authhero 8.14.1 → 8.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -71,17 +71,9 @@ export declare const authorizeRoutes: OpenAPIHono<{
71
71
  request_uri?: string | undefined;
72
72
  };
73
73
  };
74
- output: string | {
75
- access_token: string;
76
- token_type: string;
77
- expires_in: number;
78
- id_token?: string | undefined;
79
- scope?: string | undefined;
80
- state?: string | undefined;
81
- refresh_token?: string | undefined;
82
- };
83
- outputFormat: "json";
84
- status: 200;
74
+ output: {};
75
+ outputFormat: string;
76
+ status: 302;
85
77
  } | {
86
78
  input: {
87
79
  query: {
@@ -113,9 +105,17 @@ export declare const authorizeRoutes: OpenAPIHono<{
113
105
  request_uri?: string | undefined;
114
106
  };
115
107
  };
116
- output: {};
117
- outputFormat: string;
118
- status: 302;
108
+ output: string | {
109
+ access_token: string;
110
+ token_type: string;
111
+ expires_in: number;
112
+ id_token?: string | undefined;
113
+ scope?: string | undefined;
114
+ state?: string | undefined;
115
+ refresh_token?: string | undefined;
116
+ };
117
+ outputFormat: "json";
118
+ status: 200;
119
119
  } | {
120
120
  input: {
121
121
  query: {
@@ -301,7 +301,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
301
301
  scope?: string | undefined;
302
302
  grant_types?: string[] | undefined;
303
303
  response_types?: string[] | undefined;
304
- token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
304
+ token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
305
305
  jwks_uri?: string | undefined;
306
306
  jwks?: Record<string, unknown> | undefined;
307
307
  software_id?: string | undefined;
@@ -390,7 +390,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
390
390
  scope?: string | undefined;
391
391
  grant_types?: string[] | undefined;
392
392
  response_types?: string[] | undefined;
393
- token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
393
+ token_endpoint_auth_method?: "none" | "private_key_jwt" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | undefined;
394
394
  jwks_uri?: string | undefined;
395
395
  jwks?: Record<string, unknown> | undefined;
396
396
  software_id?: string | undefined;
@@ -447,7 +447,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
447
447
  client_id: string;
448
448
  redirect_url?: string | undefined;
449
449
  login_hint?: string | undefined;
450
- screen_hint?: "account" | "change-email" | "change-phone" | "change-password" | undefined;
450
+ screen_hint?: "change-email" | "account" | "change-phone" | "change-password" | undefined;
451
451
  };
452
452
  };
453
453
  output: {};
@@ -459,7 +459,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
459
459
  client_id: string;
460
460
  redirect_url?: string | undefined;
461
461
  login_hint?: string | undefined;
462
- screen_hint?: "account" | "change-email" | "change-phone" | "change-password" | undefined;
462
+ screen_hint?: "change-email" | "account" | "change-phone" | "change-password" | undefined;
463
463
  };
464
464
  };
465
465
  output: {
@@ -536,17 +536,9 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
536
536
  request_uri?: string | undefined;
537
537
  };
538
538
  };
539
- output: string | {
540
- access_token: string;
541
- token_type: string;
542
- expires_in: number;
543
- id_token?: string | undefined;
544
- scope?: string | undefined;
545
- state?: string | undefined;
546
- refresh_token?: string | undefined;
547
- };
548
- outputFormat: "json";
549
- status: 200;
539
+ output: {};
540
+ outputFormat: string;
541
+ status: 302;
550
542
  } | {
551
543
  input: {
552
544
  query: {
@@ -578,9 +570,17 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
578
570
  request_uri?: string | undefined;
579
571
  };
580
572
  };
581
- output: {};
582
- outputFormat: string;
583
- status: 302;
573
+ output: string | {
574
+ access_token: string;
575
+ token_type: string;
576
+ expires_in: number;
577
+ id_token?: string | undefined;
578
+ scope?: string | undefined;
579
+ state?: string | undefined;
580
+ refresh_token?: string | undefined;
581
+ };
582
+ outputFormat: "json";
583
+ status: 200;
584
584
  } | {
585
585
  input: {
586
586
  query: {
@@ -736,21 +736,22 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
736
736
  email: string;
737
737
  send: "code" | "link";
738
738
  authParams: {
739
- vendor_id?: string | undefined;
740
- redirect_uri?: string | undefined;
741
- scope?: string | undefined;
739
+ username?: string | undefined;
742
740
  state?: string | undefined;
743
- prompt?: string | undefined;
744
- response_mode?: import("@authhero/adapter-interfaces").AuthorizationResponseMode | undefined;
745
- response_type?: import("@authhero/adapter-interfaces").AuthorizationResponseType | undefined;
746
741
  audience?: string | undefined;
742
+ response_type?: import("@authhero/adapter-interfaces").AuthorizationResponseType | undefined;
743
+ response_mode?: import("@authhero/adapter-interfaces").AuthorizationResponseMode | undefined;
744
+ scope?: string | undefined;
745
+ organization?: string | undefined;
747
746
  nonce?: string | undefined;
748
- max_age?: number | undefined;
749
- acr_values?: string | undefined;
747
+ redirect_uri?: string | undefined;
748
+ act_as?: string | undefined;
749
+ prompt?: string | undefined;
750
750
  code_challenge_method?: import("@authhero/adapter-interfaces").CodeChallengeMethod | undefined;
751
751
  code_challenge?: string | undefined;
752
- organization?: string | undefined;
753
752
  ui_locales?: string | undefined;
753
+ max_age?: number | undefined;
754
+ acr_values?: string | undefined;
754
755
  claims?: {
755
756
  userinfo?: Record<string, {
756
757
  essential?: boolean | undefined;
@@ -763,8 +764,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
763
764
  values?: unknown[] | undefined;
764
765
  } | null> | undefined;
765
766
  } | undefined;
766
- act_as?: string | undefined;
767
- username?: string | undefined;
767
+ vendor_id?: string | undefined;
768
768
  };
769
769
  } | {
770
770
  client_id: string;
@@ -772,21 +772,22 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
772
772
  phone_number: string;
773
773
  send: "code" | "link";
774
774
  authParams: {
775
- vendor_id?: string | undefined;
776
- redirect_uri?: string | undefined;
777
- scope?: string | undefined;
775
+ username?: string | undefined;
778
776
  state?: string | undefined;
779
- prompt?: string | undefined;
780
- response_mode?: import("@authhero/adapter-interfaces").AuthorizationResponseMode | undefined;
781
- response_type?: import("@authhero/adapter-interfaces").AuthorizationResponseType | undefined;
782
777
  audience?: string | undefined;
778
+ response_type?: import("@authhero/adapter-interfaces").AuthorizationResponseType | undefined;
779
+ response_mode?: import("@authhero/adapter-interfaces").AuthorizationResponseMode | undefined;
780
+ scope?: string | undefined;
781
+ organization?: string | undefined;
783
782
  nonce?: string | undefined;
784
- max_age?: number | undefined;
785
- acr_values?: string | undefined;
783
+ redirect_uri?: string | undefined;
784
+ act_as?: string | undefined;
785
+ prompt?: string | undefined;
786
786
  code_challenge_method?: import("@authhero/adapter-interfaces").CodeChallengeMethod | undefined;
787
787
  code_challenge?: string | undefined;
788
- organization?: string | undefined;
789
788
  ui_locales?: string | undefined;
789
+ max_age?: number | undefined;
790
+ acr_values?: string | undefined;
790
791
  claims?: {
791
792
  userinfo?: Record<string, {
792
793
  essential?: boolean | undefined;
@@ -799,8 +800,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
799
800
  values?: unknown[] | undefined;
800
801
  } | null> | undefined;
801
802
  } | undefined;
802
- act_as?: string | undefined;
803
- username?: string | undefined;
803
+ vendor_id?: string | undefined;
804
804
  };
805
805
  };
806
806
  };
@@ -916,14 +916,14 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
916
916
  input: {
917
917
  form: {
918
918
  token: string;
919
- token_type_hint?: "access_token" | "refresh_token" | undefined;
919
