authhero 5.8.1 → 5.9.1

package/dist/types/types/Hooks.d.ts

@@ -0,0 +1,240 @@
+import { AuthorizationResponseMode, AuthorizationResponseType, DataAdapters, RolePermissionInsert, User } from "@authhero/adapter-interfaces";
+import { EnrichedClient } from "../helpers/client";
+import { Context } from "hono";
+import { Bindings } from "./Bindings";
+import { Variables } from "./Variables";
+/** Context passed to entity hooks */
+export interface EntityHookContext {
+    tenantId: string;
+    adapters: DataAdapters;
+}
+/** CRUD hooks for entity operations */
+export interface EntityHooks<TEntity, TInsert, TUpdate = Partial<TInsert>> {
+    beforeCreate?: (ctx: EntityHookContext, data: TInsert) => Promise<TInsert>;
+    afterCreate?: (ctx: EntityHookContext, entity: TEntity) => Promise<void>;
+    beforeUpdate?: (ctx: EntityHookContext, id: string, data: TUpdate) => Promise<TUpdate>;
+    afterUpdate?: (ctx: EntityHookContext, id: string, entity: TEntity) => Promise<void>;
+    beforeDelete?: (ctx: EntityHookContext, id: string) => Promise<void>;
+    afterDelete?: (ctx: EntityHookContext, id: string) => Promise<void>;
+}
+/** Hooks for role permission assign/remove operations */
+export interface RolePermissionHooks {
+    beforeAssign?: (ctx: EntityHookContext, roleId: string, permissions: RolePermissionInsert[]) => Promise<RolePermissionInsert[]>;
+    afterAssign?: (ctx: EntityHookContext, roleId: string, permissions: RolePermissionInsert[]) => Promise<void>;
+    beforeRemove?: (ctx: EntityHookContext, roleId: string, permissions: Pick<RolePermissionInsert, "resource_server_identifier" | "permission_name">[]) => Promise<Pick<RolePermissionInsert, "resource_server_identifier" | "permission_name">[]>;
+    afterRemove?: (ctx: EntityHookContext, roleId: string, permissions: Pick<RolePermissionInsert, "resource_server_identifier" | "permission_name">[]) => Promise<void>;
+}
+export type Transaction = {
+    id?: string;
+    locale: string;
+    login_hint?: string;
+    prompt?: string;
+    redirect_uri?: string;
+    requested_scopes?: string[];
+    response_mode?: AuthorizationResponseMode;
+    response_type?: AuthorizationResponseType;
+    state?: string;
+    ui_locales?: string;
+};
+export type HookRequest = {
+    asn?: string;
+    body?: Record<string, unknown>;
+    geoip?: {
+        cityName?: string;
+        continentCode?: string;
+        countryCode?: string;
+        latitude?: number;
+        longitude?: number;
+        subdivisionCode?: string;
+        subdivisionName?: string;
+        timeZone?: string;
+    };
+    hostname?: string;
+    ip: string;
+    language?: string;
+    method: string;
+    user_agent?: string;
+    url: string;
+};
+export type HookEvent = {
+    ctx: Context<{
+        Bindings: Bindings;
+        Variables: Variables;
+    }>;
+    client?: EnrichedClient;
+    request: HookRequest;
+    transaction?: Transaction;
+    user?: User;
+    scope?: string;
+    grant_type?: string;
+    audience?: string;
+    authentication?: {
+        methods: Array<{
+            name: string;
+            timestamp?: string;
+        }>;
+    };
+    authorization?: {
+        roles: string[];
+    };
+    connection?: {
+        id: string;
+        name: string;
+        strategy: string;
+        metadata?: Record<string, unknown>;
+    };
+    organization?: {
+        id: string;
+        name: string;
+        display_name: string;
+        metadata?: Record<string, unknown>;
+    };
+    resource_server?: {
+        identifier: string;
+    };
+    stats?: {
+        logins_count: number;
+    };
+    tenant?: {
+        id: string;
+    };
+    session?: {
+        id?: string;
+        created_at?: string;
+        authenticated_at?: string;
+        clients?: Array<{
+            client_id: string;
+        }>;
+        device?: {
+            initial_ip?: string;
+            initial_user_agent?: string;
+            last_ip?: string;
+            last_user_agent?: string;
+        };
+    };
+    security_context?: {
+        ja3?: string;
+        ja4?: string;
+    };
+};
+export type TokenAPI = {
+    createServiceToken: (params: {
+        scope: string;
+        expiresInSeconds?: number;
