@mulverse/mulguard-core 1.0.0

package/src/providers/azure-ad-b2c.ts

@@ -0,0 +1,124 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD B2C</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad-b2c
+ */
+
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/** @see [Claims](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#claims) */
+export interface AzureADB2CProfile {
+  exp: number
+  nbf: number
+  ver: string
+  iss: string
+  sub: string
+  aud: string
+  iat: number
+  auth_time: number
+  oid: string
+  country: string
+  name: string
+  postalCode: string
+  emails: string[]
+  tfp: string
+  preferred_username: string
+}
+
+/**
+ * Add Azure AD B2C login to your page.
+ *
+ *
+ * ## Configuration
+ *
+ * ### Basic
+ *
+ * Basic configuration sets up Azure AD B2C to return an ID Token. This should be done as a prerequisite prior to running through the Advanced configuration.
+ *
+ * 1. [Azure AD B2C Tenant](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant)
+ * 2. [App Registration](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications)
+ * 3. [User Flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows)
+ *
+ * For the step "User attributes and token claims" set the following:
+ *
+ * - Collect attribute:
+ *   - Email Address
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ * - Return claim:
+ *   - Email Addresses
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ *   - Identity Provider
+ *   - Identity Provider Access Token
+ *   - User's Object ID
+ *
+ * @example
+ *
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import AzureADB2C from "@auth/core/providers/azure-ad-b2c"
+ *
+ * const request = new Request("https://example.com")
+ * const response = await AuthHandler(request, {
+ *   // optionally, you can pass `tenantId` and `primaryUserFlow` instead of `issuer`
+ *   providers: [AzureADB2C({ clientId: "", clientSecret: "", issuer: "" })],
+ * })
+ * ```
+ *
+ * ---
+ *
+ * ### Resources
+ *
+ * - [Azure Active Directory B2C documentation](https://learn.microsoft.com/en-us/azure/active-directory-b2c)
+ *
+ * ---
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Azure AD B2C provider is
+ * based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Azure AD B2C provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/azure-ad-b2c.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function AzureADB2C(
+  options: OIDCUserConfig<AzureADB2CProfile>
+): OIDCConfig<AzureADB2CProfile> {
+  return {
+    id: "azure-ad-b2c",
+    name: "Azure AD B2C",
+    type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name ?? profile.preferred_username,
+        email: profile?.emails?.[0],
+        image: null,
+      }
+    },
+    style: { text: "#fff", bg: "#0072c6" },
+    options,
+  }
+}

package/src/providers/azure-ad.ts

@@ -0,0 +1,30 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure-ad.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad
+ */
+import MicrosoftEntraID, {
+  MicrosoftEntraIDProfile,
+} from "./microsoft-entra-id.js"
+
+export type AzureADProfile = MicrosoftEntraIDProfile
+
+/**
+ * @deprecated
+ * Azure Active Directory has been renamed to [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id).
+ * Import this provider from the `providers/microsoft-entra-id` submodule instead of `providers/azure-ad`.
+ */
+export default function AzureAD(
+  config: Parameters<typeof MicrosoftEntraID>[0]
+): ReturnType<typeof MicrosoftEntraID> {
+  return {
+    ...MicrosoftEntraID(config),
+    id: "azure-ad",
+    name: "Azure Active Directory",
+  }
+}

package/src/providers/azure-devops.ts

@@ -0,0 +1,184 @@
+import { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/** @see [Azure DevOps Services REST API 7.0 · Profiles · Get](https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.0&tabs=HTTP#examples) */
+export interface AzureDevOpsProfile extends Record<string, any> {
+  id: string
+  displayName: string
+  emailAddress: string
+  coreAttributes: { Avatar: { value: { value: string } } }
+}
+
+/**
+ *
+ * @deprecated
+ * While still available, Microsoft is [no longer supporting](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#available-oauth-models) Azure DevOps OAuth and recommends using [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id) instead.
+ *
+ * ## Documentation
+ *
+ * [Microsoft Docs](https://docs.microsoft.com/en-us) · [Azure DevOps](https://docs.microsoft.com/en-us/azure/devops/) · [Authorize access to REST APIs with OAuth 2.0](https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops])
+ *
+ * ## Configuration
+ *
+ * ### Register application
+ *
+ * :::tip
+ * [`https://app.vsaex.visualstudio.com/app/register`](https://app.vsaex.visualstudio.com/app/register)
+ * :::
+ *
+ * Provide the required details:
+ *
+ * - Company name
+ * - Application name
+ * - Application website
+ * - Authorization callback URL
+ *   - `https://example.com/api/auth/callback/azure-devops` for production
+ *   - `https://localhost/api/auth/callback/azure-devops` for development
+ * - Authorized scopes
+ *   - Required minimum is `User profile (read)`
+ *
+ * Click ‘Create Application’
+ *
+ * :::warning
+ * You are required to use HTTPS even for the localhost
+ * :::
+ *
+ * :::warning
+ * You will have to delete and create a new application to change the scopes later
+ * :::
+ *
+ * The following data is relevant for the next step:
+ *
+ * - App ID
+ * - Client Secret (after clicking the ‘Show’ button, ignore App Secret entry above it)
+ * - Authorized Scopes
+ *
+ * ### Set up the environment variables
+ *
+ * In `.env.local` create the following entries:
+ *
+ * ```
+ * AZURE_DEVOPS_APP_ID=<copy App ID value here>
+ * AZURE_DEVOPS_CLIENT_SECRET=<copy generated client secret value here>
+ * AZURE_DEVOPS_SCOPE=<copy space separated Authorized Scopes list here>
+ * ```
+ *
+ * ## Example
+ *
+ * ```ts
+ * import AzureDevOps from "@auth/core/providers/azure-devops"
+ * ...
+ * providers: [
+ *   AzureDevOps({
+ *     clientId: process.env.AZURE_DEVOPS_APP_ID,
+ *     clientSecret: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *     scope: process.env.AZURE_DEVOPS_SCOPE,
+ *   }),
+ * ]
+ * ...
+ * ```
+ *
+ * ### Refresh token rotation
+ *
+ * Use the [main guide](/guides/basics/refresh-token-rotation) as your starting point with the following considerations:
+ *
+ * ```ts
+ * async jwt({ token, user, account }) {
+ *   ...
+ *   // The token has an absolute expiration time
+ *   const accessTokenExpires = account.expires_at * 1000
+ *   ...
+ * }
+ *
+ * async function refreshAccessToken(token) {
+ *   ...
+ *   const response = await fetch(
+ *     "https://app.vssps.visualstudio.com/oauth2/token",
+ *     {
+ *       headers: { "Content-Type": "application/x-www-form-urlencoded" },
+ *       method: "POST",
+ *       body: new URLSearchParams({
+ *         client_assertion_type:
+ *           "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+ *         client_assertion: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *         grant_type: "refresh_token",
+ *         assertion: token.refreshToken,
+ *         redirect_uri:
+ *           process.env.NEXTAUTH_URL + "/api/auth/callback/azure-devops",
+ *       }),
+ *     }
+ *   )
+ *   ...
+ *   // The refreshed token comes with a relative expiration time
+ *   const accessTokenExpires = Date.now() + newToken.expires_in * 1000
+ *   ...
+ * }
+ * ```
+ */
+export default function AzureDevOpsProvider<P extends AzureDevOpsProfile>(
+  options: OAuthUserConfig<P> & {
+    /**
+     * https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#scopes
+     * @default vso.profile
+     */
+    scope?: string
+  }
+): OAuthConfig<P> {
+  const scope = options.scope ?? "vso.profile"
+  const tokenEndpointUrl = "https://app.vssps.visualstudio.com/oauth2/authorize"
+  const userInfoEndpointUrl =
+    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?details=true&coreAttributes=Avatar&api-version=6.0"
+
+  return {
+    id: "azure-devops",
+    name: "Azure DevOps",
+    type: "oauth",
+
+    authorization: {
+      url: "https://app.vssps.visualstudio.com/oauth2/authorize",
+      params: { response_type: "Assertion", scope },
+    },
+
+    token: {
+      url: tokenEndpointUrl,
+      async request(context) {
+        const response = await fetch(tokenEndpointUrl, {
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          method: "POST",
+          body: new URLSearchParams({
+            client_assertion_type:
+              "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            client_assertion: context.provider.clientSecret as string,
+            grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+            assertion: context.params.code as string,
+            redirect_uri: context.provider.callbackUrl,
+          }),
+        })
+        return { tokens: await response.json() }
+      },
+    },
+
+    userinfo: {
+      url: userInfoEndpointUrl,
+      async request(context) {
+        const accessToken = context.tokens.access_token as string
+        const response = await fetch(userInfoEndpointUrl, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+          },
+        })
+        return response.json()
+      },
+    },
+
+    profile(profile) {
+      return {
+        id: profile.id,
+        name: profile.displayName,
+        email: profile.emailAddress,
+        image: `data:image/jpeg;base64,${profile.coreAttributes.Avatar.value.value}`,
+      }
+    },
+
+    options,
+  }
+}

package/src/providers/bankid-no.ts

@@ -0,0 +1,161 @@
+/**
+ * <div class="provider" style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>BankID Norway</b> integration.
+ * </span>
+ * <a href="https://bankid.no" style={{backgroundColor: "black", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/bankid-no.svg" width="24"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/bankid-no
+ */
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/**
+ * @see [Core conepts - ID Token](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/id-token)
+ * @see [userinfo](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/userinfo)
+ */
+export interface BankIDNorwayProfile {
+  exp: number
+  iat: number
+  /** Epoc time */
+  auth_time: number
+  jti: string
+  iss: string
+  /** Always client_id */
+  aud: string
+  sub: string
+  typ: "ID"
+  /** Equals client_id */
+  azp: string
+  session_state: string
+  at_hash: string
+  name: string
+  given_name: string
+  family_name: string
+  birthdate: string
+  updated_at: number
+  /**
+   * Uniform Resource Name for [IDP option](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/identity-providers) being used,
+   * including Level of Assurance (LoA).
+   * @example
+   * ```
+   * urn:bankid:bid;LOA=4
+   * ```
+   */
+  acr: string
+  sid: string
+  /**
+   * Name of [IDP option](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/identity-providers) being used to authenticate the end-user.
+   * If the end-user is subject to authentication step-up,
+   * note that this value may differ from any `amr` value specified
+   * in the `login_hint` parameter of the [authorize](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/authorize) endpoint.
+   */
+  amr: "BID" | "BIM" | "BIS"
+  /** Personal Identifier (PID) / Serial Number) from associated BankID certificate. */
+  bankid_altsub: string
+  /**
+   * In case of BID or BIM, the issuer of the end user certificate is returned.
+   * @example
+   * ```
+   * CN=BankID Bankenes ID-tjeneste Bank CA 2,
+   * OU=988477052,
+   * O=Bankenes ID-tjeneste AS,*
+   * C=NO;OrginatorId=9775;OriginatorName=Gjensidige Bank RA 1
+   * ```
+   */
+  originator: string
+  additionalCertInfo: {
+    certValidFrom: number
+    serialNumber: string
+    keyAlgorithm: string
+    keySize: string
+    policyOid: string
+    certQualified: boolean
+    certValidTo: number
+    versionNumber: string
+    subjectName: string
+  }
+  /** Currently used as an input parameter for the [securityData](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/securitydata) endpoint of the [Fraud Data](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/advanced-topics/fraud-data) service */
+  tid: string
+  /** Only returned from the `userinfo_endpoint` */
+  email?: string
+  /**
+   * [Norwegian National Identity Number (fødselsnummer)](https://www.skatteetaten.no/en/person/foreign/norwegian-identification-number/national-identity-number). It can be an alternative to `sub`.
+   * Requires `nnin_altsub` scope at the [authorize](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/authorize) endpoint.
+   * @example
+   * ```
+   * 181266*****
+   * ```
+   */
+  nnin_altsub?: string
+}
+
+/**
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/bankid-no
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import BankIDNorge from "@auth/core/providers/bankid-no"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Auth0({
+ *       clientId: AUTH_BANKID_NO_ID,
+ *       clientSecret: AUTH_BANKID_NO_SECRET,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ * - [OpenID Connect Provider from BankID](https://confluence.bankidnorge.no/confluence/pdoidcl)
+ *
+ * ### Notes
+ *
+ * The BankID Norge provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/bankid-no.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function BankIDNorway(
+  config: OIDCUserConfig<BankIDNorwayProfile>
+): OIDCConfig<BankIDNorwayProfile> {
+  return {
+    id: "bankid-no",
+    name: "BankID Norge",
+    type: "oidc",
+    issuer: "https://auth.bankid.no/auth/realms/prod",
+    client: {
+      token_endpoint_auth_method: "client_secret_post",
+      userinfo_signed_response_alg: "RS256",
+    },
+    idToken: false,
+    authorization: { params: { ui_locales: "no", login_hint: "BIS" } },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: null,
+      }
+    },
+    checks: ["pkce", "state", "nonce"],
+    style: { text: "#fff", bg: "#39134c" },
+    options: config,
+  }
+}

package/src/providers/battlenet.ts

@@ -0,0 +1,107 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Battle.net</b> integration.</span>
+ * <a href="https://Battle.net/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/battlenet.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/battlenet
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+export interface BattleNetProfile extends Record<string, any> {
+  sub: string
+  battle_tag: string
+}
+
+/** See the [available regions](https://develop.battle.net/documentation/guides/regionality-and-apis) */
+export type BattleNetIssuer =
+  | "https://oauth.battle.net"
+  | "https://oauth.battlenet.com.cn"
+  | "https://www.battlenet.com.cn/oauth"
+  | `https://${"us" | "eu" | "kr" | "tw"}.battle.net/oauth`
+
+/**
+ * Add Battle.net login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/battlenet
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import BattleNet from "@auth/core/providers/battlenet"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     BattleNet({
+ *       clientId: BATTLENET_CLIENT_ID,
+ *       clientSecret: BATTLENET_CLIENT_SECRET,
+ *       issuer: BATTLENET_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ * issuer must be one of these values, based on the available regions:
+ * ```
+ * type BattleNetIssuer =
+ *   | "https://oauth.battle.net"
+ *   | "https://oauth.battlenet.com.cn"
+ *   | "https://www.battlenet.com.cn/oauth"
+ *   | "https://us.battle.net/oauth"
+ *   | "https://eu.battle.net/oauth"
+ *   | "https://kr.battle.net/oauth"
+ *   | "https://tw.battle.net/oauth"
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [BattleNet OAuth documentation](https://develop.battle.net/documentation/guides/using-oauth)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the BattleNet provider is
+ * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
+ *
+ * :::tip
+ *
+ * The BattleNet provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/battlenet.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function BattleNet<P extends BattleNetProfile>(
+  options: OAuthUserConfig<P> & { issuer: BattleNetIssuer }
+): OAuthConfig<P> {
+  return {
+    id: "battlenet",
+    name: "Battle.net",
+    type: "oidc",
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.battle_tag,
+        email: null,
+        image: null,
+      }
+    },
+    style: { bg: "#148eff", text: "#fff" },
+    options,
+  }
+}