@cedros/login-react 0.0.1

package/dist/types/org.d.ts

@@ -0,0 +1,101 @@
+/**
+ * Organization role in RBAC hierarchy
+ * owner > admin > member > viewer
+ */
+export type OrgRole = 'owner' | 'admin' | 'member' | 'viewer';
+/**
+ * Organization entity
+ */
+export interface Organization {
+    id: string;
+    name: string;
+    slug: string;
+    logoUrl?: string;
+    isPersonal: boolean;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Membership - user's relationship to an organization
+ */
+export interface Membership {
+    id?: string;
+    userId?: string;
+    orgId?: string;
+    role: OrgRole;
+    joinedAt?: string;
+}
+/**
+ * Organization with membership details for the current user
+ */
+export interface OrgWithMembership extends Organization {
+    membership: Membership;
+}
+/**
+ * Permission types for RBAC
+ */
+export type Permission = 'org:delete' | 'org:update' | 'org:read' | 'member:invite' | 'member:remove' | 'member:role_change' | 'member:read' | 'invite:create' | 'invite:cancel' | 'invite:read' | 'audit:read';
+/**
+ * Create organization request
+ */
+export interface CreateOrgRequest {
+    name: string;
+    slug?: string;
+}
+/**
+ * Update organization request
+ */
+export interface UpdateOrgRequest {
+    name?: string;
+    slug?: string;
+    logoUrl?: string;
+}
+/**
+ * List organizations response
+ */
+export interface ListOrgsResponse {
+    orgs: Array<Organization & {
+        role: OrgRole;
+    }>;
+    total?: number;
+    limit?: number;
+    offset?: number;
+}
+/**
+ * Authorization check request
+ */
+export interface AuthorizeRequest {
+    orgId: string;
+    action: string;
+    resource?: string;
+    resourceId?: string;
+}
+/**
+ * Authorization check response
+ */
+export interface AuthorizeResponse {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Permissions response
+ */
+export interface PermissionsResponse {
+    permissions: Permission[];
+    role: OrgRole;
+}
+/**
+ * Organization state for context
+ */
+export interface OrgState {
+    /** Currently active organization */
+    activeOrg: OrgWithMembership | null;
+    /** All organizations the user belongs to */
+    orgs: OrgWithMembership[];
+    /** User's permissions in the active org */
+    permissions: Permission[];
+    /** User's role in the active org */
+    role: OrgRole | null;
+    /** Loading state for org operations */
+    isLoading: boolean;
+}

package/dist/types/session.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Active session information
+ */
+export interface Session {
+    id: string;
+    ipAddress?: string;
+    userAgent?: string;
+    createdAt: string;
+    expiresAt: string;
+    /** Whether this is the current session */
+    isCurrent: boolean;
+}
+/**
+ * Response from listing sessions
+ */
+export interface ListSessionsResponse {
+    sessions: Session[];
+    total: number;
+    limit: number;
+    offset: number;
+}
+/**
+ * Response from revoking all sessions
+ */
+export interface RevokeAllSessionsResponse {
+    revokedCount: number;
+    message: string;
+}

package/dist/types/systemSettings.d.ts

@@ -0,0 +1,81 @@
+/**
+ * System settings types for admin configuration management
+ */
+/** Individual system setting */
+export interface SystemSetting {
+    key: string;
+    value: string;
+    description: string | null;
+    updatedAt: string;
+    updatedBy: string | null;
+}
+/** Response from GET /admin/settings */
+export interface ListSystemSettingsResponse {
+    /** Settings grouped by category (privacy, withdrawal, rate_limit) */
+    settings: Record<string, SystemSetting[]>;
+}
+/** Request to update a single setting */
+export interface UpdateSettingRequest {
+    key: string;
+    value: string;
+}
+/** Request body for PATCH /admin/settings */
+export interface UpdateSystemSettingsRequest {
+    settings: UpdateSettingRequest[];
+}
+/** Response from PATCH /admin/settings */
+export interface UpdateSystemSettingsResponse {
+    updated: SystemSetting[];
+}
+/** Category metadata for UI display */
+export interface SettingCategoryMeta {
+    label: string;
+    description: string;
+}
+/** Preset option for settings with suggested values */
+export interface SettingPreset {
+    label: string;
+    value: string;
+}
+/** Setting metadata for UI rendering */
+export interface SettingMeta {
+    key: string;
+    label: string;
+    /** Detailed description explaining what this setting does */
+    description: string;
+    /** Unit for display (e.g., 'seconds', 'requests', '%') */
+    unit?: string;
+    /** Minimum allowed value */
+    min?: number;
+    /** Maximum allowed value */
+    max?: number;
+    /** Input type determines how the setting is rendered */
+    inputType: 'number' | 'duration' | 'percentage' | 'select' | 'text' | 'tokenSymbolList' | 'tokenList';
+    /** Preset values for quick selection (used with 'select' or as suggestions) */
+    presets?: SettingPreset[];
+    /** Value threshold that triggers a warning */
+    warningThreshold?: {
+        above?: number;
+        below?: number;
+        message: string;
+    };
+    /** Step for number inputs */
+    step?: number;
+}
+/** Return type for useSystemSettings hook */
+export interface UseSystemSettingsReturn {
+    /** Settings grouped by category */
+    settings: Record<string, SystemSetting[]>;
+    /** Whether data is loading */
+    isLoading: boolean;
+    /** Whether an update is in progress */
+    isUpdating: boolean;
+    /** Error state */
+    error: Error | null;
+    /** Fetch settings from server */
+    fetchSettings: () => Promise<void>;
+    /** Update one or more settings */
+    updateSettings: (updates: UpdateSettingRequest[]) => Promise<void>;
+    /** Get a setting value by key */
+    getValue: (key: string) => string | undefined;
+}

package/dist/types/totp.d.ts

@@ -0,0 +1,52 @@
+/**
+ * TOTP (Time-based One-Time Password) types for two-factor authentication
+ */
+/**
+ * User's TOTP status
+ */
+export interface TotpStatus {
+    /** Whether TOTP is enabled for this user */
+    enabled: boolean;
+    /** Number of unused recovery codes remaining */
+    recoveryCodesRemaining: number;
+}
+/**
+ * Response from TOTP setup initiation
+ */
+export interface TotpSetupResponse {
+    /** Base32-encoded secret for manual entry */
+    secret: string;
+    /** otpauth:// URI for QR code generation */
+    otpauthUri: string;
+    /** One-time recovery codes (shown only once) */
+    recoveryCodes: string[];
+}
+/**
+ * Request to verify and enable TOTP
+ */
+export interface TotpEnableRequest {
+    /** 6-digit code from authenticator app */
+    code: string;
+}
+/**
+ * Request to verify TOTP during login
+ */
+export interface TotpVerifyRequest {
+    /** 6-digit code from authenticator app or recovery code */
+    code: string;
+}
+/**
+ * Response with new backup codes
+ */
+export interface TotpBackupCodesResponse {
+    /** New one-time recovery codes */
+    recoveryCodes: string[];
+}
+/**
+ * TOTP setup state for the enrollment flow
+ */
+export type TotpSetupState = 'idle' | 'loading' | 'setup' | 'verifying' | 'success' | 'error';
+/**
+ * TOTP verification state for the login flow
+ */
+export type TotpVerifyState = 'idle' | 'verifying' | 'success' | 'error';

