authhero 5.8.0 → 5.9.0

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -0,0 +1,83 @@
+import { z } from "@hono/zod-openapi";
+import type { Client, ClientInsert } from "@authhero/adapter-interfaces";
+/**
+ * RFC 7591 §2 client metadata accepted at the DCR endpoint. Auth0's
+ * Management API uses `callbacks`; we map from RFC-standard `redirect_uris`
+ * at the wire boundary and back on response.
+ *
+ * The schema is strict (not passthrough) — unknown fields in the request
+ * are ignored rather than being echoed to the response. Forward-compat for
+ * RFC 7591 unknown fields can be added later via a separate `extensions`
+ * field or a `.passthrough()` once the dts-bundle-generator config allows
+ * the wider type.
+ */
+export declare const dcrRequestSchema: z.ZodObject<{
+    redirect_uris: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    client_name: z.ZodOptional<z.ZodString>;
+    client_uri: z.ZodOptional<z.ZodString>;
+    logo_uri: z.ZodOptional<z.ZodString>;
+    tos_uri: z.ZodOptional<z.ZodString>;
+    policy_uri: z.ZodOptional<z.ZodString>;
+    contacts: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    scope: z.ZodOptional<z.ZodString>;
+    grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
+        none: "none";
+        client_secret_post: "client_secret_post";
+        client_secret_basic: "client_secret_basic";
+        client_secret_jwt: "client_secret_jwt";
+        private_key_jwt: "private_key_jwt";
+    }>>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    software_id: z.ZodOptional<z.ZodString>;
+    software_version: z.ZodOptional<z.ZodString>;
+    client_id: z.ZodOptional<z.ZodString>;
+    client_secret: z.ZodOptional<z.ZodString>;
+    audience: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type DcrRequest = z.infer<typeof dcrRequestSchema>;
+export declare const dcrResponseSchema: z.ZodObject<{
+    client_id: z.ZodString;
+    client_secret: z.ZodOptional<z.ZodString>;
+    client_id_issued_at: z.ZodOptional<z.ZodNumber>;
+    client_secret_expires_at: z.ZodOptional<z.ZodNumber>;
+    registration_access_token: z.ZodOptional<z.ZodString>;
+    registration_client_uri: z.ZodString;
+    client_name: z.ZodOptional<z.ZodString>;
+    redirect_uris: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
+    logo_uri: z.ZodOptional<z.ZodString>;
+    client_uri: z.ZodOptional<z.ZodString>;
+    tos_uri: z.ZodOptional<z.ZodString>;
+    policy_uri: z.ZodOptional<z.ZodString>;
+    contacts: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    scope: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    software_id: z.ZodOptional<z.ZodString>;
+    software_version: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type DcrResponse = z.infer<typeof dcrResponseSchema>;
+export interface RegistrationMapping {
+    /** Fields suitable for ClientInsert (subset of Client). */
+    clientFields: Partial<ClientInsert>;
+    /** Additional metadata preserved on the client for round-trip. */
+    extraMetadata: Record<string, unknown>;
+}
+/**
+ * Map an RFC 7591 DCR request to internal Client fields.
+ */
+export declare function dcrRequestToClient(req: DcrRequest): RegistrationMapping;
+/**
+ * Build the RFC 7591 §3.2.1 response body from a stored Client plus the
+ * issuance artifacts generated at registration time.
+ */
+export declare function clientToDcrResponse(client: Client, opts: {
+    client_secret?: string;
+    registration_access_token?: string;
+    registration_client_uri: string;
+    include_client_secret: boolean;
+}): DcrResponse;

package/dist/types/helpers/dcr/mint-iat.d.ts

@@ -0,0 +1,14 @@
+import type { ClientRegistrationToken, ClientRegistrationTokensAdapter } from "@authhero/adapter-interfaces";
+export interface MintIatOptions {
+    sub?: string;
+    constraints?: Record<string, unknown>;
+    expires_in_seconds?: number;
+    single_use?: boolean;
+}
+export interface MintedIat {
+    id: string;
+    token: string;
+    expires_at: string;
+    record: ClientRegistrationToken;
+}
+export declare function mintIat(adapter: ClientRegistrationTokensAdapter, tenant_id: string, opts?: MintIatOptions): Promise<MintedIat>;

package/dist/types/helpers/dcr/mint-token.d.ts

@@ -0,0 +1,7 @@
+export interface GeneratedRegistrationToken {
+    id: string;
+    token: string;
+    token_hash: string;
+}
+export declare function hashRegistrationToken(token: string): Promise<string>;
+export declare function mintRegistrationToken(): Promise<GeneratedRegistrationToken>;

package/dist/types/helpers/dcr/validate-connect-origin.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Validates an origin (scheme + host + port) supplied to `/connect/start`.
+ *
+ * HTTPS origins are always permitted. HTTP origins are permitted only when
+ * the host is loopback (RFC 8252 §7.3) or the exact origin appears in the
+ * tenant's `allow_http_return_to` allowlist.
+ */
+export type ValidConnectOrigin = {
+    ok: true;
+    origin: string;
+    isLoopback: boolean;
+    isAllowlisted: boolean;
+    isHttp: boolean;
+};
+export type InvalidConnectOrigin = {
+    ok: false;
+    reason: string;
+};
+export type ConnectOriginResult = ValidConnectOrigin | InvalidConnectOrigin;
+export declare function validateConnectOrigin(raw: string, allowHttp?: readonly string[]): ConnectOriginResult;

package/dist/types/helpers/dcr/verify-token.d.ts

@@ -0,0 +1,8 @@
+import type { ClientRegistrationToken, ClientRegistrationTokensAdapter } from "@authhero/adapter-interfaces";
+export type VerifyFailure = "not_found" | "wrong_type" | "expired" | "revoked" | "already_used";
+export interface VerifyResult {
+    ok: boolean;
+    token?: ClientRegistrationToken;
+    failure?: VerifyFailure;
+}
+export declare function verifyRegistrationToken(adapter: ClientRegistrationTokensAdapter, tenant_id: string, plaintextToken: string, expectedType: "iat" | "rat"): Promise<VerifyResult>;

package/dist/types/helpers/default-destinations.d.ts

@@ -0,0 +1,55 @@
+import { DataAdapters } from "@authhero/adapter-interfaces";
+import { EventDestination } from "./outbox-relay";
+import { type GetServiceToken } from "./outbox-destinations/webhooks";
+import type { WebhookInvoker } from "../types/AuthHeroConfig";
+export interface CreateDefaultDestinationsConfig {
+    /**
+     * Data adapter — only the `logs`, `hooks`, `users`, and `logStreams`
+     * adapters are used by the built-in destinations.
+     */
+    dataAdapter: Pick<DataAdapters, "logs" | "hooks" | "users" | "logStreams">;
+    /**
+     * Produces a Bearer access token for the given tenant, used when POSTing
+     * `hook.*` events to the configured webhook URLs.
+     *
+     * Required if you want `hook.*` events to be drained. Omit for cron
+     * drains that only need to sweep up log events.
+     */
+    getServiceToken?: GetServiceToken;
+    /** Webhook HTTP request timeout in ms (default: 10_000). */
+    webhookTimeoutMs?: number;
+    /**
+     * Custom webhook invoker — same shape as the `webhookInvoker` option on
+     * `init()`. When provided, `hook.*` events are dispatched by calling this
+     * function instead of issuing a raw `fetch` with a Bearer token. Use this
+     * to match a consumer-configured invoker exactly, so cron-drained
+     * deliveries don't diverge from inline per-request ones.
+     */
+    webhookInvoker?: WebhookInvoker;
+}
+/**
+ * Build the same array of outbox destinations that authhero's per-request
+ * `outboxMiddleware` constructs internally. Intended for consumers that want
+ * to run `drainOutbox` from a cron / scheduled handler as a safety net for
+ * events that failed per-request delivery.
+ *
+ * Without this helper, consumers would have to instantiate the destination
+ * classes themselves and stay in sync with their ordering and filtering
+ * rules (e.g. `RegistrationFinalizerDestination` must come AFTER
+ * `WebhookDestination`).
+ *
+ * @example
+ * ```ts
+ * // Cloudflare Workers scheduled handler
+ * async scheduled(_event, env) {
+ *   const destinations = createDefaultDestinations({
+ *     dataAdapter,
+ *     getServiceToken: async (tenantId) =>
+ *       (await mintServiceToken(tenantId, "webhook")).access_token,
+ *   });
+ *   await drainOutbox(dataAdapter.outbox, destinations);
+ *   await cleanupOutbox(dataAdapter.outbox, { retentionDays: 7 });
+ * }
+ * ```
+ */
+export declare function createDefaultDestinations(config: CreateDefaultDestinationsConfig): EventDestination[];

