npm - authhero - Versions diffs - 5.16.0 → 5.17.1 - Mend

authhero 5.16.0 → 5.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/dist/authhero.cjs +70 -70
package/dist/authhero.d.ts +315 -265
package/dist/authhero.mjs +4304 -4265
package/dist/stats.html +1 -1
package/dist/tsconfig.types.tsbuildinfo +1 -1
package/dist/types/authentication-flows/passwordless.d.ts +2 -2
package/dist/types/emails/defaults/Layout.d.ts +1 -1
package/dist/types/emails/defaults/PrimaryButton.d.ts +1 -1
package/dist/types/emails/defaults/ResetEmail.d.ts +1 -1
package/dist/types/emails/defaults/ResetEmailByCode.d.ts +1 -1
package/dist/types/emails/defaults/UserInvitation.d.ts +1 -1
package/dist/types/emails/defaults/VerifyEmail.d.ts +1 -1
package/dist/types/emails/defaults/VerifyEmailByCode.d.ts +1 -1
package/dist/types/emails/defaults/WelcomeEmail.d.ts +1 -1
package/dist/types/index.d.ts +239 -238
package/dist/types/middlewares/authentication.d.ts +17 -0
package/dist/types/routes/auth-api/authorize.d.ts +12 -12
package/dist/types/routes/auth-api/index.d.ts +54 -54
package/dist/types/routes/auth-api/oidc-logout.d.ts +3 -3
package/dist/types/routes/auth-api/passwordless.d.ts +18 -18
package/dist/types/routes/auth-api/token.d.ts +21 -21
package/dist/types/routes/management-api/action-executions.d.ts +2 -2
package/dist/types/routes/management-api/actions.d.ts +1 -1
package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
package/dist/types/routes/management-api/branding.d.ts +8 -8
package/dist/types/routes/management-api/connections.d.ts +1 -1
package/dist/types/routes/management-api/email-templates.d.ts +14 -14
package/dist/types/routes/management-api/failed-events.d.ts +1 -1
package/dist/types/routes/management-api/forms.d.ts +119 -119
package/dist/types/routes/management-api/guardian.d.ts +5 -5
package/dist/types/routes/management-api/index.d.ts +169 -169
package/dist/types/routes/management-api/logs.d.ts +3 -3
package/dist/types/routes/management-api/migration-sources.d.ts +6 -6
package/dist/types/routes/management-api/organizations.d.ts +2 -2
package/dist/types/routes/management-api/prompts.d.ts +4 -4
package/dist/types/routes/management-api/themes.d.ts +3 -3
package/dist/types/routes/management-api/users.d.ts +2 -2
package/dist/types/routes/universal-login/common.d.ts +4 -4
package/dist/types/routes/universal-login/continue.d.ts +2 -2
package/dist/types/routes/universal-login/flow-api.d.ts +12 -12
package/dist/types/routes/universal-login/identifier.d.ts +2 -2
package/dist/types/routes/universal-login/impersonate.d.ts +4 -4
package/dist/types/routes/universal-login/index.d.ts +8 -8
package/dist/types/routes/universal-login/u2-index.d.ts +7 -7
package/dist/types/routes/universal-login/u2-routes.d.ts +7 -7
package/dist/types/types/AuthHeroConfig.d.ts +33 -0
package/dist/types/types/Hooks.d.ts +1 -1
package/dist/types/types/IdToken.d.ts +1 -1
package/dist/types/types/Variables.d.ts +1 -0
package/package.json +3 -3

package/dist/types/routes/universal-login/u2-routes.d.ts CHANGED Viewed

@@ -170,7 +170,7 @@ export declare const u2Routes: OpenAPIHono<{
         $get: {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -186,7 +186,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -198,11 +198,11 @@ export declare const u2Routes: OpenAPIHono<{
             };
             output: {};
             outputFormat: string;
-            status: 400;
+            status: 302;
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "account" | "login" | "reset-password" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -214,7 +214,7 @@ export declare const u2Routes: OpenAPIHono<{
             };
             output: {};
             outputFormat: string;
-            status: 302;
+            status: 400;
         };
     };
 } & {
@@ -254,7 +254,7 @@ export declare const u2Routes: OpenAPIHono<{
             };
             output: {};
             outputFormat: string;
-            status: 400;
+            status: 302;
         } | {
             input: {
                 param: {
@@ -272,7 +272,7 @@ export declare const u2Routes: OpenAPIHono<{
             };
             output: {};
             outputFormat: string;
-            status: 302;
+            status: 400;
         };
     };
 }, "/">;

package/dist/types/types/AuthHeroConfig.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { RolePermissionHooks, Hooks } from "./Hooks";
 import type { SamlSigner } from "@authhero/saml/core";
 import type { OpenAPIHono } from "@hono/zod-openapi";
 import type { Handler } from "hono";
+import type { ManagementAudienceResolver } from "../middlewares/authentication";
 import { EntityHooks } from "./Hooks";
 /**
  * Parameters passed to a custom webhook invoker function.
@@ -426,4 +427,36 @@ export interface AuthHeroConfig {
      * @default "control-plane"
      */
     signingKeyMode?: SigningKeyModeOption;
+    /**
+     * Relax the management API audience check from a hard 403 to a
+     * `console.warn`. Tokens issued for any other audience will still be
+     * accepted as long as they carry a matching scope/permission string.
+     *
+     * TRANSITIONAL: enable only while migrating clients to request the
+     * `urn:authhero:management` audience. Watch the warn logs to identify
+     * the remaining offenders, then flip this back off — the audience check
+     * is a defense-in-depth control against tokens minted with
+     * attacker-chosen scopes for an unregistered audience.
+     *
+     * @default false
+     */
+    relaxManagementAudience?: boolean;
+    /**
+     * Resolver returning the list of audiences accepted by the management
+     * API audience check **in addition to** the built-in
+     * `urn:authhero:management`. The token's `tenant_id` is passed in, so a
+     * per-tenant identifier can be constructed at request time alongside any
+     * global legacy identifiers.
+     *
+     * The default audience is always accepted; the resolver is purely additive.
+     *
+     * @example
+     * ```ts
+     * additionalManagementAudiences: ({ tenant_id }) => [
+     *   "https://token.example.com/v2/api/",
+     *   `https://${tenant_id}.token.example.com/v2/api/`,
+     * ];
+     * ```
+     */
+    additionalManagementAudiences?: ManagementAudienceResolver;
 }

package/dist/types/types/Hooks.d.ts CHANGED Viewed

@@ -86,7 +86,7 @@ export type HookEvent = {
     organization?: {
         id: string;
         name: string;
-        display_name: string;
+        display_name?: string;
         metadata?: Record<string, unknown>;
     };
     resource_server?: {

package/dist/types/types/IdToken.d.ts CHANGED Viewed

@@ -18,9 +18,9 @@ export declare const idTokenSchema: z.ZodObject<{
     c_hash: z.ZodOptional<z.ZodString>;
 }, z.core.$loose>;
 export declare const userInfoSchema: z.ZodObject<{
+    sub: z.ZodString;
     name: z.ZodOptional<z.ZodString>;
     email: z.ZodOptional<z.ZodString>;
-    sub: z.ZodString;
     given_name: z.ZodOptional<z.ZodString>;
     family_name: z.ZodOptional<z.ZodString>;
     iss: z.ZodString;

package/dist/types/types/Variables.d.ts CHANGED Viewed

@@ -18,6 +18,7 @@ export type Variables = {
         org_name?: string;
         org_id?: string;
         scope?: string;
+        aud?: string | string[];
     };
     organization_id?: string;
     org_name?: string;

package/package.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "5.16.0",
+  "version": "5.17.1",
   "files": [
     "dist"
   ],
@@ -62,7 +62,7 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.5.3",
+    "@authhero/kysely-adapter": "11.5.4",
     "@authhero/widget": "0.32.33"
   },
   "dependencies": {
@@ -82,7 +82,7 @@
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
     "@authhero/adapter-interfaces": "2.10.0",
-    "@authhero/proxy": "0.3.3",
+    "@authhero/proxy": "0.4.0",
     "@authhero/saml": "0.4.1"
   },
   "peerDependencies": {