npm - @alien-id/sso - Versions diffs - 1.0.25 - Mend

@alien-id/sso 1.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,87 @@
+# @alien_org/sso-sdk-core
+Core TypeScript client for [Alien SSO](https://alien.org) authentication. Provides OIDC-compatible authentication with blockchain and TEE backing.
+## ⚠️ Alpha Version Notice
+**This is an early alpha version.** The SDK is under active development and may contain bugs or undergo breaking changes. Use with caution in production environments.
+## Installation
+```bash
+npm install @alien_org/sso-sdk-core
+```
+## Features
+- ✅ **TypeScript-first** with full type safety
+- ✅ **Runtime validation** via Zod schemas
+- ✅ **PKCE support** for secure authorization
+- ✅ **Dual exports**: ESM and CJS
+- ✅ **Zero UI dependencies** - use in any JavaScript environment
+- ✅ **Storage management** for tokens and session data
+## Documentation
+📚 **Full documentation at [dev.alien.org/docs](https://dev.alien.org/docs)**
+- **[Integration Guide](https://dev.alien.org/docs/sso-guide/core-integration)** - Complete integration walkthrough
+- **[API Reference](https://dev.alien.org/docs/sso-api-reference/api-reference-core)** - Detailed API documentation
+- **[What is Alien Session?](https://dev.alien.org/docs/what-is-alien-session)** - Session architecture explained
+- **[Demo App](https://dev.alien.org/docs/sso-demo-app)** - Example application
+### React Integration
+If you're using React, check out [@alien_org/sso-sdk-react](https://www.npmjs.com/package/@alien_org/sso-sdk-react) for hooks and pre-built components:
+```bash
+npm install @alien_org/sso-sdk-react
+```
+## Authentication Flow
+1. **Generate deeplink** → Display QR code or redirect
+2. **User authenticates** in Alien mobile app
+3. **Poll for completion** → Get authorization code
+4. **Exchange code** → Receive access token
+5. **Verify token** → Validate with server (optional)
+## Storage
+The SDK uses browser storage for session management:
+- **localStorage**: `alien-sso_access_token` - Access token
+- **sessionStorage**: `alien-sso_code_verifier` - PKCE code verifier
+## Getting a Provider Address
+Register your application at the [Developer Portal](https://dev.alien.org/dashboard) to get your provider credentials.
+## TypeScript Support
+Includes full TypeScript declarations with Zod runtime validation:
+```typescript
+import type {
+  AlienSsoClientConfig,
+  AuthorizeResponse,
+  PollResponse,
+  ExchangeCodeResponse,
+  TokenInfo
+} from '@alien_org/sso-sdk-core';
+```
+## Browser Support
+- Modern browsers with ES2020+ support
+- Chrome, Firefox, Safari, Edge (latest versions)
+## License
+MIT
+## Links
+- [Documentation](https://dev.alien.org/docs)
+- [GitHub Repository](https://github.com/alien-org/sso-sdk-js)
+- [NPM Package](https://www.npmjs.com/package/@alien_org/sso-sdk-core)

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1 @@

+ "use strict";var h=(u,e,o)=>new Promise((r,s)=>{var a=l=>{try{c(o.next(l))}catch(S){s(S)}},n=l=>{try{c(o.throw(l))}catch(S){s(S)}},c=l=>l.done?r(l.value):Promise.resolve(l.value).then(a,n);c((o=o.apply(u,e)).next())});Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const