@bagelink/auth 1.7.72 → 1.7.76

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@bagelink/auth",
   "type": "module",
-  "version": "1.7.72",
+  "version": "1.7.76",
   "description": "Bagelink auth package",
   "author": {
     "name": "Bagel Studio",

package/src/index.ts

@@ -14,17 +14,25 @@ export { default as ForgotPasswordPage } from './pages/ForgotPasswordPage.vue'
 export { default as LoginPage } from './pages/LoginPage.vue'
 export { default as ResetPasswordPage } from './pages/ResetPasswordPage.vue'
 export { default as SignupPage } from './pages/SignupPage.vue'
+
+// Redirect utilities
+export * from './redirect'
+
+// Router integration
+export * from './router'
+
 // Routes
 export * from './routes'
 export * from './sso'
 
-// Types (re-export from types file and module)
+// Types (	e-export fro	 types file and modu	e)
 export * from './types'
-
 export type {
 	ForgotPasswordTexts,
 	LoginTexts,
 	ResetPasswordTexts,
 	SignupTexts,
 } from './types/'
+
+export * from './types/redirect'
 export * from './useAuth'

package/src/redirect.ts

@@ -0,0 +1,95 @@
+import type { Router } from 'vue-router'
+import type { NormalizedRedirectConfig } from './types/redirect'
+
+/**
+ * Redirect utilities for handling post-authentication navigation
+ */
+
+/**
+ * Get redirect URL from current route query params
+ */
+export function getRedirectUrl(
+	router: Router,
+	config: NormalizedRedirectConfig,
+): string {
+	const redirect = router.currentRoute.value.query[config.queryKey] as string
+	return redirect || config.fallback
+}
+
+/**
+ * Validate redirect URL is safe (prevents open redirect attacks)
+ */
+export function isValidRedirect(
+	redirectUrl: string,
+	allowedPaths?: RegExp[],
+): boolean {
+	// Null or empty check
+	if (!redirectUrl) {
+		return false
+	}
+
+	// Prevent redirects to external URLs (absolute URLs with protocol)
+	if (redirectUrl.startsWith('http://') || redirectUrl.startsWith('https://')) {
+		return false
+	}
+
+	// Prevent protocol-relative URLs
+	if (redirectUrl.startsWith('//')) {
+		return false
+	}
+
+	// Prevent javascript: and data: URLs
+	if (redirectUrl.startsWith('javascript:') || redirectUrl.startsWith('data:')) {
+		return false
+	}
+
+	// Ensure it starts with /
+	if (!redirectUrl.startsWith('/')) {
+		return false
+	}
+
+	// If allowed paths are specified, check against them
+	if (allowedPaths && allowedPaths.length > 0) {
+		return allowedPaths.some(pattern => pattern.test(redirectUrl))
+	}
+
+	return true
+}
+
+/**
+ * Perform redirect after login with security validation
+ */
+export async function performRedirect(
+	router: Router,
+	config: NormalizedRedirectConfig,
+): Promise<void> {
+	const redirect = getRedirectUrl(router, config)
+
+	// Always validate redirect URL for security
+	if (redirect !== config.fallback && !isValidRedirect(redirect, config.allowedPaths)) {
+		console.warn('[Auth] Invalid redirect URL detected, using fallback:', redirect)
+		await router.push(config.fallback)
+		return
+	}
+
+	await router.push(redirect)
+}
+
+/**
+ * Build query params for redirect to login
+ */
+export function buildLoginQuery(
+	currentPath: string,
+	config: NormalizedRedirectConfig,
+): Record<string, string> {
+	if (!config.preserveRedirect) {
+		return {}
+	}
+
+	// Validate the current path before storing it
+	if (isValidRedirect(currentPath, config.allowedPaths)) {
+		return { [config.queryKey]: currentPath }
+	}
+
+	return {}
+}

package/src/router.ts

@@ -0,0 +1,129 @@
+import type { NavigationGuard, NavigationGuardNext, RouteLocationNormalized } from 'vue-router'
+import { buildLoginQuery } from './redirect'
+import { useAuth, getRedirectConfig } from './useAuth'
+
+/**
+ * Auth router integration for Vue Router
+ */
+
+// Track if auth has been initialized (for performance)
+let authInitialized = false
+
+/**
+ * Reset auth initialization state
+ * Useful for testing or app reload scenarios
+ */
+export function resetAuthState() {
+	authInitialized = false
+}
+
+/**
+ * Auth guard for Vue Router
+ *
+ * Protects routes requiring authentication and handles redirect logic.
+ * Reads configuration from the auth instance created via createAuth().
+ *
+ * @example
+ * ```ts
+ * const auth = createAuth({
+ *   baseURL: 'https://api.example.com',
+ *   redirect: { ... }
+ * })
+ * router.beforeEach(authGuard())
+ * ```
+ */
+export function authGuard() {
+	return async function guard(
+
+		to: RouteLocationNormalized,
+		_from: RouteLocationNormalized,
+		next: NavigationGuardNext,
+	): Promise<void> {
+		const auth = useAuth()
+		const config = getRedirectConfig()
+
+		// Check if route requires authentication
+		const requiresAuth = to.meta[config.authMetaKey]
+
+		// Check if route is an auth-only page (login, signup, etc)
+		const requiresNoAuth = config.noAuthRoutes.includes(to.name as string)
+
+		try {
+			// Only check auth once on first navigation for performance
+			if (!authInitialized) {
+				await auth.checkAuth()
+				authInitialized = true
+			}
+
+			// Use cached auth state from reactive user ref
+			const isAuthenticated = !!auth.user.value
+
+			// Redirect authenticated users away from auth pages
+			if (isAuthenticated && requiresNoAuth) {
+				next(config.authenticatedRedirect)
+				return
+			}
+
+			// Redirect unauthenticated users to login for protected pages
+			if (!isAuthenticated && requiresAuth) {
+				const query = buildLoginQuery(to.fullPath, config)
+
+				next({
+					name: config.loginRoute,
+					query,
+				})
+				return
+			}
+
+			// Allow navigation
+			next()
+		} catch (error) {
+			console.error('[Auth Guard] Error:', error)
+			// On error, allow navigation but log the issue
+			next()
+		}
+	}
+}
+
+/**
+ * Compose multiple navigation guards into one
+ * Guards are executed in order, stopping at the first one that calls next with a value
+ *
+ * @example
+ * ```ts
+ * router.beforeEach(composeGuards([
+ *   authGuard(),
+ *   orgAccessGuard(),
+ *   featureFlagGuard(),
+ * ]))
+ * ```
+ */
+export function composeGuards(guards: NavigationGuard[]): NavigationGuard {
+	return async (to, from, next) => {
+		let guardIndex = 0
+
+		const runNextGuard = async (): Promise<void> => {
+			if (guardIndex >= guards.length) {
+				// All guards passed, allow navigation
+				next()
+				return
+			}
+
+			const guard = guards[guardIndex]
+			guardIndex++
+
+			// Run the current guard
+			await guard(to, from, (result?: any) => {
+				if (result !== undefined) {
+					// Guard blocked or redirected, stop here
+					next(result)
+				} else {
+					// Guard passed, run next guard
+					runNextGuard()
+				}
+			})
+		}
+
+		await runNextGuard()
+	}
+}

package/src/types/redirect.ts

@@ -0,0 +1,96 @@
+/**
+ * Redirect configuration types for auth library
+ */
+
+export interface RedirectConfig {
+	/**
+	 * Query parameter key used to store the redirect URL
+	 * After login, read this param to redirect users back to their intended destination
+	 * @default 'redirect'
+	 */
+	queryKey?: string
+
+	/**
+	 * Default fallback URL when no redirect is specified
+	 * @default '/'
+	 */
+	fallback?: string
+
+	/**
+	 * Routes that require NO authentication (login, signup, forgot password, etc)
+	 * Authenticated users will be automatically redirected away from these pages
+	 * @default ['Login', 'Signup', 'ForgotPassword', 'ResetPassword', 'Callback']
+	 */
+	noAuthRoutes?: string[]
+
+	/**
+	 * Route name to redirect to when authenticated users try to access auth-only pages
+	 * @default '/'
+	 */
+	authenticatedRedirect?: string
+
+	/**
+	 * Route name to redirect to when unauthenticated users try to access protected pages
+	 * @default 'Login'
+	 */
+	loginRoute?: string
+
+	/**
+	 * Meta key used to check if a route requires authentication
+	 * @default 'auth'
+	 * @example In your route: `meta: { auth: true }`
+	 */
+	authMetaKey?: string
+
+	/**
+	 * Enable automatic redirect handling after login
+	 * When true, the library automatically redirects users after successful login
+	 * @default true
+	 */
+	autoRedirect?: boolean
+
+	/**
+	 * Enable redirect preservation for protected routes
+	 * When enabled, the original URL is preserved as a query param after redirecting to login
+	 * @default true
+	 */
+	preserveRedirect?: boolean
+
+	/**
+	 * Optional allowed redirect path patterns for security validation
+	 * If specified, only URLs matching these patterns will be allowed
+	 * @default undefined (allows all internal paths)
+	 */
+	allowedPaths?: RegExp[]
+}
+
+/**
+ * Normalized redirect configuration with all defaults applied
+ */
+export interface NormalizedRedirectConfig extends Required<Omit<RedirectConfig, 'allowedPaths'>> {
+	allowedPaths?: RegExp[]
+}
+
+/**
+ * Default redirect configuration
+ */
+export const DEFAULT_REDIRECT_CONFIG: NormalizedRedirectConfig = {
+	queryKey: 'redirect',
+	fallback: '/',
+	noAuthRoutes: ['Login', 'Signup', 'ForgotPassword', 'ResetPassword', 'Callback'],
+	authenticatedRedirect: '/',
+	loginRoute: 'Login',
+	authMetaKey: 'auth',
+	autoRedirect: true,
+	preserveRedirect: true,
+}
+
+/**
+ * Normalize redirect configuration by applying defaults
+ */
+export function normalizeRedirectConfig(config?: RedirectConfig): NormalizedRedirectConfig {
+	return {
+		...DEFAULT_REDIRECT_CONFIG,
+		...config,
+	}
+}

package/src/useAuth.ts

@@ -11,19 +11,40 @@ import type {
 	SSOCallbackRequest,
 	SSOLinkRequest,
 } from './types'
+import type { RedirectConfig, NormalizedRedirectConfig } from './types/redirect'
 import { ref, computed } from 'vue'
 import { AuthApi } from './api'
 import { setAuthContext, sso } from './sso'
 import { AuthState, accountToUser } from './types'
+import { normalizeRedirectConfig } from './types/redirect'
 import { EventEmitter } from './utils'
 
 // Global state
 let authApi: AuthApi | null = null
 let eventEmitter: EventEmitter | null = null
+let redirectConfig: NormalizedRedirectConfig | null = null
+let autoRedirectRouter: any = null // Router instance for auto-redirect
+let cachedAuthGuard: any = null // Cached router guard
 const accountInfo = ref<AccountInfo | null>(null)
 
 interface InitParams {
 	baseURL: string
+	/**
+	 * Redirect configuration for authentication flows
+	 * @see RedirectConfig
+	 */
+	redirect?: RedirectConfig
+}
+
+/**
+ * Get the current redirect configuration
+ * Used internally by router guard
+ */
+export function getRedirectConfig(): NormalizedRedirectConfig {
+	if (!redirectConfig) {
+		throw new Error('Redirect config not initialized. Did you call createAuth with redirect config?')
+	}
+	return redirectConfig
 }
 
 // Initialize auth
@@ -36,7 +57,17 @@ export function createAuth(params: InitParams) {
 		eventEmitter = new EventEmitter()
 	}
 
-	return {
+	// Store redirect configuration
+	if (params.redirect) {
+		redirectConfig = normalizeRedirectConfig(params.redirect)
+	}
+
+	// Setup auto-redirect on login if enabled
+	if (redirectConfig?.autoRedirect) {
+		setupAutoRedirect()
+	}
+
+	const authInstance = {
 		// Event listener methods
 		on<K extends AuthState>(event: K, handler: AuthEventMap[K]): void {
 			if (eventEmitter) {
@@ -56,11 +87,107 @@ export function createAuth(params: InitParams) {
 			}
 		},
 
+		/**
+		 * Connect external dependencies like Vue Router
+		 * Automatically sets up router guard when router is provided
+		 * @param dependency - Vue Router instance or other plugins
+		 * @param options - Configuration options
+		 * @param options.guard - Whether to automatically set up auth guard (default: true)
+		 * @example
+		 * ```ts
+		 * // Auto setup (default)
+		 * auth.use(router)
+		 *
+		 * // Manual guard control (for custom composition)
+		 * auth.use(router, { guard: false })
+		 * router.beforeEach(async (to, from, next) => {
+		 *   // Custom logic first
+		 *   if (!hasOrgAccess(to)) return next('/no-access')
+		 *   // Then run auth guard
+		 *   return auth.routerGuard()(to, from, next)
+		 * })
+		 * ```
+		 */
+		use(dependency: any, options: { guard?: boolean } = {}) {
+			const { guard = true } = options
+
+			// Detect if it's a router by checking for common router properties
+			if (dependency && (dependency.beforeEach || dependency.push || dependency.currentRoute)) {
+				autoRedirectRouter = dependency
+				// Automatically set up the auth guard unless disabled
+				if (guard) {
+					dependency.beforeEach(authInstance.routerGuard())
+				}
+			}
+			return authInstance
+		},
+
+		/**
+		 * Create a Vue Router navigation guard for authentication
+		 * Protects routes requiring authentication and handles redirect logic
+		 * Note: Automatically called by auth.use(router), only use directly for custom setups
+		 * @example
+		 * ```ts
+		 * // Automatic (recommended)
+		 * auth.use(router)
+		 *
+		 * // Manual (for custom setups)
+		 * router.beforeEach(auth.routerGuard())
+		 * ```
+		 */
+		routerGuard() {
+			// Return factory that lazily loads authGuard to avoid circular dependency
+			if (cachedAuthGuard === null) {
+				cachedAuthGuard = async (to: any, from: any, next: any) => {
+					const { authGuard } = await import('./router')
+					const guard = authGuard()
+					// Cache the actual guard for next time
+					cachedAuthGuard = guard
+					return guard(to, from, next)
+				}
+			}
+			return cachedAuthGuard
+		},
+
+		/**
+		 * Vue plugin install method
+		 * Makes auth available globally as $auth
+		 * @example
+		 * ```ts
+		 * app.use(auth)
+		 * ```
+		 */
 		install(app: App) {
 			// Make auth available globally
 			app.config.globalProperties.$auth = useAuth()
 		},
 	}
+
+	return authInstance
+}
+
+/**
+ * Setup automatic redirect after successful login
+ */
+function setupAutoRedirect() {
+	if (!eventEmitter || !redirectConfig) return
+
+	eventEmitter.on(AuthState.LOGIN, async () => {
+		// Only auto-redirect if router is available
+		if (!autoRedirectRouter) {
+			console.warn('[Auth] Auto-redirect enabled but router not set. Call setAuthRouter(router) in your app setup.')
+			return
+		}
+
+		// Dynamic import to avoid circular dependency
+		const { performRedirect } = await import('./redirect')
+
+		try {
+			await performRedirect(autoRedirectRouter, redirectConfig!)
+		} catch (error) {
+			console.error('[Auth] Auto-redirect error:', error)
+		}
+	})
 }
 
 // Composable