@aithos/sdk 0.1.0-alpha.4 → 0.1.0-alpha.40

package/dist/src/auth-api.js

@@ -41,6 +41,19 @@ async function postJson(http, path, body, jwt) {
         throw await readError(res, "request_failed");
     return (await res.json());
 }
+async function putJson(http, path, body, jwt) {
+    const res = await http.fetchImpl(`${http.authBaseUrl}${path}`, {
+        method: "PUT",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${jwt}`,
+        },
+        body: JSON.stringify(body),
+    });
+    if (!res.ok)
+        throw await readError(res, "request_failed");
+    return (await res.json());
+}
 export async function registerAccount(http, input) {
     return postJson(http, "/auth/register", {
         email: input.email,
@@ -56,6 +69,13 @@ export async function registerAccount(http, input) {
         blob_version: input.blobVersion,
     });
 }
+export async function putBlob(http, input) {
+    return putJson(http, "/auth/blob", {
+        blob_b64: bytesToB64(input.blob),
+        blob_nonce_b64: bytesToB64(input.blobNonce),
+        blob_version: input.blobVersion,
+    }, input.jwt);
+}
 export async function loginChallenge(http, email) {
     const wire = await postJson(http, "/auth/login/challenge", { email });
     return {
@@ -79,4 +99,152 @@ export async function loginVerify(http, email, authKey) {
         blobVersion: wire.blob_version,
     };
 }
+/**
+ * Provision a custodial-mode account on behalf of a registered app.
+ *
+ * Two integration paths:
+ *   - **Backend** caller passes `apiKey` (server-only secret).
+ *   - **Browser** caller passes `publicKey` (safe to ship in the bundle).
+ *     The browser also sends its `Origin` header automatically and the
+ *     auth backend validates it against the app's allowed_origins list.
+ *
+ * On success the account exists in DDB with `email_verified: false` and
+ * the response carries `status: "pending_verification"` — call
+ * {@link custodialVerifyEmail} after the user clicks the confirmation
+ * link before attempting sign-in.
+ */
+export async function custodialSignUp(http, input) {
+    if (!input.apiKey && !input.publicKey) {
+        throw new AithosSDKError("auth_missing_api_key", "signUpCustodial requires either apiKey or publicKey");
+    }
+    if (input.apiKey && input.publicKey) {
+        throw new AithosSDKError("auth_invalid_input", "signUpCustodial: pass exactly one of apiKey or publicKey, not both");
+    }
+    const bearer = (input.apiKey ?? input.publicKey);
+    const res = await http.fetchImpl(`${http.authBaseUrl}/auth/custodial/sign-up`, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${bearer}`,
+        },
+        body: JSON.stringify({
+            email: input.email,
+            password: input.password,
+            ...(input.displayName ? { display_name: input.displayName } : {}),
+            ...(input.handleHint ? { handle_hint: input.handleHint } : {}),
+        }),
+    });
+    if (!res.ok)
+        throw await readError(res, "custodial_signup_failed");
+    const wire = (await res.json());
+    return {
+        status: "pending_verification",
+        email: wire.email,
+        mailSent: wire.mail_sent,
+        ...(wire.mail_message_id !== undefined
+            ? { mailMessageId: wire.mail_message_id }
+            : {}),
+    };
+}
+/**
+ * Consume the verification token from the confirmation link. On a fresh
+ * click: returns a full session payload (magic-link auto-signin). On a
+ * replayed click of an already-consumed link: returns
+ * `{ status: "already_verified" }`.
+ *
+ * Throws `auth_token_invalid_or_expired` if the token is wrong, consumed,
+ * or past its TTL.
+ */
+export async function custodialVerifyEmail(http, input) {
+    const res = await http.fetchImpl(`${http.authBaseUrl}/auth/custodial/verify`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ email: input.email, token: input.token }),
+    });
+    if (!res.ok)
+        throw await readError(res, "custodial_verify_failed");
+    const wire = (await res.json());
+    if (wire.status === "already_verified") {
+        return { status: "already_verified", email: wire.email };
+    }
+    return {
+        status: "signed_in",
+        session: wire.session,
+        exp: wire.exp,
+        did: wire.did,
+        handle: wire.handle,
+        displayName: wire.display_name,
+        seed: b64ToBytes(wire.seed_b64),
+        encKey: b64ToBytes(wire.enc_key_b64),
+        blob: wire.blob_b64 ? b64ToBytes(wire.blob_b64) : new Uint8Array(0),
+        blobNonce: wire.blob_nonce_b64
+            ? b64ToBytes(wire.blob_nonce_b64)
+            : new Uint8Array(0),
+        blobVersion: wire.blob_version,
+    };
+}
+/* ---- POST /auth/custodial/verify/resend -------------------------------- */
+/** Re-send the verification mail for a pending account. The backend
+ *  is anti-enum (always 200) and rate-limited 1/h/account, so this is
+ *  safe to call even when the user state is unknown. Accepts the same
+ *  credential families as {@link custodialSignUp}. */
+export async function custodialResendVerify(http, args) {
+    if (!args.apiKey && !args.publicKey) {
+        throw new AithosSDKError("auth_missing_api_key", "resendVerificationEmail requires either apiKey or publicKey");
+    }
+    const bearer = (args.apiKey ?? args.publicKey);
+    const res = await http.fetchImpl(`${http.authBaseUrl}/auth/custodial/verify/resend`, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${bearer}`,
+        },
+        body: JSON.stringify({ email: args.email }),
+    });
+    if (!res.ok)
+        throw await readError(res, "custodial_resend_failed");
+}
+export async function custodialSignIn(http, input) {
+    const wire = await postJson(http, "/auth/custodial/sign-in", { email: input.email, password: input.password });
+    return {
+        session: wire.session,
+        exp: wire.exp,
+        did: wire.did,
+        handle: wire.handle,
+        displayName: wire.display_name,
+        seed: b64ToBytes(wire.seed_b64),
+        encKey: b64ToBytes(wire.enc_key_b64),
+        blob: wire.blob_b64 ? b64ToBytes(wire.blob_b64) : new Uint8Array(0),
+        blobNonce: wire.blob_nonce_b64
+            ? b64ToBytes(wire.blob_nonce_b64)
+            : new Uint8Array(0),
+        blobVersion: wire.blob_version,
+        passwordMustChange: wire.password_must_change,
+    };
+}
+/* ---- POST /auth/custodial/reset/request --------------------------------- */
+export async function custodialResetRequest(http, email) {
+    // Backend always returns 200 { ok: true } regardless. We accept any
+    // 2xx body, even non-JSON, to be defensive.
+    const res = await http.fetchImpl(`${http.authBaseUrl}/auth/custodial/reset/request`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ email }),
+    });
+    if (!res.ok)
+        throw await readError(res, "custodial_reset_request_failed");
+}
+export async function custodialResetFinalize(http, input) {
+    const wire = await postJson(http, "/auth/custodial/reset/finalize", {
+        email: input.email,
+        token: input.token,
+        new_password: input.newPassword,
+    });
+    return {
+        session: wire.session,
+        exp: wire.exp,
+        did: wire.did,
+        handle: wire.handle,
+    };
+}
 //# sourceMappingURL=auth-api.js.map