peta-auth 0.1.2 → 0.2.0

package/dist/jwt.mjs

@@ -1,28 +1,48 @@
+import { t as normalizePassword } from "./crypto-WcFV83Nz.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
 import * as jose from "jose";
 //#region src/jwt.ts
-function toPasswordMap(password) {
-	return typeof password === "string" ? { 1: password } : password;
-}
 function toKey(secret) {
 	return new TextEncoder().encode(secret);
 }
+/**
+* Sign a JWT payload.
+*
+* @example
+* ```ts
+* const token = await signJWT({ userId: "abc" }, { password: "my-32-char-secret...", expiresIn: 3600 })
+* ```
+*/
 async function signJWT(payload, options) {
-	const map = toPasswordMap(options.password);
+	const map = normalizePassword(options.password);
 	const secret = map[Math.max(...Object.keys(map).map(Number)).toString()];
-	if (!secret || secret.length < 32) throw new Error("peta-auth/jwt: password must be at least 32 characters");
+	if (!secret || secret.length < 32) throw new PetaAuthError("JWT_PASSWORD_TOO_SHORT", "peta-auth/jwt: password must be at least 32 characters");
 	const jwt = new jose.SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt();
-	if (options.exp !== void 0) jwt.setExpirationTime(Math.floor(Date.now() / 1e3) + options.exp);
+	const ttl = options.expiresIn ?? 86400;
+	jwt.setExpirationTime(Math.floor(Date.now() / 1e3) + ttl);
 	return jwt.sign(toKey(secret));
 }
+/**
+* Verify and decode a JWT.
+*
+* Returns `null` when the token is invalid or expired.
+*
+* @example
+* ```ts
+* const payload = await verifyJWT<{ userId: string }>(token, { password: "my-32-char-secret..." })
+* ```
+*/
 async function verifyJWT(token, options) {
-	for (const secret of Object.values(toPasswordMap(options.password))) {
+	let result = null;
+	const passwords = normalizePassword(options.password);
+	for (const secret of Object.values(passwords)) {
 		if (!secret) continue;
 		try {
 			const { payload } = await jose.jwtVerify(token, toKey(secret));
-			return payload;
+			if (!result) result = payload;
 		} catch {}
 	}
-	return null;
+	return result;
 }
 //#endregion
 export { signJWT, verifyJWT };

package/dist/nuxt.d.mts

@@ -1,8 +1,32 @@
-import { r as SessionOptions, t as IronSession } from "./session-z20gaFVT.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-0bF8_7Ui.mjs";
 import { H3Event } from "h3";
 
 //#region src/nuxt.d.ts
+/**
+ * Create a session from an h3 event (Nuxt / h3).
+ *
+ * @example
+ * ```ts
+ * // In a Nuxt server handler:
+ * const session = await useSession(event, { password: process.env.NUXT_SESSION_PASSWORD })
+ * session.userId = 42
+ * await session.save()
+ * ```
+ */
 declare function useSession<T extends Record<string, unknown> = Record<string, unknown>>(event: H3Event, options: SessionOptions): Promise<T & IronSession>;
-declare function requireSession(_event: H3Event, session: IronSession): void;
+/**
+ * Guard that requires session data.
+ *
+ * Throws a 401 h3 error when the session is empty.
+ *
+ * @example
+ * ```ts
+ * const session = await useSession(event, options)
+ * requireSession(event, session)
+ * requireSession(event, session, "role") // require specific key
+ * ```
+ */
+declare function requireSession(event: H3Event, session: IronSession): void;
+declare function requireSession<K extends string>(event: H3Event, session: IronSession, key: K): void;
 //#endregion
 export { requireSession, useSession };

package/dist/nuxt.mjs

@@ -1,21 +1,33 @@
-import { t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { n as sessionHasData, t as createSessionFromAdapter } from "./session-BGCQ1Z1Q.mjs";
 import { appendHeader, createError, getCookie } from "h3";
 //#region src/nuxt.ts
+/**
+* Create a session from an h3 event (Nuxt / h3).
+*
+* @example
+* ```ts
+* // In a Nuxt server handler:
+* const session = await useSession(event, { password: process.env.NUXT_SESSION_PASSWORD })
+* session.userId = 42
+* await session.save()
+* ```
+*/
 function useSession(event, options) {
 	const password = options.password ?? process.env.NUXT_SESSION_PASSWORD;
-	if (!password) throw new Error("peta-auth/nuxt: NUXT_SESSION_PASSWORD is required");
+	if (!password) throw new PetaAuthError("MISSING_PASSWORD", "peta-auth/nuxt: NUXT_SESSION_PASSWORD is required");
 	return createSessionFromAdapter({
 		getCookie: (name) => getCookie(event, name),
 		setCookie: (value) => appendHeader(event, "Set-Cookie", value)
 	}, {
 		password,
-		cookieName: options?.cookieName ?? "nuxt-session",
-		ttl: options?.ttl,
-		cookieOptions: options?.cookieOptions
+		cookieName: options.cookieName ?? "nuxt-session",
+		timeToLive: options.timeToLive,
+		cookieOptions: options.cookieOptions
 	});
 }
-function requireSession(_event, session) {
-	if (!Object.keys(session).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig")) throw createError({
+function requireSession(_event, session, key) {
+	if (!sessionHasData(session, key)) throw createError({
 		statusCode: 401,
 		statusMessage: "unauthorized"
 	});

package/dist/oauth/github.d.mts

@@ -1,4 +1,5 @@
 //#region src/oauth/github.d.ts
+/** Configuration for GitHub OAuth. */
 interface OAuthGitHubConfig {
   clientId?: string;
   clientSecret?: string;
@@ -10,6 +11,11 @@ interface OAuthGitHubConfig {
   authorizationParams?: Record<string, string>;
   redirectURL?: string;
 }
+interface GitHubTokens {
+  access_token: string;
+  scope: string;
+  token_type: string;
+}
 interface GitHubUser {
   login: string;
   id: number;
@@ -19,11 +25,18 @@ interface GitHubUser {
   email: string | null;
   email_verified?: boolean;
 }
-interface GitHubTokens {
-  access_token: string;
-  scope: string;
-  token_type: string;
-}
+/**
+ * Define a GitHub OAuth event handler.
+ *
+ * @example
+ * ```ts
+ * const handle = defineOAuthGitHubEventHandler({
+ *   onSuccess: async ({ user, tokens }) =>
+ *     new Response(`Welcome ${user.login}!`),
+ * })
+ * serve(handle)
+ * ```
+ */
 declare function defineOAuthGitHubEventHandler(options: {
   config?: OAuthGitHubConfig;
   onSuccess: (event: {

package/dist/oauth/github.mjs

@@ -1,92 +1,83 @@
-import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handleState, redirect, requestAccessToken } from "./index.mjs";
+import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
 //#region src/oauth/github.ts
-function resolveGitHubConfig(config) {
-	return {
-		authorizationURL: config.authorizationURL ?? "https://github.com/login/oauth/authorize",
-		tokenURL: config.tokenURL ?? "https://github.com/login/oauth/access_token",
-		apiURL: config.apiURL ?? "https://api.github.com",
-		clientId: config.clientId ?? process.env.PETA_OAUTH_GITHUB_CLIENT_ID ?? "",
-		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GITHUB_CLIENT_SECRET ?? "",
-		scope: config.scope ?? [],
-		emailRequired: config.emailRequired ?? false,
-		authorizationParams: config.authorizationParams ?? {},
-		redirectURL: config.redirectURL
-	};
-}
-function defineOAuthGitHubEventHandler(options) {
-	const { config: userConfig = {}, onSuccess, onError } = options;
-	return async (request) => {
-		const config = resolveGitHubConfig(userConfig);
-		const url = new URL(request.url);
-		const queryCode = url.searchParams.get("code");
-		const queryError = url.searchParams.get("error");
-		const queryState = url.searchParams.get("state");
-		if (queryError) {
-			const err = /* @__PURE__ */ new Error(`GitHub login failed: ${queryError}`);
-			if (onError) return onError(err);
-			return new Response(JSON.stringify({ error: err.message }), {
-				status: 401,
-				headers: { "Content-Type": "application/json" }
-			});
-		}
-		if (!config.clientId || !config.clientSecret) {
-			const missing = [];
-			if (!config.clientId) missing.push("clientId");
-			if (!config.clientSecret) missing.push("clientSecret");
-			return handleMissingConfiguration("github", missing, onError);
-		}
-		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
-		const state = handleState(request);
-		if (!queryCode) {
-			if (config.emailRequired && !config.scope.includes("user:email")) config.scope.push("user:email");
-			const authUrl = new URL(config.authorizationURL);
-			authUrl.searchParams.set("client_id", config.clientId);
-			authUrl.searchParams.set("redirect_uri", redirectURL);
-			authUrl.searchParams.set("scope", config.scope.join(" "));
-			authUrl.searchParams.set("state", state.state ?? "");
-			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
-			return redirect(authUrl.toString(), state.setCookie);
-		}
-		if (!queryState || queryState !== state.expectedState) return handleInvalidState("github", onError);
-		const tokens = await requestAccessToken(config.tokenURL, { body: {
+const githubProvider = {
+	name: "github",
+	resolveConfig(config) {
+		const c = config;
+		return {
+			authorizationURL: c.authorizationURL ?? "https://github.com/login/oauth/authorize",
+			tokenURL: c.tokenURL ?? "https://github.com/login/oauth/access_token",
+			apiURL: c.apiURL ?? "https://api.github.com",
+			clientId: c.clientId ?? process.env.PETA_OAUTH_GITHUB_CLIENT_ID ?? "",
+			clientSecret: c.clientSecret ?? process.env.PETA_OAUTH_GITHUB_CLIENT_SECRET ?? "",
+			scope: c.scope ?? [],
+			emailRequired: c.emailRequired ?? false,
+			authorizationParams: c.authorizationParams ?? {},
+			redirectURL: c.redirectURL
+		};
+	},
+	buildAuthUrl(config, redirectURL, state, _pkce) {
+		const c = config;
+		if (c.emailRequired && !c.scope.includes("user:email")) c.scope.push("user:email");
+		const authUrl = new URL(c.authorizationURL);
+		authUrl.searchParams.set("client_id", c.clientId);
+		authUrl.searchParams.set("redirect_uri", redirectURL);
+		authUrl.searchParams.set("scope", c.scope.join(" "));
+		authUrl.searchParams.set("state", state.state ?? "");
+		for (const [key, value] of Object.entries(c.authorizationParams)) authUrl.searchParams.set(key, value);
+		return {
+			url: authUrl.toString(),
+			cookies: state.setCookie
+		};
+	},
+	requestTokenBody(config, redirectURL, code, _pkce) {
+		return {
 			grant_type: "authorization_code",
 			client_id: config.clientId,
 			client_secret: config.clientSecret,
 			redirect_uri: redirectURL,
-			code: queryCode
-		} });
-		const tokensRecord = tokens;
-		if (tokensRecord.error) return handleAccessTokenError("github", tokensRecord, onError);
+			code
+		};
+	},
+	async fetchUser(config, tokens, _request) {
+		const c = config;
 		const accessToken = tokens.access_token;
-		const userResponse = await fetch(`${config.apiURL}/user`, { headers: {
-			"User-Agent": `GitHub-OAuth-${config.clientId}`,
+		const userResponse = await fetch(`${c.apiURL}/user`, { headers: {
+			"User-Agent": `GitHub-OAuth-${c.clientId}`,
 			Authorization: `token ${accessToken}`
 		} });
-		if (!userResponse.ok) {
-			const err = /* @__PURE__ */ new Error(`GitHub user fetch failed: ${userResponse.status}`);
-			if (onError) return onError(err);
-			throw err;
-		}
+		if (!userResponse.ok) throw new Error(`GitHub user fetch failed: ${userResponse.status}`);
 		const user = await userResponse.json();
-		if (!user.email && config.emailRequired) {
-			const emailsResponse = await fetch(`${config.apiURL}/user/emails`, { headers: {
-				"User-Agent": `GitHub-OAuth-${config.clientId}`,
+		if (!user.email && c.emailRequired) {
+			const emailsResponse = await fetch(`${c.apiURL}/user/emails`, { headers: {
+				"User-Agent": `GitHub-OAuth-${c.clientId}`,
 				Authorization: `token ${accessToken}`
 			} });
 			if (emailsResponse.ok) {
-				const primaryEmail = (await emailsResponse.json()).find((e) => e.primary);
+				const primaryEmail = (await emailsResponse.json()).find((entry) => entry.primary);
 				if (primaryEmail) {
 					user.email = primaryEmail.email;
 					user.email_verified = primaryEmail.verified;
 				}
 			}
 		}
-		return onSuccess({
-			user,
-			tokens,
-			request
-		});
-	};
+		return user;
+	}
+};
+/**
+* Define a GitHub OAuth event handler.
+*
+* @example
+* ```ts
+* const handle = defineOAuthGitHubEventHandler({
+*   onSuccess: async ({ user, tokens }) =>
+*     new Response(`Welcome ${user.login}!`),
+* })
+* serve(handle)
+* ```
+*/
+function defineOAuthGitHubEventHandler(options) {
+	return defineOAuthHandler(githubProvider, options);
 }
 //#endregion
 export { defineOAuthGitHubEventHandler };

package/dist/oauth/google.d.mts

@@ -1,4 +1,5 @@
 //#region src/oauth/google.d.ts
+/** Configuration for Google OAuth. */
 interface OAuthGoogleConfig {
   clientId?: string;
   clientSecret?: string;
@@ -9,6 +10,13 @@ interface OAuthGoogleConfig {
   authorizationParams?: Record<string, string>;
   redirectURL?: string;
 }
+interface GoogleTokens {
+  access_token: string;
+  id_token: string;
+  scope: string;
+  token_type: string;
+  expires_in: number;
+}
 interface GoogleUser {
   sub: string;
   name: string;
@@ -19,13 +27,18 @@ interface GoogleUser {
   email_verified: boolean;
   locale: string;
 }
-interface GoogleTokens {
-  access_token: string;
-  id_token: string;
-  scope: string;
-  token_type: string;
-  expires_in: number;
-}
+/**
+ * Define a Google OAuth event handler.
+ *
+ * @example
+ * ```ts
+ * const handle = defineOAuthGoogleEventHandler({
+ *   onSuccess: async ({ user }) =>
+ *     new Response(`Welcome ${user.name}!`),
+ * })
+ * serve(handle)
+ * ```
+ */
 declare function defineOAuthGoogleEventHandler(options: {
   config?: OAuthGoogleConfig;
   onSuccess: (event: {

package/dist/oauth/google.mjs

@@ -1,84 +1,74 @@
-import { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken } from "./index.mjs";
+import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
 //#region src/oauth/google.ts
-function resolveGoogleConfig(config) {
-	return {
-		authorizationURL: config.authorizationURL ?? "https://accounts.google.com/o/oauth2/v2/auth",
-		tokenURL: config.tokenURL ?? "https://oauth2.googleapis.com/token",
-		userInfoURL: config.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo",
-		clientId: config.clientId ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_ID ?? "",
-		clientSecret: config.clientSecret ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_SECRET ?? "",
-		scope: config.scope ?? [
-			"openid",
-			"email",
-			"profile"
-		],
-		authorizationParams: config.authorizationParams ?? {},
-		redirectURL: config.redirectURL
-	};
-}
-function defineOAuthGoogleEventHandler(options) {
-	const { config: userConfig = {}, onSuccess, onError } = options;
-	return async (request) => {
-		const config = resolveGoogleConfig(userConfig);
-		const url = new URL(request.url);
-		const queryCode = url.searchParams.get("code");
-		const queryError = url.searchParams.get("error");
-		const queryState = url.searchParams.get("state");
-		if (queryError) {
-			const err = /* @__PURE__ */ new Error(`Google login failed: ${queryError}`);
-			if (onError) return onError(err);
-			return new Response(JSON.stringify({ error: err.message }), {
-				status: 401,
-				headers: { "Content-Type": "application/json" }
-			});
-		}
-		if (!config.clientId || !config.clientSecret) {
-			const missing = [];
-			if (!config.clientId) missing.push("clientId");
-			if (!config.clientSecret) missing.push("clientSecret");
-			return handleMissingConfiguration("google", missing, onError);
+const googleProvider = {
+	name: "google",
+	resolveConfig(config) {
+		const c = config;
+		return {
+			authorizationURL: c.authorizationURL ?? "https://accounts.google.com/o/oauth2/v2/auth",
+			tokenURL: c.tokenURL ?? "https://oauth2.googleapis.com/token",
+			userInfoURL: c.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo",
+			clientId: c.clientId ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_ID ?? "",
+			clientSecret: c.clientSecret ?? process.env.PETA_OAUTH_GOOGLE_CLIENT_SECRET ?? "",
+			scope: c.scope ?? [
+				"openid",
+				"email",
+				"profile"
+			],
+			authorizationParams: c.authorizationParams ?? {},
+			redirectURL: c.redirectURL
+		};
+	},
+	buildAuthUrl(config, redirectURL, state, pkce) {
+		const c = config;
+		const authUrl = new URL(c.authorizationURL);
+		authUrl.searchParams.set("client_id", c.clientId);
+		authUrl.searchParams.set("redirect_uri", redirectURL);
+		authUrl.searchParams.set("scope", c.scope.join(" "));
+		authUrl.searchParams.set("response_type", "code");
+		authUrl.searchParams.set("state", state.state ?? "");
+		if (pkce.codeChallenge) {
+			authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
+			authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod ?? "S256");
 		}
-		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
-		const state = handleState(request);
-		const pkce = await handlePKCE(request);
-		if (!queryCode) {
-			const authUrl = new URL(config.authorizationURL);
-			authUrl.searchParams.set("client_id", config.clientId);
-			authUrl.searchParams.set("redirect_uri", redirectURL);
-			authUrl.searchParams.set("scope", config.scope.join(" "));
-			authUrl.searchParams.set("response_type", "code");
-			authUrl.searchParams.set("state", state.state ?? "");
-			if (pkce.codeChallenge) {
-				authUrl.searchParams.set("code_challenge", pkce.codeChallenge);
-				authUrl.searchParams.set("code_challenge_method", pkce.codeChallengeMethod ?? "S256");
-			}
-			for (const [k, v] of Object.entries(config.authorizationParams)) authUrl.searchParams.set(k, v);
-			const cookies = [state.setCookie, pkce.setCookie].filter(Boolean).join("; ");
-			return redirect(authUrl.toString(), cookies || void 0);
-		}
-		if (!queryState || queryState !== state.expectedState) return handleInvalidState("google", onError);
-		const tokens = await requestAccessToken(config.tokenURL, { body: {
+		for (const [key, value] of Object.entries(c.authorizationParams)) authUrl.searchParams.set(key, value);
+		const cookies = [state.setCookie, pkce.setCookie].filter(Boolean).join("; ");
+		return {
+			url: authUrl.toString(),
+			cookies: cookies || void 0
+		};
+	},
+	requestTokenBody(config, redirectURL, code, pkce) {
+		return {
 			grant_type: "authorization_code",
 			client_id: config.clientId,
 			client_secret: config.clientSecret,
 			redirect_uri: redirectURL,
-			code: queryCode,
-			code_verifier: pkce.codeVerifier
-		} });
-		const tokensRecord = tokens;
-		if (tokensRecord.error) return handleAccessTokenError("google", tokensRecord, onError);
-		const userResponse = await fetch(config.userInfoURL, { headers: { Authorization: `Bearer ${tokens.access_token}` } });
-		if (!userResponse.ok) {
-			const err = /* @__PURE__ */ new Error(`Google user fetch failed: ${userResponse.status}`);
-			if (onError) return onError(err);
-			throw err;
-		}
-		return onSuccess({
-			user: await userResponse.json(),
-			tokens,
-			request
-		});
-	};
+			code,
+			code_verifier: pkce.codeVerifier ?? ""
+		};
+	},
+	async fetchUser(config, tokens, _request) {
+		const userURL = config.userInfoURL ?? "https://www.googleapis.com/oauth2/v3/userinfo";
+		const userResponse = await fetch(userURL, { headers: { Authorization: `Bearer ${tokens.access_token}` } });
+		if (!userResponse.ok) throw new Error(`Google user fetch failed: ${userResponse.status}`);
+		return userResponse.json();
+	}
+};
+/**
+* Define a Google OAuth event handler.
+*
+* @example
+* ```ts
+* const handle = defineOAuthGoogleEventHandler({
+*   onSuccess: async ({ user }) =>
+*     new Response(`Welcome ${user.name}!`),
+* })
+* serve(handle)
+* ```
+*/
+function defineOAuthGoogleEventHandler(options) {
+	return defineOAuthHandler(googleProvider, options);
 }
 //#endregion
 export { defineOAuthGoogleEventHandler };

