@mastra/auth-auth0 1.0.1-alpha.0 → 1.1.0

package/dist/index.js

@@ -1,162 +1,133 @@
+import { MastraAuthProvider } from '@mastra/core/server';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 
-// ../../packages/core/dist/chunk-X2WMFSPB.js
-var RegisteredLogger = {
-  LLM: "LLM"};
-var LogLevel = {
-  DEBUG: "debug",
-  INFO: "info",
-  WARN: "warn",
-  ERROR: "error"};
-var MastraLogger = class {
-  name;
-  level;
-  transports;
-  constructor(options = {}) {
-    this.name = options.name || "Mastra";
-    this.level = options.level || LogLevel.ERROR;
-    this.transports = new Map(Object.entries(options.transports || {}));
-  }
-  getTransports() {
-    return this.transports;
-  }
-  trackException(_error) {
-  }
-  async listLogs(transportId, params) {
-    if (!transportId || !this.transports.has(transportId)) {
-      return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };
-    }
-    return this.transports.get(transportId).listLogs(params) ?? {
-      logs: [],
-      total: 0,
-      page: params?.page ?? 1,
-      perPage: params?.perPage ?? 100,
-      hasMore: false
-    };
-  }
-  async listLogsByRunId({
-    transportId,
-    runId,
-    fromDate,
-    toDate,
-    logLevel,
-    filters,
-    page,
-    perPage
-  }) {
-    if (!transportId || !this.transports.has(transportId) || !runId) {
-      return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };
-    }
-    return this.transports.get(transportId).listLogsByRunId({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {
-      logs: [],
-      total: 0,
-      page: page ?? 1,
-      perPage: perPage ?? 100,
-      hasMore: false
-    };
-  }
-};
-var ConsoleLogger = class extends MastraLogger {
-  constructor(options = {}) {
-    super(options);
-  }
-  debug(message, ...args) {
-    if (this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
-    }
-  }
-  info(message, ...args) {
-    if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
-    }
+// src/index.ts
+var DEFAULT_COOKIE_NAME = "auth0_session";
+var DEFAULT_COOKIE_MAX_AGE = 86400;
+var DEFAULT_SCOPES = ["openid", "profile", "email"];
+var SALT_LENGTH = 16;
+var IV_LENGTH = 12;
+async function deriveKey(password, salt, usage) {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(password), "PBKDF2", false, [
+    "deriveBits",
+    "deriveKey"
+  ]);
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: 1e5, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    [usage]
+  );
+}
+async function encryptSession(data, password) {
+  const encoder = new TextEncoder();
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+  const key = await deriveKey(password, salt, "encrypt");
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encrypted = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, encoder.encode(JSON.stringify(data)));
+  const combined = new Uint8Array(salt.length + iv.length + new Uint8Array(encrypted).length);
+  combined.set(salt);
+  combined.set(iv, salt.length);
+  combined.set(new Uint8Array(encrypted), salt.length + iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decryptSession(encrypted, password) {
+  const combined = Uint8Array.from(atob(encrypted), (c) => c.charCodeAt(0));
+  if (combined.length < SALT_LENGTH + IV_LENGTH + 1) {
+    throw new Error("Invalid encrypted session data");
   }
-  warn(message, ...args) {
-    if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.info(message, ...args);
-    }
-  }
-  error(message, ...args) {
-    if (this.level === LogLevel.ERROR || this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {
-      console.error(message, ...args);
-    }
+  const salt = combined.slice(0, SALT_LENGTH);
+  const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);
