create-authhero 0.41.2 → 0.42.0

package/dist/cloudflare/copy-assets.js

@@ -86,12 +86,12 @@ try {
     );
   }
 
-  // Copy admin UI files from @authhero/react-admin package
+  // Copy admin UI files from @authhero/admin package
   const adminSourceDir = path.join(
     __dirname,
     "node_modules",
     "@authhero",
-    "react-admin",
+    "admin",
     "dist",
   );
 

package/dist/create-authhero.js

@@ -2,7 +2,7 @@
 import { Command as R } from "commander";
 import m from "inquirer";
 import i from "fs";
-import s from "path";
+import a from "path";
 import { fileURLToPath as O } from "url";
 import { spawn as U } from "child_process";
 const N = new R(), p = {
@@ -10,10 +10,10 @@ const N = new R(), p = {
     name: "Local (SQLite)",
     description: "Local development setup with SQLite database - great for getting started",
     templateDir: "local",
-    packageJson: (a, e, o, r, n) => {
+    packageJson: (s, e, o, r, n) => {
       const t = r ? "workspace:*" : "latest";
       return {
-        name: a,
+        name: s,
         version: "1.0.0",
         type: "module",
         scripts: {
@@ -24,7 +24,7 @@ const N = new R(), p = {
         },
         dependencies: {
           "@authhero/kysely-adapter": t,
-          ...n && { "@authhero/react-admin": t },
+          ...n && { "@authhero/admin": t },
           "@authhero/widget": t,
           "@hono/swagger-ui": "^0.5.0",
           "@hono/zod-openapi": "^0.19.0",
@@ -50,10 +50,10 @@ const N = new R(), p = {
     name: "Cloudflare Workers (D1)",
     description: "Cloudflare Workers setup with D1 database",
     templateDir: "cloudflare",
-    packageJson: (a, e, o, r, n) => {
+    packageJson: (s, e, o, r, n) => {
       const t = r ? "workspace:*" : "latest";
       return {
-        name: a,
+        name: s,
         version: "1.0.0",
         type: "module",
         scripts: {
@@ -73,7 +73,7 @@ const N = new R(), p = {
         dependencies: {
           "@authhero/drizzle": t,
           "@authhero/kysely-adapter": t,
-          ...n && { "@authhero/react-admin": t },
+          ...n && { "@authhero/admin": t },
           "@authhero/widget": t,
           "@hono/swagger-ui": "^0.5.0",
           "@hono/zod-openapi": "^0.19.0",
@@ -99,10 +99,10 @@ const N = new R(), p = {
     name: "AWS SST (Lambda + DynamoDB)",
     description: "Serverless AWS deployment with Lambda, DynamoDB, and SST",
     templateDir: "aws-sst",
-    packageJson: (a, e, o, r, n) => {
+    packageJson: (s, e, o, r, n) => {
       const t = r ? "workspace:*" : "latest";
       return {
-        name: a,
+        name: s,
         version: "1.0.0",
         type: "module",
         scripts: {
@@ -114,7 +114,7 @@ const N = new R(), p = {
         },
         dependencies: {
           "@authhero/aws": t,
-          ...n && { "@authhero/react-admin": t },
+          ...n && { "@authhero/admin": t },
           "@authhero/widget": t,
           "@aws-sdk/client-dynamodb": "^3.0.0",
           "@aws-sdk/lib-dynamodb": "^3.0.0",
@@ -137,14 +137,14 @@ const N = new R(), p = {
     seedFile: "seed.ts"
   }
 };
-function P(a, e) {
-  i.readdirSync(a).forEach((r) => {
-    const n = s.join(a, r), t = s.join(e, r);
+function P(s, e) {
+  i.readdirSync(s).forEach((r) => {
+    const n = a.join(s, r), t = a.join(e, r);
     i.lstatSync(n).isDirectory() ? (i.mkdirSync(t, { recursive: !0 }), P(n, t)) : i.copyFileSync(n, t);
   });
 }
-function $(a, e = !1, o = "authhero-local", r) {
-  const n = a ? "control_plane" : "main", t = a ? "Control Plane" : "Main", c = [
+function $(s, e = !1, o = "authhero-local", r) {
+  const n = s ? "control_plane" : "main", t = s ? "Control Plane" : "Main", c = [
     "https://manage.authhero.net/auth-callback",
     "https://local.authhero.net/auth-callback",
     "http://localhost:5173/auth-callback",
@@ -166,15 +166,19 @@ function $(a, e = !1, o = "authhero-local", r) {
   // requires either an explicit audience or a tenant default_audience to mint
   // an access token, so set one here for the conformance setup.
   // enable_dynamic_client_registration is required by the OIDCC dynamic plan,
-  // which has the suite register its own client via /oidc/register. Existing
-  // flags (e.g. inherit_global_permissions_in_organizations set by seed for
-  // the control-plane tenant) are merged in so the update doesn't clobber.
+  // which has the suite register its own client via /oidc/register. The
+  // OIDCC dynamic_client variant uses open DCR (no Initial Access Token), so
+  // dcr_require_initial_access_token must be flipped off — the AuthHero
+  // default is to require an IAT. Existing flags (e.g.
+  // inherit_global_permissions_in_organizations set by seed for the
+  // control-plane tenant) are merged in so the update doesn't clobber.
   const existingTenant = await adapters.tenants.get("${n}");
   await adapters.tenants.update("${n}", {
     default_audience: "urn:authhero:management",
     flags: {
       ...(existingTenant?.flags ?? {}),
       enable_dynamic_client_registration: true,
+      dcr_require_initial_access_token: false,
     },
   });
   console.log("✅ Set tenant default_audience and enabled DCR for conformance");
@@ -192,39 +196,44 @@ function $(a, e = !1, o = "authhero-local", r) {
     "https://localhost.emobix.co.uk:8443",
   ];
 
-  try {
-    await adapters.clients.create("${n}", {
+  // Strict OIDC 5.4: scope-driven claims (profile/email/address/phone) belong
+  // in /userinfo whenever an access_token is co-issued at /authorize. The OIDF
+  // suite enforces this via EnsureIdTokenDoesNotContainEmailForScopeEmail;
+  // running the conformance tenant under Auth0-compatible defaults would WARN.
+  const conformanceClientSpecs = [
+    {
       client_id: "conformance-test",
       client_secret: "conformanceTestSecret123",
       name: "Conformance Test Client",
-      callbacks: conformanceCallbacks,
-      allowed_logout_urls: conformanceLogoutUrls,
-      web_origins: conformanceWebOrigins,
-    });
-    console.log("✅ Created conformance-test client");
-  } catch (e: any) {
-    if (e.message?.includes("UNIQUE constraint")) {
-      console.log("ℹ️  conformance-test client already exists");
-    } else {
-      throw e;
-    }
-  }
-
-  try {
-    await adapters.clients.create("${n}", {
+    },
+    {
       client_id: "conformance-test2",
       client_secret: "conformanceTestSecret456",
       name: "Conformance Test Client 2",
+    },
+  ];
+  for (const spec of conformanceClientSpecs) {
+    const desired = {
+      name: spec.name,
+      client_secret: spec.client_secret,
       callbacks: conformanceCallbacks,
       allowed_logout_urls: conformanceLogoutUrls,
       web_origins: conformanceWebOrigins,
-    });
-    console.log("✅ Created conformance-test2 client");
-  } catch (e: any) {
-    if (e.message?.includes("UNIQUE constraint")) {
-      console.log("ℹ️  conformance-test2 client already exists");
+      auth0_conformant: false,
+    };
+    // Idempotent reconcile: prior runs may have created the client with stale
+    // callbacks/web_origins after this seed file was changed. Update existing
+    // records in place rather than just logging "already exists".
+    const existing = await adapters.clients.get("${n}", spec.client_id);
+    if (existing) {
+      await adapters.clients.update("${n}", spec.client_id, desired);
+      console.log(\`🔄 Updated \${spec.client_id} client\`);
     } else {
-      throw e;
+      await adapters.clients.create("${n}", {
+        client_id: spec.client_id,
+        ...desired,
+      });
+      console.log(\`✅ Created \${spec.client_id} client\`);
     }
   }
 
@@ -343,7 +352,7 @@ async function main() {
     adminPassword,
     tenantId: "${n}",
     tenantName: "${t}",
-    isControlPlane: ${!!a},
+    isControlPlane: ${!!s},
     clientId: "default",
     callbacks: ${JSON.stringify(f)},
     allowedLogoutUrls: ${JSON.stringify(y)},
@@ -385,12 +394,12 @@ main().catch((err) => {
 });
 `;
 }
-function L(a, e) {
+function L(s, e) {
   const o = e ? `import fs from "fs";
 ` : "", r = e ? `
 const adminDistPath = path.resolve(
   __dirname,
-  "../node_modules/@authhero/react-admin/dist",
+  "../node_modules/@authhero/admin/dist",
 );
 const adminIndexPath = path.join(adminDistPath, "index.html");
 ` : "", n = e ? `
@@ -403,7 +412,7 @@ const adminIndexPath = path.join(adminDistPath, "index.html");
       .replace(/href="\\.\\//g, 'href="/admin/');
     const configJson = JSON.stringify({
       domain: issuer.replace(/\\/$/, ""),
-      clientId: ${a ? "CONTROL_PLANE_CLIENT_ID," : '"default",'}
+      clientId: ${s ? "CONTROL_PLANE_CLIENT_ID," : '"default",'}
       basePath: "/admin",
     }).replace(/</g, "\\\\u003c");
     configWithHandlers.adminIndexHtml = rawHtml.replace(
@@ -416,7 +425,7 @@ const adminIndexPath = path.join(adminDistPath, "index.html");
     });
   }
 ` : "";
-  return a ? `import { Context } from "hono";
+  return s ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { serveStatic } from "@hono/node-server/serve-static";
@@ -521,7 +530,7 @@ ${n}
 }
 `;
 }
-function j(a) {
+function j(s) {
   return `import { D1Dialect } from "kysely-d1";
 import { Kysely } from "kysely";
 import createAdapters from "@authhero/kysely-adapter";
@@ -548,9 +557,9 @@ export default {
         adminUsername,
         adminPassword,
         issuer,
-        tenantId: "${a ? "control_plane" : "main"}",
-        tenantName: "${a ? "Control Plane" : "Main"}",
-        isControlPlane: ${!!a},
+        tenantId: "${s ? "control_plane" : "main"}",
+        tenantName: "${s ? "Control Plane" : "Main"}",
+        isControlPlane: ${!!s},
         clientId: "default",
       });
 
@@ -582,11 +591,11 @@ export default {
 };
 `;
 }
-function H(a, e) {
+function H(s, e) {
   const o = e ? `import adminIndexHtml from "./admin-index-html";
 ` : "", r = e ? `    adminIndexHtml,
 ` : "";
-  return a ? `import { Context } from "hono";
+  return s ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { initMultiTenant } from "@authhero/multi-tenancy";
@@ -667,8 +676,8 @@ ${r}  });
 }
 `;
 }
-function M(a) {
-  return a ? `import { Context } from "hono";
+function F(s) {
+  return s ? `import { Context } from "hono";
 import { swaggerUI } from "@hono/swagger-ui";
 import { AuthHeroConfig, DataAdapters } from "authhero";
 import { initMultiTenant } from "@authhero/multi-tenancy";
@@ -773,7 +782,7 @@ export default function createApp(config: AppConfig) {
 }
 `;
 }
-function F(a) {
+function M(s) {
   return `import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import createAdapters from "@authhero/aws";
@@ -802,9 +811,9 @@ async function main() {
   await seed(adapters, {
     adminUsername,
     adminPassword,
-    tenantId: "${a ? "control_plane" : "main"}",
-    tenantName: "${a ? "Control Plane" : "Main"}",
-    isControlPlane: ${!!a},
+    tenantId: "${s ? "control_plane" : "main"}",
+    tenantName: "${s ? "Control Plane" : "Main"}",
+    isControlPlane: ${!!s},
   });
 
   console.log("✅ Database seeded successfully!");
@@ -813,21 +822,21 @@ async function main() {
 main().catch(console.error);
 `;
 }
-function W(a, e) {
-  const o = s.join(a, "src");
+function W(s, e) {
+  const o = a.join(s, "src");
   i.writeFileSync(
-    s.join(o, "app.ts"),
-    M(e)
-  ), i.writeFileSync(
-    s.join(o, "seed.ts"),
+    a.join(o, "app.ts"),
     F(e)
+  ), i.writeFileSync(
+    a.join(o, "seed.ts"),
+    M(e)
   );
 }
 function k() {
   console.log("\\n" + "─".repeat(50)), console.log("🔐 AuthHero deployed to AWS!"), console.log("📚 Check SST output for your API URL"), console.log("🚀 Open your server URL /setup to complete initial setup"), console.log("🌐 Portal available at https://local.authhero.net"), console.log("─".repeat(50) + "\\n");
 }
-function q(a) {
-  const e = s.join(a, ".github", "workflows");
+function q(s) {
+  const e = a.join(s, ".github", "workflows");
   i.mkdirSync(e, { recursive: !0 });
   const o = `name: Unit tests
 
@@ -915,9 +924,9 @@ jobs:
           apiToken: \${{ secrets.PROD_CLOUDFLARE_API_TOKEN }}
           command: deploy --env production
 `;
-  i.writeFileSync(s.join(e, "unit-tests.yml"), o), i.writeFileSync(s.join(e, "deploy-dev.yml"), r), i.writeFileSync(s.join(e, "release.yml"), n), console.log("\\n📦 GitHub CI workflows created!");
+  i.writeFileSync(a.join(e, "unit-tests.yml"), o), i.writeFileSync(a.join(e, "deploy-dev.yml"), r), i.writeFileSync(a.join(e, "release.yml"), n), console.log("\\n📦 GitHub CI workflows created!");
 }
-function J(a) {
+function J(s) {
   const e = {
     branches: ["main"],
     plugins: [
@@ -927,10 +936,10 @@ function J(a) {
     ]
   };
   i.writeFileSync(
-    s.join(a, ".releaserc.json"),
+    a.join(s, ".releaserc.json"),
     JSON.stringify(e, null, 2)
   );
-  const o = s.join(a, "package.json"), r = JSON.parse(i.readFileSync(o, "utf-8"));
+  const o = a.join(s, "package.json"), r = JSON.parse(i.readFileSync(o, "utf-8"));
   r.devDependencies = {
     ...r.devDependencies,
     "semantic-release": "^24.0.0"
@@ -940,9 +949,9 @@ function J(a) {
     "type-check": "tsc --noEmit"
   }, i.writeFileSync(o, JSON.stringify(r, null, 2));
 }
-function A(a, e) {
+function A(s, e) {
   return new Promise((o, r) => {
-    const n = U(a, [], {
+    const n = U(s, [], {
       cwd: e,
       shell: !0,
       stdio: "inherit"
@@ -952,13 +961,13 @@ function A(a, e) {
     }), n.on("error", r);
   });
 }
-function z(a, e, o) {
-  const r = s.join(a, "src");
+function z(s, e, o) {
+  const r = a.join(s, "src");
   i.writeFileSync(
-    s.join(r, "app.ts"),
+    a.join(r, "app.ts"),
     H(e, o)
   ), i.writeFileSync(
-    s.join(r, "seed.ts"),
+    a.join(r, "seed.ts"),
     j(e)
   );
 }
@@ -981,12 +990,12 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
 ).option(
   "--workspace",
   "use workspace:* dependencies for local monorepo development"
-).option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (a, e) => {
+).option("-y, --yes", "skip all prompts and use defaults/provided options").action(async (s, e) => {
   const o = e.yes === !0;
   console.log(`
 🔐 Welcome to AuthHero!
 `);
-  let r = a;
+  let r = s;
   r || (o ? (r = "auth-server", console.log(`Using default project name: ${r}`)) : r = (await m.prompt([
     {
       type: "input",
@@ -996,7 +1005,7 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
       validate: (u) => u !== "" || "Project name cannot be empty"
     }
   ])).projectName);
-  const n = s.join(process.cwd(), r);
+  const n = a.join(process.cwd(), r);
   i.existsSync(n) && (console.error(`❌ Project "${r}" already exists.`), process.exit(1));
   let t;
   e.template ? (["local", "cloudflare", "aws-sst"].includes(e.template) || (console.error(`❌ Invalid template: ${e.template}`), console.error("Valid options: local, cloudflare, aws-sst"), process.exit(1)), t = e.template, console.log(`Using template: ${p[t].name}`)) : t = (await m.prompt([
@@ -1052,7 +1061,7 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
   C && console.log("Workspace mode: enabled (using workspace:* dependencies)");
   const y = p[t];
   i.mkdirSync(n, { recursive: !0 }), i.writeFileSync(
-    s.join(n, "package.json"),
+    a.join(n, "package.json"),
     JSON.stringify(
       y.packageJson(
         r,
@@ -1065,18 +1074,18 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
       2
     )
   );
-  const _ = y.templateDir, S = s.dirname(O(import.meta.url)), x = [
-    s.join(S, _),
-    s.join(S, "..", "templates", _)
+  const _ = y.templateDir, S = a.dirname(O(import.meta.url)), x = [
+    a.join(S, _),
+    a.join(S, "..", "templates", _)
   ], I = x.find((l) => i.existsSync(l));
   if (I ? P(I, n) : (console.error(
     `❌ Template directory not found. Looked in:
   ${x.join(`
   `)}`
   ), process.exit(1)), t === "cloudflare" && z(n, c, d), t === "cloudflare") {
-    const l = s.join(n, "wrangler.toml"), u = s.join(n, "wrangler.local.toml");
+    const l = a.join(n, "wrangler.toml"), u = a.join(n, "wrangler.local.toml");
     i.existsSync(l) && i.copyFileSync(l, u);
-    const g = s.join(n, ".dev.vars.example"), w = s.join(n, ".dev.vars");
+    const g = a.join(n, ".dev.vars.example"), w = a.join(n, ".dev.vars");
     i.existsSync(g) && i.copyFileSync(g, w), console.log(
       "📁 Created wrangler.local.toml and .dev.vars for local development"
     );
@@ -1096,9 +1105,9 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
       h,
       d
     );
-    i.writeFileSync(s.join(n, "src/seed.ts"), l);
+    i.writeFileSync(a.join(n, "src/seed.ts"), l);
     const u = L(c, d);
-    i.writeFileSync(s.join(n, "src/app.ts"), u);
+    i.writeFileSync(a.join(n, "src/app.ts"), u);
   }
   if (t === "aws-sst" && W(n, c), f) {
     const l = {
@@ -1120,7 +1129,7 @@ N.version("1.0.0").description("Create a new AuthHero project").argument("[proje
       }
     };
     i.writeFileSync(
-      s.join(n, "conformance-config.json"),
+      a.join(n, "conformance-config.json"),
       JSON.stringify(l, null, 2)
     ), console.log(
       "📝 Created conformance-config.json for OpenID Conformance Suite"

package/dist/local/src/app.ts

@@ -16,7 +16,7 @@ const widgetPath = path.resolve(
 
 const adminDistPath = path.resolve(
   __dirname,
-  "../node_modules/@authhero/react-admin/dist",
+  "../node_modules/@authhero/admin/dist",
 );
 const adminIndexPath = path.join(adminDistPath, "index.html");
 

package/dist/local/src/index.ts

@@ -27,7 +27,14 @@ function ensureCertificates() {
       execFileSync("which", ["mkcert"], { stdio: "ignore" });
       execFileSync(
         "mkcert",
-        ["-key-file", keyPath, "-cert-file", certPath, "localhost", "127.0.0.1"],
+        [
+          "-key-file",
+          keyPath,
+          "-cert-file",
+          certPath,
+          "localhost",
+          "127.0.0.1",
+        ],
         { stdio: "inherit" },
       );
       console.log("✅ Certificates generated with mkcert");

package/package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.41.2",
+  "version": "0.42.0",
   "type": "module",
   "main": "dist/create-authhero.js",
   "bin": {