package/dist/session-0bF8_7Ui.d.mts

@@ -0,0 +1,53 @@
+import { t as Password } from "./crypto-DR-ETdLZ.mjs";
+import { SerializeOptions } from "cookie";
+
+//#region src/session.d.ts
+/** Options for creating a cookie session. */
+interface SessionOptions {
+  /** Password(s) used to encrypt the session cookie. */
+  password: Password;
+  /** Name of the cookie. */
+  cookieName: string;
+  /** Session lifetime in seconds (default 14 days). */
+  timeToLive?: number;
+  /** Extra cookie serialization options. */
+  cookieOptions?: Omit<SerializeOptions, "encode">;
+}
+/** A session instance returned by {@link createSessionFromAdapter}. */
+interface IronSession {
+  /** Persist the session to the response cookie. */
+  save(): Promise<void>;
+  /** Clear the session cookie. */
+  destroy(): void;
+  /** Update session config at runtime. */
+  updateConfig(options: SessionOptions): void;
+  /** Arbitrary session data keys. */
+  [key: string]: unknown;
+}
+/** An adapter between the framework and the session cookie store. */
+interface SessionAdapter {
+  /** Read a cookie by name from the incoming request. */
+  getCookie(name: string): string | undefined;
+  /** Set a cookie on the outgoing response. */
+  setCookie(cookie: string): void;
+}
+/**
+ * Create a session from a framework adapter.
+ *
+ * Reads the session cookie (if present), hydrates the data, and
+ * returns a session object with {@link IronSession.save},
+ * {@link IronSession.destroy}, and {@link IronSession.updateConfig}.
+ *
+ * @example
+ * ```ts
+ * const session = await createSessionFromAdapter(adapter, {
+ *   password: "my-32-char-password...",
+ *   cookieName: "my-session",
+ * })
+ * session.userId = 42
+ * await session.save()
+ * ```
+ */
+declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
+//#endregion
+export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };