@cemiar/auth-sdk 1.0.15 → 1.0.17

package/README.md

@@ -1,149 +1,149 @@
-# @cemiar/auth-sdk
-
-Reusable helpers for integrating Cemiar Auth in web front-ends and Node.js APIs.
-
-This package bundles:
-
-- A browser-friendly Cemiar Auth client with email codes, Microsoft login support, token storage, refresh and logout helpers
-- Axios utilities to attach automatic Authorization headers and refresh tokens on 401 responses
-- A Hapi JWT strategy helper that fetches Cemiar Auth signing keys from JWKS and validates incoming requests
-
-## Installation
-
-```bash
-npm install @cemiar/auth-sdk
-```
-
-When working inside this monorepo, you can add it via a file reference:
-
-```bash
-npm install @cemiar/auth-sdk@file:../packages/cemiar-auth-sdk
-```
-
-Make sure the host project also has the required peer dependencies installed (`@hapi/hapi`, `hapi-auth-jwt2`).
-
-## Usage
-
-### Front-end (Vue/React/etc.)
-
-```ts
-import { createCemiarAuthClient } from "@cemiar/auth-sdk";
-
-const authClient = createCemiarAuthClient({
-    baseUrl: import.meta.env.VITE_CEMIAR_AUTH_URL!,
-    tenantId: import.meta.env.VITE_CEMIAR_TENANT_ID!,
-    auds: (import.meta.env.VITE_CEMIAR_AUDS || "").split(","),
-    redirectUrl: `${window.location.origin}/auth/microsoft/callback`,
-    logoutRedirectUrl: `${window.location.origin}/login`
-});
-
-// Trigger Microsoft login
-window.location.href = authClient.getMicrosoftLoginUrl();
-
-// Email code flow
-await authClient.sendEmailCode("user@example.com");
-const { accessToken } = await authClient.verifyEmailCode("user@example.com", "123456");
-
-// Axios client with automatic Authorization header and refresh-on-401
-const api = authClient.createApiClient({ baseURL: import.meta.env.VITE_API_BASE });
-const jobs = await api.get("/api/jobs");
-
-// Manual interceptor attachment if you already have an axios instance
-authClient.attachInterceptors(existingAxiosInstance);
-```
-
-#### Handling the Microsoft callback
-
-```ts
-const params = Object.fromEntries(new URLSearchParams(window.location.search));
-const user = authClient.handleRedirectMicrosoftCallback(params);
-
-if (user) {
-    history.replaceState(null, "", "/dashboard");
-}
-```
-
-`handleRedirectMicrosoftCallback` stores the returned access token, infers the login method for future logouts, and gives you the signed-in user details. Call it once on your redirect page, then clean up the query string if needed.
-
-#### Token storage hooks
-
-By default the client stores tokens in `localStorage`. Override storage to customize behaviour:
-
-```ts
-import { createCemiarAuthClient, TokenStorage } from "@cemiar/auth-sdk";
-
-const storage: TokenStorage = {
-    getToken: () => cookies.get("cemiar-access"),
-    setToken: token => {
-        token ? cookies.set("cemiar-access", token) : cookies.remove("cemiar-access");
-    }
-};
-
-const authClient = createCemiarAuthClient({
-    baseUrl: import.meta.env.VITE_CEMIAR_AUTH_URL!,
-    tenantId: import.meta.env.VITE_CEMIAR_TENANT_ID!,
-    auds: ["cemiar-jobs"],
-    storage
-});
-```
-
-#### Logging out
-
-```ts
-await authClient.logout();
-```
-
-Logout automatically detects whether the user signed in with Microsoft or email and routes to the matching Cemiar Auth endpoint. Override behaviour with the optional flags:
-
-- `redirectUrl`: override the post-logout redirect (defaults to `logoutRedirectUrl` from the constructor)
-- `performRedirect`: set to `false` to stay on the page and only clear the server session
-- `clearToken`: set to `false` to retain the locally cached access token
-
-You can still specify `method: "microsoft" | "emailCode"` if you need to force a flow.
-
-### Backend (Hapi)
-
-```ts
-import { registerCemiarAuthHapi } from "@cemiar/auth-sdk";
-
-await registerCemiarAuthHapi(server, {
-    authUrl: process.env.CEMIAR_AUTH_URL!,
-    strategyName: "jwt",
-    validate: async decoded => ({
-        isValid: true,
-        credentials: decoded.payload
-    })
-});
-```
-
-The helper automatically fetches signing keys from Cemiar Auth JWKS endpoint and keeps them cached.
-
-To customise the cache and algorithms:
-
-```ts
-await registerCemiarAuthHapi(server, {
-    authUrl: process.env.CEMIAR_AUTH_URL!,
-    algorithms: ["RS256"],
-    cacheMaxAgeMs: 12 * 60 * 60 * 1000
-});
-```
-
-### Environment Variables
-
-| Variable                   | Description                                                        |
-| -------------------------- | ------------------------------------------------------------------ |
-| `VITE_CEMIAR_AUTH_URL`     | Base Cemiar Auth URL (e.g. `https://cemiar-auth.example.com/auth`) |
-| `VITE_CEMIAR_TENANT_ID`    | Tenant identifier provided by Cemiar Auth                          |
-| `VITE_CEMIAR_AUDS`         | Comma separated list of audiences                                  |
-| `VITE_CEMIAR_REDIRECT_URL` | Optional override for Microsoft redirect                           |
-| `CEMIAR_AUTH_URL`          | Backend URL for Cemiar Auth (no Vite prefix)                       |
-
-### Building
-
-```bash
-cd packages/cemiar-auth-sdk
-npm install
-npm run build
-```
-
