hono 4.1.7 → 4.2.0

package/dist/cjs/utils/jwt/jws.js

@@ -0,0 +1,212 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var jws_exports = {};
+__export(jws_exports, {
+  signing: () => signing,
+  verifying: () => verifying
+});
+module.exports = __toCommonJS(jws_exports);
+var import_helper = require("../../helper");
+var import_encode = require("../encode");
+var import_types = require("./types");
+var import_types2 = require("./types");
+var import_utf8 = require("./utf8");
+async function signing(privateKey, alg, data) {
+  const algorithm = getKeyAlgorithm(alg);
+  const cryptoKey = await importPrivateKey(privateKey, algorithm);
+  return await crypto.subtle.sign(algorithm, cryptoKey, data);
+}
+async function verifying(publicKey, alg, signature, data) {
+  const algorithm = getKeyAlgorithm(alg);
+  const cryptoKey = await importPublicKey(publicKey, algorithm);
+  return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+}
+function pemToBinary(pem) {
+  return (0, import_encode.decodeBase64)(pem.replace(/-+(BEGIN|END).*/g, "").replace(/\s/g, ""));
+}
+async function importPrivateKey(key, alg) {
+  if (!crypto.subtle || !crypto.subtle.importKey) {
+    throw new Error("`crypto.subtle.importKey` is undefined. JWT auth middleware requires it.");
+  }
+  if (isCryptoKey(key)) {
+    if (key.type !== "private") {
+      throw new Error(`unexpected non private key: CryptoKey.type is ${key.type}`);
+    }
+    return key;
+  }
+  const usages = [import_types2.CryptoKeyUsage.Sign];
+  if (typeof key === "object") {
+    return await crypto.subtle.importKey("jwk", key, alg, false, usages);
+  }
+  if (key.includes("PRIVATE")) {
+    return await crypto.subtle.importKey("pkcs8", pemToBinary(key), alg, false, usages);
+  }
+  return await crypto.subtle.importKey("raw", import_utf8.utf8Encoder.encode(key), alg, false, usages);
+}
+async function importPublicKey(key, alg) {
+  if (!crypto.subtle || !crypto.subtle.importKey) {
+    throw new Error("`crypto.subtle.importKey` is undefined. JWT auth middleware requires it.");
+  }
+  if (isCryptoKey(key)) {
+    if (key.type === "public" || key.type === "secret") {
+      return key;
+    }
+    key = await exportPublicJwkFrom(key);
+  }
+  if (typeof key === "string" && key.includes("PRIVATE")) {
+    const privateKey = await crypto.subtle.importKey("pkcs8", pemToBinary(key), alg, true, [
+      import_types2.CryptoKeyUsage.Sign
+    ]);
+    key = await exportPublicJwkFrom(privateKey);
+  }
+  const usages = [import_types2.CryptoKeyUsage.Verify];
+  if (typeof key === "object") {
+    return await crypto.subtle.importKey("jwk", key, alg, false, usages);
+  }
+  if (key.includes("PUBLIC")) {
+    return await crypto.subtle.importKey("spki", pemToBinary(key), alg, false, usages);
+  }
+  return await crypto.subtle.importKey("raw", import_utf8.utf8Encoder.encode(key), alg, false, usages);
+}
+async function exportPublicJwkFrom(privateKey) {
+  if (privateKey.type !== "private") {
+    throw new Error(`unexpected key type: ${privateKey.type}`);
+  }
+  if (!privateKey.extractable) {
+    throw new Error("unexpected private key is unextractable");
+  }
+  const jwk = await crypto.subtle.exportKey("jwk", privateKey);
+  const { kty } = jwk;
+  const { alg, e, n } = jwk;
+  const { crv, x, y } = jwk;
+  return { kty, alg, e, n, crv, x, y, key_ops: [import_types2.CryptoKeyUsage.Verify] };
+}
+function getKeyAlgorithm(name) {
+  switch (name) {
+    case "HS256":
+      return {
+        name: "HMAC",
+        hash: {
+          name: "SHA-256"
+        }
+      };
+    case "HS384":
+      return {
+        name: "HMAC",
+        hash: {
+          name: "SHA-384"
+        }
+      };
+    case "HS512":
+      return {
+        name: "HMAC",
+        hash: {
+          name: "SHA-512"
+        }
+      };
+    case "RS256":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: {
+          name: "SHA-256"
+        }
+      };
+    case "RS384":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: {
+          name: "SHA-384"
+        }
+      };
+    case "RS512":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: {
+          name: "SHA-512"
+        }
+      };
+    case "PS256":
+      return {
+        name: "RSA-PSS",
+        hash: {
+          name: "SHA-256"
+        },
+        saltLength: 32
+      };
+    case "PS384":
+      return {
+        name: "RSA-PSS",
+        hash: {
+          name: "SHA-384"
+        },
+        saltLength: 48
+      };
+    case "PS512":
+      return {
+        name: "RSA-PSS",
+        hash: {
+          name: "SHA-512"
+        },
+        saltLength: 64
+      };
+    case "ES256":
+      return {
+        name: "ECDSA",
+        hash: {
+          name: "SHA-256"
+        },
+        namedCurve: "P-256"
+      };
+    case "ES384":
+      return {
+        name: "ECDSA",
+        hash: {
+          name: "SHA-384"
+        },
+        namedCurve: "P-384"
+      };
+    case "ES512":
+      return {
+        name: "ECDSA",
+        hash: {
+          name: "SHA-512"
+        },
+        namedCurve: "P-521"
+      };
+    case "EdDSA":
+      return {
+        name: "Ed25519",
+        namedCurve: "Ed25519"
+      };
+    default:
+      throw new import_types.JwtAlgorithmNotImplemented(name);
+  }
+}
+function isCryptoKey(key) {
+  const runtime = (0, import_helper.getRuntimeKey)();
+  if (runtime === "node" && !!crypto.webcrypto) {
+    return key instanceof crypto.webcrypto.CryptoKey;
+  }
+  return key instanceof CryptoKey;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  signing,
+  verifying
+});

package/dist/cjs/utils/jwt/jwt.js

@@ -19,91 +19,40 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var jwt_exports = {};
 __export(jwt_exports, {
   decode: () => decode,
+  isTokenHeader: () => isTokenHeader,
   sign: () => sign,
   verify: () => verify
 });
 module.exports = __toCommonJS(jwt_exports);
 var import_encode = require("../../utils/encode");
+var import_jwa = require("./jwa");
+var import_jws = require("./jws");
 var import_types = require("./types");
 var import_types2 = require("./types");
-var CryptoKeyFormat = /* @__PURE__ */ ((CryptoKeyFormat2) => {
-  CryptoKeyFormat2["RAW"] = "raw";
-  CryptoKeyFormat2["PKCS8"] = "pkcs8";
-  CryptoKeyFormat2["SPKI"] = "spki";
-  CryptoKeyFormat2["JWK"] = "jwk";
-  return CryptoKeyFormat2;
-})(CryptoKeyFormat || {});
-var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
-  CryptoKeyUsage2["Ecrypt"] = "encrypt";
-  CryptoKeyUsage2["Decrypt"] = "decrypt";
-  CryptoKeyUsage2["Sign"] = "sign";
-  CryptoKeyUsage2["Verify"] = "verify";
-  CryptoKeyUsage2["Deriverkey"] = "deriveKey";
-  CryptoKeyUsage2["DeriveBits"] = "deriveBits";
-  CryptoKeyUsage2["WrapKey"] = "wrapKey";
-  CryptoKeyUsage2["UnwrapKey"] = "unwrapKey";
-  return CryptoKeyUsage2;
-})(CryptoKeyUsage || {});
-const utf8Encoder = new TextEncoder();
-const utf8Decoder = new TextDecoder();
-const encodeJwtPart = (part) => (0, import_encode.encodeBase64Url)(utf8Encoder.encode(JSON.stringify(part))).replace(/=/g, "");
+var import_utf8 = require("./utf8");
+const encodeJwtPart = (part) => (0, import_encode.encodeBase64Url)(import_utf8.utf8Encoder.encode(JSON.stringify(part))).replace(/=/g, "");
 const encodeSignaturePart = (buf) => (0, import_encode.encodeBase64Url)(buf).replace(/=/g, "");
-const decodeJwtPart = (part) => JSON.parse(utf8Decoder.decode((0, import_encode.decodeBase64Url)(part)));
-const param = (name) => {
-  switch (name.toUpperCase()) {
-    case "HS256":
-      return {
-        name: "HMAC",
-        hash: {
-          name: "SHA-256"
-        }
-      };
-    case "HS384":
-      return {
-        name: "HMAC",
-        hash: {
-          name: "SHA-384"
-        }
-      };
-    case "HS512":
-      return {
-        name: "HMAC",
-        hash: {
-          name: "SHA-512"
-        }
-      };
-    default:
-      throw new import_types2.JwtAlgorithmNotImplemented(name);
-  }
-};
-const signing = async (data, secret, alg = "HS256") => {
-  if (!crypto.subtle || !crypto.subtle.importKey) {
-    throw new Error("`crypto.subtle.importKey` is undefined. JWT auth middleware requires it.");
-  }
-  const utf8Encoder2 = new TextEncoder();
-  const cryptoKey = await crypto.subtle.importKey(
-    "raw" /* RAW */,
-    utf8Encoder2.encode(secret),
-    param(alg),
-    false,
-    ["sign" /* Sign */]
-  );
-  return await crypto.subtle.sign(param(alg), cryptoKey, utf8Encoder2.encode(data));
-};
-const sign = async (payload, secret, alg = "HS256") => {
+const decodeJwtPart = (part) => JSON.parse(import_utf8.utf8Decoder.decode((0, import_encode.decodeBase64Url)(part)));
+function isTokenHeader(obj) {
+  return typeof obj === "object" && obj !== null && "alg" in obj && Object.values(import_jwa.AlgorithmTypes).includes(obj.alg) && "typ" in obj && obj.typ === "JWT";
+}
+const sign = async (payload, privateKey, alg = "HS256") => {
   const encodedPayload = encodeJwtPart(payload);
   const encodedHeader = encodeJwtPart({ alg, typ: "JWT" });
   const partialToken = `${encodedHeader}.${encodedPayload}`;
-  const signaturePart = await signing(partialToken, secret, alg);
+  const signaturePart = await (0, import_jws.signing)(privateKey, alg, import_utf8.utf8Encoder.encode(partialToken));
   const signature = encodeSignaturePart(signaturePart);
   return `${partialToken}.${signature}`;
 };
-const verify = async (token, secret, alg = "HS256") => {
+const verify = async (token, publicKey, alg = "HS256") => {
   const tokenParts = token.split(".");
   if (tokenParts.length !== 3) {
     throw new import_types2.JwtTokenInvalid(token);
   }
-  const { payload } = decode(token);
+  const { header, payload } = decode(token);
+  if (!isTokenHeader(header)) {
+    throw new import_types.JwtHeaderInvalid(header);
+  }
   const now = Math.floor(Date.now() / 1e3);
   if (payload.nbf && payload.nbf > now) {
     throw new import_types2.JwtTokenNotBefore(token);
@@ -112,12 +61,16 @@ const verify = async (token, secret, alg = "HS256") => {
     throw new import_types2.JwtTokenExpired(token);
   }
   if (payload.iat && now < payload.iat) {
-    throw new import_types.JwtTokenIssuedAt(now, payload.iat);
+    throw new import_types2.JwtTokenIssuedAt(now, payload.iat);
   }
-  const signaturePart = tokenParts.slice(0, 2).join(".");
-  const signature = await signing(signaturePart, secret, alg);
-  const encodedSignature = encodeSignaturePart(signature);
-  if (encodedSignature !== tokenParts[2]) {
+  const headerPayload = token.substring(0, token.lastIndexOf("."));
+  const verified = await (0, import_jws.verifying)(
+    publicKey,
+    alg,
+    (0, import_encode.decodeBase64Url)(tokenParts[2]),
+    import_utf8.utf8Encoder.encode(headerPayload)
+  );
+  if (!verified) {
     throw new import_types2.JwtTokenSignatureMismatched(token);
   }
   return payload;
@@ -138,6 +91,7 @@ const decode = (token) => {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   decode,
+  isTokenHeader,
   sign,
   verify
 });

package/dist/cjs/utils/jwt/types.js

@@ -18,8 +18,9 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var types_exports = {};
 __export(types_exports, {
-  AlgorithmTypes: () => AlgorithmTypes,
+  CryptoKeyUsage: () => CryptoKeyUsage,
   JwtAlgorithmNotImplemented: () => JwtAlgorithmNotImplemented,
+  JwtHeaderInvalid: () => JwtHeaderInvalid,
   JwtTokenExpired: () => JwtTokenExpired,
   JwtTokenInvalid: () => JwtTokenInvalid,
   JwtTokenIssuedAt: () => JwtTokenIssuedAt,
@@ -57,22 +58,34 @@ class JwtTokenIssuedAt extends Error {
     this.name = "JwtTokenIssuedAt";
   }
 }
+class JwtHeaderInvalid extends Error {
+  constructor(header) {
+    super(`jwt header is invalid: ${JSON.stringify(header)}`);
+    this.name = "JwtHeaderInvalid";
+  }
+}
 class JwtTokenSignatureMismatched extends Error {
   constructor(token) {
     super(`token(${token}) signature mismatched`);
     this.name = "JwtTokenSignatureMismatched";
   }
 }
-var AlgorithmTypes = /* @__PURE__ */ ((AlgorithmTypes2) => {
-  AlgorithmTypes2["HS256"] = "HS256";
-  AlgorithmTypes2["HS384"] = "HS384";
-  AlgorithmTypes2["HS512"] = "HS512";
-  return AlgorithmTypes2;
-})(AlgorithmTypes || {});
+var CryptoKeyUsage = /* @__PURE__ */ ((CryptoKeyUsage2) => {
+  CryptoKeyUsage2["Encrypt"] = "encrypt";
+  CryptoKeyUsage2["Decrypt"] = "decrypt";
+  CryptoKeyUsage2["Sign"] = "sign";
+  CryptoKeyUsage2["Verify"] = "verify";
+  CryptoKeyUsage2["DeriveKey"] = "deriveKey";
+  CryptoKeyUsage2["DeriveBits"] = "deriveBits";
+  CryptoKeyUsage2["WrapKey"] = "wrapKey";
+  CryptoKeyUsage2["UnwrapKey"] = "unwrapKey";
+  return CryptoKeyUsage2;
+})(CryptoKeyUsage || {});
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  AlgorithmTypes,
+  CryptoKeyUsage,
   JwtAlgorithmNotImplemented,
+  JwtHeaderInvalid,
   JwtTokenExpired,
   JwtTokenInvalid,
   JwtTokenIssuedAt,

package/dist/cjs/utils/jwt/utf8.js

@@ -0,0 +1,31 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utf8_exports = {};
+__export(utf8_exports, {
+  utf8Decoder: () => utf8Decoder,
+  utf8Encoder: () => utf8Encoder
+});
+module.exports = __toCommonJS(utf8_exports);
+const utf8Encoder = new TextEncoder();
+const utf8Decoder = new TextDecoder();
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  utf8Decoder,
+  utf8Encoder
+});

package/dist/cjs/validator/validator.js

@@ -28,30 +28,14 @@ const validator = (target, validationFunc) => {
   return async (c, next) => {
     let value = {};
     const contentType = c.req.header("Content-Type");
-    const bodyTypes = ["text", "arrayBuffer", "blob"];
     switch (target) {
       case "json":
         if (!contentType || !contentType.startsWith("application/json")) {
           const message = `Invalid HTTP header: Content-Type=${contentType}`;
           throw new import_http_exception.HTTPException(400, { message });
         }
-        if (c.req.bodyCache.json) {
-          value = await c.req.bodyCache.json;
-          break;
-        }
         try {
-          let arrayBuffer = void 0;
-          for (const type of bodyTypes) {
-            const body = c.req.bodyCache[type];
-            if (body) {
-              arrayBuffer = await new Response(await body).arrayBuffer();
-              break;
-            }
-          }
-          arrayBuffer ??= await c.req.raw.arrayBuffer();
-          value = await new Response(arrayBuffer).json();
-          c.req.bodyCache.json = value;
-          c.req.bodyCache.arrayBuffer = arrayBuffer;
+          value = await c.req.json();
         } catch {
           const message = "Malformed JSON in request body";
           throw new import_http_exception.HTTPException(400, { message });
@@ -66,15 +50,7 @@ const validator = (target, validationFunc) => {
           break;
         }
         try {
-          let arrayBuffer = void 0;
-          for (const type of bodyTypes) {
-            const body = c.req.bodyCache[type];
-            if (body) {
-              arrayBuffer = await new Response(await body).arrayBuffer();
-              break;
-            }
-          }
-          arrayBuffer ??= await c.req.arrayBuffer();
+          const arrayBuffer = await c.req.arrayBuffer();
           const formData = await (0, import_buffer.bufferToFormData)(arrayBuffer, contentType);
           const form = {};
           formData.forEach((value2, key) => {
@@ -82,7 +58,6 @@ const validator = (target, validationFunc) => {
           });
           value = form;
           c.req.bodyCache.formData = formData;
-          c.req.bodyCache.arrayBuffer = arrayBuffer;
         } catch (e) {
           let message = "Malformed FormData request.";
           message += e instanceof Error ? ` ${e.message}` : ` ${String(e)}`;

package/dist/helper/ssg/ssg.js

@@ -5,8 +5,8 @@ import { getExtension } from "../../utils/mime.js";
 import { SSG_DISABLED_RESPONSE, SSG_CONTEXT } from "./middleware.js";
 import { joinPaths, dirname, filterStaticGenerateRoutes } from "./utils.js";
 var DEFAULT_CONCURRENCY = 2;
-var generateFilePath = (routePath, outDir, mimeType) => {
-  const extension = determineExtension(mimeType);
+var generateFilePath = (routePath, outDir, mimeType, extensionMap) => {
+  const extension = determineExtension(mimeType, extensionMap);
   if (routePath.endsWith(`.${extension}`)) {
     return joinPaths(outDir, routePath);
   }
@@ -32,17 +32,18 @@ var parseResponseContent = async (response) => {
     );
   }
 };
-var determineExtension = (mimeType) => {
-  switch (mimeType) {
-    case "text/html":
-      return "html";
-    case "text/xml":
-    case "application/xml":
-      return "xml";
-    default: {
-      return getExtension(mimeType) || "html";
-    }
+var defaultExtensionMap = {
+  "text/html": "html",
+  "text/xml": "xml",
+  "application/xml": "xml",
+  "application/yaml": "yaml"
+};
+var determineExtension = (mimeType, userExtensionMap) => {
+  const extensionMap = userExtensionMap || defaultExtensionMap;
+  if (mimeType in extensionMap) {
+    return extensionMap[mimeType];
   }
+  return getExtension(mimeType) || "html";
 };
 var fetchRoutesContent = function* (app, beforeRequestHook, afterResponseHook, concurrency) {
   const baseURL = "http://localhost";
@@ -119,13 +120,13 @@ var isDynamicRoute = (path) => {
   return path.split("/").some((segment) => segment.startsWith(":") || segment.includes("*"));
 };
 var createdDirs = /* @__PURE__ */ new Set();
-var saveContentToFile = async (data, fsModule, outDir) => {
+var saveContentToFile = async (data, fsModule, outDir, extensionMap) => {
   const awaitedData = await data;
   if (!awaitedData) {
     return;
   }
   const { routePath, content, mimeType } = awaitedData;
-  const filePath = generateFilePath(routePath, outDir, mimeType);
+  const filePath = generateFilePath(routePath, outDir, mimeType, extensionMap);
   const dirPath = dirname(filePath);
   if (!createdDirs.has(dirPath)) {
     await fsModule.mkdir(dirPath, { recursive: true });
@@ -182,6 +183,7 @@ var toSSG = async (app, fs, options) => {
   return result;
 };
 export {
+  defaultExtensionMap,
   fetchRoutesContent,
   saveContentToFile,
   toSSG

