@bigso/auth-sdk 0.4.7 → 0.5.0

package/dist/node/index.cjs

@@ -33,6 +33,24 @@ async function verifySignedPayload(token, jwksUrl, expectedAudience) {
   });
   return payload;
 }
+async function verifyAccessToken(accessToken, jwksUrl) {
+  const JWKS = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
+  const { payload } = await (0, import_jose.jwtVerify)(accessToken, JWKS);
+  if (!payload.sub || !payload.jti) {
+    throw new Error("Invalid token structure: missing sub or jti");
+  }
+  return {
+    sub: payload.sub,
+    jti: payload.jti,
+    iss: payload.iss,
+    aud: payload.aud || "",
+    exp: payload.exp,
+    iat: payload.iat,
+    tenants: payload.tenants || [],
+    systemRole: payload.systemRole || "user",
+    deviceFingerprint: payload.deviceFingerprint
+  };
+}
 
 // src/node/SsoClient.ts
 var BigsoSsoClient = class {
@@ -41,126 +59,79 @@ var BigsoSsoClient = class {
     this.appId = options.appId;
     this.ssoJwksUrl = options.ssoJwksUrl;
   }
-  /**
-   * Verify a signed payload (JWS) against the SSO's JWKS
-   * @param token - The compact JWS token
-   * @param expectedAudience - The expected audience (app origin)
-   * @returns The verified payload
-   */
   async verifySignedPayload(token, expectedAudience) {
     if (!this.ssoJwksUrl) {
       throw new Error("ssoJwksUrl is required for verifySignedPayload");
     }
     return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
   }
-  /**
-   * Validate session token with SSO Backend
-   * @param sessionToken - JWT token from cookie
-   * @returns Session data or null if invalid
-   */
-  async validateSessionToken(sessionToken) {
+  async validateAccessToken(accessToken) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for validateAccessToken");
+    }
     try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/verify-session`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          sessionToken,
-          appId: this.appId
-        })
-        // Node 18+ allows abort signals to enforce timeout, but we will rely on native fetch timeout if available or no timeout for simplicity.
-        // In production, we might want to implement an AbortController wrapper.
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.valid) {
-        return {
-          user: data.user,
-          tenant: data.tenant,
-          appId: data.appId,
-          expiresAt: data.expiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error validating session:", error instanceof Error ? error.message : error);
+      return await verifyAccessToken(accessToken, this.ssoJwksUrl);
+    } catch {
       return null;
     }
   }
-  /**
-   * Exchange authorization code for session token from SSO
-   * @param code - The auth code
-   * @returns The SSO exchange response
-   */
-  async exchangeCodeForToken(code) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/token`, {
+  async login(emailOrNuid, password) {
+    const isEmail = emailOrNuid.includes("@");
+    const payload = isEmail ? { email: emailOrNuid, password } : { nuid: emailOrNuid, password };
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/login`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Login failed");
+    }
+    return await response.json();
+  }
+  async exchangeCode(code, codeVerifier) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        authCode: code,
-        appId: this.appId
-      })
+        code,
+        appId: this.appId,
+        codeVerifier
+      }),
+      credentials: "include"
     });
     if (!response.ok) {
-      const errData = await response.json().catch(() => ({}));
-      throw new Error(errData.message || "Failed to exchange token");
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token exchange failed");
     }
     return await response.json();
   }
-  /**
-   * Revoke session in SSO backend
-   * @param sessionToken - The active session token
-   */
-  async revokeSession(sessionToken) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/session/revoke`, {
+  async refreshTokens() {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/refresh`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${sessionToken}`
-      }
+      headers: { "Content-Type": "application/json" },
+      credentials: "include"
     });
     if (!response.ok) {
-      throw new Error("Failed to revoke session");
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token refresh failed");
     }
+    return await response.json();
   }
-  /**
-   * Refreshes the application session using a refresh token
-   * @param refreshToken - The stored refresh token
-   * @returns The new session tokens or null if failed
-   */
-  async refreshAppSession(refreshToken) {
-    try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/app-refresh`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          refreshToken,
-          appId: this.appId
-        })
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.success) {
-        return {
-          sessionToken: data.sessionToken,
-          refreshToken: data.refreshToken,
-          expiresAt: data.expiresAt,
-          refreshExpiresAt: data.refreshExpiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error refreshing app session:", error instanceof Error ? error.message : error);
-      return null;
+  async logout(accessToken, revokeAll = false) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/logout`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ revokeAll }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Logout failed");
     }
   }
 };

package/dist/node/index.d.cts

@@ -1,4 +1,4 @@
-import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.cjs';
+import { S as SsoTokenPayload, b as V2LoginResponse, V as V2ExchangeResponse, c as V2RefreshResponse } from '../types-BQzACpj3.cjs';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;
@@ -10,36 +10,12 @@ declare class BigsoSsoClient {
     private appId;
     private ssoJwksUrl?;
     constructor(options: SsoClientOptions);
-    /**
-     * Verify a signed payload (JWS) against the SSO's JWKS
-     * @param token - The compact JWS token
-     * @param expectedAudience - The expected audience (app origin)
-     * @returns The verified payload
-     */
     verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
-    /**
-     * Validate session token with SSO Backend
-     * @param sessionToken - JWT token from cookie
-     * @returns Session data or null if invalid
-     */
-    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
-    /**
-     * Exchange authorization code for session token from SSO
-     * @param code - The auth code
-     * @returns The SSO exchange response
-     */
-    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
-    /**
-     * Revoke session in SSO backend
-     * @param sessionToken - The active session token
-     */
-    revokeSession(sessionToken: string): Promise<void>;
-    /**
-     * Refreshes the application session using a refresh token
-     * @param refreshToken - The stored refresh token
-     * @returns The new session tokens or null if failed
-     */
-    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
+    validateAccessToken(accessToken: string): Promise<SsoTokenPayload | null>;
+    login(emailOrNuid: string, password: string): Promise<V2LoginResponse>;
+    exchangeCode(code: string, codeVerifier: string): Promise<V2ExchangeResponse>;
+    refreshTokens(): Promise<V2RefreshResponse>;
+    logout(accessToken: string, revokeAll?: boolean): Promise<void>;
 }
 
 export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.d.ts

@@ -1,4 +1,4 @@
-import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.js';
+import { S as SsoTokenPayload, b as V2LoginResponse, V as V2ExchangeResponse, c as V2RefreshResponse } from '../types-BQzACpj3.js';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;
@@ -10,36 +10,12 @@ declare class BigsoSsoClient {
     private appId;
     private ssoJwksUrl?;
     constructor(options: SsoClientOptions);
-    /**
-     * Verify a signed payload (JWS) against the SSO's JWKS
-     * @param token - The compact JWS token
-     * @param expectedAudience - The expected audience (app origin)
-     * @returns The verified payload
-     */
     verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
-    /**
-     * Validate session token with SSO Backend
-     * @param sessionToken - JWT token from cookie
-     * @returns Session data or null if invalid
-     */
-    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
-    /**
-     * Exchange authorization code for session token from SSO
-     * @param code - The auth code
-     * @returns The SSO exchange response
-     */
-    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
-    /**
-     * Revoke session in SSO backend
-     * @param sessionToken - The active session token
-     */
-    revokeSession(sessionToken: string): Promise<void>;
-    /**
-     * Refreshes the application session using a refresh token
-     * @param refreshToken - The stored refresh token
-     * @returns The new session tokens or null if failed
-     */
-    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
+    validateAccessToken(accessToken: string): Promise<SsoTokenPayload | null>;
+    login(emailOrNuid: string, password: string): Promise<V2LoginResponse>;
+    exchangeCode(code: string, codeVerifier: string): Promise<V2ExchangeResponse>;
+    refreshTokens(): Promise<V2RefreshResponse>;
+    logout(accessToken: string, revokeAll?: boolean): Promise<void>;
 }
 
 export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.js

@@ -1,6 +1,7 @@
 import {
+  verifyAccessToken,
   verifySignedPayload
-} from "../chunk-LDDK6SJD.js";
+} from "../chunk-5ECHA2VH.js";
 
