authhero 8.14.1 → 8.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/dist/assets/u/widget/index.esm.js +1 -1
  2. package/dist/authhero.cjs +109 -109
  3. package/dist/authhero.d.ts +159 -132
  4. package/dist/authhero.mjs +8675 -8363
  5. package/dist/tsconfig.types.tsbuildinfo +1 -1
  6. package/dist/types/authentication-flows/passwordless.d.ts +3 -3
  7. package/dist/types/constants.d.ts +1 -1
  8. package/dist/types/index.d.ts +121 -121
  9. package/dist/types/routes/auth-api/authorize.d.ts +14 -14
  10. package/dist/types/routes/auth-api/index.d.ts +51 -51
  11. package/dist/types/routes/auth-api/oidc-logout.d.ts +2 -2
  12. package/dist/types/routes/auth-api/passwordless.d.ts +2 -2
  13. package/dist/types/routes/management-api/action-executions.d.ts +1 -1
  14. package/dist/types/routes/management-api/actions.d.ts +1 -1
  15. package/dist/types/routes/management-api/branding.d.ts +3 -3
  16. package/dist/types/routes/management-api/clients.d.ts +6 -6
  17. package/dist/types/routes/management-api/connections.d.ts +16 -16
  18. package/dist/types/routes/management-api/forms.d.ts +126 -126
  19. package/dist/types/routes/management-api/index.d.ts +162 -162
  20. package/dist/types/routes/management-api/logs.d.ts +3 -3
  21. package/dist/types/routes/management-api/prompts.d.ts +4 -4
  22. package/dist/types/routes/management-api/tenant-operations.d.ts +128 -0
  23. package/dist/types/routes/management-api/tenants.d.ts +37 -28
  24. package/dist/types/routes/management-api/users.d.ts +2 -2
  25. package/dist/types/routes/universal-login/common.d.ts +6 -6
  26. package/dist/types/routes/universal-login/continue.d.ts +2 -2
  27. package/dist/types/routes/universal-login/flow-api.d.ts +12 -12
  28. package/dist/types/routes/universal-login/identifier.d.ts +4 -4
  29. package/dist/types/routes/universal-login/impersonate.d.ts +2 -2
  30. package/dist/types/routes/universal-login/index.d.ts +8 -8
  31. package/dist/types/routes/universal-login/u2-index.d.ts +2 -2
  32. package/dist/types/routes/universal-login/u2-routes.d.ts +2 -2
  33. package/dist/types/types/AuthHeroConfig.d.ts +35 -9
  34. package/dist/types/types/Bindings.d.ts +2 -1
  35. package/dist/types/utils/username-password-provider.d.ts +19 -5
  36. package/package.json +5 -5
  37. package/dist/stats.html +0 -4949
@@ -27,7 +27,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
27
27
  };
28
28
  output: {};
29
29
  outputFormat: string;
30
- status: 302;
30
+ status: 400;
31
31
  } | {
32
32
  input: {
33
33
  query: {
@@ -36,7 +36,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
36
36
  };
37
37
  output: {};
38
38
  outputFormat: string;
39
- status: 400;
39
+ status: 302;
40
40
  } | {
41
41
  input: {
42
42
  query: {
@@ -165,7 +165,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
165
165
  };
166
166
  output: {};
167
167
  outputFormat: string;
168
- status: 302;
168
+ status: 400;
169
169
  } | {
170
170
  input: {
171
171
  query: {
@@ -178,7 +178,7 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
178
178
  };
179
179
  output: {};
180
180
  outputFormat: string;
181
- status: 400;
181
+ status: 302;
182
182
  };
183
183
  };
184
184
  }, "/impersonate"> & import("hono/types").MergeSchemaPath<{
@@ -515,12 +515,12 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
515
515
  } & {
516
516
  form: {
517
517
  username: string;
518
- login_selection?: "code" | "password" | undefined;
518
+ login_selection?: "password" | "code" | undefined;
519
519
  };
520
520
  };
521
521
  output: {};
522
522
  outputFormat: string;
523
