@diskominfo/sso-kukar-sdk-js 1.1.0

package/README.md

@@ -0,0 +1,218 @@
+# SSO Kukar SDK Express
+
+## Instalasi
+
+```bash
+npm install git+https://reporepo.kukarkab.go.id/rizkipadhil/sso-kukar-sdk-express
+```
+
+## Frontend
+
+pastikan **application** dan **callback url** telah terdaftar pada Server SSO Kukar,
+kemudian gunakan salah satu metode dibawah
+
+### Handle Dengan Redirect
+
+```ts
+import SsoKukarFrontend from "sso-kukar-sdk-express/client";
+
+// konfigurasi
+const sso = new SsoKukarFrontend({
+  client_id: "masukkan-client-id",
+  auth_url: "masukkan-url-sso-server",
+});
+
+// pindah ke halaman login atau callback
+await sso.redirectLogin();
+```
+
+---
+
+pada halaman callback
+
+```ts
+import SsoKukarFrontend from "sso-kukar-sdk-express/client";
+
+const sso = new SsoKukarFrontend({
+  client_id: "masukkan-client-id",
+  auth_url: "masukkan-url-sso-server",
+});
+
+// penggunaan
+const userData = await sso.handleRedirectLogin();
+
+/*
+{
+  payload: {
+    user: {...}
+    ...
+  },
+  tokens: {
+    access_token: ...,
+    refresh_token: ...
+  }
+}
+*/
+```
+
+---
+
+simpan `access_token` dan `refresh_token` yang didapatkan dari `handleRedirectLogin`
+pada local storage atau cookies
+
+ketika mengakes endpoint ke backend, taruh `access_token` pada request header
+
+`Authorization: Bearer {access_token}`
+
+### Handle Dengan Popup
+
+```ts
+import SsoKukarFrontend from "sso-kukar-sdk-express/client";
+
+// konfigurasi
+const sso = new SsoKukarFrontend({
+  client_id: "masukkan-client-id",
+  auth_url: "masukkan-url-sso-server",
+});
+
+// penggunaan data
+const userData = await sso.openLoginPopup();
+
+/*
+{
+  payload: {
+    user: {...}
+    ...
+  },
+  tokens: {
+    access_token: ...,
+    refresh_token: ...
+  }
+}
+*/
+```
+
+---
+
+pada halaman callback
+
+```ts
+import SsoKukarFrontend from "sso-kukar-sdk-express/client";
+
+const sso = new SsoKukarFrontend({
+  client_id: "masukkan-client-id",
+  auth_url: "masukkan-url-sso-server",
+});
+
+sso.closeLoginPopup();
+```
+
+atau bisa juga dengan snippet dibawah ini
+
+```ts
+const queryParams = new URLSearchParams(window.location.search);
+const code = queryParams.get("code");
+window.opener.postMessage({ code });
+window.close();
+```
+
+---
+
+simpan `access_token` dan `refresh_token` yang didapatkan dari `openLoginPopup`
+pada local storage atau cookies
+
+ketika mengakes endpoint ke backend, taruh `access_token` pada request header
+
+`Authorization: Bearer {access_token}`
+
+## Backend
+
+```ts
+import express from "express";
+import SsoKukarSdkExpress from "sso-kukar-sdk-express";
+
+const app = express();
+
+const sso = new SsoKukarSdkExpress({
+  client_id: "masukkan-client-id",
+  client_secret: "masukkan-client-secret",
+  auth_url: "masukkan-url-sso-server",
+});
+
+// register callback handler, endpoint yang akan memproses code dari SSO Kukar
+app.use("/callback", sso.callbackHandler(req, res) => {
+  // setelah callback berhasil, redirect ke halaman dashboard atau halaman lain
+  res.redirect('/dashboard');
+});
+
+// register middleware untuk endpoint yang memerlukan otentikasi
+app.use('/restricted', sso.middleware(), (req, res) => {
+  // data user yang telah diverifikasi akan tersedia di req.user_sso
+  res.json({ user: req.user_sso });
+});
+
+// register endpoint untuk logout
+app.use('/logout', sso.logoutHandler());
+```
+
+middleware ini memeriksa `access_token` pada header `Authorization` atau cookies
+dan secara otomatis mengisi `req.user_sso` dengan data pengguna yang telah diverifikasi.
+
+apabila `access_token` berasal dari cookies dan tidak valid, maka akan mencoba untuk
+mengambil `refresh_token` dari cookies dan memperbarui `access_token` jika berhasil.
+
+---
+
+jika callback dilakukan pada halaman popup, ganti `callbackHandler` dengan `callbackPopupHandler`
+
+```ts
+app.use("/callback", sso.callbackPopupHandler());
+```
+
+---
+
+jika ingin agar import bisa embed pada header html, gunakan `frontendHandler`
+
+```ts
+app.use("/sso-client.js", sso.frontendHandler());
+```
+
+pada frontend, import seperti ini:
+
+```ts
+import SsoKukarFrontend from "/sso-client.js";
+```
+
+## Validasi
+
+untuk validasi secara manual baik pada frontend maupun backend, gunakan `verifyAccessToken`
+
+```ts
+const verify_token = await sso.verifyAccessToken("masukkan-access-token");
+/*
+{
+  verified: true | false,
+  expired: true | false,
+  data: {
+    user: {...},
+    ...
+  },
+};
+*/
+```
+
+---
+
+apabila `access_token` tidak bisa lagi divalidasi, minta lagi `access_token` baru dengan `refreshAccessToken`
+
+```ts
+const response_token = await sso.refreshAccessToken("masukkan-refresh-token");
+/*
+{
+  success: true,
+  data: {
+    access_token: ...,
+  },
+};
+*/
+```

package/bun.lock

@@ -0,0 +1,172 @@
+{
+  "lockfileVersion": 1,
+  "configVersion": 0,
+  "workspaces": {
+    "": {
+      "name": "sso-kukar-sdk-express",
+      "devDependencies": {
+        "@types/express": "^5.0.3",
+        "express": "^5.1.0",
+      },
+    },
+  },
+  "packages": {
+    "@types/body-parser": ["@types/body-parser@1.19.6", "", { "dependencies": { "@types/connect": "*", "@types/node": "*" } }, "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g=="],
+
+    "@types/connect": ["@types/connect@3.4.38", "", { "dependencies": { "@types/node": "*" } }, "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug=="],
+
+    "@types/express": ["@types/express@5.0.3", "", { "dependencies": { "@types/body-parser": "*", "@types/express-serve-static-core": "^5.0.0", "@types/serve-static": "*" } }, "sha512-wGA0NX93b19/dZC1J18tKWVIYWyyF2ZjT9vin/NRu0qzzvfVzWjs04iq2rQ3H65vCTQYlRqs3YHfY7zjdV+9Kw=="],
+
+    "@types/express-serve-static-core": ["@types/express-serve-static-core@5.0.6", "", { "dependencies": { "@types/node": "*", "@types/qs": "*", "@types/range-parser": "*", "@types/send": "*" } }, "sha512-3xhRnjJPkULekpSzgtoNYYcTWgEZkp4myc+Saevii5JPnHNvHMRlBSHDbs7Bh1iPPoVTERHEZXyhyLbMEsExsA=="],
+
+    "@types/http-errors": ["@types/http-errors@2.0.5", "", {}, "sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg=="],
+
+    "@types/mime": ["@types/mime@1.3.5", "", {}, "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w=="],
+
+    "@types/node": ["@types/node@24.0.3", "", { "dependencies": { "undici-types": "~7.8.0" } }, "sha512-R4I/kzCYAdRLzfiCabn9hxWfbuHS573x+r0dJMkkzThEa7pbrcDWK+9zu3e7aBOouf+rQAciqPFMnxwr0aWgKg=="],
+
+    "@types/qs": ["@types/qs@6.14.0", "", {}, "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ=="],
+
+    "@types/range-parser": ["@types/range-parser@1.2.7", "", {}, "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ=="],
+
+    "@types/send": ["@types/send@0.17.5", "", { "dependencies": { "@types/mime": "^1", "@types/node": "*" } }, "sha512-z6F2D3cOStZvuk2SaP6YrwkNO65iTZcwA2ZkSABegdkAh/lf+Aa/YQndZVfmEXT5vgAp6zv06VQ3ejSVjAny4w=="],
+
+    "@types/serve-static": ["@types/serve-static@1.15.8", "", { "dependencies": { "@types/http-errors": "*", "@types/node": "*", "@types/send": "*" } }, "sha512-roei0UY3LhpOJvjbIP6ZZFngyLKl5dskOtDhxY5THRSpO+ZI+nzJ+m5yUMzGrp89YRa7lvknKkMYjqQFGwA7Sg=="],
+
+    "accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="],
+
+    "body-parser": ["body-parser@2.2.0", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.0", "http-errors": "^2.0.0", "iconv-lite": "^0.6.3", "on-finished": "^2.4.1", "qs": "^6.14.0", "raw-body": "^3.0.0", "type-is": "^2.0.0" } }, "sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg=="],
+
+    "bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],
+
+    "call-bind-apply-helpers": ["call-bind-apply-helpers@1.0.2", "", { "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } }, "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ=="],
+
+    "call-bound": ["call-bound@1.0.4", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "get-intrinsic": "^1.3.0" } }, "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg=="],
+
+    "content-disposition": ["content-disposition@1.0.0", "", { "dependencies": { "safe-buffer": "5.2.1" } }, "sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg=="],
+
+    "content-type": ["content-type@1.0.5", "", {}, "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA=="],
+
+    "cookie": ["cookie@0.7.2", "", {}, "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="],
+
+    "cookie-signature": ["cookie-signature@1.2.2", "", {}, "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg=="],
+
+    "debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="],
+
+    "depd": ["depd@2.0.0", "", {}, "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw=="],
+
+    "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
+
+    "ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="],
+
+    "encodeurl": ["encodeurl@2.0.0", "", {}, "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg=="],
+
+    "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
+
+    "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
+
+    "es-object-atoms": ["es-object-atoms@1.1.1", "", { "dependencies": { "es-errors": "^1.3.0" } }, "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA=="],
+
+    "escape-html": ["escape-html@1.0.3", "", {}, "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow=="],
+
+    "etag": ["etag@1.8.1", "", {}, "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg=="],
+
+    "express": ["express@5.1.0", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.0", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA=="],
+
+    "finalhandler": ["finalhandler@2.1.0", "", { "dependencies": { "debug": "^4.4.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "on-finished": "^2.4.1", "parseurl": "^1.3.3", "statuses": "^2.0.1" } }, "sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q=="],
+
+    "forwarded": ["forwarded@0.2.0", "", {}, "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow=="],
+
+    "fresh": ["fresh@2.0.0", "", {}, "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A=="],
+
+    "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="],
+
+    "get-intrinsic": ["get-intrinsic@1.3.0", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } }, "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ=="],
+
+    "get-proto": ["get-proto@1.0.1", "", { "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } }, "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g=="],
+
+    "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="],
+
+    "has-symbols": ["has-symbols@1.1.0", "", {}, "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ=="],
+
+    "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
+
+    "http-errors": ["http-errors@2.0.0", "", { "dependencies": { "depd": "2.0.0", "inherits": "2.0.4", "setprototypeof": "1.2.0", "statuses": "2.0.1", "toidentifier": "1.0.1" } }, "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ=="],
+
+    "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],
+
+    "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="],
+
+    "ipaddr.js": ["ipaddr.js@1.9.1", "", {}, "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g=="],
+
+    "is-promise": ["is-promise@4.0.0", "", {}, "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ=="],
+
+    "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="],
+
+    "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="],
+
+    "merge-descriptors": ["merge-descriptors@2.0.0", "", {}, "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g=="],
+
+    "mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
+
+    "mime-types": ["mime-types@3.0.1", "", { "dependencies": { "mime-db": "^1.54.0" } }, "sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA=="],
+
+    "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
+
+    "negotiator": ["negotiator@1.0.0", "", {}, "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg=="],
+
+    "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="],
+
+    "on-finished": ["on-finished@2.4.1", "", { "dependencies": { "ee-first": "1.1.1" } }, "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg=="],
+
+    "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="],
+
+    "parseurl": ["parseurl@1.3.3", "", {}, "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ=="],
+
+    "path-to-regexp": ["path-to-regexp@8.2.0", "", {}, "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ=="],
+
+    "proxy-addr": ["proxy-addr@2.0.7", "", { "dependencies": { "forwarded": "0.2.0", "ipaddr.js": "1.9.1" } }, "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg=="],
+
+    "qs": ["qs@6.14.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w=="],
+
+    "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="],
+
+    "raw-body": ["raw-body@3.0.0", "", { "dependencies": { "bytes": "3.1.2", "http-errors": "2.0.0", "iconv-lite": "0.6.3", "unpipe": "1.0.0" } }, "sha512-RmkhL8CAyCRPXCE28MMH0z2PNWQBNk2Q09ZdxM9IOOXwxwZbN+qbWaatPkdkWIKL2ZVDImrN/pK5HTRz2PcS4g=="],
+
+    "router": ["router@2.2.0", "", { "dependencies": { "debug": "^4.4.0", "depd": "^2.0.0", "is-promise": "^4.0.0", "parseurl": "^1.3.3", "path-to-regexp": "^8.0.0" } }, "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ=="],
+
+    "safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
+
+    "safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
+
+    "send": ["send@1.2.0", "", { "dependencies": { "debug": "^4.3.5", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.0", "mime-types": "^3.0.1", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.1" } }, "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw=="],
+
+    "serve-static": ["serve-static@2.2.0", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ=="],
+
+    "setprototypeof": ["setprototypeof@1.2.0", "", {}, "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw=="],
+
+    "side-channel": ["side-channel@1.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } }, "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw=="],
+
+    "side-channel-list": ["side-channel-list@1.0.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3" } }, "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA=="],
+
+    "side-channel-map": ["side-channel-map@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } }, "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA=="],
+
+    "side-channel-weakmap": ["side-channel-weakmap@1.0.2", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3", "side-channel-map": "^1.0.1" } }, "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A=="],
+
+    "statuses": ["statuses@2.0.2", "", {}, "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw=="],
+
+    "toidentifier": ["toidentifier@1.0.1", "", {}, "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA=="],
+
+    "type-is": ["type-is@2.0.1", "", { "dependencies": { "content-type": "^1.0.5", "media-typer": "^1.1.0", "mime-types": "^3.0.0" } }, "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw=="],
+
+    "undici-types": ["undici-types@7.8.0", "", {}, "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw=="],
+
+    "unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="],
+
+    "vary": ["vary@1.1.2", "", {}, "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="],
+
+    "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
+
+    "http-errors/statuses": ["statuses@2.0.1", "", {}, "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ=="],
+  }
+}

package/dist/sso-kukar-sdk-express.js

@@ -0,0 +1,272 @@
+var __create = Object.create;
+var __getProtoOf = Object.getPrototypeOf;
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __toESM = (mod, isNodeMode, target) => {
+  target = mod != null ? __create(__getProtoOf(mod)) : {};
+  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
+  for (let key of __getOwnPropNames(mod))
+    if (!__hasOwnProp.call(to, key))
+      __defProp(to, key, {
+        get: () => mod[key],
+        enumerable: true
+      });
+  return to;
+};
+var __moduleCache = /* @__PURE__ */ new WeakMap;
+var __toCommonJS = (from) => {
+  var entry = __moduleCache.get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function")
+    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
+      get: () => from[key],
+      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+    }));
+  __moduleCache.set(from, entry);
+  return entry;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+
+// src/SsoKukarSdkExpress.ts
+var exports_SsoKukarSdkExpress = {};
+__export(exports_SsoKukarSdkExpress, {
+  default: () => SsoKukarSdkExpress,
+  SsoKukarSdkError: () => SsoKukarSdkError
+});
+module.exports = __toCommonJS(exports_SsoKukarSdkExpress);
+var import_path = __toESM(require("path"));
+
+// src/SsoKukarClient.ts
+class SsoKukarClient {
+  config;
+  #pubkey;
+  constructor(config) {
+    this.config = config;
+  }
+  async fetchPublicKey() {
+    if (this.#pubkey) {
+      return this.#pubkey;
+    }
+    const pubkeyPath = `${this.config.auth_url}/.well-known/public.pem`;
+    this.#pubkey = await fetch(pubkeyPath).then((res) => res.text()).then((pem) => pem.replace(/-----(BEGIN|END) PUBLIC KEY-----/g, "").replace(/\s+/g, ""));
+    return this.#pubkey;
+  }
+  async verifyAccessToken(accessToken) {
+    const pubkey = await this.fetchPublicKey();
+    const binaryDer = Uint8Array.from(atob(pubkey), (c) => c.charCodeAt(0));
+    const cryptoKey = await crypto.subtle.importKey("spki", binaryDer.buffer, {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    }, false, ["verify"]);
+    const [header, payload, signature] = accessToken.split(".");
+    const base64Signature = signature.replace(/-/g, "+").replace(/_/g, "/");
+    const verified = await crypto.subtle.verify({ name: "RSASSA-PKCS1-v1_5" }, cryptoKey, Uint8Array.from(atob(base64Signature), (c) => c.charCodeAt(0)), new TextEncoder().encode([header, payload].join(".")));
+    const data = JSON.parse(atob(payload));
+    const expired = data.exp && data.exp < Date.now() / 1000;
+    return {
+      verified,
+      expired,
+      data
+    };
+  }
+  async refreshAccessToken(refresh_token) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: this.config.client_id,
+        refresh_token
+      })
+    });
+    return res.json();
+  }
+  async generateAccessToken(code, code_verifier) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: this.config.client_id,
+        code,
+        code_verifier
+      })
+    });
+    return res.json();
+  }
+}
+
+// src/SsoKukarSdkExpress.ts
+var __dirname = "/home/aldinh777/Projects/simpeg/sso-kukar-sdk-express/src";
+
+class SsoKukarSdkError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SsoKukarSdkError";
+  }
+}
+
+class SsoKukarSdkExpress extends SsoKukarClient {
+  ssoRedirectUrl() {
+    const { client_id, auth_url } = this.config;
+    return `${auth_url}/sso/auth?response_type=code&client_id=${client_id}`;
+  }
+  obtainHeaderAccessToken(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      return authHeader.split(" ")[1];
+    }
+    return null;
+  }
+  obtainCookiesAccessToken(req) {
+    const token = req.cookies?.access_token;
+    if (token) {
+      return token;
+    }
+    return null;
+  }
+  obtainCookiesRefreshToken(req) {
+    const token = req.cookies?.refresh_token;
+    if (token) {
+      return token;
+    }
+    return null;
+  }
+  setCookie(res, key, value) {
+    res.cookie(key, value, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict",
+      maxAge: 30 * 24 * 60 * 60 * 1000
+    });
+  }
+  clearCookie(res, key) {
+    res.clearCookie(key, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict"
+    });
+  }
+  middleware() {
+    return async (req, res, next) => {
+      try {
+        const accessToken = this.obtainHeaderAccessToken(req) || this.obtainCookiesAccessToken(req);
+        if (!accessToken) {
+          return next(new SsoKukarSdkError("Access token not found"));
+        }
+        let user = await this.verifyAccessToken(accessToken);
+        if (user.verified === false) {
+          const refresh_token = this.obtainCookiesRefreshToken(req);
+          if (!refresh_token) {
+            this.clearCookie(res, "access_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+          const tokenResponse = await this.refreshAccessToken(refresh_token);
+          const newAccessToken = tokenResponse.data?.access_token;
+          if (!newAccessToken) {
+            this.clearCookie(res, "access_token");
+            this.clearCookie(res, "refresh_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+          user = await this.verifyAccessToken(newAccessToken);
+          if (user.verified === false) {
+            this.clearCookie(res, "access_token");
+            this.clearCookie(res, "refresh_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+          this.setCookie(res, "access_token", newAccessToken);
+        }
+        req.user_sso = user.data;
+        next();
+      } catch (error) {
+        console.error("Authentication error:", error);
+        next(error);
+      }
+    };
+  }
+  async refreshAccessToken(refresh_token) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: this.config.client_id,
+        client_secret: this.config.client_secret,
+        refresh_token
+      })
+    });
+    return res.json();
+  }
+  async generateAccessToken(code) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: this.config.client_id,
+        client_secret: this.config.client_secret,
+        code
+      })
+    });
+    return res.json();
+  }
+  frontendHandler() {
+    return (_req, res) => {
+      res.sendFile(import_path.default.join(__dirname, "../resource/client.js"));
+    };
+  }
+  callbackHandler(onSuccess) {
+    return async (req, res, next) => {
+      const { code } = req.query;
+      if (!code || typeof code !== "string") {
+        res.status(400).json({ error: "Invalid code" });
+        return;
+      }
+      try {
+        const response = await this.generateAccessToken(code);
+        const { access_token, refresh_token } = response.data;
+        this.setCookie(res, "access_token", access_token);
+        this.setCookie(res, "refresh_token", refresh_token);
+        onSuccess(req, res, next);
+      } catch (error) {
+        next(error);
+      }
+    };
+  }
+  callbackPopupHandler() {
+    return (_req, res) => {
+      res.sendFile(import_path.default.join(__dirname, "../resource/callback.html"));
+    };
+  }
+  logoutHandler() {
+    return async (_req, res, next) => {
+      try {
+        this.clearCookie(res, "access_token");
+        this.clearCookie(res, "refresh_token");
+        res.status(204).json({ message: "Logged out successfully" });
+      } catch (error) {
+        next(error);
+      }
+    };
+  }
+}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@diskominfo/sso-kukar-sdk-js",
+  "version": "1.1.0",
+  "description": "express middleware untuk sso-kukar",
+  "license": "ISC",
+  "type": "module",
+  "scripts": {
+    "build-client": "bun build src/SsoKukarFrontend.ts --outfile=resource/client.js --target=browser --format=esm",
+    "build-server": "bun build src/SsoKukarSdkExpress.ts --outfile=dist/sso-kukar-sdk-express.js --target=node --format=cjs"
+  },
+  "exports": {
+    ".": "./dist/sso-kukar-sdk-express.js",
+    "./client": "./resource/client.js"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.3",
+    "express": "^5.1.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://reporepo.kukarkab.go.id/rizkipadhil/sso-kukar-sdk-express.git"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/resource/callback.html

@@ -0,0 +1,6 @@
+<script>
+  const queryParams = new URLSearchParams(window.location.search);
+  const code = queryParams.get("code");
+  window.opener.postMessage({ code });
+  window.close();
+</script>

package/resource/client.js

@@ -0,0 +1,159 @@
+// src/SsoKukarClient.ts
+class SsoKukarClient {
+  config;
+  #pubkey;
+  constructor(config) {
+    this.config = config;
+  }
+  async fetchPublicKey() {
+    if (this.#pubkey) {
+      return this.#pubkey;
+    }
+    const pubkeyPath = `${this.config.auth_url}/.well-known/public.pem`;
+    this.#pubkey = await fetch(pubkeyPath).then((res) => res.text()).then((pem) => pem.replace(/-----(BEGIN|END) PUBLIC KEY-----/g, "").replace(/\s+/g, ""));
+    return this.#pubkey;
+  }
+  async verifyAccessToken(accessToken) {
+    const pubkey = await this.fetchPublicKey();
+    const binaryDer = Uint8Array.from(atob(pubkey), (c) => c.charCodeAt(0));
+    const cryptoKey = await crypto.subtle.importKey("spki", binaryDer.buffer, {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    }, false, ["verify"]);
+    const [header, payload, signature] = accessToken.split(".");
+    const base64Signature = signature.replace(/-/g, "+").replace(/_/g, "/");
+    const verified = await crypto.subtle.verify({ name: "RSASSA-PKCS1-v1_5" }, cryptoKey, Uint8Array.from(atob(base64Signature), (c) => c.charCodeAt(0)), new TextEncoder().encode([header, payload].join(".")));
+    const data = JSON.parse(atob(payload));
+    const expired = data.exp && data.exp < Date.now() / 1000;
+    return {
+      verified,
+      expired,
+      data
+    };
+  }
+  async refreshAccessToken(refresh_token) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: this.config.client_id,
+        refresh_token
+      })
+    });
+    return res.json();
+  }
+  async generateAccessToken(code, code_verifier) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json"
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: this.config.client_id,
+        code,
+        code_verifier
+      })
+    });
+    return res.json();
+  }
+}
+
+// src/SsoKukarFrontend.ts
+class SsoKukarFrontend extends SsoKukarClient {
+  static verifier_code_name = "sso_kukar_verifier_code";
+  async generateCodeChallengePair() {
+    const code_verifier = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+    const encoder = new TextEncoder;
+    const data = encoder.encode(code_verifier);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const code_challenge = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    return { code_challenge, code_verifier };
+  }
+  handleLoginPopup(url, width = 500, height = 600) {
+    return new Promise((resolve, reject) => {
+      const left = window.screenX + (window.outerWidth - width) / 2;
+      const top = window.screenY + (window.outerHeight - height) / 2;
+      const popup = window.open(url, "_blank", `width=${width},height=${height},left=${left},top=${top},resizable,scrollbars`);
+      if (!popup) {
+        return reject("Popup blocked");
+      }
+      const interval = setInterval(() => {
+        if (popup.closed) {
+          clearInterval(interval);
+          window.removeEventListener("message", msgHandler);
+          reject("Failed to authenticate");
+        }
+      }, 500);
+      const msgHandler = (event) => {
+        if (event.origin !== window.location.origin || !event.data?.code) {
+          return;
+        }
+        clearInterval(interval);
+        window.removeEventListener("message", msgHandler);
+        resolve(event.data);
+      };
+      window.addEventListener("message", msgHandler);
+    });
+  }
+  async redirectLogin() {
+    const { auth_url, client_id } = this.config;
+    const { code_challenge, code_verifier } = await this.generateCodeChallengePair();
+    const url = `${auth_url}/sso/auth?response_type=code&client_id=${client_id}&code_challenge=${code_challenge}`;
+    localStorage.setItem(SsoKukarFrontend.verifier_code_name, code_verifier);
+    window.location.href = url;
+  }
+  async handleRedirectLogin() {
+    const params = new URLSearchParams(window.location.search);
+    const code = params.get("code");
+    const code_verifier = localStorage.getItem(SsoKukarFrontend.verifier_code_name);
+    if (!code || !code_verifier) {
+      return null;
+    }
+    const res_tokens = await this.generateAccessToken(code, code_verifier);
+    localStorage.removeItem(SsoKukarFrontend.verifier_code_name);
+    const access_token = res_tokens.data.access_token;
+    const refresh_token = res_tokens.data.refresh_token;
+    const verifyToken = await this.verifyAccessToken(access_token);
+    if (verifyToken.verified) {
+      return {
+        tokens: {
+          access_token,
+          refresh_token
+        },
+        payload: verifyToken.data
+      };
+    }
+  }
+  async openLoginPopup() {
+    const { auth_url, client_id } = this.config;
+    const { code_challenge, code_verifier } = await this.generateCodeChallengePair();
+    const { code } = await this.handleLoginPopup(`${auth_url}/sso/auth?response_type=code&client_id=${client_id}&code_challenge=${code_challenge}`);
+    const res_tokens = await this.generateAccessToken(code, code_verifier);
+    const access_token = res_tokens.data.access_token;
+    const refresh_token = res_tokens.data.refresh_token;
+    const verifyToken = await this.verifyAccessToken(access_token);
+    if (verifyToken.verified) {
+      return {
+        tokens: {
+          access_token,
+          refresh_token
+        },
+        payload: verifyToken.data
+      };
+    }
+  }
+  closeLoginPopup() {
+    const queryParams = new URLSearchParams(window.location.search);
+    const code = queryParams.get("code");
+    window.opener.postMessage({ client_id: this.config.client_id, code });
+    window.close();
+  }
+}
+export {
+  SsoKukarFrontend as default
+};

package/src/SsoKukarClient.ts

@@ -0,0 +1,98 @@
+export type SsoClientConfig = {
+  client_id: string;
+  auth_url: string;
+};
+
+export default class SsoKukarClient<
+  T extends SsoClientConfig = SsoClientConfig,
+> {
+  config: T;
+  #pubkey: string;
+
+  constructor(config: T) {
+    this.config = config;
+  }
+
+  async fetchPublicKey() {
+    if (this.#pubkey) {
+      return this.#pubkey;
+    }
+    const pubkeyPath = `${this.config.auth_url}/.well-known/public.pem`;
+    this.#pubkey = await fetch(pubkeyPath)
+      .then((res) => res.text())
+      .then((pem) =>
+        pem
+          .replace(/-----(BEGIN|END) PUBLIC KEY-----/g, "")
+          .replace(/\s+/g, ""),
+      );
+    return this.#pubkey;
+  }
+
+  async verifyAccessToken(accessToken: string) {
+    const pubkey = await this.fetchPublicKey();
+    const binaryDer = Uint8Array.from(atob(pubkey), (c) => c.charCodeAt(0));
+
+    const cryptoKey = await crypto.subtle.importKey(
+      "spki",
+      binaryDer.buffer,
+      {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256",
+      },
+      false,
+      ["verify"],
+    );
+
+    const [header, payload, signature] = accessToken.split(".");
+
+    const base64Signature = signature.replace(/-/g, "+").replace(/_/g, "/");
+    const verified = await crypto.subtle.verify(
+      { name: "RSASSA-PKCS1-v1_5" },
+      cryptoKey,
+      Uint8Array.from(atob(base64Signature), (c) => c.charCodeAt(0)),
+      new TextEncoder().encode([header, payload].join(".")),
+    );
+
+    const data = JSON.parse(atob(payload));
+    const expired = data.exp && data.exp < Date.now() / 1000;
+
+    return {
+      verified,
+      expired,
+      data,
+    };
+  }
+
+  async refreshAccessToken(refresh_token: string) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: this.config.client_id,
+        refresh_token,
+      }),
+    });
+
+    return res.json();
+  }
+
+  async generateAccessToken(code: string, code_verifier: string) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: this.config.client_id,
+        code,
+        code_verifier,
+      }),
+    });
+
+    return res.json();
+  }
+}

