npm - authhero - Versions diffs - 4.100.0 → 4.101.0 - Mend

authhero 4.100.0 → 4.101.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +44 -0
package/dist/assets/u/widget/index.esm.js +1 -1
package/dist/authhero.cjs +85 -85
package/dist/authhero.d.ts +334 -7
package/dist/authhero.mjs +8244 -8021
package/dist/stats.html +1 -1
package/package.json +4 -4

package/dist/authhero.d.ts CHANGED Viewed

@@ -43006,6 +43006,22 @@ export declare enum LoginSessionState {
 export declare const loginSessionStateSchema: z.ZodNativeEnum<typeof LoginSessionState>;
 /** Continuation scope - which pages/actions are allowed during continuation */
 export type ContinuationScope = "change-email" | "account" | "custom";
+/**
+ * Strategy metadata persisted alongside the authenticated user so that
+ * `/authorize/resume` can re-hydrate everything `createFrontChannelAuthResponse`
+ * needs without the sub-flow having to keep that context in memory.
+ */
+export declare const loginSessionAuthStrategySchema: z.ZodObject<{
+	strategy: z.ZodString;
+	strategy_type: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+	strategy: string;
+	strategy_type: string;
+}, {
+	strategy: string;
+	strategy_type: string;
+}>;
+export type LoginSessionAuthStrategy = z.infer<typeof loginSessionAuthStrategySchema>;
 export declare const loginSessionInsertSchema: z.ZodObject<{
 	csrf_token: z.ZodString;
 	auth0Client: z.ZodOptional<z.ZodString>;
@@ -43078,6 +43094,17 @@ export declare const loginSessionInsertSchema: z.ZodObject<{
 	failure_reason: z.ZodOptional<z.ZodString>;
 	user_id: z.ZodOptional<z.ZodString>;
 	auth_connection: z.ZodOptional<z.ZodString>;
+	auth_strategy: z.ZodOptional<z.ZodObject<{
+		strategy: z.ZodString;
+		strategy_type: z.ZodString;
+	}, "strip", z.ZodTypeAny, {
+		strategy: string;
+		strategy_type: string;
+	}, {
+		strategy: string;
+		strategy_type: string;
+	}>>;
+	authenticated_at: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
 	state: LoginSessionState;
 	expires_at: string;
@@ -43112,6 +43139,11 @@ export declare const loginSessionInsertSchema: z.ZodObject<{
 	state_data?: string | undefined;
 	failure_reason?: string | undefined;
 	auth_connection?: string | undefined;
+	auth_strategy?: {
+		strategy: string;
+		strategy_type: string;
+	} | undefined;
+	authenticated_at?: string | undefined;
 }, {
 	expires_at: string;
 	csrf_token: string;
@@ -43146,6 +43178,11 @@ export declare const loginSessionInsertSchema: z.ZodObject<{
 	state_data?: string | undefined;
 	failure_reason?: string | undefined;
 	auth_connection?: string | undefined;
+	auth_strategy?: {
+		strategy: string;
+		strategy_type: string;
+	} | undefined;
+	authenticated_at?: string | undefined;
 }>;
 export type LoginSessionInsert = z.input<typeof loginSessionInsertSchema>;
 export declare const loginSessionSchema: z.ZodObject<{
@@ -43223,6 +43260,17 @@ export declare const loginSessionSchema: z.ZodObject<{
 	failure_reason: z.ZodOptional<z.ZodString>;
 	user_id: z.ZodOptional<z.ZodString>;
 	auth_connection: z.ZodOptional<z.ZodString>;
+	auth_strategy: z.ZodOptional<z.ZodObject<{
+		strategy: z.ZodString;
+		strategy_type: z.ZodString;
+	}, "strip", z.ZodTypeAny, {
+		strategy: string;
+		strategy_type: string;
+	}, {
+		strategy: string;
+		strategy_type: string;
+	}>>;
+	authenticated_at: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
 	created_at: string;
 	updated_at: string;
@@ -43260,6 +43308,11 @@ export declare const loginSessionSchema: z.ZodObject<{
 	state_data?: string | undefined;
 	failure_reason?: string | undefined;
 	auth_connection?: string | undefined;
+	auth_strategy?: {
+		strategy: string;
+		strategy_type: string;
+	} | undefined;
+	authenticated_at?: string | undefined;
 }, {
 	created_at: string;
 	updated_at: string;
@@ -43297,6 +43350,11 @@ export declare const loginSessionSchema: z.ZodObject<{
 	state_data?: string | undefined;
 	failure_reason?: string | undefined;
 	auth_connection?: string | undefined;
+	auth_strategy?: {
+		strategy: string;
+		strategy_type: string;
+	} | undefined;
+	authenticated_at?: string | undefined;
 }>;
 export type LoginSession = z.infer<typeof loginSessionSchema>;
 export declare const LogTypes: {
@@ -43934,6 +43992,7 @@ export declare const sessionSchema: z.ZodObject<{
 	updated_at: string;
 	id: string;
 	user_id: string;
+	authenticated_at: string;
 	login_session_id: string;
 	device: {
 		last_ip: string;
@@ -43944,7 +44003,6 @@ export declare const sessionSchema: z.ZodObject<{
 		last_asn: string;
 	};
 	clients: string[];
-	authenticated_at: string;
 	last_interaction_at: string;
 	expires_at?: string | undefined;
 	used_at?: string | undefined;
@@ -43955,6 +44013,7 @@ export declare const sessionSchema: z.ZodObject<{
 	updated_at: string;
 	id: string;
 	user_id: string;
+	authenticated_at: string;
 	login_session_id: string;
 	device: {
 		last_ip: string;
@@ -43965,7 +44024,6 @@ export declare const sessionSchema: z.ZodObject<{
 		last_asn: string;
 	};
 	clients: string[];
-	authenticated_at: string;
 	last_interaction_at: string;
 	expires_at?: string | undefined;
 	used_at?: string | undefined;
@@ -52498,6 +52556,126 @@ export interface OutboxCleanupParams {
  * Intended for use in a scheduled handler / cron job.
  */
 export declare function cleanupOutbox(outbox: OutboxAdapter, params?: OutboxCleanupParams): Promise<number>;
+export interface CreateDefaultDestinationsConfig {
+	/**
+	 * Data adapter — only the `logs`, `hooks`, and `users` adapters are used
+	 * by the built-in destinations.
+	 */
+	dataAdapter: Pick<DataAdapters, "logs" | "hooks" | "users">;
+	/**
+	 * Produces a Bearer access token for the given tenant, used when POSTing
+	 * `hook.*` events to the configured webhook URLs.
+	 *
+	 * Required if you want `hook.*` events to be drained. Omit for cron
+	 * drains that only need to sweep up log events.
+	 */
+	getServiceToken?: (tenantId: string) => Promise<string>;
+	/** Webhook HTTP request timeout in ms (default: 10_000). */
+	webhookTimeoutMs?: number;
+}
+/**
+ * Build the same array of outbox destinations that authhero's per-request
+ * `outboxMiddleware` constructs internally. Intended for consumers that want
+ * to run `drainOutbox` from a cron / scheduled handler as a safety net for
+ * events that failed per-request delivery.
+ *
+ * Without this helper, consumers would have to instantiate the destination
+ * classes themselves and stay in sync with their ordering and filtering
+ * rules (e.g. `RegistrationFinalizerDestination` must come AFTER
+ * `WebhookDestination`).
+ *
+ * @example
+ * ```ts
+ * // Cloudflare Workers scheduled handler
+ * async scheduled(_event, env) {
+ *   const destinations = createDefaultDestinations({
+ *     dataAdapter,
+ *     getServiceToken: async (tenantId) =>
+ *       (await mintServiceToken(tenantId, "webhook")).access_token,
+ *   });
+ *   await drainOutbox(dataAdapter.outbox, destinations);
+ *   await cleanupOutbox(dataAdapter.outbox, { retentionDays: 7 });
+ * }
+ * ```
+ */
+export declare function createDefaultDestinations(config: CreateDefaultDestinationsConfig): EventDestination[];
+export declare class LogsDestination implements EventDestination {
+	name: string;
+	private logs;
+	constructor(logs: LogsDataAdapter);
+	/**
+	 * Only accept log-shaped events. `hook.*` events are dispatch tasks for
+	 * webhook / code-hook destinations and are not audit log entries.
+	 */
+	accepts(event: AuditEvent): boolean;
+	transform(event: AuditEvent): {
+		tenantId: string;
+		log: LogInsert;
+	};
+	deliver(events: {
+		tenantId: string;
+		log: LogInsert;
+	}[]): Promise<void>;
+}
+export type GetServiceToken = (tenantId: string) => Promise<string>;
+export interface WebhookInvocation {
+	eventId: string;
+	tenantId: string;
+	triggerId: string;
+	payload: {
+		tenant_id: string;
+		trigger_id: string;
+		user?: unknown;
+		request?: unknown;
+	};
+}
+/**
+ * Delivers `hook.*` outbox events to HTTP webhooks configured for the matching
+ * trigger_id. Each POST includes `Idempotency-Key: {event.id}` so downstream
+ * webhook handlers can dedupe if the outbox retries.
+ *
+ * The destination is constructed per-request (via `outboxMiddleware`'s
+ * `getDestinations(ctx)` factory) so it can close over a ctx-bound service
+ * token generator.
+ */
+export declare class WebhookDestination implements EventDestination {
+	name: string;
+	private hooks;
+	private getServiceToken;
+	private timeoutMs;
+	constructor(hooks: HooksAdapter, getServiceToken: GetServiceToken, options?: {
+		timeoutMs?: number;
+	});
+	accepts(event: AuditEvent): boolean;
+	transform(event: AuditEvent): WebhookInvocation;
+	deliver(events: WebhookInvocation[]): Promise<void>;
+}
+export interface FinalizationTask {
+	tenantId: string;
+	userId: string;
+	timestamp: string;
+}
+/**
+ * Side-effect destination that flips `user.registration_completed_at` once
+ * the upstream hook destinations (webhooks, code hooks) have all succeeded
+ * for a `hook.post-user-registration` event.
+ *
+ * Must be listed AFTER the destinations that actually deliver the hook so
+ * that a delivery failure aborts the loop before the flag is set — the
+ * relay then retries the entire event, and on a subsequent successful pass
+ * the finalizer sets the flag.
+ *
+ * The flag is read by `postUserLoginHook` to decide whether to re-enqueue
+ * the event on the next login (self-healing recovery).
+ */
+export declare class RegistrationFinalizerDestination implements EventDestination {
+	name: string;
+	private users;
+	constructor(users: UserDataAdapter);
+	accepts(event: AuditEvent): boolean;
+	transform(event: AuditEvent): FinalizationTask;
+	deliver(tasks: FinalizationTask[]): Promise<void>;
+}
 /**
  * Options for the entity hooks wrapper
  */
@@ -53827,8 +54005,8 @@ export declare function init(config: AuthHeroConfig): {
 						};
 						app_metadata?: Record<string, any> | undefined;
 						user_metadata?: Record<string, any> | undefined;
-						roles?: string[] | undefined;
 						connection_id?: string | undefined;
+						roles?: string[] | undefined;
 						ttl_sec?: number | undefined;
 						send_invitation_email?: boolean | undefined;
 					};
@@ -59030,6 +59208,7 @@ export declare function init(config: AuthHeroConfig): {
 					updated_at: string;
 					id: string;
 					user_id: string;
+					authenticated_at: string;
 					login_session_id: string;
 					device: {
 						last_ip: string;
@@ -59040,7 +59219,6 @@ export declare function init(config: AuthHeroConfig): {
 						last_asn: string;
 					};
 					clients: string[];
-					authenticated_at: string;
 					last_interaction_at: string;
 					expires_at?: string | undefined | undefined;
 					used_at?: string | undefined | undefined;
@@ -59748,9 +59926,9 @@ export declare function init(config: AuthHeroConfig): {
 						response_type?: AuthorizationResponseType | undefined;
 						id?: string | undefined;
 						display_name?: string | undefined;
+						strategy?: string | undefined;
 						is_system?: boolean | undefined;
 						metadata?: Record<string, any> | undefined;
-						strategy?: string | undefined;
 						enabled_clients?: string[] | undefined;
 						is_domain_connection?: boolean | undefined;
 						show_as_button?: boolean | undefined;
@@ -62694,6 +62872,7 @@ export declare function init(config: AuthHeroConfig): {
 					updated_at: string;
 					id: string;
 					user_id: string;
+					authenticated_at: string;
 					login_session_id: string;
 					device: {
 						last_ip: string;
@@ -62704,7 +62883,6 @@ export declare function init(config: AuthHeroConfig): {
 						last_asn: string;
 					};
 					clients: string[];
-					authenticated_at: string;
 					last_interaction_at: string;
 					expires_at?: string | undefined | undefined;
 					used_at?: string | undefined | undefined;
@@ -62719,6 +62897,7 @@ export declare function init(config: AuthHeroConfig): {
 						updated_at: string;
 						id: string;
 						user_id: string;
+						authenticated_at: string;
 						login_session_id: string;
 						device: {
 							last_ip: string;
@@ -62729,7 +62908,6 @@ export declare function init(config: AuthHeroConfig): {
 							last_asn: string;
 						};
 						clients: string[];
-						authenticated_at: string;
 						last_interaction_at: string;
 						expires_at?: string | undefined | undefined;
 						used_at?: string | undefined | undefined;
@@ -62742,6 +62920,109 @@ export declare function init(config: AuthHeroConfig): {
 				status: 200;
 			};
 		};
+	} & {
+		"/:user_id/logs": {
+			$get: {
+				input: {
+					param: {
+						user_id: string;
+					};
+				} & {
+					query: {
+						sort?: string | undefined;
+						page?: string | undefined;
+						per_page?: string | undefined;
+						include_totals?: string | undefined;
+						from?: string | undefined;
+						take?: string | undefined;
+						q?: string | undefined;
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {
+					type: "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
+					date: string;
+					isMobile: boolean;
+					log_id: string;
+					description?: string | undefined | undefined;
+					client_id?: string | undefined | undefined;
+					ip?: string | undefined | undefined;
+					user_agent?: string | undefined | undefined;
+					connection?: string | undefined | undefined;
+					strategy?: string | undefined | undefined;
+					strategy_type?: string | undefined | undefined;
+					auth0_client?: {
+						version: string;
+						name: string;
+						env?: {
+							node?: string | undefined | undefined;
+						} | undefined;
+					} | undefined;
+					hostname?: string | undefined | undefined;
+					connection_id?: string | undefined | undefined;
+					user_id?: string | undefined | undefined;
+					audience?: string | undefined | undefined;
+					scope?: string | undefined | undefined;
+					details?: any;
+					user_name?: string | undefined | undefined;
+					client_name?: string | undefined | undefined;
+					location_info?: {
+						country_code: string;
+						city_name: string;
+						latitude: string;
+						longitude: string;
+						time_zone: string;
+						continent_code: string;
+					} | undefined;
+				}[] | {
+					length: number;
+					start: number;
+					limit: number;
+					logs: {
+						type: "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
+						date: string;
+						isMobile: boolean;
+						log_id: string;
+						description?: string | undefined | undefined;
+						client_id?: string | undefined | undefined;
+						ip?: string | undefined | undefined;
+						user_agent?: string | undefined | undefined;
+						connection?: string | undefined | undefined;
+						strategy?: string | undefined | undefined;
+						strategy_type?: string | undefined | undefined;
+						auth0_client?: {
+							version: string;
+							name: string;
+							env?: {
+								node?: string | undefined | undefined;
+							} | undefined;
+						} | undefined;
+						hostname?: string | undefined | undefined;
+						connection_id?: string | undefined | undefined;
+						user_id?: string | undefined | undefined;
+						audience?: string | undefined | undefined;
+						scope?: string | undefined | undefined;
+						details?: any;
+						user_name?: string | undefined | undefined;
+						client_name?: string | undefined | undefined;
+						location_info?: {
+							country_code: string;
+							city_name: string;
+							latitude: string;
+							longitude: string;
+							time_zone: string;
+							continent_code: string;
+						} | undefined;
+					}[];
+					total?: number | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
 	} & {
 		"/:user_id/permissions": {
 			$get: {
@@ -64564,6 +64845,52 @@ export declare function init(config: AuthHeroConfig): {
 				status: 403;
 			};
 		};
+	} & {
+		"/resume": {
+			$get: {
+				input: {
+					query: {
+						state: string;
+					};
+				};
+				output: {};
+				outputFormat: string;
+				status: 302;
+			} | {
+				input: {
+					query: {
+						state: string;
+					};
+				};
+				output: {
+					message: string;
+				};
+				outputFormat: "json";
+				status: 400;
+			} | {
+				input: {
+					query: {
+						state: string;
+					};
+				};
+				output: {
+					message: string;
+				};
+				outputFormat: "json";
+				status: 403;
+			} | {
+				input: {
+					query: {
+						state: string;
+					};
+				};
+				output: {
+					message: string;
+				};
+				outputFormat: "json";
+				status: 409;
+			};
+		};
 	}, "/authorize"> & import("hono/types").MergeSchemaPath<{
 		"/": {
 			$post: {