npm - @dloizides/auth-client - Versions diffs - 2.1.0 → 3.2.1 - Mend

@dloizides/auth-client 2.1.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +67 -0
package/README.md +37 -1
package/dist/{AuthClient-D95OMajD.d.ts → AuthClient-Cv7btBX0.d.ts} +1 -1
package/dist/{AuthClient-BGr8L03W.d.mts → AuthClient-D8Ul-aGa.d.mts} +1 -1
package/dist/index.d.mts +181 -5
package/dist/index.d.ts +181 -5
package/dist/index.js +174 -0
package/dist/index.js.map +1 -1
package/dist/index.mjs +174 -1
package/dist/index.mjs.map +1 -1
package/dist/react.d.mts +1 -1
package/dist/react.d.ts +1 -1
package/package.json +124 -124

package/dist/index.js CHANGED Viewed

@@ -1059,6 +1059,179 @@ var AuthApiClient = class {
   }
 };
+// src/bff/BffAuthClient.ts
+var CSRF_HEADER = "X-BFF-Csrf";
+var CSRF_HEADER_VALUE = "1";
+var JSON_CONTENT_TYPE = "application/json";
+var ENDPOINTS = {
+  login: "/bff/login",
+  logout: "/bff/logout",
+  me: "/bff/me",
+  register: "/bff/register",
+  forgotPassword: "/bff/forgot-password",
+  resetPassword: "/bff/reset-password",
+  otpRequest: "/bff/otp/request",
+  otpVerify: "/bff/otp/verify",
+  pinLogin: "/bff/pin/login"
+};
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function extractUser(data) {
+  if (!isRecord(data)) {
+    return null;
+  }
+  const envelope = data;
+  return isRecord(envelope.user) ? envelope.user : null;
+}
+function toOtpRequestResult(data) {
+  if (!isRecord(data)) {
+    return { success: true, expiresIn: 0, code: null };
+  }
+  return {
+    success: typeof data.success === "boolean" ? data.success : true,
+    expiresIn: typeof data.expiresIn === "number" ? data.expiresIn : 0,
+    code: typeof data.code === "string" ? data.code : null
+  };
+}
+var BffAuthClient = class {
+  constructor(options) {
+    this.http = options.http;
+    this.baseUrl = (options.baseUrl ?? "").replace(/\/$/, "");
+  }
+  /**
+   * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+   * the tokens in its Redis vault, and sets the httpOnly session cookie.
+   * Returns the sanitised user. Throws on a non-2xx response.
+   */
+  async login(request) {
+    const data = await this.postState(ENDPOINTS.login, request, "login");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("login: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+   * session, and clears the cookie. Non-fatal: a failed logout still leaves
+   * the SPA logged out client-side. Throws only on a non-2xx response.
+   */
+  async logout() {
+    await this.postState(ENDPOINTS.logout, void 0, "logout");
+  }
+  /**
+   * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+   * no session (the BFF answers `401`). Used at app load to bootstrap auth
+   * state in place of the old token-in-storage check.
+   */
+  async getCurrentUser() {
+    const response = await this.http({
+      url: `${this.baseUrl}${ENDPOINTS.me}`,
+      method: "GET",
+      headers: { Accept: JSON_CONTENT_TYPE },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return extractUser(response.data);
+  }
+  /**
+   * `POST /bff/register` — the BFF proxies registration to TenantService and,
+   * on success, establishes a session exactly like `login`. Returns the user.
+   */
+  async register(request) {
+    const data = await this.postState(ENDPOINTS.register, request, "register");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("register: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/forgot-password` — proxied to TenantService. The backend
+   * returns 200 unconditionally (no email enumeration); anything else throws.
+   */
+  async forgotPassword(request) {
+    await this.postState(ENDPOINTS.forgotPassword, request, "forgot-password");
+  }
+  /**
+   * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+   * response (e.g. `400` for an invalid / expired token).
+   */
+  async resetPassword(request) {
+    await this.postState(ENDPOINTS.resetPassword, request, "reset-password");
+  }
+  /**
+   * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+   * a short-TTL code and emails it.
+   *
+   * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+   * the identifier is registered. This method therefore **returns** the relayed
+   * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+   * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+   * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+   */
+  async requestOtp(request) {
+    const data = await this.postState(ENDPOINTS.otpRequest, request, "otp-request");
+    return toOtpRequestResult(data);
+  }
+  /**
+   * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+   * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+   * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+   * a non-2xx (e.g. `401` for a bad / expired code).
+   */
+  async verifyOtp(request) {
+    const data = await this.postState(ENDPOINTS.otpVerify, request, "otp-verify");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("otp-verify: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+   * against Keycloak server-side (the `(event, pin)` pair resolves to the
+   * staff member's KC account + event-scoped role), stores the tokens in its
+   * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+   * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+   * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+   * is not an enabled method for this BFF.
+   */
+  async pinLogin(request) {
+    const data = await this.postState(ENDPOINTS.pinLogin, request, "pin-login");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("pin-login: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+   * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+   */
+  async postState(path, body, label) {
+    const headers = {
+      "Content-Type": JSON_CONTENT_TYPE,
+      Accept: JSON_CONTENT_TYPE,
+      [CSRF_HEADER]: CSRF_HEADER_VALUE
+    };
+    const response = await this.http({
+      url: `${this.baseUrl}${path}`,
+      method: "POST",
+      headers,
+      body: body === void 0 ? void 0 : JSON.stringify(body),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      throw new Error(`${label} failed with status ${String(response.status)}`);
+    }
+    return response.data;
+  }
+};
 // src/utils/normalizeKeycloakUser.ts
 function isNonEmptyString(value) {
   return typeof value === "string" && value !== "";
@@ -1172,6 +1345,7 @@ function decodeUtf8(binary) {
 exports.AuthApiClient = AuthApiClient;
 exports.AuthClient = AuthClient;
 exports.AuthEventEmitter = AuthEventEmitter;
+exports.BffAuthClient = BffAuthClient;
 exports.BiometricGate = BiometricGate;
 exports.BrowserStorageTokenStorage = BrowserStorageTokenStorage;
 exports.CookieTokenStorage = CookieTokenStorage;