- status: 302;
523
+ status: 400;
524
524
  } | {
525
525
  input: {
526
526
  query: {
@@ -529,12 +529,12 @@ export default function create(config: AuthHeroConfig): OpenAPIHono<{
529
529
  } & {
530
530
  form: {
531
531
  username: string;
532
- login_selection?: "code" | "password" | undefined;
532
+ login_selection?: "password" | "code" | undefined;
533
533
  };
534
534
  };
535
535
  output: {};
536
536
  outputFormat: string;
537
- status: 400;
537
+ status: 302;
538
538
  };
539
539
  };
540
540
  }, "/login/identifier"> & import("hono/types").MergeSchemaPath<{
@@ -193,7 +193,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
193
193
  };
194
194
  output: {};
195
195
  outputFormat: string;
196
- status: 302;
196
+ status: 400;
197
197
  } | {
198
198
  input: {
199
199
  param: {
@@ -209,7 +209,7 @@ export default function createU2App(config: AuthHeroConfig): OpenAPIHono<{
209
209
  };
210
210
  output: {};
211
211
  outputFormat: string;
212
- status: 400;
212
+ status: 302;
213
213
  };
214
214
  };
215
215
  } & {
@@ -198,7 +198,7 @@ export declare const u2Routes: OpenAPIHono<{
198
198
  };
199
199
  output: {};
200
200
  outputFormat: string;
201
- status: 302;
201
+ status: 400;
202
202
  } | {
203
203
  input: {
204
204
  param: {
@@ -214,7 +214,7 @@ export declare const u2Routes: OpenAPIHono<{
214
214
  };
215
215
  output: {};
216
216
  outputFormat: string;
217
- status: 400;
217
+ status: 302;
218
218
  };
219
219
  };
220
220
  } & {
@@ -1,4 +1,4 @@
1
- import { CodeExecutor, Connection, ConnectionInsert, CreateTenantParams, DataAdapters, Hook, ResourceServer, ResourceServerInsert, Role, RoleInsert, Tenant } from "@authhero/adapter-interfaces";
1
+ import { CodeExecutor, Connection, ConnectionInsert, CreateTenantParams, DataAdapters, Hook, ResourceServer, ResourceServerInsert, Role, RoleInsert, Tenant, TenantOperation, TenantOperationKind } from "@authhero/adapter-interfaces";
2
2
  import type { RolePermissionHooks, Hooks } from "./Hooks";
3
3
  import type { SamlSigner } from "@authhero/saml/core";
4
4
  import type { OpenAPIHono } from "@hono/zod-openapi";
@@ -99,6 +99,21 @@ export interface ManagementApiExtension {
99
99
  */
100
100
  router: OpenAPIHono<any, any, any>;
101
101
  }
102
+ /**
103
+ * Enqueues a durable tenant lifecycle operation (issue #1026): creates
104
+ * the `tenant_operations` row and starts execution on the configured
105
+ * engine. The inline engine resolves with a terminal row; durable engines
106
+ * resolve as soon as the run is enqueued — clients poll
107
+ * `GET /api/v2/operations/{id}`.
108
+ */
109
+ export interface TenantOperationExecutorBinding {
110
+ engine: string;
111
+ enqueue(params: {
112
+ kind: TenantOperationKind;
113
+ tenant_id: string | null;
114
+ initiated_by?: string;
115
+ }): Promise<TenantOperation>;
116
+ }
102
117
  /**
103
118
  * Configuration for the transactional outbox pattern.
104
119
  * When enabled, audit events are written atomically with entity mutations
@@ -146,11 +161,11 @@ export type UserLinkingModeOption = UserLinkingMode | UserLinkingModeResolver;
146
161
  /**
147
162
  * Resolver for the per-tenant username/password provider value.
148
163
  *
149
- * The native database provider has historically been written as `"auth2"`.
150
- * Returning `"auth0"` for selected tenants lets you migrate them onto the
151
- * `"auth0"` provider value (matching what the legacy Auth0 import format
152
- * used) one tenant at a time. Reads always accept both values, so existing
153
- * `auth2|*` rows keep resolving during and after the cutover.
164
+ * The native database provider has historically been written as `"auth2"`;
165
+ * new rows now default to `"auth0"`. Returning `"auth2"` for selected
166
+ * tenants pins them on the legacy value during a staged cutover. Reads
167
+ * always accept both values, so existing `auth2|*` rows keep resolving
168
+ * during and after the cutover.
154
169
  *
155
170
  * TRANSITIONAL: this resolver and the dual-read fallback can be removed
156
171
  * once every tenant has been migrated to a single value.
@@ -380,6 +395,16 @@ export interface AuthHeroConfig {
380
395
  * ```
381
396
  */
382
397
  tenantUpgrade?: (tenantId: string) => Promise<void>;
398
+ /**
399
+ * Optional executor for durable tenant lifecycle operations (issue
400
+ * #1026). When set together with the `tenantOperations` /
401
+ * `tenantOperationEvents` adapters, `POST /api/v2/tenants/{id}/operations`
402
+ * enqueues operations through it. Kept structural so authhero core
403
+ * depends on neither `@authhero/multi-tenancy` nor any engine —
404
+ * `@authhero/multi-tenancy`'s `enqueueTenantOperation` + executors
405
+ * satisfy this shape.
406
+ */
407
+ tenantOperationExecutor?: TenantOperationExecutorBinding;
383
408
  /**
384
409
  * Optional powered-by logo to display at the bottom left of the login widget.
385
410
  * This is only configurable in code, not stored in the database.
@@ -489,11 +514,12 @@ export interface AuthHeroConfig {
489
514
  userLinkingMode?: UserLinkingModeOption;
490
515
  /**
491
516
  * Per-tenant override for the username/password provider value used on
492
- * NEW user rows. Returning `"auth0"` for a tenant migrates new signups,
493
- * password resets, etc. onto the `auth0|*` user_id format. Existing
517
+ * NEW user rows. Omit to write `"auth0"` for every tenant new signups,
518
+ * password resets, etc. use the `auth0|*` user_id format. Existing
494
519
  * `auth2|*` rows keep working — reads accept either value.
495
520
  *
496
- * Omit to keep the legacy `"auth2"` value for every tenant.
521
+ * Returning `"auth2"` pins a tenant on the legacy value during a staged
522
+ * cutover.
497
523
  *
498
524
  * TRANSITIONAL: this hook and the dual-read fallback in the password
499
525
  * flows can be removed once all tenants have been backfilled.
@@ -1,7 +1,7 @@
1
1
  import { CodeExecutor, DataAdapters } from "@authhero/adapter-interfaces";
2
2
  import type { SamlSigner } from "@authhero/saml/core";
3
3
  import { Hooks } from "./Hooks";
4
- import { EntityHooksConfig, OutboxConfig, SigningKeyModeOption, UserLinkingModeOption, UsernamePasswordProviderResolver, WebhookInvoker } from "./AuthHeroConfig";
4
+ import { EntityHooksConfig, OutboxConfig, SigningKeyModeOption, TenantOperationExecutorBinding, UserLinkingModeOption, UsernamePasswordProviderResolver, WebhookInvoker } from "./AuthHeroConfig";
5
5
  import { StrategyHandler } from "../strategies";
6
6
  export type Bindings = {
7
7
  ENVIRONMENT: string;
@@ -34,6 +34,7 @@ export type Bindings = {
34
34
  codeExecutor?: CodeExecutor;
35
35
  webhookInvoker?: WebhookInvoker;
36
36
  tenantUpgrade?: (tenantId: string) => Promise<void>;
37
+ tenantOperationExecutor?: TenantOperationExecutorBinding;
37
38
  outbox?: OutboxConfig;
38
39
  userLinkingMode?: UserLinkingModeOption;
39
40
  usernamePasswordProvider?: UsernamePasswordProviderResolver;
@@ -6,15 +6,15 @@ import { EnrichedClient } from "../helpers/client";
6
6
  * TRANSITIONAL helpers for the auth2 → auth0 provider migration.
7
7
  *
8
8
  * Historically every native database user has been stored with
9
- * `provider = "auth2"` and `user_id = "auth2|<id>"`. We're moving onto the
10
- * `"auth0"` provider value, one tenant at a time, by setting
11
- * `init({ usernamePasswordProvider })` to return `"auth0"` for the
12
- * migrated tenants.
9
+ * `provider = "auth2"` and `user_id = "auth2|<id>"`. New rows are now
10
+ * written with the `"auth0"` provider value everywhere; the
11
+ * `init({ usernamePasswordProvider })` resolver only exists to pin a
12
+ * tenant back onto `"auth2"` during a staged cutover.
13
13
  *
14
14
  * Two surfaces are exposed:
15
15
  *
16
16
  * - {@link resolveUsernamePasswordProvider} — used at WRITE sites to pick
17
- * the value to stamp on a new row. Defaults to `"auth2"`.
17
+ * the value to stamp on a new row. Defaults to `"auth0"`.
18
18
  * - {@link isUsernamePasswordProvider} / {@link getUsernamePasswordUser} /
19
19
  * {@link getPrimaryUsernamePasswordUser} — used at READ sites to match
20
20
  * existing rows under EITHER value, so a tenant can have a mix of
@@ -25,7 +25,21 @@ import { EnrichedClient } from "../helpers/client";
25
25
  */
26
26
  declare const LEGACY_PROVIDER = "auth2";
27
27
  declare const TARGET_PROVIDER = "auth0";
28
+ /**
29
+ * True when a connection's `strategy` field marks it as a native database
30
+ * (username/password) connection. Legacy tenants persist the provider
31
+ * literal ("auth2") in the strategy field instead of the canonical Auth0
32
+ * strategy name, and either provider literal must never leak into new
33
+ * user rows as the provider — write sites go through
34
+ * {@link resolveUsernamePasswordProvider} instead.
35
+ */
36
+ export declare function isDatabaseConnectionStrategy(strategy: string | undefined | null): boolean;
28
37
  export type UsernamePasswordProviderValue = typeof LEGACY_PROVIDER | typeof TARGET_PROVIDER;
38
+ /**
39
+ * Both native database provider values, legacy first — for read sites
40
+ * that need to enumerate rather than predicate-match.
41
+ */
42
+ export declare const USERNAME_PASSWORD_PROVIDERS: readonly UsernamePasswordProviderValue[];
29
43
  export declare function resolveUsernamePasswordProvider(env: Bindings, tenant_id: string): Promise<UsernamePasswordProviderValue>;
30
44
  export declare function isUsernamePasswordProvider(provider: string | undefined | null): boolean;
31
45
  interface DualReadParams {
package/package.json CHANGED
@@ -11,7 +11,7 @@
11
11
  "type": "git",
12
12
  "url": "https://github.com/markusahlstrand/authhero"
13
13
  },
14
- "version": "8.14.1",
14
+ "version": "8.16.0",
15
15
  "files": [
16
16
  "dist"
17
17
  ],
@@ -63,8 +63,8 @@
63
63
  "vite": "^8.0.14",
64
64
  "vite-plugin-dts": "^4.5.4",
65
65
  "vitest": "^4.1.7",
66
- "@authhero/widget": "0.34.5",
67
- "@authhero/kysely-adapter": "11.12.0"
66
+ "@authhero/kysely-adapter": "11.13.1",
67
+ "@authhero/widget": "0.34.7"
68
68
  },
69
69
  "dependencies": {
70
70
  "@peculiar/x509": "^1.14.0",
@@ -82,8 +82,8 @@
82
82
  "qrcode": "^1.5.4",
83
83
  "sanitize-html": "^2.17.4",
84
84
  "xstate": "^5.31.1",
85
- "@authhero/adapter-interfaces": "3.5.0",
86
- "@authhero/proxy": "0.8.1",
85
+ "@authhero/adapter-interfaces": "3.7.0",
86
+ "@authhero/proxy": "0.8.3",
87
87
  "@authhero/saml": "0.4.2"
88
88
  },
89
89
  "peerDependencies": {