authhero 5.12.0 → 5.13.1

package/dist/types/adapters/createEncryptedDataAdapter.d.ts

@@ -0,0 +1,14 @@
+import { DataAdapters } from "@authhero/adapter-interfaces";
+/**
+ * Wraps a DataAdapters instance so that sensitive credential fields are
+ * transparently encrypted on write and decrypted on read. Only the adapters
+ * that hold secrets are wrapped; everything else passes through unchanged.
+ *
+ * Encrypted columns: clients.client_secret, connections.options
+ * (client_secret/app_secret/twilio_token/configuration.client_secret),
+ * email_providers.credentials, authentication_methods.totp_secret,
+ * migration_sources.credentials.client_secret.
+ *
+ * Private keys (keys.pkcs7, dkim_private_key) are intentionally NOT covered.
+ */
+export declare function createEncryptedDataAdapter(data: DataAdapters, key: CryptoKey): DataAdapters;

package/dist/types/adapters/index.d.ts

@@ -1 +1,3 @@
 export * from "./cache";
+export { createEncryptedDataAdapter } from "./createEncryptedDataAdapter";
+export { loadEncryptionKey, encryptField, decryptField, isEncrypted, } from "../utils/field-encryption";

package/dist/types/authentication-flows/passwordless.d.ts

@@ -446,7 +446,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
+        token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;
@@ -529,8 +529,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
         } | undefined;
         authenticated_at?: string | undefined;
     };
-    connectionType: "email" | "username" | "sms";
-    authConnection: "email" | "username" | "sms";
+    connectionType: "email" | "sms" | "username";
+    authConnection: "email" | "sms" | "username";
     session_id: string | undefined;
     authParams: {
         client_id: string;

package/dist/types/helpers/custom-domain.d.ts

@@ -0,0 +1,8 @@
+import { Bindings } from "../types";
+/**
+ * Resolve the hostname of a tenant's usable custom domain, if one exists.
+ *
+ * Only domains whose verification has completed ("ready") can serve traffic,
+ * so others are ignored. A primary domain wins over a non-primary one.
+ */
+export declare function getTenantCustomDomain(env: Bindings, tenantId: string): Promise<string | undefined>;

package/dist/types/helpers/service-token.d.ts

@@ -58,6 +58,16 @@ export interface CreateClientServiceTokenParams {
     expiresInSeconds?: number;
     customClaims?: Record<string, unknown>;
 }
+export interface CreateClientServiceTokenOptions {
+    /**
+     * When the client isn't found in the request tenant, resolve it against the
+     * configured control-plane tenant and mint there instead. Off by default so
+     * that the hook-facing token API (`createTokenAPI`) cannot reach across the
+     * tenant boundary into control-plane clients — only trusted internal callers
+     * (e.g. the auth service's own email/SMS senders) opt in.
+     */
+    allowControlPlaneFallback?: boolean;
+}
 /**
  * In-process mint of a grant-bounded access token for a DB-registered M2M
  * client. The caller is trusted (running inside the Worker) so no client
@@ -71,5 +81,5 @@ export interface CreateClientServiceTokenParams {
 export declare function createClientServiceToken(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, tenantId: string, params: CreateClientServiceTokenParams): Promise<ServiceTokenResponse>;
+}>, tenantId: string, params: CreateClientServiceTokenParams, options?: CreateClientServiceTokenOptions): Promise<ServiceTokenResponse>;
 export { AUTH_SERVICE_CLIENT_ID };