@holo-js/auth-social 0.1.3 → 0.1.5

package/dist/index.d.ts

@@ -36,11 +36,40 @@ interface SocialProviderRuntime {
         readonly tokens: SocialProviderTokens;
     }>;
 }
+type SocialRequestHeaders = Headers | ReadonlyArray<readonly [string, string]> | Record<string, string | readonly string[] | undefined> | {
+    readonly get?: (name: string) => string | null | undefined;
+    readonly forEach?: (callback: (value: string, key: string) => void) => void;
+    readonly entries?: () => Iterable<readonly [string, string]>;
+};
+type SocialRequestLike = {
+    readonly method?: string;
+    readonly path?: string;
+    readonly url?: string | URL;
+    readonly headers?: SocialRequestHeaders;
+    readonly request?: Request;
+    readonly req?: Request | {
+        readonly method?: string;
+        readonly url?: string;
+        readonly headers?: SocialRequestHeaders;
+    };
+    readonly node?: {
+        readonly req?: {
+            readonly method?: string;
+            readonly url?: string;
+            readonly headers?: SocialRequestHeaders;
+        };
+    };
+    readonly web?: {
+        readonly request?: Request;
+    };
+};
+type SocialRequestInput = Request | SocialRequestLike;
 interface SocialPendingStateRecord {
     readonly provider: string;
     readonly state: string;
     readonly codeVerifier: string;
     readonly guard: string;
+    readonly browserBinding?: string;
     readonly createdAt: Date;
 }
 interface SocialPendingStateStore {
@@ -72,8 +101,21 @@ interface SocialAuthBindings {
     readonly encryptionKey?: string;
 }
 interface SocialAuthFacade {
-    redirect(provider: string, request: Request): Promise<Response>;
-    callback(provider: string, request: Request): Promise<Response>;
+    redirect(provider: string, request: SocialRequestInput): Promise<Response>;
+    callback(provider: string, request: SocialRequestInput): Promise<SocialCallbackResult>;
+}
+type SocialCallbackResult = SocialCallbackSuccess | SocialCallbackFailure;
+interface SocialCallbackSuccess {
+    readonly ok: true;
+    readonly guard: string;
+    readonly authProvider: string;
+    readonly provider: string;
+    readonly user: AuthUserLike;
+}
+interface SocialCallbackFailure {
+    readonly ok: false;
+    readonly status: 400;
+    readonly message: string;
 }
 declare function getBindings(): SocialAuthBindings;
 declare function createState(): string;
@@ -89,8 +131,8 @@ declare function resolveLinkedUser(provider: string, profile: SocialProviderProf
     readonly authProvider: string;
     readonly user: AuthUserLike;
 }>;
-declare function redirect(provider: string, request: Request): Promise<Response>;
-declare function callback(provider: string, request: Request): Promise<Response>;
+declare function redirect(provider: string, input: SocialRequestInput): Promise<Response>;
+declare function callback(provider: string, input: SocialRequestInput): Promise<SocialCallbackResult>;
 declare function configureSocialAuthRuntime(bindings?: SocialAuthBindings): void;
 declare function resetSocialAuthRuntime(): void;
 declare const socialAuth: Readonly<{
@@ -108,4 +150,4 @@ declare const socialAuthInternals: {
     resolveLinkedUser: typeof resolveLinkedUser;
 };
 
-export { type SocialAuthBindings, type SocialAuthFacade, type SocialCallbackContext, type SocialIdentityRecord, type SocialIdentityStore, type SocialPendingStateRecord, type SocialPendingStateStore, type SocialProviderProfile, type SocialProviderRuntime, type SocialProviderTokens, type SocialRedirectContext, callback, configureSocialAuthRuntime, decryptTokens, redirect, resetSocialAuthRuntime, socialAuth, socialAuthInternals };
+export { type SocialAuthBindings, type SocialAuthFacade, type SocialCallbackContext, type SocialCallbackFailure, type SocialCallbackResult, type SocialCallbackSuccess, type SocialIdentityRecord, type SocialIdentityStore, type SocialPendingStateRecord, type SocialPendingStateStore, type SocialProviderProfile, type SocialProviderRuntime, type SocialProviderTokens, type SocialRedirectContext, type SocialRequestHeaders, type SocialRequestInput, type SocialRequestLike, callback, configureSocialAuthRuntime, decryptTokens, redirect, resetSocialAuthRuntime, socialAuth, socialAuthInternals };

package/dist/index.mjs

@@ -1,8 +1,116 @@
 // src/index.ts
-import { createCipheriv, createDecipheriv, createHash, randomBytes } from "crypto";
+import { createCipheriv, createDecipheriv, createHash, randomBytes, timingSafeEqual } from "crypto";
 import { authRuntimeInternals } from "@holo-js/auth";
-var socialBindings;
+var SOCIAL_BINDINGS_KEY = "__holoAuthSocialBindings__";
 var AUTH_PROVIDER_MARKER = /* @__PURE__ */ Symbol.for("holo-js.auth.provider");
+var GET_ONLY_REQUEST_HEADER_NAMES = ["authorization", "cookie", "host", "x-forwarded-host", "x-forwarded-proto"];
+function getSocialRuntimeGlobal() {
+  return globalThis;
+}
+function isPlainHeaderRecord(value) {
+  return Boolean(value) && typeof value === "object" && Object.getPrototypeOf(value) === Object.prototype;
+}
+function appendKnownHeaders(headers, input) {
+  for (const name of GET_ONLY_REQUEST_HEADER_NAMES) {
+    const value = input.get?.(name);
+    if (typeof value === "string" && value) {
+      headers.set(name, value);
+    }
+  }
+}
+function hasHeaderForEach(input) {
+  return !Array.isArray(input) && "forEach" in input && typeof input.forEach === "function";
+}
+function hasHeaderEntries(input) {
+  return !Array.isArray(input) && "entries" in input && typeof input.entries === "function";
+}
+function hasHeaderGet(input) {
+  return !Array.isArray(input) && "get" in input && typeof input.get === "function";
+}
+function normalizeRequestHeaders(input) {
+  const headers = new Headers();
+  if (!input) {
+    return headers;
+  }
+  if (input instanceof Headers || Array.isArray(input)) {
+    new Headers(input).forEach((value, name) => headers.append(name, value));
+    return headers;
+  }
+  if (hasHeaderForEach(input)) {
+    input.forEach((value, name) => headers.append(name, value));
+    return headers;
+  }
+  if (hasHeaderEntries(input)) {
+    for (const [name, value] of input.entries()) {
+      headers.append(name, value);
+    }
+    return headers;
+  }
+  if (hasHeaderGet(input)) {
+    appendKnownHeaders(headers, input);
+    return headers;
+  }
+  if (isPlainHeaderRecord(input)) {
+    for (const [name, value] of Object.entries(input)) {
+      if (typeof value === "string") {
+        headers.append(name, value);
+        continue;
+      }
+      if (Array.isArray(value)) {
+        const separator = name.toLowerCase() === "cookie" ? "; " : ",";
+        const joined = value.filter((entry) => typeof entry === "string").join(separator);
+        if (joined) {
+          headers.append(name, joined);
+        }
+      }
+    }
+  }
+  return headers;
+}
+function getRequestFromLikeInput(input) {
+  return input.request ?? input.web?.request ?? (input.req instanceof Request ? input.req : void 0);
+}
+function getRequestLikeHeaders(input) {
+  return input.headers ?? (typeof input.req === "object" && !(input.req instanceof Request) ? input.req.headers : void 0) ?? input.node?.req?.headers;
+}
+function getRequestLikeMethod(input) {
+  return input.method ?? (typeof input.req === "object" && !(input.req instanceof Request) ? input.req.method : void 0) ?? input.node?.req?.method ?? "GET";
+}
+function isProductionRuntime() {
+  return process.env.NODE_ENV === "production";
+}
+function createRelativeRequestBaseUrl(headers) {
+  const forwardedProtocol = headers.get("x-forwarded-proto");
+  const forwardedHost = headers.get("x-forwarded-host");
+  if (isProductionRuntime() && (!forwardedProtocol || !forwardedHost)) {
+    throw new Error("[@holo-js/auth-social] Relative request URLs require x-forwarded-proto and x-forwarded-host headers in production.");
+  }
+  const protocol = forwardedProtocol ?? "http";
+  const host = forwardedHost ?? headers.get("host") ?? "localhost";
+  return `${protocol}://${host}`;
+}
+function getRequestLikeUrl(input, headers) {
+  const url = (typeof input.url === "string" ? input.url : input.url?.toString()) ?? (typeof input.req === "object" && !(input.req instanceof Request) ? input.req.url : void 0) ?? input.node?.req?.url ?? input.path ?? "/";
+  try {
+    return new URL(url).toString();
+  } catch {
+    return new URL(url, createRelativeRequestBaseUrl(headers)).toString();
+  }
+}
+function normalizeSocialRequest(input) {
+  if (input instanceof Request) {
+    return input;
+  }
+  const request = getRequestFromLikeInput(input);
+  if (request) {
+    return request;
+  }
+  const headers = normalizeRequestHeaders(getRequestLikeHeaders(input));
+  return new Request(getRequestLikeUrl(input, headers), {
+    method: getRequestLikeMethod(input),
+    headers
+  });
+}
 function requireUserRecord(user, message) {
   if (user == null) {
     throw new Error(message);
@@ -37,6 +145,7 @@ function throwUnconfigured() {
   throw new Error("[@holo-js/auth-social] Social auth runtime is not configured yet.");
 }
 function getBindings() {
+  const socialBindings = getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY];
   if (!socialBindings) {
     throwUnconfigured();
   }
@@ -45,12 +154,83 @@ function getBindings() {
 function createState() {
   return randomBytes(24).toString("base64url");
 }
+function createBrowserBindingNonce() {
+  return createState();
+}
+function hashBrowserBinding(nonce) {
+  return createHash("sha256").update(nonce).digest("base64url");
+}
 function createCodeVerifier() {
   return randomBytes(32).toString("base64url");
 }
 function createCodeChallenge(verifier) {
   return createHash("sha256").update(verifier).digest("base64url");
 }
+function getStateCookieName(provider) {
+  const suffix = provider.replace(/[^a-zA-Z0-9_-]/g, "_");
+  return `holo_oauth_state_${suffix}`;
+}
+function serializeStateCookie(provider, state, nonce, request) {
+  const secure = new URL(request.url).protocol === "https:";
+  const attributes = [
+    `${getStateCookieName(provider)}=${state}.${nonce}`,
+    "Path=/",
+    "HttpOnly",
+    "SameSite=Lax",
+    "Max-Age=600"
+  ];
+  if (secure) {
+    attributes.push("Secure");
+  }
+  return attributes.join("; ");
+}
+function readCookie(request, name) {
+  const header = request.headers.get("cookie");
+  if (!header) {
+    return void 0;
+  }
+  for (const entry of header.split(";")) {
+    const separatorIndex = entry.indexOf("=");
+    if (separatorIndex < 0) {
+      continue;
+    }
+    const cookieName = entry.slice(0, separatorIndex).trim();
+    if (cookieName !== name) {
+      continue;
+    }
+    return entry.slice(separatorIndex + 1).trim();
+  }
+  return void 0;
+}
+function readStateCookie(request, provider) {
+  const value = readCookie(request, getStateCookieName(provider));
+  if (!value) {
+    return null;
+  }
+  const separatorIndex = value.indexOf(".");
+  if (separatorIndex <= 0 || separatorIndex === value.length - 1) {
+    return null;
+  }
+  return {
+    state: value.slice(0, separatorIndex),
+    nonce: value.slice(separatorIndex + 1)
+  };
+}
+function timingSafeStringEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  return leftBuffer.length === rightBuffer.length && timingSafeEqual(leftBuffer, rightBuffer);
+}
+function verifyBrowserBinding(provider, state, pending, request) {
+  if (!pending.browserBinding) {
+    return false;
+  }
