-   * ```
-   */
-  readonly clientSecret: string;
-  /**
-   * OAuth 2.0 endpoint URLs for the authorization and token flows.
-   */
-  readonly endpoint: {
-    /**
-     * The authorization endpoint where users are redirected for authentication.
-     *
-     * @example "https://github.com/login/oauth/authorize"
-     */
-    readonly authorization: string;
-    /**
-     * The token endpoint for exchanging authorization codes for access tokens.
-     *
-     * @example "https://github.com/login/oauth/access_token"
-     */
-    readonly token: string;
-    /**
-     * Optional JWKS endpoint for verifying ID tokens.
-     * Required only if the provider returns ID tokens that need verification.
-     *
-     * @example "https://provider.com/.well-known/jwks.json"
-     */
-    readonly jwks?: string;
-  };
-  /**
-   * OAuth 2.0 scopes to request during authorization.
-   * Scopes define the level of access being requested.
-   *
-   * @example
-   * ```ts
-   * {
-   *   scopes: ["user:email", "read:user", "repo"]
-   * }
-   * ```
-   */
-  readonly scopes: string[];
-  /**
-   * Whether to use PKCE (Proof Key for Code Exchange) for enhanced security.
-   * Recommended for public clients and required by some providers.
-   *
-   * @default false
-   *
-   * @example
-   * ```ts
-   * {
-   *   pkce: true // Required for Twitter/X, recommended for mobile apps
-   * }
-   * ```
-   */
-  readonly pkce?: boolean;
-  /**
-   * Additional query parameters to include in the authorization request.
-   * Useful for provider-specific parameters or customizing the auth flow.
-   *
-   * @example
-   * ```ts
-   * {
-   *   query: {
-   *     access_type: "offline",    // Request refresh token
-   *     prompt: "consent",         // Force consent screen
-   *     hd: "mycompany.com"       // Google Workspace domain
-   *   }
-   * }
-   * ```
-   */
-  readonly query?: Record<string, string>;
-}
-/**
- * OAuth 2.0 configuration without endpoint-specific fields.
- * Used internally for provider wrapping.
- * @internal
- */
-type Oauth2WrappedConfig = Omit<Oauth2Config, "endpoint" | "name">;
-/**
- * OAuth 2.0 token response containing access tokens and metadata.
- * Provides a structured interface for token data with lazy property access.
- * @internal
- */
-interface Oauth2Token {
-  /** Access token for making authenticated API requests */
-  readonly access: string;
-  /** Refresh token for obtaining new access tokens (if provided) */
-  readonly refresh: string;
-  /** Token expiration time in seconds (if provided) */
-  readonly expiry: number;
-  /** Raw token response from the provider */
-  readonly raw: Record<string, unknown>;
-}
-/**
- * User data returned by successful OAuth 2.0 authentication.
- */
-interface Oauth2UserData {
-  /** Token set containing access token, refresh token, and metadata */
-  readonly tokenset: Oauth2Token;
-  /** Client ID used for this authentication */
-  readonly clientID: string;
-}
-/**
- * Creates an OAuth 2.0 authentication provider.
- * Implements the Authorization Code Grant flow with optional PKCE support.
- *
- * @param config - OAuth 2.0 provider configuration
- * @returns Provider instance implementing OAuth 2.0 authentication
- *
- * @example
- * ```ts
- * // GitHub provider with basic configuration
- * const githubProvider = Oauth2Provider({
- *   clientID: process.env.GITHUB_CLIENT_ID,
- *   clientSecret: process.env.GITHUB_CLIENT_SECRET,
- *   endpoint: {
- *     authorization: "https://github.com/login/oauth/authorize",
- *     token: "https://github.com/login/oauth/access_token"
- *   },
- *   scopes: ["user:email", "read:user"]
- * })
- *
- * // Provider with PKCE and custom parameters
- * const customProvider = Oauth2Provider({
- *   clientID: "my-client-id",
- *   clientSecret: "my-client-secret",
- *   endpoint: {
- *     authorization: "https://provider.com/oauth/authorize",
- *     token: "https://provider.com/oauth/token",
- *     jwks: "https://provider.com/.well-known/jwks.json"
- *   },
- *   scopes: ["read", "write"],
- *   pkce: true,
- *   query: {
- *     prompt: "consent",
- *     access_type: "offline"
- *   }
- * })
- * ```
- */
-declare const Oauth2Provider: (config: Oauth2Config) => Provider<Oauth2UserData>;
-//#endregion
-export { Oauth2Config, Oauth2Provider, Oauth2Token, Oauth2UserData, Oauth2WrappedConfig };