authhero 0.194.0 → 0.195.0

package/dist/authhero.d.ts

@@ -11513,9 +11513,9 @@ export declare const openIDConfigurationSchema: z.ZodObject<{
 	token_endpoint_auth_signing_alg_values_supported: string[];
 }>;
 export interface ListParams {
-	page: number;
-	per_page: number;
-	include_totals: boolean;
+	page?: number;
+	per_page?: number;
+	include_totals?: boolean;
 	q?: string;
 	sort?: {
 		sort_by: string;
@@ -12252,11 +12252,18 @@ export declare const signingKeySchema: z.ZodObject<{
 	current_until: z.ZodOptional<z.ZodString>;
 	revoked: z.ZodOptional<z.ZodBoolean>;
 	revoked_at: z.ZodOptional<z.ZodString>;
+	connection: z.ZodOptional<z.ZodString>;
+	type: z.ZodEnum<[
+		"jwt_signing",
+		"saml_encryption"
+	]>;
 }, "strip", z.ZodTypeAny, {
+	type: "jwt_signing" | "saml_encryption";
 	kid: string;
 	cert: string;
 	fingerprint: string;
 	thumbprint: string;
+	connection?: string | undefined;
 	revoked_at?: string | undefined;
 	pkcs7?: string | undefined;
 	current?: boolean | undefined;
@@ -12266,10 +12273,12 @@ export declare const signingKeySchema: z.ZodObject<{
 	current_until?: string | undefined;
 	revoked?: boolean | undefined;
 }, {
+	type: "jwt_signing" | "saml_encryption";
 	kid: string;
 	cert: string;
 	fingerprint: string;
 	thumbprint: string;
+	connection?: string | undefined;
 	revoked_at?: string | undefined;
 	pkcs7?: string | undefined;
 	current?: boolean | undefined;
@@ -14623,9 +14632,12 @@ export interface CustomDomainsAdapter {
 	remove: (tenant_id: string, id: string) => Promise<boolean>;
 	update: (tenant_id: string, id: string, custom_domain: Partial<CustomDomain>) => Promise<boolean>;
 }
+export interface ListKeysResponse extends Totals {
+	signingKeys: SigningKey[];
+}
 export interface KeysAdapter {
 	create: (key: SigningKey) => Promise<void>;
-	list: () => Promise<SigningKey[]>;
+	list: (params?: ListParams) => Promise<ListKeysResponse>;
 	update: (kid: string, key: Partial<Omit<SigningKey, "kid">>) => Promise<boolean>;
 }
 export interface BrandingAdapter {
@@ -14706,12 +14718,8 @@ export interface UserPermissionsAdapter {
 	remove(tenant_id: string, user_id: string, permissions: Pick<UserPermissionInsert, "resource_server_identifier" | "permission_name">[]): Promise<boolean>;
 	list(tenant_id: string, user_id: string, params?: ListParams): Promise<UserPermissionWithDetailsList>;
 }
-export interface ListRolesResponse {
+export interface ListRolesResponse extends Totals {
 	roles: Role[];
-	totals?: Totals;
-	start: number;
-	limit: number;
-	length: number;
 }
 export interface RolesAdapter {
 	create(tenantId: string, role: RoleInsert): Promise<Role>;
@@ -17964,10 +17972,12 @@ export declare function init(config: AuthHeroConfig): {
 					};
 				};
 				output: {
+					type: "jwt_signing" | "saml_encryption";
 					kid: string;
 					cert: string;
 					fingerprint: string;
 					thumbprint: string;
+					connection?: string | undefined | undefined;
 					revoked_at?: string | undefined | undefined;
 					pkcs7?: string | undefined | undefined;
 					current?: boolean | undefined | undefined;
@@ -17994,10 +18004,12 @@ export declare function init(config: AuthHeroConfig): {
 					};
 				};
 				output: {
+					type: "jwt_signing" | "saml_encryption";
 					kid: string;
 					cert: string;
 					fingerprint: string;
 					thumbprint: string;
+					connection?: string | undefined | undefined;
 					revoked_at?: string | undefined | undefined;
 					pkcs7?: string | undefined | undefined;
 					current?: boolean | undefined | undefined;

package/dist/authhero.mjs

@@ -2363,7 +2363,13 @@ const ow = o.enum([
     description: "The date and time when the current key was rotated"
   }),
   revoked: o.boolean().optional().openapi({ description: "True if the key is revoked" }),
-  revoked_at: o.string().optional().openapi({ description: "The date and time when the key was revoked" })
+  revoked_at: o.string().optional().openapi({ description: "The date and time when the key was revoked" }),
