npm - @corvushold/guard-sdk - Versions diffs - 0.14.0 → 0.16.0 - Mend

@corvushold/guard-sdk 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -153,16 +153,27 @@ interface components {
         "controller.LoginOptionsResponse": {
             /** @description If email domain matches an SSO provider's configured domains */
             domain_matched_sso?: components["schemas"]["controller.SSOProviderOption"];
+            /** @description Last successful login method for this email in this tenant (if known).
+             *     Values: "sso", "password", "magic_link" */
+            last_successful_method?: string;
             magic_link_enabled?: boolean;
             /** @description Authentication methods available */
             password_enabled?: boolean;
             /** @description Recommended/preferred login method based on context
-             *     Values: "sso", "password", "magic_link", "social" */
+             *     Values: "sso", "password", "magic_link" */
             preferred_method?: string;
+            /** @description Reason for the top recommendation.
+             *     Values: "sso_required", "last_successful_method", "domain_matched_sso", "preferred_method", "default_order" */
+            recommended_method_reason?: string;
+            /** @description Ordered recommendation list for clients that support adaptive UI.
+             *     Values: "sso", "password", "magic_link" */
+            recommended_methods?: string[];
             /** @description Whether new user signup is enabled for this tenant */
             signup_enabled?: boolean;
             /** @description Social login providers (tenant-wide or global) */
             social_providers?: components["schemas"]["controller.SocialProviderOption"][];
+            /** @description Explicit policy flag for SSO-only login UX. */
+            sso_only?: boolean;
             /** @description SSO providers configured for this tenant */
             sso_providers?: components["schemas"]["controller.SSOProviderOption"][];
             /** @description If true, SSO is required for this domain/tenant (password disabled) */
@@ -1034,6 +1045,19 @@ interface GuardClientOptions {
     defaultHeaders?: Record<string, string>;
     authMode?: 'bearer' | 'cookie';
 }
+interface OAuth2AuthorizeParams {
+    client_id: string;
+    redirect_uri: string;
+    response_type?: 'code';
+    scope?: string | string[];
+    state?: string;
+    nonce?: string;
+    code_challenge?: string;
+    code_challenge_method?: 'S256' | 'plain';
+    prompt?: string;
+    login_hint?: string;
+    max_age?: number;
+}
 type TokensResp = {
     access_token?: string | null;
     refresh_token?: string | null;
@@ -1349,7 +1373,11 @@ interface LoginOptionsResp {
     signup_enabled: boolean;
     sso_providers: SsoProviderOption[];
     preferred_method: AuthMethod;
+    recommended_methods?: AuthMethod[];
+    recommended_method_reason?: 'sso_required' | 'last_successful_method' | 'domain_matched_sso' | 'preferred_method' | 'default_order';
+    last_successful_method?: AuthMethod;
     sso_required: boolean;
+    sso_only?: boolean;
     user_exists: boolean;
     tenant_id?: string;
     tenant_name?: string;
@@ -1777,6 +1805,26 @@ declare class GuardClient {
     getOAuthClient(id: string): Promise<ResponseWrapper<OAuthClientItem>>;
     updateOAuthClient(id: string, body: UpdateOAuthClientReq): Promise<ResponseWrapper<unknown>>;
     deleteOAuthClient(id: string): Promise<ResponseWrapper<unknown>>;
+    /**
+     * Build an OAuth2 Authorization Code URL using this Guard client's baseUrl.
+     *
+     * This prevents accidental redirects to the current app origin when initiating
+     * OAuth2 flows from SPAs.
+     *
+     * @example
+     * ```ts
+     * const url = client.buildOAuth2AuthorizeUrl({
+     *   client_id: 'gc_123',
+     *   redirect_uri: 'https://app.example.com/callback',
+     *   code_challenge: 'abc...',
+     *   code_challenge_method: 'S256',
+     *   scope: ['openid', 'profile', 'email'],
+     *   state: 'csrf-state',
+     * });
+     * window.location.href = url;
+     * ```
+     */
+    buildOAuth2AuthorizeUrl(params: OAuth2AuthorizeParams): string;
     /**
      * Fetch OAuth 2.0 Authorization Server Metadata (RFC 8414)
      * Returns server capabilities including supported auth modes, endpoints, and grant types.
@@ -1805,4 +1853,4 @@ declare class GuardClient {
 declare function generateTOTPCode(base32Secret: string): string;
-export { type AcceptInvitationReq, type AdminCreateUserReq, type AdminCreateUserResp, type AdminUser, type AdminUsersResp, ApiError, type AsyncStorageLike, type AuthMethod, type CreateOAuthClientReq, type CreateOAuthClientResp, type CreateSsoProviderReq, type DiscoverTenantsResp, type FetchLike, type FgaAclTuple, type FgaGroup, type FgaGroupsResp, GuardClient, type GuardClientOptions, type HeadersMap, HttpClient, InMemoryStorage, type Interceptors, type Invitation, type InvitationStatus, type InvitationsListResp, type InviteUserReq, type InviteUserResp, type LoginOptionsResp, type Meta, type OAuthClientItem, RateLimitError, type RequestInterceptor, type ResponseInterceptor, type ResponseWrapper, type SessionItem, type SessionsListResp, type SsoLinkingPolicy, type SsoPortalContext, type SsoPortalSessionResp, type SsoProvider, type SsoProviderItem, type SsoProviderOption, type SsoProviderSlug, type SsoProviderType, type SsoProvidersListResp, type SsoSPInfoResp, type SsoTestProviderResp, type TenantId, type TenantOption, type TenantSelectionRequiredResp, type TenantSettingsPutRequest, type TenantSettingsResponse, type TenantSummary, type TokenProvider, type TokenStorage, type TransportOptions, type UpdateOAuthClientReq, type UpdateSsoProviderReq, WebLocalStorage, applyRequestInterceptors, applyResponseInterceptors, buildRateLimitError, generateTOTPCode, isApiError, isMfaChallengeResp, isRateLimitError, isTenantSelectionRequired, isTokensResp, noopStorage, parseRetryAfter, reactNativeStorageAdapter, toHeadersMap };
+export { type AcceptInvitationReq, type AdminCreateUserReq, type AdminCreateUserResp, type AdminUser, type AdminUsersResp, ApiError, type AsyncStorageLike, type AuthMethod, type CreateOAuthClientReq, type CreateOAuthClientResp, type CreateSsoProviderReq, type DiscoverTenantsResp, type FetchLike, type FgaAclTuple, type FgaGroup, type FgaGroupsResp, GuardClient, type GuardClientOptions, type HeadersMap, HttpClient, InMemoryStorage, type Interceptors, type Invitation, type InvitationStatus, type InvitationsListResp, type InviteUserReq, type InviteUserResp, type LoginOptionsResp, type Meta, type OAuth2AuthorizeParams, type OAuthClientItem, RateLimitError, type RequestInterceptor, type ResponseInterceptor, type ResponseWrapper, type SessionItem, type SessionsListResp, type SsoLinkingPolicy, type SsoPortalContext, type SsoPortalSessionResp, type SsoProvider, type SsoProviderItem, type SsoProviderOption, type SsoProviderSlug, type SsoProviderType, type SsoProvidersListResp, type SsoSPInfoResp, type SsoTestProviderResp, type TenantId, type TenantOption, type TenantSelectionRequiredResp, type TenantSettingsPutRequest, type TenantSettingsResponse, type TenantSummary, type TokenProvider, type TokenStorage, type TransportOptions, type UpdateOAuthClientReq, type UpdateSsoProviderReq, WebLocalStorage, applyRequestInterceptors, applyResponseInterceptors, buildRateLimitError, generateTOTPCode, isApiError, isMfaChallengeResp, isRateLimitError, isTenantSelectionRequired, isTokensResp, noopStorage, parseRetryAfter, reactNativeStorageAdapter, toHeadersMap };

package/dist/index.d.ts CHANGED Viewed

@@ -153,16 +153,27 @@ interface components {
         "controller.LoginOptionsResponse": {
             /** @description If email domain matches an SSO provider's configured domains */
             domain_matched_sso?: components["schemas"]["controller.SSOProviderOption"];
+            /** @description Last successful login method for this email in this tenant (if known).
+             *     Values: "sso", "password", "magic_link" */
+            last_successful_method?: string;
             magic_link_enabled?: boolean;
             /** @description Authentication methods available */
             password_enabled?: boolean;
             /** @description Recommended/preferred login method based on context
-             *     Values: "sso", "password", "magic_link", "social" */
+             *     Values: "sso", "password", "magic_link" */
             preferred_method?: string;
+            /** @description Reason for the top recommendation.
+             *     Values: "sso_required", "last_successful_method", "domain_matched_sso", "preferred_method", "default_order" */
+            recommended_method_reason?: string;
+            /** @description Ordered recommendation list for clients that support adaptive UI.
+             *     Values: "sso", "password", "magic_link" */
+            recommended_methods?: string[];
             /** @description Whether new user signup is enabled for this tenant */
             signup_enabled?: boolean;
             /** @description Social login providers (tenant-wide or global) */
             social_providers?: components["schemas"]["controller.SocialProviderOption"][];
+            /** @description Explicit policy flag for SSO-only login UX. */
+            sso_only?: boolean;
             /** @description SSO providers configured for this tenant */
             sso_providers?: components["schemas"]["controller.SSOProviderOption"][];
             /** @description If true, SSO is required for this domain/tenant (password disabled) */
@@ -1034,6 +1045,19 @@ interface GuardClientOptions {
     defaultHeaders?: Record<string, string>;
     authMode?: 'bearer' | 'cookie';
 }
+interface OAuth2AuthorizeParams {
+    client_id: string;
+    redirect_uri: string;
+    response_type?: 'code';
+    scope?: string | string[];
+    state?: string;
+    nonce?: string;
+    code_challenge?: string;
+    code_challenge_method?: 'S256' | 'plain';
+    prompt?: string;
+    login_hint?: string;
+    max_age?: number;
+}
 type TokensResp = {
     access_token?: string | null;
     refresh_token?: string | null;
@@ -1349,7 +1373,11 @@ interface LoginOptionsResp {
     signup_enabled: boolean;
     sso_providers: SsoProviderOption[];
     preferred_method: AuthMethod;
+    recommended_methods?: AuthMethod[];
+    recommended_method_reason?: 'sso_required' | 'last_successful_method' | 'domain_matched_sso' | 'preferred_method' | 'default_order';
+    last_successful_method?: AuthMethod;
     sso_required: boolean;
+    sso_only?: boolean;
     user_exists: boolean;
     tenant_id?: string;
     tenant_name?: string;
@@ -1777,6 +1805,26 @@ declare class GuardClient {
     getOAuthClient(id: string): Promise<ResponseWrapper<OAuthClientItem>>;
     updateOAuthClient(id: string, body: UpdateOAuthClientReq): Promise<ResponseWrapper<unknown>>;
     deleteOAuthClient(id: string): Promise<ResponseWrapper<unknown>>;
+    /**
+     * Build an OAuth2 Authorization Code URL using this Guard client's baseUrl.
+     *
+     * This prevents accidental redirects to the current app origin when initiating
+     * OAuth2 flows from SPAs.
+     *
+     * @example
+     * ```ts
+     * const url = client.buildOAuth2AuthorizeUrl({
+     *   client_id: 'gc_123',
+     *   redirect_uri: 'https://app.example.com/callback',
+     *   code_challenge: 'abc...',
+     *   code_challenge_method: 'S256',
+     *   scope: ['openid', 'profile', 'email'],
+     *   state: 'csrf-state',
+     * });
+     * window.location.href = url;
+     * ```
+     */
+    buildOAuth2AuthorizeUrl(params: OAuth2AuthorizeParams): string;
     /**
      * Fetch OAuth 2.0 Authorization Server Metadata (RFC 8414)
      * Returns server capabilities including supported auth modes, endpoints, and grant types.
@@ -1805,4 +1853,4 @@ declare class GuardClient {
 declare function generateTOTPCode(base32Secret: string): string;
-export { type AcceptInvitationReq, type AdminCreateUserReq, type AdminCreateUserResp, type AdminUser, type AdminUsersResp, ApiError, type AsyncStorageLike, type AuthMethod, type CreateOAuthClientReq, type CreateOAuthClientResp, type CreateSsoProviderReq, type DiscoverTenantsResp, type FetchLike, type FgaAclTuple, type FgaGroup, type FgaGroupsResp, GuardClient, type GuardClientOptions, type HeadersMap, HttpClient, InMemoryStorage, type Interceptors, type Invitation, type InvitationStatus, type InvitationsListResp, type InviteUserReq, type InviteUserResp, type LoginOptionsResp, type Meta, type OAuthClientItem, RateLimitError, type RequestInterceptor, type ResponseInterceptor, type ResponseWrapper, type SessionItem, type SessionsListResp, type SsoLinkingPolicy, type SsoPortalContext, type SsoPortalSessionResp, type SsoProvider, type SsoProviderItem, type SsoProviderOption, type SsoProviderSlug, type SsoProviderType, type SsoProvidersListResp, type SsoSPInfoResp, type SsoTestProviderResp, type TenantId, type TenantOption, type TenantSelectionRequiredResp, type TenantSettingsPutRequest, type TenantSettingsResponse, type TenantSummary, type TokenProvider, type TokenStorage, type TransportOptions, type UpdateOAuthClientReq, type UpdateSsoProviderReq, WebLocalStorage, applyRequestInterceptors, applyResponseInterceptors, buildRateLimitError, generateTOTPCode, isApiError, isMfaChallengeResp, isRateLimitError, isTenantSelectionRequired, isTokensResp, noopStorage, parseRetryAfter, reactNativeStorageAdapter, toHeadersMap };
