Ma/dbconnections

.husky/pre-commit

@@ -1,3 +1,3 @@
 pnpm interfaces build
 pnpm kysely build
-pnpm kysely authhero
+pnpm authhero build

apps/demo/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @authhero/demo
 
+## 0.5.4
+
+### Patch Changes
+
+- Updated dependencies
+- Updated dependencies
+  - [email protected]
+  - @authhero/[email protected]
+
 ## 0.5.3
 
 ### Patch Changes

apps/demo/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@authhero/demo",
   "private": true,
-  "version": "0.5.3",
+  "version": "0.5.4",
   "scripts": {
     "dev": "bun --watch src/bun.ts"
   },
   "dependencies": {
-    "@authhero/kysely-adapter": "^0.25.1",
+    "@authhero/kysely-adapter": "^0.25.3",
     "@hono/swagger-ui": "^0.5.0",
     "@hono/zod-openapi": "^0.18.3",
     "@peculiar/x509": "^1.12.3",
-    "authhero": "^0.25.0",
+    "authhero": "^0.26.0",
     "hono": "^4.6.13",
     "hono-openapi-middlewares": "^1.0.11",
     "kysely-bun-sqlite": "^0.3.2",

packages/adapter-interfaces/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @authhero/adapter-interfaces
 
+## 0.33.0
+
+### Minor Changes
+
+- add sendgrid and postmark mail services
+- migrate dbconnections and setup email providers
+
+## 0.32.1
+
+### Patch Changes
+
+- update all build packages
+
 ## 0.32.0
 
 ### Minor Changes

packages/adapter-interfaces/package.json

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "0.32.0",
+  "version": "0.33.0",
   "files": [
     "dist"
   ],

packages/adapter-interfaces/src/types/Client.ts

@@ -8,9 +8,7 @@ const ClientDomainSchema = z.object({
   dkim_private_key: z.string().optional(),
   dkim_public_key: z.string().optional(),
   email_api_key: z.string().optional(),
-  email_service: z
-    .union([z.literal("mailgun"), z.literal("mailchannels")])
-    .optional(),
+  email_service: z.string().optional(),
 });
 
 const ClientSchema = z.object({

packages/adapter-interfaces/src/types/Domain.ts

@@ -6,7 +6,7 @@ export const domainInsertSchema = z.object({
   dkim_private_key: z.string().optional(),
   dkim_public_key: z.string().optional(),
   email_api_key: z.string().optional(),
-  email_service: z.enum(["mailgun", "mailchannels"]),
+  email_service: z.string().optional(),
 });
 export type DomainInsert = z.infer<typeof domainInsertSchema>;
 

packages/authhero/CHANGELOG.md

@@ -1,5 +1,32 @@
 # authhero
 
+## 0.26.0
+
+### Minor Changes
+
+- add id-token support to hook
+- migrate dbconnections and setup email providers
+
+### Patch Changes
+
+- Updated dependencies
+- Updated dependencies
+  - @authhero/[email protected]
+
+## 0.25.2
+
+### Patch Changes
+
+- update all build packages
+- Updated dependencies
+  - @authhero/[email protected]
+
+## 0.25.1
+
+### Patch Changes
+
+- update the build
+
 ## 0.25.0
 
 ### Minor Changes

packages/authhero/package.json

@@ -1,6 +1,6 @@
 {
   "name": "authhero",
-  "version": "0.25.0",
+  "version": "0.26.0",
   "files": [
     "dist"
   ],

packages/authhero/src/auth-app.ts

@@ -8,6 +8,7 @@ import {
   tokenRoutes,
   wellKnownRoutes,
   userinfoRoutes,
+  dbConnectionRoutes,
 } from "./routes/auth-api";
 
 export interface CreateAuthParams {
@@ -26,7 +27,8 @@ export default function create() {
     .route("/v2/logout", logoutRoutes)
     .route("/userinfo", userinfoRoutes)
     .route("/.well-known", wellKnownRoutes)
-    .route("/oauth/token", tokenRoutes);
+    .route("/oauth/token", tokenRoutes)
+    .route("/dbconnections", dbConnectionRoutes);
 
   oauthApp.doc("/spec", {
     openapi: "3.0.0",

packages/authhero/src/authentication-flows/common.ts

@@ -13,6 +13,8 @@ export interface CreateAuthTokensParams {
   sid?: string;
 }
 
+const RESERVED_CLAIMS = ["sub", "iss", "aud", "exp", "nbf", "iat", "jti"];
+
 export async function createAuthTokens(
   ctx: Context<{ Bindings: Bindings; Variables: Variables }>,
   params: CreateAuthTokensParams,
@@ -31,7 +33,7 @@ export async function createAuthTokens(
 
   const keyBuffer = pemToBuffer(signingKey.pkcs7);
 
-  const payload = {
+  const accessTokenPayload = {
     // TODO: consider if the dafault should be removed
     aud: authParams.audience || "default",
     scope: authParams.scope || "",
@@ -41,6 +43,26 @@ export async function createAuthTokens(
     sid,
   };
 
