@ouim/logto-authkit 0.3.0

package/dist/navigation.d.ts

@@ -0,0 +1,10 @@
+import React from 'react';
+import type { NavigationOptions } from './types.js';
+type NavigateFunction = (url: string, options?: NavigationOptions) => void;
+interface NavigationProviderProps {
+    children: React.ReactNode;
+    customNavigate?: NavigateFunction;
+}
+export declare const NavigationProvider: ({ children, customNavigate }: NavigationProviderProps) => import("react/jsx-runtime").JSX.Element;
+export declare const useNavigation: () => NavigateFunction;
+export {};

package/dist/server/authorization.d.ts

@@ -0,0 +1,53 @@
+import type { AuthContext, AuthPayload } from './types.js';
+export type AuthorizationMode = 'all' | 'any';
+export interface ScopeCheckOptions {
+    mode?: AuthorizationMode;
+}
+export interface RoleCheckOptions {
+    claimKeys?: string[];
+}
+type AuthSubject = AuthContext | AuthPayload | null | undefined;
+/**
+ * Return `true` when the token payload contains the requested scopes.
+ *
+ * Accepts either a raw `AuthPayload` or a full `AuthContext`. Scope comparison is
+ * whitespace-delimited to match the standard OAuth `scope` claim shape used by Logto.
+ *
+ * @example
+ * hasScopes(auth.payload, ['read:profile', 'write:profile'])
+ * hasScopes(auth, ['read:profile', 'write:profile'], { mode: 'any' })
+ */
+export declare function hasScopes(subject: AuthSubject, scopes: string | string[], options?: ScopeCheckOptions): boolean;
+/**
+ * Assert that the token payload contains the requested scopes.
+ *
+ * Throws a descriptive error listing the missing scopes when the check fails.
+ *
+ * @example
+ * requireScopes(auth, ['read:profile', 'write:profile'])
+ * requireScopes(payload, ['admin:read', 'admin:write'], { mode: 'any' })
+ */
+export declare function requireScopes(subject: AuthSubject, scopes: string | string[], options?: ScopeCheckOptions): void;
+/**
+ * Return `true` when the token payload contains the requested role.
+ *
+ * By default the helper checks `roles` first and then `role`. Override
+ * `claimKeys` when your tenant emits roles under a custom claim name.
+ *
+ * @example
+ * hasRole(auth, 'admin')
+ * hasRole(auth.payload, 'support', { claimKeys: ['https://example.com/roles'] })
+ */
+export declare function hasRole(subject: AuthSubject, role: string, options?: RoleCheckOptions): boolean;
+/**
+ * Assert that the token payload contains the requested role.
+ *
+ * Throws a descriptive error when the role claim is missing or does not contain
+ * the required role.
+ *
+ * @example
+ * requireRole(auth, 'admin')
+ * requireRole(payload, 'tenant:owner', { claimKeys: ['https://example.com/roles'] })
+ */
+export declare function requireRole(subject: AuthSubject, role: string, options?: RoleCheckOptions): void;
+export {};

package/dist/server/csrf.d.ts

@@ -0,0 +1,247 @@
+/**
+ * CSRF Protection Helpers for `@ouim/logto-authkit`
+ *
+ * Implements the **Double-Submit Cookie** pattern — the most portable stateless
+ * CSRF defence that requires no server-side session storage.
+ *
+ * ─────────────────────────────────────────────────────────────────────────────
+ * THREAT MODEL
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * WHAT IS CSRF?
+ * A Cross-Site Request Forgery attack tricks a victim's authenticated browser
+ * into making a state-changing request (POST/PUT/DELETE) to your API.  Because
+ * browsers automatically include cookies with cross-origin requests, the server
+ * sees what appears to be a legitimate authenticated request even though the
+ * user never intended to make it.
+ *
+ * JWT cookies are NOT immune.  If `logto_authtoken` is a `SameSite=Lax` cookie
+ * (the browser default when `SameSite` is omitted), cross-site top-level
+ * navigations (e.g. a form POST from an attacker's page) will include it.