+  connection: o.string().optional().openapi({
+    description: "The connection identifier associated with the key"
+  }),
+  type: o.enum(["jwt_signing", "saml_encryption"]).openapi({
+    description: "The type of the signing key"
+  })
 });
 var hs = /* @__PURE__ */ ((t) => (t.RefreshToken = "refresh_token", t.AuthorizationCode = "authorization_code", t.ClientCredential = "client_credentials", t.Passwordless = "passwordless", t.Password = "password", t.OTP = "http://auth0.com/oauth/grant-type/passwordless/otp", t))(hs || {});
 const bm = o.object({
@@ -5933,7 +5939,7 @@ function Ib(t, e, n) {
   });
 }
 async function Tb(t, e, n, r, i) {
-  var g, A, m;
+  var A, m, $;
   if (!n.redirect_uri)
     throw new O(400, {
       message: "Missing redirect_uri in authParams"
@@ -5942,38 +5948,40 @@ async function Tb(t, e, n, r, i) {
     throw new O(400, {
       message: "Missing email in user"
     });
-  const [s] = await t.env.data.keys.list();
-  if (!s)
+  const { signingKeys: s } = await t.env.data.keys.list({
+    q: "type:jwt_signing"
+  }), [a] = s;
+  if (!a)
     throw new O(500, {
       message: "No signing key found"
     });
-  if (!((g = e.addons) != null && g.samlp))
+  if (!((A = e.addons) != null && A.samlp))
     throw new O(400, {
       message: `SAML Addon is not enabled for client ${e.id}`
     });
-  const { recipient: a, audience: l } = e.addons.samlp, u = n.state || "";
-  if (!a || !u || !r || !n.state)
+  const { recipient: l, audience: u } = e.addons.samlp, d = n.state || "";
+  if (!l || !d || !r || !n.state)
     throw new O(400, {
       message: "Missing recipient or inResponseTo"
     });
-  const d = JSON.parse(n.state), p = new URL(n.redirect_uri), h = await Ob(t, {
+  const p = JSON.parse(n.state), h = new URL(n.redirect_uri), g = await Ob(t, {
     issuer: t.env.ISSUER,
-    audience: l || n.client_id,
-    destination: p.toString(),
-    inResponseTo: d.requestId,
-    userId: ((m = (A = r.app_metadata) == null ? void 0 : A.vimeo) == null ? void 0 : m.user_id) || r.user_id,
+    audience: u || n.client_id,
+    destination: h.toString(),
+    inResponseTo: p.requestId,
+    userId: (($ = (m = r.app_metadata) == null ? void 0 : m.vimeo) == null ? void 0 : $.user_id) || r.user_id,
     email: r.email,
     sessionIndex: i,
     signature: {
-      privateKeyPem: s.pkcs7,
-      cert: s.cert,
-      kid: s.kid
+      privateKeyPem: a.pkcs7,
+      cert: a.cert,
+      kid: a.kid
     }
   });
   return Ib(
-    p.toString(),
-    h,
-    d.relayState
+    h.toString(),
+    g,
+    p.relayState
   );
 }
 async function Ob(t, e) {
@@ -6313,7 +6321,9 @@ function _u(t, e) {
 const ch = ["sub", "iss", "aud", "exp", "nbf", "iat", "jti"];
 async function dc(t, e) {
   var k, S;
-  const { authParams: n, user: r, client: i, session_id: s } = e, l = (await t.env.data.keys.list()).filter(
+  const { authParams: n, user: r, client: i, session_id: s } = e, { signingKeys: a } = await t.env.data.keys.list({
+    q: "type:jwt_signing"
+  }), l = a.filter(
     (b) => !b.revoked_at || new Date(b.revoked_at) > /* @__PURE__ */ new Date()
   ), u = l[l.length - 1];
   if (!(u != null && u.pkcs7))
@@ -16848,7 +16858,8 @@ async function Pd(t) {
     cert: l,
     thumbprint: d,
     fingerprint: u,
-    pkcs7: p
+    pkcs7: p,
+    type: "jwt_signing"
   };
 }
 function U4(t, e) {
@@ -16893,7 +16904,9 @@ const q4 = 1e3 * 60 * 60 * 24, V4 = new Ae().openapi(
     }
   }),
   async (t) => {
-    const n = (await t.env.data.keys.list()).filter((r) => "cert" in r).map((r) => r);
+    const { signingKeys: e } = await t.env.data.keys.list({
+      q: "type:jwt_signing"
+    }), n = e.filter((r) => "cert" in r).map((r) => r);
     return t.json(n);
   }
 ).openapi(
@@ -16926,7 +16939,9 @@ const q4 = 1e3 * 60 * 60 * 24, V4 = new Ae().openapi(
     }
   }),
   async (t) => {
-    const { kid: e } = t.req.valid("param"), r = (await t.env.data.keys.list()).find((i) => i.kid === e);
+    const { kid: e } = t.req.valid("param"), { signingKeys: n } = await t.env.data.keys.list({
+      q: "type:jwt_signing"
+    }), r = n.find((i) => i.kid === e);
     if (!r)
       throw new O(404, { message: "Key not found" });
     return t.json(r);
@@ -16953,7 +16968,9 @@ const q4 = 1e3 * 60 * 60 * 24, V4 = new Ae().openapi(
     }
   }),
   async (t) => {
-    const e = await t.env.data.keys.list();
+    const { signingKeys: e } = await t.env.data.keys.list({
+      q: "type:jwt_signing"
+    });
     for await (const r of e)
       await t.env.data.keys.update(r.kid, {
         revoked_at: new Date(Date.now() + q4).toISOString()
@@ -16961,7 +16978,7 @@ const q4 = 1e3 * 60 * 60 * 24, V4 = new Ae().openapi(
     const n = await Pd({
       name: `CN=${t.env.ORGANIZATION_NAME}`
     });
-    return await t.env.data.keys.create(n), t.text("OK", { status: 201 });
+    return await t.env.data.keys.create({ ...n, type: "jwt_signing" }), t.text("OK", { status: 201 });
   }
 ).openapi(
   V({
@@ -16996,7 +17013,7 @@ const q4 = 1e3 * 60 * 60 * 24, V4 = new Ae().openapi(
     const r = await Pd({
       name: `CN=${t.env.ORGANIZATION_NAME}`
     });
-    return await t.env.data.keys.create(r), t.text("OK");
+    return await t.env.data.keys.create({ ...r, type: "jwt_signing" }), t.text("OK");
   }
 ), H4 = new Ae().openapi(
   V({
@@ -18296,7 +18313,9 @@ var gx = async (t, e, n = "HS256") => {
   return e.forEach((i) => i({ phase: yx.Stringify, buffer: n, context: r })), n[0];
 }, vx = V2.verify, bx = V2.decode;
 async function Ld(t) {
-  const e = await t.keys.list();
+  const { signingKeys: e } = await t.keys.list({
+    q: "type:jwt_signing"
+  });
   return await Promise.all(
     e.map(async (r) => {
       const s = await new nl(r.cert).publicKey.export(), a = await crypto.subtle.exportKey("jwk", s);
@@ -18950,7 +18969,10 @@ function Tx(t) {
 }
 const ol = async (t, e) => {
   var l, u, d, p;
-  const n = (l = t.req.query("auth0Client")) == null ? void 0 : l.slice(0, 255), r = (u = t.req.header("x-real-ip")) == null ? void 0 : u.slice(0, 45), i = (d = t.req.header("user-agent")) == null ? void 0 : d.slice(0, 512), s = (p = t.req.header("cf-ipcountry")) == null ? void 0 : p.slice(0, 2), a = n ? Tx(n) : void 0;
+  const n = (l = t.req.query("auth0Client")) == null ? void 0 : l.slice(0, 255), r = (
+    // If the request is proxied, use x-forwarded-for, otherwise use cf-connecting-ip or x-real-ip
+    (u = t.req.header("x-forwarded-host") && t.req.header("x-forwarded-for") ? t.req.header("x-forwarded-for") : t.req.header("cf-connecting-ip") || t.req.header("x-real-ip")) == null ? void 0 : u.slice(0, 45)
+  ), i = (d = t.req.header("user-agent")) == null ? void 0 : d.slice(0, 512), s = (p = t.req.header("cf-ipcountry")) == null ? void 0 : p.slice(0, 2), a = n ? Tx(n) : void 0;
   a && t.set("auth0_client", a), r && t.set("ip", r), i && t.set("useragent", i), s && t.set("countryCode", s), await e();
 }, Dr = class Dr {
   constructor() {
@@ -36839,8 +36861,10 @@ const YE = new Ae().openapi(
       throw new O(404, {
         message: "Client not found"
       });
-    const r = await t.env.data.keys.list();
-    if (!r.length)
+    const { signingKeys: r } = await t.env.data.keys.list({
+      q: "type:jwt_signing"
+    });
+    if (r.length === 0)
       throw new O(500, {
         message: "No signing key found"
       });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.194.0",
+  "version": "0.195.0",
   "files": [
     "dist"
   ],
@@ -36,7 +36,7 @@
     "vite": "^5.4.11",
     "vite-plugin-dts": "^4.3.0",
     "vitest": "^2.1.5",
-    "@authhero/kysely-adapter": "^10.36.0"
+    "@authhero/kysely-adapter": "^10.37.0"
   },
   "dependencies": {
     "@peculiar/x509": "^1.12.3",
@@ -50,7 +50,7 @@
     "nanoid": "^5.0.8",
     "oslo": "^1.2.1",
     "xml-crypto": "^6.1.2",
-    "@authhero/adapter-interfaces": "^0.82.0"
+    "@authhero/adapter-interfaces": "^0.83.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^0.19.2",