+  const data = combined.slice(SALT_LENGTH + IV_LENGTH);
+  const key = await deriveKey(password, salt, "decrypt");
+  const decrypted = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, data);
+  return JSON.parse(new TextDecoder().decode(decrypted));
+}
+var STATE_TOKEN_EXPIRY_MS = 10 * 60 * 1e3;
+function createStateToken(originalState, redirectUri, secret) {
+  const payload = {
+    s: originalState,
+    r: redirectUri,
+    e: Date.now() + STATE_TOKEN_EXPIRY_MS
+  };
+  const payloadB64 = btoa(JSON.stringify(payload));
+  const signature = hmacSign(payloadB64, secret);
+  return `${payloadB64}.${signature}`;
+}
+function verifyStateToken(stateToken, secret) {
+  const parts = stateToken.split(".");
+  if (parts.length !== 2) {
+    throw new Error("Invalid state token format");
   }
-  async listLogs(_transportId, _params) {
-    return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };
+  const [payloadB64, signature] = parts;
+  const expectedSig = hmacSign(payloadB64, secret);
+  if (!timingSafeEqual(signature, expectedSig)) {
+    throw new Error("Invalid or tampered state token");
   }
-  async listLogsByRunId(_args) {
-    return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 100, hasMore: false };
-  }
-};
-
-// ../../packages/core/dist/chunk-WCAFTXGK.js
-var MastraBase = class {
-  component = RegisteredLogger.LLM;
-  logger;
-  name;
-  #rawConfig;
-  constructor({
-    component,
-    name,
-    rawConfig
-  }) {
-    this.component = component || RegisteredLogger.LLM;
-    this.name = name;
-    this.#rawConfig = rawConfig;
-    this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });
+  let payload;
+  try {
+    payload = JSON.parse(atob(payloadB64));
+  } catch {
+    throw new Error("Invalid state token payload");
   }
-  /**
-   * Returns the raw storage configuration this primitive was created from,
-   * or undefined if it was created from code.
-   */
-  toRawConfig() {
-    return this.#rawConfig;
-  }
-  /**
-   * Sets the raw storage configuration for this primitive.
-   * @internal
-   */
-  __setRawConfig(rawConfig) {
-    this.#rawConfig = rawConfig;
+  if (payload.e < Date.now()) {
+    throw new Error("State token has expired");
   }
-  /**
-   * Set the logger for the agent
-   * @param logger
-   */
-  __setLogger(logger) {
-    this.logger = logger;
-    if (this.component !== RegisteredLogger.LLM) {
-      this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);
-    }
+  return {
+    originalState: payload.s,
+    redirectUri: payload.r
+  };
+}
+function hmacSign(data, secret) {
+  const encoder = new TextEncoder();
+  const keyBytes = encoder.encode(secret);
+  const dataBytes = encoder.encode(data);
+  const combined = new Uint8Array(keyBytes.length + dataBytes.length + keyBytes.length);
+  combined.set(keyBytes);
+  combined.set(dataBytes, keyBytes.length);
+  combined.set(keyBytes, keyBytes.length + dataBytes.length);
+  let h1 = 2166136261;
+  let h2 = 16777619;
+  for (let i = 0; i < combined.length; i++) {
+    h1 ^= combined[i];
+    h1 = Math.imul(h1, 16777619);
+    h2 ^= combined[i];
+    h2 = Math.imul(h2, 2246822507);
   }
-};
-
-// ../../packages/core/dist/server/index.js
-var MastraAuthProvider = class extends MastraBase {
-  protected;
-  public;
-  constructor(options) {
-    super({ component: "AUTH", name: options?.name });
-    if (options?.authorizeUser) {
-      this.authorizeUser = options.authorizeUser.bind(this);
-    }
-    this.protected = options?.protected;
-    this.public = options?.public;
+  const sigBytes = new Uint8Array(8);
+  const view = new DataView(sigBytes.buffer);
+  view.setUint32(0, h1 >>> 0);
+  view.setUint32(4, h2 >>> 0);
+  return btoa(String.fromCharCode(...sigBytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
   }
-  registerOptions(opts) {
-    if (opts?.authorizeUser) {
-      this.authorizeUser = opts.authorizeUser.bind(this);
-    }
-    if (opts?.protected) {
-      this.protected = opts.protected;
-    }
-    if (opts?.public) {
-      this.public = opts.public;
-    }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
   }
-};
+  return result === 0;
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 var MastraAuthAuth0 = class extends MastraAuthProvider {
   domain;
   audience;
+  // SSO fields
+  clientId;
+  clientSecret;
+  _redirectUri;
+  scopes;
+  cookieName;
+  cookieMaxAge;
+  cookiePassword;
+  secureCookies;
+  ssoEnabled;
   constructor(options) {
     super({ name: options?.name ?? "auth0" });
     const domain = options?.domain ?? process.env.AUTH0_DOMAIN;
@@ -168,9 +139,43 @@ var MastraAuthAuth0 = class extends MastraAuthProvider {
     }
     this.domain = domain;
     this.audience = audience;
+    const clientId = options?.clientId ?? process.env.AUTH0_CLIENT_ID;
+    const clientSecret = options?.clientSecret ?? process.env.AUTH0_CLIENT_SECRET;
+    const redirectUri = options?.redirectUri ?? process.env.AUTH0_REDIRECT_URI;
+    const cookiePassword = options?.session?.cookiePassword ?? process.env.AUTH0_COOKIE_PASSWORD ?? crypto.randomUUID() + crypto.randomUUID();
+    this.clientId = clientId ?? null;
+    this.clientSecret = clientSecret ?? null;
+    this._redirectUri = redirectUri ?? null;
+    this.scopes = options?.scopes ?? DEFAULT_SCOPES;
+    this.cookieName = options?.session?.cookieName ?? DEFAULT_COOKIE_NAME;
+    this.cookieMaxAge = options?.session?.cookieMaxAge ?? DEFAULT_COOKIE_MAX_AGE;
+    this.cookiePassword = cookiePassword;
+    this.secureCookies = options?.session?.secureCookies ?? process.env.NODE_ENV === "production";
+    this.ssoEnabled = !!(clientId && clientSecret);
+    if (this.ssoEnabled) {
+      if (cookiePassword.length < 32) {
+        throw new Error(
+          "Cookie password must be at least 32 characters for SSO. Set AUTH0_COOKIE_PASSWORD environment variable."
+        );
+      }
+      if (!options?.session?.cookiePassword && !process.env.AUTH0_COOKIE_PASSWORD) {
+        console.warn(
+          "[MastraAuthAuth0] No cookie password set \u2014 using auto-generated value. Sessions will not survive restarts. Set AUTH0_COOKIE_PASSWORD for production use."
+        );
+      }
+      this._attachSSOProvider();
+      this._attachSessionProvider();
+    }
     this.registerOptions(options);
   }
-  async authenticateToken(token) {
+  // ============================================================================
+  // MastraAuthProvider Implementation
+  // ============================================================================
+  async authenticateToken(token, request) {
+    if (this.ssoEnabled && request) {
+      const sessionUser = await this.getUserFromSessionCookie(request);
+      if (sessionUser) return sessionUser;
+    }
     if (!token || typeof token !== "string") {
       return null;
     }
@@ -187,12 +192,249 @@ var MastraAuthAuth0 = class extends MastraAuthProvider {
     }
   }
   async authorizeUser(user) {
-    if (!user || !user.sub) return false;
+    if (!user || !(user.sub || user.id)) return false;
     if (user.exp && user.exp * 1e3 < Date.now()) {
       return false;
     }
     return true;
   }
+  // ============================================================================
+  // IUserProvider Implementation
+  // ============================================================================
+  /**
+   * Extract the bearer token from the request's Authorization header.
+   */
+  extractToken(request) {
+    const authHeader = request.headers.get("Authorization");
+    if (authHeader) {
+      const token = authHeader.replace(/^Bearer\s+/i, "").trim();
+      if (token) return token;
+    }
+    return null;
+  }
+  async getCurrentUser(request) {
+    if (this.ssoEnabled) {
+      const sessionUser = await this.getUserFromSessionCookie(request);
+      if (sessionUser) return sessionUser;
+    }
+    const token = this.extractToken(request);
+    if (!token) return null;
+    try {
+      const payload = await this.authenticateToken(token);
+      if (!payload?.sub) return null;
+      return {
+        id: payload.sub,
+        email: payload.email ?? void 0,
+        name: payload.name ?? void 0,
+        avatarUrl: payload.picture ?? void 0
+      };
+    } catch {
+      return null;
+    }
+  }
+  async getUser(userId) {
+    return {
+      id: userId
+    };
+  }
+  getUserProfileUrl(user) {
+    return `/user/${user.id}`;
+  }
+  // ============================================================================
+  // Helper Methods
+  // ============================================================================
+  /**
+   * Check if SSO is enabled (OAuth credentials are configured).
+   */
+  isSSOEnabled() {
+    return this.ssoEnabled;
+  }
+  /**
+   * Build consistent cookie attribute string for set/clear operations.
+   */
+  cookieFlags(maxAge) {
+    const flags = `Path=/; HttpOnly; SameSite=Lax; Max-Age=${maxAge}`;
+    return this.secureCookies ? `${flags}; Secure` : flags;
+  }
+  /**
+   * Extract user from the encrypted SSO session cookie.
+   */
+  async getUserFromSessionCookie(request) {
+    const cookie = "header" in request && typeof request.header === "function" ? request.header("cookie") : request.headers?.get("cookie");
+    if (!cookie) return null;
+    const match = cookie.match(new RegExp(`(?:^|;\\s*)${escapeRegex(this.cookieName)}=([^;]+)`));
+    if (!match?.[1]) return null;
+    try {
+      const sessionData = await decryptSession(decodeURIComponent(match[1]), this.cookiePassword);
+      if (sessionData.expiresAt < Date.now()) {
+        return null;
+      }
+      return sessionData.user;
+    } catch {
+      return null;
+    }
+  }
+  // ============================================================================
+  // Dynamic ISSOProvider attachment (only when OAuth is configured)
+  // ============================================================================
+  /**
+   * Dynamically attach ISSOProvider methods to this instance.
+   * This ensures duck-typing detection only finds these methods when SSO is configured.
+   */
+  _attachSSOProvider() {
+    const self = this;
+    this.getLoginUrl = function(redirectUri, state) {
+      const actualRedirectUri = redirectUri ?? self._redirectUri;
+      if (!actualRedirectUri) {
+        throw new Error("Redirect URI is required for SSO. Set AUTH0_REDIRECT_URI or pass redirectUri option.");
+      }
+      const signedState = createStateToken(state, actualRedirectUri, self.cookiePassword);
+      const params = new URLSearchParams({
+        client_id: self.clientId,
+        response_type: "code",
+        scope: self.scopes.join(" "),
+        redirect_uri: actualRedirectUri,
+        state: signedState
+      });
+      return `https://${self.domain}/authorize?${params.toString()}`;
+    };
+    this.handleCallback = async function(code, signedState) {
+      const { redirectUri } = verifyStateToken(signedState, self.cookiePassword);
+      const tokenResponse = await fetch(`https://${self.domain}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          grant_type: "authorization_code",
+          client_id: self.clientId,
+          client_secret: self.clientSecret,
+          code,
+          redirect_uri: redirectUri
+        }),
+        signal: AbortSignal.timeout(1e4)
+        // 10 second timeout
+      });
+      if (!tokenResponse.ok) {
+        const error = await tokenResponse.text();
+        throw new Error(`Token exchange failed: ${error}`);
+      }
+      const tokens = await tokenResponse.json();
