authhero 5.21.1 → 7.0.0

package/dist/types/routes/universal-login/u2-routes.d.ts

@@ -170,7 +170,7 @@ export declare const u2Routes: OpenAPIHono<{
         $get: {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "account" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -186,7 +186,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "account" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -202,7 +202,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "account" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -222,7 +222,7 @@ export declare const u2Routes: OpenAPIHono<{
         $post: {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -240,7 +240,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {
@@ -258,7 +258,7 @@ export declare const u2Routes: OpenAPIHono<{
         } | {
             input: {
                 param: {
-                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
+                    screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
                 };
             } & {
                 query: {

package/dist/types/strategies/microsoft-entra.d.ts

@@ -0,0 +1,23 @@
+import { Context } from "hono";
+import { Connection } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+export declare function microsoftEntraRedirect(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, loginHint: string | undefined, defaultTenant: string): Promise<{
+    redirectUrl: string;
+    code: string;
+    codeVerifier: string;
+}>;
+export declare function microsoftEntraValidate(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, code: string, code_verifier: string | undefined, defaultTenant: string): Promise<{
+    sub: string;
+    email: string | undefined;
+    given_name: string | undefined;
+    family_name: string | undefined;
+    name: string | undefined;
+    picture: unknown;
+}>;
+export declare const microsoftLogoDataUri = "data:image/svg+xml,%3Csvg%20width%3D%2245%22%20height%3D%2245%22%20viewBox%3D%220%200%2045%2045%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20fill%3D%22%23F25022%22%20d%3D%22M0%200H21.43V21.43H0V0Z%22%2F%3E%3Cpath%20fill%3D%22%237FBA00%22%20d%3D%22M23.57%200H45V21.43H23.57V0Z%22%2F%3E%3Cpath%20fill%3D%22%2300A4EF%22%20d%3D%22M0%2023.57H21.43V45H0V23.57Z%22%2F%3E%3Cpath%20fill%3D%22%23FFB900%22%20d%3D%22M23.57%2023.57H45V45H23.57V23.57Z%22%2F%3E%3C%2Fsvg%3E";

package/dist/types/strategies/waad.d.ts

@@ -0,0 +1,24 @@
+import { Context } from "hono";
+import { Connection } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+export declare const displayName = "Microsoft Azure AD";
+export declare const logoDataUri = "data:image/svg+xml,%3Csvg%20width%3D%2245%22%20height%3D%2245%22%20viewBox%3D%220%200%2045%2045%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20fill%3D%22%23F25022%22%20d%3D%22M0%200H21.43V21.43H0V0Z%22%2F%3E%3Cpath%20fill%3D%22%237FBA00%22%20d%3D%22M23.57%200H45V21.43H23.57V0Z%22%2F%3E%3Cpath%20fill%3D%22%2300A4EF%22%20d%3D%22M0%2023.57H21.43V45H0V23.57Z%22%2F%3E%3Cpath%20fill%3D%22%23FFB900%22%20d%3D%22M23.57%2023.57H45V45H23.57V23.57Z%22%2F%3E%3C%2Fsvg%3E";
+export declare function getRedirect(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, loginHint?: string): Promise<{
+    redirectUrl: string;
+    code: string;
+    codeVerifier: string;
+}>;
+export declare function validateAuthorizationCodeAndGetUser(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, code: string, code_verifier?: string): Promise<{
+    sub: string;
+    email: string | undefined;
+    given_name: string | undefined;
+    family_name: string | undefined;
+    name: string | undefined;
+    picture: unknown;
+}>;

package/dist/types/strategies/windowslive.d.ts

@@ -0,0 +1,24 @@
+import { Context } from "hono";
+import { Connection } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+export declare const displayName = "Microsoft Account";
+export declare const logoDataUri = "data:image/svg+xml,%3Csvg%20width%3D%2245%22%20height%3D%2245%22%20viewBox%3D%220%200%2045%2045%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20fill%3D%22%23F25022%22%20d%3D%22M0%200H21.43V21.43H0V0Z%22%2F%3E%3Cpath%20fill%3D%22%237FBA00%22%20d%3D%22M23.57%200H45V21.43H23.57V0Z%22%2F%3E%3Cpath%20fill%3D%22%2300A4EF%22%20d%3D%22M0%2023.57H21.43V45H0V23.57Z%22%2F%3E%3Cpath%20fill%3D%22%23FFB900%22%20d%3D%22M23.57%2023.57H45V45H23.57V23.57Z%22%2F%3E%3C%2Fsvg%3E";
+export declare function getRedirect(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, loginHint?: string): Promise<{
+    redirectUrl: string;
+    code: string;
+    codeVerifier: string;
+}>;
+export declare function validateAuthorizationCodeAndGetUser(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, connection: Connection, code: string, code_verifier?: string): Promise<{
+    sub: string;
+    email: string | undefined;
+    given_name: string | undefined;
+    family_name: string | undefined;
+    name: string | undefined;
+    picture: unknown;
+}>;

package/dist/types/types/AuthHeroConfig.d.ts

@@ -283,14 +283,26 @@ export interface AuthHeroConfig {
      * data plane. When set, mounts `GET /api/v2/proxy/control-plane/hosts/:host`
      * which returns the cross-tenant `ResolvedHost` for the given hostname.
      *
-     * This endpoint is read by remote proxy deployments via
-     * `createHttpProxyAdapter`. It is **cross-tenant** — gate it with a
-     * dedicated credential (shared secret, mTLS, or a JWT scoped to
-     * `proxy:resolve_host`), never with a tenant token.
+     * Authentication is opinionated and built in: incoming requests must
+     * carry a `Bearer` JWT signed by a key in `jwksUrl`, with `iss` matching
+     * the runtime `env.ISSUER` (strict URL equality after trailing-slash
+     * normalization) and the `proxy:resolve_host` scope. The matching
+     * client-side helper is `createHttpProxyAdapter` in `@authhero/proxy`.
      */
     proxyControlPlane?: {
         resolveHost: (host: string) => Promise<import("@authhero/proxy").ResolvedHost | null>;
-        authenticate: (request: Request) => Promise<boolean> | boolean;
+        /**
+         * JWKS document URL used to verify the bearer token. On a single-shard
+         * deployment this is typically `${env.ISSUER}/.well-known/jwks.json`.
+         */
+        jwksUrl: string;
+        /**
+         * Optional fetch override for `jwksUrl`. Defaults to global `fetch`.
+         * Hosts on Cloudflare Workers can pass
+         * `(url) => env.JWKS_SERVICE.fetch(url)` to route through a service
+         * binding instead of the public network.
+         */
+        jwksFetch?: (url: string) => Promise<Response>;
         /**
          * Optional receiver for `POST /sync` events emitted by tenant shards via
          * the `ControlPlaneSyncDestination`. Mount on the control-plane authhero

package/dist/types/utils/jwks.d.ts

@@ -9,7 +9,7 @@ import { SigningKeyModeOption } from "../types/AuthHeroConfig";
  */
 export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;
@@ -28,7 +28,7 @@ export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
  */
 export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "5.21.1",
+  "version": "7.0.0",
   "files": [
     "dist"
   ],
@@ -62,8 +62,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.8.1",
-    "@authhero/widget": "0.32.38"
+    "@authhero/kysely-adapter": "11.8.3",
+    "@authhero/widget": "0.32.39"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",
@@ -81,8 +81,8 @@
     "qrcode": "^1.5.4",
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
-    "@authhero/adapter-interfaces": "2.13.1",
-    "@authhero/proxy": "0.4.4",
+    "@authhero/adapter-interfaces": "3.0.0",
+    "@authhero/proxy": "0.5.0",
     "@authhero/saml": "0.4.1"
   },
   "peerDependencies": {