authhero 5.8.1 → 5.9.1

package/dist/types/routes/universal-login/info.d.ts

@@ -0,0 +1,20 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const infoRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                    code: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/invalid-session.d.ts

@@ -0,0 +1,19 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const invalidSessionRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/otp-challenge.d.ts

@@ -0,0 +1,54 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export type SendType = "link" | "code";
+export declare function getSendParamFromAuth0ClientHeader(auth0ClientHeader?: string): SendType;
+export declare const enterCodeRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                    style?: "classic" | "shadcn" | undefined;
+                };
+            };
+            output: Response;
+            outputFormat: "json";
+            status: import("hono/utils/http-status").StatusCode;
+        };
+    };
+} & {
+    "/": {
+        $post: {
+            input: {
+                query: {
+                    state: string;
+                    style?: "classic" | "shadcn" | undefined;
+                };
+            } & {
+                form: {
+                    code: string;
+                };
+            };
+            output: Response;
+            outputFormat: "json";
+            status: import("hono/utils/http-status").StatusCode;
+        } | {
+            input: {
+                query: {
+                    state: string;
+                    style?: "classic" | "shadcn" | undefined;
+                };
+            } & {
+                form: {
+                    code: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 302;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/pre-signup-sent.d.ts

@@ -0,0 +1,19 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const preSignupSentRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/pre-signup.d.ts

@@ -0,0 +1,32 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const preSignupRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+} & {
+    "/": {
+        $post: {
+            input: {
+                query: {
+                    state: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/reset-password.d.ts

@@ -0,0 +1,39 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const resetPasswordRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {
+    "/": {
+        $get: {
+            input: {
+                query: {
+                    state: string;
+                    code: string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+} & {
+    "/": {
+        $post: {
+            input: {
+                query: {
+                    state: string;
+                    code: string;
+                };
+            } & {
+                form: {
+                    password: string;
+                    "re-enter-password": string;
+                };
+            };
+            output: {};
+            outputFormat: string;
+            status: 200;
+        };
+    };
+}, "/">;

package/dist/types/routes/universal-login/sanitization-utils.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Sanitization utilities for universal login routes
+ *
+ * These helpers provide XSS protection and input sanitization for
+ * rendering HTML pages with user-controlled or dynamic content.
+ */
+/**
+ * Escape HTML special characters to prevent XSS
+ */
+export declare function escapeHtml(str: string): string;
+/**
+ * Escape a string for use in JavaScript string literals
+ */
+export declare function escapeJs(str: string): string;
+/**
+ * Escape a URL for safe use inside CSS url("...") function.
+ * This prevents CSS injection by escaping characters that could
+ * break out of the url() context.
+ */
+export declare function escapeCssUrl(url: string): string;
+/**
+ * Sanitize URL for use in href/src attributes
+ */
+export declare function sanitizeUrl(url: string | undefined): string;
+/**
+ * Sanitize CSS color value
+ */
+export declare function sanitizeCssColor(color: string | undefined): string;
+/**
+ * Build CSS background from page_background (branding format)
+ */
+export declare function buildPageBackground(pageBackground: string | {
+    type?: string;
+    start?: string;
+    end?: string;
+    angle_deg?: number;
+} | undefined): string;
+/**
+ * Build CSS background from theme's page_background (supports background_image_url)
+ */
+export declare function buildThemePageBackground(themePageBackground: {
+    background_color?: string;
+    background_image_url?: string;
+    page_layout?: string;
+} | undefined, fallbackBrandingBackground: string | {
+    type?: string;
+    start?: string;
+    end?: string;
+    angle_deg?: number;
+} | undefined): string;
+/**
+ * Safely serialize JSON for embedding in <script> tags
+ * Escapes characters that could break out of script context
+ */
+export declare function safeJsonStringify(obj: unknown): string;

package/dist/types/routes/universal-login/screen-api.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Screen API - Unified endpoint for getting screen configurations
+ *
+ * This API serves screen configurations from two sources:
+ * 1. Built-in screens (from the registry in ./screens/registry.ts)
+ * 2. Database-defined forms (fallback)
+ *
+ * Built-in screen IDs: identifier, email-otp-challenge, sms-otp-challenge, enter-password, signup, forgot-password, reset-password
+ * Database forms: Any form stored in the database (typically prefixed with "form_" or custom IDs)
+ *
+ * Routes:
+ * - GET /u2/screen/:screenId?state=... - Get screen configuration
+ * - POST /u2/screen/:screenId?state=... - Submit form data and get next screen
+ */
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../../types";
+export declare const screenApiRoutes: OpenAPIHono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, {}, "/">;