package/dist/types/helpers/entity-hooks-wrapper.d.ts

@@ -0,0 +1,43 @@
+import { DataAdapters } from "@authhero/adapter-interfaces";
+import { EntityHooksConfig } from "../types/AuthHeroConfig";
+/**
+ * Options for the entity hooks wrapper
+ */
+export interface EntityHooksWrapperOptions {
+    /** The tenant ID for the hook context */
+    tenantId: string;
+    /** Entity hooks configuration */
+    entityHooks?: EntityHooksConfig;
+}
+/**
+ * Adds entity hooks to data adapters.
+ * This wraps each entity adapter's CRUD methods to call the configured hooks.
+ *
+ * Hooks must be provided as arrays. Multiple hooks are chained together with
+ * proper return value handling for "before" hooks.
+ *
+ * @example Single hook
+ * ```typescript
+ * const wrappedData = addEntityHooks(data, {
+ *   tenantId: ctx.var.tenant_id,
+ *   entityHooks: {
+ *     roles: [{
+ *       afterCreate: async (ctx, role) => {
+ *         await syncToChildTenants(ctx, role);
+ *       },
+ *     }],
+ *   },
+ * });
+ * ```
+ *
+ * @example Chaining multiple hooks
+ * ```typescript
+ * const wrappedData = addEntityHooks(data, {
+ *   tenantId: ctx.var.tenant_id,
+ *   entityHooks: {
+ *     roles: [syncHooks, auditHooks], // Called in order
+ *   },
+ * });
+ * ```
+ */
+export declare function addEntityHooks(data: DataAdapters, options: EntityHooksWrapperOptions): DataAdapters;

package/dist/types/helpers/hook-events.d.ts

@@ -0,0 +1,20 @@
+import { Context } from "hono";
+import { User } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+/**
+ * Enqueue a `hook.{triggerId}` event to the outbox so the `WebhookDestination`
+ * (and future `CodeHookDestination`) can dispatch the hook asynchronously with
+ * retries instead of firing inline while the request is being served.
+ *
+ * Mirrors the synchronous-push pattern used by `logMessage`: the promise from
+ * `outbox.create` is pushed onto `ctx.var.outboxEventPromises` so the outbox
+ * middleware can await it in its finally block and then relay the resulting
+ * event IDs.
+ *
+ * When the outbox is not configured, falls back to inline webhook invocation
+ * (via `waitUntil`) so tenants without outbox still receive webhook calls.
+ */
+export declare function enqueuePostHookEvent(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, tenantId: string, triggerId: string, user: User): void;

package/dist/types/helpers/hook-user-payload.d.ts

@@ -0,0 +1,8 @@
+import { User } from "@authhero/adapter-interfaces";
+export type ExternalUser = Omit<User, "registration_completed_at">;
+/**
+ * Remove fields that are tracked internally for self-healing/bookkeeping
+ * but must never reach customer-facing payloads (webhooks, code hooks,
+ * `onExecutePostLogin` event, outbox `target.after`, etc.).
+ */
+export declare function stripInternalUserFields(user: User): ExternalUser;

package/dist/types/helpers/hrd.d.ts

@@ -0,0 +1,3 @@
+import { type Connection } from "@authhero/adapter-interfaces";
+import { type StrategyHandler } from "../strategies";
+export declare function findHrdConnection(email: string, connections: readonly Connection[], envStrategies?: Record<string, StrategyHandler>): Connection | undefined;

package/dist/types/helpers/logging.d.ts

@@ -0,0 +1,65 @@
+import { Context } from "hono";
+import { DataAdapters, LogType } from "@authhero/adapter-interfaces";
+import { Variables, Bindings } from "../types";
+export type LogParams = {
+    type: LogType;
+    description?: string;
+    userId?: string;
+    /**
+     * Identifier of the actor when it differs from the subject `userId`
+     * (e.g. impersonation). When set, audit events attribute `actor.id` to
+     * this value and `target.id` to `userId`, and the event is categorised as
+     * `admin_action`.
+     */
+    actorUserId?: string;
+    body?: unknown;
+    strategy?: string;
+    strategy_type?: string;
+    connection?: string;
+    audience?: string;
+    scope?: string;
+    /**
+     * Response details to include in the log (for Management API operations)
+     */
+    response?: {
+        statusCode: number;
+        body?: unknown;
+    };
+    /**
+     * When provided, replaces the auto-generated details object entirely.
+     * Use this to store a compact, pre-built details payload (e.g. for webhook logs)
+     * that fits within storage limits (Analytics Engine blob: 1024 bytes).
+     */
+    details?: Record<string, unknown>;
+    /**
+     * If true, wait for the log to complete before returning.
+     * If false (default), execute logging asynchronously in the background.
+     * @default false
+     */
+    waitForCompletion?: boolean;
+    /** Entity state before the mutation (for audit events) */
+    beforeState?: Record<string, unknown>;
+    /** Entity state after the mutation (for audit events) */
+    afterState?: Record<string, unknown>;
+    /** Entity type being mutated (e.g. 'user', 'client', 'connection') */
+    targetType?: string;
+    /** Entity ID being mutated */
+    targetId?: string;
+};
+export declare function logMessage(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, tenantId: string, params: LogParams): Promise<void>;
+/**
+ * Transactional variant of {@link logMessage}. Writes the audit event to the
+ * outbox through the caller-provided `trxData` so the insert commits (or rolls
+ * back) with the surrounding business write. Returns the event id so the
+ * caller can hand it to the outbox middleware for destination delivery.
+ *
+ * Only intended for outbox-enabled deployments; callers should fall back to
+ * `logMessage` when `ctx.env.outbox?.enabled` is false.
+ */
+export declare function logMessageInTx(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, trxData: DataAdapters, tenantId: string, params: LogParams): Promise<string | undefined>;

package/dist/types/helpers/outbox-cleanup.d.ts

@@ -0,0 +1,10 @@
+import { OutboxAdapter } from "@authhero/adapter-interfaces";
+export interface OutboxCleanupParams {
+    /** Days to keep processed (and dead-lettered) events. Defaults to 7. */
+    retentionDays?: number;
+}
+/**
+ * Delete processed outbox events older than the retention window.
+ * Intended for use in a scheduled handler / cron job.
+ */
+export declare function cleanupOutbox(outbox: OutboxAdapter, params?: OutboxCleanupParams): Promise<number>;

package/dist/types/helpers/outbox-destinations/index.d.ts

@@ -0,0 +1,2 @@
+export { LogsDestination } from "./logs";
+export { LogStreamDestination } from "./log-streams";

package/dist/types/helpers/outbox-destinations/log-streams.d.ts

@@ -0,0 +1,66 @@
+import { AuditEvent, LogStreamsAdapter } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+interface LogStreamData {
+    date: string;
+    type: string;
+    description?: string;
+    tenant_name: string;
+    ip: string;
+    user_agent?: string;
+    user_id?: string;
+    user_name?: string;
+    client_id?: string;
+    connection?: string;
+    strategy?: string;
+    strategy_type?: string;
+    audience?: string;
+    scope?: string;
+    hostname?: string;
+    auth0_client?: unknown;
+    location_info?: unknown;
+    details: {
+        request: {
+            method: string;
+            path: string;
+            qs?: Record<string, string>;
+            body?: unknown;
+        };
+        response?: {
+            statusCode: number;
+            body?: unknown;
+        };
+    };
+}
+interface LogStreamPayload {
+    log_id: string;
+    description?: string;
+    data: LogStreamData;
+}
+interface StreamDelivery {
+    tenantId: string;
+    logType: string;
+    payload: LogStreamPayload;
+}
+/**
+ * Delivers audit events to tenant-configured HTTP log streams. Mirrors
+ * Auth0's log_stream wire shape so Loki / Logstash / Datadog sinks
+ * configured for an Auth0 tenant can be pointed at authhero unchanged.
+ *
+ * One delivery per (event, stream) — does not batch events into a single
+ * POST because the outbox relay invokes `deliver` per-event. JSONARRAY is
+ * therefore a single-element array; consumers expecting batched arrays
+ * should still parse correctly.
+ */
+export declare class LogStreamDestination implements EventDestination {
+    name: string;
+    private logStreams;
+    private timeoutMs;
+    constructor(logStreams: LogStreamsAdapter, options?: {
+        timeoutMs?: number;
+    });
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): StreamDelivery;
+    deliver(events: StreamDelivery[]): Promise<void>;
+    private deliverToStream;
+}
+export {};

package/dist/types/helpers/outbox-destinations/logs.d.ts

@@ -0,0 +1,20 @@
+import { AuditEvent, LogInsert, LogsDataAdapter } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+export declare class LogsDestination implements EventDestination {
+    name: string;
+    private logs;
+    constructor(logs: LogsDataAdapter);
+    /**
+     * Only accept log-shaped events. `hook.*` events are dispatch tasks for
+     * webhook / code-hook destinations and are not audit log entries.
+     */
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): {
+        tenantId: string;
+        log: LogInsert;
+    };
+    deliver(events: {
+        tenantId: string;
+        log: LogInsert;
+    }[]): Promise<void>;
+}

package/dist/types/helpers/outbox-destinations/registration-finalizer.d.ts

@@ -0,0 +1,29 @@
+import { AuditEvent, UserDataAdapter } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+interface FinalizationTask {
+    tenantId: string;
+    userId: string;
+    timestamp: string;
+}
+/**
+ * Side-effect destination that flips `user.registration_completed_at` once
+ * the upstream hook destinations (webhooks, code hooks) have all succeeded
+ * for a `hook.post-user-registration` event.
+ *
+ * Must be listed AFTER the destinations that actually deliver the hook so
+ * that a delivery failure aborts the loop before the flag is set — the
+ * relay then retries the entire event, and on a subsequent successful pass
+ * the finalizer sets the flag.
+ *
+ * The flag is read by `postUserLoginHook` to decide whether to re-enqueue
+ * the event on the next login (self-healing recovery).
+ */
+export declare class RegistrationFinalizerDestination implements EventDestination {
+    name: string;
+    private users;
+    constructor(users: UserDataAdapter);
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): FinalizationTask;
+    deliver(tasks: FinalizationTask[]): Promise<void>;
+}
+export {};

package/dist/types/helpers/outbox-destinations/webhooks.d.ts

@@ -0,0 +1,57 @@
+import { AuditEvent, HooksAdapter } from "@authhero/adapter-interfaces";
+import { EventDestination } from "../outbox-relay";
+import type { WebhookInvoker } from "../../types/AuthHeroConfig";
+/**
+ * Mints a Bearer token for a given tenant. `scope` is forwarded so a custom
+ * `webhookInvoker` can request a non-default scope for its outbound call.
+ */
+export type GetServiceToken = (tenantId: string, scope?: string) => Promise<string>;
+interface WebhookInvocation {
+    eventId: string;
+    tenantId: string;
+    triggerId: string;
+    payload: {
+        tenant_id: string;
+        trigger_id: string;
+        user?: unknown;
+        request?: unknown;
+    };
+}
+export interface WebhookDestinationOptions {
+    timeoutMs?: number;
+    /**
+     * Replaces the default HTTP invoker. When set, each matching webhook is
+     * dispatched by calling `webhookInvoker({ hook, data, tenant_id,
+     * createServiceToken })` instead of issuing a raw `fetch` with a Bearer
+     * token. `createServiceToken(scope?)` lazily mints a token bound to the
+     * invocation's tenant, matching the shape passed to the legacy inline
+     * dispatcher in `hooks/webhooks.ts`.
+     */
+    webhookInvoker?: WebhookInvoker;
+}
+/**
+ * Delivers `hook.*` outbox events to HTTP webhooks configured for the matching
+ * trigger_id. Each POST includes `Idempotency-Key: {event.id}` so downstream
+ * webhook handlers can dedupe if the outbox retries.
+ *
+ * The destination is constructed per-request (via `outboxMiddleware`'s
+ * `getDestinations(ctx)` factory) so it can close over a ctx-bound service
+ * token generator. The same class is also used by the cron `runOutboxRelay`
+ * helper — a consumer's `webhookInvoker` configured via `init()` propagates
+ * to both paths so cron-drained deliveries don't diverge from per-request
+ * ones.
+ */
+export declare class WebhookDestination implements EventDestination {
+    name: string;
+    private hooks;
+    private getServiceToken;
+    private timeoutMs;
+    private webhookInvoker?;
+    constructor(hooks: HooksAdapter, getServiceToken: GetServiceToken, options?: WebhookDestinationOptions);
+    accepts(event: AuditEvent): boolean;
+    transform(event: AuditEvent): WebhookInvocation;
+    deliver(events: WebhookInvocation[]): Promise<void>;
+    private invokeCustom;
+    private invokeDefault;
+}
+export {};

package/dist/types/helpers/outbox-relay.d.ts

@@ -0,0 +1,34 @@
+import { OutboxAdapter, AuditEvent } from "@authhero/adapter-interfaces";
+/**
+ * Interface for outbox event destinations.
+ * Each destination transforms audit events into its own format and delivers them.
+ *
+ * Destinations may implement `accepts(event)` to filter which events they
+ * handle (e.g. the logs destination only accepts log-shaped events, while a
+ * webhook destination only accepts `hook.*` events). If `accepts` is absent,
+ * the destination receives every event.
+ */
+export interface EventDestination {
+    name: string;
+    accepts?(event: AuditEvent): boolean;
+    transform(event: AuditEvent): unknown;
+    deliver(events: unknown[]): Promise<void>;
+}
+/**
+ * Process specific outbox events by their IDs.
+ * Used by per-request processing where each request handles only its own events.
+ * Claims events first to prevent concurrent processing by drain workers.
+ */
+export declare function processOutboxEvents(outbox: OutboxAdapter, ids: string[], destinations: EventDestination[], options?: {
+    maxRetries?: number;
+}): Promise<void>;
+/**
+ * Drain unprocessed events from the outbox and deliver to all destinations.
+ * Intended for cron/scheduled use to sweep up events that failed per-request processing.
+ * Uses claim mechanism for safe multi-worker execution.
+ */
+export declare function drainOutbox(outbox: OutboxAdapter, destinations: EventDestination[], options?: {
+    batchSize?: number;
+    maxRetries?: number;
+    retentionDays?: number;
+}): Promise<void>;

package/dist/types/helpers/password-policy.d.ts

@@ -0,0 +1,54 @@
+import { Bindings } from "../types";
+export declare const PASSWORD_ERROR_CODES: {
+    readonly TOO_SHORT: "password_too_short";
+    readonly MISSING_LOWERCASE: "password_missing_lowercase";
+    readonly MISSING_UPPERCASE: "password_missing_uppercase";
+    readonly MISSING_NUMBER: "password_missing_number";
+    readonly MISSING_SPECIAL: "password_missing_special";
+    readonly REUSED: "password_reused";
+    readonly CONTAINS_PERSONAL_INFO: "password_contains_personal_info";
+    readonly CONTAINS_FORBIDDEN_WORD: "password_contains_forbidden_word";
+};
+export interface PasswordValidationError {
+    code: string;
+    message: string;
+    params?: Record<string, string | number>;
+}
+export declare class PasswordPolicyError extends Error {
+    code: string;
+    params?: Record<string, string | number>;
+    constructor(code: string, message: string, params?: Record<string, string | number>);
+}
+export interface PasswordPolicy {
+    passwordPolicy?: string;
+    password_complexity_options?: {
+        min_length?: number;
+    };
+    password_history?: {
+        enable?: boolean;
+        size?: number;
+    };
+    password_no_personal_info?: {
+        enable?: boolean;
+    };
+    password_dictionary?: {
+        enable?: boolean;
+        dictionary?: string[];
+    };
+}
+export interface PasswordValidationOptions {
+    tenantId: string;
+    userId: string;
+    newPassword: string;
+    userData?: any;
+    data: Bindings["data"];
+}
+export declare function validatePasswordPolicy(policy: PasswordPolicy, options: PasswordValidationOptions): Promise<void>;
+export declare function getPasswordPolicy(data: Bindings["data"], tenantId: string, connectionName: string): Promise<PasswordPolicy>;
+/**
+ * Hash a password using bcrypt with a cost factor of 10
+ */
+export declare function hashPassword(password: string): Promise<{
+    hash: string;
+    algorithm: "bcrypt";
+}>;

package/dist/types/helpers/request-object.d.ts

@@ -0,0 +1,40 @@
+import { LoadClientKeysOptions, ClientWithKeys } from "./client-keys";
+/**
+ * Narrow client shape used by the request-object verifier. Allows passing
+ * `EnrichedClient` (which redefines `connections`) without a structural
+ * mismatch against the wider `Client` type.
+ */
+export interface RequestObjectClient extends ClientWithKeys {
+    client_id: string;
+    client_secret?: string | undefined;
+}
+export declare class RequestObjectVerificationError extends Error {
+    code: "invalid_request_object" | "unsupported_alg" | "missing_keys" | "signature_invalid" | "claim_invalid";
+    constructor(code: "invalid_request_object" | "unsupported_alg" | "missing_keys" | "signature_invalid" | "claim_invalid", message: string);
+}
+export interface VerifyRequestObjectOptions extends LoadClientKeysOptions {
+    /**
+     * Issuer URL of this authorization server. The `aud` claim of the request
+     * object MUST match this (as a string or one element of an array). When
+     * unset, the audience check is skipped — only enable for testing.
+     */
+    issuer: string;
+    /** Optional clock-skew leeway in seconds for exp/nbf checks. Defaults to 30. */
+    leewaySeconds?: number;
+    /** Override Date.now() for tests (returns ms since epoch). */
+    now?: () => number;
+}
+/**
+ * Verify an OIDC Request Object (signed JWT, RFC 9101 / OIDC Core 6.1) sent
+ * via the `request=` parameter or fetched from `request_uri=`.
+ *
+ * Returns the parsed JWT claims when the signature is valid, the alg is
+ * supported, and basic temporal/audience checks pass. Throws
+ * RequestObjectVerificationError otherwise.
+ *
+ * `alg: none` (unsigned) request objects are rejected. The current `request=`
+ * pre-check in /authorize used to accept these unconditionally, which let any
+ * caller forge claims; closing that hole is the main motivator for this code
+ * path.
+ */
+export declare function verifyRequestObject(jwt: string, client: RequestObjectClient, opts: VerifyRequestObjectOptions): Promise<Record<string, unknown>>;