package/src/SsoKukarFrontend.ts

@@ -0,0 +1,135 @@
+import SsoKukarClient from "./SsoKukarClient";
+
+type PopupResponse = {
+  client_id: string;
+  code: string;
+};
+
+export default class SsoKukarFrontend extends SsoKukarClient {
+  static verifier_code_name: string = "sso_kukar_verifier_code";
+
+  async generateCodeChallengePair() {
+    const code_verifier =
+      Math.random().toString(36).substring(2, 15) +
+      Math.random().toString(36).substring(2, 15);
+
+    // Encode string to Uint8Array
+    const encoder = new TextEncoder();
+    const data = encoder.encode(code_verifier);
+
+    // Hash with SHA-256 using SubtleCrypto
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+
+    // Convert ArrayBuffer to hex string
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const code_challenge = hashArray
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("");
+
+    return { code_challenge, code_verifier };
+  }
+
+  handleLoginPopup(url: string, width = 500, height = 600) {
+    return new Promise<PopupResponse>((resolve, reject) => {
+      const left = window.screenX + (window.outerWidth - width) / 2;
+      const top = window.screenY + (window.outerHeight - height) / 2;
+      const popup = window.open(
+        url,
+        "_blank",
+        `width=${width},height=${height},left=${left},top=${top},resizable,scrollbars`,
+      );
+
+      if (!popup) {
+        return reject("Popup blocked");
+      }
+
+      const interval = setInterval(() => {
+        // window closed unsuccessfully
+        if (popup.closed) {
+          clearInterval(interval);
+          window.removeEventListener("message", msgHandler);
+          reject("Failed to authenticate");
+        }
+      }, 500);
+
+      const msgHandler = (event: MessageEvent) => {
+        if (event.origin !== window.location.origin || !event.data?.code) {
+          return;
+        }
+        // window closed successfully
+        clearInterval(interval);
+        window.removeEventListener("message", msgHandler);
+        resolve(event.data);
+      };
+
+      window.addEventListener("message", msgHandler);
+    });
+  }
+
+  async redirectLogin() {
+    const { auth_url, client_id } = this.config;
+    const { code_challenge, code_verifier } =
+      await this.generateCodeChallengePair();
+    const url = `${auth_url}/sso/auth?response_type=code&client_id=${client_id}&code_challenge=${code_challenge}`;
+    localStorage.setItem(SsoKukarFrontend.verifier_code_name, code_verifier);
+    window.location.href = url;
+  }
+
+  async handleRedirectLogin() {
+    const params = new URLSearchParams(window.location.search);
+    const code = params.get("code");
+    const code_verifier = localStorage.getItem(
+      SsoKukarFrontend.verifier_code_name,
+    );
+
+    if (!code || !code_verifier) {
+      return null;
+    }
+
+    const res_tokens = await this.generateAccessToken(code, code_verifier);
+    localStorage.removeItem(SsoKukarFrontend.verifier_code_name);
+
+    const access_token = res_tokens.data.access_token;
+    const refresh_token = res_tokens.data.refresh_token;
+    const verifyToken = await this.verifyAccessToken(access_token);
+    if (verifyToken.verified) {
+      return {
+        tokens: {
+          access_token,
+          refresh_token,
+        },
+        payload: verifyToken.data,
+      };
+    }
+  }
+
+  async openLoginPopup() {
+    const { auth_url, client_id } = this.config;
+    const { code_challenge, code_verifier } =
+      await this.generateCodeChallengePair();
+    const { code } = await this.handleLoginPopup(
+      `${auth_url}/sso/auth?response_type=code&client_id=${client_id}&code_challenge=${code_challenge}`,
+    );
+    const res_tokens = await this.generateAccessToken(code, code_verifier);
+    const access_token = res_tokens.data.access_token;
+    const refresh_token = res_tokens.data.refresh_token;
+
+    const verifyToken = await this.verifyAccessToken(access_token);
+    if (verifyToken.verified) {
+      return {
+        tokens: {
+          access_token,
+          refresh_token,
+        },
+        payload: verifyToken.data,
+      };
+    }
+  }
+
+  closeLoginPopup() {
+    const queryParams = new URLSearchParams(window.location.search);
+    const code = queryParams.get("code");
+    window.opener.postMessage({ client_id: this.config.client_id, code });
+    window.close();
+  }
+}

