authhero 8.2.1 → 8.4.0

package/dist/types/types/AuthHeroConfig.d.ts

@@ -3,7 +3,7 @@ import type { RolePermissionHooks, Hooks } from "./Hooks";
 import type { SamlSigner } from "@authhero/saml/core";
 import type { OpenAPIHono } from "@hono/zod-openapi";
 import type { Handler } from "hono";
-import type { ManagementAudienceResolver } from "../middlewares/authentication";
+import type { ManagementAudienceResolver, IssuerResolver } from "../middlewares/authentication";
 import { EntityHooks } from "./Hooks";
 /**
  * Parameters passed to a custom webhook invoker function.
@@ -495,4 +495,29 @@ export interface AuthHeroConfig {
      * ```
      */
     additionalManagementAudiences?: ManagementAudienceResolver;
+    /**
+     * Resolver returning the list of issuers accepted by the bearer-JWT issuer
+     * check **in addition to** the deployment's own
+     * `getIssuer(env, custom_domain)`. The token's `tenant_id` is passed in, so a
+     * per-tenant or control-plane issuer can be constructed at request time.
+     *
+     * This is needed when control-plane-minted admin tokens are forwarded to a
+     * per-tenant worker: the token's `iss` is the control-plane issuer while the
+     * worker's `env.ISSUER` is per-tenant, so the strict single-issuer check
+     * would otherwise reject it. The signature is still verified normally; this
+     * only widens which `iss` values are accepted.
+     *
+     * authhero stays generic — it never derives or hardcodes any issuer. Scoping
+     * (e.g. only accepting the control-plane issuer for control-plane tokens) is
+     * the host app's job: the resolver receives `tenant_id` and can return `[]`
+     * to refuse. The default issuer is always accepted; the resolver is purely
+     * additive.
+     *
+     * @example
+     * ```ts
+     * additionalIssuers: ({ tenant_id }) =>
+     *   tenant_id ? ["https://token.example.com/"] : [];
+     * ```
+     */
+    additionalIssuers?: IssuerResolver;
 }

package/dist/types/types/IdToken.d.ts

@@ -19,10 +19,10 @@ export declare const idTokenSchema: z.ZodObject<{
 }, z.core.$loose>;
 export declare const userInfoSchema: z.ZodObject<{
     name: z.ZodOptional<z.ZodString>;
-    given_name: z.ZodOptional<z.ZodString>;
-    family_name: z.ZodOptional<z.ZodString>;
     email: z.ZodOptional<z.ZodString>;
     sub: z.ZodString;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
     iss: z.ZodString;
     aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
     exp: z.ZodNumber;

package/dist/types/utils/field-encryption.d.ts

@@ -1,6 +1,24 @@
 declare const PREFIX = "enc:v1:";
 export type EncryptedField = `${typeof PREFIX}${string}`;
 export declare function isEncrypted(value: string): value is EncryptedField;
+/**
+ * A set of AES-256-GCM keys addressable by id. `default` decrypts (and by
+ * default encrypts) legacy unkeyed `enc:v1:` values; `keys[id]` handles values
+ * tagged with that id (`enc:v1:<id>:`).
+ *
+ * This is what lets a single database hold ciphertext under more than one key —
+ * e.g. a WFP tenant's own secrets under the tenant key and inherited control
+ * plane secrets under a control-plane-only key the tenant operator never holds.
+ */
+export interface KeyRing {
+    default: CryptoKey;
+    keys?: Record<string, CryptoKey>;
+}
+/**
+ * The key id a keyed value was encrypted under, or `undefined` for a legacy
+ * unkeyed value (or a non-encrypted plaintext).
+ */
+export declare function parseKeyId(value: string): string | undefined;
 /**
  * Imports a base64-encoded 32-byte key as an AES-256-GCM CryptoKey. Throws if
  * the decoded key is not exactly 32 bytes so a misconfigured secret fails loudly
@@ -18,4 +36,16 @@ export declare function encryptField(plaintext: string, key: CryptoKey): Promise
  * prefixed value cannot be decrypted (wrong key or corrupted ciphertext).
  */
 export declare function decryptField(value: string, key: CryptoKey): Promise<string>;
+/**
+ * Encrypts a value using a key ring, optionally tagging it with `keyId` so the
+ * same key is selected on read. With no `keyId` the value is encrypted under the
+ * ring's default key and is byte-compatible with `encryptField` (legacy form).
+ */
+export declare function encryptFieldWithRing(plaintext: string, ring: KeyRing, keyId?: string): Promise<EncryptedField>;
+/**
+ * Decrypts a value using a key ring, selecting the key from the id embedded in
+ * the ciphertext (or the default key for legacy unkeyed values). Plaintext
+ * values (no `enc:v1:` prefix) are returned unchanged.
+ */
+export declare function decryptFieldWithRing(value: string, ring: KeyRing): Promise<string>;
 export {};

package/dist/types/utils/jwks.d.ts

@@ -8,7 +8,7 @@ import { SigningKeyModeOption } from "../types/AuthHeroConfig";
  */
 export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;
@@ -27,7 +27,7 @@ export declare function getJwksForPublication(data: DataAdapters, tenantId: stri
  */
 export declare function getJwksForVerification(data: DataAdapters, tenantId: string | undefined, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;

package/dist/types/utils/jwt.d.ts

@@ -25,6 +25,15 @@ export interface ValidateJwtTokenOptions {
      * for iss mismatch rather than the 401 this function would raise.
      */
     skipIssuerCheck?: boolean;
+    /**
+     * Additional issuers accepted **in addition to**
+     * `getIssuer(env, custom_domain)`. A token whose `iss` matches the expected
+     * issuer OR any value in this list passes the issuer check. The host app
+     * resolves this list (e.g. from a control-plane issuer) and threads it in;
+     * authhero never derives or hardcodes any issuer itself. Defaults to the
+     * strict single-issuer check when omitted.
+     */
+    additionalIssuers?: string[];
 }
 /**
  * Raised when the subject JWT carried a past `exp`. Extends JSONHTTPException

package/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "8.2.1",
+  "version": "8.4.0",
   "files": [
     "dist"
   ],
@@ -63,8 +63,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.8.9",
-    "@authhero/widget": "0.32.41"
+    "@authhero/widget": "0.32.41",
+    "@authhero/kysely-adapter": "11.8.9"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",
@@ -83,8 +83,8 @@
     "sanitize-html": "^2.17.4",
     "xstate": "^5.31.1",
     "@authhero/adapter-interfaces": "3.1.1",
-    "@authhero/saml": "0.4.2",
-    "@authhero/proxy": "0.7.1"
+    "@authhero/proxy": "0.7.1",
+    "@authhero/saml": "0.4.2"
   },
   "peerDependencies": {
     "@authhero/widget": "^0.1.0",