npm - authhero - Versions diffs - 8.3.0 → 8.4.0 - Mend

authhero 8.3.0 → 8.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/dist/assets/u/js/client.js +3 -3
package/dist/authhero.cjs +6 -6
package/dist/authhero.d.ts +140 -97
package/dist/authhero.mjs +40 -27
package/dist/client.js +3 -3
package/dist/stats.html +1 -1
package/dist/tsconfig.types.tsbuildinfo +1 -1
package/dist/types/authentication-flows/passwordless.d.ts +3 -3
package/dist/types/client/client-bundle.d.ts +1 -1
package/dist/types/client/loading-link-handler.d.ts +14 -0
package/dist/types/components/Button.d.ts +2 -1
package/dist/types/helpers/dcr/metadata-mapping.d.ts +1 -1
package/dist/types/index.d.ts +96 -96
package/dist/types/middlewares/authentication.d.ts +17 -0
package/dist/types/routes/auth-api/index.d.ts +21 -21
package/dist/types/routes/auth-api/passwordless.d.ts +18 -18
package/dist/types/routes/auth-api/register/index.d.ts +2 -2
package/dist/types/routes/auth-api/well-known.d.ts +1 -1
package/dist/types/routes/management-api/action-executions.d.ts +1 -1
package/dist/types/routes/management-api/actions.d.ts +1 -1
package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
package/dist/types/routes/management-api/branding.d.ts +6 -6
package/dist/types/routes/management-api/client-grants.d.ts +8 -8
package/dist/types/routes/management-api/clients.d.ts +7 -7
package/dist/types/routes/management-api/connections.d.ts +1 -1
package/dist/types/routes/management-api/custom-domains.d.ts +6 -6
package/dist/types/routes/management-api/email-templates.d.ts +18 -18
package/dist/types/routes/management-api/forms.d.ts +119 -119
package/dist/types/routes/management-api/guardian.d.ts +5 -5
package/dist/types/routes/management-api/index.d.ts +190 -190
package/dist/types/routes/management-api/log-streams.d.ts +6 -6
package/dist/types/routes/management-api/logs.d.ts +3 -3
package/dist/types/routes/management-api/organizations.d.ts +2 -2
package/dist/types/routes/management-api/prompts.d.ts +4 -4
package/dist/types/routes/management-api/themes.d.ts +3 -3
package/dist/types/routes/management-api/users.d.ts +2 -2
package/dist/types/routes/universal-login/common.d.ts +6 -6
package/dist/types/routes/universal-login/flow-api.d.ts +12 -12
package/dist/types/routes/universal-login/u2-index.d.ts +6 -6
package/dist/types/routes/universal-login/u2-routes.d.ts +6 -6
package/dist/types/types/AuthHeroConfig.d.ts +26 -1
package/dist/types/types/IdToken.d.ts +2 -2
package/dist/types/utils/jwks.d.ts +2 -2
package/dist/types/utils/jwt.d.ts +9 -0
package/package.json +3 -3

package/dist/types/types/AuthHeroConfig.d.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { RolePermissionHooks, Hooks } from "./Hooks";
 import type { SamlSigner } from "@authhero/saml/core";
 import type { OpenAPIHono } from "@hono/zod-openapi";
 import type { Handler } from "hono";
-import type { ManagementAudienceResolver } from "../middlewares/authentication";
+import type { ManagementAudienceResolver, IssuerResolver } from "../middlewares/authentication";
 import { EntityHooks } from "./Hooks";
 /**
  * Parameters passed to a custom webhook invoker function.
@@ -495,4 +495,29 @@ export interface AuthHeroConfig {
      * ```
      */
     additionalManagementAudiences?: ManagementAudienceResolver;
+    /**
+     * Resolver returning the list of issuers accepted by the bearer-JWT issuer
+     * check **in addition to** the deployment's own
+     * `getIssuer(env, custom_domain)`. The token's `tenant_id` is passed in, so a
+     * per-tenant or control-plane issuer can be constructed at request time.
+     *
+     * This is needed when control-plane-minted admin tokens are forwarded to a
+     * per-tenant worker: the token's `iss` is the control-plane issuer while the
+     * worker's `env.ISSUER` is per-tenant, so the strict single-issuer check
+     * would otherwise reject it. The signature is still verified normally; this
+     * only widens which `iss` values are accepted.
+     *
+     * authhero stays generic — it never derives or hardcodes any issuer. Scoping
+     * (e.g. only accepting the control-plane issuer for control-plane tokens) is
+     * the host app's job: the resolver receives `tenant_id` and can return `[]`
+     * to refuse. The default issuer is always accepted; the resolver is purely
+     * additive.
+     *
+     * @example
+     * ```ts
+     * additionalIssuers: ({ tenant_id }) =>
+     *   tenant_id ? ["https://token.example.com/"] : [];
+     * ```
+     */
+    additionalIssuers?: IssuerResolver;
 }

package/dist/types/types/IdToken.d.ts CHANGED Viewed

@@ -19,10 +19,10 @@ export declare const idTokenSchema: z.ZodObject<{
 }, z.core.$loose>;
 export declare const userInfoSchema: z.ZodObject<{
     name: z.ZodOptional<z.ZodString>;
-    given_name: z.ZodOptional<z.ZodString>;
-    family_name: z.ZodOptional<z.ZodString>;
     email: z.ZodOptional<z.ZodString>;
     sub: z.ZodString;
+    given_name: z.ZodOptional<z.ZodString>;
+    family_name: z.ZodOptional<z.ZodString>;
     iss: z.ZodString;
     aud: z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>;
     exp: z.ZodNumber;

package/dist/types/utils/jwks.d.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import { SigningKeyModeOption } from "../types/AuthHeroConfig";
  */
 export declare function getJwksForPublication(data: DataAdapters, tenantId: string, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;
@@ -27,7 +27,7 @@ export declare function getJwksForPublication(data: DataAdapters, tenantId: stri
  */
 export declare function getJwksForVerification(data: DataAdapters, tenantId: string | undefined, modeOption: SigningKeyModeOption | undefined): Promise<{
     alg: "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512";
-    kty: "EC" | "RSA" | "oct";
+    kty: "RSA" | "EC" | "oct";
     kid?: string | undefined;
     use?: "sig" | "enc" | undefined;
     n?: string | undefined;

package/dist/types/utils/jwt.d.ts CHANGED Viewed

@@ -25,6 +25,15 @@ export interface ValidateJwtTokenOptions {
      * for iss mismatch rather than the 401 this function would raise.
      */
     skipIssuerCheck?: boolean;
+    /**
+     * Additional issuers accepted **in addition to**
+     * `getIssuer(env, custom_domain)`. A token whose `iss` matches the expected
+     * issuer OR any value in this list passes the issuer check. The host app
+     * resolves this list (e.g. from a control-plane issuer) and threads it in;
+     * authhero never derives or hardcodes any issuer itself. Defaults to the
+     * strict single-issuer check when omitted.
+     */
+    additionalIssuers?: string[];
 }
 /**
  * Raised when the subject JWT carried a past `exp`. Extends JSONHTTPException

package/package.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "8.3.0",
+  "version": "8.4.0",
   "files": [
     "dist"
   ],
@@ -63,8 +63,8 @@
     "vite": "^8.0.14",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.1.7",
-    "@authhero/kysely-adapter": "11.8.9",
-    "@authhero/widget": "0.32.41"
+    "@authhero/widget": "0.32.41",
+    "@authhero/kysely-adapter": "11.8.9"
   },
   "dependencies": {
     "@peculiar/x509": "^1.14.0",