package/dist/types/routes/universal-login/screens/accept-invitation.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Accept-invitation screen — final step of an organization invitation.
+ *
+ * The route handler bootstraps a login session before this renders, so the
+ * screen always has a state. The session's state_data carries the invite id
+ * and organization id (set by the bootstrap route). On submit we create the
+ * user, mark email_verified (the invite itself is proof of email ownership),
+ * add them to the organization with the invite's roles, delete the invite,
+ * then sign in with the new password.
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+export declare function acceptInvitationScreen(context: ScreenContext): Promise<ScreenResult>;
+export declare const acceptInvitationScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-delete.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Account Delete screen - confirm and delete account
+ *
+ * Corresponds to: /u2/account/delete
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the account-delete screen
+ */
+export declare function accountDeleteScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the account-delete screen
+ */
+export declare const accountDeleteScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-helpers.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared helpers for account management screens
+ */
+import type { User, Session } from "@authhero/adapter-interfaces";
+import type { ScreenContext } from "./types";
+/**
+ * Resolve the authenticated user from the session cookie.
+ * Used by all account screens that need the current user.
+ */
+export declare function resolveAccountUser(context: ScreenContext): Promise<{
+    user: User;
+    session: Session;
+}>;

package/dist/types/routes/universal-login/screens/account-linked.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Account Linked screen - manage linked identities
+ *
+ * Corresponds to: /u2/account/linked
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the account-linked screen
+ */
+export declare function accountLinkedScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the account-linked screen
+ */
+export declare const accountLinkedScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-mfa-phone-enrollment.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Account MFA Phone Enrollment screen - enroll SMS MFA from account settings
+ *
+ * Corresponds to: /u2/account/security/phone-enrollment
+ */
+import type { ScreenDefinition } from "./types";
+/**
+ * Screen definition for account MFA phone enrollment
+ */
+export declare const accountMfaPhoneEnrollmentScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-mfa-totp-enrollment.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Account MFA TOTP Enrollment screen - enroll authenticator app from account settings
+ *
+ * Corresponds to: /u2/account/security/totp-enrollment
+ */
+import type { ScreenDefinition } from "./types";
+/**
+ * Screen definition for account MFA TOTP enrollment
+ */
+export declare const accountMfaTotpEnrollmentScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-passkeys.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Account Passkeys screen - manage passkey credentials
+ *
+ * Corresponds to: /u2/account/passkeys
+ */
+import type { ScreenDefinition } from "./types";
+/**
+ * Screen definition for the account-passkeys screen
+ */
+export declare const accountPasskeysScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-profile.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Account Profile screen - edit personal information
+ *
+ * Corresponds to: /u2/account/profile
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the account-profile screen
+ */
+export declare function accountProfileScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the account-profile screen
+ */
+export declare const accountProfileScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account-security.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Account Security screen - manage MFA enrollments
+ *
+ * Corresponds to: /u2/account/security
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the account-security screen
+ */
+export declare function accountSecurityScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the account-security screen
+ */
+export declare const accountSecurityScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/account.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Account screen - main hub for account management
+ *
+ * Corresponds to: /u2/account
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the account hub screen
+ */
+export declare function accountScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the account hub screen
+ */
+export declare const accountScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/connect-consent.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Connect Consent screen — AuthHero-specific consent flow that mints
+ * an Initial Access Token (RFC 7591 §3) bound to the consenting user.
+ *
+ * Corresponds to: /u2/connect/start
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+export declare function connectConsentScreen(context: ScreenContext): Promise<ScreenResult>;
+export declare const connectConsentScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/connect-tenant-select.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Connect Tenant Select screen — control-plane-only step in the consent flow.
+ *
+ * When `/connect/start` is hit on the multi-tenancy control plane, the user
+ * picks which child tenant the IAT should be minted on. Each child tenant is
+ * represented by an organization on the control plane whose `name` matches
+ * the child tenant id (see @authhero/multi-tenancy provisioning hooks).
+ *
+ * Corresponds to: /u2/connect/select-tenant
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+export declare function connectTenantSelectScreen(context: ScreenContext): Promise<ScreenResult>;
+export declare const connectTenantSelectScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/email-otp-challenge.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Email OTP Challenge screen - for email OTP verification
+ *
+ * Corresponds to: /u/login/email-otp-challenge
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the email-otp-challenge screen
+ */
+export declare function emailOtpChallengeScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the email-otp-challenge screen
+ */
+export declare const emailOtpChallengeScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/enter-password.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Enter Password screen - for password authentication
+ *
+ * Corresponds to: /u/enter-password
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the enter-password screen
+ */
+export declare function enterPasswordScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the enter-password screen
+ */
+export declare const enterPasswordScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/forgot-password.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Forgot Password screen - initiate password reset
+ *
+ * Corresponds to: /u2/reset-password/request
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the forgot-password screen
+ */
+export declare function forgotPasswordScreen(context: ScreenContext): Promise<ScreenResult>;
+export declare const forgotPasswordScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/identifier.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Identifier screen - the first screen in the login flow
+ *
+ * Corresponds to: /u/login/identifier
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the identifier screen
+ */
+export declare function identifierScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the identifier screen
+ */
+export declare const identifierScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/impersonate.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Impersonate screen - allows users with impersonation permission to
+ * continue as themselves or switch to another user
+ *
+ * Corresponds to: /u2/impersonate
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the impersonate screen
+ */
+export declare function impersonateScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the impersonate screen
+ */
+export declare const impersonateScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/index.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Built-in screens for Universal Login
+ *
+ * These screens are defined in code and match the existing universal login routes.
+ * They can be rendered by the widget component either client-side or server-side (SSR).
+ *
+ * Screen IDs match the existing route paths:
+ * - identifier: /u/login/identifier
+ * - email-otp-challenge: /u/login/email-otp-challenge
+ * - sms-otp-challenge: /u/login/sms-otp-challenge
+ * - enter-password: /u/enter-password
+ * - signup: /u/signup
+ * - forgot-password: /u/forgot-password
+ * - reset-password: /u/reset-password
+ * - impersonate: /u/impersonate
+ * - pre-signup: /u/pre-signup
+ * - pre-signup-sent: /u/pre-signup-sent
+ */
+export { identifierScreen } from "./identifier";
+export { emailOtpChallengeScreen } from "./email-otp-challenge";
+export { smsOtpChallengeScreen } from "./sms-otp-challenge";
+export { enterPasswordScreen } from "./enter-password";
+export { signupScreen } from "./signup";
+export { forgotPasswordScreen } from "./forgot-password";
+export { resetPasswordScreen } from "./reset-password";
+export { impersonateScreen } from "./impersonate";
+export type { ScreenContext, ScreenFactory, ScreenResult } from "./types";
+export { getScreen, screenRegistry } from "./registry";
+export { createTranslation, type TranslationMap, type ScreenMap, type Locale, } from "../../../i18n";