+        customClaims?: Record<string, unknown>;
+    }) => Promise<string>;
+};
+export type OnExecuteCredentialsExchangeAPI = {
+    accessToken: {
+        setCustomClaim: (claim: string, value: any) => void;
+    };
+    idToken: {
+        setCustomClaim: (claim: string, value: any) => void;
+    };
+    access: {
+        deny: (code: string, reason?: string) => void;
+    };
+    token: TokenAPI;
+};
+export type OnExecuteCredentialsExchange = (event: HookEvent, access: OnExecuteCredentialsExchangeAPI) => Promise<void>;
+export type OnExecutePreUserRegistrationAPI = {
+    user: {
+        setUserMetadata: (key: string, value: any) => void;
+        setLinkedTo: (primaryUserId: string) => void;
+    };
+    access: {
+        deny: (code: string, reason?: string) => void;
+    };
+    token: TokenAPI;
+};
+export type OnExecutePostUserRegistrationAPI = {
+    user: {};
+    token: TokenAPI;
+};
+export type OnExecutePreUserRegistration = (event: HookEvent, api: OnExecutePreUserRegistrationAPI) => Promise<void>;
+export type OnExecutePostUserRegistration = (event: HookEvent, api: OnExecutePostUserRegistrationAPI) => Promise<void>;
+export type OnExecutePreUserUpdateAPI = {
+    user: {
+        setUserMetadata: (key: string, value: any) => void;
+    };
+    cancel: () => void;
+    token: TokenAPI;
+};
+export type OnExecutePreUserUpdate = (event: HookEvent & {
+    user_id: string;
+    updates: Partial<User>;
+}, api: OnExecutePreUserUpdateAPI) => Promise<void>;
+export type OnExecutePostLoginAPI = {
+    prompt: {
+        render: (formId: string) => void;
+    };
+    redirect: {
+        sendUserTo: (url: string, options?: {
+            query?: Record<string, string>;
+        }) => void;
+        encodeToken: (options: {
+            secret: string;
+            payload: Record<string, any>;
+            expiresInSeconds?: number;
+        }) => string;
+        validateToken: (options: {
+            secret: string;
+            tokenParameterName?: string;
+        }) => Record<string, any> | null;
+    };
+    token: TokenAPI;
+};
+export type OnExecutePostLogin = (event: HookEvent, api: OnExecutePostLoginAPI) => Promise<void>;
+export type OnExecutePreUserDeletionAPI = {
+    cancel: () => void;
+    token: TokenAPI;
+};
+export type OnExecutePreUserDeletion = (event: HookEvent & {
+    user_id: string;
+}, api: OnExecutePreUserDeletionAPI) => Promise<void>;
+export type OnExecutePostUserDeletionAPI = {
+    token: TokenAPI;
+};
+export type OnExecutePostUserDeletion = (event: HookEvent & {
+    user_id: string;
+}, api: OnExecutePostUserDeletionAPI) => Promise<void>;
+export type OnExecuteValidateRegistrationUsernameAPI = {
+    deny: (reason?: string) => void;
+    token: TokenAPI;
+};
+export type OnExecuteValidateRegistrationUsername = (event: Omit<HookEvent, "user"> & {
+    user: {
+        email: string;
+        connection: string;
+    };
+}, api: OnExecuteValidateRegistrationUsernameAPI) => Promise<void>;
+export type UserInfoEvent = {
+    ctx: Context<{
+        Bindings: Bindings;
+        Variables: Variables;
+    }>;
+    user: User;
+    tenant_id: string;
+    scopes: string[];
+};
+export type OnFetchUserInfoAPI = {
+    setCustomClaim: (claim: string, value: unknown) => void;
+};
+/** Called when /userinfo endpoint is accessed */
+export type OnFetchUserInfo = (event: UserInfoEvent, api: OnFetchUserInfoAPI) => Promise<void>;
+/**
+ * All available auth flow hooks.
+ * This type is shared between AuthHeroConfig and Bindings to ensure consistency.
+ */
+export type Hooks = {
+    onExecuteCredentialsExchange?: OnExecuteCredentialsExchange;
+    onExecutePreUserRegistration?: OnExecutePreUserRegistration;
+    onExecutePostUserRegistration?: OnExecutePostUserRegistration;
+    onExecutePreUserUpdate?: OnExecutePreUserUpdate;
+    onExecutePostLogin?: OnExecutePostLogin;
+    onExecutePreUserDeletion?: OnExecutePreUserDeletion;
+    onExecutePostUserDeletion?: OnExecutePostUserDeletion;
+    onExecuteValidateRegistrationUsername?: OnExecuteValidateRegistrationUsername;
+    /** Called when /userinfo endpoint is accessed to add custom claims */
+    onFetchUserInfo?: OnFetchUserInfo;
+};

