@approvio/ts-sdk 0.0.8 → 0.0.9

package/dist/index.mjs

@@ -0,0 +1,571 @@
+import * as jose from "jose";
+import { decodeJwt } from "jose";
+import axios from "axios";
+import * as crypto$1 from "node:crypto";
+import * as TE from "fp-ts/TaskEither";
+import { pipe } from "fp-ts/function";
+//#region src/auth/utils.ts
+function isJwtTokenExpired(token) {
+	if (!token) return true;
+	const decoded = decodeJwt(token);
+	return !decoded.exp || decoded.exp < Date.now() / 1e3;
+}
+//#endregion
+//#region src/client/utils.ts
+/**
+* Checks if the given data matches the APIError structure.
+*/
+function isApprovioError(data) {
+	return data !== null && typeof data === "object" && "message" in data && "code" in data && typeof data.message === "string" && typeof data.code === "string";
+}
+function validateURL(url) {
+	try {
+		const validatedUrl = new URL(url);
+		if (validatedUrl.search.length > 0) throw new Error("URL must not contain query parameters");
+		if (validatedUrl.hash.length > 0) throw new Error("URL must not contain hash");
+	} catch (e) {
+		throw new Error("Invalid URL", { cause: e });
+	}
+}
+function removeTrailingSlash(url) {
+	return url.endsWith("/") ? url.slice(0, -1) : url;
+}
+//#endregion
+//#region src/auth/user.authenticator.ts
+/**
+* Authenticator for Approvio Users (Human sessions).
+* Handles automatic token renewal using a refresh token when the access token expires.
+*/
+var CliUserAuthenticator = class {
+	endpoint;
+	constructor(endpoint, accessToken, refreshToken, onTokenRefreshed) {
+		this.accessToken = accessToken;
+		this.refreshToken = refreshToken;
+		this.onTokenRefreshed = onTokenRefreshed;
+		validateURL(endpoint);
+		this.endpoint = removeTrailingSlash(endpoint);
+	}
+	customizeAxios(axios) {
+		axios.interceptors.request.use(async (axiosConfig) => {
+			const accessToken = await this.getAccessToken();
+			axiosConfig.headers.set("Authorization", `Bearer ${accessToken}`);
+			return axiosConfig;
+		});
+	}
+	/**
+	* Returns a valid access token.
+	* If the token is expired, it will automatically attempt to renew it using the refresh token.
+	*/
+	async getAccessToken() {
+		if (this.isTokenExpired()) {
+			const { accessToken, refreshToken } = await this.renewToken();
+			this.accessToken = accessToken;
+			this.refreshToken = refreshToken;
+			this.onTokenRefreshed?.(this.accessToken, this.refreshToken);
+		}
+		return this.accessToken;
+	}
+	isTokenExpired() {
+		if (!this.accessToken) return true;
+		return isJwtTokenExpired(this.accessToken);
+	}
+	async renewToken() {
+		const request = { refreshToken: this.refreshToken };
+		return (await axios.post(`${this.endpoint}/auth/cli/refresh`, request)).data;
+	}
+};
+//#endregion
+//#region src/auth/web.authenticator.ts
+/**
+* WebAuthenticator is designed for browser-based environments
+* where authentication is managed automatically via HttpOnly cookies.
+*
+*/
+var WebAuthenticator = class {
+	customizeAxios(axios) {
+		axios.defaults.withCredentials = true;
+		axios.interceptors.response.use((response) => response, async (error) => {
+			const originalRequest = error.config;
+			if (error.response?.status === 401 && (originalRequest.retry === void 0 || !originalRequest.retry)) {
+				originalRequest.retry = true;
+				try {
+					await axios.post("/auth/web/refresh", {}, { retry: true });
+					return axios(originalRequest);
+				} catch (refreshError) {
+					return Promise.reject(refreshError);
+				}
+			}
+			return Promise.reject(error);
+		});
+	}
+};
+//#endregion
+//#region src/auth/auth.helpers.ts
+/**
+* Helper class for managing Approvio authentication flows.
+* Provides methods for both user-based OIDC login and agent-based challenge-response authentication.