+  const cookie = readStateCookie(request, provider);
+  if (!cookie || cookie.state !== state) {
+    return false;
+  }
+  return timingSafeStringEqual(hashBrowserBinding(cookie.nonce), pending.browserBinding);
+}
 function encryptTokens(value, encryptionKey) {
   if (typeof encryptionKey !== "string" || !encryptionKey.trim()) {
     throw new Error("[@holo-js/auth-social] encryptionKey is required when encryptTokens is enabled.");
@@ -113,9 +293,6 @@ function resolveGuardAndProvider(provider) {
   if (!guard) {
     throw new Error(`[@holo-js/auth-social] Guard "${guardName}" is not configured for social provider "${provider}".`);
   }
-  if (guard.driver !== "session") {
-    throw new Error(`[@holo-js/auth-social] Social sign-in requires auth guard "${guardName}" to use the session driver.`);
-  }
   const authProvider = providerConfig.mapToProvider ?? guard.provider;
   const adapter = authBindings.providers[authProvider];
   if (!adapter) {
@@ -161,19 +338,25 @@ function resolveEmailForCreation(provider, profile, options = {}) {
 }
 async function resolveLinkedUser(provider, profile, tokens) {
   const bindings = getBindings();
-  const { guard, authProvider, adapter } = resolveGuardAndProvider(provider);
   const existingIdentity = await bindings.identityStore.findByProviderUserId(provider, profile.id);
   const authBindings = authRuntimeInternals.getRuntimeBindings();
   const verificationRequired = authBindings.config.emailVerification.required === true;
   if (existingIdentity) {
+    if (!authBindings.config.guards[existingIdentity.guard]) {
+      throw new Error(`[@holo-js/auth-social] Guard "${existingIdentity.guard}" is not configured for linked social identity "${provider}:${profile.id}".`);
+    }
+    const storedAdapter = authBindings.providers[existingIdentity.authProvider];
+    if (!storedAdapter) {
+      throw new Error(`[@holo-js/auth-social] Auth provider runtime "${existingIdentity.authProvider}" is not configured for linked social identity "${provider}:${profile.id}".`);
+    }
     const linkedUser = resolveUserRecord(
-      await adapter.findById(existingIdentity.userId),
+      await storedAdapter.findById(existingIdentity.userId),
       `[@holo-js/auth-social] Linked social identity "${provider}:${profile.id}" references a missing local user.`
     );
     if (!linkedUser) {
       throw new Error(`[@holo-js/auth-social] Linked social identity "${provider}:${profile.id}" references a missing local user.`);
     }
-    const serialized2 = serializeLocalUser(adapter, linkedUser, authProvider);
+    const serialized2 = serializeLocalUser(storedAdapter, linkedUser, existingIdentity.authProvider);
     await bindings.identityStore.save({
       ...existingIdentity,
       email: profile.email,
@@ -187,8 +370,13 @@ async function resolveLinkedUser(provider, profile, tokens) {
       tokens: getConfiguredProviderConfig(provider).encryptTokens ? encryptTokens(tokens, bindings.encryptionKey) : tokens,
       updatedAt: /* @__PURE__ */ new Date()
     });
-    return { guard, authProvider, user: serialized2 };
+    return {
+      guard: existingIdentity.guard,
+      authProvider: existingIdentity.authProvider,
+      user: serialized2
+    };
   }
+  const { guard, authProvider, adapter } = resolveGuardAndProvider(provider);
   const hasVerifiedEmail = profile.emailVerified === true && typeof profile.email === "string" && profile.email.trim().length > 0;
   if (!hasVerifiedEmail && verificationRequired) {
     throw new Error(`[@holo-js/auth-social] Social sign-in with "${provider}" requires a verified email address.`);
@@ -231,11 +419,13 @@ async function resolveLinkedUser(provider, profile, tokens) {
     user: serialized
   };
 }
-async function redirect(provider, request) {
+async function redirect(provider, input) {
