sst 3.0.1-9 → 3.0.2

package/dist/auth/adapter/adapter.d.ts

@@ -0,0 +1,24 @@
+/// <reference types="node" resolution-mode="require"/>
+import type { Context, Hono } from "hono";
+import { KeyLike } from "jose";
+export type Adapter<Properties = any> = (route: AdapterRoute, options: AdapterOptions<Properties>) => void;
+export type AdapterRoute = Hono;
+export interface AdapterOptions<Properties> {
+    name: string;
+    algorithm: string;
+    encryption: {
+        publicKey: Promise<KeyLike>;
+        privateKey: Promise<KeyLike>;
+    };
+    signing: {
+        publicKey: Promise<KeyLike>;
+        privateKey: Promise<KeyLike>;
+    };
+    success: (ctx: Context, properties: Properties) => Promise<Response>;
+    forward: (ctx: Context, response: Response) => Response;
+    cookie: (ctx: Context, key: string, value: string, maxAge: number) => void;
+}
+export declare class AdapterError extends Error {
+}
+export declare class AdapterUnknownError extends AdapterError {
+}

package/dist/auth/adapter/adapter.js

@@ -0,0 +1,4 @@
+export class AdapterError extends Error {
+}
+export class AdapterUnknownError extends AdapterError {
+}

package/dist/auth/adapter/apple.d.ts

@@ -0,0 +1,5 @@
+import { OauthBasicConfig } from "./oauth.js";
+export declare const AppleAdapter: (config: OauthBasicConfig) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<void>;

package/dist/auth/adapter/apple.js

@@ -0,0 +1,22 @@
+import { Issuer } from "openid-client";
+import { OauthAdapter } from "./oauth.js";
+// This adapter support the OAuth flow with the response_mode "form_post" for now.
+// More details about the flow:
+// https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_oauth2_authentication_user-enrollment_flow
+//
+// Also note that Apple's discover uri does not work for the OAuth flow, as the
+// userinfo_endpoint are not included in the response.
+// await Issuer.discover("https://appleid.apple.com/.well-known/openid-configuration/");
+const issuer = await Issuer.discover("https://appleid.apple.com/.well-known/openid-configuration");
+export const AppleAdapter = 
+/* @__PURE__ */
+(config) => {
+    return OauthAdapter({
+        issuer,
+        ...config,
+        params: {
+            ...config.params,
+            response_mode: "form_post",
+        },
+    });
+};

package/dist/auth/adapter/code.d.ts

@@ -0,0 +1,8 @@
+/// <reference types="node" resolution-mode="require"/>
+export declare function CodeAdapter(config: {
+    length?: number;
+    onCodeRequest: (code: string, claims: Record<string, any>, req: Request) => Promise<Response>;
+    onCodeInvalid: (code: string, claims: Record<string, any>, req: Request) => Promise<Response>;
+}): (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    claims: Record<string, string>;
+}>) => void;

package/dist/auth/adapter/code.js

@@ -0,0 +1,49 @@
+import * as jose from "jose";
+import { deleteCookie, getCookie } from "hono/cookie";
+import { UnknownStateError } from "../index.js";
+export function CodeAdapter(config) {
+    const length = config.length || 6;
+    function generate() {
+        const buffer = crypto.getRandomValues(new Uint8Array(length));
+        const otp = Array.from(buffer)
+            .map((byte) => byte % 10)
+            .join("");
+        return otp;
+    }
+    return function (routes, ctx) {
+        routes.get("/authorize", async (c) => {
+            const code = generate();
+            const claims = c.req.query();
+            delete claims["client_id"];
+            delete claims["redirect_uri"];
+            delete claims["response_type"];
+            delete claims["provider"];
+            const authorization = await new jose.CompactEncrypt(new TextEncoder().encode(JSON.stringify({
+                claims,
+                code,
+            })))
+                .setProtectedHeader({ alg: "RSA-OAEP-512", enc: "A256GCM" })
+                .encrypt(await ctx.encryption.publicKey);
+            ctx.cookie(c, "authorization", authorization, 60 * 10);
+            return ctx.forward(c, await config.onCodeRequest(code, claims, c.req.raw));
+        });
+        routes.get("/callback", async (c) => {
+            const authorization = getCookie(c, "authorization");
+            if (!authorization)
+                throw new UnknownStateError();
+            const { code, claims } = JSON.parse(new TextDecoder().decode(await jose
+                .compactDecrypt(authorization, await ctx.encryption.privateKey)
+                .then((value) => value.plaintext)));
+            if (!code || !claims) {
+                return ctx.forward(c, await config.onCodeInvalid(code, claims, c.req.raw));
+            }
+            const compare = c.req.query("code");
+            console.log("comparing", code, "to", compare);
+            if (code !== compare) {
+                return ctx.forward(c, await config.onCodeInvalid(code, claims, c.req.raw));
+            }
+            deleteCookie(c, "authorization");
+            return ctx.forward(c, await ctx.success(c, { claims }));
+        });
+    };
+}

package/dist/auth/adapter/facebook.d.ts

@@ -0,0 +1,5 @@
+import { OauthBasicConfig } from "./oauth.js";
+export declare const FacebookAdapter: (config: OauthBasicConfig) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<void>;

package/dist/auth/adapter/facebook.js

@@ -0,0 +1,27 @@
+import { Issuer } from "openid-client";
+import { OauthAdapter } from "./oauth.js";
+// Facebook's OIDC flow returns "id_token" as uri hash in redirect uri. Hashes
+// are not passed to Lambda event object. It is likely that Facebook only wants
+// to support redirecting to a frontend uri.
+//
+// We are only going to support the OAuth flow for now. More details about the flow:
+// https://developers.facebook.com/docs/facebook-login/guides/advanced/oidc-token
+//
+// Also note that Facebook's discover uri does not work for the OAuth flow, as the
+// token_endpoint and userinfo_endpoint are not included in the response.
+// await Issuer.discover("https://www.facebook.com/.well-known/openid-configuration/");
+const issuer = new Issuer({
+    issuer: "https://www.facebook.com",
+    authorization_endpoint: "https://facebook.com/dialog/oauth/",
+    jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/",
+    token_endpoint: "https://graph.facebook.com/oauth/access_token",
+    userinfo_endpoint: "https://graph.facebook.com/oauth/access_token",
+});
+export const FacebookAdapter = 
+/* @__PURE__ */
+(config) => {
+    return OauthAdapter({
+        issuer,
+        ...config,
+    });
+};

package/dist/auth/adapter/github.d.ts

@@ -0,0 +1,12 @@
+import { OauthBasicConfig } from "./oauth.js";
+import { OidcBasicConfig } from "./oidc.js";
+type Config = ({
+    mode: "oauth";
+} & OauthBasicConfig) | ({
+    mode: "oidc";
+} & OidcBasicConfig);
+export declare const GithubAdapter: (config: Config) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<void>;
+export {};

package/dist/auth/adapter/github.js

@@ -0,0 +1,23 @@
+import { Issuer } from "openid-client";
+import { OauthAdapter } from "./oauth.js";
+import { OidcAdapter } from "./oidc.js";
+const issuer = new Issuer({
+    issuer: "https://github.com",
+    authorization_endpoint: "https://github.com/login/oauth/authorize",
+    token_endpoint: "https://github.com/login/oauth/access_token",
+});
+export const GithubAdapter = 
+/* @__PURE__ */
+(config) => {
+    if (config.mode === "oauth") {
+        return OauthAdapter({
+            issuer,
+            ...config,
+        });
+    }
+    return OidcAdapter({
+        issuer,
+        scope: "openid email profile",
+        ...config,
+    });
+};

package/dist/auth/adapter/google.d.ts

@@ -0,0 +1,17 @@
+import { OidcBasicConfig } from "./oidc.js";
+import { OauthBasicConfig } from "./oauth.js";
+type GooglePrompt = "none" | "consent" | "select_account";
+type GoogleAccessType = "offline" | "online";
+type GoogleConfig = (OauthBasicConfig & {
+    mode: "oauth";
+    prompt?: GooglePrompt;
+    accessType?: GoogleAccessType;
+}) | (OidcBasicConfig & {
+    mode: "oidc";
+    prompt?: GooglePrompt;
+});
+export declare function GoogleAdapter(config: GoogleConfig): (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<void>;
+export {};

package/dist/auth/adapter/google.js

@@ -0,0 +1,22 @@
+import { Issuer } from "openid-client";
+import { OidcAdapter } from "./oidc.js";
+import { OauthAdapter } from "./oauth.js";
+const issuer = await Issuer.discover("https://accounts.google.com");
+export function GoogleAdapter(config) {
+    /* @__PURE__ */
+    if (config.mode === "oauth") {
+        return OauthAdapter({
+            issuer,
+            ...config,
+            params: {
+                ...(config.accessType && { access_type: config.accessType }),
+                ...config.params,
+            },
+        });
+    }
+    return OidcAdapter({
+        issuer,
+        scope: "openid email profile",
+        ...config,
+    });
+}

package/dist/auth/adapter/link.d.ts

@@ -0,0 +1,6 @@
+/// <reference types="node" resolution-mode="require"/>
+export declare function LinkAdapter(config: {
+    onLink: (link: string, claims: Record<string, any>) => Promise<Response>;
+}): (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    claims: Record<string, string>;
+}>) => void;

package/dist/auth/adapter/link.js

@@ -0,0 +1,27 @@
+import * as jose from "jose";
+export function LinkAdapter(config) {
+    return function (routes, ctx) {
+        routes.get("/authorize", async (c) => {
+            const token = await new jose.SignJWT(c.req.query())
+                .setProtectedHeader({ alg: ctx.algorithm })
+                .setExpirationTime("10m")
+                .sign(await ctx.signing.privateKey);
+            const url = new URL(new URL(c.req.url).origin);
+            url.pathname = `/${ctx.name}/callback`;
+            for (const key of url.searchParams.keys()) {
+                url.searchParams.delete(key);
+            }
+            url.searchParams.set("token", token);
+            const resp = ctx.forward(c, await config.onLink(url.toString(), c.req.query()));
+            return resp;
+        });
+        routes.get("/callback", async (c) => {
+            const token = c.req.query("token");
+            if (!token)
+                throw new Error("Missing token parameter");
+            const verified = await jose.jwtVerify(token, await ctx.signing.publicKey);
+            const resp = await ctx.success(c, { claims: verified.payload });
+            return resp;
+        });
+    };
+}

package/dist/auth/adapter/microsoft.d.ts

@@ -0,0 +1,11 @@
+import { OidcBasicConfig } from "./oidc.js";
+type MicrosoftConfig = OidcBasicConfig & {
+    mode: "oidc";
+    prompt?: "login" | "none" | "consent" | "select_account";
+    tenantID?: string;
+};
+export declare function MicrosoftAdapter(config: MicrosoftConfig): (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<never>;
+export {};

package/dist/auth/adapter/microsoft.js

@@ -0,0 +1,16 @@
+import { Issuer } from "openid-client";
+import { OidcAdapter } from "./oidc.js";
+export function MicrosoftAdapter(config) {
+    const authority = config?.tenantID ?? "common";
+    const issuer = `https://login.microsoftonline.com/${authority}`;
+    return OidcAdapter({
+        issuer: new Issuer({
+            issuer: `${issuer}/v2.0`,
+            authorization_endpoint: `${issuer}/oauth2/v2.0/authorize`,
+            token_endpoint: `${issuer}/oauth2/v2.0/token`,
+            jwks_uri: `${issuer}/discovery/v2.0/keys`,
+        }),
+        scope: "openid email profile",
+        ...config,
+    });
+}

package/dist/auth/adapter/oauth.d.ts

@@ -0,0 +1,33 @@
+import { BaseClient, Issuer, TokenSet } from "openid-client";
+import { AdapterError } from "./adapter.js";
+export interface OauthBasicConfig {
+    /**
+     * The clientID provided by the third party oauth service
+     */
+    clientID: string;
+    /**
+     * The clientSecret provided by the third party oauth service
+     */
+    clientSecret: string;
+    /**
+     * Various scopes requested for the access token
+     */
+    scope: string;
+    /**
+     * Determines whether users will be prompted for reauthentication and consent
+     */
+    prompt?: string;
+    /**
+     * Additional parameters to be passed to the authorization endpoint
+     */
+    params?: Record<string, string>;
+}
+export interface OauthConfig extends OauthBasicConfig {
+    issuer: Issuer;
+}
+export declare class OauthError extends AdapterError {
+}
+export declare const OauthAdapter: (config: OauthConfig) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: TokenSet;
+    client: BaseClient;
+}>) => Promise<void>;

package/dist/auth/adapter/oauth.js

@@ -0,0 +1,79 @@
+import { generators } from "openid-client";
+import { AdapterError } from "./adapter.js";
+import { getCookie } from "hono/cookie";
+export class OauthError extends AdapterError {
+}
+export const OauthAdapter = 
+/* @__PURE__ */
+(config) => {
+    return async function (routes, ctx) {
+        function getClient(c) {
+            const callback = c.req.url.replace(/authorize$/, "callback");
+            return [
+                callback,
+                new config.issuer.Client({
+                    client_id: config.clientID,
+                    client_secret: config.clientSecret,
+                    redirect_uris: [callback],
+                    response_types: ["code"],
+                }),
+            ];
+        }
+        routes.get("/authorize", async (c) => {
+            const [_, client] = getClient(c);
+            const code_verifier = generators.codeVerifier();
+            const state = generators.state();
+            const code_challenge = generators.codeChallenge(code_verifier);
+            const url = client.authorizationUrl({
+                scope: config.scope,
+                code_challenge: code_challenge,
+                code_challenge_method: "S256",
+                state,
+                prompt: config.prompt,
+                ...config.params,
+            });
+            ctx.cookie(c, "auth_code_verifier", code_verifier, 60 * 10);
+            ctx.cookie(c, "auth_state", state, 60 * 10);
+            return c.redirect(url);
+        });
+        routes.get("/callback", async (c) => {
+            const [callback, client] = getClient(c);
+            const query = c.req.query();
+            if (query.error) {
+                throw new OauthError(query.error);
+            }
+            const code_verifier = getCookie(c, "auth_code_verifier");
+            const state = getCookie(c, "auth_state");
+            const tokenset = await client[config.issuer.metadata.userinfo_endpoint
+                ? "callback"
+                : "oauthCallback"](callback, query, {
+                code_verifier,
+                state,
+            });
+            return ctx.success(c, {
+                client,
+                tokenset,
+            });
+        });
+        // response_mode=form_post
+        routes.get("/callback", async (c) => {
+            const [callback, client] = getClient(c);
+            const form = await c.req.formData();
+            if (form.get("error")) {
+                throw new OauthError(form.get("error").toString());
+            }
+            const code_verifier = getCookie(c, "auth_code_verifier");
+            const state = getCookie(c, "auth_state");
+            const tokenset = await client[config.issuer.metadata.userinfo_endpoint
+                ? "callback"
+                : "oauthCallback"](callback, Object.fromEntries(form), {
+                code_verifier,
+                state,
+            });
+            return ctx.success(c, {
+                client,
+                tokenset,
+            });
+        });
+    };
+};

package/dist/auth/adapter/oidc.d.ts

@@ -0,0 +1,19 @@
+import { BaseClient, Issuer, TokenSet } from "openid-client";
+export interface OidcBasicConfig {
+    /**
+     * The clientID provided by the third party oauth service
+     */
+    clientID: string;
+    /**
+     * Determines whether users will be prompted for reauthentication and consent
+     */
+    prompt?: string;
+}
+export interface OidcConfig extends OidcBasicConfig {
+    issuer: Issuer;
+    scope: string;
+}
+export declare const OidcAdapter: (config: OidcConfig) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: TokenSet;
+    client: BaseClient;
+}>) => Promise<never>;