package/dist/types/routes/universal-login/screens/login-passwordless-identifier.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Login Passwordless Identifier screen
+ *
+ * Collects email or phone number for passwordless (code-based) login.
+ * Shown when the user clicks "Sign in with a code" from the password-first login screen.
+ *
+ * Corresponds to: /u2/login/login-passwordless-identifier
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the login passwordless identifier screen
+ */
+export declare function loginPasswordlessIdentifierScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the login passwordless identifier screen
+ */
+export declare const loginPasswordlessIdentifierScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/login.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Login screen - combined identifier + password screen (Identifier + Password flow)
+ *
+ * This screen shows email/username input, password input, and social login buttons
+ * all on a single page. Used when identifier_first is set to false.
+ *
+ * Corresponds to: /u2/login
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the login screen (combined identifier + password)
+ */
+export declare function loginScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the login screen
+ */
+export declare const loginScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/magic-link-sent.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Magic Link Sent screen
+ *
+ * Shown after a magic link has been sent to the user's email.
+ * Tells the user to check their email and click the link to log in.
+ */
+import type { ScreenContext, ScreenResult } from "./types";
+/**
+ * Create the magic-link-sent screen
+ */
+export declare function magicLinkSentScreen(context: ScreenContext): Promise<ScreenResult>;

package/dist/types/routes/universal-login/screens/mfa-login-options.d.ts

@@ -0,0 +1,21 @@
+/**
+ * MFA Login Options screen - factor selection when multiple MFA methods are available
+ *
+ * Corresponds to: /u2/mfa/login-options
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+interface MfaOption {
+    id: string;
+    type: "totp" | "phone" | "passkey";
+    label: string;
+    description: string;
+}
+/**
+ * Create the mfa-login-options screen
+ */
+export declare function mfaLoginOptionsScreen(context: ScreenContext, options: MfaOption[]): Promise<ScreenResult>;
+/**
+ * Screen definition for the mfa-login-options screen
+ */
+export declare const mfaLoginOptionsScreenDefinition: ScreenDefinition;
+export {};

package/dist/types/routes/universal-login/screens/mfa-phone-challenge.d.ts

@@ -0,0 +1,14 @@
+/**
+ * MFA Phone Challenge screen - for verifying SMS MFA code
+ *
+ * Corresponds to: /u2/mfa/phone-challenge
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the mfa-phone-challenge screen
+ */
+export declare function mfaPhoneChallengeScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the mfa-phone-challenge screen
+ */
+export declare const mfaPhoneChallengeScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/mfa-phone-enrollment.d.ts

@@ -0,0 +1,14 @@
+/**
+ * MFA Phone Enrollment screen - for setting up SMS MFA
+ *
+ * Corresponds to: /u2/mfa/phone-enrollment
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the mfa-phone-enrollment screen
+ */
+export declare function mfaPhoneEnrollmentScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the mfa-phone-enrollment screen
+ */
+export declare const mfaPhoneEnrollmentScreenDefinition: ScreenDefinition;

package/dist/types/routes/universal-login/screens/mfa-totp-challenge.d.ts

@@ -0,0 +1,14 @@
+/**
+ * MFA TOTP Challenge screen - for verifying authenticator app MFA code
+ *
+ * Corresponds to: /u2/mfa/totp-challenge
+ */
+import type { ScreenContext, ScreenResult, ScreenDefinition } from "./types";
+/**
+ * Create the mfa-totp-challenge screen
+ */
+export declare function mfaTotpChallengeScreen(context: ScreenContext): Promise<ScreenResult>;
+/**
+ * Screen definition for the mfa-totp-challenge screen
+ */
+export declare const mfaTotpChallengeScreenDefinition: ScreenDefinition;