@claudiocc2/oauth2-client 2.0.0 → 2.0.2

package/index.js

@@ -0,0 +1,845 @@
+// =====================================================
+// OAuth2 PKCE Client - COMPLETE EDITION
+// Session Flow + PKCE + Zanzibar + Webhooks + Introspection
+// =====================================================
+
+/**
+ * Cliente OAuth2 completo con flujo de sesión
+ * @class OAuth2Client
+ */
+class OAuth2Client {
+  /**
+   * @param {Object} config - Configuración
+   * @param {string} config.clientId - Client ID
+   * @param {string} config.authServerUrl - URL del servidor OAuth (Go)
+   * @param {string} config.backendUrl - URL de tu backend (que intercambia tokens)
+   * @param {string} config.loginPageUrl - URL del frontend de login (Go)
+   * @param {string} config.redirectUri - URI de callback
+   * @param {string[]} config.scopes - Scopes
+   * @param {boolean} config.usePKCE - Usar PKCE (default: true)
+   */
+  constructor(config) {
+    this.clientId = config.clientId;
+    this.authServerUrl = config.authServerUrl.replace(/\/$/, '');
+    this.backendUrl = config.backendUrl?.replace(/\/$/, '') || '';
+    this.loginPageUrl = config.loginPageUrl || `${this.authServerUrl}/login`;
+    this.redirectUri = config.redirectUri;
+    this.scopes = config.scopes || ['read', 'write'];
+    this.usePKCE = config.usePKCE !== false;
+    
+    this.STORAGE_PREFIX = 'oauth2_';
+    this.CODE_VERIFIER_KEY = this.STORAGE_PREFIX + 'code_verifier';
+    this.STATE_KEY = this.STORAGE_PREFIX + 'state';
+    this.ACCESS_TOKEN_KEY = this.STORAGE_PREFIX + 'access_token';
+    this.REFRESH_TOKEN_KEY = this.STORAGE_PREFIX + 'refresh_token';
+    this.EXPIRES_AT_KEY = this.STORAGE_PREFIX + 'expires_at';
+  }
+
+  // =====================================================
+  // SESSION CHECK (con cookies del servidor Go)
+  // =====================================================
+
+  /**
+   * Verifica si hay sesión en el servidor Go
+   * @returns {Promise<Object>} { authenticated: boolean, user?: Object }
+   */
+  async checkSession() {
+    try {
+      const response = await fetch(`${this.authServerUrl}/oauth/session`, {
+        method: 'GET',
+        credentials: 'include', // Envía cookies
+        headers: {
+          'Accept': 'application/json'
+        }
+      });
+
+      if (!response.ok) {
+        return { authenticated: false };
+      }
+
+      return await response.json();
+    } catch (err) {
+      console.error('Session check failed:', err);
+      return { authenticated: false };
+    }
+  }
+
+  /**
+   * Verifica sesión y redirige a login si no está autenticado
+   * @param {string} redirectAfterLogin - URL a donde volver después del login
+   * @returns {Promise<Object|null>} Session o null si redirige
+   */
+  async ensureAuthenticated(redirectAfterLogin) {
+    const session = await this.checkSession();
+    
+    if (!session.authenticated) {
+      const redirect = redirectAfterLogin || window.location.href;
+      const loginUrl = `${this.loginPageUrl}?redirect=${encodeURIComponent(redirect)}`;
+      window.location.href = loginUrl;
+      return null;
+    }
+    
+    return session;
+  }
+
+  // =====================================================
+  // PKCE UTILITIES
+  // =====================================================
+
+  _generateCodeVerifier() {
+    const array = new Uint8Array(32);
+    crypto.getRandomValues(array);
+    return this._base64URLEncode(array);
+  }
+
+  async _generateCodeChallenge(verifier) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(verifier);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    return this._base64URLEncode(new Uint8Array(hash));
+  }
+
+  _base64URLEncode(buffer) {
+    const base64 = btoa(String.fromCharCode(...buffer));
+    return base64
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=/g, '');
+  }
+
+  _generateState() {
+    const array = new Uint8Array(16);
+    crypto.getRandomValues(array);
+    return this._base64URLEncode(array);
+  }
+
+  // =====================================================
+  // AUTHORIZATION FLOW (con sesión)
+  // =====================================================
+
+  /**
+   * Solicita código de autorización al servidor Go (POST con sesión)
+   * @returns {Promise<string>} Código de autorización
+   */
+  async requestAuthorizationCode() {
+    const state = this._generateState();
+    localStorage.setItem(this.STATE_KEY, state);
+
+    let body = {
+      client_id: this.clientId,
+      redirect_uri: this.redirectUri,
+      scope: this.scopes.join(' '),
+      state: state
+    };
+
+    // PKCE
+    if (this.usePKCE) {
+      const codeVerifier = this._generateCodeVerifier();
+      const codeChallenge = await this._generateCodeChallenge(codeVerifier);
+      localStorage.setItem(this.CODE_VERIFIER_KEY, codeVerifier);
+      
+      body.code_challenge = codeChallenge;
+      body.code_challenge_method = 'S256';
+    }
+
+    // Solicitar código (con cookies de sesión)
+    const response = await fetch(`${this.authServerUrl}/oauth/authorize`, {
+      method: 'POST',
+      credentials: 'include', // Envía cookies de sesión
+      headers: {
+        'Content-Type': 'application/json',
+        'Accept': 'application/json'
+      },
+      body: JSON.stringify(body)
+    });
+
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(`Authorization failed: ${error.error || 'Unknown error'}`);
+    }
+
+    const result = await response.json();
+    return result.code;
+  }
+
+  /**
+   * Flujo completo: Verifica sesión → Solicita código → Intercambia con backend
+   * @returns {Promise<Object>} Tokens
+   */
+  async authenticate() {
+    // 1. Verificar sesión en servidor Go
+    const session = await this.ensureAuthenticated();
+    if (!session) return null; // Redirigió a login
+
+    // 2. Solicitar código de autorización
+    const code = await this.requestAuthorizationCode();
+
+    // 3. Enviar código a tu backend para intercambio
+    const tokens = await this.exchangeCodeWithBackend(code);
+
+    return tokens;
+  }
+
+  /**
+   * Intercambia código por tokens usando TU backend
+   * @param {string} code - Código de autorización
+   * @returns {Promise<Object>} Tokens
+   */
+  async exchangeCodeWithBackend(code) {
+    const codeVerifier = localStorage.getItem(this.CODE_VERIFIER_KEY);
+    const state = localStorage.getItem(this.STATE_KEY);
+
+    const response = await fetch(`${this.backendUrl}/api/oauth/exchange`, {
+      method: 'POST',
+      credentials: 'include', // Para que tu backend cree cookies
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        code: code,
+        code_verifier: codeVerifier,
+        state: state
+      })
+    });
+
+    if (!response.ok) {
+      throw new Error('Token exchange failed');
+    }
+
+    const tokens = await response.json();
+    
+    // Guardar en localStorage (backup)
+    this._saveTokens(tokens);
+
+    // Limpiar PKCE
+    localStorage.removeItem(this.CODE_VERIFIER_KEY);
+    localStorage.removeItem(this.STATE_KEY);
+
+    return tokens;
+  }
+
+  // =====================================================
+  // TOKEN MANAGEMENT (con introspection)
+  // =====================================================
+
+  _saveTokens(tokens) {
+    if (tokens.access_token) {
+      localStorage.setItem(this.ACCESS_TOKEN_KEY, tokens.access_token);
+    }
+    
+    if (tokens.refresh_token) {
+      localStorage.setItem(this.REFRESH_TOKEN_KEY, tokens.refresh_token);
+    }
+    
+    if (tokens.expires_in) {
+      const expiresAt = Date.now() + (tokens.expires_in * 1000);
+      localStorage.setItem(this.EXPIRES_AT_KEY, expiresAt.toString());
+    }
+  }
+
+  getAccessToken() {
+    return localStorage.getItem(this.ACCESS_TOKEN_KEY);
+  }
+
+  getRefreshToken() {
+    return localStorage.getItem(this.REFRESH_TOKEN_KEY);
+  }
+
+  isTokenExpired() {
+    const expiresAt = localStorage.getItem(this.EXPIRES_AT_KEY);
+    if (!expiresAt) return true;
+    return Date.now() >= (parseInt(expiresAt) - 30000);
+  }
+
+  isAuthenticated() {
+    return !!this.getAccessToken() && !this.isTokenExpired();
+  }
+
+  /**
+   * Verifica token usando introspection (en el servidor Go)
+   * @param {string} token - Token a verificar
+   * @returns {Promise<Object>} { active: boolean, ... }
+   */
+  async introspectToken(token) {
+    const response = await fetch(`${this.authServerUrl}/oauth/introspect`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        token: token,
+        client_id: this.clientId
+      })
+    });
+
+    if (!response.ok) {
+      throw new Error('Introspection failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Verifica si un token es válido
+   * @param {string} token - Token
+   * @returns {Promise<boolean>}
+   */
+  async isTokenValid(token) {
+    try {
+      const result = await this.introspectToken(token);
+      return result.active || false;
+    } catch (err) {
+      return false;
+    }
+  }
+
+  /**
+   * Obtiene token válido (verifica con introspection si es necesario)
+   * @returns {Promise<string|null>}
+   */
+  async getValidToken() {
+    const token = this.getAccessToken();
+    if (!token) return null;
+
+    // Verificar con introspection
+    try {
+      const info = await this.introspectToken(token);
+      if (info.active) {
+        return token;
+      }
+    } catch (err) {
+      console.error('Token validation failed:', err);
+    }
+
+    // Token inválido, intentar refresh
+    return await this.refreshTokenWithBackend();
+  }
+
+  /**
+   * Refresca token usando tu backend
+   * @returns {Promise<string|null>}
+   */
+  async refreshTokenWithBackend() {
+    try {
+      const response = await fetch(`${this.backendUrl}/api/oauth/refresh`, {
+        method: 'POST',
+        credentials: 'include'
+      });
+
+      if (!response.ok) {
+        this.logout();
+        return null;
+      }
+
+      const tokens = await response.json();
+      this._saveTokens(tokens);
+      
+      return tokens.access_token;
+    } catch (err) {
+      console.error('Token refresh failed:', err);
+      this.logout();
+      return null;
+    }
+  }
+
+  /**
+   * Refresca tokens (método tradicional, sin backend)
+   * @returns {Promise<Object>}
+   */
+  async refreshToken() {
+    const refreshToken = this.getRefreshToken();
+    if (!refreshToken) {
+      throw new Error('No refresh token available');
+    }
+
+    const response = await fetch(`${this.authServerUrl}/oauth/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        grant_type: 'refresh_token',
+        client_id: this.clientId,
+        refresh_token: refreshToken
+      })
+    });
+
+    if (!response.ok) {
+      if (response.status === 401) {
+        this.logout();
+      }
+      throw new Error('Token refresh failed');
+    }
+
+    const tokens = await response.json();
+    this._saveTokens(tokens);
+    return tokens;
+  }
+
+  logout() {
+    localStorage.removeItem(this.ACCESS_TOKEN_KEY);
+    localStorage.removeItem(this.REFRESH_TOKEN_KEY);
+    localStorage.removeItem(this.EXPIRES_AT_KEY);
+    localStorage.removeItem(this.CODE_VERIFIER_KEY);
+    localStorage.removeItem(this.STATE_KEY);
+  }
+
+  // =====================================================
+  // HTTP CLIENT (auto-refresh con introspection)
+  // =====================================================
+
+  /**
+   * Fetch con auto-validación y refresh
+   * @param {string} url - URL
+   * @param {Object} options - Opciones fetch
+   * @returns {Promise<Response>}
+   */
+  async fetch(url, options = {}) {
+    const token = await this.getValidToken();
+    
+    if (!token) {
+      throw new Error('No valid token available');
+    }
+
+    const headers = {
+      ...options.headers,
+      'Authorization': `Bearer ${token}`
+    };
+
+    const response = await fetch(url, {
+      ...options,
+      headers,
+      credentials: 'include'
+    });
+
+    // Si falla autenticación, intentar refresh una vez
+    if (response.status === 401 && !options._retry) {
+      const newToken = await this.refreshTokenWithBackend();
+      if (newToken) {
+        return await this.fetch(url, { ...options, _retry: true });
+      }
+    }
+
+    return response;
+  }
+
+  // =====================================================
+  // ZANZIBAR (PERMISOS)
+  // =====================================================
+
+  /**
+   * Verifica un permiso
+   * @param {Object} check - Verificación de permiso
+   * @returns {Promise<boolean>}
+   */
+  async checkPermission(check) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/authz/check`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(check)
+      });
+
+      if (!response.ok) return false;
+      
+      const result = await response.json();
+      return result.allowed || false;
+    } catch (err) {
+      console.error('Permission check failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Verifica múltiples permisos
+   * @param {Array} checks - Array de verificaciones
+   * @returns {Promise<Array>}
+   */
+  async checkPermissions(checks) {
+    const response = await this.fetch(`${this.authServerUrl}/authz/check-batch`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ checks })
+    });
+
+    if (!response.ok) {
+      throw new Error('Batch check failed');
+    }
+
+    const result = await response.json();
+    return result.results || [];
+  }
+
+  /**
+   * Otorga un permiso
+   * @param {Object} relation - Relación de permiso
+   * @returns {Promise<boolean>}
+   */
+  async grantPermission(relation) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/authz/write`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(relation)
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Grant permission failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Revoca un permiso
+   * @param {Object} relation - Relación de permiso
+   * @returns {Promise<boolean>}
+   */
+  async revokePermission(relation) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/authz/delete`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(relation)
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Revoke permission failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Lista permisos de un usuario
+   * @param {string} namespace - Namespace
+   * @param {string} subjectId - Subject ID
+   * @returns {Promise<Array>}
+   */
+  async listPermissions(namespace, subjectId) {
+    const query = new URLSearchParams({ namespace, subject_id: subjectId });
+    
+    const response = await this.fetch(`${this.authServerUrl}/authz/list?${query}`, {
+      method: 'GET'
+    });
+
+    if (!response.ok) {
+      throw new Error('List permissions failed');
+    }
+
+    const result = await response.json();
+    return result.permissions || [];
+  }
+
+  // =====================================================
+  // WEBHOOKS
+  // =====================================================
+
+  /**
+   * Crea un webhook
+   * @param {Object} webhook - Configuración del webhook
+   * @returns {Promise<Object>}
+   */
+  async createWebhook(webhook) {
+    const response = await this.fetch(`${this.authServerUrl}/api/webhooks`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(webhook)
+    });
+
+    if (!response.ok) {
+      throw new Error('Create webhook failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Lista webhooks
+   * @param {number} limit - Límite
+   * @param {number} offset - Offset
+   * @returns {Promise<Object>}
+   */
+  async listWebhooks(limit = 20, offset = 0) {
+    const query = new URLSearchParams({ limit, offset });
+    
+    const response = await this.fetch(`${this.authServerUrl}/api/webhooks?${query}`, {
+      method: 'GET'
+    });
+
+    if (!response.ok) {
+      throw new Error('List webhooks failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Obtiene un webhook
+   * @param {string} webhookId - Webhook ID
+   * @returns {Promise<Object>}
+   */
+  async getWebhook(webhookId) {
+    const response = await this.fetch(`${this.authServerUrl}/api/webhooks/${webhookId}`, {
+      method: 'GET'
+    });
+
+    if (!response.ok) {
+      throw new Error('Get webhook failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Actualiza un webhook
+   * @param {string} webhookId - Webhook ID
+   * @param {Object} data - Datos a actualizar
+   * @returns {Promise<Object>}
+   */
+  async updateWebhook(webhookId, data) {
+    const response = await this.fetch(`${this.authServerUrl}/api/webhooks/${webhookId}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data)
+    });
+
+    if (!response.ok) {
+      throw new Error('Update webhook failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Elimina un webhook
+   * @param {string} webhookId - Webhook ID
+   * @returns {Promise<boolean>}
+   */
+  async deleteWebhook(webhookId) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/api/webhooks/${webhookId}`, {
+        method: 'DELETE'
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Delete webhook failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Lista entregas de un webhook
+   * @param {string} webhookId - Webhook ID
+   * @param {number} limit - Límite
+   * @param {number} offset - Offset
+   * @returns {Promise<Object>}
+   */
+  async listWebhookDeliveries(webhookId, limit = 50, offset = 0) {
+    const query = new URLSearchParams({ limit, offset });
+    
+    const response = await this.fetch(`${this.authServerUrl}/api/webhooks/${webhookId}/deliveries?${query}`, {
+      method: 'GET'
+    });
+
+    if (!response.ok) {
+      throw new Error('List deliveries failed');
+    }
+
+    return await response.json();
+  }
+
+  /**
+   * Prueba un webhook
+   * @param {string} webhookId - Webhook ID
+   * @returns {Promise<boolean>}
+   */
+  async testWebhook(webhookId) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/api/webhooks/${webhookId}/test`, {
+        method: 'POST'
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Test webhook failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Verifica la firma de un webhook entrante
+   * @param {string} payload - Payload (JSON string)
+   * @param {string} signature - Firma recibida
+   * @param {string} secret - Secret del webhook
+   * @returns {Promise<boolean>}
+   */
+  async verifyWebhookSignature(payload, signature, secret) {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    const messageData = encoder.encode(payload);
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      keyData,
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['sign']
+    );
+
+    const signatureBuffer = await crypto.subtle.sign('HMAC', key, messageData);
+    const expectedSignature = Array.from(new Uint8Array(signatureBuffer))
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
+
+    return expectedSignature === signature;
+  }
+
+  /**
+   * Lista eventos disponibles
+   * @returns {Promise<Array>}
+   */
+  async listWebhookEvents() {
+    const response = await fetch(`${this.authServerUrl}/api/webhooks/events`, {
+      method: 'GET'
+    });
+
+    if (!response.ok) {
+      throw new Error('List events failed');
+    }
+
+    const result = await response.json();
+    return result.events || [];
+  }
+
+  // =====================================================
+  // PASSWORD MANAGEMENT
+  // =====================================================
+
+  /**
+   * Solicita reset de contraseña
+   * @param {string} email - Email del usuario
+   * @returns {Promise<boolean>}
+   */
+  async forgotPassword(email) {
+    try {
+      const response = await fetch(`${this.authServerUrl}/api/auth/forgot-password`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email })
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Forgot password failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Resetea contraseña con token
+   * @param {string} token - Token de reset
+   * @param {string} newPassword - Nueva contraseña
+   * @returns {Promise<boolean>}
+   */
+  async resetPassword(token, newPassword) {
+    try {
+      const response = await fetch(`${this.authServerUrl}/api/auth/reset-password`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          token: token,
+          new_password: newPassword
+        })
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Reset password failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Cambia contraseña (autenticado)
+   * @param {string} currentPassword - Contraseña actual
+   * @param {string} newPassword - Nueva contraseña
+   * @returns {Promise<boolean>}
+   */
+  async changePassword(currentPassword, newPassword) {
+    try {
+      const response = await this.fetch(`${this.authServerUrl}/api/users/me/change-password`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          current_password: currentPassword,
+          new_password: newPassword
+        })
+      });
+
+      return response.ok;
+    } catch (err) {
+      console.error('Change password failed:', err);
+      return false;
+    }
+  }
+
+  /**
+   * Cambia username
+   * @param {string} newUsername - Nuevo username
+   * @param {string} password - Contraseña para confirmar
+   * @returns {Promise<Object>}
+   */
+  async changeUsername(newUsername, password) {
+    const response = await this.fetch(`${this.authServerUrl}/api/users/me/username`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        new_username: newUsername,
+        password: password
+      })
+    });
+
+    if (!response.ok) {
+      throw new Error('Change username failed');
+    }
+
+    return await response.json();
+  }
+}
+
+// =====================================================
+// HELPER PARA INICIALIZACIÓN AUTOMÁTICA
+// =====================================================
+
+/**
+ * Inicializa automáticamente y verifica sesión
+ * @param {Object} config - Configuración
+ * @returns {Promise<OAuth2Client>}
+ */
+OAuth2Client.autoInit = async function(config) {
+  const client = new OAuth2Client(config);
+  
+  // Verificar si hay sesión
+  const session = await client.checkSession();
+  
+  if (!session.authenticated) {
+    console.log('No session found, redirecting to login...');
+    await client.ensureAuthenticated();
+    return null;
+  }
+  
+  console.log('Session active:', session.user);
+  return client;
+};
+
+// =====================================================
+// EXPORT
+// =====================================================
+
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = OAuth2Client;
+}
+
+if (typeof window !== 'undefined') {
+  window.OAuth2Client = OAuth2Client;
+}
+
+export default OAuth2Client;