authhero 7.0.0 → 7.2.0

package/dist/types/types/Bindings.d.ts

@@ -3,14 +3,9 @@ import type { SamlSigner } from "@authhero/saml/core";
 import { Hooks } from "./Hooks";
 import { EntityHooksConfig, OutboxConfig, SigningKeyModeOption, UserLinkingModeOption, UsernamePasswordProviderResolver, WebhookInvoker } from "./AuthHeroConfig";
 import { StrategyHandler } from "../strategies";
-declare type Fetcher = {
-    fetch: typeof fetch;
-};
 export type Bindings = {
     ENVIRONMENT: string;
     AUTH_URL: string;
-    JWKS_URL?: string;
-    JWKS_SERVICE?: Fetcher;
     ISSUER: string;
     UNIVERSAL_LOGIN_URL?: string;
     OAUTH_API_URL?: string;
@@ -49,4 +44,3 @@ export type Bindings = {
      */
     ALLOW_PRIVATE_OUTBOUND_FETCH?: boolean;
 };
-export {};

package/dist/types/utils/jwks.d.ts

@@ -1,13 +1,12 @@
 import { DataAdapters } from "@authhero/adapter-interfaces";
 import { SigningKeyModeOption } from "../types/AuthHeroConfig";
 /**
- * Helper function to fetch JWKS keys from the database for token *verification*.
- *
- * Returns every non-revoked `jwt_signing` key regardless of tenant scope so a
- * token signed by any key (control-plane or any tenant) can be matched by kid.
- * Use `getJwksForPublication` for the public `/.well-known/jwks.json` endpoint.
+ * JWKS for publication on a tenant's `/.well-known/jwks.json`. Honors the
+ * configured `signingKeyMode` and, in `"tenant"` mode, returns the union of
+ * the tenant's keys and the control-plane fallback so tokens signed by either
+ * still verify during the per-tenant key rollout.
  */
-export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
+export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
     kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
@@ -21,12 +20,12 @@ export declare function getJwksFromDatabase(data: DataAdapters): Promise<{
     x5c?: string[] | undefined;
 }[]>;
 /**
- * JWKS for publication on a tenant's `/.well-known/jwks.json`. Honors the
- * configured `signingKeyMode` and, in `"tenant"` mode, returns the union of
- * the tenant's keys and the control-plane fallback so tokens signed by either
- * still verify during the per-tenant key rollout.
+ * JWKS for verifying bearer tokens. Mirrors the publication set so any kid
+ * that appears in a tenant's published `/.well-known/jwks.json` will also
+ * verify. Without a resolved tenant (control-plane host with no tenant
+ * subdomain), only control-plane-signed tokens are accepted.
  */
-export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
+export declare function getJwksForVerification(data: DataAdapters, tenantId: string | undefined, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
     kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;

package/dist/types/utils/jwt.d.ts

@@ -1,4 +1,5 @@
 import { Context } from "hono";
+import { JSONHTTPException } from "../errors/json-http-exception";
 export interface JwtPayload {
     sub: string;
     iss: string;
@@ -16,4 +17,23 @@ export interface JwtPayload {
         client_id?: string;
     };
 }
-export declare function validateJwtToken(ctx: Context, token: string): Promise<JwtPayload>;
+export interface ValidateJwtTokenOptions {
+    /**
+     * Skip the `iss === getIssuer(env, custom_domain)` check. Use only when the
+     * caller will perform its own issuer check with caller-specific error
+     * semantics — e.g. RFC 8693 token-exchange returns `invalid_grant` (400/403)
+     * for iss mismatch rather than the 401 this function would raise.
+     */
+    skipIssuerCheck?: boolean;
+}
+/**
+ * Raised when the subject JWT carried a past `exp`. Extends JSONHTTPException
+ * with the same 403/"Invalid JWT signature" body the wrapper used to emit for
+ * any verify failure, so callers that only branch on `instanceof HTTPException`
+ * keep their current behavior. Token-exchange catches this class specifically
+ * to emit the RFC 8693 `invalid_grant` / "Subject token has expired" response.
+ */
+export declare class JwtExpiredError extends JSONHTTPException {
+    constructor();
+}
+export declare function validateJwtToken(ctx: Context, token: string, options?: ValidateJwtTokenOptions): Promise<JwtPayload>;

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "7.0.0",
+  "version": "7.2.0",
   "files": [
     "dist"
   ],
@@ -62,8 +62,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.8.3",
-    "@authhero/widget": "0.32.39"
+    "@authhero/kysely-adapter": "11.8.6",
+    "@authhero/widget": "0.32.40"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",
@@ -81,8 +81,8 @@
     "qrcode": "^1.5.4",
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
-    "@authhero/adapter-interfaces": "3.0.0",
-    "@authhero/proxy": "0.5.0",
+    "@authhero/adapter-interfaces": "3.1.0",
+    "@authhero/proxy": "0.5.1",
     "@authhero/saml": "0.4.1"
   },
   "peerDependencies": {