@classic-homes/auth 0.1.43 → 0.1.44

package/dist/{auth.svelte-LJJ7MGDE.js → auth.svelte-DTSHZMJ4.js}

@@ -1,3 +1,3 @@
-export { authActions, authStore, currentUser, isAuthenticated } from './chunk-7M4DUK45.js';
-import './chunk-BDIQSTES.js';
+export { authActions, authStore, currentUser, isAuthenticated } from './chunk-DSNTNK6T.js';
+import './chunk-ES4UOD62.js';
 import './chunk-DCGC6CNV.js';

package/dist/{chunk-7M4DUK45.js → chunk-DSNTNK6T.js}

@@ -1,10 +1,13 @@
-import { authApi } from './chunk-BDIQSTES.js';
+import { authApi } from './chunk-ES4UOD62.js';
 import { decodeJWT, isInitialized, getConfig, getStorage, getDefaultStorage } from './chunk-DCGC6CNV.js';
 
 // src/svelte/stores/auth.svelte.ts
 function getStorageKey() {
   return isInitialized() ? getConfig().storageKey ?? "classic_auth" : "classic_auth";
 }
+function getSessionTokenKey() {
+  return `${getStorageKey()}_session`;
+}
 function getStorageAdapter() {
   return isInitialized() ? getStorage() : getDefaultStorage();
 }
@@ -101,7 +104,7 @@ var AuthStore = class {
     };
     saveAuthToStorage(this.state);
     if (sessionToken && typeof window !== "undefined") {
-      getStorageAdapter().setItem("sessionToken", sessionToken);
+      getStorageAdapter().setItem(getSessionTokenKey(), sessionToken);
     }
     if (typeof window !== "undefined") {
       window.dispatchEvent(
@@ -170,7 +173,7 @@ var AuthStore = class {
     };
     const storage = getStorageAdapter();
     storage.removeItem(getStorageKey());
-    storage.removeItem("sessionToken");
+    storage.removeItem(getSessionTokenKey());
     if (typeof window !== "undefined") {
       window.dispatchEvent(new CustomEvent("auth:logout"));
     }
@@ -196,6 +199,35 @@ var AuthStore = class {
     }
     return {};
   }
+  /**
+   * Handle session expiration (e.g., token refresh failure).
+   * Clears auth state and calls the onSessionExpired callback if configured.
+   *
+   * Use this instead of logout() when the session expires unexpectedly,
+   * to trigger different handling (e.g., redirect with error message).
+   */
+  handleSessionExpired() {
+    const currentPath = typeof window !== "undefined" ? window.location.pathname : "/";
+    this.state = {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    };
+    const storage = getStorageAdapter();
+    storage.removeItem(getStorageKey());
+    storage.removeItem(getSessionTokenKey());
+    if (typeof window !== "undefined") {
+      window.dispatchEvent(new CustomEvent("auth:session-expired"));
+    }
+    if (isInitialized()) {
+      const config = getConfig();
+      if (config.onSessionExpired) {
+        config.onSessionExpired(currentPath);
+      }
+    }
+    this.notify();
+  }
   /**
    * Check if user has a specific permission.
    */
@@ -239,6 +271,36 @@ var AuthStore = class {
     this.state = loadAuthFromStorage();
     this.notify();
   }
+  /**
+   * Reset the store to initial state and clear all storage.
+   * Primarily intended for testing scenarios where auth needs to be fully reset.
+   *
+   * Unlike logout(), this also clears all subscribers and doesn't
+   * dispatch events or call config callbacks.
+   *
+   * @example
+   * ```typescript
+   * // In test setup/teardown
+   * beforeEach(() => {
+   *   authStore.reset();
+   * });
+   * ```
+   */
+  reset() {
+    this.state = {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      isAuthenticated: false
+    };
+    try {
+      const storage = getStorageAdapter();
+      storage.removeItem(getStorageKey());
+      storage.removeItem(getSessionTokenKey());
+    } catch {
+    }
+    this.subscribers.clear();
+  }
 };
 var authStore = new AuthStore();
 var authActions = {
@@ -247,13 +309,15 @@ var authActions = {
   updateUser: (user) => authStore.updateUser(user),
   logout: () => authStore.logout(),
   logoutWithSSO: () => authStore.logoutWithSSO(),
+  handleSessionExpired: () => authStore.handleSessionExpired(),
   hasPermission: (permission) => authStore.hasPermission(permission),
   hasRole: (role) => authStore.hasRole(role),
   hasAnyRole: (roles) => authStore.hasAnyRole(roles),
   hasAllRoles: (roles) => authStore.hasAllRoles(roles),
   hasAnyPermission: (permissions) => authStore.hasAnyPermission(permissions),
   hasAllPermissions: (permissions) => authStore.hasAllPermissions(permissions),
-  rehydrate: () => authStore.rehydrate()
+  rehydrate: () => authStore.rehydrate(),
+  reset: () => authStore.reset()
 };
 var isAuthenticated = {
   subscribe: (subscriber) => {

