authhero 8.2.0 → 8.3.0

package/dist/types/adapters/createEncryptedDataAdapter.d.ts

@@ -1,4 +1,19 @@
 import { DataAdapters } from "@authhero/adapter-interfaces";
+import { KeyRing } from "../utils/field-encryption";
+/**
+ * Resolves which key id (if any) a tenant's secrets are encrypted under.
+ * Returning `undefined` uses the ring's default key and produces legacy,
+ * untagged `enc:v1:` ciphertext — byte-compatible with the single-key adapter.
+ *
+ * The canonical use: tag rows owned by the control plane tenant with a
+ * control-plane-only key id, so the same database can hold a tenant's own
+ * secrets (default key) alongside inherited control plane secrets the tenant
+ * operator cannot decrypt.
+ */
+export type EncryptKeyIdResolver = (tenantId: string) => string | undefined;
+interface EncryptionOptions {
+    resolveEncryptKeyId?: EncryptKeyIdResolver;
+}
 /**
  * Wraps a DataAdapters instance so that sensitive credential fields are
  * transparently encrypted on write and decrypted on read. Only the adapters
@@ -16,3 +31,28 @@ import { DataAdapters } from "@authhero/adapter-interfaces";
  * Private keys (keys.pkcs7, dkim_private_key) are intentionally NOT covered.
  */
 export declare function createEncryptedDataAdapter(data: DataAdapters, key: CryptoKey): DataAdapters;
+/**
+ * Like {@link createEncryptedDataAdapter}, but encrypts each tenant's secrets
+ * under a key selected from a {@link KeyRing}. On read, the key is chosen from
+ * the id embedded in the ciphertext, so a single database can mix values
+ * encrypted under different keys.
+ *
+ * `options.resolveEncryptKeyId(tenantId)` decides which key id new ciphertext is
+ * tagged with. Return `undefined` for the ring's default key (legacy untagged
+ * form). The intended use is to tag control plane tenant rows with a
+ * control-plane-only key id so an inheriting tenant can hold the inherited
+ * secrets at rest without being able to decrypt them.
+ *
+ * @example
+ * ```typescript
+ * const adapters = createEncryptedDataAdapterWithKeyRing(base, {
+ *   default: tenantKey,
+ *   keys: { cp: controlPlaneKey },
+ * }, {
+ *   resolveEncryptKeyId: (tenantId) =>
+ *     tenantId === CONTROL_PLANE_TENANT_ID ? "cp" : undefined,
+ * });
+ * ```
+ */
+export declare function createEncryptedDataAdapterWithKeyRing(data: DataAdapters, ring: KeyRing, options?: EncryptionOptions): DataAdapters;
+export {};

package/dist/types/adapters/index.d.ts

@@ -1,3 +1,5 @@
 export * from "./cache";
-export { createEncryptedDataAdapter } from "./createEncryptedDataAdapter";
-export { loadEncryptionKey, encryptField, decryptField, isEncrypted, } from "../utils/field-encryption";
+export { createEncryptedDataAdapter, createEncryptedDataAdapterWithKeyRing, } from "./createEncryptedDataAdapter";
+export type { EncryptKeyIdResolver } from "./createEncryptedDataAdapter";
+export { loadEncryptionKey, encryptField, decryptField, encryptFieldWithRing, decryptFieldWithRing, parseKeyId, isEncrypted, } from "../utils/field-encryption";
+export type { KeyRing } from "../utils/field-encryption";

package/dist/types/authentication-flows/passwordless.d.ts

@@ -457,7 +457,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
         custom_login_page_preview?: string | undefined;
         form_template?: string | undefined;
         addons?: Record<string, any> | undefined;
-        token_endpoint_auth_method?: "client_secret_post" | "client_secret_basic" | "none" | "client_secret_jwt" | "private_key_jwt" | undefined;
+        token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
         client_metadata?: Record<string, string> | undefined;
         hide_sign_up_disabled_error?: boolean | undefined;
         mobile?: Record<string, any> | undefined;

package/dist/types/helpers/compose-auth-data.d.ts

@@ -8,12 +8,20 @@ import { Bindings, Variables } from "../types";
  * between layers — in one place so individual apps can't drift.
  *
  * Layering (outermost first; that's the order callers hit on each read):
- *   addTimingLogs        — server-timing instrumentation
  *   withClientBundle     — L0: per-(tenant_id, client_id) snapshot
  *   addBundleWritePurge  — local-edge bundle invalidation on writes
  *   addRequestScopedDedup — L1: in-request Promise memoization
  *   addCaching           — L2: cross-request cache (CF Cache API in prod)
  *   addDataHooks         — user lifecycle hooks
+ *   addTimingLogs        — server-timing instrumentation. Innermost on
+ *                          purpose: a read served by the bundle (L0), request
+ *                          dedup (L1), or cache (L2) is satisfied above this
+ *                          layer and never reaches it, so the Server-Timing
+ *                          header carries one line per genuine backend
+ *                          round-trip — with its true duration — instead of
+ *                          one line per surface call (cache/bundle hits
+ *                          included, the whole bundle's cost attributed to
+ *                          whichever call happened to trigger assembly).
  *   raw dataAdapter      — underlying DB
  *
  * Apps declare only their `nonBundleEntities` — the long-tail entities they

package/dist/types/helpers/server-timing.d.ts

@@ -1,6 +1,47 @@
-import { Context } from "hono";
-import { DataAdapters } from "@authhero/adapter-interfaces";
+import { Context, MiddlewareHandler } from "hono";
+import { CacheAdapter, DataAdapters } from "@authhero/adapter-interfaces";
 import { Bindings, Variables } from "../types";
+type TimingCtx = Context<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+/**
+ * Record one Server-Timing measurement on the request-scoped buffer
+ * (`ctx.var.serverTiming`). The measurement is NOT written to the response
+ * header here — {@link serverTimingMiddleware} decides at the end of the
+ * request whether to emit it to the client, log it server-side, or drop it.
+ * Used by the adapter wrappers below and by the webhook hook.
+ */
+export declare function recordServerTiming(ctx: TimingCtx, name: string, duration: number): void;
+/**
+ * Flushes the request-scoped Server-Timing buffer according to the
+ * `SERVER_TIMING` env. Mount this right after `applyConfigMiddleware` so that
+ * env is populated before it runs and the client `ip` is resolved by the time
+ * `next()` returns.
+ *
+ * Sinks (see {@link Bindings.SERVER_TIMING}):
+ *   - "off"/unset → drop the buffer (default; nothing reaches the client).
+ *   - "client"    → set the `Server-Timing` header, optionally gated to
+ *                   `SERVER_TIMING_IPS`.
+ *   - "log"       → emit a structured log line; never sent to the client.
+ *   - "both"      → both of the above.
+ *
+ * Off by default because per-operation timings on the public auth endpoints are
+ * a user-enumeration / side-channel surface.
+ */
+export declare const serverTimingMiddleware: MiddlewareHandler<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+/**
+ * Wraps a {@link CacheAdapter} so each operation appends a Server-Timing entry
+ * labelled by the key's prefix, e.g. `cache-get:client-bundle`,
+ * `cache-get:customText`. The cache layers call this adapter directly — not
+ * through the timed data stack — so on Workers the Cache API `match()` / `put()`
+ * round-trips would otherwise be invisible. This makes that latency observable
+ * without exposing the full (id-bearing) cache key.
+ */
+export declare function addCacheTimingLogs(ctx: TimingCtx, cache: CacheAdapter): CacheAdapter;
 /**
  * Adds server-timing middleware logging to all adapter methods
  * This wraps each method of the data adapter to measure its execution time
@@ -10,3 +51,4 @@ export declare function addTimingLogs(ctx: Context<{
     Bindings: Bindings;
     Variables: Variables;
 }>, data: DataAdapters): DataAdapters;
+export {};