+ * Even `SameSite=Strict` cookies are sent in some redirect flows and are not
+ * universally enforced across all browser versions.
+ *
+ * HOW THE DOUBLE-SUBMIT COOKIE PATTERN WORKS:
+ *   1. The server generates a random token and sets it in a **non-HttpOnly**
+ *      cookie (the browser's same-origin policy keeps it readable only to your
+ *      own JavaScript, not to scripts on other origins).
+ *   2. For every mutating request (POST, PUT, PATCH, DELETE), client-side JS
+ *      reads the CSRF cookie value and sends it as a custom request header
+ *      (e.g. `X-CSRF-Token`).
+ *   3. The server middleware compares the header value to the cookie value.
+ *      A mismatch → 403 Forbidden.
+ *
+ * WHY AN ATTACKER CAN'T FORGE THIS:
+ *   - Cross-origin JavaScript cannot read cookies from your domain
+ *     (same-origin policy).
+ *   - Cross-origin requests cannot set custom headers without a successful
+ *     CORS preflight, which your server controls.
+ *   - An attacker who can read your cookies has already achieved XSS on your
+ *     domain — CSRF is no longer the threat at that point.
+ *
+ * LIMITATIONS / NOTES:
+ *   - CSRF protection is complementary to, not a replacement for, a strict
+ *     Content-Security-Policy and XSS hardening.
+ *   - `SameSite=Strict` on the *auth* cookie provides strong CSRF protection
+ *     on its own for modern browsers: the browser withholds the cookie on all
+ *     cross-site requests, including cross-site form POSTs. The double-submit
+ *     pattern here is defence-in-depth for older browsers and programmatic
+ *     enforcement when you want to verify CSRF explicitly in middleware logic.
+ *   - The CSRF cookie is intentionally **not** `HttpOnly` — the client JS
+ *     must be able to read it.  Do not store anything sensitive in it.
+ *   - Safe HTTP methods (GET, HEAD, OPTIONS, TRACE) are exempt from CSRF
+ *     validation.  Ensure your API does not use GET for state changes.
+ *
+ * ─────────────────────────────────────────────────────────────────────────────
+ * QUICK-START — Express
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * ```ts
+ * import express from 'express';
+ * import { createExpressAuthMiddleware } from '@ouim/logto-authkit/server';
+ * import { createCsrfMiddleware, generateCsrfToken, buildCsrfCookieHeader } from '@ouim/logto-authkit/server';
+ *
+ * const app = express();
+ *
+ * // Mount CSRF middleware on all routes that mutate state.
+ * // The middleware sets the CSRF cookie on GET requests (if absent)
+ * // and validates it on POST/PUT/PATCH/DELETE.
+ * app.use(createCsrfMiddleware());
+ *
+ * // Auth middleware can be layered on top.
