authhero 5.11.0 → 5.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/dist/assets/u/widget/index.esm.js +1 -1
  2. package/dist/authhero.cjs +125 -125
  3. package/dist/authhero.d.ts +272 -221
  4. package/dist/authhero.mjs +10547 -10122
  5. package/dist/stats.html +1 -1
  6. package/dist/tsconfig.types.tsbuildinfo +1 -1
  7. package/dist/types/adapters/createEncryptedDataAdapter.d.ts +14 -0
  8. package/dist/types/adapters/index.d.ts +2 -0
  9. package/dist/types/authentication-flows/passwordless.d.ts +6 -6
  10. package/dist/types/helpers/custom-domain.d.ts +8 -0
  11. package/dist/types/helpers/dcr/metadata-mapping.d.ts +1 -1
  12. package/dist/types/helpers/users.d.ts +28 -0
  13. package/dist/types/index.d.ts +220 -220
  14. package/dist/types/routes/auth-api/index.d.ts +22 -22
  15. package/dist/types/routes/auth-api/passwordless.d.ts +14 -14
  16. package/dist/types/routes/auth-api/register/index.d.ts +2 -2
  17. package/dist/types/routes/auth-api/revoke.d.ts +6 -6
  18. package/dist/types/routes/management-api/action-executions.d.ts +2 -2
  19. package/dist/types/routes/management-api/actions.d.ts +1 -1
  20. package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
  21. package/dist/types/routes/management-api/clients.d.ts +13 -13
  22. package/dist/types/routes/management-api/connections.d.ts +16 -16
  23. package/dist/types/routes/management-api/custom-domains.d.ts +6 -6
  24. package/dist/types/routes/management-api/email-templates.d.ts +14 -14
  25. package/dist/types/routes/management-api/failed-events.d.ts +1 -1
  26. package/dist/types/routes/management-api/forms.d.ts +119 -119
  27. package/dist/types/routes/management-api/guardian.d.ts +5 -5
  28. package/dist/types/routes/management-api/index.d.ts +193 -193
  29. package/dist/types/routes/management-api/logs.d.ts +3 -3
  30. package/dist/types/routes/management-api/migration-sources.d.ts +6 -6
  31. package/dist/types/routes/management-api/prompts.d.ts +4 -4
  32. package/dist/types/routes/management-api/proxy-routes.d.ts +221 -0
  33. package/dist/types/routes/management-api/users.d.ts +2 -2
  34. package/dist/types/routes/proxy-control-plane/index.d.ts +22 -0
  35. package/dist/types/routes/universal-login/common.d.ts +8 -8
  36. package/dist/types/routes/universal-login/flow-api.d.ts +8 -8
  37. package/dist/types/routes/universal-login/identifier.d.ts +2 -2
  38. package/dist/types/routes/universal-login/index.d.ts +2 -2
  39. package/dist/types/routes/universal-login/u2-index.d.ts +3 -3
  40. package/dist/types/routes/universal-login/u2-routes.d.ts +3 -3
  41. package/dist/types/types/AuthHeroConfig.d.ts +14 -0
  42. package/dist/types/types/Bindings.d.ts +1 -0
  43. package/dist/types/types/IdToken.d.ts +3 -3
  44. package/dist/types/utils/field-encryption.d.ts +21 -0
  45. package/package.json +6 -5
package/dist/types/adapters/createEncryptedDataAdapter.d.ts ADDED
@@ -0,0 +1,14 @@
1
+ import { DataAdapters } from "@authhero/adapter-interfaces";
2
+ /**
3
+ * Wraps a DataAdapters instance so that sensitive credential fields are
4
+ * transparently encrypted on write and decrypted on read. Only the adapters
5
+ * that hold secrets are wrapped; everything else passes through unchanged.
6
+ *
7
+ * Encrypted columns: clients.client_secret, connections.options
8
+ * (client_secret/app_secret/twilio_token/configuration.client_secret),
9
+ * email_providers.credentials, authentication_methods.totp_secret,
10
+ * migration_sources.credentials.client_secret.
11
+ *
12
+ * Private keys (keys.pkcs7, dkim_private_key) are intentionally NOT covered.
13
+ */
14
+ export declare function createEncryptedDataAdapter(data: DataAdapters, key: CryptoKey): DataAdapters;
package/dist/types/adapters/index.d.ts CHANGED
@@ -1 +1,3 @@
1
1
  export * from "./cache";
2
+ export { createEncryptedDataAdapter } from "./createEncryptedDataAdapter";
3
+ export { loadEncryptionKey, encryptField, decryptField, isEncrypted, } from "../utils/field-encryption";
package/dist/types/authentication-flows/passwordless.d.ts CHANGED
@@ -355,7 +355,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
355
355
  active?: boolean | undefined;
356
356
  } | undefined;
357
357
  signup?: {
358
- status?: "optional" | "required" | "disabled" | undefined;
358
+ status?: "optional" | "disabled" | "required" | undefined;
359
359
  verification?: {
360
360
  active?: boolean | undefined;
361
361
  } | undefined;
@@ -372,7 +372,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
372
372
  active?: boolean | undefined;
373
373
  } | undefined;
374
374
  signup?: {
375
- status?: "optional" | "required" | "disabled" | undefined;
375
+ status?: "optional" | "disabled" | "required" | undefined;
376
376
  } | undefined;
377
377
  validation?: {
378
378
  max_length?: number | undefined;
@@ -389,7 +389,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
389
389
  active?: boolean | undefined;
390
390
  } | undefined;
391
391
  signup?: {
392
- status?: "optional" | "required" | "disabled" | undefined;
392
+ status?: "optional" | "disabled" | "required" | undefined;
393
393
  } | undefined;
394
394
  } | undefined;
395
395
  } | undefined;
@@ -446,7 +446,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
446
446
  custom_login_page_preview?: string | undefined;
447
447
  form_template?: string | undefined;
448
448
  addons?: Record<string, any> | undefined;
449
- token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
449
+ token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
450
450
  client_metadata?: Record<string, string> | undefined;
451
451
  hide_sign_up_disabled_error?: boolean | undefined;
452
452
  mobile?: Record<string, any> | undefined;
@@ -529,8 +529,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
529
529
  } | undefined;
530
530
  authenticated_at?: string | undefined;
531
531
  };
532
- connectionType: "email" | "sms" | "username";
533
- authConnection: "email" | "sms" | "username";
532
+ connectionType: "email" | "username" | "sms";
533
+ authConnection: "email" | "username" | "sms";
534
534
  session_id: string | undefined;
535
535
  authParams: {
536
536
  client_id: string;
package/dist/types/helpers/custom-domain.d.ts ADDED
@@ -0,0 +1,8 @@
1
+ import { Bindings } from "../types";
2
+ /**
3
+ * Resolve the hostname of a tenant's usable custom domain, if one exists.
4
+ *
5
+ * Only domains whose verification has completed ("ready") can serve traffic,
6
+ * so others are ignored. A primary domain wins over a non-primary one.
7
+ */
8
+ export declare function getTenantCustomDomain(env: Bindings, tenantId: string): Promise<string | undefined>;
package/dist/types/helpers/dcr/metadata-mapping.d.ts CHANGED
@@ -23,9 +23,9 @@ export declare const dcrRequestSchema: z.ZodObject<{
23
23
  grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
24
24
  response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
25
25
  token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
26
- none: "none";
27
26
  client_secret_post: "client_secret_post";
28
27
  client_secret_basic: "client_secret_basic";
28
+ none: "none";
29
29
  client_secret_jwt: "client_secret_jwt";
30
30
  private_key_jwt: "private_key_jwt";
31
31
  }>>;
package/dist/types/helpers/users.d.ts CHANGED
@@ -10,12 +10,40 @@ interface GetUserByProviderParams {
10
10
  provider: string;
11
11
  }
12
12
  export declare function getUserByProvider({ userAdapter, tenant_id, username, provider, }: GetUserByProviderParams): Promise<User | null>;
13
+ /**
14
+ * Order users by age (oldest first). When account-linking has to choose
15
+ * which of two matching users should remain primary, the older account
16
+ * wins — it has the longer history, accrued sessions, and is most likely
17
+ * the canonical identity the user expects to keep.
18
+ *
19
+ * Falls back to `user_id` so the ordering is fully deterministic when
20
+ * `created_at` is missing or identical (e.g. fixture rows seeded in the
21
+ * same millisecond).
22
+ */
23
+ export declare function compareUsersByAge(a: User, b: User): number;
13
24
  interface GetPrimaryUserByEmailParams {
14
25
  userAdapter: UserDataAdapter;
15
26
  tenant_id: string;
16
27
  email: string;
17
28
  }
18
29
  export declare function getPrimaryUserByEmail({ userAdapter, tenant_id, email, }: GetPrimaryUserByEmailParams): Promise<User | undefined>;
30
+ interface RepointPrimaryParams {
31
+ userAdapter: UserDataAdapter;
32
+ tenant_id: string;
33
+ formerPrimary: User;
34
+ newPrimaryId: string;
35
+ }
36
+ /**
37
+ * Demote `formerPrimary` to a secondary of `newPrimaryId`. Any users
38
+ * currently linked to `formerPrimary` are repointed first so the resulting
39
+ * graph remains a single hop deep — `getPrimaryUserByProvider` and similar
40
+ * resolvers only follow one `linked_to` step.
41
+ *
42
+ * Each write is a single-field `linked_to` update so the user-update
43
+ * decorator's fast-path bypasses the pre/post hooks and we don't re-enter
44
+ * the linking logic recursively.
45
+ */
46
+ export declare function repointPrimary({ userAdapter, tenant_id, formerPrimary, newPrimaryId, }: RepointPrimaryParams): Promise<void>;
19
47
  interface GetPrimaryUserByProviderParams {
20
48
  userAdapter: UserDataAdapter;
21
49
  tenant_id: string;