authhero 8.0.0 → 8.2.0

package/dist/types/authentication-flows/common.d.ts

@@ -104,6 +104,11 @@ export interface AuthenticateLoginSessionParams {
     existingSessionId?: string;
     /** The connection name used for authentication (e.g., "email", "google-oauth2") */
     authConnection?: string;
+    /** Strategy metadata persisted so /authorize/resume can rehydrate it */
+    authStrategy?: {
+        strategy: string;
+        strategy_type: string;
+    };
 }
 /**
  * Authenticate a login session - transitions from PENDING to AUTHENTICATED
@@ -120,14 +125,8 @@ export interface AuthenticateLoginSessionParams {
 export declare function authenticateLoginSession(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, { user, client, loginSession, existingSessionId, authConnection, }: AuthenticateLoginSessionParams): Promise<string>;
-export interface FinalizeAuthenticatedSessionParams extends AuthenticateLoginSessionParams {
-    /** Strategy metadata persisted so /authorize/resume can rehydrate it */
-    authStrategy?: {
-        strategy: string;
-        strategy_type: string;
-    };
-}
+}>, { user, client, loginSession, existingSessionId, authConnection, authStrategy, }: AuthenticateLoginSessionParams): Promise<string>;
+export type FinalizeAuthenticatedSessionParams = AuthenticateLoginSessionParams;
 /**
  * Persist an authenticated identity onto the login session and 302 the browser
  * to `/authorize/resume?state=…`. This is the terminal step for sub-flows
@@ -185,12 +184,15 @@ export declare function completeLoginSessionHook(ctx: Context<{
  * Mark a login session as completed (tokens issued)
  * This should be called when tokens are successfully returned to the client
  *
- * Uses optimistic concurrency: re-fetches current state to prevent stale overwrites
+ * Uses optimistic concurrency: re-fetches current state to prevent stale
+ * overwrites. Callers that fetched the session in the same request and have
+ * been the only writer since (e.g. createFrontChannelAuthResponse) can pass
+ * it as `freshSession` to skip the round-trip.
  */
 export declare function completeLoginSession(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, tenantId: string, loginSession: LoginSession, auth_connection?: string): Promise<void>;
+}>, tenantId: string, loginSession: LoginSession, auth_connection?: string, freshSession?: LoginSession): Promise<void>;
 /**
  * Start a continuation - user is redirected to an account page (change-email, etc.)
  * This transitions to AWAITING_CONTINUATION and stores the allowed scope and return URL
@@ -253,6 +255,12 @@ export declare function completeLogin(ctx: Context<{
 }>, params: Omit<CreateAuthTokensParams, "client"> & {
     client: EnrichedClient;
     responseType?: AuthorizationResponseType;
+    /**
+     * Set when `loginSession` was fetched in this request and this call chain
+     * has been the only writer since — lets completeLoginSession skip its
+     * stale-overwrite re-fetch.
+     */
+    loginSessionIsCurrent?: boolean;
 }): Promise<TokenResponse | {
     code: string;
     state?: string;

package/dist/types/authentication-flows/connection.d.ts

@@ -1,11 +1,11 @@
 import { Context } from "hono";
-import { AuthParams } from "@authhero/adapter-interfaces";
+import { AuthParams, LoginSession } from "@authhero/adapter-interfaces";
 import { EnrichedClient } from "../helpers/client";
 import { Bindings, Variables } from "../types";
 export declare function connectionAuth(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, client: EnrichedClient, connectionName: string, authParams: AuthParams): Promise<Response>;
+}>, client: EnrichedClient, connectionName: string, authParams: AuthParams, preloadedLoginSession?: LoginSession | null): Promise<Response>;
 interface SocialAuthCallbackParams {
     code: string;
     state: string;

package/dist/types/authentication-flows/passwordless.d.ts

@@ -457,7 +457,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
+        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;
@@ -540,8 +540,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
         } | undefined;
         authenticated_at?: string | undefined;
     };
-    connectionType: "username" | "sms" | "email";
-    authConnection: "username" | "sms" | "email";
+    connectionType: "username" | "email" | "sms";
+    authConnection: "username" | "email" | "sms";
     session_id: string | undefined;
     authParams: {
         client_id: string;

package/dist/types/helpers/client-bundle.d.ts

@@ -1,4 +1,4 @@
-import { CacheAdapter, Client, Connection, ClientWithTenantId, DataAdapters, ListConnectionsResponse, ListResourceServersResponse, ListHooksResponse, Branding, PromptSetting, Tenant } from "@authhero/adapter-interfaces";
+import { CacheAdapter, Client, Connection, ClientWithTenantId, DataAdapters, ListConnectionsResponse, ListResourceServersResponse, ListHooksResponse, Branding, PromptSetting, Tenant, Theme } from "@authhero/adapter-interfaces";
 /**
  * One snapshot of every per-(tenant, client) read that the request path
  * touches outside of user-specific data. Loaded once per request and held
@@ -17,6 +17,11 @@ export interface ClientBundle {
     resourceServers: ListResourceServersResponse;
     promptSettings: PromptSetting | null;
     hooks: ListHooksResponse;
+    /** The tenant's default theme. Universal-login routes always fetch this
+     * one ("default") key, so bundling it saves a round-trip on every UI
+     * render. Non-UI routes get the field for free; the payload is small.
+     */
+    defaultTheme: Theme | null;
 }
 export interface ClientBundleConfig {
     /** Seconds the bundle is served without a refresh. Default 300. */
@@ -27,6 +32,15 @@ export interface ClientBundleConfig {
     keyPrefix?: string;
 }
 export declare function clientBundleKey(tenantId: string, clientId: string, prefix?: string): string;
+/**
+ * Entity names covered by the {@link ClientBundle}. Single source of truth
+ * used by {@link composeAuthData} so individual apps don't need to enumerate
+ * the bundled entities themselves — they only declare their long-tail
+ * (non-bundle) entities.
+ *
+ * Keep in sync with {@link fetchBundle} above.
+ */
+export declare const BUNDLE_ENTITIES: readonly ["tenants", "clients", "connections", "clientConnections", "branding", "resourceServers", "promptSettings", "hooks", "themes"];
 /**
  * Look up — and on miss, populate — the per-(tenant, client) bundle.
  *

