peta-auth 0.2.3 → 0.3.0

package/dist/{crypto-DR-ETdLZ.d.mts → crypto-BPawHril.d.mts}

@@ -9,13 +9,13 @@ type Password = string | Record<string, string>;
  * const sealed = await sealData({ userId: 1 }, { password: "my-secret-key" })
  * ```
  */
-declare const sealData: (data: unknown, {
+declare function sealData(data: unknown, {
   password,
   ttl
 }: {
   password: Password;
   ttl?: number;
-}) => Promise<string>;
+}): Promise<string>;
 /**
  * Unseal data previously sealed with {@link sealData}.
  *
@@ -24,12 +24,12 @@ declare const sealData: (data: unknown, {
  * const data = await unsealData<{ userId: number }>(sealed, { password: "my-secret-key" })
  * ```
  */
-declare const unsealData: <T>(seal: string, {
+declare function unsealData<T>(seal: string, {
   password,
   ttl
 }: {
   password: Password;
   ttl?: number;
-}) => Promise<T>;
+}): Promise<T>;
 //#endregion
 export { sealData as n, unsealData as r, Password as t };

package/dist/crypto-Bwut3uFR.mjs

@@ -0,0 +1,54 @@
+import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { defaults, seal, unseal } from "iron-webcrypto";
+//#region src/crypto.ts
+const SEVEN_DAYS = 336 * 3600;
+function normalizePassword(password) {
+	return typeof password === "string" ? { 1: password } : password;
+}
+/**
+* Seal arbitrary data with a password (uses iron-webcrypto).
+*
+* @example
+* ```ts
+* const sealed = await sealData({ userId: 1 }, { password: "my-secret-key" })
+* ```
+*/
+async function sealData(data, { password, ttl = SEVEN_DAYS }) {
+	const map = normalizePassword(password);
+	const id = Math.max(...Object.keys(map).map(Number)).toString();
+	const secret = map[id];
+	if (secret.length < 32) throw new PetaAuthError("PASSWORD_TOO_SHORT", "peta-auth: password must be at least 32 characters");
+	return await seal(data, {
+		id,
+		secret
+	}, {
+		...defaults,
+		ttl: ttl * 1e3,
+		encode: JSON.stringify,
+		decode: JSON.parse
+	});
+}
+/**
+* Unseal data previously sealed with {@link sealData}.
+*
+* @example
+* ```ts
+* const data = await unsealData<{ userId: number }>(sealed, { password: "my-secret-key" })
+* ```
+*/
+async function unsealData(seal, { password, ttl = SEVEN_DAYS }) {
+	const map = normalizePassword(password);
+	try {
+		return await unseal(seal, map, {
+			...defaults,
+			ttl: ttl * 1e3,
+			encode: JSON.stringify,
+			decode: JSON.parse
+		});
+	} catch (err) {
+		if (err instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(err.message)) return {};
+		throw err;
+	}
+}
+//#endregion
+export { sealData as n, unsealData as r, normalizePassword as t };

package/dist/csrf.d.mts

@@ -1,4 +1,4 @@
-import { t as IronSession } from "./session-0bF8_7Ui.mjs";
+import { t as IronSession } from "./session-CrAg3ZdE.mjs";
 
 //#region src/csrf.d.ts
 /** Options for CSRF token generation / validation. */
@@ -21,7 +21,7 @@ declare function constantTimeEqual(a: string, b: string): boolean;
  * // send `token` to the client via form field or header
  * ```
  */
-declare function generateCsrf(session: IronSession, options?: CSRFOptions): Promise<string>;
+declare function generateCsrf(session: IronSession<Record<string, unknown>>, options?: CSRFOptions): Promise<string>;
 /**
  * Validate a CSRF token against the value stored in the session.
  *
@@ -34,6 +34,6 @@ declare function generateCsrf(session: IronSession, options?: CSRFOptions): Prom
  * }
  * ```
  */
-declare function validateCsrf(session: IronSession, token: string, options?: CSRFOptions): boolean;
+declare function validateCsrf(session: IronSession<Record<string, unknown>>, token: string, options?: CSRFOptions): boolean;
 //#endregion
 export { CSRFOptions, constantTimeEqual, generateCsrf, validateCsrf };

package/dist/elysia.d.mts

@@ -1,4 +1,4 @@
-import { r as SessionOptions, t as IronSession } from "./session-0bF8_7Ui.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-CrAg3ZdE.mjs";
 import { Elysia } from "elysia";
 