package/dist/types/types/IdToken.d.ts

@@ -0,0 +1,30 @@
+import { z } from "@hono/zod-openapi";
+export declare const idTokenSchema: z.ZodObject<{
+    iss: z.ZodString;
+    sub: z.ZodString;
+    aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
+    exp: z.ZodNumber;
+    email: z.ZodOptional<z.ZodString>;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    iat: z.ZodNumber;
+    auth_time: z.ZodOptional<z.ZodNumber>;
+    nonce: z.ZodOptional<z.ZodString>;
+    acr: z.ZodOptional<z.ZodString>;
+    amr: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    azp: z.ZodOptional<z.ZodString>;
+    at_hash: z.ZodOptional<z.ZodString>;
+    c_hash: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
+export declare const userInfoSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    email: z.ZodOptional<z.ZodString>;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
+    iss: z.ZodString;
+    sub: z.ZodString;
+    aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
+    exp: z.ZodNumber;
+}, z.core.$loose>;
+export type IdToken = z.infer<typeof idTokenSchema>;

package/dist/types/types/UserInfo.d.ts

@@ -0,0 +1,8 @@
+import { z } from "@hono/zod-openapi";
+export declare const userInfoSchema: z.ZodObject<{
+    sub: z.ZodString;
+    email: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
+    given_name: z.ZodOptional<z.ZodString>;
+    email_verified: z.ZodBoolean;
+}, z.core.$strip>;

package/dist/types/types/Variables.d.ts

@@ -0,0 +1,33 @@
+import { LoginSession } from "@authhero/adapter-interfaces";
+import { CountryCode } from "libphonenumber-js";
+import { Auth0Client } from "./Auth0Client";
+export type Variables = {
+    tenant_id: string;
+    ip: string;
+    client_id?: string;
+    user_id?: string;
+    username?: string;
+    connection?: string;
+    body?: any;
+    log?: string;
+    custom_domain?: string;
+    host?: string;
+    user?: {
+        sub: string;
+        tenant_id: string;
+        org_name?: string;
+        org_id?: string;
+        scope?: string;
+    };
+    organization_id?: string;
+    org_name?: string;
+    loginSession?: LoginSession;
+    auth0_client?: Auth0Client;
+    useragent?: string;
+    countryCode?: CountryCode;
+    outboxEventPromises?: Promise<string>[];
+    backgroundPromises?: Promise<void>[];
+    client_authenticated_via_assertion?: boolean;
+    action_execution_id?: string;
+    is_lazy_migration?: boolean;
+};

package/dist/types/types/auth0/Query.d.ts

@@ -0,0 +1,12 @@
+import { z } from "@hono/zod-openapi";
+export declare const querySchema: z.ZodObject<{
+    page: z.ZodPipe<z.ZodDefault<z.ZodOptional<z.ZodString>>, z.ZodTransform<number, string>>;
+    per_page: z.ZodPipe<z.ZodDefault<z.ZodOptional<z.ZodString>>, z.ZodTransform<number, string>>;
+    include_totals: z.ZodPipe<z.ZodDefault<z.ZodOptional<z.ZodString>>, z.ZodTransform<boolean, string>>;
+    from: z.ZodOptional<z.ZodString>;
+    take: z.ZodPipe<z.ZodOptional<z.ZodString>, z.ZodTransform<number | undefined, string | undefined>>;
+    sort: z.ZodOptional<z.ZodString>;
+    q: z.ZodOptional<z.ZodString>;
+    from_date: z.ZodPreprocess<z.ZodOptional<z.ZodNumber>>;
+    to_date: z.ZodPreprocess<z.ZodOptional<z.ZodNumber>>;
+}, z.core.$strip>;

package/dist/types/types/auth0/Totals.d.ts

@@ -0,0 +1,11 @@
+import { z } from "@hono/zod-openapi";
+export declare const totalsSchema: z.ZodObject<{
+    start: z.ZodNumber;
+    limit: z.ZodNumber;
+    length: z.ZodNumber;
+}, z.core.$strip>;
+export interface Totals {
+    start: number;
+    limit: number;
+    length: number;
+}

package/dist/types/types/auth0/UserResponse.d.ts

@@ -0,0 +1,46 @@
+import { BaseUser } from "@authhero/adapter-interfaces";
+import { z } from "@hono/zod-openapi";
+export interface PostUsersBody extends BaseUser {
+    password?: string;
+    verify_email?: boolean;
+    username?: string;
+    connection?: string;
+    email_verified?: boolean;
+}
+export declare const userResponseSchema: z.ZodObject<{
+    username: z.ZodOptional<z.ZodString>;
+    phone_number: z.ZodOptional<z.ZodString>;
+    phone_verified: z.ZodOptional<z.ZodBoolean>;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
+    nickname: z.ZodOptional<z.ZodString>;
+    name: z.ZodOptional<z.ZodString>;
+    picture: z.ZodOptional<z.ZodString>;
+    locale: z.ZodOptional<z.ZodString>;
+    linked_to: z.ZodOptional<z.ZodString>;
+    profileData: z.ZodOptional<z.ZodString>;
+    app_metadata: z.ZodOptional<z.ZodDefault<z.ZodAny>>;
+    user_metadata: z.ZodOptional<z.ZodDefault<z.ZodAny>>;
+    middle_name: z.ZodOptional<z.ZodString>;
+    preferred_username: z.ZodOptional<z.ZodString>;
+    profile: z.ZodOptional<z.ZodString>;
+    website: z.ZodOptional<z.ZodString>;
+    gender: z.ZodOptional<z.ZodString>;
+    birthdate: z.ZodOptional<z.ZodString>;
+    zoneinfo: z.ZodOptional<z.ZodString>;
+    address: z.ZodOptional<z.ZodObject<{
+        formatted: z.ZodOptional<z.ZodString>;
+        street_address: z.ZodOptional<z.ZodString>;
+        locality: z.ZodOptional<z.ZodString>;
+        region: z.ZodOptional<z.ZodString>;
+        postal_code: z.ZodOptional<z.ZodString>;
+        country: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    email: z.ZodString;
+    login_count: z.ZodNumber;
+    multifactor: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    last_ip: z.ZodOptional<z.ZodString>;
+    last_login: z.ZodOptional<z.ZodString>;
+    user_id: z.ZodString;
+}, z.core.$catchall<z.ZodAny>>;
+export type UserResponse = z.infer<typeof userResponseSchema>;

package/dist/types/types/auth0/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./Totals";
+export * from "./UserResponse";
+export * from "./Query";

package/dist/types/types/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./Variables";
+export * from "./Bindings";
+export * from "./auth0";
+export * from "./AuthHeroConfig";
+export * from "./GrantFlowResult";
+export * from "./Hooks";

package/dist/types/types/saml.d.ts

@@ -0,0 +1 @@
+export * from "@authhero/saml";

package/dist/types/utils/append-log.d.ts

@@ -0,0 +1,10 @@
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * Appends a message to the ctx.var.log variable.
+ * If a log already exists, the new message is appended with a newline separator.
+ */
+export declare function appendLog(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, message: string): void;

package/dist/types/utils/auth-header.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Parse an HTTP `Authorization` header and return the bearer token payload
+ * if and only if the scheme is `Bearer` (case-insensitive).
+ *
+ * Returns `undefined` for missing header, wrong scheme, or empty token.
+ */
+export declare function extractBearerToken(authHeader?: string): string | undefined;
+/**
+ * Parse an HTTP `Authorization: Basic` header into `{ client_id, client_secret }`
+ * for OAuth 2.0 client_secret_basic authentication (RFC 6749 §2.3.1).
+ *
+ * Returns an empty object when the header is missing, uses a non-Basic scheme,
+ * or fails to decode.
+ */
+export declare function parseBasicAuthHeader(authHeader?: string): {
+    client_id?: string;
+    client_secret?: string;
+};

package/dist/types/utils/auth0-upstream.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Helpers that call an upstream Auth0 tenant during lazy migration.
+ *
+ * Used by:
+ * - password.ts: ROPG (password-realm grant) on missed local password lookup,
+ *   followed by /userinfo to read the profile.
+ * - refresh-token.ts: forward `grant_type=refresh_token` for tokens that don't
+ *   match any local row.
+ *
+ * No M2M token is required: ROPG uses the configured client_id/client_secret,
+ * and /userinfo is called with the access_token returned by ROPG.
+ */
+export type Auth0UpstreamErrorCode = "invalid_grant" | "invalid_request" | "unauthorized_client" | "mfa_required" | "access_denied" | "network_error" | "malformed_response" | string;
+export declare class Auth0UpstreamError extends Error {
+    readonly status: number;
+    readonly code: Auth0UpstreamErrorCode;
+    readonly description?: string;
+    constructor(status: number, code: Auth0UpstreamErrorCode, description?: string);
+}
+export interface Auth0TokenResponse {
+    access_token: string;
+    id_token?: string;
+    refresh_token?: string;
+    expires_in?: number;
+    token_type?: string;
+    scope?: string;
+}
+export interface Auth0UserInfo {
+    sub: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    nickname?: string;
+    picture?: string;
+    locale?: string;
+    [key: string]: unknown;
+}
+export interface PasswordRealmGrantParams {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret: string;
+    realm: string;
+    username: string;
+    password: string;
+    audience?: string;
+    scope?: string;
+}
+export declare function passwordRealmGrant(params: PasswordRealmGrantParams): Promise<Auth0TokenResponse>;
+export interface UpstreamRefreshTokenGrantParams {
+    tokenEndpoint: string;
+    clientId: string;
+    clientSecret: string;
+    refreshToken: string;
+    audience?: string;
+    scope?: string;
+}
+export declare function upstreamRefreshTokenGrant(params: UpstreamRefreshTokenGrantParams): Promise<Auth0TokenResponse>;
+export declare function fetchUserInfo(userinfoEndpoint: string, accessToken: string): Promise<Auth0UserInfo>;

package/dist/types/utils/authIframe.d.ts

@@ -0,0 +1,11 @@
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * Renders an iframe response for authentication flows.
+ * The Server-Timing header prevents Cloudflare from adding the beacon script
+ * which might interfere with Safari ITP.
+ */
+export default function renderAuthIframe(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, targetOrigin: string, response: string, additionalHeaders?: Headers): Response;

package/dist/types/utils/client-info.d.ts

@@ -0,0 +1,47 @@
+import { CountryCode } from "libphonenumber-js";
+import { Variables } from "../types/Variables";
+import { Context } from "hono";
+/**
+ * Get client information from Hono context (when using clientInfoMiddleware)
+ * @param c - Hono context
+ * @returns Client information object
+ */
+export declare function getClientInfoFromContext(c: Context<{
+    Variables: Variables;
+}>): {
+    auth0_client?: {
+        name: string;
+        version: string;
+        env?: {
+            node?: string | undefined;
+        } | undefined;
+    } | undefined;
+    ip?: string;
+    useragent?: string;
+    countryCode?: CountryCode;
+};
+/**
+ * Convert structured auth0_client object back to string format for storage
+ * @param auth0_client - Structured auth0 client object
+ * @returns String representation of auth0 client
+ */
+export declare function stringifyAuth0Client(auth0_client?: {
+    name: string;
+    version: string;
+    env?: {
+        node?: string | undefined;
+    } | undefined;
+}): string | undefined;
+/**
+ * Get client information from context with auth0Client as string (for backward compatibility)
+ * @param c - Hono context
+ * @returns Client information object with stringified auth0Client
+ */
+export declare function getClientInfoWithStringAuth0Client(c: Context<{
+    Variables: Variables;
+}>): {
+    auth0Client?: string;
+    ip?: string;
+    useragent?: string;
+    countryCode?: CountryCode;
+};