package/dist/types/wallet.d.ts

@@ -0,0 +1,309 @@
+import { WalletStatus, CryptoCapabilities, EnrollmentState, RecoveryState, KdfParams } from '../crypto';
+export type { WalletStatus, CryptoCapabilities, EnrollmentState, RecoveryState, KdfParams };
+/**
+ * Wallet recovery mode (configured server-side via WALLET_RECOVERY_MODE)
+ * - share_c_only: User gets Share C only. Recovery within app, not portable.
+ * - full_seed: User gets full seed. Can use wallet elsewhere (portable).
+ * - none: No recovery option. Used for Privacy Cash deposits to prevent front-running.
+ */
+export type WalletRecoveryMode = 'share_c_only' | 'full_seed' | 'none';
+/**
+ * Wallet discovery config from server
+ */
+export interface WalletDiscoveryConfig {
+    /** Whether wallet feature is enabled */
+    enabled: boolean;
+    /** Recovery mode: share_c_only or full_seed */
+    recoveryMode: WalletRecoveryMode;
+    /** Session unlock TTL in seconds */
+    unlockTtlSeconds: number;
+}
+/**
+ * Authentication method for Share A encryption
+ * - password: Email users use their login password (Argon2id KDF)
+ * - passkey: Users with passkey login use PRF extension (HKDF)
+ */
+export type ShareAAuthMethod = 'password' | 'passkey';
+/**
+ * Wallet material response from server
+ * Note: Server no longer returns share ciphertexts - shares stay on server
+ */
+export interface WalletMaterialResponse {
+    solanaPubkey: string;
+    schemeVersion: number;
+    shareAAuthMethod: ShareAAuthMethod;
+    /** PRF salt for passkey auth method (base64, 32 bytes) */
+    prfSalt?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/** Request to enroll wallet  */
+export interface WalletEnrollRequest {
+    solanaPubkey: string;
+    /** Auth method for Share A encryption */
+    shareAAuthMethod: ShareAAuthMethod;
+    /** Encrypted Share A (base64) */
+    shareACiphertext: string;
+    /** Nonce for Share A encryption (base64, 12 bytes) */
+    shareANonce: string;
+    /** KDF salt for password/PIN method (base64) */
+    shareAKdfSalt?: string;
+    /** KDF params for password/PIN method */
+    shareAKdfParams?: KdfParams;
+    /** PRF salt for passkey method (base64, 32 bytes) */
+    prfSalt?: string;
+    /** Plaintext Share B (base64) - SSS math protects it */
+    shareB: string;
+    /**
+     * Recovery data (base64) - sent when recovery mode is enabled
+     * Contains the full seed for server-side storage until user acknowledges
+     */
+    recoveryData?: string;
+}
+/** Request to get Share B for Share C recovery mode */
+export interface ShareCRecoveryRequest {
+    /** Share C data (base64, 32 bytes decoded from mnemonic) */
+    shareC: string;
+}
+/** Response from Share C recovery endpoint */
+export interface ShareCRecoveryResponse {
+    /** Share B (base64) */
+    shareB: string;
+    /** Solana pubkey (for verification) */
+    solanaPubkey: string;
+}
+/** Request to recover wallet (replace existing with new credentials) */
+export interface WalletRecoverRequest {
+    /** Solana pubkey (must match existing wallet to prove ownership) */
+    solanaPubkey: string;
+    /** Auth method for Share A encryption */
+    shareAAuthMethod: ShareAAuthMethod;
+    /** Encrypted Share A (base64) */
+    shareACiphertext: string;
+    /** Nonce for Share A encryption (base64, 12 bytes) */
+    shareANonce: string;
+    /** KDF salt for password/PIN method (base64) */
+    shareAKdfSalt?: string;
+    /** KDF params for password/PIN method */
+    shareAKdfParams?: KdfParams;
+    /** PRF salt for passkey method (base64, 32 bytes) */
+    prfSalt?: string;
+    /** Plaintext Share B (base64) */
+    shareB: string;
+}
+/**
+ * Credential for unlocking wallet / signing transactions (frontend internal use)
+ *
+ * TYPE-02: This type uses explicit `type` discriminator for TypeScript narrowing.
+ * When sending to server API, convert to `UnlockCredentialRequest` which uses
+ * the flattened format expected by the backend (`{ password: '...' }` not
+ * `{ type: 'password', password: '...' }`).
+ *
+ * @see UnlockCredentialRequest for API request format
+ */
+export type UnlockCredential = {
+    type: 'password';
+    password: string;
+} | {
+    type: 'prfOutput';
+    prfOutput: string;
+};
+/** Request to sign a transaction  */
+export interface SignTransactionRequest {
+    /** Transaction bytes (base64) */
+    transaction: string;
+    /** Unlock credential */
+    credential?: UnlockCredentialRequest;
+}
+/**
+ * Credential for API request (flattened format matching server)
+ *
+ * TYPE-02: Server uses Serde's flattened enum format, so only ONE of these
+ * fields should be present in the request object. Do NOT include `type` field.
+ *
+ * @example { password: 'secret' }
+ * @example { prfOutput: 'base64...' }
+ */
+export type UnlockCredentialRequest = {
+    password: string;
+} | {
+    prfOutput: string;
+};
+/** Response from transaction signing */
+export interface SignTransactionResponse {
+    /** Ed25519 signature (base64, 64 bytes) */
+    signature: string;
+    /** Solana pubkey that signed */
+    pubkey: string;
+}
+/**
+ * Request to rotate user secret (re-encrypt Share A)
+ *
+ * TYPE-04: Current credential fields are FLATTENED into this struct (not nested).
+ * The server uses `#[serde(flatten)]` so credential fields appear at root level.
+ * E.g., send `{ password: "xxx", newAuthMethod: "passkey", ... }` not `{ currentCredential: {...} }`
+ *
+ * BUILD-01: Uses intersection type instead of interface-extends because
+ * UnlockCredentialRequest is a union type (TypeScript doesn't allow interfaces
+ * to extend union types).
+ */
+export type RotateUserSecretRequest = UnlockCredentialRequest & {
+    /** New auth method */
+    newAuthMethod: ShareAAuthMethod;
+    /** New encrypted Share A (base64) */
+    shareACiphertext: string;
+    /** New nonce (base64, 12 bytes) */
+    shareANonce: string;
+    /** New KDF salt for password/PIN (base64) */
+    shareAKdfSalt?: string;
+    /** New KDF params for password/PIN */
+    shareAKdfParams?: KdfParams;
+    /** New PRF salt for passkey (base64, 32 bytes) */
+    prfSalt?: string;
+};
+/** Message response from server */
+export interface MessageResponse {
+    message: string;
+}
+/** Request to unlock wallet for session-based signing */
+export interface WalletUnlockRequest {
+    /** Unlock credential (flattened format) */
+    credential: UnlockCredentialRequest;
+}
+/** Response from wallet unlock */
+export interface WalletUnlockResponse {
+    /** Whether wallet is now unlocked */
+    unlocked: boolean;
+    /** TTL in seconds until auto-lock */
+    ttlSeconds: number;
+}
+/** Wallet status response from server */
+export interface WalletStatusApiResponse {
+    /** Whether SSS embedded wallet is enrolled */
+    enrolled: boolean;
+    /** Whether wallet is currently unlocked for signing */
+    unlocked: boolean;
+    /** Solana public key (from SSS wallet if enrolled, or external wallet if connected) */
+    solanaPubkey?: string;
+    /** Auth method for SSS wallet (if enrolled) */
+    authMethod?: ShareAAuthMethod;
+    /** Whether user signed in with external Solana wallet (not SSS) */
+    hasExternalWallet: boolean;
+}
+/** Wallet context value */
+export interface WalletContextValue {
+    /** Current wallet status */
+    status: WalletStatus;
+    /** Solana public key (from SSS wallet if enrolled, or external wallet) */
+    solanaPubkey: string | null;
+    /** Auth method for Share A (if enrolled in SSS wallet) */
+    authMethod: ShareAAuthMethod | null;
+    /** Whether user signed in with external Solana wallet (not SSS) */
+    hasExternalWallet: boolean;
+    /** Whether SSS wallet is unlocked for signing */
+    isUnlocked: boolean;
+    /** Crypto capabilities */
+    capabilities: CryptoCapabilities | null;
+    /** Whether all required capabilities are available */
+    isSupported: boolean;
+    /** Error message if any */
+    error: string | null;
+    /** Refresh wallet status */
+    refresh: () => Promise<void>;
+    /** Clear error */
+    clearError: () => void;
+}
+/** Enrollment hook return value  */
+export interface UseWalletEnrollmentReturn {
+    /** Current enrollment state */
+    state: EnrollmentState;
+    /** Start enrollment with password (email users) */
+    startEnrollmentWithPassword: (password: string) => Promise<void>;
+    /** Start enrollment with passkey PRF */
+    startEnrollmentWithPasskey: () => Promise<void>;
+    /** Confirm user has saved recovery phrase */
+    confirmRecoveryPhrase: () => void;
+    /** Cancel enrollment */
+    cancel: () => void;
+    /** Whether enrollment is in progress */
+    isEnrolling: boolean;
+}
+/**
+ * Signing hook return value
+ * Signing is server-side. Client just provides credential.
+ */
+export interface UseWalletSigningReturn {
+    /** Sign a transaction */
+    signTransaction: (transaction: Uint8Array, credential?: UnlockCredential) => Promise<Uint8Array>;
+    /** Whether signing is in progress */
+    isSigning: boolean;
+    /** Error from last signing attempt */
+    error: string | null;
+    /** Clear error */
+    clearError: () => void;
+}
+/** Recovery hook return value */
+export interface UseWalletRecoveryReturn {
+    /** Current recovery state */
+    state: RecoveryState;
+    /** Start recovery: validate phrase, then set new credential */
+    startRecovery: (words: string[], method: ShareAAuthMethod, credential: string) => Promise<void>;
+    /** Cancel recovery */
+    cancel: () => void;
+    /** Whether recovery is in progress */
+    isRecovering: boolean;
+}
+/** Wallet material hook return value */
+export interface UseWalletMaterialReturn {
+    /** Fetch wallet status (enrolled, unlocked, external wallet) */
+    getStatus: () => Promise<WalletStatusApiResponse>;
+    /** Fetch wallet material (for SSS wallet details) */
+    getMaterial: () => Promise<WalletMaterialResponse | null>;
+    /** Enroll new SSS wallet */
+    enroll: (request: WalletEnrollRequest) => Promise<void>;
+    /** Recover wallet (replace existing with new credentials) */
+    recover: (request: WalletRecoverRequest) => Promise<void>;
+    /** Sign a transaction (SSS wallet) */
+    signTransaction: (request: SignTransactionRequest) => Promise<SignTransactionResponse>;
+    /** Rotate user secret */
+    rotateUserSecret: (request: RotateUserSecretRequest) => Promise<void>;
+    /** Unlock wallet for session-based signing (credential cached server-side) */
+    unlock: (credential: UnlockCredential) => Promise<WalletUnlockResponse>;
+    /** Lock wallet (clear cached credential) */
+    lock: () => Promise<void>;
+    /** Get Share B for Share C recovery mode (proves ownership via Share C) */
+    getShareBForRecovery: (request: ShareCRecoveryRequest) => Promise<ShareCRecoveryResponse>;
+    /** Whether request is in progress */
+    isLoading: boolean;
+    /** Error from last request */
+    error: string | null;
+    /** Clear error */
+    clearError: () => void;
+}
+/** PRF capability hook return value */
+export interface UsePrfCapabilityReturn {
+    /** Whether PRF is supported */
+    isSupported: boolean;
+    /** Whether check is in progress */
+    isChecking: boolean;
+    /** Error message if check failed */
+    error: string | null;
+    /** Recheck PRF support */
+    recheck: () => Promise<void>;
+}
+/** Response from pending wallet recovery check */
+export interface PendingWalletRecoveryResponse {
+    /** Whether there is pending recovery data to acknowledge */
+    hasPendingRecovery: boolean;
+    /** Type of recovery data: "share_c" or "full_seed" */
+    recoveryType?: string;
+    /** Recovery phrase (BIP-39 mnemonic or base64 seed) */
+    recoveryPhrase?: string;
+    /** When the recovery data expires */
+    expiresAt?: string;
+}
+/** Request to acknowledge receipt of recovery phrase */
+export interface AcknowledgeRecoveryRequest {
+    /** Confirmation that user has saved the recovery phrase */
+    confirmed: boolean;
+}

