authhero 8.1.0 → 8.2.1

package/dist/types/authentication-flows/common.d.ts

@@ -104,6 +104,11 @@ export interface AuthenticateLoginSessionParams {
     existingSessionId?: string;
     /** The connection name used for authentication (e.g., "email", "google-oauth2") */
     authConnection?: string;
+    /** Strategy metadata persisted so /authorize/resume can rehydrate it */
+    authStrategy?: {
+        strategy: string;
+        strategy_type: string;
+    };
 }
 /**
  * Authenticate a login session - transitions from PENDING to AUTHENTICATED
@@ -120,14 +125,8 @@ export interface AuthenticateLoginSessionParams {
 export declare function authenticateLoginSession(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, { user, client, loginSession, existingSessionId, authConnection, }: AuthenticateLoginSessionParams): Promise<string>;
-export interface FinalizeAuthenticatedSessionParams extends AuthenticateLoginSessionParams {
-    /** Strategy metadata persisted so /authorize/resume can rehydrate it */
-    authStrategy?: {
-        strategy: string;
-        strategy_type: string;
-    };
-}
+}>, { user, client, loginSession, existingSessionId, authConnection, authStrategy, }: AuthenticateLoginSessionParams): Promise<string>;
+export type FinalizeAuthenticatedSessionParams = AuthenticateLoginSessionParams;
 /**
  * Persist an authenticated identity onto the login session and 302 the browser
  * to `/authorize/resume?state=…`. This is the terminal step for sub-flows
@@ -185,12 +184,15 @@ export declare function completeLoginSessionHook(ctx: Context<{
  * Mark a login session as completed (tokens issued)
  * This should be called when tokens are successfully returned to the client
  *
- * Uses optimistic concurrency: re-fetches current state to prevent stale overwrites
+ * Uses optimistic concurrency: re-fetches current state to prevent stale
+ * overwrites. Callers that fetched the session in the same request and have
+ * been the only writer since (e.g. createFrontChannelAuthResponse) can pass
+ * it as `freshSession` to skip the round-trip.
  */
 export declare function completeLoginSession(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, tenantId: string, loginSession: LoginSession, auth_connection?: string): Promise<void>;
+}>, tenantId: string, loginSession: LoginSession, auth_connection?: string, freshSession?: LoginSession): Promise<void>;
 /**
  * Start a continuation - user is redirected to an account page (change-email, etc.)
  * This transitions to AWAITING_CONTINUATION and stores the allowed scope and return URL
@@ -253,6 +255,12 @@ export declare function completeLogin(ctx: Context<{
 }>, params: Omit<CreateAuthTokensParams, "client"> & {
     client: EnrichedClient;
     responseType?: AuthorizationResponseType;
+    /**
+     * Set when `loginSession` was fetched in this request and this call chain
+     * has been the only writer since — lets completeLoginSession skip its
+     * stale-overwrite re-fetch.
+     */
+    loginSessionIsCurrent?: boolean;
 }): Promise<TokenResponse | {
     code: string;
     state?: string;

package/dist/types/authentication-flows/connection.d.ts

@@ -1,11 +1,11 @@
 import { Context } from "hono";
-import { AuthParams } from "@authhero/adapter-interfaces";
+import { AuthParams, LoginSession } from "@authhero/adapter-interfaces";
 import { EnrichedClient } from "../helpers/client";
 import { Bindings, Variables } from "../types";
 export declare function connectionAuth(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
-}>, client: EnrichedClient, connectionName: string, authParams: AuthParams): Promise<Response>;
+}>, client: EnrichedClient, connectionName: string, authParams: AuthParams, preloadedLoginSession?: LoginSession | null): Promise<Response>;
 interface SocialAuthCallbackParams {
     code: string;
     state: string;

package/dist/types/helpers/compose-auth-data.d.ts

@@ -8,12 +8,20 @@ import { Bindings, Variables } from "../types";
  * between layers — in one place so individual apps can't drift.
  *
  * Layering (outermost first; that's the order callers hit on each read):
- *   addTimingLogs        — server-timing instrumentation
  *   withClientBundle     — L0: per-(tenant_id, client_id) snapshot
  *   addBundleWritePurge  — local-edge bundle invalidation on writes
  *   addRequestScopedDedup — L1: in-request Promise memoization
  *   addCaching           — L2: cross-request cache (CF Cache API in prod)
  *   addDataHooks         — user lifecycle hooks
+ *   addTimingLogs        — server-timing instrumentation. Innermost on
+ *                          purpose: a read served by the bundle (L0), request
+ *                          dedup (L1), or cache (L2) is satisfied above this
+ *                          layer and never reaches it, so the Server-Timing
+ *                          header carries one line per genuine backend
+ *                          round-trip — with its true duration — instead of
+ *                          one line per surface call (cache/bundle hits
+ *                          included, the whole bundle's cost attributed to
+ *                          whichever call happened to trigger assembly).
  *   raw dataAdapter      — underlying DB
  *
  * Apps declare only their `nonBundleEntities` — the long-tail entities they

package/dist/types/helpers/dcr/metadata-mapping.d.ts

@@ -24,10 +24,10 @@ export declare const dcrRequestSchema: z.ZodObject<{
     response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
     token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
         none: "none";
-        private_key_jwt: "private_key_jwt";
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
         client_secret_jwt: "client_secret_jwt";
+        private_key_jwt: "private_key_jwt";
     }>>;
     jwks_uri: z.ZodOptional<z.ZodString>;
     jwks: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;

package/dist/types/helpers/server-timing.d.ts

@@ -1,6 +1,47 @@
-import { Context } from "hono";
-import { DataAdapters } from "@authhero/adapter-interfaces";
+import { Context, MiddlewareHandler } from "hono";
+import { CacheAdapter, DataAdapters } from "@authhero/adapter-interfaces";
 import { Bindings, Variables } from "../types";
+type TimingCtx = Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+/**
+ * Record one Server-Timing measurement on the request-scoped buffer
+ * (`ctx.var.serverTiming`). The measurement is NOT written to the response
+ * header here — {@link serverTimingMiddleware} decides at the end of the
+ * request whether to emit it to the client, log it server-side, or drop it.
+ * Used by the adapter wrappers below and by the webhook hook.
+ */
+export declare function recordServerTiming(ctx: TimingCtx, name: string, duration: number): void;
+/**
+ * Flushes the request-scoped Server-Timing buffer according to the
+ * `SERVER_TIMING` env. Mount this right after `applyConfigMiddleware` so that
+ * env is populated before it runs and the client `ip` is resolved by the time
+ * `next()` returns.
+ *
+ * Sinks (see {@link Bindings.SERVER_TIMING}):
+ *   - "off"/unset → drop the buffer (default; nothing reaches the client).
+ *   - "client"    → set the `Server-Timing` header, optionally gated to
+ *                   `SERVER_TIMING_IPS`.
+ *   - "log"       → emit a structured log line; never sent to the client.
+ *   - "both"      → both of the above.
+ *
+ * Off by default because per-operation timings on the public auth endpoints are
+ * a user-enumeration / side-channel surface.
+ */
+export declare const serverTimingMiddleware: MiddlewareHandler<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+/**
+ * Wraps a {@link CacheAdapter} so each operation appends a Server-Timing entry
+ * labelled by the key's prefix, e.g. `cache-get:client-bundle`,
+ * `cache-get:customText`. The cache layers call this adapter directly — not
+ * through the timed data stack — so on Workers the Cache API `match()` / `put()`
+ * round-trips would otherwise be invisible. This makes that latency observable
+ * without exposing the full (id-bearing) cache key.
+ */
+export declare function addCacheTimingLogs(ctx: TimingCtx, cache: CacheAdapter): CacheAdapter;
 /**
  * Adds server-timing middleware logging to all adapter methods
  * This wraps each method of the data adapter to measure its execution time
@@ -10,3 +51,4 @@ export declare function addTimingLogs(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
 }>, data: DataAdapters): DataAdapters;
+export {};