authhero 5.17.1 → 5.19.0

package/dist/types/authentication-flows/passwordless.d.ts

@@ -448,7 +448,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
+        token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;
@@ -531,8 +531,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
         } | undefined;
         authenticated_at?: string | undefined;
     };
-    connectionType: "username" | "email" | "sms";
-    authConnection: "username" | "email" | "sms";
+    connectionType: "username" | "sms" | "email";
+    authConnection: "username" | "sms" | "email";
     session_id: string | undefined;
     authParams: {
         client_id: string;

package/dist/types/emails/defaults/Layout.d.ts

@@ -4,9 +4,9 @@ interface LayoutProps {
     children: ReactNode;
 }
 /**
- * Shared frame for all built-in email defaults. Liquid placeholders
- * (`{{ branding.logo }}`, `{{ tenant.support_url }}`, etc.) are emitted as
- * raw strings; the runtime Liquid pass interpolates them per-send.
+ * Shared frame for all built-in email defaults. Every visual token
+ * (logo, colors, signature, address) is emitted as a raw Liquid placeholder
+ * and resolved at send time from the tenant's branding + per-send vars.
  */
 export declare function Layout({ preview, children }: LayoutProps): import("react").JSX.Element;
 export {};

package/dist/types/emails/defaults/PrimaryButton.d.ts

@@ -4,8 +4,11 @@ interface PrimaryButtonProps {
     children: ReactNode;
 }
 /**
- * Liquid-friendly button. The background color is a Liquid placeholder so the
- * runtime pass can substitute the tenant's `branding.primary_color`.
+ * Liquid-friendly button. Background, text color, and border radius are
+ * emitted as raw Liquid placeholders; `sendTemplatedEmail` is responsible
+ * for resolving defaults before render. Inlining `| default: '...'` here
+ * would not survive React Email's HTML escaping — single quotes become
+ * `'`, which liquidjs cannot parse as a string literal.
  */
 export declare function PrimaryButton({ href, children }: PrimaryButtonProps): import("react").JSX.Element;
 export {};

package/dist/types/helpers/consent.d.ts

@@ -0,0 +1,31 @@
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * OIDC basic scopes — these are exempt from the third-party consent gate
+ * because they only authorize the standard ID-token / userinfo claims that
+ * are implicit in any OIDC sign-in.
+ */
+export declare const BASIC_OIDC_SCOPES: Set<string>;
+/**
+ * Return the scopes in `requested` that are not in `consented` and are not
+ * basic OIDC scopes. An empty result means the existing consent record (if
+ * any) covers everything the client asked for.
+ */
+export declare function computeMissingConsentScopes(requested: string[], consented: string[]): string[];
+/**
+ * Load the user's stored consent for (tenant, user, client) and compute the
+ * scopes that still need explicit consent. Returns an empty array if the
+ * consent gate should pass.
+ *
+ * Fail-closed when the adapter isn't configured: the function treats every
+ * non-basic requested scope as missing so the caller blocks the auth flow.
+ */
+export declare function getMissingConsentScopes(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, params: {
+    tenantId: string;
+    userId: string;
+    clientId: string;
+    requestedScopes: string[];
+}): Promise<string[]>;

package/dist/types/helpers/control-plane-sync-events.d.ts

@@ -0,0 +1,67 @@
+import { Context } from "hono";
+import { CustomDomain, ProxyRoute } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+export declare const CONTROL_PLANE_SYNC_EVENT_PREFIX = "controlplane.sync.";
+export type SyncEntity = "custom_domain" | "proxy_route";
+export type SyncOp = "created" | "updated" | "deleted";
+/**
+ * Wire shape posted from the tenant shard to the control plane. The destination
+ * serializes one event per HTTP request; the receiver accepts a batch
+ * (`{ events: [...] }`) for forward compatibility with a future
+ * batched-delivery destination.
+ */
+export type SyncEvent = {
+    event_id: string;
+    tenant_id: string;
+    entity: "custom_domain";
+    op: "created" | "updated";
+    aggregate_id: string;
+    payload: CustomDomain;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "custom_domain";
+    op: "deleted";
+    aggregate_id: string;
+    payload: CustomDomain;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "proxy_route";
+    op: "created" | "updated";
+    aggregate_id: string;
+    payload: ProxyRoute;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "proxy_route";
+    op: "deleted";
+    aggregate_id: string;
+    payload: ProxyRoute;
+    occurred_at: string;
+};
+interface EnqueueArgs {
+    tenantId: string;
+    entity: SyncEntity;
+    op: SyncOp;
+    aggregateId: string;
+    payload: CustomDomain | ProxyRoute;
+}
+/**
+ * Enqueue a `controlplane.sync.*` event to the outbox so the
+ * `ControlPlaneSyncDestination` can replicate the mutation to the global
+ * control-plane data store.
+ *
+ * Mirrors the pattern used by `enqueuePostHookEvent`: pushes the
+ * `outbox.create` promise onto `ctx.var.outboxEventPromises` so the outbox
+ * middleware awaits it in its finally block. No-op when the outbox is not
+ * configured — single-DB deployments don't need sync.
+ */
+export declare function enqueueControlPlaneSyncEvent(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, args: EnqueueArgs): void;
+export {};

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -24,10 +24,10 @@ export declare const dcrRequestSchema: z.ZodObject<{
     response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
         none: "none";
+        private_key_jwt: "private_key_jwt";
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
         client_secret_jwt: "client_secret_jwt";
-        private_key_jwt: "private_key_jwt";
     }>>;
     jwks_uri: z.ZodOptional<z.ZodString>;
     jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;

package/dist/types/helpers/default-destinations.d.ts

@@ -18,6 +18,17 @@ export interface CreateDefaultDestinationsConfig {
     getServiceToken?: GetServiceToken;
     /** Webhook HTTP request timeout in ms (default: 10_000). */
     webhookTimeoutMs?: number;
+    /**
+     * When set, drains `controlplane.sync.*` events to the control-plane
+     * authhero instance at the given base URL. Mirrors the per-request
+     * `ControlPlaneSyncDestination` wired in the management API, so cron-drain
+     * deliveries don't lose events that missed per-request processing.
+     * Requires `getServiceToken`.
+     */
+    controlPlaneSync?: {
+        baseUrl: string;
+        timeoutMs?: number;
+    };
     /**
      * Custom webhook invoker — same shape as the `webhookInvoker` option on
      * `init()`. When provided, `hook.*` events are dispatched by calling this

package/dist/types/helpers/outbox-destinations/control-plane-sync.d.ts

@@ -0,0 +1,35 @@
+import { AuditEvent } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+import { SyncEvent } from "../control-plane-sync-events";
+import type { GetServiceToken } from "./webhooks";
+export interface ControlPlaneSyncDestinationOptions {
+    /** Base URL of the control-plane authhero instance, e.g. `https://controlplane.example.com`. */
+    baseUrl: string;
+    /** Mints a bearer token to authenticate the sync POST. */
+    getServiceToken: GetServiceToken;
+    /** Per-request timeout (default: 10s). */
+    timeoutMs?: number;
+    /** Override for tests. */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * Delivers `controlplane.sync.*` outbox events to the global control-plane
+ * `POST /api/v2/proxy/control-plane/sync` endpoint. Each POST carries one event
+ * with `Idempotency-Key: {event.id}` so the receiver can dedupe retries.
+ *
+ * The receiver MUST be idempotent: the outbox retries on network failure even
+ * after a successful write, so a `created` may arrive twice and a stale
+ * `updated` may arrive after a newer `deleted`. The default receiver in
+ * `proxy-control-plane/index.ts` handles both cases.
+ */
+export declare class ControlPlaneSyncDestination implements EventDestination {
+    name: string;
+    private baseUrl;
+    private getServiceToken;
+    private timeoutMs;
+    private fetchImpl;
+    constructor(options: ControlPlaneSyncDestinationOptions);
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): SyncEvent;
+    deliver(events: SyncEvent[]): Promise<void>;
+}

package/dist/types/helpers/outbox-destinations/logs.d.ts

@@ -7,6 +7,8 @@ export declare class LogsDestination implements EventDestination {
     /**
      * Only accept log-shaped events. `hook.*` events are dispatch tasks for
      * webhook / code-hook destinations and are not audit log entries.
+     * `controlplane.sync.*` events are replication tasks for the
+     * ControlPlaneSyncDestination and likewise shouldn't appear in audit logs.
      */
     accepts(event: AuditEvent): boolean;
     transform(event: AuditEvent): {