@bigso/auth-sdk 0.4.4 → 0.4.6

package/dist/{index.cjs → browser/index.cjs}

@@ -17,12 +17,12 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
+// src/browser/index.ts
+var browser_exports = {};
+__export(browser_exports, {
   BigsoAuth: () => BigsoAuth
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(browser_exports);
 
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
@@ -71,7 +71,7 @@ async function verifySignedPayload(token, jwksUrl, expectedAudience) {
   return payload;
 }
 
-// src/core/auth.ts
+// src/browser/auth.ts
 var BigsoAuth = class extends EventEmitter {
   constructor(options) {
     super();
@@ -355,12 +355,13 @@ var BigsoAuth = class extends EventEmitter {
   }
   // ─── Helpers ──────────────────────────────────────────────────────
   buildFallbackUrl() {
-    const url = new URL(`${this.options.ssoOrigin}/authorize`);
-    url.searchParams.set("client_id", this.options.clientId);
-    url.searchParams.set("response_type", "code");
+    const url = new URL(this.options.ssoOrigin);
+    url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
+    url.searchParams.set("response_type", "code");
     url.searchParams.set("state", generateRandomId());
     url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("client_id", this.options.clientId);
     return url.toString();
   }
   debug(...args) {

package/dist/{index.d.cts → browser/index.d.cts}

@@ -1,3 +1,5 @@
+import { B as BigsoAuthOptions } from '../types-CoXgtTry.cjs';
+
 declare class EventEmitter {
     private events;
     on(event: string, handler: Function): void;
@@ -5,25 +7,6 @@ declare class EventEmitter {
     emit(event: string, data?: any): void;
 }
 
-interface BigsoAuthOptions {
-    /** Client ID registrado en el SSO */
-    clientId: string;
-    /** Origen del SSO (ej: https://sso.bigso.co) */
-    ssoOrigin: string;
-    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
-    jwksUrl: string;
-    /** Timeout en milisegundos (por defecto 5000) */
-    timeout?: number;
-    /** Activar logs de depuración */
-    debug?: boolean;
-    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
-    redirectUri?: string;
-    /** Sugerencia de tenant (opcional) */
-    tenantHint?: string;
-    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
-    theme?: 'light' | 'dark';
-}
-
 declare class BigsoAuth extends EventEmitter {
     private options;
     private iframe?;
@@ -63,4 +46,4 @@ declare class BigsoAuth extends EventEmitter {
     private debug;
 }
 
-export { BigsoAuth, type BigsoAuthOptions };
+export { BigsoAuth, BigsoAuthOptions };

package/dist/{index.d.ts → browser/index.d.ts}

@@ -1,3 +1,5 @@
+import { B as BigsoAuthOptions } from '../types-CoXgtTry.js';
+
 declare class EventEmitter {
     private events;
     on(event: string, handler: Function): void;
@@ -5,25 +7,6 @@ declare class EventEmitter {
     emit(event: string, data?: any): void;
 }
 
-interface BigsoAuthOptions {
-    /** Client ID registrado en el SSO */
-    clientId: string;
-    /** Origen del SSO (ej: https://sso.bigso.co) */
-    ssoOrigin: string;
-    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
-    jwksUrl: string;
-    /** Timeout en milisegundos (por defecto 5000) */
-    timeout?: number;
-    /** Activar logs de depuración */
-    debug?: boolean;
-    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
-    redirectUri?: string;
-    /** Sugerencia de tenant (opcional) */
-    tenantHint?: string;
-    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
-    theme?: 'light' | 'dark';
-}
-
 declare class BigsoAuth extends EventEmitter {
     private options;
     private iframe?;
@@ -63,4 +46,4 @@ declare class BigsoAuth extends EventEmitter {
     private debug;
 }
 
-export { BigsoAuth, type BigsoAuthOptions };
+export { BigsoAuth, BigsoAuthOptions };

package/dist/{index.js → browser/index.js}

@@ -1,3 +1,7 @@
+import {
+  verifySignedPayload
+} from "../chunk-LDDK6SJD.js";
+
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
   const encoder = new TextEncoder();
@@ -35,17 +39,7 @@ var EventEmitter = class {
   }
 };
 
-// src/utils/jws.ts
-import { jwtVerify, createRemoteJWKSet } from "jose";
-async function verifySignedPayload(token, jwksUrl, expectedAudience) {
-  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-  const { payload } = await jwtVerify(token, JWKS, {
-    audience: expectedAudience
-  });
-  return payload;
-}
-
-// src/core/auth.ts
+// src/browser/auth.ts
 var BigsoAuth = class extends EventEmitter {
   constructor(options) {
     super();
@@ -329,12 +323,13 @@ var BigsoAuth = class extends EventEmitter {
   }
   // ─── Helpers ──────────────────────────────────────────────────────
   buildFallbackUrl() {
-    const url = new URL(`${this.options.ssoOrigin}/authorize`);
-    url.searchParams.set("client_id", this.options.clientId);
-    url.searchParams.set("response_type", "code");
+    const url = new URL(this.options.ssoOrigin);
+    url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
+    url.searchParams.set("response_type", "code");
     url.searchParams.set("state", generateRandomId());
     url.searchParams.set("code_challenge_method", "S256");
+    url.searchParams.set("client_id", this.options.clientId);
     return url.toString();
   }
   debug(...args) {

package/dist/chunk-LDDK6SJD.js

@@ -0,0 +1,13 @@
+// src/utils/jws.ts
+import { jwtVerify, createRemoteJWKSet } from "jose";
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+
+export {
+  verifySignedPayload
+};

package/dist/express/index.cjs

@@ -0,0 +1,287 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/express/index.ts
+var express_exports = {};
+__export(express_exports, {
+  createSsoAuthRouter: () => createSsoAuthRouter,
+  createSsoSyncRouter: () => createSsoSyncRouter,
+  ssoAuthMiddleware: () => ssoAuthMiddleware,
+  ssoSyncGuardMiddleware: () => ssoSyncGuardMiddleware
+});
+module.exports = __toCommonJS(express_exports);
+
+// src/express/middlewares/ssoAuth.ts
+function ssoAuthMiddleware(options) {
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      let sessionToken = req.cookies?.[cookieName];
+      let session = null;
+      if (sessionToken) {
+        session = await options.ssoClient.validateSessionToken(sessionToken);
+      }
+      if (!session) {
+        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
+        if (refreshToken) {
+          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
+          if (newSessionData) {
+            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
+            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+            const sessionCookieOptions = {
+              httpOnly: true,
+              secure: isProduction,
+              sameSite: "lax",
+              path: "/",
+              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
+              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
+            };
+            const refreshCookieOptions = {
+              ...sessionCookieOptions,
+              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+            };
+            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
+            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
+            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
+          }
+        }
+        if (!session) {
+          res.clearCookie(cookieName);
+          res.clearCookie(`${cookieName}_refresh`);
+          res.status(401).json({ error: "Session expired or invalid" });
+          return;
+        }
+      }
+      if (options.onSessionValidated) {
+        await options.onSessionValidated(session, req);
+      }
+      req.user = session.user;
+      req.tenant = session.tenant;
+      req.ssoSession = session;
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Internal authentication error" });
+    }
+  };
+}
+
+// src/express/middlewares/ssoSyncGuard.ts
+var import_dns = require("dns");
+function ssoSyncGuardMiddleware(options) {
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      const isSecure = req.secure || req.headers["x-forwarded-proto"] === "https";
+      if (!isSecure && isProduction) {
+        console.warn("\u26A0\uFE0F  [BigsoAuthSDK] Blocked non-HTTPS sync request");
+        res.status(403).json({ error: "HTTPS required" });
+        return;
+      }
+      const clientIp = req.ip || req.socket.remoteAddress || "";
+      const isLoopback = clientIp === "::1" || clientIp === "127.0.0.1" || clientIp === "::ffff:127.0.0.1";
+      if (!isProduction && isLoopback) {
+        return next();
+      }
+      const ssoUrl = new URL(options.ssoBackendUrl);
+      const ssoHostname = ssoUrl.hostname;
+      const ssoIps = await import_dns.promises.resolve4(ssoHostname).catch(() => []);
+      const cleanClientIp = clientIp.replace(/^.*:/, "");
+      const isPrivateIp = cleanClientIp.startsWith("10.") || cleanClientIp.startsWith("192.168.") || cleanClientIp.startsWith("172.") && parseInt(cleanClientIp.split(".")[1], 10) >= 16 && parseInt(cleanClientIp.split(".")[1], 10) <= 31;
+      if (!ssoIps.includes(cleanClientIp) && !isPrivateIp) {
+        console.warn(`\u26D4\uFE0F [BigsoAuthSDK] Blocked sync request from unauthorized IP: ${clientIp}`);
+        res.status(403).json({ error: "Unauthorized origin" });
+        return;
+      }
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Sync Guard Validation Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Security validation failed" });
+    }
+  };
+}
+
+// src/express/routes/createSsoAuthRouter.ts
+var import_express = require("express");
+function createSsoAuthRouter(options) {
+  const router = (0, import_express.Router)();
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  const getCookieOptions = (customOptions = {}) => {
+    const base = {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: "lax",
+      path: "/",
+      ...customOptions
+    };
+    if (isProduction && options.cookieDomain) {
+      base.domain = options.cookieDomain;
+    }
+    return base;
+  };
+  router.post("/exchange", async (req, res) => {
+    try {
+      const { code } = req.body;
+      if (!code) {
+        res.status(400).json({ error: "Authorization code is required" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(500).json({
+        error: error.message || "Failed to exchange authorization code"
+      });
+    }
+  });
+  router.post("/exchange-v2", async (req, res) => {
+    try {
+      const { payload } = req.body;
+      if (!payload) {
+        res.status(400).json({ error: "Signed payload is required" });
+        return;
+      }
+      const verified = await options.ssoClient.verifySignedPayload(payload, options.frontendUrl);
+      if (!verified.code) {
+        res.status(400).json({ error: "No authorization code found in payload" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({
+        error: error.message || "Failed to verify signed payload"
+      });
+    }
+  });
+  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
+    res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
+    res.set("Pragma", "no-cache");
+    res.set("Expires", "0");
+    res.json({
+      success: true,
+      user: req.user,
+      tenant: req.tenant,
+      expiresAt: req.ssoSession?.expiresAt
+    });
+  });
+  router.post("/logout", async (req, res) => {
+    const sessionToken = req.cookies?.[cookieName];
+    if (sessionToken) {
+      try {
+        await options.ssoClient.revokeSession(sessionToken);
+      } catch (error) {
+        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
+      }
+    }
+    const cookieOptions = getCookieOptions({ maxAge: 0 });
+    res.clearCookie(cookieName, cookieOptions);
+    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
+    if (options.onLogout && sessionToken) {
+      await options.onLogout(sessionToken);
+    }
+    res.json({ success: true, message: "Logged out" });
+  });
+  return router;
+}
+
+// src/express/routes/createSsoSyncRouter.ts
+var import_express2 = require("express");
+function createSsoSyncRouter(options) {
+  const router = (0, import_express2.Router)();
+  router.get("/resources", ssoSyncGuardMiddleware({
+    ssoBackendUrl: options.ssoBackendUrl,
+    isProduction: options.isProduction
+  }), (req, res) => {
+    try {
+      res.json({
+        success: true,
+        resources: options.resources,
+        meta: {
+          appId: options.appId,
+          count: options.resources.length,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error in sync endpoint:", error.message);
+      res.status(500).json({ error: error.message });
+    }
+  });
+  return router;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSsoAuthRouter,
+  createSsoSyncRouter,
+  ssoAuthMiddleware,
+  ssoSyncGuardMiddleware
+});

package/dist/express/index.d.cts

@@ -0,0 +1,48 @@
+import { Request, Response, NextFunction, Router } from 'express';
+import { BigsoSsoClient } from '../node/index.cjs';
+import { S as SsoSessionData } from '../types-CoXgtTry.cjs';
+
+interface SsoAuthMiddlewareOptions {
+    ssoClient: BigsoSsoClient;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: SsoSessionData['user'];
+            tenant?: SsoSessionData['tenant'];
+            ssoSession?: SsoSessionData;
+        }
+    }
+}
+declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface SsoSyncGuardOptions {
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface CreateSsoAuthRouterOptions {
+    ssoClient: BigsoSsoClient;
+    frontendUrl: string;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
+    onLogout?: (sessionToken: string) => void | Promise<void>;
+}
+declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
+
+interface SsoSyncRouterOptions {
+    resources: any[];
+    appId: string;
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
+
+export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };

package/dist/express/index.d.ts

@@ -0,0 +1,48 @@
+import { Request, Response, NextFunction, Router } from 'express';
+import { BigsoSsoClient } from '../node/index.js';
+import { S as SsoSessionData } from '../types-CoXgtTry.js';
+
+interface SsoAuthMiddlewareOptions {
+    ssoClient: BigsoSsoClient;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: SsoSessionData['user'];
+            tenant?: SsoSessionData['tenant'];
+            ssoSession?: SsoSessionData;
+        }
+    }
+}
+declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface SsoSyncGuardOptions {
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface CreateSsoAuthRouterOptions {
+    ssoClient: BigsoSsoClient;
+    frontendUrl: string;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
+    onLogout?: (sessionToken: string) => void | Promise<void>;
+}
+declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
+
+interface SsoSyncRouterOptions {
+    resources: any[];
+    appId: string;
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
+
+export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };