authhero 5.13.1 → 5.14.1

package/dist/types/authentication-flows/password.d.ts

@@ -21,4 +21,4 @@ export declare function changePassword(ctx: Context<{
 export declare function requestPasswordReset(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, client: EnrichedClient, email: string, state: string, verification_method?: "link" | "code"): Promise<void>;
+}>, client: EnrichedClient, email: string, state: string, verification_method?: "link" | "code", routePrefix?: string): Promise<void>;

package/dist/types/authentication-flows/passwordless.d.ts

@@ -160,6 +160,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                 allow_legacy_ro_grant_types?: boolean | undefined;
                 allow_legacy_tokeninfo_endpoint?: boolean | undefined;
                 change_pwd_flow_v1?: boolean | undefined;
+                client_id_metadata_document_registration?: boolean | undefined;
                 custom_domains_provisioning?: boolean | undefined;
                 dashboard_insights_view?: boolean | undefined;
                 dashboard_log_streams_next?: boolean | undefined;

package/dist/types/emails/index.d.ts

@@ -27,7 +27,7 @@ export declare function sendSms(ctx: Context<{
 export declare function sendResetPassword(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, to: string, code: string, state?: string, language?: string): Promise<void>;
+}>, to: string, code: string, state?: string, language?: string, routePrefix?: string): Promise<void>;
 export declare function sendResetPasswordCode(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;

package/dist/types/helpers/cimd.d.ts

@@ -0,0 +1,32 @@
+import { z } from "@hono/zod-openapi";
+import { Client } from "@authhero/adapter-interfaces";
+import { SsrfFetchOptions } from "../utils/ssrf-fetch";
+/**
+ * Cheap guard: a CIMD client_id is an absolute https/http URL. Full validation
+ * (length, path, fetch, document shape) happens in {@link resolveCimdClient}.
+ */
+export declare function isCimdClientId(clientId: string): boolean;
+export declare const cimdDocumentSchema: z.ZodObject<{
+    client_id: z.ZodString;
+    client_name: z.ZodString;
+    grant_types: z.ZodArray<z.ZodString>;
+    redirect_uris: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    application_type: z.ZodOptional<z.ZodEnum<{
+        native: "native";
+        web: "web";
+    }>>;
+    token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        private_key_jwt: "private_key_jwt";
+    }>>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CimdDocument = z.infer<typeof cimdDocumentSchema>;
+/**
+ * Fetch, validate, and map a CIMD document into a synthesized (un-persisted)
+ * Client. The caller is responsible for the per-tenant flag check and for
+ * composing tenant + connections into an EnrichedClient.
+ *
+ * @throws JSONHTTPException(400) on any URL, fetch, or document validation error.
+ */
+export declare function resolveCimdClient(rawUrl: string, fetchOpts?: SsrfFetchOptions): Promise<Client>;

package/dist/types/helpers/client.d.ts

@@ -1,5 +1,6 @@
 import { z } from "@hono/zod-openapi";
 import { Bindings } from "../types";
+import { SsrfFetchOptions } from "../utils/ssrf-fetch";
 /**
  * EnrichedClient combines a Client with its associated Tenant and Connections.
  *
@@ -165,6 +166,7 @@ export declare const enrichedClientSchema: z.ZodObject<{
             allow_legacy_ro_grant_types: z.ZodOptional<z.ZodBoolean>;
             allow_legacy_tokeninfo_endpoint: z.ZodOptional<z.ZodBoolean>;
             change_pwd_flow_v1: z.ZodOptional<z.ZodBoolean>;
+            client_id_metadata_document_registration: z.ZodOptional<z.ZodBoolean>;
             custom_domains_provisioning: z.ZodOptional<z.ZodBoolean>;
             dashboard_insights_view: z.ZodOptional<z.ZodBoolean>;
             dashboard_log_streams_next: z.ZodOptional<z.ZodBoolean>;
@@ -476,21 +478,4 @@ export declare const enrichedClientSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type EnrichedClient = z.infer<typeof enrichedClientSchema>;
-/**
- * Fetches a client along with its tenant and connections by making separate
- * adapter calls. This composites the data into an EnrichedClient.
- *
- * When tenantId is provided, all fetches happen in parallel for better performance.
- * When tenantId is not provided, we first fetch the client to get the tenant_id,
- * then fetch tenant and connections in parallel.
- *
- * If no connections are explicitly enabled for the client, falls back to all
- * connections available in the tenant.
- *
- * @param env - The environment bindings containing data adapters
- * @param clientId - The client ID to fetch
- * @param tenantId - Optional tenant ID (if known, enables parallel fetching)
- * @returns EnrichedClient with client, tenant, and connections data
- * @throws JSONHTTPException if client or tenant is not found
- */
-export declare function getEnrichedClient(env: Bindings, clientId: string, tenantId?: string): Promise<EnrichedClient>;
+export declare function getEnrichedClient(env: Bindings, clientId: string, tenantId?: string, fetchOpts?: SsrfFetchOptions): Promise<EnrichedClient>;

package/dist/types/helpers/connection.d.ts

@@ -0,0 +1,40 @@
+import { Context } from "hono";
+import { LoginSession, User } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+import { HookEvent } from "../types/Hooks";
+export type ConnectionInfo = NonNullable<HookEvent["connection"]>;
+export interface ConnectionNameSources {
+    /** The login session's stored auth_connection — the exact connection captured
+     *  at authentication time. Correct even for linked users. */
+    loginSession?: Pick<LoginSession, "auth_connection"> | null;
+    /** An explicitly resolved connection name passed down a flow. */
+    authConnection?: string | null;
+    /** The request-scoped ctx.var.connection (set during interactive flows). */
+    ctxConnection?: string | null;
+    /** The authenticated user. Pass ONLY where guessing from the user record is
+     *  acceptable (read-time hook events) — omit when persisting the authoritative
+     *  auth_connection, so a linked user's primary connection is never stored. */
+    user?: Pick<User, "connection"> | null;
+}
+/**
+ * Resolve the connection name used for authentication, in priority order:
+ *  1. the login session's stored `auth_connection`
+ *  2. an explicitly passed connection name
+ *  3. the request-scoped `ctx.var.connection`
+ *  4. the user's own `connection` (last resort — only when `user` is supplied)
+ *
+ * Supplying `user` is what populates `event.connection` on token-exchange and
+ * refresh requests that carry no session connection, matching Auth0's contract
+ * that the connection is available whenever it can be derived.
+ */
+export declare function resolveConnectionName(sources: ConnectionNameSources): string | undefined;
+/**
+ * Look up a connection by name and build the Auth0-compatible object exposed to
+ * hooks (`event.connection`). Matches by exact name first, then case-insensitively.
+ * Returns `undefined` when the name is empty or doesn't resolve to a known
+ * connection — callers decide whether to synthesize a fallback.
+ */
+export declare function getConnectionInfo(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, tenantId: string, connectionName: string | undefined, user?: Pick<User, "provider"> | null): Promise<ConnectionInfo | undefined>;

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -23,11 +23,11 @@ export declare const dcrRequestSchema: z.ZodObject<{
     grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        private_key_jwt: "private_key_jwt";
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
-        none: "none";
         client_secret_jwt: "client_secret_jwt";
-        private_key_jwt: "private_key_jwt";
     }>>;
     jwks_uri: z.ZodOptional<z.ZodString>;
     jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;