@bigso/auth-sdk 0.5.2 → 0.5.3

package/dist/browser/index.cjs

@@ -98,6 +98,7 @@ var BigsoAuth = class extends EventEmitter {
     const nonce = generateRandomId();
     const verifier = generateVerifier();
     const requestId = this.requestId;
+    const codeChallenge = await sha256Base64Url(verifier);
     sessionStorage.setItem("sso_ctx", JSON.stringify({ state, nonce, verifier, requestId }));
     this.createUI();
     return new Promise((resolve, reject) => {
@@ -130,11 +131,10 @@ var BigsoAuth = class extends EventEmitter {
               this.closeUI();
               cleanup();
               this.emit("fallback");
-              window.location.href = this.buildFallbackUrl();
+              window.location.href = this.buildFallbackUrl(codeChallenge, state);
               reject(new Error("Timeout"));
             }
           }, this.options.timeout);
-          const codeChallenge = await sha256Base64Url(verifier);
           const initPayload = {
             state,
             nonce,
@@ -207,7 +207,7 @@ var BigsoAuth = class extends EventEmitter {
           cleanup();
           if (errorPayload.code === "version_mismatch") {
             this.emit("error", errorPayload);
-            window.location.href = this.buildFallbackUrl();
+            window.location.href = this.buildFallbackUrl(codeChallenge, state);
             reject(new Error(`Version mismatch: expected ${errorPayload.expected_version}`));
           } else {
             this.emit("error", errorPayload);
@@ -342,12 +342,13 @@ var BigsoAuth = class extends EventEmitter {
         `;
   }
   // ─── Helpers ──────────────────────────────────────────────────────
-  buildFallbackUrl() {
+  buildFallbackUrl(codeChallenge, state) {
     const url = new URL(this.options.ssoOrigin);
     url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
     url.searchParams.set("response_type", "code");
-    url.searchParams.set("state", generateRandomId());
+    url.searchParams.set("state", state);
+    url.searchParams.set("code_challenge", codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("client_id", this.options.clientId);
     return url.toString();

package/dist/browser/index.d.cts

@@ -1,4 +1,4 @@
-import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-D5BaCbus.cjs';
+import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-K3V5MV8v.cjs';
 
 declare class EventEmitter {
     private events;

package/dist/browser/index.d.ts

@@ -1,4 +1,4 @@
-import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-D5BaCbus.js';
+import { B as BigsoAuthOptions, a as BigsoAuthResult } from '../types-K3V5MV8v.js';
 
 declare class EventEmitter {
     private events;

package/dist/browser/index.js

@@ -1,6 +1,6 @@
 import {
   verifySignedPayload
-} from "../chunk-5ECHA2VH.js";
+} from "../chunk-PB3GVAEJ.js";
 
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
@@ -66,6 +66,7 @@ var BigsoAuth = class extends EventEmitter {
     const nonce = generateRandomId();
     const verifier = generateVerifier();
     const requestId = this.requestId;
+    const codeChallenge = await sha256Base64Url(verifier);
     sessionStorage.setItem("sso_ctx", JSON.stringify({ state, nonce, verifier, requestId }));
     this.createUI();
     return new Promise((resolve, reject) => {
@@ -98,11 +99,10 @@ var BigsoAuth = class extends EventEmitter {
               this.closeUI();
               cleanup();
               this.emit("fallback");
-              window.location.href = this.buildFallbackUrl();
+              window.location.href = this.buildFallbackUrl(codeChallenge, state);
               reject(new Error("Timeout"));
             }
           }, this.options.timeout);
-          const codeChallenge = await sha256Base64Url(verifier);
           const initPayload = {
             state,
             nonce,
@@ -175,7 +175,7 @@ var BigsoAuth = class extends EventEmitter {
           cleanup();
           if (errorPayload.code === "version_mismatch") {
             this.emit("error", errorPayload);
-            window.location.href = this.buildFallbackUrl();
+            window.location.href = this.buildFallbackUrl(codeChallenge, state);
             reject(new Error(`Version mismatch: expected ${errorPayload.expected_version}`));
           } else {
             this.emit("error", errorPayload);
@@ -310,12 +310,13 @@ var BigsoAuth = class extends EventEmitter {
         `;
   }
   // ─── Helpers ──────────────────────────────────────────────────────
-  buildFallbackUrl() {
+  buildFallbackUrl(codeChallenge, state) {
     const url = new URL(this.options.ssoOrigin);
     url.searchParams.set("app_id", this.options.clientId);
     url.searchParams.set("redirect_uri", this.options.redirectUri || window.location.origin);
     url.searchParams.set("response_type", "code");
-    url.searchParams.set("state", generateRandomId());
+    url.searchParams.set("state", state);
+    url.searchParams.set("code_challenge", codeChallenge);
     url.searchParams.set("code_challenge_method", "S256");
     url.searchParams.set("client_id", this.options.clientId);
     return url.toString();

package/dist/chunk-PB3GVAEJ.js

@@ -0,0 +1,33 @@
+// src/utils/jws.ts
+import { jwtVerify, createRemoteJWKSet } from "jose";
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+async function verifyAccessToken(accessToken, jwksUrl) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(accessToken, JWKS);
+  if (!payload.sub || !payload.jti) {
+    throw new Error("Invalid token structure: missing sub or jti");
+  }
+  return {
+    sub: payload.sub,
+    jti: payload.jti,
+    iss: payload.iss,
+    aud: payload.aud || "",
+    exp: payload.exp,
+    iat: payload.iat,
+    tenants: payload.tenants || [],
+    systemRole: payload.systemRole || "user",
+    scope: payload.scope,
+    deviceFingerprint: payload.deviceFingerprint
+  };
+}
+
+export {
+  verifySignedPayload,
+  verifyAccessToken
+};

package/dist/express/index.d.cts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.cjs';
-import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-D5BaCbus.cjs';
+import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-K3V5MV8v.cjs';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;

package/dist/express/index.d.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.js';
-import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-D5BaCbus.js';
+import { S as SsoJwtTenant, b as SsoTokenPayload, V as V2ExchangeResponse } from '../types-K3V5MV8v.js';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;

package/dist/node/index.cjs

@@ -48,6 +48,7 @@ async function verifyAccessToken(accessToken, jwksUrl) {
     iat: payload.iat,
     tenants: payload.tenants || [],
     systemRole: payload.systemRole || "user",
+    scope: payload.scope,
     deviceFingerprint: payload.deviceFingerprint
   };
 }

package/dist/node/index.d.cts

@@ -1,4 +1,4 @@
-import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-D5BaCbus.cjs';
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.cjs';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;

package/dist/node/index.d.ts

@@ -1,4 +1,4 @@
-import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-D5BaCbus.js';
+import { b as SsoTokenPayload, c as V2LoginResponse, V as V2ExchangeResponse, d as V2RefreshResponse } from '../types-K3V5MV8v.js';
 
 interface SsoClientOptions {
     ssoBackendUrl: string;

package/dist/node/index.js

@@ -1,7 +1,7 @@
 import {
   verifyAccessToken,
   verifySignedPayload
-} from "../chunk-5ECHA2VH.js";
+} from "../chunk-PB3GVAEJ.js";
 
 // src/node/SsoClient.ts
 var BigsoSsoClient = class {

package/dist/types-K3V5MV8v.d.cts

@@ -0,0 +1,81 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    scope?: string[];
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };

package/dist/types-K3V5MV8v.d.ts

@@ -0,0 +1,81 @@
+interface BigsoAuthOptions {
+    clientId: string;
+    ssoOrigin: string;
+    jwksUrl: string;
+    timeout?: number;
+    debug?: boolean;
+    redirectUri?: string;
+    tenantHint?: string;
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+}
+interface SsoJwtTenant {
+    id: string;
+    name: string;
+    slug: string;
+    role: string;
+    apps: string[];
+}
+interface SsoTokenPayload {
+    sub: string;
+    jti: string;
+    iss: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    tenants: SsoJwtTenant[];
+    systemRole: string;
+    scope?: string[];
+    deviceFingerprint?: string;
+}
+interface V2LoginResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+}
+interface V2ExchangeResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        refreshToken: string;
+        expiresIn: number;
+    };
+    user: SsoUser;
+    tenant: SsoTenant;
+}
+interface V2RefreshResponse {
+    success: boolean;
+    tokens: {
+        accessToken: string;
+        expiresIn: number;
+    };
+}
+interface BigsoAuthResult {
+    code: string;
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    signed_payload: string;
+    tenant?: SsoTenant;
+    jti?: string;
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+}
+
+export type { BigsoAuthOptions as B, SsoJwtTenant as S, V2ExchangeResponse as V, BigsoAuthResult as a, SsoTokenPayload as b, V2LoginResponse as c, V2RefreshResponse as d };

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@bigso/auth-sdk",
-    "version": "0.5.2",
+    "version": "0.5.3",
     "description": "SDK de autenticación para SSO v2 - JWT Bearer + PKCE",
     "publishConfig": {
         "registry": "https://registry.npmjs.org/",
@@ -38,6 +38,7 @@
     "scripts": {
         "build": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --format esm,cjs --dts --out-dir dist",
         "dev": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --watch --out-dir dist",
+        "prepublishOnly": "npm run build",
         "lint": "eslint .",
         "test": "vitest",
         "release": "git tag v$npm_package_version && git push origin v$npm_package_version"