@mulverse/mulguard-core 1.0.0

package/src/providers/click-up.ts

@@ -0,0 +1,104 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#24292f", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>ClickUp</b> integration.</span>
+ * <a href="https://clickup.com">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/click-up.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/click-up
+ */
+
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/** @see [Get the authenticated user](https://clickup.com/api/clickupreference/operation/GetAuthorizedUser/)*/
+export interface ClickUpProfile {
+  user: {
+    id: number
+    username: string
+    color: string
+    profilePicture: string
+  }
+}
+
+/**
+ * Add ClickUp login to your page and make requests to [ClickUp APIs](https://clickup.com/api/).
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/clickup
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import ClickUp from "@auth/core/providers/click-up"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     ClickUp({
+ *       clientId: CLICKUP_CLIENT_ID,
+ *       clientSecret: CLICKUP_CLIENT_SECRET,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ * - [ClickUp - Authorizing OAuth Apps](https://clickup.com/api/developer-portal/authentication#oauth-flow)
+ * - [Source code](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/click-up.ts)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the ClickUp provider is
+ * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
+ *
+ * :::tip
+ *
+ * The ClickUp provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/click-up.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function ClickUp(
+  config: OAuthUserConfig<ClickUpProfile>
+): OAuthConfig<ClickUpProfile> {
+  return {
+    id: "click-up",
+    name: "ClickUp",
+    type: "oauth",
+    authorization: "https://app.clickup.com/api",
+    token: "https://api.clickup.com/api/v2/oauth/token",
+    userinfo: "https://api.clickup.com/api/v2/user",
+    clientId: config.clientId,
+    clientSecret: config.clientSecret,
+    checks: ["state"],
+    profile: (profile: ClickUpProfile) => {
+      return {
+        id: profile.user.id.toString(),
+        name: profile.user.username,
+        profilePicture: profile.user.profilePicture,
+        color: profile.user.color,
+      }
+    },
+    style: {
+      bg: "#24292f",
+      text: "#fff",
+    },
+    options: config,
+  }
+}

package/src/providers/cognito.ts

@@ -0,0 +1,94 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Cognito</b> integration.</span>
+ * <a href="https://docs.aws.amazon.com/cognito">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/cognito.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/cognito
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+export interface CognitoProfile extends Record<string, any> {
+  sub: string
+  name: string
+  email: string
+  picture: string
+}
+
+/**
+ * Add Cognito login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/cognito
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Cognito from "@auth/core/providers/cognito"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Cognito({
+ *       clientId: COGNITO_CLIENT_ID,
+ *       clientSecret: COGNITO_CLIENT_SECRET,
+ *       issuer: COGNITO_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [Cognito OAuth documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html)
+ *
+ * ### Notes
+ * You need to select your AWS region to go the the Cognito dashboard.
+ *
+ * :::tip
+ * The issuer is a URL, that looks like this: https://cognito-idp.{region}.amazonaws.com/{PoolId}
+ * :::
+ * `PoolId` is from General Settings in Cognito, not to be confused with the App Client ID.
+ * :::warning
+ * Make sure you select all the appropriate client settings or the OAuth flow will not work.
+ * :::
+ *
+ * By default, Auth.js assumes that the Cognito provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Cognito provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/cognito.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Cognito<P extends CognitoProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "cognito",
+    name: "Cognito",
+    type: "oidc",
+    style: {
+      brandColor: "#C17B9E",
+    },
+    options,
+  }
+}

package/src/providers/coinbase.ts

@@ -0,0 +1,93 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Coinbase</b> integration.</span>
+ * <a href="https://coinbase.com/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/coinbase.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/coinbase
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/**
+ * Add Coinbase login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/coinbase
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Coinbase from "@auth/core/providers/coinbase"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Coinbase({
+ *       clientId: COINBASE_CLIENT_ID,
+ *       clientSecret: COINBASE_CLIENT_SECRET,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [Coinbase OAuth documentation](https://developers.coinbase.com/api/v2)
+ *
+ * ### Notes
+ *
+ * :::tip
+ * This Provider template has a 2 hour access token to it. A refresh token is also returned.
+ * :::
+ *
+ * By default, Auth.js assumes that the Coinbase provider is
+ * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
+ *
+ * :::tip
+ *
+ * The Coinbase provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/coinbase.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Coinbase(
+  options: OAuthUserConfig<Record<string, any>>
+): OAuthConfig<Record<string, any>> {
+  return {
+    id: "coinbase",
+    name: "Coinbase",
+    type: "oauth",
+    authorization:
+      "https://login.coinbase.com/oauth2/auth?scope=wallet:user:email+wallet:user:read",
+    token: "https://login.coinbase.com/oauth2/token",
+    userinfo: "https://api.coinbase.com/v2/user",
+    profile(profile) {
+      return {
+        id: profile.data.id,
+        name: profile.data.name,
+        email: profile.data.email,
+        image: profile.data.avatar_url,
+      }
+    },
+    style: {
+      brandColor: "#0052ff",
+    },
+    options,
+  }
+}

package/src/providers/concept2.ts

@@ -0,0 +1,108 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Concept2</b> integration.</span>
+ * <a href="https://concept2.com">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/concept2.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/concept2
+ */
+
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+export interface Concept2Profile extends Record<string, any> {
+  id: number
+  username: string
+  first_name: string
+  last_name: string
+  gender: string
+  dob: string
+  email: string
+  country: string
+  profile_image: string
+  age_restricted: boolean
+  email_permission: boolean | null
+  max_heart_rate: number | null
+  weight: number | null
+  logbook_privacy: string | null
+}
+
+/**
+ * Add Concept2 login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/concept2
+ * ```
+ *
+ * #### Configuration
+ *```js
+ * import { Auth } from "@auth/core"
+ * import Concept2 from "@auth/core/providers/concept2"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Concept2({
+ *       clientId: CONCEPT2_CLIENT_ID,
+ *       clientSecret: CONCEPT2_CLIENT_SECRET
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [Concept2 OAuth documentation](https://log.concept2.com/developers/documentation/)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Concept2 provider is
+ * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
+ *
+ * :::tip
+ *
+ * The Concept2 provider comes with a [default configuration](https://github.com/mulguard/mulguard/blob/main/packages/mulguard/src/providers/concept2.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Concept2(
+  options: OAuthUserConfig<Concept2Profile>
+): OAuthConfig<Concept2Profile> {
+  return {
+    id: "concept2",
+    name: "Concept2",
+    type: "oauth",
+    authorization: {
+      url: "https://log.concept2.com/oauth/authorize",
+      params: {
+        scope: "user:read,results:write",
+      },
+    },
+    token: "https://log.concept2.com/oauth/access_token",
+    userinfo: "https://log.concept2.com/api/users/me",
+    profile(profile) {
+      return {
+        id: profile.data.id,
+        name: profile.data.username,
+        email: profile.data.email,
+        image: profile.data.profile_image,
+      }
+    },
+    options,
+  }
+}

