@draftlab/auth 0.2.6 → 0.4.0

package/dist/provider/discord.d.ts

@@ -0,0 +1,140 @@
+import { Provider } from "./provider.js";
+import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.js";
+
+//#region src/provider/discord.d.ts
+
+/**
+ * Configuration options for Discord OAuth 2.0 provider.
+ * Extends the base OAuth 2.0 configuration with Discord-specific documentation.
+ */
+interface DiscordConfig extends Oauth2WrappedConfig {
+  /**
+   * Discord OAuth 2.0 client ID from Discord Developer Portal.
+   * Found in your Discord application settings.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientID: "1234567890123456789"
+   * }
+   * ```
+   */
+  readonly clientID: string;
+  /**
+   * Discord OAuth 2.0 client secret from Discord Developer Portal.
+   * Keep this secure and never expose it to client-side code.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientSecret: process.env.DISCORD_CLIENT_SECRET
+   * }
+   * ```
+   */
+  readonly clientSecret: string;
+  /**
+   * Discord OAuth scopes to request access for.
+   * Determines what data and actions your app can access.
+   *
+   * @example
+   * ```ts
+   * {
+   *   scopes: [
+   *     "identify",    // Basic user information
+   *     "email",       // Email address
+   *     "guilds",      // User's Discord servers
+   *     "connections"  // Connected accounts (Steam, etc.)
+   *   ]
+   * }
+   * ```
+   */
+  readonly scopes: string[];
+  /**
+   * Additional query parameters for Discord OAuth authorization.
+   * Useful for Discord-specific options like permissions.
+   *
+   * @example
+   * ```ts
+   * {
+   *   query: {
+   *     permissions: "8",        // Administrator permission
+   *     guild_id: "123456789",   // Pre-select specific guild
+   *     disable_guild_select: "true" // Disable guild selection
+   *   }
+   * }
+   * ```
+   */
+  readonly query?: Record<string, string>;
+}
+/**
+ * Creates a Discord OAuth 2.0 authentication provider.
+ * Use this when you need access tokens to call Discord APIs on behalf of the user.
+ *
+ * @param config - Discord OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for Discord
+ *
+ * @example
+ * ```ts
+ * // Basic Discord authentication
+ * const basicDiscord = DiscordProvider({
+ *   clientID: process.env.DISCORD_CLIENT_ID,
+ *   clientSecret: process.env.DISCORD_CLIENT_SECRET
+ * })
+ *
+ * // Discord with specific scopes
+ * const discordWithScopes = DiscordProvider({
+ *   clientID: process.env.DISCORD_CLIENT_ID,
+ *   clientSecret: process.env.DISCORD_CLIENT_SECRET,
+ *   scopes: [
+ *     "identify",
+ *     "email",
+ *     "guilds",
+ *     "connections"
+ *   ]
+ * })
+ *
+ * // Discord bot integration
+ * const discordBot = DiscordProvider({
+ *   clientID: process.env.DISCORD_CLIENT_ID,
+ *   clientSecret: process.env.DISCORD_CLIENT_SECRET,
+ *   scopes: ["bot", "guilds"],
+ *   query: {
+ *     permissions: "2048" // Send Messages permission
+ *   }
+ * })
+ *
+ * // Using the access token to fetch data
+ * export default issuer({
+ *   providers: { discord: discordWithScopes },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "discord") {
+ *       const token = value.tokenset.access
+ *
+ *       // Get user profile
+ *       const userRes = await fetch('https://discord.com/api/users/@me', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const user = await userRes.json()
+ *
+ *       // Get user guilds (if guilds scope granted)
+ *       const guildsRes = await fetch('https://discord.com/api/users/@me/guilds', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const guilds = await guildsRes.json()
+ *
+ *       return ctx.subject("user", {
+ *         discordId: user.id,
+ *         username: user.username,
+ *         discriminator: user.discriminator,
+ *         email: user.email,
+ *         avatar: user.avatar ? `https://cdn.discordapp.com/avatars/${user.id}/${user.avatar}.png` : null,
+ *         guildCount: guilds.length
+ *       })
+ *     }
+ *   }
+ * })
+ * ```
+ */
+declare const DiscordProvider: (config: DiscordConfig) => Provider<Oauth2UserData>;
+//#endregion
+export { DiscordConfig, DiscordProvider };

package/dist/provider/discord.js

@@ -0,0 +1,85 @@
+import { Oauth2Provider } from "./oauth2.js";
+
+//#region src/provider/discord.ts
+/**
+* Creates a Discord OAuth 2.0 authentication provider.
+* Use this when you need access tokens to call Discord APIs on behalf of the user.
+*
+* @param config - Discord OAuth 2.0 configuration
+* @returns OAuth 2.0 provider configured for Discord
+*
+* @example
+* ```ts
+* // Basic Discord authentication
+* const basicDiscord = DiscordProvider({
+*   clientID: process.env.DISCORD_CLIENT_ID,
+*   clientSecret: process.env.DISCORD_CLIENT_SECRET
+* })
+*
+* // Discord with specific scopes
+* const discordWithScopes = DiscordProvider({
+*   clientID: process.env.DISCORD_CLIENT_ID,
+*   clientSecret: process.env.DISCORD_CLIENT_SECRET,
+*   scopes: [
+*     "identify",
+*     "email",
+*     "guilds",
+*     "connections"
+*   ]
+* })
+*
+* // Discord bot integration
+* const discordBot = DiscordProvider({
+*   clientID: process.env.DISCORD_CLIENT_ID,
+*   clientSecret: process.env.DISCORD_CLIENT_SECRET,
+*   scopes: ["bot", "guilds"],
+*   query: {
+*     permissions: "2048" // Send Messages permission
+*   }
+* })
+*
+* // Using the access token to fetch data
+* export default issuer({
+*   providers: { discord: discordWithScopes },
+*   success: async (ctx, value) => {
+*     if (value.provider === "discord") {
+*       const token = value.tokenset.access
+*
+*       // Get user profile
+*       const userRes = await fetch('https://discord.com/api/users/@me', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const user = await userRes.json()
+*
+*       // Get user guilds (if guilds scope granted)
+*       const guildsRes = await fetch('https://discord.com/api/users/@me/guilds', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const guilds = await guildsRes.json()
+*
+*       return ctx.subject("user", {
+*         discordId: user.id,
+*         username: user.username,
+*         discriminator: user.discriminator,
+*         email: user.email,
+*         avatar: user.avatar ? `https://cdn.discordapp.com/avatars/${user.id}/${user.avatar}.png` : null,
+*         guildCount: guilds.length
+*       })
+*     }
+*   }
+* })
+* ```
+*/
+const DiscordProvider = (config) => {
+	return Oauth2Provider({
+		...config,
+		type: "discord",
+		endpoint: {
+			authorization: "https://discord.com/oauth2/authorize",
+			token: "https://discord.com/api/oauth2/token"
+		}
+	});
+};
+
+//#endregion
+export { DiscordProvider };

package/dist/provider/linkedin.d.ts

@@ -0,0 +1,126 @@
+import { Provider } from "./provider.js";
+import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.js";
+
+//#region src/provider/linkedin.d.ts
+
+/**
+ * Configuration options for LinkedIn OAuth 2.0 provider.
+ * Extends the base OAuth 2.0 configuration with LinkedIn-specific documentation.
+ */
+interface LinkedInConfig extends Oauth2WrappedConfig {
+  /**
+   * LinkedIn OAuth 2.0 client ID from LinkedIn Developer Console.
+   * Found in your LinkedIn app settings.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientID: "78abc123456789"
+   * }
+   * ```
+   */
+  readonly clientID: string;
+  /**
+   * LinkedIn OAuth 2.0 client secret from LinkedIn Developer Console.
+   * Keep this secure and never expose it to client-side code.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientSecret: process.env.LINKEDIN_CLIENT_SECRET
+   * }
+   * ```
+   */
+  readonly clientSecret: string;
+  /**
+   * LinkedIn OAuth scopes to request access for.
+   * Determines what data and actions your app can access.
+   *
+   * @example
+   * ```ts
+   * {
+   *   scopes: [
+   *     "r_liteprofile",    // Basic profile information
+   *     "r_emailaddress",   // Email address
+   *     "w_member_social",  // Share content on behalf of user
+   *     "r_organization_social" // Organization content access
+   *   ]
+   * }
+   * ```
+   */
+  readonly scopes: string[];
+  /**
+   * Additional query parameters for LinkedIn OAuth authorization.
+   * Useful for LinkedIn-specific options.
+   *
+   * @example
+   * ```ts
+   * {
+   *   query: {
+   *     state: "custom-state-value" // Custom state parameter
+   *   }
+   * }
+   * ```
+   */
+  readonly query?: Record<string, string>;
+}
+/**
+ * Creates a LinkedIn OAuth 2.0 authentication provider.
+ * Use this when you need access tokens to call LinkedIn APIs on behalf of the user.
+ *
+ * @param config - LinkedIn OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for LinkedIn
+ *
+ * @example
+ * ```ts
+ * // Basic LinkedIn authentication
+ * const basicLinkedIn = LinkedInProvider({
+ *   clientID: process.env.LINKEDIN_CLIENT_ID,
+ *   clientSecret: process.env.LINKEDIN_CLIENT_SECRET
+ * })
+ *
+ * // LinkedIn with specific scopes
+ * const linkedInWithScopes = LinkedInProvider({
+ *   clientID: process.env.LINKEDIN_CLIENT_ID,
+ *   clientSecret: process.env.LINKEDIN_CLIENT_SECRET,
+ *   scopes: [
+ *     "r_liteprofile",
+ *     "r_emailaddress",
+ *     "w_member_social"
+ *   ]
+ * })
+ *
+ * // Using the access token to fetch data
+ * export default issuer({
+ *   providers: { linkedin: linkedInWithScopes },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "linkedin") {
+ *       const token = value.tokenset.access
+ *
+ *       // Get user profile
+ *       const profileRes = await fetch('https://api.linkedin.com/v2/people/~', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const profile = await profileRes.json()
+ *
+ *       // Get user email
+ *       const emailRes = await fetch('https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const emailData = await emailRes.json()
+ *
+ *       return ctx.subject("user", {
+ *         linkedinId: profile.id,
+ *         firstName: profile.localizedFirstName,
+ *         lastName: profile.localizedLastName,
+ *         email: emailData.elements[0]['handle~'].emailAddress,
+ *         profileUrl: `https://www.linkedin.com/in/${profile.vanityName || profile.id}`
+ *       })
+ *     }
+ *   }
+ * })
+ * ```
+ */
+declare const LinkedInProvider: (config: LinkedInConfig) => Provider<Oauth2UserData>;
+//#endregion
+export { LinkedInConfig, LinkedInProvider };

package/dist/provider/linkedin.js

@@ -0,0 +1,73 @@
+import { Oauth2Provider } from "./oauth2.js";
+
+//#region src/provider/linkedin.ts
+/**
+* Creates a LinkedIn OAuth 2.0 authentication provider.
+* Use this when you need access tokens to call LinkedIn APIs on behalf of the user.
+*
+* @param config - LinkedIn OAuth 2.0 configuration
+* @returns OAuth 2.0 provider configured for LinkedIn
+*
+* @example
+* ```ts
+* // Basic LinkedIn authentication
+* const basicLinkedIn = LinkedInProvider({
+*   clientID: process.env.LINKEDIN_CLIENT_ID,
+*   clientSecret: process.env.LINKEDIN_CLIENT_SECRET
+* })
+*
+* // LinkedIn with specific scopes
+* const linkedInWithScopes = LinkedInProvider({
+*   clientID: process.env.LINKEDIN_CLIENT_ID,
+*   clientSecret: process.env.LINKEDIN_CLIENT_SECRET,
+*   scopes: [
+*     "r_liteprofile",
+*     "r_emailaddress",
+*     "w_member_social"
+*   ]
+* })
+*
+* // Using the access token to fetch data
+* export default issuer({
+*   providers: { linkedin: linkedInWithScopes },
+*   success: async (ctx, value) => {
+*     if (value.provider === "linkedin") {
+*       const token = value.tokenset.access
+*
+*       // Get user profile
+*       const profileRes = await fetch('https://api.linkedin.com/v2/people/~', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const profile = await profileRes.json()
+*
+*       // Get user email
+*       const emailRes = await fetch('https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const emailData = await emailRes.json()
+*
+*       return ctx.subject("user", {
+*         linkedinId: profile.id,
+*         firstName: profile.localizedFirstName,
+*         lastName: profile.localizedLastName,
+*         email: emailData.elements[0]['handle~'].emailAddress,
+*         profileUrl: `https://www.linkedin.com/in/${profile.vanityName || profile.id}`
+*       })
+*     }
+*   }
+* })
+* ```
+*/
+const LinkedInProvider = (config) => {
+	return Oauth2Provider({
+		...config,
+		type: "linkedin",
+		endpoint: {
+			authorization: "https://www.linkedin.com/oauth/v2/authorization",
+			token: "https://www.linkedin.com/oauth/v2/accessToken"
+		}
+	});
+};
+
+//#endregion
+export { LinkedInProvider };

package/dist/provider/magiclink.d.ts

@@ -0,0 +1,89 @@
+import { Provider } from "./provider.js";
+
+//#region src/provider/magiclink.d.ts
+
+/**
+ * Configuration options for the Magic Link authentication provider.
+ *
+ * @template Claims - Type of claims collected during authentication (email, phone, etc.)
+ */
+interface MagicLinkConfig<Claims extends Record<string, string> = Record<string, string>> {
+  /**
+   * Token expiration time in seconds.
+   * After this time, the magic link becomes invalid.
+   *
+   * @default 900 (15 minutes)
+   */
+  readonly expiry?: number;
+  /**
+   * Request handler for rendering the magic link UI.
+   * Handles both the initial claim collection and "check your email" screens.
+   *
+   * @param req - The HTTP request object
+   * @param state - Current authentication state
+   * @param form - Form data from POST requests (if any)
+   * @param error - Authentication error to display (if any)
+   * @returns Promise resolving to the authentication page response
+   */
+  request: (req: Request, state: MagicLinkState, form?: FormData, error?: MagicLinkError) => Promise<Response>;
+  /**
+   * Callback for sending magic links to users.
+   * Should handle delivery via email, SMS, or other communication channels.
+   *
+   * @param claims - User claims containing contact information
+   * @param magicUrl - The magic link URL to send
+   * @returns Promise resolving to undefined on success, or error object on failure
+   */
+  sendLink: (claims: Claims, magicUrl: string) => Promise<MagicLinkError | undefined>;
+}
+/**
+ * Authentication flow states for the magic link provider.
+ * The provider transitions between these states during authentication.
+ */
+type MagicLinkState = {
+  /** Initial state: user enters their claims (email, phone, etc.) */
+  readonly type: "start";
+} | {
+  /** Link sent state: user checks their email/phone */
+  readonly type: "sent";
+  /** Whether this is a resend request */
+  readonly resend?: boolean;
+  /** The secure token for verification */
+  readonly token: string;
+  /** User claims collected during the start phase */
+  readonly claims: Record<string, string>;
+};
+/**
+ * Possible errors during magic link authentication.
+ */
+type MagicLinkError = {
+  /** The magic link is invalid or expired */
+  readonly type: "invalid_link";
+} | {
+  /** A user claim is invalid or missing */
+  readonly type: "invalid_claim";
+  /** The claim field that failed validation */
+  readonly key: string;
+  /** The invalid value or error description */
+  readonly value: string;
+};
+/**
+ * User data returned by successful magic link authentication.
+ *
+ * @template Claims - Type of claims collected during authentication
+ */
+interface MagicLinkUserData<Claims extends Record<string, string> = Record<string, string>> {
+  /** The verified claims collected during authentication */
+  readonly claims: Claims;
+}
+/**
+ * Creates a Magic Link authentication provider.
+ * Implements a flexible claim-based authentication flow with magic link verification.
+ *
+ * @template Claims - Type of claims to collect (email, phone, username, etc.)
+ * @param config - Magic Link provider configuration
+ * @returns Provider instance implementing magic link authentication
+ */
+declare const MagicLinkProvider: <Claims extends Record<string, string> = Record<string, string>>(config: MagicLinkConfig<Claims>) => Provider<MagicLinkUserData<Claims>>;
+//#endregion
+export { MagicLinkConfig, MagicLinkError, MagicLinkProvider, MagicLinkState, MagicLinkUserData };

package/dist/provider/magiclink.js

@@ -0,0 +1,87 @@
+import { generateUnbiasedDigits, timingSafeCompare } from "../random.js";
+
+//#region src/provider/magiclink.ts
+/**
+* Creates a Magic Link authentication provider.
+* Implements a flexible claim-based authentication flow with magic link verification.
+*
+* @template Claims - Type of claims to collect (email, phone, username, etc.)
+* @param config - Magic Link provider configuration
+* @returns Provider instance implementing magic link authentication
+*/
+const MagicLinkProvider = (config) => {
+	/**
+	* Generates a cryptographically secure token.
+	*/
+	const generateToken = () => {
+		return generateUnbiasedDigits(32);
+	};
+	return {
+		type: "magiclink",
+		init(routes, ctx) {
+			/**
+			* Transitions between authentication states and renders the appropriate UI.
+			*/
+			const transition = async (c, nextState, formData, error) => {
+				await ctx.set(c, "provider", 3600 * 24, nextState);
+				const response = await config.request(c.request, nextState, formData, error);
+				return ctx.forward(c, response);
+			};
+			/**
+			* GET /authorize - Display initial claim collection form
+			*/
+			routes.get("/authorize", async (c) => {
+				return transition(c, { type: "start" });
+			});
+			/**
+			* POST /authorize - Handle form submissions and state transitions
+			*/
+			routes.post("/authorize", async (c) => {
+				const formData = await c.formData();
+				const action = formData.get("action")?.toString();
+				if (action === "request" || action === "resend") {
+					const token = generateToken();
+					const formEntries = Object.fromEntries(formData);
+					const { action: _,...claims } = formEntries;
+					const baseUrl = new URL(c.request.url).origin;
+					const magicUrl = new URL(`/auth/${ctx.name}/verify`, baseUrl);
+					magicUrl.searchParams.set("token", token);
+					for (const [key, value] of Object.entries(claims)) if (typeof value === "string") magicUrl.searchParams.set(key, value);
+					const sendError = await config.sendLink(claims, magicUrl.toString());
+					if (sendError) return transition(c, { type: "start" }, formData, sendError);
+					return transition(c, {
+						type: "sent",
+						resend: action === "resend",
+						claims,
+						token
+					}, formData);
+				}
+				return transition(c, { type: "start" });
+			});
+			/**
+			* GET /verify - Handle magic link clicks
+			*/
+			routes.get("/verify", async (c) => {
+				const url = new URL(c.request.url);
+				const token = url.searchParams.get("token");
+				const storedState = await ctx.get(c, "provider");
+				if (!token || !storedState || storedState.type !== "sent") return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
+				if (!timingSafeCompare(storedState.token, token)) return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
+				const urlClaims = {};
+				for (const [key, value] of url.searchParams) if (key !== "token" && value) urlClaims[key] = value;
+				const claimsMatch = Object.keys(storedState.claims).every((key) => {
+					const urlValue = urlClaims[key];
+					const storedValue = storedState.claims[key];
+					if (!urlValue || !storedValue) return false;
+					return timingSafeCompare(storedValue, urlValue);
+				});
+				if (!claimsMatch) return transition(c, { type: "start" }, void 0, { type: "invalid_link" });
+				await ctx.unset(c, "provider");
+				return await ctx.success(c, { claims: storedState.claims });
+			});
+		}
+	};
+};
+
+//#endregion
+export { MagicLinkProvider };

