@mastra/auth-workos 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/CHANGELOG.md +76 -0
  2. package/LICENSE.md +15 -0
  3. package/dist/admin-portal.d.ts +77 -0
  4. package/dist/admin-portal.d.ts.map +1 -0
  5. package/dist/auth-provider.d.ts +137 -0
  6. package/dist/auth-provider.d.ts.map +1 -0
  7. package/dist/directory-sync.d.ts +129 -0
  8. package/dist/directory-sync.d.ts.map +1 -0
  9. package/dist/index.cjs +835 -130
  10. package/dist/index.cjs.map +1 -1
  11. package/dist/index.d.ts +42 -16
  12. package/dist/index.d.ts.map +1 -1
  13. package/dist/index.js +832 -132
  14. package/dist/index.js.map +1 -1
  15. package/dist/rbac-provider.d.ts +129 -0
  16. package/dist/rbac-provider.d.ts.map +1 -0
  17. package/dist/session-storage.d.ts +25 -0
  18. package/dist/session-storage.d.ts.map +1 -0
  19. package/dist/types.d.ts +196 -0
  20. package/dist/types.d.ts.map +1 -0
  21. package/package.json +16 -10
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../packages/core/src/logger/constants.ts","../../../packages/core/src/logger/logger.ts","../../../packages/core/src/logger/default-logger.ts","../../../packages/core/src/base.ts","../../../packages/core/src/server/auth.ts","../src/index.ts"],"names":["WorkOS","verifyJwks","org"],"mappings":";;;;;;;;AACO,IAAM,gBAAA,GAAmB;EAM9B,GAAA,EAAK,KAYP,CAAA;AAIO,IAAM,QAAA,GAAW;EACtB,KAAA,EAAO,OAAA;EACP,IAAA,EAAM,MAAA;EACN,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAET,CAAA;ACMO,IAAe,eAAf,MAAqD;AAChD,EAAA,IAAA;AACA,EAAA,KAAA;AACA,EAAA,UAAA;EAEV,WAAA,CACE,OAAA,GAII,EAAA,EACJ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,QAAQ,IAAA,IAAQ,QAAA;AAC5B,IAAA,IAAA,CAAK,KAAA,GAAQ,OAAA,CAAQ,KAAA,IAAS,QAAA,CAAS,KAAA;AACvC,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,GAAA,CAAI,MAAA,CAAO,QAAQ,OAAA,CAAQ,UAAA,IAAc,EAAE,CAAC,CAAA;AACpE,EAAA;EAOA,aAAA,GAAgB;AACd,IAAA,OAAO,IAAA,CAAK,UAAA;AACd,EAAA;AAEA,EAAA,cAAA,CAAe,MAAA,EAAqB;AAAC,EAAA;EAErC,MAAM,QAAA,CACJ,aACA,MAAA,EAQA;AACA,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,EAAG;AACrD,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,MAAA,EAAQ,IAAA,IAAQ,GAAG,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClG,IAAA;AAEA,IAAA,OACE,KAAK,UAAA,CAAW,GAAA,CAAI,WAAW,CAAA,CAAG,QAAA,CAAS,MAAM,CAAA,IAAK;AACpD,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,QAAQ,IAAA,IAAQ,CAAA;AACtB,MAAA,OAAA,EAAS,QAAQ,OAAA,IAAW,GAAA;MAC5B,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AAEA,EAAA,MAAM,eAAA,CAAgB;AACpB,IAAA,WAAA;AACA,IAAA,KAAA;AACA,IAAA,QAAA;AACA,IAAA,MAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA,IAAA;AACA,IAAA;GAAA,EAUC;AACD,IAAA,IAAI,CAAC,eAAe,CAAC,IAAA,CAAK,WAAW,GAAA,CAAI,WAAW,CAAA,IAAK,CAAC,KAAA,EAAO;AAC/D,MAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,KAAA,EAAO,CAAA,EAAG,IAAA,EAAM,IAAA,IAAQ,CAAA,EAAG,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAClF,IAAA;AAEA,IAAA,OACE,IAAA,CAAK,UAAA,CACF,GAAA,CAAI,WAAW,EACf,eAAA,CAAgB,EAAE,KAAA,EAAO,QAAA,EAAU,QAAQ,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,OAAA,EAAS,CAAA,IAAK;AACnF,MAAA,IAAA,EAAM,EAAA;MACN,KAAA,EAAO,CAAA;AACP,MAAA,IAAA,EAAM,IAAA,IAAQ,CAAA;AACd,MAAA,OAAA,EAAS,OAAA,IAAW,GAAA;MACpB,OAAA,EAAS;AAAA,KAAA;AAGf,EAAA;AACF,CAAA;AC5GO,IAAM,aAAA,GAAN,cAA4B,YAAA,CAAa;EAC9C,WAAA,CACE,OAAA,GAGI,EAAA,EACJ;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACf,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,EAAO;AACjC,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAI,KAAK,KAAA,KAAU,QAAA,CAAS,QAAQ,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,EAAO;AACjE,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,IAAA,CAAK,YAAoB,IAAA,EAAmB;AAC1C,IAAA,IAAI,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IAAQ,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,EAAO;AACjG,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,GAAG,IAAI,CAAA;AAC/B,IAAA;AACF,EAAA;AAEA,EAAA,KAAA,CAAM,YAAoB,IAAA,EAAmB;AAC3C,IAAA,IACE,IAAA,CAAK,KAAA,KAAU,QAAA,CAAS,KAAA,IACxB,KAAK,KAAA,KAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,UAAU,QAAA,CAAS,IAAA,IACxB,IAAA,CAAK,KAAA,KAAU,SAAS,KAAA,EACxB;AACA,MAAA,OAAA,CAAQ,KAAA,CAAM,OAAA,EAAS,GAAG,IAAI,CAAA;AAChC,IAAA;AACF,EAAA;EAEA,MAAM,QAAA,CACJ,cACA,OAAA,EAQA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,GAAG,OAAA,EAAS,OAAA,EAAS,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AACpG,EAAA;AAEA,EAAA,MAAM,gBAAgB,KAAA,EASnB;AACD,IAAA,OAAO,EAAE,IAAA,EAAM,EAAA,EAAI,OAAO,CAAA,EAAG,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,GAAG,OAAA,EAAS,KAAA,CAAM,OAAA,IAAW,GAAA,EAAK,SAAS,KAAA,EAAA;AAC9F,EAAA;AACF,CAAA;;;AC7EO,IAAM,aAAN,MAAiB;AACtB,EAAA,SAAA,GAA8B,gBAAA,CAAiB,GAAA;AACrC,EAAA,MAAA;AACV,EAAA,IAAA;EAEA,WAAA,CAAY,EAAE,SAAA,EAAW,IAAA,EAAA,EAAyD;AAChF,IAAA,IAAA,CAAK,SAAA,GAAY,aAAa,gBAAA,CAAiB,GAAA;AAC/C,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,aAAA,CAAc,EAAE,IAAA,EAAM,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,GAAA,EAAM,IAAA,CAAK,IAAI,CAAA,CAAA,EAAI,CAAA;AAC9E,EAAA;;;;;AAMA,EAAA,WAAA,CAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,IAAI,IAAA,CAAK,SAAA,KAAc,gBAAA,CAAiB,GAAA,EAAK;AAC3C,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,0BAAA,EAA6B,IAAA,CAAK,SAAS,CAAA,QAAA,EAAW,IAAA,CAAK,IAAI,CAAA,CAAA,CAAG,CAAA;AACtF,IAAA;AACF,EAAA;AACF,CAAA;;;ACTO,IAAe,kBAAA,GAAf,cAA2D,UAAA,CAAW;AACpE,EAAA,SAAA;AACA,EAAA,MAAA;AAEP,EAAA,WAAA,CAAY,OAAA,EAA4C;AACtD,IAAA,KAAA,CAAM,EAAE,SAAA,EAAW,MAAA,EAAQ,IAAA,EAAM,OAAA,EAAS,MAAM,CAAA;AAEhD,IAAA,IAAI,SAAS,aAAA,EAAe;AAC1B,MAAA,IAAA,CAAK,aAAA,GAAgB,OAAA,CAAQ,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACtD,IAAA;AAEA,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACzB,EAAA;AAkBU,EAAA,eAAA,CAAgB,IAAA,EAAyC;AACjE,IAAA,IAAI,MAAM,aAAA,EAAe;AACvB,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA,CAAK,aAAA,CAAc,IAAA,CAAK,IAAI,CAAA;AACnD,IAAA;AACA,IAAA,IAAI,MAAM,SAAA,EAAW;AACnB,MAAA,IAAA,CAAK,YAAY,IAAA,CAAK,SAAA;AACxB,IAAA;AACA,IAAA,IAAI,MAAM,MAAA,EAAQ;AAChB,MAAA,IAAA,CAAK,SAAS,IAAA,CAAK,MAAA;AACrB,IAAA;AACF,EAAA;AACF,CAAA;AC9CO,IAAM,gBAAA,GAAN,cAA+B,kBAAA,CAA+B;AAAA,EACzD,MAAA;AAAA,EAEV,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,UAAU,CAAA;AAEzC,IAAA,MAAM,MAAA,GAAS,OAAA,EAAS,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAElD,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,MAAA,GAAS,IAAIA,WAAA,CAAO,MAAA,EAAQ;AAAA,MAC/B;AAAA,KACD,CAAA;AAED,IAAA,IAAA,CAAK,gBAAgB,OAAO,CAAA;AAAA,EAC9B;AAAA,EAEA,MAAM,kBAAkB,KAAA,EAA2C;AACjE,IAAA,MAAM,UAAU,IAAA,CAAK,MAAA,CAAO,eAAe,UAAA,CAAW,OAAA,CAAQ,IAAI,gBAAiB,CAAA;AACnF,IAAA,MAAM,IAAA,GAAO,MAAMC,eAAA,CAAW,KAAA,EAAO,OAAO,CAAA;AAC5C,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,IAAA,EAAkB;AACpC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,MACvE,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAED,IAAA,MAAM,QAAQ,GAAA,CAAI,IAAA,CAAK,IAAI,CAAAC,IAAAA,KAAOA,KAAI,IAAI,CAAA;AAE1C,IAAA,MAAM,UAAU,KAAA,CAAM,IAAA,CAAK,CAAA,IAAA,KAAQ,IAAA,CAAK,SAAS,OAAO,CAAA;AAExD,IAAA,OAAO,OAAA;AAAA,EACT;AACF","file":"index.cjs","sourcesContent":["// Constants and Types (keeping from original implementation)\nexport const RegisteredLogger = {\n AGENT: 'AGENT',\n OBSERVABILITY: 'OBSERVABILITY',\n AUTH: 'AUTH',\n NETWORK: 'NETWORK',\n WORKFLOW: 'WORKFLOW',\n LLM: 'LLM',\n TTS: 'TTS',\n VOICE: 'VOICE',\n VECTOR: 'VECTOR',\n BUNDLER: 'BUNDLER',\n DEPLOYER: 'DEPLOYER',\n MEMORY: 'MEMORY',\n STORAGE: 'STORAGE',\n EMBEDDINGS: 'EMBEDDINGS',\n MCP_SERVER: 'MCP_SERVER',\n SERVER_CACHE: 'SERVER_CACHE',\n SERVER: 'SERVER',\n} as const;\n\nexport type RegisteredLogger = (typeof RegisteredLogger)[keyof typeof RegisteredLogger];\n\nexport const LogLevel = {\n DEBUG: 'debug',\n INFO: 'info',\n WARN: 'warn',\n ERROR: 'error',\n NONE: 'silent',\n} as const;\n\nexport type LogLevel = (typeof LogLevel)[keyof typeof LogLevel];\n","import type { MastraError } from '../error';\nimport { LogLevel } from './constants';\nimport type { BaseLogMessage, LoggerTransport } from './transport';\n\nexport interface IMastraLogger {\n debug(message: string, ...args: any[]): void;\n info(message: string, ...args: any[]): void;\n warn(message: string, ...args: any[]): void;\n error(message: string, ...args: any[]): void;\n trackException(error: MastraError): void;\n\n getTransports(): Map<string, LoggerTransport>;\n listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }): Promise<{ logs: BaseLogMessage[]; total: number; page: number; perPage: number; hasMore: boolean }>;\n}\n\nexport abstract class MastraLogger implements IMastraLogger {\n protected name: string;\n protected level: LogLevel;\n protected transports: Map<string, LoggerTransport>;\n\n constructor(\n options: {\n name?: string;\n level?: LogLevel;\n transports?: Record<string, LoggerTransport>;\n } = {},\n ) {\n this.name = options.name || 'Mastra';\n this.level = options.level || LogLevel.ERROR;\n this.transports = new Map(Object.entries(options.transports || {}));\n }\n\n abstract debug(message: string, ...args: any[]): void;\n abstract info(message: string, ...args: any[]): void;\n abstract warn(message: string, ...args: any[]): void;\n abstract error(message: string, ...args: any[]): void;\n\n getTransports() {\n return this.transports;\n }\n\n trackException(_error: MastraError) {}\n\n async listLogs(\n transportId: string,\n params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ) {\n if (!transportId || !this.transports.has(transportId)) {\n return { logs: [], total: 0, page: params?.page ?? 1, perPage: params?.perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports.get(transportId)!.listLogs(params) ?? {\n logs: [],\n total: 0,\n page: params?.page ?? 1,\n perPage: params?.perPage ?? 100,\n hasMore: false,\n }\n );\n }\n\n async listLogsByRunId({\n transportId,\n runId,\n fromDate,\n toDate,\n logLevel,\n filters,\n page,\n perPage,\n }: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }) {\n if (!transportId || !this.transports.has(transportId) || !runId) {\n return { logs: [], total: 0, page: page ?? 1, perPage: perPage ?? 100, hasMore: false };\n }\n\n return (\n this.transports\n .get(transportId)!\n .listLogsByRunId({ runId, fromDate, toDate, logLevel, filters, page, perPage }) ?? {\n logs: [],\n total: 0,\n page: page ?? 1,\n perPage: perPage ?? 