@bigso/auth-sdk 0.4.7 → 0.5.1

package/dist/express/index.d.ts

@@ -1,48 +0,0 @@
-import { Request, Response, NextFunction, Router } from 'express';
-import { BigsoSsoClient } from '../node/index.js';
-import { S as SsoSessionData } from '../types-CoXgtTry.js';
-
-interface SsoAuthMiddlewareOptions {
-    ssoClient: BigsoSsoClient;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
-}
-declare global {
-    namespace Express {
-        interface Request {
-            user?: SsoSessionData['user'];
-            tenant?: SsoSessionData['tenant'];
-            ssoSession?: SsoSessionData;
-        }
-    }
-}
-declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-
-interface SsoSyncGuardOptions {
-    ssoBackendUrl: string;
-    isProduction?: boolean;
-}
-declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
-
-interface CreateSsoAuthRouterOptions {
-    ssoClient: BigsoSsoClient;
-    frontendUrl: string;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
-    onLogout?: (sessionToken: string) => void | Promise<void>;
-}
-declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
-
-interface SsoSyncRouterOptions {
-    resources: any[];
-    appId: string;
-    ssoBackendUrl: string;
-    isProduction?: boolean;
-}
-declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
-
-export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };

package/dist/express/index.js

@@ -1,257 +0,0 @@
-// src/express/middlewares/ssoAuth.ts
-function ssoAuthMiddleware(options) {
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
-  return async (req, res, next) => {
-    try {
-      let sessionToken = req.cookies?.[cookieName];
-      let session = null;
-      if (sessionToken) {
-        session = await options.ssoClient.validateSessionToken(sessionToken);
-      }
-      if (!session) {
-        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
-        if (refreshToken) {
-          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
-          if (newSessionData) {
-            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
-            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-            const sessionCookieOptions = {
-              httpOnly: true,
-              secure: isProduction,
-              sameSite: "lax",
-              path: "/",
-              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
-              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
-            };
-            const refreshCookieOptions = {
-              ...sessionCookieOptions,
-              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-            };
-            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
-            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
-            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
-          }
-        }
-        if (!session) {
-          res.clearCookie(cookieName);
-          res.clearCookie(`${cookieName}_refresh`);
-          res.status(401).json({ error: "Session expired or invalid" });
-          return;
-        }
-      }
-      if (options.onSessionValidated) {
-        await options.onSessionValidated(session, req);
-      }
-      req.user = session.user;
-      req.tenant = session.tenant;
-      req.ssoSession = session;
-      next();
-    } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
-      res.status(500).json({ error: "Internal authentication error" });
-    }
-  };
-}
-
-// src/express/middlewares/ssoSyncGuard.ts
-import { promises as dns } from "dns";
-function ssoSyncGuardMiddleware(options) {
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
-  return async (req, res, next) => {
-    try {
-      const isSecure = req.secure || req.headers["x-forwarded-proto"] === "https";
-      if (!isSecure && isProduction) {
-        console.warn("\u26A0\uFE0F  [BigsoAuthSDK] Blocked non-HTTPS sync request");
-        res.status(403).json({ error: "HTTPS required" });
-        return;
-      }
-      const clientIp = req.ip || req.socket.remoteAddress || "";
-      const isLoopback = clientIp === "::1" || clientIp === "127.0.0.1" || clientIp === "::ffff:127.0.0.1";
-      if (!isProduction && isLoopback) {
-        return next();
-      }
-      const ssoUrl = new URL(options.ssoBackendUrl);
-      const ssoHostname = ssoUrl.hostname;
-      const ssoIps = await dns.resolve4(ssoHostname).catch(() => []);
-      const cleanClientIp = clientIp.replace(/^.*:/, "");
-      const isPrivateIp = cleanClientIp.startsWith("10.") || cleanClientIp.startsWith("192.168.") || cleanClientIp.startsWith("172.") && parseInt(cleanClientIp.split(".")[1], 10) >= 16 && parseInt(cleanClientIp.split(".")[1], 10) <= 31;
-      if (!ssoIps.includes(cleanClientIp) && !isPrivateIp) {
-        console.warn(`\u26D4\uFE0F [BigsoAuthSDK] Blocked sync request from unauthorized IP: ${clientIp}`);
-        res.status(403).json({ error: "Unauthorized origin" });
-        return;
-      }
-      next();
-    } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Sync Guard Validation Error:", error instanceof Error ? error.message : error);
-      res.status(500).json({ error: "Security validation failed" });
-    }
-  };
-}
-
-// src/express/routes/createSsoAuthRouter.ts
-import { Router } from "express";
-function createSsoAuthRouter(options) {
-  const router = Router();
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
-  const getCookieOptions = (customOptions = {}) => {
-    const base = {
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: "lax",
-      path: "/",
-      ...customOptions
-    };
-    if (isProduction && options.cookieDomain) {
-      base.domain = options.cookieDomain;
-    }
-    return base;
-  };
-  router.post("/exchange", async (req, res) => {
-    try {
-      const { code } = req.body;
-      if (!code) {
-        res.status(400).json({ error: "Authorization code is required" });
-        return;
-      }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
-        return;
-      }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
-      if (options.onLoginSuccess) {
-        await options.onLoginSuccess(ssoResponse);
-      }
-      res.json({
-        success: true,
-        user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
-      });
-    } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
-      res.status(500).json({
-        error: error.message || "Failed to exchange authorization code"
-      });
-    }
-  });
-  router.post("/exchange-v2", async (req, res) => {
-    try {
-      const { payload } = req.body;
-      if (!payload) {
-        res.status(400).json({ error: "Signed payload is required" });
-        return;
-      }
-      const verified = await options.ssoClient.verifySignedPayload(payload, options.frontendUrl);
-      if (!verified.code) {
-        res.status(400).json({ error: "No authorization code found in payload" });
-        return;
-      }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
-        return;
-      }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
-      if (options.onLoginSuccess) {
-        await options.onLoginSuccess(ssoResponse);
-      }
-      res.json({
-        success: true,
-        user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
-      });
-    } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
-      res.status(401).json({
-        error: error.message || "Failed to verify signed payload"
-      });
-    }
-  });
-  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
-    res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
-    res.set("Pragma", "no-cache");
-    res.set("Expires", "0");
-    res.json({
-      success: true,
-      user: req.user,
-      tenant: req.tenant,
-      expiresAt: req.ssoSession?.expiresAt
-    });
-  });
-  router.post("/logout", async (req, res) => {
-    const sessionToken = req.cookies?.[cookieName];
-    if (sessionToken) {
-      try {
-        await options.ssoClient.revokeSession(sessionToken);
-      } catch (error) {
-        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
-      }
-    }
-    const cookieOptions = getCookieOptions({ maxAge: 0 });
-    res.clearCookie(cookieName, cookieOptions);
-    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
-    if (options.onLogout && sessionToken) {
-      await options.onLogout(sessionToken);
-    }
-    res.json({ success: true, message: "Logged out" });
-  });
-  return router;
-}
-
-// src/express/routes/createSsoSyncRouter.ts
-import { Router as Router2 } from "express";
-function createSsoSyncRouter(options) {
-  const router = Router2();
-  router.get("/resources", ssoSyncGuardMiddleware({
-    ssoBackendUrl: options.ssoBackendUrl,
-    isProduction: options.isProduction
-  }), (req, res) => {
-    try {
-      res.json({
-        success: true,
-        resources: options.resources,
-        meta: {
-          appId: options.appId,
-          count: options.resources.length,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        }
-      });
-    } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error in sync endpoint:", error.message);
-      res.status(500).json({ error: error.message });
-    }
-  });
-  return router;
-}
-export {
-  createSsoAuthRouter,
-  createSsoSyncRouter,
-  ssoAuthMiddleware,
-  ssoSyncGuardMiddleware
-};

package/dist/node/index.cjs

@@ -1,170 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/node/index.ts
-var node_exports = {};
-__export(node_exports, {
-  BigsoSsoClient: () => BigsoSsoClient
-});
-module.exports = __toCommonJS(node_exports);
-
-// src/utils/jws.ts
-var import_jose = require("jose");
-async function verifySignedPayload(token, jwksUrl, expectedAudience) {
-  const JWKS = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
-  const { payload } = await (0, import_jose.jwtVerify)(token, JWKS, {
-    audience: expectedAudience
-  });
-  return payload;
-}
-
-// src/node/SsoClient.ts
-var BigsoSsoClient = class {
-  constructor(options) {
-    this.ssoBackendUrl = options.ssoBackendUrl;
-    this.appId = options.appId;
-    this.ssoJwksUrl = options.ssoJwksUrl;
-  }
-  /**
-   * Verify a signed payload (JWS) against the SSO's JWKS
-   * @param token - The compact JWS token
-   * @param expectedAudience - The expected audience (app origin)
-   * @returns The verified payload
-   */
-  async verifySignedPayload(token, expectedAudience) {
-    if (!this.ssoJwksUrl) {
-      throw new Error("ssoJwksUrl is required for verifySignedPayload");
-    }
-    return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
-  }
-  /**
-   * Validate session token with SSO Backend
-   * @param sessionToken - JWT token from cookie
-   * @returns Session data or null if invalid
-   */
-  async validateSessionToken(sessionToken) {
-    try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/verify-session`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          sessionToken,
-          appId: this.appId
-        })
-        // Node 18+ allows abort signals to enforce timeout, but we will rely on native fetch timeout if available or no timeout for simplicity.
-        // In production, we might want to implement an AbortController wrapper.
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.valid) {
-        return {
-          user: data.user,
-          tenant: data.tenant,
-          appId: data.appId,
-          expiresAt: data.expiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error validating session:", error instanceof Error ? error.message : error);
-      return null;
-    }
-  }
-  /**
-   * Exchange authorization code for session token from SSO
-   * @param code - The auth code
-   * @returns The SSO exchange response
-   */
-  async exchangeCodeForToken(code) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/token`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        authCode: code,
-        appId: this.appId
-      })
-    });
-    if (!response.ok) {
-      const errData = await response.json().catch(() => ({}));
-      throw new Error(errData.message || "Failed to exchange token");
-    }
-    return await response.json();
-  }
-  /**
-   * Revoke session in SSO backend
-   * @param sessionToken - The active session token
-   */
-  async revokeSession(sessionToken) {
-    const response = await fetch(`${this.ssoBackendUrl}/api/v1/session/revoke`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "Authorization": `Bearer ${sessionToken}`
-      }
-    });
-    if (!response.ok) {
-      throw new Error("Failed to revoke session");
-    }
-  }
-  /**
-   * Refreshes the application session using a refresh token
-   * @param refreshToken - The stored refresh token
-   * @returns The new session tokens or null if failed
-   */
-  async refreshAppSession(refreshToken) {
-    try {
-      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/app-refresh`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          refreshToken,
-          appId: this.appId
-        })
-      });
-      if (!response.ok) {
-        return null;
-      }
-      const data = await response.json();
-      if (data.success) {
-        return {
-          sessionToken: data.sessionToken,
-          refreshToken: data.refreshToken,
-          expiresAt: data.expiresAt,
-          refreshExpiresAt: data.refreshExpiresAt
-        };
-      }
-      return null;
-    } catch (error) {
-      console.error("\u274C [BigsoSsoClient] Error refreshing app session:", error instanceof Error ? error.message : error);
-      return null;
-    }
-  }
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  BigsoSsoClient
-});

package/dist/node/index.d.cts

@@ -1,45 +0,0 @@
-import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.cjs';
-
-interface SsoClientOptions {
-    ssoBackendUrl: string;
-    ssoJwksUrl?: string;
-    appId: string;
-}
-declare class BigsoSsoClient {
-    private ssoBackendUrl;
-    private appId;
-    private ssoJwksUrl?;
-    constructor(options: SsoClientOptions);
-    /**
-     * Verify a signed payload (JWS) against the SSO's JWKS
-     * @param token - The compact JWS token
-     * @param expectedAudience - The expected audience (app origin)
-     * @returns The verified payload
-     */
-    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
-    /**
-     * Validate session token with SSO Backend
-     * @param sessionToken - JWT token from cookie
-     * @returns Session data or null if invalid
-     */
-    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
-    /**
-     * Exchange authorization code for session token from SSO
-     * @param code - The auth code
-     * @returns The SSO exchange response
-     */
-    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
-    /**
-     * Revoke session in SSO backend
-     * @param sessionToken - The active session token
-     */
-    revokeSession(sessionToken: string): Promise<void>;
-    /**
-     * Refreshes the application session using a refresh token
-     * @param refreshToken - The stored refresh token
-     * @returns The new session tokens or null if failed
-     */
-    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
-}
-
-export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.d.ts

@@ -1,45 +0,0 @@
-import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.js';
-
-interface SsoClientOptions {
-    ssoBackendUrl: string;
-    ssoJwksUrl?: string;
-    appId: string;
-}
-declare class BigsoSsoClient {
-    private ssoBackendUrl;
-    private appId;
-    private ssoJwksUrl?;
-    constructor(options: SsoClientOptions);
-    /**
-     * Verify a signed payload (JWS) against the SSO's JWKS
-     * @param token - The compact JWS token
-     * @param expectedAudience - The expected audience (app origin)
-     * @returns The verified payload
-     */
-    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
-    /**
-     * Validate session token with SSO Backend
-     * @param sessionToken - JWT token from cookie
-     * @returns Session data or null if invalid
-     */
-    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
-    /**
-     * Exchange authorization code for session token from SSO
-     * @param code - The auth code
-     * @returns The SSO exchange response
-     */
-    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
-    /**
-     * Revoke session in SSO backend
-     * @param sessionToken - The active session token
-     */
-    revokeSession(sessionToken: string): Promise<void>;
-    /**
-     * Refreshes the application session using a refresh token
-     * @param refreshToken - The stored refresh token
-     * @returns The new session tokens or null if failed
-     */
-    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
-}
-
-export { BigsoSsoClient, type SsoClientOptions };