authhero 5.18.0 → 5.20.0

package/dist/types/authentication-flows/common.d.ts

@@ -39,6 +39,14 @@ export interface CreateAuthTokensParams {
     permissions?: string[];
     grantType?: GrantType;
     impersonatingUser?: User;
+    /**
+     * RFC 8693 §4.1 — when the token was minted via a delegated flow (e.g.
+     * token-exchange) where the *acting party* is a client rather than a user,
+     * pass its client_id here so the `act` claim records the actor.
+     */
+    actClient?: {
+        client_id: string;
+    };
     auth_time?: number;
     /** Custom claims to add to the access token payload (cannot override reserved claims) */
     customClaims?: Record<string, unknown>;

package/dist/types/authentication-flows/passwordless.d.ts

@@ -404,7 +404,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
                     } | undefined;
                 } | undefined;
                 passkey_options?: {
-                    challenge_ui?: "button" | "both" | "autofill" | undefined;
+                    challenge_ui?: "both" | "autofill" | "button" | undefined;
                     local_enrollment_enabled?: boolean | undefined;
                     progressive_enrollment_enabled?: boolean | undefined;
                 } | undefined;

package/dist/types/authentication-flows/token-exchange.d.ts

@@ -0,0 +1,19 @@
+import { Context } from "hono";
+import { z } from "@hono/zod-openapi";
+import { Bindings, Variables, GrantFlowUserResult } from "../types";
+export declare const TOKEN_EXCHANGE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
+export declare const tokenExchangeParamsSchema: z.ZodObject<{
+    grant_type: z.ZodLiteral<"urn:ietf:params:oauth:grant-type:token-exchange">;
+    client_id: z.ZodString;
+    client_secret: z.ZodOptional<z.ZodString>;
+    subject_token: z.ZodString;
+    subject_token_type: z.ZodLiteral<"urn:ietf:params:oauth:token-type:access_token">;
+    organization: z.ZodString;
+    audience: z.ZodOptional<z.ZodString>;
+    scope: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type TokenExchangeParams = z.infer<typeof tokenExchangeParamsSchema>;
+export declare function tokenExchangeGrant(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, params: TokenExchangeParams): Promise<GrantFlowUserResult>;

package/dist/types/emails/defaults/BlockedAccount.d.ts

@@ -0,0 +1 @@
+export declare function BlockedAccount(): import("react").JSX.Element;

package/dist/types/emails/defaults/ChangePassword.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Legacy Auth0 template name. Same shape as `reset_email` — kept for
+ * Auth0-import compatibility. authhero never sends this; the active path is
+ * `reset_email` / `reset_email_by_code`.
+ */
+export declare function ChangePassword(): import("react").JSX.Element;

package/dist/types/emails/defaults/EnrollmentEmail.d.ts

@@ -0,0 +1 @@
+export declare function EnrollmentEmail(): import("react").JSX.Element;

package/dist/types/emails/defaults/MfaOobCode.d.ts

@@ -0,0 +1 @@
+export declare function MfaOobCode(): import("react").JSX.Element;

package/dist/types/emails/defaults/PasswordReset.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Legacy Auth0 template name. Notification that a password was changed (no
+ * call-to-action). Kept for Auth0-import compatibility.
+ */
+export declare function PasswordReset(): import("react").JSX.Element;

package/dist/types/emails/defaults/StolenCredentials.d.ts

@@ -0,0 +1 @@
+export declare function StolenCredentials(): import("react").JSX.Element;

package/dist/types/emails/index.d.ts

@@ -1,6 +1,6 @@
 import { Context } from "hono";
 import { Bindings, Variables } from "../types";
-import { AuthParams, User } from "@authhero/adapter-interfaces";
+import { AuthParams, EmailTemplateName, User } from "@authhero/adapter-interfaces";
 export type SendEmailParams = {
     to: string;
     subject: string;
@@ -68,3 +68,23 @@ export declare function sendInvitation(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
 }>, { to, invitationUrl, inviterName, organizationName, ttlSec, language, }: SendInvitationParams): Promise<void>;
+export interface SendTestEmailParams {
+    to: string;
+    templateName: EmailTemplateName;
+    /** Optional override for the body — defaults to stored override or bundled default. */
+    body?: string;
+    /** Optional override for the subject — defaults to stored override or bundled default. */
+    subject?: string;
+    /** Optional override for the from address. */
+    from?: string;
+    language?: string;
+}
+/**
+ * Send a test email using the provided body/subject (or the stored / bundled
+ * default), with realistic-looking sample data. Used by the admin UI's
+ * "Send test" button so customizations can be validated before saving.
+ */
+export declare function sendTestEmail(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, params: SendTestEmailParams): Promise<void>;

package/dist/types/helpers/consent.d.ts

@@ -0,0 +1,31 @@
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * OIDC basic scopes — these are exempt from the third-party consent gate
+ * because they only authorize the standard ID-token / userinfo claims that
+ * are implicit in any OIDC sign-in.
+ */
+export declare const BASIC_OIDC_SCOPES: Set<string>;
+/**
+ * Return the scopes in `requested` that are not in `consented` and are not
+ * basic OIDC scopes. An empty result means the existing consent record (if
+ * any) covers everything the client asked for.
+ */
+export declare function computeMissingConsentScopes(requested: string[], consented: string[]): string[];
+/**
+ * Load the user's stored consent for (tenant, user, client) and compute the
+ * scopes that still need explicit consent. Returns an empty array if the
+ * consent gate should pass.
+ *
+ * Fail-closed when the adapter isn't configured: the function treats every
+ * non-basic requested scope as missing so the caller blocks the auth flow.
+ */
+export declare function getMissingConsentScopes(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, params: {
+    tenantId: string;
+    userId: string;
+    clientId: string;
+    requestedScopes: string[];
+}): Promise<string[]>;

package/dist/types/helpers/control-plane-sync-events.d.ts

@@ -0,0 +1,67 @@
+import { Context } from "hono";
+import { CustomDomain, ProxyRoute } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+export declare const CONTROL_PLANE_SYNC_EVENT_PREFIX = "controlplane.sync.";
+export type SyncEntity = "custom_domain" | "proxy_route";
+export type SyncOp = "created" | "updated" | "deleted";
+/**
+ * Wire shape posted from the tenant shard to the control plane. The destination
+ * serializes one event per HTTP request; the receiver accepts a batch
+ * (`{ events: [...] }`) for forward compatibility with a future
+ * batched-delivery destination.
+ */
+export type SyncEvent = {
+    event_id: string;
+    tenant_id: string;
+    entity: "custom_domain";
+    op: "created" | "updated";
+    aggregate_id: string;
+    payload: CustomDomain;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "custom_domain";
+    op: "deleted";
+    aggregate_id: string;
+    payload: CustomDomain;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "proxy_route";
+    op: "created" | "updated";
+    aggregate_id: string;
+    payload: ProxyRoute;
+    occurred_at: string;
+} | {
+    event_id: string;
+    tenant_id: string;
+    entity: "proxy_route";
+    op: "deleted";
+    aggregate_id: string;
+    payload: ProxyRoute;
+    occurred_at: string;
+};
+interface EnqueueArgs {
+    tenantId: string;
+    entity: SyncEntity;
+    op: SyncOp;
+    aggregateId: string;
+    payload: CustomDomain | ProxyRoute;
+}
+/**
+ * Enqueue a `controlplane.sync.*` event to the outbox so the
+ * `ControlPlaneSyncDestination` can replicate the mutation to the global
+ * control-plane data store.
+ *
+ * Mirrors the pattern used by `enqueuePostHookEvent`: pushes the
+ * `outbox.create` promise onto `ctx.var.outboxEventPromises` so the outbox
+ * middleware awaits it in its finally block. No-op when the outbox is not
+ * configured — single-DB deployments don't need sync.
+ */
+export declare function enqueueControlPlaneSyncEvent(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, args: EnqueueArgs): void;
+export {};

package/dist/types/helpers/default-destinations.d.ts

@@ -18,6 +18,17 @@ export interface CreateDefaultDestinationsConfig {
     getServiceToken?: GetServiceToken;
     /** Webhook HTTP request timeout in ms (default: 10_000). */
     webhookTimeoutMs?: number;
+    /**
+     * When set, drains `controlplane.sync.*` events to the control-plane
+     * authhero instance at the given base URL. Mirrors the per-request
+     * `ControlPlaneSyncDestination` wired in the management API, so cron-drain
+     * deliveries don't lose events that missed per-request processing.
+     * Requires `getServiceToken`.
+     */
+    controlPlaneSync?: {
+        baseUrl: string;
+        timeoutMs?: number;
+    };
     /**
      * Custom webhook invoker — same shape as the `webhookInvoker` option on
      * `init()`. When provided, `hook.*` events are dispatched by calling this

package/dist/types/helpers/outbox-destinations/control-plane-sync.d.ts

@@ -0,0 +1,35 @@
+import { AuditEvent } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+import { SyncEvent } from "../control-plane-sync-events";
+import type { GetServiceToken } from "./webhooks";
+export interface ControlPlaneSyncDestinationOptions {
+    /** Base URL of the control-plane authhero instance, e.g. `https://controlplane.example.com`. */
+    baseUrl: string;
+    /** Mints a bearer token to authenticate the sync POST. */
+    getServiceToken: GetServiceToken;
+    /** Per-request timeout (default: 10s). */
+    timeoutMs?: number;
+    /** Override for tests. */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * Delivers `controlplane.sync.*` outbox events to the global control-plane
+ * `POST /api/v2/proxy/control-plane/sync` endpoint. Each POST carries one event
+ * with `Idempotency-Key: {event.id}` so the receiver can dedupe retries.
+ *
+ * The receiver MUST be idempotent: the outbox retries on network failure even
+ * after a successful write, so a `created` may arrive twice and a stale
+ * `updated` may arrive after a newer `deleted`. The default receiver in
+ * `proxy-control-plane/index.ts` handles both cases.
+ */
+export declare class ControlPlaneSyncDestination implements EventDestination {
+    name: string;
+    private baseUrl;
+    private getServiceToken;
+    private timeoutMs;
+    private fetchImpl;
+    constructor(options: ControlPlaneSyncDestinationOptions);
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): SyncEvent;
+    deliver(events: SyncEvent[]): Promise<void>;
+}

package/dist/types/helpers/outbox-destinations/logs.d.ts

@@ -7,6 +7,8 @@ export declare class LogsDestination implements EventDestination {
     /**
      * Only accept log-shaped events. `hook.*` events are dispatch tasks for
      * webhook / code-hook destinations and are not audit log entries.
+     * `controlplane.sync.*` events are replication tasks for the
+     * ControlPlaneSyncDestination and likewise shouldn't appear in audit logs.
      */
     accepts(event: AuditEvent): boolean;
     transform(event: AuditEvent): {

package/dist/types/helpers/scopes-permissions.d.ts

@@ -13,7 +13,7 @@ interface ClientCredentialsScopesAndPermissionsParams extends BaseScopesAndPermi
     userId?: never;
 }
 interface UserBasedScopesAndPermissionsParams extends BaseScopesAndPermissionsParams {
-    grantType?: GrantType.AuthorizationCode | GrantType.RefreshToken | GrantType.Password | GrantType.Passwordless | GrantType.OTP | undefined;
+    grantType?: GrantType.AuthorizationCode | GrantType.RefreshToken | GrantType.Password | GrantType.Passwordless | GrantType.OTP | GrantType.TokenExchange | undefined;
     userId: string;
 }
 export type CalculateScopesAndPermissionsParams = ClientCredentialsScopesAndPermissionsParams | UserBasedScopesAndPermissionsParams;