100,\n hasMore: false,\n }\n );\n }\n}\n","import { LogLevel } from './constants';\nimport { MastraLogger } from './logger';\nimport type { LoggerTransport } from './transport';\n\nexport const createLogger = (options: {\n name?: string;\n level?: LogLevel;\n transports?: Record<string, LoggerTransport>;\n}) => {\n const logger = new ConsoleLogger(options);\n\n logger.warn(`createLogger is deprecated. Please use \"new ConsoleLogger()\" from \"@mastra/core/logger\" instead.`);\n\n return logger;\n};\n\nexport class ConsoleLogger extends MastraLogger {\n constructor(\n options: {\n name?: string;\n level?: LogLevel;\n } = {},\n ) {\n super(options);\n }\n\n debug(message: string, ...args: any[]): void {\n if (this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n info(message: string, ...args: any[]): void {\n if (this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n warn(message: string, ...args: any[]): void {\n if (this.level === LogLevel.WARN || this.level === LogLevel.INFO || this.level === LogLevel.DEBUG) {\n console.info(message, ...args);\n }\n }\n\n error(message: string, ...args: any[]): void {\n if (\n this.level === LogLevel.ERROR ||\n this.level === LogLevel.WARN ||\n this.level === LogLevel.INFO ||\n this.level === LogLevel.DEBUG\n ) {\n console.error(message, ...args);\n }\n }\n\n async listLogs(\n _transportId: string,\n _params?: {\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n },\n ) {\n return { logs: [], total: 0, page: _params?.page ?? 1, perPage: _params?.perPage ?? 100, hasMore: false };\n }\n\n async listLogsByRunId(_args: {\n transportId: string;\n runId: string;\n fromDate?: Date;\n toDate?: Date;\n logLevel?: LogLevel;\n filters?: Record<string, any>;\n page?: number;\n perPage?: number;\n }) {\n return { logs: [], total: 0, page: _args.page ?? 1, perPage: _args.perPage ?? 100, hasMore: false };\n }\n}\n","import type { IMastraLogger } from './logger';\nimport { RegisteredLogger } from './logger/constants';\nimport { ConsoleLogger } from './logger/default-logger';\n\nexport class MastraBase {\n component: RegisteredLogger = RegisteredLogger.LLM;\n protected logger: IMastraLogger;\n name?: string;\n\n constructor({ component, name }: { component?: RegisteredLogger; name?: string }) {\n this.component = component || RegisteredLogger.LLM;\n this.name = name;\n this.logger = new ConsoleLogger({ name: `${this.component} - ${this.name}` });\n }\n\n /**\n * Set the logger for the agent\n * @param logger\n */\n __setLogger(logger: IMastraLogger) {\n this.logger = logger;\n\n if (this.component !== RegisteredLogger.LLM) {\n this.logger.debug(`Logger updated [component=${this.component}] [name=${this.name}]`);\n }\n }\n}\n\nexport * from './types';\n","import type { HonoRequest } from 'hono';\nimport { MastraBase } from '../base';\nimport type { MastraAuthConfig } from './types';\n\nexport interface MastraAuthProviderOptions<TUser = unknown> {\n name?: string;\n authorizeUser?: (user: TUser, request: HonoRequest) => Promise<boolean> | boolean;\n /**\n * Protected paths for the auth provider\n */\n protected?: MastraAuthConfig['protected'];\n /**\n * Public paths for the auth provider\n */\n public?: MastraAuthConfig['public'];\n}\n\nexport abstract class MastraAuthProvider<TUser = unknown> extends MastraBase {\n public protected?: MastraAuthConfig['protected'];\n public public?: MastraAuthConfig['public'];\n\n constructor(options?: MastraAuthProviderOptions<TUser>) {\n super({ component: 'AUTH', name: options?.name });\n\n if (options?.authorizeUser) {\n this.authorizeUser = options.authorizeUser.bind(this);\n }\n\n this.protected = options?.protected;\n this.public = options?.public;\n }\n\n /**\n * Authenticate a token and return the payload\n * @param token - The token to authenticate\n * @param request - The request\n * @returns The payload\n */\n abstract authenticateToken(token: string, request: HonoRequest): Promise<TUser | null>;\n\n /**\n * Authorize a user for a path and method\n * @param user - The user to authorize\n * @param request - The request\n * @returns The authorization result\n */\n abstract authorizeUser(user: TUser, request: HonoRequest): Promise<boolean> | boolean;\n\n protected registerOptions(opts?: MastraAuthProviderOptions<TUser>) {\n if (opts?.authorizeUser) {\n this.authorizeUser = opts.authorizeUser.bind(this);\n }\n if (opts?.protected) {\n this.protected = opts.protected;\n }\n if (opts?.public) {\n this.public = opts.public;\n }\n }\n}\n","import { verifyJwks } from '@mastra/auth';\nimport type { JwtPayload } from '@mastra/auth';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport { WorkOS } from '@workos-inc/node';\n\ntype WorkosUser = JwtPayload;\n\ninterface MastraAuthWorkosOptions extends MastraAuthProviderOptions<WorkosUser> {\n apiKey?: string;\n clientId?: string;\n}\n\nexport class MastraAuthWorkos extends MastraAuthProvider<WorkosUser> {\n protected workos: WorkOS;\n\n constructor(options?: MastraAuthWorkosOptions) {\n super({ name: options?.name ?? 'workos' });\n\n const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required, please provide them in the options or set the environment variables WORKOS_API_KEY and WORKOS_CLIENT_ID',\n );\n }\n\n this.workos = new WorkOS(apiKey, {\n clientId,\n });\n\n this.registerOptions(options);\n }\n\n async authenticateToken(token: string): Promise<WorkosUser | null> {\n const jwksUri = this.workos.userManagement.getJwksUrl(process.env.WORKOS_CLIENT_ID!);\n const user = await verifyJwks(token, jwksUri);\n return user;\n }\n\n async authorizeUser(user: WorkosUser) {\n if (!user) {\n return false;\n }\n\n const org = await this.workos.userManagement.listOrganizationMemberships({\n userId: user.sub,\n });\n\n const roles = org.data.map(org => org.role);\n\n const isAdmin = roles.some(role => role.slug === 'admin');\n\n return isAdmin;\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/session-storage.ts","../src/types.ts","../src/auth-provider.ts","../src/rbac-provider.ts","../src/directory-sync.ts","../src/admin-portal.ts"],"names":["CookieSessionStorage","MastraAuthProvider","WorkOS","AuthService","sessionEncryption","auth","verifyJwks","LRUCache","resolvePermissionsFromMapping","matchesPermission","GeneratePortalLinkIntent"],"mappings":";;;;;;;;;;AAgBO,IAAM,iBAAA,GAAN,cAAgCA,mCAAA,CAAwC;AAAA,EAC7E,YAAY,MAAA,EAAuB;AACjC,IAAA,KAAA,CAAM,MAAM,CAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,WAAW,OAAA,EAA0C;AACzD,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,CAAE,MAAA;AAAA,MACtC,CAAC,KAAK,MAAA,KAAW;AACf,QAAA,MAAM,CAAC,MAAM,GAAG,UAAU,IAAI,MAAA,CAAO,IAAA,EAAK,CAAE,KAAA,CAAM,GAAG,CAAA;AACrD,QAAA,IAAI,IAAA,EAAM;AAER,UAAA,GAAA,CAAI,IAAI,CAAA,GAAI,kBAAA,CAAmB,UAAA,CAAW,IAAA,CAAK,GAAG,CAAC,CAAA;AAAA,QACrD;AACA,QAAA,OAAO,GAAA;AAAA,MACT,CAAA;AAAA,MACA;AAAC,KACH;AAEA,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,UAAU,CAAA,IAAK,IAAA;AAAA,EACrC;AACF;;;ACtBO,SAAS,sBAAsB,IAAA,EAAoB;AACxD,EAAA,OAAO;AAAA,IACL,IAAI,IAAA,CAAK,EAAA;AAAA,IACT,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,IAAA,EAAM,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,WAAW,CAAA,EAAG,IAAA,CAAK,SAAS,CAAA,CAAA,EAAI,IAAA,CAAK,QAAQ,CAAA,CAAA,GAAK,IAAA,CAAK,aAAa,IAAA,CAAK,KAAA;AAAA,IACtG,SAAA,EAAW,KAAK,iBAAA,IAAqB,MAAA;AAAA,IACrC,QAAA,EAAU;AAAA,MACR,UAAU,IAAA,CAAK,EAAA;AAAA,MACf,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,WAAW,IAAA,CAAK;AAAA;AAClB,GACF;AACF;;;ACNA,IAAM,mBAAA,GAAsB,MAAA,CAAO,UAAA,EAAW,GAAI,OAAO,UAAA,EAAW;AAoB7D,IAAM,gBAAA,GAAN,cACGC,yBAAA,CAEV;AAAA,EACY,MAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EACA,MAAA;AAAA,EAEV,YAAY,OAAA,EAAmC;AAC7C,IAAA,KAAA,CAAM,EAAE,IAAA,EAAM,OAAA,EAAS,IAAA,IAAQ,UAAU,CAAA;AAEzC,IAAA,MAAM,MAAA,GAAS,OAAA,EAAS,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC9C,IAAA,MAAM,QAAA,GAAW,OAAA,EAAS,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAClD,IAAA,MAAM,WAAA,GAAc,OAAA,EAAS,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,mBAAA;AACxD,IAAA,MAAM,iBACJ,OAAA,EAAS,OAAA,EAAS,cAAA,IAAkB,OAAA,CAAQ,IAAI,sBAAA,IAA0B,mBAAA;AAE5E,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAI,cAAA,CAAe,SAAS,EAAA,EAAI;AAC9B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AACnB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,GAAA;AAG1B,IAAA,IAAA,CAAK,SAAS,IAAIC,WAAA,CAAO,MAAA,EAAQ,EAAE,UAAU,CAAA;AAG7C,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,QAAA;AAAA,MACA,MAAA;AAAA,MACA,WAAA;AAAA,MACA,cAAA;AAAA,MACA,UAAA,EAAY,OAAA,EAAS,OAAA,EAAS,UAAA,IAAc,aAAA;AAAA,MAC5C,cAAc,OAAA,EAAS,OAAA,EAAS,MAAA,IAAU,EAAA,GAAK,KAAK,EAAA,GAAK,GAAA;AAAA;AAAA,MACzD,cAAA,EAAgB,OAAA,EAAS,OAAA,EAAS,QAAA,EAAU,WAAA,EAAY;AAAA,MACxD,YAAA,EAAc,MAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACZ;AAGA,IAAA,MAAM,OAAA,GAAU,IAAI,iBAAA,CAAkB,IAAA,CAAK,MAAM,CAAA;AACjD,IAAA,IAAA,CAAK,WAAA,GAAc,IAAIC,0BAAA,CAAY,IAAA,CAAK,QAAQ,OAAA,EAAS,IAAA,CAAK,QAAQC,gCAAiB,CAAA;AAEvF,IAAA,IAAA,CAAK,gBAAgB,OAAgD,CAAA;AAErE,IAAA,IAAI,mBAAmB,mBAAA,EAAqB;AAC1C,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN;AAAA,OAGF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,iBAAA,CAAkB,KAAA,EAAe,OAAA,EAA4D;AACjG,IAAA,IAAI;AAEF,MAAA,MAAM,UAAA,GAAa,KAAA,IAAS,OAAA,GAAU,OAAA,CAAQ,GAAA,GAAM,OAAA;AAGpD,MAAA,MAAM,QAAEC,MAAA,EAAK,GAAI,MAAM,IAAA,CAAK,WAAA,CAAY,SAAS,UAAU,CAAA;AAE3D,MAAA,IAAIA,OAAK,IAAA,EAAM;AACb,QAAA,OAAO;AAAA,UACL,GAAG,qBAAA,CAAsBA,MAAA,CAAK,IAAI,CAAA;AAAA,UAClC,QAAA,EAAUA,OAAK,IAAA,CAAK,EAAA;AAAA,UACpB,gBAAgBA,MAAA,CAAK;AAAA;AAAA,SAEvB;AAAA,MACF;AAGA,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,MAAM,UAAU,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,UAAA,CAAW,KAAK,QAAQ,CAAA;AACnE,QAAA,MAAM,OAAA,GAAU,MAAMC,eAAA,CAAW,KAAA,EAAO,OAAO,CAAA;AAE/C,QAAA,IAAI,SAAS,GAAA,EAAK;AAChB,UAAA,MAAM,OAAO,MAAM,IAAA,CAAK,OAAO,cAAA,CAAe,OAAA,CAAQ,QAAQ,GAAG,CAAA;AACjE,UAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,YAC/E,QAAQ,IAAA,CAAK;AAAA,WACd,CAAA;AAED,UAAA,OAAO;AAAA,YACL,GAAG,sBAAsB,IAAI,CAAA;AAAA,YAC7B,UAAU,IAAA,CAAK,EAAA;AAAA,YACf,cAAA,EAAgB,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,EAAG,cAAA;AAAA,YACrC,aAAa,WAAA,CAAY;AAAA,WAC3B;AAAA,QACF;AAAA,MACF;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAc,IAAA,EAAoC;AACtD,IAAA,OAAO,CAAC,CAAC,IAAA,EAAM,EAAA,IAAM,CAAC,CAAC,IAAA,EAAM,QAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,eAAe,OAAA,EAA0C;AAC7D,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,MAAM,oBAAA,EAAqB,GAAI,MAAM,IAAA,CAAK,WAAA,CAAY,SAAS,OAAO,CAAA;AAE9E,MAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,IAAI,iBAAiB,IAAA,CAAK,cAAA;AAC1B,MAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,QAAA,IAAI;AACF,UAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,YAC/E,MAAA,EAAQ,KAAK,IAAA,CAAK;AAAA,WACnB,CAAA;AACD,UAAA,cAAA,GAAiB,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,EAAG,cAAA;AAAA,QACxC,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAGA,MAAA,MAAM,IAAA,GAAmB;AAAA,QACvB,GAAG,qBAAA,CAAsB,IAAA,CAAK,IAAI,CAAA;AAAA,QAClC,QAAA,EAAU,KAAK,IAAA,CAAK,EAAA;AAAA,QACpB;AAAA,OACF;AAGA,MAAA,IAAI,oBAAA,EAAsB;AACxB,QAAC,KAAa,qBAAA,GAAwB,oBAAA;AAAA,MACxC;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,MAAA,EAA4C;AACxD,IAAA,IAAI;AACF,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,QAAQ,MAAM,CAAA;AAC5D,MAAA,OAAO;AAAA,QACL,GAAG,sBAAsB,IAAI,CAAA;AAAA,QAC7B,UAAU,IAAA,CAAK;AAAA,OACjB;AAAA,IACF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,IAAA,EAAsB;AACtC,IAAA,OAAO,CAAA,SAAA,EAAY,KAAK,EAAE,CAAA,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,WAAA,CAAY,aAAqB,KAAA,EAAuB;AACtD,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,WAAA,EAAa,eAAe,IAAA,CAAK,WAAA;AAAA,MACjC;AAAA,KACF;AAEA,IAAA,IAAI,IAAA,CAAK,WAAW,UAAA,EAAY;AAC9B,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,YAAA,EAAc,KAAK,SAAA,CAAU;AAAA,OAC9B,CAAA;AAAA,IACH,CAAA,MAAA,IAAW,IAAA,CAAK,SAAA,EAAW,QAAA,EAAU;AACnC,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,QAAA,EAAU,KAAK,SAAA,CAAU;AAAA,OAC1B,CAAA;AAAA,IACH,CAAA,MAAA,IAAW,IAAA,CAAK,SAAA,EAAW,mBAAA,EAAqB;AAC9C,MAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,QACpD,GAAG,WAAA;AAAA,QACH,cAAA,EAAgB,KAAK,SAAA,CAAU;AAAA,OAChC,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,mBAAA,CAAoB;AAAA,MACpD,GAAG,WAAA;AAAA,MACH,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAA,CAAe,IAAA,EAAc,MAAA,EAAoD;AAErF,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY,cAAA;AAAA,MACpC,IAAI,QAAQ,kBAAkB,CAAA;AAAA;AAAA,MAC9B,IAAI,QAAA,EAAS;AAAA;AAAA,MACb,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA;AAAO,KACxB;AAEA,IAAA,MAAM,IAAA,GAAmB;AAAA,MACvB,GAAG,qBAAA,CAAsB,MAAA,CAAO,YAAA,CAAa,IAAI,CAAA;AAAA,MACjD,QAAA,EAAU,MAAA,CAAO,YAAA,CAAa,IAAA,CAAK,EAAA;AAAA,MACnC,cAAA,EAAgB,OAAO,YAAA,CAAa;AAAA,KACtC;AAGA,IAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,OAAA,GAAU,YAAY,CAAA;AACnD,IAAA,MAAM,OAAA,GAAU,gBAAiB,KAAA,CAAM,OAAA,CAAQ,aAAa,CAAA,GAAI,aAAA,GAAgB,CAAC,aAAa,CAAA,GAAK,MAAA;AAEnG,IAAA,OAAO;AAAA,MACL,IAAA;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,WAAA,EAAa,OAAO,YAAA,CAAa,WAAA;AAAA,QACjC,YAAA,EAAc,OAAO,YAAA,CAAa;AAAA,OACpC;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,YAAA,CAAa,WAAA,EAAqB,OAAA,EAA2C;AAEjF,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,EAAE,IAAA,EAAK,GAAI,MAAM,IAAA,CAAK,WAAA,CAAY,SAAS,OAAO,CAAA;AAGxD,MAAA,IAAI,CAAC,KAAK,IAAA,EAAM;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,MAAM,GAAG,aAAa,IAAI,IAAA,CAAK,WAAA,CAAY,MAAM,GAAG,CAAA;AACpD,MAAA,IAAI,CAAC,aAAA,EAAe;AAClB,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,aAAa,CAAC,CAAA;AAC9C,MAAA,MAAM,YAAY,OAAA,CAAQ,GAAA;AAE1B,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO,IAAA,CAAK,OAAO,cAAA,CAAe,YAAA,CAAa,EAAE,SAAA,EAAW,QAAA,EAAU,aAAa,CAAA;AAAA,IACrF,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,oBAAA,GAAuC;AACrC,IAAA,IAAI,IAAA,GAAO,SAAA;AACX,IAAA,IAAI,IAAA,CAAK,WAAW,QAAA,EAAU;AAC5B,MAAA,MAAM,aAAA,GAAwC;AAAA,QAC5C,WAAA,EAAa,QAAA;AAAA,QACb,cAAA,EAAgB,WAAA;AAAA,QAChB,WAAA,EAAa,QAAA;AAAA,QACb,UAAA,EAAY;AAAA,OACd;AACA,MAAA,MAAM,YAAA,GAAe,aAAA,CAAc,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA;AAC1D,MAAA,IAAI,YAAA,EAAc;AAChB,QAAA,IAAA,GAAO,gBAAgB,YAAY,CAAA,CAAA;AAAA,MACrC;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,QAAA,EAAU,QAAA;AAAA,MACV;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,MAAA,EAAgB,QAAA,EAAsD;AACxF,IAAA,MAAM,SAAA,GAAY,OAAO,UAAA,EAAW;AACpC,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,GAAA,CAAI,SAAQ,GAAI,IAAA,CAAK,MAAA,CAAO,YAAA,GAAe,GAAI,CAAA;AAE1E,IAAA,OAAO;AAAA,MACL,EAAA,EAAI,SAAA;AAAA,MACJ,MAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,UAAA,EAA6C;AAGjE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,UAAA,EAAmC;AAAA,EAGxD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,UAAA,EAA6C;AAEhE,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAwB,QAAA,EAAkC;AAGxD,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAkB,OAAA,EAA0C;AAG1D,IAAA,MAAM,gBAAiB,OAAA,CAAgB,cAAA;AACvC,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,EAAE,cAAc,KAAA,CAAM,OAAA,CAAQ,aAAa,CAAA,GAAI,aAAA,CAAc,CAAC,CAAA,GAAI,aAAA,EAAc;AAAA,IACzF;AACA,IAAA,OAAO,EAAC;AAAA,EACV;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAA,GAAiD;AAC/C,IAAA,MAAM,WAAA,GAAc,CAAC,CAAA,EAAG,IAAA,CAAK,OAAO,UAAU,CAAA,CAAA,CAAA,EAAK,QAAA,EAAU,WAAA,EAAa,UAAU,CAAA;AACpF,IAAA,OAAO,EAAE,YAAA,EAAc,WAAA,CAAY,IAAA,CAAK,IAAI,CAAA,EAAE;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,SAAA,GAAoB;AAClB,IAAA,OAAO,IAAA,CAAK,MAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,cAAA,GAAiD;AAC/C,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,QAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,cAAA,GAAyB;AACvB,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AACF;ACrcA,IAAM,uBAAuB,EAAA,GAAK,GAAA;AAGlC,IAAM,sBAAA,GAAyB,GAAA;AAExB,IAAM,mBAAN,MAA4D;AAAA,EACzD,MAAA;AAAA,EACA,OAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOR,IAAI,WAAA,GAA2B;AAC7B,IAAA,OAAO,KAAK,OAAA,CAAQ,WAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,OAAA,EAAkC;AAC5C,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,cAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,OAAA,CAAQ,GAAA,CAAI,gBAAA;AAEjD,IAAA,IAAI,CAAC,MAAA,IAAU,CAAC,QAAA,EAAU;AACxB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OAEF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,SAAS,IAAIJ,WAAAA,CAAO,MAAA,EAAQ,EAAE,UAAU,CAAA;AAC7C,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAGf,IAAA,IAAA,CAAK,UAAA,GAAa,IAAIK,iBAAA,CAAoC;AAAA,MACxD,GAAA,EAAK,OAAA,CAAQ,KAAA,EAAO,OAAA,IAAW,sBAAA;AAAA,MAC/B,GAAA,EAAK,OAAA,CAAQ,KAAA,EAAO,KAAA,IAAS;AAAA,KAC9B,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,SAAS,IAAA,EAAqC;AAElD,IAAA,IAAI,IAAA,CAAK,WAAA,IAAe,IAAA,CAAK,WAAA,CAAY,SAAS,CAAA,EAAG;AACnD,MAAA,OAAO,IAAA,CAAK,4BAA4B,IAAI,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,IAAY,IAAA,CAAK,EAAA;AAGvC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAQ,CAAA;AAC3C,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,oBAAA,CAAqB,IAAI,CAAA;AACnD,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAA,EAAU,YAAY,CAAA;AAE1C,IAAA,OAAO,YAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,qBAAqB,IAAA,EAAqC;AACtE,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,MAAA,CAAO,eAAe,2BAAA,CAA4B;AAAA,QAC/E,QAAQ,IAAA,CAAK;AAAA,OACd,CAAA;AAGD,MAAA,MAAM,mBAAA,GAAsB,IAAA,CAAK,OAAA,CAAQ,cAAA,GACrC,YAAY,IAAA,CAAK,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,IAC7E,WAAA,CAAY,IAAA;AAGhB,MAAA,OAAO,mBAAA,CAAoB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,KAAK,IAAI,CAAA;AAAA,IACjD,CAAA,CAAA,MAAQ;AAEN,MAAA,OAAO,EAAC;AAAA,IACV;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAA,CAAQ,IAAA,EAAkB,IAAA,EAAgC;AAC9D,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AACtC,IAAA,OAAO,KAAA,CAAM,SAAS,IAAI,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,eAAe,IAAA,EAAqC;AACxD,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,QAAA,CAAS,IAAI,CAAA;AAEtC,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,WAAA,CAAY,UAAU,KAAK,EAAC;AAAA,IAClD;AAEA,IAAA,OAAOC,gCAAA,CAA8B,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,IAAA,EAAkB,UAAA,EAAsC;AAC1E,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AAClD,IAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAKC,oBAAA,CAAkB,CAAA,EAAG,UAAU,CAAC,CAAA;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,iBAAA,CAAkB,IAAA,EAAkB,WAAA,EAAyC;AACjF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,KAAA,CAAM,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAA,CAAiB,IAAA,EAAkB,WAAA,EAAyC;AAChF,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,cAAA,CAAe,IAAI,CAAA;AACtD,IAAA,OAAO,WAAA,CAAY,IAAA,CAAK,CAAA,QAAA,KAAY,eAAA,CAAgB,IAAA,CAAK,OAAKA,oBAAA,CAAkB,CAAA,EAAG,QAAQ,CAAC,CAAC,CAAA;AAAA,EAC/F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAA,GAAmB;AACjB,IAAA,IAAA,CAAK,WAAW,KAAA,EAAM;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,MAAA,EAAsB;AACnC,IAAA,IAAA,CAAK,UAAA,CAAW,OAAO,MAAM,CAAA;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAA,GAAmD;AACjD,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,KAAK,UAAA,CAAW,IAAA;AAAA,MACtB,OAAA,EAAS,KAAK,UAAA,CAAW;AAAA,KAC3B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,4BAA4B,IAAA,EAA4B;AAC9D,IAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,MAAA,OAAO,EAAC;AAAA,IACV;AAGA,IAAA,MAAM,mBAAA,GAAsB,IAAA,CAAK,OAAA,CAAQ,cAAA,GACrC,KAAK,WAAA,CAAY,MAAA,CAAO,CAAA,CAAA,KAAK,CAAA,CAAE,cAAA,KAAmB,IAAA,CAAK,OAAA,CAAQ,cAAc,IAC7E,IAAA,CAAK,WAAA;AAET,IAAA,OAAO,mBAAA,CAAoB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,KAAK,IAAI,CAAA;AAAA,EACjD;AACF;;;ACnNO,IAAM,sBAAN,MAA0B;AAAA,EACvB,MAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASR,WAAA,CAAY,QAAgB,OAAA,EAAqC;AAC/D,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,aAAA,IAAiB,OAAA,CAAQ,GAAA,CAAI,qBAAA;AAC3D,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,aAAA,GAAgB,aAAA;AACrB,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAA,CAAc,OAAA,EAA0B,SAAA,EAAkC;AAI9E,IAAA,MAAM,gBAAgB,OAAO,OAAA,KAAY,WAAW,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA,GAAI,OAAA;AAC1E,IAAA,MAAM,KAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,SAAS,cAAA,CAAe;AAAA,MACvD,OAAA,EAAS,aAAA;AAAA,MACT,SAAA,EAAW,SAAA;AAAA,MACX,QAAQ,IAAA,CAAK;AAAA,KACd,CAAA;AAGD,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,WAAW,KAAK,CAAA;AAAA,IAC7B,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,2CAAA,EAA8C,KAAA,CAAM,KAAK,KAAK,KAAK,CAAA;AAAA,IACnF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,WAAW,KAAA,EAA0C;AACjE,IAAA,MAAM,EAAE,KAAA,EAAO,SAAA,EAAW,IAAA,EAAK,GAAI,KAAA;AAEnC,IAAA,QAAQ,SAAA;AAAW,MACjB,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,oBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,aAAA,EAAe;AAC/B,UAAA,MAAM,KAAK,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,WAAA,CAAY,IAAI,CAAC,CAAA;AAAA,QAC1D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,qBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,cAAA,EAAgB;AAChC,UAAA,MAAM,KAAK,QAAA,CAAS,cAAA,CAAe,IAAA,CAAK,YAAA,CAAa,IAAI,CAAC,CAAA;AAAA,QAC5D;AACA,QAAA;AAAA,MAEF,KAAK,wBAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,gBAAA,EAAkB;AAClC,UAAA,MAAM,IAAA,CAAK,SAAS,gBAAA,CAAiB;AAAA,YACnC,KAAA,EAAO,IAAA,CAAK,YAAA,CAAa,IAAA,CAAK,KAAgC,CAAA;AAAA,YAC9D,IAAA,EAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,IAA+B;AAAA,WAC5D,CAAA;AAAA,QACH;AACA,QAAA;AAAA,MAEF,KAAK,0BAAA;AACH,QAAA,IAAI,IAAA,CAAK,SAAS,kBAAA,EAAoB;AACpC,UAAA,MAAM,IAAA,CAAK,SAAS,kBAAA,CAAmB;AAAA,YACrC,KAAA,EAAO,IAAA,CAAK,YAAA,CAAa,IAAA,CAAK,KAAgC,CAAA;AAAA,YAC9D,IAAA,EAAM,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,IAA+B;AAAA,WAC5D,CAAA;AAAA,QACH;AACA,QAAA;AAAA,MAEF;AAEE,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,0CAAA,EAA6C,SAAS,CAAA,CAAE,CAAA;AAAA;AACzE,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,YAAY,IAAA,EAAsD;AACxE,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,aAAa,IAAA,CAAK,YAAA;AAAA,MAClB,gBAAgB,IAAA,CAAK,eAAA;AAAA,MACrB,OAAO,IAAA,CAAK,MAAA;AAAA,MACZ,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,MAAA,EAAS,IAAA,CAAK,MAAA,IAAwE,EAAC;AAAA,MACvF,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,MAAA,EAAS,IAAA,CAAK,MAAA,IAAkD,EAAC;AAAA,MACjE,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,aAAA,EAAgB,IAAA,CAAK,cAAA,IAA8C,EAAC;AAAA,MACpE,gBAAA,EAAmB,IAAA,CAAK,iBAAA,IAAiD,EAAC;AAAA,MAC1E,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,WAAW,IAAA,CAAK;AAAA,KAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,aAAa,IAAA,EAAuD;AAC1E,IAAA,OAAO;AAAA,MACL,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,aAAa,IAAA,CAAK,YAAA;AAAA,MAClB,gBAAgB,IAAA,CAAK,eAAA;AAAA,MACrB,OAAO,IAAA,CAAK,MAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,aAAA,EAAgB,IAAA,CAAK,cAAA,IAA8C;AAAC,KACtE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,gBAAgB,cAAA,EAA8C;AAClE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,eAAA,CAAgB;AAAA,MAC/D;AAAA,KACD,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,mBAAmB,WAAA,EAA+C;AACtE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,SAAA,CAAU;AAAA,MACzD,SAAA,EAAW;AAAA,KACZ,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,oBAAoB,WAAA,EAAgD;AACxE,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,MAAA,CAAO,cAAc,UAAA,CAAW;AAAA,MAC1D,SAAA,EAAW;AAAA,KACZ,CAAA;AACD,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AACF;AC9RA,IAAM,UAAA,GAAkE;AAAA,EACtE,KAAKC,6BAAA,CAAyB,GAAA;AAAA,EAC9B,OAAOA,6BAAA,CAAyB,KAAA;AAAA,EAChC,YAAYA,6BAAA,CAAyB,SAAA;AAAA,EACrC,aAAaA,6BAAA,CAAyB;AACxC,CAAA;AA2BO,IAAM,oBAAN,MAAwB;AAAA,EACrB,MAAA;AAAA,EACA,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQR,WAAA,CAAY,QAAgB,OAAA,EAAoC;AAC9D,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,SAAA,GAAY,SAAS,SAAA,IAAa,GAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,aAAA,CAAc,cAAA,EAAwB,MAAA,EAA6C;AACvF,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,MAAA,CAAO,OAAO,YAAA,CAAa;AAAA,MACnD,YAAA,EAAc,cAAA;AAAA,MACd,MAAA,EAAQ,UAAA,CAAW,MAAA,IAAU,KAAK,CAAA;AAAA,MAClC,WAAW,IAAA,CAAK;AAAA,KACjB,CAAA;AAED,IAAA,OAAO,MAAA,CAAO,IAAA;AAAA,EAChB;AACF","file":"index.cjs","sourcesContent":["/**\n * Hono/Web Request session storage adapter for WorkOS AuthKit.\n *\n * Implements the SessionStorage interface for standard Web Request/Response\n * objects used by Hono and other modern frameworks.\n */\n\nimport { CookieSessionStorage } from '@workos/authkit-session';\nimport type { AuthKitConfig } from '@workos/authkit-session';\n\n/**\n * Session storage adapter for Web Request/Response (used by Hono).\n *\n * Extracts session cookies from standard Request objects and\n * builds Set-Cookie headers for Response objects.\n */\nexport class WebSessionStorage extends CookieSessionStorage<Request, Response> {\n constructor(config: AuthKitConfig) {\n super(config);\n }\n\n /**\n * Extract the encrypted session cookie from a Request.\n *\n * @param request - Standard Web Request object\n * @returns The encrypted session string or null if not present\n */\n async getSession(request: Request): Promise<string | null> {\n const cookieHeader = request.headers.get('Cookie');\n if (!cookieHeader) {\n return null;\n }\n\n // Parse cookies\n const cookies = cookieHeader.split(';').reduce(\n (acc, cookie) => {\n const [name, ...valueParts] = cookie.trim().split('=');\n if (name) {\n // Rejoin in case value contains '='\n acc[name] = decodeURIComponent(valueParts.join('='));\n }\n return acc;\n },\n {} as Record<string, string>,\n );\n\n return cookies[this.cookieName] || null;\n }\n}\n","/**\n * Shared types for WorkOS integration.\n */\n\nimport type { EEUser, RoleMapping } from '@mastra/core/auth/ee';\nimport type { User, OrganizationMembership } from '@workos-inc/node';\n\n// ============================================================================\n// User Types\n// ============================================================================\n\n/**\n * Extended EEUser with WorkOS-specific fields.\n */\nexport interface WorkOSUser extends EEUser {\n /** WorkOS user ID */\n workosId: string;\n /** Primary organization ID (if any) */\n organizationId?: string;\n /** Organization memberships with roles */\n memberships?: OrganizationMembership[];\n}\n\n/**\n * Maps a WorkOS User to EEUser format.\n */\nexport function mapWorkOSUserToEEUser(user: User): EEUser {\n return {\n id: user.id,\n email: user.email,\n name: user.firstName && user.lastName ? `${user.firstName} ${user.lastName}` : user.firstName || user.email,\n avatarUrl: user.profilePictureUrl ?? undefined,\n metadata: {\n workosId: user.id,\n emailVerified: user.emailVerified,\n createdAt: user.createdAt,\n },\n };\n}\n\n// ============================================================================\n// Auth Provider Options\n// ============================================================================\n\n/**\n * SSO configuration options.\n */\nexport interface WorkOSSSOConfig {\n /** Default organization for SSO (if not using org selector) */\n defaultOrganization?: string;\n /** Connection ID for direct SSO (bypasses org selector) */\n connection?: string;\n /** Identity provider for OAuth (e.g., 'GoogleOAuth', 'MicrosoftOAuth') */\n provider?: 'GoogleOAuth' | 'MicrosoftOAuth' | 'GitHubOAuth' | 'AppleOAuth';\n}\n\n/**\n * Session configuration options.\n */\nexport interface WorkOSSessionConfig {\n /** Cookie name for session storage */\n cookieName?: string;\n /**\n * Password for encrypting session cookies.\n * Must be at least 32 characters.\n * Defaults to WORKOS_COOKIE_PASSWORD env var.\n */\n cookiePassword?: string;\n /** Session duration in seconds (default: 400 days) */\n maxAge?: number;\n /** Use secure cookies (HTTPS only, default: true in production) */\n secure?: boolean;\n /** Cookie path (default: '/') */\n path?: string;\n /** SameSite attribute (default: 'Lax') */\n sameSite?: 'Strict' | 'Lax' | 'None';\n}\n\n/**\n * Options for MastraAuthWorkos.\n */\nexport interface MastraAuthWorkosOptions {\n /** WorkOS API key (defaults to WORKOS_API_KEY env var) */\n apiKey?: string;\n /** WorkOS Client ID (defaults to WORKOS_CLIENT_ID env var) */\n clientId?: string;\n /** OAuth redirect URI (defaults to WORKOS_REDIRECT_URI env var) */\n redirectUri?: string;\n /** SSO configuration */\n sso?: WorkOSSSOConfig;\n /** Session configuration */\n session?: WorkOSSessionConfig;\n /** Custom provider name (default: 'workos') */\n name?: string;\n}\n\n// ============================================================================\n// RBAC Provider Options\n// ============================================================================\n\n/**\n * Cache configuration options for RBAC permission caching.\n */\nexport interface PermissionCacheOptions {\n /** Maximum number of users to cache (default: 1000) */\n maxSize?: number;\n /** Time-to-live in milliseconds (default: 60000) */\n ttlMs?: number;\n}\n\n/**\n * Options for MastraRBACWorkos.\n */\nexport interface MastraRBACWorkosOptions {\n /** WorkOS API key (defaults to WORKOS_API_KEY env var) */\n apiKey?: string;\n /** WorkOS Client ID (defaults to WORKOS_CLIENT_ID env var) */\n clientId?: string;\n\n /**\n * Map WorkOS organization roles to Mastra permissions.\n *\n * @example\n * ```typescript\n * roleMapping: {\n * 'admin': ['*'],\n * 'member': ['agents:read', 'workflows:*'],\n * 'viewer': ['agents:read', 'workflows:read'],\n * '_default': [],\n * }\n * ```\n */\n roleMapping: RoleMapping;\n\n /**\n * Organization ID to check roles for.\n * If not provided, uses the first organization the user belongs to.\n */\n organizationId?: string;\n\n /** Permission cache configuration */\n cache?: PermissionCacheOptions;\n}\n\n// ============================================================================\n// Directory Sync Types\n// ============================================================================\n\n/**\n * Handlers for Directory Sync webhook events.\n */\nexport interface DirectorySyncHandlers {\n /** Called when a user is created in the directory */\n onUserCreated?: (data: DirectorySyncUserData) => Promise<void>;\n /** Called when a user is updated in the directory */\n onUserUpdated?: (data: DirectorySyncUserData) => Promise<void>;\n /** Called when a user is deleted from the directory */\n onUserDeleted?: (data: DirectorySyncUserData) => Promise<void>;\n /** Called when a group is created */\n onGroupCreated?: (data: DirectorySyncGroupData) => Promise<void>;\n /** Called when a group is updated */\n onGroupUpdated?: (data: DirectorySyncGroupData) => Promise<void>;\n /** Called when a group is deleted */\n onGroupDeleted?: (data: DirectorySyncGroupData) => Promise<void>;\n /** Called when a user is added to a group */\n onGroupUserAdded?: (data: { group: DirectorySyncGroupData; user: DirectorySyncUserData }) => Promise<void>;\n /** Called when a user is removed from a group */\n onGroupUserRemoved?: (data: { group: DirectorySyncGroupData; user: DirectorySyncUserData }) => Promise<void>;\n}\n\n/**\n * User data from Directory Sync events.\n */\nexport interface DirectorySyncUserData {\n id: string;\n directoryId: string;\n organizationId?: string;\n idpId: string;\n firstName?: string;\n lastName?: string;\n jobTitle?: string;\n emails: Array<{ primary: boolean; type?: string; value: string }>;\n username?: string;\n groups: Array<{ id: string; name: string }>;\n state: 'active' | 'inactive';\n rawAttributes: Record<string, unknown>;\n customAttributes: Record<string, unknown>;\n createdAt: string;\n updatedAt: string;\n}\n\n/**\n * Group data from Directory Sync events.\n */\nexport interface DirectorySyncGroupData {\n id: string;\n directoryId: string;\n organizationId?: string;\n idpId: string;\n name: string;\n createdAt: string;\n updatedAt: string;\n rawAttributes: Record<string, unknown>;\n}\n\n/**\n * Options for WorkOSDirectorySync.\n */\nexport interface WorkOSDirectorySyncOptions {\n /** Webhook secret for signature verification (defaults to WORKOS_WEBHOOK_SECRET env var) */\n webhookSecret?: string;\n /** Event handlers */\n handlers: DirectorySyncHandlers;\n}\n\n// ============================================================================\n// Admin Portal Types\n// ============================================================================\n\n/**\n * Admin Portal intent - what the user wants to configure.\n */\nexport type AdminPortalIntent = 'sso' | 'dsync' | 'audit_logs' | 'log_streams';\n\n/**\n * Options for WorkOSAdminPortal.\n */\nexport interface WorkOSAdminPortalOptions {\n /** Return URL after portal configuration is complete */\n returnUrl?: string;\n}\n","/**\n * MastraAuthWorkos - WorkOS authentication provider for Mastra.\n *\n * Uses @workos/authkit-session for session management with encrypted\n * cookie-based sessions that persist across server restarts.\n */\n\nimport { verifyJwks } from '@mastra/auth';\nimport type {\n IUserProvider,\n ISSOProvider,\n ISessionProvider,\n Session,\n SSOCallbackResult,\n SSOLoginConfig,\n} from '@mastra/core/auth';\nimport type { EEUser } from '@mastra/core/auth/ee';\nimport type { MastraAuthProviderOptions } from '@mastra/core/server';\nimport { MastraAuthProvider } from '@mastra/core/server';\nimport { AuthService, sessionEncryption } from '@workos/authkit-session';\nimport type { AuthKitConfig } from '@workos/authkit-session';\nimport { WorkOS } from '@workos-inc/node';\nimport type { HonoRequest } from 'hono';\n\nimport { WebSessionStorage } from './session-storage.js';\nimport type { WorkOSUser, MastraAuthWorkosOptions } from './types.js';\nimport { mapWorkOSUserToEEUser } from './types.js';\n\n/**\n * Default cookie password for development (MUST be overridden in production).\n * Generated once per process to ensure consistency during dev.\n */\nconst DEV_COOKIE_PASSWORD = crypto.randomUUID() + crypto.randomUUID(); // 72 chars\n\n/**\n * Mastra authentication provider for WorkOS.\n *\n * Uses WorkOS AuthKit with encrypted cookie-based sessions.\n * Sessions are stored in cookies, so they persist across server restarts.\n *\n * @example Basic usage with SSO\n * ```typescript\n * import { MastraAuthWorkos } from '@mastra/auth-workos';\n *\n * const auth = new MastraAuthWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * redirectUri: 'https://myapp.com/auth/callback',\n * cookiePassword: process.env.WORKOS_COOKIE_PASSWORD, // min 32 chars\n * });\n * ```\n */\nexport class MastraAuthWorkos\n extends MastraAuthProvider<WorkOSUser>\n implements IUserProvider<EEUser>, ISSOProvider<EEUser>, ISessionProvider<Session>\n{\n protected workos: WorkOS;\n protected clientId: string;\n protected redirectUri: string;\n protected ssoConfig: MastraAuthWorkosOptions['sso'];\n protected authService: AuthService<Request, Response>;\n protected config: AuthKitConfig;\n\n constructor(options?: MastraAuthWorkosOptions) {\n super({ name: options?.name ?? 'workos' });\n\n const apiKey = options?.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options?.clientId ?? process.env.WORKOS_CLIENT_ID;\n const redirectUri = options?.redirectUri ?? process.env.WORKOS_REDIRECT_URI;\n const cookiePassword =\n options?.session?.cookiePassword ?? process.env.WORKOS_COOKIE_PASSWORD ?? DEV_COOKIE_PASSWORD;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required. ' +\n 'Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables.',\n );\n }\n\n if (!redirectUri) {\n throw new Error(\n 'WorkOS redirect URI is required. ' +\n 'Provide it in the options or set WORKOS_REDIRECT_URI environment variable.',\n );\n }\n\n if (cookiePassword.length < 32) {\n throw new Error(\n 'Cookie password must be at least 32 characters. ' +\n 'Set WORKOS_COOKIE_PASSWORD environment variable or provide session.cookiePassword option.',\n );\n }\n\n this.clientId = clientId;\n this.redirectUri = redirectUri;\n this.ssoConfig = options?.sso;\n\n // Create WorkOS client\n this.workos = new WorkOS(apiKey, { clientId });\n\n // Create AuthKit config\n this.config = {\n clientId,\n apiKey,\n redirectUri,\n cookiePassword,\n cookieName: options?.session?.cookieName ?? 'wos_session',\n cookieMaxAge: options?.session?.maxAge ?? 60 * 60 * 24 * 400, // 400 days\n cookieSameSite: options?.session?.sameSite?.toLowerCase() as 'lax' | 'strict' | 'none' | undefined,\n cookieDomain: undefined,\n apiHttps: true,\n };\n\n // Create session storage and auth service\n const storage = new WebSessionStorage(this.config);\n this.authService = new AuthService(this.config, storage, this.workos, sessionEncryption);\n\n this.registerOptions(options as MastraAuthProviderOptions<WorkOSUser>);\n\n if (cookiePassword === DEV_COOKIE_PASSWORD) {\n console.warn(\n '[WorkOS] Using auto-generated cookie password for development. ' +\n 'Sessions will not persist across server restarts. ' +\n 'Set WORKOS_COOKIE_PASSWORD for persistent sessions.',\n );\n }\n }\n\n // ============================================================================\n // MastraAuthProvider Implementation\n // ============================================================================\n\n /**\n * Authenticate a bearer token or session cookie.\n *\n * Uses AuthKit's withAuth() for cookie-based sessions, falls back to\n * JWT verification for bearer tokens.\n */\n async authenticateToken(token: string, request: HonoRequest | Request): Promise<WorkOSUser | null> {\n try {\n // Get the raw Request object - handle both HonoRequest and plain Request\n const rawRequest = 'raw' in request ? request.raw : request;\n\n // First try session-based auth via AuthKit\n const { auth } = await this.authService.withAuth(rawRequest);\n\n if (auth.user) {\n return {\n ...mapWorkOSUserToEEUser(auth.user),\n workosId: auth.user.id,\n organizationId: auth.organizationId,\n // Note: memberships not available from session, fetch if needed\n };\n }\n\n // Fall back to JWT verification for bearer tokens\n if (token) {\n const jwksUri = this.workos.userManagement.getJwksUrl(this.clientId);\n const payload = await verifyJwks(token, jwksUri);\n\n if (payload?.sub) {\n const user = await this.workos.userManagement.getUser(payload.sub);\n const memberships = await this.workos.userManagement.listOrganizationMemberships({\n userId: user.id,\n });\n\n return {\n ...mapWorkOSUserToEEUser(user),\n workosId: user.id,\n organizationId: memberships.data[0]?.organizationId,\n memberships: memberships.data,\n };\n }\n }\n\n return null;\n } catch {\n return null;\n }\n }\n\n /**\n * Authorize a user for access.\n */\n async authorizeUser(user: WorkOSUser): Promise<boolean> {\n return !!user?.id && !!user?.workosId;\n }\n\n // ============================================================================\n // IUserProvider Implementation\n // ============================================================================\n\n /**\n * Get the current user from the request using AuthKit session.\n */\n async getCurrentUser(request: Request): Promise<EEUser | null> {\n try {\n const { auth, refreshedSessionData } = await this.authService.withAuth(request);\n\n if (!auth.user) {\n return null;\n }\n\n // Get organizationId from JWT claims, or fall back to fetching from memberships\n let organizationId = auth.organizationId;\n if (!organizationId) {\n try {\n const memberships = await this.workos.userManagement.listOrganizationMemberships({\n userId: auth.user.id,\n });\n organizationId = memberships.data[0]?.organizationId;\n } catch {\n // Ignore membership fetch errors\n }\n }\n\n // Build user with session data\n const user: WorkOSUser = {\n ...mapWorkOSUserToEEUser(auth.user),\n workosId: auth.user.id,\n organizationId,\n };\n\n // If session was refreshed, attach to user object for caller to save\n if (refreshedSessionData) {\n (user as any)._refreshedSessionData = refreshedSessionData;\n }\n\n return user;\n } catch {\n return null;\n }\n }\n\n /**\n * Get a user by their ID.\n */\n async getUser(userId: string): Promise<WorkOSUser | null> {\n try {\n const user = await this.workos.userManagement.getUser(userId);\n return {\n ...mapWorkOSUserToEEUser(user),\n workosId: user.id,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * Get the URL to the user's profile page.\n */\n getUserProfileUrl(user: EEUser): string {\n return `/profile/${user.id}`;\n }\n\n // ============================================================================\n // ISSOProvider Implementation\n // ============================================================================\n\n /**\n * Get the URL to redirect users to for SSO login.\n */\n getLoginUrl(redirectUri: string, state: string): string {\n const baseOptions = {\n clientId: this.clientId,\n redirectUri: redirectUri || this.redirectUri,\n state,\n };\n\n if (this.ssoConfig?.connection) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n connectionId: this.ssoConfig.connection,\n });\n } else if (this.ssoConfig?.provider) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n provider: this.ssoConfig.provider,\n });\n } else if (this.ssoConfig?.defaultOrganization) {\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n organizationId: this.ssoConfig.defaultOrganization,\n });\n }\n\n return this.workos.userManagement.getAuthorizationUrl({\n ...baseOptions,\n provider: 'authkit',\n });\n }\n\n /**\n * Handle the OAuth callback from WorkOS.\n *\n * Uses AuthKit's handleCallback for proper session creation.\n */\n async handleCallback(code: string, _state: string): Promise<SSOCallbackResult<EEUser>> {\n // Use AuthService's handleCallback for session creation\n const result = await this.authService.handleCallback(\n new Request('http://localhost'), // Dummy request, not used\n new Response(), // Dummy response to get headers\n { code, state: _state },\n );\n\n const user: WorkOSUser = {\n ...mapWorkOSUserToEEUser(result.authResponse.user),\n workosId: result.authResponse.user.id,\n organizationId: result.authResponse.organizationId,\n };\n\n // Extract session cookie from headers\n const sessionCookie = result.headers?.['Set-Cookie'];\n const cookies = sessionCookie ? (Array.isArray(sessionCookie) ? sessionCookie : [sessionCookie]) : undefined;\n\n return {\n user,\n tokens: {\n accessToken: result.authResponse.accessToken,\n refreshToken: result.authResponse.refreshToken,\n },\n cookies,\n };\n }\n\n /**\n * Get the URL to redirect users to for logout.\n * Extracts session ID from the request's JWT to build a valid WorkOS logout URL.\n *\n * @param redirectUri - URL to redirect to after logout\n * @param request - Request containing session cookie (needed to extract sid)\n * @returns Logout URL or null if no active session\n */\n async getLogoutUrl(redirectUri: string, request?: Request): Promise<string | null> {\n // WorkOS logout requires session_id from the JWT's sid claim\n if (!request) {\n return null;\n }\n\n try {\n const { auth } = await this.authService.withAuth(request);\n\n // No active session\n if (!auth.user) {\n return null;\n }\n\n // Decode JWT to extract sid claim (don't verify, just decode)\n const [, payloadBase64] = auth.accessToken.split('.');\n if (!payloadBase64) {\n return null;\n }\n\n const payload = JSON.parse(atob(payloadBase64));\n const sessionId = payload.sid;\n\n if (!sessionId) {\n return null;\n }\n\n return this.workos.userManagement.getLogoutUrl({ sessionId, returnTo: redirectUri });\n } catch {\n return null;\n }\n }\n\n /**\n * Get the configuration for rendering the login button.\n */\n getLoginButtonConfig(): SSOLoginConfig {\n let text = 'Sign in';\n if (this.ssoConfig?.provider) {\n const providerNames: Record<string, string> = {\n GoogleOAuth: 'Google',\n MicrosoftOAuth: 'Microsoft',\n GitHubOAuth: 'GitHub',\n AppleOAuth: 'Apple',\n };\n const providerName = providerNames[this.ssoConfig.provider];\n if (providerName) {\n text = `Sign in with ${providerName}`;\n }\n }\n\n return {\n provider: 'workos',\n text,\n };\n }\n\n // ============================================================================\n // ISessionProvider Implementation\n // ============================================================================\n\n /**\n * Create a new session for a user.\n *\n * Note: With AuthKit, sessions are created via handleCallback.\n * This method is kept for interface compatibility.\n */\n async createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session> {\n const sessionId = crypto.randomUUID();\n const now = new Date();\n const expiresAt = new Date(now.getTime() + this.config.cookieMaxAge * 1000);\n\n return {\n id: sessionId,\n userId,\n createdAt: now,\n expiresAt,\n metadata,\n };\n }\n\n /**\n * Validate a session.\n *\n * With AuthKit, sessions are validated via withAuth().\n */\n async validateSession(_sessionId: string): Promise<Session | null> {\n // AuthKit handles validation internally via withAuth()\n // This method is kept for interface compatibility\n return null;\n }\n\n /**\n * Destroy a session.\n */\n async destroySession(_sessionId: string): Promise<void> {\n // AuthKit handles session clearing via signOut()\n // The actual cookie clearing happens in the response headers\n }\n\n /**\n * Refresh a session.\n */\n async refreshSession(_sessionId: string): Promise<Session | null> {\n // AuthKit handles refresh automatically in withAuth()\n return null;\n }\n\n /**\n * Extract session ID from a request.\n */\n getSessionIdFromRequest(_request: Request): string | null {\n // With AuthKit, we don't expose the session ID directly\n // The session is managed via encrypted cookies\n return null;\n }\n\n /**\n * Get response headers to set the session cookie.\n */\n getSessionHeaders(session: Session): Record<string, string> {\n // AuthKit handles cookie setting via saveSession()\n // Check for _sessionCookie from handleCallback\n const sessionCookie = (session as any)._sessionCookie;\n if (sessionCookie) {\n return { 'Set-Cookie': Array.isArray(sessionCookie) ? sessionCookie[0] : sessionCookie };\n }\n return {};\n }\n\n /**\n * Get response headers to clear the session cookie.\n */\n getClearSessionHeaders(): Record<string, string> {\n const cookieParts = [`${this.config.cookieName}=`, 'Path=/', 'Max-Age=0', 'HttpOnly'];\n return { 'Set-Cookie': cookieParts.join('; ') };\n }\n\n // ============================================================================\n // Helper Methods\n // ============================================================================\n\n /**\n * Get the underlying WorkOS client.\n */\n getWorkOS(): WorkOS {\n return this.workos;\n }\n\n /**\n * Get the AuthKit AuthService.\n */\n getAuthService(): AuthService<Request, Response> {\n return this.authService;\n }\n\n /**\n * Get the configured client ID.\n */\n getClientId(): string {\n return this.clientId;\n }\n\n /**\n * Get the configured redirect URI.\n */\n getRedirectUri(): string {\n return this.redirectUri;\n }\n}\n","/**\n * WorkOS RBAC provider for Mastra.\n *\n * Integrates WorkOS organization memberships and roles with Mastra's\n * permission-based access control system.\n */\n\nimport type { IRBACProvider, RoleMapping } from '@mastra/core/auth/ee';\nimport { resolvePermissionsFromMapping, matchesPermission } from '@mastra/core/auth/ee';\nimport { WorkOS } from '@workos-inc/node';\nimport { LRUCache } from 'lru-cache';\n\nimport type { WorkOSUser, MastraRBACWorkosOptions } from './types';\n\n/**\n * WorkOS RBAC provider that maps organization roles to Mastra permissions.\n *\n * This provider fetches organization memberships from WorkOS and translates\n * role slugs into Mastra permissions using a configurable role mapping.\n *\n * @example Basic usage\n * ```typescript\n * import { MastraRBACWorkos } from '@mastra/auth-workos';\n *\n * const rbac = new MastraRBACWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:read', 'workflows:*'],\n * viewer: ['agents:read', 'workflows:read'],\n * _default: [],\n * },\n * });\n * ```\n *\n * @example With specific organization\n * ```typescript\n * const rbac = new MastraRBACWorkos({\n * apiKey: process.env.WORKOS_API_KEY,\n * clientId: process.env.WORKOS_CLIENT_ID,\n * organizationId: 'org_123456',\n * roleMapping: {\n * admin: ['*'],\n * member: ['agents:*'],\n * },\n * });\n * ```\n */\n/** Default cache TTL in milliseconds (60 seconds) */\nconst DEFAULT_CACHE_TTL_MS = 60 * 1000;\n\n/** Default max cache size (number of users) */\nconst DEFAULT_CACHE_MAX_SIZE = 1000;\n\nexport class MastraRBACWorkos implements IRBACProvider<WorkOSUser> {\n private workos: WorkOS;\n private options: MastraRBACWorkosOptions;\n /**\n * Single cache for roles (the expensive WorkOS API call).\n * Permissions are derived from roles on-the-fly (cheap, synchronous).\n * Storing promises handles concurrent request deduplication.\n */\n private rolesCache: LRUCache<string, Promise<string[]>>;\n\n /**\n * Expose roleMapping for middleware access.\n * This allows the authorization middleware to resolve permissions\n * without needing to call the async methods.\n */\n get roleMapping(): RoleMapping {\n return this.options.roleMapping;\n }\n\n /**\n * Create a new WorkOS RBAC provider.\n *\n * @param options - RBAC configuration options\n */\n constructor(options: MastraRBACWorkosOptions) {\n const apiKey = options.apiKey ?? process.env.WORKOS_API_KEY;\n const clientId = options.clientId ?? process.env.WORKOS_CLIENT_ID;\n\n if (!apiKey || !clientId) {\n throw new Error(\n 'WorkOS API key and client ID are required. ' +\n 'Provide them in the options or set WORKOS_API_KEY and WORKOS_CLIENT_ID environment variables.',\n );\n }\n\n this.workos = new WorkOS(apiKey, { clientId });\n this.options = options;\n\n // Initialize LRU cache with configurable size and TTL\n this.rolesCache = new LRUCache<string, Promise<string[]>>({\n max: options.cache?.maxSize ?? DEFAULT_CACHE_MAX_SIZE,\n ttl: options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS,\n });\n }\n\n /**\n * Get all roles for a user from their WorkOS organization memberships.\n *\n * Fetches organization memberships from WorkOS and extracts role slugs.\n * If an organizationId is configured, only returns roles from that organization.\n * Otherwise, returns roles from all organizations the user belongs to.\n *\n * Results are cached and concurrent requests are deduplicated.\n *\n * @param user - WorkOS user to get roles for\n * @returns Array of role slugs\n */\n async getRoles(user: WorkOSUser): Promise<string[]> {\n // If memberships are already present on the user object, use them\n if (user.memberships && user.memberships.length > 0) {\n return this.extractRolesFromMemberships(user);\n }\n\n const cacheKey = user.workosId ?? user.id;\n\n // Check cache - returns existing promise (resolved or in-flight)\n const cached = this.rolesCache.get(cacheKey);\n if (cached) {\n return cached;\n }\n\n // Create and cache the role fetch promise\n const rolesPromise = this.fetchRolesFromWorkOS(user);\n this.rolesCache.set(cacheKey, rolesPromise);\n\n return rolesPromise;\n }\n\n /**\n * Fetch roles from WorkOS API.