authhero 5.13.0 → 5.14.0

package/dist/types/authentication-flows/passwordless.d.ts

@@ -160,6 +160,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                 allow_legacy_ro_grant_types?: boolean | undefined;
                 allow_legacy_tokeninfo_endpoint?: boolean | undefined;
                 change_pwd_flow_v1?: boolean | undefined;
+                client_id_metadata_document_registration?: boolean | undefined;
                 custom_domains_provisioning?: boolean | undefined;
                 dashboard_insights_view?: boolean | undefined;
                 dashboard_log_streams_next?: boolean | undefined;
@@ -355,7 +356,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                             active?: boolean | undefined;
                         } | undefined;
                         signup?: {
-                            status?: "optional" | "disabled" | "required" | undefined;
+                            status?: "optional" | "required" | "disabled" | undefined;
                             verification?: {
                                 active?: boolean | undefined;
                             } | undefined;
@@ -372,7 +373,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                             active?: boolean | undefined;
                         } | undefined;
                         signup?: {
-                            status?: "optional" | "disabled" | "required" | undefined;
+                            status?: "optional" | "required" | "disabled" | undefined;
                         } | undefined;
                         validation?: {
                             max_length?: number | undefined;
@@ -389,7 +390,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                             active?: boolean | undefined;
                         } | undefined;
                         signup?: {
-                            status?: "optional" | "disabled" | "required" | undefined;
+                            status?: "optional" | "required" | "disabled" | undefined;
                         } | undefined;
                     } | undefined;
                 } | undefined;
@@ -446,7 +447,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
+        token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;
@@ -529,8 +530,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
         } | undefined;
         authenticated_at?: string | undefined;
     };
-    connectionType: "email" | "username" | "sms";
-    authConnection: "email" | "username" | "sms";
+    connectionType: "sms" | "email" | "username";
+    authConnection: "sms" | "email" | "username";
     session_id: string | undefined;
     authParams: {
         client_id: string;

package/dist/types/helpers/cimd.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@hono/zod-openapi";
+import { Client } from "@authhero/adapter-interfaces";
+import { SsrfFetchOptions } from "../utils/ssrf-fetch";
+/**
+ * Cheap guard: a CIMD client_id is an absolute https/http URL. Full validation
+ * (length, path, fetch, document shape) happens in {@link resolveCimdClient}.
+ */
+export declare function isCimdClientId(clientId: string): boolean;
+export declare const cimdDocumentSchema: z.ZodObject<{
+    client_id: z.ZodString;
+    client_name: z.ZodString;
+    grant_types: z.ZodArray<z.ZodString>;
+    redirect_uris: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    application_type: z.ZodOptional<z.ZodEnum<{
+        native: "native";
+        web: "web";
+    }>>;
+    token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        private_key_jwt: "private_key_jwt";
+    }>>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CimdDocument = z.infer<typeof cimdDocumentSchema>;
+/**
+ * Fetch, validate, and map a CIMD document into a synthesized (un-persisted)
+ * Client. The caller is responsible for the per-tenant flag check and for
+ * composing tenant + connections into an EnrichedClient.
+ *
+ * @throws JSONHTTPException(400) on any URL, fetch, or document validation error.
+ */
+export declare function resolveCimdClient(rawUrl: string, fetchOpts?: SsrfFetchOptions): Promise<Client>;

package/dist/types/helpers/client.d.ts

@@ -1,5 +1,6 @@
 import { z } from "@hono/zod-openapi";
 import { Bindings } from "../types";
+import { SsrfFetchOptions } from "../utils/ssrf-fetch";
 /**
  * EnrichedClient combines a Client with its associated Tenant and Connections.
  *
@@ -165,6 +166,7 @@ export declare const enrichedClientSchema: z.ZodObject<{
             allow_legacy_ro_grant_types: z.ZodOptional<z.ZodBoolean>;
             allow_legacy_tokeninfo_endpoint: z.ZodOptional<z.ZodBoolean>;
             change_pwd_flow_v1: z.ZodOptional<z.ZodBoolean>;
+            client_id_metadata_document_registration: z.ZodOptional<z.ZodBoolean>;
             custom_domains_provisioning: z.ZodOptional<z.ZodBoolean>;
             dashboard_insights_view: z.ZodOptional<z.ZodBoolean>;
             dashboard_log_streams_next: z.ZodOptional<z.ZodBoolean>;
@@ -476,21 +478,4 @@ export declare const enrichedClientSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type EnrichedClient = z.infer<typeof enrichedClientSchema>;
-/**
- * Fetches a client along with its tenant and connections by making separate
- * adapter calls. This composites the data into an EnrichedClient.
- *
- * When tenantId is provided, all fetches happen in parallel for better performance.
- * When tenantId is not provided, we first fetch the client to get the tenant_id,
- * then fetch tenant and connections in parallel.
- *
- * If no connections are explicitly enabled for the client, falls back to all
- * connections available in the tenant.
- *
- * @param env - The environment bindings containing data adapters
- * @param clientId - The client ID to fetch
- * @param tenantId - Optional tenant ID (if known, enables parallel fetching)
- * @returns EnrichedClient with client, tenant, and connections data
- * @throws JSONHTTPException if client or tenant is not found
- */
-export declare function getEnrichedClient(env: Bindings, clientId: string, tenantId?: string): Promise<EnrichedClient>;
+export declare function getEnrichedClient(env: Bindings, clientId: string, tenantId?: string, fetchOpts?: SsrfFetchOptions): Promise<EnrichedClient>;

package/dist/types/helpers/connection.d.ts

@@ -0,0 +1,40 @@
+import { Context } from "hono";
+import { LoginSession, User } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+import { HookEvent } from "../types/Hooks";
+export type ConnectionInfo = NonNullable<HookEvent["connection"]>;
+export interface ConnectionNameSources {
+    /** The login session's stored auth_connection — the exact connection captured
+     *  at authentication time. Correct even for linked users. */
+    loginSession?: Pick<LoginSession, "auth_connection"> | null;
+    /** An explicitly resolved connection name passed down a flow. */
+    authConnection?: string | null;
+    /** The request-scoped ctx.var.connection (set during interactive flows). */
+    ctxConnection?: string | null;
+    /** The authenticated user. Pass ONLY where guessing from the user record is
+     *  acceptable (read-time hook events) — omit when persisting the authoritative
+     *  auth_connection, so a linked user's primary connection is never stored. */
+    user?: Pick<User, "connection"> | null;
+}
+/**
+ * Resolve the connection name used for authentication, in priority order:
+ *  1. the login session's stored `auth_connection`
+ *  2. an explicitly passed connection name
+ *  3. the request-scoped `ctx.var.connection`
+ *  4. the user's own `connection` (last resort — only when `user` is supplied)
+ *
+ * Supplying `user` is what populates `event.connection` on token-exchange and
+ * refresh requests that carry no session connection, matching Auth0's contract
+ * that the connection is available whenever it can be derived.
+ */
+export declare function resolveConnectionName(sources: ConnectionNameSources): string | undefined;
+/**
+ * Look up a connection by name and build the Auth0-compatible object exposed to
+ * hooks (`event.connection`). Matches by exact name first, then case-insensitively.
+ * Returns `undefined` when the name is empty or doesn't resolve to a known
+ * connection — callers decide whether to synthesize a fallback.
+ */
+export declare function getConnectionInfo(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, tenantId: string, connectionName: string | undefined, user?: Pick<User, "provider"> | null): Promise<ConnectionInfo | undefined>;

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -23,11 +23,11 @@ export declare const dcrRequestSchema: z.ZodObject<{
     grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        private_key_jwt: "private_key_jwt";
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
-        none: "none";
         client_secret_jwt: "client_secret_jwt";
-        private_key_jwt: "private_key_jwt";
     }>>;
     jwks_uri: z.ZodOptional<z.ZodString>;
     jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;

package/dist/types/helpers/service-token.d.ts

@@ -58,6 +58,16 @@ export interface CreateClientServiceTokenParams {
     expiresInSeconds?: number;
     customClaims?: Record<string, unknown>;
 }
+export interface CreateClientServiceTokenOptions {
+    /**
+     * When the client isn't found in the request tenant, resolve it against the
+     * configured control-plane tenant and mint there instead. Off by default so
+     * that the hook-facing token API (`createTokenAPI`) cannot reach across the
+     * tenant boundary into control-plane clients — only trusted internal callers
+     * (e.g. the auth service's own email/SMS senders) opt in.
+     */
+    allowControlPlaneFallback?: boolean;
+}
 /**
  * In-process mint of a grant-bounded access token for a DB-registered M2M
  * client. The caller is trusted (running inside the Worker) so no client
@@ -71,5 +81,5 @@ export interface CreateClientServiceTokenParams {
 export declare function createClientServiceToken(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, tenantId: string, params: CreateClientServiceTokenParams): Promise<ServiceTokenResponse>;
+}>, tenantId: string, params: CreateClientServiceTokenParams, options?: CreateClientServiceTokenOptions): Promise<ServiceTokenResponse>;
 export { AUTH_SERVICE_CLIENT_ID };