package/dist/auth/adapter/oidc.js

@@ -0,0 +1,46 @@
+import { generators } from "openid-client";
+import { getCookie } from "hono/cookie";
+export const OidcAdapter = /* @__PURE__ */ (config) => {
+    return async function (routes, ctx) {
+        routes.get("/authorize", async (c) => {
+            const callback = c.req.url.replace(/authorize$/, "callback");
+            const client = new config.issuer.Client({
+                client_id: config.clientID,
+                redirect_uris: [callback],
+                response_types: ["id_token"],
+            });
+            const nonce = generators.nonce();
+            const state = generators.state();
+            const url = client.authorizationUrl({
+                scope: config.scope,
+                response_mode: "form_post",
+                nonce,
+                state,
+                prompt: config.prompt,
+            });
+            ctx.cookie(c, "auth_nonce", nonce, 60 * 10);
+            ctx.cookie(c, "auth_state", state, 60 * 10);
+            return c.redirect(url);
+        });
+        routes.post("/callback", async (c) => {
+            const callback = c.req.url.replace(/authorize$/, "callback");
+            const client = new config.issuer.Client({
+                client_id: config.clientID,
+                redirect_uris: [callback],
+                response_types: ["id_token"],
+            });
+            const form = await c.req.formData();
+            const nonce = getCookie(c, "auth_nonce");
+            const state = getCookie(c, "auth_state");
+            const tokenset = await client.callback(callback, Object.fromEntries(form), {
+                nonce,
+                state,
+            });
+            return ctx.success(c, {
+                tokenset,
+                client,
+            });
+        });
+        throw new Error("Invalid auth request");
+    };
+};

package/dist/auth/adapter/spotify.d.ts

@@ -0,0 +1,12 @@
+import { OauthBasicConfig } from "./oauth.js";
+/**
+ * The Spotify Adapter follows the PKCE flow outlined here:
+ * https://developer.spotify.com/documentation/web-api/tutorials/code-pkce-flow
+ *
+ * List of scopes available:
+ * https://developer.spotify.com/documentation/web-api/concepts/scopes
+ */
+export declare const SpotifyAdapter: (config: OauthBasicConfig) => (routes: import("./adapter.js").AdapterRoute, ctx: import("./adapter.js").AdapterOptions<{
+    tokenset: import("openid-client").TokenSet;
+    client: import("openid-client").BaseClient;
+}>) => Promise<void>;

package/dist/auth/adapter/spotify.js

@@ -0,0 +1,22 @@
+import { Issuer } from "openid-client";
+import { OauthAdapter } from "./oauth.js";
+const issuer = new Issuer({
+    issuer: "https://accounts.spotify.com",
+    authorization_endpoint: "https://accounts.spotify.com/authorize",
+    token_endpoint: "https://accounts.spotify.com/api/token",
+});
+/**
+ * The Spotify Adapter follows the PKCE flow outlined here:
+ * https://developer.spotify.com/documentation/web-api/tutorials/code-pkce-flow
+ *
+ * List of scopes available:
+ * https://developer.spotify.com/documentation/web-api/concepts/scopes
+ */
+export const SpotifyAdapter = 
+/* @__PURE__ */
+(config) => {
+    return OauthAdapter({
+        issuer,
+        ...config,
+    });
+};

package/dist/auth/example/bun.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("hono/tiny").Hono<import("hono").Env, import("hono/types").BlankSchema, "/">;
+export default _default;

package/dist/auth/example/bun.js

@@ -0,0 +1,46 @@
+import { AuthHandler } from "../handler.js";
+import { LinkAdapter } from "../adapter/link.js";
+import { createSessionBuilder } from "../session.js";
+import { CodeAdapter } from "../index.js";
+const sessions = createSessionBuilder();
+export default AuthHandler({
+    providers: {
+        link: LinkAdapter({
+            async onLink(link, claims) {
+                return new Response(link, {
+                    status: 200,
+                    headers: { "Content-Type": "text/plain" },
+                });
+            },
+        }),
+        code: CodeAdapter({
+            onCodeRequest: async (code, claims) => {
+                return new Response("Your code is " + code, {
+                    status: 200,
+                    headers: { "Content-Type": "text/plain" },
+                });
+            },
+            onCodeInvalid: async (code, claims) => {
+                return new Response("Code is invalid " + code, {
+                    status: 200,
+                    headers: { "Content-Type": "text/plain" },
+                });
+            },
+        }),
+    },
+    callbacks: {
+        auth: {
+            async allowClient(input) {
+                return true;
+            },
+            async success(ctx, input) {
+                return ctx.session({
+                    type: "user",
+                    properties: {
+                        email: input.claims.email,
+                    },
+                });
+            },
+        },
+    },
+});

