@bagelink/auth 1.7.94 → 1.7.98

package/src/api.ts

@@ -37,17 +37,33 @@ import type {
 	SSOCallbackResponse,
 	SSOLinkResponse,
 	SSOUnlinkResponse,
+	GetTenantsResponse,
 } from './types'
 import { createAxiosInstance } from './utils'
 
 export class AuthApi {
 	private api: AxiosInstance
+	private currentTenantId: string | null = null
 
 	constructor(baseURL: string = '') {
 		this.api = createAxiosInstance(baseURL)
 		this.setupInterceptors()
 	}
 
+	/**
+	 * Set the current tenant ID for multi-tenant requests
+	 */
+	setTenantId(tenantId: string | null) {
+		this.currentTenantId = tenantId
+	}
+
+	/**
+	 * Get the current tenant ID
+	 */
+	getTenantId(): string | null {
+		return this.currentTenantId
+	}
+
 	private setupInterceptors() {
 		this.api.interceptors.request.use((config: InternalAxiosRequestConfig) => {
 			// Handle password reset token from URL
@@ -56,6 +72,12 @@ export class AuthApi {
 			if (resetToken !== null) {
 				config.headers['X-Reset-Token'] = resetToken
 			}
+
+			// Add tenant ID header if set
+			if (this.currentTenantId !== null) {
+				config.headers['X-Tenant-ID'] = this.currentTenantId
+			}
+
 			return config
 		})
 	}
@@ -68,14 +90,14 @@ export class AuthApi {
 	 * Get available authentication methods
 	 */
 	async getAuthMethods(): Promise<GetMethodsResponse> {
-		return this.api.get('/authentication/methods')
+		return this.api.get('authentication/methods')
 	}
 
 	/**
 	 * Register a new account
 	 */
 	async register(data: RegisterRequest): Promise<RegisterResponse> {
-		return this.api.post('/authentication/register', {
+		return this.api.post('authentication/register', {
 			...data,
 			email: data.email.toLowerCase(),
 		})
@@ -85,7 +107,7 @@ export class AuthApi {
 	 * Login with password
 	 */
 	async login(email: string, password: string): Promise<LoginResponse> {
-		return this.api.post('/authentication/login/password', {
+		return this.api.post('authentication/login/password', {
 			email: email.toLowerCase(),
 			password,
 		})
@@ -95,14 +117,14 @@ export class AuthApi {
 	 * Logout and clear session
 	 */
 	async logout(): Promise<LogoutResponse> {
-		return this.api.post('/authentication/logout', {})
+		return this.api.post('authentication/logout', {})
 	}
 
 	/**
 	 * Refresh current session
 	 */
 	async refreshSession(): Promise<RefreshSessionResponse> {
-		return this.api.post('/authentication/refresh', {})
+		return this.api.post('authentication/refresh', {})
 	}
 
 	// ============================================
@@ -114,7 +136,7 @@ export class AuthApi {
 	 * Returns authorization URL to redirect user to
 	 */
 	async initiateSSO(data: SSOInitiateRequest): Promise<SSOInitiateResponse> {
-		return this.api.post(`/authentication/sso/${data.provider}/initiate`, {
+		return this.api.post(`authentication/sso/${data.provider}/initiate`, {
 			redirect_uri: data.redirect_uri,
 			state: data.state,
 		})
@@ -124,7 +146,7 @@ export class AuthApi {
 	 * Complete SSO login after callback from provider
 	 */
 	async ssoCallback(data: SSOCallbackRequest): Promise<SSOCallbackResponse> {
-		return this.api.post(`/authentication/sso/${data.provider}/callback`, {
+		return this.api.post(`authentication/sso/${data.provider}/callback`, {
 			code: data.code,
 			state: data.state,
 		})
@@ -134,7 +156,7 @@ export class AuthApi {
 	 * Link an SSO provider to existing account
 	 */
 	async linkSSOProvider(data: SSOLinkRequest): Promise<SSOLinkResponse> {
-		return this.api.post(`/authentication/sso/${data.provider}/link`, {
+		return this.api.post(`authentication/sso/${data.provider}/link`, {
 			code: data.code,
 			state: data.state,
 		})
@@ -144,7 +166,7 @@ export class AuthApi {
 	 * Unlink an SSO provider from account
 	 */
 	async unlinkSSOProvider(provider: SSOProvider): Promise<SSOUnlinkResponse> {
-		return this.api.delete(`/authentication/sso/${provider}/unlink`)
+		return this.api.delete(`authentication/sso/${provider}/unlink`)
 	}
 
