@bigso/auth-sdk 0.5.3 → 0.5.4

package/README.md

@@ -10,6 +10,7 @@ SDK oficial de autenticación para Bigso SSO v2. Flujo basado en JWT Bearer toke
 - **JWS verification** en frontend con JWKS remoto
 - **3 entry points**: Browser, Node.js, Express middleware
 - **Server-to-server** login, exchange, refresh, logout via API v2
+- **Scope array** en JWT para consumir APIs internas
 
 ## Instalación
 
@@ -25,15 +26,15 @@ npm install @bigso/auth-sdk
 │  (consuming)  │  sso-init / sso-success    │  (iframe)     │
 └──────┬───────┘                             └──────┬───────┘
        │                                            │
-       │ 1. auth.login() → codeVerifier             │
-       │ 2. POST /exchange-v2-pkce                  │
-       │    { code, codeVerifier }                  │
+       │ 1. auth.login() → codeVerifier            │
+       │ 2. POST /api/auth/exchange-v2             │
+       │    { payload, codeVerifier }               │
        ▼                                            ▼
 ┌──────────────┐     POST /api/v2/auth/exchange    ┌──────────────┐
 │  App Backend  │──────────────────────────────────►│  SSO Core     │
 │  (Express)   │◄─────────────────────────────────│  (API v2)     │
 │              │     { accessToken, refreshToken }  │              │
-└──────────────┘                                   └──────────────┘
+└──────────────┘        (con scope array)            └──────────────┘
 ```
 
 ## Uso
@@ -44,9 +45,9 @@ npm install @bigso/auth-sdk
 import { BigsoAuth } from '@bigso/auth-sdk';
 
 const auth = new BigsoAuth({
-  clientId: 'crm',
-  ssoOrigin: 'https://sso.bigso.co',
-  jwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
+  clientId: 'ordamy',
+  ssoOrigin: 'https://sso-portal.bigso.co',
+  jwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
 });
 
 auth.on('success', async (result) => {
@@ -57,11 +58,12 @@ auth.on('success', async (result) => {
   // result.nonce        → matches your original nonce
 
   // Send to your backend:
-  const response = await fetch('/api/auth/exchange-v2-pkce', {
+  const response = await fetch('/api/auth/exchange-v2', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({
       payload: result.signed_payload,
+      codeVerifier: result.codeVerifier,
     }),
   });
 });
@@ -76,15 +78,15 @@ import { BigsoSsoClient } from '@bigso/auth-sdk/node';
 import { createSsoAuthRouter, ssoAuthMiddleware } from '@bigso/auth-sdk/express';
 
 const ssoClient = new BigsoSsoClient({
-  ssoBackendUrl: 'https://sso.bigso.co',
-  ssoJwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
-  appId: 'crm',
+  ssoBackendUrl: 'https://sso-core.bigso.co',
+  ssoJwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
+  appId: 'ordamy',
 });
 
 // Auth routes: /exchange, /exchange-v2, /session, /refresh, /logout
 app.use('/api/auth', createSsoAuthRouter({
   ssoClient,
-  frontendUrl: 'https://myapp.com',
+  frontendUrl: 'https://ordamy.bigso.co',
 }));
 
 // Protected routes: validates Bearer JWT token
@@ -99,9 +101,9 @@ app.get('/api/protected', ssoAuthMiddleware({ ssoClient }), (req, res) => {
 import { BigsoSsoClient } from '@bigso/auth-sdk/node';
 
 const client = new BigsoSsoClient({
-  ssoBackendUrl: 'https://sso.bigso.co',
-  ssoJwksUrl: 'https://sso.bigso.co/.well-known/jwks.json',
-  appId: 'crm',
+  ssoBackendUrl: 'https://sso-core.bigso.co',
+  ssoJwksUrl: 'https://sso-core.bigso.co/.well-known/jwks.json',
+  appId: 'ordamy',
 });
 
 // Exchange authorization code with PKCE
@@ -126,7 +128,7 @@ await client.logout('eyJhbG...', true);  // revokeAll = true
 | Param | Type | Required | Default | Description |
 |---|---|---|---|---|
 | `clientId` | `string` | Yes | — | App ID registered in SSO |
-| `ssoOrigin` | `string` | Yes | — | SSO origin (e.g. `https://sso.bigso.co`) |
+| `ssoOrigin` | `string` | Yes | — | SSO origin (e.g. `https://sso-portal.bigso.co`) |
 | `jwksUrl` | `string` | Yes | — | JWKS URL for JWS verification |
 | `timeout` | `number` | No | `5000` | Timeout after `sso-ready` (ms) |
 | `debug` | `boolean` | No | `false` | Debug logging |
@@ -161,7 +163,7 @@ Returns `Promise<BigsoAuthResult>`:
 | Route | Method | Description |
 |---|---|---|
 | `/exchange` | POST | `{code, codeVerifier}` → v2 exchange |
-| `/exchange-v2` | POST | `{payload}` → verify JWS, then v2 exchange |
+| `/exchange-v2` | POST | `{payload, codeVerifier?}` → verify JWS, then v2 exchange (codeVerifier from body or JWS) |
 | `/session` | GET | Validate Bearer token, return user data |
 | `/refresh` | POST | Proxy to `/api/v2/auth/refresh` |
 | `/logout` | POST | Bearer token → `/api/v2/auth/logout` |
@@ -177,14 +179,34 @@ Reads `Authorization: Bearer <token>`, validates JWT against JWKS, populates `re
 2. Browser SDK computa: codeChallenge = SHA256(codeVerifier)
 3. Browser SDK → iframe: {codeChallenge, state, nonce}
 4. Iframe → SSO Core: POST /api/v2/auth/authorize (con codeChallenge)
-5. Iframe → Browser SDK: {code, state} (firmado como JWS)
+5. Iframe → Browser SDK: {code, signedPayload} (JWS contiene code_verifier si se pasó)
 6. Browser SDK verifica JWS, valida state y nonce
-7. Browser SDK retorna {code, codeVerifier} al consuming app
-8. Consuming app → su backend: POST /exchange-v2-pkce {payload, codeVerifier}
+7. Browser SDK retorna {code, codeVerifier, signed_payload} al consuming app
+8. Consuming app → su backend: POST /exchange-v2 {payload, codeVerifier}
 9. Backend verifica JWS, extrae code, llama /api/v2/auth/exchange {code, appId, codeVerifier}
 10. SSO Core verifica: SHA256(codeVerifier) === codeChallenge → emite tokens
 ```
 
