npm - oauth.do - Versions diffs - 0.1.15 → 0.2.1 - Mend

oauth.do 0.1.15 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/react.js ADDED Viewed

@@ -0,0 +1,67 @@
+import { WorkOsWidgets, ApiKeys as ApiKeys$1, UsersManagement as UsersManagement$1, UserProfile as UserProfile$1 } from '@workos-inc/widgets';
+import { AuthKitProvider, useAuth as useAuth$1 } from '@workos-inc/authkit-react';
+import React, { createContext, useContext } from 'react';
+var OAUTH_DO_CONFIG = {
+  clientId: "client_01JQYTRXK9ZPD8JPJTKDCRB656",
+  apiUrl: "https://apis.do",
+  authKitDomain: "login.oauth.do"
+};
+var OAuthDoContext = createContext(OAUTH_DO_CONFIG);
+function useOAuthDoConfig() {
+  return useContext(OAuthDoContext);
+}
+function OAuthDoProvider({
+  children,
+  clientId = OAUTH_DO_CONFIG.clientId,
+  apiUrl = OAUTH_DO_CONFIG.apiUrl,
+  authKitDomain = OAUTH_DO_CONFIG.authKitDomain
+}) {
+  const config = { clientId, apiUrl, authKitDomain };
+  return /* @__PURE__ */ React.createElement(OAuthDoContext.Provider, { value: config }, /* @__PURE__ */ React.createElement(AuthKitProvider, { clientId }, /* @__PURE__ */ React.createElement(WorkOsWidgets, null, children)));
+}
+function useAuth() {
+  return useAuth$1();
+}
+function ApiKeys({ authToken }) {
+  return /* @__PURE__ */ React.createElement(ApiKeys$1, { authToken });
+}
+function UsersManagement({ authToken }) {
+  return /* @__PURE__ */ React.createElement(UsersManagement$1, { authToken });
+}
+function UserProfile({ authToken }) {
+  return /* @__PURE__ */ React.createElement(UserProfile$1, { authToken });
+}
+function SignInButton({
+  children = "Sign In",
+  className,
+  redirectTo = typeof window !== "undefined" ? window.location.href : "/"
+}) {
+  const { authKitDomain, clientId } = useOAuthDoConfig();
+  const handleClick = () => {
+    const url = new URL(`https://${authKitDomain}`);
+    url.searchParams.set("client_id", clientId);
+    url.searchParams.set("redirect_uri", redirectTo);
+    url.searchParams.set("response_type", "code");
+    window.location.href = url.toString();
+  };
+  return /* @__PURE__ */ React.createElement("button", { onClick: handleClick, className }, children);
+}
+function SignOutButton({
+  children = "Sign Out",
+  className,
+  redirectTo = "/"
+}) {
+  const { signOut } = useAuth();
+  const handleClick = () => {
+    signOut();
+    if (redirectTo !== "/" && typeof window !== "undefined") {
+      window.location.href = redirectTo;
+    }
+  };
+  return /* @__PURE__ */ React.createElement("button", { onClick: handleClick, className }, children);
+}
+export { ApiKeys, OAuthDoProvider, SignInButton, SignOutButton, UserProfile, UsersManagement, useAuth, useOAuthDoConfig };
+//# sourceMappingURL=react.js.map
+//# sourceMappingURL=react.js.map

package/dist/react.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/react.tsx"],"names":["WorkOSAuthKitProvider","useWorkOSAuth","WorkOSApiKeys","WorkOSUsersManagement","WorkOSUserProfile"],"mappings":";;;;AAsEA,IAAM,eAAA,GAAkB;AAAA,EACtB,QAAA,EAAU,mCAAA;AAAA,EACV,MAAA,EAAQ,iBAAA;AAAA,EACR,aAAA,EAAe;AACjB,CAAA;AAYA,IAAM,cAAA,GAAiB,cAAmC,eAAe,CAAA;AAElE,SAAS,gBAAA,GAAwC;AACtD,EAAA,OAAO,WAAW,cAAc,CAAA;AAClC;AAgCO,SAAS,eAAA,CAAgB;AAAA,EAC9B,QAAA;AAAA,EACA,WAAW,eAAA,CAAgB,QAAA;AAAA,EAC3B,SAAS,eAAA,CAAgB,MAAA;AAAA,EACzB,gBAAgB,eAAA,CAAgB;AAClC,CAAA,EAAsC;AACpC,EAAA,MAAM,MAAA,GAAS,EAAE,QAAA,EAAU,MAAA,EAAQ,aAAA,EAAc;AAEjD,EAAA,uBACE,KAAA,CAAA,aAAA,CAAC,cAAA,CAAe,QAAA,EAAf,EAAwB,KAAA,EAAO,MAAA