 	// ============================================
@@ -155,21 +177,21 @@ export class AuthApi {
 	 * Get current user account info
 	 */
 	async getCurrentUser(): Promise<GetMeResponse> {
-		return this.api.get('/authentication/me')
+		return this.api.get('authentication/me')
 	}
 
 	/**
 	 * Update current user profile
 	 */
 	async updateCurrentUser(data: UpdateAccountRequest): Promise<UpdateMeResponse> {
-		return this.api.patch('/authentication/me', data)
+		return this.api.patch('authentication/me', data)
 	}
 
 	/**
 	 * Delete current user account
 	 */
 	async deleteCurrentUser(): Promise<DeleteMeResponse> {
-		return this.api.delete('/authentication/me')
+		return this.api.delete('authentication/me')
 	}
 
 	// ============================================
@@ -180,7 +202,7 @@ export class AuthApi {
 	 * Get account information by ID
 	 */
 	async getAccount(accountId: string): Promise<GetAccountResponse> {
-		return this.api.get(`/authentication/account/${accountId}`)
+		return this.api.get(`authentication/account/${accountId}`)
 	}
 
 	/**
@@ -190,21 +212,21 @@ export class AuthApi {
 		accountId: string,
 		data: UpdateAccountRequest
 	): Promise<UpdateAccountResponse> {
-		return this.api.patch(`/authentication/account/${accountId}`, data)
+		return this.api.patch(`authentication/account/${accountId}`, data)
 	}
 
 	/**
 	 * Delete account by ID
 	 */
 	async deleteAccount(accountId: string): Promise<DeleteAccountResponse> {
-		return this.api.delete(`/authentication/account/${accountId}`)
+		return this.api.delete(`authentication/account/${accountId}`)
 	}
 
 	/**
 	 * Activate account by ID
 	 */
 	async activateAccount(accountId: string): Promise<ActivateAccountResponse> {
-		return this.api.post(`/authentication/account/${accountId}/activate`, {})
+		return this.api.post(`authentication/account/${accountId}/activate`, {})
 	}
 
 	/**
@@ -213,7 +235,7 @@ export class AuthApi {
 	async deactivateAccount(
 		accountId: string
 	): Promise<DeactivateAccountResponse> {
-		return this.api.post(`/authentication/account/${accountId}/deactivate`, {})
+		return this.api.post(`authentication/account/${accountId}/deactivate`, {})
 	}
 
 	// ============================================
@@ -224,14 +246,14 @@ export class AuthApi {
 	 * Change password (requires current password)
 	 */
 	async changePassword(data: ChangePasswordRequest): Promise<ChangePasswordResponse> {
-		return this.api.post('/authentication/password/change', data)
+		return this.api.post('authentication/password/change', data)
 	}
 
 	/**
 	 * Initiate forgot password flow
 	 */
 	async forgotPassword(email: string): Promise<ForgotPasswordResponse> {
-		return this.api.post('/authentication/password/forgot', {
+		return this.api.post('authentication/password/forgot', {
 			email: email.toLowerCase(),
 		})
 	}
@@ -240,14 +262,14 @@ export class AuthApi {
 	 * Verify password reset token
 	 */
 	async verifyResetToken(token: string): Promise<VerifyResetTokenResponse> {
-		return this.api.get(`/authentication/password/verify-reset-token/${token}`)
+		return this.api.get(`authentication/password/verify-reset-token/${token}`)
 	}
 
 	/**
 	 * Reset password with token
 	 */
 	async resetPassword(data: ResetPasswordRequest): Promise<ResetPasswordResponse> {
-		return this.api.post('/authentication/password/reset', data)
+		return this.api.post('authentication/password/reset', data)
 	}
 
 	// ============================================
@@ -261,7 +283,7 @@ export class AuthApi {
 		data: SendVerificationRequest = {},
 		user?: AuthenticationAccount
 	): Promise<SendVerificationResponse> {
-		return this.api.post('/authentication/verify/send', data, {
+		return this.api.post('authentication/verify/send', data, {
 			params: user ? { user } : undefined,
 		})
 	}
@@ -270,7 +292,7 @@ export class AuthApi {
 	 * Verify email with token
 	 */
 	async verifyEmail(token: string): Promise<VerifyEmailResponse> {
-		return this.api.post('/authentication/verify/email', { token })
+		return this.api.post('authentication/verify/email', { token })
 	}
 
 	// ============================================
@@ -281,27 +303,38 @@ export class AuthApi {
 	 * Get sessions for an account
 	 */
 	async getSessions(accountId: string): Promise<GetSessionsResponse> {
-		return this.api.get(`/authentication/sessions/${accountId}`)
+		return this.api.get(`authentication/sessions/${accountId}`)
 	}
 
 	/**
 	 * Revoke a specific session
 	 */
 	async revokeSession(sessionToken: string): Promise<DeleteSessionResponse> {
-		return this.api.delete(`/authentication/sessions/${sessionToken}`)
+		return this.api.delete(`authentication/sessions/${sessionToken}`)
 	}
 
 	/**
 	 * Revoke all sessions for an account
 	 */
 	async revokeAllSessions(accountId: string): Promise<DeleteAllSessionsResponse> {
-		return this.api.delete(`/authentication/sessions/account/${accountId}`)
+		return this.api.delete(`authentication/sessions/account/${accountId}`)
 	}
 
 	/**
 	 * Cleanup expired sessions (admin)
 	 */
 	async cleanupSessions(): Promise<CleanupSessionsResponse> {
-		return this.api.post('/authentication/cleanup-sessions', {})
+		return this.api.post('authentication/cleanup-sessions', {})
+	}
+
+	// ============================================
+	// Multi-Tenancy Methods
+	// ============================================
+
+	/**
+	 * Get list of tenants the authenticated user belongs to
+	 */
+	async getTenants(): Promise<GetTenantsResponse> {
+		return this.api.get('tenants')
 	}
 }

package/src/types.ts

@@ -34,13 +34,33 @@ export interface AuthEventMap {
 // Core Types
 // ============================================
 
-export type AuthenticationAccountType = 'person' | 'entity' | 'service'
+// Note: All accounts are "identity" accounts. An identity may be linked to a person or not.
+export type AuthenticationAccountType = 'identity' | string
 
-export type AuthenticationMethodType =
-	| 'password'
-	| 'email_token'
-	| 'sso'
-	| 'otp'
+// ============================================
+// Multi-Tenancy Types
+// ============================================
+
+export type TenantStatus = 'active' | 'suspended' | 'archived'
+
+export interface TenantInfo {
+	id: string
+	name: string
+	slug: string
+	parent_id: string | null
+	settings: Record<string, any> | null
+	status: TenantStatus
+	suspended_at: string | null
+	suspended_reason: string | null
+	created_at: string
+	updated_at: string
+}
+
+export type AuthenticationMethodType
+	= | 'password'
+		| 'email_token'
+		| 'sso'
+		| 'otp'
 
 export type SSOProvider = 'google' | 'microsoft' | 'github' | 'okta' | 'apple' | 'facebook'
 
@@ -63,11 +83,11 @@ export interface AuthenticationAccount {
 export interface PersonInfo {
 	id: string
 	name: string
-	email?: string
-	phone?: string
-	roles: string[]
 	first_name: string
 	last_name: string
+	email?: string | null
+	phone_number?: string | null
+	roles: string[]
 }
 
 export interface AuthMethodInfo {
@@ -87,12 +107,13 @@ export interface AccountInfo {
 	display_name: string
 	is_active: boolean
 	is_verified: boolean
-	last_login?: string
+	last_login?: string | null
 	authentication_methods: AuthMethodInfo[]
-	person?: PersonInfo
-	entity?: EntityInfo
+	person?: PersonInfo | null
 }
 
+// Note: EntityInfo kept for backward compatibility
+// Current API no longer returns entity in AccountInfo
 export interface EntityInfo {
 	id: string
 	name: string
@@ -114,21 +135,21 @@ export interface SessionInfo {
 // ============================================
 
 /**
- * Unified user representation that works for both person and entity accounts
- * This is the primary interface for accessing user data in the application
+ * Unified user representation
+ * All accounts are "identity" accounts that may be linked to a person
  */
 export interface User {
-	/** Unique identifier (person_id or entity_id) */
+	/** Unique identifier (person_id if linked, otherwise identity_id) */
 	id: string
-	/** Account ID */
+	/** Identity/Account ID */
 	accountId: string
 	/** Display name */
 	name: string
 	/** Email address (from person or authentication methods) */
 	email?: string
-	/** Account type: 'person', 'entity', or 'service' */
+	/** Account type (always 'identity') */
 	type: AuthenticationAccountType
-	/** User roles (only for person accounts) */
+	/** User roles (only when linked to person) */
 	roles?: string[]
 	/** Is the account active */
 	isActive: boolean
@@ -136,12 +157,10 @@ export interface User {
 	isVerified: boolean
 	/** Last login timestamp */
 	lastLogin?: string
-	/** Entity-specific info (only for entity accounts) */
-	entityType?: string
-	/** Additional metadata */
-	metadata?: Record<string, any>
-	/** Person-specific info (only for person accounts) */
+	/** Person info (if identity is linked to a person) */
 	person?: PersonInfo
+	/** Whether identity is linked to a person */
+	hasPersonLinked: boolean
 }
 
 // ============================================
@@ -302,6 +321,7 @@ export type SSOInitiateResponse = AxiosResponse<{ authorization_url: string }>
 export type SSOCallbackResponse = AxiosResponse<AuthenticationResponse>
 export type SSOLinkResponse = AxiosResponse<MessageResponse>
 export type SSOUnlinkResponse = AxiosResponse<MessageResponse>
+export type GetTenantsResponse = AxiosResponse<TenantInfo[]>
 
 // ============================================
 // Helper Functions (exported for convenience)
@@ -309,45 +329,33 @@ export type SSOUnlinkResponse = AxiosResponse<MessageResponse>
 
 /**
  * Extract unified user from account info
+ * All accounts are identities that may be linked to a person
  */
 export function accountToUser(account: AccountInfo | null): User | null {
 	if (account === null) { return null }
 
-	// Person account - most common case
-	if (account.person !== undefined) {
-		return {
-			id: account.person.id,
-			accountId: account.id,
-			name: account.person.name,
-			email: account.person.email,
-			type: account.account_type as AuthenticationAccountType,
-			roles: account.person.roles,
-			isActive: account.is_active,
-			isVerified: account.is_verified,
-			person: account.person,
-			lastLogin: account.last_login,
-		}
-	}
+	const hasPersonLinked = account.person !== undefined && account.person !== null
 
-	// Entity account
-	if (account.entity !== undefined) {
+	// Identity linked to person - use person data
+	if (hasPersonLinked) {
 		return {
-			id: account.entity.id,
+			id: account.person!.id,
 			accountId: account.id,
-			name: account.entity.name,
+			name: account.person!.name,
+			email: account.person!.email ?? undefined,
 			type: account.account_type as AuthenticationAccountType,
+			roles: account.person!.roles,
 			isActive: account.is_active,
 			isVerified: account.is_verified,
-			lastLogin: account.last_login,
-			entityType: account.entity.type,
-			metadata: account.entity.metadata,
+			person: account.person!,
+			lastLogin: account.last_login ?? undefined,
+			hasPersonLinked: true,
 		}
 	}
 