-Output will be generated under `dist/`.
+# @cemiar/auth-sdk
+
+Reusable helpers for integrating Cemiar Auth in web front-ends and Node.js APIs.
+
+This package bundles:
+
+- A browser-friendly Cemiar Auth client with email codes, Microsoft login support, token storage, refresh and logout helpers
+- Axios utilities to attach automatic Authorization headers and refresh tokens on 401 responses
+- A Hapi JWT strategy helper that fetches Cemiar Auth signing keys from JWKS and validates incoming requests
+
+## Installation
+
+```bash
+npm install @cemiar/auth-sdk
+```
+
+When working inside this monorepo, you can add it via a file reference:
+
+```bash
+npm install @cemiar/auth-sdk@file:../packages/cemiar-auth-sdk
+```
+
+Make sure the host project also has the required peer dependencies installed (`@hapi/hapi`, `hapi-auth-jwt2`).
+
+## Usage
+
+### Front-end (Vue/React/etc.)
+
+```ts
+import { createCemiarAuthClient } from "@cemiar/auth-sdk";
+
+const authClient = createCemiarAuthClient({
+    baseUrl: import.meta.env.VITE_CEMIAR_AUTH_URL!,
+    tenantId: import.meta.env.VITE_CEMIAR_TENANT_ID!,
+    auds: (import.meta.env.VITE_CEMIAR_AUDS || "").split(","),
+    redirectUrl: `${window.location.origin}/auth/microsoft/callback`,
+    logoutRedirectUrl: `${window.location.origin}/login`
+});
+
+// Trigger Microsoft login
+window.location.href = authClient.getMicrosoftLoginUrl();
+
+// Email code flow
+await authClient.sendEmailCode("user@example.com");
+const { accessToken } = await authClient.verifyEmailCode("user@example.com", "123456");
+
+// Axios client with automatic Authorization header and refresh-on-401
+const api = authClient.createApiClient({ baseURL: import.meta.env.VITE_API_BASE });
+const jobs = await api.get("/api/jobs");
+
+// Manual interceptor attachment if you already have an axios instance
+authClient.attachInterceptors(existingAxiosInstance);
+```
+
+#### Handling the Microsoft callback
+
+```ts
+const params = Object.fromEntries(new URLSearchParams(window.location.search));
+const user = authClient.handleRedirectMicrosoftCallback(params);
+
+if (user) {
+    history.replaceState(null, "", "/dashboard");
+}
+```
+
+`handleRedirectMicrosoftCallback` stores the returned access token, infers the login method for future logouts, and gives you the signed-in user details. Call it once on your redirect page, then clean up the query string if needed.
+
+#### Token storage hooks
+
+By default the client stores tokens in `localStorage`. Override storage to customize behaviour:
+
+```ts
+import { createCemiarAuthClient, TokenStorage } from "@cemiar/auth-sdk";
+
+const storage: TokenStorage = {
+    getToken: () => cookies.get("cemiar-access"),
+    setToken: token => {
+        token ? cookies.set("cemiar-access", token) : cookies.remove("cemiar-access");
+    }
+};
+
+const authClient = createCemiarAuthClient({
+    baseUrl: import.meta.env.VITE_CEMIAR_AUTH_URL!,
+    tenantId: import.meta.env.VITE_CEMIAR_TENANT_ID!,
+    auds: ["cemiar-jobs"],
+    storage
+});
+```
+
+#### Logging out
+
+```ts
+await authClient.logout();
+```
+
+Logout automatically detects whether the user signed in with Microsoft or email and routes to the matching Cemiar Auth endpoint. Override behaviour with the optional flags:
+
+- `redirectUrl`: override the post-logout redirect (defaults to `logoutRedirectUrl` from the constructor)
+- `performRedirect`: set to `false` to stay on the page and only clear the server session
+- `clearToken`: set to `false` to retain the locally cached access token
+
+You can still specify `method: "microsoft" | "emailCode"` if you need to force a flow.
+
+### Backend (Hapi)
+
+```ts
+import { registerCemiarAuthHapi } from "@cemiar/auth-sdk";
+
+await registerCemiarAuthHapi(server, {
+    authUrl: process.env.CEMIAR_AUTH_URL!,
+    strategyName: "jwt",
+    validate: async decoded => ({
+        isValid: true,
+        credentials: decoded.payload
+    })
+});
+```
+
+The helper automatically fetches signing keys from Cemiar Auth JWKS endpoint and keeps them cached.
+
+To customise the cache and algorithms:
+
+```ts
+await registerCemiarAuthHapi(server, {
+    authUrl: process.env.CEMIAR_AUTH_URL!,
+    algorithms: ["RS256"],
+    cacheMaxAgeMs: 12 * 60 * 60 * 1000
+});
+```
+
+### Environment Variables
+
+| Variable                   | Description                                                        |
+| -------------------------- | ------------------------------------------------------------------ |
+| `VITE_CEMIAR_AUTH_URL`     | Base Cemiar Auth URL (e.g. `https://cemiar-auth.example.com/auth`) |
+| `VITE_CEMIAR_TENANT_ID`    | Tenant identifier provided by Cemiar Auth                          |
+| `VITE_CEMIAR_AUDS`         | Comma separated list of audiences                                  |
+| `VITE_CEMIAR_REDIRECT_URL` | Optional override for Microsoft redirect                           |
+| `CEMIAR_AUTH_URL`          | Backend URL for Cemiar Auth (no Vite prefix)                       |
+
+### Building
+
+```bash
+cd packages/cemiar-auth-sdk
+npm install
+npm run build
+```
+
+Output will be generated under `dist/`.

package/dist/index.d.ts

@@ -1,3 +1,5 @@
 export { CemiarAuthClient, createCemiarAuthClient } from "./browser/CemiarAuthClient.js";
 export { registerCemiarAuthHapi } from "./server/ServerHandler.js";
 export * from "./shared/Types.js";
+export { tokenToClaim, tokenToClaimBrowser, normalizeBaseUrl, isBrowser } from "./shared/Utils.js";
+export { authorizeRoute } from "./server/AuthorizationHandler.js";

package/dist/index.js

@@ -1,3 +1,5 @@
 export { CemiarAuthClient, createCemiarAuthClient } from "./browser/CemiarAuthClient.js";
 export { registerCemiarAuthHapi } from "./server/ServerHandler.js";
 export * from "./shared/Types.js";
+export { tokenToClaim, tokenToClaimBrowser, normalizeBaseUrl, isBrowser } from "./shared/Utils.js";
+export { authorizeRoute } from "./server/AuthorizationHandler.js";

package/dist/server/AuthorizationHandler.d.ts

@@ -0,0 +1,5 @@
+import { ReqRefDefaults, ResponseToolkit } from "@hapi/hapi";
+export declare function authorizeRoute({ resource, action }: {
+    resource: string;
+    action: string;
+}): (request: any, h: ResponseToolkit<ReqRefDefaults>) => Promise<symbol | import("@hapi/hapi").ResponseObject>;

package/dist/server/AuthorizationHandler.js

@@ -0,0 +1,52 @@
+import axios from "axios";
+import { tokenToClaim } from "../shared/Utils.js";
+export function authorizeRoute({ resource, action }) {
+    return async (request, h) => {
+        const context = buildContextFromRequest(request);
+        if (!context) {
+            return h.response({ error: "Unauthorized: Invalid token or missing context" }).code(401).takeover();
+        }
+        const authzRequest = {
+            tenantId: context.tenantId,
+            resource,
+            action,
+            context
+        };
+        try {
+            const response = await axios.post(`${process.env.CEMIAR_AUTHZ_URL}/authorize`, authzRequest);
+            h;
+            if (response.status === 200 && response.data.allowed) {
+                h.request.headers["x-user-email"] = context.email || "";
+                return h.continue;
+            }
+            else {
+                return h.response({ error: "Forbidden: Access denied" }).code(403).takeover();
+            }
+        }
+        catch (error) {
+            return h
+                .response({ error: "Authorization service error: " + error.message })
+                .code(500)
+                .takeover();
+        }
+    };
+}
+function buildContextFromRequest(request) {
+    var _a, _b;
+    const token = (_b = (_a = request.headers) === null || _a === void 0 ? void 0 : _a.authorization) === null || _b === void 0 ? void 0 : _b.split(" ")[1];
+    if (!token) {
+        return null;
+    }
+    if (!token) {
+        return null;
+    }
+    const claim = tokenToClaim(token);
+    if (!claim) {
+        return null;
+    }
+    return {
+        email: claim.sub,
+        roles: [],
+        tenantId: process.env.CEMIAR_AUTH_TENANT_ID || ""
+    };
+}