 //#region src/elysia.d.ts
@@ -28,13 +28,13 @@ declare function session<T extends Record<string, unknown> = Record<string, unkn
   response: {};
 }, {}, {
   derive: {
-    readonly session: T & IronSession;
+    readonly session: IronSession<T>;
   };
   resolve: {};
   schema: {};
   standaloneSchema: {};
   response: import("elysia").ExtractErrorFromHandle<{
-    readonly session: T & IronSession;
+    readonly session: IronSession<T>;
   }>;
 }, {
   derive: {};

package/dist/elysia.mjs

@@ -1,4 +1,4 @@
-import { n as sessionHasData, t as createSessionFromAdapter } from "./session-BGCQ1Z1Q.mjs";
+import { n as sessionHasData, t as createSessionFromAdapter } from "./session-C1USm4OA.mjs";
 import { parse } from "cookie";
 import { Elysia } from "elysia";
 //#region src/elysia.ts
@@ -23,13 +23,16 @@ function session(options) {
 	});
 }
 function requireSession(key) {
-	return (app) => app.onBeforeHandle((context) => {
-		const session = context.session;
-		if (!sessionHasData(session, key)) return new Response(JSON.stringify({ error: "unauthorized" }), {
-			status: 401,
-			headers: { "Content-Type": "application/json" }
+	return (app) => {
+		app.onBeforeHandle((context) => {
+			const session = context.session;
+			if (!sessionHasData(session, key)) return new Response(JSON.stringify({ error: "unauthorized" }), {
+				status: 401,
+				headers: { "Content-Type": "application/json" }
+			});
 		});
-	});
+		return app;
+	};
 }
 //#endregion
 export { requireSession, session };

package/dist/hono.d.mts

@@ -1,4 +1,4 @@
-import { r as SessionOptions, t as IronSession } from "./session-0bF8_7Ui.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-CrAg3ZdE.mjs";
 import { MiddlewareHandler } from "hono";
 
 //#region src/hono.d.ts
@@ -14,7 +14,7 @@ import { MiddlewareHandler } from "hono";
  */
 declare function session<T extends Record<string, unknown> = Record<string, unknown>>(options: SessionOptions): MiddlewareHandler<{
   Variables: {
-    session: T & IronSession;
+    session: IronSession<T>;
   };
 }>;
 /**

package/dist/hono.mjs

@@ -1,4 +1,4 @@
-import { n as sessionHasData, t as createSessionFromAdapter } from "./session-BGCQ1Z1Q.mjs";
+import { n as sessionHasData, t as createSessionFromAdapter } from "./session-C1USm4OA.mjs";
 import { parse } from "cookie";
 import { createMiddleware } from "hono/factory";
 //#region src/hono.ts

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { n as sealData, r as unsealData, t as Password } from "./crypto-DR-ETdLZ.mjs";
-import { i as createSessionFromAdapter, n as SessionAdapter, r as SessionOptions, t as IronSession } from "./session-0bF8_7Ui.mjs";
+import { n as sealData, r as unsealData, t as Password } from "./crypto-BPawHril.mjs";
+import { i as createSessionFromAdapter, n as SessionAdapter, r as SessionOptions, t as IronSession } from "./session-CrAg3ZdE.mjs";
 import { CSRFOptions, generateCsrf, validateCsrf } from "./csrf.mjs";
 import { JWTOptions, signJWT, verifyJWT } from "./jwt.mjs";
 
@@ -16,14 +16,6 @@ declare class PetaAuthError extends Error {
 }
 //#endregion
 //#region src/password.d.ts
-interface HashOptions {
-  /** Memory cost in KiB (default: 19456 = 19 MiB). */
-  memoryCost?: number;
-  /** Time cost (iterations) (default: 2). */
-  timeCost?: number;
-  /** Parallelism (default: 1). */
-  parallelism?: number;
-}
 /**
  * Hash a password with argon2id.
  *
@@ -32,7 +24,11 @@ interface HashOptions {
  * const hash = await hashPassword("my-password")
  * ```
  */
-declare function hashPassword(password: string, options?: HashOptions): Promise<string>;
+declare function hashPassword(password: string, options?: {
+  memoryCost?: number;
+  timeCost?: number;
+  parallelism?: number;
+}): Promise<string>;
 /**
  * Verify a password against an argon2id hash.
  *

package/dist/index.mjs

@@ -1,8 +1,8 @@
-import { n as sealData, r as unsealData } from "./crypto-WcFV83Nz.mjs";
-import { generateCsrf, validateCsrf } from "./csrf.mjs";
 import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { n as sealData, r as unsealData } from "./crypto-Bwut3uFR.mjs";
+import { generateCsrf, validateCsrf } from "./csrf.mjs";
 import { signJWT, verifyJWT } from "./jwt.mjs";
-import { t as createSessionFromAdapter } from "./session-BGCQ1Z1Q.mjs";
+import { t as createSessionFromAdapter } from "./session-C1USm4OA.mjs";
 import { hash, verify } from "@node-rs/argon2";
 //#region src/password.ts
 const ARGON2_MEMORY_COST = 19456;

package/dist/jwt.d.mts

@@ -1,4 +1,4 @@
-import { t as Password } from "./crypto-DR-ETdLZ.mjs";
+import { t as Password } from "./crypto-BPawHril.mjs";
 
 //#region src/jwt.d.ts
 /** Options for JWT sign / verify operations. */

package/dist/jwt.mjs

@@ -1,10 +1,6 @@
-import { t as normalizePassword } from "./crypto-WcFV83Nz.mjs";
 import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
-import * as jose from "jose";
+import { t as normalizePassword } from "./crypto-Bwut3uFR.mjs";
 //#region src/jwt.ts
-function toKey(secret) {
-	return new TextEncoder().encode(secret);
-}
 /**
 * Sign a JWT payload.
 *
@@ -17,10 +13,24 @@ async function signJWT(payload, options) {
 	const map = normalizePassword(options.password);
 	const secret = map[Math.max(...Object.keys(map).map(Number)).toString()];
 	if (!secret || secret.length < 32) throw new PetaAuthError("JWT_PASSWORD_TOO_SHORT", "peta-auth/jwt: password must be at least 32 characters");
-	const jwt = new jose.SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt();
+	const header = {
+		alg: "HS256",
+		typ: "JWT"
+	};
+	const now = Math.floor(Date.now() / 1e3);
 	const ttl = options.expiresIn ?? 86400;
-	jwt.setExpirationTime(Math.floor(Date.now() / 1e3) + ttl);
-	return jwt.sign(toKey(secret));
+	const claims = {
+		...payload,
+		iat: now,
+		exp: now + ttl
+	};
+	const toSign = `${Buffer.from(JSON.stringify(header)).toString("base64url")}.${Buffer.from(JSON.stringify(claims)).toString("base64url")}`;
+	const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(toSign));
+	return `${toSign}.${Buffer.from(sig).toString("base64url")}`;
 }
 /**
 * Verify and decode a JWT.
@@ -33,16 +43,34 @@ async function signJWT(payload, options) {
 * ```
 */
 async function verifyJWT(token, options) {
-	let result = null;
+	let headerB64, payloadB64, sigB64;
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		[headerB64, payloadB64, sigB64] = parts;
+		if (JSON.parse(Buffer.from(headerB64, "base64url").toString()).alg !== "HS256") return null;
+	} catch {
+		return null;
+	}
 	const passwords = normalizePassword(options.password);
+	const toSign = `${headerB64}.${payloadB64}`;
+	const sig = Buffer.from(sigB64, "base64url");
+	const data = new TextEncoder().encode(toSign);
 	for (const secret of Object.values(passwords)) {
 		if (!secret) continue;
 		try {
-			const { payload } = await jose.jwtVerify(token, toKey(secret));
-			if (!result) result = payload;
+			const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), {
+				name: "HMAC",
+				hash: "SHA-256"
+			}, false, ["verify"]);
+			if (!await crypto.subtle.verify("HMAC", key, sig, data)) continue;
+			const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+			const exp = payload?.exp;
+			if (exp !== void 0 && exp < Math.floor(Date.now() / 1e3)) continue;
+			return payload;
 		} catch {}
 	}
-	return result;
+	return null;
 }
 //#endregion
 export { signJWT, verifyJWT };