-	// Fallback - use account info directly
-	// Extract email from authentication methods
+	// Identity without person link - extract data from authentication methods
 	const emailMethod = account.authentication_methods.find(
-		m => m.type === 'password' || m.type === 'email_token',
+		m => m.type === 'password' || m.type === 'email_token' || m.type === 'sso',
 	)
 
 	return {
@@ -358,6 +366,7 @@ export function accountToUser(account: AccountInfo | null): User | null {
 		type: account.account_type as AuthenticationAccountType,
 		isActive: account.is_active,
 		isVerified: account.is_verified,
-		lastLogin: account.last_login,
+		lastLogin: account.last_login ?? undefined,
+		hasPersonLinked: false,
 	}
 }

package/src/useAuth.ts

@@ -10,6 +10,7 @@ import type {
 	SSOInitiateRequest,
 	SSOCallbackRequest,
 	SSOLinkRequest,
+	TenantInfo,
 } from './types'
 import type { RedirectConfig, NormalizedRedirectConfig } from './types/redirect'
 import { ref, computed } from 'vue'
@@ -26,6 +27,8 @@ let redirectConfig: NormalizedRedirectConfig | null = null
 let autoRedirectRouter: any = null // Router instance for auto-redirect
 let cachedAuthGuard: any = null // Cached router guard
 const accountInfo = ref<AccountInfo | null>(null)
+const tenants = ref<TenantInfo[]>([])
+const currentTenant = ref<TenantInfo | null>(null)
 
 interface InitParams {
 	baseURL: string
@@ -262,17 +265,16 @@ export function useAuth() {
 	}
 
 	const getAccountType = () => {
-		return user.value?.type ?? 'person'
+		return user.value?.type ?? 'identity'
 	}
 
+	/**
+	 * Check if identity is linked to a person
+	 * @returns true if the identity has a person linked
+	 */
 	const isPersonAccount = () => {
-		return user.value?.type === 'person'
-	}
-
-	const isEntityAccount = () => {
-		return user.value?.type === 'entity'
+		return user.value?.hasPersonLinked === true
 	}
-
 	// Actions
 	async function logout() {
 		// Call logout API
@@ -315,6 +317,55 @@ export function useAuth() {
 		}
 	}
 
+	async function loadTenants(): Promise<TenantInfo[]> {
+		try {
+			const { data } = await api.getTenants()
+			tenants.value = data
+
+			// Auto-select first tenant if none selected and tenants available
+			if (currentTenant.value === null && tenants.value.length > 0) {
+				const firstActiveTenant = tenants.value.find(t => t.status === 'active')
+				if (firstActiveTenant !== undefined) {
+					setTenant(firstActiveTenant.id)
+				}
+			}
+
+			return tenants.value
+		} catch {
+			// If 404 or other error, assume multi-tenancy not supported
+			tenants.value = []
+			return []
+		}
+	}
+
+	function setTenant(tenantId: string | null) {
+		if (tenantId === null) {
+			currentTenant.value = null
+			api.setTenantId(null)
+			return
+		}
+
+		const tenant = tenants.value.find(t => t.id === tenantId)
+		if (tenant !== undefined) {
+			currentTenant.value = tenant
+			api.setTenantId(tenantId)
+		} else {
+			throw new Error(`Tenant with ID ${tenantId} not found`)
+		}
+	}
+
+	function switchTenant(tenantId: string): void {
+		setTenant(tenantId)
+	}
+
+	function getTenants() {
+		return tenants.value
+	}
+
+	function getCurrentTenant() {
+		return currentTenant.value
+	}
+
 	async function signup(newUser: NewUser) {
 		// Check password match if password is provided
 		const hasPassword = newUser.password !== undefined && newUser.password.length > 0
@@ -478,6 +529,10 @@ export function useAuth() {
 		// SSO Providers (ready to use!)
 		sso,
 
+		// Multi-Tenancy State
+		tenants,
+		currentTenant,
+
 		// Getters
 		getFullName,
 		getIsLoggedIn,
@@ -485,7 +540,8 @@ export function useAuth() {
 		getRoles,
 		getAccountType,
 		isPersonAccount,
-		isEntityAccount,
+		getTenants,
+		getCurrentTenant,
 
 		// Authentication Actions
 		login,
@@ -523,5 +579,10 @@ export function useAuth() {
 		getSessions,
 		revokeSession,
 		revokeAllSessions,
+
+		// Multi-Tenancy Actions
+		loadTenants,
+		setTenant,
+		switchTenant,
 	}
 }