authhero 5.0.0 → 5.1.0

package/dist/authhero.d.ts

@@ -45453,6 +45453,156 @@ export declare const logStreamSchema: z.ZodObject<{
 	isPriority?: boolean | undefined;
 }>;
 export type LogStream = z.infer<typeof logStreamSchema>;
+export declare const migrationProviderTypeSchema: z.ZodEnum<[
+	"auth0",
+	"cognito",
+	"okta",
+	"oidc"
+]>;
+export type MigrationProviderType = z.infer<typeof migrationProviderTypeSchema>;
+export declare const migrationSourceCredentialsSchema: z.ZodObject<{
+	domain: z.ZodString;
+	client_id: z.ZodString;
+	client_secret: z.ZodString;
+	audience: z.ZodOptional<z.ZodString>;
+	scope: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+	client_id: string;
+	client_secret: string;
+	domain: string;
+	audience?: string | undefined;
+	scope?: string | undefined;
+}, {
+	client_id: string;
+	client_secret: string;
+	domain: string;
+	audience?: string | undefined;
+	scope?: string | undefined;
+}>;
+export type MigrationSourceCredentials = z.infer<typeof migrationSourceCredentialsSchema>;
+export declare const migrationSourceInsertSchema: z.ZodObject<{
+	id: z.ZodOptional<z.ZodString>;
+	name: z.ZodString;
+	provider: z.ZodEnum<[
+		"auth0",
+		"cognito",
+		"okta",
+		"oidc"
+	]>;
+	connection: z.ZodString;
+	enabled: z.ZodDefault<z.ZodBoolean>;
+	credentials: z.ZodObject<{
+		domain: z.ZodString;
+		client_id: z.ZodString;
+		client_secret: z.ZodString;
+		audience: z.ZodOptional<z.ZodString>;
+		scope: z.ZodOptional<z.ZodString>;
+	}, "strip", z.ZodTypeAny, {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	}, {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	}>;
+}, "strip", z.ZodTypeAny, {
+	name: string;
+	connection: string;
+	provider: "auth0" | "cognito" | "okta" | "oidc";
+	enabled: boolean;
+	credentials: {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	};
+	id?: string | undefined;
+}, {
+	name: string;
+	connection: string;
+	provider: "auth0" | "cognito" | "okta" | "oidc";
+	credentials: {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	};
+	id?: string | undefined;
+	enabled?: boolean | undefined;
+}>;
+export type MigrationSourceInsert = z.infer<typeof migrationSourceInsertSchema>;
+export declare const migrationSourceSchema: z.ZodObject<{
+	created_at: z.ZodString;
+	updated_at: z.ZodString;
+} & {
+	id: z.ZodOptional<z.ZodString>;
+	name: z.ZodString;
+	provider: z.ZodEnum<[
+		"auth0",
+		"cognito",
+		"okta",
+		"oidc"
+	]>;
+	connection: z.ZodString;
+	enabled: z.ZodDefault<z.ZodBoolean>;
+	credentials: z.ZodObject<{
+		domain: z.ZodString;
+		client_id: z.ZodString;
+		client_secret: z.ZodString;
+		audience: z.ZodOptional<z.ZodString>;
+		scope: z.ZodOptional<z.ZodString>;
+	}, "strip", z.ZodTypeAny, {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	}, {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	}>;
+}, "strip", z.ZodTypeAny, {
+	created_at: string;
+	updated_at: string;
+	name: string;
+	connection: string;
+	provider: "auth0" | "cognito" | "okta" | "oidc";
+	enabled: boolean;
+	credentials: {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	};
+	id?: string | undefined;
+}, {
+	created_at: string;
+	updated_at: string;
+	name: string;
+	connection: string;
+	provider: "auth0" | "cognito" | "okta" | "oidc";
+	credentials: {
+		client_id: string;
+		client_secret: string;
+		domain: string;
+		audience?: string | undefined;
+		scope?: string | undefined;
+	};
+	id?: string | undefined;
+	enabled?: boolean | undefined;
+}>;
+export type MigrationSource = z.infer<typeof migrationSourceSchema>;
 export declare const breachedPasswordDetectionSchema: z.ZodObject<{
 	enabled: z.ZodOptional<z.ZodBoolean>;
 	shields: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -51130,6 +51280,150 @@ export declare const dailyStatsSchema: z.ZodObject<{
 export type DailyStats = z.infer<typeof dailyStatsSchema>;
 export declare const activeUsersResponseSchema: z.ZodNumber;
 export type ActiveUsersResponse = z.infer<typeof activeUsersResponseSchema>;
+export declare const analyticsResourceSchema: z.ZodEnum<[
+	"active-users",
+	"logins",
+	"signups",
+	"refresh-tokens",
+	"sessions"
+]>;
+export type AnalyticsResource = z.infer<typeof analyticsResourceSchema>;
+export declare const analyticsIntervalSchema: z.ZodEnum<[
+	"hour",
+	"day",
+	"week",
+	"month"
+]>;
+export type AnalyticsInterval = z.infer<typeof analyticsIntervalSchema>;
+export declare const analyticsGroupBySchema: z.ZodEnum<[
+	"time",
+	"connection",
+	"client_id",
+	"user_type",
+	"event"
+]>;
+export type AnalyticsGroupBy = z.infer<typeof analyticsGroupBySchema>;
+export declare const analyticsUserTypeSchema: z.ZodEnum<[
+	"password",
+	"social",
+	"passwordless",
+	"enterprise"
+]>;
+export type AnalyticsUserType = z.infer<typeof analyticsUserTypeSchema>;
+export interface AnalyticsFilters {
+	connection?: string[];
+	client_id?: string[];
+	user_type?: AnalyticsUserType[];
+	user_id?: string[];
+}
+export interface AnalyticsQueryParams {
+	/** Inclusive lower bound, ISO 8601 datetime in UTC */
+	from: string;
+	/** Exclusive upper bound, ISO 8601 datetime in UTC */
+	to: string;
+	interval: AnalyticsInterval;
+	/** IANA timezone for bucket boundaries */
+	tz: string;
+	filters: AnalyticsFilters;
+	group_by: AnalyticsGroupBy[];
+	limit: number;
+	offset: number;
+	/** Column name, prefix with `-` for descending */
+	order_by?: string;
+}
+export interface AnalyticsColumnMeta {
+	name: string;
+	/** ClickHouse-style type label (e.g. "Date", "String", "UInt64", "DateTime") */
+	type: string;
+}
+export interface AnalyticsQueryResponse {
+	meta: AnalyticsColumnMeta[];
+	data: Array<Record<string, unknown>>;
+	rows: number;
+	rows_before_limit_at_least?: number;
+	statistics?: {
+		elapsed: number;
+		rows_read?: number;
+		bytes_read?: number;
+	};
+}
+export declare const analyticsColumnMetaSchema: z.ZodObject<{
+	name: z.ZodString;
+	type: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+	type: string;
+	name: string;
+}, {
+	type: string;
+	name: string;
+}>;
+export declare const analyticsStatisticsSchema: z.ZodObject<{
+	elapsed: z.ZodNumber;
+	rows_read: z.ZodOptional<z.ZodNumber>;
+	bytes_read: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+	elapsed: number;
+	rows_read?: number | undefined;
+	bytes_read?: number | undefined;
+}, {
+	elapsed: number;
+	rows_read?: number | undefined;
+	bytes_read?: number | undefined;
+}>;
+export declare const analyticsQueryResponseSchema: z.ZodObject<{
+	meta: z.ZodArray<z.ZodObject<{
+		name: z.ZodString;
+		type: z.ZodString;
+	}, "strip", z.ZodTypeAny, {
+		type: string;
+		name: string;
+	}, {
+		type: string;
+		name: string;
+	}>, "many">;
+	data: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodAny>, "many">;
+	rows: z.ZodNumber;
+	rows_before_limit_at_least: z.ZodOptional<z.ZodNumber>;
+	statistics: z.ZodOptional<z.ZodObject<{
+		elapsed: z.ZodNumber;
+		rows_read: z.ZodOptional<z.ZodNumber>;
+		bytes_read: z.ZodOptional<z.ZodNumber>;
+	}, "strip", z.ZodTypeAny, {
+		elapsed: number;
+		rows_read?: number | undefined;
+		bytes_read?: number | undefined;
+	}, {
+		elapsed: number;
+		rows_read?: number | undefined;
+		bytes_read?: number | undefined;
+	}>>;
+}, "strip", z.ZodTypeAny, {
+	meta: {
+		type: string;
+		name: string;
+	}[];
+	data: Record<string, any>[];
+	rows: number;
+	rows_before_limit_at_least?: number | undefined;
+	statistics?: {
+		elapsed: number;
+		rows_read?: number | undefined;
+		bytes_read?: number | undefined;
+	} | undefined;
+}, {
+	meta: {
+		type: string;
+		name: string;
+	}[];
+	data: Record<string, any>[];
+	rows: number;
+	rows_before_limit_at_least?: number | undefined;
+	statistics?: {
+		elapsed: number;
+		rows_read?: number | undefined;
+		bytes_read?: number | undefined;
+	} | undefined;
+}>;
 /**
  * Available prompt screens that can be customized
  * Based on Auth0's prompt customization options
@@ -51772,6 +52066,13 @@ export interface LogStreamsAdapter {
 	update(tenant_id: string, id: string, params: Partial<LogStream>): Promise<boolean>;
 	remove(tenant_id: string, id: string): Promise<boolean>;
 }
+export interface MigrationSourcesAdapter {
+	create: (tenant_id: string, migration_source: MigrationSourceInsert) => Promise<MigrationSource>;
+	get: (tenant_id: string, id: string) => Promise<MigrationSource | null>;
+	list: (tenant_id: string) => Promise<MigrationSource[]>;
+	remove: (tenant_id: string, id: string) => Promise<boolean>;
+	update: (tenant_id: string, id: string, migration_source: Partial<MigrationSourceInsert>) => Promise<boolean>;
+}
 export interface ListConnectionsResponse extends Totals {
 	connections: Connection[];
 }
@@ -52021,6 +52322,14 @@ export interface StatsAdapter {
 	 */
 	getActiveUsers(tenantId: string): Promise<number>;
 }
+export interface AnalyticsAdapter {
+	/**
+	 * Run an analytics query for a tenant. The adapter is responsible for
+	 * injecting the tenant_id predicate; the route handler never trusts a
+	 * tenant value from a client-controlled source.
+	 */
+	query(tenantId: string, resource: AnalyticsResource, params: AnalyticsQueryParams): Promise<AnalyticsQueryResponse>;
+}
 export interface UniversalLoginTemplate {
 	body: string;
 }
@@ -52239,6 +52548,12 @@ export interface DataAdapters {
 	loginSessions: LoginSessionsAdapter;
 	logs: LogsDataAdapter;
 	logStreams?: LogStreamsAdapter;
+	/**
+	 * Optional tenant-level migration sources for lazy refresh-token re-mint
+	 * against upstream IdPs (Auth0, Cognito, Okta, generic OIDC). When unset,
+	 * unrecognized refresh tokens fail with `invalid_grant` as usual.
+	 */
+	migrationSources?: MigrationSourcesAdapter;
 	passwords: PasswordsAdapter;
 	promptSettings: PromptSettingsAdapter;
 	refreshTokens: RefreshTokensAdapter;
@@ -52248,6 +52563,12 @@ export interface DataAdapters {
 	roles: RolesAdapter;
 	sessions: SessionsAdapter;
 	stats?: StatsAdapter;
+	/**
+	 * Optional richer analytics surface, exposed via `/api/v2/analytics/*`.
+	 * Returns ClickHouse-style `{ meta, data }` responses with filtering and
+	 * grouping. Unlike `stats`, this is not Auth0 wire-compatible.
+	 */
+	analytics?: AnalyticsAdapter;
 	tenants: TenantsDataAdapter;
 	themes: ThemesAdapter;
 	universalLoginTemplates: UniversalLoginTemplatesAdapter;
@@ -56905,7 +57226,7 @@ export declare function init(config: AuthHeroConfig): {
 				status: 200;
 			};
 		};
-	}, "/guardian"> & import("hono/types").MergeSchemaPath<{
+	}, "/guardian"> & import("hono/types").MergeSchemaPath<{}, "/analytics"> & import("hono/types").MergeSchemaPath<{
 		"/daily": {
 			$get: {
 				input: {
@@ -64842,6 +65163,173 @@ export declare function init(config: AuthHeroConfig): {
 			};
 		};
 	}, "/attack-protection"> & import("hono/types").MergeSchemaPath<{
+		"/": {
+			$get: {
+				input: {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {
+					name: string;
+					created_at: string;
+					updated_at: string;
+					connection: string;
+					credentials: {
+						client_id: string;
+						client_secret: string;
+						domain: string;
+						scope?: string | undefined;
+						audience?: string | undefined;
+					};
+					provider: "auth0" | "oidc" | "cognito" | "okta";
+					enabled: boolean;
+					id?: string | undefined;
+				}[];
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	} & {
+		"/:id": {
+			$get: {
+				input: {
+					param: {
+						id: string;
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {
+					name: string;
+					created_at: string;
+					updated_at: string;
+					connection: string;
+					credentials: {
+						client_id: string;
+						client_secret: string;
+						domain: string;
+						scope?: string | undefined;
+						audience?: string | undefined;
+					};
+					provider: "auth0" | "oidc" | "cognito" | "okta";
+					enabled: boolean;
+					id?: string | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	} & {
+		"/": {
+			$post: {
+				input: {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						name: string;
+						connection: string;
+						credentials: {
+							client_id: string;
+							client_secret: string;
+							domain: string;
+							audience?: string | undefined;
+							scope?: string | undefined;
+						};
+						provider: "auth0" | "oidc" | "cognito" | "okta";
+						id?: string | undefined;
+						enabled?: boolean | undefined;
+					};
+				};
+				output: {
+					name: string;
+					created_at: string;
+					updated_at: string;
+					connection: string;
+					credentials: {
+						client_id: string;
+						client_secret: string;
+						domain: string;
+						scope?: string | undefined;
+						audience?: string | undefined;
+					};
+					provider: "auth0" | "oidc" | "cognito" | "okta";
+					enabled: boolean;
+					id?: string | undefined;
+				};
+				outputFormat: "json";
+				status: 201;
+			};
+		};
+	} & {
+		"/:id": {
+			$patch: {
+				input: {
+					param: {
+						id: string;
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				} & {
+					json: {
+						name?: string | undefined;
+						connection?: string | undefined;
+						credentials?: {
+							client_id: string;
+							client_secret: string;
+							domain: string;
+							audience?: string | undefined;
+							scope?: string | undefined;
+						} | undefined;
+						id?: string | undefined;
+						provider?: "auth0" | "oidc" | "cognito" | "okta" | undefined;
+						enabled?: boolean | undefined;
+					};
+				};
+				output: {
+					name: string;
+					created_at: string;
+					updated_at: string;
+					connection: string;
+					credentials: {
+						client_id: string;
+						client_secret: string;
+						domain: string;
+						scope?: string | undefined;
+						audience?: string | undefined;
+					};
+					provider: "auth0" | "oidc" | "cognito" | "okta";
+					enabled: boolean;
+					id?: string | undefined;
+				};
+				outputFormat: "json";
+				status: 200;
+			};
+		};
+	} & {
+		"/:id": {
+			$delete: {
+				input: {
+					param: {
+						id: string;
+					};
+				} & {
+					header: {
+						"tenant-id"?: string | undefined;
+					};
+				};
+				output: {};
+				outputFormat: string;
+				status: 204;
+			};
+		};
+	}, "/migration-sources"> & import("hono/types").MergeSchemaPath<{
 		"/": {
 			$get: {
 				input: {