npm - @dloizides/auth-client - Versions diffs - 3.2.1 → 3.3.0 - Mend

@dloizides/auth-client 3.2.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +38 -0
package/README.md +38 -1
package/dist/{AuthClient-D8Ul-aGa.d.mts → AuthClient-3lu6Y1bY.d.mts} +1 -1
package/dist/{AuthClient-Cv7btBX0.d.ts → AuthClient-Bb7N2shJ.d.ts} +1 -1
package/dist/{TokenResponse-CY1CaU2l.d.mts → TokenResponse-BkIDjenX.d.mts} +7 -0
package/dist/{TokenResponse-CY1CaU2l.d.ts → TokenResponse-BkIDjenX.d.ts} +7 -0
package/dist/index.d.mts +149 -5
package/dist/index.d.ts +149 -5
package/dist/index.js +198 -6
package/dist/index.js.map +1 -1
package/dist/index.mjs +198 -6
package/dist/index.mjs.map +1 -1
package/dist/oidc/index.d.mts +1 -1
package/dist/oidc/index.d.ts +1 -1
package/dist/react.d.mts +2 -2
package/dist/react.d.ts +2 -2
package/package.json +124 -124

package/dist/index.js CHANGED Viewed

@@ -944,7 +944,8 @@ function createFetchHttpClient(fetchImpl) {
     return {
       status: response.status,
       ok: response.ok,
-      data
+      data,
+      header: (name) => response.headers.get(name)
     };
   };
 }
@@ -1072,8 +1073,20 @@ var ENDPOINTS = {
   resetPassword: "/bff/reset-password",
   otpRequest: "/bff/otp/request",
   otpVerify: "/bff/otp/verify",
-  pinLogin: "/bff/pin/login"
+  pinLogin: "/bff/pin/login",
+  config: "/bff/config",
+  pinEnroll: "/bff/pin/enroll",
+  pinUnlock: "/bff/pin/unlock",
+  pinDisable: "/bff/pin/disable"
 };
+var HTTP_OK = 200;
+var HTTP_MULTIPLE_CHOICES = 300;
+var HTTP_BAD_REQUEST = 400;
+var HTTP_UNAUTHORIZED = 401;
+var HTTP_FORBIDDEN = 403;
+var HTTP_TOO_MANY_REQUESTS = 429;
+var FALLBACK_METHODS = ["password"];
+var ALLOWED_PIN_DIGITS = [4, 6, 8];
 function isRecord(value) {
   return typeof value === "object" && value !== null;
 }
@@ -1094,6 +1107,81 @@ function toOtpRequestResult(data) {
     code: typeof data.code === "string" ? data.code : null
   };
 }
+var FALLBACK_LOGIN_CONFIG = {
+  methods: [...FALLBACK_METHODS],
+  registrationEnabled: false,
+  deviceState: {
+    rememberedUsername: null,
+    hasPin: false,
+    pinDigits: null,
+    preferredMethod: null
+  }
+};
+function readOptionalString(record, key) {
+  const value = record[key];
+  if (typeof value !== "string" || value === "") {
+    return null;
+  }
+  return value;
+}
+function parseDeviceState(body) {
+  const rawDigits = body.pinDigits;
+  const hasValidDigits = typeof rawDigits === "number" && ALLOWED_PIN_DIGITS.includes(rawDigits);
+  return {
+    rememberedUsername: readOptionalString(body, "rememberedUsername"),
+    hasPin: body.hasPin === true,
+    pinDigits: hasValidDigits ? rawDigits : null,
+    preferredMethod: readOptionalString(body, "preferredMethod")
+  };
+}
+function parseMethods(body) {
+  const raw = body.methods;
+  if (!Array.isArray(raw)) {
+    return [...FALLBACK_METHODS];
+  }
+  const parsed = raw.filter((value) => typeof value === "string" && value !== "").map((value) => value.toLowerCase());
+  return parsed.length === 0 ? [...FALLBACK_METHODS] : Array.from(new Set(parsed));
+}
+function parseLoginConfig(data) {
+  if (!isRecord(data)) {
+    return FALLBACK_LOGIN_CONFIG;
+  }
+  return {
+    methods: parseMethods(data),
+    registrationEnabled: data.registrationEnabled === true,
+    deviceState: parseDeviceState(data)
+  };
+}
+function parseRetryAfter(response) {
+  const raw = response.header?.("Retry-After");
+  if (raw === null || raw === void 0) {
+    return null;
+  }
+  const seconds = Number.parseInt(raw, 10);
+  if (Number.isNaN(seconds) || seconds < 0) {
+    return null;
+  }
+  return seconds;
+}
+function classifyTooManyRequests(response) {
+  const retryAfterSeconds = parseRetryAfter(response);
+  if (isRecord(response.data)) {
+    return { status: "locked", retryAfterSeconds };
+  }
+  return { status: "rateLimited", retryAfterSeconds };
+}
+function classifyEnrollFailure(status) {
+  if (status === HTTP_UNAUTHORIZED) {
+    return { status: "unauthorized" };
+  }
+  if (status === HTTP_FORBIDDEN) {
+    return { status: "forbidden" };
+  }
+  if (status === HTTP_BAD_REQUEST) {
+    return { status: "invalidPin" };
+  }
+  return { status: "error" };
+}
 var BffAuthClient = class {
   constructor(options) {
     this.http = options.http;
@@ -1209,22 +1297,126 @@ var BffAuthClient = class {
     return user;
   }
   /**
-   * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
-   * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+   * `GET /bff/config` — which login methods this BFF advertises, whether
+   * registration is enabled, and the optional per-device state (remembered
+   * username + device PIN). Unauthenticated, no CSRF (GET).
+   *
+   * NEVER throws: on a non-2xx, a network error, or a malformed body it returns
+   * a safe fallback (`{ methods: ['password'], registrationEnabled: false,
+   * deviceState: { rememberedUsername: null, hasPin: false, pinDigits: null,
+   * preferredMethod: null } }`) so the login surface stays usable even when the
+   * config endpoint is unreachable.
    */
-  async postState(path, body, label) {
+  async getLoginConfig() {
+    try {
+      const response = await this.http({
+        url: `${this.baseUrl}${ENDPOINTS.config}`,
+        method: "GET",
+        headers: { Accept: JSON_CONTENT_TYPE },
+        credentials: "include"
+      });
+      if (!response.ok) {
+        return FALLBACK_LOGIN_CONFIG;
+      }
+      return parseLoginConfig(response.data);
+    } catch {
+      return FALLBACK_LOGIN_CONFIG;
+    }
+  }
+  /**
+   * `POST /bff/pin/enroll` — bind a device PIN to the CURRENT strong session.
+   * Requires an authenticated session (the cookie travels via
+   * `credentials: 'include'`); the BFF requests an offline token, hashes the
+   * PIN, and sets the device cookie.
+   *
+   * NEVER throws — resolves a discriminated {@link DevicePinEnrollResult}:
+   *  - 200 → `success`;
+   *  - 401 → `unauthorized` (no session);
+   *  - 403 → `forbidden` (a PIN-established session can't enrol);
+   *  - 400 → `invalidPin` (bad format);
+   *  - anything else (501 disabled / 502 grant failed) / network → `error`.
+   */
+  async enrollDevicePin(request) {
+    try {
+      const response = await this.postRaw(ENDPOINTS.pinEnroll, request);
+      if (response.ok) {
+        return { status: "success" };
+      }
+      return classifyEnrollFailure(response.status);
+    } catch {
+      return { status: "error" };
+    }
+  }
+  /**
+   * `POST /bff/pin/unlock` — re-establish a session from a remembered device.
+   * No prior session; the device cookie travels via `credentials: 'include'`.
+   *
+   * NEVER throws — resolves a discriminated {@link DevicePinUnlockResult}:
+   *  - 200 + `{ user }` → `success` (a session cookie was set);
+   *  - 401             → `invalid` (wrong PIN / unknown-or-revoked device);
+   *  - 429 + JSON body → `locked` (device lockout; `Retry-After` parsed);
+   *  - 429 + empty body → `rateLimited` (per-IP limiter; `Retry-After` parsed);
+   *  - anything else / malformed 200 body / network → `error`.
+   */
+  async unlockWithDevicePin(request) {
+    try {
+      const response = await this.postRaw(ENDPOINTS.pinUnlock, request);
+      const isSuccess = response.status >= HTTP_OK && response.status < HTTP_MULTIPLE_CHOICES;
+      if (isSuccess) {
+        const user = extractUser(response.data);
+        return user === null ? { status: "error" } : { status: "success", user };
+      }
+      if (response.status === HTTP_UNAUTHORIZED) {
+        return { status: "invalid" };
+      }
+      if (response.status === HTTP_TOO_MANY_REQUESTS) {
+        return classifyTooManyRequests(response);
+      }
+      return { status: "error" };
+    } catch {
+      return { status: "error" };
+    }
+  }
+  /**
+   * `POST /bff/pin/disable` — drop the device PIN for the CURRENT session. The
+   * BFF revokes the offline token at Keycloak, deletes the device record, and
+   * clears the device cookie. Requires an authenticated session.
+   *
+   * NEVER throws — resolves `true` on a 2xx, `false` on anything else.
+   */
+  async disableDevicePin() {
+    try {
+      const response = await this.postRaw(ENDPOINTS.pinDisable, void 0);
+      return response.ok;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Shared POST for the never-throw device-PIN calls: same-origin, cookie
+   * included, `X-BFF-Csrf` header attached. Returns the raw {@link HttpResponse}
+   * (status + body + headers) so the caller can route on it instead of throwing.
+   */
+  postRaw(path, body) {
     const headers = {
       "Content-Type": JSON_CONTENT_TYPE,
       Accept: JSON_CONTENT_TYPE,
       [CSRF_HEADER]: CSRF_HEADER_VALUE
     };
-    const response = await this.http({
+    return this.http({
       url: `${this.baseUrl}${path}`,
       method: "POST",
       headers,
       body: body === void 0 ? void 0 : JSON.stringify(body),
       credentials: "include"
     });
+  }
+  /**
+   * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+   * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+   */
+  async postState(path, body, label) {
+    const response = await this.postRaw(path, body);
     if (!response.ok) {
       throw new Error(`${label} failed with status ${String(response.status)}`);
     }