package/dist/nuxt.d.mts

@@ -1,4 +1,4 @@
-import { r as SessionOptions, t as IronSession } from "./session-0bF8_7Ui.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-CrAg3ZdE.mjs";
 import { H3Event } from "h3";
 
 //#region src/nuxt.d.ts
@@ -13,7 +13,7 @@ import { H3Event } from "h3";
  * await session.save()
  * ```
  */
-declare function useSession<T extends Record<string, unknown> = Record<string, unknown>>(event: H3Event, options: SessionOptions): Promise<T & IronSession>;
+declare function useSession<T extends Record<string, unknown> = Record<string, unknown>>(event: H3Event, options: SessionOptions): Promise<IronSession<T>>;
 /**
  * Guard that requires session data.
  *
@@ -26,7 +26,7 @@ declare function useSession<T extends Record<string, unknown> = Record<string, u
  * requireSession(event, session, "role") // require specific key
  * ```
  */
-declare function requireSession(event: H3Event, session: IronSession): void;
-declare function requireSession<K extends string>(event: H3Event, session: IronSession, key: K): void;
+declare function requireSession(event: H3Event, session: IronSession<Record<string, unknown>>): void;
+declare function requireSession<K extends string>(event: H3Event, session: IronSession<Record<string, unknown>>, key: K): void;
 //#endregion
 export { requireSession, useSession };

package/dist/nuxt.mjs

@@ -1,5 +1,5 @@
 import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
-import { n as sessionHasData, t as createSessionFromAdapter } from "./session-BGCQ1Z1Q.mjs";
+import { n as sessionHasData, t as createSessionFromAdapter } from "./session-C1USm4OA.mjs";
 import { appendHeader, createError, getCookie } from "h3";
 //#region src/nuxt.ts
 /**

package/dist/oauth/github.mjs

@@ -1,4 +1,4 @@
-import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
+import { t as defineOAuthHandler } from "../utils-CJhYJE0C.mjs";
 //#region src/oauth/github.ts
 const githubProvider = {
 	name: "github",
@@ -18,11 +18,12 @@ const githubProvider = {
 	},
 	buildAuthUrl(config, redirectURL, state, _pkce) {
 		const c = config;
-		if (c.emailRequired && !c.scope.includes("user:email")) c.scope.push("user:email");
+		let scope = c.scope;
+		if (c.emailRequired && !scope.includes("user:email")) scope = [...c.scope, "user:email"];
 		const authUrl = new URL(c.authorizationURL);
 		authUrl.searchParams.set("client_id", c.clientId);
 		authUrl.searchParams.set("redirect_uri", redirectURL);
-		authUrl.searchParams.set("scope", c.scope.join(" "));
+		authUrl.searchParams.set("scope", scope.join(" "));
 		authUrl.searchParams.set("state", state.state ?? "");
 		for (const [key, value] of Object.entries(c.authorizationParams)) authUrl.searchParams.set(key, value);
 		return {

package/dist/oauth/google.mjs

@@ -1,4 +1,4 @@
-import { t as defineOAuthHandler } from "../utils-CKT3C1Lq.mjs";
+import { t as defineOAuthHandler } from "../utils-CJhYJE0C.mjs";
 //#region src/oauth/google.ts
 const googleProvider = {
 	name: "google",

