@dloizides/auth-client 3.0.0 → 3.2.1
- package/CHANGELOG.md +40 -0
- package/dist/{AuthClient-D95OMajD.d.ts → AuthClient-Cv7btBX0.d.ts} +1 -1
- package/dist/{AuthClient-BGr8L03W.d.mts → AuthClient-D8Ul-aGa.d.mts} +1 -1
- package/dist/index.d.mts +76 -3
- package/dist/index.d.ts +76 -3
- package/dist/index.js +59 -1
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +59 -1
- package/dist/index.mjs.map +1 -1
- package/dist/react.d.mts +1 -1
- package/dist/react.d.ts +1 -1
- package/package.json +124 -124
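--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -1067,7 +1067,10 @@ var ENDPOINTS = {
 me: "/bff/me",
 register: "/bff/register",
 forgotPassword: "/bff/forgot-password",
-resetPassword: "/bff/reset-password"
+resetPassword: "/bff/reset-password",
+otpRequest: "/bff/otp/request",
+otpVerify: "/bff/otp/verify",
+pinLogin: "/bff/pin/login"
 };
 function isRecord(value) {
 return typeof value === "object" && value !== null;
@@ -1079,6 +1082,16 @@ function extractUser(data) {
 const envelope = data;
 return isRecord(envelope.user) ? envelope.user : null;
 }
+function toOtpRequestResult(data) {
+if (!isRecord(data)) {
+return { success: true, expiresIn: 0, code: null };
+}
+return {
+success: typeof data.success === "boolean" ? data.success : true,
+expiresIn: typeof data.expiresIn === "number" ? data.expiresIn : 0,
+code: typeof data.code === "string" ? data.code : null
+};
+}
 var BffAuthClient = class {
 constructor(options) {
 this.http = options.http;
@@ -1148,6 +1161,51 @@ var BffAuthClient = class {
 async resetPassword(request) {
 await this.postState(ENDPOINTS.resetPassword, request, "reset-password");
 }
+/**
+* `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+* a short-TTL code and emails it.
+*
+* The endpoint is anti-enumeration: a `200` is the normal path whether or not
+* the identifier is registered. This method therefore **returns** the relayed
+* `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+* than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+* (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+*/
+async requestOtp(request) {
+const data = await this.postState(ENDPOINTS.otpRequest, request, "otp-request");
+return toOtpRequestResult(data);
+}
+/**
+* `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+* server-side, stores the tokens in its Redis vault, and sets the httpOnly
+* session cookie. Returns the sanitised user, exactly like `login`. Throws on
+* a non-2xx (e.g. `401` for a bad / expired code).
+*/
+async verifyOtp(request) {
+const data = await this.postState(ENDPOINTS.otpVerify, request, "otp-verify");
+const user = extractUser(data);
+if (user === null) {
+throw new Error("otp-verify: BFF response missing user");
+}
+return user;
+}
+/**
+* `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+* against Keycloak server-side (the `(event, pin)` pair resolves to the
+* staff member's KC account + event-scoped role), stores the tokens in its
+* Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+* user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+* a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+* is not an enabled method for this BFF.
+*/
+async pinLogin(request) {
+const data = await this.postState(ENDPOINTS.pinLogin, request, "pin-login");
+const user = extractUser(data);
+if (user === null) {
+throw new Error("pin-login: BFF response missing user");
+}
+return user;
+}
 /**
 * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
 * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.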
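Review bot: `toOtpRequestResult` relays a string `code` from the `/bff/otp/request` response to the caller, and the `requestOtp` JSDoc never says what that field is or when it is non-null. If it is the one-time code itself (it looks like a test or development aid, but the server side is not visible here), returning it to the browser bypasses the e-mail channel the OTP is meant to prove, so the doc comment should state the contract, for example `* \`code\` is non-null only when the BFF is configured to echo it for non-production use; never render or log it.` The same helper also fails open: a 2xx with a non-object body or no boolean `success` is reported as `{ success: true, expiresIn: 0, code: null }`, unlike `verifyOtp` and `pinLogin`, which throw when the body lacks a user. If the BFF always sends `success`, `success: data.success === true` would make a malformed response visible instead of showing "code sent" with a zero expiry.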