+## JWT Access Token
+
+El access token contiene:
+
+```json
+{
+  "sub": "user-uuid",
+  "jti": "token-uuid",
+  "iss": "https://sso.bigso.co",
+  "aud": "https://ordamy.bigso.co",
+  "exp": 1234567890,
+  "iat": 1234567890,
+  "tenants": [{ "id": "...", "name": "...", "slug": "...", "role": "...", "apps": ["ordamy"] }],
+  "systemRole": "user",
+  "scope": ["https://ordamy.bigso.co", "https://api-interna.bigso.co"]
+}
+```
+
+El campo `scope` define qué APIs puede consumir este token. Cada aplicación tiene su `scope` configurado en la BD de SSO Core.
+
 ## Seguridad
 
 - **PKCE**: codeVerifier nunca sale del browser hasta el paso 7, pero jamás se envía al SSO iframe
@@ -192,6 +214,7 @@ Reads `Authorization: Bearer <token>`, validates JWT against JWKS, populates `re
 - **state + nonce**: Validados en ambos lados para prevenir CSRF y replay
 - **JWT Bearer**: Access tokens validados localmente contra JWKS, revocables en Redis/PG
 - **httpOnly cookies**: Refresh tokens via cookie, nunca accesibles via JS
+- **Scope validation**: APIs internas deben verificar que su URL esté en el array `scope` del token
 
 ## Desarrollo
 
@@ -204,6 +227,22 @@ npm test        # vitest
 
 ## Changelog
 
+### v0.5.3 (2026-04-09)
+
+- `exchange-v2` ahora acepta `codeVerifier` del body del request o del JWS (antes solo del JWS)
+- Fix de fallback: `buildFallbackUrl()` ahora incluye `code_challenge` en la URL
+
+### v0.5.2 (2026-04-08)
+
+- Nuevo campo `scope?: string[]` en `SsoTokenPayload`
+- `verifyAccessToken()` mapea `scope` del JWT payload
+- `prepublishOnly` script agregado para build automático antes de publish
+
+### v0.5.1 (2026-04-08)
+
+- Fix: SDK sin dist/ — `prepublishOnly: "npm run build"` agregado
+- `SsoJwtTenant` con `apps: string[]`
+
 ### v0.5.0 (2026-04-07) — Full v2
 
 **Breaking changes:**
@@ -219,7 +258,7 @@ npm test        # vitest
 - `BigsoSsoClient.refreshTokens()` — via `/api/v2/auth/refresh`
 - `BigsoSsoClient.logout(accessToken)` — via `/api/v2/auth/logout`
 - `BigsoSsoClient.validateAccessToken(token)` — Local JWT verification against JWKS
-- Express `/exchange-v2-pkce` route with full PKCE support
+- Express `/exchange-v2` route with full PKCE support
 - Express `/refresh` and `/logout` routes for v2 API
 - `ssoAuthMiddleware` validates Bearer JWT tokens locally
 

package/dist/express/index.cjs

@@ -122,7 +122,7 @@ function createSsoAuthRouter(options) {
   });
   router.post("/exchange-v2", async (req, res) => {
     try {
-      const { payload } = req.body;
+      const { payload, codeVerifier: codeVerifierFromBody } = req.body;
       if (!payload) {
         res.status(400).json({ error: "Signed payload is required" });
         return;
@@ -132,12 +132,12 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const codeVerifier = verified.code_verifier;
-      if (!codeVerifier) {
-        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
+      const verifier = codeVerifierFromBody || verified.code_verifier;
+      if (!verifier) {
+        res.status(400).json({ error: "codeVerifier is required for PKCE exchange" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, verifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }

package/dist/express/index.js

@@ -93,7 +93,7 @@ function createSsoAuthRouter(options) {
   });
   router.post("/exchange-v2", async (req, res) => {
     try {
-      const { payload } = req.body;
+      const { payload, codeVerifier: codeVerifierFromBody } = req.body;
       if (!payload) {
         res.status(400).json({ error: "Signed payload is required" });
         return;
@@ -103,12 +103,12 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const codeVerifier = verified.code_verifier;
-      if (!codeVerifier) {
-        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
+      const verifier = codeVerifierFromBody || verified.code_verifier;
+      if (!verifier) {
+        res.status(400).json({ error: "codeVerifier is required for PKCE exchange" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, verifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@bigso/auth-sdk",
-    "version": "0.5.3",
+    "version": "0.5.4",
     "description": "SDK de autenticación para SSO v2 - JWT Bearer + PKCE",
     "publishConfig": {
         "registry": "https://registry.npmjs.org/",