authhero 7.0.0 → 7.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/assets/u/widget/index.esm.js +1 -1
- package/dist/authhero.cjs +94 -94
- package/dist/authhero.d.ts +224 -244
- package/dist/authhero.mjs +7590 -7572
- package/dist/stats.html +1 -1
- package/dist/tsconfig.types.tsbuildinfo +1 -1
- package/dist/types/authentication-flows/passwordless.d.ts +3 -3
- package/dist/types/helpers/dcr/metadata-mapping.d.ts +1 -1
- package/dist/types/helpers/signing-keys.d.ts +1 -0
- package/dist/types/index.d.ts +203 -221
- package/dist/types/routes/auth-api/index.d.ts +32 -32
- package/dist/types/routes/auth-api/passwordless.d.ts +14 -14
- package/dist/types/routes/auth-api/register/index.d.ts +2 -2
- package/dist/types/routes/auth-api/revoke.d.ts +6 -6
- package/dist/types/routes/auth-api/token.d.ts +10 -10
- package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
- package/dist/types/routes/management-api/client-grants.d.ts +8 -8
- package/dist/types/routes/management-api/clients.d.ts +7 -7
- package/dist/types/routes/management-api/connections.d.ts +1 -1
- package/dist/types/routes/management-api/custom-domains.d.ts +7 -25
- package/dist/types/routes/management-api/failed-events.d.ts +1 -1
- package/dist/types/routes/management-api/forms.d.ts +119 -119
- package/dist/types/routes/management-api/guardian.d.ts +5 -5
- package/dist/types/routes/management-api/index.d.ts +165 -183
- package/dist/types/routes/management-api/logs.d.ts +3 -3
- package/dist/types/routes/management-api/migration-sources.d.ts +6 -6
- package/dist/types/routes/management-api/organizations.d.ts +1 -1
- package/dist/types/routes/management-api/prompts.d.ts +4 -4
- package/dist/types/routes/management-api/users.d.ts +2 -2
- package/dist/types/routes/proxy-control-plane/index.d.ts +10 -15
- package/dist/types/routes/proxy-control-plane/verify.d.ts +10 -5
- package/dist/types/routes/universal-login/common.d.ts +2 -2
- package/dist/types/routes/universal-login/flow-api.d.ts +8 -8
- package/dist/types/routes/universal-login/u2-index.d.ts +6 -6
- package/dist/types/routes/universal-login/u2-routes.d.ts +6 -6
- package/dist/types/types/AuthHeroConfig.d.ts +11 -13
- package/dist/types/types/Bindings.d.ts +0 -6
- package/dist/types/utils/jwks.d.ts +10 -11
- package/dist/types/utils/jwt.d.ts +21 -1
- package/package.json +5 -5
|
@@ -24,7 +24,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
24
24
|
};
|
|
25
25
|
};
|
|
26
26
|
output: {
|
|
27
|
-
type: "
|
|
27
|
+
type: "festft" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "i" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
28
28
|
date: string;
|
|
29
29
|
isMobile: boolean;
|
|
30
30
|
log_id: string;
|
|
@@ -63,7 +63,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
63
63
|
limit: number;
|
|
64
64
|
length: number;
|
|
65
65
|
logs: {
|
|
66
|
-
type: "
|
|
66
|
+
type: "festft" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "i" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
67
67
|
date: string;
|
|
68
68
|
isMobile: boolean;
|
|
69
69
|
log_id: string;
|
|
@@ -117,7 +117,7 @@ export declare const logRoutes: OpenAPIHono<{
|
|
|
117
117
|
};
|
|
118
118
|
};
|
|
119
119
|
output: {
|
|
120
|
-
type: "
|
|
120
|
+
type: "festft" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "i" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
121
121
|
date: string;
|
|
122
122
|
isMobile: boolean;
|
|
123
123
|
log_id: string;
|
|
@@ -15,7 +15,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
15
15
|
created_at: string;
|
|
16
16
|
updated_at: string;
|
|
17
17
|
name: string;
|
|
18
|
-
provider: "auth0" | "
|
|
18
|
+
provider: "auth0" | "oidc" | "okta" | "cognito";
|
|
19
19
|
connection: string;
|
|
20
20
|
enabled: boolean;
|
|
21
21
|
credentials: {
|
|
@@ -47,7 +47,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
47
47
|
created_at: string;
|
|
48
48
|
updated_at: string;
|
|
49
49
|
name: string;
|
|
50
|
-
provider: "auth0" | "
|
|
50
|
+
provider: "auth0" | "oidc" | "okta" | "cognito";
|
|
51
51
|
connection: string;
|
|
52
52
|
enabled: boolean;
|
|
53
53
|
credentials: {
|
|
@@ -73,7 +73,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
73
73
|
} & {
|
|
74
74
|
json: {
|
|
75
75
|
name: string;
|
|
76
|
-
provider: "auth0" | "
|
|
76
|
+
provider: "auth0" | "oidc" | "okta" | "cognito";
|
|
77
77
|
connection: string;
|
|
78
78
|
credentials: {
|
|
79
79
|
domain: string;
|
|
@@ -90,7 +90,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
90
90
|
created_at: string;
|
|
91
91
|
updated_at: string;
|
|
92
92
|
name: string;
|
|
93
|
-
provider: "auth0" | "
|
|
93
|
+
provider: "auth0" | "oidc" | "okta" | "cognito";
|
|
94
94
|
connection: string;
|
|
95
95
|
enabled: boolean;
|
|
96
96
|
credentials: {
|
|
@@ -121,7 +121,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
121
121
|
json: {
|
|
122
122
|
id?: string | undefined;
|
|
123
123
|
name?: string | undefined;
|
|
124
|
-
provider?: "auth0" | "
|
|
124
|
+
provider?: "auth0" | "oidc" | "okta" | "cognito" | undefined;
|
|
125
125
|
connection?: string | undefined;
|
|
126
126
|
enabled?: boolean | undefined;
|
|
127
127
|
credentials?: {
|
|
@@ -137,7 +137,7 @@ export declare const migrationSourcesRoutes: OpenAPIHono<{
|
|
|
137
137
|
created_at: string;
|
|
138
138
|
updated_at: string;
|
|
139
139
|
name: string;
|
|
140
|
-
provider: "auth0" | "
|
|
140
|
+
provider: "auth0" | "oidc" | "okta" | "cognito";
|
|
141
141
|
connection: string;
|
|
142
142
|
enabled: boolean;
|
|
143
143
|
credentials: {
|
|
@@ -890,8 +890,8 @@ export declare const organizationRoutes: OpenAPIHono<{
|
|
|
890
890
|
};
|
|
891
891
|
} & {
|
|
892
892
|
json: {
|
|
893
|
-
show_as_button?: boolean | undefined;
|
|
894
893
|
assign_membership_on_login?: boolean | undefined;
|
|
894
|
+
show_as_button?: boolean | undefined;
|
|
895
895
|
is_signup_enabled?: boolean | undefined;
|
|
896
896
|
};
|
|
897
897
|
};
|
|
@@ -50,7 +50,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
50
50
|
};
|
|
51
51
|
};
|
|
52
52
|
output: {
|
|
53
|
-
prompt: "
|
|
53
|
+
prompt: "mfa" | "organizations" | "status" | "signup" | "common" | "consent" | "device-flow" | "email-otp-challenge" | "email-verification" | "invitation" | "login" | "login-id" | "login-password" | "login-passwordless" | "mfa-email" | "mfa-otp" | "mfa-phone" | "mfa-login-options" | "mfa-push" | "mfa-recovery-code" | "mfa-voice" | "mfa-webauthn" | "passkeys" | "reset-password" | "signup-id" | "signup-password" | "captcha" | "custom-form";
|
|
54
54
|
language: string;
|
|
55
55
|
}[];
|
|
56
56
|
outputFormat: "json";
|
|
@@ -88,7 +88,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
88
88
|
$get: {
|
|
89
89
|
input: {
|
|
90
90
|
param: {
|
|
91
|
-
prompt: "
|
|
91
|
+
prompt: "mfa" | "organizations" | "status" | "signup" | "common" | "consent" | "device-flow" | "email-otp-challenge" | "email-verification" | "invitation" | "login" | "login-id" | "login-password" | "login-passwordless" | "mfa-email" | "mfa-otp" | "mfa-phone" | "mfa-login-options" | "mfa-push" | "mfa-recovery-code" | "mfa-voice" | "mfa-webauthn" | "passkeys" | "reset-password" | "signup-id" | "signup-password" | "captcha" | "custom-form";
|
|
92
92
|
language: string;
|
|
93
93
|
};
|
|
94
94
|
} & {
|
|
@@ -110,7 +110,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
110
110
|
$put: {
|
|
111
111
|
input: {
|
|
112
112
|
param: {
|
|
113
|
-
prompt: "
|
|
113
|
+
prompt: "mfa" | "organizations" | "status" | "signup" | "common" | "consent" | "device-flow" | "email-otp-challenge" | "email-verification" | "invitation" | "login" | "login-id" | "login-password" | "login-passwordless" | "mfa-email" | "mfa-otp" | "mfa-phone" | "mfa-login-options" | "mfa-push" | "mfa-recovery-code" | "mfa-voice" | "mfa-webauthn" | "passkeys" | "reset-password" | "signup-id" | "signup-password" | "captcha" | "custom-form";
|
|
114
114
|
language: string;
|
|
115
115
|
};
|
|
116
116
|
} & {
|
|
@@ -134,7 +134,7 @@ export declare const promptsRoutes: OpenAPIHono<{
|
|
|
134
134
|
$delete: {
|
|
135
135
|
input: {
|
|
136
136
|
param: {
|
|
137
|
-
prompt: "
|
|
137
|
+
prompt: "mfa" | "organizations" | "status" | "signup" | "common" | "consent" | "device-flow" | "email-otp-challenge" | "email-verification" | "invitation" | "login" | "login-id" | "login-password" | "login-passwordless" | "mfa-email" | "mfa-otp" | "mfa-phone" | "mfa-login-options" | "mfa-push" | "mfa-recovery-code" | "mfa-voice" | "mfa-webauthn" | "passkeys" | "reset-password" | "signup-id" | "signup-password" | "captcha" | "custom-form";
|
|
138
138
|
language: string;
|
|
139
139
|
};
|
|
140
140
|
} & {
|
|
@@ -737,7 +737,7 @@ export declare const userRoutes: OpenAPIHono<{
|
|
|
737
737
|
};
|
|
738
738
|
};
|
|
739
739
|
output: {
|
|
740
|
-
type: "
|
|
740
|
+
type: "festft" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "i" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
741
741
|
date: string;
|
|
742
742
|
isMobile: boolean;
|
|
743
743
|
log_id: string;
|
|
@@ -776,7 +776,7 @@ export declare const userRoutes: OpenAPIHono<{
|
|
|
776
776
|
limit: number;
|
|
777
777
|
length: number;
|
|
778
778
|
logs: {
|
|
779
|
-
type: "
|
|
779
|
+
type: "festft" | "acls_summary" | "actions_execution_failed" | "api_limit" | "api_limit_warning" | "appi" | "ciba_exchange_failed" | "ciba_exchange_succeeded" | "ciba_start_failed" | "ciba_start_succeeded" | "cls" | "cs" | "depnote" | "f" | "fc" | "fce" | "fco" | "fcoa" | "fcp" | "fcph" | "fcpn" | "fcpr" | "fcpro" | "fcu" | "fd" | "fdeac" | "fdeaz" | "fdecc" | "fdu" | "feacft" | "feccft" | "fecte" | "fede" | "federated_logout_failed" | "fens" | "feoobft" | "feotpft" | "fepft" | "fepotpft" | "fercft" | "ferrt" | "fertft" | "fh" | "fimp" | "fi" | "flo" | "flows_execution_completed" | "flows_execution_failed" | "fn" | "forms_submission_failed" | "forms_submission_succeeded" | "fp" | "fpar" | "fpurh" | "fs" | "fsa" | "fu" | "fui" | "fv" | "fvr" | "gd_auth_email_verification" | "gd_auth_fail_email_verification" | "gd_auth_failed" | "gd_auth_rejected" | "gd_auth_succeed" | "gd_enrollment_complete" | "gd_otp_rate_limit_exceed" | "gd_recovery_failed" | "gd_recovery_rate_limit_exceed" | "gd_recovery_succeed" | "gd_send_email