authhero 5.17.0 → 5.17.1

package/dist/authhero.mjs

@@ -5076,7 +5076,7 @@ var $o = (e, t) => {
 }, ls = (e, t, n, r) => {
 	let i = cs(t, n, r);
 	e.header("Set-Cookie", i, { append: !0 });
-}, us = "mpv55hkq", ds = /* @__PURE__ */ p({
+}, us = "mpxp0lcu", ds = /* @__PURE__ */ p({
 	common: () => fs,
 	consent: () => ps,
 	default: () => xs,
@@ -23400,18 +23400,16 @@ var sO = {
 		grant_types: ["authorization_code", "refresh_token"]
 	},
 	regular_web: {
-		token_endpoint_auth_method: "client_secret_basic",
+		token_endpoint_auth_method: "client_secret_post",
 		grant_types: ["authorization_code", "refresh_token"]
 	},
 	non_interactive: {
-		token_endpoint_auth_method: "client_secret_basic",
+		token_endpoint_auth_method: "client_secret_post",
 		grant_types: ["client_credentials"]
 	}
 };
 function cO(e, t) {
-	let n = t.app_type;
-	if (typeof n != "string") return e;
-	let r = sO[n];
+	let n = t.app_type, r = sO[typeof n == "string" ? n : "regular_web"];
 	return r ? {
 		...e,
 		token_endpoint_auth_method: "token_endpoint_auth_method" in t ? e.token_endpoint_auth_method : r.token_endpoint_auth_method,
@@ -30035,23 +30033,23 @@ function mP(e, t, n) {
 	};
 }
 async function hP(e, t) {
-	let { authParams: n, user: r, client: i, session_id: a, organization: o, permissions: s, impersonatingUser: c } = t, l = t.auth_time;
-	if (l === void 0 && a && e.var.tenant_id) {
+	let { authParams: n, user: r, client: i, session_id: a, organization: o, permissions: s, impersonatingUser: c, grantType: l } = t, u = t.auth_time;
+	if (u === void 0 && a && e.var.tenant_id) {
 		let t = await e.env.data.sessions.get(e.var.tenant_id, a);
-		t?.authenticated_at && (l = Math.floor(new Date(t.authenticated_at).getTime() / 1e3));
+		t?.authenticated_at && (u = Math.floor(new Date(t.authenticated_at).getTime() / 1e3));
 	}
-	let u = e.var.tenant_id, d = (await AD(e.env.data.keys, u ?? "", u ? e.env.signingKeyMode : "control-plane", { purpose: "sign" }))[0];
-	if (!d?.pkcs7 || !d.cert) throw new B(500, { message: "No signing key available" });
-	let f = Ok(d.pkcs7), p = await Lk(d.cert), m = um(e.env, e.var.custom_domain), h = n.audience ?? i.tenant.default_audience ?? `${m}userinfo`, g = n.claims?.userinfo ? Object.keys(n.claims.userinfo) : void 0, v = {
-		aud: h,
+	let d = e.var.tenant_id, f = (await AD(e.env.data.keys, d ?? "", d ? e.env.signingKeyMode : "control-plane", { purpose: "sign" }))[0];
+	if (!f?.pkcs7 || !f.cert) throw new B(500, { message: "No signing key available" });
+	let p = Ok(f.pkcs7), m = await Lk(f.cert), h = um(e.env, e.var.custom_domain), g = n.audience ?? i.tenant.default_audience ?? `${h}userinfo`, v = n.claims?.userinfo ? Object.keys(n.claims.userinfo) : void 0, y = {
+		aud: g,
 		scope: n.scope || "",
 		sub: r?.user_id || n.client_id,
-		iss: m,
+		iss: h,
 		tenant_id: e.var.tenant_id,
 		sid: a,
 		act: c ? { sub: c.user_id } : void 0,
 		org_id: o ? o.id : void 0,
-		requested_userinfo_claims: g,
+		requested_userinfo_claims: v,
 		org_name: o && i.tenant.allow_organization_name_in_authentication_api ? o.name.toLowerCase() : void 0,
 		permissions: s,
 		...t.customClaims
@@ -30059,26 +30057,26 @@ async function hP(e, t) {
 	if (t.customClaims) {
 		for (let e of pP) if (e in t.customClaims) throw Error(`Cannot overwrite reserved claim '${e}'`);
 	}
-	let y = n.scope?.split(" ") || [], b = y.includes("openid"), x = (n.response_type ?? "").trim() === on.ID_TOKEN, S = i.auth0_conformant !== !1 || x, C = r && b ? {
+	let b = n.scope?.split(" ") || [], x = b.includes("openid"), S = (n.response_type ?? "").trim() === on.ID_TOKEN, C = i.auth0_conformant !== !1 || S, w = r && x ? {
 		aud: n.client_id,
 		sub: r.user_id,
-		iss: m,
+		iss: h,
 		sid: a,
 		nonce: n.nonce,
-		...l === void 0 ? {} : { auth_time: l },
+		...u === void 0 ? {} : { auth_time: u },
 		...n.acr_values ? { acr: n.acr_values.split(" ")[0] } : {},
-		...S ? Fj(r, y) : {},
+		...C ? Fj(r, b) : {},
 		...n.claims?.id_token ? Ij(r, Object.keys(n.claims.id_token)) : {},
-		...x && n.claims?.userinfo ? Ij(r, Object.keys(n.claims.userinfo)) : {},
+		...S && n.claims?.userinfo ? Ij(r, Object.keys(n.claims.userinfo)) : {},
 		act: c ? { sub: c.user_id } : void 0,
 		org_id: o?.id,
 		org_name: o?.name.toLowerCase()
-	} : void 0, w = bj({
+	} : void 0, T = bj({
 		loginSession: t.loginSession,
 		authConnection: t.authConnection,
 		ctxConnection: e.var.connection,
 		user: r
-	}), T = await xj(e, e.var.tenant_id, w, r);
+	}), ee = await xj(e, e.var.tenant_id, T, r);
 	e.env.hooks?.onExecuteCredentialsExchange && await e.env.hooks.onExecuteCredentialsExchange({
 		ctx: e,
 		client: i,
@@ -30090,29 +30088,30 @@ async function hP(e, t) {
 			url: e.req.url
 		},
 		scope: n.scope || "",
-		grant_type: "",
-		connection: T || (w ? {
-			id: w,
-			name: w,
+		grant_type: l ?? "",
+		organization: o,
+		connection: ee || (T ? {
+			id: T,
+			name: T,
 			strategy: r?.provider || "auth0"
 		} : void 0)
-	}, mP(e, v, C));
+	}, mP(e, y, w));
 	{
 		let { hooks: t } = await e.env.data.hooks.list(e.var.tenant_id, {
 			q: "trigger_id:credentials-exchange",
 			page: 0,
 			per_page: 100,
 			include_totals: !1
-		}), a = t.filter((e) => e.enabled && ZA(e)), o = mP(e, v, C);
+		}), a = t.filter((e) => e.enabled && ZA(e)), s = mP(e, y, w);
 		if (r) {
 			for (let t of a) if (ZA(t)) try {
-				await $A(e, t.template_id, r, o);
+				await $A(e, t.template_id, r, s);
 			} catch (e) {
 				if (e instanceof _) throw e;
 				console.warn(`[credentials-exchange] Failed to execute template hook: ${t.template_id}`, e);
 			}
 		}
-		let s = mP(e, v, C), c = await zA(e, t, {
+		let c = mP(e, y, w), u = await zA(e, t, {
 			ctx: e,
 			client: i,
 			user: r,
@@ -30123,31 +30122,32 @@ async function hP(e, t) {
 				url: e.req?.url || ""
 			},
 			scope: n.scope || "",
-			grant_type: "",
-			connection: T || (w ? {
-				id: w,
-				name: w,
+			grant_type: l ?? "",
+			organization: o,
+			connection: ee || (T ? {
+				id: T,
+				name: T,
 				strategy: r?.provider || "auth0"
 			} : void 0)
-		}, s);
-		c && e.set("action_execution_id", c);
+		}, c);
+		u && e.set("action_execution_id", u);
 	}
-	let ee = c ? 3600 : t.token_lifetime ?? 86400, E = {
+	let E = c ? 3600 : t.token_lifetime ?? 86400, te = {
 		includeIssuedTimestamp: !0,
-		expiresIn: new ap(ee, "s"),
-		headers: { kid: d.kid }
-	}, te = await op(p, f, v, E);
-	if (C) {
+		expiresIn: new ap(E, "s"),
+		headers: { kid: f.kid }
+	}, ne = await op(m, p, y, te);
+	if (w) {
 		let e = (n.response_type ?? "").split(" ");
-		t.code && e.includes("code") && (C.c_hash = await zk(t.code, p)), e.includes("id_token") && e.includes("token") && (C.at_hash = await zk(te, p));
+		t.code && e.includes("code") && (w.c_hash = await zk(t.code, m)), e.includes("id_token") && e.includes("token") && (w.at_hash = await zk(ne, m));
 	}
-	let ne = C ? await op(p, f, C, E) : void 0;
+	let D = w ? await op(m, p, w, te) : void 0;
 	return {
-		access_token: te,
+		access_token: ne,
 		refresh_token: t.refresh_token,
-		id_token: ne,
+		id_token: D,
 		token_type: "Bearer",
-		expires_in: ee
+		expires_in: E
 	};
 }
 async function gP(e, t) {
@@ -69166,7 +69166,7 @@ var Une = {
 				password: o,
 				username: l.authParams.username
 			});
-			if ("success" in d) return { redirect: `/u2/login/identifier?state=${encodeURIComponent(i)}&message=password_reset_success` };
+			if ("success" in d) return { redirect: `${e.routePrefix}/login/identifier?state=${encodeURIComponent(i)}&message=password_reset_success` };
 			let f = d.error === "code_expired" ? c.codeExpired() : d.error;
 			return {
 				error: f,
@@ -69366,7 +69366,7 @@ var Wne = {
 				password: s,
 				username: l.authParams.username
 			});
-			if ("success" in u) return { redirect: `/u2/login/identifier?state=${encodeURIComponent(i)}&message=password_reset_success` };
+			if ("success" in u) return { redirect: `${e.routePrefix}/login/identifier?state=${encodeURIComponent(i)}&message=password_reset_success` };
 			let d = u.error === "code_expired" ? a.invalidCode() : u.error;
 			return {
 				error: d,