peta-auth 0.1.2 → 0.2.0

package/dist/session-BGCQ1Z1Q.mjs

@@ -0,0 +1,87 @@
+import { n as sealData, r as unsealData, t as normalizePassword } from "./crypto-WcFV83Nz.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { serialize } from "cookie";
+//#region src/session.ts
+const TIMESTAMP_SKEW_SECONDS = 60;
+const DEFAULTS = {
+	timeToLive: 336 * 3600,
+	cookieOptions: {
+		httpOnly: true,
+		sameSite: "lax",
+		path: "/"
+	}
+};
+function computeMaxAge(timeToLive) {
+	if (timeToLive === 0) return 2147483647;
+	return timeToLive - TIMESTAMP_SKEW_SECONDS;
+}
+/** Check whether a session has any user data keys beyond the built-in methods. */
+function sessionHasData(session, key) {
+	if (key) return !!session[key];
+	return Object.keys(session).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig");
+}
+/** @internal */
+function resolveConfig(options) {
+	const timeToLive = options.timeToLive ?? DEFAULTS.timeToLive;
+	const cookieOptions = {
+		...DEFAULTS.cookieOptions,
+		secure: process.env.NODE_ENV !== "development",
+		...options.cookieOptions
+	};
+	if (!("maxAge" in (options.cookieOptions ?? {}))) cookieOptions.maxAge = computeMaxAge(timeToLive);
+	const passwordsMap = normalizePassword(options.password);
+	for (const secret of Object.values(passwordsMap)) if (secret.length < 32) throw new PetaAuthError("PASSWORD_TOO_SHORT", "peta-auth: password must be at least 32 characters");
+	return {
+		timeToLive,
+		cookieName: options.cookieName,
+		password: options.password,
+		cookieOptions
+	};
+}
+/**
+* Create a session from a framework adapter.
+*
+* Reads the session cookie (if present), hydrates the data, and
+* returns a session object with {@link IronSession.save},
+* {@link IronSession.destroy}, and {@link IronSession.updateConfig}.
+*
+* @example
+* ```ts
+* const session = await createSessionFromAdapter(adapter, {
+*   password: "my-32-char-password...",
+*   cookieName: "my-session",
+* })
+* session.userId = 42
+* await session.save()
+* ```
+*/
+async function createSessionFromAdapter(adapter, options) {
+	let config = resolveConfig(options);
+	const seal = adapter.getCookie(config.cookieName);
+	const session = seal ? await unsealData(seal, {
+		password: config.password,
+		ttl: config.timeToLive
+	}) : {};
+	session.save = async () => {
+		const s = await sealData(session, {
+			password: config.password,
+			ttl: config.timeToLive
+		});
+		const cookieValue = serialize(config.cookieName, s, config.cookieOptions);
+		if (cookieValue.length > 4096) throw new PetaAuthError("COOKIE_TOO_LARGE", `peta-auth: cookie too large (${cookieValue.length} bytes)`);
+		adapter.setCookie(cookieValue);
+	};
+	session.destroy = () => {
+		for (const key of Object.keys(session)) if (key !== "save" && key !== "destroy" && key !== "updateConfig") delete session[key];
+		adapter.setCookie(serialize(config.cookieName, "", {
+			...config.cookieOptions,
+			maxAge: 0
+		}));
+	};
+	session.updateConfig = (updatedOptions) => {
+		config = resolveConfig(updatedOptions);
+	};
+	return session;
+}
+//#endregion
+export { sessionHasData as n, createSessionFromAdapter as t };

package/dist/utils-CKT3C1Lq.mjs

@@ -0,0 +1,174 @@
+import { constantTimeEqual } from "./csrf.mjs";
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { parse, serialize } from "cookie";
+//#region src/oauth/utils.ts
+const IS_DEVELOPMENT = process.env.NODE_ENV === "development";
+const OAUTH_COOKIE_MAX_AGE = 600;
+function encodeBase64Url(input) {
+	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function getRandomBytes(size = 32) {
+	return crypto.getRandomValues(new Uint8Array(size));
+}
+function oauthCookieOptions(maxAge) {
+	return {
+		path: "/",
+		httpOnly: true,
+		sameSite: "lax",
+		secure: !IS_DEVELOPMENT,
+		maxAge
+	};
+}
+/**
+* Extract the OAuth redirect URL from a request.
+*/
+function getOAuthRedirectURL(request) {
+	const url = new URL(request.url);
+	return `${url.protocol}//${url.host}${url.pathname}`;
+}
+/**
+* Handle PKCE (Proof Key for Code Exchange) for OAuth flows.
+*
+* On the initial redirect leg it generates a code verifier + challenge.
+* On the callback leg it extracts the stored verifier from the cookie.
+*/
+async function handlePKCE(request) {
+	const code = new URL(request.url).searchParams.get("code");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
+	const verifier = encodeBase64Url(getRandomBytes(32));
+	const encoder = new TextEncoder();
+	return {
+		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
+		codeChallengeMethod: "S256",
+		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+/**
+* Handle OAuth state parameter for CSRF protection.
+*/
+function handleState(request) {
+	const queryState = new URL(request.url).searchParams.get("state");
+	const cookies = parse(request.headers.get("cookie") ?? "");
+	if (queryState) return {
+		state: queryState,
+		expectedState: cookies["peta-auth-state"]
+	};
+	const state = encodeBase64Url(getRandomBytes(8));
+	return {
+		state,
+		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+	};
+}
+/**
+* Exchange an authorization code for an access token.
+*/
+async function requestAccessToken(url, options) {
+	const headers = {
+		"Content-Type": "application/x-www-form-urlencoded",
+		...options.headers
+	};
+	const bodyParams = options.body ?? options.params ?? {};
+	const body = new URLSearchParams();
+	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
+	const response = await fetch(url, {
+		method: "POST",
+		headers,
+		body: body.toString()
+	});
+	if (!response.ok) {
+		if (response.status === 401) return response.json();
+		throw new PetaAuthError("OAUTH_TOKEN_FAILED", `OAuth token request failed: ${response.status} ${response.statusText}`);
+	}
+	return response.json();
+}
+/**
+* Create a 302 redirect response, optionally with a cookie.
+*/
+function redirect(url, cookie) {
+	const headers = new Headers({ Location: url });
+	if (cookie) headers.append("Set-Cookie", cookie);
+	return new Response(null, {
+		status: 302,
+		headers
+	});
+}
+/**
+* Create a JSON error response with the given status code.
+*/
+function jsonError(error, status) {
+	return new Response(JSON.stringify({ error: error.message }), {
+		status,
+		headers: { "Content-Type": "application/json" }
+	});
+}
+/**
+* Handle missing OAuth configuration.
+*/
+function handleMissingConfiguration(provider, missingKeys, onError) {
+	const envVars = missingKeys.map((key) => `PETA_OAUTH_${provider.toUpperCase()}_${key.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
+	const error = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
+	if (onError) return onError(error);
+	return jsonError(error, 500);
+}
+/**
+* Handle OAuth access token errors.
+*/
+function handleAccessTokenError(provider, errorData, onError) {
+	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
+	const error = new Error(message);
+	if (onError) return onError(error);
+	return jsonError(error, 401);
+}
+/**
+* Define an OAuth event handler using a provider-specific config.
+*
+* Handles the shared OAuth flow (redirect, callback, token exchange, user fetch)
+* while delegating provider-specific behavior to the config callbacks.
+*/
+function defineOAuthHandler(provider, options) {
+	const { config: userConfig = {}, onSuccess, onError } = options;
+	return async (request) => {
+		const config = provider.resolveConfig(userConfig);
+		const url = new URL(request.url);
+		const queryCode = url.searchParams.get("code");
+		const queryError = url.searchParams.get("error");
+		const queryState = url.searchParams.get("state");
+		if (queryError) {
+			const error = /* @__PURE__ */ new Error(`${provider.name} login failed: ${queryError}`);
+			if (onError) return onError(error);
+			return jsonError(error, 401);
+		}
+		if (!config.clientId || !config.clientSecret) {
+			const missing = [];
+			if (!config.clientId) missing.push("clientId");
+			if (!config.clientSecret) missing.push("clientSecret");
+			return handleMissingConfiguration(provider.name, missing, onError);
+		}
+		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
+		const state = handleState(request);
+		const pkce = await handlePKCE(request);
+		if (!queryCode) {
+			const { url: authUrl, cookies } = provider.buildAuthUrl(config, redirectURL, state, pkce);
+			return redirect(authUrl, cookies);
+		}
+		if (!queryState || !state.expectedState || !constantTimeEqual(queryState, state.expectedState)) return handleInvalidState(provider.name, onError);
+		const tokens = await requestAccessToken(config.tokenURL, { body: provider.requestTokenBody(config, redirectURL, queryCode, pkce) });
+		if (tokens.error) return handleAccessTokenError(provider.name, tokens, onError);
+		return onSuccess({
+			user: await provider.fetchUser(config, tokens, request),
+			tokens,
+			request
+		});
+	};
+}
+/**
+* Handle OAuth state mismatch.
+*/
+function handleInvalidState(provider, onError) {
+	const error = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
+	if (onError) return onError(error);
+	return jsonError(error, 500);
+}
+//#endregion
+export { defineOAuthHandler as t };

package/package.json

@@ -1,7 +1,12 @@
 {
   "name": "peta-auth",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "Encrypted cookie sessions for Bun — Hono, ElysiaJS & Nuxt adapters",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/zfadhli/peta-stack.git"
+  },
   "type": "module",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.mts",
@@ -51,9 +56,9 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "bcryptjs": "^3.0.3",
-    "cookie": "^1.0.2",
-    "iron-webcrypto": "^1.2.1",
+    "@node-rs/argon2": "^2.0.2",
+    "cookie": "^1.1.1",
+    "iron-webcrypto": "^2.0.0",
     "jose": "^6.2.3"
   },
   "peerDependencies": {
@@ -74,9 +79,8 @@
     }
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.16",
-    "@types/bcryptjs": "^3.0.0",
-    "@types/bun": "latest",
+    "@biomejs/biome": "^2.5.0",
+    "@types/bun": "^1.3.14",
     "elysia": "latest",
     "h3": "latest",
     "hono": "latest",

package/dist/crypto-Ln_Mj_zp.d.mts

@@ -1,19 +0,0 @@
-//#region src/crypto.d.ts
-type PasswordsMap = Record<string, string>;
-type Password = PasswordsMap | string;
-declare const sealData: (data: unknown, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<string>;
-declare const unsealData: <T>(seal: string, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<T>;
-//#endregion
-export { sealData as n, unsealData as r, Password as t };

package/dist/oauth/index.d.mts

@@ -1,25 +0,0 @@
-//#region src/oauth/index.d.ts
-declare function getOAuthRedirectURL(request: Request): string;
-declare function handlePKCE(request: Request): Promise<{
-  codeChallenge?: string;
-  codeChallengeMethod?: string;
-  codeVerifier?: string;
-  setCookie?: string;
-}>;
-declare function handleState(request: Request): {
-  state?: string;
-  expectedState?: string;
-  setCookie?: string;
-};
-interface RequestAccessTokenOptions {
-  body?: Record<string, string | undefined>;
-  params?: Record<string, string | undefined>;
-  headers?: Record<string, string>;
-}
-declare function requestAccessToken<T = unknown>(url: string, options: RequestAccessTokenOptions): Promise<T>;
-declare function redirect(url: string, cookie?: string): Response;
-declare function handleMissingConfiguration(provider: string, missingKeys: string[], onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-declare function handleAccessTokenError(provider: string, errorData: Record<string, string>, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-declare function handleInvalidState(provider: string, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-//#endregion
-export { RequestAccessTokenOptions, getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/oauth/index.mjs

@@ -1,103 +0,0 @@
-import { parse, serialize } from "cookie";
-//#region src/oauth/index.ts
-const isDevelopment = process.env.NODE_ENV === "development";
-const OAUTH_COOKIE_MAX_AGE = 600;
-function encodeBase64Url(input) {
-	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function getRandomBytes(size = 32) {
-	return crypto.getRandomValues(new Uint8Array(size));
-}
-function oauthCookieOptions(maxAge) {
-	return {
-		path: "/",
-		httpOnly: true,
-		sameSite: "lax",
-		secure: !isDevelopment,
-		maxAge
-	};
-}
-function getOAuthRedirectURL(request) {
-	const url = new URL(request.url);
-	return `${url.protocol}//${url.host}${url.pathname}`;
-}
-async function handlePKCE(request) {
-	const code = new URL(request.url).searchParams.get("code");
-	const cookies = parse(request.headers.get("cookie") ?? "");
-	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
-	const verifier = encodeBase64Url(getRandomBytes(32));
-	const encoder = new TextEncoder();
-	return {
-		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
-		codeChallengeMethod: "S256",
-		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
-	};
-}
-function handleState(request) {
-	const queryState = new URL(request.url).searchParams.get("state");
-	const cookies = parse(request.headers.get("cookie") ?? "");
-	if (queryState) return {
-		state: queryState,
-		expectedState: cookies["peta-auth-state"]
-	};
-	const state = encodeBase64Url(getRandomBytes(8));
-	return {
-		state,
-		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
-	};
-}
-async function requestAccessToken(url, options) {
-	const headers = {
-		"Content-Type": "application/x-www-form-urlencoded",
-		...options.headers
-	};
-	const bodyParams = options.body ?? options.params ?? {};
-	const body = new URLSearchParams();
-	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
-	const response = await fetch(url, {
-		method: "POST",
-		headers,
-		body: body.toString()
-	});
-	if (!response.ok) {
-		if (response.status === 401) return response.json();
-		throw new Error(`OAuth token request failed: ${response.status} ${response.statusText}`);
-	}
-	return response.json();
-}
-function redirect(url, cookie) {
-	const headers = new Headers({ Location: url });
-	if (cookie) headers.append("Set-Cookie", cookie);
-	return new Response(null, {
-		status: 302,
-		headers
-	});
-}
-function handleMissingConfiguration(provider, missingKeys, onError) {
-	const envVars = missingKeys.map((k) => `PETA_OAUTH_${provider.toUpperCase()}_${k.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
-	const err = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 500,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-function handleAccessTokenError(provider, errorData, onError) {
-	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
-	const err = new Error(message);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 401,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-function handleInvalidState(provider, onError) {
-	const err = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 500,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-//#endregion
-export { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/session-DSwf3XPH.mjs

@@ -1,119 +0,0 @@
-import { defaults, seal, unseal } from "iron-webcrypto";
-import { serialize } from "cookie";
-//#region src/crypto.ts
-const fourteenDays = 336 * 3600;
-const currentMajorVersion = 2;
-const versionDelimiter = "~";
-function normalizePassword(password) {
-	return typeof password === "string" ? { 1: password } : password;
-}
-function parseSeal(seal) {
-	const idx = seal.lastIndexOf(versionDelimiter);
-	if (idx === -1) return {
-		sealWithoutVersion: seal,
-		tokenVersion: null
-	};
-	return {
-		sealWithoutVersion: seal.slice(0, idx),
-		tokenVersion: parseInt(seal.slice(idx + 1), 10) || null
-	};
-}
-function createSealData(webcrypto) {
-	return async function sealData(data, { password, ttl = fourteenDays }) {
-		const map = normalizePassword(password);
-		const id = Math.max(...Object.keys(map).map(Number)).toString();
-		const pw = map[id];
-		return `${await seal(webcrypto, data, {
-			id,
-			secret: pw
-		}, {
-			...defaults,
-			ttl: ttl * 1e3
-		})}${versionDelimiter}${currentMajorVersion}`;
-	};
-}
-function createUnsealData(webcrypto) {
-	return async function unsealData(seal, { password, ttl = fourteenDays }) {
-		const map = normalizePassword(password);
-		const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
-		try {
-			const data = await unseal(webcrypto, sealWithoutVersion, map, {
-				...defaults,
-				ttl: ttl * 1e3
-			}) ?? {};
-			if (tokenVersion === 2) return data;
-			const d = data;
-			return { ...d.persistent ? d.persistent : {} };
-		} catch (err) {
-			if (err instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(err.message)) return {};
-			throw err;
-		}
-	};
-}
-function getCrypto() {
-	return globalThis.crypto;
-}
-const sealData = createSealData(getCrypto());
-const unsealData = createUnsealData(getCrypto());
-//#endregion
-//#region src/session.ts
-const timestampSkewSec = 60;
-const defaults$1 = {
-	ttl: 336 * 3600,
-	cookieOptions: {
-		httpOnly: true,
-		secure: true,
-		sameSite: "lax",
-		path: "/"
-	}
-};
-function computeMaxAge(ttl) {
-	if (ttl === 0) return 2147483647;
-	return ttl - timestampSkewSec;
-}
-function resolveConfig(opts) {
-	const ttl = opts.ttl ?? defaults$1.ttl;
-	const cookieOptions = {
-		...defaults$1.cookieOptions,
-		...opts.cookieOptions
-	};
-	if (!("maxAge" in (opts.cookieOptions ?? {}))) cookieOptions.maxAge = computeMaxAge(ttl);
-	const passwordsMap = typeof opts.password === "string" ? { 1: opts.password } : opts.password;
-	for (const pw of Object.values(passwordsMap)) if (pw.length < 32) throw new Error("peta-auth: password must be at least 32 characters");
-	return {
-		ttl,
-		cookieName: opts.cookieName,
-		password: opts.password,
-		cookieOptions
-	};
-}
-async function createSessionFromAdapter(adapter, options) {
-	let config = resolveConfig(options);
-	const seal = adapter.getCookie(config.cookieName);
-	const session = seal ? await unsealData(seal, {
-		password: config.password,
-		ttl: config.ttl
-	}) : {};
-	session.save = async () => {
-		const s = await sealData(session, {
-			password: config.password,
-			ttl: config.ttl
-		});
-		const cookieValue = serialize(config.cookieName, s, config.cookieOptions);
-		if (cookieValue.length > 4096) throw new Error(`peta-auth: cookie too large (${cookieValue.length} bytes)`);
-		adapter.setCookie(cookieValue);
-	};
-	session.destroy = () => {
-		for (const key of Object.keys(session)) if (key !== "save" && key !== "destroy" && key !== "updateConfig") delete session[key];
-		adapter.setCookie(serialize(config.cookieName, "", {
-			...config.cookieOptions,
-			maxAge: 0
-		}));
-	};
-	session.updateConfig = (opts) => {
-		config = resolveConfig(opts);
-	};
-	return session;
-}
-//#endregion
-export { sealData as n, unsealData as r, createSessionFromAdapter as t };

package/dist/session-z20gaFVT.d.mts

@@ -1,23 +0,0 @@
-import { t as Password } from "./crypto-Ln_Mj_zp.mjs";
-import { SerializeOptions } from "cookie";
-
-//#region src/session.d.ts
-interface SessionOptions {
-  password: Password;
-  cookieName: string;
-  ttl?: number;
-  cookieOptions?: Omit<SerializeOptions, 'encode'>;
-}
-interface IronSession {
-  save(): Promise<void>;
-  destroy(): void;
-  updateConfig(options: SessionOptions): void;
-  [key: string]: unknown;
-}
-interface SessionAdapter {
-  getCookie(name: string): string | undefined;
-  setCookie(cookie: string): void;
-}
-declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
-//#endregion
-export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };