create-apppaaaul 2.0.41 → 2.0.43

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/callback.js

@@ -0,0 +1,248 @@
+import * as checks from "./checks.js";
+import * as o from "oauth4webapi";
+import { OAuthCallbackError, OAuthProfileParseError, } from "../../../../errors.js";
+import { isOIDCProvider } from "../../../utils/providers.js";
+import { conformInternal, customFetch } from "../../../symbols.js";
+import { decodeJwt } from "jose";
+function formUrlEncode(token) {
+    return encodeURIComponent(token).replace(/%20/g, "+");
+}
+/**
+ * Formats client_id and client_secret as an HTTP Basic Authentication header as per the OAuth 2.0
+ * specified in RFC6749.
+ */
+function clientSecretBasic(clientId, clientSecret) {
+    const username = formUrlEncode(clientId);
+    const password = formUrlEncode(clientSecret);
+    const credentials = btoa(`${username}:${password}`);
+    return `Basic ${credentials}`;
+}
+/**
+ * Handles the following OAuth steps.
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
+ * https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
+ *
+ * @note Although requesting userinfo is not required by the OAuth2.0 spec,
+ * we fetch it anyway. This is because we always want a user profile.
+ */
+export async function handleOAuth(params, cookies, options) {
+    const { logger, provider } = options;
+    let as;
+    const { token, userinfo } = provider;
+    // Falls back to authjs.dev if the user only passed params
+    if ((!token?.url || token.url.host === "authjs.dev") &&
+        (!userinfo?.url || userinfo.url.host === "authjs.dev")) {
+        // We assume that issuer is always defined as this has been asserted earlier
+        const issuer = new URL(provider.issuer);
+        const discoveryResponse = await o.discoveryRequest(issuer, {
+            [o.allowInsecureRequests]: true,
+            [o.customFetch]: provider[customFetch],
+        });
+        as = await o.processDiscoveryResponse(issuer, discoveryResponse);
+        if (!as.token_endpoint)
+            throw new TypeError("TODO: Authorization server did not provide a token endpoint.");
+        if (!as.userinfo_endpoint)
+            throw new TypeError("TODO: Authorization server did not provide a userinfo endpoint.");
+    }
+    else {
+        as = {
+            issuer: provider.issuer ?? "https://authjs.dev", // TODO: review fallback issuer
+            token_endpoint: token?.url.toString(),
+            userinfo_endpoint: userinfo?.url.toString(),
+        };
+    }
+    const client = {
+        client_id: provider.clientId,
+        ...provider.client,
+    };
+    let clientAuth;
+    switch (client.token_endpoint_auth_method) {
+        // TODO: in the next breaking major version have undefined be `client_secret_post`
+        case undefined:
+        case "client_secret_basic":
+            // TODO: in the next breaking major version use o.ClientSecretBasic() here
+            clientAuth = (_as, _client, _body, headers) => {
+                headers.set("authorization", clientSecretBasic(provider.clientId, provider.clientSecret));
+            };
+            break;
+        case "client_secret_post":
+            clientAuth = o.ClientSecretPost(provider.clientSecret);
+            break;
+        case "client_secret_jwt":
+            clientAuth = o.ClientSecretJwt(provider.clientSecret);
+            break;
+        case "private_key_jwt":
+            clientAuth = o.PrivateKeyJwt(provider.token.clientPrivateKey, {
+                // TODO: review in the next breaking change
+                [o.modifyAssertion](_header, payload) {
+                    payload.aud = [as.issuer, as.token_endpoint];
+                },
+            });
+            break;
+        case "none":
+            clientAuth = o.None();
+            break;
+        default:
+            throw new Error("unsupported client authentication method");
+    }
+    const resCookies = [];
+    const state = await checks.state.use(cookies, resCookies, options);
+    let codeGrantParams;
+    try {
+        codeGrantParams = o.validateAuthResponse(as, client, new URLSearchParams(params), provider.checks.includes("state") ? state : o.skipStateCheck);
+    }
+    catch (err) {
+        if (err instanceof o.AuthorizationResponseError) {
+            const cause = {
+                providerId: provider.id,
+                ...Object.fromEntries(err.cause.entries()),
+            };
+            logger.debug("OAuthCallbackError", cause);
+            throw new OAuthCallbackError("OAuth Provider returned an error", cause);
+        }
+        throw err;
+    }
+    const codeVerifier = await checks.pkce.use(cookies, resCookies, options);
+    let redirect_uri = provider.callbackUrl;
+    if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
+        redirect_uri = provider.redirectProxyUrl;
+    }
+    let codeGrantResponse = await o.authorizationCodeGrantRequest(as, client, clientAuth, codeGrantParams, redirect_uri, codeVerifier ?? "decoy", {
+        // TODO: move away from allowing insecure HTTP requests
+        [o.allowInsecureRequests]: true,
+        [o.customFetch]: (...args) => {
+            if (!provider.checks.includes("pkce")) {
+                args[1].body.delete("code_verifier");
+            }
+            return (provider[customFetch] ?? fetch)(...args);
+        },
+    });
+    if (provider.token?.conform) {
+        codeGrantResponse =
+            (await provider.token.conform(codeGrantResponse.clone())) ??
+                codeGrantResponse;
+    }
+    let profile = {};
+    const requireIdToken = isOIDCProvider(provider);
+    if (provider[conformInternal]) {
+        switch (provider.id) {
+            case "microsoft-entra-id":
+            case "azure-ad": {
+                /**
+                 * These providers return errors in the response body and
+                 * need the authorization server metadata to be re-processed
+                 * based on the `id_token`'s `tid` claim.
+                 * @see: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#error-response-1
+                 */
+                const responseJson = await codeGrantResponse.clone().json();
+                if (responseJson.error) {
+                    const cause = {
+                        providerId: provider.id,
+                        ...responseJson,
+                    };
+                    throw new OAuthCallbackError(`OAuth Provider returned an error: ${responseJson.error}`, cause);
+                }
+                const { tid } = decodeJwt(responseJson.id_token);
+                if (typeof tid === "string") {
+                    const tenantRe = /microsoftonline\.com\/(\w+)\/v2\.0/;
+                    const tenantId = as.issuer?.match(tenantRe)?.[1] ?? "common";
+                    const issuer = new URL(as.issuer.replace(tenantId, tid));
+                    const discoveryResponse = await o.discoveryRequest(issuer, {
+                        [o.customFetch]: provider[customFetch],
+                    });
+                    as = await o.processDiscoveryResponse(issuer, discoveryResponse);
+                }
+                break;
+            }
+            default:
+                break;
+        }
+    }
+    const processedCodeResponse = await o.processAuthorizationCodeResponse(as, client, codeGrantResponse, {
+        expectedNonce: await checks.nonce.use(cookies, resCookies, options),
+        requireIdToken,
+    });
+    const tokens = processedCodeResponse;
+    if (requireIdToken) {
+        const idTokenClaims = o.getValidatedIdTokenClaims(processedCodeResponse);
+        profile = idTokenClaims;
+        // Apple sends some of the user information in a `user` parameter as a stringified JSON.
+        // It also only does so the first time the user consents to share their information.
+        if (provider[conformInternal] && provider.id === "apple") {
+            try {
+                profile.user = JSON.parse(params?.user);
+            }
+            catch { }
+        }
+        if (provider.idToken === false) {
+            const userinfoResponse = await o.userInfoRequest(as, client, processedCodeResponse.access_token, {
+                [o.customFetch]: provider[customFetch],
+                // TODO: move away from allowing insecure HTTP requests
+                [o.allowInsecureRequests]: true,
+            });
+            profile = await o.processUserInfoResponse(as, client, idTokenClaims.sub, userinfoResponse);
+        }
+    }
+    else {
+        if (userinfo?.request) {
+            const _profile = await userinfo.request({ tokens, provider });
+            if (_profile instanceof Object)
+                profile = _profile;
+        }
+        else if (userinfo?.url) {
+            const userinfoResponse = await o.userInfoRequest(as, client, processedCodeResponse.access_token, {
+                [o.customFetch]: provider[customFetch],
+                // TODO: move away from allowing insecure HTTP requests
+                [o.allowInsecureRequests]: true,
+            });
+            profile = await userinfoResponse.json();
+        }
+        else {
+            throw new TypeError("No userinfo endpoint configured");
+        }
+    }
+    if (tokens.expires_in) {
+        tokens.expires_at =
+            Math.floor(Date.now() / 1000) + Number(tokens.expires_in);
+    }
+    const profileResult = await getUserAndAccount(profile, provider, tokens, logger);
+    return { ...profileResult, profile, cookies: resCookies };
+}
+/**
+ * Returns the user and account that is going to be created in the database.
+ * @internal
+ */
+export async function getUserAndAccount(OAuthProfile, provider, tokens, logger) {
+    try {
+        const userFromProfile = await provider.profile(OAuthProfile, tokens);
+        const user = {
+            ...userFromProfile,
+            // The user's id is intentionally not set based on the profile id, as
+            // the user should remain independent of the provider and the profile id
+            // is saved on the Account already, as `providerAccountId`.
+            id: crypto.randomUUID(),
+            email: userFromProfile.email?.toLowerCase(),
+        };
+        return {
+            user,
+            account: {
+                ...tokens,
+                provider: provider.id,
+                type: provider.type,
+                providerAccountId: userFromProfile.id ?? crypto.randomUUID(),
+            },
+        };
+    }
+    catch (e) {
+        // If we didn't get a response either there was a problem with the provider
+        // response *or* the user cancelled the action with the provider.
+        //
+        // Unfortunately, we can't tell which - at least not in a way that works for
+        // all providers, so we return an empty object; the user should then be
+        // redirected back to the sign up page. We log the error to help developers
+        // who might be trying to debug this when configuring a new provider.
+        logger.debug("getProfile error details", OAuthProfile);
+        logger.error(new OAuthProfileParseError(e, { provider: provider.id }));
+    }
+}

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/checks.d.ts

@@ -0,0 +1,70 @@
+import type { InternalOptions, RequestInternal, User } from "../../../../types.js";
+import type { Cookie } from "../../../utils/cookie.js";
+import type { WebAuthnProviderType } from "../../../../providers/webauthn.js";
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc7636
+ * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#pkce
+ */
+export declare const pkce: {
+    /** Creates a PKCE code challenge and verifier pair. The verifier in stored in the cookie. */
+    create(options: InternalOptions<"oauth">): Promise<{
+        cookie: Cookie;
+        value: string;
+    }>;
+    /**
+     * Returns code_verifier if the provider is configured to use PKCE,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the code_verifier is missing or invalid.
+     */
+    use: (cookies: RequestInternal["cookies"], resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+};
+interface EncodedState {
+    origin?: string;
+    random: string;
+}
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ */
+export declare const state: {
+    /** Creates a state cookie with an optionally encoded body. */
+    create(options: InternalOptions<"oauth">, origin?: string): Promise<{
+        cookie: Cookie;
+        value: string;
+    } | undefined>;
+    /**
+     * Returns state if the provider is configured to use state,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the state is missing or invalid.
+     */
+    use: (cookies: RequestInternal["cookies"], resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+    /** Decodes the state. If it could not be decoded, it throws an error. */
+    decode(state: string, options: InternalOptions): Promise<EncodedState>;
+};
+export declare const nonce: {
+    create(options: InternalOptions<"oidc">): Promise<{
+        cookie: Cookie;
+        value: string;
+    } | undefined>;
+    /**
+     * Returns nonce if the provider is configured to use nonce,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the nonce is missing or invalid.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+     * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#nonce
+     */
+    use: (cookies: RequestInternal["cookies"], resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+};
+interface WebAuthnChallengePayload {
+    challenge: string;
+    registerData?: User;
+}
+export declare const webauthnChallenge: {
+    create(options: InternalOptions<WebAuthnProviderType>, challenge: string, registerData?: User): Promise<{
+        cookie: Cookie;
+    }>;
+    /** Returns WebAuthn challenge if present. */
+    use(options: InternalOptions<WebAuthnProviderType>, cookies: RequestInternal["cookies"], resCookies: Cookie[]): Promise<WebAuthnChallengePayload>;
+};
+export {};
+//# sourceMappingURL=checks.d.ts.map

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../../../src/lib/actions/callback/oauth/checks.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAEV,eAAe,EACf,eAAe,EACf,IAAI,EACL,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AA8F7E;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,6FAA6F;oBACvE,gBAAgB,OAAO,CAAC;;;;IAM9C;;;;OAIG;mBA9BQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;CA8BnC,CAAA;AAED,UAAU,YAAY;IACpB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;CACf;AAKD;;;GAGG;AACH,eAAO,MAAM,KAAK;IAChB,8DAA8D;oBACxC,gBAAgB,OAAO,CAAC,WAAW,MAAM;;;;IA0B/D;;;;OAIG;mBA9EQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;IA8ElC,yEAAyE;kBACrD,MAAM,WAAW,eAAe;CAcrD,CAAA;AAED,eAAO,MAAM,KAAK;oBACM,gBAAgB,MAAM,CAAC;;;;IAM7C;;;;;;OAMG;mBA9GQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;CA8GnC,CAAA;AAID,UAAU,wBAAwB;IAChC,SAAS,EAAE,MAAM,CAAA;IACjB,YAAY,CAAC,EAAE,IAAI,CAAA;CACpB;AAGD,eAAO,MAAM,iBAAiB;oBAEjB,gBAAgB,oBAAoB,CAAC,aACnC,MAAM,iBACF,IAAI;;;IAerB,6CAA6C;iBAElC,gBAAgB,oBAAoB,CAAC,WACrC,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,GACnB,QAAQ,wBAAwB,CAAC;CAkBrC,CAAA"}

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/checks.js

@@ -0,0 +1,188 @@
+import * as o from "oauth4webapi";
+import { InvalidCheck } from "../../../../errors.js";
+// NOTE: We use the default JWT methods here because they encrypt/decrypt the payload, not just sign it.
+import { decode, encode } from "../../../../jwt.js";
+const COOKIE_TTL = 60 * 15; // 15 minutes
+/** Returns a cookie with a JWT encrypted payload. */
+async function sealCookie(name, payload, options) {
+    const { cookies, logger } = options;
+    const cookie = cookies[name];
+    const expires = new Date();
+    expires.setTime(expires.getTime() + COOKIE_TTL * 1000);
+    logger.debug(`CREATE_${name.toUpperCase()}`, {
+        name: cookie.name,
+        payload,
+        COOKIE_TTL,
+        expires,
+    });
+    const encoded = await encode({
+        ...options.jwt,
+        maxAge: COOKIE_TTL,
+        token: { value: payload },
+        salt: cookie.name,
+    });
+    const cookieOptions = { ...cookie.options, expires };
+    return { name: cookie.name, value: encoded, options: cookieOptions };
+}
+async function parseCookie(name, value, options) {
+    try {
+        const { logger, cookies, jwt } = options;
+        logger.debug(`PARSE_${name.toUpperCase()}`, { cookie: value });
+        if (!value)
+            throw new InvalidCheck(`${name} cookie was missing`);
+        const parsed = await decode({
+            ...jwt,
+            token: value,
+            salt: cookies[name].name,
+        });
+        if (parsed?.value)
+            return parsed.value;
+        throw new Error("Invalid cookie");
+    }
+    catch (error) {
+        throw new InvalidCheck(`${name} value could not be parsed`, {
+            cause: error,
+        });
+    }
+}
+function clearCookie(name, options, resCookies) {
+    const { logger, cookies } = options;
+    const cookie = cookies[name];
+    logger.debug(`CLEAR_${name.toUpperCase()}`, { cookie });
+    resCookies.push({
+        name: cookie.name,
+        value: "",
+        options: { ...cookies[name].options, maxAge: 0 },
+    });
+}
+function useCookie(check, name) {
+    return async function (cookies, resCookies, options) {
+        const { provider, logger } = options;
+        if (!provider?.checks?.includes(check))
+            return;
+        const cookieValue = cookies?.[options.cookies[name].name];
+        logger.debug(`USE_${name.toUpperCase()}`, { value: cookieValue });
+        const parsed = await parseCookie(name, cookieValue, options);
+        clearCookie(name, options, resCookies);
+        return parsed;
+    };
+}
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc7636
+ * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#pkce
+ */
+export const pkce = {
+    /** Creates a PKCE code challenge and verifier pair. The verifier in stored in the cookie. */
+    async create(options) {
+        const code_verifier = o.generateRandomCodeVerifier();
+        const value = await o.calculatePKCECodeChallenge(code_verifier);
+        const cookie = await sealCookie("pkceCodeVerifier", code_verifier, options);
+        return { cookie, value };
+    },
+    /**
+     * Returns code_verifier if the provider is configured to use PKCE,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the code_verifier is missing or invalid.
+     */
+    use: useCookie("pkce", "pkceCodeVerifier"),
+};
+const STATE_MAX_AGE = 60 * 15; // 15 minutes in seconds
+const encodedStateSalt = "encodedState";
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ */
+export const state = {
+    /** Creates a state cookie with an optionally encoded body. */
+    async create(options, origin) {
+        const { provider } = options;
+        if (!provider.checks.includes("state")) {
+            if (origin) {
+                throw new InvalidCheck("State data was provided but the provider is not configured to use state");
+            }
+            return;
+        }
+        // IDEA: Allow the user to pass data to be stored in the state
+        const payload = {
+            origin,
+            random: o.generateRandomState(),
+        };
+        const value = await encode({
+            secret: options.jwt.secret,
+            token: payload,
+            salt: encodedStateSalt,
+            maxAge: STATE_MAX_AGE,
+        });
+        const cookie = await sealCookie("state", value, options);
+        return { cookie, value };
+    },
+    /**
+     * Returns state if the provider is configured to use state,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the state is missing or invalid.
+     */
+    use: useCookie("state", "state"),
+    /** Decodes the state. If it could not be decoded, it throws an error. */
+    async decode(state, options) {
+        try {
+            options.logger.debug("DECODE_STATE", { state });
+            const payload = await decode({
+                secret: options.jwt.secret,
+                token: state,
+                salt: encodedStateSalt,
+            });
+            if (payload)
+                return payload;
+            throw new Error("Invalid state");
+        }
+        catch (error) {
+            throw new InvalidCheck("State could not be decoded", { cause: error });
+        }
+    },
+};
+export const nonce = {
+    async create(options) {
+        if (!options.provider.checks.includes("nonce"))
+            return;
+        const value = o.generateRandomNonce();
+        const cookie = await sealCookie("nonce", value, options);
+        return { cookie, value };
+    },
+    /**
+     * Returns nonce if the provider is configured to use nonce,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the nonce is missing or invalid.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+     * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#nonce
+     */
+    use: useCookie("nonce", "nonce"),
+};
+const WEBAUTHN_CHALLENGE_MAX_AGE = 60 * 15; // 15 minutes in seconds
+const webauthnChallengeSalt = "encodedWebauthnChallenge";
+export const webauthnChallenge = {
+    async create(options, challenge, registerData) {
+        return {
+            cookie: await sealCookie("webauthnChallenge", await encode({
+                secret: options.jwt.secret,
+                token: { challenge, registerData },
+                salt: webauthnChallengeSalt,
+                maxAge: WEBAUTHN_CHALLENGE_MAX_AGE,
+            }), options),
+        };
+    },
+    /** Returns WebAuthn challenge if present. */
+    async use(options, cookies, resCookies) {
+        const cookieValue = cookies?.[options.cookies.webauthnChallenge.name];
+        const parsed = await parseCookie("webauthnChallenge", cookieValue, options);
+        const payload = await decode({
+            secret: options.jwt.secret,
+            token: parsed,
+            salt: webauthnChallengeSalt,
+        });
+        // Clear the WebAuthn challenge cookie after use
+        clearCookie("webauthnChallenge", options, resCookies);
+        if (!payload)
+            throw new InvalidCheck("WebAuthn challenge was missing");
+        return payload;
+    },
+};

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.d.ts

@@ -0,0 +1,33 @@
+import type { AuthAction, InternalOptions } from "../../../../types.js";
+interface CreateCSRFTokenParams {
+    options: InternalOptions;
+    cookieValue?: string;
+    isPost: boolean;
+    bodyValue?: string;
+}
+/**
+ * Ensure CSRF Token cookie is set for any subsequent requests.
+ * Used as part of the strategy for mitigation for CSRF tokens.
+ *
+ * Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
+ * where 'token' is the CSRF token and 'hash' is a hash made of the token and
+ * the secret, and the two values are joined by a pipe '|'. By storing the
+ * value and the hash of the value (with the secret used as a salt) we can
+ * verify the cookie was set by the server and not by a malicious attacker.
+ *
+ * For more details, see the following OWASP links:
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
+ * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
+ */
+export declare function createCSRFToken({ options, cookieValue, isPost, bodyValue, }: CreateCSRFTokenParams): Promise<{
+    csrfTokenVerified: boolean;
+    csrfToken: string;
+    cookie?: undefined;
+} | {
+    cookie: string;
+    csrfToken: string;
+    csrfTokenVerified?: undefined;
+}>;
+export declare function validateCSRF(action: AuthAction, verified?: boolean): void;
+export {};
+//# sourceMappingURL=csrf-token.d.ts.map

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf-token.d.ts","sourceRoot":"","sources":["../../../../src/lib/actions/callback/oauth/csrf-token.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AAEvE,UAAU,qBAAqB;IAC7B,OAAO,EAAE,eAAe,CAAA;IACxB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,MAAM,EAAE,OAAO,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CAAC,EACpC,OAAO,EACP,WAAW,EACX,MAAM,EACN,SAAS,GACV,EAAE,qBAAqB;;;;;;;;GAwBvB;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,OAAO,QAGlE"}

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/callback/oauth/csrf-token.js

@@ -0,0 +1,39 @@
+import { createHash, randomString } from "../../../utils/web.js";
+import { MissingCSRF } from "../../../../errors.js";
+/**
+ * Ensure CSRF Token cookie is set for any subsequent requests.
+ * Used as part of the strategy for mitigation for CSRF tokens.
+ *
+ * Creates a cookie like 'next-auth.csrf-token' with the value 'token|hash',
+ * where 'token' is the CSRF token and 'hash' is a hash made of the token and
+ * the secret, and the two values are joined by a pipe '|'. By storing the
+ * value and the hash of the value (with the secret used as a salt) we can
+ * verify the cookie was set by the server and not by a malicious attacker.
+ *
+ * For more details, see the following OWASP links:
+ * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
+ * https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
+ */
+export async function createCSRFToken({ options, cookieValue, isPost, bodyValue, }) {
+    if (cookieValue) {
+        const [csrfToken, csrfTokenHash] = cookieValue.split("|");
+        const expectedCsrfTokenHash = await createHash(`${csrfToken}${options.secret}`);
+        if (csrfTokenHash === expectedCsrfTokenHash) {
+            // If hash matches then we trust the CSRF token value
+            // If this is a POST request and the CSRF Token in the POST request matches
+            // the cookie we have already verified is the one we have set, then the token is verified!
+            const csrfTokenVerified = isPost && csrfToken === bodyValue;
+            return { csrfTokenVerified, csrfToken };
+        }
+    }
+    // New CSRF token
+    const csrfToken = randomString(32);
+    const csrfTokenHash = await createHash(`${csrfToken}${options.secret}`);
+    const cookie = `${csrfToken}|${csrfTokenHash}`;
+    return { cookie, csrfToken };
+}
+export function validateCSRF(action, verified) {
+    if (verified)
+        return;
+    throw new MissingCSRF(`CSRF token was missing during an action ${action}`);
+}

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/index.d.ts

@@ -0,0 +1,6 @@
+export { callback } from "./callback/index.js";
+export { session } from "./session.js";
+export { signIn } from "./signin/index.js";
+export { signOut } from "./signout.js";
+export { webAuthnOptions } from "./webauthn-options.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/actions/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAA;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AACtC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA"}

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/index.js

@@ -0,0 +1,5 @@
+export { callback } from "./callback/index.js";
+export { session } from "./session.js";
+export { signIn } from "./signin/index.js";
+export { signOut } from "./signout.js";
+export { webAuthnOptions } from "./webauthn-options.js";

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/session.d.ts

@@ -0,0 +1,5 @@
+import type { InternalOptions, ResponseInternal, Session } from "../../types.js";
+import type { Cookie, SessionStore } from "../utils/cookie.js";
+/** Return a session object filtered via `callbacks.session` */
+export declare function session(options: InternalOptions, sessionStore: SessionStore, cookies: Cookie[], isUpdate?: boolean, newSession?: any): Promise<ResponseInternal<Session | null>>;
+//# sourceMappingURL=session.d.ts.map

package/dist/templates/nextjs-ts-landing-prisma/project/node_modules/.pnpm/@auth+core@0.41.1_nodemailer@7.0.11/node_modules/@auth/core/lib/actions/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/lib/actions/session.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AAChF,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAE9D,+DAA+D;AAC/D,wBAAsB,OAAO,CAC3B,OAAO,EAAE,eAAe,EACxB,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,MAAM,EAAE,EACjB,QAAQ,CAAC,EAAE,OAAO,EAClB,UAAU,CAAC,EAAE,GAAG,GACf,OAAO,CAAC,gBAAgB,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAwJ3C"}