@bigso/auth-sdk 0.5.1 → 0.5.3

package/dist/express/index.d.ts

@@ -0,0 +1,46 @@
+import { Request, Response, NextFunction, Router } from 'express';
+import { BigsoSsoClient } from '../node/index.js';
+import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-K3V5MV8v.js';
+
+interface SsoAuthMiddlewareOptions {
+    ssoClient: BigsoSsoClient;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: {
+                userId: string;
+                email: string;
+                firstName: string;
+                lastName: string;
+            };
+            tenant?: SsoJwtTenant;
+            tokenPayload?: SsoTokenPayload;
+        }
+    }
+}
+declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface SsoSyncGuardOptions {
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface CreateSsoAuthRouterOptions {
+    ssoClient: BigsoSsoClient;
+    frontendUrl: string;
+    onLoginSuccess?: (session: V2ExchangeResponse) => void | Promise<void>;
+    onLogout?: (accessToken: string) => void | Promise<void>;
+}
+declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
+
+interface SsoSyncRouterOptions {
+    resources: any[];
+    appId: string;
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
+
+export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };

package/dist/express/index.js

@@ -0,0 +1,196 @@
+// src/express/middlewares/ssoAuth.ts
+function ssoAuthMiddleware(options) {
+  return async (req, res, next) => {
+    try {
+      const authHeader = req.headers.authorization;
+      if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        res.status(401).json({ error: "Missing access token" });
+        return;
+      }
+      const accessToken = authHeader.substring(7);
+      const payload = await options.ssoClient.validateAccessToken(accessToken);
+      if (!payload) {
+        res.status(401).json({ error: "Invalid or expired access token" });
+        return;
+      }
+      const primaryTenant = payload.tenants?.[0];
+      req.user = {
+        userId: payload.sub,
+        email: "",
+        firstName: "",
+        lastName: ""
+      };
+      req.tenant = primaryTenant || void 0;
+      req.tokenPayload = payload;
+      next();
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(401).json({ error: "Authentication failed" });
+    }
+  };
+}
+
+// src/express/middlewares/ssoSyncGuard.ts
+import { promises as dns } from "dns";
+function ssoSyncGuardMiddleware(options) {
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      const isSecure = req.secure || req.headers["x-forwarded-proto"] === "https";
+      if (!isSecure && isProduction) {
+        console.warn("\u26A0\uFE0F  [BigsoAuthSDK] Blocked non-HTTPS sync request");
+        res.status(403).json({ error: "HTTPS required" });
+        return;
+      }
+      const clientIp = req.ip || req.socket.remoteAddress || "";
+      const isLoopback = clientIp === "::1" || clientIp === "127.0.0.1" || clientIp === "::ffff:127.0.0.1";
+      if (!isProduction && isLoopback) {
+        return next();
+      }
+      const ssoUrl = new URL(options.ssoBackendUrl);
+      const ssoHostname = ssoUrl.hostname;
+      const ssoIps = await dns.resolve4(ssoHostname).catch(() => []);
+      const cleanClientIp = clientIp.replace(/^.*:/, "");
+      const isPrivateIp = cleanClientIp.startsWith("10.") || cleanClientIp.startsWith("192.168.") || cleanClientIp.startsWith("172.") && parseInt(cleanClientIp.split(".")[1], 10) >= 16 && parseInt(cleanClientIp.split(".")[1], 10) <= 31;
+      if (!ssoIps.includes(cleanClientIp) && !isPrivateIp) {
+        console.warn(`\u26D4\uFE0F [BigsoAuthSDK] Blocked sync request from unauthorized IP: ${clientIp}`);
+        res.status(403).json({ error: "Unauthorized origin" });
+        return;
+      }
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Sync Guard Validation Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Security validation failed" });
+    }
+  };
+}
+
+// src/express/routes/createSsoAuthRouter.ts
+import { Router } from "express";
+function createSsoAuthRouter(options) {
+  const router = Router();
+  router.post("/exchange", async (req, res) => {
+    try {
+      const { code, codeVerifier } = req.body;
+      if (!code || !codeVerifier) {
+        res.status(400).json({ error: "code and codeVerifier are required" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCode(code, codeVerifier);
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        tokens: ssoResponse.tokens,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant
+      });
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(401).json({ error: error.message || "Failed to exchange authorization code" });
+    }
+  });
+  router.post("/exchange-v2", async (req, res) => {
+    try {
+      const { payload } = req.body;
+      if (!payload) {
+        res.status(400).json({ error: "Signed payload is required" });
+        return;
+      }
+      const verified = await options.ssoClient.verifySignedPayload(payload, options.frontendUrl);
+      if (!verified.code) {
+        res.status(400).json({ error: "No authorization code found in payload" });
+        return;
+      }
+      const codeVerifier = verified.code_verifier;
+      if (!codeVerifier) {
+        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        tokens: ssoResponse.tokens,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant
+      });
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({ error: error.message || "Failed to verify signed payload" });
+    }
+  });
+  router.get("/session", ssoAuthMiddleware({ ssoClient: options.ssoClient }), (req, res) => {
+    res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
+    res.set("Pragma", "no-cache");
+    res.set("Expires", "0");
+    res.json({
+      success: true,
+      user: req.user,
+      tenant: req.tenant,
+      tokenPayload: req.tokenPayload
+    });
+  });
+  router.post("/refresh", async (req, res) => {
+    try {
+      const ssoResponse = await options.ssoClient.refreshTokens();
+      res.json({
+        success: true,
+        tokens: ssoResponse.tokens
+      });
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Error refreshing tokens:", error.message);
+      res.status(401).json({ error: error.message || "Failed to refresh tokens" });
+    }
+  });
+  router.post("/logout", ssoAuthMiddleware({ ssoClient: options.ssoClient }), async (req, res) => {
+    try {
+      const accessToken = req.headers.authorization?.substring(7) || "";
+      const { revokeAll = false } = req.body || {};
+      await options.ssoClient.logout(accessToken, revokeAll);
+      if (options.onLogout) {
+        await options.onLogout(accessToken);
+      }
+      res.json({ success: true, message: "Logged out" });
+    } catch (error) {
+      console.warn("[BigsoAuthSDK] Failed to logout in SSO Backend.", error.message);
+      res.json({ success: true, message: "Logged out (backend revocation failed)" });
+    }
+  });
+  return router;
+}
+
+// src/express/routes/createSsoSyncRouter.ts
+import { Router as Router2 } from "express";
+function createSsoSyncRouter(options) {
+  const router = Router2();
+  router.get("/resources", ssoSyncGuardMiddleware({
+    ssoBackendUrl: options.ssoBackendUrl,
+    isProduction: options.isProduction
+  }), (req, res) => {
+    try {
+      res.json({
+        success: true,
+        resources: options.resources,
+        meta: {
+          appId: options.appId,
+          count: options.resources.length,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error in sync endpoint:", error.message);
+      res.status(500).json({ error: error.message });
+    }
+  });
+  return router;
+}
+export {
+  createSsoAuthRouter,
+  createSsoSyncRouter,
+  ssoAuthMiddleware,
+  ssoSyncGuardMiddleware
+};

package/dist/node/index.cjs

@@ -0,0 +1,142 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/node/index.ts
+var node_exports = {};
+__export(node_exports, {
+  BigsoSsoClient: () => BigsoSsoClient
+});
+module.exports = __toCommonJS(node_exports);
+
+// src/utils/jws.ts
+var import_jose = require("jose");
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
+  const { payload } = await (0, import_jose.jwtVerify)(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+async function verifyAccessToken(accessToken, jwksUrl) {
+  const JWKS = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
+  const { payload } = await (0, import_jose.jwtVerify)(accessToken, JWKS);
+  if (!payload.sub || !payload.jti) {
+    throw new Error("Invalid token structure: missing sub or jti");
+  }
+  return {
+    sub: payload.sub,
+    jti: payload.jti,
+    iss: payload.iss,
+    aud: payload.aud || "",
+    exp: payload.exp,
+    iat: payload.iat,
+    tenants: payload.tenants || [],
+    systemRole: payload.systemRole || "user",
+    scope: payload.scope,
+    deviceFingerprint: payload.deviceFingerprint
+  };
+}
+
+// src/node/SsoClient.ts
+var BigsoSsoClient = class {
+  constructor(options) {
+    this.ssoBackendUrl = options.ssoBackendUrl;
+    this.appId = options.appId;
+    this.ssoJwksUrl = options.ssoJwksUrl;
+  }
+  async verifySignedPayload(token, expectedAudience) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for verifySignedPayload");
+    }
+    return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
+  }
+  async validateAccessToken(accessToken) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for validateAccessToken");
+    }
+    try {
+      return await verifyAccessToken(accessToken, this.ssoJwksUrl);
+    } catch {
+      return null;
+    }
+  }
+  async login(emailOrNuid, password) {
+    const isEmail = emailOrNuid.includes("@");
+    const payload = isEmail ? { email: emailOrNuid, password } : { nuid: emailOrNuid, password };
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/login`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Login failed");
+    }
+    return await response.json();
+  }
+  async exchangeCode(code, codeVerifier) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        code,
+        appId: this.appId,
+        codeVerifier
+      }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token exchange failed");
+    }
+    return await response.json();
+  }
+  async refreshTokens() {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token refresh failed");
+    }
+    return await response.json();
+  }
+  async logout(accessToken, revokeAll = false) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/logout`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ revokeAll }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Logout failed");
+    }
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BigsoSsoClient
+});

package/dist/node/index.d.cts

@@ -0,0 +1,21 @@
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.cjs';
+
+interface SsoClientOptions {
+    ssoBackendUrl: string;
+    ssoJwksUrl?: string;
+    appId: string;
+}
+declare class BigsoSsoClient {
+    private ssoBackendUrl;
+    private appId;
+    private ssoJwksUrl?;
+    constructor(options: SsoClientOptions);
+    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
+    validateAccessToken(accessToken: string): Promise<SsoTokenPayload | null>;
+    login(emailOrNuid: string, password: string): Promise<V2LoginResponse>;
+    exchangeCode(code: string, codeVerifier: string): Promise<V2ExchangeResponse>;
+    refreshTokens(): Promise<V2RefreshResponse>;
+    logout(accessToken: string, revokeAll?: boolean): Promise<void>;
+}
+
+export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.d.ts

@@ -0,0 +1,21 @@
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.js';
+
+interface SsoClientOptions {
+    ssoBackendUrl: string;
+    ssoJwksUrl?: string;
+    appId: string;
+}
+declare class BigsoSsoClient {
+    private ssoBackendUrl;
+    private appId;
+    private ssoJwksUrl?;
+    constructor(options: SsoClientOptions);
+    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
+    validateAccessToken(accessToken: string): Promise<SsoTokenPayload | null>;
+    login(emailOrNuid: string, password: string): Promise<V2LoginResponse>;
+    exchangeCode(code: string, codeVerifier: string): Promise<V2ExchangeResponse>;
+    refreshTokens(): Promise<V2RefreshResponse>;
+    logout(accessToken: string, revokeAll?: boolean): Promise<void>;
+}
+
+export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.js

@@ -0,0 +1,91 @@
+import {
+  verifyAccessToken,
+  verifySignedPayload
+} from "../chunk-PB3GVAEJ.js";
+
+// src/node/SsoClient.ts
+var BigsoSsoClient = class {
+  constructor(options) {
+    this.ssoBackendUrl = options.ssoBackendUrl;
+    this.appId = options.appId;
+    this.ssoJwksUrl = options.ssoJwksUrl;
+  }
+  async verifySignedPayload(token, expectedAudience) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for verifySignedPayload");
+    }
+    return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
+  }
+  async validateAccessToken(accessToken) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for validateAccessToken");
+    }
+    try {
+      return await verifyAccessToken(accessToken, this.ssoJwksUrl);
+    } catch {
+      return null;
+    }
+  }
+  async login(emailOrNuid, password) {
+    const isEmail = emailOrNuid.includes("@");
+    const payload = isEmail ? { email: emailOrNuid, password } : { nuid: emailOrNuid, password };
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/login`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Login failed");
+    }
+    return await response.json();
+  }
+  async exchangeCode(code, codeVerifier) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        code,
+        appId: this.appId,
+        codeVerifier
+      }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token exchange failed");
+    }
+    return await response.json();
+  }
+  async refreshTokens() {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Token refresh failed");
+    }
+    return await response.json();
+  }
+  async logout(accessToken, revokeAll = false) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v2/auth/logout`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ revokeAll }),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      const err = await response.json().catch(() => ({}));
+      throw new Error(err.message || "Logout failed");
+    }
+  }
+};
+export {
+  BigsoSsoClient
+};

package/dist/types-D5BaCbus.d.cts

@@ -0,0 +1,80 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };

package/dist/types-D5BaCbus.d.ts

@@ -0,0 +1,80 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };