peta-auth 0.1.3 → 0.2.1

package/package.json

@@ -1,7 +1,12 @@
 {
   "name": "peta-auth",
-  "version": "0.1.3",
+  "version": "0.2.1",
   "description": "Encrypted cookie sessions for Bun — Hono, ElysiaJS & Nuxt adapters",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/zfadhli/peta-stack.git"
+  },
   "type": "module",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.mts",
@@ -51,9 +56,9 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "bcryptjs": "^3.0.3",
-    "cookie": "^1.0.2",
-    "iron-webcrypto": "^1.2.1",
+    "@node-rs/argon2": "^2.0.2",
+    "cookie": "^1.1.1",
+    "iron-webcrypto": "^2.0.0",
     "jose": "^6.2.3"
   },
   "peerDependencies": {
@@ -74,9 +79,8 @@
     }
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.16",
-    "@types/bcryptjs": "^3.0.0",
-    "@types/bun": "latest",
+    "@biomejs/biome": "^2.5.0",
+    "@types/bun": "^1.3.14",
     "elysia": "latest",
     "h3": "latest",
     "hono": "latest",

package/dist/crypto-Ln_Mj_zp.d.mts

@@ -1,19 +0,0 @@
-//#region src/crypto.d.ts
-type PasswordsMap = Record<string, string>;
-type Password = PasswordsMap | string;
-declare const sealData: (data: unknown, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<string>;
-declare const unsealData: <T>(seal: string, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<T>;
-//#endregion
-export { sealData as n, unsealData as r, Password as t };

package/dist/oauth/index.d.mts

@@ -1,25 +0,0 @@
-//#region src/oauth/index.d.ts
-declare function getOAuthRedirectURL(request: Request): string;
-declare function handlePKCE(request: Request): Promise<{
-  codeChallenge?: string;
-  codeChallengeMethod?: string;
-  codeVerifier?: string;
-  setCookie?: string;
-}>;
-declare function handleState(request: Request): {
-  state?: string;
-  expectedState?: string;
-  setCookie?: string;
-};
-interface RequestAccessTokenOptions {
-  body?: Record<string, string | undefined>;
-  params?: Record<string, string | undefined>;
-  headers?: Record<string, string>;
-}
-declare function requestAccessToken<T = unknown>(url: string, options: RequestAccessTokenOptions): Promise<T>;
-declare function redirect(url: string, cookie?: string): Response;
-declare function handleMissingConfiguration(provider: string, missingKeys: string[], onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-declare function handleAccessTokenError(provider: string, errorData: Record<string, string>, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-declare function handleInvalidState(provider: string, onError?: (err: Error) => Response | Promise<Response>): Response | Promise<Response>;
-//#endregion
-export { RequestAccessTokenOptions, getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/oauth/index.mjs

@@ -1,103 +0,0 @@
-import { parse, serialize } from "cookie";
-//#region src/oauth/index.ts
-const isDevelopment = process.env.NODE_ENV === "development";
-const OAUTH_COOKIE_MAX_AGE = 600;
-function encodeBase64Url(input) {
-	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function getRandomBytes(size = 32) {
-	return crypto.getRandomValues(new Uint8Array(size));
-}
-function oauthCookieOptions(maxAge) {
-	return {
-		path: "/",
-		httpOnly: true,
-		sameSite: "lax",
-		secure: !isDevelopment,
-		maxAge
-	};
-}
-function getOAuthRedirectURL(request) {
-	const url = new URL(request.url);
-	return `${url.protocol}//${url.host}${url.pathname}`;
-}
-async function handlePKCE(request) {
-	const code = new URL(request.url).searchParams.get("code");
-	const cookies = parse(request.headers.get("cookie") ?? "");
-	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
-	const verifier = encodeBase64Url(getRandomBytes(32));
-	const encoder = new TextEncoder();
-	return {
-		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
-		codeChallengeMethod: "S256",
-		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
-	};
-}
-function handleState(request) {
-	const queryState = new URL(request.url).searchParams.get("state");
-	const cookies = parse(request.headers.get("cookie") ?? "");
-	if (queryState) return {
-		state: queryState,
-		expectedState: cookies["peta-auth-state"]
-	};
-	const state = encodeBase64Url(getRandomBytes(8));
-	return {
-		state,
-		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
-	};
-}
-async function requestAccessToken(url, options) {
-	const headers = {
-		"Content-Type": "application/x-www-form-urlencoded",
-		...options.headers
-	};
-	const bodyParams = options.body ?? options.params ?? {};
-	const body = new URLSearchParams();
-	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
-	const response = await fetch(url, {
-		method: "POST",
-		headers,
-		body: body.toString()
-	});
-	if (!response.ok) {
-		if (response.status === 401) return response.json();
-		throw new Error(`OAuth token request failed: ${response.status} ${response.statusText}`);
-	}
-	return response.json();
-}
-function redirect(url, cookie) {
-	const headers = new Headers({ Location: url });
-	if (cookie) headers.append("Set-Cookie", cookie);
-	return new Response(null, {
-		status: 302,
-		headers
-	});
-}
-function handleMissingConfiguration(provider, missingKeys, onError) {
-	const envVars = missingKeys.map((k) => `PETA_OAUTH_${provider.toUpperCase()}_${k.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
-	const err = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 500,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-function handleAccessTokenError(provider, errorData, onError) {
-	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
-	const err = new Error(message);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 401,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-function handleInvalidState(provider, onError) {
-	const err = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
-	if (onError) return onError(err);
-	return new Response(JSON.stringify({ error: err.message }), {
-		status: 500,
-		headers: { "Content-Type": "application/json" }
-	});
-}
-//#endregion
-export { getOAuthRedirectURL, handleAccessTokenError, handleInvalidState, handleMissingConfiguration, handlePKCE, handleState, redirect, requestAccessToken };

package/dist/session-DSwf3XPH.mjs

@@ -1,119 +0,0 @@
-import { defaults, seal, unseal } from "iron-webcrypto";
-import { serialize } from "cookie";
-//#region src/crypto.ts
-const fourteenDays = 336 * 3600;
-const currentMajorVersion = 2;
-const versionDelimiter = "~";
-function normalizePassword(password) {
-	return typeof password === "string" ? { 1: password } : password;
-}
-function parseSeal(seal) {
-	const idx = seal.lastIndexOf(versionDelimiter);
-	if (idx === -1) return {
-		sealWithoutVersion: seal,
-		tokenVersion: null
-	};
-	return {
-		sealWithoutVersion: seal.slice(0, idx),
-		tokenVersion: parseInt(seal.slice(idx + 1), 10) || null
-	};
-}
-function createSealData(webcrypto) {
-	return async function sealData(data, { password, ttl = fourteenDays }) {
-		const map = normalizePassword(password);
-		const id = Math.max(...Object.keys(map).map(Number)).toString();
-		const pw = map[id];
-		return `${await seal(webcrypto, data, {
-			id,
-			secret: pw
-		}, {
-			...defaults,
-			ttl: ttl * 1e3
-		})}${versionDelimiter}${currentMajorVersion}`;
-	};
-}
-function createUnsealData(webcrypto) {
-	return async function unsealData(seal, { password, ttl = fourteenDays }) {
-		const map = normalizePassword(password);
-		const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
-		try {
-			const data = await unseal(webcrypto, sealWithoutVersion, map, {
-				...defaults,
-				ttl: ttl * 1e3
-			}) ?? {};
-			if (tokenVersion === 2) return data;
-			const d = data;
-			return { ...d.persistent ? d.persistent : {} };
-		} catch (err) {
-			if (err instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(err.message)) return {};
-			throw err;
-		}
-	};
-}
-function getCrypto() {
-	return globalThis.crypto;
-}
-const sealData = createSealData(getCrypto());
-const unsealData = createUnsealData(getCrypto());
-//#endregion
-//#region src/session.ts
-const timestampSkewSec = 60;
-const defaults$1 = {
-	ttl: 336 * 3600,
-	cookieOptions: {
-		httpOnly: true,
-		secure: true,
-		sameSite: "lax",
-		path: "/"
-	}
-};
-function computeMaxAge(ttl) {
-	if (ttl === 0) return 2147483647;
-	return ttl - timestampSkewSec;
-}
-function resolveConfig(opts) {
-	const ttl = opts.ttl ?? defaults$1.ttl;
-	const cookieOptions = {
-		...defaults$1.cookieOptions,
-		...opts.cookieOptions
-	};
-	if (!("maxAge" in (opts.cookieOptions ?? {}))) cookieOptions.maxAge = computeMaxAge(ttl);
-	const passwordsMap = typeof opts.password === "string" ? { 1: opts.password } : opts.password;
-	for (const pw of Object.values(passwordsMap)) if (pw.length < 32) throw new Error("peta-auth: password must be at least 32 characters");
-	return {
-		ttl,
-		cookieName: opts.cookieName,
-		password: opts.password,
-		cookieOptions
-	};
-}
-async function createSessionFromAdapter(adapter, options) {
-	let config = resolveConfig(options);
-	const seal = adapter.getCookie(config.cookieName);
-	const session = seal ? await unsealData(seal, {
-		password: config.password,
-		ttl: config.ttl
-	}) : {};
-	session.save = async () => {
-		const s = await sealData(session, {
-			password: config.password,
-			ttl: config.ttl
-		});
-		const cookieValue = serialize(config.cookieName, s, config.cookieOptions);
-		if (cookieValue.length > 4096) throw new Error(`peta-auth: cookie too large (${cookieValue.length} bytes)`);
-		adapter.setCookie(cookieValue);
-	};
-	session.destroy = () => {
-		for (const key of Object.keys(session)) if (key !== "save" && key !== "destroy" && key !== "updateConfig") delete session[key];
-		adapter.setCookie(serialize(config.cookieName, "", {
-			...config.cookieOptions,
-			maxAge: 0
-		}));
-	};
-	session.updateConfig = (opts) => {
-		config = resolveConfig(opts);
-	};
-	return session;
-}
-//#endregion
-export { sealData as n, unsealData as r, createSessionFromAdapter as t };

package/dist/session-z20gaFVT.d.mts

@@ -1,23 +0,0 @@
-import { t as Password } from "./crypto-Ln_Mj_zp.mjs";
-import { SerializeOptions } from "cookie";
-
-//#region src/session.d.ts
-interface SessionOptions {
-  password: Password;
-  cookieName: string;
-  ttl?: number;
-  cookieOptions?: Omit<SerializeOptions, 'encode'>;
-}
-interface IronSession {
-  save(): Promise<void>;
-  destroy(): void;
-  updateConfig(options: SessionOptions): void;
-  [key: string]: unknown;
-}
-interface SessionAdapter {
-  getCookie(name: string): string | undefined;
-  setCookie(cookie: string): void;
-}
-declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
-//#endregion
-export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };