authhero 4.112.0 → 4.114.0

package/dist/authhero.d.ts

@@ -11397,7 +11397,7 @@ export interface Auth0FlowInsert {
 export declare enum AuthorizationResponseType {
 	TOKEN = "token",
 	ID_TOKEN = "id_token",
-	TOKEN_ID_TOKEN = "token id_token",
+	TOKEN_ID_TOKEN = "id_token token",
 	CODE = "code"
 }
 export declare enum AuthorizationResponseMode {
@@ -43361,9 +43361,7 @@ export declare const openIDConfigurationSchema: z.ZodObject<{
 	issuer: z.ZodString;
 	authorization_endpoint: z.ZodString;
 	token_endpoint: z.ZodString;
-	device_authorization_endpoint: z.ZodString;
 	userinfo_endpoint: z.ZodString;
-	mfa_challenge_endpoint: z.ZodString;
 	jwks_uri: z.ZodString;
 	registration_endpoint: z.ZodOptional<z.ZodString>;
 	revocation_endpoint: z.ZodString;
@@ -43387,8 +43385,6 @@ export declare const openIDConfigurationSchema: z.ZodObject<{
 	userinfo_endpoint: string;
 	jwks_uri: string;
 	issuer: string;
-	device_authorization_endpoint: string;
-	mfa_challenge_endpoint: string;
 	revocation_endpoint: string;
 	scopes_supported: string[];
 	response_types_supported: string[];
@@ -43411,8 +43407,6 @@ export declare const openIDConfigurationSchema: z.ZodObject<{
 	userinfo_endpoint: string;
 	jwks_uri: string;
 	issuer: string;
-	device_authorization_endpoint: string;
-	mfa_challenge_endpoint: string;
 	revocation_endpoint: string;
 	scopes_supported: string[];
 	response_types_supported: string[];
@@ -45012,6 +45006,7 @@ export declare const sessionSchema: z.ZodObject<{
 export type Session = z.infer<typeof sessionSchema>;
 export declare const signingKeySchema: z.ZodObject<{
 	kid: z.ZodString;
+	tenant_id: z.ZodOptional<z.ZodString>;
 	cert: z.ZodString;
 	fingerprint: z.ZodString;
 	thumbprint: z.ZodString;
@@ -45034,6 +45029,7 @@ export declare const signingKeySchema: z.ZodObject<{
 	cert: string;
 	fingerprint: string;
 	thumbprint: string;
+	tenant_id?: string | undefined;
 	connection?: string | undefined;
 	revoked_at?: string | undefined;
 	pkcs7?: string | undefined;
@@ -45049,6 +45045,7 @@ export declare const signingKeySchema: z.ZodObject<{
 	cert: string;
 	fingerprint: string;
 	thumbprint: string;
+	tenant_id?: string | undefined;
 	connection?: string | undefined;
 	revoked_at?: string | undefined;
 	pkcs7?: string | undefined;
@@ -48205,6 +48202,66 @@ export declare const emailProviderSchema: z.ZodObject<{
 	settings?: {} | undefined;
 }>;
 export type EmailProvider = z.infer<typeof emailProviderSchema>;
+export declare const emailTemplateNameSchema: z.ZodEnum<[
+	"verify_email",
+	"verify_email_by_code",
+	"reset_email",
+	"reset_email_by_code",
+	"welcome_email",
+	"blocked_account",
+	"stolen_credentials",
+	"enrollment_email",
+	"mfa_oob_code",
+	"change_password",
+	"password_reset",
+	"user_invitation"
+]>;
+export type EmailTemplateName = z.infer<typeof emailTemplateNameSchema>;
+export declare const emailTemplateSchema: z.ZodObject<{
+	template: z.ZodEnum<[
+		"verify_email",
+		"verify_email_by_code",
+		"reset_email",
+		"reset_email_by_code",
+		"welcome_email",
+		"blocked_account",
+		"stolen_credentials",
+		"enrollment_email",
+		"mfa_oob_code",
+		"change_password",
+		"password_reset",
+		"user_invitation"
+	]>;
+	body: z.ZodString;
+	from: z.ZodString;
+	subject: z.ZodString;
+	syntax: z.ZodDefault<z.ZodLiteral<"liquid">>;
+	resultUrl: z.ZodOptional<z.ZodString>;
+	urlLifetimeInSeconds: z.ZodOptional<z.ZodNumber>;
+	includeEmailInRedirect: z.ZodDefault<z.ZodBoolean>;
+	enabled: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+	body: string;
+	from: string;
+	enabled: boolean;
+	template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+	subject: string;
+	syntax: "liquid";
+	includeEmailInRedirect: boolean;
+	resultUrl?: string | undefined;
+	urlLifetimeInSeconds?: number | undefined;
+}, {
+	body: string;
+	from: string;
+	template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+	subject: string;
+	enabled?: boolean | undefined;
+	syntax?: "liquid" | undefined;
+	resultUrl?: string | undefined;
+	urlLifetimeInSeconds?: number | undefined;
+	includeEmailInRedirect?: boolean | undefined;
+}>;
+export type EmailTemplate = z.infer<typeof emailTemplateSchema>;
 export declare const refreshTokenInsertSchema: z.ZodObject<{
 	id: z.ZodString;
 	login_id: z.ZodString;
@@ -50140,6 +50197,7 @@ export declare const Strategy: {
 	readonly SAMLP: "samlp";
 	readonly WAAD: "waad";
 	readonly ADFS: "adfs";
+	readonly AUTH0: "auth0";
 };
 export declare const StrategyType: {
 	readonly DATABASE: "database";
@@ -50725,6 +50783,13 @@ export interface EmailProvidersAdapter {
 	get: (tenant_id: string) => Promise<EmailProvider | null>;
 	remove: (tenant_id: string) => Promise<void>;
 }
+export interface EmailTemplatesAdapter {
+	get: (tenant_id: string, templateName: EmailTemplateName) => Promise<EmailTemplate | null>;
+	list: (tenant_id: string) => Promise<EmailTemplate[]>;
+	create: (tenant_id: string, template: EmailTemplate) => Promise<EmailTemplate>;
+	update: (tenant_id: string, templateName: EmailTemplateName, template: Partial<EmailTemplate>) => Promise<boolean>;
+	remove: (tenant_id: string, templateName: EmailTemplateName) => Promise<boolean>;
+}
 export interface ListRefreshTokenResponse extends Totals {
 	refresh_tokens: RefreshToken[];
 }
@@ -51104,6 +51169,7 @@ export interface DataAdapters {
 	connections: ConnectionsAdapter;
 	customDomains: CustomDomainsAdapter;
 	emailProviders: EmailProvidersAdapter;
+	emailTemplates: EmailTemplatesAdapter;
 	flows: FlowsAdapter;
 	forms: FormsAdapter;
 	geo?: GeoAdapter;
@@ -54173,6 +54239,44 @@ export type UserLinkingModeResolver = (params: {
 	client_id?: string;
 }) => UserLinkingMode | Promise<UserLinkingMode>;
 export type UserLinkingModeOption = UserLinkingMode | UserLinkingModeResolver;
+/**
+ * Resolver for the per-tenant username/password provider value.
+ *
+ * The native database provider has historically been written as `"auth2"`.
+ * Returning `"auth0"` for selected tenants lets you migrate them onto the
+ * `"auth0"` provider value (matching what the legacy Auth0 import format
+ * used) one tenant at a time. Reads always accept both values, so existing
+ * `auth2|*` rows keep resolving during and after the cutover.
+ *
+ * TRANSITIONAL: this resolver and the dual-read fallback can be removed
+ * once every tenant has been migrated to a single value.
+ */
+export type UsernamePasswordProviderResolver = (params: {
+	tenant_id: string;
+}) => "auth0" | "auth2" | Promise<"auth0" | "auth2">;
+/**
+ * Mode for which signing-key bucket a tenant uses when minting and
+ * publishing JWTs.
+ *
+ * - `"control-plane"` — tenant uses the shared control-plane keys (rows
+ *   with `tenant_id IS NULL`). This matches the legacy single-key-pool
+ *   behavior; existing data needs no migration.
+ * - `"tenant"` — tenant uses its own keys (rows with `tenant_id =
+ *   tenantId`). Falls back to the control-plane bucket if the tenant has
+ *   no non-revoked key yet, so flipping a tenant on is safe even before
+ *   a tenant key has been minted. JWKS for that tenant publishes the
+ *   union of tenant + control-plane keys so tokens signed by either set
+ *   keep verifying during rotation.
+ */
+export type SigningKeyMode = "control-plane" | "tenant";
+/**
+ * Resolver form for the per-tenant signing-key mode. Receives the
+ * resolved `tenant_id` and returns which bucket to use. May be async.
+ */
+export type SigningKeyModeResolver = (params: {
+	tenant_id: string;
+}) => SigningKeyMode | Promise<SigningKeyMode>;
+export type SigningKeyModeOption = SigningKeyMode | SigningKeyModeResolver;
 export interface AuthHeroConfig {
 	dataAdapter: DataAdapters;
 	/**
@@ -54376,6 +54480,35 @@ export interface AuthHeroConfig {
 	 * @default "builtin"
 	 */
 	userLinkingMode?: UserLinkingModeOption;
+	/**
+	 * Per-tenant override for the username/password provider value used on
+	 * NEW user rows. Returning `"auth0"` for a tenant migrates new signups,
+	 * password resets, etc. onto the `auth0|*` user_id format. Existing
+	 * `auth2|*` rows keep working — reads accept either value.
+	 *
+	 * Omit to keep the legacy `"auth2"` value for every tenant.
+	 *
+	 * TRANSITIONAL: this hook and the dual-read fallback in the password
+	 * flows can be removed once all tenants have been backfilled.
+	 */
+	usernamePasswordProvider?: UsernamePasswordProviderResolver;
+	/**
+	 * Per-tenant control over which signing-key bucket a tenant uses.
+	 *
+	 * Accepts either a static value or a resolver that receives
+	 * `{ tenant_id }` and returns the mode. Use the resolver form to
+	 * migrate tenants onto their own keys one at a time.
+	 *
+	 * Omit (or set to `"control-plane"`) to preserve the legacy behavior
+	 * where every tenant shares the control-plane keys.
+	 *
+	 * TRANSITIONAL: once every tenant is on `"tenant"` and the
+	 * control-plane bucket has been retired, this option and the
+	 * fallback path can be removed.
+	 *
+	 * @default "control-plane"
+	 */
+	signingKeyMode?: SigningKeyModeOption;
 }
 export type UserInfo = {
 	sub: string;
@@ -54437,6 +54570,8 @@ export type Bindings = {
 	webhookInvoker?: WebhookInvoker;
 	outbox?: OutboxConfig;
 	userLinkingMode?: UserLinkingModeOption;
+	usernamePasswordProvider?: UsernamePasswordProviderResolver;
+	signingKeyMode?: SigningKeyModeOption;
 	/**
 	 * Allow outbound fetches (jwks_uri, request_uri) to localhost / private IP
 	 * ranges and over plain http. Intended for tests and local development;
@@ -65098,6 +65233,7 @@ export declare function init(config: AuthHeroConfig): {
 					cert: string;
 					fingerprint: string;
 					thumbprint: string;
+					tenant_id?: string | undefined | undefined;
 					connection?: string | undefined | undefined;
 					revoked_at?: string | undefined | undefined;
 					pkcs7?: string | undefined | undefined;
@@ -65130,6 +65266,7 @@ export declare function init(config: AuthHeroConfig): {
 					cert: string;
 					fingerprint: string;
 					thumbprint: string;
+					tenant_id?: string | undefined | undefined;
 					connection?: string | undefined | undefined;
 					revoked_at?: string | undefined | undefined;
 					pkcs7?: string | undefined | undefined;
@@ -66243,20 +66380,219 @@ export declare function init(config: AuthHeroConfig): {
 		};
 	}, "/users"> & import("hono/types").MergeSchemaPath<{
 		"/": {
+			$post: {
+				input: {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						body: string;
+						from: string;
+						template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+						subject: string;
+						enabled?: boolean | undefined;
+						syntax?: "liquid" | undefined;
+						resultUrl?: string | undefined;
+						urlLifetimeInSeconds?: number | undefined;
+						includeEmailInRedirect?: boolean | undefined;
+					};
+				};
+				output: {};
+				outputFormat: string;
+				status: 409;
+			} | {
+				input: {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						body: string;
+						from: string;
+						template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+						subject: string;
+						enabled?: boolean | undefined;
+						syntax?: "liquid" | undefined;
+						resultUrl?: string | undefined;
+						urlLifetimeInSeconds?: number | undefined;
+						includeEmailInRedirect?: boolean | undefined;
+					};
+				};
+				output: {
+					body: string;
+					from: string;
+					enabled: boolean;
+					template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+					subject: string;
+					syntax: "liquid";
+					includeEmailInRedirect: boolean;
+					resultUrl?: string | undefined | undefined;
+					urlLifetimeInSeconds?: number | undefined | undefined;
+				};
+				outputFormat: "json";
+				status: 201;
+			};
+		};
+	} & {
+		"/:templateName": {
 			$get: {
 				input: {
+					param: {
+						templateName: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation";
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {};
+				outputFormat: string;
+				status: 404;
+			} | {
+				input: {
+					param: {
+						templateName: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation";
+					};
+				} & {
 					header: {
 						"tenant-id"?: string | undefined;
 					};
 				};
 				output: {
-					name: string;
+					body: string;
+					from: string;
 					enabled: boolean;
-					credentials: {
-						[x: string]: import("hono/utils/types").JSONValue;
+					template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+					subject: string;
+					syntax: "liquid";
+					includeEmailInRedirect: boolean;
+					resultUrl?: string | undefined | undefined;
+					urlLifetimeInSeconds?: number | undefined | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	} & {
+		"/:templateName": {
+			$put: {
+				input: {
+					param: {
+						templateName: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation";
 					};
-					default_from_address?: string | undefined | undefined;
-					settings?: {} | undefined | undefined;
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						body: string;
+						from: string;
+						template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+						subject: string;
+						enabled?: boolean | undefined;
+						syntax?: "liquid" | undefined;
+						resultUrl?: string | undefined;
+						urlLifetimeInSeconds?: number | undefined;
+						includeEmailInRedirect?: boolean | undefined;
+					};
+				};
+				output: {
+					body: string;
+					from: string;
+					enabled: boolean;
+					template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+					subject: string;
+					syntax: "liquid";
+					includeEmailInRedirect: boolean;
+					resultUrl?: string | undefined | undefined;
+					urlLifetimeInSeconds?: number | undefined | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	} & {
+		"/:templateName": {
+			$patch: {
+				input: {
+					param: {
+						templateName: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation";
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						body?: string | undefined;
+						from?: string | undefined;
+						enabled?: boolean | undefined;
+						template?: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation" | undefined;
+						subject?: string | undefined;
+						syntax?: "liquid" | undefined;
+						resultUrl?: string | undefined;
+						urlLifetimeInSeconds?: number | undefined;
+						includeEmailInRedirect?: boolean | undefined;
+					};
+				};
+				output: {};
+				outputFormat: string;
+				status: 404;
+			} | {
+				input: {
+					param: {
+						templateName: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation";
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						body?: string | undefined;
+						from?: string | undefined;
+						enabled?: boolean | undefined;
+						template?: "verify_email" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "password_reset" | "user_invitation" | undefined;
+						subject?: string | undefined;
+						syntax?: "liquid" | undefined;
+						resultUrl?: string | undefined;
+						urlLifetimeInSeconds?: number | undefined;
+						includeEmailInRedirect?: boolean | undefined;
+					};
+				};
+				output: {
+					body: string;
+					from: string;
+					enabled: boolean;
+					template: "verify_email" | "password_reset" | "change_password" | "verify_email_by_code" | "reset_email" | "reset_email_by_code" | "welcome_email" | "blocked_account" | "stolen_credentials" | "enrollment_email" | "mfa_oob_code" | "user_invitation";
+					subject: string;
+					syntax: "liquid";
+					includeEmailInRedirect: boolean;
+					resultUrl?: string | undefined | undefined;
+					urlLifetimeInSeconds?: number | undefined | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	}, "/email-templates"> & import("hono/types").MergeSchemaPath<{
+		"/": {
+			$get: {
+				input: {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {
+					name?: string | undefined;
+					credentials?: {
+						[x: string]: import("hono/utils/types").JSONValue;
+					} | undefined;
+					settings?: {} | undefined;
+					enabled?: boolean | undefined;
+					default_from_address?: string | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -66368,13 +66704,13 @@ export declare function init(config: AuthHeroConfig): {
 					};
 				};
 				output: {
-					name: string;
-					enabled: boolean;
-					credentials: {
+					name?: string | undefined;
+					credentials?: {
 						[x: string]: import("hono/utils/types").JSONValue;
-					};
-					default_from_address?: string | undefined | undefined;
-					settings?: {} | undefined | undefined;
+					} | undefined;
+					settings?: {} | undefined;
+					enabled?: boolean | undefined;
+					default_from_address?: string | undefined;
 				};
 				outputFormat: "json";
 				status: 200;
@@ -68077,7 +68413,7 @@ export declare function init(config: AuthHeroConfig): {
 						organization?: string | undefined;
 						nonce?: string | undefined;
 						response_mode?: AuthorizationResponseMode | undefined;
-						response_type?: AuthorizationResponseType | undefined;
+						response_type?: unknown;
 						prompt?: string | undefined;
 						state?: string | undefined;
 						auth0Client?: string | undefined;
@@ -68110,7 +68446,7 @@ export declare function init(config: AuthHeroConfig): {
 						organization?: string | undefined;
 						nonce?: string | undefined;
 						response_mode?: AuthorizationResponseMode | undefined;
-						response_type?: AuthorizationResponseType | undefined;
+						response_type?: unknown;
 						prompt?: string | undefined;
 						state?: string | undefined;
 						auth0Client?: string | undefined;
@@ -68143,7 +68479,7 @@ export declare function init(config: AuthHeroConfig): {
 						organization?: string | undefined;
 						nonce?: string | undefined;
 						response_mode?: AuthorizationResponseMode | undefined;
-						response_type?: AuthorizationResponseType | undefined;
+						response_type?: unknown;
 						prompt?: string | undefined;
 						state?: string | undefined;
 						auth0Client?: string | undefined;
@@ -68184,7 +68520,7 @@ export declare function init(config: AuthHeroConfig): {
 						organization?: string | undefined;
 						nonce?: string | undefined;
 						response_mode?: AuthorizationResponseMode | undefined;
-						response_type?: AuthorizationResponseType | undefined;
+						response_type?: unknown;
 						prompt?: string | undefined;
 						state?: string | undefined;
 						auth0Client?: string | undefined;
@@ -68219,7 +68555,7 @@ export declare function init(config: AuthHeroConfig): {
 						organization?: string | undefined;
 						nonce?: string | undefined;
 						response_mode?: AuthorizationResponseMode | undefined;
-						response_type?: AuthorizationResponseType | undefined;
+						response_type?: unknown;
 						prompt?: string | undefined;
 						state?: string | undefined;
 						auth0Client?: string | undefined;
@@ -68981,8 +69317,6 @@ export declare function init(config: AuthHeroConfig): {
 					userinfo_endpoint: string;
 					jwks_uri: string;
 					issuer: string;
-					device_authorization_endpoint: string;
-					mfa_challenge_endpoint: string;
 					revocation_endpoint: string;
 					scopes_supported: string[];
 					response_types_supported: string[];