package/dist/utils/adminUserApi.d.ts

@@ -0,0 +1,51 @@
+import { AdminUser, AdminUserCreditsResponse, AdjustCreditsRequest, ListAdminUsersResponse, ListUsersParams, UpdateUserRequest } from '../types';
+import { AdminDepositListResponse, AdminUserWithdrawalHistoryResponse } from '../types/deposit';
+/**
+ * API client for admin user operations
+ *
+ * Requires system admin privileges.
+ */
+export declare class AdminUserApiClient {
+    private client;
+    constructor(baseUrl: string, timeoutMs?: number, retryAttempts?: number, getAccessToken?: () => string | null);
+    /**
+     * List all users in the system
+     */
+    listUsers(params?: ListUsersParams): Promise<ListAdminUsersResponse>;
+    /**
+     * Get a specific user by ID
+     */
+    getUser(userId: string): Promise<AdminUser>;
+    /**
+     * Set a user's system admin status
+     */
+    setSystemAdmin(userId: string, isAdmin: boolean): Promise<void>;
+    /**
+     * Update a user's profile
+     */
+    updateUser(userId: string, data: UpdateUserRequest): Promise<AdminUser>;
+    /**
+     * Delete a user
+     */
+    deleteUser(userId: string): Promise<void>;
+    /**
+     * Send a password reset email to a user
+     */
+    forcePasswordReset(userId: string): Promise<void>;
+    /**
+     * Adjust a user's credits
+     */
+    adjustCredits(userId: string, data: AdjustCreditsRequest): Promise<void>;
+    /**
+     * Get a user's deposit history
+     */
+    getUserDeposits(userId: string, params?: ListUsersParams): Promise<AdminDepositListResponse>;
+    /**
+     * Get a user's credit stats and transaction history
+     */
+    getUserCredits(userId: string, params?: ListUsersParams): Promise<AdminUserCreditsResponse>;
+    /**
+     * Get a user's withdrawal history
+     */
+    getUserWithdrawalHistory(userId: string, params?: ListUsersParams): Promise<AdminUserWithdrawalHistoryResponse>;
+}