,EAAA,kBAC9B,KAAA,CAAA,aAAA,CAACA,eAAA,EAAA,EAAsB,QAAA,EAAA,kBACrB,KAAA,CAAA,aAAA,CAAC,aAAA,EAAA,IAAA,EACE,QACH,CACF,CACF,CAAA;AAEJ;AAuBO,SAAS,OAAA,GAAqB;AACnC,EAAA,OAAOC,SAAA,EAAc;AACvB;AA4BO,SAAS,OAAA,CAAQ,EAAE,SAAA,EAAU,EAA8B;AAChE,EAAA,uBAAO,KAAA,CAAA,aAAA,CAACC,aAAc,SAAA,EAAsB,CAAA;AAC9C;AAsBO,SAAS,eAAA,CAAgB,EAAE,SAAA,EAAU,EAAsC;AAChF,EAAA,uBAAO,KAAA,CAAA,aAAA,CAACC,qBAAsB,SAAA,EAAsB,CAAA;AACtD;AAsBO,SAAS,WAAA,CAAY,EAAE,SAAA,EAAU,EAAkC;AACxE,EAAA,uBAAO,KAAA,CAAA,aAAA,CAACC,iBAAkB,SAAA,EAAsB,CAAA;AAClD;AAwBO,SAAS,YAAA,CAAa;AAAA,EAC3B,QAAA,GAAW,SAAA;AAAA,EACX,SAAA;AAAA,EACA,aAAa,OAAO,MAAA,KAAW,WAAA,GAAc,MAAA,CAAO,SAAS,IAAA,GAAO;AACtE,CAAA,EAAmC;AACjC,EAAA,MAAM,EAAE,aAAA,EAAe,QAAA,EAAS,GAAI,gBAAA,EAAiB;AAErD,EAAA,MAAM,cAAc,MAAM;AACxB,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,CAAA,QAAA,EAAW,aAAa,CAAA,CAAE,CAAA;AAC9C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,QAAQ,CAAA;AAC1C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,UAAU,CAAA;AAC/C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAC5C,IAAA,MAAA,CAAO,QAAA,CAAS,IAAA,GAAO,GAAA,CAAI,QAAA,EAAS;AAAA,EACtC,CAAA;AAEA,EAAA,uBACE,KAAA,CAAA,aAAA,CAAC,QAAA,EAAA,EAAO,OAAA,EAAS,WAAA,EAAa,aAC3B,QACH,CAAA;AAEJ;AAoBO,SAAS,aAAA,CAAc;AAAA,EAC5B,QAAA,GAAW,UAAA;AAAA,EACX,SAAA;AAAA,EACA,UAAA,GAAa;AACf,CAAA,EAAoC;AAClC,EAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,OAAA,EAAQ;AAE5B,EAAA,MAAM,cAAc,MAAM;AACxB,IAAA,OAAA,EAAQ;AAER,IAAA,IAAI,UAAA,KAAe,GAAA,IAAO,OAAO,MAAA,KAAW,WAAA,EAAa;AACvD,MAAA,MAAA,CAAO,SAAS,IAAA,GAAO,UAAA;AAAA,IACzB;AAAA,EACF,CAAA;AAEA,EAAA,uBACE,KAAA,CAAA,aAAA,CAAC,QAAA,EAAA,EAAO,OAAA,EAAS,WAAA,EAAa,aAC3B,QACH,CAAA;AAEJ","file":"react.js","sourcesContent":["/**\n * oauth.do/react - React components for authentication\n *\n * Wraps WorkOS AuthKit widgets with oauth.do configuration.\n * Pre-configured with oauth.do WorkOS client ID.\n *\n * @packageDocumentation\n */\n\n'use client'\n\nimport {\n WorkOsWidgets,\n ApiKeys as WorkOSApiKeys,\n UsersManagement as WorkOSUsersManagement,\n UserProfile as WorkOSUserProfile\n} from '@workos-inc/widgets'\nimport {\n AuthKitProvider as WorkOSAuthKitProvider,\n useAuth as useWorkOSAuth,\n type Impersonator,\n type User,\n type AuthenticationMethod\n} from '@workos-inc/authkit-react'\n\n/**\n * Auth token can be a string or a function that returns a Promise<string>\n */\nexport type AuthToken = string | (() => Promise<string>)\nimport React, { createContext, useContext, type ReactNode } from 'react'\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Auth Types (re-exported from authkit-react context)\n// ═══════════════════════════════════════════════════════════════════════════\n\n/**\n * Options for switching organization\n */\nexport interface SwitchToOrganizationOptions {\n organizationId: string\n signInOpts?: {\n screenHint?: 'sign-in' | 'sign-up'\n loginHint?: string\n }\n}\n\n/**\n * Auth state and methods returned by useAuth hook\n */\nexport interface AuthState {\n isLoading: boolean\n user: User | null\n role: string | null\n roles: string[] | null\n organizationId: string | null\n permissions: string[]\n featureFlags: string[]\n impersonator: Impersonator | null\n authenticationMethod: AuthenticationMethod | null\n signIn: () => void\n signUp: () => void\n getUser: () => User | null\n getAccessToken: () => Promise<string>\n signOut: () => void\n switchToOrganization: (options: SwitchToOrganizationOptions) => Promise<void>\n getSignInUrl: () => Promise<string>\n getSignUpUrl: () => Promise<string>\n}\n\n// oauth.do default configuration\nconst OAUTH_DO_CONFIG = {\n clientId: 'client_01JQYTRXK9ZPD8JPJTKDCRB656',\n apiUrl: 'https://apis.do',\n authKitDomain: 'login.oauth.do',\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Context\n// ═══════════════════════════════════════════════════════════════════════════\n\ninterface OAuthDoContextValue {\n clientId: string\n apiUrl: string\n authKitDomain: string\n}\n\nconst OAuthDoContext = createContext<OAuthDoContextValue>(OAUTH_DO_CONFIG)\n\nexport function useOAuthDoConfig(): OAuthDoContextValue {\n return useContext(OAuthDoContext)\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Provider\n// ═══════════════════════════════════════════════════════════════════════════\n\nexport interface OAuthDoProviderProps {\n children: ReactNode\n /** Override the default client ID */\n clientId?: string\n /** Override the API URL */\n apiUrl?: string\n /** Override the AuthKit domain */\n authKitDomain?: string\n}\n\n/**\n * OAuth.do Provider - wraps your app with authentication context\n *\n * @example\n * ```tsx\n * import { OAuthDoProvider } from 'oauth.do/react'\n *\n * export default function App({ children }) {\n * return (\n * <OAuthDoProvider>\n * {children}\n * </OAuthDoProvider>\n * )\n * }\n * ```\n */\nexport function OAuthDoProvider({\n children,\n clientId = OAUTH_DO_CONFIG.clientId,\n apiUrl = OAUTH_DO_CONFIG.apiUrl,\n authKitDomain = OAUTH_DO_CONFIG.authKitDomain,\n}: OAuthDoProviderProps): JSX.Element {\n const config = { clientId, apiUrl, authKitDomain }\n\n return (\n <OAuthDoContext.Provider value={config}>\n <WorkOSAuthKitProvider clientId={clientId}>\n <WorkOsWidgets>\n {children}\n </WorkOsWidgets>\n </WorkOSAuthKitProvider>\n </OAuthDoContext.Provider>\n )\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Hooks\n// ═══════════════════════════════════════════════════════════════════════════\n\n/**\n * useAuth hook - access current user and auth state\n *\n * @example\n * ```tsx\n * import { useAuth } from 'oauth.do/react'\n *\n * function UserGreeting() {\n * const { user, isLoading } = useAuth()\n *\n * if (isLoading) return <span>Loading...</span>\n * if (!user) return <span>Please sign in</span>\n *\n * return <span>Hello, {user.firstName}!</span>\n * }\n * ```\n */\nexport function useAuth(): AuthState {\n return useWorkOSAuth() as AuthState\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Widgets\n// ═══════════════════════════════════════════════════════════════════════════\n\nexport interface ApiKeysProps {\n /** Auth token for the widget (from useAuth().getAccessToken or server-generated) */\n authToken: AuthToken\n}\n\n/**\n * API Keys Widget - manage API keys for your organization\n *\n * Requires the `widgets:api-keys:manage` permission.\n *\n * @example\n * ```tsx\n * import { ApiKeys, useAuth } from 'oauth.do/react'\n *\n * function ApiKeysPage() {\n * const { user, getAccessToken } = useAuth()\n * if (!user) return <p>Please sign in</p>\n *\n * return <ApiKeys authToken={getAccessToken} />\n * }\n * ```\n */\nexport function ApiKeys({ authToken }: ApiKeysProps): JSX.Element {\n return <WorkOSApiKeys authToken={authToken} />\n}\n\nexport interface UsersManagementProps {\n /** Auth token for the widget */\n authToken: AuthToken\n}\n\n/**\n * Users Management Widget - invite, remove, and manage users\n *\n * @example\n * ```tsx\n * import { UsersManagement, useAuth } from 'oauth.do/react'\n *\n * function UsersPage() {\n * const { user, getAccessToken } = useAuth()\n * if (!user) return <p>Please sign in</p>\n *\n * return <UsersManagement authToken={getAccessToken} />\n * }\n * ```\n */\nexport function UsersManagement({ authToken }: UsersManagementProps): JSX.Element {\n return <WorkOSUsersManagement authToken={authToken} />\n}\n\nexport interface UserProfileProps {\n /** Auth token for the widget */\n authToken: AuthToken\n}\n\n/**\n * User Profile Widget - view and edit user profile\n *\n * @example\n * ```tsx\n * import { UserProfile, useAuth } from 'oauth.do/react'\n *\n * function ProfilePage() {\n * const { user, getAccessToken } = useAuth()\n * if (!user) return <p>Please sign in</p>\n *\n * return <UserProfile authToken={getAccessToken} />\n * }\n * ```\n */\nexport function UserProfile({ authToken }: UserProfileProps): JSX.Element {\n return <WorkOSUserProfile authToken={authToken} />\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Login Components\n// ═══════════════════════════════════════════════════════════════════════════\n\nexport interface SignInButtonProps {\n children?: ReactNode\n className?: string\n redirectTo?: string\n}\n\n/**\n * Sign In Button - redirects to oauth.do login\n *\n * @example\n * ```tsx\n * import { SignInButton } from 'oauth.do/react'\n *\n * function Header() {\n * return <SignInButton>Sign In</SignInButton>\n * }\n * ```\n */\nexport function SignInButton({\n children = 'Sign In',\n className,\n redirectTo = typeof window !== 'undefined' ? window.location.href : '/',\n}: SignInButtonProps): JSX.Element {\n const { authKitDomain, clientId } = useOAuthDoConfig()\n\n const handleClick = () => {\n const url = new URL(`https://${authKitDomain}`)\n url.searchParams.set('client_id', clientId)\n url.searchParams.set('redirect_uri', redirectTo)\n url.searchParams.set('response_type', 'code')\n window.location.href = url.toString()\n }\n\n return (\n <button onClick={handleClick} className={className}>\n {children}\n </button>\n )\n}\n\nexport interface SignOutButtonProps {\n children?: ReactNode\n className?: string\n redirectTo?: string\n}\n\n/**\n * Sign Out Button - clears auth state and optionally redirects\n *\n * @example\n * ```tsx\n * import { SignOutButton } from 'oauth.do/react'\n *\n * function Header() {\n * return <SignOutButton>Sign Out</SignOutButton>\n * }\n * ```\n */\nexport function SignOutButton({\n children = 'Sign Out',\n className,\n redirectTo = '/',\n}: SignOutButtonProps): JSX.Element {\n const { signOut } = useAuth()\n\n const handleClick = () => {\n signOut()\n // Redirect after signOut if a custom redirectTo is provided\n if (redirectTo !== '/' && typeof window !== 'undefined') {\n window.location.href = redirectTo\n }\n }\n\n return (\n <button onClick={handleClick} className={className}>\n {children}\n </button>\n )\n}\n\n// ═══════════════════════════════════════════════════════════════════════════\n// Re-exports\n// ═══════════════════════════════════════════════════════════════════════════\n\nexport type { User, Impersonator, AuthenticationMethod }\n"]}

package/dist/session-hono.d.ts ADDED Viewed

@@ -0,0 +1,143 @@
+import { Context, Hono, MiddlewareHandler } from 'hono';
+import { SessionData, SessionConfig } from './session.js';
+/**
+ * oauth.do/session-hono - Hono middleware for cookie-based session auth
+ *
+ * Provides session-based authentication as an alternative to JWT middleware.
+ * Uses AES-GCM encrypted cookies for secure, stateless sessions.
+ *
+ * @example
+ * ```ts
+ * import { Hono } from 'hono'
+ * import { sessionAuth, requireSession, createOAuthRoutes } from 'oauth.do/hono'
+ *
+ * const app = new Hono()
+ * app.use('*', sessionAuth())
+ * app.route('/auth', createOAuthRoutes({
+ *   workosApiKey: env.WORKOS_API_KEY,
+ *   clientId: env.WORKOS_CLIENT_ID,
+ * }))
+ * ```
+ */
+/**
+ * User info extracted from session
+ */
+interface SessionUser {
+    id: string;
+    email?: string;
+    name?: string;
+    organizationId?: string;
+}
+declare module 'hono' {
+    interface ContextVariableMap {
+        session: SessionData | null;
+        sessionUser: SessionUser | null;
+    }
+}
+/**
+ * Options for session auth middleware
+ */
+interface SessionAuthOptions {
+    /** Session configuration (cookie name, secret, etc.) */
+    config?: Partial<SessionConfig>;
+}
+/**
+ * Options for creating OAuth routes
+ */
+interface OAuthRoutesOptions {
+    /** WorkOS API Key */
+    workosApiKey?: string;
+    /** WorkOS Client ID */
+    clientId?: string;
+    /** Session configuration */
+    session?: Partial<SessionConfig>;
+    /** Base URL for OAuth redirects (derived from request if not set) */
+    redirectBaseUrl?: string;
+    /** Path prefix for auth routes (default: '') */
+    pathPrefix?: string;
+    /** Callback after successful login */
+    onLogin?: (session: SessionData, c: Context) => void | Promise<void>;
+    /** Callback after logout */
+    onLogout?: (c: Context) => void | Promise<void>;
+    /** Enable debug logging */
+    debug?: boolean;
+}
+/**
+ * Environment bindings for session auth
+ */
+interface SessionEnv {
+    WORKOS_API_KEY?: string;
+    WORKOS_CLIENT_ID?: string;
+    SESSION_SECRET?: string;
+    SESSION_COOKIE_NAME?: string;
+    SESSION_COOKIE_MAX_AGE?: string;
+    SESSION_COOKIE_SECURE?: string;
+    SESSION_COOKIE_SAME_SITE?: string;
+    AUTH_REDIRECT_BASE_URL?: string;
+    DEBUG?: string;
+}
+/**
+ * Set session cookie with encrypted session data
+ */
+declare function setSessionCookie(c: Context, session: SessionData, config?: SessionConfig): Promise<void>;
+/**
+ * Clear session cookie
+ */
+declare function clearSessionCookie(c: Context, config?: SessionConfig): void;
+/**
+ * Get session from cookie
+ */
+declare function getSessionFromCookie(c: Context, config?: SessionConfig): Promise<SessionData | null>;
+/**
+ * Session auth middleware - populates c.var.session and c.var.sessionUser
+ *
+ * Non-blocking: sets null if no session exists. Use requireSession() for guarded access.
+ *
+ * @example
+ * ```ts
+ * app.use('*', sessionAuth())
+ * app.get('/me', (c) => {
+ *   if (!c.var.session) return c.json({ error: 'Not authenticated' }, 401)
+ *   return c.json(c.var.sessionUser)
+ * })
+ * ```
+ */
+declare function sessionAuth(options?: SessionAuthOptions): MiddlewareHandler;
+/**
+ * Require session middleware - returns 401 if no valid session
+ *
+ * @example
+ * ```ts
+ * app.use('/api/*', requireSession())
+ * ```
+ */
+declare function requireSession(options?: SessionAuthOptions): MiddlewareHandler;
+/**
+ * Create mountable OAuth routes for login, callback, logout, me, and refresh.
+ *
+ * @example
+ * ```ts
+ * import { Hono } from 'hono'
+ * import { createOAuthRoutes } from 'oauth.do/hono'
+ *
+ * const app = new Hono()
+ * app.route('/auth', createOAuthRoutes({
+ *   workosApiKey: env.WORKOS_API_KEY,
+ *   clientId: env.WORKOS_CLIENT_ID,
+ *   session: { secret: env.SESSION_SECRET },
+ * }))
+ * ```
+ *
+ * Routes:
+ * - GET /login - Redirect to WorkOS authorization
+ * - GET /callback - Handle OAuth callback, set session cookie
+ * - GET /logout - Clear cookie, redirect
+ * - POST /logout - Clear cookie, JSON response
+ * - GET /me - Return session user info
+ * - POST /refresh - Refresh access token
+ */
+declare function createOAuthRoutes(options?: OAuthRoutesOptions): Hono;
+export { type OAuthRoutesOptions, type SessionAuthOptions, type SessionEnv, type SessionUser, clearSessionCookie, createOAuthRoutes, getSessionFromCookie, requireSession, sessionAuth, setSessionCookie };

package/dist/session-hono.js ADDED Viewed

@@ -0,0 +1,406 @@
+import { Hono } from 'hono';
+import { setCookie, deleteCookie, getCookie } from 'hono/cookie';
+// src/session-hono.ts
+// src/session.ts
+var defaultSessionConfig = {
+  cookieName: "session",
+  cookieMaxAge: 60 * 60 * 24 * 7,
+  // 7 days
+  cookieSecure: true,
+  cookieSameSite: "lax",
+  secret: "oauth-do-dev-secret-change-in-production"
+};
+var ALGORITHM = "AES-GCM";
+var IV_LENGTH = 12;
+var TAG_LENGTH = 128;
+async function getEncryptionKey(secret) {
+  const encoder = new TextEncoder();
+  return crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret.padEnd(32, "0").slice(0, 32)),
+    { name: ALGORITHM },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encodeSession(session, secret) {
+  const key = await getEncryptionKey(secret ?? defaultSessionConfig.secret);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const encoder = new TextEncoder();
+  const data = encoder.encode(JSON.stringify(session));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: ALGORITHM, iv, tagLength: TAG_LENGTH },
+    key,
+    data
+  );
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decodeSession(encoded, secret) {
+  try {
+    const key = await getEncryptionKey(secret ?? defaultSessionConfig.secret);
+    const combined = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
+    const iv = combined.slice(0, IV_LENGTH);
+    const ciphertext = combined.slice(IV_LENGTH);
+    const decrypted = await crypto.subtle.decrypt(
+      { name: ALGORITHM, iv, tagLength: TAG_LENGTH },
+      key,
+      ciphertext
+    );
+    const decoder = new TextDecoder();
+    const parsed = JSON.parse(decoder.decode(decrypted));
+    if (!isValidSessionData(parsed)) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function isValidSessionData(data) {
+  if (data === null || typeof data !== "object") {
+    return false;
+  }
+  const session = data;
+  if (typeof session.userId !== "string" || session.userId.length === 0) {
+    return false;
+  }
+  if (typeof session.accessToken !== "string" || session.accessToken.length === 0) {
+    return false;
+  }
+  if (session.organizationId !== void 0 && typeof session.organizationId !== "string") {
+    return false;
+  }
+  if (session.email !== void 0 && typeof session.email !== "string") {
+    return false;
+  }
+  if (session.name !== void 0 && typeof session.name !== "string") {
+    return false;
+  }
+  if (session.refreshToken !== void 0 && typeof session.refreshToken !== "string") {
+    return false;
+  }
+  if (session.expiresAt !== void 0 && typeof session.expiresAt !== "number") {
+    return false;
+  }
+  return true;
+}
+function getSessionConfig(env) {
+  const validSameSite = ["strict", "lax", "none"];
+  let cookieSameSite = defaultSessionConfig.cookieSameSite;
+  if (env?.SESSION_COOKIE_SAME_SITE) {
+    const value = env.SESSION_COOKIE_SAME_SITE;
+    if (validSameSite.includes(value)) {
+      cookieSameSite = value;
+    }
+  }
+  let cookieMaxAge = defaultSessionConfig.cookieMaxAge;
+  if (env?.SESSION_COOKIE_MAX_AGE) {
+    const parsed = parseInt(env.SESSION_COOKIE_MAX_AGE, 10);
+    if (!Number.isNaN(parsed) && parsed > 0) {
+      cookieMaxAge = parsed;
+    }
+  }
+  return {
+    secret: env?.SESSION_SECRET ?? defaultSessionConfig.secret,
+    cookieName: env?.SESSION_COOKIE_NAME ?? defaultSessionConfig.cookieName,
+    cookieMaxAge,
+    cookieSecure: env?.SESSION_COOKIE_SECURE !== "false",
+    cookieSameSite
+  };
+}
+// src/session-hono.ts
+async function setSessionCookie(c, session, config = defaultSessionConfig) {
+  const encoded = await encodeSession(session, config.secret);
+  setCookie(c, config.cookieName, encoded, {
+    path: "/",
+    httpOnly: true,
+    secure: config.cookieSecure,
+    sameSite: config.cookieSameSite === "none" ? "None" : config.cookieSameSite === "strict" ? "Strict" : "Lax",
+    maxAge: config.cookieMaxAge
+  });
+}
+function clearSessionCookie(c, config = defaultSessionConfig) {
+  deleteCookie(c, config.cookieName, { path: "/" });
+}
+async function getSessionFromCookie(c, config = defaultSessionConfig) {
+  const encoded = getCookie(c, config.cookieName);
+  if (!encoded) return null;
+  return decodeSession(encoded, config.secret);
+}
+function sessionAuth(options = {}) {
+  return async (c, next) => {
+    const env = c.env ?? {};
+    const config = { ...getSessionConfig(env), ...options.config };
+    const session = await getSessionFromCookie(c, config);
+    c.set("session", session);
+    c.set("sessionUser", session ? {
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    } : null);
+    await next();
+  };
+}
+function requireSession(options = {}) {
+  return async (c, next) => {
+    const env = c.env ?? {};
+    const config = { ...getSessionConfig(env), ...options.config };
+    const session = await getSessionFromCookie(c, config);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Authentication required" }, 401);
+    }
+    if (session.expiresAt && Date.now() >= session.expiresAt) {
+      clearSessionCookie(c, config);
+      return c.json({ error: "Unauthorized", message: "Session expired" }, 401);
+    }
+    c.set("session", session);
+    c.set("sessionUser", {
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    });
+    await next();
+  };
+}
+function createWorkOSClient(apiKey) {
+  const baseUrl = "https://api.workos.com";
+  return {
+    getAuthorizationUrl(options) {
+      const params = new URLSearchParams({
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri,
+        response_type: "code",
+        ...options.state && { state: options.state },
+        ...options.provider && { provider: options.provider }
+      });
+      return `https://api.workos.com/sso/authorize?${params.toString()}`;
+    },
+    async authenticateWithCode(options) {
+      const response = await fetch(`${baseUrl}/user_management/authenticate`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          client_id: options.clientId,
+          code: options.code,
+          redirect_uri: options.redirectUri
+        }).toString()
+      });
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`WorkOS authentication failed: ${response.status} - ${error}`);
+      }
+      return response.json();
+    },
+    async refreshToken(options) {
+      const response = await fetch(`${baseUrl}/user_management/authenticate`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          client_id: options.clientId,
+          refresh_token: options.refreshToken
+        }).toString()
+      });
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token refresh failed: ${response.status} - ${error}`);
+      }
+      return response.json();
+    }
+  };
+}
+function createOAuthRoutes(options = {}) {
+  const app = new Hono();
+  app.use("*", async (c, next) => {
+    await next();
+    const contentType = c.res.headers.get("content-type");
+    if (contentType?.includes("application/json") && !contentType.includes("charset")) {
+      c.res.headers.set("content-type", "application/json; charset=utf-8");
+    }
+  });
+  app.get("/login", (c) => {
+    const env = c.env ?? {};
+    const apiKey = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    if (!apiKey) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const workos = createWorkOSClient(apiKey);
+    const url = new URL(c.req.url);
+    const baseUrl = options.redirectBaseUrl ?? env.AUTH_REDIRECT_BASE_URL ?? `${url.protocol}//${url.host}`;
+    const intendedRedirect = c.req.query("redirect_uri") || "/";
+    const provider = c.req.query("provider");
+    const state = btoa(JSON.stringify({ redirect: intendedRedirect }));
+    const authUrl = workos.getAuthorizationUrl({
+      clientId,
+      redirectUri: `${baseUrl}/auth/callback`,
+      state,
+      provider
+    });
+    return c.redirect(authUrl);
+  });
+  app.get("/callback", async (c) => {
+    const env = c.env ?? {};
+    const apiKey = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const debug = options.debug ?? env.DEBUG === "true";
+    if (!apiKey) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const code = c.req.query("code");
+    const state = c.req.query("state");
+    const error = c.req.query("error");
+    const errorDescription = c.req.query("error_description");
+    if (error) {
+      if (debug) console.error("[Auth] OAuth error:", error, errorDescription);
+      return c.json({ error: "Authentication failed", message: errorDescription || error }, 400);
+    }
+    if (!code) {
+      return c.json({ error: "Missing authorization code" }, 400);
+    }
+    const workos = createWorkOSClient(apiKey);
+    const url = new URL(c.req.url);
+    const baseUrl = options.redirectBaseUrl ?? env.AUTH_REDIRECT_BASE_URL ?? `${url.protocol}//${url.host}`;
+    try {
+      const result = await workos.authenticateWithCode({
+        clientId,
+        code,
+        redirectUri: `${baseUrl}/auth/callback`
+      });
+      const session = {
+        userId: result.user.id,
+        organizationId: result.user.organization_id,
+        email: result.user.email,
+        name: [result.user.first_name, result.user.last_name].filter(Boolean).join(" ") || void 0,
+        accessToken: result.access_token,
+        refreshToken: result.refresh_token,
+        expiresAt: result.expires_in ? Date.now() + result.expires_in * 1e3 : void 0
+      };
+      await setSessionCookie(c, session, sessionConfig);
+      await options.onLogin?.(session, c);
+      let redirectTo = "/";
+      if (state) {
+        try {
+          const stateData = JSON.parse(atob(state));
+          redirectTo = stateData.redirect || "/";
+        } catch {
+        }
+      }
+      if (!redirectTo.startsWith("/")) {
+        redirectTo = "/";
+      }
+      return c.redirect(redirectTo);
+    } catch (err) {
+      if (debug) console.error("[Auth] OAuth callback error:", err);
+      return c.json({
+        error: "Authentication failed",
+        message: err instanceof Error ? err.message : "Unknown error"
+      }, 500);
+    }
+  });
+  app.get("/logout", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    clearSessionCookie(c, sessionConfig);
+    await options.onLogout?.(c);
+    const redirectTo = c.req.query("redirect_uri") || "/";
+    if (!redirectTo.startsWith("/")) {
+      return c.redirect("/");
+    }
+    return c.redirect(redirectTo);
+  });
+  app.post("/logout", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    clearSessionCookie(c, sessionConfig);
+    await options.onLogout?.(c);
+    return c.json({ success: true, message: "Logged out successfully" });
+  });
+  app.get("/me", async (c) => {
+    const env = c.env ?? {};
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const session = await getSessionFromCookie(c, sessionConfig);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Not authenticated" }, 401);
+    }
+    if (session.expiresAt && Date.now() >= session.expiresAt) {
+      clearSessionCookie(c, sessionConfig);
+      return c.json({ error: "Unauthorized", message: "Session expired" }, 401);
+    }
+    return c.json({
+      id: session.userId,
+      email: session.email,
+      name: session.name,
+      organizationId: session.organizationId
+    });
+  });
+  app.post("/refresh", async (c) => {
+    const env = c.env ?? {};
+    const apiKey = options.workosApiKey ?? env.WORKOS_API_KEY;
+    const clientId = options.clientId ?? env.WORKOS_CLIENT_ID;
+    const sessionConfig = { ...getSessionConfig(env), ...options.session };
+    const debug = options.debug ?? env.DEBUG === "true";
+    if (!apiKey) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_API_KEY not configured" }, 500);
+    }
+    if (!clientId) {
+      return c.json({ error: "Server configuration error", message: "WORKOS_CLIENT_ID not configured" }, 500);
+    }
+    const session = await getSessionFromCookie(c, sessionConfig);
+    if (!session) {
+      return c.json({ error: "Unauthorized", message: "Not authenticated" }, 401);
+    }
+    if (!session.refreshToken) {
+      return c.json({ error: "Cannot refresh", message: "No refresh token available" }, 400);
+    }
+    const workos = createWorkOSClient(apiKey);
+    try {
+      const result = await workos.refreshToken({
+        clientId,
+        refreshToken: session.refreshToken
+      });
+      const updatedSession = {
+        ...session,
+        accessToken: result.access_token,
+        refreshToken: result.refresh_token || session.refreshToken,
+        expiresAt: result.expires_in ? Date.now() + result.expires_in * 1e3 : void 0
+      };
+      await setSessionCookie(c, updatedSession, sessionConfig);
+      return c.json({ success: true, expiresAt: updatedSession.expiresAt });
+    } catch (err) {
+      if (debug) console.error("[Auth] Token refresh error:", err);
+      clearSessionCookie(c, sessionConfig);
+      return c.json({
+        error: "Refresh failed",
+        message: err instanceof Error ? err.message : "Unknown error"
+      }, 401);
+    }
+  });
+  return app;
+}
+export { clearSessionCookie, createOAuthRoutes, getSessionFromCookie, requireSession, sessionAuth, setSessionCookie };
+//# sourceMappingURL=session-hono.js.map
+//# sourceMappingURL=session-hono.js.map