npm - @dalgoridim/headless-cms - Versions diffs - 0.2.1 → 0.3.1 - Mend

@dalgoridim/headless-cms 0.2.1 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/auth/google/client/index.cjs +205 -0
package/dist/auth/google/client/index.cjs.map +1 -0
package/dist/auth/google/client/index.d.cts +76 -0
package/dist/auth/google/client/index.d.ts +76 -0
package/dist/auth/google/client/index.js +187 -0
package/dist/auth/google/client/index.js.map +1 -0
package/dist/auth/google/index.cjs +121 -0
package/dist/auth/google/index.cjs.map +1 -0
package/dist/auth/google/index.d.cts +45 -0
package/dist/auth/google/index.d.ts +45 -0
package/dist/auth/google/index.js +95 -0
package/dist/auth/google/index.js.map +1 -0
package/package.json +11 -1

package/dist/auth/google/client/index.cjs ADDED Viewed

@@ -0,0 +1,205 @@
+"use strict";
+"use client";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/google/client/index.tsx
+var client_exports = {};
+__export(client_exports, {
+  GoogleAuthProvider: () => GoogleAuthProvider,
+  useGoogleAuth: () => useGoogleAuth
+});
+module.exports = __toCommonJS(client_exports);
+var import_react = require("react");
+var import_client = require("@dalgoridim/headless-cms/client");
+var import_jsx_runtime = require("react/jsx-runtime");
+var GSI_SRC = "https://accounts.google.com/gsi/client";
+var GoogleAuthContext = (0, import_react.createContext)(
+  void 0
+);
+function setCookie(name, value) {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;
+}
+function deleteCookie(name) {
+  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+function readCookie(name) {
+  for (const part of document.cookie.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function decodeJwt(token) {
+  try {
+    const payload = token.split(".")[1];
+    const json = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    const data = JSON.parse(json);
+    return data;
+  } catch (e) {
+    return null;
+  }
+}
+function GoogleAuthProvider({
+  children,
+  clientId,
+  adminEmails,
+  cookieName = "adminToken",
+  onLogout
+}) {
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [isAdmin, setIsAdmin] = (0, import_react.useState)(false);
+  const [isEditing, setIsEditing] = (0, import_react.useState)(false);
+  const [ready, setReady] = (0, import_react.useState)(false);
+  const [failed, setFailed] = (0, import_react.useState)(false);
+  const allowed = (0, import_react.useRef)(
+    (adminEmails != null ? adminEmails : []).map((e) => e.trim().toLowerCase())
+  );
+  const applyToken = (0, import_react.useCallback)(
+    (token) => {
+      var _a;
+      const claims = decodeJwt(token);
+      if (!claims) return;
+      if (claims.exp && claims.exp * 1e3 <= Date.now()) {
+        deleteCookie(cookieName);
+        return;
+      }
+      const email = (_a = claims.email) == null ? void 0 : _a.toLowerCase();
+      const admin = allowed.current.length === 0 ? true : !!email && allowed.current.includes(email);
+      setCookie(cookieName, token);
+      setUser({
+        sub: claims.sub,
+        email: claims.email,
+        name: claims.name,
+        picture: claims.picture
+      });
+      setIsAdmin(admin);
+    },
+    [cookieName]
+  );
+  (0, import_react.useEffect)(() => {
+    const existing = readCookie(cookieName);
+    if (existing) applyToken(existing);
+  }, [cookieName, applyToken]);
+  (0, import_react.useEffect)(() => {
+    let cancelled = false;
+    function tryInit() {
+      var _a, _b;
+      if (cancelled || !((_b = (_a = window.google) == null ? void 0 : _a.accounts) == null ? void 0 : _b.id)) return false;
+      window.google.accounts.id.initialize({
+        client_id: clientId,
+        callback: (res) => applyToken(res.credential),
+        auto_select: false,
+        cancel_on_tap_outside: true
+      });
+      setReady(true);
+      return true;
+    }
+    if (tryInit()) return;
+    if (!document.querySelector(`script[src="${GSI_SRC}"]`)) {
+      const script = document.createElement("script");
+      script.src = GSI_SRC;
+      script.async = true;
+      script.defer = true;
+      document.head.appendChild(script);
+    }
+    const startedAt = Date.now();
+    const timer = setInterval(() => {
+      if (tryInit()) {
+        clearInterval(timer);
+      } else if (Date.now() - startedAt > 1e4) {
+        clearInterval(timer);
+        if (!cancelled) setFailed(true);
+      }
+    }, 120);
+    return () => {
+      cancelled = true;
+      clearInterval(timer);
+    };
+  }, [clientId, applyToken]);
+  (0, import_react.useEffect)(() => {
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const response = await originalFetch(...args);
+      if (response.status === 401) {
+        try {
+          const data = await response.clone().json();
+          if (data == null ? void 0 : data.logout) doLogout();
+        } catch (e) {
+        }
+      }
+      return response;
+    };
+    return () => {
+      window.fetch = originalFetch;
+    };
+  }, []);
+  function doLogout() {
+    var _a;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.disableAutoSelect();
+    deleteCookie(cookieName);
+    setUser(null);
+    setIsAdmin(false);
+    setIsEditing(false);
+    onLogout == null ? void 0 : onLogout();
+  }
+  const promptSignIn = (0, import_react.useCallback)(() => {
+    var _a;
+    if (!ready) return;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.prompt();
+  }, [ready]);
+  const renderButton = (0, import_react.useCallback)(
+    (el, options) => {
+      var _a;
+      if (!ready) return;
+      (_a = window.google) == null ? void 0 : _a.accounts.id.renderButton(el, options);
+    },
+    [ready]
+  );
+  const toggleEdit = (0, import_react.useCallback)(() => setIsEditing((p) => !p), []);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+    GoogleAuthContext.Provider,
+    {
+      value: {
+        user,
+        isAdmin,
+        isEditing,
+        toggleEdit,
+        ready,
+        failed,
+        promptSignIn,
+        renderButton,
+        logout: doLogout
+      },
+      children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_client.CmsAuthProvider, { value: { isAdmin, isEditing, toggleEdit }, children })
+    }
+  );
+}
+function useGoogleAuth() {
+  const ctx = (0, import_react.useContext)(GoogleAuthContext);
+  if (!ctx) {
+    throw new Error("useGoogleAuth must be used within a GoogleAuthProvider");
+  }
+  return ctx;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GoogleAuthProvider,
+  useGoogleAuth
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/google/client/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/auth/google/client/index.tsx"],"sourcesContent":["\"use client\";\n\nimport {\n createContext,\n useCallback,\n useContext,\n useEffect,\n useRef,\n useState,\n type ReactNode,\n} from \"react\";\n// Imported via the public specifier so we share the SAME context instance as\n// the consumer's edit primitives at runtime (see tsup `external` + tsconfig paths).\nimport { CmsAuthProvider } from \"@dalgoridim/headless-cms/client\";\n\n/**\n * Client provider for **Google Identity Services** sign-in — the Firebase-free\n * counterpart to `FirebaseAuthProvider`. It loads the GSI script, lets the user\n * sign in with Google, stashes the resulting ID token in a cookie for the\n * server `googleAuth` adapter to verify, and feeds the shared CMS auth context\n * so the edit primitives light up. Admin status is optimistic on the client\n * (via `adminEmails`); the server gate remains authoritative.\n */\n\nconst GSI_SRC = \"https://accounts.google.com/gsi/client\";\n\n/** Minimal slice of the Google Identity Services API we use. */\ninterface GsiCredentialResponse {\n credential: string;\n}\ninterface GsiButtonOptions {\n type?: \"standard\" | \"icon\";\n theme?: \"outline\" | \"filled_blue\" | \"filled_black\";\n size?: \"small\" | \"medium\" | \"large\";\n text?: \"signin_with\" | \"signup_with\" | \"continue_with\" | \"signin\";\n shape?: \"rectangular\" | \"pill\" | \"circle\" | \"square\";\n width?: number;\n}\ninterface GsiClient {\n accounts: {\n id: {\n initialize: (config: {\n client_id: string;\n callback: (res: GsiCredentialResponse) => void;\n auto_select?: boolean;\n cancel_on_tap_outside?: boolean;\n }) => void;\n prompt: () => void;\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n disableAutoSelect: () => void;\n };\n };\n}\n\ndeclare global {\n interface Window {\n google?: GsiClient;\n }\n}\n\nexport interface GoogleUser {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n}\n\nexport interface GoogleAuthProviderProps {\n children: ReactNode;\n /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */\n clientId: string;\n /**\n * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server\n * `googleAuth` adapter still enforces the real gate. Omit to treat any\n * successful sign-in as optimistically admin (server will correct via 401).\n */\n adminEmails?: string[];\n /** Cookie name for the ID token. Default `adminToken`. */\n cookieName?: string;\n /** Called when a 401 `{ logout: true }` response is intercepted. */\n onLogout?: () => void;\n}\n\nexport interface GoogleAuthContextValue {\n user: GoogleUser | null;\n isAdmin: boolean;\n isEditing: boolean;\n toggleEdit: () => void;\n /** True once the GSI script has loaded and the client is initialized. */\n ready: boolean;\n /** True if GSI failed to load within the timeout (blocked/offline). */\n failed: boolean;\n /** Trigger Google One Tap / sign-in prompt. */\n promptSignIn: () => void;\n /** Render the official Google button into `el` (most reliable trigger). */\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n logout: () => void;\n}\n\nconst GoogleAuthContext = createContext<GoogleAuthContextValue | undefined>(\n undefined,\n);\n\nfunction setCookie(name: string, value: string) {\n document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;\n}\nfunction deleteCookie(name: string) {\n document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n}\nfunction readCookie(name: string): string | null {\n for (const part of document.cookie.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Decode a JWT payload client-side (no verification — the server does that). */\nfunction decodeJwt(token: string): (GoogleUser & { exp?: number }) | null {\n try {\n const payload = token.split(\".\")[1];\n const json = atob(payload.replace(/-/g, \"+\").replace(/_/g, \"/\"));\n const data = JSON.parse(json) as {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n exp?: number;\n };\n return data;\n } catch {\n return null;\n }\n}\n\nexport function GoogleAuthProvider({\n children,\n clientId,\n adminEmails,\n cookieName = \"adminToken\",\n onLogout,\n}: GoogleAuthProviderProps) {\n const [user, setUser] = useState<GoogleUser | null>(null);\n const [isAdmin, setIsAdmin] = useState(false);\n const [isEditing, setIsEditing] = useState(false);\n const [ready, setReady] = useState(false);\n const [failed, setFailed] = useState(false);\n const allowed = useRef(\n (adminEmails ?? []).map((e) => e.trim().toLowerCase()),\n );\n\n const applyToken = useCallback(\n (token: string) => {\n const claims = decodeJwt(token);\n if (!claims) return;\n if (claims.exp && claims.exp * 1000 <= Date.now()) {\n deleteCookie(cookieName);\n return;\n }\n const email = claims.email?.toLowerCase();\n // Optimistic: if no allowlist supplied, trust the sign-in and let the\n // server correct a non-admin via the 401 interceptor below.\n const admin =\n allowed.current.length === 0\n ? true\n : !!email && allowed.current.includes(email);\n setCookie(cookieName, token);\n setUser({\n sub: claims.sub,\n email: claims.email,\n name: claims.name,\n picture: claims.picture,\n });\n setIsAdmin(admin);\n },\n [cookieName],\n );\n\n // Restore an existing session from the cookie on mount.\n useEffect(() => {\n const existing = readCookie(cookieName);\n if (existing) applyToken(existing);\n }, [cookieName, applyToken]);\n\n // Load the GSI script and initialize the client. Polling (rather than relying\n // on a `load` event) makes this robust against React's dev double-mount, a\n // cached/already-loaded script, and missed load events — any of which could\n // otherwise leave `ready` stuck false and the UI spinning forever.\n useEffect(() => {\n let cancelled = false;\n\n function tryInit(): boolean {\n if (cancelled || !window.google?.accounts?.id) return false;\n window.google.accounts.id.initialize({\n client_id: clientId,\n callback: (res) => applyToken(res.credential),\n auto_select: false,\n cancel_on_tap_outside: true,\n });\n setReady(true);\n return true;\n }\n\n if (tryInit()) return;\n\n // Ensure the script tag exists exactly once across mounts.\n if (!document.querySelector(`script[src=\"${GSI_SRC}\"]`)) {\n const script = document.createElement(\"script\");\n script.src = GSI_SRC;\n script.async = true;\n script.defer = true;\n document.head.appendChild(script);\n }\n\n const startedAt = Date.now();\n const timer = setInterval(() => {\n if (tryInit()) {\n clearInterval(timer);\n } else if (Date.now() - startedAt > 10_000) {\n // Blocked (ad/privacy extension) or offline — surface a failure so the\n // UI can show a fallback instead of an endless spinner.\n clearInterval(timer);\n if (!cancelled) setFailed(true);\n }\n }, 120);\n\n return () => {\n cancelled = true;\n clearInterval(timer);\n };\n }, [clientId, applyToken]);\n\n // Intercept admin 401s so an expired/forbidden session forces sign-out.\n useEffect(() => {\n const originalFetch = window.fetch;\n window.fetch = async (...args: Parameters<typeof fetch>) => {\n const response = await originalFetch(...args);\n if (response.status === 401) {\n try {\n const data = await response.clone().json();\n if (data?.logout) doLogout();\n } catch {\n /* not a JSON body — ignore */\n }\n }\n return response;\n };\n return () => {\n window.fetch = originalFetch;\n };\n // eslint-disable-next-line react-hooks/exhaustive-deps\n }, []);\n\n function doLogout() {\n window.google?.accounts.id.disableAutoSelect();\n deleteCookie(cookieName);\n setUser(null);\n setIsAdmin(false);\n setIsEditing(false);\n onLogout?.();\n }\n\n const promptSignIn = useCallback(() => {\n if (!ready) return;\n window.google?.accounts.id.prompt();\n }, [ready]);\n\n const renderButton = useCallback(\n (el: HTMLElement, options?: GsiButtonOptions) => {\n if (!ready) return;\n window.google?.accounts.id.renderButton(el, options);\n },\n [ready],\n );\n\n const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);\n\n return (\n <GoogleAuthContext.Provider\n value={{\n user,\n isAdmin,\n isEditing,\n toggleEdit,\n ready,\n failed,\n promptSignIn,\n renderButton,\n logout: doLogout,\n }}\n >\n <CmsAuthProvider value={{ isAdmin, isEditing, toggleEdit }}>\n {children}\n </CmsAuthProvider>\n </GoogleAuthContext.Provider>\n );\n}\n\n/** Google auth API (user/login/logout) for login pages and toolbars. */\nexport function useGoogleAuth(): GoogleAuthContextValue {\n const ctx = useContext(GoogleAuthContext);\n if (!ctx) {\n throw new Error(\"useGoogleAuth must be used within a GoogleAuthProvider\");\n }\n return ctx;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,mBAQO;AAGP,oBAAgC;AAsR1B;AA3QN,IAAM,UAAU;AA2EhB,IAAM,wBAAoB;AAAA,EACxB;AACF;AAEA,SAAS,UAAU,MAAc,OAAe;AAC9C,WAAS,SAAS,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC;AACxD;AACA,SAAS,aAAa,MAAc;AAClC,WAAS,SAAS,GAAG,IAAI;AAC3B;AACA,SAAS,WAAW,MAA6B;AAC/C,aAAW,QAAQ,SAAS,OAAO,MAAM,GAAG,GAAG;AAC7C,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAGA,SAAS,UAAU,OAAuD;AACxE,MAAI;AACF,UAAM,UAAU,MAAM,MAAM,GAAG,EAAE,CAAC;AAClC,UAAM,OAAO,KAAK,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAC/D,UAAM,OAAO,KAAK,MAAM,IAAI;AAO5B,WAAO;AAAA,EACT,SAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACF,GAA4B;AAC1B,QAAM,CAAC,MAAM,OAAO,QAAI,uBAA4B,IAAI;AACxD,QAAM,CAAC,SAAS,UAAU,QAAI,uBAAS,KAAK;AAC5C,QAAM,CAAC,WAAW,YAAY,QAAI,uBAAS,KAAK;AAChD,QAAM,CAAC,OAAO,QAAQ,QAAI,uBAAS,KAAK;AACxC,QAAM,CAAC,QAAQ,SAAS,QAAI,uBAAS,KAAK;AAC1C,QAAM,cAAU;AAAA,KACb,oCAAe,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,EACvD;AAEA,QAAM,iBAAa;AAAA,IACjB,CAAC,UAAkB;AAxJvB;AAyJM,YAAM,SAAS,UAAU,KAAK;AAC9B,UAAI,CAAC,OAAQ;AACb,UAAI,OAAO,OAAO,OAAO,MAAM,OAAQ,KAAK,IAAI,GAAG;AACjD,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,YAAM,SAAQ,YAAO,UAAP,mBAAc;AAG5B,YAAM,QACJ,QAAQ,QAAQ,WAAW,IACvB,OACA,CAAC,CAAC,SAAS,QAAQ,QAAQ,SAAS,KAAK;AAC/C,gBAAU,YAAY,KAAK;AAC3B,cAAQ;AAAA,QACN,KAAK,OAAO;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,MAClB,CAAC;AACD,iBAAW,KAAK;AAAA,IAClB;AAAA,IACA,CAAC,UAAU;AAAA,EACb;AAGA,8BAAU,MAAM;AACd,UAAM,WAAW,WAAW,UAAU;AACtC,QAAI,SAAU,YAAW,QAAQ;AAAA,EACnC,GAAG,CAAC,YAAY,UAAU,CAAC;AAM3B,8BAAU,MAAM;AACd,QAAI,YAAY;AAEhB,aAAS,UAAmB;AA/LhC;AAgMM,UAAI,aAAa,GAAC,kBAAO,WAAP,mBAAe,aAAf,mBAAyB,IAAI,QAAO;AACtD,aAAO,OAAO,SAAS,GAAG,WAAW;AAAA,QACnC,WAAW;AAAA,QACX,UAAU,CAAC,QAAQ,WAAW,IAAI,UAAU;AAAA,QAC5C,aAAa;AAAA,QACb,uBAAuB;AAAA,MACzB,CAAC;AACD,eAAS,IAAI;AACb,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,EAAG;AAGf,QAAI,CAAC,SAAS,cAAc,eAAe,OAAO,IAAI,GAAG;AACvD,YAAM,SAAS,SAAS,cAAc,QAAQ;AAC9C,aAAO,MAAM;AACb,aAAO,QAAQ;AACf,aAAO,QAAQ;AACf,eAAS,KAAK,YAAY,MAAM;AAAA,IAClC;AAEA,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,QAAQ,YAAY,MAAM;AAC9B,UAAI,QAAQ,GAAG;AACb,sBAAc,KAAK;AAAA,MACrB,WAAW,KAAK,IAAI,IAAI,YAAY,KAAQ;AAG1C,sBAAc,KAAK;AACnB,YAAI,CAAC,UAAW,WAAU,IAAI;AAAA,MAChC;AAAA,IACF,GAAG,GAAG;AAEN,WAAO,MAAM;AACX,kBAAY;AACZ,oBAAc,KAAK;AAAA,IACrB;AAAA,EACF,GAAG,CAAC,UAAU,UAAU,CAAC;AAGzB,8BAAU,MAAM;AACd,UAAM,gBAAgB,OAAO;AAC7B,WAAO,QAAQ,UAAU,SAAmC;AAC1D,YAAM,WAAW,MAAM,cAAc,GAAG,IAAI;AAC5C,UAAI,SAAS,WAAW,KAAK;AAC3B,YAAI;AACF,gBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,cAAI,6BAAM,OAAQ,UAAS;AAAA,QAC7B,SAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AACX,aAAO,QAAQ;AAAA,IACjB;AAAA,EAEF,GAAG,CAAC,CAAC;AAEL,WAAS,WAAW;AA7PtB;AA8PI,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAC3B,iBAAa,UAAU;AACvB,YAAQ,IAAI;AACZ,eAAW,KAAK;AAChB,iBAAa,KAAK;AAClB;AAAA,EACF;AAEA,QAAM,mBAAe,0BAAY,MAAM;AAtQzC;AAuQI,QAAI,CAAC,MAAO;AACZ,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAAA,EAC7B,GAAG,CAAC,KAAK,CAAC;AAEV,QAAM,mBAAe;AAAA,IACnB,CAAC,IAAiB,YAA+B;AA5QrD;AA6QM,UAAI,CAAC,MAAO;AACZ,mBAAO,WAAP,mBAAe,SAAS,GAAG,aAAa,IAAI;AAAA,IAC9C;AAAA,IACA,CAAC,KAAK;AAAA,EACR;AAEA,QAAM,iBAAa,0BAAY,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;AAEhE,SACE;AAAA,IAAC,kBAAkB;AAAA,IAAlB;AAAA,MACC,OAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,MAEA,sDAAC,iCAAgB,OAAO,EAAE,SAAS,WAAW,WAAW,GACtD,UACH;AAAA;AAAA,EACF;AAEJ;AAGO,SAAS,gBAAwC;AACtD,QAAM,UAAM,yBAAW,iBAAiB;AACxC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AACA,SAAO;AACT;","names":[]}

package/dist/auth/google/client/index.d.cts ADDED Viewed

@@ -0,0 +1,76 @@
+import * as React from 'react';
+import { ReactNode } from 'react';
+/** Minimal slice of the Google Identity Services API we use. */
+interface GsiCredentialResponse {
+    credential: string;
+}
+interface GsiButtonOptions {
+    type?: "standard" | "icon";
+    theme?: "outline" | "filled_blue" | "filled_black";
+    size?: "small" | "medium" | "large";
+    text?: "signin_with" | "signup_with" | "continue_with" | "signin";
+    shape?: "rectangular" | "pill" | "circle" | "square";
+    width?: number;
+}
+interface GsiClient {
+    accounts: {
+        id: {
+            initialize: (config: {
+                client_id: string;
+                callback: (res: GsiCredentialResponse) => void;
+                auto_select?: boolean;
+                cancel_on_tap_outside?: boolean;
+            }) => void;
+            prompt: () => void;
+            renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+            disableAutoSelect: () => void;
+        };
+    };
+}
+declare global {
+    interface Window {
+        google?: GsiClient;
+    }
+}
+interface GoogleUser {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+}
+interface GoogleAuthProviderProps {
+    children: ReactNode;
+    /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */
+    clientId: string;
+    /**
+     * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server
+     * `googleAuth` adapter still enforces the real gate. Omit to treat any
+     * successful sign-in as optimistically admin (server will correct via 401).
+     */
+    adminEmails?: string[];
+    /** Cookie name for the ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Called when a 401 `{ logout: true }` response is intercepted. */
+    onLogout?: () => void;
+}
+interface GoogleAuthContextValue {
+    user: GoogleUser | null;
+    isAdmin: boolean;
+    isEditing: boolean;
+    toggleEdit: () => void;
+    /** True once the GSI script has loaded and the client is initialized. */
+    ready: boolean;
+    /** True if GSI failed to load within the timeout (blocked/offline). */
+    failed: boolean;
+    /** Trigger Google One Tap / sign-in prompt. */
+    promptSignIn: () => void;
+    /** Render the official Google button into `el` (most reliable trigger). */
+    renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+    logout: () => void;
+}
+declare function GoogleAuthProvider({ children, clientId, adminEmails, cookieName, onLogout, }: GoogleAuthProviderProps): React.JSX.Element;
+/** Google auth API (user/login/logout) for login pages and toolbars. */
+declare function useGoogleAuth(): GoogleAuthContextValue;
+export { type GoogleAuthContextValue, GoogleAuthProvider, type GoogleAuthProviderProps, type GoogleUser, useGoogleAuth };

package/dist/auth/google/client/index.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import * as React from 'react';
+import { ReactNode } from 'react';
+/** Minimal slice of the Google Identity Services API we use. */
+interface GsiCredentialResponse {
+    credential: string;
+}
+interface GsiButtonOptions {
+    type?: "standard" | "icon";
+    theme?: "outline" | "filled_blue" | "filled_black";
+    size?: "small" | "medium" | "large";
+    text?: "signin_with" | "signup_with" | "continue_with" | "signin";
+    shape?: "rectangular" | "pill" | "circle" | "square";
+    width?: number;
+}
+interface GsiClient {
+    accounts: {
+        id: {
+            initialize: (config: {
+                client_id: string;
+                callback: (res: GsiCredentialResponse) => void;
+                auto_select?: boolean;
+                cancel_on_tap_outside?: boolean;
+            }) => void;
+            prompt: () => void;
+            renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+            disableAutoSelect: () => void;
+        };
+    };
+}
+declare global {
+    interface Window {
+        google?: GsiClient;
+    }
+}
+interface GoogleUser {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+}
+interface GoogleAuthProviderProps {
+    children: ReactNode;
+    /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */
+    clientId: string;
+    /**
+     * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server
+     * `googleAuth` adapter still enforces the real gate. Omit to treat any
+     * successful sign-in as optimistically admin (server will correct via 401).
+     */
+    adminEmails?: string[];
+    /** Cookie name for the ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Called when a 401 `{ logout: true }` response is intercepted. */
+    onLogout?: () => void;
+}
+interface GoogleAuthContextValue {
+    user: GoogleUser | null;
+    isAdmin: boolean;
+    isEditing: boolean;
+    toggleEdit: () => void;
+    /** True once the GSI script has loaded and the client is initialized. */
+    ready: boolean;
+    /** True if GSI failed to load within the timeout (blocked/offline). */
+    failed: boolean;
+    /** Trigger Google One Tap / sign-in prompt. */
+    promptSignIn: () => void;
+    /** Render the official Google button into `el` (most reliable trigger). */
+    renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;
+    logout: () => void;
+}
+declare function GoogleAuthProvider({ children, clientId, adminEmails, cookieName, onLogout, }: GoogleAuthProviderProps): React.JSX.Element;
+/** Google auth API (user/login/logout) for login pages and toolbars. */
+declare function useGoogleAuth(): GoogleAuthContextValue;
+export { type GoogleAuthContextValue, GoogleAuthProvider, type GoogleAuthProviderProps, type GoogleUser, useGoogleAuth };

package/dist/auth/google/client/index.js ADDED Viewed

@@ -0,0 +1,187 @@
+"use client";
+// src/auth/google/client/index.tsx
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useRef,
+  useState
+} from "react";
+import { CmsAuthProvider } from "@dalgoridim/headless-cms/client";
+import { jsx } from "react/jsx-runtime";
+var GSI_SRC = "https://accounts.google.com/gsi/client";
+var GoogleAuthContext = createContext(
+  void 0
+);
+function setCookie(name, value) {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;
+}
+function deleteCookie(name) {
+  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+function readCookie(name) {
+  for (const part of document.cookie.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function decodeJwt(token) {
+  try {
+    const payload = token.split(".")[1];
+    const json = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    const data = JSON.parse(json);
+    return data;
+  } catch (e) {
+    return null;
+  }
+}
+function GoogleAuthProvider({
+  children,
+  clientId,
+  adminEmails,
+  cookieName = "adminToken",
+  onLogout
+}) {
+  const [user, setUser] = useState(null);
+  const [isAdmin, setIsAdmin] = useState(false);
+  const [isEditing, setIsEditing] = useState(false);
+  const [ready, setReady] = useState(false);
+  const [failed, setFailed] = useState(false);
+  const allowed = useRef(
+    (adminEmails != null ? adminEmails : []).map((e) => e.trim().toLowerCase())
+  );
+  const applyToken = useCallback(
+    (token) => {
+      var _a;
+      const claims = decodeJwt(token);
+      if (!claims) return;
+      if (claims.exp && claims.exp * 1e3 <= Date.now()) {
+        deleteCookie(cookieName);
+        return;
+      }
+      const email = (_a = claims.email) == null ? void 0 : _a.toLowerCase();
+      const admin = allowed.current.length === 0 ? true : !!email && allowed.current.includes(email);
+      setCookie(cookieName, token);
+      setUser({
+        sub: claims.sub,
+        email: claims.email,
+        name: claims.name,
+        picture: claims.picture
+      });
+      setIsAdmin(admin);
+    },
+    [cookieName]
+  );
+  useEffect(() => {
+    const existing = readCookie(cookieName);
+    if (existing) applyToken(existing);
+  }, [cookieName, applyToken]);
+  useEffect(() => {
+    let cancelled = false;
+    function tryInit() {
+      var _a, _b;
+      if (cancelled || !((_b = (_a = window.google) == null ? void 0 : _a.accounts) == null ? void 0 : _b.id)) return false;
+      window.google.accounts.id.initialize({
+        client_id: clientId,
+        callback: (res) => applyToken(res.credential),
+        auto_select: false,
+        cancel_on_tap_outside: true
+      });
+      setReady(true);
+      return true;
+    }
+    if (tryInit()) return;
+    if (!document.querySelector(`script[src="${GSI_SRC}"]`)) {
+      const script = document.createElement("script");
+      script.src = GSI_SRC;
+      script.async = true;
+      script.defer = true;
+      document.head.appendChild(script);
+    }
+    const startedAt = Date.now();
+    const timer = setInterval(() => {
+      if (tryInit()) {
+        clearInterval(timer);
+      } else if (Date.now() - startedAt > 1e4) {
+        clearInterval(timer);
+        if (!cancelled) setFailed(true);
+      }
+    }, 120);
+    return () => {
+      cancelled = true;
+      clearInterval(timer);
+    };
+  }, [clientId, applyToken]);
+  useEffect(() => {
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const response = await originalFetch(...args);
+      if (response.status === 401) {
+        try {
+          const data = await response.clone().json();
+          if (data == null ? void 0 : data.logout) doLogout();
+        } catch (e) {
+        }
+      }
+      return response;
+    };
+    return () => {
+      window.fetch = originalFetch;
+    };
+  }, []);
+  function doLogout() {
+    var _a;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.disableAutoSelect();
+    deleteCookie(cookieName);
+    setUser(null);
+    setIsAdmin(false);
+    setIsEditing(false);
+    onLogout == null ? void 0 : onLogout();
+  }
+  const promptSignIn = useCallback(() => {
+    var _a;
+    if (!ready) return;
+    (_a = window.google) == null ? void 0 : _a.accounts.id.prompt();
+  }, [ready]);
+  const renderButton = useCallback(
+    (el, options) => {
+      var _a;
+      if (!ready) return;
+      (_a = window.google) == null ? void 0 : _a.accounts.id.renderButton(el, options);
+    },
+    [ready]
+  );
+  const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);
+  return /* @__PURE__ */ jsx(
+    GoogleAuthContext.Provider,
+    {
+      value: {
+        user,
+        isAdmin,
+        isEditing,
+        toggleEdit,
+        ready,
+        failed,
+        promptSignIn,
+        renderButton,
+        logout: doLogout
+      },
+      children: /* @__PURE__ */ jsx(CmsAuthProvider, { value: { isAdmin, isEditing, toggleEdit }, children })
+    }
+  );
+}
+function useGoogleAuth() {
+  const ctx = useContext(GoogleAuthContext);
+  if (!ctx) {
+    throw new Error("useGoogleAuth must be used within a GoogleAuthProvider");
+  }
+  return ctx;
+}
+export {
+  GoogleAuthProvider,
+  useGoogleAuth
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/google/client/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../../src/auth/google/client/index.tsx"],"sourcesContent":["\"use client\";\n\nimport {\n createContext,\n useCallback,\n useContext,\n useEffect,\n useRef,\n useState,\n type ReactNode,\n} from \"react\";\n// Imported via the public specifier so we share the SAME context instance as\n// the consumer's edit primitives at runtime (see tsup `external` + tsconfig paths).\nimport { CmsAuthProvider } from \"@dalgoridim/headless-cms/client\";\n\n/**\n * Client provider for **Google Identity Services** sign-in — the Firebase-free\n * counterpart to `FirebaseAuthProvider`. It loads the GSI script, lets the user\n * sign in with Google, stashes the resulting ID token in a cookie for the\n * server `googleAuth` adapter to verify, and feeds the shared CMS auth context\n * so the edit primitives light up. Admin status is optimistic on the client\n * (via `adminEmails`); the server gate remains authoritative.\n */\n\nconst GSI_SRC = \"https://accounts.google.com/gsi/client\";\n\n/** Minimal slice of the Google Identity Services API we use. */\ninterface GsiCredentialResponse {\n credential: string;\n}\ninterface GsiButtonOptions {\n type?: \"standard\" | \"icon\";\n theme?: \"outline\" | \"filled_blue\" | \"filled_black\";\n size?: \"small\" | \"medium\" | \"large\";\n text?: \"signin_with\" | \"signup_with\" | \"continue_with\" | \"signin\";\n shape?: \"rectangular\" | \"pill\" | \"circle\" | \"square\";\n width?: number;\n}\ninterface GsiClient {\n accounts: {\n id: {\n initialize: (config: {\n client_id: string;\n callback: (res: GsiCredentialResponse) => void;\n auto_select?: boolean;\n cancel_on_tap_outside?: boolean;\n }) => void;\n prompt: () => void;\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n disableAutoSelect: () => void;\n };\n };\n}\n\ndeclare global {\n interface Window {\n google?: GsiClient;\n }\n}\n\nexport interface GoogleUser {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n}\n\nexport interface GoogleAuthProviderProps {\n children: ReactNode;\n /** OAuth 2.0 Web client ID (from Google Cloud Console → Credentials). */\n clientId: string;\n /**\n * Optional admin allowlist for *optimistic* client-side `isAdmin`. The server\n * `googleAuth` adapter still enforces the real gate. Omit to treat any\n * successful sign-in as optimistically admin (server will correct via 401).\n */\n adminEmails?: string[];\n /** Cookie name for the ID token. Default `adminToken`. */\n cookieName?: string;\n /** Called when a 401 `{ logout: true }` response is intercepted. */\n onLogout?: () => void;\n}\n\nexport interface GoogleAuthContextValue {\n user: GoogleUser | null;\n isAdmin: boolean;\n isEditing: boolean;\n toggleEdit: () => void;\n /** True once the GSI script has loaded and the client is initialized. */\n ready: boolean;\n /** True if GSI failed to load within the timeout (blocked/offline). */\n failed: boolean;\n /** Trigger Google One Tap / sign-in prompt. */\n promptSignIn: () => void;\n /** Render the official Google button into `el` (most reliable trigger). */\n renderButton: (el: HTMLElement, options?: GsiButtonOptions) => void;\n logout: () => void;\n}\n\nconst GoogleAuthContext = createContext<GoogleAuthContextValue | undefined>(\n undefined,\n);\n\nfunction setCookie(name: string, value: string) {\n document.cookie = `${name}=${encodeURIComponent(value)}; path=/; samesite=lax`;\n}\nfunction deleteCookie(name: string) {\n document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n}\nfunction readCookie(name: string): string | null {\n for (const part of document.cookie.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Decode a JWT payload client-side (no verification — the server does that). */\nfunction decodeJwt(token: string): (GoogleUser & { exp?: number }) | null {\n try {\n const payload = token.split(\".\")[1];\n const json = atob(payload.replace(/-/g, \"+\").replace(/_/g, \"/\"));\n const data = JSON.parse(json) as {\n sub: string;\n email?: string;\n name?: string;\n picture?: string;\n exp?: number;\n };\n return data;\n } catch {\n return null;\n }\n}\n\nexport function GoogleAuthProvider({\n children,\n clientId,\n adminEmails,\n cookieName = \"adminToken\",\n onLogout,\n}: GoogleAuthProviderProps) {\n const [user, setUser] = useState<GoogleUser | null>(null);\n const [isAdmin, setIsAdmin] = useState(false);\n const [isEditing, setIsEditing] = useState(false);\n const [ready, setReady] = useState(false);\n const [failed, setFailed] = useState(false);\n const allowed = useRef(\n (adminEmails ?? []).map((e) => e.trim().toLowerCase()),\n );\n\n const applyToken = useCallback(\n (token: string) => {\n const claims = decodeJwt(token);\n if (!claims) return;\n if (claims.exp && claims.exp * 1000 <= Date.now()) {\n deleteCookie(cookieName);\n return;\n }\n const email = claims.email?.toLowerCase();\n // Optimistic: if no allowlist supplied, trust the sign-in and let the\n // server correct a non-admin via the 401 interceptor below.\n const admin =\n allowed.current.length === 0\n ? true\n : !!email && allowed.current.includes(email);\n setCookie(cookieName, token);\n setUser({\n sub: claims.sub,\n email: claims.email,\n name: claims.name,\n picture: claims.picture,\n });\n setIsAdmin(admin);\n },\n [cookieName],\n );\n\n // Restore an existing session from the cookie on mount.\n useEffect(() => {\n const existing = readCookie(cookieName);\n if (existing) applyToken(existing);\n }, [cookieName, applyToken]);\n\n // Load the GSI script and initialize the client. Polling (rather than relying\n // on a `load` event) makes this robust against React's dev double-mount, a\n // cached/already-loaded script, and missed load events — any of which could\n // otherwise leave `ready` stuck false and the UI spinning forever.\n useEffect(() => {\n let cancelled = false;\n\n function tryInit(): boolean {\n if (cancelled || !window.google?.accounts?.id) return false;\n window.google.accounts.id.initialize({\n client_id: clientId,\n callback: (res) => applyToken(res.credential),\n auto_select: false,\n cancel_on_tap_outside: true,\n });\n setReady(true);\n return true;\n }\n\n if (tryInit()) return;\n\n // Ensure the script tag exists exactly once across mounts.\n if (!document.querySelector(`script[src=\"${GSI_SRC}\"]`)) {\n const script = document.createElement(\"script\");\n script.src = GSI_SRC;\n script.async = true;\n script.defer = true;\n document.head.appendChild(script);\n }\n\n const startedAt = Date.now();\n const timer = setInterval(() => {\n if (tryInit()) {\n clearInterval(timer);\n } else if (Date.now() - startedAt > 10_000) {\n // Blocked (ad/privacy extension) or offline — surface a failure so the\n // UI can show a fallback instead of an endless spinner.\n clearInterval(timer);\n if (!cancelled) setFailed(true);\n }\n }, 120);\n\n return () => {\n cancelled = true;\n clearInterval(timer);\n };\n }, [clientId, applyToken]);\n\n // Intercept admin 401s so an expired/forbidden session forces sign-out.\n useEffect(() => {\n const originalFetch = window.fetch;\n window.fetch = async (...args: Parameters<typeof fetch>) => {\n const response = await originalFetch(...args);\n if (response.status === 401) {\n try {\n const data = await response.clone().json();\n if (data?.logout) doLogout();\n } catch {\n /* not a JSON body — ignore */\n }\n }\n return response;\n };\n return () => {\n window.fetch = originalFetch;\n };\n // eslint-disable-next-line react-hooks/exhaustive-deps\n }, []);\n\n function doLogout() {\n window.google?.accounts.id.disableAutoSelect();\n deleteCookie(cookieName);\n setUser(null);\n setIsAdmin(false);\n setIsEditing(false);\n onLogout?.();\n }\n\n const promptSignIn = useCallback(() => {\n if (!ready) return;\n window.google?.accounts.id.prompt();\n }, [ready]);\n\n const renderButton = useCallback(\n (el: HTMLElement, options?: GsiButtonOptions) => {\n if (!ready) return;\n window.google?.accounts.id.renderButton(el, options);\n },\n [ready],\n );\n\n const toggleEdit = useCallback(() => setIsEditing((p) => !p), []);\n\n return (\n <GoogleAuthContext.Provider\n value={{\n user,\n isAdmin,\n isEditing,\n toggleEdit,\n ready,\n failed,\n promptSignIn,\n renderButton,\n logout: doLogout,\n }}\n >\n <CmsAuthProvider value={{ isAdmin, isEditing, toggleEdit }}>\n {children}\n </CmsAuthProvider>\n </GoogleAuthContext.Provider>\n );\n}\n\n/** Google auth API (user/login/logout) for login pages and toolbars. */\nexport function useGoogleAuth(): GoogleAuthContextValue {\n const ctx = useContext(GoogleAuthContext);\n if (!ctx) {\n throw new Error(\"useGoogleAuth must be used within a GoogleAuthProvider\");\n }\n return ctx;\n}\n"],"mappings":";;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAGP,SAAS,uBAAuB;AAsR1B;AA3QN,IAAM,UAAU;AA2EhB,IAAM,oBAAoB;AAAA,EACxB;AACF;AAEA,SAAS,UAAU,MAAc,OAAe;AAC9C,WAAS,SAAS,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC;AACxD;AACA,SAAS,aAAa,MAAc;AAClC,WAAS,SAAS,GAAG,IAAI;AAC3B;AACA,SAAS,WAAW,MAA6B;AAC/C,aAAW,QAAQ,SAAS,OAAO,MAAM,GAAG,GAAG;AAC7C,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAGA,SAAS,UAAU,OAAuD;AACxE,MAAI;AACF,UAAM,UAAU,MAAM,MAAM,GAAG,EAAE,CAAC;AAClC,UAAM,OAAO,KAAK,QAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,CAAC;AAC/D,UAAM,OAAO,KAAK,MAAM,IAAI;AAO5B,WAAO;AAAA,EACT,SAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBAAmB;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACF,GAA4B;AAC1B,QAAM,CAAC,MAAM,OAAO,IAAI,SAA4B,IAAI;AACxD,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,KAAK;AAC5C,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,KAAK;AAChD,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAS,KAAK;AACxC,QAAM,CAAC,QAAQ,SAAS,IAAI,SAAS,KAAK;AAC1C,QAAM,UAAU;AAAA,KACb,oCAAe,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAAA,EACvD;AAEA,QAAM,aAAa;AAAA,IACjB,CAAC,UAAkB;AAxJvB;AAyJM,YAAM,SAAS,UAAU,KAAK;AAC9B,UAAI,CAAC,OAAQ;AACb,UAAI,OAAO,OAAO,OAAO,MAAM,OAAQ,KAAK,IAAI,GAAG;AACjD,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,YAAM,SAAQ,YAAO,UAAP,mBAAc;AAG5B,YAAM,QACJ,QAAQ,QAAQ,WAAW,IACvB,OACA,CAAC,CAAC,SAAS,QAAQ,QAAQ,SAAS,KAAK;AAC/C,gBAAU,YAAY,KAAK;AAC3B,cAAQ;AAAA,QACN,KAAK,OAAO;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,MAClB,CAAC;AACD,iBAAW,KAAK;AAAA,IAClB;AAAA,IACA,CAAC,UAAU;AAAA,EACb;AAGA,YAAU,MAAM;AACd,UAAM,WAAW,WAAW,UAAU;AACtC,QAAI,SAAU,YAAW,QAAQ;AAAA,EACnC,GAAG,CAAC,YAAY,UAAU,CAAC;AAM3B,YAAU,MAAM;AACd,QAAI,YAAY;AAEhB,aAAS,UAAmB;AA/LhC;AAgMM,UAAI,aAAa,GAAC,kBAAO,WAAP,mBAAe,aAAf,mBAAyB,IAAI,QAAO;AACtD,aAAO,OAAO,SAAS,GAAG,WAAW;AAAA,QACnC,WAAW;AAAA,QACX,UAAU,CAAC,QAAQ,WAAW,IAAI,UAAU;AAAA,QAC5C,aAAa;AAAA,QACb,uBAAuB;AAAA,MACzB,CAAC;AACD,eAAS,IAAI;AACb,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,EAAG;AAGf,QAAI,CAAC,SAAS,cAAc,eAAe,OAAO,IAAI,GAAG;AACvD,YAAM,SAAS,SAAS,cAAc,QAAQ;AAC9C,aAAO,MAAM;AACb,aAAO,QAAQ;AACf,aAAO,QAAQ;AACf,eAAS,KAAK,YAAY,MAAM;AAAA,IAClC;AAEA,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,QAAQ,YAAY,MAAM;AAC9B,UAAI,QAAQ,GAAG;AACb,sBAAc,KAAK;AAAA,MACrB,WAAW,KAAK,IAAI,IAAI,YAAY,KAAQ;AAG1C,sBAAc,KAAK;AACnB,YAAI,CAAC,UAAW,WAAU,IAAI;AAAA,MAChC;AAAA,IACF,GAAG,GAAG;AAEN,WAAO,MAAM;AACX,kBAAY;AACZ,oBAAc,KAAK;AAAA,IACrB;AAAA,EACF,GAAG,CAAC,UAAU,UAAU,CAAC;AAGzB,YAAU,MAAM;AACd,UAAM,gBAAgB,OAAO;AAC7B,WAAO,QAAQ,UAAU,SAAmC;AAC1D,YAAM,WAAW,MAAM,cAAc,GAAG,IAAI;AAC5C,UAAI,SAAS,WAAW,KAAK;AAC3B,YAAI;AACF,gBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,cAAI,6BAAM,OAAQ,UAAS;AAAA,QAC7B,SAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AACX,aAAO,QAAQ;AAAA,IACjB;AAAA,EAEF,GAAG,CAAC,CAAC;AAEL,WAAS,WAAW;AA7PtB;AA8PI,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAC3B,iBAAa,UAAU;AACvB,YAAQ,IAAI;AACZ,eAAW,KAAK;AAChB,iBAAa,KAAK;AAClB;AAAA,EACF;AAEA,QAAM,eAAe,YAAY,MAAM;AAtQzC;AAuQI,QAAI,CAAC,MAAO;AACZ,iBAAO,WAAP,mBAAe,SAAS,GAAG;AAAA,EAC7B,GAAG,CAAC,KAAK,CAAC;AAEV,QAAM,eAAe;AAAA,IACnB,CAAC,IAAiB,YAA+B;AA5QrD;AA6QM,UAAI,CAAC,MAAO;AACZ,mBAAO,WAAP,mBAAe,SAAS,GAAG,aAAa,IAAI;AAAA,IAC9C;AAAA,IACA,CAAC,KAAK;AAAA,EACR;AAEA,QAAM,aAAa,YAAY,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;AAEhE,SACE;AAAA,IAAC,kBAAkB;AAAA,IAAlB;AAAA,MACC,OAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,MACV;AAAA,MAEA,8BAAC,mBAAgB,OAAO,EAAE,SAAS,WAAW,WAAW,GACtD,UACH;AAAA;AAAA,EACF;AAEJ;AAGO,SAAS,gBAAwC;AACtD,QAAM,MAAM,WAAW,iBAAiB;AACxC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,wDAAwD;AAAA,EAC1E;AACA,SAAO;AACT;","names":[]}

package/dist/auth/google/index.cjs ADDED Viewed

@@ -0,0 +1,121 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/auth/google/index.ts
+var google_exports = {};
+__export(google_exports, {
+  googleAuth: () => googleAuth,
+  verifyGoogleIdToken: () => verifyGoogleIdToken
+});
+module.exports = __toCommonJS(google_exports);
+var import_node_crypto = require("crypto");
+var GOOGLE_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+var keyCache = null;
+async function getSigningKey(kid) {
+  var _a, _b;
+  const now = Date.now();
+  if (!keyCache || now >= keyCache.expiresAt) {
+    const res = await fetch(GOOGLE_CERTS_URL);
+    if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);
+    const body = await res.json();
+    const keys = new Map(body.keys.map((k) => [k.kid, k]));
+    const maxAge = /max-age=(\d+)/.exec((_a = res.headers.get("cache-control")) != null ? _a : "");
+    keyCache = {
+      keys,
+      expiresAt: now + (maxAge ? Number(maxAge[1]) * 1e3 : 36e5)
+    };
+  }
+  return (_b = keyCache.keys.get(kid)) != null ? _b : null;
+}
+function b64urlToBuffer(input) {
+  return Buffer.from(input.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function b64urlToJson(input) {
+  return JSON.parse(b64urlToBuffer(input).toString("utf8"));
+}
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+async function verifyGoogleIdToken(token, opts) {
+  var _a, _b, _c;
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Malformed ID token");
+  const [headerB64, payloadB64, signatureB64] = parts;
+  const header = b64urlToJson(headerB64);
+  if (header.alg !== "RS256") throw new Error(`Unexpected alg: ${header.alg}`);
+  const jwk = await getSigningKey(header.kid);
+  if (!jwk) throw new Error("No matching Google signing key for token");
+  const publicKey = (0, import_node_crypto.createPublicKey)({
+    key: jwk,
+    format: "jwk"
+  });
+  const verifier = (0, import_node_crypto.createVerify)("RSA-SHA256");
+  verifier.update(`${headerB64}.${payloadB64}`);
+  verifier.end();
+  if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {
+    throw new Error("Invalid ID token signature");
+  }
+  const payload = b64urlToJson(payloadB64);
+  const nowSec = Math.floor(((_b = (_a = opts.now) == null ? void 0 : _a.call(opts)) != null ? _b : Date.now()) / 1e3);
+  if (payload.exp <= nowSec) throw new Error("ID token expired");
+  const issuers = (_c = opts.issuers) != null ? _c : GOOGLE_ISSUERS;
+  if (!issuers.includes(payload.iss)) {
+    throw new Error(`Untrusted issuer: ${payload.iss}`);
+  }
+  const audiences = Array.isArray(opts.clientId) ? opts.clientId : [opts.clientId];
+  if (!audiences.includes(payload.aud)) throw new Error("Audience mismatch");
+  return payload;
+}
+function googleAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let payload;
+      try {
+        payload = await verifyGoogleIdToken(token, {
+          clientId: config.clientId,
+          issuers: config.issuers
+        });
+      } catch (e) {
+        return null;
+      }
+      const email = (_a2 = payload.email) == null ? void 0 : _a2.toLowerCase();
+      const isAdmin = !!email && payload.email_verified === true && allowed.includes(email);
+      return { userId: payload.sub, email: payload.email, isAdmin };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  googleAuth,
+  verifyGoogleIdToken
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/google/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/auth/google/index.ts"],"sourcesContent":["import { createPublicKey, createVerify, type JsonWebKey } from \"node:crypto\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/**\n * Server auth adapter backed by **Google Identity Services** ID tokens — the\n * lightweight alternative to the Firebase adapter when all you want is \"Sign in\n * with Google\". No Firebase project, no service account: the browser obtains a\n * signed Google ID token (a JWT), drops it in a cookie, and this adapter\n * verifies it locally against Google's public keys, then gates on an email\n * allowlist.\n *\n * Verification is dependency-free (Node's built-in `crypto` + `fetch`), so the\n * package keeps its zero-runtime-deps contract.\n */\n\nconst GOOGLE_CERTS_URL = \"https://www.googleapis.com/oauth2/v3/certs\";\nconst GOOGLE_ISSUERS = [\"https://accounts.google.com\", \"accounts.google.com\"];\n\n/** A Google JWKS entry (RSA public key in JWK form). */\ninterface GoogleJwk {\n kid: string;\n kty: string;\n n: string;\n e: string;\n alg?: string;\n use?: string;\n}\n\nlet keyCache: { keys: Map<string, GoogleJwk>; expiresAt: number } | null = null;\n\n/** Fetch (and cache, honoring `cache-control: max-age`) Google's signing keys. */\nasync function getSigningKey(kid: string): Promise<GoogleJwk | null> {\n const now = Date.now();\n if (!keyCache || now >= keyCache.expiresAt) {\n const res = await fetch(GOOGLE_CERTS_URL);\n if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);\n const body = (await res.json()) as { keys: GoogleJwk[] };\n const keys = new Map(body.keys.map((k) => [k.kid, k]));\n const maxAge = /max-age=(\\d+)/.exec(res.headers.get(\"cache-control\") ?? \"\");\n keyCache = {\n keys,\n expiresAt: now + (maxAge ? Number(maxAge[1]) * 1000 : 3_600_000),\n };\n }\n return keyCache.keys.get(kid) ?? null;\n}\n\nfunction b64urlToBuffer(input: string): Buffer {\n return Buffer.from(input.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction b64urlToJson<T>(input: string): T {\n return JSON.parse(b64urlToBuffer(input).toString(\"utf8\")) as T;\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n const header = req.headers.get(\"cookie\");\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Claims of interest from a verified Google ID token. */\nexport interface GoogleIdTokenPayload {\n iss: string;\n aud: string;\n sub: string;\n exp: number;\n iat: number;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n}\n\nexport interface VerifyGoogleIdTokenOptions {\n /** Expected audience — your OAuth 2.0 Web client ID(s). */\n clientId: string | string[];\n /** Accepted issuers. Defaults to Google's two canonical issuers. */\n issuers?: string[];\n /** Clock injection for tests. Defaults to `Date.now`. */\n now?: () => number;\n}\n\n/**\n * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,\n * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the\n * decoded payload on success. Exported standalone for custom flows/tests.\n */\nexport async function verifyGoogleIdToken(\n token: string,\n opts: VerifyGoogleIdTokenOptions,\n): Promise<GoogleIdTokenPayload> {\n const parts = token.split(\".\");\n if (parts.length !== 3) throw new Error(\"Malformed ID token\");\n const [headerB64, payloadB64, signatureB64] = parts;\n\n const header = b64urlToJson<{ alg: string; kid: string }>(headerB64);\n if (header.alg !== \"RS256\") throw new Error(`Unexpected alg: ${header.alg}`);\n\n const jwk = await getSigningKey(header.kid);\n if (!jwk) throw new Error(\"No matching Google signing key for token\");\n\n const publicKey = createPublicKey({\n key: jwk as unknown as JsonWebKey,\n format: \"jwk\",\n });\n const verifier = createVerify(\"RSA-SHA256\");\n verifier.update(`${headerB64}.${payloadB64}`);\n verifier.end();\n if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {\n throw new Error(\"Invalid ID token signature\");\n }\n\n const payload = b64urlToJson<GoogleIdTokenPayload>(payloadB64);\n const nowSec = Math.floor((opts.now?.() ?? Date.now()) / 1000);\n if (payload.exp <= nowSec) throw new Error(\"ID token expired\");\n\n const issuers = opts.issuers ?? GOOGLE_ISSUERS;\n if (!issuers.includes(payload.iss)) {\n throw new Error(`Untrusted issuer: ${payload.iss}`);\n }\n const audiences = Array.isArray(opts.clientId)\n ? opts.clientId\n : [opts.clientId];\n if (!audiences.includes(payload.aud)) throw new Error(\"Audience mismatch\");\n\n return payload;\n}\n\nexport interface GoogleAuthConfig {\n /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */\n clientId: string | string[];\n /** Allowlist of admin emails (compared case-insensitively). */\n adminEmails: string[];\n /** Cookie carrying the Google ID token. Default `adminToken`. */\n cookieName?: string;\n /** Accepted issuers (override for testing). */\n issuers?: string[];\n}\n\n/**\n * Build an {@link AuthAdapter} that verifies the Google ID token from the\n * request cookie and grants admin only to a verified email in `adminEmails`.\n */\nexport function googleAuth(config: GoogleAuthConfig): AuthAdapter {\n const cookieName = config.cookieName ?? \"adminToken\";\n const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());\n\n return {\n async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n const token = readCookie(req, cookieName);\n if (!token) return null;\n\n let payload: GoogleIdTokenPayload;\n try {\n payload = await verifyGoogleIdToken(token, {\n clientId: config.clientId,\n issuers: config.issuers,\n });\n } catch {\n // Expired/invalid/tampered → unauthorized, so the gate emits a\n // 401 { logout: true } and the client can force sign-out.\n return null;\n }\n\n const email = payload.email?.toLowerCase();\n const isAdmin =\n !!email && payload.email_verified === true && allowed.includes(email);\n\n return { userId: payload.sub, email: payload.email, isAdmin };\n },\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA+D;AAe/D,IAAM,mBAAmB;AACzB,IAAM,iBAAiB,CAAC,+BAA+B,qBAAqB;AAY5E,IAAI,WAAuE;AAG3E,eAAe,cAAc,KAAwC;AA/BrE;AAgCE,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,CAAC,YAAY,OAAO,SAAS,WAAW;AAC1C,UAAM,MAAM,MAAM,MAAM,gBAAgB;AACxC,QAAI,CAAC,IAAI,GAAI,OAAM,IAAI,MAAM,6BAA6B,IAAI,MAAM,EAAE;AACtE,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,OAAO,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACrD,UAAM,SAAS,gBAAgB,MAAK,SAAI,QAAQ,IAAI,eAAe,MAA/B,YAAoC,EAAE;AAC1E,eAAW;AAAA,MACT;AAAA,MACA,WAAW,OAAO,SAAS,OAAO,OAAO,CAAC,CAAC,IAAI,MAAO;AAAA,IACxD;AAAA,EACF;AACA,UAAO,cAAS,KAAK,IAAI,GAAG,MAArB,YAA0B;AACnC;AAEA,SAAS,eAAe,OAAuB;AAC7C,SAAO,OAAO,KAAK,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAAG,QAAQ;AAC1E;AAEA,SAAS,aAAgB,OAAkB;AACzC,SAAO,KAAK,MAAM,eAAe,KAAK,EAAE,SAAS,MAAM,CAAC;AAC1D;AAEA,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AA6BA,eAAsB,oBACpB,OACA,MAC+B;AA/FjC;AAgGE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,OAAM,IAAI,MAAM,oBAAoB;AAC5D,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,SAAS,aAA2C,SAAS;AACnE,MAAI,OAAO,QAAQ,QAAS,OAAM,IAAI,MAAM,mBAAmB,OAAO,GAAG,EAAE;AAE3E,QAAM,MAAM,MAAM,cAAc,OAAO,GAAG;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,0CAA0C;AAEpE,QAAM,gBAAY,oCAAgB;AAAA,IAChC,KAAK;AAAA,IACL,QAAQ;AAAA,EACV,CAAC;AACD,QAAM,eAAW,iCAAa,YAAY;AAC1C,WAAS,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE;AAC5C,WAAS,IAAI;AACb,MAAI,CAAC,SAAS,OAAO,WAAW,eAAe,YAAY,CAAC,GAAG;AAC7D,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,UAAU,aAAmC,UAAU;AAC7D,QAAM,SAAS,KAAK,QAAO,gBAAK,QAAL,8CAAgB,KAAK,IAAI,KAAK,GAAI;AAC7D,MAAI,QAAQ,OAAO,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAE7D,QAAM,WAAU,UAAK,YAAL,YAAgB;AAChC,MAAI,CAAC,QAAQ,SAAS,QAAQ,GAAG,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,QAAQ,GAAG,EAAE;AAAA,EACpD;AACA,QAAM,YAAY,MAAM,QAAQ,KAAK,QAAQ,IACzC,KAAK,WACL,CAAC,KAAK,QAAQ;AAClB,MAAI,CAAC,UAAU,SAAS,QAAQ,GAAG,EAAG,OAAM,IAAI,MAAM,mBAAmB;AAEzE,SAAO;AACT;AAiBO,SAAS,WAAW,QAAuC;AApJlE;AAqJE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAEpE,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAzJpE,UAAAA;AA0JM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,oBAAoB,OAAO;AAAA,UACzC,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,QAClB,CAAC;AAAA,MACH,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,SAAQA,MAAA,QAAQ,UAAR,gBAAAA,IAAe;AAC7B,YAAM,UACJ,CAAC,CAAC,SAAS,QAAQ,mBAAmB,QAAQ,QAAQ,SAAS,KAAK;AAEtE,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["_a"]}

package/dist/auth/google/index.d.cts ADDED Viewed

@@ -0,0 +1,45 @@
+import { AuthAdapter } from '../../index.cjs';
+/** Claims of interest from a verified Google ID token. */
+interface GoogleIdTokenPayload {
+    iss: string;
+    aud: string;
+    sub: string;
+    exp: number;
+    iat: number;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+}
+interface VerifyGoogleIdTokenOptions {
+    /** Expected audience — your OAuth 2.0 Web client ID(s). */
+    clientId: string | string[];
+    /** Accepted issuers. Defaults to Google's two canonical issuers. */
+    issuers?: string[];
+    /** Clock injection for tests. Defaults to `Date.now`. */
+    now?: () => number;
+}
+/**
+ * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,
+ * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the
+ * decoded payload on success. Exported standalone for custom flows/tests.
+ */
+declare function verifyGoogleIdToken(token: string, opts: VerifyGoogleIdTokenOptions): Promise<GoogleIdTokenPayload>;
+interface GoogleAuthConfig {
+    /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */
+    clientId: string | string[];
+    /** Allowlist of admin emails (compared case-insensitively). */
+    adminEmails: string[];
+    /** Cookie carrying the Google ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Accepted issuers (override for testing). */
+    issuers?: string[];
+}
+/**
+ * Build an {@link AuthAdapter} that verifies the Google ID token from the
+ * request cookie and grants admin only to a verified email in `adminEmails`.
+ */
+declare function googleAuth(config: GoogleAuthConfig): AuthAdapter;
+export { type GoogleAuthConfig, type GoogleIdTokenPayload, type VerifyGoogleIdTokenOptions, googleAuth, verifyGoogleIdToken };

package/dist/auth/google/index.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { AuthAdapter } from '../../index.js';
+/** Claims of interest from a verified Google ID token. */
+interface GoogleIdTokenPayload {
+    iss: string;
+    aud: string;
+    sub: string;
+    exp: number;
+    iat: number;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+}
+interface VerifyGoogleIdTokenOptions {
+    /** Expected audience — your OAuth 2.0 Web client ID(s). */
+    clientId: string | string[];
+    /** Accepted issuers. Defaults to Google's two canonical issuers. */
+    issuers?: string[];
+    /** Clock injection for tests. Defaults to `Date.now`. */
+    now?: () => number;
+}
+/**
+ * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,
+ * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the
+ * decoded payload on success. Exported standalone for custom flows/tests.
+ */
+declare function verifyGoogleIdToken(token: string, opts: VerifyGoogleIdTokenOptions): Promise<GoogleIdTokenPayload>;
+interface GoogleAuthConfig {
+    /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */
+    clientId: string | string[];
+    /** Allowlist of admin emails (compared case-insensitively). */
+    adminEmails: string[];
+    /** Cookie carrying the Google ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Accepted issuers (override for testing). */
+    issuers?: string[];
+}
+/**
+ * Build an {@link AuthAdapter} that verifies the Google ID token from the
+ * request cookie and grants admin only to a verified email in `adminEmails`.
+ */
+declare function googleAuth(config: GoogleAuthConfig): AuthAdapter;
+export { type GoogleAuthConfig, type GoogleIdTokenPayload, type VerifyGoogleIdTokenOptions, googleAuth, verifyGoogleIdToken };

package/dist/auth/google/index.js ADDED Viewed

@@ -0,0 +1,95 @@
+// src/auth/google/index.ts
+import { createPublicKey, createVerify } from "crypto";
+var GOOGLE_CERTS_URL = "https://www.googleapis.com/oauth2/v3/certs";
+var GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
+var keyCache = null;
+async function getSigningKey(kid) {
+  var _a, _b;
+  const now = Date.now();
+  if (!keyCache || now >= keyCache.expiresAt) {
+    const res = await fetch(GOOGLE_CERTS_URL);
+    if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);
+    const body = await res.json();
+    const keys = new Map(body.keys.map((k) => [k.kid, k]));
+    const maxAge = /max-age=(\d+)/.exec((_a = res.headers.get("cache-control")) != null ? _a : "");
+    keyCache = {
+      keys,
+      expiresAt: now + (maxAge ? Number(maxAge[1]) * 1e3 : 36e5)
+    };
+  }
+  return (_b = keyCache.keys.get(kid)) != null ? _b : null;
+}
+function b64urlToBuffer(input) {
+  return Buffer.from(input.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function b64urlToJson(input) {
+  return JSON.parse(b64urlToBuffer(input).toString("utf8"));
+}
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+async function verifyGoogleIdToken(token, opts) {
+  var _a, _b, _c;
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Malformed ID token");
+  const [headerB64, payloadB64, signatureB64] = parts;
+  const header = b64urlToJson(headerB64);
+  if (header.alg !== "RS256") throw new Error(`Unexpected alg: ${header.alg}`);
+  const jwk = await getSigningKey(header.kid);
+  if (!jwk) throw new Error("No matching Google signing key for token");
+  const publicKey = createPublicKey({
+    key: jwk,
+    format: "jwk"
+  });
+  const verifier = createVerify("RSA-SHA256");
+  verifier.update(`${headerB64}.${payloadB64}`);
+  verifier.end();
+  if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {
+    throw new Error("Invalid ID token signature");
+  }
+  const payload = b64urlToJson(payloadB64);
+  const nowSec = Math.floor(((_b = (_a = opts.now) == null ? void 0 : _a.call(opts)) != null ? _b : Date.now()) / 1e3);
+  if (payload.exp <= nowSec) throw new Error("ID token expired");
+  const issuers = (_c = opts.issuers) != null ? _c : GOOGLE_ISSUERS;
+  if (!issuers.includes(payload.iss)) {
+    throw new Error(`Untrusted issuer: ${payload.iss}`);
+  }
+  const audiences = Array.isArray(opts.clientId) ? opts.clientId : [opts.clientId];
+  if (!audiences.includes(payload.aud)) throw new Error("Audience mismatch");
+  return payload;
+}
+function googleAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let payload;
+      try {
+        payload = await verifyGoogleIdToken(token, {
+          clientId: config.clientId,
+          issuers: config.issuers
+        });
+      } catch (e) {
+        return null;
+      }
+      const email = (_a2 = payload.email) == null ? void 0 : _a2.toLowerCase();
+      const isAdmin = !!email && payload.email_verified === true && allowed.includes(email);
+      return { userId: payload.sub, email: payload.email, isAdmin };
+    }
+  };
+}
+export {
+  googleAuth,
+  verifyGoogleIdToken
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/google/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../../src/auth/google/index.ts"],"sourcesContent":["import { createPublicKey, createVerify, type JsonWebKey } from \"node:crypto\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/**\n * Server auth adapter backed by **Google Identity Services** ID tokens — the\n * lightweight alternative to the Firebase adapter when all you want is \"Sign in\n * with Google\". No Firebase project, no service account: the browser obtains a\n * signed Google ID token (a JWT), drops it in a cookie, and this adapter\n * verifies it locally against Google's public keys, then gates on an email\n * allowlist.\n *\n * Verification is dependency-free (Node's built-in `crypto` + `fetch`), so the\n * package keeps its zero-runtime-deps contract.\n */\n\nconst GOOGLE_CERTS_URL = \"https://www.googleapis.com/oauth2/v3/certs\";\nconst GOOGLE_ISSUERS = [\"https://accounts.google.com\", \"accounts.google.com\"];\n\n/** A Google JWKS entry (RSA public key in JWK form). */\ninterface GoogleJwk {\n kid: string;\n kty: string;\n n: string;\n e: string;\n alg?: string;\n use?: string;\n}\n\nlet keyCache: { keys: Map<string, GoogleJwk>; expiresAt: number } | null = null;\n\n/** Fetch (and cache, honoring `cache-control: max-age`) Google's signing keys. */\nasync function getSigningKey(kid: string): Promise<GoogleJwk | null> {\n const now = Date.now();\n if (!keyCache || now >= keyCache.expiresAt) {\n const res = await fetch(GOOGLE_CERTS_URL);\n if (!res.ok) throw new Error(`Google JWKS fetch failed: ${res.status}`);\n const body = (await res.json()) as { keys: GoogleJwk[] };\n const keys = new Map(body.keys.map((k) => [k.kid, k]));\n const maxAge = /max-age=(\\d+)/.exec(res.headers.get(\"cache-control\") ?? \"\");\n keyCache = {\n keys,\n expiresAt: now + (maxAge ? Number(maxAge[1]) * 1000 : 3_600_000),\n };\n }\n return keyCache.keys.get(kid) ?? null;\n}\n\nfunction b64urlToBuffer(input: string): Buffer {\n return Buffer.from(input.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction b64urlToJson<T>(input: string): T {\n return JSON.parse(b64urlToBuffer(input).toString(\"utf8\")) as T;\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n const header = req.headers.get(\"cookie\");\n if (!header) return null;\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.trim().split(\"=\");\n if (k === name) return decodeURIComponent(v.join(\"=\"));\n }\n return null;\n}\n\n/** Claims of interest from a verified Google ID token. */\nexport interface GoogleIdTokenPayload {\n iss: string;\n aud: string;\n sub: string;\n exp: number;\n iat: number;\n email?: string;\n email_verified?: boolean;\n name?: string;\n picture?: string;\n}\n\nexport interface VerifyGoogleIdTokenOptions {\n /** Expected audience — your OAuth 2.0 Web client ID(s). */\n clientId: string | string[];\n /** Accepted issuers. Defaults to Google's two canonical issuers. */\n issuers?: string[];\n /** Clock injection for tests. Defaults to `Date.now`. */\n now?: () => number;\n}\n\n/**\n * Verify a Google ID token end-to-end: RS256 signature against Google's JWKS,\n * plus `exp` / `iss` / `aud` checks. Throws on any failure; resolves with the\n * decoded payload on success. Exported standalone for custom flows/tests.\n */\nexport async function verifyGoogleIdToken(\n token: string,\n opts: VerifyGoogleIdTokenOptions,\n): Promise<GoogleIdTokenPayload> {\n const parts = token.split(\".\");\n if (parts.length !== 3) throw new Error(\"Malformed ID token\");\n const [headerB64, payloadB64, signatureB64] = parts;\n\n const header = b64urlToJson<{ alg: string; kid: string }>(headerB64);\n if (header.alg !== \"RS256\") throw new Error(`Unexpected alg: ${header.alg}`);\n\n const jwk = await getSigningKey(header.kid);\n if (!jwk) throw new Error(\"No matching Google signing key for token\");\n\n const publicKey = createPublicKey({\n key: jwk as unknown as JsonWebKey,\n format: \"jwk\",\n });\n const verifier = createVerify(\"RSA-SHA256\");\n verifier.update(`${headerB64}.${payloadB64}`);\n verifier.end();\n if (!verifier.verify(publicKey, b64urlToBuffer(signatureB64))) {\n throw new Error(\"Invalid ID token signature\");\n }\n\n const payload = b64urlToJson<GoogleIdTokenPayload>(payloadB64);\n const nowSec = Math.floor((opts.now?.() ?? Date.now()) / 1000);\n if (payload.exp <= nowSec) throw new Error(\"ID token expired\");\n\n const issuers = opts.issuers ?? GOOGLE_ISSUERS;\n if (!issuers.includes(payload.iss)) {\n throw new Error(`Untrusted issuer: ${payload.iss}`);\n }\n const audiences = Array.isArray(opts.clientId)\n ? opts.clientId\n : [opts.clientId];\n if (!audiences.includes(payload.aud)) throw new Error(\"Audience mismatch\");\n\n return payload;\n}\n\nexport interface GoogleAuthConfig {\n /** OAuth 2.0 Web client ID(s); the token's `aud` must match one of these. */\n clientId: string | string[];\n /** Allowlist of admin emails (compared case-insensitively). */\n adminEmails: string[];\n /** Cookie carrying the Google ID token. Default `adminToken`. */\n cookieName?: string;\n /** Accepted issuers (override for testing). */\n issuers?: string[];\n}\n\n/**\n * Build an {@link AuthAdapter} that verifies the Google ID token from the\n * request cookie and grants admin only to a verified email in `adminEmails`.\n */\nexport function googleAuth(config: GoogleAuthConfig): AuthAdapter {\n const cookieName = config.cookieName ?? \"adminToken\";\n const allowed = config.adminEmails.map((e) => e.trim().toLowerCase());\n\n return {\n async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n const token = readCookie(req, cookieName);\n if (!token) return null;\n\n let payload: GoogleIdTokenPayload;\n try {\n payload = await verifyGoogleIdToken(token, {\n clientId: config.clientId,\n issuers: config.issuers,\n });\n } catch {\n // Expired/invalid/tampered → unauthorized, so the gate emits a\n // 401 { logout: true } and the client can force sign-out.\n return null;\n }\n\n const email = payload.email?.toLowerCase();\n const isAdmin =\n !!email && payload.email_verified === true && allowed.includes(email);\n\n return { userId: payload.sub, email: payload.email, isAdmin };\n },\n };\n}\n"],"mappings":";AAAA,SAAS,iBAAiB,oBAAqC;AAe/D,IAAM,mBAAmB;AACzB,IAAM,iBAAiB,CAAC,+BAA+B,qBAAqB;AAY5E,IAAI,WAAuE;AAG3E,eAAe,cAAc,KAAwC;AA/BrE;AAgCE,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,CAAC,YAAY,OAAO,SAAS,WAAW;AAC1C,UAAM,MAAM,MAAM,MAAM,gBAAgB;AACxC,QAAI,CAAC,IAAI,GAAI,OAAM,IAAI,MAAM,6BAA6B,IAAI,MAAM,EAAE;AACtE,UAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,OAAO,IAAI,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACrD,UAAM,SAAS,gBAAgB,MAAK,SAAI,QAAQ,IAAI,eAAe,MAA/B,YAAoC,EAAE;AAC1E,eAAW;AAAA,MACT;AAAA,MACA,WAAW,OAAO,SAAS,OAAO,OAAO,CAAC,CAAC,IAAI,MAAO;AAAA,IACxD;AAAA,EACF;AACA,UAAO,cAAS,KAAK,IAAI,GAAG,MAArB,YAA0B;AACnC;AAEA,SAAS,eAAe,OAAuB;AAC7C,SAAO,OAAO,KAAK,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG,GAAG,QAAQ;AAC1E;AAEA,SAAS,aAAgB,OAAkB;AACzC,SAAO,KAAK,MAAM,eAAe,KAAK,EAAE,SAAS,MAAM,CAAC;AAC1D;AAEA,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AA6BA,eAAsB,oBACpB,OACA,MAC+B;AA/FjC;AAgGE,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,OAAM,IAAI,MAAM,oBAAoB;AAC5D,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAE9C,QAAM,SAAS,aAA2C,SAAS;AACnE,MAAI,OAAO,QAAQ,QAAS,OAAM,IAAI,MAAM,mBAAmB,OAAO,GAAG,EAAE;AAE3E,QAAM,MAAM,MAAM,cAAc,OAAO,GAAG;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,0CAA0C;AAEpE,QAAM,YAAY,gBAAgB;AAAA,IAChC,KAAK;AAAA,IACL,QAAQ;AAAA,EACV,CAAC;AACD,QAAM,WAAW,aAAa,YAAY;AAC1C,WAAS,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE;AAC5C,WAAS,IAAI;AACb,MAAI,CAAC,SAAS,OAAO,WAAW,eAAe,YAAY,CAAC,GAAG;AAC7D,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AAEA,QAAM,UAAU,aAAmC,UAAU;AAC7D,QAAM,SAAS,KAAK,QAAO,gBAAK,QAAL,8CAAgB,KAAK,IAAI,KAAK,GAAI;AAC7D,MAAI,QAAQ,OAAO,OAAQ,OAAM,IAAI,MAAM,kBAAkB;AAE7D,QAAM,WAAU,UAAK,YAAL,YAAgB;AAChC,MAAI,CAAC,QAAQ,SAAS,QAAQ,GAAG,GAAG;AAClC,UAAM,IAAI,MAAM,qBAAqB,QAAQ,GAAG,EAAE;AAAA,EACpD;AACA,QAAM,YAAY,MAAM,QAAQ,KAAK,QAAQ,IACzC,KAAK,WACL,CAAC,KAAK,QAAQ;AAClB,MAAI,CAAC,UAAU,SAAS,QAAQ,GAAG,EAAG,OAAM,IAAI,MAAM,mBAAmB;AAEzE,SAAO;AACT;AAiBO,SAAS,WAAW,QAAuC;AApJlE;AAqJE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC;AAEpE,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAzJpE,UAAAA;AA0JM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,oBAAoB,OAAO;AAAA,UACzC,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,QAClB,CAAC;AAAA,MACH,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,SAAQA,MAAA,QAAQ,UAAR,gBAAAA,IAAe;AAC7B,YAAM,UACJ,CAAC,CAAC,SAAS,QAAQ,mBAAmB,QAAQ,QAAQ,SAAS,KAAK;AAEtE,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["_a"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dalgoridim/headless-cms",
-  "version": "0.2.1",
+  "version": "0.3.1",
   "description": "Database-agnostic, inline-edit headless CMS engine for React / Next.js apps",
   "license": "UNLICENSED",
   "author": "dalgoridim",
@@ -92,6 +92,16 @@
       "types": "./dist/auth/nextauth/index.d.ts",
       "import": "./dist/auth/nextauth/index.js",
       "require": "./dist/auth/nextauth/index.cjs"
+    },
+    "./auth/google": {
+      "types": "./dist/auth/google/index.d.ts",
+      "import": "./dist/auth/google/index.js",
+      "require": "./dist/auth/google/index.cjs"
+    },
+    "./auth/google/client": {
+      "types": "./dist/auth/google/client/index.d.ts",
+      "import": "./dist/auth/google/client/index.js",
+      "require": "./dist/auth/google/client/index.cjs"
     }
   },
   "files": [