firstly 0.0.1 → 0.0.3

package/esm/auth/RoleController.js

@@ -0,0 +1,57 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { BackendMethod, repo } from 'remult';
+import { cyan, green, Log, yellow } from '@kitql/helpers';
+import { KitAuthUser } from './Entities';
+/**
+ * will merge the roles and remove duplicates
+ * will return a new array & a status if the array was changed
+ */
+export const mergeRoles = (existing, newOnes) => {
+    const result = new Set(existing);
+    let changed = false;
+    for (const role of newOnes ?? []) {
+        if (!result.has(role)) {
+            result.add(role);
+            changed = true;
+        }
+    }
+    return { roles: Array.from(result), changed };
+};
+export class RoleController {
+    // @ts-ignore (for pnpm check)
+    static initRoleFromEnv = async (log, userEntity, envKey, role) => {
+        // @ts-ignore (for pnpm check)
+        const { env } = await import('$env/dynamic/private');
+        const names = env[envKey] === undefined ? [] : (env[envKey] ?? '').split(',');
+        for (let i = 0; i < names.length; i++) {
+            const name = names[i].trim();
+            if (name !== '') {
+                let user = await repo(userEntity).findFirst({ name });
+                if (!user) {
+                    user = repo(userEntity).create({ name, roles: [role] });
+                    await repo(userEntity).save(user);
+                }
+                else {
+                    if (!user.roles.includes(role)) {
+                        user.roles.push(role);
+                        await repo(userEntity).save(user);
+                    }
+                }
+            }
+        }
+        if (names.length > 0) {
+            log.info(`${cyan(role)}: ${names.map((c) => green(c.trim())).join(', ')} added via ${yellow(envKey)}.`);
+        }
+        else {
+            log.info(`${cyan(role)}: No users added via ${yellow(envKey)}.`);
+        }
+    };
+}
+__decorate([
+    BackendMethod({ allowed: false })
+], RoleController, "initRoleFromEnv", void 0);

package/esm/auth/helper.d.ts

@@ -0,0 +1 @@
+export declare function createSession(userId: string): Promise<void>;

package/esm/auth/helper.js

@@ -0,0 +1,7 @@
+import { remult } from 'remult';
+import { lucia } from '.';
+export async function createSession(userId) {
+    const session = await lucia.createSession(userId, {});
+    const sessionCookie = lucia.createSessionCookie(session.id);
+    remult.context.setCookie(sessionCookie.name, sessionCookie.value, { path: '/' });
+}

package/esm/auth/index.d.ts

@@ -0,0 +1,153 @@
+import type { OAuth2Provider as ArcticOAuth2Provider, OAuth2ProviderWithPKCE as ArcticOAuth2ProviderWithPKCE } from 'arctic';
+import { Lucia, type SessionCookieOptions } from 'lucia';
+import type { ClassType, UserInfo } from 'remult';
+import { Log } from '@kitql/helpers';
+import type { Module } from '../api';
+import type { ResolvedType } from '../utils/types';
+import { KitAuthAccount, KitAuthUser, KitAuthUserSession } from './Entities';
+import type { firstlyData } from './types';
+export type { firstlyData };
+export { KitAuthUser, KitAuthAccount, AuthProvider, KitAuthUserSession } from './Entities';
+export { AuthController } from './AuthController';
+export type AuthorizationURLOptions = Record<string, {
+    scopes?: string[];
+}>;
+export type DynamicAuthorizationURLOptions<T extends KitOAuth2Provider[] = KitOAuth2Provider[]> = T extends Array<infer O> ? O extends KitOAuth2Provider ? {
+    [P in O['name']]: ReturnType<O['authorizationURLOptions']>;
+} : never : never;
+export declare const logAuth: Log;
+export { KitAuthRole } from './Entities';
+type OAuth2UserInfo = {
+    raw?: any;
+    providerUserId: string;
+    /** Will take the first option available */
+    nameOptions: string[];
+};
+export type KitOAuth2Provider<LitName extends string = string, T extends ArcticOAuth2Provider | ArcticOAuth2ProviderWithPKCE = ArcticOAuth2Provider> = {
+    name: LitName;
+    getArcticProvider: () => T;
+    isPKCE: T extends ArcticOAuth2Provider ? false : T extends ArcticOAuth2ProviderWithPKCE ? true : never;
+    authorizationURLOptions: () => T extends ArcticOAuth2Provider ? Parameters<T['createAuthorizationURL']>[1] : T extends ArcticOAuth2ProviderWithPKCE ? Parameters<T['createAuthorizationURL']>[2] : never;
+    getUserInfo(tokens: ResolvedType<ReturnType<T['validateAuthorizationCode']>>): Promise<OAuth2UserInfo>;
+};
+type AuthOptions<TUserEntity extends KitAuthUser = KitAuthUser, TSessionEntity extends KitAuthUserSession = KitAuthUserSession, TAccountEntity extends KitAuthAccount = KitAuthAccount> = {
+    customEntities?: {
+        User?: ClassType<TUserEntity>;
+        Session?: ClassType<TSessionEntity>;
+        Account?: ClassType<TAccountEntity>;
+    };
+    ui?: {
+        paths?: {
+            base?: string;
+        };
+    } | false;
+    /** in secondes @default 15 days */
+    sessionExpiresIn?: number;
+    sessionCookie?: SessionCookieOptions;
+    defaultRedirect?: string;
+    /**
+     * Can a user sign up by itself? Or we can join only by invitation ?
+     * If false, no one can sign up alone.
+     * @default true
+     **/
+    signUp?: boolean;
+    /**
+     * To be able to sign in user needs to be verified or not?
+     * ```
+     *  `Auto` =>  noting will be checked
+     *  `Email` => users needs to click a link in an email
+     *  `Manual` => an admin needs to verify the user and set verifiedAt in the database
+     * ```
+     * @default auto
+     **/
+    verifiedMethod?: 'auto' | 'email' | 'manual';
+    invitationSend?: (args: {
+        email: string;
+        url: string;
+    }) => Promise<void>;
+    providers?: {
+        demo?: {
+            name: string;
+            roles?: string[];
+        }[];
+        password?: {
+            /**
+             * Reseting the password
+             */
+            resetPasswordSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            resetPasswordExpiresIn?: number;
+            /**
+             * Verify the Mail
+             */
+            verifyMailSend?: (args: {
+                email: string;
+                url: string;
+            }) => Promise<void>;
+            /** in secondes @default 5 minutes */
+            verifyMailExpiresIn?: number;
+            /**
+             * Some settings for the password hashing algorithm _(using argon2 under the hood)_
+             */
+            argon2Settings?: {
+                memorySize?: number | undefined;
+                iterations?: number | undefined;
+                tagLength?: number | undefined;
+                parallelism?: number | undefined;
+                secret?: ArrayBuffer | undefined;
+            };
+        };
+        otp?: {
+            issuer?: string;
+            /** in secondes @default 30 seconds */
+            expiresIn?: number;
+            /** Number of digits @default 6 */
+            digits?: number;
+            send?: (data: {
+                name: string;
+                otp: string;
+                uri: string;
+            }) => Promise<void>;
+        };
+        oAuths?: KitOAuth2Provider[];
+    };
+};
+export declare let AUTH_OPTIONS: AuthOptions;
+export declare const getSafeOptions: () => {
+    User: ClassType<KitAuthUser>;
+    Session: ClassType<KitAuthUserSession>;
+    Account: ClassType<KitAuthAccount>;
+    signUp: boolean;
+    password_enabled: boolean;
+    otp_enabled: boolean;
+    verifiedMethod: "email" | "auto" | "manual";
+    redirectUrl: string;
+    firstlyData: firstlyData;
+};
+/**
+ * To enable authentication in your app in a few lines of code.
+ * _Info: index: -777_
+ */
+export declare const auth: (o: AuthOptions) => Module;
+export declare const lucia: Lucia<Record<any, any>, UserInfo>;
+declare module 'lucia' {
+    interface Register {
+        Lucia: typeof lucia;
+        DatabaseSessionAttributes: DatabaseSessionAttributes;
+        DatabaseUserAttributes: DatabaseUserAttributes;
+    }
+    interface DatabaseSessionAttributes {
+    }
+}
+interface DatabaseUserAttributes {
+    id: string;
+    name: string;
+    roles: string[];
+    session: {
+        id: string;
+        expiresAt: Date;
+    };
+}

package/esm/auth/index.js

@@ -0,0 +1,280 @@
+import { redirect } from '@sveltejs/kit';
+import { DEV } from 'esm-env';
+import { Lucia, TimeSpan } from 'lucia';
+import { remult } from 'remult';
+import { Log, red } from '@kitql/helpers';
+import { read } from '@kitql/internals';
+import { KitRole } from '../';
+import { RemultLuciaAdapter } from './Adapter';
+import { AuthController } from './AuthController';
+import { AuthProvider, KitAuthAccount, KitAuthRole, KitAuthUser, KitAuthUserSession, } from './Entities';
+import { createSession } from './helper';
+import { RoleController } from './RoleController';
+export { KitAuthUser, KitAuthAccount, AuthProvider, KitAuthUserSession } from './Entities';
+export { AuthController } from './AuthController';
+export const logAuth = new Log('firstly | auth');
+export { KitAuthRole } from './Entities';
+export let AUTH_OPTIONS = {};
+export const getSafeOptions = () => {
+    const signUp = AUTH_OPTIONS.signUp ?? true;
+    const base = AUTH_OPTIONS.ui === false ? 'NO_BASE_PATH' : AUTH_OPTIONS.ui?.paths?.base ?? '/kit/auth';
+    const oAuths = AUTH_OPTIONS.providers?.oAuths?.map((o) => {
+        return o.name;
+    }) ?? [];
+    const firstlyData = {
+        module: 'auth',
+        props: {
+            ui: {
+                paths: {
+                    base,
+                },
+                providers: {
+                    password: {
+                        dico: {
+                            email: 'Email',
+                            email_placeholder: 'Your email address',
+                            password: 'Password',
+                            btn_sign_up: 'Sign up',
+                            btn_sign_in: 'Sign in',
+                            forgot_password: 'Forgot your password?',
+                            send_password_reset_instructions: 'Send password reset instructions',
+                            back_to_sign_in: 'Back to sign in',
+                        },
+                        paths: {
+                            sign_up: signUp ? `${base}/sign-up` : false,
+                            sign_in: `${base}/sign-in`,
+                            forgot_password: `${base}/forgot-password`,
+                            reset_password: `${base}/reset-password`,
+                            verify_email: `${base}/verify-email`,
+                        },
+                    },
+                    oAuths,
+                },
+            },
+        },
+    };
+    let redirectUrl = AUTH_OPTIONS.defaultRedirect ?? '/';
+    if (!redirectUrl.startsWith('/')) {
+        logAuth.error(`Invalid redirect url ${red(redirectUrl)} (it should be a local one starting with /)`);
+        redirectUrl = '/';
+    }
+    return {
+        User: AUTH_OPTIONS.customEntities?.User ?? KitAuthUser,
+        Session: AUTH_OPTIONS.customEntities?.Session ?? KitAuthUserSession,
+        Account: AUTH_OPTIONS.customEntities?.Account ?? KitAuthAccount,
+        signUp,
+        password_enabled: AUTH_OPTIONS.providers?.password ? true : false,
+        otp_enabled: AUTH_OPTIONS.providers?.otp ? true : false,
+        verifiedMethod: AUTH_OPTIONS.verifiedMethod ?? 'auto',
+        redirectUrl,
+        firstlyData,
+    };
+};
+/**
+ * To enable authentication in your app in a few lines of code.
+ * _Info: index: -777_
+ */
+export const auth = (o) => {
+    AUTH_OPTIONS = o;
+    const oSafe = getSafeOptions();
+    return {
+        name: 'auth',
+        index: -777,
+        entities: [oSafe.User, oSafe.Session, oSafe.Account],
+        controllers: [AuthController],
+        initRequest: async (event) => {
+            // std session
+            const sessionId = event.cookies.get(lucia.sessionCookieName);
+            if (sessionId) {
+                const { session, user } = await lucia.validateSession(sessionId);
+                if (session && session.fresh) {
+                    const sessionCookie = lucia.createSessionCookie(session.id);
+                    event.cookies.set(sessionCookie.name, sessionCookie.value, {
+                        path: '/',
+                        ...sessionCookie.attributes,
+                    });
+                }
+                remult.user = user ?? undefined;
+            }
+        },
+        earlyReturn: async ({ event, resolve }) => {
+            if (AUTH_OPTIONS.ui === false) {
+                return { early: false };
+            }
+            const oSafe = getSafeOptions();
+            if (event.url.pathname === oSafe.firstlyData.props.ui.providers.password.paths.verify_email) {
+                // TODO need to verify the token and set the verifiedAt in the database and we are good.
+                // It's 2 minutes, but I'll be it later :D
+                const token = event.url.searchParams.get('token') ?? '';
+                if (!oSafe.password_enabled) {
+                    throw Error('Password is not enabled!');
+                }
+                const account = await remult
+                    .repo(oSafe.Account)
+                    .findFirst({ token, provider: AuthProvider.PASSWORD.id });
+                if (!account) {
+                    throw new Error('Invalid token');
+                }
+                if (account.expiresAt && account.expiresAt < new Date()) {
+                    throw new Error('token expired');
+                }
+                await lucia.invalidateUserSessions(account.userId);
+                // update elements
+                account.token = undefined;
+                account.expiresAt = undefined;
+                account.lastVerifiedAt = new Date();
+                await remult.repo(oSafe.Account).save(account);
+                await createSession(account.userId);
+                redirect(302, oSafe.redirectUrl);
+            }
+            if (event.url.pathname.startsWith(oSafe.firstlyData.props.ui.paths.base)) {
+                const content = read('src/lib/auth/static/index.html') ??
+                    read('node_modules/firstly/esm/auth/static/index.html');
+                return {
+                    early: true,
+                    resolve: new Response(content + `<script>const firstlyData = ${JSON.stringify(oSafe.firstlyData)}</script>`, {
+                        headers: { 'content-type': 'text/html' },
+                    }),
+                };
+            }
+            if (event.url.pathname.startsWith('/api/static')) {
+                const content = read(`src/lib/auth/static/${event.url.pathname.replaceAll('/api/static/', '')}`);
+                if (content) {
+                    const seg = event.url.pathname.split('.');
+                    const map = {
+                        js: 'text/javascript',
+                        css: 'text/css',
+                        svg: 'image/svg+xml',
+                    };
+                    return {
+                        early: true,
+                        resolve: new Response(content, {
+                            headers: { 'content-type': map[seg[seg.length - 1]] ?? 'text/plain' },
+                        }),
+                    };
+                }
+            }
+            if (event.url.pathname === '/api/auth_callback') {
+                const code = event.url.searchParams.get('code');
+                const state = event.url.searchParams.get('state');
+                const keys = AUTH_OPTIONS.providers?.oAuths?.map((c) => c.name) ?? [];
+                let storedState = null;
+                let keyState = null;
+                for (const key of keys) {
+                    storedState = event.cookies.get(`${key}_oauth_state`) ?? null;
+                    if (storedState) {
+                        keyState = key;
+                        break;
+                    }
+                }
+                const redirectUrlCookie = event.cookies.get(`remult_redirect`);
+                if (redirectUrlCookie) {
+                    event.cookies.delete(`remult_redirect`, { path: '/' });
+                }
+                const redirectUrl = redirectUrlCookie ?? oSafe.redirectUrl;
+                if (!code || !state || !storedState || state !== storedState || !keyState) {
+                    redirect(302, redirectUrl);
+                }
+                const selectedOAuth = AUTH_OPTIONS.providers?.oAuths?.find((c) => c.name === keyState);
+                if (selectedOAuth && code) {
+                    const tokens = await selectedOAuth.getArcticProvider().validateAuthorizationCode(code);
+                    let info;
+                    try {
+                        info = await selectedOAuth.getUserInfo(tokens);
+                    }
+                    catch (error) {
+                        redirect(302, redirectUrl);
+                    }
+                    if (!info.providerUserId) {
+                        redirect(302, redirectUrl);
+                    }
+                    let account = await remult
+                        .repo(oSafe.Account)
+                        .findFirst({ provider: keyState, providerUserId: info.providerUserId });
+                    if (!account) {
+                        if (!oSafe.signUp) {
+                            // throw Error("You can't signup by yourself! Contact the administrator.")
+                            redirect(302, redirectUrl);
+                        }
+                        // for each info.name, we check if it exists take the first option
+                        // and add the providerUserId to the name if no option available
+                        let nameToUse = '';
+                        for (let i = 0; i < info.nameOptions.length; i++) {
+                            const existingUser = await remult
+                                .repo(oSafe.User)
+                                .findOne({ where: { name: info.nameOptions[i] } });
+                            if (existingUser) {
+                                // Don't do anything
+                            }
+                            else {
+                                nameToUse = info.nameOptions[i];
+                                break;
+                            }
+                        }
+                        if (nameToUse === '') {
+                            nameToUse = `${info.nameOptions[0]}-${info.providerUserId}`;
+                        }
+                        const user = remult.repo(oSafe.User).create();
+                        user.name = nameToUse;
+                        account = remult.repo(oSafe.Account).create();
+                        account.provider = keyState;
+                        account.providerUserId = info.providerUserId;
+                        account.token = tokens.accessToken;
+                        account.userId = user.id;
+                        account.lastVerifiedAt = new Date();
+                        await remult.repo(oSafe.User).save(user);
+                        await remult.repo(oSafe.Account).save(account);
+                    }
+                    else {
+                        account.token = tokens.accessToken;
+                        await remult.repo(oSafe.Account).save(account);
+                    }
+                    await createSession(account.userId);
+                    event.cookies.delete(`${keyState}_oauth_state`, { path: '/' });
+                    event.cookies.delete(`code_verifier`, { path: '/' });
+                }
+                redirect(302, redirectUrl);
+            }
+            return { early: false };
+        },
+        initApi: async () => {
+            await RoleController.initRoleFromEnv(logAuth, oSafe.User, 'KIT_ADMIN', KitRole.Admin);
+            await RoleController.initRoleFromEnv(logAuth, oSafe.User, 'KIT_AUTH_ADMIN', KitAuthRole.Admin);
+        },
+    };
+};
+const adapter = new RemultLuciaAdapter();
+const defaultExpiresIn = 60 * 60 * 24 * 15; // 15 days
+export const lucia = new Lucia(adapter, {
+    sessionExpiresIn: new TimeSpan(AUTH_OPTIONS.sessionExpiresIn ?? defaultExpiresIn, 's'),
+    sessionCookie: {
+        name: AUTH_OPTIONS.sessionCookie?.name ?? 'remult_auth_session',
+        expires: AUTH_OPTIONS.sessionCookie?.expires,
+        attributes: {
+            // set to `true` when using HTTPS
+            secure: !DEV,
+            ...AUTH_OPTIONS.sessionCookie?.attributes,
+        },
+    },
+    getSessionAttributes: (attributes) => {
+        return {
+            ...attributes,
+        };
+    },
+    getUserAttributes(attributes) {
+        // @ts-expect-error
+        delete attributes['createdAt'];
+        // @ts-expect-error
+        delete attributes['updatedAt'];
+        // to remove relations
+        for (const key in attributes) {
+            if (attributes[key] === undefined) {
+                delete attributes[key];
+            }
+        }
+        return attributes;
+        // return {
+        // 	...attributes,
+        // }
+    },
+});

package/esm/auth/providers/github.d.ts

@@ -0,0 +1,25 @@
+import { GitHub } from 'arctic';
+import { type KitOAuth2Provider } from '../';
+/**
+ * GitHub OAuth2 provider
+ *
+ * In GitHub, set your callback url to
+ * - dev: `http://localhost:5173/api/auth_callback`
+ * - prod: `https://MY_SUPER_SITE/api/auth_callback`
+ *
+ * In your project add a `.env` file with the following:
+ *
+ * ```env
+ * GITHUB_CLIENT_ID= 'your-client-id'
+ * GITHUB_CLIENT_SECRET= 'your-client-secret'
+ * ```
+ *
+ * _FYI: GITHUB_REDIRECT_URI is optional as auth module will default to "${origin}/api/auth_callback"._
+ */
+export declare function github(options?: {
+    GITHUB_CLIENT_ID: string;
+    GITHUB_CLIENT_SECRET: string;
+    GITHUB_REDIRECT_URI?: string;
+    authorizationURLOptions?: ReturnType<KitOAuth2Provider<'github', GitHub>['authorizationURLOptions']>;
+    log?: boolean;
+}): KitOAuth2Provider<'github', GitHub>;

package/esm/auth/providers/github.js

@@ -0,0 +1,51 @@
+import { GitHub } from 'arctic';
+import { remult } from 'remult';
+import { checkOAuthConfig } from '.';
+import { logAuth } from '../';
+/**
+ * GitHub OAuth2 provider
+ *
+ * In GitHub, set your callback url to
+ * - dev: `http://localhost:5173/api/auth_callback`
+ * - prod: `https://MY_SUPER_SITE/api/auth_callback`
+ *
+ * In your project add a `.env` file with the following:
+ *
+ * ```env
+ * GITHUB_CLIENT_ID= 'your-client-id'
+ * GITHUB_CLIENT_SECRET= 'your-client-secret'
+ * ```
+ *
+ * _FYI: GITHUB_REDIRECT_URI is optional as auth module will default to "${origin}/api/auth_callback"._
+ */
+export function github(options) {
+    const name = 'github';
+    const clientID = options?.GITHUB_CLIENT_ID ?? '';
+    const secret = options?.GITHUB_CLIENT_SECRET ?? '';
+    const urlForKeys = 'https://github.com/settings/developers';
+    checkOAuthConfig(name, clientID, secret, urlForKeys, false);
+    return {
+        name,
+        isPKCE: false,
+        getArcticProvider: () => {
+            const redirectURI = options?.GITHUB_REDIRECT_URI || `${remult.context.url.origin}/api/auth_callback`;
+            checkOAuthConfig(name, clientID, secret, urlForKeys, true);
+            return new GitHub(clientID, secret, { redirectURI });
+        },
+        authorizationURLOptions: () => {
+            return options?.authorizationURLOptions ?? { scopes: [] };
+        },
+        getUserInfo: async (tokens) => {
+            const res = await fetch('https://api.github.com/user', {
+                headers: {
+                    Authorization: `Bearer ${tokens.accessToken}`,
+                },
+            });
+            const user = await res.json();
+            if (options?.log) {
+                logAuth.info(`user`, user);
+            }
+            return { raw: user, providerUserId: String(user.id), nameOptions: [user.login] };
+        },
+    };
+}

package/esm/auth/providers/index.d.ts

@@ -0,0 +1,3 @@
+export declare const checkOAuthConfig: (name: string, clientId: string, secret: string, urlForKeys: string, withThrow: boolean) => void;
+export { github } from './github';
+export { strava } from './strava';

package/esm/auth/providers/index.js

@@ -0,0 +1,26 @@
+import { cyan, gray, green, italic, yellow } from '@kitql/helpers';
+import { logAuth } from '..';
+import { mask } from '../../formats/strings';
+export const checkOAuthConfig = (name, clientId, secret, urlForKeys, withThrow) => {
+    if (!clientId || !secret) {
+        const msg = `Wrong configuration for ${green(name)} provider.
+  ${italic(`Config used ${gray(`(${'.env'} & ${'inferred'}):`)}`)}
+  ${yellow('--------------- .env ---------------')}
+  ${name.toUpperCase()}_CLIENT_ID = '${mask(clientId)}'
+  ${name.toUpperCase()}_CLIENT_SECRET = '${mask(secret)}'
+  ${yellow('------------------------------------')}
+  Update your configuration to fix this error. 
+  ${gray(`By default, we check ${name.toUpperCase()}_CLIENT_ID and ${name.toUpperCase()}_CLIENT_SECRET. 
+  But you can also pass your keys as parameters.`)}
+  Check ${cyan(urlForKeys)} to generate your keys.
+`;
+        if (withThrow) {
+            throw new Error(msg);
+        }
+        else {
+            logAuth.error(msg);
+        }
+    }
+};
+export { github } from './github';
+export { strava } from './strava';

package/esm/auth/providers/strava.d.ts

@@ -0,0 +1,25 @@
+import { Strava } from 'arctic';
+import { type KitOAuth2Provider } from '../';
+/**
+ * Strava OAuth2 provider
+ *
+ * In Strava, set your callback url to
+ * - dev: `http://localhost:5173/api/auth_callback`
+ * - prod: `https://MY_SUPER_SITE/api/auth_callback`
+ *
+ * In your project add a `.env` file with the following:
+ *
+ * ```env
+ * STRAVA_CLIENT_ID= 'your-client-id'
+ * STRAVA_CLIENT_SECRET= 'your-client-secret'
+ * ```
+ *
+ * _FYI: STRAVA_REDIRECT_URI is optional as auth module will default to "${origin}/api/auth_callback"._
+ */
+export declare function strava(options?: {
+    STRAVA_CLIENT_ID: string;
+    STRAVA_CLIENT_SECRET: string;
+    STRAVA_REDIRECT_URI?: string;
+    authorizationURLOptions?: ReturnType<KitOAuth2Provider<'strava', Strava>['authorizationURLOptions']>;
+    log?: boolean;
+}): KitOAuth2Provider<'strava', Strava>;