" | "gd_send_email_verification" | "gd_send_email_verification_failure" | "gd_send_pn" | "gd_send_pn_failure" | "gd_send_sms" | "gd_send_sms_failure" | "gd_send_voice" | "gd_send_voice_failure" | "gd_start_auth" | "gd_start_enroll" | "gd_start_enroll_failed" | "gd_tenant_update" | "gd_unenroll" | "gd_update_device_account" | "gd_webauthn_challenge_failed" | "gd_webauthn_enrollment_failed" | "kms_key_management_failure" | "kms_key_management_success" | "kms_key_state_changed" | "limit_delegation" | "limit_mu" | "limit_sul" | "limit_wc" | "i" | "mfar" | "mgmt_api_read" | "my_account_authentication_method_failed" | "my_account_authentication_method_succeeded" | "oidc_backchannel_logout_failed" | "oidc_backchannel_logout_succeeded" | "organization_member_added" | "passkey_challenge_failed" | "passkey_challenge_started" | "pla" | "pwd_leak" | "reset_pwd_leak" | "resource_cleanup" | "rich_consents_access_error" | "s" | "sapi" | "fapi" | "sce" | "scoa" | "scp" | "scpn" | "scpr" | "scu" | "scv" | "sd" | "sdu" | "seacft" | "seccft" | "secte" | "sede" | "sens" | "seoobft" | "seotpft" | "sepotpft" | "sepft" | "sepkoobft" | "sepkotpft" | "sepkrcft" | "sercft" | "sertft" | "sestft" | "simp" | "si" | "signup_pwd_leak" | "slo" | "sh" | "spm" | "srrt" | "ss" | "ss_sso_failure" | "ss_sso_info" | "ss_sso_success" | "ssa" | "sscim" | "sui" | "sv" | "svr" | "too_many_records" | "ublkdu" | "universal_logout_failed" | "universal_logout_succeeded" | "w" | "wn" | "wum";
|
|
780
780
|
date: string;
|
|
781
781
|
isMobile: boolean;
|
|
782
782
|
log_id: string;
|
|
@@ -10,18 +10,10 @@ export interface ProxyControlPlaneOptions {
|
|
|
10
10
|
*/
|
|
11
11
|
resolveHost: (host: string) => Promise<ResolvedHost | null>;
|
|
12
12
|
/**
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
* normalization), and include the `proxy:resolve_host` scope.
|
|
18
|
-
*/
|
|
19
|
-
jwksUrl: string;
|
|
20
|
-
/**
|
|
21
|
-
* Optional fetch override for `jwksUrl`. Defaults to global `fetch`.
|
|
22
|
-
* Hosts on Cloudflare Workers can pass
|
|
23
|
-
* `(url) => env.JWKS_SERVICE.fetch(url)` to route through a service
|
|
24
|
-
* binding instead of the public network.
|
|
13
|
+
* Optional fetch override for the per-issuer JWKS document. Called with
|
|
14
|
+
* the derived URL (`<iss>/.well-known/jwks.json`); defaults to global
|
|
15
|
+
* `fetch`. Hosts on Cloudflare Workers can route specific hosts through a
|
|
16
|
+
* service binding by inspecting the URL and dispatching accordingly.
|
|
25
17
|
*/
|
|
26
18
|
jwksFetch?: (url: string) => Promise<Response>;
|
|
27
19
|
/**
|
|
@@ -43,9 +35,12 @@ export interface ProxyControlPlaneOptions {
|
|
|
43
35
|
* `POST /sync` for tenant shards to replicate custom_domains / proxy_routes
|
|
44
36
|
* mutations. Mount under `/api/v2/proxy/control-plane`.
|
|
45
37
|
*
|
|
46
|
-
* Authentication is built in: requests must carry a `Bearer` JWT
|
|
47
|
-
*
|
|
48
|
-
* `
|
|
38
|
+
* Authentication is built in: requests must carry a `Bearer` JWT whose `iss`
|
|
39
|
+
* is either the runtime `env.ISSUER` or the host the request actually
|
|
40
|
+
* arrived on (`x-forwarded-host` or the request URL's host). The verifier
|
|
41
|
+
* then fetches `<iss>/.well-known/jwks.json` to validate the signature, so
|
|
42
|
+
* each accepted host must publish its own JWKS at that path. Tokens must
|
|
43
|
+
* also carry the `proxy:resolve_host` scope.