package/dist/server/index.d.ts

@@ -1,2 +1,3 @@
 export { registerCemiarAuthHapi, createSigningKeyResolver } from "./ServerHandler.js";
 export type { JwtValidateFn, JwtValidateResult, JwtParts, HapiJwtStrategyOptions } from "../shared/Types.js";
+export { authorizeRoute } from "./AuthorizationHandler.js";

package/dist/server/index.js

@@ -1 +1,2 @@
 export { registerCemiarAuthHapi, createSigningKeyResolver } from "./ServerHandler.js";
+export { authorizeRoute } from "./AuthorizationHandler.js";

package/package.json

@@ -1,68 +1,68 @@
-{
-  "name": "@cemiar/auth-sdk",
-  "version": "1.0.15",
-  "description": "Cemiar Auth integration helpers for web apps and APIs.",
-  "type": "module",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.js"
-    },
-    "./server": {
-      "types": "./dist/server/index.d.ts",
-      "import": "./dist/server/index.js",
-      "require": "./dist/server/index.js"
-    },
-    "./browser": {
-      "types": "./dist/browser/CemiarAuthClient.d.ts",
-      "import": "./dist/browser/CemiarAuthClient.js"
-    }
-  },
-  "typesVersions": {
-    "*": {
-      "server": [
-        "./dist/server/index.d.ts"
-      ],
-      "browser": [
-        "./dist/browser/CemiarAuthClient.d.ts"
-      ]
-    }
-  },
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "clean": "rimraf dist"
-  },
-  "keywords": [
-    "cemiar",
-    "auth",
-    "jwt",
-    "hapi",
-    "axios"
-  ],
-  "author": "Cemiar",
-  "license": "MIT",
-  "dependencies": {
-    "axios": "^1.7.0",
-    "jwks-rsa": "^3.1.0"
-  },
-  "peerDependencies": {
-    "@hapi/hapi": "^21.3.0",
-    "hapi-auth-jwt2": "^10.5.0"
-  },
-  "devDependencies": {
-    "@hapi/hapi": "^21.3.0",
-    "@types/node": "^20.11.30",
-    "hapi-auth-jwt2": "^10.5.0",
-    "rimraf": "^5.0.5",
-    "typescript": "^5.3.3"
-  },
-  "publishConfig": {
-    "access": "public"
-  }
-}
+{
+    "name": "@cemiar/auth-sdk",
+    "version": "1.0.17",
+    "description": "Cemiar Auth integration helpers for web apps and APIs.",
+    "type": "module",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js",
+            "require": "./dist/index.js"
+        },
+        "./server": {
+            "types": "./dist/server/index.d.ts",
+            "import": "./dist/server/index.js",
+            "require": "./dist/server/index.js"
+        },
+        "./browser": {
+            "types": "./dist/browser/CemiarAuthClient.d.ts",
+            "import": "./dist/browser/CemiarAuthClient.js"
+        }
+    },
+    "typesVersions": {
+        "*": {
+            "server": [
+                "./dist/server/index.d.ts"
+            ],
+            "browser": [
+                "./dist/browser/CemiarAuthClient.d.ts"
+            ]
+        }
+    },
+    "files": [
+        "dist"
+    ],
+    "scripts": {
+        "build": "tsc -p tsconfig.json",
+        "clean": "rimraf dist"
+    },
+    "keywords": [
+        "cemiar",
+        "auth",
+        "jwt",
+        "hapi",
+        "axios"
+    ],
+    "author": "Cemiar",
+    "license": "MIT",
+    "dependencies": {
+        "axios": "^1.7.0",
+        "jwks-rsa": "^3.1.0"
+    },
+    "peerDependencies": {
+        "@hapi/hapi": "^21.3.0",
+        "hapi-auth-jwt2": "^10.5.0"
+    },
+    "devDependencies": {
+        "@hapi/hapi": "^21.3.0",
+        "@types/node": "^20.11.30",
+        "hapi-auth-jwt2": "^10.5.0",
+        "rimraf": "^5.0.5",
+        "typescript": "^5.3.3"
+    },
+    "publishConfig": {
+        "access": "public"
+    }
+}