package/dist/types/helpers/compose-auth-data.d.ts

@@ -0,0 +1,44 @@
+import { Context } from "hono";
+import { CacheAdapter, DataAdapters } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+/**
+ * Composes the per-request data-adapter wrapper stack used by every app
+ * that serves authenticated/tenant-scoped traffic (auth-api, universal-
+ * login v1/v2, saml). Keeps the layer order — and the safety constraints
+ * between layers — in one place so individual apps can't drift.
+ *
+ * Layering (outermost first; that's the order callers hit on each read):
+ *   addTimingLogs        — server-timing instrumentation
+ *   withClientBundle     — L0: per-(tenant_id, client_id) snapshot
+ *   addBundleWritePurge  — local-edge bundle invalidation on writes
+ *   addRequestScopedDedup — L1: in-request Promise memoization
+ *   addCaching           — L2: cross-request cache (CF Cache API in prod)
+ *   addDataHooks         — user lifecycle hooks
+ *   raw dataAdapter      — underlying DB
+ *
+ * Apps declare only their `nonBundleEntities` — the long-tail entities they
+ * read that aren't covered by {@link BUNDLE_ENTITIES}. Those get cross-
+ * request caching via L2 (`addCaching`). Bundle entities are intentionally
+ * NOT in L2 — the bundle (L0) is their cross-request cache, and double-
+ * caching them under per-entity keys would waste edge storage and create a
+ * second invalidation surface.
+ *
+ * L1 (`addRequestScopedDedup`) covers both sets, since in-request dedup is
+ * essentially free and a useful backstop for the rare bundle fall-through
+ * (mismatched ctx.var args, non-default list params).
+ *
+ * Transactional entities (sessions, codes, loginSessions, users, refresh-
+ * Tokens, clientGrants, logs, …) MUST NOT be included in `nonBundleEntities`
+ * — see request-scoped-dedup.ts for the rationale.
+ */
+export declare function composeAuthData(opts: {
+    ctx: Context<{
+        Bindings: Bindings;
+        Variables: Variables;
+    }>;
+    rawData: DataAdapters;
+    cacheAdapter: CacheAdapter;
+    defaultTtl: number;
+    /** Entities outside the ClientBundle that should still be cached cross-request. */
+    nonBundleEntities: string[];
+}): DataAdapters;

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -24,10 +24,10 @@ export declare const dcrRequestSchema: z.ZodObject<{
     response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
         none: "none";
-        private_key_jwt: "private_key_jwt";
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
         client_secret_jwt: "client_secret_jwt";
+        private_key_jwt: "private_key_jwt";
     }>>;
     jwks_uri: z.ZodOptional<z.ZodString>;
     jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;

package/dist/types/helpers/prefetch-client-bundle.d.ts

@@ -0,0 +1,33 @@
+import { Context } from "hono";
+import { Client, Tenant } from "@authhero/adapter-interfaces";
+import { Bindings, Variables } from "../types";
+/**
+ * Explicit prefetch for the per-(tenant_id, client_id) bundle.
+ *
+ * Called once at the top of a route handler. Discovers tenant_id from
+ * client_id (if not provided), populates `ctx.var.{client_id, tenant_id}`,
+ * and warms the bundle so every downstream bundle-covered read in this
+ * request is served from one cache key.
+ *
+ * Why explicit instead of relying on the wrapper alone: the wrapper hooks
+ * via ctx.var, but several helpers (e.g. getEnrichedClient) need to read
+ * config BEFORE the route has resolved client_id/tenant_id. With this
+ * prefetch you set those upfront, so all the subsequent reads — including
+ * the ones inside getEnrichedClient's Promise.all — engage the bundle.
+ *
+ * Throws 403 if the client_id can't be resolved, 404 if its tenant is
+ * missing — matching the contract of getEnrichedClient. Does NOT handle
+ * CIMD clients (URL-based client_ids); callers that may receive a CIMD
+ * client_id should continue to use {@link getEnrichedClient} which has
+ * the CIMD-specific resolution path.
+ */
+export declare function prefetchClientBundle(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, opts: {
+    client_id: string;
+    tenant_id?: string;
+}): Promise<{
+    tenant: Tenant;
+    client: Client;
+}>;

package/dist/types/hooks/webhooks.d.ts

@@ -1,6 +1,20 @@
 import { DataAdapters, Hook, User } from "@authhero/adapter-interfaces";
 import { Context } from "hono";
 import { Variables, Bindings } from "../types";
+export interface WebHookResult {
+    ok: boolean;
+    status?: number;
+    body?: string;
+    error?: string;
+}
+export declare function invokeWebHook(ctx: Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>, hook: Hook & {
+    url: string;
+}, data: any & {
+    tenant_id: string;
+}): Promise<WebHookResult>;
 export declare function invokeHooks(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;