|
|
49
44
|
*/
|
|
50
45
|
export declare function createProxyControlPlaneApp(options: ProxyControlPlaneOptions): Hono<{
|
|
51
46
|
Bindings: Bindings;
|
|
@@ -16,12 +16,15 @@ export type VerifyControlPlaneTokenResult = {
|
|
|
16
16
|
export interface VerifyControlPlaneTokenOptions {
|
|
17
17
|
/** Compact JWS to verify. */
|
|
18
18
|
token: string;
|
|
19
|
-
/** JWKS document URL. */
|
|
20
|
-
jwksUrl: string;
|
|
21
19
|
/** Optional fetch override — defaults to global `fetch`. */
|
|
22
20
|
jwksFetch?: (url: string) => Promise<Response>;
|
|
23
|
-
/**
|
|
24
|
-
|
|
21
|
+
/**
|
|
22
|
+
* Set of acceptable `iss` claim values. Comparison is strict URL equality
|
|
23
|
+
* (after trailing-slash normalization) via {@link isAllowedIssuer}. The
|
|
24
|
+
* verifier fetches the per-issuer JWKS from `<iss>/.well-known/jwks.json`,
|
|
25
|
+
* so any host you list here must publish its own JWKS at that path.
|
|
26
|
+
*/
|
|
27
|
+
expectedIssuers: string[];
|
|
25
28
|
/** Required `scope` (space-separated). Defaults to `proxy:resolve_host`. */
|
|
26
29
|
requiredScope?: string;
|
|
27
30
|
}
|
|
@@ -33,7 +36,9 @@ export interface VerifyControlPlaneTokenOptions {
|
|
|
33
36
|
* Accepted algs: RS256/384/512, ES256/384/512. The JWK's `alg` must match
|
|
34
37
|
* the token header's `alg`. The token must carry the configured required
|
|
35
38
|
* scope (`proxy:resolve_host` by default) and an `iss` that strictly equals
|
|
36
|
-
* `
|
|
39
|
+
* one of `expectedIssuers` after URL normalization. The JWKS document is
|
|
40
|
+
* fetched from `<iss>/.well-known/jwks.json` AFTER the `iss` is allow-listed,
|
|
41
|
+
* so an attacker cannot redirect the verifier to a JWKS they control.
|
|
37
42
|
*/
|
|
38
43
|
export declare function verifyControlPlaneToken(options: VerifyControlPlaneTokenOptions): Promise<VerifyControlPlaneTokenResult>;
|
|
39
44
|
export { PROXY_RESOLVE_HOST_SCOPE };
|
|
@@ -447,7 +447,7 @@ export declare function initJSXRoute(ctx: Context<{
|
|
|
447
447
|
custom_login_page_preview?: string | undefined;
|
|
448
448
|
form_template?: string | undefined;
|
|
449
449
|
addons?: Record<string, any> | undefined;
|
|
450
|
-
token_endpoint_auth_method?: "
|
|
450
|
+
token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
|
|
451
451
|
client_metadata?: Record<string, string> | undefined;
|
|
452
452
|
hide_sign_up_disabled_error?: boolean | undefined;
|
|
453
453
|
mobile?: Record<string, any> | undefined;
|
|
@@ -1166,7 +1166,7 @@ export declare function initJSXRouteWithSession(ctx: Context<{
|
|
|
1166
1166
|
custom_login_page_preview?: string | undefined;
|
|
1167
1167
|
form_template?: string | undefined;
|
|
1168
1168
|
addons?: Record<string, any> | undefined;
|
|
1169
|
-
token_endpoint_auth_method?: "
|
|
1169
|
+
token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
|
|
1170
1170
|
client_metadata?: Record<string, string> | undefined;
|
|
1171
1171
|
hide_sign_up_disabled_error?: boolean | undefined;
|
|
1172
1172
|
mobile?: Record<string, any> | undefined;
|
|
@@ -43,7 +43,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
43
43
|
hint?: string | undefined;
|
|
44
44
|
messages?: {
|
|
45
45
|
text: string;
|
|
46
|
-
type: "
|
|
46
|
+
type: "error" | "success" | "info" | "warning";
|
|
47
47
|
id?: number | undefined;
|
|
48
48
|
}[] | undefined;
|
|
49
49
|
}[];
|
|
@@ -51,7 +51,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
51
51
|
description?: string | undefined;
|
|
52
52
|
messages?: {
|
|
53
53
|
text: string;
|
|
54
|
-
type: "
|
|
54
|
+
type: "error" | "success" | "info" | "warning";
|
|
55
55
|
id?: number | undefined;
|
|
56
56
|
}[] | undefined;
|
|
57
57
|
links?: {
|
|
@@ -123,7 +123,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
123
123
|
hint?: string | undefined;
|
|
124
124
|
messages?: {
|
|
125
125
|
text: string;
|
|
126
|
-
type: "
|
|
126
|
+
type: "error" | "success" | "info" | "warning";
|
|
127
127
|
id?: number | undefined;
|
|
128
128
|
}[] | undefined;
|
|
129
129
|
}[];
|
|
@@ -131,7 +131,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
131
131
|
description?: string | undefined;
|
|
132
132
|
messages?: {
|
|
133
133
|
text: string;
|
|
134
|
-
type: "
|
|
134
|
+
type: "error" | "success" | "info" | "warning";
|
|
135
135
|
id?: number | undefined;
|
|
136
136
|
}[] | undefined;
|
|
137
137
|
links?: {
|
|
@@ -220,7 +220,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
220
220
|
hint?: string | undefined;
|
|
221
221
|
messages?: {
|
|
222
222
|
text: string;
|
|
223
|
-
type: "
|
|
223
|
+
type: "error" | "success" | "info" | "warning";
|
|
224
224
|
id?: number | undefined;
|
|
225
225
|
}[] | undefined;
|
|
226
226
|
}[];
|
|
@@ -228,7 +228,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
228
228
|
description?: string | undefined;
|
|
229
229
|
messages?: {
|
|
230
230
|
text: string;
|
|
231
|
-
type: "
|
|
231
|
+
type: "error" | "success" | "info" | "warning";
|
|
232
232
|
id?: number | undefined;
|
|
233
233
|
}[] | undefined;
|
|
234
234
|
links?: {
|
|
@@ -335,7 +335,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
335
335
|
hint?: string | undefined;
|
|
336
336
|
messages?: {
|
|
337
337
|
text: string;
|
|
338
|
-
type: "
|
|
338
|
+
type: "error" | "success" | "info" | "warning";
|
|
339
339
|
id?: number | undefined;
|
|
340
340
|
}[] | undefined;
|
|
341
341
|
}[];
|
|
@@ -343,7 +343,7 @@ export declare const flowApiRoutes: OpenAPIHono<{
|
|
|
343
343
|
description?: string | undefined;
|
|
344
344
|
messages?: {
|
|
345
345
|
text: string;
|
|
346
|
-
type: "
|
|
346
|
+
type: "error" | "success" | "info" | "warning";
|
|
347
347
|
id?: number | undefined;
|
|
348
348
|
}[] | undefined;
|
|
349
349
|
links?: {
|
|
@@ -165,7 +165,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
165
165
|
$get: {
|
|
166
166
|
input: {
|
|
167
167
|
param: {
|
|
168
|
-
screen: "signup" | "
|
|
168
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
169
169
|
};
|
|
170
170
|
} & {
|
|
171
171
|
query: {
|
|
@@ -181,7 +181,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
181
181
|
} | {
|
|
182
182
|
input: {
|
|
183
183
|
param: {
|
|
184
|
-
screen: "signup" | "
|
|
184
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
185
185
|
};
|
|
186
186
|
} & {
|
|
187
187
|
query: {
|
|
@@ -197,7 +197,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
197
197
|
} | {
|
|
198
198
|
input: {
|
|
199
199
|
param: {
|
|
200
|
-
screen: "signup" | "
|
|
200
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
201
201
|
};
|
|
202
202
|
} & {
|
|
203
203
|
query: {
|
|
@@ -217,7 +217,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
217
217
|
$post: {
|
|
218
218
|
input: {
|
|
219
219
|
param: {
|
|
220
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
220
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
221
221
|
};
|
|
222
222
|
} & {
|
|
223
223
|
query: {
|
|
@@ -235,7 +235,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
235
235
|
} | {
|
|
236
236
|
input: {
|
|
237
237
|
param: {
|
|
238
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
238
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
239
239
|
};
|
|
240
240
|
} & {
|
|
241
241
|
query: {
|
|
@@ -253,7 +253,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
|
|
|
253
253
|
} | {
|
|
254
254
|
input: {
|
|
255
255
|
param: {
|
|
256
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
256
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
257
257
|
};
|
|
258
258
|
} & {
|
|
259
259
|
query: {
|
|
@@ -170,7 +170,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
170
170
|
$get: {
|
|
171
171
|
input: {
|
|
172
172
|
param: {
|
|
173
|
-
screen: "signup" | "
|
|
173
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
174
174
|
};
|
|
175
175
|
} & {
|
|
176
176
|
query: {
|
|
@@ -186,7 +186,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
186
186
|
} | {
|
|
187
187
|
input: {
|
|
188
188
|
param: {
|
|
189
|
-
screen: "signup" | "
|
|
189
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
190
190
|
};
|
|
191
191
|
} & {
|
|
192
192
|
query: {
|
|
@@ -202,7 +202,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
202
202
|
} | {
|
|
203
203
|
input: {
|
|
204
204
|
param: {
|
|
205
|
-
screen: "signup" | "
|
|
205
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "account" | "enter-password" | "impersonate" | "try-connection-result" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
206
206
|
};
|
|
207
207
|
} & {
|
|
208
208
|
query: {
|
|
@@ -222,7 +222,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
222
222
|
$post: {
|
|
223
223
|
input: {
|
|
224
224
|
param: {
|
|
225
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
225
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
226
226
|
};
|
|
227
227
|
} & {
|
|
228
228
|
query: {
|
|
@@ -240,7 +240,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
240
240
|
} | {
|
|
241
241
|
input: {
|
|
242
242
|
param: {
|
|
243
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
243
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
244
244
|
};
|
|
245
245
|
} & {
|
|
246
246
|
query: {
|
|
@@ -258,7 +258,7 @@ export declare const u2Routes: OpenAPIHono<{
|
|
|
258
258
|
} | {
|
|
259
259
|
input: {
|
|
260
260
|
param: {
|
|
261
|
-
screen: "signup" | "login" | "reset-password" | "
|
|
261
|
+
screen: "signup" | "consent" | "login" | "reset-password" | "enter-password" | "impersonate" | "reset-password/request" | "reset-password/code" | "login/identifier" | "login/email-otp-challenge" | "login/sms-otp-challenge" | "login/login-passwordless-identifier" | "mfa/login-options" | "mfa/totp-challenge" | "mfa/totp-enrollment" | "mfa/phone-challenge" | "mfa/phone-enrollment" | "passkey/challenge" | "passkey/enrollment" | "passkey/enrollment-nudge" | "account/profile" | "account/security" | "account/security/totp-enrollment" | "account/security/phone-enrollment" | "account/linked" | "account/delete" | "account/passkeys" | "connect/start" | "connect/select-tenant";
|
|
262
262
|
};
|
|
263
263
|
} & {
|
|
264
264
|
query: {
|
|
@@ -284,23 +284,21 @@ export interface AuthHeroConfig {
|
|
|
284
284
|
* which returns the cross-tenant `ResolvedHost` for the given hostname.
|
|
285
285
|
*
|
|
286
286
|
* Authentication is opinionated and built in: incoming requests must
|
|
287
|
-
* carry a `Bearer` JWT
|
|
288
|
-
* the
|
|
289
|
-
*
|
|
290
|
-
*
|
|
287
|
+
* carry a `Bearer` JWT whose `iss` is either the runtime `env.ISSUER`
|
|
288
|
+
* or the host the request landed on (tenant subdomain or registered
|
|
289
|
+
* custom domain). The verifier fetches `<iss>/.well-known/jwks.json` to
|
|
290
|
+
* validate the signature, so each accepted host must publish its own
|
|
291
|
+
* JWKS at that path. Tokens must also carry the `proxy:resolve_host`
|
|
292
|
+
* scope. The matching client-side helper is `createHttpProxyAdapter`
|
|
293
|
+
* in `@authhero/proxy`.
|
|
291
294
|
*/
|
|
292
295
|
proxyControlPlane?: {
|
|
293
296
|
resolveHost: (host: string) => Promise<import("@authhero/proxy").ResolvedHost | null>;
|
|
294
297
|
/**
|
|
295
|
-
*
|
|
296
|
-
*
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
/**
|
|
300
|
-
* Optional fetch override for `jwksUrl`. Defaults to global `fetch`.
|
|
301
|
-
* Hosts on Cloudflare Workers can pass
|
|
302
|
-
* `(url) => env.JWKS_SERVICE.fetch(url)` to route through a service
|
|
303
|
-
* binding instead of the public network.
|
|
298
|
+
* Optional fetch override for the per-issuer JWKS document. Called
|
|
299
|
+
* with the derived URL (`<iss>/.well-known/jwks.json`); defaults to
|
|
300
|
+
* global `fetch`. Hosts on Cloudflare Workers can route specific
|
|
301
|
+
* hosts through a service binding by inspecting the URL.
|
|
304
302
|
*/
|
|
305
303
|
jwksFetch?: (url: string) => Promise<Response>;
|
|
306
304
|
/**
|