t=require("zod/v4-mini"),I=require("js-sha256"),y=t.z.object({deep_link:t.z.string(),polling_code:t.z.string(),expired_at:t.z.number()}),T=t.z.object({polling_code:t.z.string()}),j=["pending","authorized","rejected","expired"],x=t.z.enum(j),z=t.z.object({status:x,authorization_code:t.z.optional(t.z.string())}),m=t.z.object({access_token:t.z.string(),token_type:t.z.string(),expires_in:t.z.number(),id_token:t.z.optional(t.z.string()),refresh_token:t.z.string()}),R=t.z.object({sub:t.z.string()}),A=t.z.object({iss:t.z.string(),sub:t.z.string(),aud:t.z.union([t.z.string(),t.z.array(t.z.string())]),exp:t.z.number(),iat:t.z.number(),nonce:t.z.optional(t.z.string()),auth_time:t.z.optional(t.z.number())}),E=m;function _(u){return btoa(u).replace(/\+/g,"-").replace(/\//g,"_").replace(/=/g,"")}function w(u){let e=u.replace(/-/g,"+").replace(/_/g,"/");for(;e.length%4;)e+="=";return atob(e)}const v="https://sso.alien.com",P=5e3,i="alien-sso_",g=i+"refresh_token",p=i+"token_expiry",f=(u,e)=>new URL(e,u).toString(),b=t.z.object({ssoBaseUrl:t.z.url(),providerAddress:t.z.string(),pollingInterval:t.z.optional(t.z.number())}),d=class d{constructor(e){this.config=b.parse(e),this.ssoBaseUrl=this.config.ssoBaseUrl||v,this.providerAddress=this.config.providerAddress,this.pollingInterval=this.config.pollingInterval||P}generateCodeVerifier(e=128){let o;const r=typeof window!="undefined"&&window.crypto;if(r&&r.getRandomValues)o=new Uint8Array(e),r.getRandomValues(o);else{o=new Uint8Array(e);for(let a=0;a<e;a++)o[a]=Math.floor(Math.random()*256)}let s="";for(let a=0;a<o.length;a++)s+=String.fromCharCode(o[a]);return _(s)}generateCodeChallenge(e){const o=I.sha256.array(e),r=String.fromCharCode(...o);return _(r)}generateDeeplink(){return h(this,null,function*(){const e=this.generateCodeVerifier(),o=this.generateCodeChallenge(e);sessionStorage.setItem(i+"code_verifier",e);const r=new URLSearchParams({response_type:"code",response_mode:"json",client_id:this.providerAddress,scope:"openid",code_challenge:o,code_challenge_method:"S256"}),s=`${this.config.ssoBaseUrl}/oauth/authorize?${r.toString()}`,a=yield fetch(s,{method:"GET"});if(!a.ok){const c=yield a.json().catch(()=>({error:a.statusText}));throw new Error(`Authorize failed: ${c.error_description||c.error||a.statusText}`)}const n=yield a.json();return y.parse(n)})}pollAuth(e){return h(this,null,function*(){const o={polling_code:e};T.parse(o);const r=yield fetch(f(this.config.ssoBaseUrl,"/oauth/poll"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(o)});if(!r.ok)throw new Error(`Poll failed: ${r.statusText}`);const s=yield r.json();return z.parse(s)})}exchangeToken(e){return h(this,null,function*(){const o=sessionStorage.getItem(i+"code_verifier");if(!o)throw new Error("Missing code verifier.");const r=new URLSearchParams({grant_type:"authorization_code",code:e,client_id:this.providerAddress,code_verifier:o}),s=yield fetch(f(this.config.ssoBaseUrl,"/oauth/token"),{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:r.toString()});if(!s.ok){const l=yield s.json().catch(()=>({error:s.statusText}));throw new Error(`Token exchange failed: ${l.error_description||l.error||s.statusText}`)}const a=yield s.json(),n=m.parse(a);localStorage.setItem(i+"access_token",n.access_token),n.id_token&&localStorage.setItem(i+"id_token",n.id_token),localStorage.setItem(g,n.refresh_token);const c=Date.now()+n.expires_in*1e3;return localStorage.setItem(p,c.toString()),sessionStorage.removeItem(i+"code_verifier"),n})}verifyAuth(){return h(this,null,function*(){return this.withAutoRefresh(()=>h(this,null,function*(){const e=this.getAccessToken();if(!e)return null;const o=yield fetch(f(this.config.ssoBaseUrl,"/oauth/userinfo"),{method:"GET",headers:{Authorization:`Bearer ${e}`}});if(!o.ok){if(o.status===401){const s=new Error("Unauthorized");throw s.response={status:401},s}return null}const r=yield o.json();return R.parse(r)}))})}getAccessToken(){return localStorage.getItem(i+"access_token")}getIdToken(){return localStorage.getItem(i+"id_token")}getAuthData(){const e=this.getIdToken()||this.getAccessToken();if(!e)return null;const o=e.split(".");if(o.length!