package/src/providers/credentials.ts

@@ -0,0 +1,157 @@
+import type { CommonProviderOptions } from "./index.js"
+import type { Awaitable, User } from "../types.js"
+import type { JSX } from "preact"
+
+/**
+ * Besides providing type safety inside {@link CredentialsConfig.authorize}
+ * it also determines how the credentials input fields will be rendered
+ * on the default sign in page.
+ */
+export interface CredentialInput
+  extends Partial<JSX.IntrinsicElements["input"]> {
+  label?: string
+}
+
+/** The Credentials Provider needs to be configured. */
+export interface CredentialsConfig<
+  CredentialsInputs extends Record<string, CredentialInput> = Record<
+    string,
+    CredentialInput
+  >,
+> extends CommonProviderOptions {
+  type: "credentials"
+  credentials: CredentialsInputs
+  /**
+   * Gives full control over how you handle the credentials received from the user.
+   *
+   * :::warning
+   * There is no validation on the user inputs by default, so make sure you do so
+   * by a popular library like [Zod](https://zod.dev)
+   * :::
+   *
+   * This method expects a `User` object to be returned for a successful login.
+   *
+   * If an `CredentialsSignin` is thrown or `null` is returned, two things can happen:
+   * 1. The user is redirected to the login page, with `error=CredentialsSignin&code=credentials` in the URL. `code` is configurable, see below.
+   * 2. If you throw this error in a framework that handles form actions server-side, this error is thrown by the login form action, so you'll need to handle it there.
+   *
+   * In case of 1., generally, we recommend not hinting if the user for example gave a wrong username or password specifically,
+   * try rather something like "invalid-credentials". Try to be as generic with client-side errors as possible.
+   *
+   * To customize the error code, you can create a custom error that extends {@link CredentialsSignin} and throw it in `authorize`.
+   *
+   * @example
+   * ```ts
+   * class CustomError extends CredentialsSignin {
+   *  code = "custom_error"
+   * }
+   * // URL will contain `error=CredentialsSignin&code=custom_error`
+   * ```
+   *
+   * @example
+   * ```ts
+   * async authorize(credentials, request) { // you have access to the original request as well
+   *   if(!isValidCredentials(credentials)) {
+   *      throw new CustomError()
+   *   }
+   *   return await getUser(credentials) // assuming it returns a User or null
+   * }
+   * ```
+   */
+  authorize: (
+    /**
+     * The available keys are determined by {@link CredentialInput}.
+     *
+     * @note The existence/correctness of a field cannot be guaranteed at compile time,
+     * so you should always validate the input before using it.
+     *
+     * You can add basic validation depending on your use case,
+     * or you can use a popular library like [Zod](https://zod.dev) for example.
+     */
+    credentials: Partial<Record<keyof CredentialsInputs, unknown>>,
+    /** The original request. */
+    request: Request
+  ) => Awaitable<User | null>
+}
+
+export type CredentialsProviderId = "credentials"
+
+/**
+ * The Credentials provider allows you to handle signing in with arbitrary credentials,
+ * such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).
+ *
+ * It is intended to support use cases where you have an existing system you need to authenticate users against.
+ *
+ * It comes with the constraint that users authenticated in this manner are not persisted in the database,
+ * and consequently that the Credentials provider can only be used if JSON Web Tokens are enabled for sessions.
+ *
+ * :::caution
+ * The functionality provided for credentials-based authentication is intentionally limited to discourage the use of passwords due to the inherent security risks of the username-password model.
+ *
+ * OAuth providers spend significant amounts of money, time, and engineering effort to build:
+ *
+ * - abuse detection (bot-protection, rate-limiting)
+ * - password management (password reset, credential stuffing, rotation)
+ * - data security (encryption/salting, strength validation)
+ *
+ * and much more for authentication solutions. It is likely that your application would benefit from leveraging these battle-tested solutions rather than try to rebuild them from scratch.
+ *
+ * If you'd still like to build password-based authentication for your application despite these risks, Auth.js gives you full control to do so.
+ *
+ * :::
+ *
+ * See the [callbacks documentation](/reference/core#authconfig#callbacks) for more information on how to interact with the token. For example, you can add additional information to the token by returning an object from the `jwt()` callback:
+ *
+ * ```ts
+ * callbacks: {
+ *   async jwt({ token, user, account, profile, isNewUser }) {
+ *     if (user) {
+ *       token.id = user.id
+ *     }
+ *     return token
+ *   }
+ * }
+ * ```
+ *
+ * @example
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import Credentials from "@auth/core/providers/credentials"
+ *
+ * const request = new Request("https://example.com")
+ * const response = await AuthHandler(request, {
+ *   providers: [
+ *     Credentials({
+ *       credentials: {
+ *         username: { label: "Username" },
+ *         password: {  label: "Password", type: "password" }
+ *       },
+ *       async authorize({ request }) {
+ *         const response = await fetch(request)
+ *         if(!response.ok) return null
+ *         return await response.json() ?? null
+ *       }
+ *     })
+ *   ],
+ *   secret: "...",
+ *   trustHost: true,
+ * })
+ * ```
+ * @see [Username/Password Example](https://authjs.dev/getting-started/authentication/credentials)
+ */
+export default function Credentials<
+  CredentialsInputs extends Record<string, CredentialInput> = Record<
+    string,
+    CredentialInput
+  >,
+>(config: Partial<CredentialsConfig<CredentialsInputs>>): CredentialsConfig {
+  return {
+    id: "credentials",
+    name: "Credentials",
+    type: "credentials",
+    credentials: {},
+    authorize: () => null,
+    // @ts-expect-error
+    options: config,
+  }
+}

package/src/providers/descope.ts

@@ -0,0 +1,105 @@
+/**
+ * <div class="provider" style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>Descope</b> integration.
+ * </span>
+ * <a href="https://descope.com" style={{backgroundColor: "#000000", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/descope.svg" width="24"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/descope
+ */
+
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/** The returned user profile from Descope when using the profile callback.
+ * [See Load User](https://docs.descope.com/api/openapi/usermanagement/operation/LoadUser/)
+ */
+export interface DescopeProfile {
+  /** The user's unique Descope ID */
+  sub: string
+  /** The user's name */
+  name: string
+  /** The user's email */
+  email: string
+  /** A boolean indicating if the user's email is verified */
+  email_verified: boolean
+  /** The user's phone number */
+  phone_number: string
+  /** A boolean indicating if the user's phone number is verified */
+  phone_number_verified: boolean
+  /** The user's picture */
+  picture: string
+  /** The user's custom attributes */
+  [claim: string]: unknown
+}
+
+/**
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/descope
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import Descope from "@auth/core/providers/descope"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, { providers: [Descope({ clientId: AUTH_DESCOPE_ID, clientSecret: AUTH_DESCOPE_SECRET, issuer: AUTH_DESCOPE_ISSUER })] })
+ * ```
+ *
+ * ### Configuring Descope
+ *
+ * Follow these steps:
+ *
+ * 1. Log into the [Descope console](https://app.descope.com)
+ * 2. Follow the [OIDC instructions](https://docs.descope.com/customize/auth/oidc)
+ *
+ * Then, create a `.env.local` file in the project root add the following entries:
+ *
+ * Get the following from the Descope's console:
+ * ```
+ * AUTH_DESCOPE_ID="<Descope Issuer's last url segment>" # Descope's Issuer can be found in "Authentication Methods > SSO > Identity Provider" (Can also be taken from "Project > Project ID")
+ * AUTH_DESCOPE_SECRET="<Descope Access Key>" # Manage > Access Keys
+ * AUTH_DESCOPE_ISSUER="<Descope Issuer URL>" # Applications -> OIDC Application -> Issuer
+ * ```
+ *
+ * ### Resources
+ *
+ * - [Descope OIDC](https://docs.descope.com/customize/auth/oidc)
+ * - [Descope Flows](https://docs.descope.com/customize/flows)
+ *
+ * ### Notes
+ *
+ * The Descope provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/descope.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::info
+ * By default, Auth.js assumes that the Descope provider is based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) spec
+ * :::
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function Descope(
+  config: OIDCUserConfig<DescopeProfile>
+): OIDCConfig<DescopeProfile> {
+  config.issuer ??= `https://api.descope.com/${config.clientId}`
+  return {
+    id: "descope",
+    name: "Descope",
+    type: "oidc",
+    style: { bg: "#1C1C23", text: "#ffffff" },
+    checks: ["pkce", "state"],
+    options: config,
+  }
+}