@cubist-labs/cubesigner-sdk 0.4.239 → 0.4.241

package/src/client/api_client.ts

@@ -160,13 +160,19 @@ import {
   type BucketInfo,
 } from "../index";
 import { assertOk, op, type Op, type Operation, apiFetch } from "../fetch";
-import { BaseClient, type ClientConfig, signerSessionFromSessionInfo } from "./base_client";
+import {
+  authHeader,
+  BaseClient,
+  type ClientConfig,
+  signerSessionFromSessionInfo,
+} from "./base_client";
 import { retryOn5XX } from "../retry";
 import { PasskeyLoginChallenge } from "../passkey";
 
 // these types are used in doc comments only
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 import type { RoleAttestationClaims, KeyAttestationClaims } from "../schema_types";
+import { mergeHeaders } from "openapi-fetch";
 
 /**
  * String returned by API when a user does not have an email address (for backwards compatibility)
@@ -217,10 +223,7 @@ export class ApiClient extends BaseClient {
     return new ApiClient(this.sessionMeta, this.sessionManager, this.orgId, {
       ...this.config,
       ...cfg,
-      headers: {
-        ...(this.config.headers ?? {}),
-        ...(cfg.headers ?? {}),
-      },
+      headers: mergeHeaders(this.config.headers, cfg.headers),
     });
   }
 
@@ -258,12 +261,14 @@ export class ApiClient extends BaseClient {
    * @param env The environment to use
    * @param orgId The org to login to
    * @param email The email to send the signature to
+   * @param headers Optional headers to set
    * @returns The partial OIDC token that must be combined with the signature in the email
    */
   static async initEmailOtpAuth(
     env: EnvInterface,
     orgId: string,
     email: string,
+    headers?: HeadersInit,
   ): Promise<EmailOtpResponse> {
     const o = op("/v0/org/{org_id}/oidc/email-otp", "post");
 
@@ -272,6 +277,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body: { email },
+        headers,
       }),
     ).then(assertOk);
   }
@@ -2934,14 +2940,16 @@ export class ApiClient extends BaseClient {
    *
    * @param env The environment to use
    * @param email The user's email
+   * @param headers Optional headers to set
    * @returns Empty response
    */
-  static async emailMyOrgs(env: EnvInterface, email: string) {
+  static async emailMyOrgs(env: EnvInterface, email: string, headers?: HeadersInit) {
     const o = op("/v0/email/orgs", "get");
     return await retryOn5XX(() =>
       o({
         baseUrl: env.SignerApiRoot,
         params: { query: { email } },
+        headers,
       }),
     ).then(assertOk);
   }
@@ -2956,6 +2964,7 @@ export class ApiClient extends BaseClient {
    * @param lifetimes Lifetimes of the new session.
    * @param mfaReceipt Optional MFA receipt(s)
    * @param purpose Optional session description.
+   * @param headers Additional headers to set
    * @returns The session data.
    */
   static async oidcSessionCreate(
@@ -2966,18 +2975,16 @@ export class ApiClient extends BaseClient {
     lifetimes?: RatchetConfig,
     mfaReceipt?: MfaReceipts,
     purpose?: string,
+    headers?: HeadersInit,
   ): Promise<CubeSignerResponse<SessionData>> {
     const o = op("/v0/org/{org_id}/oidc", "post");
 
-    const loginFn = async (headers?: HeadersInit) => {
+    const loginFn = async (mfaHeaders?: HeadersInit) => {
       const data = await retryOn5XX(() =>
         o({
           baseUrl: env.SignerApiRoot,
           params: { path: { org_id: orgId } },
-          headers: {
-            ...headers,
-            Authorization: token,
-          },
+          headers: mergeHeaders(headers, mfaHeaders, authHeader(token)),
           body: {
             scopes,
             purpose,
@@ -3013,12 +3020,14 @@ export class ApiClient extends BaseClient {
    * @param env The environment to use
    * @param orgId The org to login to
    * @param body The request body
+   * @param headers Optional headers to set
    * @returns The challenge that needs to be answered via {@link siweLoginComplete}
    */
   static async siweLoginInit(
     env: EnvInterface,
     orgId: string,
     body: schemas["SiweInitRequest"],
+    headers?: HeadersInit,
   ): Promise<schemas["SiweInitResponse"]> {
     const o = op("/v0/org/{org_id}/oidc/siwe", "post");
     return await retryOn5XX(() =>
@@ -3026,6 +3035,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body,
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3040,12 +3050,14 @@ export class ApiClient extends BaseClient {
    * @param env The environment to use
    * @param orgId The org to login to
    * @param body The request body
+   * @param headers Optional headers to set
    * @returns An OIDC token which can be used to log in via OIDC (see {@link oidcSessionCreate})
    */
   static async siweLoginComplete(
     env: EnvInterface,
     orgId: string,
     body: schemas["SiweCompleteRequest"],
+    headers?: HeadersInit,
   ): Promise<schemas["SiweCompleteResponse"]> {
     const o = op("/v0/org/{org_id}/oidc/siwe", "patch");
     return await retryOn5XX(() =>
@@ -3053,6 +3065,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body,
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3062,17 +3075,20 @@ export class ApiClient extends BaseClient {
    *
    * @param env The environment to log into
    * @param body The login request
+   * @param headers Optional headers to set
    * @returns The challenge that must be answered (see {@link passkeyLoginComplete}) to log in.
    */
   static async passkeyLoginInit(
     env: EnvInterface,
     body: LoginRequest,
+    headers?: HeadersInit,
   ): Promise<PasskeyLoginChallenge> {
     const o = op("/v0/passkey", "post");
     const resp = await retryOn5XX(() =>
       o({
         baseUrl: env.SignerApiRoot,
         body,
+        headers,
       }),
     ).then(assertOk);
     return new PasskeyLoginChallenge(env, resp, body.purpose);
@@ -3084,18 +3100,21 @@ export class ApiClient extends BaseClient {
    * @param env The environment to log into
    * @param body The request body
    * @param purpose Optional descriptive session purpose
+   * @param headers Optional headers to set
    * @returns The session data
    */
   static async passkeyLoginComplete(
     env: EnvInterface,
     body: PasskeyAssertAnswer,
     purpose?: string | null,
+    headers?: HeadersInit,
   ): Promise<SessionData> {
     const o = op("/v0/passkey", "patch");
     const resp = await retryOn5XX(() =>
       o({
         baseUrl: env.SignerApiRoot,
         body,
+        headers,
       }),
     ).then(assertOk);
     return {
@@ -3117,11 +3136,13 @@ export class ApiClient extends BaseClient {
    * @param env The environment to log into
    * @param orgId The id of the organization
    * @param body The request body
+   * @param headers Optional headers to set
    */
   static async idpAcceptInvite(
     env: EnvInterface,
     orgId: string,
     body: InvitationAcceptRequest,
+    headers?: HeadersInit,
   ): Promise<void> {
     const o = op("/v0/org/{org_id}/invitation/accept", "post");
     await retryOn5XX(() =>
@@ -3129,6 +3150,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body,
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3139,6 +3161,7 @@ export class ApiClient extends BaseClient {
    * @param env The environment to log into
    * @param orgId The id of the organization
    * @param body The request body
+   * @param headers Optional headers to set
    * @returns Returns an OIDC token which can be used
    *   to log in via OIDC (see {@link oidcSessionCreate}).
    */
@@ -3146,6 +3169,7 @@ export class ApiClient extends BaseClient {
     env: EnvInterface,
     orgId: string,
     body: AuthenticationRequest,
+    headers?: HeadersInit,
   ): Promise<AuthenticationResponse> {
     const o = op("/v0/org/{org_id}/idp/authenticate", "post");
     return retryOn5XX(() =>
@@ -3153,6 +3177,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body,
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3163,12 +3188,14 @@ export class ApiClient extends BaseClient {
    * @param env The environment to log into
    * @param orgId The id of the organization
    * @param body The request body
+   * @param headers Optional headers to set
    * @returns Returns the partial token (`${header}.${claims}.`) while the signature is sent via email.
    */
   static async idpPasswordResetRequest(
     env: EnvInterface,
     orgId: string,
     body: PasswordResetRequest,
+    headers?: HeadersInit,
   ): Promise<EmailOtpResponse> {
     const o = op("/v0/org/{org_id}/idp/password_reset", "post");
     return retryOn5XX(() =>
@@ -3176,6 +3203,7 @@ export class ApiClient extends BaseClient {
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
         body,
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3188,6 +3216,7 @@ export class ApiClient extends BaseClient {
    * @param partialToken The partial token returned by {@link passwordResetRequest}
    * @param signature The one-time code (signature in this case) sent via email
    * @param newPassword The new password
+   * @param headers Optional headers to set
    */
   static async idpPasswordResetConfirm(
     env: EnvInterface,
@@ -3195,6 +3224,7 @@ export class ApiClient extends BaseClient {
     partialToken: string,
     signature: string,
     newPassword: string,
+    headers?: HeadersInit,
   ): Promise<void> {
     const o = op("/v0/org/{org_id}/idp/password_reset", "patch");
     await retryOn5XX(() =>
@@ -3205,6 +3235,7 @@ export class ApiClient extends BaseClient {
           token: `${partialToken}${signature}`,
           new_password: newPassword,
         },
+        headers,
       }),
     ).then(assertOk);
   }
@@ -3215,21 +3246,21 @@ export class ApiClient extends BaseClient {
    * @param env The environment to log into
    * @param orgId The org id in which to generate proof
    * @param token The oidc token
+   * @param headers Optional headers to set
    * @returns Proof of authentication
    */
   static async identityProveOidc(
     env: EnvInterface,
     orgId: string,
     token: string,
+    headers?: HeadersInit,
   ): Promise<IdentityProof> {
     const o = op("/v0/org/{org_id}/identity/prove/oidc", "post");
     return retryOn5XX(() =>
       o({
         baseUrl: env.SignerApiRoot,
         params: { path: { org_id: orgId } },
-        headers: {
-          Authorization: token,
-        },
+        headers: mergeHeaders(headers, authHeader(token)),
       }),
     ).then(assertOk);
   }
@@ -3239,16 +3270,19 @@ export class ApiClient extends BaseClient {
    *
    * @param env The environment to log into
    * @param token The oidc token identifying the user
+   * @param headers Optional headers to set
    * @returns The organization the user belongs to
    */
-  static async userOrgs(env: EnvInterface, token: string): Promise<UserOrgsResponse> {
+  static async userOrgs(
+    env: EnvInterface,
+    token: string,
+    headers?: HeadersInit,
+  ): Promise<UserOrgsResponse> {
     const o = op("/v0/user/orgs", "get");
     return retryOn5XX(() =>
       o({
         baseUrl: env.SignerApiRoot,
-        headers: {
-          Authorization: token,
-        },
+        headers: mergeHeaders(headers, authHeader(token)),
       }),
     ).then(assertOk);
   }

package/src/client/base_client.ts

@@ -9,6 +9,7 @@ import type { SessionData, SessionManager, SessionMetadata } from "./session";
 import { MemorySessionManager, metadata, parseBase64SessionData } from "./session";
 import type { NewSessionResponse, ErrorResponse } from "../schema_types";
 import type { EnvInterface } from "../env";
+import { mergeHeaders } from "openapi-fetch";
 
 /** CubeSigner SDK package name */
 export const NAME: string = pkg.name;
@@ -163,14 +164,16 @@ export class BaseClient extends EventEmitter<ClientEvents> {
       // If we have an activeSession, let it dictate the baseUrl. Otherwise fall back to the one set at construction
       baseUrl,
       ...opts,
-      headers: {
-        "User-Agent": browserUserAgent ?? `${NAME}@${VERSION}`,
-        "X-Cubist-Ts-Sdk": `${NAME}@${VERSION}`,
-        Origin: this.config.origin,
-        Authorization: token,
-        ...(this.config.headers ?? {}),
-        ...opts.headers,
-      },
+      headers: mergeHeaders(
+        {
+          "User-Agent": browserUserAgent ?? `${NAME}@${VERSION}`,
+          "X-Cubist-Ts-Sdk": `${NAME}@${VERSION}`,
+          Origin: this.config.origin,
+        },
+        authHeader(token),
+        this.config.headers,
+        opts.headers,
+      ),
       params: {
         ...opts.params,
         path: {
@@ -308,3 +311,13 @@ export type OmitAutoParams<O> = DeepOmit<
     params: { path: { org_id: string } };
   }
 > & { params?: { path?: Record<string, unknown> } };
+
+/**
+ * Creates {@link HeadersInit} containing a single "Authorization" header with a given value.
+ *
+ * @param token The "Authorization" header value
+ * @returns A {@link HeadersInit} object containing a single "Authorization" header with a given value.
+ */
+export function authHeader(token: string): HeadersInit {
+  return { Authorization: token };
+}

package/src/client.ts

@@ -1,19 +1,11 @@
 import { ApiClient } from "./client/api_client";
-import type { IdentityProof, RatchetConfig, EmailOtpResponse } from "./schema_types";
+import type { EmailOtpResponse, IdentityProof, RatchetConfig } from "./schema_types";
 
 // used in doc comments
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
 import { AddFidoChallenge, TotpChallenge } from "./mfa";
 import { Org } from "./org";
-import type {
-  CubeSignerResponse,
-  EnvInterface,
-  MfaReceipts,
-  Scope,
-  SessionData,
-  SessionInfo,
-  SessionManager,
-} from ".";
+import type { MfaReceipts, SessionData, SessionInfo, SessionManager } from ".";
 import { Key } from ".";
 
 /** Options for logging in with OIDC token */
@@ -122,71 +114,45 @@ export class CubeSignerClient {
   }
 
   /**
-   * Exchange an OIDC token for a CubeSigner session token.
-   *
-   * @param env The environment to log into
-   * @param orgId The org to log into.
-   * @param token The OIDC token to exchange
-   * @param scopes The scopes for the new session
-   * @param lifetimes Lifetimes of the new session.
-   * @param mfaReceipt Optional MFA receipt(s)
-   * @param purpose Optional session description.
-   * @returns The session data.
+   * Create a new OIDC-backed session.
+   *
+   * Same as {@link ApiClient.oidcSessionCreate}, see its documentation for more details.
+   *
+   * @param args Request arguments
+   * @returns The new session data
    */
   static async createOidcSession(
-    env: EnvInterface,
-    orgId: string,
-    token: string,
-    scopes: Array<Scope>,
-    lifetimes?: RatchetConfig,
-    mfaReceipt?: MfaReceipts,
-    purpose?: string,
-  ): Promise<CubeSignerResponse<SessionData>> {
-    return await ApiClient.oidcSessionCreate(
-      env,
-      orgId,
-      token,
-      scopes,
-      lifetimes,
-      mfaReceipt,
-      purpose,
-    );
+    ...args: Parameters<typeof ApiClient.oidcSessionCreate>
+  ): Promise<Awaited<ReturnType<typeof ApiClient.oidcSessionCreate>>> {
+    return await ApiClient.oidcSessionCreate(...args);
   }
 
   /**
-   * Exchange an OIDC token for a proof of authentication.
+   * Prove an OIDC identity.
+   *
+   * Same as {@link ApiClient.identityProveOidc}, see its documentation for more details.
    *
-   * @param env The environment to log into
-   * @param orgId The org id in which to generate proof
-   * @param token The oidc token
+   * @param args Request arguments
    * @returns Proof of authentication
    */
   static async proveOidcIdentity(
-    env: EnvInterface,
-    orgId: string,
-    token: string,
+    ...args: Parameters<typeof ApiClient.identityProveOidc>
   ): Promise<IdentityProof> {
-    return await ApiClient.identityProveOidc(env, orgId, token);
+    return await ApiClient.identityProveOidc(...args);
   }
 
   /**
-   * Initiates login via Email OTP.
-   * Returns an unsigned OIDC token and sends an email to the user containing the signature of that token.
-   * The OIDC token can be reconstructed by appending the signature to the partial token like so:
+   * Initialize email OTP authentication.
    *
-   * token = partial_token + signature
+   * Same as {@link ApiClient.initEmailOtpAuth}, see its documentation for more details.
    *
-   * @param env The environment to use
-   * @param orgId The org to login to
-   * @param email The email to send the signature to
-   * @returns The partial OIDC token that must be combined with the signature in the email
+   * @param args Request arguments
+   * @returns — The partial OIDC token that must be combined with the signature in the email
    */
   static async initEmailOtpAuth(
-    env: EnvInterface,
-    orgId: string,
-    email: string,
+    ...args: Parameters<typeof ApiClient.initEmailOtpAuth>
   ): Promise<EmailOtpResponse> {
-    return await ApiClient.initEmailOtpAuth(env, orgId, email);
+    return await ApiClient.initEmailOtpAuth(...args);
   }
 
   /**