alepha 0.9.2 → 0.9.4

package/react/auth.d.ts

@@ -1,187 +1,496 @@
-import * as _alepha_core0$1 from "alepha";
 import * as _alepha_core4 from "alepha";
-import * as _alepha_core0 from "alepha";
-import { Alepha, Async, Descriptor, KIND } from "alepha";
-import * as _alepha_server_cookies0 from "alepha/server/cookies";
+import { Alepha, AlephaError, Async, Descriptor, KIND, Static } from "alepha";
+import * as _alepha_server_cookies1 from "alepha/server/cookies";
 import { Cookies, ServerCookiesProvider } from "alepha/server/cookies";
+import { DateTimeProvider } from "alepha/datetime";
+import { AccessTokenResponse, RealmDescriptor, SecurityProvider, UserAccount, UserAccountToken } from "alepha/security";
+import { Configuration } from "openid-client";
+import * as _alepha_logger0 from "alepha/logger";
 import * as _alepha_server0 from "alepha/server";
 import { HttpClient } from "alepha/server";
-import { Configuration } from "openid-client";
-import { HttpVirtualClient } from "alepha/server/links";
-import { UserAccountToken } from "alepha/security";
-import * as _sinclair_typebox0 from "@sinclair/typebox";
+import { HttpVirtualClient, LinkProvider, ServerLinksProvider } from "alepha/server/links";
+import * as _sinclair_typebox156 from "@sinclair/typebox";
 
-//#region src/descriptors/$auth.d.ts
-declare const $auth: {
-  (options: AuthDescriptorOptions): AuthDescriptor;
-  [KIND]: typeof AuthDescriptor;
-};
-interface AuthDescriptorOptions {
-  name?: string;
-  fallback?: () => Async<AccessToken>;
-  oidc?: {
-    issuer: string;
-    clientId: string;
-    clientSecret?: string;
-    redirectUri?: string;
-    useIdToken?: boolean;
-    logoutUri?: string;
+//#region src/schemas/tokensSchema.d.ts
+declare const tokensSchema: _sinclair_typebox156.TObject<{
+  provider: _sinclair_typebox156.TString;
+  access_token: _sinclair_typebox156.TString;
+  issued_at: _sinclair_typebox156.TNumber;
+  expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+  refresh_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+  refresh_token_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+  refresh_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+  id_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+  scope: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+  token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+  realm: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+}>;
+type Tokens = Static<typeof tokensSchema>;
+//#endregion
+//#region src/services/ReactAuth.d.ts
+/**
+ * Browser, SSR friendly, service to handle authentication.
+ */
+declare class ReactAuth {
+  protected readonly log: _alepha_logger0.Logger;
+  protected readonly alepha: Alepha;
+  protected readonly linkProvider: LinkProvider;
+  protected readonly httpClient: HttpClient;
+  static path: {
+    login: string;
+    callback: string;
+    logout: string;
+    token: string;
+    refresh: string;
+    userinfo: string;
   };
+  protected readonly onBeginTransition: _alepha_core4.HookDescriptor<"react:transition:begin">;
+  csrfCookie: _alepha_server_cookies1.AbstractCookieDescriptor<_sinclair_typebox156.TString>;
+  protected readonly onFetchRequest: _alepha_core4.HookDescriptor<"client:onRequest">;
+  get user(): UserAccountToken | undefined;
+  ping(): Promise<{
+    name?: string | undefined;
+    email?: string | undefined;
+    username?: string | undefined;
+    picture?: string | undefined;
+    sessionId?: string | undefined;
+    organizations?: string[] | undefined;
+    roles?: string[] | undefined;
+    id: string;
+  } | undefined>;
+  login(provider: string, options: {
+    hostname?: string;
+    username?: string;
+    password?: string;
+    redirect?: string;
+    [extra: string]: any;
+  }): Promise<Tokens>;
+  logout(): void;
 }
-declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
-  get name(): string;
-  jwks(): string;
-}
-type AccessToken = string;
-//# sourceMappingURL=$auth.d.ts.map
 //#endregion
 //#region src/providers/ReactAuthProvider.d.ts
 declare class ReactAuthProvider {
-  protected readonly log: _alepha_core0$1.Logger;
+  protected readonly log: _alepha_logger0.Logger;
   protected readonly alepha: Alepha;
   protected readonly serverCookiesProvider: ServerCookiesProvider;
-  protected authProviders: AuthProvider[];
-  protected readonly authorizationCode: _alepha_server_cookies0.CookieDescriptor<_sinclair_typebox0.TObject<{
-    codeVerifier: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    redirectUri: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  protected readonly dateTimeProvider: DateTimeProvider;
+  protected readonly serverLinksProvider: ServerLinksProvider;
+  protected readonly reactAuth: ReactAuth;
+  protected readonly authorizationCode: _alepha_server_cookies1.AbstractCookieDescriptor<_sinclair_typebox156.TObject<{
+    provider: _sinclair_typebox156.TString;
+    codeVerifier: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    redirectUri: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    state: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    nonce: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
   }>>;
-  readonly tokens: _alepha_server_cookies0.CookieDescriptor<_sinclair_typebox0.TObject<{
-    provider: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    access_token: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    expires_in: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
-    refresh_token: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    id_token: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    scope: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    issued_at: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
+  readonly tokens: _alepha_server_cookies1.AbstractCookieDescriptor<_sinclair_typebox156.TObject<{
+    provider: _sinclair_typebox156.TString;
+    access_token: _sinclair_typebox156.TString;
+    issued_at: _sinclair_typebox156.TNumber;
+    expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+    refresh_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    refresh_token_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+    refresh_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+    id_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    scope: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    realm: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
   }>>;
-  readonly user: _alepha_server_cookies0.CookieDescriptor<_sinclair_typebox0.TObject<{
-    id: _sinclair_typebox0.TString;
-    name: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    email: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    picture: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  }>>;
-  readonly onRender: _alepha_core0$1.HookDescriptor<"react:server:render:begin">;
-  protected readonly configure: _alepha_core0$1.HookDescriptor<"configure">;
-  protected getAccessTokenFromCookies(tokens: SessionTokens): Promise<string | undefined>;
+  readonly onRender: _alepha_core4.HookDescriptor<"react:server:render:begin">;
+  get identities(): Array<AuthDescriptor>;
+  protected readonly configure: _alepha_core4.HookDescriptor<"configure">;
+  protected getAccessTokens(tokens: Tokens): string | undefined;
   /**
-   * Configure Fastify to forward Session Access Token to Header Authorization.
+   * Fill request headers with access token from cookies or fallback to provider's fallback function.
    */
-  protected readonly onRequest: _alepha_core0$1.HookDescriptor<"server:onRequest">;
+  protected readonly onRequest: _alepha_core4.HookDescriptor<"server:onRequest">;
   /**
-   *
-   * @param cookies
-   * @protected
+   * Convert cookies to tokens.
+   * If the tokens are expired, try to refresh them using the refresh token.
    */
-  protected refresh(cookies: Cookies): Promise<SessionTokens | undefined>;
-  readonly login: _alepha_server0.RouteDescriptor<{
-    query: _sinclair_typebox0.TObject<{
-      redirect: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-      provider: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  protected cookiesToTokens(cookies: Cookies): Promise<Tokens | undefined>;
+  protected checkCsrf(cookies: Cookies, csrfHeader: string): Promise<void>;
+  protected refreshTokens(tokens: Tokens): Promise<Tokens | undefined>;
+  /**
+   * Get user information.
+   */
+  readonly userinfo: _alepha_server0.RouteDescriptor<{
+    response: _sinclair_typebox156.TObject<{
+      user: _sinclair_typebox156.TOptional<_sinclair_typebox156.TObject<{
+        id: _sinclair_typebox156.TString;
+        name: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        email: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        username: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        picture: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        sessionId: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        organizations: _sinclair_typebox156.TOptional<_sinclair_typebox156.TArray<_sinclair_typebox156.TString>>;
+        roles: _sinclair_typebox156.TOptional<_sinclair_typebox156.TArray<_sinclair_typebox156.TString>>;
+      }>>;
+      api: _sinclair_typebox156.TObject<{
+        prefix: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        links: _sinclair_typebox156.TArray<_sinclair_typebox156.TObject<{
+          name: _sinclair_typebox156.TString;
+          group: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          path: _sinclair_typebox156.TString;
+          method: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          requestBodyType: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          service: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        }>>;
+      }>;
     }>;
   }>;
-  readonly callback: _alepha_server0.RouteDescriptor<{
-    query: _sinclair_typebox0.TObject<{
-      provider: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  /**
+   * Refresh a token for internal providers.