==3)return null;let r;try{const n=w(o[0]);r=JSON.parse(n)}catch(n){return null}if(r.alg!=="RS256"||r.typ!=="JWT")return null;let s;try{const n=JSON.parse(w(o[1]));s=A.parse(n)}catch(n){return null}return(Array.isArray(s.aud)?s.aud:[s.aud]).includes(this.providerAddress)?s:null}getSubject(){const e=this.getAuthData();return(e==null?void 0:e.sub)||null}isTokenExpired(){const e=this.getAuthData();return e?Date.now()/1e3>e.exp:!0}logout(){localStorage.removeItem(i+"access_token"),localStorage.removeItem(i+"id_token"),localStorage.removeItem(g),localStorage.removeItem(p),sessionStorage.removeItem(i+"code_verifier")}getRefreshToken(){return localStorage.getItem(g)}hasRefreshToken(){return!!this.getRefreshToken()}isAccessTokenExpired(){const e=localStorage.getItem(p);if(!e)return!0;const o=parseInt(e,10),r=Date.now(),s=300*1e3;return r>=o-s}refreshAccessToken(){return h(this,null,function*(){return d.refreshPromise||(d.refreshPromise=this.doRefreshAccessToken().finally(()=>{d.refreshPromise=null})),d.refreshPromise})}doRefreshAccessToken(){return h(this,null,function*(){const e=this.getRefreshToken();if(!e)throw new Error("No refresh token available");const o=new URLSearchParams({grant_type:"refresh_token",refresh_token:e,client_id:this.providerAddress}),r=yield fetch(f(this.config.ssoBaseUrl,"/oauth/token"),{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:o.toString()});if(!r.ok){const c=yield r.json().catch(()=>({error:r.statusText}));throw this.logout(),new Error(`Token refresh failed: ${c.error_description||c.error||r.statusText}`)}const s=yield r.json(),a=m.parse(s);localStorage.setItem(i+"access_token",a.access_token),a.id_token&&localStorage.setItem(i+"id_token",a.id_token),localStorage.setItem(g,a.refresh_token);const n=Date.now()+a.expires_in*1e3;return localStorage.setItem(p,n.toString()),a})}withAutoRefresh(e,o=1){return h(this,null,function*(){var r,s,a;try{return yield e()}catch(n){if((((r=n==null?void 0:n.response)==null?void 0:r.status)===401||((s=n==null?void 0:n.message)==null?void 0:s.includes("401"))||((a=n==null?void 0:n.message)==null?void 0:a.includes("Unauthorized")))&&o>0&&this.hasRefreshToken())try{return yield this.refreshAccessToken(),yield e()}catch(l){throw n}throw n}})}};d.refreshPromise=null;let k=d;exports.AlienSsoClient=k;exports.AlienSsoClientSchema=b;exports.AuthorizeResponseSchema=y;exports.ExchangeCodeResponseSchema=E;exports.PollRequestSchema=T;exports.PollResponseSchema=z;exports.TokenInfoSchema=A;exports.TokenResponseSchema=m;exports.UserInfoResponseSchema=R;

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,186 @@
+import { z } from 'zod/v4-mini';
+export declare class AlienSsoClient {
+    readonly config: AlienSsoClientConfig;
+    readonly pollingInterval: number;
+    readonly ssoBaseUrl: string;
+    readonly providerAddress: string;
+    private static refreshPromise;
+    constructor(config: AlienSsoClientConfig);
+    private generateCodeVerifier;
+    private generateCodeChallenge;
+    /**
+     * Initiates OAuth2 authorization flow with response_mode=json for SPA
+     * GET /oauth/authorize?response_type=code&response_mode=json&...
+     */
+    generateDeeplink(): Promise<AuthorizeResponse>;
+    /**
+     * Polls for authorization completion
+     * POST /oauth/poll
+     */
+    pollAuth(pollingCode: string): Promise<PollResponse>;
+    /**
+     * Exchanges authorization code for tokens
+     * POST /oauth/token (application/x-www-form-urlencoded)
+     * Returns both access_token and id_token
+     */
+    exchangeToken(authorizationCode: string): Promise<TokenResponse>;
+    /**
+     * Verifies authentication by calling userinfo endpoint
+     * GET /oauth/userinfo
+     * Automatically refreshes token on 401 if refresh token is available
+     */
+    verifyAuth(): Promise<UserInfoResponse | null>;
+    /**
+     * Gets stored access token
+     */
+    getAccessToken(): string | null;
+    /**
+     * Gets stored ID token
+     */
+    getIdToken(): string | null;
+    /**
+     * Decodes and validates JWT token to extract claims
+     * Works with both access_token and id_token (EdDSA signed)
+     */
+    getAuthData(): TokenInfo | null;
+    /**
+     * Gets the subject (user identifier) from the token
+     */
+    getSubject(): string | null;
+    /**
+     * Checks if the current token is expired
+     */
+    isTokenExpired(): boolean;
+    /**
+     * Clears all stored authentication data
+     */
+    logout(): void;
+    /**
+     * Gets stored refresh token
+     */
+    getRefreshToken(): string | null;
+    /**
+     * Checks if a refresh token is available
+     */
+    hasRefreshToken(): boolean;
+    /**
+     * Checks if the access token is expired or will expire soon (within 5 minutes)
+     */
+    isAccessTokenExpired(): boolean;
+    /**
+     * Refreshes the access token using the stored refresh token
+     * POST /oauth/token with grant_type=refresh_token
+     * Uses singleton pattern to prevent concurrent refresh requests (race condition)
+     */
+    refreshAccessToken(): Promise<TokenResponse>;
+    /**
+     * Internal method that performs the actual token refresh
+     */
+    private doRefreshAccessToken;
+    /**
+     * Executes a function that makes an authenticated request
+     * Automatically refreshes token and retries on 401 error
+     */
+    withAutoRefresh<T>(requestFn: () => Promise<T>, maxRetries?: number): Promise<T>;
+}
+export declare type AlienSsoClientConfig = z.infer<typeof AlienSsoClientSchema>;
+export declare const AlienSsoClientSchema: z.ZodMiniObject<{
+    ssoBaseUrl: z.ZodMiniURL;
+    providerAddress: z.ZodMiniString<string>;
+    pollingInterval: z.ZodMiniOptional<z.ZodMiniNumber<number>>;
+}, z.core.$strip>;
+export declare type AuthorizeResponse = z.infer<typeof AuthorizeResponseSchema>;
+/**
+ * Authorize response schema (for response_mode=json)
+ * GET /oauth/authorize?response_mode=json&...
