authhero 6.0.0 → 7.0.0
- package/dist/authhero.cjs +105 -105
- package/dist/authhero.d.ts +261 -210
- package/dist/authhero.mjs +12607 -9956
- package/dist/stats.html +1 -1
- package/dist/tsconfig.types.tsbuildinfo +1 -1
- package/dist/types/authentication-flows/passwordless.d.ts +3 -3
- package/dist/types/index.d.ts +204 -203
- package/dist/types/routes/auth-api/index.d.ts +31 -31
- package/dist/types/routes/auth-api/passwordless.d.ts +12 -12
- package/dist/types/routes/auth-api/register/index.d.ts +2 -2
- package/dist/types/routes/auth-api/revoke.d.ts +6 -6
- package/dist/types/routes/auth-api/token.d.ts +10 -10
- package/dist/types/routes/auth-api/well-known.d.ts +1 -1
- package/dist/types/routes/management-api/action-executions.d.ts +1 -1
- package/dist/types/routes/management-api/actions.d.ts +1 -1
- package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
- package/dist/types/routes/management-api/client-grants.d.ts +8 -8
- package/dist/types/routes/management-api/clients.d.ts +7 -7
- package/dist/types/routes/management-api/connections.d.ts +1 -1
- package/dist/types/routes/management-api/custom-domains.d.ts +7 -7
- package/dist/types/routes/management-api/failed-events.d.ts +1 -1
- package/dist/types/routes/management-api/forms.d.ts +119 -119
- package/dist/types/routes/management-api/guardian.d.ts +5 -5
- package/dist/types/routes/management-api/index.d.ts +166 -166
- package/dist/types/routes/management-api/logs.d.ts +3 -3
- package/dist/types/routes/management-api/migration-sources.d.ts +6 -6
- package/dist/types/routes/management-api/prompts.d.ts +4 -4
- package/dist/types/routes/management-api/users.d.ts +2 -2
- package/dist/types/routes/proxy-control-plane/index.d.ts +21 -7
- package/dist/types/routes/proxy-control-plane/verify.d.ts +39 -0
- package/dist/types/routes/universal-login/common.d.ts +2 -2
- package/dist/types/routes/universal-login/flow-api.d.ts +8 -8
- package/dist/types/routes/universal-login/u2-index.d.ts +6 -6
- package/dist/types/routes/universal-login/u2-routes.d.ts +6 -6
- package/dist/types/types/AuthHeroConfig.d.ts +17 -5
- package/dist/types/utils/jwks.d.ts +2 -2
- package/package.json +3 -3
|
@@ -24,7 +24,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
24
24
|
};
|
|
25
25
|
};
|
|
26
26
|
output: {
|
|
27
|
-
type: "
|
|
27
|
+
type: "fn" | "i" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" 
| "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
28
28
|
date: string;
|
|
29
29
|
isMobile: boolean;
|
|
30
30
|
log_id: string;
|
|
@@ -63,7 +63,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
63
63
|
limit: number;
|
|
64
64
|
length: number;
|
|
65
65
|
logs: {
|
|
66
|
-
type: "
|
|
66
|
+
type: "fn" | "i" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" 
| "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
67
67
|
date: string;
|
|
68
68
|
isMobile: boolean;
|
|
69
69
|
log_id: string;
|
|
@@ -117,7 +117,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
117
117
|
};
|
|
118
118
|
};
|
|
119
119
|
output: {
|
|
120
|
-
type: "
|
|
120
|
+
type: "fn" | "i" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" 
| "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
121
121
|
date: string;
|
|
122
122
|
isMobile: boolean;
|
|
123
123
|
log_id: string;
|
|
@@ -15,7 +15,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
15
15
|
created_at: string;
|
|
16
16
|
updated_at: string;
|
|
17
17
|
name: string;
|
|
18
|
-
provider: "auth0" | "
|
|
18
|
+
provider: "auth0" | "cognito" | "okta" | "oidc";
|
|
19
19
|
connection: string;
|
|
20
20
|
enabled: boolean;
|
|
21
21
|
credentials: {
|
|
@@ -47,7 +47,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
47
47
|
created_at: string;
|
|
48
48
|
updated_at: string;
|
|
49
49
|
name: string;
|
|
50
|
-
provider: "auth0" | "
|
|
50
|
+
provider: "auth0" | "cognito" | "okta" | "oidc";
|
|
51
51
|
connection: string;
|
|
52
52
|
enabled: boolean;
|
|
53
53
|
credentials: {
|
|
@@ -73,7 +73,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
73
73
|
} & {
|
|
74
74
|
json: {
|
|
75
75
|
name: string;
|
|
76
|
-
provider: "auth0" | "
|
|
76
|
+
provider: "auth0" | "cognito" | "okta" | "oidc";
|
|
77
77
|
connection: string;
|
|
78
78
|
credentials: {
|
|
79
79
|
domain: string;
|
|
@@ -90,7 +90,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
90
90
|
created_at: string;
|
|
91
91
|
updated_at: string;
|
|
92
92
|
name: string;
|
|
93
|
-
provider: "auth0" | "
|
|
93
|
+
provider: "auth0" | "cognito" | "okta" | "oidc";
|
|
94
94
|
connection: string;
|
|
95
95
|
enabled: boolean;
|
|
96
96
|
credentials: {
|
|
@@ -121,7 +121,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
121
121
|
json: {
|
|
122
122
|
id?: string | undefined;
|
|
123
123
|
name?: string | undefined;
|
|
124
|
-
provider?: "auth0" | "
|
|
124
|
+
provider?: "auth0" | "cognito" | "okta" | "oidc" | undefined;
|
|
125
125
|
connection?: string | undefined;
|
|
126
126
|
enabled?: boolean | undefined;
|
|
127
127
|
credentials?: {
|
|
@@ -137,7 +137,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
137
137
|
created_at: string;
|
|
138
138
|
updated_at: string;
|
|
139
139
|
name: string;
|
|
140
|
-
provider: "auth0" | "
|
|
140
|
+
provider: "auth0" | "cognito" | "okta" | "oidc";
|
|
141
141
|
connection: string;
|
|
142
142
|
enabled: boolean;
|
|
143
143
|
credentials: {
|
|
@@ -50,7 +50,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
50
50
|
};
|
|
51
51
|
};
|
|
52
52
|
output: {
|
|
53
|
-
prompt: "
|
|
53
|
+
prompt: "signup" | "status" | "mfa" | "organizations" | "login" | "login-id" | "login-password" | "signup-id" | "signup-password" | "reset-password" | "consent" | "mfa-push" | "mfa-otp" | "mfa-voice" | "mfa-phone" | "mfa-webauthn" | "mfa-email" | "mfa-recovery-code" | "device-flow" | "email-verification" | "email-otp-challenge" | "invitation" | "common" | "passkeys" | "captcha" | "custom-form" | "login-passwordless" | "mfa-login-options";
|
|
54
54
|
language: string;
|
|
55
55
|
}[];
|
|
56
56
|
outputFormat: "json";
|
|
@@ -88,7 +88,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
88
88
|
$get: {
|
|
89
89
|
input: {
|
|
90
90
|
param: {
|
|
91
|
-
prompt: "
|
|
91
|
+
prompt: "signup" | "status" | "mfa" | "organizations" | "login" | "login-id" | "login-password" | "signup-id" | "signup-password" | "reset-password" | "consent" | "mfa-push" | "mfa-otp" | "mfa-voice" | "mfa-phone" | "mfa-webauthn" | "mfa-email" | "mfa-recovery-code" | "device-flow" | "email-verification" | "email-otp-challenge" | "invitation" | "common" | "passkeys" | "captcha" | "custom-form" | "login-passwordless" | "mfa-login-options";
|
|
92
92
|
language: string;
|
|
93
93
|
};
|
|
94
94
|
} & {
|
|
@@ -110,7 +110,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
110
110
|
$put: {
|
|
111
111
|
input: {
|
|
112
112
|
param: {
|
|
113
|
-
prompt: "
|
|
113
|
+
prompt: "signup" | "status" | "mfa" | "organizations" | "login" | "login-id" | "login-password" | "signup-id" | "signup-password" | "reset-password" | "consent" | "mfa-push" | "mfa-otp" | "mfa-voice" | "mfa-phone" | "mfa-webauthn" | "mfa-email" | "mfa-recovery-code" | "device-flow" | "email-verification" | "email-otp-challenge" | "invitation" | "common" | "passkeys" | "captcha" | "custom-form" | "login-passwordless" | "mfa-login-options";
|
|
114
114
|
language: string;
|
|
115
115
|
};
|
|
116
116
|
} & {
|
|
@@ -134,7 +134,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
134
134
|
$delete: {
|
|
135
135
|
input: {
|
|
136
136
|
param: {
|
|
137
|
-
prompt: "
|
|
137
|
+
prompt: "signup" | "status" | "mfa" | "organizations" | "login" | "login-id" | "login-password" | "signup-id" | "signup-password" | "reset-password" | "consent" | "mfa-push" | "mfa-otp" | "mfa-voice" | "mfa-phone" | "mfa-webauthn" | "mfa-email" | "mfa-recovery-code" | "device-flow" | "email-verification" | "email-otp-challenge" | "invitation" | "common" | "passkeys" | "captcha" | "custom-form" | "login-passwordless" | "mfa-login-options";
|
|
138
138
|
language: string;
|
|
139
139
|
};
|
|
140
140
|
} & {
|
|
@@ -737,7 +737,7 @@ export declare const userRoutes: OpenAPIHono<{
|
|
|
737
737
|
};
|
|
738
738
|
};
|
|
739
739
|
output: {
|
|
740
|
-
type: "
|
|
740
|
+
type: "fn" | "i" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" 
| "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
741
741
|
date: string;
|
|
742
742
|
isMobile: boolean;
|
|
743
743
|
log_id: string;
|
|
@@ -776,7 +776,7 @@ export declare const userRoutes: OpenAPIHono<{
|
|
|
776
776
|
limit: number;
|
|
777
777
|
length: number;
|
|
778
778
|
logs: {
|
|
779
|
-
type: "
|
|
779
|
+
type: "fn" | "i" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "festft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" 
| "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
780
780
|
date: string;
|
|
781
781
|
isMobile: boolean;
|
|
782
782
|
log_id: string;
|
|
@@ -2,6 +2,7 @@ import { Hono } from "hono";
|
|
|
2
2
|
import type { ResolvedHost } from "@authhero/proxy";
|
|
3
3
|
import { CustomDomain, CustomDomainsAdapter, ProxyRoute, ProxyRoutesAdapter } from "@authhero/adapter-interfaces";
|
|
4
4
|
import { SyncEvent } from "../../helpers/control-plane-sync-events";
|
|
5
|
+
import { Bindings } from "../../types";
|
|
5
6
|
export interface ProxyControlPlaneOptions {
|
|
6
7
|
/**
|
|
7
8
|
* Cross-tenant host resolver. Typically delegated to a database adapter's
|
|
@@ -9,13 +10,20 @@ export interface ProxyControlPlaneOptions {
|
|
|
9
10
|
*/
|
|
10
11
|
resolveHost: (host: string) => Promise<ResolvedHost | null>;
|
|
11
12
|
/**
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
13
|
+
* URL of the JWKS document used to verify control-plane bearer tokens.
|
|
14
|
+
*
|
|
15
|
+
* Tokens MUST be signed by a key in this JWKS, carry an `iss` matching
|
|
16
|
+
* the runtime `env.ISSUER` (strict URL equality after trailing-slash
|
|
17
|
+
* normalization), and include the `proxy:resolve_host` scope.
|
|
18
|
+
*/
|
|
19
|
+
jwksUrl: string;
|
|
20
|
+
/**
|
|
21
|
+
* Optional fetch override for `jwksUrl`. Defaults to global `fetch`.
|
|
22
|
+
* Hosts on Cloudflare Workers can pass
|
|
23
|
+
* `(url) => env.JWKS_SERVICE.fetch(url)` to route through a service
|
|
24
|
+
* binding instead of the public network.
|
|
17
25
|
*/
|
|
18
|
-
|
|
26
|
+
jwksFetch?: (url: string) => Promise<Response>;
|
|
19
27
|
/**
|
|
20
28
|
* Optional handler for `POST /sync` — receives `controlplane.sync.*` events
|
|
21
29
|
* emitted by tenant shards via `ControlPlaneSyncDestination` and replicates
|
|
@@ -34,8 +42,14 @@ export interface ProxyControlPlaneOptions {
|
|
|
34
42
|
* `GET /hosts/:host`. When `applySyncEvents` is provided, also exposes
|
|
35
43
|
* `POST /sync` for tenant shards to replicate custom_domains / proxy_routes
|
|
36
44
|
* mutations. Mount under `/api/v2/proxy/control-plane`.
|
|
45
|
+
*
|
|
46
|
+
* Authentication is built in: requests must carry a `Bearer` JWT signed by
|
|
47
|
+
* a key published at `options.jwksUrl`, with `iss` matching the runtime
|
|
48
|
+
* `env.ISSUER` and scope `proxy:resolve_host`.
|
|
37
49
|
*/
|
|
38
|
-
export declare function createProxyControlPlaneApp(options: ProxyControlPlaneOptions): Hono
|
|
50
|
+
export declare function createProxyControlPlaneApp(options: ProxyControlPlaneOptions): Hono<{
|
|
51
|
+
Bindings: Bindings;
|
|
52
|
+
}>;
|
|
39
53
|
export interface CreateApplySyncEventsOptions {
|
|
40
54
|
customDomains: CustomDomainsAdapter;
|
|
41
55
|
proxyRoutes?: ProxyRoutesAdapter;
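Review bot: The comment added above `createProxyControlPlaneApp` names one scope, `proxy:resolve_host`, for the whole app, which as written also covers `POST /sync`, the endpoint that replicates custom_domains / proxy_routes mutations. If the write path really is gated on the read scope, any credential that can resolve hosts can also push sync events, so a separate scope for `/sync` would keep the two privileges apart. If `/sync` is already checked differently, the comment should say so, for example `* POST /sync additionally requires scope <SYNC_SCOPE_PLACEHOLDER>.`. The `jwksUrl` doc could also state whether non-https URLs are rejected. Only the declarations are visible here, so this concerns the documented contract rather than the implementation.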
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
import { PROXY_RESOLVE_HOST_SCOPE } from "@authhero/proxy";
|
|
2
|
+
/**
|
|
3
|
+
* Strict issuer equality: parse both `iss` and `expected` as URLs and compare
|
|
4
|
+
* the resulting hrefs after stripping any single trailing slash. No host-only
|
|
5
|
+
* match, no subdomain match — a token issued by `https://a.example.com/` and
|
|
6
|
+
* an expected `https://b.example.com/` (or `https://example.com/x/`) must NOT
|
|
7
|
+
* be treated as equivalent.
|
|
8
|
+
*/
|
|
9
|
+
export declare function isAllowedIssuer(iss: string, expected: string): boolean;
|
|
10
|
+
export type VerifyControlPlaneTokenResult = {
|
|
11
|
+
ok: true;
|
|
12
|
+
} | {
|
|
13
|
+
ok: false;
|
|
14
|
+
reason: string;
|
|
15
|
+
};
|
|
16
|
+
export interface VerifyControlPlaneTokenOptions {
|
|
17
|
+
/** Compact JWS to verify. */
|
|
18
|
+
token: string;
|
|
19
|
+
/** JWKS document URL. */
|
|
20
|
+
jwksUrl: string;
|
|
21
|
+
/** Optional fetch override — defaults to global `fetch`. */
|
|
22
|
+
jwksFetch?: (url: string) => Promise<Response>;
|
|
23
|
+
/** Expected `iss` claim (compared via {@link isAllowedIssuer}). */
|
|
24
|
+
expectedIssuer: string;
|
|
25
|
+
/** Required `scope` (space-separated). Defaults to `proxy:resolve_host`. */
|
|
26
|
+
requiredScope?: string;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Verify a bearer token for the proxy control plane. Returns `{ ok: true }`
|
|
30
|
+
* on success, `{ ok: false, reason }` on any failure — the reason is for
|
|
31
|
+
* logs only and must not be surfaced to the caller.
|
|
32
|
+
*
|
|
33
|
+
* Accepted algs: RS256/384/512, ES256/384/512. The JWK's `alg` must match
|
|
34
|
+
* the token header's `alg`. The token must carry the configured required
|
|
35
|
+
* scope (`proxy:resolve_host` by default) and an `iss` that strictly equals
|
|
36
|
+
* `expectedIssuer` after URL normalization.
|
|
37
|
+
*/
|
|
38
|
+
export declare function verifyControlPlaneToken(options: VerifyControlPlaneTokenOptions): Promise<VerifyControlPlaneTokenResult>;
|
|
39
|
+
export { PROXY_RESOLVE_HOST_SCOPE };
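Review bot: The contract documented on `verifyControlPlaneToken` lists the accepted algorithms, the JWK/header `alg` match, the scope and the `iss` check, but says nothing about `exp`/`nbf` or `aud`. A caller therefore cannot tell whether an expired token, or one minted by the same issuer for another audience, is rejected. Only the declaration is visible here, so the implementation may already enforce these; if it does, add a line such as `* Expired or not-yet-valid tokens (exp/nbf) are rejected.` and state the `aud` policy explicitly. The doc should also say what happens when the selected JWK has no `alg` member, which is optional in a JWK, and whether an empty `requiredScope` disables the scope check.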
|
|
@@ -447,7 +447,7 @@ export declare function initJSXRoute(ctx: Context<{
|
|
|
447
447
|
custom_login_page_preview?: string | undefined;
|
|
448
448
|
form_template?: string | undefined;
|
|
449
449
|
addons?: Record<string, any> | undefined;
|
|
450
|
-
token_endpoint_auth_method?: "
|
|
450
|
+
token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
|
|
451
451
|
client_metadata?: Record<string, string> | undefined;
|
|
452
452
|
hide_sign_up_disabled_error?: boolean | undefined;
|
|
453
453
|
mobile?: Record<string, any> | undefined;
|
|
@@ -1166,7 +1166,7 @@ export declare function initJSXRouteWithSession(ctx: Context<{
|
|
|
1166
1166
|
custom_login_page_preview?: string | undefined;
|
|
1167
1167
|
form_template?: string | undefined;
|
|
1168
1168
|
addons?: Record<string, any> | undefined;
|
|
1169
|
-
token_endpoint_auth_method?: "
|
|
1169
|
+
token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
|
|
1170
1170
|
client_metadata?: Record<string, string> | undefined;
|
|
1171
1171
|
hide_sign_up_disabled_error?: boolean | undefined;
|
|
1172
1172
|
mobile?: Record<string, any> | undefined;
|
|
@@ -43,7 +43,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
43
43
|
hint?: string | undefined;
|
|
44
44
|
messages?: {
|
|
45
45
|
text: string;
|
|
46
|
-
type: "
|
|
46
|
+
type: "success" | "error" | "info" | "warning";
|
|
47
47
|
id?: number | undefined;
|
|
48
48
|
}[] | undefined;
|
|
49
49
|
}[];
|
|
@@ -51,7 +51,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
51
51
|
description?: string | undefined;
|
|
52
52
|
messages?: {
|
|
53
53
|
text: string;
|
|
54
|
-
type: "
|
|
54
|
+
type: "success" | "error" | "info" | "warning";
|
|
55
55
|
id?: number | undefined;
|
|
56
56
|
}[] | undefined;
|
|
57
57
|
links?: {
|
|
@@ -123,7 +123,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
123
123
|
hint?: string | undefined;
|
|
124
124
|
messages?: {
|
|
125
125
|
text: string;
|
|
126
|
-
type: "
|
|
126
|
+
type: "success" | "error" | "info" | "warning";
|
|
127
127
|
id?: number | undefined;
|
|
128
128
|
}[] | undefined;
|
|
129
129
|
}[];
|
|
@@ -131,7 +131,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
131
131
|
description?: string | undefined;
|
|
132
132
|
messages?: {
|
|
133
133
|
text: string;
|
|
134
|
-
type: "
|
|
134
|
+
type: "success" | "error" | "info" | "warning";
|
|
135
135
|
id?: number | undefined;
|
|
136
136
|
}[] | undefined;
|
|
137
137
|
links?: {
|
|
@@ -220,7 +220,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
220
220
|
hint?: string | undefined;
|
|
221
221
|
messages?: {
|
|
222
222
|
text: string;
|
|
223
|
-
type: "
|
|
223
|
+
type: "success" | "error" | "info" | "warning";
|
|
224
224
|
id?: number | undefined;
|
|
225
225
|
}[] | undefined;
|
|
226
226
|
}[];
|
|
@@ -228,7 +228,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
228
228
|
description?: string | undefined;
|
|
229
229
|
messages?: {
|
|
230
230
|
text: string;
|
|
231
|
-
type: "
|
|
231
|
+
type: "success" | "error" | "info" | "warning";
|
|
232
232
|
id?: number | undefined;
|
|
233
233
|
}[] | undefined;
|
|
234
234
|
links?: {
|
|
@@ -335,7 +335,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
335
335
|
hint?: string | undefined;
|
|
336
336
|
messages?: {
|
|
337
337
|
text: string;
|
|
338
|
-
type: "
|
|
338
|
+
type: "success" | "error" | "info" | "warning";
|
|
339
339
|
id?: number | undefined;
|
|
340
340
|
}[] | undefined;
|
|
341
341
|
}[];
|
|
@@ -343,7 +343,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
343
343
|
description?: string | undefined;
|
|
344
344
|
messages?: {
|
|
345
345
|
text: string;
|
|
346
|
-
type: "
|
|
346
|
+
type: "success" | "error" | "info" | "warning";
|
|
347
347
|
id?: number | undefined;
|
|
348
348
|
}[] | undefined;
|
|
349
349
|
links?: {
|
|
@@ -165,7 +165,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
165
165
|
$get: {
|
|
166
166
|
input: {
|
|
167
167
|
param: {
|
|
168
|
-
screen: "signup" | "
|
|
168
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
169
169
|
};
|
|
170
170
|
} & {
|
|
171
171
|
query: {
|
|
@@ -181,7 +181,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
181
181
|
} | {
|
|
182
182
|
input: {
|
|
183
183
|
param: {
|
|
184
|
-
screen: "signup" | "
|
|
184
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
185
185
|
};
|
|
186
186
|
} & {
|
|
187
187
|
query: {
|
|
@@ -197,7 +197,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
197
197
|
} | {
|
|
198
198
|
input: {
|
|
199
199
|
param: {
|
|
200
|
-
screen: "signup" | "
|
|
200
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
201
201
|
};
|
|
202
202
|
} & {
|
|
203
203
|
query: {
|
|
@@ -217,7 +217,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
217
217
|
$post: {
|
|
218
218
|
input: {
|
|
219
219
|
param: {
|
|
220
|
-
screen: "signup" | "
|
|
220
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
221
221
|
};
|
|
222
222
|
} & {
|
|
223
223
|
query: {
|
|
@@ -235,7 +235,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
235
235
|
} | {
|
|
236
236
|
input: {
|
|
237
237
|
param: {
|
|
238
|
-
screen: "signup" | "
|
|
238
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
239
239
|
};
|
|
240
240
|
} & {
|
|
241
241
|
query: {
|
|
@@ -253,7 +253,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
253
253
|
} | {
|
|
254
254
|
input: {
|
|
255
255
|
param: {
|
|
256
|
-
screen: "signup" | "
|
|
256
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
257
257
|
};
|
|
258
258
|
} & {
|
|
259
259
|
query: {
|
|
@@ -170,7 +170,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
170
170
|
$get: {
|
|
171
171
|
input: {
|
|
172
172
|
param: {
|
|
173
|
-
screen: "signup" | "
|
|
173
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
174
174
|
};
|
|
175
175
|
} & {
|
|
176
176
|
query: {
|
|
@@ -186,7 +186,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
186
186
|
} | {
|
|
187
187
|
input: {
|
|
188
188
|
param: {
|
|
189
|
-
screen: "signup" | "
|
|
189
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
190
190
|
};
|
|
191
191
|
} & {
|
|
192
192
|
query: {
|
|
@@ -202,7 +202,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
202
202
|
} | {
|
|
203
203
|
input: {
|
|
204
204
|
param: {
|
|
205
|
-
screen: "signup" | "
|
|
205
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
206
206
|
};
|
|
207
207
|
} & {
|
|
208
208
|
query: {
|
|
@@ -222,7 +222,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
222
222
|
$post: {
|
|
223
223
|
input: {
|
|
224
224
|
param: {
|
|
225
|
-
screen: "signup" | "
|
|
225
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
226
226
|
};
|
|
227
227
|
} & {
|
|
228
228
|
query: {
|
|
@@ -240,7 +240,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
240
240
|
} | {
|
|
241
241
|
input: {
|
|
242
242
|
param: {
|
|
243
|
-
screen: "signup" | "
|
|
243
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
244
244
|
};
|
|
245
245
|
} & {
|
|
246
246
|
query: {
|
|
@@ -258,7 +258,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
258
258
|
} | {
|
|
259
259
|
input: {
|
|
260
260
|
param: {
|
|
261
|
-
screen: "signup" | "
|
|
261
|
+
screen: "signup" | "login" | "reset-password" | "consent" | "enter-password" | "impersonate" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "reset-password/code" | "reset-password/request" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
262
262
|
};
|
|
263
263
|
} & {
|
|
264
264
|
query: {
|
|
@@ -283,14 +283,26 @@ export interface AuthHeroConfig {
|
|
|
283
283
|
* data plane. When set, mounts `GET /api/v2/proxy/control-plane/hosts/:host`
|
|
284
284
|
* which returns the cross-tenant `ResolvedHost` for the given hostname.
|
|
285
285
|
*
|
|
286
|
-
*
|
|
287
|
-
* `
|
|
288
|
-
*
|
|
289
|
-
* `proxy:resolve_host`
|
|
286
|
+
* Authentication is opinionated and built in: incoming requests must
|
|
287
|
+
* carry a `Bearer` JWT signed by a key in `jwksUrl`, with `iss` matching
|
|
288
|
+
* the runtime `env.ISSUER` (strict URL equality after trailing-slash
|
|
289
|
+
* normalization) and the `proxy:resolve_host` scope. The matching
|
|
290
|
+
* client-side helper is `createHttpProxyAdapter` in `@authhero/proxy`.
|
|
290
291
|
*/
|
|
291
292
|
proxyControlPlane?: {
|
|
292
293
|
resolveHost: (host: string) => Promise<import("@authhero/proxy").ResolvedHost | null>;
|
|
293
|
-
|
|
294
|
+
/**
|
|
295
|
+
* JWKS document URL used to verify the bearer token. On a single-shard
|
|
296
|
+
* deployment this is typically `${env.ISSUER}/.well-known/jwks.json`.
|
|
297
|
+
*/
|
|
298
|
+
jwksUrl: string;
|
|
299
|
+
/**
|
|
300
|
+
* Optional fetch override for `jwksUrl`. Defaults to global `fetch`.
|
|
301
|
+
* Hosts on Cloudflare Workers can pass
|
|
302
|
+
* `(url) => env.JWKS_SERVICE.fetch(url)` to route through a service
|
|
303
|
+
* binding instead of the public network.
|
|
304
|
+
*/
|
|
305
|
+
jwksFetch?: (url: string) => Promise<Response>;
|
|
294
306
|
/**
|
|
295
307
|
* Optional receiver for `POST /sync` events emitted by tenant shards via
|
|
296
308
|
* the `ControlPlaneSyncDestination`. Mount on the control-plane authhero
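Review bot: The new doc comment on `proxyControlPlane` (new lines 286–290) lists three checks (a signature from a key in `jwksUrl`, `iss` equal to `env.ISSUER`, and the `proxy:resolve_host` scope) but does not say whether `aud`, `exp`/`nbf` or the accepted signing algorithms are enforced, and integrators will read that list as complete. Because the endpoint returns the cross-tenant `ResolvedHost`, I would either name those checks in the comment or state that they are not performed, so hosts know they must restrict which clients can be granted the scope. On `jwksUrl` (new line 298) I would add to its comment `* Must be an https URL, or be fetched through jwksFetch over a trusted binding; any key it serves is trusted to sign control-plane tokens.` The declaration accepts any string, and whether the implementation validates the scheme cannot be seen from this `.d.ts`. The `proxyControlPlane` type and the enclosing `AuthHeroConfig` interface both continue outside this hunk.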
|