package/dist/{session-BGCQ1Z1Q.mjs → session-C1USm4OA.mjs}

@@ -1,5 +1,5 @@
-import { n as sealData, r as unsealData, t as normalizePassword } from "./crypto-WcFV83Nz.mjs";
 import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { n as sealData, r as unsealData, t as normalizePassword } from "./crypto-Bwut3uFR.mjs";
 import { serialize } from "cookie";
 //#region src/session.ts
 const TIMESTAMP_SKEW_SECONDS = 60;

package/dist/{session-0bF8_7Ui.d.mts → session-CrAg3ZdE.d.mts}

@@ -1,4 +1,4 @@
-import { t as Password } from "./crypto-DR-ETdLZ.mjs";
+import { t as Password } from "./crypto-BPawHril.mjs";
 import { SerializeOptions } from "cookie";
 
 //#region src/session.d.ts
@@ -13,17 +13,12 @@ interface SessionOptions {
   /** Extra cookie serialization options. */
   cookieOptions?: Omit<SerializeOptions, "encode">;
 }
-/** A session instance returned by {@link createSessionFromAdapter}. */
-interface IronSession {
-  /** Persist the session to the response cookie. */
+interface SessionMethods {
   save(): Promise<void>;
-  /** Clear the session cookie. */
   destroy(): void;
-  /** Update session config at runtime. */
   updateConfig(options: SessionOptions): void;
-  /** Arbitrary session data keys. */
-  [key: string]: unknown;
 }
+type IronSession<T extends Record<string, unknown> = Record<string, unknown>> = T & SessionMethods;
 /** An adapter between the framework and the session cookie store. */
 interface SessionAdapter {
   /** Read a cookie by name from the incoming request. */
@@ -48,6 +43,6 @@ interface SessionAdapter {
  * await session.save()
  * ```
  */
-declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
+declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<IronSession<T>>;
 //#endregion
 export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };

package/dist/{utils-CKT3C1Lq.mjs → utils-CJhYJE0C.mjs}

@@ -1,24 +1,9 @@
-import { constantTimeEqual } from "./csrf.mjs";
 import { t as PetaAuthError } from "./errors-DxJ-WUJL.mjs";
+import { constantTimeEqual } from "./csrf.mjs";
 import { parse, serialize } from "cookie";
 //#region src/oauth/utils.ts
 const IS_DEVELOPMENT = process.env.NODE_ENV === "development";
 const OAUTH_COOKIE_MAX_AGE = 600;
-function encodeBase64Url(input) {
-	return btoa(String.fromCharCode(...input)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function getRandomBytes(size = 32) {
-	return crypto.getRandomValues(new Uint8Array(size));
-}
-function oauthCookieOptions(maxAge) {
-	return {
-		path: "/",
-		httpOnly: true,
-		sameSite: "lax",
-		secure: !IS_DEVELOPMENT,
-		maxAge
-	};
-}
 /**
 * Extract the OAuth redirect URL from a request.
 */
@@ -36,12 +21,20 @@ async function handlePKCE(request) {
 	const code = new URL(request.url).searchParams.get("code");
 	const cookies = parse(request.headers.get("cookie") ?? "");
 	if (code) return { codeVerifier: cookies["peta-auth-pkce"] };
-	const verifier = encodeBase64Url(getRandomBytes(32));
+	const verifierBytes = crypto.getRandomValues(/* @__PURE__ */ new Uint8Array(32));
+	const verifier = Buffer.from(verifierBytes).toString("base64url");
 	const encoder = new TextEncoder();
+	const hash = new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)));
 	return {
-		codeChallenge: encodeBase64Url(new Uint8Array(await crypto.subtle.digest("SHA-256", encoder.encode(verifier)))),
+		codeChallenge: Buffer.from(hash).toString("base64url"),
 		codeChallengeMethod: "S256",
-		setCookie: serialize("peta-auth-pkce", verifier, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+		setCookie: serialize("peta-auth-pkce", verifier, {
+			path: "/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: !IS_DEVELOPMENT,
+			maxAge: OAUTH_COOKIE_MAX_AGE
+		})
 	};
 }
 /**
@@ -54,10 +47,17 @@ function handleState(request) {
 		state: queryState,
 		expectedState: cookies["peta-auth-state"]
 	};
-	const state = encodeBase64Url(getRandomBytes(8));
+	const stateBytes = crypto.getRandomValues(/* @__PURE__ */ new Uint8Array(8));
+	const state = Buffer.from(stateBytes).toString("base64url");
 	return {
 		state,
-		setCookie: serialize("peta-auth-state", state, oauthCookieOptions(OAUTH_COOKIE_MAX_AGE))
+		setCookie: serialize("peta-auth-state", state, {
+			path: "/",
+			httpOnly: true,
+			sameSite: "strict",
+			secure: !IS_DEVELOPMENT,
+			maxAge: OAUTH_COOKIE_MAX_AGE
+		})
 	};
 }
 /**
@@ -68,7 +68,7 @@ async function requestAccessToken(url, options) {
 		"Content-Type": "application/x-www-form-urlencoded",
 		...options.headers
 	};
-	const bodyParams = options.body ?? options.params ?? {};
+	const bodyParams = options.body ?? {};
 	const body = new URLSearchParams();
 	for (const [key, value] of Object.entries(bodyParams)) if (value !== void 0) body.append(key, value);
 	const response = await fetch(url, {
@@ -103,24 +103,6 @@ function jsonError(error, status) {
 	});
 }
 /**
-* Handle missing OAuth configuration.
-*/
-function handleMissingConfiguration(provider, missingKeys, onError) {
-	const envVars = missingKeys.map((key) => `PETA_OAUTH_${provider.toUpperCase()}_${key.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
-	const error = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missingKeys.length > 1 ? "variables" : "variable"}.`);
-	if (onError) return onError(error);
-	return jsonError(error, 500);
-}
-/**
-* Handle OAuth access token errors.
-*/
-function handleAccessTokenError(provider, errorData, onError) {
-	const message = `${provider} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
-	const error = new Error(message);
-	if (onError) return onError(error);
-	return jsonError(error, 401);
-}
-/**
 * Define an OAuth event handler using a provider-specific config.
 *
 * Handles the shared OAuth flow (redirect, callback, token exchange, user fetch)
@@ -143,7 +125,10 @@ function defineOAuthHandler(provider, options) {
 			const missing = [];
 			if (!config.clientId) missing.push("clientId");
 			if (!config.clientSecret) missing.push("clientSecret");
-			return handleMissingConfiguration(provider.name, missing, onError);
+			const envVars = missing.map((key) => `PETA_OAUTH_${provider.name.toUpperCase()}_${key.replace(/([A-Z])/g, "_$1").toUpperCase()}`);
+			const err = /* @__PURE__ */ new Error(`Missing ${envVars.join(" or ")} env ${missing.length > 1 ? "variables" : "variable"}.`);
+			if (onError) return onError(err);
+			return jsonError(err, 500);
 		}
 		const redirectURL = config.redirectURL || getOAuthRedirectURL(request);
 		const state = handleState(request);
@@ -152,9 +137,19 @@ function defineOAuthHandler(provider, options) {
 			const { url: authUrl, cookies } = provider.buildAuthUrl(config, redirectURL, state, pkce);
 			return redirect(authUrl, cookies);
 		}
-		if (!queryState || !state.expectedState || !constantTimeEqual(queryState, state.expectedState)) return handleInvalidState(provider.name, onError);
+		if (!queryState || !state.expectedState || !constantTimeEqual(queryState, state.expectedState)) {
+			const err = /* @__PURE__ */ new Error(`${provider.name} login failed: state mismatch`);
+			if (onError) return onError(err);
+			return jsonError(err, 500);
+		}
 		const tokens = await requestAccessToken(config.tokenURL, { body: provider.requestTokenBody(config, redirectURL, queryCode, pkce) });
-		if (tokens.error) return handleAccessTokenError(provider.name, tokens, onError);
+		if (tokens.error) {
+			const errorData = tokens;
+			const message = `${provider.name} login failed: ${errorData.error_description || errorData.error || "Unknown error"}`;
+			const err = new Error(message);
+			if (onError) return onError(err);
+			return jsonError(err, 401);
+		}
 		return onSuccess({
 			user: await provider.fetchUser(config, tokens, request),
 			tokens,
@@ -162,13 +157,5 @@ function defineOAuthHandler(provider, options) {
 		});
 	};
 }
-/**
-* Handle OAuth state mismatch.
-*/
-function handleInvalidState(provider, onError) {
-	const error = /* @__PURE__ */ new Error(`${provider} login failed: state mismatch`);
-	if (onError) return onError(error);
-	return jsonError(error, 500);
-}
 //#endregion
 export { defineOAuthHandler as t };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "peta-auth",
   "private": false,
-  "version": "0.2.3",
+  "version": "0.3.0",
   "description": "Encrypted cookie sessions for Bun — Hono, ElysiaJS & Nuxt adapters",
   "license": "MIT",
   "repository": {
@@ -54,7 +54,6 @@
   "scripts": {
     "build": "tsdown",
     "lint": "biome check --write .",
-    "lint:ci": "biome ci .",
     "prepublishOnly": "bun run build",
     "test": "bun test",
     "typecheck": "tsc --noEmit"
@@ -62,8 +61,7 @@
   "dependencies": {
     "@node-rs/argon2": "^2.0.2",
     "cookie": "^1.1.1",
-    "iron-webcrypto": "^2.0.0",
-    "jose": "^6.2.3"
+    "iron-webcrypto": "^2.0.0"
   },
   "peerDependencies": {
     "elysia": ">=1.0.0",

package/dist/crypto-WcFV83Nz.mjs

@@ -1,84 +0,0 @@
-import { defaults, seal, unseal } from "iron-webcrypto";
-//#region src/crypto.ts
-const SEVEN_DAYS = 336 * 3600;
-const CURRENT_MAJOR_VERSION = 2;
-const VERSION_DELIMITER = "~";
-function normalizePassword(password) {
-	return typeof password === "string" ? { 1: password } : password;
-}
-function parseSeal(seal) {
-	const index = seal.lastIndexOf(VERSION_DELIMITER);
-	if (index === -1) return {
-		sealWithoutVersion: seal,
-		tokenVersion: null
-	};
-	return {
-		sealWithoutVersion: seal.slice(0, index),
-		tokenVersion: parseInt(seal.slice(index + 1), 10) || null
-	};
-}
-/**
-* Create a `sealData` function.
-*
-* @internal
-*/
-function createSealData() {
-	return async function sealData(data, { password, ttl = SEVEN_DAYS }) {
-		const map = normalizePassword(password);
-		const id = Math.max(...Object.keys(map).map(Number)).toString();
-		const secret = map[id];
-		return `${await seal(data, {
-			id,
-			secret
-		}, {
-			...defaults,
-			ttl: ttl * 1e3,
-			encode: JSON.stringify,
-			decode: JSON.parse
-		})}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;
-	};
-}
-/**
-* Create an `unsealData` function.
-*
-* @internal
-*/
-function createUnsealData() {
-	return async function unsealData(seal, { password, ttl = SEVEN_DAYS }) {
-		const map = normalizePassword(password);
-		const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
-		try {
-			const data = await unseal(sealWithoutVersion, map, {
-				...defaults,
-				ttl: ttl * 1e3,
-				encode: JSON.stringify,
-				decode: JSON.parse
-			});
-			if (tokenVersion === 2) return data;
-			return { ...data?.persistent ? { ...data.persistent } : {} };
-		} catch (err) {
-			if (err instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(err.message)) return {};
-			throw err;
-		}
-	};
-}
-/**
-* Seal arbitrary data with a password (uses iron-webcrypto).
-*
-* @example
-* ```ts
-* const sealed = await sealData({ userId: 1 }, { password: "my-secret-key" })
-* ```
-*/
-const sealData = createSealData();
-/**
-* Unseal data previously sealed with {@link sealData}.
-*
-* @example
-* ```ts
-* const data = await unsealData<{ userId: number }>(sealed, { password: "my-secret-key" })
-* ```
-*/
-const unsealData = createUnsealData();
-//#endregion
-export { sealData as n, unsealData as r, normalizePassword as t };