authhero 5.8.1 → 5.9.0

package/dist/types/locales/index.d.ts

@@ -0,0 +1,9 @@
+import en from "./en/default.json";
+import it from "./it/default.json";
+import nb from "./nb/default.json";
+import sv from "./sv/default.json";
+import pl from "./pl/default.json";
+import cs from "./cs/default.json";
+import fi from "./fi/default.json";
+import da from "./da/default.json";
+export { en, it, nb, sv, pl, cs, fi, da };

package/dist/types/middlewares/apply-config.d.ts

@@ -0,0 +1,14 @@
+import { MiddlewareHandler } from "hono";
+import { AuthHeroConfig, Bindings, Variables } from "../types";
+/**
+ * Merges values from the user-supplied `AuthHeroConfig` into `ctx.env`. Must
+ * run before any code that reads `ctx.env.hooks`, `ctx.env.samlSigner`, etc.
+ *
+ * Applied both in the outer `init()` app and in each sub-app's middleware
+ * chain so that serving a sub-app (oauthApp, managementApp, ...) directly —
+ * without routing through the outer app — still sees the config.
+ */
+export declare function applyConfigMiddleware(config: AuthHeroConfig): MiddlewareHandler<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;

package/dist/types/middlewares/authentication.d.ts

@@ -0,0 +1,26 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Context, Next } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * Management API audience for cross-tenant operations.
+ * Used when managing tenants from the main tenant with org-scoped tokens.
+ */
+export declare const MANAGEMENT_API_AUDIENCE = "urn:authhero:management";
+/**
+ * This registeres the authentication middleware. As it needs to read the OpenAPI definition, it needs to have a reference to the app.
+ *
+ * `requireManagementAudience` enables the defense-in-depth check that the
+ * token's `aud` includes the management API audience. It must be enabled
+ * for the management API and left off for everything else (the `/userinfo`
+ * endpoint, for example, takes any access token issued by this tenant).
+ */
+export interface AuthMiddlewareOptions {
+    requireManagementAudience?: boolean;
+}
+export declare function createAuthMiddleware(app: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, options?: AuthMiddlewareOptions): (ctx: Context<{
+    Bindings: Bindings;
+    Variables: any;
+}>, next: Next) => Promise<void>;

package/dist/types/middlewares/client-info.d.ts

@@ -0,0 +1,8 @@
+import { MiddlewareHandler } from "hono";
+import { Variables } from "../types/Variables";
+/**
+ * Middleware that extracts client information from the request and stores it in context variables
+ */
+export declare const clientInfoMiddleware: MiddlewareHandler<{
+    Variables: Variables;
+}>;

package/dist/types/middlewares/index.d.ts

@@ -0,0 +1,6 @@
+export { applyConfigMiddleware } from "./apply-config";
+export { createAuthMiddleware } from "./authentication";
+export { clientInfoMiddleware } from "./client-info";
+export { outboxMiddleware } from "./outbox";
+export { registerComponent } from "./register-component";
+export { tenantMiddleware } from "./tenant";

package/dist/types/middlewares/outbox.d.ts

@@ -0,0 +1,24 @@
+import { Context, MiddlewareHandler } from "hono";
+import { OutboxAdapter } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+import { EventDestination } from "../helpers/outbox-relay";
+type Ctx = Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+export interface OutboxMiddlewareOptions {
+    /**
+     * Resolve the OutboxAdapter for this request.
+     * Return undefined to skip outbox processing.
+     */
+    getOutbox: (ctx: Ctx) => OutboxAdapter | undefined;
+    /**
+     * Build the list of destinations for delivering outbox events.
+     */
+    getDestinations: (ctx: Ctx) => EventDestination[];
+}
+export declare function outboxMiddleware(options: OutboxMiddlewareOptions): MiddlewareHandler<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+export {};

package/dist/types/middlewares/register-component.d.ts

@@ -0,0 +1,10 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../types";
+/**
+ * This registers the security scheme for the application. As it uses an environment variable, it can only be registered once the first request arrives.
+ * @param app
+ */
+export declare function registerComponent(app: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>): void;

package/dist/types/middlewares/tenant.d.ts

@@ -0,0 +1,12 @@
+import { Context, Next } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * Sets the tenant id in the context based on the url and headers
+ * @param ctx
+ * @param next
+ * @returns
+ */
+export declare function tenantMiddleware(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, next: Next): Promise<void>;

package/dist/types/migration-providers/auth0.d.ts

@@ -0,0 +1,3 @@
+import { MigrationSource } from "@authhero/adapter-interfaces";
+import { MigrationProvider } from "./types";
+export declare function createAuth0Provider(source: MigrationSource): MigrationProvider;

package/dist/types/migration-providers/index.d.ts

@@ -0,0 +1,5 @@
+import { MigrationSource } from "@authhero/adapter-interfaces";
+import { MigrationProvider } from "./types";
+export { Auth0UpstreamError } from "../utils/auth0-upstream";
+export type { MigrationProvider, UpstreamTokenResponse, UpstreamUserInfo, } from "./types";
+export declare function createMigrationProvider(source: MigrationSource): MigrationProvider;

package/dist/types/migration-providers/types.d.ts

@@ -0,0 +1,32 @@
+import { MigrationSource } from "@authhero/adapter-interfaces";
+export interface UpstreamTokenResponse {
+    access_token: string;
+    id_token?: string;
+    expires_in?: number;
+    scope?: string;
+}
+export interface UpstreamUserInfo {
+    sub: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    nickname?: string;
+    picture?: string;
+    locale?: string;
+    [key: string]: unknown;
+}
+export interface MigrationProvider {
+    /**
+     * Redeem an upstream refresh token at the IdP and return its access token
+     * (and optionally id_token). Throws if the upstream rejects the token.
+     */
+    exchangeRefreshToken(refreshToken: string): Promise<UpstreamTokenResponse>;
+    /**
+     * Fetch profile info using the upstream access token. Returns at minimum the
+     * upstream `sub` so we can resolve or lazily create the local user.
+     */
+    fetchUserInfo(accessToken: string): Promise<UpstreamUserInfo>;
+}
+export type MigrationProviderFactory = (source: MigrationSource) => MigrationProvider;

package/dist/types/routes/auth-api/account.d.ts

@@ -0,0 +1,36 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const accountRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    client_id: string;
+                    redirect_url?: string | undefined;
+                    login_hint?: string | undefined;
+                    screen_hint?: "change-email" | "account" | "change-phone" | "change-password" | undefined;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 302;
+        } | {
+            input: {
+                query: {
+                    client_id: string;
+                    redirect_url?: string | undefined;
+                    login_hint?: string | undefined;
+                    screen_hint?: "change-email" | "account" | "change-phone" | "change-password" | undefined;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 400;
+        };
+    };
+}, "/">;

package/dist/types/routes/auth-api/authenticate.d.ts

@@ -0,0 +1,31 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const authenticateRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $post: {
+            input: {
+                json: {
+                    credential_type: "http://auth0.com/oauth/grant-type/passwordless/otp";
+                    otp: string;
+                    client_id: string;
+                    username: string;
+                    realm: "email";
+                    scope?: string | undefined;
+                } | {
+                    credential_type: "http://auth0.com/oauth/grant-type/password-realm";
+                    client_id: string;
+                    username: string;
+                    password: string;
+                    realm: "Username-Password-Authentication";
+                    scope?: string | undefined;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/auth-api/authorize.d.ts

@@ -0,0 +1,239 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { AuthorizationResponseMode, CodeChallengeMethod } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../../types";
+export declare const authorizeRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    [x: string]: unknown;
+                    client_id: string;
+                    vendor_id?: string | undefined;
+                    redirect_uri?: string | undefined;
+                    scope?: string | undefined;
+                    state?: string | undefined;
+                    prompt?: string | undefined;
+                    response_mode?: AuthorizationResponseMode | undefined;
+                    response_type?: unknown;
+                    audience?: string | undefined;
+                    connection?: string | undefined;
+                    nonce?: string | undefined;
+                    max_age?: string | undefined;
+                    acr_values?: string | undefined;
+                    login_ticket?: string | undefined;
+                    code_challenge_method?: CodeChallengeMethod | undefined;
+                    code_challenge?: string | undefined;
+                    realm?: string | undefined;
+                    auth0Client?: string | undefined;
+                    organization?: string | undefined;
+                    login_hint?: string | undefined;
+                    ui_locales?: string | undefined;
+                    claims?: string | Record<string, any> | undefined;
+                    screen_hint?: string | undefined;
+                    request?: string | undefined;
+                    request_uri?: string | undefined;
+                };
+            };
+            output: Response;
+            outputFormat: "json";
+            status: import("hono/utils/http-status").StatusCode;
+        } | {
+            input: {
+                query: {
+                    [x: string]: unknown;
+                    client_id: string;
+                    vendor_id?: string | undefined;
+                    redirect_uri?: string | undefined;
+                    scope?: string | undefined;
+                    state?: string | undefined;
+                    prompt?: string | undefined;
+                    response_mode?: AuthorizationResponseMode | undefined;
+                    response_type?: unknown;
+                    audience?: string | undefined;
+                    connection?: string | undefined;
+                    nonce?: string | undefined;
+                    max_age?: string | undefined;
+                    acr_values?: string | undefined;
+                    login_ticket?: string | undefined;
+                    code_challenge_method?: CodeChallengeMethod | undefined;
+                    code_challenge?: string | undefined;
+                    realm?: string | undefined;
+                    auth0Client?: string | undefined;
+                    organization?: string | undefined;
+                    login_hint?: string | undefined;
+                    ui_locales?: string | undefined;
+                    claims?: string | Record<string, any> | undefined;
+                    screen_hint?: string | undefined;
+                    request?: string | undefined;
+                    request_uri?: string | undefined;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 302;
+        } | {
+            input: {
+                query: {
+                    [x: string]: unknown;
+                    client_id: string;
+                    vendor_id?: string | undefined;
+                    redirect_uri?: string | undefined;
+                    scope?: string | undefined;
+                    state?: string | undefined;
+                    prompt?: string | undefined;
+                    response_mode?: AuthorizationResponseMode | undefined;
+                    response_type?: unknown;
+                    audience?: string | undefined;
+                    connection?: string | undefined;
+                    nonce?: string | undefined;
+                    max_age?: string | undefined;
+                    acr_values?: string | undefined;
+                    login_ticket?: string | undefined;
+                    code_challenge_method?: CodeChallengeMethod | undefined;
+                    code_challenge?: string | undefined;
+                    realm?: string | undefined;
+                    auth0Client?: string | undefined;
+                    organization?: string | undefined;
+                    login_hint?: string | undefined;
+                    ui_locales?: string | undefined;
+                    claims?: string | Record<string, any> | undefined;
+                    screen_hint?: string | undefined;
+                    request?: string | undefined;
+                    request_uri?: string | undefined;
+                };
+            };
+            output: string | {
+                access_token: string;
+                token_type: string;
+                expires_in: number;
+                id_token?: string | undefined;
+                scope?: string | undefined;
+                state?: string | undefined;
+                refresh_token?: string | undefined;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                query: {
+                    [x: string]: unknown;
+                    client_id: string;
+                    vendor_id?: string | undefined;
+                    redirect_uri?: string | undefined;
+                    scope?: string | undefined;
+                    state?: string | undefined;
+                    prompt?: string | undefined;
+                    response_mode?: AuthorizationResponseMode | undefined;
+                    response_type?: unknown;
+                    audience?: string | undefined;
+                    connection?: string | undefined;
+                    nonce?: string | undefined;
+                    max_age?: string | undefined;
+                    acr_values?: string | undefined;
+                    login_ticket?: string | undefined;
+                    code_challenge_method?: CodeChallengeMethod | undefined;
+                    code_challenge?: string | undefined;
+                    realm?: string | undefined;
+                    auth0Client?: string | undefined;
+                    organization?: string | undefined;
+                    login_hint?: string | undefined;
+                    ui_locales?: string | undefined;
+                    claims?: string | Record<string, any> | undefined;
+                    screen_hint?: string | undefined;
+                    request?: string | undefined;
+                    request_uri?: string | undefined;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                query: {
+                    [x: string]: unknown;
+                    client_id: string;
+                    vendor_id?: string | undefined;
+                    redirect_uri?: string | undefined;
+                    scope?: string | undefined;
+                    state?: string | undefined;
+                    prompt?: string | undefined;
+                    response_mode?: AuthorizationResponseMode | undefined;
+                    response_type?: unknown;
+                    audience?: string | undefined;
+                    connection?: string | undefined;
+                    nonce?: string | undefined;
+                    max_age?: string | undefined;
+                    acr_values?: string | undefined;
+                    login_ticket?: string | undefined;
+                    code_challenge_method?: CodeChallengeMethod | undefined;
+                    code_challenge?: string | undefined;
+                    realm?: string | undefined;
+                    auth0Client?: string | undefined;
+                    organization?: string | undefined;
+                    login_hint?: string | undefined;
+                    ui_locales?: string | undefined;
+                    claims?: string | Record<string, any> | undefined;
+                    screen_hint?: string | undefined;
+                    request?: string | undefined;
+                    request_uri?: string | undefined;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 403;
+        };
+    };
+} & {
+    "/resume": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 302;
+        } | {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 403;
+        } | {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 409;
+        };
+    };
+}, "/">;