+  const idTokenPayload =
+    user && authParams.scope?.split(" ").includes("openid")
+      ? {
+          // The audience for an id token is the client id
+          aud: authParams.client_id,
+          sub: user.user_id,
+          iss: ctx.env.ISSUER,
+          sid,
+          nonce: authParams.nonce,
+          given_name: user.given_name,
+          family_name: user.family_name,
+          nickname: user.nickname,
+          picture: user.picture,
+          locale: user.locale,
+          name: user.name,
+          email: user.email,
+          email_verified: user.email_verified,
+        }
+      : undefined;
+
   if (ctx.env.hooks?.onExecuteCredentialsExchange) {
     await ctx.env.hooks.onExecuteCredentialsExchange(
       {
@@ -52,19 +74,21 @@ export async function createAuthTokens(
       {
         accessToken: {
           setCustomClaim: (claim, value) => {
-            const reservedClaims = [
-              "sub",
-              "iss",
-              "aud",
-              "exp",
-              "nbf",
-              "iat",
-              "jti",
-            ];
-            if (reservedClaims.includes(claim)) {
+            if (RESERVED_CLAIMS.includes(claim)) {
+              throw new Error(`Cannot overwrite reserved claim '${claim}'`);
+            }
+            accessTokenPayload[claim] = value;
+          },
+        },
+        idToken: {
+          setCustomClaim: (claim, value) => {
+            if (RESERVED_CLAIMS.includes(claim)) {
               throw new Error(`Cannot overwrite reserved claim '${claim}'`);
             }
-            payload[claim] = value;
+
+            if (idTokenPayload) {
+              idTokenPayload[claim] = value;
+            }
           },
         },
         access: {
@@ -78,44 +102,24 @@ export async function createAuthTokens(
     );
   }
 
-  const access_token = await createJWT("RS256", keyBuffer, payload, {
+  const header = {
     includeIssuedTimestamp: true,
     expiresIn: new TimeSpan(1, "d"),
     headers: {
       kid: signingKey.kid,
     },
-  });
+  };
 
-  const id_token =
-    user && authParams.scope?.split(" ").includes("openid")
-      ? await createJWT(
-          "RS256",
-          keyBuffer,
-          {
-            // The audience for an id token is the client id
-            aud: authParams.client_id,
-            sub: user.user_id,
-            iss: ctx.env.ISSUER,
-            sid,
-            nonce: authParams.nonce,
-            given_name: user.given_name,
-            family_name: user.family_name,
-            nickname: user.nickname,
-            picture: user.picture,
-            locale: user.locale,
-            name: user.name,
-            email: user.email,
-            email_verified: user.email_verified,
-          },
-          {
-            includeIssuedTimestamp: true,
-            expiresIn: new TimeSpan(1, "d"),
-            headers: {
-              kid: signingKey.kid,
-            },
-          },
-        )
-      : undefined;
+  const access_token = await createJWT(
+    "RS256",
+    keyBuffer,
+    accessTokenPayload,
+    header,
+  );
+
+  const id_token = idTokenPayload
+    ? await createJWT("RS256", keyBuffer, idTokenPayload, header)
+    : undefined;
 
   return {
     access_token,

packages/authhero/src/constants.ts

@@ -1,3 +1,4 @@
 export const JWKS_CACHE_TIMEOUT_IN_SECONDS = 60 * 5; // 5 minutes
 export const SILENT_AUTH_MAX_AGE = 30 * 24 * 60 * 60; // 30 days
+export const UNIVERSAL_AUTH_SESSION_EXPIRES_IN_SECONDS = 24 * 60 * 60; // 1 day
 export const SILENT_COOKIE_NAME = "auth-token";

packages/authhero/src/emails/index.ts

@@ -0,0 +1,61 @@
+import { Context } from "hono";
+import { Bindings, Variables } from "../types";
+import { User } from "@authhero/adapter-interfaces";
+import { HTTPException } from "hono/http-exception";
+
+export async function sendEmail(
+  ctx: Context<{ Bindings: Bindings; Variables: Variables }>,
+  tenant_id: string,
+  to: string,
+  subject: string,
+  html: string,
+) {
+  const emailProvider = await ctx.env.data.emailProviders.get(tenant_id);
+
+  if (!emailProvider) {
+    throw new HTTPException(500, { message: "Email provider not found" });
+  }
+
+  const emailService = ctx.env.emailProviders?.[emailProvider.name];
+  if (!emailService) {
+    throw new HTTPException(500, { message: "Email provider not found" });
+  }
+
+  emailService({
+    to,
+    from: emailProvider.default_from_address || `login@${ctx.env.ISSUER}`,
+    subject,
+    html,
+  });
+}
+
+export async function sendResetPassword(
+  ctx: Context<{ Bindings: Bindings; Variables: Variables }>,
+  tenant_id: string,
+  to: string,
+  // auth0 just has a ticket, but we have a code and a state
+  code: string,
+  state?: string,
+) {
+  await sendEmail(
+    ctx,
+    tenant_id,
+    to,
+    `Reset your password`,
+    `Click here to reset your password: ${ctx.env.ISSUER}u/reset-password?state=${state}&code=${code}`,
+  );
+}
+
+export async function sendValidateEmailAddress(
+  ctx: Context<{ Bindings: Bindings; Variables: Variables }>,
+  tenant_id: string,
+  user: User,
+) {
+  await sendEmail(
+    ctx,
+    tenant_id,
+    user.email,
+    `Validate your email address`,
+    `Click here to validate your email: ${ctx.env.ISSUER}u/validate-email`,
+  );
+}