+*/
+var AuthHelper = class {
+	endpoint;
+	constructor(endpoint) {
+		validateURL(endpoint);
+		this.endpoint = removeTrailingSlash(endpoint);
+	}
+	/**
+	* Generates the login URL to initiate the OIDC authentication flow for users.
+	*/
+	getUserLoginUrl() {
+		return `${this.endpoint}/auth/web/login`;
+	}
+	/**
+	* Initiates the CLI login flow using a local loopback redirect URI.
+	* Prompts the backend to return an authorization URL for the IDP.
+	*/
+	initiateCliLogin(redirectUri) {
+		return TE.tryCatch(async () => {
+			return (await axios.post(`${this.endpoint}/auth/cli/initiate`, { redirectUri })).data.authorizationUrl;
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Exchanges an authorization code and state for a set of JWT tokens (access and refresh).
+	* This is typically the final step of the OIDC login flow.
+	*/
+	exchangeTokenForUser(code, state) {
+		const request = {
+			code,
+			state
+		};
+		return TE.tryCatch(async () => {
+			return (await axios.post(`${this.endpoint}/auth/cli/token`, request)).data;
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Authenticates an agent using the challenge-response flow.
+	* 1. Request a challenge from the server.
+	* 2. Decrypt the challenge using the agent's private key.
+	* 3. specific claims and sign a JWT assertion.
+	* 4. Exchange the assertion for an access token.
+	*/
+	authenticateAgent(agentName, privateKeyPem) {
+		return TE.tryCatch(async () => {
+			const challengeRequest = { agentName };
+			const { challenge: b64EncodedChallenge } = (await axios.post(`${this.endpoint}/auth/agents/challenge`, challengeRequest)).data;
+			const encryptedBuffer = Buffer.from(b64EncodedChallenge, "base64");
+			const decryptedContent = crypto$1.privateDecrypt({
+				key: privateKeyPem,
+				padding: crypto$1.constants.RSA_PKCS1_OAEP_PADDING,
+				oaepHash: "sha256"
+			}, encryptedBuffer).toString("utf-8");
+			const { nonce } = JSON.parse(decryptedContent);
+			const privateKey = await jose.importPKCS8(privateKeyPem, "RS256");
+			const tokenRequest = {
+				grantType: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+				clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+				clientAssertion: await new jose.SignJWT({
+					iss: agentName,
+					sub: agentName,
+					aud: "approvio-api",
+					jti: nonce
+				}).setProtectedHeader({
+					alg: "RS256",
+					typ: "JWT"
+				}).setIssuedAt().setExpirationTime("5m").sign(privateKey)
+			};
+			return (await axios.post(`${this.endpoint}/auth/agents/token`, tokenRequest)).data;
+		}, (error) => this.handleError(error));
+	}
+	handleError(error) {
+		if (axios.isAxiosError(error)) {
+			const status = error.response?.status;
+			const data = error.response?.data;
+			if (status && isApprovioError(data)) return {
+				...data,
+				status
+			};
+		}
+		if (error instanceof Error) return error;
+		return new Error(String(error));
+	}
+};
+//#endregion
+//#region src/auth/agent.authenticator.ts
+/**
+* Authenticator for Approvio Agents.
+* Handles automatic token renewal using a refresh token and DPoP proof when the access token expires.
+*/
+var AgentAuthenticator = class {
+	endpoint;
+	constructor(endpoint, privateKey, accessToken, refreshToken, onTokenRefreshed) {
+		this.privateKey = privateKey;
+		this.accessToken = accessToken;
+		this.refreshToken = refreshToken;
+		this.onTokenRefreshed = onTokenRefreshed;
+		validateURL(endpoint);
+		this.endpoint = removeTrailingSlash(endpoint);
+	}
+	customizeAxios(axios) {
+		axios.interceptors.request.use(async (axiosConfig) => {
+			const accessToken = await this.getAccessToken();
+			axiosConfig.headers.set("Authorization", `Bearer ${accessToken}`);
+			return axiosConfig;
+		});
+	}
+	/**
+	* Returns a valid access token.
+	* If the token is expired, it will automatically attempt to renew it using the refresh token.
+	*/
+	async getAccessToken() {
+		if (isJwtTokenExpired(this.accessToken)) {
+			const { accessToken, refreshToken } = await this.renewToken();
+			this.accessToken = accessToken;
+			this.refreshToken = refreshToken;
+			this.onTokenRefreshed?.(this.accessToken, this.refreshToken);
+		}
+		return this.accessToken;
+	}
+	async renewToken() {
+		const request = { refreshToken: this.refreshToken };
+		const dpopProof = await this.generateDpopProof("POST", `${this.endpoint}/auth/agents/refresh`);
+		return (await axios.post(`${this.endpoint}/auth/agents/refresh`, request, { headers: { DPoP: dpopProof } })).data;
+	}
+	async generateDpopProof(method, url) {
+		const privateKey = await jose.importPKCS8(this.privateKey, "RS256");
+		return await new jose.SignJWT({
+			htu: url,
+			htm: method,
+			jti: crypto.randomUUID()
+		}).setProtectedHeader({
+			alg: "RS256",
+			typ: "dpop+jwt"
+		}).setIssuedAt().setJti(crypto.randomUUID()).sign(privateKey);
+	}
+};
+//#endregion
+//#region src/client/errors.ts
+var LocationNotFoundError = class extends Error {
+	constructor() {
+		super("Location header was expected but not found");
+	}
+};
+var NetworkError = class extends Error {
+	constructor(message) {
+		super(message);
+	}
+};
+//#endregion
+//#region src/client/base.client.ts
+const networkCodes = [
+	"ECONNREFUSED",
+	"ETIMEDOUT",
+	"ENOTFOUND",
+	"ECONNRESET"
+];
+/**
+* Base client for Approvio API.
+*/
+var BaseApprovioClient = class {
+	axios;
+	constructor(config, authenticator) {
+		this.config = config;
+		this.authenticator = authenticator;
+		validateURL(config.endpoint);
+		this.axios = axios.create({ baseURL: removeTrailingSlash(config.endpoint) });
+		this.authenticator.customizeAxios(this.axios);
+	}
+	handleError(error) {
+		if (axios.isAxiosError(error)) {
+			if (networkCodes.includes(error.code ?? "")) return new NetworkError(`Network error ${error.code}`);
+			const status = error.response?.status;
+			const data = error.response?.data;
+			if (status && isApprovioError(data)) return {
+				...data,
+				status
+			};
+		}
+		if (error instanceof Error) return error;
+		return new Error(String(error));
+	}
+	/**
+	* Performs a GET request.
+	*/
+	get(url, params) {
+		return TE.tryCatch(async () => {
+			return (await this.axios.get(url, { params })).data;
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Performs a POST request.
+	*/
+	post(url, data) {
+		return TE.tryCatch(async () => {
+			return (await this.axios.post(url, data)).data;
+		}, (error) => this.handleError(error));
+	}
+	postWithLocation(url, data) {
+		return TE.tryCatch(async () => {
+			const response = await this.axios.post(url, data);
+			const location = response.headers["location"];
+			if (!location) throw new LocationNotFoundError();
+			return {
+				data: response.data,
+				location
+			};
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Performs a PUT request.
+	*/
+	put(url, data) {
+		return TE.tryCatch(async () => {
+			return (await this.axios.put(url, data)).data;
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Performs a DELETE request.
+	*/
+	delete(url, data) {
+		return TE.tryCatch(async () => {
+			const config = data !== void 0 ? { data } : void 0;
+			return (await this.axios.delete(url, config)).data;
+		}, (error) => this.handleError(error));
+	}
+	/**
+	* Get workflow details.
+	*/
+	getWorkflow(workflowId, params) {
+		return this.get(`/workflows/${workflowId}`, params);
+	}
+	/**
+	* List workflows.
+	*/
+	listWorkflows(params) {
+		const queryParams = {
+			page: params?.page,
+			limit: params?.limit,
+			"include-only-non-terminal-state": params?.includeOnlyNonTerminalState,
+			include: params?.include
+		};
+		return this.get("/workflows", queryParams);
+	}
+	/**
+	* Create a new workflow.
+	*/
+	createWorkflow(data) {
+		return this.post("/workflows", data);
+	}
+	/**
+	* Vote on a workflow.
+	*/
+	voteOnWorkflow(workflowId, data) {
+		return this.post(`/workflows/${workflowId}/vote`, data);
+	}
+	/**
+	* Check if the current entity can vote on a workflow.
+	*/
+	canVoteOnWorkflow(workflowId) {
+		return this.get(`/workflows/${workflowId}/canVote`);
+	}
+	/**
+	* List role templates.
+	*/
+	listRoleTemplates() {
+		return this.get("/roles");
+	}
+	/**
+	* Get authenticated entity information.
+	*/
+	getEntityInfo() {
+		return this.get("/auth/info");
+	}
+};
+//#endregion
+//#region src/client/user.client.ts
+/**
+* Client for Approvio API (Human/User).
+*/
+var ApprovioUserClient = class extends BaseApprovioClient {
+	constructor(config, authenticator) {
+		super(config, authenticator);
+		this.authenticator = authenticator;
+	}
+	/**
+	* Lists users.
+	*/
+	listUsers(params) {
+		return this.get("/users", params);
+	}
+	registerAgent(data) {
+		return this.post("/agents/register", data);
+	}
+	/**
+	* Assign roles to an agent.
+	*/
+	assignAgentRoles(agentId, data) {
+		return this.put(`/agents/${agentId}/roles`, data);
+	}
+	/**
+	* Remove roles from an agent.
+	*/
+	removeAgentRoles(agentId, data) {
+		return this.delete(`/agents/${agentId}/roles`, data);
+	}
+	/**
+	* Creates a new user.
+	*/
+	createUser(data) {
+		return pipe(this.postWithLocation("/users", data), TE.map(({ location }) => location), TE.chain((location) => {
+			const id = location.split("/").pop();
+			if (!id) return TE.left(/* @__PURE__ */ new Error("Invalid location"));
+			return TE.right(id);
+		}));
+	}
+	/**
+	* Get user details.
+	*/
+	getUser(userId) {
+		return this.get(`/users/${userId}`);
+	}
+	/**
+	* Assign roles to a user.
+	*/
+	assignUserRoles(userId, data) {
+		return this.put(`/users/${userId}/roles`, data);
+	}
+	/**
+	* Remove roles from a user.
+	*/
+	removeUserRoles(userId, data) {
+		return this.delete(`/users/${userId}/roles`, data);
+	}
+	/**
+	* Create a new workflow template.
+	*/
+	createWorkflowTemplate(data) {
+		return this.post("/workflow-templates", data);
+	}
+	/**
+	* List workflow templates.
+	*/
+	listWorkflowTemplates(params) {
+		return this.get("/workflow-templates", params);
+	}
+	/**
+	* Get workflow template details.
+	*/
+	getWorkflowTemplate(templateIdentifier) {
+		return this.get(`/workflow-templates/${templateIdentifier}`);
+	}
+	/**
+	* Update a workflow template.
+	*/
+	updateWorkflowTemplate(templateIdentifier, data) {
+		return this.put(`/workflow-templates/${templateIdentifier}`, data);
+	}
+	/**
+	* Deprecate a workflow template.
+	*/
+	deprecateWorkflowTemplate(templateName, data) {
+		return this.post(`/workflow-templates/${templateName}/deprecate`, data);
+	}
+	/**
+	* Create a new group.
+	*/
+	createGroup(data) {
+		return pipe(this.postWithLocation("/groups", data), TE.map(({ location }) => location), TE.chain((location) => {
+			const id = location.split("/").pop();
+			if (!id) return TE.left(/* @__PURE__ */ new Error("Invalid location"));
+			return TE.right(id);
+		}));
+	}
+	/**
+	* List groups.
+	*/
+	listGroups(params) {
+		return this.get("/groups", params);
+	}
+	/**
+	* Get group details.
+	*/
+	getGroup(groupIdentifier) {
+		return this.get(`/groups/${groupIdentifier}`);
+	}
+	/**
+	* List entities in a group.
+	*/
+	listGroupEntities(groupId, params) {
+		return this.get(`/groups/${groupId}/entities`, params);
+	}
+	/**
+	* Add entities to a group.
+	*/
+	addGroupEntities(groupId, data) {
+		return this.post(`/groups/${groupId}/entities`, data);
+	}
+	/**
+	* Remove entities from a group.
+	*/
+	removeGroupEntities(groupId, data) {
+		return this.delete(`/groups/${groupId}/entities`, data);
+	}
+	/**
+	* Create a new space.
+	*/
+	createSpace(data) {
+		return this.post("/spaces", data);
+	}
+	/**
+	* List spaces.
+	*/
+	listSpaces(params) {
+		return this.get("/spaces", params);
+	}
+	/**
+	* Get space details.
+	*/
+	getSpace(spaceId) {
+		return this.get(`/spaces/${spaceId}`);
+	}
+	/**
+	* Delete a space.
+	*/
+	deleteSpace(spaceId) {
+		return this.delete(`/spaces/${spaceId}`);
+	}
+	/**
+	* Add an organization admin.
+	*/
+	addOrganizationAdminToOrg(organizationName, data) {
+		return this.post(`/organization/${organizationName}/admins`, data);
+	}
+	/**
+	* List organization admins.
+	*/
+	listOrganizationAdminsForOrg(organizationName, params) {
+		return this.get(`/organization/${organizationName}/admins`, params);
+	}
+	/**
+	* Remove an organization admin.
+	*/
+	removeOrganizationAdminFromOrg(organizationName, data) {
+		return this.delete(`/organization/${organizationName}/admins`, data);
+	}
+	getAgent(agentId) {
+		return this.get(`/agents/${agentId}`);
+	}
+};
+//#endregion
+//#region src/client/agent.client.ts
+/**
+* Client for Approvio API (Agent).
+*/
+var ApprovioAgentClient = class extends BaseApprovioClient {
+	constructor(config, authenticator) {
+		super(config, authenticator);
+		this.authenticator = authenticator;
+	}
+	getAuthenticator() {
+		return this.authenticator;
+	}
+};
+//#endregion
+export { AgentAuthenticator, ApprovioAgentClient, ApprovioUserClient, AuthHelper, BaseApprovioClient, CliUserAuthenticator, WebAuthenticator };

package/package.json

@@ -1,8 +1,17 @@
 {
   "name": "@approvio/ts-sdk",
-  "version": "0.0.8",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "version": "0.0.9",
+  "type": "module",
+  "main": "dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "dist/index.d.mts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.mts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    }
+  },
   "files": [
     "dist",
     "README.md",
@@ -14,19 +23,21 @@
   },
   "packageManager": "yarn@4.7.0",
   "scripts": {
-    "build": "tsc",
+    "build": "tsdown src/index.ts --format esm,cjs --dts",
     "lint": "eslint --cache --fix .",
     "format": "prettier --config .prettierrc . --write",
     "test": "jest",
     "prepublishOnly": "yarn format && yarn lint && yarn build"
   },
   "dependencies": {
-    "@approvio/api": "0.0.29",
+    "@approvio/api": "0.0.31",
     "axios": "1.13.2",
-    "fp-ts": "2.16.11",
-    "io-ts": "2.2.22",
     "jose": "6.1.3"
   },
+  "peerDependencies": {
+    "fp-ts": "^2.0.0",
+    "io-ts": "^2.0.0"
+  },
   "devDependencies": {
     "@types/jest": "29.5.14",
     "@types/node": "22.18.0",
@@ -37,9 +48,12 @@
     "eslint-plugin-jest": "28.14.0",
     "eslint-plugin-node": "11.1.0",
     "eslint-plugin-prettier": "5.5.4",
+    "fp-ts": "2.16.11",
+    "io-ts": "2.2.20",
     "jest": "29.7.0",
     "prettier": "3.7.4",
     "ts-jest": "29.4.6",
+    "tsdown": "^0.21.4",
     "typescript": "5.9.3"
   }
 }

package/dist/auth/agent.authenticator.d.ts

@@ -1,12 +0,0 @@
-import { Authenticator } from "../interfaces";
-export declare class AgentAuthenticator implements Authenticator {
-    private readonly privateKey;
-    private accessToken;
-    private refreshToken;
-    private readonly onTokenRefreshed?;
-    private readonly endpoint;
-    constructor(endpoint: string, privateKey: string, accessToken: string, refreshToken: string, onTokenRefreshed?: ((accessToken: string, refreshToken: string) => void) | undefined);
-    getAccessToken(): Promise<string>;
-    private renewToken;
-    private generateDpopProof;
-}