package/dist/auth/handler.d.ts

@@ -0,0 +1,57 @@
+/// <reference types="node" resolution-mode="require"/>
+import { Adapter } from "./adapter/adapter.js";
+import * as jose from "jose";
+import { SessionBuilder } from "./session.js";
+import { Hono } from "hono/tiny";
+interface OnSuccessResponder<T extends {
+    type: any;
+    properties: any;
+}> {
+    session(input: T & jose.JWTPayload): Promise<Response>;
+}
+export declare class UnknownProviderError extends Error {
+    provider?: string | undefined;
+    constructor(provider?: string | undefined);
+}
+export declare class MissingParameterError extends Error {
+    parameter: string;
+    constructor(parameter: string);
+}
+export declare class UnknownStateError extends Error {
+    constructor();
+}
+export declare class UnauthorizedClientError extends Error {
+    client: string;
+    redirect_uri: string;
+    constructor(client: string, redirect_uri: string);
+}
+export declare class InvalidSessionError extends Error {
+    constructor();
+}
+export type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+export declare function AuthHandler<Providers extends Record<string, Adapter<any>>, Sessions extends SessionBuilder = SessionBuilder, Result = {
+    [key in keyof Providers]: Prettify<{
+        provider: key;
+    } & (Providers[key] extends Adapter<infer T> ? T : {})>;
+}[keyof Providers]>(input: {
+    session?: Sessions;
+    providers: Providers;
+    callbacks: {
+        index?(req: Request): Promise<Response>;
+        error?(error: UnknownStateError, req: Request): Promise<Response | undefined>;
+        auth: {
+            error?(error: MissingParameterError | UnauthorizedClientError | UnknownProviderError, req: Request): Promise<Response>;
+            start?(event: Request): Promise<void>;
+            allowClient(clientID: string, redirect: string, req: Request): Promise<boolean>;
+            success(response: OnSuccessResponder<Sessions["$typeValues"]>, input: Result, req: Request): Promise<Response>;
+        };
+        connect?: {
+            error?(error: InvalidSessionError | UnknownProviderError, req: Request): Promise<Response | undefined>;
+            start?(session: Sessions["$typeValues"], req: Request): Promise<void>;
+            success?(session: Sessions["$typeValues"], input: {}): Promise<Response>;
+        };
+    };
+}): Hono<import("hono").Env, import("hono/types").BlankSchema, "/">;
+export {};

package/dist/auth/handler.js

@@ -0,0 +1,189 @@
+import * as jose from "jose";
+import { Hono } from "hono/tiny";
+import { deleteCookie, getCookie, setCookie } from "hono/cookie";
+export class UnknownProviderError extends Error {
+    provider;
+    constructor(provider) {
+        super("Unknown provider: " + provider);
+        this.provider = provider;
+    }
+}
+export class MissingParameterError extends Error {
+    parameter;
+    constructor(parameter) {
+        super("Missing parameter: " + parameter);
+        this.parameter = parameter;
+    }
+}
+export class UnknownStateError extends Error {
+    constructor() {
+        super("The browser was in an unknown state. This could be because certain cookies expired or the browser was switched in the middle of an authentication flow");
+    }
+}
+export class UnauthorizedClientError extends Error {
+    client;
+    redirect_uri;
+    constructor(client, redirect_uri) {
+        super("Unauthorized client");
+        this.client = client;
+        this.redirect_uri = redirect_uri;
+    }
+}
+export class InvalidSessionError extends Error {
+    constructor() {
+        super("Invalid session");
+    }
+}
+export function AuthHandler(input) {
+    const app = new Hono();
+    if (!input.callbacks.auth.error) {
+        input.callbacks.auth.error = async (err) => {
+            return new Response(err.message, {
+                status: 400,
+                headers: {
+                    "Content-Type": "text/plain",
+                },
+            });
+        };
+    }
+    const options = {
+        signing: {
+            privateKey: jose.importPKCS8(process.env.AUTH_PRIVATE_KEY, "RS512"),
+            publicKey: jose.importSPKI(process.env.AUTH_PUBLIC_KEY, "RS512"),
+        },
+        encryption: {
+            privateKey: jose.importPKCS8(process.env.AUTH_PRIVATE_KEY, "RSA-OAEP-512"),
+            publicKey: jose.importSPKI(process.env.AUTH_PUBLIC_KEY, "RSA-OAEP-512"),
+        },
+        algorithm: "RS512",
+        async success(ctx, properties) {
+            const redirect_uri = getCookie(ctx, "redirect_uri");
+            const response_type = getCookie(ctx, "response_type");
+            if (!redirect_uri) {
+                return options.forward(ctx, await input.callbacks.auth.error(new UnknownStateError(), ctx.req.raw));
+            }
+            return await input.callbacks.auth.success({
+                async session(session) {
+                    const token = await new jose.SignJWT(session)
+                        .setProtectedHeader({ alg: "RS512" })
+                        .setExpirationTime("1yr")
+                        .sign(await options.signing.privateKey);
+                    deleteCookie(ctx, "provider");
+                    deleteCookie(ctx, "response_type");
+                    deleteCookie(ctx, "redirect_uri");
+                    deleteCookie(ctx, "state");
+                    const client_id = getCookie(ctx, "client_id");
+                    const state = getCookie(ctx, "state");
+                    if (response_type === "token") {
+                        const location = new URL(redirect_uri);
+                        location.hash = `access_token=${token}&state=${state || ""}`;
+                        return ctx.redirect(location.toString(), 302);
+                    }
+                    if (response_type === "code") {
+                        // This allows the code to be reused within a 30 second window
+                        // The code should be single use but we're making this tradeoff to remain stateless
+                        // In the future can store this in a dynamo table to ensure single use
+                        const code = await new jose.SignJWT({
+                            client_id,
+                            redirect_uri,
+                            token,
+                        })
+                            .setProtectedHeader({ alg: "RS512" })
+                            .setExpirationTime("30s")
+                            .sign(await options.signing.privateKey);
+                        const location = new URL(redirect_uri);
+                        location.searchParams.set("code", code);
+                        location.searchParams.set("state", state || "");
+                        return ctx.redirect(location.toString(), 302);
+                    }
+                    ctx.status(400);
+                    return ctx.text(`Unsupported response_type: ${response_type}`);
+                },
+            }, {
+                provider: ctx.get("provider"),
+                ...properties,
+            }, ctx.req.raw);
+        },
+        forward(ctx, response) {
+            return ctx.newResponse(response.body, response.status, Object.fromEntries(response.headers.entries()));
+        },
+        cookie(c, key, value, maxAge) {
+            setCookie(c, key, value, {
+                maxAge,
+                httpOnly: true,
+                ...(c.req.url.startsWith("https://")
+                    ? { secure: true, sameSite: "None" }
+                    : {}),
+            });
+        },
+    };
+    app.get("/token", async (c) => {
+        console.log("token request");
+        const form = await c.req.formData();
+        if (form.get("grant_type") !== "authorization_code") {
+            c.status(400);
+            return c.text("Invalid grant_type");
+        }
+        const code = form.get("code");
+        if (!code) {
+            c.status(400);
+            return c.text("Missing code");
+        }
+        const { payload } = await jose.jwtVerify(code, await options.signing.publicKey);
+        if (payload.redirect_uri !== form.get("redirect_uri")) {
+            c.status(400);
+            return c.text("redirect_uri mismatch");
+        }
+        if (payload.client_id !== form.get("client_id")) {
+            c.status(400);
+            return c.text("client_id mismatch");
+        }
+        return c.json({
+            access_token: payload.token,
+        });
+    });
+    app.use("/:provider/authorize", async (c, next) => {
+        const provider = c.req.param("provider");
+        console.log("authorize request for", provider);
+        const response_type = c.req.query("response_type") || getCookie(c, "response_type");
+        const redirect_uri = c.req.query("redirect_uri") || getCookie(c, "redirect_uri");
+        const state = c.req.query("state") || getCookie(c, "state");
+        if (!provider) {
+            c.status(400);
+            return c.text("Missing provider");
+        }
+        if (!redirect_uri) {
+            c.status(400);
+            return c.text("Missing redirect_uri");
+        }
+        if (!response_type) {
+            c.status(400);
+            return c.text("Missing response_type");
+        }
+        options.cookie(c, "provider", provider, 60 * 10);
+        options.cookie(c, "response_type", response_type, 60 * 10);
+        options.cookie(c, "redirect_uri", redirect_uri, 60 * 10);
+        options.cookie(c, "state", state || "", 60 * 10);
+        if (input.callbacks.auth.start) {
+            await input.callbacks.auth.start(c.req.raw);
+        }
+        await next();
+    });
+    for (const [name, value] of Object.entries(input.providers)) {
+        const route = new Hono();
+        route.use(async (c, next) => {
+            c.set("provider", name);
+            await next();
+        });
+        value(route, {
+            name,
+            ...options,
+        });
+        app.route(`/${name}`, route);
+    }
+    app.all("/*", async (c) => {
+        return c.notFound();
+    });
+    console.log(app.routes);
+    return app;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,14 @@
+export * from "./adapter/oidc.js";
+export * from "./adapter/google.js";
+export * from "./adapter/link.js";
+export * from "./adapter/github.js";
+export * from "./adapter/facebook.js";
+export * from "./adapter/microsoft.js";
+export * from "./adapter/oauth.js";
+export * from "./adapter/spotify.js";
+export * from "./adapter/code.js";
+export * from "./adapter/apple.js";
+export type { Adapter } from "./adapter/adapter.js";
+export * from "./session.js";
+export * from "./handler.js";
+export { Issuer } from "openid-client";

package/dist/auth/index.js

@@ -0,0 +1,13 @@
+export * from "./adapter/oidc.js";
+export * from "./adapter/google.js";
+export * from "./adapter/link.js";
+export * from "./adapter/github.js";
+export * from "./adapter/facebook.js";
+export * from "./adapter/microsoft.js";
+export * from "./adapter/oauth.js";
+export * from "./adapter/spotify.js";
+export * from "./adapter/code.js";
+export * from "./adapter/apple.js";
+export * from "./session.js";
+export * from "./handler.js";
+export { Issuer } from "openid-client";

package/dist/auth/session.d.ts

@@ -0,0 +1,18 @@
+export type SessionBuilder = ReturnType<typeof createSessionBuilder>;
+export declare function createSessionBuilder<SessionTypes extends Record<string, any> = {}>(): {
+    verify(token: string): Promise<{ [type in keyof SessionTypes]: {
+        type: type;
+        properties: SessionTypes[type];
+    }; }[keyof SessionTypes] | {
+        type: "public";
+        properties: {};
+    }>;
+    $type: SessionTypes;
+    $typeValues: { [type in keyof SessionTypes]: {
+        type: type;
+        properties: SessionTypes[type];
+    }; }[keyof SessionTypes] | {
+        type: "public";
+        properties: {};
+    };
+};

