@run402/functions 3.0.0 → 3.2.0
- package/dist/auth/errors.d.ts +30 -1
- package/dist/auth/errors.d.ts.map +1 -1
- package/dist/auth/errors.js +56 -0
- package/dist/auth/errors.js.map +1 -1
- package/dist/auth/index.d.ts +61 -3
- package/dist/auth/index.d.ts.map +1 -1
- package/dist/auth/index.js +399 -25
- package/dist/auth/index.js.map +1 -1
- package/dist/auth/types.d.ts +67 -0
- package/dist/auth/types.d.ts.map +1 -1
- package/dist/index.d.ts +3 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -1
- package/dist/index.js.map +1 -1
- package/dist/lib/actor-context-verify.d.ts +17 -0
- package/dist/lib/actor-context-verify.d.ts.map +1 -1
- package/dist/lib/actor-context-verify.js +84 -5
- package/dist/lib/actor-context-verify.js.map +1 -1
- package/dist/runtime-context.d.ts +10 -1
- package/dist/runtime-context.d.ts.map +1 -1
- package/dist/runtime-context.js +47 -12
- package/dist/runtime-context.js.map +1 -1
- package/package.json +2 -2
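--- a/package/dist/auth/errors.d.ts
+++ b/package/dist/auth/errors.d.ts
@@ -9,7 +9,7 @@
 * the right thing. But framework code, middleware, and test harnesses
 * occasionally need typed catches; that's what these classes are for.
 */
-export type Run402AuthCode = "R402_AUTH_REQUIRED" | "R402_AUTH_INSUFFICIENT_ROLE" | "R402_AUTH_INSUFFICIENT_MEMBERSHIP" | "R402_AUTH_FRESHNESS_REQUIRED" | "R402_AUTH_PRERENDERED" | "R402_AUTH_FETCH_ABSOLUTE_URL" | "R402_AUTH_UNKNOWN_EXPORT" | "R402_AUTH_SESSION_BRIDGE_UNVERIFIED" | "R402_AUTH_IDENTITY_LINK_CONFLICT" | "R402_AUTH_UNKNOWN_IDENTITY" | "R402_AUTH_TENANT_SUFFIX_REQUIRED" | "R402_AUTH_RETURN_TO_INVALID" | "R402_AUTH_REDUNDANT_USER_FILTER";
+export type Run402AuthCode = "R402_AUTH_REQUIRED" | "R402_AUTH_INSUFFICIENT_ROLE" | "R402_AUTH_INSUFFICIENT_MEMBERSHIP" | "R402_AUTH_FRESHNESS_REQUIRED" | "R402_AUTH_PRERENDERED" | "R402_AUTH_FETCH_ABSOLUTE_URL" | "R402_AUTH_UNKNOWN_EXPORT" | "R402_AUTH_SESSION_BRIDGE_UNVERIFIED" | "R402_AUTH_IDENTITY_LINK_CONFLICT" | "R402_AUTH_UNKNOWN_IDENTITY" | "R402_AUTH_TENANT_SUFFIX_REQUIRED" | "R402_AUTH_RETURN_TO_INVALID" | "R402_AUTH_REDUNDANT_USER_FILTER" | "R402_AUTH_INVALID_CREDENTIALS" | "R402_AUTH_TENANT_SUBJECT_INVALID" | "R402_AUTH_UNTRUSTED_CONTEXT" | "R402_AUTH_RENAMED_EXPORT";
 export declare class Run402AuthError extends Error {
 readonly code: Run402AuthCode;
 readonly status: number;
@@ -86,4 +86,33 @@ export declare class UnknownIdentityError extends Run402AuthError {
 subject: string;
 });
 }
+/** The canonical "your own credential check failed" error. Thrown via the
+* `auth.invalidCredentials()` FUNCTION (not `new auth.InvalidCredentialsError()`)
+* per D9 — agents fumble the constructor+import; `throw auth.invalidCredentials()`
+* is one call and renders the canonical `R402_AUTH_INVALID_CREDENTIALS` envelope
+* (distinct from `R402_AUTH_MAGIC_LINK_INVALID`). */
+export declare class InvalidCredentialsError extends Run402AuthError {
+constructor();
+}
+/** A shipped export that has been renamed/moved. Distinct from
+* `UnknownExportError` (never-existed names): this one teaches the specific
+* move for a name that used to work. Used for `auth.identities.link` →
+* `auth.account.identities.startLink`. */
+export declare class RenamedExportError extends Run402AuthError {
+readonly oldName: string;
+readonly newName: string;
+constructor(opts: {
+oldName: string;
+newName: string;
+});
+}
+/** Rejects a tenant-assertion mint whose `user` lacks a stable `id` (e.g. a
+* bare email). The `fix` shows the required `{ tenant, user: { id, email, ... },
+* method }` shape. SDK-side fast-feedback twin of the gateway's
+* `R402_AUTH_TENANT_SUBJECT_INVALID` envelope. */
+export declare class TenantSubjectInvalidError extends Run402AuthError {
+constructor(opts: {
+reason: string;
+});
+}
 //# sourceMappingURL=errors.d.ts.map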
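Review bot: The widened `Run402AuthCode` union (hunk `@@ -9,7 +9,7 @@`) gains `R402_AUTH_UNTRUSTED_CONTEXT`, but the second hunk declares classes only for the other three new codes, so a caller that needs a typed catch for the untrusted-context case has nothing to test with `instanceof`. If that code is raised elsewhere in the package as a plain `Run402AuthError`, a comment beside the union should say so, e.g. `// R402_AUTH_UNTRUSTED_CONTEXT has no subclass; match on err.code`. The `InvalidCredentialsError` doc comment also refers to `R402_AUTH_MAGIC_LINK_INVALID`, which is not a member of the union shown here; it is presumably a gateway-side code, and the comment should state that so readers do not look for it in this SDK.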
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,6BAA6B,GAC7B,mCAAmC,GACnC,8BAA8B,GAC9B,uBAAuB,GACvB,8BAA8B,GAC9B,0BAA0B,GAC1B,qCAAqC,GACrC,kCAAkC,GAClC,4BAA4B,GAC5B,kCAAkC,GAClC,6BAA6B,GAC7B,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,cAAc,GACtB,oBAAoB,GACpB,6BAA6B,GAC7B,mCAAmC,GACnC,8BAA8B,GAC9B,uBAAuB,GACvB,8BAA8B,GAC9B,0BAA0B,GAC1B,qCAAqC,GACrC,kCAAkC,GAClC,4BAA4B,GAC5B,kCAAkC,GAClC,6BAA6B,GAC7B,iCAAiC,GACjC,+BAA+B,GAC/B,kCAAkC,GAClC,6BAA6B,GAC7B,0BAA0B,CAAC;AAE/B,qBAAa,eAAgB,SAAQ,KAAK;IACxC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;gBAEX,IAAI,EAAE;QAChB,IAAI,EAAE,cAAc,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf;CASF;AAED;;kEAEkE;AAClE,qBAAa,iBAAkB,SAAQ,eAAe;gBACxC,IAAI,GAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAO;CAW7C;AAED,qBAAa,qBAAsB,SAAQ,eAAe;IACxD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;gBAClB,YAAY,EAAE,MAAM;CAUjC;AAED,qBAAa,2BAA4B,SAAQ,eAAe;IAC9D,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;gBACxB,kBAAkB,EAAE,MAAM;CAUvC;AAED,qBAAa,sBAAuB,SAAQ,eAAe;IACzD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC;gBACX,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,EAAE,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;CAWvE;AAED,qBAAa,qBAAsB,SAAQ,eAAe;gBAC5C,IAAI,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;CAWxD;AAED,qBAAa,gBAAiB,SAAQ,eAAe;gBACvC,IAAI,EAAE;QAAE,WAAW,EAAE,MAAM,CAAA;KAAE;CAW1C;AAED,qBAAa,kBAAmB,SAAQ,eAAe;IACrD,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;gBACnB,IAAI,EAAE;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE;CAiBnE;AAED,qBAAa,4BAA6B,SAAQ,eAAe;gBACnD,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE;CAWrC;AAED,qBAAa,yBAA0B,SAAQ,eAAe;gBAChD,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;CASxD;AAED,qBAAa,oBAAqB,SAAQ,eAAe;gBAC3C,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;C
AUxD;AAED;;;;sDAIsD;AACtD,qBAAa,uBAAwB,SAAQ,eAAe;;CAa3D;AAED;;;2CAG2C;AAC3C,qBAAa,kBAAmB,SAAQ,eAAe;IACrD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBACb,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;CAavD;AAED;;;mDAGmD;AACnD,qBAAa,yBAA0B,SAAQ,eAAe;gBAChD,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE;CAYrC"}
|
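--- a/package/dist/auth/errors.js
+++ b/package/dist/auth/errors.js
@@ -167,4 +167,60 @@ export class UnknownIdentityError extends Run402AuthError {
 this.name = "UnknownIdentityError";
 }
 }
+/** The canonical "your own credential check failed" error. Thrown via the
+* `auth.invalidCredentials()` FUNCTION (not `new auth.InvalidCredentialsError()`)
+* per D9 — agents fumble the constructor+import; `throw auth.invalidCredentials()`
+* is one call and renders the canonical `R402_AUTH_INVALID_CREDENTIALS` envelope
+* (distinct from `R402_AUTH_MAGIC_LINK_INVALID`). */
+export class InvalidCredentialsError extends Run402AuthError {
+constructor() {
+super({
+code: "R402_AUTH_INVALID_CREDENTIALS",
+status: 401,
+message: "Invalid credentials.",
+details: {},
+suggestedFix: 'After your own credential check fails, use: throw auth.invalidCredentials()',
+docs: "https://run402.com/errors/#R402_AUTH_INVALID_CREDENTIALS",
+});
+this.name = "InvalidCredentialsError";
+}
+}
+/** A shipped export that has been renamed/moved. Distinct from
+* `UnknownExportError` (never-existed names): this one teaches the specific
+* move for a name that used to work. Used for `auth.identities.link` →
+* `auth.account.identities.startLink`. */
+export class RenamedExportError extends Run402AuthError {
+oldName;
+newName;
+constructor(opts) {
+super({
+code: "R402_AUTH_RENAMED_EXPORT",
+status: 400,
+message: `${opts.oldName} has moved to ${opts.newName}.`,
+details: { old_name: opts.oldName, new_name: opts.newName },
+suggestedFix: `Use: ${opts.newName}`,
+docs: "https://run402.com/errors/#R402_AUTH_RENAMED_EXPORT",
+});
+this.name = "RenamedExportError";
+this.oldName = opts.oldName;
+this.newName = opts.newName;
+}
+}
+/** Rejects a tenant-assertion mint whose `user` lacks a stable `id` (e.g. a
+* bare email). The `fix` shows the required `{ tenant, user: { id, email, ... },
+* method }` shape. SDK-side fast-feedback twin of the gateway's
+* `R402_AUTH_TENANT_SUBJECT_INVALID` envelope. */
+export class TenantSubjectInvalidError extends Run402AuthError {
+constructor(opts) {
+super({
+code: "R402_AUTH_TENANT_SUBJECT_INVALID",
+status: 400,
+message: `Tenant assertion subject invalid: ${opts.reason}`,
+details: { reason: opts.reason },
+suggestedFix: 'Pass a stable id: auth.sessions.createResponseFromTenantAssertion({ tenant, user: { id, email, emailVerified }, method: "password" })',
+docs: "https://run402.com/errors/#R402_AUTH_TENANT_SUBJECT_INVALID",
+});
+this.name = "TenantSubjectInvalidError";
+}
+}
 //# sourceMappingURL=errors.js.map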
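Review bot: `TenantSubjectInvalidError` copies `opts.reason` verbatim into both `message` and `details.reason`, and nothing in this file constrains what a caller puts there. The doc comment's own example of a rejected subject is a bare email, so if the call site (not visible in this section) builds `reason` from the submitted `user` value, that value ends up in the error envelope and in any log that records the message. I would document the expectation on the constructor, e.g. `@param opts.reason fixed, developer-facing text; do not embed the submitted user value`. `RenamedExportError` interpolates `oldName`/`newName` the same way, though those appear to be SDK-internal constants.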
package/dist/auth/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/auth/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAqBH,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAC/B,IAAI,CAAiB;IACrB,MAAM,CAAS;IACf,OAAO,CAA0B;IACjC,YAAY,CAAU;IACtB,IAAI,CAAU;IAEvB,YAAY,IAOX;QACC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,YAAY;YAAE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QAC7D,IAAI,IAAI,CAAC,IAAI;YAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACvC,CAAC;CACF;AAED;;kEAEkE;AAClE,MAAM,OAAO,iBAAkB,SAAQ,eAAe;IACpD,YAAY,OAA8B,EAAE;QAC1C,KAAK,CAAC;YACJ,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,0BAA0B;YACnC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE;YACzD,YAAY,EAAE,4CAA4C;YAC1D,IAAI,EAAE,+CAA+C;SACtD,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,eAAe;IAC/C,YAAY,CAAS;IAC9B,YAAY,YAAoB;QAC9B,KAAK,CAAC;YACJ,IAAI,EAAE,6BAA6B;YACnC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,2CAA2C,YAAY,GAAG;YACnE,OAAO,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE;SACzC,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;QACpC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;CACF;AAED,MAAM,OAAO,2BAA4B,SAAQ,eAAe;IACrD,kBAAkB,CAAS;IACpC,YAAY,kBAA0B;QACpC,KAAK,CAAC;YACJ,IAAI,EAAE,mCAAmC;YACzC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,iDAAiD,kBAAkB,GAAG;YAC/E,OAAO,EAAE,EAAE,mBAAmB,EAAE,kBAAkB,EAAE;SACrD,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,6BAA6B,CAAC;QAC1C,IAAI,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;IAC/C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,eAAe;IAChD,MAAM,CAAS;IACf,GAAG,CAAW;IACvB,YAAY,IAA0D;QACpE,KAAK,CAAC;YACJ,IAAI,EAAE,8BAA8B;YACpC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,uCAAuC,IAAI,CAAC,MAAM,qBAAqB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YACtG,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI,EAAE;SAClF,CAAC,CAAC;QACH,IAAI,C
AAC,IAAI,GAAG,wBAAwB,CAAC;QACrC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACtB,CAAC;CACF;AAED,MAAM,OAAO,qBAAsB,SAAQ,eAAe;IACxD,YAAY,IAA2C;QACrD,KAAK,CAAC;YACJ,IAAI,EAAE,8BAA8B;YACpC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,2BAA2B,IAAI,CAAC,SAAS,MAAM,IAAI,CAAC,MAAM,EAAE;YACrE,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;YAC/D,YAAY,EAAE,kGAAkG;YAChH,IAAI,EAAE,yDAAyD;SAChE,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,eAAe;IACnD,YAAY,IAA6B;QACvC,KAAK,CAAC;YACJ,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,qCAAqC;YACjE,OAAO,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,WAAW,EAAE;YAC3C,YAAY,EAAE,8DAA8D;YAC5E,IAAI,EAAE,kDAAkD;SACzD,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,OAAO,kBAAmB,SAAQ,eAAe;IAC5C,aAAa,CAAS;IACtB,aAAa,CAAS;IAC/B,YAAY,IAAsD;QAChE,KAAK,CAAC;YACJ,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,uBAAuB,IAAI,CAAC,aAAa,SAAS,IAAI,CAAC,aAAa,WAAW;YACxF,OAAO,EAAE;gBACP,cAAc,EAAE,IAAI,CAAC,aAAa;gBAClC,cAAc,EAAE,IAAI,CAAC,aAAa;gBAClC,WAAW,EAAE,0CAA0C;aACxD;YACD,YAAY,EAAE,QAAQ,IAAI,CAAC,aAAa,EAAE;YAC1C,IAAI,EAAE,qDAAqD;SAC5D,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACxC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;IAC1C,CAAC;CACF;AAED,MAAM,OAAO,4BAA6B,SAAQ,eAAe;IAC/D,YAAY,IAAwB;QAClC,KAAK,CAAC;YACJ,IAAI,EAAE,qCAAqC;YAC3C,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,4CAA4C,IAAI,CAAC,MAAM,EAAE;YAClE,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;YAChC,YAAY,EAAE,oHAAoH;YAClI,IAAI,EAAE,gEAAgE;SACvE,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,8BAA8B,CAAC;IAC7C,CAAC;CACF;AAED,MAAM,OAAO,yBAA0B,SAAQ,eAAe;IAC5D,YAAY,IAA2C;QACrD,KAAK,CAAC;YACJ,IAAI,EAAE,kCAAkC;YACxC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,aAAa,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,sCAAsC;YAC1F,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;SAC5D,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF;AAED,MAAM,OAA
O,oBAAqB,SAAQ,eAAe;IACvD,YAAY,IAA2C;QACrD,KAAK,CAAC;YACJ,IAAI,EAAE,4BAA4B;YAClC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,aAAa,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,cAAc;YAClE,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;YAC3D,YAAY,EAAE,8GAA8G;SAC7H,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED;;;;sDAIsD;AACtD,MAAM,OAAO,uBAAwB,SAAQ,eAAe;IAC1D;QACE,KAAK,CAAC;YACJ,IAAI,EAAE,+BAA+B;YACrC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,sBAAsB;YAC/B,OAAO,EAAE,EAAE;YACX,YAAY,EACV,6EAA6E;YAC/E,IAAI,EAAE,0DAA0D;SACjE,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED;;;2CAG2C;AAC3C,MAAM,OAAO,kBAAmB,SAAQ,eAAe;IAC5C,OAAO,CAAS;IAChB,OAAO,CAAS;IACzB,YAAY,IAA0C;QACpD,KAAK,CAAC;YACJ,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,iBAAiB,IAAI,CAAC,OAAO,GAAG;YACxD,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE;YAC3D,YAAY,EAAE,QAAQ,IAAI,CAAC,OAAO,EAAE;YACpC,IAAI,EAAE,qDAAqD;SAC5D,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAC9B,CAAC;CACF;AAED;;;mDAGmD;AACnD,MAAM,OAAO,yBAA0B,SAAQ,eAAe;IAC5D,YAAY,IAAwB;QAClC,KAAK,CAAC;YACJ,IAAI,EAAE,kCAAkC;YACxC,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,qCAAqC,IAAI,CAAC,MAAM,EAAE;YAC3D,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;YAChC,YAAY,EACV,uIAAuI;YACzI,IAAI,EAAE,6DAA6D;SACpE,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;IAC1C,CAAC;CACF"}
|
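--- a/package/dist/auth/index.d.ts
+++ b/package/dist/auth/index.d.ts
@@ -17,7 +17,9 @@
 * auth.csrfToken() → string
 * auth.csrfField() → "<input type=hidden ...>"
 * auth.sessions.createResponseFromIdentity({ ... }) → Response
+* auth.sessions.createResponseFromTenantAssertion({ tenant, user, method }) → Response
 * auth.sessions.endResponse() → Response
+* auth.invalidCredentials() → InvalidCredentialsError (throw it)
 *
 * Behaviour notes baked into the helpers:
 * - Calling any helper taints the cache (the response now depends on
@@ -37,7 +39,8 @@
 *
 * @see openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md
 */
-import
+import { InvalidCredentialsError } from "./errors.js";
+import type { AccountSecurity, Actor, CreateResponseFromIdentityOptions, CreateResponseFromTenantAssertionOptions, IdentityLinkOptions } from "./types.js";
 interface RequireFreshOptions {
 /** Human-friendly window expression. Accepted forms: `"10m"`, `"1h"`,
 * `"5m30s"`, integer seconds (`"600"`). Anything that fails to parse
@@ -48,6 +51,13 @@ interface RequireFreshOptions {
 * satisfies. */
 amr?: string[];
 }
+/** Header on the function's RETURNED Response that the gateway's routed-invoke
+* post-processor materializes into a host-bound `Set-Cookie` — AFTER it
+* checks the INVOKED function's declared `auth.sessionMint` capability
+* (server-side; service-key presence is NOT sufficient). The gateway always
+* strips this header before the client sees it. Kept in sync with the
+* gateway constant of the same name. */
+export declare const MINT_DIRECTIVE_HEADER = "x-run402-mint-directive";
 interface AuthNamespace {
 user(): Promise<Actor | null>;
 requireUser(): Promise<Actor>;
@@ -63,11 +73,59 @@ interface AuthNamespace {
 fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
 csrfToken(): string;
 csrfField(): string;
+/** Canonical invalid-credentials failure for the tenant-owned credential
+* case. A function (not a constructor): `throw auth.invalidCredentials()`. */
+invalidCredentials(): InvalidCredentialsError;
+/** Account security (§4). `getSecurity`/`requireSecurity` are the everyday
+* rich read; the §4.4 advanced mutation tier (callee-enforced freshness,
+* context-actor only) backs the same flows as `<AccountSecurity>`. */
+account: {
+getSecurity(): Promise<AccountSecurity | null>;
+requireSecurity(): Promise<AccountSecurity>;
+setPassword(newPassword: string, opts?: {
+maxAge?: string;
+}): Promise<void>;
+signOutEverywhere(): Promise<{
+revoked_count: number;
+}>;
+passkeys: {
+list(): Promise<unknown[]>;
+remove(passkeyId: string): Promise<void>;
+add(): never;
+};
+identities: {
+list(): Promise<unknown[]>;
+/** §4.5 — begin the OAuth link-to-existing-account ceremony for the
+* context actor. Mints a short-lived actor JWT and asks the gateway
+* (`intent:"link"`) for a provider authorization URL bound to the
+* signed-in user; the caller redirects the browser there. After the
+* provider round-trip the identity is written against THIS account
+* (not a new sign-in). `redirectUrl` must be an allowed origin for the
+* project. This is link-to-existing — distinct from sign-in-with. */
+startLink(opts: {
+provider: string;
+redirectUrl: string;
+mode?: "redirect" | "popup";
+}): Promise<{
+authorizationUrl: string;
+expiresIn: number;
+}>;
+unlink(opts: {
+provider: string;
+subject: string;
+}): Promise<void>;
+};
+sessions: {
+list(): Promise<unknown[]>;
+revoke(sessionId: string): Promise<void>;
+};
+};
 identities: {
 link(opts: IdentityLinkOptions): Promise<void>;
 };
 sessions: {
 createResponseFromIdentity(opts: CreateResponseFromIdentityOptions): Promise<Response>;
+createResponseFromTenantAssertion(opts: CreateResponseFromTenantAssertionOptions): Promise<Response>;
 endResponse(): Promise<Response>;
 };
 }
@@ -93,6 +151,6 @@ export declare function currentUser(): never;
 export declare function getCurrentUser(): never;
 /** @deprecated Use `auth.user()`. */
 export declare function getServerSession(): never;
-export type { Actor, IdentityProof } from "./types.js";
-export { AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, Run402AuthError, } from "./errors.js";
+export type { Actor, IdentityProof, TenantUser, CreateResponseFromTenantAssertionOptions, AccountSecurity, Run402Identity, TenantAssertionRef, } from "./types.js";
+export { AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, InvalidCredentialsError, TenantSubjectInvalidError, RenamedExportError, Run402AuthError, } from "./errors.js";
 //# sourceMappingURL=index.d.ts.map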
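Review bot: The doc comment on `MINT_DIRECTIVE_HEADER` (hunk `@@ -48,6 +51,13 @@`) describes what the gateway does with the header but gives the function author no rule for it. A handler that holds the `auth.sessionMint` capability and returns or copies headers from an upstream `Response` could carry `x-run402-mint-directive` through without intending to mint a session. I would add a sentence such as `Set only by the auth.sessions.* helpers; never copy this header from an upstream or client-supplied Response.` Whether the directive value is signed or otherwise bound to the SDK is not visible in this declaration file, so the comment should also say what the gateway verifies beyond the capability check.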
package/dist/auth/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAUH,OAAO,EAML,uBAAuB,EAKxB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EACV,eAAe,EACf,KAAK,EACL,iCAAiC,EACjC,wCAAwC,EACxC,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAsJpB,UAAU,mBAAmB;IAC3B;;2DAEuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf;;qBAEiB;IACjB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;CAChB;AA8JD;;;;;yCAKyC;AACzC,eAAO,MAAM,qBAAqB,4BAA4B,CAAC;AAyb/D,UAAU,aAAa;IACrB,IAAI,IAAI,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAC9B,WAAW,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9B,WAAW,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,EAAE,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,KAAK,CAAC;QAAC,IAAI,EAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAChF,iBAAiB,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,EACtC,UAAU,EAAE,CAAC,GACZ,OAAO,CAAC;QAAE,IAAI,EAAE,KAAK,CAAC;QAAC,UAAU,EAAE,CAAC,CAAA;KAAE,CAAC,CAAC;IAC3C,YAAY,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvE,SAAS,IAAI,MAAM,CAAC;IACpB,SAAS,IAAI,MAAM,CAAC;IACpB;mFAC+E;IAC/E,kBAAkB,IAAI,uBAAuB,CAAC;IAC9C;;2EAEuE;IACvE,OAAO,EAAE;QACP,WAAW,IAAI,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;QAC/C,eAAe,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;QAC5C,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC5E,iBAAiB,IAAI,OAAO,CAAC;YAAE,aAAa,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACxD,QAAQ,EAAE;YACR,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3B,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YACzC,GAAG,IAAI,KAAK,CAAC;SACd,CAAC;QACF,UAAU,EAAE;YACV,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3B;;;;;;kFAMsE;YACtE,SAAS,CAAC,IAAI,EAAE;gBACd,QAAQ,EAAE,MAAM,CAAC;gBACjB,WAAW,EAAE,MAAM,CAAC;gBACpB,IAAI,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;aAC7B,GAAG,OAAO,CAAC;gBAAE,gBAAgB,EAAE,MAAM,CAAC;gBAAC,SAAS,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;YAC7D,MAAM,CAAC,IAAI,EAAE;gBAAE,QAAQ,EAAE,MAAM,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAA;aAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;SACpE,CAAC;QACF,QAAQ,EA
AE;YACR,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3B,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;SAC1C,CAAC;KACH,CAAC;IACF,UAAU,EAAE;QACV,IAAI,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAChD,CAAC;IACF,QAAQ,EAAE;QACR,0BAA0B,CAAC,IAAI,EAAE,iCAAiC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvF,iCAAiC,CAC/B,IAAI,EAAE,wCAAwC,GAC7C,OAAO,CAAC,QAAQ,CAAC,CAAC;QACrB,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;KAClC,CAAC;CACH;AAqDD;;;gEAGgE;AAChE,eAAO,MAAM,IAAI,EAAE,aAiBjB,CAAC;AAEH;;;;;;;;GAQG;AAEH,6DAA6D;AAC7D,wBAAgB,UAAU,IAAI,KAAK,CAElC;AAED,qCAAqC;AACrC,wBAAgB,WAAW,IAAI,KAAK,CAEnC;AAED,qCAAqC;AACrC,wBAAgB,cAAc,IAAI,KAAK,CAEtC;AAED,qCAAqC;AACrC,wBAAgB,gBAAgB,IAAI,KAAK,CAKxC;AA8BD,YAAY,EACV,KAAK,EACL,aAAa,EACb,UAAU,EACV,wCAAwC,EACxC,eAAe,EACf,cAAc,EACd,kBAAkB,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,EACzB,kBAAkB,EAClB,eAAe,GAChB,MAAM,aAAa,CAAC"}
|