+ * app.use('/api', createExpressAuthMiddleware({ logtoUrl: process.env.LOGTO_ENDPOINT }));
+ * ```
+ *
+ * Client-side fetch helper:
+ * ```ts
+ * function getCsrfToken(): string {
+ *   return document.cookie
+ *     .split('; ')
+ *     .find(c => c.startsWith('logto_csrf_token='))
+ *     ?.split('=')[1] ?? '';
+ * }
+ *
+ * // HTTP headers are case-insensitive; use lowercase to match CSRF_HEADER_NAME
+ * await fetch('/api/data', {
+ *   method: 'POST',
+ *   headers: { 'x-csrf-token': getCsrfToken(), 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ ... }),
+ * });
+ * ```
+ *
+ * ─────────────────────────────────────────────────────────────────────────────
+ * QUICK-START — Next.js
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * ```ts
+ * // app/api/data/route.ts
+ * import { NextRequest, NextResponse } from 'next/server';
+ * import { verifyCsrfToken, generateCsrfToken, buildCsrfCookieHeader } from '@ouim/logto-authkit/server';
+ *
+ * // GET — issue a fresh CSRF token
+ * export async function GET() {
+ *   const token = generateCsrfToken();
+ *   return new Response(JSON.stringify({ csrfToken: token }), {
+ *     headers: { 'Set-Cookie': buildCsrfCookieHeader(token) },
+ *   });
+ * }
+ *
+ * // POST — validate the CSRF token before processing
+ * export async function POST(request: NextRequest) {
+ *   const csrf = verifyCsrfToken(request);
+ *   if (!csrf.valid) {
+ *     return NextResponse.json({ error: csrf.error }, { status: 403 });
+ *   }
+ *   // ... process the request
+ * }
+ * ```
+ */
+import type { ExpressRequest, ExpressResponse, ExpressNext, NextRequest } from './types.js';
+/** Default name for the CSRF token cookie (non-HttpOnly, readable by JS). */
+export declare const CSRF_COOKIE_NAME = "logto_csrf_token";
+/** Default request header that clients must send the CSRF token in. */
+export declare const CSRF_HEADER_NAME = "x-csrf-token";
+/**
+ * Generate a cryptographically random CSRF token string.
+ *
+ * Uses `randomUUID` from `node:crypto` (available since Node.js 14.17,
+ * works in both CJS and ESM builds). Provides 122 bits of entropy —
+ * sufficient for CSRF tokens.
+ *
+ * @example
+ * import { generateCsrfToken } from '@ouim/logto-authkit/server';
+ *
+ * const csrfToken = generateCsrfToken();
+ * // Store it in a cookie or send it to the client in a bootstrap response
+ */
+export declare function generateCsrfToken(): string;
+/**
+ * Build a `Set-Cookie` header string for the CSRF token cookie.
+ *
+ * The cookie is deliberately **not** `HttpOnly` — client-side JavaScript must
+ * be able to read this value and send it as a request header.  An attacker on
+ * a different origin cannot read it because of the browser's same-origin policy.
+ *
+ * @param {string} token - The CSRF token value (from `generateCsrfToken()`).
+ * @param {object} [options]
+ * @param {string} [options.cookieName='logto_csrf_token'] - Cookie name.
+ * @param {number} [options.maxAge=86400] - Cookie lifetime in seconds (default: 1 day).
+ * @param {string} [options.domain] - Cookie domain (omit for current host).
+ * @param {string} [options.path='/'] - Cookie path.
+ * @param {'Strict'|'Lax'} [options.sameSite='Strict'] - SameSite policy.
+ *   `'None'` is intentionally excluded: CSRF cookies sent to third parties
+ *   defeat the purpose of the double-submit pattern.
+ *
+ * @returns {string} A complete `Set-Cookie` header value.
+ *
+ * @example
+ * import { generateCsrfToken, buildCsrfCookieHeader } from '@ouim/logto-authkit/server';
+ *
+ * const token = generateCsrfToken();
+ * const cookie = buildCsrfCookieHeader(token, { sameSite: 'Strict' });
+ * res.setHeader('Set-Cookie', cookie);
+ */
+export declare function buildCsrfCookieHeader(token: string, options?: {
+    cookieName?: string;
+    maxAge?: number;
+    domain?: string;
+    path?: string;
+    sameSite?: 'Strict' | 'Lax';
+}): string;
+/** Options for {@link createCsrfMiddleware}. */
+export interface CsrfMiddlewareOptions {
+    /** Cookie name to read/write the CSRF token. Default: `'logto_csrf_token'`. */
+    cookieName?: string;
+    /** Request header clients must send the CSRF token in. Default: `'x-csrf-token'`. */
+    headerName?: string;
+    /** Cookie domain to set when issuing a new CSRF token. */
+    domain?: string;
+    /** Cookie path. Default: `'/'`. */
+    path?: string;
+    /** Cookie `SameSite` policy. Default: `'Strict'`. */
+    sameSite?: 'Strict' | 'Lax';
+    /** Cookie lifetime in seconds. Default: `86400` (1 day). */
+    maxAge?: number;
+}
+/**
+ * Express middleware that implements CSRF double-submit cookie protection.