+      let user;
+      if (tokens.id_token) {
+        try {
+          const JWKS = createRemoteJWKSet(new URL(`https://${self.domain}/.well-known/jwks.json`));
+          const { payload } = await jwtVerify(tokens.id_token, JWKS, {
+            issuer: `https://${self.domain}/`,
+            audience: self.clientId
+            // Validate token was issued for this client
+          });
+          user = {
+            id: payload.sub,
+            email: payload.email ?? void 0,
+            name: payload.name ?? void 0,
+            avatarUrl: payload.picture ?? void 0
+          };
+        } catch {
+          user = await self._fetchUserInfo(tokens.access_token);
+        }
+      } else {
+        user = await self._fetchUserInfo(tokens.access_token);
+      }
+      const sessionData = {
+        user,
+        expiresAt: Date.now() + self.cookieMaxAge * 1e3
+      };
+      const encryptedSession = await encryptSession(sessionData, self.cookiePassword);
+      const cookieValue = `${self.cookieName}=${encodeURIComponent(encryptedSession)}; ${self.cookieFlags(self.cookieMaxAge)}`;
+      return {
+        user,
+        tokens: {
+          accessToken: tokens.access_token,
+          refreshToken: tokens.refresh_token,
+          idToken: tokens.id_token,
+          expiresAt: new Date(Date.now() + tokens.expires_in * 1e3)
+        },
+        cookies: [cookieValue]
+      };
+    };
+    this.getLoginButtonConfig = function() {
+      return {
+        provider: "auth0",
+        text: "Sign in with Auth0",
+        description: "Sign in using your Auth0 account"
+      };
+    };
+    this.getLoginCookies = function(_state) {
+      return [];
+    };
+    this.getLogoutUrl = async function(redirectUri, _request) {
+      const params = new URLSearchParams({
+        client_id: self.clientId,
+        returnTo: redirectUri
+      });
+      return `https://${self.domain}/v2/logout?${params.toString()}`;
+    };
+  }
+  /**
+   * Fetch user info from Auth0's /userinfo endpoint.
+   */
+  async _fetchUserInfo(accessToken) {
+    const userInfoResponse = await fetch(`https://${this.domain}/userinfo`, {
+      headers: { Authorization: `Bearer ${accessToken}` },
+      signal: AbortSignal.timeout(1e4)
+      // 10 second timeout
+    });
+    if (!userInfoResponse.ok) {
+      throw new Error("Failed to fetch user info from Auth0");
+    }
+    const userInfo = await userInfoResponse.json();
+    return {
+      id: userInfo.sub,
+      email: userInfo.email,
+      name: userInfo.name,
+      avatarUrl: userInfo.picture
+    };
+  }
+  // ============================================================================
+  // Dynamic ISessionProvider attachment (only when OAuth is configured)
+  // ============================================================================
+  /**
+   * Dynamically attach ISessionProvider methods to this instance.
+   */
+  _attachSessionProvider() {
+    const self = this;
+    this.createSession = async function(userId, metadata) {
+      const now = /* @__PURE__ */ new Date();
+      return {
+        id: crypto.randomUUID(),
+        userId,
+        createdAt: now,
+        expiresAt: new Date(now.getTime() + self.cookieMaxAge * 1e3),
+        metadata
+      };
+    };
+    this.validateSession = async function(_sessionId) {
+      return null;
+    };
+    this.destroySession = async function(_sessionId) {
+    };
+    this.refreshSession = async function(_sessionId) {
+      return null;
+    };
+    this.getSessionIdFromRequest = function(request) {
+      const cookie = request.headers.get("Cookie");
+      if (!cookie) return null;
+      const match = cookie.match(new RegExp(`(?:^|;\\s*)${escapeRegex(self.cookieName)}=([^;]+)`));
+      return match?.[1] ? decodeURIComponent(match[1]) : null;
+    };
+    this.getSessionHeaders = function(_session) {
+      return {};
+    };
+    this.getClearSessionHeaders = function() {
+      return {
+        "Set-Cookie": `${self.cookieName}=; ${self.cookieFlags(0)}`
+      };
+    };
+  }
 };
 
 export { MastraAuthAuth0 };