/**
 * MastraAuthWorkos - WorkOS authentication provider for Mastra.
 *
 * Uses @workos/authkit-session for session management with encrypted
 * cookie-based sessions that persist across server restarts.
 *
 * NOTE(review): this listing is an ambient declaration file; no method bodies
 * are visible, so behavioural notes below are hedged where the declaration
 * alone cannot establish them. Generic type arguments also appear to be
 * missing from the listing (bare `Promise`, `Record`, `LRUCache`, and a stray
 * `>` on handleCallback) - consult the published .d.ts for the exact types.
 */
import type { IUserProvider, ISSOProvider, ISessionProvider, Session, SSOCallbackResult, SSOLoginConfig } from './_types/@internal_auth/dist/index.d.ts';
import type { EEUser } from './_types/@internal_auth/dist/ee/index.d.ts';
import { MastraAuthProvider } from './_types/@internal_auth/dist/provider/index.d.ts';
import { AuthService } from '@workos/authkit-session';
import type { AuthKitConfig } from '@workos/authkit-session';
import { WorkOS } from '@workos-inc/node';
import type { OrganizationMembership } from '@workos-inc/node';
import { LRUCache } from 'lru-cache';

/**
 * Structural request shape accepted in place of a standard Request: an
 * optional underlying `raw` Request, optional `headers`, and a `header(name)`
 * accessor that returns the header value or undefined.
 */
type HonoRequestLike = {
    raw?: Request;
    headers?: Headers;
    header(name: string): string | undefined;
};

/** Either a standard Request or a HonoRequestLike wrapper. */
type MastraAuthRequest = Request | HonoRequestLike;

import type { WorkOSUser, MastraAuthWorkosOptions } from './types.js';

/**
 * Mastra authentication provider for WorkOS.
 *
 * Uses WorkOS AuthKit with encrypted cookie-based sessions.
 * Sessions are stored in cookies, so they persist across server restarts.
 *
 * Security notes for integrators:
 * - `cookiePassword` presumably keys the session-cookie encryption (confirm in
 *   the implementation). Treat it with the same care as the API key: load it
 *   from the environment or a secret store as in the example, never commit it,
 *   and respect the 32-character minimum stated below.
 * - Because session state lives in the cookie, server-side revocation is not
 *   evident from this interface; see the notes on the session methods.
 *
 * @example Basic usage with SSO
 * ```typescript
 * import { MastraAuthWorkos } from '@mastra/auth-workos';
 *
 * const auth = new MastraAuthWorkos({
 *   apiKey: process.env.WORKOS_API_KEY,
 *   clientId: process.env.WORKOS_CLIENT_ID,
 *   redirectUri: 'https://myapp.com/auth/callback',
 *   cookiePassword: process.env.WORKOS_COOKIE_PASSWORD, // min 32 chars
 * });
 * ```
 */
export declare class MastraAuthWorkos extends MastraAuthProvider implements IUserProvider, ISSOProvider, ISessionProvider {
    // WorkOS SDK client; also exposed through getWorkOS().
    protected workos: WorkOS;
    // Client ID returned by getClientId().
    protected clientId: string;
    // Redirect URI returned by getRedirectUri().
    protected redirectUri: string;
    // SSO settings, typed from the `sso` key of the constructor options.
    protected ssoConfig: MastraAuthWorkosOptions['sso'];
    // AuthKit session service; also exposed through getAuthService().
    protected authService: AuthService;
    // AuthKit configuration object.
    protected config: AuthKitConfig;
    // Presumably controls whether organization memberships are looked up for a user - confirm.
    protected fetchMemberships: boolean;
    // NOTE(review): presumably lets user fields be taken from JWT claims instead of a
    // WorkOS lookup. If so, authorization data is only as fresh as the token - confirm
    // before enabling where role or organization changes must take effect immediately.
    protected trustJwtClaims: boolean;
    // Options typed from the `jwtClaims` key of the constructor options.
    protected jwtClaimOptions?: MastraAuthWorkosOptions['jwtClaims'];
    // Optional hook typed from the `mapJwtPayloadToUser` key of the constructor options.
    protected mapJwtPayloadToUser?: MastraAuthWorkosOptions['mapJwtPayloadToUser'];
    // NOTE(review): presumably caches organization memberships; cached entries can
    // outlive a membership revocation - confirm the size and TTL in the implementation.
    protected membershipCache: LRUCache;

    /**
     * @param options - Provider options (see MastraAuthWorkosOptions). Optional in
     *   this signature; how missing values are resolved is not visible here.
     */
    constructor(options?: MastraAuthWorkosOptions);

    /**
     * Authenticate a bearer token or session cookie.
     *
     * Uses AuthKit's withAuth() for cookie-based sessions, falls back to
     * JWT verification for bearer tokens.
     *
     * @param token - Bearer token presented by the client.
     * @param request - Incoming request, either a standard Request or a
     *   Hono-style wrapper (see MastraAuthRequest).
     */
    authenticateToken(token: string, request: MastraAuthRequest): Promise;

    /**
     * Authorize a user for access.
     *
     * NOTE(review): the authorization criteria are not visible in this
     * declaration. Confirm what the implementation checks before relying on
     * this method as the only access-control gate.
     *
     * @param user - The authenticated WorkOS user.
     */
    authorizeUser(user: WorkOSUser): Promise;

    /**
     * Get the current user from the request using AuthKit session.
     *
     * @param request - Incoming request carrying the session cookie.
     */
    getCurrentUser(request: Request): Promise;

    /**
     * Get a user by their ID.
     *
     * @param userId - Identifier of the user to look up.
     */
    getUser(userId: string): Promise;

    /**
     * Get the URL to the user's profile page.
     *
     * @param user - User whose profile URL is requested.
     */
    getUserProfileUrl(user: EEUser): string;

    // Private helpers; their signatures and bodies are not part of this declaration.
    private getMemberships;
    private attachMembershipsIfNeeded;
    private getSingleMembershipOrganizationId;
    private resolveJwtPayloadUser;
    private buildUserFromJwtClaims;
    private mergeJwtPayloadUser;
    private readJwtClaim;

    /**
     * Get the URL to redirect users to for SSO login.
     *
     * @param redirectUri - Callback URL for the login flow.
     * @param state - Opaque value carried through the OAuth round trip.
     *   NOTE(review): callers should generate it unpredictably per login attempt
     *   and compare it on callback; handleCallback's `_state` parameter looks
     *   unused, so the comparison presumably has to happen at the call site.
     */
    getLoginUrl(redirectUri: string, state: string): string;

    /**
     * Handle the OAuth callback from WorkOS.
     *
     * Uses WorkOS SDK's authenticateWithCode directly instead of AuthKit's handleCallback.
     * AuthKit's handleCallback requires PKCE cookies that must be set during getLoginUrl()
     * and read during handleCallback(), but our ISSOProvider interface separates these
     * calls across different requests without cookie propagation.
     *
     * This approach was the original implementation before commit 6e4d4f5cf3 introduced
     * a regression by switching to AuthKit's handleCallback with dummy Request/Response
     * objects that couldn't provide the required PKCE cookies.
     *
     * NOTE(review): `_state` is underscore-prefixed, which conventionally marks an
     * unused parameter - presumably state is not verified inside this method.
     * Since this path does not use AuthKit's PKCE cookies, a state comparison by
     * the caller is the login-CSRF protection visible from this interface; confirm
     * that the route invoking this method performs it.
     *
     * @param code - Authorization code returned by WorkOS on the callback.
     * @param _state - State value returned on the callback (see note above).
     */
    handleCallback(code: string, _state: string): Promise>;

    /**
     * Get the URL to redirect users to for logout.
     * Extracts session ID from the request's JWT to build a valid WorkOS logout URL.
     *
     * NOTE(review): `redirectUri` is caller-supplied. If a call site derives it from
     * request input, it should be checked against an allow-list of post-logout
     * destinations to avoid an open redirect - confirm at the call sites.
     *
     * @param redirectUri - URL to redirect to after logout
     * @param request - Request containing session cookie (needed to extract sid)
     * @returns Logout URL or null if no active session
     */
    getLogoutUrl(redirectUri: string, request?: Request): Promise;

    /**
     * Get the configuration for rendering the login button.
     */
    getLoginButtonConfig(): SSOLoginConfig;

    /**
     * Create a new session for a user.
     *
     * Note: With AuthKit, sessions are created via handleCallback.
     * This method is kept for interface compatibility.
     *
     * @param userId - Identifier of the user the session is for.
     * @param metadata - Optional extra data to associate with the session.
     */
    createSession(userId: string, metadata?: Record): Promise;

    /**
     * Validate a session.
     *
     * With AuthKit, sessions are validated via withAuth().
     *
     * NOTE(review): the underscore-prefixed parameter suggests the session ID is
     * not inspected here - presumably a compatibility stub. Confirm before using
     * its result as proof that a session is valid.
     */
    validateSession(_sessionId: string): Promise;

    /**
     * Destroy a session.
     *
     * NOTE(review): `_sessionId` looks unused, and sessions are stored in the
     * cookie. Presumably this does not revoke anything server-side - confirm, and
     * pair logout with getClearSessionHeaders() and getLogoutUrl() if so.
     */
    destroySession(_sessionId: string): Promise;

    /**
     * Refresh a session.
     *
     * NOTE(review): `_sessionId` looks unused - presumably a compatibility stub; confirm.
     */
    refreshSession(_sessionId: string): Promise;

    /**
     * Extract session ID from a request.
     *
     * NOTE(review): `_request` looks unused - confirm whether this can ever
     * return a non-null value.
     */
    getSessionIdFromRequest(_request: Request): string | null;

    /**
     * Get response headers to set the session cookie.
     *
     * NOTE(review): the cookie attributes (HttpOnly, Secure, SameSite, lifetime)
     * are not visible in this declaration - verify them in the implementation or
     * in the emitted headers.
     *
     * @param session - Session to encode into the response headers.
     */
    getSessionHeaders(session: Session): Record;

    /**
     * Get response headers to clear the session cookie.
     */
    getClearSessionHeaders(): Record;

    /**
     * Get the underlying WorkOS client.
     *
     * NOTE(review): the client is presumably constructed with the API key from
     * the constructor options, so whoever holds this reference can act with that
     * key's privileges - keep it away from request-scoped or untrusted code.
     */
    getWorkOS(): WorkOS;

    /**
     * Get the AuthKit AuthService.
     */
    getAuthService(): AuthService;

    /**
     * Get the configured client ID.
     */
    getClientId(): string;

    /**
     * Get the configured redirect URI.
     */
    getRedirectUri(): string;
}
export {};
//# sourceMappingURL=auth-provider.d.ts.map