authhero 5.11.0 → 5.13.0

package/dist/types/routes/universal-login/index.d.ts

@@ -515,7 +515,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
             } & {
                 form: {
                     username: string;
-                    login_selection?: "code" | "password" | undefined;
+                    login_selection?: "password" | "code" | undefined;
                 };
             };
             output: {};
@@ -529,7 +529,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
             } & {
                 form: {
                     username: string;
-                    login_selection?: "code" | "password" | undefined;
+                    login_selection?: "password" | "code" | undefined;
                 };
             };
             output: {};

package/dist/types/routes/universal-login/u2-index.d.ts

@@ -149,7 +149,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
         $get: {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -165,7 +165,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -181,7 +181,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {

package/dist/types/routes/universal-login/u2-routes.d.ts

@@ -154,7 +154,7 @@ export declare const u2Routes: OpenAPIHono<{
         $get: {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -170,7 +170,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -186,7 +186,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {

package/dist/types/types/AuthHeroConfig.d.ts

@@ -276,6 +276,20 @@ export interface AuthHeroConfig {
      * ```
      */
     managementApiExtensions?: ManagementApiExtension[];
+    /**
+     * Optional privileged control-plane endpoint for the `@authhero/proxy`
+     * data plane. When set, mounts `GET /api/v2/proxy/control-plane/hosts/:host`
+     * which returns the cross-tenant `ResolvedHost` for the given hostname.
+     *
+     * This endpoint is read by remote proxy deployments via
+     * `createHttpProxyAdapter`. It is **cross-tenant** — gate it with a
+     * dedicated credential (shared secret, mTLS, or a JWT scoped to
+     * `proxy:resolve_host`), never with a tenant token.
+     */
+    proxyControlPlane?: {
+        resolveHost: (host: string) => Promise<import("@authhero/proxy").ResolvedHost | null>;
+        authenticate: (request: Request) => Promise<boolean> | boolean;
+    };
     /**
      * Optional powered-by logo to display at the bottom left of the login widget.
      * This is only configurable in code, not stored in the database.

package/dist/types/types/Bindings.d.ts

@@ -14,6 +14,7 @@ export type Bindings = {
     ISSUER: string;
     UNIVERSAL_LOGIN_URL?: string;
     OAUTH_API_URL?: string;
+    ENCRYPTION_KEY?: string;
     data: DataAdapters;
     hooks?: Hooks;
     /**

package/dist/types/types/IdToken.d.ts

@@ -18,13 +18,13 @@ export declare const idTokenSchema: z.ZodObject<{
     c_hash: z.ZodOptional<z.ZodString>;
 }, z.core.$loose>;
 export declare const userInfoSchema: z.ZodObject<{
-    email: z.ZodOptional<z.ZodString>;
     name: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
     sub: z.ZodString;
     iss: z.ZodString;
     aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
     exp: z.ZodNumber;
-    given_name: z.ZodOptional<z.ZodString>;
-    family_name: z.ZodOptional<z.ZodString>;
 }, z.core.$loose>;
 export type IdToken = z.infer<typeof idTokenSchema>;

package/dist/types/utils/field-encryption.d.ts

@@ -0,0 +1,21 @@
+declare const PREFIX = "enc:v1:";
+export type EncryptedField = `${typeof PREFIX}${string}`;
+export declare function isEncrypted(value: string): value is EncryptedField;
+/**
+ * Imports a base64-encoded 32-byte key as an AES-256-GCM CryptoKey. Throws if
+ * the decoded key is not exactly 32 bytes so a misconfigured secret fails loudly
+ * at boot rather than silently weakening encryption.
+ */
+export declare function loadEncryptionKey(b64: string): Promise<CryptoKey>;
+/**
+ * Encrypts a string with AES-256-GCM using a fresh random IV. The output is
+ * `enc:v1:<base64url(iv ‖ ciphertext ‖ tag)>`.
+ */
+export declare function encryptField(plaintext: string, key: CryptoKey): Promise<EncryptedField>;
+/**
+ * Decrypts a value produced by `encryptField`. Values without the `enc:v1:`
+ * prefix are assumed to be legacy plaintext and returned unchanged. Throws if a
+ * prefixed value cannot be decrypted (wrong key or corrupted ciphertext).
+ */
+export declare function decryptField(value: string, key: CryptoKey): Promise<string>;
+export {};

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "5.11.0",
+  "version": "5.13.0",
   "files": [
     "dist"
   ],
@@ -62,8 +62,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.4.1",
-    "@authhero/widget": "0.32.29"
+    "@authhero/kysely-adapter": "11.5.0",
+    "@authhero/widget": "0.32.30"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",
@@ -81,8 +81,9 @@
     "qrcode": "^1.5.4",
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
-    "@authhero/adapter-interfaces": "2.7.0",
-    "@authhero/saml": "0.4.1"
+    "@authhero/adapter-interfaces": "2.8.0",
+    "@authhero/saml": "0.4.1",
+    "@authhero/proxy": "0.3.0"
   },
   "peerDependencies": {
     "@authhero/widget": "^0.1.0",