authhero 8.8.0 → 8.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/assets/u/widget/index.esm.js +1 -1
- package/dist/authhero.cjs +109 -107
- package/dist/authhero.d.ts +270 -242
- package/dist/authhero.mjs +11199 -10618
- package/dist/stats.html +1 -1
- package/dist/tsconfig.types.tsbuildinfo +1 -1
- package/dist/types/authentication-flows/passwordless.d.ts +6 -6
- package/dist/types/helpers/dcr/metadata-mapping.d.ts +1 -1
- package/dist/types/helpers/mutable-response.d.ts +15 -3
- package/dist/types/helpers/tenant-export-import/export.d.ts +21 -0
- package/dist/types/helpers/tenant-export-import/import.d.ts +12 -0
- package/dist/types/helpers/tenant-export-import/index.d.ts +4 -0
- package/dist/types/helpers/tenant-export-import/manifest.d.ts +12 -0
- package/dist/types/helpers/tenant-export-import/row-access.d.ts +20 -0
- package/dist/types/helpers/tenant-export-import/types.d.ts +53 -0
- package/dist/types/index.d.ts +266 -223
- package/dist/types/routes/auth-api/index.d.ts +28 -28
- package/dist/types/routes/auth-api/passwordless.d.ts +10 -10
- package/dist/types/routes/auth-api/register/index.d.ts +2 -2
- package/dist/types/routes/auth-api/revoke.d.ts +6 -6
- package/dist/types/routes/auth-api/token.d.ts +10 -10
- package/dist/types/routes/management-api/action-executions.d.ts +2 -2
- package/dist/types/routes/management-api/actions.d.ts +1 -1
- package/dist/types/routes/management-api/authentication-methods.d.ts +1 -1
- package/dist/types/routes/management-api/branding.d.ts +5 -5
- package/dist/types/routes/management-api/clients.d.ts +13 -13
- package/dist/types/routes/management-api/connections.d.ts +16 -16
- package/dist/types/routes/management-api/custom-domains.d.ts +6 -6
- package/dist/types/routes/management-api/failed-events.d.ts +1 -1
- package/dist/types/routes/management-api/forms.d.ts +126 -126
- package/dist/types/routes/management-api/guardian.d.ts +5 -5
- package/dist/types/routes/management-api/index.d.ts +231 -188
- package/dist/types/routes/management-api/log-streams.d.ts +6 -6
- package/dist/types/routes/management-api/organizations.d.ts +2 -2
- package/dist/types/routes/management-api/prompts.d.ts +4 -4
- package/dist/types/routes/management-api/tenant-export-import.d.ts +49 -0
- package/dist/types/routes/management-api/tenants.d.ts +3 -3
- package/dist/types/routes/management-api/themes.d.ts +3 -3
- package/dist/types/routes/universal-login/common.d.ts +10 -10
- package/dist/types/routes/universal-login/flow-api.d.ts +8 -8
- package/dist/types/routes/universal-login/identifier.d.ts +2 -2
- package/dist/types/routes/universal-login/index.d.ts +2 -2
- package/dist/types/routes/universal-login/u2-index.d.ts +5 -5
- package/dist/types/routes/universal-login/u2-routes.d.ts +5 -5
- package/dist/types/types/IdToken.d.ts +4 -4
- package/package.json +5 -5
|
@@ -367,7 +367,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
|
|
|
367
367
|
active?: boolean | undefined;
|
|
368
368
|
} | undefined;
|
|
369
369
|
signup?: {
|
|
370
|
-
status?: "optional" | "
|
|
370
|
+
status?: "optional" | "disabled" | "required" | undefined;
|
|
371
371
|
verification?: {
|
|
372
372
|
active?: boolean | undefined;
|
|
373
373
|
} | undefined;
|
|
@@ -384,7 +384,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
|
|
|
384
384
|
active?: boolean | undefined;
|
|
385
385
|
} | undefined;
|
|
386
386
|
signup?: {
|
|
387
|
-
status?: "optional" | "
|
|
387
|
+
status?: "optional" | "disabled" | "required" | undefined;
|
|
388
388
|
} | undefined;
|
|
389
389
|
validation?: {
|
|
390
390
|
max_length?: number | undefined;
|
|
@@ -401,7 +401,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
|
|
|
401
401
|
active?: boolean | undefined;
|
|
402
402
|
} | undefined;
|
|
403
403
|
signup?: {
|
|
404
|
-
status?: "optional" | "
|
|
404
|
+
status?: "optional" | "disabled" | "required" | undefined;
|
|
405
405
|
} | undefined;
|
|
406
406
|
} | undefined;
|
|
407
407
|
} | undefined;
|
|
@@ -458,7 +458,7 @@ export declare function passwordlessGrantUser(ctx: Context<{
|
|
|
458
458
|
custom_login_page_preview?: string | undefined;
|
|
459
459
|
form_template?: string | undefined;
|
|
460
460
|
addons?: Record<string, any> | undefined;
|
|
461
|
-
token_endpoint_auth_method?: "
|
|
461
|
+
token_endpoint_auth_method?: "none" | "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt" | undefined;
|
|
462
462
|
client_metadata?: Record<string, string> | undefined;
|
|
463
463
|
hide_sign_up_disabled_error?: boolean | undefined;
|
|
464
464
|
mobile?: Record<string, any> | undefined;
|
|
@@ -541,8 +541,8 @@ export declare function passwordlessGrantUser(ctx: Context<{
|
|
|
541
541
|
} | undefined;
|
|
542
542
|
authenticated_at?: string | undefined;
|
|
543
543
|
};
|
|
544
|
-
connectionType: "
|
|
545
|
-
authConnection: "
|
|
544
|
+
connectionType: "sms" | "email" | "username";
|
|
545
|
+
authConnection: "sms" | "email" | "username";
|
|
546
546
|
session_id: string | undefined;
|
|
547
547
|
authParams: {
|
|
548
548
|
client_id: string;
|
|
@@ -23,9 +23,9 @@ export declare const dcrRequestSchema: z.ZodObject<{
|
|
|
23
23
|
grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
24
24
|
response_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
25
25
|
token_endpoint_auth_method: z.ZodOptional<z.ZodEnum<{
|
|
26
|
+
none: "none";
|
|
26
27
|
client_secret_post: "client_secret_post";
|
|
27
28
|
client_secret_basic: "client_secret_basic";
|
|
28
|
-
none: "none";
|
|
29
29
|
client_secret_jwt: "client_secret_jwt";
|
|
30
30
|
private_key_jwt: "private_key_jwt";
|
|
31
31
|
}>>;
|
|
@@ -13,15 +13,27 @@
|
|
|
13
13
|
* (the body stream is passed through, not copied) and deterministic, so there is
|
|
14
14
|
* nothing to detect.
|
|
15
15
|
*/
|
|
16
|
+
/**
|
|
17
|
+
* True only for a live WebSocket upgrade — a `101 Switching Protocols` response
|
|
18
|
+
* that carries a non-null `webSocket` handle.
|
|
19
|
+
*
|
|
20
|
+
* The check must NOT be `"webSocket" in res`: the Cloudflare Workers runtime
|
|
21
|
+
* defines a `webSocket` property on *every* `Response` (it is `null` for an
|
|
22
|
+
* ordinary response), so the `in` operator is always true there and would
|
|
23
|
+
* misclassify every response as an upgrade. (In Node / the test runtime the
|
|
24
|
+
* property is absent, so the bug stays invisible to tests.) A real upgrade has
|
|
25
|
+
* a non-null handle, which is what we detect here.
|
|
26
|
+
*/
|
|
27
|
+
export declare function isWebSocketUpgrade(res: Response): boolean;
|
|
16
28
|
/**
|
|
17
29
|
* Return a response whose headers are mutable. A received response is re-wrapped
|
|
18
30
|
* into a fresh `Response` (which has the mutable "response" header guard); an
|
|
19
31
|
* already-mutable response is re-wrapped too, harmlessly, preserving every header
|
|
20
32
|
* already set on it.
|
|
21
33
|
*
|
|
22
|
-
* A
|
|
23
|
-
*
|
|
24
|
-
*
|
|
34
|
+
* A WebSocket upgrade is returned untouched: it carries a `webSocket` handle
|
|
35
|
+
* that reconstruction would drop, breaking the upgrade. Its headers stay
|
|
36
|
+
* immutable, so callers must not write to an upgrade response.
|
|
25
37
|
*/
|
|
26
38
|
export declare function toMutableResponse(res: Response): Response;
|
|
27
39
|
/**
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { DataAdapters } from "@authhero/adapter-interfaces";
|
|
2
|
+
import { ExportLine, ExportOptions } from "./types";
|
|
3
|
+
/**
|
|
4
|
+
* Lazily yield an ordered stream of `{ entity, data }` lines covering all
|
|
5
|
+
* durable data for `tenant_id`. The order matches {@link EXPORT_ORDER} so a
|
|
6
|
+
* sequential importer satisfies foreign keys (parents before children).
|
|
7
|
+
*
|
|
8
|
+
* This is a generator so the HTTP layer can serialize each line straight to the
|
|
9
|
+
* response (and into gzip) without ever materializing the whole export in
|
|
10
|
+
* memory. Only bounded per-entity working sets (id lists, the hook buffer) are
|
|
11
|
+
* held at a time.
|
|
12
|
+
*
|
|
13
|
+
* Ephemeral/audit entities and the global key pool are never emitted.
|
|
14
|
+
*/
|
|
15
|
+
export declare function exportTenantLines(data: DataAdapters, tenant_id: string, opts: ExportOptions): AsyncGenerator<ExportLine>;
|
|
16
|
+
/**
|
|
17
|
+
* Collect {@link exportTenantLines} into an array. Convenience for callers
|
|
18
|
+
* (e.g. tests) that want the whole export in memory; the HTTP layer streams the
|
|
19
|
+
* generator directly instead.
|
|
20
|
+
*/
|
|
21
|
+
export declare function exportTenant(data: DataAdapters, tenant_id: string, opts: ExportOptions): Promise<ExportLine[]>;
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { DataAdapters } from "@authhero/adapter-interfaces";
|
|
2
|
+
import { ExportLine, ImportOptions, ImportResult } from "./types";
|
|
3
|
+
/**
|
|
4
|
+
* Recreate every row from an export stream under `tenant_id`, in the stream's
|
|
5
|
+
* FK-safe order, preserving ids/timestamps via `importMetadata`. Per-row
|
|
6
|
+
* failures are collected rather than aborting the whole run.
|
|
7
|
+
*
|
|
8
|
+
* The target tenant is created from the `tenants` line only when it does not
|
|
9
|
+
* already exist, and always under `tenant_id` (the source id is overridden) so
|
|
10
|
+
* an export can be loaded into a freshly-provisioned tenant.
|
|
11
|
+
*/
|
|
12
|
+
export declare function importTenant(data: DataAdapters, tenant_id: string, lines: ExportLine[], opts: ImportOptions): Promise<ImportResult>;
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* FK-safe import order: parents are listed before their children so a
|
|
3
|
+
* sequential importer can always satisfy foreign keys. The exporter emits
|
|
4
|
+
* lines in this same order.
|
|
5
|
+
*
|
|
6
|
+
* Excluded entirely (never exported or imported):
|
|
7
|
+
* - keys — global signing-key pool; the target generates its own.
|
|
8
|
+
* - ephemeral / audit: sessions, refresh_tokens, codes, login_sessions,
|
|
9
|
+
* logs, action_executions, outbox_events, grants.
|
|
10
|
+
*/
|
|
11
|
+
export declare const EXPORT_ORDER: readonly ["tenants", "clients", "connections", "resource_servers", "roles", "organizations", "users", "passwords", "authentication_methods", "user_roles", "user_permissions", "role_permissions", "organization_connections", "user_organizations", "client_grants", "invites", "actions", "action_versions", "hook_code", "hooks", "flows", "forms", "themes", "branding", "prompt_settings", "universal_login_templates", "custom_text", "email_providers", "email_templates", "custom_domains", "log_streams", "migration_sources", "proxy_routes"];
|
|
12
|
+
export type ExportEntity = (typeof EXPORT_ORDER)[number];
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal, `as`-free helpers for reading fields off the `unknown` rows carried
|
|
3
|
+
* in an export stream. Import code only needs to pluck a handful of string
|
|
4
|
+
* fields (id columns + timestamps) to reconstruct `importMetadata`; the full
|
|
5
|
+
* row is forwarded to the adapter as the typed insert payload after a single
|
|
6
|
+
* narrowing step.
|
|
7
|
+
*/
|
|
8
|
+
/** Narrow an unknown value to a plain record, or `undefined` if it isn't one. */
|
|
9
|
+
export declare function asRecord(value: unknown): Record<string, unknown> | undefined;
|
|
10
|
+
/** Read a string field off an unknown row, or `undefined` when absent. */
|
|
11
|
+
export declare function getString(value: unknown, key: string): string | undefined;
|
|
12
|
+
/**
|
|
13
|
+
* Return a shallow copy of an unknown row with `null`/`undefined` top-level
|
|
14
|
+
* fields removed. Export rows are full entities whose optional enum/object
|
|
15
|
+
* columns are often serialized as `null`; the matching *Insert* zod schemas
|
|
16
|
+
* mark those fields optional (not nullable), so they reject a present-but-null
|
|
17
|
+
* value. Dropping nullish keys lets a faithful row parse cleanly while keeping
|
|
18
|
+
* every real value intact.
|
|
19
|
+
*/
|
|
20
|
+
export declare function withoutNullish(value: unknown): Record<string, unknown>;
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
import { DataAdapters, ImportMetadata } from "@authhero/adapter-interfaces";
|
|
2
|
+
/**
|
|
3
|
+
* A single JSON-lines record in a tenant export stream.
|
|
4
|
+
*
|
|
5
|
+
* `entity` is the durable entity name (see {@link EXPORT_ORDER}); `data` is the
|
|
6
|
+
* raw row as returned by the source adapter's read methods. The stream is
|
|
7
|
+
* ordered so that a sequential importer can recreate FK parents before their
|
|
8
|
+
* children.
|
|
9
|
+
*/
|
|
10
|
+
export interface ExportLine {
|
|
11
|
+
entity: string;
|
|
12
|
+
data: unknown;
|
|
13
|
+
}
|
|
14
|
+
export interface ExportOptions {
|
|
15
|
+
/**
|
|
16
|
+
* When false, the `passwords` entity is skipped entirely on export so the
|
|
17
|
+
* stream never carries password hashes. Defaults to false at the call sites
|
|
18
|
+
* that want a redacted export.
|
|
19
|
+
*/
|
|
20
|
+
includePasswordHashes: boolean;
|
|
21
|
+
}
|
|
22
|
+
export interface ImportOptions {
|
|
23
|
+
/**
|
|
24
|
+
* When false, any `passwords` lines present in the stream are ignored on
|
|
25
|
+
* import (defence in depth — a redacted export shouldn't contain them, but
|
|
26
|
+
* the importer refuses to write them regardless).
|
|
27
|
+
*/
|
|
28
|
+
includePasswordHashes: boolean;
|
|
29
|
+
}
|
|
30
|
+
/** One failed row during import, surfaced rather than aborting the whole run. */
|
|
31
|
+
export interface ImportError {
|
|
32
|
+
entity: string;
|
|
33
|
+
error: string;
|
|
34
|
+
}
|
|
35
|
+
export interface ImportResult {
|
|
36
|
+
/** Number of rows successfully written, keyed by entity name. */
|
|
37
|
+
counts: Record<string, number>;
|
|
38
|
+
/** Non-fatal per-row failures collected during the run. */
|
|
39
|
+
errors: ImportError[];
|
|
40
|
+
}
|
|
41
|
+
/**
|
|
42
|
+
* Build the `importMetadata` argument from a row, preserving id/timestamps.
|
|
43
|
+
* Returns `undefined` when none of the fields are present so callers can spread
|
|
44
|
+
* it without sending an empty object.
|
|
45
|
+
*/
|
|
46
|
+
export declare function buildImportMetadata(params: {
|
|
47
|
+
id?: string;
|
|
48
|
+
created_at?: string;
|
|
49
|
+
updated_at?: string;
|
|
50
|
+
}): {
|
|
51
|
+
importMetadata: ImportMetadata;
|
|
52
|
+
} | undefined;
|
|
53
|
+
export type { DataAdapters };
|