package/dist/auth/session.js

@@ -0,0 +1,17 @@
+import { importSPKI, jwtVerify } from "jose";
+import { Resource } from "../resource.js";
+export function createSessionBuilder() {
+    return {
+        async verify(token) {
+            const auth = Object.values(Resource).find((value) => value.publicKey);
+            if (!auth) {
+                throw new Error("No auth resource found");
+            }
+            const publicKey = auth.publicKey;
+            const result = await jwtVerify(token, await importSPKI(publicKey, "RS512"));
+            return result.payload;
+        },
+        $type: {},
+        $typeValues: {},
+    };
+}

package/dist/resource.js

@@ -1,13 +1,16 @@
-const $SST_LINKS = {};
-export const Resource = new Proxy({}, {
+const raw = {
+    // @ts-expect-error,
+    ...globalThis.$SST_LINKS,
+};
+for (const [key, value] of Object.entries(process.env)) {
+    if (key.startsWith("SST_RESOURCE_") && value) {
+        raw[key.slice("SST_RESOURCE_".length)] = JSON.parse(value);
+    }
+}
+export const Resource = new Proxy(raw, {
     get(target, prop) {
-        // Read from environment first
-        const envName = `SST_RESOURCE_${prop}`;
-        if (process.env[envName]) {
-            return JSON.parse(process.env[envName]);
-        }
-        if (prop in $SST_LINKS) {
-            return $SST_LINKS[prop];
+        if (prop in target) {
+            return target[prop];
         }
         throw new Error(`"${prop}" is not linked`);
     },

package/dist/vector-client.d.ts

@@ -1,16 +1,8 @@
+import { Resource } from "./resource.js";
 export type IngestEvent = {
-    /**
-     * The external ID of the event.
-     * If the external ID already exists, the embedding and metadata will be updated.
-     * @example
-     * ```js
-     * {
-     *   externalId: "37043bc3-2166-437d-bbf8-a2238d7a5796"
-     * }
-     */
-    externalId: string;
     /**
      * The text used to generate the embedding vector.
+     * At least one of `text` or `image` must be provided.
      * @example
      * ```js
      * {
@@ -18,9 +10,10 @@ export type IngestEvent = {
      * }
      * ```
      */
-    text: string;
+    text?: string;
     /**
      * The base64 representation of the image used to generate the embedding vector.
+     * At least one of `text` or `image` must be provided.
      * @example
      * ```js
      * {
@@ -30,64 +23,107 @@ export type IngestEvent = {
      */
     image?: string;
     /**
-     * Additional metadata for the event in JSON format.
-     * This metadata will be used to filter the retrieval of events.
+     * Metadata for the event in JSON format.
+     * This metadata will be used to filter when retrieving and removing embeddings.
      * @example
      * ```js
      * {
      *   metadata: {
-     *     key1: "value1",
-     *     key2: "value2"
+     *     type: "movie",
+     *     id: "movie-123",
+     *     name: "Spiderman",
      *   }
      * }
      * ```
      */
-    metadata: any;
+    metadata: Record<string, any>;
 };
 export type RetrieveEvent = {
     /**
-     * The prompt used to retrieve events.
+     * The text prompt used to retrieve embeddings.
+     * At least one of `text` or `image` must be provided.
      * @example
      * ```js
      * {
-     *   prompt: "This is an example text.",
+     *   text: "This is an example text.",
      * }
      * ```
      */
-    prompt: string;
+    text?: string;
     /**
-     * The metadata used to filter the retrieval of events.
-     * Only events with metadata that match the provided fields will be returned.
+     * The base64 representation of the image prompt used to retrive embeddings.
+     * At least one of `text` or `image` must be provided.
      * @example
      * ```js
      * {
-     *   metadata: {
+     *   image: await fs.readFile("./file.jpg").toString("base64"),
+     * }
+     * ```
+     */
+    image?: string;
+    /**
+     * The metadata used to filter the retrieval of embeddings.
+     * Only embeddings with metadata that match the provided fields will be returned.
+     * @example
+     * ```js
+     * {
+     *   include: {
      *     type: "movie",
-     *     name: "Spiderman",
+     *     release: "2001",
      *   }
      * }
      * ```
-     * This will match event with metadata:
+     * This will match the embedding with metadata:
      *  {
      *    type: "movie",
      *    name: "Spiderman",
      *    release: "2001",
      *  }
-     * But this will not match event with metadata:
+     *
+     * But not the embedding with metadata:
      *  {
      *    type: "book",
      *    name: "Spiderman",
-     *    release: "1962",
+     *    release: "2001",
      *  }
      */
-    metadata: any;
+    include: Record<string, any>;
     /**
-     * The threshold of similarity between the prompt and the retrieved events.
-     * Only events with a similarity score higher than the threshold will be returned.
+     * Exclude embeddings with metadata that match the provided fields.
+     * @example
+     * ```js
+     * {
+     *   include: {
+     *     type: "movie",
+     *     release: "2001",
+     *   },
+     *   exclude: {
+     *     name: "Spiderman",
+     *   }
+     * }
+     * ```
+     * This will match the embedding with metadata:
+     *  {
+     *    type: "movie",
+     *    name: "A Beautiful Mind",
+     *    release: "2001",
+     *  }
+     *
+     * But not the embedding with metadata:
+     *  {
+     *    type: "book",
+     *    name: "Spiderman",
+     *    release: "2001",
+     *  }
+     */
+    exclude?: Record<string, any>;
+    /**
+     * The threshold of similarity between the prompt and the retrieved embeddings.
+     * Only embeddings with a similarity score higher than the threshold will be returned.
      * Expected value is between 0 and 1.
-     * - 0 means the prompt and the retrieved events are completely different.
-     * - 1 means the prompt and the retrieved events are identical.
-     * @default 0
+     * - 0 means the prompt and the retrieved embeddings are completely different.
+     * - 1 means the prompt and the retrieved embeddings are identical.
+     * @default `0`
      * @example
      * ```js
      * {
@@ -98,7 +134,7 @@ export type RetrieveEvent = {
     threshold?: number;
     /**
      * The number of results to return.
-     * @default 10
+     * @default `10`
      * @example
      * ```js
      * {
@@ -110,17 +146,41 @@ export type RetrieveEvent = {
 };
 export type RemoveEvent = {
     /**
-     * The external ID of the event to remove.
+     * The metadata used to filter the removal of embeddings.
+     * Only embeddings with metadata that match the provided fields will be removed.
      * @example
+     * To remove embeddings for movie with id "movie-123":
      * ```js
      * {
-     *   externalId: "37043bc3-2166-437d-bbf8-a2238d7a5796"
+     *   include: {
+     *     id: "movie-123",
+     *   }
      * }
+     * ```
+     * To remove embeddings for all movies:
+     *  {
+     *   include: {
+     *    type: "movie",
+     *   }
+     *  }
+     */
+    include: Record<string, any>;
+};
+type RetriveResponse = {
+    /**
+     * Metadata for the event in JSON format that was provided when ingesting the embedding.
+     */
+    metadata: Record<string, any>;
+    /**
+     * The similarity score between the prompt and the retrieved embedding.
      */
-    externalId: string;
+    score: number;
 };
-export declare const VectorClient: (name: string) => {
-    ingest: (event: IngestEvent) => Promise<any>;
-    retrieve: (event: RetrieveEvent) => Promise<any>;
-    delete: (event: RemoveEvent) => Promise<any>;
+export declare function VectorClient<T extends keyof {
+    [key in keyof Resource as "sst.aws.Vector" extends Resource[key]["type"] ? string extends key ? never : key : never]: Resource[key];
+}>(name: T): {
+    ingest: (event: IngestEvent) => Promise<void>;
+    retrieve: (event: RetrieveEvent) => Promise<RetriveResponse>;
+    remove: (event: RemoveEvent) => Promise<void>;
 };
+export {};

package/dist/vector-client.js

@@ -1,31 +1,31 @@
 import { LambdaClient, InvokeCommand, } from "@aws-sdk/client-lambda";
 import { Resource } from "./resource.js";
 const lambda = new LambdaClient();
-export const VectorClient = (name) => {
+export function VectorClient(name) {
     return {
         ingest: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
-                FunctionName: Resource[name].ingestorFunctionName,
+                FunctionName: Resource[name].ingestor,
                 Payload: JSON.stringify(event),
             }));
-            return parsePayload(ret, "Failed to ingest into the vector db");
+            parsePayload(ret, "Failed to ingest into the vector db");
         },
         retrieve: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
-                FunctionName: Resource[name].retrieverFunctionName,
+                FunctionName: Resource[name].retriever,
                 Payload: JSON.stringify(event),
             }));
             return parsePayload(ret, "Failed to retrieve from the vector db");
         },
-        delete: async (event) => {
+        remove: async (event) => {
             const ret = await lambda.send(new InvokeCommand({
-                FunctionName: Resource[name].removerFunctionName,
+                FunctionName: Resource[name].remover,
                 Payload: JSON.stringify(event),
             }));
-            return parsePayload(ret, "Failed to remove from the vector db");
+            parsePayload(ret, "Failed to remove from the vector db");
         },
     };
-};
+}
 function parsePayload(output, message) {
     const payload = JSON.parse(Buffer.from(output.Payload).toString());
     // Set cause to the payload so that it can be logged in CloudWatch

package/package.json

@@ -2,7 +2,8 @@
   "$schema": "https://json.schemastore.org/package.json",
   "name": "sst",
   "type": "module",
-  "version": "3.0.1-9",
+  "sideEffects": false,
+  "version": "3.0.2",
   "main": "./dist/index.js",
   "exports": {
     ".": "./dist/index.js",
@@ -17,11 +18,14 @@
     "dist"
   ],
   "dependencies": {
-    "@aws-sdk/client-lambda": "3.478.0"
+    "@aws-sdk/client-lambda": "3.478.0",
+    "hono": "^4.0.1",
+    "jose": "^5.2.1",
+    "openid-client": "^5.6.4"
   },
   "scripts": {
     "build": "tsc",
     "dev": "tsc -w",
-    "release": "pnpm build && pnpm version prerelease && pnpm publish --no-git-checks --tag=ion --access=public"
+    "release": "pnpm build && pnpm version patch && pnpm publish --no-git-checks --tag=ion --access=public"
   }
 }