\n */\n private async fetchRolesFromWorkOS(user: WorkOSUser): Promise<string[]> {\n try {\n const memberships = await this.workos.userManagement.listOrganizationMemberships({\n userId: user.workosId,\n });\n\n // Filter by organization if specified\n const relevantMemberships = this.options.organizationId\n ? memberships.data.filter(m => m.organizationId === this.options.organizationId)\n : memberships.data;\n\n // Extract role slugs\n return relevantMemberships.map(m => m.role.slug);\n } catch {\n // Return empty roles on error - _default permissions will be applied\n return [];\n }\n }\n\n /**\n * Check if a user has a specific role.\n *\n * @param user - WorkOS user to check\n * @param role - Role slug to check for\n * @returns True if user has the role\n */\n async hasRole(user: WorkOSUser, role: string): Promise<boolean> {\n const roles = await this.getRoles(user);\n return roles.includes(role);\n }\n\n /**\n * Get all permissions for a user by mapping their WorkOS roles.\n *\n * Uses the configured roleMapping to translate WorkOS role slugs\n * into Mastra permission strings. Roles are cached; permissions\n * are derived on-the-fly (cheap, synchronous operation).\n *\n * If the user has no roles (no organization memberships), the\n * _default permissions from the role mapping are applied.\n *\n * @param user - WorkOS user to get permissions for\n * @returns Array of permission strings\n */\n async getPermissions(user: WorkOSUser): Promise<string[]> {\n const roles = await this.getRoles(user);\n\n if (roles.length === 0) {\n return this.options.roleMapping['_default'] ?? [];\n }\n\n return resolvePermissionsFromMapping(roles, this.options.roleMapping);\n }\n\n /**\n * Check if a user has a specific permission.\n *\n * Uses wildcard matching to check if any of the user's permissions\n * grant access to the required permission.\n *\n * @param user - WorkOS user to check\n * @param permission - Permission to check for (e.g., 'agents:read')\n * @returns True if user has the permission\n */\n async hasPermission(user: WorkOSUser, permission: string): Promise<boolean> {\n const permissions = await this.getPermissions(user);\n return permissions.some(p => matchesPermission(p, permission));\n }\n\n /**\n * Check if a user has ALL of the specified permissions.\n *\n * @param user - WorkOS user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has all permissions\n */\n async hasAllPermissions(user: WorkOSUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.every(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Check if a user has ANY of the specified permissions.\n *\n * @param user - WorkOS user to check\n * @param permissions - Array of permissions to check for\n * @returns True if user has at least one permission\n */\n async hasAnyPermission(user: WorkOSUser, permissions: string[]): Promise<boolean> {\n const userPermissions = await this.getPermissions(user);\n return permissions.some(required => userPermissions.some(p => matchesPermission(p, required)));\n }\n\n /**\n * Clear the roles cache.\n *\n * Call this when system-wide role changes occur.\n * For individual user changes, prefer clearUserCache() instead.\n */\n clearCache(): void {\n this.rolesCache.clear();\n }\n\n /**\n * Clear cached roles for a specific user.\n *\n * Call this when a user's roles change to ensure fresh permission resolution\n * on their next request. This is more efficient than clearing the entire cache.\n *\n * @param userId - The user ID to clear from cache\n */\n clearUserCache(userId: string): void {\n this.rolesCache.delete(userId);\n }\n\n /**\n * Get cache statistics for monitoring.\n *\n * @returns Object with cache size and max size\n */\n getCacheStats(): { size: number; maxSize: number } {\n return {\n size: this.rolesCache.size,\n maxSize: this.rolesCache.max,\n };\n }\n\n /**\n * Extract role slugs from memberships attached to the user object.\n *\n * @param user - WorkOS user with memberships\n * @returns Array of role slugs\n */\n private extractRolesFromMemberships(user: WorkOSUser): string[] {\n if (!user.memberships) {\n return [];\n }\n\n // Filter by organization if specified\n const relevantMemberships = this.options.organizationId\n ? user.memberships.filter(m => m.organizationId === this.options.organizationId)\n : user.memberships;\n\n return relevantMemberships.map(m => m.role.slug);\n }\n}\n","/**\n * WorkOS Directory Sync integration for automated user provisioning via SCIM.\n *\n * This class handles SCIM webhook events from WorkOS, enabling automated\n * user and group management when integrated with identity providers.\n */\n\nimport type { WorkOS, Directory, DirectoryUser, DirectoryGroup } from '@workos-inc/node';\n\nimport type {\n WorkOSDirectorySyncOptions,\n DirectorySyncHandlers,\n DirectorySyncUserData,\n DirectorySyncGroupData,\n} from './types.js';\n\n/**\n * Directory Sync event types from WorkOS webhooks.\n */\ntype DirectorySyncEventType =\n | 'dsync.user.created'\n | 'dsync.user.updated'\n | 'dsync.user.deleted'\n | 'dsync.group.created'\n | 'dsync.group.updated'\n | 'dsync.group.deleted'\n | 'dsync.group.user_added'\n | 'dsync.group.user_removed';\n\n/**\n * WorkOS webhook event structure for directory sync.\n */\ninterface DirectorySyncEvent {\n id: string;\n event: DirectorySyncEventType;\n data: Record<string, unknown>;\n created_at: string;\n}\n\n/**\n * WorkOSDirectorySync handles SCIM webhook events from WorkOS for automated\n * user provisioning and deprovisioning.\n *\n * @example\n * ```typescript\n * import { WorkOS } from '@workos-inc/node';\n * import { WorkOSDirectorySync } from '@mastra/auth-workos';\n *\n * const workos = new WorkOS(process.env.WORKOS_API_KEY);\n *\n * const directorySync = new WorkOSDirectorySync(workos, {\n * webhookSecret: process.env.WORKOS_WEBHOOK_SECRET,\n * handlers: {\n * onUserCreated: async (user) => {\n * await db.users.create({ email: user.emails[0]?.value });\n * },\n * onUserDeleted: async (user) => {\n * await db.users.delete({ id: user.id });\n * },\n * },\n * });\n *\n * // In your webhook endpoint:\n * app.post('/webhooks/workos', async (req, res) => {\n * const signature = req.headers['workos-signature'] as string;\n * await directorySync.handleWebhook(req.body, signature);\n * res.status(200).send('OK');\n * });\n * ```\n */\nexport class WorkOSDirectorySync {\n private workos: WorkOS;\n private webhookSecret: string;\n private handlers: DirectorySyncHandlers;\n\n /**\n * Creates a new WorkOSDirectorySync instance.\n *\n * @param workos - WorkOS client instance\n * @param options - Configuration options including webhook secret and event handlers\n * @throws Error if webhook secret is not provided\n */\n constructor(workos: WorkOS, options: WorkOSDirectorySyncOptions) {\n this.workos = workos;\n\n const webhookSecret = options.webhookSecret ?? process.env.WORKOS_WEBHOOK_SECRET;\n if (!webhookSecret) {\n throw new Error(\n 'WorkOS webhook secret is required. Provide it in options or set WORKOS_WEBHOOK_SECRET environment variable.',\n );\n }\n\n this.webhookSecret = webhookSecret;\n this.handlers = options.handlers;\n }\n\n /**\n * Handles incoming webhook events from WorkOS Directory Sync.\n *\n * This method verifies the webhook signature for security, parses the event,\n * and routes it to the appropriate handler based on the event type.\n *\n * @param payload - Raw webhook payload (string or object)\n * @param signature - WorkOS signature header for verification\n * @throws Error if signature verification fails\n */\n async handleWebhook(payload: string | object, signature: string): Promise<void> {\n // Verify the webhook signature and construct the event\n // Cast through unknown since WorkOS Event type is a union of many event types\n // Parse string payloads for the new SDK which expects objects\n const parsedPayload = typeof payload === 'string' ? JSON.parse(payload) : payload;\n const event = (await this.workos.webhooks.constructEvent({\n payload: parsedPayload as Record<string, unknown>,\n sigHeader: signature,\n secret: this.webhookSecret,\n })) as unknown as DirectorySyncEvent;\n\n // Route to appropriate handler based on event type\n try {\n await this.routeEvent(event);\n } catch (error) {\n // Log but don't crash - webhook handlers should be resilient\n console.error(`[WorkOSDirectorySync] Error handling event ${event.event}:`, error);\n }\n }\n\n /**\n * Routes a directory sync event to the appropriate handler.\n *\n * @param event - The verified webhook event\n */\n private async routeEvent(event: DirectorySyncEvent): Promise<void> {\n const { event: eventType, data } = event;\n\n switch (eventType) {\n case 'dsync.user.created':\n if (this.handlers.onUserCreated) {\n await this.handlers.onUserCreated(this.mapUserData(data));\n }\n break;\n\n case 'dsync.user.updated':\n if (this.handlers.onUserUpdated) {\n await this.handlers.onUserUpdated(this.mapUserData(data));\n }\n break;\n\n case 'dsync.user.deleted':\n if (this.handlers.onUserDeleted) {\n await this.handlers.onUserDeleted(this.mapUserData(data));\n }\n break;\n\n case 'dsync.group.created':\n if (this.handlers.onGroupCreated) {\n await this.handlers.onGroupCreated(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.updated':\n if (this.handlers.onGroupUpdated) {\n await this.handlers.onGroupUpdated(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.deleted':\n if (this.handlers.onGroupDeleted) {\n await this.handlers.onGroupDeleted(this.mapGroupData(data));\n }\n break;\n\n case 'dsync.group.user_added':\n if (this.handlers.onGroupUserAdded) {\n await this.handlers.onGroupUserAdded({\n group: this.mapGroupData(data.group as Record<string, unknown>),\n user: this.mapUserData(data.user as Record<string, unknown>),\n });\n }\n break;\n\n case 'dsync.group.user_removed':\n if (this.handlers.onGroupUserRemoved) {\n await this.handlers.onGroupUserRemoved({\n group: this.mapGroupData(data.group as Record<string, unknown>),\n user: this.mapUserData(data.user as Record<string, unknown>),\n });\n }\n break;\n\n default:\n // Unknown event type - log for debugging but don't fail\n console.warn(`[WorkOSDirectorySync] Unknown event type: ${eventType}`);\n }\n }\n\n /**\n * Maps raw webhook user data to the DirectorySyncUserData type.\n *\n * @param data - Raw user data from webhook\n * @returns Typed user data\n */\n private mapUserData(data: Record<string, unknown>): DirectorySyncUserData {\n return {\n id: data.id as string,\n directoryId: data.directory_id as string,\n organizationId: data.organization_id as string | undefined,\n idpId: data.idp_id as string,\n firstName: data.first_name as string | undefined,\n lastName: data.last_name as string | undefined,\n jobTitle: data.job_title as string | undefined,\n emails: (data.emails as Array<{ primary: boolean; type?: string; value: string }>) ?? [],\n username: data.username as string | undefined,\n groups: (data.groups as Array<{ id: string; name: string }>) ?? [],\n state: data.state as 'active' | 'inactive',\n rawAttributes: (data.raw_attributes as Record<string, unknown>) ?? {},\n customAttributes: (data.custom_attributes as Record<string, unknown>) ?? {},\n createdAt: data.created_at as string,\n updatedAt: data.updated_at as string,\n };\n }\n\n /**\n * Maps raw webhook group data to the DirectorySyncGroupData type.\n *\n * @param data - Raw group data from webhook\n * @returns Typed group data\n */\n private mapGroupData(data: Record<string, unknown>): DirectorySyncGroupData {\n return {\n id: data.id as string,\n directoryId: data.directory_id as string,\n organizationId: data.organization_id as string | undefined,\n idpId: data.idp_id as string,\n name: data.name as string,\n createdAt: data.created_at as string,\n updatedAt: data.updated_at as string,\n rawAttributes: (data.raw_attributes as Record<string, unknown>) ?? {},\n };\n }\n\n // ===========================================================================\n // Helper Methods for Directory Sync Operations\n // ===========================================================================\n\n /**\n * Lists all directories for an organization.\n *\n * @param organizationId - The WorkOS organization ID\n * @returns Array of directories\n *\n * @example\n * ```typescript\n * const directories = await directorySync.listDirectories('org_123');\n * for (const dir of directories) {\n * console.log(`Directory: ${dir.name} (${dir.type})`);\n * }\n * ```\n */\n async listDirectories(organizationId: string): Promise<Directory[]> {\n const response = await this.workos.directorySync.listDirectories({\n organizationId,\n });\n return response.data;\n }\n\n /**\n * Lists all users in a directory.\n *\n * @param directoryId - The directory ID\n * @returns Array of directory users\n *\n * @example\n * ```typescript\n * const users = await directorySync.listDirectoryUsers('directory_123');\n * for (const user of users) {\n * console.log(`User: ${user.firstName} ${user.lastName}`);\n * }\n * ```\n */\n async listDirectoryUsers(directoryId: string): Promise<DirectoryUser[]> {\n const response = await this.workos.directorySync.listUsers({\n directory: directoryId,\n });\n return response.data;\n }\n\n /**\n * Lists all groups in a directory.\n *\n * @param directoryId - The directory ID\n * @returns Array of directory groups\n *\n * @example\n * ```typescript\n * const groups = await directorySync.listDirectoryGroups('directory_123');\n * for (const group of groups) {\n * console.log(`Group: ${group.name}`);\n * }\n * ```\n */\n async listDirectoryGroups(directoryId: string): Promise<DirectoryGroup[]> {\n const response = await this.workos.directorySync.listGroups({\n directory: directoryId,\n });\n return response.data;\n }\n}\n","/**\n * WorkOS Admin Portal integration for customer self-service configuration.\n *\n * The Admin Portal allows enterprise customers to configure their own:\n * - SSO connections (SAML, OIDC)\n * - Directory Sync (SCIM)\n * - Audit log viewing and export\n * - Log streaming to SIEM systems\n *\n * @module\n */\n\nimport { GeneratePortalLinkIntent } from '@workos-inc/node';\nimport type { WorkOS } from '@workos-inc/node';\n\nimport type { AdminPortalIntent, WorkOSAdminPortalOptions } from './types.js';\n\n/**\n * Maps our AdminPortalIntent type to WorkOS GeneratePortalLinkIntent enum.\n */\nconst INTENT_MAP: Record<AdminPortalIntent, GeneratePortalLinkIntent> = {\n sso: GeneratePortalLinkIntent.SSO,\n dsync: GeneratePortalLinkIntent.DSync,\n audit_logs: GeneratePortalLinkIntent.AuditLogs,\n log_streams: GeneratePortalLinkIntent.LogStreams,\n};\n\n/**\n * Generates links to the WorkOS Admin Portal for customer self-service configuration.\n *\n * The Admin Portal provides a pre-built UI where enterprise customers can manage\n * their own identity configuration without developer intervention.\n *\n * @example\n * ```typescript\n * import { WorkOS } from '@workos-inc/node';\n * import { WorkOSAdminPortal } from '@mastra/workos';\n *\n * const workos = new WorkOS(process.env.WORKOS_API_KEY);\n * const adminPortal = new WorkOSAdminPortal(workos, {\n * returnUrl: 'https://app.example.com/settings',\n * });\n *\n * // Generate a link for SSO configuration\n * const ssoLink = await adminPortal.getPortalLink('org_01H...', 'sso');\n *\n * // Generate a link for Directory Sync configuration\n * const dsyncLink = await adminPortal.getPortalLink('org_01H...', 'dsync');\n *\n * // Redirect the user to the generated link\n * ```\n */\nexport class WorkOSAdminPortal {\n private workos: WorkOS;\n private returnUrl: string;\n\n /**\n * Creates a new WorkOSAdminPortal instance.\n *\n * @param workos - The WorkOS client instance\n * @param options - Configuration options for the Admin Portal\n */\n constructor(workos: WorkOS, options?: WorkOSAdminPortalOptions) {\n this.workos = workos;\n this.returnUrl = options?.returnUrl ?? '/';\n }\n\n /**\n * Generates a link to the WorkOS Admin Portal for a specific organization.\n *\n * The generated link is a one-time use URL that expires after a short period.\n * Users should be redirected to this link immediately after generation.\n *\n * @param organizationId - The WorkOS organization ID (e.g., 'org_01H...')\n * @param intent - The portal section to open. Determines what the user can configure:\n * - `'sso'`: Configure SSO connections (SAML, OIDC providers)\n * - `'dsync'`: Configure Directory Sync (SCIM provisioning)\n * - `'audit_logs'`: View and export audit logs\n * - `'log_streams'`: Configure log streaming to external SIEM systems\n * @returns A promise that resolves to the Admin Portal URL\n *\n * @example\n * ```typescript\n * // SSO configuration (default)\n * const link = await adminPortal.getPortalLink('org_01H...');\n *\n * // Directory Sync configuration\n * const link = await adminPortal.getPortalLink('org_01H...', 'dsync');\n *\n * // Audit logs viewing\n * const link = await adminPortal.getPortalLink('org_01H...', 'audit_logs');\n * ```\n */\n async getPortalLink(organizationId: string, intent?: AdminPortalIntent): Promise<string> {\n const result = await this.workos.portal.generateLink({\n organization: organizationId,\n intent: INTENT_MAP[intent ?? 'sso'],\n returnUrl: this.returnUrl,\n });\n\n return result.link;\n }\n}\n"]}
package/dist/index.d.ts CHANGED
@@ -1,17 +1,43 @@
1
- import type { JwtPayload } from '@mastra/auth';
2
- import type { MastraAuthProviderOptions } from '@mastra/core/server';
3
- import { MastraAuthProvider } from '@mastra/core/server';
4
- import { WorkOS } from '@workos-inc/node';
5
- type WorkosUser = JwtPayload;
6
- interface MastraAuthWorkosOptions extends MastraAuthProviderOptions<WorkosUser> {
7
- apiKey?: string;
8
- clientId?: string;
9
- }
10
- export declare class MastraAuthWorkos extends MastraAuthProvider<WorkosUser> {
11
- protected workos: WorkOS;
12
- constructor(options?: MastraAuthWorkosOptions);
13
- authenticateToken(token: string): Promise<WorkosUser | null>;
14
- authorizeUser(user: WorkosUser): Promise<boolean>;
15
- }
16
- export {};
1
+ /**
2
+ * @mastra/auth-workos
3
+ *
4
+ * Full WorkOS integration for Mastra, providing:
5
+ * - Enterprise SSO (SAML, OIDC) via AuthKit
6
+ * - User management with organization roles
7
+ * - Directory Sync (SCIM) for automated user provisioning
8
+ * - Audit log export to WorkOS for SIEM integration
9
+ * - Admin Portal for customer self-service configuration
10
+ *
11
+ * @example Basic setup with SSO and RBAC
12
+ * ```typescript
13
+ * import { MastraAuthWorkos, MastraRBACWorkos } from '@mastra/auth-workos';
14
+ *
15
+ * const mastra = new Mastra({
16
+ * server: {
17
+ * auth: new MastraAuthWorkos({
18
+ * apiKey: process.env.WORKOS_API_KEY,
19
+ * clientId: process.env.WORKOS_CLIENT_ID,
20
+ * }),
21
+ * rbac: new MastraRBACWorkos({
22
+ * apiKey: process.env.WORKOS_API_KEY,
23
+ * clientId: process.env.WORKOS_CLIENT_ID,
24
+ * roleMapping: {
25
+ * 'admin': ['*'],
26
+ * 'member': ['agents:read', 'workflows:*'],
27
+ * '_default': [],
28
+ * },
29
+ * }),
30
+ * },
31
+ * });
32
+ * ```
33
+ *
34
+ * @see https://workos.com/docs for WorkOS documentation
35
+ */
36
+ export { MastraAuthWorkos } from './auth-provider.js';
37
+ export { MastraRBACWorkos } from './rbac-provider.js';
38
+ export { WorkOSDirectorySync } from './directory-sync.js';
39
+ export { WorkOSAdminPortal } from './admin-portal.js';
40
+ export { WebSessionStorage } from './session-storage.js';
41
+ export type { WorkOSUser, MastraAuthWorkosOptions, WorkOSSSOConfig, WorkOSSessionConfig, MastraRBACWorkosOptions, PermissionCacheOptions, DirectorySyncHandlers, DirectorySyncUserData, DirectorySyncGroupData, WorkOSDirectorySyncOptions, AdminPortalIntent, WorkOSAdminPortalOptions, } from './types.js';
42
+ export { mapWorkOSUserToEEUser } from './types.js';
17
43
  //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE1C,KAAK,UAAU,GAAG,UAAU,CAAC;AAE7B,UAAU,uBAAwB,SAAQ,yBAAyB,CAAC,UAAU,CAAC;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,gBAAiB,SAAQ,kBAAkB,CAAC,UAAU,CAAC;IAClE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEb,OAAO,CAAC,EAAE,uBAAuB;IAmBvC,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAM5D,aAAa,CAAC,IAAI,EAAE,UAAU;CAerC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAGnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAGnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAGvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAGtD,YAAY,EAEV,UAAU,EAGV,uBAAuB,EACvB,eAAe,EACf,mBAAmB,EAGnB,uBAAuB,EACvB,sBAAsB,EAGtB,qBAAqB,EACrB,qBAAqB,EACrB,sBAAsB,EACtB,0BAA0B,EAG1B,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC"}