+ */
+export declare const AuthorizeResponseSchema: z.ZodMiniObject<{
+    deep_link: z.ZodMiniString<string>;
+    polling_code: z.ZodMiniString<string>;
+    expired_at: z.ZodMiniNumber<number>;
+}, z.core.$strip>;
+export declare type ExchangeCodeResponse = TokenResponse;
+export declare const ExchangeCodeResponseSchema: z.ZodMiniObject<{
+    access_token: z.ZodMiniString<string>;
+    token_type: z.ZodMiniString<string>;
+    expires_in: z.ZodMiniNumber<number>;
+    id_token: z.ZodMiniOptional<z.ZodMiniString<string>>;
+    refresh_token: z.ZodMiniString<string>;
+}, z.core.$strip>;
+export declare interface JWTHeader {
+    alg: string;
+    typ: string;
+    kid?: string;
+}
+export declare type PollRequest = z.infer<typeof PollRequestSchema>;
+/**
+ * Poll request/response schema
+ * POST /oauth/poll
+ */
+export declare const PollRequestSchema: z.ZodMiniObject<{
+    polling_code: z.ZodMiniString<string>;
+}, z.core.$strip>;
+export declare type PollResponse = z.infer<typeof PollResponseSchema>;
+export declare const PollResponseSchema: z.ZodMiniObject<{
+    status: z.ZodMiniEnum<{
+        pending: "pending";
+        authorized: "authorized";
+        rejected: "rejected";
+        expired: "expired";
+    }>;
+    authorization_code: z.ZodMiniOptional<z.ZodMiniString<string>>;
+}, z.core.$strip>;
+export declare type TokenInfo = z.infer<typeof TokenInfoSchema>;
+/**
+ * Token info schema (parsed from JWT)
+ * Standard OIDC claims
+ */
+export declare const TokenInfoSchema: z.ZodMiniObject<{
+    iss: z.ZodMiniString<string>;
+    sub: z.ZodMiniString<string>;
+    aud: z.ZodMiniUnion<readonly [z.ZodMiniString<string>, z.ZodMiniArray<z.ZodMiniString<string>>]>;
+    exp: z.ZodMiniNumber<number>;
+    iat: z.ZodMiniNumber<number>;
+    nonce: z.ZodMiniOptional<z.ZodMiniString<string>>;
+    auth_time: z.ZodMiniOptional<z.ZodMiniNumber<number>>;
+}, z.core.$strip>;
+export declare type TokenResponse = z.infer<typeof TokenResponseSchema>;
+/**
+ * Token exchange response schema (OAuth2 standard)
+ * POST /oauth/token
+ */
+export declare const TokenResponseSchema: z.ZodMiniObject<{
+    access_token: z.ZodMiniString<string>;
+    token_type: z.ZodMiniString<string>;
+    expires_in: z.ZodMiniNumber<number>;
+    id_token: z.ZodMiniOptional<z.ZodMiniString<string>>;
+    refresh_token: z.ZodMiniString<string>;
+}, z.core.$strip>;
+export declare type UserInfoResponse = z.infer<typeof UserInfoResponseSchema>;
+/**
+ * UserInfo response schema
+ * GET /oauth/userinfo
+ */
+export declare const UserInfoResponseSchema: z.ZodMiniObject<{
+    sub: z.ZodMiniString<string>;
+}, z.core.$strip>;
+export { }

package/dist/index.esm.js ADDED Viewed

@@ -0,0 +1,355 @@
+var h = (u, e, o) => new Promise((r, s) => {
+  var a = (l) => {
+    try {
+      c(o.next(l));
+    } catch (m) {
+      s(m);
+    }
+  }, n = (l) => {
+    try {
+      c(o.throw(l));
+    } catch (m) {
+      s(m);
+    }
+  }, c = (l) => l.done ? r(l.value) : Promise.resolve(l.value).then(a, n);
+  c((o = o.apply(u, e)).next());
+});
+import { z as t } from "zod/v4-mini";
+import { sha256 as y } from "js-sha256";
+const T = t.object({
+  deep_link: t.string(),
+  polling_code: t.string(),
+  expired_at: t.number()
+}), b = t.object({
+  polling_code: t.string()
+}), A = ["pending", "authorized", "rejected", "expired"], I = t.enum(A), R = t.object({
+  status: I,
+  authorization_code: t.optional(t.string())
+}), k = t.object({
+  access_token: t.string(),
+  token_type: t.string(),
+  expires_in: t.number(),
+  id_token: t.optional(t.string()),
+  // Optional - not returned on refresh_token grant
+  refresh_token: t.string()
+}), x = t.object({
+  sub: t.string()
+}), j = t.object({
+  iss: t.string(),
+  sub: t.string(),
+  aud: t.union([t.string(), t.array(t.string())]),
+  exp: t.number(),
+  iat: t.number(),
+  nonce: t.optional(t.string()),
+  auth_time: t.optional(t.number())
+}), z = k;
+function _(u) {
+  return btoa(u).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function w(u) {
+  let e = u.replace(/-/g, "+").replace(/_/g, "/");
+  for (; e.length % 4; )
+    e += "=";
+  return atob(e);
+}
+const E = "https://sso.alien.com", v = 5e3, i = "alien-sso_", g = i + "refresh_token", p = i + "token_expiry", f = (u, e) => new URL(e, u).toString(), U = t.object({
+  ssoBaseUrl: t.url(),
+  providerAddress: t.string(),
+  pollingInterval: t.optional(t.number())
+}), d = class d {
+  constructor(e) {
+    this.config = U.parse(e), this.ssoBaseUrl = this.config.ssoBaseUrl || E, this.providerAddress = this.config.providerAddress, this.pollingInterval = this.config.pollingInterval || v;
+  }
+  generateCodeVerifier(e = 128) {
+    let o;
+    const r = typeof window != "undefined" && window.crypto;
+    if (r && r.getRandomValues)
+      o = new Uint8Array(e), r.getRandomValues(o);
+    else {
+      o = new Uint8Array(e);
+      for (let a = 0; a < e; a++)
+        o[a] = Math.floor(Math.random() * 256);
+    }
+    let s = "";
+    for (let a = 0; a < o.length; a++)
+      s += String.fromCharCode(o[a]);
+    return _(s);
+  }
+  generateCodeChallenge(e) {
+    const o = y.array(e), r = String.fromCharCode(...o);
+    return _(r);
+  }
+  /**
+   * Initiates OAuth2 authorization flow with response_mode=json for SPA
+   * GET /oauth/authorize?response_type=code&response_mode=json&...
+   */
+  generateDeeplink() {
+    return h(this, null, function* () {
+      const e = this.generateCodeVerifier(), o = this.generateCodeChallenge(e);
+      sessionStorage.setItem(i + "code_verifier", e);
+      const r = new URLSearchParams({
+        response_type: "code",
+        response_mode: "json",
+        client_id: this.providerAddress,
+        scope: "openid",
+        code_challenge: o,
+        code_challenge_method: "S256"
+      }), s = `${this.config.ssoBaseUrl}/oauth/authorize?${r.toString()}`, a = yield fetch(s, {
+        method: "GET"
+      });
+      if (!a.ok) {
+        const c = yield a.json().catch(() => ({ error: a.statusText }));
+        throw new Error(`Authorize failed: ${c.error_description || c.error || a.statusText}`);
+      }
+      const n = yield a.json();
+      return T.parse(n);
+    });
+  }
+  /**
+   * Polls for authorization completion
+   * POST /oauth/poll
+   */
+  pollAuth(e) {
+    return h(this, null, function* () {
+      const o = {
+        polling_code: e
+      };
+      b.parse(o);
+      const r = yield fetch(f(this.config.ssoBaseUrl, "/oauth/poll"), {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(o)
+      });
+      if (!r.ok)
+        throw new Error(`Poll failed: ${r.statusText}`);
+      const s = yield r.json();
+      return R.parse(s);
+    });
+  }
+  /**
+   * Exchanges authorization code for tokens
+   * POST /oauth/token (application/x-www-form-urlencoded)
+   * Returns both access_token and id_token
+   */
+  exchangeToken(e) {
+    return h(this, null, function* () {
+      const o = sessionStorage.getItem(i + "code_verifier");
+      if (!o) throw new Error("Missing code verifier.");
+      const r = new URLSearchParams({
+        grant_type: "authorization_code",
+        code: e,
+        client_id: this.providerAddress,
+        code_verifier: o
+      }), s = yield fetch(
+        f(this.config.ssoBaseUrl, "/oauth/token"),
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+          },
+          body: r.toString()
+        }
+      );
+      if (!s.ok) {
+        const l = yield s.json().catch(() => ({ error: s.statusText }));
+        throw new Error(`Token exchange failed: ${l.error_description || l.error || s.statusText}`);
+      }
+      const a = yield s.json(), n = k.parse(a);
+      localStorage.setItem(i + "access_token", n.access_token), n.id_token && localStorage.setItem(i + "id_token", n.id_token), localStorage.setItem(g, n.refresh_token);
+      const c = Date.now() + n.expires_in * 1e3;
+      return localStorage.setItem(p, c.toString()), sessionStorage.removeItem(i + "code_verifier"), n;
+    });
+  }
+  /**
+   * Verifies authentication by calling userinfo endpoint
+   * GET /oauth/userinfo
+   * Automatically refreshes token on 401 if refresh token is available
+   */
+  verifyAuth() {
+    return h(this, null, function* () {
+      return this.withAutoRefresh(() => h(this, null, function* () {
+        const e = this.getAccessToken();
+        if (!e)
+          return null;
+        const o = yield fetch(
+          f(this.config.ssoBaseUrl, "/oauth/userinfo"),
+          {
+            method: "GET",
+            headers: {
+              Authorization: `Bearer ${e}`
+            }
+          }
+        );
+        if (!o.ok) {
+          if (o.status === 401) {
+            const s = new Error("Unauthorized");
+            throw s.response = { status: 401 }, s;
+          }
+          return null;
+        }
+        const r = yield o.json();
+        return x.parse(r);
+      }));
+    });
+  }
+  /**
+   * Gets stored access token
+   */
+  getAccessToken() {
+    return localStorage.getItem(i + "access_token");
+  }
+  /**
+   * Gets stored ID token
+   */
+  getIdToken() {
+    return localStorage.getItem(i + "id_token");
+  }
+  /**
+   * Decodes and validates JWT token to extract claims
+   * Works with both access_token and id_token (EdDSA signed)
+   */
+  getAuthData() {
+    const e = this.getIdToken() || this.getAccessToken();
+    if (!e) return null;
+    const o = e.split(".");
+    if (o.length !== 3)
+      return null;
+    let r;
+    try {
+      const n = w(o[0]);
+      r = JSON.parse(n);
+    } catch (n) {
+      return null;
+    }
+    if (r.alg !== "RS256" || r.typ !== "JWT")
+      return null;
+    let s;
+    try {
+      const n = JSON.parse(w(o[1]));
+      s = j.parse(n);
+    } catch (n) {
+      return null;
+    }
+    return (Array.isArray(s.aud) ? s.aud : [s.aud]).includes(this.providerAddress) ? s : null;
+  }
+  /**
+   * Gets the subject (user identifier) from the token
+   */
+  getSubject() {
+    const e = this.getAuthData();
+    return (e == null ? void 0 : e.sub) || null;
+  }
+  /**
+   * Checks if the current token is expired
+   */
+  isTokenExpired() {
+    const e = this.getAuthData();
+    return e ? Date.now() / 1e3 > e.exp : !0;
+  }
+  /**
+   * Clears all stored authentication data
+   */
+  logout() {
+    localStorage.removeItem(i + "access_token"), localStorage.removeItem(i + "id_token"), localStorage.removeItem(g), localStorage.removeItem(p), sessionStorage.removeItem(i + "code_verifier");
+  }
+  /**
+   * Gets stored refresh token
+   */
+  getRefreshToken() {
+    return localStorage.getItem(g);
+  }
+  /**
+   * Checks if a refresh token is available
+   */
+  hasRefreshToken() {
+    return !!this.getRefreshToken();
+  }
+  /**
+   * Checks if the access token is expired or will expire soon (within 5 minutes)
+   */
+  isAccessTokenExpired() {
+    const e = localStorage.getItem(p);
+    if (!e) return !0;
+    const o = parseInt(e, 10), r = Date.now(), s = 300 * 1e3;
+    return r >= o - s;
+  }
+  /**
+   * Refreshes the access token using the stored refresh token
+   * POST /oauth/token with grant_type=refresh_token
+   * Uses singleton pattern to prevent concurrent refresh requests (race condition)
+   */
+  refreshAccessToken() {
+    return h(this, null, function* () {
+      return d.refreshPromise || (d.refreshPromise = this.doRefreshAccessToken().finally(() => {
+        d.refreshPromise = null;
+      })), d.refreshPromise;
+    });
+  }
+  /**
+   * Internal method that performs the actual token refresh
+   */
+  doRefreshAccessToken() {
+    return h(this, null, function* () {
+      const e = this.getRefreshToken();
+      if (!e)
+        throw new Error("No refresh token available");
+      const o = new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: e,
+        client_id: this.providerAddress
+      }), r = yield fetch(
+        f(this.config.ssoBaseUrl, "/oauth/token"),
+        {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+          },
+          body: o.toString()
+        }
+      );
+      if (!r.ok) {
+        const c = yield r.json().catch(() => ({ error: r.statusText }));
+        throw this.logout(), new Error(`Token refresh failed: ${c.error_description || c.error || r.statusText}`);
+      }
+      const s = yield r.json(), a = k.parse(s);
+      localStorage.setItem(i + "access_token", a.access_token), a.id_token && localStorage.setItem(i + "id_token", a.id_token), localStorage.setItem(g, a.refresh_token);
+      const n = Date.now() + a.expires_in * 1e3;
+      return localStorage.setItem(p, n.toString()), a;
+    });
+  }
+  /**
+   * Executes a function that makes an authenticated request
+   * Automatically refreshes token and retries on 401 error
+   */
+  withAutoRefresh(e, o = 1) {
+    return h(this, null, function* () {
+      var r, s, a;
+      try {
+        return yield e();
+      } catch (n) {
+        if ((((r = n == null ? void 0 : n.response) == null ? void 0 : r.status) === 401 || ((s = n == null ? void 0 : n.message) == null ? void 0 : s.includes("401")) || ((a = n == null ? void 0 : n.message) == null ? void 0 : a.includes("Unauthorized"))) && o > 0 && this.hasRefreshToken())
+          try {
+            return yield this.refreshAccessToken(), yield e();
+          } catch (l) {
+            throw n;
+          }
+        throw n;
+      }
+    });
+  }
+};
+d.refreshPromise = null;
+let S = d;
+export {
+  S as AlienSsoClient,
+  U as AlienSsoClientSchema,
+  T as AuthorizeResponseSchema,
+  z as ExchangeCodeResponseSchema,
+  b as PollRequestSchema,
+  R as PollResponseSchema,
+  j as TokenInfoSchema,
+  k as TokenResponseSchema,
+  x as UserInfoResponseSchema
+};

package/dist/index.umd.js ADDED Viewed

@@ -0,0 +1 @@

package/package.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "name": "@alien-id/sso",
+  "version": "1.0.25",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/alien-id/sso-sdk-js.git"
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.esm.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.esm.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "vite build",
+    "dev": "vite build --watch",
+    "test": "jest",
+    "test:unit": "jest tests/unit",
+    "test:integration": "jest tests/integration",
+    "test:watch": "jest --watch",
+    "release": "npm publish --access public",
+    "prepublishOnly": "npm run build"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.3",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^24.3.0",
+    "@typescript-eslint/eslint-plugin": "^8.41.0",
+    "@typescript-eslint/parser": "^8.41.0",
+    "cross-fetch": "^4.1.0",
+    "eslint": "^9.34.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.4",
+    "express": "^5.1.0",
+    "jest": "^30.1.2",
+    "jest-environment-jsdom": "^30.1.2",
+    "nock": "^14.0.10",
+    "prettier": "^3.6.2",
+    "ts-jest": "^29.4.1",
+    "turbo": "^2.5.6",
+    "vite": "^7.1.12",
+    "vite-plugin-dts": "^4.5.4"
+  },
+  "dependencies": {
+    "js-sha256": "^0.11.1",
+    "zod": "^4.1.5"
+  }
+}