@authress/login-react-native 0.0.0

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@authress/login-react-native",
+  "version": "0.0.0",
+  "description": "Authress authentication SDK for React Native. Implements the full OAuth 2.0+ flow with native mobile storage and deep link handling for iOS and Android.",
+  "type": "module",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "files": [
+    "src"
+  ],
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "import": "./src/index.ts"
+    }
+  },
+  "scripts": {
+    "build": "node make.js",
+    "lint": "eslint src tests",
+    "test": "vitest"
+  },
+  "peerDependencies": {
+    "react-native": ">=0.74.0",
+    "react-native-encrypted-storage": ">=4.0.0",
+    "react-native-nitro-cookies": ">=0.1.0",
+    "react-native-quick-crypto": ">=0.7.0"
+  },
+  "devDependencies": {
+    "@authress/eslint-config": "^2.0.18",
+    "@typescript-eslint/eslint-plugin": "^8.49.0",
+    "@typescript-eslint/parser": "^8.49.0",
+    "eslint": "^9.39.1",
+    "react-native-nitro-cookies": "^1.1.0",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.49.0",
+    "fs-extra": "^11.3.4",
+    "vitest": "^4.0.15"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Authress/authress-login-react-native"
+  },
+  "keywords": [
+    "authentication",
+    "react-native",
+    "OAuth2",
+    "PKCE",
+    "Authress",
+    "login",
+    "iOS",
+    "Android"
+  ],
+  "author": "Authress Developers <developers@authress.io> (https://authress.io)",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "eslint-plugin-import": "^2.32.0",
+    "js-base64": "^3.7.8",
+    "neverthrow": "^8.2.0"
+  }
+}

package/src/authStorageManager.ts

@@ -0,0 +1,142 @@
+import { ResultAsync } from 'neverthrow';
+import EncryptedStorage from 'react-native-encrypted-storage';
+import NitroCookies from 'react-native-nitro-cookies';
+
+const PENDING_AUTH_KEY = 'authress-pending-auth';
+const COOKIES_BACKUP_KEY = 'authress-cookies';
+
+export interface PendingAuthentication {
+  codeVerifier: string;
+  authenticationRequestId: string;
+  redirectUrl: string;
+}
+
+export class SecurityContextError extends Error {
+  readonly code = 'SecurityContextError' as const;
+  constructor(message: string) { super(message); this.name = 'SecurityContextError'; }
+}
+
+export interface StoredCookie {
+  name: string;
+  value: string;
+}
+
+type RawCookieEntry = { name: string; value: string };
+type RawCookieMap = Record<string, RawCookieEntry | RawCookieEntry[]>;
+
+/** Multiple API calls may each set the same cookie name on different paths. NitroCookies may return an array for that name — pick the last value set. */
+function lastValue(entry: RawCookieEntry | RawCookieEntry[] | undefined): string | null {
+  if (!entry) { return null; }
+  if (Array.isArray(entry)) { return entry[entry.length - 1]?.value ?? null; }
+  return entry.value ?? null;
+}
+
+/** Flatten a potentially-duplicated cookie map into a deduplicated name→value list, last value wins. */
+function deduplicateCookies(cookies: RawCookieMap): StoredCookie[] {
+  const seen = new Map<string, string>();
+  for (const raw of Object.values(cookies)) {
+    const entries = Array.isArray(raw) ? raw : [raw];
+    for (const e of entries) {
+      if (e?.name) { seen.set(e.name, e.value); }
+    }
+  }
+  return [...seen.entries()].map(([name, value]) => ({ name, value }));
+}
+
+class AuthStorageManager {
+  // ── PKCE state ──────────────────────────────────────────────────────────────
+
+  setAuthenticationRequest(state?: PendingAuthentication | null): ResultAsync<void, SecurityContextError> {
+    return ResultAsync.fromPromise(
+      state
+        ? EncryptedStorage.setItem(PENDING_AUTH_KEY, JSON.stringify(state))
+        : EncryptedStorage.removeItem(PENDING_AUTH_KEY),
+      e => new SecurityContextError(String(e))
+    );
+  }
+
+  getAuthenticationRequest(): ResultAsync<PendingAuthentication | null, never> {
+    return ResultAsync.fromSafePromise(
+      EncryptedStorage.getItem(PENDING_AUTH_KEY)
+        .then(raw => raw ? JSON.parse(raw) as PendingAuthentication : null)
+        .catch(() => null)
+    );
+  }
+
+  // ── cookies ─────────────────────────────────────────────────────────────────
+
+  backupCookies(url: string): ResultAsync<void, never> {
+    return ResultAsync.fromSafePromise(
+      NitroCookies.get(url)
+        .then(async cookies => {
+          const deduplicated = deduplicateCookies(cookies as RawCookieMap);
+          if (!deduplicated.length) {return;}
+          await EncryptedStorage.setItem(COOKIES_BACKUP_KEY, JSON.stringify(deduplicated));
+        })
+        .catch(() => {})
+    );
+  }
+
+  restoreCookies(url: string): ResultAsync<void, never> {
+    return ResultAsync.fromSafePromise(
+      (async () => {
+        const existing = await NitroCookies.get(url);
+        if (Object.keys(existing).length) {return;}
+
+        const raw = await EncryptedStorage.getItem(COOKIES_BACKUP_KEY);
+        if (!raw) {return;}
+
+        const cookies: StoredCookie[] = JSON.parse(raw);
+        await Promise.all(
+          cookies.map(c => NitroCookies.set(url, { name: c.name, value: c.value, path: '/', httpOnly: true, secure: true }))
+        );
+      })().catch(() => {})
+    );
+  }
+
+  getAuthorizationCookie(url: string): ResultAsync<string | null, never> {
+    return ResultAsync.fromSafePromise(
+      NitroCookies.get(url)
+        .then(cookies => lastValue((cookies as RawCookieMap).authorization))
+        .catch(() => null)
+    );
+  }
+
+  getUserCookie(url: string): ResultAsync<string | null, never> {
+    return ResultAsync.fromSafePromise(
+      NitroCookies.get(url)
+        .then(cookies => lastValue((cookies as RawCookieMap).user))
+        .catch(() => null)
+    );
+  }
+
+  getCookieBackups(): ResultAsync<StoredCookie[] | null, never> {
+    return ResultAsync.fromSafePromise(
+      EncryptedStorage.getItem(COOKIES_BACKUP_KEY)
+        .then(raw => raw ? JSON.parse(raw) as StoredCookie[] : null)
+        .catch(() => null)
+    );
+  }
+
+  // ── clear ───────────────────────────────────────────────────────────────────
+
+  /** Clears all native cookies for the given URL and removes all encrypted storage keys. */
+  clear(url: string): ResultAsync<void, never> {
+    return ResultAsync.fromSafePromise(
+      (async () => {
+        await EncryptedStorage.removeItem(COOKIES_BACKUP_KEY);
+        await EncryptedStorage.removeItem(PENDING_AUTH_KEY);
+        try {
+          const cookies = await NitroCookies.get(url);
+          await Promise.all(
+            Object.keys(cookies).map(name => NitroCookies.clearByName(url, name).catch(() => {}))
+          );
+        } catch (_) {
+          /* best effort */
+        }
+      })().catch(() => {})
+    );
+  }
+}
+
+export default new AuthStorageManager();

package/src/httpClient.ts

@@ -0,0 +1,165 @@
+import { Result, ResultAsync, ok, err } from 'neverthrow';
+import packageInfo from '../package.json' with { type: 'json' };
+
+const defaultHeaders: Record<string, string> = {
+  'Content-Type': 'application/json',
+  'X-Powered-By': `Authress Login SDK; React Native; ${packageInfo.version}`
+};
+
+export interface HttpResponse<T = unknown> {
+  url: string;
+  method: string;
+  status: number;
+  headers: Headers;
+  data: T;
+}
+
+/** Network or connectivity failure — the request never reached the Authress service. */
+export interface AuthressHttpNetworkError {
+  name: 'AuthressHttpNetworkError';
+  url: string;
+  method: string;
+  data: string;
+}
+
+/** The Authress service responded with a 4xx status — the client sent a bad request. */
+export interface AuthressHttpClientError {
+  name: 'AuthressHttpClientError';
+  url: string;
+  method: string;
+  status: number;
+  data: unknown;
+  headers: Headers;
+}
+
+/** The Authress service responded with a 5xx status — the service encountered an error. */
+export interface AuthressHttpServiceError {
+  name: 'AuthressHttpServiceError';
+  url: string;
+  method: string;
+  status: number;
+  data: unknown;
+  headers: Headers;
+}
+
+/** Any HTTP-level error — network failure, client error (4xx), or service error (5xx). */
+export type AuthressHttpError = AuthressHttpNetworkError | AuthressHttpClientError | AuthressHttpServiceError;
+
+export interface Logger {
+  debug(...args: unknown[]): void; // eslint-disable-line no-unused-vars
+  log(...args: unknown[]): void; // eslint-disable-line no-unused-vars
+  warn(...args: unknown[]): void; // eslint-disable-line no-unused-vars
+  error(...args: unknown[]): void; // eslint-disable-line no-unused-vars
+}
+
+function retryExecutor<T>(func: () => Promise<Result<T, AuthressHttpError>>): ResultAsync<T, AuthressHttpError> {
+  return new ResultAsync(
+    (async (): Promise<Result<T, AuthressHttpError>> => {
+      let lastNetworkError: AuthressHttpNetworkError | null = null;
+      for (let iteration = 0; iteration < 5; iteration++) {
+        const result = await func();
+        if (result.isOk()) {
+          return result;
+        }
+
+        if (result.error.name !== 'AuthressHttpNetworkError') {
+          return result; // 4xx or 5xx — don't retry
+        }
+
+        lastNetworkError = result.error;
+        await new Promise<void>(resolve => setTimeout(resolve, 10 * 2 ** iteration));
+      }
+      return err<AuthressHttpNetworkError>({ ...lastNetworkError!, name: 'AuthressHttpNetworkError', data: '[Authress Login SDK] Http Request failed due to a Network Error even after multiple retries' });
+    })()
+  );
+}
+
+class HttpClient {
+  private readonly loginUrl: string;
+  private readonly logger: Logger;
+
+  constructor(authressApiUrl: string, logger: Logger) {
+    if (!authressApiUrl) {
+      throw new Error('Custom Authress Domain Host is required');
+    }
+
+    this.logger = logger;
+    const loginHostFullUrl = new URL(authressApiUrl);
+    this.loginUrl = `${loginHostFullUrl.origin}/api`;
+  }
+
+  get<T = unknown>(path: string, headers?: Record<string, string>, ignoreExpectedWarnings?: boolean): ResultAsync<HttpResponse<T>, AuthressHttpError> {
+    return retryExecutor(() => this.fetchWrapper<T>('GET', path, undefined, headers, ignoreExpectedWarnings));
+  }
+
+  delete<T = unknown>(path: string, headers?: Record<string, string>, ignoreExpectedWarnings?: boolean): ResultAsync<HttpResponse<T>, AuthressHttpError> {
+    return retryExecutor(() => this.fetchWrapper<T>('DELETE', path, undefined, headers, ignoreExpectedWarnings));
+  }
+
+  post<T = unknown>(path: string, data?: unknown, headers?: Record<string, string>, ignoreExpectedWarnings?: boolean): ResultAsync<HttpResponse<T>, AuthressHttpError> {
+    return retryExecutor(() => this.fetchWrapper<T>('POST', path, data, headers, ignoreExpectedWarnings));
+  }
+
+  put<T = unknown>(path: string, data?: unknown, headers?: Record<string, string>, ignoreExpectedWarnings?: boolean): ResultAsync<HttpResponse<T>, AuthressHttpError> {
+    return retryExecutor(() => this.fetchWrapper<T>('PUT', path, data, headers, ignoreExpectedWarnings));
+  }
+
+  patch<T = unknown>(path: string, data?: unknown, headers?: Record<string, string>, ignoreExpectedWarnings?: boolean): ResultAsync<HttpResponse<T>, AuthressHttpError> {
+    return retryExecutor(() => this.fetchWrapper<T>('PATCH', path, data, headers, ignoreExpectedWarnings));
+  }
+
+  private async fetchWrapper<T = unknown>(rawMethod: string, path: string, data: unknown, requestHeaders?: Record<string, string>, ignoreExpectedWarnings?: boolean):
+    Promise<Result<HttpResponse<T>, AuthressHttpError>> {
+    const url = `${this.loginUrl}${path}`;
+    const method = rawMethod.toUpperCase();
+    const headers = Object.assign({}, defaultHeaders, requestHeaders);
+
+    this.logger.debug({ title: '[Authress Login SDK] HttpClient Request', method, url });
+
+    let response: Response;
+    try {
+      const init: RequestInit = { method, headers, credentials: 'include' };
+      if (data !== undefined) {
+        init.body = JSON.stringify(data);
+      }
+      response = await fetch(url, init);
+    } catch (error: unknown) {
+      return err<AuthressHttpNetworkError>({ name: 'AuthressHttpNetworkError', url, method, data: (error as Error)?.message ?? '' });
+    }
+
+    if (!response.ok) {
+      let resolvedError: unknown = {};
+      try {
+        resolvedError = await response.text();
+        resolvedError = JSON.parse(resolvedError as string);
+      } catch (_) {
+        /* non-JSON response — resolvedError remains the raw text string */
+      }
+
+      const status = response.status;
+      let level: 'debug' | 'warn' = 'warn';
+      if (status === 401 || status === 404) {
+        level = 'debug';
+      } else if (status < 500 && ignoreExpectedWarnings) {
+        level = 'debug';
+      }
+
+      this.logger[level]({ title: '[Authress Login SDK] HttpClient Response Error', method, url, status, data, headers, error: resolvedError });
+      return status >= 500
+        ? err<AuthressHttpServiceError>({ name: 'AuthressHttpServiceError', url, method, status, data: resolvedError, headers: response.headers })
+        : err<AuthressHttpClientError>({ name: 'AuthressHttpClientError', url, method, status, data: resolvedError, headers: response.headers });
+    }
+
+    let responseBody: unknown = {};
+    try {
+      responseBody = await response.text();
+      responseBody = JSON.parse(responseBody as string);
+    } catch (_) {
+      /* non-JSON response — responseBody remains the raw text string */
+    }
+
+    return ok({ url, method, status: response.status, headers: response.headers, data: responseBody as T });
+  }
+}
+
+export default HttpClient;

package/src/index.ts

@@ -0,0 +1,24 @@
+export { LoginClient } from './loginClient.ts';
+export type {
+  Settings,
+  AuthenticateResponse,
+  AuthenticationParameters,
+  LinkIdentityParameters,
+  UserIdentity,
+  UserProfile,
+  LinkedIdentity,
+  LinkedIdentityConnection,
+  TokenParameters,
+  Device,
+  AuthFlowError
+} from './types.ts';
+export {
+  TokenTimeoutError,
+  NoAuthenticationRequestInProgressError,
+  AuthenticationRequestMismatchError,
+  NotLoggedInError,
+  InvalidConnectionError
+} from './types.ts';
+export type { Logger, AuthressHttpNetworkError, AuthressHttpClientError, AuthressHttpServiceError, AuthressHttpError } from './httpClient.ts';
+export { SecurityContextError } from './authStorageManager.ts';
+export type { StoredCookie } from './authStorageManager.ts';

package/src/jwtManager.ts

@@ -0,0 +1,101 @@
+import { toBase64, fromBase64 } from 'js-base64';
+import crypto from 'react-native-quick-crypto';
+
+function b64urlEncode(input: string | ArrayBuffer | Uint8Array): string {
+  if (input instanceof ArrayBuffer || input instanceof Uint8Array) {
+    return toBase64(new Uint8Array(input instanceof ArrayBuffer ? input : input.buffer), true);
+  }
+  return toBase64(input, true);
+}
+
+function b64urlDecode(input: string): string {
+  return fromBase64(input);
+}
+
+interface JwtPayload {
+  exp?: number;
+  [key: string]: unknown;
+}
+
+interface DecodedJwt {
+  header: Record<string, unknown> | null;
+  payload: JwtPayload;
+}
+
+class JwtManager {
+  decode(token: string): JwtPayload | null {
+    if (!token) {
+      return null;
+    }
+    return this.decodeFull(token)?.payload ?? null;
+  }
+
+  decodeOrParse(token: string | object): JwtPayload | object | null {
+    if (!token) {
+      return null;
+    }
+    if (typeof token === 'object') {
+      return token;
+    }
+    try {
+      return JSON.parse(token);
+    } catch (_) {
+      return this.decode(token);
+    }
+  }
+
+  decodeFull(token: string): DecodedJwt | null {
+    if (!token) {
+      return null;
+    }
+
+    let header: Record<string, unknown> | null = null;
+    try {
+      header = JSON.parse(b64urlDecode(token.split('.')[0]));
+    } catch (_) {
+      // Header errors are non-fatal
+    }
+
+    try {
+      const payload: JwtPayload = JSON.parse(b64urlDecode(token.split('.')[1]));
+      if (payload.exp) {
+        payload.exp = payload.exp - 10;
+      }
+      return { header, payload };
+    } catch (_) {
+      return null;
+    }
+  }
+
+  async getAuthCodes(): Promise<{ codeVerifier: string; codeChallenge: string }> {
+    const codeVerifier = b64urlEncode(crypto.getRandomValues(new Uint32Array(16)).toString());
+    const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier));
+    const codeChallenge = b64urlEncode(hashBuffer);
+    return { codeVerifier, codeChallenge };
+  }
+
+  async calculateAntiAbuseHash(props: Record<string, unknown>): Promise<string> {
+    const timestamp = Date.now();
+    const valueString = Object.values(props)
+      .filter(v => v)
+      .map(v => {
+        if (!v || typeof v !== 'object' || Array.isArray(v)) {
+          return v;
+        }
+        return Object.keys(v as object).sort((a, b) => a.localeCompare(b)).map(key => (v as Record<string, unknown>)[key]).join('-');
+      })
+      .join('|');
+
+    let fineTuner = 0;
+    while (++fineTuner) {
+      const hash = b64urlEncode(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(`${timestamp};${fineTuner};${valueString}`)));
+      if (hash.match(/^00/)) {
+        return `v2;${timestamp};${fineTuner};${hash}`;
+      }
+    }
+
+    throw new Error('HashFailed');
+  }
+}
+
+export default new JwtManager();