+export { type AcceptInvitationReq, type AdminCreateUserReq, type AdminCreateUserResp, type AdminUser, type AdminUsersResp, ApiError, type AsyncStorageLike, type AuthMethod, type CreateOAuthClientReq, type CreateOAuthClientResp, type CreateSsoProviderReq, type DiscoverTenantsResp, type FetchLike, type FgaAclTuple, type FgaGroup, type FgaGroupsResp, GuardClient, type GuardClientOptions, type HeadersMap, HttpClient, InMemoryStorage, type Interceptors, type Invitation, type InvitationStatus, type InvitationsListResp, type InviteUserReq, type InviteUserResp, type LoginOptionsResp, type Meta, type OAuth2AuthorizeParams, type OAuthClientItem, RateLimitError, type RequestInterceptor, type ResponseInterceptor, type ResponseWrapper, type SessionItem, type SessionsListResp, type SsoLinkingPolicy, type SsoPortalContext, type SsoPortalSessionResp, type SsoProvider, type SsoProviderItem, type SsoProviderOption, type SsoProviderSlug, type SsoProviderType, type SsoProvidersListResp, type SsoSPInfoResp, type SsoTestProviderResp, type TenantId, type TenantOption, type TenantSelectionRequiredResp, type TenantSettingsPutRequest, type TenantSettingsResponse, type TenantSummary, type TokenProvider, type TokenStorage, type TransportOptions, type UpdateOAuthClientReq, type UpdateSsoProviderReq, WebLocalStorage, applyRequestInterceptors, applyResponseInterceptors, buildRateLimitError, generateTOTPCode, isApiError, isMfaChallengeResp, isRateLimitError, isTenantSelectionRequired, isTokensResp, noopStorage, parseRetryAfter, reactNativeStorageAdapter, toHeadersMap };

package/dist/index.js CHANGED Viewed

@@ -277,7 +277,7 @@ var HttpClient = class {
 // package.json
 var package_default = {
-  version: "0.14.0"};
+  version: "0.16.0"};
 // src/client.ts
 function isTenantSelectionRequired(data) {
@@ -1048,6 +1048,51 @@ var GuardClient = class {
   // ==============================
   // OAuth2 Discovery (RFC 8414)
   // ==============================
+  /**
+   * Build an OAuth2 Authorization Code URL using this Guard client's baseUrl.
+   *
+   * This prevents accidental redirects to the current app origin when initiating
+   * OAuth2 flows from SPAs.
+   *
+   * @example
+   * ```ts
+   * const url = client.buildOAuth2AuthorizeUrl({
+   *   client_id: 'gc_123',
+   *   redirect_uri: 'https://app.example.com/callback',
+   *   code_challenge: 'abc...',
+   *   code_challenge_method: 'S256',
+   *   scope: ['openid', 'profile', 'email'],
+   *   state: 'csrf-state',
+   * });
+   * window.location.href = url;
+   * ```
+   */
+  buildOAuth2AuthorizeUrl(params) {
+    const clientID = params.client_id?.trim();
+    if (!clientID) throw new Error("client_id is required");
+    const redirectURI = params.redirect_uri?.trim();
+    if (!redirectURI) throw new Error("redirect_uri is required");
+    const responseType = params.response_type ?? "code";
+    if (responseType !== "code") {
+      throw new Error('response_type must be "code"');
+    }
+    const scope = Array.isArray(params.scope) ? params.scope.filter(Boolean).join(" ").trim() : params.scope?.trim();
+    const u = new URL("/oauth/authorize", this.baseUrl);
+    u.searchParams.set("response_type", responseType);
+    u.searchParams.set("client_id", clientID);
+    u.searchParams.set("redirect_uri", redirectURI);
+    if (scope) u.searchParams.set("scope", scope);
+    if (params.state) u.searchParams.set("state", params.state);
+    if (params.nonce) u.searchParams.set("nonce", params.nonce);
+    if (params.code_challenge) u.searchParams.set("code_challenge", params.code_challenge);
+    if (params.code_challenge) {
+      u.searchParams.set("code_challenge_method", params.code_challenge_method ?? "S256");
+    }
+    if (params.prompt) u.searchParams.set("prompt", params.prompt);
+    if (params.login_hint) u.searchParams.set("login_hint", params.login_hint);
+    if (params.max_age !== void 0) u.searchParams.set("max_age", String(params.max_age));
+    return u.toString();
+  }
   /**
    * Fetch OAuth 2.0 Authorization Server Metadata (RFC 8414)
    * Returns server capabilities including supported auth modes, endpoints, and grant types.