+  const request = normalizeSocialRequest(input);
   const providerConfig = getConfiguredProviderConfig(provider);
   const runtime = getProviderRuntime(provider);
   const { guard } = resolveGuardAndProvider(provider);
   const state = createState();
+  const browserNonce = createBrowserBindingNonce();
   const codeVerifier = createCodeVerifier();
   const codeChallenge = createCodeChallenge(codeVerifier);
   await getBindings().stateStore.create({
@@ -243,6 +433,7 @@ async function redirect(provider, request) {
     state,
     codeVerifier,
     guard,
+    browserBinding: hashBrowserBinding(browserNonce),
     createdAt: /* @__PURE__ */ new Date()
   });
   const authorizationUrl = await runtime.buildAuthorizationUrl({
@@ -253,11 +444,13 @@ async function redirect(provider, request) {
     codeChallenge,
     config: providerConfig
   });
+  const headers = new Headers({
+    location: authorizationUrl
+  });
+  headers.append("set-cookie", serializeStateCookie(provider, state, browserNonce, request));
   return new Response(null, {
     status: 302,
-    headers: {
-      location: authorizationUrl
-    }
+    headers
   });
 }
 async function readCallbackParameters(request) {
@@ -286,18 +479,30 @@ async function readCallbackParameters(request) {
     code: formCode ?? queryCode
   };
 }
-async function callback(provider, request) {
+async function callback(provider, input) {
+  const request = normalizeSocialRequest(input);
   const { state, code } = await readCallbackParameters(request);
   if (!state || !code) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: "Missing OAuth state or code."
-    }, { status: 400 });
+    };
   }
   const pending = await getBindings().stateStore.read(provider, state);
   if (!pending) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: "Invalid or expired OAuth state."
-    }, { status: 400 });
+    };
+  }
+  if (!verifyBrowserBinding(provider, state, pending, request)) {
+    return {
+      ok: false,
+      status: 400,
+      message: "Invalid or expired OAuth state."
+    };
   }
   await getBindings().stateStore.delete(provider, state);
   const runtime = getProviderRuntime(provider);
@@ -310,29 +515,19 @@ async function callback(provider, request) {
     config: providerConfig
   });
   const linked = await resolveLinkedUser(provider, exchanged.profile, exchanged.tokens);
-  const established = await authRuntimeInternals.establishSessionForUser(linked.user, {
-    guard: linked.guard,
-    provider: linked.authProvider
-  });
-  const headers = new Headers();
-  for (const cookie of established.cookies) {
-    headers.append("set-cookie", cookie);
-  }
-  return Response.json({
-    authenticated: true,
+  return {
+    ok: true,
     guard: linked.guard,
+    authProvider: linked.authProvider,
     provider,
     user: linked.user
-  }, {
-    status: 200,
-    headers
-  });
+  };
 }
 function configureSocialAuthRuntime(bindings) {
-  socialBindings = bindings;
+  getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY] = bindings;
 }
 function resetSocialAuthRuntime() {
-  socialBindings = void 0;
+  delete getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY];
 }
 var socialAuth = Object.freeze({
   redirect,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@holo-js/auth-social",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Holo-JS Framework - social auth provider contracts",
   "type": "module",
   "license": "MIT",
@@ -23,13 +23,13 @@
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/auth": "^0.1.3",
-    "@holo-js/config": "^0.1.3"
+    "@holo-js/auth": "^0.1.5",
+    "@holo-js/config": "^0.1.5"
   },
   "devDependencies": {
     "@types/node": "^22.10.2",
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
-    "vitest": "^2.1.8"
+    "vitest": "^4.1.5"
   }
 }