package/src/SsoKukarSdkExpress.ts

@@ -0,0 +1,201 @@
+import path from "path";
+import { NextFunction, Request, Response, Router } from "express";
+import SsoKukarClient, { SsoClientConfig } from "./SsoKukarClient";
+
+type SsoServerConfig = SsoClientConfig & {
+  client_secret: string;
+  onSuccessRedirect?: string;
+  onErrorRedirect?: string;
+};
+
+declare global {
+  namespace Express {
+    interface Request {
+      user_sso?: any;
+    }
+  }
+}
+
+export class SsoKukarSdkError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "SsoKukarSdkError";
+  }
+}
+
+export default class SsoKukarSdkExpress extends SsoKukarClient<SsoServerConfig> {
+  ssoRedirectUrl() {
+    const { client_id, auth_url } = this.config;
+    return `${auth_url}/sso/auth?response_type=code&client_id=${client_id}`;
+  }
+
+  obtainHeaderAccessToken(req: Request): string | null {
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      return authHeader.split(" ")[1];
+    }
+    return null;
+  }
+
+  obtainCookiesAccessToken(req: Request): string | null {
+    const token = req.cookies?.access_token;
+    if (token) {
+      return token;
+    }
+    return null;
+  }
+
+  obtainCookiesRefreshToken(req: Request): string | null {
+    const token = req.cookies?.refresh_token;
+    if (token) {
+      return token;
+    }
+    return null;
+  }
+
+  setCookie(res: Response, key: string, value: string) {
+    res.cookie(key, value, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict",
+      maxAge: 30 * 24 * 60 * 60 * 1000,
+    });
+  }
+
+  clearCookie(res: Response, key: string) {
+    res.clearCookie(key, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict",
+    });
+  }
+
+  middleware() {
+    return async (req: Request, res: Response, next: NextFunction) => {
+      try {
+        const accessToken =
+          this.obtainHeaderAccessToken(req) ||
+          this.obtainCookiesAccessToken(req);
+
+        if (!accessToken) {
+          return next(new SsoKukarSdkError("Access token not found"));
+        }
+
+        let user = await this.verifyAccessToken(accessToken);
+        if (user.verified === false) {
+          const refresh_token = this.obtainCookiesRefreshToken(req);
+          if (!refresh_token) {
+            this.clearCookie(res, "access_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+
+          const tokenResponse = await this.refreshAccessToken(refresh_token);
+          const newAccessToken = tokenResponse.data?.access_token;
+          if (!newAccessToken) {
+            this.clearCookie(res, "access_token");
+            this.clearCookie(res, "refresh_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+
+          user = await this.verifyAccessToken(newAccessToken);
+          if (user.verified === false) {
+            this.clearCookie(res, "access_token");
+            this.clearCookie(res, "refresh_token");
+            return next(new SsoKukarSdkError("Unauthorized"));
+          }
+
+          this.setCookie(res, "access_token", newAccessToken);
+        }
+
+        req.user_sso = user.data;
+
+        next();
+      } catch (error) {
+        console.error("Authentication error:", error);
+        next(error);
+      }
+    };
+  }
+
+  // override
+  async refreshAccessToken(refresh_token: string) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: this.config.client_id,
+        client_secret: this.config.client_secret,
+        refresh_token,
+      }),
+    });
+
+    return res.json();
+  }
+
+  // override
+  async generateAccessToken(code: string) {
+    const res = await fetch(this.config.auth_url + "/sso/token", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: this.config.client_id,
+        client_secret: this.config.client_secret,
+        code,
+      }),
+    });
+
+    return res.json();
+  }
+
+  frontendHandler() {
+    return (_req: Request, res: Response) => {
+      res.sendFile(path.join(__dirname, "../resource/client.js"));
+    };
+  }
+
+  callbackHandler(
+    onSuccess: (req: Request, res: Response, next: NextFunction) => any,
+  ) {
+    return async (req: Request, res: Response, next: NextFunction) => {
+      const { code } = req.query;
+      if (!code || typeof code !== "string") {
+        res.status(400).json({ error: "Invalid code" });
+        return;
+      }
+      try {
+        const response = await this.generateAccessToken(code);
+        const { access_token, refresh_token } = response.data;
+        this.setCookie(res, "access_token", access_token);
+        this.setCookie(res, "refresh_token", refresh_token);
+
+        onSuccess(req, res, next);
+      } catch (error) {
+        next(error);
+      }
+    };
+  }
+
+  callbackPopupHandler() {
+    return (_req: Request, res: Response) => {
+      res.sendFile(path.join(__dirname, "../resource/callback.html"));
+    };
+  }
+
+  logoutHandler() {
+    return async (_req: Request, res: Response, next: NextFunction) => {
+      try {
+        this.clearCookie(res, "access_token");
+        this.clearCookie(res, "refresh_token");
+        res.status(204).json({ message: "Logged out successfully" });
+      } catch (error) {
+        next(error);
+      }
+    };
+  }
+}