+ *
+ * **Behaviour:**
+ * - **Safe methods** (GET, HEAD, OPTIONS, TRACE): if no CSRF cookie is present,
+ *   a new token is generated and set via `Set-Cookie`. The request is passed
+ *   through unconditionally.
+ * - **Unsafe methods** (POST, PUT, PATCH, DELETE, …): the `X-CSRF-Token` header
+ *   value is compared to the CSRF cookie value.  A mismatch returns `403 Forbidden`.
+ *
+ * Mount this middleware **before** your auth middleware so CSRF errors are caught
+ * even on unauthenticated requests (defence-in-depth).
+ *
+ * @example
+ * import { createCsrfMiddleware } from '@ouim/logto-authkit/server';
+ *
+ * // Apply globally
+ * app.use(createCsrfMiddleware());
+ *
+ * // Apply only to API routes
+ * app.use('/api', createCsrfMiddleware({ sameSite: 'Lax' }));
+ */
+export declare function createCsrfMiddleware(options?: CsrfMiddlewareOptions): (req: ExpressRequest, res: ExpressResponse, next: ExpressNext) => void;
+/** Result returned by {@link verifyCsrfToken}. */
+export interface CsrfVerifyResult {
+    /** `true` if the CSRF token is present and matches. */
+    valid: boolean;
+    /** Human-readable reason for failure (only set when `valid` is `false`). */
+    error?: string;
+}
+/**
+ * Verify the CSRF double-submit token for a Next.js request.
+ *
+ * Compares the value in the `X-CSRF-Token` request header against the
+ * `logto_csrf_token` cookie.  Returns `{ valid: true }` on success or
+ * `{ valid: false, error: '...' }` on failure.
+ *
+ * Intended for use in Next.js Route Handlers and Middleware for mutating
+ * endpoints (POST, PUT, PATCH, DELETE).
+ *
+ * @param {NextRequest} request - The incoming Next.js request object.
+ * @param {object} [options]
+ * @param {string} [options.cookieName='logto_csrf_token'] - Cookie name to read.
+ * @param {string} [options.headerName='x-csrf-token'] - Header name to read.
+ *
+ * @returns {CsrfVerifyResult}
+ *
+ * @example
+ * import { verifyCsrfToken } from '@ouim/logto-authkit/server';
+ *
+ * export async function POST(request: NextRequest) {
+ *   const csrf = verifyCsrfToken(request);
+ *   if (!csrf.valid) {
+ *     return NextResponse.json({ error: csrf.error }, { status: 403 });
+ *   }
+ *   // proceed with request handling
+ * }
+ */
+export declare function verifyCsrfToken(request: NextRequest, options?: {
+    cookieName?: string;
+    headerName?: string;
+}): CsrfVerifyResult;

package/dist/server/index.cjs

@@ -0,0 +1 @@
+"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const $=require("jose"),D=require("cookie-parser"),O=require("node:crypto");function x(e){return typeof e=="object"&&e!==null&&"get"in e&&typeof e.get=="function"}function K(e){return typeof e=="object"&&e!==null}function L(e){return typeof e=="object"&&e!==null}const l=new Map,P=300*1e3;function J(e){return`${e.replace(/\/+$/,"")}/oidc`}function f(e,t="guest_logto_authtoken"){if(x(e)){const n=e.get(t);return(n==null?void 0:n.value)??void 0}else if(K(e))return e[t]??void 0}function m(e,t="logto_authtoken"){if(x(e)){const n=e.get(t);return(n==null?void 0:n.value)||null}else if(K(e))return e[t]||null;return null}function A(e){if(!L(e))return null;const t=typeof e.get=="function"?e.get("authorization"):e.authorization;return typeof t=="string"&&t.startsWith("Bearer ")?t.slice(7):null}function z(e){let t=e.replace(/-/g,"+").replace(/_/g,"/");const n=t.length%4;return n&&(t+="=".repeat(4-n)),typeof atob<"u"?atob(t):Buffer.from(t,"base64").toString()}async function b(e){const{logtoUrl:t,jwksCacheTtlMs:n=P,skipJwksCache:o=!1}=e,r=E(t),i=Date.now(),s=l.get(r);if(!o&&s&&s.expires>i)return s.keys;try{const a=await fetch(r);if(!a.ok)throw new Error(`Failed to fetch JWKS: ${a.status} ${a.statusText}`);const c=(await a.json()).keys||[];return!o&&n>0?l.set(r,{keys:c,expires:i+n}):l.delete(r),c}catch(a){throw new Error(`Failed to fetch JWKS from ${r}: ${a instanceof Error?a.message:"Unknown error"}`)}}function E(e){return`${J(e)}/jwks`}function B(e){l.delete(E(e))}function V(){l.clear()}function Y(e,t,n){if(!e||e.length===0)throw new Error("No keys found in JWKS");if(t){const r=e.find(i=>i.kid===t);if(r)return r;throw new Error(`Key with kid "${t}" not found in JWKS`)}if(n){const r=e.find(i=>i.alg===n);if(r)return r}const o=e.find(r=>r.kty==="RSA"&&(r.use==="sig"||!r.use));return o||e[0]}function q(e,t){const{logtoUrl:n,audience:o,requiredScope:r}=t,i=typeof e.exp=="number"?e.exp:void 0,s=typeof e.nbf=="number"?e.nbf:void 0,a=J(n);if(e.iss!==a)throw new Error(`Invalid issuer. Expected: ${a}, Got: ${e.iss}`);if(o){const c=e.aud,d=Array.isArray(o)?o:[o];if(!(Array.isArray(c)?c:c!==void 0?[c]:[]).some(y=>d.includes(y)))throw new Error(`Invalid audience. Expected one of: ${JSON.stringify(d)}, Got: ${Array.isArray(c)?JSON.stringify(c):c}`)}const u=Math.floor(Date.now()/1e3);if(i!==void 0&&i<u)throw new Error("Token has expired");if(s!==void 0&&s>u)throw new Error("Token is not yet valid");if(r&&(!e.scope||!e.scope.includes(r)))throw new Error(`Missing required scope: ${r}`)}function Q(e){if(typeof e!="object"||e===null)throw new Error("JWT payload is missing or not an object");const t=e;if(typeof t.sub!="string"||t.sub.trim()==="")throw new Error('JWT payload is missing required field "sub" (user ID)');if(typeof t.iss!="string"||t.iss.trim()==="")throw new Error('JWT payload is missing required field "iss" (issuer)');if(t.exp!==void 0&&typeof t.exp!="number")throw new Error('JWT payload field "exp" must be a number');if(t.nbf!==void 0&&typeof t.nbf!="number")throw new Error('JWT payload field "nbf" must be a number');if(t.aud!==void 0){const n=t.aud;if(!(typeof n=="string"||Array.isArray(n)&&n.every(r=>typeof r=="string")))throw new Error('JWT payload field "aud" must be a string or string[]')}if(t.scope!==void 0&&typeof t.scope!="string")throw new Error('JWT payload field "scope" must be a string')}function X(e){if(!