package/dist/{chunk-BDIQSTES.js → chunk-ES4UOD62.js}

@@ -34,9 +34,14 @@ function getRefreshToken() {
     return null;
   }
 }
+function getSessionTokenKey() {
+  const config = getConfig();
+  const storageKey = config.storageKey ?? "classic_auth";
+  return `${storageKey}_session`;
+}
 function getSessionToken() {
   const storage = getStorage();
-  return storage.getItem("sessionToken");
+  return storage.getItem(getSessionTokenKey());
 }
 function updateStoredTokens(accessToken, refreshToken) {
   const config = getConfig();
@@ -53,7 +58,7 @@ function updateStoredTokens(accessToken, refreshToken) {
   parsed.accessToken = accessToken;
   parsed.refreshToken = refreshToken;
   storage.setItem(storageKey, JSON.stringify(parsed));
-  import('./auth.svelte-LJJ7MGDE.js').then(({ authStore }) => {
+  import('./auth.svelte-DTSHZMJ4.js').then(({ authStore }) => {
     authStore.updateTokens(accessToken, refreshToken);
   }).catch(() => {
   });
@@ -63,7 +68,7 @@ function clearStoredAuth() {
   const config = getConfig();
   const storage = getStorage();
   storage.removeItem(config.storageKey ?? "classic_auth");
-  storage.removeItem("sessionToken");
+  storage.removeItem(getSessionTokenKey());
 }
 async function refreshAccessToken() {
   const refreshToken = getRefreshToken();
@@ -160,9 +165,21 @@ async function apiRequest(endpoint, options = {}) {
           throw new Error("Authentication failed. Please sign in again.");
         }
       } else {
+        const REFRESH_TIMEOUT_MS = 3e4;
         return new Promise((resolve, reject) => {
+          let settled = false;
+          const timeoutId = setTimeout(() => {
+            if (!settled) {
+              settled = true;
+              reject(new Error("Token refresh timed out. Please sign in again."));
+            }
+          }, REFRESH_TIMEOUT_MS);
           subscribeTokenRefresh(() => {
-            apiRequest(endpoint, options).then(resolve).catch(reject);
+            if (!settled) {
+              settled = true;
+              clearTimeout(timeoutId);
+              apiRequest(endpoint, options).then(resolve).catch(reject);
+            }
           });
         });
       }
@@ -259,12 +276,17 @@ var authApi = {
   /**
    * Logout the current user.
    * Returns SSO logout URL if applicable for SSO users.
+   *
+   * Note: API errors are logged via onAuthError callback but still return success
+   * so the client can clear local state even if the server call fails.
    */
   async logout() {
     try {
       const response = await api.post("/auth/logout", {}, true);
       return extractData(response);
-    } catch {
+    } catch (error) {
+      const config = getConfig();
+      config.onAuthError?.(error instanceof Error ? error : new Error("Logout API call failed"));
       return { success: true };
     }
   },
@@ -530,6 +552,8 @@ var authApi = {
   // ============================================================================
   /**
    * Get user preferences.
+   *
+   * @throws Error if the API returns a malformed response
    */
   async getPreferences(customFetch) {
     const response = await api.get(
@@ -540,7 +564,10 @@ var authApi = {
     if (response && typeof response === "object" && "preferences" in response) {
       return response.preferences;
     }
-    return response ?? {};
+    if (response && typeof response === "object") {
+      return response;
+    }
+    throw new Error("Invalid response from preferences API: expected object with preferences");
   },
   /**
    * Update user preferences.
@@ -572,7 +599,10 @@ var authApi = {
     await api.delete("/auth/sso/unlink", true, void 0, { provider, password });
   },
   /**
-   * Link an SSO account (redirects to SSO provider).
+   * Link an SSO account (redirects to SSO provider via form POST).
+   *
+   * Uses form submission to avoid exposing the access token in URL parameters,
+   * which could leak via browser history, referrer headers, or server logs.
    */
   async linkSSOAccount(provider = "authentik") {
     if (typeof window === "undefined") return;
@@ -581,11 +611,22 @@ var authApi = {
       throw new Error("Not authenticated");
     }
     const config = getConfig();
-    const params = new URLSearchParams({
-      token: accessToken,
-      provider
-    });
-    window.location.href = `${config.baseUrl}/auth/sso/link?${params.toString()}`;
+    const form = document.createElement("form");
+    form.method = "POST";
+    form.action = `${config.baseUrl}/auth/sso/link`;
+    form.style.display = "none";
+    const tokenInput = document.createElement("input");
+    tokenInput.type = "hidden";
+    tokenInput.name = "token";
+    tokenInput.value = accessToken;
+    form.appendChild(tokenInput);
+    const providerInput = document.createElement("input");
+    providerInput.type = "hidden";
+    providerInput.name = "provider";
+    providerInput.value = provider;
+    form.appendChild(providerInput);
+    document.body.appendChild(form);
+    form.submit();
   },
   // ============================================================================
   // Security Events

package/dist/{chunk-EVKXT3NR.js → chunk-XSQYERC6.js}

@@ -1,4 +1,4 @@
-import { authApi } from './chunk-BDIQSTES.js';
+import { authApi } from './chunk-ES4UOD62.js';
 
 // src/core/guards.ts
 function isMfaChallengeResponse(response) {
@@ -14,6 +14,26 @@ function getAvailableMethods(response) {
   return response.availableMethods ?? ["totp"];
 }
 
+// src/core/errors.ts
+var RoleDeniedError = class _RoleDeniedError extends Error {
+  constructor(user, requiredRoles, redirectTo) {
+    const userRoles = user.roles?.join(", ") || user.role || "none";
+    super(
+      `User "${user.username}" does not have required role(s). Has: [${userRoles}], Required: [${requiredRoles.join(", ")}]`
+    );
+    this.name = "RoleDeniedError";
+    this.user = user;
+    this.requiredRoles = requiredRoles;
+    this.redirectTo = redirectTo;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _RoleDeniedError);
+    }
+  }
+};
+function isRoleDeniedError(error) {
+  return error instanceof RoleDeniedError || error?.name === "RoleDeniedError";
+}
+
 // src/core/service.ts
 var AuthService = class {
   // ============================================================================
@@ -27,9 +47,20 @@ var AuthService = class {
    */
   async login(credentials, options) {
     const response = await authApi.login(credentials);
+    if (options?.allowedRoles?.length && !isMfaChallengeResponse(response)) {
+      const userRoles = response.user.roles || (response.user.role ? [response.user.role] : []);
+      const hasAllowedRole = options.allowedRoles.some((r) => userRoles.includes(r));
+      if (!hasAllowedRole) {
+        throw new RoleDeniedError(
+          response.user,
+          options.allowedRoles,
+          options.onRoleDeniedRedirect
+        );
+      }
+    }
     if (options?.autoSetAuth !== false && !isMfaChallengeResponse(response)) {
       try {
-        const { authStore } = await import('./auth.svelte-LJJ7MGDE.js');
+        const { authStore } = await import('./auth.svelte-DTSHZMJ4.js');
         authStore.setAuth(
           response.accessToken,
           response.refreshToken,
@@ -202,9 +233,20 @@ var AuthService = class {
    */
   async verifyMFAChallenge(data, options) {
     const response = await authApi.verifyMFAChallenge(data);
+    if (options?.allowedRoles?.length) {
+      const userRoles = response.user.roles || (response.user.role ? [response.user.role] : []);
+      const hasAllowedRole = options.allowedRoles.some((r) => userRoles.includes(r));
+      if (!hasAllowedRole) {
+        throw new RoleDeniedError(
+          response.user,
+          options.allowedRoles,
+          options.onRoleDeniedRedirect
+        );
+      }
+    }
     if (options?.autoSetAuth !== false) {
       try {
-        const { authStore } = await import('./auth.svelte-LJJ7MGDE.js');
+        const { authStore } = await import('./auth.svelte-DTSHZMJ4.js');
         authStore.setAuth(
           response.accessToken,
           response.refreshToken,
@@ -303,4 +345,67 @@ var AuthService = class {
 };
 var authService = new AuthService();
 
-export { AuthService, authService, getAvailableMethods, getMfaToken, isLoginSuccessResponse, isMfaChallengeResponse };
+// src/core/user-utils.ts
+function getDisplayName(user) {
+  if (!user) return "Unknown";
+  if (user.firstName && user.lastName) {
+    return `${user.firstName} ${user.lastName}`;
+  }
+  return user.firstName || user.username || user.email || "Unknown";
+}
+function getUserInitials(user, maxLength = 2) {
+  const name = getDisplayName(user);
+  if (name === "Unknown") {
+    return "?";
+  }
+  return name.split(" ").filter((part) => part.length > 0).map((part) => part[0]).join("").toUpperCase().slice(0, maxLength);
+}
+function getAvatarFallback(user) {
+  return getUserInitials(user);
+}
+function getUserEmail(user, masked = false) {
+  if (!user?.email) return "";
+  if (!masked) {
+    return user.email;
+  }
+  const [local, domain] = user.email.split("@");
+  if (!domain) return user.email;
+  const maskedLocal = local.length > 1 ? local[0] + "***" : local;
+  return `${maskedLocal}@${domain}`;
+}
+function getGreeting(user, includeTime = true) {
+  const name = user?.firstName || getDisplayName(user);
+  if (!includeTime) {
+    return `Hello, ${name}`;
+  }
+  const hour = (/* @__PURE__ */ new Date()).getHours();
+  let timeGreeting;
+  if (hour < 12) {
+    timeGreeting = "Good morning";
+  } else if (hour < 17) {
+    timeGreeting = "Good afternoon";
+  } else {
+    timeGreeting = "Good evening";
+  }
+  return `${timeGreeting}, ${name}`;
+}
+function formatUserRoles(user, options = {}) {
+  if (!user) return "";
+  const { max, separator = ", ", lowercase = false, capitalize = true } = options;
+  const roles = user.roles || (user.role ? [user.role] : []);
+  if (roles.length === 0) return "";
+  const formatRole = (role) => {
+    if (lowercase) return role.toLowerCase();
+    if (capitalize) return role.charAt(0).toUpperCase() + role.slice(1).toLowerCase();
+    return role;
+  };
+  const formatted = roles.map(formatRole);
+  if (max && formatted.length > max) {
+    const shown = formatted.slice(0, max);
+    const remaining = formatted.length - max;
+    return `${shown.join(separator)} +${remaining} more`;
+  }
+  return formatted.join(separator);
+}
+
+export { AuthService, RoleDeniedError, authService, formatUserRoles, getAvailableMethods, getAvatarFallback, getDisplayName, getGreeting, getMfaToken, getUserEmail, getUserInitials, isLoginSuccessResponse, isMfaChallengeResponse, isRoleDeniedError };

package/dist/chunk-YTMFXVJR.js

@@ -0,0 +1,216 @@
+import { authService } from './chunk-XSQYERC6.js';
+import { authStore, currentUser, isAuthenticated, authActions } from './chunk-DSNTNK6T.js';
+import { isInitialized, initAuth } from './chunk-DCGC6CNV.js';
+
+// src/svelte/guards/auth-guard.ts
+function checkAuth(options = {}) {
+  const { roles, permissions, requireAllRoles, requireAllPermissions } = options;
+  if (!authStore.isAuthenticated) {
+    return {
+      allowed: false,
+      reason: "not_authenticated",
+      redirectTo: "/login"
+    };
+  }
+  if (roles && roles.length > 0) {
+    const hasRoles = requireAllRoles ? authStore.hasAllRoles(roles) : authStore.hasAnyRole(roles);
+    if (!hasRoles) {
+      return {
+        allowed: false,
+        reason: "missing_role",
+        redirectTo: "/unauthorized"
+      };
+    }
+  }
+  if (permissions && permissions.length > 0) {
+    const hasPermissions = requireAllPermissions ? authStore.hasAllPermissions(permissions) : authStore.hasAnyPermission(permissions);
+    if (!hasPermissions) {
+      return {
+        allowed: false,
+        reason: "missing_permission",
+        redirectTo: "/unauthorized"
+      };
+    }
+  }
+  return { allowed: true };
+}
+function createAuthGuard(options = {}) {
+  return (onDenied) => {
+    const result = checkAuth(options);
+    if (!result.allowed) {
+      onDenied(result.redirectTo ?? "/login", result.reason ?? "not_authenticated");
+      return false;
+    }
+    return true;
+  };
+}
+function requireAuth() {
+  return checkAuth();
+}
+function requireRole(roles, requireAll = false) {
+  const roleArray = Array.isArray(roles) ? roles : [roles];
+  return checkAuth({ roles: roleArray, requireAllRoles: requireAll });
+}
+function requirePermission(permissions, requireAll = false) {
+  const permArray = Array.isArray(permissions) ? permissions : [permissions];
+  return checkAuth({ permissions: permArray, requireAllPermissions: requireAll });
+}
+function protectedLoad(options, loadFn) {
+  return async (event) => {
+    const result = checkAuth(options);
+    if (!result.allowed) {
+      return { redirect: result.redirectTo ?? "/login" };
+    }
+    return loadFn(event);
+  };
+}
+
+// src/svelte/client.ts
+function createAuthClient(options) {
+  const { autoRehydrate = true, ...config } = options;
+  if (!isInitialized()) {
+    initAuth(config);
+  }
+  if (autoRehydrate && typeof window !== "undefined") {
+    authStore.rehydrate();
+  }
+  return {
+    authStore,
+    authActions,
+    authService,
+    isAuthenticated,
+    currentUser
+  };
+}
+
+// src/svelte/utils/nav-filter.ts
+function filterByAccess(items, user, options = {}) {
+  const {
+    requireAllRoles = false,
+    requireAllPermissions = false,
+    hideUnrestrictedForGuests = false
+  } = options;
+  const userRoles = user?.roles || (user?.role ? [user.role] : []);
+  const userPerms = user?.permissions || [];
+  return items.filter((item) => {
+    const hasRoleRestriction = item.roles && item.roles.length > 0;
+    const hasPermRestriction = item.permissions && item.permissions.length > 0;
+    if (!hasRoleRestriction && !hasPermRestriction) {
+      if (hideUnrestrictedForGuests && !user) {
+        return false;
+      }
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (hasRoleRestriction) {
+      const hasRoles = requireAllRoles ? item.roles.every((r) => userRoles.includes(r)) : item.roles.some((r) => userRoles.includes(r));
+      if (!hasRoles) {
+        return false;
+      }
+    }
+    if (hasPermRestriction) {
+      const hasPerms = requireAllPermissions ? item.permissions.every((p) => userPerms.includes(p)) : item.permissions.some((p) => userPerms.includes(p));
+      if (!hasPerms) {
+        return false;
+      }
+    }
+    return true;
+  });
+}
+function filterNavSections(sections, user, options = {}) {
+  return sections.map((section) => ({
+    ...section,
+    items: filterByAccess(section.items, user, options)
+  })).filter((section) => section.items.length > 0);
+}
+function canAccess(item, user, options = {}) {
+  return filterByAccess([item], user, options).length > 0;
+}
+function createNavFilter(defaultOptions = {}) {
+  return (items, user, options) => {
+    return filterByAccess(items, user, { ...defaultOptions, ...options });
+  };
+}
+
+// src/svelte/hooks/auth-hook.ts
+function createAuthHook(options = {}) {
+  const {
+    loginPath = "/login",
+    publicRoutes = [/^\/auth\//, /^\/api\/auth\//],
+    protectedRoutes,
+    cookieName = "classic_auth",
+    headerName,
+    redirectParam = "redirect",
+    isAuthenticated: customIsAuthenticated,
+    onUnauthenticated,
+    onAuthCheck
+  } = options;
+  return async ({
+    event,
+    resolve
+  }) => {
+    const { pathname } = event.url;
+    const isPublic = publicRoutes.some((r) => r.test(pathname));
+    if (isPublic) {
+      return resolve(event);
+    }
+    if (protectedRoutes && !protectedRoutes.some((r) => r.test(pathname))) {
+      return resolve(event);
+    }
+    let authenticated;
+    if (customIsAuthenticated) {
+      authenticated = await customIsAuthenticated(event);
+    } else {
+      const hasCookie = !!event.cookies.get(cookieName);
+      const hasHeader = headerName ? !!event.request.headers.get(headerName) : false;
+      authenticated = hasCookie || hasHeader;
+    }
+    onAuthCheck?.(event, authenticated);
+    if (!authenticated) {
+      if (onUnauthenticated) {
+        return onUnauthenticated(event);
+      }
+      const redirectUrl = encodeURIComponent(pathname + event.url.search);
+      const loginUrl = new URL(loginPath, event.url.origin);
+      loginUrl.searchParams.set(redirectParam, redirectUrl);
+      return new Response(null, {
+        status: 302,
+        headers: { Location: loginUrl.pathname + loginUrl.search }
+      });
+    }
+    return resolve(event);
+  };
+}
+function matchesRoute(pathname, patterns) {
+  return patterns.some((pattern) => pattern.test(pathname));
+}
+var routePatterns = {
+  /** Match all /auth/* routes */
+  auth: /^\/auth\//,
+  /** Match all /api/* routes */
+  api: /^\/api\//,
+  /** Match all /api/auth/* routes */
+  apiAuth: /^\/api\/auth\//,
+  /** Match all /public/* routes */
+  public: /^\/public\//,
+  /** Match all /admin/* routes */
+  admin: /^\/admin\//,
+  /** Match exact root path */
+  root: /^\/$/,
+  /** Match health check endpoints */
+  health: /^\/(api\/)?(health|healthz|ready|live)\/?$/,
+  /**
+   * Create a pattern for a specific path prefix.
+   * @param prefix - Path prefix (e.g., '/dashboard')
+   */
+  prefix: (prefix) => new RegExp(`^${prefix.replace(/\//g, "\\/")}`),
+  /**
+   * Create a pattern for exact path match.
+   * @param path - Exact path (e.g., '/about')
+   */
+  exact: (path) => new RegExp(`^${path.replace(/\//g, "\\/")}$`)
+};
+
+export { canAccess, checkAuth, createAuthClient, createAuthGuard, createAuthHook, createNavFilter, filterByAccess, filterNavSections, matchesRoute, protectedLoad, requireAuth, requirePermission, requireRole, routePatterns };