package/dist/jsx/dom/index.js

@@ -15,6 +15,7 @@ import {
   useMemo,
   useLayoutEffect,
   useReducer,
+  useId,
   useDebugValue
 } from "../hooks/index.js";
 import { Suspense, ErrorBoundary } from "./components.js";
@@ -55,6 +56,7 @@ var dom_default = {
   useMemo,
   useLayoutEffect,
   useReducer,
+  useId,
   useDebugValue,
   Suspense,
   ErrorBoundary,
@@ -84,6 +86,7 @@ export {
   useDebugValue,
   useDeferredValue,
   useEffect,
+  useId,
   useLayoutEffect,
   useMemo,
   useReducer,

package/dist/jsx/hooks/index.js

@@ -258,6 +258,8 @@ var useMemo = (factory, deps) => {
   }
   return memoArray[hookIndex][0];
 };
+var idCounter = 0;
+var useId = () => useMemo(() => `:r${(idCounter++).toString(32)}:`, []);
 var useDebugValue = (_value, _formatter) => {
 };
 export {
@@ -269,6 +271,7 @@ export {
   useDebugValue,
   useDeferredValue,
   useEffect,
+  useId,
   useLayoutEffect,
   useMemo,
   useReducer,

package/dist/jsx/index.js

@@ -16,6 +16,7 @@ import {
   useMemo,
   useLayoutEffect,
   useReducer,
+  useId,
   useDebugValue
 } from "./hooks/index.js";
 import { Suspense } from "./streaming.js";
@@ -34,6 +35,7 @@ var jsx_default = {
   useRef,
   useCallback,
   useReducer,
+  useId,
   useDebugValue,
   use,
   startTransition,
@@ -64,6 +66,7 @@ export {
   useDebugValue,
   useDeferredValue,
   useEffect,
+  useId,
   useLayoutEffect,
   useMemo,
   useReducer,

package/dist/middleware/basic-auth/index.js

@@ -21,25 +21,38 @@ var auth = (req) => {
   return { username: userPass[1], password: userPass[2] };
 };
 var basicAuth = (options, ...users) => {
-  if (!options) {
-    throw new Error('basic auth middleware requires options for "username and password"');
+  const usernamePasswordInOptions = "username" in options && "password" in options;
+  const verifyUserInOptions = "verifyUser" in options;
+  if (!(usernamePasswordInOptions || verifyUserInOptions)) {
+    throw new Error(
+      'basic auth middleware requires options for "username and password" or "verifyUser"'
+    );
   }
   if (!options.realm) {
     options.realm = "Secure Area";
   }
-  users.unshift({ username: options.username, password: options.password });
+  if (usernamePasswordInOptions) {
+    users.unshift({ username: options.username, password: options.password });
+  }
   return async function basicAuth2(ctx, next) {
     const requestUser = auth(ctx.req);
     if (requestUser) {
-      for (const user of users) {
-        const [usernameEqual, passwordEqual] = await Promise.all([
-          timingSafeEqual(user.username, requestUser.username, options.hashFunction),
-          timingSafeEqual(user.password, requestUser.password, options.hashFunction)
-        ]);
-        if (usernameEqual && passwordEqual) {
+      if (verifyUserInOptions) {
+        if (await options.verifyUser(requestUser.username, requestUser.password, ctx)) {
           await next();
           return;
         }
+      } else {
+        for (const user of users) {
+          const [usernameEqual, passwordEqual] = await Promise.all([
+            timingSafeEqual(user.username, requestUser.username, options.hashFunction),
+            timingSafeEqual(user.password, requestUser.password, options.hashFunction)
+          ]);
+          if (usernameEqual && passwordEqual) {
+            await next();
+            return;
+          }
+        }
       }
     }
     const res = new Response("Unauthorized", {