package/dist/types/utils/color.d.ts

@@ -0,0 +1,23 @@
+export declare const lighten: (hex: string, percent: number) => string;
+export declare const darken: (hex: string, percent: number) => string;
+/**
+ * WCAG relative luminance (0 = black, 1 = white)
+ */
+export declare function relativeLuminance(hex: string): number;
+/**
+ * WCAG contrast ratio between two colors (1–21)
+ */
+export declare function contrastRatio(hex1: string, hex2: string): number;
+/**
+ * Returns "#ffffff" or "#000000" based on which has better contrast
+ * against the given background color.
+ *
+ * In light mode, white text is slightly favored for borderline colors
+ * (e.g. pure red gets white text). In dark mode, black text is favored.
+ */
+export declare function getContrastTextColor(backgroundHex: string, mode?: "light" | "dark"): string;
+/**
+ * Adjusts a color to ensure it meets WCAG AA contrast (4.5:1)
+ * against the given background. Darkens or lightens in steps.
+ */
+export declare function ensureContrast(foregroundHex: string, backgroundHex: string, minRatio?: number): string;

package/dist/types/utils/connections.d.ts

@@ -0,0 +1,11 @@
+import { Connection } from "@authhero/adapter-interfaces";
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+/**
+ * Look up a connection by its `name`. Used to resolve the connection an
+ * existing user is registered under so we can read its options.
+ */
+export declare function findConnectionByName(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, tenantId: string, name: string): Promise<Connection | null>;

package/dist/types/utils/cookies.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Get all values for a specific cookie name.
+ * The `cookie` package's parse() only returns the first value for duplicate cookies.
+ * This function returns all values to handle scenarios where users may have multiple
+ * cookies with the same name due to:
+ * - Domain conflicts (e.g., `.example.com` vs `auth.example.com`)
+ * - Path conflicts
+ * - Partitioned vs non-partitioned cookies (CHIPS)
+ * - Browser quirks in cookie ordering
+ */
+export declare function getAllAuthCookies(tenant_id: string, cookieHeaders?: string): string[];
+export declare function getAuthCookie(tenant_id: string, cookieHeaders?: string): string | undefined;
+/**
+ * TEMPORARY: Double-Clear mechanism for cookie migration
+ * This can be removed after February 28th, 2026
+ *
+ * Clears both non-partitioned and partitioned cookies to ensure clean migration.
+ * Returns an array of Set-Cookie headers.
+ */
+export declare function clearAuthCookie(tenant_id: string, hostname?: string): string[];
+/**
+ * TEMPORARY: Double-Clear mechanism for cookie migration
+ * This can be removed after February 28th, 2026
+ *
+ * First clears any non-partitioned cookie, then sets the new partitioned cookie.
+ * Returns an array of Set-Cookie headers.
+ */
+export declare function serializeAuthCookie(tenant_id: string, value: string, hostname?: string): string[];

package/dist/types/utils/crypto.d.ts

@@ -0,0 +1,2 @@
+export declare function pemToBuffer(pem: string): ArrayBuffer;
+export declare function computeCodeChallenge(codeVerifier: string, method: "plain" | "S256"): Promise<string>;

package/dist/types/utils/deep-merge.d.ts

@@ -0,0 +1,6 @@
+type Primitive = string | number | boolean | symbol | bigint | null | undefined;
+type DeepPartial<T> = {
+    [P in keyof T]?: T[P] extends Primitive ? T[P] : T[P] extends Array<infer U> ? Array<DeepPartial<U>> : DeepPartial<T[P]>;
+};
+export declare function deepMergePatch<T>(target: T, patch: DeepPartial<T>): T;
+export {};

package/dist/types/utils/define-route.d.ts

@@ -0,0 +1,20 @@
+import { OpenAPIRoute, RouteConfig } from "@hono/zod-openapi";
+import { Bindings, Variables } from "../types";
+/**
+ * Pin the handler context to the authhero app's `Bindings`/`Variables` so
+ * `ctx.var.tenant_id`, `ctx.env.data`, etc. are typed at the call site.
+ *
+ * Without this wrapper, `defineOpenAPIRoute`'s `E` generic defaults to the
+ * base `Env`, and every handler ends up with `ctx.var: object` and
+ * `ctx.env: object | undefined`.
+ *
+ * Each route file imports `defineRoute` and registers its routes via
+ * `new OpenAPIHono<{ Bindings; Variables }>().openapiRoutes([...] as const)`
+ * — replacing the pre-1.x chained `.openapi(...)` style.
+ */
+type AuthHeroEnv = {
+    Bindings: Bindings;
+    Variables: Variables;
+};
+export declare const defineRoute: <R extends RouteConfig, const AddRoute extends boolean | undefined = undefined>(def: OpenAPIRoute<R, AuthHeroEnv, AddRoute>) => OpenAPIRoute<R, AuthHeroEnv, AddRoute>;
+export {};