package/dist/provider/microsoft.d.ts

@@ -0,0 +1,172 @@
+import { Provider } from "./provider.js";
+import { Oauth2UserData, Oauth2WrappedConfig } from "./oauth2.js";
+
+//#region src/provider/microsoft.d.ts
+
+/**
+ * Configuration options for Microsoft OAuth 2.0 provider.
+ * Extends the base OAuth 2.0 configuration with Microsoft-specific documentation.
+ */
+interface MicrosoftConfig extends Oauth2WrappedConfig {
+  /**
+   * Microsoft Azure AD tenant ID or tenant type.
+   * Determines which types of accounts can sign in.
+   *
+   * @example
+   * ```ts
+   * {
+   *   tenant: "common"        // Personal + work/school accounts
+   *   // or
+   *   tenant: "organizations" // Work/school accounts only
+   *   // or
+   *   tenant: "consumers"     // Personal accounts only
+   *   // or
+   *   tenant: "12345678-1234-1234-1234-123456789012" // Specific tenant
+   * }
+   * ```
+   */
+  readonly tenant: string;
+  /**
+   * Microsoft OAuth 2.0 client ID from Azure App Registration.
+   * Found in your Azure portal app registration.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientID: "12345678-1234-1234-1234-123456789012"
+   * }
+   * ```
+   */
+  readonly clientID: string;
+  /**
+   * Microsoft OAuth 2.0 client secret from Azure App Registration.
+   * Keep this secure and never expose it to client-side code.
+   *
+   * @example
+   * ```ts
+   * {
+   *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
+   * }
+   * ```
+   */
+  readonly clientSecret: string;
+  /**
+   * Microsoft OAuth scopes to request access for.
+   * Determines what data and actions your app can access via Microsoft Graph.
+   *
+   * @example
+   * ```ts
+   * {
+   *   scopes: [
+   *     "openid",           // OpenID Connect sign-in
+   *     "profile",          // Basic profile
+   *     "email",            // Email address
+   *     "User.Read",        // Read user profile
+   *     "Mail.Read",        // Read user mail
+   *     "Calendars.Read"    // Read user calendars
+   *   ]
+   * }
+   * ```
+   */
+  readonly scopes: string[];
+  /**
+   * Additional query parameters for Microsoft OAuth authorization.
+   * Useful for Microsoft-specific options like domain hints.
+   *
+   * @example
+   * ```ts
+   * {
+   *   query: {
+   *     domain_hint: "contoso.com",    // Pre-fill domain
+   *     login_hint: "user@contoso.com", // Pre-fill username
+   *     prompt: "consent"              // Force consent screen
+   *   }
+   * }
+   * ```
+   */
+  readonly query?: Record<string, string>;
+}
+/**
+ * Creates a Microsoft OAuth 2.0 authentication provider.
+ * Use this when you need access tokens to call Microsoft Graph APIs on behalf of the user.
+ *
+ * @param config - Microsoft OAuth 2.0 configuration
+ * @returns OAuth 2.0 provider configured for Microsoft
+ *
+ * @example
+ * ```ts
+ * // Basic Microsoft authentication (all account types)
+ * const basicMicrosoft = MicrosoftProvider({
+ *   tenant: "common",
+ *   clientID: process.env.MICROSOFT_CLIENT_ID,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
+ * })
+ *
+ * // Work/school accounts only
+ * const workMicrosoft = MicrosoftProvider({
+ *   tenant: "organizations",
+ *   clientID: process.env.MICROSOFT_CLIENT_ID,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+ *   scopes: [
+ *     "openid",
+ *     "profile",
+ *     "email",
+ *     "User.Read",
+ *     "Mail.Read"
+ *   ]
+ * })
+ *
+ * // Specific tenant with advanced scopes
+ * const enterpriseMicrosoft = MicrosoftProvider({
+ *   tenant: "12345678-1234-1234-1234-123456789012",
+ *   clientID: process.env.MICROSOFT_CLIENT_ID,
+ *   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+ *   scopes: [
+ *     "openid",
+ *     "profile",
+ *     "email",
+ *     "User.Read",
+ *     "Directory.Read.All",
+ *     "Sites.Read.All"
+ *   ],
+ *   query: {
+ *     domain_hint: "contoso.com"
+ *   }
+ * })
+ *
+ * // Using the access token to fetch data
+ * export default issuer({
+ *   providers: { microsoft: workMicrosoft },
+ *   success: async (ctx, value) => {
+ *     if (value.provider === "microsoft") {
+ *       const token = value.tokenset.access
+ *
+ *       // Get user profile from Microsoft Graph
+ *       const userRes = await fetch('https://graph.microsoft.com/v1.0/me', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const user = await userRes.json()
+ *
+ *       // Get user's manager (if available)
+ *       const managerRes = await fetch('https://graph.microsoft.com/v1.0/me/manager', {
+ *         headers: { Authorization: `Bearer ${token}` }
+ *       })
+ *       const manager = await managerRes.json()
+ *
+ *       return ctx.subject("user", {
+ *         microsoftId: user.id,
+ *         displayName: user.displayName,
+ *         email: user.mail || user.userPrincipalName,
+ *         jobTitle: user.jobTitle,
+ *         department: user.department,
+ *         officeLocation: user.officeLocation,
+ *         managerName: manager?.displayName
+ *       })
+ *     }
+ *   }
+ * })
+ * ```
+ */
+declare const MicrosoftProvider: (config: MicrosoftConfig) => Provider<Oauth2UserData>;
+//#endregion
+export { MicrosoftConfig, MicrosoftProvider };

package/dist/provider/microsoft.js

@@ -0,0 +1,97 @@
+import { Oauth2Provider } from "./oauth2.js";
+
+//#region src/provider/microsoft.ts
+/**
+* Creates a Microsoft OAuth 2.0 authentication provider.
+* Use this when you need access tokens to call Microsoft Graph APIs on behalf of the user.
+*
+* @param config - Microsoft OAuth 2.0 configuration
+* @returns OAuth 2.0 provider configured for Microsoft
+*
+* @example
+* ```ts
+* // Basic Microsoft authentication (all account types)
+* const basicMicrosoft = MicrosoftProvider({
+*   tenant: "common",
+*   clientID: process.env.MICROSOFT_CLIENT_ID,
+*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET
+* })
+*
+* // Work/school accounts only
+* const workMicrosoft = MicrosoftProvider({
+*   tenant: "organizations",
+*   clientID: process.env.MICROSOFT_CLIENT_ID,
+*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+*   scopes: [
+*     "openid",
+*     "profile",
+*     "email",
+*     "User.Read",
+*     "Mail.Read"
+*   ]
+* })
+*
+* // Specific tenant with advanced scopes
+* const enterpriseMicrosoft = MicrosoftProvider({
+*   tenant: "12345678-1234-1234-1234-123456789012",
+*   clientID: process.env.MICROSOFT_CLIENT_ID,
+*   clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+*   scopes: [
+*     "openid",
+*     "profile",
+*     "email",
+*     "User.Read",
+*     "Directory.Read.All",
+*     "Sites.Read.All"
+*   ],
+*   query: {
+*     domain_hint: "contoso.com"
+*   }
+* })
+*
+* // Using the access token to fetch data
+* export default issuer({
+*   providers: { microsoft: workMicrosoft },
+*   success: async (ctx, value) => {
+*     if (value.provider === "microsoft") {
+*       const token = value.tokenset.access
+*
+*       // Get user profile from Microsoft Graph
+*       const userRes = await fetch('https://graph.microsoft.com/v1.0/me', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const user = await userRes.json()
+*
+*       // Get user's manager (if available)
+*       const managerRes = await fetch('https://graph.microsoft.com/v1.0/me/manager', {
+*         headers: { Authorization: `Bearer ${token}` }
+*       })
+*       const manager = await managerRes.json()
+*
+*       return ctx.subject("user", {
+*         microsoftId: user.id,
+*         displayName: user.displayName,
+*         email: user.mail || user.userPrincipalName,
+*         jobTitle: user.jobTitle,
+*         department: user.department,
+*         officeLocation: user.officeLocation,
+*         managerName: manager?.displayName
+*       })
+*     }
+*   }
+* })
+* ```
+*/
+const MicrosoftProvider = (config) => {
+	return Oauth2Provider({
+		...config,
+		type: "microsoft",
+		endpoint: {
+			authorization: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/authorize`,
+			token: `https://login.microsoftonline.com/${config.tenant}/oauth2/v2.0/token`
+		}
+	});
+};
+
+//#endregion
+export { MicrosoftProvider };

package/dist/ui/magiclink.d.ts

@@ -0,0 +1,41 @@
+import { MagicLinkConfig } from "../provider/magiclink.js";
+
+//#region src/ui/magiclink.d.ts
+
+/**
+ * Type for customizable UI copy text
+ */
+interface MagicLinkUICopy {
+  readonly email_placeholder: string;
+  readonly email_invalid: string;
+  readonly button_continue: string;
+  readonly link_info: string;
+  readonly link_sent: string;
+  readonly link_resent: string;
+  readonly link_didnt_get: string;
+  readonly link_resend: string;
+}
+/**
+ * Input mode for the contact field
+ */
+type MagicLinkUIMode = "email" | "phone";
+/**
+ * Configuration options for the MagicLinkUI component
+ */
+interface MagicLinkUIOptions<Claims extends Record<string, string> = Record<string, string>> extends Pick<MagicLinkConfig<Claims>, "sendLink"> {
+  /**
+   * Input mode determining the type of contact information to collect
+   * @default "email"
+   */
+  readonly mode?: MagicLinkUIMode;
+  /**
+   * Custom text copy for UI labels, messages, and errors
+   */
+  readonly copy?: Partial<MagicLinkUICopy>;
+}
+/**
+ * Creates a complete UI configuration for Magic Link authentication
+ */
+declare const MagicLinkUI: <Claims extends Record<string, string> = Record<string, string>>(options: MagicLinkUIOptions<Claims>) => MagicLinkConfig<Claims>;
+//#endregion
+export { MagicLinkUI, MagicLinkUICopy, MagicLinkUIMode, MagicLinkUIOptions };

package/dist/ui/magiclink.js

@@ -0,0 +1,146 @@
+import { Layout, renderToHTML } from "./base.js";
+import { FormAlert } from "./form.js";
+import { jsx, jsxs } from "preact/jsx-runtime";
+
+//#region src/ui/magiclink.tsx
+/**
+* Default text copy for the Magic Link authentication UI
+*/
+const DEFAULT_COPY = {
+	email_placeholder: "Email",
+	email_invalid: "Email address is not valid",
+	button_continue: "Send Magic Link",
+	link_info: "We'll send a secure link to your email.",
+	link_sent: "Magic link sent to ",
+	link_resent: "Magic link resent to ",
+	link_didnt_get: "Didn't get the email?",
+	link_resend: "Resend Magic Link"
+};
+/**
+* Gets the appropriate error message for display
+*/
+const getErrorMessage = (error, copy) => {
+	if (!error?.type) return void 0;
+	switch (error.type) {
+		case "invalid_link": return "This magic link is invalid or expired";
+		case "invalid_claim": return copy.email_invalid;
+	}
+};
+/**
+* Gets the appropriate success message for display
+*/
+const getSuccessMessage = (state, copy, mode) => {
+	if (state.type === "start" || !state.claims) return void 0;
+	const contact = state.claims[mode] || "";
+	const prefix = state.resend ? copy.link_resent : copy.link_sent;
+	return {
+		message: `${prefix}${contact}`,
+		contact
+	};
+};
+/**
+* Creates a complete UI configuration for Magic Link authentication
+*/
+const MagicLinkUI = (options) => {
+	const copy = {
+		...DEFAULT_COPY,
+		...options.copy
+	};
+	const mode = options.mode || "email";
+	/**
+	* Renders the start form for collecting contact information
+	*/
+	const renderStart = (form, error, state) => {
+		const success = getSuccessMessage(state || { type: "start" }, copy, mode);
+		return /* @__PURE__ */ jsx(Layout, { children: /* @__PURE__ */ jsxs("form", {
+			"data-component": "form",
+			method: "post",
+			children: [
+				success ? /* @__PURE__ */ jsx(FormAlert, {
+					message: success.message,
+					color: "success"
+				}) : /* @__PURE__ */ jsx(FormAlert, { message: getErrorMessage(error, copy) }),
+				/* @__PURE__ */ jsx("input", {
+					"data-component": "input",
+					type: mode === "email" ? "email" : "tel",
+					name: mode,
+					placeholder: copy.email_placeholder,
+					value: form?.get(mode)?.toString() || "",
+					autoComplete: mode,
+					required: true
+				}),
+				/* @__PURE__ */ jsx("input", {
+					type: "hidden",
+					name: "action",
+					value: "request"
+				}),
+				/* @__PURE__ */ jsx("button", {
+					"data-component": "button",
+					type: "submit",
+					children: copy.button_continue
+				}),
+				/* @__PURE__ */ jsx("p", {
+					"data-component": "description",
+					children: copy.link_info
+				})
+			]
+		}) });
+	};
+	/**
+	* Renders the "check your email" page after magic link is sent
+	*/
+	const renderSent = (_form, error, state) => {
+		const success = getSuccessMessage(state, copy, mode);
+		const contact = state.type === "sent" ? state.claims?.[mode] || "" : "";
+		return /* @__PURE__ */ jsx(Layout, { children: /* @__PURE__ */ jsxs("form", {
+			"data-component": "form",
+			method: "post",
+			children: [
+				/* @__PURE__ */ jsx("h2", {
+					"data-component": "title",
+					children: "Check your email"
+				}),
+				success ? /* @__PURE__ */ jsx(FormAlert, {
+					message: success.message,
+					color: "success"
+				}) : /* @__PURE__ */ jsx(FormAlert, { message: getErrorMessage(error, copy) }),
+				/* @__PURE__ */ jsx("p", {
+					"data-component": "description",
+					children: "Click the link in your email to sign in."
+				}),
+				/* @__PURE__ */ jsx("input", {
+					name: "action",
+					type: "hidden",
+					value: "resend"
+				}),
+				/* @__PURE__ */ jsx("input", {
+					name: mode,
+					type: "hidden",
+					value: contact
+				}),
+				/* @__PURE__ */ jsx("div", {
+					"data-component": "form-footer",
+					children: /* @__PURE__ */ jsxs("span", { children: [
+						copy.link_didnt_get,
+						" ",
+						/* @__PURE__ */ jsx("button", {
+							type: "submit",
+							"data-component": "link",
+							children: copy.link_resend
+						})
+					] })
+				})
+			]
+		}) });
+	};
+	return {
+		sendLink: options.sendLink,
+		request: async (_req, state, form, error) => {
+			const html = renderToHTML(state.type === "start" ? renderStart(form, error, state) : renderSent(form, error, state));
+			return new Response(html, { headers: { "Content-Type": "text/html" } });
+		}
+	};
+};
+
+//#endregion
+export { MagicLinkUI };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@draftlab/auth",
-  "version": "0.2.6",
+  "version": "0.4.0",
   "type": "module",
   "description": "Core implementation for @draftlab/auth",
   "author": "Matheus Pergoli",