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
920
920
  client_id?: string | undefined;
921
921
  client_secret?: string | undefined;
922
922
  };
923
923
  } & {
924
924
  json: {
925
925
  token: string;
926
- token_type_hint?: "access_token" | "refresh_token" | undefined;
926
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
927
927
  client_id?: string | undefined;
928
928
  client_secret?: string | undefined;
929
929
  };
@@ -935,14 +935,14 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
935
935
  input: {
936
936
  form: {
937
937
  token: string;
938
- token_type_hint?: "access_token" | "refresh_token" | undefined;
938
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
939
939
  client_id?: string | undefined;
940
940
  client_secret?: string | undefined;
941
941
  };
942
942
  } & {
943
943
  json: {
944
944
  token: string;
945
- token_type_hint?: "access_token" | "refresh_token" | undefined;
945
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
946
946
  client_id?: string | undefined;
947
947
  client_secret?: string | undefined;
948
948
  };
@@ -957,14 +957,14 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
957
957
  input: {
958
958
  form: {
959
959
  token: string;
960
- token_type_hint?: "access_token" | "refresh_token" | undefined;
960
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
961
961
  client_id?: string | undefined;
962
962
  client_secret?: string | undefined;
963
963
  };
964
964
  } & {
965
965
  json: {
966
966
  token: string;
967
- token_type_hint?: "access_token" | "refresh_token" | undefined;
967
+ token_type_hint?: "refresh_token" | "access_token" | undefined;
968
968
  client_id?: string | undefined;
969
969
  client_secret?: string | undefined;
970
970
  };
@@ -1388,7 +1388,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
1388
1388
  error_description?: string | undefined;
1389
1389
  };
1390
1390
  outputFormat: "json";
1391
- status: 403;
1391
+ status: 401;
1392
1392
  } | {
1393
1393
  input: {
1394
1394
  form: {
@@ -1490,7 +1490,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
1490
1490
  error_description?: string | undefined;
1491
1491
  };
1492
1492
  outputFormat: "json";
1493
- status: 401;
1493
+ status: 403;
1494
1494
  };
1495
1495
  };
1496
1496
  }, "/oauth/token"> & import("hono/types").MergeSchemaPath<{
@@ -1689,7 +1689,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
1689
1689
  };
1690
1690
  output: {};
1691
1691
  outputFormat: string;
1692
- status: 302;
1692
+ status: 200;
1693
1693
  } | {
1694
1694
  input: {
1695
1695
  query: {
@@ -1703,7 +1703,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
1703
1703
  };
1704
1704
  output: {};
1705
1705
  outputFormat: string;
1706
- status: 200;
1706
+ status: 302;
1707
1707
  } | {
1708
1708
  input: {
1709
1709
  query: {
@@ -0,0 +1,128 @@
1
+ import { OpenAPIHono } from "@hono/zod-openapi";
2
+ import { Bindings, Variables } from "../../types";
3
+ export declare const operationRoutes: OpenAPIHono<{
4
+ Bindings: Bindings;
5
+ Variables: Variables;
6
+ }, {
7
+ "/:id": {
8
+ $get: {
9
+ input: {
10
+ param: {
11
+ id: string;
12
+ };
13
+ } & {
14
+ header: {
15
+ "tenant-id"?: string | undefined;
16
+ };
17
+ };
18
+ output: {
19
+ tenant_id: string | null;
20
+ kind: "provision" | "seed" | "upgrade" | "backup" | "deprovision";
21
+ engine: "inline" | "cloudflare-workflows";
22
+ id: string;
23
+ status: "pending" | "failed" | "running" | "succeeded" | "cancelled";
24
+ created_at: string;
25
+ updated_at: string;
26
+ events: {
27
+ operation_id: string;
28
+ step: string;
29
+ outcome: "failed" | "succeeded" | "started" | "retried" | "skipped" | "reconciled";
30
+ attempt: number;
31
+ id: string;
32
+ created_at: string;
33
+ detail?: {
34
+ [x: string]: import("hono/utils/types").JSONValue;
35
+ } | null | undefined;
36
+ }[];
37
+ rollout_id?: string | null | undefined;
38
+ engine_instance_id?: string | null | undefined;
39
+ target_worker_version?: string | null | undefined;
40
+ target_database_version?: string | null | undefined;
41
+ initiated_by?: string | null | undefined;
42
+ current_step?: string | null | undefined;
43
+ error?: string | null | undefined;
44
+ finished_at?: string | null | undefined;
45
+ };
46
+ outputFormat: "json";
47
+ status: 200;
48
+ };
49
+ };
50
+ }, "/">;
51
+ export declare const tenantOperationsRoutes: OpenAPIHono<{
52
+ Bindings: Bindings;
53
+ Variables: Variables;
54
+ }, {
55
+ "/": {
56
+ $get: {
57
+ input: {
58
+ query: {
59
+ page?: unknown;
60
+ per_page?: unknown;
61
+ kind?: "provision" | "seed" | "upgrade" | "backup" | "deprovision" | undefined;
62
+ status?: "pending" | "failed" | "running" | "succeeded" | "cancelled" | undefined;
63
+ };
64
+ } & {
65
+ header: {
66
+ "tenant-id"?: string | undefined;
67
+ };
68
+ };
69
+ output: {
70
+ operations: {
71
+ tenant_id: string | null;
72
+ kind: "provision" | "seed" | "upgrade" | "backup" | "deprovision";
73
+ engine: "inline" | "cloudflare-workflows";
74
+ id: string;
75
+ status: "pending" | "failed" | "running" | "succeeded" | "cancelled";
76
+ created_at: string;
77
+ updated_at: string;
78
+ rollout_id?: string | null | undefined;
79
+ engine_instance_id?: string | null | undefined;
80
+ target_worker_version?: string | null | undefined;
81
+ target_database_version?: string | null | undefined;
82
+ initiated_by?: string | null | undefined;
83
+ current_step?: string | null | undefined;
84
+ error?: string | null | undefined;
85
+ finished_at?: string | null | undefined;
86
+ }[];
87
+ start: number;
88
+ limit: number;
89
+ length: number;
90
+ };
91
+ outputFormat: "json";
92
+ status: 200;
93
+ };
94
+ };
95
+ } & {
96
+ "/": {
97
+ $post: {
98
+ input: {
99
+ header: {
100
+ "tenant-id"?: string | undefined;
101
+ };
102
+ } & {
103
+ json: {
104
+ kind: "provision" | "seed" | "upgrade" | "backup" | "deprovision";
105
+ };
106
+ };
107
+ output: {
108
+ tenant_id: string | null;
109
+ kind: "provision" | "seed" | "upgrade" | "backup" | "deprovision";
110
+ engine: "inline" | "cloudflare-workflows";
111
+ id: string;
112
+ status: "pending" | "failed" | "running" | "succeeded" | "cancelled";
113
+ created_at: string;
114
+ updated_at: string;
115
+ rollout_id?: string | null | undefined;
116
+ engine_instance_id?: string | null | undefined;
117
+ target_worker_version?: string | null | undefined;
118
+ target_database_version?: string | null | undefined;
119
+ initiated_by?: string | null | undefined;
120
+ current_step?: string | null | undefined;
121
+ error?: string | null | undefined;
122
+ finished_at?: string | null | undefined;
123
+ };
124
+ outputFormat: "json";
125
+ status: 201;
126
+ };
127
+ };
128
+ }, "/">;
@@ -781,3 +781,12 @@ export declare const tenantRoutes: OpenAPIHono<{
781
781
  };
782
782
  };
783
783
  }, "/">;
784
+ export declare function isControlPlaneTenant(ctx: {
785
+ env: {
786
+ data: {
787
+ multiTenancyConfig?: {
788
+ controlPlaneTenantId?: string;
789
+ };
790
+ };
791
+ };
792
+ }, tenantId: string): boolean;
@@ -1,4 +1,4 @@
1
- import { CodeExecutor, Connection, ConnectionInsert, CreateTenantParams, DataAdapters, Hook, ResourceServer, ResourceServerInsert, Role, RoleInsert, Tenant } from "@authhero/adapter-interfaces";
1
+ import { CodeExecutor, Connection, ConnectionInsert, CreateTenantParams, DataAdapters, Hook, ResourceServer, ResourceServerInsert, Role, RoleInsert, Tenant, TenantOperation, TenantOperationKind } from "@authhero/adapter-interfaces";
2
2
  import type { RolePermissionHooks, Hooks } from "./Hooks";
3
3
  import type { SamlSigner } from "@authhero/saml/core";
4
4
  import type { OpenAPIHono } from "@hono/zod-openapi";
@@ -99,6 +99,21 @@ export interface ManagementApiExtension {
99
99
  */
100
100
  router: OpenAPIHono<any, any, any>;
101
101
  }
102
+ /**
103
+ * Enqueues a durable tenant lifecycle operation (issue #1026): creates
104
+ * the `tenant_operations` row and starts execution on the configured
105
+ * engine. The inline engine resolves with a terminal row; durable engines
106
+ * resolve as soon as the run is enqueued — clients poll
107
+ * `GET /api/v2/operations/{id}`.
108
+ */
109
+ export interface TenantOperationExecutorBinding {
110
+ engine: string;
111
+ enqueue(params: {
112
+ kind: TenantOperationKind;
113
+ tenant_id: string | null;
114
+ initiated_by?: string;
115
+ }): Promise<TenantOperation>;
116
+ }
102
117
  /**
103
118
  * Configuration for the transactional outbox pattern.
104
119
  * When enabled, audit events are written atomically with entity mutations
@@ -380,6 +395,16 @@ export interface AuthHeroConfig {
380
395
  * ```
381
396
  */
382
397
  tenantUpgrade?: (tenantId: string) => Promise<void>;
398
+ /**
399
+ * Optional executor for durable tenant lifecycle operations (issue
400
+ * #1026). When set together with the `tenantOperations` /
401
+ * `tenantOperationEvents` adapters, `POST /api/v2/tenants/{id}/operations`
402
+ * enqueues operations through it. Kept structural so authhero core
403
+ * depends on neither `@authhero/multi-tenancy` nor any engine —
404
+ * `@authhero/multi-tenancy`'s `enqueueTenantOperation` + executors
405
+ * satisfy this shape.
406
+ */
407
+ tenantOperationExecutor?: TenantOperationExecutorBinding;
383
408
  /**
384
409
  * Optional powered-by logo to display at the bottom left of the login widget.
385
410
  * This is only configurable in code, not stored in the database.
@@ -1,7 +1,7 @@
1
1
  import { CodeExecutor, DataAdapters } from "@authhero/adapter-interfaces";
2
2
  import type { SamlSigner } from "@authhero/saml/core";
3
3
  import { Hooks } from "./Hooks";
4
- import { EntityHooksConfig, OutboxConfig, SigningKeyModeOption, UserLinkingModeOption, UsernamePasswordProviderResolver, WebhookInvoker } from "./AuthHeroConfig";
4
+ import { EntityHooksConfig, OutboxConfig, SigningKeyModeOption, TenantOperationExecutorBinding, UserLinkingModeOption, UsernamePasswordProviderResolver, WebhookInvoker } from "./AuthHeroConfig";
5
5
  import { StrategyHandler } from "../strategies";
6
6
  export type Bindings = {
7
7
  ENVIRONMENT: string;
@@ -34,6 +34,7 @@ export type Bindings = {
34
34
  codeExecutor?: CodeExecutor;
35
35
  webhookInvoker?: WebhookInvoker;
36
36
  tenantUpgrade?: (tenantId: string) => Promise<void>;
37
+ tenantOperationExecutor?: TenantOperationExecutorBinding;
37
38
  outbox?: OutboxConfig;
38
39
  userLinkingMode?: UserLinkingModeOption;
39
40
  usernamePasswordProvider?: UsernamePasswordProviderResolver;
package/package.json CHANGED
@@ -11,7 +11,7 @@
11
11
  "type": "git",
12
12
  "url": "https://github.com/markusahlstrand/authhero"
13
13
  },
14
- "version": "8.14.1",
14
+ "version": "8.15.0",
15
15
  "files": [
16
16
  "dist"
17
17
  ],
@@ -63,8 +63,8 @@
63
63
  "vite": "^8.0.14",
64
64
  "vite-plugin-dts": "^4.5.4",
65
65
  "vitest": "^4.1.7",
66
- "@authhero/widget": "0.34.5",
67
- "@authhero/kysely-adapter": "11.12.0"
66
+ "@authhero/kysely-adapter": "11.13.0",
67
+ "@authhero/widget": "0.34.6"
68
68
  },
69
69
  "dependencies": {
70
70
  "@peculiar/x509": "^1.14.0",
@@ -82,8 +82,8 @@
82
82
  "qrcode": "^1.5.4",
83
83
  "sanitize-html": "^2.17.4",
84
84
  "xstate": "^5.31.1",
85
- "@authhero/adapter-interfaces": "3.5.0",
86
- "@authhero/proxy": "0.8.1",
85
+ "@authhero/adapter-interfaces": "3.6.0",
86
+ "@authhero/proxy": "0.8.2",
87
87
  "@authhero/saml": "0.4.2"
88
88
  },
89
89
  "peerDependencies": {