authhero 0.152.0 → 0.154.0

package/dist/authhero.d.ts

@@ -8194,6 +8194,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid: z.ZodOptional<z.ZodString>;
 			team_id: z.ZodOptional<z.ZodString>;
 			realms: z.ZodOptional<z.ZodString>;
+			authentication_method: z.ZodOptional<z.ZodString>;
 			client_id: z.ZodOptional<z.ZodString>;
 			client_secret: z.ZodOptional<z.ZodString>;
 			app_secret: z.ZodOptional<z.ZodString>;
@@ -8217,6 +8218,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8235,6 +8237,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8258,6 +8261,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8290,6 +8294,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8443,6 +8448,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8522,6 +8528,7 @@ declare const ClientSchema: z.ZodObject<{
 			kid?: string | undefined;
 			team_id?: string | undefined;
 			realms?: string | undefined;
+			authentication_method?: string | undefined;
 			app_secret?: string | undefined;
 			authorization_endpoint?: string | undefined;
 			token_endpoint?: string | undefined;
@@ -8595,6 +8602,8 @@ export declare const codeInsertSchema: z.ZodObject<{
 		"S256"
 	]>>;
 	redirect_uri: z.ZodOptional<z.ZodString>;
+	nonce: z.ZodOptional<z.ZodString>;
+	state: z.ZodOptional<z.ZodString>;
 	expires_at: z.ZodString;
 	used_at: z.ZodOptional<z.ZodString>;
 	user_id: z.ZodOptional<z.ZodString>;
@@ -8605,6 +8614,8 @@ export declare const codeInsertSchema: z.ZodObject<{
 	expires_at: string;
 	user_id?: string | undefined;
 	redirect_uri?: string | undefined;
+	state?: string | undefined;
+	nonce?: string | undefined;
 	code_challenge_method?: "S256" | "plain" | undefined;
 	code_challenge?: string | undefined;
 	connection_id?: string | undefined;
@@ -8617,6 +8628,8 @@ export declare const codeInsertSchema: z.ZodObject<{
 	expires_at: string;
 	user_id?: string | undefined;
 	redirect_uri?: string | undefined;
+	state?: string | undefined;
+	nonce?: string | undefined;
 	code_challenge_method?: "S256" | "plain" | undefined;
 	code_challenge?: string | undefined;
 	connection_id?: string | undefined;
@@ -8644,6 +8657,8 @@ export declare const codeSchema: z.ZodObject<{
 		"S256"
 	]>>;
 	redirect_uri: z.ZodOptional<z.ZodString>;
+	nonce: z.ZodOptional<z.ZodString>;
+	state: z.ZodOptional<z.ZodString>;
 	expires_at: z.ZodString;
 	used_at: z.ZodOptional<z.ZodString>;
 	user_id: z.ZodOptional<z.ZodString>;
@@ -8655,6 +8670,8 @@ export declare const codeSchema: z.ZodObject<{
 	expires_at: string;
 	user_id?: string | undefined;
 	redirect_uri?: string | undefined;
+	state?: string | undefined;
+	nonce?: string | undefined;
 	code_challenge_method?: "S256" | "plain" | undefined;
 	code_challenge?: string | undefined;
 	connection_id?: string | undefined;
@@ -8668,6 +8685,8 @@ export declare const codeSchema: z.ZodObject<{
 	expires_at: string;
 	user_id?: string | undefined;
 	redirect_uri?: string | undefined;
+	state?: string | undefined;
+	nonce?: string | undefined;
 	code_challenge_method?: "S256" | "plain" | undefined;
 	code_challenge?: string | undefined;
 	connection_id?: string | undefined;
@@ -8679,6 +8698,7 @@ export declare const connectionOptionsSchema: z.ZodObject<{
 	kid: z.ZodOptional<z.ZodString>;
 	team_id: z.ZodOptional<z.ZodString>;
 	realms: z.ZodOptional<z.ZodString>;
+	authentication_method: z.ZodOptional<z.ZodString>;
 	client_id: z.ZodOptional<z.ZodString>;
 	client_secret: z.ZodOptional<z.ZodString>;
 	app_secret: z.ZodOptional<z.ZodString>;
@@ -8702,6 +8722,7 @@ export declare const connectionOptionsSchema: z.ZodObject<{
 	kid?: string | undefined;
 	team_id?: string | undefined;
 	realms?: string | undefined;
+	authentication_method?: string | undefined;
 	app_secret?: string | undefined;
 	authorization_endpoint?: string | undefined;
 	token_endpoint?: string | undefined;
@@ -8720,6 +8741,7 @@ export declare const connectionOptionsSchema: z.ZodObject<{
 	kid?: string | undefined;
 	team_id?: string | undefined;
 	realms?: string | undefined;
+	authentication_method?: string | undefined;
 	app_secret?: string | undefined;
 	authorization_endpoint?: string | undefined;
 	token_endpoint?: string | undefined;
@@ -8738,6 +8760,7 @@ export declare const connectionInsertSchema: z.ZodObject<{
 		kid: z.ZodOptional<z.ZodString>;
 		team_id: z.ZodOptional<z.ZodString>;
 		realms: z.ZodOptional<z.ZodString>;
+		authentication_method: z.ZodOptional<z.ZodString>;
 		client_id: z.ZodOptional<z.ZodString>;
 		client_secret: z.ZodOptional<z.ZodString>;
 		app_secret: z.ZodOptional<z.ZodString>;
@@ -8761,6 +8784,7 @@ export declare const connectionInsertSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8779,6 +8803,7 @@ export declare const connectionInsertSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8802,6 +8827,7 @@ export declare const connectionInsertSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8830,6 +8856,7 @@ export declare const connectionInsertSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8857,6 +8884,7 @@ export declare const connectionSchema: z.ZodObject<{
 		kid: z.ZodOptional<z.ZodString>;
 		team_id: z.ZodOptional<z.ZodString>;
 		realms: z.ZodOptional<z.ZodString>;
+		authentication_method: z.ZodOptional<z.ZodString>;
 		client_id: z.ZodOptional<z.ZodString>;
 		client_secret: z.ZodOptional<z.ZodString>;
 		app_secret: z.ZodOptional<z.ZodString>;
@@ -8880,6 +8908,7 @@ export declare const connectionSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8898,6 +8927,7 @@ export declare const connectionSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8921,6 +8951,7 @@ export declare const connectionSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -8953,6 +8984,7 @@ export declare const connectionSchema: z.ZodObject<{
 		kid?: string | undefined;
 		team_id?: string | undefined;
 		realms?: string | undefined;
+		authentication_method?: string | undefined;
 		app_secret?: string | undefined;
 		authorization_endpoint?: string | undefined;
 		token_endpoint?: string | undefined;
@@ -15135,6 +15167,7 @@ export declare function init(config: AuthHeroConfig): {
 						kid?: string | undefined | undefined;
 						team_id?: string | undefined | undefined;
 						realms?: string | undefined | undefined;
+						authentication_method?: string | undefined | undefined;
 						app_secret?: string | undefined | undefined;
 						authorization_endpoint?: string | undefined | undefined;
 						token_endpoint?: string | undefined | undefined;
@@ -15167,6 +15200,7 @@ export declare function init(config: AuthHeroConfig): {
 							kid?: string | undefined | undefined;
 							team_id?: string | undefined | undefined;
 							realms?: string | undefined | undefined;
+							authentication_method?: string | undefined | undefined;
 							app_secret?: string | undefined | undefined;
 							authorization_endpoint?: string | undefined | undefined;
 							token_endpoint?: string | undefined | undefined;
@@ -15213,6 +15247,7 @@ export declare function init(config: AuthHeroConfig): {
 						kid?: string | undefined | undefined;
 						team_id?: string | undefined | undefined;
 						realms?: string | undefined | undefined;
+						authentication_method?: string | undefined | undefined;
 						app_secret?: string | undefined | undefined;
 						authorization_endpoint?: string | undefined | undefined;
 						token_endpoint?: string | undefined | undefined;
@@ -15276,6 +15311,7 @@ export declare function init(config: AuthHeroConfig): {
 							kid?: string | undefined;
 							team_id?: string | undefined;
 							realms?: string | undefined;
+							authentication_method?: string | undefined;
 							app_secret?: string | undefined;
 							authorization_endpoint?: string | undefined;
 							token_endpoint?: string | undefined;
@@ -15303,6 +15339,7 @@ export declare function init(config: AuthHeroConfig): {
 						kid?: string | undefined | undefined;
 						team_id?: string | undefined | undefined;
 						realms?: string | undefined | undefined;
+						authentication_method?: string | undefined | undefined;
 						app_secret?: string | undefined | undefined;
 						authorization_endpoint?: string | undefined | undefined;
 						token_endpoint?: string | undefined | undefined;
@@ -15346,6 +15383,7 @@ export declare function init(config: AuthHeroConfig): {
 							kid?: string | undefined;
 							team_id?: string | undefined;
 							realms?: string | undefined;
+							authentication_method?: string | undefined;
 							app_secret?: string | undefined;
 							authorization_endpoint?: string | undefined;
 							token_endpoint?: string | undefined;
@@ -15372,6 +15410,7 @@ export declare function init(config: AuthHeroConfig): {
 						kid?: string | undefined | undefined;
 						team_id?: string | undefined | undefined;
 						realms?: string | undefined | undefined;
+						authentication_method?: string | undefined | undefined;
 						app_secret?: string | undefined | undefined;
 						authorization_endpoint?: string | undefined | undefined;
 						token_endpoint?: string | undefined | undefined;

package/dist/authhero.mjs

@@ -1760,6 +1760,7 @@ const _s = o.object({
   kid: o.string().optional(),
   team_id: o.string().optional(),
   realms: o.string().optional(),
+  authentication_method: o.string().optional(),
   client_id: o.string().optional(),
   client_secret: o.string().optional(),
   app_secret: o.string().optional(),
@@ -1855,6 +1856,12 @@ const k1 = o.enum([
   redirect_uri: o.string().optional().openapi({
     description: "The redirect URI associated with the code"
   }),
+  nonce: o.string().optional().openapi({
+    description: "The nonce value used for security in OIDC flows"
+  }),
+  state: o.string().optional().openapi({
+    description: "The state parameter used for CSRF protection in OAuth flows"
+  }),
   expires_at: o.string(),
   used_at: o.string().optional(),
   user_id: o.string().optional()
@@ -5983,7 +5990,9 @@ async function Fh(t, e) {
       ).toISOString(),
       code_challenge: e.authParams.code_challenge,
       code_challenge_method: e.authParams.code_challenge_method,
-      redirect_uri: e.authParams.redirect_uri
+      redirect_uri: e.authParams.redirect_uri,
+      state: e.authParams.state,
+      nonce: e.authParams.nonce
     })).code_id,
     state: e.authParams.state
   };
@@ -6073,7 +6082,9 @@ async function Zt(t, e) {
       login_id: e.loginSession.id,
       expires_at: new Date(Date.now() + m_).toISOString(),
       code_verifier: [b, v].join("|"),
-      redirect_uri: n.redirect_uri
+      redirect_uri: n.redirect_uri,
+      state: n.state,
+      nonce: n.nonce
     });
     return t.json({
       login_ticket: E.code_id,
@@ -19845,6 +19856,9 @@ async function pb(t, e) {
     loginSession: i,
     authParams: {
       ...i.authParams,
+      // Use the state and nonce from the code as it might differ if it's a silent auth login
+      state: r.state,
+      nonce: r.nonce,
       // Ensure WEB_MESSAGE is explicitly passed, as createAuthResponse relies on it
       response_mode: an.WEB_MESSAGE,
       // Pass through other relevant authParams from the loginSession or original request if necessary
@@ -21534,7 +21548,7 @@ function hi(t, e = "US") {
   if (n.includes("@")) {
     const r = n.toLowerCase(), i = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r);
     return {
-      connection: "email",
+      connectionType: "email",
       normalized: i ? r : null,
       isValid: i
     };
@@ -21543,18 +21557,18 @@ function hi(t, e = "US") {
       defaultCountry: e
     });
     return r && r.isValid() ? {
-      connection: "sms",
+      connectionType: "sms",
       normalized: r.number,
       // E.164 format
       isValid: !0
     } : {
-      connection: "sms",
+      connectionType: "sms",
       normalized: null,
       isValid: !1
     };
   } else
     return {
-      connection: "username",
+      connectionType: "username",
       normalized: n,
       isValid: !0
     };
@@ -21571,7 +21585,7 @@ async function ua(t, {
   otp: r,
   authParams: i
 }) {
-  const s = jt(t.req), { connection: a, normalized: c } = hi(
+  const s = jt(t.req), { connectionType: a, normalized: c } = hi(
     n,
     s.countryCode
   );
@@ -21922,7 +21936,7 @@ async function im(t, { to: e, code: n }) {
   const r = await t.env.data.tenants.get(t.var.tenant_id);
   if (!r)
     throw new A(500, { message: "Tenant not found" });
-  const { connection: i } = hi(e), s = new URL(lt(t.env)), a = {
+  const { connectionType: i } = hi(e), s = new URL(lt(t.env)), a = {
     vendorName: r.name,
     vendorId: r.id,
     loginDomain: s.hostname,
@@ -21967,7 +21981,7 @@ async function Vl(t, { to: e, code: n, authParams: r }) {
     throw new A(500, { message: "Tenant not found" });
   if (!r.redirect_uri)
     throw new A(400, { message: "redirect_uri is required" });
-  const { connection: s } = hi(e), a = new URL(Re(t.env));
+  const { connectionType: s } = hi(e), a = new URL(Re(t.env));
   a.pathname = "passwordless/verify_redirect", a.searchParams.set("verification_code", n), a.searchParams.set("connection", s), a.searchParams.set("client_id", r.client_id), a.searchParams.set("redirect_uri", r.redirect_uri), a.searchParams.set("email", e), r.response_type && a.searchParams.set("response_type", r.response_type), r.scope && a.searchParams.set("scope", r.scope), r.state && a.searchParams.set("state", r.state), r.nonce && a.searchParams.set("nonce", r.nonce), r.code_challenge && a.searchParams.set("code_challenge", r.code_challenge), r.code_challenge_method && a.searchParams.set(
     "code_challenge_method",
     r.code_challenge_method
@@ -24184,11 +24198,11 @@ const g$ = new ae().openapi(
       try {
         await Zy(t, i, t.env.data, d);
       } catch {
-        const y = be(t, {
+        const v = be(t, {
           type: _e.FAILED_SIGNUP,
           description: "Public signup is disabled"
         });
-        return await t.env.data.logs.create(i.tenant.id, y), t.html(
+        return await t.env.data.logs.create(i.tenant.id, v), t.html(
           /* @__PURE__ */ _(
             La,
             {
@@ -24232,8 +24246,17 @@ const g$ = new ae().openapi(
       redirect_uri: s.authParams.redirect_uri
     }), w = h$(
       s.auth0Client
-    ), { connection: h } = hi(d);
-    return h === "email" && w === "link" && !d.includes("online.no") ? await Vl(t, {
+    ), { connectionType: h } = hi(d), y = i.connections.find(
+      (v) => v.strategy === h
+    );
+    if (!y)
+      throw new A(400, {
+        message: P.t("connection_not_found", {
+          connection: h
+        })
+      });
+    return h === "email" && w === "link" && // This is different to how it works in auth0
+    y.options.authentication_method === "magic_link" ? await Vl(t, {
       to: d,
       code: m.code_id,
       authParams: s.authParams

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.152.0",
+  "version": "0.154.0",
   "files": [
     "dist"
   ],
@@ -36,7 +36,7 @@
     "vite": "^5.4.11",
     "vite-plugin-dts": "^4.3.0",
     "vitest": "^2.1.5",
-    "@authhero/kysely-adapter": "^10.19.0"
+    "@authhero/kysely-adapter": "^10.20.0"
   },
   "dependencies": {
     "@peculiar/x509": "^1.12.3",
@@ -49,7 +49,7 @@
     "libphonenumber-js": "^1.12.8",
     "nanoid": "^5.0.8",
     "oslo": "^1.2.1",
-    "@authhero/adapter-interfaces": "^0.69.0"
+    "@authhero/adapter-interfaces": "^0.71.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^0.19.2",