@dloizides/auth-client 2.0.0 → 3.0.0

package/dist/index.d.mts

@@ -1,5 +1,8 @@
-import { T as TokenStorage, A as AuthTokens } from './AuthClient-Dim7HPRz.mjs';
-export { a as AuthApiClient, b as AuthApiClientOptions, c as AuthClient, d as AuthClientCollaborators, e as AuthClientConfig, f as AuthClientFromIssuerInput, g as AuthEventEmitter, h as AuthEventListener, i as AuthEventName, j as AuthEventUnsubscribe, k as AuthSessionInfo, F as ForgotPasswordRequest, H as HttpClient, l as HttpRequest, m as HttpResponse, I as InactivityStore, n as InactivityTracker, o as InactivityTrackerOptions, L as LoginOptions, p as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, q as RefreshFn, r as RefreshInterceptor, s as RefreshInterceptorOptions, t as ResetPasswordRequest, u as createFetchHttpClient } from './AuthClient-Dim7HPRz.mjs';
+import { T as TokenStorage, c as AuthTokens } from './AuthClient-BGr8L03W.mjs';
+export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-BGr8L03W.mjs';
+export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.mjs';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -65,31 +68,6 @@ interface NormalizedUser {
     raw?: KeycloakUserInfo;
 }
 
-/**
- * Raw token endpoint response (snake_case, OIDC standard).
- */
-interface RawTokenResponse {
-    access_token: string;
-    refresh_token?: string;
-    id_token?: string;
-    expires_in?: number;
-    token_type?: string;
-    scope?: string;
-    [key: string]: unknown;
-}
-/**
- * Application-friendly camelCase view of a token endpoint response.
- */
-interface TokenResponse {
-    accessToken: string;
-    refreshToken?: string;
-    idToken?: string;
-    /** Seconds until expiry, as returned by Keycloak. */
-    expiresIn?: number;
-    tokenType?: string;
-    scope?: string;
-}
-
 /**
  * Subset of `Storage` we actually use. Lets callers inject `localStorage`,
  * `sessionStorage`, or any compatible polyfill.
@@ -337,6 +315,109 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -510,4 +591,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, type RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, type TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.d.ts

@@ -1,5 +1,8 @@
-import { T as TokenStorage, A as AuthTokens } from './AuthClient-Dim7HPRz.js';
-export { a as AuthApiClient, b as AuthApiClientOptions, c as AuthClient, d as AuthClientCollaborators, e as AuthClientConfig, f as AuthClientFromIssuerInput, g as AuthEventEmitter, h as AuthEventListener, i as AuthEventName, j as AuthEventUnsubscribe, k as AuthSessionInfo, F as ForgotPasswordRequest, H as HttpClient, l as HttpRequest, m as HttpResponse, I as InactivityStore, n as InactivityTracker, o as InactivityTrackerOptions, L as LoginOptions, p as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, q as RefreshFn, r as RefreshInterceptor, s as RefreshInterceptorOptions, t as ResetPasswordRequest, u as createFetchHttpClient } from './AuthClient-Dim7HPRz.js';
+import { T as TokenStorage, c as AuthTokens } from './AuthClient-D95OMajD.js';
+export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-D95OMajD.js';
+export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.js';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -65,31 +68,6 @@ interface NormalizedUser {
     raw?: KeycloakUserInfo;
 }
 
-/**
- * Raw token endpoint response (snake_case, OIDC standard).
- */
-interface RawTokenResponse {
-    access_token: string;
-    refresh_token?: string;
-    id_token?: string;
-    expires_in?: number;
-    token_type?: string;
-    scope?: string;
-    [key: string]: unknown;
-}
-/**
- * Application-friendly camelCase view of a token endpoint response.
- */
-interface TokenResponse {
-    accessToken: string;
-    refreshToken?: string;
-    idToken?: string;
-    /** Seconds until expiry, as returned by Keycloak. */
-    expiresIn?: number;
-    tokenType?: string;
-    scope?: string;
-}
-
 /**
  * Subset of `Storage` we actually use. Lets callers inject `localStorage`,
  * `sessionStorage`, or any compatible polyfill.
@@ -337,6 +315,109 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -510,4 +591,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, type RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, type TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };