auth0-actions 0.0.1

package/dist/index.d.ts

@@ -0,0 +1,478 @@
+export interface PostLoginEvent<TSecret, TAppMetadata, TUserMetadata> {
+    authentication?: AuthenticationInfoWithRiskAssessment;
+    authorization?: AuthorizationInfo;
+    cancelable?: boolean;
+    client?: Client;
+    configuration?: Configuration;
+    connection?: Connection;
+    organization?: Organization;
+    request?: RequestBase;
+    resource_server?: ResourceServer;
+    secrets?: TSecret;
+    stats?: Stats;
+    tenant?: Tenant;
+    transaction?: Transaction;
+    user?: UserBase<TAppMetadata, TUserMetadata>;
+}
+/**
+ * Details about authentication signals obtained during the login flow.
+ */
+interface AuthenticationInfoWithRiskAssessment {
+    /** Contains the authentication methods a user has completed during their session. */
+    methods: AuthenticationMethod[];
+    riskAssessment?: RiskAssessmentInfo;
+}
+interface AuthenticationMethod {
+    /**
+     * The name of the first factor that was completed. Values include the following:
+     */
+    name: AuthenticationMethods | string;
+    timestamp: string;
+    type: string;
+}
+declare enum AuthenticationMethods {
+    /** A social or enterprise connection was used to authenticate the user as the first factor. */
+    federated = "federated",
+    /**  */
+    passkey = "passkey",
+    /** A database connection was used to authenticate the user as the first factor. */
+    pwd = "pwd",
+    /** A Passwordless SMS connection was used to authenticate the user as the first factor. */
+    sms = "sms",
+    /** A Passwordless Email connection was used to authenticate the user as the first factor or verify email for password reset. */
+    email = "email",
+    /**  */
+    mfa = "mfa",
+    mock = "mock"
+}
+interface AuthorizationInfo {
+    roles: string[];
+}
+interface Client {
+    clientId: string;
+    metadata: {
+        [additionalProperties: string]: string;
+    };
+    name: string;
+    strategy: string;
+}
+interface Configuration {
+}
+interface Connection {
+    /**
+     * The connection's identifier
+    */
+    id: string;
+    /**
+     * Metadata associated with the connection in the form of an object with string values (max 255 chars).  Maximum of 10 metadata properties allowed.
+     */
+    metadata: {
+        [key: string]: any;
+    };
+    /**
+     * The name of the connection
+     */
+    name: string;
+    /**
+     * The type of the connection, related to the identity provider
+     */
+    strategy: ConnectionStrategies;
+}
+declare enum ConnectionStrategies {
+    ad = "ad",
+    adfs = "adfs",
+    amazon = "amazon",
+    apple = "apple",
+    dropbox = "dropbox",
+    bitbucket = "bitbucket",
+    aol = "aol",
+    auth0_oidc = "auth0-oidc",
+    auth0 = "auth0",
+    baidu = "baidu",
+    bitly = "bitly",
+    box = "box",
+    custom = "custom",
+    daccount = "daccount",
+    dwolla = "dwolla",
+    email = "email",
+    evernote_sandbox = "evernote-sandbox",
+    evernote = "evernote",
+    exact = "exact",
+    facebook = "facebook",
+    fitbit = "fitbit",
+    flickr = "flickr",
+    github = "github",
+    google_apps = "google-apps",
+    google_oauth2 = "google-oauth2",
+    instagram = "instagram",
+    ip = "ip",
+    line = "line",
+    linkedin = "linkedin",
+    miicard = "miicard",
+    oauth1 = "oauth1",
+    oauth2 = "oauth2",
+    office365 = "office365",
+    oidc = "oidc",
+    okta = "okta",
+    paypal = "paypal",
+    paypal_sandbox = "paypal-sandbox",
+    pingfederate = "pingfederate",
+    planningcenter = "planningcenter",
+    renren = "renren",
+    salesforce_community = "salesforce-community",
+    salesforce_sandbox = "salesforce-sandbox",
+    salesforce = "salesforce",
+    samlp = "samlp",
+    sharepoint = "sharepoint",
+    shopify = "shopify",
+    sms = "sms",
+    soundcloud = "soundcloud",
+    thecity_sandbox = "thecity-sandbox",
+    thecity = "thecity",
+    thirtysevensignals = "thirtysevensignals",
+    twitter = "twitter",
+    untappd = "untappd",
+    vkontakte = "vkontakte",
+    waad = "waad",
+    weibo = "weibo",
+    windowslive = "windowslive",
+    wordpress = "wordpress",
+    yahoo = "yahoo",
+    yammer = "yammer",
+    yandex = "yandex"
+}
+interface GeoIP {
+    cityName: string;
+    continentCode: string;
+    countryCode3: string;
+    countryCode: string;
+    countryName: string;
+    latitude: number;
+    longitude: number;
+    subdivisionCode: string;
+    subdivisionName: string;
+    timeZone: string;
+}
+interface Identity {
+    connection: string;
+    isSocial: boolean;
+    provider: string;
+    userId: string;
+    user_id: string;
+}
+interface Organization {
+    display_name: string;
+    /**
+     * The Organization's identifier.
+    */
+    id: string;
+    /**
+     * Metadata associated with the Organization.
+     */
+    metadata: {
+        [key: string]: any;
+    };
+    /**
+     * The name of the Organization.
+     */
+    name: string;
+}
+interface Query {
+    audience: string;
+    client_id: string;
+    code_challenge: string;
+    code_challenge_method: string;
+    prompt: string;
+    redirect_uri: string;
+    response_mode: string;
+    response_type: string;
+    scope: string;
+    state: string;
+}
+interface RequestBase {
+    ip: string;
+    method: string;
+    query: Query;
+    body: RequestBody;
+    geoip: GeoIP;
+    hostname: string;
+    user_agent: string;
+}
+interface RequestBody {
+}
+interface ResourceServer {
+    identifier: string;
+}
+interface RiskAssessmentInfo {
+    confidence: "low" | "medium" | "high" | "neutral";
+    version: string;
+}
+interface Stats {
+    logins_count: number;
+}
+interface Tenant {
+    id: string;
+}
+interface Transaction {
+    acr_values: any[];
+    linking_id?: string;
+    locale: string;
+    login_hint?: string;
+    prompt: string[];
+    protocol?: TransactionProtocols;
+    redirect_uri?: string;
+    requested_scopes: string[];
+    response_mode?: string;
+    response_type?: string[];
+    state?: string;
+    ui_locales: string[];
+}
+declare enum TransactionProtocols {
+    oidc_basic = "oidc-basic-profile",
+    oidc_hybrid = "oidc-hybrid",
+    oidc_implicit = "oidc-implicit-profile",
+    samlp = "samlp",
+    wsfed = "wsfed",
+    wstrust_usernamemixed = "wstrust-usernamemixed",
+    oauth2_device_code = "oauth2-device-code",
+    oauth2_resource_owner = "oauth2-resource-owner",
+    oauth2_jwt_bearer = "oauth2-resource-owner-jwt-bearer",
+    oauth2_password = "oauth2-password",
+    oauth2_access_token = "oauth2-access-token",
+    oauth2_refresh_token = "oauth2-refresh-token",
+    oauth2_token_exchange = "oauth2-token-exchange"
+}
+export interface UserBase<AppMetadata, UserMetadata> {
+    app_metadata: AppMetadata;
+    created_at: string;
+    email: string;
+    email_verified: boolean;
+    family_name: string;
+    given_name: string;
+    identities: Identity[];
+    last_password_reset?: string;
+    multifactor?: string[];
+    name: string;
+    nickname: string;
+    phone_number?: string;
+    phone_verified?: boolean;
+    picture: string;
+    updated_at: string;
+    user_id: string;
+    user_metadata: UserMetadata;
+    username?: string;
+}
+export interface PostLoginApi {
+    /** Modify the user's login access, such as by rejecting the login attempt. */
+    access: LoginAccessManager;
+    /** Request changes to the access token being issued. */
+    accessToken: AccessTokenManager;
+    authentication: AuthenticationManager;
+    /** Store and retrieve data that persists across executions. */
+    cache: CacheManager;
+    /** Request changes to the ID token being issued. */
+    idToken: IdTokenManager;
+    /**  */
+    multifactor: MultifactorManager;
+    /**  */
+    redirect: RedirectManager;
+    /**  */
+    user: UserManager;
+}
+export interface AccessTokenManager {
+    /**
+     * Add a scope on the Access Token that will be issued upon completion of the login flow.
+     * @param scope The scope to be added.
+     */
+    addScope(scope: string): PostLoginApi;
+    /**
+     * Remove a scope on the Access Token that will be issued upon completion of the login flow.
+     * @param scope The scope to be removed.
+     */
+    removeScope(scope: string): PostLoginApi;
+    /**
+     * Set a custom claim on the Access Token that will be issued upon completion of the login flow.
+     * @param name Name of the claim (note that this may need to be a fully-qualified URL).
+     * @param value The value of the claim.
+     */
+    setCustomClaim(name: string, value: any): PostLoginApi;
+}
+export interface AuthenticationManager {
+    /**
+     * Indicate that a custom authentication method has been completed in the current session. This method will then be available in the
+     * `event.authentication.methods` array in subsequent logins.
+     *
+     * Important: This API is only available from within the onContinuePostLogin function for PostLogin Actions. In other words, this may
+     * be used to record the completion of a custom authentication method after redirecting the user via api.redirect.sendUserTo().
+     *
+     * @param provider_url
+     */
+    recordMethod(provider_url: string): PostLoginApi;
+    /**
+     * Challenge the user with one or more specified multifactor authentication factors. This method presents the default challenge first,
+     * then allows the user to select a different option if additional factors have been supplied. If the user has not enrolled in any of
+     * the factors supplied (including both the default and any additional factors), the command fails.
+     *
+     * Note: This method overrides existing policies and rules that enable or disable MFA in a tenant.
+     * @param factor Used to specify the default MFA factor or factors used to challenge the user.
+     * @param options An object containing the optional additionalFactors field.
+     */
+    challengeWith(factor: ChallengeFactor, options: ChallengeOptions): void;
+    /**
+     * Trigger an MFA challenge and allow the user to select their preferred factor from the supplied list. This method presents a factor picker to the user rather than a specific challenge, in accordance with the following conditions:
+     * - If two or more factors are specified, a factor picker displays to the user.
+     * - If the user has only enrolled in one of the specified factors (or only one factor is specified), the factor picker is skipped.
+     * - If the user has not enrolled in any of the specified factors, the challenge command fails.
+     * Note: This method overrides existing policies and rules that enable or disable MFA in a tenant.
+     * @param factors
+     */
+    challengeWithAny(factors: ChallengeFactor[]): void;
+}
+export interface CacheManager {
+    /**
+     * Delete a record describing a cached value at the supplied key if it exists.
+     * @param key
+     */
+    delete(key: string): CacheWriteResult;
+    /**
+     * Retrieve a record describing a cached value at the supplied key, if it exists. If a record is found, the cached value can be found at the value
+     * property of the returned object.
+     * @param key The key of the record stored in the cache.
+     */
+    get(key: string): CacheRecord;
+    /**
+     *
+     * @param key The value of the record to be stored.
+     * @param value The value of the record to be stored.
+     * @param options Options for adjusting cache behavior.
+     */
+    set(key: string, value: any, options?: CacheOptions): void;
+}
+export interface CacheWriteResult {
+    type: 'success' | 'error';
+    code: string;
+}
+export interface CacheRecord {
+    /** The object stored in the Cache. */
+    value: any;
+    /** The maximum expiry of the record in milliseconds since the Unix epoch. */
+    expires_at: number;
+}
+export interface CacheOptions {
+    /**
+     * The absolute expiry time in milliseconds since the unix epoch. While cached records may be evicted earlier, they will never remain beyond the the supplied expires_at.
+     * NOTE: This value should not be supplied if a value was also provided for ttl. If both options are supplied, the earlier expiry of the two will be used.
+     */
+    expires_at?: number;
+    /**
+     * The time-to-live value of this cache entry in milliseconds. While cached values may be evicted earlier, they will never remain beyond the the supplied ttl.
+     * NOTE: This value should not be supplied if a value was also provided for expires_at. If both options are supplied, the earlier expiry of the two will be used.
+     */
+    ttl?: number;
+}
+export interface ChallengeFactor {
+    type: ChallengeTypes;
+    /**
+     * When set to true, the user cannot use the OTP fallback option of the push notification factor. (Developer's note: This makes no sense.)
+     * Only used for @see ChallengeTypes.push_notification.
+     */
+    otpFallback?: boolean;
+    /**
+     * Only used for @see ChallengeTypes.phone.
+     */
+    preferredMethod?: 'voice' | 'phone' | 'both';
+}
+export interface ChallengeOptions {
+    additionalFactors: ChallengeFactor[];
+}
+export declare enum ChallengeTypes {
+    otp = "otp",
+    email = "email",
+    phone = "phone",
+    push_notification = "push-notification",
+    webauthn_platform = "webauthn-platform",
+    webauthn_roaming = "webauthn-roaming"
+}
+export interface DuoMultifactorOptions {
+    host: string;
+    ikey: string;
+    skey: string;
+}
+export interface EncodeTokenOptions {
+    expiresInSeconds: number;
+    payload: any;
+    /**
+     * A secret that will be used to sign a JWT that is shared with the redirect target.
+     * The secret value should be stored as a secret and retrieved using event.secrets['SECRET_NAME']
+     */
+    secret: string;
+}
+export interface IdTokenManager {
+    /**
+     * Set a custom claim on the ID token that will be issued upon completion of the login flow.
+     * @param name Name of the claim (note that this may need to be a fully-qualified URL).
+     * @param value The value of the claim.
+     */
+    setCustomClaim(name: string, value: any): PostLoginApi;
+}
+export interface LoginAccessManager {
+    /**
+     * Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related
+     * side effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action
+     * and no further Actions will be executed.
+     * @param reason A human-readable explanation for rejecting the login. This may be presented directly in end-user interfaces.
+     */
+    deny(reason: string): PostLoginApi;
+}
+export interface MultifactorManager {
+    /**
+     *
+     * @param provider
+     * @param options
+     */
+    enable(provider: 'any' | 'duo' | 'google-authenticator' | 'guardian' | 'none', options: MultifactorOptions): PostLoginApi;
+}
+export interface MultifactorOptions {
+    allowRememberBrowser?: boolean;
+    providerOptions?: DuoMultifactorOptions;
+}
+export interface RedirectManager {
+    /**
+     *
+     * @param options
+     */
+    encodeToken(options: EncodeTokenOptions): string;
+    /**
+     *
+     * @param url
+     * @param options
+     */
+    sendUserTo(url: string, options: {
+        query: string;
+    }): PostLoginApi;
+    /**
+     *
+     * @param options
+     */
+    validateToken(options: ValidateTokenOptions): string;
+}
+export interface UserManager {
+    /**
+     *
+     * @param name
+     * @param value
+     */
+    setAppMetadata(name: string, value: any): PostLoginApi;
+    /**
+     *
+     * @param name
+     * @param value
+     */
+    setUserMetadata(name: string, value: any): PostLoginApi;
+}
+export interface ValidateTokenOptions {
+    secret: string;
+    tokenParameterName: string;
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,aAAa;IAEhE,cAAc,CAAC,EAAE,oCAAoC,CAAA;IAErD,aAAa,CAAC,EAAE,iBAAiB,CAAC;IAElC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,eAAe,CAAC,EAAE,cAAc,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,IAAI,CAAC,EAAE,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;CAChD;AAID;;GAEG;AACH,UAAU,oCAAoC;IAE1C,qFAAqF;IACrF,OAAO,EAAE,oBAAoB,EAAE,CAAC;IAEhC,cAAc,CAAC,EAAE,kBAAkB,CAAC;CACvC;AAED,UAAU,oBAAoB;IAC1B;;OAEG;IACH,IAAI,EAAE,qBAAqB,GAAG,MAAM,CAAC;IAErC,SAAS,EAAE,MAAM,CAAC;IAGlB,IAAI,EAAE,MAAM,CAAC;CAChB;AAED,aAAK,qBAAqB;IAEtB,+FAA+F;IAC/F,SAAS,cAAc;IAEvB,OAAO;IACP,OAAO,YAAY;IAEnB,mFAAmF;IACnF,GAAG,QAAQ;IAEX,2FAA2F;IAC3F,GAAG,QAAQ;IAEX,gIAAgI;IAChI,KAAK,UAAU;IAEf,OAAO;IACP,GAAG,QAAQ;IAGX,IAAI,SAAS;CAChB;AAED,UAAU,iBAAiB;IACvB,KAAK,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,UAAU,MAAM;IAGZ,QAAQ,EAAE,MAAM,CAAC;IAGjB,QAAQ,EAAE;QAAE,CAAC,oBAAoB,EAAE,MAAM,GAAG,MAAM,CAAC;KAAE,CAAC;IAGtD,IAAI,EAAE,MAAM,CAAC;IAEb,QAAQ,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,aAAa;CAEtB;AAED,UAAU,UAAU;IAEhB;;MAEE;IACF,EAAE,EAAE,MAAM,CAAC;IAEX;;OAEG;IACH,QAAQ,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,CAAC;IAEjC;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,QAAQ,EAAE,oBAAoB,CAAC;CAElC;AAED,aAAK,oBAAoB;IACrB,EAAE,OAAO;IACT,IAAI,SAAS;IACb,MAAM,WAAW;IACjB,KAAK,UAAU;IACf,OAAO,YAAY;IACnB,SAAS,cAAc;IACvB,GAAG,QAAQ;IACX,UAAU,eAAe;IACzB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,UAAU;IACf,GAAG,QAAQ;IACX,MAAM,WAAW;IACjB,QAAQ,aAAa;IACrB,MAAM,WAAW;IACjB,KAAK,UAAU;IACf,gBAAgB,qBAAqB;IACrC,QAAQ,aAAa;IACrB,KAAK,UAAU;IACf,QAAQ,aAAa;IACrB,MAAM,WAAW;IACjB,MAAM,WAAW;IACjB,MAAM,WAAW;IACjB,WAAW,gBAAgB;IAC3B,aAAa,kBAAkB;IAC/B,SAAS,cAAc;IACvB,EAAE,OAAO;IACT,IAAI,SAAS;IACb,QAAQ,aAAa;IACrB,OAAO,YAAY;IACnB,MAAM,WAAW;IACjB,MAAM,WAAW;IACjB,SAAS,cAAc;IACvB,IAAI,SAAS;IACb,IAAI,SAAS;IACb,MAAM,WAAW;IACjB,cAAc,mBAAmB;IACjC,YAAY,iBAAiB;IAC7B,cAAc,mBAAmB;IACjC,MAAM,WAAW;IACjB,oBAAoB,yBAAyB;IAC7C,kBAAkB,uBAAuB;IACzC,UAAU,eAAe;IACzB,KAAK,UAAU;IACf,UAAU,eAAe;IACzB,OAAO,YAAY;IACnB,GAAG,QAAQ;IACX,UAAU,eAAe;IACzB,eAAe,oBAAoB;IACnC,OAAO,YAAY;IACnB,kBAAkB,uBAAuB;IACzC,OAAO,YAAY;IACnB,OAAO,YAAY;IACnB,SAAS,cAAc;IACvB,IAAI,SAAS;IACb,KAAK,UAAU;IACf,WAAW,gBAAgB;IAC3B,SAAS,cAAc;IACvB,KAAK,UAAU;IACf,MAAM,WAAW;IACjB,MAAM,WAAW;CACpB;AAED,UAAU,KAAK;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,EAAE,MAAM,CAAA;IACrB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,eAAe,EAAE,MAAM,CAAA;IACvB,eAAe,EAAE,MAAM,CAAA;IACvB,QAAQ,EAAE,MAAM,CAAA;CACnB;AAED,UAAU,QAAQ;IACd,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,OAAO,CAAA;IACjB,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;CAClB;AAED,UAAU,YAAY;IAGlB,YAAY,EAAE,MAAM,CAAC;IAErB;;MAEE;IACF,EAAE,EAAE,MAAM,CAAC;IAEX;;OAEG;IACH,QAAQ,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,CAAC;IAEjC;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;CAEhB;AAED,UAAU,KAAK;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,cAAc,EAAE,MAAM,CAAA;IACtB,qBAAqB,EAAE,MAAM,CAAA;IAC7B,MAAM,EAAE,MAAM,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,aAAa,EAAE,MAAM,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;IACb,KAAK,EAAE,MAAM,CAAA;CAChB;AAED,UAAU,WAAW;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,KAAK,CAAC;IACb,IAAI,EAAE,WAAW,CAAC;IAClB,KAAK,EAAE,KAAK,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,UAAU,WAAW;CAAI;AAEzB,UAAU,cAAc;IACpB,UAAU,EAAE,MAAM,CAAA;CACrB;AAED,UAAU,kBAAkB;IACxB,UAAU,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;IAClD,OAAO,EAAE,MAAM,CAAC;CACnB;AAED,UAAU,KAAK;IACX,YAAY,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,MAAM;IACZ,EAAE,EAAE,MAAM,CAAA;CACb;AACD,UAAU,WAAW;IACjB,UAAU,EAAE,GAAG,EAAE,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,QAAQ,CAAC,EAAE,oBAAoB,CAAA;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,aAAK,oBAAoB;IACrB,UAAU,uBAAuB;IAEjC,WAAW,gBAAgB;IAC3B,aAAa,0BAA0B;IACvC,KAAK,UAAU;IACf,KAAK,UAAU;IACf,qBAAqB,0BAA0B;IAC/C,kBAAkB,uBAAuB;IACzC,qBAAqB,0BAA0B;IAC/C,iBAAiB,qCAAqC;IACtD,eAAe,oBAAoB;IACnC,mBAAmB,wBAAwB;IAC3C,oBAAoB,yBAAyB;IAC7C,qBAAqB,0BAA0B;CAClD;AAGD,MAAM,WAAW,QAAQ,CAAC,WAAW,EAAE,YAAY;IAC/C,YAAY,EAAE,WAAW,CAAA;IACzB,UAAU,EAAE,MAAM,CAAA;IAClB,KAAK,EAAE,MAAM,CAAA;IACb,cAAc,EAAE,OAAO,CAAA;IACvB,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,EAAE,QAAQ,EAAE,CAAA;IACtB,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,EAAE,YAAY,CAAA;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAA;CACpB;AAMD,MAAM,WAAW,YAAY;IAEzB,8EAA8E;IAC9E,MAAM,EAAE,kBAAkB,CAAC;IAE3B,wDAAwD;IACxD,WAAW,EAAE,kBAAkB,CAAC;IAEhC,cAAc,EAAE,qBAAqB,CAAC;IAEtC,+DAA+D;IAC/D,KAAK,EAAE,YAAY,CAAC;IAEpB,oDAAoD;IACpD,OAAO,EAAE,cAAc,CAAC;IAExB,OAAO;IACP,WAAW,EAAE,kBAAkB,CAAC;IAEhC,OAAO;IACP,QAAQ,EAAE,eAAe,CAAC;IAE1B,OAAO;IACP,IAAI,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IAE/B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAEtC;;;OAGG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IAEzC;;;;OAIG;IACH,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,YAAY,CAAC;CAC1D;AAED,MAAM,WAAW,qBAAqB;IAElC;;;;;;;;OAQG;IACH,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,YAAY,CAAC;IAEjD;;;;;;;;OAQG;IACH,aAAa,CAAC,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAAA;IAEvE;;;;;;;OAOG;IACH,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,IAAI,CAAA;CACrD;AAED,MAAM,WAAW,YAAY;IAEzB;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAC;IAEtC;;;;OAIG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAAA;IAE7B;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,IAAI,CAAA;CAE7D;AAED,MAAM,WAAW,gBAAgB;IAC7B,IAAI,EAAE,SAAS,GAAG,OAAO,CAAA;IACzB,IAAI,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,WAAW;IAExB,sCAAsC;IACtC,KAAK,EAAE,GAAG,CAAA;IAEV,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,YAAY;IAEzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,eAAe;IAC5B,IAAI,EAAE,cAAc,CAAA;IAEpB;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;IAErB;;OAEG;IACH,eAAe,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,MAAM,CAAA;CAC/C;AAED,MAAM,WAAW,gBAAgB;IAC7B,iBAAiB,EAAE,eAAe,EAAE,CAAA;CACvC;AAED,oBAAY,cAAc;IACtB,GAAG,QAAQ;IACX,KAAK,UAAU;IACf,KAAK,UAAU;IACf,iBAAiB,sBAAsB;IACvC,iBAAiB,sBAAsB;IACvC,gBAAgB,qBAAqB;CACxC;AAED,MAAM,WAAW,qBAAqB;IAClC,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,kBAAkB;IAC/B,gBAAgB,EAAE,MAAM,CAAA;IACxB,OAAO,EAAE,GAAG,CAAC;IAEb;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAE3B;;;;OAIG;IACH,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,YAAY,CAAA;CACzD;AAED,MAAM,WAAW,kBAAkB;IAE/B;;;;;OAKG;IACH,IAAI,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAAC;CACtC;AAED,MAAM,WAAW,kBAAkB;IAE/B;;;;OAIG;IACH,MAAM,CAAC,QAAQ,EAAE,KAAK,GAAG,KAAK,GAAG,sBAAsB,GAAG,UAAU,GAAG,MAAM,EAAE,OAAO,EAAE,kBAAkB,GAAG,YAAY,CAAA;CAC5H;AAED,MAAM,WAAW,kBAAkB;IAC/B,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAC9B,eAAe,CAAC,EAAE,qBAAqB,CAAA;CAC1C;AAED,MAAM,WAAW,eAAe;IAE5B;;;OAGG;IACH,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,MAAM,CAAA;IAEhD;;;;OAIG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,YAAY,CAAA;IAEjE;;;OAGG;IACH,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CAAA;CACvD;AAED,MAAM,WAAW,WAAW;IAExB;;;;OAIG;IACH,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,YAAY,CAAA;IAEtD;;;;OAIG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,YAAY,CAAA;CAC1D;AAED,MAAM,WAAW,oBAAoB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,kBAAkB,EAAE,MAAM,CAAC;CAC9B"}

package/dist/index.js

@@ -0,0 +1,114 @@
+"use strict";
+//#region Post-Login Event
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChallengeTypes = void 0;
+var AuthenticationMethods;
+(function (AuthenticationMethods) {
+    /** A social or enterprise connection was used to authenticate the user as the first factor. */
+    AuthenticationMethods["federated"] = "federated";
+    /**  */
+    AuthenticationMethods["passkey"] = "passkey";
+    /** A database connection was used to authenticate the user as the first factor. */
+    AuthenticationMethods["pwd"] = "pwd";
+    /** A Passwordless SMS connection was used to authenticate the user as the first factor. */
+    AuthenticationMethods["sms"] = "sms";
+    /** A Passwordless Email connection was used to authenticate the user as the first factor or verify email for password reset. */
+    AuthenticationMethods["email"] = "email";
+    /**  */
+    AuthenticationMethods["mfa"] = "mfa";
+    /* "Used for internal testing. */
+    AuthenticationMethods["mock"] = "mock";
+})(AuthenticationMethods || (AuthenticationMethods = {}));
+var ConnectionStrategies;
+(function (ConnectionStrategies) {
+    ConnectionStrategies["ad"] = "ad";
+    ConnectionStrategies["adfs"] = "adfs";
+    ConnectionStrategies["amazon"] = "amazon";
+    ConnectionStrategies["apple"] = "apple";
+    ConnectionStrategies["dropbox"] = "dropbox";
+    ConnectionStrategies["bitbucket"] = "bitbucket";
+    ConnectionStrategies["aol"] = "aol";
+    ConnectionStrategies["auth0_oidc"] = "auth0-oidc";
+    ConnectionStrategies["auth0"] = "auth0";
+    ConnectionStrategies["baidu"] = "baidu";
+    ConnectionStrategies["bitly"] = "bitly";
+    ConnectionStrategies["box"] = "box";
+    ConnectionStrategies["custom"] = "custom";
+    ConnectionStrategies["daccount"] = "daccount";
+    ConnectionStrategies["dwolla"] = "dwolla";
+    ConnectionStrategies["email"] = "email";
+    ConnectionStrategies["evernote_sandbox"] = "evernote-sandbox";
+    ConnectionStrategies["evernote"] = "evernote";
+    ConnectionStrategies["exact"] = "exact";
+    ConnectionStrategies["facebook"] = "facebook";
+    ConnectionStrategies["fitbit"] = "fitbit";
+    ConnectionStrategies["flickr"] = "flickr";
+    ConnectionStrategies["github"] = "github";
+    ConnectionStrategies["google_apps"] = "google-apps";
+    ConnectionStrategies["google_oauth2"] = "google-oauth2";
+    ConnectionStrategies["instagram"] = "instagram";
+    ConnectionStrategies["ip"] = "ip";
+    ConnectionStrategies["line"] = "line";
+    ConnectionStrategies["linkedin"] = "linkedin";
+    ConnectionStrategies["miicard"] = "miicard";
+    ConnectionStrategies["oauth1"] = "oauth1";
+    ConnectionStrategies["oauth2"] = "oauth2";
+    ConnectionStrategies["office365"] = "office365";
+    ConnectionStrategies["oidc"] = "oidc";
+    ConnectionStrategies["okta"] = "okta";
+    ConnectionStrategies["paypal"] = "paypal";
+    ConnectionStrategies["paypal_sandbox"] = "paypal-sandbox";
+    ConnectionStrategies["pingfederate"] = "pingfederate";
+    ConnectionStrategies["planningcenter"] = "planningcenter";
+    ConnectionStrategies["renren"] = "renren";
+    ConnectionStrategies["salesforce_community"] = "salesforce-community";
+    ConnectionStrategies["salesforce_sandbox"] = "salesforce-sandbox";
+    ConnectionStrategies["salesforce"] = "salesforce";
+    ConnectionStrategies["samlp"] = "samlp";
+    ConnectionStrategies["sharepoint"] = "sharepoint";
+    ConnectionStrategies["shopify"] = "shopify";
+    ConnectionStrategies["sms"] = "sms";
+    ConnectionStrategies["soundcloud"] = "soundcloud";
+    ConnectionStrategies["thecity_sandbox"] = "thecity-sandbox";
+    ConnectionStrategies["thecity"] = "thecity";
+    ConnectionStrategies["thirtysevensignals"] = "thirtysevensignals";
+    ConnectionStrategies["twitter"] = "twitter";
+    ConnectionStrategies["untappd"] = "untappd";
+    ConnectionStrategies["vkontakte"] = "vkontakte";
+    ConnectionStrategies["waad"] = "waad";
+    ConnectionStrategies["weibo"] = "weibo";
+    ConnectionStrategies["windowslive"] = "windowslive";
+    ConnectionStrategies["wordpress"] = "wordpress";
+    ConnectionStrategies["yahoo"] = "yahoo";
+    ConnectionStrategies["yammer"] = "yammer";
+    ConnectionStrategies["yandex"] = "yandex";
+})(ConnectionStrategies || (ConnectionStrategies = {}));
+var TransactionProtocols;
+(function (TransactionProtocols) {
+    TransactionProtocols["oidc_basic"] = "oidc-basic-profile";
+    /*  Allows your application to have immediate access to an ID token while still providing for secure and safe retrieval of access and refresh tokens. */
+    TransactionProtocols["oidc_hybrid"] = "oidc-hybrid";
+    TransactionProtocols["oidc_implicit"] = "oidc-implicit-profile";
+    TransactionProtocols["samlp"] = "samlp";
+    TransactionProtocols["wsfed"] = "wsfed";
+    TransactionProtocols["wstrust_usernamemixed"] = "wstrust-usernamemixed";
+    TransactionProtocols["oauth2_device_code"] = "oauth2-device-code";
+    TransactionProtocols["oauth2_resource_owner"] = "oauth2-resource-owner";
+    TransactionProtocols["oauth2_jwt_bearer"] = "oauth2-resource-owner-jwt-bearer";
+    TransactionProtocols["oauth2_password"] = "oauth2-password";
+    TransactionProtocols["oauth2_access_token"] = "oauth2-access-token";
+    TransactionProtocols["oauth2_refresh_token"] = "oauth2-refresh-token";
+    TransactionProtocols["oauth2_token_exchange"] = "oauth2-token-exchange";
+})(TransactionProtocols || (TransactionProtocols = {}));
+var ChallengeTypes;
+(function (ChallengeTypes) {
+    ChallengeTypes["otp"] = "otp";
+    ChallengeTypes["email"] = "email";
+    ChallengeTypes["phone"] = "phone";
+    ChallengeTypes["push_notification"] = "push-notification";
+    ChallengeTypes["webauthn_platform"] = "webauthn-platform";
+    ChallengeTypes["webauthn_roaming"] = "webauthn-roaming";
+})(ChallengeTypes || (exports.ChallengeTypes = ChallengeTypes = {}));
+//#endregion
+//notes: make a C# version too.
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";AACA,0BAA0B;;;AA+C1B,IAAK,qBAsBJ;AAtBD,WAAK,qBAAqB;IAEtB,+FAA+F;IAC/F,gDAAuB,CAAA;IAEvB,OAAO;IACP,4CAAmB,CAAA;IAEnB,mFAAmF;IACnF,oCAAW,CAAA;IAEX,2FAA2F;IAC3F,oCAAW,CAAA;IAEX,gIAAgI;IAChI,wCAAe,CAAA;IAEf,OAAO;IACP,oCAAW,CAAA;IAEX,iCAAiC;IACjC,sCAAa,CAAA;AACjB,CAAC,EAtBI,qBAAqB,KAArB,qBAAqB,QAsBzB;AAgDD,IAAK,oBA8DJ;AA9DD,WAAK,oBAAoB;IACrB,iCAAS,CAAA;IACT,qCAAa,CAAA;IACb,yCAAiB,CAAA;IACjB,uCAAe,CAAA;IACf,2CAAmB,CAAA;IACnB,+CAAuB,CAAA;IACvB,mCAAW,CAAA;IACX,iDAAyB,CAAA;IACzB,uCAAe,CAAA;IACf,uCAAe,CAAA;IACf,uCAAe,CAAA;IACf,mCAAW,CAAA;IACX,yCAAiB,CAAA;IACjB,6CAAqB,CAAA;IACrB,yCAAiB,CAAA;IACjB,uCAAe,CAAA;IACf,6DAAqC,CAAA;IACrC,6CAAqB,CAAA;IACrB,uCAAe,CAAA;IACf,6CAAqB,CAAA;IACrB,yCAAiB,CAAA;IACjB,yCAAiB,CAAA;IACjB,yCAAiB,CAAA;IACjB,mDAA2B,CAAA;IAC3B,uDAA+B,CAAA;IAC/B,+CAAuB,CAAA;IACvB,iCAAS,CAAA;IACT,qCAAa,CAAA;IACb,6CAAqB,CAAA;IACrB,2CAAmB,CAAA;IACnB,yCAAiB,CAAA;IACjB,yCAAiB,CAAA;IACjB,+CAAuB,CAAA;IACvB,qCAAa,CAAA;IACb,qCAAa,CAAA;IACb,yCAAiB,CAAA;IACjB,yDAAiC,CAAA;IACjC,qDAA6B,CAAA;IAC7B,yDAAiC,CAAA;IACjC,yCAAiB,CAAA;IACjB,qEAA6C,CAAA;IAC7C,iEAAyC,CAAA;IACzC,iDAAyB,CAAA;IACzB,uCAAe,CAAA;IACf,iDAAyB,CAAA;IACzB,2CAAmB,CAAA;IACnB,mCAAW,CAAA;IACX,iDAAyB,CAAA;IACzB,2DAAmC,CAAA;IACnC,2CAAmB,CAAA;IACnB,iEAAyC,CAAA;IACzC,2CAAmB,CAAA;IACnB,2CAAmB,CAAA;IACnB,+CAAuB,CAAA;IACvB,qCAAa,CAAA;IACb,uCAAe,CAAA;IACf,mDAA2B,CAAA;IAC3B,+CAAuB,CAAA;IACvB,uCAAe,CAAA;IACf,yCAAiB,CAAA;IACjB,yCAAiB,CAAA;AACrB,CAAC,EA9DI,oBAAoB,KAApB,oBAAoB,QA8DxB;AAqGD,IAAK,oBAeJ;AAfD,WAAK,oBAAoB;IACrB,yDAAiC,CAAA;IACjC,wJAAwJ;IACxJ,mDAA2B,CAAA;IAC3B,+DAAuC,CAAA;IACvC,uCAAe,CAAA;IACf,uCAAe,CAAA;IACf,uEAA+C,CAAA;IAC/C,iEAAyC,CAAA;IACzC,uEAA+C,CAAA;IAC/C,8EAAsD,CAAA;IACtD,2DAAmC,CAAA;IACnC,mEAA2C,CAAA;IAC3C,qEAA6C,CAAA;IAC7C,uEAA+C,CAAA;AACnD,CAAC,EAfI,oBAAoB,KAApB,oBAAoB,QAexB;AAwLD,IAAY,cAOX;AAPD,WAAY,cAAc;IACtB,6BAAW,CAAA;IACX,iCAAe,CAAA;IACf,iCAAe,CAAA;IACf,yDAAuC,CAAA;IACvC,yDAAuC,CAAA;IACvC,uDAAqC,CAAA;AACzC,CAAC,EAPW,cAAc,8BAAd,cAAc,QAOzB;AAmGD,YAAY;AAGZ,+BAA+B"}

package/index.ts

@@ -0,0 +1,590 @@
+
+//#region Post-Login Event
+
+export interface PostLoginEvent<TSecret, TAppMetadata, TUserMetadata> {
+    /* Details about authentication signals obtained during the login flow. */
+    authentication?: AuthenticationInfoWithRiskAssessment
+    /* An object containing information describing the authorization granted to the user who is logging in. */
+    authorization?: AuthorizationInfo;
+    /* True if the event was created with the cancelable option */
+    cancelable?: boolean;
+    client?: Client;
+    configuration?: Configuration;
+    connection?: Connection;
+    organization?: Organization;
+    request?: RequestBase;
+    resource_server?: ResourceServer;
+    secrets?: TSecret;
+    stats?: Stats;
+    tenant?: Tenant;
+    transaction?: Transaction;
+    user?: UserBase<TAppMetadata, TUserMetadata>;
+}
+
+
+
+/**
+ * Details about authentication signals obtained during the login flow.
+ */
+interface AuthenticationInfoWithRiskAssessment {
+
+    /** Contains the authentication methods a user has completed during their session. */
+    methods: AuthenticationMethod[];
+
+    riskAssessment?: RiskAssessmentInfo;
+}
+
+interface AuthenticationMethod {
+    /**
+     * The name of the first factor that was completed. Values include the following:
+     */
+    name: AuthenticationMethods | string;
+
+    timestamp: string;
+
+    /* A specific MFA factor. Only present when name is set to 'mfa'. */
+    type: string;
+}
+
+enum AuthenticationMethods {
+
+    /** A social or enterprise connection was used to authenticate the user as the first factor. */
+    federated = 'federated',
+
+    /**  */
+    passkey = 'passkey',
+
+    /** A database connection was used to authenticate the user as the first factor. */
+    pwd = 'pwd',
+
+    /** A Passwordless SMS connection was used to authenticate the user as the first factor. */
+    sms = 'sms',
+
+    /** A Passwordless Email connection was used to authenticate the user as the first factor or verify email for password reset. */
+    email = 'email',
+
+    /**  */
+    mfa = 'mfa',
+
+    /* "Used for internal testing. */
+    mock = 'mock'
+}
+
+interface AuthorizationInfo {
+    roles: string[];
+}
+
+interface Client {
+
+    /* The client id of the application the user is logging in to. */
+    clientId: string;
+
+    /* An object for holding other application properties. */
+    metadata: { [additionalProperties: string]: string; };
+
+    /* The name of the application (as defined in the Dashboard). */
+    name: string;
+
+    strategy: string;
+}
+
+interface Configuration {
+
+}
+
+interface Connection {
+
+    /**
+     * The connection's identifier
+    */
+    id: string;
+
+    /**
+     * Metadata associated with the connection in the form of an object with string values (max 255 chars).  Maximum of 10 metadata properties allowed.
+     */
+    metadata: { [key: string]: any };
+
+    /**
+     * The name of the connection
+     */
+    name: string;
+
+    /**
+     * The type of the connection, related to the identity provider
+     */
+    strategy: ConnectionStrategies;
+
+}
+
+enum ConnectionStrategies {
+    ad = 'ad',
+    adfs = 'adfs',
+    amazon = 'amazon',
+    apple = 'apple',
+    dropbox = 'dropbox',
+    bitbucket = 'bitbucket',
+    aol = 'aol',
+    auth0_oidc = 'auth0-oidc',
+    auth0 = 'auth0',
+    baidu = 'baidu',
+    bitly = 'bitly',
+    box = 'box',
+    custom = 'custom',
+    daccount = 'daccount',
+    dwolla = 'dwolla',
+    email = 'email',
+    evernote_sandbox = 'evernote-sandbox',
+    evernote = 'evernote',
+    exact = 'exact',
+    facebook = 'facebook',
+    fitbit = 'fitbit',
+    flickr = 'flickr',
+    github = 'github',
+    google_apps = 'google-apps',
+    google_oauth2 = 'google-oauth2',
+    instagram = 'instagram',
+    ip = 'ip',
+    line = 'line',
+    linkedin = 'linkedin',
+    miicard = 'miicard',
+    oauth1 = 'oauth1',
+    oauth2 = 'oauth2',
+    office365 = 'office365',
+    oidc = 'oidc',
+    okta = 'okta',
+    paypal = 'paypal',
+    paypal_sandbox = 'paypal-sandbox',
+    pingfederate = 'pingfederate',
+    planningcenter = 'planningcenter',
+    renren = 'renren',
+    salesforce_community = 'salesforce-community',
+    salesforce_sandbox = 'salesforce-sandbox',
+    salesforce = 'salesforce',
+    samlp = 'samlp',
+    sharepoint = 'sharepoint',
+    shopify = 'shopify',
+    sms = 'sms',
+    soundcloud = 'soundcloud',
+    thecity_sandbox = 'thecity-sandbox',
+    thecity = 'thecity',
+    thirtysevensignals = 'thirtysevensignals',
+    twitter = 'twitter',
+    untappd = 'untappd',
+    vkontakte = 'vkontakte',
+    waad = 'waad',
+    weibo = 'weibo',
+    windowslive = 'windowslive',
+    wordpress = 'wordpress',
+    yahoo = 'yahoo',
+    yammer = 'yammer',
+    yandex = 'yandex',
+}
+
+interface GeoIP {
+    cityName: string
+    continentCode: string
+    countryCode3: string
+    countryCode: string
+    countryName: string
+    latitude: number
+    longitude: number
+    subdivisionCode: string
+    subdivisionName: string
+    timeZone: string
+}
+
+interface Identity {
+    connection: string
+    isSocial: boolean
+    provider: string
+    userId: string
+    user_id: string
+}
+
+interface Organization {
+
+    /* The friendly name of the Organization. */
+    display_name: string;
+
+    /**
+     * The Organization's identifier.
+    */
+    id: string;
+
+    /**
+     * Metadata associated with the Organization.
+     */
+    metadata: { [key: string]: any };
+
+    /**
+     * The name of the Organization.
+     */
+    name: string;
+
+}
+
+interface Query {
+    audience: string
+    client_id: string
+    code_challenge: string
+    code_challenge_method: string
+    prompt: string
+    redirect_uri: string
+    response_mode: string
+    response_type: string
+    scope: string
+    state: string
+}
+
+interface RequestBase {
+    ip: string;
+    method: string;
+    query: Query;
+    body: RequestBody;
+    geoip: GeoIP;
+    hostname: string;
+    user_agent: string;
+}
+
+interface RequestBody { }
+
+interface ResourceServer {
+    identifier: string
+}
+
+interface RiskAssessmentInfo {
+    confidence: "low" | "medium" | "high" | "neutral";
+    version: string;
+}
+
+interface Stats {
+    logins_count: number
+}
+
+interface Tenant {
+    id: string
+}
+interface Transaction {
+    acr_values: any[]
+    linking_id?: string
+    locale: string
+    login_hint?: string
+    prompt: string[]
+    protocol?: TransactionProtocols
+    redirect_uri?: string
+    requested_scopes: string[]
+    response_mode?: string
+    response_type?: string[]
+    state?: string
+    ui_locales: string[]
+}
+
+enum TransactionProtocols {
+    oidc_basic = 'oidc-basic-profile',
+    /*  Allows your application to have immediate access to an ID token while still providing for secure and safe retrieval of access and refresh tokens. */
+    oidc_hybrid = 'oidc-hybrid',
+    oidc_implicit = 'oidc-implicit-profile',
+    samlp = 'samlp',
+    wsfed = 'wsfed',
+    wstrust_usernamemixed = 'wstrust-usernamemixed',
+    oauth2_device_code = 'oauth2-device-code',
+    oauth2_resource_owner = 'oauth2-resource-owner',
+    oauth2_jwt_bearer = 'oauth2-resource-owner-jwt-bearer',
+    oauth2_password = 'oauth2-password',
+    oauth2_access_token = 'oauth2-access-token',
+    oauth2_refresh_token = 'oauth2-refresh-token',
+    oauth2_token_exchange = 'oauth2-token-exchange',
+}
+
+
+export interface UserBase<AppMetadata, UserMetadata> {
+    app_metadata: AppMetadata
+    created_at: string
+    email: string
+    email_verified: boolean
+    family_name: string
+    given_name: string
+    identities: Identity[]
+    last_password_reset?: string
+    multifactor?: string[]
+    name: string
+    nickname: string
+    phone_number?: string
+    phone_verified?: boolean
+    picture: string
+    updated_at: string
+    user_id: string
+    user_metadata: UserMetadata
+    username?: string
+}
+
+//#endregion
+
+//#region Post-Login API
+
+export interface PostLoginApi {
+
+    /** Modify the user's login access, such as by rejecting the login attempt. */
+    access: LoginAccessManager;
+
+    /** Request changes to the access token being issued. */
+    accessToken: AccessTokenManager;
+
+    authentication: AuthenticationManager;
+
+    /** Store and retrieve data that persists across executions. */
+    cache: CacheManager;
+
+    /** Request changes to the ID token being issued. */
+    idToken: IdTokenManager;
+
+    /**  */
+    multifactor: MultifactorManager;
+
+    /**  */
+    redirect: RedirectManager;
+
+    /**  */
+    user: UserManager;
+}
+
+export interface AccessTokenManager {
+
+    /**
+     * Add a scope on the Access Token that will be issued upon completion of the login flow.
+     * @param scope The scope to be added.
+     */
+    addScope(scope: string): PostLoginApi;
+
+    /**
+     * Remove a scope on the Access Token that will be issued upon completion of the login flow.
+     * @param scope The scope to be removed.
+     */
+    removeScope(scope: string): PostLoginApi;
+
+    /**
+     * Set a custom claim on the Access Token that will be issued upon completion of the login flow.
+     * @param name Name of the claim (note that this may need to be a fully-qualified URL).
+     * @param value The value of the claim.
+     */
+    setCustomClaim(name: string, value: any): PostLoginApi;
+}
+
+export interface AuthenticationManager {
+
+    /**
+     * Indicate that a custom authentication method has been completed in the current session. This method will then be available in the 
+     * `event.authentication.methods` array in subsequent logins.
+     * 
+     * Important: This API is only available from within the onContinuePostLogin function for PostLogin Actions. In other words, this may 
+     * be used to record the completion of a custom authentication method after redirecting the user via api.redirect.sendUserTo().
+     *
+     * @param provider_url
+     */
+    recordMethod(provider_url: string): PostLoginApi;
+
+    /**
+     * Challenge the user with one or more specified multifactor authentication factors. This method presents the default challenge first,
+     * then allows the user to select a different option if additional factors have been supplied. If the user has not enrolled in any of 
+     * the factors supplied (including both the default and any additional factors), the command fails.
+     * 
+     * Note: This method overrides existing policies and rules that enable or disable MFA in a tenant.
+     * @param factor Used to specify the default MFA factor or factors used to challenge the user.
+     * @param options An object containing the optional additionalFactors field.
+     */
+    challengeWith(factor: ChallengeFactor, options: ChallengeOptions): void
+
+    /**
+     * Trigger an MFA challenge and allow the user to select their preferred factor from the supplied list. This method presents a factor picker to the user rather than a specific challenge, in accordance with the following conditions:
+     * - If two or more factors are specified, a factor picker displays to the user.
+     * - If the user has only enrolled in one of the specified factors (or only one factor is specified), the factor picker is skipped.
+     * - If the user has not enrolled in any of the specified factors, the challenge command fails.
+     * Note: This method overrides existing policies and rules that enable or disable MFA in a tenant.
+     * @param factors
+     */
+    challengeWithAny(factors: ChallengeFactor[]): void
+}
+
+export interface CacheManager {
+
+    /**
+     * Delete a record describing a cached value at the supplied key if it exists.
+     * @param key
+     */
+    delete(key: string): CacheWriteResult;
+
+    /**
+     * Retrieve a record describing a cached value at the supplied key, if it exists. If a record is found, the cached value can be found at the value 
+     * property of the returned object.
+     * @param key The key of the record stored in the cache.
+     */
+    get(key: string): CacheRecord
+
+    /**
+     * 
+     * @param key The value of the record to be stored.
+     * @param value The value of the record to be stored.
+     * @param options Options for adjusting cache behavior.
+     */
+    set(key: string, value: any, options?: CacheOptions): void
+
+}
+
+export interface CacheWriteResult {
+    type: 'success' | 'error'
+    code: string
+}
+
+export interface CacheRecord {
+
+    /** The object stored in the Cache. */
+    value: any
+
+    /** The maximum expiry of the record in milliseconds since the Unix epoch. */
+    expires_at: number
+}
+
+export interface CacheOptions {
+
+    /**
+     * The absolute expiry time in milliseconds since the unix epoch. While cached records may be evicted earlier, they will never remain beyond the the supplied expires_at.
+     * NOTE: This value should not be supplied if a value was also provided for ttl. If both options are supplied, the earlier expiry of the two will be used.
+     */
+    expires_at?: number
+
+    /**
+     * The time-to-live value of this cache entry in milliseconds. While cached values may be evicted earlier, they will never remain beyond the the supplied ttl.
+     * NOTE: This value should not be supplied if a value was also provided for expires_at. If both options are supplied, the earlier expiry of the two will be used.
+     */
+    ttl?: number
+}
+
+export interface ChallengeFactor {
+    type: ChallengeTypes
+
+    /** 
+     * When set to true, the user cannot use the OTP fallback option of the push notification factor. (Developer's note: This makes no sense.)
+     * Only used for @see ChallengeTypes.push_notification.
+     */
+    otpFallback?: boolean
+
+    /**
+     * Only used for @see ChallengeTypes.phone.
+     */
+    preferredMethod?: 'voice' | 'phone' | 'both'
+}
+
+export interface ChallengeOptions {
+    additionalFactors: ChallengeFactor[]
+}
+
+export enum ChallengeTypes {
+    otp = 'otp',
+    email = 'email',
+    phone = 'phone',
+    push_notification = 'push-notification',
+    webauthn_platform = 'webauthn-platform',
+    webauthn_roaming = 'webauthn-roaming'
+}
+
+export interface DuoMultifactorOptions {
+    host: string
+    ikey: string
+    skey: string
+}
+
+export interface EncodeTokenOptions {
+    expiresInSeconds: number
+    payload: any;
+
+    /** 
+     * A secret that will be used to sign a JWT that is shared with the redirect target. 
+     * The secret value should be stored as a secret and retrieved using event.secrets['SECRET_NAME']
+     */
+    secret: string;
+}
+
+export interface IdTokenManager {
+
+    /**
+     * Set a custom claim on the ID token that will be issued upon completion of the login flow.
+     * @param name Name of the claim (note that this may need to be a fully-qualified URL).
+     * @param value The value of the claim.
+     */
+    setCustomClaim(name: string, value: any): PostLoginApi
+}
+
+export interface LoginAccessManager {
+
+    /**
+     * Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related 
+     * side effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action 
+     * and no further Actions will be executed.
+     * @param reason A human-readable explanation for rejecting the login. This may be presented directly in end-user interfaces.
+     */
+    deny(reason: string): PostLoginApi;
+}
+
+export interface MultifactorManager {
+
+    /**
+     * 
+     * @param provider
+     * @param options
+     */
+    enable(provider: 'any' | 'duo' | 'google-authenticator' | 'guardian' | 'none', options: MultifactorOptions): PostLoginApi
+}
+
+export interface MultifactorOptions {
+    allowRememberBrowser?: boolean
+    providerOptions?: DuoMultifactorOptions
+}
+
+export interface RedirectManager {
+
+    /**
+     * 
+     * @param options
+     */
+    encodeToken(options: EncodeTokenOptions): string
+
+    /**
+     * 
+     * @param url
+     * @param options
+     */
+    sendUserTo(url: string, options: { query: string }): PostLoginApi
+
+    /**
+     * 
+     * @param options
+     */
+    validateToken(options: ValidateTokenOptions): string
+}
+
+export interface UserManager {
+
+    /**
+     * 
+     * @param name
+     * @param value
+     */
+    setAppMetadata(name: string, value: any): PostLoginApi
+
+    /**
+     * 
+     * @param name
+     * @param value
+     */
+    setUserMetadata(name: string, value: any): PostLoginApi
+}
+
+export interface ValidateTokenOptions {
+    secret: string;
+    tokenParameterName: string;
+}
+
+//#endregion
+
+
+//notes: make a C# version too.

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "auth0-actions",
+  "version": "0.0.1",
+  "description": "Type definitions and utilities for building Auth0 Actions.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "build": "tsc --build",
+    "clean": "tsc --build --clean"
+  },
+  "keywords": [
+    "auth0",
+    "actions"
+  ],
+  "author": "CloudNimble, Inc. opensource@nimbleapps.cloud",
+  "license": "MIT",
+  "dependencies": {
+    "auth0": "^4.0.1"
+  },
+  "devDependencies": {
+    "@types/auth0": "^3.3.6",
+    "@typescript-eslint/eslint-plugin": "^6.7.2",
+    "@typescript-eslint/parser": "^6.7.2",
+    "eslint": "^8.50.0",
+    "typescript": "^5.2.2"
+  }
+}