@logto/core-kit 2.6.0 → 2.7.0

package/lib/regex.d.ts

@@ -1,11 +1,27 @@
 export declare const emailRegEx: RegExp;
+/** Validates full email address or email domain. */
+export declare const emailOrEmailDomainRegEx: RegExp;
 export declare const phoneRegEx: RegExp;
 export declare const phoneInputRegEx: RegExp;
 export declare const usernameRegEx: RegExp;
 export declare const webRedirectUriProtocolRegEx: RegExp;
 export declare const mobileUriSchemeProtocolRegEx: RegExp;
 export declare const hexColorRegEx: RegExp;
-export declare const dateRegex: RegExp;
+export declare const dateRegEx: RegExp;
 export declare const noSpaceRegEx: RegExp;
 /** Full domain that consists of at least 3 parts, e.g. foo.bar.com or example-foo.bar.com */
 export declare const domainRegEx: RegExp;
+export declare const numberAndAlphabetRegEx: RegExp;
+/**
+ * Custom tenant ID validation rules.
+ * Used when creating tenants with custom IDs in private cloud regions.
+ */
+/** Maximum length for custom tenant ID */
+export declare const customTenantIdMaxLength = 21;
+/** Pattern for custom tenant ID: lowercase letters, numbers, and hyphens only */
+export declare const customTenantIdRegEx: RegExp;
+/**
+ * Validates a custom tenant ID format.
+ * @returns `true` if valid, `false` otherwise
+ */
+export declare const isValidCustomTenantId: (id: string) => boolean;

package/lib/regex.js

@@ -1,11 +1,29 @@
 export const emailRegEx = /^\S+@\S+\.\S+$/;
+/** Validates full email address or email domain. */
+export const emailOrEmailDomainRegEx = /^\S+@\S+\.\S+|^@\S+\.\S+$/;
 export const phoneRegEx = /^\d+$/;
 export const phoneInputRegEx = /^\+?[\d-( )]+$/;
 export const usernameRegEx = /^[A-Z_a-z]\w*$/;
 export const webRedirectUriProtocolRegEx = /^https?:$/;
 export const mobileUriSchemeProtocolRegEx = /^(?!http(s)?:)[a-z][\d+_a-z-]*(\.[\d+_a-z-]+)*:$/;
 export const hexColorRegEx = /^#[\da-f]{3}([\da-f]{3})?$/i;
-export const dateRegex = /^\d{4}(-\d{2}){2}/;
+export const dateRegEx = /^\d{4}(-\d{2}){2}/;
 export const noSpaceRegEx = /^\S+$/;
 /** Full domain that consists of at least 3 parts, e.g. foo.bar.com or example-foo.bar.com */
 export const domainRegEx = /^[\dA-Za-z](?:[\dA-Za-z-]*[\dA-Za-z])?(?:\.[\dA-Za-z](?:[\dA-Za-z-]*[\dA-Za-z])?){2,}$/;
+export const numberAndAlphabetRegEx = /^[\dA-Za-z]+$/;
+/**
+ * Custom tenant ID validation rules.
+ * Used when creating tenants with custom IDs in private cloud regions.
+ */
+/** Maximum length for custom tenant ID */
+export const customTenantIdMaxLength = 21;
+/** Pattern for custom tenant ID: lowercase letters, numbers, and hyphens only */
+export const customTenantIdRegEx = /^[\da-z-]+$/;
+/**
+ * Validates a custom tenant ID format.
+ * @returns `true` if valid, `false` otherwise
+ */
+export const isValidCustomTenantId = (id) => {
+    return id.length <= customTenantIdMaxLength && customTenantIdRegEx.test(id);
+};

package/lib/utils/url.js

@@ -1,5 +1,11 @@
 import { mobileUriSchemeProtocolRegEx, webRedirectUriProtocolRegEx } from '../regex.js';
 export const validateRedirectUrl = (url, type) => {
+    if (type === 'web' && url.includes('*')) {
+        return validateWildcardWebRedirectUrl(url);
+    }
+    if (type === 'web' && hasDotSegmentsInAbsoluteUrlPath(url)) {
+        return false;
+    }
     try {
         const { protocol } = new URL(url);
         const protocolRegEx = type === 'mobile' ? mobileUriSchemeProtocolRegEx : webRedirectUriProtocolRegEx;
@@ -9,6 +15,82 @@ export const validateRedirectUrl = (url, type) => {
         return false;
     }
 };
+const validateWildcardWebRedirectUrl = (url) => {
+    const schemeSeparatorIndex = url.indexOf('://');
+    if (schemeSeparatorIndex <= 0) {
+        return false;
+    }
+    if (hasWildcardInScheme(url, schemeSeparatorIndex)) {
+        return false;
+    }
+    if (hasWildcardInQueryOrHash(url)) {
+        return false;
+    }
+    const authority = getAuthorityFromUrl(url, schemeSeparatorIndex);
+    if (!isAuthorityAllowedForWildcardWebRedirect(authority)) {
+        return false;
+    }
+    if (hasDotSegmentsInAbsoluteUrlPath(url)) {
+        return false;
+    }
+    return isUrlProtocolAllowedAfterWildcardReplacement(url);
+};
+const hasWildcardInScheme = (url, schemeSeparatorIndex) => url.slice(0, schemeSeparatorIndex).includes('*');
+const hasWildcardInQueryOrHash = (url) => {
+    // Disallow wildcards in query/hash to keep matching deterministic and safer.
+    const queryIndex = url.indexOf('?');
+    if (queryIndex >= 0 && url.slice(queryIndex).includes('*')) {
+        return true;
+    }
+    const hashIndex = url.indexOf('#');
+    return hashIndex >= 0 && url.slice(hashIndex).includes('*');
+};
+const getAuthorityFromUrl = (url, schemeSeparatorIndex) => url.slice(schemeSeparatorIndex + 3).split(/[#/?]/)[0] ?? '';
+const hasDotSegmentsInAbsoluteUrlPath = (url) => {
+    const schemeSeparatorIndex = url.indexOf('://');
+    if (schemeSeparatorIndex <= 0) {
+        return false;
+    }
+    const authority = getAuthorityFromUrl(url, schemeSeparatorIndex);
+    const afterAuthorityIndex = schemeSeparatorIndex + 3 + authority.length;
+    const rest = url.slice(afterAuthorityIndex);
+    const path = rest.split(/[#?]/)[0] ?? '';
+    if (!path) {
+        return false;
+    }
+    const segments = path.split('/');
+    return segments.some((segment) => {
+        const normalized = segment.toLowerCase();
+        return segment === '.' || segment === '..' || normalized === '%2e' || normalized === '%2e%2e';
+    });
+};
+const isAuthorityAllowedForWildcardWebRedirect = (authority) => {
+    // Disallow credentials in authority part.
+    if (authority.includes('@')) {
+        return false;
+    }
+    if (authority.startsWith('[')) {
+        // IPv6 literals are not a typical use-case for wildcard redirect URIs; reject for simplicity.
+        return false;
+    }
+    const lastColonIndex = authority.lastIndexOf(':');
+    const hasPort = lastColonIndex > -1 && authority.indexOf(':') === lastColonIndex;
+    const hostname = hasPort ? authority.slice(0, lastColonIndex) : authority;
+    // When wildcard is used in hostname, require at least one dot to avoid overly broad patterns.
+    if (hostname.includes('*') && !hostname.includes('.')) {
+        return false;
+    }
+    return !(hasPort && authority.slice(lastColonIndex + 1).includes('*'));
+};
+const isUrlProtocolAllowedAfterWildcardReplacement = (url) => {
+    try {
+        const parsed = new URL(url.replaceAll('*', 'wildcard'));
+        return webRedirectUriProtocolRegEx.test(parsed.protocol);
+    }
+    catch {
+        return false;
+    }
+};
 export const validateUriOrigin = (url) => {
     try {
         return new URL(url).origin === url;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/core-kit",
-  "version": "2.6.0",
+  "version": "2.7.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
@@ -12,15 +12,15 @@
   "main": "./lib/index.js",
   "exports": {
     ".": {
-      "default": "./lib/index.js",
       "types": "./lib/index.d.ts",
-      "import": "./lib/index.js"
+      "import": "./lib/index.js",
+      "default": "./lib/index.js"
     },
     "./declaration": "./declaration/index.ts",
     "./scss/*": "./scss/*.scss",
     "./custom-jwt": {
-      "node": "./lib/custom-jwt/index.js",
-      "types": "./lib/custom-jwt/index.d.ts"
+      "types": "./lib/custom-jwt/index.d.ts",
+      "node": "./lib/custom-jwt/index.js"
     }
   },
   "types": "./lib/index.d.ts",
@@ -33,13 +33,13 @@
     "node": "^22.14.0"
   },
   "dependencies": {
-    "@logto/language-kit": "^1.2.0",
-    "@logto/shared": "^3.2.0",
     "@silverhand/essentials": "^2.9.1",
-    "color": "^4.2.3"
+    "color": "^4.2.3",
+    "@logto/language-kit": "^1.2.0",
+    "@logto/shared": "^3.3.1"
   },
   "optionalDependencies": {
-    "zod": "^3.24.2"
+    "zod": "3.24.3"
   },
   "devDependencies": {
     "@silverhand/eslint-config": "6.0.1",