 // src/node/SsoClient.ts
 var BigsoSsoClient = class {
@@ -9,126 +10,79 @@ var BigsoSsoClient = class {
     this.appId = options.appId;
     this.ssoJwksUrl = options.ssoJwksUrl;
   }
-  /**
-   * Verify a signed payload (JWS) against the SSO's JWKS
-   * @param token - The compact JWS token
-   * @param expectedAudience - The expected audience (app origin)
-   * @returns The verified payload
-   */
   async verifySignedPayload(token, expectedAudience) {
     if (!this.ssoJwksUrl) {
       throw new Error("ssoJwksUrl is required for verifySignedPayload");
     }
     return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
   }
-  /**
-   * Validate session token with SSO Backend
-   * @param sessionToken - JWT token from cookie
-   * @returns Session data or null if invalid
-   */
-  async validateSessionToken(sessionToken) {
+  async validateAccessToken(accessToken) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for validateAccessToken");
+    }
     try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/verify-session`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          sessionToken,
-          appId: this.appId
-        })
-        // Node 18+ allows abort signals to enforce timeout, but we will rely on native fetch timeout if available or no timeout for simplicity.
-        // In production, we might want to implement an AbortController wrapper.
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.valid) {
-        return {
-          user: data.user,
-          tenant: data.tenant,
-          appId: data.appId,
-          expiresAt: data.expiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error validating session:", error instanceof Error ? error.message : error);
+      return await verifyAccessToken(accessToken, this.ssoJwksUrl);
+    } catch {
       return null;
     }
   }
-  /**
-   * Exchange authorization code for session token from SSO
-   * @param code - The auth code
-   * @returns The SSO exchange response
-   */
-  async exchangeCodeForToken(code) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/token`, {
+  async login(emailOrNuid, password) {
+    const isEmail = emailOrNuid.includes("@");
+    const payload = isEmail ? { email: emailOrNuid, password } : { nuid: emailOrNuid, password };
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/login`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Login failed");
+    }
+    return await response.json();
+  }
+  async exchangeCode(code, codeVerifier) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        authCode: code,
-        appId: this.appId
-      })
+        code,
+        appId: this.appId,
+        codeVerifier
+      }),
+      credentials: "include"
     });
     if (!response.ok) {
-      const errData = await response.json().catch(() => ({}));
-      throw new Error(errData.message || "Failed to exchange token");
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token exchange failed");
     }
     return await response.json();
   }
-  /**
-   * Revoke session in SSO backend
-   * @param sessionToken - The active session token
-   */
-  async revokeSession(sessionToken) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/session/revoke`, {
+  async refreshTokens() {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/refresh`, {
       method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${sessionToken}`
-      }
+      headers: { "Content-Type": "application/json" },
+      credentials: "include"
     });
     if (!response.ok) {
-      throw new Error("Failed to revoke session");
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token refresh failed");
     }
+    return await response.json();
   }
-  /**
-   * Refreshes the application session using a refresh token
-   * @param refreshToken - The stored refresh token
-   * @returns The new session tokens or null if failed
-   */
-  async refreshAppSession(refreshToken) {
-    try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/app-refresh`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          refreshToken,
-          appId: this.appId
-        })
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.success) {
-        return {
-          sessionToken: data.sessionToken,
-          refreshToken: data.refreshToken,
-          expiresAt: data.expiresAt,
-          refreshExpiresAt: data.refreshExpiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error refreshing app session:", error instanceof Error ? error.message : error);
-      return null;
+  async logout(accessToken, revokeAll = false) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/logout`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ revokeAll }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Logout failed");
     }
   }
 };

package/dist/types-BQzACpj3.d.cts

@@ -0,0 +1,73 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoTenant[];
+    systemRole: string;
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoTokenPayload as S, V2ExchangeResponse as V, BigsoAuthResult as a, V2LoginResponse as b, V2RefreshResponse as c };

package/dist/types-BQzACpj3.d.ts

@@ -0,0 +1,73 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoTenant[];
+    systemRole: string;
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoTokenPayload as S, V2ExchangeResponse as V, BigsoAuthResult as a, V2LoginResponse as b, V2RefreshResponse as c };

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@bigso/auth-sdk",
-    "version": "0.4.7",
-    "description": "SDK de autenticación para SSO v2.3 con iframe seguro",
+    "version": "0.5.0",
+    "description": "SDK de autenticación para SSO v2 - JWT Bearer + PKCE",
     "publishConfig": {
         "registry": "https://registry.npmjs.org/",
         "access": "public"

package/dist/chunk-LDDK6SJD.js

@@ -1,13 +0,0 @@
-// src/utils/jws.ts
-import { jwtVerify, createRemoteJWKSet } from "jose";
-async function verifySignedPayload(token, jwksUrl, expectedAudience) {
-  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-  const { payload } = await jwtVerify(token, JWKS, {
-    audience: expectedAudience
-  });
-  return payload;
-}
-
-export {
-  verifySignedPayload
-};