+   */
+  readonly refresh: _alepha_server0.RouteDescriptor<{
+    query: _sinclair_typebox156.TObject<{
+      provider: _sinclair_typebox156.TString;
+    }>;
+    body: _sinclair_typebox156.TObject<{
+      refresh_token: _sinclair_typebox156.TString;
+      access_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    }>;
+    response: _sinclair_typebox156.TObject<{
+      provider: _sinclair_typebox156.TString;
+      access_token: _sinclair_typebox156.TString;
+      issued_at: _sinclair_typebox156.TNumber;
+      expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      refresh_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      refresh_token_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      refresh_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      id_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      scope: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      realm: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
     }>;
   }>;
   /**
-   *
-   * @param accessToken
-   * @protected
-   */
-  protected userFromAccessToken(accessToken: string): {
-    id: any;
-    name: any;
-    email: any;
-    picture: any;
-  } | undefined;
-  readonly logout: _alepha_server0.RouteDescriptor<{
-    query: _sinclair_typebox0.TObject<{
-      redirect: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-      provider: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+   * Login for local password-based authentication.
+   */
+  readonly token: _alepha_server0.RouteDescriptor<{
+    query: _sinclair_typebox156.TObject<{
+      provider: _sinclair_typebox156.TString;
+    }>;
+    body: _sinclair_typebox156.TObject<{
+      username: _sinclair_typebox156.TString;
+      password: _sinclair_typebox156.TString;
+    }>;
+    response: _sinclair_typebox156.TObject<{
+      provider: _sinclair_typebox156.TString;
+      access_token: _sinclair_typebox156.TString;
+      issued_at: _sinclair_typebox156.TNumber;
+      expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      refresh_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      refresh_token_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      refresh_expires_in: _sinclair_typebox156.TOptional<_sinclair_typebox156.TNumber>;
+      id_token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      scope: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      token: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      realm: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+      user: _sinclair_typebox156.TObject<{
+        id: _sinclair_typebox156.TString;
+        name: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        email: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        username: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        picture: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        sessionId: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        organizations: _sinclair_typebox156.TOptional<_sinclair_typebox156.TArray<_sinclair_typebox156.TString>>;
+        roles: _sinclair_typebox156.TOptional<_sinclair_typebox156.TArray<_sinclair_typebox156.TString>>;
+      }>;
+      api: _sinclair_typebox156.TObject<{
+        prefix: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        links: _sinclair_typebox156.TArray<_sinclair_typebox156.TObject<{
+          name: _sinclair_typebox156.TString;
+          group: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          path: _sinclair_typebox156.TString;
+          method: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          requestBodyType: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+          service: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+        }>>;
+      }>;
     }>;
   }>;
   /**
-   *
-   * @param name
-   * @protected
-   */
-  protected provider(name?: string): Promise<{
-    client: Configuration;
-    name: string;
-    redirectUri: string;
-    fallback?: () => Async<AccessToken>;
-    useIdToken?: boolean;
-    logoutUri?: string;
+   * Oauth2/OIDC login route.
+   */
+  readonly login: _alepha_server0.RouteDescriptor<{
+    query: _sinclair_typebox156.TObject<{
+      provider: _sinclair_typebox156.TString;
+      redirect_uri: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    }>;
   }>;
   /**
-   *
-   * @param file
-   * @protected
+   * Callback for OAuth2/OIDC providers.
+   * It handles the authorization code flow and retrieves the access token.
    */
-  protected isViteFile(file: string): boolean;
-}
-interface SessionTokens {
-  access_token?: string;
-  expires_in?: number;
-  refresh_token?: string;
-  id_token?: string;
-  scope?: string;
-  issued_at?: number;
-  provider?: string;
+  readonly callback: _alepha_server0.RouteDescriptor<_alepha_server0.RequestConfigSchema>;
+  /**
+   * Logout route for OAuth2/OIDC providers.
+   */
+  readonly logout: _alepha_server0.RouteDescriptor<{
+    query: _sinclair_typebox156.TObject<{
+      post_logout_redirect_uri: _sinclair_typebox156.TOptional<_sinclair_typebox156.TString>;
+    }>;
+  }>;
+  protected provider(opts: string | {
+    provider: string;
+  }): AuthDescriptor;
+  protected setTokens(tokens: Tokens, cookies?: Cookies): void;
 }
-interface AuthProvider {
-  name: string;
-  redirectUri: string;
-  client: {
-    get: () => Promise<Configuration>;
+interface OAuth2Profile {
+  sub: string;
+  email?: string;
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+  middle_name?: string;
+  nickname?: string;
+  preferred_username?: string;
+  profile?: string;
+  picture?: string;
+  website?: string;
+  email_verified?: boolean;
+  gender?: string;
+  birthdate?: string;
+  zoneinfo?: string;
+  locale?: string;
+  phone_number?: string;
+  phone_number_verified?: boolean;
+  address?: {
+    formatted?: string;
+    street_address?: string;
+    locality?: string;
+    region?: string;
+    postal_code?: string;
+    country?: string;
   };
+  updated_at?: number;
+  [key: string]: unknown;
+}
+//#endregion
+//#region src/descriptors/$auth.d.ts
+declare const $auth: {
+  (options: AuthDescriptorOptions): AuthDescriptor;
+  [KIND]: typeof AuthDescriptor;
+};
+type AuthDescriptorOptions = {
+  /**
+   * Name of the identity provider.
+   * If not provided, it will be derived from the property key.
+   */
+  name?: string;
+  /**
+   * If true, auth provider will be skipped.
+   */
+  disabled?: boolean;
+} & (AuthExternal | AuthInternal);
+/**
+ * When you let an external service handle authentication. (e.g. Keycloak, Auth0, etc.)
+ */
+type AuthExternal = {
+  /**
+   * Only OIDC is supported for external authentication.
+   */
+  oidc: OidcOptions;
+  /**
+   * For anonymous access, this will expect a service account access token.
+   *
+   * ```ts
+   * class App {
+   *   anonymous = $serviceAccount(...);
+   *   auth = $auth({
+   *     // ... config ...
+   *     fallback: this.anonymous,
+   *   })
+   * }
+   * ```
+   */
   fallback?: () => Async<AccessToken>;
+};
+/**
+ * When using your own authentication system, e.g. using a database to store user accounts.
+ * This is usually used with a custom login form.
+ *
+ * This relies on the `realm`, which is used to create/verify the access token.
+ */
+type AuthInternal = {
+  realm: RealmDescriptor;
+} & ({
+  /**
+   * The common username/password authentication.
+   *
+   * - It uses the OAuth2 Client Credentials flow to obtain an access token.
+   *
+   * This is usually used with a custom login form on your website or mobile app.
+   */
+  credentials: CredentialsOptions;
+} | {
+  /**
+   * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
+   *
+   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
+   *
+   * This is usually used with a login button that redirects to the OAuth2 provider.
+   */
+  oauth: OAuth2Options;
+} | {
+  /**
+   * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
+   * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
+   *
+   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
+   * - PCKE (Proof Key for Code Exchange) is recommended for security.
+   *
+   * This is usually used with a login button that redirects to the OIDC provider.
+   */
+  oidc: OidcOptions;
+});
+type CredentialsOptions = {
+  account: (credentials: {
+    username: string;
+    password: string;
+  }) => Async<UserAccount>;
+};
+interface OidcOptions {
+  /**
+   * URL of the OIDC issuer.
+   */
+  issuer: string;
+  /**
+   * Client ID for the OIDC client.
+   */
+  clientId: string;
+  /**
+   * Client secret for the OIDC client.
+   * Optional if PKCE (Proof Key for Code Exchange) is used.
+   */
+  clientSecret?: string;
+  /**
+   * Redirect URI for the OIDC client.
+   * This is where the user will be redirected after authentication.
+   */
+  redirectUri?: string;
+  /**
+   * For external auth providers only.
+   * Take the ID token instead of the access token for validation.
+   */
   useIdToken?: boolean;
+  /**
+   * URI to redirect the user after logout.
+   */
   logoutUri?: string;
+  /**
+   * Optional scope for the OIDC client.
+   * @default "openid profile email".
+   */
+  scope?: string;
+  account?: (tokens: {
+    access_token: string;
+    user: OAuth2Profile;
+    id_token?: string;
+    expires_in?: number;
+    scope?: string;
+  }) => Async<UserAccount>;
 }
-interface ReactUser {
-  id: string;
-  name?: string;
-  email?: string;
+interface OAuth2Options {
+  /**
+   * URL of the OAuth2 authorization endpoint.
+   */
+  clientId: string;
+  /**
+   * Client secret for the OAuth2 client.
+   */
+  clientSecret: string;
+  /**
+   * URL of the OAuth2 authorization endpoint.
+   */
+  authorization: string;
+  /**
+   * URL of the OAuth2 token endpoint.
+   */
+  token: string;
+  /**
+   * Function to retrieve user profile information from the OAuth2 tokens.
+   */
+  userinfo: (tokens: Tokens) => Async<OAuth2Profile>;
+  account?: (tokens: {
+    access_token: string;
+    user: OAuth2Profile;
+    id_token?: string;
+    expires_in?: number;
+    scope?: string;
+  }) => Async<UserAccount>;
+  /**
+   * URL of the OAuth2 authorization endpoint.
+   */
+  redirectUri?: string;
+  /**
+   * URL of the OAuth2 authorization endpoint.
+   */
+  scope?: string;
 }
-//# sourceMappingURL=ReactAuthProvider.d.ts.map
-//#endregion
-//#region src/hooks/useAuth.d.ts
-declare const useAuth: () => AuthHook;
-interface AuthHook {
-  user?: UserAccountToken;
-  logout: () => void;
-  login: (provider?: string) => void;
-  can: <T extends object>(name: keyof HttpVirtualClient<T>) => boolean;
+declare class AuthDescriptor extends Descriptor<AuthDescriptorOptions> {
+  protected readonly securityProvider: SecurityProvider;
+  protected readonly dateTimeProvider: DateTimeProvider;
+  oauth?: Configuration;
+  get name(): string;
+  get jwks_uri(): string;
+  get scope(): string | undefined;
+  get redirect_uri(): string | undefined;
+  /**
+   * Refreshes the access token using the refresh token.
+   * Can be used on oauth2, oidc or credentials auth providers.
+   */
+  refresh(refreshToken: string, accessToken?: string): Promise<AccessTokenResponse>;
+  /**
+   * Extracts user information from the access token.
+   * This is used to create a user account from the access token.
+   */
+  user(tokens: Tokens): Promise<UserAccount>;
+  protected getUserFromIdToken(idToken: string): OAuth2Profile;
+  prepare(): Promise<void>;
 }
-//# sourceMappingURL=useAuth.d.ts.map
+type AccessToken = string | {
+  token: () => Async<string>;
+};
 //#endregion
-//#region src/services/ReactAuth.d.ts
-declare class ReactAuth {
-  protected readonly log: _alepha_core4.Logger;
-  protected readonly alepha: Alepha;
-  protected readonly client: HttpClient;
-  static path: {
-    login: string;
-    callback: string;
-    logout: string;
-  };
-  readonly onRender: _alepha_core4.HookDescriptor<"react:transition:begin">;
-  get user(): UserAccountToken | undefined;
-  protected getUserFromCookies(): UserAccountToken | undefined;
-  login(): void;
-  logout(): void;
+//#region src/errors/SessionExpiredError.d.ts
+declare class SessionExpiredError extends AlephaError {
+  readonly name = "SessionExpiredError";
+  readonly status = 401;
 }
-//# sourceMappingURL=ReactAuth.d.ts.map
+//#endregion
+//#region src/hooks/useAuth.d.ts
+declare const useAuth: <T extends object = any>() => {
+  user: {
+    name?: string | undefined;
+    email?: string | undefined;
+    username?: string | undefined;
+    picture?: string | undefined;
+    sessionId?: string | undefined;
+    organizations?: string[] | undefined;
+    roles?: string[] | undefined;
+    id: string;
+  } | undefined;
+  logout: () => void;
+  login: (provider: keyof T, options?: {
+    username?: string;
+    password?: string;
+    redirect?: string;
+    [extra: string]: any;
+  }) => Promise<void>;
+  can: <Api extends object = any>(name: keyof HttpVirtualClient<Api>) => boolean;
+};
 //#endregion
 //#region src/index.d.ts
-declare module "alepha/react" {
-  interface PageReactContext {
-    user?: UserAccountToken;
+declare module "alepha" {
+  interface State {
+    user?: UserAccount;
   }
-  interface ReactHydrationState {
-    user?: ReactUser;
+}
+declare module "alepha/react" {
+  interface ReactRouterState {
+    user?: UserAccount;
   }
 }
 /**
@@ -190,9 +499,7 @@ declare module "alepha/react" {
  * @see {@link ReactAuthProvider}
  * @module alepha.react.auth
  */
-declare const AlephaReactAuth: _alepha_core0.ModuleDescriptor;
-//# sourceMappingURL=index.d.ts.map
-
+declare const AlephaReactAuth: _alepha_core4.Service<_alepha_core4.Module>;
 //#endregion
-export { $auth, AccessToken, AlephaReactAuth, AuthDescriptor, AuthDescriptorOptions, AuthHook, AuthProvider, ReactAuth, ReactAuthProvider, ReactUser, SessionTokens, useAuth };
+export { $auth, AccessToken, AlephaReactAuth, AuthDescriptor, AuthDescriptorOptions, AuthExternal, AuthInternal, CredentialsOptions, OAuth2Options, OAuth2Profile, OidcOptions, ReactAuth, ReactAuthProvider, SessionExpiredError, useAuth };
 //# sourceMappingURL=index.d.ts.map