(e instanceof Error))return!1;if(e.message.startsWith("No keys found in JWKS")||e.message.startsWith("Key with kid"))return!0;const t=e.code;return t==="ERR_JWKS_NO_MATCHING_KEY"||t==="ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}async function _(e,t,n,o){const r=typeof t.kid=="string"?t.kid:void 0,i=typeof t.alg=="string"?t.alg:void 0,s=Y(n,r,i),a=await $.importJWK(s,i||"RS256"),{payload:u}=await $.jwtVerify(e,a);return Q(u),q(u,o),{userId:u.sub,isAuthenticated:!0,payload:u,isGuest:!1}}async function w(e,t){const{logtoUrl:n}=t,o=E(n);try{const[r]=e.split(".");if(!r)throw new Error("Invalid JWT format");const i=z(r),s=JSON.parse(i),a=await b(t);try{return await _(e,s,a,t)}catch(u){if(!X(u))throw u;console.warn("[verifyLogtoToken] Key/signature error — invalidating JWKS cache and retrying with fresh keys"),l.delete(o);const c=await b(t);return await _(e,s,c,t)}}catch(r){throw new Error(`Token verification failed: ${r instanceof Error?r.message:"Unknown error"}`)}}function Z(e){const t=D(),n=async(o,r,i)=>{try{let s=m(o.cookies,e.cookieName);if(s||(s=A(o.headers)),!s){if(e.allowGuest){const u=f(o.cookies);return o.auth={userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:u},i()}return r.status(401).json({error:"Authentication required",message:"No token found in cookies or Authorization header"})}const a=await w(s,e);return o.auth=a,i()}catch(s){if(e.allowGuest){const a=f(o.cookies);return o.auth={userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:a||void 0},i()}return r.status(401).json({error:"Authentication failed",message:s instanceof Error?s.message:"Unknown error"})}};return async(o,r,i)=>{o.cookies?await n(o,r,i):t(o,r,async s=>{if(s)return i(s);await n(o,r,i)})}}async function ee(e,t){try{let n=m(e.cookies,t.cookieName);return n||(n=A(e.headers)),n?{success:!0,auth:await w(n,t)}:t.allowGuest?{success:!0,auth:{userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:f(e.cookies)||void 0}}:{success:!1,error:"No token found in cookies or Authorization header"}}catch(n){if(t.allowGuest){const o=f(e.cookies),r=n instanceof Error?n.message:"Unknown error";return console.warn(`[verifyNextAuth] Token verification failed, falling back to guest: ${r}`),{success:!0,auth:{userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:o||void 0}}}return{success:!1,error:n instanceof Error?n.message:"Unknown error"}}}async function te(e,t){let n;if(typeof e=="string")n=e;else{const o=m(e.cookies,t.cookieName)||A(e.headers);if(!o){if(t.allowGuest)return{userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:f(e.cookies)||void 0};throw new Error("No token found in request")}n=o}try{return await w(n,t)}catch(o){if(t.allowGuest&&typeof e=="object")return{userId:null,isAuthenticated:!1,payload:null,isGuest:!0,guestId:f(e.cookies)||void 0};throw o}}function re(e,t={}){const{cookieName:n="logto_authtoken",maxAge:o=10080*60,domain:r,path:i="/",sameSite:s="Strict"}=t;let a=`${n}=${e}; Max-Age=${o}; Path=${i}; HttpOnly; Secure; SameSite=${s}`;return r&&(a+=`; Domain=${r}`),a}const k="logto_csrf_token",v="x-csrf-token",ne=new Set(["GET","HEAD","OPTIONS","TRACE"]);function N(){return O.randomUUID()}function M(e,t={}){const{cookieName:n=k,maxAge:o=1440*60,domain:r,path:i="/",sameSite:s="Strict"}=t;if(/[\r\n;]/.test(e))throw new Error("CSRF token contains invalid characters (newline or semicolon)");let a=`${n}=${e}; Max-Age=${o}; Path=${i}; Secure; SameSite=${s}`;return r&&(a+=`; Domain=${r}`),a}function oe(e={}){const{cookieName:t=k,headerName:n=v,domain:o,path:r="/",sameSite:i="Strict",maxAge:s=1440*60}=e;return(a,u,c)=>{var T,C,I;const d=(a.method??"GET").toUpperCase();if(ne.has(d)){if(!((T=a.cookies)!=null&&T[t])){const U=N(),H=M(U,{cookieName:t,maxAge:s,domain:o,path:r,sameSite:i});typeof u.setHeader=="function"&&u.setHeader("Set-Cookie",H)}return c()}const p=(C=a.cookies)==null?void 0:C[t],h=(I=a.headers)==null?void 0:I[n],y=Array.isArray(h)?h[0]:h;if(!p||!y||p!==y){u.status(403).json({error:"CSRF validation failed",message:`Include the '${n}' request header with the value from the '${t}' cookie.`});return}return c()}}function ie(e,t={}){var s,a;const{cookieName:n=k,headerName:o=v}=t,r=(a=(s=e.cookies)==null?void 0:s.get(n))==null?void 0:a.value,i=e.headers.get(o);return r?i?r!==i?{valid:!1,error:"CSRF token mismatch. The header value does not match the cookie value."}:{valid:!0}:{valid:!1,error:`Missing '${o}' request header. Read the '${n}' cookie value and send it in this header.`}:{valid:!1,error:`CSRF cookie '${n}' not found. Ensure GET requests are made first to receive the CSRF cookie.`}}const R=["roles","role"];function se(e){return typeof e=="object"&&e!==null&&"isAuthenticated"in e}function j(e){return e?se(e)?e.payload:e:null}function S(e){return(Array.isArray(e)?e:[e]).flatMap(t=>t.split(/\s+/)).map(t=>t.trim()).filter(Boolean)}function g(e){return(Array.isArray(e)?e:[e]).flatMap(t=>t.split(/[,\s]+/)).map(t=>t.trim()).filter(Boolean)}function W(e){const t=j(e);return t!=null&&t.scope?S(t.scope):[]}function G(e,t){const n=j(e);if(!n)return[];for(const o of t){const r=n[o];if(Array.isArray(r)&&r.every(i=>typeof i=="string")||typeof r=="string")return g(r)}return[]}function F(e,t,n={}){const o=S(t);if(o.length===0)return!0;const r=W(e),{mode:i="all"}=n;return i==="any"?o.some(s=>r.includes(s)):o.every(s=>r.includes(s))}function ae(e,t,n={}){const o=S(t);if(o.length===0)return;const r=W(e),{mode:i="all"}=n;if(F(e,o,{mode:i}))return;const s=o.filter(u=>!r.includes(u)),a=i==="any"?"at least one of":"all of";throw new Error(`Missing required scopes (${a}: ${o.join(", ")}). Token scopes: ${r.join(", ")||"(none)"}. Missing: ${s.join(", ")||o.join(", ")}`)}function ue(e,t,n={}){var s;const o=g(t);if(o.length===0)return!0;const r=(s=n.claimKeys)!=null&&s.length?n.claimKeys:R,i=G(e,r);return o.every(a=>i.includes(a))}function ce(e,t,n={}){var s;const o=g(t);if(o.length===0)return;const r=(s=n.claimKeys)!=null&&s.length?n.claimKeys:R,i=G(e,r);if(!o.every(a=>i.includes(a)))throw new Error(`Missing required role: ${o.join(", ")}. Checked claims: ${r.join(", ")}. Token roles: ${i.join(", ")||"(none)"}`)}exports.CSRF_COOKIE_NAME=k;exports.CSRF_HEADER_NAME=v;exports.buildAuthCookieHeader=re;exports.buildCsrfCookieHeader=M;exports.clearJwksCache=V;exports.createCsrfMiddleware=oe;exports.createExpressAuthMiddleware=Z;exports.generateCsrfToken=N;exports.hasRole=ue;exports.hasScopes=F;exports.invalidateJwksCache=B;exports.requireRole=ce;exports.requireScopes=ae;exports.verifyAuth=te;exports.verifyCsrfToken=ie;exports.verifyLogtoToken=w;exports.verifyNextAuth=ee;

package/dist/server/index.d.ts

@@ -0,0 +1,4 @@
+export * from './verify-auth.js';
+export * from './csrf.js';
+export * from './authorization.js';
+export * from './types.js';